February 2007 - Posts


of the growing number of threats that ride on the rising popularity of digital media and file sharing over the Internet, joining TROJ_ZLOB, among others.

However, TSPY_DENUTARO, like any other persistent threat today, is changing. New variants discovered over the last few days now pretend to be screensaver files. One of these variants is TSPY_DENUTARO.DM. Notably, the file size is reduced considerably (though still much bigger than most threats), and they now use the WinZIP icon.

Nevertheless, once executed on a system, these new variants perform the original family routine: they take a screenshot of the system and, along with the system’s hostname and IP address, upload it to a certain FTP site.

New variants even continue a family tradition: they delete image, video, and archive files, and then, using the file names of the deleted files, drop screenshots of Japanese anime with subtitles that seem to attack the illegal use of P2P sites, no matter how ironic that sounds. Images dropped by older variants have said “Are you enjoying committing illegal activities through P2P? If you don’t stop that, I will kill you.” The new variants’ images now say “So, you are still using Winny even after {the creator} lost in his case. I hate you guys.”

This is in reference to the recent conviction of the creator of Winny, the most popular P2P application in Japan, for allegedly conspiring to commit copyright violation (arising from the earlier arrest of two Winny users who allegedly shared copyrighted material). The creator got overwhelming support from the computing community in Japan when he was arrested, calling the arrest wrongful.

Apparently, the authors of TSPY_DENUTARO share the same sentiment. Whether this supports the Winny creator’s plea for innocence or further incriminates him, is not clear.

Source: Movie Files Then, Screensavers Now - TrendLabs | Anti-Malware Blog - by Trend Micro


Posted by Mikko @ 15:46 GMT

We have two reports of people receiving links to a Warezov-infected file via Skype.

Now, some older Warezov variants have used other Instant Messaging clients in a similar fashion, but not Skype.

The messages looked like this:


We detect the binary at that download location as Warezov.ly.

Source: F-Secure : News from the Lab - February of 2007

 Now THIS is funny!

Malware writer got infected!

Monday February 26, 2007 at 1:22 pm CST
Posted by Pedro Bueno


It is funny to pick on malware writers…I like it… :) This time I would like to recommend that they use anti-virus as well, otherwise they can also be infected ! :)

There is no honor among malware writers and we know that. Today I was looking at a file downloaded by what was looking like a common PWS-Banker.dldr (a downloader for Password Stealer Bankers). While doing some analysis on the file, another virus detection came out: W32/Gael.worm.a. This one is a parasitic virus. This made it a bit more suspicious because it is not common to see a PWS-Banker downloader downloading a parasitic virus (really different skills). So, I attempted to clean it to try to make things a bit more clear. I cleaned the file and BINGO! :) another file came out, detected as PWS-Banker.gen.q ! :) Which means that the malware created/bought by the malware writer was infected or he/she got infected before posting the file on the site to be downloaded… :) . Yeah, my job is tooo funny! :)

Source: Computer Security Research - McAfee Avert Labs Blog


New MySpace Nasty
Posted by Mikko @ 15:34 GMT

There's something new spreading on MySpace.

It ends up modifying existing profiles, overlaying the content with a message like this:


If you follow the link, you'll end up with a download. This is a Zlob variant.

We haven't finished our analysis on this, but apparently when run it tries to modify your MySpace page to include a code snippet that is responsible for the malicious download link.


Source: F-Secure : News from the Lab - February of 2007


Flaw found in Office 2007

By Dawn Kawamoto, CNET News.com
Published on ZDNet News: February 23, 2007, 1:17 PM PT

Researchers have discovered a "highly critical" security flaw in newly released Office 2007, despite Microsoft's efforts to deliver its most secure version yet of the productivity software.

The consumer version of Office 2007, which launched only four weeks ago, is designed to withstand higher scrutiny by malicious code writers, as Microsoft subjected the software to code auditors as part of its security development lifecycle.

But researchers at eEye Digital Security found a file format vulnerability in Microsoft Office Publisher 2007, which could be exploited to let an outsider run code on a compromised PC.

"We were surprised we could find a flaw so quickly (after Office 2007 launched) and one that was part of their core products," said Ross Brown, eEye's chief executive.

An attacker could create a malicious publisher file, he said. Once the recipient opens the file, he or she could find the system infected and susceptible to a remote attack.

