Chris Mosby at myITforum.com

The peaceful worm…. not :(

Monday July 28, 2008 at 10:28 am CST
Posted by Paolo Palumbo

Trackback

When analyzing malware, it is not uncommon to stumble across one that wants to propagate some sort of message (I am sure everybody remembers W32/Voterai worm and its malicious political propaganda ;). Well, the W32/Agnub.worm certainly does not bring any novelty to this category of malware.

It is the kind of message that is infuriating and insulting. In fact, the W32/Agnub.worm claims to push for peace & love, and, after a successful infection, greets the victim at every boot of the machine with a “nice and poetic” text message:

It is rather sad to see this type of a messages from a malware that, among other things, deletes your files. In other words, not only does the victim get the damage, but they also get teased!!

The “best” part, if we can use this expression, can be found by scrolling down to the end of the “peaceful” message:

Maybe it’s better not to damage other people’s computers at all rather than apologizing later for having done it.

Fake Jetblue eTickets
Posted by Patrik @ 21:32 GMT | Comment (1)

The most common way a user gets infected these days is through drive-by downloads and while the prevalence of malicious email attachments definately has gone down we still see them on a dialy basis. Like today when we saw a large spam run sending out fake JetBlue etickets.

The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks. I guess we can call this way of spreading malware old school...

Thursday, July 31, 2008

Storm Worm's Lazy Summer Campaigns

The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we're used to seeing. These days they're not piggybacking on real news items, they're starting to come up with new ones.

Storm's latest "FBI vs Facebook" campaign is an example of very badly executed one, lacking their usual fast-flux, any kind of social engineering common sense,  as well as client side exploits next to centralizing all the participating domains on a single nameserver.

Domains used :
wapdailynews .com
smartnewsradio .com
bestvaluenews .com
toplessnewsradio .com
companynewsnetwork .com
goodnewsgames .com
marketgoodnews .com
fednewsworld .com
toplessdailynews .com
stocklownews .com

DNS servers :
NS.BRPRBGOK6 .COM
NS2.BRPRBGOK6 .COM
NS3.BRPRBGOK6 .COM 
NS4.BRPRBGOK6 .COM
NS5.BRPRBGOK6 .COM
NS6.BRPRBGOK6 .COM

Strangely, the domain has been registered using an email hosted on a known Storm fast-flux node used in the recent 4th of July campaign and the U.S's invasion of Iran :

Administrative Contact:
Lee Chung lee@likethisone1.com
+13205897845 fax:
1743, 34
Los-Angeles CA 321458
us

This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, and trying to obtain the rootkit from the now down, policy-studies.cn /getbackup.php using already known Storm nameservers :

ns2.verynicebank .com
ns3.verynicebank .com
ns.likethisone1 .com
ns2.likethisone1 .com
ns3.lollypopycandy .com
ns4.lollypopycandy .com

Someone's bored, definitely, making it look like it's almost someone else managing a Storm Worm campaign on behalf of them.

Acronis True Image Echo Server FTP AES Encryption Security Bypass

Secunia Advisory:
SA30856

Release Date:
2008-07-31

Critical:

Less critical

Impact:
Exposure of sensitive information

Where:
From remote

Solution Status:
Unpatched

Software:
Acronis True Image Echo Enterprise Server 9.x

What Is Undetectable Malware?

Friday July 25, 2008 at 4:08 pm CST
Posted by Allysa Myers

Trackback

OMG, undetectable Trojans are coming to get us! At least that’s what a story in The Register says, referring to Limbo 2.

Or else we’ve just found further evidence of the “AV software is for catching unknown threats” myth.

Malware authors selling “guaranteed undetected” Trojans is not news; it’s been happening since developing Trojans was first motivated by money. The Trojan authors test their creations against freely available AV scanners, and if it’s undetected at that moment, it qualifies as “undetected.” However, that doesn’t mean that they will always remain detected. Or that another type of security product won’t detect it, such as a firewall or network intrusion prevention system.

