This month, Microsoft has patched 13 vulnerabilities. Among them is one that can be used to create a worm targeting Windows 2000 systems. The MS06-070 Workstation Service vulnerability can be remotely exploited without user interaction. On Windows 2000, no authentication is needed when sending traffic to this service. Details on this vulnerability have been published.
The vulnerabilities in Internet Explorer DirectAnimation.PathControl AxtiveX object and in XML Core Service, both exploited in the wild, have been addressed in this month’s patch cycle.
The update of our graphs of last month is found below. The graphs show that Microsoft is continuing the trend of patching a large number of critical vulnerabilities each month.

Sometime ago, I wrote about the PWS-Bankers, and what their authors were doing to make their sample live the longest amount of time possible: by adding additional sites to the trojan so if the first was out, it would get info from the second… Well, today I got another sample of one of those PWS-Banker.dldr, the downloader part that retrieves the actual banker trojan. This one had about 60(!) different websites, of which more than 50 were active as I write this…thats what I call redundancy!

Most of the urls were abusing dynamic DNS services, as you can see here:

hXXt://imagens5.myvnc.com
hXXt://imagens6.myvnc.com
hXXt://imagens7.myvnc.com
hXXt://imagens8.myvnc.com
hXXt://imagens1.myftp.biz
hXXt://imagens2.myftp.biz
hXXt://imagens3.myftp.biz
hXXt://cervatotal.servebeer.com
hXXt://blosblob.serveblog.net
hXXt://imagens6.myftp.biz
hXXt://imagens7.myftp.biz
hXXt://imagens8.myftp.biz
hXXt://imagens9.myftp.biz
hXXt://imagens1.myftp.org
hXXt://imagens2.myftp.org
hXXt://imagens3.myftp.or
hXXt://imagens4.myftp.org
hXXt://imagens5.myftp.org
hXXt://tulipasfotolog.hopto.org
hXXt://imagens7.myftp.org
hXXt://imagens8.myftp.org
hXXt://imagens9.myftp.org
hXXt://imagens1.bounceme.net
hXXt://imagens2.bounceme.net
hXXt://minhavida.servehalflife.com
hXXt://blobufg.zapto.org
hXXt://blobuegarquitetura.serveblog.net
hXXt://somostodosum.serveblog.net
hXXt://herbalifes.servehalflife.com
hXXt://zabumbaflog.zapto.org
hXXt://superflog.serveblog.net
hXXt://visionflog.serveblog.net
hXXt://floglidiane.bounceme.net
hXXt://flogolandia.serveblog.net
hXXt://blobterra.serveblog.net
hXXt://pudimblob.servebeer.com
hXXt://blobestrelinha.serveblog.net
hXXt://flogalera.serveblog.net
hXXt://flogolandias.serveblog.net
hXXt://superblob.serveblog.net
hXXt://blobuol.serveblog.net
hXXt://flogdasloiras.serveblog.net
hXXt://flogescandalos.serveblog.net
hXXt://flogagitabrasil.serveblog.net
hXXt://blobagitacentral.serveblog.net
hXXt://fobiastudiox.servemp3.com
hXXt://superflog.zapto.org
hXXt://flogao.zapto.org
hXXt://flogflog.no-ip.info
hXXt://zuiii.serveblog.net
hXXt://blobpromilitar.serveblog.net
hXXt://flogpromilitar.serveblog.net
hXXt://fotosfraga.serveblog.net
hXXt://fragantes.serveblog.net
hXXt://catarine.serveblog.net
hXXt://liliane.serveblog.net
hXXt://danielamix.serveblog.net
hXXt://mirelle.serveblog.net
hXXt://lidiane.serveblog.net
hXXt://julinha.serveblog.net

It’s no big revelation to say that spammers and virus writers have been getting increasingly sophisticated about the mechanisms they use to get their ads in front of a set of real, human eyes. It seems, recently, that virus writers are concentrating on improving their background infrastructure to get better metrics and overall success rate.

For instance, it seems the miscreants are getting into the world of data mining. There’ve been a couple examples recently of ways they’ve used different techniques for keeping track of how their botnets are doing. Keep your bots in handy groups for different purposes, and then track them with a nice graphical interface!

