MoMusings

Thursday 27th January, 2005


Another Day, Another Beagle Mess…

Filed under: All, Malware

Yet again, I come down at the start of the day only to find that annoying malware-mutt, Beagle [aka Bagle] has created a new mess for us to clean up.

I think it’s high time that the owner of this mutt had their nose rubbed into the mess, so they learn not to do it again!

This new variant is known by Symantec and Trend as Bagle.AZ. And, as usual, most other vendors can’t agree on a single name or variant version; see below:

Aliases:

  • Bagle.AX
  • Bagle.AY
  • Bagle.BK
  • Email-Worm.Win32.Bagle.ay
  • I-Worm.Bagle.AY
  • probably
  • W32.Beagle.AY@mm
  • W32.Beagle.AZ@mm
  • W32/Bagle-Gen
  • W32/Bagle.BK.worm
  • W32/Bagle.bk@MM
  • Win32.Bagle.AU
  • Win32/Bagle.BE@mm
  • Worm/Bagle.AX
  • WORM_BAGLE.AZ

What is more worrying is that we’ve seen an increase in new MyDoom as well as new Bagle variants over the last few days. I do hope we are not going to see a repeat of the ‘Malware Wars’ of last year!

So, what do we currently know about it?

The e-mail it produces to spread itself is made up of the following characteristics:

Subject: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Message body: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Attachments: (any of the following file names)
guupd02.exe
Jol03.exe
siupd02.exe
upd02.exe
viupd02.exe
wsd01.exe
zupd02.exe

(with any of the following extensions)
COM
CPL
EXE
SCR

Like its many predecessors, it forges the From and Reply-To e-mail headers, so don’t bother contacting the claimed sender, as they are probably not infected.
Furthermore, it spreads not only via e-mail but also via network shares.

The good news is that this variant is detected by my generic Snort signature for Bagle and that most vendors should have updates available to detect this new threat by the time you read this.

Links to descriptions:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Wednesday 26th January, 2005


IM Out To Get You!

Filed under: All, Malware

How many of you use instant messaging?

Loads if not all of you, I suspect, and probably you all have accounts on the top two or three IM services too?

I hear you ask “Why is he writing about instant messaging, is there a problem?”

And my reply would be “You bet there is a problem, and it is getting bigger everyday.”

So, let me shed some light on the issues:

Instant messaging clients are vulnerable to worms, trojans and other malware. You did know that, didn’t you?

Well, if you did or didn’t, the last time I looked there were over 1,700 known pieces of malware that used IM as either their primary, secondary or tertiary, etc. infection vector.

So far the main ones targeted are:

  • Microsoft
  • Yahoo
  • AOL
  • ICQ

In most cases the IM malware arrives as a link or a file in the IM client window; once the recipient clicks on it [runs the file], the malware will carry out its programmed tasks. These may include dropping or downloading other components and installing them on the compromised system, and sending copies of itself to all people in the victim’s buddy list to further the malware’s propagation.

If it drops and installs a backdoor or remote access trojan [RAT] or a bot, then you have probably lost control of your system. These backdoors may allow the malware author or bot herder to steal data/files from your system or upload them to it, use your system to send SPAM through, or use your system as a proxy or webserver to host cracked software, porn or a phishing site.

The possibilities are only limited by the malware author’s programming skills. Your compromised system could also be used to attack others as part of a DDoS [Distributed Denial of Service] attack.

Don’t scrap your IM client just yet

Why? Because most IM viruses and worms can’t propagate automatically, they [currently] require the recipient [potential victim] to click a link or download the infected file or dropper and run it. You can avoid many of the threats if you practice safe computing [SafeHex]. Also, many anti-virus companies now have either plugins to detect/protect against these threats or the features are built-in in the main anti-virus application.

I purposely haven’t covered IRC here as it [IRC] is widely used as the communication and control mechanism for botnets, so is a complete topic on its own.

To minimise the chance of infection, keep your IM client updated and follow these tips:

  • Be wary of files sent via IM, especially those with .exe, .pif, .bat, .cmd and .scr extensions, or ones purporting to be games. For best protection, verify with senders before opening.
  • Never click an unsolicited link fed via IM, or one lurking in another member’s profile or away message.
  • Check your antivirus company’s home page or a general virus site for news on current threats.
  • Evaluate your protection at Eicar.org, which has an antivirus test.

Links to papers/articles:

So, why am I covering this now?

Simple: a new IM worm was released this year which seems to be actually working and causing problems; in fact I was sent a new variant this morning that someone spotted. Even more worryingly, it is a new version that is not widely detected. In other words, only a few AV products currently detect it.

So what does it look like?

This worm arrives as an IM which contains the infected dropper; this, when clicked on, will drop an Sdbot variant, but otherwise it works in much the same way as earlier variants.

Details on the original version can be found here:

Details on samples seen:

FileName: LOL.scr
FileDateTime: 26/01/2005 11:48:50
Filesize: 196608
MD5: e8435f10643f2a53f29afe443d9b0d0d
CRC32: BDDE64B0
File Type: PE Executable
Detected By: KAV IM-Worm.WIN322.vb.C, McAfee W32/Bropia.worm.d


Here’s a Snort signature that should detect it until the AV vendors get updates out. Samples have been sent to them for analysis.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Bropia.worm.d [McAfee] - IM"; content:"|87 CC DF C6 CB 99 63 53 05 2E CF 96 AF FC BC 41 96 4E 6E 7E 76 3C B9 27 3A 4F AD 33 99 66 CF 11|"; classtype: misc-activity;rev:1;)


At this time only two [listed above] vendors detect this out of the 14 scanners I have at hand.



Friday 21st January, 2005


2004 Malware Review

Filed under: All, Malware, Scams

Well, another year has come and gone [where do they all go!] and the malware authors have excelled themselves for the second year running.

The following section is a modified [and annotated] extract from my “Malware Review of 2004” report:

The year 2004 was the 21st anniversary of the birth of malware and it was a real ‘game of two halves’. What do I mean by that?

The first half of 2004 was mainly dominated by the ‘Malware Wars’ between the authors of MyDoom, Netsky and Bagle, this resulted in dozens of variants for each family.
The peak of this war was in April, by May it had started to slow and by the end of June the war had degenerated into the occasional bout of name calling and handbags at six-paces.

The top performers were Netsky.P, which accounted for more than a quarter of all reported virus incidents (source: SOPHOS) and was the most prevalent threat for eight months; furthermore, four other Netsky variants also made it into the top ten. The other big worm that caused a lot of grief was Sasser. The thing to note here is that the author of Netsky and Sasser is one and the same: Sven Jaschan, an 18 year-old German who was arrested in May 2004. Ironically, Jaschan was ‘fingered’ by one of his friends, who was after the Microsoft bounty of $250,000 USD. Even more ironically, Jaschan now works for a computer security company in Germany.

The second half of the year has been more dominated by the bots and other network worms. The Agobot, Rbot, SdBot and Protoride families have been particularly fecund, producing new variants with increasing frequency and with more features to boot. The SdBot family alone now has over 3,000 variants [members].

The other major shifts this year have been the rise of phishing, which has grown around 5,000 percent over the last year, and spyware becoming a major headache for home users and showing signs that it will become a headache for many companies during 2005. There has also been a move from very visible ‘in-your-face’ malware to sneakier, stealthier worms that are almost invisible as they spread without user intervention. The methods used include open Windows shares, exploiting vulnerabilities in the OS and applications, and carrying password files to perform dictionary attacks on Windows shares.

The malware problem in 2004 mainly concentrated on the Windows platform. No new major malware was detected for Linux, although there is an increase in malware specifically written to target Linux. The Apple Mac was targeted this year by a ‘rootkit’. A small but growing number of viruses aimed at PDAs or mobile phones were discovered; this is a real change and I suspect that this will fast become the new battleground. The source code for the Cabir worm has now been released, so expect a flurry of copycats using this as the basis for new PDA/mobile phone worms which infect via Bluetooth or other mechanisms.

During the last few weeks in December we saw the rise of PHP worms, originally just targeted at a specific Bulletin Board package, but then extended to try and attack all PHP based websites. In all cases the worm uses a search engine to find new hosts to attack.

The number of known viruses grew by 28,327 in 2004, bringing the known virus running total to 112,438 by the end of the year. This compares with 2003, when growth of 20,077 brought the running total to 84,111, and 2002, when known viruses grew by only 4,551 to bring the running total at the end of 2002 to 64,034. That is an overall increase of 25% in 2004 over 2003, compared with a 23% increase in 2003 over 2002. So you can see that the bad guys are still going full tilt on producing new malware.

So let us look at my own statistics for 2004 from my ‘personal’ early-warning systems running on an aDSL link from my home; first the Top 10 malware trapped by my WormCharmer:

As you can see from the pie chart above, e-mail worms took seven of the ten slots overall for 2004. The other very active malware that didn’t spread via e-mail were three of the many, many Opaserve share-crawling worms.

Overall during 2004 my WormCharmer trapped 437 distinct malware [and variants], 56,478 samples were caught in total.

Below are my statistics from my Bayesian Filtering tool. Bayesian filtering is mainly used for filtering SPAM, however I trained mine to classify not only SPAM but also Malware, 419s and Phishing scams too.

The first graph [above] shows the percentage of malware trapped each month of 2004. You can clearly see the effect of the malware wars of the first half of the year.

Below is the graph that shows the data for Phishing scams which I trained the system to classify during June of 2004. As you can see the growth has been pretty amazing.

The next graph shows the percentage of 419 scams each month of 2004. If you don’t know what 419s are then I suggest you read some of my earlier postings to this blog. In a nutshell they are scams; advance fee fraud.

The final graph shows all the classifications I currently use on my Bayesian Filtering project for all my personal e-mail accounts:

This shows the overall percentages for each classification compared to all the others. Phishing is a tiny proportion at the moment; however, the growth is almost double every month. Spam is currently running at around 39 percent [January 2005], but if I add in the other ‘rubbish’ then that figure jumps to 57 percent! Now, compare that to last year: in February 2004 over 70 percent of all my incoming mail was ‘rubbish’ [Spam, 419s or Malware].
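The Bayesian filter itself is a personal project and its code is not on this page. The following is an added example, not the author’s code, of the technique the post describes: a multinomial naive Bayes classifier trained on constructed messages for the four classes named here (spam, malware, 419, phishing) plus a ‘ham’ class for legitimate mail, with a `proportions` function that gives the per-class percentages the graphs plot. The training texts, labels and the `BayesClassifier` name are all constructed for the demonstration.

```python
import math
import re
from collections import Counter, defaultdict

# Added example, not the author's tool: a minimal multinomial naive Bayes
# classifier for the classes the post names, trained on constructed messages.

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class BayesClassifier:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self):
        self.doc_counts = Counter()                # label -> documents seen
        self.token_counts = defaultdict(Counter)   # label -> token -> count
        self.vocab = set()

    def train(self, text, label):
        self.doc_counts[label] += 1
        for tok in tokenize(text):
            self.token_counts[label][tok] += 1
            self.vocab.add(tok)

    def log_scores(self, text):
        """log P(label) + sum over tokens of log P(token | label), per label."""
        tokens = tokenize(text)
        total_docs = sum(self.doc_counts.values())
        v = len(self.vocab)
        scores = {}
        for label, ndocs in self.doc_counts.items():
            ntoks = sum(self.token_counts[label].values())
            logp = math.log(ndocs / total_docs)
            for tok in tokens:
                # unseen tokens still get a small non-zero probability
                logp += math.log((self.token_counts[label][tok] + 1) / (ntoks + v))
            scores[label] = logp
        return scores

    def classify(self, text):
        scores = self.log_scores(text)
        return max(scores, key=scores.get)


TRAINING = [  # constructed training set: two short messages per class
    ("cheap meds online buy now huge discount", "spam"),
    ("best prices on software buy now limited offer", "spam"),
    ("important notice your account was used to send spam run the attached remover password to archive", "malware"),
    ("delivery service mail see attached file", "malware"),
    ("i am the son of the late president and need your assistance to transfer $25 million urgent confidential", "419"),
    ("dear friend urgent business proposal transfer funds percentage for your assistance", "419"),
    ("your bank account has been suspended verify your details at the link below", "phishing"),
    ("security alert update your online banking password click here to confirm", "phishing"),
    ("meeting tomorrow at 10 see you there", "ham"),
    ("here are the notes from the conference paper", "ham"),
]


def build_classifier():
    clf = BayesClassifier()
    for text, label in TRAINING:
        clf.train(text, label)
    return clf


def proportions(clf, messages):
    """Percentage of messages assigned to each class: the figure the graphs plot."""
    counts = Counter(clf.classify(m) for m in messages)
    return {label: round(100.0 * n / len(messages), 1) for label, n in counts.items()}


if __name__ == "__main__":
    clf = build_classifier()
    for text in ("urgent business proposal transfer $25 million confidential",
                 "delivery by mail see attached file",
                 "your bank account suspended verify your details"):
        print(clf.classify(text), "<-", text)
    print(proportions(clf, [t for t, _ in TRAINING]))
```

With ten training messages this only separates the obvious cases; a real filter needs hundreds of samples per class and retraining as the wording shifts, which is why the post notes that the phishing class had to be trained separately once enough samples had arrived.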

So, what of 2005? What will we see when I scrutinise the intestines of sacrificed malware whilst chanting incantations in hex? That’s another installment. Stay tuned!



Thursday 20th January, 2005


Virus Writers…

Filed under: All, Malware

Do you think you know all about malware authors?

Well, if you read my earlier blog posting on malware authors being employed by computer security firms, then you might know something, but there is more to tell…let us scratch the surface a little more…

The ‘standard’ stereotype used for malware authors has always been: “aged between 14 and 21, male and socially inept”. However, many of us that have been in the anti-malware industry for a number of years know that this is far from accurate. It may well be a valid stereotype for script-kiddies and wannabe malware authors, but not for the core, more adept and technically competent malware authors.

For instance, I know a number of malware authors that are in their late 30’s or early 40’s. Many of these have good jobs and are socially adept, and many of them have now stopped writing malware, having now realised their youthful folly. To prove there is always an exception to a rule, did you know that there is at least one known female malware author? Yes, there really is.

I often get asked if those that write malware are “very bright but misguided individuals?”; my answer is always the same: “A few [very few] are; the vast majority are script-kiddies who steal and modify others’ code and release it as their own”. 99.9% of malware authors are not ‘Uber-geeks’; they are all criminals, the electronic equivalent of vandals, bullies and graffiti artists at the very least, and at worst thieves, liars, con-artists, mercenaries and pimps.

On the F-Secure weblog there have been a number of related postings about malware authors in the news. Below you will find short clips from some of those postings as well as links to the original F-Secure Research Weblog postings, and the media pieces that they refer to.

If I get sufficient interest [feedback] I may well write an article on the motivations that the malware authors often cite to justify their ‘hobby’….




New Trojan Being Seeded

Filed under: All, Malware

Last night I suddenly started to receive some very odd e-mails, which frankly absolutely reeked of being malware, but NONE of the 14 virus scanners I had available detected anything suspicious! Not a good sign.

Here is an example of the e-mail:

Subject: Important notice for user xxx@xxx.xxx
From: “Support” xxx@pxxxxxx.xxx
Message-Id: 1ipBgH7ZN5.IaKxl@v
Reply-To: xxx@pxxxxxx.xxx

Dear user of [domain]
Your account has been used to send a large amount of spam messages during
the recent week.Most likely your computer had been infected by a recent
virus and now runs a trojaned proxy server.

We recommend that you run in attach free spyware remover
software to keep your computer safe.

Password to archive: 7831
License key: 15-5-2795

Best regards,
The [domain] team

Attachment: SpyKiller.zip


As you may have noticed, the attachment is a ZIP file, password-protected using a password of 7831.

The attachment and text would lead you to believe that you are infected and that you should run the attached FREE tool to fix the problem [yeah right, like I’m going to do that!].

So I extracted the file from the ZIP; the extracted file is called SpyKiller.exe. I scanned it again with the 14 up-to-date scanners, and still not one of them detected anything suspicious. So, at 19:29 on the 19th of January I dutifully sent it off to the AV companies for analysis [as I usually do with suspicious files].
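The trick here, an encrypted ZIP with its password printed in the message body, gets past gateway scanning because the scanner cannot open the archive, but the combination is itself a usable signal. The following is an added example, not code from the original post, that checks a raw message for exactly that pairing: a ZIP attachment whose members carry the encryption flag, plus a ‘Password to archive:’ line in the text body. The sample message, the addresses and the ZIP are constructed (Python’s `zipfile` cannot write encrypted archives, so the sample sets the encryption flag bit by hand); the password value and wording follow the e-mail quoted above.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Added example, not from the original post. A gateway cannot look inside an
# encrypted archive, so "encrypted ZIP attached" plus "password in the body"
# is the thing to alert on. Every sample below is constructed.

PASSWORD_HINT = re.compile(
    r"password\s*(?:to|for)\s*(?:the\s*)?archive\s*[:=]\s*(\S+)", re.I)


def build_encrypted_zip_sample(member_name, data):
    """Constructed sample: a ZIP whose member carries the 'encrypted' flag.

    zipfile cannot write encrypted archives, so write a plain one and set bit 0
    of the general-purpose flag in both the local file header (offset 6 after
    its signature) and the central directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, data)
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x03\x04") + 6] |= 0x01
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


def build_sample_message():
    """Constructed e-mail shaped like the one quoted in the post."""
    msg = EmailMessage()
    msg["Subject"] = "Important notice for user someone@example.invalid"
    msg["From"] = "Support <support@example.invalid>"
    msg["To"] = "someone@example.invalid"
    msg.set_content(
        "Dear user of example.invalid\n"
        "Your account has been used to send a large amount of spam messages.\n"
        "We recommend that you run in attach free spyware remover software.\n\n"
        "Password to archive: 7831\n"
        "License key: 15-5-2795\n")
    msg.add_attachment(
        build_encrypted_zip_sample("SpyKiller.exe", b"MZ" + b"\x00" * 62),
        maintype="application", subtype="zip", filename="SpyKiller.zip")
    return msg.as_bytes()


def analyse(raw_message):
    """Findings for one raw RFC 822 message: (attachment, member) pairs that
    are encrypted, and any 'password to archive' value in the text body."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {"encrypted_archives": [], "password_hint": None}
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        m = PASSWORD_HINT.search(body.get_content())
        if m:
            findings["password_hint"] = m.group(1)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x01:          # bit 0: member is encrypted
                        findings["encrypted_archives"].append(
                            (part.get_filename(), info.filename))
        except zipfile.BadZipFile:
            continue                                   # malformed: leave to other checks
    return findings


def should_quarantine(raw_message):
    """Hold the message only when both signals are present."""
    f = analyse(raw_message)
    return bool(f["encrypted_archives"]) and f["password_hint"] is not None


if __name__ == "__main__":
    sample = build_sample_message()
    print(analyse(sample))
    print("quarantine:", should_quarantine(sample))
```

Requiring both signals keeps the false-positive rate down: plenty of legitimate mail carries an encrypted archive, and plenty mentions a password, but a stranger sending both in one message, with the password in the clear next to the archive, is the pattern this campaign relies on.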

Below are more details on the ZIP and the extracted EXE file:

FileName: SpyKiller.zip
FileDateTime: 19/01/2005 19:10:31
Filesize: 9852
MD5: 826856f2d2f7c0e3849391176bddfec5
CRC32: 4EF3957E
File Type: ZIP Archive File

FileName: SpyKiller.exe
FileDateTime: 20/01/2005 02:13:54
Filesize: 10133
MD5: f2d29276bf087e9fc4993eae109c19d8
CRC32: B3D23EC4
File Type: PE Executable
Packer: FSG


And, to detect it until the anti-virus firms got round to it, I created the following Snort signature, which detects the incoming infected e-mails:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Troj/Lohav-Q [SOPHOS] - MIME"; content:"CyXouhfNUeJ9i3t0N7k993sVScEjojNh78DVeU12dvLEjLHRNqIW5YI+EE5yLSFMEAXw3icA5xh2"; classtype: misc-activity;rev:1;)
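Both Snort signatures on this page (the Bropia one in the 26th January post and the Lohav-Q one just above) are single `content:` matches. The following is an added example, not the author’s code, that parses the `content:` option of each rule (handling Snort’s `|xx xx|` hex sections and backslash escapes) and checks a payload against it, so a captured sample can be confirmed offline to trigger the rule. The rule text is copied from this page; the sample payloads are constructed.

```python
import re

# Added example, not code from the original post. The two rules quoted on this
# page (copied verbatim, with straight quotes) both key on one content: pattern,
# so this parses that option and tests constructed payloads against it.
RULES = {
    "bropia": ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"W32/Bropia.worm.d [McAfee] - IM"; '
               'content:"|87 CC DF C6 CB 99 63 53 05 2E CF 96 AF FC BC 41 '
               '96 4E 6E 7E 76 3C B9 27 3A 4F AD 33 99 66 CF 11|"; '
               'classtype: misc-activity;rev:1;)'),
    "lohav": ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
              '(msg:"Troj/Lohav-Q [SOPHOS] - MIME"; '
              'content:"CyXouhfNUeJ9i3t0N7k993sVScEjojNh78DVeU12dvLEjLHRNqIW5YI+EE5yLSFMEAXw3icA5xh2"; '
              'classtype: misc-activity;rev:1;)'),
}

# First content:"..." option in the rule; a backslash escapes the next character.
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')


def parse_content(rule):
    """Return the byte pattern a rule's content option matches.

    Snort content strings mix literal text with |xx xx| hex sections, which
    alternate at each '|'. Assumes no escaped '|' inside the pattern (true for
    both rules above)."""
    m = CONTENT_RE.search(rule)
    if m is None:
        raise ValueError("rule has no content option")
    out = bytearray()
    for i, part in enumerate(m.group(1).split("|")):
        if i % 2:                      # odd index: inside |...|, hex bytes
            out += bytes.fromhex(part)
        else:                          # even index: literal text, unescape \x
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def scan(payload):
    """Names of the rules whose content pattern occurs anywhere in payload."""
    return [name for name, rule in RULES.items() if parse_content(rule) in payload]


# Constructed samples. The MIME fragment carries the base64 run the Lohav-Q
# rule keys on (part of the ZIP attachment's base64 body); the IM blob wraps
# the 32 bytes the Bropia rule keys on in filler.
SAMPLE_MIME = (
    b'Content-Type: application/zip; name="SpyKiller.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"UEsDBBQAAAAIAMVzNDJ" + parse_content(RULES["lohav"]) + b"AAAA\r\n"
)
SAMPLE_IM_BLOB = b"\x00" * 16 + parse_content(RULES["bropia"]) + b"\xff" * 16

if __name__ == "__main__":
    for label, sample in (("mime", SAMPLE_MIME), ("im", SAMPLE_IM_BLOB)):
        print(label, "->", scan(sample) or "no match")
```

Neither rule carries `offset`, `depth` or `flow` options, so each fires on any packet in either direction of the session that carries the bytes. Both also key on a fixed fragment of one packed sample: re-packing the executable, or re-wrapping the base64 lines so the 76-character run straddles a line break, shifts the bytes and the rule goes quiet. That is the expected lifetime of a stop-gap signature written from a single sample, which is why the author treats these as a bridge until vendor detection arrives.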

A Result!
At 13:00 today [20th January] I finally received a response from ONE of the anti-virus companies confirming my suspicions, thanks go to Sophos for having the courtesy to respond and give me useful data.

Below is the data they supplied [please check their site for latest details]:

The file spykiller.exe that you sent to us for analysis was a Trojan, Troj/Lohav-Q, that also downloads the Trojan, Troj/Padodor-U. There are descriptions below.

Troj/Lohav-Q is a backdoor proxy Trojan.

Troj/Lohav-Q may arrive with a filename of SPYKILLER.EXE as part of an email, with the subject “Important notice for user [user@domain]” and body text:

Dear user of [domain]

Your account has been used to send a large amount of spam messages during the recent week. Most likely your computer had been infected by a recent virus and now runs a trojaned proxy server.

We recommend that you run in attach free spyware remover software to keep your computer safe.

Password to archive: [password]
License key: [key]

Best regards,
The [domain] team

Troj/Lohav-Q will attempt to download and run an executable file detected as Troj/Padodor-U.

When first run, Troj/Lohav-Q will copy itself to the Windows system folder as WINHOST.EXE. In order to run automatically each time a user logs in, Troj/Lohav-Q will set the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe
%SYSTEM%\winhost.exe

Troj/Lohav-Q will also set the following registry entries:

HKCU\Software\Timeout
uid
[number]

HKCU\Software\Timeout
port
[listening port number in hexadecimal]

HKCU\Software\Timeout
pid
[process identity number]

where the default listening port number is 9010.

Periodically, Troj/Lohav-Q will contact a number of websites in order to register the computer as being infected.

Troj/Lohav-Q can be used to route internet traffic from other computers via the proxy component and can be used to forward spam email.

Troj/Lohav-Q will attempt to terminate the following security-related processes:

AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE,
APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE,
ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE,
AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE,
AVprotect9x.exe, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE,
BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE,
BIPCPEVALSETUP.EXE,
BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE,
CDP.EXE, CFGWIZ.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIADMIN.EXE, CFIAUDIT.EXE,
CFIAUDIT.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET.EXE, CFINET32.EXE,
CFINET32.EXE, CLEAN.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER.EXE, CLEANER3.EXE,
CLEANPC.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMGRDIAN.EXE, CMON016.EXE,
CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE,
CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE,
DRWATSON.EXE,
DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE,
EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE,
FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE,
FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE,
HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMAPP.EXE,
IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE,
ICSUPP95.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE,
IRIS.EXE,
JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE,
KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE,
KILLPROCESSSETUP161.EXE,
LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE,
LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE,
MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE,
MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE,
MU0311AD.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE,
NAVW32.EXE,
NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE,
NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE,
NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE,
NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE,
NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE,
OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE,
PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE,
PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCFWALLICON.EXE,
PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE,
PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE,
PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE,
PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE,
PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE,
REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE,
RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE,
SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE,
SH.EXE,
SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE,
SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE,
SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE,
TCA.EXE, TCM.EXE, TDS-3.EXE, TDS2-98.EXE, TDS2-NT.EXE, TFAK5.EXE,
TGBOB.EXE,
TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE,
TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE,
VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE,
VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE,
VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE,
VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE,
VSWINNTSE.EXE,
VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE,
WGFE95.EXE, WHOSWATCHINGME.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE,
WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE,
XPF202EN.EXE,
ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONALM2601.EXE,
ZONEALARM.EXE

====

Troj/Padodor-U is a password stealing Trojan.

When first run, Troj/Padodor-U will copy itself to the Windows System folder as SYSTEMIL.EXE. The Trojan will also create a copy of itself as IL.DAT.

Troj/Padodor-U will drop the files SYSIE.DLL and SYSIL.DLL. These files are detected as Troj/Padodor-N.

In order to run the Trojan automatically on startup, Troj/Padodor-U will set the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
systemil
(Random CLSID)

HKCR\CLSID\(Random CLSID)\InProcServer32
(Default)
sysil.dll

Troj/Padodor-U monitors access to banking websites in order to steal username and password information.

At the time of writing only the following anti-virus products detect this:

** Yes it was sent to Symantec, Trend and many, many, other anti-virus companies and researchers.



Monday 17th January, 2005


Tsunami Related Malware…

Filed under: All, Malware, Scams

How low will the malware authors go?

Well, real-low or so it seems!

Looks like the malware authors have been mixing with scam artists and other internet scum and villains who prey on the ‘good’, ‘caring’ people out there. So, heads-up, all of the ‘good’ people out there in internet-land.

Yes, the malware authors [who as far as I was concerned were already in the gutter] have joined the rest of the internet filth down in the virtual sewers of the ‘net, I hope they rot down there with the rats and other waste…

The VBS/Geven-B worm which was released earlier this month tried to spread a twisted message that the earthquake and resulting tsunami was God’s punishment to “people who did bad on earth”.

The worm, when run creates a text file which it attempts to open on the infected system; the text reads:

It is God’s total avenge!
To those people who did bad on earth…
God has promised, that He will give lesson,
and this is a promise that the End of Day
is just not too far ahead!
Pray, do good and may God bless you!
Tell and share this message with everyone who has faith in God.

Now, we have the VB-Sun-A worm. This worm prompts unsuspecting users to open an infected attachment which of course spreads the worm further. As a further nasty side-effect it will initiate a denial of service [DoS] attack on a German hacking website [www.hacksector.de].

Infected e-mails have the subject line of:

Tsunami Donation! Please help!

The body text reads:

Please help us with your donation and view the attachment
below!
We need you!

The worm is contained in the attachment to the e-mail and is called tsunami.exe.

Phishy Site:
Finally, over the weekend a very convincing fake Red Cross website was set up at www.american-redcross.org [no, this isn’t a real RED CROSS site address] by scammers out to steal credit card data, card and PIN numbers too. The site is now down, but it is unclear as to how many people fell victim to this despicable scam.

Links:
Sophos VBS/Sun-A

Sophos VBS/Geven-B

The ‘Real’ Red Cross site



Thursday 13th January, 2005


December 2004 Review

Filed under: All, Malware, Stats

December 2004 was a very busy month for me, the malware authors [obviously school holidays, again!] and the anti-malware community in general.

This blog entry will look at some of the things that happened during the month.

I submitted twenty-three new [unknown] viruses/worms/bots during the month, which is over double the average number I submit in a ‘normal’ month. This in itself is rather remarkable.

Anyway let’s have a look at some statistics and see what they can tell us:

I have included a number of graphs to show what both I and the anti-virus vendors were seeing during the month and this will hopefully give you a flavour of what was going on.

I have included three sources of information for the graphs and pie-charts; these are:

  • Kaspersky
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet. These systems are running on an aDSL link and are personal research projects that have been running for some time: WormCharmer 2+ years, Malware Bayesian Filter 1+ year.

More details on these ‘personal’ projects can be found in the papers section of my website, as both have been written up as conference papers.

The first pie chart shows the top ten malware that were caught by my WormCharmer system. As you can clearly see, Sober.j [which was unleashed on the Internet in November] was by far the most prevalent malware that was caught by my ‘sample capture’ tools. It also shows that e-mail worms are not always the most prevalent threats, as four out of the ten are share-crawling worms and multi-component droppers.

In total during December 2004 I trapped 141 distinct malware types [4878 samples in total], compared to November when I only trapped 106 distinct malware types [4776 samples in total].

If you compare the above to the data from Kaspersky you will see some marked differences.
Why? Simply because my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 here. This clearly shows that December was busier than November [but not as busy as April and May] as far as e-mail based malware was concerned. However, as mentioned previously other malware [bots, worms, multi-component malware] have been even more active during December.


The raw statistics (both CSV and Graphed) can be found in the usual place on my site.
If you feel you need access then please contact me to discuss.

I’ll post a review of the whole of 2004 as soon as I can find a little spare time.



Wednesday 12th January, 2005


Mobile Malware: Reloaded

Filed under: All, Malware

Back in 2000 we saw the first PDA infectors and Trojans targeting the Palm OS; since then it had been rather quiet until last year (2004).

Last year [2004] was a landmark year for malware that attacks/infects PDAs and Smartphones; a number of these are known to be in the wild.

In June 2004 we had Carib aka Cabir which used Bluetooth to spread and infect phones that use Symbian OS (Series 60). As of today there are 13 variants known of this Bluetooth worm.

In July 2004 we had Duts which infects Windows/CE aka PocketPC and is a parasitic file infector (virus).

In August 2004 we saw Brador which is a backdoor for Windows CE and PocketPC.

In November 2004 we saw Skulls which is a Trojan for Symbian based phones (Series 60), there are currently 4 known variants.

During December 2004 source code for one of the Carib variants was found circulating on the underground [No, not London Underground or any other metro either ;-) ] and since then a number of new variants have been released. Also, the original author of Carib released his/her source code in January 2005.

On the 10th of January this year a new Symbian malware was found which spreads in two distinct ways, something not seen in mobile/PDA malware before now.

The new malware, known as Lasco.A, spreads by searching for all SIS installation files on the infected device and inserting itself into each of them as an embedded SIS file. This means that any SIS file on the infected device that is later shared with another phone will also carry a copy of Lasco.A. Additionally, Lasco.A spreads by sending itself directly over Bluetooth, like Cabir.

AV researchers carried out some tests with known Java infectors on mobiles that have Java capabilities, and found that all the currently known Java malware works on those mobiles without any modification.

A number of AV products now exist for PDAs, Smartphones and Symbian based mobiles:

So what does this mean for most mobile phone users?

Well, unless you have a mobile based on Symbian, Palm or Windows CE (aka PocketPC), or one with Java functionality, mobile malware is unlikely to bother you.

However, if you have one of the listed operating systems on your phone/PDA, then expect malware to come calling some time soon. In particular, treat any SIS file that arrives from another handset as untrusted even when it comes from someone you know: as Lasco.A shows, a file that was perfectly legitimate when it was installed can have a copy of the worm embedded in it by the time it is passed on.

I suspect that, as we have already seen a backdoor for these devices, it is only a matter of time before we see the first mobile/PDA botnet*.

[*Yes, I know there are technical hurdles still to be overcome before this becomes a reality.]



Monday 10th January, 2005


Are You or Your Loved Ones A Mule?

Filed under: All, Scams

Do you know about Phishing?

No, this isn’t sitting on the bank of a river, stream or pond, or in/on the sea, dangling your rod over the water… if you are still confused then see this article here and all should become clear.

I hear you ask “What have Mules got to do with Phishing?”

The answer is this:

We are not talking about four-legged creatures that are half horse and half donkey… think more of drug couriers, who are more usually referred to as Mules!

Now, in most cases Mules are those who either carry things for others [hence the use of the term] or act as laundering points, as in organised crime syndicates: they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail.

So, back to the Phishing…..

A number of people have recently been recruited as Mules by the Phishers to help process the identities stolen during the latest Phishing trawl, but the Mule doesn’t know that they are helping criminals… They believe that they have a ‘real’ job helping financial companies with ‘excess’ workload, or helping to test the company’s security by logging in using the stolen credentials and moving money to other accounts… scary, huh?

Of course, when the authorities catch up with the Mules and they are arrested and charged, they are often shocked that they had been so naive, and feel rather ‘used’.

So next time you see a job ad on the web or in the local paper, or receive a job offer via e-mail, stop and think: is this really legit, or am I about to be turned into a mule? A ‘job’ whose only duties are receiving money into your own account and forwarding it on, or logging into other people’s accounts on someone else’s behalf, is the tell.

Oh, and this [Phishing and using Mules to process the stolen identities] isn’t something new; it has been happening for at least the last six months, but it is becoming more prevalent as Phishing attacks have exploded over the last year, growing almost 5,000 percent since November 2003, but that’s another “tail”…

Don’t think it “really” happens? Think again, here are some links to prove it:




The Asian Earthquake and Tsunami 419!

Filed under: All, Scams

I was discussing how long it would take the 419ers to latch onto the latest way of making money: taking advantage of the Asian earthquake and the resulting tsunami. I said that we’d see one within 10 days. Sure enough, they couldn’t resist using this catastrophe to try and fleece more people.

On the 3rd of January 2005, a mere 9 days later, I saw the first of these predicted 419s.

In reality it is just the latest nasty, bad-taste version of the boys from Lagos’s attempts to dupe people, in this case not just the usual naive and desperate who don’t mind breaking the law, but also those who are ‘really’ interested in helping the survivors of the disaster and those that lost loved ones; friends, family and acquaintances alike.

The ‘Boys [and girls too] from Lagos’ should be ashamed of themselves, how much lower will they go?

They are nothing more than heartless thieves and con artists….and I hope they get their just rewards!

Here it is in all its sick glory:

Subject: Earthquake and Tsunamis in Indonesia (how we were affected)

Dear Sir

My name is Marco Nula; I am a victim of the recent Earthquake followed by the Tsunami that wrecked our whole society of Banda Aceh Province in Indonesia resulting in painful death of my Parents.

My Late Father Mr. Alfredo Nula is from Paramaribo in Suriname (South America) and my Mother from Banda of Aceh Province in Indonesia, they got married in Suriname because Indonesia like Suriname was a colony of The Netherlands, but they moved to settle in Indonesia when my Sister and I were born and because Indonesia has better economy than Suriname, but my Sister and I was away in School in the Capital Jakarta when this sorrowful incidence happened to my late parents and all other Families affected by the Quake and the Tsunamis all around Sumatra and Aceh Province.

My Father and Mother owned a tourist resort and grocery store at No 71 Panglima Polim Street, Banda Aceh in Indonesia, it was visited by numerous tourists from different countries on Holidays each year but this tragic and devastating Tsunamis took the lives of my parents and many others. My Late Parents saved much of their money in a Bank in The Netherlands, not only because we were Dutch Colony but also because we speak Dutch as an official Language in Suriname, I contacted my Parents Lawyer in Jakarta and he has confirmed to me that my Parents has the sum of 3.2Million Euros deposited in savings in The Netherlands which will be claimed by me as next of Kin, but he also explained to me that because I was not nationalized in Netherlands after Suriname got Independence from the Netherlands I had no permission to settle there in that Country.

We have recovered the corpses of my Late Parents, although private, international and government aid is coming in, it will not be any where enough to settle our problems, please I am hereby soliciting for your assistance at clearing my Late father’s money Euros 3.2Million in The Netherlands, I have asked the Lawyer to provide me with all documents, I shall have send them to you when you show sincere intentions to help me and my Sister, if you are business oriented with experience in Holiday, Hotel and Resort business or have some idea on how to run a groceries shop, I am willing to recommit the money for the full benefit of all (My Sister you and I) apart from that I shall be willing to give a negotiable percentage of the money to you otherwise or alternatively, please contact me on my email address as the telephone system is not functioning at the moment.

Thank you,

I hope you understand our predicament and come to our assistance.

Marco Nula

Whatever you do, don’t fall for this scam [or any of its relations]; it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe: Mgbada. It may also catch naive but well-meaning people, due to the latest sick twist of the scam. The tells are the same as in every other 419: a large sum supposedly held abroad, a complete stranger chosen to help claim it, a ‘negotiable percentage’ on offer, and contact by e-mail only.

Oh, by the way, just in case you didn’t get it: this, like all the other multitudinous versions, is nothing more than a scam; there is no money [or other valuables such as oil, gold, diamonds, etc.].

To the boys [and girls] from Lagos [the 419ers that run these scams] it is a business, and they don’t care who they rip off to get the money.

Please help!

If you want to help those affected by the Asian disaster, then please do not let these scammers put you off giving your much-needed assistance. However, DO use one of the real charity organisations that are helping, such as the ‘Disasters Emergency Committee’ [based here in the UK]; their website address is http://www.dec.org.uk and so far the British public have donated over 76 Million Pounds.

This money goes to Member Agencies such as: The British Red Cross, Oxfam, Save the Children, Christian Aid, and many others that are assisting the affected countries in Asia and the many people affected by this disaster.

What Next?

Another prediction: We will see Phishing scams using this disaster within the next 10-14 days.