One amusing example of malware for sale included an end-user license agreement that promised violators would be reported to AV companies so your botnet could be dismantled.

But I digress.

The point is that “undetectable Trojans” implies that some novel method of storing the malware code on the system is being employed, such that security software (and likewise the operating system) is incapable of seeing it. Limbo 2 does no such thing. It’s a simple PWS-Banker Trojan as far as security software is concerned. I find it disappointing that a security company would describe it otherwise–that smacks of FUD to me.

In other news, this will be my last post for the Avert Labs blog. As of next week, I’ll be the Director of Research for West Coast Labs. Thank you all for reading and commenting on my posts throughout the years. Hearing your opinions has been the most entertaining part of being a blogger!

Jul29

Phishers Spoof ‘The Paypal Blog’

by Verna Sagum (Anti-spam Engineer)

Paypal has launched a blog, known as The Paypal Blog, a forum for Paypal employees who want to share their opinions and insights. It also welcomes feedback, suggestions and questions from customers. Unfortunately, phishers have also taken advantage on the popularity of this blog.

There is a spoofed article with title, Social Networking Comes to Paypal, as shown in Figure 1, that talks about giveaways or “FREE STUFF” for the first 100 customers to sign up on the provided spoofed login page located below the article (see Figure 2). It steals Paypal login user names and passwords of customers. To make the blog more convincing, it directs the users to the legitimate article Shop with Paypal at OfficeMax and American Eagle Outfitters, when users click on the text string full story in hyperlink form.

This new trick of social engineering can trap unknowing users since it also uses a genuine-looking type of phishing URL, which is thepaypaiblog.com. What’s worse is that it also uses the picture and identity of known Paypal employee, a technique that is considered as Digital Forgery. The phishing URL has already been blocked by Web Classify Server (URL Filtering Service).

Figure 1: Spoofed The Paypal Blog site

Tuesday, July 29, 2008

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking improving the monetization of what used to be commodity goods and services.

Today, a botnet will not only be sending out phishing emails, automatically SQL inject vulnerable sites across the web, but also, provide fast-flux infrastructure to money mule recruitment services, all of this for the sake of optimizing the efficiency provided by the botnet in general. This optimization makes it possible for a single botnet to be partitioned and access it it sold and resold so many times, that it would be hard to keep track of all the malicious activities it participates in. Cybercrime in between on multiple fronts using a single botnet is only starting to take place as concept.

That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

Murky until now? I can barely see anything around me due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.

The Storm Worm-ers themselves aren't sending out pharma spam, the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income based on a revenue-sharing affiliate program, a pharmacy affiliate program has been around for several years :

"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"

What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers whose job today is more of a campaign-rotation related in order to ensure new bots are added, what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.

Related posts:
Storm Worm Hosting Pharmaceutical Scams
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

AVG Anti-Virus UPX Processing Denial of Service

Secunia Advisory:
SA31290

Release Date:
2008-07-29

Critical:

Moderately critical

Impact:
DoS

Where:
From remote

Solution Status:
Vendor Patch

Software:
AVG Anti-Virus 8.x

Trend Micro OfficeScan Web-Deployment ObjRemoveCtrl Class Buffer Overflows

Secunia Advisory:
SA31277

Release Date:
2008-07-29

Critical:

Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Trend Micro OfficeScan Corporate Edition 7.x

Jul28

The ‘BailiWicked’ Problem

by Jovi Umawing (Technical Communications)

Advanced Threats Researcher Paul Ferguson, along with other security researchers, saw it coming. The code that can exploit a flaw in Domain Name System (DNS) servers—discovered and disclosed by Dan Kaminsky early this month—is confirmed to be in the wild.

Ferguson’s initial report of such a code (CNet News has also speculated about this), and the confirmation reported by The Register late last week finally put an end to the one question that troubled the security industry since Kaminsky’s discovery. These also justified the major security threat that most recipients of the news had initially dubbed as “shameless hype.” We now expect people to start taking this seriously.

