A couple weeks ago we saw a blog posting by a person named tibbar claiming they had written the first kernel mode IRC bot. See http://tibbar.blog.co.uk/2006/04/06/kernel_mode_IRCbot~708256 for the announcement.

Is this really the first kernel mode bot? I think so, but it is purely a proof of concept with no teeth. What makes this announcement important in my eyes is that it illustrates two points that are very important when we look at the future production of bots and malware in general: Use(and reuse) of open source components and the increase in programmer skillsets.

This kernel bot was easily created because it utilized a kernel socket library written and placed in the public domain by Valerino on rootkit.com (Click here for the rootkit.com post). As The Mythical Man Month states, there is no silver bullet in software development but the brass bullet is module reuse, which we are seeing more and more within malware. Would this kernel bot have been created if it wasn’t for the prebuilt components that were available?
The second important point is that the code organization of the project allows for testing the IRC functionality of the kernel bot in usermode where a lot of bot developers are more comfortable, therefore, easing the development of variants with more IRC functionality. Is this a revolutionary ability? No, but it is more advanced than most bot developers. I believe the advancement of skillsets will lead to more destructive bots as more intelligent programmers spend time increasing bot code quality, advanced features (encrypted P2P using proper key exchange for example) and test harnesses. Malware, bot development specifically, will start to exhibit the standard development life cycle seen in other open source projects such as Apache and firefox.

An interesting few variants of an IRC bot, named http://vil.nai.com/vil/content/v_139347.htm. Rather than connecting back via DNS to an IRC server for receiving commands, the bot attempts to create a P2P network, listening on port 8 (TCP). Initial execution results in outgoing connections to one of several IP addresses (on port 8 TCP), presumably some seeded infections to spawn the P2P network. The bot spreads via email, AIM, Windows messenger and across the network.

One interesting aspect to this family is its (supposed) ability to repack itself. Though unconfirmed in replication testing thus far, reports suggest it attempts to repack itself prior to propagating. If true, would create an interesting challenge for AV scanners.

A new 0-day working exploit code for an unpatched vulnerability in Oracle Export Extensions was posted to Bugtraq last week. US-CERT announces that successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.

Rare in 2003/2004, 0-day attacks seem to be more and more common. This term applies to distribution of an exploit linked to a vulnerability which has not yet been corrected. In this case, the period between the appearance of the exploit and that of the corrective patch is null or negative : null if the exploit and the patch arrive on the same day, negative if the patch arrives several days after the exploit.

More information about this new vulnerability can be found here:
CERT-US : Public Exploit Code for Unpatched Vulnerability in Oracle
Secunia Advisory: SA19860

On May 2nd, we are not aware of any vendor-supplied patches for this issue.

In October 2004, the Federal Trade Commission started an investigation of reputed spammers. This story just finds a conclusion on May 4th, 2006. Sanford Wallace (nicknamed Spamford) and his company, Smartbot.net, have to shutdown their operation and give up to more than $4 million in ill-gotten gains. Jared Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains.

The FTC alleged that Sanford Wallace and his company, Smartbot.Net, exploited a security vulnerability in Microsoft's Internet Explorer's Web browser in order to distribute spyware. The spyware caused the CD-ROM tray on computers to open and then issued a "FINAL WARNING!!" to computer screens with a message that said :

If your cd-rom drive's open . . .You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!" Spy Wiper and Spy Deleter, purported anti-spyware products the defendants promoted, sold for $30.

The official documents are available here :

May 4, 2006 :

• Stipulated Final Order for Permanent Injunction and Settlement of Claims for Monetary Relief As To Defendants OptinTrade, Inc. and Jared Lansky
• Order of Default Judgment, Permanent Injunction, and Other Equitable Relief Against Sanford Wallace and SmartBot.Net, Inc.
• News Release

October 12, 2004 :

• Complaint for Injunction and Other Equitable Relief [PDF 34K]
• Memorandum in Support of Plaintiff's Motion for a Temporary Restraining Order with Expedited Discovery, Preservation of Documents and Order to Show Cause Why a Preliminary Injunction Should Not Issue Against Defendants [PDF 68K]
• News Release

We've been seeing another new load of brand new variants of the Swizzor trojan in the last few days, and we've increased our heuristics to try to pick up these brand new variants before they're released.

If you suspect you have a new Swizzor variant, please update your DATs and make sure you have heuristic scanning enabled.

A new study is available on the Siteadvisor Web site. Named The Safety of Internet Search Engines, it was made by Ben Edelman and the Siteadvisor folks. Authors compared safety of leading search engines, using the company's automated Web site ratings. They find most leading search engines similar in the safety of the sites they link to, though MSN is the safest and Ask lags noticeably behind. The paper also demonstrates that sponsored results are significantly less safe than a search engines' organic results. There are heightened risks for certain keywords, including those frequently searched by kids and novice users. The study started in January 2006, and analysis uses search engine results as well as SiteAdvisor safety data from April 2006 :

• Overall, MSN search results had the lowest percentage (3.9%) of dangerous sites while Ask search results had the highest percentage (6.1%). Google was in between (5.3%). Click here for the chart.
• Sponsored results contained two to four times as many dangerous sites as organic results. Click here for the chart.
• Dangerous sites soared to as much as 72% of results for certain risky keywords (Click here for the chart). Particularly dangerous keywords include "free screensavers", "bearshare", "kazaa", "download music", and "free games."
• Authors estimate that US consumers make 285 million clicks to hostile sites every month as a result of search engine results.

Introduction

We should start with a description of C++ virtual functions implementation; fortunately, there are many articles (particularly this one) which explain it well. Some advanced issues, for instance the multiple inheritance implementation, are described here .
Short summary: if a C++ class contains at least one virtual function, then for each object of this class, the memory chunk allocated for this object contains a pointer to this class virtual function table (vftable for short). On x86 architecture, if the ecx register points to the object variable (so, ecx equals "this" pointer), then a call to this object's third virtual function can be implemented like this:
mov eax, [ecx] ; load eax with a pointer to vftable
call [eax+8] ; call the third function in the table


Why bother to detect vftables?

There are a couple of reasons why detection of vftables can be useful for binary analysis:

• Because vftables can be stored within .text segment, a disassembler may try to treat it as code. Particularly, IDA sometimes does this; as a result, it produces functions containing weird opcodes, for instance:
  sbb (byte_7D3939FF-7D393A7Dh)[ebp], bh
arpl [edx-79D682D4h], ax
If we knew what regions are occupied by vftables, we could instruct IDA not to disassemble them.
• Another usage is related to binary matching of different versions of the same code ( here you can learn more on what binary matching/binary diffing is about). From now on, we assume the debugging symbols are not available.Let's assume that we have already matched a certain number of functions from binary A with functions from binary B (say, we have matched functions with identical bodies, or with identical sets of called imported functions). If
  • a certain function funcA from binary A is present in only one vftable vftA,
  • a certain function funcB from binary B is present in only one vftable vftB,
  • we have already matched funcA with funcB

  then we may safely assume that vftA and vftB refer to the same class; therefore, we may match all members of vftA with respective members of vftB. Similarly, if we have matched class constructors, we can match all members of respective (referenced in the constructor) vftables.The above method has some advantages when compared with other matching algorithms. Particularly, it can reliably match functions which have few/none distinguishing features – all we need is its offset in vftable.

How to locate vftables?

In order to locate a vftable, we may use the fact that the vftable address is explicitely used in a constructor – as a part of object initialization, a constructor stores vftable address within the memory chunk allocated for an object. Therefore, the algorithm looks like this:
simple_vft_loc:

• find all occurrences of "mov [reg+small_const_offset], some_const_val"
• for each "some_const_val",
  • check whether it is a correct address within a binary boundaries
  • If so, extract the DWORD pointed to by some_const_val; let's name it FPTR.
  • Check whether FPTR is a valid pointer into an executable segment, and if it points into something resembling code, not data

  If all above steps succeed, then assume "some_const_val" is a beginning of vft, and a "mov" instruction referencing it belongs to a constructor.

Does it really work?

In order to test the above algorithm, let's run it on a binary for which the debugging symbols are available: this way, we will be able to compare this algorithm's results with .pdb file contents. In case of VC compilers, C++ mangled names of vftables start with "??_7″ prefix, so we can easily extract all vftable entries from the output of any .pdb parser.We have chosen mshtml.dll for our test drive (I bet some of you share the idea that it makes sense to examine this particular binary in some detail). For mshtml.dll version 6.0.3790.2577, mshtml.pdb contains 886 vftable names; they point to 763 different vftables. Simple_vft_loc outputs 768 addresses which are supposed to be vftables. It turned out that 28 vftables were not detected ("false negatives"); mostly because some static objects variables contain a preinitialized vftable pointer (so, the vftable pointer is not set by a constructor, it is set by the linker). On the other hand, 33 addresses were "false positives": they pointed to variables which were not actually vftables, they just happened to start with a function pointer.

As we see, the false negative ratio is below 4%. Moreover, it is very probable that in a binary we would match our mshtml.dll with, the matching vftable would not be detected as well. Therefore, vftable detection false negatives should not impair the matching algorithm.

The false positive ratio is similarly low. Again, it should not lead to errors in binary matching – instead of matching vftable entries, we will match entries in other structures containing function pointers.

The simple_vft_loc algorithm was integrated in the "funcmatch", a binary matching tool, and so far, its performance is very satisfactory.

Other tables of functions?

Another common construction containing function pointers is a RPC dispatch table. An approach very similar to the above, using dispatch table detection, was implemented in the funcmatch tool as well.

On May 18 and 19, two Trojans appeared exploiting a flaw in the Microsoft Word XP and Word 2003 environments. For now, this previously unknown vulnerability is not covered by any patch. Once again we are witnessing a “0-Day” attack. Code exploiting the vulnerability is generically detected by McAfee as Exploit-OleData.gen. On Windows 2000, a crash occurs and stops the process without infection.

The first attack was publicly announced last Thursday by the SANS Institute. The malware came in an e-mail and was sent to several people from an Asian organization which name was not revealed. The exploit code is executed out on first opening of the Word document. It quietly installs a PE format binary encapsulated program (here it is a backdoor) which disappears from the document itself becoming unsuspicious and inoffensive. McAfee detects the EXE file under the name of BackDoor-CKB!cfaae1e6.
A second program was diffused according to a similar method. This one is detected under the name of BackDoor-CKB!6708ddaf.

The group launching the attack is said to have operated from China or Taiwan. It acted in an extremely precise way by creating an e-mail containing specific elements directly linked to the targeted organization. Consequently, it seems improbable that these e-mails spread in the wild. For information the subjects of these e-mails are :

• Note
• RE Final for plan agreement

The DOC files bear the name of FINAL.DOC or PLAN.DOC.

It seems that to succeed, the attack requires administrator rights. It is thus useful to remember that installation of accounts with limited rights increases the level of security of work stations.
Microsoft hopes to provide a patch, at the latest, for June 13.

McAfee Avert Labs has received over 30 submissions of a new variant of Downloader-ATM in the past 7 hours. Updated DAT files were released earlier today to cover this variant. The trojan was mass spammed as an email attachment named ref 7119606.zip, which contains ref 7119606.exe. The message appears as follows:

————————
From: Valuehost Billing Department [mailto:merchant@valuehost.com]
Subject: [order ref 7119606] Credit Card Chargeback
Message-Id:
Date: Thu, 25 May 2006 10:03:10 -0700 (PDT)

Dear customer,

We have received a notice from your card service stating that there was
a chargeback made by the owner of the card that
you paid for your account with. This is a very serious matter. I have
deducted the amount of the chargeback, GBP 119.40,
from your account and added our standard fee of GBP 25.00 as well. (Now
you can see your payment details in attachment.)

If there was some mistake, please let us know immediately so that we
can get this situation resolved. We ask that you have the chargeback
removed as soon as possible, as our account has already been debited for
the amount in question. If you would prefer to make your payment using a new payment
method that would be fine as well (you can use a different credit card
or you may send a money order payable to
Valuehost).

This is a time sensitive issue and must be resolved promptly at the
request of the card service. Please email the billing team using the
Web Administration Panel with information about how
you are going to deal with this situation.
I thank you for your time and hope to hear from you
soon.

See your payment details in attachment.

Sincerely,
Mark J. Burnett
Valuehost Billing Department
http://www.valuehost.com
————————

When run, ref 7119606.exe downloads a new PWS-Cashgrabber variant. This password stealing trojan targets the following banking sites:

• anbusiness.com
• cahoot.com
• co-operativebank.co.uk
• deutsche-bank.de
• e-gold.com
• hsbc.com
• ibank.barclays.co.uk
• my.if.com
• mybank.alliance-leicester.co.uk
• nwolb.com
• officebanking.cl
• olb2.nationet.com
• pass.de
• santandersantiago.cl
• smile.co.uk
• smile.com
• webbank.openplan.co.uk
• welcome6.co-operativebank.co.uk
• www.bbvanet.cl

In addition to logging keystrokes, the trojan can also take screen shots as a means of stealing user’s website credentials.

The concept of parasitic spyware’ predates the popularity of the term Spyware. W95/MTX was a parasitic virus discovered nearly six years ago and contained a backdoor (one type of spyware that allows a remote attacker control an infected computer remotely).

In recent years there’s been a clear distinction between the well organized spyware creators and parasitic virus authors, but that may be changing.

The group behind traffall.biz (a.k.a. the iframecash.biz gang) has begun to move into the area of parasitic virus creation, seen with the discovery of W32/Fontra.a. This is the same group who heavily exploited [Exploit-WMF] a 0-day WMF buffer overflow vulnerability [MS06-001] around the time that it was discovered. They’re known for, among other things, hacking web servers to embed small encrypted script code that load other web pages containing various exploit code (such as Exploit-ANIFile, Exploit-ByteVerify, Exploit-CodeBase, etc). Typically the exploit code results in a downloader .EXE file being run on vulnerable systems, which then installs dozens of other downloaders, spam, proxy, and password stealing trojans. It’s also common for rogue anti-spyware scanners to get installed along the way, such as SpySheriff, or Spyaxe (and most recently BraveSentry).

This group keeps the target moving and appears to be well funded, which could equal a rise in the number of parasitic infectors discovered over the next several months.

Trojans are spammed everyday, but the intensity can vary greatly. Here are the Top 3 for Monday, May 29, 2006

• The first message below is in German and talks about a new worm. The message contains an attachment named ms56.zip (containing ms56.exe, detection was added in today’s DAT release under Downloader-AAP)
• The second message is also in German and talks about eBay account activity. The message contains an attachment named ebay-rechnung.pdf.zip, containing ebay-rechnung.pdf.exe. Detection was added in today’s DAT release under Generic PWS.o *note: this threat was proactively detected heuristically as New Malware.j when scanning email
• The third message describes a fake patch for a “new WinLogon Service vulnerability”. The message contains a hyperlink that points to a new password stealing trojan (PWS-WinPatch will be included in the DAT release of 05/30).

============== Message 1 ==============
From: MS Windows Update [msrobot_donotreply@windowsupdate.com]
Subject: b130 – Achtung! Wichtige Nachrichten von Microsoft Windows Update!

Achtung! Wichtige Nachrichten von Microsoft Windows Update!

Sehr geehrte Benutzer Microsoft Windows XP!

Gestern haben unbekannte Hacker den neuen Wurm-Virus eingesetzt. Nachdem er ins system reingreift, wird er von sich selbst nach Ihrer mailadressenliste ausgesendet, und alle Ihren Kontakte werden angesteckt. Nach der Ansteckung das System instabil zu arbeiten, und der Komputer genau nach einer Minute nach dem Hochfahren.

Um die Benutzer des Systems Microsoft Windows XP zu, haben unsere Sicherheitsspezialisten eine Erneuerung das System entwickelt.

Sie sollen die an den E-Mail angeh Datei damit das System erneut wird und vollst von neuem Wurm gesch wird.

Mit freundlichen,
Windows Update
=========== End Message 1 ==============

============== Message 2 ==============
From: eBay International AG [support@ebay.de]
Subject: b131 – eBay Rechnung
Guten Tag,
hier ist eine Zusammenfassung der Kontoaktivitaeten seit Ihrer letzten
Rechnung

In der beigelegten PDF Datei finden Sie die genaue Auflistung ihrer
Rechnung
—————————

Rechnung vom 26 Mai 2006
Abrechnungszeitraum: 1.Mai 2006 – 36. Mai 2006 PST/PDT
Fortlaufende ID:
67-EU30552496-2
AG

eBay International AG
Helvetiastrasse 15/17
3005 Bern
Schweiz

Schweizer MwSt-Nummer: 508 508
EU – Umsatzsteuer-Identifikationsnummer:
EU528002232
Firmennummer:
CH-035.3.103.330-3

eBay-Kontonummer:
E137329757297-EUR
Rechnungsnummer:
047868-1396435809470

Letzte Rechnung: |0,00
Zahlungen und Gutschriften: |0,00

Faelliger Gesamtbetrag:
|540,10
Zahlungsmethode
Sie sind das Lastschriftverfahren angemeldet. Der Rechnungsbetrag
wird innerhalb der bis sieben Tage von Ihrem
Bankkonto abgebucht. (Der Abbuchungsbetrag kann von Ihrem
Rechnungsbetrag abweichen, wenn Sie im Zeitraum zwischen der
Rechnungserstellung und dem Abbuchungsdatum Zahlungen geleistet oder
Gutschriften erhalten haben.)

Hinweis
Saeumnisgebuehren: Wenn Ihr eBay-Konto ueberfaellig ist faellt eine
Saeumnisgebuehr an. Um Naeheres zu diesem Thema zu erfahren, gehen
Sie bitte zu Rechnungen und Zahlungen.
(http://pages.ebay.de/help/account/payfees.html)

Mehr zum Thema eBay-Geb=C3=BChren
(http://pages.ebay.de/help/sell/fees.html)

Mitteilungen

Hinweis: eBay fragt niemals per E-Mail nach vertraulichen oder
persoenlichen Daten (z.B. Kennwort, Kreditkarte, Kontonummer).
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Hilfreiche Links

Zur Beantwortung Ihrer Fragen zu Ihrem eBay-Konto benutzen Sie bitte
den folgenden Link:
http://pages.ebay.de/help/account/selling-account-overview.html

Um Ihre Mitgliedsdaten zu aktualisieren, benutzen Sie bitte den
folgenden Link:
http://cgi4.ebay.de/aw-cgi/eBayISAPI.dll?ChangeRegistrationShow

Um eBay zu kontaktieren, verwenden Sie bitte den folgenden Link:
http://pages.ebay.de/help/contact_inline/index.html

Mit freundlichen Gruessen
eBay International AG

Zusaetzliche Mitteilungen
Die oben aufge Bten Leistungen beziehen sich ausschlie Flich auf Ihre
Anmeldung unter www.ebay.de.
=========== End Message 2 ==============

============== Message 3 ==============
From: Microsoft [patch@microsoft.com]
Subject: Microsoft WinLogon Service – Vulnerability Issue

Microsoft Coorporation

A new vulnerability has been discovered in the Microsoft WinLogon Service , that would allow an attacker to gain access to an unpached computer.

Since your email is part of our private mail lists and your have succesfully registered your Microsoft Windows , you can download the patch to fix this vulnerability before others do.

Please click the link below to download the patch and protect your computer against WinLogon attacks :

http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe

You are free to share this with all your friends and relatives that are using Microsoft Windows Operating System

Thank you

Microsoft Coorp.
=========== End Message 3 ==============

Two NY teens were arraigned last Wednesday for trying to extort $150,000 from Myspace.com.  They threatened to release exploit code that would allow for the pilfering of identity information of Myspace.com users.  (See story.)

Late last year, I was asked in an interview where I thought the arena of online attacks would go.  My response was to look at children-friendly sites and games like Neopets, MapleStory, and Runescape.  Well, my prediction was not exactly correct.  None of these sites have been hit by any automated or programmatic attacks, though each suffers from its own versions of social engineering attacks (more commonly referred to by kids as "scams").  However, shortly thereafter, worms were released on both Myspace and Xanga.

It's always a good time to discuss computer security issues with your children.  Here's some thoughts to start:

1)     Generally, don't talk to strangers.  Unfortunately, children are not going to abide by this, as part of the fun of online games is to meet and play with other people.

2)     Don't tell anyone your real full name.  A first name should be good enough.

3)     Don't tell anyone your age.

4)     Don't tell anyone where you live.  For purposes of playing with new-found friends on-line, just tell them the state, or the time zone and when it would be possible to play together again.

5)     To register online for games, don't give out your birthday!  As a general rule, always use January 1^st.  If the site has a requirement to verify the user's age, then the year of birth could be used.  But all online birthdays should be January 1^st.  (All horses have a birthday of January 1.)

6)     Many sites now ask only for your zip code.  But even there, if you've ever lived at a different address than you do now, use that old zip code.  In fact, if the site is not going to be actually sending you anything via US Mail, use that old address for all registrations.

7)     Establish an online email account for the purpose of using it as the registration email address for any online registration.

8)     Establish an answer to the online "security" questions, like "Name of favorite pet" or "Mother's maiden name".  Especially for something like "Mother's maiden name" which is actually used for identity purposes later in life, make up an answer.  If your children have a school mascot, what's its name?  And just use that same answer for all the *online game* registrations.

9)     And if there's going to be money involved, always require that a parent be involved.

Computer security starts with being aware.  And children need to be made aware.  Or tell them it's just another form of "hide and seek."

In May 2006, we added around 5000 new detections in VirusScan. The next table shows you the figures for the year 2006 :

Day after day you can follow up the number of new and enhanced detections by visiting the link : http://vil.nai.com/vil/DATReadme.aspx

In June 2004, we added the first Symbian virus. 2 years after SymbOS/Cabir, we now detects 286 threats and 4 jokes in this environment family :

We have seen the first attempt to create a macro virus affecting StarOffice. The code does not contain any damaging payload. It only tries to open an image hosted on Internet. The image is currently unreachable.
VirusScan currently detects this threat as StartOffice/StarDust.intd. The intd suffix means we are quite convinced that the author intended to create a virus, but failed.

Macro viruses were in the news from 1995 to 2001. They generally affected the Microsoft Office environment. Macro viruses have fallen out of favor and have been insignificant over the past 5 years.

The code is signed with a pseudonym. In 2001, a person using the same pseudonym indicated online that he lived in Germany.

More information can be found on
http://vil.nai.com/vil/content/v_139638.htm

Looks like the days of Virus-Writing-For-Glory may truly be past.

6/6/06 came and went without anything of note in the malware world, it was all business as usual.  No prognostications of doom in the preceding days about the potential of an onslaught of 666-themed viruses and in the end, nothing actually happened worth worrying about. (At least not any more than usual!)
It seems there's no financial motivation in making a big deal of dates that can't be used for phishing or to sell products through spam.

Another year, and another journalist proposes that the security industry discusses threats purely to sell products (http://www.newsforge.com/article.pl?sid=06/06/06/1832223). This is usually followed closely by the conspiracy theory that we actually write the viruses that we protect against. I find it interesting that this argument has cropped up every few years since the nineties.

I often wonder why this argument is so frequently recurring and apparently popular. I suppose, on the one hand, that it fits so neatly into our collective understanding about how free market capitalism works: If you can artificially create demand, you can increase your sales. But why does this same argument not crop up more often for others in security or services fields, like firemen, policemen, doctors, nurses, people who make home security alarms, airbag manufacturers, etc.

