Friday, November 30, 2007

Spyware Doctor bundle?

This morning we observed a surge in hits from an Armadillo/SoftwarePassport-packed Rbot variant. It looks like this one might be distributed over a P2P network. AV scanner detection appears to be fairly spotty for now:

When we look through the files that come in, we see the work of fairly underground joiners/binders of all sorts: microjoin, minichain, exebind, etc. These tools bind one executable to another file: a small stub is prepended to the original file along with the bot, and the two are glued together into one package. When the unwitting victim runs the bound file, they think they are running one executable when really they are running two.
An interesting example came in this morning: sdsetup.exe. Interesting, because the filename is the same as the PC Tools product installer for Spyware Doctor, and the file's icon appears to be the one PC Tools uses for Spyware Doctor. However, look at the properties that appear when you right-click the file and select "Properties". The file has no digital signature, and its "Description" is "Win32 Cabinet Self Extractor". That is fishy right off the bat: that description belongs to the self-extracting stub that Microsoft's IExpress wizard wraps around a cabinet to build installers, a legitimate tool that, just like the underground binders we see all the time, packages more than one executable into a single file:

Now, below is a genuine installer from PC Tools. Cool icon, huh? You can see the file's properties by right-clicking it again. Notice the "Digital Signatures" tab, the "PC Tools" signer name, and the confirmation that the signature itself is OK. The signing certificate was issued by VeriSign, a certificate authority that verified PC Tools' identity before issuing it, much as a Notary Public's stamp vouches for a signature on a legal document. The VeriSign countersignature on the same tab is a timestamp that records when the file was signed, so the signature stays valid after the certificate itself expires:

Now we run the file that arrived with the odd Description property and no digital signature. BAM! A new executable is created in the system directory and silently executed. This little obfuscated Rbot treat comes with keylogging capabilities and more, and calls home to a computer on a DSL line here in Kansas City in the U.S. The server is down for now, but it appears to be cycling through IP addresses:

Reason to be alarmed? Not really; this technique is used by creeps every day. But there are lessons to be learned here. If you are going to install a product, do not get it from your favorite P2P collection. Instead, go to the source, such as the PC Tools or ThreatFire web site.
And, if you are going to run an executable, check it for a digital signature. It's one more layer of security: a valid signature confirms that the executable came from the named publisher and has not been modified since it was signed (it says nothing about whether that publisher deserves your trust, so the signer name still matters).
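An added example, not code from the original post, that automates the two checks discussed above: whether the file carries an Authenticode signature at all, and whether it carries data appended past the last section (the "overlay", which is where binders, self-extractors and droppers stash the files they later write out). It parses the PE headers with the Python standard library only. The build_sample_pe helper constructs a minimal header-only PE for demonstration; it is not a real program, and the certificate it can attach is a dummy blob.

```python
"""Added example: Authenticode presence and overlay size from a PE's headers.

Not code from the original post. A certificate-table *entry* only proves that
the file claims a signature, not that the signature verifies; use signtool or
PowerShell's Get-AuthenticodeSignature for the actual chain check."""
import struct
import sys

SECURITY_DIR = 4                        # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data: bytes) -> dict:
    """Return section count, Authenticode presence and overlay size for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    # The security directory is special: its "VirtualAddress" is a raw file offset.
    cert_off = cert_size = 0
    if ndirs > SECURITY_DIR:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR)
    cert_type = None
    if cert_size >= 8 and cert_off + cert_size <= len(data):
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE

    # The section table follows the optional header; the overlay starts after the last raw section.
    sect_tbl = opt + opt_size
    end_of_sections = sect_tbl + 40 * nsections
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + 40 * i + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    # The Authenticode blob itself lives in the overlay; don't count it as appended payload.
    overlay = len(data) - end_of_sections
    if cert_size and cert_off >= end_of_sections:
        overlay -= cert_size
    return {
        "sections": nsections,
        "authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "overlay_bytes": max(overlay, 0),
    }


def build_sample_pe(overlay: bytes = b"", fake_cert: bool = False) -> bytes:
    """Constructed minimal PE32 (headers plus one section) for demonstration only.
    fake_cert appends a dummy WIN_CERTIFICATE so the security directory is populated."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 224, 0x200, 0x200
    dirs = [(0, 0)] * 16
    cert = b""
    if fake_cert:
        blob = b"\x30" * 64             # stand-in for the PKCS#7 SignedData, not a real signature
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs[SECURITY_DIR] = (raw_ptr + raw_size + len(overlay), len(cert))
    hdr = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", len(dirs))
    for va, size in dirs:
        hdr += struct.pack("<II", va, size)
    hdr += b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr += b"\0" * (raw_ptr - len(hdr))
    return bytes(hdr) + b"\xCC" * raw_size + overlay + cert


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(parse_pe(f.read()))
```

Run it with the path of the executable as its only argument. A large overlay on a file that does not claim to be a self-extractor is the signature of a binder or dropper; a populated security directory is only a claim, and the chain should be verified with `signtool verify /pa /v` from the Windows SDK or `Get-AuthenticodeSignature` in PowerShell, which also reports the signer subject you see on the Properties dialog. The "Description" string shown there lives in the VERSIONINFO resource, which this example does not parse.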

Wednesday, November 28, 2007

40,000 googled pages, an ineffective link that gets fixed, and tons of system-freezing downloads

We've been tracking the malicious search campaign involving thousands of domains and pages, cited at the Internet Storm Center desk this morning, for some time now. A couple of the sites in China each host approximately 5,000 web pages, each of which incorporates the same link to one malicious JavaScript page targeting Windows users. Other servers around the world have basically the same configuration. ThreatFire users are protected.

It's a pretty complicated attack. When you visit one of these Google results, the malicious server prompts you to download a malicious executable while, at the same time, profiling your system for vulnerabilities and attempting to exploit them. All this effort goes into installing a pile of "rogue security software" that scans your system and tries to intimidate you with fraudulent scan results into purchasing the product, complete with pop-ups for pharmaceuticals sprouting up on the screen.

Yesterday afternoon, we installed their executable manually (shown on the Sunbelt blog as "VideoAccessCodecInstall.exe"). It runs on the user's system and then attempts to connect to a web site and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the "video codec" connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn have been found all over the system (they were not there when we started), and that we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner

So we've been visiting these malicious web sites in the lab, and they prompt you to install a video codec, enticing you to check out the video that is about to play onscreen. But in the background, the page's JavaScript identifies the OS, browser and Java VM version of the visitor and attacks the browser accordingly. Based on this information, it attacks multiple Microsoft vulnerabilities: MS06-014, MS06-006, MS05-001, MS03-011. It can also attack a couple of old Firefox vulnerabilities: first MFSA 2005-50, and if that attack fails on your Firefox browser, it falls back to MS06-006, the Windows Media Player plug-in overflow that is reachable from non-Microsoft browsers such as unpatched versions of Firefox.

Simply put, the best way to deal with this threat is to keep your Windows operating system and its application components updated, keep your system's third-party utilities patched, and maintain effective security products on your system.
We'll keep you updated on the situation.

If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:

If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:

Here is an example of ThreatFire identifying one of the downloaders, running on a lab system:

Tuesday, November 27, 2007

Online games and false positives

Online games have always had problems with cheats, password stealers and bots. Volumes of information have been written on the topic, including Hoglund and McGraw's book "Exploiting Online Games". In response, game developers at studios like Blizzard Entertainment and Amped have developed ways to "govern" the software running on their users' systems, and ways to "harden" their games against reverse engineering attempts. For better or worse, these defenses have turned into somewhat intrusive tools that peek into everything on the system and block RE activity using methods similar to those used by malware writers.

Sometimes these defenses cause problems for the security software industry. You can see from today's VirusTotal signature-based scan results that our Tantra-playing friends in the Philippines might be interrupted by their own game's security software:

These problems cropped up with today's binaries, and have cropped up in the past. In August, AVG was already detecting the "tantrum.exe" component as a virus with its generic packer detections: Regarding Virus "obfustat.iiy" On Wr Ph, Problem Fixed
The problem, in part, for signature-based AV products seems to be the packer. The packer that Amped uses, MoleBox, is polymorphic and makes it difficult for black-, grey- and white-hat reversers to peek into the code behind the tantrum.exe component. Malware writers and distributors have recently used MoleBox for exactly that reason: to evade detection and make their creations harder to reverse engineer. Notice that the screenshot above shows Ikarus detecting the component as "Rbot".

For behavior-based security products, a problem arises when these components, which already share file characteristics with malware we've seen, also behave like malware. For example, this Tantra game component injects itself into operating system processes in the same way as backdoors like Bifrost and other trojans.

For now, it seems these problems will be ongoing. Game developers need to protect their games as best they can, and security software products need to be as sensitive as possible.

Microsoft making IE client-side exploits easier once again

In an interesting move, Microsoft is returning more drive-by exploitation functionality to its Internet Explorer browser:
"Back in April 2006, we made a change to how Internet Explorer handled embedded controls used on some webpages. Some sites required users to “click to activate” before they could interact with the control. Microsoft has now licensed the technologies from Eolas, removing the “click to activate” requirement in Internet Explorer. Because of this, we're removing the “click to activate” behavior from Internet Explorer!"

Very exciting. This change means that malicious web sites delivering drive-by exploits targeting ActiveX controls will once again run in Internet Explorer without any user intervention.

The DailyDave mailing list (run by Dave Aitel, an individual driving the penetration-testing industry with his CANVAS product) pointed this out last night in the recent discussion of the RTSP QuickTime 0day and how CANVAS attacks the vulnerability:
"Dave-
It's not hard to make the exploit work against IE 7, but the user will have to click on the ActiveX (or hit the spacebar) to enable it.

Steve Shockley-
Fixed that for you"

ThreatFire prevents buffer overflow exploits like the QuickTime 0day. A related link can be found here; the same SEH overwrite technique used in Krystian Kloskowski's recent 0day QuickTime exploit is described in that writeup.

Tuesday, November 20, 2007

Bot on the loose -- careful with images

We continue to see lots of triggers from files whose names resemble image files. Be very careful with these sorts of files; here is an example filename that is causing problems in the wild (ITW, that is, on users' systems):
PHOTO3.JPEG-WWW.IMGUPLOAD.COM.

It's nice to see the AV vendors catching up with this worm:

File PUSHBHOST.EXE received on 11.21.2007 03:26:30 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.21.0 2007.11.20 -
AntiVir 7.6.0.34 2007.11.20 TR/Drop.IRC.TKB.15
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.20 Win32:Delf-GNA
AVG 7.5.0.503 2007.11.20 IRC/BackDoor.SdBot3.VOF
BitDefender 7.2 2007.11.21 Trojan.Dropper.IRC.TKB
CAT-QuickHeal 9.00 2007.11.20 Backdoor.SdBot.cib
ClamAV 0.91.2 2007.11.21 -
DrWeb 4.44.0.09170 2007.11.20 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.3.5312 2007.11.20 Win32/Pushbot.AT
Ewido 4.0 2007.11.20 -
FileAdvisor 1 2007.11.21 -
Fortinet 3.14.0.0 2007.11.21 W32/SDBot.CIB!tr.bdr
F-Prot 4.4.2.54 2007.11.21 W32/Sdbot.AEEP
F-Secure 6.70.13030.0 2007.11.21 Backdoor.Win32.SdBot.cib
Ikarus T3.1.1.12 2007.11.21 Backdoor.Win32.Agent.LA
Kaspersky 7.0.0.125 2007.11.21 Backdoor.Win32.SdBot.cib
McAfee 5167 2007.11.20 -
Microsoft 1.3007 2007.11.21 VirTool:Win32/DelfInject.gen!D
NOD32v2 2674 2007.11.21 Win32/IRCBot.AAU
Norman 5.80.02 2007.11.20 W32/Malware.BGLP
Panda 9.0.0.4 2007.11.21 W32/MSNWorm.BB.worm
Prevx1 V2 2007.11.21 MSNLive-Image:Worm-a
Rising 20.19.11.00 2007.11.21 -
Sophos 4.23.0 2007.11.21 -
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.21 -
TheHacker 6.2.9.135 2007.11.20 Backdoor/SdBot.cib
VBA32 3.12.2.5 2007.11.20 -
VirusBuster 4.3.26:9 2007.11.20 -
Webwasher-Gateway 6.0.1 2007.11.21 Trojan.Drop.IRC.TKB.15

Additional information
File size: 63488 bytes
MD5: 1dc5b5977ea11bc63a57c6c464021f3b
SHA1: fd86ab861f8e40943b4e4615d1fc581ae35c404f

You can always scan your files prior to opening them at our ThreatExpert site.

Btw, ThreatFire identifies some variants as Worm.MsnBot, and it prevents the outbound Internet connection, the file copy and the remote thread injection performed by this family.

Quarantine anything you think is an image that behaves in bizarre ways on your system.

Friday, November 16, 2007

Undetected bot activity

We're seeing a pretty dramatic uptick in bot activity today. With all the attention that botnet activity has been getting lately, I thought this stuff was going the way of Ruben Studdard. Anyway, unfortunately, we are also seeing a very low detection rate among the major AV players, with most of the detections from the scanners on VirusTotal coming from somewhat unreliable heuristic-based detections:

File V received on 11.16.2007 21:22:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 HEUR/Crypted
Authentium 4.93.8 2007.11.16 -
Avast 4.7.1074.0 2007.11.15 Win32:IRCBot-CFX
AVG 7.5.0.503 2007.11.16 Obfustat.VTU
BitDefender 7.2 2007.11.16 Packer.Krunchy.B
CAT-QuickHeal 9.00 2007.11.16 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.16 -
DrWeb 4.44.0.09170 2007.11.16 BackDoor.IRC.Sdbot.2056
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5300 2007.11.16 -
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.16 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.16 Virus.Win32.IRCBot.CFX
Kaspersky 7.0.0.125 2007.11.16 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.16 Backdoor:Win32/Poebot.V
NOD32v2 2664 2007.11.16 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.16 Suspicious file
Prevx1 V2 2007.11.16 -
Rising 20.18.40.00 2007.11.16 Trojan.Win32.Agent.vyl
Sophos 4.23.0 2007.11.16 Mal/EncPk-BP
Sunbelt 2.2.907.0 2007.11.16 -
Symantec 10 2007.11.16 -
TheHacker 6.2.9.132 2007.11.16 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 Packed/FRBR
Webwasher-Gateway 6.0.1 2007.11.16 Heuristic.Crypted

This low antivirus detection rate may be due to the use of the kkrunchy packer; the generic "Packed", "Crypted" and "Obfustat" verdicts in the list above are most likely reacting to the packer rather than to the bot inside it.
ThreatFire has been identifying it as "Trojan.CnomBot".
The bots are all reporting back to a server in China. We'll keep you updated.
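As an added example (not part of the original post), here is a small Python triage that reads a VirusTotal listing like the one above and separates named-family detections from generic, heuristic and packer verdicts, which is the distinction drawn above when most "detections" turn out to be heuristics. The sample report embedded in the script is copied from the listing above; the keyword list that decides what counts as generic is this example's own assumption, not a VirusTotal or vendor convention.

```python
"""Added example, not code from the original post: split a VirusTotal text
listing into named-family detections and generic/heuristic/packer verdicts."""
import re

# Sample input: the VirusTotal listing from the post above, copied verbatim.
VT_REPORT = """\
File V received on 11.16.2007 21:22:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 HEUR/Crypted
Authentium 4.93.8 2007.11.16 -
Avast 4.7.1074.0 2007.11.15 Win32:IRCBot-CFX
AVG 7.5.0.503 2007.11.16 Obfustat.VTU
BitDefender 7.2 2007.11.16 Packer.Krunchy.B
CAT-QuickHeal 9.00 2007.11.16 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.16 -
DrWeb 4.44.0.09170 2007.11.16 BackDoor.IRC.Sdbot.2056
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5300 2007.11.16 -
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.16 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.16 Virus.Win32.IRCBot.CFX
Kaspersky 7.0.0.125 2007.11.16 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.16 Backdoor:Win32/Poebot.V
NOD32v2 2664 2007.11.16 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.16 Suspicious file
Prevx1 V2 2007.11.16 -
Rising 20.18.40.00 2007.11.16 Trojan.Win32.Agent.vyl
Sophos 4.23.0 2007.11.16 Mal/EncPk-BP
Sunbelt 2.2.907.0 2007.11.16 -
Symantec 10 2007.11.16 -
TheHacker 6.2.9.132 2007.11.16 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 Packed/FRBR
Webwasher-Gateway 6.0.1 2007.11.16 Heuristic.Crypted
"""

# Assumed keyword list: verdict names that describe packing, obfuscation or a
# heuristic hit rather than a malware family. Tune it for your own vendors.
GENERIC = re.compile(r"heur|suspicious|crypted|pack|obfustat|encpk|generic|\.gen\b|gen!|^mal/", re.I)


def parse_vt(text: str) -> list:
    """Return one dict per engine line: engine, version, updated, result ('' when no detection)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Engine rows carry at least engine, version, update date and a result column.
        if len(parts) < 4 or parts[0] in ("File", "Antivirus"):
            continue
        result = " ".join(parts[3:])         # results such as "Suspicious file" contain spaces
        rows.append({"engine": parts[0], "version": parts[1], "updated": parts[2],
                     "result": "" if result == "-" else result})
    return rows


def is_generic(result: str) -> bool:
    """True when the verdict names a packer or heuristic instead of a family."""
    return bool(GENERIC.search(result))


def summarize(rows: list) -> dict:
    """Count engines, detections, and how many detections actually name a family."""
    detected = [r for r in rows if r["result"]]
    named = [r for r in detected if not is_generic(r["result"])]
    return {
        "engines": len(rows),
        "detected": len(detected),
        "generic": len(detected) - len(named),
        "named": len(named),
        "named_engines": sorted(r["engine"] for r in named),
    }


if __name__ == "__main__":
    print(summarize(parse_vt(VT_REPORT)))
```

On the listing above this reports 13 detections out of 32 engines, of which only 5 name a family (IRCBot/Sdbot/Poebot); the other 8 are packer and heuristic verdicts that would fire on any kkrunchy-packed binary, malicious or not.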

Thursday, November 15, 2007

A tsunami inheritance

Old scams don't go away. The Nigerian 419 scam became a bit more sophisticated not too long ago. In addition to the weepy story of a mysterious, deceased, incredibly wealthy relative who left no will but left behind lots and lots of money, the senders now include a link to news stories from around the globe. Somehow, the link is supposed to add credibility to this anonymous person's claim from South Africa. Here is an example that got through Yahoo!'s spam filter today; notice the link circled in red. This news story happens to be from 2004:

If you receive one of these, delete it.

In our lab, we clicked on the link, and it took us to a legitimate CNN story. See the linked page here:

Aw, come on, doesn't that make it believable?
No. This sort of email is fraudulent. Delete it.

AVKiller making the rounds again

We're hearing more reports of AV-killing bots being spammed in Europe again. Back in September, we posted an analysis of a driver that modifies the file system stack. In plain terms, that means the driver disables most real-time anti-virus scanner functionality (the anti-virus magic that sits as a filter on that stack, scans a file as you copy it to your drive, and immediately identifies it as malicious). Luckily, this time around, eighteen of the thirty-two scanners maintained on VirusTotal detect the portion of this critter that is emailed to users, the downloader (when we first saw the file, detection rates were almost non-existent):

The email message containing the AVKill/rootkit attachment is getting through spam filters this time around. The best advice, if you receive an email with an enticing subject line like "Free Hot Game" or "Free Sports Tracker" and the text of the message is nonsense, is to delete it immediately.

Wednesday, November 14, 2007

Microsoft Security Bulletin MS07-0062?

While there may be some important Microsoft updates, none of them will arrive via email. Write it down. Microsoft does not send out updates via email. Do not click on links related to Microsoft's updates that arrive via email.

There seems to be a new variant of some old mischief being sent out. Remember, Microsoft NEVER sends out updates via email. Do not run any executable sent to you with the subject line "Microsoft Security Bulletin MS07-0062".

If you want to update your Windows system or check for new patches, go to your Start Menu and find the "Microsoft Update" or "Windows Update" shortcut. Or, just go to the Microsoft Update page using Internet Explorer.

Saturday, November 10, 2007

250,000 bots later...

...John Schiefer is pleading guilty to four federal charges related to fraud and wiretapping. Mr. Schiefer is only 26 years old:
Los Angeles hacker to plead guilty to infecting 250,000 computers to steal identities

One of the awful things about this case is that Schiefer was an "information security consultant" (or should we say con artist) for an L.A. company by the name of 3G Communications.
He is pleading guilty to charges based on building a botnet of a quarter million systems, using those bots to steal user identities, and installing adware on those same users' systems.

If true, the bots he deployed scraped various user names and passwords. The software techniques most likely used by bots like these are nothing new at all. Bot source for this type of activity has been in wide circulation for years now. Almost all of it comes with a "pstore.c" file, complete with comments describing the scraping code: "IE AutoComplete", "MSN Explorer Signup", "IE Password-Protected sites". This bot code is written to steal the passwords that Internet Explorer components were designed to save for you in Windows Protected Storage. That storage is only "secure" against other users of the machine: it is encrypted with a key derived from your logon credentials, so any code running in your user context, a bot included, can ask the Protected Storage service to decrypt and hand over every saved entry.

ThreatFire has detected and prevented this sort of malware behavior for a looong time. Any software component that has no business looking through Protected Storage to snag user names and passwords is prevented from doing so.
You also can see an example report of spybot activity here at our Threatexpert site.

Some other techniques for stealing PayPal passwords, found in more current bots, are now being sold as parts of kits as well. Hundreds of thousands of systems at the least were infected this past year by these commodity kits, and the numbers continue to increase.

Interestingly, Mr. Schiefer is from Los Angeles. Maybe he'll spend some time with another California citizen, Jeanson James Ancheta, who received the "longest known sentence for a defendant who spread computer viruses" in May 2006.