Rootkits, Downloaders, and Natalie Portman

By: Jose -

Got a round of these in my inbox this morning. These are EXEs being spammed out in e-mail messages to get you to install malware. The names of Hollywood stars used in the emails include Nicole Kidman, Angelina Jolie, and Natalie Portman.

Here’s a sample email:

Subject: Pictures

Parts/Attachments:

1 Shown 5 lines Text (charset: ISO-8859-1)

2 19 KB Application

—————————————-

Good evening, man!

Shocking pictures of nude Nicole Kidman. See it in your attachment.

Bye.

[ Part 2, Application/ZIP 26KB. ]

[ Cannot display this part. Press "V" then "S" to save in a file. ]

The attachment, “amazing.zip”, contains “shocking.exe”.Analyzing the malware reveals that the malware installs a rootkit via a hooked TCP/IP driver:

Object-Type: IRP-hook

Object-Name: DriverTcpip->IRP_MJ_DEVICE_CONTROL

Object-Path: ??C:WINDOWSSystem32driversruntime.sys

Once executed, shocking.exe will delete itself. It will also use Internet Explorer to download files from the following IP addresses (all on TCP port 80): 208.66.194.241, 66.246.252.213, 66.246.252.215, 66.246.72.173, and 67.18.114.98. It downloads a binary that appears to be used in spamming. It will also install a registry key, RegistryMachineSystemCurrentControlSetServicesip6fw, as one of the means to ensure it runs.

ip6fw rootkit

Detection is weak at this point.

Complete scanning result of “shocking.exe”, processed in VirusTotal at 08/02/2007 15:27:56 (CET).

[ file data ]

* name: shocking.exe

* size: 20992

* md5.: c0c2b29e1bdf9e4b1dcd6be02858c399

* sha1: 3e1f327881d3c9a5d27fff1069860225b5b2c81c

[ scan result ]

AhnLab-V3 2007.8.3.0/20070802 found nothing
AntiVir 7.4.0.57/20070802 found nothing
Authentium 4.93.8/20070802 found nothing
Avast 4.7.1029.0/20070802 found nothing
AVG 7.5.0.476/20070801 found nothing
BitDefender 7.2/20070802 found nothing
CAT-QuickHeal 9.00/20070801 found nothing
ClamAV 0.91/20070802 found [Trojan.Downloader-12155]
DrWeb 4.33/20070802 found [Trojan.DownLoader.29243]
eSafe 7.0.15.0/20070731 found nothing
eTrust-Vet 31.1.5026/20070802 found [Win32/Cutwail!generic]
Ewido 4.0/20070801 found nothing
F-Prot 4.3.2.48/20070801 found nothing
F-Secure 6.70.13030.0/20070802 found nothing
FileAdvisor 1/20070802 found nothing
Fortinet 2.91.0.0/20070802 found nothing
Ikarus T3.1.1.8/20070802 found [Win32.Outbreak]
Kaspersky 4.0.2.24/20070802 found nothing
McAfee 5088/20070801 found nothing
Microsoft 1.2704/20070802 found nothing
NOD32v2 2432/20070802 found nothing
Norman 5.80.02/20070802 found nothing
Panda 9.0.0.4/20070802 found nothing
Rising 19.34.32.00/20070802 found nothing
Sophos 4.19.0/20070801 found nothing
Sunbelt 2.2.907.0/20070802 found nothing
Symantec 10/20070802 found nothing
TheHacker 6.1.7.160/20070801 found nothing
VBA32 3.12.2.2/20070801 found nothing
VirusBuster 4.3.26:9/20070802 found nothing
Webwasher-Gateway 6.0.1/20070802 found nothing

Links around the net:

When Spambots Attack — Each Other!

By: Danny McPherson -

So, you’ve read plenty about when botnets attack. You’ve also seen plenty about when spambots attack, though it’s usually only in the form of spam email flooding in the course of spambot offspring performing the functions for which their creator intended. There’s even been plenty of press about when Botnets Battle Over Turf, attacking each other. So, let’s delve into one example of why that is, and take a terse look at one such set of attacks.

Over the past two days we’ve seen a reasonably large number of attacks in ATLAS that exhibit a common target set, and appear to be traceable to bot on bot attacks, or more interestingly, attacks targeting competitive bot building infrastructure. Based on the data, one might surmise that some of the Storm bot herding folk appear to be perturbed with their MPack brethren automating uninstalls of competitive root kits on compromised assets, in particular that of wincom32.sys (employed by the Storm Worm). I nice explanation of the host-level attributes of these rootkits as it relates to this post is available from the Symantec folks here.

