Archive for the ‘Embedded trojan’ Category

Newer Entries »

Greetings

Tuesday, July 8th, 2008

Kill the messenger? In this case, yes.

A round of “hallmark.exe” files are being downloaded and run by some of our community. Some pop images of pleasant scenes like strangely named “xmas.jpg”, which doesn’t look much like xmas anywhere to me:


In the background, however, this hallmark greeting is unpleasantly dropping and installing multiple IRCbot components. It copies out what looks like a common windows system file “spoolsv.exe” to windows\temp\spoolsv, but it really is a common IRC application. Multiple other configuration files are copied out so that the application connects back to the common IRC port 6667 on a number of undernet.org and servebeer.com sites for further instruction.

On its own, the mIRC application provides plenty of legitimate uses. But when packaged up and performing unexpected actions, this app can be severely misused.

As always, stay wary of links that are sent to you via email.

Note: these types of emails are arriving with varying flavors. This one is definitely related to the recent 4th of July “july.exe” IRCbot variants that were sent out and mistakenly associated with the Storm gang by some of the research community.

Posted in Bot, Embedded trojan, Social Engineering | No Comments »

Return of Rustock?

Thursday, July 3rd, 2008

Return is a powerful concept in many ways. In literature, return can touch on the limits of faith, love, loyalty, friendship, fidelity and mortality.

Homer’s Ulysses wanders for years, returning to his home and his family in disarray. Initially, the only witness to recognize Ulysses in his home is his old dog Argus, faithfully waiting for his master’s return over those 20 years: “As soon as he saw Odysseus standing there, he dropped his ears and wagged his tail, but he could not get close up to his master. When Odysseus saw the dog on the other side of the yard, dashed a tear from his eyes…But Argos passed into the darkness of death, now that he had seen his master once more.”

Edward Fitzgerald’s “The Rubaiyat of Omar Khayyam” speculates on the importance of understanding the inability to return:
“Then to the lip of this poor earthen Urn
I lean’d, the Secret of my Life to learn:
And Lip to Lip it mumur’d — “While you live
Drink! — for, once dead, you never shall return”

Unfortunately, in our last round of spambots, we find lots of return. However, these returns do not provide deep insight or wistful second comings. Instead, these returns serve to obfuscate the functionality of the rootkit driver component (”pgasghjd.sys”) that appears to be the newest project of one of the rustock creators:
C:\progz\NewWork2\driver\objfre\i386\driver.pdb

Return is a powerful computing concept, and an important part of any CPU instruction set. The “RET” or “Return from procedure” instruction “transfers control to a return address located on the top of the stack”.
These returns are used in an unusual way in the unpacking stub of the driver, avoiding making standard calls early in the routine. Here is the driver’s entry point.

Notice the push of a hard-coded offset and the immediate return. This unusual sequence of assembly instructions simply pushes a return address to the stack, only to take control when the “ret” or “retn” is executed and control flows to this new offset. This sequence can be used as an effective emulator evasion trick.

These returns do not provide anything all that valuable, instead, these returns help to produce the unwanted spam, clogging global network pipes and peddling “male enhancement” drugs. These are the messages that are crass and vain, including with them a link to a couple of these “drug” peddling web sites. Obscene messages are not reproduced here, but here are a few examples:
“Give your chick a night to remember”
“Make sure you don’t get left out of the action at parties”
“Fantastic results guaranteed”

Some returns come with really bad literature.

Posted in Bot, Embedded trojan, Evasion technique, Obfuscation, Rootkit, Spam, Undetected malware | No Comments »

Oak Ridge visitor db compromised

Thursday, December 13th, 2007

While the Oak Ridge National Lab may be known for high tech research like analytical chemistry, neutron science, and providing technology and expertise to support national and homeland security needs, they also might become known for a recent breach of security at their own premises. Granted, the only data they are reporting as having been compromised is their visitors database. Seriously.

“Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications. When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees’ computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory.”

Targeted attacks like this one are more common than they were a couple of years ago. Be wary of incoming email attachments and hyperlinks.

UPDATE (12.13.2007): Speaking of data breaches and network intrusion, Bruce Schneier has a related post on his blog today about a newly released study. The UC Berkeley Samuelson Law, Technology, & Public Policy Clinic recently completed and released a study on “Security Breach Notification Laws: Views from Chief Security Officers“. It evaluates the profound effects on practices within U.S. companies resulting from the implementation of security breach notification state laws. Great read.

Posted in Embedded trojan, Notification, Security breach, Targeted attack | No Comments »

Newer Entries »