Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware–including fake security software, attacks on social networks, and AutoRun USB infections–continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats are evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat reader.

A full copy of the Q4 2009 Threats Report is available here.

The other day, I came across a malware that attempts to hide its infection not in that technical but in the very unique way.

“Muster” is a family of backdoor which has been using help files for hiding themselves. The help files or “.hlp” files are data files designed to be viewed with Microsoft WinHelp browser for providing online helps for applications users. Earlier variants of “Muster” drop encoded copies of main backdoor components in filenames with the extension “.hlp”. These “.hlp”files are later decrypted with Microsoft CryptAPI with hardcoded keys and executed by loaders.

A recent variant “Muster.e” is using help files in a different way. Once installed, it infects to an existing help file called “imepaden.hlp” which is the one of the help files for Microsoft IME. Of course, this infected help file still can be viewed with WinHelp browser in the same manner as the original help file, and users hardly find its infection from the view.

How this is activated upon each machine boot? Muster.e also drops a sys file that is loaded as a service upon reboot. This sys file is responsible for extracting the appended executable file from the help file and copy it to a standalone executable file called “upgraderUI.exe”with the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run AutoPatch, which makes users to believe this is something related to a system update tool. On top of this, the malware authors also have crafted the sys file for deceiving users.

As you can see, this sys file has names like “MyDDKDevice” and “HelloDDK”, and is designed to dump many debug messages and which looks to be a typical test sys file compiled from a sample code in the layman’s guidebook for learning device driver programming. In fact, if you search on these words, you will see lots of web pages describing device driver programming. It is not that easy to tell why authors have created a sys file this way. However, regarding the efforts on hiding backdoors in help files, I don’t think bad guys have bored with creating a sys file from the scratch but more like tricking users that this is innocent.

One of the likely scenarios planned by the malware authors is this. Victims may notice the existences of this suspicious file UpgraderUI.exe and the registry key, and then they will delete the file and registry key. Then they would think they have removed this backdoor successfully. Even if they find the file and the registry key is coming back again and again on each reboot, users will not able to find any other suspicious files. Users will never imagine that the sys file is malicious or the infection to the file imepaden.hlp.

I don’t know if these deception techniques really work, however you might want to add help files to your checklist if your machine is suspected to be infected. McAfee VirusScan with DATs 5861 or later detects and cleans those infected help files and backdoor files.

Day 2 and Night 2 of the 26th Chaos Communication Congress is over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update of the current debate around the Vorratsdatenspeicherung (”data retention”). CCC-spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix ”FX” Lindner changed sides: In a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released a tool for sandboxing .swf files to prevent a class of Flash exploits called Blitzableiter (”lightning rod”). His tool is still work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you.

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly’s and TinyURLs. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask and direct users to malicious sites.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

• Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
• Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
• Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
• HTML 5 and the evolution of the programming language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertantly left off the document. Thanks, Pedro!)

In her recent blog Joanna Rutkowska describes a proof-of-concept code to attack Truecrypt system disk encryption. The blog also mentions “the concept behind the Evil Maid Attack is neither new, nor l33t in any way.” However, because the POC is now published, we expect script kiddies to jump on this opportunity and tweak this code to their advantage.

As always, to protect our customers we looked into a possible AV detection mechanism to alert users in case the system is compromised. Obviously an AV cannot prevent an Evil Maid attack, but alerting a user on the first reboot after such an infection can go a long way in preventing data loss.

We now detect this proof-of-concept code as Trojan PWS-EvilMaid!demo, due to its password-stealing capabilities. We will watch for any future variants that follow this trend. Here is the screenshot of McAfee alerting the user once the machine is infected. We recommend you reinstall Truecrypt if you see this detection.

Protect what you value!

Surrounded by a network of neon lights across the ceiling, walls of computer screens lit with grave headlines regarding our country’s digital dependence–drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage–I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor, an exhibit contributor in the new International Spy Museum exhibit “Weapons of Mass Disruption.”

Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware–as diverse and fluid as Web 2.0 itself. In that stuff is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers garner an understanding of the dark side of cyberspace activity. You know the saying: Keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

I am excited to be involved in the joint industry effort of defining an XML format which will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) and under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should have the link at the top of the list – IEEE ICSG .

There were about 20 people from multiple security companies who contributed to the development of the proposal for the standard and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, IPs will open endless possibilities for improving the security of all Internet users.

For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!

But there are huge benefits even in trivial transmitting of the simplest malware prevalence data:

• If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
• If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
• If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.

Here is how a portion of the XML with meta-data looks like.

If you are interested - the complete XML schema is available here and if you want to get involved please get in touch with your current point of contact at McAfee Labs.

Today Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which they can resell to their crooked clientele while supporting their own illegal businesses.

Our report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. We also discuss the prevalence of such malware, distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today’s economic climate. Offering illegal “work at home” opportunities to desperate job seekers is one way criminals lure the unsuspecting into furthering their illegal activities.

You’ll find our report here in English and eight more languages.

Want to peek inside another one of these infamous password thieves? Let’s have a look at SilentBanker.

Our story starts with browser helper objects (BHOs), which are plug ins for Internet Explorer. BHOs give developers the opportunity to extend the browser’s functionality without their having access to the browser’s source code. That doesn’t sound too bad, as users aren’t forced to rely on the browser’s developers to implement new features. Even if you’re not a developer, it’s seems useful to download any desired extension, whether you want to customize the user interface or be able to read PDF documents directly in the browser, isn’t it? Well, yes and no! The answer depends on the trustworthiness of the BHO’s author, the server you download from, or the DNS server. Unfortunately, not all BHOs are safe applications—the bad guys are always looking for ways to turn originally useful features into a way to deploy their malware, hunting for usable information such as credentials. Silentbanker is one of those nasty password-stealing malware that comes in the form of a BHO.

This is one “helper” you don’t want on your side: Once installed and automatically loaded by the browser, Silentbanker can interrupt communication between your browser and the Internet! The malware is highly configurable and targets online banking users. Silentbanker will not only recognize and monitor online banking activity but may also modify HTML pages to include additional code or to change a transfer’s details. The data thief acts as a “man in the middle” to inspect and modify data before it is encrypted and sent to a server and after it is received from the server and decrypted. Still think you’re secure with SSL? Unfortunately that’s not the case with this freeloader sitting on top of the browser.

The screenshot above shows a pseudocode representation of Silentbanker’s malicious core. The code is responsible for detouring relevant operating system functions to its own malicious routines. This malware effectively kills security applications such as host intrusion prevention systems and others. Before its own malicious detours are installed, the malware disables any previously installed detours by reading a Windows library’s original code from the hard disk (”read_whole_file”), and then mapping it back to the process’ memory (”remove_API_hooks”)—thus rendering security products relying on the same technology ineffective.

Be sure to run McAfee VirusScan and Artemis, and McAfee Gateway Anti-Malware within your corporate network to protect your systems from password thieves.

As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.

The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The attack contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean, the second 6exploits CVE-ID 2009-1862, which causes a memory corruption and allows an attacker’s code to execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection.

The FileInsight screenshot above shows the JavaScript function “lololo(),” which deobfuscates a string holding the actual malicious payload at run time. The function simply replaces any occurrence of the substring “XX” found in “payLoadCode” with the substring “%u,” converting the previously obfuscated string into one that can be “unescaped” to x86 shellcode. Its purpose is to prevent security products from detecting escaped strings that might be an indicator for an exploit. To find out about the payload’s final purpose, we load the final unescaped string into a disassembler:

This shellcode decodes a certain area found within the PDF document, using XOR operation and key 0xF4, writes every piece of decoded data to a file, and finally executes it by calling the WinExec() API function. The resulting file is a UPX-packed executable with an additional layer of a custom packer on top, complicating static analysis of the binary (proactively blocked as “BehavesLike.Win32.ModifiedUPX.J” by McAfee Gateway Anti-Malware). In order to analyze the executable, it first needs to be freed from its packer layers. What we see then is the executable’s ability to drop the DLL mscvr.dll to disk, with file attributes set to “hidden,” so it can’t be seen in Windows Explorer with default settings enabled. And before the malware injects this DLL into memory of the running explorer.exe process, it infects the network diagnostic utility netstat.exe on disk, so the utility will load msvcr.dll each time it runs. The DLL contains a configuration file embedded as a resource, telling the netstat utility to not display certain Chinese hostnames that the DLL is about to phone home to.

The DLL component is aware of several desktop security products. It attempts to terminate them before it collects private data–such as information about the operating system, CPU speed and type, the list of available drives, the logged-in user’s account name, and credentials for several programs (such as MSN Messenger). What is really bad about this piece of malware is its backdoor component. The sneaky code is capable of connecting to its creators, and waiting for instructions telling it what to do next. Next to common backdoor functionality like uploading, downloading, and moving files–which allow data theft and modification–the backdoor also contains a command to instruct the malware to spread to removable drives (as a worm does). This behavior can infect a corporate network, as we all know from the Conficker incident. McAfee Gateway Anti-Malware protects against this targeted attack, proactively blocking the malicious PDF document as “BehavesLike.PDF.CodeExec.EPEO.”

