Regarding “Homer Simpson and the Kimya Botnet“, a new away message for Chunkylover53 (Homer Simpson’s AOL account, revealed in one of the episodes, and since hijacked) drops some names:

KRYOGENIKS EBK and DEFIANT RoXed HOMER sHouTz To VIRUS Warlock elul21 coll1er and Slacker.

I wouldn’t advise keeping him on your buddy list at this point, as the account is pushing out malware occasionally.

Trend Micro & Software Patents

So it seems that Trend Micro is trying to push themselves around on other antivirus products with a patent that they have on performing antivirus detection on SMTP and FTP gateways. Some commercial vendors have already settled with them over this, however Trend Micro are now suing Barracuda for their use and distrribution of ClamAV. ClamAV is an open source product, which Trend Micro feels infringes upon their patent. A few links on the subject, then I’ll move on to my personal Trend Micro story:

• A good summary of the situation on linux.com
• Scriptum libre’s call for a boycott
• Patent 5623600 - Virus detection and removal apparatus for computer networks

In my opinion, whatever the open source community decides to do with Trend Micro at this point is fine by me. I started my personal boycott of Trend Micro just under a year and a half ago. Why, you might be asking? Story time…

The Tale of the Trend Micro Lunchless Lunch-and-Learn (or why I will never purchase or recommend a Trend Micro product)

A colleague and I attended SANS Network Security in October of 2006, for the purpose of attending Ed Skoudis’ excellent “Hacker Techniques and Incident Handling Class”, leading up to the GCIH exam. At these larger SANS conferences there is a vendor expo with booths, and also “Lunch and Learn” events throughout the week that vendors take care of. These events are win-win. The vendors get a captive audience for a presentation, and the attendees get a free, and very convenient lunch. Especially at events like NS in Vegas, it can be very difficult to leave the event, eat lunch, and get back in time for class, so the “Lunch and Learns” are very nice.

At the vendor expo, Trend Micro had a booth with a computer running an IRC client, and a setup where they were replaying a packet dump of a carding-oriented IRC channel. Having investigated incidents that involve these channels in the past, I made attempts to discuss the nature of carder/info trading channels with the Trend Micro representative, however he was very reluctant to talk to me (even though there was no one else around). He stated that if we wanted to know more, we could attend his presentation later in the week. I should have known at this point that this guy wasn’t worth the time and forgotten about the whole thing.

On Friday of that week, we left class to attend the talk, and let me tell you it was a train wreck. What many attendees will remember about it was that there was no Lunch, an important aspect of a talk billed as a “Lunch and Learn”. This is bad enough, with 150 or so attendees being unable to get lunch before their training began again (once the presentation got started, it was already too late to feasibly leave and eat lunch).

What was worse was the quality of the presentation. The representative was not a very good presenter, and had no sense of time or pacing. To our astonishment, the slides used had IRC logs similar to those that were scrolling by on the screen at the vendor expo, and these logs contained personal information being traded about the victims of credit card fraud, uncensored. It seems like the least they could have done was attempt to prevent the further spread of data like this.

When the presentation was over (and it ran over-time by a significant amount), a SANS representative informed the audience that Trend Micro was going to “make up” for the lack of lunch, which the presenter seemed very upset about. Later, we were all given gift-cards good for the restaurants in the hotel, with enough money on them to cover a buffet dinner that night, which at least helped after having not eaten that day.

There was, however, never an apology about this from Trend Micro. When I emailed Trend Micro to inform them of how unprofessional their chosen representative was, and how poorly they were represented, I never received a response. It seems to me that they are fine with what has happened regarding this, and not eager to present themselves well to others in the computer security community.

And for that, I completely support this boycott, as I have since long before it started.

Finally, someone gets the point of this thing and starts some discussion about what this malware is doing scarily right, instead of dwelling on the fact that this week it is sending itself out as greeting cards or whatever. Does it surprise me that “someone” is Bruce Schneier? Not really :) , although it is a little more technical than his usual posts, which is a good thing:

http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

He discusses the decentralized command-and-control, plus a bit on the rate at which it spreads. This is the correct focus.