Particularly when there are (very rare) documented cases of people in some of these fields actually harming the people they are meant to help? It seems to me that in all of these cases we have:

• good, independent statistics from organizations designed to track those phenomena, so we know what the actual risk is (or it’s at least harder to lie and get away with it).
• they usually catch the bad guy, so everyone knows that the frequency with which someone is playing a scam is very low or non-existent.

But in our world, antivirus companies are the only ones who have good first-hand data about the prevalence of threats, and the attackers are almost always anonymous. How then, could we prove that these accusations aren’t true?

Unfortunately, we probably cannot. There are barely national law enforcement or governmental agencies, never mind global organizations, capable of tracking the problem on the massive scale that it actually occurs. We routinely see millions of attacks on hundreds of thousands of computers occur on a 24-hour basis, and this represents only a fraction of our customer base that has opted in to anonymous reporting. And McAfee represents only a portion of the AV marketshare. And computers with antivirus protection represent only a portion of all computers.

The internet is a remarkable tool for anonymity, even if it weren’t true that in some parts of the globe, there is no authority who will even try to help you track down a virus writer. Add privacy-minded tools like Tor to the mix, and the task quickly becomes mind-boggling.

So here’s some truth, from someone in the trenches: You don’t NEED an antivirus product. As long as:

• you use a good NAT hardware firewall/router
• you practice good, safe surfing habits all the time
• everyone else who uses your computer does the same, and has limited privileges
• you keep the operating system and applications patched on a daily basis
• you have complete control over who can exist on or connect to your computer or network (especially with wireless networks and Bluetooth)
• you have, and keep current, with existing malware trends
• you can recognize and recover from a 0-day attack that does get through
• you have no data worth anything on your computer

Most people either can’t, or don’t want to, expend this kind of effort or maintain this kind of draconian control over their computers. Frankly, most of us wouldn’t use computers or the internet nearly as much if they weren’t as open and flexible as they are. So the value of data and processing power in computers is so massive and growing so fast that there will always be LOTS of people trying to steal or exploit it. Imagine trying to protect a transparent bank from invisible attackers who could see every camera and security mechanism in the building. You would block many attacks, but sooner or later somebody will get through. Which means we’ll have a job for a long time.

So why do we talk about threats to Linux, or Mac, or Windows, or any other platform? Mostly to educate consumers and enterprises about the possible threats, so that people apply an appropriate amount of effort to preventing those threats. Naturally, we have to walk a fine line between creating a false sense of security, and crying wolf too often. The former means people will leave themselves exposed; the latter, that they will ignore real threats that will harm them.

In my position, we are frequently asked to be psychic about impending threats. If we do not start preparing solutions a year or more before the threat appears, we may be unable to protect our customers down the line. If we move too soon, we might expend a lot of effort writing code that isn’t needed. Sometimes we talk about those threats when we think it has relevance for our customers. Recently we’ve taken a lot of flak for bringing up Mac OSX viruses, largely from Mac zealots, as Kaspersky takes flak in the article above (from a Linux site) for talking about Linux threats.

Are we right or wrong about our predictions – it’s too soon to tell. I do believe that if these platforms make serious inroads into Windows marketshare, that their value will go up, and the attackers will follow. But whether that happens depends on far more factors than any threat report by any security vendor. What I am sure of is that the capacity for malware to be effective on these platforms is ample, and that pretending that this is not the case increases the risk of those doing the pretending.

Here’s an earlier example. In June of 2002, we did a press release about a (poorly-written) proof-of-concept threat that was appended to JPEG files called W32/Perrun. Despite the fact that “pure” data files like images (as opposed to files containing macros or scripts like Word docs or HTML) were commonly thought of as immune to infection, or uninteresting as a vector of malware, we took a lambasting in the press (see http://www.infoworld.com/articles/hn/xml/02/06/21/020621hnjpegvirus.html).

Fast-forward to today. There are threats for WMF, MP3, JPG, BMP, ANI, SWF, PNG and a variety of other data file formats. In fact, the most common dropper for malware today is Exploit-WMF (see http://us.mcafee.com/virusInfo/default.asp?id=regional&continent_k=0&track_by=2&period_id=3). So before you blast us for this year’s predictions, wait a few years. Whether you believe our information or not, we’re working on solutions so that you can be protected when the threat materializes.

Likewise, many of us in the AV space weren’t out there earlier this year making a lot of fuss about W32/MyWife.d (or the Kama Sutra or Blackmal worm, as it was commonly known). We knew that the prevalence was grossly over-estimated and that world meltdown was not going to occur on February 3rd. And it didn’t.

In my position, I have the privilege of working with over a hundred of the most hard-working and well-respected experts in the security field. And right now (Thursday evening US time) many of them are in the 50th or 60th hour of their work week. They are not having dinner with their families or playing with their kids. They will be working this weekend while you go to the beach. They (and their spouses) will be woken up in the middle of the night sometime soon to respond to a threat.

I’m not naive enough to think that everyone does this job out of a sense of altruism. Certainly, many researchers get a charge from the technical challenge. Some may even be completely mercenary about it, though I have yet to meet one, at McAfee, or any other antivirus vendor. If they exist, they are not too bright, because most of us could be making as much or more working fewer hours writing code for other kinds of applications. The fact is, most of us do it because we feel good about helping people. And you can’t get that from the company balance sheet.

Joe Telafici

Director of Operations, McAfee Avert Labs

The price of freedom is eternal vigilance
- Thomas Jefferson

In May 2006, millions of U.S. military veterans were worried about risks for identity theft after their electronic records were stolen from the home of an agency employee. Data was saved on a laptop and the laptop was stolen. It contained names, Social Security numbers and birthdays of some 26.8 million veterans.

Speaking about this incident, the Gartner analyst Avivah Litan explained in a research note that data protection is cheaper than a data breach.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Ms. Litan said. "This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."

"Name and Fame" were once the driving factor for writing viruses, but that's not what malware authors of today are driven by.

Money talks and today's generation of malware authors are finding newer ways to indulge in cyber crime. From selling time on bot nets, to spam and phishing or extortion via DDOS attacks, cyber criminals are now targeting home consumers via the re-emergence of a threat called "Ransomware".

Ransomware dates back to 1989, when the "PC CYBORG / AIDS Information Trojan", posing to provide information about the AIDS virus, was the first malware to be classified as ransomware.

This type of malware encrypts important files on the victim's computer, holding them as ransom until the victim agrees to the attackers demands. A typical ransom demand could be anything from transferring money online to an attacker's account or purchasing pharmaceutical drugs from an affiliate website.

After a lull, the past couple of months has seen a rash of ransomware variants including GPCoder, CryZip, MayArchive that attempt to extort money from its victims by encrypting their document files.

Users typically get infected when visiting pornographic, questionable or unsafe sites, but in a recent incident, a specially crafted Microsoft Word document was mass spammed that then attempted to download and install ransomware. With cyber criminals improving upon their distribution techniques with every new variant, it is more important than ever that users  not trust seemingly familiar or safe files particularly when received via P2P clients, IRC, email or other media.

We strongly recommend that users who have fallen victim to ransomware not give in to the demands of the malware authors as this will further fuel the money trail.

A zero day Yahoo! Mail vulnerability was exploited today that results in the execution of arbitrary code.  The vulnerability lies within Yahoo's onload event handling, allowing an attacker to craft an email message that results in script execution when users read their Yahoo! Mail.  In today's attack, a virus author utilized this exploit to run JavaScript that spams @yahoo.com and @yahoogroups.com recipients with a new virus (JS/Yamanner@MM – http://vil.mcafeesecurity.com/vil/content/v_139913.htm).  Yahoo is reportedly working on a fix and blocking these messages.

Here’s an excerpt from an email that was sent to McAfee today:

Subject: I have written JS/Yamanner@MM Worm

Hello

I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts ( collecting yahoo addresses from someone mail, sending this email using Ajax technology to them and then redirecting them into a sample site).

…

Finally I should mention that I don’t like to disturb no one. Since I live in iran and taking a Job in good computer companies is very hard (becaue getting Visa is very hard from US) I just want to prove that I have some abilities in web programming . And I like to work with professional team like you if there is any way to do that.

Regards

(intentionally censored as not to give props’ to the author)

Yahoo Inc. said Tuesday it has contained a malicious program aimed at the millions of people who use its e-mail service, which ranks as the world’s largest.

…

“We have taken steps to resolve the issue and protect our users from further attacks of this worm,” Yahoo spokeswoman Kelley Podboy said. “The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user.”

See: Yahoo Says E-Mail Worm Now Contained

Over the past few years we have seen a shift in the primary motivations behind the creation of viruses and trojans.  Personal challenge, peer praise, and prank value used to be main driving factors in the creation of malware.  Today, it's money.

So are we seeing the start of a similar trend in vulnerability land?

Yesterday, Microsoft released 12 patches to cover 21 vulnerabilities.  Brian Krebs blogged that iDefense paid out the advertised $10k to hacker who discovered one of the critical vulnerabilities.  He also states notes that "software flaws identified or purchased by TipppingPoint and iDefense made up 6 of the 21 flaws".  Both iDefense and TippingPoint have publicized vulnerability research incentive programs.

In the past, there has been a perception among some vulnerability researchers that iDefense and other companies will not pony up the promised prize for their work.  Now that this is happening in a public way (see below), others may be more encouraged to try and cash in on the opportunity.  It's a little early to say that this is the start of a vulnerability growth trend, driven by money, but the ingredients are there.

iDefense Vulnerability Contributor Program awards paid:

• Q4 2005 $41k paid in VCP awards
• Q3 2005 $39k paid in VCP awards
• Q1 2005 $21k paid in VCP awards
  

The 2006 Global Security Survey was just released by the Financial Services Industry, conducted by Deloitte Touche Tohmatsu (DTT). This survey of the world's 100 biggest financial services organizations announced a surge in digital attacks over the past year.

The world's largest financial institutions experienced a surge in the number of digital attacks over the past year, specifically from external sources. More than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization and almost half (49%, up from 35% in 2005) experienced at least one internal breach. Among the key points of this survey: sophistication of attacks and proliferation of vulnerabilities dominate attention. When asked to rate the intensity of perceived threats over the next twelve months, 53% of respondents chose phishing and pharming while 51% chose viruses, spyware, Trojans and worms. While internal threats continue to rise over previous years organizations appear to be more concerned with threats from the outside, since, in their minds, they bring a higher degree of publicity and potential damage to their reputations. The study suggests that financially motivated, targeted attacks are increasing and the criminal profile is shifting – from script kiddies and disorganized hackers to well funded organized crime rings, whose around-the-clock, across-the-globe attacks are yielding a big financial payback. This trend clearly highlights that random acts of vandalism (such as the web page defacements experienced by 4% of respondents) have been replaced by purposeful, targeted acts of criminal activity (such as the successful phishing attacks experienced by 51% of respondents).
In the survey, identity theft is called the "Crime of the 21st Century". Along with account fraud, they are two priorities that Financial Institutions will likely be focusing on this year.

To end this note, I am surprised by the classification for external breaches experienced by the companies and quoted in page 26 :

• Viruses/worms : 63%
• Phishing/pharming : 51%
• Spyware/malware : 48%

A bit of clarification may be needed for the Deloitte malware definition in order to understand why viruses, worms (page 26 and 27) and Trojan horses (page 29) are not classified in this category. By their definition, malware are only considered as malicious program "deployed to extort some form of monetary gain" as explained in this press release document.

This interesting survey is available at :
http://www.deloitte.com/dtt/research/0,1015,sid=1000&cid=121102,00.html

Here's a trick the traffall.biz (aka iframecash.biz) gang has been using for at least a few weeks. In addition to their usual Internet Explorer exploitation to install downloading downloader trojans (downloading downloading downloaders in many cases), they've been obfuscating some of the traffic by hiding exe files within JPG files. To a network administrator they would see HTTP get requests to traffall.biz/pic/[filename].jpg Which would appear normal (unless you were up-to-date on your bad domain list). And if you were to download the '.jpg' files they would indeed first appear to be just an image of a goofy frog:

Here's a Hex dump of the start of the JPG file:

In the middle of the file, we can see the encrypted executable (the cursor is at the start):

Once the file has been downloaded, the trojan that fetched the file in the first place strips off the image, decrypts the exe, and launches it (and as you may have guessed, the 'it' in this case is yet another downloader). Ironically the trojans that employ this tactic usually download other files that do not use this tactic, so it's less effective in hiding a compromised machine from a network admin. So why else do it? The main reason may be an attempt to slip passed anti-virus and anti-spyware researchers and automated analysis tools. Basic file-type tools will likely see the files as valid JPEGs, which could lead to early dismissal during analysis.

The group behind this remains to be one of the most active spyware creators out there.

The Microsoft France website was defaced today.  The defacement included a claim that it was done by Turkish hackers.  (See: here.)  This follows another defacement on Apple's online store in May, also claimed by a Turkish hacker.

On Friday, I received a spam in a foreign language I did not understand.  At first, I thought it was Hungarian because I receive plenty of Hungarian spam due to past correspondence with Hungarian reporters.  (Postini's Threat Report, released January 2006, reports that those in publishing or advertising receive the most spam.  Because email addresses are harvested by spammers from those they infiltrate, friends of those who fall victim to such attacks also become the recipients of much spam.)  However, it was not Hungarian.  It was Turkish:

Merhaba taraftar, bagnaz !
DAVET http://almanya2006.net/
Ancak icin simdiki erbap futbot
ayni taze havadis ve hediye her
Iyisini bulamazsin !

With the help of Dr Jan Hruska, Co-founder of Sophos, who provided me this translation:

Welcome fanatical supporter !
Invitation (to visit) http://almanya2006.net/
Only for someone expert (in) football
The same fresh news and a present for her
Plentiful

with an attachment named fifabook.rar, containing fifabook.exe.  Just another World Cup scam, I thought.  Turns out, fifabook.exe is a spyware program and is detected by VirusScan as Backdoor-BAC.gen.b.

So, now Turkish computer users are being targeted for spyware installation.

It is good to note that recently, last August, Turkish officials did arrest the authors of Zotob and Mytob in a partnership of cooperation involving the FBI, Moroccan officials, and Microsoft.  But we need many more of these.

The difference though, Turkish hackers were attacking others before.  Now they've turned on their own people.

Last week, Microsoft announced that it had received a single report for a new 0-day vulnerability involving Excel. A malicious spreadsheet was attached to an e-mail and sent to a targeted victim. Various information is available from Microsoft and an interesting FAQ is also available on the Securiteam blog:
http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
http://www.microsoft.com/technet/security/advisory/921365.mspx
http://blogs.securiteam.com/?p=451

Today, this threat has been deemed Low-Profiled due to media attention. FrSIRT has also posted an announcement at http://www.frsirt.com/english/advisories/2006/2361.

According to various reports, the original file is named okN.xls. Supposedly when a user opens the file the software unexpectly closes and some binary files are dropped in the Windows System directory as well as the system root directory.

I have studied a sample. It had a 127,488 byte size. On my French system, the file had a long name with semi-graphical ASCII characters possibly of Asian origin. After I renamed the file and opened it on an English Microsoft Excel 2000 version running on a Windows 2000 environment, the expected exploit did not occur. The filename visible on the left and high corner of the window indicated to me that the file was partially loaded, but no spreadsheet was visible. When I attempted to close Excel, I received an application error message saying some memory address could not be read. I made another test on a Windows XP-PRO (French) environment and with Excel 2002. This time an error message appeared and the file could not be loaded.

My colleagues also tested the file in a Japanese environment with the same disappointing results. We suspect that the exploit is more specifically crafted for Excel 2003 running on a specific OS version. It perhaps uses hardcoded return EIP offsets.

Despite these problems, the XLS file and its embedded downloader are detected as downloader-AWV.dr and downloader-AWV.

If you have the feeling that Microsoft could be addressing more critical vulnerabilities, you may be right. Avert Labs has counted the number of vulnerabilities rated Critical and Important over the last 2 1/2 year and plotted them cumulative by year:
The top graph shows that this year Microsoft has already addressed as many critical vulnerabilities as in the whole of 2005. The bottom graph shows that the number of important vulnerabilities has not changed significantly.

Last week we wrote that we may see the start of a vulnerability growth trend fueled by bounty programs and organized crime. While too early to tell, the statistics indicate that Microsoft seems to be addressing an increasing number of critical vulnerabilities.

Another round of Bagles hit the net today. There were two main executables mass-spammed through previously infected systems. Both were classified as W32/Bagle.fb (one was simply a repackaging of the other). This variant used a trick more commonly seen in Bagle variants two years ago, but less since. The virus sends itself in a password protected ZIP archive and the code needed to unlock the ZIP is sent along with the email messages as a .GIF image attachment.

McAfee VirusScan users were protected from the executables within these password protected ZIPs; detected as either W32/Bagle.dldr or New Malware.b (packed versus never-packed). Email messages sent by the virus may also be detected as W32/Bagle!eml.gen by email scanning products.

This variant started to pickup steam just after 8:00am PDT, peaked within a couple of hours, and is on the decline.

Named detection has been released in the latest DAT update.

One of the most important means for malware to be effective is its selection of an infection vector. An infection vector can be defined as the transmission vehicle that malware uses to spread itself. It is quite natural for malware to gain a wider infection-rate if the vector it chooses is a popular means for communication or collaboration among computers or computer users.

History shows that currently the most popular means for collaboration among computer users has been e-mail. This is why the world has seen the most successful malware exploiting email as it spreads. Some of the other popular means of computer supported collaboration are USENET, IRC, P2P, IM. We have seen a consistent uprise of malware targeting these collaborative systems. Dmitry Gryaznov had described this in his excellent paper “Malware in Popular Networks“.

It might not be possible to predict a complete list of all the infection vectors that malware could use. This list is constantly evolving. We have recently seen malware targeting “orkut”, an internet social network service. There has also been recent reports of worm propagation through social networking websites like “MySpace” and “Xanga”.

Mobile phones are no exception, it is early but the mobile technologies like SMS and Bluetooth are already noticing an uprise of malware.

Well! Malware authors do certainly seem to continually find newer ways to reach places where people are.

A Microsoft Word document was mass-spammed today, which exploits MS01-034. While this vulnerability was patched nearly 5 years ago, the DOC file can still deliver its payload if users allow Word to run the malicious macro within. Spammed messages use attachment names such as apple_prices.zip, prices.zip, and sony_prices.zip. The archive contains a file named my_notebook.doc, which contains a list of notebooks for sale:

• Apple MacBook Pro MA463LL/A Notebook PC
• HP Pavilion DV8230US Notebook PC
• Sony VAIO VGN-FS830/W Notebook PC

The DOC also file contains a macro, that drops a downloader trojan, that downloads a parasitic virus that is also a downloader.

The infection trail can be represented like this:

Spammed email message -> ZIP attachment (prices.zip) ->
Malicious DOC file / Macro (my_notebook.doc) -> Dropped EXE file (666inse_1.exe) ->
Downloaded File (zmacro.txt) -> Downloader Files (…)

This is all contributed to the Sality virus author. Sality is a parasitic infector that utilizes DLL injection, and encryption. It also contains a dowloader payload to install Adware, remote access trojans, keyloggers, proxy servers, etc; yet another recent case of a parasitic virus delivering spyware.

Detection for the DOC file and dropped downloader trojan (666inse_1.exe) will be contained in the next DAT release as W97M/Dropexe and Generic Downloader.ab respectively. Existing W32/Sality.t detection (released May 31, 2006) covers the dowloaded Sality virus.

Speaking of old vulnerabilities being targeted by malware, MS03-011 (patched for more than 3 years) is still on the list of top threats being reported by VirusScan Online customers (see Exploit-ByteVerify). Again, this is exploited by the distributors of spyware in the shape of drive-by downloads.

A quick update on recent DOC file mass-spammings. Two new variants of the W97M/Kukudro trojan (briefly referred to as W97M/Dropexe) were mass-spammed today (Kukudro.b and Kukudro.c). CME numbers have been assigned for the .A and .B variants:

W97M/Kukudro.a!CME-745

W97M/Kukudro.b!CME-476

See: http://vil.nai.com/vil/content/v_140053.htm for details.  

Yea!  And maybe, hopefully, none of the identity information was compromised.  (See story.)  What can we learn from this?

First, CA 1386 provides exclusion for data that is encrypted.  That should seem outright obvious to everyone.  ENCRYPT IT!

There is a question whether the employee had permission to have the data at home.  Make sure you have policy to certify this condition.  For instance, if I have permission to work at home, and I have permission to access the data, without further conditions, this presumes I have permission to have the data at home.  If this is not what you want, make sure everyone knows the situation and the permissions required.

There is the question whether the identity information was compromised.  How can we help to determine such a scenario if it happens to us?  First, make sure that the access to the major database produces an *encrypted* data subset.  (Log the access and review the log often.)  This would promote the consideration that such data on the recipient machine should remain encrypted.  Plus, knowing he has a protected copy, any unencrypted version can be erased when not actively being used.  So, the lifespan of unencrypted copies is shorter.  Second, this forces the user/worker to decrypt the information at the time he needs to work with it, causing a new file to be created with the then-current time/date stamp.  This would help forensics. 

This is not a complete solution, because create/delete/create/delete fills up the hard disk with "unused" sectors that would contain the sensitive information.  But that would happen without this process.  So, at least adopt a process that is useful.  And be reminded that the disk needs to be wiped often.

When's the best time to learn and think about all this?  When someone *else* makes the mistake, of course.  Unless your purpose is to get funding.  But do you want to have to spend that much money and face all that bad publicity?

On Wednesday, the CLUSIF, Club for the Security of Information in France presented its study "Policies of Computer Security & Losses in 2005=E2=80=B3. The study concludes that French companies are increasingly setting up policies and procedures to protect their information system, however, they fall short on approving the budgets necessary to support them.

In a 58 pages document (in French), the association synthesizes testimonies of representative of 400 companies with more than 200 employees from all business sectors. Results show that in 2005 56% of French companies have a defined policy for information system security compared against only 41% two years ago when the previous study was conducted.

CLUSIF notes that only 38% of the companies envisage increasing budgetary resources to the security of information system, 46% announce that they will keep it constant, 4% will reduce it and that 12% have not made a decision.  The study notes that upper management seems difficult to convince. They are not yet completely reassured by the correct use of the budgets that they have already accepted and approved for their company's security.

In addition, the study demonstrates a "strong will of control" on behalf of the people in charge of the information system security (RSSI). Most prefer to block the use of new technologies rather than to seek a solution for its secure deployment. Thus 76% of them prohibit webmail access, 73% refuse VoIP use, 56% prohibit Wi-Fi and 43% prohibit PDA and smartphones.

Regarding recorded losses, only 36% spoke about viruses and 2% about intrusions on the system. The major part, 56%, comes from design errors or software deployment, 47% are loss of essential services like electricity and telecommunications, 46% are errors of use.

Losses due to fortuitous causes remain most numerous. However malevolence and negligence are nevertheless present. At first, they appear weak numerically, but when we look at them cumulatively and then extrapolate on French companies as a whole, the number of announced incidents seems significant:

• Design errors in software deployment : 58%
• Loss of essential services : 47%
• Errors of use : 46%
• Theft : 44%
• Internal breakdowns : 37%
• Virus infections : 36%
• Natural disasters : 8%
• Physical accident : 6%
• Data disclosure : 4%
• Targeted attacks : 4%
• Malicious acts : 3%
• Sabotage : 3%
• Intrusion : 2%
• Fraud : 2%

Every XX days (I'm sure if I actually told you the exact number, I'd be breaking some kind of rule), the system tells me that my password has expired and I have to change it.  I will manage to change it without problems.  But, as I log into the various corporate assets from each of my many machines, or one of my machines stayed online while I changed the password from a different machine, it's a given that within the next few days, our HelpDesk would have to enable my account, because the system has locked me out due to too many accesses with the old password.

