Since the year is almost over, I will summarize the threat trends for the fourth quarter, from October onward.
I hadn’t visited mIRC for a while, so I made a point of visiting it at the start of my shift. I joined a couple of channels, and after some time I received a private message with a link pointing to a binary file. Yes, just as I expected, malware still uses mIRC for its own purposes.
The binary file is an undetected WORM_DREFIR.A and is already being processed by the Service Team. This malware caught my interest because, aside from having a destructive payload in which it replaces every file it can access with an empty file of the same filename, it can also add a copy of itself to any RAR archive found on the affected user’s computer. The copy added to the RAR file is given a randomly generated filename.
A computer affected by this malware is used as a host to spread it further. The malware opens port 80 (HTTP), from which potential victims can fetch a copy of it. It then sends private messages to potential victims through the mIRC channel it has joined; each message contains a link to a copy of the malware, using the IP address of the affected computer.
Example: a potential victim receives the following message via IRC:
“http://www.google.com/url?q=http://xxx.yyy.zzz/TrialXXXView.scr”
where http://xxx.yyy.zzz is the IP address of a compromised machine hosting the malware. Note that the link is wrapped in a Google redirect, so the real host is not the first thing the recipient sees.
The malware’s payload is triggered on the 29th of every month whenever the seconds value of the system time is greater than 30. Here is the message it displays:
It is good practice not to click URL links in IRC messages, even when they come from a known acquaintance. Your friend’s computer may have been compromised, and it may be the malware that sent you the message. :)
Keep your antivirus pattern files updated regularly to stay protected from the malware being discovered in the wild.
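The lure described above has a recognizable shape: a private message, a search-engine redirect wrapper, a raw IP address as the real host, and an executable extension at the end. The following is an added example (not code from the original post) that applies those checks to raw IRC log lines. The IRC lines and the 198.51.100.7 / 203.0.113.9 addresses are constructed for the demonstration (documentation ranges), and the choice of which extensions count as executable is an assumption.

```python
"""Flag IRC private messages carrying links shaped like the WORM_DREFIR.A lure.

Added illustration, not code from the original post. Assumes IRC traffic in raw
RFC 1459 line format (":nick!user@host PRIVMSG target :text"). The sample lines
below are constructed; the IP addresses in them are reserved documentation ranges.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

IRC_RE = re.compile(r"^(?::(?P<sender>[^!\s]+)\S*\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")  # assumption: what we treat as executable
REDIRECT_HOSTS = {"www.google.com", "google.com"}


def unwrap_redirect(url):
    """Return (target, True) for a google.com/url?q=... wrapper, else (url, False)."""
    parsed = urlparse(url)
    if parsed.hostname in REDIRECT_HOSTS and parsed.path == "/url":
        target = parse_qs(parsed.query).get("q")
        if target:
            return target[0], True
    return url, False


def is_raw_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url):
    """Return (final_url, reasons) for one URL found in a message."""
    final, wrapped = unwrap_redirect(url)
    reasons = []
    if wrapped:
        reasons.append("search-engine redirect wrapper hides the real host")
    parsed = urlparse(final)
    host = parsed.hostname or ""
    if is_raw_ip(host):
        reasons.append("link host is a raw IP address")
    if parsed.path.lower().endswith(EXEC_EXT):
        reasons.append("link points at an executable (%s)" % parsed.path.rsplit(".", 1)[-1])
    return final, reasons


def scan_irc_lines(lines):
    """Return one alert dict per suspicious link found in PRIVMSG lines."""
    alerts = []
    for line in lines:
        m = IRC_RE.match(line.strip())
        if not m:
            continue
        # A target that is not a channel name is a private message to one user.
        private = not m.group("target").startswith(("#", "&"))
        for url in URL_RE.findall(m.group("text")):
            final, reasons = assess_url(url)
            # Require at least two signals: a redirect wrapper or a raw-IP link
            # alone is common in legitimate chatter, the combination is the worm's shape.
            if len(reasons) >= 2:
                alerts.append({"sender": m.group("sender"), "private": private,
                               "url": final, "reasons": reasons})
    return alerts


# Constructed sample traffic: one worm-style lure, two benign lines.
SAMPLE_LINES = [
    ":evilnick!w@198.51.100.7 PRIVMSG analyst :hey check this http://www.google.com/url?q=http://198.51.100.7/TrialXXXView.scr",
    ":friend!u@example.net PRIVMSG #ops :release notes at https://www.example.org/notes.html",
    ":bot!b@example.net PRIVMSG #ops :mirror http://203.0.113.9/index.html",
]

if __name__ == "__main__":
    for alert in scan_irc_lines(SAMPLE_LINES):
        kind = "private message" if alert["private"] else "channel message"
        print("%s from %s -> %s" % (kind, alert["sender"], alert["url"]))
        for reason in alert["reasons"]:
            print("   - " + reason)
```

Only the first sample line produces an alert: it is a private message, wrapped in a redirect, pointing at a raw IP, and ending in `.scr`. The third line (a raw-IP link to an HTML page) collects a single signal and stays below the two-signal threshold, which is the point of scoring rather than matching on any one feature.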
Good day blog readers!
As part of our efforts to keep you updated with the latest happenings on the malware scene, we’ve decided to write a monthly round-up report like this one, using data gathered from our honeypot systems, actual infection reports, and news from within the industry.
Anyway, enough with the formalities and let’s get it on!
For e-mail-borne malware, TROJ_STRAT is the undisputed king for November. Aggressively spammed and targeted at known e-mail addresses, not a week passed without at least three waves of STRATION spam. No other e-mail-borne malware came close to the volume of e-mail traffic TROJ_STRAT generated this November. With 31 new STRATION incarnations, each seeding choked our honeypots, with 90% of malicious e-mails belonging to STRATION alone.
Why it can get worse:
STRATION has slowly evolved from a single-file mass-mailing worm into a two-component Trojan-worm partnership. Its authors have also changed the timing of STRATION’s release into the wild: where it used to be released after Microsoft’s Patch Tuesday, it is now released every other day. These not-so-subtle changes in STRATION’s patterns and behavior may indicate that its authors are constantly monitoring how their malware performs, and I’m quite sure the tweaking of STRATION’s characteristics is aimed at infecting more and more users.
European malware writers had a busy November: registering new domains, creating new websites, and making TROJ_ZLOB variants available for download… as pseudo-video codecs!
For November, we’ve seen at least 10 domains hosting TROJ_ZLOB, from which you can download anywhere from 1 to 1,000 unique binaries. The ZLOB sites are carefully laid out to look legitimate and professional, which speaks volumes about the malware authors’ efforts, and their monetary returns.
Why it can get worse:
With all the digital video formats out there, your favorite video player is bound NOT to have the codec you need to watch, say, a freshly downloaded porn clip. So you Google for codecs, and your search leads you to a site that promises an all-in-one codec complete with amazingly sharp resolution and unbelievable picture quality. Convinced, you download and install it. Then a message box appears saying the codec cannot be installed. Well, you’ve just been Punk’d… err, I mean… infected.
See, this method of infection is different in that it waits for the victim to download the file. Unlike a targeted attack, where a hunter tracks his prey and then fires with accuracy, ZLOB’s method is: present a lure, then wait for the prey to take the bait.
For as long as there is a need for codec updates, people will surely be lured by fake Trojan codecs.
Messenger worms are having a small revival after being almost invisible for the first two quarters of this year. This time WORM_SOHANAD is leading the charge.
Why it can get worse:
This is one area where malware social engineering can get better. Why give links pointing to unknown sites when you can hack a social networking site to make the link more believable? Ooops… did I say it out loud?
WORM_BLASTER Wikipedia Entry Gets Real!!!
Websites that allow users to insert HTML code or links on their pages present themselves as possible hosts for malicious code, exploits, or links.
Why it can get worse:
User customization is the “in” thing when it comes to forums and social networking sites, which means allowing HTML code modification and linking to other sites. Expect other malware writers to pull off this trick on other sites that still offer the user a great amount of HTML freedom.
November was declared the Month of Kernel Bugs by Info-pull.
Why it can get worse:
Thankfully, this did NOT get worse!!! 30 kernel bugs were discovered, but not one was translated into actual malicious code (thank you, responsible disclosure). Otherwise it would’ve been a very, very, very busy month for AV.
These two worms, WORM_NUWAR and WORM_MEDBOT, serve as downloaders that bring other malware onto the infected machine, and are elaborately designed to turn infected machines into spam zombies sending out Viagra and pump-and-dump stock spam.
Why it can get worse:
Actually, it is getting worse. WORM_NUWAR and WORM_MEDBOT are constantly updating their downloaded components. WORM_NUWAR has updated its spammer component at least 99 times, its downloader component at least 200 times, and itself at least 475 times. WORM_MEDBOT, on the other hand, has updated its spammer component at least 131 times, and itself at least 103 times.
The constant updating of files may mean that the two worms either 1. have a large install base, 2. are currently infecting more machines, 3. or both! The constant updating of component files shows that those components are still being downloaded to infect new or already-infected machines.
PE_LOOKED is known for downloading Trojan spyware that targets the online games Lineage and World of Warcraft. Towards the end of the month, at least 26 new PE_LOOKED variants were released in the wild. A few days later, the new variants’ download sites were offering TSPY_LINEAGE, TSPY_WOWSTEAL, and even TSPY_QQPASS variants for download.
Why it can get worse:
We recently discovered a PE_LOOKED inspired virus named PE_PARDONA.
Say you are a new hire at some company. Your boss asks you to develop a well-researched and well-documented company policy on, for example, employee travel. More often than not, you will start with a Google search. And that is exactly what you do: open Google and type in “travelpolicy”. This will be the result:
You don’t choose the first hit simply because you see it’s a .GOV site, and information found on .GOV sites may seem too lengthy for your objectives. You just need a simple do-it-yourself tutorial on how to create and implement a travel policy guide for your business, which is exactly the description of the second hit, circled in the image above. So you click on it.
And then the site opens…
It seems the site is taking quite a while to download its images and content. So you wait… and wait… And when it has been taking forever for the site to finish loading, you close the window and move on to other sites that can offer the information you need.
End of story?
Not quite.
As you waited for the site to fully load, something was already happening unobserved in the background…
The site, www.travelpolicy.com, has an IFRAME at the very top that leads to 81.95.146.98/index.html. That index.html file contains a script that exploits the Microsoft Internet Explorer (MDAC) remote code execution vulnerability described in MS06-014. The original exploit code has been modified in an attempt to bypass AV scanners that detect the original.
It sure is nasty! An executable file, win.exe, is downloaded to your system and executed. This file is actually a backdoor with rootkit features, a variant of the notorious family of backdoor rootkits known as Haxdoor!
So what happens next? Well… you can actually see the following files suddenly added to your Windows System32 directory:
- kgctini.dat
- klo5.sys
- lps.dat
- yvpp01.dll
- yvpp02.sys
You’ll also see a newly added registry key, with numerous data values that subvert WinLogon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01
The following services will also be added:
NAME: yvbb01
DISPLAY: Miniport FT32
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb01.sys

NAME: yvbb02
DISPLAY: Miniport FT
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb02.sys
If you have all of these on your system, it will surely be hell cleaning them all up, especially with rootkits! But it’s a good thing you don’t have these tell-tale signs of a drive-by-download backdoor-rootkit infection. It’s a good thing your system is not compromised with a stealthy backdoor that can allow remote malicious hackers to do almost anything with your computer and your files…
You simply don’t have to worry, because none of these things happened at all. At the first click on the travelpolicy.com site, Trend Micro already flagged a detection of HTML_DLOADER.BHF, so the download and execution of the backdoor rootkit, as well as its other malicious components (which, by the way, are detected by Trend as BKDR_HAXDOOR.JG), will not occur. You were actually protected from this threat. It was just a bad dream, a nightmare. You were actually safe.
Everything is secure. It’s a good thing you are using Trend Micro.
NOTE: The malicious URL above is still alive at the time of this posting. Google has already been notified, and we hope the site will be taken down immediately. In the meantime, we strongly advise users to stay clear of this site.
Just a couple of hours after the reported 0-day VML exploit, there were also reports that it had been implemented in the Web-Attacker kit, as described in this post.
Then, earlier this morning, a Web-Attacker exploit penetration statistics website was reported by an external source. The URL points to a statistics page that shows the total hosts infected by the Web-Attacker kit. The website even has a breakdown of infections by browser exploit, host operating system (OS), and the Internet browser used by the affected system. The browser statistics section is even broken down by specific version or service pack.
But this particular site does not show statistics for systems infected through the 0-day, only for the not-so-old browser exploits. So, given that URL, I played with it a little with the help of my friend Google, and got 49 URLs all pointing to different Web-Attacker control panels. I tried every URL one after another, and there I saw a convincingly updated exploit penetration statistics page that includes a column of data on 0-day-infected hosts.
Since we recently had two (2) browser-related 0-day vulnerabilities, the 0-Day column shown above may or may not be for the VML vulnerability alone.
Now you know who is most likely to be hit by the recent 0-days.
I have also listed below the rest of the Internet browsers monitored/affected by Web-Attacker. I was supposed to capture it as an image as well, but I dare not; it’s pretty long, as you will see. :(
- Firefox 0.10 13
- Firefox 0.10.1
- Firefox 0.10.1
- Firefox 0.8
- Firefox 0.8 (ax)
- Firefox 0.9
- Firefox 0.9.1
- Firefox 0.9.2
- Firefox 0.9.2 (ax)
- Firefox 0.9.3
- Firefox 0.9.5.1
- Firefox 1.0 392
- Firefox 1.0 (Debian package 1.0+dfsg.1-6)
- Firefox 1.0 (Ubuntu package 1.0.2)
- Firefox 1.0 (ax)
- Firefox 1.0 Red Hat/1.0-12.EL4
- Firefox 1.0+
- Firefox 1.0.1
- Firefox 1.0.1 (ax)
- Firefox 1.0.1 StumbleUpon/1.9993
- Firefox 1.0.2
- Firefox 1.0.2 (MOOX M3)
- Firefox 1.0.2 (ax)
- Firefox 1.0.3
- Firefox 1.0.3 (Debian package 1.0.3-2)
- Firefox 1.0.3 (ax)
- Firefox 1.0.3 StumbleUpon/1.9995
- Firefox 1.0.4
- Firefox 1.0.4 (Debian package 1.0.4-2)
- Firefox 1.0.4 (Debian package 1.0.4-2sarge4)
- Firefox 1.0.4 (ax)
- Firefox 1.0.4 (ax) Firefox/1.5.0.2
- Firefox 1.0.4 StumbleUpon/1.9995
- Firefox 1.0.5
- Firefox 1.0.5 (ax)
- Firefox 1.0.6
- Firefox 1.0.6 (ax)
- Firefox 1.0.6 SUSE/1.0.6-4.1
- Firefox 1.0.7
- Firefox 1.0.7 (CK-IBM)
- Firefox 1.0.7 (Debian package 1.x.1.0.7-8)
- Firefox 1.0.7 (Ubuntu package 1.0.7)
- Firefox 1.0.7 (ax)
- Firefox 1.0.7 Firefox/1.5
- Firefox 1.0.7 NLD/1.0.7-0.2
- Firefox 1.0.7 SUSE/1.0.7-0.1
- Firefox 1.0.7 SUSE/1.0.7-0.2
- Firefox 1.0.7 StumbleUpon/1.9993
- Firefox 1.0.8
- Firefox 1.0.8 (Ubuntu package 1.0.8)
- Firefox 1.0.8 SUSE/1.0.8-0.2
- Firefox 1.0RC2
- Firefox 1.4 16
- Firefox 1.4.1
- Firefox 1.5 133
- Firefox 1.5.0.1
- Firefox 1.5.0.1 pango-text
- Firefox 1.5.0.2
- Firefox 1.5.0.2 pango-text
- Firefox 1.5.0.3
- Firefox 1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)
- Firefox 1.5.0.3 Creative ZENcast v1.00.12
- Firefox 1.5.0.3 RTSE/1.0.6
- Firefox 1.5.0.4
- Firefox 1.5.0.4 (Debian-1.5.dfsg+1.5.0.4-1)
- Firefox 1.5.0.4 Creative ZENcast v1.00.12
- Firefox 1.5.0.4 Flock/0.7.1
- Firefox 1.5.0.4 RTSE/1.0.6
- Firefox 1.5.0.4 pango-text
- Firefox 1.5.0.6
- Firefox 1.5.0.7
- Firefox 2.0a1 8
- Firefox 2.0b1 3
- Firefox 3.0a1 2
- MSIE 5.0
- MSIE 5.0 SP2
- MSIE 5.01
- MSIE 5.01 SP1
- MSIE 5.01 SP2
- MSIE 5.01 SP3
- MSIE 5.01 SP4
- MSIE 5.5
- MSIE 5.5 SP1
- MSIE 5.5 SP2
- MSIE 5.5 SP4
- MSIE 6.0
- MSIE 6.0 SP1
- MSIE 6.0 SP1a
- MSIE 6.0 SP2
- MSIE 6.0 SP4
- MSIE unknown
- MSIE unknown SP2
- Netscape
- Opera
- Unknown
We just got a report from an external source about a particular URL that exhibits some strange behavior…
So I grabbed the URL and investigated what may have caused the ‘strange behavior’. As soon as I had a copy of the file the URL points to, http://{blocked}.org/xpl/index.php, I checked its contents and found that it uses an iframe (HTML tag) to redirect the browser to another page, which hosts another strange-looking script.
I verified the contents of the script to see whether it had anything to do with the ‘strange behavior’, and I was surprised, because it did look pretty strange… Looking closely, I found some interesting keywords that prodded me to continue my analysis and unravel the mystery behind the ‘strange behavior’. The script is obfuscated but still gives some clues about what it might do. See below for part of the obfuscated script, especially the words enclosed in a box.
Now, my intuition led me to conclude that this obfuscated code has an embedded shellcode (because of the ‘unescape’ keyword followed by Unicode-escaped characters) that will download and execute a possibly malicious file on the affected system, pointed to by the URL included in the script. Since there is a shellcode (a code snippet that must be injected into an intended process’s address space to execute successfully), there should also be a particular process/application that this shellcode targets. Then I noticed the “.wmv” string, which by default is associated with Windows Media Player when executed. To prove my little theory, I executed the script on my infection test machine, and there I saw a Windows Media Player object on the page being rendered in the browser.
Then, at the bottom of the obfuscated script, is readable JavaScript code that seems to serve to clean up (de-obfuscate) the obfuscated code shown above. I modified the code a bit so that it stops executing as soon as I have the de-obfuscated code, as shown below.
There it is! It tells only half of the story, though, and is somewhat misleading, because the shellcode is already embedded in the script, held in the “spray” variable. The exact URL the malicious shellcode accesses is now clear as well. On the lower part of the de-obfuscated script I noticed an HTML tag that was given a very strange-looking value.
So I googled every keyword from the image above that seemed helpful, and not surprisingly I was directed to a popular website that posts exploits for particular vulnerabilities, where I found similarities to one of the published exploits. Based on the behavior I saw in my testing and the sample exploit posted on the site, I confirmed that the ‘strange behavior’ was caused by exploitation of the Windows Media Player Plugin EMBED vulnerability (MS06-006).
Even though this is not a new vulnerability, malicious people are still trying to take advantage of this bug, as evidenced by this incident. This only shows the importance of up-to-date patching of systems AND applications to protect them from malicious attacks like this.
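Both the travelpolicy.com case above and this one follow the same drive-by pattern: an IFRAME that pulls a page from a foreign host (a raw IP address in the first case), a script that feeds a long run of %uXXXX escapes to unescape() (the “spray” variable here), and, in this case, an EMBED pointing at a .wmv file that loads the Media Player plug-in. The following is an added example, not Trend Micro’s code or the tooling used in either post, that performs that static triage on a saved page and extracts the %u-escaped blob as bytes so it can be hashed and submitted for analysis. The HTML is constructed for the demonstration, 203.0.113.5 is a documentation address, the %u4141 filler stands in for the escaped payload and is not real shellcode, and the 32-escape threshold is an assumption.

```python
"""Static triage of a saved HTML page for the drive-by traits described above.

Added illustration, not code from the original posts. Checks for:
  1. an IFRAME whose source is a raw IP address or a host other than the page's own,
     optionally hidden or zero-sized;
  2. a long run of %uXXXX escapes passed to unescape(), the heap-spray/shellcode tell-tale;
  3. an EMBED/OBJECT whose source is a .wmv, the Media Player plug-in vector (MS06-006).
The sample page below is constructed; 203.0.113.5 is a documentation address and the
repeated %u4141 is filler, not an actual payload.
"""
import ipaddress
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
EMBED_RE = re.compile(r"<(?:embed|object)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']', re.I)

SPRAY_MIN_ESCAPES = 32  # assumption: 32 escapes (64 bytes) is long enough to be worth a look


def attrs(tag_body):
    """Parse 'name="value"' pairs from the inside of a tag into a dict (keys lower-cased)."""
    out = {}
    for m in ATTR_RE.finditer(tag_body):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decode_u_escapes(run):
    """Turn a %uXXXX run into the little-endian bytes JS unescape() would place in memory."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in re.findall(r"%u([0-9a-fA-F]{4})", run))


def triage_html(html, page_host):
    """Return a list of (kind, detail, reasons) findings for one page."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        a = attrs(m.group(1))
        src = a.get("src", "")
        if "://" not in src:
            continue  # relative frames stay on the page's own origin
        host = urlparse(src).hostname or ""
        reasons = []
        if is_raw_ip(host):
            reasons.append("iframe source is a raw IP address")
        elif host and host != page_host:
            reasons.append("iframe pulls content from foreign host %s" % host)
        style = a.get("style", "").replace(" ", "").lower()
        if "0" in (a.get("width", ""), a.get("height", "")) or "display:none" in style:
            reasons.append("iframe is hidden or zero-sized")
        if reasons:
            findings.append(("iframe", src, reasons))
    for m in UNESCAPE_RE.finditer(html):
        run = m.group(1)
        n = run.count("%u")
        if n >= SPRAY_MIN_ESCAPES:
            blob = decode_u_escapes(run)  # what an analyst would hash and submit
            findings.append(("unescape", "%d escapes -> %d bytes" % (n, len(blob)),
                             ["%u-escaped blob fed to unescape(), heap-spray/shellcode pattern"]))
    for m in EMBED_RE.finditer(html):
        a = attrs(m.group(1))
        src = a.get("src") or a.get("data") or ""
        if src.lower().endswith(".wmv"):
            findings.append(("embed", src, ["Media Player plug-in EMBED with .wmv source (MS06-006 vector)"]))
    return findings


# Constructed sample page combining the three traits; "%u4141" * 40 is filler, not shellcode.
SAMPLE_HTML = """<html><body>
<iframe src="http://203.0.113.5/index.html" width="0" height="0"></iframe>
<h1>Travel policy templates</h1>
<script>
var spray = unescape("%s");
</script>
<embed src="http://203.0.113.5/media/clip.wmv" type="application/x-mplayer2">
</body></html>""" % ("%u4141" * 40)

if __name__ == "__main__":
    for kind, detail, reasons in triage_html(SAMPLE_HTML, "www.example.com"):
        print("[%s] %s" % (kind, detail))
        for reason in reasons:
            print("   - " + reason)
```

Run against the constructed page this reports three findings: the zero-sized raw-IP IFRAME, the 40-escape blob (80 bytes once decoded), and the .wmv EMBED. A clean page with only a relative IFRAME produces nothing. The decoder matters in practice because the bytes, not the escaped text, are what you hash, compare against a known sample, and hand to the people writing the pattern.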
More information on MS06-006 can be found on the Microsoft website.
All malicious samples, together with the URLs related to this incident, are already being processed for inclusion in Trend solutions.
We have just received yet another variant of WORM_BAGLE from our honeypot system, and it seems to be made for Valentine’s Day, as you will see below. This is actually Bagle’s style for increasing its infection rate: seasonal e-mail content. Seasonal and convincing e-mail messages help Bagle spread rapidly, and they add to Bagle’s popularity and its reputation for good social engineering techniques.
Below you will see a sample e-mail from the initial seeding of WORM_BAGLE. This is not the actual e-mail the worm itself uses to propagate, but a spammed e-mail. It has an executable attachment named e-card.exe, which is a copy of the worm.
Other details about the worm
Possible Subjects
- Will You Be My Valentine?
- Love you with all my heart!
- See you tonight!
- Come Be With Me, my Love!
- My dream is coming true!
Possible Attachments
- love_me.exe
- mplay.exe
- love_me_now.exe
Update (JJ, 16 February 2006 00:32:55)
The Bagle author is now quoting Robert Frost’s “Love And A Question” and “To Earthward” (check out the Advisories section for the spammed e-mails). Here’s one sample:
Yes, I just googled it; I didn’t exactly know it was by Robert Frost the first time :p At least that’s what Google said (disclaimer if ever it’s wrong hwehehe).