Archive for May, 2006

First Kernel Mode IRC bot?

A couple of weeks ago we saw a blog posting by a person named tibbar claiming they had written the first kernel mode IRC bot. See http://tibbar.blog.co.uk/2006/04/06/kernel_mode_IRCbot~708256 for the announcement.

Is this really the first kernel mode bot? I think so, but it is purely a proof of concept with no teeth. What makes this announcement important in my eyes is that it illustrates two points that matter a great deal when we look at the future production of bots and malware in general: use (and reuse) of open source components, and the increase in programmer skill sets.

This kernel bot was easily created because it used a kernel socket library written and placed in the public domain by Valerino on rootkit.com. As The Mythical Man Month states, there is no silver bullet in software development, but the brass bullet is module reuse, which we are seeing more and more within malware. Would this kernel bot have been created if it wasn't for the prebuilt components that were available?
The second important point is that the code organization of the project allows the IRC functionality of the kernel bot to be tested in user mode, where many bot developers are more comfortable, easing the development of variants with more IRC functionality. Is this a revolutionary ability? No, but it is more advanced than what most bot developers do. I believe the advancement of skill sets will lead to more destructive bots as more capable programmers spend time improving bot code quality, advanced features (encrypted P2P using proper key exchange, for example) and test harnesses. Malware, and bot development specifically, will start to exhibit the standard development life cycle seen in other open source projects such as Apache and Firefox.

W32/Nugache@MM IRC bot

A few interesting variants of an IRC bot named W32/Nugache@MM (see http://vil.nai.com/vil/content/v_139347.htm). Rather than resolving an IRC server via DNS and connecting back to it to receive commands, the bot attempts to create a P2P network, listening on TCP port 8. Initial execution results in outgoing connections to one of several IP addresses (on TCP port 8), presumably seeded infections used to bootstrap the P2P network. The bot spreads via email, AIM, Windows Messenger and across the network.

One interesting aspect of this family is its (supposed) ability to repack itself. Though unconfirmed in replication testing so far, reports suggest it attempts to repack itself prior to propagating. If true, this would create an interesting challenge for AV scanners.

Public Exploit Code for an Unpatched Vulnerability in Oracle10g

Working 0-day exploit code for an unpatched vulnerability in Oracle Export Extensions was posted to Bugtraq last week. US-CERT reports that successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.

Rare in 2003/2004, 0-day attacks seem to be more and more common. The term applies to the distribution of an exploit for a vulnerability which has not yet been corrected. In this case, the period between the appearance of the exploit and that of the corrective patch is null or negative: null if the exploit and the patch arrive on the same day, negative if the patch arrives several days after the exploit.

More information about this new vulnerability can be found here:
US-CERT: Public Exploit Code for Unpatched Vulnerability in Oracle
Secunia Advisory: SA19860

As of May 2nd, we are not aware of any vendor-supplied patches for this issue.

“Vulnerabilities, spam and spyware”

In October 2004, the Federal Trade Commission started an investigation of reputed spammers. The story reached its conclusion on May 4th, 2006. Sanford Wallace (nicknamed Spamford) and his company, Smartbot.net, have to shut down their operation and give up more than $4 million in ill-gotten gains. Jared Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains.

The FTC alleged that Sanford Wallace and his company, Smartbot.Net, exploited a security vulnerability in Microsoft's Internet Explorer Web browser in order to distribute spyware. The spyware caused the CD-ROM tray on computers to open and then issued a "FINAL WARNING!!" to computer screens with a message that said:

"If your cd-rom drive's open . . . You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!" Spy Wiper and Spy Deleter, purported anti-spyware products the defendants promoted, sold for $30.

The official documents are available here:

May 4, 2006:

October 12, 2004:

  • Complaint for Injunction and Other Equitable Relief [PDF 34K]
  • Memorandum in Support of Plaintiff's Motion for a Temporary Restraining Order with Expedited Discovery, Preservation of Documents and Order to Show Cause Why a Preliminary Injunction Should Not Issue Against Defendants [PDF 68K]
  • News Release

Swizzors

We've been seeing another batch of brand new variants of the Swizzor trojan in the last few days, and we've tuned our heuristics to try to pick up such new variants before they're released.

If you suspect you have a new Swizzor variant, please update your DATs and make sure you have heuristic scanning enabled.

“Where Internet users go, attackers follow”

A new study is available on the SiteAdvisor Web site. Named The Safety of Internet Search Engines, it was written by Ben Edelman and the SiteAdvisor team. The authors compared the safety of the leading search engines using the company's automated Web site ratings. They find most leading search engines similar in the safety of the sites they link to, though MSN is the safest and Ask lags noticeably behind. The paper also demonstrates that sponsored results are significantly less safe than a search engine's organic results. There are heightened risks for certain keywords, including those frequently searched by kids and novice users. The study started in January 2006, and the analysis uses search engine results as well as SiteAdvisor safety data from April 2006:

  • Overall, MSN search results had the lowest percentage (3.9%) of dangerous sites while Ask search results had the highest percentage (6.1%). Google was in between (5.3%).
  • Sponsored results contained two to four times as many dangerous sites as organic results.
  • Dangerous sites soared to as much as 72% of results for certain risky keywords. Particularly dangerous keywords include "free screensavers", "bearshare", "kazaa", "download music", and "free games."
  • The authors estimate that US consumers make 285 million clicks to hostile sites every month as a result of search engine results.

Binary code analysis: benefits of C++ virtual function tables detection

Introduction

We should start with a description of how C++ virtual functions are implemented; fortunately, there are many articles which explain it well, including the more advanced issues such as the implementation of multiple inheritance.
Short summary: if a C++ class contains at least one virtual function, then for each object of this class, the memory chunk allocated for the object contains a pointer to this class's virtual function table (vftable for short). On the x86 architecture, if the ecx register points to the object (so ecx equals the "this" pointer), then a call to this object's third virtual function can be implemented like this:
    mov eax, [ecx]  ; load eax with a pointer to the vftable
    call [eax+8]    ; call the third function in the table (4-byte entries, so offset 8)

Why bother to detect vftables?

There are a couple of reasons why detection of vftables can be useful for binary analysis:

  • Because vftables can be stored within the .text segment, a disassembler may try to treat them as code. In particular, IDA sometimes does this; as a result, it produces functions containing weird opcodes, for instance:
    sbb (byte_7D3939FF-7D393A7Dh)[ebp], bh
    arpl [edx-79D682D4h], ax
    If we knew which regions are occupied by vftables, we could instruct IDA not to disassemble them.
  • Another use is related to binary matching (also called binary diffing) of different versions of the same code. From now on, we assume debugging symbols are not available. Let's assume that we have already matched a certain number of functions from binary A with functions from binary B (say, we have matched functions with identical bodies, or with identical sets of called imported functions). If
    • a certain function funcA from binary A is present in only one vftable vftA,
    • a certain function funcB from binary B is present in only one vftable vftB,
    • we have already matched funcA with funcB

    then we may safely assume that vftA and vftB refer to the same class; therefore, we may match all members of vftA with the respective members of vftB. Similarly, if we have matched class constructors, we can match all members of the respective vftables (those referenced in the constructor). The above method has some advantages when compared with other matching algorithms. In particular, it can reliably match functions which have few or no distinguishing features – all we need is the function's offset in the vftable.
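As an added illustration of the matching rule just described (example code, not part of the original post or of funcmatch): vftables are modelled as ordered lists of constructed function names, and a seed match between two functions that each sit in exactly one table is propagated slot by slot; the table-size check and the conflict check are assumptions added here.

```python
from collections import defaultdict

# Constructed sample data (not from the post): each vftable is an ordered list of the
# functions it points to, so the index of a function is its slot in the table.
VFT_A = {
    "vftA_Shape":  ["A_Shape_dtor", "A_Shape_area", "A_Shape_draw"],
    "vftA_Circle": ["A_Circle_dtor", "A_Circle_area", "A_Shape_draw"],  # inherits draw
}
VFT_B = {
    "vftB_Shape":  ["B_Shape_dtor", "B_Shape_area", "B_Shape_draw"],
    "vftB_Circle": ["B_Circle_dtor", "B_Circle_area", "B_Shape_draw"],
}
SEED_MATCHES = {"A_Shape_area": "B_Shape_area"}  # e.g. matched earlier by identical bodies

def membership(vfts):
    """Map each function to the list of vftables that contain it."""
    member_of = defaultdict(list)
    for vft, funcs in vfts.items():
        for f in funcs:
            member_of[f].append(vft)
    return member_of

def propagate_vft_matches(vft_a, vft_b, seed):
    """Grow function matches using the rule: if funcA sits in exactly one table vftA,
    funcB in exactly one table vftB, and funcA is matched with funcB, then vftA and
    vftB are the same class and their entries pair up slot by slot. Repeats until
    no new match appears, since each new match may unlock another table."""
    matches = dict(seed)
    mem_a, mem_b = membership(vft_a), membership(vft_b)
    vft_matches = {}
    changed = True
    while changed:
        changed = False
        for fa, fb in list(matches.items()):
            if len(mem_a.get(fa, [])) != 1 or len(mem_b.get(fb, [])) != 1:
                continue                       # function shared by several tables: ambiguous
            va, vb = mem_a[fa][0], mem_b[fb][0]
            if va in vft_matches:
                continue
            if len(vft_a[va]) != len(vft_b[vb]):
                continue                       # assumption: a size mismatch means the class changed
            vft_matches[va] = vb
            for ea, eb in zip(vft_a[va], vft_b[vb]):
                if ea not in matches and eb not in matches.values():
                    matches[ea] = eb           # matched purely by slot offset in the table
                    changed = True
    return matches, vft_matches
```

A_Shape_draw appears in both tables of each binary, so it cannot by itself seed a match of the Circle tables; that is exactly the case the "present in only one vftable" condition excludes.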

How to locate vftables?

In order to locate a vftable, we may use the fact that the vftable address is explicitly used in a constructor – as part of object initialization, a constructor stores the vftable address within the memory chunk allocated for the object. Therefore, the algorithm looks like this:
simple_vft_loc:

  • find all occurrences of "mov [reg+small_const_offset], some_const_val"
  • for each "some_const_val":
    • check whether it is a valid address within the binary's boundaries
    • if so, extract the DWORD pointed to by some_const_val; let's name it FPTR
    • check whether FPTR is a valid pointer into an executable segment, and whether it points to something resembling code, not data

    If all the above steps succeed, then assume "some_const_val" is the beginning of a vftable, and that the "mov" instruction referencing it belongs to a constructor.
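A runnable sketch of simple_vft_loc as described above, added here as an example and not code from the post or from funcmatch. It builds a small constructed 32-bit image (a fake .text holding stub functions and a "constructor", a fake .rdata holding one real vftable and one decoy variable), byte-scans for the C7 /0 encoding of "mov [reg(+disp8)], imm32" and applies the three checks; the section table, image base and the prologue-byte heuristic used for "resembles code" are assumptions.

```python
import struct

IMAGE_BASE = 0x00400000
# Constructed 32-bit image layout (not mshtml.dll): (name, rva, size, executable?)
SECTIONS = [(".text", 0x1000, 0x50, True), (".rdata", 0x3000, 0x40, False)]
PROLOGUES = (b"\x55", b"\x8b\xff", b"\x53", b"\x83\xec")  # assumption: common MSVC function starts

def build_image():
    """Assemble a tiny constructed image so the scan can run offline."""
    text = bytearray(0x50)
    for off in (0x00, 0x10, 0x20):                 # three stub "virtual functions"
        text[off:off + 4] = b"\x55\x8b\xec\xc3"    # push ebp; mov ebp,esp; ret
    ctor = b"\xc7\x01" + struct.pack("<I", IMAGE_BASE + 0x3000)       # mov [ecx], vftable
    ctor += b"\xc7\x41\x04" + struct.pack("<I", 0)                    # mov [ecx+4], 0
    ctor += b"\xc7\x46\x08" + struct.pack("<I", IMAGE_BASE + 0x3010)  # mov [esi+8], data_var
    text[0x30:0x30 + len(ctor) + 1] = ctor + b"\xc3"                  # "constructor" at .text+0x30
    rdata = bytearray(0x40)
    rdata[0:12] = struct.pack("<III", IMAGE_BASE + 0x1000, IMAGE_BASE + 0x1010, IMAGE_BASE + 0x1020)  # real vftable
    rdata[0x10:0x14] = struct.pack("<I", IMAGE_BASE + 0x3020)         # data var: first dword is not code
    return {".text": bytes(text), ".rdata": bytes(rdata)}

def locate(image, va):
    for name, rva, size, exe in SECTIONS:          # (section bytes, offset, executable?) or None
        if IMAGE_BASE + rva <= va < IMAGE_BASE + rva + size:
            return image[name], va - IMAGE_BASE - rva, exe
    return None

def read_dword(image, va):
    loc = locate(image, va)
    return None if loc is None or loc[1] + 4 > len(loc[0]) else struct.unpack_from("<I", loc[0], loc[1])[0]

def looks_like_code(image, va):
    loc = locate(image, va)                        # executable section and a plausible function start
    return loc is not None and loc[2] and loc[0][loc[1]:].startswith(PROLOGUES)

def simple_vft_loc(image):
    """Scan executable sections for 'mov [reg(+disp8)], imm32' (opcode C7 /0) and keep
    each imm32 that is an in-image address whose first dword points at code."""
    found = set()
    for name, rva, size, exe in SECTIONS:
        data = image[name] if exe else b""
        for i in range(len(data) - 6):             # linear byte scan: may also hit C7 inside operands
            if data[i] != 0xC7:
                continue
            mod, reg, rm = data[i + 1] >> 6, (data[i + 1] >> 3) & 7, data[i + 1] & 7
            if reg != 0 or rm == 4 or mod > 1 or (mod == 0 and rm == 5):
                continue                           # skip SIB, disp32-only and non-/0 forms
            imm_at = i + 2 + mod                   # mod == 1 carries one disp8 byte before imm32
            if imm_at + 4 <= len(data):
                cand = struct.unpack_from("<I", data, imm_at)[0]
                fptr = read_dword(image, cand)
                if fptr is not None and looks_like_code(image, fptr):
                    found.add(cand)
    return sorted(found)
```

The "mov [esi+8], data_var" store is the false-positive shape the text mentions: the immediate is a valid in-image address, but the dword it points to is not a code pointer, so the third check rejects it.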

Does it really work?

In order to test the above algorithm, let's run it on a binary for which debugging symbols are available: this way, we will be able to compare the algorithm's results with the .pdb file contents. In the case of VC compilers, the C++ mangled names of vftables start with the "??_7" prefix, so we can easily extract all vftable entries from the output of any .pdb parser.

We have chosen mshtml.dll for our test drive (I bet some of you share the idea that it makes sense to examine this particular binary in some detail). For mshtml.dll version 6.0.3790.2577, mshtml.pdb contains 886 vftable names; they point to 763 different vftables. simple_vft_loc outputs 768 addresses which are supposed to be vftables. It turned out that 28 vftables were not detected ("false negatives"), mostly because some static object variables contain a preinitialized vftable pointer (so the vftable pointer is not set by a constructor; it is set by the linker). On the other hand, 33 addresses were "false positives": they pointed to variables which were not actually vftables; they just happened to start with a function pointer.

As we see, the false negative ratio is below 4%. Moreover, it is very probable that in the binary we would match our mshtml.dll against, the corresponding vftable would not be detected either. Therefore, vftable detection false negatives should not impair the matching algorithm.

The false positive ratio is similarly low. Again, it should not lead to errors in binary matching – instead of matching vftable entries, we will match entries in other structures containing function pointers.

The simple_vft_loc algorithm was integrated into "funcmatch", a binary matching tool, and so far its performance is very satisfactory.

Other tables of functions?

Another common construction containing function pointers is an RPC dispatch table. An approach very similar to the above, using dispatch table detection, was implemented in the funcmatch tool as well.

0-Day attack in the Microsoft Word environment

On May 18 and 19, two Trojans appeared that exploit a flaw in the Microsoft Word XP and Word 2003 environments. For now, this previously unknown vulnerability is not covered by any patch. Once again we are witnessing a "0-Day" attack. Code exploiting the vulnerability is generically detected by McAfee as Exploit-OleData.gen. On Windows 2000, a crash occurs and stops the process without infection.

The first attack was publicly announced last Thursday by the SANS Institute. The malware came in an e-mail sent to several people at an Asian organization whose name was not revealed. The exploit code executes on first opening of the Word document. It quietly installs a PE-format binary (here, a backdoor) that was embedded in the document, and which is then removed from the document itself so that the document becomes unsuspicious and inoffensive. McAfee detects the EXE file under the name BackDoor-CKB!cfaae1e6.
A second program was distributed by a similar method. This one is detected under the name BackDoor-CKB!6708ddaf.

The group launching the attack is said to have operated from China or Taiwan. It acted in an extremely precise way, creating an e-mail containing specific elements directly linked to the targeted organization. Consequently, it seems improbable that these e-mails will spread in the wild. For reference, the subjects of these e-mails are:

  • Note
  • RE Final for plan agreement

The DOC files bear the name of FINAL.DOC or PLAN.DOC.

It seems that to succeed, the attack requires administrator rights. It is thus useful to remember that using accounts with limited rights increases the security level of workstations.
Microsoft hopes to provide a patch by June 13 at the latest.

Spammed Trojan of the Day Targets the UK

McAfee Avert Labs has received over 30 submissions of a new variant of Downloader-ATM in the past 7 hours. Updated DAT files were released earlier today to cover this variant. The trojan was mass spammed as an email attachment named ref 7119606.zip, which contains ref 7119606.exe. The message appears as follows:

————————
From: Valuehost Billing Department [mailto:merchant@valuehost.com]
Subject: [order ref 7119606] Credit Card Chargeback
Message-Id:
Date: Thu, 25 May 2006 10:03:10 -0700 (PDT)

Dear customer,

We have received a notice from your card service stating that there was
a chargeback made by the owner of the card that
you paid for your account with. This is a very serious matter. I have
deducted the amount of the chargeback, GBP 119.40,
from your account and added our standard fee of GBP 25.00 as well. (Now
you can see your payment details in attachment.)

If there was some mistake, please let us know immediately so that we
can get this situation resolved. We ask that you have the chargeback
removed as soon as possible, as our account has already been debited for
the amount in question. If you would prefer to make your payment using a new payment
method that would be fine as well (you can use a different credit card
or you may send a money order payable to
Valuehost).

This is a time sensitive issue and must be resolved promptly at the
request of the card service. Please email the billing team using the
Web Administration Panel with information about how
you are going to deal with this situation.
I thank you for your time and hope to hear from you
soon.

See your payment details in attachment.

Sincerely,
Mark J. Burnett
Valuehost Billing Department
http://www.valuehost.com
————————

When run, ref 7119606.exe downloads a new PWS-Cashgrabber variant. This password stealing trojan targets the following banking sites:


In addition to logging keystrokes, the trojan can also take screenshots as a means of stealing users' website credentials.

Parasitic Spyware on the Rise

The concept of "parasitic spyware" predates the popularity of the term spyware. W95/MTX was a parasitic virus discovered nearly six years ago that contained a backdoor (one type of spyware that allows a remote attacker to control an infected computer remotely).

In recent years there’s been a clear distinction between the well organized spyware creators and parasitic virus authors, but that may be changing.

The group behind traffall.biz (a.k.a. the iframecash.biz gang) has begun to move into the area of parasitic virus creation, seen with the discovery of W32/Fontra.a. This is the same group who heavily exploited [Exploit-WMF] a 0-day WMF buffer overflow vulnerability [MS06-001] around the time that it was discovered. They're known for, among other things, hacking web servers to embed small encrypted script code that loads other web pages containing various exploit code (such as Exploit-ANIFile, Exploit-ByteVerify, Exploit-CodeBase, etc). Typically the exploit code results in a downloader .EXE file being run on vulnerable systems, which then installs dozens of other downloaders, spam, proxy, and password stealing trojans. It's also common for rogue anti-spyware scanners to get installed along the way, such as SpySheriff or Spyaxe (and most recently BraveSentry).

This group keeps the target moving and appears to be well funded, which could mean a rise in the number of parasitic infectors discovered over the next several months.