May 2005 VECTORBLOG
May 31, 2005 summer gifts A quick note on two phishing attempts snatched this weekend. The first offers a "free summer gift" of a shopping coupon for Bank of the West customers. The second is a little more standard, but again resuscitates the "blinder" trick from earlier this year.
var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px; font-family: \'Tahoma\', sans-serif; font-size:
May 30, 2005 another good combination Well, if you have checked out the Mytob report released this month, then you know one of the points made about the worm is its use of multiple packing techniques instead of changing the user-visible shell of the code. Recently, the authors of Mytob combined the malware with the appearance of a phishing attempt, which is to say it sometimes claims to be a banking update (with the required "fixes" contained in the attachment). This represents a new direction for the Mytob code; the author is now changing what a user sees as well as what the anti-virus researcher sees.
May 27, 2005 one, two The latest vectorspace report leans to the philosophical. The use of the term "professional" when tied to malware or malware authors is examined, specifically with regard to how researchers are affected by the trend. The feature, "One's Complement: On Professional Malware", is a look at the classification of malcode, and includes a table that attempts to place a few of the more well-known worms, etc. Although technical topics do come up, the paper focuses on some different issues than are normally tackled, but I think it makes for a very interesting read all the same. If you have thoughts in either direction, please let us know at the contact or vectorblog address.
May 26, 2005 real world I am still knocked back a little when I see any mention of virus issues on television. I caught the crawl on CNN reporting what I can only assume is the PGPCoder story. Although I like to see popular media covering malware, I hate to see the FUD. I hope anyone they interview mentions that the fear should be tempered by the fact that viruses have been deleting data for a long time; if the data gets encrypted and ransomed, that's just a fancier way of taking the files away. I am wondering what the fallout may be if someone pays the ransom, though...
May 25, 2004 sum of all profits Why does phishing work? A recent study by First Data Corp. asked 2,000 people about email scams (the story is covered in lots of places; here's one: http://www.msnbc.msn.com/id/7829153/). 43% said they received a scam, and 5% of those recipients gave out personal data. A quick evaluation, if you please. Although there is evidence a phisher could pump out millions of emails per day with ease, let's assume just 1,000,000 people receive a scam over its life. The study concedes up to 2.2% error in either direction; we'll assume it is 2.2% high, so 2.8% of the 43% that received a scam were successfully conned. 2.8% of 43% is 1.204%, which we'll round down to 1%, which equates to 10,000 people. The person in the MSN story lost $6,000; let's assume the average loss, however, is just $100. That's right back to a dollar per email: $1,000,000 US. I'm the first to admit that there are a lot of assumptions that go into that equation, but the result is still astounding: if you're a criminal working under the premise that 2.8% of those that receive a scam will respond and that there is a negligible cost to reaching an audience of millions, you'd send out a continuous stream of phishing attempts. So, how does one unbalance the equation in favor of the good guys? Glad you asked; infectionvectors.com focuses on part of it, and there are great resources that identify the rest of the problems. One paper in particular worth checking out is a detailed account of spam and the economies that prop it up, written by 3 analysts at Ciphertrust: http://infosecon.net/workshop/pdf/49.pdf
May 24, 2005 keeping it real The media attention that “professional” virus writers and their creations receive may make many think that every piece of malware is created with revenue-generation in mind (although the infectionvectors.com site is currently aiming at the “business of malware” for research, we don’t believe in any regard that every malicious coder, or even the majority, is part of a virus-for-profit enterprise). Destructive viruses can be evil for evil’s sake as well. As opposed to the destructive malware noted in the last vectorblog entry, there have been a few released recently that take us back to the good old days of virus writing, when vandalism was the biggest fear of most users. These additions to the malware world overwrite files, make machines unbootable, and cause general mischief. In short, the idea of a cryptovirus is no scarier than one that deletes files; both have the same result (except there is always a chance the file will come back with the cryptovirus). The following sample from the last few days shows that profits are not the only concern of virus authors:
Yami – catalogued last week by Symantec, Yami infects files by splitting itself up and inserting the pieces into open space in PE files (speaking of the good old days, this is the same tactic used by CIH/Chernobyl). Once that is done, the virus also overwrites the first 63 bytes of the hard disk; of course, this has generally undesirable effects on the machine’s start-up capabilities – not something that someone hoping to profit from using the machine as a zombie would want to do.
Whiter – A virus Panda reports to have been found on machines in Japan, Whiter.F (the most recent incarnation of the malware) replaces every file found on a hard disk with a text file containing “You did a piracy, you deserve it.”
Viperik – Trend catalogued this on May 19. The malicious software deletes files in the Windows and Windows\System32 directories (as well as a few others), again, not especially good for long-term viability of a compromised host (or propagation).
May 23, 2005 pretty good criminal activity “Extortion-based attacks” in the realm of viruses have been described at length by Dr. Adam Young and Dr. Moti Yung in their pioneering work on “cryptovirology”. Their book, "Malicious Cryptography", has been mentioned in infectionvectors.com reports previously and stands out as one of my favorite virus-related works. The types of attacks they describe are extremely complex, as well as scary. The “cryptovirus” as a revenue-generator has not been documented extensively in the wild, making this alert somewhat unique and interesting.