Personally, I still have a hard time thinking of these groups as “professional”, in the suit-and-tie sense of the word. But this is so organized it makes me wonder if the people behind these things don’t effectively have Accounting and Marketing departments.
But then, occasionally the spammers take a turn that kinda makes you wonder. Yes, the field of “Pump and Dump” stock spam is getting a bit crowded - maybe something new and different is what’s in order?

Starting last night, there was a new raft of spams using a “technique” which is decidedly odd. Just a single word, spelled out in ASCII art. Are they counting on users to google this strange word just to solve the mystery? Or is the “payload” yet to come?

This week, Secunia and SecurityFocus published advisories on a Microsoft Windows Active Directory vulnerability. Reportedly, a remote attacker could deny service to vulnerable machines by exploiting this vulnerability.

Not much more is public about this flaw. Nonetheless, the flaw’s publication date is conspicuous: it was published on November 14, which coincides with Microsoft’s November Patch Tuesday.

I’ve called attention before to what may be a trend for vulnerability disclosure. Security researchers might be releasing Microsoft vulnerabilities on or just after a Patch Tuesday to maximize the vulnerabilities’ window of exposure. The November 14 Windows Active Directory vulnerability is yet another curve-fitter in this trend!

It’s always nice when I get a few emails in my inbox that aren’t predicting doom and gloom, and give me a giggle or two, so I figured I’d share a few with you.

• I hadn’t heard of the Anti-Hooligan Software Alliance until today. Great idea of course, but a strange choice of name, especially to those of us who’re fans of the comedian Bill Hicks. (I’d link but I can’t find anything without a great profusion of four-letter words) Wikipedia explains my confusion best - What’s the sport people are getting violent about, here? I’m pretty sure “software” is not a sport.

• It’s a perennial point of amusement within the security industry that with the advent of internet-connected kitchen appliances and cars we may some day need to have security software throughout the house. Now I have to wonder, will paper some day come with security software pre-installed on it?

• Today, some so-called “adware” was discovered for OS X. (So called because it opens pop-up windows - it’s pretty minimally functional) Naturally, this is being referred to as iAdware. Okay, so maybe this one elicits more of a groan than an actual giggle, sorry.

Alright, back to the doom and gloom!

A little background info - BuddyProfile.com is a site meant to allow you to spiff up your Buddy Profile for AOL Instant Messenger (AIM). It seems to be popular with a youngish teenage audience; it’s in the top 100,000 sites according to Alexa. It’s this particular fact which makes all the drama that follows just that more disturbing.

The basic problem is one we’ve seen before - When users are free to add their own HTML content with minimal restrictions, people will find a way to add objectionable content like malware and adware.
A SiteAdvisor crawl today turned up some profiles on BuddyProfile.com which immediately redirect the user to an adult site, which points to a file which is detected as Exploit-ANIfile, which is being used to install Adware-PestTrap which then displays “security warnings” to the user.
Just to recap:

1. Popular site, frequented by a large number of kids
2. Allows users to add their own HTML content
3. HTML content is being used on profiles to redirect people browsing this site (presumably said kids) to porn and surreptitiously-installed adware programs

Yuck. Seriously.
I think one of our Site Advisor researchers, Harry Sverdlove, put it best. He likened sites allowing users to embed their own HTML content into profile pages to restaurants letting people bring in their own food to be served to everyone:

“I’ll take the salmonella and the botulism ‘to go’ please.”

Introduction

Let’s assume we need to do the dataflow analysis in a particular execution path in a certain binary. In order to collect as much data as possible, we should single-step a certain execution path, save registers values in each step, and then do some analysis. If we have all registers values, we can deduce values assigned to/from memory locations, by looking at instructions semantics.

Available methods

Let’s focus on the first stage: single-stepping. We have the following methods:
Method 1. win32 API debugging facilities
We can do it in an “official” way, that is:

• attaching a debugger
• forcing single-stepping by setting TF bit in eflags
• collecting register values each time on return from WaitForDebugEvent()

However, it is hopelessly slow, because a context switch is necessary after each instruction, and the debugger needs to issue a few system calls to retrieve context and resume execution.

Method 2. In-process EXCEPTION_SINGLE_STEP trapping
A better way is to trap EXCEPTION_SINGLE_STEP not in the debugger, but in the analyzed process itself. We can set up a SEH, and in the SEH handler collect necessary data, and later resume the execution. We can inject into a process a dll which will do the necessary preparations. The “sha1sum_test.exe” binary, if given a second argument, will execute the critical loop with TF set in eflags, and an exception handler will be called after each instruction.The speed gain is about x10 in comparison with the previous solution. Still, exception dispatching both in kernel and in userspace components imposes significant overhead.
Visit http://www.cybertech.net and you can find more advanced implementations.
Maybe it would be more efficient to implement a fast path in the kernel exception handler (just collect register values and resume execution).

