Thursday, November 20, 2008

USB Worms and Government Policy

When federal government systems are hit with malware, the incidents often receive no public reporting. However, the slew of infections from removable-drive-based worms has become so bad on the U.S. Dept of Defense's infrastructure that they've banned USB drives altogether, according to Wired's reporter Noah Shachtman. It's unfortunate that these drives are not being properly scanned, and that scanning them apparently has not been part of the process up to this point.

The military's policy decision is somewhat unsurprising, considering that the Gammima worm that made it onto the International Space Station this past August also spread using the USB autostart technique. Worms have been spreading very effectively with this technique to deliver password-stealing components since early 2007, and it's about time policies clamped down on the slack. Quickly released worm variants that evade anti-virus scanners continue to use the same autostart technique today. Of course, users running ThreatFire have been protected from these AV-evading autostart worms from the moment they installed it.

Update (11/25/2008): The US-CERT posted information about what they are calling two popular "methods". Basically, the post describes removable drive-based infection vectors -- both to the removable drives, when worms copy themselves to the media from an infected system, and from the removable drives, when a worm abusing Windows' autoplay functionality executes itself on the system. Nice to see awareness increasing -- Autoplay can be dangerous!
Scanning removable drives is no longer always a waste of time. In addition to running TF, you can scan your USB drives with your anti-virus scanner on a system with Autoplay disabled. The scanning solutions have, for the most part, caught up with the two-year-old technique.
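As an added illustration of what "abusing Windows' autoplay functionality" looks like on the media itself (this is not code from the original post), here is a small checker that parses an autorun.inf found in the root of a removable drive and flags the directives that would launch a file on insertion. The sample file, the directive list and the extension list are assumptions constructed for the example.

```python
import os
import re

# Directives Windows honours to launch something from autorun.inf
# (assumption: the commonly documented set, not necessarily exhaustive).
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command"}
# Extensions that execute code when launched (assumption: illustrative list).
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|hta)\b", re.I)

# Constructed sample in the style of an autostart worm's dropped file; not a real worm's.
SAMPLE = """[autorun]
; constructed sample
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
shell\\open=Open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
UseAutoPlay=1
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, ignoring junk lines
    (some worms pad the file with garbage to upset naive parsers)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Flag directives that would run a file when the drive is inserted or opened."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS and EXEC_EXT.search(value):
            findings.append(f"{key} launches executable: {value}")
        elif key == "useautoplay" and value == "1":
            findings.append("UseAutoPlay=1 requests automatic execution on insertion")
        elif key == "action" and "open folder" in value.lower():
            findings.append(f"action text imitates Explorer's default prompt: {value}")
    return findings

def scan_drive(root):
    """Assess the autorun.inf at a mounted drive root (e.g. 'E:\\\\'), if present."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        return assess_autorun(fh.read())
```

Run it against a drive root on a machine with Autoplay disabled; a clean vendor autorun.inf that only sets `icon` and `label` produces no findings.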

Wednesday, November 19, 2008

Microsoft Giving Away Live OneCare

Robert Vamosi has a nice writeup on the antivirus market following Microsoft's entrance into it. It's interesting that the massive company, with its marketing prowess along with the advantage of its desktop dominance, still gives anything away for free. But the security space is an unusual one:
'McAfee and Symantec both had something Microsoft did not: effectiveness.

Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated.'

It seems that effectiveness and innovation still matter. While there may be a stripped-down free version of OneCare, the resource-intensive app most likely still will not be picked up by users.
One of their statements has been that there are too many systems out there without security software, so they want to make it free. But that's why Microsoft started the Malicious Software Removal Tool and its updates years ago. Their OneCare project, to this point, failed.

Our free behavioral-based ThreatFire continues to prevent two-year-old Parite variant infections on real users' machines on a regular basis, so we certainly see, and have been meeting, the need to protect users whose systems are otherwise unprotected. And its performance can't be beat.

Monday, November 17, 2008

ATTENTION! If your computer is struck by the spyware, you could suffer

...from all sorts of bad things. We know.

However, you may be seeing this misspelled message, which has changed a little bit over the past few months:
"ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes."

By the spyware? Creahes? Who writes this stuff?

"Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.
Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)"

Please be wary of this sort of scheme through the end of the year. A number of banner ads on very popular web sites have been redirecting users to sites serving up this garbage. This rogueware "Antivirus 2009" ad in particular will redirect your browser to a web site that uses nothing but JavaScript to imitate a common online malware scan of your Windows system. As we've discussed before and at Virus Bulletin (slides in Flash here), this stuff attempts to shock you with a number of malware detections that are not really present on your computer, coercing you into paying for phony AV software. It detects the make-believe "Spyware.IEMonster.b", "Zlob.PornAdvertizer.Xplisit", and "Trojan.Infostealer.Banker.s", made-up names which unsurprisingly do not change.

AMTSO on eWeek

Larry Seltzer posted a fine review of the new AMTSO documents over on eWeek.

It's always great to see the words "I'm really impressed with what I'm reading in these standards." He even goes over the "Best Practices for Dynamic Testing" document, which is relevant to properly evaluating ThreatFire and other behavioral-based anti-malware solutions -- delivering malware to the system in the same way that a user would see it attacking their system. We took a special interest in the details and drafting of the "Dynamic Testing" document at the last Oxford meeting. He understands the issues addressed in the document, including the issues with using virtual machines in testing, and the article finishes with a hint of the reality of the process: "
It's great to see positive interest in the testing standards already. Let's hope that Larry and others at eWeek are interested in becoming a member as well.

Monday, November 10, 2008

Rigged PDF files

PDF malware is being actively distributed. Our user community is seeing a slew of rigged PDF files attacking various buffer overflow vulnerabilities in the Adobe Acrobat Reader software, including the newest publicly known one. Sometimes the user is duped into downloading malicious files that appear to be Microsoft software updates. More often, the files appear to be silent malicious installers.

A couple of the downloaded, packed files appear to carry tricks that continue to evade AV file scanning, with VirusTotal results at 5/36.

For example, a chunk of the standard download-and-execute shellcode that we are currently seeing pulls a file from hxxp://ascoprguide. net/lel / load.php?xpl=pdf, renames it as c:\\U.exe, and runs it on the victim's system. This "U.exe" then runs and installs other adware- and spyware-related components.
Other downloads are installing various Rogueware packages, like the ones we presented at Virus Bulletin 2008.

Be sure to visit the Adobe site and update your Acrobat Reader software.
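The download-and-execute behaviour described above (Reader dropping and launching a file from the drive root) is easy to spot in process-creation telemetry. The following added example, not code from the original post, runs that check over a constructed CSV log; the column names, the reader and expected-child process lists, and the sample rows are assumptions for illustration.

```python
import csv
import io
import ntpath
import re

# Constructed process-creation log (CSV), not real telemetry. Assumption: your EDR or
# Sysmon export can be flattened to time, parent_image, image and command_line columns.
SAMPLE_LOG = """time,parent_image,image,command_line
2008-11-10T09:12:01,C:\\Windows\\explorer.exe,C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe,AcroRd32.exe invoice.pdf
2008-11-10T09:12:04,C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe,C:\\U.exe,C:\\U.exe
2008-11-10T09:12:09,C:\\U.exe,C:\\Windows\\System32\\cmd.exe,cmd /c whoami
2008-11-10T09:13:00,C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe,C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe,AdobeARM.exe
"""

READER_PROCS = {"acrord32.exe", "acrobat.exe"}
# Children a PDF reader is expected to spawn (assumption; tune for your environment).
EXPECTED_CHILDREN = {"acrord32.exe", "adobearm.exe"}

def is_drive_root(path):
    """True for paths like C:\\U.exe that sit directly in a drive root."""
    head, _ = ntpath.split(path)
    return re.fullmatch(r"[A-Za-z]:\\?", head) is not None

def flag_reader_children(log_text):
    """Return (time, image, reason) for suspicious processes spawned by a PDF reader,
    plus anything later spawned by a process already flagged."""
    alerts, tainted = [], set()
    for row in csv.DictReader(io.StringIO(log_text)):
        parent, child = row["parent_image"], row["image"]
        parent_name = ntpath.basename(parent).lower()
        child_name = ntpath.basename(child).lower()
        reasons = []
        if parent_name in READER_PROCS:
            if child_name not in EXPECTED_CHILDREN:
                reasons.append("unexpected child of PDF reader")
            if is_drive_root(child):
                reasons.append("executable launched from drive root")
        if parent.lower() in tainted:
            reasons.append("spawned by previously flagged process")
        if reasons:
            alerts.append((row["time"], child, "; ".join(reasons)))
            tainted.add(child.lower())
    return alerts

if __name__ == "__main__":
    for alert in flag_reader_children(SAMPLE_LOG):
        print(alert)
```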

Wednesday, November 5, 2008

Obama elected U.S. President 44 in a Landslide Victory, but...

any spammed email message claiming to provide a link to information about U.S. culture or foreign policy will quite likely deliver a trojan with rootkit capabilities instead.

In one of the most prevalent social engineering schemes of this half of the year, users clicking on a spammed link are directed to a web page with a phony video. The user's browser then displays a request to update their Adobe Flash version to play the video. This time, the malicious executable's download name is "Adobe_Flash9.exe". Users seem to be enticed into clicking links with the text "Proceed to the election results news page" and then running this file.
As always, avoid interacting with messages and links that seem questionable.

Another interesting Obama-related file just hitting our community this afternoon has been an infected executable containing a copy of President-elect Barack Obama's entire acceptance speech: "obama's presidential speech.exe". This one appears to be run only from a system previously infected with a virus from the family known as "Nakuru" or "Kespo". Symantec's research team calls it W32.Tupofse.B.
The .exe drops the original copy of the .doc file to disk before dropping other viral code, like kspoold.exe. When it runs, the original .doc file is opened and the entire speech appears:
"If there is anyone out there who still doubts that America is a place where all things are possible; who still wonders if the dream of our founders is alive in our time; who still questions the power of our democracy, tonight is your answer..."
Be sure to pay attention to file extensions before double-clicking on files. The virus alters the file's icon so that it appears to be associated with Word, as if it had a .doc extension, but the file only has a .exe extension. Here is an image of the file on a system that does not have Microsoft Word installed (there, the Word icon never appears for .doc files; the WordPad icon should appear by default):