PGPCoder is a Trojan that attempts to take the victim machine’s files hostage, forcing a user to pay for a “decoder” to be able to read documents that are encrypted. The file, which often appears as just encoder32.exe, can arrive via email, file share, or any other means; however, it currently has not been linked to any self-propagation mechanism. Check out the report here.
Although the idea of some programming mastermind holding data hostage is scary, the threat of a crypto-worm should not keep you up at night; it's no worse than malware that simply deletes files from a machine, which has been around for a very long time. Chernobyl was a devastating virus to many computer users, but its impact has been dealt with. If the thought of a piece of malware encrypting all the files on one of your boxes is really troubling, maybe it's because you don't feel like the machine is really safe from malware of any kind.
May 19, 2005 spoon, knife, otherwise Yes, another report on phishing; I know the topic has dominated the feature front this spring, but there are few issues that really encapsulate the whole business of malware as well as phishing (and the technical example used in the paper has some points worth describing). This report is a detailed look at a scam that targets North Fork Bank customers - with the requisite analysis of the email-based crime world in general. Really, the report is designed to ask for some reflection on one's own email security program, whether it's a home-based PC or 100,000-seat enterprise. The paper, Fork in the Road, is available here and as a PDF right here.
May 18, 2005 boxed set The jokes about needing to get the roll-up Beagle report for the supplement are accepted. Just like all those greatest hits records that have just one (not so great) extra track. Of course, the price for the report is a little easier to choke down isn't it?
May 17, 2005 last retread After a few requests to roll-up the "Beagle Lessons" reports, they are all available as a single file. In addition to the original parts I-III, there is a new supplement to the series, covering just the last few months of Tooso & Mitglieder fun. The supplement, New Tricks, Old Dog is only available in the roll-up, now a 100-page PDF. The whole enchilada, "Complete Year of the Beagle," is available here.
May 16, 2005 e-commerce This week marks the anniversary of the Bobax releases. The worm itself did not provide any technical revelations, but it did leave its mark on the "commercial virus" market. Bobax was very much in the spirit of Agobot and Agobot-related bot code, except that it was streamlined to fulfill a specific function: creating spam zombies from unpatched (MS04-011) machines. The worm established a more refined version of the zombie; Bobax-infected machines were not simple relays, they took a list of addresses and sent a copy of an email to each, which is much more efficient than crafting the message at a central email server and sending them one at a time to proxies. The most recently discovered version was catalogued by Symantec in the winter of this year.
Additional information on the Agobot code can be found within last year's feature: Agobot & the Kit-chen Sink.
May 13, 2005 keeping it real Nothing heavy with the release of two new vectorspace reports this week. There is something so refreshing about a straightforward scam these days - no URL obfuscation, no hidden links, no javascript pop-ups, just an email asking you to go to a fraudulent website. This one showed up yesterday, and there was no need to go to the HTML, all is exactly as it seems. Don't believe it? Check out the source here.
May 12, 2005 heals, heels, etc. The Achilles heel of adware and most spyware is that it has to tell you it's on the machine; in some way or another, unrequested content has to show up on the user's box. Worms don't have that handicap. Right on the heels of yesterday's Phishing Trip prequel is a Mytob feature. "The Mytob Infantry" looks at this worm's special strategy for compromising machines. This paper examines how the Mytob authors have chosen to balance the wealth of choices when concocting malware for the masses. Check out this report here and the PDF.
May 11, 2005 construction The fourth report in the "Phishing Trip" series is out today, sort of. The report is best described as a meta-paper, concerned with the overall structure of email-based crime and is referred to as both Phishing Trip 4 and 0 on the site, you decide which is best. This one covers spam, phishing, mass mail worms, and direct-mail Trojans. The feature, Mail Call: Email Crime fits well with the year's theme of the business of malware, and is really better suited as a "prequel" to the Phishing Trip series (consider it an homage to the new Star Wars film). Anyway, it's available here and as a PDF.
Also, as promised, just a single vulnerability report from Microsoft. This one takes us to #24 for the year so far (not too bad, hopefully I didn't just jinx it). The advisory warns of possible remote code execution if a W2K user previews a malicious HTML document in Windows Explorer. If you're a total W2K3/XP shop, no (new) worries this month. As always, check out the rundown here, and the year's worth, here.
May 10, 2005 tob of the morning MyDoom and Mytob variants continue to roll in (along with the rash of Lovgate samples - which at 200KB each can fill a mailbox quota in a hurry, hooray for gmail...). The rise of worm/bots like Mytob makes us wonder about the detection of viruses and why most top ten reports show a proliferation of spyware/adware and not infections from more "traditional" types of malicious code. The answer may be simple: spyware has to tell a user it's on the box; in many ways, the code/infection is only profitable if it is placing (unrequested) content on a desktop. Mytob suffers from no such burden. Is that groundbreaking? Not at all; research focusing on sheer numbers of detections skews the true nature of the malware world, and this fact can't be reported enough.
Work continues on two independent stories: one focuses on Mytob, the other on mail scam issues, possibly the 4th Phishing Trip of the year. We have room to take a few more requests like these - send ideas or even submissions to the vectorblog.
