NEWS FROM THE LAB - October 2008
 
 

Friday, October 31, 2008
 
Proof of Concept Binaries for MS08-067 Targeting English Windows OS's Posted by Dan @ 12:53 GMT

We are seeing the first Proof of Concept binaries that target the MS08-067 vulnerability on the following English localized systems:

Windows XP Service Pack 2
Windows XP Service Pack 3
Windows 2003 Service Pack 2

The payload is encrypted as normal. Its function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. We detect the binaries as follows:

Backdoor:W32/Agent.DIN
Backdoor:W32/Agent.DIO
Backdoor:W32/Agent.DIP

We'll continue to keep an eye on the events.
 
 

 
 
Thursday, October 30, 2008
 
Statements, Reports, Tracking Numbers and Tickets Posted by Patrik @ 16:02 GMT

Over the last 48 hours we've seen a huge increase in ZIP'd malicious e-mail attachments being spammed. The subjects have been:

Your Tracking #xxxxxxxx (where xxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08




The ZIP file typically contains a file that looks like a document (.DOC) but it is really an EXE, there's just a lot of whitespaces between .DOC and .EXE.



Some of these ZIP files are protected by a password which makes it more likely to be allowed through an e-mail server. The password is always in the e-mail message so that the recipient can easily see it.



Using e-mail attachments has made a come back in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.
 
 

 
 
EstDomains Update Posted by Sean @ 15:15 GMT

The EstDomains story continues.

ICANN received a response from EstDomains, and the termination has been stayed. You can read the details here.

Comments?
 
 

 
 
Wednesday, October 29, 2008
 
Case EstDomains Posted by Mikko @ 14:45 GMT

EstDomains is a domain registrar operating from Estonia. They've been on our map for years as they've been the largest registrar used by online criminals for their domain name registration needs.

EstDomains

Yesterday we received good news.

ICANN has (finally!) pulled the plug on EstDomains, and is removing EstDomains from the list of ICANN-accredited registrars.

See below for the official letter.

EstDomains Letter

EstDomains Letter

We probably first ran into EstDomains in 2005, when investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this new Estonian registrar.

Since then, tens of thousands of malicious domains have been registered with EstDomains. These include drive-by-download sites, botnet command-and-control servers, spammed domains and so on.

example of a malicious domain

Many of the recent fake antivirus tools as well as rogue codecs have been running via EstDomains.

In fact, EstDomains is among the largest registrars in the world and they've registered over 280,000 domains. Not all of them are bad, of course. But a big part of them are.

EstDomains

The EstDomains operation is run by Mr. Vladimir Tšaštšin, from the EstDomains office in downtown Tartu.

Lai, Tartu, Tartumaa 51005, Estonia

Vladimir Tšaštšin (aka "SCR") was sentenced earlier this year to six months of jail for credit card fraud, money laundering, and related charges.

image copyright Maris Ojasuu, �rip�ev

Mr. Tšaštšin is also the CEO and largest owner of Rove Digital. Rove generates revenues of several million Euros a year, as shown in this listing of TOP Estonian IT companies by the �rip�ev magazine:

EstDomains

And EstDomains is just a small part of a larger picture, outlined here by the researchers at Hostexploit.com.

EstDomains

For more on Atrivo and EstDomains, see this article at Security Fix.

Thank you ICANN, for doing the right thing.
 
 

 
 
Monday, October 27, 2008
 
Here's what has been going on with MS08-067 since Friday Posted by Toni @ 08:59 GMT

As most of you likely know, Microsoft released an out-of-band update on October 23, 2008. This usually indicates a worm-capable vulnerability when there are already in-the-wild exploits. MS08-067 is very similar to MS06-040, the netapi vulnerability few years back.

We've been working through the weekend, monitoring the situation around this vulnerability.

F-Secure Helsinki Security Lab

We did some time line analysis on Trojan-Spy:W32/Gimmiv which exploits the vulnerability. As far as we can see, the first versions of Gimmiv were compiled around the 19th of September which is well over a month ago. We also did code comparison between the variants, and mostly, the changes in the variants are because the attackers were changing parameters instead of introducing new features.

Analysis of the code inside the Gimmiv trojan clearly shows that whomever is behind it is an inexperienced coder. Their code is riddled with bugs in places where the author clearly didn't read his API documentation closely enough.

