MoMusings

Saturday 31st December, 2005


WMF, IM Out To Get You!

Filed under: All, Malware, Exploits

Further disclosures on the WMF vulnerability and the increasing use of the exploit by malware; this just in from Kaspersky:

We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to “http://[snip]/xmas-2006 FUNNY.jpg”.
This may well turn out to become a local epidemic (in NL), however so far it has not become big. (Not even 1000 bots at this moment)

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.

So, another of my predictions contained in my original posting of the WMF problem was spot on. Be very suspicious of instant messages that contain links, even, and let me make this very clear, even if they come from someone you know, as many IM worms will send such links to everyone on the infected system’s buddy list.

More Mitigation Solutions:
As suggested by some of the ‘wags’ out there, you can use Linux, FreeBSD or any other *NIX based system as a solution as they are not vulnerable to this exploit or the malware that is using it. The same goes for Mac OSX [which is based on BSD]. But you already knew that, didn’t you? ;-)

Another option, for the brave, paranoid or those that like to visit the greyer areas of the ‘net, is described on the F-Secure lab weblog:

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

The fix is available here: http://www.hexblog.com/2005/12/wmf_vuln.html

It appears that the problem [vulnerability] may not be limited to or ‘rooted’ in ‘shimgvw.dll’ as suggested by Microsoft, as according to some sources you can still get infected even if this is unregistered and even if the file is deleted.

If you look at the data from F-Secure on the fix offered by Ilfak you will see that this patches ‘gdi32.dll’, not ‘shimgvw.dll’... the plot thickens!

And on that note, as this is probably my last post of 2005, I would like to wish you all a very happy new year!


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Friday 30th December, 2005


Lotus Notes Vulnerable to WMF Exploit…

Filed under: All, Malware, Exploits

Yesterday I covered this exploit in some detail [see Microsoft WMF 0-Day Exploit Roundup]; what it affects and how to mitigate the problem until Microsoft release a patch for it.

However, as things have developed, more data and findings have been released since then. The most worrying, in the eyes of many companies, is the discovery that Lotus Notes version 6.x and later is also vulnerable to this exploit.

I know, you are all going to say “Not after you’ve unregistered the Windows Picture and Fax Viewer, that will stop it, right?“, well that should be the case, but as usual in the ‘Real World [TM]‘ this is, sadly, not the case.


So, the upshot of this is that the bad guys can use this to infect Lotus Notes users by just sending them an e-mail [as predicted yesterday] with a malicious WMF file attached [even if it is disguised as another file format, such as a jpeg or gif file].

Simply viewing or opening the ‘bogus’ graphic attachment will cause the embedded exploit code to run - game over! - Pack up and go home, your Windows system is no longer yours, it belongs to the bad guys.

The good news is that the ‘bogus’ graphic file can only be an attachment, not an inline image, as it isn’t a real image file.

This was reported by John Herron from NIST. Here is a link to the posting on this discovery: http://www.nist.org/nist_plugins/content/content.php?content.25

IBM is aware of this issue so expect an advisory soon!

If you want to reclaim your system, you currently will have a long battle as lots of different malware is being installed via this exploit; spyware, adware, trojans, keyloggers [yes, the Phishing crews are now using this, as I predicted] and pretty much anything they wish to install on your exploited system.

So, you’ll need up-to-date anti-virus, anti-adware/spyware and anti-rootkit tools for starters [not forgetting backups and your original media disks], but which ones to use? You do know that there are many ‘bogus’ anti-spyware tools out there that are actually spyware, don’t you?

Fear not, dear reader! I have a cunning plan. I have a web page which lists good tools from reputable vendors [many are FREE] - You can find this list here: http://arachnid.homeip.net/free.htm

Suggested workarounds, at this time include:

  1. Filter all common picture file extensions at the network perimeter.
  2. Remove [strip] all picture attachments from e-mail at the server level.
  3. Anyone receiving graphic file attachments from UNTRUSTED sources should NOT open or view them.
  4. Anyone receiving graphic file attachments from TRUSTED sources should verify with the alleged sender that they actually sent them, before they open or view them.

Expect other products to be reported as vulnerable from many vendors over the next few weeks, it’s going to be a bumpy ride, hang on tight!



Thursday 29th December, 2005


Microsoft WMF 0-Day Exploit Roundup

Filed under: All, Malware, Exploits

It appears that the malware authors have been busy coming up with an unexpected ‘Christmas Gift’ for all the Windows users in the World; in this case simply browsing an infected website will run the exploit code and allow the ‘bad-guys’ to install malware onto the compromised system without the assistance or knowledge of the victim.

Yes, you read that correctly, just BROWSING a site which contains a malicious WMF file will infect your Windows system.

Although this exploit works invisibly on ‘Fully Patched’ Windows systems [including Windows XP SP2] using Internet Explorer, all the Mozilla/Firefox users out there are also vulnerable, although the malicious image requires some help to infect via Mozilla/Firefox.

On Mozilla/Firefox you may see a message asking you to open the WMF file in ‘Windows Picture and Fax Viewer’. Don’t do it, as your system will be exploited and malware will probably end up being installed on your system as a result of allowing the WMF file to be viewed. You can also get infected by downloading the MALICIOUS WMF and then simply clicking on or opening the file in explorer, or by just browsing the directory that contains the malicious WMF file via explorer!

This is a zero-day exploit which can be used to execute code on a vulnerable machine at the same level of system rights as the user currently logged in. There is currently NO PATCH available from Microsoft [at the time of writing this].

The exploit works by using a specially crafted SETABORTPROC [escape] record in a malicious WMF file. This allows arbitrary code to be called via a user-defined function: the ‘escape’ record is triggered when rendering of the file fails.

So far we have seen this exploit being used to install Spyware and trojans [such as backdoors and droppers]. However, it is expected that this will include bots shortly.

What is WMF?

WMF is the Windows Metafile image format, which is usually rendered via the Windows Picture and Fax Viewer. The rendering engine [shimgvw.dll] is also used to create thumbnails when you browse a directory that contains graphics files. Any users of ‘Google Desktop’ should be aware that it uses this engine when indexing files, and therefore may be responsible for infecting a system that contains a ‘malicious WMF’ file.

Please be aware that the malicious WMF file may not have a .wmf file extension, as Windows can correctly identify a disguised WMF file from its internal structure; the so-called ‘magic-bytes’. So, we will almost certainly see malicious WMF files disguised as .gif, .jpg, .jpe, .jpeg, .bmp, .dib, .rle, .emf, .ico, .tif and .tiff [there may well be others used too].
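The two points above, the SETABORTPROC escape record and the fact that a WMF is recognised by its content rather than its extension, are what a mail or perimeter filter has to check. The following Python is an added example, not code from this blog or from any vendor: it identifies a WMF by its header whatever the file is called, then walks the record list looking for a META_ESCAPE record whose escape function is SETABORTPROC. The record layout and constants are taken from Microsoft's published WMF format description; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Constants from Microsoft's published WMF format description.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # optional 22-byte "placeable" pre-header
META_EOF = 0x0000                        # record function: end of metafile
META_SETMAPMODE = 0x0103                 # an ordinary drawing-state record
META_ESCAPE = 0x0626                     # record function: printer escape
SETABORTPROC = 0x0009                    # escape function number


def wmf_header_offset(data):
    """Return the offset of the 18-byte WMF header, or None if not a WMF."""
    off = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory, 2 = disk; header is always 9 words; two known versions.
    if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data):
    """Return 'not-wmf', 'wmf', 'wmf-setabortproc' or 'wmf-malformed'."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    pos = off + 18
    while pos + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, then 16-bit function code.
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:               # smaller than its own header: bogus
            return "wmf-malformed"
        if func == META_EOF:
            return "wmf"
        if func == META_ESCAPE and pos + 8 <= len(data):
            (escape_fn,) = struct.unpack_from("<H", data, pos + 6)
            if escape_fn == SETABORTPROC:
                return "wmf-setabortproc"
        pos += size_words * 2
    # Ran off the end without META_EOF: treat as suspicious, not as clean.
    return "wmf-malformed"


def triage(filename, data):
    """Return (verdict, disguised); disguised = WMF content, non-.wmf name."""
    verdict = scan_wmf(data)
    disguised = verdict != "not-wmf" and not filename.lower().endswith(".wmf")
    return verdict, disguised


# --- Constructed sample inputs (built here, not captured files) ---
def record(func, params=b""):
    """Build one WMF record with the size field filled in."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Build a minimal in-memory WMF: header, given records, META_EOF."""
    body = b"".join(records) + record(META_EOF)
    largest = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         9 + len(body) // 2, 0, largest, 0)
    return header + body


BENIGN = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8))])
# Escape record with SETABORTPROC and four zero bytes of inert filler data.
FLAGGED = build_wmf([record(META_ESCAPE,
                            struct.pack("<HH", SETABORTPROC, 4) + bytes(4))])
JPEG = b"\xff\xd8\xff\xe0" + bytes(20)   # JPEG-style start, not a WMF

if __name__ == "__main__":
    for name, blob in [("drawing.wmf", BENIGN),
                       ("holiday-card.jpg", FLAGGED),
                       ("photo.jpg", JPEG)]:
        print(name, triage(name, blob))
```

A filter built on this would quarantine both `wmf-setabortproc` and `wmf-malformed`, and treat any file flagged as disguised as suspect regardless of the verdict.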

How do I protect myself?

  1. Make sure your anti-virus is updated regularly; at least once a day.
  2. Keep a close eye on your personal firewall; be especially suspicious of new programs/files asking to connect to the internet after visiting an untrusted site.
  3. Use Firefox or Mozilla web browser instead of Internet Explorer as this offers some protection; you’ll at least be warned.
  4. If you must use Internet Explorer, set the security level to High, which allegedly will stop automatic exploitation via a malicious WMF.
  5. Do not go to untrusted URLs [websites] even if they are sent to you via e-mail or instant messaging from someone you know; this may well be the next method to be used to get users to infect their Windows computers.
  6. It is strongly suggested that you unregister the offending DLL from the registry as this will stop you becoming infected via a browser or explorer.
  7. For administrators/security staff there are SNORT signatures available from Bleedingsnort.
  8. For administrators/security staff you can also block the currently known web sites that are hosting the malicious WMF files.

It is expected that we will see e-mail worms using this exploit very soon; other malware using other distribution methods may well follow within the next 5-7 days.

Unregistering the Windows Picture and Fax Viewer
Do not do this on a computer that you are not responsible for, such as a work computer. If in doubt check with your support/security staff first.

Click ‘Start‘, then ‘Run‘ and type the following ‘regsvr32 -u %windir%\system32\shimgvw.dll‘ (without the single quotes), and then click ‘OK‘.

This will stop the Windows Picture and Fax Viewer from being run when a registered extension is double-clicked, and will also disable the thumbnail function in associated programs as well as in explorer.

Re-registering the Windows Picture and Fax Viewer
Click ‘Start‘, then ‘Run‘ and type the following ‘regsvr32 %windir%\system32\shimgvw.dll‘ (without the single quotes), and then click ‘OK‘.

More information can be found from the links offered below:

The bottom line is that ANYTHING can be installed onto a vulnerable system using this exploit!

I would not be surprised if the Phishers started to use this to steal confidential data or install a keylogger.

Meanwhile all the *NIX and Mac users can sit smugly on the sidelines watching Windows users in headless-chicken mode once again ;-)



Friday 16th December, 2005


Just NINE More Scamming Days Until Christmas!

Filed under: All, Scams

I mentioned a while ago that some of the 419 scams I had seen recently had become quite ‘professional-looking’, as if the 419ers had taken a leaf out of the Phishers’ book. This is especially true of the so-called ‘Lottery‘ variants.

The ‘Lottery’ variant of the 419 Advanced Fee Fraud has been around for about two years now and was a major shift in the 419ers’ method of enticement. What usually happens is that you receive an e-mail stating that you have won a sum of money. Hang on, don’t get too excited, as it is a scam: there is no money, and you will end up being fleeced as you will be informed that you need to pay a ‘handling or administrative fee’.

To illustrate this, I have taken a number of screenshots of them, and I have included two screenshots below:




Here are links to larger versions, for those of you that can’t read them:
http://arachnid.homeip.net/images/419-lottery1.jpg
http://arachnid.homeip.net/images/419-lottery2.jpg

If I received all the alleged winnings from all the copies of the Lottery scams I get each day, then I’d now be richer than Bill Gates ;-)

In fact, by now I should own most of the planet, so you all owe me rent, come on pay up!

As I’m in a ‘festive’ frame of mind, and just for a bit of fun, here’s a modified version of the last verse of ‘The Twelve Days of Christmas‘, Please feel free to sing along, yes and that means you in the back - stop hiding I can see you:

On the twelfth day of Christmas,
my true love sent to me
Twelve phishers phishing,
Eleven carders carding,
Ten data stealers,
Nine e-mail worms,
Eight pirates a-pirating,
Seven spammers spamming,
Six password stealers,
Five 419 scams,
Four new exploits,
Three bot-nets,
Two Trojan horses,
And a scam from e-Bay!

And if anyone can do better, and I’m sure you can, then please post them as comments. The same goes for any other Christmas carol you feel you can be creative with; the only rule is you must use computer security and malware terms.

Links to other screenshots:



Thursday 15th December, 2005


November 2005 Malware Review

Filed under: All, Malware, Stats

November has come and gone, and it has been another interesting and busy month, on the malware front at least. We saw the return of Sober; but more on that later!

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for November.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time; WormCharmer 3 years, Malware Bayesian Filter 2 years.

In total I captured 2489 samples during November, which have been catalogued as 59 distinct families and variants. In comparison during October 2005 I captured 4484 samples [above average for this year] which were catalogued as 78 distinct families/variants. As you can see November was slightly below the average malware haul for 2005 and is almost 2,000 captured samples less than October. As a guide, an average month’s captures for 2005 is around 3,000 samples.

During November I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
The low haul in November is partly due to an apparent drop-off in new samples being spread via SMB [Windows shares], the relatively low impact of the latest Sober strains [via E-mail], and last but not least, I was presenting at a conference, which meant that it was difficult for me to process any new samples that were captured while I was out of the country.

During November I reported 15 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar, which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] stormed back into pole position during November, stealing the crown back from last month’s winner; W32/Mytob.u@MM [McAfee]. Tenga accounted for over 38 percent of all captured files during November. Although the Mytobs were ejected from pole position they are still making their presence felt; 6 Mytob variants appear in the top 10 [LY, AT, NA, IC, BH and AA] which accounts for a massive 34 percent of all samples captured during November. The Sober family has reappeared in the top 10 after a noticeable absence; in this case it is W32/Sober.Z@mm [Frisk].

The reappearance of Sober during November caused a certain amount of concern as this family has been responsible for a number of serious outbreaks. However, in the case of W32.Sober.Z@mm which appeared during November, it appears that a proportion of end-users have learnt from their past encounters with earlier Sober family members. Let us hope that this is a trend that continues.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month is yet again dominated by Mytob.c, Doombot.b [most other vendors have included this as a member of the Mytob family] and Zafi.d. Between these three malware variants they account for over a third of all reported samples to Kaspersky. The rest of the chart is made up of more Mytobs [bi, bk, u and t], two Netsky variants [q and b] and Lovgate.w. Doombot [d] has fallen out of the top 10.

In the SOPHOS chart we see a different pattern, with Netsky.p knocked off the pole position by none other than Sober-Z. Netsky.p has to make do with second place this month. 5 Mytob variants [GH, EX, AS, BE and C] appear in the top 10. Just like in the data from Kaspersky we have the Zafi.D variant too, however the B variant appears in the Sophos top 10 but is missing from the Kaspersky chart. Netsky.D gets a look in once more, coming in ninth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up [only just] by Mytob accounting for over 38 percent of all samples caught. This just kept September’s leader [Tenga] down in the runner-up spot for the second month running.

The Sdbot family has lost more of its share over the last month accounting for a mere 2.1 percent of all captured samples. The new entry this month is the Sober family making a comeback and grabbing 5th place and beating Sdbot into sixth place.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of November] here. This clearly shows that November was significantly quieter than October; in fact it was only slightly busier than September. This data includes Sober.Z.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 162,987 [as at the end of November 2005]. That’s a growth of 50,549 so far this year! Last year in total we saw 28,327 new malware strains, so we have already eclipsed last year.

Looks like we could see 60,000 new malware strains by the end of the year, which is significantly more than I expected when I started the year with my first estimate!

What’s New?

Sober Again?
Yes, Sober is back again: We first saw it in October 2003 where it caused a mild splash. However two of the members of the Sober family were responsible for ‘significant’ outbreaks; these being variants c and e.

Sober seems to be targeting Internet users in Western Europe and the author tends to focus on political views and combines that with very effective social engineering tricks; this double-whammy seems to lower the defences of most users.

Sober.Z [aka Sober.y, Sober@MM!M681, SOBER.AG, etc.] used a trick which worked well for an earlier version of the family; it sent forged e-mail messages which claimed to have come from the FBI which claimed that the recipient had violated copyright by downloading music from filesharing networks. The e-mail message instructs the recipient to open the attachment, which, the e-mail claims, contains data relating to the alleged offence.

Carole Theriault from Sophos had this to say about the latest version of Sober:

Since we saw the first Sober worm back in October 2003, its author has tried to improve upon tried-and-tested tricks to dupe computer users into launching infected attachments.

This latest worm purports to be a warning from CIA and FBI agents, accusing recipients of visiting illegal websites. Mocking the feds is a sure-fire way of goading the authorities, and you can’t help but wonder whether the author is desperate to be caught.

Sober variants are often bilingual [not many malware strains have used this trick] to enable them to spread in both English and German, and infect both English and German speaker/readers as well as anyone else that is naive enough to run the attachment.

An interesting side note with the latest version is that the message included a genuine telephone number for the FBI! It appears that a number of recipients who received the Sober.Z generated e-mails actually rang the FBI on the number supplied. This caused the FBI number being spammed by Sober.Z to effectively be under a ‘telephone’ DoS [Denial of Service] attack.

Not only did it claim to have come from an FBI or CIA agent, Sober.Z also uses the German version of ‘Who Wants to be a Millionaire’ and uses the old ‘sex sells’ trick by using Paris Hilton as bait.

Furthermore, in a rather odd ‘Twilight Zone’ type occurrence; the Bavarian police issued a warning about a new variant [of Sober] being launched in the next 48 hours; lo and behold they got it right as the warning appeared before the latest family member was unleashed, and allowed to cause havoc on the internet. This would suggest that the Bavarian police may know who the author is and are keeping a close eye on them. This may be a simple case of allowing them to effectively incriminate themselves further. Hopefully, this will lead to an arrest at some point, and another malware author will be re-educated.

I also attended the EMEA SecureWorld Conference and I have blogged about that as a separate entry.

Conclusions:
As you may have noticed SPAM and Phishing scams have been very aggressive during November and I expect that this trend will escalate during December. On that note; not only will I be writing a review for December but I will also be putting together a ‘Malware Review for 2005’ which will cover the whole year and make some predictions on the probable threats and trends for 2006.

Links:
Virus Top Twenty for November 2005 [Kaspersky]
Top ten viruses and hoaxes for November 2005 [Sophos]



Wednesday 14th December, 2005


EMEA SecureWorld 2005 Review

Filed under: All, Malware, Papers

As some of you may have noticed this blog has been rather quiet over the last month or so, why? Well this posting should give you some idea why I haven’t been able to find much ‘spare’ time to post here. Hopefully things should get back to something resembling ‘normality’ [if there is such a thing], at least for a while.

The EMEA SecureWorld conference was held in the beautiful city of Prague in the Czech Republic between the 21st and 24th of November at the Prague Hilton about a mile from the historic centre of Prague.

I arrived late in the afternoon on the day [Sunday] before the conference started, and was rather surprised that it had snowed; in fact it was snowing most of Sunday which made it a cold trip from the airport to the hotel.

Having been to Prague before and knowing that the taxi drivers are notorious for:

  • Speeding
  • Driving like maniacs
  • Over-charging tourists

I decided to have a ‘mini-adventure’ and try and get to the hotel via public transport; bus and then metro. I must admit I was feeling rather daunted by the prospect, but apart from the bus driver being rather brusque and awkward, the trip was fairly simple and I arrived about an hour after leaving the airport. All for the cost of around 1 UK Pound [40 Czech Crowns] instead of the 600-1,300 Czech Crowns [Koruna] it would have cost by taxi.

But, don’t just take my word for it. Here’s a picture from the Virus Bulletin 2001 conference featuring Graham Cluley from Sophos with a slide about the ‘risk’ levels of certain things:



The text below the ‘Meteor Strike’ image that he is obscuring says ‘LOW, but pretty nasty’, so you can see that if you willingly use Prague taxis you are considered to have a ‘Death Wish’, or just don’t know any better!

On the subject of Prague taxi drivers being notorious, they even tried to rip-off [over-charge] the Mayor of Prague when he was disguised as a tourist!

Anyway, back to EMEA SecureWorld:

I was invited to present on the following:

  • DI09 - IDS and IPS Another piece of Protection Puzzle [1]
  • DI10 - Outsourcing Security, Why and What? [3]
  • TM18 - Bots and Botnets: Risks, Issues and Prevention [2]

Two of these presentations [DI10 and TM18] were repeated on the last day of the conference; so I ended up doing five one hour presentations. Not only that but I also was interviewed by a journalist for the Czech version of one of the technology magazines [Professional Computing] and I also participated in a ‘radio interview’ for the Czech Republic’s largest radio station. The radio ‘interview’ will be translated into Czech and will be broadcast in January 2006.

Both of these were about ‘bots and botnets’ as well as SPAM and Phishing.

Representing the US Virus Cert was Chuck Springer who gave a number of presentations on malware related topics.

  • TM01 - Introduction to Malware
  • TM02 - Worm Wars
  • TM03 - First Aid Virus
  • SGC04 - Corporate Threat Assessment Model
  • TM04 - Will International Law Stop Virus Writers?

Other things to be aware of in Prague are: the pick-pockets, beggars and the infamous scam where you get approached by someone asking for change, next thing you know a ‘policeman’ is demanding to see your passport, and then proceeds to confiscate it. Next, both the ‘change’ requestor and the ‘policeman’ disappear. Guess what, the policeman was not a policeman and you have been scammed and are now without your passport!

How do I know about this scam? Well I have been to Prague before, to present at the Virus Bulletin 2001 conference and the paper I was doing that year was all about hoaxes, scams, urban legends and related things. So, before I went I did some research into local ‘known’ scams, hoaxes, etc.

Don’t get me wrong I really like Prague, it really is a very beautiful historic city with some amazing architecture, and I would happily go there again, in fact my Son is very keen to visit as soon as I can be surgically removed from my computers and my desk ;-) .

Right, back to the EMEA SecureWorld conference:
There were a number of other interesting presentations which I managed to attend, including a very good one on ‘Secure DMZs’ presented by Jeff Crume. However, it was not possible for me to attend all of the ones I was interested in as I was often presenting at the same time as they were being run, typical!

All in all, this was a useful conference to attend and the feedback we’ve received so far indicates that it was a hit with the delegates too!

On the Friday, the day I was travelling back to the UK, it started to snow again, quite heavily. So I arrived to snow, it didn’t snow during the conference [although it was bitterly cold] but started to snow as I was leaving Prague.

I decided to repeat my ‘mini-adventure’ and try and get to the airport via public transport; metro and then bus. I allowed extra time, however I needn’t have worried as the whole trip was painless and I was at the airport in under 45 minutes and as I bought a ticket for the metro and bus in advance it cost me about 50 Pence [20 Czech Crowns].

[1] This presentation is based on the paper written for the EICAR 2005 conference and can be downloaded from http://arachnid.homeip.net/papers
[2] This presentation is based on the paper written for the Virus Bulletin 2005 conference and can be downloaded from http://arachnid.homeip.net/papers
[3] There is no paper for this.

