Posts filed under 'Antivirus'
March 31st, 2008 by Robert McArdle (Threats Analyst)
We’ve spotted a new variant of a well-known threat cashing in on April Fool’s Day in the last few hours. Anyone want to hazard a guess as to what it is?
Wasn’t that hard of a question, I guess. The Storm gang is at it again.

Too lazy to actually create their own image to represent the holiday, the group simply Googled “April Fools” and used the first image that showed up. So far emails are being spammed out with the Subject Line “April Fool’s Day”, and the executables on the site are called foolsday.exe or funny.exe. However if the gang’s past behavior is any indication, these file names will change several times over the next 48 hours to similarly themed names. They’ve already added Kickme.exe in the time it took me to type this.
Needless to say, Trend Micro customers are already being protected using our Web Threat Protection technology — blocking access to the sites themselves, preventing the user from any exposure to the threat. We are also adding detection proactively for the binary files themselves.
Overall I doubt that this incident will be remembered in the same way as other classics such as the value of pi being changed to 3.0 and the hotheaded naked ice borer, but this is definitely one prank you do not want to fall for.
Robert McArdle, Senior AntiVirus Specialist
March 23rd, 2008 by Edward Sun (Software Engineer)
The combination of MBR rootkits with Web threats is becoming more and more popular these days, as detailed in this previous post.
Security providers and independent anti-rootkit authors have also started to update their solutions to detect this new rootkit threat. Once those detection tools were released to the public, anti-rootkit makers might have thought the case was closed. However, the war has never stopped. Over the last weekend, a new MBR rootkit variant was released in the wild with a new technique for preventing detection.
In the previous version, the MBR rootkit hooks the dispatch routine of the storage driver (such as disk.sys) to hide the real content of the MBR. The method anti-rootkits use to detect this is to bypass the hook. Because the original dispatch routine of the storage driver is a routine of Classpnp.sys called “ClassPnpReadWrite” that the driver does not export, anti-rootkits can bypass the hook by calling “ClassPnpReadWrite” directly.
In order to call “ClassPnpReadWrite” directly, anti-rootkit tools like “Gmer” first locate the address of “ClassPnpReadWrite” in the in-memory copy of Classpnp.sys. The algorithm they use to locate the address is to search the disassembly of “ClassInitialize”. Since “ClassInitialize” is exported and references “ClassPnpReadWrite” internally during initialization, anti-rootkits can simply walk the disassembly of this routine looking for the assembly code corresponding to the following C statements:
DriverObject->MajorFunction[IRP_MJ_READ] = ClassReadWrite;
DriverObject->MajorFunction[IRP_MJ_WRITE] = ClassReadWrite;
They then read the address of “ClassReadWrite” out of the immediate operand in the raw assembly code.
However, the MBR rootkit author has discovered this and built a clever and effective counter to anti-rootkit tools into the new variant. Rather than strengthening the hook or going deeper, they replaced the address operand in the assembly code of “ClassInitialize” so that anti-rootkits find the wrong “ClassPnpReadWrite”:

From the above screenshot, we can see that the rootkit altered the MOV instruction so that it carries the rootkit’s own address, 0x8176742A, which lies outside Classpnp’s driver range and is obviously a rootkit routine address. With this method, the rootkit successfully escapes detection by current anti-rootkits.
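The weakness the post describes is that a locator trusts whatever immediate it finds in ClassInitialize. The following is an added example, not code from Trend Micro, Gmer or any anti-rootkit tool, showing the locate step together with the sanity check a defender would want: the recovered address must fall inside the loaded Classpnp.sys image, and the IRP_MJ_READ and IRP_MJ_WRITE stores must agree. The Classpnp base and size, the 32-bit DRIVER_OBJECT offsets (MajorFunction at 0x38, IRP_MJ_READ = 3, IRP_MJ_WRITE = 4) and the two byte images of ClassInitialize are constructed for the example; only the out-of-range address 0x8176742A comes from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed: assumed load range of Classpnp.sys. A real checker would take
 * these from the loaded-module list rather than hard-coding them. */
static const uint32_t CLASSPNP_BASE = 0xF8400000u;
static const uint32_t CLASSPNP_SIZE = 0x0001A000u;

/* x86 "mov dword ptr [eax+disp32], imm32" encodes as C7 80 <disp32> <imm32>.
 * Assumed 32-bit DRIVER_OBJECT layout: MajorFunction[] at offset 0x38, so the
 * IRP_MJ_READ (3) and IRP_MJ_WRITE (4) slots are at 0x44 and 0x48. */
#define MOV_MEM_IMM_OPC   0xC7
#define MODRM_EAX_DISP32  0x80
#define MOV_MEM_IMM_LEN   10
#define OFF_MJ_READ       0x44u
#define OFF_MJ_WRITE      0x48u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate step: find the store to MajorFunction[disp] and return its immediate,
 * i.e. the routine address the driver installs. Returns 0 if not present. */
int find_dispatch_store(const uint8_t *code, size_t len, uint32_t disp, uint32_t *imm)
{
    for (size_t i = 0; i + MOV_MEM_IMM_LEN <= len; i++) {
        if (code[i] == MOV_MEM_IMM_OPC && code[i + 1] == MODRM_EAX_DISP32 &&
            rd32(code + i + 2) == disp) {
            *imm = rd32(code + i + 6);
            return 1;
        }
    }
    return 0;
}

/* Verify step: an address outside the driver image cannot be ClassReadWrite. */
int addr_in_classpnp(uint32_t addr) {
    return addr >= CLASSPNP_BASE && addr - CLASSPNP_BASE < CLASSPNP_SIZE;
}

enum verdict { NOT_FOUND = 0, CLEAN = 1, TAMPERED = 2 };

/* Recover the ClassReadWrite address from a ClassInitialize code image and
 * reject it unless both stores agree and point inside Classpnp.sys. */
enum verdict check_readwrite_target(const uint8_t *code, size_t len, uint32_t *addr)
{
    uint32_t rd, wr;
    if (!find_dispatch_store(code, len, OFF_MJ_READ, &rd) ||
        !find_dispatch_store(code, len, OFF_MJ_WRITE, &wr))
        return NOT_FOUND;
    *addr = wr;
    if (rd != wr || !addr_in_classpnp(rd) || !addr_in_classpnp(wr))
        return TAMPERED;
    return CLEAN;
}

/* Constructed code images (not bytes from any real driver). */
#define IMM(x) (uint8_t)((x) & 0xFF), (uint8_t)(((x) >> 8) & 0xFF), \
               (uint8_t)(((x) >> 16) & 0xFF), (uint8_t)(((x) >> 24) & 0xFF)
static const uint8_t clean_init[] = {
    0x55, 0x8B, 0xEC,                                 /* push ebp; mov ebp, esp */
    0xC7, 0x80, IMM(OFF_MJ_READ),  IMM(0xF8412340u),  /* mov [eax+0x44], ClassReadWrite */
    0xC7, 0x80, IMM(OFF_MJ_WRITE), IMM(0xF8412340u),  /* mov [eax+0x48], ClassReadWrite */
    0xC3,                                             /* ret */
};
static const uint8_t patched_init[] = {
    0x55, 0x8B, 0xEC,
    0xC7, 0x80, IMM(OFF_MJ_READ),  IMM(0xF8412340u),
    0xC7, 0x80, IMM(OFF_MJ_WRITE), IMM(0x8176742Au),  /* immediate overwritten with the post's address */
    0xC3,
};

int main(void)
{
    uint32_t a = 0;
    enum verdict v = check_readwrite_target(clean_init, sizeof clean_init, &a);
    printf("clean image:   verdict=%d addr=0x%08X\n", (int)v, a);
    v = check_readwrite_target(patched_init, sizeof patched_init, &a);
    printf("patched image: verdict=%d addr=0x%08X\n", (int)v, a);
    return 0;
}
```

A tool that applied this check would refuse to call 0x8176742A and would instead report that ClassInitialize itself has been modified, which is a stronger indicator than a missing hook.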
Trend Micro advises users to scan systems using the latest pattern file versions to block the rootkit. The content security feature of our products can block all related domains as well.
March 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)
February started off with some compromised tour sites, one about Thailand and the other about the Pyrenees Mountains in Spain. As Valentine’s Day approached, numerous mailboxes probably received spammed messages containing a link where NUWAR’s latest variant could be downloaded. The rest of the month was filled with spammed messages, uncovered exploits and compromised Web sites and towards the last few days of February we witnessed another wave of the Italian Job. Here is last month’s malware roundup.
Notable Malware
TSPY_LDPINCH.FE
This malware is the one behind the compromise of the Udiya Northern Thailand Tours Web site. Early in February, several pages on the Web site were compromised. When a link on the landing page of the Web site is clicked, the user’s browser is redirected through a series of URLs, eventually leading to a download of this LDPINCH variant. On a similar note, the same technique was also used in the compromise of this Pyrenees Mountain tours Web site, only with a different malware family involved.
JS_IFRAME.HX
This is a malicious JavaScript that downloads a variant of ZLOB. The malicious code is present in a PHP page that is returned as a Google search result when a user enters the search string “Japanese schoolgirls.” Hentai has previously been seen as a social engineering technique, particularly around October last year, when a Trojan detected as TROJ_PUSHDO.AD was received via spammed email messages bearing a Hentai image.
WORM_NUWAR.AR
As expected, the infamous Storm worm (Nuwar) made its appearance once again shortly before Valentine’s Day. The malicious link contained in its spammed email messages led to a copy of the worm variant. It seems that this particular Nuwar variant contained routines to bypass the heuristic detection mechanisms of antivirus software. Upon close inspection of its code, Nuwar contained references to bogus API functions, clearly a ruse to avoid detection.
BKDR_AGENT.AKJZ
On February 18, a lunar eclipse occurred. Unfortunately this astronomical event was taken advantage of by malware authors to lure users into downloading malware onto their systems. A spammed email message spread around during this time, with a link to a video of the eclipse. Of course, clicking on the link brings no video but downloads a copy of BKDR_AGENT.AKJZ instead.
RTKT_PUSHU.AC
This rootkit is a component of the malware families of WORM_NUWAR, TROJ_PUSHDO and TROJ_PANDEX. The catch: RTKT_PUSHU.AC actually disables other rootkits previously installed on the system, but only to infect the system with its own rootkit components or update components previously installed on the system.
Web Incidents
For February there were more than 10 Web threat incidents reported. 43% of the reported incidents involved legitimate Web sites that had been compromised to distribute malware. With respect to Web site category, 20% of the reported incidents were related to entertainment.
Exploit
EXPL_PIDIEF.O
Discovered by iDefense Labs researcher Greg McManus, this exploit was initially reported to Adobe in October 2007 but remained unacknowledged. SANS Internet Storm Center reported that the flaw remained unfixed, only to be patched three weeks after the first report of an exploit was found in an Italian forum. Served up through banner ads or spammed through email, the malicious PDF file designed to exploit this vulnerability connects to a certain IP address to download possibly malicious files.
Myspace Exploit
A vulnerability in the image uploader used by MySpace and Facebook was recently discovered by security researchers, bringing about issues of the possibility of exploits and malicious users gaining access to affected systems. Aurigma’s Image Uploader Control Library was found to have a buffer overflow vulnerability that could be exploited by an unknown user to compromise systems. MySpace and Facebook use the application for their image uploading functions.
That’s all for today. What’s in store for March? As of this writing, we’ve just received reports of an email message being spammed around, apparently containing news of Fidel Castro’s death. The link contained in the message supposedly leads to a backdoor … More of this on next month’s malware roundup.
March 6th, 2008 by Jovi Umawing (Technical Communications)

MonaRonaDona may have less to do with a wild combination of famous paintings of women than its name suggests, but this nifty little malware has been making headlines on security Web sites for the last couple of days, bringing to light the latest “artistic” persuasion that only a social engineering scammer would attempt to pull off.
The exact source of the malware remains unclear, but some security analysts surmise that this threat comes packaged with “system optimization tools” available for free on the Internet. However, our analysts are also inclined to believe that this threat arrives on computers that are already infected, specifically those that are already part of a botnet. The malware remains inactive (and impervious to detection) until users restart their systems. Mona then displays a message upon startup, aiming to introduce itself to the user and at the same time pique his/her interest:

Through the years, it has become natural for computer-savvy users to start looking for solutions or a cure for malware once their systems are inadvertently infected over the Web. This natural human response thus becomes an opportunity for social engineers to exploit. Researchers have found that keying “MonaRonaDona” into a search engine (e.g. Yahoo!, Google) results in a list of Web sites pointing to several references and discussions about a cure for the MonaRonaDona strain. The sites include YouTube video pages and Web forums. It is not that Mona is especially popular in that corner of cyberspace; further investigation reveals that these sites were also the doing of the malware writers.
In a sample article that turned up in the searches, for instance, an antivirus product known as Unigray Antivirus was mentioned, which claims to scan for and detect 679,871 threats, including the MonaRonaDona strain. Though it does detect and clean that strain, investigation disputed the claim that Unigray can also detect and clean the remaining 679,870. Furthermore, the Web site where Unigray was hosted had only been up on the Web for a couple of weeks, which would probably make anyone think twice before actually purchasing the product. One can assume that most likely, the people behind MonaRonaDona were the same people who developed Unigray.
Trend Micro detects MonaRonaDona as TROJ_MONAGRAY.A. The following component files are also detected:
- RegistryCleaner2008.txt (1,990,711 bytes) - detected as ADW_REGCLEAN.A (TMASY detection is Adware_RegClean)
- unigray_antivirus.txt (1,377,566 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- Unigray Antivirus.txt (6,721,536 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- SRVSPOOL.txt (2,170,880 bytes) - detected as TROJ_MONAGRAY.A
One can not help but feel a little impressed as to how much social engineering has “come of age.” The people behind such acts are nevertheless putting more thought and effort into their new schemes than usual, attempting to make something out of the smallest opportunities for profit. Social engineering is really no small business, as users are still found to fall prey to its lures.
Trend Micro advises users to be more wary of new social engineering techniques being practiced in the wild. Lastly, keep pattern and scan files updated.
January 27th, 2008 by Trend Micro

The very first computer virus did not happen on a Windows machine, or a Mac or an Apple II. The first virus did not travel via the Internet or in an email or in a floppy disk. The first virus was not on a minicomputer, nor was it on a mainframe. That’s because the first computer virus didn’t exist on any computer hardware or software of any kind.
It was in a work of fiction.
By the late 1970s, movies, books and television shows had given the public a very strong impression of hackers, viruses, and other computer threats.
Unfortunately, these dramatic ideas have nothing at all to do with reality.
In the movies, viruses destroy computer hardware, sometimes leaving a trail of smoke and fire. In reality, no virus was ever known to damage any computer hardware. Ever.
In the movies, a virus or worm always has an immediate and dramatic visual effect. There is always an animated screen (HACKERS) or a warning message (SNEAKERS) or you can actually see the data being destroyed before your very eyes (THE NET). In reality most malware leaves no visible trace of its existence.
On the big screen, malware is used to open bank vault doors, to tip over an oil tanker, to blow up a power plant or even to crash an alien spacecraft. In reality, the most insidious virus ever would locate a spread sheet and randomly change one number.
Computer geeks (like me) get a real laugh out of movies about hacking and cybercrime. When a “hacker movie” opens you will find theaters in Silicon Valley or other computer tech havens full of people laughing at all the wrong things, and at all the things gotten wrong. To our amusement and dismay, these overblown, crazy overdramatic portrayals of hacking and cybercrime are what sets the public’s understanding of all things cyber. People believe in the world described by these movies. It frequently makes them less safe behind the keyboard.
So I was very interested by an ad for a movie called UNTRACEABLE. It portrayed a criminal Web site and the FBI effort to bring it down. I got ready to watch another travesty of technical misrepresentation, and talked my boss into letting me watch the very first screening.
And I was wrong. They got every single technical detail right. When they talk about spoofing, or IP addresses, or keyloggers, they get it exactly right. Now all of those old school movies did research. (One of them sent the screenwriter to talk to me personally, some years ago) and still got it wrong. They couldn’t let go of the idea that in a visual medium, the computers needed to respond with something visual. They couldn’t get over the fact that fighting computer crime is primarily done at a computer keyboard, staring at long columns of numbers.
But not UNTRACEABLE, they got it all right. The Web page was only used for a limited period of time, and was proxied and mirrored and botnetted all over the place, standard operation in cybercrime. The social engineering used to get a backdoor into the FBI agent’s home Wi-Fi network was right out of the real world. None of the computer screens at the FBI headquarters had magic graphics to show where the Web site was hosted. All in all, very very believable — well done to the screenwriters and researchers involved.
Just one little problem. The movie was about horror porn online, and a serial killer with a need to invent ever escalating and absurdly disgusting ways to kill people, while feeding video to a growing internet spectator crowd. Now I know there is a long tradition of graphic violence in drama (Oedipus Rex, anyone? Romeo and Juliet?) but the modern craft is so convincing that a Grand Guignol fest like this was too much for me. I covered my eyes, I went for a diet soda, coming back to watch the plot. Diane Lane was actually quite good, as was the rest of the cast, and the procedural/plotting of the mystery and denouement were clever and inventive — but the movie has a LOT of problems, and is too preachy. It got a Rotten Tomato score of 14 (out of 100). Notably, Roger Ebert liked it a lot, and pretty much everyone else did not. Several reviewers refused to even see it.
So we have a movie that is finally getting the tech right (thanks again, guys) and pretty much nobody will see it. Not on my recommendation, anyway.
I leave with the hope that more movies get the tech right (help is offered if anyone is interested) and the prayer that nothing like this movie ever happens this side of the projector.
This post was authored by David Perry, Trend Micro’s Director of Global Education.