…and from the Crowne plaza hotel – home of the 2nd CARO workshop on “Packers, Decryptors and Obfuscators”.

As you may know, nowadays malware mostly comes in a packed form, in order to thwart Anti-Malware and security products. For this reason it is of great importance to be able to develop technologies that are able to “see through” these executable wrappers and detect the underlying malware in a smart way.

Easy to say – less easy to do. And this is the reason for which this workshop is really interesting

After attending this morning’s part of the workshop I have to say that the presented content has been really excellent – and technical too. Starting from the keynote speech through all the others thus far I’ve been struck by the depth of the information shared. I found Kurt Natvig’s presentation especially interesting as it covered the difficulties emulators face when dealing with modern malware – good job, Kurt!

Hopefully the presentation will be made available online too so I definetely advise anyone interested to monitor the CARO workshop website!

I need to go now as the afternoon’s presentations are starting! Talk to you later!

We have been in contact with one of the German’s Crime Investigating Authorities (LKA). This is a case when a malicious program running on mobile phones was making unauthorised calls. All these calls were connecting to one and the same SMS number which is used to top-up the amount of virtual money for one of the online games. A scheme to top-up in-game cash via SMS messages is frequently used by online game vendors.

This is a really interesting twist because in the past malware writers simply programmed malware (either on a desktop or on a mobile device) to call a premium phone number (one where the cost of a call is high). Of course, with this old method it is easier to trace the destination of funds because for each such call real money is transferred from a phone company to the owner of the premium number. So the principle “follow the money” to track the perpetrators usually works.

This new and indirect way of laundering money through an online game makes it significantly more difficult to track the destination – several in-game assets’ transfers can be made before the money is taken out of the game through real-money trading (RMT – it is a bannable offence in most online games but some games allow that – for example, Second Life).

Our advice is not to use programs for mobile phones that come from untrusted sources (like game forums, Internet newsgroups, Emails, P2P networks, blogs, etc.)

Avertlabs would kindly ask all mobile phone users to be vigilant and submit suspicious programs for our analysis – the easiest way is to use our online Webimmune service www.webimmune.net.

PCI Requirement #6.6 has been in the news for quite some time, primarily because complying with it is not trivial. PCI Security Council published a press release on April 22, 2008, hoping to clarify some of the requirements and help merchants comply before the upcoming deadline of June 30, 2008. Some of the clarifications are confusing, since they seem to go against basic application security concepts, as well as the principle of compensating controls already laid out by the PCI standard.

Requirement #6.6 aims to secure web sites against attacks, by requiring either of the following for all web-facing applications:

1. Manual code review by experts
2. Application Layer Firewall

Now this press release effectively says that the intent of code review requirement is met by:

• Manual web application security vulnerability assessments
• Proper use of automated web application security vulnerability assessment (scanning) tools

The million dollar question is: Can a vulnerability assessment or penetration test really deliver the same findings that a code review does? Is it OK to think that a code review can be replaced by a vulnerability assessment or a penetration test?

I don’t think so. Code review is a white box exercise, where as vulnerability assessment is a black box exercise. Code review allows a security expert to look under the hood and see the guts of the application, where as a vulnerability assessment looks at the application from outside and can only see the few security flaws that have actually manifested themselves into full blown exploitable vulnerabilities. Therefore a vulnerability assessment will leave out many other complex, subtle, yet serious flaws that only a code review could have discovered.

So I wonder why the council thinks that it meets the intent of the code review requirement.

Now here’s some background before you read about the next confusion.

The PCI standard clearly states that a compensating control must be in addition to controls required in the PCI DSS. Sounds complicated but it’s really simple. Let me explain with an example: Let’s take Requirement #3.3 which requires the PAN to be masked when displayed. If this requirement cannot be met then the merchant will have to propose a compensating control. However a compensating control which says that “this data is only accessible to a limited set of employees who need to work with this data” will not be acceptable, because this control is already covered under PCI Requirement #7 which says that data should be accessible only to those employees which have a business need.

Going by this logic, Requirement #11.2 and 11.3 already cover manual web application security vulnerability assessment as well as automated web application security vulnerability assessment (scanning) tools. So how can these be considered acceptable as a compensating control for Requirement #6.6?

I am surprised that such a proposal is made by none other than the Council, which is the champion of the PCI standard. I really hope the Council corrects this mistake.

- Vivek

Note: Vulnerability assessments and penetration tests can be interpreted differently by different audiences. So I should clarify that I am interpreting them as per PCI guidelines, which closely match how Foundstone interprets these services too.

Hello again, Paolo here. Yesterday afternoon the presentations moved to a more practical level, and the topics that were discussed were definitely interesting.

We started this afternoon’s session with “Hump and Dump” – an interesting study about the possibilities of Original Entry Point (OEP) discovery using a statistical technique based on histograms. The retrieval of the OEP of a packed application is important for several reasons one of which is, for example, that its execution usually marks the end of the unpacking process and that the original binary, previously invisible under the wrapper of the protector/packer/obfuscator, is now available in its rebuilt state. Although the work presented by the authors was still somewhat in the early phases it shows good ideas and it may be that with some modifications it can become effective enough to be used in research tools and Anti-Malware scanning engines.

