Coming across a PHP RFI (Remote File Inclusion) exploit is an everyday event. (At least if you're analyzing malware…)
Typically, most of the exploits we see install a web-based backdoor such as the C99 shell for the attacker to use.
Every once in a while we run into something more sinister.
Today we discovered a nice crossbreed of different techniques: a PHP script that was heavily obfuscated, with an encrypted configuration. It's an IRC bot, written in PHP. On top of that, it uses nine DNS names to reach its master's C&C (Command and Control) server.
The domain names are fast-fluxing, so this botnet can move around nicely, and since most of the compromised machines are web servers, this botnet is packing a nice amount of bandwidth.
There are very few places in the world where you can actually study malware analysis.
We decided to do our small part to improve this situation and we're happy to announce that we've started a course at the Helsinki University of Technology.
The course is called Malware Analysis and Antivirus Technologies and is done in association with the Department of Computer Science and Engineering. Lectures are held by senior analysts and researchers from the F-Secure Security Labs and cover a range of topics from reverse engineering to decrypting malware to designing scanning engines.
The commencement lecture (open to the public) of the course was held last week and collected an audience of around 150 people. The course itself is designed for 40 students — unfortunately the course is full already, but we'll consider repeating it if there's lots of interest.
Our automated systems are necessary to manage the flow of new samples. The automation also assists us in predicting which samples are malicious and should be detected. We review the likely samples first.
Human analysts use tools such as IDA to view the code.
This sample wasn't very difficult to confirm as malicious:
The fact that it's a Backdoor is there in the code itself:
Add detection — case closed in only a few minutes — time to move on to the next.
We have been working on an interesting Symbian worm over the last few days. It affects S60 2nd Edition phones.
The SymbOS/Beselo family of worms is very similar to Commwarrior. In fact at first we actually misidentified Beselo.A as Commwarrior.Y. Like Commwarrior, Beselo worms spread via MMS and Bluetooth using social engineering to trick users into installing an incoming SIS application installation file.
But what makes Beselo interesting is that instead of the standard SIS extension, the Beselo family uses common media file extensions. This leads the recipient to believe that he is receiving a picture or sound file instead of a Symbian application. He is then far more likely to answer "yes" to any questions the phone prompts after clicking on such an incoming file.
The filenames used by Beselo are beauty.jpg, sex.mp3, and love.rm.
However, just this use of a new social engineering trick was not enough to get more attention from us; we added Beselo.A as Commwarrior.Y back in December. But last Friday and over the weekend a friend working for a major telecom operator became interested in the extensions and did a bit of investigation into what was going on.
It turns out that Beselo.A was in the wild on their MMS network and that it had a big brother, Beselo.B.
Both of these worms have been able to escape attention for at least a while with the simple trick of pretending to be common media files.
So if you have a Symbian S60 phone and you receive a media file, answer "no" to any installation prompt that appears when trying to open the file. There is no reason for any image file to ask installation questions on the Symbian platform, so any image or sound file that does anything other than play immediately is without question something other than it claims to be.
Beselo worms are compiled for S60 2nd Edition phones. Attempting to open the file on a 3rd Edition phone will likely cause an error message rather than an installation prompt.
We also recommend having Anti-Virus running on your phone. You can find ours at F-Secure.mobi; try it from your phone.
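The Beselo trick works because the phone recognizes an incoming SIS by its content, not by the name it was sent under, so the only useful check on the defending side is the same one: compare what the extension claims with what the bytes say. The script below is an added example (not code from the original post or from F-Secure); the JPEG, MP3 and RealMedia magic bytes are standard, while the SIS UID 0x10000419 at offset 8 for pre-Symbian-9 packages is stated from memory and should be treated as an assumption to verify against a known-good SIS file.

```python
# Added example (not code from the original post or from F-Secure): decide whether
# a file's bytes match the type its extension claims, the check a gateway could run
# on MMS attachments named like beauty.jpg. JPEG/MP3/RealMedia magics are standard;
# the SIS UID 0x10000419 at offset 8 (pre-Symbian-9 SIS) is stated from memory, an
# assumption to verify against a known-good SIS file.
import struct

# Leading bytes a genuine file of each extension is expected to start with.
MAGIC_BY_EXT = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".rm": [b".RMF"],
}

SIS_UID3 = 0x10000419  # third UID of a pre-9 SIS file (assumed value)


def looks_like_sis(data: bytes) -> bool:
    """True if the 12-byte UID header carries the SIS package UID."""
    if len(data) < 12:
        return False
    return struct.unpack_from("<I", data, 8)[0] == SIS_UID3


def classify(filename: str, data: bytes) -> str:
    """Compare the claimed type (extension) with the real one (content)."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    expected = MAGIC_BY_EXT.get(ext)
    if expected is None:
        return "unknown-extension"
    if any(data.startswith(m) for m in expected):
        return "ok"
    if looks_like_sis(data):
        return "sis-disguised-as-media"  # the Beselo trick
    return "mismatch"


# Constructed samples: a genuine JPEG header and a SIS UID block named as a picture.
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
FAKE_JPG = struct.pack("<III", 0, 0, SIS_UID3) + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("beauty.jpg", REAL_JPG), ("beauty.jpg", FAKE_JPG)]:
        print(name, "->", classify(name, blob))
```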
I would like to explain the whole situation about MacSweeper.
We are really trying to make good software, and you won't find any viruses/spyware/trojans/malware in MacSweeper (test it yourself if you don't believe me; you can use any type of firewall, disassembler, or other tools).
The problem is that we are using selling partners that force us to use this marketing type. We would like to leave them; we don't want to completely destroy the good name of the MacSweeper application.
Personally I adore the Mac platform, and it hurts to hear that the program you wrote is said to be some kind of "rogue application"; I wouldn't like to destroy the good manners of software written for it :((
I would like to say sorry for all the inconvenience that we could bring to you, but believe that MacSweeper is meant to be a useful application. You can ask questions, and I will try to answer them!
Thank You! firstname.lastname@example.org
We'd like to ask our readers about their experience with MacSweeper and what they think of it. Leave your feedback as comments to this post.
Update: There have been a number of excellent comments, so we've posted a short video on the Weblog's YouTube Channel:
That we are keeping track of the Storm gang goes without saying but are they doing the same and watching what we in the security industry are up to?
On Dec 23rd we posted about a bet we had in the lab: when would the Storm gang start sending out Christmas-themed e-mails? One day later they did (after having been inactive for weeks).
Yesterday Symantec predicted that the next wave of Storm would be using Valentine's Day as the theme and sure enough, a few hours later we started seeing the love mails that Jojo (Jose) blogged about earlier today. Coincidence?
Yet another wave of the Storm worm is now being spammed widely and this time it's all about love. They were late for Christmas, just in time for the New Year and really early for Valentine's Day. The filename being downloaded now is withlove.exe.
The subject lines are the same as was used during January of last year; you can find them here and here.
Here's a sample of the spammed e-mail:
We now detect this as Email-Worm:W32/Zhelatin.PY.
Update: As the file on the websites is changing every 15 to 30 minutes, requiring us to release a new update every time, it's good to see that DeepGuard is proactively able to block this without any updates. No signatures required.
Note: We're only four days away from the one year anniversary of Storm, the first one being found shortly after midnight (in Helsinki) on Jan 19th, 2007.
We've just found the first Mac rogue application and it's called MacSweeper.
It claims to clean your Mac from compromising files and it will always find something to fix/clean but the only way to do so is to buy the program.
Once installed it will also randomly show a big popup window stating that your privacy is compromised and again prompt you to buy the program.
Even more telling that it's a scam is the fact that when you visit the MacSweeper website with a PC and click on "Scan", it will tell you that you have security vulnerabilities in folders that only exist on Mac like system_root/home. Fake? Oh yeah…
Looking more at their website we found that they have copied the text describing the company directly from Symantec and just changed the name.
Rogue/fake applications (scareware) such as this have been around for years on Windows (WinFixer, SpySheriff, et cetera). They're designed to trick people into thinking that they have security problems and that the only way to solve it is to buy the software. Up until now this has been a Windows only problem but that's not the case anymore.
So what does the first Mac rogue application really mean? It means that with Mac's growing popularity and growing user base comes certain problems that can't be ignored. Mac users will increasingly come under attack from bad guys and this new rogue application and the constant stream of new variants of DNSChanger is proof of that. It doesn't mean that Mac is becoming less secure in and of itself. But it does mean that Mac users will have to watch out for social engineering tricks just like Windows users have had to do for years.
MacSweeper's sibling in the Windows world is called Cleanator.
Editor's Note — P.S. from Patrik:
Today I spoke with a journalist about MacSweeper and he said something that stuck in my mind.
"I visited the macsweeper.com website. I know I probably shouldn't have - but I used a Windows PC so I knew I wouldn't get infected."
This time the link wasn't pointing to the spammer's website directly. Instead, it was pointing to Google:
So, it's making a Google search for the words V6J and 5C6 on a page that contains thereseason.com in the URL.
There can't be many pages like that on the net.
The link ends with "btnI=745". On Google, the btnI directive activates the I'm Feeling Lucky feature, and Google redirects the user to the first search result.
As an end result, clicking the spam link takes the user to a spam drugstore.
It's interesting to note that such spam links can be hijacked. All you need to do is to create a page that contains the words V6J and 5C6 and has "thereseason.com" in the URL — and have it pop up as search result #1 in Google.
There's lots of this spam going around. Also, the discount percentages of these guys seem to vary wildly…
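A mail filter cannot judge such a link by its host, since the host is Google; it has to notice that the search is forced to redirect (btnI) and pinned to one site, and then treat the link as a direct link to that site. The function below is an added example, not from the original post: the sample URL is constructed, the btnI parameter and the words V6J / 5C6 come from the post, and the use of Google's inurl: operator to pin the result to thereseason.com is an assumption about how the spammer phrased the query.

```python
# Added example (not from the original post): pick apart a spam link that bounces
# through Google's "I'm Feeling Lucky" redirect. The sample URL is constructed; the
# btnI parameter and the search words V6J / 5C6 come from the post, and using the
# inurl: operator to pin the result to thereseason.com is an assumption.
from urllib.parse import urlparse, parse_qs


def is_google_search(url_parts) -> bool:
    """True for google.com (or a subdomain) with the /search path."""
    host = url_parts.netloc.lower().split(":")[0]
    return (host == "google.com" or host.endswith(".google.com")) and (
        url_parts.path == "/search"
    )


def analyze_link(url: str) -> dict:
    """Return what a mail filter would want to know about one link."""
    parts = urlparse(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    query = qs.get("q", [""])[0]
    terms = query.split()
    inurl = [t[len("inurl:"):] for t in terms if t.lower().startswith("inurl:")]
    google = is_google_search(parts)
    lucky = "btnI" in qs  # any btnI value triggers the first-result redirect
    return {
        "google_search": google,
        "feeling_lucky": lucky,
        "terms": [t for t in terms if not t.lower().startswith("inurl:")],
        "inurl": inurl,
        # A search that is forced to redirect AND pinned to one site is a
        # redirector, not a search: treat the link like a direct link to that site.
        "redirector": google and lucky and bool(inurl),
    }


# Constructed reconstruction of the spam link and an ordinary search for contrast.
SPAM_LINK = "http://www.google.com/search?q=V6J+5C6+inurl:thereseason.com&btnI=745"
NORMAL_LINK = "http://www.google.com/search?q=f-secure+weblog"

if __name__ == "__main__":
    for link in (SPAM_LINK, NORMAL_LINK):
        print(link, "->", analyze_link(link))
```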
Last night there was a phishing run using the domain i-halifax.com.
The IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet.
Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar:
Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm.
So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before.
But we've been expecting something along these lines.
From our end-of-year Data Security Wrap-up: October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.
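The two observations in this post, an answer that changes every second or so and an IP that passive DNS ties back to Storm's old domains, are both mechanical enough to script. The block below is an added example, not F-Secure's tooling: every lookup and history record is constructed, the thresholds are assumptions, and only the hostnames i-halifax.com, hellosanta2008.com and postcards-2008.com are the ones named in the post.

```python
# Added example (not F-Secure's tooling): score repeated lookups of a hostname for
# fast-flux behaviour, then pivot on one of its IPs through a passive-DNS style
# history to see what else was hosted there. Every observation is constructed;
# only the hostnames i-halifax.com, hellosanta2008.com and postcards-2008.com
# are the ones named in the post, and the thresholds are assumptions.
from collections import defaultdict


def flux_score(observations):
    """observations: [(seconds_since_start, ip), ...] from successive lookups.
    Returns (distinct_ips, ip_changes_per_minute)."""
    ips = [ip for _, ip in observations]
    if len(ips) < 2:
        return len(set(ips)), 0.0
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    span = observations[-1][0] - observations[0][0]
    rate = changes * 60.0 / span if span > 0 else float(changes)
    return len(set(ips)), rate


def is_fast_flux(observations, min_ips=5, min_rate=2.0):
    """A few distinct IPs is load balancing; many, swapped every few seconds, is flux."""
    distinct, rate = flux_score(observations)
    return distinct >= min_ips and rate >= min_rate


def pivot(ip, history, origin):
    """history: [(hostname, ip), ...]; return other names once served from ip."""
    by_ip = defaultdict(set)
    for host, addr in history:
        by_ip[addr].add(host)
    return sorted(by_ip[ip] - {origin})


# Constructed: i-halifax.com answered with a different bot each second for 30 s.
FLUX_OBS = [(t, f"10.0.{t // 256}.{t % 256}") for t in range(30)]
# Constructed: a normally hosted site, same IP across three minutes.
STABLE_OBS = [(0, "192.0.2.10"), (60, "192.0.2.10"), (120, "192.0.2.10")]
# Constructed passive-DNS history, modelled on the overlap described in the post.
HISTORY = [
    ("i-halifax.com", "10.0.0.7"),
    ("hellosanta2008.com", "10.0.0.7"),
    ("postcards-2008.com", "10.0.0.7"),
    ("i-halifax.com", "10.0.0.8"),
    ("example.net", "10.0.0.9"),
]

if __name__ == "__main__":
    print("fast flux:", is_fast_flux(FLUX_OBS), flux_score(FLUX_OBS))
    print("also on 10.0.0.7:", pivot("10.0.0.7", HISTORY, "i-halifax.com"))
```

On a live resolver the same picture usually comes with very short TTLs in the answers, which is a second signal worth recording alongside the change rate.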
The HM Revenue and Customs office recently lost two CDs containing 25 million people's personal details. Clarkson apparently didn't consider the lost data to be a serious concern. So he published his own bank account details in The Sun newspaper.
And what was the predictable result? Someone used the details to create a £500 direct debit to a charity called Diabetes UK.
Top Gear is popular among the folks in the lab. It airs on MTV3 here in Finland:
Do you remember the time when the creator of a computer virus would spend days and nights to produce his new malware? Well I don't — but I'm rather new to the job of Response Analyst — nowadays a "malware author's" life is much easier.
For example, the Hupigon family has spread across the Internet with thousands and thousands of variants. You'll find it frequently in our list of database updates.
Hupigon is a very common family of backdoors. Why is it so common? Kits.
I'll give you an example of how variants are made. First, we acquired a copy of the Hupigon kit. It's very easy to use and to control infected computers (for Chinese speakers at least).
This is the main interface. It's highly polished and feels professionally designed:
Okay, next I can choose the option for "Fast Configuration".
Here's what the default setting looks like:
With the Fast Configuration, you only need to check the desired options and then you're ready to create the variant. It's pretty simple.
So what's the purpose of this backdoor?
Many things are possible. You can record the victim's webcam, send a message to them, copy their files, send additional stuff to their computer, steal passwords, and of course use the infected computer for DDoS attacks.
Here are the DDoS options:
Basically, you can control the victim's computer remotely.
As I don't speak Chinese very well — I've only spent about six months in a Chinese speaking country — I recruited one of our Quality Engineers from upstairs. A big thanks goes to Feng Ping for her assistance.
Signing off, Mikko Hy2 (Another Mikko in the lab, not Mikko Hyppönen)