A faster solution

Method 3. [purely in] User Mode Single Stepping
Why do we need TF at all ? If the instruction at address X is about to be executed, we can overwrite the next instruction with “jmp our_handler“. (we will need to make the .text segment writable first). our_handler should

1. switch to a temporary stack; save the registers with pusha+pushf
2. restore the overwritten instructions
3. move the saved registers values to some storage
4. compute where the current instruction transfer the execution; let it be the address X’
5. overwrite X’ with “jmp our_handler“
6. restore registers with popf+popa; restore eriginal esp; return to the next instruction

The tough part is 4. We need the following:

• for instructions which do not transfer control (so, anything besides jmp/jxx/call/loop/ret), we need to know an instruction length. It is easy: we can compute all instructions lengths *before* running a program, store it in some file, which will be subsequently mmapped accessible by our_handler.
• for jmp/ret/loop/”call fixed_addr” we need to add the jump offset to the current address - easy.
• for jxx instructions, we need to consult eflags whether the execution is altered or not - doable.
• if we face a computed call/jump, we could disassemble it on the fly and deduce the target, but it is complicated due to variety of addressing modes of 386. The easier way is to trap to debugger, which will single-step the problematic instruction, and later resume software tracing. The overhead should be small because computed calls/jumps are relatively rare. And we can still simulate the most frequent cases, say “call eax”.
  Additionally, this approach helps when our disassembler cannot recognize a particular instruction.

Implementation

The above functionality has been implemented in “umss” project, in McAfee labs. The package contains the following components:

• umss.cpp: it is supposed to write a map of instructions lengths. It uses the “boomerang” project (http://boomerang.sourceforge.net/). In fact, if we just need to get instructions lengths, any disassembly library would do; however, boomerang is unmatched when it comes to analyse instructions semantics (the said analysis is still to be implemented).
• inject.dll: it is a library to be injected into any process. It implements single-stepping. If it does not know how to handle a particular instruction, it jumps to “\xcc”, and the attached debugger takes care of it.
• tracer.cpp. It implements the rest of the required functionality.

In order to collect some benchmarks, a simple program was written which runs a loop a given number of times. It can be traced with umss, or, if given two arguments, trace itself with method II. Results:

• native run (without any tracing):
  ret=-787054544, time=0.047312ms, loops/ms=211361.374858
• tracing with EXCEPTION_SINGLE_STEP handler (two arguments given to the test program):
  ret=-787054544, time=1085.968872ms, loops/ms=9.208367
• ordinary tracing with WaitForDebugEvent():
  ret=-787054544, time=9999.467773ms, loops/ms=1.000053
• umss:
  ret=-787054544, time=95.365204ms, loops/ms=104.860050

As we see, umss method is about 10 times faster then exception handler, and over 100 faster than the ordinary debugging.
All the execution times were obtained with disabled storing of register values (only the overhead of tracing was important). Anyway, in umss the log file is memory mapped, so especially in case of a SMP (or dual-core) system the performance impact imposed by disk writes should be minimal.Additionally, in order to improve the efficiency, we do not want to trace through library calls (well, it should be configurable which dll we want to trace). If inject.dll observes that the execution leaves the .exe segment, it will overwrite the return address location with its own handler and execute t he library function without tracing; when the library function returns, tracing resumes.

Currently the umss package is in early stage, just enough to confirm usability of the approach and conduct benchmarks. It should be straightforward to implement simple enhancements:

• implement more computed jump/call instructions
• currently only a single executable section map is supported
• implement injecting the dll upon LOAD_DLL_DEBUG_EVENT of a library we want to trace
• perhaps optimize inject.dll better. The interesting part is that it should execute only ca 80 own instruction (per each instruction in the traced process) in a typical case, yet the performance hit is x2000. Probably the parallelism of Pentium is affected, as well as memory caches efficiency.
• finally, implement the crucial part: flow analysis