The Kaminsky DNS-cache vulnerability allows hackers and phishers to redirect DNS queries, which Kaminsky found to be the method used by Netdevilz, a Turkish hacker group, when they hacked into Photobucket last month. And just last week, two exploit codes have been developed by security researchers from Computer Academic Underground (CAU) and the Metasploit Project. Both organizations have also made public these exploit codes via their respective blog entries.

Constant reader, meet the BailiWickeds—DNS BailiWicked Host Attack and DNS BailiWicked Domain Attack: brothers in arms.

CAU’s |)ruid (read as “druid”), who programmed most of the exploit codes, explains in this blog entry how the tandem can successfully use an unpatched DNS server to online threats. The host attack module is responsible for “injecting individual uncached host records into the target nameserver’s cache,” which means that a hacker can use this module to send out a lot of spoofed reply packets back to the querying client (probably a lot faster than the reply from a real DNS server) in hopes of matching the information, such as transaction ID and source port, from the query sent by the client. Note that to the client, the hacker may take the form of a legitimate DNS server since the hacker throws back responses.

The Domain attack module, on the other hand, replaces “a target domain’s nameserver records in a target nameserver’s cache,” which means that a hacker can use this module to overwrite additional information in a reply packet typically sent by a DNS server to a querying client once the source port and transaction ID are determined. Note that, at this phase, hackers can point users to malicious sites via the spoofed information in the reply packet.

Current BailiWicked codes have been fine-tuned to predict the “dead air” between outgoing query packets and incoming reply packets and vice versa. This enables the exploit to determine the number of spoofed replies it can send to the querying client.

We implore our users to check if their DNS are vulnerable to such exploits by using any of the following tools:

• Dan Kaminsky’s Checker (found at right of the page)
• DNSstuff.Com’s Checker
• DNS-OARC.Net’s Checker

And, yes, we could not stress this more: PATCH NOW.

Invoice Spam Takes Flight

Friday July 25, 2008 at 10:05 am CST
Posted by Craig Schmugar

Trackback

Last night we blogged about fake invoice spam carrying malware.  Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices.  Messages may appear as follows (other spam campaigns may appear different):

—————————–
From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
   or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
—————————–

As with previous campaigns, the executable is a new variant of Spy-Agent.bw.  Once again, Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.

DNS cache poisoning vulnerability details confirmed

Published: 2008-07-24,
Last Updated: 2008-07-25 06:47:28 UTC
by Kyle Haugsness (Version: 2)

0 comment(s)

A couple of the handlers tuned into the Blackhat "webinar" today.  The topic was Kaminsky's DNS vulnerability.  Here are some quick notes...

Dan Kaminsky confirmed the details about the vulnerability.  I think he was wanting to save the details until Blackhat, but since it got leaked and exploits have shown up in the last 24 hours, there doesn't seem to be much use in delaying any longer.  Dan seemed to confirm that the leaked blog entry and the latest Metasploit module have identified the vulnerability correctly.
In Kaminsky's tests, he was able to poison a nameserver cache in about 5-10 seconds.  This bug allows the attacker to overwrite entries that are already in the cache.
Nameservers that are authoritative only are not vulnerable.  But setting a high TTL for your hosts which you are authoritative won't help vulnerable resolvers from being poisoned.  This attack bypasses the TTL protections on vulnerable resolvers.
DNS client libraries (workstations and servers that resolve to upstream nameservers) need to be patched also.  The attacks still work against single unpatched hosts - but the priority should be your resolving nameservers.
Home firewall NAT devices are also proving to be vulnerable as many don't seem to randomize the source port.
If I heard correctly, Joao Damas from ISC (Internet Systems Consortium, maintainers of BIND) reports that he has seen attacks already in the wild for this vulnerability.

UPDATE

There is a tool from our friends at Onzra that appears able to detect cache poisoning attacks: http://www.onzra.com/CacheAudit-Latest.tgz

"CacheAudit is an open source aplication for monitoring the cache of a Recursive DNS server. It allows providers to detect and respond quickly to Cache Poisoning events."

It's still beta so take it with a grain of salt but it's definitely worth a look.