There are many components to password policies.  Most people probably do not have this same problem.  But just the same, most people hate their own password policy just as much as I do!

As I understand it, most objections revolve around the myriad standards to create a password that passes the "strong password" test.  They include a length requirement, a mix to include lower and upper-case letters, numbers, and/or punctuation, and the need to change it every so often, without being allowed to write it down.  So, new passwords need to be invented that must be complex yet easy to remember.

Well, I can help you with that.  It's called pattern passwords.

How to Create Easy-to-Remember Strong Passwords Using Patterns

What would you say about a password such as

7ujmnbg%TGB

Easy to remember, isn't it?  Well, to remind me, I'm going to scribble a "75" on a Post-It and put it on my monitor.

It has 11 characters, has upper and lower-case, even a punctuation mark.  Certainly, it would pass any corporate policy on strong passwords.  (And if not, just adjust it after I finish teaching you the concept.)  And I could never forget this password, because, frankly, you can't forget what you never knew!  ;-)  But "75" reminds me.

Here's the password:

That's the letter "J" starting at the position of "7" (7ujmnbg).  Followed by the letter "I" but using [Shift], starting at the position of "5" (%TGB).  And so "75" reminds me that this month, "my password" uses the character positions of "7" and "5" to instantiate the password.

What is my password?  No, not "7ujmnbg%TGB"!  I told you I don't even know my password.  ;-)  My password is the keyboard pattern for the letters "J" and "I"!

Keyboard pattern passwords.  You can decide to use the pattern for letters, numerics, geometric figures (circle, triangle, dash), symbols (plus, equals, star [yhnuhbghj]), and for the cultured linguists, symbols and characters from other languages, like parts of Chinese characters, Russian, Greek, Arab, Hebrew alphabets…  Pick anything that you can identify with (not something that can identify you!), or is easy to type, or easy to remember, or all of the above.  And pick two patterns or a long pattern, to give you enough characters to satisfy your corporate password policy.  And remember to include use of the Shift-key at appropriate points or the pattern will be too easy for others to notice and crack.  This is very important.  The use of the Shift at strategic locations within your pattern is what distinguishes your password from others, and makes it difficult for a new version of password crackers that could be programmed to look for pattern passwords.

Now that you know what pattern passwords are, let's discuss how to use them to satisfy the different aspects of your corporate password policy.

Length.  Design your pattern so it has enough characters to fulfill the password length requirement.  If the first pattern you like is short, add a second pattern, or even a third.  Or append a numeric sequence.  It simply becomes an additional pattern that you add.  Only perhaps the additional characters are chosen to not change.

Upper and lower case, numbers, punctuation.  Judiciously choose where and when to apply the [Shift] key to create the special characters.

Changing the password from month to month.  Move your pattern around the keyboard.  This month, my password location is "75".  Next month, it will be "64".  The following month, it is "53".  And so on.  After I finish with "31", the following month, it can be "08".  Or by then, I could decide to employ a different pattern.  And if I should forget what it is this month, there will only be a select few to try, with a very high likelihood that the first couple I try will be successful.

Multiple passwords for multiple accounts.  Let's say I need to create a new Yahoo email address.  I choose the account name of "Jimmy46".  The password I would use with this account would be my "46" pattern password.  (Notice it's not exactly the same as I was using before.  But all the same, "J" will be at "4" and the "shifted-I" will be at "6".)

I urge you to play around with this.  Have some fun.  Get comfortable with it.  Also, when you decide on a pattern you like, try out your new password at:

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

This page will give you a scoring on your password and tell you if it is "strong" enough.

Oh, and the next time they try to enforce the password policy, respond "can I use dollar sign, hash, seventeen?"  "Too short," they'll say.  So you walk away… with a smirk… You know you can easily fulfill the policy now, but you still hate password policies.

PS.  No, 7ujmnbg%TGB is not really my password.  Besides, I have to change it every month.  (Oops)

Rockets bursting in air, fireworks everywhere!  Thank you for helping mark the 200,000^th entry into the VirusScan malware (malevolent software) detection database.

But truly, this is not a moment to celebrate.  For, larger and larger numbers of malware is a plague, not a cause to celebrate.  Instead, we mark this moment simply as a milestone in our continual trip to fend off the bad stuff from everyone's machines.

It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000.  Eighteen years to reach 100,000.  Less than two years to double.  Looking ahead, our researchers expect yet another doubling in a similar timeframe.  So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

 Malware Count and Rate of Growth
 

The last two years have marked a tremendous increase in downloaders and bots, malware that has as its purpose to commandeer the target machine, to be used by the Command and Control machine.  Or rather, the person sitting behind that machine, who has as his motive, $$$$$$$.

In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant.  Many millions of machines would be compromised in a short amount of time causing great financial strife and immediate reaction from IT personnel as well as law enforcement.  Soon, Sven Jaschan was arrested for the creation of the Netsky and Sasser families of viruses.  At about the same time, the author of Gaobot/Agobot and Phatbot was also arrested.  With these two events, we all hoped the arrests would stem the tide on malware.

Instead, malware distribution changed dramatically.  In the first half of 2004, 31 virus outbreaks were rated Medium and above.  The second half of 2004 saw 17 more.  That number fell to 12 for the whole of 2005.  And in 2006, there have been no outbreaks of similar severity!  Instead of huge virus events causing ire from all segments including law enforcement, the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts.  Good family detection becomes crucial for a less worrisome experience on the Internet.

Another area of concern is the growth of malware targeting mobile telephony.  The numbers are still small, only near 300.  As a result, rates of growth are exaggerated.  However, it will grow.  The worry, as our past experience would show with other forms of malware, the growth will fashion similarly to the above graph.  Except, time will be compressed.  We are still in the era where malware targeting telephony is not yet purposefully stealing money.  And that is the concern.  When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means to steal money over the Internet have consumed our energies these past two years.

And so, on this July 4^th, our thanks to the men and women who serve, so we can all enjoy our liberties and pursue happiness.  And thanks also to the cadre of dedicated anti-malware researchers who on this day added that 200,000^th malware detection entry, so we may pursue our enjoyment of the Internet experience with a little less worry.

In some hours, we will make available our latest anti virus definitions for McAfee VirusScan. It will be numbered : DAT-4800.
With this release version the number of threats detected will exceed 200,000 to reach 200,104 detections.

In September 2004 with the DAT-4391 release we reached 100,000 threats detected. We have doubled this figure in less than 2 years !!!

Today our anti-virus not only detect viruses but all kinds of malware :

• Trojans : 31%
• Bots and Windows 32 viruses : 28%
• Scripts and macro viruses : 12%
• Potentially Unwanted Programs (PUPs) : 3%
• Old DOS, boot-sectors, windows 3 .1 and miscellaneous threats : 26%

Yesterday with the DAT-4799, we detected 199,920 viruses. In 24 hours we will have added 184 new detections. Daily updates for anti-virus protection has never been more necessary.

I recently got a bunch of Yahoo instant messages from a few IM buddies. All of them about a geocities page: www.geocities.com/omg_thats_too_funny_3/ Unfortunately, that page was taken down by the time I could check what it was about. Also, my buddies couldn’t recall sending me that link.

It’s essentially a phishing attack delivered over the popular Yahoo instant-messenger network. You might see an offline buddy sign in, send you the above link with a couple of tempting smileys, and quickly log off. The scary part is that it’s sent without their knowledge, frequently when they are not online. They might even remember getting knocked off of the Yahoo IM because “they signed in somewhere else”. This likely meant that their Yahoo accounts had been compromised.

If you look around, you will find quite a few others have been scammed into losing their Yahoo passwords via phishing sites:

http://isc.sans.org/diary.php?storyid=1463
http://www.broadbandreports.com/forum/remark,14377670
http://zigzackly.blogspot.com/2005/10/yahoo-password-hack-warning.html

IMs from buddies are to easily trusted. Many sites that host pictures/videos allow only registered users to view them. So it’s not surprising that this type of attack is so successful.

What’s different about this attack is that it’s not a simple password-stealing attempt from a single targeted user. Once an unsuspecting user compromises her credentials by submitting them at the phishing site, a CGI script on that site uses the YMSG protocol with the stolen credentials, logs on to the Yahoo IM network and gathers the buddy list of that user to propagate the attack further! All buddies on this compromised user account get similar IMs posing as this user.

Theorizing further, it’s not hard to imagine a central attacker controlled dB of stolen Yahoo IM ids (and for the users who fell for the phishing, even their passwords). Such a dB could be really useful for spammers. It can be used to do some fancy data-mining as well (buddy relationships etc). At the very least, it shows which users are security savvy and which ones are not!

The attacker could keep creating newer sites when older ones are taken down/blocked. Yahoo IM’s default-allow policy makes all this even worse – non-buddies (anyone!) can send you an instant message without any previous contact. This is actually the whole point behind using them on social networking sites like Orkut, Myspace etc. So the phishing attacks can’t really be blocked on the network or URL level.

The only solution seems to be to use a “site-key” mechanism on the Yahoo login page(s). Something like a user-specified image/secret that gets displayed before the user even types the username (or password). This image can be selected based on the cookies/Macromedia Flash Objects downloaded through previous sessions. Since only Yahoo can read the content inside these local objects, only Yahoo can generate the right site-key image. The user enters her credentials only on recognizing the right site-key.

Today Microsoft addressed 18 vulnerabilities of which 14 are rated critical. One of the critical vulnerabilities, (MS06-035) Mailslot Heap Buffer Overflow vulnerability, can be remotely exploited by an anonymous user on Windows 2000 SP4 and Windows XP SP1. This vulnerability is the only worm candidate among the patched vulnerabilities today.
The update for our graphs of last month is found below. The top graph shows that this year Microsoft has already addressed more critical vulnerabilities than in the whole of 2005. The bottom graph shows that the number of important vulnerabilities has not changed significantly.

McAfee Avert Labs has given three of the vulnerabilities patched today a rating of High while the others have received a rating of Medium. The ones with a McAfee rating of High are the worm candidate, (MS06-035) Mailslot Heap Buffer Overflow vulnerability, and the Excel and Office vulnerabilities for which exploit code has been published, (MS06-037) Excel Malformed File Vulnerability and (MS06-038) Office Malformed String Parsing Vulnerability.

No need to remind you to review your deployments now!

Virus authors are continuously trying to make life difficult for the antivirus community.

Early worms fired the first warning shot by disabling on access scanning or even deleting antivirus and security related processes on infection, thereby rendering the machine defenseless. Stand alone cleaning tools had to released by antivirus vendors until even these got targeted. Classic case is that of W32/Sober@MM vs. McAfee Stinger.

To prevent researchers from reverse engineering binaries, malwares started using
anti-debugging techniques and would quit execution in presence of a debugger like SoftIce. This made malware analysis more difficult.

For some time we have also seen malwares that are VM (virtual machine) aware. These malwares will not execute on virtual operating environments like VmWare and Microsoft Virtual PC. Researchers were forced to tweak virtual machines at the cost of performance or resort to executing these worm families on real machines. Both methods take up valuable research time when one has to replicate malware dynamically.

The latest salvo is a virus that directly targets the very tools that security researchers use.
Interactive Disassembler Pro (IDA Pro) is a popular disassembler that is used to reverse engineer and decompose binaries. Custom IDC scripts can be written to automate tasks like unpacking a file or running an algorithm.

W32/Gatt is a polymorphic entry point obfuscation virus that infects only scripts associated with IDA Pro. It infects IDC script files found on a machine and replicates when an infected IDC script is executed.

By targeting tools used by antivirus researchers, the author makes an attempt to embarrass the security community.

Researchers are a paranoid lot when dealing with malware and are very careful about the way files are exchanged and executed. What could actually end up happening is a couple of curious wanna be virus writers fooling around with it and getting infected!

A couple of days ago, McAfee-UK released the results of a survey on teens’ attitudes toward safety on the Internet as pertains to accessing free music or videos. Here you can read the press release titled Teenagers Risk PC Security For Free Downloads. But I always prefer the raw data. Unfortunately, this tabulation has already been interpreted and lacks the original questions. But they’re still interesting=85

Sample Size

The research was conducted in June 2006 by ICM Research who conducted 615 interviews with teenagers aged between 13 and 17 in six European countries. The sample breakdown is:

1. % of teenagers unconcerned by the risks of viruses and other threats when downloading music or video content

2. % of teenagers who regularly use illegal (sic) file sharing sites like Kazaa and Limewire

3. % of teenagers who are not worried about internet security when they go online

4. % of teenagers who rarely check to see if their security software is up to date

5. % of teenagers who are entrusted with keeping the family PC secure

6. % of teenagers that purchase digital content from online shops such as iTunes

7. % of teenagers do not scan downloaded files or email attachments for viruses or other threats before opening them

8. % of teenagers who admit to giving out their personal details in chatrooms

9. % of teenagers who are unaware that a breach could cause them to lose all their digitally archived items such as music

10. % of teenagers who did not realise that their PC could be remotely taken over by cyber savvy criminals and used to send spam emails

11. % of teenagers who are unaware that their personal information could be hacked into and stolen

12. % of teenagers aware that their digital content such as music could be lost through infections

13. % of teenagers aware that hackers could steal their personal information

14. % of teenagers who did not know what a phishing scam was

15. % of teenagers who had never heard of spyware

16. % of teenagers who know what phishing is

17. % of teenagers whose family PC is located in their bedroom

18. % of teenagers whose family PC is located in the living room

This is primarily intended as a question for you, the reader, to weigh in on:

In this era of dozens of new variants of common malware families, what is the most important aspect of prevalence to you? Prevalence of individual variants, of specific families, of meta-families?

Historically, prevalence has been based on individual variants, e.g. X number of samples of W97M/Melissa.a or of W32/Bagle.g, etc. As these examples show, this also was primarily based on viruses as it indicated the virus' own spread, rather than counting how many ways a trojan author could spam his own creation.

As frequently-updated trojans and bots become more popular and mass-mailers become less so, it may be that this model needs to be revised.

Do you consider things to be more dangerous or notable when their particular attack-vector is being widely used
("Beware – we see an increase in viruses using a specific vulnerability!"),

or when certain types of malware become more common
("Downloaders are increasing in popularity!"),

or is it still most valuable to you to be alerted when just one specific variant is making the rounds?
("W32/MyLunch.m@MM is everywhere!")

Why do you find that to be the most important aspect? How will that information best assist you in protecting your environment?

Four variants of working Linux/Exploit-PRCTL code has been made available to the Internet over the past 4 days. All of these variants takes advantage of a bug in core dump file handling within Linux Kernel 2.6 that enables local non-privileged users to write into the cron.d folder which they would not normally have write access to. For those unfamiliar with the Linux operating system, the cron.d folder is the Windows Task Scheduler equivalent where tasks or files residing within will be executed on a schedule. To make it relevant, tasks executed in this folder will have privileges of the cron service user – typically root.

This is not the first malware to exploit a Linux kernel vulnerability to gain escalated privileges. But it must be one of the most potent ones in a long while. Despite being limited to only local users, running one of the many vulnerable PHP scripts on a Linux web server could mean quick remote access for those with a malicious intent. One would expect it to be very popular with hackers and PHP worm authors.

Linux 2.6 users should update to the Linux 2.6.17.4 stable release.

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine Sage. We will leverage this communication vehicle to deliver meaningful and sometime raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html

There has been some discussion in the last few hours, of a new MySpace virus (JS/SpaceFlash) that has recently been discovered. This is the second to target the MySpace community this year. While the first virus had a significant spread, this one seems to have spread much less. There have also been updates to MySpace this morning, to require a more recent and specific flash-player in order to view videos.

There has been some criticism about the inclusion of active content on sites like MySpace. MySpace is a social networking site that was created with the specific aim of helping musicians post their wares, so that they could gain more exposure without having to have the backing of major labels. This has also recently been expanded to include comedians as well. In light of this aim, it seems necessary that a certain amount of active content be present to achieve this end. What is the point of a site for promoting musicians and comedians without any way to see or hear them?

This situation strikes me as similar to the early days of the addition of macros to MS Office: It's important to balance powerful functionality and security. Despite the best attempts at including security features in any given product, with a large enough user base, it's likely holes will occasionally be found. At that point, the speed and thoroughness of a vendor's response becomes most important.

In the end, macro viruses all but died out, due in large part to the security features added to MS Office, and generic macro-virus detection added by all major antivirus vendors. It will be difficult for MySpace to address things like cross-site scripting and external modification of profiles without hampering users' ability to add content or to use tools to customize their pages. Obviously more still needs to be done on this front, and the battle is far from over.

MySpace has acted reasonably quickly so far, though there's issues left to be addressed in order to keep this sort of thing from happening again in the future. Hopefully they're taking an in-depth look at these issues, particularly external modification of profiles, so that they can minimize the risk of this being done maliciously.

MySpace is full of people who'd like you to try their wares. If it's music or comedy, so much the better. Beware, though, as you may also get something more nefarious. In addition to the two MySpace viruses this year, there are now two reports of MySpace being used to increase installations of adware.

The most recent report is of an ad that was placed on MySpace, which used the WMF exploit which was patched in January (MS06-004), to install adware. Earlier this month, it was found that another company had created profiles on MySpace in order to increase installs of their adware.

Again, we run into the difficulties in balancing functionality and security. There's really nothing to prevent profiles being created for questionable purposes. And in further searching, it actually appears that at some point in the past there were quite a few sites that were linking to Zango downloads, not just those connected to video clips. One such member's page is very clear about his intentions – he's part of the affiliate program, and he's trying to make some money.

Unfortunately, this behavior is explicitly forbidden in the MySpace Terms of Use Agreement. His account has apparently been terminated since posting that request for downloads. Other users have been more fortunate (perhaps they took it down before they were caught, but not before Google could index it!) while links to adware downloads have been removed from their profiles, the rest of their profile is still available.

Also in the Terms of Use Agreement is the caveat that MySpace may require you to download software or content in order to participate in certain services. The update to the video player could be considered one of these things. It could be considered quite confusing for certain users to know which downloads for video players are legitimate, and which are unapproved.

A virus author responded today to the theme of Sage. Said he was the author of Leprosy and Leprosy.B.

Since we just topped 200,000 malware detections, his two comprise .001% of that total. Tiny trifling amount. But Gartner just released data for the Worldwide Antivirus Software Market for 2005 with a figure exceeding US$4B. Let's see, 200,000 is to 2 as $4 billion is to … $40,000. That would be one measure of Neil McAllister's burden on society for 2005.

The problem with writing viruses, they never go away. There is an associated cost to society for the deed that cannot be undone. And for this reason (and many others) you continually hear, no antivirus company will hire ex-virus writers. No matter how "ex" they are, their creations live on.

There had been several instances of the FormSpy trojan being discovered in the wild today. Its installer was heuristically detected as New Malware.ag (now Downloader-AXM).

Upon successful execution, FormSpy hooks mouse and keyboard events in the Mozilla Firefox web browser. It can then forwards information such as credit card numbers, passwords and URLs typed in the browser to a malicious website hosted at IP address 81.95.xx.xx.

Typically, Mozilla Firefox components are installed via .xpi files where users are prompted to confirm the installation. FormSpy writes and modifies Mozilla configuration files directly which bypasses this confirmation process.

When Mozilla Firefox became a popular alternative to Internet Explorer, it was only a matter of time that spyware and trojan authors start writing malicious code in the form of Mozilla Firefox components. Mozilla Firefox users should exercise caution in downloading and installing unsigned extension components from unreliable sources.

Microsoft products have always been an attractive target for hackers and malware authors. With every emergence of a new scripting platform from Microsoft, virus authors have taken advantages of the features of the new scripting language to create milestones in virus outbreak history. The W97M/Melissa outbreak in 1999 that took advantage of word macros and VBS/Loveletter that used the visual basic scripting language to wreak havoc in the year 2000 would go down infamously in history as the most successful script viruses.

Last week, a proof of concept virus "MSH/Cibyz" based on Windows PowerShell was released by members of the RRLF virus group. PowerShell is the new command line shell and scripting language for Microsoft Windows and is seen as a replacement for the default command interpreter shell. It runs on Windows XP, Windows Server 2003, Windows Vista and Windows Longhorn but does not come installed by default as of now.

MSH/Cibyz belongs to the plain old garden variety shell script virus and it uses the same infection methods that one could with any shell, not just the Windows PowerShell in particular. It cannot achieve memory residency nor possess rootkit capabilities, however malicious code written in Windows PowerShell can be modified to drop a Win32 executable on an infected system to achieve the above mentioned features.

Members of the RRLF group had previously released two proof of concept viruses in the past year targeting Microsoft Windows Vista. First was MSH/Danom a script virus written in Monad, the predecessor to Windows PowerShell and the other was W32/Usined alias MSIL/Idonus that used the Dot Net framework. Sadly these viruses can't stake the claim to be Windows Vista viruses and are just Microsoft Shell viruses.

This doesn't seem to deter virus authors working overtime to get their creations ready for Windows Vista and Longhorn to ensure they are in the news for all the wrong reasons.

With Windows PowerShell offering the functionality to do anything one can do from the graphical user interface, via a command line shell, it makes it an attractive platform for malware authors to write next generation viruses. Only time will tell=85

There've been a few articles lately about the potential for security breaches using various devices that frequently get excluded from consideration of an organization's security policies. This is a good indication of a greater security problem, as it applies to not only things like printers and Blackberries, but also things like iPods, PDAs, mobile phones and thumb-drives. Anything that can store data from your network can potentially be used to compromise your network. The more data from your network it can access or store, the more dangerous it could obviously be.

Things like Blackberries and printers require some network connectivity which means they can be used to gain some access to network traffic or information like network topology. PDAs, mobile phones, iPods and thumb-drives are generally just used to synch data with the device but this means that they can be effectively used as a separate hard-drive which can be used to add or subtract files or information.

In a sense, this is no scarier a prospect than any other machine which is typically attached to a corporate network. Where this is problematic is that these devices are considered more like toys than proper machines, and are not given the same security concern.

This would be somewhat analogous to letting random kids from around town into your house. Sure they may be pint-sized and adorable but that doesn't mean these kids couldn't (or wouldn't) sneak the $20 out of your wallet when you aren't around to see. At this point, most people keep their houses well closed, and are reasonably particular about requiring an invitation or level of trust of people they let in. And once they're inside, people are then pretty attentive about what sorts of things people are "allowed" to do while they're there. For instance, you wouldn't allow guests at a party access to a personal safe or your financial records (perhaps not even some family members!), but you might grant your CPA to access the latter.

Network security by and large hasn't quite gotten to this level for most organizations, who instead leave the metaphorical windows and doors open for anyone to come in with the exception of a few known offenders (assuming they haven't found a sneaky alternate way in). At this point it'd generally be best for most organizations to think more along the lines of white-listing or grey-listing rather than simply black-listing: Not just excluding traffic from "known-bad" ports or file types, giving equal scrutiny to devices which aren't your standard PC/server machines, matching user's actual needs with their access levels, etc. As more OS and application-level 0-day exploits are found, a wider variety of file types are considered potentially suspect, and security hacks for devices are published, this becomes unequivocally the case for a larger and larger percentage of the population.

Gone are the days when dumpster diving or going through waste printer paper in the trash was used to gain sensitive information about an organization. The paper shredder was a cheap and cost effective solution to the problem of dumpster diving. Although the occasional confidential printout still pops up here and there due to a failed print job, but for that we can blame it on the faulty ink cartridge!