Researchers at eEye used a standard process of code auditing in discovering the vulnerabilities, Brown added. He noted that Microsoft either did not do a "good job" with its code auditing, or it may not have had enough people working on such a task.

Microsoft, meanwhile, said it is investigating eEye's report of a possible vulnerability in Publisher 2007 and will provide users with additional guidance if necessary.

Executives at the software giant have recently said they expect security challenges to keep emerging, as an increasing number of devices connect to the Internet.

No public exploits have been reported in circulation for Publisher 2007 and, given Office 2007's recent release, the flaw may hold little attraction for attackers who may wish to concentrate on software that is in greater distribution, eEye said.

Source: Flaw found in Office 2007 | Tech News on ZDNet


Firefox released

Published: 2007-02-23,
Last Updated: 2007-02-23 20:13:43 UTC
by Jim Clausing (Version: 2)

The Mozilla folks have released the long-awaited version of Firefox. The second link below shows that 7 security issues were fixed. One is rated critical. Bugs fixed appear to include CVE-2007-1004, CVE-2007-0995, CVE-2007-0981, CVE-2007-0800, CVE-2007-0780, CVE-2007-0779, CVE-2007-0778, CVE-2007-0777, CVE-2007-0776, CVE-2007-0775, CVE-2007-0008, and CVE-2007-0009, among others. This also fixed the issue with the password manager that was exploited late last year, CVE-2006-6077. The bookmarklet vulnerability CVE-2007-1084 does NOT appear to have been addressed.
Release Notes: http://www.mozilla.com/en-US/firefox/
Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Title: Microsoft Security Bulletin Minor Revisions
Issued: February 23, 2007

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-010
* MS06-058

Bulletin Information:

* MS07-010

- http://www.microsoft.com/technet/security/bulletin/ms07-010.mspx
- Reason for Revision: Bulletin updated: "Frequently Asked Questions (FAQ) Related to This Security Update" section in "Executive Summary" for WSUS Windows Defender update process.
- Originally posted: February 13, 2007
- Updated: February 22, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS06-058

- http://www.microsoft.com/technet/security/bulletin/ms06-058.mspx
- Reason for Revision: Bulletin updated: Further investigation of CVE-2006-3877 as originally revealed that the update was not effective in removing the vulnerability from affected systems. Microsoft Security Bulletin MS07-015 has been issued to properly address CVE-2006-3877, and customers should apply the updates in this bulletin immediately.
- Originally posted: October 10, 2006
- Updated: February 21, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1



On the trail of Downloader-AAP

Thursday February 22, 2007 at 9:50 am CST
Posted by Vinoo Thomas


Downloader-AAP, a.k.a. Clagger, has been an active family of trojans that has been regularly spammed since May 2005. This trojan downloader provides an excellent case study of how a carefully thought out social engineering approach can deceive users into opening executable attachments in mail.

The Downloader-AAP trojan usually targets German computer users, who by now must be familiar with receiving spammed mails with executables named “Rechung.pdf.exe”, “Rakningen.exe” or “Empfangs.exe”. You would think most organizations would be blocking executables by extension at the email gateway or that people would be careful about running .EXE files. Out of morbid curiosity as to how successful the authors of Downloader-AAP are with their approach, I decided to follow the trojan’s trail back to the author.

Upon infection, the trojan does a WHOIS on the IP address of the infected machine and posts all cached passwords to a webserver hosted in Germany, with folders arranged according to the country’s domain name.

WebServer hosting stolen passwords

Apparently business is good!! There were around 95 countries in all, starting from .AE (UAE) to .ZW (Zambia). Pretty decent payback for plain social engineering, huh? Looking at the file folder for .DE (Germany), one can see many folders created for infections that occurred around the time the trojan was mass spammed to users.

Stolen German accounts

Each subfolder is created based on a unique hash value generated for every infected machine and contains text files with the stolen passwords. A sample text file with cached auto-complete passwords is as follows:

Stolen passwords

Given that there are thousands of folders and files, how do the authors look for interesting information? Apparently the authors are using bash scripts, and the favorite searches are for “bofa, citi, chaser, hsbc and nordea”. (No prizes for guessing the $$$Bank$$$ connection.)

The modus operandi of these criminals is to target vulnerable *nix machines on the internet running Apache. Once the server is compromised, they mass spam an undetected version of the trojan to thousands of email addresses, and any stolen passwords from infected users are posted to this server. Once the rogue server has been found out and taken offline, they find a new target and this vicious circle of crime continues.

