MoMusings

Tuesday 31st August, 2004


New Bagle Found Tonight….or is it?

Filed under: All, Malware

A new variant of the Bagle (Beagle) family was released tonight!

According to my Bayesian Filter, WormCharmer and SNORT I caught my first sample of this new e-mail worm at 18:38 (BST, GMT+1). Another copy arrived a minute later and then no more until over an hour later.

Here are some early test results from the few that currently detect it (out of 13 scanners):

F-Prot flags them as:
foto.html infection: HTML/ObjData@exp
foto1.exe could be infected with an unknown virus

McAfee (Daily DATs) flag them as:
foto.html found the JS/IllWill Trojan
foto1.exe found the W32/Bagle.dll.dr Trojan

Also:

My Bayesian Filter flagged this fine without any retraining required.
The Bagle PCRE rule/sig for SNORT that I created also flagged it correctly without needing any modification.

More naming confusion…..

McAfee are calling it: W32/Bagle.dll.dr
Symantec are calling it: Download.Ject.D
F-Prot are calling it: Mitglieder.?
F-Secure are calling it: Bagle.AK
Kaspersky are calling it: TrojanDropper.Win32.Small.kv
TREND are calling it: WORM_Bagle.AI
SOPHOS are calling it: Troj/BagleDl-A

It arrives as an e-mail message with the following attributes:

Subject: foto
Body: foto
Attachment: fotos.zip or foto.zip

More details to follow…..


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Monday 23rd August, 2004


More Windows XP Tales and Internet e-Jihad

Filed under: All, Malware

E-by-gum, it’s e-Jihad Day Today

Well today was supposed to be e-Jihad, the day the Internet died! More data can be found here

Not from where I’m standing, posting, whatever…..

Cut to a hospital scene in CyberSpace, complete with simulated smell of disinfectant:-
Nurse: “Doctor the patient is still breathing and has a pulse, he’s ‘Alive’….oh, Doctor you are wonderful!”
Doctor: “Oh, it was nothing really.”

Nuff said!

XP SP2 Ate My Network Card….

I’m well aware that life on the bleeding edge can be fraught with danger; involving numerous tantrums, occasional rebuilds and much gnashing of teeth and hair loss to boot, but Windows XP SP2 takes the prize for the all time pain factor stakes (well for me anyway)!

….A long time ago in an uncharted universe, on an easily missed and unremarkable small planet there lived a malware researcher who was happy capturing and analysing new nasties from a global network, known by the inhabitants of this planet as the ‘Internet’. As global networks go, it was not perfect, binary nasties patrolled it looking for ‘Internet Virgins’ and ‘Clueless Newbies’ and their tasty systems to penetrate and use for their own twisted purposes, such as a breeding ground and cache for their offspring, cousins and other badly behaved relatives (You know the sort that come and stay, eat you out of house and home, have wild parties, trash the place, and then depart, leaving you to pick up the pieces, explain to the police and deal with the disgruntled neighbours ;-) ). They also used these ‘infiltrated’ boxes to attack other systems…..

This lowly malware researcher used the predominant Operating System on his ‘personal’ system; this being Windows XP Home. One day the ‘manufacturer’ decided to make an upgrade to fix numerous flaws, bugs and security holes in the ‘Swiss-Cheese’ product known as XP……they called this SP2. Martin the Malware researcher, being a responsible and security aware individual, duly installed SP2, and then promptly wished he hadn’t [see 2004-08-16 for details].

OK, enough of the story…. ;-)

Anyway the point is that my network card’s details disappeared from the ‘Network and Dialup Connections’ folder and also from the ‘Device Manager’. No amount of coaxing, tweaking and even uninstalling SP2 would bring it back from where it had gone. Even replacing the card with another (in another slot) refused to get XP to see a network card….sheesh, talk about stubborn!

Yes there is a happy ending!

I installed Mandrake 10 (Linux) and have moved most of my data across, and it seems to be fine. Put it this way: the same network card that Windows XP SP2 ate…..is working just fine under Linux, go figure!

Oh, to use the odd Windows tool I installed VMware and am running Windows 2K in it, so that I still have access to Windows for the (very) few things I still need it for…..bye, bye XP, don’t come calling again as I’ll be out with my new friend Mandrake.



Monday 16th August, 2004


MyDoomed Again and Windows XP Broken?

Filed under: All, Malware

I’m back from two weeks vacation and raring to get the bit back between my teeth……truth to tell, even though I’ve been (officially) on leave, I’ve still been keeping my finger on the pulse of the malware scene, and caught a number of new worms….but that’s another story.

We’re All MyDoomed Yet Again!

What a welcome back! No sooner do I get back in the ’saddle’ than along comes a new MyDoom variant; known as MyDoom.s (or MyDoom.q or MyDoom.[insert letter here]*). It is a simple mass-mailer which, when launched, will download a backdoor from a number of sites that have been seeded. More details can be found below and by following the links to several AV companies:

The e-mail that arrives from an infected host has an attachment called “photos_arc.exe” and has the following subject and body text:

 Subject: photos
 Body Text: LOL!;))))

When the attachment is run, the virus copies itself to the WINDOWS (%WinDir%) directory as rasor38a.dll, and to the SYSTEM (%SysDir%) directory as winpsd.exe.

The virus creates the following registry key values:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus then downloads the backdoor component from one of two different websites:

Links to full descriptions from a selection of AV vendors:

F-secure
SOPHOS
Symantec

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
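As an added example (this is not the blog’s POPFile or Snort rules), here is a small gateway-side check in Python that applies the lure indicators quoted above for MyDoom.s and, from the 31 August post above, for the Bagle sample: subject, body text and attachment name, plus a look inside a ZIP attachment for an executable. It deliberately never reads the From header, for exactly the reason given in the note. The messages it builds are constructed samples, not captured worms; the attachment bytes are stand-ins, not real binaries; and the rule that a match needs the attachment name plus one other field is this example’s assumption, not something the posts state.

```python
"""Mail-gateway indicator check for the MyDoom.s and Bagle lures quoted
in these posts. Added example, not the blog's POPFile or Snort rules.
Assumptions: the indicators are only what the posts give (subject, body,
attachment name, and for Bagle a ZIP that carries an .exe); a match needs
the attachment name plus one other field. sample_messages() builds
constructed test mail with stand-in attachment bytes, not real worms."""
import email
import io
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Lure indicators exactly as the two posts list them.
INDICATORS = [
    {"name": "Bagle (31 Aug 2004 sample)", "subject": "foto", "body": "foto",
     "attachments": {"foto.zip", "fotos.zip"}},
    {"name": "MyDoom.s", "subject": "photos", "body": "LOL!;))))",
     "attachments": {"photos_arc.exe"}},
]


def zip_members(data):
    """Member names if the attachment is a ZIP, else [] (non-ZIPs raise)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(raw):
    """Return (indicator name, list of reasons) or None for one raw message.
    The From header is never consulted: both families forge it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    attachments = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            attachments[name.lower()] = part.get_payload(decode=True) or b""
    for ind in INDICATORS:
        hits = []
        if subject == ind["subject"]:
            hits.append("subject matches")
        if body == ind["body"]:
            hits.append("body matches")
        for name, data in attachments.items():
            if name in ind["attachments"]:
                hits.append(f"attachment {name}")
                exes = [m for m in zip_members(data) if m.lower().endswith(".exe")]
                if exes:
                    hits.append(f"zip carries executable {exes[0]}")
        # attachment name plus one more field, so a lone subject never fires
        if len(hits) >= 2 and any(h.startswith("attachment ") for h in hits):
            return ind["name"], hits
    return None


def build_message(subject, body, filename, payload, sender="someone@example.org"):
    """Assemble a constructed multipart message with one attachment."""
    msg = MIMEMultipart()
    msg["From"] = sender                      # forged in the wild, so never used above
    msg["To"] = "me@example.org"
    msg["Subject"] = subject
    msg.attach(MIMEText(body))
    part = MIMEApplication(payload, Name=filename)
    part["Content-Disposition"] = f'attachment; filename="{filename}"'
    msg.attach(part)
    return msg.as_bytes()


def sample_messages():
    """Constructed samples: the two lures and a benign look-alike."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:    # Bagle archive: HTML + EXE components
        zf.writestr("foto.html", "<html><!-- stand-in for the HTML component --></html>")
        zf.writestr("foto1.exe", b"MZ\0\0 stand-in, not a real binary")
    return {
        "bagle": build_message("foto", "foto", "fotos.zip", buf.getvalue()),
        "mydoom": build_message("photos", "LOL!;))))", "photos_arc.exe", b"MZ\0\0 stand-in"),
        "benign": build_message("photos", "see attached", "report.pdf", b"%PDF-1.4 stand-in"),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, "->", classify(raw))
```

The benign sample shares MyDoom’s subject line but carries a different attachment and is not flagged; that is the point of insisting on the attachment name, since a subject of “photos” on its own is ordinary mail. Matching on exact strings is as brittle as any signature: the next variant only needs to change one word, which is why the post pairs a Bayesian filter with the Snort rule.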

My generic MyDoom SNORT signature flagged it fine, as did POPFile (I’m using Bayesian Filtering techniques to identify new malware, as well as SPAM et al). However I also created distinct SNORT signatures to detect it (and the backdoor too).

*One day all AV companies will finally agree on a single naming standard and apply it consistently [yeah right ;-) ], so that we don’t have this horrible mess we have with a number of malware families.

XP SP2 Breaks Windows Applications!

Well, I took the plunge and updated my Windows XP system to SP2, and boy did it break things!

It broke my Sygate personal firewall installation (caused it to completely fail, even when the ICF was switched off!), it complained about my AV (that I had too many installed?**), and it blocked remote access to a number of servers (FTP, HTTP, VNC….) that I use on my private IP address range.

If MS don’t sort out these issues then I feel very sorry for the Joe/Jo Averages out there that install it, as they (Mr/Mrs/Miss/Ms Average) are going to have a hell of a time sorting out the problems it will cause them.

So, I did some more research and it seems that SP2 for Windows XP breaks and interferes with numerous applications (which worked fine with SP1 incidentally). You can find more details via the links below.

Microsoft’s own page about this issue
ISC shared experiences can be found here

Is this a case where the cure is worse than the disease? Probably not, but it is a close call….Microsoft better fix these problem soon or less than 20% of users will risk the upgrade to SP2!

PS I must clearly state that many of the changes in SP2 are inherently ‘good’, it is just that the implementation is the usual Microsoft one of “Let’s use our customers as Guinea Pigs…”

**No, I don’t have them all running on-access, they are used on-demand for testing new samples.

UPDATE: Oh joy, more flaws have been found in the ‘new’ security features of SP2. I have already discussed the ‘TCP/IP Throttle’ feature and how it can be bypassed, now more revelations…can be found here.



Thursday 5th August, 2004


More Multi-component Malware, Nick Berg and More PDA Malware

Filed under: All, Malware

Latest Hackarmy Hoax Posting

Hot on the heels of the Osama and Arnie hanging social engineering postings to USENET, which contained a link to ‘alleged’ pictures but actually delivered a Trojan/Backdoor known as Hackarmy, comes a new version…..

“Conspiracy theories of Nick Berg being alive and well in Iraq have today been proven true. Aljazeera have released video footage of the supposedly beheaded American captive. The clip was first “discovered” on an Islamic website in Malaysia and has now been released by American Journalists collaborating with Aljazeera. The evidence speaks for itself and can be viewed firsthand here…..” [Link to Hackarmy Trojan Removed]

Comment: Expect more versions soon using other newsworthy items…..my bet is that there will be a version that uses George Bush, John Kerry or their running mates….any takers?

PDA Backdoor (Brador) Found

A new WinCE/PocketPC Trojan has been found, called Brador, it is believed to be written by a Russian malicious code writer. The sample came with the accompanying text, “Get to work, folks, the PocketPC market will soon explode”.

Brador is a classic Trojan backdoor program: it opens the infected machine for remote administration. Brador is 5632 bytes in size and it infects handhelds running Pocket PC.

After the backdoor is launched, it creates an svchost.exe file in the Windows autorun folder, thus maintaining full control over the system every time the handheld is turned on.

Brador then identifies the machine’s IP address and sends it to the author, informing him that the handheld is on the Internet and the backdoor is active. Finally, Brador opens port 44299 and awaits further commands.

Brador is created to allow the master full control over the infected PDA via the port that the Trojan opens. Brador is programmed to upload and download files and execute a series of further commands. Like all backdoors, Brador cannot spread by itself: it can only arrive as an email attachment, be downloaded from the Internet or uploaded along with other data from a desktop.

Yet More Multi-component Malware

I trapped yet another Ranky and SdBot RAR SFX dropper package today. The file [mstaskmoni.exe] gets dropped to the root of a Windows share and when launched it unpacks the two components [bvdf.exe and dvdv.exe] and installs them. The samples were duly sent to the AV vendors and researchers that I send samples of new malware to.

Details of the dropper and the extracted files appear below:

File name: mstaskmoni.exe
File Date/Time: 05/08/2004 14:53:19
File Size: 115679
MD5 Hash: 45e5f01aa513edfa0f8cecfda408f38c
CRC32: F680273
File Type: PE Executable, RAR SFX
Packer: UPX
Sample trapped by WormCharmer* Today.

Details of the two files in the RAR SFX detailed above:

File Name: dvdv.exe
File Date/Time: 03/08/2004 22:23:32
File Size: 46592
MD5 Hash: 2d424a40c6df0c50e34508379a1c8002
CRC32: 8C634A91
File Type: PE Executable
Packer: UPX
Other: This is an SdBot Variant
	
File Name: bvdf.exe
File date/Time: 03/08/2004 22:23:54
File Size: 19968
MD5 Hash: f49ab3f8781f46dcc5cbb1b0ffda7231
CRC32: 3F6E38A1
File Type: PE Executable
Packer: UPX
Other: Suspected Ranky Variant
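The record layout above (size, MD5, CRC32, file type, packer) can be produced straight from a sample’s bytes. The following Python is an added example, not WormCharmer or any tool this blog uses. It assumes a file counts as a PE executable when the DOS ‘MZ’ header’s e_lfanew points at a valid PE signature, as UPX-packed when a section is named UPX0/UPX1/UPX2, and as a RAR SFX when the RAR 4.x marker block appears in the image; the PE-shaped blob that build_fake_pe() makes is constructed test data, not the dropper or any real executable.

```python
"""Triage record for a trapped sample, in the layout this post uses.
Added example, not WormCharmer. Assumptions: 'PE Executable' means an
'MZ' header whose e_lfanew points at the PE signature; 'UPX' means a
section named UPX0/UPX1/UPX2; 'RAR SFX' means the RAR 4.x marker block
is present somewhere in the image. build_fake_pe() makes constructed
test data, not a real or malicious executable."""
import hashlib
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"  # RAR 4.x archive marker block (7 bytes)
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data):
    """Walk the PE section table and return the section names, or [] if
    the bytes are not a PE image (the table is what the UPX test reads)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                       # COFF header follows "PE\0\0"
    if data[e_lfanew:coff] != b"PE\0\0" or len(data) < coff + 20:
        return []
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table after optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated table: keep what we have
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data):
    """Return the fields the post lists for a sample, computed from bytes."""
    sections = pe_section_names(data)
    kinds = []
    if sections:
        kinds.append("PE Executable")
        if RAR_MARKER in data:                # SFX stub carries the archive after the code
            kinds.append("RAR SFX")
    packer = "UPX" if UPX_SECTIONS & set(sections) else "none detected"
    return {
        "File Size": len(data),
        "MD5 Hash": hashlib.md5(data).hexdigest(),
        "CRC32": format(zlib.crc32(data) & 0xFFFFFFFF, "08X"),  # always 8 hex digits
        "File Type": ", ".join(kinds) or "unknown",
        "Packer": packer,
        "Sections": sections,
    }


def build_fake_pe(section_names, trailer=b""):
    """Constructed PE-shaped test data: DOS header with e_lfanew, PE
    signature, COFF header, no optional header, a section table with the
    given names, then an optional trailer such as a RAR marker."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + trailer


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"], RAR_MARKER + b"<archive>")
    for field, value in triage(sample).items():
        print(f"{field}: {value}")
```

A CRC32 is a 32-bit value, so it always has eight hex digits; the 08X format keeps the leading zero, which is what a tool has dropped when it prints a seven-digit value like the dropper’s above. Section names are trivial to rename, so the UPX test is a triage hint rather than proof; the real check is whether the UPX unpacker restores the file. MD5 is used here only because the post records MD5 and it is what the vendors of the day were swapping; for new work record a SHA-2 hash alongside it.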

These have now been identified and most AV products should detect them shortly:

dvdv.exe infected: Backdoor.SdBot.nv [Kaspersky]
bvdf.exe infected: TrojanProxy.Win32.Ranky.an [Kaspersky]

Good news for those that use my SNORT signatures, the existing Ranky and SdBot Dropper signature identifies all variants of the droppers that I’ve so far trapped.

This brings my total up to 67 new ones so far this year.

Please drop me a line if you would like me to post future trapped sample data to this blog.

*If you want to find out more about WormCharmer, then see here.


