Sophos

Archive for July, 2009

Clomp - using & abusing PsExec

We’ve been following the Clomp family of malware, also known as Clampi, for some time now. It’s a strange beast, and its nasty polymorphic packed code changes with each new release. It also has some slightly unusual features; we’ve already talked about how Clomp injects code into Internet Explorer, and how this helps our HIPS technology spot and stop the malware. Something else that’s interesting is how it spreads across a network - rather than write the code themselves, the authors had a little help from Microsoft in the form of PsExec.

PsExec

PsExec is part of a suite of tools from Sysinternals, which was bought by Microsoft in 2006. It’s a lightweight program that lets you connect to remote machines and run software there, which coincidentally is exactly what Clomp wants to do.

When Clomp runs (often as a file called 2.exe), it drops a copy of PsExec (usually as 1.exe) and uses it to try to connect to other computers on the network. If it manages to get access (for example if the infected computer is logged in as admin), then it runs itself on that remote machine. Hey presto, Clomp just used PsExec to spread like a worm!

The good news is that we detect PsExec as a potentially unwanted application - clearly it’s a tool that some people are going to want to use on their networks, but not everybody, and not everywhere. By stopping PsExec from running carefree on the network, you effectively cut off Clomp’s ability to spread, while giving an excellent early-warning signal against any new or broken forms of the malware that still use the same technique.

Our detection of PsExec and of the Internet Explorer injection technique shows how Clomp has squarely shot itself in the foot - its “clever features” mean that it announces its presence to anybody who cares to listen.


Black Hat déjà vu - Stoned again

The end of July is the time of year when SophosLabs, prompted by press coverage, starts receiving a lot of questions about newly published, undetectable pieces of malicious code that will change the threat landscape once and for all. It is Black Hat Briefings time!

As everybody knows, the real value of a conference is meeting fellow researchers, having fun, crashing parties and hopefully learning a few tricks from presenters. The Black Hat conference is so big that it gets increasingly difficult to choose which presentations to see. As a malware researcher I know I should see presentations given on the subject of malware but I often feel that it is more useful to attend non-malware related streams where I can learn more about other security issues I am not so familiar with. Being in SophosLabs allows me to analyse the latest malware so I can be unimpressed by some talks, especially the ones with subjects that keep cropping up every year.

One of those repeating subjects is MBR rootkits, often referred to as bootkits, since they replace the original boot sector code. While I do appreciate the importance of launching your code as soon as possible, for both attackers and defenders of the operating system, I cannot say I see the point of having another bootkit talk, like this year’s talk on Peter Kleissner’s Stoned bootkit framework (caution, angry blog writer).

I failed to find a motive behind the publishing of yet another bootkit source code except for self-promotion and showing off your technical skills. What is the novelty of Stoned bootkit? Through a structured bootkit framework with its own API, Stoned bootkit gives less skilled malware writers an opportunity to create sophisticated malware by reusing the published bootkit framework source code and following the simple steps outlined in Kleissner’s paper. Another advantage over previously seen bootkits is that it is allegedly more stable, supports several Windows versions, allows the writer to load other drivers using its own loader (the Sinowal rootkit driver is mentioned as an example) and works even if the drive is encrypted with TrueCrypt.

You may wonder why the author is calling the new bootkit Stoned. Well, it is an homage to the Stoned boot sector virus, which was widespread in the DOS era, sometime in the mid-1990s. The most obvious similarity between the original Stoned and the new bootkit is that both infected MBRs contain code to display the text “Your PC is now Stoned!” with a 1 in 8 probability when the system boots.

Worst of all, Peter Kleissner seems to be working as a contractor for an anti-virus company, which unfortunately gives material to people claiming that security companies first employ malware writers so that they can later create commercial tools to get rid of it.

The components of the new Stoned bootkit are detected by Sophos products as Mal/BKitDrp-A and Troj/BKit-A.


BIOS Rootkit talks…..

Two very talented researchers from CoreSecurity have recently presented at BlackHat about a new twist in the saga of security products whose presence may actually be a security risk. Anibal Sacco and Alfredo Ortega have exposed the presence, and potential security risk, of a post-theft-recovery product that may already be installed on your laptop.

These two have exposed a vulnerability in the security model of Absolute Software’s Computrace Anti-Theft Agent, which comes included in the BIOS of most notebooks sold since 2005. The Absolute Computrace technology is designed to report the location of a laptop and, in the event of theft, allow the data on the laptop to be deleted.

When activated, the BIOS component of Computrace directly alters the Windows filesystem to install and activate its agent. Once Windows has started up, this agent runs as a Windows service which connects out to a remote server to wait for instructions. At BlackHat 2009, Anibal and Alfredo demonstrated how an unauthorized privileged user could hijack the agent to contact a server of their choice. Unfortunately for AV vendors, a hijacked agent is identical to a legitimate one. The only change on the system is to a region of memory that directs where the agent reports to. The agent’s executable remains unchanged.

Many security professionals (including the authors) are referring to this as a rootkit. I personally think this is more of an extremely persistent backdoor. But those that call it a rootkit have a decent reason for doing so. Unlike most rootkits, this doesn’t actually hide anything. The purpose of a rootkit is typically to avoid detection so that a hacker’s control of a system can persist as long as possible. The parallel between this insecurity and most rootkits is the persistence aspect. If abused, this could potentially be used to provide an indirect backdoor into your system that could survive reformats, and even the complete replacement of your hard drive.

So… Do you think Sophos should detect the Computrace Agent? Let us know what you think!


BEEP! Now you see it, Now you don’t!

While in the process of analysing a recent malware sample, I noticed that there was a kernel rootkit involved. This rootkit wasn’t loaded via direct kernel injection but via the old-school technique of dropping and loading a kernel driver file.

Usually, this means that a new kernel driver file turns up on disk with a believable but made-up name in the usual place of <System>\drivers\ and to analyse the rootkit, you simply grab the new file, decompile it, and grok it.

What’s interesting about this sample is that there is no new file to grab – just a brief and temporary change to an existing driver. So how does this turn into a kernel rootkit? Thanks to (entirely legitimate!) driver development work during a former life, I can tell you how.

When you stop and start an already-running driver (assuming it supports stop/unload methods), Windows simply reloads the driver from disk, using the driver’s ImagePath value in the registry or the default driver location. If however the on-disk file has been replaced in the meantime, the replacement driver is loaded on restart!

That’s how this malware works, by replacing beep.sys and null.sys, which are part of the base install of Windows and can be stopped and restarted without introducing any system instability or showing any obvious side-effects. Thus by stopping beep.sys, replacing its driver image on disk and then restarting the fake beep.sys, the malware loads its rootkit.

The malware then immediately overwrites the hacked beep.sys with a copy of the original driver so that the on-disk rootkit sample magically vanishes.

This raises the question – is this poor man’s stealth, or clever man’s stealth?
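A defender-side check for the stop / replace-on-disk / restart chain described above, added here as an example that is not part of the original post. The event schema (timestamp, event name, target), the constructed sample telemetry and the default C:\Windows path are all assumptions; map your own service-control and file-write logs onto the same three fields.

```python
from datetime import datetime, timedelta

# Drivers the post names as safe to stop and restart, and therefore abused.
# Paths assume a default %SystemRoot% of C:\Windows (assumption).
WATCHED = {
    "beep": r"c:\windows\system32\drivers\beep.sys",
    "null": r"c:\windows\system32\drivers\null.sys",
}
WINDOW = timedelta(seconds=60)   # stop -> start must complete within this

# Constructed sample telemetry (not real logs): a harmless restart of beep,
# then the malicious stop -> overwrite -> start -> restore-original chain.
SAMPLE = [
    ("2009-07-30 10:00:00", "service_stop",  "beep"),
    ("2009-07-30 10:00:01", "service_start", "beep"),
    ("2009-07-30 10:05:00", "service_stop",  "beep"),
    ("2009-07-30 10:05:01", "file_write",    r"C:\Windows\System32\drivers\beep.sys"),
    ("2009-07-30 10:05:02", "service_start", "beep"),
    ("2009-07-30 10:05:03", "file_write",    r"C:\Windows\System32\drivers\beep.sys"),
]

def parse(rows):
    """Normalise rows to (datetime, event, lower-cased target)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, target.lower())
            for ts, ev, target in rows]

def find_swaps(rows, watched=WATCHED, window=WINDOW):
    """Return (service, stop_time, start_time) for each chain in which the
    driver's image file was written between a stop and the following start.
    A plain stop/start with no write in between is not reported."""
    hits = []
    for svc, path in watched.items():
        stop_at, written = None, False
        for ts, ev, target in parse(rows):
            if ev == "service_stop" and target == svc:
                stop_at, written = ts, False          # open a new chain
            elif stop_at is None or ts - stop_at > window:
                stop_at, written = None, False        # nothing open / expired
            elif ev == "file_write" and target == path:
                written = True                        # image replaced on disk
            elif ev == "service_start" and target == svc:
                if written:
                    hits.append((svc, stop_at, ts))   # replacement driver loaded
                stop_at, written = None, False
    return hits

if __name__ == "__main__":
    for svc, stopped, started in find_swaps(SAMPLE):
        print(f"{svc}: image written between stop {stopped} and start {started}")
```

The later write-back of the original driver leaves nothing on disk to hash, so the stop/write/start ordering, not the final file contents, is what carries the signal.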


What happens in Vegas

If you follow the world of security news at large, you’re probably aware that the BlackHat conference is currently taking place in Las Vegas. This year there appear to be quite a number of fascinating talks. For those that would like to see conference materials as they become available, keep an eye out here.

Twitter is also a good way to keep up with the latest news. Just be careful with those shortened urls.


Everywhere a tweet, tweet

I’ve been noticing a lot of spam on Twitter recently, especially tweets touting the latest and greatest malware, er I mean “PC cleaners”. How are all these tweets being generated in such a short period of time? The answer - a Twitter bot.

We got a hold of one of these bots recently and it looks relatively harmless. They even stole the image of Eve from Wall-E to make it look more innocent. It has a EULA and a fairly standard install:

Twambot Install

Once the installation is complete, this is what you see:

Twambot Run

All that remains is to log in and start spamming.

Sophos detects this as Troj/Twambot-A.


Language Is Not A Problem For Michael Jackson

Michael Jackson’s record sales have risen dramatically since his death. It is thus not surprising that spammers will not pass up on this great commercial opportunity. Today, SophosLabs received a Chinese spam campaign advertising Michael Jackson albums on DVD (highlighted by the red circle in the following picture):

The link in the above spam directs to a website offering illegal copies of software, movies and music. Apart from Michael Jackson albums, you can buy almost any digital media you want there, such as the latest Transformers 2 movie as well as Microsoft Office 2007.

While I’m all for entrepreneurship, piracy unfortunately does not fall into this category. In Asia, more than 10 billion U.S. dollars are lost through piracy[*], so it is not surprising to see spammers sending more and more spam to sell pirated products. SophosLabs analysts will continue to monitor and block such spam campaigns.


Oh the irony: Dilbert sends out 419 scams

As many of the blog readers are aware, Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages. Previously, we blogged about the scammers abusing services such as Yahoo! Calendar invites and web proxies.

In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of.

Here are two of the samples we received today:

The content of the messages is pretty typical of Advance Fee frauds - about assisting in the donation of money to the underprivileged or the transfer of money out of a politically unstable region. Ironically, today’s strip similarly features Dogbert trying to defraud money from the company by padding his stock options.

I am pretty sure the scam messages above would motivate the Elbonians to follow suit and start running advance fee scams of their own.

Jokes aside, as more and more websites add functionality to allow sharing of pages through social networks and communication channels such as Facebook, Twitter, email, SMS, etc., we’ll be seeing more and more of these services being abused. It is time for webmasters to start putting in some effort to secure these services from abuse.


Microsoft Active Template Library patches published out-of-band

One of the updates in the July set of Microsoft security bulletins (MS09-032) addressed a vulnerability which was exploited by instantiating the Microsoft Video ActiveX Control (msvidctl.dll) and seen in the wild on many malicious websites. Sophos published detection for known exploits on 6 July as Exp/VidCtl-A.

The update included kill bits for the vulnerable component, but even before the patch was published it was discovered that the actual vulnerability is not only in Microsoft Video ActiveX Control but in the underlying Active Template Library (ATL) used when the control was compiled.

This effectively means that any ActiveX control using similar functionality and compiled with ATL is potentially vulnerable, and that there are several different attack vectors that could be used to reach the exploit condition. As soon as the vulnerability in the Active Template Library was discovered, the Microsoft Security Response Center started working on a fix, but they obviously were not able to finish and test it in time for the July Patch Tuesday. Today, two new bulletins and one advisory were published to address the potential issues, hopefully more thoroughly.

MS09-034 is a cumulative Internet Explorer patch that includes code to check whether a potentially vulnerable component is being loaded and prevent that behaviour, as well as fixes for three additional privately reported remote code execution vulnerabilities. At the time of writing this blog post, SophosLabs is not aware of any malware that attempts to exploit any of the newly fixed vulnerabilities.

MS09-035 fixes the actual ATL code included with several versions of Microsoft Visual Studio, so that new ActiveX components compiled with the fixed ATL code are not affected by the incorrect pointer passing vulnerability in the CComVariant::ReadFromStream function. Developers of ActiveX components that use ATL are advised to recompile and update their components using the fixed version of the Active Template Library.

Mark Dowd, Ryan Smith and David Dewey will present their findings about the ATL vulnerability in their presentation at the Black Hat USA conference tomorrow at 3.15 pm PST. Ryan Smith has posted an interesting video showing a proof of concept exploit working even with MS09-032 applied as an introduction to their Black Hat session.

As always we have written our own vulnerability analyses with the SophosLabs Threat Level and SophosLabs comments:

MS09-034 - Cumulative Security Update for Internet Explorer

MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution


Relationships 101: Don’t write malware for your girlfriend!!

All,

Today I saw what seems to be another dumb effort by some script kiddie to please his girlfriend.

The author attempts to show off his soft side, by dedicating the Japanese band l’Arc-en-Ciel’s hit song “Honey” to his partner.

He then thanks everyone for reading about his dedication.

All very sweet. But this dedication has a malicious twist to it.

The malware deletes some files and replaces them with copies of itself. It also drops an HTML file (above pic) which lists the lyrics of the song. Quite a few registry entries are also modified. The CD tray is also tinkered with, making it open and close on its own at annoying intervals.

Tells you something about the lengths some people go to in order to please their significant others.

As this file is seen with a variety of catchy file names (like Honey.exe and Hot Pictures.exe), please always be wary of clicking on files with suspicious and enticing file names ;-).