The good news is we got root access to the server and were able to collect some incriminating evidence to pass on to the authorities. Hope to hear something soon from them.

Source: Computer Security Research - McAfee Avert Labs Blog


Credit Card Data Breaches
Posted by Sean @ 13:50 GMT

There's been quite a lot of news regarding TJX Companies and their data breach. The most recent news is that the amount of data stolen was greater than was earlier reported during January.

TJX is the parent company of Marshalls and TJMaxx (TKMaxx in Europe). The breach affects a great many people and their credit card numbers.

Some journalists from Sweden visited for an interview a few weeks ago. As more and more financial transactions are occurring online, Mikko was asked a question along the lines of: what can average consumers do to protect themselves from credit card fraud?

And the answer was in essence – Carefully read and review your billing statement.

Billing Statement

This is true whether you shop online or not. TJX operates "brick and mortar" stores. Yet, your credit card transactions exist on their network. Most business transactions are "online" today in one way or another.

So review and audit your statement each month. If you have access to it electronically then perhaps review it more often. If you see anything that you don't recognize – call your card issuer. We've sought information many times in the past (forgetful after long trips) and the people on the other end of the line were always very willing to assist.

Source: F-Secure : News from the Lab - February of 2007


New Web-based Email Worm Found

February 23rd, 2007 by Eric Avena

Trend Micro has received reports of a new worm spreading in the wild. This new worm, detected as WORM_ZHELATIN.CH, propagates via Web-based email messages. Some of the affected email service providers are the following:

  • AOL
  • Bellsouth
  • Care2
  • Comcast
  • EarthLink
  • FastMail
  • Gmail
  • Hotmail
  • Lycos
  • Outblaze
  • Rambler
  • Tiscali
  • Yahoo!

Users of these email service providers are advised to be wary of email messages from unexpected sources.

It is interesting to note that one of the affected email service providers is Rambler, one of the biggest Russian search engines and Web portals.

Trend Micro is conducting an in-depth analysis of this worm. More information will be posted shortly.

Update (02.23.2007):

Upon further analysis, this worm apparently connects to a certain URL in order to retrieve message details (or message templates), which it sends using the abovementioned Web-based email service providers.

It also drops TROJ_AGENT.JWE, a Trojan that is registered as a Layered Service Provider (LSP). This routine allows this worm to intercept and log network traffic before it redirects an affected user to an originally desired Web site. Apart from fully entrenching the dropped Trojan on the system, that is.

The Trend Micro URL Filtering Engine already blocks the malicious links related to this malware. However, users are still advised to avoid clicking on suspicious links even if they come from known and trusted sources.

Source: New Web-based Email Worm Found - TrendLabs | Anti-Malware Blog - by Trend Micro


Internet Explorer 7 "onunload" Event Spoofing Vulnerability

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes by malicious people.

Secunia Research has discovered a vulnerability in Internet Explorer 7, which can be exploited by a malicious website to spoof the address bar. The vulnerability is caused by an error in Internet Explorer 7's handling of "onunload" events, which enables a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar if, e.g., the user enters a new website manually in the address bar, which is commonly exercised as best practice.


Harry Waldron - Security News & Best Practices Blog

Source: IE 7 - New address bar spoofing vulnerability


'Pharming' attack hits 50 banks

By Jeremy Kirk, IDG News Service

Hackers made an extra effort with this one...

22 February 2007

An attack this week that targeted online customers of at least 50 financial institutions in the US, Europe and Asia-Pacific has been shut down, a security expert said Thursday.

The attack was notable for the extra effort put into it by the hackers, who constructed a separate look-alike Web site for each financial institution they targeted, said Henry Gonzalez, senior security researcher for Websense.

To be infected, a user had to be lured to a Web site that hosted malicious code exploiting a critical vulnerability revealed last year in Microsoft software, Websense said.

The vulnerability, for which Microsoft had issued a patch, is particularly dangerous since it requires a user merely to visit a Web site rigged with the malicious code.

Once lured to the Web site, an unpatched computer would download a Trojan horse in a file called "iexplorer.exe," which then downloads five additional files from a server in Russia. The Web sites displayed only an error message and recommended that the user shut off their firewall and antivirus software.

If a user with an infected PC then visited any of the targeted banking sites, they were redirected to a mock-up of the bank's Web site that collected their login credentials and transferred them to the Russian server, Gonzalez said. The user was then passed back to the legitimate site where they were already logged in, making the attack invisible.

