Sunday, September 16, 2007

Phishing weekend!

More phishing this weekend, as always. Apparently, the arrests of a suspected phishing group this past week in Germany didn't net much of the phishing crime scene. This email bait arrived on Saturday, and appears to be much better designed than past emails. Little misspellings and giveaways can clue a reader in to fraud, however.

Let's give this one a closer look and pick out a few of the giveaways. Genuine return addresses at "bankofamerica.com" are spelled correctly, unlike the "bankoffamerica.com" in this message (outlined in red below). Banks don't use hyperlinks with bare IP addresses in the URL, or with convoluted or misspelled words (unfortunately, the bank targeted in this example may send emails to their customers with hyperlinks to bankofamerica.com). Also, I believe the bank never contacts their customers with these sorts of security issues in this manner over email.

If you are using gmail and receive this kind of fraudulent mail, you can report it to have the site investigated. Click on the little blue arrow in the upper right hand corner of the message. A drop down menu appears, with the "Report phishing" option (outlined in red below). You can select this option to report the site to the appropriate handlers. Click on the image below to enlarge it:

Saturday, September 15, 2007

Whatever happened to Pacman?

If you've got kids, don't let them download any free games today. Oh yeah, you too.
It appears that the Storm gang is now shifting their focus from football fans to children. The lures in this ongoing campaign keep changing, but the social engineering tactics behind them appear to remain effective.

Today, an email arrived with the offer of 1000+ free games, here is the gimmick:

Subject: 1000 free games!
Message: "1000 plus games for free... Check it out hxxp://70.xxx.xxx.x3/"

If you receive this email message, DO NOT click on the link. The web site identifies your browser (IE, Firefox, Opera) and delivers a matching and reliable exploit with multiple malicious payloads. If your browser and plugins are fully patched and the exploits fail, every image on the page is still linked to their malicious downloader "ArcadeWorld.exe". This exe belongs to the same family of malicious executables that no one wants on their system. We have seen variants of them since at least January (and possibly last November) from these guys -- rootkits, unwanted P2P components joining your system to a botnet, downloaders for pulling down more malware, DDoS components that turn the victim's system into an attacker, and spam mailer components. DO NOT run this file.

Here is an image of the website. DO NOT visit it:

Thursday, September 13, 2007

BofA Phish

Wow. I used to get messages asking about sites like this one from my friends and family, but they weren't quite so convincing. This phish is flapping.

Supposedly, my bank just contacted me 10 minutes ago about a problem with my account. Here is the message:
Subject: Bank of America Account Review Department !
"We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us.If this is not completed by September 16, 2007, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your Online Banking records click on the following link: hxxp://64.xx.72.1x7/www.bankofamerica.com/index.htm"

Oooo, this message looks urgent; I might not complete it by September 16th... When I click on the link from a system in our lab (do not do this from your system), the site my browser is directed to looks like an exact replica of the BofA site. However, this site is not hosted by Bank of America (a clue is the IP address used in the URL). But it is happy to take my banking username and password!
Lesson to be learned here -- just like answering the phone, don't give out information to anyone just because someone is asking you for it.

DO NOT visit the site, DO NOT provide your username or password:

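The giveaways called out in the three posts above (the "bankoffamerica.com" sender in the September 16 mail, the bare IP address in the "1000 free games" link, and the real bank name buried in the path of the BofA phish URL) can be checked mechanically. The script below is an added example, not code from the blog: the sample messages are constructed after the quoted baits, 192.0.2.x documentation addresses stand in for the redacted IPs, and the lookalike threshold of two edits is an assumption.

```python
"""Heuristic checks for the phishing giveaways described in the posts above."""
import re
from urllib.parse import urlsplit

# Matches live links and the defanged "hxxp://" form the posts use when quoting bait.
URL_RE = re.compile(r'\bh(?:tt|xx)ps?://[^\s"<>\']+', re.IGNORECASE)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one extra letter separates 'bankoffamerica' from 'bankofamerica'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_addr: str) -> str:
    """Domain part of a From: header, lower-cased ('Name <a@b.com>' -> 'b.com')."""
    m = re.search(r'@([A-Za-z0-9.-]+)', from_addr)
    return m.group(1).lower() if m else ''


def is_lookalike(domain: str, legit: str, max_distance: int = 2) -> bool:
    """True when domain is close to, but not the same as (or a subdomain of), the real domain."""
    if domain == legit or domain.endswith('.' + legit):
        return False
    return 0 < levenshtein(domain, legit) <= max_distance


def extract_urls(text: str) -> list:
    """Pull links out of a body, re-arming 'hxxp' so urlsplit can parse them."""
    return [re.sub(r'^hxxp', 'http', u, flags=re.IGNORECASE) for u in URL_RE.findall(text)]


def check_url(url: str, legit: str) -> list:
    """Giveaways present in one link: bare IP host, brand in the path, lookalike host."""
    findings = []
    host = (urlsplit(url).hostname or '').lower()
    path = urlsplit(url).path.lower()
    if IPV4_RE.match(host):
        findings.append(f'host is a bare IP address: {host}')
    if legit in path and not (host == legit or host.endswith('.' + legit)):
        findings.append(f'"{legit}" appears in the path but the host is {host}')
    if is_lookalike(host, legit):
        findings.append(f'link host {host} is a lookalike of {legit}')
    return findings


def assess(from_addr: str, body: str, legit: str) -> list:
    """All giveaways found in a message claiming to come from `legit`."""
    findings = []
    dom = sender_domain(from_addr)
    if is_lookalike(dom, legit):
        findings.append(f'sender domain {dom} is a lookalike of {legit}')
    for url in extract_urls(body):
        findings.extend(check_url(url, legit))
    return findings


BOFA = 'bankofamerica.com'
# Constructed samples modelled on the quoted baits; 192.0.2.x is the documentation
# range and stands in for the redacted server addresses.
SAMPLES = {
    'bofa_lookalike_sender': ('Bank of America <alerts@bankoffamerica.com>',
                              'Please confirm your records: '
                              'hxxp://192.0.2.7/www.bankofamerica.com/index.htm'),
    'free_games': ('games@example.net',
                   '1000 plus games for free... Check it out hxxp://192.0.2.10/'),
    'legit': ('Bank of America <alerts@bankofamerica.com>',
              'See https://www.bankofamerica.com/ for details.'),
}

if __name__ == '__main__':
    for label, (sender, body) in SAMPLES.items():
        print(label, assess(sender, body, BOFA))
```

The brand-in-path rule is the one worth remembering: a URL like `.../www.bankofamerica.com/index.htm` shows the bank's name in the address bar, but only the host (here a bare IP) says where the browser actually went.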
Virus Bulletin 2007 Presentations

My talented colleague Sergei Shevchenko and I (Kurt Baumgartner) will be presenting "Last minute technical papers" at this year's Virus Bulletin 2007. If you're not registered yet, you have a few days left!
VB2007 conference: last-minute schedule revealed

Sergei will be speaking about the "sting operation" he has been working on, ThreatExpert, a bullet-proof system for identifying threats.
Sergei's technical presentation abstract
You can check out the ThreatExpert system and its reports here:
http://www.pctools.com/threat-expert/

And I'll be describing my research of the Storm threat's behaviors and characteristics over the past nine months, a threat best categorized as "Malware 2.0" (yes, a complete knock-off of O'Reilly's and Dougherty's statements on Web 2.0).
O'Reilly -- What Is Web 2.0
My technical presentation abstract

Should be another great conference this year! Hope to see you there.

Tuesday, September 11, 2007

Are we ready for some football?

We've been receiving all sorts of new mail from the Storm threat's authors. The latest to arrive at our office accounts is a message appealing to football fans. With college and pro football underway in the States, this social engineering is sure to attract some individuals. Here is the text of the email message:

"Life as we know it is back, NFL season is open.
Know all the games, what time, what channel and the stats.
Never be in the dark again with this online game tracker:
http://ip.address.he.re"

Here is a snapshot of the site offering the "tracker.exe" file that potential victims will reach by clicking on the email message's link. DO NOT visit the site if you receive the email, and DO NOT download and run this "tracker.exe" file:

Every link on the page, including the "Peyton Manning" link, will fail to download a couple of times, frustrating and confusing the user. Third time's the charm, and the tracker.exe file will download to your machine. Again, do not download and run the file. It installs all sorts of rootkit components and executables that you do not want on your system.

The authors have been somewhat inconsistent with this version of the multi-layered threat. They haven't incorporated the commoditized exploits that attack Internet Explorer, Firefox and third party components like Yahoo! Messenger into this web page, like they have on all of their other recent attack sites. The tracker.exe executable doesn't change with every download, either. Maybe we are very early on in this stage of the spam/website setup, or a different part of the group set this server up.
The location of this server, most likely another Mac OS X server, is somewhat unusual for this group as well. Geobytes tells us that it is located in Tujunga, CA:

Peyton Manning? They probably could have pwned my system with a Brett Favre link.

Wednesday, September 5, 2007

How do Storm and other current threats attack security solutions and silently maintain their presence on systems?

Malware v2.0 writers continue to develop new techniques and write sophisticated code to evade security solutions. We've seen a surge in the volume of changing and newly distributed malware that "goes Ring0", or installs kernel-level drivers. Often, and in the case presented here, the driver is installed in order to silently render AV solutions useless. The widespread Storm threat includes kernel-level functionality to perform some of its malicious work, but so do a number of other web-based threats that include components not yet detected by all of the AV community.

In our previous post, we examined a commoditized third party plugin exploit being used in the wild now and its "proactive-solution" evading shellcode. This post will take a look at another effective attack method being used right now, often as another layer in a web-based attack, with the end result of rendering a majority of real-time AV scanners ineffective on the system. Why do malware writers go to these lengths? Usually, in order to obtain and maintain presence on the system.

This added technique relies on a driver installer (often downloaded and executed by an attacker's shellcode), and a driver component to perform the malicious activity. The samples that we have analyzed will also download a spambot and proxies following the driver component's successful modification/destruction of the AV solution's real-time scanning capabilities.

I'll try to describe the activity and environment in fairly plain terms, so readers don't have to be a device driver writer to understand what is going on.

The driver somehow has to be copied to the system and its service installed. This action can be done in a number of ways. The executable component that creates the driver file and installs the service can be launched on a victim's system by attacking a web browser plugin as detailed in the last post, binding it to another exe and spamming it out to harvested email accounts, or any number of other well known methods already effectively used in the wild.

This downloaded executable copies the .sys file out to c:\windows\system32\drivers and makes a common Win32 API call to install this driver as a file system driver service. Here's a quick snapshot of the thread stack when the call is made:

The dropper’s work is almost done. Next, it starts the service and exits.
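Whichever API the installer used, registering a service through the Service Control Manager leaves a "service was installed in the system" event (ID 7045) in the System event log. As an added example that is not part of the post, the script below parses a text export of such events and flags driver services that are not in a baseline of expected drivers. The export layout and every service name and path in it are constructed placeholders, and the baseline set is an assumption a deployment would fill in from a clean build.

```python
"""Flag driver services that were installed outside an expected baseline."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Service types as they appear in the message text of event 7045.
DRIVER_TYPES = {'file system driver', 'kernel mode driver'}


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    service_type: str
    start_type: str


def parse_7045_export(text: str) -> List[ServiceInstall]:
    """Parse an export where each event is a block of 'Key: value' lines separated by a
    blank line. The block layout is an assumption about the export tool; the field names
    (Service Name, Service File Name, Service Type, Service Start Type) are event 7045's."""
    events = []
    for block in re.split(r'\n\s*\n', text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(':')   # split on the first colon only,
            if sep:                                  # so 'C:\...' paths survive intact
                fields[key.strip().lower()] = value.strip()
        if fields.get('event id') != '7045':
            continue
        events.append(ServiceInstall(
            name=fields.get('service name', ''),
            image_path=fields.get('service file name', ''),
            service_type=fields.get('service type', '').lower(),
            start_type=fields.get('service start type', '').lower()))
    return events


def is_driver(ev: ServiceInstall) -> bool:
    return ev.service_type in DRIVER_TYPES


def suspicious_driver_installs(events: List[ServiceInstall],
                               known_drivers: Set[str]) -> List[ServiceInstall]:
    """Driver services whose name is not in the baseline. The image path is deliberately
    not used as a discriminator: the dropper described above writes its .sys into
    system32\\drivers, exactly where legitimate drivers live."""
    return [ev for ev in events if is_driver(ev) and ev.name.lower() not in known_drivers]


# Constructed sample export: service names and paths are placeholders, not real
# products or real malware.
SAMPLE_LOG = r"""
Event ID: 7045
Service Name: AvFilterExample
Service File Name: system32\drivers\avfilter_example.sys
Service Type: file system driver
Service Start Type: boot start

Event ID: 7045
Service Name: dropped_drv_example
Service File Name: C:\WINDOWS\system32\drivers\dropped_drv_example.sys
Service Type: file system driver
Service Start Type: demand start

Event ID: 7045
Service Name: UpdaterExample
Service File Name: C:\Program Files\Example\updater.exe
Service Type: user mode service
Service Start Type: auto start
"""

# Assumption: populated from a clean baseline of the same build, lower-cased.
KNOWN_DRIVERS = {'avfilterexample'}

if __name__ == '__main__':
    for ev in suspicious_driver_installs(parse_7045_export(SAMPLE_LOG), KNOWN_DRIVERS):
        print(f'unexpected driver service: {ev.name} -> {ev.image_path} ({ev.start_type})')
```

A user-mode service install is left alone here; the point is that a new file system or kernel driver appearing on a workstation is rare enough to be worth an alert on its own, long before any signature for the .sys exists.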

Once the driver is started by its installer, it maliciously modifies the file system stack. "Real-time" file scan functionality is then disabled, even for major av products.

Here are a couple of screenshots of the system’s device tree prior to the attack – 1. a device tree representation of the Ntfs and raw filesystem drivers following a default install, and 2. a device tree representation of the Ntfs and raw filesystem drivers following the installation of a major anti-virus product. Keep in mind this kernel layout is what the malware writers are looking at when choosing their targets. The visualization is meant to help understand what is being attacked…

This screenshot presents the filesystem stack prior to the installation of the AV product. Notice that the Ntfs driver (labeled DRV \FileSystem\Ntfs) has a named device (labeled DEV \Ntfs), and also in its stack is the system volume (labeled MED \Device\HarddiskVolume1), which represents the underlying disk volume/partition. The XP SP2 operating system device tree normally looks like this following a default install:

This screenshot presents the device tree representation of the file system stack after the installation of a major vendor's anti-virus product. The Ntfs driver stack has been changed altogether. These changes indicate that the anti-virus scanner has installed a set of mini-filter drivers, shown by the addition of multiple new attachments labeled "ATT Attached: (Unnamed) - \Filesystem\FltMgr":

After observing and recording the state of the filesystem stack in a normal state and in an AV-modified state, we run the malware on this goat system in our lab, and it runs unhindered by the antivirus product -- signatures for the binary have not been added yet by this AV vendor, even though the malware has been circulating in the wild for over a couple of weeks now. At least a couple of other vendors are detecting the dropper and its driver.

Here is a screenshot of the filesystem stack after the malware has been run. Notice that all of the mini-filter attachments that were attached by the AV solution to the Ntfs device object have now been detached from the stack:

This modification effectively chokes off any real-time functionality of the AV solution's filesystem scanner. We expected the system to crash and throw a BSOD, but it kept running in this state in our labs for hours without any blue screen.

The AV security application continues to run, without presenting any warning to the user that it has been hacked, so the user thinks everything is ok. But their system is left unprotected at this level.
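The device-tree screenshots above are the manual version of a check a defender can script: enumerate the minifilter instances on each volume and compare them against a known-good baseline, rather than trusting the AV product's own status page. The example below is added here and is not the post's code. It parses captures in the layout of `fltmc instances` output taken before and after the driver runs, reports which filters were detached from each volume, and flags volumes left with no filter in the anti-virus altitude band. The before/after captures, filter names and altitudes other than the AV band are constructed samples, and the column layout is an assumption about the tool's output.

```python
"""Compare minifilter instances per volume before and after a suspect driver runs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Microsoft allocates the altitude band 320000-329999 to FSFilter Anti-Virus minifilters.
AV_ALTITUDE = (320000, 329999)


@dataclass
class FilterInstance:
    filter_name: str
    volume: str
    altitude: int
    instance_name: str


def parse_fltmc_instances(text: str) -> List[FilterInstance]:
    """Parse 'fltmc instances'-style output. Assumed layout: columns Filter, Volume Name,
    Altitude, Instance Name, Frame, separated by two or more spaces, after a header row
    and a row of dashes."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith('-'):
            continue
        cols = re.split(r'\s{2,}', line.strip())
        if cols[0] == 'Filter' or len(cols) < 4:
            continue                      # header row, or a row we do not understand
        try:
            altitude = int(cols[2])
        except ValueError:
            continue
        rows.append(FilterInstance(cols[0], cols[1], altitude, cols[3]))
    return rows


def filters_by_volume(instances: Iterable[FilterInstance]) -> Dict[str, Set[str]]:
    by_vol: Dict[str, Set[str]] = {}
    for inst in instances:
        by_vol.setdefault(inst.volume, set()).add(inst.filter_name)
    return by_vol


def detached_filters(before: List[FilterInstance],
                     after: List[FilterInstance]) -> Dict[str, Set[str]]:
    """Filters attached to a volume in the baseline that are no longer attached afterwards."""
    b, a = filters_by_volume(before), filters_by_volume(after)
    gone = {}
    for vol, names in b.items():
        missing = names - a.get(vol, set())
        if missing:
            gone[vol] = missing
    return gone


def volumes_without_av(instances: List[FilterInstance],
                       volumes: Optional[Iterable[str]] = None) -> Set[str]:
    """Volumes with no instance in the AV altitude band. Pass the baseline's volume list so a
    volume that lost every filter is still reported."""
    vols = set(volumes) if volumes is not None else {i.volume for i in instances}
    protected = {i.volume for i in instances
                 if AV_ALTITUDE[0] <= i.altitude <= AV_ALTITUDE[1]}
    return vols - protected


# Constructed captures: filter names are placeholders; only the AV altitude band is real.
BEFORE = r"""
Filter                Volume Name                              Altitude        Instance Name       Frame
--------------------  -------------------------------------  ------------  ----------------------  -----
AvFilterExample       C:                                        320100        AvFilterExample Instance   0
AvFilterExample       \Device\HarddiskVolume1                   320100        AvFilterExample Instance   0
OtherFltExample       C:                                        100200        OtherFltExample Instance   0
OtherFltExample       \Device\HarddiskVolume1                   100200        OtherFltExample Instance   0
"""

AFTER = r"""
Filter                Volume Name                              Altitude        Instance Name       Frame
--------------------  -------------------------------------  ------------  ----------------------  -----
OtherFltExample       C:                                        100200        OtherFltExample Instance   0
OtherFltExample       \Device\HarddiskVolume1                   100200        OtherFltExample Instance   0
"""

if __name__ == '__main__':
    before, after = parse_fltmc_instances(BEFORE), parse_fltmc_instances(AFTER)
    for vol, names in detached_filters(before, after).items():
        print(f'{vol}: detached {sorted(names)}')
    baseline_vols = {i.volume for i in before}
    print('volumes with no AV filter:', sorted(volumes_without_av(after, baseline_vols)))
```

Taking the baseline from the same machine right after the AV product is installed, and re-checking it periodically or after any new driver service appears, gives an answer that does not depend on the AV GUI still reporting "On".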

At last we confirm the inability of the real-time AV filesystem scanner to detect malware copied to disk in real time. We copy three-year-old malware binaries (variants of the Bagle Trojan) from a server we maintain in the labs to this attacked system. Normally they are caught by this AV scanner's real-time protection:

The files are copied to the system's hard drive without any detection, while the Auto-protect feature of the scanner quietly reports its "On" status. The AV solution clearly has been rendered useless and misleads the user into thinking that their drive is protected. This last confirmation in the AV GUI's status page reinforces that this host compromise is unexpected, effective and stealthy: