Archive for the ‘Rootkit’ Category
Wednesday, September 24th, 2008
No, it is not a link, it is a file that does not have photos that you are interested in, and will not direct you to jpegs you are interested in on the facebook site. Also making the rounds is “newestpicture0021.jpeg-www.imageshack.com”, and other “imageshack.com” files.
Another worm is propagating with a .com extension, which is actually an executable format on Windows systems. The file, when run, drops a copy of itself to the system32 directory as “symlasvc.exe” or “symlssdr.exe”, and hides its process from monitoring tools with rootkit components. In both cases, it adds itself to the Run key as the “Symantec Administration Service” so that it starts at every boot. Among other activities, it kills a set of tools that may be used to identify its presence on the system, and mangles the hosts file to prevent access to security information, security software and security update sites, including this blog. Here is an example:
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
127.0.0.1 mailcenter.rising.com
127.0.0.1 www.rising.com.cn
127.0.0.1 www.rising.com
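The hosts-file tampering above is easy to check for by hand, and just as easy to script. The following is an added example (not ThreatFire's code or part of the original post) that parses hosts-file text and flags any hostname other than the usual loopback names that has been pinned to a loopback or unspecified address, which is exactly what the worm does to cut off AV update and research sites. The sample hosts content is constructed for the example: it repeats the mappings quoted above and adds a couple of benign entries, including a hypothetical internal host.

```python
import ipaddress

# Constructed sample of a mangled hosts file: the mappings quoted in the post
# plus benign entries. This is example data, not a capture from a real system.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
127.0.0.1 mailcenter.rising.com
127.0.0.1 www.rising.com.cn
127.0.0.1 www.rising.com
192.168.1.10    build-server.corp.example   # hypothetical internal host
"""

# Names that legitimately resolve to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, name) pairs from hosts-file text, ignoring comments and blanks.

    One address line may carry several names; each name is yielded separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, name, reason) for entries that sinkhole a real hostname.

    A non-loopback name mapped to 127.0.0.1, ::1 or 0.0.0.0 is how malware
    blocks security vendors' sites and update servers, so every such mapping
    is reported. Unparseable addresses are reported too rather than skipped.
    """
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if name in LOOPBACK_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((ip, name, "sinkholed to loopback"))
    return hits


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<12} {name:<28} {why}")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the check is deliberately on the text rather than on a fixed blocklist of domains, because the list of blocked sites changes from one worm build to the next while the sinkhole pattern does not.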
ThreatFire currently is preventing these worms as “Worm.Injector”. In the past, we’ve seen similarly effective social engineering schemes:
MSN IM Worm
Surge in IM worm activity — don’t look at that cute puppy
New Undetected Worm
Bot on the loose — careful with images
Please do not run these files when they arrive.
Posted in Embedded trojan, Rootkit, Social Engineering, Worm | No Comments »
Thursday, July 3rd, 2008
Return is a powerful concept in many ways. In literature, return can touch on the limits of faith, love, loyalty, friendship, fidelity and mortality.
Homer’s Ulysses wanders for years, returning to his home and his family in disarray. Initially, the only witness to recognize Ulysses in his home is his old dog Argus, faithfully waiting for his master’s return over those 20 years: “As soon as he saw Odysseus standing there, he dropped his ears and wagged his tail, but he could not get close up to his master. When Odysseus saw the dog on the other side of the yard, he dashed a tear from his eyes…But Argos passed into the darkness of death, now that he had seen his master once more.”
Edward Fitzgerald’s “The Rubaiyat of Omar Khayyam” speculates on the importance of understanding the inability to return: “Then to the lip of this poor earthen Urn I lean’d, the Secret of my Life to learn: And Lip to Lip it murmur’d — ‘While you live Drink! — for, once dead, you never shall return.’”
Unfortunately, in our last round of spambots, we find lots of return. However, these returns do not provide deep insight or wistful second comings. Instead, these returns serve to obfuscate the functionality of the rootkit driver component (“pgasghjd.sys”) that appears to be the newest project of one of the Rustock creators, judging by the debug path left in the binary: C:\progz\NewWork2\driver\objfre\i386\driver.pdb
Return is a powerful computing concept, and an important part of any CPU instruction set. The “RET” or “Return from procedure” instruction “transfers control to a return address located on the top of the stack”. These returns are used in an unusual way in the unpacking stub of the driver, avoiding making standard calls early in the routine. Here is the driver’s entry point.

Notice the push of a hard-coded offset and the immediate return. This unusual sequence of assembly instructions simply pushes an address to the stack, and when the “ret” or “retn” executes it pops that address and control flows to the new offset. The effect is an absolute jump that never uses a jmp or call instruction, so tools that discover code flow by following jmp/call targets, and emulators that do not model the stack faithfully, lose the real control flow. This sequence can be used as an effective emulator evasion trick.
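Because the target of a push/ret pair is just the pushed immediate, the trick is also simple to hunt for in raw code. The following is an added example, not code from the original post or from the ThreatFire tools, that sweeps a byte buffer for `push imm32; ret` and `push imm8; ret` pairs (the 68/6A opcodes followed by C3 or C2) and reports where control would go, assuming a flat 32-bit address space as in an i386 driver. The sample stub bytes are constructed for the example and are not the actual pgasghjd.sys entry point.

```python
import struct

# Opcode facts used below (Intel SDM, 32-bit mode):
#   68 imm32   push imm32
#   6A imm8    push imm8 (sign-extended)
#   C3         ret
#   C2 imm16   ret imm16 (pops imm16 extra bytes after the return address)

# Constructed stand-in for an unpacking stub. Not the real driver's bytes.
#   offset 0 : push 0x00011C40 ; ret            (the push/ret transfer)
#   offset 6 : push ebp ; mov ebp, esp ; call +0 ; pop ebp ; ret  (ordinary prologue)
#   offset 16: push 0x00012000 ; ret 4          (same trick with ret imm16)
SAMPLE_STUB = (
    bytes.fromhex("68401C0100C3")
    + bytes.fromhex("558BECE8000000005DC3")
    + bytes.fromhex("6800200100C20400")
)


def find_push_ret(code, base=0):
    """Return [(offset, target)] for every push-immediate directly followed by ret.

    offset is base plus the position of the push; target is the address the
    ret transfers control to, which is simply the pushed immediate. The sweep
    tests every byte position so a pair hidden inside other instruction bytes
    is still found; that also means a false positive is possible in data, so
    treat hits as leads for a real disassembler, not as proof.
    """
    hits = []
    for i in range(len(code)):
        op = code[i]
        if op == 0x68 and i + 5 < len(code):
            imm = struct.unpack_from("<I", code, i + 1)[0]
            ret_at = i + 5
        elif op == 0x6A and i + 2 < len(code):
            # push imm8 sign-extends to 32 bits before it is pushed.
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            ret_at = i + 2
        else:
            continue
        if code[ret_at] in (0xC3, 0xC2):
            hits.append((base + i, imm))
    return hits


def describe(code, base=0):
    """Human-readable lines for each push/ret transfer found in code."""
    return [
        f"{off:08X}: push {target:#010x} ; ret  -> control flows to {target:#010x}"
        for off, target in find_push_ret(code, base)
    ]


if __name__ == "__main__":
    for line in describe(SAMPLE_STUB, base=0x10000):
        print(line)
```

Run against a dumped driver section with base set to the section's load address, the reported targets are the places a disassembler should be told to start, since it will not get there by following calls.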
These returns do not provide anything all that valuable; instead, these returns help to produce the unwanted spam, clogging global network pipes and peddling “male enhancement” drugs. These are the messages that are crass and vain, including with them a link to a couple of these “drug” peddling web sites. Obscene messages are not reproduced here, but here are a few examples:
“Give your chick a night to remember”
“Make sure you don’t get left out of the action at parties”
“Fantastic results guaranteed”
Some returns come with really bad literature.
Posted in Bot, Embedded trojan, Evasion technique, Obfuscation, Rootkit, Spam, Undetected malware | No Comments »
Tuesday, July 1st, 2008
We’re seeing a new version of the worms that we previously posted info about.
Some slight changes in the newest version: it is circulating with the name “newphoto011.jpeg-www.myspace.com”, which I’m sure will change soon enough. This time, it hides a new process that loads “msnp2pmgr.exe”. The authors keenly call it their “MSN P2P Manager”. It connects back to xili.zerolost.org, hosted at a number of IPs:
64.34.203.207
66.135.32.35
195.137.213.67
195.149.74.40
195.149.74.67
64.34.161.89
64.34.202.227
The authors seem to be getting a bit more aggressive against security solutions, delivering a long list of modifications to the hosts file with their worm that can be seen on this ThreatExpert report (look to the bottom of the report under “The HOSTS file was updated with the following URL-to-IP mappings”). These modifications prevent a user from visiting sites that may describe this worm as malicious, and also block security solutions from downloading signature updates.
AV scanner detection catching up:

Posted in Rootkit, Social Engineering, Undetected malware, Worm | No Comments »