Interestingly also, Gimmiv has a self-destruction date. On the earlier samples the date was set to October 5th 2008 23:59 local time, which of course fails to work at this point, unless your computer's date is incorrectly set. On the newest samples the self-destruction date is set to November 30th 2008 23:59 local time which gives the latest round of Gimmiv a month to spread.

The weekend was really quiet. We received about a handful of Gimmiv variants and no other malware that uses the same vulnerability. Though last night, a new proof of concept for the exploit was released that targets Chinese language Windows systems. We are keeping a really close eye on the situation since all it takes is a single working "universal" public exploit for things to go downhill pretty fast.
 
 

Friday, October 24, 2008
 
Out-of-Band Patch from Microsoft Posted by Patrik @ 04:07 GMT

It doesn't happen very often, but when it does, it's for a good reason. Yesterday, Microsoft released an out-of-band patch for a new, critical vulnerability in Windows.

The patch, MS08-067, fixes a remote procedure call (RPC) issue that would, if successfully exploited, enable an attacker to remotely execute applications on a computer running all currently supported versions of Windows.

This is exactly the type of vulnerability Blaster and Sasser used to infect millions of computers back in 2003 and 2004.




The reason for the out-of-band patch is that there is already a trojan actively using the vulnerability to infect computers, which we detect as Trojan-Spy:W32/Gimmiv.A. This trojan steals confidential information from the infected computer and sends it back to the attacker.

The situation is not as dire as in earlier years, as Windows XP SP2 and newer have a firewall in place by default. If you have file or printer sharing enabled however, your computer could be affected.

We recommend that everyone apply the update as soon as possible.
 
 

 
 
Wednesday, October 22, 2008
 
Virus.VBS.Confi Posted by WebSecurity @ 15:22 GMT

One of our Web Security Analysts — Chu Kian — came across a relatively old threat this week.

It was during his day-to-day work that he encountered a VBS malware, Virus.VBS.Confi.

It's not something new, detection was added in 2005, but it still works and it can still infect some unpatched systems if they browse websites with the malware code present.

Visiting an infected website with the malicious code will prompt for a Java virtual machine component installation, shown below:

Virus.VBS.Confi

On one of our test machines, after selecting to download, the sample displayed a script error. Luckily Windows Script Debugger was open to prompt of any scripting errors, and so up came the actual decoded script of the malware.

Virus.VBS.Confi

Inspecting the decoded script shows that it will try to save the downloaded file as KERNEL.DLL or KERNEL32.DLL (detected as Virus.VBS.Confi) depending on where WSCRIPT.EXE is located. This downloaded file is also used to reference the startup registry key as well as in its shell spawning routine which is achieved by modifying the registry key in opening DLL files. It can also infect files that have extensions of HTM, HTML, ASP, PHP, and JSP.

Taking a look at the infected website and viewing the page source, we saw that the site is actually embedded with the malware code. Maybe this is unknown to the website owner that is why it's still there. (We've now sent abuse messages regarding this.)

Virus.VBS.Confi

Having come across one site, we looked further using Google. You can easily discover more websites that contain the same malware code. Here are some sample search results:

Virus.VBS.Confi

So even though most of today's threats live and die within a few days, there's still some old script malware that exists it can still infect unwary travelers.
 
 

 
 
Wednesday, October 15, 2008
 
Surge in Facebook Malware Posted by Response @ 02:59 GMT

We received reports from our colleagues in Hong Kong yesterday about more malware being distributed on Facebook.

Facebook message

If you're a Facebook user, you may get a message such as this, supposedly from a "friend". Since the message was sent by a friend, the likelihood that you would click on the link is much higher. Upon clicking the link, you would be redirected to a hi5.com site that looks something like the one below.

hi5.com message

Not surprisingly, the website will tell you that you need to update your Adobe Flash Player by downloading a file. Of course, no matter how many times you try, you don't get to see the video. You do get infected though.

YouTube message

When we investigated this yesterday, the links were down and obtaining a sample for analysis was not possible at that point in time. Thanks to Lordian however - who tried again after being woken up by his neighbors late last night — we succeeded in obtaining a sample, which is detected as Net-Worm.Win32.Koobface.bp. Depending on the user agent, Net-Worm.Win32.Koobface.bm might also be served up.

