French Authorities Talk Up Digital Investigations

October 1, 2010

This week in Troyes, France, the University of Technology hosted the fourth French-Speaking Days on Digital Investigations, designed for investigators, prosecuting attorneys, and legal experts in charge of fighting cybercrimes. All the participants in the congress were members of the AFSIN, the Francophone Association for Digital Investigation.

In addition to the usual presentations on improving the administration of these fields, various talks covered juvenile protection and the tools used to unmask pedophiles and prove their guilt.


(Source: Police Headquarters, Paris)

Investigating alleged cybercriminals is difficult work that often must be completed in 48 hours, the time that police can hold a suspect. The main problem is the amount of data that police must analyze.

On average, each suspect owns:

  • 5 hard disks
  • 140 CDs or DVDs
  • 17 floppy disks
  • 4 memory cards and USB sticks

When searching a home or office, finding USB drives is always a challenge. They can be concealed in a pen, a lighter, or many other hard-to-examine locations.

The records for a single business are sometimes staggering:

  • Up to 31 hard disks
  • 14 terabytes of data
  • 2.5 million pictures
  • 11,000 MSN Messenger contacts to investigate

Only a well-organized methodology, automation, and devotion to the cause can produce results. For security reasons, I cannot describe the characteristics of the police’s child-abuse image scanners, but I was impressed by the technology they use–which not only searches for precalculated hashes of known clean and “illegal” images but also, based on similarities, analyzes images and videos to find and group child sexual-abuse elements. With 200 legal actions in 2009 and 70 police arrests, these computers run 24 hours a day.

Another talk discussed Facebook investigations. They can run on three fronts:

  • By analyzing the data stored locally on the computer of the user (cookies and traces). They can be uncovered by searching Internet artifacts and by using forensic techniques.
  • By requesting that Facebook provide data stored on the server, with or without the user’s knowledge (for example, IP address at account creation, IP addresses at connection time, contacts, etc.). When requested via subpoena[@]facebook.com, responses have been positive on some occasions. Although Facebook’s Law Enforcement Guidelines document is confidential, many versions are available on the Internet.
  • By querying data deliberately left by the user. This information is visible in the public area, but above all it is accessible via a set of APIs and tools that include Facebook Query Language, the Graph API, and the old REST API. Using scripting languages, the searches can be automated.

With the Graph API, it is also possible to extract metadata for several photos that is not included in the tables. This is a very valuable feature for analyzing users or groups that store illegal photos.

I gave a talk on criminal searches using open sources, and recapped the methods McAfee used to investigate the business Innovative Marketing Ukraine.

We frequently read of the immense gap in cybersavvy between police forces and cybercriminals. The bad guys are way ahead of any attempt to stop them, some say. In Troyes, however, we saw that police investigations have changed and are much more sophisticated than in the past. Despite restricted budgets, law enforcement uses all possible modern equipment and works hand in hand with the security industry and the courts.


Peering Into the Storm Worm

October 1, 2010

[October 5 update at end of file]

The Storm worm marked its presence in early 2007 and became an infamous robot network primarily known for its spamming and phishing activities. Also known as Nuwar/Zhelatin/FakeAV/Peacomm, this bot reappeared early this year, distributed by fake AV software and Trojan downloaders. Storm is a major botnet when compared with many other spamming bots, due to the massive volumes of spam it sends from the victim’s machine. It also uses a fast-flux mechanism to hide its distribution areas. During our static analysis of the Storm executable, we observed it to be heavily obfuscated with an unknown packer and an infinite loop to halt its activity whenever it detects a debugging or virtual machine environment.

Storm’s spam campaign activity includes a variety of spam, most of it related to online pharmacy scams and adult products. To spread, this botnet also includes malicious links to URLs that exploit several client vulnerabilities.

Our analysis of Storm confirmed and uncovered some of its unique characteristics, which help network intrusion prevention systems to implement reliable detection mechanisms for Storm’s control activity.

Static Analysis of the Storm Worm
We looked inside the variant we received in April 2010. In the initial part, this sample has various decryption routines. This binary starts with moving 0x5090 bytes to the heap and thereafter executing decryption routines to unpack the binary in stages.

sw1
sw2

After a complete execution of the loop, the binary is moved to the heap section and then decrypted:

sw3
This executable then copies itself as asam.exe into c:\windows, modifies the registry key to execute at Windows start-up, creates the process asam.exe, and terminates itself.

sw4
Analysis of the HTTP Communications Code Within the Dropped File asam.exe

We reverse-engineered this Storm file and came across some of the unique characteristics of its control channel, which is based on base64-encoded, gzipped HTTP data. The code snippets below reveal our analysis of its HTTP communications.

URI Extensions in the POST Request
Hard-coded URI extensions and the URI length that is used in the POST request initiated by Storm:
sw5
Random Generation Functions to Form the URI Request Path

The next code snapshot shows the random character-generation function that generates 3 bytes of random alphabetical characters which are appended with the “.” to form the request URI path. Thereafter, the random generation function is called again to select any random extension from .jpg, .htm, and .gif, and completes the URI formation by appending it to the previously generated request path:
sw6
HTTP POST Request Header

These are the low-level details of how the POST request will look when the worm is executed on the machine:
sw8
As we figured out from the code above, this variant communicates with the bot master via an HTTP POST request. In examining the POST request code, another clue is the possible typo in the user-agent header, in which it is set to “Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1).” (Note “Windoss” instead of Windows. This is a very good hint that Storm is in action; intrusion prevention systems can use this hint to detect Storm on the wire.) The botnet server then responds with the spam template used by the bot to send the spam.

sw9

sw10

All the preceding data from the server is base64 encoded. After decoding the response from the server, we found the following spam template:

sw11

Once the bot client decodes this data, it uses the following looped SMTP engine code to send spam mails based on the spam template.

sw12

sw13

Let’s take a look at one of the spam mails generated by this bot:

sw14

More Uncovered Commands

Early variants of this bot had different components and separate binaries for carrying out specific commands; yet the one we analyzed seems to have all the control code embedded inside the single component. As seen in the code below, we found the downloader component, which downloads additional malware onto the system, and the updater component, which downloads the latest copy of the bot executable. Once any of these commands are detected in the server response, the bot allocates the heap to store the received data.

sw15

Scanning the Drive for Files
Storm also includes a routine to scan the drives for files with the following extensions:

    .wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .win, .cgi, .mht, .dhtm, .jsp, .dat, .lst

It also searches for particular strings within these files, probably to extract the information about the host and email addresses contained in them:

    @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free -av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp., noreply, local, root@, postmaster@

Detecting Storm Worm on the Wire
The majority of mail traffic over the Internet is spam. We need to detect these spam bots and try to keep them from proliferating. Our analysis provides good hints for detecting Storm traffic on the network. One high-confidence approach would be to correlate multiple suspicious events happening on the network within a short time. One example is a user-agent check for the typo we saw; we can correlate this with the multiple outbound DNS MX queries from the same source within a short time. An even more reliable detection would be to correlate those two events with a spontaneous increase in the outbound SMTP connections from the source. By following up on these hints we can increase our ability to detect Storm at the network gateway.
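The three signals described above (a POST to a three-letter path with a .jpg, .htm or .gif extension carrying the “Windoss” user-agent, a burst of outbound MX lookups, and a jump in outbound SMTP connections) can be correlated per source host. The Python below is an added example written for this page; it is not McAfee’s detection logic or the IPS signature. The event line format, the leading slash on the request path, and the thresholds (five MX lookups and five SMTP connections within two minutes of the check-in) are assumptions, and the sample events are constructed, not captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured traffic). One line per event:
#   <ISO time> <source IP> <kind> <details>
#   http: <method> <path> "<user-agent>"   dns: <qtype> <name>   tcp: <dst>:<port>
# 10.0.0.7 shows all three signals, 10.0.0.8 only the check-in, 10.0.0.9 is benign.
SAMPLE_EVENTS = """\
2010-10-01T10:00:00 10.0.0.7 http POST /qzt.jpg "Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1)"
2010-10-01T10:00:02 10.0.0.7 dns MX example.org
2010-10-01T10:00:03 10.0.0.7 dns MX example.net
2010-10-01T10:00:04 10.0.0.7 dns MX example.com
2010-10-01T10:00:05 10.0.0.7 dns MX mail.example
2010-10-01T10:00:06 10.0.0.7 dns MX corp.example
2010-10-01T10:00:10 10.0.0.7 tcp 203.0.113.10:25
2010-10-01T10:00:11 10.0.0.7 tcp 203.0.113.11:25
2010-10-01T10:00:12 10.0.0.7 tcp 203.0.113.12:25
2010-10-01T10:00:13 10.0.0.7 tcp 203.0.113.13:25
2010-10-01T10:00:14 10.0.0.7 tcp 203.0.113.14:25
2010-10-01T10:01:00 10.0.0.8 http POST /abc.htm "Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1)"
2010-10-01T10:01:30 10.0.0.8 dns MX example.org
2010-10-01T10:02:00 10.0.0.9 http GET /index.html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2010-10-01T10:02:01 10.0.0.9 dns MX example.org
2010-10-01T10:02:05 10.0.0.9 tcp 203.0.113.20:443
"""

# Three random letters, a dot, and one of the three hard-coded extensions (see the
# URI-generation analysis above); the leading "/" is an assumption of this example.
STORM_PATH = re.compile(r"^/[A-Za-z]{3}\.(?:jpg|htm|gif)$")
UA_TYPO = "Windoss"  # the misspelling in the bot's hard-coded user-agent string


def is_storm_path(path):
    return bool(STORM_PATH.match(path))


def parse_events(text):
    """Parse the constructed event lines into dicts keyed by kind."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, rest = line.split(" ", 3)
        ev = {"time": datetime.fromisoformat(ts), "src": src, "kind": kind}
        if kind == "http":
            m = re.match(r'^(\w+) (\S+) "([^"]*)"$', rest)
            ev.update(method=m.group(1), path=m.group(2), ua=m.group(3))
        elif kind == "dns":
            ev["qtype"], ev["name"] = rest.split(" ", 1)
        elif kind == "tcp":
            dst, port = rest.rsplit(":", 1)
            ev.update(dst=dst, port=int(port))
        events.append(ev)
    return events


def is_storm_checkin(ev):
    """The primary hint: a POST to a Storm-shaped path with the typo'd user-agent."""
    return (ev["kind"] == "http" and ev["method"] == "POST"
            and UA_TYPO in ev["ua"] and is_storm_path(ev["path"]))


def correlate(events, window=timedelta(seconds=120), mx_threshold=5, smtp_threshold=5):
    """Per source host, score each check-in by the MX and SMTP activity that follows it."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        for trig in filter(is_storm_checkin, evs):
            t0, t1 = trig["time"], trig["time"] + window
            in_window = [e for e in evs if t0 <= e["time"] <= t1]
            mx = sum(1 for e in in_window if e["kind"] == "dns" and e["qtype"] == "MX")
            smtp = sum(1 for e in in_window if e["kind"] == "tcp" and e["port"] == 25)
            reasons = [f"POST {trig['path']} with '{UA_TYPO}' user-agent"]
            if mx >= mx_threshold:
                reasons.append(f"{mx} outbound MX lookups within {window.seconds}s")
            if smtp >= smtp_threshold:
                reasons.append(f"{smtp} outbound SMTP connections within {window.seconds}s")
            confidence = ("low", "medium", "high")[len(reasons) - 1]
            prev = findings.get(src)
            if prev is None or len(reasons) > len(prev["reasons"]):
                findings[src] = {"confidence": confidence, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, f in sorted(correlate(parse_events(SAMPLE_EVENTS)).items()):
        print(src, f["confidence"], "; ".join(f["reasons"]))
```

The user-agent check alone yields only a low-confidence finding (10.0.0.8), which is the point of the paragraph above: the typo is a hint, and it is the burst of MX lookups and SMTP connections following it that raises the verdict to high for 10.0.0.7.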

Update:
McAfee IPS Coverage Status
McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Storm bot under the attack ID 0x48804200 BOT: Storm Bot Activity Detected. McAfee customers with up-to-date installations are protected against this malware.


U.S. Arrests Zeus-Operating Cybercriminals

September 30, 2010

It looks like some of the recent success in taking down Zeus-using cybercriminals is coming to the United States. The FBI has recently announced that it has charged as many as 60 people and has arrested 10 as part of a global cyberfraud scam. Summaries of the incident can be found here, here, and here.

Zeus is one of the nastiest and most persistent pieces of malware we deal with. It steals banking logons, can act as a bot, and recently started targeting mobile devices, as well. Recently one of our McAfee Labs researchers, Chintan Shah, posted an excellent blog on the inner mechanisms of the Zeus Crimeware Toolkit; his article is definitely worth a read. You can also listen to a great AudioParasitics podcast episode in which my podcast-partner-in-crime Jim Walter and I discuss Zeus (also called Spy-Agent.bw).

If you are running any of our DAT-based security technologies and they are up to date, you are already enjoying excellent coverage against Zeus.

———- UPDATE October 1 —————

It now seems that Ukrainian authorities have taken action against individuals with suspected involvement in the Zeus cybercrime and money laundering network. The Ukrainian contingent seems to be associated with the more technical aspects of the infrastructure. Read detailed accounts here and here.

Let’s keep those arrests and takedowns coming and take back our Internet!


Application-Based Control: the Future of Botnets?

September 29, 2010

During the last six years, botnets have become one of the biggest threats to security professionals, businesses, and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk, to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in botnets and social media:

  • Twitter-controlled bots are the most prevalent example of using social media to receive and execute bot commands
  • KreiosC2, though a proof-of-concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
  • Protocol standards such as XMPP, used for authentication, presence, and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The dangers from controlling a bot or botnet through an application such as Twitter cannot be overstated. Using widely adopted and deployed applications like Twitter to control a botnet effectively allows the attacker to hide in plain sight by using an application or website that is allowed on most desktops worldwide. There’s nothing to it: Log into a Twitter account from a variety of Twitter applications (I’ll use TwitScoop) and send an update:

Get Ready For DDoS Attack!!!

Then we send our command:

Attack Command Sent Through Twitter Baby!!

It really is as simple as that: decentralized, application-based control of one or many bots. Don’t try this at home: I ran this exercise from a private Twitter account with only one follower (my other Twitter account) in a research environment, so there was no danger!

The McAfee Labs research team has released a report that examines TwitterBots, KreiosC2, and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control, and attack.



New Report: ‘Reputation: The Foundation of Effective Threat Protection’

September 28, 2010

On April 30 www.multimedia***.com, a newly registered website that allowed users to post, search, and view amateur videos, came online. The site was part of a group of 160 new domain registrations, and was identified by the network of sensors and data feeds that contribute to McAfee Global Threat Intelligence. Seemingly legitimate, many of these domains had all the trappings of media-sharing sites, except for a clue that prompted us to adjust their reputations to “high risk” and block access to them in our products. What tipped us off? Read the story in the newly released report from McAfee Labs entitled Reputation: The Foundation of Effective Threat Protection.

Reputation systems have been used for years across many disciplines–from doctors diagnosing illnesses to economics experts rating financial instruments–to assess and make decisions about situations or entities. Since the early days of online communities and e-commerce, providers and consumers of goods, services, and information via the web have sought ways to gauge the reputation of parties involved in transactions, from vendors to community advice-givers. Reputation calculation tools are more critical to cybersecurity than ever before as more users access more online tools via more devices and interact with colleagues, friends, and strangers in more online venues. Reputation provides a critical level of assurance around identity and integrity in critical Internet-based personal and professional transactions, for which physical-world verification is impossible.

Download the report to gain valuable insights about what makes reputation systems effective and tips for using them in both near-term security policy and long-term strategy.

This report is also available in eight other languages.


Global Web 2.0 Report Released

September 27, 2010

Today, McAfee released a report based on a survey of more than 1,000 decision-makers about the use of Web 2.0 technology for business. The report reveals some interesting results (for example, who would have thought the United States is among the countries with the lowest adoption rate, and Germany is the country with the most companies not having policies governing the use of Web 2.0 in place?) and the unsurprising finding that security concerns are the greatest hindrance to adopting Web 2.0 and social networking.

Business leaders worldwide see the value of Web 2.0 in supporting productivity and driving new revenue, but they remain deeply concerned about security threats associated with deploying the technology. The survey of decision-makers in 17 countries found that half of businesses were concerned about the security of Web 2.0 applications such as social media, microblogging, collaborative platforms, web mail, and content-sharing tools. Sixty percent were concerned about loss of reputation as a result of Web 2.0 misuse. Six out of ten organizations have already suffered losses averaging US$2 million, for a collective loss of more than US$1.1 billion in security-related incidents last year. Brazil, Spain, and India led in adoption of Web 2.0 technology for business, while adoption was lowest in Canada, Australia, the United States, and the United Kingdom.

The report, “Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices,” commissioned by McAfee and authored by faculty affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University in Indiana, examines the drivers for Web 2.0 and social networking use in business, and assesses their benefits and risks. Overall, the research highlights that although organizations see the potential value of Web 2.0 tools, decision makers continue to debate whether or how to allow employee usage of the technology in the workplace. “Web 2.0 technologies are impacting all aspects of the way businesses work,” said George Kurtz, chief technology officer for McAfee. “As Web 2.0 technologies gain popularity, organizations are faced with a choice: They can allow them to propagate unchecked, they can block them, or they can embrace them and the benefits they provide while managing them in a secure way.”

Key Report Findings:

  • Web 2.0 adoption rates vary across countries. Overall, Web 2.0 adoption rates are high, reaching 90 percent or above in Brazil, Spain, and India. Adoption is lowest in the United States, United Kingdom, Australia, and Canada.
  • New revenue streams are the highest driver of Web 2.0 adoption. Three out of four organizations reported that expanded use of Web 2.0 technologies creates new revenue streams, while 40 percent said the tools have boosted productivity and enhanced effective marketing strategies.
  • Security is the leading concern. Half of respondents named security as their primary concern for Web 2.0. One-third identified fear of security issues as the main reason Web 2.0 applications are not used more widely in their businesses. Companies’ top four perceived threats from employee use of Web 2.0 are malicious software (35 percent), viruses (15 percent), overexposure of information (11 percent), and spyware (10 percent).
  • Reputation damage is the biggest business consequence. Sixty percent of companies reported that the most significant consequence from inappropriate Web 2.0 and social media usage is loss of reputation, brand, clients, or confidence. One-third of respondents reported unplanned investments related to workarounds related to social media in the workplace. Fourteen percent of organizations reported litigation or legal threats caused by employees disclosing confidential or sensitive information, with more than 60 percent of those threats caused by social media disclosures.
  • Many businesses block Web 2.0 rather than put policies in place. Worldwide, 13 percent of organizations block all Web 2.0 activity, while 81 percent restrict the use of at least one Web 2.0 tool because they are concerned about security. Yet almost one-third of organizations reported that they do not have any social media policy in place. A quarter of organizations monitor how staff use social media and 66 percent have introduced social media policies, 71 percent of which use technology to enforce them.

Executives and industry experts who contributed to the research agreed that successful organizational use of Web 2.0 is a complex balancing act. Enterprises must analyze business challenges and opportunities while mitigating the risks and ensure staff training and robust technologies are in place to avoid cyberattacks.

“Web 2.0 and social networking technologies can be used effectively for business,” said Eugene H. Spafford, founder and Executive Director of CERIAS. “But to reap the benefits of Web 2.0, organizations must be proactive about understanding and managing the challenges. That involves putting the right policies in place, and deploying the technology that can enforce those policies.”

McAfee will host a webcast, “Bridging the Web 2.0 Security Gap,” on October 6 at 2 p.m. Eastern time, with Chenxi Wang of Forrester Research. This webcast will cover a recent Forrester Web 2.0 security trends study commissioned by McAfee. The session will help educate enterprise users on protecting their businesses while successfully using Web 2.0 technologies.

“Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices” is available for download at www.mcafee.com.


“A very warm invitation to you,” Courtesy of a Mass-Spam Run

September 17, 2010

McAfee Labs has been monitoring a spam run that was launched earlier today. The message follows:

Subject: A very warm invitation to you

Body:

Hello,

Hope your week has been wonderfull well.  I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.

With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
will be served at the festival.  Besides the spread, cultural and folkloric performances, music, games for children, and activities will be part of the day’s programme.
This once a year event brings all of our friends and family from around the Bay Area, an expression of the internationality of our community, mission and work here.  At the same time, the festival is also a fund-raising initiative open to all, which is important for us in the ongoing Verbum Dei mission here in the Bay Area.

I really look forward to your coming to be able to catch up more.  More details are in the attached invitation, I hope the directions woul be helpful in navigating the way to the St. Thomas More parish.

With joy and peace to you,
Collin Vaughan

Attachment: #####vacation.html
(most typically, but can also be many other names, such as #####.xls.html, #####wachovia summons.html, #####randolph-revisedplans.html, and others)

The attachments are all the same and contain an encoded JavaScript, which redirects to a web page on the numerouno-india.com domain.

The destination page does a redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (with a target of a page on the arestyute.com domain).

The redirect domain displays the standard fake anti-virus scanning animated image and subsequent prompt to download an executable:


fake scanning image


download prompt


icon used by executable

The iframe leads to a cocktail of exploits, including a Java Development Toolkit exploit (CVE-2010-0886), as well as exploits targeting Adobe Flash and PDF vulnerabilities, including CVE-2007-5659, CVE-2008-2992, CVE-2010-0188.

The payload of these exploits is a password-stealing Trojan, which copies itself using a randomly named folder and file in the %AppData% directory and creates a registry run key to load the file at start-up, for example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “{608F1285-57B7-C631-DE51-8A99508CC7A9}” = “C:\Documents and Settings\Administrator\Application Data\Ezudi\oqek.exe”

This password stealer injects into the iexplorer.exe process and targets dozens of mainstream financial institutions.  It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.
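The persistence pattern in the run key above (a GUID-shaped value name pointing at a randomly named folder and file under the user’s Application Data directory) is something an analyst can triage offline from an exported copy of the key. The Python below is an added example, not McAfee’s tooling: it parses a constructed .reg export of the HKCU Run key and flags entries on the two heuristics the post describes. The sample export reuses the run-key entry quoted above plus a benign Windows entry, and the severity labels are this example’s own choice.

```python
import re

# Constructed .reg export (not a real capture): the first value is the run key
# quoted in the post above; the second is a benign Windows entry for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{608F1285-57B7-C631-DE51-8A99508CC7A9}"="C:\\Documents and Settings\\Administrator\\Application Data\\Ezudi\\oqek.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# {8-4-4-4-12} hex groups: legitimate software normally names its run value after itself
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# per-user profile locations (%AppData% on XP and on Vista+)
PROFILE_DIRS = ("\\application data\\", "\\appdata\\")


def _unescape(s):
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return (name, data) pairs found under the HKCU Run key of a .reg export."""
    values, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_key:
            continue
        m = VALUE_LINE.match(line)
        if m:
            values.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return values


def triage_run_values(values):
    """Flag run-key entries that look like the dropper's persistence; benign entries are skipped."""
    findings = []
    for name, data in values:
        reasons = []
        if GUID_NAME.match(name):
            reasons.append("value name is a GUID rather than a product name")
        if any(d in data.lower() for d in PROFILE_DIRS):
            reasons.append("executable lives under the user's Application Data")
        if reasons:
            findings.append({
                "name": name,
                "path": data,
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_run_values(parse_run_values(SAMPLE_REG)):
        print(f["severity"], f["name"], "->", f["path"], "|", "; ".join(f["reasons"]))
```

Both heuristics fire on the quoted entry, while ctfmon.exe under the Windows directory produces nothing. Either heuristic alone is a medium-severity lead, since some legitimate installers do write GUID-named values or user-profile paths; it is the combination that matches the behaviour described above.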

  • This fake AV executable was detected by Global Threat Intelligence File Reputation at the time of this blogging when running at Very Low sensitivity or higher.
  • The first-stage domain (numerouno-india.com) is rated RED by TrustedSource and SiteAdvisor
  • The second-stage domains (arestyute.com and scaner-g.cz.cc) are rated RED by TrustedSource and SiteAdvisor
  • The third-stage domains (ohmaebahsh.ru and eexiziedai.ru) have been rated RED by TrustedSource and SiteAdvisor for weeks
  • DAT file coverage is being added under the following names:
    • PWS-Zbot
    • FakeAlert-PE
    • JS/Downloader.gen
    • JS/FakeAlert-AB.dldr

Customers may download updated signatures using the extra.dat request page: https://www.webimmune.net/extra/getextra.aspx. These are also available in the beta DATs.


Phishing Scam Trolls for EFTPS Users

September 15, 2010

A new phishing scam is targeting users of the Electronic Federal Tax Payment System (EFTPS), a free service provided by the U.S. Department of the Treasury since 1996. The recent fraudulent format uses an email message that claims to be a rejected tax payment and directs users to a fake website for additional information. Remember, don’t ever provide any personal or financial information to unsolicited email messages.

Image 1

Our research found a set of these fraudulent websites created on September 12. All the URLs are associated with the same IP address and in the same country.

Image 2

The scam message:
Subject:
Your EFTPS Tax Payment ID has been rejected.

Body:
Report ID: ***. Your Federal Tax Payment ID: *** has been rejected. Return Reason Code R## – The identification number used in the Company Identification Field is not valid. Please, check the information and refer to Code R##  to get details about your company payment in transaction contacts section: http://www.eftps*******7.com/contacts

If you receive one of these messages claiming to be from the EFTPS or IRS, don’t open it or click any link. It’s safer to manually type the URL (web address) instead of clicking a link. To verify whether a government or financial institution is trying to contact you, call that agency. You’ll find useful tips for avoiding phishing scams in this McAfee publication.


World of Warcraft Spearphishing and Botting

September 13, 2010

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly got this whisper:

Targeted WoW Phishing Attack

Now normally I simply ignore most whispers I get in-game (other times I simply don’t notice them) but this one caught my attention. Zooming in I think you will see why:

WoW Phishing Closeup

This message is telling me that Blizzard suspects my account of using third-party tools to cheat and would I go to their website, login, and check my account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

Fake WoW Login Page

This particular fake was hosted on an IP address that had a pretty questionable report. (HINT, HINT: use our SiteAdvisor browser plug-in!) World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which can add an additional layer of protection to your logon credentials:

WoW With 2FA

The addition of the 2FA pin makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, now granted I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!
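Why a code from a phone app defeats a phishing page that only captures the password: the code is derived from a secret shared between the app and the server plus the current time, so it changes every 30 seconds and a captured one soon stops working. The post does not say which algorithm Blizzard’s authenticator uses; the Python below is an added example of the standard time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226), not Blizzard’s or McAfee’s code. The 20-byte secret is the RFC test-vector key, and the step, digit count and clock-skew tolerance are the RFC defaults chosen for this example.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test-vector secret, used here only so the outputs are checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, skew=1):
    """Server side: accept the current code or one up to `skew` steps either side,
    comparing in constant time so timing does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    print("accepted now:", verify_totp(RFC_TEST_SECRET, code, now))
    # The same code presented three steps later is rejected: a captured code
    # is only useful for the short window in which it was generated.
    print("accepted 90 s later:", verify_totp(RFC_TEST_SECRET, code, now + 90))
```

The phone app and the login server run `totp` over the same secret; the server calls `verify_totp`, and the one-step skew tolerates the two clocks drifting by up to 30 seconds. A stolen password is not enough because the attacker does not hold the secret, and a code that has already been entered expires with its time window.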

Now what were those third-party apps the original phish may have alluded to? Bots most likely. As anyone who follows this blog is aware, bots refer to robots, usually malicious in nature, but they simply automate tasks. Some of the more popular bots for World of Warcraft are farming and leveling bots. They are designed for pretty much what you would guess: They automate the “farming” of a variety of materials (later sold for in-game gold) or even honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

WoW Honorbot - Used for Honor and PvP Farming

and also:

GatheringBot - Used to Farm Materials Mainly

Should your account be found to be using any of these, it will get banned–as it violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Make sure you stay updated and properly configured, and be cautious of in-game messages!

And level-up old school–the account you save may be your own!

