Thursday, May 22, 2008

Seeing double?

What's that? Winifixer! Here are some comments from the web site:
"Statistics approve that virus and trojan attacks damage more than $3 million/hour and the new virus appears each hour. One of them, virus Sasser. A, infected million of computers at the first hours after let out and caused billions damages. It had been corrected within a lot of months."
Scared yet? Or do you just find the wording and explanation a bit odd? Let me see, let's work with those figures. In a day, that's $72 million in damages. In a week, it's half a billion dollars. By the end of the year, that adds up to almost $200 billion.
And it points out that almost EVERYONE's system is infected! WOW! 91% is a big number!

If you haven't read our previous posts, you might not be aware that there are a number of misleading applications being distributed on the web by malicious web site operators. Stuff that we've been calling "Rogueware". Some AV vendors prefix the detections with "not-a-virus: Fraudware", some will call the stuff a "Troj_Renos", some call it a "Misleading Application" and some call it "Rogue Security Software". Some AV vendors have been blogging dramatically about this software and how it was originally distributed, via fake codecs.
Here is the page that offers up the WinIFixerInstaller.exe download for only $99.95:

What? You're not sure if you want to install that one? Well, you can always install something just like it...called the AdvancedXpFixer! It makes the same exaggerated claims as the site mentioned above, and offers up the AdvancedXPFixerInstaller.exe download. Are you seeing double? Maybe!

My favorite part is where they provide links on the "company" page to SecurityFocus articles about developing AV engines and heuristics. That's good stuff.

How might you wind up with these pages or software on your system? As always, patch your system! The software is partly being distributed using a few ugly old drive-by client side exploit tricks to run some downloaders on your system without you knowing it when you browse a malicious web site. Successful exploitation also results in a huge fake alert on your system's desktop wallpaper, telling you about all the malware on your system. The malicious sites also download and execute multiple spam bots and other malware, making your system a major problem and source of spam. Double the fix, er.

Update: while double is interesting, triple is all the more exciting!

Tuesday, May 20, 2008

Year of the Rogueware

Another misleading AV package keeps returning to our lists, modified by its writers and rereleased constantly to minimize AV detection and widen their window of opportunity to mislead users. As previously posted, the themes for this stuff change fairly frequently. But this one, WinSpywareProtect, is like a bad rash that keeps coming back. We find users attempt to run its installer, Install1.exe, and its payload, winspywareprotect.exe, on their ThreatFire community systems far too often.

The web site is fairly convincing. It appears as though the software company has won a number of awards. Any amount of googling, however, will show that these award logos are completely illegitimate:

AV detection is somewhat shoddy for the installer during this window of opportunity:

Careful with what you are installing on your system. As in our previous post linked above, fraud and rogueware are rampant efforts -- social engineering can have a payout.

Keeping strings real - Part II

In part 1 of keeping strings real, strings were chased around in a disassembler to provide insight into the functionality of a piece of malware. Part two investigates the instance where there seem to be no recognizable strings in the target at all.

When doing a quick skim of a malware file (in this case, ldr.exe md5:007571544614a7646e750a51ccaf2e9e), sometimes you encounter data that looks similar to the below image. In this particular instance, it seems that these strings are encrypted.

Encrypted strings make quick analysis very difficult. Fortunately, there are a couple of options for getting past this small road block: the string can be observed as it is passed around between functions, or a debugger can be used to halt execution when the target string data is accessed.

For this sample, the above strings were followed from the initial cross reference to a function that is self contained. It takes arguments, executes some code, and returns. The code has a loop, operates on individual bytes (reads from pointers into register halves), and performs a few additions. Is this a possible candidate for a string decryption? You betcha.

After walking through the function once in a debugger, it becomes obvious that this function decrypts the string into a different buffer. This is an excellent first step, but there is a massive number of strings in this file. It would be less than desirable to execute this function in a debugger and note the result for each and every encrypted string present. There has to be a faster and more elegant way to figure these out. Now what?

Enter Cryptanalysis. This particular function is not very large or complicated, so determining the algorithm used to reveal the strings should not take an unreasonable amount of effort. After determining the algorithm, it is possible to write a program or script to accept the encrypted string data and output the decrypted string.

Below is what the reversed function looks like.

This function accepts what looks like a null-terminated Pascal string. The first byte of the string holds the length (0 to 255), followed by the ciphered string data, then a zero to indicate the end of the string.

The next step is to add the cipher key value to the first encrypted character in the string. This key value starts at 186 (or 0xBA in hexadecimal). On each loop pass, the key is increased by 2 and added to the next character in the string.

For instance, the character 'a' is represented by the number 97 (0x61). To encrypt this initial data based on the algorithm above, we would subtract 186 (0xBA). To decrypt it later, 186 (0xBA) is added to the encrypted data.

The result of this 97 - 186 subtraction is 167 (0xA7). This math looks funny, but it works this way when working with individual bytes and their associated range of 0 to 255 (unsigned).

This behavior is due to the wrap-around effect of 8-bit unsigned arithmetic (an integer overflow). To see this in action on Windows, open calculator (calc.exe), change the view to scientific mode, then change the number system from decimal (Dec) to hexadecimal (Hex), and lastly change the size from "Qword" to "Byte." Now you can type in 61 minus BA and the result is A7 (167).

Keeping the above math in mind, the algorithm can now be re-implemented using IDA's built-in scripting language (IDC). The script will need to be passed the source string data, extract a byte, add the key to the byte, store the result, add 2 to the key, and repeat this process until all bytes in the string have been processed.

The Byte() function will be used to extract the byte from the "address" of the string's beginning found in IDA's disassembler window. The Message() function will display the deciphered byte in the message window, and the PatchByte() function will modify the representation of the byte inside the disassembler window. (Note: PatchByte() can be commented out to prevent the script from actually modifying any data; the script will then simply print the result in the message window.)

The script representation of this algorithm reconstruction is found in the image below, and the idc script itself can be downloaded from our PC Tools ThreatFire forum, where you can log in and scroll down the thread for 186plus2_decipher.zip:

Now it is time for some fun. An encrypted string is selected in IDA for decoding and the script is launched. The result:
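The same "186 plus 2" reconstruction, written here in Python as an added example rather than the IDC script from the post: it decodes one length-prefixed, null-terminated string exactly as the loop above does, and also walks a whole region of back-to-back strings, which the IDC script (one selected string at a time) does not. The sample strings and the encipher() helper are constructed for the demonstration and are not data taken from ldr.exe.

```python
import binascii

KEY_START = 0xBA   # the loop's initial key, 186 decimal
KEY_STEP = 2       # added to the key after every byte


def encipher(plain: bytes) -> bytes:
    """Produce the length-prefixed, null-terminated form the loader stores:
    [len][c0 c1 ... c(len-1)][0x00], with c_i = (p_i - key_i) mod 256
    and key_i = 0xBA + 2*i (mod 256). Used here only to build sample data."""
    if len(plain) > 255:
        raise ValueError("length byte limits a string to 255 bytes")
    out = bytearray([len(plain)])
    key = KEY_START
    for p in plain:
        out.append((p - key) & 0xFF)      # e.g. 0x61 - 0xBA wraps to 0xA7
        key = (key + KEY_STEP) & 0xFF
    out.append(0)
    return bytes(out)


def decipher(buf: bytes) -> bytes:
    """Reverse the loop seen in the disassembly: take the length byte, add
    the running key to each ciphered byte (mod 256), check the terminator."""
    if not buf:
        raise ValueError("empty buffer")
    n = buf[0]
    if len(buf) < n + 2:
        raise ValueError("buffer shorter than its length byte claims")
    if buf[n + 1] != 0:
        raise ValueError("missing null terminator after %d bytes" % n)
    key = KEY_START
    out = bytearray()
    for c in buf[1:1 + n]:
        out.append((c + key) & 0xFF)
        key = (key + KEY_STEP) & 0xFF
    return bytes(out)


def decipher_all(blob: bytes) -> list:
    """Walk a region holding consecutive encrypted strings and decode each
    one, the batch version of selecting strings one at a time in IDA.
    A zero length byte is treated as padding and skipped."""
    results = []
    off = 0
    while off < len(blob):
        n = blob[off]
        if n == 0:
            off += 1
            continue
        results.append(decipher(blob[off:off + n + 2]))
        off += n + 2
    return results


if __name__ == "__main__":
    # Constructed sample data, not strings recovered from the malware.
    blob = encipher(b"LoadLibraryA") + encipher(b"GetProcAddress")
    print(binascii.hexlify(blob).decode())
    for s in decipher_all(blob):
        print(s.decode())
```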

Keeping strings real - Part I

All malware researchers love strings. They allow us to gain valuable insights into the possible behavior of the sample being investigated. Even IT professionals, who do not research malware professionally, can make good use of these clues.

Here's a quick example of strings in a malware disassembly listing:

00403100 Security Troubleshooting.url
00403120 ot.ico
00403128 %s/soft/?c=%1.1d%d%1.1d
00403140 Online Security Guide.url
0040315C ts.ico
00403164 %s/test/?c=%1.1d%d%1.1d
0040317C Online Security Test.url
00403198 *.securemanaging.com
004031B0 *.safetyincludes.com
004031C8 *.securewebinfo.com
004031DC 85.255.117.158
004031EC 88.255.74.197
00403300 195.95.*.*
0040330C 194.187.*.*
00403318 turbocodec.com
00403328 flyvideonetwork.com
0040333C websoft-c.com
0040375C plus-codec.com
0040376C freerealitympegs.com
00403784 inc-codec.com
00403794 user_pref("browser.search.selectedEngine", "Search");
004037D0 user_pref("browser.search.selectedEngine"
00403840 \profiles.ini
00403850 Mozilla\Firefox
00403908 Software\Microsoft\Internet Explorer\New Windows\Allow
00403940 %sVersion\Internet Settings\ZoneMap\EscDomains\%s
004039A8 Domains\%s

Right off the bat, one might guess that there is probably something fishy going on with these domains in relation to Firefox and Internet Explorer settings. A quick Google search on some of these domains yields many results which are seemingly related to malware. If the search result is somewhat ambiguous, a researcher can always plug a string into ThreatExpert to find related malware behavior.

Searching for "securewebinfo.com" on ThreatExpert yields plenty of results. Most of the strings found in this particular sample match up very nicely to the results found, so it is reasonably safe to assume that this sample is probably a variant. However, if the search results were inconclusive, one of the next steps a malware researcher can take is to disassemble the file in IDA Pro.

What is this malware actually doing with those strings? We are glad you asked!

Below is the image of the strings in the disassembler. The following items are shown moving from left to right: the address in memory where the strings reside, the automatic name IDA gave this location, the string data itself, and last but not least, the cross reference (XREFs).

Navigating to one of the cross references changes the view to an array of string pointers as seen in the image below. This array also contains a cross reference, but to a function this time.

The function seen below was labeled "modify_IEXPLORE_SecurityZones" as it was found to call sub-functions which modify the registry associated with Internet Explorer's Security Zones.

The last loop in this function, "AddAllowPopup_loop", executes once for each item in the domain_name_array. Each item in the array will be added to the AllowPopup registry key. The next time Internet Explorer is run, those domains will be allowed to display pop-up windows at will. This code confirms our suspicions of malicious behavior.

Wednesday, May 14, 2008

Peach Fuzz

Another open source fuzzing toolkit update was released today, the "Peach Fuzzing Platform v2.0".
Fuzz. As in Peach. Ha!

Anyways, how does fuzzing affect the security of one's computer? Directly, it does not. Indirectly, it does.

Fuzzing an application or service is the process of feeding it malformed and unexpected input, often in combination with expected input. This process can identify bugs or flaws in software, such as buffer overflows and format string errors. Once these bugs are uncovered, determined individuals may sometimes write code to exploit them. Not all bugs are exploitable.

The easier, more open and popular it is to fuzz applications, the more likely it is that vulnerabilities are found in applications. The vulnerabilities behind the frequent hotfixes and updates that Microsoft releases for their OS and browser software are sometimes found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it, the largest fuzzing project in the history of software development was performed by the Microsoft developers and security teams themselves over the past couple of years on their own compiled code.

The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third party plugins like those from Quicktime and Adobe, most any software.

ImmunitySec and Dave Aitel have been releasing this sort of software for years, with SPIKE, SPIKE proxy, and Sharefuzz.

What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We'd love to hear from you.

Agent again, this time undetected

Several interesting surges in malware activity are showing up today. The most highly propagated that we are seeing is a large increase in the past 24 hours of an old friend that's been labelled "Trojan.Agent". The filename that we are seeing the most of is "wingmmesc.exe", and it continues to run rampant without much in the way of AV detection, including the new and improved engines to detect suspicious obfuscation:

We are investigating its spread and its packing techniques. While the outer layer was packed with UPX, another layer of protection needs to be peeled back, which may explain the low AV detections. In the past, this sort of stuff was spread via emails with "enticing" (often pornographic) messages with links to URLs, like hxxp://aliodsf . com / video.exe. We'll get back with more detail.

Update...It appears to be related to the Sality family, because we're seeing lots of familiar Sality "WINEUJE.EXE" activity related to the downloader, a worm that's run around for a long time now, especially in Asia. It attempts to download .gif files from "kukutrustnet888.info" and "microupdate14.info", both domains that we've seen from this family before. We'll rename this one to a more appropriate Sality label, and more AV detections should begin to pick up, now that we've uploaded it to virustotal for sharing.

Friday, May 9, 2008

Cnet headline needs clarification

I came across another headline that needs some clarification. The Firefox effort doesn't really deserve this one: "Firefox add-on infected with Trojan"

The language pack add-on in particular, vietnamese_language_pack-2.0-fx-win.xpi, was not infected with a trojan. We inspected some of the allegedly "trojanized" files ourselves. The ".xpi" package can simply be renamed to ".zip" and its contents extracted. Then, we extracted vi-VN.jar. Buried deep within the directories, we can find a help directory. There, multiple ".xhtml" files exist. At the very bottom of these files, we find some script code:

< c = "h xx p : / / %6A %73 %2E %6B%30%31%30%32%2E%63%6F%6D/ %30%31%2E%61%73%70">

This statement can be decoded and when viewed, redirects a browser to hxxp://js. k0102. com/ 01. asp

At this point, nothing of a highly damaging nature has occurred. Web pages redirect browsers to ads all the time, for example. This particular web page redirected browsers to some advertisements.
How often might the redirection have occurred? I am not really sure. In my browser, I installed the language pack, but couldn't find a way to display the related help pages with the script code. It seems the distributed files would not have readily affected Firefox users. In any case, it appears not to be virulent.

So how come this script code wasn't detected before it was released? Well, the AV scanners that the Mozilla team was using didn't detect this line of code. It's somewhat surprising that the scanners didn't catch it, considering the viral family that most likely left this line of code and was running on the developer's machine has been in the wild in the Asian region since at least 2006.

Nonetheless, it is never good when any developers are working on infected systems. Release quality comes into question when things like this happen, but this one doesn't seem to be terribly alarming. The group appropriately froze access to the package, removed the dozen or so xhtml files, and re-released the package. All in plain view.

Ongoing targeted attacks during Tibet, Burma controversy and Olympic torch protests

Unfortunately, targeted computer attacks commonly occur. This morning's NPR show exposed such problems in regards to activists and journalists in China. Sadly, not much data is public about these sorts of attacks, and it would be easy to speculate that such attacks are on the rise. Sometimes the groups being attacked do not want members to be exposed or further put into the public light, and sometimes they do not fully understand that they are being attacked. The NPR audio mentioned groups like the Falun Gong, Students for a Free Tibet, Human Rights in China and some China-based foreign journalists. Often, the attackers' identities are more difficult to uncover than in the more entertaining examples we've given in the past. While spoofed sources may seem to be friends or friendly members of organizations, the true source remains in the shadows, hiding behind university or seemingly public IP addresses.

The various code samples used in targeted attacks that we have evaluated to date are not terribly impressive pieces of malware. The trojans and spyware often are delivered over email as embedded data within files of all formats, with enticing names that the recipient would most likely be interested in. For example, the NPR interview mentioned a "resume.doc" file that was delivered to current board members and staff of the targeted Students for a Free Tibet from the spoofed email address of an ex-board member. These Microsoft Word docs, Excel spreadsheets, malicious .chm help files, and PowerPoint slideshows usually are malformed in one way or another to attack vulnerabilities in flawed software on the receiver's side. When opened by outdated software, these maliciously crafted files and the included code drop and run the trojans and spyware embedded in the files on the victim's system.
Most can be prevented by keeping software updated and patched, running security solutions, and as always, security in layers is recommended.

The audio mentions that most AV scanners are often evaded by the software components of these targeted attacks (an unusual admission from a member of the AV industry!). And that trojan builders create nastier rodents in response to the AV companies' better mousetraps.
ThreatFire is different -- our behavioral-based cat is bigger and faster than that little piece of cheese sitting on the wire and wood thing in the attic. Purrs like a kitten too.

Thursday, May 8, 2008

Risk from p2p networks?

Some media attention has been given to the circulation of a number of malicious files found on gnutella networks accessed by LimeWire users. As always, please use caution when participating in these sorts of networks. Anytime files are shared amongst a community of users, there is an increased risk of malware.

Some files were distributed on those networks with a .mp3 or .mpg extension and, instead of video or audio content, contain .asf files, which are scripts that direct the default handler (your web browser) to a specified URL or web site.
Luckily, most users find it suspicious when they expect to play a sound or video file in their media player, and instead receive a web browser prompting them to download and install more software. So they don't run it -- that's probably why McAfee saw a half million .mpg/.mp3 files that contained a link to malicious software, but saw not even 10% of that number resulting in actual downloaded adware on users' desktops.

While it's great that AV scanner detection has caught up with the file extension trickery on the P2P networks, it's unfortunate that the individuals peddling this adware just skip that step and distribute binaries. Setup.exe files archived in "american pie full dvd movie.zip" and many other misleading filenames are floating around the P2P networks with the exact same payload as the downloaders described in the news.

It wouldn't make much sense that an entire "full dvd movie" could be contained in a 94 KB zip file, but some users don't make that connection. Instead of a full DVD, the user gets multiple pieces of adware installed on their system, like Adware.Agent!sd5 and Adware.PlayMP3z.
The old adage follows, "If it seems too good to be true, it probably is."

Antivirus Fraud 2008

2008 continues to live up to the title "The Year of Rogueware". So far this year, bots, worms and viruses, all seem to live in the shadow of this type of activity. Users are actually trying to run this constantly changing stuff on their systems, with AV scanners missing them during their effective window ITW altogether. Rogueware themes are changing, the binaries change, and the websites change somewhat according to thematic content. You can see a lack of scanner detection here.

Accelerated numbers of "AntiVirus2008" software installs are popping up, created by our familiar developer friends in the Ukraine (yes, that is sarcasm), which can be found at "hxxp://www.antivirus-scanner.com". We're seeing installs from a file named "antvrsinstall.exe", which is dropping "antvrs.exe". Here's another fraudulent screenful from its distributors. There are no dangerous files or viruses detected on the system as they state, because the web site isn't really scanning my system:

Quarantine it if you see a popup from ThreatFire warning you of "PuA.Rogueware".

Tuesday, May 6, 2008

AMTSO and CARO Workshop

The AV industry was busy this past week amongst the blooming tulips in Hoofddorp, the Netherlands. Both an AMTSO conference and a CARO workshop were held during the last three days of the week.

A large group of attendees arrived for the Wednesday all-day testing standards meeting, with more journalists in attendance than before. It was encouraging to see, because one of the AMTSO's formative goals has been to invite and include representatives from all parts of the computer security industry. Progress is being made toward a set of testing standards for anti-malware products for everyone involved.

The CARO workshop followed on Thursday and Friday, with presentations focusing on malware obfuscation from the AV industry's perspective (googling "datasecurity event caro" provides a link to the home page). The opening talk by Paul Ducklin from Sophos set the tone for most of the event -- legitimate compressors/packers are acceptable and good (according to a number of individuals in the AV scanner business), while software protection solutions like Themida and SVKP are unacceptable and evil (to a number of individuals in the AV scanner business).
It was interesting that while AV vendors and Ilfak Guilfanov of IDA Pro/Hex Rays spoke and gave presentations over the two days, none of the developers or vendors from Themida or ASProtect (a couple of software protection systems that were referred to in the presentations) were invited or presented their thoughts.

Even at the workshop, it seems that there remains disagreement on how the industry should handle software obfuscation, and there remains a sense that software obfuscation is a major source of problems for the AV industry. Whether it's due to difficulties in emulation, performance issues when unpacking, the complexities of the virtualization packers (where Sophos' Boris Lau showed that a single NOP instruction can easily and inexpensively be translated into over 50 virtual instructions) or simply disagreement over how to identify what is behind software protection, it continues to be a weakness for traditional AV scanners.
Just to give an idea of the volume of difficulties and tricks that researchers have to develop methods to deal with, Peter Ferrie's paper was presented by Mady Marinescu of Microsoft, and in it he enumerated over 50 anti-unpacking tricks commonly seen in packers and often seen in malware.
Presenters also included evaluations of the proportions of malware seen packed by specific packers and various approaches to dealing with them, including blacklisting. It seems that it is easier to include this approach in a scanner than to actually implement an unpacker in a scanner for all the different varieties of packers. Blacklisting is cheap and easy, but is more prone to causing false positives, and decisions to blacklist may often be debatable.
We will see what this turn away from extremely low false positive rates will do to the major advantage that the scanners had over behavioral based solutions.

From the perspective of an individual pushing a behavioral solution that solves for the difficulties that scanners have with obfuscation, it is somewhat easy to be critical of AV scanner products' inability to continue performing with such a low level of false positives and exacting matches in the face of ongoing obfuscation and "server-side polymorphism"/"rapid release" techniques currently used by malware distributors to evade the AV solutions. The complexity and difficulties are high for the guys trying to develop elegant and effective AV solutions to these problems.
We'll see more of this obfuscation topic, but from the "hackers" perspective, when defcon's "Race To Zero" contest is held this fall.