MoMusings

Friday 22nd April, 2005


Music to your Peers - P2P Malware

Filed under: All, Malware

I know that many of you out there have MP3 players, and most, if not all, of your music is stored on hard disks as MP3 files. Of course all of the MP3 files you have are legal, either paid for, ripped from your own CDs or public domain files, yes?

How many of you use, or have used Peer to Peer [P2P] networks such as Gnutella, WinMX, Kazaa, eDonkey, eMule, etc. to download music, applications or other things?


Now, what would be your reaction if all your MP3 files, legal or otherwise, were corrupted or erased? Horror, outrage, or worse?

Did you realise that malware [viruses, trojans, worms, etc.] is widespread on these networks? Why am I telling you this?


Well, malicious software is spreading on these P2P networks; in fact it has been happening for a number of years. However, the latest malware threat spreading on these P2P networks assumes that if you use P2P ALL your MP3 files are illegal, and deletes them, all of them! Ouch!

This new malware is known as Nopir-B, and it appears to have originated in France. This worm pretends to be a program to make copies of commercial DVDs on P2P networks. The reality is that it offers no such function; instead it attempts to delete MP3 music files on infected PCs. Furthermore, it also attempts to disable various system utilities and erase .COM programs whilst displaying an anti-piracy graphic.



The worm will also disable Windows Task Manager, registry tools, and access to the Control Panel. Finally it will check for debuggers and may attempt to disable any such software that it finds.

W32/Nopir-B copies itself to [Program Files]\Projects Visual Studio.NET\Nctrup.exe, [Program Files]\Restore\[random name].exe and [Program Files]\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.

Nopir-B only infects Windows machines and is currently considered to be a low risk.

Malware capable of hunting down and killing or damaging MP3 files is rare but not unknown. If we look back through the ‘mists of malware-history’ we can find several previous MP3-attacking malware. The widespread and long-lived Klez worm, for example, overwrote MP3 files (and other file types too) on certain trigger dates each and every month. Scrambler was programmed to scramble MP3 files to sound like a scratched record, though I doubt most youngsters would even know what a record actually is now. Finally, Mylife-G overwrote MP3 files with the words “my lIfE”.


Don’t get me wrong, I don’t condone piracy; likewise I don’t condone vigilantes. Nopir-B is the malware version of a ‘lynch-mob’ [pitchforks and torches optional]. It makes a rather large assumption that if you got infected by it then you are a pirate [eye-patch, wooden-leg, hook, cutlass and/or parrot are optional] and makes all the MP3 files it can find on your system ‘walk-the-virtual-plank’ to be gobbled up by the waiting sharks! So, you are guilty as charged, even if you are innocent, or only slightly guilty [some legal and illegal MP3s].

Don’t think this will be the last malware to do this; the war has only just started after numerous drunken brawls…..yo-ho-ho and a bottle of rum, me hearties! ;-)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Wednesday 13th April, 2005


The Silence of the Scams

Filed under: All, Scams

Cut to a scene with a certain well known Welsh actor wearing a leather face mask and a natty white jacket with tie-back arms…..

“I ate his liver with some fava beans and a nice bottle of Chianti…..” says the man, oozing menace from every pore. I hear you ask, what is he on about this for, what has this to do with malware, scams or related scummery?

Well, read on and you’ll find out; make sure you have your tongue firmly embedded in your cheek or are wearing your skeptic’s hat, here goes….

Eat your fellow human:
So, if you’d like to follow in Dr. Hannibal Lecter’s footsteps and “eat your neighbour” or “meet and eat your fellow man/woman” then this extract from a website is for you!

“For the last 19 years ManBeef has been the world’s leading human meat distributor. We have established a reputation for having only the highest quality human meat products and dedicated customer service representatives. Because we only cater to a select group of people, we try to keep a close relationship with all of our customers. This allows us to help you get the best quality human meat for your budget, and ship it right to your front door. And after 19 years of business, you can now access our products and services online!”

The site that this was on [www.manbeef.com] is no more. If you go to that site now you’ll be offered ‘adult material’, no I’m not talking about fully-developed cloth.

If you prefer rabbit(s):
The following is a chilling threat from a web site known as SaveToby.com:


“Toby is the cutest little bunny on the planet. Unfortunately, he will DIE on June 30th, 2005 if you don’t help. I rescued him several months ago. I found him under my porch, soaking wet, injured from what appeared to be an attack from an alley cat. I took him in, thinking he had no chance to live from his injuries, but miraculously, he recovered. I have since spent several months nursing him to health. Toby is a fighter, that’s for sure.

Unfortunately, on June 30th, 2005, Toby will die. I am going to eat him. I am going to take Toby to a butcher to have him slaughter this cute bunny. I will then prepare Toby for a midsummer feast. I have several recipes under consideration, which can be seen, with some pretty graphic images, under the recipe section.”

This is not the only “pay-up-or-I-eat-the-bunny” site; here is another one: Save Bernd! (http://www.krohm.net/bernd.htm), run by an operator who threatens to turn his bunny, Bernd, which he found outdoors on a rainy night, into “Rabbit with Chanterelle” for his dinner if visitors don’t donate 1,000,000 Euros.

Warning: The “Save Bernd!” site is heavily laced with pop-ups. So, if you go to that site expect lots of advertising popups. There are rumours that the site may have some adware/spyware or other malicious content, you have been warned!

At the time of writing Bernd was allegedly ‘no-more’, ‘gone to bunny heaven’, ‘was an ex-bunny’…..

If you prefer felines:
What would you do if you received the following in a e-mail?:

“In New York there is a Japanese who sells “bonsai-kittens”. Sounds like fun huh? NOT! These animals are squeezed into a bottle.


Their urine and faeces are removed through probes. They feed them with a kind of tube. They feed them chemicals to keep their bones soft and flexible so the kittens grow into the shape of the bottle. The animals will stay there as long as they live. They can’t walk or move or wash themselves. Bonsai-kittens are becoming a fashion in New York and Asia.

See this horror at: http://www.bonsaikitten.com

Please sign this email in protest against these tortures. If you receive an email with over 500 names, please send a copy to: anacheca@hotmail.com”

Would you sign the electronic petition, phone the RSPCA or other animal protection society or would you laugh?

Calm down dear it’s only a….
It’s OK, you can put away the pitchforks and torches and disband your lynch-mob; these are all fictitious sites set up purposely to outrage people, and to make some cash on the side too in a few cases. In some cases, especially the bunny related ones, those responsible have made some serious money from what is nothing more than a joke, a joke in bad taste. In Toby’s case his owner has allegedly* received donations totalling $24,515.62!

* If you click on the ‘Donate’ link it will take you to PayPal, however the following error message is given:
‘Error Detected This recipient is currently unable to receive money’.

The above sites may be spoofs or downright jokes with the occasional scam thrown in for good measure, so if you must donate money please don’t line a scammer’s or cyber-extortionist’s pockets. Instead, give your donation to the real animal charities who really are desperate for your help and really do have to put animals down because they can’t afford to pay for their upkeep.

More details on each of these can be found below:
http://www.snopes.com/inboxer/hoaxes/manbeef.htm
http://www.cluestick.me.uk/ManBeef.htm
http://www.snopes.com/critters/crusader/bonsai.asp
http://www.cluestick.me.uk/Bonsai_Kitten.htm
http://www.snopes.com/critters/crusader/savetoby.asp

So, let me finish up in much the same way as I started this posting…”I do wish we could chat longer, but I’m having an old friend for dinner. Bye.”



Tuesday 12th April, 2005


Rootkits Revealed

Filed under: All, Malware

Rootkits have been around for *NIX systems for many years; however, they are now a growing problem for Windows systems. This entry will cover what a rootkit is, how they work and, more importantly, how to detect and remove them.

What is a rootkit?
A rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access, usually by hacking into the box manually or by getting a user to execute a Trojan or Worm which installs a backdoor for them to slither onto the system in the first place. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities. There is however another type which doesn’t tend to replace system files: kernel [LKM] rootkits, which subvert the system by attaching themselves to, or by otherwise modifying, the kernel of the targeted operating system.

Some examples of such kernel rootkits on Linux include: Knark, Adore, and Rtkit.


Although *NIX rootkits have been around for many years and are generally considered the major threat to *NIX security, there are also a growing number of Windows rootkits. This ‘rootkit’ scenario is a complete about-face when compared to other classes of malware, where DOS/Windows is the most targeted and *NIX is little more than a drop in the malware ocean.

Some examples of Wintel rootkits include: Hacker Defender, FU and Vanquish.

One of the rootkits mentioned above [Hacker Defender] was originally released about a year ago and, as mentioned in a previous posting, has recently been updated to be even more stealthy and to use encryption to protect outbound communications [phone-home and remote control communications].

So, in conclusion, there are two currently known classes of rootkits: application level and kernel level.

How do they work?
The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access trojan [daemon or application aka a RAT].

Application level rootkits come with modified system binaries that replace the existing ones on the target system. Why do they use modified system binaries? To hide their presence and the actions of those that are using the rootkit of course. In other words, to cover their tracks…..out of sight is out of mind!

How do I detect and remove them?
Most rootkits will mimic the creation dates and file sizes of the original system binaries while replacing them with infected versions, so keeping records of these file statistics is not [and has never been] sufficient. The best way to make an inventory of system file information that can be used to identify suspicious activity on the system [server or workstation] is to calculate the cryptographic checksums [effectively ‘electronic fingerprints’ using strong hash-functions such as MD5, SHA1 or better] of these files and store this information in a safe location, such as on a CD.

These ‘electronic fingerprints’ can then be compared to the recomputed ‘electronic fingerprints’ of files on a regular schedule. This would then highlight files that have been changed as they would no longer have the same ‘electronic fingerprint’. In other words, the replaced files would be unmasked and the game would be over for the rootkit!
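To make the baseline-and-compare approach concrete, here is an added example (not code from the original post, and not any of the tools listed below) of a minimal file-integrity check in the spirit of Tripwire or AIDE. It hashes every file under a directory tree, keeps the digests in a JSON baseline, and later reports modified, added and missing files. It uses SHA-256 rather than the MD5/SHA1 the post names, as the stronger choice today. The scenario it runs is constructed in a temporary directory: a fake `bin` tree in which one utility is replaced by a same-size file whose modification time is put back, so that a check based only on size and mtime passes while the hash check catches it.

```python
"""
Added example: a minimal Tripwire/AIDE-style integrity baseline.
Everything below (the 'bin' tree, the file contents, the baseline layout)
is constructed for the demo; it is not the original post's code.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative path, '/' separators) to its fingerprint and stat data."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full),
                             "size": st.st_size,
                             "mtime_ns": st.st_mtime_ns}
    return baseline


def verify(root, baseline):
    """Recompute fingerprints and report what changed relative to the stored baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline
                      if p in current and current[p]["sha256"] != baseline[p]["sha256"])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def stat_only_check(root, baseline):
    """The weak check the post warns against: compare only size and mtime, no hashes."""
    current = build_baseline(root)
    return sorted(p for p in baseline if p in current and
                  (current[p]["size"], current[p]["mtime_ns"])
                  != (baseline[p]["size"], baseline[p]["mtime_ns"]))


def demo():
    """Constructed scenario: baseline a fake bin tree, then swap one binary for a same-size
    file with its mtime restored, and drop a new file. Returns (stat-only result, hash result)."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        ls_path = os.path.join(bin_dir, "ls")
        with open(ls_path, "wb") as f:
            f.write(b"#!/bin/sh\necho legit-ls\n")      # 24 bytes, constructed stand-in
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho legit-ps\n")

        # Take the baseline and round-trip it through JSON, as if written to read-only media.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Simulate a trojaned replacement that keeps the size and puts the mtime back.
        st = os.stat(ls_path)
        replacement = b"#!/bin/sh\necho evil-ls!\n"       # also 24 bytes
        assert len(replacement) == st.st_size
        with open(ls_path, "wb") as f:
            f.write(replacement)
        os.utime(ls_path, ns=(st.st_atime_ns, st.st_mtime_ns))
        # A rootkit also brings new files (e.g. a sniffer); drop one to show 'added' detection.
        with open(os.path.join(bin_dir, "sniff"), "wb") as f:
            f.write(b"#!/bin/sh\n")

        return stat_only_check(root, baseline), verify(root, baseline)


if __name__ == "__main__":
    stat_result, hash_result = demo()
    print("stat-only check flagged:", stat_result)   # [] : fooled by size/mtime mimicry
    print("hash check flagged:", hash_result)        # bin/ls modified, bin/sniff added
```

The point of keeping the baseline on read-only media (the post's CD) is that a rootkit that can rewrite system binaries can equally rewrite a baseline stored on the same disk; the JSON round-trip above stands in for that off-box copy.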

Suitable tools are listed below, along with the OS that they are suitable for:

Tripwire [*NIX GPL]
Tripwire [*NIX, Wintel, Commercial]
AIDE [*NIX]
AFICK [*NIX, Wintel]
GFI LANguard [Wintel]
ADinf [Wintel, Commercial]
Integrity Master [Wintel, Commercial]

There are a number of tools available that claim to be able to detect and remove rootkits, these are listed below, along with the OS that they are suitable for:

ChkRootkit [*NIX]
Rootkit Hunter [*NIX]
RootkitRevealer [Wintel]
UnHackme [Wintel]
Blacklight [Wintel]

Links to pages with more details on rootkits:
http://en.wikipedia.org/wiki/Rootkit
http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html
http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html



Friday 8th April, 2005


MMS = Multimedia Malware Service?

Filed under: All, Malware

It has been a few weeks since I last covered the area of mobile malware and, to be honest, there have been some new threats that I’ve wanted to cover. In this posting I will just cover the most interesting one, for now.

Last time I covered allegedly infected Cars, nothing quite so grandiose this time.

You too can have the latest malware automatically sent to you when you text [SMS] or send an MMS to a mobile device running Symbian Series 60 OS which is infected by Mabir. Yes, that’s right, Mabir not Cabir.

As its name might suggest, this new threat is based on the source code for the mobile device malware Cabir, which uses Bluetooth to spread from mobile phone to mobile phone [or PDA to PDA, etc.].

So what is different with this new variant?

Well, as hinted at in the first paragraph of this blog entry, it can also spread via MMS, as well as Bluetooth [in the same way that Cabir does]. So, if you text [SMS] someone or send them an MMS and you get a reply containing no text but a SIS file only, guess what they are infected with!


However, unlike many mass-mailing worms this MMS based malware doesn’t rummage around in the OS looking for new contact details to send itself to, it just patiently sits and waits for incoming SMS or MMS messages instead.

So what are MMS messages?

MMS stands for Multimedia Message Service; MMS messages are multimedia messages that can be sent between phones that support MMS messaging. As the name suggests MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files. You have been warned….

The good news is that Mabir doesn’t spoof the sender, unlike most e-mail based worms, so DO contact the sender of the infected SMS/MMS message to let them know that they have a dose of electronic pox.

More good news is that Mabir hasn’t yet been seen in the wild, but the same was said about Cabir some time ago; now it has been seen in 17 countries world-wide.

More data can be found by using the following links:

Symantec
F-Secure



Wednesday 6th April, 2005


March 2005 Review

Filed under: All, Malware, Stats

I’ve finally managed to find some time to create some graphs and perform some trend analysis from the raw data from my WormCharmer and Bayesian filter for March. Hope they are of some interest?

I have included three sources of information for the graphs and pie-charts, these are:

  • Kaspersky
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 2+ years, Malware Bayesian Filter 1+ year.

In total I captured 2326 samples during March, which have been catalogued as 148 distinct families and variants. In comparison in February 2005 I captured 2234 samples which were catalogued as 166 distinct families.

During March I captured 19 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The first pie chart below shows the Top 10 distinct malware by percentage. As you can see this includes not only mass-mailers but also seven share-crawling worms [3 Opaserv variants and 4 Agobot variants]. The mass-mailing worm W32/Zafi.B@MM was the sample with the highest number of captures closely followed by W32/Agobot.DAJ [Frisk] and another Agobot variant WORM_AGOBOT.AKW [Trend] and W32.Netsky.P@MM falling to 4th place.

If you compare the above to the data from Kaspersky you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties. As you can see the top 10 from Kaspersky is dominated by e-mail worms.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of March] here. This clearly shows that March was quieter than February as far as e-mail based malware was concerned. In fact it was the quietest month [e-mail malware wise] since October 2004. However, as mentioned previously other malware [bots, worms, multi-component malware] have been even more active during March.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 121,469 [as at the end of March 2005], this is a growth of 9,031 during the first quarter of this year. At the end of last year I estimated that we would probably have a growth of 33,000 new malware in 2005. As you can see that figure needs to be revised upwards.

In March we saw the following new malware appear:

Mytob. This is a brand new family of worms which is based on MyDoom, but with a twist, it was modified to also spread using the LSASS exploit [ala Sasser], as well as via the more common e-mail vector that MyDoom used.

Conclusions:

Well, as you can see there are a number of old malware strains still actively spreading via the Internet, why is this the case?

Simply this, unpatched and/or systems with either no anti-virus or out-of-date antivirus products or signature databases.

I could accept this scenario if there were no free anti-virus, anti-spyware or personal firewall software available at no cost. I could also understand it where malware uses a known [and patched] vulnerability, if Microsoft actually charged for the patches to their OSes and applications, but this is not the case……

Here’s a link to one of my personal webpages where you can find links to FREE security products, such as AV, firewalls, Anti-Spyware and other useful tools and information.



Tuesday 5th April, 2005


Another Busy Weekend…

Filed under: All, Malware

Sheesh, the malware authors have been rather active over the weekend, which meant that I got to analyse more samples than I’d like, rather than doing something more fun, or even just getting away from my desk for a while.

Why oh why does it always seem to be busier when the kids are off school? Are they really responsible for the jump in new samples that I trap during these periods, or is it just some great cosmic coincidence or conspiracy? ;-)

Those of you who are interested in new malware, especially new malware that is not detected by most of the major players in the AV market place may want to take an occasional look at my external blog, as that is where I post data on these new critters.

So what did I actually trap that was new?

  • 3 new droppers which when executed drop 2 distinct pieces of malware, these being a Ranky variant and also yet another SDbot variant [like we actually need more of these or the Ranky variants either!]
  • 1 new Bropia/Kelvir variant. Detected by no anti-virus at the time of submission.
  • 1 new bot which is dropped when a new Bropia/Kelvir variant I also trapped gets executed. Detected by no anti-virus at the time of submission.
  • 1 new IRCbot which was only detected heuristically by 3 out of the 14 scanners I have.

Many of these new variants are using new packers and/or compressors which make life difficult for many of the anti-virus products in use.

For those that are interested there is even a separate RSS feed just for the announcements on what I’m finding.

More data on the other RSS feeds I have and the blog(s) [and sub-blogs] can be found here on my personal external Web Server.

I hope to get some time to post a review of the malware data I accumulated during March, and how this compares with the last few months. My current estimate of the number of malware that will exist by the end of the year may well need to be increased as we have had almost 10,000 new malware strains/variants already this year and it is only the end of the first quarter!



Monday 4th April, 2005


Water Laptop!

Filed under: All, Scams

It seems that a new gang of conmen, currently operating in Slough, Berkshire [UK] has taken the PC* scam to a hitherto unplumbed depth.

Never before has a scam been so cool and refreshing as this one. I wonder do they offer both a still and carbonated Laptop, and whether they offer the ones with a fruit flavour too?

What am I on about?

This report from the BBC website:

Laptop scam hits bargain-hunters

A gang of conmen is tricking people into thinking they are buying cheap laptop computers before handing over bags containing bottles of drink.

Police in Slough, Berkshire, say they have received a “steady stream” of reports from victims of the con.

In one recent incident, a woman handed over £400 in a car park to two men for a laptop and was given a case she later found to contain water bottles.

On 15 March, three people handed over more than £600 in separate incidents.

Police warning

One victim was left empty-handed, one with a case containing a can of petrol and one with a bag containing two bottles of lemonade.

Thames Valley Police are warning people to be wary of those offering cut-price goods in the street.

A spokeswoman added: “We would also like to point out that buying property they know or suspect is stolen is an offence in itself.

“Not only that, but it creates a market that encourages robbery and theft.”

So what do you call a person from Berkshire who falls for this scam? ;-)

* PC = Potato Computer [see this blog entry for more details]



Friday 1st April, 2005


Human Infected by Malware!

Filed under: All, Malware

It seems that malware has now managed to jump from a PC to a person, just like the evolution we see in real viruses such as those that start off affecting only Pigs, Monkeys or Birds and then by some strange evolution managing to quickly adapt themselves to infect a new host - humans. This trick is known as species jumping.

More details below:

Man Catches Computer Virus - Bizarre illness jamming up his brain waves!

Caption: SICK COMPUTER passed on a bizarre virus to programmer John Stevens, after it became ill from an infected software program. By Michael Todd, Special Correspondent, {Weekly World News}, 31 March 2005


John Stevens has a lot in common with his home computer: Both think logically, both like numbers and both have come down with something - a virus; in this case it is the same virus which has infected both the man and his machine!
Stevens, a computer programmer who works out of his home in a Philadelphia suburb, is convinced his lingering and debilitating illness is something he got from his sick computer. And the victim’s doctor agrees.

“I’ve run every test I can think of to trace the origin of his illness,” said Dr. Mark Fordland. “He has a virus, but it’s not like any virus I’ve ever seen.”

Stevens, 32, said his computer began to show signs of a virus - a software program designed to eat up and destroy other software data - about a week before he got sick. “I was careless about borrowing software programs from other people I didn’t know well,” Stevens admits.

Dr. Fordland, himself a computer expert, agrees. “Borrowing software programs from friends and strangers is like having sex with someone you don’t know well. When you sleep with someone, you sleep with everyone they’ve ever slept with. When you borrow someone’s software program, you’re connected to everyone who’s ever used that program.”

Dr. Fordland concludes that Stevens’ symptoms are identical to that of a software virus’ attack on a computer. “Stevens has become forgetful, like something is eating up his memory, his data. He has less and less energy. He can’t hold onto thoughts. Even an EEG (electroencephalogram) of his brain waves keeps changing. It’s becoming more and more erratic. This virus could just eat him up until his mind is a blank and he’s like a vegetable,” the doctor said.

Yes, this is a joke, just in case you didn’t get the significance of the date it was posted on ;-)
If you want more of these then look here.


