TechnoBlogic

A year or two ago, the malware author’s preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov.

Well, sending EXE attachments in e-mail doesn’t work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic.

So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there’s just no attachments in the e-mail anymore as it has been replaced by a web link.

Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page.

Many have missed this shift of attacks from e-mail to the web. There’s a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn’t.

Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now.

However, virus writers are moving again. We’re now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links.

Case in point, a fake Hallmark greeting card spam we saw today:

As you can see, the link takes you to an owned computer which has an FTP site setup on it.

And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant.

Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.

On 07/03/08 At 10:03 AM

Alex Dragulescu’s Malwarez “is a series of visualization of worms, viruses, trojans and spyware code.”

Readers Feher and Dalibor recently sent us the link to MessageLabs’ gallery. They’re the ones that commissioned the series from Dragulescu.

Check ‘em out.

On 11/03/08 At 04:09 PM

Microsoft just released the March 2008 updates. This time there are four critical updates that all fix vulnerabilities in different Office components and at least one of them have been used in targeted attacks lately. We advise everyone to install these updates as soon as possible.

On 11/03/08 At 11:12 PM

We saw this email being spammed a week ago:

Hey, great opportunity for growth? High salary?

Sounds good. Maybe I should apply.

So I did. Here’s what I wrote back (do note that I used my normal F-Secure work address for this):

Well, I got a reply two hours later. Here’s the answer in full (emphasis added):

Date: Mon, 3 Mar 2008 03:55:44 -0800From: “Dexter Union Inc.” Organization: Dexter Union Inc.To: “Mikko H. Hypponen”Subject: Dexter Union Inc. Employment Details

Greetings.Thank you for being interested in our work proposal. Please note we looking forcandidates from United States Only!

Let me introduce myself. I`m Adam Nelson, director Dexter Union Inc.

Dexter Union Investment Company is an asset management firm focused on the singular strategy of attempting to maximize realized gains through the implementation of the Dexter Union Strategy®. Based in Canada  Dexter UnionInvestment Company is an independently owned, licensed general securities broker/dealer and registered investment advisor.

Here is more detailed description of what you will need to do.As there’s a transaction going your way we will notify you of that byemail or, sometimes, by phone. You need to be able to check your email boxfrequently once we accept your application.  Notification will be usuallysent to you one day before you’re scheduled to receive funds in youraccount. As the money arrives you will have to withdraw it from the bank(or via ATM machine if your daily withdrawal limit allows it) and thenforward it to our customers by means of express money transfer services(MoneyGram) according to instructions provided.

Commissions charged by those services are to be paid from the total amountreceived by you, you don’t need to spend your own money on that.Your starting commission will be 8 from the total amounts received byyou. Your earnings will be paid after completed transaction. You will be paid every day!

Work day example:

You will wake up in the morning and turn on your computer, receive email about completed transfer to your bank account, then you willhear your mobile phone sound and hang up, we will inform you aboutthis transfer and you will tell me that you did receive my email.Than you will visit bank branch and ask bank manager to withdraw this payment! ( for example : 5000 USD) you will receive this money and go to the nearest Money Gram department, your salary in this example is 8 USD, 4600 USD you will transfer via Money Gram to our head office. Since this moment the task of our company completed, we will send orders to both parts , sender and receiver.

After 2 weeks period we review your performance and if it meets ourrequirements you will be paid monthly salary of $4400 plus your commissionwill increase to 10.

Please note that to qualify for this position you need to be able toperform your tasks promptly and without any delays. Although this job onlyrequires 4-5 hours a week  it’s important that you do everything on timeand email reports/updates swiftly.

Please fill in the application form and sign the contract attached!

Once we receive it and verify the information provided a personal manager willbe assigned to you and you will start working.

Best regards,Adam Nelson,Dexter Union Inc.http://www.dexterunion.com (now site on reconstruction, will work in next few days)

Then again, maybe I’ll stick with my current job. Money laundering is just not my thing.

Signing off,
Mikko

On 12/03/08 At 10:00 AM

Big news today.

Usenix, the advanced computing systems association, has today announced open public access to all of its conference proceedings.

This is relevant to us working with computer security, as Usenix Security Symposiums have been among the best technical conferences on the topic anywhere in the world. Unfortunately, most of the published material has only been accessible to Usenix members.

Well, that changed today.

All Usenix conference proceedings can be found at:
http://www.usenix.org/publications/library/proceedings/

And specifically, Usenix Security Symposium proceedings are here:

Usenix Security Symposium 2007 proceedings
Usenix Security Symposium 2006 proceedings
Usenix Security Symposium 2005 proceedings
Usenix Security Symposium 2004 proceedings
Usenix Security Symposium 2003 proceedings
Usenix Security Symposium 2002 proceedings
Usenix Security Symposium 2001 proceedings
Usenix Security Symposium 2000 proceedings
Usenix Security Symposium 1999 proceedings
Usenix Security Symposium 1998 proceedings
Usenix Security Symposium 1996 proceedings

On 13/03/08 At 02:05 PM

Once again, SecurityFix has a great scoop.

Thursday’s post from Brian Krebs is about Dmitri Golubov. Golubov was convicted in 2005 for selling credit card details (”dumps”) stolen via trojans. He was accused of causing multi-million dollar damages.

