Archive for October, 2006

MMORPG-Gold-Farming and Password-Stealers

The Price For Gold On The EURO Realm Dropped again

No, it’s not the same gold that we have known for thousands of years; it’s virtual gold which MMORPG gamers compete to obtain in order to increase their wealth and power. Surprisingly, some people (aka “gold farmers”) have managed to find a way to convert this virtual gold into real money. It’s estimated that more than 100,000 young people in China alone make a living through “gold farming”.

Given all this, it is no wonder that we have been seeing so many password-stealers specialized in harvesting the credentials of MMORPG gamers. This trend started at least three years ago with Trojans like PWS-LegMir, and others followed, such as PWS-Lineage and PWS-WoW. The worrying thing is the number of variants we come across every day and the variety of techniques malware writers have been using: from keyloggers and rootkits to network sniffers, and most recently a file infector, W32/HLLP.Philis.

People within the MMORPG communities have issued several calls to the providers of these games to make “gold farming” harder. Genuine players don’t want to see other people hanging around and ruining their games. Likewise, we here at Avert Labs issue a similar call to the same vendors: make it useless for malware writers to write password-stealers for these games. These Trojans and viruses are written for profit, so let’s try to remove the reason they are written.

Be careful when visiting the Zone-h web site!!!

Many people know http://zone-h.org/ as a web site that monitors defacements. This morning, I visited the site to search for some defaced French government web sites. Indeed, attacks against French sites have been increasing since this country passed a bill making it a crime to deny that the Ottoman Turkish empire committed genocide against Armenians in 1915.

Browsing the site, I was surprised to be targeted by a Trojan when I visited some mirrored pages. I am sure that many people, correctly protected or not, do not imagine that they could catch malware from this site.

I just contacted the site founder and co-founder to alert them (see their response below). I would have hoped that they would be able to modify their mirroring techniques, but at a minimum it would seem necessary to alert people before they open an infected mirrored web page.

Response from zone-h.org:

— QUOTE —

Hello,

unfortunately there is nothing we can do as some defacers are linking, from the defaced webpage, some external pages against which our internal server antivirus cannot perform any sanitation.

Best regards

Roberto Preatoni

— UNQUOTE —

Make sure your security technologies are up to date if you are going to browse their site!!!!!!

Bots and botting…. A Lost Cause?

There’s been discussion lately about whether we’ve already lost the war against malicious bots. Certainly things are looking fairly grim, as the number of IRC bot variants has grown by leaps and bounds over the last couple of years. Strictly using string-based detection against the unending tide certainly appears to be a lost cause.

On the other hand, there are some more promising developments in recent years:

  • Most AV vendors at this point have gone to using some sort of generic detection or behavior-based heuristics against the most popular bot families, which can proactively detect a certain proportion of new bots
  • Firewalls and IDS/IPS products are becoming more widely used, even by home users
  • Many corporations are blocking IRC traffic
  • ISPs are increasingly involved with security groups that have developed to shut down Command & Control channels used by bots

From my perspective, I see a few things being particularly important in solving the bot problem:

  • Further cooperation of security companies and ISPs in order to get more C&Cs shut down
  • Further cooperation of security companies, ISPs and Law Enforcement agencies in order to ensure more bot masters face legal action
  • ISPs offering more security services than simply AV software (e.g. traffic filtering)
  • More security information being available to novice users (i.e. http://pbskids.org/license/)
  • More accountability for adware vendors who fund these malicious affiliates
  • A paradigm shift, particularly in the home user area, to a security strategy of strategically allowing known-good traffic rather than strategically blocking known-bad traffic

What are your thoughts on the general state of things?

Have the Bot Wars been lost? What more could be done to ensure that Bot Masters don’t make the internet completely unusable?

Spam-DComServ: No honor among thieves!!