According to Symantec, Trojan.Srizbi, after compromising a host and doing a few nifty things, attempts to connect to URLs on abr.srizhopa.biz or bu.srizhopa.biz in order to download a zip file that contains configuration files to send spam. Given this, if you’re a bot herder and MPack activity as of late has been depressing your bot herds, you might look at this and say, “Hrmm.. You know, if I were to take those srizhopa.biz hosts offline, I might just be able to buy myself some time to tighten things up from an operations perspective, and perhaps even come up with a longer-term plan to counter MPack’s unwarranted virulence”.

So, what next… Well, easy enough, let’s just lookup the IP addresses of abr.srizhopa.biz and bu.srizhopa.biz and have our bots attack them. So, what’d some of this attack traffic look like? Let’s have a gander..

Note: When I first looked at this both these hostnames were mapped to a single IP address, 208.72.168.131, the other targets were correlated via looking at attack flows directed at more than one target.

Over the past 48 hours we saw 85 discrete attacks directed towards three IP addresses that appeared in some way associated with these spambot wars. Attack counts and targets are as follows:

Attacks Target IP Address

41 208.72.168.131/32
32 208.72.168.50/32
12 208.66.194.151/32

All of these attacks were ICMP Ping Floods (40-byte ICMP Echo request packets). The maximum packet per second (pps) from any of these attacks was 91.09 Kpps, the maximum bits per second (bps) from any of these attacks was 43.73 Mbps. Summing the totals of the max_pps and max_bps from each of the attacks in order to quantify their effective scale yields an aggregate max_bps of 1.194 Gbps, and max_pps of 2.484 Mpps. That’s more than enough attack traffic to cause pain for most targets, with a likely result of negative impact to some innocent bystanders as well (aka. collateral damage).

These attacks don’t appear to be spoofed as they exhibit relatively fixed source address sets. They could be easily mitigated by filtering on ICMP Echo Request packets towards the targets, but given the number of attacking sources and the scale of the attacks, such filtering policy would likely need to be implemented well upstream from the targets themselves. In addition, source-based filters are likely implausible in most hardware today, given the large base of unique attack sources observed across the aggregate attack set. So, dropping all ICMP Echo Requests (if possible) towards the targets is the most likely mitigation technique, but could have negative side effects of breaking Ping-based diagnostics tools. The attacks would perhaps be a bit more effective if they weren’t scoped to 40-byte packets, though larger packets would allow for additional attack flow discrimination, enabling more granularity on the mitigation front.

Of course, given that these are bots attacking malware distribution sites, I suspect the miscreants involved on the receiving end of this particular incident aren’t overly keen about talking to their ISPs regarding possible subscription to DDoS mitigation services.

When correlating target data I saw another 15 attacks towards 208.66.194.155 from January 29-30, 2007. These were ICMP Ping flooding attacks as well, and quite likely related to a similar feud.

If you’re wondering, that domain that was hosting the malware distribution sites, srizhopa.biz, is registered to a one “johhnie walker” of “19 avenue drive, New York, 02002″, with, as you may guessed, bogus phone numbers, zip codes, etc..

The good news is that the existence of the srizhopa.biz domain seems to have disappeared completely from DNS over the past day or so, which for the attackers is even more effective than flooding them with attack traffic. For the target, they’ve likely just moved on.

So there you have it, another edition of spamwars and THEIR impact on OUR assets.

AV, how cam’st thou in this pickle?

By: Danny McPherson -

While I’ve seen and heard random spatterings about why AV isn’t effective, or analyst reports from the likes of Yankee declaring “AV is Dead”, there’s been very little qualitative or quantitative study on precisely why. Well, beyond the endless flurry of new malware families and subseqent offspring, that is.. As such, I find myself borrowing from Shakespeare’s The Tempest, and asking: “AV: how cam’st thou in the pickle?”

That’s why I’m pleased some of my colleagues at Arbor, with some co-collaborators at the University of Michigan, published Automated Classification and Analysis of Internet Malware (pdf).

