McAfee Avert Labs Blog

Secure Computing Links With McAfee Avert Labs


Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on each other's research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities, McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware, all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SaaS (software as a service) solution will come to leverage, differentiating them from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web threats, and malware, we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that each provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

More on Autorun-Based Malware


Earlier, my colleague Vinoo Thomas blogged about “The Rise in Autorun-Based Malware” and about a way to keep such malware from executing by using the Group Policy Editor (gpedit.msc).

I briefly want to add a couple of points to this:

The Group Policy Editor (gpedit.msc) is a Microsoft tool for modifying a wide range of system settings. One of those settings turns off the AutoPlay feature.

Changes made with this tool are ultimately written to the Windows registry. For example, when a user changes the AutoPlay setting through the Group Policy Editor, it shows up in the following registry location (the same value under HKEY_LOCAL_MACHINE applies the policy machine-wide):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveTypeAutoRun (REG_DWORD)

Now, here’s the interesting part. The Group Policy Editor is not available on Windows XP Home Edition. Those users have to edit the registry by hand, install TweakUI (a tool from the PowerToys suite), or download a third-party tool to disable this feature.

Isn’t it odd that Microsoft makes a home user manually edit the registry to turn off this feature, yet it provides a tool for administrators using XP Professional?

I can understand the growing concern many have about the use of removable devices. There has been a known bug affecting the NoDriveTypeAutoRun value, under which changes made to it can revert to the default.

Of course, the default value enables the autoplay feature to function in all its glory.

All hope is not lost, though, as I managed to find a fix. Save the following text as a .reg file and import it into the registry. And, as always, remember to back up your registry before doing this.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

This IniFileMapping entry tells Windows to read the Autorun.inf settings from a registry location (@SYS:DoesNotExist, a key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion that does not exist) instead of from the file itself, so the contents of any Autorun.inf are never acted on.
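As an added illustration (my own code, not part of the original post), the Python helper below decodes a NoDriveTypeAutoRun value into the drive types it disables, builds the value from a list of drive types, and emits a .reg file that sets NoDriveTypeAutoRun together with the IniFileMapping entry above so both fixes go in with one import. The bit assignments follow the Win32 DRIVE_* constants (bit n disables drive type n); the 0x91 used as the XP default is the value commonly documented for Windows XP, and the hypothetical `per_user` switch chooses between the HKCU path from the post and the machine-wide HKLM equivalent.

```python
from __future__ import annotations

# Bit n of NoDriveTypeAutoRun disables AutoRun for Win32 drive type n
# (DRIVE_UNKNOWN = 0 ... DRIVE_RAMDISK = 6). Bit 7 has no drive type of its
# own and is conventionally set together with bit 0 for "unknown" drives.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks, flash cards
    "fixed": 0x08,       # internal and external hard disks
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
DISABLE_ALL = 0xFF   # turns AutoRun off for every drive type
XP_DEFAULT = 0x91    # assumption: the documented XP default (unknown + network + reserved)


def disabled_types(value: int) -> set[str]:
    """Drive types on which this NoDriveTypeAutoRun value disables AutoRun."""
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is a single byte")
    return {name for name, bit in DRIVE_TYPE_BITS.items() if value & bit}


def value_for(disabled: set[str]) -> int:
    """Inverse of disabled_types(): build the DWORD from drive-type names."""
    unknown = set(disabled) - set(DRIVE_TYPE_BITS)
    if unknown:
        raise ValueError(f"unknown drive type(s): {sorted(unknown)}")
    value = 0
    for name in disabled:
        value |= DRIVE_TYPE_BITS[name]
    return value


def autorun_active(value: int, drive_type: str) -> bool:
    """True if AutoRun would still fire for this drive type under this value."""
    return not (value & DRIVE_TYPE_BITS[drive_type])


def reg_file(value: int = DISABLE_ALL, per_user: bool = False) -> str:
    """Text of a .reg file (REGEDIT4 format, as in the post) that writes
    NoDriveTypeAutoRun and the IniFileMapping entry in one import."""
    hive = "HKEY_CURRENT_USER" if per_user else "HKEY_LOCAL_MACHINE"
    lines = [
        "REGEDIT4",
        "",
        f"[{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]",
        f'"NoDriveTypeAutoRun"=dword:{value:08x}',
        "",
        "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf]",
        '@="@SYS:DoesNotExist"',
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"0x{XP_DEFAULT:02x} disables AutoRun on:", sorted(disabled_types(XP_DEFAULT)))
    print("removable media still autoruns under that value:", autorun_active(XP_DEFAULT, "removable"))
    print(reg_file())
```

Running it prints the drive types the XP default covers (removable media is not among them, which is exactly the gap the worms exploit) and a ready-to-import .reg file with the value set to 0xFF.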

If you are a McAfee VirusScan customer, you could create a custom Access Protection rule that blocks creating or reading files named autorun.inf. Many autorun worm variants are detected by McAfee as W32/Autorun.worm.dw.

Finally, Microsoft should implement this autorun feature (now routinely exploited by malware) in a safer manner. My Ubuntu machine, which has Wine installed, can run Windows executables and has a comparable autoplay feature, but with one BIG difference:

Ubuntu Autorun

When a removable device with an autorun.inf file is inserted into my Ubuntu machine, it recognizes that the autorun.inf is trying to run an executable and asks for confirmation first. Now, that’s what I call prioritizing the user’s security needs!

Artemis and VirusTotal


Artemis was the Greek goddess of the hunt, forests and hills (http://en.wikipedia.org/wiki/Artemis). It is also the name of McAfee’s new “always-on,” real-time protection technology (http://www.mcafee.com/artemis), which is now available, without charge, in many of the latest McAfee products.

The legendary home of the Greek gods is Mount Olympus, the highest mountain in Greece.

Mount Olympus

Well, today Artemis reached another new level. I am very glad to let you know that VirusTotal (a free service run by the Spanish company Hispasec at http://www.virustotal.com) has just added Artemis scanning to its portal. So, as of today, instead of just the one command-line scanner (the basic detection technology from McAfee Avert Labs), we are represented by two scanners. They are labeled “McAfee” and “McAfee+Artemis”. Here is how it looks in the VirusTotal portal:

[Screenshot: VirusTotal result listing both “McAfee” and “McAfee+Artemis”]

Let us have a closer look at this malware sample. We first saw it this morning at 06:35 UTC. Artemis recorded 32 instances of this file before it was analyzed and detection was added to Artemis. From that moment until now (about 8 hours after the first sighting) we saw 586 more samples, all of which were detected and blocked. The map shows the geographical distribution of the Artemis clients that sent a fingerprint of this malware to the Avert servers.

Map

White dots represent the initial submissions (32 of them); red dots represent the blocked ones (586 of them).

Thanks to our colleagues at Hispasec for adding our Artemis technology to their site. This provides a great service to the public and to our Avert Labs researchers!

The Rise in Autorun-Based Malware


Most folks associate computer viruses and other prevalent malware with the Internet. Not quite. The earliest computer threats came from the era of floppy disks and removable media. With the arrival of the Internet, however, email and network-based attacks became the preferred vector for spreading malicious code, and the issues with removable media took a back seat.

Over the years, floppy disks have been replaced by thumb drives, portable hard drives, flash media cards and other forms of removable data storage. Today’s removable devices can hold 10,000 times more data than yesteryear’s floppy disks. Not only can they store more data, they are also smart, with the ability to run portable software or boot an entire operating system.

Given the popularity of removable storage media, virus authors were quick to realize the potential of using this as an infection vector. And they are greatly aided by a convenience feature in operating systems called “Autorun” that exists to automagically launch the content in a removable disk without any user interaction.

McAfee Avert Labs has observed an alarming increase in malware using autorun as an infection vector. In addition to traditional autorun worms that used this feature, pure-play backdoors, password stealers, common Trojans and even parasitic viruses that previously required a user to double click an executable file in order to infect a system have started incorporating the autoplay technique to spread.

To give an idea of how rampant autorun malware is in the real world, shown below is the McAfee Global Virus Map, which tracks statistics of infections observed by McAfee users worldwide.

McAfee Virus Map

Generic!atr is the McAfee detection for the configuration file (autorun.inf) that specifies the path of the malware executable to be autoplayed. This detection was observed on over two million files in the last 24 hours and has been in the top five detections globally ever since the signature was added to the McAfee DAT files. What is shown above are detections seen only on computers running McAfee antivirus whose users have opted in to reporting their detections. When you take into account the millions of other computers on the Internet and other vendors’ detections of autorun-based threats, one gets a sense of how rampant the problem is.
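To show what such a detection has to look at, here is an added Python example (my own illustration, not McAfee’s Generic!atr signature and not code from the post). It parses an autorun.inf the way a scanner must, tolerating the junk lines and mixed case that Windows itself ignores, lists every program the disk would launch, and flags the combination of traits autorun worms rely on: a payload in a hidden folder, Explorer’s own “open”/“explore” verbs redirected to it, and a default verb set via `shell=`. Both sample files are constructed for the example; the SID-like folder name is made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Extensions Windows will run when named in a launch entry.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".lnk"}
LAUNCH_KEYS = {"open", "shellexecute"}           # keys that launch a program directly
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")   # shell\<verb>\command entries
EXPLORER_VERBS = {"open", "explore", "find"}     # verbs Explorer invokes itself
# Folders Explorer hides by default; worms park their payload there.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


@dataclass
class Launch:
    key: str
    target: str
    reasons: list[str] = field(default_factory=list)


def parse_autorun(data: bytes) -> dict[str, str]:
    """Tolerant [autorun] parser: skips junk lines, ignores case, and keeps the
    first occurrence of a key so a later duplicate cannot hide the real entry."""
    entries: dict[str, str] = {}
    in_section = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def _program(command: str) -> str:
    """Program part of a command line: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_launches(entries: dict[str, str]) -> list[Launch]:
    """Everything the disk would run, each with the warning signs it shows."""
    default_verb = entries.get("shell", "").lower()
    found: list[Launch] = []
    for key, value in entries.items():
        verb = VERB_CMD.match(key)
        if key not in LAUNCH_KEYS and not verb:
            continue
        program = _program(value)
        launch = Launch(key, program)
        ext = ("." + program.rsplit(".", 1)[-1].lower()) if "." in program else ""
        if ext in EXEC_EXT:
            launch.reasons.append(f"runs an executable ({ext})")
        if any(h in program.lower() for h in HIDDEN_DIRS):
            launch.reasons.append("target sits in a folder Explorer hides by default")
        if verb:
            name = verb.group(1).lower()
            if name in EXPLORER_VERBS:
                launch.reasons.append(f"replaces Explorer's '{name}' verb")
            if name == default_verb:
                launch.reasons.append("made the default double-click action via shell=")
        found.append(launch)
    return found


def is_suspicious(entries: dict[str, str]) -> bool:
    """Verdict in the spirit of a Generic!atr-style rule (an illustration, not
    McAfee's logic): any launch entry showing two or more warning signs."""
    return any(len(launch.reasons) >= 2 for launch in find_launches(entries))


# Constructed samples, not taken from any real infection. The first mirrors the
# layout autorun worms commonly use: payload in RECYCLER under a made-up
# SID-like folder, every Explorer verb pointed at it, plus a junk line.
WORM_INF = rb"""
xvr8gghs4
[AutoRun]
open=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1004\ise.exe
shell=auto
shell\auto\command=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1004\ise.exe
shell\open\command=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1004\ise.exe
shell\explore\command=RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1004\ise.exe
"""

# A typical legitimate installer CD: one launch entry, nothing hidden.
BENIGN_INF = rb"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""
```

Run `find_launches(parse_autorun(WORM_INF))` and every entry carries at least two reasons, so `is_suspicious` is true; the installer sample has a single `open=setup.exe` with one reason and passes. The threshold is deliberately conservative: launching an executable is what autorun.inf exists for, so it is the hidden-folder and verb-hijacking traits that separate a worm from an installer disc.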

Why is autorun such a popular infection vector, especially on machines running Windows? Autorun is enabled by default on all flavors of Microsoft Windows, including the latest versions, Windows Vista and Windows Server 2008. A user only has to insert a removable disk into an infected Windows machine and the malware copies itself onto the disk, along with an autorun.inf pointing at the copy, without any additional user interaction. When that disk is inserted into the next machine, autorun launches the malware, and the self-sustaining cycle continues unabated.

So what can a user do to protect themselves against autorun-based malware? The autorun feature can easily be disabled via the Windows Group Policy Editor (gpedit.msc). If you’re a system administrator, it makes sense to disable autoplay via Active Directory and push the policy to the entire enterprise. Prevention is always better than drastic bans of USB disks and drives, although it makes you wonder why Microsoft can’t *fix* this ill-used feature in their next Windows update ;-)

Intrepid iPhone developers bypass security for functionality


The Apple iPhone is affected by a new bug related to the signing of iPhone applications. Applications created with the official iPhone SDK must be cryptographically signed by the author and by Apple before they are allowed into the App Store or installed on an iPhone. The digital signature is a security measure that serves two purposes: identifying the developer in case of any problems, and ensuring that an approved application hasn’t been modified.

An iPhone developer discovered the bug while looking for a way to duplicate a feature of Apple’s own iPhone applications: dynamic default.png files. The default.png file is displayed when an iPhone application launches and is normally a static splash screen. When you quit an Apple-created application, it takes a snapshot of the screen and saves it as default.png inside itself. The next time you start the app it loads the new default.png, and everything looks like it did when it was last run, even though the application hasn’t fully loaded yet.

Unlike Apple’s apps, those created by other developers can’t modify their default.png. Since default.png is stored inside the application bundle, it is covered by the digital signature; modifying the image, and thus the app, invalidates the signature. An alternative would be a default.png in the application’s data directory, but only the copy inside the application is supported on the iPhone.

The method to replicate Apple’s default.png trick relies on a defect in the codesign utility in the iPhone SDK. codesign is the tool developers use to digitally sign their applications. Normally it takes every file within an iPhone application into account when it creates the signature. The problem is that it doesn’t handle symbolic links (symlinks) properly.

Symlinks are like shortcuts to files: if you want to refer to one file from two locations or under two different names, you create a symlink in the new location. The symlink is not a new copy of the file, just a pointer to the original. codesign doesn’t follow the pointer to the original file, so that file is never considered during signing. The trick, then, is to create a symlink named default.png that points to a location outside the application that can be modified freely.

This is a neat trick and, on its own, harmless. If only the codesign utility had the symlink problem, the trick would not work on an installed application, because the verifier on the phone would notice the mismatch; that it does work means the iPhone OS’s verification ignores symlinks too. The real trouble arises when symlinks are used to hide other program files or components from signing. The digital signature process was intended to ensure that no unapproved or unsafe modifications could occur. An attacker could arrange for malicious components to be installed by a self-update feature: since the signature ignores symlinks, the application could contain pointers to parts that are downloaded only later. Because the bad portions of the program don’t exist during the approval process, a malicious application can sneak through. This effectively bypasses the iPhone OS’s protection against running unapproved code.
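To make the failure mode concrete, here is an added Python illustration (my own code, not Apple’s codesign and not anything from the post) of a resource seal that records a symlink by its link text only, next to a hardened version that resolves every entry and refuses anything that points outside the bundle. The bundle layout, file names and contents are constructed for the demo, and it assumes, as the post describes, that the weak signer never hashes what a symlink points to.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entries(bundle: Path):
    """Every file and symlink under the bundle, without walking into symlinked dirs."""
    for dirpath, dirs, files in os.walk(bundle, followlinks=False):
        for name in files:
            yield Path(dirpath) / name
        for name in dirs:  # a symlinked directory is an entry too, not a subtree to walk
            p = Path(dirpath) / name
            if p.is_symlink():
                yield p


def naive_seal(bundle: Path) -> dict[str, str]:
    """The weakness the post describes: a symlink contributes only its link text,
    so the bytes it points to are never covered and can change after signing."""
    seal: dict[str, str] = {}
    for path in _entries(bundle):
        rel = path.relative_to(bundle).as_posix()
        if path.is_symlink():
            seal[rel] = "link:" + os.readlink(path)
        else:
            seal[rel] = "file:" + _sha256(path.read_bytes())
    return seal


def strict_seal(bundle: Path) -> dict[str, str]:
    """Hardened variant: resolve each entry, refuse anything that escapes the
    bundle, and hash the bytes that will actually be loaded at run time."""
    root = bundle.resolve()
    seal: dict[str, str] = {}
    for path in _entries(bundle):
        rel = path.relative_to(bundle).as_posix()
        target = path.resolve()  # follows the whole symlink chain
        if target != root and root not in target.parents:
            raise ValueError(f"{rel} resolves outside the bundle: {target}")
        if not target.is_file():
            raise ValueError(f"{rel} does not resolve to a regular file")
        seal[rel] = "file:" + _sha256(target.read_bytes())
    return seal


def build_demo_bundle(tmp: Path) -> tuple[Path, Path]:
    """Constructed layout: a fake app whose default.png is a symlink to a file
    in a writable directory outside the bundle, as in the post."""
    app = tmp / "Demo.app"
    app.mkdir()
    (app / "Demo").write_bytes(b"\xcf\xfa\xed\xfe fake executable")  # made-up bytes
    documents = tmp / "Documents"
    documents.mkdir()
    splash = documents / "splash.png"
    splash.write_bytes(b"\x89PNG version 1")
    os.symlink(splash, app / "default.png")
    return app, splash


def run_demo() -> dict[str, bool]:
    with tempfile.TemporaryDirectory() as d:
        app, splash = build_demo_bundle(Path(d))
        before = naive_seal(app)
        # "Self-update" after signing: swap the content the symlink points to.
        splash.write_bytes(b"\x89PNG version 2, swapped in after signing")
        after = naive_seal(app)
        try:
            strict_seal(app)
            strict_rejected = False
        except ValueError:
            strict_rejected = True
        return {
            "naive_seal_unchanged": before == after,   # True: the swap is invisible
            "naive_recorded_link_only": before["default.png"].startswith("link:"),
            "strict_seal_rejected": strict_rejected,    # True: the escape is caught
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The naive seal is identical before and after the swap, which is the whole attack: whatever the link points to can be replaced at will once the signature exists. The strict variant makes the policy explicit (resolve, stay inside the bundle, hash the resolved bytes), and a symlink to a downloads directory is rejected at signing time rather than discovered on a user’s phone.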

Fortunately, since the application is signed, tracking down the author of such malware should be considerably easier.  Given that the vulnerability lies within a utility in the iPhone SDK and within the iPhone OS’s verification system, it should be fixed shortly in a future update.

Exploit-MS08-067 Bundled in Commercial Malware Kit


Probably the most widely reported topic in the Chinese security community this month is the availability of a commercial MS08-067 attack pack customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, the malware kit author WolfTeeth was quick to sell his “customers” an MS08-067 port-scanning tool with attack capability, built from code freely available on the Internet.

WolfTeeth

Taking a peek into his “malware shop”, one finds a series of malware kits for sale, including a backdoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDoS attack option (targeting web servers with expensive HTTP requests, such as those served by an active web application).

The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit lets his “customers” make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features: terminating popular Chinese anti-virus software, downloading updates, and stealth.

AdClicker for Sale Site

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and are sold for “research use” only. As a customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, which install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

Friend at the Window


Recently, we at Avert Labs received word of a new polymorphic companion virus for Windows CE/Mobile. This is a bit odd, since companion viruses were more popular in the days of DOS and we haven’t seen many on newer platforms.

Unlike standard file-infecting viruses, companion viruses do not infect program files but instead pretend to be the original files. A companion virus renames a clean file to a hidden or random name and renames itself to the clean file’s name. The result is that the user runs the virus when intending to run the original program. To avoid raising suspicion, the original is run once the virus is done executing, and there may be no noticeable delay before the original program starts.

While the companion technique was used quite often by less complex viruses, this one also uses basic encryption to evade detection.  The decryption code of the virus is polymorphic with a handful of random code blocks.  There may also be defects in portions of the virus.

The appearance of this new virus for Windows Mobile phones may mark a change from for-profit trojans and spyware to the more experimental form of viruses.  Or maybe WinCE malware authors are just tired of other mobile platforms getting all the attention.

Where did all the spam go?


You may have read in the press recently about the landfill ISP McColo being de-peered. Spam is just one part of this story, though probably the most visible and media-friendly part; please don’t see this ongoing situation as mostly spam-related. Spam is simply the most visible tentacle of this octopus.

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it, and I wanted to dig out something meaningful for our readers, so I contacted a close partner of ours and got some real mail server stats.

Cropped Graph

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though ;)

This is no reason to rest, however; we’re still as busy as ever in the labs and watching as intently as ever. The child porn sites are already on a transatlantic move, for instance, and we’ll be calling our colleagues at the IWF (Internet Watch Foundation) today for sure.

Survey style Phish targets JPMorgan Chase & Co.


Look what we ran across in our spam traps recently:

Phish email

$50 for a survey! It’s our unlucky day…

survey

As you can see from the partially obscured email address, it is clearly NOT from JPMorgan Chase! I hope this variation on the theme is suspicious enough to set off most people’s “too-good-to-be-true” radar. We can expect this type of attack to get much more convincing real soon, no doubt.

Fundamental principles of testing anti-malware products from AMTSO.


It is very exciting to see that AMTSO has finally published two documents on its website (http://www.amtso.org/documents/cat_view/13-amtso-principles-and-guidelines.html):

  • AMTSO Fundamental Principles of Testing
  • AMTSO Best Practices for Dynamic Testing

These documents were posted by AMTSO for public comment as RFC versions back in August 2008. Most of the comments from http://blog.amtso.org were reflected in the final text, so AMTSO did incorporate many different opinions in its standards, which is a good thing!

The most important thing about these standards is that there is now hope that the quality of anti-malware reviews will improve over time because vendors and testers can work more closely together for the benefit of all computer users.

Here is what Jeff Green, Senior Vice President of McAfee Avert Labs, said about this event: “While there have been many great security software reviews in the past, many poor reviews have confused or misled people. We are glad to see that the Anti-Malware Testing Standards Organization has taken this problem by the horns and formalized the principles of fair testing. This is a significant milestone that should skew the balance towards fair and scientific testing, providing users with a true viewpoint on the security protection vendors provide.”

Let’s hope that there will be more standards from AMTSO and that they will look as good as those just published.