Thursday, January 31, 2008

Daily breach reports

For an almost daily fix of forehead-slapping disbelief, head on over to the Breach Blog. We believe that this blog will be a busy one throughout 2008: "Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although, I'm not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a partial view of actual events.)".

This steady stream of sensitive data flowing into other hands continues to raise questions around "Server in the sky" efforts by government intelligence agencies.

The day the data died

Broadband users around the world rarely think about uninterrupted access to online resources, relying on the massive web of cables across the globe. But today Egyptian, Indian and other users of the internet suffered major interruptions to their online activity because an undersea Mediterranean internet cable was severed. The cause of the cut may go unidentified for another week.
Update: Renesys blogged about the countries initially impacted, the ISPs and carriers in the region, a set of five affected countries and their ISPs before and after the event, and a report on how Iran was not taken off the grid altogether. It's a fascinating series for anyone interested in the physical connections of the internet and their relevance to entire regions of the globe.

So how might this event affect decisions and issues around computer security? There isn't a whole lot that behavior-based client-side software can do about a severed submarine cable.
But compare a self-contained client-side solution that does not depend on constant updates against "herd mentality" and update-driven technologies: security technology that is effective against malicious activity without access to an online database has a clear advantage during a regional interruption like this one. Activity in the affected region carries on, including malicious activity. Phone-home solutions are dead in the water, while self-contained solutions keep protecting their clients.

Tuesday, January 29, 2008

Love in the air

Storm keeps falling: its Valentine's Day run started early in January 2008, and users continue to fall for the sweet message of love. Tonight we observed this site serving up malicious love from Flint, Michigan. The usual set of encoded JavaScript exploits accompanies the lacy heart and the "withlove.exe" executable. Do not visit this malicious web site, a slight variation on the Storm site we blogged about earlier this month:


Monday, January 21, 2008

Improving tests and collaboration

What do you get when you put 40+ AV and software security experts together in a room with testing organizations? It sounds like a bad joke, but it happened for the first couple of days this week in Bilbao, Spain. The event itself has the potential to have a very large positive impact on the state of anti-malware testing overall and the relevance and meaning of test data for all of its consumers -- communications between vendors and testers, guidelines for tests, neutrality of the group enforced by academic members, and more.

The world's largest and smallest software security vendors and testing groups are working together to create this non-profit coalition of vendors, testers and academics. The group will be called the AMTSO, or the Anti-Malware Testing Standards Organization. The overall goal will be for the coalition to take on all challenges related to anti-malware security software testing, improving all aspects of the process. It will be a large task to set up standards, and PC Tools is pleased to take part in this effort.

The event was formative in nature, establishing temporary committees for most of the sessions before breaking off into the beginnings of discussion and debate over technical matters and details that will come up in future meetings. Dr. Igor Muttik of McAfee's AVERT Labs posted detailed information on the proceedings, for those interested.

We will keep you updated on this ongoing effort to improve the state of anti-malware security software testing.

Tuesday, January 15, 2008

Chartreuse pill

Ok, we're running out of little pill colors to match up with Matrix analogies. But simply put, the red pill detected whether code was running inside a virtual machine (by reading the IDT base with SIDT, which a VM has to relocate), and the subsequent blue pill work went the other way, using hardware virtualization to slip a hypervisor underneath a running OS.

Maybe chartreuse isn't what we're looking for, maybe it is, but worms we are currently monitoring in the wild are mixing up their own colorful pill recipes. The authors' intent is to detect and evade research environments. These virtual or sandboxed environments are exactly the sort that security researchers use to automate malware analysis. We are seeing prevalent worms target Virtual PC, VMware, and now Anubis for detection and evasion (Anubis is connected with an Austrian security group, and is somewhat similar in purpose to the very effective ThreatExpert).

Here is an assembly code chunk we extracted from an in-the-wild worm. This code is an attempt to detect Anubis by looking for the directory that Anubis runs samples from:
sub esp, 104h                  ; 0x104-byte local buffer (MAX_PATH), presumably filled with the module path earlier (not shown)
lea eax, [esp+0]               ; eax = buffer
push ebx
push offset aCInsidetm         ; "C:\\InsideTm\\" -- Anubis ran samples from this directory
push eax                       ; str1 = buffer
xor bl, bl                     ; status (bl) = 0
call ds:strstr                 ; a non-NULL result means "we are inside Anubis"

The disassembly matches up somewhat with some proposed Anubis-detecting C code posted fairly recently to an underground forum (reproduced here with the missing declaration and headers added so that it compiles):
#include <windows.h>   /* GetModuleFileName, MAX_PATH */
#include <string.h>    /* strstr */
#include <stdbool.h>
char ModulePath[MAX_PATH], *p;
GetModuleFileName(NULL, ModulePath, MAX_PATH);
p = strstr(ModulePath, "InsideTm");   /* Anubis ran samples from C:\InsideTm\ */
if(p != NULL) return true;

From some of the code posted recently on the same underground forums, Sandboxie's turn is coming up next.

The older VMware detection used in the worm is not the red pill technique (which reads the IDT base with SIDT) but the well-known VMware "backdoor" I/O port query. It looks like a verbatim copy of what is showing up in the current Valentine's Day Storm worm variants we are seeing; the code is being used and reused in current malware:
mov eax, 'VMXh'                ; VMware magic number 0x564D5868
mov ebx, 0                     ; default
mov ecx, 0Ah                   ; command 10 = get VMware version
mov edx, 'VX'                  ; backdoor I/O port 0x5658
in eax, dx                     ; read port: VMware answers, real hardware raises #GP for ring-3 code (hence the exception handler such samples wrap around this)
cmp ebx, 'VMXh'                ; VMware echoes the magic back in ebx
setz [ebp+bool_VMWare]         ; set vmware status accordingly
pop ebx
pop ecx
pop edx
jmp short @@check_vmware


Anyway, the good folks developing Anubis, and any researchers running automated sandbox technology on top of Virtual PC or VMware, should be aware that these functions are showing up today in prevalent password-stealer-dropping worms that we have seen re-released multiple times a day for a couple of weeks now.
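
As an added example (written for this post; it is not the worm's code and not ThreatFire's), here is the analyst's side of the same two tricks: a byte-pattern scan that finds the VMware backdoor query by its 'VMXh' constant load, its 'VX' port load and an IN instruction within a short window, and the Anubis check by its "InsideTm" string in ASCII or UTF-16. The window size and the sample buffer are constructed for the example. A lone 'VMXh' constant is reported separately as weak, because the constant on its own also turns up in benign code and data. Outside VMware the IN from ring 3 raises a general protection fault, so real samples wrap the sequence in an exception handler; the scan does not depend on that.

```python
"""Byte-pattern scan for the two sandbox/VM checks quoted above.
Added example, not the worm's code and not ThreatFire's; WINDOW is an
assumption about how close the three VMware instructions sit."""
import re

# mov eax, 564D5868h -> B8 68 58 4D 56   ('VMXh', the VMware backdoor magic)
VMWARE_MAGIC = re.compile(rb"\xB8\x68\x58\x4D\x56")
# mov edx, 5658h -> BA 58 56 00 00, or mov dx, 5658h -> 66 BA 58 56   ('VX', the backdoor port)
VMWARE_PORT = re.compile(rb"\xBA\x58\x56\x00\x00|\x66\xBA\x58\x56")
# in al, dx -> EC ; in eax, dx -> ED   (the actual port read)
IN_DX = re.compile(rb"[\xEC\xED]")
# Anubis ran samples from C:\InsideTm\ ; match the ASCII and UTF-16LE spellings
ANUBIS_PATH = re.compile(rb"InsideTm|I\x00n\x00s\x00i\x00d\x00e\x00T\x00m\x00")
WINDOW = 32  # assumption: magic, port load and IN all fall within this many bytes


def find_vm_checks(buf, window=WINDOW):
    """Return sorted (offset, description) pairs for every evasion pattern in buf.

    A 'VMXh' constant with no port load and IN instruction nearby is reported
    as weak: the constant alone occurs in benign code and in data.
    """
    hits = []
    for m in VMWARE_MAGIC.finditer(buf):
        region = buf[m.start():m.start() + window]
        if VMWARE_PORT.search(region) and IN_DX.search(region):
            hits.append((m.start(), "VMware backdoor query (VMXh/VX/IN)"))
        else:
            hits.append((m.start(), "VMware magic constant only (weak)"))
    for m in ANUBIS_PATH.finditer(buf):
        hits.append((m.start(), "Anubis sandbox path string"))
    return sorted(hits)


# Constructed sample, not bytes from a real worm: the VMware sequence from the
# post, the Anubis path, and a lone 'VMXh' constant with nothing around it.
SAMPLE = (
    b"\x55\x8B\xEC"                 # push ebp; mov ebp, esp
    b"\xB8\x68\x58\x4D\x56"         # mov eax, 'VMXh'
    b"\xBB\x00\x00\x00\x00"         # mov ebx, 0
    b"\xB9\x0A\x00\x00\x00"         # mov ecx, 0Ah
    b"\xBA\x58\x56\x00\x00"         # mov edx, 'VX'
    b"\xED"                         # in eax, dx
    b"\x81\xFB\x68\x58\x4D\x56"     # cmp ebx, 'VMXh'
    + b"\x00" * 40
    + b"C:\\InsideTm\\\x00"
    + b"\x00" * 8
    + b"\xB8\x68\x58\x4D\x56"       # mov eax, 'VMXh' with no IN nearby
    + b"\x00" * 40
)

if __name__ == "__main__":
    for off, what in find_vm_checks(SAMPLE):
        print("0x%04x  %s" % (off, what))
```

Run it as a script to list the hits in the constructed sample; in practice, point it at an unpacked section or a memory dump rather than the raw file, since these worms are packed and the constants only appear after the stub has run.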

If you attended VB2007 and checked out Sergei's talk, you'd have seen that ThreatExpert already solves this sort of little pill problem with a goat on a leash.

Storm's premature invitation

Some things arrive way too early. This time, it's the Storm worm.

The Storm gang is starting early on the Valentine's Day theme, and we are receiving emails from these affectionate souls trying to deliver "withlove.exe" and other malicious Valentine's Day-themed executable names to our systems.

This campaign includes familiar and consistent characteristics. An email arrives with a cute statement related to the theme, inviting the user to visit a hyperlink containing a bare IP address rather than a domain name. The destination web site attempts to exploit the visitor's browser, and if that fails, the page offers a download link for the executable:

The authors of this one must be planning on some Valentine's day Mexican cuisine. We've seen it dropping files like "burito.ini" and "burito5e84-1216.sys", before killing AV products and adding the victim host to its huge botnet.

Last year's massive Storm outbreak pushed romantic subject lines such as "Sending You My Love" and "You're the One". "With love", "I Would Dream" and "Memories of You" aren't all that much of a change, but it's a small twist. Nicolas Albright made a fairly safe prediction that this upcoming holiday would be the next target:
"The DISOG team is placing bets on the next ruse. I say adult rated material for February 14th (St. Valentines Day)."

I'm sure he'll have another interesting post about this variant.

Monday, January 14, 2008

Fake alert for Spyware.CyberLog-X

A new round of the FakeAlert family was released this past weekend, the same family of rogueware components that Alex Eckelberry of Sunbelt has posted about. We are seeing a surge in hits for new components installed as "MultiMedia Software" codecs that result in a barrage of popups identifying "Spyware.CyberLog-X" and "Trojan-Spy.Win32@mx" on the system:

Of course, there was no spyware on these clean lab systems prior to the codec install, and no legitimate video codecs were installed on the machine as a result of running the setup.exe program.


Wednesday, January 9, 2008

Microsoft MS08-001 Reversing

If you are not yet aware, Microsoft pushed out another couple of security updates this month and posted about them in their new "Microsoft Vulnerability Research and Defense" blog. Microsoft started it a couple of weeks ago to provide lower-level technical information about the vulnerabilities they are fixing.
Be sure to install MS08-001 if you haven't already.

The first of the updates, MS08-001, provides reason for caution, because it allows for reliable exploitation. Surprisingly, we have not seen any public exploitation or even a PoC just yet.
You can watch a great four-minute video of MS08-001 patch analysis by the makers of BinDiff, a binary diffing tool used to uncover security fixes (and thus the vulnerabilities behind them) like this one. Grab your popcorn, bring a date, and head on over. I'll ruin the ending for you: of the nine functions changed in the patched tcpip component, they examine one that iterates a list of structures and performs a bad comparison. They even find some overwritable memory that a successful exploit could target!

Tuesday, January 8, 2008

Help.exe still not much of a helper

One of the highest-hitting worms that ThreatFire encountered over the past week is a worm designed to target online game player logins by dropping a password stealer and rootkit components on infected systems. We previously blogged about the help.exe component that drops rkd.dll, amvo0.dll and amvo.exe, and now we observe many more variants that are repacked with some fairly sophisticated packer and code obfuscation technology.

The password stealers themselves are updated on various websites that we have observed moving locations throughout China, repacked for AV and emulation evasion purposes. We also see ongoing server side polymorphism with the dropper.

The executables all display very unusual static PE characteristics. First, the import directory names a single DLL (kernel32) and imports only three of its functions (LoadLibraryA, GetProcAddress, ExitProcess): the bare minimum a packer stub needs in order to resolve the real program's imports itself at run time, which is exactly why a near-empty import table is such a strong packer indicator:

All of the section names are mangled, to further raise our suspicion:

And finally, the resource section is huge and unrecognizable to a simple resource section parser (hint -- it contains more executable code):

Unfortunately, this incessant rate of change results in a low rate of AV scanner detection.
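
Those three traits can be checked straight from the PE header, without a signature for any particular repacked variant. The following is an example added for this post (not ThreatFire code): it parses the section table, data directories and import directory of a PE32 or PE32+ file and flags an import table of at most one DLL and three functions, section names containing non-printable bytes, and a resource directory larger than half the file; the two thresholds are assumptions. The sample file is constructed inline with exactly those traits and is not one of the worm's binaries.

```python
"""PE header triage for the three packer traits above. Added example, not
ThreatFire code; the two thresholds in triage() are assumptions."""
import struct

PRINTABLE = set(range(0x21, 0x7F))  # assumption: any other byte in a section name counts as mangled


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("latin-1")


def parse_pe(data):
    """Return the sections, data directories and imports of a PE32/PE32+ file image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                              # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd_off = opt + (112 if pe32plus else 96)                   # data directory array
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va, "rsize": rsize, "raw": raw})

    def rva2off(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
                return rva - s["va"] + s["raw"]
        raise ValueError("RVA 0x%x maps to no section" % rva)

    imports = {}
    if len(dirs) > 1 and dirs[1][0]:
        desc = rva2off(dirs[1][0])
        fmt, step = ("<Q", 8) if pe32plus else ("<I", 4)
        ordinal_bit = 1 << (63 if pe32plus else 31)
        while True:                                            # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if not (oft or name_rva or ft):
                break
            funcs, t = [], rva2off(oft or ft)
            while True:                                        # thunk array, null-terminated
                v = struct.unpack_from(fmt, data, t)[0]
                if not v:
                    break
                funcs.append("#%d" % (v & 0xFFFF) if v & ordinal_bit
                             else _cstr(data, rva2off(v & 0x7FFFFFFF) + 2))  # +2 skips the hint word
                t += step
            imports[_cstr(data, rva2off(name_rva)).lower()] = funcs
            desc += 20
    return {"sections": sections, "dirs": dirs, "imports": imports}


def triage(data):
    """Return the list of packer traits found in data; empty means none of the three."""
    info = parse_pe(data)
    reasons = []
    nfuncs = sum(len(f) for f in info["imports"].values())
    if len(info["imports"]) <= 1 and nfuncs <= 3:              # assumption: a loader stub's bare minimum
        reasons.append("minimal import table: %s" % info["imports"])
    bad = [s["name"] for s in info["sections"]
           if not s["name"] or any(b not in PRINTABLE for b in s["name"])]
    if bad:
        reasons.append("mangled section names: %r" % (bad,))
    if len(info["dirs"]) > 2 and info["dirs"][2][1] > len(data) // 2:  # assumption: resources > half the file
        reasons.append("resource directory holds %d of %d bytes" % (info["dirs"][2][1], len(data)))
    return reasons


def build_sample():
    """Constructed PE32 file with all three traits; not a real sample."""
    sec1 = bytearray(0x200)                                    # RVA 0x1000: the import table
    sec1[0x00:0x14] = struct.pack("<IIIII", 0x1028, 0, 0, 0x1040, 0x1050)  # one descriptor, then a null one
    thunks = struct.pack("<IIII", 0x1060, 0x1070, 0x1090, 0)
    sec1[0x28:0x38], sec1[0x50:0x60] = thunks, thunks
    sec1[0x40:0x4D] = b"KERNEL32.dll\0"
    for off, fn in ((0x60, b"LoadLibraryA"), (0x70, b"GetProcAddress"), (0x90, b"ExitProcess")):
        sec1[off:off + len(fn) + 3] = b"\0\0" + fn + b"\0"    # hint word + name
    sec2 = b"\x90" * 0xC00                                     # RVA 0x2000: "resources" that are really code
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                      0x10B, 0, 0, 0x200, 0xC00, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0), (0x1000, 40), (0x2000, 0xC00)] + [(0, 0)] * 13   # export, import, resource, ...
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def sect(name, va, size, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, chars)
    hdr = dos + b"PE\0\0" + coff + opt
    hdr += sect(b"\x01\xfe.?\x9f", 0x1000, 0x200, 0x200, 0xE0000060)
    hdr += sect(b"\xff\x8c\x02\x03", 0x2000, 0xC00, 0x400, 0xE0000040)
    return hdr.ljust(0x200, b"\0") + bytes(sec1) + sec2


if __name__ == "__main__":
    for reason in triage(build_sample()):
        print(reason)
```

These are packer indicators, not a malware verdict: a legitimate UPX-packed program has an equally bare import table, so treat a hit as a reason to run the sample in a sandbox rather than as detection on its own. Hostile files also carry section tables that map an RVA to nothing, which parse_pe reports by raising ValueError rather than reading outside the buffer.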

If you are seeing a popup like this one, go ahead and quarantine the thing:


Bootkit binaries in the wild

Yesterday, we were further analyzing an executable that we haven't been seeing all that much of recently, tmpms45.exe. The filename is familiar, as various executables with that name are sometimes delivered by malicious emails or malicious web pages. Most often, we see it as part of a commodity exploit kit (i.e. MPack), where the malicious web site operators simply forgot to change the filename in the scripts of the kit they just purchased.
This time, however, a file delivered with that filename is receiving a lot of attention as the newest piece of malware writing directly to raw disk and the master boot record on Windows XP systems. It may also go by several other names, like mat16.exe, mat17.exe, mat18.exe and so on. The code for the malicious dropper itself is getting attention partly because it is the first in-the-wild malware found to contain a slightly modified version of the "BootRoot" code presented at Black Hat 2005 by eEye researchers.

This malicious dropper executable is being distributed from web sites via a set of exploits: the common Microsoft MDAC (MS06-014) vulnerability, patched in 2006 but still targeted on a daily basis, along with the somewhat more recent VML and XML Core Services vulnerabilities.

Friday, January 4, 2008

More 2008 FBI Botnet Arrests

As predicted in an earlier post, the slow cooker has been heating up. Several years of the FBI's efforts are resulting in more 2008 arrests related to botnets and cybercrime. Eleven people are indicted in this case, involving spam and a "pump and dump" scheme for thinly traded Chinese penny stocks:

"The charges arose after a three-year investigation - led by agents from the Federal Bureau of Investigation, with assistance from the U.S. Postal Inspection Service and the Internal Revenue Service - revealed a sophisticated and extensive spamming operation that, as alleged in the indictment, largely focused on running a stock "pump and dump" scheme, whereby the defendants sent spam touting thinly traded Chinese penny stocks, drove up their stock price, and reaped profits by selling the stock at artificially inflated prices."

The fraudulent spam messages were sent off of zombies around the world. Keep those bots off of your Windows systems.

Eight of those charged are still being sought, including Peter Severa of Russia, one of the longest-running spam operators on the internet. You can see a description of this individual on Spamhaus:
"One of the longest operating criminal spam-lords on the internet. Works with many other Eastern Euro and US based botnet spammers."



Maybe, just maybe, there will be a day when this sort of garbage doesn't show up in my email:
**********************************************************************************
"Add Enerbrite tech to your Radar
Volume spike today, big news expected this week

Symbol: E-T-G-U
Currently : $ 0.0017

Big News is due out this week and trading volume is off the charts.

People are loading up. Read the latest PR and find out what they know.
You'll want to get in on ETGU too.

Dont miss this chance to ride a multibagger.

Add ETGU to your Radar and get in MONDAY before the news gets out.

"There is no real excellence in all this world Which can be separated from right living." David Star Jordan"

**********************************************************************************

Thursday, January 3, 2008

New (delf?)lob or (z?)lob variant

We are seeing a number of hits from binaries served up from Ukraine via web page prompts from domains registered in China and hosted in the U.S. Now that's international.
These sites in Ukraine are linked to by servers all over the world, and serve up "rogueware", or fraudulent adware, similar to the Zlob family. A couple of vendors are assigning it vague family names like "Delflob" or "Delf".
Through a redirected HTTP session, the user sees the standard video codec hoax. Recently this same hoax was coldly used with other shocking news like the Bhutto assassination and the Zoey Zane death, and most likely will continue to be used throughout 2008. This site could have been part of the fake-codecs-on-blogger effort, but because detection is so low it is most likely a new effort, or will become part of one. Notice the "play video" title bar and the instruction "You must download the Video ActiveX Object to play":

Once the user is suckered into clicking on the image to download the adware posing as a legitimate video codec, a file with variations on the name install_video_3913230.exe is served up. If the user runs the installer, thinking it a legitimate codec, it in turn writes out G76-tmp_.exe, which also installs toprates.dll. Toprates.dll claims in its file properties to be a video driver, but it is nothing more than rogueware (also called rogue antispyware): adware making fraudulent and threatening claims that the user's system is infected and in a dangerous state, and that paying up will soon fix it.
ThreatFire users have been seeing prompts regarding the temp file's (%TEMP%\GL76-tmp.exe) adjustments to security settings:

If the user allows the action to occur and then double-clicks "My Computer", or opens an Explorer window another way, they are prompted with an intimidating warning. If the intimidated user clicks "Ok", this adware directs the user's browser to a web site peddling IeDefender, fraudulently claiming that the user's system has been infected by an "unknown trojan" (implicitly something other than this garbage):

Unfortunately, AV detection for the variant has been low since our ThreatFire community started seeing this malware:

Even if one of our ThreatFire users accepted the temp file's attempt to change the system's security settings, TF would prompt a second time on the source of the disingenuous warnings as it tries to intimidate the user with more confusing ads. At this point the user really should quarantine this rogueware. If ThreatFire hasn't seen the specific delivered binary before, it prompts the user:

ThreatFire will be picking these off as a part of the "Zlob" family.

You might notice that this hoax has a lot to do with the very last line of a previous post, quoting an ad from the distributor of these sorts of rogueware installs.

British anti-hacktool guidelines

In yesterday's post, I mentioned that the ChaseNET forums have been shut down. The distribution links for their SharK project and the Bifrost and Poison Ivy RAT (trojan) suites have also been removed. These projects could arguably be described as "Remote Administration Tools".

On Monday, guidelines were published in the UK on applying the provision of the Computer Misuse Act 1990 (added by the Police and Justice Act 2006) that makes it an offence to supply "hacking tools". The ChaseNET projects are a perfect example of the tools this might apply to. While these RATs could be argued to be tools comparable to pcAnywhere or GoToMyPC, they include stealth and information-stealing functionality designed to evade security solutions for effective system compromise, control and theft of sensitive user data. These sorts of tools certainly fit the description of "dual-use" tools, and I suppose the British law was developed with the intent to take down this sort of site.

We'll take a look from a low level technical perspective at some of these RATs' bad behaviors and provide some details in a later post.

Wednesday, January 2, 2008

Notes from the underground II

AV veteran Peter Ferrie of Symantec noticed that the VX scene he has been fighting for so long has been winding down. The scene's virus writers are beginning to post their farewellz and shoutz on the 29A forums and others.

He also points out that the trojan scene has steadily been replacing the activity of vx writers:
"We are striving to put them out of business. Once they're all gone, those Trojans will keep us in business for a long time. Not that we want them, either."

Even those trojan groups are beginning to disappear. The ChaseNET forums, a major international source of "Remote Administration Tool" (RAT for short, otherwise known as "Trojan Horse") activity since 2004, are closing down as well. This shutdown curiously coincides with the FBI arrest of longtime ChaseNET member "Digerati". He faces up to five years in prison and a $250,000 fine if convicted of conspiracy to commit computer fraud, as we posted last year.
While the oldest of the groups might be drying up, unfortunately there are more growing to replace the vxers in different parts of the world. Recently released "zines" from these newer groups publish technically sophisticated source details of password stealing, advanced rootkit techniques, and more. These zines follow the trend away from virus writing for reputation to password-stealer writing for profit. Plug in the slow cooker, because we'll see more "Bot Roast" style arrests in 2008.

Unfortunately, we are also seeing more posts overseas from individuals seeking bot herding partners, looking to install more adware on victims' systems and raise revenues for those involved. This sort of collaboration and malware should also continue throughout 2008, as we have been seeing a high level of this activity at the end of 2007.
Some of the most prevalent malware ThreatFire currently is seeing comes from the Zlob or Popuper families that are distributed in this manner. And here is one of the requests that we are seeing on an overseas forum regarding rogueware installs:
"We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots."


Update: Bot Roast II resulted in another guilty plea. This time from Gregory King, indicted at the same time as "Digerati". His deal includes a two year prison term.