PC Tools’ Kurt Baumgartner presented a survey of Peter Ferrie’s series of papers on anti-unpacking techniques, and how these techniques are and are not implemented within the “worst families” of 2008-2009. Slides here from the Virus Bulletin 2009 slides page. It was exciting to discuss with at least a dozen other researchers the questions and answers we provided about Waledac and its consistent use of Int 0×2e within its packer. We examined other families and specific decryption algorithms implemented by each, and unusual techniques malware writers are using to throw off automated research and file scanners. You can find Peter Ferrie’s “Anti-Unpacker Tricks” Virus Bulletin papers at his web page, under his “International Publications” section.

Righard Zwienenberg presented on the progress AMTSO is making, a group that PC Tools has actively participated in since its start. There was much interest in its activity and some of its current work that we are pleased to take part in driving forward. The upcoming meeting in Prague will bring with it discussion over one of its most controversial papers, “Issues in the Creation of Malware” [for testing purposes], which hopefully will be voted on and released soon. We encourage testers and reviewers to join and actively participant in this group.

Topics of interest included “The real face of Koobface” by Ivan Maclintal, and “Brazil, land of plentiful bankers” from Dmitry Bestuzhev. The Brazilian banker presentation discussed many issues resulting in the thriving banking password stealing efforts and groups in Brazil, and the surprising presence of the Induc virus infecting Bancos password stealers that ThreatFire effectively prevents. Also of interest is the malware working group connecting the AV industry, with Igor Muttik discussing the Industry Connection Security Group’s proposed xml structure and content for sharing samples and information amongst vendors and testers. It’s something we’ll probably exchange thoughts on at the upcoming AMTSO meeting.

In the meantime, Peter Szor’s Virus Bulletin 2008 Conference presentation on the possibility of the true evolution of malcode is a fascinating idea, and must have been a lot of fun to work on, but does not hold a lot of weight. While Peter Szor deserves credit and respect for writing the book on malware in “The Art of Computer Virus Research and Defense”, this presentation didn’t seem to have the same impact. The abstract suggested that an evolution could occur in software code that attacks behavioral based products such that, “As a consequence, we predict behaviour-based virus detection would quickly become ineffective if malware can evolve based on the Darwinian paradigm.” A friend thought that such an occurrence is as likely as a pack of monkeys in front of keyboards eventually typing out Shakespeare. Too true.
Szor’s paper co-author C. Adami provided the academic efforts and study of evolution to back up their thoughts. The open source software Avida that he used to display potential can be found on sourceforge (was developed at the Michigan State Devolab), and creates an extraordinarily dynamic and fascinating evolutionary environment right on your laptop, with the text version looking much like this:

While it is apparent that bypass techniques can be designed against most any software solution, it will continue to require a human to figure out bypass techniques. It is interesting when malware authors write a separate and legitimate looking set of actions into their code for times when it is run in a VMWare environment, or if a debug dll is loaded. But no additional number of monkeys or amount of time will make it probable that randomly mutated software will figure them out in a sequence that will morph into such an evasive danger. Szor provided a couple examples of corrupted infections that their research team has found including macro viruses, and examples of viral payloads piggybacking on worms for crossbreeding, but there really isn’t any evidence that malcode payloads exist containing random mutations resulting in evasion of behavioral based security technologies.

The Yahlover script will continue making the rounds in Vietnam and elsewhere, infecting AV scanner-protected machines. No realistic amount of accidental corruption is going to help it past behavioral based protection, but maybe an unemployed script writing monkey could help.

Chief Threat Officer of our research group Kurt Baumgartner was selected to present a timely last minute technical presentation on Thursday of this week on “Recent rogueware” at Virus Bulletin 2008 in Ottawa, Canada. The presentation will focus mostly on technical aspects of Rogueware currently in the wild including a couple of software packages listed in the complaint, the ridiculous but popular MonaRonaDona hoax, and various methods of delivery.
Regardless of the filings, the threats continue to evolve online and are active today, much like the image above.

One of the topics near and dear to our PC Tools hearts happened to be the focus of Joe Stewart’s presentation on reversing Storm titled “Protocols and Encryption of the Storm Botnet”. It was somewhat of a Virus Bulletin style presentation, but he added a lot of information regarding offensive techniques for joining the Bot network, disrupting it, and details of his findings about the bot network’s communications. It was great stuff.

Also interesting was Jonathan Rom’s talk on implementing a javascript based persistent rootkit. While it was somewhat stealth, I don’t know that it classified as a rootkit. However, the malcode was fairly well hidden in the plain text file he discussed. And while the design flaw that the code is dependent on for functionality has been patched in Firefox 3 and wasn’t as platform dependent as the intro suggested, the idea was well implemented against XP systems in their demo.