Incidentally, if you are using any platform other than Windows, you just get redirected to the real YouTube.

It looks as if Facebook is increasingly becoming a popular target for all sorts of attacks. You can read through the numerous topics on this issue at the Facebook Public Discussion Board. Do note that some of the discussion topics include live links though, so be careful what you click.

On a related note, we've noticed that there is a Facebook phish, live at http://www.faceiibook.com and registered in China.

Another team effort by the Response Team — Lordian, Jojo & Fei
 
 

 
 
Tuesday, October 14, 2008
 
Exploit Predictions Posted by Sean @ 16:08 GMT

It is the second Tuesday of October, and that means it's time for Microsoft's scheduled updates.

According to The Register, Microsoft is rolling out their Microsoft Active Protections Program (MAPP) this month. MAPP aims to provide a predictive attack forecast.

They have a lot to predict this month. There are four critical and six important updates coming.

Microsoft's Updates for October 2008

See Microsoft's Security Bulletin for additional details.

And while you're updating your home computer, remember our Health Check application. It assists updating third-party applications that are vulnerable to exploits. And it's free.
 
 

 
 
Friday, October 10, 2008
 
Poll: Stickers 2008 Posted by Sean @ 15:22 GMT

Wow. Our request for sticker suggestions yielded some really great results. Thanks to everyone.

Now we have a couple of polls that will factor into our decision making process.

Let us know which ones you like best.

Sticker Poll #1
Sticker Poll #2
 
 

 
 
Wednesday, October 8, 2008
 
Stickers 2008 Posted by Sean @ 17:19 GMT

It's about time for some new Laptop Stickers! What are we referring to? Free stickers from the Security Labs, that's what.

This is the set from March 2006.

Stickers

And this is the set from January 2007.

2007 Stickers

The lab hasn't really had any in stock for some time now… and they're still often requested. Therefore, we're going to print some up in preparation for Hack In The Box Security Conference 2008 — Malaysia.

Now — we want your suggestions for 2008's stickers, and we don't have very much time.

So make your suggestion HERE and we'll enter you into a drawing. Those selected will receive a free sheet.

If there's time, we'll do a poll on Friday and over the weekend. Past suggestions can be read here, here, here, and here.

Cheers!
 
 

 
 
You've Got Spam Posted by Response @ 04:41 GMT

Everyone gets malware-tainted spam nowadays. Here's one targeted at the Brazilian online banking crowd.

spam e-mail

Clicking on the imagen2.jpg link will prompt a popup link asking you to download "the image". That link downloads a file detected as Trojan-Downloader:W32/Banload.FUA. Executing this file downloads and executes Trojan-Spy:W32/Agent.BSV and Trojan-Spy:W32/Banker.ITH. These trojan-spies harvest personal and banking information from the infected machine.

Trojan-Spy:W32/Agent.BSV gathers e-mail addresses, then uploads a text file containing the harvested data to the server ftp://ftp.golfacil.web.br.com/[...]/[...]/. As you can see in the code for the spam e-mail below, all the addresses in the text file are then targeted for more spam. Chances are, most of these e-mails won't reach native Portuguese speakers. Reading spam e-mail — great reason to learn a new language.

Spamming harvested e-mail addresses

Incidentally, the server also has PHP files used for spamming. One is detected as HackTool:PHP/Spammer.A, and the other is detected as HackTool:PHP/Spammer.B.

Meanwhile, Trojan-Spy:W32/Banker.ITH gathers banking information and posts the data into a php file of the same server.

To hide all this activity, the attacker(s) put up this message on the home page.

Under Construction

Hmm. The page is "under construction", but there's a live URL leading to it in spam e-mails? Cute.

Response team post by � Lordian
 
 

 
 
The Art of the Hidden File Posted by Response @ 02:51 GMT

The art of hiding codes via XOR is simple, easy and extremely ancient. Despite its antiquity though, it is still in use today.

Here's a great example: Trojan-Downloader:W32/Tibs.VX. It performs a very simple operation to hide its executable components inside six JPEG files. Since the JPEG files also contain valid pictures, they can be easily dismissed. The trojan then downloads the JPEG files, saves them temporarily on the system, retrieves the executables and installs them.

