Archive for the 'Malware Research' Category

Vietnamese add-on for Firefox serves W32/Fujacks!htm virus

Mozilla came out with an advisory yesterday warning users of compromised files in the Vietnamese language pack for Firefox 2. This was not the work of a malicious hacker or intentional booby-trapping of the files by the author but the result of a careless internal virus infection.

The author of the add-on was accidentally infected, and every help file (*.xhtml) in the Vietnamese language pack for Firefox was modified by the virus, which appended a script to each one. Any user who installed this language pack would have had malicious ads displayed in their browser and could potentially have been infected with other exploits.

The script linked to hxxp://js.k0102.com/[Removed].asp (currently offline), a remote website based in China. The offending script has since been removed from the compromised help pages by the Mozilla developers.

According to Mozilla’s blog, anyone who downloaded the most recent Vietnamese language pack for Firefox 2 since February 18, 2008 could have received an infected copy. The exact number of compromised downloads cannot be ascertained, but since this affected only users who downloaded the Vietnamese language pack, the numbers could be limited.

When contacted, the Mozilla developers were quick to respond and provided us a copy of the compromised files.

McAfee users are pro-actively protected against this threat. The malicious HTML pages were already detected as the W32/Fujacks!htm virus with the 5174 DAT files, released way back on 29th November 2007. :-)

Yet Even More Fake Media Files

Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as Gnutella, used by Limewire.  I took some time to create a video clip showing what the infection process looks like.  In doing so, hundreds of additional media files were uncovered.  Most lead to the aforementioned site, freemp3player.com, but others lead to different sites distributing adware, and others still pose as codec installers that, when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While the demo below shows that users must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser).  Not all media players support this functionality.

Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee.  Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days.  However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

Fake MP3s Running Rampant

Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago.  Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone.  Now, Downloader-UA.h is not your everyday trojan: this detection covers fake music and video files associated with fastmp3player.com.

When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe.  In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

Here are some of the sample names that we’ve seen.  Many, many other file names are surely floating around on P2P networks.  File sizes vary as these files are padded with nulls.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3
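An added checker, not McAfee's code, for the kind of file listed above: the May 7 update explains that these "MP3" and "MPG" files are really ASF containers that tell the media player to open a URL, and that they are padded with nulls so that sizes vary. The script sniffs the real container from the leading bytes, compares it with the extension, measures trailing null padding, and pulls out the UTF-16LE URL an ASF script command carries. The sample bytes (including the URL fake-site.example) are constructed for the demonstration.

```python
"""Sniff the real container of a downloaded "media" file.

Added example, not McAfee's code. The fake MP3/MPG files described in the post
are ASF containers that redirect Windows Media Player to a URL and are padded
with null bytes. This checker compares the header with the extension, measures
the trailing null padding and extracts any UTF-16LE URL. All samples are constructed.
"""
import os

# ASF_Header_Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C as it appears on disk
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def sniff_container(data: bytes) -> str:
    """Return the container type implied by the leading bytes, not the extension."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"                      # MP3 with an ID3v2 tag
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                      # raw MPEG audio frame sync
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpeg"                     # MPEG program stream / video sequence header
    return "unknown"


def trailing_null_ratio(data: bytes) -> float:
    """Fraction of the file that is null padding at the end."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)


def find_utf16_urls(data: bytes) -> list:
    """ASF stores strings as UTF-16LE; collect printable runs that start with 'http'."""
    marker = "http".encode("utf-16-le")
    urls, pos = [], 0
    while (i := data.find(marker, pos)) >= 0:
        j = i
        while j + 1 < len(data) and data[j + 1] == 0 and 0x21 <= data[j] <= 0x7E:
            j += 2
        urls.append(data[i:j].decode("utf-16-le"))
        pos = j
    return urls


def assess(filename: str, data: bytes) -> dict:
    """Flag files whose header contradicts the extension or that are mostly padding."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    expected = {"mp3": "mp3", "mpg": "mpeg", "mpeg": "mpeg"}.get(ext)
    container = sniff_container(data)
    nulls = trailing_null_ratio(data)
    mismatch = expected is not None and container != expected
    return {
        "file": filename,
        "container": container,
        "trailing_null_ratio": round(nulls, 3),
        "urls": find_utf16_urls(data) if container == "asf" else [],
        # an ASF body under a music/video extension is exactly the pattern in the post
        "suspicious": mismatch and (container == "asf" or nulls > 0.5),
    }


# Constructed samples: a fake "MP3" that is really ASF with an embedded URL and
# 4000 bytes of null padding, and a genuine-looking MP3 with an ID3v2 header.
FAKE_MP3 = (ASF_HEADER_GUID + b"\x00" * 8
            + "http://fake-site.example/PLAY_MP3.exe".encode("utf-16-le")
            + b"\x00\x00" + b"\x00" * 4000)
REAL_MP3 = b"ID3\x03\x00" + b"\x00" * 6 + b"\xff\xfb\x90\x00" + bytes(range(256)) * 2

if __name__ == "__main__":
    for name, blob in [("preview-t-3545425-theme godfather.mp3", FAKE_MP3), ("song.mp3", REAL_MP3)]:
        print(assess(name, blob))
```

Matching on the ASF header GUID rather than the extension is what makes the check robust against renamed files; the null-padding ratio is a secondary signal, since a legitimate media file is almost never mostly zeros at the end.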

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files)  a 4,800 word EULA is displayed. 

Notable parts of the EULA include:

(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:

PRODUCT Mirar AND EULA http://policy.getmirar.com/

And my favorite:

22. Effective: January 14, 2007.

END OF DOCUMENT

NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.

Does END OF DOCUMENT mean you can ignore the rest?  Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!

If you agree to the EULA and choose to proceed, the adware “FBrowsingAdvisor” and “SurfingEnhancer” are installed as described in the EULA.  I especially like the directory name used by the developer:

c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb

If Firefox is not installed users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player.  This page lets the user listen to a canned selection of a couple dozen songs.

In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.

CARO Workshop is over…

… well, it was over already on Saturday, but I’ve been busy analyzing malware and have not had the time to write this post earlier ;)

Friday’s presentations showed the same quality as those presented during the first day of the conference. The day opened with a couple of interesting talks on how to de-obfuscate scripts: this is actually a rather interesting topic, as scripts are increasingly becoming the way in which machines get initially infected, for example when browsing the web. Several analysis techniques and tools were presented to effectively decode script code that could otherwise turn into a researcher’s nightmare.

Then we had an interesting presentation from team members of AV-Team.org, in which they presented the results they obtained while trying to test performances of AV engines while scanning packed or protected code and while taking into consideration several factors, like the capabilities of some engines to use generic unpacking techniques and what happens when blacklisting certain packers.

Blacklisting of packers was also the topic of two other presentations, showing how “hot” this topic is. A presentation from Avert Labs’ own Gaith Taha stepped into the difficult field of trying to create a methodology for estimating the risk associated with packer blacklisting and generic detection.

Next, Sophos’ Boris Lau presented his work on dealing with virtualizing packers, which use virtual machines to make code analysis complex and tiresome. The presented work was excellent, showing how to apply techniques usually associated with compiler science to help in the difficult fight against these complex protectors.

To close the day, Avert’s Geok Meng Ong presented his work about a different kind of obfuscation, the one that comes from a closed or partially documented file format, accompanying his speech with several case studies.

Looking back at the past days in Amsterdam, I can truly say that it has been a really nice experience, a chance to meet great people and discuss some very interesting topics with them… Thanks for the great time guys!!

Now, back to malware analysis ;)
Signing off…

Update from CARO 2nd Workshop

Hello again, Paolo here. Yesterday afternoon the presentations moved to a more practical level, and the topics that were discussed were definitely interesting.

We started this afternoon’s session with “Hump and Dump”, an interesting study about the possibilities of Original Entry Point (OEP) discovery using a statistical technique based on histograms. Retrieving the OEP of a packed application is important for several reasons, one of which is that its execution usually marks the end of the unpacking process: the original binary, previously invisible under the wrapper of the protector/packer/obfuscator, is now available in its rebuilt state. Although the work presented by the authors was still somewhat in the early phases, it shows good ideas, and it may be that with some modifications it can become effective enough to be used in research tools and Anti-Malware scanning engines.

A room with a view

In the following presentation Mario A. López explained to the audience how he and his coworkers at Frisk did approach some complex problems related to unpacking in their own scanning engine but I won’t go deeper as this information is probably not intended for people not directly in the industry.

Next Robert Neumann from VirusBuster presented a nice set of specific unpacking strategies to quickly unpack simple, not-so-simple and even complex packers and protectors - thanks for sharing Robert!

The last presentation was from Ilfak Guilfanov, the author of IDA Pro and Hex-Rays, well known in the security industry for being the developer of the unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system back in December 2005. In his presentation Ilfak showed us a few tricks to use within IDA to approach obfuscated code, including one for a problem that researchers face when analyzing complex protector code.

I am very eager to see today’s presentations including the ones coming from McAfee Avert Labs researchers - Gaith Taha and Geok Meng Ong!

Stay tuned for the next update!!! :)

Greetings from Amsterdam…

…and from the Crowne plaza hotel - home of the 2nd CARO workshop on “Packers, Decryptors and Obfuscators”.

Welcome to CARO 2nd workshop

As you may know, nowadays malware mostly comes in a packed form, in order to thwart Anti-Malware and security products. For this reason it is of great importance to be able to develop technologies that are able to “see through” these executable wrappers and detect the underlying malware in a smart way.

Easy to say - less easy to do. And this is the reason for which this workshop is really interesting :)

After attending this morning’s part of the workshop I have to say that the presented content has been really excellent - and technical too. Starting from the keynote speech through all the others thus far I’ve been struck by the depth of the information shared. I found Kurt Natvig’s presentation especially interesting as it covered the difficulties emulators face when dealing with modern malware - good job, Kurt!

Hopefully the presentations will be made available online too, so I definitely advise anyone interested to monitor the CARO workshop website!

I need to go now as the afternoon’s presentations are starting! Talk to you later! :)

Race to Zero, what?

There’s been considerable stink lately about the Race to Zero contest that is to be held at Defcon. I, for one, am a bit perplexed by this. This article from ZDNet Australia is what finally made my eyes cross in confusion/aggravation.

I don’t know at what point the collective “wisdom” became that signature-based AV was ever intended to be about defending against every threat ever devised, before it was ever devised. Signature-based scanners are intended to detect and clean known threats. If you modify a known threat, it’s not really “known” anymore, is it? Now it’s a variant of a known threat.

It’s certainly desirable to have protection against all threats, known and not-yet-known. This is what things like firewalls, Intrusion Prevention Systems, Data Leakage Prevention and all those other wonderful security products are intended to do, in concert with AV. Most AV software now also includes proactive static detection like Generic and Heuristic detection, along with more dynamic detection like emulation or behavioral detection. Many AV programs now also include broader security functionality like a firewall or IPS.

Generic and Heuristic detection is certainly better at picking up unknown threats than simple signature-based scanning, but there are three things that limit it. For one, it’s still reactive, basing detection on known bad techniques. Secondly, it’s static - obfuscation can still muck up the detection, if it causes the file to deviate from the known bad technique. Finally, there’s still a need for these detections not to be false-prone. Heuristics and generics essentially cover known “really, really bad” techniques. The threshold of badness must be quite high to make it into AV products. Consider how many commercial products and widely used administration tools blur those lines, and you may come to appreciate what a very fine line it is.

It’s not clear from what I’ve seen whether the contest’s judges intend to use the most paranoid settings available within the various products, but their description does seem to indicate they’ll only use the static detection, rather than running it real-time through the products. This does not accomplish a full testing of the products capability, it only tests one component. The results they get will not be what an average user will get.

The contest organizers and participants are playing with fire in order to prove what we already know: Signature-based scanners are meant to protect against known threats. That doesn’t mean that AV is dead, or that it’s useless. The industry is evolving, and its products with it. AV is intended to be one tool in a complete security arsenal. Defense in depth is where it’s at, if you’re really looking to protect your network.

Mailbot.f (a.k.a “Kraken”) gets stealthier - Update

Over the past week, Mailbot.f (a.k.a. “Kraken”) was thoroughly studied and reverse engineered by various security researchers. As mentioned in my previous blog, we focused mainly on the network behavior of the bot and observed a few interesting things.

After the bot installs on a victim machine, it attempts to contact mx.google.com via TCP destination port 25 (SMTP) 3 times. This looks to be a network connectivity test by the bot. If this test fails, the bot does not send out any spam at a later stage. (Note that the bot does not use mx.google.com to spam). Next, the bot downloads the front page of 3 different popular web sites (mostly news sites), such as nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com, google.com, etc. We have not observed the use of these web pages in the spam sent out by this bot, however.

[Image: kraken-smtp-news-image]

The bot then tries to find its peers and communicates with them. If it is an older version of the bot, it uses UDP destination port 447 to communicate with the peers, sending information such as the bot version, outgoing smtp connectivity status and other machine specific information such as hostname, operating system, uptime, language, CPU specs, memory information etc. It also communicates the current modules and their versions. The older version of the bot then downloads an update from its peers by connecting on TCP destination port 447. We have observed that this update is around 100 to 200 kbytes. The bot then updates itself.

[Image: kraken-old-new-update-image]

The new version of the bot (or updated bot from the previous step) contacts its peers using UDP on random destination ports and sends similar information as in the previous step. It then connects to one of the peers to update its modules using TCP destination port 80. If the peer is available on port 80, the bot communicates using HTTP POST messages and receives the updates from its peers.

[Image: kraken-http-update-image]

In the case when the peer is not available on TCP port 80, the bot communicates on TCP destination port 443 to download the module updates. Though it communicates using TCP port 443, the data is not SSL.

[Image: kraken-https-update-image]

The bot then downloads other modules from its peers, such as spam template, spam payload, and mx server addresses, etc. With this information it starts sending out spam email. After sending out a batch of spam, it downloads further updates and sends out spam again.

We made the above observations after looking at a number of Mailbot.f samples. Most of these samples were either v315 or v316 (as derived from the bot client registration packet). All of the command & control (c&c) communication is encrypted, and we were able to decode some of it using the Wireshark plugin referenced by the mnin security blog. Since the bot can be updated at will by the bot author, any of these observations may change at any time.

Given that the bot uses

  • encrypted data
  • random UDP destination ports with random size packet payloads
  • legitimate HTTP protocol on TCP destination port 80
  • communication on TCP destination port 443

its c&c communication is very stealthy and difficult to detect. Although the bot is currently being used to send spam email, the stealthy c&c communication and the update infrastructure already in-place can pose a greater threat if used for more devastating purposes.

Security Myths

There have been a couple of threads lately, one on LifeHacker, one on Ask Metafilter, about whether it’s necessary to use anti-virus software. The comments in both are a very clear indication on how far we have to go in educating users on the real danger of malware. It would appear the average user is operating under assumptions that might have been true 8 years ago. Now, it’s just a recipe for disaster.

The erroneous assumptions are that:

1) Viruses are noisy/easily visible and
2) Viruses are caused by actively bad behavior

To quote What the Geek from the LifeHacker thread,


    I have a business client whose website was giving people a trojan for a while because it got hacked - and guess what? if you didn’t have an AV running, you’d never know that it happened. It would just sit on your computer sending your data off to who knows where silently. Just because it doesn’t give you a big skull and crossbones on the screen doesn’t mean it isn’t there.

This really sums up the situation for me - an innocent user was hacked, and might never have known it, as it was silent. It’s like the difference between the demos we give of an “average scary virus” now versus the ones we gave 10 years ago. Back then, the demos were all skulls and message-boxes and file corruption and deletion. Very spooky, very visual and very loud. Now the scary demos are effectively silent. The malware can come in without any user interaction, and you’d never know it was there without specific tools to show you what changes it’s making behind-the-scenes. Off goes your credit card number and your private documents, without you being the wiser.

And this is not something that just happens in the “bad parts” of the internet. Think of the most innocuous content on the internet. Pictures of cute and fluffy animals would certainly qualify, right? At the end of last year, CuteOverload fell victim to a hacking that delivered trojans to its unsuspecting readers. And major sites are supposed to be safe, right? How about the Superbowl website hack from the beginning of last year?

One point that I think needs bringing up specifically is the question of whether to use “on-access” scanning, or if “on-demand” is enough. As Dwroth succinctly put it in the LifeHacker thread:


    All time (active protection) = good for the public, but overkill for the geek.

Turning off on-access scanning has never been a great idea, but now it could be a catastrophically bad idea. We’ve already discussed how one’s level of geekiness does not figure into one’s susceptibility to viruses which don’t require human interaction. Personally, if there’s a virus trying to get onto my computer, I’d really rather find out immediately before any changes could be made to my system rather than some time tomorrow or later this week.

A few minutes is plenty of time for malware to transmit my most sensitive data, why give it hours?

Password stealing trojan with dash of FTP and a hint of parasite

Cleartext protocols such as FTP or SMTP are unsafe. Anyone on the subnet can easily collect login usernames and passwords just by sniffing the network traffic. Even switched networks can be attacked to redirect traffic and gather credentials as simply as on a hub-based network. However, FTP is still widely used and often the only protocol provided by hosting providers, and it’s for this reason we weren’t so surprised to come across PWS-FerTP – a piece of malware that takes advantage of this situation, collecting FTP credentials and infecting FTP repositories.

To slow down analysis, PWS-FerTP includes some (very simple) anti-debugging tricks and the VMware detection functionality shown below. It is not very stealthy though, utilizing some well-known VMware internal mechanisms used mainly by VMware Tools to communicate with the host system.

PWS-FerTP bypasses the Windows Firewall (by modifying the registry) and starts to look for three widely used client applications providing FTP support (FAR Manager, CuteFTP and Total Commander). Indeed, these applications unfortunately use weak encryption to save FTP passwords, while other details such as logins and IP addresses are stored in the clear.

In an attempt to gather more FTP credentials, PWS-FerTP switches the first network adapter found on the system to promiscuous mode via the ioctlsocket API call, allowing for a disabling of MAC filtering and thus sniffing all FTP account details passing by the current subnet.

PWS-FerTP sends all gathered credentials within specially crafted HTTP requests to a remote web server.

But PWS-FerTP is more than a password stealer – a quick string search reveals some interesting blocks of obfuscated Javascript as well:

Once decoded, the aim of this script becomes much clearer: it redirects the user’s browser via an IFRAME HTML tag pointing to a malicious website.

In fact, PWS-FerTP connects to each previously gathered FTP account and looks for files whose names belong to this list:
- index.htm
- main.htm
- default.htm
- index.php
- main.php
- default.php

When such a file is found, PWS-FerTP retrieves it locally, injects the Javascript code shown above, and puts the file back into the FTP repository.
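An added integrity scanner, not McAfee's or Mozilla's code, that a site owner or package maintainer could run over a web root or language-pack tree to spot both injection patterns on this page: the Fujacks case earlier on this page, where every *.xhtml help file had a script tag appended that pulls from a remote host, and the PWS-FerTP case here, where index/main/default .htm/.php files receive an obfuscated document.write(unescape(...)) block that writes a hidden IFRAME. It flags external script sources, hidden iframes and escaped payloads (decoding percent-encoded runs once and re-inspecting them), and optionally compares each file's SHA-256 against a baseline. The page contents, the hosts help.example, bad-host.example and js.bad-host.example, and the file names are constructed for the demo.

```python
"""Scan a web root or help-page tree for injected script and iframe content.

Added example, not McAfee's or Mozilla's code. Covers appended remote <script>
tags (the Fujacks language-pack case) and obfuscated hidden-IFRAME writes in
index/main/default pages (the PWS-FerTP case). All sample content is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlparse

TARGET_NAMES = {"index.htm", "main.htm", "default.htm", "index.php", "main.php", "default.php"}
TARGET_SUFFIXES = {".xhtml"}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?(?P<src>[^'\" >]+)", re.I)
IFRAME_TAG = re.compile(r"<iframe[^>]*>", re.I)
HIDDEN_ATTR = re.compile(r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(r"(?:document\.write|eval)\s*\(\s*unescape\s*\(", re.I)
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}")        # long percent-encoded payloads


def is_target(path: Path) -> bool:
    """The file names PWS-FerTP rewrites, plus the *.xhtml help files Fujacks touched."""
    return path.name.lower() in TARGET_NAMES or path.suffix.lower() in TARGET_SUFFIXES


def external_host(src: str, own_hosts) -> Optional[str]:
    """Host of a script URL when it is not one of the site's own hosts."""
    host = urlparse(src).netloc.lower().split(":")[0]
    return host if host and host not in own_hosts else None


def inspect_html(text: str, own_hosts=(), depth: int = 0) -> list:
    """List suspicious constructs; percent-encoded runs are decoded and re-inspected once."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = external_host(m.group("src"), own_hosts)
        if host:
            findings.append(f"external script from {host}")
    for m in IFRAME_TAG.finditer(text):
        if HIDDEN_ATTR.search(m.group(0)):
            findings.append("hidden iframe: " + m.group(0)[:80])
    if OBFUSCATION.search(text):
        findings.append("obfuscated write/eval of unescape()")
    if depth == 0:
        for m in PCT_RUN.finditer(text):
            findings += ["decoded: " + f for f in inspect_html(unquote(m.group(0)), own_hosts, 1)]
    return findings


def scan_tree(root: str, own_hosts=(), baseline: Optional[dict] = None) -> dict:
    """Inspect every target file under root; with a baseline of sha256 digests, also report changes."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not is_target(path):
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        findings = inspect_html(data.decode("utf-8", "replace"), own_hosts)
        if baseline is not None and baseline.get(rel) != hashlib.sha256(data).hexdigest():
            findings.insert(0, "content differs from baseline")
        results[rel] = findings
    return results


# Constructed page contents: a clean help page, the same page with an appended
# remote script (Fujacks style) and a site index with an escaped hidden IFRAME (FerTP style).
CLEAN = "<html><body><h1>Help</h1><script src='/js/help.js'></script></body></html>\n"
FUJACKS_STYLE = CLEAN + '<script src="http://js.bad-host.example/x.asp"></script>\n'
HIDDEN_IFRAME = '<iframe src="http://bad-host.example/" width=0 height=0></iframe>'
FERTP_STYLE = CLEAN + "<script>document.write(unescape('%s'))</script>\n" % "".join(
    "%%%02X" % b for b in HIDDEN_IFRAME.encode())


def demo() -> dict:
    """Write the constructed samples into a temporary tree and scan it."""
    root = tempfile.mkdtemp()
    files = {"index.htm": FERTP_STYLE, "main.php": CLEAN,
             "about.htm": FUJACKS_STYLE, "help/about.xhtml": FUJACKS_STYLE}
    for rel, text in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    baseline = {"main.php": hashlib.sha256(CLEAN.encode()).hexdigest()}   # only main.php is known-good
    return scan_tree(root, own_hosts=("help.example",), baseline=baseline)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(rel, findings or "clean")
```

The baseline comparison is the part worth keeping in production: regex matches catch the two patterns described on this page, but a digest mismatch on a file that nobody intentionally changed catches whatever the next variant injects.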

Another good reason to follow well-known best practices: avoid using cleartext protocols and use applications providing strong encryption, like KeePass, to store your credentials.

CNN: Another Target in Information Warfare?

I was not at all surprised when I first saw the Trojan named anticnn.exe, because I’ve followed recent events between China and the Western media. I am not going to offer any political comments on the conflict between these parties; however, the appearance of this malware well illustrates how information warfare works and further proves that this kind of nonmilitary, nongovernmental battle has become an increasingly common phenomenon.

The Chinese “hacktivists” obviously have no intention of hiding their origins. The file has the flag of the People’s Republic of China as its icon. Upon execution, the red flag is displayed in the lower-right corner of the desktop. After a user clicks the flag, a window with a picture of Mao Zedong pops up with the message “It is a red flag action: using rational action to express your patriotism. That attack target is www.cnn.com.”

The file connects with www.cnn.com and keeps sending HTTP GET requests. The Chinese “hacktivists” seem to believe that as long as there are sufficient participants they will be able to succeed in their attack.

McAfee has detected this malware. I remain concerned, however, that anti-virus detection can prevent only those users who are unaware of the situation from getting involved in this event. Eventually this Trojan could be widely distributed via spam, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. This attack looks like it will be hard to stop if many “infected” users intend to get this tool and run it intentionally.

Just one day later, we came across another tool designed for the same purpose. The difference with this tool is that it does not have a hard-coded target address. Instead, it allows users to manually input a target’s IP address or DNS name, and TCP port. Obviously, the organizers do not wish to name their target too early. In the setup program’s readme file, it says the attacker will inform the target a half-hour before the attack will be launched. Another interesting point: The tool developer states in the readme file that the tool has no backdoor inside. That makes me ask, Should the average user trust the developer’s claims?

“You won’t know who to trust”

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:



Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by “detecting” bogus infections on the system and frightening the user into buying the rogue software in order to clean the fictitious malware that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use Responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To achieve this, techniques similar to those used in product marketing are often involved. Responsible browsing practices can include identifying when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature; however, being able to tell when these methods are utilized can sometimes help one know when to ask more questions about the motivation or intentions behind the tactic.

Do some quick research:
If something does flag one’s attention, it may be worth the effort to do some quick investigation. Use a well known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third party opinions or reviews. This may provide some additional counterpoints that help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!! ;)

Mailbot.f (a.k.a “Kraken”) gets stealthier

After the recent interest in Kraken bot by various communities, Gaurav Dalal, Denys Ma, and I have been observing the network behavior of the bot very closely.  About 2 weeks after the initial analysis from SANS, it seems like the bot author has seeded the bot with an update via TCP port 447. The updated bot now uses a stealthier command and control (c&c) mechanism that will evade previously proposed detections. The updated bot no longer uses UDP port 447 with 74 bytes of payload. After the bot updated itself, we observed that it uses UDP packets with random ports and also random packet payload lengths for its c&c communication. All of this c&c communication is encrypted. As a surprise, we also noticed that the updated bot now uses the well known HTTP protocol on TCP port 80 and 443 to send and receive encrypted c&c communication data. More interestingly, the communication on port 443 is encrypted but non-SSL. The process of the upgrade and also the c&c mechanism itself seems to be very interesting. We are continuing our research and will update this blog with more technical information soon.
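An added detection example, not McAfee's code, covering the behaviours this post and the more detailed update earlier on this page describe: the three SMTP connection attempts to mx.google.com, the pre-update UDP/447 beacon with a 74-byte payload, the updated beacons on random UDP ports with random payload sizes, and traffic to TCP/443 that is encrypted but not SSL/TLS. It scores flow records per source host; the Flow record format, the host addresses and the payload bytes are constructed stand-ins for what a network sensor would export.

```python
"""Flow-level heuristics for the Kraken/Mailbot.f traffic pattern described above.

Added example, not McAfee's code. Each source host is scored on the behaviours
the posts describe. Flow records are a constructed stand-in for sensor output.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str            # client IP
    dst: str            # server IP, or name as resolved by the sensor
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes      # first client-to-server payload bytes of the flow


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03, then ClientHello (0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01)


def score_host(flows: list) -> dict:
    """Return the Kraken-style findings for one source host."""
    findings = []

    # connectivity test: three attempts to mx.google.com on 25 before any spam is sent
    smtp_tests = [f for f in flows if f.proto == "tcp" and f.dport == 25 and f.dst == "mx.google.com"]
    if len(smtp_tests) >= 3:
        findings.append("smtp_connectivity_test")

    # pre-update C&C: UDP/447 with a 74-byte payload, the originally proposed signature
    if any(f.proto == "udp" and f.dport == 447 and len(f.payload) == 74 for f in flows):
        findings.append("udp447_74byte_beacon")

    # updated C&C: random high UDP ports and random payload sizes, all encrypted
    beacons = [f for f in flows if f.proto == "udp" and f.dport >= 1024]
    if len({f.dport for f in beacons}) >= 5 and len({len(f.payload) for f in beacons}) >= 5:
        findings.append("random_udp_beacons")

    # the 443 fallback channel is encrypted but carries no TLS handshake
    if any(f.proto == "tcp" and f.dport == 443 and f.payload
           and not looks_like_tls_client_hello(f.payload) for f in flows):
        findings.append("non_tls_on_443")

    return {"findings": findings, "score": len(findings)}


def analyse(flows: list) -> dict:
    """Group flows by source host and score each one."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {src: score_host(group) for src, group in by_src.items()}


TLS_HELLO = bytes.fromhex("160301009c0100009803036f")   # genuine ClientHello prefix
# Constructed flows: 10.0.0.5 behaves like an updated bot, 10.0.0.6 is an ordinary client.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "mx.google.com", "tcp", 25, b"") for _ in range(3)]
    + [Flow("10.0.0.5", "198.51.100.%d" % i, "udp", port, bytes(size))
       for i, (port, size) in enumerate([(38911, 61), (5123, 93), (61002, 140),
                                         (12877, 77), (49210, 210), (2301, 55)])]
    + [Flow("10.0.0.5", "198.51.100.9", "tcp", 443, bytes.fromhex("0a3f91c2e477"))]
    + [Flow("10.0.0.6", "192.0.2.53", "udp", 53, b"\x12\x34\x01\x00"),
       Flow("10.0.0.6", "192.0.2.80", "tcp", 443, TLS_HELLO),
       Flow("10.0.0.6", "192.0.2.80", "tcp", 80, b"GET / HTTP/1.1\r\n")]
)

if __name__ == "__main__":
    for host, result in analyse(SAMPLE_FLOWS).items():
        print(host, result)
```

No single finding is conclusive on its own (plenty of software opens UDP sockets on high ports), which is why the heuristics are combined into a per-host score rather than fired individually; the non-TLS-on-443 check is the cheapest to deploy on a sensor that already inspects the first packet of each flow.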

Good Offense Not the Best Anti-Virus Defense

There was an interesting article in InformationWeek this morning about a couple of security researchers who have presented the possibility of using offensive technologies to go after hackers. The most recent was Joel Eriksson from Bitsec, who presented at RSA last week about exploiting security holes in remote-access Trojans.

The article also brings up a five-year-old example of an earlier attempt at offensive technology to be used against hackers. In this case, Tom Liston created a tool called LaBrea (after the tar pits) that would ensnare computers which were being used to attack it either intentionally or due to worm infection.

There are plenty of people within the security industry who would like to be able to employ these tactics. The urge to take a pound of flesh for the late nights and weekends spent dealing with malware attacks is certainly understandable. But I know very few people in this industry who actually think it’s a sound idea, or worth the potential legal trouble.

Just as there are few locales where it is legal for you to shoot an intruder in your home, there are few locales where it is legal for you to attack those who intrude on your computer. Even in those locales where it is not illegal to attack an intruder, you must take into consideration the possible court costs. It’s highly likely the survivor (either the intruder or a family member) will sue you, and it will take some time with a lawyer to defend yourself against these charges. It’s entirely possible that a hacker or a worm-infected user would do likewise.

This is still assuming that your case was reasonably clear-cut, that it was genuinely a hacker or worm infection that was coming after you. It could just as easily be used as an alternate flavor of denial-of-service attack: spoof the traffic or exploit a machine for the purpose of making it a target.

The general computing population is not particularly knowledgeable about the inner workings of their machines; some say there should be licensing such as for driving a car. It’s my opinion that there would first have to be this sort of licensing, and then a permit akin to a “Concealed Carry Permit” before this could be considered a good idea.

The Internet is a scary enough place without adding even more unskilled attackers.

Counting the bots

As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.

In 2004 and 2005, bots were placed in a group of their own, separate from viruses and Trojans. Their names often ended with “bot” (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of distinct variants we had in our collections (the zoos) at the time, the statistics showed a constant increase.

We have noted since then that a lot of malware has a remote-control feature (i.e. it is a bot). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. Today much of this remotely controlled malware is known under various family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently our counting methods have to change.


On the Internet, various websites allow us to measure a different aspect of the threat.

For example, the Shadowserver web site shows a botnet count: a graph of all the active command and control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2,900 botnets today compared to 1,400 one year ago:

Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf’s talk at the World Economic Forum in Davos, Switzerland, and explained that his estimate of 100 to 150 million infected machines represented over 10% of the PCs connected to the Internet. At the same time, some sources estimated fewer than 10 million machines, while others said they identified nearly 250,000 new bots, or infected IPs, each day.

Various techniques can be used to track zombie machines. I will mention only a few, which gives me the opportunity to share some interesting links:

  1. Observing DNSBL queries
    The method is described in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from the legitimate DNSBL traffic of mail servers.
  2. Watching IRC traffic
    This is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for signatures matching known botnet commands.
  3. Checking Behavioural Characteristics
    As an example, researcher Stephane Racine showed that IRC bots are idle most of the time on a channel but respond faster than a human upon receiving a command.
  4. Searching for malware hashes on P2P networks
    With decentralized peer-to-peer botnets, compromised nodes can be identified by their retrieval of hashes known to be associated with the botnet. The College of Computing and Informatics at the University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot can either be run on an isolated network without a true Internet connection to observe the current hashes, or the hash-generation algorithm can be extracted from its binary to generate hash sets on the fly from the limited set of random integers and the current time.
  5. Watching attack traffic
    Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the number of compromised computers. Since January 2008, the Shadowserver graphs have shown a sharp increase in this area.
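Methods 2 and 3 combine naturally: look for a known bot command on the channel, then count how many nicks answer it within a second or two. The C program below is an added example, not code from any of the papers cited above. The channel log is constructed for the example, and the command verbs (.advscan, .ddos and so on) are assumed to resemble the dot-prefixed Sdbot/Gaobot command style mentioned earlier. A human takes longer than the window to read and reply, so every nick that answers inside it is a candidate bot; the window itself is a parameter to tune, and the last assertion in the usage shows what happens when it is too generous.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NICK_MAX 64

/* Constructed IRC channel log for the example, not a real capture. Format: "HH:MM:SS <nick> text". */
const char *IRC_LOG[] = {
    "02:14:07 <herder> hi all",
    "02:14:09 <alice> hello",
    "02:31:40 <herder> .advscan lsass 200 5 0 -r -s",
    "02:31:40 <[USA]x9f2a> [SCAN]: Random Port Scan started on 10.x.x.x:445",
    "02:31:40 <[DEU]q71c0> [SCAN]: Random Port Scan started on 10.x.x.x:445",
    "02:31:41 <[GBR]m4e11> [SCAN]: Random Port Scan started on 10.x.x.x:445",
    "02:31:52 <alice> what is that?",
};
const size_t IRC_LOG_LEN = sizeof IRC_LOG / sizeof IRC_LOG[0];

/* Assumed command verbs, modelled on the dot-prefixed Sdbot/Gaobot command style. */
static const char *BOT_COMMANDS[] = { ".advscan", ".ddos", ".download", ".update", ".login", NULL };

/* Split "HH:MM:SS <nick> text" into seconds-of-day, nick and text. */
static int parse_line(const char *line, int *secs, char nick[NICK_MAX], const char **text)
{
    int h, m, s, off = 0;
    if (sscanf(line, "%2d:%2d:%2d <%63[^>]> %n", &h, &m, &s, nick, &off) != 4 || off == 0)
        return 0;
    *secs = h * 3600 + m * 60 + s;
    *text = line + off;
    return 1;
}

static int is_bot_command(const char *text)
{
    for (const char **c = BOT_COMMANDS; *c; c++)
        if (strncmp(text, *c, strlen(*c)) == 0)
            return 1;
    return 0;
}

/* Method 2 + method 3: find a known bot command on the channel, then count the distinct
 * nicks (other than the sender) that answer within `window` seconds. Nicks are written to
 * `out`, at most max_out of them; the log is assumed to be in time order. */
size_t count_fast_responders(const char **log, size_t n, int window,
                             char out[][NICK_MAX], size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int t0;
        char sender[NICK_MAX];
        const char *text;
        if (!parse_line(log[i], &t0, sender, &text) || !is_bot_command(text))
            continue;
        for (size_t j = i + 1; j < n; j++) {
            int t;
            char nick[NICK_MAX];
            const char *reply;
            if (!parse_line(log[j], &t, nick, &reply))
                continue;
            if (t - t0 > window)
                break;                               /* past the window: stop scanning */
            if (strcmp(nick, sender) == 0)
                continue;                            /* the herder's own follow-ups */
            size_t k = 0;
            while (k < found && strcmp(out[k], nick) != 0)
                k++;
            if (k < found || found == max_out)
                continue;                            /* already counted, or out is full */
            strncpy(out[found], nick, NICK_MAX - 1);
            out[found][NICK_MAX - 1] = '\0';
            found++;
        }
    }
    return found;
}

int main(void)
{
    char bots[16][NICK_MAX];
    size_t n = count_fast_responders(IRC_LOG, IRC_LOG_LEN, 2, bots, 16);
    printf("%zu nick(s) answered a bot command within 2s:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", bots[i]);
    return 0;
}
```

On a real channel the command list would come from the family's documented command set, and the lines would be produced by an IRC sniffer rather than a static array; the timing logic does not change. Note that a 20-second window sweeps in the human who asks "what is that?" twelve seconds later, which is why the window has to be short.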

To conclude this post, I have to say that looking at these studies did not help me calculate how many computers are affected by bots at the moment! Extrapolating from the 120,000 or 150,000 machines known to be active in a botnet at a given moment to a total number is hard to envisage… However, making these searches was not useless. We can certainly predict that an increase in DDoS attacks will be a 2008 issue and, for sure, that more and more botnets will be used in that field; perhaps 40 or 50% of them.

MS08-021 Exploit Activity Increasing

Last week, in our monthly Patch Tuesday podcast, we discussed the fact that Microsoft credited three different researchers for reporting CVE-2008-1087. That several independent researchers reported the issue suggested that others might not be far behind. This CVE pertains to the Microsoft Graphics Rendering Engine, which has a history of exploitation. In fact, McAfee’s Exploit-WMF detection for MS06-001 exploits was one of the top reported detections around the time that patch was released. An exploit toolkit was released prior to the patch, which helped contribute to the number of exploits floating around. History may be repeating itself, though out of sequence.

Last Friday the first MS08-021 exploit was discovered in the field, three days after the issue was patched; and though it was not widespread, the discovery of the exploit did highlight the fact that attackers were actively working with exploit code. Today a basic exploit toolkit was posted publicly; and while this new toolkit is primitive, it may very well lead to “one-upmanship” and the distribution of a more powerful tool.

Given that a patch was released prior to this recent exploit activity, it is unlikely that MS08-021 attacks will reach the level of MS06-001 attacks. However, there are still many vulnerable systems out there, and we’ve seen prevalent exploits that have lasted for years after the issue was patched.

Give me your bookmarks!

It is interesting to see how the password-stealing trojan (commonly called PWS) writers think… :) Over the last few months I’ve been writing about PWS Bankers, since they are one of the most common kinds of malware that targets Brazil, and since I can read Portuguese, I have seen lots of improvements in that malware, including… multiple redundancies! Today I got something different. In the email that it sends to the malware author to say “Hello World, I am on machine-XYZ”, it now also includes data about browsing activity and even the bookmarks of the user, including the browser used and start page… interesting, huh? :)

Below is an example of the information sent by the malware:

Browser………….: C:\Program Files\Internet Explorer\iexplore.exe
Win Dir………….: C:\WINDOWS
Internet Protocol…: xxx.xxx.xxx.xxx
Start Page……….: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Date…………….: 1/8/2007
Time…………….: 6:58:03 AM
O.S. …………..: Microsoft Windows XP (version 5.1)
Bookmarks

*************************************************************
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
http://www.microsoft.com/isapi/redir.dll?(edited for length)sba=RadioBar&o1=&o2=&o3
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=CLinks
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsmedia
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windows
*************************************************************

Yes…he owns your computer and also knows where you surf!

“Media object? No it’s Malware Object!”

As in my previous post, many websites offer free video online in an attempt to install malware on users’ systems without their knowledge. Here we have one more, which claims to offer a Video Access ActiveX Object (VAX), a new way to access free multimedia content on the Internet. The webpage tries to look more professional by including an introduction to ActiveX, a EULA and a download link, as shown below.

We caution webpage viewers since this malware is also pushed by a pornographic webpage calling itself Adult Tuba, whose layout mimics the popular video-sharing site YouTube in an attempt to deceive users, as shown below:

If users click on any movie link and follow the instructions, they end up downloading the malware shown below, whose detection and removal is covered under the Puper family:

We caution all internet users from getting infected by these Video Access ActiveX Object sites found while surfing the web as we continue to protect our customers against such social engineering attacks.

I am not against virtual postcards, but…

As we see every year, the Christmas season is a great opportunity for a new virus to spread by email, using “Christmas” as a reason to read the email. We had a post here on the Avert Labs blog about one a few days ago. If it were just the spammers, we could understand, since they live to do that, but today I got an email from my bank stating that I could start to send Christmas and New Year’s virtual cards through their website! I immediately thought that it was a phishing scam, so I decided to check the link. It was indeed a new URL created by the bank, something like www.christmascards[insert Bank Name here].com.br, where you could select up to 4 different Christmas / New Year’s cards and send them to your friends… This just happened hours ago… I bet that I will start to receive some Xmas virtual cards, and I also bet that those will not be from my friends :) . So that you do not get me wrong, I like virtual postcards, but this strange marketing campaign will make things real easy for the bad guys, since the real bank sent a mass mail to all customers telling them that they can send those cards from its website. Now, what do you think will happen when the bank customers start to receive fake virtual postcards on behalf of the bank, with attached malware?

SPAM : Death by a thousand cuts!!

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet, turning them into spam-relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spam to online pharmaceutical drugs or the usual penis enlargement. Each zombie machine is capable of sending hundreds of spam emails per minute, depending on the bandwidth available. Examples: Spam-Maxy, Spam-Loot.

And with more machines on broadband and ADSL connections, there is a fertile breeding ground for this unholy alliance of malware authors and spammers to exploit.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

Chart: Captured email content

Only 11% were executable attachments. 2% were mails containing infection notifications or captured cached passwords meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spammed content was image spam and ASCII art, techniques that spammers have used effectively to subvert traditional detection by anti-spam vendors.

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication seen in the W32/Stration and Spam-DComServ trojans of today, demonstrate the alarming advancements made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.

Christmas “fun” with malware

As of late, a weekend is just not complete without a new W32/Stration variant spamming, and this weekend was no exception. Of course, this variant added a Christmas twist to the message body. To add to the Christmas “fun”, we also saw two other nasties taking advantage of people hoping for a little holiday cheer in their inbox.

Here’s hoping you all missed this excitement because you were having a wonderful holiday with friends and family instead. Or perhaps basking in the glow of a TV, enjoying a new video game console. (Speaking of which, the Wii just got an internet browser which is capable of playing Flash games. Hmmm… Very cool that they went with Opera, though!)

IMs, VoIP and Spam

Technologies advance with time, and instant messengers are no exception. Not long ago, people were happy sending text messages. Then VoIP came along and changed the scene, and soon after IM vendors embraced it. Many IM clients are now VoIP enabled. As soon as VoIP started going deeper into the mainstream, security researchers warned of related issues. One of them was abuse through spam, usually referred to as SPIT. Wikipedia states that SPIT is an “as-yet-nonexistent problem”. As VoIP gets more popular the scenario is changing fast, and this “as-yet-nonexistent problem” is slowly but surely emerging. The following image shows a real-world VoIP spam over Skype.

Real-Case Skype SPIT

The image shows a typical spam scenario. The spammer starts a conference call with some random users and starts playing the spam message. This process is most likely not manual but automated with bots.

Use and abuse are two sides of the same coin, and this technology is no exception. All major IM providers give away SDKs to develop add-ons. However, these SDKs also lower the bar for spammers to develop bots. We have witnessed the same with the ongoing development of Skype malware.

The image below shows the assembly code for the loop that Skype malware uses to search for users. Note the “SEARCH USERS” Skype API calls:

Assembly loop showing the Skype SEARCH USERS API in use by Skype malware

The malware actually uses more of these. The image below highlights them:

More Skype APIs in use by Skype Malware

These APIs are part of the Skype SDK and are documented by Skype. It is just a matter of time before we start seeing bots in the wild built on top of the IM SDKs provided by the vendors. We advise users to be aware of this developing attack vector. McAfee Avert Labs is prepared for this battle!!

PassWord Stealer for the virtual world

Inside the Trojan family, password stealers (abbreviation: PWS) are dedicated to monitoring some of your keystrokes. They collect confidential information such as Internet logins. Depending on the data collected, an attacker is then able to access your bank, e-commerce, game or social-networking account for the purpose of fraud or other criminal activities.

McAfee Avert Labs recently added detection for a newcomer distributed over the Skype VoIP network. Named PWS-JO, it captures all keystrokes, saves them to a local file and sends them to a remote website (hopefully no longer accessible). This example illustrates a new kind of attack vector (in this case a VoIP client); distribution is no longer limited to viruses, spammed email or malicious webpages.

This new alert must also remind us that password stealers are more and more numerous and not limited to immediate financial offenses. Although 62% of them target financial institutions, it is important to note that massively multiplayer online role-playing games (MMORPGs) are the second most-targeted sector (approx. 18%).

At McAfee the main PWS families are the following:

Target                                     Families                                              Share
Banks and e-commerce                       PWS-Banker, PWS-Goldun, etc.                          62%
Games (MMORPG)                             PWS-Lineage, PWS-Legmir, PWS-WoW, PWS-Gamania, etc.   18%
ICQ, instant messaging, social networking  PWS-LDPinch, PWS-QQPass, etc.                         10%
Others                                                                                           10%

In one year the number of PWS grew from 5,000 to 12,000, a 2.4-fold increase. Users must stay vigilant so as not to lose their “cyber-money” as well as their uber dragon sabre!!!

Wanna Watch Videos? Watch out, it’s a worm!

As we know, there are many websites offering videos of celebrities for free, and their main audience is young people.

Here we have a webpage “www(dot)leaked[REMOVED]videos(dot)com” which, by its title, looks to have a large collection of celebrity videos. The user visits the site, follows the instructions, and ends up installing a worm instead of watching celebrity videos.

The webpage displays “Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object”, attempting to get the user to install “missing plugins” for Media Player, as shown below:

If the user clicks on the (Click Here) hyperlink in the browser, they end up downloading a program called mpg2-3.0.1.exe, as shown below:

Upon execution, mpg2-3.0.1.exe displays the fake error message box shown below and installs a worm called Nugache.

We caution all internet users from getting infected by these fake online video sites found while surfing the web as we continue to protect our customers against such social engineering attacks.

Social Engineering and the “Little Guy”

Here’s a concept that might inflate everyone’s ego a little, as well as (hopefully) make them a little more wary: it’s not just CxOs whose names and info are valuable. It’s yours and mine, too.

In Italy, trojan spammers are sending emails that appear to be from lawyers, threatening legal action if the recipient doesn’t clean up their allegedly infected machine. Of course, this email includes a “helpful link” to a removal tool which is, in reality, a trojan. The most notable thing here is that the email includes actual lawyers’ names and contact information, which is causing significant problems for the lawyers whose names have been used.

We’ve also received reports from Italy indicating people are getting similar emails, but from people who appear to be angry business partners rather than lawyers.

Miscreants have also taken to heart the figures regarding the lack of security awareness in smaller businesses. Small companies may feel that they’re too insignificant to be targeted, but their machines may actually be just as valuable as those in a Fortune 500 company. Small businesses’ bandwidth is often better than a home user’s; their employees’ names and contact info can be used in schemes like this; they may be more easily hurt by denial-of-service attacks or extortion attempts; and they are less likely to have trained or dedicated security staff.

Really, everyone’s data has a useful place in the internet criminal’s arsenal. Doesn’t that just warm the cockles of your heart? ;)

So what do we take away from all this? Regardless of how urgent an email appears to be, it pays to double-check links and attachments with the apparent sender if you’re not expecting them. And to keep yourself from becoming an “apparent sender”, consider very carefully what information you make available on the internet. Do you need to post your employees’ names and phone numbers publicly, or would something more general be feasible?

Exploit-MSWord.b: Is that another Word for 0-day vulnerability ?

Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability, CVE-2006-5994. We refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word document sample for MessageLabs. Just when you might think this was the same 0-day as the most recent one, Microsoft confirmed upon our request that we are seeing double trouble: this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for the payload associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4914 as Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4915 as Exploit-MSWord.b.

QuickTime “feature” + MySpace vulnerability = “Fun” & Profit!

This weekend brought us yet another XSS vulnerability in MySpace being used to modify users’ profiles for malicious ends. Much as in the Windows virus space, we’re apparently past the phase of MySpace worms being used purely for notoriety and well into the phase of worms for profit.

This worm (JS/QSpace) uses an intended feature of QuickTime movies: they can run JavaScript code to open additional URLs. The additional URL in this case is a JavaScript file which modifies the user’s MySpace profile to include the malicious movie.

This boils down to two primary problems:

  1. QuickTime will load external URLs without user consent
  2. MySpace will embed or modify content without user consent, even from external sites

The MySpace part of the equation seems pretty straight-forward to address. Couldn’t something be set up to verify that a human is actually intentionally modifying content, especially if done in bulk?

The QuickTime issue being an intended feature makes this a bit trickier. It seems painfully naive to me for a feature like this to be added with no precautions in place to prevent malicious use.

One of the biggest reasons movie files are becoming increasingly popular as distribution methods for malware is that, between newly discovered vulnerabilities and features like this, the “return on investment” for malware authors using these file types is sky-rocketing. Very few people hesitate to view a movie file unless the context it comes in is incredibly suspect (and that’s mostly to avoid getting canned for watching porn at work, or getting the snot scared out of you by the car ad with the zombie that jumps out at the end).

But really, never mind the zombie. There are much more disturbing things potentially lurking in videos now.

Bot pangs - The pain of patching

Malware authors have been quick to fold exploit code for almost every newly reported vulnerability into their bots, with utmost professionalism. Apart from the numerous Microsoft Windows vulnerabilities whose exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from other software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are dated and patches are available, bot authors still found them enticing enough to target machines running vulnerable versions of these applications.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

Most of the major software vendors like Adobe, Microsoft and Oracle now follow scheduled patching cycles, and administrators have their hands full ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network, for policy reasons. For example, the organization could be using legacy software which could break if a new service pack were applied, and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need time to first deploy these hot fixes in a test environment and QA them properly before rolling them out to the entire enterprise.

Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients should surface. IM is popular both in consumer and corporate networks and an exploit that gives remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

On defensive technologies turning offensive and vice-versa..

In the world of security, there are typically two kinds of arms races: symmetric and asymmetric. Asymmetric warfare is where it is orders of magnitude easier to defend than to attack (or vice-versa). In other words, given a conscious decision to be secure, it is inherently a lot easier to carefully engineer a fail-safe system than it is for a malicious attacker to figure out a way to break it. Good examples of asymmetric warfare are cryptography (most modern cryptographic algorithms are practically impossible to break), memory-corruption mitigations (stack canaries, address-space layout randomization, non-executable memory pages / “PaX”, “no-execute” hardware support, etc. are all relatively easy to implement and use), and deception and uncertainty (e.g. ICMP traceback, honeynets). On the other hand, symmetric warfare is where the attackers and defenders are on a level playing field in terms of available technologies. The best examples of this have been DRM (Digital Rights Management) and virus technologies (detection and evasion).

Every now and then, good defensive technologies from asymmetric warfare in one security domain are applied for offensive purposes in another security domain (or vice-versa depending upon which came first). The following are two recent examples.

Firstly, in the world of online form submission, “captchas” have become a de facto standard for checking whether an actual human is involved in the process. A captcha is essentially a visual challenge-response test. Typically, a distorted image is generated randomly for each form, and the user is supposed to visually recognize the content displayed and type it in. The assumption is that automated bots can’t identify the content quickly enough; only humans can. A pretty fail-safe technique actually, and it works to this day for most purposes. However, the same concept is now being used by spammers:

Spam captcha

The entire unsolicited message is one captcha image. For traditional anti-spam agents that have to scan through emails quickly, this is indistinguishable from legitimate-looking emails from unknown senders with image attachments.

So the asymmetric defense from the world of online-form submissions has now introduced an asymmetry in the world of anti-spam. The day wire-speed OCR (optical character recognition) becomes available, possibly invented for spam defense, the asymmetry in online-form submissions will also be lost.

Second, let’s look at TLB (translation look-aside buffer) desynchronization. The PaX technology from grsecurity introduced the idea of non-executable memory pages via a split TLB: a brilliant defensive technique that games the paging logic of IA-32 CPUs, using desynchronization of the instruction and data TLBs to let a kernel-mode driver know whether a memory access is a data access or an execute access. So it became possible to detect exploits that tried to execute code copied into pages marked non-executable.

Following this, the split-TLB defense was applied for offensive purposes in Shadow Walker (hiding rootkits from AV/AS scanners) and for defensive purposes in OllyBone (reversing packed/encrypted malware). Packed malware typically starts off by unpacking the original code into a separate section (marked non-executable by the malware analyst). Then, when the malware attempts to execute the OEP (original entry point) instruction, the OllyBone driver can intercept it and present an “unpacked” memory layout to the reverse engineer. Shadow Walker uses an “inverse-PaX” technique. When a scanner attempts to read from a rootkit-occupied page, a cloaking driver detects the access as a read rather than an execute and presents a cloaked clean version of the page instead. The driver allows execution of the rootkit pages as usual. This makes traditional user-space scanning for kernel-mode rootkits completely ineffective.

The following is the latest addition to the utility of this split-TLB trick.

View Demo Here

Unlike Shadow Walker, which is designed to hide a rootkit’s kernel-space modifications, we apply the split-TLB trick to hide user-space code (or data) patches instead. This has a tremendous impact in the world of malware analysis and DRM. The proof-of-concept demo here shows a user-space executable that is designed to be tamper-resistant. It does this using a “checksum” thread that periodically computes and prints the checksum of certain memory pages used by a critical “worker” thread. The worker thread periodically prints a status message. Once the anti-checksum driver is loaded, it first sets up a cloaked clean version of the worker thread’s page. Using the split TLB, the checksum thread is shown the clean version only. Then the driver patches the worker-thread code and completely disables its status messages. As seen in the demo, the checksum thread keeps reporting checksum matches even though the worker thread has visibly been tampered with. Once the driver is unloaded, the cloaking is removed, and only then does the checksum thread detect that the process has been tampered with. This illustrates that user-space tamper resistance via self-checksums can no longer be relied upon on any platform that supports a split TLB or any style of memory cloaking that distinguishes executes from reads.
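For readers who want the user-space half of that demo in front of them, the C program below is an added example, not the proof of concept from the demo above. It implements the guard’s checksum (FNV-1a over the first bytes of the worker function) and then patches the worker’s code through mprotect(), the way an in-process attacker without the cloaking driver would. Without cloaking the checksum changes and the guard catches it; with the split-TLB driver described above, the guard’s reads would be served from the clean copy and the very same checksum would keep matching, which is the whole point of the demo. The program assumes a POSIX system whose text segment can be made writable; the function names and the 16-byte guard length are the example’s own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* FNV-1a over a byte range: the guard thread's checksum. Every step is a bijection on the
 * running hash, so a single flipped byte is guaranteed to change the result. */
uint32_t code_checksum(const void *start, size_t len)
{
    const unsigned char *p = (const unsigned char *)start;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* The "worker": the code the guard watches. noinline gives it an addressable body of its own. */
__attribute__((noinline)) int worker_status(int x)
{
    return x * 2 + 1;
}

#define GUARD_LEN 16   /* bytes of worker_status covered by the guard; the prologue suffices */

/* Make the page(s) holding [addr, addr+len) writable while keeping them executable: this
 * function and the guard may live on the same page, so dropping PROT_EXEC would fault. */
static int unlock_text(void *addr, size_t len)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t base = (uintptr_t)addr & ~(ps - 1);
    size_t span = (uintptr_t)addr + len - base;
    return mprotect((void *)base, span, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Patch the worker the way an in-process attacker without a cloaking driver would, and report
 * whether the guard notices. Returns 1 if the checksum changed while the patch was in place and
 * matched again after it was reverted, 0 if the guard missed it, -1 if mprotect() failed. */
int patch_detected_without_cloaking(void)
{
    volatile unsigned char *code = (volatile unsigned char *)(uintptr_t)worker_status;
    uint32_t baseline = code_checksum((const void *)code, GUARD_LEN);

    if (unlock_text((void *)code, GUARD_LEN) != 0)
        return -1;
    unsigned char saved = code[0];
    code[0] = saved ^ 0xFF;       /* the patch; worker_status is never called while it is in place */
    uint32_t during = code_checksum((const void *)code, GUARD_LEN);
    code[0] = saved;              /* revert before anyone executes the worker again */
    __builtin___clear_cache((char *)code, (char *)code + GUARD_LEN);
    uint32_t after = code_checksum((const void *)code, GUARD_LEN);

    return (during != baseline) && (after == baseline);
}

int main(void)
{
    int verdict = patch_detected_without_cloaking();
    printf("worker_status(3) = %d\n", worker_status(3));
    printf("guard detected the patch: %s\n",
           verdict == 1 ? "yes" : verdict == 0 ? "no" : "mprotect failed");
    return verdict == 1 ? 0 : 1;
}
```

The guard here is as good as such guards get: it reads the exact bytes the CPU will execute. What the driver changes is not the guard but the answer the memory system gives to its reads, and no amount of extra hashing in user space can tell the difference, which is why the text above recommends not relying on this class of protection at all.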

So the originally defensive PaX technology turned offensive in Shadow Walker, then defensive in Ollybone, and again either defensive/offensive depending upon whether it’s used for hiding code-patches in malware during analysis or in DRM-enabled products to break their tamper resistance.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

umss: efficient single stepping on Win32

Introduction

Let’s assume we need to do dataflow analysis of a particular execution path in a certain binary. In order to collect as much data as possible, we should single-step that execution path, save the register values at each step, and then do some analysis. If we have all the register values, we can deduce the values assigned to/from memory locations by looking at the instruction semantics.

Available methods

Let’s focus on the first stage: single-stepping. We have the following methods:
Method 1. win32 API debugging facilities
We can do it in the “official” way, that is:

  • attaching a debugger
  • forcing single-stepping by setting the TF bit in eflags
  • collecting register values each time WaitForDebugEvent() returns

However, it is hopelessly slow, because a context switch is necessary after each instruction, and the debugger needs to issue a few system calls to retrieve the context and resume execution.

Method 2. In-process EXCEPTION_SINGLE_STEP trapping
A better way is to trap EXCEPTION_SINGLE_STEP not in the debugger but in the analyzed process itself. We can set up a SEH handler, collect the necessary data in it, and then resume execution. We can inject into the process a DLL which does the necessary preparations. The “sha1sum_test.exe” binary, if given a second argument, will execute the critical loop with TF set in eflags, and the exception handler will be called after each instruction. The speed gain is about 10x compared with the previous solution. Still, exception dispatching in both the kernel and the user-space components imposes significant overhead.
More advanced implementations can be found at http://www.cybertech.net.
It might be more efficient to implement a fast path in the kernel exception handler (just collect the register values and resume execution).

A faster solution

Method 3. [purely in] User Mode Single Stepping
Why do we need TF at all? If the instruction at address X is about to be executed, we can overwrite the next instruction with “jmp our_handler” (we will need to make the .text segment writable first). our_handler should:

  1. switch to a temporary stack; save the registers with pusha+pushf
  2. restore the overwritten instructions
  3. move the saved registers values to some storage
  4. compute where the current instruction transfers execution; let that address be X’
  5. overwrite X’ with “jmp our_handler”
  6. restore registers with popf+popa; restore the original esp; return to the next instruction

The tough part is 4. We need the following:

  • for instructions which do not transfer control (so, anything besides jmp/jxx/call/loop/ret), we need to know the instruction length. It is easy: we can compute all instruction lengths *before* running the program and store them in a file, which is subsequently memory-mapped so that our_handler can access it.
  • for jmp/ret/loop/“call fixed_addr” we need to add the jump offset to the current address - easy.
  • for jxx instructions, we need to consult eflags to see whether the execution is altered or not - doable.
  • if we face a computed call/jump, we could disassemble it on the fly and deduce the target, but it is complicated due to the variety of addressing modes of the 386. The easier way is to trap to the debugger, which will single-step the problematic instruction, and later resume software tracing. The overhead should be small because computed calls/jumps are relatively rare. And we can still simulate the most frequent cases, say “call eax”.
    Additionally, this approach helps when our disassembler cannot recognize a particular instruction.
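As an added illustration (not code from the umss package), the following C function works through step 4 above over a constructed instruction stream: fall-through via the length map, relative jmp/call, conditional jumps decided from the saved eflags, ret via [esp], the simulated “call eax” case, and a trap result for other computed transfers. The length-map format, the regs_t layout and the demo image are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Snapshot of the registers our_handler saved with pusha+pushf; only the
   fields this example consults. 32-bit values mirror the x86 registers. */
typedef struct { uint32_t eax, esp, eflags; } regs_t;
#define ZF (1u << 6)
enum { NEXT_KNOWN = 0, NEXT_TRAP = 1 };   /* TRAP: hand the instruction to the debugger */
/* Compute X' for the instruction at X that is about to execute.
   code   : bytes of the traced code, indexed by address (constructed image)
   lenmap : instruction length at each address, computed offline (assumed format)
   stack  : the memory a "ret" pops its return address from (constructed) */
int next_ip(const uint8_t *code, const uint8_t *lenmap, const uint32_t *stack,
            uint32_t X, const regs_t *r, uint32_t *target)
{
    uint32_t fall = X + lenmap[X];           /* fall-through: the next instruction */
    int32_t rel32;
    switch (code[X]) {
    case 0xEB:                               /* jmp rel8 */
        *target = fall + (int8_t)code[X + 1]; return NEXT_KNOWN;
    case 0xE8: case 0xE9:                    /* call rel32 / jmp rel32 */
        memcpy(&rel32, code + X + 1, 4);
        *target = fall + rel32; return NEXT_KNOWN;
    case 0x74:                               /* je rel8: taken only if ZF is set */
        *target = (r->eflags & ZF) ? fall + (int8_t)code[X + 1] : fall; return NEXT_KNOWN;
    case 0x75:                               /* jne rel8: taken only if ZF is clear */
        *target = (r->eflags & ZF) ? fall : fall + (int8_t)code[X + 1]; return NEXT_KNOWN;
    case 0xC3:                               /* ret: the return address sits at [esp] */
        *target = stack[r->esp / 4]; return NEXT_KNOWN;
    case 0xFF:                               /* computed call/jmp */
        if (code[X + 1] == 0xD0) { *target = r->eax; return NEXT_KNOWN; } /* "call eax" simulated */
        return NEXT_TRAP;                    /* other forms: let the debugger single-step it */
    default:                                 /* no control transfer */
        *target = fall; return NEXT_KNOWN;
    }
}
/* Constructed image (not from the umss package): nop; jmp +2; je -5;
   call +16; call eax; jmp [eax]; ret. LENMAP holds the length at each start. */
static const uint8_t CODE[] = { 0x90, 0xEB,0x02, 0x74,0xFB, 0xE8,0x10,0x00,0x00,0x00,
                                0xFF,0xD0, 0xFF,0x20, 0xC3 };
static const uint8_t LENMAP[] = { 1, 2,0, 2,0, 5,0,0,0,0, 2,0, 2,0, 1 };
static const uint32_t STACK[] = { 0x401000u, 0x402000u }; /* esp is a byte offset into it */
/* Wrapper over the constructed image: returns X', or 0xFFFFFFFF when the
   instruction must be trapped to the debugger. */
uint32_t demo_next(uint32_t X, uint32_t eax, uint32_t esp, uint32_t eflags)
{
    regs_t r = { eax, esp, eflags };
    uint32_t t = 0;
    return next_ip(CODE, LENMAP, STACK, X, &r, &t) == NEXT_KNOWN ? t : 0xFFFFFFFFu;
}
```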

Implementation

The above functionality has been implemented in the “umss” project at McAfee Labs. The package contains the following components:

  • umss.cpp: it writes a map of instruction lengths. It uses the “boomerang” project (http://boomerang.sourceforge.net/). In fact, if we just need instruction lengths, any disassembly library would do; however, boomerang is unmatched when it comes to analysing instruction semantics (that analysis is still to be implemented).
  • inject.dll: a library to be injected into any process. It implements the single-stepping. If it does not know how to handle a particular instruction, it jumps to “\xcc”, and the attached debugger takes care of it.
  • tracer.cpp: it implements the rest of the required functionality.

In order to collect some benchmarks, a simple program was written which runs a loop a given number of times. It can be traced with umss, or, if given two arguments, trace itself with Method 2. Results:

  • native run (without any tracing):
    ret=-787054544, time=0.047312ms, loops/ms=211361.374858
  • tracing with EXCEPTION_SINGLE_STEP handler (two arguments given to the test program):
    ret=-787054544, time=1085.968872ms, loops/ms=9.208367
  • ordinary tracing with WaitForDebugEvent():
    ret=-787054544, time=9999.467773ms, loops/ms=1.000053
  • umss:
    ret=-787054544, time=95.365204ms, loops/ms=104.860050

As we see, the umss method is about 10 times faster than the exception handler, and over 100 times faster than ordinary debugging.
All the execution times were obtained with the storing of register values disabled (only the overhead of tracing was of interest). Anyway, in umss the log file is memory mapped, so especially on an SMP (or dual-core) system the performance impact of disk writes should be minimal.
Additionally, in order to improve efficiency, we do not want to trace through library calls (well, it should be configurable which dlls we want to trace). If inject.dll observes that execution leaves the .exe segment, it overwrites the return address location with its own handler and executes the library function without tracing; when the library function returns, tracing resumes.

Currently the umss package is in early stage, just enough to confirm usability of the approach and conduct benchmarks. It should be straightforward to implement simple enhancements:

  • implement more computed jump/call instructions
  • currently only a single executable section map is supported
  • implement injecting the dll upon LOAD_DLL_DEBUG_EVENT of a library we want to trace
  • perhaps optimize inject.dll better. The interesting part is that it should execute only about 80 instructions of its own (per instruction in the traced process) in the typical case, yet the performance hit is x2000. Probably the Pentium’s parallelism is disturbed, as well as the efficiency of the memory caches.
  • finally, implement the crucial part: flow analysis

The umss package can be downloaded from the Sourceforge umss download page.

BuddyProfile used to spread exploits

Alright, back to the doom and gloom! ;)

A little background info - BuddyProfile.com is a site meant to allow you to spiff up your Buddy Profile for AOL Instant Messenger (AIM). It seems to be popular with a youngish teenage audience; it’s in the top 100,000 sites according to Alexa. It’s this particular fact which makes all the drama that follows just that more disturbing.

The basic problem is one we’ve seen before - When users are free to add their own HTML content with minimal restrictions, people will find a way to add objectionable content like malware and adware.
A SiteAdvisor crawl today turned up some profiles on BuddyProfile.com which immediately redirect the user to an adult site; that site points to a file detected as Exploit-ANIfile, which is being used to install Adware-PestTrap, which in turn displays “security warnings” to the user.
Just to recap:

  1. Popular site, frequented by a large number of kids
  2. Allows users to add their own HTML content
  3. HTML content is being used on profiles to redirect people browsing this site (presumably said kids) to porn and surreptitiously-installed adware programs

Yuck. Seriously.
I think one of our SiteAdvisor researchers, Harry Sverdlove, put it best. He likened sites allowing users to embed their own HTML content into profile pages to restaurants letting people bring in their own food to be served to everyone:

“I’ll take the salmonella and the botulism ‘to go’ please.”

Stock spammers, methodical yet mysterious

It’s no big revelation to say that spammers and virus writers have been getting increasingly sophisticated about the mechanisms they use to get their ads in front of a set of real, human eyes. It seems, recently, that virus writers are concentrating on improving their background infrastructure to get better metrics and overall success rate.

For instance, it seems the miscreants are getting into the world of data mining. There have been a couple of examples recently of the different techniques they use to keep track of how their botnets are doing. Keep your bots in handy groups for different purposes, and then track them with a nice graphical interface!

Personally, I still have a hard time thinking of these groups as “professional”, in the suit-and-tie sense of the word. But this is so organized it makes me wonder if the people behind these things don’t effectively have Accounting and Marketing departments.
But then, occasionally the spammers take a turn that kinda makes you wonder. Yes, the field of “Pump and Dump” stock spam is getting a bit crowded - maybe something new and different is what’s in order?

Starting last night, there was a new raft of spams using a “technique” which is decidedly odd. Just a single word, spelled out in ASCII art. Are they counting on users to google this strange word just to solve the mystery? Or is the “payload” yet to come?