Turns out Mr. Golubov is now out of jail — and is running a political party in Ukraine, possibly seeking a position the Ukrainian government (which would grant him automatic immunity from prosecution for criminal activities). His party IPU has — wait for it — promised to fight against public corruption.

While Mr. Golubov was active in the computer crime underground and part of the “Carderplanet” gang, he went by the handle “Script“.

That handle brought back memories, and we went digging through our archives. We found several interesting snippets saved during our research in 2003 and 2004. These include quite impressive flash animations the Carderplanet gang was using to promote their criminal services, as well as screenshots from forums showing “Script” selling stolen credit cards.

We’ve made these available on a separate page over here.

On 14/03/08 At 10:21 AM

We have just released security advisory FSC-2008-2.

The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors… including us.

We’ve fixed a long list of our products to resolve these issues. Home users will get these fixes via the normal update system and they don’t have to do anything. However, we do recommend that all system administrators using our products read the advisory to make sure all necessary upgrades or hotfixes have been applied within their organizations.

Our guidance here is the same as for patches from any other vendor: Patch now before someone figures out how to exploit the vulnerability. At the moment we are not aware of any public exploit methods for these vulnerabilities.

For more information, please consult F-Secure Security Advisory FSC-2008-2 and CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats.

On 17/03/08 At 12:00 PM

Let’s see. There’s 14 hours to go before the next Formula 1 Grand Prix starts in the Sepang circuit in Kuala Lumpur, Malaysia - not too far away from our Malaysian research lab. Will it be Räikkönen, Kovalainen or Rosberg winning this time?

This was the question in the mind of one of our engineers when he today tried accessing the official home page of Malaysian Grand Prix. Instead of the latest news on the heroic efforts of the Finnish F1 drivers, he got a picture of a box of laundry detergent:

It seems that somebody has defaced the official home page, just hours before the race starts.

Interestingly, the web server itself doesn’t seem to be affected. It’s running just fine at it’s original IP address:

What’s going on here is that some clown has managed to modify the DNS information of the domain malaysiangp.com.my.

Malaysiangp.com.my has nameservers under five different providers:

Some of them point to the original, real site:

…and some of them point to the defacement page, being hosted at a free hosting service at oxyhostsfree.com:

This change has happened just hours ago - perhaps by the hacker guessing a password for the DNS management system or by using social engineering to get a provider to change the DNS ip address.

Well, at least this defacement just changed the front page. There were no exploits or malware on the site. That would have been really bad, as this site must get tons of traffic right now.

On 20/03/08 At 08:36 AM

There’s unrest on the streets of Tibet - clashes between Tibetians and the Chinese military.

Quoting Wikipedia, “Tibet was once an independent kingdom, which later became a part of China. The government of the People’s Republic of China and the Government of Tibet in Exile, however, disagree over when Tibet became a part of China, and whether this incorporation into China is legitimate according to international law.”

However, there’s unrest also on the net. Groups supporting freedom of Tibet have been attacked with highly targeted and technically advanced attacks.

Quoting an Asia Free Press news report: “AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared.”

So…what do these attacks look like in practice? Lets take an example.

Here’s an email that was mailed to a pro-Tibet mailing list three days ago.

It looked like it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the email headers were forged and the mail was coming from somewhere else altogether.

Seemingly, the mail issued a statement of solidarity for the people of Tibet:

When you open the attached PDF file, you actually get a real PDF document with a relevant statement:

However, this is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability
to exploit Adobe Acrobat when the document is opened.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a
keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.

Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.

And this is not an isolated incident. Far from it.

Groups working for freedom of Tibet all over the world have been targeted. These emails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month.

The mails are almost always forged to look like they would be coming from trusted persons or organisations, making it more likely they get opened by the recipient.

Just the filenames of some of the recent malicious attachments tell a lot:

   UNPO Statement of Solidarity.pdf
   Daul-Tibet intergroup meeting.doc
   tibet_protests_map_no_icons__mar_20.ppt
   reports_of_violence_in_tibet.ppt
   genocide.xls
   memberlist.xls
   Tibet_Research.exe
   tibet-landscape.ppt
   Updates Route of Tibetan Olympics Torch Relay.doc
   THE GOVERNMENT OF TIBET.ppt
   Talk points.chm
   China’s new move on Tibetans.doc
   Support Team Tibet.doc
   Photos of Tibet.chm
   News ReleaseMassArrest.pdf
   Whole Schedule and Routing for Torch Relay.xls

As you can see there’s a variety of “trusted” filetypes used in these targeted attacks, including DOC, XLS, PPT, PDF, CHM.

The contents of these bait documents have been crafted very well. Below are some examples of what the user sees after he has been duped into opening one of these files. The content is mostly recycled from real announcments and messages of the pro-Tibet groups.

Updated to add: Links to media coverage:

Washington Post
InformationWeek
Computerworld

On 21/03/08 At 04:24 PM

This year Black Hat Europe is held in Moevenpick Hotel Amsterdam. There are a lot of interesting training like Pedram’s and Ero’s presentation “Reverse Engineering on Windows: Application in Malicious Code Analysis”.

More information on Black Hat Europe 2008 are available here.

Oh, and if you think that this year, Amsterdam has some nice weather, you are wrong.

There is more snow here than in Helsinki.

Signing off,
Mikko Hyykoski

On 25/03/08 At 12:13 PM