Sophos

Archive for May, 2008

SophosLabs blogger goes the extra mile

Zoe and hair

Many of you will have read the regular postings on the SophosLabs blog from Zoe.

She has become our resident expert on all matters regarding malware and internet gaming, as well as covering subjects like World of Warcraft in-game spam, safe surfing on the Sony PlayStation 3 games console, and criminals taking advantage of Manchester United’s football tournament success.

As well as fighting malware on our behalf she is now also helping her mother go through chemotherapy.

Zoe’s chosen way of supporting her mother is to shave her head and raise money for a cancer charity. It is clearly a daunting prospect for a woman to lose her hair, so we are all supporting her in this generous act.

As Zoe herself says, “Hair loss is probably the scariest part of chemo, especially for women. Blokes can look great with shaved heads whereas women just tend to look wrong.”

If you would like to support Zoe in this endeavour then you can donate online at http://justgiving.com/baldymarkham.

She has promised there will be pictures!


Pushdo - Cold Calling

The author of Pushdo is still sending out new campaigns of his malware seeded in spam. I posted before about him using obscure APIs followed by GetLastError, so I thought I’d document some variations he’s used since then.

While still calling obscure APIs, he dropped the GetLastError, choosing to get the error values through a round-about system method instead:

Pushdo Calculations 1

Having dropped the direct calling of GetLastError, next came the dropping of directly calling the obscure APIs themselves - instead he chose to dispatch system calls directly by calling a hardcoded address in order to call SYSENTER with certain parameters (an approach which will limit the versions of Windows on which his code will run):

Pushdo Calculations 2

The most recent code has been similar to this, but calculating that hardcoded address on the fly in an attempt to obscure what it’s doing:

Pushdo Calculations 3

And while the debug names in his injected files used to look forward (“Back to the Future”, “Future Generation”, “Mutant of the Future”), they’re now looking in a different direction entirely - more specifically, to Siberia:

Pushdo Siberia

I’ll keep you all updated on where he looks next.


Adobe Flash SWF exploit causes a stir

Yesterday we received several queries regarding a new memory corruption vulnerability affecting Adobe Flash Player and malware that exploits this vulnerability via malicious SWF files.

We have received samples and can confirm that the threat is valid. Detection was issued yesterday for Sophos customers in the form of Troj/SWFexp-A, Troj/SWFexp-B and Troj/SWFexp-C. We have also issued generic detection in the form of Sus/SWFScene-A.

We do not consider this vulnerability to be significantly dangerous but advise users to ensure that they are running the latest version of Adobe Flash Player (currently 9.0.124.0), and remain vigilant when browsing the internet and particularly when viewing SWF content.

Coincidentally a second SWF issue was brought to our attention yesterday after SANS published an article on their blog page. This issue involves the hosting of malicious SWF files that attempt to download further malware.

We have been seeing SWF malware for some time and do not consider the issue to be a zero-day vulnerability. Some detections for threats of this type include Troj/SwfDL-A, Troj/SWFdldr-A and Troj/SWFdldr-B.


The Zlob Glob

An interesting website was brought to our attention yesterday. The server hosted a php file that can send out over 1500 different versions of the same malware.

Each version was slightly different in an attempt to avoid detection. Most likely, the author had a script that generated each file. This rudimentary attempt at script writing was not quite successful, however. All the files in the Zlob mob were detected by Sophos as Troj/Zlobar-Fam.

In the meantime, we’re keeping an eye on this Zlob blob to see what else the author tries.


Google-redirected malware spams in new format

Since the last blog entry about Google-redirected malware, the spam campaign has not varied for some time. For those who have not seen this particular spam campaign, the Google-redirected links have the form of

    http://www.google.com/some_stringhttp://malicious_site_link

Any user clicking on such a link, thinking it was safe, would end up at the malicious site.
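A small checker for links of the shape shown above, added here as an example and not code from the original post. It treats a second scheme appearing anywhere after the google.com host (plain or percent-encoded) as a smuggled destination; the sample links are constructed and are not real spam URLs.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links in the shape the post describes (not real spam URLs).
SAMPLE_LINKS = [
    "http://www.google.com/some_stringhttp://malicious_site_link/video.exe",
    "http://www.google.com/search?q=sophos",
    "http://www.google.com/some_string?next=http%3A%2F%2Fmalicious_site_link%2F",
]

# A second URL scheme after the host is the tell-tale sign of the trick.
EMBEDDED_SCHEME = re.compile(r"https?://", re.IGNORECASE)


def embedded_redirect_target(link):
    """Return the smuggled destination URL, or None if the link looks clean.

    The decoded path and query are inspected so that percent-encoded
    'http%3A%2F%2F' variants are caught as well as the plain form.
    """
    parts = urlsplit(link)
    tail = unquote(parts.path)
    if parts.query:
        tail += "?" + unquote(parts.query)
    match = EMBEDDED_SCHEME.search(tail)
    if match is None:
        return None
    return tail[match.start():]


def classify_links(links):
    """Map each link to its smuggled target (None for links with no embedded URL)."""
    return {link: embedded_redirect_target(link) for link in links}


if __name__ == "__main__":
    for link, target in classify_links(SAMPLE_LINKS).items():
        print("SUSPICIOUS" if target else "clean     ", link, "->", target)
```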

Today we noticed a new wave of these spam messages without the “celebrity/neighbour video” theme. Here is one of the new samples:

Google redirected malware spam v4

This latest spam message has a similar look and feel as the still-ongoing campaign from a month ago, as shown below:

Google redirected malware spam v2

The latest spam messages contain various email subjects, with many masquerading as mail delivery errors, challenge/response requests, or conversational messages. Here is a partial list of subject headers we’ve seen:

Email subjects of the latest Google redirected malware spam

Aside from the normal looking message subjects, there are a few bizarre ones, such as “Submit a virus sample”, “Proof of concept”, “Virus sample”, and “Spam”. It is as though the malware authors are taunting users to click on the link to see what would happen. Curiosity in this case would have dire consequences.

Fortunately for Sophos users, our spam solution has been detecting the spam campaign since the early days, even with the latest change. Sophos Anti-Virus has also been effective against this campaign, with the latest malware detected by the Mal/EncPk family of identities.


New celebrity pictures Trojan horse spammed

It seems like weekends are good opportunities for spamming out Trojans. About two hours ago we started receiving samples of the Trojan horse we now detect with Sophos Anti-Virus as Troj/Agent-HAH. The attachment name always seems to be xjolie.zip but message subjects vary and include:

  • Something hot
  • Hot news
  • Paris Hilton
  • Hot pictures

Unfortunately I have not managed to make the Trojan run successfully under our controlled environment. Every time it is launched the file causes an exception, so I cannot give you more details about what it would do if it ran successfully. But that is not so important as long as you are protected.

Good news for Sophos PureMessage users is that they were protected by our anti-spam solution only a couple of minutes after the mass-spamming started. I am very pleased that our SXL infrastructure allows us to react to new outbreaks so quickly. It makes me calmer during the file analysis since I know that our users are protected - so I can take just a little bit more time to make sure that the written detection will not miss something significant.


To Junk Or Not To Junk

Following on from my colleague’s post here concerning broken Sality infections, it is quite interesting to look at modern day polymorphic viruses and whether their propensity to junk files is wholly by accident or whether there is the occasional element of intent involved.

Destruction of the host by a file infecting virus has been going on for as long as viruses have been around. In days gone by, it was more common than not for a virus payload to be destructive. Viruses such as W32/Kriz and W95/CIH-10xx would not only destroy files but also attempt to overwrite the system BIOS on their various trigger dates. As recently as 2007 there was W32/Flukan-C which would overwrite all zip files that it could find with a copy of itself while keeping the filename of the original file.

The trend for viruses today is very much to keep a low profile while on an infected system. As a result we rarely see the extremely destructive viruses that cropped up in yesteryear. However, a mass infection that leaves behind a large number of irreparably corrupt files can still be very damaging.

Some members of the Virut/Vetor family will randomly choose not to leave an infection marker after infection. This leaves the way open to multiple infections (more headaches for anti-virus companies) but also increases the chances that the end file will be corrupt. Some recent members of the Sality family were found to incorrectly calculate the Entry Point for a file that had a specific Section Table. If all sections had a Virtual Size of zero, the virus would take the entry point from the PE header as a file offset rather than a Relative Virtual Address, and write its code there. This will almost always result in a file that crashes.

It is also not unheard of to see viruses accidentally infect files that are not designed for the specific platform that the virus is running on. For example a virus may infect a Windows CE PE file that has been compiled for the ARM processor, while running under x86. This file now has no hope of running, yet with a simple check of the MachineID field in the PE header the virus would have known it was pointless to attempt to infect this file and could have moved on to the next.
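To make the Sality section-table bug concrete, here is an added example (not code from the original post) that maps an entry-point RVA to a file offset the way a loader does, next to the shortcut the post describes, plus the sanity check a disinfection routine can apply to spot a host whose entry point no longer maps anywhere. Section tables are constructed and simplified to the fields the mapping needs.

```python
from collections import namedtuple

# Minimal view of a PE section-table entry (constructed values, not a real file).
Section = namedtuple("Section", "name virtual_address virtual_size raw_pointer raw_size")

# A normal table and the case the post describes: every VirtualSize is zero.
NORMAL = [Section(".text", 0x1000, 0x0800, 0x400, 0x0800),
          Section(".data", 0x2000, 0x0200, 0xC00, 0x0200)]
ZERO_VSIZE = [Section(".text", 0x1000, 0, 0x400, 0x0800),
              Section(".data", 0x2000, 0, 0xC00, 0x0200)]


def effective_virtual_size(section):
    # Some linkers emit VirtualSize == 0; loaders then fall back to SizeOfRawData.
    return section.virtual_size or section.raw_size


def rva_to_file_offset(rva, sections):
    """Correct mapping: locate the section that contains the RVA and translate
    through its PointerToRawData. None means the RVA maps to no initialised
    byte on disk, which is a sign of a damaged host."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + effective_virtual_size(s):
            delta = rva - s.virtual_address
            if delta >= s.raw_size:  # inside the zero-filled tail, not on disk
                return None
            return s.raw_pointer + delta
    return None


def flawed_offset_for_entry_point(rva, sections):
    """The shortcut the post describes: when every VirtualSize is zero the
    virus uses the entry-point RVA as if it were already a file offset."""
    if all(s.virtual_size == 0 for s in sections):
        return rva
    return rva_to_file_offset(rva, sections)


def entry_point_is_plausible(entry_rva, sections):
    """Disinfection sanity check: the entry point must land on an initialised byte."""
    return rva_to_file_offset(entry_rva, sections) is not None


if __name__ == "__main__":
    ep = 0x1100
    print(hex(rva_to_file_offset(ep, ZERO_VSIZE)))          # 0x500, what the loader uses
    print(hex(flawed_offset_for_entry_point(ep, ZERO_VSIZE)))  # 0x1100, past .data on disk
```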

It seems that modern day virus authors see a swathe of files left in varying degrees of corruptedness as a perfectly acceptable, and possibly desired, side effect of a successfully infected system.

To Junk or not to Junk? The virus authors say: Why Not?


Broken Sality keeps on giving

Since its initial appearance back in 2003, the Sality (aka KuKu) parasitic virus has come and gone from the radar as its authors continue to re-release updates, but none has caused more interest than the W32/Sality-AM variant, due to its propensity to damage files upon infection.

Upon analysis of the most recent samples it was evident that there is a major bug in the infection routine causing files to be incorrectly modified during infection. So-called ‘broken infections’ have been observed in a number of states ranging from ‘viable infection, broken host’ to ‘broken infection, broken host’, but as far as the customer is concerned they simply want the infection gone and their files fixed.

From a malware author’s perspective such bugs are a non-issue as long as the virus replicates. However, for an anti-malware vendor this is much more of a problem, not only because disinfection (recovery of the host) may no longer be possible but also because some infected files are so corrupt that they avoid detection.

Different anti-malware products use varied techniques to identify an infected file, so they may not all report broken samples as infectious. This is often difficult to explain to customers who run multiple anti-virus products, and although neither response is wrong, neither is entirely correct.

Traditionally, anti-virus vendors have used four different methods to deal with broken replicants:

  • Detect them as the virus and don’t offer disinfection
  • Detect them as -Dam (.Dam)
  • Detect them via more intensive user-initiated scans after detection of the main virus
  • Not detect them

Customers seem to understand detection of broken samples; however, they have some difficulty comprehending non-detection (often requiring support to assure them that the sample is not only not viable but beyond repair).


Manchester United fans in need of medication?

As ever the spam queues this afternoon are full of emails containing links to ‘male enhancement’ websites.

One new trick for today is the use of Manchester United in the URL. Perhaps that’s not surprising considering Manchester United’s nail-biting win by penalty shootout over Chelsea in the UEFA Champions League final last night in Moscow.

Just two vowels have been removed from the club’s name (mnchsterunited dot com), making it almost conceivable (grin) that tired, hungover Man Utd fans could find themselves stumbling onto the wrong website today.
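The vowel-dropping trick above is easy to screen for on a watchlist of brand names. This is an added example, not code from the original post: a hostname label is flagged when it is exactly the brand with one or more vowels deleted and nothing else changed. The watched brand list is constructed for the example.

```python
VOWELS = set("aeiou")

# Brands to watch for; constructed list for the example.
WATCHED_BRANDS = ["manchesterunited", "sophos"]


def strip_vowels(text):
    return "".join(ch for ch in text if ch not in VOWELS)


def is_subsequence(short, long):
    # True when 'short' can be produced from 'long' by deletions only.
    it = iter(long)
    return all(ch in it for ch in short)


def vowel_dropped_lookalike(hostname, brands=WATCHED_BRANDS):
    """Return (brand, vowels_removed) for the first hostname label that is a
    brand with only vowels deleted (e.g. mnchsterunited -> manchesterunited),
    or None when no label matches. An exact brand match is not a lookalike."""
    labels = hostname.lower().rstrip(".").split(".")
    for label in labels:
        for brand in brands:
            if label == brand:
                continue
            # Same consonant skeleton and a pure-deletion relationship means
            # the only characters missing are vowels.
            if strip_vowels(label) == strip_vowels(brand) and is_subsequence(label, brand):
                return brand, len(brand) - len(label)
    return None


if __name__ == "__main__":
    for host in ["mnchsterunited.com", "manchesterunited.com", "www.sphs.net"]:
        print(host, "->", vowel_dropped_lookalike(host))
```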

mufc-spam.gif

Emails containing a link to a sub-page on the site came in with all the usual subject lines - surely the spammers missed a trick there by not including some cleverly worded UEFA Champions League or United references? (I could, but I’m not going to.)

Some of the more eyebrow-raising subject lines used in this spam campaign today include:

  • Change your small trout into a great white shark
  • She will remove her loin-cloth
  • Get a greater kangaroo pounder

Our spam systems automatically blocked this site before any customer samples were seen.


Dear Friend

Yesterday we saw quite a few copies of a new, and as ever shameless, type of 419 email in our spam queues. The email starts off in the usual manner:

Dear friend,

I do not know your exact name. I can only guess. I ask you to read through my letter up to the end.

It’s at this point that, if I were at home, I’d hit delete, but here we get paid to read these things through and make sure that our customers are protected from this type of phishing attempt. I’ll spare you the whole text, but the gist of the mail is that a poor chap is trying to get to China to find his wife - in other words it’s the usual attempt at pulling on the heart strings of random email recipients.

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

Spammers and scammers are always ready to jump on the latest disaster or big news headline to try and exploit users. Past examples of similar scams include the Concorde air disaster, the London bombings, and the war in Iraq.

We’ve already seen examples of malware being spammed out as a China earthquake news story. As with the earthquake based phishing attempts, Sophos users are protected.