March 2009 - Posts

Published: 2009-03-30,
Last Updated: 2009-03-30 22:15:31 UTC
by Daniel Wesemann (Version: 4)
3 comment(s) digg_url = 'http://isc.sans.org/diary.html?storyid=6097&rss'; digg_title = 'Locate Conficker infected hosts with a network scan!'; digg_skin='compact'; digg_topic = 'security'; Facebookacebook witter

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.
Nessus Plug-In 36036: www.nessus.org
Instructions on how to scan for Conficker with NMAP: http://www.skullsecurity.org/blog/?p=209 . http://seclists.org/nmap-dev/2009/q1/0869.html has specific tips on how to scan large networks with the new NMAP feature.

Be careful when searching for any of these tools with a search engine. A good part of the search results returned on the keyword "Conficker" are scare-ware and fake anti-virus that try to cash in on the Conficker scare. We have a summary of removal tools with links available on isc.sans.org/conficker

The Honeynet project have also published a new write-up at http://www.honeynet.org/papers/conficker

Conficker hype used by rogue gangs Posted by Patrik @ 20:20 GMT | postCount('00001639'); Comments

Oh the irony.

As you're all aware Conficker has been in the news a lot lately, especially with regards to if anything will happen on April 1st or not. We found out that rogue security software folks have picked up on this. For example, lets have a look at remove-conficker.org, a domain which was registered today:

remove-conficker.org

They advertise a tool called MalwareRemovalBot. It's fake. Interestingly, it doesn't always find non-existing malware infections on your PC - only sometimes. But one thing is for sure, it does not remove Conficker.C. We tried it and it didn't do a thing to remove it.

When it did find something that it claimed to be malware it looked like this:

MalwareRemovalBots scanning

And then it asked us to register and pay $39.95 for the removal functionality.

MalwareRemovalBots purchase

When following up on this we did a Google search for "remove conficker.c" and saw several purchased ads that lead to the same type of "security" software as well.

Google search for Conficker.C

Like AdwareAlert and AntiSpy2009 It's clear that it's an affiliate program going on.

Rogue software

Get your facts from known sites and download your removal tools from respected companies. Such as ours that you can find here.

Published: 2009-03-31,
Last Updated: 2009-03-31 11:50:58 UTC
by Marcus Sachs (Version: 1)
0 comment(s) digg_url = 'http://isc.sans.org/diary.html?storyid=6103&rss'; digg_title = 'Feeling Conflicted about Conficker?'; digg_skin='compact'; digg_topic = 'security'; Facebookacebook witter

In just a few minutes it will be April 1st at the International Date Line.  Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen.  There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to "help" those who are confused.  There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers.  Our official Conficker page is at http://www.dshield.org/conficker, that's where we have links to all of the software and analysis that we know is trustworthy.

As always, we want to remind our readers that if you are doing what everybody considers to be best business practices (firewalls, unneeded services turned off, systems patched, current antivirus software, user education and awareness, good policies, an incident detection and response mechanism, etc.) then you have very little to worry about.

If you detect anything NEW with respect to Conficker over the next 24 hours please let us know via our contact page.  We'll sound the alarm should something bad happen.  Otherwise, back to work and Happy April Fool's Day!!

Marcus H. Sachs
Director, SANS Internet Storm Center

More Comments Regarding Conficker


A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.

First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)

The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.

But beyond anti-malware protection, what else can you do?

The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.

Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.

What you see is NOT what you get


We’ve all read of social engineering tactics before and how gullible users fall prey to many tactics used by virus authors. As researchers we often give recommendations to family and friends on how not to fall prey to such tricks, but once in a while we need to remind ourselves too that we are included in the intended list of targets.

As researchers we deal with different flavors of malware. Over time and with experience researchers often reach a state of “enlightenment” where you look at a sample and you know if it’s malicious. At least that’s what we believe; however there are times where we too are made to think twice. When dealing with malware it’s not uncommon for analysts to come across a note from the authors once in a while. At times they are taunts and at times they are something more like the example below. We came across a sample which contains messages for security researchers asking to not add detections for the file as this is not a virus. Considering that there are legitimate packers that put warnings for researchers to prevent falsely detecting them, such non-verbal communication can at times make one take a second look.

