Sophos

Archive for November, 2007

Bot Roasting

It's been a busy day in SophosLabs today, not because of a huge increase in malware or spam, but because of the renewed interest in bots following the conclusion of the second phase of the FBI's "bot roast". News of the arrest of an 18-year-old from New Zealand has brought a number of enquiries from TV and radio our way.

We've already had one BBC TV crew in the Lab today, and BBC Radio 4 is due in later (although that visit was already scheduled for a planned documentary on bots).

These sorts of distractions make a change from our usual work, and we welcome the efforts of law enforcement in tracking down the criminals. Bots remain a significant problem, and the 'bot-herders' are getting more and more sophisticated at defeating anti-spam techniques such as IP blocking (refusing connections from an address known to send spam). IP reputation systems can be very effective, since the connection from a bot is dropped without having to accept any part of the spam message. But spammers now simply retry immediately from other bots. This can result in a flood of connection attempts that costs more than accepting the spam message and deleting it later. A blend of techniques is required, and that blend needs to be continuously improved and modified before the bad guys find a way past your defences.
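To make the "blend" concrete, here is an added example (not Sophos code) of a connection-time gate for an inbound SMTP listener. It layers three cheap checks before a single byte of message data is read: an IP reputation list, a tarpit that only kicks in once listed hosts are being dropped faster than a set budget (so a botnet rotating through fresh bots ties up its own sockets rather than ours), and greylisting for hosts with no reputation at all. The networks, addresses and thresholds are constructed for the example.

```python
"""Added example, not Sophos code: a connection-time gate for an inbound
SMTP listener that layers an IP reputation check, a tarpit for floods of
listed hosts, and greylisting for unknown hosts.  Addresses, lists and
thresholds are constructed for illustration."""
import ipaddress
from collections import deque


class ConnectionGate:
    """Decide what to do with a connection before any message data is read.

    Layers, cheapest first:
      1. reputation: a source inside a listed network is dropped outright;
      2. tarpit: once more than `burst` listed sources have been dropped
         within `window` seconds, each further drop is delayed one second per
         excess drop (capped at `max_tarpit`), so a botnet retrying from new
         bots pays for the flood with its own held-open sockets;
      3. greylist: an (ip, sender, recipient) triple seen for the first time
         is deferred with a temporary failure; a real MTA retries after
         `greylist_delay` seconds and is then accepted, a bot usually does not.
    """

    def __init__(self, blocklist, burst=600, window=60.0,
                 greylist_delay=300.0, max_tarpit=30.0):
        self._nets = [ipaddress.ip_network(n) for n in blocklist]
        self.burst = burst
        self.window = window
        self.greylist_delay = greylist_delay
        self.max_tarpit = max_tarpit
        self._drops = deque()   # timestamps of recent reputation drops
        self._seen = {}         # greylist triple -> time first seen

    def _listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)

    def _drops_in_window(self, now):
        while self._drops and now - self._drops[0] > self.window:
            self._drops.popleft()
        return len(self._drops)

    def decide(self, ip, sender, rcpt, now):
        """Return (action, delay_seconds); action is 'drop', 'defer' or 'accept'.

        `now` is passed in rather than read from the clock so that behaviour
        is reproducible; a real listener would pass time.time().
        """
        if self._listed(ip):
            self._drops.append(now)
            excess = self._drops_in_window(now) - self.burst
            delay = min(self.max_tarpit, float(max(0, excess)))
            return ("drop", delay)
        key = (ip, sender.lower(), rcpt.lower())
        first_seen = self._seen.setdefault(key, now)
        if now - first_seen < self.greylist_delay:
            return ("defer", 0.0)   # e.g. "451 4.7.1 try again later"
        return ("accept", 0.0)


if __name__ == "__main__":
    # Constructed traffic: a /8 of known bots hammering us, then a clean host.
    gate = ConnectionGate(["10.0.0.0/8"], burst=3)
    for i in range(5):
        print(f"10.9.8.{i}", gate.decide(f"10.9.8.{i}", "a@x.test", "b@y.test", now=float(i)))
    print("first try", gate.decide("192.0.2.10", "a@x.test", "b@y.test", now=10.0))
    print("retry    ", gate.decide("192.0.2.10", "a@x.test", "b@y.test", now=400.0))
```

The drop itself is still free for the bot, which is why the tarpit is tied to the aggregate drop rate rather than to any one source: the bot-herder's trick is precisely to never reuse a source. Greylisting is a blunt instrument and delays first contact from legitimate senders, so in practice it is applied only to sources with no positive reputation.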

This is what takes up most of our day, so a little light relief from the media is (usually) welcome.


Odd bods blogging Zlob

SophosLabs has been monitoring a group of blog spammers using various malicious SEO techniques to get their pages ranked on Google. We wrote a blog article about it at the start of the month.

Researchers at Sunbelt have also kept an eye on such activity and have written some interesting analysis regarding a recent malware push.

Are these the same attacks which we have been monitoring?

Take one of the monitor domains (B4 in the diagram below) as an illustration. The action string we are investigating is:

http://zold?????.com/search.php?gzapr=<keyword generating the page>&mzapr=<google referrer used>


Previously, the domain redirected to a page like this:


(Note that the space on the page was serving Google AdWords adverts, which is how the revenue was generated; this has now been disabled.)

(In case you are wondering about the reference to Rooney: it was the main keyword used to generate the keyword-stuffed source page, step B2, in this particular example.)

Now when visiting the same domain, we got this:


The HTML file is detected as JS/Dload-X in this particular instance of attack.

(Note that the script mentioned by Sunbelt's researchers is one particular example of the script at step B2. Such scripts include variants that are heavily obfuscated.)

In conclusion, this attack is similar to the previous one. The only element that has changed is the code on the redirecting site. Instead of redirecting to innocuous pages carrying Google AdWords adverts, or to a porn affiliate site, it takes you to a site that pushes malware (the malware is Zlob related, and detected by Sophos as Troj/Zlobar-Fam).

At the end of our last blog, we mentioned:
"Currently none of these blog-spammers seems to be hosting malicious files on their website. However, within SophosLabs we classify the relevant URLs so that they are blocked at our web appliance."

The good news is that Sophos customers are proactively protected both at the gateway, where the web appliance blocks the URLs, and at the endpoint, through the detection data in our anti-virus product.

To see how successful this attack has been, here are the popularity figures for the redirection domain (courtesy of whois.domaintools.com):

[Image: zoldxxx.JPG, domain popularity statistics]


Classical Computing

Recently a friend linked me to a rather interesting Microsoft Knowledge Base article entitled “Computer Randomly Plays Classical Music”. The basic premise behind the article is that some BIOS manufacturers are using certain well known tunes in order to alert users to possible hardware failures on their motherboard.

After the disappointment of finding out that my motherboard is not lucky enough to have this particular BIOS feature, I noted that the article mentions that these symptoms may suggest a malware infection. Luckily it goes on to explain that this is not the case, and suggests that you have your computer checked to avoid more serious hardware problems.

However, all of this raises an interesting issue. What happens when your computer does start playing music unexpectedly, and it most certainly is not the soothing tones of “It’s a Small, Small World”? The question intrigued me, so I took some time to go back over the various examples of music playing malware that we have seen over the years.

W32/Music (November 2000) - Plays the first few bars of the song “We wish you a Merry Christmas”.

Troj/Cdopen-E (November 2005) - Plays a short tune on the internal speaker before opening and closing the CD Drive…repeatedly.

Joke/Anthem-A (December 2005) - Plays the French national anthem through the internal speaker.

While none of these are particularly malicious or difficult to get rid of, they really do drive home a very simple message. If your car started to drive erratically and flash its lights randomly, you’d take it in to have it checked. The same thinking should apply to your computer. Keep your security software up to date, and make sure you investigate any strange system behaviour before it gets out of hand.


A week in Computer Security is a - very - long time

Last week I enjoyed a long weekend and consequently had to fit five days of work into four. Because of that, I didn't have time to blog about a few things we saw.

Framer

A week ago, SophosLabs saw and analysed another piece of code that injects malicious IFRAMEs into HTML and other files associated with web content. We also provided specific detection for the inserted IFRAMEs, as JS/Frame-A. The graph of detections after seven days is already quite revealing.


Along the top of the graph are the sites infected with JS/Framer-A; they range from a legal site to a church in Washington State.
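What an injected IFRAME typically looks like on a compromised page is easy to check for. The following is an added example (not Sophos code, and not how JS/Frame-A itself works): a heuristic audit that walks a page's IFRAMEs and scores the tell-tale signs of injection, namely a third-party source, near-zero dimensions, a style that hides the frame, and placement after the closing </html> tag, where mass-injection tools tend to append their payload. The sample page and the hostnames in it are constructed for the example.

```python
"""Added example, not Sophos code: a heuristic audit for IFRAMEs injected
into a web page.  The constructed sample carries a legitimate same-site
IFRAME and, appended after </html>, a 1x1 hidden IFRAME pointing at a
third-party host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _IframeCollector(HTMLParser):
    """Record every <iframe> start tag with its attributes and line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            line, _col = self.getpos()
            self.iframes.append(({k.lower(): (v or "") for k, v in attrs}, line))


def _pixels(value):
    """'1', '1px' or ' 0 ' -> 1 / 1 / 0; anything without digits -> None."""
    m = re.search(r"\d+", value or "")
    return int(m.group()) if m else None


def audit_iframes(page_html, page_host):
    """Return the IFRAMEs that look injected, each with the indicators hit.

    Indicators score 1 each, except an IFRAME placed after the closing </html>
    tag, which scores 2 because no page author writes one there.  A lone
    third-party IFRAME (an embedded video, say) scores 1 and is not reported.
    """
    collector = _IframeCollector()
    collector.feed(page_html)
    collector.close()

    end = re.search(r"</html\s*>", page_html, re.I)
    html_end_line = page_html.count("\n", 0, end.start()) + 1 if end else None

    findings = []
    for attrs, line in collector.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host.lower():
            reasons.append("third-party src " + host)
        width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        if (width is not None and width <= 2) or (height is not None and height <= 2):
            reasons.append("near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        score = len(reasons)
        if html_end_line is not None and line > html_end_line:
            reasons.append("after </html>")
            score += 2
        if score >= 2:
            findings.append({"line": line, "src": src, "reasons": reasons})
    return findings


# Constructed sample page, as an injection tool leaves it behind.
SAMPLE_PAGE = """<html><head><title>Parish news</title></head>
<body>
<p>Welcome to our site.</p>
<iframe src="http://www.example.org/calendar.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://evil.invalid/in.cgi?3" width=1 height=1 style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_PAGE, "www.example.org"):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Scoring rather than a single hard rule matters here: a page may legitimately embed a third-party frame, and a zero-height frame is a common layout trick, but the combination of a hidden 1x1 third-party frame after the end of the document is the injection signature and nothing else. The audit is for page owners checking their own content; it does not replace scanning what the frame downloads.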

Laoairlines

Also last week, my colleagues in SophosLabs Australia encountered an infected airline site. We got some press about this (see 1, 2). Unfortunately, because of the way this attack was crafted, the system cannot generate a graph for it.

At the time of writing the site is still infected with Troj/Unsc-A, so I wouldn't advise visiting it. Suffice to say, we have updated our protection to detect what is downloaded from this site.

Gameige

When I saw Trend's piece on Gameige, I thought it best to preempt any questions and do some research. Lo and behold, our automated website analysis system had generated some useful information on this attack.
[Image: Gameige detection graph]
The graph shows that Gameige has been hit by two distinct attacks, which between them have affected several thousand websites. World of Warcraft sites like Gameige are generally set up and run by hobbyists who have little or no idea about computer security. The business case for allowing users access to such sites should take this into account.

What do Tesco, John Lewis, iPhones, Los Angeles and Holland have in common?

The first three were all targeted by an Angeleno whose spam websites were hosted in Holland.

[Image: Tesco spam sample]

Spam is normally US-centric, and it is rare that we see UK-based companies targeted like this. The classic giveaway that this is spam is the bon mot at the end. Over this campaign the URLs, targets and bon mots all changed in a recognisable way.

A week in SophosLabs is rarely as varied and noteworthy as last week's, but with malware and spam changing so quickly, weeks are likely to remain this busy.


Lost child benefit CDs: Have they looked down the back of the sofa?

It's appalling. The loss of millions of people's personal information by HMRC shakes to its foundations the trust that people need to have in government organisations. Worryingly, new research conducted by Sophos has found that 58% of those polled believe the Government's data loss was "inevitable". Yes, we know that to err is human, but to really screw things up it seems you need a Government department.

This isn't just incompetence on a grand scale: for any individual whose details are misused it could be financially crippling. If criminals get their claws on your personal information they could open bank accounts, loans and credit cards in your name, ruin your credit rating, and generally inflict as much financial damage as they can, in as short a time as possible.

It seems it’s a case of “Carry on HMRC”, with this just being the latest incident of data on British citizens potentially falling into the wrong hands. In September, a laptop containing personal information on thousands of investors was stolen from the car boot of an HMRC official. Last month, in a separate incident, a courier being used by HMRC lost a CD containing details of 15,000 Standard Life customers.

There have been bigger breaches of data confidentiality in the past of course, but they have involved private firms rather than a national government. The sight of Chancellor of the Exchequer Alistair Darling standing up in the Commons to explain their data disaster will have brought home the risks of identity theft to people up and down Great Britain.

The sad fact of the matter is that no-one knows where the missing CDs are. They could be in the hands of organized criminal gangs, an opportunistic thief who doesn’t understand their worth, or down the back of Alistair Darling’s ministerial sofa.

If you're worried you may be the victim of identity theft, look for the symptoms. If you've stopped receiving bills or other mail, an identity thief may have substituted a different address for your own. Started receiving credit cards you didn't apply for? Do your bank statements include withdrawals, payments and transfers that you can't explain? Receiving calls from debt collectors and companies about items you did not purchase? These are all signs that a criminal may have successfully stolen your identity.

What's obvious is that it's high time the UK Government put proper data-breach notification laws in place. At the moment British organisations are not compelled to inform customers who may have been affected by a data breach. If they like, they can keep schtum, keep their fingers crossed that no-one finds out the data was lost, and hope that criminals don't exploit the mislaid information.

Without rapid notification of data breaches there will always be rumors that governments are deliberately trying to keep news of an incident out of the papers while they continue a frantic hunt for their lost data under the ministerial settee.


Britney again, how boring!

Britney Spears has long been a favourite of malware authors: as early as February 2002 she attracted their unwanted attention. Since then there has been an endless stream of spam and malware offering pictures of the troubled pop star in various states of undress.

This weekend was no exception, with the latest Pushdo offering a "New Britney naked video" and asking you to 'Check zip file in attachment'.

Does anyone fall for this? Judging from the number of times the same theme is used, the answer is probably "Yes". This latest Britney-themed malware was detected proactively as Troj/Pushdo-Gen.


It only takes one infected machine for malware to be a nuisance

Today we detected, via our monitoring stations, a small number of emails generated by the mass-mailing worm W32/Forbot-FG. This worm was first detected in 2005 and is pretty much your typical bot, with backdoor Trojan functionality and the ability to spread either by exploiting network vulnerabilities or by mass-mailing.

However, this case highlights the fact that old malware will always have a life and remain an Internet nuisance, even with just a single computer infected. It also highlights that security software is not just for today's, or this month's, crop of malware: it must continue to guard against threats going back years, and every day that number just continues to grow.


Unubot’s new clothes, pretty?

Robert, one of my esteemed colleagues (and a lucky one: he is off on a week-long holiday while I am working the weekend), has spotted a recent increase in unpacked IRC bots in the wild.

A lot of malicious executables rely on a packer to disguise themselves. As a side-effect, packing is itself suspicious to trained eyes, since packed files look quite different from normal clean executables.

There has been a school of thought that the best way to avoid detection by AV vendors is to leave the malicious executable unpacked, so as not to arouse suspicion. However, leaving the file unpacked leaves its functionality naked. Many people would run strings on an executable before running it, and IRC bots in particular contain a lot of easily identifiable strings for their various commands.

So be mysteriously suspicious or honestly malicious.

What did W32/Unubot come up with in this case? Let's have a look at the structure of the file.

[Image: unubot-entro.GIF, entropy plot of the file]

The blue line represents the entropy of the data (on a 0 to 1 scale): code generally sits around 0.8, while packed or encrypted data has much higher entropy. As the diagram shows, the file is not packed, apart from some compressed data appended to the end. That would be equally true of many clean self-extracting archives.
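The entropy profile in the plot is simple to reproduce. The following is an added example (not Sophos code, and not the tool that drew the plot): a windowed Shannon entropy scan that reports where a file's tail turns into an unbroken run of high-entropy data, which is exactly the appended blob that marks both a self-extractor and, as here, an encrypted second-stage executable. The sample file is constructed: 8 KiB of "code-like" bytes drawn from only 64 values, followed by 4 KiB of random bytes standing in for the encrypted overlay; the window size and the 0.85 threshold are choices for the example.

```python
"""Added example, not Sophos code: a windowed entropy scan that finds the
high-entropy overlay appended to an otherwise unpacked executable.  The
sample bytes are constructed; the window and threshold are assumptions."""
import math
import random


def shannon_entropy(chunk):
    """Entropy in bits per byte (0..8) of a byte string."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data, window=1024):
    """Normalised (0..1) entropy of each consecutive `window`-byte slice."""
    return [shannon_entropy(data[i:i + window]) / 8.0
            for i in range(0, len(data), window)]


def high_entropy_tail(data, window=1024, threshold=0.85):
    """Offset where an unbroken run of high-entropy windows reaches EOF, or None.

    An unpacked executable whose final windows all sit above the threshold is
    carrying an appended blob: a self-extractor's archive, a resource, or (as
    with W32/Unubot) an encrypted second-stage executable.
    """
    profile = entropy_profile(data, window)
    start = len(profile)
    while start > 0 and profile[start - 1] >= threshold:
        start -= 1
    return None if start == len(profile) else start * window


def has_pe_magic(data, offset):
    """True if the blob at `offset` starts with a plain 'MZ' header.
    Unubot encrypts those two bytes, so for its overlay this is False."""
    return data[offset:offset + 2] == b"MZ"


def build_sample(seed=7):
    """Constructed stand-in for the file: skewed 'code' bytes + random overlay."""
    rng = random.Random(seed)
    code = bytes(rng.choice(range(0, 256, 4)) for _ in range(8192))
    overlay = bytes(rng.getrandbits(8) for _ in range(4096))
    return code + overlay


if __name__ == "__main__":
    sample = build_sample()
    for i, e in enumerate(entropy_profile(sample)):
        print(f"{i * 1024:6d}: {'#' * int(e * 40):40s} {e:.2f}")
    start = high_entropy_tail(sample)
    print("high-entropy tail starts at", start, "plain MZ:", has_pe_magic(sample, start))
```

On a real PE the overlay offset can also be cross-checked against the end of the last section header, and a tail that is high-entropy but does not begin with MZ (or a known archive signature) is the case worth a closer look, since a clean self-extractor's appended archive will carry a recognisable header.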

Looking at the strings in the file, it contains only a few library strings.

[Image: unubot-strings.gif, strings output]

Analysing the code, which is easy since it is not obfuscated in any way, we found the following:

  1. It creates a process of itself in suspended mode (so it is loaded into memory but does not run).
  2. It then unmaps the image of this suspended copy of itself (using ZwUnmapViewOfSection).
  3. Remember the high-entropy data appended to the end of the file? It is a painstakingly encrypted executable. Most Windows executables start with the magic word 'MZ'; in this case the magic bytes are encrypted with one key, the first 0xe0 bytes of the header with a different key, and the rest of the file with further keys.
  4. It then writes the decrypted executable into the suspended process.
  5. Next it fixes up the thread context of the suspended process so that the new image executes properly.
  6. Finally it resumes the suspended thread.

As a result, you have an unpacked file that runs a packed IRC bot, without ever writing a packed executable to disk. The technique is quite well known: it was coined "Nebbett's Shuttle" in Nick Harbour's Black Hat 2007 talk, "Stealth Secrets of Malware Ninjas".

So, how good is this stealthy ninja?

  1. The unpacked loader demonstrates various memory-injection techniques, which is quite suspicious in itself; it is flagged by our Behavioral Genotype detection.
  2. By leaving itself unpacked, it sacrifices any protection against analysis. A skilled reverse engineer would have no problem understanding what it does.
  3. In the course of its process injection, registry modification and so on, it violated at least three of Sophos's behaviour-protection rules, so Sophos HIPS detection, if turned on, will detect and block it even if the user has turned off on-access scanning.
  4. Last of all, the packed IRC bot was in fact only packed with UPX, so all of the bot's strings are viewable at runtime with tools such as Process Explorer.

[Image: procexp.GIF, Process Explorer strings view of the running bot]

So W32/Unubot's new cloak of invisibility may not conceal as much as it thought.

Interestingly, though, only 3 of the 32 vendors on VirusTotal detect the sample as I write this.

[Image: unubottotal.gif, VirusTotal results]


Play and let me rule your system

Today SophosLabs saw another worm that attempts to spread by copying itself to removable storage devices, creating an autorun.inf file so that it runs when the device is connected to a computer. The worm, detected as W32/Autorun-L, also does its best to make itself difficult to remove from an infected system.

Plenty of previous malware has disabled antivirus and system tools, but not quite in the same, almost playful, way as W32/Autorun-L. In addition to terminating security-related processes, it 'redirects' the execution of regedit.exe and taskmgr.exe to games on the host machine by setting the Debugger value under the following Image File Execution Options keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger = %windir%\system32\sol.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger = %windir%\system32\spider.exe

Once these values are in place, whenever the user tries to start Regedit or Task Manager, sol.exe or spider.exe is run instead (Windows launches the registered "debugger" and hands it the original program's command line, which Solitaire simply ignores). How kind of the worm to invite the system administrator to play and forget about the infection!
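Because the Debugger value is a legitimate Windows feature, the check is not "is there an IFEO entry" but "does the registered debugger look like a debugger". The following is an added example (not Sophos code) that audits a Registry export (.reg) for Image File Execution Options Debugger values pointing at anything outside a small allowlist of real debuggers, which catches the sol.exe and spider.exe hijacks above. The allowlist is an assumption, and the sample export is constructed: the taskmgr.exe value is written as REG_EXPAND_SZ (hex(2)) to show that encoding being decoded too, and the iexplore.exe key carries an unrelated IFEO value to show that only Debugger is examined.

```python
"""Added example, not Sophos code: audit a Registry export (.reg) for Image
File Execution Options "Debugger" values that hand a program over to
something other than a debugger, as W32/Autorun-L does with regedit.exe and
taskmgr.exe.  The allowlist and the sample export are constructed."""
import re

IFEO_MARKER = "\\image file execution options\\"
# Assumed allowlist: debuggers an administrator might legitimately register.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}


def _logical_lines(reg_text):
    """Join .reg continuation lines (ending in a lone backslash) into one."""
    lines, pending = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def _decode_string_value(rhs):
    """Right-hand side of "Name"=... as text; None for non-string types."""
    rhs = rhs.strip()
    if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")   # REG_SZ
    if rhs.lower().startswith("hex(2):"):                            # REG_EXPAND_SZ
        raw = bytes(int(h, 16) for h in rhs[7:].split(",") if h.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return None


def audit_ifeo(reg_text):
    """Return (image, debugger, suspicious) for every IFEO Debugger value."""
    results = []
    key = None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"debugger"=(.*)$', line, re.I)
        if not m or key is None or IFEO_MARKER not in key.lower():
            continue
        debugger = _decode_string_value(m.group(1))
        if not debugger:
            continue
        image = key.rsplit("\\", 1)[-1].lower()
        # Windows runs the Debugger string with the original command line
        # appended, so the first token of its last path component is the exe.
        exe = debugger.rsplit("\\", 1)[-1].split()[0].strip('"').lower()
        if not exe.endswith(".exe"):
            exe += ".exe"
        results.append((image, debugger, exe not in KNOWN_DEBUGGERS))
    return results


# Constructed export, in the format regedit /e produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="%windir%\\system32\\sol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,70,00,69,00,64,00,65,00,72,00,2e,\
  00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myservice.exe]
"Debugger"="C:\\Debuggers\\windbg.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000001
"""

if __name__ == "__main__":
    for image, debugger, suspicious in audit_ifeo(SAMPLE_REG):
        print(f"{'SUSPICIOUS' if suspicious else 'ok':10s} {image} -> {debugger}")
```

On a live machine the same check reads the key directly rather than an export, but working from an export means it can be run offline against a collection taken during incident response, and the allowlist should be tuned to the debuggers actually deployed in the environment rather than the illustrative set here.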

Sophos customers were of course protected against this worm before the W32/AutoRun-L identity was published: those using the HIPS Suspicious Behavior Detection technology will have been protected from this threat even before our analysis.


Identity theft

News earlier this week that the British Government has managed to 'lose' the details of 25 million individuals has raised awareness of data leakage and identity theft. If the information were to fall into the wrong hands it could have significant implications for a large proportion of the UK population (although it's currently thought that the disks in question are still lost somewhere in the internal post of Her Majesty's Revenue and Customs).

Whilst I wouldn't want to underestimate the seriousness of this blunder, let's put it into context. The huge growth in connectivity in the UK and the rest of the world, and the consequent increase in compromised machines, is at least as big a concern for me. The fact that a 21-month-old piece of malware still accounts for a significant proportion of the malware seen on our spam traps, together with the continuing growth in spam volumes, shows that we still have a long way to go in protecting users from online identity theft.

Even if those 25 million details did fall into the wrong hands, that is an awful lot of data to sift through to find the best identity to take over. A few thousand infected machines that collate personal details, including bank balances, make the selection (and therefore the value) a lot easier.

I was at a recent seminar on fraud organised by Experian, which included an on-stage interview with a former fraudster that proved a real insight. Having just moved house, I realised how easy it could be for someone to register for a credit card in my name if an 'invitation' was sent to my old address.

For consumers in Britain, or anywhere else for that matter, there is a host of precautions that should be taken to minimise the risk of identity theft (shredding personal documents, ensuring mail is forwarded when moving, notifying organisations of a change of address, and so on). There is a wealth of advice for the consumer out there, including GetSafeOnline.org, CIFAS and others (the Home Office has a good document here).

So whilst data-leakage events like this are deeply concerning, and embarrassing to the organisation responsible, they are very much out of the control of the individual. There is, however, a host of things the individual can do to avoid becoming a victim, not least of which is to ensure their home computer is secured.