I think most of the readers of this blog are smart enough not to fall for this themselves (and might even seek it out for the malware samples!), and that a good percentage are in offensive security roles, but this could be a big problem for the readers in defensive roles. So, heads up!

As I promised to the class and to several people on Twitter, I’ve made the slides available here:

• Conficker.C! Discussing technical details while the Internet melts around us (PDF)

…although I fear it won’t be as useful without having been there.  It’s more visual aid and points for discussion than a standalone set of slides you can just read.  Either way, enjoy!

One thing I’d like to talk about in addition to this: the speculation about what Conficker.C will actually do.  The pendulum has been swinging between two extremes of media speculation (“will destroy the internet”-like garbage) and equally ridiculous complete dismissal (“nothing has happened and nothing will”).  Many security professionals, including those that are blogging and posting to twitter, are swinging a little bit too far to the latter I think.  It seems just as dangerous to completely dismiss it as it is to give it too much hype.

Here’s a few things one needs to keep in mind when speculating about Conficker.C and its effects:

• April 1st isn’t the only important day.  It attempts to find a payload every midnight (local time).  April 1st is just the first day that it does this–it’s not necessarily the day the operator/originator will register domain(s) and deploy a payload.  He/she/they can do this, at their leisure, from now until enough of the infected machines are fixed or go offline to make it not worth it (some time).
• There’s no reason for the operator to walk away from it.  There’s tons of computers infected, and a really solidly-written means of getting potential payloads spread around.  A lot has been invested in this, and there’s some significant power and revenue to be claimed by whoever can sign a payload for it.
• Chances are, it’s not going to be loud.  There’s no money in melting the Internet or indiscriminately destroying Windows installations.  This isn’t the Slammer worm choking large parts of the internet with UDP packets spreading itself.  Nowadays folks want to make money with malware, and that means routing spam, harvesting information, and things like that.  The longer an infected computer acts normally, the longer the malware can stay there, run, and generate revenue

So there you have it.  It’s not likely to destroy the Internet, but I would also be very surprised if we don’t see a payload distributed (widely) through it at some point.

I was just looking for hours of operation for the Picabu buffet/cafeteria here at Disney’s Dolphin resort while I’m here for the SANS SCADA Summit.  I just can’t do anything anymore without stumbling across something security related, I guess.

If you haven’t spotted what’s “wrong” in the above image, don’t feel bad.  It’s an oldie but goodie:

• F-Secure Virus Descriptions : Ethan

This is a Word 97 (yeah, the nineties) macro virus that will randomly change the names of documents you create to “Ethan Frome”.  The computer used to create the document is infected with it.  Don’t panic though, because:

• The document above has been exported to PDF, so it‘s safe isn’t spreading the Ethan Frome macro virus.
• There only seems to be one malicious variant of this macro virus, and it modifies your autoexec.bat (lol) to format your C: drive…

Not much more than a curiosity .  I have a friend who had the misfortune of having his resume retitled “Ethan Frome” from this same macro virus several years ago.  He didn’t realize it till I pointed it out.  Funny stuff.

I met some great people at the Summit today (or rather, yesterday.  It’s late.), and I’m looking forward to attending some more talks in the morning.

KRYOGENIKS EBK and DEFIANT RoXed HOMER sHouTz To VIRUS Warlock elul21 coll1er and Slacker.

I wouldn’t advise keeping him on your buddy list at this point, as the account is pushing out malware occasionally.

So it seems that Trend Micro is trying to push themselves around on other antivirus products with a patent that they have on performing antivirus detection on SMTP and FTP gateways. Some commercial vendors have already settled with them over this, however Trend Micro are now suing Barracuda for their use and distrribution of ClamAV. ClamAV is an open source product, which Trend Micro feels infringes upon their patent. A few links on the subject, then I’ll move on to my personal Trend Micro story:

• A good summary of the situation on linux.com
• Scriptum libre’s call for a boycott
• Patent 5623600 – Virus detection and removal apparatus for computer networks

In my opinion, whatever the open source community decides to do with Trend Micro at this point is fine by me. I started my personal boycott of Trend Micro just under a year and a half ago. Why, you might be asking? Story time…

The Tale of the Trend Micro Lunchless Lunch-and-Learn (or why I will never purchase or recommend a Trend Micro product)

A colleague and I attended SANS Network Security in October of 2006, for the purpose of attending Ed Skoudis’ excellent “Hacker Techniques and Incident Handling Class”, leading up to the GCIH exam. At these larger SANS conferences there is a vendor expo with booths, and also “Lunch and Learn” events throughout the week that vendors take care of. These events are win-win. The vendors get a captive audience for a presentation, and the attendees get a free, and very convenient lunch. Especially at events like NS in Vegas, it can be very difficult to leave the event, eat lunch, and get back in time for class, so the “Lunch and Learns” are very nice.

