NEWS FROM THE LAB - July 2004

Saturday, July 31, 2004

Greetings from DEFCON 12 Posted by Mikko @ 02:07 GMT

This is a short conference report from the DEFCON 12 conference in Las Vegas. DEFCON is the largest computer underground event in the world, with thousands of black, grey and white hat hackers (as well as security professionals, law enforcement members and undercover agents) gathering for a weekend in extreme heat (41 C today) in Las Vegas.

[Image: DEFCON by day]

This year's program is especially interesting from an antivirus point of view, as several conference speakers focus on the issue. Today we've heard two presentations on mobile phone and PDA security, with direct implications for future mobile viruses. It seems perfectly possible that we will see totally automated Bluetooth worms in the future. Such worms would spread airborne among the mobile phone population, much like the flu: to get infected, it's enough to be close enough.

There has also been a lot of discussion on Windows XP Service Pack 2, which should be out in August. This service pack includes a firewall which monitors traffic in both directions and which will be on by default. SP2 will also have generic protection against overflows. The consensus is that once SP2 becomes commonplace, it will be much harder to create automatic network worms like Blaster or Sasser.

Also, I've spotted three Feds so far...

Signing off, Mikko

[Image: DEFCON at night]

Thursday, July 29, 2004

 
Mabutu worm - the next in line this summer Posted by Katrin @ 08:53 GMT

One more worm, known as Mabutu, is circulating.

Tuesday, July 27, 2004

 
Zindos' piggyback ride Posted by Gergo @ 17:40 GMT

Zindos and Mydoom.M work together. Mydoom.M laid out the path by infecting a large number of systems and preparing a list of them. Judging from the coding style, the two worms were created by the same author, which further supports the idea that this is a two-stage attack.

Zindos hitches a ride on the Mydoom.M highway. It uses the lists and the backdoors prepared by Mydoom.M to spread quickly and hit its target, which is www.microsoft.com.

Detailed information has been posted to the Zindos description.

Zindos worm Posted by Katrin @ 16:24 GMT

A new worm Zindos is spreading over the backdoor dropped by Mydoom.M. More information will follow shortly.

The side effect of Mydoom.M on Google, Yahoo, Lycos and Altavista Posted by Katrin @ 10:45 GMT

Mydoom.M uses the Google, Yahoo, Lycos and Altavista search engines to find email and domain addresses. As a side effect, the infected computers cannot access these sites.

This is not the first Mydoom that affects a particular web site. Previous Mydoom variants intentionally targeted SCO and Microsoft. We don't think Mydoom.M prevents access to Google, Yahoo, Lycos and Altavista intentionally; this looks like a side effect.

Monday, July 26, 2004

 
More reports of Mydoom.M Posted by Katrin @ 14:34 GMT

We have received several reports of the new Mydoom.M from the USA and from different countries in Europe.

Mydoom is at .M Posted by Gergo @ 14:09 GMT

A new variant of the Mydoom worm family was found. The next variant letter is M.

The worm is under analysis and more information will be posted when available.

Friday, July 23, 2004

 
DDoS hackers arrested Posted by Mikko @ 20:57 GMT

One of the hot topics over the last few months has been the continuing DDoS and extortion attacks against mostly UK-based gambling sites.

According to a recent article in The Financial Times (titled "Internet gambling extortion racket broken up"), three men in their early 20s were arrested in raids in Russia.

Apparently they were launching big DDoS attacks from botnets against gambling sites, then emailing the sites and asking for $50,000 in return for not doing it again.

The extortion money was rerouted to Russia via the Caribbean and Latvia, but UK police were nevertheless able to trace it, eventually leading to the arrests.

So...so far, the year looks pretty good:

Month  Country  Event
July   Russia   Three DDoS hackers arrested
June   Hungary  Magold virus author sentenced
June   Finland  VBS/Lasku virus author arrested
May    Taiwan   Peep backdoor author arrested
May    Canada   Randex variant author arrested
May    Germany  Agobot variant author arrested
May    Germany  Sasser & Netsky author arrested

Saturday, July 17, 2004

 
More on the first PocketPC virus Posted by Mikko @ 09:49 GMT

The first PocketPC virus is now known as WinCE.Duts.1520.

This case is very similar to the Symbian Cabir worm which was found a month ago.

This is a new proof-of-concept virus written by a member of the 29A virus-writing group. It has not been found in the wild and is not known to be spreading at all. It will never become a problem in the real world.

Unlike Cabir, Duts is a traditional parasitic virus. It infects other programs in the PocketPC PDA, and spreads from one PDA to another when people exchange programs (for example, by beaming a game).

When an infected file is executed, the virus asks for permission to infect:

[Image: Dust question dialog]

When granted permission, Duts attempts to infect all EXE files in the current directory.

Duts contains two messages that are not displayed:

One is a reference to the science-fiction book Permutation City by Greg Egan, which is where the virus got its intended name:

[Image: Dust]

As usual, virus writers don't get to name their viruses; we do. So we named it Duts instead of Dust.

The other message is:

 This is proof of concept code. Also, i wanted to make avers happy.
 The situation when Pocket PC antiviruses detect only EICAR file had to end ....

Do note that this virus would also be capable of infecting mobile phones running an ARM-based version of PocketPC.

F-Secure has shipped an update for F-Secure Anti-Virus for PocketPC to detect WinCE.Duts.1520.

Read eWeek's editorial on the issue.

Friday, July 16, 2004

 
First PocketPC virus Posted by Mikko @ 21:21 GMT

We've received information according to which the first virus for the PocketPC environment has been found. PocketPC is the Microsoft operating system for handheld devices (such as Ipaqs, Jornadas and Looxs) and some new mobile phones.

PocketPC viruses have been the subject of great speculation for years, as the operating system is fairly common, easily accessible and easily programmable, and there is a lot of viral source code for other Windows operating systems available.

[Image: F-Secure Mobile Anti-Virus]

F-Secure has been researching mobile platforms for years, and we have F-Secure Anti-Virus for PocketPC already available.

Stay tuned for more information.

Jigsaw Piece - 236 Posted by Mikko @ 21:21 GMT

[Image: Jigsaw]

Bagle.AF quieting down Posted by Mikko @ 11:50 GMT

The beginning of the Bagle.AF outbreak last night looked pretty bad, as the initial burst of infections was big and worldwide. Since then, however, the number of infections has leveled out and we don't expect this to become a bigger problem. It seems that the virus was seeded much more aggressively than some of the other recent Bagle variants.

Seeding is when the virus author sends the virus to a long list of email addresses to start the outbreak. This is typically done with spammer tools, from third-party computers that the virus writer controls and whose owners know nothing about it.

Bagle source code relations Posted by Gergo @ 09:13 GMT

With the release of the Bagle worm's source code, we expected new variants based on it to appear. The released source code itself is a somewhat stripped-down version of Bagle.Z. Bagle.AF, however, is much closer to Bagle.Z in functionality. This suggests that the author of Bagle.AF had the source code of Bagle.Z in his possession and was not a third party.

Several reports of a new Bagle variant Posted by Mikko @ 00:10 GMT

We've received several reports of the Bagle.AF email worm. Detection has been published in update 2004-07-16_01.

This one seems to be based on the source code distributed with the Bagle.AA variant over a week ago.

[Image: Bagle source code snippet]

Thursday, July 15, 2004

 
Sven still tops the charts Posted by Mikko @ 19:46 GMT

It's been 10 weeks now since Sven Jaschan, the alleged author of the Netsky and Sasser worm families, was arrested. Even though he stopped writing and distributing his viruses two and a half months ago, his viruses still top the charts.

For example, in our virus stats, 8 out of the top 10 viruses in the wild right now are Netsky variants.

[Image: F-Secure stats]

Sasser is also still found in the wild, although it's no longer nearly as common as Netsky. Sasser was a network worm; the Netskies are email viruses. Network worms typically cause big peaks and then fade away, but they won't die off totally for many years.

Tuesday, July 13, 2004

 
Microsoft patch day Posted by Mikko @ 19:43 GMT

Today is the second Tuesday of the month, which makes it Microsoft's security patch day.

In July's patch batch, Microsoft is releasing patches against 7 new vulnerabilities, two of which are critical. Most likely some of these new vulnerabilities, such as MS04-022, will eventually end up being used in future internet worms.

Monday, July 12, 2004

 
Atak attacks Posted by Mikko @ 15:38 GMT

A new massmailer called Atak has been found. We haven't seen too many reports so far, probably because many office workers are enjoying holidays and are not reading their email.

Atak drops itself in a file called HINT.EXE in the \WINDOWS\SYSTEM32 directory and employs a lot of anti-debugging tricks.

It also contains this text, written in k-rad elite speak, meaning "attack against Netsky, Bagle, Mydoom, Lovgate, Nachi and Blaster":

[Image: Atak text string]

Wednesday, July 7, 2004

 
Companion viruses Posted by Mikko @ 08:22 GMT

In these times, when people mostly get hit by email or network worms, it's typical for an infected computer to have just a couple of infected files, or even just one. This might explain why we've been getting confused reports from people who've been hit by some of the latest Lovgate variants.

Lovgate spreads in a variety of ways, one of which is a "companion" infection. A companion virus renames its target file so that the user runs the virus rather than the real program. For example, Lovgate.AE will locate EXE files on the hard drive, rename them to have a ".ZMX" extension instead of ".EXE", and drop itself as an .EXE file with the same name in the same directory. Lovgate.AH does the same but uses ".~EX" as the extension.

So for example a directory like this:

[Image: directory listing before infection]

Will end up looking like this:

[Image: directory listing after infection]

The virus might do this renaming operation to hundreds of EXE files in one go. End result: instead of finding one or two infected files, the user will find masses of them. With Lovgate, this is normal.

Companion viruses are really an old idea. In the early 1990s, they typically worked by simply dropping a program called FILE.COM if FILE.EXE existed in the same directory, exploiting the DOS execution order: when the user typed just FILE, DOS looked for and ran FILE.COM before FILE.EXE. For example, see HLLC.Plane, featured in our Update Bulletin 2.25 from April 1996:
https://www.f-secure.com/virus-info/bulletins/bull-225.shtml.
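As an added example (not code from the original post or from F-Secure), the following Python script finds companion pairs of the kind described above, a renamed original (.ZMX or .~EX) sitting beside an .EXE of the same base name, quarantines the dropped .EXE and gives the original its name back. The directory tree it runs on is constructed inline with placeholder bytes; the function and quarantine names are this example's own.

```python
import os, shutil, tempfile
from pathlib import Path

COMPANION_EXTS = {".zmx", ".~ex"}  # renamed originals: .ZMX (Lovgate.AE), .~EX (Lovgate.AH)

def find_companion_pairs(root):
    """Return sorted (renamed_original, suspect_exe) pairs under root: a file with a companion
    extension beside an .EXE of the same base name (case-insensitive, as on a Windows volume)."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            exe = lower.get(stem.lower() + ".exe")  # the .EXE is the dropped virus
            if ext.lower() in COMPANION_EXTS and exe is not None:
                pairs.append((os.path.join(dirpath, f), os.path.join(dirpath, exe)))
    return sorted(pairs)

def restore_pair(renamed_original, suspect_exe, quarantine):
    """Move the dropped .EXE into quarantine, then give the original its name back."""
    os.makedirs(quarantine, exist_ok=True)
    qname = suspect_exe.replace(os.sep, "_").replace(":", "")  # origin kept in the name
    shutil.move(suspect_exe, os.path.join(quarantine, qname))
    os.rename(renamed_original, suspect_exe)
    return suspect_exe

def build_sample_tree():
    """Constructed sample tree (placeholder bytes, not malware): two pairs, one clean file."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    os.makedirs(os.path.join(root, "TOOLS"))
    for name, body in [("GAME.EXE", b"virus"), ("GAME.ZMX", b"real game"),
                       ("TOOLS/EDIT.EXE", b"virus"), ("TOOLS/EDIT.~EX", b"real editor"),
                       ("CLEAN.EXE", b"untouched program")]:
        Path(root, *name.split("/")).write_bytes(body)
    return root

def demo():
    """Find the pairs, restore them and report the state of the tree afterwards."""
    root = build_sample_tree()
    pairs = find_companion_pairs(root)
    for original, exe in pairs:
        restore_pair(original, exe, os.path.join(root, "QUARANTINE"))
    result = {"pairs": [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in pairs],
              "game": Path(root, "GAME.EXE").read_bytes(),
              "editor": Path(root, "TOOLS", "EDIT.EXE").read_bytes(),
              "quarantined": len(os.listdir(os.path.join(root, "QUARANTINE"))),
              "left": len(find_companion_pairs(root))}
    shutil.rmtree(root)
    return result
```

On a real system you would point find_companion_pairs at the drive root and review the pairs before restoring, since a legitimate program may ship a file with an unusual extension next to its .EXE.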

Monday, July 5, 2004

 
Déjà Vu Posted by Mikko @ 07:32 GMT

Yesterday, on the Fourth of July, new versions of Lovgate and Bagle were found. Well, the same thing just happened this morning. There are minor differences in the new variants, such as changed packers. Detection has been shipped in update 2004-07-05_01.

Also, the email worm we mentioned yesterday has been identified as Evaman.

Sunday, July 4, 2004

 
New Lovgate, new Bagle Posted by Sami @ 17:39 GMT

A new variant of both Lovgate and Bagle has been found today. Updates for them will be released shortly, as 2004-07-04_01 and 2004-07-04_02, respectively.

We're also aware of a new email worm which sends fake email bounces to yahoo.com email addresses and installs itself as WINTASKS.EXE, but we've received no actual samples of this worm yet.

Friday, July 2, 2004

 
A new Lovgate variant going around Posted by Mikko @ 19:08 GMT

We've received some isolated reports of Lovgate.AE, but not enough to raise a Radar Alert about it. This is yet another Lovgate variant, spreading over email, Windows shares and the old RPC DCOM vulnerability. It installs a backdoor which can be used by the virus author to control all the infected machines.

The email replication part is nasty, as the virus tries to reply to all unread messages in the Outlook inbox and then delete them before the user has a chance to see them. It might append a poem by Rudyard Kipling to the replies it generates. The virus also renames all .EXE files to .ZMX, making recovery a bit laborious.

This variant is also known as Lovgate.AD and Lovgate.Y, depending on the vendor. We detect it as I-Worm.Lovgate.ae.

Thursday, July 1, 2004

 
HangUp <-> Padodor link Posted by Alexey @ 11:09 GMT

The Padodor/Qukart trojan discovered on June 25th, 2004, was created using Padodor backdoor code. This is the trojan that was downloaded to computers via hacked IIS sites.

There has now been some discussion on whether the Russian "HangUp team" virus group was involved in this case or not. Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents too. Up to the .G variant of Padodor, they signed the backdoors with their "copyright" signature:

[Image: copyright string]

In the later variants of this backdoor the copyright string was removed, but the project name "padonok" remained (the Russian word "podonok" means "scum"):

[Image: padonok string]

We do not directly accuse the HangUp hacker group of writing Padodor; we only provide facts for investigation. We're not the police. It's the job of a court of law to decide whether someone is guilty or not after analysing all the evidence.

Season of convictions Posted by Ero @ 08:37 GMT

The author of the backdoor Cabrotor (aka Cabronator), the 26-year-old Spanish man Óscar López Hinarejos, has been sentenced to 2 years in jail. According to the Spanish newspaper La Vanguardia, this is the first case in which a virus writer has been sentenced to jail in Spain.

More information (only in Spanish) is given in El Mundo and El Periódico. It is also possible to read about it in El Pais and La Vanguardia (both require registration).

A description of the backdoor can be found here.

The following picture shows the configuration screen of the backdoor server. (Picture copyright Kaspersky Labs)

[Image: cabrotor configuration screen (28k image)]