H1 2006 Threat Summary
The first six months of 2006 seemed quiet on the surface. But a lot of new criminal malware development and exploits were happening under the surface, despite the decreased publicity. The new threats are often more expertly targeted and extremely well hidden, and criminals are continuously finding new ways to deliver their payloads behind the lines of defense.
The beginning of 2006 was also the 20th anniversary of the first PC virus, Brain, which infected computers via floppy disks. Things have changed a great deal since then, as the following report demonstrates.
At present there are over 185,000 viruses and the number continues to grow rapidly. The biggest change over these 20 years has not been in the types of viruses or amount of malware; rather it has been in the motives of the virus writers. The most significant change has been the evolution of virus writing hobbyists into criminally operated gangs writing viruses for financial gain. And this trend is continuing with most new malware having a financial motive, turning infected PCs into bots being used for distributed spam or phishing e-mails or being used to steal personal and financial information.
In March 2005 F-Secure launched its Blacklight engine for detecting rootkits. Rootkits are effectively cloaking devices, which allow malware authors to enter a computer under the radar and go about their business completely undetected. Since that time, we’ve seen a steady growth in the number of various kinds of malware using rootkit technology to hide. Interestingly, most other data security vendors still fail to offer rootkit detection technology in their offerings, even after the Sony DRM rootkit case made the headlines late last year. And the stakes are getting higher: as early as May 2006 a backdoor scam was found on an online gaming site, using rootkit technology to covertly glean information from players who downloaded an apparently useful poker utility program. Luckily this showed up on our Blacklight radar and was successfully neutralized.
In other news, 2006 was the year that saw the mobile malware count reach and exceed the 200 mark. If you compare the figures against the PC world, this does not warrant a state of alarm but it certainly indicates a growing trend. As mobile phones become more like computers offering the possibility to make financial transactions, it’s certain that the malware community will follow suit with new exploits.
Hectic Start to the Year
2006 started in a very hectic way with the zero-day exploit in the Windows Graphics Rendering Engine and the way it handles Windows Metafile (WMF) images, an exploit which was found at the end of 2005. In just a few days a large number of malicious files using the exploit were found, and with no vendor patch available, Ilfak Guilfanov at DataRescue was the first to create a temporary patch for the vulnerability. Microsoft broke its pattern of only providing updates once a month by shipping an update on the 5th of January. One of the incidents we saw was a highly targeted attack on the UK parliament. E-mails like the one below were sent from a South Korean computer to a few dozen high-profile e-mail addresses.
The e-mail encouraged users to open the attached MAP.WMF file - which exploited the computer and installed a backdoor that allowed full access to all the data on the machine. What made the case really interesting was the social engineering texts used in the e-mail. It was obviously crafted to look like a message from a spy movie with a secretive tone - of course raising the curiosity of the recipients and getting them to open it.
January continued to be a very busy month, with yet another e-mail worm appearing on the 17th of the month and spreading very aggressively. The new worm, called Nyxem.E (with aliases such as MyWife, Blackworm and Blackmal), was interesting on two counts: it used a web counter to keep track of the number of infected computers, and it was set to overwrite files on a certain date every month. In these days of cyber crime, it’s not very often we see malware with destructive payloads like this one. The web counter was another interesting thing about this malware. It’s not the first malware to use a web counter, but this time we were able to get the statistics from the counter provider in order to create a breakdown of all the IP addresses that had visited the counter. We mapped the IP addresses with our F-Secure Worldmap technology to create a world map showing all the affected machines.
The most infected countries were India, Peru, Turkey and Italy. Fortunately, by the time the malware activated on February 3, most users had already cleaned their computers, much thanks to the warnings distributed via the news media. However, thousands of users still had their Excel spreadsheets or Word documents overwritten. All in all, the worm overwrote 11 different file formats. Nyxem.E continues to be active on the 3rd of every month, trying to overwrite files on infected machines. Most reports of affected users continue to originate in India.
The virus-free Macintosh honeymoon is over. In February the first virus ever for Mac OS X was found when Leap.A appeared. The malware was originally posted to the MacRumors discussion forum. The virus, spreading via iChat and by infecting local files, was soon followed by other viruses for the same platform, among them a proof-of-concept virus named OSX/Inqtana.A, which uses a vulnerability in the Bluetooth OBEX Push functionality to spread from computer to computer.
Rootkits Still a Problem
One of the big issues in 2005 was the Sony BMG rootkit case, where CDs were sold with a DRM (Digital Rights Management) copy protection scheme that used rootkit technology to hide its presence from users. Rootkits continued to be a problem in the first quarter of 2006, with lots of new malware using rootkit techniques to hide its installed files. One example is the Feebs worm, whose variants hide their presence with a rootkit. It spreads as an e-mail attachment but, instead of generating e-mails by itself, it waits until the user sends an e-mail and automatically attaches itself to the e-mail in transit without the user’s knowledge. The benefit is of course that the e-mail will always look like a proper e-mail message, because it is! However, the spreading rate will be much slower compared to other e-mail worms.
In February we received reports of a case very similar to the Sony BMG one. The German DVD release of the movie "Mr. & Mrs. Smith" contained a copy protection mechanism that used rootkit-like cloaking technology.
The Settec Alpha-DISC copy protection system used on the DVD hides its own process but, fortunately and unlike the Sony BMG rootkit, it doesn’t hide any files or registry keys, making it impossible to use this rootkit to hide malicious files.
Our message to software companies producing any software (not just copy protection products) is clear. You should always avoid hiding anything from the user, especially the administrator. It rarely serves the needs of the user, and in many cases it makes it very easy for hackers to breach the security system.
Two of the most widespread worms used to install bot-clients have had rootkit technology added to them. In March, variants of both the Bagle and Mydoom families were found, using rootkit technology to hide the worms’ files, processes and registry keys. The Bagle variants are the most interesting in their demonstration of viral evolution and collaboration among virus authors. Two years ago Bagle was a simple virus consisting of one EXE file, e-mailing itself around. It's not like that anymore. Bagle's authors for example maintain a complex network and have constructed a suite of programs that work together as the following diagram illustrates:
The rootkit technique used in both of the cases mentioned is the so-called kernel-mode rootkit, which means that the rootkit has direct access to all system functions, thus making detection even more difficult. If the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on. Fortunately, the F-Secure Blacklight rootkit elimination scanner is able to detect these threats.
In mid-May we saw a new twist on rootkit abuse. An online poker backdoor, covertly storing gamblers’ information for potential theft, was uncovered by F-Secure’s proprietary rootkit detection technology, Blacklight. In this case the online tool RBCalc.exe, also known as a Rakeback calculator, had been unwittingly distributed from a legitimate gaming site, Checkraised.com.
The backdoor, a method for bypassing normal authentication or securing remote access to a computer, was created by silently dropping files onto the user’s computer, using a rootkit driver to conceal the operation. With this in place, the tool’s author could access login information for various online poker websites from the user's computer. Having gained access, the hacker could then play poker against himself, losing on purpose and reaping the rewards.
Shortly after the discovery, Checkraised.com removed the offending exe file from its website and issued an official statement on its website advising users to change their poker site passwords as well as offering instructions for manually removing the malware.
Mobile Malware for Everyone
Mobile malware has now been around since June 2004, but so far damage has been limited. The first Java or J2ME malware was found at the end of February with the emergence of the Redbrowser trojan. This trojan tries to steal money by portraying itself as a way to use WAP services for free. When run, it sends premium-rate SMS messages to a number in Russia, costing the user around 5 USD for every message sent. Fortunately, the exploit was limited by its use of language: Russian. However, we anticipate seeing attacks of a similar nature in other languages in future.
In March of 2006 the first mobile spyware application was found in the form of FlexiSpy. It is a commercial application: once installed on the mobile device, the software monitors all calls, SMS and MMS messages and posts them to a portal that the customer logs into. The software is advertised as a clever means for suspicious husbands or wives to keep track of their spouses’ online activities. For those couples with the right data security installed, however, this will not work. F-Secure Mobile Anti-Virus detects and removes this spyware application, as it installs itself without any indication of what the functionality of the software is.
In March, the mobile malware count reached and exceeded the 200 limit.
Launch of F-Secure Worldmap
The F-Secure Worldmap is a system used by the Security Research Labs to monitor the spreading of viruses, in real-time, around the world. The system can also be used to play back earlier events, for example when comparing a new outbreak with a previous one to determine the correct alert level to the press and other bodies. In March, a public version of the tool was launched on our website, making it possible for anyone to see the spreading of viruses around the world. Visitors to the website can easily see the virus situation at any given time and also in a particular location.
Phishing is Popular
F-Secure conducted a simple search across the com/net/org/us/biz/info top-level domains for common bank names and other financial institutions, and the results show that they are very well represented on the web. Clearly some of these are legitimate, but typically most are there to separate the foolish from their money.
| Keyword | Number of Domains |
|---|---|
Unfortunately, phishing works. In a recent study examining phishing website techniques, it turns out that the most visually deceptive website spoof was able to fool 90 percent of the study's participants. That 90 percent figure includes the most technically advanced users among the participants. It was the look, not the spoofing of security features that did the job - something that our resident phishing expert found quite interesting.
Crossing disciplines and summing up an article published last summer in the journal Neuron - If you don't see something often, you won't often see it. Perhaps you could also say - If you don't see fakes often, you won't often see fakes. Therefore, many phishers while designing visually deceptive phishing sites count less on technical subterfuge than on the failings of the human brain's power of perception. If it looks like what the brain is expecting, then the brain often won't see that it isn't.
Our experts wonder why banks don't allow users to customize their online banking interface with a picture of their choice, for example a passport picture, an image of a pet or another family member, something at least that would indicate authenticity and that the users would miss if it weren't there. There are companies that are working on visual personalization technology, and the data security researchers at F-Secure think it's a good idea that could significantly reduce the size of the phishing net. We are starting to see it happen.
No April Fool
There is one day of the year on which it’s commonly understood that you shouldn't believe everything you hear: April 1. For some reason, a surprising number of people thought that our new Moomin-themed security product, Internet Security 2006, was an April Fool's Day joke, which is presumably what you get when you announce something like that on such a day!
But the Moomin-themed product is very real and will be available in Europe this year. It's already for sale in Japan, and there's good reason for that. The worldwide popularity and merchandising of the Moomin family dramatically increased in the 1990s when a Japanese production studio animated the stories, making them massively popular there.
Modern Car Jacking
In a parallel step away from viruses, modern car thieves don’t bother with crowbars or improvised coat hangers to break into modern cars - they use laptops. If your expensive car is using a keyless ignition 40-bit encryption authentication system you might find your ride gone in 60 seconds.
Robert Vamosi has written an article on keyless ignition systems based on a study from Johns Hopkins University and RSA. Vamosi noted in conclusion that the manufacturers of the RFID systems don't seem to think there's a problem. Perhaps they should ask David Beckham who had his BMW X5 stolen in Spain using exactly this technique. So our advice is, until there is any change in the situation, should you have such an ignition key, get yourself a tin foil cover for it! It's an interesting read, check it out at the following address: http://reviews.cnet.com/4520-3513_7-6516433.html?tag=txt
What’s the Word?
In late May there was quite a lot of discussion about the new zero-day vulnerability in Word. According to sources, a US-based company was targeted with e-mails that were sent to the company from the outside but were spoofed to look like internal e-mails.
The e-mails contained a Word DOC file as an attachment. When opened, the exploit file ran a backdoor hidden with a rootkit, allowing unrestricted access for the attackers, who operated from a host registered under the Chinese 3322.org domain.
DOCs are a nasty attack vector for a couple of reasons. A few years ago, when macro viruses were the number one problem, many companies blocked native DOC files at their e-mail gateways. Nowadays DOCs are typically admitted. The more important reason to be concerned is that Word has vulnerabilities, and users typically don't install Word patches nearly as diligently as Windows patches.
3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org and the service will point that hostname to any IP address specified. There's actually a series of such services, including 8866.org, 2288.org, 6600.org, 8800.org and 9966.org. If you have any doubt about the origin of a Word doc entering your e-mail, we'd recommend that you at least check your company's gateway logs to see what kind of traffic you have to such services.
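One way to perform the gateway-log check recommended above is to look for any hostname under the listed host bouncing services in proxy and DNS query logs. The script below is an added example, not part of the original report: it matches on the domain labels (so "foo.3322.org" is a hit but "x3322.org" and "3322.org.example.com" are not), reads Squid native-format proxy lines (including CONNECT requests, which carry host:port rather than a URL) and BIND-style query-log lines, and summarizes which internal clients talked to which hosts. The log lines, client addresses and hostnames are constructed for the example; the only real identifiers are the six service domains named in the text.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Free "host bouncing" (dynamic DNS) services named in the report.
DYNAMIC_DNS_DOMAINS = ("3322.org", "8866.org", "2288.org", "6600.org", "8800.org", "9966.org")


def is_dynamic_dns_host(hostname: str) -> bool:
    """True if hostname is one of the services or any label beneath it.

    Matching is label-based: 'x3322.org' and '3322.org.example.com' are not
    hits, while 'foo.3322.org' and 'a.b.3322.org' are. A trailing dot
    (as DNS logs often write it) and upper case are tolerated.
    """
    host = hostname.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in DYNAMIC_DNS_DOMAINS)


def host_from_proxy_line(line: str):
    """Return (client_ip, destination_host) from a Squid native-format line.

    Field layout: time elapsed client action/code size method url ...
    CONNECT requests log 'host:port' in the url field instead of a full URL.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    client, target = fields[2], fields[6]
    host = urlsplit(target).hostname if "://" in target else target.rsplit(":", 1)[0]
    return (client, host) if host else None


# BIND query-log shape: "client 10.0.0.31#3021: query: host.example IN A +"
DNS_QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")


def host_from_dns_line(line: str):
    """Return (client_ip, queried_name) from a BIND-style query-log line."""
    m = DNS_QUERY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def find_dynamic_dns_hits(lines, extractor):
    """Run an extractor over log lines and keep records that point at the services."""
    hits = []
    for line in lines:
        rec = extractor(line)
        if rec and is_dynamic_dns_host(rec[1]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count how many records each flagged hostname appears in."""
    return Counter(host for _, host in hits)


# Constructed sample logs (Squid native format and BIND query log); not real traffic.
PROXY_LINES = """
1148723521.411    312 10.0.0.12 TCP_MISS/200 1325 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1148723530.002     88 10.0.0.31 TCP_MISS/200  512 GET http://update-check.3322.org/cmd.txt - DIRECT/198.51.100.7 text/plain
1148723541.776   2014 10.0.0.31 TCP_MISS/200  903 CONNECT ns2.8866.org:443 - DIRECT/198.51.100.8 -
1148723555.120    140 10.0.0.40 TCP_MISS/200 4000 GET http://news.x3322.org.example.net/a - DIRECT/192.0.2.44 text/html
""".strip().splitlines()

DNS_LINES = """
27-May-2006 09:15:02.337 client 10.0.0.31#3021: query: update-check.3322.org IN A +
27-May-2006 09:15:04.101 client 10.0.0.12#1044: query: www.example.com IN A +
27-May-2006 09:16:40.912 client 10.0.0.52#2090: query: mail.9966.org IN MX +
""".strip().splitlines()


if __name__ == "__main__":
    all_hits = find_dynamic_dns_hits(PROXY_LINES, host_from_proxy_line)
    all_hits += find_dynamic_dns_hits(DNS_LINES, host_from_dns_line)
    for client, host in all_hits:
        print(f"{client} -> {host}")
    print(summarize(all_hits))
```

Only the decoy line (a hostname that merely contains "3322.org" as part of a longer label) is ignored; everything else under the six domains is reported along with the internal client that requested it, which is the list you would then cross-check against who received the suspicious document.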
Da Vinci Mobile Virus - Truth or Fiction?
Also in late May, a rumor originating in an online Indian publication caused a stir about a new mobile virus using the name "Da Vinci virus", malware obviously riding on the marketing buzz around the general Hollywood release of "The Da Vinci Code".
By the end of May, the F-Secure Data Security Laboratory didn't have a single infection report and no sample of such malware. Is it truth; is it fiction? Time will tell but for a look at the original story go to: http://ww1.mid-day.com/news/city/2006/may/137895.htm
World Cup or Own Goal?
And last of all, eager football fans in Germany might get a bit more than they bargained for if they respond to a new mass-mailing worm called Banwarum (also known as Zasran and Ranchneg) that is using World Cup themed e-mail messages.
The worm sends itself as a password protected archive and includes in the e-mail the password for it. The e-mails sent by the worm are in German and some of them offer tickets for the football games in Germany in June. There are already three functionally similar variants of this worm. FSAV detects .A and .B variants of the worm with update version number 2006-05-24_04 and variant .C with update version number 2006-05-25_01. One of the e-mails sent by the worm looks as follows in English translation:
"I saw that you want to go to the World Cup. Don't ask who I am and why I am doing this. Here you have 5 pieces, which are a special on-line version, print it and sign. Password to the archive is (psw).
With friendly greetings Nobody ;)"
For all soccer fans, we at F-Secure recommend you search for more information on the World Cup and the tickets from the official site for the 2006 FIFA World Cup Germany.
Virus Statistics for the First Half of 2006
The top 10 viruses reported to the F-Secure Worldmap for the first quarter of 2006 were:
By June 2006, just 20 years after the first detected virus, Brain, there were over 185,000 recorded viruses.
Authors: Patrik Runald, Senior Security Specialist and Mark Woods, Corporate Communicator