Antivirus and Security Software from Sophos


The correct CV (or malware)

Today we have observed some messages which at first glance appeared to be somebody trying to correct their mistakes on the CV they sent out.

All messages had the same body text that read as follows:

Thank you for the chat yesterday, it really helped me get a clearer idea
of recruitment as well as exploring any potential opportunity.

I have just spotted a mistake on the CV I sent in which my email was incorrect.

Apologies for any inconvenience caused if you have already sent me any information on anything we discussed.

My CV is an updated!
CV with the correct email on this link: http://<censored>/mycv.doc.exe

The link was broken.

It was obvious that somebody was trying to trick people into downloading executable files disguised as CV documents but had made some mistakes in the course of doing so.

Then at a later time during the day, this was observed in quantity:


Thank you for the chat yesterday, it really helped me get a clearer idea
of recruitment as well as exploring any potential opportunity.

I have just spotted a mistake on the CV I sent in which my email was incorrect.

Apologies for any inconvenience caused if you have already sent me any information on anything we discussed.

My CV is an updated!
CV with the correct email on this link: http://<censored>/mycv.docx


It is exactly the same text body except for the last line.

The link is now live, and the linked file is detected by Sophos as Mal/Zbot-U.



To infinity and beyond

SophosLabs has discovered a technique in anti-virus marketing, which we detect as Spin/BigNumber-P. Typical behaviour involves phrases such as “Product detects X viruses!”, where X is a large, rather exact-sounding number. Some variants involve high-tech numerical displays updated in real-time with ever growing numbers. This technique has been spotted in the wild.

Never one to be left out, SophosLabs would now like to publish the number of malicious files we detect:

infinity

Yes, that’s right: We currently detect an infinite number of malicious files. While that shouldn’t surprise those familiar with SophosLabs, let me explain.

Talking about a specific number in relation to total malicious file detections reveals a misunderstanding of how malware and malware detection operate. The vast majority of threats we see are polymorphic, meaning we see many variations of each threat. Some are modified by the malware authors, others are generated by server-side programs and others modify themselves as they spread. And then there are file infecting viruses, which potentially modify any clean file on a system into a malicious one. An infinite number of threats.

When a quick response is required, our analysts and automated systems can block a specific file. But the bulk of our protection comes from generic detection which looks for characteristics of known malware, rather than an exact match. Just one such identity might detect hundreds, thousands, or an infinite number of variants.

Let me be clear: There are no practical limits on the number of different files we can detect, nor on the number of identities our product can handle. If we were relying solely on exact file matches using checksums, we might quickly run into performance issues and memory limits, or restrict detection to only the most active threats (a practice followed by some other vendors). Instead, we maintain a multi-layered detection framework based on static characteristics and/or run-time behaviours.

Even with such an impressive detection number, we’re not about to rest on our laurels. In fact, by tomorrow, our detection number will be an even larger infinity. If that seems paradoxical to you, you probably didn’t take Pure Mathematics at University. But I did, so let me offer an example: The set containing all positive, even numbers (2, 4, 6…) is infinite. So is the set of all positive numbers (1, 2, 3, 4, 5, 6…), but it is larger because it contains everything in the first set plus infinitely more.

Too theoretical? Consider Troj/VB-EUH which, when run, creates about 100 variations of itself on the host system. Running any of these variants on a new system will create 100 more variations. It’s easy to see that an automated system left running could quickly create hundreds of thousands of new, malicious files, which would all be detected as Troj/VB-EUH.

Hmmm, maybe it is time to get our own real-time counter.



FakeAV, now with sounds

Recently, creators of Fake Anti Virus software have been getting quite creative and somewhat “professional” in designing the look and feel of their fake software.

Today I came across one with sounds.

Whenever the malware does a fake scan and finds something wrong with the user’s computer, a lady’s voice (in typical GPS style, I might add) booms out “New virus found!!”

If that’s not irritating enough, you get to hear her sweet voice again when she pesters you to “Please activate your Antivirus software”.

But don’t let her melodious voice fool you; she’s certainly out to get you.

Sophos detects this piece of malware as Mal/FakeAV-EI.



Encryption with no separate external key

Most typical modern malware variants tend to hide critical parts of their functionality (strings, URLs/IPs of its dodgy servers, etc.) using some form of encryption. In most cases only trivial algorithms are used. However, these suffice as the intention is usually not to create unbreakable encryption, but merely to obscure their malicious intent from anti-virus engines.

Although some authors choose to cloak their malware in complete paranoia, such as the ZBot family that encrypts everything with an industry-standard RC4 implementation with enormously long keys, typically, you would not find anything more serious (such as AES, or BlowFish) even in the most complex of polymorphic viruses.

The overwhelmingly most common method of string encryption is to use an XOR operation with a key. A big appeal of this technique is that the same simple operation performs both the encryption and the subsequent decryption of the data, i.e. (D XOR Key) XOR Key = D.

But sometimes it is not just simple, it’s simpler than simple: no decryption key at all is needed to decrypt the data!

While analyzing one of the recent samples, I found a very curious encrypted string (hexadecimal representation):

67 02 11 17 0C 01 08 0F 0E 49 5E 18 18

In the line above there is one single encrypted string. You don’t need any additional key to decrypt it - it is all available using a very simple algorithm. The decrypted string is:

67 65 74 63 6F 6E 66 69 67 2E 70 68 70 ; getconfig.php

To recover the original string, each byte is decoded by XORing it with the previous decoded byte (the first byte is not encrypted at all); so:

0x67 xor 0x02 = 0x65 ("e"), 0x65 xor 0x11 = 0x74 ("t"), …
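The two schemes described above, as an added example written for this page (it is not code from the Sophos post or from the malware itself): plain single-key XOR, which undoes itself when applied twice, and the keyless chained XOR used for the getconfig.php string, where every ciphertext byte is XORed with the previous decrypted byte and the first byte is stored in the clear. The ciphertext is the one printed in the post; the function names are mine.

```python
# Added example (not code from the Sophos post): single-key XOR and the
# keyless chained XOR used to hide "getconfig.php" in Troj/Agent-OFC.

# Encrypted string exactly as printed in the post (hexadecimal).
SAMPLE_CIPHERTEXT = bytes.fromhex("67 02 11 17 0C 01 08 0F 0E 49 5E 18 18")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Classic repeating-key XOR. (D XOR Key) XOR Key == D, so the same
    function encrypts and decrypts, which is why malware authors like it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def chain_decrypt(data: bytes) -> bytes:
    """Keyless chained XOR as seen in the sample:
    P[0] = C[0]; P[i] = C[i] XOR P[i-1] (the previous *decrypted* byte)."""
    out = bytearray()
    prev = 0  # XOR with 0 leaves the first byte unchanged
    for c in data:
        p = c ^ prev
        out.append(p)
        prev = p
    return bytes(out)


def chain_encrypt(data: bytes) -> bytes:
    """Inverse of chain_decrypt: C[0] = P[0]; C[i] = P[i] XOR P[i-1].
    Every output byte depends only on two plaintext bytes, so there is
    nothing to hide and no key to recover: the ciphertext is self-keyed."""
    out = bytearray()
    prev = 0
    for p in data:
        out.append(p ^ prev)
        prev = p
    return bytes(out)


def decode_sample() -> str:
    """Decode the string from the post; expected result: getconfig.php."""
    return chain_decrypt(SAMPLE_CIPHERTEXT).decode("ascii")


def hexdump(data: bytes) -> str:
    """Render bytes the way the post prints them (upper-case, space separated)."""
    return data.hex(" ").upper()


if __name__ == "__main__":
    plain = chain_decrypt(SAMPLE_CIPHERTEXT)
    print(hexdump(SAMPLE_CIPHERTEXT), "->", hexdump(plain), ";", plain.decode())
    # Round trip on another string the post lists, to show the scheme is general.
    s = b"Installer\\Products"
    assert chain_decrypt(chain_encrypt(s)) == s
    # Single-key XOR undoes itself with the same key (key byte is constructed).
    assert xor_with_key(xor_with_key(b"htmlfile", b"\x5a"), b"\x5a") == b"htmlfile"
```

When triaging an unknown sample, chain_decrypt is worth trying on any blob of mostly low bytes that starts with a printable character: the first byte is plaintext, and a correct decode yields an ASCII run immediately, whereas a wrong guess produces noise.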

Brilliantly simple although this will not hamper Sophos detecting it (Troj/Agent-OFC).

P.S. Other strings from this malware that use this encryption technique include:

&hddsz=%I64x
ntd11.dll ; (sic)
htmlfile
Installer\Products
SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers
ROOT\CIMV2
Error setting admin rights

… and so on (about 100 different strings).



This could save your LIFE!

The following internet advice, which may have a subject title such as the above, could just get you killed.

Like any other middle-aged, balding, overweight chap, my mother still worries about me. So when her friend sent this to her and many other people, she forwarded it to me first:-

Just in case!!!

Let’s say it’s 6.15pm and you’re going home (alone of course), after an unusually hard day on the job.

You’re really tired, upset and frustrated.

Suddenly you start experiencing severe pain in your chest that starts to drag out into your arm and up into your jaw. You are only about five miles from the hospital nearest your home. Unfortunately you don’t know if you’ll be able to make it that far. You have been trained in CPR, but the guy that taught the course did not tell you how to perform it on yourself.

HOW TO SURVIVE A HEART ATTACK WHEN ALONE

Since many people are alone when they suffer a heart attack, without help, the person whose heart is beating improperly and who begins to feel faint, has only about 10 seconds left before losing consciousness.

However, these victims can help themselves by coughing repeatedly and very vigorously. A deep breath should be taken before each cough, and the cough must be deep and prolonged, as when producing sputum from deep inside the chest.

A breath and a cough must be repeated about every two seconds without let-up until help arrives, or until the heart is felt to be beating normally again. Not sure I can cope with this - takes me more than 2 seconds to draw breath these days.

Deep breaths get oxygen into the lungs and coughing movements squeeze the heart and keep the blood circulating. The squeezing pressure on the heart also helps it regain normal rhythm. In this way, heart attack victims can get to a hospital. Tell as many other people as possible about this. It could save their lives!!

A cardiologist says if everyone who gets this mail sends it to 10 people you can bet that we’ll save at least one life.

Rather than sending jokes (not sure I agree with this part - keep on sending them they’re probably stopping me getting a heart attack) please contribute by forwarding this mail which can save a person’s life….If this message comes around you ……more than once…..please don’t get irritated…..U need to be happy that you are being reminded of how to tackle….Heart attacks….AGAIN…

It sounds very plausible and, if true, would be worth spreading to as many people as possible. But I told my mother not to send it on to anyone until I had checked it out. I went straight to the British Heart Foundation website and other sources, which revealed that this is dangerous advice and to all intents and purposes not true (except in the most extremely limited of contexts):-

IS47 Cough Cardiopulmonary Resuscitation (IS47_Cough.pdf)

British Heart Foundation

Cough cardiopulmonary resuscitation

What is ‘cough cardiopulmonary resuscitation’?

There is a theory circulating from an uncertain source that you can stop yourself from having a heart attack by practising a technique called ‘cough cardiopulmonary resuscitation’ (sometimes called ‘cough CPR’ or ‘self CPR’). It suggests that coughing vigorously when you think you may be having a heart attack can return the electrical activity of the heart to normal.

The British Heart Foundation (BHF) is not aware of any evidence to support this theory and ‘cough CPR’ should never be used as a first aid technique.

What is the source of the ‘cough CPR’ technique?

You may have heard about ‘cough CPR’ or ‘self CPR’ from an email about an article called How to survive a heart attack when alone. According to the email, the article was originally published in a newsletter from Rochester General Hospital in the USA. However, the hospital claims that they have no knowledge of the source. The email says that vigorous coughing when experiencing sudden, severe chest pain (the classic symptoms of a heart attack) may help to restore or improve the circulation of blood, by maintaining the heart’s normal electrical activity. The advice is very loosely based on reports of people who have used coughing to maintain some sort of cardiac output during cardiac arrest. There is no evidence to support this.

So what should I do if I think I am having a heart attack?

If you experience heaviness or tightness in the chest, accompanied by sweating, sickness, or feeling faint or breathless, you may be having a heart attack. You will need emergency treatment to stabilise your condition, so you need to call 999 for an ambulance immediately.

For more information
———————
www.bhf.org.uk/doubtkills

For more information on what to do if you think you are having a heart attack.

Resuscitation UK Council
www.resus.org.uk

So remember, always verify internet advice if it is not directly from a trusted source.

Please note that Sophos does not certify any medical advice given above.



Phish net stockings?

An interesting phish was just escalated to me for analysis. Well, ironic more than interesting.

Looking at the following phish:

The message is a typical phish with clues to its nefarious origins.

Dear Valued Customer,

Your New Online Statement Summary is now available to view online.
So, go and take a look, it’s there to keep you in the know by detailing your transactions.

Please remember to always keep your receipts safe, check them off against your statement and dispose of them carefully.
If you spot a transaction that you don’t recognize you can get help from the link on your statement,

if anything still seems wrong contact us straight away.

Log on to view your account statement

Sincerely,

TD Canada Trust

The link pointed to the images folder of a WordPress blog. The funny thing was that the blog is a ‘leg and stocking’ fetish site.

Unfortunately, there were no phish net stockings!



DLL pre-loading attack vector addressed by Microsoft


We have been discussing the issue of unsafe DLL loading in the lab since the release of the Microsoft advisory about a potential attack vector that uses the default Windows DLL Search Order to load a malicious DLL into the process space of an application designated for opening a specific file type (e.g. .MP3 or .DOC or .XXX).

To summarize it: when an application dynamically loads a DLL without specifying a full path, Windows tries to locate the DLL by searching through a set of directories, known as the DLL Search Order, which consists of:

1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable

Now, if the attacker discovers a vulnerable application they can place a malicious DLL and a file to be opened by the vulnerable application (to set the current working directory) on a remote or WebDAV share so that the malicious DLL gets dynamically loaded to handle the designated file type.
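A model of the search order just listed, added here as an example (it is not code from the Sophos post or from Microsoft): directories are represented as sets of file names, and the loader's walk is reproduced so you can see which directory a bare-name load resolves to when the opened file sits on a share (making that share the CWD), and how the two mitigations from Microsoft's guidance, loading by full path and removing the CWD from the search, change the outcome. All directory and DLL names are constructed for the demonstration; the real loader also skips the search for modules already in the process and for "known DLLs", which this model leaves out.

```python
# Added example (not from the Sophos post or Microsoft): a model of the
# Windows DLL Search Order used to audit which bare-name DLL loads could
# resolve outside trusted directories. Paths and DLL names are constructed.

def search_order(app_dir, system_dir, system16_dir, windows_dir, cwd,
                 path_dirs, include_cwd=True):
    """The six-step order from the post; include_cwd=False models the
    mitigation that drops the current working directory from the walk."""
    order = [app_dir, system_dir, system16_dir, windows_dir]
    if include_cwd:
        order.append(cwd)
    return order + list(path_dirs)


def _has(fs, directory, file_name):
    # Windows file names are case-insensitive.
    return any(f.lower() == file_name.lower() for f in fs.get(directory, ()))


def resolve_dll(name, order, fs):
    """Return the directory the loader would take the DLL from, or None.
    fs maps a directory to the set of file names it contains (a constructed
    stand-in for the filesystem). A name carrying a path skips the search."""
    if "\\" in name or ":" in name:
        directory, _, file_name = name.rpartition("\\")
        return directory if _has(fs, directory, file_name) else None
    for directory in order:
        if _has(fs, directory, name):
            return directory
    return None


def untrusted_loads(dll_names, order, fs, trusted):
    """Audit helper: bare-name loads that would resolve outside the trusted
    directories (application, system, 16-bit system, Windows)."""
    findings = {}
    for name in dll_names:
        where = resolve_dll(name, order, fs)
        if where is not None and where not in trusted:
            findings[name] = where
    return findings


# Constructed layout: a media player opening song.mp3 from a file share.
APP = r"C:\Program Files\Player"
SYS32 = r"C:\Windows\System32"
SYS16 = r"C:\Windows\System"
WIN = r"C:\Windows"
SHARE = r"\\fileserver\public"   # the opened file lives here, so it becomes the CWD
TOOLS = r"C:\Tools"              # a directory that happens to be on PATH
FS = {
    APP: {"player.exe", "codec.dll"},
    SYS32: {"kernel32.dll", "user32.dll"},
    SYS16: set(),
    WIN: set(),
    SHARE: {"song.mp3", "helper.dll"},
    TOOLS: {"helper.dll"},
}
TRUSTED = {APP, SYS32, SYS16, WIN}


def demo():
    """Three views of the same loads: default order, order without CWD,
    and a load by full path (which never searches at all)."""
    loads = ["kernel32.dll", "codec.dll", "helper.dll"]  # bare-name loads
    default = search_order(APP, SYS32, SYS16, WIN, SHARE, [TOOLS])
    no_cwd = search_order(APP, SYS32, SYS16, WIN, SHARE, [TOOLS], include_cwd=False)
    return {
        "default": untrusted_loads(loads, default, FS, TRUSTED),
        "no_cwd": untrusted_loads(loads, no_cwd, FS, TRUSTED),
        "full_path": resolve_dll(SYS32 + r"\kernel32.dll", default, FS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running demo() shows the point of the post and of the guidance: helper.dll is absent from every trusted directory, so with the default order it comes from the share that set the CWD; removing the CWD from the search stops that, but a writable PATH directory still wins, which is why the developer-side fix (loading by full path, or otherwise restricting the search) is the one that closes the issue rather than the end-user mitigation alone.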

Usually, when a new vulnerability is disclosed, we publish a SophosLabs vulnerability analysis and write detection for our products to catch attempts to exploit the issue in the wild. However, this time the cause of the vulnerability could not be classified as one of the usual suspects for remote code execution (buffer overflow, integer underflow or double free), so we decided that we would not write our own advisory, knowing that Microsoft has put the emphasis for addressing the problem on the developers of the growing number of affected applications.

A number of proof of concept exploits, including a Metasploit module have already been released and there are reports that the issue has been actively exploited in the wild.

Microsoft has released guidance and tools for mitigating the issue, both for end users and for developers. Unfortunately, there must be hundreds of applications affected by the issue, and it will take some time for their developers to fix them. In the meantime, it is important to follow Microsoft’s guidance to mitigate the threat.

Our colleague Chet has also commented on the issue on his blog.



It’s that time again…

Today in Boston is a special day. Yes it’s raining, but today the yellow buses have started their engines. It’s back to school time!

I thought I might use this as a reminder to talk to your kids about computer security. We drill it regularly to our employees and readers, but honestly, kids need to be taught about this as well. First, talk to them about creating a strong password, one that can’t be easily guessed. We blogged about the Top 20 you should never use here:

http://www.sophos.com/blogs/gc/g/2010/01/22/top-20-website-passwords/

We also blogged about how to choose a more secure password:

http://www.sophos.com/blogs/gc/g/2010/02/03/choose-strong-password/

Second, of course, make sure the machine is patched with the latest operating system patches, and that the security software is up to date. This can pre-empt a lot of problems right away. But something that gets overlooked is making sure your child’s account doesn’t have admin rights. This way you can control what they download and install. This also cuts down on the amount of spyware and malware issues you’ll have on that machine, simply because much of the malware written needs “escalated privileges” (admin or power user rights) to be executed. Yes, your kids may whine and fuss because they can’t install some program that is the latest “GOTTA HAVE IT”, but this gives you the opportunity to research and even test the program out to make sure it’s appropriate for your kids.

Another recommendation is to put the computer in a common area, such as the kitchen or the living room. You can monitor what your kids are seeing and doing, but it also means that you and your kids won’t get sucked into hours online. It’s hard to surf, chat, and game while you are around. This will also help with the above points of keeping the machine secure, since it’s right there. Out of sight, out of mind, right? This is really an important recommendation, given what we are seeing on the social media sites:

http://www.sophos.com/blogs/gc/g/2010/08/24/i-text-this-facebook-scam/
http://www.sophos.com/blogs/gc/g/2010/08/23/stalk-site-exposes-danger-sharing-photos-online/
http://www.sophos.com/blogs/sophoslabs/?p=10716
http://www.sophos.com/blogs/sophoslabs/?p=8976
http://www.sophos.com/blogs/sophoslabs/?p=10001

That’s just a small sampling of what we are seeing here every day in SophosLabs. So along with the new clothes, school supplies, and talks of safety, please include cyber-safety in the list of things to get ready for the new school year.

Creative Commons image of school bus courtesy of Zemlinki!’s Flickr photostream


You’re Not That Well Financed, Are You?

Every once in a while, I get the odd spam message that really makes me want to laugh.

Take this one for instance. The spam message says that if I ever want to get a home loan, just feel free to drop an enquiry into the form on the weblink provided and my financial woes are over.

Of course, following the weblink brings me to the following website:

Ok, so far I’m not that impressed. For a finance company that purports to want to lend me money, that website looks a little skimpy. Out of curiosity, I decided to do some browsing around and go to the main webpage where I was greeted with:

I know the worldwide financial markets are still not in the best of health but really, do you seriously expect me to borrow money from you when you look like you can’t even afford a web administrator, much less a website designer? :)

Well, I’ve got more pressing matters to attend to now. Apparently, according to the 2 latest emails I’ve just received, I’m supposed to be both 12 weeks and 33 weeks pregnant at the same time. I wonder what my wife is going to say?



PerlBot: A reason to run anti-virus on Linux?

This morning I noticed that SANS were talking about a Perl bot that has been reported on various Unix systems. I went looking for this file and noticed that a colleague had already updated the identity for Mal/PerlBot-A to detect it.

SophosLabs sees large amounts of malware affecting Windows every day, and while malware affecting other operating systems is rarer, no operating system is immune (Linux, Mac).

SophosLabs recommends that all computer users run anti-virus, even those running *nixes.