In the words of a malware author

Besides the fact that they seem to agree that they have authored this program :) , technically they are right - this is not a virus, but a trojan downloader !!  This trojan silently downloads arbitrary files (porn dialer in this particular case) from remote site (hxxp://[skipped].com/del/cmb_[random].exe) and executes it. (New detection added to detect both samples is “Generic.acf”)

A second example was a little more fascinating for us. Researchers often take two approaches to analysis: Static (opening up the file in Hiew or other similar tools) and Dynamic (replicating the malware). In this case we opened the file in Hiew and the first thing that was apparent was that the file had abnormal resources and import data.

Abnormal Resources

Moving past this error, we also noticed that the Entry Point mentioned in the header is 0001A001 and for an Image Base of 00400000, we should be able to get Hiew to go to the EP which should be at 0041A001. However it looks like the file ends at 00410DFF causing Hiew to fail reaching EP.

Header Information for EP

At this point in our minds we are more or less sure that this file is corrupt and it could be the end of analysis, but WAIT !!! Though we may be certain the Windows Loader will complain if we attempt to execute this sample, it actually runs like a charm. OK things are getting really fishy, so back to the drawing board we go. We re-open the file up in Hiew and this time we observe in more detail, the section header.

Section Table Entries

There are 10 odd looking sections which is fine, some of the sections have Physical Size as 0 and others overlap which though suspicious is fine too. And then we stumble upon the possible culprit. The authors have modified the Physical Size of the first two sections to FF003000 and FF000200 respectively where as their Virtual Sizes are 3000 and 1000. Patching the section sizes to 00003000 and 00000200 fixes the EP issue in Hiew allowing it to get to the correct EP.

Heck even IDA wasn’t able to load the files and gave the following errors and quit: “Virtual Array: Address space limit reached”

IDA Error

Olly on the other hand mentions the large section size but still loads it comfortably.

Clearly the authors are attempting social engineering here by crafting the section table. A second opinion is also that using this technique might trick certain AV products to mis-load such files. We’d like to hear your thoughts too…..

So the moral of the story is, don’t judge a book by its cover or malware based on only one tool, drink more coffee and keep at it. Happy Researching !!  [We currently detect this as Spy-Agent.dp.gen]



img {max-width:650px;width: expression(this.width > 650 ? 650: true);border-style:none; behavior: url(../iepngfix.htc); }
Mar29
by Arman Capili (Technical Communications)

Malware targeting machines running on Mac OS are quickly becoming quite common, with new variants appearing on a seemingly monthly basis. Just last week, our friends at Intego reported of new variant of the RSPLUG Trojan in the wild.

Taking its cue from the routines of the first RSPLUG malware, this latest incarnation no longer limits itself to porn sites. It has been determined to be hosted in several websites linked to one another, offering keygens, cracks, and serial numbers for Mac applications.

Detected by Trend Micro as OSX_RSPLUG.B, this malware arrives on an affected system as a downloaded file from the Web and uses the file name serial_Avid.Xpress.Pro.5.7.2.dmg. And like the earlier variant, it also causes the affected system to redirect to a malicious URL by modifying the system’s network settings.

Worthy of note is its similarity to last month’s Mac Trojan, detected as OSX_KROWI.A, that piggybacked on pirated versions of Apple iWorks 2009 and Adobe Photoshop for Mac. Both incidents appear to ride on the ease-of-use and predictability of software installation on Macs - an apparently successful social engineering ruse.

Perpetrators of these malware continue to circumvent stumbling blocks in directly infecting Macs by tapping into the weakness and gullibility of users downloading and installing pirated software. Trend Micro reiterates its advice to users to use legitimate software only to avoid brushes with these types of security concerns. The Smart Protection Network already detects OSX_RSPLUG.B and provides solutions for its cleanup and removal.

GhostNet Posted by Mikko @ 14:21 GMT | postCount('00001637'); Comment (1)

Typical document used in a targeted attack.

The University of Toronto published today a great research paper on targeted attacks.

