H2 2006 Threat Summary
Contents:
- Bogus domain names support phishing
- Warezov makes headlines and headaches
- Social networking sites under worm threat
- VML Exploit put IE users at risk
- Research team boosted by Kuala Lumpur security laboratory
- Mobile malware - the usual suspects and a few notable oddities
- Commwarrior - again...
- Mobile spyware - legitimate or not?
- And finally
As 2006 winds to a close, the basic trends in the data security world and its counterpart in the malware community seem, for the time being, relatively predictable.
Although the number of known viruses kept growing at a steady pace, 2006 witnessed a remarkable step down in the volume of visible attacks by worms, viruses and other malware. At the same time, however, targeted attacks using backdoors, booby-trapped document files and rootkits became increasingly commonplace. Spam, too, reached new record-breaking heights.
In place of widespread malware assaults, 2006 has been characterized by targeted attacks which do not make the headlines and which typically have one motivation - money. In such scenarios, a hacker may target a single company, use a cloaking device like a rootkit to conceal a backdoor and extract valuable information for their own financial gain or that of the person(s) interested in having such data. Many of these cases use forged e-mails with a booby-trapped Microsoft Office document as the way to gain entry.
The other more visible malware assault motivated by money is phishing. 2006 has seen a significant increase in the kinds of scams that use clever social engineering techniques and well-engineered bogus websites to separate the unwary from their money. And obviously phishing works since the attacks continue to build in force and complexity. Lately, phishers have been using websites with an average life of just one hour to try to entice web users before disappearing off the radar.
PayPal and eBay continue to be the most targeted organizations for phishing attacks, but some German banks are climbing up the ranks. This finding was confirmed in November by PhishTank, a service run by OpenDNS which published its first set of phishing statistics.
Bogus domain names support phishing
In October, the F-Secure Research team's interest was piqued by the active aftermarket in domain names - names that have already been registered and are now being resold. For example, hell.com and auction.com, which came up for sale in October, were expected to fetch several million dollars each - quite a mark-up for sites that were originally registered for something like 5 to 15 USD.
Typically, however, most domain names are resold for a few hundred or a few thousand dollars, and the largest resellers for such transactions are Sedo and Moniker. The Research team was particularly interested in the resale of domains that obviously belong to banks or other financial institutions - domains like chasebank-online.com, citi-bank.com and bankofameriuca.com.
The list included something like 30 more sites for resale, all very similar in name to their legitimate counterparts. The question is, why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer?
The Research team also found that the companies in question are reselling accented domain names, created by substituting letters such as "á" and "í" for the plain "a" or "i", to produce highly deceptive names like vísa.com, pàypal.com and paypàl.com - almost indistinguishable from the legitimate sites. Sedo responded to the questionable nature of selling site names which appear to be legitimate sites but are not. Sedo's general counsel, Jeremiah Johnston, said his company wants to "balance the rights of all users" and added that at times, trademark owners "harass a lot of legitimate domain owners".
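Because every deceptive name in this list is a small variation on a legitimate label, a defender watching domain resale listings or new registrations can catch most of them mechanically. The following is an added example, not part of the F-Secure summary: it folds accented letters back to the ASCII skeleton a reader actually sees, measures edit distance against a list of protected brands, and flags hyphenated or brand-containing names. The protected list and the candidate domains are constructed for illustration (several of the candidates are the names quoted above); the same checks generalize to any brand list.

```python
"""Flag registered domain names that impersonate protected brands.

Added example (not from the F-Secure summary). The protected list and the
candidate domains are constructed for illustration.
"""
import unicodedata

# Legitimate domains we want to protect (constructed list).
PROTECTED = {"paypal.com", "visa.com", "chase.com", "citibank.com", "bankofamerica.com"}


def fold_accents(label: str) -> str:
    """Map accented letters to their base letters, e.g. 'pàypal' -> 'paypal'.

    NFKD splits 'à' into 'a' plus a combining accent mark; dropping the
    combining marks leaves the ASCII skeleton a victim's eye actually reads.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> list:
    """Return (kind, protected_domain) findings for one candidate domain."""
    domain = domain.lower().rstrip(".")
    if domain in PROTECTED:
        return []                              # the real thing
    raw_label = domain.rsplit(".", 1)[0]       # drop the TLD
    folded = fold_accents(raw_label)
    skeleton = folded.replace("-", "")
    findings = []
    for legit in sorted(PROTECTED):
        brand = legit.rsplit(".", 1)[0]
        if skeleton == brand:
            if folded != raw_label:
                findings.append(("homograph", legit))      # vísa.com
            elif "-" in folded:
                findings.append(("hyphenated", legit))     # citi-bank.com
            else:
                findings.append(("other-tld", legit))      # paypal.net
        elif levenshtein(skeleton, brand) <= 1:
            findings.append(("typosquat", legit))          # bankofameriuca.com
        elif len(brand) >= 4 and brand in skeleton:
            findings.append(("contains-brand", legit))     # chasebank-online.com
    return findings


def report(domains) -> dict:
    """Map each suspicious candidate to its findings; clean names are omitted."""
    return {d: classify(d) for d in domains if classify(d)}


if __name__ == "__main__":
    # Constructed resale listing mixing the names quoted above with clean ones.
    listing = ["paypal.com", "pàypal.com", "vísa.com", "bankofameriuca.com",
               "citi-bank.com", "chasebank-online.com", "example.com"]
    for name, hits in report(listing).items():
        print(name, "->", ", ".join(f"{kind} of {legit}" for kind, legit in hits))
```

The accent folding is the step that matters for the vísa.com / pàypal.com cases: a plain string comparison never sees them as related to the brand, while the NFKD skeleton makes them an exact match. The edit-distance threshold of one is deliberately tight to keep false positives low on short labels; raise it only for long brand names.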
Continuing the phishing line, in late August the Research team were given a heads-up about a PayPal phishing site apparently designed to perform a man-in-the-middle attack on a user's password. The site displayed a genuine-looking login box into which the user had to type a valid PayPal user name and password; the team's assumption was that the scammer had created a shadow login to the real PayPal site behind the scenes. Anybody falling for this highly convincing ruse would relinquish their password and most likely their credit card number too. Luckily, the alert came before the site was actually spotted in the wild, and abuse notices about it were sent to the appropriate authorities.
We expect man-in-the-middle phishing to become a real issue in the future.
On the same theme of legitimate companies supporting the activities of illegitimate enterprises, at the end of August Tripod, the free web hosting service from Lycos, was found to have a number of phishing sites hosted on its servers. Some examples of sites that were active included:
The Research team wondered why Tripod had not done more to prevent people from creating new hosts with names like "pay-pal-redirect", or at least scanned user-created content every now and then to find obvious copies of eBay or PayPal login pages. In all instances, abuse messages about the above sites were sent to both Tripod and PayPal; ten hours later, five had been taken offline by Tripod.
Warezov makes headlines and headaches
During 2006, we've only seen two large "traditional" e-mail worm outbreaks: Nyxem and Warezov.
The Warezov mass-mailing worm attacks started in August. Warezov and its many variants sent themselves as e-mail attachments to addresses found on the computers they had infected. In some cases, the infected attachment could start automatically; in other cases, the system was infected when the user opened the attachment. Warezov also attempts to download updated variants of itself from specified website(s) on the Internet.
After the worm's file is run, it shows a message box as a decoy, installs itself to the system and creates a startup key for itself in the Windows registry so that it runs whenever Windows is started. It then stays active in the system's memory. While active, the mass-mailer searches specific files (HTML files, for example) on all available hard disks for e-mail addresses. Finally, it connects to an available mail server and sends itself to all the addresses it has found.
What was interesting about this worm was the fact that it was able to spread on its own, just like e-mail worms from earlier years, and it was by far the most actively spammed attack during 2006. All the variants initially used the same website to download additional components and updates: gadesunheranwui.com - a domain registered by the authors of this malware just for this reason.
By November, Warezov's purpose had been revealed as a highly coordinated exercise in spam propagation. Warezov-infected machines were shown to download additional components which, after a variable delay, started sending out spam messages advertising Viagra, Vialis, Valium and Xanax clones. Spam messages like the following:
The Research team made the connection between the virus and the spam just by looking at the domain names used by the Warezov gang for both the virus component download and for the hosting of the fake Viagra sites.
Warezov is spread by spamming slightly modified versions of the downloader component, which the spammers modify as soon as the major antivirus products add detection for that particular component. Once the downloader is executed on a computer, it connects to a download URL. A typical URL would be, for example:
The spam messages link to fake Viagra sites like these:
Interestingly, the domains used by the fake Viagra shops not only have similar sounding names to the downloader URLs but also have the same registration information. All the domains we've seen can be categorized according to just three different groups: domains registered to "Wang Pang", "Dima Li" or "Bai Ming".
And when comparing the domain names used in the virus to domains shown in the spam messages, we can see that they overlap, proving that these are all part of a single operation:
Still in November, Warezov continued its run, and F-Secure continued to add detections at the same rate. With many of the pieces of the jigsaw falling into place, new variants of the worm are now automatically blocked by F-Secure Internet Security 2007's System Control feature. Nevertheless, Warezov seems to be malware that will continue to cause headaches for researchers and users for some time to come.
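The pivot the Research team describes above (grouping domains from two evidence sources by their registration data and looking for overlap) is easy to reproduce once the download URLs and the spam landing pages have been collected. The following is an added example and not F-Secure's tooling: apart from gadesunheranwui.com and the three registrant names quoted above, the records are constructed, with .invalid domains standing in for the rest.

```python
"""Tie malware-download domains to spam-advertised shops by pivoting on
shared registrant data.

Added example, not from the F-Secure summary. The records are constructed:
only gadesunheranwui.com and the three registrant names come from the
summary; the .invalid domains are stand-ins.
"""
from collections import defaultdict

# role "downloader": domain a Warezov sample fetched components from
# role "spam-shop":  domain advertised in spam sent by infected machines
RECORDS = [
    {"domain": "gadesunheranwui.com",    "role": "downloader", "registrant": "Wang Pang"},
    {"domain": "dl-second.invalid",      "role": "downloader", "registrant": "Dima Li"},
    {"domain": "dl-third.invalid",       "role": "downloader", "registrant": "Bai Ming"},
    {"domain": "pills-first.invalid",    "role": "spam-shop",  "registrant": "Wang Pang"},
    {"domain": "pills-second.invalid",   "role": "spam-shop",  "registrant": "Dima Li"},
    {"domain": "dl-third.invalid",       "role": "spam-shop",  "registrant": "Bai Ming"},
    {"domain": "unrelated-shop.invalid", "role": "spam-shop",  "registrant": "Someone Else"},
]


def cluster_by_registrant(records):
    """registrant -> role -> set of domains."""
    clusters = defaultdict(lambda: defaultdict(set))
    for rec in records:
        clusters[rec["registrant"]][rec["role"]].add(rec["domain"])
    return clusters


def linked_registrants(records):
    """Registrants who own domains in both roles. Each one is a direct link
    between the worm's update infrastructure and the spam it sends."""
    clusters = cluster_by_registrant(records)
    return sorted(name for name, roles in clusters.items()
                  if {"downloader", "spam-shop"}.issubset(roles))


def shared_domains(records):
    """Domains used both as a download site and as a spam landing page."""
    by_role = defaultdict(set)
    for rec in records:
        by_role[rec["role"]].add(rec["domain"])
    return sorted(by_role["downloader"] & by_role["spam-shop"])


def blocklist(records):
    """Every domain of a linked registrant plus every directly shared domain:
    the set a defender would block once the link is established. Domains of
    registrants seen in only one role are left out."""
    clusters = cluster_by_registrant(records)
    out = set(shared_domains(records))
    for name in linked_registrants(records):
        for domains in clusters[name].values():
            out |= domains
    return sorted(out)


if __name__ == "__main__":
    print("linked registrants:", linked_registrants(RECORDS))
    print("shared domains:    ", shared_domains(RECORDS))
    print("blocklist:         ", blocklist(RECORDS))
```

The two link types are deliberately kept apart: a registrant seen in both roles is circumstantial evidence that can be wrong when WHOIS data is forged or privacy-protected, whereas a domain that appears in both roles is a hard link. Keeping them as separate functions lets an analyst weigh them differently before expanding a blocklist.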
Social networking sites under worm threat
At the end of July, the Research team came across further examples of web application worms exploiting persistent cross-site scripting (XSS) vulnerabilities in websites. This is a new category of malware and a growing concern for popular websites. Social networking sites seem to be the most popular target right now thanks to their immense popularity and user bases. MySpace has already been hit by two such worms - the Samy worm in October 2005 and a "Flash" worm in July 2006. Samy was written by somebody who wanted to become popular on MySpace: the author designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million "friends" in a couple of hours. The MySpace Flash worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.
In July, MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.
And here’s something to consider: The WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser exploit - maybe even a zero-day exploit, could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base...
We recommend that end users patch their computers and that web application developers start taking security seriously. XSS issues stopped being funny a long time ago. They are a real danger now that phishing and web application worms can exploit a mass user base of millions of users within a very short time. Of course, the Research team reported the issues to the affected websites and is working with them to get the issues fixed. The writing is on the wall - let's hope the malware community can't read that quickly.
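The root cause of a persistent XSS worm is a page that echoes stored user content straight back into its HTML. The following added example (not MySpace's or F-Secure's code) shows a profile-rendering function in its vulnerable form beside its escaped form, and uses Python's own HTML parser to audit what a browser would actually execute in each case. The profile values and the script URL are constructed placeholders.

```python
"""Stored (persistent) XSS in a profile page: vulnerable rendering beside the
escaped version, plus a parser-based audit of what a browser would execute.

Added example, not MySpace's or F-Secure's code. The profile values and the
script URL are constructed placeholders.
"""
import html
from html.parser import HTMLParser

# Constructed attacker-controlled profile fields: the kind of content a web
# application worm stores in its own profile so that every visitor runs it.
EVIL_NAME = 'Samy" onmouseover="x'
EVIL_ABOUT = '<script src="//example.invalid/worm.js"></script>'


def render_profile_unsafe(display_name: str, about_me: str) -> str:
    """Vulnerable: user text is concatenated straight into the HTML."""
    return (f'<div class="profile" data-name="{display_name}">'
            f'<h1>{display_name}</h1><p>{about_me}</p></div>')


def render_profile_safe(display_name: str, about_me: str) -> str:
    """Fixed: every user-controlled value is HTML-escaped; quote=True also
    escapes " and ' so an attribute value cannot be broken out of."""
    name = html.escape(display_name, quote=True)
    about = html.escape(about_me, quote=True)
    return (f'<div class="profile" data-name="{name}">'
            f'<h1>{name}</h1><p>{about}</p></div>')


class ActiveContent(HTMLParser):
    """Collect element names and on* event-handler attributes as a browser
    would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(markup: str) -> dict:
    """Summarise what the rendered page would execute."""
    parser = ActiveContent()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags,
            "scripts": parser.tags.count("script"),
            "handlers": parser.handlers}


if __name__ == "__main__":
    print("unsafe:", audit(render_profile_unsafe(EVIL_NAME, EVIL_ABOUT)))
    print("safe:  ", audit(render_profile_safe(EVIL_NAME, EVIL_ABOUT)))
```

Escaping at output time, for the context the value lands in, is the fix; filtering stored input on the way in is not a substitute, because the worm author controls the input and only needs one encoding the filter missed. The audit function is a cheap regression test: any rendering path whose output contains a `script` element or an `on*` attribute that the application did not put there is a bug.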
VML Exploit put IE users at risk
In late September, F-Secure reported a VML exploit for Internet Explorer in the wild that allowed remote code execution; the only action necessary to become infected was to view a malicious webpage in Internet Explorer or an HTML-formatted e-mail.
Fortunately for IE users, Microsoft promptly published Microsoft Security Advisory (925568) regarding the issue, and an update was scheduled for October. As a workaround, users were advised to unregister the vulnerable DLL from the system.
For most users, the vulnerability represented a limited threat since the vgx.dll component solely handles Vector Markup Language (VML) - something not too many websites use these days. Microsoft's Outlook e-mail client was also potentially vulnerable to this exploit but fortunately again, e-mail is treated as if from Restricted Sites by default, where Binary and Scripting Behaviors are disabled.
Research team boosted by Kuala Lumpur security laboratory
F-Secure opened a new Asian Technology Centre in Malaysia in September 2006. It is the home of the F-Secure Security Labs in Kuala Lumpur. Malaysia was selected as a key hub for Asian operations for its well-qualified human resources, the country's initiative to encourage high-tech companies to set up business there, and its strategically optimal time zone.
Given the time differences between the F-Secure labs that monitor the global malware situation, work shifts are conveniently split without much overlap. In this way, F-Secure is able to keep its promise to respond faster to virus outbreaks than its competitors.
Mobile malware - the usual suspects and a few notable oddities
On the mobile front, there was the usual steady advance of mobile malware families and their variants in the last half of 2006. By July the number had exceeded the three hundred mark and continued to rise. As in earlier times, Symbian continues to be the platform of choice for the majority of mobile malware authors, reflecting the preponderance of the platform in the smartphone market.
Cross-platform worms - the malware of the future?
In late autumn, the Research team encountered a cross-platform worm that is theoretically capable of spreading from a PC to a mobile device and back again. The "Mobler" worm, as it has been labeled, moves between the Symbian and Windows platforms. Although its payload on the Windows side is significant, it doesn't cause much harm on the Symbian device; instead it copies itself to the memory card and tries to trick the user into infecting his or her PC.
Technically speaking, there is no automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device's memory card. This executable is visible as a system folder in Windows Explorer so potentially it is possible for the user to accidentally open it and infect their PC while browsing the memory card's files.
Mobler poses no immediate risk to mobile device users in its present form. However, it's possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialize.
Commwarrior - again...
Also in late autumn, the Research team received a new Commwarrior sample - SymbOS/Commwarrior.Q. Nothing remarkable about that, except for the fact that Commwarrior.Q is not just a hex-edit of Commwarrior.B but rather a new variant with additional functionality.
Commwarrior.Q is based on Commwarrior.C and has the same functionality as Commwarrior.C and more. Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages and infects any memory card inserted into the device. Additionally, Commwarrior.Q searches the infected device for any SIS installation packages and injects itself into any that it finds.
That means that in addition to trying to spread by itself, Commwarrior.Q also tries to get users to distribute it - for example, via a game installation SIS that the user copies to a friend.
Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates. The size of the Commwarrior.Q SIS file varies between 32100 and 32200 bytes, making it harder to single out by file size.
When Commwarrior.Q is installed, it displays an HTML page in the phone's default browser after a random delay. Although Commwarrior.Q was detected in the wild, the fact that the HTML page states that the phone is infected means that it is unlikely to lead to a large-scale outbreak - that, and the fact that Commwarrior.Q is detected by F-Secure Mobile Anti-Virus with database update 103.
Mobile spyware - legitimate or not?
Also on the mobile front, F-Secure continued to investigate commercially available spying trojans for mobile phones that run on the Symbian OS as well as on other mobile phone platforms.
The Research team originally thought that such software would still be a rather limited phenomenon and that there would be only a couple of vendors making spy tools for smartphones. It turns out, however, that there is quite a cottage industry that has been lying low and by and large has been able to escape attention. In fact, there are several vendors either making software for Symbian smartphones or producing hardware-modified versions of just about any phone available. All the phones and software under investigation yielded rather similar features.
A typical feature set includes SMS forwarding, SMS and voice call log information, remote listening and covert conference calling. Some even include localization services. This basically means that if the victim has a full-featured spy application in their phone, they have no privacy whatsoever for their calls while the one controlling the software has access to all the information available.
Spyware vendors state that their software should only be used in accordance with local laws and that a typical application for such tools is to keep track of a cheating spouse or to monitor children's phone usage. Naturally, these tools also have darker applications such as industrial espionage, identity theft and stalking.
One of the spyware applications under investigation, Acallno.A, is an SMS spying tool that forwards all sent or received messages to an additional number configured by the individual who installed it. Just to be sure, the Research team added detection of Acallno.A to F-Secure Mobile Anti-Virus as spyware. Acallno.A is, by the way, a pseudonym for the real software name, since F-Secure is in the business of informing our customers of potential malware, not promoting commercial spy utilities.
Fortunately, Acallno.A is tied to the target device's IMEI code, so without hands-on access to the phone it cannot simply be installed on just anyone's device, nor can it be bundled into a trojan or any other method of mass installation. As monitoring tools are not always illegal, and there might be some legitimate uses for Acallno.A or other such software, it is possible for users to release the detected spyware so that Anti-Virus allows its use. In such cases, please consult the product documentation.
Centrino vulnerabilities open potential window on WLAN viruses
In early August, Intel published a set of patches for Intel Centrino. That would be nothing particularly significant, except that Centrino is not just a processor: it also integrates WLAN and other features for laptops. The vulnerabilities are not related to the processor itself but to the wireless features - one of the more common applications in use by modern computer users on the move.
The vulnerabilities being patched are significant. The worst of them "could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges". So, at least in theory, somebody could write a WLAN virus that would jump from one laptop to another when laptops within range of the access point are close enough to each other. Nor is this vulnerability solely a problem of Intel Centrino: other platforms such as the Mac have shown potential windows for hackers to exploit in their drivers. In all instances, our advice is to make sure your Wi-Fi drivers are up to date.
And finally
The Swedish toy manufacturer Brio has decided to create a lovable collection of figures that 'live' inside a typical computer for children to play with.
The wooden toys also include a number of virus figures. Not only that, they have even built a dedicated website to support the activities, including an active desktop feature and a related mini movie. Our only hope at F-Secure is that children fall in love with the little computer helpers and not the viruses...