Creative has reported it has accidentally shipped almost 4000 MP3 players with a Windows virus. This happened in Japan with the 5GB Zen Neeons players that have been shipping for two months now. The filesystem on the players contains one file that is infected with the Wullik.B (also known as Rays.A) email worm. The worm won't infect PCs unless the user browses the player files and clicks on the infected file.
The worm in question is over two years old and spreads by emailing copies of itself and dropping itself into shared folders.
Creative is reporting (in Japanese) that the virus affects players with serial numbers between 1230528000001 and 1230533001680.
The big news of the weekend was the arrest of two guys related to the Zotob worms ("Diabl0" and "Coder").
But who are these guys really? And who's behind the other PnP worms that were found during the last two weeks?
Well, we know that "Diabl0" had also authored several of the Mytob variants since February this year. However, he's not behind all of them. There are around 70 known variants of Mytob and practically all of them create botnets of the infected machines. Some of these botnets have been controlled by unrelated groups, such as Blackcarder. And we found new Mytob variants just yesterday, which obviously are not written by Diabl0. So several people have access to the Mytob source code and have been making their own variants.
However, we do know that Diabl0 aka Farid Essebar was associated with 0x90-Team. For example, some earlier Mytob variants downloaded additional components from www.0x90-team.com/~diablo/.
The website of 0x90-team has been operating as an underground gathering site for bot authors for quite a while.
Interestingly enough, right after Diabl0 and Coder were arrested, someone defaced the site with an educational message - and a threat: "If you continue to hold this place to train script kiddies, we will come back".
This is what the site looked like on Saturday:
And then again, there are the competing groups, such as m00p. They seem to be behind several of the IRCBot variants that were using PnP vulnerability to spread. This group seems to be active although they had at least one of their members arrested last year.
We've now seen the first medium-scale internal infection of a company that was caused by a mobile virus.
On Wednesday this week, we were working on a case where a single company had a serious run-in with the Commwarrior.B virus. Several dozen employees of the company received Bluetooth or MMS transmissions of the virus during the day-long outbreak and over twenty of them actually opened the message on their phones and got infected with it.
Obviously such an incident would affect the operation of any company. This highlights the importance of writing clear guidelines on Bluetooth and MMS operation for corporate use.
On a related note, I was travelling in the UK on Thursday...and received the Cabir.B mobile virus on my own phone in the lobby of the Hilton Bracknell hotel! This is now the second time I've received a mobile virus in a real live situation.
So while we tell everyone else to keep Bluetooth off or hidden, we're actually keeping our own phones open and discoverable (and protected by our own antivirus). This way we get some kind of feel for just how much of this is really happening out there.
LURHQ has released their report on Myfip worms. It makes a fascinating read. Myfip is important because, unlike most worms, it is designed to steal documents from infected computers. Forbes Global has more on malware being used in intellectual property theft.
Myfip is of particular interest also because Myfip.h is a kernel-mode rootkit - it removes its process from Windows kernel process list. The worm does this without using a driver, which is unusual.
On a related note: BlackLight, F-Secure's rootkit detection technology, will be included as an integrated scanning engine in F-Secure IS2006 security suite due to be released during autumn 2005. You can download a beta version of IS2006 and see for yourself. The integrated rootkit scanner gives the following benefits over the stand-alone version: 1) It is easier to use, 2) it is updated automatically with anti-virus updates, 3) hidden files found by BlackLight are scanned with anti-virus engines.
In the previous weblog entry Mikko mentioned age issues. Well, it does not matter how old we are, what matters is how young we feel - and we feel young :-)
However, here is the status update on PnP related malware.
A new trojan, Viran.c, that uses the PnP vulnerability has been spammed today, appearing to be a message from Microsoft. It disguises itself as a removal tool for Zotob and other bots.
The spammed email contains the trojan as MS05-039.exe attachment and the email subject is "What You Need to Know About the Zotob.A Worm". If you decide to search the web for more information on this text, the first hit is Microsoft's page about the Zotob incident last week.
On Sunday the 14th we found a new virus around noon. Nothing special there, except that this one was using a brand new exploit against a brand new vulnerability: the MS05-039 PnP hole. I was the viruslab oncall manager for the week, so I called up other oncall people to work on the case. Jarkko analysed the virus from his home office and Jarno made his way to the office to test and publish a new update to detect this critter.
We added detection with the name "Zotob". I wrote a short blog entry on the incident and we moved on.
On Monday evening I got a call from Eki from our sales team. He was passing on a request from a customer who was having a hard time fighting something in their network. Turns out the customer had done many things right: they had up-to-date antivirus in their network. They had installed the latest Microsoft patches on their machines. But they hadn't rebooted the machines, and they were not running firewalls on the individual machines. And now they were hit with something that was causing hundreds of their Windows 2000 machines to reboot almost constantly.
I called up Alexey who was on call now. He had just left the office but he turned back to look at the case. It seemed to be a new Ircbot variant that had been modified to use the PnP exploit. Jusu was called in too to get out an update to everybody. Alexey stayed in for several hours to build a special tool to help the customer. Late in the evening I wrote a short blog note which contained a paragraph saying "Once again, patch now."
Otherwise things looked fairly calm, with very few reports of real-world problems from the field. But there was a storm in the air.
On Tuesday evening I'm going out to the theatre with my wife and a couple of friends. "Hairspray" is playing in Helsinki. I'm worried that if something big happens I might need to leave during the show. Katrin is nice enough to stand in for me for the evening although I'm on call.
The show is excellent and we have a great night. On my way home I send a text message with thanks to Katrin. Her response "no problem" arrives at 22:36 on Tuesday night.
I wake up right after 02:00: Rich from Microsoft is calling, asking if we're seeing increased PnP activity in the net. Literally while I'm speaking with him, my phone receives an automatic alert regarding network worm activity. Uh-oh. Better check out the situation.
I get to my computer to see that Ero in our US viruslab is already hard at work on the problem: there are at least two new worms spreading aggressively. Too bad, but I have to wake up Jusu again. He sounds awake enough and starts to make his way to the office.
We're getting reports of CNN having problems. I place two calls to CNN techies to get some kind of a handle on the situation, and it doesn't look good. Big companies have lots of Windows 2000 machines in their networks. Many of them simply haven't had enough time to test and deploy the patch everywhere.
Jusu gets the update out in high-speed mode and we issue a Radar alert at 03:36.
I'm chatting on the Messenger with Simon from Microsoft's Security Response Center and he seems to think the whole case is mostly media hype. But I'm not so sure. There are now several reports of infections at places like the Financial Times, New York Times and ABC.
Bob Sullivan from MSNBC calls me for a comment and we discuss at length how in most places the infection must have entered via infected laptops. I'm walking around my work room while talking, trying not to wake the rest of the house. Bob ends up writing a pretty sensible piece on the situation.
In the wee hours I send Ero home with thanks and start to type out a blog entry titled "The global PnP problems".
My wife wakes up around 5 in the morning. It has been really cold during the night and I'm wearing one of her pink pullovers, which she finds highly entertaining. Oh well.
I receive a couple of calls from CNN Center and they are asking if I could do a live phone interview. We do this at 05:15. It ends up being broadcast in Asia and the USA but not in Europe, so I didn't see it. However, old friend Nick Fitzgerald from New Zealand sends an email and says he saw it over there. I'm mailing back to confirm what he actually saw, because the last time I did a phone interview with CNN they - get this - ended up showing archived footage of Symantec's headquarters with my voice-over! This time they had actually managed to find a JPEG of me from the web.
My wife takes the 6 o'clock bus to work and I doze off on the couch, only to be woken up 15 minutes later by another automated alert text message which didn't really tell me anything new and really was the last thing I needed right now.
I wake up again at 07:30 to check out the morning news. The CNN weathergirl makes a comment about how her forecast isn't very detailed today because only one of her computers is working...
I get to the office before 9 and we try to make some sense of the mess of all these different bot variants with Alexey, Jarkko and Katrin. Katrin posts the now-legendary high-tech illustration on the topic to the web.
During Wednesday, Thursday and Friday we find dozens of new worm and bot variants, all recycling the same 'Houseofdabus' exploit code. New infections are reported from several large companies and I spend almost an hour on the phone on Thursday with one Swiss company trying to fight it.
But overall, the situation starts calming down. Many companies were not affected in any way during the whole outbreak. Most others started getting their patches out by the end of the week.
From our point of view, this PnP saga is now a case closed. I suppose we're now waiting for the next big thing.
These outbreak weeks are getting harder to recover from every year. And we aren't getting any younger, are we?
We had three core members of the Trifinite group visiting us this week. Trifinite is known for their Bluetooth hacking expertise and development of tools such as Bloover, Blueprint and Car Whisperer.
During two days we looked at lots of interesting subjects: we tested several different Bluetooth viruses in our RF Lab, looked for security holes in the built-in Bluetooth phone of the new Audi A8 (found none), tried crashing various different phones with Bluetooth ping-of-death attacks (and managed to crash some of our most common phone models), soldered together a couple of modified Bluetooth dongles and did some long-range Bluetooth scanning from the sauna balcony on the 8th floor of our office to a nearby pier…
All in all, very interesting stuff. Thanks for the visit, Adam, Martin and Marcel!
This started picking up today as more and more people spotted it. Definitely worth mentioning.
The Msdds.dll component is not installed by default with Windows, but might come with several other Microsoft applications. A vulnerability in it allows for malicious exploitation upon visiting a website.
Here is a status update on the malware using the Plug-and-Play vulnerability (MS05-039).
Over the last four days we have received 11 different samples of malware using this vulnerability. Currently there are three Zotob variants (.A, .B and .C), one Rbot (.YK), one Sdbot (.ADB), one CodBot, three IRCbots (.ES, .ET and .EX) and two variants of Bozori (.A, .B).
Variants from both IRCBot and Bozori families are deleting competing PnP bots.
It seems there are two groups that are fighting: IRCBot and Bozori vs Zotobs and the other Bots.
There are now nine different worms or bots using the week-old Plug-and-Play vulnerability. Most of the recent problems are caused by a worm we call Zotob.D and two bots we call Ircbot.es and Ircbot.et.
The main scenario remains the same: these things will only infect you via the MS05-039 vulnerability if you're running Windows 2000 with port 445/TCP open - and you haven't installed last week's patches. Or you have installed the patches but haven't rebooted.
The big organizations that are getting hit right now have most likely introduced the infection to the internal network via infected laptops.
The Internet Storm Center reports that the case being followed by CNN is, most likely, mainly restricted to their network. Either Zotob or an RBot variant seems to be behind this. RBot was discovered today and exploits the LSASS and PnP vulnerabilities.
Apparently there were a good deal of unpatched systems. As it seems, even computers at CNN, ABC and The New York Times have been going down. No exact culprit has been identified at this point, but one or several of the recently released worms exploiting MS05-039, such as Zotob, are probably responsible.
Autumn is coming with several interesting conferences. Now is the time to book if you plan to attend any.
Here are three conferences we can recommend.
15th-16th of September: T2'05 Data Security Conference in Helsinki, Finland
We're sponsoring this conference and have three presentations from our viruslab staff in the program.
The rest of the program is pretty good too, including presentations from Fravia, Dan Kaminsky and Job de Haas.
26th-29th of September 2005: HITBSecConf2005 in Kuala Lumpur, Malaysia
HITBSecConf is known as the best computer security conference in Asia. Past and future speakers in the conference include Captain Crunch, Bruce Schneier, The Grugq, Adam Gowdiak, San, Roberto Preatoni and Theo De Raadt.
5th-7th of October 2005: Virus Bulletin 2005, in Dublin, Ireland
This is the 15th annual installment of the most important antivirus conference.
The conference program contains several gems, including presentations from Jarno Niemela and Kimmo Kasslin from our staff. And there's a presentation from Dr. Vesselin Bontchev, titled "Current status of the CARO malware naming scheme". This should be a blast.
We were contacted some hours ago by an organization that had several hundred Windows computers in their internal network infected by a new variant of Ircbot. While analysing the malware, we noticed that this Ircbot variant had something new up its sleeve: instead of the usual replication methods of guessing share passwords or probing for RPC/LSASS vulnerabilities, this bot was using the brand new MS05-039 Plug-and-Play vulnerability - just like the Zotob worm.
The organization in question had lots of Windows 2000 machines behind their master firewall. Once one machine got infected, the bot could easily find lots of machines to infect in the internal network.
Once again, patch now.
We named the new critter Backdoor.Win32.IRCBot.es. Full details can be found from the description.
PS. One more Zotob variant (Zotob.C) has been found too. This one spreads over both PnP and ASN.1 vulnerabilities as well as via email.
Shortly after Zotob.A, another variant, named Zotob.B, appeared. This one is almost identical to the previous variant. See the description of Zotob.B for more information. We detect this Zotob with update 2005_08_15-02.
Also, there is some confusion about what exploits Zotob uses. The variants we know use only the PnP exploit (MS05-039). They don't use any other exploits (for example LSASS). Maybe Zotobs are being confused with other IRC bots using the PnP exploit. There are several of these in the wild now.
A new worm, known as Zotob, using the MS05-039 Plug-and-Play vulnerability has been found.
This is nasty, as patches for this vulnerability have only been available for five days. Patch now.
The worm is based on Mytob and might be using exploit code published by 'houseofdabus' four days ago.
This whole case has a nasty ring to it...the infamous Sasser worm was released two days after houseofdabus released exploit code for the LSASS vulnerability.
However, Zotob is not going to become another Sasser. First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, the majority of Windows boxes on the net won't be hit by it.
This worm replicates by scanning random machines on port 445/TCP. When a victim is found, the exploit code downloads the main virus file via ftp from the scanning machine, sets up an ftp server on the newly infected machine and starts scanning for more targets.
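The replication pattern described here (and in the status update above: Windows 2000, 445/TCP open, patched but not rebooted) leaves a distinctive trace in connection logs: one host touches many peers on 445/TCP, and some of those peers then connect back to it on 21/TCP to fetch the body. The following is an added example of a detector for that pattern; it is not F-Secure's tooling or anything from the worm. The flow records are constructed, the (epoch, src, dst, dport) layout is an assumption about the log source, and the 20-peers-per-minute threshold is a tuning guess.

```python
"""Spot a host sweeping 445/TCP across many peers, and exploited peers
that then fetch a file back over FTP from that same host.

Added example, not F-Secure's tooling. Flow records are constructed;
the (epoch, src, dst, dport) layout and the threshold are assumptions."""
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records: (epoch seconds, src, dst, dport). Not real telemetry."""
    t0 = 1124240000
    flows = []
    # A normal desktop reopening sessions to one file server: a single 445 peer.
    for i in range(30):
        flows.append((t0 + i, "10.1.3.9", "10.1.0.5", 445))
    # An infected Windows 2000 box walking a /24 on 445, one host per second.
    for i in range(1, 41):
        flows.append((t0 + i, "10.1.2.55", f"10.1.7.{i}", 445))
    # Two exploited hosts pull the worm body back from the scanner's FTP server.
    flows.append((t0 + 12, "10.1.7.11", "10.1.2.55", 21))
    flows.append((t0 + 30, "10.1.7.29", "10.1.2.55", 21))
    return flows


def distinct_peers_in_window(events, window):
    """Largest number of distinct destinations seen inside any `window` seconds.
    `events` is a list of (epoch, dst) for one source."""
    events = sorted(events)
    counts = defaultdict(int)
    lo = best = 0
    for hi, (t, dst) in enumerate(events):
        counts[dst] += 1
        while t - events[lo][0] > window:      # slide the window's left edge
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def find_pnp_sweepers(flows, min_targets=20, window=60):
    """Return {scanner: {"targets": n, "ftp_pullers": [...]}} for sources that
    reach >= min_targets distinct hosts on 445/TCP inside `window` seconds,
    plus the scanned hosts that later connected back to them on 21/TCP."""
    sweeps = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == 445:
            sweeps[src].append((t, dst))
    hits = {}
    for src, events in sweeps.items():
        n = distinct_peers_in_window(events, window)
        if n >= min_targets:
            hits[src] = {"targets": n, "ftp_pullers": []}
    for t, src, dst, dport in flows:
        # A victim fetching the body: FTP back to a flagged host that scanned it.
        if dport == 21 and dst in hits and any(d == src for _, d in sweeps[dst]):
            hits[dst]["ftp_pullers"].append(src)
    return hits


if __name__ == "__main__":
    for host, info in find_pnp_sweepers(build_sample_flows()).items():
        print(f"{host}: {info['targets']} peers on 445/TCP, "
              f"FTP pulls from {info['ftp_pullers']}")
```

The file-server desktop is not flagged even though it opens far more 445 sessions than the threshold, because it only ever talks to one peer; distinct destinations, not connection count, is what separates a sweep from normal SMB use.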
While we were adding detection of this worm, we found this message hidden inside the virus:
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
These are minor variants of each other, sending emails with attachments related to Taxation, such as The_reporting_of_taxes.zip or To_reduce_the_tax.zip. Once again, these archives contain executable files with misleading icons.
Some of the archives are ZIP files, some of them are RAR files and some of them are ZIP files with a .RAR extension. The wrong extension is used by the virus apparently because some gateway filters might fail to unpack such files while many unpackers used by end users will unpack them fine.
For the record: F-Secure Internet Gatekeeper, F-Secure Anti-Virus for Microsoft Exchange and F-Secure Anti-Virus for Firewalls are able to unpack such archives fine.
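The extension trick above works only against filters that trust the file name. As an added example (not F-Secure's gateway code), here is a check that identifies the archive by its leading bytes instead, flags a name/content mismatch, and lists members whose own extension marks them as directly runnable. The ZIP is built in memory with the standard library; the RAR header is a constructed stub, enough to sniff the format but not a real archive, and the attachment names are taken from the post.

```python
"""Check that an attachment's bytes agree with its extension and list
executable-looking members, the gateway-evasion trick the tax-themed mails use.

Added example, not F-Secure's code. Sample ZIP built in memory; the RAR
header bytes are a constructed stub, not a real archive."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                # local file header of a ZIP archive
RAR_MAGICS = (b"Rar!\x1a\x07\x00",       # RAR 1.5 - 4.x
              b"Rar!\x1a\x07\x01\x00")   # RAR 5
RISKY_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def sniff_archive(data: bytes):
    """Identify the container by its leading bytes, ignoring the file name."""
    if data.startswith(RAR_MAGICS):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return None


def declared_ext(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def risky_members(data: bytes):
    """Names inside a ZIP whose extension marks them as directly runnable."""
    if sniff_archive(data) != "zip":
        return []   # RAR bodies need a RAR library; they are only sniffed here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if declared_ext(n) in RISKY_EXTS]


def inspect_attachment(name: str, data: bytes) -> dict:
    """Report declared vs actual type; 'mismatch' is the evasion sign."""
    ext = declared_ext(name)
    actual = sniff_archive(data)
    return {
        "name": name,
        "declared": ext,
        "actual": actual,
        "mismatch": actual is not None and ext in ("zip", "rar") and ext != actual,
        "risky_members": risky_members(data),
    }


def make_sample_zip() -> bytes:
    """Constructed sample: a real ZIP holding a stand-in for the .exe payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("The_reporting_of_taxes.exe", b"MZ stand-in, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("The_reporting_of_taxes.zip", make_sample_zip()),
        ("To_reduce_the_tax.rar", make_sample_zip()),            # ZIP wearing a .RAR name
        ("To_reduce_the_tax.rar", RAR_MAGICS[0] + b"\x00" * 16),  # constructed RAR stub
    ]
    for name, blob in samples:
        print(inspect_attachment(name, blob))
```

A gateway that dispatches on the sniffed type rather than the extension unpacks the mis-named ZIP like any other, which is the behaviour the post credits the F-Secure gateway products with.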
The 10th World Championships in Athletics (ie. track & field) are in full swing in Helsinki. This is one of the biggest sporting events this year worldwide, and there are spectators from more than 200 countries visiting Finland this week.
The games started on Saturday, and since then we've received several independent reports of Cabir spreading to mobile phones in the stadium area.
This happens easily when you gather tens of thousands of people from all over the world into a very small area. In fact, to some extent the same thing was happening during the Live 8 concerts earlier this summer.
We now have staff at the stadium assisting visitors in cleaning out affected phones.
Almost half of the phishing messages we see currently are targeting eBay. However, we've lately seen a new technique used to lure eBay users to divulge their account password.
Instead of sending a fake message from eBay administrators, this message claims to be from a fellow eBay user, complaining: "I sent you the money , where's the package ? You promised that after i send the money you send the goods asap . is this a fraud?"
The reply link goes to an average phishing site, querying the user's eBay login and password.
This fake site is still up, but eBay is very effective in taking down rogue sites like these so it should disappear soon.
Blankfont.A is a SIS file trojan that installs a corrupted font file on the infected device. The corrupted font does not cause the device to crash, but if the device is rebooted it will lose the system font, and is unable to display user interface texts.
Even though the display is corrupted no data is lost, and the phone can be disinfected by removing the corrupted file or uninstalling the SIS file. However, as the display is corrupted, this is not as easy as it sounds. We are working on a disinfection tool that is easy to use even while the display is corrupted, so that the trojan can be easily removed.
So far we have received only one sample of Blankfont.A, so it is not widespread. And like other Symbian trojans it pretends to be pirated software, so people who don't install software from illegal sources are not at risk.
The controversy around the "Danom" MSH/Monad virus family and whether it is the first virus for Windows Vista or not is clearing up.
Last night Microsoft Security Response Center's Blog wrote - and I quote: "Monad will not be included in the final version of Windows Vista".
This is the first time Microsoft in any official way announced that Monad will not be in the release version of Windows Vista (until this there were just various rumors). So I mailed Stephen Toulouse who wrote the blog entry. And he confirmed: "The current plan of record is that it won't be in Windows Vista".
So that's it. The Danom viruses will not run in the default Windows Vista. They are not Windows Vista viruses. They are just MSH viruses.
While talking about MSH: many people have asked us how to get the beta version.
Get it by following these instructions (thanks to Adam Barr):
1. Go to beta.microsoft.com
2. Sign in using your Passport account
3. Enter guest ID "mshPDC"
4. Click on the "Microsoft Command Shell Preview" link
5. Follow directions

- OR -

1. Download and install the WinFX SDK Beta 1
2. From the Start menu, choose "All Programs", then "Microsoft Windows SDK", then "Install Windows Command Shell"
Latest beta of MSH works fine under Windows XP - and it is a very nice and very powerful shell!
Apparently someone took Bagle's source code and added some new functionality to it. Usually, Bagles try to download Mitglieder trojans for opening up spam proxies on infected computers. Yesterday we got a sample of a new Bagle that has Mitglieder-like proxy and SMTP relay functions built in.
In addition to the typical Bagle backdoor, Bagle.bw can also act as a SOCKS v4/5 proxy, HTTP CONNECT proxy and SMTP relay.
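A workstation that starts accepting SOCKS, HTTP CONNECT or SMTP client traffic from the outside is the observable side of what is described above. As an added example (not F-Secure's or Bagle's code), the following classifies the first bytes a client sends by the public SOCKS4, SOCKS5 and HTTP CONNECT formats and the SMTP EHLO/HELO greeting, then reports which workstations in a constructed set of captured connections are being used as proxies. The payloads, addresses and host names are constructed.

```python
"""Classify the first bytes a client sends to spot workstations that have
started accepting proxy or relay traffic.

Added example, not F-Secure's or Bagle's code. Protocol checks follow the
public SOCKS4, SOCKS5 and HTTP CONNECT formats; sample data is constructed."""
import socket
import struct


def parse_proxy_request(payload: bytes) -> dict:
    """Return {"proto": ..., "dest": ...} for a SOCKS4 CONNECT, SOCKS5
    greeting, HTTP CONNECT or SMTP client greeting; "unknown" otherwise."""
    # SOCKS4: VN=0x04, CD=0x01 (CONNECT), DSTPORT (2 bytes BE), DSTIP (4 bytes), USERID, NUL
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] == 0x01:
        (port,) = struct.unpack("!H", payload[2:4])
        ip = socket.inet_ntoa(payload[4:8])
        return {"proto": "socks4", "dest": f"{ip}:{port}"}
    # SOCKS5 greeting: VER=0x05, NMETHODS, METHODS[NMETHODS]; destination comes later
    if len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]:
        return {"proto": "socks5", "dest": None}
    head = payload[:128]
    # HTTP CONNECT: "CONNECT host:port HTTP/1.x"
    if head.startswith(b"CONNECT ") and b" HTTP/1." in head:
        target = head.split(b" ", 2)[1].decode("ascii", "replace")
        return {"proto": "http-connect", "dest": target}
    # An SMTP client talking to a relay opens with EHLO/HELO
    if head[:5].upper() in (b"EHLO ", b"HELO "):
        return {"proto": "smtp", "dest": None}
    return {"proto": "unknown", "dest": None}


def flag_proxy_hosts(connections, workstations):
    """connections: (src, dst, dport, first_bytes). Return {dst: sorted protos}
    for workstations that accept proxy/relay-style requests inbound."""
    flagged = {}
    for src, dst, dport, first in connections:
        if dst not in workstations:
            continue   # servers may legitimately proxy; workstations should not
        proto = parse_proxy_request(first)["proto"]
        if proto != "unknown":
            flagged.setdefault(dst, set()).add(proto)
    return {host: sorted(protos) for host, protos in flagged.items()}


def build_sample_connections():
    """Constructed captures: first client bytes seen on inbound connections."""
    socks4 = b"\x04\x01" + struct.pack("!H", 25) + socket.inet_aton("198.51.100.7") + b"x\x00"
    socks5 = b"\x05\x02\x00\x02"
    http = b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net:25\r\n\r\n"
    smtp = b"EHLO bulkmailer.example\r\n"
    benign = b"GET / HTTP/1.0\r\nHost: intranet\r\n\r\n"
    return [
        ("203.0.113.9", "10.2.5.41", 8118, socks4),
        ("203.0.113.9", "10.2.5.41", 8118, socks5),
        ("203.0.113.22", "10.2.5.41", 8119, http),
        ("203.0.113.22", "10.2.5.41", 2525, smtp),
        ("10.2.5.3", "10.2.0.80", 80, benign),
    ]


if __name__ == "__main__":
    workstations = {"10.2.5.41", "10.2.5.3"}
    for host, protos in flag_proxy_hosts(build_sample_connections(), workstations).items():
        print(f"{host} is answering inbound {', '.join(protos)} requests")
```

Note that all four relay types share one property a defender can key on regardless of port: the destination the client asks for (port 25 in the SOCKS4 and CONNECT samples) is somewhere other than the workstation itself.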
An Austrian virus writer has published five simple viruses targeting Microsoft MSH in a virus writing magazine. These proof-of-concept viruses will never become a real-world problem, but the case is interesting historically, as these are the first viruses for a totally new platform.
MSH, or Microsoft Command Shell, is a command line interface and scripting language. It's basically a replacement for shells such as CMD.EXE, COMMAND.COM or 4NT.EXE and will ship in 2006. As a command-line front end, MSH resembles many Unix shells quite a bit.
As MSH (codenamed 'Monad') was scheduled to ship as the default shell for Windows Vista (which went to first beta last week), you could argue that these are the first viruses for Windows Vista. However, it has lately been rumoured that MSH might not ship with Vista at all - instead might be part of Microsoft Exchange 2006 or something. We won't know for sure until later.
The possibility of MSH viruses was forecasted last year by researcher Eric Chien (of Symantec) in his presentation in the Virus Bulletin 2004 conference titled "The return of script viruses - an overview of Microsoft Shell". In his presentation Eric concluded: "While Microsoft Shell is still in development, the current versions have enough functionality to allow a variety of malicious threats including file-infecting viruses". Right on.
The RISKS Digest is now 20 years old. And this forum for discussion of risks to the public in computers and related systems is as invaluable as ever. It is an excellent source to read about the risks of modern computing equipment.
Over the 20 years, RISKS has covered a wide variety of topics, from computer problems in the Shuttle to a runaway car from hell to thousands of flights getting canceled because of an overflow of a single integer.
Thanks for RISKS go to Dr. Peter G. Neumann, who has been editing RISKS from day one and has published several books on the topic.
Nowadays RISKS is of course also available as a feed from ncl.ac.uk.
The Trifinite group has come up with a new and interesting development again. They've just released an auditing tool called "The Car Whisperer".
Equipped with this software running on a Linux laptop and a suitable Bluetooth antenna, it is possible to connect to cars that have an insecure Bluetooth hands-free unit. After this, it is possible to eavesdrop on the discussion inside the car, or use the hands-free unit to talk to whoever is in the car.
This attack is made possible by the fact that many car manufacturers use a constant Bluetooth passkey such as "0000" or "1234". Which is a bad idea.