Sophos

Archive for September, 2007

The Pushdo Problem

Recently we’ve seen an awful lot of spam aimed at spreading Pushdo Trojans, something we mentioned a few days ago. In fact in the last week we’ve seen at least 5 extremely aggressive campaigns, each containing new variants of the Trojans.

The author keeps changing elements of his code each time he spams out a new variant, in an attempt to break as much generic detection as possible. His tricks so far have included adding junk instructions to the code, deliberately changing the starting bytes, encrypting portions of his strings and code, generally reordering and restructuring his functionality, and changing the way he performs calls to his core API functions (for example loading some or all of them dynamically, and trying to hide the way he does so).

Flipping back and forth between techniques like these can make it very difficult to detect this sort of file proactively, and it’s something that the Dorf author is very aware of as well, which is why we sometimes update our generic Troj/Pushdo-Gen identity. In particular though I was pleased that we caught both Thursday and Friday’s campaigns before they’d even started, not least since it seems that we were one of the few vendors ahead of the game on Thursday, and the only vendor to catch Friday’s run proactively.
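To make the detection problem concrete, here is an added example (not code from the original post or from Sophos) of the difference between a fixed "starting bytes" signature and a generic, wildcard-tolerant one. The byte strings are constructed for illustration and are not taken from any Pushdo sample; the tiny YARA-style hex pattern syntax (`??` for any byte, `[a-b]` for a jump of a to b bytes) is assumed here as the signature language.

```python
import re

# Two constructed "variants". VARIANT_B is VARIANT_A with junk NOP (0x90)
# instructions inserted, which is the kind of change described above: the
# starting bytes differ, but the useful instruction sequence is unchanged.
VARIANT_A = bytes.fromhex("6A 00 68 00 10 40 00 E8 12 34 56 78 C3")
VARIANT_B = bytes.fromhex("90 90 6A 00 90 68 00 10 40 00 90 90 90 E8 12 34 56 78 C3")

# An exact signature over the first bytes of VARIANT_A.
EXACT_SIG = "6A 00 68 00 10 40 00 E8"

# A generic signature: tolerate 0-4 junk bytes between the meaningful
# instructions and ignore the immediate operand of the push.
GENERIC_SIG = "6A 00 [0-4] 68 ?? ?? ?? ?? [0-4] E8"


def compile_hex_pattern(pattern):
    """Translate a YARA-style hex string into a compiled regex over bytes.

    Tokens: 'XX' literal byte, '??' any single byte, '[a-b]' skip a..b bytes.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so '.' also matches 0x0A, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


def matches(pattern, data):
    """True if the hex pattern occurs anywhere in the data."""
    return compile_hex_pattern(pattern).search(data) is not None


def scan(samples, signatures):
    """Return {sample_name: [signature names that hit]} for a quick triage view."""
    return {
        name: [sig for sig, pat in signatures.items() if matches(pat, data)]
        for name, data in samples.items()
    }


if __name__ == "__main__":
    result = scan(
        {"variant_a": VARIANT_A, "variant_b": VARIANT_B},
        {"exact": EXACT_SIG, "generic": GENERIC_SIG},
    )
    for name, hits in result.items():
        print(f"{name}: {hits}")
```

Running this shows the exact signature hitting only the first variant while the generic one hits both; the cost of the generic form is that the jumps must be kept short and anchored on real instruction bytes, or it starts matching clean code too.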

So what exactly do these ever-changing Trojans attempt to do? Basically they’re just glorified droppers, decrypting another file and running it directly in memory. Along the way they also employ more methods to try to evade detection, including starting new dummy threads in suspended states, then changing them to point to real code as the original code sits in an infinite loop, and shifting control to the decrypted file using the slightly unusual approach of directly modifying the system’s Process Entry Block before creating a new thread to the decrypted code.

A portion of code from the dropped Pushu file

This dropped file is a member of the Troj/Pushu-Gen family of Trojans, a family that emerged several months before the Pushdo droppers. This new file in turn attempts to drop more files, though the number and the naming depends on what operating system and file system the Trojan finds. At most two are dropped as system files to provide stealthing for the Trojan and make sure it’s always running, while the third is injected directly into Internet Explorer in order to download and execute more files. All three are detected as Troj/Pushu-Gen, though at this time detection for the four components by many other AV companies is still somewhat patchy.

How many more times will the campaigns change, and will we have to update our proactive detection again? Only time will tell.


Burmese demonstrations social engineering

As is often the case with high profile news stories, malware authors are quick to theme the social engineering of their attacks accordingly. Today, SophosLabs received a submission of the following email message which had an attached Word document:

Dear Friends & Colleagues, Please find enclosed a massage from His Holiness the Dalai Lama in support of the recent pro-democracy demonstrations taking place in Burma. This is for your information and can be distributed as you see fit.

Best wishes.

Tenzin Taklha
Joint Secretary
Office of His Holiness the Dalai Lama

The attachment (filename: hhdl burma_001.doc) is a malicious Word document (proactively detected as Exp/1Table-B), crafted to exploit a vulnerability in Word in order to drop and run a malicious Trojan (proactively detected as Troj/Agent-GCU). The message also contained a link to the website of the Dalai Lama.


As ever, be alert for social engineering tricks used by malware authors, particularly those that are themed on topical, global news items.


IRS = PayPal?

Today SophosLabs observed a typical PayPal phishing email which I found rather amusing. At first glance it seems to be your usual phishing attempt, where they claim they’re trying to do you a service due to a potential security risk where someone in another country tried signing in as you. They ask you to login via a link to verify your account, which is a site mirrored to look like the PayPal site. That’s the same old thing, no big surprises. What was funny though was the Internal Revenue Service (IRS) in the From header, where it seems the person sending out this phish email got their campaigns confused and forgot to change it to the PayPal address.

After doing a bit of digging around, I found this news article on the official IRS website which is just from last week. If I were a betting man I’d say the people behind this PayPal phishing campaign are the same people behind the IRS scam.
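The mismatch described in this post (a PayPal lure sent from an IRS address) is exactly the sort of inconsistency a mail gateway can check for automatically. The following is an added example, not code from the original post or from Sophos: it parses a constructed message modelled on the one described, compares the brand named in the body against the sender domain and the link hosts, and reports each inconsistency. The brand/domain table and the `.test` hostnames are assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, assumed for this example only: the body impersonates
# PayPal while the From header names the IRS. The .test hosts are reserved
# names, not real sites.
SAMPLE_EML = """\
From: "Internal Revenue Service" <refunds@irs.gov.test>
To: victim@example.net
Subject: Unusual sign-in to your PayPal account
Content-Type: text/plain; charset=utf-8

Dear PayPal member,

Someone in another country tried to sign in as you. To verify your
account, log in at http://www.paypal-secure-login.test/cgi-bin/webscr

Thank you,
PayPal Security Team
"""

# A constructed legitimate-looking message for comparison.
CLEAN_EML = """\
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your PayPal receipt
Content-Type: text/plain; charset=utf-8

Dear PayPal member,

Your receipt is available at https://www.paypal.com/myaccount
"""

# Brands we care about and the domains they legitimately use. Assumed list;
# a real gateway would load a maintained table.
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "irs": ("irs.gov",),
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def host_matches(host, domain):
    """True if host is domain or a subdomain of it (look-alikes do not count)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def brand_for_host(host):
    """Brand whose legitimate domains cover host, else None."""
    for brand, domains in BRAND_DOMAINS.items():
        if any(host_matches(host, d) for d in domains):
            return brand
    return None


def brands_named(text):
    """Brands whose name appears in the text, matched on word boundaries."""
    return {
        b for b in BRAND_DOMAINS
        if re.search(r"\b" + re.escape(b) + r"\b", text, re.IGNORECASE)
    }


def analyse(raw):
    """Return a list of human-readable inconsistencies found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_header = str(msg.get("From", ""))
    _, addr = parseaddr(from_header)
    from_host = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    named = brands_named(str(msg.get("Subject", "")) + "\n" + body)
    from_brand = brand_for_host(from_host)
    findings = []

    # 1. The body talks about a brand, but the sender is not that brand.
    for brand in sorted(named):
        if from_brand != brand:
            findings.append(f"body names {brand} but From is {from_host}")

    # 2. The From header claims a brand the body never mentions (the IRS slip).
    for brand in sorted(brands_named(from_header)):
        if brand not in named:
            findings.append(f"From header claims {brand}, body never mentions it")

    # 3. Any link whose host is not a legitimate domain of a brand in the body.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if brand_for_host(host) not in named:
            findings.append(f"link host {host} is not a domain of {sorted(named)}")

    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EML):
        print("phish:", line)
    print("clean:", analyse(CLEAN_EML))
```

On the constructed phish this reports three findings (PayPal named but not the sender, IRS claimed in From but absent from the body, and a look-alike link host); the clean message produces none. Brand-name matching on the body is deliberately crude here, and in practice the list of brands and domains is the part that needs maintaining.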

IRS Paypal


Keeping abreast of the current spam problem

Traditionally, SophosLabs see male enhancement products spammed. Over the past few years the spamvertised product range has changed (it is no longer just porn and viagra).

Today, I saw the following:-


Embarrassment of small breasts and low self-esteem are buried in the past for those women who have discovered a natural breast enhancement SizeUp. Herbal capsules are safe for your health and even improve it by removing blockage of veins, for example. It has no side effects.
We do our best to provide all our customers with the highest quality products and introduced money back guarantee for you. Fast delivery and confidentiality is guaranteed.


http://xxxxxx.net/

Improve the size and shape of your breasts and surprise your partner.

The link would take you to the following site:-

SizeUp!

Like the male enhancement spam, this one wasn't well targeted: it went to a Rex, a Hector and a Mike as well as to a Sharon and a Patty.


Cross-platform nasties

We were sent a sample this week of a worm written using the .NET framework by a self-proclaimed “Whitehat Hacker”, which we are detecting as Mal/Fallblo-A. What makes this malware unusual is its intention to run on any platform that supports .NET, including both Windows- and Unix-based systems.

In this case the worm attempts to send itself via email, and in fact will choose the message characteristics based on the language of your system, the language of the recipient’s email address, the platform you are running, and whether or not it believes you to be a “professional” or an “average” user (based on the software you have installed). So an “average” user with an English, Windows-based system might send out an email to a “.co.uk” address saying:

Hi,
I have recently started to try out programming!
This is one of my first programms. What do you think of it?

A “professional” user with a German, Windows-based system might send out an email to a “.de” address saying:

Hi,
Ich habe beim Schreiben dieses Programms einen neuen Ansatz verfolgt. Sag mir bitte was du davon hälts.

Meanwhile a user with an English, Unix-based system might send out an email to a “.com” address saying:

If the programm should not work instantly on your non-windows-system you probably need to execute it using mono. (mono-project.com)

Despite the author announcing this malware publicly and providing the source code and binaries, it’s unlikely that we’ll be seeing Mal/Fallblo-A “in the wild”. It does however make a point about the possibility for cross-platform malware, and once again raises the issue of “responsible disclosure”, or in this case the lack thereof.


Another Pushdo spamming

Today we have seen another large spamming of a downloading Trojan masquerading as something exciting (along the usual theme of a new, hot game or picture).

Happily, the creation is proactively blocked by Sophos products as Troj/Pushdo-Gen. Just as well, since we are seeing this in large numbers; for the past 24 hours, almost 4 out of every 5 infected emails we have seen are due to Troj/Pushdo-Gen.

As with previous variants, the latest one drops and runs a file in memory, which then proceeds to install the other components involved in this attack.


These repeated mass-spammings used to occur each Wednesday. However, over the past few weeks we have seen the spammings occurring on other days as well. As other attacks move away from using email to deliver threats (e.g. Dorf), the group behind this attack are clearly having sufficient success to continue with it. Then again, maybe not. Maybe they are using other methods as well? We are seeing various malicious web sites attempting to use a variety of browser exploits in order to download and execute Troj/Pushdo-Gen on the victim machine:

pushdo2_sm.gif

As can be seen in this example, the attack site uses a malicious script (detected as Troj/Iffy-B) to attack the client with several exploits, all in an attempt to infect the victim with this Trojan.

Whatever the case, by continuing to monitor these web and email attacks, we can hopefully continue to maintain proactive detection and protect our customers.


Break The Broker

This was a fairly quiet weekend at the SophosLabs UK headquarters. It seems all the hackers took a nice weekend out since the malware front was abandoned.

It’s a shame we cannot say the same about the spammers since late Saturday morning a relatively heavy drug campaign started and its last waves could still be observed after 24 hours - which just shows that in the field of computer security ‘evil never sleeps’ and there is always a reason to keep our eyes on our systems.

On Sunday a patcher program was seen among the incoming samples. Instead of the usual key generator, it tried to patch a specific stock market broker application to make it work without purchase.
This illegal patcher had already been detected proactively by Sophos as Mal/Packer, providing continuous protection for Sophos customers. Such programs always make us wonder who would ever trust a cracked financial application with their money.


Is the Wildlist still relevant?

Just wanted to say hello from all the SophosLabs members here at the Virus Bulletin conference in Vienna. The VB conference is one of the very few events where technical people from the industry meet and present their ideas and research results.

This year the conference is full of excellent presentations and even some controversial topics addressed at today’s presentation about the Wildlist and its relevance to the industry.

Andreas Marx from AV-Test.org thinks that the Wildlist has lost a lot of its relevance. According to Andreas, it is not just that there are not enough active reporters of new samples, so that the number of malware on the list (currently around 500) is an order of magnitude lower than the actual number of active malware. Furthermore, the Wildlist only contains self-replicating malware, which makes up a minority of the malware we see every day.

Finally, the Wildlist is published once a month and the typical malware campaign is only active for a very short time, so by the time the Wildlist is published it is already out of date.

On the other hand, Wildlist samples are verified by skilled reporters and the quality of samples is very high. With the large sets used by testing companies such as AV-Test.org it is not so easy to verify that every sample in the test set is actually malicious. One could, perhaps, rely on the scanning results of anti-virus products, but the fact is that different vendors choose to detect different classes of files, especially those with borderline malware characteristics such as adware and dialers.

After all, the purpose of the Wildlist from its beginning was to provide a basic set of viruses that should be detected by every decent anti-virus product and as such it is still a valuable resource for testers. Despite some of its shortcomings, it is quite interesting that even some major anti-virus products sometimes miss samples from the Wildlist. A good way to track the detection performance of products against the Wildlist test set is to follow the results of the regular VB100 tests conducted by Virus Bulletin.

I certainly enjoyed this discussion and I think both Andreas Marx and the Wildlist organisation had some good arguments about the Wildlist’s relevance and purpose.

If you are interested in finding out more about the subject of anti-virus testing and the Wildlist test set, please listen to our latest podcast with Mark Harris, Director of SophosLabs.


How to entice victims: part 1.

SophosLabs sees lots of ways that spammers and malware authors use to entice victims to visit their sites.

One of the most popular is by using popular products or services.

Here is an example of spam using the popular iPhone brand (in German):

Win an iPhone

Here is an example of a malware ‘attack’ site using the brand:

Attack site iPhone

With today’s news that the iPhone is set to be sold in the UK I suspect that we will see more abuse of the iPhone brand for spam and malware.


Saving History

Following the news last week about laptops being shipped with an old boot sector virus, there have been a number of reports about how well modern security products fare against these old types of threats. Third party testers have been checking that vendors are able to detect and remove the threat. The testing so far has focussed on consumer products and Sophos had not been tested, so we decided to carry out our own tests.

To find someone with hands-on experience of boot sector viruses we turned to Paul ‘duck’ Ducklin from Sophos Australia; his findings are as follows (he’s not normally the shy type, I hasten to add).

'duck'

As you probably know from Mark’s blog entry here:

the German supermarket chain Aldi (which operates in many countries outside Germany, including Australia — indeed, their local North Sydney branch is about 60 seconds walk from Sophos and is well-patronised by SophosLabs for emergency bulk supplies such as biscuits and ice cream) recently shipped a bunch of laptops with the old-school boot virus “Angelina” on the hard disk.

Since these laptops come with Windows Vista, this begs the question: how to get rid of it? (The virus, I mean, not Vista.)

Good news!

I made an infectious floppy today, and infected a Vista Ultimate image on the PINK network in the lab.

I then installed a standalone SAV7 (7.0.2, virus data 4.21, current version) straight from the installer I had fetched from the internet, and:

1. Ran a default scan of the C: drive.

SAV7 detected and reported the virus on the hard disk.

2. Reconfigured the scan to “automatically clean up items that contain virus/spyware”.

SAV7 detected and reported the virus, and then automatically and correctly disinfected the hard disk.

Errr, that’s that. Good isn’t it?

So you can use SAV7 to check and fix your Aldi laptop, if you think you might have bought one with this little piece of history on it :-)

Note, the reference to the ‘PINK’ network refers to the fact that we have separate controlled networks to keep malware analysis apart from the rest of the company. Live malware only ever occurs on the ‘Pink’ network.