If any of the files are opened with an image viewer, this image is displayed:

Innocent looking JPEG image

Perfectly innocent, right? But after performing the XOR operation, the executable file becomes evident:

Hidden EXE in the JPEG

This is not a very common tactic, though we've seen it before in Rogue:W32/AntivirusXP2008 variants. Still, even tricks as simple as a single assembly language opcode never really get old.

Response team post by — Christine
 
 

 
 
Monday, October 6, 2008
 
"Latest security Update Standard 128-bit Upgrade Certificate" Posted by Mikko @ 14:35 GMT

When phishing was young, many phishers registered lookalike domains, along the lines of bankofamerika.com, login-chase.com, and paypal-account-verification.com.

Eventually most of the phishing gangs moved on to random domains in far-away countries and just prepended the domain to create host names along the lines of www.bankofamerica.com.444hzjr4zp2b8oacgd.org.ve, www.chase.com.host8.asia, and www.paypal.com.dll-s.eu.

But every now and then we run into new fraud sites that are using the old school tricks. Like today, when somebody spammed around e-mails such as these:

sbooff.com

The link takes you to sbooff.com, which desperately tries to mimic sboff.com, the official home page of Standard Bank Offshore:

sbooff.com

Do note that isn't technically a phishing site, as it doesn't try trick you into entering your details to a fake site. It just tries to convince you to install a "Upgrade Certificate". Which is a program. Which is actually the Trojan-Downloader.Win32.Agent.aiqo banking trojan.

The site has been reported and should be offline soon.
 
 

 
 
Friday, October 3, 2008
 
The 15th Posted by Mikko @ 13:08 GMT

Greetings from Ottawa.

VB

The antivirus industry's most important annual conference — Virus Bulletin — is in full swing.

VB

It seems incredible but this is my 15th VB — and I have the card to prove it!

VB  VB

Pretty much everybody is here — as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night — be sure to check it out.

This year, we had our Kimmo Kasslin deliver a presentation on the opening day of the conference.

Kimmo Kasslin

The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".

The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Our fellow, Kimmo, worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.

Details of Mebroot functionality uncovered in the presentation included:

  • Mebroot is the most advanced and stealthiest malware seen so far
  • It operates at the lowest level of the Windows operating system
  • Mebroot writes its startup code to the first physical sector on the hard drive
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot
  • Mebroot hides all changes made to the infected system
  • It heavily uses undocumented features of Windows
  • It creates a complex network communication system, involving pseudo random domain names
  • Large parts of the code is highly obfuscated
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
  • All botnet communication is encrypted with advanced encryption mechanism
  • The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
  • The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
  • The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines


The authors of Mebroot remain unknown at this time. However, it's obvious they are well organized and well funded.

To download the slide set prepared by Kimmo and Elia, click on the image below.

Kimmo Kasslin & Elia Florio

Signing off,
Mikko

P.S. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on the Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.

T2
 
 

 
 
Wednesday, October 1, 2008
 
John Doe is a Criminal Mastermind Posted by Sean @ 18:54 GMT

WinDefender 2008 was the subject of yesterday's post. It's a rogue security application, and part of an ever increasing consumer scam.

A search for "Really Legal Stuff" ties WinDefender 2008 to Antivirus XP 2008, another persistent and very nasty rogue.

Rogue WinDefender 2008 and Antivirus XP

Here's another *really* related rogue, Spyware Guard 2008.

Rogue SpywareGuard 2008 - Really Legal Stuff

Spyware Guard 2008's legal page makes references to Pandora Software.

There are other rogue websites that refer to Pandora Software, and claim it to be located in Dortmund, Germany with a support contact of Oleg Dvorezky. Right… sure.

Whois records list the registrant of Pandora as Trans Eurogroup S A with a physical address of Victoria, SC. Where the heck is SC? It's the Republic of Seychelles, an archipelago nation that's located in the Indian Ocean.

On sites that refer to Pandora Software, you'll also find many cross-references to Innovagest2000. The innovagest2000.com website lists their contact address as Madrid, Spain.

Innovagest2000 claims to provide simply the best entertainment online. And just what kind of entertainment do they provide?

