MoMusings

Friday 21st October, 2005


Bricking it!

Filed under: All, Malware

Another new trend has appeared during the last few months; this being malware written to target the newer handheld games consoles, such as the PlayStation Portable [PSP] and the Nintendo DS.

This is an interesting trend as it is now very rare that we see malware that attempts to render its host unusable [outside of malware written for mobile phones/PDAs anyway], or at least requiring a full reinstall of the relevant OS. So, let me update you on the currently known threats for your beloved handheld consoles.



PlayStation Portable:
F-Secure originally posted this on the discovery of the PSP Trojan, which effectively turns the ‘patched’ PSP into a very expensive electronic brick.

This is what they had to say:

Older versions of the PSP firmware (eg. 1.50) have a vulnerability that allows easy execution of custom code on the device. Ever since Sony has fixed the flaw in newer versions, the firmware downgrade to 1.50 became the “Holy Grail” of PSP homebrew development. After the discovery of a buffer overflow in version 2.0 of the PSP firmware, many rushed to be the first to release a working firmware downgrader.

They have now posted a very interesting followup, actually showing a fully-working ‘donated’ PSP being turned into a non-functional one. They recorded the whole thing for ‘posterity’.

The ‘thriller’ can be found here: http://fsck.f-secure.com/archives/bricking_psp2.wmv (14427k file)

More data on this ‘fake’ firmware patch can be found on PSP Updates who offer the following warning:

For anyone who has seen a “patcher” floating around the net by PSP Team. It’s fake. It will brick your PSP and will void your warranty. Skylark has disassembled the binary and the results can be found here:
[Disasm By Skylark (http://mirror.toc2rta.com/disasm_skylark.txt)][Pspupdates thread (http://forums.qj.net/showthread.php?t=19249)]

Conspiracy theorists everywhere are seeing ‘Black Helicopters’; here’s an example of feedback posted on the above article:

Does anyone besides me find it a little “Coincidental” that a poison hack was found roughly at the same time an update was posted to stop all hacks? I think “someone” is forcing updates on the masses, for our own protection, of course.

Quick, where did I put my tinfoil hat ;-)

As a final note: Sony state that running any unauthorised code on the PSP will immediately void your warranty, so you have been warned.

Nintendo DS:
F-Secure reported that a trojan for the Nintendo DS has been found which does a similar thing to the DS that the PSP trojan does to the PSP; turns it into an expensive electronic brick. F-Secure has imaginatively named it ‘DSBrick’.

The good news is that ‘DSBrick’ will only run on modified Nintendo DS systems; so it isn’t a threat to non-modded versions.

More details on this threat can be found on Engadget who have the following to say on this risk:

So if you happen to be of the dubious persuasion to run 3rd party DS roms claiming to be hentai viewers (ahem), don’t come whining to us when you’re stuck with a fancy paperweight trying to figure how to restore your DS to a playable state.

I really like their style of reporting! ;-)

So, the burning question in my mind right now, is:

How many of you PSP or DS users are prepared to ‘brick’ your handheld gaming devices, just so that you can run some…er….’interesting content’ or hacked games?

Hands up, so that I can count !


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Wednesday 19th October, 2005


Virus Bulletin 2005 Review

Filed under: All, Malware, Papers

Well the annual Virus Bulletin International conference has come and gone again. This year it was held in Dublin, Ireland between the 5th and 7th of October. The change this year was a move to extending the conference to an ‘almost 3 day’ format.

As usual there were over thirty top speakers there to present their papers. These ranged from discussing ‘Symbian Malware’ to panel discussions on ‘Who is hiding the virus writers’ and ‘Dying for information in the information age’. There were numerous excellent technical and corporate presentations.

The ‘Technical’ stream was once again the most interesting (from my perspective), although I did sit in on several ‘Corporate’ stream presentations as well.

Tuesday the 4th - Pre-conference activities:
I took part in the AVIEWS/AVIEN discussing the upcoming ‘Virtual Conference’ amongst other topics and general chit-chat, such as catching up with old friends.

The following were the top presentations that caught my interest:

Day 1 - October 5th:
We kicked off early in the morning with a number of vendor presentations. The ones I managed to see were the ones from Eset [Presented by Andrew Lee] and Trend [Presented by David Perry]. As usual David’s presentation was both informative and very funny. He also made some very nice comments about my paper during his talk.

The conference officially started at 14:00 with Helen Martin’s Welcome pitch. The conference then split into two streams [as usual], one being the technical stream and the other being the corporate stream.

The keynote presentations for each stream were:

  • Technical: Igor Muttik talking about ‘Manipulating the Internet’.
  • Corporate: Martin Overton talking about ‘Bots and Botnets: risks, issues and prevention’.

From 16:20 and for the rest of the afternoon I was chairing sessions in the ‘Technical Stream’. Both of these talks were interesting. The talks were about ‘Tracing execution paths’ and ‘Defeating polymorphism: beyond emulation’.

I also participated in a ‘Round Table’ session on ‘Malware Trends’ after the end of the day’s presentations. Although this was interesting and lively, the down side was that 3 of the 4 invited guests were misquoted by the press. As usual, this caused a certain amount of annoyance to those affected. But, this is a known [and grudgingly accepted] risk when dealing with the press.

After that a well deserved drink was had by all at the ‘Welcome Drinks’ event [Guinness and Jameson, of course], and this spilled over into another ‘Private Drinks’ session after the official VB ‘Welcome’ party finished.

Day 2 - October 6th:
As usual on the second day I spent the whole day in the technical stream. The following caught my interest:

  • Solving the Bagle jigsaw - Scott Molenkamp and Hamish O’dea.
  • The evolution of malicious IRC bots - John Canavan.
  • What makes Symbian malware tick - Jarno Niemela.
  • Hide ‘n seek revisited - full stealth is back - Kimmo Kaslin et al.
  • Dying for information in the information age - Gaby Dowling [I was a panel member on this session].

The day was finished off by the ‘Gala Dinner’, which is always a good event. As usual we were entertained by a local act. In this case it was a ‘Riverdance’ type troupe of dancers.

Day 3 - October 7th:
I split my day between the technical and corporate stream as there were a number of interesting looking talks I wanted to attend. These were the ones that I found most interesting:

  • Genotype spam detection - Dmitry Samosseiko.
  • Why user authentication is a bad idea - Nick Fitzgerald.
  • Pseudo-words for spam filtering in an unmodified Naïve Bayesian text classifier - John Graham-Cumming.
  • The strange case of Judith C. - David Perry.
  • Techniques of adware and spyware - Eric Chien.

Conclusion:
VB2005 was the best attended of the VB conferences over the last 5 years or so (380 delegates), lots of new faces, lots of old faces too. This has helped to keep VB fresh and interesting and, as far as I’m concerned, the best security conference for the area that I’m interested in, and long may it stay that way!

If you are interested in security and malware/anti-malware and related things then this is a must attend conference!

For those that are interested, the paper I presented at this conference can be found here: http://arachnid.homeip.net/papers/

This covers Bots and Botnets, discussing what they are, how they work, the risks they bring and what techniques and methodologies you can use to help counter them.



Monday 17th October, 2005


September 2005 Review

Filed under: All, Malware, Stats

September has come and gone, and it was another interesting month, although a rather quieter one, on the malware front at least. Shame the same couldn’t be said for SPAM, 419s and Phishing. However this trend is challenged by the latest data from F-Secure. They report that they see Phishing stabilising, but SPAM is up significantly.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for September.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 2711 samples during September, which have been catalogued as 103 distinct families and variants. In comparison during August 2005 I captured a massive 8315 samples which were catalogued as 82 distinct families/variants. As you can see September was significantly quieter than August and was more in line with an average month.

During September I captured and submitted 26 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

During September I reported 43 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

The share-crawling virus PE_TENGA.A [TREND] was the sample with the highest number of captures [accounting for over 28 percent of all captured files]. As usual there are a number of Mytob variants in the top 10 [5 in fact; ch, ce, u, HN and HC]. Agobot has managed to claw its way back into the top 10 after a short absence. In this case it is W32/Agobot.ECW [FRISK]. The Ranky family of Trojans is represented, as is the Sdbot family. Both of the samples in the top 10 were dropped by a multi-component dropper, which is an increasingly common trick used by the malware authors.

It seems that this has been a ‘bad’ month for Mytob as the numbers of variants captured is down significantly; hopefully this is a new trend which will continue.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.
As you can see the top 10 from Kaspersky is dominated this month by Zafi.d, Mytob.c and Zafi.b. Between these three malware variants they account for over 45 percent of reported samples to Kaspersky. The rest of the chart is made up of more Mytobs [q, t, u and bk], two Netsky variants [b and q] and Lovgate.w.

In the SOPHOS chart we see a different pattern, with Netsky.p as the leader of the pack with 2 Mytob variants [BE and AS] hot on its heels. Just like in the data from Kaspersky we have Zafi.D, but no sign of the B variant. The rest of the chart is taken up by yet more Mytob variants and Netsky.D.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. The table is headed up by Tenga, with over 28 percent of all samples caught, and this is only one variant.

The Mytob family have managed to capture second place with over 24 percent of the total, which is significantly down from August where they dominated the chart taking over 81 percent.

The Sdbot family has gained significant share over the last month accounting for 13 percent of all captured samples. As mentioned before Agobot is back, although their share is a mere 6 percent.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of September] here. This clearly shows that September was significantly quieter than August, in fact as you can see the last time it was this quiet was back in March and April 2005 [as far as e-mail based malware was concerned].

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 150,324 [as at the end of September 2005]. That’s a growth of 37,886 so far this year! Last year in total we saw 28,327 new malware strains, so we have already eclipsed last year.

Looks like we could see 50,000 new malware strains by the end of the year!

What’s New?
Bagles, Bagles, everywhere:
During the course of September we saw over 20 new Bagle variants, during its peak we were seeing as many as 5 or 6 new variants a day.
When I say Bagle variants, I must add some clarification, as many vendors actually call the last lot of so-called Bagles by a different name: Mitglieder. In many cases these latest so-called Bagles are nothing more than SPAMmed out droppers and downloaders, often sent through botnets, containing no replicating code in their payload at all. They simply connect to a list of servers, when executed, and download the extra functionality instead.

Whither Mytob?
As mentioned earlier in this report Mytob suffered a setback during September, and other malware rose to take its once dominant place. Why? Some of the reasons for this are fairly straightforward:

  • As you are all aware, a new Microsoft Windows vulnerability [and patch], known as MS05-039, was released. This flaw affected the Plug’n'Play service in Windows 2000 and XP. The malware authors took advantage of this new vulnerability and started to divert their attention away from email worms and back on to network worms. The first result of this switch was Zotob. Many bot families were also updated to use this vulnerability.
  • The arrests of two individuals in Morocco and Turkey accused of creating a number of variants of the Mytob worm family seem to have caused somewhat of a hiatus in the development and release of the more usual large number of new Mytob variants. Furthermore, those arrested are also accused of being the creator and distributor of Zotob.A. It is still unclear just how pivotal these individuals are in the creation and distribution of Mytobs. If they are the ring-leaders, then expect more arrests over the next month or two. If not, then expect the new Mytob worm variants to start to increase again shortly.

CardTrap
This is a new threat that has been discovered for mobile phones which use the Symbian OS, and attempts to infect Windows systems whenever a memory card is inserted in a reader on the Windows PC.

Described by F-Secure as: “SymbOS/Cardtrap.A is otherwise unremarkable Symbian trojan, except that it also tries to infect users PC if user inserts the phone memory card to PC.

They go on to say:
When infecting Symbian phone the Cardtrap.A copies two Windows worms Win32/Padobot.Z and Win32/Rays into the phones memory card. The Padobot.Z is copied with autostart.inf file in attempt to start automatically if the card is inserted to PC using windows. The Rays is copied with filename System and same icon as system folder, this is done as social engineering attempt so that user would click on Rays instead of System folder.”

So, it seems to be just a ‘Proof-of-Concept’ which at this time is unlikely to actually infect Windows systems as they currently do not support ‘autorun’ from a memory card [such as SD or MMC cards].

More details can be found here: http://www.f-secure.com/weblog/#00000659 and here: http://www.f-secure.com/v-descs/cardtrap_a.shtml

Conclusions:
Well, as you can see the domination of the Mytobs has now been broken, at least temporarily. Agobot and Sdbot are back in the Top 10, although Tenga.A is now taking control of the number one position in both the individual variant table and the family table too. So, it is a clean sweep for Tenga.

Links:
Virus Top Twenty for September 2005 [Kaspersky]
Top ten viruses and hoaxes for September 2005 [Sophos]



Thursday 13th October, 2005


Zotob Madness

Filed under: All, Articles, Malware

As promised I have finally managed to find a few minutes to modify and post my much promised article on Zotob!

This article is a rewrite of one I wrote for the Virus Bulletin magazine and it was published in the October 2005 edition. The modified version posted here is authorised by Virus Bulletin.

The published [Virus Bulletin] version will be made available here: http://arachnid.homeip.net/papers/ from the beginning of November. This has also been authorised by Virus Bulletin.

It All Started…
Monday the 15th of August passed fairly quietly until around 4PM [GMT], when something started to spread quickly on the Internet, causing many companies’ Windows 2000 systems to reboot themselves automatically. Once that had completed it was quickly followed by the unexplained slowdown of internal networks. Were these things related? You bet they were! We were once more under attack by a new fast-spreading network worm.

Patch or Zotob? The Choice is Yours!
On the 9th August, Microsoft released security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000 which was rated as critical. Microsoft also released a fix to patch the loophole. The race was now on, how long until a worm appeared to take advantage of the flaw or more than 70 percent of the vulnerable systems were patched - which would reach the finish post first? Place your bets now ;-)

A mere five days after the Microsoft Security Bulletin, a worm called Zotob appeared that exploited the loophole. This meant that all those systems which were not yet patched, or were not protected by other methods [such as personal firewalls, IDS, IPS or AV with buffer overflow protection] were now vulnerable to coming down with a case of the digital pox known as Zotob.

Zotob’s Entrails
According to the F-Secure Lab Weblog, Zotob was captured and an initial analysis was made of it at around 12:00 [GMT] on the 14th of August [a Sunday]. This confirmed that the rumours of a worm targeting systems not patched by MS05-039 were true; a new worm using this exploit was indeed ‘in-the-wild’, albeit in small numbers at that time.


The initial analysis mentions that the worm may be using the ‘houseofdabus’ exploit code and when a system becomes infected it scans the network for other systems via port 445/tcp, at a rate of 300 threads per infected system. Each thread will attempt to connect to a random IP address, made up from the first two octets of the current system’s IP address and randomising the last two octets. E.g. if the system infected has an IP address of 10.10.10.1 then it will attempt to scan random IP addresses in the range 10.10.0.0 to 10.10.255.255.

Any system that reports that the port is open will be sent a copy of the exploit code, whether it has been patched or not, or is vulnerable or not. Zotob isn’t fussy, and is certainly hedging its bets. In theory a *NIX box running Samba listening on 445 would also be sent the exploit code, even though it can’t be exploited or infected by Zotob. If it fails to exploit the target system or if port 445 is not open, it generates another IP address to target.

If the system is not yet patched and is a Windows 2000 system, then the exploit code should run and cause a buffer overflow unless the system is protected in other ways. If the exploit code runs successfully then this will create a shell (CMD.EXE) which listens on port 8888/tcp. The scanning [infected] computer will then try to send an FTP script to the newly listening shell on the victim computer. This script is written to the victim’s hard disk as ‘%SYSTEM%\2pac.txt’ and tells the newly exploited victim to download a copy of the worm binary from the same infected attacking system that sent it the exploit code in the first place.

The attacker’s FTP server runs on port 33333 and this purely acts as a pickup point for the worm’s binary, which is called ‘haha.exe’.

This downloaded file when run creates a copy of itself in the %SYSTEM% directory [e.g. C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32] as a file called ‘botzor.exe’. Once done it creates a mutex of ‘B-O-T-Z-O-R’ to ensure that only one copy of itself is running on the newly infected system. Guess where the name Zotob came from? Hint: Look at the Mutex used.

Zotob now adds itself to the system registry to ensure that it gets loaded each time the system starts, and also adds a key which disables the shared access service [Internet Connection Sharing and Internet Connection Firewall].

The newly infected system now connects to an IRC server on port 8080, effectively signing in for service as part of a botnet. In the case of Zotob.A, the IRC server in question is ‘diabl0.turkcoders.net’. Later variants use other IRC servers.
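The network behaviour described above leaves a recognisable sequence in connection logs, so it can be hunted for. The following is an added example, not code from the original article: it flags hosts that probe many neighbours in their own /16 on 445/tcp, pairs where a connection to 8888/tcp is followed by the target fetching from the source on 33333/tcp, and suspect hosts that then connect out on 8080/tcp. The log format, the thresholds and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports named in the article.
SCAN_PORT, SHELL_PORT, FTP_PORT, IRC_PORT = 445, 8888, 33333, 8080
SCAN_THRESHOLD = 20     # assumption: distinct same-/16 targets on 445 before alerting
PICKUP_WINDOW = 120.0   # assumption: seconds allowed between shell and FTP pickup


def same_slash16(a, b):
    """True when two IPv4 addresses share their first two octets."""
    return ipaddress.IPv4Address(a).packed[:2] == ipaddress.IPv4Address(b).packed[:2]


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines (assumed format) into time-ordered tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((float(ts), src, dst, int(dport)))
    return sorted(flows)


def analyse(flows):
    """Correlate flows into scanners, attacker/victim pairs and IRC check-ins."""
    targets = defaultdict(set)   # src -> distinct same-/16 destinations on 445
    shell_seen = {}              # (attacker, victim) -> time of the 8888/tcp connection
    port8080 = set()             # every source seen connecting out on 8080/tcp
    infections = set()
    for ts, src, dst, dport in flows:
        if dport == SCAN_PORT and same_slash16(src, dst):
            targets[src].add(dst)
        elif dport == SHELL_PORT:
            shell_seen[(src, dst)] = ts
        elif dport == FTP_PORT:
            # The victim (src) calls back to the host that opened its shell (dst).
            opened = shell_seen.get((dst, src))
            if opened is not None and 0 <= ts - opened <= PICKUP_WINDOW:
                infections.add((dst, src))
        elif dport == IRC_PORT:
            port8080.add(src)
    scanners = {s for s, seen in targets.items() if len(seen) >= SCAN_THRESHOLD}
    suspects = scanners | {a for a, _ in infections} | {v for _, v in infections}
    # 8080/tcp is also a common proxy port, so only report it for suspect hosts.
    return {"scanners": scanners, "infections": infections,
            "irc_checkins": port8080 & suspects}


def constructed_sample():
    """Constructed flow records (not real traffic): one outbreak plus benign noise."""
    lines = ["# ts src dst dport"]
    for i in range(25):  # 10.10.10.1 probes 25 distinct neighbours on 445
        lines.append(f"{100 + i * 0.1:.1f} 10.10.10.1 "
                     f"10.10.{(i * 37) % 256}.{(i * 91 + 7) % 256} 445")
    lines += [
        "103.0 10.10.10.1 10.10.3.7 445",
        "103.5 10.10.10.1 10.10.3.7 8888",    # shell on the victim
        "104.0 10.10.3.7 10.10.10.1 33333",   # victim fetches the binary
        "110.0 10.10.3.7 192.0.2.50 8080",    # victim joins the IRC channel
        "50.0 10.10.20.5 10.10.0.2 445",      # ordinary file-server use
        "51.0 10.10.20.5 10.10.0.3 445",
        "52.0 10.10.20.5 192.0.2.80 8080",    # ordinary proxy use
        "60.0 10.10.30.9 10.10.30.10 33333",  # 33333 with no preceding shell
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, value in analyse(parse_flows(constructed_sample())).items():
        print(name, sorted(value))
```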

Zotob also adds a list of common anti-virus and security related sites to the hosts file on the newly infected system. This is to try and stop the owner getting to the sites for updates or information. All entries are redirected to 127.0.0.1 [the local loopback address to the system].

Here’s a list of some of the entries:

avp.com, ca.com, ebay.com, f-secure.com, kaspersky.com, mcafee.com, microsoft.com, moneybookers.com, my-etrust.com, nai.com, networkassociates.com, pandasoftware.com, paypal.com, sophos.com, symantec.com, trendmicro.com, viruslist.com, virustotal.com, www.amazon.com, www.avp.com, www.ca.com, www.ebay.com, www.f-secure.com, www.grisoft.com, www.kaspersky.com, www.mcafee.com, www.microsoft.com, www.moneybookers.com, www.my-etrust.com, www.nai.com, www.networkassociates.com, www.pandasoftware.com, www.paypal.com, www.sophos.com, www.symantec.com, www.trendmicro.com, www.virustotal.com…

If you were infected and tried to visit one of the listed sites, the request would fail. So, you would not be able to get information or even update your anti-virus. Even Windows update would fail.

Coder and Death Threats
Zotob also writes other strings, one of them quite chilling, into the hosts file of the newly infected system, these strings are:

“Bozor2005 Made By …Greetz to good friend Coder. Based on HellBot3”

And

“MSG to avs: The first who detects this worm will be the first killed in the next 24 hours!”

Just in case there was any doubt, the mention of HellBot3 in the first string clearly shows that Zotob was based on Mytob and not any other worm code.
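The hosts-file changes described in the last two sections can be checked for directly. The following is an added example, not part of the original article: it parses a hosts file, reports any entry that overrides one of the domains listed above, and reports lines carrying the marker strings quoted above. Matching subdomains by suffix is a generalisation beyond the article's list, and the sample file content is constructed.

```python
import ipaddress

# Registrable domains from the article's list; "www." and other subdomains are
# matched by suffix (an assumption that widens the article's exact entries).
WATCHED = {
    "avp.com", "ca.com", "ebay.com", "f-secure.com", "kaspersky.com",
    "mcafee.com", "microsoft.com", "moneybookers.com", "my-etrust.com",
    "nai.com", "networkassociates.com", "pandasoftware.com", "paypal.com",
    "sophos.com", "symantec.com", "trendmicro.com", "viruslist.com",
    "virustotal.com", "amazon.com", "grisoft.com",
}
# Substrings of the two strings quoted in the article.
MARKERS = ("Based on HellBot3", "MSG to avs:")


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each valid mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: not a mapping
        yield lineno, addr, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return overridden watched domains and the lines holding marker strings."""
    entries = []
    for lineno, addr, hosts in parse_hosts(text):
        for host in hosts:
            if is_watched(host):
                local = addr.is_loopback or addr.is_unspecified
                entries.append((lineno, host, str(addr),
                                "sinkholed" if local else "overridden"))
    markers = [n for n, raw in enumerate(text.splitlines(), 1)
               if any(m in raw for m in MARKERS)]
    return {"entries": entries, "markers": markers}


# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1       localhost",
    "127.0.0.1   www.symantec.com",
    "127.0.0.1   sophos.com  www.sophos.com   # two names, one line",
    "127.0.0.1   WWW.Microsoft.com.",
    "10.1.2.3    intranet.example.test",
    "192.0.2.10  www.paypal.com",
    "(constructed banner) Based on HellBot3",
])

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for entry in report["entries"]:
        print("entry", entry)
    print("marker lines", report["markers"])
```

An entry for one of these domains that points somewhere other than loopback is reported as "overridden", since a redirect to a live address deserves the same attention as a block.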

Arrested Development
Several weeks and many Zotob variants and copycats later, and breaking news arrives stating:

“Moroccan authorities, working with the FBI, arrested Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker ‘Diabl0’. Arrested in Turkey was Atilla Ekici, aka ‘Coder’, age 21. Both individuals will be subject to local prosecutions, the FBI said.”

The news article goes on to state:

“According to a report on an Arabic news site, Essebar and Ekici allegedly used the information they stole from infected computers to facilitate a bankcard forgery scam”.

Just in case you didn’t already believe that the malware authors have generally moved to a ‘for-profit’ model, then this is yet more proof of the shift. It also shows that those who hire them are seasoned criminals, many of them now moving into cyber-space and welcoming the malware authors with open arms and fat wallets.

Further breaking news came on August 30th stating:

“The FBI today confirmed that Turkish law enforcement officials are investigating 16 more suspects in connection with the Zotob worm and its variants”.

So, we may yet see more arrests in relation to Zotob.

Infect Me Baby One More Time…
It has been suggested that well over 100 large companies were badly hit by Zotob. These include CNN, who seemed to be openly covering their own massive outbreak; very much an insider’s view of the problem. They seemed to think that the problem was world-wide and only cut back on their coverage when it transpired that it wasn’t a case of “TEOTWAWKI*” after all!

The New York Times and ABC News were also reported as suffering from a widespread infection of Zotob. One report also suggests that systems the U.S. Department of Homeland Security uses to screen airline passengers entering the United States were thought to have been temporarily disabled by the worm.
Other large multinationals allegedly infected included: UPS, General Electric, Caterpillar, the Canadian Imperial Bank of Commerce and BMO Nesbitt Burns.

Time Line**

  • August the 9th 2005: Microsoft releases six security patches as part of the scheduled black Tuesday patch release. These were MS05-038 to MS05-043. Four of the six released are rated as critical. Initial exploit code is written and released for two of the vulnerabilities: MS05-038 and MS05-041.
  • August the 11th 2005: Exploit code is written and released to take advantage of the vulnerability patched in MS05-039. This is the PnP [Plug and Play] vulnerability.
  • August the 12th 2005: Snort signatures are released to detect the exploits and code for another MS05-039 exploit is written and released.
  • August 14th 2005: A new worm based on Mytob code and containing exploit code as its attack vector is released and discovered by F-Secure, who imaginatively name it Zotob. The exploit code used in Zotob is from the ‘houseofdabus’ hacking group. Interestingly exploit code from the same group was used in the Sasser worm.
  • August 15th 2005: The source code for the widespread IRCbot family is updated to take advantage of the MS05-039 exploit. New variants of Zotob start to appear. Microsoft releases guidance and an encyclopaedia entry on Zotob. Snort signatures for detecting the binary as well as the IRC traffic are written and released. Most anti-virus products can now detect Zotob.A.
  • August 17th 2005: There are now seven variations of Zotob, one Rbot, one SDbot, one CodBot, three IRCbots and two Bozori variants using the PnP vulnerability. The Bozori and IRCbots are deleting other bots. Bot-wars have now begun!

Now there are at least fifteen variants of the Zotob worm, as well as several other worms which use this exploit as just one way of getting them onto target systems.

*The End Of The World As We Know It
**These are excerpts from a full timeline which can be found here: http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html



Monday 10th October, 2005


No, I haven’t fallen off the edge of the World….

Filed under: All, Malware, Papers

Or gone down with a virus!

Sorry for the lack of blog entries over the last month or so, but I’ve been writing a conference paper and creating a presentation for the Virus Bulletin international conference in Dublin, Ireland, last week.

Later this week I will be lecturing at the University of Warwick on malware and internet security.

I have also been asked to present at the upcoming EMEA SecureWorld conference to be held in Prague in November. In fact I will be presenting twice during that conference, and guess what I will be doing now that I’m back from VB2005? Yes, that’s right, creating the two presentations for SecureWorld!

I will also be submitting an abstract or two for next year’s EICAR conference to be held in Germany.

All of these above presentations and papers are extra work on top of my more usual workload.

Can anyone clone me?…..Oh alright, one of me is enough, or one too many ;-)

Normal service [once or twice a week postings] will be resumed as soon as I can find that elusive 25th hour in the day, or I decide to give up trying to get any sleep at all!

Now that the Virus Bulletin conference is over [and a good conference it was too] I can make the paper available, here’s a link to it: Bots and Botnets: Risks, issues and prevention.

The promised Zotob posting is coming soon, honest.