Agreement and collaboration have been two of the greatest challenges the security community has faced from the very beginning. In an effort to address this, The Industry Connections Security Group (ICSG), a new offering from the IEEE, allows like-minded companies to come together to solve industry or business problems that center on information security. Industry Connections is a program under the IEEE that allows for a fast start-up toward industry collaboration. It also offers the support and infrastructure of an established and well known brand—the IEEE itself. This effort will allow the group to focus on the work of security standards and problem solving, rather than being slowed down with issues such as incorporation or intellectual property matters. McAfee is proud to be a founding member of this effort.

The ICSG is a group of computer security organizations that will work together on common goals and industry issues. The key focus of our collaboration is to solve security issues. In the past few years, attackers have shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. ICSG was established, under the umbrella of the IEEE Standards Association (IEEE-SA) Industry Connections program, out of the desire by many of us in the security industry to pool our experience and resources in response to the systematic and rapid rise in new malware being introduced to the market. The bad actors have been able to leverage the underground economy and scale their efforts, they have access to specialist tools and services, and they collaborate and communicate effectively—whereas the security industry has been generally responding to threats as individual entities.

Although there has been some ad-hoc cooperation in the industry in areas such as malware and phish URL sharing, this cooperation has not been standardized or documented in a format that lends itself to systematic improvement in operational efficiency or visibility, or review by people outside the vertical industries. It is this collaborative and communicative gap that the ICSG looks to close. ICSG has been established to look at and deal with a wide variety of security issues in a forum that allows us to engage all types of industry verticals. We also anticipate that we can work with other efforts to help drive security standards in other areas.

ICSG currently has one team, the Malware Working Group, looking at malware, but the organization will add more as needs evolve. Malware growth has been meteoric for the last several years. As such, the Malware Working Group’s primary goal is to solve some of the malware-related issues the industry faces today. The initial focus will be to establish more intelligent ways of sharing malware samples and the information associated with them to make the computer security industry more effective at combating this ever-evolving threat.
The initial members of ICSG are McAfee, Microsoft, Symantec, Sophos, AVG, and Trend Micro. A number of other individuals have been involved in reviewing the initial document produced by the Malware Working Group, from a variety of companies involved in computer security. If you are looking to join or need info, contact us at:

• joinICSG@ieee.org, joinICSGMal@ieee.org, IndustryConnections@ieee.org

Procedures and policies that have been adopted can be viewed here. Information about the Malware Working Group can be found here.

Today we released our Q2 Threats Report. Some old trends have continued. Some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest ever streak of increasing spam volumes. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008 before the takedown of the spam-hosting ISP McColo.

Our researchers also found that over the course of 30 days AutoRun malware had troubled more than 27 million files. AutoRun malware, which exploits Windows’ AutoRun capabilities, does not require any user clicks to activate, and is most often spread through portable USB and storage devices. The rate of detection surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

Some of the other areas we cover and discuss:

Cybercrime as a Service
As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control these bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus–an easy-to-use Trojan creation tool–continue to make the creation and management of malware even easier.

Cybercriminals Target Twitter, Social Networks
Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and abbreviated URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians, such as Britney Spears and Barack Obama and even allowing for the publication of sensitive internal strategy documents on the Web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

To view the McAfee Q2 Threats Report, go here.

I cribbed the title from Megadeth–I admit it. However, when looking at this year’s growth in malware it seems disturbingly appropriate. Global economic downturn or not, malware production continues at a record-setting pace because this is how many cybercriminals make their money. (Malware long ago stopped being about fun and bragging.)

We at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in ALL of 2008. This is quite something when you consider that in 2008 we saw the greatest ever growth in malware:

For you math and data junkies that comes out to an average of 200,000 unique pieces monthly or more than 6,000 daily. Yep–that was over 6,000 on a daily basis. Bear in mind these are malware we consider unique (something we had to write a driver for) and does not count all the other malware we detect generically or heuristically, but we will save that discussion for another post. When you add in the generic and heuristic detections the number becomes truly mind boggling.

Even when compared to the first half of 2008, the growth is almost three times what it was. The sheer growth is even challenging Moore’s Law a bit.

Our latest whitepaper, Financial Fraud and Internet Banking: Threats and Countermeasures, explains how much of this malware can be used to scam and steal from users. The new whitepaper was written by one of our French researchers, François Paget. It can be found here.

There are many reasons why malware continues to grow, but it is mainly a criminal’s game at this point. Malware steals data. The people who write and distribute malware are criminals. Pretty plain and simple to me. The tools and code are readily available and that will certainly not change, but (and this is important) it is also definitely NOT doomsday. Staying educated and updated goes a long way toward safe computing.

A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a common rootkit that is mostly associated with FakeAlert and DNSChanger Trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection and cleaning for this rootkit is Generic Rootkit.d. The techniques of this threat are well known now. It basically uses inline hooks on IofCallDriver, IofCompleteRequest, NtFlushInstructionCache, NtEnumerateKey, etc. This Trojan removes permissions from its registry entries as well.

The malware has a hidden sys file in the system32\drivers directory with a name like skynet*.sys. One can use a rootkit analysis tool or just windbg to restore the inline hooks installed by the malware. Even though the malicious file is no longer hidden after hook restoration, the malware can recreate the file after its deletion. It is common that malware try to “watch” or recreate their components but the curious thing was that File Monitor (filemon) did not show any activity and other API-tracing approaches also didn’t point to anything that could explain the rebirth of this file.

Taking a closer look, we found that the malware uses one of the delayed system worker threads to call, at regular intervals, ZwCreateFile in a loop created using KeDelayExecutionThread. The following figure shows the relevant malware code and thread.

This explains how the file is recreated after its deletion. This thread also watches the malware’s registry. This thread continuously restores the system service descriptor table (SSDT) using the code shown below. So any tracing utility that hooks SSDT to monitor activity would not work.

If it were just SSDT rewriting, then filemon should have reported the file activity. But the malware also removes all filesystem filter drivers; because filemon also uses a filesystem filter, it didn’t report anything. The figure below shows the device stack before and after infection. Note that all filters are removed after infection.

And here is the code that removes attached filters.

Actually the attached device field only for NTFS is nulled out, and the rest of the stack remains dangling.

Figure 3 also shows that not only is the filemon filter driver removed but even the Filter Manager has been effectively removed. Removing all filters and rewriting SSDT will thwart analysis tools that use these techniques but may also break other software as well. Obviously it does not matter to malware as long as its rootkit works in a stealthy manner in most environments. It’s a tradeoff that many malware make and this one has made its choice.

We frequently encounter password stealers and backdoors in computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see these malware directly implemented in banks’ automated teller machines. In these cases, Trojans have to be installed by people who have physical access to the machines. Data collecting and malware removal would need yet another visit or visits. It should seem obvious that such malware installation requires a high level of “cooperation” from the bank staff.

One of the first attacks occurred in Russia more than one year ago. It was announced in January 2009 when Diebold Inc. released a security fix for its Opteva Windows-based ATMs. At that time, the company said some suspects were apprehended. But it seems the gang was not fully dismantled. In May, we heard of new suspicious files discovered in Eastern European ATM machines. The security firm Trustwave published a study concerning this matter. The software had been updated and new virtual robberies had been launched. On June 3,  The Register also raised public awareness by covering the story. 

When active, the Trojan intercepts transactions and records them on log files. To control an infected ATM, the attacker uses dedicated credit cards that allow him to activate some administrative rules. Via the ATM’s display, he can select various options from the keypad to display statistics (numbers of transactions, cards, keys), print collected data, force the machine to dispense all its cash, uninstall the malware set, and reboot the ATM. Unfortunately, I was unable to test such malware in a real environment (I do not have a spare ATM lying around), but looking at the samples is very instructive. As in the previous attacks, the vulnerable ATMs are equipped with the Diebold Agilis 91x software, and the attacker can examine the registry to display version and statistics:

Targeted currencies are the U.S. dollar, Russian ruble (RUR), and the Ukrainian Hryvnia (UAH):

The attacker can also-–through a password-protected routine–control the currency-dispensing ATM cassette:

We are not aware of any such attacks outside Eastern Europe, but we encourage financial institutions to verify the integrity of their ATM systems. Be proactive!

The known versions of this malware are detected by McAfee VirusScan as PWS-BoldDie. Many generic and unclassified versions can be detected under the name Generic Backdoor!bw.

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles…..

We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use it if you can avoid it.

It was very encouraging to see that more than 40 people came to Budapest, Hungary, to discuss and agree on new industry standards as part of the effort undertaken by the Anti-Malware Standards Organization (www.amtso.org.) The awesome historic surroundings set the mood for our discussions.

Seeing such a great turnout in the current economic climate shows how much AMTSO members care about raising the standards of testing anti-malware products. Especially considering the recent rise in the number of rogue security products (such as the now infamous “Anti-virus XP 2009″), it is clear that we need transparent and fair testing more than ever.