We've talked about targeted attacks for years. These cases usually go like this:

1. You receive a spoofed e-mail with an attachment
2. The e-mail appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically a Poison Ivy or Gh0st Rat variant
8. No one else got the e-mail but you
9. You work for a government, a defense contractor or an NGO

gh0st rat

But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were.

GhostNet
Click the image above to read John Markoff's article.

The release of the paper was synchronized with the New York Times article. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not done such direct accusations without concrete proof of government involvement.

For a reason or another, infowar-monitor.net has been down all day. So we've made a mirror of the research papers available here:

GhostNet.doc GhostNet.doc

More resources: Here's a video that we posted earlier about targeted attacks:

YouTube

And here are selected blog posts on the topic:


img {max-width:650px;width: expression(this.width > 650 ? 650: true);border-style:none; behavior: url(../iepngfix.htc); }
Mar27
by Jake Soriano (Technical Communications)

The Trend Micro Content Security team discovered spoofed email messages that pretend to be from Delta Airlines. The fake email message contains a confirmation numbers of supposed ticket purchase and a ZIP file. Recipients are told that this said file contains details on the travel itinerary.

Here’s a screenshot of a spammed message:


Figure 1. Sample spam.

The ZIP file is, of course, a malicious file detected by Trend Micro as TROJ_DELF.PSZ.


Figure 2. Malicious file.

The Trojan automatically runs at every system startup by modifying a registry entry. It has rootkit routines which enable the binary to hide its processes, files, or registry entries. The file also connects to a website to download files. This exposes an infected system to more threats.

This would not be the first time cybercriminals used airline tickets as bait. A fake American Airlines website was used for phishing late last year. The fact that airline tickets are relatively inexpensive now could also be a factor in the proliferation of these types of threats. Users may think they’re having a free vacation but in fact their PCs are already being infected with malware.

The Trend Micro Smart Protection Network already blocks TROJ_DELF.PSZ and provides solutions for its cleanup and removal

Sound Fake? Finding a Malicious Driver

Thursday March 26, 2009 at 9:52 am CST
Posted by Di Tian

Trackback

You already know that malware changes registry keys to take advantage of the autorun capability when systems and applications start. The registry keys we often see for this purpose include:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Current Version\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Legit_program]\Debugger
HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32

Recently, we noticed that the Lando Trojan uses a different registry to load its malicious code into Internet Explorer. By dropping a fake sound driver (wdmaud.sys) into the %system32% folder and by adding the registry key HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2: “%system32%\wdmaud.sys,” the malware author injects malicious code into the iexplore.exe process. When the user launches Internet Explorer, the attacker hijacks Google search.

How can you distinguish the real sound driver from the fake? The legitimate wdmaud.sys is a component of Microsoft’s WDM driver or WINMM WDM Audio Compatibility driver. You’ll find it in the %system32%\drivers\ folder. It is about 84KB and includes complete version information.

Meanwhile the malicious wdmaud.sys is located in the %system32%\system32 folder. It is only about 22KB and has no version information.

By comparing their file properties, you can easily tell the difference. But, as always, be careful when deleting the malicious wdmaud.sys or other suspicious files. You don’t want to trash the legitimate driver.


img {max-width:650px;width: expression(this.width > 650 ? 650: true);border-style:none; behavior: url(../iepngfix.htc); }
Mar30

Much has been said about the DOWNAD worm (a.k.a. Conficker) and its enigmatic payload that will supposedly be unleashed on April 1st. There are two days to go until the moment of truth and the hype isn’t expected to die down. But online threat history tells us that trigger/activation dates of equally hyped malware have come and gone without much fanfare. Whether or not April 1 will play out to be D-Day indeed, the security industry will be keeping an eye out for any malicious activity—like it should.

What we do know at this point is that the latest variant, which we detect as WORM_DOWNAD.KK (first detected on March 4, 2009), includes an algorithm to generate a list of 50,000 different domains. Five hundred (500) of these will be randomly selected to be contacted by infected PCs beginning April 1, 2009 to receive updated copies, new malware components, or additional functional instructions.

