MoMusings

Thursday 30th June, 2005


Pappa’s Got A Brand New [Fanti]Bag!

Filed under: All, Malware

Your anti-virus doesn’t seem to update, Windows Update doesn’t work and you can’t get to any of the anti-virus vendor sites. Is the source of this problem ‘WetWare’ [aka an ‘end-user’ problem, aka a ‘code ID10T’ as they say on the help-desk], malware, or something else?

Well, for some time now we have seen many pieces of malware which change the Windows HOSTS file to stop systems being able to connect to security and Microsoft web sites and update servers. This is done to stop the malware being detected and removed. However, it seems that the malware authors know that a reasonable number of ‘victims’ now know to look at the HOSTS file to see if it has been modified by a piece of scumware. Usually this is done in the HOSTS file by redirecting the hostnames to localhost [127.0.0.1]. To counter this they appear to have come up with a new way to achieve the same result, without having to modify the HOSTS file at all.

The malware authors seem to have added a new trick to their existing ‘bag-of-tricks-and-scummery’. This is the first piece of malware that we have seen which is known to use this new trick. The malware is known as Fantibag and is a Trojan which uses packet filtering to achieve the same goal. Think of it as a malicious firewall!

Fantibag has been distributed as a PeX-packed Win32 executable. This Trojan may have been automatically downloaded onto machines which were infected by the recent spate of Bagle droppers [which we saw earlier this week]; once installed, those droppers download and execute arbitrary files from particular web site addresses encoded in the dropper.

Details:

Installation
When Fantibag’s file is executed, it copies itself to the Windows directory using the filename ‘firewall_anti.exe’. It then adds a registry entry which loads it at start-up. This ensures that it will be automatically started when the operating system starts:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"firewall_anti" = "%WinDir%\firewall_anti.exe"

Fantibag then drops a DLL [Dynamic Link Library] file called ‘firewall_anti.dll’ (this file is 139,264 bytes in size) into the Windows directory and ‘injects’ this file into the address space of Internet Explorer, so that it runs under the guise of the browser process.

Packet filtering
When the firewall_anti.dll file is activated, it modifies the network interface using the Microsoft RAS packet-filtering API. It adds a filter which effectively blocks access to the following AV companies’ sites and other security-related sites [plus, as noted in the conclusions, a few advertising servers]:


Fantibag blocks access to these sites by creating input and output filters to drop [discard] all network packets [requests] between the infected machine and any of the filtered IP addresses [or the DNS names in the list].

For each of the specified domain names, a DNS lookup is performed, and Fantibag creates filters for every IP address within the same class C (255.255.255.0) network as the resolved address, if such a filter does not already exist.
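An added triage helper (not code from the original post or from any vendor) that applies the distinction drawn above: it checks whether a security hostname has been sinkholed in the HOSTS file and, if not, whether it resolves but cannot be reached, which is what a Fantibag-style packet filter looks like from inside the machine; it also groups blocked hosts by /24 to mirror the class C filters. The hostnames, HOSTS content and the offline resolver/connector stubs are constructed; the live `resolve_dns`/`tcp_connect` defaults are what you would use on a real machine.

```python
# Added example (not code from the original post or any vendor): tells a
# HOSTS-file redirect apart from a network-layer block like Fantibag's, and
# groups blocked hosts by /24 because Fantibag filters whole class C ranges.
# SAMPLE_HOSTS, DEMO_HOSTNAMES and the demo_* stubs are constructed data.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed HOSTS content with two vendor names planted as loopback entries.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.example-av.test
127.0.0.1       update.example-av.test   # planted entry
"""
DEMO_HOSTNAMES = ["www.example-av.test", "update.example-av.test",
                  "ftp.example-av.test", "download.example-av.test",
                  "update.example-os.test", "nx.test"]

def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in a HOSTS file to its address (comments stripped)."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def resolve_dns(hostname: str) -> Optional[str]:
    """Live resolver for real use; None when the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None

def tcp_connect(ip: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Live probe for real use: does a TCP handshake to ip:port complete?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(hostname: str, hosts_map: Dict[str, str],
             resolve: Callable[[str], Optional[str]],
             connect: Callable[[str], bool]) -> str:
    """Return hosts-file redirect, dns failure, network block or reachable."""
    name = hostname.lower()
    if name in hosts_map:
        try:
            addr = ipaddress.ip_address(hosts_map[name])
            if addr.is_loopback or addr.is_unspecified:
                return "hosts-file redirect"
        except ValueError:
            pass  # malformed HOSTS entry: fall through to the live checks
    ip = resolve(name)
    if ip is None:
        return "dns failure"
    if connect(ip):
        return "reachable"
    return "network block"  # resolves but no handshake: packets are dropped

def triage(hostnames: List[str], hosts_text: str, resolve=resolve_dns,
           connect=tcp_connect) -> Dict[str, str]:
    hosts_map = parse_hosts(hosts_text)
    return {h: classify(h, hosts_map, resolve, connect) for h in hostnames}

def blocked_networks(results: Dict[str, str], resolve) -> List[str]:
    """Sorted /24s holding the blocked hosts; many vendors collapsing onto a
    few /24s is what Fantibag's class C filters look like from the inside."""
    nets = set()
    for name, verdict in results.items():
        ip = resolve(name) if verdict == "network block" else None
        if ip:
            nets.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return sorted(nets)

# Constructed stand-ins for DNS and the network so the demo runs offline.
_DEMO_DNS = {"www.example-av.test": "198.51.100.10", "ftp.example-av.test":
             "198.51.100.30", "update.example-av.test": "198.51.100.20",
             "download.example-av.test": "198.51.100.40",
             "update.example-os.test": "203.0.113.5"}

def demo_resolve(hostname: str) -> Optional[str]:
    return _DEMO_DNS.get(hostname.lower())

def demo_connect(ip: str) -> bool:
    # Simulated filter dropping everything in the vendor's /24.
    return ipaddress.ip_address(ip) not in ipaddress.ip_network("198.51.100.0/24")

if __name__ == "__main__":
    verdicts = triage(DEMO_HOSTNAMES, SAMPLE_HOSTS, demo_resolve, demo_connect)
    print(verdicts, blocked_networks(verdicts, demo_resolve))
```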

Conclusions:
So, to sum it up, Fantibag installs a packet-filtering policy [effectively a firewall] which will block access to a number of anti-virus companies, certain Microsoft sites, some other security-related sites, and a few other non-security-related sites.

Some of you may have noticed that some of the addresses included in the list are advert servers. I’m not quite sure why the author decided to include them, but it is an interesting side-effect of being infected by this Trojan. Maybe the malware author responsible for Fantibag despises advertising almost as much as we despise the malware authors, including the author of Fantibag? ;-)

Links:
F-Secure’s Description
Computer Associates Description


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 16th June, 2005


Mobile Malware’s First Birthday and Updates

Filed under: All, Malware

It has been a while since I last covered the area of mobile malware and I think it is time for an update, don’t you?

Happy Birthday Cabir!
On the 14th of June Cabir [the first mobile phone malware] had its first birthday. Exactly one year ago on that date the virus-writing group known as 29a [29a hex = 666 decimal] sent a sample of their latest proof-of-concept malware to AV vendors. Kaspersky Lab have claimed that they were the first to detect it, but most of the research since then on mobile malware has been carried out by F-Secure. Once analysed, Cabir was found to be a worm which could infect mobile phones running the Symbian Series 60 OS with Bluetooth capabilities. The worm actually uses Bluetooth to spread from phone to phone.

The source code for the original Cabir variant written by 29a showed up on a number of public sites on the Internet in December 2004. Not surprisingly, this led to the sudden appearance of new variants; mainly created by copycats and script-kiddies. Many of these first appeared in-the-wild [they were released by their creators and allowed to spread] during December 2004 and January 2005. Cabir has [to date] been seen spreading in over 30 countries. This level of spread is not bad for a Bluetooth worm that requires the end-user to accept and install the infection themselves.

Also, as some of you may remember, there were rumours that Cabir could infect the on-board computer in some cars via the Bluetooth interface; luckily this turned out to be false. If it had turned out to be true, then it would have brought a whole new meaning to suffering from a “malware-induced crash”.

The latest known variant of Cabir is Cabir.Y.

Anti-Virus Malware?
A new variant of the Trojan family known as Skulls has been found in-the-wild; this new variant is known as Skulls.L. The interesting thing about this new variant is that it takes social engineering to a new level for mobile malware, as it pretends to be a ‘cracked’ [pirated] version of F-Secure Mobile Anti-Virus.

This new variant is apparently a minor modification of the Skulls.C Trojan. The Skulls.L SIS file is given the same filename as the F-Secure Mobile Anti-Virus installation package. The Trojan shows the following dialog text: “F-Secure Antivirus protect you against the virus. And don’t forget to update this!” The twist is that the so-called anti-virus is actually the malware itself! When run, the Skulls.L Trojan breaks the system applications on the phone; the smartphone functions of the phone no longer work! The phone is now an expensive paperweight.

CommWarrior - coming to a phone near you soon?
CommWarrior, like Cabir [aka Caribe], spreads via Bluetooth, but more interestingly it can also spread via MMS [Multimedia Messaging Service].

CommWarrior seems to be spreading more quickly in-the-wild than Cabir. F-Secure report that they have had reports of it “in three new countries, Malaysia, Austria and Brunei” in the last few weeks.

This brings the total number of countries it is known to be at large in to eleven; these are:

1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei

More data on it appears below:

CommWarrior is a worm that operates on Symbian Series 60 devices; the worm is capable of spreading both over Bluetooth and via MMS messages.

When CommWarrior infects a phone it will start searching for other phones that it can reach over Bluetooth and send infected SIS files to the phones it finds.

In addition to spreading over Bluetooth, CommWarrior will also read the user’s local address book for phone numbers, and start sending MMS messages containing a copy of itself in a SIS file.

Why do people install the infected SIS file when it arrives via MMS? For the same reason that some users open e-mail attachments: it [appears] to have come from someone they know and/or trust, such as a friend, or as F-Secure put it, “...people just are unwilling to mistrust something coming from a friend”.

So what does this mean for most mobile phone users?
Well, unless you have a mobile based on Symbian or PocketPC [Windows CE], mobile malware is unlikely to bother you at this time.

However, if you have a Symbian Series 60 or PocketPC-based phone/PDA then expect malware to come calling some time soon; it may even arrive via MMS from someone you know… you have been warned!

Conclusions:
There are now around 100 mobile malware strains/variants targeting mobile phones. Luckily many are Trojans, and therefore can’t spread on their own; however, the small number that can spread via MMS or Bluetooth are doing rather well.



Tuesday 14th June, 2005


A ‘Crafty’ Anti-Phishing Tool

Filed under: All, Scams, Tools

Back in February I covered a useful browser tool called ‘SpoofStick’ which helps you combat Phishing web sites, as it shows which site you are really on. At the time I was aware of at least one other similar tool, but I had not had time to look at it or to test it. Well, I finally got round to installing and testing it; was it worth the wait…

To put it simply, yes it was well worth taking the time to look at this other tool.

What is this other tool, and where do you get it? All will be revealed below:

This other Anti-Phishing browser tool is produced by Netcraft, and it is cunningly called the ‘Netcraft Toolbar’. As with SpoofStick, it only works with Internet Exploder and Mozilla Firefox at this time.

Here is some blurb from the site which describes it:

The Toolbar community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing frauds. Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.

The Toolbar also:

* Traps suspicious URLs containing characters which have no common purpose other than to deceive.
* Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls.
* Clearly displays sites’ hosting location, including country, helping you to evaluate fraudulent urls (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).

Right, so now you know what it is and how it is supposed to work, but does it really ‘cut the mustard’ when used? To test this I downloaded and installed it on Firefox, and the results of the testing appear below:

So, what does it look like in action against a real Phishing site? Here’s one from a Phishing scam e-mail I received just this morning…

Here’s the actual e-mail in all its glory:

Looks very official and not at all suspicious, right? The only strange thing is that I don’t remember having an account with this bank ;-). Anyway, let’s click on the link in the e-mail and see what happens:

Something smells very ‘Phishy’ about this site, don’t you think? The popup above is from the Netcraft Toolbar; if I didn’t have it installed I wouldn’t have seen this warning popup.

OK, let me pretend I’m monumentally naive and actually ignore this warning. What do I see if I click on the ‘Yes’ button? Or, what would I see if I didn’t have the Netcraft Toolbar installed?

Looks like a bank site, apart from the odd domain name, ‘jturkopp.com’; that doesn’t sound right, does it?

So, let’s check the Verisign certificate by clicking on the Verisign graphic on the right-hand corner of the page. This is what we get:

This tells us that the certificate has expired and belongs to ‘southtrustonlinebanking.com’. Is that the same as ‘jturkopp.com’? I don’t think so!

Furthermore, it claims to be a ‘secure site’; this usually means that it is using SSL encryption. If you look at the status bar at the foot of the browser window [for the so-called ‘banking site’] you will see that there is no ‘padlock’ [unlike on the Verisign site], so it isn’t a secure site at all!

So, even without the help of the Netcraft Toolbar, we can surmise that this site is not what it claims to be. With the help of the Netcraft Toolbar we know with 99.9999 percent certainty that it is a bogus site. How?

  1. The popup warning.
  2. The risk rating: ‘solid red’.
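As an added example (not code from the original post or from Netcraft), here is the same reasoning in Python: URL features that exist mainly to deceive, whether the certificate actually names the host being visited, and whether it has expired. The host names are the ones from the post; the path, the certificate name list, the dates and the `DEMO_*` values are constructed.

```python
# Added example, not code from the original post or from Netcraft. It
# automates the manual checks made above: URL features that exist mainly
# to deceive, whether the certificate actually names the host being
# visited, and whether it has expired. The host names come from the post;
# the path, certificate names, dates and DEMO_* values are constructed.
import ipaddress
from datetime import datetime, timezone
from typing import Iterable, List
from urllib.parse import urlsplit

DEMO_URL = "http://www.jturkopp.com/online/login.htm"
DEMO_CERT_NAMES = ["southtrustonlinebanking.com", "www.southtrustonlinebanking.com"]
DEMO_NOT_AFTER = datetime(2005, 1, 31, tzinfo=timezone.utc)   # constructed expiry
DEMO_NOW = datetime(2005, 6, 14, tzinfo=timezone.utc)         # date of the post

def url_red_flags(url: str) -> List[str]:
    """Short codes for URL features whose main purpose is to mislead a reader."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    flags: List[str] = []
    if parts.username is not None:
        flags.append("userinfo-in-url")      # http://bank.example@evil.test/
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")      # a bank does not log you in at a bare IP
    except ValueError:
        pass
    if "%" in parts.netloc:
        flags.append("percent-encoded-host")
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        flags.append("lookalike-host")       # non-ASCII or punycode labels
    if host.count(".") >= 4:
        flags.append("deep-subdomain")       # bank.example.login.evil.test
    if parts.scheme.lower() != "https":
        flags.append("no-https")             # no padlock, whatever the page says
    return flags

def cert_matches_host(host: str, cert_names: Iterable[str]) -> bool:
    """Exact match, or a wildcard that covers the leftmost label only."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif host == name:
            return True
    return False

def assess(url: str, cert_names: Iterable[str], not_after: datetime,
           now: datetime) -> List[str]:
    """URL heuristics plus the two certificate checks from the post."""
    findings = url_red_flags(url)
    host = urlsplit(url).hostname or ""
    if not cert_matches_host(host, cert_names):
        findings.append("cert-host-mismatch")
    if now > not_after:
        findings.append("cert-expired")
    return findings

if __name__ == "__main__":
    print(assess(DEMO_URL, DEMO_CERT_NAMES, DEMO_NOT_AFTER, DEMO_NOW))
```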

So, all in all this is a useful addition to your browser to help combat Phishing scams, well worth the download and toolbar space it uses.

Where do you get this useful tool?
Here: http://toolbar.netcraft.com/

Other useful links:
Gone Phishing, Back Later, as You!
SpoofStick
Anti-Phishing Working Group



Friday 10th June, 2005


Jacko Suicide Attempt SPAM Leads to Malware

Filed under: All, Malware

“Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt.” Or so the e-mail that has been widely spammed around the World would have you believe!

Yes, this is another disgusting ploy to get you to infect your [or your company’s] computer with malware. This new one uses the same social engineering techniques that we’ve seen in the past from scumware authors, who rely on using famous/infamous people’s names, such as Osama Bin Laden, Saddam Hussein, Nick Berg and many others, to create fake headlines and/or stories so that you will run the attachment or click on the link.

What does the e-mail look like?

The subject line looks like this: Re: Suicidal aattempt


The e-mail body contains the following text:

Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt.

They suggest this attempt follows the last claim was made against the king of pop. 46 years old Michael has left pre-suicid note which describes and interpretes some of his sins.

Read more…

Please note: the Neverland picture is not part of the e-mail; it is just used as an illustration for this article.

If you are foolish or curious enough to click on the web site link, then all you will see is an error message stating that the web site is too busy. However, in the background the web site is downloading and installing the malware onto your computer without your knowledge or approval; very sneaky!

This is not the first time that Jackson’s name, lifestyle or allegations made against him have been used by scumware authors trying to spread their wares. In October 2004 messages were posted on the Internet claiming that a number of ‘incriminating home videos’ belonging to Jackson had been discovered; however, any user curious enough to click on the link got a case of the digital pox. That time it was the Hackarmy Trojan that they were pushing; this time it is a member of the Borobot family of Trojans.

The Borobot family are remote-access Trojans [aka RATs]; this means that they create a backdoor into the infected system to allow the author to take control of the PC. Furthermore, they usually act as a proxy server, routing information from a remote user to their chosen destination, and may also connect to an IRC server and download files from remote locations and execute them if instructed to do so.

Finally, to make sure the malware gets loaded each time Windows starts, it adds itself to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run. So in true ‘Terminator’ style, it is saying “I’ll be Back!”

Expect to see more of this type of scummery in the next week or so using Jackson’s name as a lure to tempt the unwary or curious.

The worrying and somewhat ironic thing is that there are real fears that Mr Jackson may well be suicidal; see here and here for more details.

So, which famous or infamous personalities would make you click on a link or run an attachment?



Wednesday 8th June, 2005


May 2005 Review

Filed under: All, Malware, Stats

Well, May has come and gone, and an interesting month it has been on the malware front!

Like previous months, I will cover some statistics from my own sensors and compare those against some from a major anti-virus company, and finally I will cover new and interesting things that occurred during May.

I’ve created some graphs and performed some trend analysis on the raw data from my WormCharmer and Bayesian filter for May. I hope they are of some interest.

I have included three sources of information for the graphs and pie-charts; these are:

  • Kaspersky
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all their data comes from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 2+ years, the Malware Bayesian Filter for 1+ year.

In total I captured 3631 samples during May, which have been catalogued as 148 distinct families and variants. In comparison, during April 2005 I captured 2327 samples, which were catalogued as 159 distinct families/variants. As you can see, this is a 36 percent increase in samples captured!

During May I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. However, these were just the ones I had time to process; in all I probably caught 20+ other new pieces of malware which I didn’t get the chance to submit, due to other commitments and a high workload. I’m working my way through them now.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

The e-mail worm, bot and share-crawling worm W32/Mytob.be@MM [McAfee] was the sample with the highest number of captures, closely followed by four others of the same malware family: W32.Mytob.bf@MM, W32.Mytob.DJ@mm [Frisk], W32.Mytob.ay@MM [McAfee] and the final member of the clan, WORM_MYTOB.ER [Trend]. Only one Netsky member appears in the top 10 this month, W32/Netsky.d [McAfee] [we had 3 in the top 10 in April]. Hot on its heels is a new member of the Sober worm family, W32/Sober.p@MM [McAfee]. The final 3 places in the top 10 are taken by Trojan-Proxy.Win32.Ranky.z [Kaspersky], W32/Backdoor.MY [Frisk] and finally a multi-component dropper.

Interestingly, we have no representatives of the Agobot family in this month’s top 10. It seems that they have been well and truly ousted from the top 10; the best they could do this month was 15th!

If you compare the above to the data from Kaspersky you may see some marked differences. Why? Well, simply put, my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties. As you can see, the top 10 from Kaspersky is dominated by the Netsky e-mail worms and the Mytobs, followed by 2 Zafi variants, Sober.p and LovGate.w.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of May] here. This clearly shows that May was significantly busier than April; in fact, as you can see, the last time it was this busy was back in November and December 2004 [as far as e-mail based malware was concerned].

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 130,008 [as at the end of April 2005]. That’s a growth of 17,570 so far this year, and we are not quite half way through the year yet! Last year in total we saw 28,327 new malware strains. It looks like we could see 40,000 new malware strains by the end of the year, sheesh!

In May we saw the following new malware appear:

A number of new Mytob variants. This family of worms, which first appeared in March’s results, is based on the MyDoom e-mail worm, but with a twist! The source code was modified to also enable it to spread using the LSASS exploit [a la Sasser], as well as via the more common e-mail vector that MyDoom used.

In May we also saw new variants of Sober, including Sober.q, which was responsible for sending right-wing [Nazi/Neo-Nazi] propaganda SPAM, clogging up everyone’s e-mail boxes.

Conclusions:

Well, as you can see the Mybots are on the march and causing significant levels of pain; not just to those that are infected, but also to the AV companies.

One technique that is becoming more widely used is to SPAM out a small downloader program which can get past AV defences. Once installed, this turns off or removes AV, personal firewall and other security tools [lowering/disabling all the defences it can] and then connects to one [or more] of a pre-programmed list of web sites, where it will attempt to download another component and run/install it [let down the drawbridge and let its allies in to rape, pillage and take over the castle].

At this point your computer is wide open to misuse and may well be part of a botnet, all your financial details may have been captured, and you may well be sending SPAM and/or Phishing scam e-mails by the bucket-load without your knowledge!

I will cover this ability to disable security tools, including anti-virus, personal firewalls, anti-spyware and numerous other system and third party monitoring/status tools in a separate blog posting as soon as I can.

UPDATE: Looks like June is busting out all over! My sample captures already this month [8th June] are significantly higher than usual; if it carries on like this then we could be looking at over 5,000 by the end of the month…

Links:
Malware Evolution: May Roundup [Kaspersky]
Virus Top Twenty for May 2005 [Kaspersky]



Friday 3rd June, 2005


Osama Bin Laden Captured….

Filed under: All, Malware

Not!

It seems that the author of Bobax is back using his/her preferred social engineering methods. We’ve seen this trick used before by the author [see my Saddam is Worm Food! blog entry from February for more details].

However, this time it seems that instead of just using another variant of Bobax to start the infection by e-mailing itself out, the author has spammed out another piece of malware [TROJ_SMALL.AHE] as a way of trying to bypass filters [both technological and human]… sneaky, but not new!

So what do we know so far about the Trojan?

The spammed e-mail contains the following text:

Turn on your TV. Osama Bin Laden has been captured.

While CNN has no pictures at this point of time, the military channel (PPV) released some pictures.
I managed to capture a couple of these pictures off my TV.
Ive attached a slideshow containing all the pictures I managed to capture.
I apologize for the low quality, its the best I could do at this point of time.
Hopefully CNN will have pictures and a video soon.

God bless the USA!

[random name]

Please note: the CNN and Bert picture is not part of the e-mail; it is just used as an illustration for this article.

The e-mail also has an attachment which is a ZIP file with a random name.

The zip file is quite small [900 bytes], and the file contained in the ZIP file is called ‘pics.scr’ and is 1,536 bytes in size.

If the recipient is curious enough to let curiosity overcome common sense and run the attached file [after unzipping it first], the Trojan connects to one of several web site addresses and attempts to download a file named ‘D.GIF’, which is really an executable, not a graphics file at all!

This so-called GIF file is actually ‘WORM_BOBAX.P’, which is a mass-mailing worm. More details on Bobax.P can be found below:

This memory-resident worm spreads by sending a copy of itself as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

The message it creates and sends out has the following characteristics:

Subject: [blank]

Message body: (One of the following text strings).

  • Attached some pics that i found
  • Check this out :-)
  • Hello,
  • I was going through my album, and look what I found..
  • Long time! Check this out!
  • Osama Bin Laden Captured.
  • Remember this?
  • Saddam Hussein - Attempted Escape, Shot dead
  • Secret!
  • Testing

The above text is followed by one of the following strings:

  • +++ Attachment: No Virus found
  • +++ F-Secure AntiVirus - You are protected
  • +++ Norman AntiVirus - You are protected
  • +++ Norton AntiVirus - You are protected
  • +++ Panda AntiVirus - You are protected
  • +++ www.f-secure.com
  • +++ www.norman.com
  • +++ www.pandasoftware.com
  • +++ www.symantec.com

This is to make you believe that the attachment has been scanned for viruses and is safe to run, which it is not.

Attachment: (One of the following names followed by a .ZIP extension)

  • bush.1
  • funny.1
  • joke.1
  • pics.1
  • secret.2
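An added mail-filter check (not code from the original post or from any vendor write-up) for the message traits listed above: a blank subject, a fake “scanned and clean” footer, a ZIP attachment carrying one of the lure names, and a screensaver or other executable inside that ZIP. The two sample messages and the ZIP contents are constructed in the block; the member bytes are a placeholder, not a program.

```python
# Added example, not code from the original post or from any vendor. It
# checks a raw RFC 822 message for the Bobax.P lure traits listed above:
# a blank subject, a fake "scanned and clean" footer, a ZIP attachment with
# one of the lure names, and a screensaver/executable inside that ZIP.
# The sample messages and ZIP contents built here are constructed.
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List

FAKE_SCAN_FOOTER = re.compile(
    r"^\+\+\+ (.*AntiVirus - You are protected|Attachment: No Virus found|www\.\S+)\s*$", re.M)
LURE_ATTACHMENT = re.compile(r"^(bush|funny|joke|pics|secret)\.\d\.zip$", re.I)
RISKY_MEMBER = re.compile(r"\.(scr|exe|pif|com|bat)$", re.I)

def bobax_indicators(raw: str) -> List[str]:
    """Return the lure traits found in one raw message, in the order checked."""
    msg = message_from_string(raw, policy=policy.default)
    found: List[str] = []
    if not (msg["Subject"] or "").strip():
        found.append("blank-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_SCAN_FOOTER.search(body.get_content()):
        found.append("fake-scan-footer")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_ATTACHMENT.match(name):
            found.append("lure-attachment-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(RISKY_MEMBER.search(m) for m in zf.namelist()):
                    found.append("executable-in-zip")
        except zipfile.BadZipFile:
            pass  # not a ZIP at all; nothing to look inside
    return found

def is_bobax_lure(raw: str) -> bool:
    """Flag when the message both fakes a scan result and carries a packed executable."""
    return {"fake-scan-footer", "executable-in-zip"} <= set(bobax_indicators(raw))

def build_sample(subject: str, body: str, attach_name: str, member: str) -> str:
    """Construct a test message; the ZIP member is stand-in bytes, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "friend@example.test"
    msg["To"] = "you@example.test"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_string()

# Constructed samples: one shaped like the lure above, one ordinary message.
LURE_MAIL = build_sample("", "Check this out :-)\n\n+++ Norton AntiVirus - You are protected\n",
                         "pics.1.ZIP", "pics.scr")
CLEAN_MAIL = build_sample("Re: minutes", "Attached as promised.\n", "minutes.zip", "minutes.txt")

if __name__ == "__main__":
    for label, raw in (("lure", LURE_MAIL), ("clean", CLEAN_MAIL)):
        print(label, is_bobax_lure(raw), bobax_indicators(raw))
```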

The author has raised their game with this new variant of Bobax, as it can now propagate by taking advantage of the Windows LSASS vulnerability [a la Sasser]. The vulnerability that this uses was fixed by Microsoft Security Bulletin MS04-01.

What’s more, Bobax.P will modify the system’s HOSTS file in order to prevent users from accessing certain web sites [these being security and anti-virus vendors’ sites].

According to the F-Secure Virus Lab weblog, at least one weblog was actually duped by these messages, and as a result they posted ‘breaking news’ about Osama Bin Laden’s capture.

Well, it has been a busy week on the malware front; it seems that the school holidays [at least in the UK] have had their usual effect!


