Archive for June, 2008

Detecting Malware With Vulnerability Scanners

We had a customer a while back report a false detection on one of our Foundstone checks. The purpose of the check wasn’t even to detect malware, it was to detect the presence of a certain legitimate remote administration tool. The customer insisted they were not running that administration server on the host. From the diagnostic packet captures they sent in, however, there was no denying that the tool was running on that host whether they knew it or not. And that tool happens to be commonly dropped by malware to serve as its backdoor. No doubt, some damage had already been done by the time they reported this to us, but how much more damage was prevented when this security breach was discovered because of our check?

Malware detection is not one of the most prominent functions of a remote vulnerability scanner. But most major scanners do offer this capability. Don’t expect to replace your traditional AV with vulnerability scanners any time in the future, though.

Although vulnerability scanners can open and read files, they are mostly agentless; so they are reduced to making RPC calls to perform these operations. If you were to mimic the signature scanning of traditional AV, performance would be unacceptably poor. And so malware checks have to resort to detecting only the presence of malware. That is, detecting its traces. This can be the existence of certain files (no opening or reading), registry keys, or a running service. In most cases, having two out of three of these traces is a unique enough combination for a strong detection.

Another way to detect the presence of malware with a vulnerability scanner is to detect the network activity of the malware. If it opens a backdoor on a particular port and listens for commands, which is the majority of malware today, most likely we can detect it remotely. In this respect, the vulnerability scanner actually has an advantage over traditional host-based AV. Take the case of a rootkit that can hide its files, registry entries, running process, service, etc.–it’s virtually invisible on the host. It might even hide its network activity, but it can hide it only from programs running on the local machine. Sophisticated as the rootkit may be, it cannot hide its network activity from the vulnerability scanner working remotely.
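The two approaches above can be combined in one check. The sketch below is an added example, not Foundstone's or any scanner's actual code: it applies the two-out-of-three trace rule to host-side data and flags a listener that answers the scanner but is missing from the host's own port list. The signature, host names, paths, port and banner are all constructed, and treating a banner match alone as a strong detection is an assumption.

```javascript
// Constructed signature for a hypothetical backdoor: every name, path and port is made up.
const SIG = {
  file: "c:\\windows\\system32\\exbd.exe",
  regKey: "hklm\\software\\examplebackdoor",
  service: "exbdsvc",
  port: 50123,
  banner: /^EXBD\/\d/, // protocol greeting the listener sends on connect
};

// Windows names are case-insensitive, so compare lower-cased.
const has = (list, item) => list.some((x) => x.toLowerCase() === item);

// Host-side view gathered over RPC: existence checks only, no file contents are read.
function countTraces(sig, hostView) {
  return [
    has(hostView.files, sig.file),
    has(hostView.regKeys, sig.regKey),
    has(hostView.services, sig.service),
  ].filter(Boolean).length;
}

// Network-side view: ports the scanner itself connected to, with the banner it received.
function seenOnWire(sig, wireView) {
  return wireView.some((p) => p.port === sig.port && sig.banner.test(p.banner));
}

function assess(sig, host) {
  const traces = countTraces(sig, host.hostView);
  const onWire = seenOnWire(sig, host.wireView);
  // Assumption: a matching banner on the wire counts as a strong detection by itself.
  const verdict = traces >= 2 || onWire ? "strong" : traces === 1 ? "weak" : "clean";
  // The listener answers remotely but the host's own enumeration omits it: it is being hidden.
  const hidden = onWire && !host.hostView.listeningPorts.includes(sig.port);
  return { name: host.name, traces, onWire, hidden, verdict };
}

// Constructed scan results for four hosts.
const HOSTS = [
  { name: "ws-01", // file and service present, listener visible from both sides
    hostView: { files: ["C:\\Windows\\System32\\exbd.exe"], regKeys: [],
                services: ["ExbdSvc"], listeningPorts: [135, 445, 50123] },
    wireView: [{ port: 445, banner: "" }, { port: 50123, banner: "EXBD/2 ready" }] },
  { name: "ws-02", // a single leftover file, nothing listening
    hostView: { files: ["C:\\Windows\\System32\\exbd.exe"], regKeys: [],
                services: [], listeningPorts: [135, 445] },
    wireView: [{ port: 445, banner: "" }] },
  { name: "srv-03", // rootkit case: the host reports nothing, the wire says otherwise
    hostView: { files: [], regKeys: [], services: [], listeningPorts: [135, 445] },
    wireView: [{ port: 50123, banner: "EXBD/1 ready" }] },
  { name: "srv-04", // same port, unrelated service: the banner does not match
    hostView: { files: [], regKeys: [], services: [], listeningPorts: [50123] },
    wireView: [{ port: 50123, banner: "220 FTP ready" }] },
];

function scanAll() {
  return HOSTS.map((h) => assess(SIG, h));
}
```

In this constructed data, `srv-03` is the only host with `hidden: true`: the host-side view shows zero traces, yet the scanner still reaches the listener.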

In the end, detecting malware with a vulnerability scanner is purely reactive, that is, you are raising a flag after the malware has already installed itself–whereas traditional AV has the noble goal of preventing it from even getting onto the host.

Some might consider the malware detection offering of vulnerability scanners as superfluous because of the limited capability and its reactive nature. But I’m sure that the customer with the hidden remote administration tool isn’t one of them.

This is not a phishing site. Now, be a good victim and enter your login credentials in the form!

A few days ago I was browsing a forum when I read a message from someone saying that he had received a strange link from one of his MSN contacts, which was formed like the following:

http://[MSN_login].flatl1n[removed].info

This domain hosts a webpage asking for MSN logins and passwords and pointing to another webpage asking for ICQ login credentials:

But let’s examine this page in detail, especially the “Terms of Use”, for example:

“Terms of Use / Privacy Policy:

By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.
By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”

Oh well, that reminds me how social engineering is powerful…
The victim received this URL from someone who is supposed to be one of his MSN contacts, and it is unlikely he will spend a few minutes reading those lines. So I agree, everything that the attackers do is published inside the Privacy Policy, but I disagree when they say that they don’t “trick” people to get their login credentials: they use social engineering attacks to get users’ passwords. This is dishonest and this is a phishing scam!!

Now, here is the funny part of the “Terms of Use”:

“This is a free service. You will not be asked to pay at any time.
You will not be subscribed to anything asking for payment.
This service is made possible by many hours of human effort.

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”

So ironic…
And the last part, the one that aroused my curiosity:

“You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 TST Management, Inc”

I was wondering if this website was actually hosted in the Republic of Panama, but a whois of the domain informed me that the IP address is in fact located in Hong Kong:

The Reverse IP field says there are 32 other sites hosted on this server (210.56.53.224).
And we can see also that “TST Management, Inc” (who is the registrant of the domain), owns 412 other domains.
So I decided to do a Google search and I wasn’t surprised to notice that they are apparently used to phishing scams!
“TST Management, Inc” seems to be another name for the “Blue China Group Ltd”, the one that was sued by MySpace last year for mass spamming.

I managed to create a screenshot of the old “Mass Comment Poster” website that belonged to them:

We can see that the Terms of use were very cynical too!!

They also host what they introduce as a MySpace tracker (called “Stalker Tracker”) which is in fact another phishing scam website:

Besides, the website displays another “typical” Privacy Policy mentioning:

We may temporarily access your MySpace account to do a combination
of the following:
1. Post bulletins to your friends promoting stalkertrack.com.
2. Post comments to your friends promoting stalkertrack.com.
3. Post a blog about our upcoming tracker for your friends to read.
4. Customize your blog header html with a clickable stalkertrack.com ad image.
5. Send a batch of blog invites on your behalf.
6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached – to your friends and potential friends and other members.
7. Introduce new entertaining sites to your friends via comments, bulletins, and messages

And guess how they can do that? Once again, just by using the login credentials entered in the form…

Last but not least, once the login credentials are submitted via the phishing scam MSN/ICQ web pages, a PHP script is called to increment an online counter, and here are the statistics available at the moment:

This counter seems to supervise the activity on all their phishing websites, not only on a couple of them.

We can see that 92 people were reaching one of their phishing scam websites when I was looking at the statistics, there were 35334 unique visitors yesterday, 284746 visitors since the beginning of June, 3616516 visitors last month, and 7031582 visitors since this counter was created (since February/March 2008 according to the second screenshot).

Be vigilant about such IM messages and websites marked as “copyright” to “Blue China Group, Ltd” or “TST Management, Inc”. Whatever the website purports to be, they are certainly requesting your login credentials in an unclear way!!

Scary screensavers, take two

In one of my previous blog posts, I wrote about FakeAlert-AG’s fear strategy, which consisted of changing the desktop background and dropping the legitimate “bugs” screensaver. Well, we’ve seen that in newer variants the authors of this threat kept the same strategy, but they changed the screensaver to one that is way more scary for computer users…

Yes, you guessed right, the BlueScreen screensaver!!!

The bluescreen screensaver in action!

As in the previous case, the screensaver chosen by the author(s) of this threat is a legitimate application, this time coming from SysInternals, a company well known for its active contributions to the security community. However, the effect of such a screensaver is such that we’re afraid that it may have tricked several users.

Logging off,

Paolo

and I say we are detecting between 400,000 and 10,000,000 malware!

This week in Paris, a friend asked me how the anti-virus situation was going and how we will be able to face up to the unexpected increase in the number of malware. “In a day, one of your competitors announces more than 1.7 million new detections. Its total detection jumped from 74,000 to 1,800,000! If it keeps this up, the level of 2 million viruses will be overtaken rapidly”, he said. Humorously, the man I was talking to concluded: “and you [McAfee], you still detect less than 400,000 threats?”

Counting malware can be quite a tricky business. At McAfee, we announce how many threats we are detecting with each new DAT release, the anti-virus definitions for VirusScan. This figure, however, is a *family* count. Yesterday (June 17th, 2008), the clock said 407125.

In September 2004, with DAT release 4391, we reached 100,000 threats detected. With the 4800 release in May 2006, the number of threats detected reached 200,104. This figure doubled in 2 years, and the situation could be analyzed as follows:

To explain how it was possible to pass from 74,000 to 400,000 or to 1,800,000 malware, I informed my friend we had to take into consideration AV researchers “zoos” – in other words: “collections” – consisting of several million malware samples (sometimes we use the term “unique samples”) collected each day.  I explained to him we had, roughly, in our high-security servers, 10,000,000 files:

  • classified by family
  • often with a vast number of variants
  • sometimes with multiple infected files from a single malware variant (when it is parasitic or polymorphic), or when malware authors configure their threats to serve a binary-unique version with each download. In that case, some zoos contain 1 or 2 *versions* while others will have 10,000 and others still 100,000!!
  • without forgetting the terrific “miscellaneous” subfolder for files that we cannot pigeonhole

Of course, I said almost all were detected and consequently all these prediction numbers were not gospel truth. I added they were only useful to establish a long-term trend on condition that their computation complies with a single rule as time goes by.

To end my demonstration I searched for real figures. First I came across the AV-test.org statistics. On their site, they explain that they manage 60 terabytes of testing data, including several million malware samples and clean files. They test malware on all important desktop and server platforms, including all currently supported versions of Windows, Linux, Solaris, Unix, Lotus Domino/Notes and MS Exchange. Having just recently received from Germany some figures summarizing their malware collection, I learned the precise size of their collection, which exceeded 11 million unique samples (11,002,741 in April 2008).

Strengthened by this number, I was pretty sure we had – at McAfee – the same volume including parasitic and polymorphic malware for which we had to own multiple samples. I asked for a confirmation and received some figures I entered in this other chart:

While I wrote this blog entry, I imagined the reader’s surprise: in 3 months (from January 31 to April 30) collections increased by 2,880,000 million samples (at McAfee) and by 1,700,000 million samples (at AV-test.org); an average of 760,000 new files each month… This is true, and it is why we constantly work on new technologies to answer this challenge.

To conclude this blog entry, I propose to you the following……. It demonstrates that it is possible to announce that we detected, at the end of 2007, “between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And I predict we will detect at the end of 2008 “between 450,000 and 22,000,000 malware”. OK, I joke a bit, but I also want to demonstrate that there are many ways to count malware and you must not judge a product only by the announced number of detections.

Phishing & Vishing takedown best practices

There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

  • Redirect the hits to the brand’s legitimate site – This in my opinion is a dangerous thing to do on many levels and any brand requesting this action will feature on a follow-up shortly.
  • Remove the site and throw the 404 error – Just stopping the site working and having the browser present a standard error is the standard check-box reaction & minimal effort.
  • Use the hit as an opportunity for education – This is by far my favored option (even though I’ll play devil’s advocate when it’s discussed). Once a victim has fallen for a phish email, help them to help themselves in the future with some easy to understand education.

Education has to be appropriate; I’m not suggesting that “click time” is a good time for presenting the user with the Anti-Phishing Phil game, for instance. (Phil is great though if you’ve never seen it). “In your face” education at click-time is a topic close to the heart of the APWG; they will present their advice on the topic very soon.

So back to the raison d’être of this blog, a 10 gallon hat tip to AT&T for this great vishing takedown. [Listen to the mp3]*. They’ve raised the bar with this one and deserve some hearty kudos. I can’t think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here since it’s easily confused with mis-dialing (Homer mp3). They have replaced the disconnected service with a great education statement and sound advice too if the caller thinks that they were a victim.

* The quality is much better on the phone, I used our conference bridge to record the example.

Nuwar circulating a fake topic – Beijing earthquake

Nuwar families are known for using social engineering to trick users into downloading them. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic – Beijing earthquake (Not Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it. This page has the iframe link to a malicious javascript.

Upon accessing the above page, the obfuscated JavaScript is downloaded and run because of the injected iframe. The JavaScript exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another variant of Nuwar.
McAfee VSE blocks the script and detects it as “JS/Exploit-Shell.gen”.

At the time of writing, the download file was corrupted.

Breaking News… NOT!

There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race

This clever social engineering technique plays on people’s inquisitiveness about news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.

So it goes without saying: NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date, and if you have a website make sure it’s properly secured so you’re not hosting stuff like this.

Two new Linux kernel vulnerabilities discovered & patched

Avert Labs recently discovered and reported a couple of Linux kernel vulnerabilities, all of which have been patched by the Linux kernel maintainers.

The first one is the BER Decoding Remote vulnerability (CVE-2008-1673). This vulnerability was patched by the Linux dev team on 9th June 2008.

This vulnerability is a kernel heap overflow in the CIFS module and the ip_nat_snmp_basic module. It’s possible to reach the exploitable condition on 64-bit platforms. Though it’s hard to trigger a kernel heap overflow on 32-bit platforms, it’s still possible to crash the Linux box. We strongly recommend that users update to the following kernel versions:

Linux kernel 2.6.25.5
Linux kernel 2.6.26-rc5-git1
Linux kernel 2.4.36.6

Some vendors have mistakenly marked this as a vulnerability exploitable only in the local network. A correction for them: this vulnerability is remotely exploitable. We contacted one such security service provider, who had mentioned this issue as exploitable over the ‘local network’ only, and got this response:

“According to our information the ASN.1 decoding vulnerability exists within the modules handling CIFS and SNMP traffic. These are both protocols which we think should be firewalled off the Internet via common “best practices”, thus we set the attack vector to “local network” only.”

I don’t really agree with this approach, anything that is firewallable is locally exploitable then? In fact I would rather say that it is remote vulnerabilities like these that need firewall policies to be enabled and not the other way round. I would love to hear opinions from others on this issue.

BTW our McAfee Network Security Platform (formerly IntruShield) has already been updated with content to protect against this vulnerability.

The other issue, found by Brandon Edwards, is another interesting issue in DCCP: it is a local privilege escalation vulnerability (CVE-2008-2358). The vulnerability (supposedly) only exists in 2.6.17, 2.6.18, and 2.6.19 due to boundary checks in the upstream kernel versions. It is non-trivial to exploit this vulnerability.

Potential Zero Day in IE6 disclosed in Chinese security E-Zine

We recently came across this article published in one of the Chinese Security E-zines, called pstzine, which talks about a new zero day Cross Domain Scripting flaw in IE6. This is still unpatched in IE6 as of now but IE7 and FireFox are not vulnerable to this.

The issue is very similar to the “Ghost Page” issues in IE, which were originally raised by security researchers Manuel Caballero and Fukami at Microsoft Bluehat 2008, and there were some discussions on this topic on online blogs like GNUCitizen.

We’ve notified Microsoft about this information. Until a patch is available, we advise IE6 users to disable scripting in the browser or upgrade to IE7 to avoid potential exploitation due to the public disclosure of this vulnerability.

New PDF exploits: “Old wine in a new bottle!”

We came across some samples, and some vendors claim that these samples were exploiting the new PDF vulnerability CVE-2008-2641.

We took a look at this issue and found that this is not the case, it’s still exploiting the old vulnerability CVE-2007-5659, which is a buffer overflow vulnerability in JavaScript function Collab.collectEmailInfo in Adobe PDF Reader’s own JavaScript Engine.

The JavaScript itself was compressed in the PDF file. Decompressing the content revealed obfuscated JavaScript code. After digging through the obfuscated code, the real exploit was found encrypted in a long string. There is a function which decrypts the string into real exploit code and then passes it to the eval() function.

It’s interesting that the function uses the function code itself (arguments.callee) as part of the key to decrypt the real exploit code, so it won’t work if you simply replace eval() with “alert” or “document.write” to get the real exploit, as eval() itself is also part of the key. It’s an interesting way to obfuscate the exploit code to prevent security researchers from reaching the real exploit, almost like creating a ‘self-checksum’ mechanism.
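The self-checksum effect can be reproduced with a harmless model. This is an added example, not code from the sample or from the authors' analysis: `loader`, `sink`, the hash and the XOR scheme are all constructed, the payload is a placeholder string, and the function reads its own text by name rather than through `arguments.callee`. It shows why editing the function text breaks decoding, and that rebinding what the sink name resolves to, which leaves the text untouched, is one way an analyst can capture the decoded string without running it.

```javascript
// Constructed, benign model of a self-keyed loader; PLAIN stands in for the hidden script.
const PLAIN = "harmless placeholder standing in for the decoded script";

// FNV-1a over a function's source text: any edit to the text changes the key.
function keyFrom(src) {
  let h = 0x811c9dc5;
  for (let i = 0; i < src.length; i++) {
    h ^= src.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// XOR each character with one byte of the 32-bit key (symmetric: encodes and decodes).
function xorWith(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ ((key >>> ((i % 4) * 8)) & 0xff));
  }
  return out;
}

// `sink` plays the role eval() had in the sample; here it only returns its argument.
let sink = (code) => code;

// The loader keys the decode on its own source text, call to the sink included.
function loader(enc) {
  return sink(xorWith(enc, keyFrom(loader.toString())));
}

// Encoded form, built with the key derived from the unmodified loader.
const ENC = xorWith(PLAIN, keyFrom(loader.toString()));

// Naive analysis: rewrite the sink call in the source, then run the edited copy.
function runEditedCopy(enc) {
  const editedSrc = loader.toString().replace("sink(", "logger(");
  const logger = (code) => code;
  const edited = new Function("logger", "xorWith", "keyFrom",
    "return (" + editedSrc + ");")(logger, xorWith, keyFrom);
  return edited(enc); // key now comes from the edited text, so the output is garbage
}

// Instrumented analysis: keep the text intact and rebind the sink to a recorder.
function runWithHook(enc) {
  const original = sink;
  let captured = null;
  sink = (code) => { captured = code; }; // record the decoded text, never execute it
  try {
    loader(enc);
  } finally {
    sink = original;
  }
  return captured;
}
```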

After we figured out the way to get the real JavaScript exploit code we found that it exploits CVE-2007-5659 reliably with heap spray technology.

Some vendors claim that the exploit works on lower versions but crashes 8.1.2. This is not the case: it’s possible that the heap spray is simply taking some time to fill the memory. During that period, we observed that Adobe Reader stopped responding, but it’s not a crash. After a couple of minutes, it’s back to normal, and pops up a dialog box “Send by Email for review”. So, in short, Adobe Reader 8.1.2 seems to be immune to this exploit as Adobe already patched this vulnerability.