Figure 1. Routines that WORM_DOWNAD.KK will start performing beginning 1 April 2009

Trend Micro is part of the Conficker Working Group, also called the Conficker Cabal. As part of this group, we must continue to set straight misconceptions surrounding DOWNAD/Conficker and what it’s set to do on the anticipated date. Allow us to reiterate some facts:

Q: What will happen on April 1, 2009?
A: Based on our collective technical analysis, we’ve determined that systems infected with the latest
version of Conficker will begin to use a new algorithm to determine what domains to contact. We have
not identified any other actions scheduled to take place on April 1, 2009.

Q: Will an updated version of Conficker go out to already-infected systems on April 1?
A: It is possible that systems with the latest version of Conficker will be updated with a newer version
of Conficker on April 1 by contacting domains on the new domain list. However, these systems could
be updated on any date before or after April 1 as well using the “peer- to-peer” updating channel in the
latest version of Conficker.

Q: Should the general public be alarmed? Why or why not?
A: No, the general public should not be alarmed. Most home users have been protected by Microsoft
Security Update MS08-067 being applied automatically.

Q: Are there any other changes in the latest version of Conficker?
A: The latest version of Conficker also introduces a new “peer-to-peer” (P2P) updating capability. This
capability could enable a system infected by the latest version of Conficker to receive a new version or
new instructions by contacting another system infected by Conficker rather than by contacting a
domain determined by the domain generation algorithm.

Q: We hear talk of an impending second phase of attacks from Conficker. What do you anticipate happening next?
A: There may be a second phase of the threat at some point in time. However, we believe that with a
situation like this—which has similarly taken place many times in the past—and given the tremendous
amount of attention that this worm has received, as well as industry and law enforcement monitoring, these efforts will be a deterrent to a large second wave of attacks. At the end of the day, we can’t
speculate on the intentions of criminals, but what we can do is work to limit the impact of any second
phase.

Q: Why does Conficker continue to spread even though Microsoft issued the update in October?
A: There is always some percentage of customers who don’t apply an update at any given time, due to a variety of reasons. While most home users have been protected by the patch being applied automatically, once the worm gets a foothold inside an enterprise, it’s difficult to remove and this is where people are having problems.

Q: Why is Conficker using domain names? Is this a new trend?
A: It is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend.

Q: What is the Conficker Working Group doing about this new algorithm?
A: The Conficker working group has been working continuously to block access to domains that systems infected by Conficker attempt to contact. We are continuing this work and have expanded this effort to include those domains that will be contacted by the latest version of Conficker starting on
April 1, 2009.

Q: What should people who are worried about April 1 and Conficker do?
A: We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest signatures.

We recommend that enterprises continue to focus on the guidance from experts in industry, academia and governments worldwide and continue to deploy the security update MS08-067, ensure their security software have the latest signatures, clean any systems that are infected with any version of Conficker using the tools and guidance we’ve provided, and evaluate additional security best practices in accordance with their organizations policies and procedures.

Q: We’ve seen some reports that this worm blocks people from receiving updates, including antivirus updates. Are you seeing this and what are you doing about it?
A: Yes. Often malware attacks use a variety of tactics to remain on the system and undetected. We continue to encourage to visit Trend Micro’s Online Virus and Spyware Scanner—HouseCall—and run the HouseCall online scanner 4 to check for and remove any malware.

Trend Micro also provides a Downadup/Conficker removal tool, called SysClean, located at:
http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip.

If a PC has already been victimized by Downadup/Conficker, and access to TRENDMICRO.COM has
been disabled, users will have to retrieve a copy of this tool via other means (e.g. on an uninfected
computer), and use it to disinfect their system(s). You can also get this Sysclean tool from https://securecloud.com/support/sysclean.

Read about DOWNAD blog entries:

SHARETHIS.addEntry({ title: "What Will Go DOWNAD on April 1?", url: "http://blog.trendmicro.com/what-will-go-downad-on-april-1/" });

Published: 2009-03-29,
Last Updated: 2009-03-30 00:19:34 UTC
by Chris Carboni (Version: 1)
0 comment(s) digg_url = 'http://isc.sans.org/diary.html?storyid=6091&rss'; digg_title = 'April 1st - What Will Really Happen?'; digg_skin='compact'; digg_topic = 'security'; Facebookacebook witter

As reports and the belief of impending problems from the April 1st changes to Conficker contine to grow and spread this seems like a good time to separate fact from fiction.