DNS cache poisoning attacks spotted in the wild

Date:07.25.2008

Threat Type: Malicious Web Site / Malicious Code

This is an update to our previous alert on the DNS cache poisoning attacks.

The previously embargoed details of a critical DNS cache poisoning flaw have been correctly deduced, and are now public. In a webinar held just yesterday, Dan Kaminsky, the security researcher who discovered this flaw, confirmed that the vulnerability has been leaked.

More code to exploit this flaw has surfaced since our previous alert on this topic, and attacks have been spotted in the wild.

Major ISPs, including AT&T, Time Warner, and Bell Canada have yet to respond to this threat, leaving millions of subscribers at risk. Microsoft has issued a formal security advisory; Apple, whose Mac OS X servers are susceptible, have yet to issue a statement.

Websense® Security Labs™ strongly recommend that customers running their own DNS servers patch immediately. Customers who rely on an upstream DNS provider are urged to contact their provider to confirm that this issue has been addressed properly.

References:

http://www.doxpara.com/?p=1185

http://securitylabs.websense.com/content/Alerts/3139.aspx

http://isc.sans.org/diary.html?storyid=4777

http://www.microsoft.com/technet/security/advisory/956187.mspx

http://db.tidbits.com/article/9706

http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447

http://www.kb.cert.org/vuls/id/800113

http://w.on24.com/r.htm?e=114268&s=1&k=638307695FF31ED953EF9EC0DF969C02L

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://milw0rm.com/exploits/6130

http://milw0rm.com/exploits/6123

Jul26

‘Rechnung’ Spam Receipts Being Sent (Again)

by Jovi Umawing (Technical Communications)

Senior Anti-Malware Security Specialist Rainer Link has reported receiving a peculiar email notification. And it masquerades as being sent by PayPal.

Below is a screenshot of a sample spam email:

Alice Decker, Trend Micro Advanced Threats Researcher, has translated the German text:

Good Morning,
Your order Nr. SP1239192 is now executed.
An amount of 6336.09 EURO was debited directly and it will be shown in your Paypal debit entry. You may find attached the details of the invoice.

PayPal (Europe)
S.447; r.l. & Cie, S.C.A.
01-81 Boulevard Royal
L-0342 Luxembourg

Greetings,
CEO: Mia Mayes
Trade register number: R.C.S. Luxembourg B 212 106

Trend Micro detects the attached ZIP file, which masks itself as a file detailing the invoice of the said transaction, as WORM_OTORUN.C. This worm propagates by dropping copies of itself into removable drives and connecting to certain Web sites to download possibly malicious files.

What is remarkable about this attack, said Decker, is that a worm is sent via email (which hasn’t been the norm). It can also be said that the attack is becoming more diverse, since past schemes involved sending via email downloaders that dropped browser hijacker Trojans (TROJ_BZUB variants), whereas more recently we have been getting downloaders of hijackers with rootkit capabilities (like the WNSPOEM malware) and now, worms.

Additionally, the email message body suggests that a new criminal organization outside Europe triggered this attack, added Decker.

Rechnung spam runs have been hitting users since 2006, and has been observed to be making a comeback during the second half of 2007.

Other such attacks in the past:
• Another Yabe Wave
• IKEA “Rechnung” malware shops for new targets
• New WORM_NUWAR.CQ variant, new faked 1&1 bills, new faked “KD Webshop Bestellung”
• Yet Another “Bill” from Ebay

RealNetworks RealPlayer Multiple Vulnerabilities

Secunia Advisory:
SA27620

Release Date:
2008-07-25

Last Update:
2008-07-29

Critical:

Highly critical

Impact:
Exposure of sensitive information
System access

Where:
From remote

Solution Status:
Partial Fix

Software:
RealPlayer 10.x
RealPlayer 11.x
RealPlayer Enterprise 1.x

CVE reference:
CVE-2007-5400 (Secunia mirror)
CVE-2008-1309 (Secunia mirror)
CVE-2008-3064 (Secunia mirror)
CVE-2008-3066 (Secunia mirror)