MoMusings

Friday 29th October, 2004


New Beagles (Bagles) on the Loose!

Filed under: All, Malware

Don’t you just love it when you come down bleary-eyed first thing in the morning and tread in something that the dog has deposited just where it knew you’d find it?

Yes, our faithful Beagle (Bagle) is at it again! More deposits than the local gold mine.

Came down this morning to find yet another new variant of the Bagle e-mail worm ‘in-the-wild’; to make matters worse, this one has got lucky. Since then two other new deposits (variants) have been found. What a messy mutt!

What do I mean by ‘lucky’? Simply this: it managed to establish a beach-head and spread effectively before the anti-virus vendors knew about it.

I suppose you’d like some details about this so that you can protect yourself?

OK, here you are:

Arrives via e-mail and it spoofs the sender address:

From: (spoofed)

Subject: (any of the following)

  • Re Hello
  • Re Hi
  • Re Thank you!
  • Re Thanks :)

Message body:

:) )

Attachment: (so far we’ve seen the following; only one is used per e-mail)

  • PRICE.CPL
  • PRICE.COM
  • PRICE.EXE
  • PRICE.SCR
  • JOKE.CPL
  • JOKE.COM
  • JOKE.EXE

If you are naive enough to run the attachment, the worm will run, drop and install a copy of itself as ‘WINGO.EXE’ and add a key to the registry so that it will always load when the system is restarted. Then it roots around in the system to find new e-mail addresses and domain names to send itself to, and to make up the forged From: mail header.

Other than that, it also spreads via P2P by dropping a copy of itself into directories on the local hard disk whose names contain the text ‘SHAR’.

This worm also tries to connect to certain Web sites (supposedly to update itself, or to download new components?), and will terminate many antivirus and security-related programs.

Finally, it deletes several registry entries associated with the many Netsky variants.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Oh, and the attachment is packed using PeX.

Links to write-ups:

TREND are calling it WORM_BAGLE.AT: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AT

Symantec can’t seem to decide what it is at the moment, so they have three pages up on new Beagle variants (AU, AV and AW)!

http://www.symantec.com/avcenter/venc/data/w32.beagle.au@mm.html

http://www.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html

http://www.symantec.com/avcenter/venc/data/w32.beagle.aw@mm.html

McAfee are calling it W32/Bagle.bb@mm: http://vil.nai.com/vil/content/v_129509.htm

F-Secure are calling it Bagle.at (although they also mention two other new variants): http://www.f-secure.com/v-descs/bagle_at.shtml

As you can see there is the usual cornucopia of names from the vendors, one of these days we will get a single naming standard and the vendors will stick to it (yeah, I know I’m a dreamer ;-) ).

Other mitigation/detection methods:

My Bayesian Filtering caught it fine, without being re-trained, and my Bagle SNORT signatures (which detect the manufactured mail headers it creates) also flagged it. So, it was sitting there harmlessly in my malware folder waiting for me to review it.
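As an added example (not code from the original post), here is a small mail-gateway check in Python that turns the indicators listed above (subjects, the ‘:) )’ body and the attachment names) into a quarantine decision; the sample message is constructed here, not a real capture, and the From: header is ignored because the worm spoofs it.

```python
import email
from email import policy

# Indicators quoted from the write-up above: subjects, body text, attachment names.
BAGLE_SUBJECTS = {"Re Hello", "Re Hi", "Re Thank you!", "Re Thanks :)"}
BAGLE_BODY = ":) )"
BAGLE_ATTACHMENTS = {"PRICE.CPL", "PRICE.COM", "PRICE.EXE", "PRICE.SCR",
                     "JOKE.CPL", "JOKE.COM", "JOKE.EXE"}
EXEC_EXTENSIONS = (".cpl", ".com", ".exe", ".scr")

def check_message(raw: bytes) -> dict:
    """Report which Bagle indicators a raw RFC 822 message matches.
    The From: header is spoofed by the worm, so it is deliberately ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        "subject": subject in BAGLE_SUBJECTS,
        "body": body == BAGLE_BODY,
        "known_attachment": any(n.upper() in BAGLE_ATTACHMENTS for n in names),
        "executable_attachment": any(n.lower().endswith(EXEC_EXTENSIONS) for n in names),
    }
    # Quarantine only when an executable attachment is paired with at least one
    # lure indicator, so a harmless "Re Hi" reply with no attachment passes.
    hits["quarantine"] = hits["executable_attachment"] and (
        hits["subject"] or hits["body"] or hits["known_attachment"])
    return hits

# Constructed sample (not a real capture) mirroring the description above.
SAMPLE = b"""From: someone@example.org
Subject: Re Thanks :)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

:) )
--b1
Content-Type: application/octet-stream; name="PRICE.CPL"
Content-Disposition: attachment; filename="PRICE.CPL"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
```

Calling check_message(SAMPLE) sets all four indicator flags and quarantine to True, while a plain ‘Re Hello’ reply with no attachment only trips the subject flag and is passed through.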

Oh well, let me get this new Beagle’s mess off my foot. Yuk!


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 14th October, 2004


VB2004 in Chicago

Filed under: All

Well, the annual Virus Bulletin International Conference has come and gone again. This year it was held in the ‘Windy City’ (Chicago, USA) between the 29th of September and the 1st of October.

As usual there were over thirty top speakers there to present their papers. These ranged from ‘Spammers Trickery’ on the new SPAM stream added this year, to a number of panel discussions on diverse malware related topics, and numerous excellent technical presentations.

The ‘Technical’ stream was once again the most interesting (from my perspective), although I did sit in on several ‘Corporate’ stream presentations as well.

Pre-conference activities:

I attended the WildList meeting held the day before the conference.

Later the same day I also took part in the AVIEWS session where I presented on ‘Defence in Depth’ as part of a panel session. The other panel members were: David Phillips, Shawn Campbell, Shane Coursen, and Jeanette Jarvis.

The following were the top presentations that caught my interest from the conference:

Day 1:

  • A traveller’s diary – one organization’s journey to improve its anti-virus infrastructure - Margaret Patton, Government of British Columbia.
  • Gatekeeper II: New approaches to generic virus prevention - Richard Ford and Jason Michalske from the Florida Institute of Technology.
  • The return of script viruses – an overview of Microsoft shell - Eric Chien, Symantec
  • Unpacking strategies - Alex Shipp, Messagelabs

The Gala Dinner:

Well, what can I say? The gala dinner was excellent as usual. This year we were entertained by a husband and wife team (Ross and Eliza Hartzell) that liked to shoot arrows at each other, using a variety of bows and crossbows! They also hold the World record for the ‘Most Crossbows Triggered in an Arrow Relay’, which they performed for us live on stage. You can see the original recording of this record here (RealPlayer version or Windows Media Player version).

This was followed up by a wonderful menu, and more entertainment; this time in the form of Chicago’s own Blooze Brothers band and dancers, so lots of blues and rock-n-roll music was enjoyed by all!

Day 2:

  • Advanced survival techniques in recent Internet worms - Gabor Szappanos, VirusBuster
  • A worm’s evolution - Tomer Honen, Aladdin
  • Secure by design, a new start for file formats - Daniel Wolfe, McAfee
  • How to achieve 10Gbps performance for integrated anti-virus and anti-spam network-based security systems - Jon Curnyn, Detica
  • Trapping worms in a virtual net - Hamish O’Dea, Computer Associates

Conclusion:

VB2004 was the best attended of the VB conferences over the last 4 years or so (330 delegates), with lots of new faces and lots of old faces too. This has helped to keep VB fresh and interesting and, as far as I’m concerned, the best security conference for the area that I’m interested in.

For those that are interested, this is the seventh time I’ve presented at a Virus Bulletin International Conference; the paper I presented this year can be found here. This covers the use of Bayesian Filtering to detect/block e-mail borne malware. All feedback is most welcome.



Saturday 2nd October, 2004


Canning More Than SPAM With Bayesian Filtering - VB2004

Filed under: All, Papers

This paper was written for the 2004 Virus Bulletin Conference, is entitled ‘Canning More Than SPAM With Bayesian Filtering’, and is available in PDF (Adobe Acrobat) format.

This paper covers how Bayesian Filtering can be used to detect not just SPAM but also scams and malware (viruses, worms, trojans).

The conference was held in Chicago, USA on the 29th and 30th of September and the 1st of October 2004.


