Archive for August, 2006

Critical 0-Day Microsoft Internet Explorer Exploit Discovered In The Wild

Last night Sunbelt blogged about a zero-day IE exploit being discovered in the wild. This attack has taken shape much the way Exploit-WMF did back in December 2005. A trojan toolkit known as WebAttacker was updated to include an exploit for a new buffer overflow vulnerability in Internet Explorer’s Vector Markup Language (VML) implementation. This toolkit is known to be sold on the underground for as little as $17 US, but just like the Exploit-WMF case, we can expect exploit source to be readily available shortly.

General advice around this kind of attack is to stay on the straight and narrow path while touring the Internet. However, WebAttacker has historically been installed on compromised web servers, and we’ve seen message board posts and blog entries that include iframes pointing to other sites running WebAttacker, so an otherwise legitimate page can deliver it. Disabling JavaScript effectively neuters the known attacks. Using an alternate web browser also thwarts this attack.

Microsoft has posted an advisory including workarounds:
http://www.microsoft.com/technet/security/advisory/925568.mspx

McAfee product coverage (including proactive 0-day protection) can be found here:
Exploit information: http://vil.nai.com/vil/Content/v_140629.htm
Vulnerability information: http://vil.nai.com/vil/Content/v_vul26881.htm

P.S. As I write this entry, Exploit-WMF remains the most reported malware blocked by our VirusScan Online products.

About a recently discovered 0-day vulnerability in Microsoft Word 2000

Yesterday McAfee Avert Labs updated the W32/Mofei.worm entry. This threat has recently been seen in the wild being dropped by Microsoft Office documents that used a 0-day exploit to compromise the victim’s computer.

To respond to some questions I received in Paris, I took a look at this sample.

The dropper is a malformed Microsoft Word document exploiting an undocumented and previously unknown vulnerability in Microsoft Word. The file I used for my tests is a Japanese three-page Word document, 79,265 bytes in size. In the Properties window we can see two five-uppercase-letter names, both starting with the letter K, as the author and company names. According to the Statistics tab it was created on September 1st.

After I opened this document (Office 2000 on a Windows 2000 machine), 2 files were silently installed in my %windir%\system32 directory:

  • clipbook.dll (30,720 bytes)
  • clipbook.exe (33,713 bytes)

A Word document (28,160 bytes) was also created in the %windir% directory. It is a “clean” copy of the malformed one.

The files in the system32 directory are an old network-share propagation worm already known as W32/Mofei.worm. It attempts to spread by copying itself to the ADMIN$ share of remote machines: it scans IP addresses and tries to gain access to the share with weak administrator usernames and passwords. It creates temp and/or log files in the system32 directory; on my system I noticed a file named clipbook.dat.

The Microsoft Word dropper is now detected as W32/Mofei.worm.dr.
The .exe and .dll files are now detected as W32/Mofei.worm with DAT-4844. With older signature files, clipbook.exe is detected as “Trojan or variant New Malware.n” (since DAT version 4677).

Protecting against EFS based attacks.

Overview

Encrypting File System (EFS) [1] has been integrated into Microsoft’s Windows platform since Windows 2000, and Windows XP Professional, Windows Server 2003 and Windows XP Media Center Edition 2005 also support it. EFS uses public key cryptography: each file is encrypted with a random symmetric File Encryption Key (FEK), the FEK is encrypted with the user’s public key and stored with the file, and the matching private key is protected by keys derived from the user’s logon password. Encrypting files or folders on a supported operating system is a trivial task and can be done in many ways. For example, as shown in the image below, calc.exe can be encrypted just by clicking on “Advanced” in its Properties dialog and then checking “Encrypt contents to secure data”.

Encrypting Calc.exe

Programmatically this can be achieved by calling the APIs that support file encryption, such as CreateFile with the FILE_ATTRIBUTE_ENCRYPTED flag or the EncryptFile function. Microsoft’s command-line utility Cipher.exe can also encrypt directories and their contents. The result is that only the authorized user (and any configured recovery agent) can read these files. Many businesses and home users rely on it to protect confidential data from hackers, uploader trojans, or somebody gaining physical access to the machine.

Concerns

Recently a trojan was seen taking advantage of EFS to protect itself and execute with administrative privileges. This malware is composed of carefully crafted, obfuscated DLL and PE files. It has two main components: a dialer detected as Qdial-45, and a downloader/dropper detected as Spy-Agent.bf that drops the dialer along with an EFS-encrypted downloader file. McAfee has been detecting variants of this trojan since August 02, 2006; however, we have observed an upsurge in infection rates in the last few weeks.

The trojan creates an administrator account with a random name and random password. Using these credentials it encrypts the downloader component that it drops, so that no other account on the machine can read the file. It then creates a service with a random name that points to the encrypted file and is configured to log on as the newly created account; the service can be started at will. Run under those credentials, the encrypted file downloads updated variants of Spy-Agent.bf. Some variants of this trojan also drop a Browser Helper Object, a DLL stored in an alternate data stream; the DLL is obfuscated as well and tries to download updated copies of the Spy-Agent.bf trojan.

It has been observed to contact the following IPs and domains for updates and DNS queries.

  • shiptrop.com
  • 195.225.176.85
  • 195.225.177.22
  • esthost.com
  • wscooler.com

The downloader component disguises its downloads from network sniffers: from its download servers it fetches a packed file with a “gif” header, decrypts this fake GIF in memory, writes a randomly named executable into “C:\Documents and Settings\%LocalUser%\My Documents” and launches it. The trojans appear to originate from the domains “Gromozon.com”, “xearl.com” and “micotad.com”, most of which resolve to IP addresses in the ranges 195.225.176.* to 195.225.177.*. It is advisable not to visit these web sites, as they may still contain various browser exploits. We have always seen a tendency toward copycat malware, and more malware may adopt similar self-preservation techniques using EFS, so it is useful to understand what proactive steps can be taken to prevent such an attack.
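The persistence pattern just described (a service whose binary is EFS-encrypted and which logs on as a freshly created local account) is easy to hunt for on a suspect machine. The script below is an added example, not McAfee’s code or anything shipped with VirusScan: it parses the CSV output of the real `wmic service get Name,PathName,StartName /format:csv` command, strips the quoting and arguments from each service command line, and flags services that run as a non-built-in account and whose binary carries the Encrypted attribute. The WMIC output, service names and attribute values embedded in it are constructed for illustration; on a live Windows host the `__main__` block runs WMIC and `os.stat` for real.

```python
"""Hunt for services whose binary is EFS-encrypted and that run as a local
user account. Added example, not McAfee's code; the WMIC output, service
names and attribute values below are constructed for illustration."""
import csv
import io
import os
import platform
import subprocess
import sys

FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # from winnt.h

# Accounts a service normally logs on as; anything else deserves a look.
BUILTIN_ACCOUNTS = {
    "", "localsystem",
    "nt authority\\localservice", "nt authority\\networkservice",
}

# Constructed sample of `wmic service get Name,PathName,StartName /format:csv`
# output. WMIC emits a blank first line and a Node column and does not quote.
SAMPLE_WMIC_CSV = """
Node,Name,PathName,StartName
HOST1,Spooler,C:\\WINDOWS\\system32\\spoolsv.exe,LocalSystem
HOST1,Dnscache,C:\\WINDOWS\\system32\\svchost.exe -k NetworkService,NT AUTHORITY\\NetworkService
HOST1,xhlbqoza,"C:\\WINDOWS\\system32\\xhlbqoza.exe",.\\zqpwtoru
HOST1,Backup,"C:\\Program Files\\Acme Backup\\agent.exe" /svc,.\\backupsvc
"""

# Constructed attribute bitmasks standing in for os.stat(...).st_file_attributes.
SAMPLE_ATTRIBUTES = {
    r"C:\WINDOWS\system32\spoolsv.exe": 0x20,
    r"C:\WINDOWS\system32\svchost.exe": 0x20,
    r"C:\WINDOWS\system32\xhlbqoza.exe": 0x20 | FILE_ATTRIBUTE_ENCRYPTED,
    r"C:\Program Files\Acme Backup\agent.exe": 0x20,
}


def parse_wmic_csv(text):
    """Return one dict per service from WMIC's (unquoted) CSV output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines)),
                               quoting=csv.QUOTE_NONE))


def exe_path(pathname):
    """Strip surrounding quotes and trailing arguments from a service command line."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    return pathname.split(" ", 1)[0]


def find_efs_services(csv_text, get_attributes):
    """Services running as a non-built-in account whose binary has the
    Encrypted attribute. get_attributes(path) must return the attribute bitmask."""
    hits = []
    for svc in parse_wmic_csv(csv_text):
        if svc["StartName"].strip().lower() in BUILTIN_ACCOUNTS:
            continue
        path = exe_path(svc["PathName"])
        try:
            attrs = get_attributes(path)
        except OSError:
            continue  # binary missing or unreadable: not this pattern
        if attrs & FILE_ATTRIBUTE_ENCRYPTED:
            hits.append((svc["Name"], path, svc["StartName"]))
    return hits


def live_attributes(path):
    """Real lookup; st_file_attributes only exists on Windows."""
    return os.stat(path).st_file_attributes


if __name__ == "__main__":
    if platform.system() != "Windows":
        sys.exit("run this on the Windows host under investigation")
    out = subprocess.run(
        ["wmic", "service", "get", "Name,PathName,StartName", "/format:csv"],
        capture_output=True, text=True, check=True).stdout
    for name, path, account in find_efs_services(out, live_attributes):
        print(f"suspicious: service {name!r} runs {path} as {account}")
```

The attribute check is deliberately the last filter: a service logging on as an unfamiliar local account is already unusual, and an encrypted binary on top of that is the signature of this trojan. Legitimate software that runs a service under a dedicated account (the constructed “Backup” entry) passes because its binary is not encrypted.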

Prevention

1. As a best practice, disable downloading of unsigned ActiveX controls in the browser, and keep Windows and McAfee products updated with the latest patches and signatures.

2. VirusScan Access Protection rules.

  • Block access to Cipher.exe so that it cannot be used to encrypt arbitrary files and folders.
  • Prevent creation of NTFS alternate data streams in the Windows directory and its subdirectories by adding the following file-creation rule:
    • “%windir%\**:*”

3. If EFS is not needed it can be disabled by following registry modifications.

  • Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
  • On the right pane, right click to select New, and then click DWORD Value.
  • Enter EfsConfiguration for the value name and 1 for the value data to disable EFS.
  • Restart the system.
  • Any attempt to encrypt the file at this stage will result in the following message. “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”

4. EFS can also be disabled by adding a desktop.ini file, with the following lines, in the folder that needs to be protected from adding encrypted files.

[Encryption]
Disable=1

5. Programmatically, EFS can also be disabled for a directory with the EncryptionDisable(DirPath, TRUE) API [2]; calling it with FALSE re-enables encryption for that directory.
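Steps 3 to 5 above can be scripted and, more importantly, verified, since a lockdown that was never checked is no lockdown. The block below is an added example rather than anything from McAfee or Microsoft: it writes the EfsConfiguration value named in step 3, the desktop.ini from step 4, and calls EncryptionDisable from step 5, then asks Windows through FileEncryptionStatusW whether a probe file may still be encrypted. The registry path and value come from the steps above; the FileEncryptionStatus return codes are the constants from winbase.h. The Windows-only calls are kept inside functions so the pure helpers run anywhere.

```python
"""Apply and verify the EFS lockdowns from steps 3 to 5. Added example, not
McAfee's or Microsoft's code. Registry path/value are from the steps above;
status codes are the winbase.h constants."""
import ctypes
import os
import platform

EFS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"
EFS_VALUE = "EfsConfiguration"
EFS_DISABLED = 1

# Return codes of FileEncryptionStatusW (winbase.h).
FILE_ENCRYPTABLE = 0
FILE_IS_ENCRYPTED = 1
FILE_USER_DISALLOWED = 7
FILE_DIR_DISALLOWED = 9
STATUS_TEXT = {
    FILE_ENCRYPTABLE: "encryptable",
    FILE_IS_ENCRYPTED: "already encrypted",
    FILE_USER_DISALLOWED: "EFS disabled for this user or machine",
    FILE_DIR_DISALLOWED: "EFS disabled for this directory",
}


def desktop_ini_text():
    """Contents of the desktop.ini that blocks encryption in a folder (step 4)."""
    return "[Encryption]\r\nDisable=1\r\n"


def disable_efs_for_folder(folder):
    """Step 4: drop desktop.ini into the folder. Only has an effect on NTFS."""
    path = os.path.join(folder, "desktop.ini")
    with open(path, "w", newline="") as fh:
        fh.write(desktop_ini_text())
    return path


def disable_efs_machine_wide():
    """Step 3: HKLM\\...\\EFS\\EfsConfiguration = 1; needs admin and a reboot."""
    import winreg  # Windows-only module, so imported lazily
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, EFS_KEY) as key:
        winreg.SetValueEx(key, EFS_VALUE, 0, winreg.REG_DWORD, EFS_DISABLED)


def disable_efs_via_api(folder):
    """Step 5: EncryptionDisable(DirPath, TRUE) from advapi32."""
    if not ctypes.windll.advapi32.EncryptionDisable(folder, True):
        raise ctypes.WinError()


def encryption_status(path):
    """Ask Windows whether `path` may be encrypted; returns a winbase.h code."""
    status = ctypes.c_ulong()
    if not ctypes.windll.advapi32.FileEncryptionStatusW(path, ctypes.byref(status)):
        raise ctypes.WinError()
    return status.value


def describe_status(code):
    return STATUS_TEXT.get(code, f"other ({code})")


def efs_blocked(code):
    """True when Windows refuses to encrypt the queried path."""
    return code in (FILE_USER_DISALLOWED, FILE_DIR_DISALLOWED)


if __name__ == "__main__":
    import sys
    if platform.system() != "Windows":
        sys.exit("the registry and advapi32 steps only run on Windows")
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    disable_efs_for_folder(target)       # step 4
    disable_efs_via_api(target)          # step 5 (same effect, via the API)
    probe = os.path.join(target, "probe.txt")
    open(probe, "w").close()
    code = encryption_status(probe)
    print(probe, "->", describe_status(code), "| blocked:", efs_blocked(code))
```

Run it against the folder you want protected; the machine-wide registry change in `disable_efs_machine_wide()` is left out of the default run because it needs administrator rights and a restart, and because the folder-level controls are enough to break this trojan’s trick without taking EFS away from users who legitimately rely on it.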

References

[1] Encrypting File Systems in Windows XP and Windows Server 2003

[2] Disabling EFS for a Specific Folder

Microsoft Word Document Spam

McAfee Avert Labs has recently seen spammers start to use Microsoft Word documents and HTML attachments to deliver their advertising payload. By moving the advertising content, most importantly the URL link, into an attached document rather than the body of the email message, spammers are able to evade some of the Anti-Spam vendors’ content filtering techniques. This is because most vendors don’t scan content inside attachments because this has previously not been necessary.

Microsoft Word is a convenient format because it supports clickable links and most recipients will have Word installed or would be able to open the document with another compatible word processor. This is the format chosen recently by a spammer, Leo Kuvayev / BadCow, who is plugging pharmaceuticals using web sites hosted in China. This spammer sends out what appears to be an invoice/bill:

Document Spam

When recipients click on the attachment, they get the spam payload, which advertises the spammer’s pharmaceutical site:

Document Spam

We saw the first samples of this in our traps around the 22nd August, and we are still seeing them today. As expected, the spammer is varying the attachment file name, email body text and subject in nearly every batch of the messages sent, for example:

Subject: Billing Update, Bill #90023
Forward original invoice with attached invoice transmittal sheet to the contracting officer.
DATED MATERIAL,INVOICE ATTACHED

Subject: Your receipt for Invoice #25826
Credit memo attached to deleted payment receipt cannot be applied to different invoice.
Software order has a Related invoice attached with prepayment information.

Subject: Confirm amount of charges for Claim #59703
“Invoice” hence shall mean the invoice attached to this Agreement.
You MUST show and review the UCAR Invoice Number.

Subject: Filed under your account via Statement #67345
This is to acknowledge receipt of your letter (with attached invoice) of August 2006.
Potential fraud alert, please review invoice to prevent further action on your account.

The attachments for these samples have filenames similar to Bill90023.doc, Invoice25826.doc, Claim59703.doc and Statement67345.doc, but the attachment content itself does not change, so simple checksums are effective for now.
We may see this technique adopted by other spammers, and it may also spread to other popular formats such as PDF. While there are plenty of other characteristics of this spam that can be used to block it, it is yet another incremental step by spammers to make detection harder. To keep up with this, anti-spam vendors may need to add attachment scanning to their solutions, which would require additional processing power on customers’ email servers. In addition, the attachments mean spam is getting bigger. The messages in the current campaign are only 35 KB in size, but Word documents are well known for growing very quickly in size. A rise in document spam would mean recipients’ mailboxes and servers clog up faster, worsening the burden that spam puts on us all.
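The checksum idea and the “other characteristics” mentioned above combine naturally into a small scoring filter. What follows is an added example, not McAfee’s anti-spam code: it parses a raw message with Python’s standard `email` package, hashes each attachment against a known-bad list, matches the invoice-style subject and attachment-name patterns seen in this campaign, and looks for a URL inside any .doc attachment (the link the spammer moved out of the body is still stored as plain text inside the binary). The message, the attachment bytes and the known-bad hash are all constructed for the demonstration; a real .doc is an OLE2 file, which the example does not parse beyond searching for a URL string.

```python
"""Score a message for the document-spam pattern described above. Added
example, not McAfee's anti-spam code; message, attachment bytes and the
known-bad hash list are constructed for illustration."""
import email
import hashlib
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SUBJECT_RE = re.compile(r"\b(Bill|Invoice|Claim|Statement)\s*#\s*\d{4,6}\b", re.I)
NAME_RE = re.compile(r"^(Bill|Invoice|Claim|Statement)\d{4,6}\.doc$", re.I)
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?", re.I)

# Constructed stand-in for a .doc carrying a clickable link: OLE2 magic,
# padding, the URL as plain text. Not a real Word file.
FAKE_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + b"http://pharma.example/order" + b"\x00" * 32

# Constructed known-bad list keyed by SHA-256 of the attachment bytes.
KNOWN_BAD = {hashlib.sha256(FAKE_DOC).hexdigest()}


def build_sample():
    """Construct a message in the shape of the campaign's samples."""
    msg = MIMEMultipart()
    msg["Subject"] = "Your receipt for Invoice #25826"
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.org"
    msg.attach(MIMEText("Software order has a Related invoice attached.", "plain"))
    part = MIMEApplication(FAKE_DOC, _subtype="msword")
    part.add_header("Content-Disposition", "attachment", filename="Invoice25826.doc")
    msg.attach(part)
    return msg.as_bytes()


def attachments(raw):
    """Yield (filename, bytes) for every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_filename() or "", part.get_payload(decode=True) or b""


def score(raw, known_bad=KNOWN_BAD):
    """Return (points, reasons). Each independent signal adds one point, so
    the spammer has to change several things at once to slip under a threshold."""
    reasons = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        reasons.append("invoice-style subject")
    for name, data in attachments(raw):
        if NAME_RE.match(name):
            reasons.append(f"invoice-style attachment name {name}")
        if hashlib.sha256(data).hexdigest() in known_bad:
            reasons.append("attachment hash on known-bad list")
        if name.lower().endswith(".doc") and URL_RE.search(data):
            reasons.append("URL embedded in .doc attachment")
    return len(reasons), reasons


if __name__ == "__main__":
    points, why = score(build_sample())
    print(points, "points:", "; ".join(why))
```

The hash match is the cheap, exact signal while the attachment stays constant; the name and subject patterns and the embedded-URL check are what keep catching the campaign once the spammer starts re-saving the document with each batch.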

Nightmares of Data Retention on Cell Phones

McAfee Avert Labs has been getting a lot of questions about the dangers of data-retention on cell phones. There’s an article covering the concept here.

Here’s our take on the situation: modern cell phones (“smartphones”) are miniature, portable computers, and they will bring along all the same problems as the technology matures: viruses, spam, phishing (or “smishing”, phishing over SMS), and people stealing data from lost, stolen, recycled or resold devices.

“But I deleted those messages?!?! How can someone get it back?!?”
I think this is best explained by an analogy: think of your device’s (phone, computer, etc.) data as a textbook, with a table of contents in the front and informational pages towards the back. You write a document and you add pages to the book. When asked for a document, the computer looks in the table of contents to find out which page to read.

Makes sense so far, but when you remove a file, the computer doesn’t erase the pages in the back; it removes the entry from the table of contents, so that it no longer knows or cares where the information is. “Why?!?” you may ask... well, in a nutshell, computers are lazy (i.e., efficient) and this is the fastest way to “remove” the file from the system. Those pages may be overwritten some day, when the space is needed for something else, but until then the data stays put.

But, this introduces a problem: someone could manually search for the pages (skim the book, if you will) and then find and reconstruct the documents (until the page is recycled at least).

This is the problem that many people who have sold their cell phones are finding: those who purchased the phones have retrieved (or are at least able to retrieve) the deleted files, files that contain personal messages, email, address books and worse.

If you are going to dispose of your phone, please contact the manufacturer or your carrier and ask them how to do a “low level” or “zero level” wipe. This is analogous to going through the book with an eraser and scrubbing out each and every letter so that the pages are blank. This makes it quite difficult for the data to ever be retrieved.

This is, of course, exactly what you should do with your computer’s hard drive if you dispose of it.
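To make the textbook analogy concrete, here is an added example (not part of the original post, and not a model of any real phone or filesystem): a toy “disk” with a table of contents. Deleting an entry only forgets where the pages are, a carver that ignores the table of contents and scans the raw pages finds the message anyway, and only the low-level wipe makes it unrecoverable. The SMS text and filenames are constructed.

```python
"""Toy disk with a table of contents, to show why 'deleted' data survives
and what a low-level wipe does. Added illustration, not a real filesystem."""

PAGE = 64  # bytes per "page" of the book


class ToyDisk:
    def __init__(self, pages=16):
        self.raw = bytearray(PAGE * pages)   # the informational pages
        self.toc = {}                        # name -> (first page, length)
        self.next_page = 0                   # next never-used page

    def write(self, name, data):
        needed = -(-len(data) // PAGE)       # ceiling division
        first = self.next_page
        if (first + needed) * PAGE > len(self.raw):
            raise OSError("disk full")
        self.raw[first * PAGE:first * PAGE + len(data)] = data
        self.toc[name] = (first, len(data))
        self.next_page += needed

    def read(self, name):
        first, length = self.toc[name]
        return bytes(self.raw[first * PAGE:first * PAGE + length])

    def delete(self, name):
        """A normal delete: drop the table-of-contents entry, touch nothing
        else. A real filesystem would hand the pages to a later file some
        day; until then the bytes are still there."""
        del self.toc[name]

    def carve(self, marker):
        """What a recovery tool does: ignore the TOC and scan every page for
        a recognisable marker, returning each offset it appears at."""
        hits, start = [], 0
        while (pos := self.raw.find(marker, start)) != -1:
            hits.append(pos)
            start = pos + 1
        return hits

    def low_level_wipe(self):
        """Overwrite every page, allocated or not, with zeros."""
        self.raw[:] = b"\x00" * len(self.raw)
        self.toc.clear()
        self.next_page = 0


def demo():
    """Delete a message, carve it back, wipe, carve again."""
    disk = ToyDisk()
    disk.write("sms_0001.txt", b"BEGIN:SMS meet me at 9, bring the documents END:SMS")
    disk.delete("sms_0001.txt")
    recovered = [bytes(disk.raw[p:p + PAGE]) for p in disk.carve(b"BEGIN:SMS")]
    disk.low_level_wipe()
    after_wipe = disk.carve(b"BEGIN:SMS")
    return recovered, after_wipe


if __name__ == "__main__":
    recovered, after_wipe = demo()
    print("after delete, carver found:", recovered)
    print("after wipe, carver found:", after_wipe)
```

The carver only needs a marker to look for; real recovery tools use file-format signatures the same way, which is why a factory reset that merely clears the table of contents is not enough before a phone changes hands.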

I can’t say it enough: your smartphone is a computer; you need to treat it as such and exercise the same level of caution you would give to your traditional PC.

Malware targets Windows File Protection

Malware authors are continuously innovating with new techniques to render a Windows box defenseless. Given the massive install base of Microsoft Windows, exploiting any new vulnerability, or subverting a built-in security feature of Windows, is stunningly effective and proves very productive for cyber criminals.

Early trojans, upon infecting a system, modified the Windows registry to block the Registry Editor, Task Manager, command prompt and similar tools from being launched. This prevented educated users from manually killing the trojan and/or removing its associated registry entries.

Windows Update was the next target: the HOSTS file was often modified so that an infected machine could not fetch the latest Windows updates from the Microsoft site. Without the latest security updates the machine becomes a sitting duck on the internet for worms and other malware.

System Restore, introduced with Windows Me, lets users return a computer to a previous state without losing data. It automatically creates easily identifiable restore points that allow the system to be rolled back in case of a crash or virus infection. Most virus families today turn System Restore off, which deletes every existing restore point. So much for restoring a computer to a previous state!

The firewall built into Windows XP and later is a nice feature for shielding the machine on the internet. Virus authors were quick to come up with a solution: either disable the firewall service on infection, or add an exception to the firewall rules to allow the malware through. The more popular technique nowadays is for malware to inject itself into trusted processes like Internet Explorer, thus bypassing desktop firewall restrictions.

The latest built-in Windows security feature to be targeted is Windows File Protection (WFP), which protects core system files from being overwritten by third-party application installations: if a protected file is overwritten, WFP restores the correct version automatically. Malware now often patches SFC.DLL and SFC_OS.DLL, the libraries responsible for the integrity checking, to disable it. Once they are patched, core system files can be replaced without any alert, creating a hospitable environment for worms and other malware.

In the past two weeks, McAfee Avert Labs has already seen PWS-Satiloler and W32/Sdbot.worm families that modify SFC.DLL and SFC_OS.DLL to disable Windows File Protection. This functionality will most likely be incorporated into more malware families in the coming weeks, and we’re bound to see a rise in such cases.
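Two of the tricks above leave checkable traces: a HOSTS file that maps Windows Update hostnames anywhere at all, and SFC.DLL or SFC_OS.DLL whose hash no longer matches what a clean build had. The script below is an added example, not McAfee’s code or a Microsoft tool: it parses HOSTS text for watched names (comments and blank lines handled), hashes the two WFP libraries, and diffs them against a baseline you recorded earlier with the same script. The HOSTS contents and the baseline digests in the test are constructed; the watched-hostname list is an assumption you should extend with whatever your own update and AV infrastructure resolves.

```python
"""Checks for two self-defence tricks: HOSTS hijacks of Windows Update and
modified WFP libraries. Added example, not McAfee's code; the sample HOSTS
text is constructed and the watched-name list is an assumption."""
import hashlib
import json
import os
import platform
import sys

UPDATE_HOSTS = {
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "download.windowsupdate.com",
}
WFP_LIBRARIES = ("sfc.dll", "sfc_os.dll")

# Constructed HOSTS file as a trojan might leave it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com   # added by malware
0.0.0.0         www.mcafee.com
"""


def hosts_hijacks(text, watched=UPDATE_HOSTS):
    """(ip, hostname) for every watched name that HOSTS maps to anything:
    a legitimate HOSTS file never needs an entry for these names."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched:
                hits.append((ip, name.lower()))
    return hits


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_libraries(system32, names=WFP_LIBRARIES):
    """Current digests of the WFP libraries that exist in system32."""
    return {n: sha256_file(os.path.join(system32, n))
            for n in names if os.path.exists(os.path.join(system32, n))}


def diff_baseline(baseline, current):
    """Names whose digest changed, or that vanished, since the baseline."""
    return sorted(name for name, digest in baseline.items()
                  if current.get(name) != digest)


if __name__ == "__main__":
    print("HOSTS hijacks in constructed sample:", hosts_hijacks(SAMPLE_HOSTS))
    if platform.system() != "Windows":
        sys.exit("live checks need a Windows host")
    system32 = os.path.join(os.environ["SystemRoot"], "system32")
    with open(os.path.join(system32, "drivers", "etc", "hosts"),
              encoding="utf-8", errors="replace") as fh:
        print("HOSTS hijacks on this host:", hosts_hijacks(fh.read()))
    current = hash_libraries(system32)
    # `record baseline.json` on a clean build, `check baseline.json` later.
    if len(sys.argv) == 3 and sys.argv[1] == "record":
        with open(sys.argv[2], "w") as fh:
            json.dump(current, fh, indent=2)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2]) as fh:
            print("changed WFP libraries:", diff_baseline(json.load(fh), current))
```

Record the baseline from a freshly patched machine, and refresh it after every service pack or hotfix that touches these libraries, or every legitimate update will look like an infection.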

Phone-y Money

For-profit malware has been increasing on the PC side for quite a few years now: viruses that hold your files hostage, trojans that steal banking information, and adware that floods your computer with popup ads. Malware writers have shifted their goals from gaining notoriety or personal satisfaction from the spread of their creations to the goal of filling their wallets.

Recently, though, McAfee Avert Labs has begun to see a similar trend in mobile malware. Most of the mobile malware that we’ve run across has been relatively harmless trojan horses: a few files are replaced, or the phone fails to start when rebooted. A hard reset to clear the phone memory and you’re back to normal, minus your stored phone numbers and calendar information. You might have lost any time spent adding new software or saved documents, but at least none of your private information has been stolen. J2ME/Redbrowser changed the entire situation.

Redbrowser tells the user that it’s a mobile web browser that works over SMS. Instead of browsing to the address that the user wants, Redbrowser actually sends SMS messages to a Premium Rate number. On certain phones, the Java runtime will prevent Redbrowser from sending SMS messages without your permission. Redbrowser’s creator has gone to some length to social engineer you into saying yes when it asks to send the SMSes.

Stealing money in real life ranges from corporate embezzling to the common mugging. Whereas Redbrowser falls somewhere in between the two, J2ME/Wesber is closer to a mugging.

Like Redbrowser, Wesber also sends SMS messages to a premium-rate number. It just doesn’t do it with as much style. Wesber has no user interface, so if the Java runtime doesn’t give a warning you would have no idea that you’ve just been charged roughly $15.

Wesber is found in a file named “pomoshnik.jar”. Pomoshnik is Russian and translates to “assistant”. It certainly assists its author in getting your money.

With the recent SMiShing incidents, the rise in for-profit mobile malware is definitely troubling.

W32/Bacalid - a new polymorphic virus spreading in the wild

For about a week McAfee Avert Labs has received, from various sources, samples of a new polymorphic parasitic file infector that infects EXE and DLL files. This newcomer has stealth capabilities and attempts to download some variants of the PWS-Lineage trojan from compromised websites.

As it does not execute its payload when the system’s current ANSI code page identifier is 936 (ANSI/OEM Simplified Chinese; PRC, Singapore), this malware probably comes from Southern or Southeastern Asia.

This virus is named W32/Bacalid. The size of infected files increases by approximately 35 KB. When a sample is run, it looks for an event named WINXPGOD; if the event does not exist on the system, the virus creates and executes a DLL file named “VCab.dll”, saved in a temp folder, and injects it into a randomly chosen running process to stay resident.
During my investigation, I noted four different VCAB.DLL files with four different sizes:

  • 32,256 bytes and 32,792 bytes when they are packed
  • 44,032 bytes and 44,544 bytes if not packed

These files are detected as W32/Bacalib!vcab

The downloaded files have a .wos extension; they are encrypted and get decrypted by the virus.

This threat is interesting because, in a period when we mostly encounter non-self-replicating programs, the appearance of a complex new virus causes a stir. As it is an appender, and because it erases the DOS stub of any infected host file, detection is not a real problem. For cleaning to succeed, however, the virus body must be decrypted.

Three levels of decryption must be processed, and enhanced anti-emulator code is inserted to prevent easy recovery of the original virus code. The polymorphic sequences, with variable constants and randomly chosen assembler instructions, are particularly sophisticated. For now we detect two variants; they are very similar and differ only in their first-layer encryption.
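The two infection markers mentioned above, an erased DOS stub and a roughly 35 KB size increase, are enough for a quick triage heuristic. The following is an added example, not McAfee’s detection: it reads the MZ header, locates the PE signature through e_lfanew, and reports a file whose stub no longer contains the linker’s “This program cannot be run in DOS mode” text; a second helper compares a file’s size against a recorded one. The two PE headers it tests against are constructed by hand (not loadable executables), and the growth threshold is the figure from this post. Some legitimate packers also strip the stub, so treat a hit as a reason to look closer, not a verdict.

```python
"""Flag PE files whose DOS stub was wiped and files that grew by about the
amount Bacalid appends. Added example, not McAfee's detection; the sample
PE headers below are constructed and the threshold is taken from the post."""
import struct

STUB_TEXT = b"This program cannot be run in DOS mode"
BACALID_GROWTH = 35 * 1024  # approximate appended size reported above


def dos_stub(data):
    """Bytes between the DOS header and the PE signature, or None if `data`
    does not start like a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return bytes(data[0x40:e_lfanew])


def stub_erased(data):
    """True for a PE whose stub lacks the standard DOS message (e.g. zeroed)."""
    stub = dos_stub(data)
    return stub is not None and STUB_TEXT not in stub


def grew_like_bacalid(old_size, new_size, slack=4096):
    """Size delta within `slack` bytes of the reported ~35 KB growth."""
    return abs((new_size - old_size) - BACALID_GROWTH) <= slack


def scan(paths):
    """Paths whose first 4 KB shows an erased stub (stubs live well inside
    that window; files with a larger e_lfanew are reported as non-PE)."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if stub_erased(head):
            hits.append(path)
    return hits


def make_pe(stub):
    """Constructed minimal PE: MZ header, stub, 'PE\\0\\0' signature, padding."""
    e_lfanew = 0x40 + len(stub)
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + stub + b"PE\0\0" + b"\0" * 20


# Linker-style stub: a few real-mode bytes, the message, then '$'.
CLEAN_PE = make_pe(b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                   + STUB_TEXT + b".\r\r\n$")
WIPED_PE = make_pe(b"\x00" * 64)

if __name__ == "__main__":
    import sys
    for name, blob in (("clean sample", CLEAN_PE), ("wiped sample", WIPED_PE)):
        print(name, "stub erased:", stub_erased(blob))
    if len(sys.argv) > 1:
        print("erased stubs:", scan(sys.argv[1:]))
```

Pass a list of .exe and .dll paths on the command line to triage a directory; pair the stub check with the size comparison against a known-good inventory and the two together give far fewer false positives than either alone.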

Today, computer users must be vigilant. One link hosting the PWS-Lineage is still alive and we continue to receive samples from the wild. Avert Labs has had our teams working at full speed to create a specific removal tool for this threat (stinger utility). For updated removal instructions, a copy of this tool and further information on this threat, please go to W32/Bacalid.

Lessons from the alleged Schwarzenegger hack

There's been some discussion today of a possible hack of Governor Arnold Schwarzenegger's computer which resulted in a leak of tapes containing private conversations with his staff. This points to issues we've touched on in past blogs: basically, data retention is an increasingly important reason for you to be concerned with the security of all your machines. This includes phones, printers, PDAs, laptops... anything where you keep information you wouldn't want posted on the internet, anything you wouldn't want to have to explain to your boss or your grandparents.

One part of protecting your data is maintaining the security of your machine: Make sure your machine is up to date with all the latest security patches for your OS and applications, make sure you have a firewall and an up-to-date antivirus program, and so on. If your machine is one which requires extra security due to having more sensitive data or because you or your company is higher-profile and more likely to be attacked, you need to be sure to take extra measures like using vulnerability assessment tools and/or intrusion prevention systems.

The other part of protecting your data is being aware of the recording of information that is inherent in typing things into your machine, whether it be things you type into your browser or say in an IM conversation or even recorded conversations. There are plenty of viruses which have been blamed for leaking documents on sensitive machines, this is not a new phenomenon. Hacking too, is nothing new. But as people conduct more of their lives through their computers, it becomes so ubiquitous that people cease to consider the implications of the medium.

Here are a few questions you can ask yourself to determine whether this is information you want to be typing:

  1. Is this information going out securely?
  2. Do I trust the security of the end-point?
  3. Is this something that really needs to be said at all?

If this is, for instance, personally identifying information:
Have you verified that this is a secure site? (Looking for the lock in your browser window, for example)
Have you verified that the site is what it says it is? (Logging in directly through your bank's main page, not following a link in email)
Do you really need to be giving out this information at all? (Verifying the reason this person or site is asking)

If this is something more seemingly innocuous like a conversation in IM, the last question becomes especially important. Typing something inflammatory in a chat window is a bit like passing notes in class - the information could be intercepted en route, it could be outright stolen, so the best tactic is just never to write the information down at all unless you want it shared. Then there's the issue of things like online journals or blogs - people so often post incredibly intimate details of their lives since the internet seems like such an incredible source of anonymity, but if word gets back to their employers, there can often be serious consequences.

This is not to say that people should never have private conversations over the internet, as it is a potentially incredible resource for connecting with other people or expressing yourself. The important thing to take away from this is to be conscious of your actions and interactions, as things written down (especially on electronic devices!) have a way of being rather more indelible.

Unraveling the Financial Web

While the definition of malicious software seems clear, that of Potentially Unwanted Programs (PUPs) is less so.

The first come under the generic title of malware. They are used to steal or destroy information. Even when distributed via games, they can damage the computer system and often remain resident without authorization. Malware is mainly created to cause harm to the target computer, and its authors expect to gain notoriety or, more and more often, illicit income. PUPs, on the other hand, are usually made by legitimate corporate entities for specific beneficial purposes (to whom they are beneficial is debatable).

Adware programs belong to this category. They install themselves on the user’s machine, collect marketing data and distribute targeted advertising intended to generate income. Their legitimacy becomes debatable when they alter the security state of the computer on which they are installed, or the privacy posture of the user using it.

Between 2000 and 2002 there were only about forty or so adware families. Their number rose sharply in the next years. It increased by more than 1000% in three and a half years. In August 2006 there were more than 450 adware families with more than 4000 variants.

I just finished a white paper describing the main participants in the on-line marketing domain. This document explains the concept of affiliators and affiliates and the recognition techniques used to set up the payment systems. It analyzes the amounts affiliates can expect to be paid depending on whether they use “soft” or aggressive methods. The former use conventional techniques (pay-per-display, per-click or per-profile) and can expect a payment of $25 for every 1000 positive occurrences produced. On the same basis, an adware pay-per-install arrangement may bring in up to $150 for 1000 computers.

Following the money, this white paper demonstrates why many low-level delinquents do not hesitate to distribute these programs on a large scale using reprehensible methods.

Now, some “cyber-delinquents” quickly and secretly install thousands of programs each day on target computers without the knowledge of their owners. They are thus able to pocket some tens of thousands of dollars each month. The complete study is available here:

Adware and Spyware: Unraveling the Financial Web