Sophos

Archive for April, 2008

GTA IV - free!!

Yesterday saw the release of Grand Theft Auto IV (GTA IV), arguably the most eagerly awaited game of the year. Never ones to drag their feet, spammers are already hoping to catch gamers out with the offer of a free copy of the game for PS3. Heck, they’re even throwing in a Playstation 3 as well in case you haven’t got one yet!

Spam landing page offering a free copy of GTA IV and a PS3

Needless to say, if you click on the image you need to enter your email address to be in with a chance of winning. Rather than getting your hands on a free console and game you’re going to end up being inundated with spam for the foreseeable future.

The game itself follows two cousins “as they slip into debt and get dragged into a criminal underworld by a series of shysters, thieves and sociopaths.” I’ll let you draw your own conclusions about any possible links between the game and the spammers themselves… ;)


More poisoned adverts - Yahoo!

Over the weekend the Spyware Sucks blog reported that Yahoo! was serving up poisoned adverts via one of its websites. Subsequent posts suggested that Sandi Hardmeier had not received a favourable resolution after informing Yahoo! of the issue. On Monday The Register highlighted the issue.

At the time of writing, the malicious adverts are still on Yahoo! servers and can be downloaded at will.

The poisoned adverts are very similar to those found on the ITV website in February. SophosLabs has released detection for them as Troj/Gida-D.

Last week at InfoSec, one of the topics discussed on the industry expert panel was ‘Who is responsible for malicious website content?’

  • Who do you think is responsible?
  • What time scales are acceptable for cleaning up malicious content after you have been informed?
  • Should websites be subject to punitive damages?

Contact SophosLabs at sophosblog@sophos.com.


Game Over!

Many people with even a vague interest in security will be aware of Defcon. The Vegas-based hacker conference is held yearly, and security experts and enthusiasts alike are able to present and attend lectures addressing various issues in modern IT security.

In addition to all-night parties, no-holds-barred gambling and other Vegas-orientated activities, the Defcon organisers aim to keep all attendees entertained and occupied with a multitude of games and contests, most notably ‘Capture the Flag’, where a network is set up and the goal of each team is to hack the other teams’ computers.

This year, however, the organisers of Defcon 16 are diversifying their entertainment by introducing a new game entitled ‘Race To Zero’ [1]. The game provides contestants with malware samples that are actively detected by anti-virus software, and rewards them for altering the code to produce a variant of the sample that is no longer detected.

It seems odd that the focus is on building awareness (which is already present) that signature-based detection is not enough by itself; signature-only detection has been dead since the early 1990s, when the use of polymorphic engines became widespread. Essentially, Defcon appears to be promoting the development of malicious software, the same set of nasties that infect computers, steal bank details, propagate spam e-mail and so on. Is it not enough that the malefactors of the world are writing and distributing new malware every day? Or that identity and credit fraud are becoming more popular criminal endeavours? Now pseudo-benevolent coders are being challenged to add to the quagmire of nasties under the guise of promoting more widespread and generic detection.

Defcon has, in the past, been the venue for many new and interesting developments in IT security, and its benefit to security cannot be disputed. I feel, however, that the introduction of this new game will not benefit the security industry in the way it is intended. There are many organisations that perform anti-virus testing on a regular basis. These groups collect the very latest ‘in the wild’ samples and compare the detection rates of each vendor. Past results show that Sophos has performed very well when taking part in these anti-virus tests, and generic identification of new samples is always kept to a high standard. SophosLabs is constantly developing new technologies to advance generic detection, and handles all submitted samples in fully contained and controlled environments so that there is no chance of an outbreak.

For those who do wish to test vendors’ proactive detection capabilities, taking an older version of the anti-virus software and measuring its ability to detect the most recent malware is a better method. This method does not contribute to the ever-growing body of malcode distributed in the world.

Creation of malware, in any sense, should be condemned, especially when the goal is to produce ‘live’ samples against which users are unprotected (the goal itself is malicious in nature). Personally, I’m against a game that essentially encourages the development of live and potentially destructive software, and believe that protection should be provided by anti-virus vendors that are dedicated entirely to the defence of users against this kind of threat. Unlike other hacker-related developments that occur at Defcon, viral code has the potential to escape into the wild and propagate autonomously. Even if the new variants are detected, not everybody has sufficient anti-virus software installed to protect themselves.

