Archive for the 'Potentially Unwanted Programs' Category

FakeAlerts Uncovered

It has been almost a year since rogue antivirus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, SEO poisoning, spam campaigns and clever social engineering.
Those delivery methods have been discussed in earlier posts; today we look at the protection mechanisms these fake-alert Trojan families adopt to evade detection by antivirus vendors.

  • Code obfuscation using junk instructions

In the screenshot above, a large amount of junk code sits between the valid instructions. Junk instructions are used widely across fake-alert families: they change the byte pattern of every build without changing what it does, so a signature written on one variant misses the next, and they pad out the code an emulator has to step through before it reaches anything interesting.

  • Fake API calls

The screenshot shows a call to the GDI API SetArcDirection, which the code does not need. Unnecessary API calls like this are used to defeat emulation: an emulator that has not implemented a rarely used API returns nothing useful, or an implausible value, and the sample can check the result before deciding whether to unpack. Sometimes these families also call APIs that do not exist at all; a loader that hands back an address for a name that should fail to resolve betrays the emulator.

  • Customized packer

Many fake-alert families use their own custom packers and encryption routines, and some patch existing packers so that generic unpackers and packer-identification signatures no longer recognise them.

  • Use of XMM and MMX instruction sets

Most fake-alert families also make use of XMM (SSE), MMX and FPU instructions that the code does not need, mixed in with the other junk; an emulator that implements only the common integer instruction set either mis-executes these or gives up on the sample.
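One way to see the emulation check behind the fake API calls and junk instructions described above, as an added example rather than code from the original post or from any fake-alert sample: the probe resolves one genuine export and one invented name through the platform loader, and on Windows also calls SetArcDirection on a real device context and checks that the return value is one the documentation allows. The bogus export name is an assumption invented for this example; the loader half runs on Windows, Linux and macOS, the GDI half only on Windows.

```python
"""Emulator probe: does the loader answer honestly, and does a rarely used API
behave as documented? Added example, not code from the original post.
The bogus export name is an assumption; the real API names are the platform's."""
import ctypes
import sys

if sys.platform == "win32":
    _LIB = ctypes.windll.gdi32            # SetArcDirection lives in GDI32
    _REAL = "SetArcDirection"
    _AD_CLOCKWISE = 2                     # wingdi.h: AD_COUNTERCLOCKWISE = 1, AD_CLOCKWISE = 2
else:
    _LIB = ctypes.CDLL(None)              # process-global symbol table (libc is in it)
    _REAL = "strlen"
_BOGUS = "AvertLabsNoSuchExport"          # assumed: exists nowhere, must never resolve

def resolves(lib, name):
    """True if the loader reports `name` as an export of `lib`."""
    try:
        getattr(lib, name)
        return True
    except AttributeError:
        return False

def loader_is_honest():
    """An honest loader finds the real export and refuses the bogus one.
    An emulator that stubs every import, or hands back an address for any
    name it is asked about, fails one of the two halves."""
    return resolves(_LIB, _REAL) and not resolves(_LIB, _BOGUS)

def rarely_emulated_api_behaves():
    """Call an API an emulator is unlikely to implement and check its documented
    result. SetArcDirection must return the previous direction (1 or 2) for a
    valid DC and 0 only on failure; a stub that returns 0 or garbage stands out.
    Returns None where there is no GDI to call."""
    if sys.platform != "win32":
        return None
    user32 = ctypes.windll.user32
    user32.GetDC.restype = ctypes.c_void_p
    user32.GetDC.argtypes = [ctypes.c_void_p]
    user32.ReleaseDC.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    _LIB.SetArcDirection.argtypes = [ctypes.c_void_p, ctypes.c_int]
    hdc = user32.GetDC(None)              # screen DC
    if not hdc:
        return False
    try:
        previous = _LIB.SetArcDirection(hdc, _AD_CLOCKWISE)
        if previous not in (1, 2):
            return False
        _LIB.SetArcDirection(hdc, previous)   # restore the original direction
        return True
    finally:
        user32.ReleaseDC(None, hdc)

if __name__ == "__main__":
    print("loader honest:", loader_is_honest())
    print("SetArcDirection sane:", rarely_emulated_api_behaves())
```

A sample that runs this kind of probe before unpacking simply exits, or takes a benign path, when either answer is wrong; an analyst stepping through it in a debugger sees the GetProcAddress of a name that should not exist long before the real payload appears.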

The techniques discussed above are not new and have been used in other notable malware, but the fake-alert Trojans push these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, the fake-alert Trojan families have stepped in to claim the scum-of-the-Internet tag.

McAfee Releases First-Quarter Threats Report

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface worm has made a resurgence; more than 800 new variants were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter, quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home, rather than the HTTP rendezvous, to start its latest escapade. In this case the infected host is first contacted by another host over an ad-hoc P2P connection, rather like an alarm clock. Then, after hitting the snooze button for several hours, the communication begins again, this time initiated by the infected host.

Conficker is definitely not in any rush to tango. The exchange is carried out in such a way that this traffic (the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play: the infected host goes out to an address and downloads an encrypted executable. Once decrypted and executed, it can contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the screenshots below:

We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything the bad guys are serving on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch (Conficker's in-memory patch of the vulnerable netapi32 function, which closes the hole it came in through). This time, however, it is closer to the original Microsoft patch, so as to elude detection tools that fingerprint the earlier bogus one. (Note: our McAfee Conficker Detection tool is being redesigned to detect the latest variants.)

There are also two other notes of interest. First, we have a new deadline to watch: on May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Such as - Is this just a test from the Conficker crew who are serving up Waledac incidentally? Or is this done for other self-serving reasons? (i.e. - Attention diversion) Maybe it’s just a deadline for a rented botnet? Interesting questions I am sure the security community at large is wondering.

Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is already in that list, it skips the domain and moves on to the next one in its list, presumably to avoid wasting time on sinkholes that answer for many of the generated domains with a single address.
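The rendezvous-domain walk described above, written out as an added example that is not Conficker's code: the bot resolves each candidate domain in turn and skips any whose address it has already queried, which defeats a sinkhole that registers many of the generated domains and points them all at one IP. The domain names and addresses below are constructed for the example (documentation ranges), and the resolver is a dictionary standing in for DNS. The second function shows the same data from the defender's side.

```python
"""Rendezvous walk with the 'seen IP' rule, plus the defender's view of it.
Added example, not code from Conficker or from the original post.
All domains and addresses are constructed."""

def walk_rendezvous(domains, resolve, seen=None):
    """Yield (domain, ip) pairs the bot would actually contact.

    `resolve(domain)` returns an IPv4 string or None (NXDOMAIN / timeout).
    `seen` is the set of addresses already queried; it is updated in place so
    that later calls keep skipping addresses used earlier.
    """
    if seen is None:
        seen = set()
    for domain in domains:
        ip = resolve(domain)
        if ip is None:
            continue                 # unregistered or unreachable: next domain
        if ip in seen:
            continue                 # already queried this address: treat as sinkhole, skip
        seen.add(ip)
        yield domain, ip

# Constructed resolver: three domains parked on one sinkhole address, one live
# rendezvous host, one unregistered name, and one on a second sinkhole.
FAKE_DNS = {
    "a1b2c3.example.net":  "198.51.100.7",   # sinkhole A
    "d4e5f6.example.org":  "198.51.100.7",   # sinkhole A again
    "g7h8i9.example.com":  "203.0.113.42",   # live rendezvous host
    "j1k2l3.example.info": None,             # NXDOMAIN
    "m4n5o6.example.biz":  "198.51.100.7",   # sinkhole A once more
    "p7q8r9.example.ws":   "192.0.2.99",     # sinkhole B
}

def constructed_resolver(domain):
    return FAKE_DNS.get(domain)

def contacted_hosts(domains=tuple(FAKE_DNS)):
    """Hosts the walk contacts, in order, over the constructed resolver.
    Note that the first domain on a sinkhole is still contacted once; the rule
    only saves the bot from the second and later domains parked there."""
    return list(walk_rendezvous(domains, constructed_resolver))

def sinkhole_candidates(domains, resolve):
    """Defender's view of the same data: addresses shared by several domains,
    which a bot applying the rule above will contact at most once."""
    by_ip = {}
    for d in domains:
        ip = resolve(d)
        if ip is not None:
            by_ip.setdefault(ip, []).append(d)
    return {ip: ds for ip, ds in by_ip.items() if len(ds) > 1}

if __name__ == "__main__":
    for d, ip in contacted_hosts():
        print(f"contact {d} at {ip}")
    print("shared addresses:", sinkhole_candidates(FAKE_DNS, constructed_resolver))
```

The practical consequence for anyone operating a sinkhole is that pointing every registered domain at one address is exactly the pattern the rule filters out; spreading them over several addresses costs the bot more queries before it gives up.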

Of course, we will update if anything else comes along…

Cybercrime, Online Threats, and the Recession

As the recession continues and unemployment rises, we expect the top cybercrime trend for 2009 to be the continued exploitation of the financial crisis to scam people with fake financial-transaction services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the identity checks involved in purchasing a domain name. This gives spammers the opportunity to run their underground business with minimal expense. Spam carrying links to these do-it-yourself hosting providers reaches its destination far more often than spam linking to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets (networks of compromised “zombie” computers) that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

Counting Malware

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers (detection signatures) in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

However, our current count is not an absolute number of detected malware files, and this confuses many people. Drivers can be written very specifically, say one driver for one sample, but that’s not very effective. Most drivers are written to generically detect many samples; a single driver can detect 50 or as many as thousands of malware files. Therefore the number of detected malware files is far higher than the half-million number reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

Initially VirusScan focused just on true self-replicating viruses, mainly 16-bit MS-DOS (.com/.exe) viruses as well as boot viruses, which were prevalent then, and some still are today. Malware has evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (PE-format .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware, password stealers, and others. Nowadays the majority of malware is static Trojans.

There has also been a big shift by the malware authors. The first malware authors were hobbyists, writing to prove it could be done, but today we mainly see malware that’s going after the money: password stealers and the like. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OS X and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Fake-Alert Tour Driven by Malware Team

Fasten your seatbelts, for today we take you on a tour of fake-alert Trojans that have been doing the rounds on the Internet lately. On this tour of various malware stations you’ll be taken to a system infected by a fake/rogue anti-virus application. Below is an example of a method such malware uses to infect a machine.

Here is your itinerary:

Station 1: Malicious web page that hosts malware
Station 2: Browser helper object
Station 3: Fake/rogue anti-virus application downloader
Destination: Fake/rogue anti-virus application–infected system

The journey starts with a malicious web page that hosts malware. Users reach these pages through social-engineering techniques such as a link in an email or instant message, or a redirect from a compromised legitimate website. A single click on one of these links starts the infection.

Upon visiting the malware-hosting web page, the user “buys a ticket” in the form of an executable file downloaded onto the system through some social engineering technique.

On our example tour,

  • http://best[blocked]tube.net

When users visit the page above, they’re asked to download wmcodec_update.exe, which pretends to be a codec plug-in for Windows Media Player. A message box pops up repeatedly until users download the fake plug-in file, which is in fact Multi Dropper malware.

Upon execution, the downloaded file pops up a fake error message, as shown below:

Apps Error

The malware continues to execute and drops

  1. Browser helper objects
  2. Fake/rogue anti-virus application downloader

Our “tourists” now move to the next station, the browser helper object. At this station the victims’ browsers are compromised. For example, a user’s search results are manipulated to contain a link to another malicious web page. The following two images show the difference between a “clean” search and one made after the browser helper object has injected a link to a malicious web page. I have highlighted one malicious site; try to find five differences between the two images. ;-)


Before injection of the URL:

clean search results

A compromised browser–after injection of the malicious URL:

fake search results

Many spyware applications use browser helper objects to capture the surfing habits of users. This information is used later by the malware authors for pop-up ads relevant to search keywords, for example.

The next station on our tour is the fake/rogue anti-virus application downloader. Here users find two “magazine” icons on the desktop, which are links to porn sites.

fake magazine

The fake application is downloaded without user intervention by the downloader. Finally the users’ systems are infected with the fake-application malware.

At this point, users see a bogus alert from the fake application.

fake warning

Scanning through the report generated by the fake app reveals that this report is exaggerated and false.

fake scan report

The fake-alert malware displays spurious alerts to entice users into buying products to “repair” the system from the fake, exaggerated threat.

fake activation

fake subscription

Did you enjoy your fake-alert tour? Today, malware often works as a team to infect computers. On this tour we saw a malicious web page hosting malware, Multi Dropper, a browser helper object, a downloader, and a fake alert working together for a common goal.

As always, we advise you to take precautions with fake plug-in downloads that loop endlessly without giving you a chance to close the message box; kill the process behind such spurious messages through the Task Manager. Be careful about links in your email, especially in anonymous mail, and links in instant messages. Always practice “safe surfing,” which is the first step in keeping your computers clean.

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

Three cheers for ICANN!

… One small step for ICANN …

I never thought I’d see the day!

ICANN has found its dentures down the back of the sofa and taken a bite out of the criminals’ domain-registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains’ problem “customers”?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign Etc…). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique URL “snowshoe” spammers ? almost legit ? The real world doesn’t care for their bulk and whois protected domains (via directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Richter’s Media Breakaway, formerly the bankrupted OptInRealBig. MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko's open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but nevertheless (so I’m told) this is quick for ICANN ;)

Hip Hip…

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Porn for Free: Puper Promises Hot Videos on YouTube

YouTube is an excellent resource for video sharing: Users can upload, view, and share video clips. It’s also not novel to find a legitimate web site being used as a vector to spread porn-spewing malware. We blogged earlier about fake video embedded in blogspot domains and attackers capitalizing on sensational news hitting the media. This time attackers are promising free adult video on YouTube to assault unsuspecting users.

Attackers are using fake profiles that contain a video link to YouTube to kick-start an infection. This profile contains a link pointing to:

http://superelection[blocked].info

This site is infamous for various U.S.-election-related spam and hosts a cocktail of exploits that attempt a drive-by installation on the victim’s machine. The site also tries to socially engineer the victim by promoting a fake codec that installs the Puper Trojan. We have identified multiple profiles linking to various exploit-serving sites that host the fake codec. The attackers have promoted this attack by posting the YouTube links to various forums. Given the number of visits to this YouTube link so far, the chances are good that a number of users have fallen victim to it.

We advise all Internet users to follow safe browsing practices and keep their systems patched. Meanwhile we at McAfee Avert Labs will continue to protect our customers against such attacks.

The S.P.A.M Experiment Final Report

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’:

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants’ experiences, go here, and make sure you download the ‘Global Spam Diaries’ as well.

Detecting Malware With Vulnerability Scanners

We had a customer a while back report a false detection on one of our Foundstone checks. The purpose of the check wasn’t even to detect malware, it was to detect the presence of a certain legitimate remote administration tool. The customer insisted they were not running that administration server on the host. From the diagnostic packet captures they sent in, however, there was no denying that the tool was running on that host whether they knew it or not. And that tool happens to be commonly dropped by malware to serve as its backdoor. No doubt, some damage had already been done by the time they reported this to us, but how much more damage was prevented when this security breach was discovered because of our check?

Malware detection is not one of the most prominent functions of a remote vulnerability scanner, but most major scanners do offer the capability. Don’t expect to replace your traditional AV with a vulnerability scanner any time soon, though.

Although vulnerability scanners can open and read files, they are mostly agentless, so every such operation is a remote RPC call. Mimicking the signature scanning of traditional AV over that channel would be unacceptably slow, so malware checks have to settle for detecting the presence of malware by its traces: the existence of certain files (checked by name, without opening or reading them), registry keys, or a running service. In most cases two out of three of these traces is a unique enough combination for a strong detection.

Another way to detect the presence of malware with a vulnerability scanner is to detect the malware’s network activity. If it opens a backdoor on a particular port and listens for commands, which is the majority of malware today, most likely we can detect it remotely. In this respect the vulnerability scanner actually has an advantage over traditional host-based AV. Take the case of a rootkit that hides its files, registry entries, running process, service, and so on; it is virtually invisible on the host. It might even hide its network activity, but only from programs running on the local machine. Sophisticated as the rootkit may be, it cannot hide a listening port from a vulnerability scanner probing from outside. (The converse limit is worth remembering: a backdoor that only makes outbound connections to its controller offers a remote scanner nothing to find.)
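The two detection approaches above, the two-of-three trace rule and the remote listener probe, combined in one added example that is not Foundstone’s check logic. The host inventory (file names, registry keys, service names) would normally be gathered over RPC/SMB; here it is a constructed dictionary, and the signature’s paths, key and service name are invented for the example. The network probe really connects, but to a throwaway loopback listener started in-process so the example runs offline.

```python
"""Trace-based malware detection as a remote scanner would do it: no file
contents are read, only names and a listening port are checked.
Added example; the signature, inventory and listener are all constructed."""
import socket
import threading

# Constructed signature: the traces a remote-administration tool leaves behind.
SIGNATURE = {
    "name": "RemoteAdmin-Tool (example)",
    "files": [r"C:\Windows\System32\radmin_svc.exe"],                 # assumed path
    "registry": [r"HKLM\SYSTEM\CurrentControlSet\Services\RAdminSvc"],  # assumed key
    "services": ["RAdminSvc"],                                         # assumed service
}

def host_traces(inventory, sig):
    """Which of the three host-side trace classes are present.
    `inventory` maps 'files'/'registry'/'services' to the names the scanner
    enumerated remotely; comparison is by name only, case-insensitive."""
    found = {}
    for kind in ("files", "registry", "services"):
        have = {x.lower() for x in inventory.get(kind, [])}
        found[kind] = any(x.lower() in have for x in sig[kind])
    return found

def port_open(host, port, timeout=1.0):
    """Remote view: does something accept connections on the backdoor port?
    A rootkit can hide the socket from local tools, not from this probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(inventory, sig, host=None, port=None):
    """Two-of-three rule over host traces; a listener on the backdoor port
    counts as an independent confirming trace for a single host-side hit."""
    found = host_traces(inventory, sig)
    hits = sum(found.values())
    listener = port_open(host, port) if host and port else False
    return {"signature": sig["name"], "traces": found, "listener": listener,
            "detected": hits >= 2 or (hits >= 1 and listener)}

def start_fake_listener():
    """Throwaway loopback listener standing in for the backdoor (constructed).
    Returns the server socket (close it when done) and the port it got."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

# Constructed inventory: the binary was renamed so the file trace misses, but
# the service and its registry key are still there, as in the customer case.
INVENTORY = {
    "files": [r"C:\Windows\System32\svchost.exe"],
    "registry": [r"HKLM\SYSTEM\CurrentControlSet\Services\RAdminSvc"],
    "services": ["RAdminSvc", "Spooler"],
}

if __name__ == "__main__":
    srv, port = start_fake_listener()
    print(assess(INVENTORY, SIGNATURE, "127.0.0.1", port))
    srv.close()
```

The scoring deliberately never reads the file: the scanner decides on names and on the port, which is why a renamed binary still gets caught through its service and registry key, and why an outbound-only implant with no traces of this kind does not.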

In the end, detecting malware with a vulnerability scanner is purely reactive, that is, you are raising a flag after the malware has already installed itself–whereas traditional AV has the noble goal of preventing it from even getting onto the host.

Some might consider the malware detection offering of vulnerability scanners as superfluous because of the limited capability and its reactive nature. But I’m sure that the customer with the hidden remote administration tool isn’t one of them.

Yet Even More Fake Media Files

Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as the Gnutella network used by LimeWire. I took some time to create a video clip showing what the infection process looks like. In doing so, hundreds of additional media files were uncovered. Most lead to the aforementioned site, fastmp3player.com, but others lead to different sites distributing adware, and still others pose as codec installers that, when run, display fake error messages and silently download and install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While the demo below shows that users must accept an EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser).  Not all media players support this functionality.

Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee.  Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days.  However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

Fake MP3s Running Rampant

Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago.  Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone.  Now, Downloader-UA.h is not your everyday trojan: this detection covers fake music and video files associated with fastmp3player.com.

When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe.  In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

Here are some of the sample names that we’ve seen.  Many, many other file names are surely floating around on P2P networks.  File sizes vary as these files are padded with nulls.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files), a 4,800-word EULA is displayed.

Notable parts of the EULA include:

(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:

PRODUCT Mirar AND EULA http://policy.getmirar.com/

And my favorite:

22. Effective: January 14, 2007.

END OF DOCUMENT

NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.

Does END OF DOCUMENT mean you can ignore the rest?  Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!

If you agree to the EULA and choose to proceed, the adware “FBrowsingAdvisor” and “SurfingEnhancer” are installed as described in the EULA.  I especially like the directory name used by the developer:

c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb

If Firefox is not installed users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player.  This page lets the user listen to a canned selection of a couple dozen songs.

In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.
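Both of the fake-media posts above describe the same trick: a file named `.mp3` or `.mpg` that is really an ASF container whose only job is to make the player open a URL, padded with nulls to a plausible size. The following is an added example (not code from the original posts or from McAfee) of how to spot such a decoy on disk: it classifies a file by its leading bytes rather than its extension, and pulls out any embedded URL, checking both plain ASCII and the UTF-16LE encoding ASF uses for strings. The ASF Header Object GUID and the MPEG signatures are the publicly documented values; the sample file contents are constructed.

```python
"""Detect media files whose container does not match their extension and
extract any redirect URL they carry.  Added example; sample bytes are
constructed, not taken from real samples."""
import re
from typing import List, Optional

# On-disk signature of the ASF top-level Header Object (little-endian GUID).
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
# MPEG program-stream pack header, the usual start of a .mpg file.
MPEG_PS_PACK_START = b"\x00\x00\x01\xba"


def sniff_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag in front of MPEG audio
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # raw MPEG audio frame sync (11 set bits)
    if data.startswith(MPEG_PS_PACK_START):
        return "mpg"
    return "unknown"


def extract_urls(data: bytes) -> List[str]:
    """Find http(s) URLs stored as ASCII or as UTF-16LE text."""
    found = [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]
    # UTF-16LE: every ASCII character is followed by a NUL byte.
    wide = rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
    for m in re.findall(wide, data):
        found.append(m.decode("utf-16-le"))
    return found


def classify(name: str, data: bytes) -> Optional[str]:
    """Return a verdict when the file looks like a decoy, else None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "mpeg":
        ext = "mpg"
    kind = sniff_container(data)
    urls = extract_urls(data)
    if kind == "asf" and ext in ("mp3", "mpg", "wav") and urls:
        return f"{name}: ASF container carrying redirect {urls}, masquerading as .{ext}"
    if ext and kind not in ("unknown", ext):
        return f"{name}: content is {kind} but extension says .{ext}"
    return None


# Constructed decoy: ASF header, a UTF-16LE redirect URL, then null padding
# (the posts note the real files vary in size because of such padding).
FAKE_MP3 = (ASF_HEADER_GUID + b"\x00" * 16
            + "http://example.invalid/play".encode("utf-16-le")
            + b"\x00" * 4096)
# Constructed genuine-looking MP3: an ID3v2.4 tag header followed by data.
REAL_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb" + b"\x00" * 64

if __name__ == "__main__":
    for fname, blob in (("preview-t-3545425-theme godfather.mp3", FAKE_MP3),
                        ("song.mp3", REAL_MP3)):
        print(classify(fname, blob) or f"{fname}: looks genuine")
```

The check is deliberately content-first: the extension is only used at the end to decide whether the mismatch is worth reporting, and the ASF-with-URL case gets its own verdict because that combination is exactly the decoy pattern described above.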

“You won’t know who to trust”

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:

Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by means of “detecting” bogus infections on the system and frightening the user into buying the rogue software in order to clean the fictitious malware that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To do this, techniques similar to those used in product marketing are often involved. Responsible browsing practices can include identifying when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature; however, being able to tell when these methods are utilized can sometimes help one to know when to ask more questions about the motivation or intentions behind the tactic.

Do some quick research:
If something does flag one’s attention, it may be worth the effort to do some quick investigation. Use a well-known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third-party opinions or reviews. This may provide some additional counterpoints that help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.
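The two file-level checks above (does the "infected" file exist at all, and does its timestamp sit right next to the moment the scanner itself arrived) can be scripted. This is an added example, not a McAfee tool: given the paths a suspected rogue scanner claims are infected and the scanner's install time, it classifies each claim as missing, possibly planted, or genuinely pre-existing, and summarizes what that says about the scanner. The 30-minute window and the sample paths are assumptions.

```python
"""Secondary-indication triage for a suspected rogue 'scanner'.
Added example; inputs in the demo are constructed."""
import os
from typing import Dict, List, Optional

DEFAULT_WINDOW_SECONDS = 30 * 60  # assumed: files written within 30 min of install


def judge(exists: bool, mtime: Optional[float], install_time: float,
          window: float = DEFAULT_WINDOW_SECONDS) -> str:
    """Classify one claimed detection from its existence and modification time
    (epoch seconds).  Three outcomes:
      missing       the scanner reports a file that is not on the system
      planted?      the file was written around the time the scanner arrived
      pre-existing  the file predates the scanner and deserves a real look"""
    if not exists:
        return "missing"
    if mtime is None:
        raise ValueError("mtime required for an existing file")
    if abs(mtime - install_time) <= window:
        return "planted?"
    return "pre-existing"


def assess_paths(paths: List[str], install_time: float) -> Dict[str, str]:
    """Apply judge() to real files on disk."""
    verdicts: Dict[str, str] = {}
    for p in paths:
        if os.path.exists(p):
            verdicts[p] = judge(True, os.path.getmtime(p), install_time)
        else:
            verdicts[p] = judge(False, None, install_time)
    return verdicts


def summarize(verdicts: Dict[str, str]) -> str:
    """One-line reading: when half or more of the claims are missing or look
    planted, the scanner itself is the problem."""
    if not verdicts:
        return "no claims to assess"
    suspicious = sum(1 for v in verdicts.values() if v in ("missing", "planted?"))
    if suspicious * 2 >= len(verdicts):
        return (f"{suspicious}/{len(verdicts)} claimed detections are missing or "
                f"look planted: treat the scanner as rogue")
    return (f"{len(verdicts) - suspicious}/{len(verdicts)} claimed files predate the "
            f"scanner: get a second opinion (e.g. an online multi-engine scan)")


if __name__ == "__main__":
    # Constructed scenario: the 'scanner' was installed at the given epoch time
    # and claims these (hypothetical) paths are infected.
    installed_at = 1241704800.0
    claims = [r"C:\Windows\System32\notepad.exe", r"C:\Windows\Temp\trj_x.tmp"]
    results = assess_paths(claims, installed_at)
    for path, verdict in results.items():
        print(f"{verdict:13s} {path}")
    print(summarize(results))
```

`judge()` keeps the decision separate from the filesystem access so the same rule can be applied to a list of paths and timestamps copied from another machine, which is usually how these questions arrive.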

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!! ;)

ISPs and Adware: a Case Study

I recently switched to one of the biggest ISPs in China and leased a 2M ADSL broadband Internet connection. I manually set up a PPPoE connection named “Telecom” in Windows XP, configured to use the username and password I received from my ISP. I tested the connection and found that most protocols (DNS, ICMP, FTP, and even HTTPS) worked fine, but my browsers were always redirected to a special page telling me that I needed to use the special PPPoE dial-up client “ChinaNetClient,” supplied by my ISP, to dial the ADSL connection.

Using Wireshark to sniff the traffic, I determined that HTTP (only port 80) sessions were being hijacked, and this page was being sent to my browser.

At this point I decided to read the EULA in the contract with my ISP (something I should have done beforehand), and found that it says I should use only the special ChinaNetClient to dial my ADSL connection, and that they cannot guarantee that I will be able to access the Internet if I use other clients.

So I downloaded and installed the client software and used the same username and password I used in my Telecom connection.


As expected, the HTTP hijacking stopped. But to my dismay, the ChinaNetClient pushed advertisements to my Windows desktop.  It seems my ISP is eager to introduce its additional services. I don’t like the thought of having to install unfamiliar software just to dial an ADSL connection, much less unfamiliar software that displays unwanted ads. Who knows what else it might bring to my desktop?

So I was determined to learn how to get my ADSL connection working without using the client from my ISP. First I noticed that the client set up another PPPoE connection named “Vnet_PPPoE” in Network Connections, similar to the Telecom connection I manually created. Assuming the ChinaNetClient just uses the Vnet_PPPoE connection to dial the ADSL, I wondered how my ISP’s server knows whether I used the ChinaNetClient.

Using Wireshark again, I found that after the client successfully dials up, it appears to connect to an HTTP server inside my ISP’s network and send some account information.


I suspected there was some authentication server in my ISP’s network waiting to receive the dial client’s authentication information and, once received, telling the hijack devices to skip my IP address. The HTTP session packets seemed easy to forge, so I wrote a small program that would connect to the authentication server. If my suspicion was correct, I should be able to connect using my Telecom connection, then run my program, and hopefully prevent the HTTP hijacking. Alas, it was no use; the hijacking continued.

So I compared the packets my program sent one by one with the packets the ChinaNetClient sent, but I found no differences. Now I was clueless. I clicked here and there in the ChinaNetClient and found nothing unusual. I finally opened the Vnet_PPPoE connection that ChinaNetClient created, and here I did find something unusual. The username in the Vnet_PPPoE properties was just the string “UserName,” not the username I input in the ChinaNetClient UI.

I opened the pcap files I had saved and searched for the username and password sent in the PPPoE dial session. To my surprise, I found that although the Vnet_PPPoE connection sent my real password, the username was not exactly the username I got from my ISP. It wasn’t “UserName” as displayed in the Vnet_PPPoE properties either. It added two special characters (“~l”) to the username I got from my ISP.

So I modified the username in my Telecom connection to the username I found in the packet captures, connected, and sure enough the hijacking stopped. It seems my ISP keeps two usernames for me. If I use the original username, it will prevent me from accessing Internet Web sites and ask me to download and install the ChinaNetClient software, so they can push what they want to my desktop.

After being able to access the Internet normally, I searched online and found many discussions on this topic. Apparently the ISP adds different additional characters to usernames in different Chinese cities. Others found the real username recorded in the event viewer of Windows.
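The decisive step in the case study above was reading the username straight out of the PPPoE authentication exchange in the capture. As an added example (not the author's program, not McAfee code), here is a parser for that exchange over a constructed frame: it walks Ethernet, PPPoE session, PPP and PAP headers exactly as RFC 2516 and RFC 1334 lay them out, returns the peer-id sent on the wire, and reports whatever the dialer appended to the configured username. PAP is assumed because the post says the password itself was visible in the capture (CHAP would only show a hash); the credentials in the demo are placeholders.

```python
"""Extract the PAP username from a PPPoE session frame and compare it with
the username the user configured.  Added example; the frame is constructed
here rather than read from a capture, and the credentials are placeholders."""
import struct
from typing import Optional, Tuple

ETHERTYPE_PPPOE_SESSION = 0x8864   # RFC 2516 session stage
PPP_PROTOCOL_PAP = 0xC023          # RFC 1334 Password Authentication Protocol
PAP_AUTHENTICATE_REQUEST = 1


def build_pap_frame(username: str, password: str, session_id: int = 0x0001) -> bytes:
    """Construct Ethernet + PPPoE + PPP + PAP Authenticate-Request (test data)."""
    user, pwd = username.encode("latin-1"), password.encode("latin-1")
    pap_len = 4 + 1 + len(user) + 1 + len(pwd)
    pap = (struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, 1, pap_len)
           + bytes([len(user)]) + user + bytes([len(pwd)]) + pwd)
    ppp = struct.pack("!H", PPP_PROTOCOL_PAP) + pap
    # PPPoE: ver=1,type=1 (0x11), code 0x00 for session data, session id, payload length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_PPPOE_SESSION))
    return eth + pppoe


def extract_pap_credentials(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (peer_id, password) if the frame is a PAP Authenticate-Request,
    else None.  Every length field is checked before it is trusted."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, _sid, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        return None
    ppp = frame[20:20 + length]
    if len(ppp) < 2 or struct.unpack("!H", ppp[:2])[0] != PPP_PROTOCOL_PAP:
        return None
    pap = ppp[2:]
    if len(pap) < 4:
        return None
    pap_code, _ident, pap_len = struct.unpack("!BBH", pap[:4])
    if pap_code != PAP_AUTHENTICATE_REQUEST or pap_len > len(pap) or pap_len < 6:
        return None
    pos = 4
    ulen = pap[pos]; pos += 1
    if pos + ulen + 1 > pap_len:
        return None
    user = pap[pos:pos + ulen].decode("latin-1"); pos += ulen
    plen = pap[pos]; pos += 1
    if pos + plen > pap_len:
        return None
    pwd = pap[pos:pos + plen].decode("latin-1")
    return user, pwd


def username_suffix(configured: str, on_wire: str) -> Optional[str]:
    """Characters the dialer appended to the configured username, if any."""
    if on_wire.startswith(configured) and len(on_wire) > len(configured):
        return on_wire[len(configured):]
    return None


if __name__ == "__main__":
    configured_user = "user123"                      # placeholder, not a real account
    frame = build_pap_frame(configured_user + "~l", "placeholder-password")
    creds = extract_pap_credentials(frame)
    if creds:
        wire_user, _ = creds                         # never print the password
        print(f"configured: {configured_user!r}  on wire: {wire_user!r}  "
              f"appended: {username_suffix(configured_user, wire_user)!r}")
```

Wireshark decodes PAP for you; the value of doing it by hand is seeing that the username the ISP actually authenticates is the one in the PAP peer-id field, not the one shown in the connection's properties dialog, which is why the two can differ.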

Spyware - A Morphing Campaign

Here we are today - several years after Spyware’s nasty head poked through the security landscape in full force - and asking ourselves: What, if anything, has changed? Has the proliferation of the various types of PUPs (potentially unwanted programs) slowed down? Has the nastiness of spyware and its relatives diminished? I say that landscape has simply changed. The gray areas have gotten grayer, and at the same time, the divide between the good and bad has broadened. The adware vendors have cleaned up just enough to appear truly benign, whereas the number of rootkits has flourished. There are many ways to sidestep legitimate detection, and the PUP vendors are becoming more and more deft at this in a number of different areas. If you’d like to explore more on this topic, please see our recently released whitepaper discussing the morphing campaign of Spyware.

Blurry lines of privacy

I’ve been fascinated by a couple articles by Cory Doctorow on the difficulties inherent in the popularity of Social Networking sites like Facebook, and the differences between “Myware” and “Spyware”. There’s a lot of food for thought here, primarily regarding the difficulties in assessing another entity’s intent.

As someone who tries to assess intent for a living, I’m immersed in this difficulty on a daily basis. Even if an application developer has a perfectly legitimate intent, the person who is using the application may have another purpose entirely - is the program built such that it can prevent such unauthorized use? This sort of dilemma is what led to the classification of “Potentially Unwanted Programs” - either a program’s original intent falls too far into the grey area or we see an instance where a clearly helpful administrative application is being used in a way that is clearly malicious in intent.

Instances like the XCP Sony DRM rootkit and Sears’ use of the Comscore application really underscore the problem. From the companies’ perspective, they’re doing something perfectly reasonable and harmless to the user. People who find these applications on their machines may feel otherwise, and they may feel that the applications’ actions are inadequately documented or simply intrude too far into the user’s privacy.

The privacy line gets even thinner and more blurry with Social Networking sites, where a certain lack of privacy is inherently part of the equation and generally considered desirable. You can share personal information, pictures, music taste, etc. with all your friends, in one simple, efficient maneuver. It seems perfectly reasonable and simple, given the assumption that “friendship” is a simple black and white matter. Few things in life are ever so simple.

A friend of mine recently joined a Social Networking site, thinking it would be all about that simple, efficient sharing maneuver. She put all her contact information up, and made it viewable only by her friends. What harm could there be in that? (I talked her into removing it a few minutes later.) Fast forward to a few days later, when she received a friend request from someone in her past whom she had once had reason to fear for her physical safety. She had absolutely no desire to be in contact with this person, but there was no way for her to completely block this person from viewing her profile, and for various reasons she felt unable to reject the request directly. She’s more or less given up on this site as a result of that incident. Thank goodness she’d already removed her contact info!

There really is no simple solution to the problem of the thin, blurry line of privacy. There’s no silver bullet that will magically make everyone’s internet experience totally warm and fuzzy. I think the most important thing to take away from this is that we need to constantly be vigilant about maintaining our right to privacy, and to push companies to give us the granularity that lets us decide when and with whom we’ll share our information.

Stay on Main Street for iPhone apps

Unlocking your iPhone so that you can install third party applications can be fun. Using the Installer.app application on the iPhone and its default repository you can install utilities, games, and other applications. By adding additional repositories to the Installer, it is possible to gain access to a much greater quantity of software.

Occasionally, if you’re not careful you can end up installing malicious software from a bad repository. This happened to a number of iPhone owners a few days ago.

An application calling itself “iPhone firmware 1.1.3 prep” claims to be a tool to prepare your iPhone for the upcoming iPhone update. It actually installs another separate legitimate utility. The damage occurs if you already had the utility installed and you want to remove the false firmware update “prep” tool. Uninstalling the fake tool just uninstalls the real utilities.

Information from the STE Packaging repository site and its owner details how the “prep” tool functions and how it was distributed. Users who added the jmwiki.com repository site to Installer.app were offered the “prep” tool and two other similar packages. It was determined that the malicious repository and applications were created by an 11 year old. The child’s parents were informed and the repository was taken down.

Phone modification (changing the OS, reflashing, unlocking, etc.) can sometimes be dangerous. While corrupting a firmware upgrade for a mobile device might be possible, it is not surprising that someone has created much simpler malicious installation files. On the Symbian platform we have seen quite a few malware families, such as SymbOS/Skulls and SymbOS/Appdisabler, that disable or overwrite legitimate applications upon installation.

Users can avoid such problems by:

  • Acquiring software only from trusted sources
  • Installing only official firmware updates

Zango has a Secret Crush on you!

Well, Zango is at it again, making news with distasteful distribution tactics. They were one of the first groups to get into distributing themselves surreptitiously on MySpace, now they’ve caught on to the growing popularity of Facebook by coupling it with a Facebook App called Secret Crush.

It’s not particularly shocking that this has taken place, it was really just a matter of time given Zango’s previous activities.

My first thought in these situations is how to sum up the situation briefly so it can be used as an explanation how to avoid getting burned by these things. The first problem in this scenario is that it’s sending you to a 3rd-party website to download additional software. This is a huge red flag to me as a security-conscious person, period. But more than that, there’s something much less obviously problematic that really bothers me.

Facebook is quickly becoming full of Apps that require you to send it to X number of friends before you can have their enticing toy. This is, plain and simple, a sleazy social engineering tactic. What do they have to gain by such a scheme? Even if it’s not specifically malware or adware, I avoid these things like the plague. At the very least, I don’t want to be encouraging people to pursue social engineering to achieve App-popularity.

These Socially Transmitted Apps are the Web 2.0 equivalent of Chain Letters and I want no part of it.

GET RICH QUICK? Nothing is less certain!

Many governmental and civil service web sites call people’s attention to chain letters based on the age-old pyramid scheme. The U.S. Postal Inspection Service gives this definition:

    A typical chain letter includes names and addresses of several individuals whom you may or may not know. You are instructed to send a certain amount of money–usually $5–to the person at the top of the list, and then eliminate that name and add yours to the bottom. You are then instructed to mail copies of the letter to a few more individuals who will hopefully repeat the entire process. The letter promises that if they follow the same procedure, your name will gradually move to the top of the list and you’ll receive money — lots of it.

These rip-off schemes reached the Internet a long time ago. Chain letters are now disseminated over the Internet. These rely on copying and e-mailing your contacts rather than the established paper method. Many antispam products are dedicated to intercepting them. Today, people dreaming of “making money fast” can easily find the software that claims to help them do just that by some efficient Internet searching.

These programs supposedly facilitate making secure payments. The below image shows the result of one of these programs (seemingly of French origin) - an e-mail spam attachment for worldwide distribution:


http://vil.nai.com/images/FPBLOG_01_04_07_B.jpg

The basic principle is as follows:

  • Via Paypal, somebody decides to enter the chain and sends 5 Euros to the participant at the top of the list. That participant’s e-mail address is displayed when you run the software,
  • After payment, the recipient is supposed to send back a registration key that modifies the configuration by entering the details of the gullible caller in fourth place, thus altering the list of previous participants,
  • Having done this, the updated file must be sent out to as many people as possible to entice more victims and gradually push the sender to the top of the list.

http://vil.nai.com/images/FPBLOG_01_04_07_A.jpg
Looking at this sample, I asked myself whether we should detect this file or not: it is not dangerous to the computer, it is neither malware nor adware, and the people sending the 5 Euros are acting of their own accord. My personal opinion was thus:

  • It is dishonest. And it is not only my opinion but the one stated by many government agencies,
  • Chain letters and pyramid schemes are illegal in many countries,
  • It seems this program is of French origin and French law forbids these schemes (article L122-6),
  • It uses Paypal and Paypal forbids the use of their system for such activities.

To ultimately battle these types of programs we really need, as usual, to be suspicious whenever someone proposes that you can get rich quick!!!

We detect this Potentially Unwanted Program as Scheme-Ultrate.

Pay Up, Or The Computer Gets It!

OK, having been doing this stuff for a while I’ve seen a fair amount of questionable practices. It takes something pretty unique to get my goat (antivirus researcher pun intended) at this point. That said, what I found Micro Bill Systems doing had my jaw hitting the desk.

Following up on a post to the Grok.org.uk [Full-Disclosure] mailing list, I did some research (and yes, it was legitimate research!) into the billing method used by sexxxpassport.com. Micro Bill Systems (MBS) provides the billing used by the site, and the model is rather unconventional, to say the least.

Sexxxpassport offers a free three-day trial to their adult site. All that is required is download and execution of the “Authenticator” software. (Note: most images link to original resolution versions)

Signup page

Download dialog

The full terms (all 11+ pages) are displayed below this when clicking the link (which consists of that entire underlined text block shown). However, the user is not required to actually view the terms at any point before proceeding. In combination with the fact that the most alarming sections of the Terms begin around page 5, it begs the question of how reasonable it is to assume the user will have fully absorbed and understood them.

Furthermore, by offering access to the services without requiring any billing information it seems very likely the content providers are banking (literally!) on people assuming they can just stop accessing the site before the trial ends, without needing to affirmatively cancel the service, and all will be well. However, that assumption is woefully incorrect.

After three days (in accordance with the Terms), it’s assumed the user wishes to subscribe, and they are charged for 90 days worth of access at “less than 45p per day” (so, somewhere around £40, or approximately $80). Then the popups start.

Terms section 16.6

The frequency and persistence of the popups is actually outlined in the full Terms & Conditions. In fact, it is very explicit about what the MBS software is going to do, with the forcefulness of the billing display ramping up over a few weeks.

Terms section 16.6

Possibly the most alarming item of the Terms & Conditions is in Section 12:

12.5 If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline.

Yes, you read that correctly. They are claiming the right to disrupt and potentially completely disable use of your computer as a means to compel payment. Depending on the current display resolution of the system the locked billing popup can indeed obscure things to the point of making it unusable. The popup window will automatically restore itself if resized or moved. It also carries the “always on top” attribute, so it will cover other desktop elements or application windows. Though the disruption is limited in duration it appears that the daily display count for the billing reminder is reset if the system is rebooted, and so could occur more than once per day.

There are also clauses in the Terms & Conditions where fees can pile up quickly.

Terms Section 20.1

Depending on how you interpret (a), I could see it adding £25 for each day beyond the 7th that you have an outstanding bill. Not versed in accounting, I’m unclear precisely under what circumstances (b) and (c) are to be applied.

The closest analogy I’ve come up with: You’re offered a free trial of satellite radio for your car. Then, a week later, you go to leave for work one morning and find a boot on your car, immobilizing it until you pay up.

The most they should be able to do, in my view, is cut off access to their services and refer the individual to collections. What it appears they are doing is, in my humble opinion, a form of extortion based on the (usually correct) assumption that a person’s computer will be key to many other activities in their daily life. Also, possibly with inadvertent/passive blackmail as a bonus: someone not wanting other family members or a spouse to realize they’ve been surfing for pornography, or perhaps even more dire, someone to see it on a computer at their workplace, and becoming desperate to silence the persistent billing popups.

Faced with such a situation, it is probable that most “customers” would quickly pay to regain control of their systems and avoid possible embarrassment. I strongly suspect the powerful social engineering leverage created by this situation is not accidental.

Additional details are available at the Avert Labs Threat Library page for MicroBillSystems.

Avert Labs’ 2008 Threat Predictions

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

Day in the life of a researcher

Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?

It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.

Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.

Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea - aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”

So how does someone wishing to submit something for analysis go about doing it?

For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?

Getting the whole beast can be a bit more tricky. There’s sort of a continuum of sneakiness, from very spammy looking emails with attachments, to bots which get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.

If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.

Maybe you’re pretty astute and you’ve noticed that after you ran a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files. You’ll want to check for duplicates, to make sure. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation.) If you’re not sure how to create a hash, there are certain programs which can help you. One of my favorites is the CRC option in WinZIP (in Configurations, under the Options menu). This allows you to group by CRC and get rid of any duplicates.
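For readers who would rather script the "one of each unique hash, up to about 10" step than click through WinZIP, here is an added example (not a McAfee tool) that groups candidate files by SHA-256 and picks one representative per distinct content. The in-memory sample set stands in for the "hundreds of randomly named files" and is constructed; `collect_from_directory` applies the same logic to a real directory tree.

```python
"""Group candidate sample files by content hash and keep one copy of each,
capped at a small number for submission.  Added example; the in-memory
sample files are constructed."""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a sample."""
    return hashlib.sha256(data).hexdigest()


def group_by_hash(files: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map each distinct content hash to the paths that carry it,
    in the order the files were seen."""
    groups: Dict[str, List[str]] = {}
    for path, data in files:
        groups.setdefault(sha256_hex(data), []).append(path)
    return groups


def pick_unique(files: Iterable[Tuple[str, bytes]], limit: int = 10) -> List[Tuple[str, str]]:
    """Return up to `limit` (hash, representative path) pairs, one per unique file.
    Groups and representatives are sorted so the selection is reproducible."""
    groups = group_by_hash(files)
    picked = [(h, sorted(paths)[0]) for h, paths in sorted(groups.items())]
    return picked[:limit]


def collect_from_directory(directory: str, limit: int = 10) -> List[Tuple[str, str]]:
    """Hash every regular file under `directory` and apply pick_unique()."""
    def walk() -> Iterable[Tuple[str, bytes]]:
        for root, _dirs, names in os.walk(directory):
            for name in names:
                path = os.path.join(root, name)
                if os.path.isfile(path):
                    with open(path, "rb") as fh:
                        yield path, fh.read()
    return pick_unique(walk(), limit)


# Constructed stand-in for a directory full of randomly named drops:
# three distinct payloads copied under twelve names.
_PAYLOADS = [b"MZ" + b"\x90" * 40 + tag for tag in (b"variant-A", b"variant-B", b"variant-C")]
SAMPLE_FILES = [(f"C:\\Windows\\rnd{i:03d}.exe", _PAYLOADS[i % 3]) for i in range(12)]

if __name__ == "__main__":
    for digest, path in pick_unique(SAMPLE_FILES):
        print(f"{digest[:16]}...  {path}")
```

Hashing the whole file is what matters here: name, size and timestamp all vary across the drops, while identical content collapses to one hash, so the submitter ends up with a small set that still covers every distinct variant.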

In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

AntiSpyStorm: Fake Microsoft AntiSpyware Center pushing Adware !

Adware and Spyware have long been the bane of computer users, probably even more than viruses. Most of the time malware authors employ the age-old art of social engineering to victimize the not so tech-savvy computer users into installing Adware and Spyware. Over time, these people came up with innovative methods to convince a user into installing these so-called AntiSpyware programs.

This time, it’s a fake Microsoft AntiSpyware website that is promoting the rogue AntiSpyware application, AntiSpyStorm. Avert had earlier blogged about rogue AntiSpyware applications like SystemDoctor and we have probably classified several hundred of them, if not thousands. This threat appears to be a successor to the trojan FakeAlert-D.

AntiSpyStorm

This Fake Microsoft AntiSpyware Center page purports to be an “Online Security Scanner” which scans the system for viruses and spyware. After the bogus scan, the user is presented with a dubious and falsified list of Trojans, after which the user is prompted to download and install an ActiveX control to remove the threats.

The infection starts when the unsuspecting user installs the ActiveX control. The trojan hijacks the Internet Explorer home page and shows fake alerts and exaggerated security threats that push the user into installing a trial version of the AntiSpyStorm product.

After installation, the product offers a free system scan. The scan report is exaggerated and lists false errors as actual threats. Once the user is scared into believing these threats are real, AntiSpyStorm offers to download the full version and tricks the victim into entering credit card details.

I have put together a short video which shows how an unsuspecting user could get infected.

The rogue Anti-Spyware is detected with the current DATs as Adware-AntiSpyStorm, and the fake ActiveX control is detected as FakeAlert-T.

Unsafe Advertisements? Watch out for the fake yellows!!!

Browsing my webmail account on one of the biggest providers in Italy, I was hit by this pop-up message:

msgbox-1

The cause of the JavaScript pop-up was the banner at the top of the page, urging me to download and install the SystemDoctor software.

MainPage

I’m familiar with the brand, it’s an application that claims your computer is full of errors and then asks you to buy the registered version to clean them.

To verify, I followed the link and installed the software, which found 375 “severe errors” on a crystal-clean Windows XP installation, including marking as “critical errors” files dropped by the installer itself, perfectly legitimate registry keys, etc. Asking for money to remove imaginary errors is, I would say, questionable behavior.

So the questions of the day are: “Should web service providers police their ads? Should they make sure paid banners are safe for their viewers? And will this trend of malware writers using paid ads to distribute malcode continue?”

Stuck between a rock and a virtual place?

There are two trends which seem to be heading for an inevitable conflict.

  • increasing use of virtualization in the marketplace
  • increasing detection of debuggers and virtual environments by malcode

Virtualization, while once a relatively small market, is expanding, driven by cost cutting, affordability and disaster recovery, to name just a few factors.  Large players (VMware, IBM, Microsoft and others) offer competing platforms to serve that need.  Public information and general interest suggest a moderate rate of adoption.

On the other hand, malware is often wrapped in a protector with anti-VM checks (e.g. Themida), or carries its own code to detect the virtual environment (e.g. Nuwar) and then simply exits.  This has been generally increasing, in an attempt to frustrate security researchers, who find virtual machines a convenient way to analyse malware quickly.
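To make the “detect the virtual environment” step concrete, here is an added example of the kind of artifact check such code performs. It is not code from Nuwar, Themida or any other sample named in this post; it collects the three classes of giveaway that are most often looked for (firmware vendor strings, the hypervisor flag that Linux derives from CPUID, and NIC vendor prefixes) and keeps the decision logic separate so it can be exercised with constructed input. The marker strings, OUI prefixes and file paths are this example’s own assumptions.

```python
"""Flag the artifacts that give away a virtual machine.

Added example, not code from Nuwar, Themida or any other sample the post
names: these are the commonly documented checks (firmware vendor strings,
the CPUID "hypervisor" flag as Linux exposes it, NIC vendor prefixes) that
VM-aware malware tends to use before deciding to exit. Marker strings, OUI
prefixes and file paths are the author's assumptions for this example.
"""
import os
from typing import Dict, Iterable

# Strings hypervisors leave in SMBIOS/DMI vendor and product fields.
VM_MARKERS = ("vmware", "virtualbox", "qemu", "kvm", "xen", "bochs",
              "parallels", "virtual machine")
# MAC address prefixes (OUIs) registered to VMware, VirtualBox, Xen and Hyper-V.
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69", "08:00:27",
                   "00:16:3e", "00:15:5d")
DMI_FILES = ("/sys/class/dmi/id/sys_vendor",
             "/sys/class/dmi/id/product_name",
             "/sys/class/dmi/id/board_vendor")


def classify(dmi_strings: Iterable[str], cpu_flags: Iterable[str],
             mac_addresses: Iterable[str] = ()) -> Dict[str, bool]:
    """Pure decision logic, testable with constructed input.

    dmi_strings:   firmware vendor/product strings
    cpu_flags:     CPU feature flags; Linux adds a synthetic "hypervisor" flag
                   when CPUID leaf 1 reports a hypervisor present
    mac_addresses: interface MACs; VM NICs come from a handful of OUIs
    """
    lowered = [s.lower() for s in dmi_strings]
    dmi_hit = any(m in s for s in lowered for m in VM_MARKERS)
    flag_hit = "hypervisor" in {f.lower() for f in cpu_flags}
    mac_hit = any(m.lower().startswith(p) for m in mac_addresses
                  for p in VM_MAC_PREFIXES)
    return {"dmi_vendor": dmi_hit, "cpuid_hypervisor": flag_hit,
            "mac_oui": mac_hit, "likely_vm": dmi_hit or flag_hit or mac_hit}


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read().strip()
    except OSError:
        return ""


def collect_linux() -> Dict[str, bool]:
    """Gather the three artifact classes from a Linux guest and classify them.
    Every source is optional, so the call is safe on a host that lacks them."""
    dmi = [_read(p) for p in DMI_FILES]
    flags = []
    for line in _read("/proc/cpuinfo").splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1].split()
            break
    macs = []
    net = "/sys/class/net"
    if os.path.isdir(net):
        macs = [_read(os.path.join(net, i, "address")) for i in os.listdir(net)]
    return classify(dmi, flags, macs)


if __name__ == "__main__":
    print(collect_linux())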

VM technologies will present their own security hurdles, but in the short term these trends probably make virtual machines safer (at least from a malware perspective) than physical ones: a sample that refuses to run under a hypervisor does not infect the guest.  Eventually these trends will force malware authors to make a decision: write code that is harder for security researchers to analyse, or expand platform support to virtual environments.

Hide me Sony one more time!

File this one under “Déjà vu all over again”. After learning from F-Secure of shady rootkit-like activities noticed in the software packaged with several Sony USB drives, we were at first a bit amazed. After all that had occurred with the audio CD episode, could this really be true? Well, it was.

Among nasty rootkits, the ones that top the chart are those that use blended techniques to hide or protect themselves. I/O request packet (IRP) filtering is one kernel-mode rootkit technique that is gaining popularity, alongside the already common Service Descriptor Table (SDT) hooking.

Sony’s MicroVault USB media ‘Fingerprint Access’ software uses programs and device drivers developed by Fineart Technology Co. Ltd. The Fineart device driver installs as a file-system filter driver on top of the existing driver stack. It also patches the Service Descriptor Table to hook NtEnumerateKey, so it can filter registry key enumeration as well. Once in place, every file system request passes through this driver, and it can easily hide any directory or file. Following is a WinDbg snapshot showing the device stack (the !devstack command on the file-system device object lists every attached filter, which is how a driver like this shows up even when its files are hidden from directory listings).

Windbg snapshot
Figure 1 - \Driver\FG adds itself on top of the driver stack for file system IO.

The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives. However, in this case (*cough* AGAIN! *cough*) the authors apparently did not keep the security implications in mind. The executable can be placed in potentially any directory, and when executed it hides all the folders and files within that directory!

As a test we placed the binary in %windir%. Upon launch, all the files and subdirectories, including system32, were indeed hidden, and none of them showed up in a directory listing any more. We could no longer run simple utilities like ‘regedit’, ‘notepad’ or ‘cmd’ from the Start menu’s Run dialog, as the Run dialog could not locate them in the cloaked directory, although one could still open a file by its fully qualified path. Fortunately, the executable by itself does not add an entry to the registry Run key or establish any other startup method, so the hidden objects are accessible again after a reboot. However, the device driver component is loaded again after reboot, so at that stage it is a simple matter of re-executing the binary to hide directories and files.

The publisher may argue that the default installation path is %windir%\[some directory], but that does nothing to stop malware authors from copying the binary to an arbitrary directory of their choice and executing it there. Alternatively, they could simply hide their malicious creations in the default installation directory itself. Another easy hack for malware authors would be to launch the binary from their chosen directory and add a startup entry for it, ensuring the directory is hidden immediately on boot-up.

Here is a snapshot of VirusScan in action. VirusScan detects the device driver as HideVault!sys and removes it, disabling any potential cloaking after the next reboot.

VirusScan in Action

Sadly, it appears that expediency of function has again trumped forethought of consequences in one of Sony’s creations.

BlackHat Musings, With a Small Rant Thrown In

Yesterday was a rather interesting day for several reasons. I had the opportunity to attend several briefings (which I will get to in a moment), schmooze with vendors (always fun), but best of all socialize with old friends from the old skool (translation: act like a pirate).

The vibe has been changing at BlackHat for quite some time now. It has for several years been becoming more mainstream and (dare I say it) even respectable. Don’t get me wrong: So far the presentations have been good and many of the security industry’s best minds put in a good showing; but there is a difference from years past. IMHO many of the topics seem soooo 10 minutes ago. Same people talking about the same stuff. Blue Pill and Vitriol…100% Detectable vs Nothing is 100% detectable…Pen Testing…Fuzzing…Wireless pwning. … Some new techniques but nothing really that has not been discussed before. So far I have come away with the thought that they are saving the really good stuff for another convention. And the fed has never been easier to spot.

I tend to judge security research by what its impact on malware will be. Will it create more malware? Will it create better malware? How will this hurt users or impact the enterprise? Will this result in easier zero-day creation? Will this allow malware to be more stealthful? That kinda thing…I sometimes wonder if most of the researchers consider that type of impact from their work; or do they ignore that aspect of it?

More in a bit…

300,000 malicious items approaching fast

Later this week the malware count will most likely pass the 300,000 barrier for malicious items.

Malicious items have come and gone over the years, but some remain persistent. The types of malware are not constant but evolve over time. From the late 80s till the early nineties they were mainly 16-bit MS-DOS .com and .exe file infectors and boot sector infectors.

From 1995 to 2000, VBA macro code was dominant: at first it spread as a side effect of people unknowingly exchanging infected .doc/.xls files; later the macro code would read every entry in the Outlook address book and mail itself out automatically.

From 2000 to 2003, JavaScript/VBScript items along with 32-bit PE files were dominant, and exploits and multi-component malware began to appear.

From 2004 onwards, binary mass-mailing worms were the topic of the day, overloading many Exchange servers. On some occasions we even had to raise the risk level to “Medium” multiple times a day. Luckily, the Netsky/Bagle wars are over.

From 2005 onwards, the shift went to bots and Trojans, while adware, spyware and phishing attempts grew.

Bots are especially problematic, as they are so hard to fight. Bot networks were mainly used to distribute adware/spyware, but on some occasions also for DDoS attacks, for “fun” or, worse, for ransom. Although we still see many bots appearing, they don’t seem to be that dominant any more. Nowadays the focus is more on obtaining money through adware and Trojans, but there is also a lot of spyware, and specific targeted attacks are more common.

So even though the general public no longer hears as much about outbreaks as it did during the Netsky/Bagle wars, malware numbers still grow very fast, through quieter methods: adware, spyware and targeted attacks.

In 2000 we had a little over 50,000 malicious items. That figure went to 100,000 in 2003. In August 2006 we passed the 200,000 barrier, and almost exactly one year later, in August 2007, we will be passing the 300,000 barrier. With these huge numbers appearing, sample handling can no longer be done by humans alone. It also continues to raise many questions around the naming of malware.

When Is WhenU MeMe?

Following up on a tip from my colleagues at McAfee’s SiteAdvisor, I examined an interesting piece of software recently from a provider I’d not heard of before, a product called “MeMe,” made by MeMedia, Inc.

The installation was immediate upon launching the installer, with no EULA or other notification displayed until the software was running. The MeMedia Web site suggests the software is intended to supplement a user’s browsing and general use of the Internet by tracking usage (locally, the software assures) and then proactively searching out and alerting the user to additional content that matches the interest categories that MeMe has identified. The term “meocentrism” is cutely coined on the product’s web site to describe this. I also read a notice that the software may be used “in support of free software,” suggesting potential bundling. Oddly, visiting MeMedia’s home page results only in a page with a logo and “coming soon,” though several subpages are accessible and the software appears to be available and functioning. The interface is designed to resemble a three-dimensional cube, and uses many shadow and animation effects:

Peeking under the hood, I grabbed some of the network traffic to verify that no user-browsing data was in fact being transmitted. I was surprised to find communication with servers in the whenu.com domain, and even parameters being passed in HTTP transmissions such as “&app=whenusave.” Save! (also incarnated as “SaveNow”) is an advertising client product made by WhenU. I did not note any personally identifiable data being transferred to remote systems during a few limited tests, but the indications point to a mechanism similar to what WhenU uses in its advertisement products (running search terms against a local database to preclude the need for sending user data from the local system). It appears that the MeMe software is somehow leveraging WhenU’s infrastructure. Along with many overlapping IP addresses and DNS records, we have indications that MeMedia is in partnership with or wholly owned by WhenU.
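The kind of check described above (capture the client’s HTTP traffic, then look at who it talks to and what it sends) is easy to turn into a small triage script. The following is an added example and not the MeMe client or any McAfee tooling: it parses a raw HTTP/1.x request, pulls out the host and the query or form parameters, and flags contact with a known advertising domain, an “app” parameter that identifies the client (the post saw app=whenusave) and parameter values that look like browsing data rather than opaque tokens. The sample requests are constructed; the paths, the second and third hosts and the domain denylist are this example’s own assumptions.

```python
"""Triage captured HTTP requests from a suspect client.

Added example, not the MeMe client or any McAfee tooling: it parses a raw
HTTP/1.x request, extracts host and parameters, and flags contact with a
known advertising domain, a self-identifying "app" parameter (the post saw
app=whenusave) and parameter values that look like browsing data. The
requests below are constructed; the domain list and paths are assumptions.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

AD_DOMAINS = ("whenu.com",)                        # assumed analyst denylist
URL_RE = re.compile(r"^https?://", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def parse_request(raw: str) -> Dict:
    """Split a request into method, host, path and merged query/form params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    host = (headers.get("host") or parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "host": host, "path": parts.path, "params": params}


def triage(raw: str) -> Dict:
    """Return the parsed request plus a list of human-readable findings."""
    req = parse_request(raw)
    findings: List[str] = []
    host = req["host"]
    if any(host == d or host.endswith("." + d) for d in AD_DOMAINS):
        findings.append(f"ad-network host: {host}")
    for name, values in req["params"].items():
        for value in values:
            if name.lower() == "app":
                findings.append(f"client identifies itself as app={value}")
            if URL_RE.match(value):
                findings.append(f"param {name} carries a URL (possible browsing data)")
            elif EMAIL_RE.match(value):
                findings.append(f"param {name} carries an e-mail address")
    req["findings"] = findings
    return req


# Constructed sample traffic, modelled on what the post describes.
SAMPLE_REQUESTS = [
    "GET /ping?app=whenusave&ver=1&cat=sports HTTP/1.1\r\n"
    "Host: www.whenu.com\r\nUser-Agent: MeMe\r\n\r\n",
    "POST /report HTTP/1.1\r\nHost: stats.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "uid=abc123&ref=http%3A%2F%2Fnews.example.invalid%2Fvick",
    "GET /update.xml HTTP/1.1\r\nHost: updates.example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        r = triage(raw)
        print(r["method"], r["host"], r["path"], r["findings"] or "clean")
```

Feed it the requests from a proxy or packet capture one at a time; a parameter that carries a URL the user just visited is the clearest sign that browsing data is leaving the machine, whatever the vendor’s privacy page says.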

Crossing into speculation, I find interesting the apparent repurposing of adware infrastructure as a “usage assistant”; something to help a user find content on general topics of interest rather than simply pushing comparative product offers. The vendor achieves the same goal of connecting a user with specific content; MeMedia could easily define and control the data set that the client software could search to find the user’s identified interests. Vendors could feasibly monetize additions to such a content repository as well as more direct targeted advertising. If my speculation is correct, such a scenario–though not far removed from traditional push-advertising models–might at least be better accepted by users. Although the field of data such a “meocentric” digital helper could sift through might really be a walled garden of sponsored content, the idea seems less intrusive than a pop-up hawking a widget.

On my test environment, which is essentially clean of any usage data, MeMe “found” an article on Michael Vick for me after running for several minutes. This occurred even without my doing any browsing or other activity. I later found that several terms were apparently hard coded into the installer package (ExecuteParameters="/i\"rock;Chicago Bears;Serena Williams;Michael Vick\""), ensuring that the recipient would at least have some “interests” about which content could be “found” right off the bat.

It’s awfully kind of them to look out for us boring folk.  ;-)

Malware Marketing MalwareWipe

As we know, proper marketing is crucial for any product to grow. Online, several potentially unwanted programs (PUPs) like Adware-MemWatcher, Adware-Look2Me and Adware-Apropos have come up with their own strategies, which include monitoring a user’s browsing habits to learn the user’s interests and displaying pop-up ads accordingly.

Here is a case where a PUP named MalwareWipe is marketed by a trojan called Puper. The strategy begins with Puper dropping its supporting files on the user’s system for further action and then displaying hoax balloon messages as shown below:

The trojan will often direct more hoax messages at the user about their system being vulnerable:

This trojan has a wide variety of hoax virus alert messages to make the user feel more insecure, as further shown:

If the user clicks on the OK button, the trojan directs the user’s browser to a MalwareWipe page, similar to the one shown below. This is detected as the potentially unwanted program called Adware-Malwarewipe.

We caution web users to be aware of these hoax alert messages seen while surfing the web as we continue to protect our customers against such social engineering attacks.

Could you face prison time for not cleaning your Spyware-infected PC?

We’ve seen the many cases of Spyware-makers being brought to justice and paying hefty fines because of their immoral practices and ill-gotten gains. (We hope to see more of these cases thanks to the work of the FTC, CDT, and Anti-Spyware Coalition)

We’ve seen cases of corporate espionage, like the Israeli couple who are serving time in prison for making spyware and charging companies for their services of spying and stealing data.

We’ve even seen cases of people who used spyware to spy on their spouses getting thrown in jail, as in the case of the “Jealous Spyware Husband”, who spent £100 on spyware to monitor his wife because he thought she was cheating on him, and eventually killed her. He is now serving a life sentence.

But this is the first case I’ve seen where someone may receive prison time for negligence in not removing spyware from a PC. In Norwich, CT, a substitute teacher faces prison time because the classroom computer she was teaching with was infected with spyware, and the pop-ups it generated exposed her 7th-grade students to pornographic images. Julie Amero was convicted on Friday, January 5, 2007 of four counts of risk of injury to a minor and faces a maximum sentence of 40 years in prison.

Is it not bad enough that spyware-makers are stealing our identity, capturing our data, annoying us with pop-ups, slowing down our Internet connection, and crashing our PCs? Now they are making their victims liable for the crap that they insidiously put on our computers!

EULA-wocky

End User License Agreements, those infamous instruments of legal pretzelism, have broken the logic barrier and are beginning to collapse into a nonsensical linguistic singularity. A bold claim, you say? I have evidence! This is a direct quote from an adware-related EULA I recently encountered:

Special Notice for Non-English Speakers:

The Licensed Software is suited primarily for the use of English speakers and, therefore, this License Agreement is written in English and is addressed to English speakers. If you are not proficient in English and feel that you cannot properly understand this License Agreement, we recommend that you either retain the help of an English speaker to help you understand and accept the terms of this License Agreement or, alternatively, refrain from installing or using the Licensed Software. In any event, if you choose to install or Use the Licensed Software, you will be bound by [the] License Agreement and the Privacy Policy incorporated herein.

Producing a mental experience similar to that accompanying contemplation of the interstellar void or the size of the US national debt, the mind is confounded here not by huge distances or sums, but by raw logical absurdity: lengthy, multi-clause legalese sentences carefully describing, in English, what you should do if you don’t understand English.

At least they include the suggestion that you get a translator to help you read it. How thoughtful!

McAfee Avert Labs Blog End Reader License Agreement:
By reading this blog post you agree to accept any unsolicited slithy toves that may result in the wabe, regardless of whether brillig conditions prevail. You additionally release McAfee from any and all liability should your borogoves become mimsy. :-)

So, how does one write mobile spyware?

Some helpful soul has decided there isn’t enough Symbian spyware in the world. A Russian malware author has released a prototype of SMS forwarding spyware, SymbOS/Htool-SMSSender.A.intd. He’s included the source code to aid in modification.

The author, let’s call him Scripty, says that SymbOS/Htool-SMSSender.A.intd can:

  • Hide from the user
  • Load on startup
  • Copy the text of the last SMS you received
  • Send that text in a new SMS to the author

SymbOS/Htool-SMSSender.A.intd performs the first three steps well, but it fails to do the last. Looking at the source code, it appears Scripty didn’t write the SMS sending code. Scripty, though apparently unskilled, believes the source code will be useful to other malware authors for constructing their own SMS spyware.

Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware.

Every Doctor is not Spyware Doctor

Readers of my earlier blog “404 not just “File Not Found”” wanted more information on how the potentially unwanted program “System Doctor” gets installed, so this post focuses on that program’s behavior.

System Doctor tries to fool users with images that mimic a legitimate product from PC Tools called “Spyware Doctor”, as shown below:


Installation on the victim’s machine is via an ActiveX control, as shown below, which needs the user’s interaction:

Upon installation, System Doctor scans the user’s system and displays an “Error Message” box as shown below:

If the innocent user clicks on the “Repair Now” button, they will be redirected to another page, where they are asked for credit card details:


In my previous blog the product was incorrectly reported as “Spyware Doctor” instead of “System Doctor”. Further research and discussion established that the software is in fact “System Doctor”, a rogue software product that attempts to leverage its similarity to the Spyware Doctor name. The blog entry has since been corrected. As confirmed in discussion with PC Tools, PC Tools and Spyware Doctor have no affiliation with System Doctor.

We caution web users against entering their card details and CVV number into these masked “doctors” encountered while surfing the web, as we continue to protect our customers against such social engineering attacks.

404 not just “File Not Found”

The HTTP status code 404 tells the client that it reached the server, but the server could not find the requested resource. To a naive user this pretty much means “Let’s move on!”

We present the following information to warn users of a social engineering attack currently in vogue with several malware authors. McAfee Avert Labs recently evaluated a website called 404dnserror(dot)com. At the time of writing, the website serves a “fake” 404 File Not Found page. A closer look at the error page, as depicted below, shows that the server tries to install an ActiveX control; the installation message claims the page is unavailable because it is blocked by adware/spyware, and proposes installing a security product called “System Doctor” to remove it.

Further analysis of System Doctor reveals this is actually a flavor of the “WinFixer” application that claims to fix registry and hardware errors or to clean adware/spyware.
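A genuine 404 page has nothing to install, which gives a simple check for pages like this one. The following is an added example, not McAfee’s site scanner: it parses the HTML, collects any <object> tags and their codebase download URLs, and combines that with the HTTP status and the page’s own wording to decide whether an “error page” is really an installer prompt. The sample page, its all-zero placeholder CLSID and the codebase URL are constructed for this example.

```python
"""Spot "error pages" that try to push an ActiveX install.

Added example, not McAfee's site scanner: a genuine 404 page has nothing to
install, so a page that answers 404 (or whose text claims to be one) while
embedding an <object> with a codebase download is worth flagging. The sample
page, its null CLSID and the codebase URL are constructed for this example.
"""
from html.parser import HTMLParser
from typing import Dict, List

ERROR_PHRASES = ("404", "not found", "cannot be displayed")


class _PageScanner(HTMLParser):
    """Collect <object> tags and visible text in one pass."""

    def __init__(self) -> None:
        super().__init__()
        self.objects: List[Dict[str, str]] = []
        self.text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            a = {k: (v or "") for k, v in attrs}
            self.objects.append({"classid": a.get("classid", ""),
                                 "codebase": a.get("codebase", "")})

    def handle_data(self, data):
        self.text.append(data)


def find_activex_objects(html: str) -> List[Dict[str, str]]:
    s = _PageScanner()
    s.feed(html)
    return s.objects


def assess_error_page(status: int, html: str) -> Dict:
    """Combine the HTTP status, the page's own wording and any embedded
    installable objects into a verdict."""
    s = _PageScanner()
    s.feed(html)
    text = " ".join(s.text).lower()
    claims_error = status == 404 or any(p in text for p in ERROR_PHRASES)
    # an <object> with a codebase is a download-and-install request
    installers = [o for o in s.objects if o["codebase"]]
    return {"claims_error": claims_error, "objects": s.objects,
            "installers": installers,
            "suspicious": claims_error and bool(installers)}


# Constructed sample modelled on the page described in the post.
SAMPLE_PAGE = """<html><head><title>404 Not Found</title></head><body>
<h1>404 - File Not Found</h1>
<p>The page cannot be displayed because it is blocked by adware/spyware.
Install System Doctor to remove it.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://example.invalid/sysdoctor.cab#version=1,0,0,0"
        width="0" height="0"></object>
</body></html>"""

if __name__ == "__main__":
    print(assess_error_page(404, SAMPLE_PAGE))
```

The status code is passed in separately because these sites sometimes answer 200 with a page that merely looks like an error, and sometimes a real 404 with an installer bolted on; the check treats both the same way.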

We caution web users against these “fake” error pages seen while surfing the web, and continue to protect our customers against these attacks.

____________________UPDATE DEC, 6 2006_________________________________

“On 5 December 2006 we incorrectly reported that “Spyware Doctor”, published by PC Tools was involved in this scam resulting in the publication of fake error codes to induce end users to download their software (in the above blog titled “404 Not Just “File Not Found””). It has since come to our attention through further research that the software in fact was “System Doctor”, a rogue software product which attempts to trade off its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor.”

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

Unraveling the Financial Web

While the definition of malicious software seems clear, that of Potentially Unwanted Programs (PUPs) is less so.

The first come under the generic title of malware. They are used to steal or destroy information. Even when distributed via games, they can damage the computer system and often remain resident without authorization. Malware is mainly created to cause harm to the target computer; its authors expect to gain notoriety or, more and more often, illicit income. PUPs, on the other hand, are usually made by legitimate corporate entities for specific beneficial purposes (to whom they are beneficial is debatable).

Adware belongs to this category of programs. It installs itself on the user’s machine, collecting marketing data and displaying targeted advertising intended to generate income. Its legitimacy becomes debatable when it alters the security state of the computer on which it is installed, or the privacy posture of the user.

Between 2000 and 2002 there were only about forty adware families. Their number then rose sharply, by more than 1000% in three and a half years: in August 2006 there were more than 450 adware families with more than 4000 variants.

I just finished a white paper describing the main participants in the online marketing domain. It explains the concept of affiliators and affiliates, and the tracking techniques on which the payment systems are built. It analyzes the amounts affiliates can expect to be paid depending on whether they use “soft” or aggressive methods. The former use conventional techniques (pay-per-display, per-click or per-profile) and can expect to receive about $25 for every 1000 positive events produced. On the same basis, adware pay-per-install may bring in up to $150 per 1000 computers.

Following the money, this white paper demonstrates why many low-level delinquents do not hesitate to distribute these programs on a large scale using reprehensible methods.

Now, some “cyber-delinquents” quickly and secretly install thousands of programs each day on target computers without the knowledge of their owners, and are thus able to pocket tens of thousands of dollars each month. The complete study is available here:

Adware and Spyware: Unraveling the Financial Web