AMTSO members finalized and adopted several new documents to the current portfolio. (Have a look at the collection of documents here: www.amtso.org/documents.html.)

But I would like to draw your attention to two papers that, in my opinion, represent very significant steps for the security industry as a whole.

• The first one is “AMTSO Analysis of Reviews Process,” and it presents the process of analyzing reviews. The creation of such a process paves the way to highlight great reviews and/or to expose substandard tests in public. (AMTSO promises to publish all the analyses they undertake.) I really hope that this process, designed to be transparent and fair, will improve the quality of testing and benefit both the developers and consumers of anti-malware technology. If you have doubts that this process is going to be unbiased I will remind you that AMTSO members work for competing security companies, and there would not be a snowball’s chance in hell to agree on the process if it were not designed to be fair. The next step is to put the “AMTSO Analysis of Reviews Process” into practice. I cannot wait to see how it will go.
• “AMTSO Best Practices for Testing In-the-Cloud Security Products” is the second very important milestone. Some anti-virus products started using “cloud” technologies (such as McAfee’s Artemis, which was launched in the beginning of 2008) and the number of cloud-based products is growing; so there is a need to address the fundamental problems associated with testing solutions that are not under the control of the tester. (That is, part of the product is not “in the hands” of the tester; moreover, it can change at any moment in time.) I think it is amazing that representatives of so many competing security companies agreed on fair and scientific principles of how to test cloud-based products. To be honest, when we started this effort we were rather sceptical about finding a sensible way to address all the problems that testers face when evaluating such technologies. The adoption of AMTSO best practices for testing in-the-cloud products means that our brainstorming was successful. I am very pleased to see the agreed results adopted and published. Thanks for that effort go to all the security researchers who contributed to the document and all AMTSO members who voted for it.

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009″ here.

New variants of the StealthMBR trojan aka Mebroot rootkit have recently been spotted in-the-wild. These new variants are significantly different from earlier ones.

StealthMBR has arguably been dubbed as the stealthiest rootkit ever seen. The new variants are using even ‘deeper’ techniques to evade detection. Broadly speaking, they are hijacking kernel objects (device object) to filter out access to the master boot record and prevent detection and repair. As opposed to earlier variants, which installed lower level hooks on the IRP table of \driver\disk, these new variants are able to hook the IRP table of an even lower driver. And these hooks too are not present all the time but only installed on an on-demand basis. The hijacked disk device object is used to facilitate this. Detection is not the only problem; this threat also poses cleaning challenges by installing watching mechanisms to re-infect the machine. The following image show what an infected MBR looks like. Booting off of an external medium and inspecting should reveal the infected MBR.

The following image shows hijacked kernel object for disk device.

Once installed this threat does not require any file or registry entry to sustain itself on the compromised machine. But for installation to occur there is a dropper executable which has also changed as compared to older variants. The detection for new droppers is added as StealthMBR.a. The good thing is, we already had proactive detection for some dropped files as PWS-JA.gen.a. This should help identify problems and prevent users from getting infected in the first place. We have also developed a solution for detecting and removing this threat once a machine is compromised. It is currently under QA and will be delivered through regular DAT updates very shortly.

While we are on this subject, we also wanted to plug an upcoming webcast. We will be discussing the workings of StealthMBR rootkit and how we deliver solutions for complex threats like these through regular DAT updates without the need for special stand-alone tools. This webcast will also cover the current rootkit trends & techniques. Come and learn about how to prevent rootkit incidents in your environment and how to tackle such incidents if unfortunately they do occur. See you there!

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

Here’s another twist in regionally targeted attacks: A new Trojan (pretending to be a toolbar installer) is spreading that bundles the legitimate toolbar for the German social network “StudiVZ” with a variant of Backdoor-CEP. Among other malicious activities, the backdoor is capable of recording a user’s screen, taking screenshots, and logging keyboard strokes. At first glance, the deliberately modified installer looks perfectly harmless, especially because it refuses to do anything malicious if it detects certain security products or if it thinks it’s being observed through a sandbox or a debugger.

Behind the curtain, however, a lot of non-kosher things happen. The installer injects parts of the bundled malicious code into running processes or starts a legitimate process in suspended state, and then unmaps its content and remaps different, malicious content to the process before resuming it again. The malicious code is hard to detect because it is decrypted and injected into memory and never written to disk.

After the toolbar’s installer has finished, it automatically runs an instance of Internet Explorer to open http://studivz.net, which is the social network’s login site. With the newly installed toolbar clearly visible now through additional controls and logos on top, the user’s next step will most probably be to log into the social networking site.

At this point the backdoor has already infected a number of running processes in memory and installed a callback to capture and save any keystrokes.

The author of this variant of Backdoor-CEP seems to be particularly interested in the credentials of StudiVZ; the Trojan also makes periodic connection attempts to a host located in Germany. Fortunately for McAfee customers, the malicious installer is blocked by Artemis and is blocked at the (former Secure Computing) Web Gateway.

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

As the tradition of Valentine’s Day approaches, so does another tradition: Valentine’s Day-themed spam that leads to malware. At McAfee Avert Labs we think everyone by now should know not to click on unlikely links to “love letters” and similar attractions. But we go on doing so. I guess love really does make us blind.  

By looking at the number of times we see the word valentine in spam, we can see how the spammers pump up the volume in the run-up to February 14. The following graph shows results for the month of January.

The current wave of Valentine’s Day spam contains links to domains that carry the Waledac Trojan. We are currently monitoring about 100 of these infected domains. Each of the domains is fast-fluxed, so there are hundreds of nameservers and thousands of IP addresses involved. (For more on Waledac, see the recent post from my colleague François Paget.)

Many of the Waledac techniques and features are very similar to those of the well-known Nuwar/Storm Trojan. At this time last year Nuwar was pumping out Valentine’s spam that looked like this:

And today Waledac spam looks like this:

Subjects such as “Deeply in love with you,” “I Knew I Loved You,” and “I Love Being In Love With You,” followed by a short URL in the body are typical of these attempts, which point to sites that offer a little Valentine’s malware. By all means send love notes to your honey before and on Valentine’s Day, but don’t fall for these transparent, annual attempts that lead only to tears.   

(Thanks to my colleagues Kevin McGhee and Dmitry Gryaznov for their contributions.)

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

However, our current count is not an absolute number of detected malware files; this can confuse many people. Drivers can be written very specifically, say one driver for one sample, but that’s not very effective. Most drivers are written to generically detect many samples. For example, one driver can detect 50 or as many as thousands of malware files. Therefore, the number of detected malware files is way higher then the half-million number reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

Initially VirusScan would focus just on true self-replicating viruses, mainly 8-bit (.com/.exe), MS-DOS viruses as well as boot viruses, which were prevalent then–and some still are today. Malware has evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (pe-type .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware and password stealers, and others. Nowadays the majority of malware is static Trojans.

There has also been a big shift by the malware authors. The first malware authors were hobbyists, writing to to prove it could be done, but today we mainly see malware that’s going after the money–password stealers, etc. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

Shortcuts, or LNK files, are small binary files which have the path to an applications, sometimes with optional parameters. These files are used for running applications and are placed on folders where they are easy to access by users on such places as Desktops, and Application Launchers. The LNK files are also placed within the Startup folder to run automatically upon system boot. This indirect way of running applications is often attractive to malware authors as shortcuts have not been called out to most user’s attention for the sake of security as much as executable files have. At Avert Labs, we have recently seen some malware abusing shortcut files to launch malicious files/scripts in several different ways. Here, we introduce some methods we have recently seen:

1. Create shortcut files linking to malware files

This is an easy way to launch malware by a user’s actions or upon system reboot. These LNK files are created on the desktop, network shares, and even startup folders. One of the many variants of the Spy-Agent.bw trojan are known to take advantage of shortcuts to run.

2. Parasitic Infection to shortcuts

We have seen the W32/Mokaksu virus modify all LNK files on the desktop and add the path of the malware file to the original path.



The example above is the shortcut to Adobe Acrobat Reader infected with malware. The path to the malicious “Config.Msi.exe” (in the red box) is added before the original path “AcroRd32.exe” (in the yellow box). In the shortcut, the original path is treated as a parameter to the malware file. Upon clicking on the shortcut, the W32/Mokaksu malware runs as well as executing the original file, all while running in the background. Ultimately users only see the application which was associated with the shortcut launch, thereby making it much harder for users to notice the infection.

3. Scripts in the shortcuts

Shortcuts can often contain scripts for “cmd.exe” instead of linking to executable trojan files. The Downloader-BMF trojan is such a case.



When users click on these LNK files, the scripts silently creates and drops ftp scripts to then download vbs scripts from the ftp severs. The downloaded vbs scripts are then responsible for downloading trojan files.

In the first 2 cases, shortcuts are just ways of launching malware whereas in the last case, these LNK files are standalone malicious files in which no other malicious executable files are needed but a legit “cmd.exe”. This type of LNK files can be attached to emails or hosted on the web sites. This implies that we need to be more careful with LNK files. Users can easily check shortcuts by browsing the file property or viewing the file with a binary editor.