Do you want to be a victim of this game?


Infiltrating botnets

I read an interesting paper this morning written by folks at the University of Mannheim and Institut Eurecom. In the paper they present the results of research in which they monitored the Storm P2P botnet, with a view to understanding, measuring and potentially being able to disrupt it [1]. The work was presented at the recent LEET ’08 meeting (the First USENIX Workshop on Large-Scale Exploits and Emergent Threats) [2].

In the paper, Holz et al. infiltrated the Storm P2P network in order to better understand the communications it uses. Of course, there has been previous research in this area, including some excellent articles published by Joe Stewart [3,4]. Nonetheless, the paper is definitely still worth a read.

Certain areas of information security research come with the baggage of legal and ethical issues. Even if an activity is deemed legal, the researcher may be faced with the question of whether it is ethically permissible. The monitoring of botnets is definitely an area where the researcher hits such dilemmas. Researchers may choose to execute malware within some form of controlled environment in order to monitor its behaviour. Historically, the controlled environment may have had no external connectivity (for many types of malware it is unnecessary). But increasingly, effective behaviour monitoring requires some external connections, usually involving modified firewalls and the like in order to have some ‘control’ over incoming and outgoing data.

If the research is to go beyond pure monitoring, additional issues have to be considered. In their paper Holz et al. discuss the feasibility of actually polluting the Storm P2P network, that is, interacting with it in some way in order to cause disruption. The goal of this type of research is clear, and many would consider it well-intentioned (to ultimately lessen the malicious capability of the botnet). But researchers have to take extreme care to avoid falling foul of the law. In particular (within US law at least), potential violation of the Computer Fraud and Abuse Act (CFAA) needs to be considered (intentionally sending code or data, causing damage, acting without authorisation, and so on).

Within the same LEET ’08 meeting, I noticed another paper that attempts to address some of the legal issues [5]. Again, a worthy read, particularly for any researcher working in an area ‘close to the line’.


Phish of the day

Even on an otherwise quiet Saturday there are several phishing campaigns worth mentioning. The first is a campaign targeting the UK bank Abbey. This is a standard but well-orchestrated and sustained spam run using several newly created domains. A botnet (or a few) is used to send emails that vary both the Abbey-owned domain name shown and the domain name used for the phishing site.

Abbey phishing email

The second campaign targets the insurance site of the Brazilian bank Bradesco. The emails use an upgrade of the bank’s secure authentication token software as an excuse to lure the user into downloading and running an executable hosted on a web page set up by the attacker.

Bradesco phishing email

The Portuguese text of the email translates to:

Please be advised that since 14/06/2007, the use of Key Security Bradesco - Electronics for access to Bradesco Net Company has become mandatory.

Since the date 25/03/2008 the system of identification of Bradesco Net Company has been updated to version 2.2.25 to better interact with the current security system.

Please be advised that to continue visiting the Bradesco Net Company you will have to upgrade this component.

To perform the upgrade just click one of the options below and then click download and soon after a run wait a few seconds and follow the installation instructions.

The executable, proactively detected by Sophos as Mal/DelpDldr-D, downloads another executable: a banking Trojan detected proactively as Mal/Banspy-I. The Trojan installs itself to spy on the user’s banking transactions using a man-in-the-middle attack. As the final step, the executable detected as Mal/Banspy-I downloads the last executable, detected proactively as Mal/EncPk-CU. A relatively complex attack that will (luckily) cause no problems for Sophos users, as our proactive detection kicks in very early in this infection cascade. This is also very good news for us in the lab, as we can use the quiet Saturday to work on further improving our proactive protection.


Happy Birthday SophosLabs Blog

With all the excitement of my vacation and Infosec, the fact that the SophosLabs blog is now one year old escaped me.

I posted the first entry on April 19th last year following a malware attack using the tragedy at Virginia Tech.

Since then we have posted over 700 articles on a wide range of topics: everything from the latest Storm/Dorf outbreaks, incompetent 419 scammers and detailed analysis of the latest web attacks to poetry!

My personal favourite was the entry from Dmitry on the Russian spam message offering an entire factory for sale!

Our goal is to inform, educate and sometimes amuse, but always to bring interesting news of what is happening within SophosLabs. I believe we are meeting that goal, and hope you agree.


