Archive for July, 2008

The End of Exponential Malware Growth?

While reading my colleague François Paget’s recent blog about detection numbers, I noticed that something about the graph illustrating the growth of the collection maintained by AV-Test.org seemed a bit odd.

AV-Test.org total collection size by unique samples

The last few months showed a bigger total size than indicated by the forecast line, which is an exponential function. By looking more closely at the statistics of monthly growth we can see why:

AV-Test.org collection monthly growth rate by unique samples

During the last couple of months there is no longer an increase in the number of new samples added. The growth is no longer exponential but linear, averaging around 600,000 samples added each month. Looking at our own numbers of new samples, I can confirm this new linear growth.

Why is this a big deal? For years the security industry has been fighting an uphill battle–with the number of new samples increasing every month at an alarming rate. Now with constant, though still massive, growth there is some light at the end of the tunnel. If this trend keeps up, planning for future resources and technologies will become much easier and more manageable.

I’ll add one more remark about counting by “unique samples,” where unique means the file has a cryptographic hash different from that of every other file in the collection. For the time being this is one useful way of counting, but it can’t be mapped to detection numbers (François explained why), and it works today only because most new samples are Trojans. Should we see more file-infecting viruses in the future, and there are some indications they will make a comeback, this way of counting will quickly become useless, since every infected host file carries a different hash.

Yet another Paypal phishing scam

We often read that scam and phishing attacks are more and more complex. I agree… if we deliberately omit the various phishing kits available from the internet, which are usually not very sophisticated! This weekend I got yet another phishing email scam on my personal email address. This one targets Paypal users and specifically Paypal France since it is written in French. I thought that could be a perfect example to dissect in order to highlight the suspicious parts of its content.

So here is the email body:

First thing to notice: the use of “Cher client Paypal”, which means roughly “Dear Paypal member” and is a formal, but also very non-specific, way to start a mail. Paypal always uses our real name at the beginning of its mails, so any email that appears to come from Paypal and opens with such a generic greeting is suspicious. Moreover, French uses accents, yet although this email is written in French it contains no accents at all. Worse, there are many grammatical errors. Paypal is a big company, and I find it highly unlikely that it has nobody who can write French properly! So simply reading the email body should be enough to encourage us to drop it in the trash bin.

But let’s see the subtler parts now.

The email asks us to click on the button “Activer” in order to re-activate our Paypal account (which has obviously never been deactivated). But as you can see in the following screenshot, the button does not point to the Paypal.fr website; it is linked to the domain falomensdepeyy.com, although “www.paypal.fr” appears in the URL in an attempt to confuse people. A very typical tactic!

And last, but not least, let’s look at the email header:

The content of the header entry “X-WEBC-Mail-From-Script” is proof that this email was sent by a script located at http://www.alkasterdesese.com/mailer1.php, which has nothing to do with Paypal’s website! Although the “From” field contains the correct sender “service@paypal.fr”, we can now be sure that this email did not come from Paypal.
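The three tells walked through above (impersonal greeting, a link whose host is not the sender’s domain even though that domain appears in the URL, and a mailer-script header pointing elsewhere) can be checked mechanically. The following is an added example, not code from the original post: the sample message is constructed and reuses only the two domains the post names; the greeting list and the two-label domain comparison are simplifying assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample reproducing the post's traits; only the two domains come from the post.
SAMPLE_EMAIL = """\
From: service@paypal.fr
Subject: Reactivez votre compte Paypal
X-WEBC-Mail-From-Script: http://www.alkasterdesese.com/mailer1.php
Content-Type: text/html

<html><body>
<p>Cher client Paypal,</p>
<p><a href="http://falomensdepeyy.com/www.paypal.fr/activer">Activer</a></p>
</body></html>
"""

# Greetings that address nobody in particular (assumed list, extend as needed).
GENERIC_GREETINGS = ("cher client", "dear customer", "dear member")

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def analyze_message(raw: str) -> dict:
    """Return the sender's domain and the suspicious traits found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",)).get_content()
    findings = []
    # 1. Impersonal greeting: the real service addresses the customer by name.
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    # 2. Mailer-script header: the script that sent the mail lives on another domain.
    script = msg.get("X-WEBC-Mail-From-Script")
    if script and _registrable(urlparse(script).hostname or "") != _registrable(sender_domain):
        findings.append(f"sent by script on {urlparse(script).hostname}, not {sender_domain}")
    # 3. Links whose host is not the sender's domain; note when the sender's domain is a decoy in the URL.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if _registrable(host) != _registrable(sender_domain):
            decoy = " (sender domain appears in the URL as a decoy)" if sender_domain in href.lower() else ""
            findings.append(f"link '{text}' goes to {host}, not {sender_domain}{decoy}")
    return {"sender_domain": sender_domain, "findings": findings}
```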

At the time of writing, both sites located at alkasterdesese.com and falomensdepeyy.com are shut down.

Additionally, Michael Barrett from PayPal has posted an excellent blog on how to spot scams.

Welcome to Virtual Worlds

Every day, people buy, sell, trade, study and travel in real life. More and more often, they do the same things in virtual online communities sometimes referred to as “metaverses” or “digital worlds”. Represented by avatars (digital representations of themselves), they live a “second life” with new opportunities for networking, teaching, experimenting, and even making money. Businesses, investors and not-for-profit organizations invest in these worlds. They explore them in order to open dialogues with distinct target markets and demographics. L’Oreal, Sony, Toyota, Coca-Cola, and GreenPeace are just a few examples.

All of these universes use their own virtual money, which has an exchange rate against euros and dollars. For example, each month, 9 million USD are exchanged on LindeX, the official Second Life currency exchange.

(Graph source: http://www.cyfernet.org/cyfar08/preconference/web2/sl.ppt)

And money encourages malicious behaviour!

First in Seoul, at the last AVAR conference, and then in Laval, at the EICAR conference, Igor Muttik and I each presented a paper on this topic. They are available here and here.

In these papers, we explain that virtual worlds, as well as massive multiplayer online games (MMOG), have encountered many of the same criminal issues as the real world—identity theft, theft of virtual assets, extortion, money laundering and even paedophilia. I focused my paper on examples of attacks conducted from inside as well as outside Second Life and World of Warcraft. In his paper, Igor devotes a substantial part to predicting future trends by analyzing existing market and technological shifts.

KZERO Research has just published a study on the overall virtual world population. They report 303 million registered people across 21 different universes. A year ago, Gartner predicted that 80% of Internet users would have a virtual avatar by 2011; the 2008 figure shows that we have reached around 21.6%. Most of these universes are inhabited by young populations from 10 to 20 years of age. Habbo Hotel is credited with 90 million members. The cartoon universes of WeeWorld and IMVU have more than 20 million young subscribers each. Adults seem to prefer Second Life, which is credited with 13 million members.

(enlarged picture available here)

This last study confirms the preponderance of kids and “tweenagers” in these virtual worlds, even more so than I had imagined. Parents must be aware of their children’s interest in investing time in these universes, where all kinds of things are allowed and all kinds of propositions are offered. Here too, education, dialogue and vigilance must be favoured.

The S.P.A.M Experiment Final Report

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. The instructions were simple: go everywhere we have told you not to go, and click everything we have told you not to click. We then studied the daily blogs and analyzed the spam itself, and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users into parting with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’:

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants’ experiences, go here, and make sure you download the ‘Global Spam Diaries’ as well.

Nuwar Back to War Games

Just when you were wondering what the Storm worm authors could come up with next after using a 4th of July theme as bait for their last spam run, Nuwar has now resorted to a war theme. The authors have cleverly chosen to exploit the escalating political tensions in the Middle East between Iran and the United States, over Iran’s threat to attack Israel in response to any military action against its nuclear facilities. Some of the subjects observed in today’s spam are:

The beginning of The World War III
US Army crossed Iran’s borders
US Army invaded Iran
US soldiers occupied Iran
USA attacked Iran
USA declares war on Iran
USA unleashed war on Iran
War between USA & Iran

This is not the first time Nuwar has used a war theme. Incidentally, McAfee christened the Storm worm “Nuwar” because it used the sensational war theme “Nuclear WAR in USA!” when it first appeared. Since then the authors of Nuwar have used and re-used morbid and shocking themes religiously with every new spam run. These themes sometimes get repeated when that time of the year approaches, and this one is no different. War themes have been seen in previous Storm worm campaigns dating back to Nov 2006 and Apr 2007.

Storm Worm Bait Page

Unsuspecting users who follow the link in the spammed email are directed to a Storm bait page hosting a video that purportedly shows the first minutes of World War III. Except that clicking the video would download “iran_occupation.exe”. And in case a user wanted to know about the advertised Patriots and Veterans Programs, they would end up downloading “Form.exe”. Both files are detected as W32/Nuwar@MM with McAfee’s latest beta DATs.

The Storm bait pages are currently being hosted on the following fast-flux domains.

dailydotnews[.]com
dotdailynews[.]com
morenewsonline[.]com
newsworldnow[.]com
statenewsworld[.]com

The above-mentioned domain names have been sanitized in the blog, and readers are strongly advised not to attempt to visit them, as they host a cocktail of exploits that attempt to infect a visiting machine. This information is provided so that administrators can take proactive measures and block access to the rogue domains.

Vulnerabilities in AV software

A recent ZDNet blog discusses a large number of vulnerabilities that German research team N.Runs says it found in antimalware products from nearly every vendor. The ZDNet posting includes scary graphs to frighten users of security products. We examined the N.Runs claims by analyzing the raw data and found them to be somewhat exaggerated. We discuss our findings in the attached document and have also made our source data available for anyone who wishes to examine it.

First, N.Runs has indeed found many vulnerabilities, and they deserve credit for that. We have worked with the N.Runs team in the past and have found them to be very responsible and intelligent researchers. We don’t want to attack the legitimacy of the vulnerabilities they found, but we do call into question the conclusions drawn about what this means for the state of security.

Due to the amount of information required to examine the ZDNet and N.Runs claims in depth, we felt it better to provide the entire blog entry in PDF format. Please see the attached document for much more detail on the subject.

Full Article (in PDF Format)

Source Data (in excel format)

Are Internet cafes and bars in danger?

Recently, a piece of malware named MachineDog attracted attention within the Chinese security community. The malware itself appears to be a well designed tiny rootkit, quite different from other malware. One special characteristic is that it is designed to penetrate the hard disk protection software as well as the security software installed in most internet bars and cafes. This means it can infect most machines in many internet bars and cafes, in some cases without much resistance.

The malware is composed of a user-mode application part and a kernel driver part. The application part does limited work: it extracts the driver, installs it as a service, and then communicates with the driver via I/O control codes. The earlier version of the application part did the infection work itself by sending IRPs to the lower disk driver device (\Device\Harddisk\DR0) to locate userinit.exe and write to it on the hard disk directly. In later versions, the infection routine was improved and moved into the driver itself, leaving the application part tiny and simple.

The driver does the most important work: the infection that was earlier implemented in the application part. Its infection method is quite special and interesting, and it can bypass and penetrate many hard disk protection products and some security software. First it reads the atapi.sys driver file from the hard disk and searches that driver’s body for the dispatch routine addresses, in order to bypass any existing dispatch routines that carry inline hooks. Why choose atapi.sys? Because the device created by atapi.sys is the last device in every device stack an IRP passes through; it is where the IRP ends. Sending IRPs to this device avoids all the filter devices and inline hooks in any upper device, which is exactly what some security and protection software rely on. The malware then sends IRPs to the partition device dispatch routines in the atapi driver to read and write data directly on the hard disk. It first reads data to locate the sectors in which userinit.exe resides, so that it knows where to infect. It then writes its injected code to the hard disk the same way, modifying userinit.exe at that point. Finally, it keeps removing any inline hooks on the atapi devices until it receives the close command from the application part.

Most internet bars and cafes rely excessively on hard disk protection software, and mistakenly believe that this type of software can replace security software. Once their machines are infected, the administrator simply restores from the backups made by the protection software. This malware takes advantage of that neglect. The attack is so dangerous that once the driver is successfully loaded into the kernel, most hard disk protection software becomes nothing but an empty shell, with the administrator still having no idea!

McAfee customers are protected from the threat by DAT 5337.

Reference:

http://article.pchome.net/content-515951.html

http://tech.ccidnet.com/art/1099/20080709/1501723_1.html

http://www.xj.xinhuanet.com/2008-06/20/content_13599327.htm

Ever put your CV on a job site?

Recent phishing attempts have been targeting some popular social networking and job websites, such as facebook.com and monster.com. Because of the amount of personal and sensitive information saved there, these sites are very valuable to phishers. This data could be used to further target, or spear phish, individual victims by name and even by work interests.

We have seen phishing attacks targeting careerbuilder.com in the past. The latest target is another big recruitment site, monster.com. Just like typical financial phishing emails, the Monster phishing emails have subjects containing imperatives such as “Monster customer service: important notice” or “Monster customer service: please confirm your data!”

But please do not be fooled! These are not from Monster at all!!

monster.com phishing site

The phishing site appears to be hosted on a newly registered UK domain, with DNS resolving to a bot in Turkey. We can see from this phishing site that the phisher is mainly targeting recruiters for their logins and passwords. This would enable them to access hundreds or even thousands of job seekers’ CVs, which often contain a gold mine of sensitive data. Other elements of the recruiter’s account could be useful to them as well.

The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!

Do you know cloaking?

Last week, a friend working at the French CERT-IST alerted me to some web sites that did not display the same content when reached directly as when reached via a Google search, even though the visible URL was the same. Let me explain…

When accessed directly, we arrive at the normal (or official) page, but when we get there via a Google search, we land on a fake blog page proposing alternative and even malicious choices and links. This technique is commonly called cloaking. Its goal is to vary the content of a web page depending on visitor parameters or browser history.

Let me first give you an example. Using IE, I type an affected URL into the address bar and reach the site directly:

Using Google, I search for the same site:

I then follow the link and… surprise! I arrive on a fake blog page named after the site I searched for, but it is not the expected one; it is a rogue advertising page.

If I wait on the page for a few minutes without browsing any of the proposed links, the normal web page is then displayed in place of the fake one. But if I choose any of these links, I am taken to some very suspicious advertising sites.

To achieve this deception, the main page contains a single instruction line that launches a malicious JavaScript containing a long unescape sequence.

When decoded (today, for this job, I used the facilities offered at http://scriptasylum.com/tutorials/encdec/encode-decode.html), I discovered the link leading to the other “recipes” of this attack, in an obscure subdirectory.
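Decoding such a sequence offline is straightforward. The following is an added example (not the author’s code or the tool named above): a decoder for JavaScript-style `unescape()` strings that also pulls out any URLs the decoded markup points to, run over a constructed sample page. The 100-character threshold is an assumed cut-off for “long”, and example.invalid is a reserved placeholder host.

```python
import re

# JavaScript unescape() escapes: %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte.
_JS_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# A string literal passed straight to unescape('...') or unescape("...").
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# src= / href= attribute values inside the decoded markup.
_URL_ATTR = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed page: one long escape hiding an iframe to an "obscure subdirectory"
# (example.invalid is a reserved placeholder), plus a short, harmless %u sequence.
SAMPLE_PAGE = (
    "<html><body><p>Welcome</p>\n"
    "<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22"
    "%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64"
    "%2F%73%75%62%2F%69%6E%64%65%78%2E%70%68%70%22%3E'))</script>\n"
    '<script>document.write(unescape("%u003C%u0062%u003E"))</script>\n'
    "</body></html>\n"
)


def js_unescape(text: str) -> str:
    """Decode %XX and %uXXXX escapes exactly as JavaScript's unescape() would."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def analyze_page(html: str, long_threshold: int = 100) -> list:
    """Decode every unescape('...') literal in the page and report what it hides.

    long_threshold (an assumed cut-off) flags escape strings long enough to be
    hiding markup rather than a character or two.
    """
    findings = []
    for m in _UNESCAPE_CALL.finditer(html):
        encoded = m.group(2)
        decoded = js_unescape(encoded)
        findings.append({
            "encoded_length": len(encoded),
            "suspicious": len(encoded) >= long_threshold,
            "decoded": decoded,
            "urls": _URL_ATTR.findall(decoded),
        })
    return findings


if __name__ == "__main__":
    for f in analyze_page(SAMPLE_PAGE):
        print(f["suspicious"], f["decoded"], f["urls"])
```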

Using Google, I found that this file architecture was not unique. Today more than 80 sites are affected by this attack; luckily, these malicious files are detected by McAfee as Exploit-PHPBB.b.

It seems this attack benefits people who are paid through “pay per click” and/or the people behind rogue software such as fake anti-virus products or “naughty encounters” sites. For sure, it is a profitable business!

As early as 2006, the IP addresses revealed by Fiddler were flagged as suspicious. Two years later, they are still alive and still hosted at Global Net Access, LLC and ISPrime Inc, two American companies.

Various URLs visible in the Fiddler web session contain affiliate IDs. Calls to findwhat.com suggest that MIVA, the pay-per-click search engine company, is involved in this story. As each new page loads, this server records the affiliate ID, which is what allows the affiliate to get paid for each click. Consequently, it should be easy to unmask them!

At this point we can say that nobody seems in a hurry to stop this cloaking party. It looks like many people do well out of it!

Pay Attention to 3rd-Party Software

The need to pay attention to security never goes away. Fortunately, operating system vendors continue to improve their platforms, and they have made great progress in security. Traditional stack or heap overflows have become more difficult to exploit. However, we cannot become complacent, because it’s clear that hackers have shifted their attention to third-party software. Some popular applications have become targets for viruses and Trojans. Just recently, many vulnerabilities were found and exploited in several popular programs: RealPlayer (CVE-2007-5601), Yahoo Messenger (CVE-2007-5017), Adobe Acrobat Reader (CVE-2008-2641), and Flash Player (CVE-2007-0071). All of these were found to have remote code-execution vulnerabilities, and actual exploits can be found on the Internet. So although the majority of users have installed the latest operating-system patches, they are still at risk of being attacked via third-party vulnerabilities.

A few days ago, I witnessed an actual exploit at a friend’s home. He was running Microsoft Windows Vista, and the attack targeted RealPlayer. His mistake was that he had disabled Vista’s User Account Control (UAC) because he did not like the alerts. So he got no warning prompts, except for a message box saying that RealPlayer would close, before the malicious code ran. I then saw many cmd.exe and other suspicious processes start. Windows Vista has the best security so far in the Windows family; nonetheless, all of this happened.

Watching this attack made me think of enterprise security. Businesses cannot pay attention only to operating system vulnerabilities; they need to pay attention to third-party software as well. Currently, security in third-party software is no better than that in operating systems. So the best practice I can recommend is to use risk and compliance software to scan for and find third-party software that doesn’t match enterprise policy. The final step is to update or remove those applications.