Archive for November, 2007
Friday, November 30th, 2007
This morning, we were observing a surge in hits from an Armadillo/SoftwarePassport packed Rbot variant. It looks like this one might be distributed over a P2P network. AV scanner detection appears to be fairly spotty for now:
When we are looking through files that come in, we see the work of fairly underground joiners/stickers of all sorts — microjoin, minichain, exebind, etc. These tools are used to bind an executable to another file package, so that a stub is added to the original file along with the bot, and they are “binded” together. That way, when the unwitting victim receives a bound file, they’ll think they are running one executable when really they are running two.
An interesting example came in this morning: sdsetup.exe. Interesting, because the filename is the same as the PC Tools product installer for SpywareDoctor. And the icon of the file appears to be the one that PC Tools uses for their SpywareDoctor product. However, here are some properties of the file that appear when you right click on the installer file and select “Properties”. The file is missing a digital signature, and the file’s “Description” is “Win32 Cabinet Self Extractor”. It seems fishy right off the bat, because that’s a legitimate tool normally used to build installers and files that bind more than one executable together, just like the underground binders we see all the time:
Now, below is a genuine installer from PC Tools. Cool icon, huh? You can see the file’s properties by right clicking on it again. Notice the “Digital Signatures” tab, the “PC Tools” signer name, and the confirmation that the signature itself is ok from Verisign. This countersignature provider confirms that the file is from PC Tools, much like a Notary Public’s stamp would for a legal document:
Now we run the file that arrived with the odd Description property and is missing the digital signature. BAM! a new executable is created in the system directory and silently executed. This little obfuscated Rbot treat comes with keylogging capabilities and more, and calls home to a computer running on a dsl line here in Kansas City in the U.S. The server is down for now, but it appears to be cycling through ip addresses:
Reason to be alarmed? Not really, this technique commonly is used by creeps every day. But there are lessons to be learned here. If you are going to install a product, do not get it from your favorite P2P collection. Instead, go to the source, like the PC Tools or ThreatFire web site.
And, if you are going to run an executable, you can check it for a digital signature. It’s one more layer of security — the signature helps confirm that the source of the executable is genuine.
Wednesday, November 28th, 2007
It’s a pretty complicated attack. Basically, when visiting one of these google results, the malicious server will prompt you to download a malicious executable, at the same time while analysing your system for vulnerabilities and attempting to attack them. All this work in an effort to install lots of “rogue security software” that will scan your system, attempt to intimidate the user with fraudulent scan results into purchasing the product. Complete with pop-ups for pharaceuticals sprouting up on the screen.
Yesterday afternoon, we installed their executable manually (displayed at the Sunbelt blog as “VideoAccessCodecInstall.exe”). It runs on a user’s system and then attempts to connect to a website and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the “video codec” connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn has been found all over the system (which were not when we started), and we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner
Simply put, the best way to deal with this threat is to update your Windows operating system and application components and keep your system’s third party utilities patched, and maintain effective security products on your system.
We’ll keep you updated on the situation.
If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:
If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:
Here is an example of ThreatFire identifying one of the downloaders, running on a lab system:
Tuesday, November 27th, 2007
Online games have always had the problems of cheats, password stealers and bots. Volumes of information have been written on the topic, including Hoglund and McGraw’s published material. In response, game developers at studios like Blizzard Entertainment and Amped have developed ways to unexpectedly “govern” the software that is running on their users’ systems, and ways to “harden” their software against reverse engineering attempts. For better or worse, these “tools” have turned into somewhat intrusive tools that peek into everything on the system and prevent RE activity using methods similar to those used by malware writers.
Sometimes, these defenses cause problems for the software security industry. You can see here from virustotal signature-based scan results today that our Tantra-playing friends in the Phillipines trying to play “Tantra” might be interrupted by their game’s security software:
These problems cropped up with today’s binaries, and have cropped up in the past. In August, AVG already was detecting the “tantrum.exe” component as a virus with its generic packer detections: Regarding Virus “obfustat.iiy” On Wr Ph, Problem Fixed
The problem, in part, for the av signature-based products seems to be the packer. The packer that Amped is using, Molebox, is polymorphic and provides some difficulties for black, grey and white hat reversers trying to peek into the code behind their tantrum.exe component. Malware writers and distributors in the recent past have used molebox to evade detection and make their creations more difficult to reverse engineer. You might notice that the screenshot above shows that Ikarus detects the component as “Rbot”.
For behavioral-based security products, a problem arises when these components, which have very similar file characteristics to malware that we’ve seen, exhibit behaviors similar to malware. For example, this Tantra game component injects itself into operating system components in the same way as backdoors like Bifrost and other trojans.
For now, it seems that these problems will be ongoing. The game developers need to protect their games the best that they can, and security software products need to be as sensitive as possible.