Do you recognise him?

With no end of malware these days aggressively targeting people’s finances and personal data, it was a surprise this morning to see a simple VBS script worm apparently written with the sole aim of airing a personal grievance.

VBS/AutoRun-DQ displays the following picture:

Picture displayed by VBS/AutoRun-DQ

Writing something like this just to express annoyance with an individual is an interesting, if irritating, approach. Presumably this confirms the idea that virus writers aren’t the most socially skilled individuals. If someone winds you up, why not have a chat with them about it, rather than spending time making a picture and distributing it via malware?

None of us here in the UK lab recognise the chap in question, nor do we have any idea what he’s supposed to have done that’s “bogus”, giving the worm an overall effectiveness of zero!


Fraudsters Target Fears Over Identity Theft

The internet is a great place for fraudsters to con naive computer users by appealing to their fears and desires.

Fake/fraudulent anti-malware (anti-virus, anti-spyware etc.) applications have been around for a long time, and we see a regular influx of new variants. More recently we’ve seen a variation on this theme that targets current fears over identity theft. These applications typically arrive as follows: the user is browsing the internet and a pop-up browser window claims that the user’s system is, or may be, compromised; the user is then coerced into downloading and running an executable file with the promise of a free scan and/or solution. When the fake application is run on a clean computer it finds non-existent threats and then offers to remove them from the computer if the user pays for the full version.

An example of this sort of application that targets fears over identity theft is “Privacy Watcher” (www.privacy-watcher.com), which claims to offer privacy protection. On a clean test computer, “Privacy Watcher” displayed the following:

privacy watch screenshot

Prices start at $49.95 for a six-month licence.


Malware with a sprinkle of religious conscience?

Today was a most unusual day: I analysed two malware samples which contained religious themes in two completely different contexts. Before I go ahead and talk about these two samples, I want to apologise if anyone is offended by my blog.

W32/Autorun-DP is a piece of malware which targets an Indonesian audience. It is a run-of-the-mill Autorun worm which copies itself to removable storage devices and into various directories on the victim’s computer. After I let it run for about half an hour, it flashed up the following message box asking “Are you Muslim?”:

Message box asking “Are you Muslim?”

Pressing “Bukan”, which I’m assuming means NO in Bahasa Indonesia, caused the malware to terminate (interesting!?!). Not wanting to wait another half hour, I brute forced the worm with OllyDbg and this time pressed “Ya”. This prompted the next message box, which read “Sudahkah Anda Shalat?”. This translates to “Have you prayed?”. Pressing “Ya” brought up this message box:

Final message box displayed by W32/Autorun-DP

This roughly translates to “If only God shows forgiveness to you”. This time the malware did not terminate as before. Is this worm partial to people of other religions? The answer is NO. The payload was delivered when the worm first executed, regardless of the religion of the user.

Our next piece of malware, W32/VB-DZJ, is yet another worm. This one copies itself to network shares and creates a whole bunch of text files on the victim’s computer with the extension “.pdf”, e.g. “Spiderman 2.pdf” and “Java Telephony.pdf”. It doesn’t flash up any religious messages like W32/Autorun-DP. What is strange is the presence of a large number of passages from the Bible embedded in its code:

Bible passages embedded in the code of W32/VB-DZJ

This was certainly very strange, and analysis of the file showed that the function referencing those passages is never executed. Going over the passages, no single message can be derived; the passages all talk about different things. This was certainly confusing and cryptic. Checking our databases showed that we have seen a similar sample, W32/VB-CUA, in the past with the same Bible passages but slightly different behaviour. I am not a psychologist, but I assume the malware author is deeply religious?


Want to become invulnerable? Now you can!

Back when I was growing up, I remember playing video games such as Super Mario Brothers and thinking to myself, “Boy, I wish I could get star power and become invulnerable!” Well, dream no more: let me introduce you to the world’s first invulnerable stone, as seen in a spam message today.

Invulnerable Stone Email

At USD $1,000 it sounds like quite the bargain, and amazingly enough he’s even willing to negotiate. It will be interesting to see, as time goes on, whether other spammers opt to start selling invulnerable stones instead of Viagra and replica watches. You can see the stones that are being sold in the photo below.

Stone equals Star Power

On a more serious note, don’t fall for these scams. Please. Seriously.