I like SunbeltBLOG a lot (and I recommend that you add them to your reader), however, like most of the content in my RSS reader that I really like, I occasionally find myself disagreeing with them. Today’s post, For shame: Thawte trusts Gromozon is one of those times. While I can certainly understand people not liking anything that helps out malware, I think this is a case of people’s expectations about what security mechanisms are supposed to provide not matching up with the reality. Another good recent example of this is the embassy password incident, revealing the fact that many people were under the impression that Tor provides privacy (which it doesn’t), when it’s designed to provide anonymity (which is does, if you use it right).

Picking this apart, let’s see what people think code signing is supposed to provide. This is easy: a lot of people are guilty of assuming that something being signed means that it’s safe to install. This comes from impressions that people have formed about what a signature means, and what role the certificate authority takes in the matter. Let’s take a look, starting with the title of the SunbeltBLOG post:

“For shame: Thawte trusts Gromozon”

Certainly sounds shameful, after reading what Gromozon does. But does Thawte really trust Gromozon? Is that really what the certificate means? If you follow the link from SunbeltBLOG to SpywareGuide then you’d be inclined to think so. They spell out what they think the certificate means:

“

• The publisher: The software really comes from the publisher who signed it . Publishers most go through a process to verify their identity and that they are who they say they are.
• The content: The software has not been altered or corrupted, and is therefore safe to install and run.

”

Hit the brakes there! You’ve gone a little too far. This was right, up until the last bit about “…and is therefore safe to install and run”. The certificate authority does verify the identity of publishers, and the process of signing code, and verifying that signature on the client does mean that it hasn’t been altered or corrupted between the publisher and client. It does not speak for the content, actions, and motives of the software or the publisher! People think that digital signing of code “solves” the problem of malware, however it only means that the malicious code has been there since the publisher signed the code. It may deter people from putting their signature on malicious code, since it can be tracked back to them easily, however this demonstrates that this doesn’t bother or stop some authors.

Go to the horse’s mouth. See what Thawte has to say about their code signing certificates. Having code signed by the publisher “effectively verifies the source of your software before it is downloaded”, and “Ensures that your active content or code cannot be maliciously modified” (”your” referring to the publisher). For the end-user of signed software, it gives them “recourse to the person who published it”. This is all consistent with signing something like Gromozon. The only time it really comes close to speaking of the content of the signed code is when it says that the process “Promotes the Internet as a secure and viable platform for content distribution”. This might be mistaken to mean the end-user’s security from malicious code, but it’s really in reference to the threat of modification by third parties.

So, code signing is a good idea, but people need to understand the problem that it is meant to solve, and the problems that it does not.

Lately I’ve been reading Eldad Eilam’s “Reversing: Secrets of Reverse Engineering”, working through all of the exercises and such. I need to build up my skills at really low level workings of Windows, static analysis of disassembled code, and debugging a live process more effectively. This is the perfect book for that, so I’ve been really enjoying it.

When I received some malware, attached to a “Message could not be delivered” email, I figured I’d play with it bit, as I often enjoy doing. Now, this is the sort of thing VMWare Server is excellent for. If you ‘re running Ubuntu, check here for a nice writeup on getting it going on 6.10. For Feisty, check my comments :) . I can create a checkpoint before I load the malware onto the system, and then rewind it back to that clean state whenever needed.

I already had an Windows XP VM that I was using OllyDbg in, working through Eilam’s examples, so I figured it’d be fun to load up some malware and see what I could do. Unfortunately, I’m not far enough into the book yet to beat this malware’s executable packing and anti-debugging features ;) . Not to be discouraged, I dropped back to my one of my usual techniques for analyzing malware: seeing how it interacts with the network.

For this, I could run Wireshark in the host OS (Linux) without fear of the malware affecting it. Here’s some notes:

As you can see, this executable tries hard to make itself look like an HTML file (that’s a “.com” at the end of all those spaces). A proper icon would have helped though.