There are basically three main issues with AV in the report:

    • completeness – AV does not provide a complete categorization of the datasets, with AV failing to provide labels for 20 to 62 percent of the malware samples examined in the study
    • consistency – when labels are provided, malware is inconsistently classified across families and variants within a single naming convention, as well as across multiple vendors and conventions
    • conciseness – AV systems provide either too little or far too much information about a specific piece of malware

The authors go on to demonstrate how what something does is more important then what you call it (i.e., behaviors are better than labels). By observing state changes associated with files modified, processes created and network connections, a behavioral fingerprint can be generated for the malware. From there, grouping based on these fingeprints can provide some meaningful output and actionable information.

It’s definitely worth the read…

Can I get a WOOT! WOOT!

By: Dug Song -

After Blackhat and DEFCON have blown over, come join us for WOOT! – the first USENIX Workshop On Offensive Technologies in Boston on August 6th, colocated with USENIX Security 07.

We realize this is extremely short notice for authors (just over a month), but are encouraging those presenting at DEFCON, Blackhat, and elsewhere to submit full-paper versions of their presentations to WOOT! for peer review and publication. We’ve assembled an excellent program committee from industry and academia, and are looking forward to the first of hopefully many such collaborations.

Storm Worm, GIFs, Passwords, Zips and Alerts

By: Jose -

I spent a good portion of my day watching the Storm worm mutate from EXEs being spammed through to ZIP files in password protected bodies. This is a change in tactics for the Storm Worm team and has proven to be effective at evading AV. The Storm Worm is malware designed to install spammer toolkits.

Throughout the past day, the Storm Team has been flooding the world with their spams. The attachment is the bootstrap code for the malware, and downloads and installs a few components. The emails that were going out starting in the late morning, early afternoon on the east coast look similar to the one below. Note that the text in the message is actually a GIF attachment.

Storm Worm Body

There was some confusion throughout the day because these new payloads and tactics were being used, AV wasn’t catching it, and vendors have a dozen names for this threat. That said, once we started to analyze it, sure enough it was the Storm Worm, our old friend. Note that we saw Storm this past weekend in “Iran-US War” messages as its hook. This is a new change for the team, moving beyond news events and into the typical tactics used by Bagle and Mydoom. This rootkit analysis report from a third party tool shows us how it hides itself on the machine with a kernel driver (the .sys file) and registry entries.

Storm Worm Hidden Files

AV detection has been improving all day, as we shared samples throughout the community (and info, as well). If you need to block patterns of messages for this, try blocking messages containing the following:

  • a GIF attachment as attachment 1
  • A password protected ZIP as attachment 2

That combination has been seeded heavily in the past 12-18 hours. A friend from an email security company says that they’re seeing more hits for this variant than previous variants.

Updated April 13
Links around the net:

  • sandbox analysis in the Anubis system
  • Storm Worm blows up, breaks records, at InfoWorld.
  • Consumer alert: Massive virus outbreak, from PCWorld
  • Malicious worm detected! No, really!, from the Trend Micro blog.
  • Nurech.Z from the PandaLabs blog

Free AntiRootkit Software

By: Jose -

As a complement to a recent post I made here with a list of free online AV scanners, I’d like to share with you a list of free AntiRootkit software for your PC. Especially in light of this past week’s ANI-related malware spate and the new Grum Trojan, you should make sure that you’re always on the lookout for threats. In the past few weeks we’ve seen even more malware that was simply not detected by AV.

Like the AV software list, this is in no particular order, we endorse no one in particular, we offer no warranties or guarantees, and you use these at your own risk.

I hope this list is useful to you. I use a couple of these products regularly on my personal PC and find them invaluable. That said, bear in mind that rootkits are an area of very active research, and people are constantly finding ways to get their rootkit to defeat all known detection mechanisms. Hopefully tools will keep up.

EDITED to add GMER, GhostBuster, IClean, Blacklight, and to change the Panda link based on feedback. Thanks! Edited on April 5 to add SVV.

How We’ll Miss You So, Black Hat ’06…

By: Sunil James -

Las Vegas was an absolute blast! Not just because Arbor had an awesome turn-out for its annual poker tournament (nice job, Lisa and Robin!), but also because the Black Hat sessions that we attended were amazingly strong. Having attended the conference for a number of years now, I was glad to see that CMP Media’s acquisition of Black Hat hadn’t adversely impacted the content that Jeff Moss is renowned for pulling together. A sincere thanks for what was truly a great con!

