Just a quick note to readers in security roles that might be responsible for end-user actions: Tonight’s announcement that Osama Bin Laden has been killed will likely spawn a large number of malware purporting to be videos or pictures of the body or operation. You may want to pre-empt this by reminding users of the dangers of clicking and running things from untrusted sources.

I think most of the readers of this blog are smart enough not to fall for this themselves (and might even seek it out for the malware samples!), and that a good percentage are in offensive security roles, but this could be a big problem for the readers in defensive roles. So, heads up!

 

I guest-lectured the computer security class here today, and with it being the day Conficker.C starts looking for a payload, I figured it would be an excellent opportunity to deviate from the normal lesson plan.  With the well-written Honeynet Project and SRI papers out there that describe the technical details of Conficker.C, it’s a great time to expose the students to malware analysis.  There’s some really interesting and clever things that this worm/botnet does, and discussion of it filled an hour’s lecture nicely.

As I promised to the class and to several people on Twitter, I’ve made the slides available here:

…although I fear it won’t be as useful without having been there.  It’s more visual aid and points for discussion than a standalone set of slides you can just read.  Either way, enjoy!

One thing I’d like to talk about in addition to this: the speculation about what Conficker.C will actually do.  The pendulum has been swinging between two extremes of media speculation (“will destroy the internet”-like garbage) and equally ridiculous complete dismissal (“nothing has happened and nothing will”).  Many security professionals, including those that are blogging and posting to twitter, are swinging a little bit too far to the latter I think.  It seems just as dangerous to completely dismiss it as it is to give it too much hype.

Here’s a few things one needs to keep in mind when speculating about Conficker.C and its effects:

  • April 1st isn’t the only important day.  It attempts to find a payload every midnight (local time).  April 1st is just the first day that it does this–it’s not necessarily the day the operator/originator will register domain(s) and deploy a payload.  He/she/they can do this, at their leisure, from now until enough of the infected machines are fixed or go offline to make it not worth it (some time).
  • There’s no reason for the operator to walk away from it.  There’s tons of computers infected, and a really solidly-written means of getting potential payloads spread around.  A lot has been invested in this, and there’s some significant power and revenue to be claimed by whoever can sign a payload for it.
  • Chances are, it’s not going to be loud.  There’s no money in melting the Internet or indiscriminately destroying Windows installations.  This isn’t the Slammer worm choking large parts of the internet with UDP packets spreading itself.  Nowadays folks want to make money with malware, and that means routing spam, harvesting information, and things like that.  The longer an infected computer acts normally, the longer the malware can stay there, run, and generate revenue.

So there you have it.  It’s not likely to destroy the Internet, but I would also be very surprised if we don’t see a payload distributed (widely) through it at some point.

 

Hopefully I won’t be asked to take this one down:

I was just looking for hours of operation for the Picabu buffet/cafeteria here at Disney’s Dolphin resort while I’m here for the SANS SCADA Summit.  I just can’t do anything anymore without stumbling across something security related, I guess.

If you haven’t spotted what’s “wrong” in the above image, don’t feel bad.  It’s an oldie but goodie:

This is a Word 97 (yeah, the nineties) macro virus that will randomly change the names of documents you create to “Ethan Frome”.  The computer used to create the document is infected with it.  Don’t panic though, because:

  • The document above has been exported to PDF, so it’s safe and isn’t spreading the Ethan Frome macro virus.
  • There only seems to be one malicious variant of this macro virus, and it modifies your autoexec.bat (lol) to format your C: drive…

Not much more than a curiosity :) .  I have a friend who had the misfortune of having his resume retitled “Ethan Frome” from this same macro virus several years ago.  He didn’t realize it till I pointed it out.  Funny stuff.

I met some great people at the Summit today (or rather, yesterday.  It’s late.), and I’m looking forward to attending some more talks in the morning.

 

Regarding “Homer Simpson and the Kimya Botnet”, a new away message for Chunkylover53 (Homer Simpson’s AOL account, revealed in one of the episodes, and since hijacked) drops some names:

KRYOGENIKS EBK and DEFIANT RoXed HOMER sHouTz To VIRUS Warlock elul21 coll1er and Slacker.

I wouldn’t advise keeping him on your buddy list at this point, as the account is pushing out malware occasionally.

 

Trend Micro & Software Patents

So it seems that Trend Micro is trying to push themselves around on other antivirus products with a patent that they have on performing antivirus detection on SMTP and FTP gateways. Some commercial vendors have already settled with them over this, however Trend Micro are now suing Barracuda for their use and distribution of ClamAV. ClamAV is an open source product, which Trend Micro feels infringes upon their patent. A few links on the subject, then I’ll move on to my personal Trend Micro story:

In my opinion, whatever the open source community decides to do with Trend Micro at this point is fine by me. I started my personal boycott of Trend Micro just under a year and a half ago. Why, you might be asking? Story time…

The Tale of the Trend Micro Lunchless Lunch-and-Learn (or why I will never purchase or recommend a Trend Micro product)

A colleague and I attended SANS Network Security in October of 2006, for the purpose of attending Ed Skoudis’ excellent “Hacker Techniques and Incident Handling Class”, leading up to the GCIH exam. At these larger SANS conferences there is a vendor expo with booths, and also “Lunch and Learn” events throughout the week that vendors take care of. These events are win-win. The vendors get a captive audience for a presentation, and the attendees get a free, and very convenient lunch. Especially at events like NS in Vegas, it can be very difficult to leave the event, eat lunch, and get back in time for class, so the “Lunch and Learns” are very nice.

At the vendor expo, Trend Micro had a booth with a computer running an IRC client, and a setup where they were replaying a packet dump of a carding-oriented IRC channel. Having investigated incidents that involve these channels in the past, I made attempts to discuss the nature of carder/info trading channels with the Trend Micro representative, however he was very reluctant to talk to me (even though there was no one else around). He stated that if we wanted to know more, we could attend his presentation later in the week. I should have known at this point that this guy wasn’t worth the time and forgotten about the whole thing.

On Friday of that week, we left class to attend the talk, and let me tell you it was a train wreck. What many attendees will remember about it was that there was no Lunch, an important aspect of a talk billed as a “Lunch and Learn”. This is bad enough, with 150 or so attendees being unable to get lunch before their training began again (once the presentation got started, it was already too late to feasibly leave and eat lunch).

What was worse was the quality of the presentation. The representative was not a very good presenter, and had no sense of time or pacing. To our astonishment, the slides used had IRC logs similar to those that were scrolling by on the screen at the vendor expo, and these logs contained personal information being traded about the victims of credit card fraud, uncensored. It seems like the least they could have done was attempt to prevent the further spread of data like this.

When the presentation was over (and it ran over-time by a significant amount), a SANS representative informed the audience that Trend Micro was going to “make up” for the lack of lunch, which the presenter seemed very upset about. Later, we were all given gift-cards good for the restaurants in the hotel, with enough money on them to cover a buffet dinner that night, which at least helped after having not eaten that day.

There was, however, never an apology about this from Trend Micro. When I emailed Trend Micro to inform them of how unprofessional their chosen representative was, and how poorly they were represented, I never received a response. It seems to me that they are fine with what has happened regarding this, and not eager to present themselves well to others in the computer security community.

And for that, I completely support this boycott, as I have since long before it started.

 

Finally, someone gets the point of this thing and starts some discussion about what this malware is doing scarily right, instead of dwelling on the fact that this week it is sending itself out as greeting cards or whatever. Does it surprise me that “someone” is Bruce Schneier? Not really :) , although it is a little more technical than his usual posts, which is a good thing:

http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

He discusses the decentralized command-and-control, plus a bit on the rate at which it spreads. This is the correct focus.

 

I like SunbeltBLOG a lot (and I recommend that you add them to your reader), however, like most of the content in my RSS reader that I really like, I occasionally find myself disagreeing with them. Today’s post, For shame: Thawte trusts Gromozon is one of those times. While I can certainly understand people not liking anything that helps out malware, I think this is a case of people’s expectations about what security mechanisms are supposed to provide not matching up with the reality. Another good recent example of this is the embassy password incident, revealing the fact that many people were under the impression that Tor provides privacy (which it doesn’t), when it’s designed to provide anonymity (which it does, if you use it right).

Picking this apart, let’s see what people think code signing is supposed to provide. This is easy: a lot of people are guilty of assuming that something being signed means that it’s safe to install. This comes from impressions that people have formed about what a signature means, and what role the certificate authority takes in the matter. Let’s take a look, starting with the title of the SunbeltBLOG post:

“For shame: Thawte trusts Gromozon”

Certainly sounds shameful, after reading what Gromozon does. But does Thawte really trust Gromozon? Is that really what the certificate means? If you follow the link from SunbeltBLOG to SpywareGuide then you’d be inclined to think so. They spell out what they think the certificate means:

  • The publisher: The software really comes from the publisher who signed it. Publishers must go through a process to verify their identity and that they are who they say they are.
  • The content: The software has not been altered or corrupted, and is therefore safe to install and run.

Hit the brakes there! You’ve gone a little too far. This was right, up until the last bit about “…and is therefore safe to install and run”. The certificate authority does verify the identity of publishers, and the process of signing code, and verifying that signature on the client does mean that it hasn’t been altered or corrupted between the publisher and client. It does not speak for the content, actions, and motives of the software or the publisher! People think that digital signing of code “solves” the problem of malware, however it only means that the malicious code has been there since the publisher signed the code. It may deter people from putting their signature on malicious code, since it can be tracked back to them easily, however this demonstrates that this doesn’t bother or stop some authors.

Go to the horse’s mouth. See what Thawte has to say about their code signing certificates. Having code signed by the publisher “effectively verifies the source of your software before it is downloaded”, and “Ensures that your active content or code cannot be maliciously modified” (“your” referring to the publisher). For the end-user of signed software, it gives them “recourse to the person who published it”. This is all consistent with signing something like Gromozon. The only time it really comes close to speaking of the content of the signed code is when it says that the process “Promotes the Internet as a secure and viable platform for content distribution”. This might be mistaken to mean the end-user’s security from malicious code, but it’s really in reference to the threat of modification by third parties.

So, code signing is a good idea, but people need to understand the problem that it is meant to solve, and the problems that it does not.
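To make that distinction concrete, here is an added example (not from the post, Thawte, or SunbeltBLOG) that uses Go’s standard-library Ed25519 in place of an X.509 code-signing certificate: a valid signature shows who signed and that the bytes are intact, a copy altered in transit fails, but a publisher-signed piece of spyware verifies just as cleanly. The publisher name and installer bytes are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher holds a code-signing key pair. Constructed for this example; with a
// CA-issued certificate, the public key is bound to a verified publisher identity.
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the installer bytes.
func (p *Publisher) Sign(code []byte) []byte {
	return ed25519.Sign(p.priv, code)
}

// Verify answers exactly two questions: did the holder of this public key sign
// these bytes, and are the bytes unchanged since? It says nothing about what
// the code does when run.
func Verify(pub ed25519.PublicKey, code, sig []byte) bool {
	return ed25519.Verify(pub, code, sig)
}

func main() {
	p, err := NewPublisher("Example Publisher") // hypothetical publisher
	if err != nil {
		panic(err)
	}
	legit := []byte("constructed installer that does what it says")
	sig := p.Sign(legit)
	fmt.Println("untampered, signed:    ", Verify(p.Pub, legit, sig))
	// A byte flipped in transit breaks the signature: this is what signing catches.
	tampered := append([]byte{}, legit...)
	tampered[0] ^= 0x01
	fmt.Println("modified after signing:", Verify(p.Pub, tampered, sig))
	// The same publisher signs spyware: the signature still verifies, because
	// it vouches for origin and integrity, not for behaviour.
	spyware := []byte("constructed installer that also drops spyware")
	fmt.Println("malicious but signed:  ", Verify(p.Pub, spyware, p.Sign(spyware)))
}
```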

 

Lately I’ve been reading Eldad Eilam’s “Reversing: Secrets of Reverse Engineering”, working through all of the exercises and such. I need to build up my skills at really low level workings of Windows, static analysis of disassembled code, and debugging a live process more effectively. This is the perfect book for that, so I’ve been really enjoying it.

When I received some malware, attached to a “Message could not be delivered” email, I figured I’d play with it a bit, as I often enjoy doing. Now, this is the sort of thing VMWare Server is excellent for. If you’re running Ubuntu, check here for a nice writeup on getting it going on 6.10. For Feisty, check my comments :) . I can create a checkpoint before I load the malware onto the system, and then rewind it back to that clean state whenever needed.

I already had a Windows XP VM that I was using OllyDbg in, working through Eilam’s examples, so I figured it’d be fun to load up some malware and see what I could do. Unfortunately, I’m not far enough into the book yet to beat this malware’s executable packing and anti-debugging features ;) . Not to be discouraged, I dropped back to one of my usual techniques for analyzing malware: seeing how it interacts with the network.

For this, I could run Wireshark in the host OS (Linux) without fear of the malware affecting it. Here’s some notes:

As you can see, this executable tries hard to make itself look like an HTML file (that’s a “.com” at the end of all those spaces). A proper icon would have helped though.

I was very happy that, when I ran the malware, the Windows Firewall popped up to ask me if I wanted to let it access the network. The malware was smart enough to call itself “services”, which is innocuous enough for a lot of people. For the purposes of testing, I went ahead and allowed it.

After a while of sniffing traffic, I stopped the Wireshark capture, and began restoring the VM back to a clean slate. The traffic mostly consisted of email (sending out copies of itself, boring and unsuccessful), and web traffic (much more interesting). So, if you want to take a look at the sort of web requests that are being made in a packet dump, here’s a nice display filter…

This filter resulted in a large number of searches on lots of search engines, presumably looking for more email addresses to spread to on sites that it found in my browser history:

I’m impressed by the wide variety of search engines and terms that I’ve seen it use. I do, however, question the practicality of mining debian.org for people vulnerable to Windows malware ;-)

So, for this exercise, I intentionally didn’t search out any information about the virus beforehand, but this is always a good idea. Google the md5 hash of the malware you get your hands on, run strings over it and search for any unique strings, and anything else you can think of. Anytime you can find someone who’s already done analysis for you, you have saved some time. Just be sure to verify their results, because they may not know what they’re doing, or maybe you have a new variant.
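As an added example (not the post’s own tooling), here are the quick triage checks mentioned above written in Go: flagging a filename that pads a decoy extension with spaces before the real executable extension, computing the MD5 and SHA1 you would search for, and a minimal stand-in for strings. The sample bytes and filename are constructed, not taken from the worm.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Extensions Windows treats as programs when double-clicked.
var execExts = []string{".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

// DisguisedName reports whether a filename hides an executable extension behind
// a document-looking one and a run of spaces, e.g. "body.html<spaces>.com".
func DisguisedName(name string) bool {
	lower := strings.ToLower(name)
	for _, ext := range execExts {
		if strings.HasSuffix(lower, ext) {
			stem := strings.TrimSuffix(lower, ext)
			trimmed := strings.TrimRight(stem, " ")
			// flag when at least three padding spaces separate a decoy extension
			return len(stem)-len(trimmed) >= 3 && strings.Contains(trimmed, ".")
		}
	}
	return false
}

// Hashes returns the MD5 and SHA-1 hex digests, the values to search for first.
func Hashes(data []byte) (md5sum, sha1sum string) {
	m, s := md5.Sum(data), sha1.Sum(data)
	return hex.EncodeToString(m[:]), hex.EncodeToString(s[:])
}

// Strings mimics the `strings` tool: runs of at least minLen printable ASCII bytes.
func Strings(data []byte, minLen int) []string {
	var out []string
	for _, f := range bytes.FieldsFunc(data, func(r rune) bool { return r < 0x20 || r > 0x7e }) {
		if len(f) >= minLen {
			out = append(out, string(f))
		}
	}
	return out
}

func main() {
	// Constructed sample bytes, not the worm itself.
	sample := []byte("MZ\x90\x00\x03\x00\x00\x00services\x00http://example.invalid/search?q=\x00")
	m, s := Hashes(sample)
	fmt.Println("MD5:", m, "SHA1:", s)
	fmt.Println("strings:", Strings(sample, 4))
	fmt.Println("disguised:", DisguisedName("body.html                               .com"))
}
```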

For the sake of completeness, here’s what VirusTotal.com had to say about this malware:


Antivirus          Version         Update      Result
AhnLab-V3          2007.5.16.1     05.16.2007  Win32/MyDoom.worm.40960.B
AntiVir            7.4.0.23        05.16.2007  Worm/Mydoom.BB.1
Authentium         4.93.8          05.16.2007  W32/Mydoom.BF@mm
Avast              4.7.997.0       05.16.2007  Win32:Mydoom-L2
AVG                7.5.0.467       05.16.2007  I-Worm/Mydoom
BitDefender        7.2             05.17.2007  Win32.Mydoom.AQ@mm
CAT-QuickHeal      9.00            05.16.2007  I-Worm.Mydoom.m
ClamAV             devel-20070416  05.16.2007  Worm.Mydoom.M-unp
DrWeb              4.33            05.16.2007  Win32.HLLM.MyDoom.54464
eSafe              7.0.15.0        05.16.2007  Win32.Mydoom.bf
eTrust-Vet         30.7.3638       05.17.2007  Win32/Mydoom.BA
Ewido              4.0             05.16.2007  Worm.Mydoom.m
FileAdvisor        1               05.17.2007  no virus found
Fortinet           2.85.0.0        05.17.2007  W32/MyDoom.BE@mm
F-Prot             4.3.2.48        05.16.2007  W32/Mydoom.BC@mm
F-Secure           6.70.13030.0    05.17.2007  Email-Worm.Win32.Mydoom.am
Ikarus             T3.1.1.7        05.16.2007  Email-Worm.Win32.Mydoom.m
Kaspersky          4.0.2.24        05.17.2007  Email-Worm.Win32.Mydoom.am
McAfee             5032            05.16.2007  W32/Mydoom.bf@MM
Microsoft          1.2503          05.17.2007  Worm:Win32/Mydoom.BF@mm
NOD32v2            2272            05.17.2007  Win32/Mydoom.AX
Norman             5.80.02         05.16.2007  W32/MyDoom.AU@mm
Panda              9.0.0.4         05.16.2007  W32/Mydoom.AT.worm
Prevx1             V2              05.17.2007  no virus found
Sophos             4.17.0          05.16.2007  W32/MyDoom-BE
Sunbelt            2.2.907.0       05.17.2007  VIPRE.Suspicious
Symantec           10              05.17.2007  W32.Mydoom.BB@mm
TheHacker          6.1.6.115       05.15.2007  W32/Mydoom.am
VBA32              3.12.0          05.16.2007  MalwareScope.Email-Worm.Mydoom.1
VirusBuster        4.3.7:9         05.16.2007  I-Worm.MyDoom.BC
Webwasher-Gateway  6.0.1           05.17.2007  Worm.Mydoom.BB.1

Additional Information
File size: 41312 bytes
MD5: 34e99b96a132caac09c5f3c4f4db7636
SHA1: 9c25a1841dc4ac0eb0503f1a8707e9cbab9f6eb2
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

I’m going to assume that FileAdvisor and Prevx1 just had a bad day or some kind of glitch, because I’m not sure why else they wouldn’t be able to recognize MyDoom. As long as you’re using pretty much anything else, it looks like you’re safe!

…or you could just use VMWare and restore to a clean state after your questionable activities ;) .

© 2012 McGrew Security