MoMusings

Thursday 17th November, 2005


More Sony DRM Woes

Filed under: All, Malware

Sony seems to have jumped ‘out-of-the-frying-pan-and-into-the-fire’ with regard to the ‘rootkit-like’ technology they employed to help ‘protect’ their CD contents. Even though you had bought the right to use it, they revoked a number of your ‘normal’ fair-use rights when you installed their ‘player’ on your Windows system.

The latest news is as follows:

Sony have decided not only to cease the use of XCP [for now, while they review their ‘strategy’], they are also recalling ALL CDs that have XCP on them. It is believed that around 20 CD titles have been ‘protected’ with XCP.

It is also rumoured that customers who have bought CDs protected by XCP will be allowed to exchange them for a non-XCP version, although the details of how this would work have not been made clear at this time.

Shortly after my last posting on this subject, Microsoft decided to add detection for XCP into their anti-spyware tools, and SOPHOS released a free tool to detect and remove XCP, effectively removing the ‘rootkit’ stealthing functionality of Sony’s DRM solution.

However, it seems that Sony have yet to see an end to their woes due to the use of XCP; the malware that followed is now well understood, and is about as welcome as the XCP technology it uses to hide with. The latest ‘twist’ in this tale of woe, subterfuge and underhand DRM protection techniques is that the ‘un-installer’ that Sony offer also has security holes!

Here’s an extract from the latest from the BBC:

“Before now any customer wanting to rid their PC of XCP had to go through a several stage process of telling Sony what they wanted to do and then waiting for it to respond. As well as being criticised for its inconvenience security researchers found that the uninstaller left Windows machines vulnerable to several exploits. The XCP copy protection system only installed on machines running Windows.

Writing on the Freedom to Tinker blog, researchers J Alex Halderman and Ed Felten found that cleverly written webpages could exploit the programming code used to remove XCP to install their own potentially malicious programs.

The pair also provided tools that help people work out if their Windows machines have been left vulnerable in this way.”

They also cover some analysis work carried out by Dan Kaminsky:

…more than 500,000 networks have at least one machine on them using XCP and although the CDs containing XCP were only released in the US, Mr Kaminsky found that 44,000 copies were installed on machines in the UK.

Why all the fuss?
Well, the ActiveX uninstaller, after removing the ‘rootkit’ files, never gets removed itself. This ‘uninstaller’, known as ‘CodeSupport’ and created by the same people responsible for the ‘rootkit’ technology and XCP itself, First4Internet, can be used to inject new code into the system. Here’s an excerpt from the ‘Freedom to Tinker’ blog entry:

“CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.”

No sooner had I finished preparing this blog entry than I was made aware that there is already exploit code ‘in-the-wild’ which uses the ‘uninstaller’ as a means to install malicious software onto vulnerable systems [those that have used the ‘CodeSupport’ ActiveX uninstaller]. At least one malicious web page that employs this exploit code to install malicious software on vulnerable systems has been found so far.

If you want to know whether your system is vulnerable, visit the web page created by Princeton computer science professor Ed Felten and researcher Alex Halderman, which will test your computer and report whether it may be at risk as a result of running the uninstall tool.

Don’t bother visiting it if you have NOT used the uninstaller, or if you use Firefox/Mozilla, as the test will only work with Microsoft’s Internet Explorer.

Jeff Dwoskin and Alex Halderman have developed a simple tool that can be used to immunize a Windows system against the dangerous CodeSupport ActiveX control. Instructions on how to use the tool can be found here.
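For anyone who wants to understand what ‘immunizing’ against a scriptable ActiveX control involves, here is an added example [not the Princeton tool, and not code from Sony or First4Internet]. The standard Internet Explorer mechanism is the ‘kill bit’: the 0x400 bit of the ‘Compatibility Flags’ DWORD stored under the ActiveX Compatibility key for the control’s CLSID. Once set, IE refuses to instantiate the control, whether or not the DLL is still on disk. The CLSID in the block is a placeholder, because the post does not give CodeSupport’s real CLSID; read it off an affected machine [HKCR\CLSID, or the control’s own registration] before applying the generated .reg file.

```python
"""Kill-bit immunisation for a scriptable ActiveX control (added example).

Not the Princeton tool. The registry key and the 0x400 flag are Internet
Explorer's kill-bit mechanism; CODESUPPORT_CLSID is a PLACEHOLDER because
the post does not give the control's real CLSID.
"""
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit: never load this control in IE
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# PLACEHOLDER: replace with the CLSID read from HKCR\CLSID on an affected box.
CODESUPPORT_CLSID = "{00000000-0000-0000-0000-000000000000}"


def has_kill_bit(flags):
    """True if a 'Compatibility Flags' value already blocks the control."""
    return bool(flags & KILL_BIT)


def killbit_reg(clsid, existing_flags=0):
    """Return .reg text that sets the kill bit for clsid.

    existing_flags is the DWORD currently in the registry (0 if the key is
    absent); it is OR-ed in so that other compatibility flags already set
    for the control are not clobbered.
    """
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    flags = existing_flags | KILL_BIT
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{COMPAT_KEY}\\{clsid.upper()}]\r\n"
        f'"Compatibility Flags"=dword:{flags:08x}\r\n'
    )


if __name__ == "__main__":
    print(killbit_reg(CODESUPPORT_CLSID))
```

Import the output with regedit [or `reg import`] as an administrator, then re-run the Princeton test page: the control should no longer instantiate. The kill bit only affects Internet Explorer and anything else that honours the ActiveX Compatibility key; it does not delete the control’s DLL.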

Sony, it has emerged, is creating a new uninstaller. Let’s hope [for their sake] that this one has no security flaws; well we can dream…..



Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Wednesday 16th November, 2005


Outbreak of Soberness

Filed under: All, Malware

Yesterday a number of new Sober variants were spammed out, followed by further variants overnight. In all [so far] we have seen around 5 new Sober variants. The really interesting thing is that the Bavarian Police issued a warning on Monday evening about a new Sober variant run!

These new Sober variants appear to have been spammed via GMX.NET [via a stolen account] and also via Yahoo. All samples seen so far are in either English or German; Sober is a multilingual malware family.

So far, the variants we have seen have all been ZIP and EXE files in the range of 100-140KB in size.

Some of the ZIP/EXE file names I’ve seen [so far] include:

  • Exceltab-packed_list.exe
  • Liste.zip
  • Reg-List-Dat_Packer2.exe
  • reg_text.zip
  • Word-Text.zip
  • Word-Text_packedList.exe
  • Word-Text_packedList.zip
  • excel_table.zip
  • registration.zip
  • email_photo.zip
  • Accept_e-Text.zip
  • accept_emailtextdata.exe
  • packed-password_text.zip

However, the above may not be the only names used.

All of these infect the system when the attachment is unzipped and the file inside executed [or when the attachment itself is run, in the case of EXE attachments]. A false error message, “WinZip Self-Extractor. WinZip_Data_Module is missing Error”, is then shown [each variant may use a different false error message, see images]; by this point, however, the worm has installed itself in memory and added a call to its executable to the registry to ensure it gets loaded whenever Windows is started.

Next the worm searches the hard disk for e-mail addresses to use for both the From: address [forging the sender] and the To: address. Once it has sufficient addresses, the worm creates infected e-mails and uses its own SMTP [e-mail] engine to send them, in either English or German.

In the meantime [as not all Anti-Virus tools detect all the new variants yet], be VERY suspicious of any e-mail you get with a ZIP attachment and little or no text. Please be aware that in many cases the from address will have been spoofed. You have been warned!

All of the variants I have seen so far will only infect a system if you unzip the attachment and run the file inside [or run the attachment if it is an EXE file].

I’ll post more data when I have it.

Links:
http://www.f-secure.com/weblog/#00000708
http://www.f-secure.com/weblog/#00000706
http://www.sarc.com/avcenter/venc/data/w32.sober.s@mm.html
http://www.sarc.com/avcenter/venc/data/w32.sober.w@mm.html
http://www.sarc.com/avcenter/venc/data/w32.sober.t@mm.html
http://www.sarc.com/avcenter/venc/data/w32.sober.v@mm.html



Friday 11th November, 2005


More Sony ‘Rootkit’ Malware

Filed under: All, Malware

As mentioned yesterday, the first piece of malware that uses the so-called ‘rootkit’ technology that Sony install [without your knowledge, or approval] when you use one of their ‘Protected’ CDs in a Windows system, has been discovered.

However, it appears that this ‘malware’ was, after all, just very badly written: it failed to install itself on systems that already had the Sony ‘rootkit’ in place, which was rather ‘a silly mistake’ as it was supposed to use it to hide from anti-virus and other security software.

Systems that were not ‘rootkited’ by Sony could become infected, but after a reboot the malware couldn’t reload itself.

As speculated yesterday, these coding errors have now been fixed and three new variants have now been found which seem to work as the author intended.


It seems that we may well see more malware authors using this technique to hide from anti-virus. We may also see the Sony ‘rootkit’ being included in other malware, in much the same way that other rootkit code is increasingly being added to malware code-bases, or just as a component or plugin.

If Sony are currently unconcerned about the lawyers coming after them, due to disgruntled customers who have a ‘licenced’ version of their malware, just wait until ‘their’ technology is being installed and abused by malware authors who have ‘pirated’ their software. The lawyers are going to be the only ones that come out of this scenario ‘better off’.

Sony, have not only stepped over the line, they have effectively given the ‘bad guys’ a weapon to use against them, as well as the rest of the Windows computing World. No wonder many anti-virus products are ‘adding in detection’ for the Sony ‘rootkit’, they can see what is going to happen, and will deal with the legal issues later, if required.

Talking of ’suits’, the latest news is that six class-action lawsuits have now been started against Sony. The mis-use of their ‘rootkit’ technology by malware authors may well make the case against them stronger and harder for them to defend against.




Thursday 10th November, 2005


Sony, DRM and Malware, Oh My!

Filed under: All, Malware, Tools

I have been quiet [so far] on the subject of so-called ‘rootkit’ technology which Sony uses to hide/protect their DRM software which is shipped on all their ‘Protected’ music CDs.

However, things have now developed to a state where it may be useful to review what Sony have done, what they haven’t done and finally what other interesting things are taking place around the whole ‘rootkit’ debacle.

Back in April I blogged about what rootkits are and how, in a limited way they work. So, if you are unsure of what a ‘rootkit‘ is then take a look at that blog entry before you continue reading this one.

Back In Time:
A posting on the Sysinternals blog at the end of October 2005 by Mark Russinovich discussed something odd he discovered when testing out the latest version of his freeware tool known as ‘Rootkit Revealer’. This is a free tool to detect [reveal] rootkits on Windows systems.

This is what he saw after running his latest version of ‘Rootkit Revealer’:



He went on to say:

“Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.”

After much searching and analysing, he found out how it worked:

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described.

His conclusion is that this software is badly written and possibly dangerous in the way it works, as it can be easily used to hide other files and directories and may well cause Windows to crash [Blue Screen].

However, although Mark was the first to post about the so-called Sony ‘rootkit’, another security company was already on the case and coming to very similar conclusions, so much so that when they posted their data they were accused of plagiarism. Who were they? F-Secure, who are noted as researchers in rootkit technologies.

They explain how the ‘rootkit’ gets installed:

When you insert such a CD into a Windows-based PC, the record will display a license agreement and then it will seem to install song player software - while it really installs a rootkit on the system. Once the rootkit is there, there’s no direct way to uninstall it.

So, you have now been warned !

Suits You Sir!
The latest news [according to the BBC] is that Sony are facing at least three law suits.

This is what the BBC has to say on it:

Sony BMG is facing three lawsuits over its controversial anti-piracy software.

Revealed in late October by Windows expert Mark Russinovich, the software copy protection system hides using virus-like techniques.

One class-action lawsuit has already been filed in California and another is expected in New York.

Digital rights group, the Electronic Frontier Foundation (EFF), is also gathering information from users to see if a case can be brought.

Looks like Sony could be in for a very rough ride over this, and I think it serves them right; they have done something very underhand which may well be illegal in at least some countries.

Broken Laws:
Furthermore, it is believed that Sony may have breached ‘security’ laws in a number of countries, including the ‘Computer Misuse Act’ in the UK, as they didn’t disclose in the EULA [End User License Agreement] that they were installing ‘hidden’ software on the user’s Windows system which cannot be easily removed.

The technology which is causing all the ‘hand-wringing’ and much ‘gnashing-of-teeth’ is known as XCP and was developed by a UK company called First 4 Internet. Sony claims that it has been using XCP for months and had not had any complaints, until now!

Broken Windows:
The DRM technology binds in at such a low level that it can make Windows less stable than it was before the software was installed. Part of the reason for this is that the ‘cloaking’ technology used by Sony acts like a ‘filter’, hiding files and directories whose names start with ‘$sys$’ from the operating system and from any software, including anti-virus, that runs on that operating system using ‘normal’ Windows calls.
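Two quick checks follow from this, shown here as an added example in Python [not code from the original post, Sysinternals or F-Secure]: the canary test Mark Russinovich describes [create a file whose name starts with ‘$sys$’ and see whether a normal directory listing still shows it], and the cross-view comparison that tools like Rootkit Revealer are built on [take the directory listing through the normal API, take it again through an independent path such as a raw volume parse or an offline mount, and report the difference]. The sample listings in the block are constructed; the low-level view is something your own scanner supplies, which this example does not implement.

```python
"""Two checks for $sys$-style cloaking (added example, not from the post,
Sysinternals or F-Secure).

canary_test(): Mark Russinovich's experiment. A file whose name starts with
"$sys$" should still appear in a normal directory listing; if it vanishes,
a filter like the XCP driver is hooking the file-enumeration calls.

discrepancies(): the cross-view idea behind Rootkit Revealer. Compare what
the normal API reports with an independent view of the same directory and
report what only one side sees.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix the XCP/Aries driver hides, per the post


def canary_test(directory=None):
    """Create a $sys$-prefixed file and return True if the normal directory
    API still lists it, i.e. no prefix cloaking is active. On a clean
    machine this returns True."""
    made_dir = directory is None
    if made_dir:
        directory = tempfile.mkdtemp(prefix="cloak-canary-")
    name = CLOAK_PREFIX + "canary.tmp"
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("canary")
    try:
        return name in os.listdir(directory)
    finally:
        try:
            os.remove(path)
        except OSError:
            pass  # a cloaking driver may hide the file from delete as well
        if made_dir:
            try:
                os.rmdir(directory)
            except OSError:
                pass


def discrepancies(api_view, raw_view):
    """Compare two listings of the same directory.

    Returns (hidden, phantom): names only the low-level view sees (cloaked
    from the API) and names only the API sees (faked entries)."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def by_prefix(names, prefix=CLOAK_PREFIX):
    """Names the XCP filter would cloak by its prefix rule alone
    (case-insensitive, as Windows file names are)."""
    return sorted(n for n in names if n.lower().startswith(prefix.lower()))


if __name__ == "__main__":
    print("canary visible:", canary_test())
    # Constructed sample listings, not real XCP file names.
    api = ["drivers", "ntoskrnl.exe", "player.exe"]
    raw = api + ["$sys$filter.sys", "$sys$service.exe"]
    hidden, phantom = discrepancies(api, raw)
    print("hidden from API:", hidden, "phantom:", phantom)
    print("by prefix rule:", by_prefix(raw))
```

The canary test is cheap but only catches the indiscriminate prefix rule Mark describes; a driver that cloaks specific names would pass it, which is why the cross-view diff is the check that scales. Run the low-level side from a boot CD or an offline mount if you do not trust anything on the running system.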

For all you Mac and *NIX users out there, the good news is that XCP doesn’t work on platforms other than Windows.

Malware:
There have already been several stories claiming that ‘malware authors’ are looking at using the ‘cloaking’ technology that Sony use in their DRM software to ‘cloak’ their ‘malware’. Details below:

Trojan using Sony ‘cloaking’ technology.
Just today, a new Trojan has been found which was being sent via e-mail [spammed] which tries to use the Sony ‘rootkit’ to hide itself on an infected system.

The spammed e-mail arrives with the following characteristics:

  • Subject: Requesting Photo Approval
  • Name: Article+Photos.exe or article_december_3621.exe [There may well be other file names used]
  • Size: 10240 Bytes [This file is UPX packed]
  • Body:
    Hello,

    Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.

    Kind regards,
    Jamie Andrews
    Editor
    www.TotalBusiness.co.uk
    **********************************************
    The Professional Development Institute
    **********************************************

F-Secure have just added a blog entry on this, which states:

Luckily, the bot has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error. In any case, this is a very good example of why software should not use rootkit hiding techniques.

Once installed and active, it connects to an IRC server and joins a specific channel and from then on acts as a bot, waiting for orders to carry out.

The following IRC servers and ports are used by Breplibot.b:

  • 68.101.14.76:8080
  • 24.210.44.45:8080
  • 67.171.67.190:8080
  • 35.10.203.93:8080
  • 152.7.24.186:8080

Here’s a link to their description of it [Breplibot.b]. Expect more malware to start using this method of hiding.
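The server list above is exactly the kind of indicator a network defender wants to sweep firewall or proxy logs for. The Python below is an added example [not from the post or F-Secure] that matches outbound connections against the Breplibot.b address/port pairs listed above. The log line format and the internal addresses are constructed for the example; adapt the regular expression to your own log format. Note that the port is part of the match: a host reaching one of those addresses on port 80 is not the same signal as IRC on 8080. These 2005-era addresses are historical and will long since have been reassigned, so treat the list as the shape of the check rather than a live blocklist.

```python
"""Sweep connection logs for Breplibot.b IRC C2 servers (added example).

The indicator set comes from the post; the log format below is a
simplified "timestamp src:port -> dst:port proto" layout assumed for the
example, and every log line is constructed.
"""
import re
from collections import Counter

# IRC servers and ports used by Breplibot.b, as listed in the post.
BREPLIBOT_C2 = {
    ("68.101.14.76", 8080),
    ("24.210.44.45", 8080),
    ("67.171.67.190", 8080),
    ("35.10.203.93", 8080),
    ("152.7.24.186", 8080),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_connections(lines, indicators=BREPLIBOT_C2):
    """Return (hits, hosts): the parsed records whose destination address
    and port are in the indicator set, and a Counter of internal source
    addresses by number of C2 connections, i.e. the machines to isolate."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["dst"], rec["dport"]) in indicators:
            hits.append(rec)
    return hits, Counter(r["src"] for r in hits)


# Constructed sample log; 10.0.0.x addresses are made-up internal hosts.
SAMPLE_LOG = """\
2005-11-10 09:14:02 10.0.0.17:3312 -> 68.101.14.76:8080 tcp
2005-11-10 09:14:03 10.0.0.17:3313 -> 10.0.0.1:53 udp
2005-11-10 09:15:40 10.0.0.42:1055 -> 152.7.24.186:8080 tcp
2005-11-10 09:15:41 10.0.0.42:1056 -> 152.7.24.186:80 tcp
2005-11-10 09:16:00 10.0.0.17:3320 -> 24.210.44.45:8080 tcp
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    hits, hosts = find_c2_connections(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']} ({r['proto']})")
    print("hosts to isolate:", hosts.most_common())
```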

It seems that this new malware won’t be very viable as the author has made a number of coding errors, expect the ‘c’ and other variants shortly, which may [or not] be more viable! As the current variant stands; it can only install itself if the Sony DRM is NOT installed and it will not be able to reload itself after the system has been restarted.

Is it possible that this was written so badly just to keep up the pressure and media interest in Sony’s so-called ‘rootkit’, or is it [more likely] a case of an inept programmer?

Game ‘cheat tools’ using Sony ‘cloaking’ technology.
There has been a significant amount of discussion on some sites interested in World of Warcraft about using the Sony ‘rootkit’ technology to hide ‘cheat tools’ from the World of Warcraft software which has anti-cheat routines built in to it. More details can be found here: http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/

Many on these boards believe that using the Sony ‘rootkit’ will allow these cheat tools to become invisible to the WoW software’s anti-cheat functions.

Rootkit, Stealth, Spyware or Cloak?
Although traditional ‘Rootkits’ often hid their files and presence on a compromised system, the whole reason they were called ‘rootkits’ was because their main purpose was to gain full access to the operating system; in *NIX speak ‘root’ or for windows users out there: ‘Administrator’. Either way it was all about getting ‘full’ access via privilege escalation, hiding was secondary.

So, taking that view, is Sony’s DRM technology a ‘rootkit’? In my opinion it is more akin to the ‘Stealth’ or ‘Cloaking’ technology which we saw in the early days of DOS viruses. Some may also claim that it should be labelled as ‘Spyware’, but it doesn’t ‘Spy’ [as such], so it shouldn’t be classified as that either.

So, what should it be classified as?

Links:
http://www.viruslist.com/en/weblog?weblogid=173255368
http://www.f-secure.com/weblog/#00000695
http://www.f-secure.com/weblog/#00000696



Tuesday 8th November, 2005


October 2005 Review

Filed under: All, Malware, Stats

October has come and gone, the clocks have been set back to GMT from British Summer Time [BST] and another interesting and busy month, on the malware front at least, it has been.

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for October.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky [Virus Top Twenty]
  • SOPHOS [Top ten viruses and hoaxes]
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an aDSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 4484 samples during October, which have been catalogued as 78 distinct families and variants. In comparison, during September 2005 I captured a measly 2711 samples [below average for this year], which were catalogued as 103 distinct families/variants. As you can see, October was significantly busier than September. As a guide, an average month’s captures for 2005 is around 3,000 samples.

During October I captured and submitted 16 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



Mytob.u [McAfee] was the sample with the highest number of captures [accounting for over 23 percent of all captured files]. As usual there are a number of Mytob variants in the top 10 [u, BH, gen, HU, LQ and ch]. The Mydoom family has managed to claw its way back into the top 10 after a short absence [2 in fact; f and bb]. Netsky.p@MM [McAfee] has once more managed to get back into the top 10 and has in the process pushed out a number of bots and droppers that appeared in last month’s top 10.

It seems that this has been a ‘better’ month for Mytob as the numbers of variants captured is up significantly. I speculated last month that Mytob production may be seriously impacted due to recent arrests; however it seems clear now that the arrests of the alleged Zotob/Mytob authors caused only a minor downturn in its development. This was discussed in detail in last month’s review. This resurgence in Mytob development can be mainly linked to the fact that the source code is widely available; this means that anyone can easily produce a new variant.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month is dominated by Mytob.c, Doombot.b [most other vendors have included this as a member of the Mytob family] and Zafi.d. Between them these three malware variants account for almost a third of all samples reported to Kaspersky. The rest of the chart is made up of more Mytobs [bi, bk and t], two Netsky variants [q and b], another Doombot [d] and Lovgate.w.

In the SOPHOS chart we see a different pattern, with Netsky.p [still] the leader of the pack and 4 Mytob variants [GH, EX, AS and BE] hot on its heels. Just like in the data from Kaspersky we have Zafi.D, and the B variant too. The rest of the chart is taken up by yet more Mytob variants and Netsky.D.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up by Mytob, accounting for over 64 percent of all samples caught. This pushed last month’s leader [Tenga] down into the runner-up spot.

The resurgence of the Mytob family this month has managed to regain some of the ground lost during September but they are still short of the August high-point where they dominated the chart taking over 81 percent.

The Sdbot family has lost around half of its share over the last month accounting for a mere 6 percent of all captured samples. The new entry this month is the Spybot family, and we also saw Bagle make a small comeback, just stealing tenth place to make it back into the chart.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of October] here. This clearly shows that October was significantly busier than September, so it seems that September was a blip, and we may well be seeing an early start to the usual Christmas rush [as far as e-mail based malware was concerned].

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 155,802 [as at the end of October 2005]. That’s a growth of 43,364 so far this year! Last year in total we saw 28,327 new malware strains, so we have already eclipsed last year.

Looks like we could see 60,000 new malware strains by the end of the year, which is significantly more than I expected when I started the year with my first estimate!

What’s New?

Zotob Article
As mentioned in the September review, I have written an article on Zotob for the Virus Bulletin magazine which appears in the October 2005 edition. The complete article is now available to non-Virus Bulletin subscribers [with the kind permission of Virus Bulletin]. The article can be downloaded as a PDF [Adobe Acrobat] file from here: http://arachnid.homeip.net/papers/

Bots and Botnets
In the September review I mentioned that I would cover ‘bots and botnets’, and true to my word I will, however I will not cover it here. Why? Well bots and botnets are a very large subject and require significant space to do the subject any real justice. So, I have written a paper on the subject instead.
The paper was actually written for and presented at the Virus Bulletin 2005 international conference in Dublin, Ireland which was held between the 5th and 7th of October.

If you wish to read the paper it can be found here [ http://arachnid.homeip.net/papers/ ], along with other papers and articles that I have had published and presented at conferences.

On the subject of ‘Bots and Botnets’: in October the Dutch police arrested 3 people on suspicion that they were running a large botnet. At the time it was believed that the botnet was around 100,000 systems in size; however, it was later reported as being 1.5 million strong! This, if true, is by far the largest botnet we have seen.

More details can be found here: http://informationweek.com/story/showArticle.jhtml?articleID=171204550 and here: http://www.internetweek.com/172303221

Two new bot families appeared in October, these being: Fanbot and Doombot.

Doombot is an interesting case as most vendors [apart from Kaspersky] have classified them as Mytob variants. This is what Kaspersky has to say on their reasoning for the new name:

Doombot.d. This worm was originally classified as Mytob.dc. However, it contains the trademark string ‘H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H’ which is only found in Doombots. This led to us reclassifying the worm. Such borderline cases, where similar functionality and basic program structure is present in a range of worm bots, cause classification headaches.

It also appears that the authors of Doombot and Fanbot are having their own little bot-war. This is shown by the following text included in Fanbot:
HellBot3 have BackDoor in ‘HellMsn.h’. The HellBot3 author is an idiot!!! [Phantom] 2005 Made By Evil[xiaou]. Greetz to good friend x140d4n. Based On sdbot&&mydoom.

Hellbot3 is the ‘project’ name for what Kaspersky call the Doombot family.

With Fanbot the situation with regard to naming is even more bizarre; with disparate vendors claiming it belongs to the following families:

  • Sdbot
  • Mytob
  • Mydoom
  • Fanbot

CME
On the subject of ‘malware naming’ which as you can see from the above is still a mess, Mitre announced the launch of their ’solution’ to the problem, known as CME which is the three-letter-acronym for Common Malware Enumeration.

Here is a short description from the site [ http://cme.mitre.org/ ]:

CME provides single, common identifiers to new virus threats to reduce public confusions during malware outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware.

They go on to state:

Through CME’s neutral, shared identification method, the CME initiative seeks to:
* Reduce the public’s confusion in referencing threats during malware incidents.
* Enhance communication between anti-virus vendors.
* Improve communication and information sharing between anti-virus vendors and the rest of the information security community.

So, what this means is that, as well as the current mess that is malware naming, we will also have another name [a CME ID] for any new malware that causes an outbreak. Note that CME IDs will not be given to all malware, only to new malware which is causing an outbreak. Confused? You will be.

On the plus side, it will allow malware which is given a CME ID to be easily cross-referenced no matter which vendor malware name is used. However, this depends on the vendors participating in CME and also including CME IDs in their published descriptions.

Conclusions:
Well, as you can see the Mytob world domination plan is back on course, as Mytob has taken back the number one position from the young pretender that usurped it in September [Tenga] in both the individual variant table and the family table too. So, it is a clean sweep for Mytob.

Links:
Virus Top Twenty for October 2005 [Kaspersky]
Top ten viruses and hoaxes for October 2005 [Sophos]



Wednesday 2nd November, 2005


Piles of Beagle droppings….I mean droppers!

Filed under: All, Malware

Late yesterday afternoon we saw numerous deposits of a number of new Beagle [the malware mutt] aka Bagle aka Mitglieder droppers, and this has been followed up by a further clutch of droppers today. In all [so far] we have seen around 8-12 new droppers.

These appear to have been seeded and spammed via bot infected systems [so-called Zombies] which wait for instructions from their new master(s) who control the network of infected systems. These botnets can range in size from a few thousand to over 1.5 million systems in size.

So far, the beagle droppers we have seen have all been ZIP files in the range of 7-15KB in size.

Some of the ZIP file names I’ve seen include:

  • max.zip
  • sms_text.zip
  • The_new_prices.zip
  • Health_and_Knowledge.zip
  • Text_sms.zip
  • Business_dealing.zip
  • Business.zip
  • Info_prices.zip

However, the above may not be the only names used.

All of these, once the attachment is unzipped and the file inside executed, install themselves in memory, add a call to the executable to the registry, and attempt to download further malware from a list of sites contained in the dropper’s code. These new Beagle variants do not mass-mail or have any code to allow them to spread on their own; they are self-contained Trojans which download further functionality via the web.

To add further fuel to the fire, the Mytob authors are back at work and we have seen a number of new variants in the last 24 hours.

In the meantime [as not all Anti-Virus tools detect all the new variants yet], be VERY suspicious of any e-mail you get with a ZIP attachment and little or no text. Please be aware that in many cases the from address will have been spoofed. You have been warned!

All of the variants I have seen so far will only infect a system if you unzip the attachment and run the file inside.
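Both this post and the Sober post above [Wednesday 16th November] describe the same gateway-level pattern: a ZIP or EXE attachment, a short list of lure file names, little or no body text, and infection only if the file inside is run. The Python below is an added example [not code from either post or from any vendor] that triages a message on exactly those signals: it checks the attachment name against the two name lists from the posts, opens a ZIP attachment in memory to see whether it carries an executable [by extension or by the MZ header], flags bare executables, and notes a near-empty body. The messages and the ZIP it tests against are constructed in memory, and the From: address is made up; as the posts say, the real ones are spoofed anyway.

```python
"""Gateway triage for the Sober/Beagle lure pattern (added example, not
from the posts or any vendor). The sample messages and the ZIP they carry
are constructed in memory.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names listed in the Sober and Beagle posts (lower-cased).
SOBER_NAMES = {n.lower() for n in (
    "Exceltab-packed_list.exe", "Liste.zip", "Reg-List-Dat_Packer2.exe",
    "reg_text.zip", "Word-Text.zip", "Word-Text_packedList.exe",
    "Word-Text_packedList.zip", "excel_table.zip", "registration.zip",
    "email_photo.zip", "Accept_e-Text.zip", "accept_emailtextdata.exe",
    "packed-password_text.zip")}
BEAGLE_NAMES = {n.lower() for n in (
    "max.zip", "sms_text.zip", "The_new_prices.zip", "Health_and_Knowledge.zip",
    "Text_sms.zip", "Business_dealing.zip", "Business.zip", "Info_prices.zip")}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MIN_BODY_CHARS = 40  # below this, "little or no text" in the posts' sense


def zip_executables(data):
    """Member names that look executable, by extension or by MZ header.
    Returns None if data is not a valid ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            found = []
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    magic = member.read(2)  # header only, never the whole member
                if info.filename.lower().endswith(EXEC_EXT) or magic == b"MZ":
                    found.append(info.filename)
            return found
    except zipfile.BadZipFile:
        return None


def triage(raw_message):
    """Return the reasons the message matches the pattern; [] if clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    reasons, attachments = [], 0
    for part in msg.iter_attachments():
        attachments += 1
        name = (part.get_filename() or "").strip()
        low = name.lower()
        data = part.get_payload(decode=True) or b""
        if low in SOBER_NAMES:
            reasons.append(f"{name}: known Sober lure name")
        elif low in BEAGLE_NAMES:
            reasons.append(f"{name}: known Beagle dropper name")
        if low.endswith(".zip"):
            execs = zip_executables(data)
            if execs is None:
                reasons.append(f"{name}: .zip attachment is not a valid ZIP")
            elif execs:
                reasons.append(f"{name}: executable inside ZIP: {', '.join(execs)}")
        elif low.endswith(EXEC_EXT):
            reasons.append(f"{name}: bare executable attachment")
    if attachments and len(text) < MIN_BODY_CHARS:
        reasons.append("little or no body text")
    return reasons


def build_sample(attachment_name, payload, body_text=""):
    """Constructed test message; addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "you@example.net"
    msg["Subject"] = "Registration"
    msg.set_content(body_text)
    subtype = "zip" if attachment_name.lower().endswith(".zip") else "octet-stream"
    msg.add_attachment(payload, maintype="application", subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def zip_with_exe(inner_name="registration.exe"):
    """Constructed ZIP holding a fake PE (MZ header and padding only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample("registration.zip", zip_with_exe())))
    print(triage(build_sample("notes.pdf", b"%PDF-1.4 constructed",
                              "Hi, here are the meeting notes we discussed on the call.")))
```

Treat a hit as ‘quarantine and look’, not ‘delete’: the name lists are only what has been seen so far, so the ZIP-contains-executable and empty-body checks are the ones that keep working when the next variant changes its file names.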

I’ll post more data when I have it.

Links:
http://www.sophos.com/virusinfo/analyses/trojbagledly.html
http://www.f-secure.com/weblog/#00000692
http://www.viruslist.com/en/weblog?weblogid=173211243
http://www.viruslist.com/en/weblog?weblogid=173244305