Today's printer are state of the art multi-function devices that also serve as fax machines, photocopiers or even mini file servers. They come with their own stripped down operating systems usually Linux/NetBSD and support most network protocols namely IP, IPX and AppleTalk. However, few organization take measures to secure their printing devices. Both physically and on the network.

Most printer can be reset to their factory default by certain key combinations or via a hard reboot, depending on the vendor and model. Usually the default username and passwords to configure the printer via the web administration or SNMP interface is freely available on the internet. Once reset and logged in, an attacker could re-configure the printer to dump every job sent to the print spool to disk.

More recently at the just concluded Black Hat conference, a security researcher demonstrated how to run unauthorized software on the printer, compromise network traffic, and access sensitive information being printed, by taking advantage of a configuration error in the printer's web interface.With the kind of sensitive information being sent to the printers, it does becomes a soft target for an attacker to eavesdrop on sensitive company data.

To date, software and firmware upgrades for printer were unheard off unless something went really wrong with the printer. The wake up call has now been sounded for IT managers to revisit printers and secure them physically and via software security measures.

Wiki is a type of website that allows users to freely add, remove or edit available content, mostly without the need for registration. With Wiki being a frequently visited site for information, it also becomes an attractive target for malware authors for targeting unsuspecting victims.

Given that most pages can be changed without any user authentication, the following attack scenarios are possible:

• Legitimate hyperlinks in Wiki are modified to point to malware executables.
• Legitimate hyperlinks are modified to point to websites that install malware via drive by downloads using browser vulnerabilities.

In the first scenario, we could have a worm that installs an illegal web server on compromised machines on the internet to host further copies of the worm. Instead of spamming users the worm could then target vulnerable users on Internet Relay Chat (IRC) or popular Instant Messengers (IM). This worm could also traverse and modify pages in Wiki to point to yet a different web server hosting a copy of the worm.

The second scenario is far more alarming as innocent users who click links in Wiki could get re-directed to questionable sites and have malware installed on their systems using zero-day browser vulnerabilities.

A proof of concept that exploits the first scenario has been published which modifies every link in a Wiki page to point to a copy of the worm. To get random wiki pages for infecting, it uses this URL to get to a random topic everytime.

Most people trust Wiki links as it is a great resource for information. Unfortunately the lack of authentication or the usage of a gimpy to edit topics in Wiki, leaves it open for such attacks. Its only a matter of time before Samy meets Wiki.

When Microsoft released the monthly security bulletins on August 8, we blogged that the Windows Server Service vulnerability (MS06-040) was a worm candidate. Exploit code was released to the Internet community on August 10, and the first IRC bots to exploit this vulnerability were discovered in the wild on August 12, all in 4 days.

Without surprise, the bot, IRC-MocBot!MS06-040, is apparently a quick hack from its precedent, IRC-MocBot, with an updated exploit module using publicly available code. It uses the same replication mechanism and even connects to the same hostnames as it did in October 2005.

At the time of writing, the exploit used in two similar variants of this threat are targeting Windows 2000 systems which are not equipped with default Windows firewall or memory protection – both features introduced in Windows XP Service Pack 2 and Windows 2003 Service Pack 1. Even so, this threat may still infect other systems by enticing users into downloading the malware by means of instant messaging, e-mail or other vectors. Once infected, it can then scan for vulnerable systems in your corporate networks.

IRC-MocBot!MS06-040 variants can be detected by McAfee VirusScan using the latest DAT set. More information on IRC-MocBot!MS06-040 is available at http://vil.nai.com/vil/Content/v_140394.htm.

The exploit contained in this threat will not affect you if your Windows systems are updated with the latest MS06-040 patches from Microsoft. Reiterating Monty’s advice from his blog, there is no better reason to review your deployments now.

In the last year phishing emails have increased by aproximately 25%. Fraudsters are still targeting the high profile Banks, Financial Institutions and e-commerce sites that they have been targeting in the past, but in many cases they are changing the content of the phishing mails from the "change your password now" type phishing scams that have been prevalent in the past, to more varied and directed messages.

In addition to attacking these well known companies, fraudsters are increasingly targeting smaller European and American financial institutions, and the targets are changing almost daily.

The old rules still apply to these new types of phish; always visit your Banks website by typing the name directly into your browser, or from a bookmark in your browser, rather than following a link in an email.

The e-commerce phish has also become more directed; much of the phish targeting popular online auction sites appears to have been sent from another user rather than from the auction site. For example, many of the phish are fake messages claiming that you bought an item and have not paid, or the other user has raised a dispute against you, or is enquiring about an item for sale. In all these cases if you think that the message may be genuine then if you log directly into the auction site (do not click on the links in the email) you can see if anyone has tried to contact you.

Even though the content of the phishing messages has become more varied, the social engineering techniques used are still the same, and can be avoided by visiting the financial site directly rather than clicking a link in an email.

A Website called ConsumerReports.org today published an article (strangely it was dated “September 2006) about a test they conducted involving 5,500 samples of artificially created virus samples.

There are several things here that do not seem right:

1. It is claimed that created viruses were “the kind you’d most likely encounter in real life” which is, of course, something the testers cannot know.
2. Creating new viruses for the purpose of testing and education is generally not considered a good idea – viruses can leak and cause real trouble (you can read an open letter on the AVIEN site about that).
3. There is a more scientific way of measuring real proactive detection of AV products on future malware – it is called “proactive testing” or “retrospective testing”. The idea is to measure, say, 3-month old AV product against real field viruses that appeared within these last 3 months. The discussion of the methodology of such tests can be found here and some real test results with common AV products are on the AV-comparatives.org site.
4. Objection #1, that ConsumerReports.org cannot know what viruses we are going to face in future could be moot as their testing team apparently invented a time machine and shifted themselves forward to September .

McAfee Avert Labs received several worms implemented in a scripting language called ‘Lua’ (see http://www.lua.org/). It is a free scripting language first version of which was released in 1994!

There are two things that make this an interesting development. Firstly, this language is widely used for online gaming (”World of Warcraft”, “Garry’s Mod”, “Illarion”, “Escape From Monkey Island”, “Daimonin” MMORPG and many others). The list of games using ‘Lua’ is quite long (see full list of projects at http://www.lua.org/uses.html).

Secondly – two of the recently discovered worms were written to find and remove other ‘Lua’ worms! We have seen W32/Netsky and W32/Bagle families fighting each other in 2004 but we really hope that the history would not repeat itself with worm-wars in online gaming.

Some of the games execute ‘Lua’ scripts on the server side which can potentially compromise the security of the server that thousands of users are currently connected to. Servers used for gaming are nearly always trusted to install and run programs on the client computers (game extensions and updates) thus paving a way to a rapid deployment of malware should a server becomes infected.

Detection of all currently known ‘Lua’ worms is included in the latest DAT update. Avert Lab’s recommendation is to use updated AV, properly configure permissions and introduce file change-control which is particularly important for all user-facing server systems.

McAfee Avert Labs has received samples of a new mass-mailing worm that we call http://vil.nai.com/vil/content/v_140497.htm. What makes it noteworthy is that this worm sometimes sends itself as a usual binary zipped attachment but sometimes mass-mails out Exploit-WMF with itself inside (zipped or non-zipped). The worm is packed inside a modified UPX container and is 78,336 bytes long.

The now ubiquitous WMF exploit first appeared in December 2005 and since then it was one of the most common attack vectors for home users. McAfee AV products have provided proactive detection of known malformed WMF files that can exploit the WMF vulnerability.

Some cell phone users have started receiving SMS messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com“. (This is an example and was not a real url at the time of writing)
This phenomena, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software and steal personal account information and other malicious activities. Because monitoring botnet activity is complex, it is challeging to know the current scope of the problem.

Imagine the threat to enterprise networks once hackers learn how to fully exploit SMiShing techniques. Most large enterprises have thousands of employees, using a variety of devices to access their networks. Despite their best efforts to issue safety guidelines, IT security staff cannot control human behaviour-especially in light of the fact that mobile-users have not (yet) learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.

Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now.

Only a little while ago we were discussing the possibility of someone taking the techniques of phishing by email and porting them to SMS. SMiShing instead of phishing.

While the name is catchy, don’t be misled, it’s actually based on a real event. A number of SMS messages were sent out to users in Iceland and Australia telling them they would be charged $2 a day for membership on a dating website. Victims attempting to “unsubscribe” from the site and daily charge get their computers infected with a backdoor trojan. The South Australia Office of Consumer and Business Affairs (OCBA) even put out a warning to consumers about the scam.

Considering that this Smishing event occurred a few months ago with nothing since, one might reasonably relax. We at McAfee Avert Labs would agree with you except that we’ve just received a sample of a mass-mailing worm that performs a Smishing attack. VBS/Eliles.A.

This is a standard VBS worm that skips the loading of a backdoor trojan and simply opens a backdoor on the victims system. Most of the code is in Spanish, with a few comments in German. That incongruence along with variations in coding style of the various internal functions implies that this worm is composed from disparate sources. Very script kiddie.

The interesting part is that it includes a routine to send Smishing messages to users of two Mobile Phone providers in Spain. Rather than calculating random IP addresses to send messages, this worm generates phone numbers within the ranges used by mobile phones. Eliles.A sends its smish message free of charge through the mobile phone providers’ SMS-email gateways.

Unlike the previous smishing episode, Eliles.A does not use the error in billing ploy. Instead this worm tries to be helpful by offering the victim free “antivirus” software for their phone, supposedly from their mobile phone provider. The smishing message specifically targets Nokia Series 60 phones. Users that download and install the software from the link in the SMS find themselves infected with malware. Fortunately, the download link is now dead.

We were startled to see a smishing attack turn up in a simple mass mailing worm. A malware writer who spends time researching a new attack will usually write custom code for it rather than reuse someone else’s code. Over time the attack gets packaged into standard routines and eventually included in the script kiddie’s toolbox. The transition from brand new to script kiddie use can take months. This is the malware equivalent of finding a machine gun in the stone age.

The genie is out of the bottle with regard to smishing. Now that the script kiddies are involved, we’re bound to see a rise in the numbers of smishing attempts in the coming months. So much for relaxation.

For many out there this is the Back To School season, which can also mean deciding what kind of computer to get for school-bound family members. With a new OS update on the horizon for both Windows and Mac, the inevitable comparative security debate is filling blogs and news sites all over the world.

In the end, the security question is sort of irrelevant when deciding which kind of computer to buy.

The big question is still this: What are you going to be using the computer for?

Is little Johnny or Susie going to be using a computer in school? If so, what kind is in use in their school district? Will this machine instead be used by a someone going to college who’ll need it for Video/Picture/Audio manipulation? Graphic design? Perhaps a Mac would be the best choice. Will it be used primarily as a game platform, once homework is done? Windows will give you a lot of popular game options, and word processing is a pretty basic option on any OS. Studying for a CS degree? Again, it may be that Windows is the preferred choice.

Perhaps this machine will be used for web-browsing, email and IMing after homework. Both Windows and Mac have these things thoroughly covered, so we have a different question to ask: Will the person using this machine need someone to show them how to use it and/or do periodic maintenance? Would you be able to help, or would they have to take it to a repair shop each time a mysterious error message pops up or they need a new app installed? Perhaps you should choose the OS you’re more familiar with, to save the added hassle and expense of taking it to a repair shop.

At this stage of the game, there are two basic things which will have the biggest effect on the security of any desktop/laptop machine:

• Application/OS vulnerabilities
• Social engineering

No OS is completely immune from application or OS vulnerabilities. The response of the vendor is the biggest consideration and arguably at this point the major players aren’t leaving actively attacked holes open for extended periods of time. With a firewall and anti-virus software in place, the average user will be reasonably safe. (If your machine should be armored like Fort Knox, obviously “reasonably safe” won’t be sufficient, but that’s another story)

So, what’s left at that point is social engineering. No amount of OS security or security products will prevent you from putting your home address, phone number, credit card information, etc. out on a website if you’re truly determined. Malware does not have to be prevalent to be dangerous – if you’re the only person in the world who got targeted and your machine is compromised in some way, it’s still a big deal to you personally. People still need to be aware and proceed carefully regardless of what kind of machine they’re using.

McAfee security tips

Last night Sunbelt blogged about a zero day IE exploit being discovered in the wild. This attack has taken shape much the way Exploit-WMF did back in December 2005. A trojan toolkit known as WebAttacker was updated to include exploiting a new Vector Markup Language Buffer Overflow vulnerability. This toolkit is known to be sold on the underground for as little as $17 US, but just like the Exploit-WMF case, we can expect exploit source to be readily available shortly.

General advice around this kind of attack is to stay on the straight and narrow path while touring the Internet. However, WebAttacker has historically been installed on compromised web servers, and we’ve seen message board posts and blog entries that include iframes to refer to other sites that are running WebAttacker. Disabling JavaSript effectively neuters known attacks. Using an alternate web browser also thwarts this attack.

Microsoft has posted an advisory including workarounds:
http://www.microsoft.com/technet/security/advisory/925568.mspx

McAfee product coverage (including proactive 0-day protection) can be found here:
Exploit information: http://vil.nai.com/vil/Content/v_140629.htm
Vulnerability information: http://vil.nai.com/vil/Content/v_vul26881.htm

P.S. As I write this entry, Exploit-WMF remains as the top most reported malware blocked by our VirusScan Online products.

Yesterday McAfee Avert Labs updated the W32/Mofei.worm entry. This threat has recently been seen in the wild being dropped by Microsoft Office documents that used a 0-day exploit to compromise the victim’s computer.

To respond to some questions I received in Paris, I took a look at this sample.

The dropper is a malformed Microsoft Word document exploiting an undocumented and previously unknown vulnerability in Microsoft Word. The file I used for my tests is a Japanese 3 page Word document. It is approximately 79,265 bytes in size. Via the properties windows, we can see 2 five-uppercase-letters names as author and company names. Names started with the letter K. According to the statistics folder it was created on September 1st.

After I opened this document (Office 2000 on a Windows 2000 machine), 2 files were silently installed in my %windir%system32 directory:

• clipbook.dll (30,720 bytes)
• clipbook.exe (33,713 bytes)

A word document was also created in the %windir% directory (28,160 bytes). It is a “clean” copy of the malformed one.

The files in the system32 directory are related to an old network share propagation worm previously named W32/Mofei.worm. It attempts to spread by copying itself to the ADMIN$ share of remote machines. It scans IP addresses, tries to gain access to the share by trying weak administrator username and passwords. It creates temp and/or log files in the system32 directory. On my system I noticed a file named clipbook.dat.

The Microsoft Word dropper is now detected as W32/Mofei.worm.dr.
Exe and dll files are now detected as W32/Mofei.worm with DAT-4844. With older signature files, clipbook.exe is detected as “Trojan or variant New Malware.n” (since DAT version 4677).

Overview

Encrypting File System (EFS) [1], is integrated in Microsoft’s Windows platform since Windows 2000. Additionally, Windows XP Professional, Windows 2003 Server and Windows 2005 Media Center operating systems also support it. EFS uses public key cryptography that makes use of a user’s account login and password pair to encrypt a private key. The private key is used to encrypt the original data (files or folders). Encrypting any files or folders, in the supported operating systems, is a trivial task and can be done in many ways. For example as shown in the image below calc.exe can be encrypted just by clicking on “advanced” and then checking “Encrypt contents to secure data”.

Programmatically this can be achieved using calling various APIs that support file encryption like CreateFile with FILE_ATTRIBUTE_ENCRYPTED flag or EncryptFile function. Microsoft’s commandline utility Cipher.exe can also be used for encrypting directories and their contents. The result of such encryption is that only authorized user can view these files. Many businesses or home users frequently use it to encrypt the confidential data that needs to be protected from hackers, uploader trojans or somebody gaining physical access to machine.

Concerns

Recently a trojan was seen to take advantage of EFS to protect itself and execute with administrative privileges. This malware is composed of obfuscated DLL and PE files that are thoughtfully crafted. It has two main components, a dialer component that is detected as Qdial-45 the other is a downloader/dropper component detected as Spy-Agent.bf that drops this dialer along with an EFS encrypted downloader file. McAfee has been detecting variants of this trojan since August 02, 2006, however we have observed an upsurge in infection rates in last few weeks.

The trojan creates an administrator login account with a random name and random password. Using this login key pair it then encrypts the downloader component that it drops. It then creates a random service that points to the encrypted file with logon properties of the newly created login and password. This service can be arbitrarily started. The encrypted file is executed with the logon credentials that the trojan created, to download the updated variants of spy-agent.bf. Some variants of this trojan also drops a Browser Helper Object, a DLL file in alternate data streams. The DLL file is obfuscated as well and tries to download updated copies of Spy-Agent.bf trojan.

It has been observed to contact the following IPs and domains for updates and DNS queries.

• shiptrop.com
• 195.225.176.85
• 195.225.177.22
• esthost.com
• wscooler.com

The downloader component of the trojan uses steganographic techniques to hide the downloaded packets from network sniffers. From its download servers it downloads a packed file with a “gif” header. It decrypts this fake gif file in memory and creates a random named executable in “C:Documets and Settings\%LocalUser%My Documents” folder and launches it. The origins of these trojans appear to be the domain names “Gromozon.com”, “xearl.com”, and “micotad.com”. Most of them resolves to IP addresses in range 195.225.176.* – 195.225.177.*. It is advisable not to visit these web sites as they may still contain various browser exploits. We have always seen a tendency toward copycat malware. More malware may adopt similar techniques of self preservation using EFS. It is useful to understand what proactive steps can be taken to prevent such an attack.

Prevention

1. As a best practice disable download of unsigned ActiveX controls in the browser and always update Windows and McAfee products for latest signatures and updates.

2. VirusScan Access Protection rules.

• Block Access to Cipher.exe so that it cannot be used to encrypt arbitrary files and folders.
• Prevent Creation of NTFS stream in windows and its subdirectories by adding following rule to prevent file creation.
  • “%windir%**:*”

3. If EFS is not needed it can be disabled by following registry modifications.

• Navigate to the key HKEY_LOCAL_MACHINESOFTWAREMicrosoft Windows NTCurrentVersionEFS
• On the right pane, right click to select New, and then click DWORD Value.
• Enter EfsConfiguration for the value name and 1 for the value data to disable EFS.
• Restart the system.
• Any attempt to encrypt the file at this stage will result in the following message. “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”

4. EFS can also be disabled by adding a desktop.ini file, with the following lines, in the folder that needs to be protected from adding encrypted files.

[Encryption]
Disable=1;

5. Programmatically EFS can also be disabled using API EncryptionDisable(DirPath, BOOL) [2].

References

[1] Encrypting File Systems in Windows XP and Windows Server 2003

[2] Disabling EFS for a Specific Folder

McAfee Avert Labs has recently seen spammers start to use Microsoft Word documents and HTML attachments to deliver their advertising payload. By moving the advertising content, most importantly the URL link, into an attached document rather than the body of the email message, spammers are able to evade some of the Anti-Spam vendors’ content filtering techniques. This is because most vendors don’t scan content inside attachments because this has previously not been necessary.

Microsoft Word is a convenient format because it supports clickable links and most recipients will have Word installed or would be able to open the document with another compatible word processor. This is the format chosen recently by a spammer, Leo Kuvayev / BadCow, who is plugging pharmaceuticals using web sites hosted in China. This spammer sends out what appears to be an invoice/bill:

When recipients click on the attachment, they get the spam payload, which advertises the spammer’s pharmaceutical site:

We saw the first samples of this in our traps around the 22nd August, and we are still seeing them today. As expected, the spammer is varying the attachment file name, email body text and subject in nearly every batch of the messages sent, for example:

Subject: Billing Update, Bill #90023
Forward original invoice with attached invoice transmittal sheet to the contracting officer.
DATED MATERIAL,INVOICE ATTACHED

Subject: Your receipt for Invoice #25826
Credit memo attached to deleted payment receipt cannot be applied to different invoice.
Software order has a Related invoice attached with prepayment information.

Subject: Confirm amount of charges for Claim #59703
“Invoice” hence shall mean the invoice attached to this Agreement.
You MUST show and review the UCAR Invoice Number.

Subject: Filed under your account via Statement #67345
This is to acknowledge receipt of your letter (with attached invoice) of August 2006.
Potential fraud alert, please review invoice to prevent further action on your account.

The attachments for these samples have filenames similar to: Bill90023.doc, Invoice25826.doc, Claim59703.doc and Statement67345.doc, but the attachments remain the same so simple checksums are effective for now.
We may see this technique adopted by other spammers, and it may also spread to other popular formats such as PDF. While there are plenty of other characteristics of this spam that can be used to block it, it is yet another incremental step by spammers to attempt to make detection harder. To keep up with this, Anti-Spam vendors may need to add attachment scanning to their solutions, which would require additional processing power on customers email servers. In addition, the attachments mean spam is getting bigger. The messages in the current campaign are only 35k in size, but Word documents are well known for growing very quickly in size. A rise in document spam would mean recipients’ mailboxes and servers clog up faster, worsening the burden that spam puts on us all.

McAfee Avert Labs has been getting a lot of questions about the dangers of data-retention on cell phones. There’s an article covering the concept here.

Here’s our take on the situation: modern cell phones (”smartphones”) are miniature, portable computers-and they will bring along all the same problems with them as the technology matures: Virus, spam, phishing (or smishing), and people stealing data from lost, stolen, recycled, or resold devices.

“But I deleted those messages?!?! How can someone get it back?!?”
I think this is best explained by an analogy: think of your device (phone, computer, etc) data as being a textbook: Table of Contents in the front, informational pages towards the back. You write a document and you add pages to the book. The computer, when asked for a document, will look in the table of contents to figure out what page to read.

Makes sense so far, but when you remove a file, the computer doesn’t erase the pages in back-it removes the entry from the table of contents, so that it no longer knows or cares where the information is. “Why?!?” you may ask . . . well, in a nut-shell computers are lazy (i.e., efficient) and this is the fastest way to “remove” the file from the system. Heck, those pages may be overwritten some day . . . .

But, this introduces a problem: someone could manually search for the pages (skim the book, if you will) and then find and reconstruct the documents (until the page is recycled at least).

This is the problem that many people who have sold their cell phones are finding, those who have purchased them have (or are at least are able to) retrieve their deleted files-files that contain personal messages, email, address books, and worse.

If you are going to dispose of your phone, please contact the manufacturer or your carrier and ask them how to do a “low level” or “zero level” wipe. This is analogous to going through the book with an eraser and scrubbing out each and every letter so that the pages are blank. This makes is quite difficult for the data to ever be retrieved.

This is, of course, exactly what you should do with your computer’s hard drive if you dispose of it.

I can’t say it enough: your smartphone is a computer; you need to treat it as such and exercise the same level of caution you would give to your traditional PC.

Malware authors are continuously innovating with new techniques to render a Windows box defenseless. Given the massive install base of Microsoft Windows users, exploiting any new vulnerability or built-in security feature of Windows is stunningly effective and proves very productive for cyber criminals.

Early trojans upon infecting the system modified the windows registry to restrict launching programs like the registry editor, task manager, command prompt etc. This prevented educated users from manually killing the trojan and/or removing its associated registry entries.

Windows Update was the next target and often the HOSTS file was modified so that an infected machine could not get the latest windows updates from the Microsoft site. Without the latest security updates the machine becomes a sitting duck on the internet for worms and other malware.

System Restore was introduced from Windows Millennium onwards as a feature to allow users to restore a computer to a previous state without losing data. It automatically creates easily identifiable restore points, that allows users to restore the system to a previous time in case of a system crash or virus infection. Most virus families today turn off System Restore and all restore points get deleted once the machine is restarted. So much for restoring a computer to a previous state!!