In the following presentation Mario A. López explained to the audience how he and his coworkers at Frisk did approach some complex problems related to unpacking in their own scanning engine but I won’t go deeper as this information is probably not intended for people not directly in the industry.

Next Robert Neumann from VirusBuster presented a nice set of specific unpacking strategies to quickly unpack simple, not-so-simple and even complex packers and protectors – thanks for sharing Robert!

The last presentation was from Ilfak Guilfanov – the author of IDA Pro and Hex-Rays and well known in the security industry for being the developer of the unofficial fix for the Windows Metafile (WMF) vulnerability in Microsoft Windows operating system back in December 2005. In his presentation Ilfak did show us a few tricks to use within IDA to approach obfuscated code including one that researchers face when analyzing complex protector code.

I am very eager to see today’s presentations including the ones coming from McAfee Avert Labs researchers – Gaith Taha and Geok Meng Ong!

Stay tuned for the next update!!!

Happy Anniversary!

May 3, 2008, marks the 30th anniversary of spam mail. Yes, it’s been three decades since Gary Thuerk, a Digital Equipment Corporation (DEC) employee at that time, broadcast the very first unsolicited advertising message announcing a new product, the DEC-20, to everyone on the Internet’s predecessor, the Advanced Research Projects Agency Network (ARPANET). Developed by the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, the ARPANET was the world’s first operational packet switching network and paved the way for the information superhighway we now call the world wide web. Take a look at the innocuous message and a write up of the events surrounding this unsolicited commercial email by clicking here: http://www.templetons.com/brad/spamreact.html.

The term “spam”, which refers to SPAM®, a canned meat product sold by the Hormel Foods Corporation, was coined to describe unwanted and unsolicited commercial email. A description of why this term was used is here: http://en.wikipedia.org/wiki/Spam_%28electronic%29#History. The term wasn’t used much in the early days, and it wasn’t until 1994 that spamming started in earnest. Deliberate commercial spamming as a form of advertising is believed to have been started by a law firm, Canter & Siegel. In 1994, the firm sent a message advertising their immigration services to more 6,000 Usenet newsgroups. They developed mass-mailer software to automate the distribution of the email, a practice still used by spammers today.

Over the past 30 years, the face of spam has changed dramatically—from simple text, to obfuscated text, phishing emails, and spammed malware. And it’s even gone beyond that to image spam, spear phishing, attachment spam, and recently even MP3 based spam. At first, spam was sent from single user accounts. Later, spammers pushed their messages through open mail servers. Today, these unwanted emails are typically sent via huge networks of zombie machines, which are designed by malware writers to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms. Spam has evolved from newsgroup and email spamming to Instant Messaging, mobile phone spam, and blog and search result manipulation spam.

Despite Bill Gates’ prediction in 2004 that spam would cease to exist by 2006 (http://news.bbc.co.uk/1/hi/business/3426367.stm), there appears to be no end in sight, even in spite of recent laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) introduced to help curb spam. Why does the law lack legs? It’s mainly because today’s spammers, who are motivated by the prospect of financial gains, largely operate outside of countries with strict anti-spam laws.

In some ways, Bill Gates’ prediction was correct in that spam filtering solutions have been developed over this period of time to detect and filter almost all the spam that is sent, but this is cleaning up the problem, rather than eliminating it entirely. I don’t think anyone would favour an “email tax” to reduce spam, and Challenge/Response systems only contribute to more unwanted mail and slower communications. I personally believe it would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its sources and block rogue “bullet proof” ISPs. Technology currently exists to identify and isolate hijacked spam sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to implement these systems in a highly competitive and price-sensitive market. A better alternative may be a transition to a newer, more secure, mail protocol that would make it easier to eliminate spam email at the source.

In addition to ever more creative ways to block received spam, is an upgrade to the SMTP protocol answer? Or do we need more government legislation? Or is it something else altogether? Will it take another 30 years to put spammers out of business? I sure hope not!

If you happen to be buying any new PC machine(s) soon, you might find this post very relevant.

In a series of posts, I will be trying to explain the functionalities and security concerns surrounding one of the components that is very likely to be soldered to a motherboard of a machine that you are buying or have bought recently. That is a Trusted Platform Module (TPM).

So what is a TPM?

A TPM is a little chipset that some PC manufacturers have been selling inside their machines for some time now. It has the capability to securely generate and store cryptographic keys inside its non-volatile memory. The main functionalities of the TPM are remote attestation, sealing and binding (don’t worry about these terms; we will come back to them later).

So how can TPM can be used?

The TPM can be used to authenticate hardware devices, platforms, and applications running on top of them. To make this easy to understand, think of your internet browser trying to access your banking website. This browser is running on top of a platform which happened to run on top of some hardware. It is envisaged that [in the future] your bank will be able to verify the type of hardware and software you’re running before giving you access to your banking account; thus, checking the “trustworthiness” of your machine. (This is basically remote attestation).

Do I have to worry?!

As you might have figured out by now, in time you’ll be expected to reveal more about what you’ll be running on your machine in order to get the services you need. Also, content providers will have easier means to enforce usage policies on remote platforms.

