Archive for August, 2007

What Next? Spam on RAR-Compacted Text Files - PART 2

There was a time when we used to receive spam through regular email.
Then, the spammers learned about image spam, putting the message on picture files.
Recently we saw that they have moved to PDF spam, and later to encrypted PDF files.
A couple days ago we noticed spam in Excel files, and now we find another round with a different vector: RAR-compacted archives with spam inside text files!
Whatever will we see next?

Part 2:

Our very own Avert Labs researcher Dirk Kollberg did some really nice research on some Nuwar/Storm/Zhelatin malware. What he found out is that this malware is in fact the cause of such spam!! In this research, Dirk found out that after the malware starts its P2P activity, it exchanges a bunch of UDP packets, then makes some requests, and starts to send about 500-600 traditional ‘postcard-style’ spam messages carrying the http://xx.xx.xx.xx/? link. A few minutes later, it starts to send spam emails with a *.zip attachment that actually contains a RAR archive, with the spam text file inside!
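The tell-tale detail above is an attachment named *.zip whose content is really a RAR archive. As an added example (not part of the original post, and not Dirk's code), the following Python check compares an attachment's claimed extension against the leading bytes of its content. The byte signatures are the published ones for ZIP, RAR, PDF and the legacy OLE container used by .xls/.doc; the sample attachments are constructed here, and the grouping of extensions into container kinds is this example's own choice.

```python
"""Flag e-mail attachments whose file extension disagrees with the content.

Added example: a Storm-style spam run mails a *.zip attachment that is really
a RAR archive. Checking the leading bytes (the "magic") against the claimed
extension catches that trick without unpacking anything.
"""
from typing import Optional

# Leading bytes of common attachment formats. The byte strings are the
# published signatures; the extension grouping below is this example's choice.
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),                 # PK\x05\x06 = empty archive
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 1.5-4.x / RAR5
    "pdf": (b"%PDF-",),
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),          # legacy .doc/.xls container
}

# Which container kind a given extension should carry.
EXT_TO_KIND = {"zip": "zip", "rar": "rar", "pdf": "pdf", "xls": "ole", "doc": "ole"}


def sniff_kind(data: bytes) -> Optional[str]:
    """Return the container kind implied by the first bytes, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment.

    Returns one of:
      "ok"        - extension and content agree
      "mismatch"  - content is a known container that does not match the extension
      "unknown"   - content is not a container this check knows about
    """
    claimed = EXT_TO_KIND.get(extension_of(filename))
    actual = sniff_kind(data)
    if actual is None:
        return "unknown"
    if claimed == actual:
        return "ok"
    return "mismatch"


# Constructed sample attachments (not real samples): minimal header bytes only.
SAMPLES = {
    "postcard.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 16,   # RAR disguised as ZIP
    "invoice.zip": b"PK\x03\x04" + b"\x00" * 16,           # genuine ZIP header
    "offer.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",           # genuine PDF header
    "prices.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "readme.txt": b"Hello, this is text",
}


def scan(samples=SAMPLES) -> dict:
    """Run the check over every sample attachment and return name -> verdict."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:14s} {verdict}")
```

A mail gateway would run `check_attachment` on every decoded MIME part and quarantine the "mismatch" verdicts; the "unknown" verdict is deliberately separate so that plain text or unrecognised formats are not silently treated as clean.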

Isn’t it great? :)

Yes, we caught them… :)

What we still have to confirm is whether this malware is also responsible for the PDF and XLS spam, but we are working on it… :)

Dirk plans to release details of his research in the near future. If you are in Vegas, make sure you catch Dirk’s presentation on trojan malware at DefCon!!!

300,000 malicious items approaching fast

Later this week the malware count will most likely pass the 300,000 barrier.

Malicious items have come and gone over the years, but some remain persistent. The types of malware are not constant but evolve over time. From the late 80s to the early 90s they were mainly 16-bit MS-DOS .com and .exe file infectors and boot-sector infectors.

From 1995-2000 VBA macro code was very dominant, first as a side effect as people unknowingly exchanged infected .doc/.xls files, and later as malware that would simply read every entry in the Outlook address book and mail itself out automatically.

From 2000-2003 JavaScript/VBScript items along with 32-bit PE files were dominant, and exploits and multi-component malware began to appear.

From 2004 onwards binary mass-mailing worms were the topic of the day, resulting in many overloaded Exchange servers. On some occasions we even had to go to “Medium” risk multiple times a day. Luckily, the Netsky/Bagle wars are over.

From 2005 onwards the shift went to bots and trojans, and adware, spyware and phishing attempts grew.

Bots are especially problematic as they are so hard to fight. Botnets were mainly used to distribute adware/spyware, but on some occasions were also used for DDoS attacks, for “fun” or, worse, for ransom. Although we still see many bots appearing, they no longer seem as dominant. Nowadays the focus is more on making money from adware and trojans, but there is also a lot of spyware. Specific targeted attacks are also more common.

So even though the general public does not hear as much about outbreaks as during the Netsky/Bagle wars, malware numbers still grow very fast using quieter methods: adware/spyware and targeted attacks.

In 2000 we had a little over 50,000 malicious items. That figure reached 100,000 in 2003. In August 2006 we passed the 200,000 barrier, and almost exactly one year later, in August 2007, we will pass the 300,000 barrier. With numbers this large, sample handling can no longer be done by humans alone. It also continues to raise many questions around the naming of malware.

From the Floor of BlackHat and DefCon…

Your roving man-on-the-street Dave Marcus here at the middle escalator leading up to BlackHat 2007! I cannot really say that I am overflowing with excitement yet, as I am fully un-caffeinated, which is a rather disturbing thing considering all the content today.

I am looking forward to many of the briefings over the next several days: virtualization, stealth, fuzzing, etc. My geek cup truly runneth over. Avert Labs has a good showing this year at both BlackHat and DefCon, as we have presentations at both. John Viega and Dave Coffey will be presenting on building effective application security at BlackHat, while Dirk Kollberg and Toralv Dirro will be discussing recent changes in Trojan developments at DefCon.

I will be attending briefings, blogging on happenings and cornering the l33tz for interviews for our AudioParasitics podcast. Stay tuned!

BlackHat Musings, With a Small Rant Thrown In

Yesterday was a rather interesting day for several reasons. I had the opportunity to attend several briefings (which I will get to in a moment), schmooze with vendors (always fun), but best of all socialize with old friends from the old skool (translation: act like a pirate).

The vibe has been changing at BlackHat for quite some time now. It has for several years been becoming more mainstream and (dare I say it) even respectable. Don’t get me wrong: So far the presentations have been good and many of the security industry’s best minds put in a good showing; but there is a difference from years past. IMHO many of the topics seem soooo 10 minutes ago. Same people talking about the same stuff. Blue Pill and Vitriol…100% Detectable vs Nothing is 100% detectable…Pen Testing…Fuzzing…Wireless pwning. … Some new techniques but nothing really that has not been discussed before. So far I have come away with the thought that they are saving the really good stuff for another convention. And the fed has never been easier to spot.

I tend to judge security research by what its impact on malware will be. Will it create more malware? Will it create better malware? How will this hurt users or impact the enterprise? Will this result in easier zero-day creation? Will this allow malware to be more stealthy? That kinda thing…I sometimes wonder if most of the researchers consider that type of impact from their work; or do they ignore that aspect of it?

More in a bit…

Money for Nothing, Sex for Free!!

Sex sells, and virus authors use this age-old tactic to lure the average horny, inexperienced PC user into opening suspicious emails. The latest spam run doing the rounds is a trojan email claiming to contain a shocking video of nude Hollywood celebrities: Angelina Jolie, Natalie Portman and Nicole Kidman. A copy of the spammed email is as follows:

(Image: copy of the spammed trojan email)

Sadly, what the user gets in return for this sex bait is a trojan (Spy-Agent.bv.dldr) that installs a rootkit and downloads further malicious code from the Internet.

Attachments that are porn or warez related are exactly the kinds of things people are curious to view. And this is not the first time Hollywood sirens have been used as bait to spread computer viruses via email. Similar trojan spam runs have been used in the past with stunning results. McAfee users are protected against this threat from yesterday’s 5089 DATs onwards.

Quote for the day:

There is more money being spent on breast implants and Viagra today than on Alzheimer’s research. This means that by 2040, there should be a large elderly population with perky boobs and huge erections and absolutely no recollection of what to do with them ;-)

Presentations from BlackHat and DefCon

I have received several requests to post the final versions of John Viega and David Coffey’s BlackHat presentation as well as Toralv Dirro and Dirk Kollberg’s presentation from DefCon. They will be uploaded and available later today, along with updated ramblings and musings from myself…..

Hacker Jeopardy was hilarious and the music at the Black Ball was great!!!

Zero-day activity targeting Ichitaro vulnerability

An exploit targeting an unpatched (as of the time of this writing) vulnerability in the Japanese word processor JustSystem Ichitaro was discovered in the wild on 3 August. We identify the threat as the Exploit-TaroDrop.c trojan.

The modus operandi bears a close resemblance to the 0-day attack we blogged about in April 2007. The attack, delivered as a maliciously crafted document, drops BackDoor-DKI.gen, a trojan that was used, amongst other malware, in the April attacks. The shellcode drops a clean copy of the document as “aa.jtd” and re-opens it in the word processor, so the victim sees a normal document instead of a crash. Beyond that, additional obfuscation code has been added on top of the basic XOR encryption we saw in the past.
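Droppers of this kind carry their payload inside the document in encoded form, and the classic analyst move against basic XOR encryption is to brute-force the key while looking for a known header. The following Python is an added example of that technique, not code from the Avert analysis and not the Ichitaro sample itself. It assumes a single-byte XOR key and an embedded Windows PE payload; the real sample's extra obfuscation is not reproduced, and the "document" it scans is constructed inline.

```python
"""Locate a single-byte-XOR-encoded executable inside an exploit document.

Added example. Assumptions (not taken from the original analysis): the
embedded payload is a Windows PE file and the cipher is a single-byte XOR
key. Key 0 is tried too, so an unencoded embedded PE is also found.
"""
from typing import List, Tuple

PE_MARKER = b"MZ"                 # DOS header that starts every PE file
PE_SIGNATURE = b"PE\x00\x00"      # NT headers signature, found at e_lfanew


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_pe(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs where an XOR-encoded PE header appears.

    For each candidate key the 'MZ' marker is encoded and searched for; a hit
    is confirmed by decoding the e_lfanew field at offset 0x3C and checking
    that 'PE\\0\\0' sits where it points. The second check removes nearly all
    false positives from random byte pairs that happen to match 'MZ' ^ key.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(PE_MARKER, key)
        start = 0
        while True:
            off = blob.find(needle, start)
            if off == -1:
                break
            start = off + 1
            hdr = xor_bytes(blob[off:off + 0x40], key)
            if len(hdr) < 0x40:
                continue
            e_lfanew = int.from_bytes(hdr[0x3C:0x40], "little")
            if 0x40 <= e_lfanew < 0x1000:            # sane range for a real header
                sig_off = off + e_lfanew
                if xor_bytes(blob[sig_off:sig_off + 4], key) == PE_SIGNATURE:
                    hits.append((off, key))
    return hits


def carve_payload(blob: bytes, offset: int, key: int) -> bytes:
    """Decode everything from the PE header to the end of the blob."""
    return xor_bytes(blob[offset:], key)


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: decoy document bytes wrapping an XOR-encoded fake PE.

    The fake PE is header-only (MZ stub, e_lfanew, PE signature, i386 machine
    field, NOP filler); it is not a real executable.
    """
    e_lfanew = 0x80
    fake_pe = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    fake_pe += e_lfanew.to_bytes(4, "little")          # now exactly 0x40 bytes
    fake_pe += b"\x00" * (e_lfanew - len(fake_pe))     # pad up to e_lfanew
    fake_pe += PE_SIGNATURE + b"\x4c\x01"              # IMAGE_FILE_MACHINE_I386
    fake_pe += b"\x90" * 32
    encoded = xor_bytes(bytes(fake_pe), key)
    return b"JTD document header (constructed)\n" + b"A" * 200 + encoded + b"\x00" * 64


if __name__ == "__main__":
    blob = build_sample()
    for off, key in find_xor_pe(blob):
        payload = carve_payload(blob, off, key)
        print(f"PE header at offset {off:#x}, XOR key {key:#04x}, "
              f"machine {payload[0x84:0x86].hex()}")
```

In practice the carved bytes go straight to a PE parser or a sandbox; if `find_xor_pe` returns nothing on a document that is known to drop a binary, the sample is using something more than a fixed single-byte key, which is exactly the "additional obfuscation" case described above.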

We caution all Ichitaro users that we may continue to see such attacks against localized applications. More details on Exploit-TaroDrop.c are at http://vil.nai.com/vil/content/v_142899.htm .

The Zen of DefCon 15 Part 1

DefCon gets quite a lot right and it is not just great content. Actually the content, IMHO, might be the LEAST important aspect to DefCon.

Let’s be honest here. We are all infosec warriors in the information age. We all keep pretty much up to date on security research, malware developments, game hacking, etc. on a daily basis. Blogs, forums, podcasts and other media allow us to stay bleeding edge. We have to. Most information in most presentations at most conferences is a good 6 months old (not always, but usually). This is where DefCon distances itself from the pack.

If you really want to see where security theory and research practicality collide (fueled by Brew and Coffee Wars!) then the floor of DefCon is the place to be. Truthfully, it is the activities of DefCon, not the presentations, that you need to get caffeinated for:

* The Network @ DefCon
* 0wn the b0x
* Phreaking Challenge
* CTF (if you gotta ask…….)
* aCTF
* LPCON5 - Lockpicking Contest
* Hacker Jeopardy (one of my personal favorites)
* TCP/IP Drinking Game
* Wardriving Contest
* Wireless Village - ChurchofWiFi
* Lockpicking Village

No disrespect to the presenters or any of their content, but pwning-in-action is what makes DefCon well…….. DefCon. This is where the training, conferences and theory all meet the pavement. Can you get root? Can you stop someone from getting root? Do you really know what you are doing? Hey, is that a custom PWS variant that just pwned my data? Ohhhh, I never saw that evasion before!!! It is events like the above where the real education takes place.

Oh, and the Toxic BBQ! Part 2 later today…..

BlackHat and DefCon Presentations are live

McAfee Avert Labs had two presentations this year, one each at BlackHat and DefCon.

John Viega and David Coffey presented on Building an Effective Application Security Practice on a Shoestring Budget at BlackHat. I heard quite a bit of positive feedback on this at the conference itself. Kudos and extra points to both John and Dave for working in beer references!

Toralv Dirro and Dirk Kollberg presented Trojans: A Reality Check at DefCon. This one was also very well received (I actually got to attend this one!) and they were swamped (maybe not the best choice of word, but many people came up to the podium anyway) with questions afterward. They gave a great update on trojans in general as well as a technical dive into recent developments on the German malware scene. Dirk even showed a fascinating command and control demo that illustrated the ease of malware creation and control.

Enjoy!

Geolocation Downloader

Looks like the new trend in the downloader world is country-targeted software. One of the recent downloaders we received fetches a different executable depending on the victim’s location: USA, Canada, United Kingdom, other European countries, and all other countries.

This one first queries a remote IP geolocation service (IPGEO) to find out which country the infected host belongs to. If you reach that site yourself, it prints the country code for you, for example:
US|US

The downloader reads that reply and picks the file to download by country code:

* US (United States): bass.exe
* CA (Canada): trout.exe
* UK (United Kingdom): pike.exe
* EURO (Europe): fluke.exe
* OTHER (all other countries): dolphi.exe

Yes, we now have downloaders using IP Geolocation.
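The practical consequence for analysts is that a sandbox in one country only ever sees one of the five payloads. The Python below is an added example that reproduces the downloader’s branch logic as described above so that every branch can be exercised; it is not code from the sample. The “XX|XX” response format and the five file names are from the post; which country codes fall under “EURO”, the handling of a malformed lookup response, and the sample responses are this example’s assumptions.

```python
"""Reproduce and enumerate the branch logic of a geolocation-aware downloader.

Added example; not code from the sample. The response format ("US|US") and
the five payload names come from the observed downloader. Which codes count
as "EURO", how a malformed response is handled and the field-splitting rule
are this example's assumptions.
"""
from typing import Dict, Iterable, Set

# Payload names as observed, keyed by the downloader's branch label.
PAYLOAD_BY_BRANCH: Dict[str, str] = {
    "US": "bass.exe",
    "CA": "trout.exe",
    "UK": "pike.exe",
    "EURO": "fluke.exe",
    "OTHER": "dolphi.exe",
}

# Assumption: ISO 3166-1 alpha-2 codes the downloader treats as "Europe".
# The UK is left out because it has its own branch.
EURO_CODES: Set[str] = {
    "DE", "FR", "IT", "ES", "NL", "BE", "AT", "CH", "SE", "NO", "DK", "FI",
    "PL", "CZ", "HU", "PT", "IE", "GR", "RO", "BG", "SK", "SI", "HR", "LT",
    "LV", "EE", "LU",
}


def parse_geo_response(body: str) -> str:
    """Extract the country code from an 'XX|YY' style lookup response.

    Assumption: the first pipe-separated field is the code. Anything that is
    not exactly two ASCII letters (empty body, HTML error page, timeout text)
    yields "" so the caller falls through to the OTHER branch, which is the
    safe default a downloader would take when the lookup fails.
    """
    field = body.strip().split("|", 1)[0].strip().upper()
    if len(field) == 2 and field.isalpha() and field.isascii():
        return field
    return ""


def branch_for(country_code: str) -> str:
    """Map a country code to the downloader's branch label."""
    if country_code in ("US", "CA"):
        return country_code
    if country_code in ("UK", "GB"):   # GB is the ISO code; UK is what the lookup showed
        return "UK"
    if country_code in EURO_CODES:
        return "EURO"
    return "OTHER"


def payload_for_response(body: str) -> str:
    """Full decision: lookup response text -> executable the downloader fetches."""
    return PAYLOAD_BY_BRANCH[branch_for(parse_geo_response(body))]


def payloads_to_collect(observed_responses: Iterable[str]) -> Dict[str, str]:
    """Analyst helper: given lookup responses seen (or faked) in a sandbox,
    list the distinct payloads and the branch that triggers each, so every
    variant can be harvested rather than only the one for the lab's own IP."""
    out: Dict[str, str] = {}
    for body in observed_responses:
        out.setdefault(payload_for_response(body), branch_for(parse_geo_response(body)))
    return out


# Constructed lookup responses, including two malformed ones.
SAMPLE_RESPONSES = ["US|US", "CA|CA", "UK|UK", "DE|DE", "BR|BR", "", "<html>503</html>"]

if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        print(f"{body!r:20} -> {payload_for_response(body)}")
    print(payloads_to_collect(SAMPLE_RESPONSES))
```

To harvest all five binaries from a single lab, answer the downloader’s geolocation request yourself (DNS or proxy redirection to a fake IPGEO responder) with one code per branch; `payloads_to_collect` tells you which responses are still missing.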