Showing posts with label Undetected malware. Show all posts

Tuesday, July 15, 2008

QQ Updates on Dns Port over Http?

Usually, port 53 is used for DNS queries and transactions over both tcp and udp, while http GET request traffic is handled over tcp 80 or 8080 (or ssl encrypted over 443).

Instead, we are currently seeing an unusual set of files, often named "qq_updates.cab", that are being renamed and run on a fairly high number of user systems (they are not cab files; they are malicious executables). They query http servers hosted in China over tcp port 53 for gif files (1.gif, 2.gif, 3.gif, B.gif, c.gif, etc). These queries are neither the standard dns lookups a network admin would expect on that port nor standard http requests for image files.

The responses to these gif requests are either location information and directions to download more spyware executables, or additional spyware executables themselves, designed to steal user names and passwords for multiple gaming applications. Some of the writers are becoming more clever and using encoded data over that port as well. Prevalence is high, and network admins may want to monitor dns ports for unusual http traffic: requests for .gif files whose responses carry nothing but executable content.
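As an added illustration (not code from the original post), here is a heuristic that separates real DNS-over-TCP segments on port 53 from the HTTP requests and executable "gif" responses described above; the three sample segments are constructed, and the 203.0.113.10 host is a placeholder.

```python
# Added example: classify a TCP/53 payload as DNS, HTTP, or HTTP carrying
# an executable. DNS over TCP starts with a 2-byte length prefix followed
# by a 12-byte header; HTTP on that port is the anomaly the post describes.
import re
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

def looks_like_dns_tcp(payload: bytes) -> bool:
    """True if payload parses as a DNS-over-TCP message (length prefix + header)."""
    if len(payload) < 14:
        return False
    (msg_len,) = struct.unpack("!H", payload[:2])
    if msg_len != len(payload) - 2:
        return False
    flags = struct.unpack("!H", payload[4:6])[0]
    opcode = (flags >> 11) & 0xF
    return opcode <= 5  # standard opcodes; anything else is not normal DNS

def classify_port53_payload(payload: bytes) -> str:
    """Return a label for one TCP/53 segment captured off the wire."""
    if looks_like_dns_tcp(payload):
        return "dns"
    if payload.startswith(HTTP_METHODS):
        m = re.match(rb"[A-Z]+ (\S+) HTTP/1\.[01]\r\n", payload)
        path = m.group(1) if m else b""
        if path.lower().endswith(b".gif"):
            return "http-request-gif"      # the 1.gif / B.gif style requests
        return "http-request"
    if payload.startswith(b"HTTP/1."):
        header_end = payload.find(b"\r\n\r\n")
        body = payload[header_end + 4:] if header_end != -1 else b""
        if body.startswith(b"MZ"):
            return "http-response-executable"  # PE image served as a "gif"
        if body.startswith(b"GIF8"):
            return "http-response-gif"
        return "http-response"
    return "unknown"

# Constructed sample segments (not real captures).
SAMPLE_DNS = struct.pack("!H", 12 + 5) + b"\x12\x34\x01\x00" + b"\x00" * 8 + b"\x00" * 5
SAMPLE_REQ = b"GET /1.gif HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
SAMPLE_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
               b"MZ\x90\x00" + b"\x00" * 60)

if __name__ == "__main__":
    for name, seg in (("dns", SAMPLE_DNS), ("req", SAMPLE_REQ), ("resp", SAMPLE_RESP)):
        print(name, classify_port53_payload(seg))
```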

Thursday, July 3, 2008

Return of Rustock?

Return is a powerful concept in many ways. In literature, return can touch on the limits of faith, love, loyalty, friendship, fidelity and mortality.

Homer's Ulysses wanders for years, returning to his home and his family in disarray. Initially, the only witness to recognize Ulysses in his home is his old dog Argus, faithfully waiting for his master's return over those 20 years: "As soon as he saw Odysseus standing there, he dropped his ears and wagged his tail, but he could not get close up to his master. When Odysseus saw the dog on the other side of the yard, dashed a tear from his eyes...But Argos passed into the darkness of death, now that he had seen his master once more."

Edward Fitzgerald's "The Rubaiyat of Omar Khayyam" speculates on the importance of understanding the inability to return:
"Then to the lip of this poor earthen Urn
I lean'd, the Secret of my Life to learn:
And Lip to Lip it murmur'd -- "While you live
Drink! -- for, once dead, you never shall return"

Unfortunately, in our last round of spambots, we find lots of return. However, these returns do not provide deep insight or wistful second comings. Instead, these returns serve to obfuscate the functionality of the rootkit driver component ("pgasghjd.sys") that appears to be the newest project of one of the rustock creators:
C:\progz\NewWork2\driver\objfre\i386\driver.pdb

Return is a powerful computing concept, and an important part of any CPU instruction set. The "RET" or "Return from procedure" instruction "transfers control to a return address located on the top of the stack".
These returns are used in an unusual way in the unpacking stub of the driver, avoiding making standard calls early in the routine. Here is the driver's entry point.



Notice the push of a hard-coded offset followed immediately by a return. This unusual sequence pushes an address onto the stack so that the "ret" (or "retn") pops it and transfers control to that new offset, without a call or jump ever appearing in the code. This sequence can be used as an effective emulator evasion trick.
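For analysts who want to flag this pattern in a binary, here is an added scanner (not code from the original post) that walks a buffer for "push imm32" followed by "ret"/"retn" and reports whether the pushed target lands inside the image; the byte sample and the image base are constructed.

```python
# Added example: locate "push imm32 ; ret" (68 xx xx xx xx C3, or C2 xx xx
# for "retn imm16") sequences, the emulator-evasion pattern described above.
# A linear byte scan ignores instruction boundaries, so treat hits as leads,
# not proof, and confirm them in a disassembler.
import struct

def find_push_ret(code: bytes, image_base: int, image_size: int):
    """Return (offset, pushed_target, target_inside_image) for each hit."""
    hits = []
    i = 0
    while i + 5 < len(code):
        if code[i] == 0x68:                      # push imm32
            nxt = code[i + 5]
            is_ret = nxt == 0xC3                  # ret
            is_retn = nxt == 0xC2 and i + 7 < len(code)  # retn imm16
            if is_ret or is_retn:
                target = struct.unpack_from("<I", code, i + 1)[0]
                inside = image_base <= target < image_base + image_size
                hits.append((i, target, inside))
        i += 1
    return hits

# Constructed sample: a hot-patchable prologue, then push 0x00011040 ; ret ; nop.
SAMPLE_CODE = b"\x8b\xff\x55\x8b\xec\x68\x40\x10\x01\x00\xc3\x90\x90"
SAMPLE_IMAGE_BASE = 0x10000   # hypothetical
SAMPLE_IMAGE_SIZE = 0x5000    # hypothetical

if __name__ == "__main__":
    for off, target, inside in find_push_ret(SAMPLE_CODE, SAMPLE_IMAGE_BASE, SAMPLE_IMAGE_SIZE):
        print(f"push/ret at +{off:#x} -> {target:#010x} ({'inside' if inside else 'outside'} image)")
```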

These returns do not provide anything all that valuable; instead, they help to produce the unwanted spam that clogs global network pipes and peddles "male enhancement" drugs. The messages are crass and vain, and each carries a link to a couple of these "drug" peddling web sites. Obscene messages are not reproduced here, but here are a few examples:
"Give your chick a night to remember"
"Make sure you don't get left out of the action at parties"
"Fantastic results guaranteed"

Some returns come with really bad literature.

Tuesday, July 1, 2008

New Undetected Worm

We're seeing a new version of the worms we previously posted about.

Some slight changes in the newest version: it circulates under the name "newphoto011.jpeg-www.myspace.com", which I'm sure will change soon enough. This time, it hides a new process that loads "msnp2pmgr.exe"; the authors keenly call it their "MSN P2P Manager". It connects back to xili.zerolost.org, hosted at a number of IPs: 64.34.203.207, 66.135.32.35, 195.137.213.67, 195.149.74.40, 195.149.74.67, 64.34.161.89, 64.34.202.227.


The authors seem to be getting a bit more aggressive against security solutions, delivering with their worm a long list of modifications to the hosts file, which can be seen on this ThreatExpert report (look to the bottom of the report under "The HOSTS file was updated with the following URL-to-IP mappings"). These modifications prevent a user from visiting sites that may describe this worm as malicious, and also block security solutions from downloading signature updates.
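As an added example (not code from the original post), here is a small checker that parses a hosts file and flags entries pinning security-vendor or update domains to any address, the technique described above; the watch list and the sample hosts file are constructed, and a real deployment would substitute the domains it cares about.

```python
# Added example: audit a Windows hosts file for redirected security domains.
# Both the watch list and SAMPLE_HOSTS are hypothetical, constructed inputs.
import ipaddress

WATCHED_SUFFIXES = ("threatexpert.com", "virustotal.com", "symantec.com",
                    "mcafee.com", "update.microsoft.com", "pctools.com")

def parse_hosts(text: str):
    """Return (ip, hostname, line_no) tuples, skipping comments and blank lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # also rejects malformed lines
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((str(ip), host.lower(), n))
    return entries

def suspicious_hosts_entries(text: str):
    """Entries that map a watched domain anywhere (loopback or a foreign IP)."""
    hits = []
    for ip, host, n in parse_hosts(text):
        if host == "localhost":
            continue
        if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            hits.append((n, host, ip))
    return hits

# Constructed sample file: two vendor sites sent to loopback, one update
# host redirected to an arbitrary address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.threatexpert.com
127.0.0.1       www.virustotal.com
10.0.0.5        liveupdate.symantec.com  # constructed: redirected elsewhere
"""

if __name__ == "__main__":
    for line_no, host, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

On a live system, read C:\Windows\System32\drivers\etc\hosts and pass its contents to suspicious_hosts_entries.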


AV scanner detection catching up:

Tuesday, June 24, 2008

Myopic Vision

Mary Landesman nailed it with a couple of posts on her about.com "Antivirus Software Blog", when she commented on the numbers games that AV vendors play when attempting to inflate their credibility in the eyes of consumers and corporate decision-makers. Her comments relate to both the numbers themselves and Microsoft's underlying MSRT tool's effectiveness.
I recommend checking out her blog.

Her first post, "Tunnel Vision", criticized Microsoft's claims of insight into the volumes of malware actually running on user systems. She points out that Microsoft asserts '"Zlob is among the most common type of Trojan downloaded onto Windows machines." The assertion was based on data collected by Microsoft's Malicious Software Removal Tool (MSRT). But the MSRT is only programmed to see 111 (as of today's date) malware families.'
Microsoft frequently implies grand claims of its own strong perspective into (here comes my oh-so-favorite marketing term) the "malware landscape", based on the reported findings of this MSRT tool, simply because it runs on 400 million systems. She disputes their ability to make these MSRT-based claims with her own estimates of the tool's effectiveness:
'In other words, Zlob is not "among the most common type of Trojan downloaded onto Windows machines". Instead, Zlob is among the most common malware detected by the MSRT, which currently detects only about 5% of active malware families.'

On yesterday's "The Numbers Behind Detection", she updates that number by extrapolating numbers from a recent straightforward, informative and respectable post from McAfee, humorously shouting "and I say we are detecting between 400,000 and 10,000,000 malware!":
'That makes my comments in Tunnel Vision even more pertinent as it effectively drops the MSRT detection percentage from 5% of all families to .03%.'
Tunnel vision? The MSRT tool may be very beneficial to the Windows community at large, but the sight that tool provides is more myopic than anything. Put some glasses on it and send it to class!

On a daily basis, the ThreatFire community provides us with some insight into not only what malware users really are running on their desktops (and not just showing up in their inbox, a P2P directory, or downloaded and not run), but also the unfortunate volumes of malware that go undetected by AV scanners when first released into the wild. Even time-worn and sophisticated scanners developed by talented groups have a difficult time detecting and keeping up with the volumes, the changing nature, and the evasive techniques of today's "cash is king" malware while not bogging down users' systems. For these burdened groups, it is often difficult even to classify these changing samples properly. Keeping on top of those volumes well enough to make sweeping claims about percentages takes a keen vision indeed.

Fakealert Variant

Another Fakealert variant is affecting our user base.



Passing itself off as the usual "mediatubecodec_ver1.1277.0.exe" (do not run this file -- it really does not deliver useful codec components for playing videos), this downloader connects back to hxxp://xpantivirussecurity.com, and drops files like "1.exe" that deliver scary popups to alarm our users with false malware detections in an effort to coerce them into paying for a product that they don't need. Unfortunately, detection has been spotty, with some heuristics performing effectively.


Monday, June 23, 2008

Removal Tool? No.

A little-detected "tool" is downloading and executing bots. A version of "driveguard.exe", with promises of cleaning up your system from infections and keeping it clean, is worming its way onto machines and downloading strains of Poison Ivy as "WinSecSys.exe", a bot capable of stealing screenshots and keystrokes, spreading to other machines, etc. We wrote about these "RAT" tools and the characters behind them in previous posts; some of those characters have since been sentenced to prison terms. TF detects it as a worm.

Friday, June 20, 2008

Rustock Crackz

Last Thursday's post commented on malware commonly bundled with crackz. A large number of users are running files that appear to be distributed from a number of crack sites. We will not publish those domains on this post.

The filename bundles carry a common theme for a downloader that delivers more than a user would expect. Crack.exe, keygen.exe, patch.exe and install.exe have been bundled within phony cracks and released to a number of sites. They contain trojan downloaders, among other things, pulling down and executing spambot variants and many other malware executables, including our old friend Vundo. Here are just a handful of the bundle names that we've been seeing:
Microsoft_Office_Professional_Plus_2007.txt.exe
WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE
popcapzumadeluxe!v1.0crack.zip.exe
COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE
MAGICISO_V3.5_BUILD_0064.ZIP.EXE
WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE
nero_8.2.8.0_serial.txt.exe
DYNOMITE_DELUXE_V2.71.ZIP.EXE
WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE
osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe
SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE
ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE

Notice the clever(?) use of the double file extension, ending in .zip.exe or .txt.exe. DO NOT download and run these files.

In our labs, we find that running these files results in a ridiculous attack. The volume of malware that ends up running on the system is so large that the system becomes entirely unusable. We haven't seen an attack quite so bad since the 2nd-thought.com site was taken down.

One of the components infects services.exe on the system (often named "axer.exe"), and drops rootkit and spambot components (surprisingly, we see a consistent driver filename "pqasghjd.sys"), sending out waves of spam from this system process. The kernel level driver component hooks SSDT entries NtCreateKey, NtOpenKey and NtTerminateProcess, in an attempt to hide registry keys and prevent termination of the malware's user-mode processes. It also attaches to the Ntfs file system driver, in order to obscure access to its presence on-disk.

The spambot components download updated lists of user accounts and available smtp servers over http, and then peddle rather "adult" themes in outgoing messages. All of the messages include a link to phony "personal growth" pills for men. Here are a couple of "mentionable" subject lines, crafted just to get a small percentage of users to actually open the message:
"Life will get better with this"
"Wanna know why she's hot"
"Jessica Alba bikini pics"
"All the love you need"
"Scarlett Johansson and Justin Timberlake spotted together"
"Get ready for a stunning improvement to your love life"
"Scarlett Johansson and Tom Brady spotted in Mexico"

Thursday, June 19, 2008

Beijing Video

Another round of Storm spam is now unscrupulously offering video footage of "details of this terrible disaster", with a link to "beijing.exe". We are seeing a low percentage of users receiving this payload so far, mostly in Dubai, falling for the message:

"A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either "Open" or "Run"."

Do not visit the website:


Of course, instead of a link to a video, the code behind the "mov.gif" image of a video object directs the user to download "beijing.exe", seen as "beijing[1].exe" on TF users' systems. When run, this executable drops and starts "msvupdater.exe" in the windows directory on the system. The msvupdater component carries with it the familiar P2P code that Storm uses, and attempts to send out email from the system.

Hidden away in the last line of html source is a tiny iframe linking to "ind.php", as seen here:
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute">

This php file contains quite a bit of obfuscated javascript. After dissecting the script, we find that it is attacking an older NCTAudioFile2 ActiveX vulnerability, the more recent RealPlayer vulnerability, an older BaiduBar Soba vuln, and a couple of ancient setSlice and WebFolderView vulnerabilities. Basically, these guys have a newer commodity attack kit with some new obfuscation features.
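As an added example (not code from the original post), here is a standard-library scanner that pulls hidden or 1x1 iframes like the "ind.php" one above out of a saved page; the sample HTML is constructed to mirror the description, not copied from the actual lure page.

```python
# Added example: find iframes that are 1x1 or styled invisible, the
# injection pattern shown above, using only html.parser from the stdlib.
from html.parser import HTMLParser

def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    digits = value.strip().rstrip("px")
    return digits.isdigit() and int(digits) <= 1

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []          # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden")
        if reasons:
            self.hits.append((a.get("src", ""), reasons))

def find_hidden_iframes(html: str):
    """Return (src, reasons) for every iframe that is tiny or hidden."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.hits

# Constructed sample page: a fake video link plus the hidden iframe, and one
# ordinary embedded player that should not be flagged.
SAMPLE_HTML = """<html><body>
<a href="beijing.exe"><img src="mov.gif" alt="video"></a>
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://example.org/player" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"suspicious iframe src={src!r} ({', '.join(reasons)})")
```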

Wednesday, June 18, 2008

Elevated RBN Ip Range Activity

Currently, we are seeing user systems from all over the world being attacked by a series of rogueware and spyware components. The software is related to a web server at http://74.50.107.165, whose ip address you can find among other Coolwebsearch/Gromozon/RBN addresses in the Russian Federation (still known as the "Russian Business Network", even though much of the group moved operations to Panama and China). The authors continue to use many of the same simple filenames they started out with:
0.exe, 1.exe, 2.exe, 3.exe, 4.exe, 5.exe

Creative stuff, no?

The attack is using a variety of methods. One of the more effective techniques is simply bundling the software with "winpole2.exe" within a setup file, which was available as another download at http://www.softportal2008-2008.com.

The dialog boxes look similar to the Microsoft Security Center, with claims that "Windows did not find Antivirus software on this computer", when the pages are not provided by "Windows" or Microsoft at all:



Clicking on one of the links provided by the Center-lookalike takes you to "thespybot.com", a look-alike of the legitimate antispyware product SpyBot S&D:



The other link in the Center-lookalike takes the user to a page that reports on phony scan results:



Now, instead of dropping the rogueware known as "Brave Sentry", this new variant drops a variant of phony antivirus software "vav.exe", otherwise known as "Vista Antivirus 2008".


If that's not enough to convince the user to pay for the misleading product, they falsely alarm the user of "Spyware.IEPass.Thief" on their system.


Detection of many of the components is very poor for now; only four of the scanners pick up most of the dropped components:

Tuesday, June 17, 2008

Will the Real Virtumonde Please Stand Up?

It seems that quite a bit of malware is being classified as Vundo (Virtumonde) these days. With the volume of malware currently being distributed in dynamic link library form, it is not always easy to differentiate one from another. Frequently these modules are statically linked with C and C++ runtimes, compression, and GUI libraries, which can slow analysis down. In addition to all this embedded library code, Vundo's code seems to be under constant development and is updated quite frequently to fix bugs, add a new piece of functionality, or add more randomization to prevent signature recognition.

However, there is one construct that the developers behind the code seem to enjoy using. In almost every place where an event and sometimes registry value names are created, the name is generated by a function which is similar between variants.

The function derives this name from an attribute of the infected computer. The attribute is the serial number assigned to the "C:" drive volume when it was last formatted by the operating system. Then, the serial number is randomized by one or more bitwise cpu instructions against a number selected by the programmer. The result of these operations is converted into a string and returned for use.

The recognition of this function can help positively ID a Vundo sample. The source code representation of this function would look similar to this:


#include <windows.h>
#define arbitrary_vundo_number 0xFDEC

/* Build the event/registry value name from the C: volume serial number,
   XOR it with a constant chosen by the author, and emit it as 8 hex digits.
   The return value is the number of characters written by wsprintf. */
int generate_number(char *output)
{
    /* Pre-set so a failed GetVolumeInformation still yields a name;
       the real code does the same (see the "mov ..., 123h" below). */
    DWORD volume_serial_number = 0x123;

    GetVolumeInformation("c:\\", NULL, 0,
                         &volume_serial_number, NULL, NULL, NULL, 0);

    volume_serial_number ^= arbitrary_vundo_number;

    return wsprintf(output, "%08x", volume_serial_number);
}


Actual Vundo assembly code looks like this:

push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
push esi ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
lea eax, [ebp+VolumeSerialNumber]
push eax ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push offset RootPathName ; "c:\\"
mov [ebp+VolumeSerialNumber], 123h
call ds:GetVolumeInformationA
xor [ebp+VolumeSerialNumber], 34D2121h
push [ebp+VolumeSerialNumber]
push offset a08x ; "%08x"
push [ebp+arg_0] ; LPSTR
call ds:wsprintfA
add esp, 0Ch
pop esi
leave
retn

Friday, June 13, 2008

Tracking Coreflood from Shellcode

Sometimes, it can be surprisingly difficult to get malicious code removed from servers. It can be due to a lack of server support by the owners and their support staff, a lack of responsiveness from the ISP, or an intended scheme to profit from malware distribution, as with the groups involved at the RBN this past year.
It's just as surprising when users' systems are getting attacked with malcode that's been in circulation for at least five years and, right now, is almost completely undetected by the major av vendors. Here are some scanning results on the executable. Four of thirty-two scanners is not pretty:



Anyway, we are observing some download-and-execute shellcode attacking user systems that pulls down the malicious file from a server (that server's admin, the owners of the site, and the ISP have all been contacted over the past couple of days; at least the ISP got back to us with a low priority ticket). Here is an example of the malcode calling "urlmon.UrlDownloadToFileA" on hxxp:// 20x.x16.xx.xx/ white.ccs and copying the undetected "AFCode" or "CoreFlood" variant download to c:\index.tmp. We use a tool and process that we posted last year for shellcode examination:



And here is the call to "kernel32.Winexec" to get that file started on the system, which drops and loads its dll file:



The binary, c:\index.tmp, doesn't carry much of an unpacking stub. We see more xor loops and import redirection tricks than anything, which makes it unusual that the AV crowd can't keep up with this one. It drops a set of unusual-looking dat files, and adds CLSIDs and an unusual ShellIconOverlayIdentifiers registry entry for startup. Inside the dropped dll, we find a slew of strings that suggest this malicious component is simply reused Coreflood code:
AFCORE
Removing AF from the system . . .
AF up time: %t
Flooding %s . . .
Flooding of %s has been completed
Processing diskflood log file %s . . .

The file immediately POSTs information about its host operating system, version of the software, etc, back to another server over http, among other things.

It's not especially fun to see this Coreflood family back in the wild. Coreflood seems to have caused problems for individuals performing online banking in the past few years, as the Secret Service found it on Joe Lopez's laptop in the disturbing BofA v. Lopez case. But I suppose we'll never really know for sure about that one. It was settled out of court, and neither side will respond to repeated calls regarding their own settlement.


Update: over the weekend, the malicious "white.ccs" file was silently removed from the server. And the ISP handling the problem interestingly deleted the support ticket they had issued for my request.

Wednesday, May 14, 2008

Agent again, this time undetected

Several interesting surges in malware activity are showing up today. The most highly propagated that we are seeing is a large increase in the past 24 hours of an old friend that's been labelled "Trojan.Agent". The filename that we are seeing the most of is "wingmmesc.exe", and it continues to run rampant without much in the way of AV detection, including the new and improved engines to detect suspicious obfuscation:




We are investigating its spread and its packing techniques. While the outer layer was packed with upx, another layer of protection needs to be peeled back, which may explain low AV detections. In the past, this sort of stuff was spread via emails with "enticing" (often pornographic) messages with links to urls, like hxxp://aliodsf . com / video.exe. We'll get back with more detail.

Update...It appears to be related to the Sality family, because we're seeing lots of familiar Sality "WINEUJE.EXE" activity related to the downloader, a worm that's run around for a long time now, especially in Asia. It attempts to download .gif files from "kukutrustnet888.info" and "microupdate14.info", both domains that we've seen from this family before. We'll rename this one to a more appropriate Sality label, and more AV detections should begin to pick up, now that we've uploaded it to virustotal for sharing.