The built in firewall with WinXp onwards is a nice feature to shield the machine on the internet. Virus authors were quick to come up with a solution. Either disable the firewall service on infection or create an exception list in the firewall rules to allow the malware access. The more popular technique nowadays is for malware to inject itself into trusted processes like Internet Explorer thus bypassing desktop firewall restrictions.

And the latest target in defeating built-in Windows security features is malware targeting the Windows File Protection feature. Windows File Protection protects core system files from being overwritten by third party application installations. If a system file is overwritten, Windows File Protection will restore the correct version automatically. Malware are often now patching SFC.DLL and SFC_OS.DLL which are responsible for checking system integrity to disable the file protection feature of Windows. Once SFC.DLL and SFC_OS.DLL are patched, core system file can be replaced without any alerts thus creating a hospitable environment for worms and other malware.

In the past two weeks, McAfee Avert Labs has already seen PWS-Satiloler and W32/Sdbot.worm families that modify SFC.DLL and SFC_OS.DLL to disable Windows File Protection. This functionally will most likely be incorporated into more malware families in the coming weeks and we're bound to see a rise in such cases.

For-profit malware has been increasing on the PC side for quite a few years now. Viruses that hold your files hostage, trojans that steal banking information and adware that floods your computer with popup ads. Malware writers have shifted their goals from gaining notoriety or personal satisfaction from the spread of their creations to the goal of filling their wallets.

Recently though, McAfee Avert Labs has begun to see a similar trend in mobile malware. Most of the mobile malware that we’ve run across has been relatively harmless trojan horses. A few files have been replaced, or the phone fails to start when reboot. A hard reset to clear the phone memory and you’re back to normal, minus your stored phone numbers and calendar information. You might have lost any time spent adding new software or saved documents, but at least none of your private information has been stolen. J2ME/Redbrowser changed the entire situation.

Redbrowser tells the user that it’s a mobile web browser that works over SMS. Instead of browsing to the address that the user wants, Redbrowser actually sends SMS messages to a Premium Rate number. On certain phones, the Java runtime will prevent Redbrowser from sending SMS messages without your permission. Redbrowser’s creator has gone to some length to social engineer you into saying yes when it asks to send the SMSes.

Stealing money in real life ranges from corporate embezzling to the common mugging. Where Redbrowser falls somewhere in between the two, J2ME/Wesber is closer to a mugging.

Like Redbrowser, Wesber also sends out SMS messages to premium number. It just doesn’t do it with as much style. Wesber has no user interface, so if the Java runtime doesn’t give a warning you would have no idea that you’ve just been charged roughly $15.

Wesber is found in a file named “pomoshnik.jar”. Pomoshnik is Russian and translates to “assistant”. It certainly assists its author in getting your money.

With the recent SMiShing incidents, the rise in for-profit mobile malware is definitely troubling.

For about a week McAfee Avert Labs has received, from various sources, samples of a new polymorphic parasitic file infector that infects EXE and DLL files. This newcomer has stealth capabilities and attempts to download some variants of the PWS-Lineage trojan from compromised websites.

As it does not execute its payload when the current ANSI code page identifier for the system is set to 936 (ANSI/OEM – Simplified Chinese – PRC, Singapore), this malware probably comes from Southern or Southeastern Asia.

This virus is named W32/Bacalid. The size of infected files increases approximately by ~35 KB. When a sample is run, it searches for an event named WINXPGOD. If this event is not found on the system, it creates and executes a DLL file named “VCab.dll”. It is then injected into a random running process to ensure it stays resident. The corresponding file is saved in a temp folder.
During my investigations, I noted four different VCAB.DLL files with four different sizes :

• 32,256 bytes and 32,792 bytes when they are packed
• 44,032 bytes and 44,544 bytes if not packed

These files are detected as W32/Bacalib!vcab

The downloaded files have a .wos extension; they are encrypted and get decrypted by the virus.

This threat is interesting because in this period where we generally encounter non self-replicating programs, the appearance of a new complex virus can often cause a stir. As it is an appender and because it erases the DOS Stub of any infected host file, detection is not a real problem. But for cleaning to succeed, the virus body must be decrypted.

Three levels of decryption must be processed and some enhanced anti-emulator codes are inserted to prevent an easy restitution of the original virus code. Polymorphic sequences of commands with variable constants and randomly chosen assembler instruction for this malware are particularly sophisticated. For now we detect 2 variants, they are very similar and just differ with their encryption at the first layer.

Today, computer users must be vigilant. One link hosting the PWS-Lineage is still alive and we continue to receive samples from the wild. Avert Labs has had our teams working at full speed to create a specific removal tool for this threat (stinger utility). For updated removal instructions, a copy of this tool and further information on this threat, please go to W32/Bacalid.

There's been some discussion today of a possible hack of Governor Arnold Schwarzenegger's computer which resulted in a leak of tapes containing private conversations with his staff. This points to issues we've touched on in past blogs: Basically, data retention is an increasingly important reason for you to be concerned with the security of all your machines. This includes phones, printers, PDAs, laptops=85 anything where you keep information you wouldn't want posted on the internet, anything you wouldn't want to have to explain to your boss or your grandparents.

One part of protecting your data is maintaining the security of your machine: Make sure your machine is up to date with all the latest security patches for your OS and applications, make sure you have a firewall and an up-to-date antivirus program, and so on. If your machine is one which requires extra security due to having more sensitive data or because you or your company is higher-profile and more likely to be attacked, you need to be sure to take extra measures like using vulnerability assessment tools and/or intrusion prevention systems.

The other part of protecting your data is being aware of the recording of information that is inherent in typing things into your machine, whether it be things you type into your browser or say in an IM conversation or even recorded conversations. There are plenty of viruses which have been blamed for leaking documents on sensitive machines, this is not a new phenomenon. Hacking too, is nothing new. But as people conduct more of their lives through their computers, it becomes so ubiquitous that people cease to consider the implications of the medium.

Here are a few questions you can ask yourself to determine whether this is information you want to be typing:

1. Is this information going out securely?
2. Do I trust the security of the end-point?
3. Is this something that really needs to be said at all?

If this is, for instance, personally identifying information:
Have you verified that this a secure site? (Looking for the lock in your browser window, for example)
Have you verified that the site is what it says it is? (Logging in directly through your bank's main page, not following a link in email)
Do you really need to be giving out this information at all? (Verifying the reason this person or site is asking)

If this is something more seemingly innocuous like a conversation in IM, the last question becomes especially important. Typing something inflammatory in a chat window is a bit like passing notes in class – the information could be intercepted en route, it could be outright stolen, so the best tactic is just never to write the information down at all unless you want it shared. Then there's the issue of things like online journals or blogs – people so often post incredibly intimate details of their lives since the internet seems like such an incredible source of anonymity, but if word gets back to their employers, there can often be serious consequences.

This is not to say that people should never have private conversations over the internet, as it is a potentially incredible resource for connecting with other people or expressing yourself. The important thing to take away from this is to be conscious of your actions and interactions, as things written down (especially on electronic devices!) have a way of being rather more indelible.

While the definition of malicious software seems clear, that of Potentially Unwanted Programs (PUPs ) is less so.

The first come under the generic title of malware. They are used to steal or destroy information. Even when distributed via games, they can damage the computer system and can often remain resident without authorization. Malware is mainly created to cause harm to the target computer. Authors of malware expect to gain notoriety, or more and more often, illicit income.PUPs on the other hand are usually made by legitimate corporate entities for specific beneficial purposes (to whom they may be beneficial is debatable).

Adwares belong to this category of programs. They install themselves on the user’s machine collecting marketing data and distributing targeted advertising intended to generate income. Their legitimacy becomes debatable when they alter the security state of the computer on which they are installed, or the privacy posture of the user using the computer.

Between 2000 and 2002 there were only about forty or so adware families. Their number rose sharply in the next years. It increased by more than 1000% in three and a half years. In August 2006 there were more than 450 adware families with more than 4000 variants.

I just finished a white paper describing the main participants in the on-line marketing domain. This document explains the concept of affiliators and affiliates and the recognition techniques used to install the payment systems. It analyzes the amounts which affiliates can expect to be paid depending on whether they use “soft” or aggressive methods. The firsts use conventional techniques (pay-per-display, per-click or per-profile). They can expect to receive a payment of $25 for every 1000 positive occurrences produced. On the same basis, an adware pay-per-install payment may bring in up to $150 for 1000 computers.

Following the money, this white paper demonstrates why many low-level delinquents do not hesitate to distribute these programs on a large scale using reprehensible methods.

Now, some “cyber-delinquents” quickly and secretly install thousands of programs each day on target computers without the knowledge of their owners. They are thus able to pocket some tens of thousands of dollars each month.The complete study is available here:

Adware and Spyware: Unraveling the Financial Web

Today Microsoft patched 3 vulnerabilities. The vulnerability that is rated important, (MS06-052) “Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution “, can be remotely exploited without user interaction. However only Windows XP systems that have the non default Microsoft Queuing Service (MSMQ) installed are vulnerable. Administrators who have installed MSMQ are highly recommended to install the MS06-052 patch as soon as processes allow. The other two vulnerabilities require user interaction for an attack to succeed.

The update of our graphs of last month is found below. The graphs show that September is usually a month with a few or no patches.

Whilst investigating how spammers are abusing free web site hosting providers, McAfee Avert Labs has discovered that very few spammers have the technology or resources to abuse the free web hosting providers in an automated or bulk manner. This leads to a vertical marketplace where a spammer (with the necessary skills) can sell this alternate form of web site hosting to other spammers. These “link providers” create and maintain thousands of free hosting accounts on behalf of the spammers, which are then used to redirect to spam web sites. The providers can update the redirects, so that when the final spam web pages are taken down by ISPs, web hosts, or domain resellers, the redirects can be updated to link to another live spam web site.

For this service, plus 50 accounts per day, one particular “link provider” charges $25 a week or $0.04 per link ($25 is roughly the cost of 3-4 real domain names). Some spammers like the free hosting providers – they know that the bigger hosts are unlikely to get blacklisted because they have many legitimate users.Grassing them up: After some discussions we started sending data to one of the larger free hosting providers about accounts seen in our vast network of spam traps. Within about an hour, they had regularly confirmed our data and taken down the accounts. This relationship has cut the abuse observed by us on that provider by over 90% in just over a week. Let’s hope those spammers are buying their new watches from pound$hop, rather than Bolex, this summer!

Everyday we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned over not having an organized way to check the bots, like geographic distribution, for example. But how can he or she accomplish this in an easy way? Yes, Google Analytics! As many of you know, Google offers Google Analytics (www.google.com/analytics) as a free service that allows anyone to keep collect and view tracking information about website visitors, like Unique Visitor Tracking, Daily Visitor, Geo Location…

The following code was found on this bot variant. This is typical code that one would usually add in to a webpage to make Google Analytics work:

_uacct = "UA-XXXXXX-X";

_udn="xxxxxx.com";

urchinTracker();

The _uacct and _udn are parameters that identify the site owner for later statistics.

Yet another example of how the miscreants are organizing themselves…

Thousands of websites are compromised everyday. Many end up defaced or vandalized with greetz to the hacker and flames to the system administrator for failing to maintain server security. Defacing is the lowest form of internet graffiti and is usually done for fun or attention.

More sinister is when organized crime groups use compromised web servers to host malware. The compromised web pages are modified to host zero-day exploits which compromise users via drive by downloads or can be used as staging servers for trojan downloaders to pull and push further malware. Attack script toolkits like WebAttacker are being sold on the internet and are then custom configured to infect visiting computers without any user interaction. An attacker only needs to send spam via email addresses or instant messenger messages inviting recipients to visit a compromised website hosting the vulnerability and its malware exploit.

So how does one know where the attacks will come from? What can be done to track down the bad guys and combat them? One, of many ways, is to scan the internet for vulnerable systems and then monitor the sites that are found to be vulnerable, waiting for them to be hacked. Once the site is compromised, don’t attempt to get the compromised server shutdown as that would only make the bad guys move elsewhere. Rather keep an eye on the server and monitor it for any malicious uploads and downloads.

To quote a recent example, when code for the Exploit-WMF was released, a security company was able to come up with a listing of over a hundred sites that were compromised and hosting this exploit, much faster than big search engines indexed the Internet. Critics may argue that this is akin to watching the enemy plant landmines and waiting for hapless victims to step on it because one happens to be in the business of manufacturing prosthetic limbs. The more intel that can be gathered, the better chance the security community has of shutting down the bad guys. Let us all work with the law enforcement and intel communities.

The internet is a scary place as crime increasingly becomes an omnipresent menace. The window between vulnerability discovery to its incorporation into exploit code has shrunk from months or weeks to true zero-day as attackers and security experts are perpetually in a race against time. Browser vulnerabilities and exploits such as the Exploit-VMLFill are just a prelude to a series of pending exploits that pose the fastest growing threats to internet surfing. At the time of writing, a security update to address this vulnerability is being worked upon by Microsoft and their goal is to release the update on Tuesday, October 10, 2006, or sooner.

With ever increasing browser-based attacks, it is more important than ever that users not trust seemingly familiar or safe links particularly when received via Instant Messengers, Internet Relay Chat or Email. McAfee Avert Labs is committed to continued research against all known exploits of the Vector Markup Language vulnerability and will continue to update our coverage as new attack vectors and threats emerge. The problem will not go away…. but we can sure make life difficult for the bad guys.

There's been a few articles today about a method to hack ATMs which have not had their default administrative passwords changed. This shouldn't be entirely surprising for a number of reasons. We already know some ATMs are also vulnerable to viruses and voting machines can be hacked, etc. Good security practices are good security practices regardless of the specific operating system being used. The hacking incidents mentioned above, in particular, are caused by the same basic conditions that have led to the prevalence of things like bots and password-stealers. In the case of the voting machines and password-stealers, important data kept unencrypted is easy to steal or manipulate. In the case of ATMs and bots, using easy-to-guess passwords makes it very easy to add or subtract things from your machine.

People seem to get lulled into complacency because their particular machine or operating system isn't in common usage, regardless of whether the OS is on a laptop/desktop machine or on another sort of device. Security through obscurity will only get you so far, especially when your device has something of monetary value on (or in) it.

Today was launched the ZERT – ZeroDay Emergency Response Team . The goal of this group of security professionals is to study 0day exploits and develop unofficial patches when those exploits pose a security risk to the internet or users in general and a vendor-supplied patch has not been released yet.

This is an interesting approach, since we have recently seen so many critical security vulnerabilities and exploits without patches. Remeber the Windows WMF vulnerability?

On the other hand, despite of the fact that the ZERT group may perform extensive testing, it is ALWAYS advisable to perform your own tests in your own environment, if you plan to apply them, since it may break applications or conflict with a software/hardware vendor guarantee.

Anyway, it is nice to see efforts like this.

As one zero day gets patched, (Microsoft released an out-of-cycle patch for the recent VML Fill vulnerability) another is found.

Today we discovered an exploit affecting Microsoft PowerPoint (preliminary testing shows Office 2000, Office XP, and Office 2003 are affected). A single target of this exploit has been identified, so like other recent Microsoft Office 0-day discoveries, it appears that this one is also a targeted attack.

What makes this attack interesting, is the fact that it appears that Microsoft’s antivirus product added detection three days ago. The only public information on these threats is the boiler plate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 detect):

• Exploit:Win32/Controlppt.W
• Exploit:Win32/Controlppt.X

There isn’t a public advisory from Microsoft; suggesting the Microsoft’s security team knew of this in-the-wild attack but did not make the information public.

For the record, I am not a fan of full disclosure (the concept, not explicitly the mailing list). I believe that more money has been lost, more data stolen, and more illegal activity around exploits has happened because of full disclosure. Historically, those with the skills to find vulnerabilities and create exploits are not the ones who write Blaster and Sasser, etc. Generally, the people who heavily abuse exploit code have “copy & pasted” the work of others. They customize the payload and release, and in these cases damages would have been significantly reduced if it were not for the availability of exploit details.

That said, if an attack is in the wild, acknowledgment of the attack is not something to conceal. Non-disclose the nitty-gritty details, but do inform.

- Update Sep 27, 2006 9:30 -
Correction, coverage went into the 4861 DAT release.

- Update Sep 26, 2006 17:00 -
McAfee antivirus coverage for these two exploits was released earlier today in DAT version 4860; detected as Exploit-PPT.d trojan.

Just last month we received our first live example of SMiShing. This month we've received evidence that the author of VBS/Eliles.A has taken umbrage at the AV industry's naming conventions. Specifically rule #1: We never name malware after the author's suggested or intended name. This is to discourage people from writng new malware in order to gain notoriety.

The Eliles author, let's call him Eli, is not taking this sitting down. One of our contacts in Asia sent us a sample of Eli's latest attempt at fame, VBS/Eliles.B. Eli left some parts of his worm intact.

Like his first try, VBS/Eliles.B also:

• Hides Drives,disables Registry editing and generally makes removing it a pain.
• Tries to disable your antivirus software
• Sends itself via email to any address it can find
• Attempts a SMiShing attack against customers of two mobile phone companies based in Spain

VBS/Eliles.B additionally:

• Runs a script that types Eli's complaints on our naming and the occasional insult in the current window
• Tries to disable your firewall software

VBS/Eliles.B really brings nothing new to the table. Aside from the SMiShing routines, Eli hasn't created anything new. All the other routines appear to have been created with various ready-made malware toolkits.

Considering that only the text and the download link have been changed in the SMiShing message, it is also doubtful that Eli had a hand in creating that routine. Eli is very likely a script kiddie, a relatively unskilled malware author. More of a mugger than a criminal mastermind.

VBS/Eliles.A & B are not large threats. The disturbing part is that while the SMiShing routines are targeted locally to a specific country in Europe, VBS/Eliles.B has made it to another country in Asia.

VBS scripts are distributed as plain text. Within 2 minutes, using a text editor, a malware author can cut and paste a few strings to generate a new SMiShing attack. Fortunately, Eli is not following the for-profit trend of his more skilled colleagues. Unfortunately, it looks like SMiShing source code is now available to more malware writers.

Today's minor threat can become a component of tomorrow's devastating attack.

To follow up on my Another Day, Another 0-day post; today (Sep 27, 2006), Microsoft has released a security advisory for this vulnerability:

Microsoft Security Advisory (925984)
Vulnerability in PowerPoint Could Allow Remote Code Execution

The following versions of PowerPoint are affected:

• PowerPoint 2000
• PowerPoint 2002
• PowerPoint 2003
• PowerPoint 2004 for Mac
• PowerPoint v. X for Mac

CVE-2006-4694 was assigned for this vulnerability on Sep 11, 2006.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4694

From some time now, I’ve been observing a change in the way that the PWS-Banker variants are being created. McAfee Avert Labs used to see PWS-Bankers which targeted multiple Banks, mostly South-American banks. The new common schema used by criminals consists of 4 different parts.

1) A PWS-Banker-downloader which downloads an information file from one site (Site A). This file has urls from which it will download the bankers.

2) The PWS-Banker-downloader will then follow the urls and try to download same target files from different sites (B and C) for redundancy purposes.

3) The file downloaded can be either the PWS-Banker itself or a new PWS-Banker-downloader which will then download a PWS-Banker-dropper from yet another site (D).

4) The last file can also be a PWS-Banker.dr which is a dropper with about 12 different banks, each one with specific PWS-Banker.

The sketch bellow (taken from my cellular camera) can help readers to better understand:

Yesterday I wrote about the evolution of PWS-Bankers . Today I found possible proof that cyber criminals from Brazil, which is one of the most targeted country for this kind of malware, may be in contact with their Argentinean counterparts. A new pws-banker was discovered today and it has the same structure of the common pws-bankers trojans used by the Brazilians, but instead of just the common Brazilian banks, like Banco do Brasil, Itau, BR-ABN-AMRO and BR-Citibank, this one also targets two banks from Argentina, Banco BiSEL and BANELCO.

Yes, cooperation and sharing between cyber criminals in different countries.

A vast majority of IRC based bots seen these days can be said to be on “Autopilot” in a sense. After joining a pre-defined IRC channel the bots read channel topics and accept them as commands. Authors of such bots just need to set these channels up with correct commands and then leave it up to the bots to spread and possibly go and earn money for their authors.

In general, such bots perform the following steps

1. Query for the domain where the IRC server resides
2. Try to connect to an IRC server at some predefined set of ports
3. Once connected to the IRC server , join a predefined channel by issuing “JOIN =C2=BCbr /> “
4. Read the topic for the channel and accept it as a command

Generally, the topic of the first channel instructs the bot to join other channels, the topics of which may in turn cause the bot to execute various commands or further join more channels. The major functions that such bots generally perform for their author are i) Spread: increase the size of a botnet by scanning the network and infecting other vulnerable machines. ii) Earn money: by downloading adware, stealing personal information etc.

Different bots may connect to different domains, ports, channel names and may download different adware etc but the overall working mechanism remains the same: once the channel topics have been set, they all go about on their own adding more machines to botnet and earning money automatically. While his bots are on autopilot the author may have fun relaxing or may be spend his time on things like researching new vulnerabilities to exploit rather than just sitting in a channel and issuing the same commands to each new machine that joins.

Some such bots have a funny side too, where they would display funny messages along with the IRC banner returned. One example of such bot is W32/Sdbot.worm.gen.h which connects to forum.ednet.es at port 4915. The channel is still active at the time of writing. Click here to see a screen shot of the message returned from the server.

McAfee Avert Labs has been observing such behavior lately and it has also talked about recently. Even though it claims to be one, it is not a “legit botnet”. It will happily issue commands to a bot to scan the network for vulnerable hosts and infect them. Actually, it is as insidious as any other botnet.

One can only see this message by connecting to the server using an IRC client or looking at the bots communication in an ethereal dump. A normal user, whose machine is infected, will not see this message. So, whom is this message intended for???

Possibly it is just intended for the “readers” who analyze such threats. Like, every once in a while we see a malicious executable which has a few strings just for fun or to challenge the person who is analyzing the memory dumps. Similarly I think this is just the fun part which the malware authors and AV researchers share.

Or, if you like, it can be called a social engineering technique which malware writers may use to attempt to fool “readers” to believe that this channel, even if part of a botnet is actually legal. It is, however unlikely to stop researchers from adding detection for such bots nor will it prevent the IRC channel from being taken down once discovered.

Such “special” responses could also potentially be used to obfuscate/encode information being conveyed to the bot.

The online gaming industry has matured into a serious business with revenues running into the billions of dollars. As we know, once something gains popularity on the Internet and is profitable, it becomes an attractive target for hackers.

In the early days, game crackers spent quality time breaking cd protection or gaining secret codes to unlock hidden weapons and levels. With the advent of both Online Games and Massively-Multiplayer Online Role Playing Games (MMORPG), official gaming networks now require legitimate cd keys and/or registered accounts to logon and play online. Virus authors responded by unleashing a rash of trojan horse programs masquerading as game cheats or trainers in order to steal cd keys of Online Games. To get a victim to run these trojans, these files were posted on bulletin board systems, internet relay chat channels or on popular gaming site forums. But the intended victim still had to download and execute the trojan for the ploy to work.

So the obvious question was “How to make a self spreading game cd key stealer?” Sdbots and Gaobot with multiplying capabilities via exploits and weak passwords were readily available at that time. It wasn’t long before a module was written and introduced in the bot code to steal game cd keys of popular online games from Electronic Arts, id Software, Red Storm and Valve. Fortuneately most of the bots in the wild these days have dropped this functionality as the popularity of some online games has waned recently.

