Apr
1st

Unusual banking trojan found today

Author: Chewy | Files under Uncategorized

We’ve seen tons of banking trojans lately, but now we’ve run into something quite unique.

This new banking trojan was found today on a drive-by-download site. We’ve added detection for it as Win32.Pril.A.

It not only infects the MBR of the machine, but also reflashes the boot code in the Flash BIOS, making disinfection problematic.

Once an infected machine is online, the trojan monitors the user’s actions, waiting for him to go to one of several hundred online banks located all over the world.


Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim.

Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn’t withdraw money from you - it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts.

The drive-by-download site is still up. Normally, we wouldn’t list the URL for such a site, or we would at least obfuscate it in a screenshot. However this time we’ll make an exception. We will even make the link clickable: http://aprilbanking.cjb.net/

On 01/04/08 At 07:22 AM


Apr
1st

Stormy April Fool’s Day

Author: Chewy | Files under Uncategorized

A wave of April Fool’s Day related Storm mails has just been sent out. As on previous occasions, the mail contains a link that points to an IP address.


[Screenshot: Storm April 2008 e-mail]

When visiting the site you end up on a page like this:

[Screenshot: Storm April 2008 landing page]

So far no exploit code on the page but that could change any second so if you receive one of these emails, don’t click on the link.

On 31/03/08 At 07:45 PM


Apr
1st

Shedding (Black)Light on the Master Boot Record

Author: Chewy | Files under Uncategorized

A while ago we blogged about the MBR rootkit, which has been getting attention from all the security vendors. We’re glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.

[Screenshot: BlackLight detecting MBR rootkit]

BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we’ve seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.

You can download standalone BlackLight here.

On 31/03/08 At 01:47 PM


Apr
1st

Shift happens

Author: Chewy | Files under Uncategorized

A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov. Nowadays sending .EXE attachments in e-mail doesn’t work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic.

The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP.

Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware.

There are several methods criminals use to gather traffic to these websites. A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link. Messages like “There is a video of you on YouTube”, or “You have received a greeting card”, or “Thank you for your order” have been popular baits.

Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous like “knitting mittens” (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen.

The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of javascript on the front page which uses an exploit to infect your machine when you go there. Everything works and looks as normal.

[Screenshot: Korea Times]

This has happened to the web sites of some popular magazines, which can have a million users every single day. People trust sites that are part of their daily routine and would not suspect that anything bad could happen when they go there.

Another vector for drive-by downloads are infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn’t.

Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links.
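The two patterns described in this post and in the Storm mail post above, a mail whose link points at a raw IP address and a single injected script line on an otherwise normal front page, are both easy to check for mechanically from the defender's side. The following Python script is an added example written for this page, not F-Secure's code or tooling. The mail body, the HTML page, the TRUSTED_SCRIPT_HOSTS allow-list and the 203.0.113.x addresses are all constructed:

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (hypothetical allow-list;
# a real deployment would derive it from a known-good copy of the page).
TRUSTED_SCRIPT_HOSTS = {"www.example-news.test", "static.example-news.test"}


class _Collector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data, so this sees inline code.
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def find_ip_links(text):
    """URLs in a mail body whose host is a raw IP address, the pattern the Storm runs used."""
    urls = re.findall(r"""https?://[^\s<>"']+""", text)
    return [u for u in urls if host_is_ip_literal(u)]


def find_suspicious_scripts(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Flag script tags a site's own front page would not normally carry."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for src in parser.script_srcs:
        host = urlparse(src).hostname
        if host is None:            # relative path, served by the site itself
            continue
        if host not in trusted_hosts or host_is_ip_literal(src):
            findings.append(("external-script", src))
    for body in parser.inline_scripts:
        # Heuristic only: decoding helpers are common in injected loaders but also in legitimate code.
        if re.search(r"unescape\s*\(|fromCharCode|eval\s*\(", body):
            findings.append(("obfuscated-inline-script", body[:60]))
    return findings


# Constructed samples (not a real Storm mail and not a real compromised page).
SAMPLE_MAIL = """\
Subject: April Fool's Day greeting
Someone sent you a funny April Fools card, see it here:
http://203.0.113.25/aprilfool.html
Our real newsletter lives at https://www.example-news.test/news
"""

SAMPLE_PAGE = """\
<html><head>
<script src="/js/site.js"></script>
<script src="https://static.example-news.test/ads.js"></script>
<script src="http://203.0.113.9/c.js"></script>
<script>document.write(unescape('%3Ciframe%20src%3D...%3E'));</script>
</head><body><h1>Front page looks normal</h1></body></html>
"""

if __name__ == "__main__":
    print("IP-literal links:", find_ip_links(SAMPLE_MAIL))
    for kind, detail in find_suspicious_scripts(SAMPLE_PAGE):
        print(kind, detail)
```

The script-source check is an integrity test a site owner can run against their own front page: anything loaded from a host outside the known-good list, or from a bare IP address, is exactly the "line of javascript" described above. The inline-script heuristic is only a hint and will also fire on some legitimate code, so treat it as a triage signal rather than a verdict.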

This report was an excerpt from our Quarterly Security Wrapup, which has been released today.

Download the full wrapup.

On 31/03/08 At 12:26 PM


Apr
1st

F-Secure goes to Black Hat 2008 in Amsterdam

Author: Chewy | Files under Uncategorized

This year Black Hat Europe is held at the Moevenpick Hotel Amsterdam. There is a lot of interesting training on offer, like Pedram’s and Ero’s presentation “Reverse Engineering on Windows: Application in Malicious Code Analysis”.

[Image: Black Hat Europe 2008]

More information on Black Hat Europe 2008 is available here.

Oh, and if you think that this year, Amsterdam has some nice weather, you are wrong.

There is more snow here than in Helsinki.

Signing off,
Mikko Hyykoski

On 25/03/08 At 12:13 PM


Apr
1st

Targeted malware attacks against pro-Tibet groups

Author: Chewy | Files under Uncategorized

There’s unrest on the streets of Tibet - clashes between Tibetans and the Chinese military.

[Image: Copyright Getty Images / CNN.COM]

Quoting Wikipedia, “Tibet was once an independent kingdom, which later became a part of China. The government of the People’s Republic of China and the Government of Tibet in Exile, however, disagree over when Tibet became a part of China, and whether this incorporation into China is legitimate according to international law.”

However, there’s unrest also on the net. Groups supporting freedom of Tibet have been attacked with highly targeted and technically advanced attacks.

Quoting an Asia Free Press news report: “AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared.”

So…what do these attacks look like in practice? Let’s take an example.

Here’s an email that was mailed to a pro-Tibet mailing list three days ago.

It looked like it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the email headers were forged and the mail was coming from somewhere else altogether.

Seemingly, the mail issued a statement of solidarity for the people of Tibet:

[Screenshot: fake e-mail]

When you open the attached PDF file, you actually get a real PDF document with a relevant statement:

[Screenshot: PDF statement]

However, this is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability to exploit Adobe Acrobat when the document is opened.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.

Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.

And this is not an isolated incident. Far from it.

Groups working for freedom of Tibet all over the world have been targeted. These emails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month.

The mails are almost always forged to look like they would be coming from trusted persons or organisations, making it more likely they get opened by the recipient.

Just the filenames of some of the recent malicious attachments tell a lot:

   UNPO Statement of Solidarity.pdf
   Daul-Tibet intergroup meeting.doc
   tibet_protests_map_no_icons__mar_20.ppt
   reports_of_violence_in_tibet.ppt
   genocide.xls
   memberlist.xls
   Tibet_Research.exe
   tibet-landscape.ppt
   Updates Route of Tibetan Olympics Torch Relay.doc
   THE GOVERNMENT OF TIBET.ppt
   Talk points.chm
   China’s new move on Tibetans.doc
   Support Team Tibet.doc
   Photos of Tibet.chm
   News ReleaseMassArrest.pdf
   Whole Schedule and Routing for Torch Relay.xls

As you can see there’s a variety of “trusted” filetypes used in these targeted attacks, including DOC, XLS, PPT, PDF, CHM.
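Every attachment in that list carries a “trusted” extension, and the PDF in the example only does damage because it carries an action that runs when the document is opened. A first-pass triage of such attachments checks two things an analyst looks at before anything else: whether the file’s bytes actually match its extension, and, for PDFs, whether the file contains names that trigger behaviour on open (/OpenAction, /AA, /JavaScript, /Launch, embedded files). The script below is an added example written for this page, not F-Secure’s detection code; the PDF stubs and the MZ blob are constructed samples, and the filenames are taken from the list above:

```python
import re

# Well-known file signatures for the "trusted" types in the attachment list above.
MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document (DOC/XLS/PPT)
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "ppt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "chm": b"ITSF",
    "exe": b"MZ",
}
EXECUTABLE_TYPES = {"exe", "chm", "scr"}

# PDF name objects that trigger behaviour on open instead of just describing content.
PDF_ACTIVE_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]


def _extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_matches_content(filename, data):
    """True/False when the extension has a known signature, None when we cannot judge."""
    sig = MAGIC.get(_extension(filename))
    if sig is None:
        return None
    return data.startswith(sig)


def _normalise_pdf_names(data):
    """Undo #xx hex escapes in PDF names (/Java#53cript -> /JavaScript), a common evasion."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_active_content(data):
    """Names of active-content keys present in the raw PDF body, in PDF_ACTIVE_KEYS order."""
    body = _normalise_pdf_names(data)
    found = []
    for key in PDF_ACTIVE_KEYS:
        # (?![A-Za-z]) stops /JS from matching inside a longer name such as /JSomething.
        if re.search(re.escape(key) + rb"(?![A-Za-z])", body):
            found.append(key.decode())
    return found


def triage_attachment(filename, data):
    """Reasons the attachment deserves a closer look; an empty list means nothing was flagged."""
    reasons = []
    if extension_matches_content(filename, data) is False:
        reasons.append("extension-mismatch")
    if _extension(filename) in EXECUTABLE_TYPES:
        reasons.append("executable-type")
    if data.startswith(b"%PDF-"):
        keys = pdf_active_content(data)
        if keys:
            reasons.append("pdf-active-content:" + ",".join(keys))
    return reasons


# Constructed samples: hand-written stubs, not the documents from the real attacks.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
ACTIVE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /Java#53cript /JS (app.alert('hello')) >> endobj\n%%EOF\n")
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("UNPO Statement of Solidarity.pdf", BENIGN_PDF),
                       ("UNPO Statement of Solidarity.pdf", ACTIVE_PDF),
                       ("Tibet_Research.exe", FAKE_EXE),
                       ("Photos of Tibet.pdf", FAKE_EXE)]:
        print(f"{name:35} {triage_attachment(name, blob) or 'nothing flagged'}")
```

This looks only at the raw bytes. A real document can hide these names inside Flate-compressed object streams, so a clean result from this check is not a clean bill of health; an attachment that matches no rule still goes through the regular scanner, and one that does match goes to an analyst.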

The contents of these bait documents have been crafted very well. Below are some examples of what the user sees after he has been duped into opening one of these files. The content is mostly recycled from real announcements and messages of the pro-Tibet groups.

[Screenshots of bait documents]

Updated to add: Links to media coverage:

Washington Post
InformationWeek
Computerworld

On 21/03/08 At 04:24 PM


Apr
1st

Formula 1 racing and computer security

Author: Chewy | Files under Uncategorized

Let’s see. There are 14 hours to go before the next Formula 1 Grand Prix starts at the Sepang circuit in Kuala Lumpur, Malaysia - not too far away from our Malaysian research lab. Will it be Räikkönen, Kovalainen or Rosberg winning this time?

This was the question in the mind of one of our engineers when he today tried accessing the official home page of Malaysian Grand Prix. Instead of the latest news on the heroic efforts of the Finnish F1 drivers, he got a picture of a box of laundry detergent:

[Screenshot: defaced malaysiangp.com.my front page]

It seems that somebody has defaced the official home page, just hours before the race starts.

Interestingly, the web server itself doesn’t seem to be affected. It’s running just fine at its original IP address:

[Screenshot: original site served from its IP address]

What’s going on here is that some clown has managed to modify the DNS information of the domain malaysiangp.com.my.

Malaysiangp.com.my has nameservers under five different providers:

[Screenshot: nameservers of malaysiangp.com.my]

Some of them point to the original, real site:

[Screenshot: nameservers answering with the real address]

…and some of them point to the defacement page, being hosted at a free hosting service at oxyhostsfree.com:

[Screenshot: nameservers answering with the defacement host]

This change happened just hours ago, perhaps by the hacker guessing a password for the DNS management system or by using social engineering to get a provider to change the DNS IP address.

Well, at least this defacement just changed the front page. There were no exploits or malware on the site. That would have been really bad, as this site must get tons of traffic right now.
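The defacement was visible precisely because the domain’s nameservers disagreed with each other: some still returned the real address, some the free-hosting one. A site owner can watch for that condition by asking each authoritative server directly rather than relying on a recursive resolver. The Python below is an added example, not F-Secure’s tooling: it builds a raw DNS A query, parses the answer section, and reports the servers whose answer differs from the majority. The nameserver names, the 198.51.100.7 / 203.0.113.44 addresses and SAMPLE_ANSWERS are constructed; query_server does real network I/O and is provided for live use, while the sample runs offline:

```python
import random
import socket
import struct
from collections import Counter


def build_query(name, qtype=1, txid=None):
    """Minimal RFC 1035 query for `name` (type A by default); recursion is not requested."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_records(pkt):
    """IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return addrs


def query_server(server, name, timeout=2.0):
    """Ask one specific nameserver directly over UDP (needs network; the offline sample does not use it)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def build_response(query, addrs, ttl=300):
    """Constructed authoritative A-record response to `query`, used to exercise the parser offline."""
    question_end = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack(">HHHHH", 0x8400, 1, len(addrs), 0, 0)   # QR=1, AA=1
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return header + query[12:question_end] + answers


def find_disagreeing_servers(answers):
    """answers: {nameserver: set of addresses}. Returns (majority answer, servers that differ)."""
    tally = Counter(frozenset(a) for a in answers.values())
    consensus = set(tally.most_common(1)[0][0])
    outliers = {ns: set(a) for ns, a in answers.items() if set(a) != consensus}
    return consensus, outliers


# Constructed sample: three providers still answer with the real host, two with the defacement host.
SAMPLE_ANSWERS = {
    "ns1.provider-a.test": {"198.51.100.7"},
    "ns2.provider-b.test": {"198.51.100.7"},
    "ns3.provider-c.test": {"198.51.100.7"},
    "ns4.provider-d.test": {"203.0.113.44"},
    "ns5.provider-e.test": {"203.0.113.44"},
}

if __name__ == "__main__":
    consensus, outliers = find_disagreeing_servers(SAMPLE_ANSWERS)
    print("majority answer:", consensus)
    for ns, addrs in outliers.items():
        print("DISAGREES:", ns, addrs)
```

For a real check, resolve the NS set of the domain, call query_server(ip, domain) for each server address, and feed the results to find_disagreeing_servers. Majority voting is only a convenience; if you know the address the site should have, compare every server’s answer to that instead, since a 50/50 split would otherwise be resolved arbitrarily.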

On 20/03/08 At 08:36 AM


Apr
1st

F-Secure Security Advisory FSC-2008-2

Author: Chewy | Files under Uncategorized

We have just released security advisory FSC-2008-2.

The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors… including us.

We’ve fixed a long list of our products to resolve these issues. Home users will get these fixes via the normal update system and they don’t have to do anything. However, we do recommend that all system administrators using our products read the advisory to make sure all necessary upgrades or hotfixes have been applied within their organizations.

Our guidance here is the same as for patches from any other vendor: Patch now before someone figures out how to exploit the vulnerability. At the moment we are not aware of any public exploit methods for these vulnerabilities.

For more information, please consult F-Secure Security Advisory FSC-2008-2 and CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats.
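The class of bug behind this advisory is a parser trusting a size or offset field in an archive header and reading or allocating based on it. The Python below is an added illustration written for this page, not F-Secure’s engine code and not the Oulu test files: a ZIP central-directory walker that checks every header-supplied offset and length against the real file size before using it, caps decompression at the declared size, and verifies the CRC. The valid sample archive is built with the standard library and the malformed one is derived from it by overwriting one size field:

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CDFH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
MAX_ENTRIES = 10_000
MAX_RATIO = 100  # reject entries claiming more than 100:1 expansion


class MalformedArchive(ValueError):
    """Raised instead of letting a crafted header drive an out-of-bounds read."""


def _need(data, off, length, what):
    """Bounds-check every header-supplied offset/length before it is used."""
    if off < 0 or length < 0 or off + length > len(data):
        raise MalformedArchive(f"{what}: {length} bytes at offset {off} exceed {len(data)}-byte archive")


def list_entries(data):
    """Walk the central directory, validating each field against the real file size."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise MalformedArchive("no end-of-central-directory record")
    _need(data, eocd, 22, "EOCD record")
    n_entries, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    if n_entries > MAX_ENTRIES:
        raise MalformedArchive(f"{n_entries} entries exceeds limit")
    _need(data, cd_off, cd_size, "central directory")
    entries, off = [], cd_off
    for _ in range(n_entries):
        _need(data, off, 46, "central directory header")
        if data[off:off + 4] != CDFH_SIG:
            raise MalformedArchive("bad central directory signature")
        method, crc, csize, usize, nlen, xlen, clen = struct.unpack_from("<H4xIIIHHH", data, off + 10)
        (lfh_off,) = struct.unpack_from("<I", data, off + 42)
        _need(data, off + 46, nlen + xlen + clen, "central directory entry")
        name = data[off + 46:off + 46 + nlen].decode("utf-8", "replace")
        if csize and usize // csize > MAX_RATIO:
            raise MalformedArchive(f"{name}: {usize // csize}:1 expansion looks like a bomb")
        _need(data, lfh_off, 30, f"{name}: local file header")
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            raise MalformedArchive(f"{name}: bad local header signature")
        lnlen, lxlen = struct.unpack_from("<HH", data, lfh_off + 26)
        data_off = lfh_off + 30 + lnlen + lxlen
        _need(data, data_off, csize, f"{name}: file data")
        entries.append({"name": name, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "data_off": data_off})
        off += 46 + nlen + xlen + clen
    return entries


def extract_entry(data, entry):
    """Inflate one entry, capping output at the declared size and verifying the CRC."""
    raw = data[entry["data_off"]:entry["data_off"] + entry["csize"]]
    if entry["method"] == 0:
        out = raw
    elif entry["method"] == 8:
        inflater = zlib.decompressobj(-15)
        out = inflater.decompress(raw, entry["usize"] + 1)  # one spare byte exposes oversize output
        if len(out) != entry["usize"] or not inflater.eof:
            raise MalformedArchive(f"{entry['name']}: inflated size does not match header")
    else:
        raise MalformedArchive(f"{entry['name']}: unsupported method {entry['method']}")
    if zlib.crc32(out) & 0xFFFFFFFF != entry["crc"]:
        raise MalformedArchive(f"{entry['name']}: CRC mismatch")
    return out


def is_malformed(data):
    """True when the archive fails any of the checks above."""
    try:
        for entry in list_entries(data):
            extract_entry(data, entry)
    except MalformedArchive:
        return True
    return False


def make_sample_archive():
    """Constructed sample: a small valid ZIP built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello world " * 8)
    return buf.getvalue()


def corrupt_sample(data):
    """Constructed malformed variant: the central directory claims a 4 GiB compressed size."""
    eocd = data.rfind(EOCD_SIG)
    (cd_off,) = struct.unpack_from("<I", data, eocd + 16)
    return data[:cd_off + 20] + struct.pack("<I", 0xFFFFFFFF) + data[cd_off + 24:]


if __name__ == "__main__":
    good = make_sample_archive()
    print([e["name"] for e in list_entries(good)], is_malformed(corrupt_sample(good)))
```

Python’s own zipfile module applies similar checks, so the point is the pattern rather than this particular code: bounds-check before each slice, bound resource use by what the header promises, and treat any disagreement between header and content as a malformed file rather than something to recover from.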

On 17/03/08 At 12:00 PM


Apr
1st

Digging the Archives for Case Carderplanet

Author: Chewy | Files under Uncategorized

Once again, SecurityFix has a great scoop.

[Image: Script / Carderplanet]

Thursday’s post from Brian Krebs is about Dmitri Golubov. Golubov was convicted in 2005 for selling credit card details (“dumps”) stolen via trojans. He was accused of causing multi-million dollar damages.

Turns out Mr. Golubov is now out of jail — and is running a political party in Ukraine, possibly seeking a position in the Ukrainian government (which would grant him automatic immunity from prosecution for criminal activities). His party IPU has — wait for it — promised to fight against public corruption.

While Mr. Golubov was active in the computer crime underground and part of the “Carderplanet” gang, he went by the handle “Script“.

That handle brought back memories, and we went digging through our archives. We found several interesting snippets saved during our research in 2003 and 2004. These include quite impressive flash animations the Carderplanet gang was using to promote their criminal services, as well as screenshots from forums showing “Script” selling stolen credit cards.

We’ve made these available on a separate page over here.

On 14/03/08 At 10:21 AM


Apr
1st

All Usenix Conference Proceedings Made Public

Author: Chewy | Files under Uncategorized

Big news today.

[Image: Usenix logo]

Usenix, the advanced computing systems association, has today announced open public access to all of its conference proceedings.

This is relevant to us working with computer security, as Usenix Security Symposiums have been among the best technical conferences on the topic anywhere in the world. Unfortunately, most of the published material has only been accessible to Usenix members.

Well, that changed today.

All Usenix conference proceedings can be found at:
http://www.usenix.org/publications/library/proceedings/

And specifically, Usenix Security Symposium proceedings are here:

Usenix Security Symposium 2007 proceedings
Usenix Security Symposium 2006 proceedings
Usenix Security Symposium 2005 proceedings
Usenix Security Symposium 2004 proceedings
Usenix Security Symposium 2003 proceedings
Usenix Security Symposium 2002 proceedings
Usenix Security Symposium 2001 proceedings
Usenix Security Symposium 2000 proceedings
Usenix Security Symposium 1999 proceedings
Usenix Security Symposium 1998 proceedings
Usenix Security Symposium 1996 proceedings

On 13/03/08 At 02:05 PM