Entertainment such as SystemDefender, yet another rogue. More scareware.

Rogue SystemDefender Scan

Oh no, 324 threats! Is it the animation that's supposed to be fun… ?

It isn't that much fun if you click on the Free Scan Now button.

Do that and you'll get a file that we detect as Trojan-Downloader.Win32.Adload.ma.

Rogue SystemDefender - Trojan-Downloader.Win32.Adload.MA

Trojan-downloaders are kind of a killjoy when it comes to entertainment.

SysCleaner's website is also one of Innovagest2000's efforts from the looks of it.

Rogue SysCleaner Scan

Huh. SysCleaner also detects 324 things to fix, just like SystemDefender does. Guess that's part of the entertainment.

Using a selection of text from SysCleaner's privacy policy page, we located another batch of rogues.

AntiMalware 2009

Rogue AntiMalware 2009

Total Eliminator

Rogue TotalEliminator - Privacy Policy

eKerberos

Rogue_eKerberos_400x360

FileShredder 2008

Rogue FileShredder 2008

Andromeda AntiVirus

Rogue Andromeda AntiVirus

Real Antivirus

Rogue Real Antivirus

PC Antispy

Rogue PC Antispy

Another selection of text from these sites yields many search results that are definitely not safe for work, i.e. pornography. Really obscene stuff. Morally upright citizens of the world, these guys — not.

The company that provides this so called entertainment is urbangestdesarrollos.com. The Urbangestdesarrollos site, which also claims a contact address of Madrid, Spain, is a carbon copy of Innovagest2000. Both Urban and Innova state that credit card statements may show New Concept Business SL.

New Concept Business S.L. claims to be from Barcelona, Spain. Hmm, Spain again. Whois records list the location as Barcelona but the contact person is located in Amsterdam, ES and has a phone number starting with +1.800.

ES as in Spain? Amsterdam, Spain? With a US toll-free phone number? Right, that's probably accurate, you think?

These creeps are really anonymous.

Which brings us to this bit of news: Microsoft and Washington state are suing scareware purveyors.

And just who is the target of their lawsuit? Texas-based Branch Software and its owner James Reed McCreary. RegistryCleanerXP is the name of his scareware application. The Whois information for registrycleanerxp.com, which is still online by the way, actually seems to have legitimate contact details.

Why isn't McCreary more anonymous? It's probably because he isn't the worst of the scareware that's out there. Yeah, he's guilty of deceptive and misleading advertising, and we're happy to see something being attempted, but there's lots worse out there.

The lawsuit against McCreary could very likely devolve into a First Amendment speech case attempting to define deceptive practices, and then eventually he'll walk. Just like spam king Jeremy Jaynes, who had his spam conviction overturned a few weeks ago. Jaynes was incredibly guilty, and yet the Virginia law just wasn't good enough. Too broad.

We can always hope that Washington has better laws, and a judge that understands all of the technical details, but we aren't holding our breath while waiting for the results.

What about the worst of the purveyors? The ones behind stuff such as Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender?

Brian Krebs' has the key details, as he very often does, in this Security Fix post.

In a separate action, Microsoft filed five "John Doe" lawsuits to learn the identities of individuals responsible for marketing other scareware products.

Oh, John Doe lawsuits. That will take care of the problem, no? Once we learn the identities of the individuals, we'll just have to track them down in Dortmund/Madrid/Barcelona/Victoria/Amsterdam in Germany/Spain/Seychelles… and that's just the supposed locations for the John Does involved with the WinDefender chain of apps.

The Antivirus 2009 gang… is located in an entirely different set of European countries.

We applaud the effort, but we think it's going to take a lot more than the Attorney General of Washington to fix this problem. The Internet has no borders. Perhaps the effort would be better spent to create an international agency with the enforcement power to shut down rogue sites, many of which are hosted in the US?

Here's some final screenshots for you. Do see the tiny little red asterisk above the "y" in the word "Utility"?

Rogue WinDefender 2008 - Online Scanning Utility

That's a disclaimer.

Rogue WinDefender 2008 - Disclaimer

Is the text to small for you to read?

It says Typical system scan that shows how the real WinDefender product will be scanning your computer. Advertising purposes only.

John Doe truly has no shame.