Massively-Multiplayer Online Role Playing Games like Lineage, World of Warcraft and the Final Fantasy series rule the gaming world today with an insane number of hardcore
gamers competing against each other in the virtual world. Everyday, McAfee Avert Labs receive numerous malware samples designed to steal game account information targeting popular game titles. And in a shift away from trojan horse programs masquerading as game cheats, we are seeing a trend where virus authors are writing old school viruses like W32/Bacalid, W32/Detnat and W32/Philis that target popular role playing games.

Are these guys doing it for the love of the game? Nope.. sounds too good to be true. Underground RMT (Real-Money trading) groups thrive in dealing with stolen game accounts and operate mostly out of Asia. And with a player’s stolen account information, their virtual assets can be transferred to another players account or simply auctioned off and sold for real money. This phenomenon is currently region specific but could easily reach menacing proportions similar to the threats plaguing online internet banking.

Saw an insteresting bit of news today, on a tactic I wish could be used to confuse the criminal elements out there into stopping their garbage-spewing.

“Wait. Am I sending unsolicited, usually commercial, e-mail to a large number of addressees, or am I engaging in services to avoid or suppress unsolicited e-mails?”

Plus, bonus amusement points for overuse of the phrase “spicy ham”.

Today Microsoft patched 26 vulnerabilities, a record high since their monthly patch cycle started. Among the patched vulnerabilities are the 0-Day vulnerabilities in Word and PowerPoint that have been used in targeted attacks against large enterprises. The vulnerability in the WebViewFolderIcon ActiveX object that allows for Internet Explorer drive-by-install and drive-by-download attacks, has been patched as well. None of today's patched vulnerabilities has been tagged as a worm candidate.

The anticipated remediation of the vulnerability in the DirectAnimation.PathControl ActiveX object in Internet Explorer did not see the light yet.

The update of our graphs of last month is found below. The graphs show that Microsoft has continued the trend of patching a large number of critical vulnerabilities each month.

I’m here at the booth at VB2006 skipping lunch to write some thoughts and observations from lovely Montreal, where the weather, at least today, is very much reminding me of home back at Portland, Oregon .

The conference is a three-day affair again this year, and was preceded by a day of meetings by various industry and user consortia and groups. We began by discussing new testing and certification methodologies designed to go beyond the standard approach of “scan a static collection and count how many were detected.” It’s probably not apparent to most people exactly how much thought, planning, effort and careful interpretation goes into running a scientific, valid, repeatable and meaningful test of a security product.

A big topic seemed to be how to test security products (and behavioral products to a degree) against running malware. Do you exclude rootkits or not (because they can render the measurement techniques invalid)? Do you install the security product after the machine is infected, or do you install it before, but disable the on-access scanner? How do you count legitimate third-party libraries? Harmless images and text files? How do you ensure the malware doesn’t start or stop installing some other piece of code midway through the test? We have our own answers for testing our software, but trying to get agreement among a huge array of vendors is a job I’m glad I don’t have. It probably also explains how bad reviews happen.

Actual talks began late morning yesterday, and were kicked Off by Mikko Hyponnen’s review of malware history from the early days to today. Our own Allysa Myers presented on the possibilities around bot herders using IM to perform command and control functions, and Igor Muttik on scanning of HTTP-borne threats without killing performance. There have been some excellent talks on anti-rootkit techniques, botnet monitoring, some of the subtleties of the spyware landscape and a sort of point-counterpoint discussion of the effectiveness of user education vs. technological solutions. In general, some differences seem apparent generally about the industry this year. There are fewer talks on botnets and rootkit techniques than last year, it seems, and more discussions of behavioral technologies and mobile threats. Spam is also more prominent this year, and this broadening of the technological landscape seems to be paired with a broadening of the vendor and customer organizations represented here this year. It seems so far like the conference is mimicking the malware world today.

This week we received a sample of a variant of W32/Backdoor-DJC.

W32/Backdoor-DJC is a standard targeted backdoor trojan. It steals information from your computer and sends it back the attacker. Instead of using email to send back the stolen data, this variant uses SMS.

Using SMS to transfer stolen information. Malware authors are branching out in their communication methods. Not really innovation. System administrators have been able to monitor their machines via SMS for quite a while. This is more an example of malware authors turning legitimate methods and tools to their purposes.

Previously we've seen similar information stealing trojans on mobile phones. SymbOS/Pbsender swipes your phone and contact info and sends it out via Bluetooth.

Bluetooth is not as effective as email or SMS for sending information. Consider some of the difficulties involved:

• receiving anything requires user interaction, you can't let it sit in your inbox
• you need to be within range, if you're not there you don't get the message

On the other hand with SMS:

• your messages end up in the inbox
• range is not an issue, you can even be in a different country
• your phone does not even have to be on

Once a tool or communication method has been proven effective legitimately it is common for us to see them integrated into malware. So it's no surprise that SMS has now reached this stage.

Well, more accurately from my hotel room here in Montreal, because the floor is full of people moving chairs and taking down booths . Rob Lemos asked me yesterday why so much of the data presented here at VB seems dated, which is not really surprising as papers are due months before the show for editing and printing, etc. That being said, there is a certain amount of self-censoring that goes on – you don’t want to show all your cards to either the competition or the malware authors. But I thought today was a fascinating display of just how relevant the conference was this year.

This morning, Infoworld’s Paul Roberts (http://weblog.infoworld.com/techwatch/archives/cat_security.html) reported on a notice sent from the UK Metropolitan Police (responding to information discovered by Avert staff in Europe) to 3000 British citizens informing them that their computers had been compromised including passwords, credit card numbers, etc. The show today ended with a panel discussion on fighting cybercrime that included representatives from the FBI, several security vendors and a large corporate customer. While most agreed that the trend is getting worse, everyone was in favor both of more information-sharing between vendors and law enforcement, but also more reporting from affected corporations and individuals to law enforcement. While cybercrime is a significant priority at the FBI (after counter-terrorism and counter-intelligence), the more data that law enforcement has, the better their funding opportunities.The real goal here is to increase the risk:reward ratio. Right now cybercrime is so lucrative, so cheap to carry out, and incurs such a low risk of capture (much less of significant penalties depending on the jurisdiction), that it is neither surprising nor unexpected that it is growing.

The other somewhat surreal coincidence was between Randy Abrams’ presentation on Microsoft and competition with the AV industry, and the announcement that MS will be making changes in Vista to reduce EU and Korean concerns over competitive or antitrust issues (http://biz.yahoo.com/rb/061013/microsoft_eu.html?.v=7). Randy’s conclusions, based on his having worked at MS and an AV vendor, was that Microsoft is essentially playing fairly on a technical level, but that their mere presence will affect large AV vendors, like McAfee and Symantec more than the smaller players. He also believes that Microsoft’s success will be largely dependent on the quality of the software and support provided by OneCare and ForeFront. Having watched a number of markets go away after Microsoft’s entry, I am more cynical, and would expect both their sheer ownership of the platform and integration points, if not their access to technical information, to have some non-trivial effect. It sounds like the EU and Korea agree, but time will tell I guess. What is not up for debate is that there is another kid on the block and he’s bigger than all of us put together.

For a good few weeks we’ve been watching the pharmaceutical and wrist-watch spammers using name server host names in the style “ns1.ns1.some-domain.tld.” (normally they are ns1.domain.tld, a simple hostname without the subdomains). This is a pretty unusual thing to do and we can only presume the spammers have their own devious or misguided reasons for doing so. The domains registered against these name servers also exhibit another interesting feature, they are registered with the name servers in an invalid (or at least very unusual) way, and furthermore these domains fail in whole bunch of other simple test cases that are not found in clean sites. With streaming updates we are able to protect against these campaigns, often ahead of the spam campaigns starting.

Patch Tuesday refers to the second Tuesday of each month when Microsoft releases security updates for its products. As a matter of policy, Microsoft releases patches only on Patch Tuesday. (One recent exception to this was an out-of-cycle patch for the Internet Explorer VML vulnerability.)

The researchers at McAfee Avert Labs follow Patch Tuesday with interest: Microsoft’s products are used by the lion’s share of industry and home users, and un-patched vulnerabilities in Microsoft’s products can often have an impact on global security.

Back in July 2006, Patch Tuesday fell on July 11. On July 12, a Trojan, Exploit-PPT.b, was released. This Trojan exploited a previously-unknown Microsoft PowerPoint vulnerability.

An exploit for a new vulnerability follows a Patch Tuesday. A one-time event?

This month, on 12 October 2006-two days after the October Patch Tuesday-we discovered a zero-day exploit in the wild for a new Microsoft PowerPoint 2003 vulnerability, CVE-2006-5296. Microsoft has said on its TechNet blog that this exploit could carry out code execution on the victim’s machine.

Security expert Bruce Schneier has commented that exploits might be released to follow a Patch Tuesday to maximize the “window of exposure”-the time until next month’s Patch Tuesday arrives with security patches for the new vulnerability.

Is Zero-Day Wednesday (or Thursday) going to become a trend? We’ll be watching.

Today’s mass mailers are often seeded from thousands of zombie drones connected to botnets. Time on a botnet can be bought, for the right price, to launch the next mass mailer variant. Then when these zombies are instructed to download and execute a worm, a mini outbreak can be created when thousands of machines over the internet simultaneously start mailing copies of the worm. However, these artificial outbreaks die by themselves when antivirus vendors come out with updated detection for the worm.

By using enticing subjects and message bodies and spoofing the ‘from’ address to appear from trusted sources, mass mailers have traditionally depended on social engineering techniques to get a victim into executing a malware attachment. Given that mass mailers seem out of vogue these days with malware authors focusing on more effective infection vectors like operating system or browser vulnerabilities, it’s nostalgic when we see a new “old” kid in town.

W32/Stration is a mass mailer that has been around since August this year and is one of the few active and evolving mass mailers in recent times. Very typical of the mass mailing variety, W32/Stration harvests email addresses from an infected machine and mails a copy of itself using some convincing message bodies.

A sample spoofed email message is as follows:

“Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.”

Leaving out the poor grammar, such a dire message appearing to come from the administrator of your company could be stunningly effective in getting uninformed users to take the bait.

W32/Stration uses a self updating mechanism to keep itself going. Infected machines connect to a hard coded url in the body of the worm to download possibly a newer version of the worm and execute it. This ensures that worm remains undetected for an extended period of time and ensures a longer shelf life in the wild.

The author seems to be investing considerable time and effort into unleashing newer variants of W32/Stration on to the internet. But it’s surprising that no lucrative payloads like adware or password stealing trojans have been seeded onto infected machines. One can only wonder about the objective behind developing and releasing newer variants of this worm. Is the current wave being used to build a massive pool of infected computers for a larger scale of attack on the internet? Sadly, the motive behind unleashing this worm is still unknown at the time of writing this blog. McAfee Avert Labs continues to keep a close eye on future developments of W32/Stration.

As timescales compress in computer security, research organizations feel increasing pressure to be first to report on a threat. It’s hard to perform lengthy fact checking in hours time. In the last couple of months we heard about two different 0-day attacks from two different major security vendors, neither of which were 0-day attacks. This week analysis was posted on a “new” anti-virtual-keyboard technique used by a password stealing trojan; only problem is that technique is at least 3 years old. And this week an IE 7 0-day vulnerability turned out to be more than 5 months old.

Of course the irony is that other researchers have to chase the claims, which reduces the amount of time available for fact checking prior to release for the issues they’re trying to report on; so it’s a vicious cycle. Additionally, people who report on such issues are often excited and anxious to spread the news, not to mention the competitive aspect of all of this.

Generally speaking, the largest organizations tend to lean towards lengthy validation cycles, taking a long time to react, while smaller shops may only do a quick check to validate their claims.

Personally I think either extreme is not good and a balance needs to be found. Part of that balance should include going with what you know at the time, allowing for terms like ‘under investigation’ or ‘believed to be’, while reserving absolute statements until after due diligence has been given.

Maybe that’s just me?

“The Price For Gold On The EURO Realm Dropped again”

No, it’s not the same gold that we have known for thousands of years; it’s virtual gold which MMORPG gamers compete to obtain in order to increase their wealth and power. Surprisingly, some people (aka “gold farmers”) have managed to find a way to convert this virtual gold into real money. It’s estimated that more than 100,000 young people make living in China only through “gold farming”.

Given all this information, no wonder why we have been getting all these password-stealers which are specialized in looking for passwords of MMORPG gamers. This trend started at least three years ago with Trojans like PWS-LegMir, then others followed it such as PWS-Lineage and PWS-WoW. The worrying thing is the number of variants that we come across everyday and the variety of techniques malware writers have been using; starting from keyloggers, rootkits, to network sniffers, and the most recent file-infector, W32/HLLP.Philis.

People within the MMORPG communities have issued several calls to the providers of these games to try and make it harder to do “gold farming”. Genuine players don’t want to see other people staying around and ruining their games. On the other hand, us, here in Avert Labs issue a similar call to the same vendors to try and make it useless for malware writers to write password-stealers for these games. These Trojans and viruses are written for profit, so let’s try to stop the reason they were written for.

Many people know http://zone-h.org/ as a web site that monitors defacements. This morning, I visited the site to search some defaced French governmental web sites. Indeed, attacks against French sites have been increasing since this country passed a bill making it a crime to deny that the Ottoman Turkish empire committed genocide against Armenians in 1915.

Browsing the site, I was surprised to be targeted by a Trojan when I visited some mirrored pages. I am sure that many people, correctly protected or not, do not imagine that they could catch malware from this site.

I just contacted the site founder and co-founder to alert them (see their response below). I would have hoped that they would have be able to modify their mirroring techniques, but at minimum, it would seem necessary to alert people before they open an infected mirrored web page.

Response from zone-h.org:

— QUOTE —Hello,unfortunately there is nothing we can do as some defacers are linking, from the defaced webpage some external pages against which, our internal server antivirus cannot perform any sanitation.

Best regards

Roberto Preatoni

— UNQUOTE —-

Make sure your security technologies are up to date if you are going to browse their site!!!!!!

There’s been discussion lately about whether we’ve already lost the war against malicious bots. Certainly things are looking fairly grim as the rise in the number of variants of IRC bots has grown by leaps and bounds over the last couple of years. Strictly using string-based detection against the unending tide certainly appears to be a lost cause.

On the other hand, there are some more promising developments in recent years:

• Most AV vendors at this point have gone to using some sort of generic detection or behavior-based heuristics against the most popular bot-families, which can proactively detect a certain amount of new bots
• Firewalls and IDS/IPS products are becoming more widely used, even by home users
• Many corporations are blocking IRC traffic
• ISPs are increasingly involved with security groups that have developed to shut down Command & Control channels used by bots

From my perspective, I see a few things being particularly important in solving the bot problem:

• Further cooperation of security companies and ISPs in order to get more C&Cs shut down
• Further cooperation of security companies, ISPs and Law Enforcement agencies in order to ensure more bot masters face legal action
• ISPs offering more security services than simply AV software (i.e. traffic filtering)
• More security information being available to novice users (i.e. http://pbskids.org/license/)
• More accountability for adware vendors who fund these malicious affiliates
• A paradigm shift, particularly in the home user area, to a security strategy of strategically allowing known-good traffic rather than strategically blocking known-bad traffic

What are your thoughts on the general state of things?

Have the Bot Wars been lost? What more could be done to ensure that Bot Masters don’t make the internet completely unusable?

Malware authors targeting other rival malware is always an irony of sorts. The school of thought is while a thief may lie, cheat and steal from everyone else in God’s creation, they would respect other thieves because they see each other as kin. Remember professional courtesy!! Sharks do not eat lawyers .Malicious hackers battling for control over an infected system prefer to keep all the system resources for themselves and there have been several instances in past where malware authors had turned upon each others creations. The two most famous ones were:

1. W32/Nachi, supposedly christened the good worm, targeted machines vulnerable to the blaster worm aka W32/Lovesan. Once installed on a vulnerable machine this worm would terminate and delete instances of the blaster worm. To prevent further compromise of the host machine it would also download and install a patch for the MS03-026 vulnerability from the Microsoft website.

2. Netsky vs. Bagle wars: Both the virus writers regularly flamed each other and targeted the others creations with every newer variant. Bagle targeted Netsky infected machines by spawning a mutex with the same name as the netsky worm as this terminated all previously running instances. While Netsky variants preferred deleting registry entries and killing processes to prevent automatic execution of Bagle and Mydoom variants.

In a recent most incident we got to see Spam-DComServ alias the SpamThru trojan that installs a pirated copy of an antivirus program to get rid of rival malware from the machine.

Quoting an excerpt from the analysis of this trojan by Joe Stewart at SecureWorks:

“SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.”

Seems “professional courtesy” is not something virus writers believe in. Spam-DComServ is yet another malware that does not like sharing its host machine with any other malware. It will be interesting to see if another malware, if any would, counter attack this act of Spam-DComServ.

Rest assured, we will most likely get to see more scenarios like the above where malware authors try to top each other and defeat one anothers malware. There truly is no honor among the thieves!!

During the last week image spam accounted for up to 40% of the total spam received, compared to about 1% a year ago. Image spam has been significantly increasing for the last few months and various kinds of spam, typically pump and dump stocks, pharmacy and degree spam, are now sent as images rather than text. Image spam is typically three times the size of text based spam, so this represents a significant increase in the bandwidth used by spam messages.

During this period our image spam detection remained well over 99% and image spam discard rates were almost as high, averaging about 95% of image spam discarded. Spammers moved to image based spam in an attempt to evade detection, but its not working!

It was only a matter of time, but the first security ISV has publicly announced a product that bypasses PatchGuard. Authentium, announced today that their Authentium ESP Enterprise Platform can bypass PatchGuard. In a world where less than 1% of known threats exploit the kernel in a way that PatchGuard will block, and where only 15 of 264 (less than 6%) Microsoft vulnerabilities from 2004-2006 would have been protected by PatchGuard, according to our calculations, I’m not sure whether to laugh or cry.

Patchguard is an attempt to close a software hole with more software. As Joanna Rutkowska has amply proven, there is no software-only solution to the rootkit problem. Hardware solutions, like Intel’s Vanderpool or AMD’s Pacifica are required to harden PatchGuard to the point it cannot be broken, but they will not be widely spread in the field for years to come. And in closing one small hole, it’s opening a host of others, like those addressed by the behavioral, anti-rootkit technology, and HIPs features we, and other vendors, have been working on for years. Arguably, our solutions are not immune to this same problem, the difference being that instead of one solution from a newbie security vendor, consumers today can deploy multiple solutions from many seasoned vendors to create a layered defense strategy, even at a desktop level.

So in the meantime, MS is going to try to put their fingers in the dike of PatchGuard holes, which are more valuable to security vendors than to malware authors, who can just avoid the kernel structures MS is trying to protect. In many ways, this is the final manifestation of the logical conclusion I came to when Greg Hoglund first announced his NT rootkit: We are, and always have, been locked in an arms race with the malware authors and hackers. Microsoft has just taken away our most effective weapons.

Microsoft is putting McAfee, Authentium, Symantec, Sunbelt and the rest of the security community in the interesting position of having to tell our customers that we can’t protect them beyond a reactive AV signature without “hacking” their operating system. So if we can’t protect them, and Microsoft can’t protect them (and won’t let us), what are consumers and enterprises to do? Right now, security vendors and Microsoft are in a very public standoff. It will be interesting to see what happens when Microsoft’s own customers chime in on this issue. What do you think?

There’s something that I’ve been hearing mentioned a lot lately, particularly from those in law enforcement circles – the importance of “mules” in bot-related money making schemes. These are work-at-home type jobs which are offered through very professional-looking websites, through classified ads, and even through IM.These are a crucial part of the reason so many bots are able to be run from places around the globe. In order to get merchandise (often to re-sell) or cash with stolen credit card credentials, the thieves have to go through more strict regulations if the goods are going to another country. To get around these regulations, they use these mules within those originating countries.

These mules are often someone who’s desperate for money or someone who figures it’ll be the (unfortunately fictitious) company who’d get in trouble rather than themselves, so they tend to ask few questions of their “employers”. Laws in most countries are better able to handle this sort of trafficking of stolen goods, so it tends to be these small-time players who are most often prosecuted within the web of illegal botnet activities.

Two weeks ago, I discussed with you about a Trojan from the Backdoor-BAC family. On the same day, the MET (UK Metropolitan Police Service) announced they were investigating data recovered from a computer in the United State. It contained personal information from hacked machines located in the United Kingdom that were infected by a variant of this malware family. In another news dated October 24th, Computerworld write about identity theft fraud concerning more than 8500 victims in over 60 countries. Among these countries France is mentioned.

As I worked with my German Avert Lab colleague on this issue, I can go into more details. After the backdoor was implemented on the target computer, it transmitted to a remote Web server the e-mails sent by the victim along with their mailbox usernames and passwords. It also caught any on-line transaction (ISP connection, banks and other on-line services like Amazon.com) whenever an HTTPS transaction was executed. The Trojan sent screenshots (jpg format) and user’s keystrokes (txt format) to a collector Web site.

We were able to reach the Web server dedicated to the data collecttion. It held more than 850,000 files representing 4.5 Gb of information. The whole of the data was conscientiously classified by countries. The « France » directory contained 643 files for 4 distinct people. Like my colleagues, I transmitted these data to the French Authorities on October 16th. They alerted the victims the same day.

The next screenshots are an example related to a bank on-line transaction. The jpg file allows the criminal to know the bank account. With the txt file, they can find the password.

This identity theft network was controlled via Web-based techniques. The compromised PCs connected themselves to a master site to receive their commands as well as the location to send stolen data and the password to reach this server. They were also able to update themselves by downloading new pieces of code.

We receive each week hundreds of malicious code samples. Usually we are only able to add detection for them ionto our DATs. In this case we were are able to utilize the information to help the victim. This happens rarely and should remind all of us to stay vigilent.

In my last blog entry I talked about the consequences of Microsoft’s policy of releasing security updates only once a month. Is this encouraging exploit writers to release zero-day Microsoft exploits soon after a month’s Patch Tuesday to maximize the vulnerability’s window of exposure? Yesterday, on 24 Oct 2006, exploit code was released for a Microsoft Internet Explorer (IE) vulnerability. This proof-of-code code could cause denial-of-service (DoS) in IE. Avert Labs is investigating this exploit further.

Patch Tuesday next month falls on November 14. So this IE bug’s potential window of exposure is at least three weeks…

Following our blog on W32/Stration last week, this kid has been enjoying having its presence felt. To date, W32/Stration has been hovering at the top three places in prevalance behind W32/Netsky (another old-school mass mailer) on Postini’s top viruses tracking on their global email systems.

Today, McAfee Avert Labs discovered a new variant of this mass mailer that was gaining speed in spamming to the Internet from infected machines. When another “security expert” claims that “old school” threats are passe, think again. More details of this new variant at:
http://vil.nai.com/vil/content/v_140655.htm

The SANS Institute issued an update to its list of the Top 20 Internet security vulnerabilities. Even if Internet Explorer and Microsoft dominate the list, the institute warned about significant security flaws in Mozilla Firefox and Mac OS X.

The study also notices continuing discovery of multiple zero-day vulnerabilities. One possible explanation is that cyber crime has become so lucrative that huge sums of money are being spent to sponsor research to find more flaws. Many vulnerabilities being found make their way into zero-day attacks often utilizing zombies with lucrative adware, spyware or other potentially unwanted program downloads.