Off to another talk on the development and functionality of dns tunneling reverse shellcode.

Maybe chartreuse isn’t what we’re looking for, maybe it is, but worms we are currently monitoring in the wild are mixing up their own colorful pill recipes. The authors’ intent is to detect and evade research environments. These virtual or sandboxed environments are frequently the sort of environments that security researchers have been using to automate malware analysis. We are seeing prevalent worms target VirtualPC, VMWare, and now Anubis for detection and evasion (Anubis is connected with an Austrian security group, somewhat similar in purpose to the very effective ThreatExpert).

Here is an assembly code chunk we extracted from an ITW worm. This code is an attempt to detect Anubis:
sub esp, 104h
lea eax, [esp+0]
push ebx
push offset aCInsidetm ; “C:\\InsideTm\\”
push eax ; str1
xor bl, bl ; status (bl) = 0
call ds:strstr

The disassembly matches up somewhat with some proposed Anubis-detecting c code fairly recently posted to an underground forum:
char ModulePath[MAX_PATH];
GetModuleFileName(NULL, ModulePath, MAX_PATH);
p = strstr(ModulePath, “InsideTm”);
if(p != NULL) return true;

From some of the code posted recently on the same underground forums, Sandboxie’s turn is coming up next.

The older VMWare detection used in the worm is a bit off color from the red pill itself. But it looks like a duplicate copy of what is showing up in the current valentine’s day Storm worm variants we are seeing. The code is being used and reused in current malware:
mov eax, ‘VMXh’ ; VMWare magic number
mov ebx, 0 ; default
mov ecx, 0Ah ; get vmware version command
mov edx, ‘VX’ ; port #
in eax, dx ; read port
cmp ebx, ‘VMXh’ ; check vmware reply
setz [ebp+bool_VMWare] ; set vmware status accordingly
pop ebx
pop ecx
pop edx
jmp short @@check_vmware

Anyways, the good folks developing Anubis, and any researchers running automated sandbox technology on top of VirtualPC or VMWare should be aware that these functions are showing up today in prevalent password stealer dropping worms that we’ve seen rereleased multiple times each day for a couple weeks now.

If you attended VB2007 and checked out Sergei’s talk, you’d have seen that ThreatExpert already solves this sort of little pill problem with a goat on a leash.

Consistent with their past attacks, the executable name is themed as well. We have seen “happynewyear2008.exe”, “happy_2008.exe” located on servers in Poland and multiple sites around the world. But in a small departure from using just unregistered ip addresses, these malware serving web hosts are now registered with cute, related DNS .com domains, like “newyearwithluv” or “hellosanta”. The gang broke another trend and flashy graphics on the sites are not present either.

We are seeing a strong uptick in the number of users actually running these files (happy-2008.exe, happynewyear2008.exe, happy_2008.exe, happy_2008.exe, happynewyear.exe) on their systems. Please exercise caution when visiting links that were sent to you, update all of your system patches at the Microsoft Update site, and if using Quicktime or Firefox, update them as well.

Cheers to secure computing and happy New Year!

PC Tools researchers’ papers were selected for two of the “Last minute technical presentations” this year.
My talented colleague Sergei Shevchenko presented his automated analysis system “Threat Expert”. You can check out the system here.

Slides from the “Storm – Malware 2.0 has arrived” presentation can be found at the Virus Bulletin web site here.
Appropriately enough for such a current and relevant threat, there seemed to be quite of bit of interest in my presentation’s content from other AV vendors and researchers. Thanks to everyone for your comments and feedback following the presentation.
As always, our Threatfire product continues to prevent storm’s behaviors in the wild. If you haven’t already, you can download it for free at the Threatfire website.

A couple of other favorite presentations (that weren’t from Sergei and myself) were Alex Hinchliffe’s paper “Patching. Is it always with the best intentions?” and Roel Schouwenberg’s “Targeted Banker malware on demand“. Very interesting and well researched.
The papers were a part of the conference, and other excellent papers can be found at the virus bulletin. If you haven’t subscribed to the Virus Bulletin, you can find it here.

Sergei will be speaking about the “sting operation” that he’s been working on that is ThreatExpert, a bullet-proof system for identifying threats.
Sergei’s technical presentation abstract
You can check out the ThreatExpert system and its reports here:
http://www.pctools.com/threat-expert/

And I’ll be describing my research of the Storm threat’s behaviors and characteristics over the past nine months, a threat best categorized as “Malware 2.0″ (yes, a complete knock off of O’Reilly’s and Dougherty’s statements on Web v2.0).
O’Reilly — What Is Web 2.0
My technical presentation abstract

Should be a another great conference this year! Hope to see you there.