Stuxnet Update

September 25, 2010

Stuxnet has received a lot of attention since McAfee first blogged about it in July. This post will answer some of the frequently asked questions we’ve received.

Q: What is Stuxnet?
A: Stuxnet is a highly complex worm targeting Siemens SCADA software. It exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568 and CVE-2010-2729). It also uses a rootkit to conceal its presence, and its driver components are signed with two stolen digital certificates. Additional information is provided in the McAfee Virus Information Library.

Q: When did it first appear and where was it first reported?
A: The threat was discovered in July but is believed to have been released a year earlier. McAfee Global Threat Intelligence (GTI) File Reputation first became aware of Stuxnet components in January, and several File Reputation detections took place before Stuxnet became widely known in July (Artemis!97FD438F25A4, Artemis!4589EF6876E9, Artemis!CC1DB5360109). Early telemetry showed the highest concentration in the Middle East.

Q: What is McAfee’s product coverage for the threat?
A: There are many aspects to Stuxnet, including two recently patched vulnerabilities and two yet-to-be-patched privilege-escalation vulnerabilities. Coverage of the two announced vulnerabilities follows:

CVE-2010-2568

PRODUCT: COVERAGE
DAT FILES: Coverage for known exploits is provided as “Stuxnet” and “Exploit-CVE2010-2568” in the current DATs. Updated coverage is provided as Downloader-CJX.gen.g in the 6057 DATs, released July 28.
VIRUSSCAN ENTERPRISE BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of December 29, 2005, includes the signature “SMTP: Suspicious .Lnk Attachment Found.” The sigset releases of July 20 include the signatures “HTTP: Windows Shell Shortcut LNK File Parsing Vulnerability,” “HTTP: lnk File Download Detected,” and “NETBIOS-SS: lnk File Access Detected.” All four provide coverage.
VULNERABILITY MANAGER: The FSL/MVM package of July 16 includes a vulnerability check to assess whether your systems are at risk.
WEB GATEWAY: Coverage for known exploits is provided as “Stuxnet,” “Downloader-CJX.gen.g,” and “Exploit-CVE2010-2568” in the current Gateway Anti-Malware Database update.
REMEDIATION MANAGER: The V-Flash of July 23 contains a remedy for this issue.
FIREWALL ENTERPRISE: Partial coverage is provided via the McAfee Firewall Enterprise TrustedSource component, which filters or blocks URLs associated with known exploits and malware. Detection for known exploits (and malware variants) is available via the anti-virus component of McAfee Firewall Enterprise.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

CVE-2010-2729

PRODUCT: COVERAGE
DAT FILES: Out of scope
VIRUSSCAN ENTERPRISE BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Signature 2272, “Possible Print Spooler Service Impersonation Attempt Detected,” provides coverage for code-execution exploits. The sigset release of September 14 includes the signature “NETBIOS-SS: Microsoft Windows Print Spooler Service Impersonation Vulnerability,” which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of September 14 includes a vulnerability check to assess whether your systems are at risk.
REMEDIATION MANAGER: An upcoming V-Flash will contain a remedy for this issue.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Coverage of the malware itself:

Stuxnet

PRODUCT: COVERAGE
DAT FILES: Initial coverage of “Stuxnet” was included in the 6045 DAT files, released July 16. Expanded coverage was last updated in the 6053 DAT release of July 24. Rootkit components are detected as “Generic Rootkit.d.”
WEB GATEWAY: Coverage is provided as “Stuxnet” in the current Gateway Anti-Malware Database update.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Product coverage information has been previously communicated through the free McAfee Labs Threat Advisory service and Virus Information Library.

Q: How does McAfee Global Threat Intelligence (GTI) help protect me against this threat?
A: McAfee GTI File Reputation can identify and block the known malware files associated with the Stuxnet worm. In addition, GTI Web Reputation and Network Connection Reputation block outbound connections to Stuxnet’s command servers, which the malware uses to upload the SCADA data it collects from industrial-control systems.

Q: If I have discovered a file identified as Stuxnet on my computer or in my environment, does that mean I was targeted by the creators of the threat?
A: Not necessarily, for a couple of reasons:

  1. Although Stuxnet targeted SCADA systems, it also spreads through removable media such as USB devices, via a previously unknown Windows vulnerability, so nontargeted systems can carry the worm. Thousands of McAfee consumer product users have reported binaries that were intended for systems running Siemens industrial-control software.
  2. Once the Stuxnet attack vector became known, unrelated attackers started exploiting the same vector. Generic detection signatures can overlap with the original attack, so other attacks get reported under the Stuxnet name. McAfee chose to name its generic signatures separately from the signature that detects the original attack binaries, but other vendors may not have done so. More than 1,000 binaries have been flagged as Stuxnet by various vendors over the past few months.

Tune in later for additional Stuxnet-related information.


Adobe PDF Zero-Day Exploit Discovered in the Wild

September 8, 2010

Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered malware in the wild exploiting a new zero-day vulnerability. Like the iOS PDF jailbreak vulnerability and CVE-2010-2862, this zero-day is triggered while Adobe Reader parses TrueType fonts. We have analyzed and confirmed that the vulnerability affects the latest Adobe Reader, Version 9.3.4.

This zero-day vulnerability is a typical stack buffer overflow, and exploitation is expected to be relatively easy. Although the latest Reader build is compiled with stack protection (/GS), the in-the-wild exploit gets past /GS and uses a return-oriented programming (ROP) chain to bypass data execution prevention (DEP).

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All of this points to ROP gaining wider acceptance among exploit writers as the way to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT and has provided them with additional details on the bug. Adobe is actively working on the issue, but no patch is available at the time of writing. Until one ships, Adobe Reader and Acrobat users are urged to keep their security products’ definitions current.

McAfee protection to date:

  • McAfee Network Security Platform: Coverage provided under the signature 0x40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
  • DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
  • Host IPS: Generic buffer overflow protection provides partial coverage
  • Foundstone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk

Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

August 31, 2010

The anti-malware engine is the critical, core piece of McAfee’s anti-malware solutions. As with any core technology, the engine must be rock-solid, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and their value, covering both endpoint and gateway uses. Beyond introducing malware detection methodologies, ranging from exact detection to heuristics and from exploit detection to cloud-based detection, the paper outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” here refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!


Weaknesses Undermine Wind River’s VxWorks Operating System

August 6, 2010

Recently US-CERT issued two vulnerability notes (VU#362332 and VU#840249) about weaknesses in the Wind River Systems VxWorks embedded operating system. VxWorks is one of the most popular operating systems for appliances and embedded devices, some of which, such as routers and firewalls, form part of an organization’s critical infrastructure. By exploiting these two weaknesses remotely, an attacker can take full control of a vulnerable device.

The first note (VU#362332) covers old and well-known issues (CVE-2005-3715, CVE-2005-3804, CVE-2006-0374) in the VxWorks WDB debug agent. WDB connects host development tools to a VxWorks target, and it is enabled by default. The agent accepts unauthenticated requests over SUN RPC on UDP port 17185, giving any remote party debugger-level access to the target, including reading and writing its memory.

The second note (VU#840249) concerns the custom hashing algorithm VxWorks uses to store passwords. The algorithm is highly susceptible to collisions, so an attacker who obtains a stored hash can brute-force a password that produces it in a relatively short time, whether or not it is the original password.

Combining the two weaknesses, an attacker can fully compromise a device. A typical attack looks like this: first, scan for devices with the WDB debug agent enabled, using the unauthenticated access described in VU#362332. Once a device is found, use the debug interface to read the username and password information stored on it. Finally, brute-force the password offline by exploiting the weak hash (VU#840249).

Today McAfee NSP released a UDS (0x40805600, UDS-RPC: Wind River Systems VxWorks WDB Debug Activities Detected) that provides coverage for CVE-2005-3715, CVE-2005-3804, CVE-2006-0374, and VU#362332. Please note that it is normal for embedded platforms to have remote debugging enabled in a development environment, so WDB debug activity may be legitimate; if that is the case, the alerts can be ignored. Attempts from unknown or unexpected IP addresses, however, should be investigated and acted on as required.
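To make the detection concrete, here is an added example (not McAfee’s UDS and not code from the original post) that parses the fixed part of an ONC RPC call and reports calls to the WDB agent’s RPC program on UDP port 17185. It applies the caveat above: calls from an allow-list of known development workstations are reported as informational, everything else as an alert. The WDB program number and the names of procedures 1, 2, 10 and 11 follow Wind River’s public wdb.h; other procedures are reported by number. The datagrams and the 10.0.0.5 lab host are constructed for the demonstration, not captured traffic.

```python
"""Detector for Wind River WDB debug-agent traffic (VU#362332).

Added example; not McAfee's signature and not code from the original post.
Parses an ONC RPC CALL (RFC 5531) and flags calls to the WDB agent's program
number on UDP port 17185. The sample datagrams below are constructed.
"""
import struct
from dataclasses import dataclass

WDB_PORT = 17185
WDB_RPC_PROGRAM = 0x55555555        # RPC program number of the WDB agent (wdb.h)
RPC_CALL = 0
RPC_VERSION = 2
AUTH_NULL = 0
WDB_PROC_NAMES = {                  # from wdb.h; other procedures reported by number
    1: "WDB_TARGET_CONNECT",
    2: "WDB_TARGET_DISCONNECT",
    10: "WDB_MEM_READ",
    11: "WDB_MEM_WRITE",
}


@dataclass(frozen=True)
class RpcCall:
    xid: int
    program: int
    version: int
    procedure: int
    body: bytes


def parse_rpc_call(payload):
    """Parse an ONC RPC CALL message header; None if the payload is not one."""
    if len(payload) < 24:
        return None
    xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack_from("!6I", payload, 0)
    if msg_type != RPC_CALL or rpc_vers != RPC_VERSION:
        return None
    pos = 24
    for _ in range(2):                       # credential, then verifier
        if len(payload) < pos + 8:
            return None
        _flavor, length = struct.unpack_from("!2I", payload, pos)
        if length > 400:                     # RFC 5531 caps opaque auth bodies at 400 bytes
            return None
        pos += 8 + ((length + 3) & ~3)       # opaque body is padded to a 4-byte boundary
    if len(payload) < pos:
        return None
    return RpcCall(xid, prog, vers, proc, bytes(payload[pos:]))


def classify_datagram(src_ip, dst_port, payload, trusted_debug_hosts=frozenset()):
    """Return an 'alert:'/'info:' line for WDB agent calls, or None for other traffic."""
    if dst_port != WDB_PORT:
        return None
    call = parse_rpc_call(payload)
    if call is None or call.program != WDB_RPC_PROGRAM:
        return None
    name = WDB_PROC_NAMES.get(call.procedure, f"WDB procedure {call.procedure}")
    if src_ip in trusted_debug_hosts:
        return f"info: {name} from trusted development host {src_ip}"
    return f"alert: {name} from untrusted host {src_ip} (xid 0x{call.xid:08x})"


def build_rpc_call(xid, program, version, procedure, body=b""):
    """Constructed ONC RPC CALL with AUTH_NULL credential and verifier."""
    header = struct.pack("!6I", xid, RPC_CALL, RPC_VERSION, program, version, procedure)
    auth = struct.pack("!4I", AUTH_NULL, 0, AUTH_NULL, 0)
    return header + auth + body


# Constructed sample traffic: (source IP, destination port, payload).
TRUSTED_DEV_HOSTS = frozenset({"10.0.0.5"})     # hypothetical lab workstation
SAMPLE_DATAGRAMS = [
    ("10.0.0.5",   WDB_PORT, build_rpc_call(0x1001, WDB_RPC_PROGRAM, 1, 1)),
    ("192.0.2.77", WDB_PORT, build_rpc_call(0x1002, WDB_RPC_PROGRAM, 1, 1)),
    ("192.0.2.77", WDB_PORT, build_rpc_call(0x1003, WDB_RPC_PROGRAM, 1, 10, b"\x00" * 16)),
    ("192.0.2.77", 2049,     build_rpc_call(0x1004, 100003, 3, 0)),   # NFS NULL call, ignored
    ("192.0.2.77", WDB_PORT, b"not an rpc message"),                  # junk on the WDB port
]


def scan_samples():
    """Run the classifier over the constructed datagrams; returns the non-None verdicts."""
    results = []
    for src_ip, dst_port, payload in SAMPLE_DATAGRAMS:
        verdict = classify_datagram(src_ip, dst_port, payload, TRUSTED_DEV_HOSTS)
        if verdict is not None:
            results.append(verdict)
    return results


if __name__ == "__main__":
    for line in scan_samples():
        print(line)
```

The allow-list is the operational knob: populate it with the workstations that legitimately run the Wind River tools, and anything else talking WDB to a production device is worth a ticket.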


Downloader-CJX Cashing In on Microsoft .LNK Flaw

July 26, 2010

As McAfee Labs predicted in a previous blog post on the Microsoft Windows Shell .LNK vulnerability (CVE-2010-2568), it was only a matter of time before malware started using this new Microsoft zero-day flaw. We detect the malicious shortcuts as Exploit-CVE2010-2568.

First there was talk of PWS-Zbot (a.k.a. Zeus) using the vulnerability in encrypted emails carrying malicious .LNK files; then our research team found a new variant of Downloader-CJX that extends its earlier social-engineering .LNK propagation with Exploit-CVE2010-2568 .LNK files.

Downloader-CJX is a malware family that drops .LNK files mimicking common Windows and user folders such as Music, Documents, or New Folder. It sets the hidden attribute on the real folder so Explorer no longer shows it, and drops the .LNK files with folder icons, so the user is lured into clicking links that appear to be the legitimate folders. These .LNK files are detected as Downloader-CJX!lnk on an infected machine.

The new variant drops additional files on infected systems:

(Figure: files dropped by Downloader-CJX.gen.g)

The file x.exe is another copy of Downloader-CJX that in turn drops xxx.dll, a DLL component of Downloader-CJX.

The additional .LNK files exploit CVE-2010-2568, so the DLL is loaded as soon as a user browses the folder; no click on the shortcut is needed.

These .LNK files are already detected as Exploit-CVE2010-2568, and the new Downloader-CJX variant as Downloader-CJX.gen.g.

We offer you yet another reminder to keep your anti-malware software updated with the latest DATs, because the bad guys are always updating their software, too.


Microsoft Zero-Day: Malformed Shortcut Vulnerability

July 20, 2010

Today Microsoft updated the security advisory that was initially published last Friday (July 16), stating that they’re working on issuing a security patch for this vulnerability. Earlier, malware exploiting this issue was found in the wild. Researchers at McAfee Labs have been busy tracking this issue over the weekend and we have come up with some more quick Q&A’s.

1. What is the issue with .LNK files and how can it be exploited?
A. McAfee Labs researchers analyzed malware exploiting a design flaw in the parsing of shortcut (.LNK) files. The Windows Shell component does not validate the parameters carried in the shortcut, so the flaw is triggered by any mechanism that causes the shell to load the shortcut’s icon.

2. Does the malware need a payload (shellcode) to exploit this flaw?
A. Because this is a design flaw in the way shortcuts are parsed, no malicious payload (shellcode) is required. The .LNK file only has to point to a malicious file (a DLL that the shell loads); the path to that file is hardcoded in the shortcut.

3. What are the requirements to successfully exploit this flaw?
A. The flaw is triggered when Windows Explorer or Internet Explorer renders a malformed .LNK file that points to a malicious executable. The user does not need to double-click the shortcut; merely opening the folder that contains it is enough to get infected.

4. What are the most likely attack vectors used to exploit this vulnerability?
A. USB drives are the most likely vector, and the malware found in the wild was spreading through one. File sharing over SMB is another likely vector and could lead to widespread infections across internal networks. WebDAV shares are equally susceptible.

5. What are the affected platforms?
A. Microsoft has acknowledged that all supported platforms are affected; details are in the Microsoft security advisory. Windows XP SP2, which is no longer supported, is not in Microsoft’s list of affected platforms, so XP SP2 users may remain vulnerable with no fix coming.

6. How widely is the issue being exploited?
A. The issue is being exploited by malware in the wild. Initial attacks were limited, but a Metasploit module that uses WebDAV shares as the delivery vector was published today, so we expect wider exploitation. Users should keep their anti-virus software updated with the latest DATs (signatures).
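The two .LNK posts above (the Downloader-CJX variant and this Q&A) both come down to the same file-format fact: a shortcut whose target list names the Control Panel folder and then a path to a library makes the shell load that library while rendering the icon. Here is an added example (not code from the original posts) that walks the LinkTargetIDList of a shell link per the MS-SHLLINK layout and flags that pattern, so a responder can triage shortcuts found on a USB stick or share without opening them in Explorer. The two shortcuts it builds are constructed for the demonstration, and the device path, the file name payload.dll and the choice to treat .tmp as a DLL-like suffix are assumptions.

```python
"""Heuristic scanner for CVE-2010-2568-style shortcut (.LNK) files.

Added example; not code from the original McAfee posts. Walks the
LinkTargetIDList of a shell link (MS-SHLLINK) and flags shortcuts whose
item-ID list names the Control Panel folder and then a path to a DLL-like
file. The two shortcuts built at the bottom are constructed, not captured.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
HAS_LINK_TARGET_ID_LIST = 0x00000001
LOADABLE_SUFFIXES = (".dll", ".cpl", ".tmp")   # .tmp: renamed DLLs (assumption)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # printable UTF-16LE runs


def parse_item_ids(data):
    """Return the ItemID payloads of a shell link's LinkTargetIDList ([] if absent)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 20)           # LinkFlags
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = LNK_HEADER_SIZE
    (id_list_size,) = struct.unpack_from("<H", data, pos)   # IDListSize
    pos += 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)  # ItemIDSize, includes itself
        if item_size == 0:                                   # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(bytes(data[pos + 2:pos + item_size]))
        pos += item_size
    return items


def embedded_strings(item):
    """Printable UTF-16LE strings found inside one ItemID."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(item)]


def is_suspicious(data):
    """(True, path) when a Control Panel item is followed by a path to a loadable file."""
    saw_control_panel = False
    for item in parse_item_ids(data):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            saw_control_panel = True
            continue
        if saw_control_panel:
            for text in embedded_strings(item):
                if text.lower().endswith(LOADABLE_SUFFIXES):
                    return True, text
    return False, None


def build_lnk(items):
    """Assemble a minimal shell link: header plus LinkTargetIDList (constructed sample)."""
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))    # remaining header fields zeroed
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples; the device path and file name are hypothetical.
MALICIOUS_LNK = build_lnk([
    b"\x1f\x00" + MY_COMPUTER_CLSID.bytes_le,
    b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00" * 10 + r"\\.\STORAGE#Volume#_??_USBSTOR#Disk#1234\payload.dll".encode("utf-16-le") + b"\x00\x00",
])
BENIGN_LNK = build_lnk([
    b"\x1f\x00" + MY_COMPUTER_CLSID.bytes_le,
    b"\x2f" + b"C:\\" + b"\x00" * 10,
    b"\x31\x00" + b"notes.txt\x00",
])

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, is_suspicious(sample))
```

Run it over every .LNK on suspect removable media; a hit tells you which library the shortcut would have loaded, which is the file to pull for analysis.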

We’ll keep our readers updated on this issue as we analyze more malware and techniques used by malware writers to exploit this flaw.


Message to Google: Aurora NOT a Technology or OS Issue

June 1, 2010

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see whether this “decision” has any basis in reality. (I caution readers to remember that the report is not confirmed.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability, and they certainly used plenty of evasion techniques in delivering the payload. But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trump technology every time. They always have and always will.


An Overview of Exploit Packs

May 29, 2010

Today’s cybercriminals frequently use “exploit packs” to easily snare victims for their botnets. Users with underprotected computers who visit booby-trapped websites become the latest botnet zombies. I often receive requests asking me which exploit packs are current and which vulnerabilities they use.

To answer these inquiries, I’ve created a table that lists the exploits, referenced by their Common Vulnerabilities and Exposures (CVE) identifiers, and the kits that use them.

Looking at this table, we can see that the most up-to-date kit is Crimepack. Version 3.0 alpha is in the wild. In March 2010, Version 2.2.1 was offered for $400.

Next is the Phoenix Exploit Kit. Its price was around $400 in November 2009.

The Eleonore exploit pack is another popular tool. It was recently in the news after the hack of the United States Treasury website. In February 2010, Version 1.3.2 sold for $1,200. In July 2009, the Version 1.2 went for $700 plus $50 for an encrypter. For $1,500, buyers received a version allowing them to manage the tool through their own domains.

Next we have Fragus ($800), Yes Exploit Kit, and Siberia. In April 2010, the Yes Exploit Kit Standard Edition sold for $900. For an additional $250, buyers could include an “abuse-immunity” Virtual Private Server for one month and two “abuse-immunity” domains.

In the final four columns you’ll find the oldest common tools, offered from 2006 to 2008: El Fiesta, Icepack, MPack, and WebAttacker.


Ending XP Service Pack 2 and Windows 2000 security support and its implications

May 13, 2010

I was just reading Byron Acohido’s writeup on Microsoft ending security patch support for Windows XP Service Pack 2 and Windows 2000. As I work for a vendor myself, I completely understand why Microsoft is going EOL (or is it EOS, for end of support? I forget…) for these operating systems: better, more robust OS choices exist, and no company has unlimited resources to support applications and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-sale and embedded devices (think ATMs and such), ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that it’s relatively straightforward to compromise a fully patched system; the tools and techniques are readily available to anyone with a browser and even limited Google search skills. But let’s also be honest: it’s WAY easier to own an older unpatched build, especially when all the vulnerabilities in XP Service Pack 2 and Windows 2000 are so well documented and available. Malware also tends to be fairly backward compatible in many cases.

I am not so certain this will cause a great shift in the toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers, though. Just think of the spam-campaign or link-spam possibilities; it’s a great lure.

“MS has stopped support for XP Service Pack 2 click here for low cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price.!”

I can see the spam runs, phishing sites, and associated fake-AV installs now… Be forewarned, my friends. And is it just me, or are whitelisting and application control looking better and better?


Cybercrime and Hacktivism in the Headlines

March 29, 2010

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. Its main goal is to explain how these organized groups have become established and what the extent of their activities is. In the first part of the report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics, including cybercrime and hacktivism, economics, politics, and culture. Each topic is illustrated with examples found in the news. Through further examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.