Malware authors targeting rival malware is always an irony of sorts. The school of thought is that while a thief may lie, cheat and steal from everyone else in God’s creation, they would respect other thieves because they see each other as kin. Remember professional courtesy!! Sharks do not eat lawyers ;-). Malicious hackers battling for control over an infected system prefer to keep all the system resources for themselves, and there have been several instances in the past where malware authors turned upon each other’s creations. The two most famous ones were:

1. W32/Nachi, supposedly christened the good worm, targeted machines vulnerable to the Blaster worm, aka W32/Lovesan. Once installed on a vulnerable machine, this worm would terminate and delete instances of the Blaster worm. To prevent further compromise of the host machine, it would also download and install a patch for the MS03-026 vulnerability from the Microsoft website.

2. Netsky vs. Bagle wars: Both virus writers regularly flamed each other and targeted the other’s creations with every new variant. Bagle targeted Netsky-infected machines by spawning a mutex with the same name as the Netsky worm’s, which terminated all previously running instances, while Netsky variants preferred deleting registry entries and killing processes to prevent automatic execution of Bagle and Mydoom variants.

In a most recent incident we got to see Spam-DComServ, alias the SpamThru trojan, which installs a pirated copy of an antivirus program to get rid of rival malware on the machine.

Quoting an excerpt from the analysis of this trojan by Joe Stewart at SecureWorks:

“SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.”

It seems “professional courtesy” is not something virus writers believe in. Spam-DComServ is yet another piece of malware that does not like sharing its host machine with any other malware. It will be interesting to see whether any other malware counterattacks this act of Spam-DComServ.

Rest assured, we will most likely get to see more scenarios like the above, where malware authors try to top each other and defeat one another’s malware. There truly is no honor among thieves!!

Image Spam still increasing

During the last week image spam accounted for up to 40% of the total spam received, compared to about 1% a year ago. Image spam has been increasing significantly for the last few months, and various kinds of spam, typically pump-and-dump stock, pharmacy and degree spam, are now sent as images rather than text. Image spam is typically three times the size of text-based spam, so this represents a significant increase in the bandwidth consumed by spam messages.

During this period our image spam detection rate remained well over 99%, and image spam discard rates were almost as high, averaging about 95% of image spam discarded. Spammers moved to image-based spam in an attempt to evade detection, but it’s not working!

The PatchGuard arms race has begun!

It was only a matter of time, but the first security ISV has publicly announced a product that bypasses PatchGuard. Authentium announced today that their Authentium ESP Enterprise Platform can bypass PatchGuard. In a world where less than 1% of known threats exploit the kernel in a way that PatchGuard will block, and where only 15 of 264 (less than 6%) Microsoft vulnerabilities from 2004-2006 would have been protected by PatchGuard, according to our calculations, I’m not sure whether to laugh or cry.

PatchGuard is an attempt to close a software hole with more software. As Joanna Rutkowska has amply proven, there is no software-only solution to the rootkit problem. Hardware solutions, like Intel’s Vanderpool or AMD’s Pacifica, are required to harden PatchGuard to the point where it cannot be broken, but they will not be widespread in the field for years to come. And in closing one small hole, it’s opening a host of others, like those addressed by the behavioral, anti-rootkit and HIPS features we, and other vendors, have been working on for years. Arguably, our solutions are not immune to this same problem; the difference is that instead of one solution from a newbie security vendor, consumers today can deploy multiple solutions from many seasoned vendors to create a layered defense strategy, even at the desktop level.

So in the meantime, MS is going to try to put their fingers in the dike of PatchGuard holes, which are more valuable to security vendors than to malware authors, who can simply avoid the kernel structures MS is trying to protect. In many ways, this is the final manifestation of the logical conclusion I came to when Greg Hoglund first announced his NT rootkit: we are, and always have been, locked in an arms race with the malware authors and hackers. Microsoft has just taken away our most effective weapons.

Microsoft is putting McAfee, Authentium, Symantec, Sunbelt and the rest of the security community in the interesting position of having to tell our customers that we can’t protect them beyond a reactive AV signature without “hacking” their operating system. So if we can’t protect them, and Microsoft can’t protect them (and won’t let us), what are consumers and enterprises to do? Right now, security vendors and Microsoft are in a very public standoff. It will be interesting to see what happens when Microsoft’s own customers chime in on this issue. What do you think?

