Archive for January 3rd, 2008

Holiday Tally: Storm Social-Engineering Manages a >200% Increase in Size

January 3rd, 2008 by Paul Ferguson (Advanced Threats Researcher)

Amazingly enough, social engineering works — and it manages to dupe ordinary users into clicking on links which masquerade as legitimate content: fake greeting cards, holiday greetings, etc.

And people keep on clicking on them.

Why should cyber criminals try harder when there is so much “low hanging fruit”?

Of course, that’s a rhetorical question.

But having said that, the Storm botnet is an amazing example of social engineering prowess — how people can be suckered into clicking on anything and, unfortunately, allow criminals to steal their login IDs and credit card credentials, and to remotely control and use their PCs for various other nefarious purposes.

The good folks over at the German HoneyNet Project have some interesting statistics which indicate that, due to renewed efforts over the course of the Christmas and New Year’s holiday, the puppet masters controlling the Storm Botnet managed to increase the Storm Botnet size by more than 200%.

These numbers also reflect the increases we have seen in Storm “seeding” activity over the holidays, which translates into an increasing number of detections.

But given that the newest iterations of Storm include (and revolve around) a newly promulgated rootkit component, it can be somewhat difficult to ascertain specific detection numbers.

Forget about what you may have heard in the popular trade press about other botnets — the Storm Botnet network is proving to be the “Energizer Bunny” of botnets.

It keeps going, and going, and going, and… unfortunately, users keep on allowing themselves to fall prey to these tactics.

Social engineering continues to be a major, major threat vector.

No worries — we’re staying vigilant, ensuring that our customers remain protected.

Paul “Fergie” Ferguson,
Network Security Intelligence,
Advanced Threats Research

Image source: Moritz Steiner, Honeyblog.org

Nintendo Wii Hacked

January 3rd, 2008 by Bernadette Irinco (Technical Communications)

Considered one of the most successful game consoles of all time, the Nintendo Wii seemed invulnerable, until now. According to The Register, security researchers Michael Steil and Felix Domke successfully hacked the Nintendo Wii gaming console during a presentation at the 24th Chaos Communication Congress held last week.

In the presentation, the two demonstrated that it was possible to run unofficial code on the console, though access to system resources and support for hardware was limited. The presentation highlights and proves the possibility of creating countless homebrew applications and games for the Wii.

The hack requires extracting the keys used to sign Wii code, which becomes possible due to Nintendo’s use of an unencrypted drive. So far, no exploitation of the hack has been reported in the wild, and the gaming company may be expected to respond by providing a patch or by voiding support for compromised systems.

Currently, running custom code on the Nintendo Wii requires manually installing modchips, and even then the code is restricted to Nintendo GameCube functionality, because of the backward compatibility the Wii offers for the GameCube. Vulnerabilities in the Wii’s Flash player also exist, though some have already been patched by the vendor.

Further exploration of this latest hack may soon allow custom code to make full use of the Wii’s functionality. This means a myriad of possibilities for developers, software creators and even malware authors — so let the games begin…

Storm Gets New Toys for Christmas

January 3rd, 2008 by Robert McArdle (Threats Analyst)

The latest wave of Storm (see previous posts here, here, here and here) has thrown up some interesting new techniques to make analysis even more difficult.

HIDDEN LINKS

The first is quite clever and is specifically targeted at any security company monitoring the Storm botnet. Looking at the latest Web page used by the threat, we noticed a number of commented-out HTML hyperlinks:

<!-- a href="fck2008.exe" -->
<!-- a href="fck2009.exe" -->

These in turn were followed by a small fragment of JavaScript:

<script language="javascript">
document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%5F%32%30%30%38%2E%65%78%65%22%3E%0D%0A' ) );
</script>click here

When decoded, the script above writes out the link from which the user actually downloads:

<a href="happy_2008.exe">

The two commented-out links are obviously intended to fool the automated crawlers used by security companies. Most crawlers check all of the Storm pages for any links (a href) and follow them to download new samples. A normal victim accesses the site, is completely unaware of the commented-out links, and downloads the actual binary (happy_2008.exe). The crawler, however, may not see the obfuscated link and instead requests the two fake ones.

At this point the attackers know they are dealing with a “non-legitimate” visitor and can block its IP address, launch a DDoS attack against it, or even serve it an older version of the threat so that the automated crawler does not think the threat has been updated.
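The crawler-side fix for the trap described above, as an added example that is not code from the original post: it discards hrefs that exist only inside HTML comments (the decoys) and decodes document.write(unescape(...)) payloads to recover the link a browser would actually render. The sample page is constructed to mirror the fragment quoted above, and the decoder also handles JavaScript’s %uXXXX form, which the page’s payload does not use.

```python
import re
from urllib.parse import unquote

# Constructed sample mirroring the fragment in the post: two commented-out
# decoy links, then document.write(unescape(...)) emitting the real link.
SAMPLE_HTML = """<html><body>
<!-- a href="fck2008.exe" -->
<!-- a href="fck2009.exe" -->
<script language="javascript">
document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%5F%32%30%30%38%2E%65%78%65%22%3E%0D%0A' ) );
</script>click here</a>
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
# document.write(unescape('...')), tolerating whitespace inside the call
WRITE_UNESCAPE_RE = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)


def js_unescape(s: str) -> str:
    """Decode what JavaScript's unescape() would: %uXXXX first, then %XX
    (ASCII payloads; unquote() treats multi-byte %XX runs as UTF-8)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def classify_links(html: str) -> dict:
    """Split hrefs into what a browser follows versus what only a naive
    regex crawler would see: plain (visible in markup), obfuscated (emitted
    by document.write/unescape) and decoy (present only inside comments)."""
    decoy = set()
    for body in COMMENT_RE.findall(html):
        decoy.update(HREF_RE.findall(body))
    stripped = COMMENT_RE.sub("", html)  # a browser never renders these
    obfuscated = set()
    for _quote, payload in WRITE_UNESCAPE_RE.findall(stripped):
        obfuscated.update(HREF_RE.findall(js_unescape(payload)))
    plain = set(HREF_RE.findall(stripped)) - obfuscated
    return {"plain": plain, "obfuscated": obfuscated,
            "decoy": decoy - plain - obfuscated}


def crawl_targets(html: str) -> set:
    """Links a sample-collection crawler should actually fetch."""
    found = classify_links(html)
    return found["plain"] | found["obfuscated"]
```

Running classify_links(SAMPLE_HTML) puts fck2008.exe and fck2009.exe in the decoy set and happy_2008.exe in the obfuscated set, so crawl_targets() requests only the binary a real victim would receive.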

ROOTKIT IMPROVEMENTS

Previous versions of the Storm family have had two components: an EXE that does the main work and a SYS file that hides it. The latest version, however, has done away with the EXE, and all operations are now carried out by the SYS file alone. Previously, researchers were able to disable the SYS file, thereby preventing the threat from hiding its activities. This is no longer an option, as disabling the SYS file now disables the entire threat.

In addition, while anti-rootkit tools such as IceSword still reveal the calls hooked by the rootkit (which can then be unhooked), the threat has been upgraded to stop IceSword (and others) from revealing which processes, ports, files, etc. it is hiding; again, this is targeted specifically at making an analyst’s job more difficult. To make things even more fun, the SYS file gets a new random name every time a machine is infected.

Neither of these techniques has any real additional effect on the normal victim of the attack, but by making analysis more difficult the authors obviously aim to maximize their malware’s infection window.

And here I was thinking it would be a quiet first week back to the office after the holidays :(

December Malware Roundup

January 3rd, 2008 by Jasper Pimentel (Advanced Threats Researcher)

December has always been a festive month, and it’s no wonder that most of the malware that surfaced last month wanted to be a part of the holiday action. As expected, most of the malware that showed up leveraged the holiday season to gain attention and increase its chances of distribution.


Notable Malware

New Year Storm malware
The Storm worm wasted no time in taking advantage of the New Year celebrations. Shortly before the new year began, a lot of users received spammed Storm emails containing a simple greeting with a link to a spoofed greeting site where an e-card awaits them. To view the card, the user must install a “player” for it, which is actually a variant of the Storm malware.

TROJ_PPDROP.K
This Christmas Trojan is spammed via email as a PowerPoint slideshow with the filename Merry Christmas.pps. Through a Microsoft Office vulnerability, opening the file extracts and executes Merry Christmas.exe, which is detected as BKDR_AGENT.ADGS. The backdoor gathers email account credentials and login information, which it then sends to a specific email address.

BKDR_HUPIGON.MER
It seems there is a corresponding malware for each Christmas holiday activity we do: shopping, traveling, exchanging gifts, etc. Using a website that offers a guide to lowering blood pressure, this backdoor targets health-conscious people who happen to indulge in excessive eating during the festivities. When the backdoor runs, it connects to a certain server where it listens for commands from a remote malicious user, who may then take virtual control over the affected system.

Web Threats

Bhutto-Assassination Related Web Threats
The former prime minister of Pakistan, Benazir Bhutto, was assassinated during the last week of December. In light of the event, several malicious websites turned up in Google search results, using the incident as leverage for malware distribution. The websites that appear in the search results are embedded with JS_AGENT.AEVE, a script downloader that installs a TROJ_SMALL variant on the affected system.

More ZLOB fake codecs
They’re still the same ZLOB Trojans, trying to get past the common user by disguising themselves as a legitimate video codec. The only difference is that, this time, they’re making use of poisoned search results to reach the user faster than usual. Furthermore, the search results are tailored to holiday-specific activities, mostly related to traveling, shopping and gift giving. In addition, the fake codecs are hosted on blog sites rather than the usual spoofed codec download sites.

Vulnerabilities

RealPlayer Exploit
A new vulnerability has been uncovered in RealPlayer that allows the download of malicious files. The vulnerability is a stack overflow that can be triggered by visiting a website containing code that exploits an installed copy of RealPlayer. The downloaded file is saved in the Windows system folder. Trend Micro detects the downloaded file as a variant of PE_MUMAWOW.

Google toolbar as malware vector
Last December, a researcher released proof-of-concept code showing that the Google toolbar can be used as a malware distribution vector. Because Google encourages the creation of web tools using the well-documented API functions it has developed, its web search platform can become a launching pad for malware attacks and distribution, which is what is happening with this newly discovered vulnerability. The code makes use of a specially crafted link that refers to the button’s XML file; when clicked, it displays a dialog box summarizing the details of the button to be installed. But those details may be spoofed, and instead of installing a toolbar button, malware is downloaded onto the system.

New Ichitaro exploit
Another exploit for Ichitaro has turned up. Ichitaro is a well-known Japanese word processor and, like its counterparts, has had its own share of exploits and vulnerabilities. The exploit installs malware when a malicious JTD file is opened with the application. Initial analysis reveals that the affected platform is the Japanese version of Windows XP SP2 with Ichitaro 2006.

HP Laptop software vulnerability
Most HP laptops contain system software that allows access to system information and hardware configuration. However, a newly uncovered security flaw in the software can be used to achieve remote code execution and registry manipulation.