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Fake alert malware prey on innocent victims by displaying misleading scan alerts. They trick the user into buying fake antivirus, to fix such falsely exaggerated scan reports. This class of “scareware” software depends on extreme social engineering tactics and comes bundled with Backdoors, Password Stealers, Downloaders, Droppers, Browser Helper Objects, etc.

Each of the above class of malware are used either in the distribution of the fake antivirus itself or in the propogation of other kinds of malware once the fake antivirus is installed on the victim’s machine. Working towards a common goal – extorting money from an innocent victim – these scareware applications have added a new class of malware to their armory – rootkits.

Apart from hiding the scareware’s files, rootkits ensure that access to genuine security vendors’ sites is disabled. The rootkit we noticed, named “tdss[random characters].sys” was blogged about by Computer Associates recently and was associated with the AntiSpywareXP2009 scareware. We, however, noticed that this rootkit was protecting rogue components belonging to WinWebSecurity scareware. This implies that:

1. The same author of the rootkit is supplying his code to multiple scareware vendors for money, or
2. The same group is creating and distributing multiple fake antivirus.

McAfee AV, will detect & clean this rootkit component from DAT version 5496 onwards. However, a user stuck with a machine that does not have antivirus with updated signatures, will have to clean this rootkit manually.

If you are a Windows user, apart from the usual safe computing practices that include using a firewall, an updated Windows operating system and an antivirus software, consider the following steps to minimize the chances of getting infected by such scareware:

1. Install a backup software, which can revert your system to a previous known uninfected state
2. Browse the Internet from sandbox software
3. Install and browse the Internet from a Virtual Machine

On a final note, the Federal Trade Commission has recently won a restraining order against Innovative Marketing and ByteHosting Internet Services – companies responsible for marketing the scareware applications WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. However, we will have to wait to see if this move actually has any impact on curbing the distribution of scareware.

The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or download and install an executable which pretends to be the missing application which is needed in order to watch the movie. The animated picture below is such an example: at first glance, it looks like a typically embedded video which is unable to load. The “picture” states that you’d have to click on it in order to see the movie. And here the lure begins – in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates and after too many retries you will be always redirected to the homepage of Google. The system remembers your IP address on the server-side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for “incoming traffic” which results in different “outgoing traffic” based on different restrictions. For example, the Geo-Location could be used to redirect visitors from a particular country to one location while visitors from another country will be redirected to a different location – just think of localized campaigns targeted to the spoken language in these countries. So users from the United States will not be redirected to a french phishing web site and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the referrer – so lets say that only visitors with a referer from Google will be redirected to a malicious web site as long as the IP address of the visitor doesn’t come from well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the websites’ owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.

Other trafic management systems, like shown in the above picture, also feature different logins into the web interface – for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic – that is, infected web sites containing an IFRAME that points to the trafic management system -, and buyers of traffic – e.g. the people who run exploit servers and try to install malware on unpatched computers, thus looking for potential victims. Such traffic management systems can be in between the infected web sites and the exploit servers. As you can see in the above picture also payment options can be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, the campaigns can be easily exchanged or the “traffic” can be sold to new buyers which try to install their malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious ressource nowadays means that you are redirected based on a complex server-side management system.

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific banks going under hits, scams and malware utilizing that messaging will emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election; when President-Elect Barack Obama messaged malware emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert labs

In a recent email to the Full-Disclosure mailing list there’s an interesting article that grabbed our attention. This email talks about how a hacking team claims to have compromised some Linux-based computers and have successfully installed OpenSSH backdoors.

It’s evident that the attackers probably obtained root access by a SSH-password brute-force attack, leveraging the infamous Debian OpenSSL Package Random Number Generator Weakness (CVE-2008-0166) vulnerability. According to the email, after installing this OpenSSH backdoor, the backdoor is capable of recording all information about user accounts, passwords, and IP addresses connecting to and from this host. Hence by social engineering tricks, the attackers can gather the sensitive system information of even more hosts that connect to the compromised machine. At the end of the report this team also lists some achievements they gained, some of which is information on compromised computers.

We have some suggestions for administrators to verify whether they’ve been compromised:

– First compare your devices to check whether any of these are in the records. Note: This list might not be exhaustive; thus even if your host is not present, we recommend you continue to the following steps.

– Use this command to determine whether SSHD on the host has been replaced:

echo netdump|nc localhost 22 or echo netdomp|nc localhost 22

It should output the following information if the backdoor has been installed:

SSH-2.0-OpenSSH_4.3
netdump
SSH2_OUT: 127.0.0.1 user: root pass: password (localhost)


– By using commands such as “strings /pathto/sshd | grep netdump” you can verify whether the backdoor is currently installed and is working.

– And of course, the most effective method is to have all the latest patches installed. If the system is a Debian flavor, you should definitely confirm that the OpenSSL Weakness (CVE-2008-0166) patch has been installed.

– We also suggest the use of public-key-based authentication rather than just a password-authentication mechanism.

We’ll continue to monitor this threat and will update you with more information as it becomes available.

Recently, a piece of malware named MachineDog attracted attention within the China security community. The malware itself appears to be a well designed tiny rootkit, and is quite different from other malware. One special characteristic of this malware is that it’s designed to penetrate the hard disk as well as security software, which are installed in most internet bars and cafes. This means it can infect most machines in many internet bars and cafes, in some cases without too much resistance.

The malware is composed of a user-mode application part and a kernel driver part. The application part does limited work, which includes extracting the driver and installing it as service, then communicating with the driver by io control. The earlier version of the application part does the infection work by sending IRPs into lower disk driver device(\Device\Harddisk\DR0) to locate and write userinit.exe onto the hard disk directly. In later versions, the infection works are improved and moved into the driver itself, leaving the application part tiny and simple.

The driver does the most important work. It does the infection which was implemented earlier in the application part. Its infection method is quite special and interesting, which can bypass and penetrate many hard disk protection software, and some security software. First it reads the atapi.sys driver file  from the hard disk then searches dispatch routine addresses in that driver’s body, to bypass any existing dispatch routine that have inline hooks. Why choose atapi.sys? Because the device created in atapi.sys is the last device in all the device stacks that the IRP passes through, and it’s the end of this IRP. Sending IRPs to this device can avoid all filter devices and inline hooks in any upper device which are used by some security software or protection software. Then the malware sends IRPs to the partition device dispatch routines in atatpi driver to read and write data directly into hard disk. It first reads data to locate which sector userinit.exe is resident in so it knows where to infect. It then writes the inject codes into the hard disk by that way and will att that point modify userinit.exe. At last it will remove inline hook of atapi devices if they’ve been inline hooked until it receives the close command from application part.

Most internet bars and cafes rely on hard disk protection software excessively, and mistakenly believe these types of software can replace security software. Once their machines are infected, the administrator just restores from backups made by the protection software. This malware takes advantage of this contrived neglect. The attack is so dangerous that once it successfully loads its driver into the kernel, most hard disk protection software will be nothing but an empty shuck, with the administrator still having no idea!!!

McAfee customers are protected from the threat by DAT 5337.

Reference:

http://article.pchome.net/content-515951.html

http://tech.ccidnet.com/art/1099/20080709/1501723_1.html

http://www.xj.xinhuanet.com/2008-06/20/content_13599327.htm

We had a customer a while back report a false detection on one of our Foundstone checks. The purpose of the check wasn’t even to detect malware, it was to detect the presence of a certain legitimate remote administration tool. The customer insisted they were not running that administration server on the host. From the diagnostic packet captures they sent in, however, there was no denying that the tool was running on that host whether they knew it or not. And that tool happens to be commonly dropped by malware to serve as its backdoor. No doubt, some damage had already been done by the time they reported this to us, but how much more damage was prevented when this security breach was discovered because of our check?

Malware detection is not one of the most prominent functions of a remote vulnerability scanner. But most major scanners do offer this capability. Don’t expect to replace your traditional AV with vulnerability scanners any time in the future, though.

Although vulnerability scanners can open and read files, they are mostly agentless; so they are reduced to making RPC calls to perform these operations. If you were to mimic the signature scanning of traditional AV, performance would be unacceptably poor. And so malware checks have to resort to detecting only the presence of malware. That is, detecting its traces. This can be the existence of certain files (no opening or reading), registry keys, or a running service. In most cases, having two out of three of these traces is a unique enough combination for a strong detection.

Another way to detect the presence of malware with a vulnerability scanner is to detect the network activity of the malware. If it opens a backdoor on a particular port and listens for commands, which is the majority of malware today, most likely we can detect it remotely. In this respect, the vulnerability scanner actually has an advantage over traditional host-based AV. Take the case of a rootkit that can hide its files, registry entries, running process, service, etc.–it’s virtually invisible on the host. It might even hide its network activity, but it can hide it only from programs running on the local machine. Sophisticated as the rootkit may be, it cannot hide its network activity from the vulnerability scanner working remotely.

In the end, detecting malware with a vulnerability scanner is purely reactive, that is, you are raising a flag after the malware has already installed itself–whereas traditional AV has the noble goal of preventing it from even getting onto the host.

