NEWS FROM THE LAB - March 2008
 

 

Monday, March 31, 2008

 
Stormy April Fool's Day Posted by Patrik @ 19:45 GMT

A wave of April Fool's Day related Storm mails have just been sent out. It's similar to other occasions with a link that points to an IP address.


Storm April 2008

When visiting the site you end up on a page such as this:

storm_april2008

So far there's no exploit code on the page, but that could change any second, so if you receive one of these e-mails, don't click on the link.
 
 

 
 
Shedding (Black)Light on the Master Boot Record Posted by Antti @ 13:47 GMT

A while ago we blogged about the MBR rootkit, which has been getting attention from all security vendors. We're glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.

BlackLight detecting MBR rootkit

BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we've seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.

You can download the standalone BlackLight here.

 
 

 
 
Shift Happens Posted by Mikko @ 12:26 GMT

A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks such as Bagle, Mydoom, and Warezov. Nowadays sending .EXE attachments in e-mail doesn't work so well for criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic.

The criminals' new preferred way of spreading malware is via drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP.

Infection by a drive-by download can happen automatically just by visiting a website, unless you have a fully patched operating system, browser, and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware.

There are several methods criminals use to gather traffic to malicious websites. A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link. Messages such as "There is a video of you on YouTube", or "You have received a greeting card", or "Thank you for your order" have been popular baits.

Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous such as "knitting mittens" (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen.

The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today's criminal hackers don't change the front page at all. They simply insert a line of JavaScript on the front page which uses an exploit to infect your machine when you visit. Everything works and looks as normal.

Korea Times

This has happened to the websites of some popular magazines that can have a million users every single day. People trust sites that are part of their daily routine, and they don't suspect that anything bad could happen when they go there.

Another vector for drive-by downloads are infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don't have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't.

Individuals and companies should therefore be scanning their web traffic for malware — as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links.

This report was an excerpt from our Quarterly Security Wrapup, which has been released today.

View the full wrapup.

 
 

 
 
Tuesday, March 25, 2008

 
Black Hat 2008, Amsterdam Posted by Esz @ 12:13 GMT

This year Black Hat Europe is being held at the Moevenpick Hotel in Amsterdam. There are a lot of interesting training sessions such as Pedram's and Ero's presentation Reverse Engineering on Windows: Application in Malicious Code Analysis.

BlackHat

More information on Black Hat Europe 2008 is available here.

Oh, and if you think that this year, Amsterdam has some nice weather, you are wrong.

There's more snow here than in Helsinki.

Signing off,
Mikko Hyykoski

 
 

 
 
Friday, March 21, 2008

 
Targeted Malware Attacks Against Pro-Tibet Groups Posted by lab @ 16:24 GMT

There's unrest on the streets of Tibet — clashes between Tibetans and the Chinese military.

Copyright Getty Images - CNN.COM

Quoting Wikipedia, "Tibet was once an independent kingdom, which later became a part of China. The government of the People's Republic of China and the Government of Tibet in Exile, however, disagree over when Tibet became a part of China, and whether this incorporation into China is legitimate according to international law."

There's also unrest on the net. Groups supporting the freedom of Tibet have been attacked with highly targeted and technically advanced attacks.

Quoting an Asia Free Press news report: "AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared."

So… what do these attacks look like in practice? Let's take an example.

Here's an e-mail that was mailed to a pro-Tibet mailing list three days ago.

It looked as if it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the e-mail headers were forged and the mail was coming from somewhere else altogether.

Seemingly, the mail issued a statement of solidarity for the people of Tibet:

Fake e-mail

If you open the attached PDF file, you actually get a real PDF document with a relevant statement:

Screenshot

However, this is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability to exploit Adobe Acrobat when the document is opened.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.
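As a defender-side illustration of the indicators above, the following Python script is an added example (not code from the original post or from F-Secure) that scans DNS query logs for lookups of the keylogger's server and, more broadly, of any host under the 8800.org dynamic-DNS service, which the post says is not rogue in itself and therefore gets a lower severity here. The log lines are constructed in a BIND-style query-log format, the client addresses are from a documentation range, and the severity labels are assumptions made for the example.

```python
import re

# Indicators named in the post. The hostname is the keylogger's server; the
# bare suffix is the dynamic-DNS service it sits under.
KNOWN_BAD_HOSTS = {"xsz.8800.org"}
WATCHED_DNS_SUFFIXES = {"8800.org"}

# BIND-style query log line: "... client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

# Constructed sample log. 192.0.2.0/24 is a documentation range, not real hosts.
SAMPLE_LOG = """\
18-Mar-2008 09:41:02.117 client 192.0.2.10#51234: query: xsz.8800.org IN A + (192.0.2.1)
18-Mar-2008 09:41:05.440 client 192.0.2.10#51235: query: www.example.com IN A + (192.0.2.1)
18-Mar-2008 09:42:11.003 client 192.0.2.23#49876: query: abc.8800.org IN A + (192.0.2.1)
18-Mar-2008 09:43:59.812 client 192.0.2.31#50011: query: www.not8800.org IN A + (192.0.2.1)
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot, if present."""
    return name.lower().rstrip(".")


def host_under_suffix(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it.

    The label boundary is honoured, so 'www.not8800.org' does not match
    '8800.org' the way a naive substring check would.
    """
    host, suffix = normalize(host), normalize(suffix)
    return host == suffix or host.endswith("." + suffix)


def triage_dns_log(log_text: str) -> list[dict]:
    """Return one finding per logged query that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.group(1), normalize(m.group(2)), m.group(3)
        if qname in KNOWN_BAD_HOSTS:
            findings.append({"client": client, "qname": qname, "qtype": qtype,
                             "severity": "high", "reason": "known keylogger C&C host"})
        elif any(host_under_suffix(qname, s) for s in WATCHED_DNS_SUFFIXES):
            findings.append({"client": client, "qname": qname, "qtype": qtype,
                             "severity": "medium",
                             "reason": "dynamic-DNS service reused in targeted attacks"})
    return findings


if __name__ == "__main__":
    for f in triage_dns_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['client']} -> {f['qname']} ({f['reason']})")
```

The suffix match is deliberately anchored at a label boundary; a medium-severity hit on the bare dynamic-DNS suffix is a lead to look at the client, not proof of compromise, which matches the post's point that 8800.org itself is not rogue.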

Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions.

And this is not an isolated incident. Far from it.

Groups working for the freedom of Tibet all over the world have been targeted. These e-mails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month.

The mails are almost always forged to look like they would be coming from trusted persons or organizations, making it more likely they'll be opened by the recipient.

Just the filenames of some of the recent malicious attachments tell a lot:

   UNPO Statement of Solidarity.pdf
   Daul-Tibet intergroup meeting.doc
   tibet_protests_map_no_icons__mar_20.ppt
   reports_of_violence_in_tibet.ppt
   genocide.xls
   memberlist.xls
   Tibet_Research.exe
   tibet-landscape.ppt
   Updates Route of Tibetan Olympics Torch Relay.doc
   THE GOVERNMENT OF TIBET.ppt
   Talk points.chm
   China's new move on Tibetans.doc
   Support Team Tibet.doc
   Photos of Tibet.chm
   News ReleaseMassArrest.pdf
   Whole Schedule and Routing for Torch Relay.xls

As you can see there's a variety of "trusted" file types used in these targeted attacks, including DOC, XLS, PPT, PDF, CHM.

The contents of these bait documents have been crafted very well. Below are some examples of what the user sees after he has been duped into opening one of these files. The content is mostly recycled from real announcements and messages of the pro-Tibet groups.

Screenshots of the bait documents

Updated to add — Links to media coverage:

Washington Post
InformationWeek
Computerworld

 
 

 
 
Thursday, March 20, 2008

 
Formula 1 Racing and Computer Security Posted by Mikko @ 08:36 GMT

Let's see. There's fourteen hours to go before the next Formula 1 Grand Prix starts at the Sepang circuit in Kuala Lumpur, Malaysia — not too far away from our Malaysian research lab. Will it be Räikkönen, Kovalainen, or Rosberg winning this time?

This was the question on the mind of one of our engineers when he today tried accessing the official home page of the Malaysian Grand Prix. Instead of the latest news on the heroic efforts of the Finnish F1 drivers, he got a picture of a box of laundry detergent:

Sepangd

It seems that somebody defaced the official home page, just hours before the race starts.

Interestingly, the web server itself doesn't seem to be affected. It's running just fine at its original IP address:

Sepang

What's going on here is that some clown managed to modify the DNS information of the domain malaysiangp.com.my.

Malaysiangp.com.my has nameservers under five different providers:

Sepanga

Some of them point to the original, real site:

Sepangc

…and some of them point to the defacement page, being hosted at a free hosting service at oxyhostsfree.com:

Sepangb

This change happened just hours ago — perhaps by the hacker guessing a password for the DNS management system or by using social engineering to get a provider to change the DNS IP address.

Well, at least this defacement just changed the front page. There were no exploits or malware on the site. That would have been really bad, as this site must be getting tons of traffic right now.
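The split answers described above can be caught by asking every delegated nameserver the same question and comparing the replies. The Python script below is an added example, not code from the original post: it parses the text that `dig +short A <domain> @<nameserver>` prints for each server (the captured outputs are constructed here, with placeholder nameserver names and documentation-range addresses) and reports which servers disagree with the majority and which gave no answer at all.

```python
import ipaddress
from collections import Counter

# Constructed stand-ins for the output of
#   dig +short A <domain> @<nameserver>
# run once per delegated nameserver. Names and addresses are placeholders
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
DIG_OUTPUTS = {
    "ns1.provider-a.example": "192.0.2.10\n",
    "ns2.provider-a.example": "192.0.2.10\n",
    "ns1.provider-b.example": "198.51.100.77\n",
    "ns1.provider-c.example": "192.0.2.10\n",
    "ns1.provider-d.example": ";; connection timed out; no servers could be reached\n",
}


def parse_short_answers(text: str) -> frozenset[str]:
    """Collect the IP addresses from one 'dig +short' output.

    Lines starting with ';' are dig diagnostics, not answers, and are skipped;
    so is anything that is not an IP address (e.g. a CNAME target), so the
    comparison is made on the final addresses only.
    """
    answers = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue
        answers.add(line)
    return frozenset(answers)


def find_split_answers(outputs: dict[str, str]) -> dict:
    """Compare per-nameserver answer sets and single out the ones that differ.

    The 'consensus' is the answer set returned by the most nameservers; every
    server returning a different non-empty set is an 'outlier'; servers that
    returned nothing are listed as 'unreachable' so they are not silently
    counted as agreeing with anyone.
    """
    answers = {ns: parse_short_answers(out) for ns, out in outputs.items()}
    reachable = {ns: a for ns, a in answers.items() if a}
    unreachable = sorted(ns for ns, a in answers.items() if not a)
    if not reachable:
        return {"consensus": frozenset(), "outliers": {}, "unreachable": unreachable}
    consensus, _ = Counter(reachable.values()).most_common(1)[0]
    outliers = {ns: a for ns, a in reachable.items() if a != consensus}
    return {"consensus": consensus, "outliers": outliers, "unreachable": unreachable}


if __name__ == "__main__":
    report = find_split_answers(DIG_OUTPUTS)
    print("consensus answer:", sorted(report["consensus"]))
    for ns, a in report["outliers"].items():
        print(f"DISAGREES: {ns} -> {sorted(a)}")
    for ns in report["unreachable"]:
        print(f"no answer: {ns}")
```

In practice the nameserver list comes from `dig +short NS <domain>` and each server is queried directly with `@`, bypassing any caching resolver. Majority voting only tells you that the servers disagree, not which side is right: with an even split the consensus is whichever set was seen first, so the real IP address still has to be confirmed out of band, as was done above by checking the web server itself.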

 
 

 
 
Monday, March 17, 2008

 
F-Secure Security Advisory FSC-2008-2 Posted by Mikko @ 12:00 GMT

We have just released security advisory FSC-2008-2.

The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors… including us.

We've fixed a long list of our products to resolve these issues. Home users will get these fixes via the normal update system and they don't have to do anything. However, we do recommend that all system administrators using our products read the advisory to make sure all necessary upgrades or hotfixes have been applied within their organizations.

Our guidance here is the same as for patches from any other vendor: Patch now before someone figures out how to exploit the vulnerability. At the moment we are not aware of any public exploit methods for these vulnerabilities.

For more information, please consult F-Secure Security Advisory FSC-2008-2 and CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats.

 
 

 
 
Friday, March 14, 2008

 
Digging the Archives for Case Carderplanet Posted by Mikko @ 10:21 GMT

Once again, SecurityFix has a great scoop.

Thursday's post from Brian Krebs is about Dmitri Golubov. Golubov was convicted in 2005 for selling credit card details ("dumps") stolen via trojans. He was accused of causing multi-million dollar damages.

Turns out Mr. Golubov is now out of jail — and is running a political party in Ukraine, possibly seeking a position in the Ukrainian government (which would grant him automatic immunity from prosecution for criminal activities). His party IPU has — wait for it — promised to fight against public corruption.

While Mr. Golubov was active in the computer crime underground and part of the "Carderplanet" gang, he went by the handle "Script".

That handle brought back memories, and we went digging through our archives. We found several interesting snippets saved during our research in 2003 and 2004. These include quite impressive flash animations the Carderplanet gang was using to promote their criminal services, as well as screenshots from forums showing "Script" selling stolen credit cards.

We've made these available on a separate page over here.

 
 

 
 
Thursday, March 13, 2008

 
All Usenix Conference Proceedings Made Public Posted by Mikko @ 14:05 GMT

Big news today.

Usenix, the advanced computing systems association, has today announced open public access to all of its conference proceedings.

This is relevant to us working with computer security, as Usenix Security Symposiums have been among the best technical conferences on the topic anywhere in the world. Unfortunately, most of the published material has only been accessible to Usenix members.

Well, that changed today.

All Usenix conference proceedings can be found at:
http://www.usenix.org/publications/library/proceedings/

And specifically, Usenix Security Symposium proceedings are here:

Usenix Security Symposium 2007 proceedings
Usenix Security Symposium 2006 proceedings
Usenix Security Symposium 2005 proceedings
Usenix Security Symposium 2004 proceedings
Usenix Security Symposium 2003 proceedings
Usenix Security Symposium 2002 proceedings
Usenix Security Symposium 2001 proceedings
Usenix Security Symposium 2000 proceedings
Usenix Security Symposium 1999 proceedings
Usenix Security Symposium 1998 proceedings
Usenix Security Symposium 1996 proceedings

 
 

 
 
Wednesday, March 12, 2008

 
Dexter Union Inc Posted by Mikko @ 10:00 GMT

We saw this email being spammed a week ago:


            Dexter Union


Hey, great opportunity for growth? High salary?

Sounds good. Maybe I should apply.

So I did. Here's what I wrote back (do note that I used my normal F-Secure work address for this):


            Dexter Union


Well, I got a reply two hours later. Here's the answer in full (emphasis added):



Date: Mon, 3 Mar 2008 03:55:44 -0800
From: "Dexter Union Inc."
Organization: Dexter Union Inc.
To: "Mikko H. Hypponen"
Subject: Dexter Union Inc. Employment Details

Greetings.
Thank you for being interested in our work proposal. Please note we looking for
candidates from United States Only!

Let me introduce myself. I`m Adam Nelson, director Dexter Union Inc.

Dexter Union Investment Company is an asset management firm focused
on the singular strategy of attempting to maximize realized gains through
the implementation of the Dexter Union Strategy�. Based in Canada
Dexter UnionInvestment Company is an independently owned,
licensed general securities broker/dealer and registered investment advisor.

Here is more detailed description of what you will need to do.
As there’s a transaction going your way we will notify you of that by
email or, sometimes, by phone. You need to be able to check your email box
frequently once we accept your application. Notification will be usually
sent to you one day before you’re scheduled to receive funds in your
account. As the money arrives you will have to withdraw it from the bank
(or via ATM machine if your daily withdrawal limit allows it) and then
forward it to our customers by means of express money transfer services
(MoneyGram) according to instructions provided.


Commissions charged by those services are to be paid from the total amount
received by you, you don’t need to spend your own money on that.
Your starting commission will be 8 from the total amounts received by
you. Your earnings will be paid after completed transaction.
You will be paid every day!

Work day example:

You will wake up in the morning and turn on your computer, receive
email about completed transfer to your bank account, then you will
hear your mobile phone sound and hang up, we will inform you about
this transfer and you will tell me that you did receive my email.
Than you will visit bank branch and ask bank manager to withdraw this
payment! ( for example : 5000 USD) you will receive this money and
go to the nearest Money Gram department,
your salary in this example is 8 USD, 4600 USD you will transfer
via Money Gram to our head office.
Since this moment the task of our company completed,
we will send orders to both parts , sender and receiver.

After 2 weeks period we review your performance and if it meets our
requirements you will be paid monthly salary of $4400 plus your commission
will increase to 10.

Please note that to qualify for this position you need to be able to
perform your tasks promptly and without any delays. Although this job only
requires 4-5 hours a week it’s important that you do everything on time
and email reports/updates swiftly.

Please fill in the application form and sign the contract attached!

Once we receive it and verify the information provided a personal manager will
be assigned to you and you will start working.

Best regards,
Adam Nelson,
Dexter Union Inc.
http://www.dexterunion.com (now site on reconstruction, will work in next few days)


dexter union Dexter Union

Then again, maybe I'll stick with my current job. Money laundering is just not my thing.

Signing off,
Mikko
 
 

 
 
Tuesday, March 11, 2008

 
March Updates from Microsoft Posted by Patrik @ 23:12 GMT

Microsoft just released the March 2008 updates. This time there are four critical updates that all fix vulnerabilities in different Office components, and at least one of them has been used in targeted attacks lately. We advise everyone to install these updates as soon as possible.


msupdate_200803

 
 

 
 
Visualizations Posted by Sean @ 16:09 GMT

Alex Dragulescu's Malwarez "is a series of visualization of worms, viruses, trojans and spyware code."


http://sq.ro/viewer.php?i=125

We came across Dragulescu's site a few weeks ago. The malware visualizations are pretty cool.

Readers Feher and Dalibor recently sent us the link to MessageLabs' gallery. They're the ones that commissioned the series from Dragulescu.

Check 'em out.
 
 

 
 
Friday, March 7, 2008

 
From SMTP to HTTP to FTP Posted by Mikko @ 10:03 GMT

A year or two ago, the malware author's preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov.

Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic.

So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by downloads. This attack often still starts with an e-mail spam run; there are just no attachments in the e-mail anymore, as the attachment has been replaced by a web link.

Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page.

Many have missed this shift of attacks from e-mail to the web. There's a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't.

Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now.

However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links.

Case in point, a fake Hallmark greeting card spam we saw today:

Hallmark

As you can see, the link takes you to an owned computer which has an FTP site set up on it.

Hallmark

And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant.

Hallmark

Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.
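The greeting-card mail above (a link to an FTP site on a compromised machine, delivering an executable) and the Storm mails seen this month (links pointing straight at IP addresses) share traits that can be checked at the mail gateway before anyone clicks. The Python script below is an added example, not code from the original post or from F-Secure's products: it pulls links out of a message body and flags the FTP scheme, a raw IP address in place of a hostname, and a path ending in .exe. The sample message is constructed with documentation-range addresses, and the three rules are assumptions chosen for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Matches http, https and ftp URLs in free text (written for this example).
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample mail body: one link in the style of the FTP greeting-card
# spam, one in the style of the Storm IP-address links, one benign link.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_MAIL = """\
You have received a greeting card! Click here to view it:
ftp://203.0.113.27/ecard.exe
Check out your ecard. http://198.51.100.9/
Company newsletter: https://www.example.com/news/april
"""


def is_ip_literal(host: str) -> bool:
    """True if the URL's host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_links(body: str) -> list[tuple[str, list[str]]]:
    """Return (url, reasons) for each link showing a trait the posts describe.

    Traits checked: FTP scheme (malware linked over FTP instead of HTTP), a raw
    IP address instead of a hostname (Storm-style links) and a path that ends
    in .exe (a direct executable download). Links with no findings are omitted.
    """
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")          # drop trailing punctuation from prose
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme.lower() == "ftp":
            reasons.append("ftp scheme")
        if is_ip_literal(host):
            reasons.append("raw IP host")
        if parts.path.lower().endswith(".exe"):
            reasons.append("direct executable download")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in triage_links(SAMPLE_MAIL):
        print(f"{url}: {', '.join(reasons)}")
```

None of these traits is malicious on its own, which is why the function reports the reasons rather than a verdict; a gateway would normally quarantine on the combination and let a single raw-IP link through with a lower score. The check complements, and does not replace, scanning the FTP download itself as the post recommends.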

 
 

 
 
Thursday, March 6, 2008

 
iPhone SDK Now Available Posted by Patrik @ 20:01 GMT

So, the eagerly awaited SDK for iPhone and iTouch is now publicly available over at the iPhone Developer Program. The SDK is free but you can also join the Apple Developer Network which will cost you $99.

The security model is based on signed applications. The idea is that if someone attempts to develop something bad, Apple can pull the certificate and make the application unusable. This is the same approach Symbian uses, and while it's a great idea in theory, we've seen bad applications, such as spy tools for phones, get signed by claiming to be backup tools.


Apple iPhone SDK

Once you have developed an application, you upload it to the newly created App Store. The App Store is an application that will run on your iPhone/iTouch and enables you to download and install third party applications on your phone. Some apps will be free, others you'll have to pay for and for that Apple will take a 30% share of the price.

While we haven't yet had time to look closer at the SDK to see what's possible and whether it could potentially be used by malware writers for malicious purposes, what is great is that you now don't have to jailbreak your iPhone to be able to run apps coming from third-party developers. We've already seen one trojan targeting those who've used this approach to run applications not coming from Apple.

One interesting thing about all this: you have to have a Mac to be able to use the SDK, as it doesn't support Windows.

We'll post more on this topic once we've had a closer look at the SDK.

Update: The Apple developer site seems to be under a very high load at the moment. Seems like we're not the only ones trying to download the SDK.
 
 

 
 
Wednesday, March 5, 2008

 
ZDNet Asia Compromised? Posted by Fei @ 04:28 GMT

ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, their site's search engine was abused by an attacker with queries of popular keywords. Leveraging the fact that the site is legitimate and has high page rank, the popular search engines are returning some of these 'iFRAME'ed results in the first few pages of the search results. And the objective? To get the unsuspecting user to click on the link.

ZDNet Asia Search Results

The last time we checked, 20,600 cached pages loading the iFRAME were found. Upon clicking on the malicious link, you get redirected to some Russian Business Network (RBN) IPs, and RBN is notoriously known for hosting not only malware but also rogue antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might be a victim of a Zlob trojan.

We detect it as Trojan-Downloader:W32/Zlob.HOG.

Signing off,
Fei

Update: This information was first posted on Dancho's blog and he obviously deserves credit. When we last checked on the situation this morning, it seems that we found 18,400 "new" cached pages appearing with the iFrame, which are now redirecting users to a different domain.

ZDNet Asia Search Results New
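Both the single injected line of JavaScript on a high-traffic front page described in the Shift Happens post and the hidden iframe riding on these cached search results are things a site owner can scan their own pages for. The Python scanner below is an added example, not code from the original post or from any of the parties mentioned: it walks the HTML with the standard library parser and flags iframes and scripts that load from another host, as well as iframes sized to zero or hidden with CSS. The sample page and the hostnames in it are constructed, and the "trusted host" rule (same host as the page or a subdomain of it) is an assumption made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one benign same-origin script, one benign same-host
# iframe, one injected zero-size hidden iframe and one third-party script.
# All hostnames are placeholders.
SAMPLE_PAGE = """<html><head><title>Search results</title>
<script src="/static/site.js"></script></head><body>
<div class="result">Result text</div>
<iframe src="http://malicious.example.net/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<iframe src="http://search.example/ads/banner" width="300" height="250"></iframe>
<script src="http://stats.example.org/t.js"></script>
</body></html>"""


def is_tiny(value) -> bool:
    """True for width/height values of 0 or 1 pixel, a common way to hide a frame."""
    v = (value or "").strip().lower().removesuffix("px")
    return v in ("0", "1")


class InjectionScanner(HTMLParser):
    """Collects (tag, src, reasons) for iframes and scripts worth a closer look."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def is_external(self, src: str) -> bool:
        host = (urlsplit(src).hostname or "").lower()
        if not host:                     # relative URL: same origin as the page
            return False
        return host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                  # attribute values may be None
        src = a.get("src") or ""
        reasons = []
        if tag == "iframe":
            if self.is_external(src):
                reasons.append("external src")
            if is_tiny(a.get("width")) or is_tiny(a.get("height")):
                reasons.append("zero-size frame")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden via CSS")
        elif tag == "script" and self.is_external(src):
            reasons.append("external src")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_html(html: str, page_host: str) -> list[tuple[str, str, list[str]]]:
    """Run the scanner over one page and return its findings in document order."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_PAGE, "search.example"):
        print(f"<{tag} src={src!r}>: {', '.join(reasons)}")
```

An external script is not evidence of compromise by itself (ad networks and analytics load that way, which is exactly the ad-network vector the Shift Happens post describes), so the scanner reports reasons and leaves the decision to a reviewer or to an allow-list of known third parties. An iframe that is both external and sized to zero, as in the sample, has no legitimate reason to exist on a search-results page and is the pattern to alert on.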

 
 

 
 
Tuesday, March 4, 2008

 
Unlocking Windows Using FireWire Posted by Jarno @ 20:36 GMT

Did you know that if you have a FireWire port in your computer and are running Windows, anyone who can plug into it has direct access to the memory of your PC?

While this has been a publicly known issue since 2004, when the attack was demonstrated at PacSec 2004 by Maximillian Dornseif, the issue has not gained widespread attention.

The Age reports that Adam Boileau has done excellent work on bringing more attention to this feature of FireWire of which most people are not aware.

If you are running Windows XP, anyone who can connect his laptop or modified iPod to your FireWire port can get complete access to your PC's memory. And by using that access the attacker can do whatever he wants such as unlock Windows, steal encryption keys, or install malware.

The problem has not been verified with Windows Vista, but we cannot state that Vista would be safe either.

Currently there is no known fix for this problem, so if you have a computer that has a FireWire port and you don't use it for anything, we recommend disabling it.

What's really funny to us is that we were recently discussing the fact that people at large don't know about the FireWire memory access problem. And we were thinking about creating a demonstration video a couple of weeks back. Well, Adam, you beat us to it.

 
 

 
 
German Police Trojans Posted by Sean @ 17:34 GMT

Germany's Constitutional Court ruled last Wednesday on the issue of "cybermonitoring" (trojans) by Germany's domestic security services.

We've posted on the topic in the past:

     Should police hack?
     Poll Results - Should Police Hack?
     German Supreme Court Says No to Hacking

So how did the court rule on Wednesday? That depends on how you interpret the headlines.

From the New York Times:

http://www.nytimes.com/2008/02/28/world/europe/28germany.html?ref=world

From the International Herald Tribune (part of The NYT Company):

http://www.iht.com/articles/2008/02/27/europe/german.php

Hmm. "Permits Limited" and "rules against"… it's always been a complicated issue.

From an international German source, Deutsche Welle:

http://www.dw-world.de/dw/article/0,2144,3152627,00.html

Basically the "decision voided a broadly formulated law in the western German state of North Rhine-Westphalia, which had explicitly allowed the use of Trojan software since January 2007."

But the decision allows Intelligence agencies "to collect data secretly from suspects' computer hard drives if there is evidence that [human lives or state property] are in danger."

"Law enforcement authorities must get permission from a judge before they secretly upload spyware."

What do you think of the ruling? Comments.

 
 

 
 
Monday, March 3, 2008

 
MBR Rootkit, A New Breed of Malware Posted by Kimmo @ 11:08 GMT

News broke earlier this year of a new breed of rootkit using techniques never before seen in modern malware. The most notable of them is the fact that the rootkit replaces the infected system's Master Boot Record (MBR).

The MBR is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process.

In the competition between rootkits and rootkit detectors, the first to execute has the upper hand. And you can't execute earlier than from the MBR. Of course, MBR viruses used to be very common in the DOS days, 15 years ago or so. But this is 2008.

This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.

Below are some details about the MBR rootkit's stealth features:

The ntoskrnl.exe module hook that executes the kernel-mode downloader payload is set to the nt!Phase1Initialization function which resides in the INIT section. This means that after the system has initialized the section is wiped out from memory and no sign of the hook is any longer present.

The rootkit stores data that's required to survive reboots in physical sectors instead of files. This means that the data, including the real payload, is not visible or in any way accessible to normal applications. Therefore the rootkit does not have to hook the normal set of interfaces to keep them hidden.

The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object which is shown in the picture below.

Disk Hook
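To make the layout the paragraphs above refer to concrete, here is an added Python example (not code from the post and not BlackLight's method) that parses a 512-byte MBR image into its bootstrap code, partition table and 0x55AA signature, and compares a captured sector against a known-good baseline. Both sample sectors are constructed: the "baseline" has a few bytes of typical boot-code prologue and one NTFS-type partition entry, and the "modified" copy has a different boot-code region with the same partition table, which is the shape an infection that replaces the loader but keeps the system booting takes. Comparing on a SHA-256 of the boot-code region is an assumption made for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE_OFF = 510            # 0x55AA marks a valid boot sector
BOOT_SIGNATURE = b"\x55\xaa"

# One partition entry: status, CHS start (3 bytes, ignored here), type,
# CHS end (3 bytes, ignored), LBA of first sector, sector count.
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed samples. The boot-code bytes are just a few typical prologue
# opcodes (cli / xor ax,ax / mov ss,ax / mov sp,0x7c00); they are not a real loader.
BASELINE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 63, 1_000_000)])
MODIFIED_MBR = build_mbr(b"\xeb\x58\x90" + b"\x90" * 40, [(0x80, 0x07, 63, 1_000_000)])


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash and its non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                      # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Report what differs between a trusted baseline and a freshly read sector."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a disk image or a raw device (on Windows the raw
    device path is \\\\.\\PhysicalDrive0 and needs administrator rights)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    print("baseline vs itself:   ", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs modified: ", compare_mbr(BASELINE_MBR, MODIFIED_MBR))
```

The caveat follows directly from the post: because the rootkit hooks disk.sys to hide and protect the modified MBR, a sector read from inside the infected system may come back looking exactly like the baseline. The comparison is trustworthy when the sector is read from offline media or through a path the rootkit does not filter, which is why detection from within the running system needed new technology rather than a simple read-and-hash.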

Another interesting feature of the MBR rootkit that has not received very much public discussion is its networking layer and firewall bypassing capabilities. One reason for this might be that this part of Mebroot's code is heavily obfuscated and time consuming to analyze.

It is known that the rootkit's main purpose is to act as an ultimate downloader. To be stealthy and effective it is essential that the rootkit neither triggers nor is blocked by personal firewalls. It is able to achieve this by operating in the lowest parts of the NDIS layer, just above the physical hardware.

Only a single DWORD is hooked at all times from the NDIS internal structures. To send packets the rootkit uses the SendPacketsHandler function implemented by the actual hardware specific driver.

NDIS Hook

The rootkit uses its own unmodified versions of NDIS API functions it needs to operate. This has been done before by some malware, such as Rustock and Srizbi. However, what we have not seen before is the fact that the MBR rootkit uses a "code pullout" technique to only load the relevant code from the ndis.sys driver instead of loading the whole ndis.sys driver as its private module into memory.

This means that the memory fingerprint of the malware is smaller and there are no additional modules loaded into the system address space which might trigger some forensic tools.

This malware is very professionally written and produced. Which of course means it's not written for fun. Initial samples from December 2007 and January 2008 were at beta stage. Now it appears that the malware is fully-baked and more active distribution has begun. During the weekend our Security Lab started to receive information about multiple drive-by exploit sites spreading the latest version. (However, at the moment these attacks cannot be considered as widespread.)

The actual site hosting the exploit code utilizes the following exploits:

     Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
     AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
     Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
     GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
     Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
     Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
     DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
     Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow

Proof of concept code for two of the exploits was publicly disclosed just less than a month ago.

The downloaded payloads seem to clearly target online banking and other financial systems.

We detect the latest MBR rootkit variant as Backdoor.Win32.Sinowal.Y.
The exploit site is currently resolving to an IP address of 216.245.195.114 and seems to still be active.

Here's some more information on Mebroot from Gmer, Prevx, and Symantec:

Gmer — MBR
Prevx — Master Boot Record Rootkit is here and ITW
Symantec — From BootRoot to Trojan.Mebroot: A Rootkit in Your MBR!
Symantec — The Flow of MBR Rootkit Trojan Resumes

 
 

 
 
Storm Reactivating Posted by Mikko @ 07:21 GMT

We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning.

Right now they are sending a wide variety of mails regarding ecards, along these lines:

Check out your ecard.

If you follow the link, you end up with a malicious site that looks like this:

FunnyPostCard

Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files are variable but they always do the same thing: infect your system with the latest Storm/Zhelatin variant.

We detect these as Email-Worm.Win32.Zhelatin.vg.