Archive for January, 2008

Improving tests and collaboration

Monday, January 21st, 2008

What do you get when you put 40+ AV and software security experts together in a room with testing organizations? It sounds like a bad joke, but it happened for the first couple of days this week in Bilbao, Spain. The event itself has the potential to have a very large positive impact on the state of anti-malware testing overall and the relevance and meaning of test data for all of its consumers — communications between vendors and testers, guidelines for tests, neutrality of the group enforced by academic members, and more.

The world’s largest and smallest software security vendors and testing groups are working together to create this non-profit coalition of vendors, testers and academics. The group will be called the AMTSO, or the Anti-Malware Testing Standards Organization. The overall goal will be for the coalition to take on all challenges related to anti-malware security software testing, improving all aspects of the process. It will be a large task to set up standards, and PC Tools is pleased to take part in this effort.

The event was formative in nature, establishing temporary committees for most of the sessions before breaking off into the beginnings of some discussion and debate over technical matters and details that will come up in future meetings. Dr. Igor Muttik of McAfee’s AVERT Labs posted detailed information on the proceedings, for those interested.

We will keep you updated on this ongoing effort to improve the state of anti-malware security software testing.

Chartreuse pill

Tuesday, January 15th, 2008

Ok, we’re running out of little pill colors to match up with Matrix analogies. But simply put, the red pill and the later blue pill work set out to detect, and then abuse, virtual machines.

Maybe chartreuse isn’t what we’re looking for, maybe it is, but worms we are currently monitoring in the wild are mixing up their own colorful pill recipes. The authors’ intent is to detect and evade research environments: the virtual or sandboxed environments that security researchers have been using to automate malware analysis. We are seeing prevalent worms target VirtualPC, VMWare, and now Anubis for detection and evasion (Anubis is an automated analysis sandbox run by an Austrian security group, somewhat similar in purpose to the very effective ThreatExpert).

Here is an assembly code chunk we extracted from an ITW (in-the-wild) worm. This code is an attempt to detect Anubis by looking for the folder Anubis runs samples from in a path buffer on the stack (the call that fills the buffer is not part of this chunk):
sub esp, 104h ; reserve 104h = 260 = MAX_PATH bytes for the path buffer
lea eax, [esp+0] ; eax = address of that buffer
push ebx ; save ebx
push offset aCInsidetm ; "C:\\InsideTm\\" (str2, the needle)
push eax ; str1 (the path buffer, the haystack)
xor bl, bl ; status (bl) = 0, "not detected" until proven otherwise
call ds:strstr ; strstr(str1, str2): non-NULL means Anubis

The disassembly matches up fairly well with some proposed Anubis-detecting C code recently posted to an underground forum (the worm searches for the full "C:\\InsideTm\\" prefix, the forum code for the folder name alone):
#include <windows.h>
#include <string.h>

char ModulePath[MAX_PATH];
char *p;
GetModuleFileName(NULL, ModulePath, MAX_PATH); /* path of the running executable */
p = strstr(ModulePath, "InsideTm"); /* Anubis runs samples from a folder named InsideTm */
if (p != NULL) return true; /* running under Anubis: bail out */

From some of the code posted recently on the same underground forums, Sandboxie’s turn is coming up next.

The older VMWare detection used in the worm is a different shade from the red pill itself: rather than the SIDT trick of Rutkowska’s red pill, it queries VMWare’s “backdoor” I/O port. With the magic value ‘VMXh’ (564D5868h) in EAX, the get-version command (0Ah) in ECX and the port number ‘VX’ (5658h) in EDX, an IN EAX, DX returns the magic in EBX only when the code is running inside VMWare. One caveat for anyone studying this snippet: on bare metal an IN from user mode raises a privileged-instruction exception, so the check has to sit inside an exception handler; the register saves and handler setup that belong before this chunk are not shown. It looks like a duplicate copy of what is showing up in the current valentine’s day Storm worm variants we are seeing. The code is being used and reused in current malware:
mov eax, 'VMXh' ; VMWare magic number, 564D5868h
mov ebx, 0 ; default: anything but the magic
mov ecx, 0Ah ; backdoor command 0Ah, get VMWare version
mov edx, 'VX' ; backdoor port number, 5658h
in eax, dx ; read port (raises an exception when not under VMWare)
cmp ebx, 'VMXh' ; VMWare echoes the magic back in ebx
setz [ebp+bool_VMWare] ; set VMWare status accordingly
pop ebx ; restore registers saved before this chunk
pop ecx
pop edx
jmp short @@check_vmware

Anyways, the good folks developing Anubis, and any researchers running automated sandbox technology on top of VirtualPC or VMWare, should be aware that these functions are showing up today in prevalent password-stealer-dropping worms that we’ve seen re-released multiple times each day for a couple of weeks now.
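For researchers who want to flag samples carrying these two tricks before they run them, here is an added example (not code from this post, from PC Tools, Anubis, ThreatExpert or VMWare) that scans a byte buffer for the byte encoding of the VMWare backdoor probe shown above (mov eax, ‘VMXh’ followed within a short window by in eax, dx) and for the Anubis “InsideTm” path string. The function names, the search window and the sample bytes are assumptions chosen for the illustration; the sample buffer is constructed from the listings above, not taken from a real worm.

```c
/* Added example: not code from the original post, from PC Tools, Anubis,
 * ThreatExpert or VMware. Scans a buffer for two evasion artifacts: the
 * VMware backdoor probe (mov eax,'VMXh' followed by in eax,dx) and the
 * Anubis "InsideTm" path string. Function names, VMX_WINDOW and the
 * sample bytes are assumptions chosen for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* mov eax, 0x564D5868 ('VMXh'): opcode B8 + little-endian immediate. */
static const unsigned char VMX_MAGIC[] = { 0xB8, 0x68, 0x58, 0x4D, 0x56 };
#define IN_EAX_DX   0xED   /* single-byte encoding of "in eax, dx" */
#define VMX_WINDOW  32     /* assumed: how far past the magic load to look for the IN */

/* Returns the offset of a "mov eax,'VMXh'" that is followed within
 * VMX_WINDOW bytes by an "in eax,dx", or -1 if the buffer has none.
 * Requiring both cuts false positives: the magic alone also occurs as
 * plain data, e.g. in the immediate of "cmp ebx,'VMXh'". */
long find_vmware_backdoor(const unsigned char *buf, size_t len)
{
    size_t i, j, end;
    if (len < sizeof VMX_MAGIC) return -1;
    for (i = 0; i + sizeof VMX_MAGIC <= len; i++) {
        if (memcmp(buf + i, VMX_MAGIC, sizeof VMX_MAGIC) != 0) continue;
        end = i + sizeof VMX_MAGIC + VMX_WINDOW;
        if (end > len) end = len;
        for (j = i + sizeof VMX_MAGIC; j < end; j++)
            if (buf[j] == IN_EAX_DX) return (long)i;
    }
    return -1;
}

/* Case-sensitive search for an ASCII needle in a binary buffer
 * (memmem is not portable, so a plain loop is used). Returns offset or -1. */
long find_ascii(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle), i;
    if (n == 0 || len < n) return -1;
    for (i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return (long)i;
    return -1;
}

#define EVADES_VMWARE 1
#define EVADES_ANUBIS 2

/* Bitmask of which evasion artifacts the buffer contains. */
int evasion_flags(const unsigned char *buf, size_t len)
{
    int flags = 0;
    if (find_vmware_backdoor(buf, len) >= 0) flags |= EVADES_VMWARE;
    if (find_ascii(buf, len, "InsideTm") >= 0) flags |= EVADES_ANUBIS;
    return flags;
}

/* Constructed sample (not bytes from a real worm): 4 bytes of padding, the
 * byte encoding of the VMware probe listed in the post, then the Anubis
 * path string. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90, 0x90, 0x90,              /* nop padding */
    0xB8, 0x68, 0x58, 0x4D, 0x56,        /* mov eax, 'VMXh'   (offset 4) */
    0xBB, 0x00, 0x00, 0x00, 0x00,        /* mov ebx, 0 */
    0xB9, 0x0A, 0x00, 0x00, 0x00,        /* mov ecx, 0Ah */
    0xBA, 0x58, 0x56, 0x00, 0x00,        /* mov edx, 'VX' */
    0xED,                                /* in eax, dx        (offset 24) */
    0x81, 0xFB, 0x68, 0x58, 0x4D, 0x56,  /* cmp ebx, 'VMXh' */
    'C', ':', '\\', 'I', 'n', 's', 'i', 'd', 'e', 'T', 'm', '\\', 0  /* offset 31 */
};

/* Control buffer: the magic value as data only, with no IN instruction. */
static const unsigned char BENIGN[] = { 0xB8, 0x68, 0x58, 0x4D, 0x56, 0xC3 };

int main(void)
{
    printf("sample flags = %d (vmware probe at %ld, InsideTm at %ld)\n",
           evasion_flags(SAMPLE, sizeof SAMPLE),
           find_vmware_backdoor(SAMPLE, sizeof SAMPLE),
           find_ascii(SAMPLE, sizeof SAMPLE, "InsideTm"));
    printf("benign flags = %d\n", evasion_flags(BENIGN, sizeof BENIGN));
    return 0;
}
```

The window check matters: the same 'VMXh' immediate appears in the cmp that follows the IN, so matching on the magic alone would also fire on harmless data; tying it to a nearby IN EAX, DX keeps the match to code that actually talks to the port. A packed or encrypted sample will of course hide both artifacts until it is unpacked, so this belongs on the unpacked image or a memory dump rather than the raw dropper.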

If you attended VB2007 and checked out Sergei’s talk, you’d have seen that ThreatExpert already solves this sort of little pill problem with a goat on a leash.

Storm’s premature invitation

Tuesday, January 15th, 2008

Some things arrive way too early. This time, it’s the Storm worm.

The Storm gang is starting early on the Valentine’s day theme, and we are receiving emails from these affectionate souls, trying to deliver “withlove.exe” and other malicious vday-themed executable names to our systems.

This campaign includes familiar and consistent characteristics. An email will arrive with a cute statement related to the theme, inviting the user to visit a hyperlink containing a bare IP address. The destination web site will attempt to exploit the visitor’s system, and if it can’t, the page provides a download link for the executable.

The authors of this one must be planning on some Valentine’s day Mexican cuisine. We’ve seen it dropping files like “burito.ini” and “burito5e84-1216.sys”, before killing AV products and adding the victim host to its huge botnet.

Last year’s massive Storm outbreak pushed romantic subject lines such as “Sending You My Love” and “You’re the One”. While “With love”, “I Would Dream”, and “Memories of You” aren’t all that much of a change, it’s a small twist. Nicolas Albright made a fairly safe prediction that this upcoming holiday would be the next target:
“The DISOG team is placing bets on the next ruse. I say adult rated material for February 14th (St. Valentines Day).”

I’m sure he’ll have another interesting post about this variant.