Some might consider the malware detection offering of vulnerability scanners as superfluous because of the limited capability and its reactive nature. But I’m sure that the customer with the hidden remote administration tool isn’t one of them.

There have been a couple of threads lately, one on LifeHacker, one on Ask Metafilter, about whether it’s necessary to use anti-virus software. The comments in both are a very clear indication on how far we have to go in educating users on the real danger of malware. It would appear the average user is operating under assumptions that might have been true 8 years ago. Now, it’s just a recipe for disaster.

The erroneous assumptions are that:

1) Viruses are noisy/easily visible and
2) Viruses are caused by actively bad behavior

To quote What the Geek from the LifeHacker thread,

I have a business client whose website was giving people a trojan for a while because it got hacked – and guess what? if you didn’t have an AV running, you’d never know that it happened. It would just sit on your computer sending your data off to who knows where silently. Just because it doesn’t give you a big skull and crossbones on the screen doesn’t mean it isn’t there.

This really sums up the situation for me – an innocent user was hacked, and might never have known it, as it was silent. It’s like the difference between the demos we give of an “average scary virus” now versus the ones we gave 10 years ago. Back then, the demos were all skulls and message-boxes and file corruption and deletion. Very spooky, very visual and very loud. Now the scary demos are effectively silent. The malware can come in without any user interaction, and you’d never know it was there without specific tools to show you what changes it’s making behind-the-scenes. Off goes your credit card number and your private documents, without you being the wiser.

And this is not something that just happens in the “bad parts” of the internet. Think of the most innocuous content on the internet. Pictures of cute and fluffy animals would certainly qualify, right? At the end of last year, CuteOverload fell victim to a hacking that delivered trojans to its unsuspecting readers. And major sites are supposed to be safe, right? How about the Superbowl website hack from the beginning of last year?

One point that I think needs bringing up specifically is the question of whether to use “on-access” scanning, or if “on-demand” is enough. As Dwroth succinctly put it in the LifeHacker thread:

All time (active protection) = good for the public, but overkill for the geek.

Turning off on-access scanning has never been a great idea, but now it could be a catastrophically bad idea. We’ve already discussed how one’s level of geekiness does not figure into one’s susceptibility to viruses which don’t require human interaction. Personally, if there’s a virus trying to get onto my computer, I’d really rather find out immediately before any changes could be made to my system rather than some time tomorrow or later this week.

A few minutes is plenty of time for malware to transmit my most sensitive data, why give it hours?

A few days ago here at Avert Labs we have received yet another interesting malicious file related to the now not-so-famous Tibetan situation. At the beginning it looked like a simple Flash movie, at least judging from the icon.

Executing the file, called RaceForTibet.exe, shows a cartoon with a very skilled Chinese gymnast performing some amazingly convoluted exercise on a “vaulting Bbox” for which the jury immediately scored her a shocking 0! Whilst the gymnast’s performance is “re-wound,” a number of fairly stark photographs of real events, taking place throughout China and Tibet, are shown as a flashback.

As a malware researcher I just could not keep myself from looking further into the file to see if it was anything more than some political movie about events taking place in Tibet and China, especially after several recent posts [1] [2] discussing the Fribet Trojan.

Here are some screenshots of the cartoon that runs using “mini flash-player 2.6”:

For the next step I decided to use our “Rootkit Detective” to check for hidden processes and hooks, and turns out a number of files were silently dropped on my PC!

So here comes the “Pro-Tibetan Movement rootkit”:

As you can see a number of files are now on my system and completely hidden from “user-land”. The original file (RaceforTibet.exe) initially drops a file called “dopydwi.sys” in the %windir%/system32/ drivers folder.

Here is an interesting part of this hidden system driver shown in IDA:

We can now start to see the bigger picture here! The rootkit is actually a keylogger posing as a political message; in fact you can notice above the call to the function “GetKeyboardState“.

Also below we can see the file is creating a device called “ServiceDll”, which will be used to load the driver:

And here we can see the patching of the SSDT, hooking a large number of Windows API functions by changing their address.

The DLL file dropped on the system is going to be used to do the actual keylogging and it’s loaded through the device shown on the first IDA screenshot above.

To complete the picture, a hidden log file kept on the system (dopydwi.log) stores all the information gathered on the compromised machine.

Here is the output of a log file I captured:

[2008-04-10 07:14:53] Ethereal: Save file as [C:\Program Files\Ethereal\ethereal.exe] tibetan-capture
[2008-04-10 09:37:08] Save Image [C:\Program Files\GIMP-2.0\bin\gimp-2.2.exe] sdt-bigj
[2008-04-10 09:45:22] Mozilla Firefox Start Page - Mozilla Firefox [C:\Program Files\Mozilla Firefox\firefox.exe]
www.avertlabs.com
logtest.txt
[2008-04-10 09:46:24] Google - Windows Internet Explorer [C:\Program Files\Internet Explorer\iexplore.exe]
testing search engine

The remote IP where this data is sent to is located in China (humorously enough).

So just when much trouble is taking place, we can also continue to see an increase in attacks carried out by people taking advantage of the media hype and interest raised across the globe over these dramatic circumstances.

Will you watch the Olympic games? Best not if they claim to appear via e-mail as a Flash executable movie!

As promised in my last post, we will discuss some interesting techniques used by StealthMBR and possible motives behind them. This new variant has implemented extensive protection technology at the kernel level, and looking at its layers of defenses it appears to be the job of organized and technical kernel code developer(s) who is/are probably making decent-albeit illegal-income from this. Although StealthMBR is inspired by techniques from prior projects like BootRoot, it is continuously evolving its defenses.

This variant of StealthMBR is unique among other kernel mode rootkits that we have seen to date; not only because it overwrites the MBR but also because of the number of self protection measures it is employing to prevent itself from being detected and removed once it gains the control of the system.

Self protection measures and motives:

1. Hooks IRP dispatch table of \\driver\Disk
Motive: This is one of the lowest level hooks in the kernel, created for IRP_MJ_READ and IRP_MJ_WRITE. These are created to deny read/write permission to any application that is trying to access the MBR.

2. Dummy hooks in IRP dispatch table of \\driver\Disk.
Motive: Other dummy hooks are created, probably to keep all the hooks in the same range, which may dupe some of the anti-rootkit tools that check if all the valid hooks are in the same device object range
.
3. Hooks IRP dispatch table of \\driver\CDRom
Motive: The IRP dispatch table pointers of both disk and cdrom point to same location, so this rootkit hooks the IRP table of CDRom and changes the pointers to the same location as that of the corresponding hooked dispatch routines of disk. If this table is not patched, some AV tools can compare the two pointers and raise a flag if a discrepancy is found. Also, it can be used to restore the original pointers in the IRP dispatch table of disk.

4. Patches classpnp.sys!ClassInitialize function
Motive: The ClassInitialize function is an exported function of the ClassPNP.sys driver, which has references to various pointer locations of the original IRP dispatch table [Figure 1]. An AV tool having the knowledge of this can compare the two pointers and raise a flag if a discrepancy is found. Also, it can be used to restore the original pointers in the IRP dispatch table of disk.

The addresses highlighted ( in red) in Figure 1 are the original addresses which will be patched by the rootkit.

Figure 1

5. Creates a “Watcher” thread
Motive: This is the plan ‘B’ of this malware or a failsafe method to prevent itself from being removed, even if the original pointers are known and somebody(AV) tries to restore its hooks (which is the necessary first step to write back the MBR). This thread continuously watches any attempt to restore the original IRP_MJ_READ/WRITE hooks. As soon as these hooks are modified, the thread does following four things in this order:

• Restores the IRP_MJ_READ and IRP_MJ_WRITE dispatch routines to point to its own routine
• Rewrites the MBR at sector 0
• Rewrites the rootkit loader code and original MBR code at sector 60,  sector 61 and sector 62
• Rewrites the whole rootkit module in the later sectors of disk

6. Direct disk sector write access
Motive: In almost a month, StealthMBR has improved its routine to write to the MBR. Instead of using User mode APIs to write into the MBR, it now uses a call to the IoBuildSynchronousFsdRequest API to write directly in various sectors of disk by using IRP_MJ_WRITE of \\driver\disk.The possible motive of this improvement is again to evade detection by various Intrusion detection tools. 

The following code [Figure 2] is the part of watcher thread, which checks if the value of IRP_MJ_READ/WRITE is the same as the value in the EDI register. If the value has changed it will perform steps a,b,c,d as explained in point 5 above. The following code is annotated to highlight the interesting information and is self-explanatory. It can be noted that there are three calls to the rootkit’s WriteToDisk function to restore various infections.

Figure 2. Annotated code of “watcher” thread of StealhMBR rootkit

What this means for McAfee’s customers
McAfee is detecting this threat generically with the 5256 DAT files as Generic Packed.g and StealthMBR. The in-memory hooks are also detected as StealthMBR!rootkit* in the latest beta dats and will be included in the 5258 DAT files. So make sure to update your DATs to remain protected from this ever stealthy rootkit. 

