By using Mandiant’s Redline tool, I’ve identified three of the seven new samples that VirusShare has just added:

  • GLOOXMAIL - 3de1bd0f2107198931177b2b23877df4
  • BISCUIT - 12f25ce81596aeb19e75cc7ef08f3a38
  • TARSIP-MOON - bd02b41817d227058522cca40acd390

This week marks the first week that I have integrated APT1 samples into the graded practical exercises in the Reverse Engineering class I teach at Mississippi State University. The use of real-world malware attributed to state-sponsored actors in my classroom has been the focus of some recent positive media attention. If you’re interested in following along, this is the assignment my students are working on this week:

The students have been excited about applying what they’ve learned to malicious software that’s been making headlines recently. Most of the APT1 samples are easy enough to analyze to be good exercise material for the students at this point in their reverse-engineering education, and it’s interesting to look at the software that’s been responsible for the theft of so much information. I’m very impressed with my students’ progress so far, and I hope they’re enjoying getting their hands dirty this week.

 

EDIT: Below is all of my personal manual tinkering around with strings and the descriptions to identify samples roughly. That being nice and all, I’ve managed to point Mandiant’s Redline tool at the set using the IOC appendix to generate a much nicer, complete, and accurate report, which I’ve exported and made available here:

http://mcgrewsecurity.com/codedump/apt1_ioc/

The “hits” marked in the above report represent samples available in the 281-sample VirusShare.com set. Enjoy! (It looks like there are a few below that aren’t in the above report (SWORD, for example), so the rest of this post will still be of some use.)

(Edit: By the time you read this, there’ll be more hashes on the VirusShare list. I’ll take a look at those tonight, but for now this list isn’t complete, obviously.)

(Edit Edit: Took a look at the 34 samples added to VirusShare)

(Third edit: Added some rough classification of the 281-sample set that VirusShare now has as a torrent)

(Tiny fourth edit: I’m pretty sure I was wrong classifying what I had as MANITSME. Not sure what I was thinking there.)

Earlier today, I took the set of MD5 hashes from Mandiant’s report on APT1 and ran it against the set of hashes of malware stored and provided by the VirusShare.com repository. Out of a little more than 1,000 hashes provided by Mandiant, 22 hashes matched files that are on VirusShare. The list is here. If you fit the description of someone who should have access to malware samples, you can read about signing up here.

In the Mandiant report and appendices, they use a set of codenames for samples and families of malware being used by APT1. With a very quick comparison of indicators and strings, I’ve managed to map MD5 hashes of some of the 22 samples available on VirusShare to the names they have been given in the Mandiant report. This is very rough, incomplete, and possibly inaccurate, but if you’re interested in picking apart some of this malware, it’s a start:

  • BISCUIT - 15901ddbccc5e9e0579fc5b42f754fe8
  • GOGGLES - 9fc3ed6c9b8056fbf155f79569ca7cb1
  • HELAUTO - 47e7f92419eb4b98ff4124c3ca11b738
  • STARSYPOUND - c0a33a1b472a8c16123fd696a5ce5ebb
  • TARSIP-MOON - 0908d8b3e459551039bade50930e4c1b
  • WEBC2-CLOVER - 29c691978af80dc23c4df96b5f6076bb
  • WEBC2-CSON - 73d125f84503bd87f8142cf2ba8ab05e
  • WEBC2-HEAD - 649d54bc9eef5a60a4b9d8b889fee139
  • WEBC2-GREENCAT - fab6b0b33d59f393e142000f128a9652

The following were added to VirusShare after the above quick analysis (34 samples were added that match Mandiant’s MD5s). I’ve taken a quick look to see if I can identify a few of them too.

  • BISCUIT - 034374db2d35cf9da6558f54cec8a455 , 70a55fdc712c6e31e013e6b5d412b0d6
  • LONGRUN - a2cd1189860b9ba214421aab86ecbc8a , 0496e3b17cf40c45f495188a368c203a
  • STARSYPOUND - 2ba0d0083976a5c1e3315413cdcffcd2 , 65018cd542145a3792ba09985734c12a , 8442ae37b91f279a9f06de4c60b286a3
  • TABMSGSQL - 052ec04866e4a67f31845d656531830d
  • WEBC2-BOLID - 5ff3269faca4a67d1a4c537154aaad4b , d8238e950608e5aba3d3e9e83e9ee2cc
  • WEBC2-GREENCAT - 36c0d3f109aede4d76b05431f8a64f9e , e83f60fb0e0396ea309faf0aed64e53f , b3bc979d8de3be09728c5de1a0297c4b , 55fb1409170c91740359d1d96364f17b , e54ce5f0112c9fdfe86db17e85a5e2c5 , 57e79f7df13c0cb01910d0c688fcd296
  • WEBC2-YAHOO - 2b659d71ae168e774faaf38db30f4a84 , a8f259bb36e00d124963cfa9b86f502e
  • WEBC2-Y21K - 4cabfaef26fd8e5aec01d0c4b90a32f3 , 2479a9a50308cb72fcd5e4e18ef06468

Again, this is all based off of a brief glance at matching strings. Some of the samples that are unidentified so far may be packed, preventing them from being matched in this way, and some of the ones that appear to be a match may turn out to behave differently. If you’re interested in something specific from the Mandiant report, however, the above may point you to what samples you’d like to look at first.

Rough Edit: The following is a dump of matching unique strings from Mandiant’s report with the 281-sample set being served up by VirusShare via torrent. This is rough among rough things and quite possibly wrong. If and where it contradicts the above, you may be better off with the above. Double-check for yourself if it’s very important what sample you’re looking at. There are a lot of samples that don’t match up very closely with the descriptions in the Mandiant appendix C, but are obviously of the same family, authorship, and likely functionality.

I hesitated to share this set of results just yet for the above reasons, but I’d rather be able to point someone interested in a particular named-malware to a set of samples that “probably” match it, than nothing at all, as feedback seems to be that this is more useful than nothing. I intend to post more detailed analysis once I finally get to prioritize on a specific sample and dig in.
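The two steps described above, comparing the report’s MD5 list against the repository’s listing and then roughly tagging samples by family from the strings they contain, as an added worked example. This is my code, not the post’s, not Mandiant’s and not Redline. The report-side MD5s reuse three hashes that appear in this post; the repository listing, the sample bytes and the indicator strings (EXAMPLE_MARKER_*) are constructed placeholders, not the strings from the Mandiant appendix. It also shows the two caveats from the text: a sample with no readable strings (packed) gets no family at all, and a shared string lands one sample under several families.

```python
import hashlib
import re

# Constructed inputs. The "report" side reuses three MD5s that appear in this
# post; the repository listing is made up, with one upper-cased name and one
# hash that is in neither list, to exercise the normalisation.
REPORT_MD5S = """
15901ddbccc5e9e0579fc5b42f754fe8
c0a33a1b472a8c16123fd696a5ce5ebb
0908d8b3e459551039bade50930e4c1b
"""
REPOSITORY_LISTING = """
VirusShare_15901ddbccc5e9e0579fc5b42f754fe8
VirusShare_C0A33A1B472A8C16123FD696A5CE5EBB
VirusShare_ffffffffffffffffffffffffffffffff
"""

# Exactly 32 hex digits not glued to further hex digits; lookarounds rather
# than \b because "VirusShare_" ends in a word character.
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def extract_md5s(text):
    """Every 32-hex-digit token in free text, lower-cased so that a case
    difference between the two lists cannot hide a match."""
    return {m.lower() for m in MD5_RE.findall(text)}


def match_hashes(report_text, repo_text):
    """MD5s present in both lists: the report's samples the repository holds."""
    return sorted(extract_md5s(report_text) & extract_md5s(repo_text))


# Hypothetical indicator strings per family (placeholders, not the strings
# from the Mandiant appendix). Families can share a string, so one sample may
# land under several names, as several hashes do in the grep dump below.
FAMILY_STRINGS = {
    "FAMILY-A": [b"EXAMPLE_MARKER_A", b"EXAMPLE_SHARED_MARKER"],
    "FAMILY-B": [b"EXAMPLE_MARKER_B", b"EXAMPLE_SHARED_MARKER"],
    "FAMILY-C": [b"EXAMPLE_MARKER_C"],
}

# Constructed stand-ins for files on disk: the third has no readable strings
# at all, which is what a packed sample looks like to this method.
SAMPLE_BYTES = [
    b"MZ\x90\x00...EXAMPLE_MARKER_A...EXAMPLE_SHARED_MARKER...",
    b"MZ\x90\x00...EXAMPLE_SHARED_MARKER...",
    b"MZ\x90\x00\x7f\x3a\x91\x02",
]
# Repositories name files after the MD5 of their contents.
SAMPLES = {"VirusShare_" + hashlib.md5(b).hexdigest(): b for b in SAMPLE_BYTES}


def classify(sample, indicators=FAMILY_STRINGS):
    """Every family whose indicator strings occur in the sample, together with
    the strings that hit, so the strength of the match is visible."""
    hits = {}
    for family, strings in indicators.items():
        found = [s.decode() for s in strings if s in sample]
        if found:
            hits[family] = found
    return hits


def classify_all(samples=SAMPLES, indicators=FAMILY_STRINGS):
    return {name: classify(data, indicators) for name, data in samples.items()}


def content_matches_name(name, data):
    """Check the bytes really hash to the MD5 in the file name before trusting a
    hash-list hit; a truncated or corrupt download would not."""
    return hashlib.md5(data).hexdigest() in name.lower()


if __name__ == "__main__":
    print("in both lists:", match_hashes(REPORT_MD5S, REPOSITORY_LISTING))
    for name, data in SAMPLES.items():
        print(name, "ok" if content_matches_name(name, data) else "HASH MISMATCH",
              classify(data) or "no indicator strings (packed?)")
```

Pointing this at a real sample directory means replacing SAMPLE_BYTES with the file contents and FAMILY_STRINGS with the strings you pull from the appendix; the hash-vs-name check is cheap and worth keeping, since a hash-list hit on a file whose contents no longer match its name tells you nothing.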

BISCUIT
Binary file VirusShare_268eef019bf65b2987e945afaf29643f matches
Binary file VirusShare_43b844c35e1a933e9214588be81ce772 matches
Binary file VirusShare_5a728cb9ce56763dccb32b5298d0f050 matches
Binary file VirusShare_c6a4bb1a4e4f69ec71855d70d6960859 matches
Binary file VirusShare_da383cc098a5ea8fbb87643611e4bfb6 matches

COOKIEBAG
Binary file VirusShare_0c28ad34f90950bc784339ec9f50d288 matches
Binary file VirusShare_5bd5a22d42c04db7ac1343a2a9f471fe matches
Binary file VirusShare_f3611c5c793f521f7ff2a69c22d4174e matches

GOGGLES
Binary file VirusShare_51326bf40da5a5357a143dd9a6e6a11c matches
Binary file VirusShare_a5b581c0600815b1112ca2fed578928b matches
Binary file VirusShare_bcb087f69792b69494a3edad51a842bb matches

GREENCAT
Binary file VirusShare_15901ddbccc5e9e0579fc5b42f754fe8 matches
Binary file VirusShare_268eef019bf65b2987e945afaf29643f matches
Binary file VirusShare_43b844c35e1a933e9214588be81ce772 matches
Binary file VirusShare_70a55fdc712c6e31e013e6b5d412b0d6 matches
Binary file VirusShare_c6a4bb1a4e4f69ec71855d70d6960859 matches
Binary file VirusShare_da383cc098a5ea8fbb87643611e4bfb6 matches

HACKSFASE
Binary file VirusShare_0d0240672a314a7547d328f824642da8 matches
Binary file VirusShare_17199ddac616938f383a0339f416c890 matches
Binary file VirusShare_1a0c7e61bcc50d57b7bcf9d9af691de5 matches
Binary file VirusShare_7712d05c8b499fc7a1f4a6a6b6dee825 matches
Binary file VirusShare_9e860622fee66074dfe81dcfcc40c4e2 matches
Binary file VirusShare_bcbdef1678049378be04719ed29078d2 matches
Binary file VirusShare_f7c63592ffb87b81ce45c89d207e9403 matches

HELAUTO
Binary file VirusShare_da6b0ee7ec735029d1ff4fa863a71de8 matches
Binary file VirusShare_fe8ff84a23feb673a59d8571575fee0b matches

KURTON
Binary file VirusShare_15901ddbccc5e9e0579fc5b42f754fe8 matches
Binary file VirusShare_268eef019bf65b2987e945afaf29643f matches
Binary file VirusShare_43b844c35e1a933e9214588be81ce772 matches
Binary file VirusShare_5a728cb9ce56763dccb32b5298d0f050 matches
Binary file VirusShare_c110f08399c5dca64d7dc4539eb82083 matches
Binary file VirusShare_c6a4bb1a4e4f69ec71855d70d6960859 matches
Binary file VirusShare_da383cc098a5ea8fbb87643611e4bfb6 matches

LONGRUN
Binary file VirusShare_13f0b56c28995e4efc8da784ad862853 matches
Binary file VirusShare_b3848edbabfbce246a9faf5466e743bf matches

MACROMAIL
Binary file VirusShare_c110f08399c5dca64d7dc4539eb82083 matches

NEWSREELS
Binary file VirusShare_0dd3677594632ce270bcf8af94819caf matches
Binary file VirusShare_17f5a2e0997b59449ca2120b20b5b7ce matches
Binary file VirusShare_523f56515221161579ee6090c962e5b1 matches
Binary file VirusShare_d271ae0f4e9230af3b61eafe7f671fde matches

STARSYPOUND
Binary file VirusShare_1f2eb7b090018d975e6d9b40868c94ca matches
Binary file VirusShare_2ba0d0083976a5c1e3315413cdcffcd2 matches
Binary file VirusShare_2dd892986b2249b5214639ecc8ac0223 matches
Binary file VirusShare_33de5067a433a6ec5c328067dc18ec37 matches
Binary file VirusShare_65018cd542145a3792ba09985734c12a matches
Binary file VirusShare_650a6fca433ee243391e4b4c11f09438 matches
Binary file VirusShare_6576c196385407b0f7f4b1b537d88983 matches
Binary file VirusShare_6faa4740f99408d4d2dddd0b09bbdefd matches
Binary file VirusShare_785003a405bc7a4ebcbb21ddb757bf3f matches
Binary file VirusShare_8442ae37b91f279a9f06de4c60b286a3 matches
Binary file VirusShare_8b75bcbff174c25a0161f30758509a44 matches
Binary file VirusShare_99a39866a657a10949fcb6d634bb30d5 matches
Binary file VirusShare_9ea3c16194ce354c244c1b74c46cd92e matches
Binary file VirusShare_a316d5aeca269ca865077e7fff356e7d matches
Binary file VirusShare_b07322743778b5868475dbe66eedac4f matches
Binary file VirusShare_c0a33a1b472a8c16123fd696a5ce5ebb matches
Binary file VirusShare_ca6fe7a1315af5afeac2961460a80569 matches
Binary file VirusShare_d9fbf759f527af373e34673dc3aca462 matches
Binary file VirusShare_ec8aa67b05407c01094184c33d2b5a44 matches
Binary file VirusShare_f6655e39465c2ff5b016980d918ea028 matches
Binary file VirusShare_f8437e44748d2c3fcf84019766f4e6dc matches

SWORD
Binary file VirusShare_b3848edbabfbce246a9faf5466e743bf matches

TABMSGSQL
Binary file VirusShare_001dd76872d80801692ff942308c64e6 matches
Binary file VirusShare_002325a0a67fded0381b5648d7fe9b8e matches
Binary file VirusShare_052ec04866e4a67f31845d656531830d matches
Binary file VirusShare_2f930d92dc5ebc9d53ad2a2b451ebf65 matches
Binary file VirusShare_3e87051b1dc3463f378c7e1fe398dc7d matches
Binary file VirusShare_55886d571c2a57984ea9659b57e1c63a matches
Binary file VirusShare_8a86df3d382bfd1e4c4165f4cacfdff8 matches

TARSIP-MOON
Binary file VirusShare_0908d8b3e459551039bade50930e4c1b matches
Binary file VirusShare_6808ec6dbb23f0fa7637c108f44c5c80 matches
Binary file VirusShare_95f25d3afc5370f5d9fd8e65c17d3599 matches
Binary file VirusShare_a5d4ebc0285f0213e0c29d23bc410889 matches
Binary file VirusShare_c91eacab7655870764d13ba741aa9a73 matches

TARSIP-ECLIPSE
Binary file VirusShare_123505024f9e5ff74cb6aa67d7fcc392 matches
Binary file VirusShare_4f763b07a7b8a80f1f9408e590f79532 matches
Binary file VirusShare_ca327bc83fbe38b3689cd1a5505dfc33 matches

WARP
Binary file VirusShare_15244d2321faa3a271ff0b1e5a23148f matches
Binary file VirusShare_36cd49ad631e99125a3bb2786e405cea matches
Binary file VirusShare_5100f0a34695c4c9dc7e915177041cad matches
Binary file VirusShare_77fbfed235d6062212a3e43211a5706e matches
Binary file VirusShare_7acb0d1df51706536f33bbdb990041d3 matches
Binary file VirusShare_81b03cbcfc4b9d090cd8f5e5da816895 matches
Binary file VirusShare_bc723e4f93a3bf85f4d1e1910393d1a3 matches
Binary file VirusShare_c0134285a276ab933e2a2b9b33b103cd matches
Binary file VirusShare_d7796209412da17b2ee2ccf2309b4abf matches
Binary file VirusShare_ddf3db31f9fa21cd43ff19dde393aba8 matches

WEBC2-ADSPACE
Binary file VirusShare_523cf1c9741f5f9d11388a58de6a83a4 matches
Binary file VirusShare_ab00b38179851c8aa3f9bc80ed7baa23 matches

WEBC2-BOLID
Binary file VirusShare_1ea61a0945bde3c6f41e12bc01928d37 matches
Binary file VirusShare_53b263dd41838aa178a5ced338a207f3 matches
Binary file VirusShare_5ff3269faca4a67d1a4c537154aaad4b matches
Binary file VirusShare_d8238e950608e5aba3d3e9e83e9ee2cc matches

WEBC2-CLOVER
Binary file VirusShare_065e63afdfa539727f63af7530b22d2f matches
Binary file VirusShare_29c691978af80dc23c4df96b5f6076bb matches
Binary file VirusShare_2fccaa39533de02490b1c6395878dd79 matches
Binary file VirusShare_689dcd40d5eae8c0d315265f3d90ffae matches

WEBC2-CSON
Binary file VirusShare_277964807a66aeeb6bd81dbfcaa3e4e6 matches
Binary file VirusShare_4192479b055b2b21cb7e6c803b765d34 matches
Binary file VirusShare_50f35b7c86aede891a72fcb85f06b0b7 matches
Binary file VirusShare_575836ebb1b8849f04e994e9160370e4 matches
Binary file VirusShare_73d125f84503bd87f8142cf2ba8ab05e matches
Binary file VirusShare_7d3140bd028f70f1fa865364b69c5999 matches
Binary file VirusShare_a38a367d6696ba90b2e778a5a4bf98fd matches
Binary file VirusShare_d22863c5e6f098a4b52688b021beef0a matches
Binary file VirusShare_f1e5d9bf7705b4dc5be0b8a90b73a863 matches
Binary file VirusShare_f802b6e448c054c9c16b97ff85646825 matches

WEBC2-GREENCAT
Binary file VirusShare_1ce4605e771a04e375e0d1083f183e8e matches
Binary file VirusShare_36c0d3f109aede4d76b05431f8a64f9e matches
Binary file VirusShare_55fb1409170c91740359d1d96364f17b matches
Binary file VirusShare_5e42780f52763c77d592044e535e4b01 matches
Binary file VirusShare_7388d67561d0a7989202ad4d37eff24f matches
Binary file VirusShare_95d85aa629a786bb67439a064c4349ec matches
Binary file VirusShare_a241eec892637dec971bd925a40d3efb matches
Binary file VirusShare_ba0c4d3dbf07d407211b5828405a9b91 matches
Binary file VirusShare_c044715c2626ab515f6c85a21c47c7dd matches
Binary file VirusShare_c41e44045cebebfba234063de8fd7c4d matches
Binary file VirusShare_e54ce5f0112c9fdfe86db17e85a5e2c5 matches
Binary file VirusShare_e83f60fb0e0396ea309faf0aed64e53f matches
Binary file VirusShare_f4ed3b7a8a58453052db4b5be3707342 matches
Binary file VirusShare_fab6b0b33d59f393e142000f128a9652 matches

WEBC2-KT3
Binary file VirusShare_476fea8761a03bef16e322996c2f6666 matches
Binary file VirusShare_e689b1fb0610b752f42adafc403fa49f matches

WEBC2-RAVE
Binary file VirusShare_438983192903f3fecf77500a39459ee6 matches
Binary file VirusShare_a2534e9b7e4146368ea3245381830eb0 matches

WEBC2-YAHOO
Binary file VirusShare_0149b7bd7218aab4e257d28469fddb0d matches
Binary file VirusShare_1415eb8519d13328091cc5c76a624e3d matches
Binary file VirusShare_1c16bd1488163c03cd506c2f71486a0f matches
Binary file VirusShare_2b659d71ae168e774faaf38db30f4a84 matches
Binary file VirusShare_36d5c8fc4b14559f73b6136d85b94198 matches
Binary file VirusShare_37ddd3d72ead03c7518f5d47650c8572 matches
Binary file VirusShare_4c9c9dbf388a8d81d8cfb4d3fc05f8e4 matches
Binary file VirusShare_5c6f30cc369cd164d44941d381e282cc matches
Binary file VirusShare_7a670d13d4d014169c4080328b8feb86 matches
Binary file VirusShare_a8f259bb36e00d124963cfa9b86f502e matches
Binary file VirusShare_aa4f1ecc4d25b33395196b5d51a06790 matches
Binary file VirusShare_cc3a9a7b026bfe0e55ff219fd6aa7d94 matches
Binary file VirusShare_d16947b200afa74a917f055597b772c0 matches
Binary file VirusShare_f7f85d7f628ce62d1d8f7b39d8940472 matches

WEBC2-Y21K
Binary file VirusShare_2479a9a50308cb72fcd5e4e18ef06468 matches
Binary file VirusShare_4cabfaef26fd8e5aec01d0c4b90a32f3 matches
Binary file VirusShare_7d3140bd028f70f1fa865364b69c5999 matches

MAPIGET
Binary file VirusShare_01e0dc079d4e33d8edd050c4900818da matches
Binary file VirusShare_0908d8b3e459551039bade50930e4c1b matches
Binary file VirusShare_0b506c6dde8d07f9eeb82fd01a6f97d4 matches
Binary file VirusShare_0c28ad34f90950bc784339ec9f50d288 matches
Binary file VirusShare_123505024f9e5ff74cb6aa67d7fcc392 matches
Binary file VirusShare_1ea61a0945bde3c6f41e12bc01928d37 matches
Binary file VirusShare_277964807a66aeeb6bd81dbfcaa3e4e6 matches
Binary file VirusShare_3107de21e480ab1f2d67725f419b28d0 matches
Binary file VirusShare_3120fc8630c5252002f26f6e11b09eca matches
Binary file VirusShare_321d75c9990408db812e5a248a74f8c8 matches
Binary file VirusShare_3b1b190407b868406c5c155a79f3d146 matches
Binary file VirusShare_4f763b07a7b8a80f1f9408e590f79532 matches
Binary file VirusShare_50f35b7c86aede891a72fcb85f06b0b7 matches
Binary file VirusShare_5100f0a34695c4c9dc7e915177041cad matches
Binary file VirusShare_53b263dd41838aa178a5ced338a207f3 matches
Binary file VirusShare_543e03cc5872e9ed870b2d64363f518b matches
Binary file VirusShare_57326cd78a56d26e349bbd4bcc5b9fa2 matches
Binary file VirusShare_5bd5a22d42c04db7ac1343a2a9f471fe matches
Binary file VirusShare_5c6f30cc369cd164d44941d381e282cc matches
Binary file VirusShare_5ff3269faca4a67d1a4c537154aaad4b matches
Binary file VirusShare_649d54bc9eef5a60a4b9d8b889fee139 matches
Binary file VirusShare_6808ec6dbb23f0fa7637c108f44c5c80 matches
Binary file VirusShare_6e8f302794cfaae731840e345063e652 matches
Binary file VirusShare_7712d05c8b499fc7a1f4a6a6b6dee825 matches
Binary file VirusShare_7b42b35832855ab4ff37ae9b8fa9e571 matches
Binary file VirusShare_830a748959bdd1ad3b6a1f72aab6f063 matches
Binary file VirusShare_88c7c50cd4130561d57a1d3b82c5b953 matches
Binary file VirusShare_8934aeed5d213fe29e858eee616a6ec7 matches
Binary file VirusShare_95f25d3afc5370f5d9fd8e65c17d3599 matches
Binary file VirusShare_973f4a238d6d19bdc7b42977b07b9cef matches
Binary file VirusShare_989b797c2a63fbfc8e1c6e8a8ccd6204 matches
Binary file VirusShare_a5d4ebc0285f0213e0c29d23bc410889 matches
Binary file VirusShare_b3848edbabfbce246a9faf5466e743bf matches
Binary file VirusShare_b74022a7b9b63fdc541ae0848b28a962 matches
Binary file VirusShare_c0134285a276ab933e2a2b9b33b103cd matches
Binary file VirusShare_c110f08399c5dca64d7dc4539eb82083 matches
Binary file VirusShare_c39e272e9ea15d61e0c8e6b749a1ad46 matches
Binary file VirusShare_c4c638750526e28f68d6d71fd1266bdf matches
Binary file VirusShare_c9172b3e83c782bc930c06b628f31fa5 matches
Binary file VirusShare_c91eacab7655870764d13ba741aa9a73 matches
Binary file VirusShare_ca327bc83fbe38b3689cd1a5505dfc33 matches
Binary file VirusShare_d262cb8267beb0e218f6d11d6af9052e matches
Binary file VirusShare_d8238e950608e5aba3d3e9e83e9ee2cc matches
Binary file VirusShare_db2580f5675f04716481b24bb7af468e matches
Binary file VirusShare_ec3a2197ca6b63ee1454d99a6ae145ab matches
Binary file VirusShare_f3611c5c793f521f7ff2a69c22d4174e matches
Binary file VirusShare_f627990bbe2ec5c48c180f724490c332 matches
 

Just a quick note to readers in security roles that might be responsible for end-user actions: Tonight’s announcement that Osama Bin Laden has been killed will likely spawn a large amount of malware purporting to be videos or pictures of the body or operation. You may want to pre-empt this by reminding users of the dangers of clicking and running things from untrusted sources.

I think most of the readers of this blog are smart enough not to fall for this themselves (and might even seek it out for the malware samples!), and that a good percentage are in offensive security roles, but this could be a big problem for the readers in defensive roles. So, heads up!

 

I guest-lectured the computer security class here today, and with it being the day Conficker.C starts looking for a payload, I figured it would be an excellent opportunity to deviate from the normal lesson plan.  With the well-written Honeynet Project and SRI papers out there that describe the technical details of Conficker.C, it’s a great time to expose the students to malware analysis.  There are some really interesting and clever things that this worm/botnet does, and discussion of it filled an hour’s lecture nicely.

As I promised to the class and to several people on Twitter, I’ve made the slides available here:

…although I fear it won’t be as useful without having been there.  It’s more visual aid and points for discussion than a standalone set of slides you can just read.  Either way, enjoy!

One thing I’d like to talk about in addition to this: the speculation about what Conficker.C will actually do.  The pendulum has been swinging between two extremes of media speculation (“will destroy the internet”-like garbage) and equally ridiculous complete dismissal (“nothing has happened and nothing will”).  Many security professionals, including those that are blogging and posting to twitter, are swinging a little bit too far to the latter I think.  It seems just as dangerous to completely dismiss it as it is to give it too much hype.

Here’s a few things one needs to keep in mind when speculating about Conficker.C and its effects:

  • April 1st isn’t the only important day.  It attempts to find a payload every midnight (local time).  April 1st is just the first day that it does this–it’s not necessarily the day the operator/originator will register domain(s) and deploy a payload.  He/she/they can do this, at their leisure, from now until enough of the infected machines are fixed or go offline to make it not worth it (some time).
  • There’s no reason for the operator to walk away from it.  There’s tons of computers infected, and a really solidly-written means of getting potential payloads spread around.  A lot has been invested in this, and there’s some significant power and revenue to be claimed by whoever can sign a payload for it.
  • Chances are, it’s not going to be loud.  There’s no money in melting the Internet or indiscriminately destroying Windows installations.  This isn’t the Slammer worm choking large parts of the internet with UDP packets spreading itself.  Nowadays folks want to make money with malware, and that means routing spam, harvesting information, and things like that.  The longer an infected computer acts normally, the longer the malware can stay there, run, and generate revenue.

So there you have it.  It’s not likely to destroy the Internet, but I would also be very surprised if we don’t see a payload distributed (widely) through it at some point.

 

Hopefully I won’t be asked to take this one down:

I was just looking for hours of operation for the Picabu buffet/cafeteria here at Disney’s Dolphin resort while I’m here for the SANS SCADA Summit.  I just can’t do anything anymore without stumbling across something security related, I guess.

If you haven’t spotted what’s “wrong” in the above image, don’t feel bad.  It’s an oldie but goodie:

This is a Word 97 (yeah, the nineties) macro virus that will randomly change the names of documents you create to “Ethan Frome”.  The computer used to create the document is infected with it.  Don’t panic though, because:

  • The document above has been exported to PDF, so it’s safe and isn’t spreading the Ethan Frome macro virus.
  • There only seems to be one malicious variant of this macro virus, and it modifies your autoexec.bat (lol) to format your C: drive…

Not much more than a curiosity :) .  I have a friend who had the misfortune of having his resume retitled “Ethan Frome” from this same macro virus several years ago.  He didn’t realize it till I pointed it out.  Funny stuff.

I met some great people at the Summit today (or rather, yesterday.  It’s late.), and I’m looking forward to attending some more talks in the morning.

 

Regarding “Homer Simpson and the Kimya Botnet“, a new away message for Chunkylover53 (Homer Simpson’s AOL account, revealed in one of the episodes, and since hijacked) drops some names:

KRYOGENIKS EBK and DEFIANT RoXed HOMER sHouTz To VIRUS Warlock elul21 coll1er and Slacker.

I wouldn’t advise keeping him on your buddy list at this point, as the account is pushing out malware occasionally.

 

Trend Micro & Software Patents

So it seems that Trend Micro is trying to push themselves around on other antivirus products with a patent that they have on performing antivirus detection on SMTP and FTP gateways. Some commercial vendors have already settled with them over this; however, Trend Micro is now suing Barracuda for their use and distribution of ClamAV. ClamAV is an open source product, which Trend Micro feels infringes upon their patent. A few links on the subject, then I’ll move on to my personal Trend Micro story:

In my opinion, whatever the open source community decides to do with Trend Micro at this point is fine by me. I started my personal boycott of Trend Micro just under a year and a half ago. Why, you might be asking? Story time…

The Tale of the Trend Micro Lunchless Lunch-and-Learn (or why I will never purchase or recommend a Trend Micro product)

A colleague and I attended SANS Network Security in October of 2006, for the purpose of attending Ed Skoudis’ excellent “Hacker Techniques and Incident Handling Class”, leading up to the GCIH exam. At these larger SANS conferences there is a vendor expo with booths, and also “Lunch and Learn” events throughout the week that vendors take care of. These events are win-win. The vendors get a captive audience for a presentation, and the attendees get a free, and very convenient lunch. Especially at events like NS in Vegas, it can be very difficult to leave the event, eat lunch, and get back in time for class, so the “Lunch and Learns” are very nice.

At the vendor expo, Trend Micro had a booth with a computer running an IRC client, and a setup where they were replaying a packet dump of a carding-oriented IRC channel. Having investigated incidents that involve these channels in the past, I made attempts to discuss the nature of carder/info trading channels with the Trend Micro representative, however he was very reluctant to talk to me (even though there was no one else around). He stated that if we wanted to know more, we could attend his presentation later in the week. I should have known at this point that this guy wasn’t worth the time and forgotten about the whole thing.

On Friday of that week, we left class to attend the talk, and let me tell you it was a train wreck. What many attendees will remember about it was that there was no Lunch, an important aspect of a talk billed as a “Lunch and Learn”. This is bad enough, with 150 or so attendees being unable to get lunch before their training began again (once the presentation got started, it was already too late to feasibly leave and eat lunch).

What was worse was the quality of the presentation. The representative was not a very good presenter, and had no sense of time or pacing. To our astonishment, the slides used had IRC logs similar to those that were scrolling by on the screen at the vendor expo, and these logs contained personal information being traded about the victims of credit card fraud, uncensored. It seems like the least they could have done was attempt to prevent the further spread of data like this.

When the presentation was over (and it ran over-time by a significant amount), a SANS representative informed the audience that Trend Micro was going to “make up” for the lack of lunch, which the presenter seemed very upset about. Later, we were all given gift-cards good for the restaurants in the hotel, with enough money on them to cover a buffet dinner that night, which at least helped after having not eaten that day.

There was, however, never an apology about this from Trend Micro. When I emailed Trend Micro to inform them of how unprofessional their chosen representative was, and how poorly they were represented, I never received a response. It seems to me that they are fine with what has happened regarding this, and not eager to present themselves well to others in the computer security community.

And for that, I completely support this boycott, as I have since long before it started.

 

Finally, someone gets the point of this thing and starts some discussion about what this malware is doing scarily right, instead of dwelling on the fact that this week it is sending itself out as greeting cards or whatever. Does it surprise me that “someone” is Bruce Schneier? Not really :) , although it is a little more technical than his usual posts, which is a good thing:

http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

He discusses the decentralized command-and-control, plus a bit on the rate at which it spreads. This is the correct focus.

 

I like SunbeltBLOG a lot (and I recommend that you add them to your reader), however, like most of the content in my RSS reader that I really like, I occasionally find myself disagreeing with them. Today’s post, For shame: Thawte trusts Gromozon is one of those times. While I can certainly understand people not liking anything that helps out malware, I think this is a case of people’s expectations about what security mechanisms are supposed to provide not matching up with the reality. Another good recent example of this is the embassy password incident, revealing the fact that many people were under the impression that Tor provides privacy (which it doesn’t), when it’s designed to provide anonymity (which it does, if you use it right).

Picking this apart, let’s see what people think code signing is supposed to provide. This is easy: a lot of people are guilty of assuming that something being signed means that it’s safe to install. This comes from impressions that people have formed about what a signature means, and what role the certificate authority takes in the matter. Let’s take a look, starting with the title of the SunbeltBLOG post:

“For shame: Thawte trusts Gromozon”

Certainly sounds shameful, after reading what Gromozon does. But does Thawte really trust Gromozon? Is that really what the certificate means? If you follow the link from SunbeltBLOG to SpywareGuide then you’d be inclined to think so. They spell out what they think the certificate means:

  • The publisher: The software really comes from the publisher who signed it. Publishers must go through a process to verify their identity and that they are who they say they are.
  • The content: The software has not been altered or corrupted, and is therefore safe to install and run.

Hit the brakes there! You’ve gone a little too far. This was right, up until the last bit about “…and is therefore safe to install and run”. The certificate authority does verify the identity of publishers, and signing the code and then verifying that signature on the client does mean that it hasn’t been altered or corrupted between the publisher and the client. It does not speak for the content, actions, and motives of the software or the publisher! People think that digital signing of code “solves” the problem of malware; however, it only means that the malicious code has been there since the publisher signed the code. It may deter people from putting their signature on malicious code, since it can be tracked back to them easily, but this demonstrates that this doesn’t bother or stop some authors.

Go to the horse’s mouth. See what Thawte has to say about their code signing certificates. Having code signed by the publisher “effectively verifies the source of your software before it is downloaded”, and “Ensures that your active content or code cannot be maliciously modified” (“your” referring to the publisher). For the end-user of signed software, it gives them “recourse to the person who published it”. This is all consistent with signing something like Gromozon. The only time it really comes close to speaking of the content of the signed code is when it says that the process “Promotes the Internet as a secure and viable platform for content distribution”. This might be mistaken to mean the end-user’s security from malicious code, but it’s really in reference to the threat of modification by third parties.

So, code signing is a good idea, but people need to understand the problem that it is meant to solve, and the problems that it does not.

 

Lately I’ve been reading Eldad Eilam’s “Reversing: Secrets of Reverse Engineering”, working through all of the exercises and such. I need to build up my skills at really low level workings of Windows, static analysis of disassembled code, and debugging a live process more effectively. This is the perfect book for that, so I’ve been really enjoying it.

When I received some malware, attached to a “Message could not be delivered” email, I figured I’d play with it a bit, as I often enjoy doing. Now, this is the sort of thing VMWare Server is excellent for. If you’re running Ubuntu, check here for a nice writeup on getting it going on 6.10. For Feisty, check my comments :). I can create a checkpoint before I load the malware onto the system, and then rewind it back to that clean state whenever needed.

I already had a Windows XP VM that I was using OllyDbg in, working through Eilam’s examples, so I figured it’d be fun to load up some malware and see what I could do. Unfortunately, I’m not far enough into the book yet to beat this malware’s executable packing and anti-debugging features ;). Not to be discouraged, I dropped back to one of my usual techniques for analyzing malware: seeing how it interacts with the network.

For this, I could run Wireshark in the host OS (Linux) without fear of the malware affecting it. Here are some notes:

As you can see, this executable tries hard to make itself look like an HTML file (that’s a “.com” at the end of all those spaces). A proper icon would have helped though.

I was very happy that, when I ran the malware, the Windows Firewall popped up to ask me if I wanted to let it access the network. The malware was smart enough to call itself “services”, which is innocuous enough for a lot of people. For the purposes of testing, I went ahead and allowed it.

After a while of sniffing traffic, I stopped the Wireshark capture, and began restoring the VM back to a clean slate. The traffic mostly consisted of email (sending out copies of itself, boring and unsuccessful), and web traffic (much more interesting). So, if you want to take a look at the sort of web requests that are being made in a packet dump, here’s a nice display filter…

This filter resulted in a large number of searches on lots of search engines, presumably looking for more email addresses to spread to on sites that it found in my browser history:

I’m impressed by the wide variety of search engines and terms that I’ve seen it use. I do, however, question the practicality of mining debian.org for people vulnerable to Windows malware ;-)
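The same triage can be done outside Wireshark once the capture is saved. The script below is an added example written for this post, not code from the original write-up: it walks a libpcap file by hand (Ethernet / IPv4 / TCP), picks out the segments that begin with an HTTP request line, the way an `http.request` display filter would, and then pulls the search terms out of requests aimed at search engines. The capture it runs on is constructed in memory, the IP addresses are made up, and the mapping of search-engine hostnames to their query-string parameter (`q` for Google, `p` for Yahoo) is an assumption for the example, not something taken from the captured traffic in the post.

```python
import struct
from urllib.parse import urlsplit, parse_qs

# ---- Constructed sample capture (not traffic from the original post) ------
def build_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying one payload. Checksums are left zero;
    the parser below does not validate them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, linktype: int = 1) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = b"".join(
        struct.pack("<IIII", 1179000000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records

SAMPLE_PCAP = build_pcap([
    build_frame("192.168.56.101", "10.0.0.5", 80,
                b"GET /search?q=%40example.com+email&hl=en HTTP/1.1\r\n"
                b"Host: www.google.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    build_frame("192.168.56.101", "10.0.0.6", 80,
                b"GET /search?p=example.com+contact HTTP/1.1\r\nHost: search.yahoo.com\r\n\r\n"),
    build_frame("192.168.56.101", "10.0.0.7", 25, b"EHLO localhost\r\n"),  # SMTP, skipped
    build_frame("192.168.56.101", "10.0.0.8", 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.debian.org\r\n\r\n"),
])

# ---- Capture parsing -------------------------------------------------------
def iter_frames(pcap: bytes):
    """Yield (timestamp, frame bytes) for each record of a libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len

def tcp_payload(frame: bytes):
    """(src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    dst_port = struct.unpack_from("!H", frame, tcp_off + 2)[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src_ip, dst_ip, dst_port, frame[tcp_off + data_off:]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

def extract_http_requests(pcap: bytes):
    """Like an 'http.request' display filter: segments that start with a request
    line. Requests split across segments are not reassembled."""
    requests = []
    for ts, frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[3].startswith(HTTP_METHODS):
            continue
        src_ip, dst_ip, dst_port, payload = parsed
        head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
        parts = head[0].split(b" ", 2)
        if len(parts) != 3:
            continue
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        requests.append({"time": ts, "src": src_ip, "dst": f"{dst_ip}:{dst_port}",
                         "method": parts[0].decode("latin-1"),
                         "host": headers.get("host", ""),
                         "path": parts[1].decode("latin-1")})
    return requests

# Query parameter carrying the search terms per engine (assumption for the example).
SEARCH_PARAMS = {"www.google.com": "q", "search.yahoo.com": "p"}

def search_terms(requests):
    """(host, term) for every request to a known search engine."""
    found = []
    for r in requests:
        param = SEARCH_PARAMS.get(r["host"])
        if param:
            for term in parse_qs(urlsplit(r["path"]).query).get(param, []):
                found.append((r["host"], term))
    return found

if __name__ == "__main__":
    reqs = extract_http_requests(SAMPLE_PCAP)
    for r in reqs:
        print(f"{r['src']} -> {r['host']}{r['path']}")
    print(search_terms(reqs))
```

Point `iter_frames` at the bytes of a saved `.pcap` instead of `SAMPLE_PCAP` and the same two functions give a per-host list of requests and the harvested search terms, which is the quickest way to see what a sample is mining for.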

So, for this exercise, I intentionally didn’t search out any information about the virus beforehand, but this is always a good idea. Google the MD5 hash of the malware you get your hands on, run strings over it and search for any unique strings, and anything else you can think of. Anytime you can find someone who’s already done analysis for you, you have saved some time. Just be sure to verify their results, because they may not know what they’re doing, or maybe you have a new variant.
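As an added example for the hashing-and-strings step above (not code from the original post), here is the triage pass in a few lines of Python: the MD5 and SHA1 digests you would search for, plus a `strings`-style extractor that also picks up UTF-16LE strings, which Windows binaries carry and which the plain `strings` tool misses unless told to look for them. The sample bytes are constructed for the example, not the MyDoom binary from the post.

```python
import hashlib
import re

# Constructed stand-in for a sample file: a fake MZ header, the usual DOS stub
# text, a short ASCII string, a UTF-16LE string and some filler bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02\x03"
    + b"services.exe\x00\x00"
    + "Message could not be delivered".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x7f" + b"ab" + b"\x00" * 4
)

def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 of the file: the digests to search for before analyzing anything."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def extract_strings(data: bytes, min_len: int = 4):
    """Printable runs of at least min_len characters, as ASCII and as UTF-16LE.
    Returns (encoding, text, offset) tuples sorted by file offset."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = [("ascii", m.group().decode("ascii"), m.start())
             for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le"), m.start())
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda t: t[2])

def triage(data: bytes, min_len: int = 4) -> dict:
    """Everything worth pasting into a search engine, in one place."""
    return {"size": len(data),
            "hashes": file_hashes(data),
            "strings": extract_strings(data, min_len)}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["size"], "bytes", report["hashes"])
    for enc, text, off in report["strings"]:
        print(f"{off:08x} {enc:8s} {text}")
```

Run `triage` over the real file's bytes and the strings list is what you grep for the unique ones (C2 hostnames, mutex names, hard-coded sender addresses), while the digests go straight into a search.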

For the sake of completeness, here’s what VirusTotal.com had to say about this malware:

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.16.1 | 05.16.2007 | Win32/MyDoom.worm.40960.B |
| AntiVir | 7.4.0.23 | 05.16.2007 | Worm/Mydoom.BB.1 |
| Authentium | 4.93.8 | 05.16.2007 | W32/Mydoom.BF@mm |
| Avast | 4.7.997.0 | 05.16.2007 | Win32:Mydoom-L2 |
| AVG | 7.5.0.467 | 05.16.2007 | I-Worm/Mydoom |
| BitDefender | 7.2 | 05.17.2007 | Win32.Mydoom.AQ@mm |
| CAT-QuickHeal | 9.00 | 05.16.2007 | I-Worm.Mydoom.m |
| ClamAV | devel-20070416 | 05.16.2007 | Worm.Mydoom.M-unp |
| DrWeb | 4.33 | 05.16.2007 | Win32.HLLM.MyDoom.54464 |
| eSafe | 7.0.15.0 | 05.16.2007 | Win32.Mydoom.bf |
| eTrust-Vet | 30.7.3638 | 05.17.2007 | Win32/Mydoom.BA |
| Ewido | 4.0 | 05.16.2007 | Worm.Mydoom.m |
| FileAdvisor | 1 | 05.17.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.17.2007 | W32/MyDoom.BE@mm |
| F-Prot | 4.3.2.48 | 05.16.2007 | W32/Mydoom.BC@mm |
| F-Secure | 6.70.13030.0 | 05.17.2007 | Email-Worm.Win32.Mydoom.am |
| Ikarus | T3.1.1.7 | 05.16.2007 | Email-Worm.Win32.Mydoom.m |
| Kaspersky | 4.0.2.24 | 05.17.2007 | Email-Worm.Win32.Mydoom.am |
| McAfee | 5032 | 05.16.2007 | W32/Mydoom.bf@MM |
| Microsoft | 1.2503 | 05.17.2007 | Worm:Win32/Mydoom.BF@mm |
| NOD32v2 | 2272 | 05.17.2007 | Win32/Mydoom.AX |
| Norman | 5.80.02 | 05.16.2007 | W32/MyDoom.AU@mm |
| Panda | 9.0.0.4 | 05.16.2007 | W32/Mydoom.AT.worm |
| Prevx1 | V2 | 05.17.2007 | no virus found |
| Sophos | 4.17.0 | 05.16.2007 | W32/MyDoom-BE |
| Sunbelt | 2.2.907.0 | 05.17.2007 | VIPRE.Suspicious |
| Symantec | 10 | 05.17.2007 | W32.Mydoom.BB@mm |
| TheHacker | 6.1.6.115 | 05.15.2007 | W32/Mydoom.am |
| VBA32 | 3.12.0 | 05.16.2007 | MalwareScope.Email-Worm.Mydoom.1 |
| VirusBuster | 4.3.7:9 | 05.16.2007 | I-Worm.MyDoom.BC |
| Webwasher-Gateway | 6.0.1 | 05.17.2007 | Worm.Mydoom.BB.1 |

Additional Information
File size: 41312 bytes
MD5: 34e99b96a132caac09c5f3c4f4db7636
SHA1: 9c25a1841dc4ac0eb0503f1a8707e9cbab9f6eb2
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

I’m going to assume that FileAdvisor and Prevx1 just had a bad day or some kind of glitch, because I’m not sure why else they wouldn’t be able to recognize MyDoom. As long as you’re using pretty much anything else, it looks like you’re safe!

…or you could just use VMWare and restore to a clean state after your questionable activities ;) .