Not all bot-money is made in “cyberspace”

There’s something that I’ve been hearing mentioned a lot lately, particularly from those in law enforcement circles: the importance of “mules” in bot-related money-making schemes. These are work-at-home type jobs which are offered through very professional-looking websites, through classified ads, and even through IM. They are a crucial part of the reason so many bots are able to be run from places around the globe. In order to obtain merchandise (often to re-sell) or cash with stolen credit card credentials, the thieves have to go through stricter regulations if the goods are going to another country. To get around these regulations, they use mules within the originating countries.

These mules are often someone who’s desperate for money, or someone who figures it’ll be the (unfortunately fictitious) company that gets in trouble rather than themselves, so they tend to ask few questions of their “employers”. Laws in most countries are better able to handle this sort of trafficking in stolen goods, so it tends to be these small-time players who are most often prosecuted within the web of illegal botnet activities.

Another Identity Theft story

Two weeks ago, I discussed a Trojan from the Backdoor-BAC family with you. On the same day, the MET (UK Metropolitan Police Service) announced they were investigating data recovered from a computer in the United States. It contained personal information from hacked machines located in the United Kingdom that were infected by a variant of this malware family. In other news dated October 24th, Computerworld wrote about identity theft fraud involving more than 8500 victims in over 60 countries. France is among the countries mentioned.

Having worked with my German Avert Labs colleague on this issue, I can go into more detail. Once the backdoor was installed on the target computer, it transmitted to a remote Web server the e-mails sent by the victim, along with their mailbox usernames and passwords. It also captured any on-line transaction (ISP connection, banks and other on-line services like Amazon.com) whenever an HTTPS transaction was executed. The Trojan sent screenshots (jpg format) and the user’s keystrokes (txt format) to a collector Web site.

We were able to reach the Web server dedicated to the data collection. It held more than 850,000 files representing 4.5 Gb of information. All of the data was conscientiously classified by country. The « France » directory contained 643 files for 4 distinct people. Like my colleagues, I transmitted these data to the French authorities on October 16th. They alerted the victims the same day.

The next screenshots are an example related to an on-line bank transaction. The jpg file lets the criminal identify the bank account; with the txt file, they can find the password.


This identity theft network was controlled via Web-based techniques. The compromised PCs connected themselves to a master site to receive their commands as well as the location to send stolen data and the password to reach this server. They were also able to update themselves by downloading new pieces of code.

We receive hundreds of malicious code samples each week. Usually we are only able to add detection for them into our DATs. In this case we were able to use the information to help the victims. This happens rarely and should remind all of us to stay vigilant.

Yet Another Microsoft Zero-Day Exploit!!

In my last blog entry I talked about the consequences of Microsoft’s policy of releasing security updates only once a month. Is this encouraging exploit writers to release zero-day Microsoft exploits soon after a month’s Patch Tuesday to maximize the vulnerability’s window of exposure? Yesterday, on 24 Oct 2006, exploit code was released for a Microsoft Internet Explorer (IE) vulnerability. This proof-of-concept code could cause a denial of service (DoS) in IE. Avert Labs is investigating this exploit further.

Patch Tuesday next month falls on November 14. So this IE bug’s potential window of exposure is at least three weeks…

W32/Stration - Not This Kid Again!?

Following our blog on W32/Stration last week, this kid has been enjoying making its presence felt. To date, W32/Stration has been hovering in the top three places in prevalence, behind W32/Netsky (another old-school mass mailer), on Postini’s top viruses tracking for their global email systems.

Today, McAfee Avert Labs discovered a new variant of this mass mailer that was gaining speed, spamming the Internet from infected machines. When another “security expert” claims that “old school” threats are passé, think again. More details on this new variant at:
http://vil.nai.com/vil/content/v_140655.htm