Conclusion:

Since the last variant we have seen quite a few improvements in this malware, and it looks like the malware authors will keep on modifying this code to challenge AV vendors in this arms race. We will keep monitoring these threats and keep you updated of their progress.

*Note: The memory rootkit detection and repair is only available with the following VirusScan products. Please upgrade to these products to be better protected against such stealth malware.

• VirusScan Enterprise (Ver 8.5)
• VirusScan Online (Ver 11.2 and above)

Yesterday we received new variants of the StealthMBR rootkit from the field. The basic strategy of overwriting the master boot record and hooking the IRP table of \\driver\disk to protect itself is still the same as we explained in our original StealthMBR blog. However, from the perspective of cleaning this threat, the rootkit has been modified to better protect itself from being removed.

A very common self-protection technique exhibited by various malware in user-land is to execute a “watcher” thread that continuously polls its various components, memory, and registry entries for changes by the user or any anti-virus products. StealthMBR has taken this technique into kernel space, where it executes watcher threads in the system processes’ context. StealthMBR’s thread continuously checks for any attempt to restore the original MBR or remove its memory protection hooks. If they are modified, it patches the MBR and hooks right back.

We have added generic detections for this threat as Generic Packed.g and StealthMBR Trojan. Just as with the last variant, we are currently working on an updated cleaning solution that can repair the threat within the DAT files, and won’t require fixing the MBR from the Microsoft Recovery Console.

In a follow-up blog we will discuss the inner workings of this variant–stay tuned!

Most users in China, especially those with limited knowledge of computer security, have experienced the installation of a rootkit while surfing the Internet. In some cases, users don’t notice that a rootkit has been installed. In other cases, users do notice, but are unable to remove the rootkit and opt to reinstall their operating system instead. Once a rootkit has been installed, additional malicious software, such as a trojan horse program, is usually installed. The rootkit is typically used to hide the trojan. The hidden trojan is typically used to steal important information from the system such as online game accounts or bank accounts information and so on. In addition, the attacker can use the compromised system in conjunction with other systems to carry out DDoS attacks.

Some companies apply rootkit technology in their products as a means of defending against tampering with their software. For example, the 3721 web browser plugin makes use of rootkit technology to avoid being uninstalled by other programs and/or plugins. Many other rogue applications like CNNIC, YiSou, qyule, etc, also do this. Some of this rogue software is hard to remove once it has been installed and/or can cause systems to become unstable. Rootkit technology is also often used in software designed to help users cheat in online games. A lot of people play online games in China and many are willing to pay for software that can be used to cheat in the games that they play. Developers use rootkit technology to create software that can be used to cheat in online games without being detected by the gaming software.

Since rootkits are so widespread in China, many local Chinese security software companies focus on defending against them.

Nowadays, many viruses in China install both rootkits and trojan horse programs, causing extensive harm to Chinese networks and significant financial loss. Many people, including victims of these kinds of malware, have organized to help stop its spread. The Chinese government has also taken notice of the spread of malware and has begun to treat malware authors as criminals. Li Jun, the author of the “Panda Burning Joss Sticks” virus, which installed rootkits and trojans on millions of machines, was recently convicted. In addition, a new anti-malware law will come into effect next year. This law will penalize those who create malware.

References:

McAfee Rootkit Paper 1
McAfee Rootkit Paper 2

Today at Avert Labs, we released the third edition of Sage – our security journal. As always, we strive to be a bit different with our content in Sage. A little provocative, new trends, new ideas… And this issue is no different.

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

• Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
• Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
• Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
• Cybercriminals take advantage of countries where law enforcement is lax
• Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
• More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

These days Malware authors are using cutting-edge and blended attack vectors for infection and spreading to avoid AV detection. These are often difficult to detect and clean.

We had seen MBR (Master Boot Record) viruses during the DOS age while rootkit use has been growing in recent years. In Jan 2008 McAfee came across a new threat, a blend of rootkit and MBR infection functionality named StealthMBR.

It gets installed on a victim’s machine when visiting malicious websites using browser exploits. During infection, it copies itself to the %temp% folder and starts as a service. This service overwrites the MBR with its own code and keeps a backup of original MBR in sector 62. It also overwrites sector 60 and 61 with rootkit loader code and rootkit components in the last sectors of the active partition. Later it restarts the system.

Picture showing infected MBR

Upon reboot, the infected MBR takes control of the system and gives control to the rootkit loader code. The loader code then patches the kernel to load and start its rootkit component.

The rootkit module hooks IRP_MJ_READ & IRP_MJ_WRITE in the IRP table of \\driver\Disk and protects itself from being modified. When the MBR is read, it returns the original MBR code from sector 62. This technique prevents many security tools from detecting and cleaning the malware.

Picture showing a part of rootkit loader module in sector 61

Given the nature of this threat (Rootkit & MBR infection), it needs a complex cleaning routine that can be difficult to achieve using regular AV techniques.

So far ‘Windows Recovery Console’ was the recommended solution to clean this threat. We at Avert Labs have developed a new cleaning method for this threat and incorporated it into DAT 5212 and above (VSE 8.5 and VSO having rootkit scanning option enabled as well). The cleaning involves unhooking the IRP_MJ_READ and IRP_MJ_WRITE entries of \\driver\Disk IRP table in memory and then restoring the original MBR from Sector 62 to Sector 0.

Picture showing MBR restored from sector 62 after cleaning.

Kudos to Harinath Ramachetty and Rachit Mathur for providing a solution for this nasty threat!!!

The term “rootkit” was originally used to refer to toolkits used by root privileged users. This definition has evolved over time. Nowadays, the term rootkit refers to backdoor programs that run with elevated privileges and that are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.

These days most rootkits are installed through exploitation of web browser vulnerabilities or from the infection of viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown vulnerabilities (zero-day) are placed on web sites and used to hack browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released. In other cases, popular websites and public forums are hacked. Their content is then modified to include exploits that install rootkits on to user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, Baofeng ActiveX vulnerability, RealPlayer ActiveX vulnerability and so on. In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user’s machine has been compromised by a rootkit, it will send messages containing links to malicious websites to all of the friends of the affected QQ user. If these users click the links, they too will be targeted. This method of propagation is widespread and difficult to defend against. Another technique used to spread rootkits includes the addition of malicious programs to pirated software like Windows, Photoshop, Office, etc. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.

Stay tuned for Part 2…..

References:

Rootkit Paper 1
Rootkit Paper 2

A common security theme in corporate America is to secure the outside Internet from the safe intranet. As a penetration tester, I’ll tell you that if you have over 1000 employees there is no “outside”.

Firewalls, NAT devices, and anti-exploitation techniques have made traditional remote exploitation extremely difficult. Pure remote exploitation over a technology such as RPC, IIS, etc still occurs but it’s much less common. Instead, attackers have transitioned to user driven attacks such as phishing, malicious emails, malicious websites, or malicious documents. The basic idea is to get your users to exploit their box for the attacker. Once the user does something unwise, the workstation inside your network is owned. If you have 1000+ workstations, there is virtually no chance that one of your employees won’t eventually enable this type of attack. When you factor in USB sticks, Wifi, VPN access, and laptops that travel, no reasonably large network can assume the internal network doesn’t touch the Internet.

Now that we’ve established the Internet can get into your internal hosts, can it get out?

Brad Antoniewicz’s recent blog describes several data exfiltration techniques. I’ve had success with DNS tunneling. Almost every firewall allows outbound DNS queries and the technology is well proven. Once your local workstation has been exploited, DNS tunneling will let the data out. However, my favorite technique is simple HTTP. First, outbound HTTP access is almost as universal as outbound DNS. To me, there are several benefits of HTTP traffic over DNS Tunnels:

1. DNS tunneling is innately anomalous – the messages are larger and more frequent than normal. Similarly, you’re likely ignoring TTL values. All of these can be red flags

2. Programming an HTTP tunnel is simple. You setup a fake page, setup a trigger value for data, post/get data as needed. You simply need to use the straightforward MS InternetOpen() and similar functions.

3. Many hosts now have firewalls that prompt to allow outbound access by application. In general, it’s best to use DLL injection to hook your callback into IE to get its access and to use any proxy authentication that may be needed. This technique almost always lets me out to the Internet from a workstation.

In various penetration tests, I’ve successfully used remote access tools that utilize HTTP traffic by hooking IE. It’s been VERY effective. Do you have technology to prevent this type of remote command and control?

In closing, as you design your network security policies and deploy technologies dependent on being safe from within, I encourage you to think of both how threats get into your network and how they can get out. If an attacker can do those two things, depending on your perimeter, this is asking for a security incident.

On the heals of Allysa’s Crimeware comes to OS X post, I thought it’d be a good time to revisit some earlier research on DNS changing trojans; in particular trojans authored by the same group behind this Mac malware.

A quick overview on how DNS (Domain Name System) works.  When your computer wants to navigate to a domain on the Web, it needs to translate that domain name to a number.  It may first check a local cache, or hosts file, but the next step is to query your machine’s specified DNS server.  That looks something like this:

Request: Hey SERVER, how do I get to domain.com
Response: Hey CLIENT, go here – 123.123.12.3

DNS changer trojans reconfigure your system’s specified SERVER such that your requests go through a server controlled by the attackers.