Each of us from the ASERT that attended this year had various thoughts on the sessions we attended. So, instead of a stream of overlapping blog posts, I compiled our thoughts into what you see below. We encourage you to follow the links and learn as much as you can about the various research these folks are doing…you can be certain we’ll be doing the same.

Device Drivers
Jon Ellch aka johnny cache & David Maynor

These two scared everyone who brought their laptop to the conference in the hope of using the wireless network. In the first half of their talk, they described the process of enumerating wireless drivers. Driver enumeration is interesting, but innocuous, and they both must have known that starting with such an innocuous topic would calm the audience before the storm. In the second half of their talk, Maynor proved that enumeration was very helpful when you’ve already done vulnerability analysis of several wireless drivers. To avoid disclosing the actual shellcode used in their exploit, Maynor showed a video in which a Dell laptop attacked an old PPC-based Mac laptop to install a rootkit. Then, Maynor simply connected to the backdoor (a bound shell listening on a socket) and had a root shell (albeit without any line buffering or shell prompts) on the Mac. Needless to say, none of us used our laptops for wireless Internet access anywhere near the conference.

PDB: The Protocol DeBugger
Jeremy Rauch & Dino Dai Zovi

Jeremy glued together some disparate pieces of code (including libevent) to create a C-written gdb-style protocol debugger with a modular interface allowing it to load Ruby-written modules (of which they’ve two). The demonstration was interesting, but not without issues, as the problem of TCP re-transmits isn’t currently handled by the debugger. Definitely an interesting concept, regardless. The proof-of-concept revealed that Python would have been a much more natural choice for developing the system. Sure, there’s a divide between the Python and Ruby camps, however, in our collective opinion, Python is the “lingua franca” of high-level languages in security. Taking into account the fact that libdnet has built-in Python extension, the existence of Dug’s pyevent and dpkt modules for Python libevent and protocol decoding/composing respectively, the amount of work spent developing the underlying glue could have been spent improving the debugger itself. Not trying to be too hard on Jeremy, though. He’s a sharp dude with some interesting ideas.

Punk Ode—Hiding Shellcode in Plain Sight
Michael Sutton & Greg MacManus

An excellent talk all-around. They had clearly explained and demonstrated how simple it was for anybody to hide exploits in plain-sight for specific kinds of attacks. Using their methods, which simply hide the malicious data as legitimate data inside of images, and presumably video, any attacker could leverage this technique to easily bypass many network security products that analyze network packets looking for specific attacks. While this kind of attack is very interesting, there are also many others ways of achieving the same results. More information available here.

Hacking World of Warcraft: An Exercise in Advanced Rootkit Design
Greg Hoglund

This was one of the best talks at the conference. Very entertaining, and it definitely had something for everybody. Hoglund described “The Supervisor,” a kernel-level rootkit made specifically to bypass “The Warden,” Blizzard Entertainment’s anti-cheating technology. This effectively allows anyone running “The Supervisor” to cheat and get away with it. Supervisor allows Hoglund to inject his own instructions into the World of Warcraft client, allowing him or others to take control of the client while also cloaking the contents of the injected instructions by replacing page tables corresponding to the modified memory with another page table filled with A’s. When The Warden next attempted to scan the system’s memory in order to look for any signs of cheating, it would only come across as bunch of As, rather than the actual instructions. Brilliant…and Hoglund’s presentation was flawless and entertaining as ever.

Subverting Vista Kernel For Fun And Profit
Joanna Rutkowska

Joanna’s presentation on exploiting the 64-bit version of Microsoft’s Windows Vista operating system was, without question, our favorite talk of the conference. She skipped the introductory section found in many technical talks and jumped right into a very straightforward method of exploitation: consuming enough system resources to force the OS to page non-wired memory to disk, thereby allowing her to modify the on-disk representation of this memory, and finally releasing those system resources, allowing the modified memory to be paged back in to the system. She then described how to exploit the virtualization features found in AMD’s newest dual-core processors to inject a hardware virtualized rootkit while seamlessly world switching a non-virtualized and running Vista platform into a hardware virtualized context. If Paris Hilton had been in the audience, she’d have agreed that this portion of talk was “hot”. The first half of the talk and, more so the second half, seemed to be a bit technical for some members of the audience, judging by the questions asked. That said, most people we spoke with afterwards agreed that it was the best session of all of Black Hat 2006.