Sophos

Archive for January, 2008

Side of spam with your Dorf?

As we’ve blogged about previously, the constant flood of Dorf spam is currently taking advantage of Valentine’s Day, which is quickly approaching. An interesting twist observed by SophosLabs this week is that the same IP addresses used in the spam messages to host the Dorf malware (also known as Storm) are also being used to redirect to websites selling penis enlargement pills.

Here are two message samples, the first linking to the Valentine’s Day Dorf malware, the second redirecting to a penis enlargement website, though both use the same IP address:

Sample Dorf
Sample PE

While we have seen examples of the same machines hosting both malware and spam many times before, this is the first time we have seen the machines hosting the Dorf malware (part of the Storm botnet) also being used to host/redirect to spam websites. It’s just yet another example of how close the ties between malware and spam really are.

I wonder if it is just a coincidence that they decided to spam out penis enlargement products at the same time they are pushing Dorf malware making use of the holiday most associated with romance. The penis enlargement website suggests that it will take 4-6 months to see the full effects of their product so those planning on using this to spice up this year’s Valentine’s day are likely to be out of luck.


Testing of security software improves again

Past posts about testing anti-virus products have shown how simple detection tests do not always paint the complete picture. A recent test by AV-Test.org has shown that there is more to testing than just raw detection numbers. The full details about the test can be found at Sunbelt’s excellent blog so I won’t repeat them here. In the article it is explained how the tests were conducted and the subsequent results achieved.

Two PDFs are available with the breakdown of all the companies chosen to participate.

The first PDF shows the overall results for 5 different categories tested. The categories are:

  • detection rate
  • false positives
  • proactive detection
  • response time
  • rootkit detection.

The scoring system uses ++, +, 0, -, -- to go from best to worst.

Sophos is one of only five companies (28 were tested in total) to score ++ or + in all the categories.

In these new tests the highlight for Sophos is our proactive detection which gets the best rating available and beats offerings from Kaspersky, McAfee, Symantec and Trend Micro. The guys in the labs and development have put a lot of effort into the design of behavioral genotypes and the HIPS capabilities of the products and this test reflects just how worthwhile that effort has been.

The other categories show Sophos to have:

  • a detection rate of just under 98% over more than 1 million files - full detection rates are available in the second PDF.
  • just one false positive in 65,000 files
  • response times of between 2 and 4 hours
  • just 1 miss in the rootkit detection test.

This type of testing better reflects the needs of customers when making informed decisions about which product to buy. I believe you can expect to see much more of these types of tests in the future.


Naked Girls With Guns…..

Curiosity killed the cat…. and sometimes it infected many users’ systems.

Others, like you, who were intrigued by a similar headline downloaded and opened what they thought was just a PowerPoint presentation containing several pictures of scantily-clad US soldiers.

A girl with a gun…

Unfortunately those users probably infected their systems. What’s worse is that this presentation came bundled with not just 1, but 6 different pieces of malware.

(Troj/Dropper-TK, Troj/Bckdr-QLM, Troj/Dropper-TL, Troj/Bckdr-QLN, Troj/Dropper-TM & Troj/Bckdr-QLO)

This is nothing new - most users these days know not to download and run files from untrusted sources. But as long as the old tricks still work, the bad guys will keep using them…..

This particular bundle of malware didn’t get onto users systems by exploiting the latest vulnerability, but rather by leveraging the weakest security component present on all systems. The connection between the chair and the keyboard.

You’ve heard it before and you’ll hear it again; most users could have avoided this by adhering to Sophos’s best practices.

In the meantime - what are you doing clicking on links like this at work?


Make Viruz, On Demand - Hacking 101

If you thought that writing malicious programs could not get any easier thanks to readily available online kits, think again… This viruz maker I came across today creates customized batch files with a variety of different functionality, ranging from displaying a particular message to deleting and formatting drives. We tried some of the functionality and it does mean business!

v_make.jpg

Interestingly some text in its interface seems to suggest that the targeted market is chat program users and social networking site members. Another not-to-miss is the copyright information ;-)

This viruz maker kit is detected as Troj/Agent-GOF.


20 hippos trying to get through a revolving door

Distributed Denial of Service (DDoS) attacks have been hitting the headlines more than normal in the last week following a number of high profile news stories.

For those who don’t know, a DDoS attack is when compromised zombie computers around the world are instructed by a hacker (known as the botmaster) to flood a website with traffic. The website can become so swamped with traffic from computers based around the globe that it can be slowed down considerably, or even made utterly inaccessible by the outside world. 

If it makes it easier to picture it, think of 20 hippos trying to get through a revolving door - the whole thing gets clogged up, and no-one is able to get in or out.
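To make the description concrete, here is an added example (not part of the original post) of the simplest detection a web server operator can run over access logs: bucket requests into short windows and flag a window only when both the request count and the number of distinct source addresses are high, which is what separates a distributed flood from a single misbehaving client. The log format, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "common" access-log line, e.g.
#   203.0.113.7 - - [28/Jan/2008:10:15:01 +0000] "GET / HTTP/1.1" 200 512
# The regex is a simplification for this example (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line):
    """Return (epoch_seconds, source_ip, request) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m.group("ip"), m.group("req")


def detect_flood(lines, window_seconds=10, max_requests=50, min_sources=20):
    """Bucket requests into fixed windows and flag windows that exceed BOTH the
    request threshold and the distinct-source threshold. One chatty client can
    trip the first; only many sources at once (zombies) trip the second."""
    requests = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        epoch, ip, _ = parsed
        bucket = epoch - (epoch % window_seconds)
        requests[bucket] += 1
        sources[bucket].add(ip)
    flagged = []
    for bucket in sorted(requests):
        if requests[bucket] > max_requests and len(sources[bucket]) >= min_sources:
            flagged.append({
                "window_start": bucket,
                "requests": requests[bucket],
                "distinct_sources": len(sources[bucket]),
            })
    return flagged


def build_sample_log():
    """Constructed sample: a quiet minute, then a 10-second burst from 30 hosts."""
    lines = []
    # quiet traffic: one request every 5 seconds from two clients
    for i in range(12):
        ip = "198.51.100.10" if i % 2 else "198.51.100.11"
        lines.append(f'{ip} - - [28/Jan/2008:10:15:{i * 5:02d} +0000] "GET / HTTP/1.1" 200 512')
    # flood: 30 zombies, 3 requests each, all inside 10:16:00-10:16:09
    for z in range(30):
        for r in range(3):
            sec = (z + r) % 10
            lines.append(f'203.0.113.{z + 1} - - [28/Jan/2008:10:16:{sec:02d} +0000] "GET / HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for hit in detect_flood(build_sample_log()):
        print(hit)
```

The thresholds here are placeholders; in practice they come from a baseline of the site’s normal traffic, and a flood that saturates the link or the TCP stack (a SYN flood, for instance) never reaches the web server log at all, so this kind of check complements rather than replaces network-level monitoring.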

DDoS attacks are frequently used for blackmail.  We have reported in the past on some of the Russian hackers who have been sentenced for blackmailing British gambling websites and online gift retailers who have been struck in the run-up to Christmas.   

What is becoming clear, however, is that money is not the only motivation for some hackers to launch DDoS attacks against websites.

Last week, for example, it was announced that an Estonian court had fined 20-year-old Dmitri Galushkevich for a denial-of-service attack that hit the website of Estonia’s ruling political party.  The hacker’s punishment was interesting, because at the time of the attacks in April 2007, the Estonian Minister of Defense had accused the Russian government of sponsoring the attacks against it, and even called on NATO to recognize the incident as “military action”.  As we discussed in the Sophos Security Threat Report 2008, no proof was ever put forward showing that the Kremlin was involved.

Meanwhile, the controversial Church of Scientology has been forced to defend its websites from a DDoS attack. The anonymous group of hackers behind the attacks even went so far as to rally support for their attacks on the Scientology organization by posting YouTube videos calling on others to participate in the disruption.  Even if you strongly disagree with an organization’s activities it seems fundamentally wrong to take the law into your own hands, and engage in criminal activity against them.  In a development that further damaged the hackers’ arguments it was  reported that a Dutch school website was accidentally affected by their attack on the CoS. 

Whatever the motivation for the DDoS attack, you can imagine that the damage done to a business by having its website blasted off the net can be considerable, and we have seen some cases where companies have offered substantial rewards for information leading to the conviction of those responsible for an attack.

Most DDoS attacks are happening because home users have not properly secured their PCs against hackers - but it is possible for corporate computers to be compromised too.  A reliable anti-virus, firewalls, and up-to-date patches can all help better secure your computer from becoming a part of the zombie problem. 


The Dorf Calendar

The Dorf spammers are still suffering from ACS, what with the rather premature Valentine’s Day campaign. Perhaps they are attempting to emulate the millions of ridiculously early marketing campaigns attempting to entice us into spending our cash on trinkets for our “loved ones”.

Despite the Dorf spammers’ temporal incompetence we can spot a general pattern for the themes of their campaigns over the past few months. The themes reflect major events in the annual calendar, especially for the Western world:

  • October/November 2007 - Halloween
  • December 2007 - Christmas and New Year
  • January 2008 - Valentine’s

Let us attempt to predict the campaigns over the next few months, if possible:

  • February 2008 - More Valentine’s
  • February/March 2008 - Easter? What will come first, the bunny or the egg?
  • March 2008 - St. Patrick’s Day? Mother’s Day in the UK?
  • April 2008 - Preparation for Mother’s Day in the US?
  • May 2008 - How about May/Labour Day? ;-)
  • June 2008 - Euro 2008 football (or “soccer”) championships? I think not.
  • July 2008 - US Independence Day?
  • August 2008 - Beijing Olympics?
  • September 2008 - ?
  • October 2008 - Halloween
  • November 2008 - Thanksgiving
  • December 2008 - Christmas/New Year

We may even consider giving odds on the above, assuming that the Dorf spammers last a whole new year. Who knows, they may tire of being thwarted on a regular basis or just retire to a beach somewhere with their millions.

    Our advice is to make sure you are vigilant enough to ensure that you do not get caught out. Of course, we shall do our bit by stopping the campaigns on both the spam and malware sides. The latest variant of the Dorf family is detected as Mal/Dorf-K.


    Sophos Security Threat Report 2008 discussed online

    Earlier this week, we published the Sophos Security Threat Report 2008, looking at some of the key events in the field of computer security that we’ve seen over the past 12 months and making some predictions about the future.

    The report has ruffled a few feathers online, with debates firing off on sites like Slashdot and The Register around the number of infected webpages we see hosting malware (In 2007, we saw around 6000 new infected pages each day - that’s a mind-boggling one every 14 seconds).

    One of the most interesting developments in 2007 was the arrival of financially-motivated malware for the Macintosh.  This is important because it has been money that has been driving the huge growth of Windows-based malware in recent years.  If the bad guys are now investigating doing something similar on Apple Macs, that could mean more attacks on a platform that many home users have hardly bothered defending in the past.  Of course, any debate of Apple Macintosh security is bound to bring a variety of different opinions out of the woodwork - you’ll see conflicting views in the comments posted on this story on The Register, for example.

    The report isn’t all about Apple Macs and web-based attacks, of course.  We also examine the top malware threats assaulting businesses today, the impact that the Storm worm continues to have on the internet, the mysterious topic of government-sponsored cyberwarfare, the issues surrounding data leakage and how increased adoption of Wi-Fi devices like the iPhone, iPod Touch and Asus Eee might influence the threat landscape in the future.

    Feel free to enter the debates on the Slashdot and Register websites - it’s always healthy to have a hearty discussion of the security landscape, and hopefully it will mean a few people will take security more seriously in 2008!


    Abuse of social bookmarking sites

    A few weeks ago I was chatting with a colleague about the ways in which social bookmarking sites are abused. Over the past few years there has been growth in both the number of such services available, and their usage. The fact is that Web traffic is money nowadays. Common ways of guiding that traffic are:

    • SEO techniques: packing a site with keywords in order to rank highly in search engine results (see previous blog posts [1,2])
    • Compromising sites: modifying the content of other legitimate pages such that the desired content is silently loaded. (Most commonly used for delivering malware [3].)
    • Spam: sending spam email messages containing a URL link, or posting the URL as comment spam to other online services (blogs, forums etc).
    • Malware: once malicious code is running on a victim machine there are numerous ways in which web content can be directly or indirectly loaded (including DNS owning, as with recent Zlobs [4]).

    This is where social bookmarking sites fit in. The web is a big place and time is increasingly short - services that collate, prioritize and present a digest of articles (the core role of a social bookmarking site) help us to sort the wheat from the chaff. The main advantage of such services is that it is us, the humans, that have control. How?

    rateic.png

    We have the ability to rate articles and affect their position within the digest provided from that service. In an ‘honest’ system, content that is popular and highly rated will float to the top, uninteresting poorly rated content will rarely waste your time.

    But it is not an honest world. Such systems are easily abused by the unscrupulous out there. I am sure many of the services make attempts to prevent the abuse, but it is non-trivial.

    How about creation of the target site? Easy. Simply use a free domain registration service or more easily one of the online blogging services, and you can have a site running in minutes. Add your content (be it advertising, malicious or whatever) and you are away.

    Whilst writing this blog post I have been monitoring the submissions to one such bookmarking service in the hope of finding an example case. Did not have to watch for long!

    bbs.png

    Clicking on any of the links takes you to a meds site (via a redirect):

    bbs2.png

    Our friend ‘missqimmat’ has been a busy blogger. Here are some of his other blog titles:

    • butt cleavage
    • brooke burke playboy
    • board imdb message
    • cause global warming
    • brooke burke pics
    • brooke burke hot
    • awareness2007 global warming
    • database imdb internet movie
    • hero imdb
    • cleavage hot
    • cleavage toe
    • brooke burke nude
    • al global gore warming
    • article global warming
    • effects global warming
    • imdb movie
    • cleavage sexy
    • cleavage teen
    • brooke burke naked
    • cleavage leg
    • bikini imdb summer
    • fact global warming
    • comment imdb user

    Clearly not alone either. Take a look at one of his comrades ‘kechquruuna’. An equally attractive range of titles:

    • tattoo tiger
    • lily tiger
    • tornado foosball
    • tornado fuel saver
    • conference irwin news terri
    • tornado form
    • irwin king larry terri
    • irwin jay leno terri video
    • tornado siren
    • auburn tiger
    • tiger wife wood
    • tornado season
    • lsu tiger
    • tiger tyson
    • tornado information

    Each of which provides a list of enticing links that take you to a meds site (via the same redirect site).

    So, this is just one example of how the combination of some of the great online services we know and love present the bad guys with even more tools to clobber us. From research thus far, the bulk of the abuse I see is ’spammy’ (porn, meds) and traffic (ad revenue) focussed, not for the installation of malware. But I predict that will change, in the not too distant future.


    Best (not to) Buy infected picture frames

    We had a couple of queries about the interesting story published yesterday by MSNBC.

    It seems that many people, while purchasing digital picture frames as Christmas presents for their friends and family, received more than they were hoping for. The stock of electronic retailer Best Buy allegedly contained a significant number of Insignia’s digital photo frames (model number NS-DPF10A) infected by a virus. The virus attempted to infect users’ computers when the frame was connected to the computer to transfer digital photographs.

    insignia.gif 

    Insignia has confirmed that some of the frames did indeed contain a virus. At the moment, it is not known to us which virus infected the frames, but we will try to get a sample and make sure we detect it. Since not all frames contain the virus, we will not be able to simply buy a frame, as was the case with some previous malware (for example, Sony’s DRM rootkit).

    Most digital photo frames have a USB interface which allows them to appear as removable drives in Windows and to store data, similar to any other USB removable media. In the past we have written about viruses affecting USB media, and this digital photo frame infection is not much different.

    We can ask ourselves how the virus infected the frames in the first place, but the answer will be just a guess. Today, most of these electronic devices are manufactured in China for bigger vendors and quality control may not always be sufficient. From the report, it seems that this was an older virus already detected by reputable anti-virus software for some time, which implies that some of the manufacturer’s device testing systems were not protected and got infected when infected USB media was used. The testing system subsequently kept infecting frames as they were connected to the infected computer for testing of their functionality.

    As always with this type of threat, the virus will not be able to launch itself from the frame if you disable the Windows Autorun feature. The infected files remain on the device, though, so they still need to be detected and removed rather than simply left dormant.
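As an added illustration (not code from the story, from Insignia or from Sophos), the following Python reads the body of an autorun.inf, the file a USB-spreading virus drops in the root of a removable volume so that Windows launches it, and flags the directives that would run code or trick the user into running it. The key names are the documented autorun.inf ones; the two sample file contents are constructed for the example and are not taken from the frames in the story.

```python
import re

# Keys in the [autorun] section that make Windows run something when the volume
# is inserted or opened, plus the shell\<verb>\command form that hijacks
# Explorer's Open/Explore menu entries.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)(\s|$|\")", re.I)
HIDDEN_DIR_RE = re.compile(r"(recycler|recycled|\$recycle\.bin|system volume information)", re.I)


def parse_autorun_inf(text):
    """Tolerant INI parse returning {section: {key: value}} with lower-cased names.
    autorun.inf files written by malware often carry junk lines and odd casing,
    so anything that is neither a section header nor key=value is skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return [(key, value, reason)] for each directive that would run code or
    that mimics Windows' own AutoPlay choice. An empty list means nothing flagged."""
    findings = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            reasons = ["launch directive"]
            if EXECUTABLE_RE.search(value):
                reasons.append("runs an executable")
            if HIDDEN_DIR_RE.search(value):
                reasons.append("target lives in a folder Explorer normally hides")
            findings.append((key, value, "; ".join(reasons)))
    # Social-engineering trick: label the malicious AutoPlay entry like the
    # built-in "Open folder to view files" choice so the user picks it.
    action = autorun.get("action", "")
    if "open folder" in action.lower():
        findings.append(("action", action, "impersonates the built-in Explorer entry"))
    return findings


# Constructed samples (assumption: representative, not real frame contents).
BENIGN_SAMPLE = """[autorun]
icon=frame.ico
label=Digital Photo Frame
"""

MALICIOUS_SAMPLE = """[AutoRun]
;;kq9x padding line of the kind worm-written files contain
OPEN=RECYCLER\\S-1-5-21-1-2-3-1000\\photo.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1-2-3-1000\\photo.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1-2-3-1000\\photo.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name)
        for key, value, reason in assess_autorun(sample):
            print(f"  {key} = {value}  ->  {reason}")
```

On a real removable volume the text passed to assess_autorun would be read from autorun.inf in the drive’s root; a benign device such as a photo frame has no reason to carry anything beyond icon and label entries, so any launch directive on one is worth a closer look.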


    New generation of Commwarrior - say NO to beauty, sex and love

    Just to prove it is not about to retire any time soon, another Commwarrior variant for mobile phones has struck. In fact, two new variants have been received (detection for which has been added as Symb/Beselo-A and Symb/Beselo-B), both of which are reported to be in the wild [1].

    Like previous members of the Commwarrior family, these new Beselo variants use Bluetooth and MMS functionality for spreading. Initial analysis also suggests the worm attempts to copy itself to flash memory cards inserted into the device. The worms run on Symbian S60-enabled devices (including Nokia 6600, 6630, 6680, 7610, N70 and N72 phones).

    A slight twist in these variants is the use of misleading file extensions - Beselo sends itself out as a SIS file in messages using file extensions such as .jpg, .mp3 and .rm. Despite the fact that the Symbian OS correctly identifies the file type by its content (therefore alerting the user with an installation prompt), some users have clearly been fooled by the use of harmless-looking file extensions.

    Once installed, Beselo creates the following files:

    • c:\system\data\[random_chars].exe
    • c:\system\data\[random_chars].dat
    • c:\system\data\[random_chars].ini

    Beselo sends itself to numbers obtained from the device phone book, and also to numbers it generates itself. Sent MMS messages have the following characteristics:

    • Message body: Photo
    • Attachment: one of the following
      • beauty.jpg
      • sex.mp3
      • love.rm

    Beselo also attempts to send itself via Bluetooth using the same filenames to phones within range.
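Content-based type identification, which the text credits Symbian with doing, as an added example (not Sophos or Symbian code): classify each attachment by its leading bytes and compare that against what the extension claims, using the three filenames listed above. The magic numbers are the standard JPEG, ID3/MPEG-audio and RealMedia headers; the “installer” bytes are an arbitrary constructed blob, not real Beselo content, and the checker deliberately does not special-case SIS so that any content that is not what the extension says gets flagged.

```python
import os

# What each claimed extension should contain. SIS is intentionally absent: the
# point is "is this really a JPEG/MP3/RM?", not "is this a SIS?".
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".mp3": "mp3", ".rm": "realmedia"}


def detect_type(data):
    """Identify the container from its leading bytes, ignoring the filename."""
    if data[:3] == b"\xff\xd8\xff":          # JPEG SOI marker
        return "jpeg"
    if data[:3] == b"ID3":                   # MP3 with an ID3v2 tag
        return "mp3"
    # Raw MPEG audio frame: 11-bit sync word (0xFF then top three bits set).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    if data[:4] == b".RMF":                  # RealMedia file header
        return "realmedia"
    return "unknown"


def check_attachment(filename, data):
    """Return (verdict, claimed_type, actual_type). verdict is 'match',
    'mismatch', or 'unchecked' when the extension is not one this checker knows."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_TYPE.get(ext)
    actual = detect_type(data)
    if claimed is None:
        return ("unchecked", None, actual)
    return ("match" if claimed == actual else "mismatch", claimed, actual)


def suspicious_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns the names whose bytes
    do not match the type their extension claims, the trick Beselo relies on."""
    return [name for name, data in attachments
            if check_attachment(name, data)[0] == "mismatch"]


# Constructed samples: the Beselo filenames paired with an arbitrary blob standing
# in for an installer (assumption), alongside genuine-looking media headers.
FAKE_INSTALLER = b"\x1e\x2d\x3c\x4b" + b"\x00" * 28
SAMPLE_ATTACHMENTS = [
    ("beauty.jpg", FAKE_INSTALLER),                          # claims JPEG, is not
    ("sex.mp3", FAKE_INSTALLER),                             # claims MP3, is not
    ("love.rm", FAKE_INSTALLER),                             # claims RealMedia, is not
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),    # genuine JPEG header
    ("song.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00"),        # genuine ID3-tagged MP3
    ("clip.rm", b".RMF\x00\x00\x00\x12\x00\x01"),            # genuine RealMedia header
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(name, check_attachment(name, data))
```

The same check applies to any mail or MMS gateway: an attachment whose extension promises media but whose header says otherwise should be quarantined before the recipient is ever shown a “Photo” message with an installer behind it.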