Another trend is a rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites. SANS spoke about disciplined attackers located in hostile nation-states and targeting US, British, and Canadian government agencies, contractors, and companies.

There’s been a couple articles in the news today that remind us that ignorance is not necessarily bliss:

Infected/compromised machines are being blindly trusted and allowed to spew spam.

Spyware cleaners are being bundled with adware applications.

This second article is especially notable in light of news stories from a few months back pertaining to a firewall product that is allowing digitally-signed applications to connect to the internet by default.
Here’s a couple examples of specific trojans which have come in to Avert Labs in the last year that have been digitally signed:

Downloader-YN trojan

VeryLince trojan

This is not meant to bash on any one company but as a reminder to all of us that accepting things blindly is never a good thing, be it phishing/scam emails, email/IM attachments, downloads, security policies, etc.

Once again, in the name of “software security”, exploit code has been posted publicly that targets an unpatched Microsoft Internet Explorer (IE) vulnerability. This has been labeled as a 0-day exploit, but the first public release of this vulnerability happened on July 18, during a well known vulnerability researcher’s “Month of Browser Bugs” bloganza. The original proof of concept code posted to the blog resulted in IE crashing. The code released yesterday and today allows for the execution of arbitrary code.

I contend that a public exploit released 2+ months after the initial 0-day attack can not be considered a 0-day.

Of course in the real world, it doesn’t make much difference. As I write this blog entry, Microsoft hasn’t yet acknowledged this threat, but I suspect that we will see some information soon, only 72+ days after the 0-day attack was made public. Call it a 0-day, or call it a 72nd-day, either way users are still vulnerable.

That said, the odds of being attacked by this threat were extremely low two days ago. Now that exploit code has been served up on a platter for the bad guys to use, we can expect many attacks for some time to come.

Why is it that some vulnerability researchers feel victorious upon the release of a vendor patch, when it comes at the expense of so many innocent victims? Or maybe this really isn’t about making software more secure.

Today McAfee Avert Labs received a new variant of Backdoor-BAC. At Avert Labs, we are regularly consulted about this Trojan family. Some competitors commonly name it Haxdoor or A311 Dea=E2=80=A0h. A rose by any other name…….

This is one of the most advanced pieces of malware we encounter in the wild and a new one was seen today. Many of them are installed via Internet Explorer vulnerabilities or delivered via spammed or fake e-mail. On infected machines, most variants capture network information and logins and wait while the user browses a website that requires authentification. They often target financial web-sites and collect transaction data like usernames and passwords which are sent to dedicated hosting machines, centralizing the stolen data into incremental log files.

The first Backdoor-BAC variants were encountered in 2003. Then, month after month new variants appeared; they are more and more sophisticated and now often contain rootkit capabilities. They are generally FSG packed. Hundreds of variants exist! The firsts were created by a Russian guy nicknamed Corpse. His creation-kit tool is sold on the Internet from $200 to $500 according to the desired specifications.

The way the Trojan is packaged allows criminals and hackers to create their own settings before recompiling the malware. They can create multiple variants without too much knowledge. The centralized server is called blin drop (Phishing Exposed, Lance James, p340. Syngress ISBN 1-59749-030-X). It is usually a purchased (illegitimately, in almost all cases) dedicated hosting machine with a basic directory structure for the data to be received via a PHP file and then output into log files.

This new variant is described at : BackDoor-BAC!55436

Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

The smtp sending trojan first phones home for its task list, via http on the smtp port (25). Port 25 on the host machine is running Apache/1.3.37 — this is a very unusual place to find apache running.

The task list looks like this:

$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|
http://get.example.com:8091/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

^{(line breaks and spaces added for readability)}

The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….
Read the rest of this entry »

McAfee Avert have received several samples of a spammed Word DOC file called “McAfee Inc. Reports.doc” (size 205,824 bytes). This trojan file carries a macro that, if allowed to run, will drop on the harddisk and execute a file called “LS060E5.eXE” (size 27,648 bytes).

Detection of both files was added to 4887 DATs (02 Nov 2006) under W97M/Kukudro.t and the PWS-LDPinch names, respectively.

What makes this incident worth mentioning is that the spammers appear to have used a mcafee@{domain}.com template for their spoofed emails (we have seen many domain names used – e.g. “europe”, “playful”). This was picked up by the media http://www.net-security.org/virus_news.php?id=710 which, unfortunately, was ambiguous enough to generate certain levels of confusion.

Some readers who did not follow the link to the description on the Kaspersky site clearly missed the statement “Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan“. As a result we started receiving questions like “Did you really..?”

For those interested to find the answer to this question please follow the link to one of our earlier posts on this subject - http://www.avertlabs.com/research/blog/?p=28 “Can I trust myself?”.

Microsoft recently posted Security Advisory (927892) for a critical vulnerability in Microsoft XML Core Services. This vulnerability was discovered in the field and allows for remote code execution. This equates to another means for drive-by attacks via Internet Explorer. Exploitation is not believed to be wide spread at this time, but we can expect exploit code to become public early in the week at which point exploitation will pick up exponentially.

Workarounds include setting the kill bit for the XMLHTTP 4.0 ActiveX Control and modifying Internet Explorer’s security settings. For more information, see:
http://www.microsoft.com/technet/security/advisory/927892.mspx

McAfee Avert Labs is currently analyzing this threat.

The threat landscape is constantly changing, and our technology must adapt and change as well. Long gone are the days when malware authors were primarily novice coders (or script kiddies). Today we see evidence of the rise of organized crime in malware creation, where development teams are creating malicious software, testing it, automating its production and release. Sophisticated techniques such as polymorphism, the recurrence of parasitic infectors, rootkits, and automated systems with cycling encryption releasing new builds constantly are becoming more prevalent. Furthermore, it is difficult to remember the last time I worked on a sample that was not packed or encrypted, or obfuscated in some attempt to disguise its nefarious purpose. There are many examples, but some stand out in my mind: w32/Stration, w32/Bacalid, and w32/Polip.

The increase in sophistication signals an acceleration of the ongoing arms race between malware authors and security research organizations. IT Organizations must constantly upgrade, patch and deploy the latest software and fixes to keep their networks secure. The release of the 5100 AV Engine by McAfee is a major weapon in the arsenal of McAfee customers for fighting malware. The 5100 engine has upgraded capabilities which allow Avert Labs researchers to more effectively detect new malware generically, or old malware that has been obfuscated. Our internal testing data indicates that the 5100 engine may provide as much as 30% improved detection performance over the 4400 engine. This 30% is provided by the 5100 engine’s capability to deobfuscate the malicious code.

This is proactive detection, provided by McAfee’s newest weapon in the fight against malware.

Avert strongly recommends anyone using McAfee AntiVirus or AntiSpyware products to upgrade to the latest engine.

Further Information and Engine Download Here

Within the last month we’ve seen a spike of new W32/HLLP.Philis variants being posted primarily on Chinese sites. This goes to further underscore the point in our last blog about the importance placed in the malware authoring community of frequent new variants and the recurrence of parasitic infectors.

What makes this particularly notable is that most of these virus-laden postings were from links included in blog and forum posts.

Comment spam is nothing new, malware-related comment spam has specifically been reported for a number of months. This serves as a reminder that malware authors are constantly keeping up with trends in technology. Regardless of whether something is reasonably new, if it’s something that’s popular it’ll be a good “return on investment” for their malicious purposes.

Hackers are trying to use the good reputation of Wikipedia to lure unsuspecting users into executing malware. The very openness of Wiki that allows users to freely add or edit available content has made it an attractive target for virus authors to plant malicious code in articles. A POC worm targeting Wiki was discovered earlier in August of this year.

In a recent incident, an email was mass spammed to German computer users requesting them to download a security fix for a new variant of the infamous Blaster worm. The email was crafted to supposedly appear from Wikipedia, complete with an official Wikipedia logo. The email directed users to a fixed Wikipedia article which included a link to malware hosted on an external site.

Editors at Wikipedia were quick to fix the misleading content in the article. However since Wiki stores all previous revisions to an article, the attacker was able to direct users to the archived pages via the spammed email. Wikipedia administrators had to finally erase all old versions of the article to resolve the issue.

As malware authors continue to improve social engineering techniques, public community sites like MySpace, Orkut, Wikipedia et al will have to adapt and modify their policies with regards to posting and editing content. One can take a cue from webmail providers like Hotmail and Yahoo that have implemented mandatory virus scanning of attachments, to have all content scanned by an antivirus before being posted. This will help prevent mischief makers from creating toxic pages.

Update: A detailed anaylsis of this threat can be viewed at the McAfee Avert Labs Threat Library. Trojan Nordex: http://vil.nai.com/vil/content/v_140856.htm.

It would seem MySpace is looking at the possibility of expanding to China, while at the same time Chinese websites are experiencing a significant amount of traffic in malware comment-spam. It seems to me, unless MySpace gets significantly more involved in making sure the possibility of the XSS vulnerabilities that were used by previous malware are covered, this could be a recipe for disaster. This is a potentially huge source of revenue for the people at News Corp, but also for adware affiliates and malware distributors.

But really, MySpace isn’t the only one that needs to take note of this. It’s really time for Web 2.0 to have a paradigm shift.
These websites were started by individuals, and intentionally left to be developed and made great by its user base. They’re all highly customizable, letting you include an incredible amount of your own content. On the one hand this is a brilliant idea, and has made the internet a much more compelling “place”. (Or is that “tube”?) On the other hand, no one gave much thought to security as these places were being built up. The news has been liberally littered lately, with stories about various user-driven sites being used to distribute malware.

Without this change of direction, it could be that within a couple years these sites may become functionally unusable – they’ll be crushed by the very thing that made them revolutionary.

I, for one, hope this does not come to pass.

Recently one of our researchers, David Rayhawk, gave an interview to Fox news on mobile malware and smishing.

Fox News 35 has the video on their site. There is also a mirror on Google video. The interview covered topics such as data destroying malware and the advent of smishing and for-profit malware. We have covered these topics in earlier posts.

While the current threats are not very widespread, the samples we’re seeing indicate that the capability for greater trouble is approaching.

After Exploit-WMF and umpteen image file format exploits that followed, general computer users should understand that something not baring the file extension *.EXE
does not imply they are safe to view. Malware crafted out of document and media file formats are nothing new; nor are they a threat unique to Windows users. Before Word document 0-day’s made it into mainstream news headlines, there were text file exploits. More recently, there was Exploit-WinAmpPLS playing a spyware note; and a Microsoft security advistory for five critical Flash Player vulnerabilities today; as the music plays on.

Today, McAfee Avert Labs discovered W32/Realor.worm in the wild that was actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious webpage without prompting, as they are being viewed by the user in Real media player. These files can be music or videos hosted on a network drive containing corporate presentations, a personal media server, or a P2P shared folder et cetera. When was the last time you hesitated in opening a movie file ?

As much as the new world of broadband multimedia presents new channels for entertainment and business opportunities, it is an attractive breeding ground for malware like any other popular application. Whether through a worm, using tools or hand-crafted, they are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristics and generic detection such as New Downloader.b
and Generic Downloader.bl are only some of the proactive measures to block such attempts. Internet users are advised to be precautious with sharing media files on a publicly writable folder or viewing media files from unknown sources — like you would with unsolicited e-mails and *.EXE files.

On Sunday November 5th, we blogged about a 0-day exploit discovered in the wild that was targeting a Microsoft XML Core Services vulnerability. McAfee Avert Labs had been tracking and monitoring the payload deployed by this exploit.

W32/Kibik.a was the detection name assigned on Sunday, which was soon included in the McAfee VirusScan DAT release the following week. With rootkit heuristics, behavioral detection and IP blacklists being the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in this competitive matrix of today.

W32/Kibik.a is a parasite that attaches to Windows Explorer (explorer.exe), even covering backup copies of explorer.exe in system restore, service pack installation and windows installer folders, making it a hard time for the victims to restore the original system file. On the process list, explorer.exe has its perfectly legitimate presence; on disk, the infected explorer.exe file has no distinction in filesize because W32/Kibik.a attaches to unused segments in the original file. Behavioral detection products looking for rootkit characteristics or autorun register keys will find nothing, because there isn’t any rootkit or autorun key.

To make it even difficult to track for network administrators, W32/Kibik.a sends innocent looking search requests to Google Blogsearch – only the search keywords are unique hexadecimal strings. Google Blogsearch, unlike Google Web Search that we are most familiar with, indexes blog entries with RSS and Atom feeds from blog authors. This makes blog content more readily searchable than Web search. When indexed, search results can return dynamic data, such as URLs to download, or commands to execute in a synchronized manner. At the time of writing, W32/Kibik.a’s searches have not yielded any results thus far.

From silent installation via a 0-day exploit, to silent residence and operations and virtually silent and innocent looking Google search; W32/Kibik.a could well be the start of a new trend in scalable remote controlled malware (a.k.a. botnet) in 2007. It is no wonder with its stealthy elements, few security vendors had detected or repaired W32/Kibik.a to date.

McAfee Avert Labs continues to monitor W32/Kibik.a and other malware using these techniques.

Š

This month, Microsoft has patched 13 vulnerabilities. Among them is one that can be used to create a worm targeting Windows 2000 systems. The MS06-070 Workstation Service vulnerability can be remotely exploited without user interaction. On Windows 2000, no authentication is needed when sending traffic to this service. Details on this vulnerability have been published.
The vulnerabilities in Internet Explorer DirectAnimation.PathControl AxtiveX object and in XML Core Service, both exploited in the wild, have been addressed in this month’s patch cycle.
The update of our graphs of last month is found below. The graphs show that Microsoft is continuing the trend of patching a large number of critical vulnerabilities each month.

Sometime ago, I wrote about the PWS-Bankers, and what their authors were doing to make their sample live the longest amount of time possible: by adding additional sites to the trojan so if the first was out, it would get info from the second… Well, today I got another sample of one of those PWS-Banker.dldr, the downloader part that retrieves the actual banker trojan. This one had about 60(!) different websites, of which more than 50 were active as I write this…thats what I call redundancy!

Most of the urls were abusing dynamic DNS services, as you can see here:

hXXt://imagens5.myvnc.com
hXXt://imagens6.myvnc.com
hXXt://imagens7.myvnc.com
hXXt://imagens8.myvnc.com
hXXt://imagens1.myftp.biz
hXXt://imagens2.myftp.biz
hXXt://imagens3.myftp.biz
hXXt://cervatotal.servebeer.com
hXXt://blosblob.serveblog.net
hXXt://imagens6.myftp.biz
hXXt://imagens7.myftp.biz
hXXt://imagens8.myftp.biz
hXXt://imagens9.myftp.biz
hXXt://imagens1.myftp.org
hXXt://imagens2.myftp.org
hXXt://imagens3.myftp.or
hXXt://imagens4.myftp.org
hXXt://imagens5.myftp.org
hXXt://tulipasfotolog.hopto.org
hXXt://imagens7.myftp.org
hXXt://imagens8.myftp.org
hXXt://imagens9.myftp.org
hXXt://imagens1.bounceme.net
hXXt://imagens2.bounceme.net
hXXt://minhavida.servehalflife.com
hXXt://blobufg.zapto.org
hXXt://blobuegarquitetura.serveblog.net
hXXt://somostodosum.serveblog.net
hXXt://herbalifes.servehalflife.com
hXXt://zabumbaflog.zapto.org
hXXt://superflog.serveblog.net
hXXt://visionflog.serveblog.net
hXXt://floglidiane.bounceme.net
hXXt://flogolandia.serveblog.net
hXXt://blobterra.serveblog.net
hXXt://pudimblob.servebeer.com
hXXt://blobestrelinha.serveblog.net
hXXt://flogalera.serveblog.net
hXXt://flogolandias.serveblog.net
hXXt://superblob.serveblog.net
hXXt://blobuol.serveblog.net
hXXt://flogdasloiras.serveblog.net
hXXt://flogescandalos.serveblog.net
hXXt://flogagitabrasil.serveblog.net
hXXt://blobagitacentral.serveblog.net
hXXt://fobiastudiox.servemp3.com
hXXt://superflog.zapto.org
hXXt://flogao.zapto.org
hXXt://flogflog.no-ip.info
hXXt://zuiii.serveblog.net
hXXt://blobpromilitar.serveblog.net
hXXt://flogpromilitar.serveblog.net
hXXt://fotosfraga.serveblog.net
hXXt://fragantes.serveblog.net
hXXt://catarine.serveblog.net
hXXt://liliane.serveblog.net
hXXt://danielamix.serveblog.net
hXXt://mirelle.serveblog.net
hXXt://lidiane.serveblog.net
hXXt://julinha.serveblog.net

It’s no big revelation to say that spammers and virus writers have been getting increasingly sophisticated about the mechanisms they use to get their ads in front of a set of real, human eyes. It seems, recently, that virus writers are concentrating on improving their background infrastructure to get better metrics and overall success rate.

For instance, it seems the miscreants are getting into the world of data mining. There’ve been a couple examples recently of ways they’ve used different techniques for keeping track of how their botnets are doing. Keep your bots in handy groups for different purposes, and then track them with a nice graphical interface!

Personally, I still have a hard time thinking of these groups as “professional”, in the suit-and-tie sense of the word. But this is so organized it makes me wonder if the people behind these things don’t effectively have Accounting and Marketing departments.
But then, occasionally the spammers take a turn that kinda makes you wonder. Yes, the field of “Pump and Dump” stock spam is getting a bit crowded – maybe something new and different is what’s in order?

Starting last night, there was a new raft of spams using a “technique” which is decidedly odd. Just a single word, spelled out in ASCII art. Are they counting on users to google this strange word just to solve the mystery? Or is the “payload” yet to come?

This week, Secunia and SecurityFocus published advisories on a Microsoft Windows Active Directory vulnerability. Reportedly, a remote attacker could deny service to vulnerable machines by exploiting this vulnerability.

Not much more is public about this flaw. Nonetheless, the flaw’s publication date is conspicuous: it was published on November 14, which coincides with Microsoft’s November Patch Tuesday.

I’ve called attention before to what may be a trend for vulnerability disclosure. Security researchers might be releasing Microsoft vulnerabilities on or just after a Patch Tuesday to maximize the vulnerabilities’ window of exposure. The November 14 Windows Active Directory vulnerability is yet another curve-fitter in this trend!

It’s always nice when I get a few emails in my inbox that aren’t predicting doom and gloom, and give me a giggle or two, so I figured I’d share a few with you.

• I hadn’t heard of the Anti-Hooligan Software Alliance until today. Great idea of course, but a strange choice of name, especially to those of us who’re fans of the comedian Bill Hicks. (I’d link but I can’t find anything without a great profusion of four-letter words) Wikipedia explains my confusion best – What’s the sport people are getting violent about, here? I’m pretty sure “software” is not a sport.

• It’s a perennial point of amusement within the security industry that with the advent of internet-connected kitchen appliances and cars we may some day need to have security software throughout the house. Now I have to wonder, will paper some day come with security software pre-installed on it?

• Today, some so-called “adware” was discovered for OS X. (So called because it opens pop-up windows – it’s pretty minimally functional) Naturally, this is being referred to as iAdware. Okay, so maybe this one elicits more of a groan than an actual giggle, sorry.

Alright, back to the doom and gloom!

A little background info – BuddyProfile.com is a site meant to allow you to spiff up your Buddy Profile for AOL Instant Messenger (AIM). It seems to be popular with a youngish teenage audience; it’s in the top 100,000 sites according to Alexa. It’s this particular fact which makes all the drama that follows just that more disturbing.

The basic problem is one we’ve seen before – When users are free to add their own HTML content with minimal restrictions, people will find a way to add objectionable content like malware and adware.
A SiteAdvisor crawl today turned up some profiles on BuddyProfile.com which immediately redirect the user to an adult site, which points to a file which is detected as Exploit-ANIfile, which is being used to install Adware-PestTrap which then displays “security warnings” to the user.
Just to recap:

1. Popular site, frequented by a large number of kids
2. Allows users to add their own HTML content
3. HTML content is being used on profiles to redirect people browsing this site (presumably said kids) to porn and surreptitiously-installed adware programs

Yuck. Seriously.
I think one of our Site Advisor researchers, Harry Sverdlove, put it best. He likened sites allowing users to embed their own HTML content into profile pages to restaurants letting people bring in their own food to be served to everyone:

“I’ll take the salmonella and the botulism ‘to go’ please.”

Introduction

Let’s assume we need to do the dataflow analysis in a particular execution path in a certain binary. In order to collect as much data as possible, we should single-step a certain execution path, save registers values in each step, and then do some analysis. If we have all registers values, we can deduce values assigned to/from memory locations, by looking at instructions semantics.

Available methods

Let’s focus on the first stage: single-stepping. We have the following methods:
Method 1. win32 API debugging facilities
We can do it in an “official” way, that is:

• attaching a debugger
• forcing single-stepping by setting TF bit in eflags
• collecting register values each time on return from WaitForDebugEvent()

However, it is hopelessly slow, because a context switch is necessary after each instruction, and the debugger needs to issue a few system calls to retrieve context and resume execution.

Method 2. In-process EXCEPTION_SINGLE_STEP trapping
A better way is to trap EXCEPTION_SINGLE_STEP not in the debugger, but in the analyzed process itself. We can set up a SEH, and in the SEH handler collect necessary data, and later resume the execution. We can inject into a process a dll which will do the necessary preparations. The “sha1sum_test.exe” binary, if given a second argument, will execute the critical loop with TF set in eflags, and an exception handler will be called after each instruction.The speed gain is about x10 in comparison with the previous solution. Still, exception dispatching both in kernel and in userspace components imposes significant overhead.
Visit http://www.cybertech.net and you can find more advanced implementations.
Maybe it would be more efficient to implement a fast path in the kernel exception handler (just collect register values and resume execution).

A faster solution

Method 3. [purely in] User Mode Single Stepping
Why do we need TF at all ? If the instruction at address X is about to be executed, we can overwrite the next instruction with “jmp our_handler“. (we will need to make the .text segment writable first). our_handler should

1. switch to a temporary stack; save the registers with pusha+pushf
2. restore the overwritten instructions
3. move the saved registers values to some storage
4. compute where the current instruction transfer the execution; let it be the address X’
5. overwrite X’ with “jmp our_handler“
6. restore registers with popf+popa; restore eriginal esp; return to the next instruction

The tough part is 4. We need the following:

• for instructions which do not transfer control (so, anything besides jmp/jxx/call/loop/ret), we need to know an instruction length. It is easy: we can compute all instructions lengths *before* running a program, store it in some file, which will be subsequently mmapped accessible by our_handler.
• for jmp/ret/loop/”call fixed_addr” we need to add the jump offset to the current address – easy.
• for jxx instructions, we need to consult eflags whether the execution is altered or not – doable.
• if we face a computed call/jump, we could disassemble it on the fly and deduce the target, but it is complicated due to variety of addressing modes of 386. The easier way is to trap to debugger, which will single-step the problematic instruction, and later resume software tracing. The overhead should be small because computed calls/jumps are relatively rare. And we can still simulate the most frequent cases, say “call eax”.
  Additionally, this approach helps when our disassembler cannot recognize a particular instruction.

Implementation

The above functionality has been implemented in “umss” project, in McAfee labs. The package contains the following components:

• umss.cpp: it is supposed to write a map of instructions lengths. It uses the “boomerang” project (http://boomerang.sourceforge.net/). In fact, if we just need to get instructions lengths, any disassembly library would do; however, boomerang is unmatched when it comes to analyse instructions semantics (the said analysis is still to be implemented).
• inject.dll: it is a library to be injected into any process. It implements single-stepping. If it does not know how to handle a particular instruction, it jumps to “\xcc”, and the attached debugger takes care of it.
• tracer.cpp. It implements the rest of the required functionality.

