MoMusings

Thursday 31st March, 2005


Bounty, Macs, Rootkits and Papers

Filed under: All, Malware

Well, I’ve been rather quiet on the blog-front for the last week or so, did you miss me? ;-)

Why? Well, I’ve been preparing for and then running a course. Since then I’ve been catching up with all my e-mail and all the work I wasn’t able to do while I was away.

So, what’s new?

Quite a bit, we saw a number of variants of Mytob over the last week, a 25,000 US Dollar bounty for the first ‘in-the-wild’ Mac worm [malware writing contest], a new toolkit to enable rootkit and other malware authors to make their creations more stealthy and less likely to be detected, and I’ve had another paper accepted for a major conference later in the year.

Let’s cover each of these in a little more detail below:

Mytob…

It seems that the Mytobs have been in the sack again, yet more family members. This malware family seems to be expanding at a phenomenal pace. If they continue at their current rate then they will be producing new offspring as fast as Giant African Land Snails [these guys leave rabbits looking on in envy and amazement at their abilities to produce large quantities of offspring in a very short time].

When I used to keep these creatures* I went from having just two of these large snails to over three-hundred in a few months, if I had let them carry on at this rate my house would have been literally bursting at the seams with snails…..but I digress.

So, back to the Mytob variants; at one point we had eight new variants in just five days, now that is just getting silly! The last time we saw that level of new variants being produced was back in the Netsky/Mydoom/Bagle wars of last year!

More details can be found here.

Details on one of the variants [they are all almost identical] can be found here.

Big Mac With Worms…

Oh dear, every now and then some bright spark gets it into their heads that we actually need more malware than we already have, and is amazingly prepared to offer good hard cash for them. In this case it was to write a worm targeted at the Apple Mac [running OS X], so someone was actually willing to pay for a worm in his/her Apple ;-)

The kicker was that if a Symantec employee infected the boxes then they would get 50,000 US Dollars, double what any other Tom, Dick or Harriet would get. Is it just me or does this just seem rather surreal? I mean come on guys, this has to be a scam, right?

Thankfully a number of enlightened Mac users suggested to the company offering the prize that it actually wasn’t a very good idea. So guess what, within 12 hours of announcing it they canned it!

You can see the original page that covers the contest here.

More details and analysis can be found here.

Hacker Defender….

Hacker Defender is a user-mode rootkit/trojan that includes a built-in hidden backdoor. Apparently the latest version released by the author called ‘Golden Hacker Defender’ has a per license cost of 390 euros (about 500 US dollars).

Who says that only the good-guys are making money from the malware scene? The bad-guys are increasingly writing and distributing malware for money or to steal data to sell, or to hijack systems to push spam, etc. through for money.

Wonderful, like we really need another tool for the bad guys to make their creations more difficult to detect.

More details can be found here and here.

Another Conference Paper…

After my last posting on ‘Malware and Anti-Malware Training’ I have just been informed that one of the abstracts that I submitted for this year’s Virus Bulletin International Conference has been accepted. This takes my total of appearances [as a speaker] at this conference to eight, five of those have been since 2001, so since 1996 I have presented at all but two of them [1998 and 2000].

Anyway, on to the paper itself entitled: Bots and Botnets: Risks, Issues and Prevention.

The abstract should be up on the site early next month, if anyone desperately wants to see it beforehand then drop me a line.

This year is getting rather busy with speaking/training engagements; what with guest lecturing at the University of Warwickshire next week, the EICAR conference at the end of April, running another 3 day course in June, Virus Bulletin in October, probably lecturing at the university again that month and a third and final 3 day course also in October, sheesh! Oh, and I still have my other normal work to do too.

* Don’t ask about my other pets and creatures I keep.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Wednesday 16th March, 2005


Malware and Anti-Malware Training

Filed under: All, Malware

Are there any budding malware researchers or security professionals out there who want to learn about malware and ways to identify and combat them? If so then this blog posting will [hopefully] be of some interest to you?


As any of you that have tried to get training in malware/anti-malware research and related areas may have already found, there is very little available, well very little ‘good’ training and what there is is usually vendor specific.

So, for most of us in this area, training usually consists of lots of reading and research via the web and any ‘good’ books or other publications that can be found. However the number of ‘good’ malware/anti-malware books and other publications have always been fairly limited.

The other way of picking up knowledge in this area is via conferences and social networking [contacts made at these conferences]. This means that if you are new in this arena unless you have someone to vouch for you who is already well known and trusted by a good percentage of the researchers it can be very, very hard to get trusted and get access to detailed and accurate information. In other words it is a ‘catch-22′ situation.

EICAR 2005


This is an international conference which is run every year and attracts many of the top malware researchers and other security professionals from academia, corporations and the anti-malware industry itself.

This year’s conference is being held in Malta starting on the 30th of April and ending at the close of the conference on the 3rd May.

As hinted at in a previous posting to this blog I will be representing IBM and presenting a paper this year. The paper is entitled: Anti-Malware Tools: Intrusion Detection Systems. This covers the use of Snort [A free IDS system for Windows and *NIX systems alike] for detecting and blocking malware. The paper covers how I create malware specific signature/rules for use with Snort. The abstract can be found here.

The complete schedule for the conference can be found here.

Virus Bulletin 2005


This is the premier malware/anti-malware conference, anyone that is anyone in this sphere of security attends and/or presents at this international conference. This year it will be close to home [well for me at least]; Dublin in the Republic of Ireland. A mere 1 hour flight, rather than the recent 8-10 hour flights I’ve had to endure [in coach] for the last 3 years I’ve attended.

The conference site can be found here. They haven’t yet published the schedule as the call for papers has only just closed.

Not only do Virus Bulletin run the premier conference in this area, they also publish a monthly magazine which is a must for all those interested in this area of security.

If you really want to see the papers and articles I’ve written for the various conferences and Virus Bulletin magazine too, they can be found here.

I hope to find some time in the next few weeks to blog about the ‘good’ malware/anti-malware books that I’ve found.



Monday 14th March, 2005


Diagnostic Tools: HijackThis!

Filed under: All, Tools

Last time I covered Fport. This time I will cover another useful tool for finding spyware, adware and other malware programs running on your system via one of the registry keys [or other launch points] that ensure the ’scumware’ is started whenever it wants to be; such as at system startup or when a specific application is launched.

To try and assist in this situation I will cover one of the ‘tools-of-the-trade’ that can be used to list registry keys and related launch points that are being used by the ’scumware’ when it gets on to your system.

Introduction:
HijackThis examines certain key areas of the Registry and hard drive, lists their contents and provides the ability to remove any unwanted entries. These areas are used by both legitimate applications and hijackers, so an entry being listed does not by itself mean it is malicious.

Installation:
Download the HijackThis zip file to your computer and unzip it. I would recommend first creating a folder named ‘HijackThis’ for it located someplace easy to find like ‘My Documents’ and place the file into the same folder.

Now to make opening the program simple create a shortcut to the desktop. This is done easiest by right clicking on the HijackThis exe file, scroll down to ‘Send To’, and scroll across to ‘Desktop (create shortcut’) and click it.

Usage:
Now open the program and click ‘Scan’. When the scan is done click ‘Save log’ and save the log file to the same folder HijackThis is in. Please do not check or fix anything.

Open the log file. Double-clicking on the file should open the log file with notepad or similar text editor. If asked to choose a program to open it with select Notepad. Using Notepad click ‘Edit’, scroll down to ‘Select All’ to highlight all the text in the file. Click ‘Edit’, scroll down to ‘Copy’ and click.

Download HijackThis

So, what does it look like? Like this [this list of programs, BHOs, etc. will not in most cases be the same as the ones shown in this screenshot]:


HijackThis can also be used to remove scumware.

The beauty of HijackThis is that it is usable by most non-technical users, it is small and currently is not being defeated/manipulated by malware, unlike a number of other system diagnostic tools. So, if you think you are infected and have tried all the usual things to track down the rogue application, then give HijackThis a go. What have you got to lose, apart from the scumware?

If you don’t understand the output then feel free to send it to me for analysis. I can’t promise to solve the problem or deal with it immediately, but I will see what I can do.



Friday 11th March, 2005


February 2005 Review

Filed under: All, Malware, Stats

I’ve finally managed to find some time to create some graphs and perform some trend analysis from the raw data from my WormCharmer for February. Hope they are of some interest?

I have included three sources of information for the graphs and pie-charts, these are:

  • Kaspersky
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer 2+ years, Malware Bayesian Filter 1+ year.

In total I captured 2234 samples during February, which have been catalogued as 166 distinct families and variants. In comparison in January 2005 I captured 2814 samples which were catalogued as 144 distinct families.

During February I captured 26 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The first pie chart below shows the Top 10 distinct malware by percentage. As you can see this includes not only mass-mailers but also five share-crawling worms [2 Opaserv variants and 3 Agobot variants]. The mass-mailing worm W32/Zafi.B@MM was the sample with the highest number of captures, closely followed by W32/Netsky.P@MM.

If you compare the above to the data from Kaspersky you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of February] here. This clearly shows that February was quieter than January as far as e-mail based malware was concerned. However, as mentioned previously other malware [bots, worms, multi-component malware] have been even more active during February.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.



Thursday 10th March, 2005


Phones, Malware and Automobiles

Filed under: All, Malware

It has been a few weeks since I last covered the area of mobile malware and to be honest there has been some significant new threats and rumours that I’ve been meaning to cover in this area. However, due to other writing commitments I have been unable to find enough time to do it the justice it deserves. Well, the conference paper for EICAR 2005 is all but finished so now seems to be as good a time as any!

Anti-Virus for Cars???
Back in January this year on the Kaspersky Lab Analysts Diary RSS Feed an item was posted regarding an end-user asking how to remove a virus which “infected the onboard computers of automobiles Lexus LX470, LS430, Landcruiser 100 via a cell phone.”


To say that this caused a media feeding frenzy was an understatement!

A few weeks later after much of the hype had died down a posting was made to the F-Secure Lab Weblog, stating the following: “We received an official reply from Lexus to our query about the case of Cabir worm possibly infecting cars”

F-Secure concluded the following after analysing the reply they had received from Lexus:

“Since the Bluetooth interface supports Object Push Protocol it could be possible that when Cabir is looking for a target it might try to send itself to the Lexus navigation system (which as said before is immune to the worm) and this could cause an error message on the system, but not more than that. Before we can afford a Lexus to try this on we’ll just have to speculate however.”

So, it seems that unless the designers of embedded operating systems used in cars and planes have been monumentally stupid then [for now] you shouldn’t need to scan your car or aircraft for malware…..

I do know that the US Navy [and the Royal Navy too] are using Windows for Warships, how on earth do you reboot a Warship when it blue-screens, how about when it catches a digital dose of the pox? Do they have AV for Warships???

MMS Malware
A few days ago a new and interesting malware threat was found which affects mobiles that use the Symbian Series60 Operating System. This new mobile malware is known as CommWarrior.

Like Cabir [aka Carib] it spreads via Bluetooth, but more interestingly it can also spread via MMS [Multimedia Messaging Service].

More data on it appears below [borrowed from the F-Secure description]:

CommWarrior is a worm that operates on Symbian Series 60 devices, the worm is capable of spreading both over Bluetooth and MMS messages.

When CommWarrior infects a phone it will start searching for other phones that it can reach over Bluetooth and send infected SIS files to the phones it finds.

In addition to spreading over Bluetooth, the worm will also read the user’s local address book for phone numbers, and start sending MMS messages containing the CommWarrior SIS file.


Also we have received a confirmation that the spreading over MMS messages works. However there seems to be a delay between the MMS messages, so CommWarrior will not spread rapidly like most e-mail worms do.

And when one takes into account the fact that installing an application from an MMS message takes even more steps than with a Bluetooth message, and that the receiver has to have a compatible Symbian Series 60 phone for the worm to function, the Bluetooth/MMS spreading is not as dangerous as it could have been.

Analysis of the CommWarrior mobile phone virus has revealed that the infection is not spreading rapidly because of coding flaws in its design. Researchers at F-Secure who have been analyzing the code reported today that, while the infection does send itself on to other phones using the multimedia messaging service (MMS), it does so very slowly.

So what does this mean for most mobile phone users?

Well, unless you have a mobile based on Symbian then this new mobile malware will be unlikely to bother you.

However, if you have a Symbian Series60 based phone/PDA then expect malware to come calling some time soon.

Update on Cabir::
Cabir aka Carib has now been confirmed as in-the-wild in 17 countries, not bad for a Bluetooth worm that requires the end-user to accept and install the infection themselves.

We now have 21 members of the Cabir family, the latest being Cabir.U. Remember that malware that infects mobile phones has only been around since June 2004.

We’ve also seen a modified version of Cabir, different enough from the original that it has been given its own name, now known as Dampig.A. The only striking thing about this new mobile malware is that it corrupts the system uninstallation information, and cannot be removed without disinfecting the phone with an Anti-Virus tool…oh Joy!

Locknut:
Another relatively new malware that is targeting Symbian Series60 based phones is Locknut. This trojan pretends to be a patch for Symbian Series 60 mobile phones and when run it will crash a critical system component. This will prevent any application from being launched on the phone, thus effectively turning the phone into an expensive paperweight.

Links:
Cars and Malware
Windows for Warships [Royal Navy]
Windows for Warships [US Navy]

BTW: Does anyone know what OS Airbus use for their planes?



Monday 7th March, 2005


More IM Worms…

Filed under: All, Malware

Well, last weekend [and today too] has been a busy time for Instant Messaging malware authors, we’ve seen two brand new families; KELVIR and FATSO.

I originally covered IM worms a while ago and they do seem to be the latest attack vector being used by malware authors.

What makes them particularly problematic in these recent cases is the use of links that claim to show you ‘pictures’ but actually point to executable files; ‘viewing’ the picture runs the executable and you become infected. Oh, and by the way WORM_KELVIR.B is in-the-wild and has already infected end-users in several large corporations.

What’s more is that the file that is ‘viewed’ then downloads another more worrying component, a bot [backdoor aka remote access trojan]. This allows the attacker to remotely control the infected host and use it for their own nefarious purposes. This could include using YOUR system to attack others, uploading stolen software, pornography, credit card or other financial data to YOUR compromised box, or downloading YOUR data, software, etc. They could even install other malicious software such as a keylogger [which records all your key-presses].


So what should you do?

Well, if you receive a link to a file:

  • Check with the person that it claims to have come from.
  • If it has a .pif extension [or any other executable extension such as .exe, .scr, .com or .bat], then treat it as malicious and just close the window.
  • If you are not expecting it, just close the message box.

Whatever you do, don’t use your anti-virus as if it was an authorisation program [e.g. “if it is infected then my anti-virus will stop it”]. If the worm is not known to the anti-virus it will NOT detect and/or block it and you’ll get infected.
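As an added illustration of the advice above [this is example code, not anything from the original post or from the Trend descriptions it links to], the function below classifies an IM link by the file name it points at. It parses the URL path, strips any query string, and treats a double extension such as ‘.jpg.pif’ as the ‘picture that is really a program’ trick the worms use. The list of executable extensions is an assumption for the example; the point is that the check is on the name only, it tells you nothing about a file that has been renamed, so the real defence remains not opening the thing.

```python
from urllib.parse import urlparse
import posixpath

# Extensions Windows will execute when double-clicked (assumed list for the example).
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def link_filename(link):
    """File name part of a URL (query string dropped) or of a bare path."""
    path = urlparse(link).path if "://" in link else link
    return posixpath.basename(path.replace("\\", "/"))


def classify_link(link):
    """Classify by the final extension, and spot 'picture.jpg.pif' style disguises."""
    name = link_filename(link).lower()
    if not name:
        return "no file"
    parts = name.split(".")
    exts = ["." + p for p in parts[1:]]  # every extension after the base name
    if exts and exts[-1] in EXEC_EXTS:
        if len(exts) > 1 and exts[-2] in IMAGE_EXTS:
            return "executable disguised as picture"
        return "executable"
    if exts and exts[-1] in IMAGE_EXTS:
        return "picture"
    return "other"


# Constructed links in the style of the IM worm lures described above.
SAMPLE_LINKS = [
    "http://example.invalid/pics/mypic.jpg.pif",
    "http://example.invalid/omg.pif?id=1",
    "http://example.invalid/holiday.jpg",
    "http://example.invalid/PHOTO.JPG.SCR",
    "readme.txt",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):35} {link}")
```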

Links to descriptions:

WORM_KELVIR.A
WORM_KELVIR.B
WORM_FATSO.A

Picture: Actual screenshot of Worm_Kelvir.B [Source: TREND]




Diagnostic Tools: Fport

Filed under: All, Tools

A common problem when you think you have a rogue [malware/spyware/adware] program running on your system is trying to find it. To try and assist in this situation I will cover one of the ‘tools-of-the-trade’ that can be used to identify open and listening ports that are being used by the ’scumware’ to talk/listen to the internet.

This assumes that you already have scanned the suspect system with at least one ‘up-to-date’ anti-virus product and at least one ‘up-to-date’ anti-spyware product. See here for the things to try first.

Most network technicians will normally first suggest that you use the ubiquitous ‘Netstat’ command found on all Windows and Linux systems.

Netstat when run with the ‘-a’ switch will show all the active and listening ports in use on the TCP/IP stack [add ‘-n’ to see port numbers rather than service names], which is useful as long as you know what all the port numbers mean!

Here is an excerpt from the output of Netstat -a:

Active Connections


Proto Local Address Foreign Address State
TCP MyPC:epmap MyPC:0 LISTENING
TCP MyPC:microsoft-ds MyPC:0 LISTENING
TCP MyPC:1025 MyPC:0 LISTENING
TCP MyPC:1048 MyPC:0 LISTENING
TCP MyPC:1140 MyPC:0 LISTENING
TCP MyPC:1170 MyPC:0 LISTENING
TCP MyPC:1386 MyPC:0 LISTENING
TCP MyPC:1676 MyPC:0 LISTENING
TCP MyPC:1788 MyPC:0 LISTENING
TCP MyPC:1820 MyPC:0 LISTENING
TCP MyPC:1959 MyPC:0 LISTENING
TCP MyPC:1960 MyPC:0 LISTENING
TCP MyPC:1961 akaimages.mcafee.com:http ESTABLISHED
TCP MyPC:1994 pigginhome.plus.com:http CLOSE_WAIT
TCP MyPC:1995 pigginhome.plus.com:http TIME_WAIT

To understand it you really need to understand networking to a reasonable level; this includes the different protocols, all the port numbers used by common applications and also how to get the output for UDP as well as TCP ports. This is a bit of a minefield for non-technical users!
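One way to take the pain out of reading that output, added here as an example [not a tool from the original post], is to parse it and compare the listening sockets against a baseline recorded from a known-clean machine. The script below handles the ‘netstat -a’ layout shown above and also the ‘netstat -ano’ layout on Windows XP and later, where a process ID column follows the state. The service-name table, the suspect-port list [taken from the Fport notes on this page] and the baseline are assumptions made for the example; the sample output is constructed.

```python
from collections import namedtuple

# Service names Windows netstat substitutes for well-known ports when run without -n.
# Assumed subset; the full list lives in %SystemRoot%\system32\drivers\etc\services.
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445,
                 "http": 80, "https": 443, "smtp": 25, "pop3": 110}

# High-numbered ports the Fport notes on this page associate with trojans/backdoors.
SUSPECT_PORTS = {3112, 31337, 12345, 65000}

Conn = namedtuple("Conn", "proto local_host local_port remote state pid")


def port_number(token):
    """Turn '1025' or 'epmap' into an integer port, or None if unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_netstat(text):
    """Parse 'netstat -a' output; also copes with 'netstat -ano', where a PID
    column follows the state (TCP) or the foreign address (UDP)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # 'Active Connections', the column header, blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        host, _, port = local.rpartition(":")  # rpartition keeps IPv6 '[::]:135' intact
        rest = parts[3:]
        state = rest.pop(0) if proto == "TCP" and rest else None  # UDP has no state
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        conns.append(Conn(proto, host, port_number(port), remote, state, pid))
    return conns


def flag_listeners(conns, baseline, suspect=SUSPECT_PORTS):
    """Return (conn, reason) for each listening socket that sits on a known-bad
    port or is absent from the (proto, port) baseline taken from a clean box."""
    findings = []
    for c in conns:
        listening = c.proto == "UDP" or c.state == "LISTENING"
        if not listening or c.local_port is None:
            continue
        if c.local_port in suspect:
            findings.append((c, "known backdoor port"))
        elif (c.proto, c.local_port) not in baseline:
            findings.append((c, "not in baseline"))
    return findings


# Constructed sample: the page's excerpt trimmed, plus one UDP line and one
# 'netstat -ano' style line carrying a PID.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    MyPC:epmap             MyPC:0                     LISTENING
  TCP    MyPC:microsoft-ds      MyPC:0                     LISTENING
  TCP    MyPC:1025              MyPC:0                     LISTENING
  TCP    MyPC:31337             MyPC:0                     LISTENING
  TCP    MyPC:1961              akaimages.mcafee.com:http  ESTABLISHED
  UDP    MyPC:microsoft-ds      *:*
  TCP    0.0.0.0:12345          0.0.0.0:0                  LISTENING       1764
"""

# Listeners recorded on a known-clean build (constructed for the example).
CLEAN_BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 445)}

if __name__ == "__main__":
    for conn, reason in flag_listeners(parse_netstat(SAMPLE_NETSTAT), CLEAN_BASELINE):
        print(f"{conn.proto} port {conn.local_port} pid={conn.pid}: {reason}")
```

Anything reported as ‘not in baseline’ still needs a human to look at it; a freshly installed legitimate program will trip it just as readily as a backdoor, which is exactly where Fport’s port-to-program mapping comes in.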

What if you want to find out which application/program/executable is actually using a specific port [or range of ports]? Well, in that case the Netstat shipped with Windows NT4 and 2000 can’t help [the Windows XP version gained a ‘-o’ switch that prints the owning process ID, so ‘netstat -ano’ gets you part of the way there], however there is a simple little tool that can give you just that information and can be very, very useful in helping to diagnose the presence of a new piece of network-enabled ’scumware’; this tool is Fport.

Introduction:
Fport is a free tool that will show you what programs on your system are opening which ports (both TCP and UDP). You can look at the output and see if you notice any strange programs that don’t belong on the machine. Then you can use a command-line “kill” utility such as PSKill to stop the programs. Typically, trojans and some viruses will open up non-standard ports which can be a great clue to determining if a system is compromised or not. Watch out for open high numbered ports such as 3112, 31337, 12345, and 65000. Fport can be used on Windows NT4, Windows 2000, and Windows XP.

Installation:
Place the Fport.exe file directly on your C drive. Fport is not added to your PATH, so in the command prompt you must either change to the folder where it is stored or type its full path.

Usage:
Once installed, invoke fport like this:


Start –> Run –> cmd

C:\> cd \

C:\> fport -p

If you want to pipe the output of fport into a file:

C:\> fport -p >> [filename].txt

[‘>>’ appends to an existing file, handy for keeping a before-and-after record; use a single ‘>’ if you want to overwrite it.]

You can download Fport from here.

The beauty of Fport is that it is usable by even the most non-technical of users, it is small and currently is not being defeated/manipulated by malware, unlike a number of other system diagnostic tools. So, if you think you are infected and have tried all the usual things to track down the rogue application, then give Fport a go.

If you don’t understand the output then feel free to send it to me for analysis. I can’t promise to solve the problem or deal with it immediately, but I will see what I can do.



Thursday 3rd March, 2005


First Trojan Dogs, Now Malware and Fleas!

Filed under: All, Malware

I could not resist posting this gem of an article, it seems a tailor-made follow up to my recent Beagle [Trojan-Dog] entry.

The article posted on News.com is entitled: Internet viruses aid flea researchers

Here’s a clip from it:


“The way viruses spread on the Internet is helping ecologists decipher how pests move in the real world.

Jim Muirhead and Hugh MacIsaac, ecologists at the University of Windsor in Ontario, have been using network theory to work out how the Russian spiny water flea will travel through Canada’s lakes.

According to the two ecologists’ theory, the lakes are akin to interconnected nodes in a network, with some open to infection by computer viruses–or, in this case, the spiny water flea. The spread of the water flea by boats and other craft mimics the spread of viruses by e-mail, the theory states, and can help the scientists identify which lakes are likely to become infection hubs from which the flea will spread.”

The full article can be found here.

Now if only we can train malware to do acrobatics, walk a tight-rope and be fired from a cannon, we could have a travelling malware circus! ;-)

Hang on a minute, I think we should not use the malware itself as cannon ammunition, let’s use the malware authors instead!



Tuesday 1st March, 2005


Beagle The Trojan…..Dog?

Filed under: All, Malware

It is about time that Beagle [the malware mutt] aka Bagle was either house trained or even better put in Doggy Prison!

Yet again I woke up to more Beagle deposits, ranging from droppers to full new variants of this fecund family of malware. Details below on what we know of the various new ones out there so far today:

The first one arrived via e-mail and the intended victim was suspicious and sent it on to me for analysis:

Details:
FileName: new_price.zip
FileDateTime: 01/03/2005 05:54:37
Filesize: 15876
MD5: 82859cc5b9e34ede58692d9fb2c84a63
CRC32: AB5D0DD
File Type: ZIP Archive File

Contains:-
FileName: prs_03.exe
FileDateTime: 01/03/2005 13:30:14
Filesize: 34304
MD5: f0851f7b19c9f5e880d2ad03acc48cb3
CRC32: 97C02F70
File Type: PE Executable

Scanner Results:
Kaspersky:-Email-Worm.Win32.Bagle.bc
McAfee:-W32/Bagle.dldr
F-Prot:-W32/Bagle.BL
BitDefender:-Trojan.Bagle.BE
ClamAV:-Trojan.Small-57-3
ESET:-Win32/Bagle.BA worm

Yes, out of the 14 [up-to-date] scanners I have at hand only the above detected anything suspicious, this means that TREND and Symantec miss it completely with their latest definitions [at the time of testing].
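The ‘Details’ block above is the kind of record worth producing for every sample before anything else happens to it. As an added example [my own code, not a tool from the original post], the script below builds a constructed stand-in for new_price.zip [a ZIP wrapping a fake PE that is just an ‘MZ’ header and some text, no real code], then records size, MD5 and CRC32 for the archive and for each member by inspecting the ZIP in memory rather than extracting or running anything. It also tallies the multi-scanner verdicts into a ‘detected by N of M’ figure; the scanner dictionary repeats the results listed above, with the two misses recorded as None and the remaining six of the fourteen scanners omitted because their names are not on the page.

```python
import hashlib
import io
import zipfile
import zlib

# File signatures checked, in order. Assumed minimal table for the example.
MAGIC = [(b"PK\x03\x04", "ZIP Archive File"), (b"MZ", "PE Executable")]


def file_type(data):
    """Identify the container by leading bytes rather than by extension."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "Unknown"


def describe(name, data):
    """The same fields as the 'Details' block on the page, computed from bytes."""
    return {"FileName": name,
            "Filesize": len(data),
            "MD5": hashlib.md5(data).hexdigest(),
            "CRC32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
            "File Type": file_type(data)}


def triage(name, data, max_member=50_000_000):
    """Describe the file and, if it is a ZIP, each member, without executing anything."""
    report = [describe(name, data)]
    if file_type(data) == "ZIP Archive File":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > max_member:  # refuse to inflate a zip bomb
                    continue
                report.append(describe(info.filename, zf.read(info)))
    return report


def detection_coverage(results, scanners_run):
    """Count scanners that returned a detection name; None means a miss."""
    detected = sum(1 for verdict in results.values() if verdict)
    return detected, scanners_run


def build_sample():
    """Constructed stand-in for new_price.zip: a ZIP holding a fake PE stub."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"This is not a real executable."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("prs_03.exe", fake_pe)
    return buf.getvalue()


# Verdicts from the page; None records a scanner that missed the sample.
SCANNER_RESULTS = {"Kaspersky": "Email-Worm.Win32.Bagle.bc", "McAfee": "W32/Bagle.dldr",
                   "F-Prot": "W32/Bagle.BL", "BitDefender": "Trojan.Bagle.BE",
                   "ClamAV": "Trojan.Small-57-3", "ESET": "Win32/Bagle.BA worm",
                   "TREND": None, "Symantec": None}

if __name__ == "__main__":
    for entry in triage("new_price.zip", build_sample()):
        for key, value in entry.items():
            print(f"{key}: {value}")
        print()
    hit, total = detection_coverage(SCANNER_RESULTS, 14)
    print(f"Detected by {hit} of {total} scanners")
```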


There are currently 5 new variants in-the-wild and spreading, however it seems that several of them are trojans not worms. These trojan variants are being spammed out to hundreds of thousands of e-mail addresses at a time. The trojan variants may be classified under another name, such as Trojan.Tooso [Symantec] or a hybrid name such as Troj_Bagle [TREND] instead.

Interestingly the trojan variants [is this a Trojan Dog rather than Horse? ;-) ] seem to modify the HOSTS file, filling it up with lots of AV and security vendor sites and mapping them to 127.0.0.1 [localhost] so that any attempt to reach those sites will fail. It also tries to download a JPEG [graphic] file from one of the many listed in the trojan’s code. At this time we are not sure if this is using one of the recent Microsoft JPEG vulnerabilities to execute an infected JPEG file or it is just using a .jpg extension to bypass web filtering.
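The HOSTS-file trick is easy to check for, and worth checking on any box that suddenly cannot reach its AV vendor. As an added example [my own code, not from the original post or from any vendor write-up], the script below parses a HOSTS file, ignores comments and the legitimate ‘localhost’ line, and reports any security-vendor name that has been pointed at a sinkhole address [loopback or 0.0.0.0, including the IPv6 forms]. The vendor list and the sample HOSTS file are constructed for the example; on Windows the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Constructed HOSTS file in the style of what a Bagle/Tooso dropper leaves behind.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.mcafee.com
127.0.0.1       www.kaspersky.com
127.0.0.1       www.f-secure.com    # added by the trojan
192.168.1.10    intranet.example.local
"""

# Domains a HOSTS file has no business pointing at loopback. Assumed list for
# the example; extend it with whatever vendors your estate actually relies on.
SECURITY_VENDORS = ("symantec.com", "mcafee.com", "kaspersky.com", "f-secure.com",
                    "trendmicro.com", "sophos.com", "bitdefender.com", "eset.com",
                    "windowsupdate.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; a line may carry several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """Loopback or unspecified addresses are the classic way to black-hole a site."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text, vendors=SECURITY_VENDORS):
    """(ip, name) pairs where a vendor domain or subdomain is sinkholed."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_sinkhole(ip) and any(name == v or name.endswith("." + v) for v in vendors):
            findings.append((ip, name))
    return findings


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}  (vendor site sinkholed)")
```

A clean HOSTS file on a typical workstation contains only the localhost entry, so in practice anything beyond that is worth a look; the vendor filter just separates the ‘someone is blinding my AV’ case from the harmless intranet shortcuts.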

I’ll post more data when I have it.

Oh dear, looks like there are more new variants out there, as I’ve just been informed of another new one that has been found since I originally posted.

This just in from the F-Secure Research weblog:

“These new Bagle variants are using a client / server architecture to spread further. What? A Client / Server virus? Yup.”

“Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end. The back-end server will then return 50 unique email addresses that it generates using directory harvest techniques. The virus will then send a copy of itself to these addresses and loop over.”

And it appears that there could be 8 new variants out there, 4 droppers and 4 worms!


