Archive for the ‘Virus Bulletin’ Category
Wednesday, August 6th, 2008
Black Hat Las Vegas 2008. If the latest DNS exploit research, performed in part by Dan Kaminsky, comes up in casual conversation for you, then these are your people. The ~4,500 nameless researchers and geeks at this conference rush into the Caesar’s Palace event halls to hear about recent software security research and reports. Jeff Moss kicked off the con this morning with a mention that the generous BH sponsors step up to defray rising costs, not to monopolize the discussion as a form of advertising. I’m witnessing that promise realized right now, as Tom Stracener slams one of their very generous sponsors in his presentation. The knowledge is not censored here and flows freely.
One of the topics near and dear to our PC Tools hearts happened to be the focus of Joe Stewart’s presentation on reversing Storm, titled “Protocols and Encryption of the Storm Botnet”. It was somewhat of a Virus Bulletin-style presentation, but he added a lot of information regarding offensive techniques for joining the bot network and disrupting it, along with details of his findings about the botnet’s communications. It was great stuff.
Also interesting was Jonathan Rom’s talk on implementing a JavaScript-based persistent rootkit. While it was somewhat stealthy, I don’t know that it qualifies as a rootkit. However, the malcode was fairly well hidden in the plain text file he discussed. And while the design flaw the code depends on has been patched in Firefox 3, and the technique wasn’t as platform independent as the intro suggested, the idea was well implemented against XP systems in their demo.
Off to another talk on the development and functionality of DNS tunneling reverse shellcode.
Posted in Blackhat, Bot, Reversing, Storm, Virus Bulletin | No Comments »
Tuesday, January 15th, 2008
Ok, we’re running out of little pill colors to match up with Matrix analogies. But simply put, the red pill and the subsequent blue pill work attempted to achieve the goal of detecting and abusing virtual machines.
Maybe chartreuse isn’t what we’re looking for, maybe it is, but worms we are currently monitoring in the wild are mixing up their own colorful pill recipes. The authors’ intent is to detect and evade research environments. These virtual or sandboxed environments are frequently the sort of environments that security researchers have been using to automate malware analysis. We are seeing prevalent worms target Virtual PC, VMware, and now Anubis for detection and evasion (Anubis is an automated analysis sandbox run by an Austrian security group, somewhat similar in purpose to the very effective ThreatExpert).
Here is an assembly code chunk we extracted from an ITW (in-the-wild) worm. This code is an attempt to detect Anubis by searching a path string for the directory Anubis launches samples from:

    sub     esp, 104h
    lea     eax, [esp+0]
    push    ebx
    push    offset aCInsidetm      ; "C:\\InsideTm\\"
    push    eax                    ; str1
    xor     bl, bl                 ; status (bl) = 0
    call    ds:strstr

The disassembly matches up fairly well with some proposed Anubis-detecting C code posted to an underground forum not long ago (the declaration of p is added here; the forum post had only the four lines after it):

    char  ModulePath[MAX_PATH];
    char *p;
    GetModuleFileName(NULL, ModulePath, MAX_PATH);   /* full path of the running executable */
    p = strstr(ModulePath, "InsideTm");              /* Anubis runs samples from C:\InsideTm\ */
    if (p != NULL) return true;                      /* found: we are inside Anubis */
From some of the code posted recently on the same underground forums, Sandboxie’s turn is coming up next.
The older VMware detection used in the worm is a bit off color from the red pill itself. But it looks like a duplicate copy of what is showing up in the current Valentine’s Day Storm worm variants we are seeing. The code is being used and reused in current malware:

    mov     eax, 'VMXh'            ; VMware magic number
    mov     ebx, 0                 ; default
    mov     ecx, 0Ah               ; get VMware version command
    mov     edx, 'VX'              ; port #
    in      eax, dx                ; read port
    cmp     ebx, 'VMXh'            ; check VMware reply
    setz    [ebp+bool_VMWare]      ; set VMware status accordingly
    pop     ebx
    pop     ecx
    pop     edx
    jmp     short @@check_vmware

In any case, the good folks developing Anubis, and any researchers running automated sandbox technology on top of Virtual PC or VMware, should be aware that these functions are showing up today in prevalent password-stealer-dropping worms that we have seen re-released multiple times each day for a couple of weeks now.
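The two checks above, rewritten as a small portable C program so the logic can be exercised on a Linux box. This is an added example written for this page; it is not code from the worm, the forum post, or PC Tools. The constants ('VMXh', port 'VX' = 0x5658, command 0Ah, the InsideTm directory) are the ones visible in the disassembly; the sample paths are constructed, and the signal-handler wrapper around the live probe is my own addition. It is there because the `in` instruction from user mode raises a general protection fault on real hardware, which the worm has to catch (on Windows with an exception frame) and which the disassembly alone does not make obvious.

```c
/* Added example, not from the post or the worm: the Anubis path check and
 * the VMware backdoor check in portable C, with the live probe wrapped in a
 * fault handler so it is safe to run outside VMware. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMWARE_MAGIC        0x564D5868u  /* 'VMXh' */
#define VMWARE_PORT         0x5658u      /* 'VX'   */
#define VMWARE_CMD_VERSION  0x0Au        /* "get version" */

/* Anubis check: the sandbox executes samples from C:\InsideTm\, so the worm
 * runs strstr() over its own module path.  strstr is case sensitive, and the
 * worm's author accepted that; this keeps the same behaviour. */
bool path_marks_anubis(const char *module_path)
{
    return strstr(module_path, "InsideTm") != NULL;
}

/* What the worm does with the backdoor reply: after `in eax, dx` VMware
 * leaves its magic in ebx; real hardware leaves ebx untouched (or faults). */
bool reply_marks_vmware(uint32_t ebx_after_in)
{
    return ebx_after_in == VMWARE_MAGIC;
}

enum probe_result { PROBE_NOT_VMWARE = 0, PROBE_VMWARE = 1, PROBE_UNSUPPORTED = 2 };

#if defined(__i386__) || defined(__x86_64__)
static sigjmp_buf probe_env;

static void probe_fault(int signo)
{
    (void)signo;
    siglongjmp(probe_env, 1);
}

/* Live version of the check.  Outside VMware, `in` from ring 3 raises #GP,
 * delivered as SIGSEGV on Linux; the handler plays the role of the worm's
 * exception frame.  SIGILL/SIGBUS are caught too in case an emulator differs. */
enum probe_result probe_vmware_backdoor(void)
{
    struct sigaction sa, old_segv, old_ill, old_bus;
    uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_CMD_VERSION, edx = VMWARE_PORT;
    enum probe_result res;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL,  &sa, &old_ill);
    sigaction(SIGBUS,  &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx)
                         : : "memory");
        res = reply_marks_vmware(ebx) ? PROBE_VMWARE : PROBE_NOT_VMWARE;
    } else {
        res = PROBE_NOT_VMWARE;   /* faulted: nothing answers on the backdoor port */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL,  &old_ill, NULL);
    sigaction(SIGBUS,  &old_bus, NULL);
    return res;
}
#else
enum probe_result probe_vmware_backdoor(void)
{
    return PROBE_UNSUPPORTED;   /* the backdoor is an x86 I/O-port convention */
}
#endif

int main(void)
{
    /* constructed sample paths, not taken from any real sandbox run */
    const char *paths[] = { "C:\\InsideTm\\sample.exe", "C:\\Users\\bob\\happy_2008.exe" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-32s anubis=%d\n", paths[i], path_marks_anubis(paths[i]));
    printf("vmware backdoor probe: %d\n", probe_vmware_backdoor());
    return 0;
}
```

Run it on bare metal and the probe reports 0 after the fault is caught; inside a VMware guest it reports 1. The path check is the easy one to defeat from the sandbox side (launch samples from a path that does not contain the sandbox's name); the backdoor check is harder, since the port exists as long as VMware's guest tools channel is enabled.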
If you attended VB2007 and checked out Sergei’s talk, you’d have seen that ThreatExpert already solves this sort of little pill problem with a goat on a leash.
Posted in Evasion technique, Virus Bulletin, Worm | No Comments »
Monday, December 31st, 2007
What a generous way to bring in the new year. The Storm/Peacomm gang, the same group whose activities we presented at VB2007 and posted about previously, has not disappeared. The holidays brought a round of Christmas-themed spam, complete with a simple link to nginx servers and the promise of a friendly Christmas-related message. In the past couple of days, they have turned towards a new year theme: “Happy New Year! Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!”
Consistent with their past attacks, the executable name is themed as well. We have seen “happynewyear2008.exe” and “happy_2008.exe” located on servers in Poland and multiple sites around the world. But in a small departure from using bare, unregistered IP addresses, these malware-serving web hosts are now registered with cute, related .com domains, like “newyearwithluv” or “hellosanta”. The gang broke another trend as well: the flashy graphics are absent from these sites.
We are seeing a strong uptick in the number of users actually running these files (happy-2008.exe, happynewyear2008.exe, happy_2008.exe, happynewyear.exe) on their systems. Please exercise caution when visiting links that were sent to you, install all of your system patches from the Microsoft Update site, and if you use QuickTime or Firefox, update them as well.
Cheers to secure computing and happy New Year!
Posted in Exploit, Social Engineering, Storm, Virus Bulletin, Vulnerability | No Comments »