 
Here is what we know:
 
This is not an April Fools joke or hoax.
 
The Conficker worm (also known as Downadup) will begin to poll 500 different domain names every day looking for updates as opposed to the 250 per day it is now looking at.
 
The P2P update functionality reported in the new version, already exists today.
 
SRI as a very nice write up on the new Conficker variant available here
 
In addition f-secure as a very nice Q&A article here  and a nice description of the variant here 
 
Based on these facts and a wealth of other information, we at the Internet Storm Center beleive that April 1st we be more or less, business as usual.
 
This is not to say that we will not be monitoring the situation.
 
We will be watching events very closely, speaking with industry and other contacts (including the Conficker Working Group) as well as monitoring other indications of potential malicious activity (shameless plug for Dshield data) so that we can provide appropriate guidance should it be needed.
 
And as always, should you notice anything unusual on your network (Conficker related or not) feel free to contact us and let us know.
 
HOD:  Chris Carboni
 
Published: 2009-03-27,
Last Updated: 2009-03-27 19:31:49 UTC
by David Goldsmith (Version: 1)
0 comment(s) digg_url = 'http://isc.sans.org/diary.html?storyid=6082&rss'; digg_title = 'Bad Symantec Virus Defintions Update'; digg_skin='compact'; digg_topic = 'security';

We had a report earlier today about problems with non-malicious PDF files getting flagged by the Symantec AntiVirus 10 and Symantec Endpoint Protection 11 products.  The March 26, 2007 rev 7 definitions appear to be the cause of the issue.  The PDF files were getting flagged as Bloodhound.PDF.6 based on hueristics detection.

There is also a thread about this issue on Symantec's forum today.

If you upgrade your signatures to revision 67 or later, or use the Rapid Release definitions whose sequence number is 93430 or higher, the problem appears to have been resolved.

W32/Conficker: Much Ado About Nothing?


In the run-up to April 1st 2009, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed” - no other worm in recent history has generated this much media attention. But what have we learnt from history?  From the days of Michelangelo to the recent Blaster, SoBig, Sober and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms have only turned out to be damn squids.

What happens on April Fool’s Day is anyone’s guess. While we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding newer functionality and anti-debugging tricks with every released variant. In order to resist Conficker Cabal initiative which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially hosts a payload for the Conficker worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker also known as Downadup, Kido worm, and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site shows an overall antivirus detection rate of consistently 90% or above. And these high detection rates are across vendors - small or big.

In the run up to April 1st, McAfee is offering a special build of its stand-alone cleaning tool christened Stinger which will be updated on a daily basis to include any undetected Conficker variants from the wild.  This special build of the Stinger tool can be downloaded from the Avert Tools site. We’ve has also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for the MS08-067 - Microsoft Windows Server Service vulnerability which is exploited by the worm can be viewed at our threat center.

Please ensure that your copy of Microsoft Windows is patched and security software is fully up to date to ensure that April 1st 2009, is a day like any other day!

Should I Care About server.exe?


Computer users know that they shouldn’t touch system files. If they did, they could damage their computers. A well-known ploy of malware authors is to name their files after system files. Users can be tricked into ignoring malicious files on their systems by this social-engineering method.

Let’s look at what the Backdoor-CEP.gen Trojan does, for example. When a user is infected with this Trojan, its drops the file server.exe into the user’s system directory:

 server.exe

Like many system files, server.exe is hidden. Now how many users would take a second look at server.exe in their system32 folders? Unfortunately, server.exe is a backdoor that waits for and responds to commands from remote attackers. As always, users should exercise caution when dealing with executables of unknown origin. For more about the Backdoor-CEP.gen family, check out its VIL page.

Symantec Data Leak Remains Under Investigation

By Brian Prince
More Posts Next page »