The technique is known as a pharming attack. Like phishing attacks, pharming involves the creation of look-alike Web sites that fool people into giving away their personal information. But where phishing attacks encourage victims to click on links in spam messages to lure them to the look-alike site, pharming attacks direct the victim to the look-alike site even if they type the address of the real site into their browser.

"It takes a lot of work but is quite clever," Gonzalez said. "The job is well done."

The Web sites hosting the malicious code, which were located in Germany, Estonia and the UK, had been shut down by ISPs as of Thursday morning, along with the look-alike Web sites, Gonzalez said.

It was unclear how many people may have fallen victim to the attack, which went on for at least three days. Websense did not hear of people losing money from accounts, but "people don't like to make it public if it ever happens," Gonzalez said.

The attack also installed a "bot" on users' PCs, which gave the attacker remote control of the infected machine. Through reverse engineering and other techniques, Websense researchers were able to capture screenshots of the bot controller.

The controller also shows infection statistics. Websense said at least 1,000 machines were being infected per day, mostly in the US and Australia.

Source: Techworld.com - Security News - 'Pharming' attack hits 50 banks


Google Desktop Cross-Site Scripting Weakness

Google Desktop is prone to a cross-site scripting weakness because the application fails to properly sanitize user-supplied input.

Successful attacks must exploit this weakness in conjunction with a latent cross-site scripting vulnerability in the 'google.com' domain.

Attackers may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to access the contents of the Google Desktop search index or potentially to execute arbitrary code.

Source: Google Desktop Cross-Site Scripting Weakness

Hmmm, isn't this interesting....

Google Apps Premier Edition Takes Aim at the Enterprise

By John Pallatto
February 22, 2007

After months of testing, Google is ready to see whether businesses large and small are ready to pay to use its online suite of basic business applications, including spreadsheets, e-mail, word processing, calendars and instant messaging.

Google, which has steadily transformed itself from a search engine pioneer into a data access, Internet advertising and business application powerhouse, introduced on Feb. 22 its Google Apps Premier Edition at a cost of $50 per account per year.

The Premier Edition adds Google Docs and Spreadsheets; Gmail for mobile devices on BlackBerry; and application-level controls to Google Calendar, Gmail, Google Talk and Start Page applications that the company introduced as a free service starting in August 2006.

While the free applications were initially offered to serve small and midsize companies, the Premier Edition has collaboration and management features that will appeal to companies of all sizes, including large enterprises, said Dave Girouard, vice president and general manager of Google's enterprise group in Mountain View, Calif.

Google Docs and Spreadsheets allow multiple employees to work on the same document simultaneously and the applications keep track of all revisions and edits. The application-level control features allow administrators to set limits on how documents are shared inside and outside an organization.

Google is supporting the apps with a 99.9 percent uptime service-level agreement in which customers will receive credits for downtime. The company is also offering 10GB of storage per user, as well as application programming interfaces to enable data migration, user provisioning and single sign-on, along with mail gateways to allow businesses to customize their e-mail service.

These features are helping to draw interest from large organizations that "have a desire for choice," Girouard said. Google is seeing a "higher level of interest from big company CIOs than we would have expected at the start," he said.

Providing basic business applications, spreadsheets, word processing and e-mail as an online service "is a big opportunity in the market that nobody has taken advantage of yet," he said.

But Girouard denied that the Premier Edition is designed specifically to take market share away from Microsoft Office. Google doesn't believe that enterprise customers will "buy any less Microsoft products" because they decide to use Google Apps. Instead they expect that companies will use Google apps as a supplement to their Microsoft Office applications and to give employees who wouldn't normally have a copy of Microsoft Office on their desktops a chance to use the Google productivity applications online, Girouard said.

Surveys have shown that more than 40 percent of the work force isn't given access to e-mail by their employers, Girouard said. Google Apps could provide an inexpensive way for employers to provide e-mail access to workers in retail or in other industries where people are not normally linked to desktop workstations, he said.

But analysts said that the Premier Edition poses a long-term challenge to Microsoft, which has garnered huge revenues and profits from selling its Office package for hundreds of dollars a copy plus annual maintenance fees.

"This is the first time there is a compelling, low-cost, service-based alternative to Microsoft Office. And although Google isn't positioning this offering directly against Office, that's where it is headed," said Erica Driver, principal analyst with Forrester Research in Cambridge, Mass.

