September 2004 VECTORBLOG
September 23, 2004 Over here now Looks like the major vendors all catch the latest released 'sploits for MS04-028. Keep in mind this is not a vulnerability unique to Microsoft products, check with your vendor for packages that render JPEG images and may utilize the GDI+ library.
The frenzy continues to swell for this exploit. The vectorblog continues to speculate that this makes the most profound impact as part of a phishing attack; if you find yourself in a traditionally targeted sector (financial institutions), ensure the patch is circulating. Mass mail is the only vector that makes much sense here, even if it's just a link or message sent in HTML.
September 22, 2004 Keep at it Additional code has been released that takes advantage of the GDI+ JPEG rendering vulnerability (like the ones at Securiteam's site). If I've compiled one of them correctly, they are still caught by the Symantec heuristics engine (more products to follow as testing becomes available).
September 21, 2004 Magic bullet Although the costs of an infection are great, the costs of prevention are often higher. This is generally true when organizations attempt to protect themselves against worms that don't exist. One particular client, an organization with enough size to create multiple ad hoc groups to deal with emergency patching, auditing, etc., typifies this overreaction with respect to the clamor over MS04-028 (the GDI+ library flaw, also known as the magic jpeg vector). Companies that expect that someone will craft a worm that is not detected by the generic signatures most big AV companies have for the exploit are giving virus coders a lot of credit. Anyone who conceives of a worm that can exploit the JPEG rendering vulnerability without user intervention in Sasser-style fashion is really giving the coders a lot of credit. For all the fear over the LSASS vulnerability, in the end, the worm that did the most damage was concocted from publicly available 'sploit code (just like the ones likely to be crafted from MS04-028's flaw). Those things can be monitored as they develop and are placed into other worms, like Agobot. It won't be a Blaster-like worm; it will probably be incorporated into a mass mailer with a link to a web site. Maybe it will be a PNG file attached to an email (that's correct, any graphics extension will work, Windows will process it as a JPEG once it inspects the actual file constructs). By no means should anyone ignore the patching process though. The threat is as real as any spyware vector that you have probably patched. The regular cycle for a critical vulnerability still includes testing and controlled rollouts though. Beyond wrecking expensive applications and productive work sessions, the hysteria over perceived emergencies can be costly. The hysteria is damaging for two reasons: it weakens the enterprise response capabilities and it hurts the security business.
By chasing down ridiculous vector blocking strategies like dumping JPEG attachments or filtering web content the organization only succeeds in expending valuable resources on endeavors that take away from doing the small tasks that actually improve network defense. Things like looking at logs regularly, reading about real worms, and educating users on actual threats. These are the first things to go when IT folks are saddled with wild contingency planning. There may be a devastating worm associated with this vulnerability, but it will probably cost less than the misplaced preparation work taken on by so many companies today. If you find yourself doing more work for fake worms than real ones, take a look at the general contingency plans and training programs in place at your company. And help make them better. That's the magic bullet against these threats.
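Since Windows decides by file contents rather than extension, a content scanner has to do the same. The following is an added example written for this post, not code from infectionvectors: it identifies a JPEG by its SOI marker whatever the file is called, then walks the marker segments and flags any length field smaller than the two bytes the field itself occupies, which is invalid per the JPEG format and the kind of malformation the GDI+ flaw mishandled. The sample files are constructed inline, not real captures.

```python
import struct

JPEG_SOI = b"\xff\xd8"


def is_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its leading SOI marker, not by its file name."""
    return data[:2] == JPEG_SOI


def check_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments of a JPEG header and report structural problems.

    Every marker is 0xFF plus a type byte. Markers other than the stand-alone
    ones (SOI, EOI, RSTn, TEM) carry a 2-byte big-endian length that counts
    itself, so any declared length below 2 is malformed.
    """
    findings = []
    if not is_jpeg(data):
        return ["not a JPEG (no SOI marker)"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:          # EOI: header walk is complete
            return findings
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                # stand-alone markers carry no length
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated segment at offset {pos}")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append(f"marker 0x{marker:02x} at offset {pos} has invalid length {length}")
            break
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop here
            return findings
        pos += 2 + length
    else:
        findings.append("missing EOI marker")
    return findings


def scan_attachment(name: str, data: bytes) -> list:
    """Scan by content: a JPEG renamed to .png or .gif is still a JPEG."""
    if not is_jpeg(data):
        return []
    return check_jpeg_segments(data)


# Constructed samples: a minimal well-formed header (APP0 + COM) and one whose
# COM segment declares a length of 0.
GOOD = (b"\xff\xd8"
        + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xfe\x00\x07hello"
        + b"\xff\xd9")
BAD = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"\xff\xd9"
```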
September 20, 2004 2-0 The news today has been split between hair-raising stories about what may happen with the GDI+ flaw in certain Microsoft products and the job offer Netsky/Sasser author Sven Jaschen received from a German security company. Maybe the MyDoom guys have a better chance at finding work than I thought (see entry below). The security industry will no doubt debate the merits of hiring a virus coder for information assurance positions over the next few weeks. Most AV companies have public statements published against hiring criminals, and have pointed them out recently because of the MyDoom text and Mr. Jaschen's new post. Does everyone deserve a second chance? Maybe, but rewarding virus coders won't help deter the next 17-year-old.
On the GDI+ front, no new exploit has hit the wild over the weekend. infectionvectors has tested the publicly available proof-of-concept and found it to be reliable in crashing Windows with the products listed in the advisory. The word on the street is that additional products are on the way for inclusion, although this is unconfirmed at the time of this entry.
September 17, 2004 Welcome to the Web Two weeks ago, I added a new mailbox to the infectionvectors.com space, and only published on the site. The only thing that left the account was a single email to another personal account. Basically, I was waiting to see how long it would take the spam spiders to find it. As you have probably guessed, it took 2 weeks. This morning I received a pair of messages. What is most interesting though, is that neither of the messages is just an ad for Viagra or cheap software. One is the old Nigerian fortune routine; the other is a copy of a Beagle variant from March. The bank scam is entertaining as it points to the state of the Internet today. The Beagle code has me thinking for many reasons. First, the Beagle worm holds special interest for me, as evidenced by the great amount of research published here. The second is the fact that a freshly harvested address made its way onto a list for a 6-month-old worm before any “legitimate” advertiser’s list. Why would this be true? Here are the possibilities I’ve come up with: the spammer/virus coder link is stronger than I thought, the people running the spam-list spider were infected with Beagle.F-I, or virus writers are customers for spam lists. The first possibility makes the most sense to me right now, based on the facts that follow. At least one group has spidered the site for email addresses; that list has been provided to or lifted by an application that distributes copies of Beagle (which so far, is only known to be the mass mailer code itself) and to something that generates scam mail. If the spidering box (where the list of harvested email rests) was infected, we would likely be witnessing the largest outbreak of a 6-month-old mailer ever, and Beagle.I would be back in the top ten most seen lists. Not to mention that it would have been spraying the emails for months now.
Currently, it is in Trend’s Top Ten for South America only (but only as part of a generic detection for 6 variants of the worm). Is it possible that the spider list was sold to a virus writer? I suppose, why wouldn’t a spammer sell the list to whoever had the cash? The problem is, why would the virus coder distribute such an old worm? Certainly it’s possible, but it defeats the reasons for updating the code and attempting to dodge detection. It seems to me that the most likely scenario is that the list was put into “circulation” by dropping it into the spam-net infrastructure. This infrastructure is composed of a lot of machines compromised by Beagle.I, not to mention MyDoom, SoBig, and other Beagles. The list is pushed, the spam (such as the Nigerian fortune scam) is delivered and the resident worm grabs the text file’s addresses as well. That’s where I am now. It’s documented with diagrams in “Welcome to the Web: Here’s Your Spam.”
September 16, 2004 Towards one common goal The latest MyDoom variants (at least two discovered today) are taking on a lot of the features that made Beagle successful. The attachment names are more refined, by which I mean simpler, more likely to be similar to messages people actually receive (you know, generic subject lines, like "the document"). Sometimes they look just like Beagle's ("fotos"). It has the familiar (very long) list of services to kill that Agobot made accessible and fashionable. The emails look like other mass mailers that indicate "No virus, scanned by __." Of course, MyDoom was initially successful all on its own, and it retains those features: a From field composed of permutations of hard-coded first/last names, short believable messages, high distribution rates, dodging certain domains/addresses, etc. Virus coders learn what works just like "legitimate" business people do, and they borrow and improve the contributions of others in their sphere. On a related front, the MyDoom cousin (known as Evaman at Panda & Symantec), has an interesting mutex name this time around (on its 4th iteration currently). The tag is "BigUptoMDauthor_thx4sharing," a possible reference to a release of the source code to another individual or someone who acquired the code via Doomjuice. Of course, as has been established by other coders, it could be a red herring placed by the MyDoom/Evaman author. Credit to Panda Software for the mutex name.
September 15, 2004 About_Me The discovery of MyDoom.W came with a couple of added surprises not mentioned on the major AV sites as of yet. One is a picture that the worm drops, which appears to be the black and white photo of Sven Jaschan, Sasser/Netsky author, that has been used on a number of web sites. The other is a text document named “about_mydoom.txt” that accurately lists a few of the actions the worm takes on an infected machine:
1- ATTACK www.symantec.com On Sept 29 2004 starting at 2
2- drops yahoo keylogger that open 4321, http://victim_ip:4321/
3- drops 2 pictures that will not be showing to the victim
4- drops a downxz.bat which download Bacdoor.Nemog.c
5- drops services.exe , zincite.a
6- Retrieves email addresses from the Outlook address book and files on fixed disks, ram disks, and in the following registry key and folders: %Userprofile%\Local Settings\Temporary Internet Files %Userprofile%\Desktop %Userprofile%\My Documents %Userprofile%\Application Data , etc queries HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name and searches for emails.
Not too many worms let you know what they are doing; in fact, I can’t think of any that have laid things out like this. It is an interesting communication from the author and also gives some insight into how virus writers test their products. It looks like the writer ran the new variant against AV software (which is common for virus coders) before releasing it. Possibly the Symantec product was used for the text above, as Nemog.C and Zincite.A would be their terminology (and the flow of the text looks like the Symantec Security Response-style report, numbering each line of the action, which Trend, McAfee, Sophos, Panda, F-Secure do not do). Of course, Symantec is also the target of the DoS, so this is not altogether surprising. Symantec does mention that the worm drops “About_Mydoom.txt” and “Doompic.jpg,” but does not mention what the files contain. In a move that doesn’t mean anything on its face (but will be interesting to researchers), the text file also includes the poem found in Beagle.Y: In a difficult world In a nameless time I want to survive So, you will be mine!!,second author Besides that, the worm looks much like the last few versions: mass mail, spam engine, drops the Trojans, dodges a long list of addresses, etc.
September 14, 2004 Anna? What if Anna Kournikova (by which I mean VBSWG.J, not really her), actually had a photo to look at? Thousands of people clicked the mass mailer attachment, even after they knew it was a virus, in hopes of seeing the pictures. Today Microsoft announced its security patches for September, and of the two, one is a critical vulnerability that is exploited by opening a custom-crafted JPEG. This malcode would then execute code of the author's choosing (probably not benign software). So, if you could round up all the people that double clicked the last Beagle attachment that just pretended to be a photo, or the guys who opened AnnaK years ago, before something is released taking advantage of this vulnerability, it may save you some trouble later. No known worm out at this time, and maybe there never will be one. But, it's also a perfect vector for phishing scams, especially the targeted ones financial institutions have seen recently. Check out the details and download the patch for testing asap.
September 13, 2004 Seeking employment With the release of another MyDoom variant (V with Symantec) and Nemog, it looks a lot safer to say that the author has made the same move with the worm that Beagle did with Mitglieder. Nemog (or Gavvo, as it is referred to on CA’s site) creates a mail relay and attempts to grab new applications from hard-coded servers once it infects a machine (oh, and it uses the LSASS exploit to spread). It also allows the controller to change the IE start page, possibly the next item that can be sold to spammers in bulk, a kind of “Your Ad Here” sign for the Internet. Speaking of which, the latest few versions of MyDoom have included “We searching 4 work in AV industry” in the code; anyone interested will need to do some digging, the “Reply to” is spoofed…
September 12, 2004 Common names An article on Wired News last week (http://www.wired.com/news/infostructure/0,1377,60281,00.html) discusses the naming problem that all virus researchers have been combating (or exacerbating) for years. At a talk that also occurred last week (DoD Malicious Code Conference), a researcher from MITRE talked about attempting to solve the problem with a database of viruses similar to the CVE database. That makes a lot of sense, but what a tremendous task. Just having everyone agree on what malicious code is may take a while.
September 10, 2004 Mail call I think that based on the analysis of Nemog it is possible to legitimately ask, is this the Mitglieder of the MyDoom world? If so, it represents the beginnings of a mini-trend toward improving the mass mailer, which some analysts believe are on the way down (most recently Dave Perry of Trend Micro presented this belief in the gradual fall of mailers at a Malicious Code conference). Having the mailer grab a new Trojan instead of immediately mailing thousands of messages hampers detection and improves the life of the worm (Trojan is smaller, likely to include no easily fingerprintable items like an SMTP engine, etc.).
Mailers still make a good choice for the attacker as mail scanning is less prevalent than IDS scanning for network worms and mailers have a much better shot at reaching a user protected by a firewall than any other worm. The email vector still represents a weakness in configuration (not blocking EXEs) and the human/social engineering vector.
Trend Micro is one of the best AV vendors when it comes to providing an insight to what their labs are tracking. Their Top Ten maps are exceptionally helpful to anyone watching what worms are successful at any given time. Today, the top 10 includes 6 mass mailers (positions 2-7). Granted, Sasser still dominates the list, with 8 times the reports of 2nd place Netsky; however, the mass mailer still proves to be effective at reaching hosts. Further, the real measure may need to be longevity, where mailers seem to win hands down, with some super successful iterations and the ease with which new versions can be created by changing technically trivial pieces (like subject headings, From fields, etc.). Longevity is a good measure of success as it is difficult to keep malcode of any kind in the wild for a long period of time. As long as it is around, there will be flare ups and new compromises.
September 9, 2004 FrankenShteiN New Mydoom variants hot off the presses. It (or they, some AV companies-notably Symantec-discovered multiple versions today, I've only seen 1 so far) attempts to download the recently discovered backdoor app, Nemog.B from various websites. The list is small enough to lock at a firewall or external router, but most cautious organizations should already be dumping the attachments based on file extension: a ZIP with unciphered SCR, EXE, or PIF files inside. The versions found by Symantec appear to be the same except for the mutex name.
Note: the new versions grab a copy of Neveg just like the previous few did.
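The attachment rule described above (a ZIP carrying SCR, EXE or PIF files), as an added example that is not code from infectionvectors or any gateway product: it opens the ZIP in memory, lists members with executable extensions, and separately reports encrypted ('ciphered') members, which the rule cannot inspect by content. The extension set, the block-on-unreadable policy and the sample archives are this example's own assumptions, built inline.

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click; the post names SCR, EXE and PIF,
# the rest are added here as an assumption for a slightly wider rule.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return executable members, encrypted members, and any read error.

    Encrypted entries keep their names in the central directory, so they can
    still be matched by extension even though their content cannot be scanned.
    """
    result = {"executables": [], "encrypted": [], "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a valid ZIP"
        return result
    with zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                result["executables"].append(info.filename)
            if info.flag_bits & 0x1:            # bit 0 of the flags: encrypted entry
                result["encrypted"].append(info.filename)
    return result


def should_block(data: bytes) -> bool:
    """Policy (assumed here): block on executables or on an archive we cannot read."""
    r = inspect_zip_attachment(data)
    return r["error"] is not None or bool(r["executables"])


def build_zip(members: dict) -> bytes:
    """Helper to construct in-memory sample archives for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a worm-style ZIP with a screensaver inside (the MZ
# bytes are a placeholder, not a real binary) and a benign one.
WORM_LIKE = build_zip({"photo.scr": b"MZ placeholder"})
BENIGN = build_zip({"report.txt": b"quarterly numbers"})
DOUBLE_EXT = build_zip({"fotos.jpg.exe": b"MZ placeholder", "readme.txt": b"hi"})
```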
September 8, 2004 Finding Neveg Trend picked up another version of Neveg today, a Trojan that reaches back to web servers for "updates," kills processes, etc. This Trojan has previously been associated with MyDoom. Neveg uses a list of file share names that looks identical to Beagle's. MyDoom and Beagle have been linked, notably in the infectionvectors paper posted at SecurityFocus.com. Is this more evidence for the link?
September 7, 2004 After a long weekend it looks like everyone is back to work, including virus coders. New Spybot and Blackmal variants hit the streets this morning, including a double dose from Blackmal's author. This mass mailer eats up host resources without concern of detection. Check out the Malagent report here.
Added today is part 2 of the "Measuring Success" article, which aims at putting a metric next to training programs and helping the security officer fit awareness into the overall security budget and program. The report, and part 1, are in Emergency Prep.
Finally, the Agobot Vector is available as a PDF instead of an unwieldy web-only read. Enjoy. And send any feedback to the writer, gordon@infectionvectors.com.
September 6, 2004 Happy Labor Day to everyone in the US, happy Monday to everyone else. Sasser.B continues to own the top spot on Trend's Top Ten and E is still at a very respectable 8th. Both of these are a little surprising considering the life of worms usually spikes and then trickles off. This likely represents the number of home machines still unpatched since April. It will be interesting to see how well received SP2 is and its firewall, possibly indicated by the drop of Internet worms like these.
September 5, 2004 Time off. Nothing exciting so far this weekend, which generally means there's time to take a look at a few things that have gone under analyzed. Microsoft recently updated the Anti-Virus Defense-in-Depth Guide from the spring to include XP SP2 data. This document makes a very good read for virus enthusiasts of all levels.
September 4, 2004 Doom and Bugs by Mail MyDoom and Bugbear arrived with fresh releases today. The Mydoom (now up to T with Trend if you're keeping score) takes the email domains and automatically prepends them with one of the following common names for mail relays: gate Which is a rather unique move. It also copies itself to fileshare directories with the names of a few popular viruses, such as SoBig, Netsky, and even identifying itself, MyDoom. It shows up with an attachment that uses the "Wordpad" icon. The following is found in the code, putting into question when this may have been authored and by whom:
MSG To SkyNet-Netsky: i know skynet is sucks so fuck off and i will complete my projects ok baby!,the second author for mydoom worms!!, he will complete the project, more is coming soon better than better,Kuwait
Bugbear.M (Symantec) continues to lift keystrokes, open window text, and cookie information from the local machine, making the impact of a Bugbear infection greater than the simple annoyance of some mailers.
September 3, 2004 Combo. Hearing about another Windows rootkit of sorts, similar in style to the Hackdefender package. This one is composed of one of the Sysinternals PStools (PSexec.exe), a number of service starting/killing utilities, and Regedit4.exe. What else makes this interesting is that it was given "wheels" so to speak, it has all the makings of a network share worm as well, spreading by way of unsecured ADMIN$ shares. It creates a random address, checks to see if ADMIN$ is open (with a known tool named Secfind), and then copies itself if successful. Yet another reason to ensure that network resources have good local admin passwords. This one goes by the name Remadmin or Redadm.
September 2, 2004 Waiting? It has been almost 2 months now since the release of MS04-022, 023, & 024, respectively the Task Scheduler, HTML showHelp, and Windows Shell vulnerabilities, all of which were given fairly good odds of being part of worms. As of now, there has been no worm released that exploits these holes, although there are Trojans/spyware that hit the HTML Help bugs. Hopefully this layoff will not lull large organizations into putting off patching efforts.
Copyright © 2004 infectionvectors.com. All rights reserved.