Sophos

Archive for March, 2009

Conficker!

With April 1st already upon us in some timezones, the much-feared meltdown of the world’s computer systems has, as expected, simply not happened!

Yes, the new algorithm for polling websites has started as scheduled, but to quote another blog “So far, nothing has actually happened”.

Despite the fact that the number of machines infected with the variant of Conficker that actually uses the ‘new’ algorithm is relatively small, the hysteria around this seems to continue unabated.

I’m currently in SophosLabs Canada, and we’re hearing news reports saying that this is a virus that no one can detect (untrue: all major security vendors can detect all the variants) and that Conficker will cause untold damage to millions of computers.

Even our own support department are reporting huge volumes of worried customers wondering what is about to happen.

The simple answer is “nothing”. If you aren’t infected with Conficker, nothing will happen. If you have machines in your network that are infected, firstly you will know about it (because the protected machines will be able to detect it trying to spread); secondly, it will probably be one of the earlier variants; and finally, if it is Conficker.C, there is only a 1% chance that your infected machine will contact the right domain, if the malware author decides to post an update.

As you can see, there are a lot of “ifs”.

Millions of computers going into meltdown?

There’s more chance of a television satellite being infected with a virus, or spaghetti growing on trees.


MSN Spamming from Friends

Just after my colleague posted a blog about “Skype Me/Spam Me” a few days back, I received an MSN spam message from one of my friends. The message claimed to be a “risk free” weight loss program and contained a link to a domain which SophosLabs had already blocked about a month earlier. When opened, the page looks as follows:

After receiving the spam message I notified my friend and asked him to scan his computer for any malware infection on his system. However, no malware was found. Upon further investigation, I’m almost sure that my friend gave his username and password to some dodgy site which claimed to “legally” use customers’ login info.

My immediate suggestion to my friend was to change his passwords ASAP. Customers should be aware that it is important to protect their IM usernames and passwords to stop them getting into the wrong hands. When customers are asked to provide confidential information, they should ask whether the information is really needed and how it will be used.


Conficker’s virtual machine detection

The Internet Storm Centre blogged back in February about how the startup code of Conficker would do a quick check, using the SLDT instruction, to see if it was running in a virtual machine. If so, it would Sleep() forever and take no further action. The most recent variant of Conficker, detected by Sophos as Mal/Conficker-B, also does this check — but that isn’t quite the full story. Deeper within the obfuscated code in Mal/Conficker-B is an extra set of virtual machine detection tests.

Conficker's other VM detection tests

One interesting thing here is that Conficker doesn’t bail out if any of these detect that it’s running inside a virtual machine. Instead, for each test Conficker will set a bit in a bitfield to specify whether the test “passed” or not. This bitfield is within a data structure to which Conficker also saves information about the operating system version and the language ID of kernel32.dll on the Windows drive. This set of data seems to be used when Conficker initialises its peer-to-peer communications — the most obvious explanation would be that the owners of the Conficker botnet are harvesting that data to get a better idea of the computers they have available.

Still more interesting is another VM detection test that Conficker does in the same function. This is a variant of what’s sometimes known as the Red Pill detection method using the SIDT instruction. Trawling through our database of malicious code I managed to find almost exactly the same implementation in an old Trojan from 2006 which we detected as Troj/Agent-DJQ. This is actually part of the malware family known to different vendors as either LinkOptimizer, Stresid or Gromozon. The family is detected generically by Sophos as Mal/LinkOpt-A.

Take a look at this code from Conficker:


Mal/Conficker-B SIDT detection loop

And compare with this code from the LinkOptimizer variant:


Troj/Agent-DJQ SIDT detection loop

The only practical difference between these two implementations is that the LinkOptimizer version will wait for an extra third of a second before deciding that it isn’t in a VM. That isn’t the only similarity, however.

Both of these samples share almost exactly the same “spaghetti code” obfuscation method, where functions and basic blocks are split up with direct and indirect jmp instructions — though in Conficker the system seems to have been toned down a little so that, on average, there are a few more instructions per “slice” between jmps (possibly an attempt to make the technique harder to detect generically). This trick is commonly used in malware, but the implementation of it is almost identical between LinkOptimizer and Conficker.

There have also been reports of the earliest variants of Conficker being mislabelled as LinkOptimizer by some vendors’ anti-virus products — though it’s not clear whether this was due to generic detection code designed to spot this kind of obfuscation or simply a misclassification by the vendors when analysing samples. In any case, I don’t think it would be a stretch to suggest that Conficker and LinkOptimizer might have been written by the same people.

Sophos is continuing to analyse Mal/Conficker-B and we intend to publish more information soon. People looking for details on this threat can read our virus description and Mike Wood’s blog post regarding the worm’s new call-home functionality. There is also a detailed analysis of the latest variant available from the SRI Malware Threat Centre.

For anyone looking to remove a Conficker infection, the Sophos Conficker clean-up tool is available to do just that!


SMS message saying bank details on the internet are malicious

SophosLabs has received a disturbing report from a UK Local Government customer which we feel needs a wider audience.

People are receiving SMS messages saying that their bank details are on the internet. These text messages are 100% malicious in nature and users should not follow the links.

The report from the local government states:

The user received an SMS message to say that his bank account details had been posted on the Internet and gave him a URL to go to. He attempted to access the site using a library PC but failed and queried the librarian about the security on the PC, who raised a support call with us.

and

The obfuscated script inserts an iframe which attempts to download malware which Sophos blocks.

I haven’t seen details of a scam like this before and have looked for a site on which to report it without success. I’m assuming you’ll know what to do with it.

So, what are we at SophosLabs doing about it?

  • Making the general public aware of this malicious attack
  • Adding detection and blocking for the malicious website
  • Making samples available for security professionals via the usual channels

SophosLabs will be publishing detection for the malicious website as Troj/Iframe-BS and the malware that Sophos already blocked was detected as Troj/PDFJs-B.


Skype Me/Spam Me?

I’ve been a Yahoo and MSN’er for years, but over the weekend I decided to give Skype a go, as a simple means of saving money on international phone calls to my parents. Hard times, credit crunch, you know how it is. Working here at Sophos it’s easy to get a little bit obsessed with spam and malware, but I genuinely couldn’t believe the number of spam messages that flew across my screen in a matter of minutes after signing in. Even working in the lab and doing spam shifts it’s rare that I see that volume of messages that quickly.

So why are there so many more spammers using Skype? Or was I just randomly unlucky? The messages I was getting were many and varied, from women with cams and friendly wet bits, men with cams and friendly firm bits, to horribly poor fake anti-virus alerts and even a long lost uncle who had recently passed on and wanted to transfer $6 million to my bank account. IM-ing from beyond the grave. I’m wondering if it could be because the userbase on Skype tends to be a little older, so the spammers are much more likely to find victims with credit cards than on the largely teen-based MSN, for example.

Not only was I getting these pop-up chats left, right and centre, but I was also getting a flood of incoming calls as well. VoIP spam is new to me, and much harder to ignore than just text on your screen. I didn’t answer any calls from unknown users, and no voicemails were left, but I can only assume that they were recorded-message spam, after my credit card or bank details in time-honoured tradition.

As each spam message and call appears you can block each user in turn, but this is blatantly not a fun way to spend an evening. The only way to reliably stop the phone ringing off the hook and the message insanity is to configure your privacy settings so that only your authorised contacts can message you.

IM systems lack the spam protection that email offers, and it’s important to remember never to click on links in unsolicited chat messages. Spammers will inevitably be lurking on whichever IM client you choose.


Mac malware authors still plugging away

Last week, SophosLabs received several reports of some new Mac malware (from Intego and Threat Researcher). So I asked around for samples (sample exchange) and was able to write detection for OSX/RSPlug-F (and update it for a minor variant).

Like the last few pieces of Mac malware (OSX/iWorkS-A and OSX/iWorkS-B) OSX/RSPlug-F arrives via hacked/cracked files purporting to be a legitimate application (in this case MacCinema).

When it is installed, however, users will see:

The authors of OSX/RSPlug-F have a bizarre set of influences (as mentioned by Intego and Threat Researcher): the file names of the scripts dropped name-check various things.

Snippets from the scripts:


niagasekirtsogetni 666 nigeb
yksrepsak 777 nigeb
enialbdivad 777 nigeb

Looks strange until you see the rest of the script and realize that this is a uuencode header, reversed.

Running the scripts through a simple Perl script:


#!/usr/bin/perl
use strict;
use warnings;

# Read each line of the dropped script, strip the newline, reverse the
# characters and print the result, so the uuencode header reads normally.
while (<>) {
    chomp(my $str = $_);
    my $rev_str = reverse($str);
    print "$rev_str\n";
}

We would get:


begin 666 integostrikesagain
begin 777 kaspersky
begin 777 davidblaine

While anti-malware products often get mentioned in malware this is the first time I have seen an “illusionist”.
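As an added example (not code from the original post or from SophosLabs), here is a Python equivalent of the reversal step that goes one stage further and decodes the un-reversed uuencode block, so an analyst can recover the dropped payload in one pass. The input is a constructed reversed uuencode block for the three bytes "Cat" (file name "cat", mode 644), not the malware's own script; the function names are my own.

```python
import binascii

# Constructed sample: a uuencode block for the bytes b"Cat" with every line
# reversed character by character, the obfuscation the post describes.
# Not taken from OSX/RSPlug-F.
REVERSED_SAMPLE = """tac 446 nigeb
T%V0#
`
dne
"""


def unreverse_lines(text):
    """Reverse the characters of every line (what the Perl one-liner does)."""
    return "\n".join(line[::-1] for line in text.splitlines()) + "\n"


def decode_reversed_uuencode(text):
    """Un-reverse the lines, then uudecode the block.

    Returns (file_name, mode, payload_bytes). Lines before the 'begin'
    header are ignored, so the function copes with a script that embeds
    the block among other shell commands.
    """
    plain = unreverse_lines(text)
    payload = bytearray()
    name = mode = None
    in_body = False
    for line in plain.splitlines():
        if not in_body:
            if line.startswith("begin "):
                _, mode, name = line.split(" ", 2)
                in_body = True
            continue
        if line == "end":
            break
        if line in ("", "`"):
            # zero-length data line that terminates the body
            continue
        payload += binascii.a2b_uu(line.encode("ascii"))
    return name, mode, bytes(payload)


if __name__ == "__main__":
    print(unreverse_lines(REVERSED_SAMPLE))
    print(decode_reversed_uuencode(REVERSED_SAMPLE))
```

Running it prints the plain "begin 644 cat" block and then the tuple ("cat", "644", b"Cat"). On a real dropped script the recovered bytes would be written to disk for further static analysis rather than printed.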

Update: This malware has also been seen on websites, posing as a legitimate download. You can read more about this over on Graham Cluley’s blog, or watch the video below:


Apple Mac malware: Caught on camera from Sophos Labs on Vimeo.


Competition in the Detection Stakes and The Welfare Model

Members of the anti-virus software vendor community regularly exchange malware samples (over secure PGP, of course) with each other. This fact is difficult for many visitors to SophosLabs (customers, partners and so on) to fathom.

In a “dog-eat-dog” capitalist global economy why would SophosLabs want to aid its main competitors by sharing its malware samples with them, thereby allowing them to improve their detection rates?

It is important to bear in mind that the process does involve a quid pro quo. Ergo SophosLabs receives samples of malware from other members of the AV software community with whom it shares its own samples. Hence the description “sample exchange”.

Different AV vendors may have different customer bases and different sources of malware samples. The sample exchange gives each AV vendor the opportunity to increase its coverage, thereby providing a more robust protection for its respective customer base.

The underlying rationale for the sample exchange is hardly altruistic. Notwithstanding, the end result is a higher general detection rate for the industry as a whole; an enhancement of the protection levels for the global public over and above what they might have been in the absence of the sample exchange system. Therefore the sample exchange system is a social good. QED.

In the persistent battle against the criminal organisations who write, distribute and profit from malware and spam it is perhaps imperative for the members of the security community to collaborate with each other. This is somewhat akin to the exchange of information which occurs between various intelligence organisations in the global fight against terrorism. After all, as the age old adage goes, in the end good must prevail over evil!

  • Credits: The image is courtesy of artjumble.blogspot.com.

Antique Chair

I was having a look at some of the sites serving up Fake Anti-Virus malware, and came across this interesting content on one of the pages:

Antique Chair

Whoever wrote that really has antique chairs on the brain; they seem to keep writing that phrase when they mean to be talking about health problems associated with tobacco.

The main text actually seems to come from a government report titled “Strategies for Reducing Exposure to Environmental Tobacco Smoke, Increasing Tobacco-Use Cessation, and Reducing Initiation in Communities and Health-Care Systems”, but some random website content generation tool has taken it and replaced random words with the rather incongruous phrase “antique chair”. Bizarrely I found a lot more auto-generated web content that seems to use this same report as a basis.

If you go to another part of the same site, you get accosted by an all-too-familiar page touting the malware, detected as Mal/FakeAvJs-A:

Antique Chair Fake AV

Altogether a most antique chair method that I expect to see used antique chair, and one that definitely leads me to believe that the authors are absolutely antique chair.


Heroes

As I’m sure you’re by now aware, a security researcher named Charlie Miller was able to pwn Safari in 10 seconds at CanSecWest yesterday! A truly spectacular feat! I’m not even sure how he was able to type so fast! Let me read on…

Hmmm. Okay, so he didn’t actually do anything in those 10 seconds except copy and paste a URL into the browser. Still, it’s not like he had lots of time to prepare for his moment of supreme glory!

Oh wait. According to this Reg story, he actually had over a year to prepare. (No wonder he was able to “predict” so confidently two weeks ago that Safari would be the first to fall! Not so much his assertion that IE and Firefox would remain standing, though.) And, as numerous alarmed commentards have pointed out, he didn’t tell Apple about this critical security flaw in a piece of software used by millions of people every day.

As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.

Of course, discovering a bug is not the same thing as discovering a ready-to-go exploit, and he had to dig at it with his hacking implements before he was able to make it bleed. But arguably the very fact that he sat on it so long implies he knew it at least had the potential to be exploitable (read: profitable). So rather than reporting the bug to Apple to ensure Safari users around the world would be protected as soon as possible, Miller filed it away so that he might bag himself yet another laptop.

The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit. With today’s highly monetized black market for malware authors, this kind of bug must not be permitted to exist even for a day, let alone a year. The public good must trump personal gain if we’re to make any headway against today’s increasingly sophisticated criminals. For an employee of a reputable security company to place in danger through his inaction the security, privacy and finances of millions of people is to my mind grotesquely irresponsible, all for the sake of a few grand and another 15 minutes in the limelight. With a successful drive-by browser exploit now likely to cause many millions of dollars’ worth of damage - not to mention further erode the perceived viability of the Internet as a safe place to do business - I consider such reckless disregard to be unconscionable.

“If this competition hadn’t existed, I never would have found this bug,” Miller told The Reg, with the implication that we, the unwashed know-nothing iProles, should be grateful to him and TippingPoint and CanSecWest for their altruism. But anything laudable about this misguided competition and the bugs it (eventually) reveals is, in my opinion, entirely negated by the absolute ethical void that must accompany any system that incentivizes such antisocial behavior.

But surely I’m going too far. As The Reg points out, critical browser exploits can fetch up to $100,000 on the black market. Isn’t it “remarkable”, then, that these heroic souls were “willing to [sell the exploits to TippingPoint] for well under the going rate”?

I must agree. If we as an industry really have sunk so low that we’re genuinely impressed by the fact that our colleagues aren’t working for criminals then “remarkable” doesn’t seem to quite do it justice.


Not so lucky(sploit) mass defacements

Over the past few months SophosLabs have been seeing a relatively new kit being used by attackers in drive-by downloads to infect victims with malware. The kit is known as LuckySploit, and in this blog I will take a brief look at it and what it is currently being used for.

It is a kit that enables attackers to construct malicious sites in order to hit victims with exploits and infect them with malware. Like many previous kits (Mpack, Firepack, Icepack, El Fiesta and the like), the pages it creates contain heavily obfuscated JavaScript in an attempt to evade detection and blocking. However, unlike previous kits, LuckySploit (or at least the recent version of it) also uses encryption.

Over the past few months numerous legitimate sites have been compromised with iframes whose purpose has been to load malicious content from various domains - mainly .cn - controlled by criminals (also discussed by Danchev). Such compromised pages are being detected as Mal/Iframe-F.
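Both the SMS report earlier on this page (an obfuscated script that inserts an iframe) and the Mal/Iframe-F compromises described here come down to the same artefact: an iframe injected into a legitimate page that pulls content from a domain the site does not own, usually sized to a pixel or hidden with CSS so visitors never see it. As an added example, not Sophos's detection logic and not code from the original posts, the Python below scans an HTML page for iframes showing that pattern. The sample page, the site host name and the .cn host in it are constructed placeholders, not indicators from any real compromise.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one injected, off-site, 1x1, hidden iframe of the
# kind described, plus a harmless on-site iframe that must not be flagged.
# The hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<iframe src="http://example.invalid.cn/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/help/contact.html" width="400" height="300"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 (optionally with a px suffix)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that are off-site, tiny or hidden.

    site_host is the hostname the page was fetched from; relative src values
    are treated as belonging to that host.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host:
            reasons.append("off-site:" + host)
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("tiny")
        style = frame.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "shop.example"):
        print(src, reasons)
```

A web-site owner can run this over a crawl of their own pages to spot an injection quickly; an off-site frame that is also tiny or hidden is a strong signal, while an off-site frame on its own (embedded video, maps) needs a whitelist of expected hosts before it is treated as hostile.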

In addition to compromised legitimate sites, I have also seen various “lure” sites that have been posted to trap victims (using celebrities, current news stories and the like to catch user traffic).

Throughout January and February, these sites were redirecting to exploit scripts (perhaps an earlier version of LuckySploit?) detected as Mal/ObfJS-BP, which were serving up exploit-laden, mildly polymorphic PDFs (detected as Troj/PdfJS-Y).

More recently, we are seeing these sites redirecting to what appears to be the latest flavour of LuckySploit. The landing page consists of a heavily obfuscated script that is quickly recognizable. This page is blocked as Mal/ObfJS-BB (and historically as Mal/Baals also).

This script generates a passphrase and encrypts it, before sending it back to the server in another request. This ensures that the content sent back from the server is encrypted, in an attempt to evade detection. (Not successfully, though: these pages are detected as Mal/EncJS-A.) Ultimately, if exploitation is successful, the executable payload will be sent from the server (seen at the bottom of the figure below).

So what malware is being installed via LuckySploit driven attack sites? Unsurprisingly, financial motivation is driving these attacks. Previously it has been reported that LuckySploit is being used to infect victims with Zbot (the somewhat infamous banking malware also known as ‘Zeus’ that has been mentioned previously). Our findings certainly support this. But it is being used for more than just Zbot. The list below includes all the malware I have seen installed via LuckySploit attack sites over just the past few days:

Several of these items stealth themselves once installed making subsequent detection and cleanup trickier.

In summary, LuckySploit is just another kit enabling the bad guys to construct attacks with relative ease. And with the financial sting in the tail that these attacks typically hit you with, ensuring you deploy effective web security is as important as ever.