Request: Hey BAD_SERVER, how do I get to domain.com
Response: Hey CLIENT, go here – 111.222.3.4

Now the expectation is that the attackers who control the rogue DNS server would redirect requests to popular financial sites and other heavily phished sites.  Like ebay, Paypal, banks, etc.  Well, I ran a few thousand requests through rogue DNS servers; focusing on the top websites.  To my surprise only 1 domain was resolving to the wrong address.

adultfriendfinder.com

Adult FriendFinder (and associated FriendFinder.com, which is also rerouted) claims to have the largest affiliate program on the net, with over 150 million registered users.  They pay out for account creations, membership orders, and affiliate referals.  But this statement on FriendFinder’s affiliate page seems more relevant:

Testing a few thousands domain out of millions on the web barely scratches the surface, but this does highlight that top tier, typically phished, sites are not the target by the authors.  Targeting what I call secondardy targets (instead of say financial institutions) is a growing trend.  In general, there is less risk of being prosecuted.

It’s worth mentioning that other behavior was observed by these trojans.  Typically they install a rootkit (such as DNSChanger.f), which redirects search results.  Other domains can get redirected by the rootkit (irrespective of DNS).  Also, non-existed domains (think typo-squatting) may get redirected to domain landing pages by the rootkit or DNS.  While I missed the conference, I just noticed that further research on this topic was presented at Virus Bulletin last month.

There has been a family of malware called Puper which has been plaguing Windows users in increasing numbers since 2005. It’s a nasty beast which has been in the news quite a bit lately for its nefarious installation tactics. Most notably it’s been found to install itself by way of exploits on infected MySpace pages.

Suddenly Puper has its eye on Macs.

What happens is this: Say you’re out searching for a bit of porn with your blissfully malware-free Mac. You’re led to a site which says you need to install a new codec to view the videos they offer. You try to install this codec, but instead you get a nasty and silent surprise. After all that, you still get no videos.

When the newest Puper fake codec site is accessed by a Mac, the file which is offered is a DMG file rather than the usual EXE file one would see on Windows. Depending on your browser settings, this may run automatically. Once it runs, it begins installing an application called “MacCodec”.

The authors behind some of the most wide-spread PC malware (Puper, aka Zlob) have released a Mac version; authors who have experience distributing malware to the masses. This is no PoC. This is not a drill.

Dozens of fake codec sites are serving the malicious disk image file to Mac web browsers (based on the user-agent):

In the background, a script is created which then creates a scheduled task to change the DNS to point to a malicious server. In effect, instead of getting valid entries for websites like you would expect, you’re now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you.

Again, Avert Labs has identified dozens of different fake codec sites currently serving this Mac malware.

People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues. This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows.

Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?

It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.

Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.

Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea – aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”

So how does someone wishing to submit something for analysis go about doing it?

For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?

Getting the whole beast can be a bit more tricky. There’s sort of a continuum of sneakiness, from very spammy looking emails with attachments, to bots which get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.)

If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.

Maybe you’re pretty astute and you’ve noticed that after you ran a file a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files. You’ll want to check for duplicates, to make sure. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation) If you’re not sure how to create a hash, there are certain programs which can help you. One of my favorites is the CRC option in WinZIP (in Configurations, under the Options menu). This allows you to group by CRC and get rid of any duplicates.

In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

File this one under “Déjà vu all over again”. After learning from F-Secure of shady rootkit-like activities noticed in the software packaged with several Sony USB drives, we were first a bit amazed. After all that had occurred with the audio CD episode, could this really be true? Well, it was.

In the class of nasty rootkits the ones that top the chart are those that use blended techniques to hide or protect themselves. I/O request packet filtering is one kernel mode rootkit technique that is gaining popularity along with the already common SDT hooking.

Sony’s microvault USB media ‘Fingerprint Access’ software uses programs and device drivers developed by Fineart Technology Co. Ltd.. The Fineart device driver installs as a file-system filter driver on top of the existing driver stack. It also hooks the Service Descriptor Table in order to hook NtEnumerateKey. After establishing this, all file system information is filtered through this new device driver and thus it can easily hide any directory or file. Following is a snapshot of windbg showing the device stack.

Figure 1 – \Driver\FG adds itself on top of the driver stack for file system IO.

The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives. However, in this case (*cough* AGAIN! *cough*) the authors apparently did not keep the security implications in mind. The executable can be placed in potentially any directory and when executed will subsequently hide all the folders and files within that directory!

As a test we placed the binary in %windir%. Upon launch all the files and subdirectories including system32 were indeed hidden. None of the resources within the directories were accessible anymore. We could no longer run simple utilities like ‘regedit’ or ‘notepad’ or ‘cmd’ using the Run dialog box in start menu, as the path was not resolved due to cloaking. Although one could still access the files using fully qualified paths. Fortunately the executable by itself does not add an entry to the registry Run key or establish any other startup method, so the hidden objects are accessible again upon reboot. However the device driver component is loaded into memory after reboot, so at that stage it is a simple matter of re-executing the binary to hide directories and files:

The publisher may argue that the default installation path is %windir%\[some directory], but that does nothing to stop malware authors from copying the binary to an arbitrary directory of their choice and executing it in that location. Alternately they could simply hide their malicious creations in the default installation directory itself. Another easy hack for malware authors would be to launch the binary from their chosen directory and add a startup entry for the software to ensure it is hidden immediately on boot-up.

Here is the snapshot of VirusScan in action. VirusScan detects the device driver s HideVault!sys and removes it to disable any potential cloaking upon reboot.

Sadly, it appears that expediency of function has again trumped forethought of consequences in one of Sony’s creations.

We have been studying the issue of malicious hypervisors for quite some time at McAfee Avert Labs and have come up with several techniques to detect whether the system runs on top of a hypervisor or whether there is a piece of code that is trying to initiate a hypervisor. Our work included, of course, analyzing things like Blue Pill and other similar malicious hypervisors.

Last week I was at BlackHat, and it was a very exciting week in terms of Blue Pill and the virtualization rootkits issue in general. During the BlackHat 2007 Briefings in Las Vegas there were three interesting sessions that relate to virtualization system security and rootkits. I attended those three sessions and had a chance to chat some with three presenters. The main points I would emphasize are the following:

1. Providing a system virtualization facility at the processor level without applying any sound security policy is a serious design flaw.
2. A malware authors’ job is to leverage system design flaws and hence the virtualization rootkits were very expected, including Blue Pill.
3. There is no rootkit that is undetectable even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture
4. There needs to be a more organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions

Now before I go into what happened during the three sessions at BlackHat, I would like to provide our readers with some background and personal thoughts about this topic. Less than two years ago, both Intel and AMD started to provide virtualization support at the processor level. This support is essentially comprised of a set of processor enhancements that improve traditional software-based virtualization solutions. These integrated features give virtualization software, namely Virtual Machine Monitors (VMMs) and Hypervisors, the ability to take advantage of offloading workloads to the system hardware, enabling more streamlined virtualization software stacks and “near native” performance characteristics. For instance, virtualization-enabled processors allow VMMs to rely on the hardware for isolating and mapping memory between virtual machines. This is achieved by adding another level of indirection for mapping VM-based physical address to host-based physical addresses. Both Intel and AMD also provide an additional level of indirection for mapping VM I/O addresses to host I/O physical address. Virtualizing memory addresses and I/O addresses at the processor level is a great extension that would minimize the work done by today’s software hypervisors. However, in doing that neither Intel nor AMD considered the security risk by providing such a powerful facility in the hardware with no restriction to which software piece could take advantage of it. In theory there have been lots of publications about safer computing initiative and how to use TPM technology to authenticate the piece of software that is initializing the processor into the virtualization mode. But in reality, this was not provided in the first release of the virtualization-aware processors as the hypervisors authentication was not provided at the firmware or BIOS level.

Now think of that with me for a moment – we have now a very powerful un-locked facility in the processor that allows any piece of software running in ring zero (like a device driver) to initialize a processor-supported hypervisor and hence take control of the whole computing environment, including the operating system. Yes, this is true, and it was a serious design flaw. Of course both Intel and AMD designers assumed that operating system kernel developers are the only ones who would care about virtualization and would use that facility provided by their processors, which turned out to be untrue. Joanna Rutkowska (the Blue Pill author) and other people have demonstrated some sample code that would initiate a hypervisor, and since it runs outside the operating a system then it can be considered a rootkit. But as the reader may understand now, there are no secrets there. No undocumented stuff; it is all about a powerful hardware feature that was not protected by any security policy.

