McAfee Avert Labs Blog

Gas Spam


In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.

Over the last few weeks I have seen a new type of spam: messages trying to sell a product that supposedly saves money on gas. Below is an example of a gas spam:

Gas Spam Example

McAfee currently detects gas spam. Volume is low for this type of spam, typically making up about 0.2% of all spam.

Given the high price of oil it is not surprising that a spammer has started selling a product which claims to reduce gas bills.

Vietnamese add-on for Firefox serves W32/Fujacks!htm virus


Mozilla came out with an advisory yesterday warning users of compromised files in the Vietnamese language pack for Firefox 2. This was not the work of a malicious hacker, nor intentional booby-trapping of the files by the author, but the result of an accidental virus infection on the author's own system.

The author of the add-on was accidentally infected, and every help file (*.xhtml) in the Vietnamese language pack for Firefox was modified by the virus, which appended a script to each one. Any user who installed this language pack would have had malicious ads displayed in their browser and could potentially have been infected via other exploits served from the remote site.

The script linked to hxxp://js.k0102.com/[Removed].asp (currently offline), a remote website based in China. The offending script has since been removed from the compromised help pages by the Mozilla developers.

According to Mozilla's blog, anyone who downloaded the most recent Vietnamese language pack for Firefox 2 since February 18, 2008 may have received an infected copy. The exact number of compromised downloads cannot be ascertained, but since only users who downloaded the Vietnamese language pack were affected, the numbers are likely limited.

When contacted, the Mozilla developers were quick to respond and provided us with a copy of the compromised files.

McAfee users were already proactively protected against this threat: the malicious HTML pages are detected as the W32/Fujacks!htm virus with the 5174 DAT files, released back on 29 November 2007. :-)
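The pattern above (every help page in an add-on package gaining a script tag that loads code from a remote host) is easy to check for before installing or publishing a pack. The following is an added example, not McAfee's or Mozilla's code: it opens an XPI (a ZIP archive), walks the .xhtml/.html members and reports any script whose src points at a host outside an allow list. The sample XPI is constructed in memory and the host name in it is a placeholder, not the one from the advisory.

```python
"""Scan a Firefox language pack (an XPI, which is a ZIP archive) for <script>
tags that pull code from an external host, the pattern the infected Vietnamese
pack showed. Added example, not McAfee's or Mozilla's code; the XPI below is
constructed in memory and the host name is a placeholder."""
import io
import re
import zipfile
from urllib.parse import urlparse

# Help pages inside a language pack are .xhtml; include plain HTML too.
HELP_FILE_RE = re.compile(r"\.(xhtml|html|htm)$", re.IGNORECASE)
# Matches <script ... src="..."> regardless of attribute order or quote style.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE | re.DOTALL
)


def external_script_sources(xpi_bytes, allowed_hosts=()):
    """Return [(member_name, url)] for every script loaded from a host that is
    not in allowed_hosts. Relative src values point inside the pack and are
    not reported."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if not HELP_FILE_RE.search(info.filename):
                continue
            text = xpi.read(info.filename).decode("utf-8", errors="replace")
            for src in SCRIPT_SRC_RE.findall(text):
                host = urlparse(src).hostname
                if host is None:  # relative path: bundled with the pack
                    continue
                if host.lower() not in allowed:
                    findings.append((info.filename, src))
    return findings


def build_sample_xpi():
    """Constructed test data: one clean help page and one with a script
    appended after the document, as the virus did. The host is invented."""
    clean = ("<html><body><p>Help text</p>"
             "<script src='help.js'></script></body></html>")
    infected = clean + '\n<script src="http://js.bad-host.invalid/x.asp"></script>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("locale/vi/help/index.xhtml", clean)
        z.writestr("locale/vi/help/topic.xhtml", infected)
        z.writestr("locale/vi/help/help.js", "// local script, not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    for member, url in external_script_sources(build_sample_xpi()):
        print(f"{member}: loads external script from {url}")
```

Protocol-relative sources (`//host/x.js`) are caught as well, since urlparse still yields a hostname for them; only genuinely relative paths are treated as part of the pack.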

You have to pay for quality


The media frequently speak about the underground economy and quote price ranges for various private goods available for sale. I recently read that the trend was bearish, but let there be no misunderstanding about that: where the quality is there, the price is still high. It is just like the price of food; you have the hard-discount stores and the luxury stores!

With this post, I wish to be more precise about the prices charged by some cybercriminal groups around the globe.

Last Friday morning in France, my investigations led me to a site offering top-quality data at a higher price than usual. But when you look at this data you understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on the available balance, the bank and the country. Additional information such as the PIN and transfer passphrase is also provided when necessary:


For such prices, the seller offers some guarantees. For example, the purchase is covered by replacement if you are unable to log into the account with the provided details within 24 hours.

The selling site also offers US, Austrian and Spanish credit cards with full information:

  • ccnumber
  • cvv2
  • exp.date
  • name
  • address
  • city
  • state/province
  • zip/postal
  • phone-number
  • SSN(US Only)
  • DL#
  • MMN


It is also possible to purchase ATM skimmers and “dump tracks” (magnetic-stripe track data) to create counterfeit cards. Here too, the price reflects the quality:


Depending on the price, you can choose your bank from various lists, with more than 900 choices for North America or European countries:


Many other offers are available, such as access to shop administrative areas (the back end of an online store, where all the customer details are stored, from name, SSN, DOB, address and phone number to credit card) or UK or Swiss passport information:


And to convince prospective clients, the site offers some free data to demonstrate its know-how. I partially anonymized some of this data so I could provide an example. If you recognize yourself, do not hesitate to contact the police so that they may institute legal proceedings.


Spam in my Calendar?


Have you had any odd meetings in your Outlook or Google calendar lately? Over the past few weeks I've been monitoring an interesting spamming technique: the spammers send meeting requests which, if you have automatic acceptance enabled, land directly in your calendar.

The spam originates from Gmail accounts, but the Google and Outlook calendar functions are compatible (both exchange invitations as iCalendar attachments), so the meeting request goes straight into your calendar and you probably won't notice it until you get a reminder at the spammer's chosen time.

All the samples I've seen so far are Nigerian scams, which is interesting in itself, as the Nigerian scammers have traditionally been less advanced when it comes to coming up with new tricks.

This tactic adds a further nuisance factor for recipients, as it marks your time as “Busy”. Sure, you can turn off automatic acceptance of meeting requests via the Calendar options in Outlook and in Google Calendar, but that feature is provided for a reason, so why should the spammers stop us using it? This spam campaign has been low volume and targeted, as is the nature of Nigerian scam email, but there has been a lot of talk in the last few months about Gmail's CAPTCHA being broken, so it wouldn't surprise me if the botnet spammers pick this up pretty soon!
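A middle ground between “accept everything” and “turn auto-accept off” is to accept automatically only from organizers you already trust. The code below is an added example, not Outlook's or Google Calendar's logic: it unfolds an iCalendar body, pulls out METHOD and ORGANIZER, and returns a decision. The two invitations are constructed and every address and domain in them is a placeholder.

```python
"""Policy check for incoming iCalendar meeting requests: auto-accept only when
the organizer is someone we trust, leaving everything else tentative for the
user to look at. Added example, not Outlook's or Google Calendar's logic; the
two invitations are constructed and the addresses are placeholders."""
import re

# RFC 5545 folds long lines; a continuation line starts with a space or tab.
FOLD_RE = re.compile(r"\r?\n[ \t]")
MAILTO_RE = re.compile(r"mailto:([^@\s<>]+@([^\s<>]+))", re.IGNORECASE)


def parse_icalendar(text):
    """Return {PROPERTY: value} for the first occurrence of each property,
    with parameters such as ;CN=... stripped from the name."""
    props = {}
    for line in FOLD_RE.sub("", text).splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        name = key.split(";", 1)[0].strip().upper()
        props.setdefault(name, value.strip())
    return props


def should_auto_accept(ics_text, trusted_domains, trusted_senders=()):
    """Return (accept, reason). Only METHOD:REQUEST from a trusted organizer
    is accepted automatically; everything else stays tentative."""
    props = parse_icalendar(ics_text)
    if props.get("METHOD", "").upper() != "REQUEST":
        return False, "not a meeting request"
    match = MAILTO_RE.search(props.get("ORGANIZER", ""))
    if not match:
        return False, "organizer missing or not a mailto URI"
    address, domain = match.group(1).lower(), match.group(2).lower()
    if address in {s.lower() for s in trusted_senders}:
        return True, f"organizer {address} is on the trusted-sender list"
    if domain in {d.lower() for d in trusted_domains}:
        return True, f"organizer domain {domain} is trusted"
    return False, f"organizer {address} is outside trusted domains; leave tentative"


# Constructed sample: an unsolicited request from an unknown webmail account,
# with a folded SUMMARY line to exercise the unfolding logic.
SCAM_INVITE = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Dr. Prince Offer:mailto:prince.offer@webmail.example
ATTENDEE;RSVP=TRUE:mailto:victim@example.com
DTSTART:20080530T090000Z
SUMMARY:URGENT BUSINESS PROPOSAL - transfer of
  USD 25.5 million
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: an internal request from a colleague.
INTERNAL_INVITE = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Colleague:mailto:colleague@example.com
ATTENDEE:mailto:victim@example.com
DTSTART:20080530T100000Z
SUMMARY:Weekly sync
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for name, invite in (("scam", SCAM_INVITE), ("internal", INTERNAL_INVITE)):
        accept, reason = should_auto_accept(invite, trusted_domains={"example.com"})
        print(f"{name}: auto-accept={accept} ({reason})")
```

The decision key is the ORGANIZER property rather than the SMTP sender, because that is what the calendar client acts on; a production filter would additionally want the envelope sender and the organizer to agree.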

Yet Even More Fake Media Files


Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as the Gnutella network used by LimeWire. I took some time to create a video clip showing what the infection process looks like. In doing so, hundreds of additional media files were uncovered. Most lead to the aforementioned site, fastmp3player.com, but others lead to different sites distributing adware, and others still pose as codec installers that, when run, display fake error messages and then download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While the demo below shows that users must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers to questions we've received.

These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser). Not all media players support this functionality.

Our detection rates are based on a segment of VirusScan consumers who have opted in to reporting their detections to McAfee. Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days. However, the number of those systems that went on to download the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

Fake MP3s Running Rampant


Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since then more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those in the past 24 hours alone. Downloader-UA.h is not your everyday trojan: this detection covers fake music and video files associated with fastmp3player.com.

When a user attempts to play one of these MP3 or MPG files, they don't get the music or video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

Here are some of the sample file names we've seen. Many other file names are surely floating around on P2P networks. File sizes vary, as these files are padded with nulls.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3
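The two posts together describe everything needed to triage such a file without running it: the bytes are an ASF container rather than MPEG audio, the container carries a URL the player is told to open, and the tail is null padding. The following is an added example, not McAfee's detection logic: it checks the magic bytes against the claimed extension, extracts embedded URLs (ASF stores its strings as UTF-16LE, so both encodings are searched) and measures the padding. The sample files are constructed and the URL in them is a placeholder.

```python
"""Triage a downloaded "MP3"/"MPG" that may really be an ASF container used as
a lure: check the magic bytes against the extension, pull out any embedded
URLs (ASF script commands are UTF-16LE) and measure the null padding.
Added example, not McAfee's detection logic; the sample files are constructed
and the URL is a placeholder."""
import os
import re

# ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C as stored on disk
# (first three fields little-endian). We key on this magic only; this is not
# a full ASF parser.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
MPEG_PS_PACK_HEADER = b"\x00\x00\x01\xba"  # what a real .mpg program stream starts with

URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Same pattern with a NUL after every character, i.e. UTF-16LE text.
URL_UTF16LE_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def looks_like_mp3(data):
    """ID3v2 tag or an MPEG audio frame sync (11 set bits) at offset 0."""
    return data.startswith(b"ID3") or (
        len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0
    )


def embedded_urls(data):
    urls = {m.decode("ascii") for m in URL_ASCII_RE.findall(data)}
    urls |= {m.decode("utf-16-le") for m in URL_UTF16LE_RE.findall(data)}
    return sorted(urls)


def trailing_null_padding(data):
    return len(data) - len(data.rstrip(b"\x00"))


def classify_media_file(name, data):
    ext = os.path.splitext(name)[1].lower()
    is_asf = data.startswith(ASF_HEADER_GUID)
    if ext == ".mp3":
        matches_ext = looks_like_mp3(data)
    elif ext in (".mpg", ".mpeg"):
        matches_ext = data.startswith(MPEG_PS_PACK_HEADER)
    else:
        matches_ext = None  # extension we do not know how to check
    urls = embedded_urls(data)
    verdict = {
        "asf_container": is_asf,
        "matches_extension": matches_ext,
        "urls": urls,
        "null_padding": trailing_null_padding(data),
    }
    # An ASF file wearing an mp3/mpg extension that carries a URL is the lure pattern.
    verdict["suspicious"] = is_asf and matches_ext is False and bool(urls)
    return verdict


def build_fake_mp3(padding=1024):
    """Constructed lure: ASF magic, a UTF-16LE URL where a script command
    would sit, then null padding to vary the size."""
    url = "http://player.example.invalid/get.php".encode("utf-16-le")
    return ASF_HEADER_GUID + bytes(16) + url + b"\x00\x00" + bytes(padding)


def build_real_mp3():
    """Constructed genuine-looking file: ID3v2 header followed by a frame sync."""
    return b"ID3\x04\x00\x00\x00\x00\x00\x0a" + bytes(10) + b"\xff\xfb\x90\x00" + bytes(32)


if __name__ == "__main__":
    for fname, blob in (("preview-t-0000000-song.mp3", build_fake_mp3()),
                        ("song.mp3", build_real_mp3())):
        print(fname, classify_media_file(fname, blob))
```

Because the check keys on the container magic rather than on a hash, it still fires when the padding length or file name changes, which is exactly how these files varied on the P2P networks.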

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files), a 4,800-word EULA is displayed.

Notable parts of the EULA include:

(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:

PRODUCT Mirar AND EULA http://policy.getmirar.com/

And my favorite:

22. Effective: January 14, 2007.

END OF DOCUMENT

NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.

Does END OF DOCUMENT mean you can ignore the rest?  Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!

If you agree to the EULA and choose to proceed, the adware “FBrowsingAdvisor” and “SurfingEnhancer” is installed as described in the EULA. I especially like the directory name used by the developer, left behind in the debug symbol path:

c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb

If Firefox is not installed users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe; it doesn't actually play local MP3 files, but rather loads a web page running the Wimpy MP3 Flash player. This page lets the user listen to a canned selection of a couple of dozen songs.

In the end you're left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only not to display pop-ups but also to block them, and more adware that successfully displays pop-up and pop-under ads.

CARO Workshop is over…


… well, it was over already on Saturday, but I've been busy analyzing malware and have not had the time to write this post earlier ;)

Friday's presentations showed the same quality as those presented during the first day of the conference. The day opened with a couple of interesting talks on how to de-obfuscate scripts. This is a rather interesting topic, as scripts are increasingly the way machines get infected in the first place, for example when browsing the web. Several analysis techniques and tools were presented to effectively decode script code that could otherwise turn into a researcher's nightmare.

Then we had an interesting presentation from team members of AV-Team.org, in which they presented the results they obtained when testing the performance of AV engines on packed or protected code, taking into consideration several factors, such as the capability of some engines to use generic unpacking techniques and what happens when certain packers are blacklisted.

Blacklisting of packers was also the topic of two other presentations, showing how “hot” this topic is. A presentation from Avert Labs' own Gaith Taha stepped into the difficult field of trying to create a methodology to estimate the risk associated with packer blacklisting and generic detection.

Next, Sophos' Boris Lau presented his work on dealing with virtualizing packers, which use virtual machines to make code analysis complex and tiresome. The work was excellent, showing how to apply techniques usually associated with compiler science to help in the difficult fight against these complex protectors.

To close the day, Avert's Geok Meng Ong presented his work on a different kind of obfuscation, the one that comes from a closed or partially documented file format, accompanying his talk with several case studies.

Looking back on the past days in Amsterdam, I can truly say that it has been a really nice experience, a chance to meet great people and discuss some very interesting topics with them… Thanks for the great time guys!!

Now, back to malware analysis ;)
Signing off…

On Trusted Computing … Part I


If you happen to be buying any new PC machine(s) soon, you might find this post very relevant.

In a series of posts I will try to explain the functionality and the security concerns surrounding one of the components that is very likely soldered to the motherboard of a machine you are buying or have bought recently: the Trusted Platform Module (TPM).

So what is a TPM?

A TPM is a small chip that some PC manufacturers have been shipping inside their machines for some time now. It can securely generate cryptographic keys and store them in its non-volatile memory, and it holds a set of Platform Configuration Registers (PCRs) that record measurements of the software that has run on the machine. The main functionalities of the TPM are remote attestation, sealing and binding (don't worry about these terms; we will come back to them later).

So how can a TPM be used?

The TPM can be used to authenticate hardware devices, platforms, and the applications running on top of them. To make this easy to understand, think of your internet browser trying to access your banking website. The browser runs on top of an operating system, which in turn runs on some hardware. It is envisaged that [in the future] your bank will be able to verify the type of hardware and software you are running before giving you access to your account, thus checking the “trustworthiness” of your machine. (This is basically remote attestation.)

Do I have to worry?!

As you might have figured out by now, in time you will be expected to reveal more about what you run on your machine in order to get the services you need. Content providers will also have easier means to enforce usage policies on remote platforms.

OK, OK. It is not all bad news. Although Trusted Computing has been criticized by people like Ross Anderson, Bruce Schneier and the Electronic Frontier Foundation, the Trusted Computing Group (we will discover more about this in the coming parts) has made some adjustments to answer some of those concerns. (One of the main unsolved concerns is that mass-produced hardware and operating systems might restrict some types of legitimate software from running.)

On the bright side, TPMs will enable us to verify the integrity of our platforms. This is possible by building the trustworthiness of the platform up from scratch, securely: first the BIOS is measured, then the boot loader, then the OS, and so on, with each stage hashed and recorded in the TPM before it is handed control. Hence we can have more assurance about what sort of processes are running on our platforms.

Looking at it from an anti-malware point of view, malware authors will have a lot more difficulty escaping such chains of trust. Rootkits will have no place to hide (theoretically speaking :-) ) in such environments, since any change to a measured component shows up as a mismatch in the recorded measurements, even if the rootkit conceals itself once loaded. The caveat is that only what has been measured is covered: code that loads after the measured chain ends, or a component that is never measured in the first place, is not caught by this mechanism.

In the next part I will talk more specifically about the concerns surrounding TPMs and the solutions that have come up to answer some of them. Meanwhile, you don't have to worry about any [undesirable] activity from your TPM-equipped platform, as all those machines ship with the TPM disabled and unconfigured!
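The chain of measurements described above comes down to one operation, the PCR extend, and the verifier's job is to recompute it. The code below is an added example, not code from the post or from the Trusted Computing Group: it models a TPM 1.2-style SHA-1 PCR, measures a BIOS / boot loader / OS chain, and shows how a remote verifier (the bank in the example) both checks the quoted PCR against a known-good value and locates the stage a bootkit changed. The "firmware images" are constructed byte strings; no real TPM is involved.

```python
"""Toy model of measured boot with a TPM 1.2-style PCR: each boot stage is
hashed and folded into the register before it runs, so a verifier can tell
from one 20-byte value whether the expected chain executed. Added example,
not code from the post or from the Trusted Computing Group; the 'firmware
images' are constructed byte strings."""
import hashlib

PCR_RESET = bytes(20)  # PCRs read as all zeros after a platform reset


def pcr_extend(pcr, measurement):
    """TPM_Extend: new PCR = SHA-1(old PCR || measurement). TPM 1.2 PCRs are
    SHA-1; TPM 2.0 adds other hash banks but the folding rule is the same.
    A PCR can only be extended, never written, which is what makes it useful."""
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot_chain(stages):
    """stages: ordered [(name, image_bytes)] for BIOS, boot loader, OS, ...
    Returns (final_pcr, event_log); the log records what was folded in."""
    pcr = PCR_RESET
    log = []
    for name, image in stages:
        digest = hashlib.sha1(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """A verifier recomputes the PCR from the reported event log."""
    pcr = PCR_RESET
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def first_mismatch(expected_log, reported_log):
    """Name of the first stage whose measurement differs, or None."""
    for (name, exp), (_, got) in zip(expected_log, reported_log):
        if exp != got:
            return name
    if len(expected_log) != len(reported_log):
        return "chain length"
    return None


def attest(known_good_pcr, reported_pcr, reported_log):
    """Verifier side (the bank in the post): the log must replay to the
    quoted PCR, and the PCR must equal a known-good value."""
    if replay_log(reported_log) != reported_pcr:
        return False, "event log does not match quoted PCR"
    if reported_pcr != known_good_pcr:
        return False, "PCR differs from known-good value"
    return True, "platform matches known-good configuration"


# Constructed images standing in for the real firmware and software.
GOOD_CHAIN = [
    ("BIOS", b"constructed BIOS image v1.2"),
    ("boot loader", b"constructed boot loader image"),
    ("OS kernel", b"constructed kernel image"),
]
KNOWN_GOOD_PCR, KNOWN_GOOD_LOG = measure_boot_chain(GOOD_CHAIN)


def rootkit_chain():
    """Same chain, but the boot loader has been patched by a bootkit."""
    return [
        (name, image + b"\x90\x90 bootkit stub" if name == "boot loader" else image)
        for name, image in GOOD_CHAIN
    ]


if __name__ == "__main__":
    pcr, log = measure_boot_chain(rootkit_chain())
    ok, why = attest(KNOWN_GOOD_PCR, pcr, log)
    print(ok, why, "first mismatch:", first_mismatch(KNOWN_GOOD_LOG, log))
```

In a real attestation the quoted PCR value would be signed by a key held in the TPM, so the verifier can trust that the value (and therefore the replayed log) came from the chip rather than from software that could lie about it; the hash chain itself is what this example demonstrates.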

30th Anniversary of spam


Happy Anniversary!

May 3, 2008 marks the 30th anniversary of spam mail. Yes, it's been three decades since Gary Thuerk, a Digital Equipment Corporation (DEC) employee at the time, broadcast the very first unsolicited advertising message, announcing a new product, the DEC-20, to several hundred users of the Internet's predecessor, the Advanced Research Projects Agency Network (ARPANET). Developed by the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, the ARPANET was the world's first operational packet-switching network and paved the way for today's Internet. Take a look at the innocuous message and a write-up of the events surrounding this unsolicited commercial email here: http://www.templetons.com/brad/spamreact.html.

The term “spam”, borrowed from SPAM®, the canned meat product sold by the Hormel Foods Corporation, was coined to describe unwanted and unsolicited commercial email. A description of why this term was used is here: http://en.wikipedia.org/wiki/Spam_%28electronic%29#History. The term wasn't used much in the early days, and it wasn't until 1994 that spamming started in earnest. Deliberate commercial spamming as a form of advertising is believed to have been started by a law firm, Canter & Siegel. In 1994 the firm sent a message advertising its immigration services to more than 6,000 Usenet newsgroups. They developed mass-posting software to automate the distribution of the message, a practice still used by spammers today.

Over the past 30 years the face of spam has changed dramatically, from simple text to obfuscated text, phishing emails and spammed malware. And it has gone even beyond that, to image spam, spear phishing, attachment spam and recently even MP3-based spam. At first spam was sent from single user accounts. Later, spammers pushed their messages through open mail relays. Today, these unwanted emails are typically sent via huge networks of zombie machines, built by malware writers to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms, evolving from newsgroup and email spamming to instant messaging, mobile phone spam, and blog and search result manipulation spam.

Despite Bill Gates' prediction in 2004 that spam would cease to exist by 2006 (http://news.bbc.co.uk/1/hi/business/3426367.stm), there appears to be no end in sight, even in spite of recent laws such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), introduced to help curb spam. Why does the law lack legs? Mainly because today's spammers, motivated by the prospect of financial gain, largely operate outside the countries with strict anti-spam laws.

In some ways Bill Gates' prediction was correct, in that the spam filtering solutions developed over this period detect and filter almost all the spam that is sent, but this is cleaning up the problem rather than eliminating it. I don't think anyone would favour an “email tax” to reduce spam, and challenge/response systems only contribute more unwanted mail and slower communication. I personally believe it would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its source and to block rogue “bullet-proof” ISPs. Technology exists today to identify and isolate hijacked, spam-sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to deploy these systems in a highly competitive and price-sensitive market. A better alternative may be a transition to a newer, more secure mail protocol that would make it easier to eliminate spam at the source.

So, in addition to ever more creative ways to block received spam, is an upgrade to the SMTP protocol the answer? Or do we need more government legislation? Or is it something else altogether? Will it take another 30 years to put spammers out of business? I sure hope not!

Update from CARO 2nd Workshop


Hello again, Paolo here. Yesterday afternoon the presentations moved to a more practical level, and the topics discussed were definitely interesting.

The afternoon session started with “Hump and Dump”, an interesting study of the possibilities for Original Entry Point (OEP) discovery using a statistical technique based on histograms. Retrieving the OEP of a packed application is important for several reasons; for example, its execution usually marks the end of the unpacking process, the point at which the original binary, previously hidden under the wrapper of the protector/packer/obfuscator, is available in its rebuilt state. Although the work presented was still in its early phases, it shows good ideas, and with some modifications it may become effective enough to be used in research tools and anti-malware scanning engines.

A room with a view

In the following presentation Mario A. López explained to the audience how he and his co-workers at Frisk approached some complex problems related to unpacking in their own scanning engine, but I won't go deeper, as this information is probably not intended for people outside the industry.

Next, Robert Neumann from VirusBuster presented a nice set of specific unpacking strategies to quickly unpack simple, not-so-simple and even complex packers and protectors. Thanks for sharing, Robert!

The last presentation was from Ilfak Guilfanov, the author of IDA Pro and Hex-Rays, well known in the security industry as the developer of the unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system back in December 2005. In his presentation Ilfak showed us a few tricks for approaching obfuscated code within IDA, including one for a problem researchers face when analyzing complex protector code.

I am very eager to see today's presentations, including the ones from McAfee Avert Labs researchers Gaith Taha and Geok Meng Ong!

Stay tuned for the next update!!! :)