January 2006 - Posts

Tuesday, January 31, 2006

First reports of Nyxem damage

Posted by Mikko @ 16:24 GMT

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.


When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.

The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd - most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named "Nyxem" because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website (www.nymex.com). We don't know why.

We have a free tool available to help disinfect machines before the deadline passes.

F-Secure : News from the Lab - January of 2006.

Thanks to Ron adding some more skins, my blog has a new look.  Let me know what you think!

For even more comprehensive information on this virus go here: http://www.isc.sans.org/blackworm

Microsoft Security Advisory (904420)

Win32/Mywife.E@mm

Published: January 30, 2006

Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.

Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/Mywife.E@mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.

As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependent on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect. It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with "Administrator" as the user name together with a blank password.

Read the rest of this advisory here: Microsoft Security Advisory (904420): Win32/Mywife.E@mm.

BlackWorm Summary

Published: 2006-01-26,
Last Updated: 2006-01-27 02:01:42 UTC by Johannes Ullrich (Version: 3)

About BlackWorm

Over the last week, "Blackworm" infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up-to-date anti-virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti-virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

Naming

As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?

It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal

Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
  1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
  2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

To read the rest of this post, go here: SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Blackworm Notifications (NEW)
Published: 2006-01-25,
Last Updated: 2006-01-26 17:56:37 UTC by Johannes Ullrich (Version: 1)

Blackworm infected machines reported to a 'counter' site the fact that they got infected. The TISF BlackWorm task force obtained the logs from this counter, and is notifying networks represented in the logs. These notifications will use a from address of "handlers@sans.org" or "Randy_Vaughn@Baylor.edu". Please e-mail jullrich\at/sans.org if you would like to obtain a list for your network, and have not received an automated e-mail.

Please include information to support that your e-mail address is associated with administering the respective networks, or a phone number to validate the information.

Update: We are getting A LOT of requests. Please do not forget to include the IP space you are interested in. Quite a number of people responded that these logs helped them identify infected systems and it likely prevented major data loss to these organizations. BIG THANKS to RCN for providing the counter logs in a timely manner. We could not provide this service without their help.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.


BlackWorm Summary (NEW)

Published: 2006-01-24,
Last Updated: 2006-01-24 17:04:18 UTC by Johannes Ullrich (Version: 1)

About BlackWorm

Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will delete a user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites.

Naming

As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. At this time, a CME ID number is not yet available.

Snort Signatures

Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm:

This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referrer: header in their URL. Could be an infected user, could be one of us checking out the counter stats:

alert tcp any any -> any 80 \
  (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; \
  content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; \
  content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; \
  classtype:misc-activity; sid:1000376; rev:1;)

This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to Microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway).

alert tcp any any -> any 80 \
  (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; \
  content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; \
  classtype:misc-activity; sid:1000377; rev:1;)

Credits

We would like to thank the members of the BlackWorm task force for analysis and coordination. This task force involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Links

http://blogs.securityteam.com
Symantec
Trend Micro
Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.


More on Nyxem

Published: 2006-01-23,
Last Updated: 2006-01-23 22:13:35 UTC by Bojan Zdrnja (Version: 1)

Although Nyxem is comparatively less spread than worms like Sober or Netsky, it's still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500,000+). You can see that Nyxem.E is the top malware instance detected in the last 24 hours, with more than double the occurrences than the next highest occurring worm (Netsky).

This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can't be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks like a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven't seen in other analyses of the worm, says:

"Additional Registry Changes
  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed."
The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can't trust it, but this looks like another (big) problem for the average user out there.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
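
As an added example (not code from the ISC diaries or from LURHQ), the two Snort signatures quoted in the BlackWorm Summary above and the web-log search suggested in this diary, ported to a small Python checker: it applies the same conditions to raw HTTP request bytes and scans access-log lines for the counter host. The host name and df= value are those the diaries give; every request and log line below is constructed sample data, and the log format is assumed to be Apache-style.

```python
import re
from typing import Dict, List, Optional

# Host and counter path named in the ISC diaries; the df= value is the one the diary shows.
COUNTER_HOST = b"webstats.web.rcn.net"
COUNTER_PREFIX = b"GET /cgi-bin/Count.cgi?"   # 23 bytes, hence depth:23 in sid 1000376

# The byte-exact connectivity probe matched by sid 1000377 (dsize:92): no User-Agent header.
MS_PROBE = (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
            b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
assert len(MS_PROBE) == 92


def parse_request(payload: bytes) -> Optional[Dict[bytes, bytes]]:
    """Return the lower-cased header map of a raw HTTP request, or None if malformed."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def counter_without_referer(payload: bytes) -> bool:
    """sid 1000376: Count.cgi request to the counter host carrying df= but no Referer header."""
    headers = parse_request(payload)
    if headers is None:
        return False
    return (payload.startswith(COUNTER_PREFIX)          # content must sit at offset 0 (depth:23)
            and b"df=" in payload
            and headers.get(b"host") == COUNTER_HOST
            and b"referer" not in headers)             # content:!"Referer|3a|"


def agentless_ms_probe(payload: bytes) -> bool:
    """sid 1000377: dsize:92 plus the full 92-byte content is simply byte equality."""
    return payload == MS_PROBE


def classify(payload: bytes) -> List[str]:
    """Names of the signatures a single request payload triggers (empty list = clean)."""
    hits = []
    if counter_without_referer(payload):
        hits.append("counter-no-referer")
    if agentless_ms_probe(payload):
        hits.append("agentless-ms-probe")
    return hits


# Access-log search for the counter host, the check suggested in the Nyxem diary.
LOG_LINE = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP/\d\.\d"')

def counter_clients(log_lines: List[str]) -> List[str]:
    """Client addresses whose logged request URL points at the worm's counter script."""
    clients = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and COUNTER_HOST.decode() in m.group(2) and "Count.cgi" in m.group(2):
            clients.append(m.group(1))
    return clients


# Constructed sample traffic (not captured data): an infected-style counter hit, a browser
# visiting the same counter, the 92-byte probe, and an ordinary browser request to Microsoft.
INFECTED_COUNTER = (b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
                    b"Host: webstats.web.rcn.net\r\n\r\n")
BROWSER_COUNTER = (b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
                   b"Host: webstats.web.rcn.net\r\nReferer: http://example.invalid/\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")
BROWSER_MS = b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SAMPLE_LOG = [  # constructed Apache-style proxy log lines
    '10.0.0.7 - - [23/Jan/2006:14:02:11 +0000] "GET http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247 HTTP/1.1" 200 51',
    '10.0.0.9 - - [23/Jan/2006:14:02:15 +0000] "GET http://www.example.invalid/ HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for name, pkt in [("infected counter hit", INFECTED_COUNTER), ("browser counter hit", BROWSER_COUNTER),
                      ("ms probe", MS_PROBE), ("browser ms", BROWSER_MS)]:
        print(f"{name:22s} -> {classify(pkt)}")
    print("counter clients in log:", counter_clients(SAMPLE_LOG))
```

A browser visiting the counter page carries a Referer and User-Agent, so it stays out of both results; only the header-less automated forms are flagged.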

What's the threat? And who is noticing it? Nyxem_e versus CME 508
Published: 2006-01-22,
Last Updated: 2006-01-22 20:00:45 UTC by Patrick Nolan (Version: 4)

CME 508 does not threaten like Nyxem_e. On February 3rd and every third day of the month thereafter, Nyxem.E will destroy users' work (see F-Secure's blog) when the worm activates and replaces "the content of user's files with a text string 'DATA Error [47 0F 94 93 F4 K5]'. Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP" "on all available drives", and yes, available = shared drives.

fwiw, I look at published email malware statistics daily; both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near what Sober was last year as far as raw numbers go. But Nyxem.E has legs, it's more like a centipede than a worm, and it's not likely to drop off the radar soon, certainly not before the 3rd of February.

The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload).
Source info - see the F-Secure Virus Information Pages : Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, ymmv.
Also Known As:

WORM_GREW.{A,B} [Trend Micro] - "It gathers email addresses from files with the following extension names: DMP, DOC, MDB, MDE, PDF, PPS, PPT, PSD, RAR, XLS, ZIP".
W32.Blackmal.E@mm [Symantec]
W32/Nyxem-D [Sophos]
W32/MyWife.d@MM [McAfee]
W32/Grew.A!wm [Fortinet]
W32/Small.KI@mm [Norman]
Win32/Blackmal.F [Computer Associates]
Tearec.A [Panda]

UPDATE
The CME reference is difficult but not impossible to follow. I'm reading CME links which show "Latest CME Identifiers CME-508"; however, that last 508 link has English that says the newest CME-ID is "CME-503 - Date Assigned 2006-01-20". In any event I base my comment that "CME-508" is not a threat because I interpret vendor malware write-ups mentioning CME 503 as the "new" threat called CME-508 at cme.mitre.org. The vendors are listing 503, none are using 508 ......
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

If you grew up in Missouri like I did, some of this just might hit home.  :-)

Growing up in Missouri

1. You've never met any celebrities.

2. Everyone you know has been on a "Float Trip."

3. "Vacation" means driving to Silver Dollar City, Worlds of Fun or Six Flags.

4. You've seen all the biggest bands ten years AFTER they were popular.

5. You measure distance in minutes rather than miles. For example, "Well, Webb City's only 20 minutes away."

6. Down south to you means Arkansas.

7. The phrase "I'm going to the Lake this weekend" only means one thing.

8. You know several people who have hit a deer.

9. You think Missouri is spelled with an "ah" at the end.

10. Your school classes were canceled because of cold.

11. You know what "Party Cove" is.

12. Your school classes were canceled because of heat.

13. You instinctively ask someone you've just met, "What High School did you go to?"

14. You've had to switch from "heat" to "A/C" in the same day.

15. You think ethanol makes your truck "run a lot better."

16. You know what's knee-high by the Fourth of July.

17. You see people wear bib overalls at funerals.

18. You see a car running in the parking lot at the store with no one in it, no matter what time of day.

19. You know in your heart that Mizzou can beat Nebraska in football.

20. You end your sentences with an unnecessary preposition. Example: "Where's my coat at?"

21. All the festivals across the state are named after a fruit, vegetable, or grain.

22. You install security lights on your house and garage and leave both unlocked.

23. You think of the major four food groups as beef, pork, beer, and Jell-O salad with marshmallows.

24. You carry jumper cables in your car and know that everyone else should.

25. You went to skating parties as a kid.

26. You only own three spices: salt, pepper, and ketchup.

27. You design your kid's Halloween costume to fit over a snowsuit.

28. You think sexy lingerie is tube socks and a flannel nightie.

29. The local paper covers national and international headlines on one page, but requires six pages for sports.

30. You think I-44 is spelled and pronounced "farty-far." (St. Louis only.)

31. You'll pay for your kids to go to college unless they want to go to KU.

32. You think that "deer season" is a National Holiday.

33. You know that Concordia is halfway between Kansas City and Columbia, and Columbia is halfway between St. Louis and Kansas City, and the Warrenton Outlet Mall is halfway between Columbia and St. Louis.

34. You can't think of anything better than sitting on the porch in the middle of the summer during a thunderstorm.

35. You know which leaves make good toilet paper.

36. You've said, "it's not the heat, it's the humidity."

37. You know all four seasons: Almost Summer, Summer, Still Summer and Football.

38. You know if another Missourian is from the Boot-heel, Ozarks, Eastern, Middle or Western Missouri soon as they open their mouth.

39. You know that Harry S Truman, Walt Disney and Mark Twain are all from Missouri.

40. You failed World Geography in school because you thought Cuba, Versailles, California, Nevada, Houston, Cabool, Louisiana, Springfield, and Mexico were cities in Missouri. (And they are!)

41. You think a traffic jam is ten cars waiting to pass a tractor.

42. You know what "HOME OF THE THROWED ROLL" means.

43. You actually get this and forward it to all your Missouri friends.

More on Blackmal/Grew/Nyxem (file deletion payload) (NEW)

Published: 2006-01-20,
Last Updated: 2006-01-20 17:40:06 UTC by Jim Clausing (Version: 1)

Following up on Bojan's story from Wednesday, F-Secure posted a bulletin today with their analysis of the current variant. The interesting (or is it scary?) part of this analysis is the revelation that on the 3rd of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others. They also report that based on a counter on a web page that the worm updates, there are in excess of 400,000 machines infected at this time.

-----------------
Jim Clausing, jclausing /at/ isc.sans.org
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

F-Secure Security Bulletin
Published: 2006-01-19,
Last Updated: 2006-01-19 21:18:40 UTC by Deborah Hale (Version: 1)

F-Secure has issued a critical security bulletin regarding a Code Execution vulnerability that affects all F-Secure products. The bulletin states that if you have the 2004 to 2006 versions with the Automatic Delivery System, you will be patched automatically.

For older versions or systems that are not automatically updated - the patches are available at:
http://www.f-secure.com/security/fsc-2006-1.shtml

http://secunia.com/advisories/18529/

Good work, Thierry, for the discovery of this vulnerability.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Symbian operating system - Nokia series 60 mobile phones - 3 new Trojans
Published: 2006-01-19,
Last Updated: 2006-01-19 20:53:20 UTC by Deborah Hale (Version: 1)

For those of you with the Nokia Series 60 phones I have some bad news.  Symantec today has posted 3 new trojans identified that impact your operating system. 

SymbOS.Sendtool.A -  The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth.

SymbOS.Pbstealer.D - The Trojan sends the user's contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices.

SymbOS.Bootton.E - A Trojan horse that restarts the mobile device when executed. However, as it also drops corrupted components, the device is unable to restart.

While looking at this information I discovered that this particular phone OS has been hit several times in the last 2 years by trojan-like programs. I can't find anything on the Nokia site that indicates that a patch is available. I wonder if it isn't time for Nokia to take a serious look at fixing the problem? Especially since one of these new ones allows someone with another Bluetooth device to steal the user's information.

What about it Nokia?  For those of you that own these devices, what are you doing to protect your phone?

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Port 13701 spikes (NEW)

Published: 2006-01-18,
Last Updated: 2006-01-18 21:19:38 UTC by Swa Frantzen (Version: 1)

Immediately after the FrSIRT public release of the exploit against Veritas NetBackup, scanning for TCP/13701 started to increase dramatically.


Date        Sources  Targets  Records
2006-01-18      156    47350    96176
2006-01-17      319    64840   202750
2006-01-16      173    19805    56116
2006-01-15        8       18       39
2006-01-14        4        3       10
2006-01-13        7        7       24

For a more detailed view:

http://isc.sans.org/specialport.php?port=13701

We also provide per autonomous system reports for those managing an AS:
http://isc.sans.org/specialport.php?port=13701&as=[ASN]

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Worldnic outage (NEW)

Published: 2006-01-18,
Last Updated: 2006-01-18 19:20:33 UTC by Swa Frantzen (Version: 1)

We got reports that worldnic DNS servers were not responding and in our preliminary search we found that all the ns?.worldnic.com DNS servers were indeed not responding to requests.

For a while we had trouble reaching the network solutions website (redirection loop), next their website spoke of "a widespread outage" without more detailed information. Now it says "At 10:45 a.m. this morning, we experienced a hardware problem that impeded traffic to our hosting and e-mail servers.  We experienced technical difficulties with an auto recovery system.  At 11:50 a.m. the system was restored. " which would seem to indicate the problems are over.

To the more technical reader it might be clear that the problem that was reported had nothing to do with their email nor their web hosting servers, but with their DNS servers. Or perhaps these servers had issues as well, but that hardly matters to the average user when DNS isn't working as it should.

Also remember this diary about a very similar incident.

--
Swa Frantzen
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

There are bullies even in cyberspace. It is sad really.

DDoS and the Million Dollar homepage

Posted by Mikko @ 18:09 GMT

The Million Dollar homepage gained lots of publicity during new year for making Alex Tew, the 21-year-old student behind it, a millionaire - by selling pixels! Unfortunately it also gained the attention of a botnet gang, who have launched several DDoS attacks as well as defaced the site at least once.

According to The Times, the attackers (calling themselves the "The Dark Group") sent an extortion e-mail to Mr. Tew on January 7th, demanding $5000. When the ransom was not paid, the site was attacked, as documented on Netcraft.

A week later, Tew received another mail from the attackers, asking for $50,000. And this morning, after the ransom was not paid, the whole site was defaced with a note saying "don't come back you sly dog!".

This is an interesting case, as the target is quite unusual. Instead of the usual targets (online shops, credit card merchants, gambling sites), this time the attackers are targeting a private person because they know he has the money.

Alex Tew comments on the developments in his own blog.

F-Secure : News from the Lab - January of 2006.