May 9, 2005 loving We're getting lots of reports of Lovgate moving around, although no new strains. So far, the detections have been of the Lovgate.Y variety (Symantec's nomenclature). If you see anything similar or just want more information, feel free to write to the vectorblog. For more on Lovgate, see the Malagent report.
May 8, 2005 hmd Happy Mother's Day to all Moms that are celebrating today. When it comes to viral parents, many researchers find the release order and influences of popular malware very interesting. We received a little positive feedback on the Agobot report, and consider it to be an interesting piece because of the broad scope it covers, while still remaining squarely in the neighborhood of kit Trojans/worms. Is this something that anyone else focuses on? Something you'd like to see more of? Send it to the blog.
May 5, 2005 scores The highest number of Sober copies we have in any single Inbox (one address) is 4 [update->8 in 24hrs], which I suppose is a lot for one day, but not quite the number we expected given the distribution of the latest version. Have a high score of your own? In other mal-mail news, Sophos has an interesting posting today concerning spam tricks, specifically, the inclusion of a joke with the ad to make the email less annoying, even worth digging into your Junk box. That would have to be a pretty good joke. The report is here.
May 4, 2005 in appreciation The latest version of Kedebe (it appears to be in its 3rd iteration) drops another text file - this message sounds a lot like the messages contained in the early Netsky variants:
Please, Symantec stop doing definitions for my worm. I'm trying to
fight Mydoom and Beagle!! And I appriciate your work!!
Now, the worm does in fact attempt to fight a few worms, more Netsky variants than Beagle or MyDoom actually; however, as you might expect from a worm, it also does a few nefarious things (also like its vigilante cousin Netsky). Kedebe prevents the local box from accessing numerous security providers' sites (like Symantec, McAfee, Zonelabs, Sophos, Kaspersky, Microsoft's Windows Update, etc.), opens a backdoor which allows for remote command execution (including what appears to be a routine that swaps the left-click/right-click functions of the local mouse), attempts to kill the Microsoft/Giant Anti-Spyware tool and Zone Alarm products, tries to shut down the Symantec opscan process (opscan prevents outside applications from messing with the AV scanner), and changes the local machine's ownership info by adjusting 2 Registry values (for W2K/XP users):
May 3, 2005 then join 'em, part 2 Last week the vectorblog pointed out the eerie feel of the Netsky.AI worm reported by Symantec. This best-of-breed worm took the functionality of Nemog's code and blended it with the undeniably successful propagation engine of the Netsky mass mailer. This, combined with the Opanki worm and ViruSystems hoax mentioned below created enough interest (also see below) for a new Hotzone report: Adworms, where we continue to flesh out our central theme for 2005, the business of malware. It is a short, amusing tale the begins with parts of the ViruSystems hoax. As always, send feedback to the vectorblog.
May 2, 2005 inevitable We're following an interesting development from the weekend: the use of an IM worm (like Bropia) to deliver spyware (lots of it). Trend Micro is calling it Opanki. It harkens back to a hoax that circulated years ago - maybe you remember it - the email appeared to be an interview with the CEO of a company named ViruSystems, which was auspiciously a virus-for-hire outfit set to create and distribute malware on order. As mentioned, it was of course a hoax. But recently this issue seems to be less fiction and more reality, especially in light of Opanki.B, which attempts to drop 14 different spyware packages on a victim box. This might make an interesting topic for a short paper - if there is interest it will be up tomorrow.
For today, there is a new report that looks at a small, but important issue that always tags along with virus research: the collection sites where anyone can acquire live samples for fun, hobbyist, or other purposes. The paper, Poison Ivy Farmers, is in the Community Issues section.
May 1, 2005 fire with fire, again Last week, one of the spam/phish-catching accounts we maintain received a helpful notification that we should ignore any email asking us for personal data under the guise of updating security information. Maybe you got one too; it looks like this:
From: <warning@youvebeenscammed.com>
Late last year we posted the Unfections report, examining the possibility of a "beneficial virus" in the wild. The conclusion, and that of most researchers, is that there is no good virus because even in the best case scenario it would be making changes to systems without an owner's knowledge, would absorb resources on hosts, and always have the potential for getting out of control. The idea that we could use spam to fight phishing is slightly different, but carries the same concerns. Upholding spamming to defeat phishing is dangerous, and carries some of the same costs that "good" worms like Welchia/Nachi carry.
Anyway, the domain "youvebeenscammed.com" is not actually registered to anyone (before you rush over to buy it, consider you may have some spam questions to resolve). In fact, there seem to be very few TLDs with "youvebeenscammed" registered: SR and AT (Suriname and Austria, respectively). Of course, there are sites registering ".sr" domains as "Senior"-focused and not Suriname, like Tuvalu's ".tv" domain I suppose; that only seems funny since the stereotype of senior citizens is to assume they are more likely to be scammed via Internet technology than younger folks.
The header contained the following:
Status: U
Which points to a domain registered to (coincidentally) Argentina and the IP address of a provider in Poland.
Copyright © 2005 infectionvectors.com. All rights reserved.