Sophos

Archive for January, 2009

D’oh!

This morning I found yet more proof that your average malware author is male. I don’t think many people will take issue with the fact that the majority of men are not known for their ability to multi-task. When a malware author is setting up his file to drop sneaky little DLLs into your system32 folder he has a lot on his plate. He’s got to sort his internet connectivity out, give his files innocent-looking icons and find as many ways as possible to convince you to run his malware on your system. With so much to do it’s really no wonder he sometimes forgets to add convincing version information to his files. Here’s one we spotted this morning:

If you found that file in your System32 folder how likely would you be to trust it? Whilst you can never 100% trust decent version information as being an indication of a clean file, dodgy version information is often a dead giveaway.

As you can see he had the best intentions, he just didn’t get around to doing it properly. The “TO DO” mistake is something that we also see a lot of in various broken spam campaigns. Now that I come to think of it though, To Do lists are an infinitely female trait…

Image courtesy of Fox


The worm that turned

USB stick

Amidst growing concern for the destruction of habitat and the extinction of rare species, it is startling that worms, especially of the “USB” ilk, have had a population explosion, somewhat akin to the Cane Toad in Australia.

The USB worm is a scion of the now effectively extinct boot sector virus. Evolution has meant that the USB worm has adapted to its new environment. It is widely acknowledged that the success in the breeding patterns of the USB worm is due to the enhanced and favourable habitat available for its progeny. USB worms sometimes thrive on USB sticks and tend to venture forth onto hard disks as well, equally at home on both media. The interchange of large numbers of USB sticks, both locally and internationally, makes the life of the USB worm, regarded as an irritating pest, far easier.

One breed of USB worm, of the genus “Folder Icon”, is particularly common. This worm uses its cover of masquerading as a Windows folder to protect itself against potentially hostile parties that may seek to destroy it. In fact the only known species which is, or ought to be, hostile to USB worms is that of the human. Unfortunately using the Windows folder camouflage appears to encourage the curious human to aid the spread of the USB worm by the process of “double-clicking”.

Despite pockets of resistance the spread of the USB worm is far and wide. This scenario is beginning to have a large negative impact on other species such as the human. One simple action that any human can take is to prevent these USB worms from being able to invoke themselves on hard drives from a USB stick. The choice of habitat may also be restricted by USB device control. Finally human education and vigilance is a must if the species of USB worms and its distant cousins are to be eradicated.

Credits:

  • The USB image is courtesy of nomads4ever.com
  • The folder icon image is courtesy of gimp-tutorials.net
  • The image of the Cane toad is courtesy of www.bio.usyd.edu.au

IE8: InPrivate browsing and plug-ins

As a quick follow up to my previous IE8 post, I would like to alert users to an easily overlooked consequence of using the new InPrivate browsing mode.

Users will use the InPrivate browsing mode when they wish to leave no trail of their browsing on the machine. Whilst playing around with the RC1, I noticed that by default, IE8 disables all add-ons whilst in this mode. This is not surprising - the browser has no control over what third-party plug-ins may do with browsing data (history, page contents, form data etc) and so they have to be disabled in order for “private” browsing to be possible.

However, the side-effect of this is that security related plug-ins, such as the Sophos web content scanner, are also disabled by default in this browsing mode! Do not be deceived by the status shown in the ‘Manage Add-Ons’ dialog. Whilst browsing in InPrivate mode with all add-ons disabled, opening the dialog suggests something different:

There is some irony in this situation.

The types of site users may want to cover their browsing tracks on correlate quite closely to those commonly used by the bad guys to distribute malware (sex sells, humans are weak) [1,2].

Users can choose to enable plug-ins via the Tools - Options - Privacy tab, but there does not appear to be a way of configuring individual plug-ins separately (within InPrivate mode specifically, not globally). Well, at least users do have the option of getting their security plug-ins enabled.

Remember though, with plug-ins comes the loss in privacy (why Microsoft had to make this choice in the first place).

Consider a security plug-in detecting malicious content on a site - the URL (and perhaps page content) will most likely be stored locally, or reported centrally (product quarantine, report logs etc).

Similarly content management or viewing plug-ins - these will typically manage their own content cache separately to the browser.

So make your choice, privacy or security. I know which side of the fence I sit on.


FakeAV exploits GreyMatter vulnerability

With all the recent media flutter about Conficker [1,2,3,4] and the advice by security software vendors to patch and update, it’s no wonder that the FakeAV crowd are doing good business, as detailed by Paul Ducklin.

Playing on the media hype and the sometimes exaggerated infection reports, the FakeAVers need no spam runs to peddle their wares. A few compromised websites, a tantalising YouTube video, a long lost friend on Facebook or the latest celebrity gossip are all excellent vehicles of penetration. Once visited or downloaded, the FakeAV window appears, be it Flash, JavaScript or an actual executable, and warns you of the impending doom if you do not make the small investment of $29.95 to rid your apparently infected computer of the nasty malware the media has been talking about. And let’s face it, for that warm fuzzy feeling of knowing you’re once again safe and protected in this world of Trojans, worms, viruses and malware, $29.95 isn’t a king’s ransom.

It is no surprise, then, that users, tech-savvy or otherwise, believe the fake warnings (and they are often quite believable) and polished interfaces, and give the latest AntiVirus2009 a chance. After all, they are just following “good security practice”!

So where has it all gone wrong? Are our fears of an unsafe net being exploited by the malware authors to their own financial gain? Do the computer users among us need our own patch for the old grey-matter?

Here is a good start to hot-patching the old noggin. Let’s first start with addressing the “is this even a legitimate security product” issue - VirusTotal (who provide a malware scanning service by utilizing a number of anti-virus products) have a reasonable list of the major players (free and otherwise) available on their website. If the FakeAV’s name isn’t on their list of vendors it’s probably not worth the bandwidth.

If its name looks like it wants to draw your undivided attention, consider why it may be doing this. All that glisters is not gold!

If it claims to find lots of malware yet requires a fee to eradicate it, consider this suspicious (evaluation versions should allow evaluating the cleanup and disinfection facility as well).

If it nags you for a registration more than your significant other nags you to take the garbage out, it’s probably time to trash it.

Generally practice safe hex and avoid spreading malware by unsafe removable media.

Consider these rules of thumb as a hot-patch to your brain and avoid getting pwned by the latest FakeAV as it exploits your sense of doing the right thing - or you could be driving away with those brand new square wheels :-P


Debuggered

In the recent article, Delete files that don’t exist, Stephen described a malware using the registry to delete a certain file upon launching. The same registry key is used in another way now. By adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<command to hijack>

with a value named “Debugger” whose data is the path to a handler, malware can disable applications or launch itself whenever the user attempts to launch the hijacked application, because Windows starts the “debugger” and passes the original command line to it instead. Below is a demonstration.

Modifying the registry with registry editor

I have added a new registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

and added the value Debugger to point to Notepad.exe

Upon modification, each time I run cmd.exe, Notepad.exe opens instead and loads the cmd.exe binary as its document.

Loading cmd.exe binary with Notepad.exe

Yet another way to exploit the poor registry.
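As an added example (not code from the original post), the following Python check reads a regedit .reg export and lists every Image File Execution Options subkey that carries a Debugger value, which is exactly the hijack shown above. The export text is constructed: it contains the cmd.exe to Notepad.exe entry from the post, a second made-up entry, and a subkey with no Debugger value that must not be reported.

```python
import re
from typing import Dict, List, Tuple

# The Image File Execution Options key from the post; subkeys are named after the image to hijack.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Constructed regedit export (not taken from a real system): the cmd.exe -> Notepad.exe entry
# from the post, a made-up taskmgr.exe hijack, and a subkey without a Debugger value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="Notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\Temp\\fake.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"GlobalFlag"=dword:00000100
'''

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser returning {key path: {value name: string data}}. Only REG_SZ
    lines of the form "name"="data" are kept, which is how a Debugger value is exported."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside string data
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def find_ifeo_debuggers(text: str) -> List[Tuple[str, str]]:
    """Return (hijacked image, debugger path) for every IFEO subkey carrying a Debugger value."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower().startswith(IFEO_PREFIX.lower()):
            image = key[len(IFEO_PREFIX):]
            for name, data in values.items():
                if name.lower() == "debugger":
                    hits.append((image, data))
    return hits
```

Legitimate debugging tools also register themselves under this key, so each hit needs a look at where the debugger path points before it is treated as a hijack.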


India’s embassy in Spain victim of a malicious attack

SophosLabs has received reports (Passionate about Information Security and Dancho Danchev) that India’s Embassy in Spain has been the victim of a malicious attack.

We can confirm that the site is indeed infected with Mal/Iframe-F. The site embajadaindia.com imports content via iframes from embajadaindia.net (both sites are registered to the Embassy). embajadaindia.net in turn imports more content via iframes from indexENG.html, and it is this file that contains the malicious iframes.

As mentioned in Dancho’s blog several other embassies have been hit in the past including the US Consulate in St Petersburg.

The interesting thing from my point of view is that Ismael’s screenshot (on Passionate about Information Security) suggests he is using Sophos Anti-Virus for Mac.


The Truth is that legitimate websites are serving malicious content

This morning SophosLabs noticed, via feedback from installation of WS1000 web security appliances, that the website Pravda.ru (which coincidentally celebrated its 10th birthday yesterday) has been serving up malicious content (Mal/Iframe-F).

That doesn’t seem a great way to celebrate your website’s birthday with your many readers.

>>> Virus 'Mal/Iframe-F' found in file ad.pravda.ru/cgi-bin/iframe?7,7,*

The good news is twofold:

  • that the website the Iframe is pointing to is currently not serving up further malware, however, that may not always have been the case.
  • Firefox 3.0 will warn you that the site is a suspect attack site.

Pravda, which means ‘The Truth’ in Russian, is not the only site that has malicious iframes and will not be the last.

SophosLabs recommends that webmasters keep their servers patched and updated, and remember to monitor their server logs for suspicious activity.
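Both the embassy post above and this one come down to the same thing: a legitimate site pulling in an iframe, sometimes through several hops, that ends up pointing somewhere it should not. As an added example (not from either post), here is a small Python walker that follows iframes across a site's own hosts and reports the full chain behind every frame that lands off-site. The pages are constructed to mirror the embassy chain (.com frames .net, which frames indexENG.html); malicious.example is a placeholder, not the real host involved.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed pages mirroring the chain in the embassy post. The 1x1 frame in indexENG.html
# stands in for the injected Mal/Iframe-F iframe; malicious.example is a placeholder host.
PAGES = {
    "http://embajadaindia.com/": '<html><body><iframe src="http://embajadaindia.net/"></iframe></body></html>',
    "http://embajadaindia.net/": '<iframe src="indexENG.html" width="100%" height="800"></iframe>',
    "http://embajadaindia.net/indexENG.html":
        '<p>news</p><iframe src="http://malicious.example/in.cgi" width="1" height="1"></iframe>',
}

class _IframeSources(HTMLParser):
    """Collect the src attribute of every <iframe> in a page (tag names arrive lowercased)."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def iframe_sources(html):
    parser = _IframeSources()
    parser.feed(html)
    return parser.srcs

def trace_iframes(url, fetch, trusted_hosts, max_depth=5, chain=()):
    """Follow iframes starting at url. fetch(url) returns page HTML or None. Frames on a trusted
    host are fetched and walked in turn; every frame pointing anywhere else is reported as the
    tuple of URLs that led to it, so the webmaster can see which file carries the injection."""
    chain = chain + (url,)
    if len(chain) > max_depth:
        return []
    html = fetch(url)
    if html is None:
        return []
    findings = []
    for src in iframe_sources(html):
        target = urljoin(url, src)  # resolves relative sources such as indexENG.html
        if (urlparse(target).hostname or "") in trusted_hosts:
            findings += trace_iframes(target, fetch, trusted_hosts, max_depth, chain)
        else:
            findings.append(chain + (target,))
    return findings

def offsite_iframe_chains():
    trusted = {"embajadaindia.com", "embajadaindia.net"}
    return trace_iframes("http://embajadaindia.com/", PAGES.get, trusted)
```

For the Pravda case the frame came from the site's own ad server, so that host would either be listed as trusted and walked, or be reported exactly as the appliance log above reports it.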


IE8 Release Candidate now available

As of yesterday the much awaited first Release Candidate (RC1) of Internet Explorer 8 became available for download [1].

I won’t bore you with all the details of the features new in this version - you can find that information here. But from a security perspective, the headline items include:

  • SmartScreen filter - to restrict access to known malicious or phishing URLs (expanding upon the phishing protection included within IE7)
  • InPrivate browsing mode - sometimes labeled “porn mode” [2], minimizing any trace of browsing history on the machine
  • XSS filtering - to help prevent cross-site scripting attacks
  • DEP on by default (for IE8 on Windows Vista SP1)

In this and subsequent blog posts, I will be taking a closer look at IE8, specifically from a security/threat perspective, hopefully trying to reveal some of the actual facts behind the above headline items.

Since version 7.6.0, the Sophos endpoint product has included a web content scanning plug-in, to enhance the handling of malicious web content [3]. The plug-in works happily in IE8, and can be enabled/disabled via the usual ‘manage add-ons’ dialogue. Attempting to access malicious content with the plug-in enabled will show the familiar Sophos warning message.

One of the key features I am keen to investigate is the SmartScreen filter, designed to block access to known bad sites.

Curiously, during my testing thus far, I have been unable to trigger the filter, despite intentionally browsing to well over 50 recent, malicious sites (some of them notorious). Perhaps something amiss with my test setup? (I will continue investigating…)

The InPrivate browsing mode enables users to browse sites without leaving the usual “information trail” in the form of browsing history, cookies, temporary internet files (these are cached, but subsequently deleted) and form data. The address and title bars make it clear to the user when they are browsing in this mode.

When parental mode is enabled, you do not have to worry about InPrivate browsing, it is disabled.

All in all, there is a lot to look forward to in the final version of IE8 (and a lot of features to investigate more fully). It has to be said, with some of the major browser releases recently, users are getting a little spoiled for choice! Usability across the board has improved considerably - let’s hope that security features start to feature more prominently in dictating browser choice.


OSX/iWorkS-B another Trojan affecting dodgy downloads

SophosLabs heard some reports today regarding another Trojan affecting dubious downloads from torrent (Intego and Graham Cluley). This Trojan, OSX/iWorkS-B, is affecting Adobe Photoshop CS4 downloads on torrent.

OSX/iWorkS-B has a similar modus operandi to OSX/iWorkS-A.

The differences mean that for the disinfection you will need to kill the service DivX instead of iWorkService.

sudo killall -9 DivX

Plus remove the folder /System/Library/StartupItems/DivX

sudo rm -rfd /System/Library/StartupItems/DivX

Network administrators who monitor network traffic should look for traffic to:

*freehostia.com:1024

OSX/iWorkS-B is yet another reason to have a security program on a Mac.


OSX/iWorkS-A another reason to have a Mac security product

Yesterday, SophosLabs was made aware of a new Mac OS X Trojan affecting a dubious copy of iWork ‘09 (an update to Apple’s popular rival to Microsoft Office).

In the news and blogosphere there were several write-ups and descriptions (Threat Researcher, Intego, ProtectMAC and our own Graham Cluley). SophosLabs has now written detection for this new Trojan, which we identify as OSX/iWorkS-A (aka OSX.iWorkServices.A, OSX.Iwork and OSX.Trojan.IServices.A).

The Trojanised copy of iWork ‘09 was made available on the infamous PirateBay torrent site as a ZIP file. When unpacked you would get a proper Mac .pkg file.

As you can see the ZIP was ~450Mb and there were over 500 torrent sites up last night offering it for download. Looking into the .pkg file (actually a folder) shows that there is a suspiciously new file.

iWorkServices.pkg is the install package for OSX/iWorkS-A. When installed OSX/iWorkS-A will create several files and a process.

Sophos Anti-Virus for Mac will detect and delete the files created under StartupItems and bin. The process called iWorkService can be killed manually.

sudo killall -9 iWorkServices

Network administrators who monitor network traffic should look for traffic to:

*freehostia.com:1024
69.92*:59201

as such traffic is indicative of an infection of OSX/iWorkS-A.
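The two destination patterns above, and the one given in the OSX/iWorkS-B post, are easy to check mechanically against a connection log. As an added example (not from either post), this Python matches key=value firewall records against those indicators; the log lines, the .example hosts and the 69.92.x.x address are constructed for the demonstration, not observed traffic.

```python
from fnmatch import fnmatchcase
from typing import Dict, List

# Destination patterns from the OSX/iWorkS-A and OSX/iWorkS-B posts, in their "glob:port" form.
IWORKS_INDICATORS = ["*freehostia.com:1024", "69.92*:59201"]

# Constructed connection log (key=value fields). Only the first and third lines should match:
# the others go to unrelated ports or hosts, including a freehostia.com host on port 25.
SAMPLE_LOG = """\
2009-01-22T10:01:02 proto=tcp src=10.0.0.5 dst=free1.freehostia.com dport=1024 action=allow
2009-01-22T10:01:03 proto=tcp src=10.0.0.5 dst=www.example.com dport=80 action=allow
2009-01-22T10:01:09 proto=tcp src=10.0.0.7 dst=69.92.123.45 dport=59201 action=allow
2009-01-22T10:01:10 proto=tcp src=10.0.0.7 dst=69.92.123.45 dport=443 action=allow
2009-01-22T10:01:11 proto=tcp src=10.0.0.9 dst=mail.freehostia.com dport=25 action=allow
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; the leading timestamp is kept under 'ts'."""
    fields = line.split()
    record = {"ts": fields[0]}
    record.update(f.split("=", 1) for f in fields[1:] if "=" in f)
    return record

def matches_indicator(dst: str, dport: str, indicator: str) -> bool:
    """An indicator "glob:port" fires when the port is equal and the destination host or
    address matches the glob, so 69.92* covers every 69.92.x.x address the post names."""
    pattern, port = indicator.rsplit(":", 1)
    return dport == port and fnmatchcase(dst, pattern)

def find_iworks_traffic(log: str, indicators=IWORKS_INDICATORS) -> List[Dict[str, str]]:
    """Return every record whose destination matches an indicator, tagged with the one that fired."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        for ind in indicators:
            if matches_indicator(rec.get("dst", ""), rec.get("dport", ""), ind):
                hits.append({**rec, "indicator": ind})
    return hits
```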

The comments posted to the PirateBay blog are quite explicit about the dangers involved in downloading this torrent. Though it appears that the author of this Trojan (or perhaps an accomplice) was posting to say that the file wasn’t a Trojan. Either that or they were quite dim.

Graham asked late last year “Do you really need anti-virus on your Apple Mac?”. This Trojan once again proves the answer to be yes.