This is a short conference report from the DEFCON 12 conference in Las Vegas. DEFCON is the largest computer underground event in the world, with thousands of black, grey and white hat hackers (as well as security professionals, law enforcement members and undercover agents) gathering for a weekend in extreme heat (41 C today) in Las Vegas.
This year's program is especially interesting from an antivirus point of view, as several conference speakers focus on the issue. Today we heard two presentations on mobile phone and PDA security, with direct implications for future mobile viruses. It seems perfectly possible that we will see fully automated Bluetooth worms in the future. Such worms would spread over the air among the mobile phone population, much like flu: to get infected, it's enough to be close enough.
There has also been lots of discussion on Windows XP Service Pack 2, which should be out in August. This service pack includes a firewall which monitors traffic in both directions and which will be on by default. SP2 will also have generic protection against overflows. Consensus is that once SP2 becomes commonplace, it will make it much harder to create automatic network worms like Blaster or Sasser.
Zindos and Mydoom.M work together. Mydoom.M laid out the path by infecting a large number of systems and preparing a list of them. Judging from the coding style, the two worms were created by the same author, which further supports the idea that this is a two-stage attack.
Zindos hitches a ride on the Mydoom.M highway. It uses the lists and the backdoors prepared by Mydoom.M to spread quickly and hit its target, which is www.microsoft.com.
Mydoom.M uses the Google, Yahoo, Lycos and Altavista search engines to find email and domain addresses. As a side effect, the infected computers cannot access these sites.
This is not the first Mydoom that affects a particular web site. Previous Mydoom variants intentionally targeted SCO and Microsoft. We don't think Mydoom.M prevents access to Google, Yahoo, Lycos and Altavista intentionally - this looks like a side effect.
One of the hot topics over the last months has been the continuing DDoS & extortion attacks against mostly UK-based gambling sites.
According to a recent article in The Financial Times (titled "Internet gambling extortion racket broken up"), three men in their early 20s were arrested in raids in Russia.
Apparently they were launching big DDoS attacks from botnets against gambling sites, then emailing them and asking for $50,000 not to do it again.
The extortion money was rerouted to Russia via the Caribbean and Latvia, but the UK police were nevertheless able to trace it, eventually leading to the arrests.
So...so far, the year looks pretty good:
Month - Country: Case
July - Russia: Three DDoS hackers arrested
June - Hungary: Magold virus author sentenced
June - Finland: VBS/Lasku virus author arrested
May - Taiwan: Peep backdoor author arrested
May - Canada: Randex variant author arrested
May - Germany: Agobot variant author arrested
May - Germany: Sasser & Netsky author arrested
This case is very similar to the Symbian Cabir worm which was found a month ago.
This is a new proof-of-concept virus, written by a member of the 29A virus-writing group. It has not been found in the wild and is not known to be spreading at all; it will never become a problem in the real world.
Unlike Cabir, Duts is a traditional parasitic virus. It infects other programs in the PocketPC PDA, and spreads from one PDA to another when people exchange programs (for example, by beaming a game).
When an infected file is executed the virus asks for permission to infect:
When granted the permission, Duts attempts to infect all EXE files in the current directory.
Duts contains two messages that are not displayed:
One is a reference to the science-fiction book Permutation City by Greg Egan, where the virus got its intended name from:
As usual, virus writers don't get to name their viruses - we do. So we named it Duts instead of Dust.
The other message is:
This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ....
Do note that this virus would also be capable of infecting mobile phones running an ARM-based version of PocketPC.
F-Secure have shipped an update for F-Secure Anti-virus for PocketPC to detect WinCE.Duts.1520.
We've received information according to which the first virus for the PocketPC environment has been found. PocketPC is the Microsoft operating system for handheld devices (such as Ipaqs, Jornadas and Looxs) and some new mobile phones.
PocketPC viruses have been the subject of great speculation for years, as the operating system is fairly common, easily accessible and easily programmable, and there's tons of viral source code for other Windows operating systems available.
The beginning of the Bagle.AF outbreak last night looked pretty bad, as the initial burst of infections was big and worldwide. However, since then the amount of infections has leveled out and we don't expect this to become any bigger problem. It seems that the virus was seeded much more aggressively than some of the other recent Bagle variants.
Seeding is when the virus author sends the virus to a long list of email addresses to start the outbreak. This is typically done with spammer tools, from third-party computers that the virus writer controls and whose owners know nothing about it.
With the release of the Bagle worm's source code we expected new variants based on that to appear. The source code itself is a somewhat stripped down version of Bagle.Z. Bagle.AF, however, is much closer to Bagle.Z in functionality. This suggests that the author of Bagle.AF had the source code of Bagle.Z in his possession and was not a third party.
It's been 10 weeks now since Sven Jaschan, the alleged author of the Netsky and Sasser worm families, was arrested. Even though he stopped writing and distributing his viruses two and a half months ago, his viruses still top the charts.
For example, in our virus stats, 8 out of the top 10 viruses in the wild right now are Netsky variants.
Sasser is also still found in the wild, although it's no longer nearly as common as Netsky. Sasser was a network worm; the Netskies are email viruses. Network worms typically cause big peaks and then fade away... but won't die off totally for many years.
Today is the second Tuesday of the month, and it's the Microsoft security patch day.
In July's patch batch Microsoft is releasing patches against 7 new vulnerabilities, two of which are critical. Most likely some of these new vulnerabilities, such as MS04-022, will eventually end up being used in future internet worms.
A new massmailer called Atak has been found. We haven't seen too many reports so far, probably because many office workers are enjoying holidays and are not reading their email.
Atak drops itself as a file called HINT.EXE in the \WINDOWS\SYSTEM32 directory and employs a lot of anti-debugging tricks.
It also contains this text written in k-rad elite speak...meaning "attack against Netsky, Bagle, Mydoom, Lovgate, Nachi and Blaster".
At a time when people mostly get hit by email or network worms, it's typical that an infected computer has just a couple of infected files, or even just one. This might explain why we've been getting confused reports from people who've been hit by some of the latest Lovgate variants.
Lovgate spreads in a variety of ways, one of which is a "companion" infection. A companion virus renames its target file so that the user runs the virus rather than the real program. For example, Lovgate.AE will locate EXE files on the hard drive, rename them to have a ".ZMX" extension instead of ".EXE" and drop itself as an .EXE file with the same name in the same directory. Lovgate.AH does the same but uses ".~EX" as the extension.
So for example a directory like this:
Will end up looking like this:
The virus might do this renaming operation to hundreds of EXE files in one go. End result: instead of finding one or two infected files, the user will find masses of them. With Lovgate, this is normal.
Companion viruses are really an old idea. In the early 1990s, they typically worked by simply dropping a program called FILE.COM if FILE.EXE existed in the same directory, exploiting the DOS execution order. For example, see the HLLC.Plane featured in our Update Bulletin 2.25 from April 1996: https://www.f-secure.com/virus-info/bulletins/bull-225.shtml.
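A recovery helper for the companion-renaming pattern described above, added here as an example and not F-Secure's own tool: it walks a directory tree, finds FOO.ZMX or FOO.~EX files sitting beside a FOO.EXE, quarantines the dropped EXE by renaming it (never deleting), and gives the original program its name back. The function names, the quarantine suffix and the sample directory are all constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the Lovgate variants described above give to the renamed originals.
COMPANION_EXTS = {".zmx", ".~ex"}


def find_companion_pairs(root):
    """Return sorted (renamed_original, dropped_exe) pairs found under root.
    A pair is FOO.ZMX or FOO.~EX next to FOO.EXE (matched case-insensitively,
    as Windows would); a lone .ZMX file with no matching .EXE is ignored."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in COMPANION_EXTS:
                exe = by_lower.get(stem.lower() + ".exe")
                if exe is not None:
                    pairs.append((Path(dirpath, name), Path(dirpath, exe)))
    return sorted(pairs)


def restore_companions(root, quarantine_suffix=".quarantine"):
    """Quarantine each dropped EXE (renamed, never deleted, so a false
    positive costs nothing) and give the original its .EXE name back.
    Returns the number of programs restored."""
    restored = 0
    for original, dropped in find_companion_pairs(root):
        dropped.rename(dropped.with_name(dropped.name + quarantine_suffix))
        original.rename(dropped)  # FOO.ZMX -> FOO.EXE now that the name is free
        restored += 1
    return restored


def build_sample_tree():
    """Constructed sample directory mimicking a Lovgate.AE/.AH infection."""
    root = Path(tempfile.mkdtemp(prefix="lovgate_demo_"))
    (root / "game.zmx").write_bytes(b"original game")     # Lovgate.AE victim
    (root / "game.exe").write_bytes(b"dropped virus")
    (root / "tool.~EX").write_bytes(b"original tool")     # Lovgate.AH victim
    (root / "TOOL.EXE").write_bytes(b"dropped virus")
    (root / "clean.exe").write_bytes(b"untouched program")
    (root / "sub").mkdir()
    (root / "sub" / "lonely.zmx").write_bytes(b"no companion here")
    return root
```

Run `find_companion_pairs` first and review the list before calling `restore_companions`; a dropped EXE that is still running will refuse the rename on Windows, so do the cleanup with the machine otherwise idle.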
Yesterday, on the Fourth of July, new versions of Lovgate and Bagle were found. Well, the same thing just happened this morning. There are minor differences in the new variants, such as changed packers. Detection has been shipped in update 2004-07-05_01.
Also, the email worm we mentioned yesterday has been identified as Evaman.
A new variant of both Lovgate and Bagle has been found today. Updates for them will be released shortly, as 2004-07-04_01 and 2004-07-04_02, respectively.
We're also aware of a new email worm which sends fake email bounces to yahoo.com email addresses and installs itself as WINTASKS.EXE, but we've received no actual samples of this worm yet.
We've received some isolated reports of Lovgate.AE, but not enough to raise a Radar Alert about it. This is yet another Lovgate variant, spreading over email, Windows shares and the old RPC DCOM vulnerability. It installs a backdoor which can be used by the virus author to control all the infected machines.
The email replication part is nasty, as the virus tries to reply to all unread messages in the Outlook inbox and then delete them before the user has a chance to see them. It might append a poem by Rudyard Kipling to the replies it generates. The virus also renames all .EXE files to .ZMX, making recovery a bit laborious.
This variant is also known as Lovgate.AD and Lovgate.Y, depending on the vendor. We detect it as I-Worm.Lovgate.ae.
The Padodor/Qukart trojan discovered on June 25th, 2004, was created using Padodor backdoor code. This is the trojan that was downloaded to computers via hacked IIS sites.
There's now been some discussion on whether the Russian "HangUp team" virus group was involved with this case or not. Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents too. Up to the .G variant of Padodor they signed the backdoors with their "copyright" signature:
In the later variants of this backdoor the copyright string was removed, but the project name "padonok" remained there (Russian word "podonok" means "scum"):
We do not directly accuse the HangUp hacker group of writing Padodor; we only provide facts for investigation. We're not the police. It's the job of a court of law to decide whether someone is guilty or not after analysing all the evidence.
The author of the Cabrotor backdoor (aka Cabronator), the 26-year-old Spanish man Óscar López Hinarejos, has been convicted and sentenced to 2 years in jail. According to the Spanish newspaper La Vanguardia, this is the first case in which a virus writer has been sentenced to jail in Spain.
More information (only in Spanish) is available in El Mundo and El Periódico. It is also possible to read about it in El Pais and La Vanguardia (both require registration).