January 2007 - Posts


The Google blacklist

Used by anti-phishing technology, a list of suspicious URLs is maintained by Google and publicly available on the Internet. It is the Google blacklist: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:-1

On his blog, Michael Sutton who analyzed this link, explains it is used by the Google Safe Browsing for Firefox extension which is now part of the Google Toolbar for Firefox.

On January 5th, the Register announced that this public list contained confidential information like people's usernames, passwords or session tokens. They wrote that the problem had been corrected. Last Monday an Internet security firm reconfirmed the problem they first discovered on the 3rd of January.

As I am interested in identity theft risks, I played with my favorite Internet search engine. Unfortunately it was not difficult to find copies of some lists that were spread before Google removed the offending data.

Online we are asked more and more often to enter our personal data. One day we make an error, and inadvertently some of our sensitive information can be stored or even sent to a hacker and perhaps used by him. This post demonstrates that this data can easily become publicly available on the Internet. All the more reason to be vigilant.

New Microsoft Word 2000 Vulnerability

We’ve seen many threats using vulnerabilities based on Microsoft Office documents over the last year, so it’s no surprise that we have recently observed new samples of a threat that follows the same theme. This threat, named Trojan.Mdropper.W, uses the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID22225) to drop threats onto a compromised computer. When the infected Word document is opened, it uses an exploit to drop some files onto the computer. These files are back door Trojans that enable an attacker to gain remote access to your computer.

This vulnerability comes on the back of three other recent and unpatched Microsoft Word vulnerabilities, which are:

BID21518 (CVE-2006-6456)
BID21451 (CVE-2006-5994)
BID21589 (CVE-2006-6561)

To protect yourself against these threats, do not trust unsolicited files or documents about “interesting” topics. Do not open attachments unless they are expected and come from a known and trusted source.

Posted by Hon Lau on January 25, 2007 10:00 AM

Symantec Security Response Weblog: New Microsoft Word 2000 Vulnerability.

SYM07-001 - Symantec Web Security Multiple Vulnerabilities

A cross site scripting vulnerability and a denial of service vulnerability have been discovered in Symantec Web Security (SWS). Symantec has posted an advisory concerning these two vulnerabilities and an unaffected build is now available. For additional information on these vulnerabilities and information on what versions are affected, please see the following advisory:

http://www.symantec.com/avcenter/security/Content/2007.01.24c.html

Symantec has received reports from users that some custom scripts used to download virus definitions from the FTP site are failing. This occurs when the script uses wildcards such as *.xdb. Scripts which do not use wildcards are not affected. Symantec is aware of the situation and is working toward a resolution.

For additional information, including locations which do not require wildcards to update definitions, please see the following KB article:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007012409202248

Attacks on Virtual Machines

At AVAR 2006, I presented a paper which discussed ways in which virtual machines are vulnerable to detection and, in some cases, forced hangs or crashes.

The paper briefly discusses the two major types of virtual machines ("hardware-bound" and "pure software") and the two hardware-bound subtypes ("hardware-assisted" and "reduced-privilege guest"). The focus of the paper is the different ways in which various virtual machines can be detected. There are detections for VMware, VirtualPC, Parallels, Bochs, Hydra (though the published methods have since been fixed), QEMU, Atlantis and Sandbox, along with lots of source code.

The slides from the talk are also available, but without the commentary, they're not quite as interesting. The paper and slides are available from here.

Symantec Security Response Weblog: Attacks on Virtual Machines.

Oh boy here we go again...
Of Love and Bills Posted by Kimmo @ 07:01 GMT

A new round of malicious billing spam e-mails were received yesterday. All attachments have the filename of Rechnung.pdf.exe. Two variants emerged from these spams: W32/Nurech.X and W32/Nurech.Y.

Later in the day, the phrase "Love is all Around" was given a new meaning when another batch of Stormy was received. This new Stormy still adheres to the theme of love. Filenames of this new variant could be any of the following:

   Flash Postcard.exe
   Greeting Postcard.exe
   Greeting Card.exe
   Postcard.exe
   flash postcard.exe
   greeting card.exe
   greeting postcard.exe
   postcard.exe

Attachments are now detected as Trojan-Downloader.Win32.Small.ciw.

As seen from the newest samples, social engineering techniques are still employed to entice a portion of the recipients to execute the malicious attachments.

Vigilance and caution are always advised.

F-Secure : News from the Lab - January of 2007.


Published: 2007-01-24,
Last Updated: 2007-01-24 22:23:04 UTC
by Maarten Van Horenbeeck (Version: 2)

Several readers have written in that Cisco just released three security bulletins regarding issues in the Cisco IOS software:

Crafted TCP Packet can cause denial of service (cisco-sa-20070124-crafted-tcp)
A remotely-exploitable memory leak in the Cisco IOS software could lead to a denial of service condition. This vulnerability applies to much of the IOS 12.0, 12.1 and 12.2 code base.

Crafted IP Option vulnerability (cisco-sa-20070124-crafted-ip-option)
By sending certain ICMP, PIMv2, PGM or URD packets with a specific IP option set to a Cisco IOS or IOS XR device, an attacker could cause the device to reload or even execute arbitrary code. This applies to a wide variety of releases.

IPv6 Routing Header vulnerability (cisco-sa-20070124-IOS-IPv6)
Certain crafted IPv6 Type 0 routing headers could crash a device running IOS.

If you run Cisco switches or routers in your network, we advise you to review these bulletins in detail and take mitigative action where required. As a form of triage we believe organizations are most likely to be affected by the 'Crafted IP Option vulnerability', which also has the highest potential impact.

UPDATE:
Cisco has also released separate "Applied Intelligence Response" bulletins. These contain high quality information on how to detect exploitation of these vulnerabilities, and how they can be mitigated. Most organizations will need to perform a code upgrade for at least some of these vulnerabilities - while testing the new releases, these documents may prove useful.

Detecting and mitigating cisco-sa-20070124-crafted-tcp
Detecting and mitigating cisco-sa-20070124-crafted-ip-option
Detecting and mitigating cisco-sa-20070124-IOS-IPv6 


SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc.
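Added example, not code from the ISC diary or from Cisco: a small Python packet inspector that implements the two trigger conditions the bulletins above describe, IPv4 packets carrying IP options in ICMP, PIMv2, PGM or URD traffic (cisco-sa-20070124-crafted-ip-option) and IPv6 packets carrying a Type 0 routing header (cisco-sa-20070124-IOS-IPv6). It is the kind of check you would run over a capture from a span port while the code upgrades are still being tested. The sample packets are constructed inline; the IANA protocol numbers, the URD port (TCP/465) and the option-walking logic are my assumptions rather than anything the bulletins spell out in code, and checksums are left at zero because the inspector does not validate them.

```python
import struct

# IANA protocol numbers of the IPv4 carriers the crafted-IP-option bulletin names.
IPV4_TRIGGER_PROTOS = {1: "ICMP", 103: "PIMv2", 113: "PGM"}
URD_TCP_PORT = 465                   # assumption: URD is carried on TCP/465
IPV6_TLV_EXT_HEADERS = {0, 43, 60}   # hop-by-hop, routing, destination options (TLV length)
IPV6_FRAGMENT_HEADER = 44            # fixed 8-byte header
IPV6_ROUTING_HEADER = 43

CRAFTED_IP_OPTION = "cisco-sa-20070124-crafted-ip-option"
IPV6_TYPE0_RH = "cisco-sa-20070124-IOS-IPv6"


def ipv4_option_types(options: bytes) -> list:
    """Walk an IPv4 options field and return the option type codes it carries."""
    types, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # End of Option List
            break
        types.append(kind)
        if kind == 1:                     # No Operation is a single byte
            i += 1
        elif i + 1 < len(options):
            i += max(options[i + 1], 2)   # length covers type+length; never loop on 0/1
        else:
            break                         # truncated option
    return types


def inspect_packet(pkt: bytes) -> set:
    """Return the bulletin identifiers whose trigger conditions this raw IP packet meets."""
    hits = set()
    if not pkt:
        return hits
    version = pkt[0] >> 4
    if version == 4 and len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        if ihl > 20 and len(pkt) >= ihl and ipv4_option_types(pkt[20:ihl]):
            if proto in IPV4_TRIGGER_PROTOS:
                hits.add(CRAFTED_IP_OPTION)
            elif proto == 6 and len(pkt) >= ihl + 4:        # TCP: check for URD
                dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
                if dport == URD_TCP_PORT:
                    hits.add(CRAFTED_IP_OPTION)
    elif version == 6 and len(pkt) >= 40:
        next_hdr, off = pkt[6], 40
        while off + 2 <= len(pkt):                          # walk the extension header chain
            if next_hdr == IPV6_ROUTING_HEADER and off + 3 <= len(pkt) and pkt[off + 2] == 0:
                hits.add(IPV6_TYPE0_RH)                     # Routing Type 0
            if next_hdr in IPV6_TLV_EXT_HEADERS:
                hdr_len = (pkt[off + 1] + 1) * 8
            elif next_hdr == IPV6_FRAGMENT_HEADER:
                hdr_len = 8
            else:
                break                                       # upper-layer header reached
            next_hdr, off = pkt[off], off + hdr_len
    return hits


# --- constructed sample packets (checksums left at zero; the inspector does not verify them) ---
def _ipv4(proto: int, options: bytes, payload: bytes) -> bytes:
    options += b"\x00" * (-len(options) % 4)
    ihl_words = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload),
                      0x1234, 0, 64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return hdr + options + payload


def _ipv6_with_rh(rh_type: int) -> bytes:
    src, dst, via = (bytes.fromhex("20010db8" + "0" * 22 + f"{n:02x}") for n in (1, 2, 3))
    icmpv6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)                       # echo request
    rh = struct.pack("!BBBB4x", 58, 2, rh_type, 1) + via                   # next=ICMPv6, 1 hop
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(rh) + len(icmpv6), 43, 64, src, dst)
    return hdr + rh + icmpv6


def _tcp_syn_to(dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 2, 8192, 0, 0)


RECORD_ROUTE = b"\x07\x07\x04" + b"\x00" * 4                 # RR option, one empty slot
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)

SAMPLE_ICMP_RR = _ipv4(1, RECORD_ROUTE, ICMP_ECHO)            # ICMP carrying IP options
SAMPLE_TCP_SYN = _ipv4(6, b"", _tcp_syn_to(80))               # ordinary TCP, no options
SAMPLE_TCP_URD = _ipv4(6, RECORD_ROUTE, _tcp_syn_to(URD_TCP_PORT))
SAMPLE_IPV6_RH0 = _ipv6_with_rh(0)
SAMPLE_IPV6_RH2 = _ipv6_with_rh(2)                            # Type 2 (Mobile IPv6) is not the trigger

if __name__ == "__main__":
    for name in ("SAMPLE_ICMP_RR", "SAMPLE_TCP_SYN", "SAMPLE_TCP_URD",
                 "SAMPLE_IPV6_RH0", "SAMPLE_IPV6_RH2"):
        print(name, sorted(inspect_packet(globals()[name])))
```

Feed it raw IP packets (Ethernet header already stripped). A non-empty result marks a packet that the mitigations in Cisco's "Applied Intelligence Response" documents are meant to stop; the inspector only reports the conditions and does not try to judge whether a given IOS release is vulnerable.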

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: January 24, 2007

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS07-003

Bulletin Information:

=====================

* MS07-003

- http://www.microsoft.com/technet/security/bulletin/ms07-003.mspx

- Reason for Revision: Bulletin updated to add "You receive an error message "Microsoft Office Outlook has encountered a problem and needs to close. We are sorry for the inconvenience." when you use Microsoft CRM client for Microsoft Outlook (931270)" under "What are the known issues that customers may experience when they install this security update?" in the "Frequently Asked Questions (FAQ) Related to This Security Update" section.

- Originally posted: January 9, 2007

- Updated: January 24, 2007

- Bulletin Severity Rating: Critical

- Version: 1.1

********************************************************************


Published: 2007-01-23,
Last Updated: 2007-01-24 15:24:12 UTC
by William Stearns (Version: 3)
Apple has provided a fix for a buffer overflow vulnerability in RTSP URLs. The fix is available for: "QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000".

For Windows users: The patch is only provided for OS X. As a Windows user, your best bet is to uninstall QuickTime and, if you still need it, download the newest version from Apple later. You can find it by clicking the "QuickTime" tab on Apple's home page (www.apple.com) and following the download links. It's not clear if the version that is available right now is vulnerable or not, but it does not appear to have been updated recently.

Many thanks to Juha-Matti for bringing this up.
    
Reader Chris writes in to give us these steps:
- Install Apple Software Update from the QuickTime package if you haven't already
- Start Apple Software Update - Update to ASU 1.0.2
- Check or uncheck the updates you want
- Select "Download Only" from the Tools menu
- Select "Open Downloaded Updates Folder" from the Tools menu
I haven't tested this, *Because I have no Windows Machines*, so we would appreciate some feedback!!

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc.

Completely shameless plug on my part, but what can I say?

New Comic Weblog Updates Page

Posted by Chris Mosby on January 23rd, 2007

In an effort to fill the void that was left when the Comic Weblog Updates page stopped working I made something similar here. This page doesn’t go as far back as the other page did, but it will update properly.

The difference with my new page is that you don’t have to sign up with Blo.gs, or anything like that.

People that want to have their blog added to the list can e-mail weblogs@talesfromthelongbox.com with the subject of “Please add my Blog to
the Comic Weblog Page
”, and send me their info. I will take care of the rest. In the meantime I will try to add popular blogs on my own.

I hope everyone finds this useful.  Thanks for coming by!

Update: Since the feed script will show multiple posts for a blog, I went and added code to show the title of the post that was updated. This should cut down on any confusion, and that way you can pick which post to read.


Tales from the Longbox » Blog Archive » New Comic Weblog Updates Page.

“Storm Trojan” Outbreak – A Spam-centric View

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

Figure 1. Top 10 malware caught by Symantec Brightmail AntiSpam

One of the things that leaps out from this pie chart is that Peacomm has already run past the mass-mailing “happy new year” worm (W32.Mixor.Q@mm) despite getting a much later start in the period. The actual number of Peacomm spam is even higher because the majority of messages detected as Trojan.Packed.8 are a result of Peacomm spam as well. Trojan.Packed.8 was a heuristic detection that initially triggered on Peacomm when it was released, but due to the increase in Peacomm activity it was split out into its own detection to allow it to be tracked more easily.

In the above graph (Fig. 1), W32.Mixor.Q@mm comes second after Peacomm in the amount of email detected. Because it is a mass-mailer, Mixor.Q is generating this email directly, unlike Peacomm which is being spammed out. However, there is a link between the two malware. While the first sample of Mixor.Q did not contain Peacomm, it did contain a simple downloader executable. Later samples of Mixor.Q were slightly modified to embed Peacomm, with Mixor simply dropping the executable and running it. It is highly likely that there is a direct correlation between the number of Mixor infections and the later rise of Peacomm, considering that Mixor dropped Peacomm as a payload.

A logical assumption would be that Mixor sent out Peacomm itself, but upon close analysis of a number of Mixor samples, this is not the case. Mixor merely drops Peacomm; so, we believe Peacomm was manually spammed out and the likely chain of events is as follows:

1. Mixor is embedded with Peacomm
2. Mixor self-replicates and infects a large number of hosts
3. Mixor drops Peacomm onto the infected system
4. Peacomm downloads other .exe files including spam proxies, mail harvesters, and self-updaters
5. The spam proxies are used to send spam: “game1.exe” spams out text stocks, and “game0.exe” (copied as taskdir.exe) spams out image-based stocks

One thing to note is that to date we have not seen any Peacomm-infected hosts instructed to send out emails with Peacomm attached in order to propagate Peacomm; these infected hosts are only sending out spam.


Figure 2. Malware per day as caught by Symantec Brightmail AntiSpam

This chart displays the amount of malware caught by our antispam solutions on a daily basis. The first bump is again due to Mixor.Q, which used social-engineering to persuade victims to open up a nasty New Year’s e-greeting card, while the second and more pronounced spike is due to Peacomm hitting the scene. If you have a hard time reading the numbers (they may be a little small), the spike on 2007-1-19 for Peacomm nearly struck the 13 million spam messages mark!

The Peacomm spam is changing form and is now sending out image-based spam that continues to advertise penny stocks. (Fig. 3) The image spam is being sent out at a slightly slower rate, but is still continuous. There are also new spam samples with “romantic” subjects, but these are being easily caught by Symantec Brightmail AntiSpam traps.

Figure 3. Peacomm image-based spam

As for the malware samples, new executables continue to be downloaded and run to send new image-based spam. New malware variants are still being detected; however, the rootkit in the latest samples is the same one used in the previous version.

In regard to operating systems affected, both the non-rootkit sample and the rootkit sample fail to install on Vista with UAC turned on. If a user explicitly right-clicks on the malicious file and clicks "Run as Administrator", then the threat will install the wincom32 driver file and registry entries, but the threat will fail to actually run. However, the restriction in the code that prevented it from executing on Windows 2003 has now been removed.

Symantec Security Response will continue to monitor this threat closely and release any new information or protection updates as new findings come to light.

Posted by Security Response Alert on January 23, 2007 01:30 PM
Symantec Security Response Weblog: "Storm Trojan" Outbreak - A Spam-centric View

Strat Strikes Again!!!

January 23rd, 2007 by Trend Micro

As of this writing we are currently receiving samples that indicate another Stration hit. The samples have already been submitted for the creation of an appropriate Trend solution. We will update you on the detection name and pattern release as soon as possible. So far we have received files with the following MD5 hashes:



  • a5e2e7d1583027c9fdd78cc66659dbec
  • eccb8d8172b0ac71b9b8c2b3900b3777
  • 6547253301da861b54a8fbcafd311ab1
  • 9e6efc163477f8346224b165ff01556b

More details to follow. We’ll keep you posted once a solution has been sent out.


Update (Jasper Pimentel, Tue, 23 Jan 2007 01:54:17 PM)


This malware (which Trend detects as TROJ_STRAT.CJ) arrives as an attachment in an email message that announces to the user that (s)he has received a postcard. The email details are as follows.


The detection pattern for TROJ_STRAT.CJ will be available in OPR 4.209.00.

Strat Strikes Again!!! -  TrendLabs | Anti-Malware Blog - by Trend Micro.

“Storm” trojan, an evolution in progress

It’s been a few days since our last post on the subject of Downloader-BAI, and the massive seeding is still continuing with dozens of new variants each day.

The first interesting bit in this event is watching the authors of this malware cobbling separate pieces together. Some time this weekend, this Downloader trojan was being found in the droppings of a mass mailer, W32/Nuwar@MM, which had previously been tied to a couple of other Downloader trojan families. So now, being tied with a mass-mailer as well as a mass seeding, this trojan has become more self-sustaining in its distribution. It’s unlikely, at this point, that this will be dying down completely any time soon.

Another thing that’s particularly notable, from a technical perspective, is that this collection of trojans is coordinating itself by way of a peer to peer network. This is something we’ve been seeing malware authors playing with more and more lately, with this one arguably being the most successful. W32/Nugache and the “Phatbot” variant of W32/Gaobot both attempted coordinating by P2P through Gnutella cache servers, but they were very limited in the number of bots that could be in a given botnet. Malware authors seem to understand that having any single point of failure means that at some point, they will in fact fail and have to rebuild their botnet. By having a “headless” botnet, they can self-heal more effectively.

Most notable of all with this event, with Downloader-BAI and Nuwar, is the social engineering tactics being used in this seeding. W32/Nuwar gained quite a bit of notoriety during the holidays, for its variety of holiday-specific subject lines. Now Downloader-BAI is being seeded with a list of subject lines, the majority of which are intended to ruffle feathers or cause concern in certain specific countries, for example:

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • 230 dead as storm batters Europe.
  • Radical Muslim drinking enemies’ blood.
  • Sadam Hussein alive!
  • Russian missle shot down USA satellite
  • Russian missle shot down Chinese aircraft
  • Sadam Hussein safe and sound!
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  • Hugo Chavez dead.
  • Fidel Castro dead.
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  • Venezuelan leader: “Let’s the War Begin”.

Personally, I find messages making outlandish claims something to be deleted without further ado. (Especially those messages that have file-attachments, and whose spelling is rather suspect) But for some reason this tactic is still proving successful. None of these techniques are particularly new or innovative, and if one were employing basic security measures this could be avoided. But due to the combination of huge numbers of new variants and social engineering tactics, it’s working for these miscreants.


Computer Security Research - McAfee Avert Labs Blog.

Trojan.Peacomm Part 2 – The Botnet Evolves

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

Figure 1. IPs originating activity - UDP port 7871

More interestingly, the new version of the threat has fully fledged rootkit capabilities, albeit not very sophisticated. It would appear that the malware writers were in a rush to get the new version out as quickly as possible and some functionality of the rootkit has not been implemented correctly.

It is now capable of hiding several files and registry keys by hooking several kernel functions and patching the tcpip.sys system driver to hide its ports from commands, such as netstat -o or netstat -b. However, due to some mistakes in the rootkit code, running netstat -an lets you see ports 7871 or 4000 open and waiting for connections. It is also important to note that a personal firewall will also notify you of the process services.exe trying to make connections on these ports. Furthermore, the rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again.

There is also code in the threat that will prevent it from executing if it detects the machine is running Windows 2003. We presume the malware writers didn’t have time to test it on this operating system. The rootkit driver is not free of bugs either, and in some cases it causes the system to crash and reboot.

So, what is the purpose of all this renewed activity, you ask? The primary goal is to create a botnet that sends tons and tons of penny stock spam (but because the botnet can be controlled by its owners, we may see changes in functionality). During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped. We are speculating that the task of sending the junk email is then passed on to another member of the botnet. My colleagues in the antispam team are seeing greater activity, too. Of course, users of Symantec’s Brightmail are also protected from this latest spam run.


Figure 2. Sample of Peacomm spam email

The good news is that, just the same as yesterday, Symantec customers remain protected by our detection and remediation technology present in the latest, up-to-date versions of our products.

Symantec Security Response Weblog: Trojan.Peacomm Part 2 - The Botnet Evolves.
Here is a good example of how futile blocking e-mail subject lines is as a way to block out viruses. One little change and the virus will get right on through. Blocking .exe files is the only smart thing to do.
Stormy Love Posted by Patrik @ 20:00 GMT

This evening a new wave of the Stormy worm has been widely spammed. The subjects used in the e-mails have now changed from news-related events to love-related topics as you can see from the screenshot and the list of subjects below.

Stormy Love

A list of subjects we've seen so far include:


A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I'll Be There
Back Together
Breakfast in Bed Coupon
Can't Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can't Function
I Dream of You
I Think of You
Internet Love
It's Your Move


Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul


The Love Bugs
This Day Forward
This Feeling
Till Morning's Light
Till Morninig's Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We're a Perfect Fit
Wild Nights
Will you?
When I'm With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait

Thanks to Diego who notified us and told us that this list looks very similar to the list of Romantic Cards over at 2000greetings.com and indeed it does.

The list of files is much shorter:

Greeting Postcard.exe
postcard.exe
greeting card.exe
Flash Postcard.exe
flash postcard.exe

We now detect this as Email-Worm.Win32.Zhelatin.a.

Note: For those of you who aren't already filtering EXE's in the e-mail gateway – do it now!

F-Secure : News from the Lab - January of 2007.

Looks like the Common Malware Enumeration now has an ID for the threat we have been watching today.  Here is the info

CME-711
Aladdin: Win32.Small.dam
Authentium: W32/Downloader.AYDY
AVIRA: TR/Dldr.Small.DBX
CA: Win32/Tibs!generic
ClamAV: Trojan.Downloader-647
ESET: Win32/Fuclip.A
Fortinet: W32/Small.DAM!tr
F-Secure: Small.DAM
Grisoft: Downloader.Tibs
Kaspersky: Trojan-Downloader.Win32.Small.dam
McAfee: Downloader-BAI
Microsoft: W32/Vxidl.gen!B
Norman: W32/Tibs.gen12
Panda: Trj/Alanchum.NX
Sophos: Mal/EncPk-B
Symantec: Trojan.Peacomm
Trend Micro: TROJ_SMALL.EDW

CME-711 is a Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines which downloads additional security threats.



Been a while since we have seen one grow this fast.

Name: Trojan.Peacomm

Category: 3

Virus Definitions: January 19, 2007

Type: Trojan Horse

Aliases: CME-711 [Common Malware Enumeration], TROJ_SMALL.EDW [Trend Micro], Small.DAM [F-Secure], Downloader-BAI [McAfee], Troj/Dorf-Fam [Sophos]

Due to increased number of submissions, Symantec Security Response has increased Trojan.Peacomm to a category 3 threat.

 

----------

For additional information, visit our website at http://securityresponse.symantec.com

Storm Worm starts to use Rootkit techniques Posted by Kimmo @ 21:45 GMT

The weekend has been very busy with Storm Worm. We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections. F-Secure BlackLight is able to detect the hidden files.

Storm Worm Rootkit

These variants are now detected as W32/Stormy.AB and Trojan-Downloader.Win32.Agent.bet.

F-Secure : News from the Lab - January of 2007.

Trojan Hitches a Ride on Hot News

January 22nd, 2007 by Kathryn Cheng

Barely a day since a storm carrying 200 kph winds lashed over Europe, a spammed Trojan already claims to have this story in full details. This Trojan hitches a ride on email messages with subjects carrying the latest news. An example of the said spammed mail has the subject “230 dead as storm batters Europe”. Other subjects can be any of the following:

  • A killer at 11, he’s free at 21 and kill again!

  • British Muslims Genocide

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel

The spam mail lures its recipients into opening its attachment by using file names such as full Clip.exe, full Story.exe, full Video.exe, and read More.exe.

This Trojan, detected by Trend Micro as TROJ_SMALL.EDW, is currently in the wild and raising infection counts in Japan. It downloads other possibly malicious files from certain Web sites. Trend Micro advises users to refrain from opening unsolicited email messages.

Update (Roberto Tayag, Sun, 21 Jan 2007 12:43:35 PM)

We have seen bursts of emails from this trojan as well as updates to the malware itself and its emails. Our own honeypot has already received 29,000++ samples of this trojan. We have received reports that this particular sample is creating a P2P botnet. We are now confirming this one as of writing. We will update you as soon as possible.




Update (Sheryll Tiauzon, Mon, 22 Jan 2007 09:29:05 AM)

Well this malware has certainly stirred up quite a storm these past few days. It is worth mentioning that this file is actually the file dropped by WORM_NUWAR.CQ. It then in turn drops a file wincom32.sys and registers itself as a service to enable automatic execution at system startup. The file wincom32.sys actually possesses rootkit capabilities which permits certain files and processes to remain hidden though not entirely impossible to detect.

Aside from the reports that it also tries to establish a peer-to-peer connection, below is an updated list of email subjects and email attachments used by the malware.

Subject: (any of the ff.)

  • 230 dead as storm batters Europe.

  • A killer at 11, he’s free at 21 and kill again!

  • British Muslims Genocide

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel

Attachment: (any of the ff.)

  • Full Clip.exe

  • Full Story.exe

  • Full Video.exe

  • Read More.exe

  • Video.exe

Here’s a sample of the email:




To help protect against this threat it would be advisable to block email attachments with executable files. Also block access to the following URLs:

  • http://69.50.166.234/cp/rule.php

  • http://81.177.3.169/dir/game1.exe

  • http://81.177.3.169/dir/game2.exe

  • http://81.177.3.169/dir/game3.exe

  • http://81.177.3.169/dir/game4.exe

  • http://81.177.3.169/dir/game5.exe

  • http://81.177.26.27/cp/rule.php

  • http://205.209.179.112/cp/rule.php

  • http://209.123.8.198/cp/rule.php

  • http://217.107.217.187/game0.exe

  • http://217.107.217.187/cp/rule.php

  • http://217.107.217.187/sp/post.php
Trojan Hitches a Ride on Hot News -  TrendLabs | Anti-Malware Blog - by Trend Micro.

Trojan.Peacomm: Building a Peer-to-Peer Botnet

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as Trojan.Packed.8. Today's LiveUpdate definitions detect it as Trojan.Peacomm. Users of Symantec’s Brightmail Anti-Spam are also protected from this spam email.

The executable drops a system driver (wincom32.sys, also detected as Trojan.Peacomm), which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique similar to Rustock (see Mimi Hoang’s blog and Elia Florio’s blog). However, in spite of its name, wincom32.sys driver is not a "real" rootkit as it does not hide its presence or its registry keys in the system.

Once the computer is infected, Trojan.Peacomm attempts to establish peer-to-peer communication on UDP port 4000 with a small list of IP addresses, in order to download and execute more malicious files. If you use a personal firewall with egress filtering, you will be notified that the services.exe process is attempting to connect to a remote address on this port. Symantec’s Threat Management System shows a spike in traffic for UDP port 4000:

[Figure: Threat Management System traffic, UDP port 4000]

When it manages to connect to any of these initial IP addresses, it receives a list of additional IP addresses of infected machines and adds them to its list of available peers, building up a distributed network to aid in the download of more malware. The Trojan also keeps a "blacklist" of unsuitable peers. Part of this encrypted P2P configuration is stored in a file peers.ini stored in the %System% folder.

Currently the malware being downloaded is as follows:

game0.exe: A downloader + rootkit component – detected as Trojan.Abwiz.F
game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine – detected as W32.Mixor.Q@mm
game2.exe: Mail Harvester which gathers mail addresses on the machine and posts them as 1.JPG to a remote server – detected as W32.Mixor.Q@mm
game3.exe: W32.Mixor.Q@mm
game4.exe: It contacts a C&C server to download some configuration file – detected as W32.Mixor.Q@mm

From a malware writer’s point of view, this strategy of using peer-to-peer communication presents clear advantages over the traditional botnet method of one (or a few) Command & Control server(s). First and foremost, it minimizes the chances of losing the botnet if you "cut the head" by bringing down the C&C server or redirecting the traffic. It also helps spread the load that such downloads would impose on a single server.

You are advised to update your products to the latest available security updates from Symantec. We also recommend following the safe computing practices and exercising caution when opening emails.

Posted by Amado Hidalgo on January 19, 2007 10:00 AM
Symantec Security Response Weblog: Trojan.Peacomm: Building a Peer-to-Peer Botnet.

Downloader-BAI seeding

Overnight we’ve seen a rash of new variants of Downloader-BAI being seeded.  Within a few hours time, over 20 new variants have been released.

This trojan can choose from the following list of subjects:

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • Naked teens attack home director
  • A killer at 11, he’s free at 21 and kill again!
  • British Muslims Genocide
  • 230 dead as storm batters Europe

and the following attachment names:

  • Read More.exe
  • Full Clip.exe
  • Full Story.exe
  • Video.exe

The large number of variants underscores a topic that’s been discussed much lately - The biggest trend in malware is a sort of buck-shot approach.  Create a very large number of different variants in a short span of time, hoping to gain at least a few extra hours in which to be undetected by at least some traditional AV scanners.  This reminds us again of the need to have a multi-layered defense.  Even something as simple as filtering EXE files at the gateway would have made this seeding event a non-issue.


Computer Security Research - McAfee Avert Labs Blog.
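The gateway-filtering remark in the McAfee post above, as an added example that is not McAfee's code: a small Python check over a constructed MIME message that drops attachments by executable extension, by the lure filenames listed in the post, and by an MZ header hidden behind a non-executable name. The message, the extension list and the attachment payloads are constructed for the example.

```python
import email
from email import policy

# Assumed gateway policy: extensions blocked outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}

# Attachment names from the seeding run described in the post above.
KNOWN_LURE_NAMES = {"read more.exe", "full clip.exe", "full story.exe", "video.exe"}

# Constructed sample message; the base64 payloads are a bare "MZ" header, not malware.
SAMPLE_MSG = b"""\
Subject: 230 dead as storm batters Europe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Full Clip.exe"
Content-Disposition: attachment; filename="Full Clip.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: video/x-msvideo; name="clip.avi"
Content-Disposition: attachment; filename="clip.avi"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

def executable_attachments(raw_message):
    """Return [(filename, reason)] for attachments the gateway should drop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, nothing to check
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        body = part.get_payload(decode=True) or b""
        if name.lower() in KNOWN_LURE_NAMES:
            hits.append((name, "known lure filename"))
        elif ext in BLOCKED_EXTENSIONS:
            hits.append((name, "executable extension"))
        elif body.startswith(b"MZ"):  # PE file renamed to look like media
            hits.append((name, "PE header behind non-executable name"))
    return hits
```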

Another trojan run by the Storm Worm gang Posted by Mikko @ 07:29 GMT

We got a repeat of what happened last night – but with a modified version of the trojan and fresh news items in the subject field.

This time the subjects in the mails are:

  Russian missle shot down Chinese satellite
  Russian missle shot down USA aircraft
  Russian missle shot down USA satellite
  Chinese missile shot down USA aircraft
  Chinese missile shot down USA satellite
  Sadam Hussein alive!
  Sadam Hussein safe and sound!
  Radical Muslim drinking enemies' blood.
  U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  Venezuelan leader: "Let's the War beginning".
  Fidel Castro dead.
  Hugo Chavez dead.

And the attachment names are:

  Video.exe
  Full Video.exe
  Read More.exe
  Full Text.exe
  Full Clip.exe

When run, this malware creates a peer-to-peer botnet via port 7871/UDP or 4000/UDP.

We detect this as Trojan-Downloader.Win32.Agent.bet.

Update on Saturday: A few hours later, there was another run with new and modified variants. Mostly the same Subject fields, with the addition of:

  President of Russia Putin dead
  Third World War just have started!
  The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  First Nuclear Act of Terrorism!

Update on Sunday: Another run. This time with a different theme included in the subjects:

  So in Love
  Happy World Religion Day!
  Most Beautiful Girl
  Someone at Last
  I Believe
  The Dance of Love
  The Miracle of Love
  All For You
  Vacation Love
  I am Complete
  Wrapped Up
  Moonlit Waterfall
  A Little (sex) Card
  A Special Kiss
  Hugging My Pillow
  Safe and Sound
  You're Soo kissable
  A Romantic Place
  Breakfast in Bed Coupon
  For You
  I Love You So
  Safe and Sound
  Want to Meet?
  We Are Different
  We Have Walked
  You Asked Me Why

New filenames include Flash Postcard.exe.

Detection for these is in our update 2007-01-21_04.

F-Secure : News from the Lab - January of 2007.
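The egress-filtering observation in the Symantec post above (services.exe reaching out on UDP 4000) and the 4000/UDP and 7871/UDP ports noted in the F-Secure post, as an added detection example that is not code from either vendor: it scans constructed personal-firewall log lines and reports the remote peers that services.exe contacted over UDP on those ports. The log line format and the addresses are assumed.

```python
import re
from collections import defaultdict

# UDP ports of the Peacomm/Storm peer-to-peer overlay, as reported on this page.
P2P_PORTS = {4000, 7871}

# Assumed (constructed) firewall log format:
# <date> <time> <action> proto=<udp|tcp> proc=<image path> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) proto=(?P<proto>\w+) proc=(?P<proc>\S+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2007-01-19 10:01:02 ALLOW proto=udp proc=C:\\WINDOWS\\system32\\services.exe src=192.0.2.10:1034 dst=198.51.100.7:4000
2007-01-19 10:01:03 ALLOW proto=udp proc=C:\\WINDOWS\\system32\\services.exe src=192.0.2.10:1034 dst=198.51.100.8:4000
2007-01-19 10:01:04 ALLOW proto=udp proc=C:\\WINDOWS\\system32\\services.exe src=192.0.2.10:1034 dst=198.51.100.7:4000
2007-01-19 10:01:05 ALLOW proto=udp proc=C:\\Games\\game0.exe src=192.0.2.10:2222 dst=198.51.100.9:4000
2007-01-19 10:01:06 ALLOW proto=tcp proc=C:\\WINDOWS\\system32\\services.exe src=192.0.2.10:1040 dst=192.0.2.1:445
2007-01-19 10:01:07 ALLOW proto=udp proc=C:\\WINDOWS\\system32\\services.exe src=192.0.2.10:1034 dst=198.51.100.20:7871
"""

def find_p2p_peers(log_text):
    """Return {remote_ip: count} for outbound UDP from services.exe to a P2P port.

    services.exe normally has no business initiating UDP sessions to Internet
    hosts, so any hit here is worth a closer look at the sending machine.
    """
    peers = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed format
        image = m.group("proc").rsplit("\\", 1)[-1].lower()
        if image != "services.exe" or m.group("proto").lower() != "udp":
            continue
        if int(m.group("dport")) in P2P_PORTS:
            peers[m.group("dip")] += 1
    return dict(peers)
```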
Storm-Worm Small.DAM Spread Quickly Posted by Jusu @ 09:53 GMT

The Small.DAM (Storm-Worm) we posted on earlier spread very fast during the night, Helsinki time. The heavy seeding through spam was quickly obvious on our tracking screens. The worm was spread throughout the world very rapidly.

Here is some footage of the worm's spread to share with our readers:

WorldMap Video

The video is encoded with XViD (4651k).

Also available via YouTube.

F-Secure : News from the Lab - January of 2007.

Small.DAM spammed around Posted by Francis @ 04:48 GMT

This morning we have been witnessing activities of Small.DAM being spammed.

Here are the possible subjects headings:

230 dead as storm batters Europe.
A killer at 11, he's free at 21 and...
British Muslims Genocide
Naked teens attack home director.
U.S. Secretary of State Condoleezza...

The "Storm in Europe" title is particularly timely, as there really is a storm in Europe at the moment and dozens of people have died.

Attachments may be of the following filenames:

Full Clip.exe
Full Story.exe
Read More.exe
Video.exe

The detection for Small.DAM was already included in our database update 2007-01-15_01.

F-Secure : News from the Lab - January of 2007.


Russians attempting the $1 scam


 “Give me $1 to unsubscribe”

That’s basically what the latest Russian spam says.  Let me get one thing straight for anyone that’s not had their coffee yet. Never pay spammers, ever. All the smart spammers have suckers lists. You have been warned! Etc Etc…

International spam has been a growing problem for a long time and with a world-wide network of spam traps, we see (and deal with) a lot of local spam. This rather interesting specimen group landed in the lap of a researcher this afternoon because it was a little out of the ordinary.

Andrey Slabosnickiy from Rostov-on-Don was insightful enough to invite one of our international spam-traps to unsubscribe from his general database for a buck. 

Take a look at the original

[image: the original Russian spam message]

and our English translation.

[image: our English translation of the message]

By providing many ways to make the unsubscribe payment (Web Money, Yandex, SMS, or Money@Mail.ru) Andrey will be leaving quite a money trail for the local authorities to follow should they wish to do so, though I doubt they will given the state of local anti-spam laws. Shame, we’d be happy to help ;-)

Computer Security Research - McAfee Avert Labs Blog.


Published: 2007-01-19,
Last Updated: 2007-01-19 13:40:37 UTC
by Johannes Ullrich (Version: 1)
I just received an e-mail with the subject "230 dead as storm batters Europe".  It includes an attachment "Video.exe".  While I haven't analyzed it yet, it's probably safe to assume that this is not a video.  Nothing new to have a disaster followed up by a simple e-mail virus claiming to be a video of the event.  However, this one came a bit faster than normal it seems. The storm is still blowing. At least, give our handler Swa some time to fix his roof. (and just as I typed this, Kenneth sent in a second version.  Same subject but a different name for the executable)

As for most current and relevant threats, anti-virus coverage is poor. The current summary from Virustotal:

Antivirus Version Update Result
AntiVir 7.3.0.26 01.18.2007 no virus found
Authentium 4.93.8 01.19.2007 W32/Downloader.AYDY
Avast 4.7.936.0 01.18.2007 no virus found
AVG 386 01.18.2007 no virus found
BitDefender 7.2 01.19.2007 MemScan:Trojan.Agent.AHS
CAT-QuickHeal 9.00 01.17.2007 no virus found
ClamAV devel-20060426 01.19.2007 Trojan.Downloader-647
DrWeb 4.33 01.18.2007 no virus found
eSafe 7.0.14.0 01.19.2007 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.117 01.19.2007 no virus found
eTrust-Vet 30.3.3334 01.18.2007 no virus found
Ewido 4.0 01.18.2007 no virus found
Fortinet 2.82.0.0 01.19.2007 no virus found
F-Prot 3.16f 01.19.2007 security risk named W32/Downloader.AYDY
F-Prot4 4.2.1.29 01.19.2007 W32/Downloader.AYDY
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.19.2007 Trojan-Downloader.Win32.Small.dam
McAfee 4942 01.18.2007 no virus found