At the vendor expo, Trend Micro had a booth with a computer running an IRC client, and a setup where they were replaying a packet dump of a carding-oriented IRC channel. Having investigated incidents that involve these channels in the past, I made attempts to discuss the nature of carder/info trading channels with the Trend Micro representative, however he was very reluctant to talk to me (even though there was no one else around). He stated that if we wanted to know more, we could attend his presentation later in the week. I should have known at this point that this guy wasn’t worth the time and forgotten about the whole thing.

On Friday of that week, we left class to attend the talk, and let me tell you it was a train wreck. What many attendees will remember about it was that there was no Lunch, an important aspect of a talk billed as a “Lunch and Learn”. This is bad enough, with 150 or so attendees being unable to get lunch before their training began again (once the presentation got started, it was already too late to feasibly leave and eat lunch).

What was worse was the quality of the presentation. The representative was not a very good presenter, and had no sense of time or pacing. To our astonishment, the slides used had IRC logs similar to those that were scrolling by on the screen at the vendor expo, and these logs contained personal information being traded about the victims of credit card fraud, uncensored. It seems like the least they could have done was attempt to prevent the further spread of data like this.

When the presentation was over (and it ran over-time by a significant amount), a SANS representative informed the audience that Trend Micro was going to “make up” for the lack of lunch, which the presenter seemed very upset about. Later, we were all given gift-cards good for the restaurants in the hotel, with enough money on them to cover a buffet dinner that night, which at least helped after having not eaten that day.

There was, however, never an apology about this from Trend Micro. When I emailed Trend Micro to inform them of how unprofessional their chosen representative was, and how poorly they were represented, I never received a response. It seems to me that they are fine with what has happened regarding this, and not eager to present themselves well to others in the computer security community.

And for that, I completely support this boycott, as I have since long before it started.

http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

He discusses the decentralized command-and-control, plus a bit on the rate at which it spreads. This is the correct focus.

Picking this apart, let’s see what people think code signing is supposed to provide. This is easy: a lot of people are guilty of assuming that something being signed means that it’s safe to install. This comes from impressions that people have formed about what a signature means, and what role the certificate authority takes in the matter. Let’s take a look, starting with the title of the SunbeltBLOG post:

“For shame: Thawte trusts Gromozon”

Certainly sounds shameful, after reading what Gromozon does. But does Thawte really trust Gromozon? Is that really what the certificate means? If you follow the link from SunbeltBLOG to SpywareGuide then you’d be inclined to think so. They spell out what they think the certificate means:

“

• The publisher: The software really comes from the publisher who signed it . Publishers most go through a process to verify their identity and that they are who they say they are.
• The content: The software has not been altered or corrupted, and is therefore safe to install and run.

”

Hit the brakes there! You’ve gone a little too far. This was right, up until the last bit about “…and is therefore safe to install and run”. The certificate authority does verify the identity of publishers, and the process of signing code, and verifying that signature on the client does mean that it hasn’t been altered or corrupted between the publisher and client. It does not speak for the content, actions, and motives of the software or the publisher! People think that digital signing of code “solves” the problem of malware, however it only means that the malicious code has been there since the publisher signed the code. It may deter people from putting their signature on malicious code, since it can be tracked back to them easily, however this demonstrates that this doesn’t bother or stop some authors.

Go to the horse’s mouth. See what Thawte has to say about their code signing certificates. Having code signed by the publisher “effectively verifies the source of your software before it is downloaded”, and “Ensures that your active content or code cannot be maliciously modified” (“your” referring to the publisher). For the end-user of signed software, it gives them “recourse to the person who published it”. This is all consistent with signing something like Gromozon. The only time it really comes close to speaking of the content of the signed code is when it says that the process “Promotes the Internet as a secure and viable platform for content distribution”. This might be mistaken to mean the end-user’s security from malicious code, but it’s really in reference to the threat of modification by third parties.

So, code signing is a good idea, but people need to understand the problem that it is meant to solve, and the problems that it does not.

When I received some malware, attached to a “Message could not be delivered” email, I figured I’d play with it bit, as I often enjoy doing. Now, this is the sort of thing VMWare Server is excellent for. If you ‘re running Ubuntu, check here for a nice writeup on getting it going on 6.10. For Feisty, check my comments . I can create a checkpoint before I load the malware onto the system, and then rewind it back to that clean state whenever needed.

I already had an Windows XP VM that I was using OllyDbg in, working through Eilam’s examples, so I figured it’d be fun to load up some malware and see what I could do. Unfortunately, I’m not far enough into the book yet to beat this malware’s executable packing and anti-debugging features . Not to be discouraged, I dropped back to my one of my usual techniques for analyzing malware: seeing how it interacts with the network.