The umss package can be downloaded from Sourceforge umss download page

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

In the world of security, there are typically two kinds of arms races – symmetric and asymmetric. Asymmetric warfare is where it is orders of magnitude easier to defend than it is to attack (or vice-versa). In other words, given a conscious decision to be secure, it is inherently a lot easier to carefully engineer a fail-safe system, than it is for a malicious attacker to figure out a way to break it. Good examples of asymmetric warfare are cryptography (most modern cryptographic algorithms are practically impossible to break), memory-corruption based exploitation (stack canaries, address-space layout randomization, non-executable memory pages / “PaX”, “no-execute” hardware support etc are all relatively easy to implement and use), deception & uncertainty (e.g. ICMP traceback, honeynets), etc. On the other hand, symmetric warfare is where the attackers and defenders are on a level playing ground in terms of available technologies. The best examples of this have been DRM (Digital Rights Management) and virus technologies (detection and evasion).

Every now and then, good defensive technologies from asymmetric warfare in one security domain are applied for offensive purposes in another security domain (or vice-versa depending upon which came first). The following are two recent examples.

Firstly, in the world of online form submission, “captchas” have become a de-facto standard to check whether an actual human is involved in the process. A captcha is essentially a visual challenge-response test. Typically, a distorted image is generated randomly for each form, and the user is supposed to visually recognize the content displayed and type it in. The assumption is that automated bots can’t identify the content quickly enough, only humans can. A pretty fail-safe technique actually, and it works to this day for most purposes. However, the same concept is now being used by spammers:

The entire unsolicited message is one captcha image. For traditional anti-spam agents that have to quickly scan through emails, this is indistinguishable from legitimate-looking emails from unknown senders and with image-attachments.

So the asymmetric defense from the world on online-form submissions has now introduced an asymmetry in the world of anti-spam. The day wire-speed OCR (optical character recognition) becomes available, possibly invented for spam defense, the asymmetry in online-form submissions will also be lost.

Second, let’s look at TLB (Translation Look-aside Buffer) desynchronization. The PaX technology from Grsecurity introduced the idea of non-executable memory pages via split TLB. A brilliant defensive technology that games the paging-logic of IA32 based CPUs using desynchronization of the TLB to allow a kernel mode driver to know whether a memory access is a data-access or an execute access. So it became possible to detect exploits that tried to execute code copied into pages marked non-executable.

Following this, the split-TLB defense was applied for offensive purposes in Shadow Walker (hiding rootkits from AV/AS scanners) and defensive purposes in Ollybone (reversing packed/encrypted malware). Packed malware typically start off by unpacking the original code into a separate section (marked non-executable by the malware analyst). Then, when the malware attempts to execute the OEP (Original Entry Point) instruction, the Ollybone driver can intercept it and present an “unpacked” memory layout to the reverse engineer. Shadow Walker uses an “inverse-PaX” technique. When a scanner attempts to read from a Rootkit occupied page, a cloaking driver detects it as a non-execute access, and presents a cloaked clean version of the page instead. The driver allows execution of the Rootkit pages as usual. This makes traditional user-space scanning for kernel-mode rootkits completely ineffective.

The following is the latest addition to the utility of this split-TLB trick.

View Demo Here

Unlike Shadow Walker which is designed to hide Rootkit’s kernel-space modifications, we apply the split-TLB trick to hide user-space code (or data) patches instead. This has a tremendous impact in the world of malware analysis and DRM.The proof of concept demo here shows a user-space executable that is designed to be tamper-resistant. It does this using a “checksum” thread that periodically monitors and posts the checksum of certain memory pages used by a critical “worker” thread. The worker thread periodically prints a status message. Once the anti-checksum driver is loaded, it first setups a cloaked clean version of the worker-thread page. Using split-TLB, the checksum thread is shown the clean version only. Then the driver patches the worker-thread code and completely disables its status messages. As seen in the demo, the checksum thread generates checksum-match messages even as the worker-thread has been visibly tampered with. Once the driver is unloaded, the cloaking is removed, and only then the checksum thread detects the process has been tampered with. This illustrates that user-space tamper resistance via self-checksums can not be relied upon anymore for any platform that supports split “TLB” or any style of memory cloaking that distinguishes executes from reads.

So the originally defensive PaX technology turned offensive in Shadow Walker, then defensive in Ollybone, and again either defensive/offensive depending upon whether it’s used for hiding code-patches in malware during analysis or in DRM-enabled products to break their tamper resistance.