Now to make the situation worse, both Intel and AMD are competing in that space and I guess both are trying to get software virtualization vendors to rely on their processor native virtualization support. But software-based hypervisors do more than memory and I/O virtualization. They do binary translation for instance which allows them to control programs execution at the instruction level and control programs response to system interrupts. To accommodate that need, both Intel and AMD provide the ability to exit from the VM to the VMM when a certain instruction is executed or a certain condition takes place inside the VM. For hackers this is a very lucrative feature, so not only can they install a thin hypervisor but they can also control the execution of certain instructions and fake many things from below the operating system, like timestamp counters which used to be a very reliable method for measuring elapsed time. When looking at the Intel and AMD virtualization specification, it does not look like they require many things from the hypervisor. In other words, it is up to the hypervisor to decide on what it wants and what it does not want to virtualize. This by itself lowers the cost of making a malicious hypervisor. Let me conclude this introduction by making the following statements:

• Providing a hardware based virtualization support without protecting it with sound security policy is a major flaw in the system design!!!;
• Hardware assisted hypervisors have the freedom to choose which software execution facility to virtualize and control;
• Blue Pill and other types of malicious hypervisors were anticipated by security experts who are well acquainted with the processor architecture.

I think I have provided quite enough background as well as some personal thoughts on the subject, so let’s move on to talk about what happened at Las Vegas last week. As I said there were three sessions that related to virtualization based malware and Blue Pill:

1. “Don’t Tell Joanna, The Virtualized Rootkit Is Dead,” by Thomas Ptacek, Nate Lawson and Peter Ferrie;
2. “IsGameOver(), anyone?,” by Joanna Rutkowska and Alexander Tereshkin; and
3. “Kick Ass Hypervisoring: Windows Server Virtualization,” by Brandon Baker.

The first session was the “Don’t tell Joanna” on Wednesday morning. The main point we got from that session is that it is very easy to detect virtualization rootkits. Speaking from my experience in the anti-rootkit space over twelve years, including my last project/product offered by McAfee “The McAfee Rootkit Detective”, I totally believe that “there is no rootkit that is undetectable”. I also tried to emphasize that fact in a McAfee podcast recorded before Black Hat. In their session Peter, Thomas and Nate focused more on time-based detection methods by calling an instruction that would cause the system to exit from the VM to the VMM, then measure the time elapsed until the execution is back to the VM and compare that with the regular time taken when running without the hypervisor. I have always liked that time-based approach and it was heavily discussed in Avert Labs some time ago, but we thought of using some other non-time based methods that rely on observing changes made to some processor status and cache fields like TLB (Translation Lookaside Buffers). Anyhow, after the session ended I talked for about an hour or more with Peter Ferrie – I told Peter that it was a very nice presentation and that my personal research findings support their conclusions although I use some different non-time based detection methods. Peter and I were wondering how Joanna would respond in her presentation in the afternoon.

Then came the afternoon and I was sitting there in the second row in front of Joanna. Joanna seemed a little bit nervous when she started her presentation. Initially Joanna picked again on Windows Vista by showing some Visa-signed drivers that allow anyone to write to any kernel memory or modify the MSR (Model Specific Register). That was nice but it is something we see every week at Avert Labs so nothing new in it to me at least. Then came the second part of Joanna’s presentation and she started to say how her Blue Pill rootkit can adjust the time stamp counters in such a way that would not allow any code to detect the overhead of running on top of a hypervisor. I made a comment in the form of a question during the presentation but Joanna said questions would be answered only after she finished the presentation. The point I wanted to make and maybe Joanna is reading this now, is that her argument of being able to fix the time stamp counters is not a strong technical argument for the following reasons:

1. This would require Blue Pill to emulate all the processor instructions that cause a VM exit and adjust the time stamp counter. Therefore we are no longer talking about a thin hypervisor that intercepts only specific instruction, interrupt, etc. but rather about a heavy hypervisor that would require significant amount of work from Joanna and her team.
2. The detection code can still issue arbitrary I/O requests to any I/O device that may be doing nothing but causing a VM exit and would then calculate the execution time. This would require Blue Pill to handle requests to I/O devices.
3. Manipulating time stamp counters does not seem to be a wise thing to do and there might be some device drivers that rely on the validity of those time stamp counters to perform correctly.

During the session I started questioning the value in spending all that time trying to build a Blue Pill that cannot be detected. There are many factors to consider like:

1. One day soon either hardware systems or operating systems will ship by default with a hypervisor. That hypervisor would have to be the first hypervisor and would not allow nested hypervisors. Intel has already produced the Intel AMT/vPro systems that ship with a hypervisor. Microsoft is soon to release the next version of its server platform that has a built-in hypervisor.
2. There are only a few commercial hypervisors and most provide some interface to the VM to communicate with the hypervisor if it exists. This interface can be used to authenticate the hypervisor. Security software can decide to halt the system if the system is not running on a hypervisor that is trusted by the company security policy. McAfee as a security company certainly encourages hypervisor vendors to pay more attention to those interfaces and make them solid enough to be used by security software running inside the VM.
3. Maybe Joanna can still claim that Blue Pill will emulate that commercial hypervisor interface, which is another layer in the system that would be emulated to hide its presence. Still we have a valid question: “what is this all about”. Eventually and very soon there will be only certain hypervisors that are trusted by the firmware and that’s it.

Anyhow, I felt kind of bored in the middle of the presentation and started to write a simple detection method that is not time-based and would definitely detect if the system is running on top of a hypervisor or not. This technique is based on some research I was doing less than a year ago at Avert Labs. Here is a scanned image of my hand writing of that approach made during Joana’s presentation.

Link to my Blue Pill notes here.

This detection method relies also on another major design flaw in the existing processor architecture. Here is some technical background: processors use TLBs (Translation Lookaside buffers) to cache the mapping from virtual (more accurately linear) addresses to physical addresses. But in doing that processors need to know where to get the address translation or mapping from. Well the mapping is stored inside the PTE (Page Table Entries). But the question is who would fill those entries inside the PTE? Well presumably (at least by the system designer) it’s the operating system of course. But guess what? PTEs themselves are writable and any code running in ring zero (like a device driver) can modify PTEs and hence change the mapping of linear addresses to physical addresses. Hah, this is the trick, and here is how the detection code works:

1. Allocate large contiguous block of non-paged memory;
2. Fill that allocated memory with character ‘A’;
3. Allocate another contiguous block of non-paged memory of the same size like block ‘A’;
4. Fill that second allocated memory with character ‘B’;
5. Freeze the execution of the operating system (do not ask how but we can do it);
6. Invalidate all TLB entries. There are processor instructions for that which could be as simple as moving execution “cr3, system_page_directory_table_address”;
7. Read the first byte of each page in the allocated ‘A’. This would cause those entries to be added to the processor TLB cache;
8. Change the mapping of the allocated ‘A’ pages to point to physical memory holding pages ‘B’. This means that what the processor uses inside the TLBs is not what is there in the PTE;
9. Call any instruction that would cause an exit to the hypervisor if it exists like CPUID. Exiting from the VM to the VMM causes the TLBs to be invalidated or cleared; and
10. Try to read the virtual memory of the first allocated block. If you see character ‘A’ then it means that the processor found entries in the TLBs and hence those entries were not cleared among an exit from the VM to the VMM. If it reads B, then it means that the TLB entries were invalidated due to the existence of the hypervisor and the processor has to use PTEs again to get the mapping from virtual to physical.

I wrote those steps briefly in my BlackHat conference block note and waited for the session to end. Then to my surprise just before the end of the presentation Joanna had a slide that mentioned a detection method similar to mine but without the step that freezes the system. I kind of felt proud of myself, of course, and showed the person next to me that I had it written in my block note. Anyhow, after briefly embracing that detection method Joanna said that it does not work and the people who came up with it did not try it. Well, that was too much! I have been researching that space for quite some time and I know it works!

After Joanna finished her presentation, off course, with no room for asking questions or making comments I felt that maybe I needed to talk with her. I waited until the crowd around Joanna was reduced to few people that included my friend Peter Ferrie, and I went to talk to Joanna. I told her “Joanna, this detection method that you mentioned at the end of your presentation should work and we have tried similar things.” Joanna looked at me and said no it does not. I said well I know it works. She then grabbed my conference ID and looked at my name while asking me who I am. I said Ahmed Sallam from McAfee Avert Labs. Joanna said she did not know that McAfee is working on that and I told her that we have been researching that area for some time. She then asked how it worked, I said that this is not a subject to be discussed in front in a crowd. But in all cases, Joanna, we can detect the Blue Pill so you may stop claiming that it is undetectable.

That was the end of the first day at Black Hat and I started to feel that we have been putting too much energy into something that may not deserve all the time and effort that we have been putting into it.

Now let’s get to the third session which was the “Kick Ass Hypervisoring: Windows Server Virtualization” by Brandon Baker from Microsoft, the following day. I went very excited to the session waiting for Microsoft to outline their plan for how to secure the hypervisor or to leverage the hypervisor for having better security. I heard none of that. As a matter of fact, Microsoft said that they are not utilizing the processor-based DMA remapping feature which allows true isolation of physical memory and hence protect against DMA-based physical memory attacks. We certainly understand that Microsoft is working hard to build its new hypervisor but we need to hear some good answers on Microsoft plans to make its hypervisor truly secured.

I hope that our blog readers now have a better understanding of this serious topic and would like to conclude this post by re-emphasizing on the importance of having an organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.