I was very happy that, when I ran the malware, the Windows Firewall popped up to ask me if I wanted to let it access the network. The malware was smart enough to call itself “services”, which is innocuous enough for a lot of people. For the purposes of testing, I went ahead and allowed it.

After a while of sniffing traffic, I stopped the Wireshark capture, and began restoring the VM back to a clean slate. The traffic mostly consisted of email (sending out copies of itself, boring and unsuccessful), and web traffic (much more interesting). So, if you want to take a look at the sort of web requests are being made in a packet dump, here’s a nice display filter…

This filter resulted in a large number of searches on lots of search engines, presumably looking for more email addresses to spread to on sites that it found in my browser history:

I’m impressed by the wide variety of search engines and terms that I’ve seen it use. I do, however, question the practicality of mining debian.org for people vulnerable to Windows malware ;-)

So, for this exercise, I intentionally didn’t search out any information about the virus beforehand, but this is always a good idea. Google the md5 hash of the malware you get your hands on, run strings over it and search for any unique strings, and anything else you can think of. Anytime you can find someone who’s already done analysis for you, you have saved some time. Just be sure to verify their results, because they may not know what they’re doing, or maybe you have a new variant.

For the sake of completeness, here’s what VirusTotal.com had to say about this malware:

Antivirus	Version	Update	Result
AhnLab-V3	2007.5.16.1	05.16.2007	Win32/MyDoom.worm.40960.B
AntiVir	7.4.0.23	05.16.2007	Worm/Mydoom.BB.1
Authentium	4.93.8	05.16.2007	W32/Mydoom.BF@mm
Avast	4.7.997.0	05.16.2007	Win32:Mydoom-L2
AVG	7.5.0.467	05.16.2007	I-Worm/Mydoom
BitDefender	7.2	05.17.2007	Win32.Mydoom.AQ@mm
CAT-QuickHeal	9.00	05.16.2007	I-Worm.Mydoom.m
ClamAV	devel-20070416	05.16.2007	Worm.Mydoom.M-unp
DrWeb	4.33	05.16.2007	Win32.HLLM.MyDoom.54464
eSafe	7.0.15.0	05.16.2007	Win32.Mydoom.bf
eTrust-Vet	30.7.3638	05.17.2007	Win32/Mydoom.BA
Ewido	4.0	05.16.2007	Worm.Mydoom.m
FileAdvisor	1	05.17.2007	no virus found
Fortinet	2.85.0.0	05.17.2007	W32/MyDoom.BE@mm
F-Prot	4.3.2.48	05.16.2007	W32/Mydoom.BC@mm
F-Secure	6.70.13030.0	05.17.2007	Email-Worm.Win32.Mydoom.am
Ikarus	T3.1.1.7	05.16.2007	Email-Worm.Win32.Mydoom.m
Kaspersky	4.0.2.24	05.17.2007	Email-Worm.Win32.Mydoom.am
McAfee	5032	05.16.2007	W32/Mydoom.bf@MM
Microsoft	1.2503	05.17.2007	Worm:Win32/Mydoom.BF@mm
NOD32v2	2272	05.17.2007	Win32/Mydoom.AX
Norman	5.80.02	05.16.2007	W32/MyDoom.AU@mm
Panda	9.0.0.4	05.16.2007	W32/Mydoom.AT.worm
Prevx1	V2	05.17.2007	no virus found
Sophos	4.17.0	05.16.2007	W32/MyDoom-BE
Sunbelt	2.2.907.0	05.17.2007	VIPRE.Suspicious
Symantec	10	05.17.2007	W32.Mydoom.BB@mm
TheHacker	6.1.6.115	05.15.2007	W32/Mydoom.am
VBA32	3.12.0	05.16.2007	MalwareScope.Email-Worm.Mydoom.1
VirusBuster	4.3.7:9	05.16.2007	I-Worm.MyDoom.BC
Webwasher-Gateway	6.0.1	05.17.2007	Worm.Mydoom.BB.1