"Microsoft has a couple of years' opportunity to respond to this. But it is certainly an indicator of the direction in which Google is headed. And I fully expect [Google] to add more and more features and capabilities into this suite," Driver said.

In the next few years, said Driver, Google will focus on delivering this service to workers who wouldn't normally have access to Microsoft Office.

"But looking ahead a few years, I see this cutting into Microsoft's revenues and I also see it forcing Microsoft to consider alternative delivery mechanisms for its own products—most noticeably software as a service," she said.

Microsoft is definitely going to have to find a way to respond to the challenge posed by Google Apps over the next five years, said Jim Murphy, research director with AMR Research in Boston.

"It is the beginning of probably the most significant challenge we have seen to Microsoft on the desktop, enterprise or otherwise, in probably 10 years," when it was locked in competition with IBM over the Lotus desktop applications, Murphy said.

The introduction of Google Apps is "timely," he said, because enterprises will soon have to decide whether they will upgrade to the latest version of Microsoft Office.

Companies of all sizes will likely experiment with Google Apps before they decide whether to carry out the next Office upgrade. "At least it's going to interest CIOs, and they are going to look at it," Murphy said.

"In five years we'll see a more competitive environment" in the desktop applications market, Murphy said. Microsoft will at least have that much time to decide whether it can use its own experience with the Office Live applications to successfully shift into the software-as-a-service model, he said.

One company that decided to make the shift is Prudential Real Estate Affiliates, a Chicago-area franchise that employs 450 sales agents and support staff. The agency has been using Gmail for nearly a year in place of an outsourced e-mail service that performed so poorly that it had to be replaced, said Camden Daily, the group's technology director.

The agency had already worked with Google on the Google Earth and Maps projects, so it used its Google contacts to join the Gmail beta program. "We went ahead and switched, and basically everybody loved the interface ever since," he said.

Daily said he rarely gets complaints from users saying they can't access the Gmail service or are having trouble learning how to use it.

Using Gmail also saves Daily a lot of time and effort in software installation and maintenance. "We're a pretty big real estate company. But we only have a couple of people in our IT department," he said. Since all software updates and patches will be handled in Google's data center, "if a new update comes along, I'm not going to have to walk around and touch 50 machines to install it. I don't have to worry about patches, security problems," Daily said.

There is also a lot of interest among the agency staff in using the Google Calendar, he said. But the agency has been holding off until it finds the right synchronization utility for staffers who want to access the calendar with their BlackBerrys and other smart devices.

Source: Google Apps Premier Edition Takes Aim at the Enterprise


Kernel Malware
Posted by Kimmo @ 08:34 GMT

Last December, I blogged about the AVAR 2006 conference where I presented my paper on kernel malware. Finally, we are able to provide the material for our readers. Both the paper and slides are available in PDF format.

The paper – "Kernel Malware: The Attack from Within" – is about kernel malware, explaining what they are, how they work, and what makes their detection and removal challenging. It also looks at two interesting malware cases utilizing kernel-mode techniques to avoid detection and to bypass personal firewalls.

An important part of the paper was a statistical analysis run over a large sample set to investigate how the kernel malware trend has changed over the years. Details of the analysis can be found in the paper, but I thought it would be nice to also post the results here. Below, we have two graphs demonstrating the change in kernel malware trends from 2003 onwards.

Kernel Samples 720

The first graph shows how the number of kernel-mode driver samples has changed over the years. This data includes different variants of the same family. A more interesting graph is shown below, which illustrates the cumulative number of malware families utilizing kernel-mode components.

Kernel Families 720

From these two graphs we can easily see how the trend has changed dramatically at the end of the year 2004. This is mostly explained by the increased number of malware starting to use kernel-mode rootkits to hide their presence on the compromised system.

Today, kernel-mode rootkits are much more common than their user-mode counterparts. There are many reasons for this. Kernel-mode rootkits are more powerful and thus able to hide better. Documentation with examples and fully working source code is easily available – there are even books available that explain in detail how to write your own kernel-mode rootkit. Implementing a full-fledged user-mode rootkit is a complex task. It seems that for malware authors, it is much easier just to upgrade their user-mode malware with a cut-and-paste kernel-mode rootkit.

Signing Off,

Source: F-Secure : News from the Lab - February of 2007