<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
		<title>Security Response Weblog</title>
		<link>http://www.symantec.com/enterprise/security_response/weblog/</link> 
		<description>Security Response</description>    
		<language>en-us</language>
        <lastBuildDate>Fri, 28 Nov 2008 18:17:57 &#43;0000</lastBuildDate>
		
		<item>
				<title>Casino Spam Rolling Higher</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=127</link>
				<description>In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as e-mail attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November. </description>
				<content:encoded><![CDATA[&lt;p&gt;In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November.&amp;nbsp; &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ag_casino1.jpg&#034; border=&#034;0&#034; width=&#034;363&#034; height=&#034;219&#034; /&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language&amp;ndash;a French example is shown below. Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to ensure comprehensive blocking of spam attacks no matter what techniques spammers employ.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ag_casino2.jpg&#034; border=&#034;0&#034; width=&#034;422&#034; height=&#034;227&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Despite the fact that online gambling in the U.S. 
has many legal restrictions, most notably the Unlawful Internet Gambling Enforcement Act of 2006, which made transactions from banks or similar institutions to online gambling sites illegal, this hasn&amp;rsquo;t stopped spammers from targeting Americans, because clearly the potential size of the market is too large to ignore.&lt;br /&gt;&lt;br /&gt;Free webhosting URL redirects have been notably used in the spam attacks targeting the U.S. market, presumably not only in an effort to evade spam filters, but also to make it more difficult to track down the hosts of the ultimate destination website.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ag_casino3.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;In both examples shown, the objective of the email is to get the end user to download software running the various games. The software may attempt to steal sensitive information such as login credentials. But don&amp;rsquo;t be tempted by the offer of seemingly free money. In addition to the fact that a deposit is required in order to play, the terms and conditions state that 25 times the deposit and bonus must be wagered before cashing out, and it&amp;rsquo;s likely the house will have long won by then.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Amanda Grady</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=127</guid>
				<dc:date>2008-11-28T18:17:57+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Symantec Report on the Underground Economy – Malicious Tools</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=12</link>
				<description>The newly released Symantec Report on the Underground Economy discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services.</description>
				<content:encoded><![CDATA[&lt;p&gt;The newly released Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt; discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services. In particular, I&amp;rsquo;d like to highlight some of the things we observed in analyzing the trade in malicious tools.&lt;br /&gt;&lt;br /&gt;One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where malicious tools come into play. &lt;br /&gt;&lt;br /&gt;Malicious tools of many different varieties are offered for sale in the underground. This includes exploits, vulnerability scanners, botnets, autorooters, spam/phishing kits, and tools for obfuscating malicious code. These tools play a part in generating many of the other goods and services marketed in the underground economy, such as credit card numbers, personal information, shells, banking credentials, etc.
Therefore, the demand for these goods and services creates an opportunity for individuals with the skills required to develop malicious tools, and this helps to foster increasing specialization.&lt;br /&gt;&lt;br /&gt;While the market for malicious tools is relatively small in comparison to other goods and services such as stolen credit card numbers, the market appears to be productive enough to support the demand for these goods and services. One of our findings is that tools for discovering and exploiting Web application vulnerabilities were popular. This is because compromised websites can generate many different types of goods and services such as personal information, email addresses, shells, spam mailers, credit card numbers, etc. &lt;br /&gt;&lt;br /&gt;Here are a few examples (all prices in USD):&lt;/p&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A scanner for remote file include vulnerabilities sold for an average price of $26, and ranged from $5 to $100.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A scanner for cross-site scripting vulnerabilities was advertised for an average price of $20, and prices ranged from $10 to $30.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Exploit links to websites that are affected by remote file include vulnerabilities were sold in bulk&amp;mdash;100 links could be obtained for an average price of $34 and 200 links could be obtained for an average price of $70. &lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; SQL injection tools were sold for an average price of $63, and ranged from $15 to $150.&lt;br /&gt;&lt;/blockquote&gt;The trade in attack tools and exploits for Web-based vulnerabilities is one more example of how attackers are increasingly motivated by profiting from their malicious activities.
Our report helps to show how the underground economy is maturing and becoming a viable source of alternative income for hackers, exploit developers, and authors of malicious code.&lt;br /&gt;&lt;br /&gt;I should also note there is one small correction to the report based on recent events. In the report, we discuss the news that development of the Neosploit toolkit had ceased due to competition from cheaper, less advanced toolkits. It appears that this is no longer the case. A new version&amp;mdash;Neosploit 3.1&amp;mdash;has been spotted in the wild, sporting new exploits and features. Like legitimate software vendors, the developers of Neosploit are also concerned about the effect of piracy on their bottom line. To counter piracy, they have included new anti-piracy measures in this version. It is not known whether the news of its demise was merely a red herring or whether the developers decided to start developing a new version that incorporated features that could recoup some of the losses experienced from piracy or the prevalence of cheaper toolkits.&lt;br /&gt;&lt;br /&gt;More information about malicious toolkits and other trends in the underground economy can be found in the Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt;.]]></content:encoded>
				<dc:creator>David McKinney</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=12</guid>
				<dc:date>2008-11-27T13:16:30+00:00</dc:date>
				<category>ISTR</category>
			</item>
		<item>
				<title>Can’t Read English? Ecco lo Spam Italiano!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=126</link>
				<description>You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns.
</description>
				<content:encoded><![CDATA[&lt;p&gt;You may have come across multilingual translations of your favorite book or a popular movie. It&amp;rsquo;s a surefire way to extend one&amp;rsquo;s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments between banks. In return, the &amp;ldquo;recipient&amp;rdquo; is allowed to retain some percentage of the amount transferred. This type of scam recruits the recipient into money laundering, which is an illegal activity.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; Initial English-language spam attacks were followed by an Italian version within a space of ten days. The nature of the spam source (source IPs from different geographical locations) indicated that this attack was carried out through spamming bots.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Sample headers in English&lt;/strong&gt;:&lt;br /&gt;&lt;br /&gt;Subject: Vacancy! &amp;ndash;cB&lt;br /&gt;Subject: New Proposal! &amp;ndash;aAzs&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Sample headers in Italian&lt;/strong&gt;:&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Subject: IL lavoro facile! &amp;ndash;Tvtqp &lt;br /&gt;(Translated: THE easy job! &amp;ndash;Tvtqp)&lt;br /&gt;&lt;br /&gt;Subject: Il lavoro buono! -eI &lt;br /&gt;(Translated: The good work! -eI)&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/mk_italiano1.jpg&#034; border=&#034;0&#034; width=&#034;420&#034; height=&#034;300&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;u&gt;Italian Version Translation&lt;/u&gt;:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&amp;quot;A prosperous business is looking for representatives. Our company was founded in 2004 and there are many of our representatives all over the world.
If you have 3 hours free per week, you could start an international collaboration with our firm and earn more than $2,000. If you are interested in our vacancy, write to our email address developmentgrou@[message details removed] and we will send you more information. Please write your address et cetera...&lt;/p&gt;&lt;br /&gt;The [message details removed] Group&amp;quot;&lt;br /&gt;&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;]]></content:encoded>
				<dc:creator>Mayur Kulkarni</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=126</guid>
				<dc:date>2008-11-26T21:15:22+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>OSX.Lamzev.A – The Mac OS X Trojan Kit</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=221</link>
				<description>Let me introduce you to the new &#034;Trojan kit,&#034; which is a member of the &#034;…no, I don&#039;t require root privileges…&#034; malicious code targeted toward Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system.

</description>
				<content:encoded><![CDATA[Let me introduce you to the new &amp;quot;Trojan kit,&amp;quot; which is a member of the &amp;quot;&amp;hellip;no, I don&#039;t require root privileges&amp;hellip;&amp;quot; malicious code targeted toward Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system. OSX.Lamzev.A is the first sample we&amp;rsquo;ve seen from this threat family. It&amp;rsquo;s an easily customizable Trojan kit that could be the first of a long list of malicious code clones.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;So, what do we mean by Trojan kit and what makes it stand out from the crowd? The only noteworthy feature is the way in which it infects clean applications&amp;mdash;what this Trojan does is hijack a common feature that Mac OS X applications use to launch themselves&amp;mdash;a smart but simple hack!&lt;br /&gt;&lt;br /&gt;Initially, when the Trojan is run, a command prompt will appear, in which the attacker can configure the application that he or she wants to &amp;ldquo;Trojanize&amp;rdquo; (figure 1). The Trojan needs to be executed inside the same path as the targeted application.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ap_lamzev1.jpg&#034; border=&#034;0&#034; width=&#034;400&#034; height=&#034;439&#034; /&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 1&lt;/strong&gt;: What a waste of such an interesting command prompt!&lt;br /&gt;&lt;br /&gt;The way that the Trojan manages to convert a clean application is by changing the CFBundleExecutable key inside the chosen application&amp;rsquo;s Info.plist file. So, what does this mean? &amp;ldquo;Plist&amp;rdquo; stands for Property List, and it&#039;s the main file used by OS X applications to hold user settings, as well as information related to the application itself. 
&amp;quot;CFBundleExecutable&amp;quot; is the key that identifies the bundle&#039;s main executable file that will be executed when you double-click on the application from Finder (or from the terminal: $ open Application.app). If an attacker changes that key and points it toward a malicious file, guess what the result is? Whenever the affected application is launched, first the back door will be executed, and then the original application will be started. Simple, but effective!&lt;br /&gt;&lt;br /&gt;During the &amp;ldquo;Trojanizing&amp;rdquo; phase, the attacker is asked to choose an application that:&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Must reside in the same path as the Trojan executable.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Must match a service name from /etc/services with a port higher than 1024 (no root privileges required).&lt;br /&gt;&lt;br /&gt;At this point, the attacker only needs to type in the &amp;ldquo;hack&amp;rdquo; command (figure 2):&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ap_lamzev2.jpg&#034; border=&#034;0&#034; width=&#034;415&#034; height=&#034;409&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 2&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Trojan will then perform the following actions to infect the application:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;1.&amp;nbsp;&amp;nbsp;&amp;nbsp; The target application&amp;rsquo;s info.plist file will be Trojanized (CFBundleExecutable)&lt;br /&gt;&lt;br /&gt;2.&amp;nbsp;&amp;nbsp;&amp;nbsp; File &amp;quot;1,&amp;quot; which is the loader of the back door (see below), will be copied inside $ApplicationName.app/Contents/MacOS/. 
This file will be executed every time the Trojanized application is launched.&lt;br /&gt;&lt;br /&gt;3.&amp;nbsp;&amp;nbsp;&amp;nbsp; The bundle&#039;s original main executable will be renamed as file &amp;quot;2&amp;quot; inside the same directory ($ApplicationName.app/Contents/MacOS)&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Up to this point we have talked about the Trojan component and the back door component, but where are these things on your system? Once the affected application is launched, the loader (file 1) will drop a plist file in /tmp and will then move it to ~/Library/LaunchAgents. The LaunchAgents folder holds all the login items for the given user (or, for all users of the system, /Library/LaunchAgents). In this case, it will hold a property list named com.apple.DockSettings that runs /bin/sh listening on the port of the chosen service (supplied earlier; see the screenshot above), which is why the Trojan requires a service name that matches /etc/services:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;lt;key&amp;gt;SockServiceName&amp;lt;/key&amp;gt;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;lt;string&amp;gt;$ServiceName&amp;lt;/string&amp;gt;&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;This will ensure that even after a reboot, the back door will still be running, thanks to &lt;a href=&#034;http://developer.apple.com/macosx/launchd.html&#034; target=&#034;_blank&#034;&gt;launchd&lt;/a&gt;.
After all of this, the Trojanized application is ready to be run on system start-up or whenever the target application is launched.&lt;br /&gt;&lt;br /&gt;OSX.Lamzev.A has nothing new to show the anti-reversing/debugging scene; it simply runs strip on its binaries, in the same way as &amp;ldquo;all of the others.&amp;rdquo; The current version of this Trojan kit has several restrictions&amp;mdash;the most important one is that somebody needs to be there on your machine, Trojanizing your application. In the future, one thing we could expect to see is an automated OSX.Lamzev.A. &lt;br /&gt;&lt;br /&gt;In order to ensure the safety of your system, never trust an application if you don&#039;t know where it has come from. Also, keep your system patched with the latest security updates. For information on the removal of OSX.Lamzev.A, you can check out &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2008-111315-1230-99&#034; target=&#034;_blank&#034;&gt;our write-up here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;More and more malware has emerged for Mac OS X recently. All of the Mac OS-targeted malware we&amp;rsquo;ve seen still affects the BSD subsystem or is a BSD-style infection. We haven&amp;rsquo;t yet seen anything that completely relies on the Mach subsystem or Cocoa.&lt;br /&gt;&lt;br /&gt;Certainly, the number of threats for Mac OS is still small when compared to the hordes of families aimed at more traditional OS targets. However, at the moment, it seems as if more malware writers are seeing Mac OS as a world worthy of exploration.
As they continue to push the boundaries of the threat landscape, we&amp;rsquo;ll be there to keep you informed!]]></content:encoded>
				<dc:creator>Alfredo Pesoli</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=221</guid>
				<dc:date>2008-11-26T20:45:05+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Symantec Report on the Underground Economy – Goods and Services Advertised</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=11</link>
				<description>The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough</description>
				<content:encoded><![CDATA[&lt;p&gt;The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough supply, the goods available for purchase are virtually limitless.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;As stated in the Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt;, credit card information was the most popular category of goods and services available for sale, accounting for almost one-third of the total observed. This category included credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. (The CVV2 number is a three- or four-digit number on the credit card and is used for card-not-present transactions, such as Internet or phone purchases. This number helps to verify that the person completing the transaction is, in fact, in possession of the card. A credit card dump is the information contained within the magnetic stripe on the back of a credit card and contains the account number, expiration date, and may contain additional information such as the cardholder name.)&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Credit card information is relatively easy to obtain and also easy to use. Some methods for obtaining this information include phishing schemes, using card skimmers to copy the magnetic stripe information, and hacking into databases that contain this sensitive information. The frequency of credit card usage may also contribute to increases in the rate of this type of theft, as it gives criminals more opportunity to steal the information. 
For example, in 2006 there were 22 billion credit card transactions in the United States alone.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Once obtained, it is often very easy to fraudulently use this information to generate a profit; individuals can make online purchases and then fence the goods acquired. Many online retailers are improving protections for their customers against these fraudulent transactions by instituting more security measures, such as requiring the CVV2 number when making a purchase. However, credit card numbers with corresponding CVV2 numbers, while more expensive than credit card numbers alone, are also available for purchase in the underground economy. Prices for credit card numbers ranged from $0.10 to $25 USD per number, depending on the country of issue of the card, sizes of bulk/discounted packages, and whether or not extra value items such as the CVV2 number or PIN were included.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Another popular category advertised on underground economy servers was bank account information. While this information may be trickier to use than credit card information, the ultimate payouts can be much larger. The average credit card limit advertised was $4,000 USD, whereas the average bank account balance advertised was a somewhat staggering $40,000 USD.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;One added appeal of bank account information over credit card numbers is that the added step of having to fence the purchases to realize a profit is not required because true currency can be withdrawn directly from the account. Prices for bank account information ranged from $10 to $1,000 USD per account, depending on the amount of funds available, the location, and the type of account. 
Advertised corporate and business accounts were more expensive, as they usually have higher advertised balances.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Symantec determined that the total potential worth of credit cards and bank accounts observed on the underground economy amounted to $7 billion USD. This value was based on the use of the goods, such as making fraudulent credit card purchases or cashing out bank accounts. Symantec used the median value for credit card fraud, average bulk purchase sizes, and average advertised bank account balances to calculate this potential worth.&lt;/p&gt;&lt;p&gt; &lt;br /&gt;It is evident that the online underground economy is a rapidly growing sector of the criminal world, and consumers and enterprises should be extremely vigilant in protecting their personal information and being aware of any breaches to their data. Criminals may be getting smarter but there&amp;rsquo;s no reason why we can&amp;rsquo;t be as well.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Marika Pauls Laucht</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=11</guid>
				<dc:date>2008-11-26T10:22:03+00:00</dc:date>
				<category>ISTR</category>
			</item>
		<item>
				<title>The Cost of Software Piracy</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=10</link>
				<description>One topic of discussion in the recently released Symantec Report on the Underground Economy is software piracy. Software piracy occurs primarily in two basic forms: physical counterfeiting and file sharing. Counterfeiters create unauthorized physical copies of software intended for sale as legitimate</description>
				<content:encoded><![CDATA[&lt;p&gt;One topic of discussion in the recently released Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt; is software piracy. Software piracy occurs primarily in two basic forms: physical counterfeiting and file sharing. Counterfeiters create unauthorized physical copies of software intended for sale as legitimate products (though often the attempt to create a realistic valid copy is minimal). The motivation of counterfeiters is typically financial gain, and customers who know that the software is counterfeit are likely trying to save money. In contrast, piracy by means of file sharing&amp;mdash;whether by copying a disc for a friend, uploading files using a peer-to-peer (P2P) application, or some other means&amp;mdash;is not typically profitable for the people who share the files. The advent of rapid P2P file-sharing protocols has provided a readily available means for people to distribute and obtain software essentially free of charge.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;While both methods of piracy financially affect the legitimate software producers, P2P-based piracy may also affect counterfeiting operations. As broadband Internet penetration increases and digital distribution becomes more mainstream, many people who knowingly purchase counterfeit software may turn to P2P-based piracy to save money, thus cutting into the profitability of counterfeiting. This is an interesting perspective that in some ways makes P2P-based software piracy seem like the lesser of two evils. However, the effect on legitimate producers could be substantial either way. While analyzing data for the report, Symantec observed software piracy that represented over $83 million (USD) in retail costs. 
Considering that this was only a small sample of the total software piracy occurring over one protocol over a brief period of time, the value is substantial. A &lt;a href=&#034;http://www.itwire.com/content/view/12171/53/&#034; target=&#034;_blank&#034;&gt;study conducted in 2007 &lt;/a&gt;estimated the annual cost of software piracy worldwide to be nearly $40 billion (USD).&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Nearly half of all the software piracy activity that Symantec observed was of desktop games, with none of the other software categories even coming close. The assumption from that might then be that the desktop game business sector would be the most affected financially; however, the multimedia applications category (which includes photo editors, 3D animation applications, and HTML editors) accounted for substantially more of the total piracy costs observed than desktop games, despite a substantially lower volume of pirated files. This is because the average manufacturer&amp;rsquo;s suggested retail price (MSRP) for multimedia applications is typically much higher than those of desktop games, $1,300 (USD) for multimedia compared to just $50 (USD) for desktop games. 
Thus, of the $83 million estimated total for software piracy observed, multimedia applications accounted for over $53 million and desktop games for just over $8 million.&amp;nbsp; &lt;/p&gt;&lt;p&gt;&lt;br /&gt;For a complete analysis of the software piracy activity observed by Symantec as well as discussion on other cybercrime activity occurring in the underground economy, please see the Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt;.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Téo Adams</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=10</guid>
				<dc:date>2008-11-25T12:24:21+00:00</dc:date>
				<category>ISTR</category>
			</item>
		<item>
				<title>Clean Data, Clean Data! Read All About It!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=108</link>
				<description>As part of our continuous false-positive prevention efforts for antivirus signatures at Symantec, we research different areas that may help us in our quest. One area of particular interest is the utilization of clean data to prevent the manifestation of antivirus signatures that cause false positive conditions. As a result of this work, earlier this year Bartek, Julie, Catherine, and I co-authored a paper entitled “Clean Data Profiling.” The paper was subsequently published at the Virus Bulletin 2008 Conference in Ottawa in October and is made available here courtesy of the same organization.</description>
				<content:encoded><![CDATA[&lt;p&gt;As part of our continuous false-positive prevention efforts for antivirus signatures at Symantec, we research different areas that may help us in our quest. One area of particular interest is the utilization of clean data to prevent the manifestation of antivirus signatures that cause false positive conditions. As a result of this work, earlier this year Bartek, Julie, Catherine, and I co-authored a paper entitled &amp;ldquo;Clean Data Profiling.&amp;rdquo; The paper was subsequently published at the Virus Bulletin 2008 Conference in Ottawa in October and is made &lt;br /&gt;available &lt;a href=&#034;http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/clean_data_profiling.pdf&#034; target=&#034;_blank&#034;&gt;here&lt;/a&gt; courtesy of the same organization. &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/whitepapers.jsp&#034; target=&#034;_blank&#034;&gt;http://www.symantec.com/business/security_response/whitepapers.jsp&lt;/a&gt;&lt;/p&gt;]]></content:encoded>
				<dc:creator>Thomas Parsons</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=108</guid>
				<dc:date>2008-11-25T10:44:34+00:00</dc:date>
				<category>Grab Bag</category>
			</item>
		<item>
				<title>Spam Volumes Making a Comeback After the McColo Shutdown?</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=125</link>
				<description>Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about</description>
				<content:encoded><![CDATA[&lt;p&gt;Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about a seven percent increase since McColo was shut down.&lt;br /&gt;&lt;br /&gt;In addition to overall spam volumes, the percentage of spam messages containing the text/HTML content type mime part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown, the overall percentage of spam messages containing the text/HTML content type mime part was over 55%, but after the takedown the average has been around 34%. This change indicates that a return to normal spam activity could be in the works.&lt;br /&gt;&lt;br /&gt;When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML. The spam messages were typical &amp;ldquo;Canadian Pharmacy&amp;rdquo; spam messages that were using short HTML messages with a varying set of domains in the URLs. The spam messages were being sent from compromised hosts around the globe.&lt;br /&gt;&lt;br /&gt;A copy of one of the spam emails shows the advertisement for Canadian Pharmacy, offering various medications:&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_spamvol1.jpg&#034; border=&#034;0&#034; width=&#034;432&#034; height=&#034;446&#034; /&gt;&lt;br /&gt;&lt;br /&gt;The URLs in the messages observed contained hundreds of domains that used the Chinese top-level domain (.cn TLD). The URLs all redirected to a smaller set of domains. Both the domains in the spam emails and the domains that they redirected to were being hosted on the same set of IP addresses located in China. 
The URLs in the messages used different name servers from the domains that they redirected to. All of the name servers were hosted on either the same IP addresses as the domains, or additional IP addresses also located in China.&lt;br /&gt;&lt;br /&gt;The spam messages were sent from various locations around the world and appeared to be coming from compromised servers or botnets. The top sources of the spam were the United States, Brazil, and China.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_spamvol_graph.jpg&#034; border=&#034;0&#034; /&gt;&lt;br /&gt;&lt;br /&gt;The content of the actual website is familiar&amp;mdash;it has appeared in association with Canadian Pharmacy spam messages sent out by SanCash/Affking, which was taken down earlier this year, as well as other spam networks.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_spamvol2.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;Although worldwide spam volumes have only increased slightly overall since the McColo takedown, this recent spam activity indicates that spammers are still willing and able to continue sending spam out on previously seen levels. It seems to be only a question of when they are ready, so it is now just a matter of time.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Dylan Morss</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=125</guid>
				<dc:date>2008-11-24T23:45:04+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Symantec Report on the Underground Economy: Self-Sustaining Economy</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=9</link>
				<description>Underground economy servers are black market forums used to advertise and traffic stolen information. The information can include government-issued identification numbers such as Social Security numbers, credit card information, bank account credentials, personal identification numbers, email address lists, and</description>
				<content:encoded><![CDATA[&lt;p&gt;Underground economy servers are black market forums used to advertise and traffic stolen information. The information can include government-issued identification numbers such as Social Security numbers, credit card information, bank account credentials, personal identification numbers, email address lists, and email accounts. They can also provide services to facilitate these illegal activities and can include cashiers who withdraw funds from the stolen accounts, scam page hosting, and job advertisements for roles such as scam developers or phishing partners.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Symantec&#039;s &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt; shows that there are a wide variety of goods and services being advertised on underground economy servers, and many of these goods and services form a self-sustaining marketplace. Participants in this fraud can obtain goods by a variety of means; credit card and banking information can be stolen by phishing schemes, monitoring merchant card authorizations, the use of magnetic card skimming devices, or breaking into databases and other data breaches that expose sensitive information; as well, email addresses can be obtained by downloading the contact lists in hacked email accounts, or even harvested from public areas of the Internet such as social networking sites and public forums, or from personal websites.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The profits from the sale of goods such as credit card information can be re-invested to develop better spam and phishing exploits for obtaining more data. Credit card information was advertised in the underground economy for between $0.10 and $25 USD per card and often sold in bulk packages. Participants can either buy new exploits and scams or hire developers to produce new ones. 
Not only can they use these spam and phishing exploits and attempts to build up their supply of sensitive information, but they can also sell these improved exploits to others. Also, profits from one exploit can be reinvested and used to hire developers for other scams, used to purchase new malicious code or new phishing toolkits, and so on. Spam and phishing exploits were advertised for an average of $10 or less.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Participants in the underground economy can use email addresses obtained from hacked databases or hacked email accounts in tandem with mass-mailers for sending out substantial amounts of spam or phishing emails.&amp;nbsp; A botherder can program a botnet to automatically distribute spam to thousands of addresses. He or she can also buy email addresses in the underground economy, which were advertised for as little as $0.30 per megabyte of data.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;In addition, compromised email accounts will often provide access to additional sensitive personal information such as bank account data, medical or school information, or access to other online accounts (social networking pages, etc.). From there, it is often simple for someone to go online and use the password recovery option offered on most registration sites to have a new password sent via email and gain complete access to these accounts. 
This danger is compounded by the habit many people have of using the same password for multiple accounts.&amp;nbsp;&amp;nbsp; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;For more information about the underground economy, please see Symantec&#039;s &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt;.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-24-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 12:53 PM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>M.K. Low</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=9</guid>
				<dc:date>2008-11-24T14:42:14+00:00</dc:date>
				<category>ISTR</category>
			</item>
		<item>
				<title>Increase in Exploit Attempts Against MS08-067</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=178</link>
				<description>Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed</description>
				<content:encoded><![CDATA[&lt;p&gt;Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The &lt;a href=&#034;http://www.securityfocus.com/bid/31874&#034; target=&#034;_blank&#034;&gt;Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability&lt;/a&gt; that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim&amp;rsquo;s knowledge. &lt;br /&gt;&lt;br /&gt;Microsoft released a &lt;a href=&#034;http://blogs.technet.com/photos/swiblog/images/3140946/original.aspx&#034; target=&#034;_blank&#034;&gt;detailed matrix&lt;/a&gt; describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated attacker on Windows 2000, Windows XP, and Windows 2003. But, it is not exploitable on default configurations of Windows XP because the Windows Firewall blocks connect attempts to the required RPC interface. However, if the firewall is disabled, or the firewall is enabled but file/printer sharing is also enabled, then the issue is remotely exploitable on Windows XP. An attacker would need to authenticate to Windows Vista and Windows Server 2008 in order to exploit this issue.&lt;br /&gt;&lt;br /&gt;Several public exploits are currently available that leverage this issue. Typically an exploit needs to be reliable for a worm to incorporate the exploit into its propagation routines. The nature of this vulnerability made it difficult for exploit authors to construct a single exploit that would successfully leverage the issue for all versions of Microsoft Windows at once. 
So, exploits were released that targeted specific versions of Microsoft Windows first, and the &lt;a href=&#034;http://www.milw0rm.com/exploits/6841&#034; target=&#034;_blank&#034;&gt;first public exploit to surface&lt;/a&gt; that wasn&#039;t a simple crash proof-of-concept leveraged the issue on Microsoft Windows platforms that were localized for traditional Chinese markets. Over the past month, exploit authors have discovered far more reliable methods to exploit this vulnerability and have released more stable exploits. The most reliable public exploit is incorporated into the &lt;a href=&#034;http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb&#034; target=&#034;_blank&#034;&gt;Metasploit Framework&lt;/a&gt;&amp;mdash;it contains many configurations that can be used to leverage this issue for a large array of Windows versions.&lt;br /&gt;&lt;br /&gt;When we first noticed worm-like malicious applications exploiting this vulnerability they were using the primitive exploits that were available at the time. In other words, exploits that targeted Chinese Windows systems. However, over the last 24 hours we are observing a new worm. 
It exploits MS08-067, but it uses the routines from the Metasploit Framework to exploit the following platforms:&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows 2000 Universal&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows 2003 SP1 English&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows 2003 SP2 English&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 English&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Arabic&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Portuguese&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Russian&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Danish&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Dutch&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Finnish&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 French&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Greek&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Hungarian&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Hebrew&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Italian&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Norwegian&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Polish&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Italian&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Spanish&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Windows XP SP2 Swedish&lt;br /&gt;&lt;br /&gt;The routine to attack Windows 2000 systems is very reliable; however, at the moment, the reliability of the routines that attack other platforms is not known. 
&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;The worm targets TCP port 445 to exploit the issue, and if it successfully exploits the issue, the worm then creates an HTTP server on the compromised computer on a random port, for example:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div align=&#034;left&#034;&gt;http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;The worm then sends this URL as part of its payload to remote computers. Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.&lt;br /&gt;&lt;br /&gt;We are currently observing an increase in IPs generating activity over TCP port 445 and we believe that this activity is at least in part related to the propagation of this malicious code:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_445activity_lrg.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_445activity.jpg&#034; border=&#034;0&#034; width=&#034;336&#034; height=&#034;331&#034; /&gt;&lt;/a&gt;&lt;br /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;SANS is also reporting a &lt;a href=&#034;http://isc.sans.org/port.html?port=445&#034; target=&#034;_blank&#034;&gt;spike in activity&lt;/a&gt; on TCP port 445. However, this was not the main reason behind our ThreatCon update. The aggressive propagation of this malicious threat in our honeypot network was the main reason behind the update. We decided that the activity was significant enough to remind our customers of the importance of installing the MS08-067 updates. 
Symantec antivirus currently detects this threat as &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=200%208-112203-2408-99&amp;amp;tabid=2&#034; target=&#034;_blank&#034;&gt;W32.Downadup&lt;/a&gt;, so please make sure that your antivirus software is up to date.&lt;br /&gt;&lt;br /&gt;We also recommend that the following mitigating strategies are applied:&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Block access to TCP port 139 and 445 at network perimeters.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Ensure that computers that are connected to the network have host-based firewall software installed.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Ensure that antivirus software is installed on all clients connected to the network and that the software is up to date.&lt;br /&gt;&lt;br /&gt;And, please install the &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&#034; target=&#034;_blank&#034;&gt;update from MS08-067&lt;/a&gt; as soon as possible. Microsoft has suggested a number of additional workarounds in the security bulletin, such as disabling the browser service. We advise customers to review their suggestions as well.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;* &lt;u&gt;Update&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Symantec IPS will detect and block this attack with the following signatures:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; MSRPC Server Service Buffer Overflow&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; RPC Server Service BO2&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-26-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 07:19 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=178</guid>
				<dc:date>2008-11-22T18:13:04+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Increase in USB-Based Malware Attacks</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=220</link>
				<description>Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term “USB flash drive,” a USB flash drive is typically a removable portable storage device</description>
				<content:encoded><![CDATA[&lt;p&gt;Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term &amp;ldquo;USB flash drive,&amp;rdquo; a USB flash drive is typically a removable portable storage device that uses a USB (&lt;a href=&#034;http://computer.howstuffworks.com/usb.htm&#034; target=&#034;_blank&#034;&gt;universal serial bus&lt;/a&gt;) port to interface to a computer. USB ports are part of most modern computers and they are designed to allow many peripherals to be easily connected (plug-and-play) to a computer through a standardized interface. These USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace. &lt;br /&gt;&lt;br /&gt;The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate simply by making a copy of themselves on all drives that are attached to a computer. The portability of the USB device and its small form factor can also make it easy for attackers to plug it into computers that they have limited physical access to, potentially granting them remote access at a later time.&lt;br /&gt;&lt;br /&gt;At the moment, there are two popular methods that malicious applications use to infect USB flash drives:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Simple file copy method&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;With this method, a malicious application that is installed on an infected computer simply makes copies of itself to all storage devices that are attached to the infected computer. A copy of the malicious code will be placed on network shares, local drives, and removable media (such as USB flash drives) that are connected to the computer. 
Usually the malicious application will also attempt to copy itself to peer-to-peer (P2P) file-sharing shared folders. With this method, a malicious file is often named with a sensational filename to lure a victim into launching the file and causing malicious code to be executed. Quite often there are familiar file icons such as Microsoft Windows icons for videos and images that are used to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file from their computer to become infected.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;AutoRun.inf modification method &lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Microsoft Windows and some other operating systems have a functionality that is called &amp;ldquo;AutoRun&amp;rdquo; (sometimes also referred to as Autoplay). AutoRun functionality is designed to perform certain actions automatically when removable media is inserted into or removed from a computer.&lt;br /&gt;&lt;br /&gt;On Microsoft Windows platforms, &amp;ldquo;autorun.inf&amp;rdquo; is the file that contains instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to use a certain type of icon; add menu commands; and among other things, start an executable.&lt;br /&gt;&lt;br /&gt;With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. 
Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Increasing trend of drive-infecting malicious code&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;Symantec has recently observed that both of the above methods are becoming increasingly popular propagation methods for malicious code. We have noticed the following percentage increase in several pieces of malicious code that Symantec antivirus currently blocks:&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_usb_4.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_usb_4sml.jpg&#034; border=&#034;0&#034; width=&#034;530&#034; height=&#034;349&#034; /&gt;&lt;/a&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;This trend is substantiated in vol. XIII of the Symantec &lt;em&gt;&lt;a href=&#034;http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf&#034; target=&#034;_blank&#034;&gt;Internet Security Threat Report&lt;/a&gt;&lt;/em&gt; (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;div align=&#034;left&#034;&gt;&amp;quot;In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. 
As stated in the &amp;ldquo;Malicious code types&amp;rdquo; section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector.&lt;br /&gt;&lt;br /&gt;This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques.&amp;rdquo;&lt;br /&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;How to mitigate this threat&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div align=&#034;left&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Ensure that antivirus software is up to date.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;a href=&#034;http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648&#034; target=&#034;_blank&#034;&gt;Disable AutoRun functionality&lt;/a&gt; for removable media, which should be possible using endpoint security systems. For personal computers, there are many detailed tutorials on &lt;a href=&#034;http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/&#034; target=&#034;_blank&#034;&gt;how to disable AutoRun&lt;/a&gt;. 
Also, holding down the SHIFT key while inserting a USB flash drive can temporarily disable AutoRun.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; User education should be a priority to educate network users about these threats.&lt;br /&gt;&lt;/div&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-20-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:03 PM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=220</guid>
				<dc:date>2008-11-20T00:17:03+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Spammers Continue Their “Acquaintance” With the IRS – in November!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=124</link>
				<description>January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April “tax day” deadline looms. Unfortunately, this period has also become a time when phishing directed towards the IRS becomes more prevalent.</description>
				<content:encoded><![CDATA[&lt;p&gt;January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April &amp;ldquo;tax day&amp;rdquo; deadline looms. Unfortunately, this period has also become a time when phishing directed towards the IRS becomes more prevalent. As reported in the Symantec State of Spam report for April 2008, spammers continued to attempt to disguise themselves as the IRS, dangling an offer of a tax refund to unwitting recipients.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Imagine our surprise when we observed a phishing attack using the IRS brand in November&amp;mdash;nearly five months before the next deadline for individual taxpayers. This phishing email indicated that the recipient was eligible to receive a tax refund and directed them to a website where the refund would be processed. The fraudulent site, branded with the IRS logo, is being used as a collection tool for credit card and other personal information.&lt;br /&gt;&lt;br /&gt;The spam attack could be trying to take advantage of individuals who filed for a tax extension with an October 15th deadline and who might be looking for their tax refund. In addition, the IRS recently reported that it is looking for taxpayers who have not yet received their economic stimulus checks (checks totaling about USD $163 million were returned by the U.S. Postal Service due to mailing address errors). By law, economic stimulus checks must be sent out by December 31st of this year.&lt;br /&gt;&lt;br /&gt;So, email users beware of these attacks. 
&amp;quot;If it looks too good to be true, then it probably is!&amp;quot; And, as the IRS indicates on its website, it &amp;ldquo;&lt;strong&gt;does not&lt;/strong&gt; initiate communication with taxpayers through email.&amp;rdquo;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dh_irs.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;/p&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=124</guid>
				<dc:date>2008-11-19T17:21:14+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Lost and Found</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=107</link>
				<description>A while back I came across an article about a website that tries to reunite lost photos with their owners. People who come across cameras, memory sticks, or photos are asked to upload a few of them onto the site with information such as location, date, or other specific details that may be recognizable by the owner.</description>
				<content:encoded><![CDATA[&lt;p&gt;A while back I came across &lt;a href=&#034;http://www.usatoday.com/tech/webguide/internetlife/2008-05-27-lost-camera-blog_N.htm?csp=34&#034; target=&#034;_blank&#034;&gt;an article&lt;/a&gt; about a website that tries to reunite lost photos with their owners. People who come across cameras, memory sticks, or photos are asked to upload a few of them onto the site with information such as location, date, or other specific details that may be recognizable by the owner. These photos are public to everyone on the Internet and the goal of the website is for people to browse through the pictures and to connect the photographer back to the photos.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;While I can appreciate the spirit of the site, as a security person, I&#039;m very skeptical about introducing a found memory stick or photo memory card into my computer. As noted in the &lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;ISTR XIII&lt;/a&gt;, memory sticks (or USB thumb flash drives) represent a serious security concern because they can be entry points for malicious code into a computer or network. As with the floppy disks of the past, these USB drives can be infected with malicious code, such as viruses, worms, or Trojans, which can propagate when inserted into a computer. A user who finds this type of removable drive may unwittingly copy the infected files onto his or her own computer and, if the computer is connected to an enterprise, may potentially infect the network. Also, since many USB drives have huge storage capacities, a small infected file among hundreds of MB-sized photographs would be difficult to detect.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;As part of any best practices, be suspicious of introducing any foreign media into your computer, especially if you don&#039;t know where it came from. 
Some lost things may need to stay on the &lt;a href=&#034;http://www.imdb.com/title/tt0411008/&#034; target=&#034;_blank&#034;&gt;island&lt;/a&gt;!&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-18-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:43 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>M.K. Low</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=107</guid>
				<dc:date>2008-11-17T15:16:26+00:00</dc:date>
				<category>Grab Bag</category>
			</item>
		<item>
				<title>A Smart Worm for a Smartphone – WinCE.PmCryptic.A</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=mobile_wireless&amp;thread.id=52</link>
				<description>We have already seen a file infector working on smartphones (see WinCE.Duts.A) and a worm that could spread by infecting storage cards (see WinCE.Infomeiti). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running Windows CE platform on ARM processors—it is known as WinCE.Pmcryptic.A.</description>
				<content:encoded><![CDATA[&lt;p&gt;We have already seen a file infector working on smartphones (see &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2004-071710-2120-99&#034; target=&#034;_blank&#034;&gt;WinCE.Duts.A&lt;/a&gt;) and a worm that could spread by infecting storage cards (see &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2008-022706-3957-99&#034; target=&#034;_blank&#034;&gt;WinCE.Infomeiti&lt;/a&gt;). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running Windows CE platform on ARM processors&amp;mdash;it is known as &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-111111-4000-99&#034; target=&#034;_blank&#034;&gt;WinCE.Pmcryptic.A&lt;/a&gt;. It spreads by generating new polymorphic copies of itself each time, and can cause a severe nuisance on a compromised phone (including unwanted phone calls to toll numbers).&lt;br /&gt;&lt;br /&gt;After analyzing the sample, we discovered it contained many interesting payloads. So, we executed it on a test smartphone to see the threat in action. 
It started with an error message box:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt1.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;460&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Image 1: &lt;/strong&gt;It begins with this message box.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A few minutes later, the phone started feeling lonely and decided to call someone:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt2.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;461&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Image 2: &lt;/strong&gt;A phone call is started automatically.&lt;br /&gt;&lt;br /&gt;The call is to 1860 and lasts a few seconds. 1860 is a toll number; what it reaches differs between telephony providers, but it is often directory services. The compromised phone will dial this number approximately every 11 hours, so pay close attention. If your phone gets infected by this worm, you may receive a very high bill next month!&lt;br /&gt;&lt;br /&gt;Eventually Pmcryptic got bored and decided to change its look:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt3.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;459&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Image 3: &lt;/strong&gt;The phone starts cycling through different combinations of colors. This is just one of the many combinations!&lt;br /&gt;&lt;br /&gt;Whoa! The system colors started changing randomly, making it more difficult to actually analyze the phone. Unfortunately, the color party was over pretty soon, and the phone set itself to a black theme. 
This is what the phone looked like in the end:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt4.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;463&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Image 4:&lt;/strong&gt; &amp;ldquo;Fade to black&amp;rdquo; goes the smartphone.&lt;br /&gt;&lt;br /&gt;Dead. Well, the phone was actually working, but I could not see anything I was clicking. A restart did not help; the color stayed black.&lt;br /&gt;&lt;br /&gt;Also, for each payload, the worm seems to create a thread and therefore saturates the smartphone&amp;rsquo;s capacity pretty quickly. I often experienced system delays and unresponsiveness, forcing me to restart the device:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt5.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;461&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Image 5:&lt;/strong&gt; These files have been created by the worm. Notice how the files&amp;rsquo; dates and sizes seem to be random.&lt;br /&gt;&lt;br /&gt;The worm isn&amp;rsquo;t just a nuisance. It also copies itself in a polymorphic fashion to flash storage cards and the Windows directory. Each replication has a different size and MD5, and also carries a randomly generated timestamp. The worm chooses random existing folders on the device, enables the hidden attribute on them (so they are no longer visible in the file explorer), and then creates a copy of itself with the same name as each hidden folder. The icon of this worm is the icon of a folder, so it&amp;rsquo;s very easy to be tricked into thinking you are seeing the actual folder and not an executable file. 
When these files are clicked, they run and display the content of the folder they are mimicking, in order to deceive the user into believing he or she actually clicked a folder and not a file.&lt;br /&gt;&lt;br /&gt;Having hidden folders causes an unintended side effect: the &amp;ldquo;Today&amp;rdquo; screen can&amp;rsquo;t show some of the folders anymore, so it shrinks in size:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt6.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;461&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Image 6:&lt;/strong&gt; Where did the menu items go?&lt;br /&gt;&lt;br /&gt;You can see that the main menu behind the message box is smaller than it should be (you can check Image 1 above to see how the menu normally looks). The same also applies to the Start menu. This is already annoying, and the best part is yet to come.&lt;br /&gt;&lt;br /&gt;Time to go for deeper analysis! During the tests, several new generations of the worm were generated, so I compared them and it was pretty easy to spot the differences. First, the worm appends random data to itself at every generation, so that each copy&amp;rsquo;s file size differs slightly from the others. Second, the worm changes almost all of its code, leaving the data sections unchanged. As one can imagine, the code has a common stub that decrypts the real viral part of the worm.&lt;br /&gt;&lt;br /&gt;In fact, the first 400 bytes of the code section contain a small loader, which decrypts the bytes that follow. It is also interesting to note that the loader&amp;rsquo;s instructions are interwoven with randomly generated junk instructions, in order to make everything more dynamic and messy. The encryption scheme is a simple XOR operation with a repeating 8-byte key. 
So, every generated worm has random appended data, a common loader padded with random junk instructions, and a block of encrypted code&amp;mdash;where the encryption key is random in every generation. This makes every generated worm different from every other copy in both size and MD5. Nor is there a single layer of encryption: three different layers of encrypted data need to be undone before you can actually see all of the original code.&lt;br /&gt;&lt;br /&gt;Once decrypted, the analysis is quite straightforward; all of the described functionality was observed in the code:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt7.jpg&#034; border=&#034;0&#034; width=&#034;500&#034; height=&#034;523&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Image 7:&lt;/strong&gt; Here is the viral code responsible for the ghost phone call.&lt;br /&gt;&lt;br /&gt;For an ARM threat, this is very interesting! Once all of the worm executables have been deleted, one still has to unhide the folders on the file system and return the system colors to their default values. 
Unfortunately, WinCE does not provide tools for this by default, so an infected user will likely need to download and run third-party tools in order to bring order back to the compromised device.&lt;br /&gt;&lt;br /&gt;Always apply the following general precautions and you will avoid a lot of pain: &lt;/p&gt;&lt;blockquote&gt;1)&amp;nbsp;&amp;nbsp;&amp;nbsp; Pay attention to what you are running.&lt;br /&gt;2)&amp;nbsp;&amp;nbsp;&amp;nbsp; Pay attention to the storage cards you are plugging into your phone.&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;* Note&lt;/strong&gt;: Thanks to Eric Chien for his valuable help with the ARM analysis and to our friends at Kaspersky for providing a sample.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Andrea Lelli</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=mobile_wireless&amp;thread.id=52</guid>
				<dc:date>2008-11-13T22:41:15+00:00</dc:date>
				<category>Mobile &amp; Wireless</category>
			</item>
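The envelope described in the post above (a loader stub mixed with junk, a repeating 8-byte XOR key, three nested layers, random data appended at the end), as an added example written by the editor rather than code taken from the worm or from Symantec. The stub layout, the LDR! marker and the CORE bytes are assumptions of this model, not the worm's real format. What it shows is the detection-relevant property: every generated copy has a different size and MD5, while the core an analyst recovers by peeling the layers hashes identically, so hashing the unpacked body (or matching on it) is what survives the polymorphism.

```python
"""Model of the worm's polymorphic envelope (loader stub with junk, repeating
8-byte XOR key, three layers, random tail) and the unpacker that peels it.
Added example by the editor; the stub layout, the LDR! marker and the CORE bytes
are assumptions of this model, not the worm's real format."""
import hashlib
import random
import struct

MAGIC = b"LDR!"   # assumed marker that opens each loader stub (hypothetical)
MAX_JUNK = 64     # junk bytes the generator may mix into a stub
LAYERS = 3        # three layers of encryption, as described in the post

# Constructed stand-in for the decrypted worm body (not real ARM code).
CORE = b"ARM-CORE: dial 1860; hide folders; cycle colours; spread to cards; " * 4


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_layer(plain: bytes, rng: random.Random) -> bytes:
    """One layer: stub(MAGIC, length, junk length, junk, 8-byte key) + ciphertext."""
    key = rng.randbytes(8)
    junk = rng.randbytes(rng.randrange(0, MAX_JUNK))
    stub = MAGIC + struct.pack(">IB", len(plain), len(junk)) + junk + key
    return stub + xor_repeat(plain, key)


def unwrap_layer(blob: bytes):
    """Parse one stub, decrypt exactly the region it covers; returns (plain, key)."""
    if not blob.startswith(MAGIC):
        raise ValueError("no loader stub at offset 0")
    length, junk_len = struct.unpack_from(">IB", blob, len(MAGIC))
    key_off = len(MAGIC) + 5 + junk_len
    key = blob[key_off:key_off + 8]
    ct = blob[key_off + 8:key_off + 8 + length]
    if len(ct) != length:
        raise ValueError("truncated layer")
    return xor_repeat(ct, key), key


def build_variant(core: bytes, seed: int) -> bytes:
    """Generate one copy: LAYERS nested stubs around core, then a random tail."""
    rng = random.Random(seed)
    body = core
    for _ in range(LAYERS):
        body = wrap_layer(body, rng)
    return body + rng.randbytes(rng.randrange(1, 256))


def unpack(variant: bytes):
    """Peel every layer; returns (invariant core, keys from outer to inner)."""
    keys = []
    body = variant
    while body.startswith(MAGIC):
        body, key = unwrap_layer(body)
        keys.append(key)
    return body, keys


def recover_key(ciphertext: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext shortcut: 8 known plaintext bytes at offset 0 give the key."""
    return xor_repeat(ciphertext[:8], known_plain[:8])


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def demo(seeds=(1, 2, 3)) -> dict:
    """Variants differ in size and MD5; the peeled core hashes identically."""
    variants = [build_variant(CORE, s) for s in seeds]
    cores = [unpack(v)[0] for v in variants]
    # Cross-check on a single layer: its last len(CORE) bytes are the ciphertext,
    # so eight bytes of known core recover the key without parsing the stub.
    one = wrap_layer(CORE, random.Random(seeds[0]))
    _, key = unwrap_layer(one)
    return {
        "variant_md5s": [md5(v) for v in variants],
        "variant_sizes": [len(v) for v in variants],
        "core_md5s": [md5(c) for c in cores],
        "recovered_key_matches": recover_key(one[-len(CORE):], CORE) == key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The known-plaintext shortcut in recover_key is the practical fallback when the stub is too messy to parse: with a repeating 8-byte key, any 8 bytes of plaintext you already know (a fixed prologue, a string the post shows is in the core) yield the entire key in one XOR, and the three layers are then just three applications of the same step.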
		<item>
				<title>Hosting Company Shutdown Causes Spam Volumes to Fall - For Now!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=123</link>
				<description>The recent shutdown of a San Jose-based hosting company, McColo.com, appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to McColo.com-hosted systems based on abuse complaints. The result was a quick and dramatic decrease in spam sent worldwide.</description>
				<content:encoded><![CDATA[&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;The recent shutdown of a San Jose-based Web hosting company named McColo.com appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to McColo.com hosted systems, based on abuse complaints. One of the results of this action was a quick and dramatic decrease in spam sent worldwide. &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;br /&gt;&lt;/font&gt;&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;The volume change could be measured directly in the Symantec probe network, which saw a 65% drop in traffic when comparing the 24 hours prior to the McColo.com shutdown to the 24 hours after. It is interesting that shutting down a single hosting company could have such a large impact on overall spam volume, but when you consider that McColo.com was allegedly hosting a significant number of botnet command-and-control systems, it is not totally surprising. Their IP range has, in the past, been linked with reports of serving up Rustock downloaders and also for controlling the spambot component. Simply performing a Web search of the addresses associated with this range returns write-ups from several security company vendors, and all of the articles are related to Rustock. 
By cutting the link between these systems and the bot-infected machines they control, the ability to send spam from botnets such as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&#034; target=&#034;_blank&#034; title=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&#034;&gt;Rustock&lt;/a&gt; and &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&#034; target=&#034;_blank&#034; title=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&#034;&gt;Srizbi&lt;/a&gt; can be significantly impacted. The speed with which spam volumes decreased also demonstrates the fact that while botnets are becoming increasingly robust, there are many that can still be impacted by losing a critical command-and-control link.&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;br /&gt;&lt;/font&gt;&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;However, t&lt;/span&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;his decrease in spam volume will not be sustained and it is certain that while this battle may be won, the spam war is not over: &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Command-and-control systems will be re-established and more importantly, this event may drive spammers toward the continued use of peer-to-peer botnets, which are generally more 
resilient.&lt;/font&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; In this turbulent economic climate there may be other hosting companies around the world who might be willing to facilitate this sort of spam activity. In October, Symantec reported that the presence of active zombies around the world was shifting. Turkey, Brazil, and Russia are the top three countries hosting active zombie machines. The U.S. comes in at fourth place, hosting six percent of active zombie machines.&lt;/font&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Historically, the end of the calendar year sees a large increase in spam volume, often driven by the holiday season.&lt;br /&gt;&lt;/font&gt;&lt;/blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;While this event may present an obstacle for spammers looking to get their message out in the short term, the profit motive still exists and will undoubtedly drive new spam campaigns. Look for more to come from us on this as we monitor spam levels during the coming days.&lt;/span&gt;&lt;/font&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-13-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 03:54 PM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=123</guid>
				<dc:date>2008-11-13T19:59:49+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Image Spammers Show That There is Some Fight Left in the Old Dog</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=121</link>
				<description>Mark Twain once said, &#034;It&#039;s not the size of the dog in the fight, it&#039;s the size of the fight in the dog.&#034; The idea also applies to image spammers.</description>
				<content:encoded><![CDATA[&lt;p&gt;Mark Twain once said, &amp;quot;It&#039;s not the size of the dog in the fight, it&#039;s the size of the fight in the dog.&amp;quot; The idea also applies to image spammers. While image spam has not yet regained the dizzying heights of 2007&amp;mdash;when 52% of all spam was image spam&amp;mdash;in the last seven days, image spam has averaged seven percent of all spam messages. As image spam struggles to regain its footing in the overall mix of spam, another trend has emerged: larger messages. Analyzing the image spam recorded in the last seven days, Symantec notes that over this period:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; 9.7% of image spam had a message size greater than 100 KB&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; 48% of image spam had a message size between 10 KB and 50 KB&lt;br /&gt;&lt;/blockquote&gt;&lt;p&gt;In the last 24 hours alone, 28% of image spam had a message size greater than 100 KB:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dh_imgspm_lrg.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;When you consider all spam messages for the last 30 days, only six percent are 10 KB or larger, with the majority (78%) of messages falling into the 2 KB to 5 KB range. Large messages put an inordinate strain on mail infrastructure and could prevent end users from receiving legitimate email. If image spam continues to fight for its position within the &amp;quot;spamscape,&amp;quot; it could mean trouble for unprotected mail infrastructure. The good news is that Symantec antispam effectiveness is not being negatively impacted by this trend.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=121</guid>
				<dc:date>2008-11-13T15:19:06+00:00</dc:date>
				<category>Spam</category>
			</item>
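The size bands the post reports, plus the MIME-structure check a mail administrator would want next to them, as an added example by the editor (not Symantec's classifier). Assumptions: KB means 1024 bytes, the band edges between the post's figures are filled in, and a message counts as image-heavy when at least 90% of its decoded body bytes sit in image/* parts; the sample messages are constructed and the "GIF" is filler bytes, not a real image.

```python
"""Size-band messages the way the post reports them, plus a MIME-structure
heuristic for image-heavy messages.  Added example by the editor, not
Symantec's classifier; KB = 1024 bytes and the 0.9 ratio are assumptions."""
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

KB = 1024
# Bands from the post (2-5 KB, 10-50 KB, over 100 KB) filled out to cover every size.
BANDS = [("<2KB", 0, 2), ("2-5KB", 2, 5), ("5-10KB", 5, 10),
         ("10-50KB", 10, 50), ("50-100KB", 50, 100), (">100KB", 100, None)]


def size_band(nbytes: int) -> str:
    """Label for the band a message of nbytes falls in (lower bound inclusive)."""
    kb = nbytes / KB
    for label, lo, hi in BANDS:
        if kb >= lo and (hi is None or hi > kb):
            return label
    raise ValueError(nbytes)


def band_distribution(sizes) -> dict:
    """Percentage of messages per band, one decimal, like the post's figures."""
    counts = {label: 0 for label, _, _ in BANDS}
    for n in sizes:
        counts[size_band(n)] += 1
    total = len(sizes) or 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def image_ratio(raw: bytes) -> float:
    """Fraction of decoded body bytes that live in image/* parts (0.0 if no body)."""
    msg = message_from_bytes(raw)
    image = text = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image += len(payload)
        elif ctype.startswith("text/"):
            text += len(payload.strip())
    return image / (image + text) if image + text else 0.0


def looks_like_image_spam(raw: bytes, min_ratio: float = 0.9) -> bool:
    """Heuristic (assumed threshold): the message is almost entirely image bytes."""
    return image_ratio(raw) >= min_ratio


def build_message(text: str, image_bytes: bytes = b"") -> bytes:
    """Constructed sample message; the 'GIF' is filler bytes, not a real image."""
    msg = MIMEMultipart()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "sample"
    msg.attach(MIMEText(text))
    if image_bytes:
        img = MIMEBase("image", "gif")
        img.set_payload(image_bytes)
        encoders.encode_base64(img)
        img.add_header("Content-Disposition", "inline", filename="ad.gif")
        msg.attach(img)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [build_message("see attached", b"G" * 120 * KB),
               build_message("hello " * 40)]
    for raw in samples:
        print(size_band(len(raw)), round(image_ratio(raw), 3), looks_like_image_spam(raw))
    print(band_distribution([len(s) for s in samples]))
```

Note that base64 transfer encoding inflates an attachment by roughly a third, so a 120 KB image lands the message well inside the over-100 KB band the post singles out; size_band is applied to the wire size, which is what the mail infrastructure actually has to carry.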
		<item>
				<title>Microsoft Patch Tuesday - November 2008</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=177</link>
				<description>Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.</description>
				<content:encoded><![CDATA[&lt;p&gt;Hello and welcome to this month&amp;rsquo;s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.&lt;br /&gt; &lt;br /&gt;The only &amp;ldquo;Critical&amp;rdquo; issue this month is a previously public remote-code execution vulnerability (BID 21872) in Microsoft XML Core Services. The remaining three issues are rated &amp;ldquo;Important&amp;rdquo; and include two information-disclosure issues affecting XML Core Services and a remote code-execution issue in Server Message Block (SMB).&lt;br /&gt; &lt;br /&gt;As always, customers are advised to follow these security best practices:&lt;br /&gt;&lt;br /&gt;-	Block external access at the network perimeter to specific sites and computers only.&lt;br /&gt;-	Avoid sites of questionable or unknown integrity.&lt;br /&gt;-	Never open files from unknown or questionable sources.&lt;br /&gt;-	Run all software with the least privileges required while still maintaining functionality.&lt;br /&gt;&lt;br /&gt;Microsoft&amp;rsquo;s summary of the November releases can be found here: &lt;br /&gt;&lt;a href=&#034;http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx&#034; target=&#034;_blank&#034;&gt;http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. 
&lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-069.mspx&#034; target=&#034;_blank&#034;&gt;MS08-069&lt;/a&gt; Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;CVE-2007-0099 (&lt;a href=&#034;http://www.securityfocus.com/bid/21872&#034; target=&#034;_blank&#034;&gt;BID 21872&lt;/a&gt;) Microsoft XML Core Services Race Condition Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)&lt;br /&gt;&lt;br /&gt;This is a previously public vulnerability in Microsoft XML Core Services disclosed on January 4, 2007, and documented in &lt;a href=&#034;http://www.securityfocus.com/bid/21872&#034; target=&#034;_blank&#034;&gt;BID 21872&lt;/a&gt;. The problem occurs when rendering &#039;XML&#039; documents that contain an excessive number of nested tags and are displayed in an &#039;IFRAME&#039;. If the rendering process is repeatedly disrupted with a JavaScript timer, forcing the page to reload every 50-100 milliseconds, the resulting race condition corrupts memory and triggers the vulnerability. Attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable application. Failed exploit attempts will cause denial-of-service conditions.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft XML Core Services 3.0&lt;br /&gt;&lt;br /&gt;CVE-2008-4029 (&lt;a href=&#034;http://www.securityfocus.com/bid/32155&#034; target=&#034;_blank&#034;&gt;BID 32155&lt;/a&gt;) Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.7/10)&lt;br /&gt;&lt;br /&gt;A cross-domain information disclosure vulnerability affects Microsoft XML Core Services due to how it handles error checks for external document type definitions (DTDs). An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. 
A successful attack will result in the disclosure of potentially sensitive information from other domains. Information obtained may aid in further attacks.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft XML Core Services 3.0 and 4.0&lt;br /&gt;&lt;br /&gt;CVE-2008-4033 (&lt;a href=&#034;http://www.securityfocus.com/bid/32204&#034; target=&#034;_blank&#034;&gt;BID 32204&lt;/a&gt;) Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.7/10)&lt;br /&gt;&lt;br /&gt;A cross-domain information disclosure vulnerability affects Microsoft XML Core Services due to how it handles transfer-encoding headers. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful attack will result in the disclosure of potentially sensitive information from other domains. Information obtained may aid in further attacks.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx&#034; target=&#034;_blank&#034;&gt;MS08-068&lt;/a&gt; Vulnerability in SMB Could Allow Remote Code Execution (957097)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;CVE-2008-4037 (&lt;a href=&#034;http://www.securityfocus.com/bid/7385&#034; target=&#034;_blank&#034;&gt;BID 7385&lt;/a&gt;) Microsoft Windows SMB Credential Reflection Vulnerability (MS Rating: Important / Symantec Urgency Rating 8.5/10)&lt;br /&gt;&lt;br /&gt;This is a previously documented remote code-execution vulnerability affecting the Microsoft Server Message Block (SMB) protocol. The problem occurs because of how SMB handles NTLM credentials. 
Specifically, if an attacker can trick a victim into connecting to a malicious SMB server, the attacker can reflect the victim&amp;rsquo;s NTLM challenge-response back to the victim&amp;rsquo;s own SMB service and gain access to the victim&amp;rsquo;s computer in the context of the currently logged-in user.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;hr /&gt;&lt;br /&gt;More information on the vulnerabilities being addressed this month is available at Symantec&amp;rsquo;s free &lt;a href=&#034;http://www.securityfocus.com/&#034; target=&#034;_blank&#034;&gt;SecurityFocus&lt;/a&gt; portal and to our customers through the DeepSight Threat Management System.&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-11-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:55 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Robert Keith</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=177</guid>
				<dc:date>2008-11-11T19:25:23+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
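The credential reflection in MS08-068 as a toy protocol exchange, written by the editor as an added example (not Microsoft's or Symantec's code). Assumptions: HMAC-SHA256 over a random 8-byte challenge stands in for NTLM challenge-response, the SHA-256 of the password stands in for the NT hash, and the mitigation modelled, a host refusing to answer a challenge that its own server side currently has outstanding, is the editor's summary of what the update does, not text from the bulletin summary above.

```python
"""Toy model of SMB/NTLM credential reflection (MS08-068) and of the fix.
Added example by the editor: HMAC-SHA256 over a random challenge stands in for
NTLM, and the mitigation modelled (a host refuses to answer a challenge that its
own server side has outstanding) is the editor's summary of the update."""
import hashlib
import hmac
import os


class Host:
    """One Windows machine, acting as both SMB client and SMB server."""

    def __init__(self, name: str, password: str, patched: bool):
        self.name = name
        self._secret = hashlib.sha256(password.encode()).digest()  # stand-in for the NT hash
        self.patched = patched
        self.outstanding = set()  # challenges this host's server side has issued

    # server side ------------------------------------------------------------
    def server_challenge(self) -> bytes:
        chal = os.urandom(8)
        self.outstanding.add(chal)
        return chal

    def server_verify(self, chal: bytes, response: bytes) -> bool:
        if chal not in self.outstanding:
            return False
        self.outstanding.discard(chal)
        expected = hmac.new(self._secret, chal, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    # client side ------------------------------------------------------------
    def client_respond(self, chal: bytes):
        """Answer a server's challenge with the user's secret, or None if refused."""
        if self.patched and chal in self.outstanding:
            return None  # post-MS08-068 behaviour: never answer our own challenge
        return hmac.new(self._secret, chal, hashlib.sha256).digest()


def reflection_attack(victim: Host) -> bool:
    """Attacker-controlled SMB server that the victim has been lured to connect to.

    1. Victim's client connects to the attacker and starts NTLM authentication.
    2. Attacker opens a session to the victim's own server and takes its challenge.
    3. Attacker hands that challenge to the victim's client as if it were its own.
    4. Victim's client computes the response with the logged-in user's secret.
    5. Attacker forwards the response to the victim's server and is authenticated
       as that user without ever having learned the password.
    """
    chal = victim.server_challenge()              # step 2
    response = victim.client_respond(chal)        # steps 3 and 4
    if response is None:
        return False                              # patched client refused
    return victim.server_verify(chal, response)   # step 5


def honest_login(client: Host, server: Host) -> bool:
    """Normal flow between two hosts that share the user's secret."""
    chal = server.server_challenge()
    resp = client.client_respond(chal)
    return resp is not None and server.server_verify(chal, resp)


if __name__ == "__main__":
    for patched in (False, True):
        victim = Host("VICTIM", "hunter2", patched)
        print("patched" if patched else "unpatched", "->", reflection_attack(victim))
    print("honest login ->", honest_login(Host("A", "hunter2", True), Host("B", "hunter2", True)))
```

The check modelled here only defeats reflection back to the same machine. Forwarding the same exchange to a different server that accepts the user's credentials (SMB relay) is a separate problem that this kind of check does not address and that needs SMB signing to stop.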
		<item>
				<title>Acrobat util.printf() Exploit Detected with Existing IPS Signatures</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=176</link>
				<description>It appears that last night, an exploit for the Acrobat util.printf() vulnerability was added to a well known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit is encoded with a simple eval()&#43;concatenation block:</description>
				<content:encoded><![CDATA[&lt;p&gt;It appears that last night, an exploit for the &lt;a href=&#034;http://www.securityfocus.com/bid/30035&#034; target=&#034;_blank&#034;&gt;Acrobat util.printf() vulnerability&lt;/a&gt; was added to a well known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit is encoded with a simple eval()&#43; concatenation block:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;--&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;function main() {&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;eval(unescape(&amp;quot;&amp;quot;&#43;&amp;quot;%&amp;quot;&#43;&amp;quot;76%61%&amp;quot;&#43;&amp;quot;72%20%7&amp;quot;&#43;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;..&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;this.closeDoc(true);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;}&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;app.setTimeOut(&amp;quot;main()&amp;quot;, 5000);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;--&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&amp;nbsp;&lt;br /&gt;This decodes into an exploit for the util.printf() vulnerability:&lt;br /&gt;&amp;nbsp;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new 
roman,times&#034;&gt;---&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;var sccs = unescape(&amp;quot;&amp;quot;&#43;&amp;quot;%&amp;quot;&#43;&amp;quot;u03eb%u&amp;quot;&#43;&amp;quot;eb59%ue805%uf&amp;quot;&#43;&amp;quot;ff8%uffff%u4949%u4949%u494&amp;quot;&#43; ...);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;...&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;util.printf(unescape(&amp;quot;&amp;quot;&#43;&amp;quot;%&amp;quot;&#43;&amp;quot;25%34%35%30%30%30%66&amp;quot;), nm);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;---&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;In spite of the two-layer encoding on the exploit, the attack is detected as &lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23153&#034; target=&#034;_blank&#034;&gt;HTTP Acrobat PDF Suspicious File Download&lt;/a&gt; on NAV/NIS/N360, using any IPS definition set after October 3. &lt;br /&gt;&amp;nbsp;&lt;br /&gt;There are some reports of detection problems on this attack, but they are not accurate. Symantec products rely on several defensive mechanisms to protect a host, including network and host intrusion prevention, as well as antivirus. 
Currently, our products do not have antivirus protection for this attack (although an update is being released for &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-5133-99&#034; target=&#034;_blank&#034;&gt;Trojan.Pidief.D&lt;/a&gt;), but the intrusion prevention systems resident in NAV/NIS/N360 will catch it with existing definitions. I believe this discrepancy is simply a testing issue in some of the public test harnesses. &lt;br /&gt;&lt;br /&gt;&lt;font color=&#034;#ff0000&#034;&gt;&lt;strong&gt;UPDATE:&lt;/strong&gt;&lt;/font&gt; &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-2219-99&#034; target=&#034;_blank&#034;&gt;Bloodhound.exploit.213&lt;/a&gt; has since been released to cover this vulnerability specifically.&lt;br /&gt;&lt;br /&gt;We recommend that customers update their Adobe Reader and Acrobat installations if they haven&amp;rsquo;t already. Please also review Adobe&#039;s bulletin here: &lt;a href=&#034;http://www.adobe.com/go/apsb08-19&#034; target=&#034;_blank&#034;&gt;http://www.adobe.com/go/apsb08-19&lt;/a&gt;.&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-08-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:37 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Sean Hittel</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=176</guid>
				<dc:date>2008-11-07T23:16:59+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Spammers Continue to Wage Their Own U.S. Presidential Campaigns</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=120</link>
				<description>While the U.S. voters have now been heard and are welcoming their new president, it is important for us to remember that the spam campaign is certainly not over. Spam levels averaged in at 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007.</description>
				<content:encoded><![CDATA[&lt;p&gt;While the U.S. voters have now been heard and are welcoming their new president, it is important for us to remember that the spam campaign is certainly not over. Spam levels averaged in at 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; Over the last year, Symantec has been monitoring spam related to the U.S. presidential campaign. It all began 12 months ago when spammers cast their first votes for Republican nominee Ron Paul. With spam subject lines such as &amp;ldquo;IRS Fears Ron Paul?&amp;rdquo;, it was certainly an early indication that it was going to be an interesting year for spam related to the presidential campaigns. February 2008 saw a round of bogus links to Hillary Clinton videos that were cloaking a malicious Trojan. This tactic emulated a popular technique being used by spammers to link malicious code and spam. This trend continued in amongst other types of spam attacks during 2008.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; March 2008 saw the U.S. presidential spam race heat up even further. URLs containing Hillary Clinton&amp;rsquo;s name were observed in pornography and male enhancement pill spam. After Hillary, spammers moved on to the remaining frontrunners. 
One spammer cast his vote for Mike Huckabee, with Barack Obama and John McCain having their names linked with &amp;quot;portable dewrinkle machine&amp;quot; spam, medical product spam and get-rich-quick spam messages.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; When Obama took his trip to Europe in July, spammers followed up with a presidential spam campaign that contained spam subject lines such as &amp;ldquo;Kick-up &amp;ndash; Obama speaks in London &amp;ndash; video.&amp;rdquo; In August, as McCain was about to announce his VP nominee, spammers circulated an email with the subject line &amp;ldquo;McCain chooses Paris Hilton as running mate.&amp;rdquo; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;These Presidential spam attacks were certainly not harmless &amp;ndash; if the recipient opened one of these messages, they were often asked to click a URL link that hosted malware. This malicious spam is designed to infect other computers with viruses and Trojans rather than simply promoting a spam product. In October 2008, presidential gift card spam continued to be observed. Recipients were asked to complete a survey on the election with the promise of receiving a free gift card. This gift card spam attack was designed to harvest personal information. &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;As the race for the presidency entered its final hours, spammers were observed offering one of their last presidential spam products. Dubbed by spammers a &amp;ldquo;Barackumentary,&amp;rdquo; it was a free DVD about Barack Obama. However, in order to receive this &amp;quot;free&amp;quot; video, recipients were asked to provide personal credit card details to the sender. When the race finally concluded on November 4th, spammers persisted and issued a new Obama malicious code/spam attack. 
One particular message that included the subject line &amp;ldquo;Obama Wouldn&amp;rsquo;t Be First Black President&amp;rdquo; actually noted that Barack Obama had been elected the 44th President of the United States. Recipients were encouraged to click on a link to &amp;ldquo;Watch His amazing speech at November 5!&amp;rdquo;, but, beware, malicious code would be downloaded if the video player was clicked. As we reflect on the presidential spam campaign of 2008, which was notable for its use of news headlines and the continuing linkage between malware and spam, it serves as a good reminder that we must remain vigilant against spam attacks that are currently in the cooking pot, especially considering that Thanksgiving and Christmas are just around the corner.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;This is what the message body looked like:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;em&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;quot;Barack Obama Elected 44th President of United States&lt;br /&gt;&lt;br /&gt;Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.&lt;br /&gt;Watch His amazing speech at November 5!&lt;br /&gt;&lt;br /&gt;Proceed to the election results news page &amp;gt;&amp;gt; [malicious URL removed]&lt;/font&gt;&lt;/em&gt;&lt;p align=&#034;left&#034;&gt;&lt;em&gt;&lt;font face=&#034;times new roman,times&#034;&gt;2008 American Government Official Website - This site delivers information about current U.S. Foreign policy and about American life and culture.&amp;quot;&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;&lt;/blockquote&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=120</guid>
				<dc:date>2008-11-05T21:24:21+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Spammers Ride the Economic Roller-Coaster in October 2008</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=119</link>
				<description>As the gut-wrenching roller coaster that world economies have experienced over the last 90 days continues, it is not surprising that spammers are still attempting to tap into the economic angle to try and deliver their spam messages. Spammers often use the “issue du jour” in their spam campaigns. To borrow a phrase coined by strategists for Bill Clinton in 1992 and apply it to today’s issue: &#034;It&#039;s the economy, stupid.&#034;</description>
				<content:encoded><![CDATA[&lt;p&gt;As the gut-wrenching roller coaster that world economies have experienced over the last 90 days continues, it is not surprising that spammers are still attempting to tap into the economic angle to try and deliver their spam messages. Spammers often use the &amp;ldquo;issue du jour&amp;rdquo; in their spam campaigns. To borrow a phrase coined by strategists for Bill Clinton in 1992 and apply it to today&amp;rsquo;s issue: &amp;quot;It&#039;s the economy, stupid.&amp;quot;&lt;/p&gt;&lt;p&gt; &lt;br /&gt;Just like Angelina Jolie, Brad Pitt, Paris Hilton, and Britney Spears, the U.S. Treasury Secretary (Henry Paulson) has joined the list of spammers&amp;rsquo; favorite &amp;ldquo;celebrities.&amp;rdquo; In October 2008, Symantec observed a spam attack that contained a message claiming to come from the U.S. Treasury Secretary. The message suggested that Paulson had been instructed by the United Nations to &amp;quot;wire a sum of $1m into your Bank Account in a Legal way.&amp;quot; [sic] In addition to this attack, Symantec also discovered that the FDIC was being used in a malware-related attack in October.&lt;/p&gt;&lt;p&gt; &lt;br /&gt;Although the U.S. presidential election may be winding down, it is clear that spam campaigns are not going to follow suit. Spam levels clocked in at an average 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007, but a decrease since the 80 percent level in August this year. Image spam has also reemerged. 
While image spam has not reached the dizzying heights of 2007, in October 2008 image spam averaged nine percent of all spam, which represents an increase of seven percent since September 2008.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;To read about these or other trends in the Symantec Monthly State of Spam Report, such as lottery scam messages targeting the London Olympics and South African World Cup, please visit the &lt;a href=&#034;http://www.symantec.com/spam&#034; target=&#034;_blank&#034;&gt;State of Spam website&lt;/a&gt;. &lt;/p&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=119</guid>
				<dc:date>2008-11-05T12:26:25+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>A Double Dose of Worms Exploiting MS08-067</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=219</link>
				<description>It&#039;s been nearly a couple of weeks since Microsoft released their patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). This problem was rated as such a serious risk that Microsoft took the extraordinary step to release an out-of-band patch for it.
</description>
				<content:encoded><![CDATA[&lt;p&gt;It&#039;s been nearly a couple of weeks since Microsoft released their patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (&lt;a href=&#034;http://www.securityfocus.com/bid/31874&#034; target=&#034;_blank&#034;&gt;BID 31874&lt;/a&gt;). This problem was rated as such a serious risk that Microsoft took the extraordinary step to release an out-of-band patch for it. &lt;br /&gt;&amp;nbsp;&lt;br /&gt;There was much speculation as to how and when it was going to be used in worms or other malicious code. Unfortunately, we didn&#039;t have to wait long for the first one to appear. First we saw &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102320-3122-99&#034; target=&#034;_blank&#034;&gt;Trojan.Gimmiv.A&lt;/a&gt;, which appeared to be already in the wild when the patch was released. However, that Trojan never really got very far due to its weak method of propagation&amp;mdash;manually controlled by the attackers through a channel that was quickly shut down.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Then there was a lull. So we waited. And, we waited. Sometimes waiting for these new malicious code samples to appear is like waiting for the bus. You wait for an age and then out of nowhere come two or more of them. (Of course, the bus is always full.) Today our wait was over. First we received reports of a new malware targeting users of Chinese versions of Windows 2000. 
The malware that we detect as &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99&amp;amp;tabid=1&#034; target=&#034;_blank&#034;&gt;W32.Wecorl&lt;/a&gt; was first picked up by our honeypots that are based in China.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;The second of the new arrivals is &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99&#034; target=&#034;_blank&#034;&gt;W32.Kernelbot.A&lt;/a&gt;. This is a worm with bot functionality. We managed to retrieve the configuration file for this botnet (cmd.txt) and it currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Fortunately at this stage, these worms have implemented the exploit as an external module file that has to be downloaded first. Blocking the following addresses may help to prevent their propagation:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;10Wrj.com&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;zz.ushealthmart.com&lt;br /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;So, as you can see, we&#039;ve had a little bit of a window of calm since the original patches were released. However, that window has well and truly slammed shut and we are now seeing more successful and widespread use of this vulnerability by malware in the wild. If you haven&#039;t already patched yet, perhaps the appearance of these latest terrible twins will help you to seriously consider doing so.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Symantec Security Response</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=219</guid>
				<dc:date>2008-11-03T18:21:25+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Vulnerabilities in Malicious Code – Owning the Owners, Part 2</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=218</link>
				<description>My previous post was intended to demonstrate that malicious software could also be affected by security vulnerabilities. The example considered a remote code execution in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.</description>
				<content:encoded><![CDATA[&lt;p&gt;My &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;amp;thread.id=217&#034; target=&#034;_blank&#034;&gt;previous post&lt;/a&gt; was intended to demonstrate that malicious software could also be affected by security vulnerabilities. The example considered a remote code execution in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.&lt;br /&gt;&lt;br /&gt;I want to now focus my attention on another piece of malicious code used to control and coordinate the systems belonging to a particular botnet. A botnet is a group of infected zombie machines under a common control infrastructure; usually, a Web application is employed to remotely instruct the systems in order to pursue a variety of illicit purposes.&lt;br /&gt;&lt;br /&gt;An authentication bypass vulnerability was found to be affecting the command and control Web interface used in this particular botnet, thereby allowing users to bypass the authentication mechanism and take control of the botnet and its zombies. The code responsible for authenticating the credentials supplied by the users is shown below:&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dv_vimc_1.jpg&#034; border=&#034;0&#034; width=&#034;480&#034; height=&#034;495&#034; /&gt;&lt;br /&gt;&lt;br /&gt;The application allows the user to enter the administrative interface only if the &amp;ldquo;logged&amp;rdquo; variable evaluates to true (line 29). Let&amp;rsquo;s have a deeper look at the &amp;ldquo;else&amp;rdquo; branch, starting on line 18. The &amp;ldquo;logged&amp;rdquo; variable is used to temporarily store the value of the authentication cookie, which is supposed to contain the password whose validity is going to be checked on line 20. 
But, consider the situation of passing a cookie named &amp;ldquo;logged&amp;rdquo; that contains an arbitrary value to the page&amp;mdash;it will fail this check (so the variable will not be set to true), but the evaluation on line 29 will be true since the value of &amp;ldquo;logged&amp;rdquo; is still set to the arbitrary, non-empty value passed along within the cookie. This would allow access to the Web application without the need to know the valid credentials.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;In some cases, a botnet is like any other software; for example, it is regularly developed and new versions are periodically released. Let&amp;rsquo;s have a look at the authentication routine implemented in a new version, which was released sometime after the vulnerable one I have just discussed:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dv_vimc_2.jpg&#034; border=&#034;0&#034; width=&#034;480&#034; height=&#034;110&#034; /&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Even if a more sophisticated method of managing user sessions is implemented, the application still suffers from an authentication bypass issue. The key is on line 4, which instructs the browser of an unauthenticated user to jump to the &amp;ldquo;login.php&amp;rdquo; page; however, the script does not terminate its execution, thus continuing on to the command and control administrative interface due to a missing &amp;ldquo;exit&amp;rdquo; instruction after the redirect.&lt;br /&gt;&lt;br /&gt;The fact that two different versions of the application are affected by the same vulnerability, even if the authentication routine has been completely rewritten, is really quite bizarre. 
It is again hard to say if we are facing poor coders who lack basic security development principles, or very smart people who are adding back doors to their programs in order to ensure they can regain possession of the software at any time.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-29-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 09:02 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Davide Veneziano</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=218</guid>
				<dc:date>2008-10-29T15:59:40+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>ActiveX File Overwrite/Delete Vulnerabilities - Continued</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=175</link>
				<description>In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.
</description>
				<content:encoded><![CDATA[In a &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?message.uid=305544&#034; target=&#034;_blank&#034;&gt;blog article from last year&lt;/a&gt;, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.&lt;br /&gt;&lt;br /&gt;Microsoft requires developers of ActiveX controls to mark their controls &amp;ldquo;not safe for scripting&amp;rdquo; if they can arbitrarily write or delete files. However, developers not realizing the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to arbitrarily write files to disk. In some cases, the ActiveX control does not even need to be installed by the user&amp;mdash;as was the case with the &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?message.uid=341705&#034; target=&#034;_blank&#034;&gt;Access Snapshot Viewer ActiveX Vulnerability&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Recently we&amp;rsquo;ve seen a sharp rise in these types of vulnerabilities and have discovered them being exploited in the wild as part of an exploit pack. Symantec&amp;rsquo;s DeepSight honeypots observed the exploit pack attack leverage a number of older ActiveX overwrite/delete vulnerabilities, which had not been previously seen in the wild. 
The attack contained exploits for ActiveX overwrite/delete vulnerabilities in Microsoft, Yahoo, C6, Macrovision, Zenturi, Clever Internet suite, JetAudio, and other ActiveX controls.&lt;br /&gt;&lt;br /&gt;Exploits for these vulnerabilities are detected by IPS (NIS, NAV, N360, SEP, and SCS) products as: &lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23034&#034; target=&#034;_blank&#034;&gt;HTTP SnapShot Viewer ActiveX File Download &lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22661&#034; target=&#034;_blank&#034;&gt;HTTP EDraw Flowchart ActiveX Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22557&#034; target=&#034;_blank&#034;&gt;HTTP Yahoo! Messenger CYFT Ctrl GetFile&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22654&#034; target=&#034;_blank&#034;&gt;HTTP Clever Internet Suite Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22401&#034; target=&#034;_blank&#034;&gt;HTTP Zenturi PogramChecker DownloadUrl ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22604&#034; target=&#034;_blank&#034;&gt;HTTP Cowon jetAudio ActiveX Dir Trav.&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23089&#034; target=&#034;_blank&#034;&gt;HTTP C6 Messenger ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22645&#034; target=&#034;_blank&#034;&gt;HTTP MacroVision FlexNet USWA ActiveX BO&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Encoded 
versions of these exploits are detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as: &lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50166&#034; target=&#034;_blank&#034;&gt;MSIE MS Snapshot ActiveX File Download&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22557&#034; target=&#034;_blank&#034;&gt;MSIE EDraw Flowchart File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22557&#034; target=&#034;_blank&#034;&gt;MSIE Yahoo! Messenger GetFile Method File Upload&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50178&#034; target=&#034;_blank&#034;&gt;MSIE Clever Internet ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50078&#034; target=&#034;_blank&#034;&gt;MSIE Zenturi ProgramChecker ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50078&#034; target=&#034;_blank&#034;&gt;MSIE jetAudio JetFlExt ActiveX Insecure Method&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50181&#034; target=&#034;_blank&#034;&gt;MSIE C6 Messenger Suspicious File Download&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50183&#034; target=&#034;_blank&#034;&gt;MSIE InstallShield Macrovision ActiveX BO&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Additionally, Symantec antivirus programs will detect this attack as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99&#034; 
target=&#034;_blank&#034;&gt;Downloader&lt;/a&gt;. Various toolkits provide heavily obfuscated exploits to evade IDS. Symantec customers are protected against these attacks because Symantec products have a built-in Browser Protection feature that defends against obfuscated code attacks using ActiveX, JavaScript, VBScript, and drive-by downloads.&lt;br /&gt;&lt;br /&gt;While application security improves and the technical difficulty of exploiting memory corruption flaws continues to increase, a number of easier-to-exploit and more reliable attack vectors still remain. ActiveX overwrite/delete vulnerabilities are trivial to exploit, and that&amp;rsquo;s why many malicious toolkits contain exploits for these vulnerabilities. Unfortunately, we can expect continued discovery and exploitation of these vulnerabilities in the future.&lt;br /&gt;&lt;br /&gt;]]></content:encoded>
				<dc:creator>Parveen Vashishtha</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=175</guid>
				<dc:date>2008-10-28T18:38:25+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Reactive Phishing Defenses - Part 2</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=98</link>
				<description>My previous blog article was intended to highlight two new features observed in a number of phishing kits that held the aim of making the lives of security analysts more difficult. I want to now focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called &#034;dilution.&#034;</description>
				<content:encoded><![CDATA[&lt;p&gt;My previous &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;amp;message.id=96&#034; target=&#034;_blank&#034;&gt;blog article&lt;/a&gt; was intended to highlight two new features observed in a number of phishing kits that held the aim of making the lives of security analysts more difficult. I want to now focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called &amp;quot;dilution.&amp;quot; Dilution is a method of providing a certain amount of false credentials, names, account numbers, and other personal information to a phishing website. With this technique, real credentials are diluted in a sea of false data, making the fraudster&#039;s job harder.&lt;br /&gt;&lt;br /&gt;There are several different kinds of dilution strategies, classified by the type of data provided to the phishing site:&lt;/p&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;em&gt;Random Data&lt;/em&gt;: a large amount of random unformatted data is submitted. This strategy attempts to fill up the collection point, but has a drawback in that the fraudsters can easily identify fake data.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;em&gt;Properly Formatted Data&lt;/em&gt;: a large amount of properly formatted data is submitted. This process avoids the drawback of the first dilution type, but still fills up the collection point.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;em&gt;Tag Data&lt;/em&gt;: this time, the fake data submitted is indeed valid and accepted by the institution&#039;s website. The injection of this data allows financial institutions to more easily track criminals and gain additional forensic information.&lt;br /&gt;&lt;/blockquote&gt;Fraudsters are aware of these techniques and are continuously trying to optimize their attacks and thus their profits. 
As a proof of concept, shown below is a piece of PHP code recovered from a phishing attack that is intended to check the validity of the credit card number provided by the user according to card number conventions:&lt;br /&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/af_rpd_1.jpg&#034; border=&#034;0&#034; width=&#034;470&#034; height=&#034;473&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 1.&lt;/strong&gt; Fraudster checks for a valid card number&lt;br /&gt;&lt;br /&gt;After performing this check, the fraudster tries validating the card number by using the &lt;a href=&#034;http://en.wikipedia.org/wiki/Luhn_algorithm&#034; target=&#034;_blank&#034;&gt;Luhn algorithm&lt;/a&gt; (figure 2). If both conditions are met (the card number has a valid format and passes the Luhn check) the information is delivered to the drop box. This approach makes the Random Data Dilution strategy described above useless, because invalid data won&#039;t be accepted.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/af_rpd_2.jpg&#034; border=&#034;0&#034; width=&#034;470&#034; height=&#034;426&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 2.&lt;/strong&gt; Fraudster using the Luhn algorithm&lt;br /&gt;&lt;br /&gt;Even if Random Data Dilution is useless against phishing sites implementing the tricks described above, the Properly Formatted Data Dilution continues to work because the provided data passes both tests described above and is correctly delivered to drop boxes. However, we have recently observed some phishing kits implementing a new feature that helps fraudsters fight against even the Properly Formatted Data Dilution strategy. 
The piece of code in figure 3 (below) shows one of these tricks, which checks to see if the credentials provided by the user are indeed valid. It has been implemented by submitting the credentials to the original website and then identifying specific patterns in the response page in order to verify their validity. Only after this validation step is other information requested (such as credit card numbers, cvv2/cvc2 codes, or sometimes even the entire battleship card) and, if provided, then delivered to the fraudster&#039;s drop box.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/af_rpd_3.jpg&#034; border=&#034;0&#034; width=&#034;470&#034; height=&#034;329&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 3.&lt;/strong&gt; User credentials validation&lt;br /&gt;&lt;br /&gt;This technique actually makes the second type of dilution ineffective, because fake credentials, even if properly formatted, are no longer accepted. So far, the evidence collected demonstrates how some dilution techniques may be avoided through the validation of both the card number and the credentials provided. However, &amp;quot;tag data&amp;quot; is a very efficient strategy, allowing financial institutions to more efficiently monitor and identify fraudulent activities. By using this means of detection, and once the source of the attacker is known, organizations can correlate this information with login records in order to identify other compromised accounts and take reactive countermeasures in order to prevent the loss of money in a much more efficient way.&lt;br /&gt;&amp;nbsp;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-27-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:05 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Antonio Forzieri</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=98</guid>
				<dc:date>2008-10-27T18:01:57+00:00</dc:date>
				<category>Online Fraud</category>
			</item>
		<item>
				<title>MS08-067 Exploited in the Wild</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=174</link>
				<description>I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gi