In order to collect some benchmarks, a simple program was written which runs a loop a given number of times. It can be traced with umss, or, if given two arguments, trace itself with method II. Results:

• native run (without any tracing):
  ret=-787054544, time=0.047312ms, loops/ms=211361.374858
• tracing with EXCEPTION_SINGLE_STEP handler (two arguments given to the test program):
  ret=-787054544, time=1085.968872ms, loops/ms=9.208367
• ordinary tracing with WaitForDebugEvent():
  ret=-787054544, time=9999.467773ms, loops/ms=1.000053
• umss:
  ret=-787054544, time=95.365204ms, loops/ms=104.860050

As we see, umss method is about 10 times faster then exception handler, and over 100 faster than the ordinary debugging.
All the execution times were obtained with disabled storing of register values (only the overhead of tracing was important). Anyway, in umss the log file is memory mapped, so especially in case of a SMP (or dual-core) system the performance impact imposed by disk writes should be minimal.Additionally, in order to improve the efficiency, we do not want to trace through library calls (well, it should be configurable which dll we want to trace). If inject.dll observes that the execution leaves the .exe segment, it will overwrite the return address location with its own handler and execute t he library function without tracing; when the library function returns, tracing resumes.

Currently the umss package is in early stage, just enough to confirm usability of the approach and conduct benchmarks. It should be straightforward to implement simple enhancements:

• implement more computed jump/call instructions
• currently only a single executable section map is supported
• implement injecting the dll upon LOAD_DLL_DEBUG_EVENT of a library we want to trace
• perhaps optimize inject.dll better. The interesting part is that it should execute only ca 80 own instruction (per each instruction in the traced process) in a typical case, yet the performance hit is x2000. Probably the parallelism of Pentium is affected, as well as memory caches efficiency.
• finally, implement the crucial part: flow analysis

The umss package can be downloaded from Sourceforge umss download page

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

In the world of security, there are typically two kinds of arms races – symmetric and asymmetric. Asymmetric warfare is where it is orders of magnitude easier to defend than it is to attack (or vice-versa). In other words, given a conscious decision to be secure, it is inherently a lot easier to carefully engineer a fail-safe system, than it is for a malicious attacker to figure out a way to break it. Good examples of asymmetric warfare are cryptography (most modern cryptographic algorithms are practically impossible to break), memory-corruption based exploitation (stack canaries, address-space layout randomization, non-executable memory pages / “PaX”, “no-execute” hardware support etc are all relatively easy to implement and use), deception & uncertainty (e.g. ICMP traceback, honeynets), etc. On the other hand, symmetric warfare is where the attackers and defenders are on a level playing ground in terms of available technologies. The best examples of this have been DRM (Digital Rights Management) and virus technologies (detection and evasion).

Every now and then, good defensive technologies from asymmetric warfare in one security domain are applied for offensive purposes in another security domain (or vice-versa depending upon which came first). The following are two recent examples.

Firstly, in the world of online form submission, “captchas” have become a de-facto standard to check whether an actual human is involved in the process. A captcha is essentially a visual challenge-response test. Typically, a distorted image is generated randomly for each form, and the user is supposed to visually recognize the content displayed and type it in. The assumption is that automated bots can’t identify the content quickly enough, only humans can. A pretty fail-safe technique actually, and it works to this day for most purposes. However, the same concept is now being used by spammers:

The entire unsolicited message is one captcha image. For traditional anti-spam agents that have to quickly scan through emails, this is indistinguishable from legitimate-looking emails from unknown senders and with image-attachments.

So the asymmetric defense from the world on online-form submissions has now introduced an asymmetry in the world of anti-spam. The day wire-speed OCR (optical character recognition) becomes available, possibly invented for spam defense, the asymmetry in online-form submissions will also be lost.

Second, let’s look at TLB (Translation Look-aside Buffer) desynchronization. The PaX technology from Grsecurity introduced the idea of non-executable memory pages via split TLB. A brilliant defensive technology that games the paging-logic of IA32 based CPUs using desynchronization of the TLB to allow a kernel mode driver to know whether a memory access is a data-access or an execute access. So it became possible to detect exploits that tried to execute code copied into pages marked non-executable.

Following this, the split-TLB defense was applied for offensive purposes in Shadow Walker (hiding rootkits from AV/AS scanners) and defensive purposes in Ollybone (reversing packed/encrypted malware). Packed malware typically start off by unpacking the original code into a separate section (marked non-executable by the malware analyst). Then, when the malware attempts to execute the OEP (Original Entry Point) instruction, the Ollybone driver can intercept it and present an “unpacked” memory layout to the reverse engineer. Shadow Walker uses an “inverse-PaX” technique. When a scanner attempts to read from a Rootkit occupied page, a cloaking driver detects it as a non-execute access, and presents a cloaked clean version of the page instead. The driver allows execution of the Rootkit pages as usual. This makes traditional user-space scanning for kernel-mode rootkits completely ineffective.

The following is the latest addition to the utility of this split-TLB trick.

View Demo Here

Unlike Shadow Walker which is designed to hide Rootkit’s kernel-space modifications, we apply the split-TLB trick to hide user-space code (or data) patches instead. This has a tremendous impact in the world of malware analysis and DRM.The proof of concept demo here shows a user-space executable that is designed to be tamper-resistant. It does this using a “checksum” thread that periodically monitors and posts the checksum of certain memory pages used by a critical “worker” thread. The worker thread periodically prints a status message. Once the anti-checksum driver is loaded, it first setups a cloaked clean version of the worker-thread page. Using split-TLB, the checksum thread is shown the clean version only. Then the driver patches the worker-thread code and completely disables its status messages. As seen in the demo, the checksum thread generates checksum-match messages even as the worker-thread has been visibly tampered with. Once the driver is unloaded, the cloaking is removed, and only then the checksum thread detects the process has been tampered with. This illustrates that user-space tamper resistance via self-checksums can not be relied upon anymore for any platform that supports split “TLB” or any style of memory cloaking that distinguishes executes from reads.

So the originally defensive PaX technology turned offensive in Shadow Walker, then defensive in Ollybone, and again either defensive/offensive depending upon whether it’s used for hiding code-patches in malware during analysis or in DRM-enabled products to break their tamper resistance.

Malware authors have been pro-active in including exploit code for almost every new vulnerability reported into bots with utmost professionalism. Apart from the numerous Microsoft windows vulnerabilities where exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are dated and patches available, bot authors still found them enticing enough to target machines running vulnerable versions of the these software applications.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

• CA BrightStor
• Dameware
• MySQL
• WU-FTP
• VNC

Most of the major software vendors like Adobe, Microsoft and Oracle now follow a monthly patching cycle and administrators have their hands full in ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network for policy reasons. For example, the organization could be using legacy software which could break if a new service pack was applied and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need more time to first deploy these hot fixes in a test environment and QA them properly before deploying them to the entire enterprise.

Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients should surface. IM is popular both in consumer and corporate networks and an exploit that gives remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

The most common use of the popular HTTP error code, 404 is to communicate that the client was able to reach to the server, but the server could not find the requested file. To a naive user this pretty much means “Let’s move on!”

We present the following information to warn users of a social engineering attack currently in vogue with several malware authors. McAfee Avert Labs recently evaluated a website called 404dnserror(dot)com. At the time of writing this blog, the website throws a “fake” 404 file not found page. But a closer look at the error page, as depicted below, shows that the server tries to install an ActiveX control and the installation message communicates that page is not available as it’s blocked by an adware/spyware. It also proposes to install a security product called “System Doctor” to remove this adware/spyware.

Further analysis of System Doctor reveals this is actually a flavor of the “WinFixer” application that claims to fix registry and hardware errors or to clean adware/spyware.

We caution web users of these “fake” error codes seen while surfing web and continue to protect our customers against these attacks.

____________________UPDATE DEC, 6 2006_________________________________

“On 5 December 2006 we incorrectly reported that “Spyware Doctor”, published by PC Tools was involved in this scam resulting in the publication of fake error codes to induce end users to download their software (in the above blog titled “404 Not Just “File Not Found”"). It has since come to our attention through further research that the software in fact was “System Doctor”, a rogue software product which attempts to trade off its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor.”

This weekend brought us yet another XSS vulnerability in MySpace being used to modify users’ profiles for malicious ends. Much like in the Windows virus space, we’re apparently past the phase of MySpace worms being used purely for notoriety, and well into the phase of worms for profit.

This worm (JS/QSpace) uses an intended function of QuickTime movies to use JavaScript code to open additional URLs. The additional URL in this case is a JavaScript file which modifies the user’s MySpace profile to include the malicious movie.

This boils down to two primary problems:

1. QuickTime will load external URLs without user consent
2. MySpace will embed or modify content without user consent, even from external sites

The MySpace part of the equation seems pretty straight-forward to address. Couldn’t something be set up to verify that a human is actually intentionally modifying content, especially if done in bulk?

The QuickTime issue being an intended feature makes this a bit trickier. It seems painfully naive to me, for a feature like this to be added with no precautions put in place to prevent malicious use.

One of the biggest reasons movie files are becoming increasingly popular as distribution methods for malware is that between newly discovered vulnerabilities and features like this, the “return on investment” for malware authors using these file-types is sky-rocketing. Very few people hesitate to view a movie file unless the context it comes in is incredibly suspect (and that’s mostly to avoid getting canned for watching porn at work, or getting the snot scared out of you by the car ad with the zombie that jumps out at the end).

But really, never mind the zombie. There are much more disturbing things potentially lurking in videos now.

We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy. A sends all the data it’s captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

• The software is licensed for only one phone ID(IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI it’s expected to be shut down.
• It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.

As per reader’s feedback on my earlier blog “404 not just “File Not Found“, they wanted more information regarding how a Potentially Unwanted Program, called “System Doctor”, gets installed. So I will emphasis more on this programs behavior in this post.

System Doctor tries to fools users by utilizing images that are similar to a legitimate product from PC Tools called “Spyware Doctor” as shown below:

Installation on the victim’s machine is via an ActiveX control, as shown below, which needs user’s interaction:

Upon installation, System Doctor scans the user’s system and displays an “Error Message” box as shown below:

If the innocent user clicks on the “Repair Now” button he will redirected to another page, where they are asked for credit card details:

In my previous blog it was incorrectly reported as “Spyware Doctor” instead of “System Doctor”. Through further research and discussion, the software is in fact “System Doctor”, a rogue software product that attempts to leverage its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor as per discussion with PC Tools.

We caution web users from entering their card details and CVV number into these masked doctors seen while surfing web as we continue to protect our customers against such social engineering attacks.

Many of you have heard about the Nigerian Email Scam (aka 419 Fraud) that proliferates through email traffic and usually sits waiting in your Inbox or Junk Mail folder for the next victim. Many do not know, however, that the scam has been successful for over a decade now since the 1990’s and gets its origins as far back as the 16^th century.

The Nigerian Email scam is a derivative of the Spanish Prisoner Con where a victim is told about a Spanish prisoner that is extremely wealthy who needs somone’s help in getting free. This so-called prisoner is relying on the con artist to raise enough money to free him. The con artist approaches his victim with the story and allows him to help with a portion of the fundraising with the promise of high reward and financial gain. There was even a Hollywood movie called The Spanish Prisoner made in 1997 based on this plot.

The first instances of the Nigerian Scam were seen in the early 1990’s. Back then, it was delivered via postal service or fax. Over ten years later, its main method of delivery is email and to this day there are still people falling victim to the scam. Losses are estimated in the billions of dollars. Brian Ross of ABC News has recently completed an interesting investigative report following the trail of these Nigerian con artists.

To add insult to injury, there is an immensely popular song and music video in Nigeria whose lyrics flaunt the success of the scam (“you be the mugu², I be the master”) and ridicule Caucasians’ greed (“Oyinbo³ people greedy, I say them greedy”).

“I Go Chop Your Dollar” (video)

I Go Chop Your Dollar (lyrics)
I don’t suffer no be small
Upon say I get sense
Poverty no good at all, no
Now I’m make I join this business
419¹ no be thief, it’s just a game
Everybody they play ‘em
If anybody fall mugu², ha! My brother I go chop ‘em

Chorus

National Airport now me get ‘em
National Stadium now me build ‘em
President now my sister brother
You be the mugu² , I be the master
Oyinbo³ I go chop your dollar, I go take your money disappear
419¹ is just a game, you are the loser I am the winner
The refinery now me get ‘em,
The contract, now you I go give ‘em
But you go pay me small money make I bring ‘em
You be the mugu², I be the master… now me be the master ooo!!!!

When Oyinbo³ play wayo, them go say now new style
When country man do ‘em own, them go the shout bring ‘em, kill ‘em, die!
Oyinbo³ people greedy, I say them greedy
I don’t see them tire that’s why when them fall enter my trap o!
All day show them fire

1. Nigerian criminal code that the scam violates
2. Nigerian Pidgin for “fool”
3. Nigerian Pidgin for “Caucasians”

Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability CVE-2006-5994, we refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word Document sample for MessageLabs. Just when you would have thought this could be the same 0-day which was most recent, Microsoft confirmed upon our request that we are seeing double trouble — this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for payload associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4914 for Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4915 as Exploit-MSWord.b.

I’ve seen a number of fake charity sites crop up over the last week or so, and the cynic in me knows it’s that time of year again. Christmas is a time of joy and happiness, good will to all men, peace on earth, and thank whoever you believe in you’re not a turkey! It’s not restricted to the Christmas period but, at this time of year, we are more likely to think of those less fortunate and that is exactly the feelings the fraudsters are trying to exploit with fraudulent sites purporting to help needy children who are abandoned, distressed, endangered, exploited, homeless, hungry, sick or suffering.

The websites I’ve seen so far are very professional with a fairly high amount of graphical content (flash and html versions no less) and a good amount of verbiage designed to make the reader feel upset, guilty, sentimental, or otherwise relieved of a tear or two. Much of the layout and content on one of these fraudulent sites was directly copied directly from a legitimate charities websites with simply a name and a logo changed. These websites are as bad as some of the leaflets that drop through your door, but they cost less, well at least in the short term.

Q:Can you tell the difference?

I’ll save the answer until later. So how many real charities use compromised machines to host their websites or botnets to send their email? Not one! Here is a sample of the spammed image from one of the recent campaigns. (Doesn’t it look a bit like the recent stock spams?) I expect the quality of the email content to improve in the future however.

Please be very wary of any donation opportunities appearing via email, just as you would if a stranger was knocking at your door, cap in hand. This FTC site has some good advice on responsible donating.

A:The Red one was the fraud site.

Here’s a concept that might inflate everyone’s ego a little, as well as (hopefully) making them a little more wary: It’s not just CxOs whose names and info are valuable. It’s yours and mine, too.

In Italy, trojan spammers are sending emails which appear to be from lawyers, threatening legal action if the recipient doesn’t clean up their allegedly-infected machine. Of course, this email includes a “helpful link” to a removal tool which is, in reality, a trojan. The most notable thing here is that the email includes actual lawyers’ names and contact information, which is causing significant problems for the lawyers whose names have been used.

We’ve also received reports from Italy indicating people are getting similar emails, but from people who appear to be angry business partners, rather than from lawyers.
Miscreants have also taken to heart the figures regarding the lack of security awareness in smaller businesses. Small companies may feel that they’re too insignificant to be targeted, but their machines may actually be just as valuable as someone in a Fortune 500 company. Small businesses’ bandwidth is often better than a home user’s, their employees’ name and contact info can be used in schemes like this, they might be more apt to be hurt by Denial of Service attacks or extortion attempts, while they’re less apt to have trained or dedicated security staff.

Really, everyone’s data has a useful place in the internet criminal’s arsenal. Doesn’t that just warm the cockles of your heart?

So what do we take away from all this? Regardless of how urgent an email appears to be, it pays to double-check links and attachments with the apparent sender if you’re not expecting it. And to keep yourself from being an “apparent sender”, consider very carefully what information you make available on the internet. Do you need to post your employees’ name and phone numbers publicly or would something more general be feasible?

As we know there are many websites offering videos of celebrities for free where its major viewers are youngsters.

Here we have a webpage “www(dot)leaked[REMOVED]videos(dot)com” which by its title looks to have a large collection of celebrity videos. The user visits the site, follows the instructions, then ends up installing a worm instead of watching celebrity videos.

The webpage displays “Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object” attempting to get the user to install “missing plugins” for Media Player as shown below:

If user clicks on the (Click Here) hyperlink in the browser they will end up downloading a program called mpg2-3.0.1.exe, as shown below:

Upon execution, mpg2-3.0.1.exe displays the fake error message box shown below and installs a worm called Nugache.

We caution all internet users from getting infected by these fake online video sites found while surfing the web as we continue to protect our customers against such social engineering attacks.

This Patch-Tuesday, Microsoft patched 11 vulnerabilities. Among the patched vulnerabilities are two that can be remotely exploited by an anonymous user, MS06-074 SNMP Buffer Overflow Vulnerability and MS06-077 Remote Installation Service Vulnerability. The Windows SNMP Service and Remote Installation Service are not default installed which greatly reduces the attack surface.

The vulnerability in Visual Studio, exploited in the wild, has been addressed in this month’s patch cycle.

The update of our graphs of last month is found below. The top graph shows that Microsoft almost hit one hundred critical vulnerabilities for 2006. The year is not over and Microsoft may provide out-of-cycle patches for the current 0-Day Word vulnerabilities.

Some helpful soul has decided there isn’t enough Symbian spyware in the world. A Russian malware author has released a prototype of SMS forwarding spyware, SymbOS/Htool-SMSSender.A.intd. He’s included the source code to aid in modification.

The author, let’s call him Scripty, says that SymbOS/Htool-SMSSender.A.intd can:

• Hide from the user
• Load on startup
• Copy the text of the last SMS you received
• Send that text in a new SMS to the author

SymbOS/Htool-SMSSender.A.intd performs the first three steps well, but it fails to do the last. Looking at the source code, it appears Scripty didn’t write the SMS sending code. Scripty, though apparently unskilled, believes the source code will be useful to other malware authors for constructing their own SMS spyware.

Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware.

In the week leading up to 12 December 2006, two new Microsoft Word zero-day vulnerabilities became public (Word I, Word II). Microsoft’s December Patch Tuesday fell on December 12, but this cocktail of Microsoft’s patches did not include fixes for the two new Word flaws. To make matters worse, on December 12, a third zero-day Word flaw was released (Word III).

Although one could argue that the December 12 release of a new Microsoft flaw was only a coincidence, it fits the trend of the disclosure of Microsoft vulnerabilities on or just after a Patch Tuesday. November’s trend-fitter, a vulnerability in Microsoft Active Directory, did not include a public proof-of-concept; this month’s trend-fitter, however, does have a public proof-of-concept.

So the Word zero-day trio has a window of exposure of at least a month. Please stay secure as we continue to protect our customers against such attacks.

Inside the Trojan family, password stealers (abbreviation : PWS) are dedicated to monitoring some of your keystrokes. They collect confidential information like Internet logins. Depending on the data collected, an attacker is then able to access your bank, e-commerce, game or social networking website account for the purpose of fraud or other criminal activities.

McAfee Avert Labs recently added detection for a newcomer distributed over the Skype VoIP network. Named PWS-JO, it captures all keystrokes, saves them to a local file and contacts a remote website – hopefully no longer accessible – to send them to. This new example illustrates a new variety of attack vector (in this case a VoIP client), no longer limited to viruses, spammed email or malicious webpages for distribution.

This new alert must also remind us that password stealers are more and more numerous and not limited to immediate financial offenses. Although 62% of them target financial institutions, it is important to note that Massive Multi-Player Online Role Playing Games (MMORPG) are the second predominantly targeted vector (approx 18%).

At McAfee the main PWS families are the following:

In one year the PWS family number grew by 240% (from 5000 to 12000). Users must stay vigilant to not lose their “cyber-money” as well as their uber dragon sabre!!!

Technologies advance with time, and so is the case with Instant Messengers. Not long ago, people were happy sending text messages. Then VoIP came along and changed the scene. Soon after IM vendors embraced it. Many IM clients are now VoIP enabled. As soon as VoIP started going deeper into the mainstream, security researchers warned of related issues. One issue was abuse with spam, usually referred to as SPIT. Wikipedia states SPIT is “as-yet-nonexistent problem“. As VoIP is getting more popular the scenario is changing fast, this “as-yet-nonexistent problem” is slowly but surely emerging. The following images shows a real-world VoIP spam over Skype.

The image shows a typical spam prospect. The spammer starts a conference call with some random users and starts playing the spam message. This process is most likely not manual but automated with bots.

Use and abuse are two sides of the same coin and this technology is no exception. All major IM providers are giving away SDKs to develop add-ons. However these SDKs also lower the bar for spammers to develop bots. We have witnessed the same with the ongoing development around Skype malware.

The image below shows the assembly code for the loop which is used by Skype malware to search for users. You will notice the “SEARCH USERS” Skype APIs:

The malware actually uses more of these. The image below will highlight those:

These APIs are part of Skype SDK and are documented by skype. It is just a matter of time before we start seeing bots, in the wild build on top of IM SDKs provided by the vendors. We advise users to be aware of this developing attack vector. McAfee Avert Labs is prepared for this battle!!

As of late, a weekend is just not complete without a new W32/Stration variant spamming, and this weekend was no exception. Of course, this variant added a Christmas twist to the message body. To add to the Christmas “fun”, we also saw two other nasties taking advantage of people hoping for a little holiday cheer in their inbox.

Here’s hoping you all missed this excitement because you were having a wonderful holiday with friends and family instead. Or perhaps basking in the glow of a TV, enjoying a new video game console. (Speaking of which, the Wii just got an internet browser which is capable of playing Flash games. Hmmm… Very cool that they went with Opera, though!)

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet turning them into spam relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spams, online pharmaceutical drugs or the usual penis enlargement. Each individual zombie machine is capable of sending hundreds of spam emails per minute depending on the bandwidth available. Example: Spam-Maxy, Spam-Loot

And with more machines having access to broadband and ADSL connections, it provides a fertile breeding ground for this unholy alliance of malware authors and spammers to take advantage of.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

Only 11% constituted executable attachments. 2% were mails containing infection notifications or captured cached passwords that were meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spammed content was image spam and ASCII art; techniques that spammers have effectively used to subvert traditional detection by anti-spam vendors.

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication seen in the W32/Stration and Spam-DComServ trojans of today, demonstrate the alarming advancements made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.

As we see every year, Christmas season is a great opportunity for a new virus to spread by email using “Christmas” as a reason to read the email. We just had a post here on Avert Labs blog about one a few days ago. If it was just the spammers, we could understand, since they live to do that, but today I got an email from my bank, stating that I could start to send Christmas and New Years virtual cards through their website! I immediately thought that it was a phishing scam, so I decided to check the link. It was indeed a new url created by the bank, something like www.christmascards[insert Bank Name here].com.br, where you could select up to 4 different Christmas / New Years cards and send to your friends… This just happened hours ago… I bet that I will start to receive some Xmas virtual cards and I also bet that those will not be from my friends . So you do not get me wrong, I like virtual postcards, but here, this strange marketing campaign will make things real easy for the bad guys, since the real bank sent a mass mail to all customers telling them that they can send those cards from their website. Now, what do you think will happen when the bank customers start to receive fake virtual postcards on behalf of the bank, with attached malware??

Apparently not! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service.

Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable.

Keep reading for more on exploits released this holiday season. Happy holidays!