Ok, Ok. It is not all bad news. Although Trusted Computing has been criticized by people like Ross Anderson, Bruce Schneier, and the Electronic Frontier Foundation, the Trusted Computing Group (as we will discover more about this in the coming parts) have made some adjustments to answer some of those concerns. (One of the main unsolved concerns is that mass produced hardware and operating systems might restrict some type of legitimate software from running)

On the bright side, TPMs will enable us to verify the integrity of our platforms. This idea will be possible by building our platform trustworthiness, from scratch, securely. First, we authenticate the BIOS, then the boot loader, then the OS, etc. Hence, we can have more assurance about what sort of processes are running on our platforms.

Looking from an Anti-Malware point-of-view, malware authors will be having a lot more difficulty escaping those chains of trust. Rootkits will have no place to hide (theoretically speaking ) in such environments since discrepancies will be found as soon as a rootkit can load itself into memory!

In the next part, I will talk more specifically about the concerns that surround TPMs and the solutions that have come up to answer some of them. Meanwhile, you don’t have to worry about any [undesirable] activity from your TPM-supported-platform, as all those machines come with disabled and non-configured TPMs!

… well, it was over already on Saturday, but I’ve been been busy analyzing malware and have not had the time to write this post earlier

Friday’s presentations showed the same quality as the ones presented during the first day of the conference. The day opened with a couple of interesting talks on how to de-obfuscate scripts: this is actually a rather interesting topic, as scripts are getting more and more to be the way in which machines get originally infected, for example when browsing the web. Several analysis techniques and tools have been presented to effectively decode scripts’ code that could otherwise turn into a researcher’s nightmare.

Then we had an interesting presentation from team members of AV-Team.org, in which they presented the results they obtained while trying to test performances of AV engines while scanning packed or protected code and while taking into consideration several factors, like the capabilities of some engines to use generic unpacking techniques and what happens when blacklisting certain packers.

Blacklisting of packers was also the topic of other two presentations, showing how “hot” this topic is. A presentation from Avert Labs’ own Gaith Taha stepped into this difficult field of trying to create a methodology to estimate the risk associated with packer’s blacklisting and generic detection.

Next, Sophos’ Boris Lau presented his work about dealing with virtualizing packers, which uses virtual machines to make code analysis complex and tiresome. The presented work was excellent, showing how to apply techniques that are usually associated with compiler science to help in the difficult fight against these complex protectors.

To close the day, Avert’s Geok Meng Ong presented his work about a different kind of obfuscation, the one that comes from a closed or partially documented file format, accompanying his speech with several case studies.

Looking to the past days in Amsterdam I can truly anything that it has been a really nice experience, a chance to meet great people and discuss with them some very interesting topics… Thanks for the great time guys!!

Now, back to malware analysis
Signing off…

Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago.  Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone.  Now Downloader-UA.h is not your everyday trojan, this detection covers fake music and video files associated with fastmp3player.com.

When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe.  In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.

Here are some of the samples names that we’ve seen.  Many many other file names are surely floating around on P2P networks.  File sizes vary as these files are padded with nulls.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files)  a 4,800 word EULA is displayed. 

Notable parts of the EULA include:

(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:

PRODUCT Mirar AND EULA http://policy.getmirar.com/

And my favorite:

22. Effective: January 14, 2007.

END OF DOCUMENT

NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.

Does END OF DOCUMENT mean you can ignore the rest?  Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!

If you agree to the EULA and choose to proceed, Adware “FBrowsingAdvisor” and “SurfingEnhancer” is installed as described in the EULA.  I especially like the directory named used by the developer:

c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb

If Firefox is not installed users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player.  This page lets the user listen to a canned selection of a couple dozen songs.

In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.

Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks, such as Gnutella used by Limewire.  I took some time to create a video clip showing what the infection process looks like.  In doing so, hundreds of additional media files were uncovered.  Most leading to the aforementioned site, freemp3player.com, but others leads to different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While this demo below shows that user’s must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3″ files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler – ie. default browser).  Not all media players support this functionality.

Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee.  Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days.  However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

Have you had any odd meetings in your Outlook or Google calendars lately? I’ve been monitoring an interesting spamming technique over the past few weeks where they are sending automatically accepted meeting requests (if you allow that) to your calendar.

The spam is originating from Gmail accounts but the Google and Outlook calendar functions are compatible so the meeting request goes straight into your calendar and you probably won’t notice it until you get a reminder at the spammers chosen time.

All the samples I’ve seen so far are Nigerian Scams which is interesting in itself as the Nigerian scammers have traditionally been less advanced in terms of coming up with new tricks.

This tactic adds a further nuisance factor for the recipients of this spam as it sets your time as “Busy”. Sure, you can turn off automatic acceptance of meeting requests via the Calendar options in Outlook and in Google Calendar but that feature is provided for a reason so why should the spammers stop us using it? This spam campaign has been low volume and targeted as is the nature of the Nigerian Scam email but there’s been alot of talk in the last few months about Gmails captcha being broken so it wouldn’t suprise me if the botnet spammers pick it up pretty soon!