    Author Archive - Brian Cortes (Threats Analyst)

    My colleagues and I recently analyzed TDL4—a variant of the well-known TDSS malware family. TDSS, as you may already know, is an advanced malware that evades detection by going back to where we stopped looking long ago—in the boot sector. Back in the 16-bit DOS days, boot viruses spread from disk to disk, wreaking havoc on systems  until 32-bit Windows came along and made them obsolete. However, the boot sector as a malware container is making a comeback, with bootkits like TDSS at the forefront.

    Malware writers have figured out that the boot sector is a good way to circumvent detection—a lot of antivirus software no longer performs rigorous checks on it, as it did in the past. As such, using it is a good way to circumvent Microsoft’s security settings.

    So how does TDL4 work?

    After obtaining a handle to the disk through ZwOpenFile, it uses ZwDeviceIoControlFile to access the disk directly. Because the call takes the handle, ZwDeviceIoControlFile operates on the object itself (in this case, the disk) instead of looking it up by name.

    .text:00401780 push 48h ; OutputBufferLength
    .text:00401782 mov eax, edx
    .text:00401784 shr eax, 8
    .text:00401787 mov [ebp-2Dh], al
    .text:0040178A lea eax, [ebp-50h]
    .text:0040178D push eax ; OutputBuffer
    .text:0040178E push 48h ; InputBufferLength
    .text:00401790 push eax ; InputBuffer
    .text:00401791 push IOCTL_SCSI_PASS_THROUGH_DIRECT ; IoControlCode
    .text:00401796 lea eax, [ebp-8]
    .text:00401799 push eax ; IoStatusBlock
    .text:0040179A xor eax, eax
    .text:0040179C push eax ; ApcContext
    .text:0040179D push eax ; ApcRoutine
    .text:0040179E push eax ; Event
    .text:0040179F push FileHandle ; FileHandle
    .text:004017A2 mov [ebp-50h], cx
    .text:004017A6 mov byte ptr [ebp-4Ah], 0Ah
    .text:004017AA mov byte ptr [ebp-49h], 12h
    .text:004017AE mov dword ptr [ebp-40h], 1388h
    .text:004017B5 mov [ebp-2Fh], bl
    .text:004017B8 mov [ebp-2Ch], dl
    .text:004017BB call ds:ZwDeviceIoControlFile

    However, using ZwDeviceIoControlFile is not an easy task, as the caller needs to set up several structures before it can access the disk directly. Notice here that aside from pushing arguments onto the stack, the code also fills in the 48h-byte buffer at [ebp-50h] that is passed as both InputBuffer and OutputBuffer; this is the structure the operation needs, which explains the mov [ebp-offset], register instructions interspersed between the push statements.
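    To see what those interspersed stores actually set, an analyst maps each [ebp-XX] displacement onto the structure that IOCTL_SCSI_PASS_THROUGH_DIRECT expects. The helper below is an added example, not code from the TrendLabs post or from TDL4: it assumes the 32-bit layout of SCSI_PASS_THROUGH_DIRECT from ntddscsi.h (4-byte pointers, 0x2C bytes total) and takes the displacements and written values from the listing above. The SCSI opcode byte (Cdb[0]) is not set in the excerpt shown, so the helper reports only what the listing writes.

```python
# Added example: translate the "mov [ebp-XX], value" stores in the TDL4 listing
# into SCSI_PASS_THROUGH_DIRECT field names. Offsets are those of the 32-bit
# layout from ntddscsi.h (an assumption about the build, not shown on the page).

# (field name, offset, size) for SCSI_PASS_THROUGH_DIRECT on a 32-bit build.
SPTD_FIELDS = [
    ("Length", 0x00, 2),
    ("ScsiStatus", 0x02, 1),
    ("PathId", 0x03, 1),
    ("TargetId", 0x04, 1),
    ("Lun", 0x05, 1),
    ("CdbLength", 0x06, 1),
    ("SenseInfoLength", 0x07, 1),
    ("DataIn", 0x08, 1),
    ("DataTransferLength", 0x0C, 4),   # preceded by 3 bytes of alignment padding
    ("TimeOutValue", 0x10, 4),
    ("DataBuffer", 0x14, 4),           # PVOID, 4 bytes on 32-bit
    ("SenseInfoOffset", 0x18, 4),
    ("Cdb", 0x1C, 16),                 # UCHAR Cdb[16]
]
SPTD_SIZE = 0x2C                       # sizeof(SCSI_PASS_THROUGH_DIRECT), 32-bit

# The structure lives at [ebp-50h] in the listing (lea eax, [ebp-50h]).
STRUCT_BASE_DISP = 0x50

# Stores copied from the listing: (ebp displacement, value or source register).
LISTING_STORES = [
    (0x50, "cx"),             # mov [ebp-50h], cx
    (0x4A, 0x0A),             # mov byte ptr [ebp-4Ah], 0Ah
    (0x49, 0x12),             # mov byte ptr [ebp-49h], 12h
    (0x40, 0x1388),           # mov dword ptr [ebp-40h], 1388h
    (0x2D, "al (edx >> 8)"),  # mov [ebp-2Dh], al  (al = edx >> 8)
    (0x2F, "bl"),             # mov [ebp-2Fh], bl
    (0x2C, "dl"),             # mov [ebp-2Ch], dl
]


def field_for_offset(off):
    """Name the structure field covering byte `off`; Cdb gets an array index."""
    for name, start, size in SPTD_FIELDS:
        if start <= off < start + size:
            return f"Cdb[{off - start}]" if name == "Cdb" else name
    if off < SPTD_SIZE:
        return "padding"
    # Bytes past the structure belong to whatever follows it in the 48h buffer
    # (typically the sense buffer that SenseInfoOffset points at).
    return f"after-struct+0x{off - SPTD_SIZE:X}"


def decode_listing(stores=LISTING_STORES, base_disp=STRUCT_BASE_DISP):
    """Map every store to 'field name -> written value'.

    A store to [ebp-d] hits structure offset base_disp - d.
    """
    return {field_for_offset(base_disp - disp): value for disp, value in stores}


if __name__ == "__main__":
    for field, value in decode_listing().items():
        shown = f"0x{value:X}" if isinstance(value, int) else value
        print(f"{field:<16} = {shown}")
```

    Running it shows that the listing sets Length from cx, CdbLength to 0Ah (a 10-byte command descriptor block), SenseInfoLength to 12h (18 bytes), TimeOutValue to 1388h (5000 seconds), and then writes bl, the high byte of edx and dl into Cdb[5], Cdb[7] and Cdb[8]. In the 10-byte SCSI READ/WRITE commands, bytes 2 to 5 carry the logical block address and bytes 7 to 8 the big-endian transfer length, which is consistent with the registers being the sector number and count the malware wants to touch; the opcode that would confirm which command is issued is outside the excerpt.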



    1:19 am (UTC-7)

    Last week, we reported a new kind of attack that uses specially crafted .MOV files and a certain feature in QuickTime to trick users into downloading malware. The said attack raised some questions on how it was done and whether or not an exploit was used. To clear things up, here are the answers to some questions you may have in mind:

    Where was this type of threat initially found?

    Trend Micro encountered the QuickTime .MOV files from peer-to-peer (P2P) networks such as LimeWire and torrent portals.

    What happens when the user opens the .MOV files using QuickTime? How about when using other media players?

    Opening the said .MOV files using QuickTime triggers the loading of certain URLs, which lead to the download of malicious files detected by Trend Micro as TROJ_TRACUR.SMDI and TROJ_DLOAD.QWK. The said .MOV files are detected as TROJ_QUICKTM.A. The functionality to load URLs from .MOV files does not appear to be implemented in all media players that are compatible with QuickTime files. Testing with the VLC media player indicates that this particular feature is not implemented.

    Was this done through an exploited vulnerability?

    This did not exploit a vulnerability, contrary to speculation. It instead abused an existing feature in QuickTime that opens URLs while a .MOV file plays back. This feature exists in QuickTime for interactivity, and it sits on the same level as the scripting controls (better known as “wired actions”) used to replay the movie from the start, jump to the end, skip forward or back, or set the movie volume.

    Wired actions are triggered by specific events during playback or by user interaction. In this attack, the wired action was connecting to the URL, and the event used to trigger it was the loading of a movie frame. Thus, the URL is accessed whenever the .MOV file is loaded.

    This threat is similar to the ones that used the PDF /launch feature, as it also used a valid feature for malicious purposes. As in the /launch incidents, the fact that this relies on a valid feature makes it a more relevant threat. Creating .MOV files that connect to URLs requires no special technical knowledge and can easily be done. Cybercriminals can thus very easily build a construction kit that generates malicious QuickTime movies in batches.

    What are the common characteristics of threats similar to this?

    This type of threat relies heavily on social engineering to urge users to download and view the file and to keep them from suspecting that anything malicious is going on. It uses the latest movie attraction as the file name, in this case “Salt” starring Angelina Jolie, along with keywords such as DVDrip, xtrancex, and btjunkie, which are likely top search tokens on torrent or P2P sharing sites. Once the user loads the file in QuickTime, it displays text such as “Please install Media Song Player” or “Error:codec update is required” in the window title so that users will allow the download and run the file.

    What should users do to prevent system infection?

    Since this kind of malicious file is and will typically be deployed through P2P sharing sites, users are advised to refrain from downloading files from illegal file-sharing sites. Aside from the fact that it is illegal, the files that are shared in these portals are unregulated and may contain unverified and possibly malicious components.

    Users should also double-check the legitimacy of product updates before downloading and installing them. If there is a product update for QuickTime, as the malware in this case suggests, Apple should provide official information on its website. If no patch or update announcement has been made, do not install it.

    Do you have any other questions about this threat? Just put them in the comment box below this post and we will try our best to address them.


    TSPY_ZBOT.CQJ is one of the new ZeuS/ZBOT 2.0 variants spotted earlier this year. Let’s take a look at one of the methods it uses to steal users’ banking credentials.

    These new ZBOT variants intercept the information users enter into a bank’s Web page by inserting predefined JavaScript code into the said page. At present, this threat successfully inserts its predefined code when affected users use Internet Explorer and Firefox.

    A downloaded ZBOT configuration file contains a list of target websites. It also specifies how these targets will be modified. In some cases, Web forms are added for users to fill in. Here’s a screenshot of part of a targeted bank’s website:

    Here is the modified version. Note the added field, Clavo de Operaciones, which refers to another security key:

    The latter version has been extensively modified with the addition of a script that was not present in the original version:


    This script performs the actual information theft, capturing any credentials entered. It prompts the user to fill in the inserted Web form field if it is left blank.

    This second password is used by institutional accounts that have different levels of user privileges. The bank’s website asks for this second password when the user makes transactions that involve money (such as paying bills, transferring funds, etc.). Clearly, this is something that cybercriminals would like to steal.

    Added fields in forms are not the only tactic used. In other cases, a fake secondary login page asking for the second password is displayed instead:


    The goal here is the same as in the first case: stealing the secondary passwords needed to complete financial transactions.
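    Because both techniques work by altering the bank page inside the browser (an extra form field in one case, a replacement login page in the other), one defensive check is to compare what the browser rendered against the page the bank actually served and flag added inputs and scripts. The following is an added example, not code from the post or from any bank or Trend Micro product; both HTML documents are constructed samples, and the injected field name and script are placeholders.

```python
# Added example: a page-integrity audit that diffs form fields and inline
# scripts between a reference copy of a page and the version the browser
# rendered, to surface ZBOT-style web injects. All HTML here is constructed.
from html.parser import HTMLParser

# Constructed reference: the login form as the bank serves it.
REFERENCE_HTML = """
<form action="/login" method="post">
  <input name="usuario" type="text">
  <input name="clave" type="password">
  <input type="submit" value="Entrar">
</form>
"""

# Constructed rendered page: one extra password field and one injected script,
# mimicking the "added field plus script" pattern described in the post.
RENDERED_HTML = """
<form action="/login" method="post">
  <input name="usuario" type="text">
  <input name="clave" type="password">
  <input name="clave_operaciones" type="password">
  <input type="submit" value="Entrar">
</form>
<script>/* placeholder standing in for the injected script */</script>
"""


class FormAudit(HTMLParser):
    """Collect named <input> fields, <form> actions and inline <script> count."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self.form_actions = []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.inputs.append(a["name"])
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "script":
            self.scripts += 1


def audit(html):
    """Parse one document and return the collected facts."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return parser


def find_injections(reference_html, rendered_html):
    """Report what the rendered page has that the reference page does not."""
    ref, got = audit(reference_html), audit(rendered_html)
    return {
        "added_inputs": sorted(set(got.inputs) - set(ref.inputs)),
        "removed_inputs": sorted(set(ref.inputs) - set(got.inputs)),
        "changed_form_actions": sorted(set(got.form_actions) - set(ref.form_actions)),
        "extra_scripts": max(got.scripts - ref.scripts, 0),
    }


def is_suspicious(report):
    """Any added field, changed form target or extra script warrants a look."""
    return bool(report["added_inputs"] or report["changed_form_actions"]
                or report["extra_scripts"])


if __name__ == "__main__":
    result = find_injections(REFERENCE_HTML, RENDERED_HTML)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

    The comparison also catches the second tactic in the post, a fake secondary login page, because that page posts to a different action or carries a field the real one never had. In practice the reference would come from a hash or copy of the server response rather than a hard-coded string, and the audit would run from a browser extension or a site-monitoring service rather than a script.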

    In addition to detecting the ZBOT files themselves, Trend Micro products now also detect the scripts inserted into Web pages as JS_ZBOT.SM and JS_ZBOT.CNX. A white paper detailing the activities of the ZeuS/ZBOT botnet is also available here.

    Additional information provided by Advanced Threats Researcher Ranieri Romera.

    Posted in Botnets, Malware | Comments Off on A Look at ZBOT 2.0 Information Theft

    Only a little more than a week after September Patch Tuesday, expect to download more software patches to keep your computer updated and protected from malware threats.

    Update 1: Microsoft Service Pack 3
    Microsoft recently released Service Pack 3 for Microsoft Office 2003, incorporating SP1, SP2, and other Office 2003 updates up to August 2007. The new service pack also incorporates other bug fixes that affect the user experience.
    Related links: Download page KB Entry

    Update 2: Mozilla Firefox
    Mozilla Firefox recently updated to version, preventing a vulnerability of the Apple QuickTime Plug-in from performing remote code execution.
    Related Link: Download Page

    Unpatched Vulnerability 1: Apple QuickTime version
    The Firefox update above resolves the issue raised by Petko D. Petkov, whose report details how a simple QuickTime file can execute arbitrary code through the browser. A QTL file, which is a wrapper that tells QuickTime which real media file to load, can contain a qtnext field whose parameters can lead to code execution through Firefox. So users can just avoid a link from a website if the linked file has a .QTL extension, right? Wrong. The file can be renamed to .MP3 or .MOV (or any file extension supported by QuickTime) and will still be processed as a QTL file. The exploit has been verified to work on Firefox (thus necessitating the update) and on the latest QuickTime version (still unpatched).
    Related Links: Mozilla Vulnerability Page Petko D. Petkov’s Blog CVE Entry
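    The practical lesson of the renaming trick is that a download has to be classified by its content, not its extension. The sniffer below is an added example, not code from the post or from Mozilla, Apple or Trend Micro: it assumes the documented shape of a QuickTime Media Link file (an XML document carrying the `application/x-quicktime-media-link` processing instruction and an `embed` element), the `ftyp`/`moov`/`mdat` atom types that open a real QuickTime movie, and the `ID3` tag or frame sync that opens an MP3. Every sample file is constructed, and the qtnext value is a placeholder to be reported, not acted on.

```python
# Added example: classify a file by content so a QTL renamed to .mp3 or .mov is
# still recognised as a QTL, and report its qtnext value for review.
import re

# Processing instruction that identifies a QuickTime Media Link (QTL) document.
QTL_MARKER = b"application/x-quicktime-media-link"
QTNEXT_RE = re.compile(rb'qtnext\s*=\s*"([^"]*)"', re.IGNORECASE)

# Atom types that commonly appear first in a real QuickTime movie container.
MOV_TOP_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}

# Constructed samples (no real files involved).
SAMPLE_QTL_RENAMED = (
    b'<?xml version="1.0"?>\n'
    b'<?quicktime type="application/x-quicktime-media-link"?>\n'
    b'<embed src="clip.mov" autoplay="true" qtnext="PLACEHOLDER-FOR-REVIEW"/>\n'
)
SAMPLE_MOV = b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 16
SAMPLE_MP3 = b"ID3\x03\x00" + b"\x00" * 20


def sniff(data):
    """Return (kind, qtnext) from the first bytes of a file."""
    head = data[:4096]
    text = head.lstrip()
    if QTL_MARKER in head or (text.startswith(b"<?xml") and b"<embed" in head):
        m = QTNEXT_RE.search(head)
        return "qtl", (m.group(1).decode("latin-1") if m else None)
    if len(head) >= 8 and head[4:8] in MOV_TOP_ATOMS:
        return "mov", None
    if head.startswith(b"ID3") or (
        len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0
    ):
        return "mp3", None
    return "unknown", None


def check_download(filename, data):
    """Compare the claimed extension with the sniffed content type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, qtnext = sniff(data)
    return {
        "filename": filename,
        "ext": ext,
        "kind": kind,
        # An extension that disagrees with the content is the renaming trick.
        "mismatch": kind != "unknown" and ext != kind,
        # QTL content is a media link, not media; qtnext goes to an analyst.
        "qtnext": qtnext,
    }


if __name__ == "__main__":
    for name, blob in [("salt.mp3", SAMPLE_QTL_RENAMED),
                       ("clip.mov", SAMPLE_MOV),
                       ("song.mp3", SAMPLE_MP3)]:
        print(check_download(name, blob))
```

    A gateway or endpoint agent that applies this kind of check can hold a "media" download whose bytes are really a QTL document and surface the qtnext value, which is the field the advisory identifies, for inspection before the browser ever hands the file to the plug-in.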

    Unpatched Vulnerability 2: Microsoft MFC42 and MFC71 Heap Overflow Allows RCE
    Jonathan Sarba from the GoodFellas Security Research Team recently disclosed that the FindFile class implementation in the MFC42 and MFC71 libraries lacks a buffer check, allowing a heap overflow that can be used to execute arbitrary code. Any application using CFileFind::FindFile from MFC42.DLL or MFC71.DLL may be susceptible to this attack. If you remember, a previous MFC vulnerability was patched last June. Considering the possibilities, could there be an upcoming Month of MFC Bugs?
    Related links: Jonathan Sarba’s Disclosure MS07-12

    Posted in Bad Sites | Comments Off on Two Updates + Two Unpatched Vulnerabilities


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice