Sophos

Archive for August, 2009

Back with a vengeance: Fresh MS06-028 malicious PowerPoint documents

We have seen a few malicious PowerPoint documents come through the labs in the past few days. These malicious documents exploit the MS06-028 vulnerability, for which a patch has been available since June 21… 2006. Yes, that’s right — a patch has been available for more than 3 years.

If you were one of the responsible ones, having patched your system at some point before now, then by opening one of these malicious documents, you would see the following:

Though if you saw this message, it is debatable how responsible you are — you let yourself be coerced into opening a malicious PPT on your machine.

For the completely irresponsible out there — not having patched your system and remaining blissfully unaware of the many recent zero-day Microsoft Office vulnerabilities — when you double-clicked one of these malicious PPTs, you would notice a brief flicker on-screen before seeing PowerPoint open a presentation to the following first slide:

Despite the fact that PowerPoint is now displaying a valid PPT file, you can be sure the malicious payload Troj/Protux-Gen has been dropped on your machine. The screen flicker is caused by the shellcode, which drops and runs another executable Troj/ReopnPPT-A that kills any open PowerPoint processes, removes the shellcode from the malicious PPT and re-opens PowerPoint with the newly disinfected presentation.

Sophos detects the malicious documents as Troj/ExpPPT-G. Clever buffer overflow protection mechanisms cannot help defend against these documents, since the exploit takes advantage of unchecked data in file parsing logic. In short, the vulnerability allows a pointer into the memory-mapped image of the PPT file to be calculated and subsequently called.
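The check that file parsing logic needs at this point, shown as an added example rather than code from Sophos or Microsoft: the 8-byte record header layout (recVer/recInstance, recType, recLen) is the one the binary PowerPoint format uses, but the record types, sample streams and the `MalformedRecord` class below are constructed for the demonstration. Every length read from the file is treated as untrusted and compared with the bytes remaining in the enclosing container before it is turned into an offset, so an inflated length cannot make the parser compute an address outside the mapped image.

```python
"""Bounded walk over a binary PowerPoint (PPT) record stream.

Each record starts with an 8-byte header: recVer/recInstance (2 bytes),
recType (2 bytes) and recLen (4 bytes), all little-endian; a record whose
recVer is 0xF is a container whose payload holds further records.  The walker
treats every length it reads as untrusted and refuses to derive an offset that
leaves the enclosing container, which is the check the vulnerable parsing
logic described in the post did not make.  Added example, not Microsoft's or
Sophos's code; the record types and sample streams below are constructed.
"""
import struct
from typing import Iterator, Optional, Tuple

HEADER = struct.Struct("<HHI")   # recVerAndInstance, recType, recLen
CONTAINER_VER = 0xF              # low nibble of the first field marks a container


class MalformedRecord(ValueError):
    """A header would make the parser step outside the mapped image."""


def walk_records(buf: bytes, start: int = 0, end: Optional[int] = None,
                 depth: int = 0) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (depth, recType, payload_offset, recLen) for every record.

    `end` is the exclusive bound of the enclosing container.  No value read
    from the file is used as an offset until it has been checked against it.
    """
    if end is None:
        end = len(buf)
    pos = start
    while pos < end:
        if end - pos < HEADER.size:
            raise MalformedRecord(f"truncated header at offset {pos:#x}")
        ver_inst, rec_type, rec_len = HEADER.unpack_from(buf, pos)
        payload = pos + HEADER.size
        # The check that matters: recLen comes from the file, so compare it
        # with the bytes left in *this container*, not just the whole buffer.
        if rec_len > end - payload:
            raise MalformedRecord(
                f"record {rec_type:#06x} at {pos:#x} claims {rec_len} bytes "
                f"but only {end - payload} remain in its container")
        yield depth, rec_type, payload, rec_len
        if (ver_inst & 0xF) == CONTAINER_VER:
            yield from walk_records(buf, payload, payload + rec_len, depth + 1)
        pos = payload + rec_len


def count_records(buf: bytes) -> int:
    """Number of records in `buf`; raises MalformedRecord on a bad stream."""
    return sum(1 for _ in walk_records(buf))


def _record(ver_inst: int, rec_type: int, payload: bytes) -> bytes:
    return HEADER.pack(ver_inst, rec_type, len(payload)) + payload


# Constructed streams (not real PPT content): one container holding two atoms.
ATOM_A = _record(0x0000, 0x1001, b"\x01\x02\x03\x04")
ATOM_B = _record(0x0000, 0x1002, b"hello")
GOOD_STREAM = _record(0x000F, 0x03E8, ATOM_A + ATOM_B)

# Same layout, but ATOM_A's recLen is inflated: trusted blindly, it would make
# the parser read (and compute offsets) far past the end of the file.
BAD_ATOM = HEADER.pack(0x0000, 0x1001, 0x7FFFFFF0) + b"\x01\x02\x03\x04"
BAD_STREAM = _record(0x000F, 0x03E8, BAD_ATOM + ATOM_B)

if __name__ == "__main__":
    for depth, rtype, off, length in walk_records(GOOD_STREAM):
        print(f"{'  ' * depth}type={rtype:#06x} payload@{off:#x} len={length}")
    try:
        count_records(BAD_STREAM)
    except MalformedRecord as exc:
        print("rejected:", exc)
```

The point of passing `end` down on recursion is that a nested record is bounded by its container, not by the file: a length that happens to fit inside the file but overruns its container is still a malformed document and is rejected before any offset is derived from it.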

For extra peace of mind, you can also check your PPT documents before opening them with Microsoft’s OffVis tool for parsing Office documents, which was released to the public about a month ago. It detects exploits of several MS Office vulnerabilities, and indeed displays the following when examining a Troj/ExpPPT-G sample:

But this is all moot because you have already patched your system, right?


Snow Leopard malware protection system: What does XProtect do?

With the release of the new version of OS X today (Snow Leopard, OS X 10.6), Apple have added some malware protection. XProtect (we are calling it this because that is the name of the detection data file) provides a level of protection against variants of OSX/iWorks-A (OSX.Iservices) and OSX/Jahlav-C (OSX.RSPlug.A).

Users who upgrade to Snow Leopard (OS X 10.6) and who encounter the Trojans while browsing for:

and are not running a Mac specific security product (e.g. Sophos Anti-Virus for OS X), may receive a pleasant surprise:

As opposed to the message from Sophos:

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

then the files are tagged with an extended attribute called com.apple.quarantine. When the downloaded file is run (automatically or manually), this triggers the use of Launch Services. Launch Services then triggers the XProtect scan of the file.

Unfortunately, if variants of these threats find their way onto your system via an application that doesn’t set the com.apple.quarantine extended attribute, for example via:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc …)


XProtect is never triggered and thus these threats can run unfettered. However OSX/iWorks-A was distributed through infected torrents and so wouldn’t be blocked by XProtect.
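A check that follows from the mechanism just described, added here as an example and not code from Apple or Sophos: list the files under a directory that carry no com.apple.quarantine attribute, since those are exactly the files Launch Services never handed to XProtect. CPython exposes `os.listxattr` on Linux only, so on macOS the script falls back to the system `xattr` tool; the Downloads default and the sample file used in the usage are assumptions of the example.

```python
"""List files that XProtect would never have scanned.

Launch Services only hands a file to XProtect when it carries the
com.apple.quarantine extended attribute, which only some applications set on
download.  This script reports files under a directory that lack the attribute,
i.e. files that arrived by a route (Skype, BitTorrent, USB key, ...) the check
never sees.  Added example, not Apple's or Sophos's code.
"""
import os
import platform
import subprocess
from pathlib import Path
from typing import List

QUARANTINE_XATTR = "com.apple.quarantine"


def xattr_names(path: Path) -> List[str]:
    """Return the extended-attribute names set on `path`.

    CPython exposes os.listxattr on Linux only, so on macOS we fall back to the
    system `xattr` tool that ships with the OS.  Files on filesystems without
    xattr support are reported as having none.
    """
    if hasattr(os, "listxattr"):
        try:
            return list(os.listxattr(path, follow_symlinks=False))
        except OSError:
            return []
    if platform.system() == "Darwin":
        proc = subprocess.run(["xattr", str(path)], capture_output=True, text=True)
        return proc.stdout.split() if proc.returncode == 0 else []
    return []


def is_quarantined(path: Path) -> bool:
    """True when Launch Services would have run the XProtect check on `path`."""
    return QUARANTINE_XATTR in xattr_names(path)


def unquarantined_files(directory: Path) -> List[Path]:
    """Regular files under `directory` that carry no quarantine attribute."""
    return sorted(p for p in Path(directory).rglob("*")
                  if p.is_file() and not p.is_symlink() and not is_quarantined(p))


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for path in unquarantined_files(target):
        print("never quarantined:", path)
```

Run it against a folder that receives files from Skype, a torrent client or a USB key to see the gap in practice: nothing in that list was ever offered to XProtect, so it needs to be covered by an on-access scanner or checked by hand.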

Users who have Sophos Anti-Virus installed with the on-access scanner enabled will never see this new XProtect functionality - the malware is detected by Sophos long before Launch Services gets to search for it.

XProtect seems to be a natural progression from the functionality Apple added in 10.5, which warned the user before running installers or applications downloaded from the Internet or an untrusted source.

Thanks to Michael Shannon, Researcher, SophosLabs UK and Ben Jupp, Senior Mac Specialist, Sophos Global.


Skype Trojan lends an unsympathetic ear

It looks like a new Trojan for Skype has been written, and the source code distributed. A “researcher” wrote and published this Trojan (the author himself calls it a Trojan) “for educational purposes only”. Enough said.

The Trojan injects a DLL component into a running Skype process. The DLL then hooks the “send” and “recv” APIs in that process, redirecting them to the Trojan’s own functions, which lets it extract and save the audio and video data and send it back to the attacker. We’re detecting both the executable and the injected DLL as Troj/Skytap-Gen based on the samples we’ve seen so far.

The code leverages the fact that, however cleverly Skype secures the data while it’s being transmitted between callers, it is still possible to jump in at either end of the call and intercept the conversation if done carefully.

And of course this is yet another reminder that trust is a dangerous game. In this case, you yourself can be secured to the hilt, but if the person you’re talking to on Skype has a Trojan installed then it’s still going to steal the words right out of your mouth.

Image source: aussiegall’s Flickr photostream (Creative Commons 2.0)


Phishing via snail mail - Shishing?

UPDATE: This appears to have been a pen-test.

There are reports (via ISC) that US banking institutions have been subject to phishing attempts via snail mail.

Reportedly, credit unions receive a package containing a letter from the NCUA and a CD with training material on it. If the training material is in fact malware, one would suspect it most likely consists of a backdoor Trojan or a keylogger.

The NCUA press release gives slightly more information on this threat, with instructions on what to do if you receive the letter:

  • You should contact your NCUA Regional Office
  • or the NCUA Fraud Hotline at 1-800-827-9650

In addition to this advice, please contact your AV supplier and forward them a copy of the CD.

You can contact Sophos via:

Sophos Inc.
3 Van de Graaff Drive
2nd Floor
Burlington, MA
01803
USA

Tel: 781-494-5800
Fax: 781-494-5801


XSS worm targeting Chinese website

For the last few days we have seen an XSS worm outbreak on renren.com, a Facebook-like website in China.

The worm itself poses as a Flash file for the “Pink Floyd - Wish You Were Here” video, which tries to execute an external JavaScript file. The first line of the worm is a friendly greeting:

/ I’m not a malicious worm.^^;

The technique used in this worm exploits a simple XSS hole in the website, with a payload whose Flash component carries the AllowScriptAccess="always" attribute, allowing the above “non-malicious” JavaScript to spread the worm via renren.com’s API.
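For a site that lets users embed Flash, the defensive counterpart of the attribute just described is to find and downgrade it before the markup is stored. The auditor below is an added example, not renren.com’s or Sophos’s code; the `<object>`/`<embed>` markup it scans is constructed to mirror the worm’s disguise, and the `downgrade_script_access` rewrite is one possible remedy (forcing `never`), not a description of what the site actually did.

```python
"""Audit user-supplied HTML for Flash embeds that grant script access.

AllowScriptAccess="always" lets a SWF call into the hosting page's JavaScript,
which is what let the worm's "non-malicious" script run with the victim's
session on the site.  A site that accepts embedded Flash from users should
strip or downgrade the parameter before storing the markup.  Added example,
not renren.com's or Sophos's code; the sample markup below is constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

UNSAFE_VALUE = "always"


class ScriptAccessAuditor(HTMLParser):
    """Record every <embed> attribute or <param> that sets AllowScriptAccess=always."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []   # (tag, src or value)

    def handle_starttag(self, tag: str, attrs) -> None:
        # HTMLParser lower-cases tag and attribute names; values are left alone.
        a = {k: (v or "") for k, v in attrs}
        if tag == "embed" and a.get("allowscriptaccess", "").lower() == UNSAFE_VALUE:
            self.findings.append((tag, a.get("src", "")))
        elif (tag == "param" and a.get("name", "").lower() == "allowscriptaccess"
              and a.get("value", "").lower() == UNSAFE_VALUE):
            self.findings.append((tag, a["value"]))


def audit(markup: str) -> List[Tuple[str, str]]:
    """Return the offending tags found in `markup`."""
    auditor = ScriptAccessAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Attribute form: <embed allowScriptAccess="always">
_ATTR = re.compile(r'(\ballowscriptaccess\s*=\s*["\']?)always\b', re.I)
# <param name="allowScriptAccess" value="always"> and the reverse attribute order
_PARAM_NV = re.compile(r'(<param\b[^>]*\bname\s*=\s*["\']?allowscriptaccess["\']?'
                       r'[^>]*\bvalue\s*=\s*["\']?)always\b', re.I)
_PARAM_VN = re.compile(r'(<param\b[^>]*\bvalue\s*=\s*["\']?)always\b'
                       r'(["\']?[^>]*\bname\s*=\s*["\']?allowscriptaccess\b)', re.I)


def downgrade_script_access(markup: str) -> str:
    """Rewrite AllowScriptAccess=always to never in both attribute and <param> forms."""
    markup = _ATTR.sub(r"\1never", markup)
    markup = _PARAM_NV.sub(r"\1never", markup)
    return _PARAM_VN.sub(r"\1never\2", markup)


# Constructed sample: an embed posing as the "Wish You Were Here" video.
SAMPLE = """<object type="application/x-shockwave-flash" data="wish_you_were_here.swf">
  <param name="movie" value="wish_you_were_here.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="wish_you_were_here.swf" allowScriptAccess="always"
         type="application/x-shockwave-flash">
</object>"""

if __name__ == "__main__":
    for tag, detail in audit(SAMPLE):
        print(f"unsafe {tag}: {detail}")
    print(downgrade_script_access(SAMPLE))
```

Both the `<param>` form (used by `<object>`) and the attribute form (used by `<embed>`) have to be covered, because browsers honour whichever one the embedding markup supplies; checking only one leaves the other as the worm’s way in.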

This is the same technique used back in 2007 by the Orkut worm.

We now detect the worm as W32/PinkRen-A.


Don’t Get Mounted By New World of Warcraft Mounts

Today SophosLabs received a phishing scam targeting the popular online game “World of Warcraft” (WoW). The scam message disguises itself as an official Blizzard Entertainment (makers of WoW) email and states that the company is about to launch a test of new trial mounts. The message includes a fraudulent link intended to lure unsuspecting victims; to make it appear even more legitimate, the link also contains the word “worldofwarcraft”.

The link opens up a webpage which looks exactly like the main login page for WorldofWarcraft.com and requests your account name and password. After entering these details, it subsequently prompts for the player’s current e-mail, security question and answer in order to gain entry to the supposedly new mounts. Naturally, your WoW game account will be stolen once this confidential information has been submitted.

Such social engineering tricks are not uncommon; I have detailed several samples in a previous blog post.

Given that online gaming is a billion dollar industry, it is not surprising that scammers are targeting this particular community. In the last few months, SophosLabs has witnessed similar attempts, such as this phishing scam aimed at “World of Warcraft” gamers.

As the online gaming community grows, we anticipate such phishing scams targeting the MMORPG (Massively multiplayer online role-playing game) to continue to proliferate.

To avoid becoming a victim, never click a URL in an email to visit a website. In this case, you should also be alerted when the page following the login directly requests your email, secret question and answer without ever showing a login failure page.


Does the W32/Induc-A Delphi virus infection only happen to other people?

Every day, on my walk to work through downtown Vancouver, I pass a poster for a road safety campaign. It says “Being hit while jaywalking only happens to other people…” As someone who originates from England, where jaywalking is normal practice on all but the busiest roads, it is something of which I need to particularly take notice.

The internet equivalent of jaywalking might be something like peer-to-peer file sharing. If you download a file called “WorldOfWarcraftKeyCrack.exe”, do not be surprised if your anti-virus software detects that it is, in fact, an online gaming password stealer.

However, what does it mean when your anti-virus suddenly alerts on normally legitimate software, from a source you trust?

Golden Rule number 1: What is the nature of the beast? Always read the malware description!

When Sophos products detect malware, the alerts include a handy link to the malware description on our website. Use it! In particular, note what type of infection is being reported: if it is a file-infecting virus then it may indeed be infecting otherwise legitimate software.

W32/Induc-A is no exception to this rule.

As Sophos has already blogged, we have seen over 3000 files infected by the Induc virus.

Furthermore, in the last 24 hours there have been at least 11 cases where customers have submitted samples claiming that we are erroneously detecting legitimate software.

All of them have been genuine infections.

Let me underline this point: We have not had a single false positive on W32/Induc-A, nor are we ever likely to see one. If Sophos says you have a W32/Induc-A infection, we mean exactly what we say.

W32/Induc-A’s infection mechanism makes it even more likely to spread from supposedly legitimate sources.

As was already explained in Richard’s blog article, infected executables do not directly infect other executables. Instead they infect a library module (SysConst.dcu) in the Delphi development environment. When a software house producing Delphi applications becomes infected in this way, every executable it compiles is infected with the virus.

Internal applications quickly spread the infection to all the company’s developers, while external applications are distributed to customers. Customers may include other Delphi programmers, and thus the virus spreads.

What should I do if I have a W32/Induc-A, W32/Induc-B, Mal/Induc-A or Mal/Induc-B infection?

If you are a customer who has received an application infected with W32/Induc-A or W32/Induc-B, please contact the supplier of the software. Inform them of the infection, and please ask them to contact either Sophos or the technical support of their anti-virus supplier as appropriate. When they have cleaned up their Delphi installation, they should then be able to supply you with clean versions of their software.

If you are a Delphi developer, or if you have Delphi installed and have possibly executed an infected application, then it is not sufficient to simply disinfect infected executables. You will also need to clean your Delphi development environment. The most important part of this procedure is to make sure your anti-virus software can detect infected SysConst.dcu units, and replace these with clean backups. Then recompile clean versions of your software to distribute to your customers.

Of course, you should probably warn your customers about the problem at the same time.

Sophos has issued Genotype detection (Mal/Induc-A, Mal/Induc-B) for all infected versions of SysConst.dcu and SysConst.pas that we are aware of.

However, we would still like to see more samples of SysConst.dcu, SysConst.bak and SysConst.pas from any Delphi developers potentially affected by this virus, especially if you have customized versions of these units.

Sophos customers needing further assistance with W32/Induc-A, W32/Induc-B, Mal/Induc-A and Mal/Induc-B infections can always contact Sophos technical support.


W32/Induc Delphi virus infections explored

In the last 2 days there has been considerable interest in the Delphi source code infecting malware that Sophos is detecting as W32/Induc-A. Richard Cohen initially blogged about it here and Graham Cluley later posted here. In his post, Graham mentioned the fact that SophosLabs has over 3000 files that are being detected as W32/Induc-A.

I decided this was worth some investigation. At first glance it seems a significant number of files for such a short space of time. The first thing I did was to look at detection rates. I ran a selection of the files through different vendors’ scanners and found very mixed results. As they were files Sophos already had and detected, our detection rate was 100%, but detection rates for other vendors varied between 100% and just 6%. Most vendors still have work to do on detecting these files.

Whilst doing this work I noticed that some vendors were not detecting the files as Induc but as various banking Trojans. This led me down the path of suspecting that some of the files were possibly malware themselves, built on infected systems.

I retrieved the files from our database, 3352 in total. As you would expect, they are all Windows executables or DLLs. I then looked for a way of determining how many of the files were legitimate applications and how many were possibly something else. I elected to look at the version info, which is normally present in legitimate files.

Out of the 3352 files that Sophos currently detects as W32/Induc-A, only 1200 had anything in the CompanyName field of the resources. I then removed the entries where the company name was blank or contained question marks. That got me down to just 796.

By now I have just 25% of the original batch of files that contain some information. Judicious use of sort and uniq leaves me with just 275 unique entries. The list makes interesting reading. Make your mind up whether these are genuine files that you want on your system:

  • CheatsAdvanced.net
  • Grand Chase Hackers
  • LoveYou
  • MRs.Romanha
  • nnnviiririri
  • RadicalCheats
  • SearchLink (in fact several different variants of upper and lower case)
  • ThunderCheats
  • XxX13

These types of names form the basis of most of the files I was left with. The inescapable conclusion is that a significant number of these files are not wanted on customer systems, so let me reiterate Graham’s advice - if you believe the file is from a legitimate vendor then go to that vendor and request that they provide clean copies. After all, they either are, or have been, compromised in their build environment.

If you are at all suspicious of the origin of the file then delete it. It has a very high chance of being something you just do not want anyway.


More Than Just A Beep On The Radar Screen

As virus analysts, all of us have to be constantly on our toes because honestly we never know what to expect.

Let me take you through a quick summary of what happens in a typical analysis of a malware sample.

Today I encountered a sample (for which I subsequently created detection as Troj/FakeAV-XR). When I ran it on my test system, the sample proceeded to send out an HTTP message to an IP address and created a few new files.

As is customary, I check my log files, and now my monitoring tools are strangely signalling to me that the innocent and humble Windows file beep.sys has not only changed but also mysteriously grown in size.

Oooh, my interest has definitely been raised.

A quick load of the malformed beep.sys in my trusty IDA revealed at first nothing strange at the file’s Entry Point as shown below.

So far so good. However, peering deeper into the file, something caught my eye:

It doesn’t take Einstein to realise that this is a list containing the names of various anti-virus and security related applications and processes. Naturally, if we follow on the code from there, we arrive at this location:

From the code, we can now clearly see that the malformed beep.sys has acquired the ability to terminate various anti-virus and security applications and processes. A subsequent analysis of the remainder of the file only proved what I already knew: the file beep.sys is malicious.

The interesting part of all of this is that instead of following the tried and trusted method of adding or modifying the appropriate registry entries so as to load the malware on startup or logon, this particular malware is loaded by default by Windows itself.

My colleague, Pete, highlighted this trick in an earlier blog post so I won’t dwell on it again but suffice to say, it’s just another way of stealthing malware.

Oh, did I forget to mention that Sophos pro-actively detects this malicious beep.sys as Mal/FakeAle-C? Nice, eh? ;-)


Compile-a-virus - W32/Induc-A

Here’s something you don’t see every day - a virus that infects Delphi files … at compile-time.

When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system - some of the strings from the inserted code look like this:
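The clean-up steps in the Induc post above (confirm your anti-virus can see infected SysConst.dcu units, restore clean copies, recompile) and the infection mechanism just described both come down to one question a developer can answer with a file integrity check: do the SysConst units on this machine still match a known-clean install, and has a SysConst.bak appeared? The script below is an added example and not Sophos’s or the Delphi vendor’s code; the directory layout, file contents and hashes in `demo()` are constructed, and on a real machine the baseline would be built from a pristine installation before being used against the suspect one.

```python
"""Verify Delphi SysConst units against a known-good baseline.

W32/Induc-A rewrites SysConst.pas, compiles it to SysConst.dcu and keeps the
previous unit as SysConst.bak.  Cleaning a development machine therefore means
confirming those units match pristine copies and treating a stray SysConst.bak
as a sign the infection routine has run.  Added example, not Sophos's or the
Delphi vendor's code; the directory layout and hashes below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

UNIT_NAMES = ("sysconst.pas", "sysconst.dcu")   # compared case-insensitively
BACKUP_NAME = "sysconst.bak"                     # artifact Induc leaves behind


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sysconst(root: Path) -> Dict[str, List[Path]]:
    """Map lower-cased file name -> every SysConst.* found under `root`.

    Delphi keeps the .pas source and the compiled .dcu in different folders,
    so search the whole installation rather than one lib directory.
    """
    found: Dict[str, List[Path]] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower().startswith("sysconst."):
            found.setdefault(p.name.lower(), []).append(p)
    return found


def build_baseline(clean_root: Path) -> Dict[str, str]:
    """Hash the SysConst units in a Delphi install known to be clean."""
    found = find_sysconst(clean_root)
    return {name: sha256_file(found[name][0]) for name in UNIT_NAMES if name in found}


def check_delphi_install(root: Path, baseline: Dict[str, str]) -> List[str]:
    """Return findings for `root`; an empty list means nothing suspicious."""
    found = find_sysconst(root)
    findings: List[str] = []
    for name, expected in baseline.items():
        if name not in found:
            findings.append(f"{name}: missing")
            continue
        for p in found[name]:
            if sha256_file(p) != expected:
                findings.append(f"{p}: hash differs from clean baseline")
    for p in found.get(BACKUP_NAME, []):
        findings.append(f"{p}: backup unit present (Induc saves the old unit here before recompiling)")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed clean install, baseline it, then tamper with a copy."""
    base = Path(tempfile.mkdtemp())
    clean = base / "clean"
    (clean / "Source" / "Rtl" / "Sys").mkdir(parents=True)
    (clean / "Lib").mkdir()
    (clean / "Source" / "Rtl" / "Sys" / "SysConst.pas").write_bytes(b"unit SysConst; (* constructed *)")
    (clean / "Lib" / "SysConst.dcu").write_bytes(b"\x00constructed-dcu\x00")
    baseline = build_baseline(clean)
    clean_findings = check_delphi_install(clean, baseline)

    infected = base / "infected"
    shutil.copytree(clean, infected)
    lib = infected / "Lib"
    (lib / "SysConst.dcu").rename(lib / "SysConst.bak")   # the old unit kept as .bak
    (lib / "SysConst.dcu").write_bytes(b"\x00constructed-dcu+payload\x00")
    infected_findings = check_delphi_install(infected, baseline)
    shutil.rmtree(base)
    return clean_findings, infected_findings


if __name__ == "__main__":
    clean, infected = demo()
    print("clean install:", clean or "no findings")
    print("infected install:", *infected, sep="\n  ")
```

Hashing against a baseline rather than looking for a particular byte pattern is deliberate: it catches customised or re-infected units that a signature might miss, and it gives the developer a concrete yes/no answer before recompiling software for customers.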


If you find detections of this in 3rd-party software, you might want to contact your suppliers to let them know they need to have a look at their system … and also take care to check machines you might have with Delphi installed.

There’s a classic paper called Reflections on Trusting Trust which concludes that you can’t trust code that you didn’t write yourself, right down to the very lowest level - this is a great example of how compiling the code yourself doesn’t necessarily mean that it’s clean.

Update: Please be aware - this virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected. Sophos has received thousands of reports of programs infected by W32/Induc-A. Learn more on Graham Cluley’s blog.