Archive for the 'Uncategorized' Category

Fight Against Cybercrime Gets Organized

The fight against cybercrime has shown some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than half a year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: We are not alone!

McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

FakeAlert Trojan Holds Systems For Ransom

In March 2009, we notified our customers of a new variant of the infamous Vundo trojan family, which we detected as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.

Last week, we came across a new variant of a rogue security program branded by its creators as “System Security 2009” and detected it as FakeAlert-CO, and some of its similarly branded past cousins as FakeAlert-SystemSecurity.

The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair”. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-CO that resemble some common characteristics of ransomware trojans.

Once installed, FakeAlert-CO may either terminate all running user processes or prompt the user to reboot.

In either case, it then pretends to perform a system scan and reports detections of false and exaggerated threats.

What sets it apart from older variants is that the user is no longer allowed to open or execute any applications, including Task Manager, Command Prompt or other system and office applications, which are terminated by FakeAlert-CO. A message is displayed to the user indicating that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.

The “product” website is made to look fairly professional, offering an option to purchase a 2-year license or a lifetime support license at a “discount”, and it even comes with a 30-day money-back guarantee!

You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

Uninstalling the System Security “product” will not be an option for the typical user, as there is no uninstaller function, and “Add or Remove Programs” in the Control Panel cannot be opened via the usual means.

However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

Affected VirusScan users may remove this threat using the latest DATs and engine.

Baofeng Media Player: May Day Zero-Day Exploit Fixed

On April 30, an exploit targeting a zero-day vulnerability in the Baofeng media player was published on the Internet. The proof-of-concept exploit had more than enough details for others with malicious intent to create more malicious variants.

Baofeng is a widely popular media player in China, and it plays many common media file formats. May 1 to 3 was the May Day weekend in China. One can imagine many Chinese users surfing the net or searching for their favorite video clips could be hit by this vulnerability during the holidays.

Because this vulnerability exploits an ActiveX component, attackers may inject malicious code via common means such as SQL exploits, or they can simply upload malicious web content onto certain websites. Once users browse these web pages, attackers may execute arbitrary code on the users’ computers via the flawed ActiveX component.

Currently, the vendor has confirmed this flaw and the following versions are reportedly affected by this vulnerability:

  • Build versions: 3.09.03.30, 3.09.03.25, 3.09.04.17, 3.09.04.27.

A patch has been released for this vulnerability. Affected users should immediately contact the vendor for the security update.

McAfee VirusScan has proactively detected this exploit as the JS/Exploit-BO.gen Trojan since as early as the 4679 DATs (January 20, 2006).

Donbot - Joining The Club of Million Dollar Botnets

Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild.  Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits in Windows XP Service Pack 2 and newer. We successfully detect this rootkit as the Generic Rootkit.g trojan. It then establishes an outbound connection with a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-USA-XP-9215671]
  • USER SP2-ojd, followed by the name of the infected computer.

This worm does indeed exploit the MS08-067 vulnerability, and uses a download-and-execute shellcode that behaves identically to Conficker’s exploit, with only some differences in implementation. It is encoded using a simple 1-byte XOR key and looks like any other standard PEB shellcode, which loads API libraries (i.e. urlmon.dll) and executes URLDownloadToFile() to download malware from already infected systems onto new targets. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and installs a 66.scr executable file instead.

ShellCode
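For analysts triaging a captured payload like the one described above, the following added example (not part of the original post) recovers a 1-byte XOR key by trying all 256 values and looking for the cleartext strings such a stub needs. The sample buffer, the address 192.0.2.10 and the file name sample.bin are constructed for illustration, and the indicator list is an assumption based on the names mentioned in the text.

```python
import re

# Cleartext strings expected in a decoded download-and-execute stub. The names
# come from the write-up (urlmon.dll, URLDownloadToFile) plus a URL scheme.
# Matching is case-sensitive on purpose: XOR with 0x20 flips ASCII letter case,
# so a case-insensitive match would also "hit" on the wrong key (key ^ 0x20).
INDICATORS = (b"urlmon", b"URLDownloadToFile", b"http://")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def find_xor_keys(data: bytes, min_hits: int = 2):
    """Try all 256 keys and return [(key, [indicators found])], best first.

    A key of 0 means the indicators are present without any encoding.
    The decoder stub in front of the encoded body turns into garbage under
    the right key, which is harmless because only substrings are searched.
    """
    results = []
    for key in range(256):
        decoded = xor_decode(data, key)
        hits = [ind for ind in INDICATORS if ind in decoded]
        if len(hits) >= min_hits:
            results.append((key, hits))
    results.sort(key=lambda item: len(item[1]), reverse=True)
    return results


def extract_urls(data: bytes, key: int):
    """Return the printable URLs visible after decoding data with key."""
    return URL_RE.findall(xor_decode(data, key))


def build_sample() -> bytes:
    """Constructed test buffer: filler bytes followed by an XOR-encoded string table.

    This is not real shellcode; it only reproduces the property being detected.
    """
    body = b"urlmon.dll\x00URLDownloadToFileA\x00http://192.0.2.10/sample.bin\x00"
    filler = b"\x90" * 16  # stands in for the cleartext decoder stub
    return filler + xor_decode(body, 0x5A)


if __name__ == "__main__":
    sample = build_sample()
    for key, hits in find_xor_keys(sample):
        names = ", ".join(h.decode() for h in hits)
        print(f"key=0x{key:02x} indicators: {names}")
        for url in extract_urls(sample, key):
            print("  download URL:", url.decode())
```
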

As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tools development and automation. As we can see, the latest version of Metasploit is not only used by whitehats for vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is no exception: it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as dcerpc service connection testing code located in the “client.rb” module. By using these routines, the new worm can conveniently determine which operating system and service pack it is targeting to achieve a better infection success rate. The order in which W32/IRCbot.gen.a sends the attack packets is identical to Metasploit’s MS08-067 module (ms08_067_netapi.rb):

WireShark

Both Conficker and W32/IRCbot.gen.a similarly use open source tools to their advantage to make their work much easier.

We went on to investigate additional sites that the worm connects to and the payload that it tries to download. Packet sniffer logs show that it accesses at least two other remote servers:

  • hxxp://98.1[infected].42:443/n
  • hxxp://74.2[infected].90:88/jueo.exe

While the first server was not showing any technical activity at the time of research, the second server is still active and hosts additional malware that is installed onto infected machines:

VirusTotal

Well, hello Donbot! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, appears to be a component of an active botnet called Donbot (also known as Bachsoy). Components of Donbot typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. Except for a few, most AV vendors seem to have detection for this malware.

Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top 5 most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets as they might not get another chance like the MS08-067 exploit in a long time.

This would also serve as yet another reminder that there could well be many computers on the Internet that are still not installed with the latest security updates - more than 5 months since the release of the MS08-067 patch.

Next Up: Office Exploits Reloaded

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as the Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.

As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

  • fssm32.exe: 428,032 bytes (Muster.c trojan)
  • IEUpd.exe: 45,056 bytes (Muster.c trojan)
  • setup.exe: 131,072 bytes (Muster.c trojan)
  • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
  • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools, that could give the victim a clue to the dodgy installation of trojans.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

Conficker Activation On April 1st

Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

The day has finally arrived.

McAfee Avert Labs has been closely monitoring Conficker-related threats, and we haven’t observed any significant activity on the domains that it is polling thus far. Even so, please remain vigilant and watch this space for any further updates to the current status.

On measures to protect yourself and your organisation against Conficker, please visit:

Following a bouncing Waledac

You know that your malware investigation day will be a pain when you reach the first iframe on the webpage…

This one was pointing:

iframe src=”http://[REMOVED].cn/in.cgi?[REMOVED]

This iframe is a redirect to:

http:// [REMOVED].hostindianet.com/index.php?[REMOVED]

Now it gets interesting. This url contains a script that will send a PDF file, called readme.pdf. As an additional note, this pdf looks like part of the Luckysploit kit.

Readme.pdf is a malicious PDF file as you can imagine.

Dissecting it, there is a shellcode, with several functions like:

  • GetTempPathA
  • LoadLibraryA
  • GetProcAddress
  • WinExec

And our friend URLDownloadToFileA, which as the name implies, downloads something from a URL to a file :)

The url is : http:// [REMOVED2].hostindianet.com/l[REMOVED2]?id=4 and id=5

Following these urls, it was possible to find out that both id=4 and id=5 returned the same file, which is one variant of the Waledac.

And yes, both Malicious PDF and the downloaded file are detected by us :)

And yes2, REMOVED and REMOVED2 are different blocks.

An additional thanks to my friend Tom Liston for the title. I will always remember the Bouncing following malware series…;)

Running Windows Malware in Linux

For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications on a virtual machine, or even dual-boot with Windows and Linux, but running them in Wine is just easier.

Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

  • Ubuntu Linux 8.04 [comes with Gnome desktop environment]
  • Wine 1.0 [run as a nonroot user with default settings]

I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

File Infectors

W32/Philis is a file infector that apart from appending its code to other executables downloads and drops other malware.

This malware ran without throwing any errors in Wine. It immediately dropped files in the “Windows” and “Windows\System32” folders and executed these dropped files. It then attempted to connect to a preconfigured site, and downloaded more malware successfully. It also began infecting executables in the Wine directory and created a registry run key for the malicious file.

The screenshot below shows the clean “CProcess.ori,” the original file 35KB in size, and “CProcess.vir,” the infected file 131KB in size.

It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

Autorun Malware

W32/Autorun.Worm.CP is an autorun worm, which drops autorun.inf in the root of removable drives.

This malware also ran without any errors. It dropped both the malicious files and the associated autorun.inf file in the C:\ drive and attached removable devices, and created a registry run key.

The screenshot below shows the created Autorun.inf file, along with the malicious files that were created in the root of the removable device.

The registry run key created by the malware won’t work in Wine, however. As long as the malicious file is running, any new removable devices connected to the machine will get infected, thus making a Linux machine the origin of an infection.

Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials.

IRC Trojans

IRC/Contact malware drops files and connects to a preconfigured IRC server. This IRC Trojan, when run in Wine, connected to the preconfigured IRC server. From the IRC server I was able to connect to the bot, and control it. Though the control was limited, I was still able to list the files under the Wine directory, get system information, download files to the Linux machine remotely, etc.

The screen shot below shows my logging into the infected Linux machine and issuing commands:

The screen shot below shows the infected machine responding to the “getinfo” command issued from the IRC channel:

This IRC Trojan was very simple in features, but I’m guessing that with a complex one, an attacker shouldn’t have any problem scanning the subnet for an exploit and sending a payload to infect Windows machines.

Keyloggers/Password Stealers

Apart from this, I tried running a couple of password stealers and keyloggers, but I couldn’t find one that worked well. I’m guessing they couldn’t get a hook to the keyboard.

Although stealing information using a Windows malware in Wine is difficult, an infected Linux machine can still contribute to a DOS attack or be the origin of an infection as suggested earlier.

Scareware

This class of malware displays falsely exaggerated scan reports and tricks users into buying the product. It relies on extreme social-engineering tactics combined with obfuscated JavaScript that checks for exploits on the machine.

Although I didn’t run the Scareware installer in Wine, I did browse through a site that ran a JavaScript to pop up a window informing me that my “Windows” machine was infected, and requested that I install the malicious file.

Screen shots below:

It is important to note that if the user had set the file association for Windows executables with Wine, then simply double-clicking the downloaded file would run the malware.

Mitigation Techniques

  • Never run Wine applications as root.
  • Wine maps the root directory, the user’s home directory, CD ROMs and removable devices found, and these mappings are listed in “~/.wine/dosdevices/”. Consider deleting these except the link to your drive_c.
  • Do not set the file association for Windows executables with Wine. This would enable the running of Windows executables in Wine by simply double-clicking them.
  • Administrators should think twice before installing Wine on a Linux server. These machines are seldom turned off, so the difficulty that malware faces in Wine with autostarting its code when the machine boots up, which I mentioned earlier, would no longer matter.
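A read-only audit of the drive-mapping mitigation above, as an added example that is not part of the original post: it lists the links in a Wine prefix's `dosdevices` directory and flags those that expose `/`, the home directory, raw devices or removable media. The mount-point list, the verdict labels and the sample layout are assumptions of this sketch.

```python
import os
import tempfile
from pathlib import Path

# Assumed locations where removable media is usually mounted on Linux desktops.
REMOVABLE_ROOTS = (Path("/media"), Path("/mnt"), Path("/run/media"))


def _is_within(path: Path, parent: Path) -> bool:
    """True if path equals parent or lies somewhere below it."""
    return path == parent or parent in path.parents


def classify(name: str, target: Path, prefix: Path, home: Path) -> str:
    """Return a verdict label for one dosdevices entry."""
    if _is_within(target, prefix):
        # Only the c: link into the prefix's own drive_c is expected.
        return "ok" if name == "c:" else "review"
    if target == Path("/"):
        return "exposes-root"
    if _is_within(home, target) or _is_within(target, home):
        return "exposes-home"  # home itself, an ancestor of it, or a folder in it
    if _is_within(target, Path("/dev")):
        return "raw-device"  # entries such as "d::" point at device nodes
    if any(_is_within(target, root) for root in REMOVABLE_ROOTS):
        return "removable-media"
    return "review"


def audit_dosdevices(prefix, home):
    """Return [(drive name, resolved target, verdict)] for a Wine prefix."""
    prefix = Path(prefix).resolve()
    home = Path(home).resolve()
    dosdev = prefix / "dosdevices"
    findings = []
    for entry in sorted(dosdev.iterdir()):
        if not entry.is_symlink():
            findings.append((entry.name, str(entry), "review"))
            continue
        # Links may be relative (../drive_c) or absolute (/); handle both.
        target = (dosdev / os.readlink(entry)).resolve()
        verdict = classify(entry.name, target, prefix, home)
        findings.append((entry.name, str(target), verdict))
    return findings


def risky_mappings(prefix, home):
    """Drive names whose mapping reaches outside the prefix."""
    return [name for name, _, verdict in audit_dosdevices(prefix, home)
            if verdict != "ok"]


def build_sample_prefix(root):
    """Create a constructed prefix layout under root for demonstration."""
    home = Path(root) / "home" / "user"
    prefix = home / ".wine"
    (prefix / "drive_c").mkdir(parents=True)
    dosdev = prefix / "dosdevices"
    dosdev.mkdir()
    links = (("c:", "../drive_c"), ("z:", "/"),
             ("h:", str(home)), ("e:", "/media/usb0"))
    for name, target in links:
        os.symlink(target, dosdev / name)
    return prefix, home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample_prefix, sample_home = build_sample_prefix(tmp)
        for name, target, verdict in audit_dosdevices(sample_prefix, sample_home):
            print(f"{name:4} -> {target:40} {verdict}")
```

To check a real installation, call `audit_dosdevices(Path.home() / ".wine", Path.home())`; the script only reads links and leaves removal to the user.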

25C3: Nothing to Hide

The last major event of the year has just ended: The 25th Chaos Communication Congress’ Closing Ceremony just took place. Now in its 25th year, making it one of the oldest annual IT security conferences on the planet, more than 4,000 visitors crowded the BCC in Berlin, making it difficult to get into the talks, much like at Defcon some years ago.

For the talks: As always there was a healthy mix of technical, culture, and society-related topics (the full schedule can be found here); surprising was the low number of local speakers talking about security problems or releasing tools. This may be related to a lot of confusion about the impact of recent German legislation banning “hackertools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS Vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the State of Attack/Defense of Routers (start watching your infrastructure, folks!) and finally the conference highlight, a talk about creating a rogue CA Certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Osvik, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of MD5-signed certificates and bad implementation of a CA, they were able to create a Rogue CA Certificate, trusted by all browsers–OUCH!

A very interesting note concerning the Rogue CA talk: They didn’t give out any details on what they were planning to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they were discussing the content with affected parties only under NDA. Meaning: They made the other party sign the NDA, not the other, usual, way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, had been released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup? :)

Have a Happy and Safe New Year!

Downloader Trojan Exploits Hole in IE 7

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x, which references already-freed memory in mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

Exploit-MS08-067 Bundled in Commercial Malware Kit

Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, a malware kit author, WolfTeeth, was quick to sell an MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.

WolfTeeth

Taking a peek into his “malware shop”, one finds a series of malware kits for sale, including a BackDoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDOS attack option (using a method to target webservers using expensive HTTP requests such as an active web application site).

The seller invites interested “customers” to contact him for a quote, but on another page, he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features to terminate popular anti-virus software in China, download updates, and operate stealthily.

AdClicker for Sale Site

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and is sold for “research use” only. For customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, that will install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

Friend at the Window

Recently, we at Avert Labs received word of a new Windows CE/Mobile polymorphic, companion virus. This was a bit odd since companion viruses used to be more popular in the days of DOS and we haven’t seen too many on newer platforms.

Unlike more standard file infecting viruses, companion viruses do not infect program files but instead pretend to be the original files.   A companion virus will rename a clean file to a hidden or random name and rename itself to the clean file’s name.  The result is that the user runs the virus when intending to run the original program.  To avoid raising suspicion, the original is run once the virus is done executing.   There may not be a noticeable delay before the original program runs.

While the companion technique was used quite often by less complex viruses, this one also uses basic encryption to evade detection.  The decryption code of the virus is polymorphic with a handful of random code blocks.  There may also be defects in portions of the virus.

The appearance of this new virus for Windows Mobile phones may mark a change from for-profit trojans and spyware to the more experimental form of viruses.  Or maybe WinCE malware authors are just tired of other mobile platforms getting all the attention.

First Glimpse into MS08-067 Exploits In The Wild

It has been over 2 years since I last wrote about malware exploitation of a major vulnerability in the Windows Server Service (MS06-040).

In 2006, worm authors were quick to adopt the remotely executed exploit just 4 days after a security update released as part of the regular Patch Tuesday: IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, et cetera.

Now in 2008, we are faced with malware authors who are motivated by profits, more organized, and more likely to target zero-day vulnerabilities, as we have reported on several critical incidents we have discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new MS08-067 vulnerability targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it was using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that would look very familiar to those familiar with MS06-040.

MS08-067 strings

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

MS08-067 exploit

When successful, hardcoded shellcode embedded within the malware is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

MS08-067 shellcode
(shellcode after decoding)

Just hours following the patch release, public source code has already been seen circulating on the Internet. What more can I say? Patch your systems! Yes, NOW!

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)

The peaceful worm…. not :(

When analyzing malware, it is not uncommon to stumble across one that wants to propagate some sort of message (I am sure everybody remembers W32/Voterai worm and its malicious political propaganda ;). Well, the W32/Agnub.worm certainly does not bring any novelty to this category of malware.

It is the kind of message that is infuriating and insulting. In fact, the W32/Agnub.worm claims to push for peace & love, and, after a successful infection, greets the victim at every boot of the machine with a “nice and poetic” text message:

A really touching message?

It is rather sad to see this type of message from a malware that, among other things, deletes your files. In other words, not only does the victim get the damage, but they also get teased!!

The “best” part, if we can use this expression, can be found by scrolling down to the end of the “peaceful” message:

Apologies are not enough for damaging other people's computers!

Maybe it’s better not to damage other people’s computers at all rather than apologizing later for having done it. :(

Welcome to Virtual Worlds

Every day, people buy, sell, trade, study and travel in real life. More and more often, they do the same thing in virtual online communities sometimes referred to as “metaverses” or “digital worlds”. Represented by avatars (digital representations of themselves), they live a “second life” with new opportunities for networking, teaching, experimenting, and even making money. Businesses, investors as well as not-for-profit organizations invest in these worlds. They explore them in order to open dialogues with distinct target markets and demographics. L’Oreal, Sony, Toyota, Coca-Cola, and GreenPeace are just a few examples.

All of these universes use their own virtual money, which has an exchange rate against euros and dollars. For example, each month, 9 million USD are exchanged on LindeX, the official Second Life currency exchange.

(graph. source: http://www.cyfernet.org/cyfar08/preconference/web2/sl.ppt)

And money encourages malicious behaviour!

First in Seoul, during the last AVAR conference, and then in Laval, at the EICAR conference, Igor Muttik and I had each proposed a paper on this topic. They are available here and here.

In these papers, we explain that virtual worlds as well as massive multiplayer online gaming (MMOG) have encountered many criminal issues like in the real world—identity theft, stealing of virtual assets, extortion, money laundering and even paedophilia. I focused my paper on examples of attacks conducted from the inside as well as the outside of Second Life and World of Warcraft. In his paper, Igor devotes a substantial part to predicting future trends by analyzing existing market and technological shifts.

KZERO Research has just published a study on the overall virtual world population. They announce 303 million registered people in 21 different universes. A year ago, Gartner predicted 80% of Internet users will have a virtual avatar in 2011, the 2008 figure demonstrate that we have arrived at around 21,6%. Most of these universes are inhabited by young populations from 10 years to 20 years of age. Habbo Hotel is credited with 90 million members. The cartoon universes of WeeWorld or IMVU have more than 20 million young subscribers each. Adults seem to prefer Second Life which is credited with 13 million members.


This last study confirms the kids and “tweenager” preponderance in these virtual worlds. Even more prolific than I’d imagined it’d be. Parents must be aware of the interest their children have in investing time in these universes where all kinds of things are allowed and all kinds of propositions are offered. Here too, education, dialogue and vigilance must be favoured.

“You won’t know who to trust”

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:



Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts typically encourage the user to download or install a rogue security software product by “detecting” bogus infections on the system, frightening the user into buying the rogue software in order to clean the fictitious malware that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To achieve this, their authors often borrow techniques from product marketing. Responsible browsing practices include recognizing when propaganda is being used to persuade you to believe something, do something, or buy something. This is not solely indicative of something malicious; however, being able to tell when these methods are in use can help you know when to ask more questions about the motivation or intentions behind the tactic.

Do some quick research:
If something does catch one’s attention, it may be worth the effort to do some quick investigation. Use a well-known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third-party opinions or reviews. These may provide counterpoints that help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes, however, these types of programs will write the fake files to the system so that they can later detect them as malicious.

Check the time and date stamps on the files. Are they close to the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.
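The three checks above can be scripted. The following is an added illustration, not code from the original post; the function names, the one-hour window and the sample files built by `demo()` are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_reported_files(reported_paths, install_time, window=timedelta(hours=1)):
    """Apply the three checks to every path the suspect program "detected".

    Each result records whether the file exists, whether its modification
    time falls within `window` of the install/scan time, and its SHA-256
    for lookup on a multi-engine scanning service.
    """
    results = []
    for path in reported_paths:
        entry = {"path": path, "exists": os.path.isfile(path),
                 "modified": None, "near_install": None, "sha256": None}
        if not entry["exists"]:
            entry["verdict"] = "reported file does not exist"
        else:
            modified = datetime.fromtimestamp(os.path.getmtime(path))
            entry["modified"] = modified
            entry["near_install"] = abs(modified - install_time) <= window
            entry["sha256"] = sha256_of(path)
            entry["verdict"] = ("written around install/scan time"
                                if entry["near_install"]
                                else "not tied to install/scan time; check the hash")
        results.append(entry)
    return results


def demo():
    """Constructed sample: one planted file, one old file, one missing path."""
    install_time = datetime(2009, 5, 20, 14, 0, 0)  # assumed install time
    workdir = tempfile.mkdtemp(prefix="fakealert_demo_")
    planted = os.path.join(workdir, "trojan-dropper.dll")
    old = os.path.join(workdir, "notes.txt")
    missing = os.path.join(workdir, "spyware.exe")
    for path, when in ((planted, install_time + timedelta(minutes=5)),
                       (old, install_time - timedelta(days=30))):
        with open(path, "wb") as handle:
            handle.write(b"constructed sample content, not malware")
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))  # set access and modification times
    return triage_reported_files([planted, old, missing], install_time)


if __name__ == "__main__":
    for row in demo():
        print(os.path.basename(row["path"]), "->", row["verdict"])
```

The SHA-256 value can be searched on a service such as VirusTotal without uploading the file itself.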

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!! ;)

NULL Pointer Exploitation Causes Concern

Some news is in circulation regarding a recently disclosed (and patched) vulnerability in Adobe’s Flash. The attack used dereferenced NULL pointers, which were believed to be very hard to exploit.

The findings were first revealed in a paper called “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine” (pdf) by Mark Dowd. The paper described a new technique for causing an exploitable memory corruption vulnerability in Adobe’s Flash. Whilst the technique targeted the ActionScript Virtual Machine for the Win32/Intel platform, it’s understood that the attack could be carried out on any other platform where Flash is available. The real question is whether this attack can be made more generic, to target dereferenced NULL pointers in general!

It is possible to do so, but it’s not that easy. There are certain conditions an exploit of this type has to satisfy before reaching the ultimate goal. Dowd used some wacky techniques to inject malicious ActionScript byte code into Flash runtime (basically by crafting an SWF with something to trigger the vulnerability and point the execution to another loaded-in-memory part of the file that had the malicious content). Then he forced malloc() to fail by trying to allocate some huge memory chunk. When malloc() failed, it returned NULL.

(OK, at this step a program trying to access a NULL pointer would basically crash, and something to check for malloc() return value is necessary to prevent that crash.)

In this case, Flash didn’t check for malloc() failure and did some pointer arithmetic operation to add the value of the pointer (NULL here) to some offset. Now, this “offset” was controllable, and this is where Dowd had preloaded his malicious content. (Don’t get too excited, folks. There were quite a few other conditions that Dowd’s exploit had to meet before loading his payload. But I’m eliminating a lot of details to present the overall picture). So now we have a pretty successful and reproducible exploit on Flash ActionScript VM. It even bypassed Vista’s ASLR because Vista’s Flash was compiled with the runtime security bit off.

Now, scaling this attack against native code is more difficult in spite of the success it had against ActionScript VM. We will still be looking for a controllable offset and a place to preload our payload. Nevertheless, it is still a neat discovery when taking into consideration the level of complexity needed to load the malicious payload.

This discovery reflects a trend that it is possible to circumvent runtime security countermeasures such as ASLR and the like by targeting other environments with higher privileges running on top of the native platform. And if you’re involved in any secure development lifecycle, you’d better go and check your code!

Counting the bots

As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.

In 2004 and 2005, bots were placed in a group of their own, separate from viruses and Trojans. Their names often ended with “bot” (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of separate variants we had in our collections (the zoos) at the time, statistics showed a constant increase.

We have noted since then that a lot of malware has a remote-control feature (i.e. they are bots). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. As of today, much of this remotely-controlled malware is known under various malware family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently, our counting methods have to change.


On the Internet, various websites allow us to measure a different aspect of the threat.

For example, the Shadowserver Web Site shows us a botnet count. The following graph is a count of all the active Command and Control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2900 botnets today compared to 1400 one year ago:

Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf’s talk at the World Economic Forum in Davos, Switzerland, and explained that he estimated 100 or 150 million machines to be infected, representing over 10% of the PCs connected to the Internet. At the same time, some sources estimated fewer than 10 million machines, while others say they identify nearly 250000 new bots, or infected IPs, each day.

Various techniques can be used to track zombie machines. I will only quote one to allow me the opportunity to give you some interesting links:

  1. Observing DNSBL queries
    This method is described in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted or not. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from valid DNSBL traffic performed by legitimate mail servers.
  2. Watching IRC traffic
    It is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for any signatures matching known botnet commands.
  3. Checking Behavioural Characteristics
    As an example, researcher Stephane Racine demonstrated that IRC bots were idle most of the time on a Chat IRC channel but responded faster than a human upon receiving a command.
  4. Searching for malware hashes on P2P networks
    With decentralized Peer-to-Peer botnets, compromised nodes on the network can be identified by their retrieval of hashes known to be associated with botnets. The College of Computing and Informatics at the University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot could either be actively running on a network without a true Internet connection to determine current hashes, or the hash generation algorithm could be extracted from its binary to generate hash sets on the fly based on the limited set of random integers and the current time.
  5. Watching attack traffic
    Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the number of compromised computers. Since January 2008, the Shadowserver graphs demonstrate a huge increase in this field.
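As an added illustration of method 1 (not code from the original post or from the cited white paper), the sketch below scores DNSBL queriers from a query log. It assumes one query-graph heuristic: a legitimate mail server both issues lookups and is itself looked up by other mail servers, whereas a reconnaissance host issues many lookups but is rarely the subject of any. The log format, the zone name `dnsbl.example`, the thresholds and all addresses are constructed.

```python
import ipaddress
from collections import defaultdict

ZONE = "dnsbl.example"  # hypothetical blacklist zone

# Constructed log: timestamp, querier, query type, query name.
SAMPLE_LOG = """\
2008-02-01T10:00:01 192.0.2.10 A 20.2.0.192.dnsbl.example
2008-02-01T10:00:02 192.0.2.10 A 25.113.0.203.dnsbl.example
2008-02-01T10:00:03 192.0.2.10 A 26.113.0.203.dnsbl.example
2008-02-01T10:00:04 192.0.2.20 A 10.2.0.192.dnsbl.example
2008-02-01T10:00:05 192.0.2.20 A 25.113.0.203.dnsbl.example
2008-02-01T10:00:06 192.0.2.30 A 10.2.0.192.dnsbl.example
2008-02-01T10:00:07 192.0.2.30 A 20.2.0.192.dnsbl.example
2008-02-01T10:00:08 192.0.2.10 MX example.org
""" + "".join(
    # One host checking six addresses that nobody ever asks about in return.
    f"2008-02-01T10:01:{i:02d} 198.51.100.7 A {i}.113.0.203.dnsbl.example\n"
    for i in range(25, 31)
)


def parse_line(line, zone=ZONE):
    """Return (querier, subject_ip) for a DNSBL lookup, else None."""
    fields = line.split()
    if len(fields) != 4:
        return None
    _timestamp, querier, _qtype, qname = fields
    qname = qname.rstrip(".").lower()
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        # DNSBL names carry the looked-up address with its octets reversed.
        subject = ipaddress.IPv4Address(".".join(reversed(labels)))
        ipaddress.IPv4Address(querier)
    except ValueError:
        return None
    return querier, str(subject)


def score_queriers(log_text, min_lookups=5, ratio_threshold=5.0):
    """Compute out-degree, in-degree and their ratio for every querier."""
    asked_about = defaultdict(set)   # querier -> addresses it looked up
    asked_by = defaultdict(set)      # address -> hosts that looked it up
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        querier, subject = parsed
        asked_about[querier].add(subject)
        if querier != subject:       # a self-check is not evidence of being a mail peer
            asked_by[subject].add(querier)
    report = {}
    for querier, subjects in asked_about.items():
        out_degree = len(subjects)
        in_degree = len(asked_by.get(querier, ()))
        ratio = out_degree / in_degree if in_degree else float("inf")
        report[querier] = {
            "out": out_degree, "in": in_degree, "ratio": ratio,
            "suspect": out_degree >= min_lookups and ratio >= ratio_threshold,
        }
    return report


def suspects(report):
    """Queriers whose lookup pattern resembles reconnaissance."""
    return sorted(q for q, row in report.items() if row["suspect"])


if __name__ == "__main__":
    for host, row in sorted(score_queriers(SAMPLE_LOG).items()):
        print(host, row)
```

The `min_lookups` floor keeps a quiet host such as 192.0.2.30, which makes only two lookups, from being flagged merely because nobody has looked it up yet.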

To conclude this post, I have to say that looking at these studies did not help me calculate how many computers are, at the moment, affected by bots! Extrapolating from the 120000 or 150000 items known to be active in a botnet at a given moment to a total number is hard to envisage… However, making these searches was not useless. We can certainly predict that an increase in DDoS attacks will be a 2008 issue and, for sure, more and more botnets will be used in the field; perhaps 40 or 50% of them.

“Friendly Worms” Facing Friendly Fire

When a colleague pointed me at this article about some MS research on using worm techniques to distribute patches more efficiently, I had a moment of extreme déjà vu. After all, Fred Cohen was talking about beneficial uses of viruses in the mid-80’s. But since then, we’ve had a number of attempts occur that prove the old adage that the road to hell is paved with good intentions.

Back in 2001 we saw CodeGreen attempt to locate and patch machines infected with the infamous CodeRed worm. In a variety of other cases, one piece of self-propagating code (worm) has tried to patch backdoors or vulnerabilities, but usually in a self-preservation attempt against a rival author rather than for any altruistic purpose. Examples of this include the Linux Cheese worm and a variety of Bagle and Netsky variants that attempted to remove the other during the much-publicized “Virus Wars” of 2004.

The use of self-replicating code to fix other security problems has invariably proved to be a Bad Idea in the real world because we simply do not understand the epidemiology of the complex, heterogeneous universe we call the Internet. Rather than steal his thunder, I’d invite you to check out Igor Muttik’s talk on “Good Viruses” in the Research Revealed track at RSA this April 9th, if this topic interests you. Alternatively, check out Vesselin Bontchev’s paper on this subject here.

On the other hand, if you actually read the Microsoft research at http://research.microsoft.com/~milanv/, he’s really looking at how the epidemiology of good code versus bad code works. Given that most worms are Windows-based, and Microsoft, by definition, is providing the patches to block those worms that exploit vulnerabilities in their software, this is not irrelevant. While biological analogies to computer viruses are often dismissed, this is one area where a “computer epidemiology” discipline would be most welcome.

McAfee pushes something like a petabyte (Pb) of DAT signatures out in a month, so I can’t even imagine how much bandwidth Microsoft consumes delivering patches to all the Windows machines on the planet. And given how little we really understand about how information flows between computers on the internet, there’s something to be said for advancing the science of information dissemination.

Unfortunately, what most researchers concentrate on is the spread of self-propagating worms exploiting services, like Slammer, Blaster, CodeRed, Witty and other high-profile, fast-spreading worms. Today, though, we’re much more likely to see a huge variety of fairly prosaic threats that rely as much on social engineering as exploits to propagate. And this is an area where there is painfully little research.

What are the different propagation rates for Web 2.0-based threats like the spate of MySpace or FaceBook attacks over the last couple of years, versus any other web-based attack? How do regional idiosyncrasies like localized software vectors or language of social engineering affect threat propagation? How fast do patches or AV signatures need to be distributed to dampen the spread of threats propagating at different rates? How do different peer-to-peer (P2P) strategies compare to other mechanisms for “good code” dissemination? All of these are increasingly valid and relevant questions in the Wild West of today’s internet.

Let’s just remember that there is no “beta” version of the internet we can experiment on at scale. ;-)

Couriers- “You are the weakest link!”

’Tis the season to be greedy – at least that’s what a couple of New York City thieves thought the other night when they stole an entire 18-wheeler FedEx truck containing somewhere around $1M in valuables. What might go overlooked is the priceless corporate data that could possibly be on that truck as well. We constantly rely on couriers such as FedEx to securely ship all of our “data at rest-in transport”, but what measures are they taking to actually ensure those assumptions? If the breach blog has taught us anything, it’s that not enough companies are encrypting their laptop hard drives, backup tapes, etc… and these types of attacks are still serious risks to our data.

As a security consultant, I repeatedly see and hear about these things going overlooked. From boxes labeled “Iron Mountain” sitting on empty loading docks, to Dell boxes waiting in the vacant hallways of shared office buildings, companies are constantly putting their data at risk at pickup and drop-off areas. And I’m actually surprised we don’t see this more often; now even not-so-tech thieves can cash in on the action with these physical attacks. So what do we do? Require all couriers to upgrade to armored cars? Or maybe just spend the time and money now to upgrade your security policy and encrypt all data out of your control!

Chaos Communication Camp 2007 is over

So who said that Hackers cannot survive outside closed buildings?

Closing ceremony is just over and the approximately 2000 visitors of Chaos Communication Camp 2007 are packing their electronic gear and camping equipment, as well as assessing the damage caused by yesterday’s heavy rain. Those of you who did not make it here missed 5 days of exciting cultural exchange in a truly unique environment. To get an idea what it was like, check out the picture archive.

The hottest topics discussed all over the camp were a new German law in effect banning hacker tools and the so-called Bundestrojaner, proposed to make online searches of suspects’ computers possible. And then there were talks. A lot of them, covering various technical, cultural, social and legal aspects. For those missing a talk or missing camps altogether there is some hope: all talks in the big speaking areas were recorded and will be made publicly available for download sometime later.

And finally what I liked most: Powerpoint Karaoke

Speakers and volunteers from the audience get a random powerpoint presentation to present, seeing the slides for the first time while doing so. Just so funny to watch!

Safari for Windows is not a trojan horse

Yesterday, Apple announced Safari 3.0, including a new version for Windows. This announcement is discussed in an article on CNN with a particularly unfortunate turn of phrase in one quote:

“Safari is another Trojan horse that introduces an innovation of Apple to the Windows community and entices them to the Mac platform”

Now, presumably the intention of this quote was to say that Apple is bringing a gift of innovative and exciting new software to Windows users, who’ll then be lured away to the wonders of Mac-land. Much like the “halo effect” of the iPod.

But it would seem that there’s something aside from enticing software that may be coming with this gift - new and exciting software vulnerabilities!
Among the first to welcome the new Apple Web browser were vulnerability researchers. Shortly after the beta release, security forums were abuzz with talk of new vulnerabilities in this new version of Safari. At least three researchers say they have already found security holes in the new browser.

Applications have become a prime target not just for security researchers looking for vulnerabilities, but also for cybercriminals. As Microsoft has improved the security of Windows, applications that run on the operating system have become increasingly popular attack vectors. Our take has always been that Apple software, regardless of what hardware or OS it’s run on, is just as vulnerable to issues as any other software. Apple software running on Mac OS X has been less of a target because it isn’t as widely used as that running on Windows. QuickTime in particular, which is widely used by Windows users, has long been a favorite of vulnerability hunters and cybercriminals. It would seem Safari could be next.

Three of the researchers that announced vulnerabilities in Safari shortly after its release are Aviv Raff, David Maynor and Thor Larholm.
These guys claim several of the vulnerabilities they found could let an attacker remotely gain complete control over a Windows computer running Safari.

Safari 3.0 is still in beta and beta software is expected to have bugs. Even after final release, browsers with vulnerabilities have become more rule than exception. Microsoft’s Internet Explorer, Mozilla’s Firefox, and the existing version of Safari for OS X, regularly get patched to fix security vulnerabilities.

What it boils down to is this: The usual advice for safe computing remains the same. Don’t assume any software is inherently safe, regardless of how safe it purports to be. Software is written by humans, and humans do make mistakes, which can lead to vulnerabilities. Make sure you’re running up to date security software and install the latest security fixes from your software vendors.

Don’t Touch My Wii!

Here’s an interesting development. Hackers have been working on exploiting the Nintendo Wii. As a popular tech-item, it is safe to assume this–but it looks like one has achieved a modicum of success.

First, don’t worry–your Wii is not in grave danger, so you can relax and read on . . . .

A few months ago, a vulnerability in the Opera browser was disclosed (and promptly patched by Opera). Check here for their knowledge-base article. Well, it turns out that Opera is the Internet browser for the Wii (aka “Internet Channel”)–and, it turns out that the original (“trial”) version posted to the store is pre-patch.

So folks that have downloaded the original Internet Channel for the Wii have this vulnerability. You can see a demonstration of it here:

Go to a web page that has the specially crafted JPEG image in it and Opera will crash. That means it’s theoretically possible to run malcode–and according to the hacker conversations they are trying hard to do exactly that.

Hackers are going to be out of luck though, the patched version of Opera (9.10) was released to the store on 12 April. So time is rapidly running out on pulling off an exploit for this one.

The Internet Channel on the Wii has to be updated manually. So Wii users, if you downloaded the Internet Channel, you need to update it.

Still, this serves as a good reminder that any system, closed or otherwise, is vulnerable to malcode.

But the story goes on: Opera is quite popular on mobile handsets, so we tried it out on several handsets with potentially vulnerable versions of Opera installed. In our brief testing, we had two cases where the image successfully crashed the browser (one Symbian8/s60 and one Symbian9/UIQ).

So there is the potential for concern–especially since someone was kind enough to post the directions for generating the specially crafted images. Now anyone can crash the un-patched browser. Remember, a crash is an opportunity to compromise a system–hard to do, but it does happen.

Now, if only Accounting will approve the lab’s requisition for a Wii for ongoing research purposes. We should probably get a PS3 also, just in case . . . . ;-)

Our new CEO is a-blogging!!!!!

McAfee Avert Labs welcomes our new CEO Dave DeWalt aboard. Check out his first blog post on our sister blog Security Insights.

One Spam to Not Open…

A new spam campaign doing the rounds looks fairly innocent but its sole purpose is to verify that your email address is active. This will inevitably lead to your email address being added to multiple spam lists. The main problem with this particular spam is that the email is hard to spot and simply opening it will quietly alert the spammer your email address is active.

The email thanks you for using the digital locker at Windows Marketplace and goes on to give you details of how to download your purchase which in this case is Windows Vista Ultimate Upgrade. The spam only has links to msn.com that forward to Windows Marketplace.

Hidden in the html there’s a blank white image that tries to load from a link as follows:

The spammer has cleverly used a PHP script to send him your email address when the image tries to load. The script then returns a link to the blank white image (http://xxx.xxx.xxx.xxx/dot_clear.gif) that is barely noticeable in the spammed email.

We have seen this spam from the following:

From: “Web Useds”
From: “Web Services”
From: “Web Help”
From: “Support Services”
From: “Sales Depot”
From: “Digital Plaza”
From: “Digital Locker”
From: “Customer Support”
From: “Buy now”
From: “Web Depot”
From: “Ref Depot”

And the subject of the email is usually one of these with random numbers in square brackets:

Subject: [635] Important info regarding your Order
Subject: [7738] Your Order
Subject: [4241] Support Request

Or sometimes just has your email address in the subject:

Subject: youremail@yourdomain.com

So if you notice any emails like these, it’s best to avoid opening them. It’s also advisable to set your email client to ask before downloading images, if this feature is available.
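The hidden-image technique described above can be spotted in a message before any image is fetched. The following is an added example, not part of the original post: it goes slightly beyond the post by also matching base64- and hex-encoded copies of the recipient address and 1x1 image dimensions. The sample message, the `.invalid` hosts and the script names are constructed.

```python
import base64
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

RECIPIENT = "youremail@yourdomain.com"  # placeholder address used in the post
TOKEN = base64.b64encode(RECIPIENT.encode()).decode()

# Constructed sample message; hosts under .invalid are placeholders.
SAMPLE_EMAIL = f"""\
From: "Digital Locker" <sender@example.invalid>
To: {RECIPIENT}
Subject: [7738] Your Order
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for using the digital locker.</p>
<img src="http://static.example.invalid/logo.png" width="120" height="40">
<img src="http://tracker.example.invalid/open.php?id=youremail%40yourdomain.com">
<img src="http://tracker.example.invalid/o.php?u={TOKEN}" width="1" height="1">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: value or "" for name, value in attrs})


def find_beacons(raw_message):
    """Return [{'src': ..., 'reasons': [...]}] for images that look like open trackers."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg.get("To", ""))[1]
    encoded = set()
    if recipient:
        encoded = {base64.b64encode(recipient.encode()).decode().rstrip("="),
                   recipient.encode().hex()}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        collector = ImgCollector()
        collector.feed(html)
        for img in collector.images:
            src = img.get("src", "")
            parts = urlsplit(src)
            if parts.scheme not in ("http", "https"):
                continue  # cid: and data: images are not fetched from a server
            url = unquote(src)
            reasons = []
            if recipient and recipient.lower() in url.lower():
                reasons.append("recipient address in URL")
            elif any(token in url for token in encoded):
                reasons.append("encoded recipient address in URL")
            if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
                reasons.append("invisible 1x1 image")
            if parts.query and parts.path.lower().endswith((".php", ".asp", ".aspx", ".cgi")):
                reasons.append("image served by a script with parameters")
            if reasons:
                findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EMAIL):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```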

Exploit Targeting Unpatched Word Vulnerability Spotted

On the heels of my Zero-Day Excels Over Word blog, McAfee Avert Labs is currently investigating a new Word exploit.  Preliminary analysis shows that this is a different issue than those referenced in my last blog:

  • CVE-2006-5994
  • CVE-2006-6456
  • CVE-2006-6561
  • CVE-2007-0515
  • CVE-2007-0621 (Microsoft states this is a duplicate of CVE-2006-6456)
  • CVE-2007-0671 (Office zero-day uncovered by McAfee Avert Labs)
This new exploit may be somehow related to MS06-027 and the DAT files proactively detect this new threat as a variant of Exploit-MS06-027 since June 2006. This threat appears to exploit Word 2000. Again, this is preliminary analysis. We are working with Microsoft to confirm the history of this vulnerability and will update the blog when we have more information.

Like many of the recent Word exploits, this appears to have been used in a very limited and targeted attack.

Update Feb 9, 1:30pm
Microsoft has acknowledged this issue. They state that it is limited to a Denial of Service attack on Word 2000 and that code execution is not possible.

Denial of Service is clearly not as critical as other recent issues. Looks like this targeted attack was flawed.

Update Feb 14, 4:30pm

Further analysis shows this is likely not limited to denial of service. See Exploit Targeting Unpatched Word Vulnerability Spotted (Follow-up)

McAfee Avert Labs Blog Nominated for a Codie Award

In case anyone was wondering what that new graphic in the upper right hand corner of the blog is, let me share some exciting news! The McAfee Avert Labs Security Blog has been nominated for a Codie Award for Best Technology Blog! Simply being named a finalist by the Software & Information Industry Association is a huge honor for us.

The Codie Awards recognize 72 categories of outstanding products and services through a unique combination of journalist and peer review. This year’s 367 finalists represent technology and business excellence, passion and success and were chosen from more than 1,200 nominations submitted by more than 600 companies—breaking the record set in the 2006 awards. Over 219 individuals in the trade press, consulting, educators, IT specialists and other neutral specialists were involved in reviewing the entries.

The Software & Information Industry Association (SIIA) is the principal trade association for the software and digital content industry. SIIA provides global services in government relations, business development, corporate education and intellectual property protection to more than 800 leading software and information companies.

Final voting will begin February 12 by SIIA voting members at http://www.siia.net/codies/2007. Winners will be named on April 17 at the gala event, which will take place at the Palace Hotel, San Francisco, CA.

Shout-Outs and props to all the researchers at McAfee Avert Labs because it is their content and research that drives the blog. Thanks as well to all our readers!
Wish us luck!!!!