Archive for April, 2007

“MovieCommander! No it’s DnsChanger”

There is a crafty trojan making the rounds on the Internet called “MovieCommander”. When looking at this title on a Windows computer and reading the EULA description, as shown below, many innocent users may think this is a legitimate application designed to help them access different video files:

Don’t be fooled! It’s actually a trojan installer which upon execution changes the DNS server address to point to its preferred DNS servers as well as dropping a rootkit under %system32% folder. The rootkit can be detected by McAfee Rootkit Detective as shown below:

Detection for the above malware is covered under the trojan category as DNSChanger.f.
We caution all Internet users against such malware as we continue to protect our customers against such attacks.

Episode 3 of The AudioParasitics PodCast from McAfee Avert Labs

The latest episode of AudioParasitics was released last Friday. In this episode we discuss ‘bots’ and bot evolution with McAfee Avert Labs’ own Allysa Myers. Other topics include: Why does AV fail? What are packers and why do they affect malware?

The AudioParasitics PodCast

Check it out at the AudioParasitics home page or subscribe through iTunes.

S-s-s-something From the Comments

(With props to Ze Frank!)

sleepdoc Says: I love you guys who act like the IT guy on the SNL skit, “Jeez, one could easily manually remove the malware via autoruns or similar tool. …” Right, like the average user has any idea what you mean.

There is a very wide range of technical experience levels among readers of this blog, and it can be very difficult for us to write for all possible levels. So, we’ll conduct a little experiment: Periodically I’ll post a breakdown for those of us who are less technically inclined, to explain a security concept in layman’s terms.

This is where you come in: If this is helpful, let me know. If I’m still being too heavy on the geek-speak, let me know that, too. If you have a specific request, fire away. I’d like this to be as universally useful as possible.

So, here’s a basic breakdown of the ANI exploit situation:

There are a huge number of innocent Web sites–hacked by the same group that hacked the Superbowl site–that are hosting a file which exploits an unpatched hole in many recent Windows versions. The file was created in such a way that it can cause a system to download and run malware.

What that means to you and me is that either just by searching around to our favorite sites, or by following links in e-mail, we could be going to sites that are hacked to contain this malicious ANI file. We’re not talking about searching just for pr0n or warez or something, but regular, everyday Web sites.

If your system is vulnerable, you will not see it run - you may not see much of anything out of the ordinary. And from there, it could be silently pulling other nasty things down onto your machine. There is not currently a patch or work-around from Microsoft to fix this. That’s why this threat is such a big deal.

Adding to this scariness is that these ANI files are being frequently tweaked by the hackers so they can evade antivirus detection. We’ve added generic detection for these malformed files as new ones are found, and this has been working quite well so far at proactively picking up brand new variants. Having a firewall can also help stop those new files that are being downloaded by the ANI files, as those are being frequently updated too. (These downloader trojans are, very generally, what Ned was discussing in his comment.)

The bottom line here is to be extra vigilant about updating your virus definitions frequently, and make sure you have a firewall. Keep an eye on Microsoft’s site for an update. They’re planning on releasing a patch tomorrow. Don’t run files, especially ones coming through email, which promise to be Microsoft updates or patches. Get your patches directly from Microsoft.

Next up: Firewalls 101 - what is an “open” port and why should I care?

ANI Patch Released, Patch ASAP

Microsoft has released a patch for CVE-2007-1765 (aka CVE-2007-0038). Anyone using a vulnerable system should install this patch ASAP. Hundreds of websites have been found to be hosting exploits, with thousands of websites and spam leading users to that malicious code. The number of attacks is likely to rise steadily for several weeks if not months. Exploit-ANIfile.c detection quickly rose to the number one spot on our consumer regional virus tracker chart for Asia over the weekend. We can expect the detection of this exploit to top the charts as the most widely seen exploit over the next few weeks as well. Currently it is taking up the number six spot on the worldwide chart:

Virus Tracker Chart

There has been some confusion around whether or not Vista is vulnerable to remote code execution. I’ve posted this video to demonstrate this case. Here, with DEP enabled (default settings) and IE7 running in protected mode, you will see a proof of concept in action.

ANI Exploits Made Easy

Do you ever ask yourself why we talk so much about “another” vulnerability?

For starters, up until a few hours ago, this vulnerability was not covered by an official patch. Another good reason is the fact that we are seeing exploits in the wild.

And if that was not enough, now kits have been released that allow basically anyone to create his or her own exploits, making it a really simple task.

The video below shows exactly that: how easy it is to create such exploits, so you can understand why you should worry and protect yourself.

A Week of German Stocks Spam

One stocks spam operation has been working very hard in the last week to pump a few German stocks. Not only have they been spamming in both German and English, but they have used a variety of spamming techniques in quick succession and have been sending huge volumes of spam.

In the last few days in March we saw S3C.F being spammed in German. This campaign was in the more traditional text format.

The spammers obviously weren’t happy with their response as they quickly turned to image spam and a new stock (L9Z.F) a few days later to try and increase their response.

Then a few days later again the same images were being spammed but in a more unusual fashion. Hundreds of images similar to the one above were uploaded to imageshack.us, a free image hosting site and then sent out in a high volume spam campaign with just links to these images and some random text.

Although we have seen some US stock spam campaigns in the same period the German ones have outnumbered them by far which is an unusual twist in the story of this type of spam. I wonder if it has anything to do with the spammer mentioned in our previous blog?

One Spam to Not Open…

A new spam campaign doing the rounds looks fairly innocent but its sole purpose is to verify that your email address is active. This will inevitably lead to your email address being added to multiple spam lists. The main problem with this particular spam is that the email is hard to spot and simply opening it will quietly alert the spammer your email address is active.

The email thanks you for using the digital locker at Windows Marketplace and goes on to give you details of how to download your purchase which in this case is Windows Vista Ultimate Upgrade. The spam only has links to msn.com that forward to Windows Marketplace.

Hidden in the html there’s a blank white image that tries to load from a link as follows:

The spammer has cleverly used a PHP script to send him your email address when the image tries to load. The script then returns a link to the blank white image (http://xxx.xxx.xxx.xxx/dot_clear.gif), which is barely noticeable in the spammed email.
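A mail-side check for the beacon described above, as an added example (not the post’s own code or tooling). It parses an HTML body, keeps only images fetched over HTTP(S), and flags those that embed the recipient’s address, are served by a script, or are 1x1 sized; the sample message and the img.php name are constructed, and xxx.xxx.xxx.xxx is the post’s own placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): v for k, v in attrs})


def find_beacons(html: str, recipient: str):
    """Return (src, reasons) for each remote image that looks like a
    read-receipt beacon of the kind described in the post."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.imgs:
        src = img.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:) or data: images cannot phone home
        reasons = []
        if recipient.lower() in unquote(src).lower():
            reasons.append("recipient address embedded in the image URL")
        if url.path.lower().endswith((".php", ".asp", ".cgi", ".pl")):
            reasons.append("image served by a script rather than a static file")
        try:
            tiny = int(img.get("width") or 99) <= 1 and int(img.get("height") or 99) <= 1
        except ValueError:
            tiny = False
        if tiny:
            reasons.append("1x1 or smaller image")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample modelled on the campaign described above; the
# xxx.xxx.xxx.xxx host is the post's own placeholder, img.php is made up.
SAMPLE_EMAIL = """<html><body>
<p>Thank you for using the digital locker at Windows Marketplace.</p>
<p><a href="http://msn.com/">Download Windows Vista Ultimate Upgrade</a></p>
<img src="http://xxx.xxx.xxx.xxx/img.php?id=alice%40example.com" width="1" height="1">
<img src="cid:logo">
</body></html>"""
```

Setting the mail client to ask before downloading remote images, as the post recommends, is what actually stops the beacon; this check only tells you which message tried.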

We have seen this spam from the following:

From: “Web Useds”
From: “Web Services”
From: “Web Help”
From: “Support Services”
From: “Sales Depot”
From: “Digital Plaza”
From: “Digital Locker”
From: “Customer Support”
From: “Buy now”
From: “Web Depot”
From: “Ref Depot”

And the subject of the email is usually one of these with random numbers in square brackets:

Subject: [635] Important info regarding your Order
Subject: [7738] Your Order
Subject: [4241] Support Request

Or sometimes just has your email address in the subject:

Subject: youremail@yourdomain.com

So if you notice any emails like these, it’s best to avoid opening them. It’s also advisable to set your email client to ask before downloading images, if this feature is available.

Our new CEO is a-blogging!!!!!

McAfee Avert Labs welcomes our new CEO Dave DeWalt aboard. Check out his first blog post on our sister blog Security Insights.

Malware Exploits Microsoft “Feature” Along With Vulnerabilities

Danger And Benefits of Obfuscation
Most of the malicious code we see on a daily, even hourly, basis is obfuscated in one way or another. PE (portable executable format) files are packed (compressed and/or encrypted), scripts are encoded and/or encrypted, etc. Obfuscation is one of the biggest challenges for content scanners today, both on the host and on the wire. Emulation has been instrumental in getting past layers of obfuscation without the need for custom decryption code for each passing threat, by allowing malicious code to decrypt itself in a “sandbox”. However, over time anti-emulation, anti-debugger, and more generally anti-deobfuscation techniques have made this more challenging, and emulation also carries a performance impact. But there are more rudimentary ways to tackle this problem.

Obfuscation is a double-edged sword. At some point, the methods used go to such an extreme to evade detection that the method itself is enough to base detection on. In October last year, an obfuscation module was introduced for a popular penetration testing toolkit. One of the methods used involves generating random white space inside of HTML exploits. This tactic can evade detection in some cases, but this “noise” itself can be enough to trigger on. Valid files do not typically contain such noise. This paradox is present in other areas of threat tactics as well. Take social engineering for example. Email spam, and even viruses, that are so overwhelmingly written to trick users into taking some action often stick out like a sore thumb. Another example is the plethora of threats that do not function in typical forensic environments used by researchers. Today it seems that more bots are built to NOT run under virtual machine environments than those that are. The result: many infections can be avoided simply by running in a virtual environment. As more and more users run virtual machines, the anti-researcher technique becomes a hindrance to the malware.

Internet Explorer “Feature” Exploited
In June 2006, an issue was reported in the way Internet Explorer interprets ASCII characters. IE only takes into account 7 bits while interpreting ASCII-encoded 8-bit streams, ignoring the most significant bit (the 8th bit). For example, both values shown below are interpreted as the character ‘A’ if we consider only 7 bits and ignore the 8th, but the representation is different if all 8 bits are accounted for. Other browsers, however, do not show this behavior.

Hex   Binary     7-bit char   8-bit char
41    01000001   A            A
C1    11000001   A            (different)

This issue has been discussed before and it seems due to the ambiguity in specifications, it cannot exactly be considered as a bug in IE. Whether Microsoft got it right in IE and most everyone else got it wrong (including Mozilla and Opera), or the other way around, it is a challenge for most traditional anti-malware scanners when looking at 8-bit character representations of web pages. This technique can be used for malicious purposes and otherwise-known threats can suddenly “appear unknown” to scanners and yet render fine with IE. We ran a small test by “encoding” some of the well known and detected threats using this technique, and none of the AV scanners tested passed (including Microsoft’s).

Obviously, this problem can be solved, either by fixing the bug/feature in IE or by updating most content scanners to function the way IE behaves.

There may be another option. Like the aforementioned obfuscation techniques, this encoding poses a hindrance to detection and at the same time opens a window for some proactive detection: the existence of 8-bit characters with values greater than 0x7F (the maximum possible with 7 bits) can be considered suspicious in the context of ASCII-encoded web pages.
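Both sides of this, the IE-style 7-bit normalization a scanner would need and the proactive high-bit heuristic, as an added example (editor’s code, not McAfee’s or any product’s). The samples are constructed: OBFUSCATED is CLEAN with the 8th bit set on the bytes of “alert”, SIGNATURE stands in for a scanner’s byte pattern, and treating a page with no charset declaration as ASCII is an assumption.

```python
import re

# Charset declarations under which every byte should be 7-bit ASCII.
# Treating a missing declaration (None) as ASCII is an assumption.
ASCII_CHARSETS = {None, b"us-ascii", b"ascii"}
CHARSET_RE = re.compile(rb"charset\s*=\s*[\"']?\s*([\w-]+)", re.I)


def ie_normalize(data: bytes) -> bytes:
    """Mirror the IE behaviour described above: drop the most significant bit
    of every byte, so 0xC1 and 0x41 are both read as 'A'."""
    return bytes(b & 0x7F for b in data)


def declared_charset(data: bytes):
    """Return the charset named in a <meta> tag (lower-cased), or None."""
    m = CHARSET_RE.search(data)
    return m.group(1).lower() if m else None


def high_bit_count(data: bytes) -> int:
    return sum(1 for b in data if b > 0x7F)


def is_suspicious(data: bytes, min_count: int = 1) -> bool:
    """Proactive heuristic from the post: high-bit bytes inside a page that
    declares (or defaults to) ASCII are suspect. Pages declaring an 8-bit
    charset such as iso-8859-1 or utf-8 are legitimately non-ASCII and are
    not judged by this rule."""
    if declared_charset(data) not in ASCII_CHARSETS:
        return False
    return high_bit_count(data) >= min_count


# Constructed samples. OBFUSCATED is CLEAN with the high bit set on the five
# bytes of "alert" (0x61 6C 65 72 74 -> 0xE1 EC E5 F2 F4); IE renders both alike.
CLEAN = (b'<html><head><meta charset="us-ascii"></head>'
         b'<body><script>alert("hi")</script></body></html>')
OBFUSCATED = (b'<html><head><meta charset="us-ascii"></head>'
              b'<body><script>\xe1\xec\xe5\xf2\xf4("hi")</script></body></html>')
LATIN1 = b'<meta charset="iso-8859-1"><p>caf\xe9</p>'
SIGNATURE = b'alert("hi")'  # stands in for a scanner's byte signature


def naive_match(data: bytes) -> bool:
    """A scanner that matches raw bytes misses the obfuscated copy."""
    return SIGNATURE in data


def ie_aware_match(data: bytes) -> bool:
    """Scanning the IE-normalized bytes restores the match."""
    return SIGNATURE in ie_normalize(data)
```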

Real-World Attack
McAfee Avert Labs has been monitoring this technique being employed in the wild for malicious purposes. In one recent case, the payload exploits MS06-055, a patched Microsoft VML vulnerability to download the W32/Fujacks.ab virus.

Fujacks.ab is a variant of Fujack.aa (the first known worm to leverage the recent ANI file handling vulnerability). The nefarious group behind these Fujack variants was one of the frontrunners in hosting ANI exploits (patched in MS07-017). So not only were they early adopters of ANI file exploitation, they were also early adopters of 8-bit ASCII malware obfuscation.

The MS06-055 exploit connected with Fujacks.ab utilizes the obfuscation techniques discussed in the first section of this blog, and as a result is proactively detected as Exploit-ObscuredHtml. Also, VirusScan’s ScriptScan is able to see past the 8-bit ASCII encoding and detects it as JS/Exploit-BO.gen.

It is interesting to note that none of the other AV scanners tested detect this obfuscated sample even though many do detect once decoded.

McAfee ScriptScan to the Rescue
Emulation can be an effective way to get underneath obfuscation, but anti-emulation techniques may circumvent this approach. McAfee VirusScan products contain a feature known as ScriptScan. ScriptScan is a technology capable of scanning beyond the obfuscated layer in client-side web script files. Most obfuscated scripts contain simple but redundant arithmetic algorithms and variable randomization that bypass most file scanners. They are a challenge to products that only scan these files at the top layer, because legitimate scripts can contain similar algorithms. ScriptScan monitors script execution in Microsoft Internet Explorer (IE) and scans the underlying scripts exactly as decoded by IE. More critically, scripts must be decoded to run, and ScriptScan is initiated before they can execute, effectively blocking malicious scripts from executing.

Why Many Comparative Tests Are Flawed
While our tests show a lack of file detection, they are admittedly flawed. They are flawed for the same reason that VirusTotal and a number of other comparative tests are flawed; they don’t test threats in their real-world environment. 8-bit ASCII obfuscated threats may not be detected by command-line, on-demand, or even certain on-access scanners. However, if those threats are scanned in the course of being rendered by Internet Explorer, the obfuscation is removed (which is what allows VirusScan’s ScriptScan to detect). It is unclear how many AV products contain this feature. While such an approach is not possible at the gateway, emulation may be a partial solution. Clearly a challenge with emulation is that one must code the emulator to mirror the behavior of the interpreter, in this case Internet Explorer. And by mirror, that includes coding in the same bugs and features, such as IE’s 8-bit ASCII decoding. It is believed that the majority of web content scanners do not handle such decoding the way IE does. It would be prudent for Microsoft to resolve this, and remove the capability from the hands of attackers.

Obfuscating Image Files for Fun and Profit

Just when you think you have had enough of obfuscation in executable files and web scripts, McAfee Avert Labs has been tracking a series of malformed image files in the current wave of 0-day ANI exploits since the wildfire started burning about 2 weeks ago. Some of these ANI exploits introduce what I would like to call obfuscation in image files.

ANI files are animated cursor images commonly used on the Windows platform; their format specification, based on the Resource Interchange File Format (RIFF), is public and open. In the ANI exploit code that was made public, we found common ANI headers that had been modified and redundant noise that had been prepended, in an attempt to circumvent detection in most traditional content filtering and anti-virus products that lack proper scanning in the context of the threat and proactive exploit protection.

In our tests, all of these “malformed” image files are rendered by Internet Explorer and can cause memory corruption or remote code execution on unpatched Windows systems.

In this sample, the ANI exploit generated by a popular free-for-all toolkit uses a lot of random tags such as “gIZU”, a nonsense RIFF tag. It looks like it was inspired by “TSIL”, a reversed “LIST”, found in the first variants of the 0-day to be discovered. The RIFF specification does not forbid 4-byte ASCII identifiers outside the common list of ANI tags, and most image viewers, including Internet Explorer, parse them without any problems until they hit upon the relevant parts that cause the buffer overflow to occur.

As of today, approximately 10 days after the initial reports of the original Windows ANI 0-day vulnerability reached the public domain, many exploits generated and obfuscated using freely available toolkits still go undetected by a majority of the anti-virus products tested.
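A structural RIFF chunk walk that surfaces the two obfuscations described above (bytes prepended before the header, and nonsense tags such as “gIZU” or “TSIL” outside the documented ANI chunk set), as an added example written for this page rather than code from McAfee or any product. The known-tag set, the 36-byte anih size check and the sample files are the editor’s own; the samples are constructed and contain no exploit content.

```python
import struct

# Chunk IDs documented for ANI (RIFF form "ACON") files; anything else is noise.
KNOWN_ANI_TAGS = {b"anih", b"rate", b"seq ", b"LIST", b"fram", b"INFO", b"icon",
                  b"INAM", b"IART"}
ANIH_SIZE = 36  # documented size of the ANIHEADER structure carried by "anih"


def scan_ani(data: bytes):
    """Walk the RIFF chunk list of an ANI file and return a list of findings.
    Purely structural: the file is never rendered or executed."""
    findings = []
    start = data.find(b"RIFF")
    if start < 0:
        return ["no RIFF header found"]
    if start > 0:
        findings.append(f"{start} bytes prepended before the RIFF header")
    if data[start + 8:start + 12] != b"ACON":
        findings.append("RIFF form type is not ACON")
    pos, end = start + 12, len(data)
    while pos + 8 <= end:
        tag = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        if tag not in KNOWN_ANI_TAGS:
            findings.append(f"unknown chunk tag {tag!r} at offset {pos}")
        if tag == b"anih" and size != ANIH_SIZE:
            findings.append(f"anih chunk size {size} != {ANIH_SIZE}")
        if pos + 8 + size > end:
            findings.append(f"chunk {tag!r} size {size} runs past end of file")
            break
        if tag == b"LIST":
            pos += 12  # LIST carries a 4-byte list type, then its sub-chunks
        else:
            pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    return findings


def _chunk(tag: bytes, body: bytes) -> bytes:
    return tag + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_ani(prefix: bytes = b"", extra=()) -> bytes:
    """Constructed sample builder: a minimal ACON file with a 36-byte anih
    chunk, optional prepended bytes and optional extra chunks."""
    body = b"ACON" + _chunk(b"anih", b"\0" * ANIH_SIZE)
    for tag, payload in extra:
        body += _chunk(tag, payload)
    return prefix + b"RIFF" + struct.pack("<I", len(body)) + body


CLEAN = build_ani()
# Mimics the toolkit output described above: noise in front of the header
# plus nonsense tags such as "gIZU" and the reversed "TSIL".
NOISY = build_ani(prefix=b"XXXX", extra=[(b"gIZU", b"A" * 16), (b"TSIL", b"B" * 8)])
```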


Just as ambiguity and variations in specifications and implementation can lead to bugs and security issues, they can also be exploited by malware authors to circumvent conventional detection. This presents a new challenge to security products that scan image files for malicious content using basic methods that ignore the context of the threat.

Windows users are once again reminded to install the security patch for this vulnerability from Microsoft.