For this, I could run Wireshark in the host OS (Linux) without fear of the malware affecting it. Here’s some notes:

As you can see, this executable tries hard to make itself look like an HTML file (that’s a “.com” at the end of all those spaces). A proper icon would have helped though.

I was very happy that, when I ran the malware, the Windows Firewall popped up to ask me if I wanted to let it access the network. The malware was smart enough to call itself “services”, which is innocuous enough for a lot of people. For the purposes of testing, I went ahead and allowed it.

After a while of sniffing traffic, I stopped the Wireshark capture, and began restoring the VM back to a clean slate. The traffic mostly consisted of email (sending out copies of itself, boring and unsuccessful), and web traffic (much more interesting). So, if you want to take a look at the sort of web requests are being made in a packet dump, here’s a nice display filter…

This filter resulted in a large number of searches on lots of search engines, presumably looking for more email addresses to spread to on sites that it found in my browser history:

I’m impressed by the wide variety of search engines and terms that I’ve seen it use. I do, however, question the practicality of mining debian.org for people vulnerable to Windows malware

So, for this exercise, I intentionally didn’t search out any information about the virus beforehand, but this is always a good idea. Google the md5 hash of the malware you get your hands on, run strings over it and search for any unique strings, and anything else you can think of. Anytime you can find someone who’s already done analysis for you, you have saved some time. Just be sure to verify their results, because they may not know what they’re doing, or maybe you have a new variant.

For the sake of completeness, here’s what VirusTotal.com had to say about this malware:

Antivirus	Version	Update	Result
AhnLab-V3	2007.5.16.1	05.16.2007	Win32/MyDoom.worm.40960.B
AntiVir	7.4.0.23	05.16.2007	Worm/Mydoom.BB.1
Authentium	4.93.8	05.16.2007	W32/Mydoom.BF@mm
Avast	4.7.997.0	05.16.2007	Win32:Mydoom-L2
AVG	7.5.0.467	05.16.2007	I-Worm/Mydoom
BitDefender	7.2	05.17.2007	Win32.Mydoom.AQ@mm
CAT-QuickHeal	9.00	05.16.2007	I-Worm.Mydoom.m
ClamAV	devel-20070416	05.16.2007	Worm.Mydoom.M-unp
DrWeb	4.33	05.16.2007	Win32.HLLM.MyDoom.54464
eSafe	7.0.15.0	05.16.2007	Win32.Mydoom.bf
eTrust-Vet	30.7.3638	05.17.2007	Win32/Mydoom.BA
Ewido	4.0	05.16.2007	Worm.Mydoom.m
FileAdvisor	1	05.17.2007	no virus found
Fortinet	2.85.0.0	05.17.2007	W32/MyDoom.BE@mm
F-Prot	4.3.2.48	05.16.2007	W32/Mydoom.BC@mm
F-Secure	6.70.13030.0	05.17.2007	Email-Worm.Win32.Mydoom.am
Ikarus	T3.1.1.7	05.16.2007	Email-Worm.Win32.Mydoom.m
Kaspersky	4.0.2.24	05.17.2007	Email-Worm.Win32.Mydoom.am
McAfee	5032	05.16.2007	W32/Mydoom.bf@MM
Microsoft	1.2503	05.17.2007	Worm:Win32/Mydoom.BF@mm
NOD32v2	2272	05.17.2007	Win32/Mydoom.AX
Norman	5.80.02	05.16.2007	W32/MyDoom.AU@mm
Panda	9.0.0.4	05.16.2007	W32/Mydoom.AT.worm
Prevx1	V2	05.17.2007	no virus found
Sophos	4.17.0	05.16.2007	W32/MyDoom-BE
Sunbelt	2.2.907.0	05.17.2007	VIPRE.Suspicious
Symantec	10	05.17.2007	W32.Mydoom.BB@mm
TheHacker	6.1.6.115	05.15.2007	W32/Mydoom.am
VBA32	3.12.0	05.16.2007	MalwareScope.Email-Worm.Mydoom.1
VirusBuster	4.3.7:9	05.16.2007	I-Worm.MyDoom.BC
Webwasher-Gateway	6.0.1	05.17.2007	Worm.Mydoom.BB.1

Aditional Information
File size: 41312 bytes
MD5: 34e99b96a132caac09c5f3c4f4db7636
SHA1: 9c25a1841dc4ac0eb0503f1a8707e9cbab9f6eb2
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

I’m going to assume that FileAdvisor and Prevx1 just had a bad day or some kind of glitch, because I’m not sure why else they wouldn’t be able to recognize MyDoom. As long as you’re using pretty much anything else, it looks like you’re safe!

…or you could just use VMWare and restore to a clean state after your questionable activities .