09 Jun Don't be a victim
24 Apr News from the Mobile Front
The whole new Gpcode outbreak has set me thinking about attackers and victims in general. Yes, decrypting the key used by the new Gpcode is a thorny problem and there's no guarantee of success. So I'd like to remind everyone that common sense is as important as good technology.
Passivity on the part of victims gives cyber-attackers free rein. If you've lost your data to Gpcode and are desperate to recover it…even if you give in and rush to purchase an egold account, you can still help stop whoever's behind this. Don’t just send the PIN code to the blackmailers. Send a copy to the support service of the e-payment system you are using. This will help the investigators track the criminal. And tracking the criminal means s/he might even be caught red-handed.
On the other hand, victims failing to take any action guarantees that the criminal will never be caught – which means there will be new victims – or the same victims will suffer again…and again...and again.
Final thought – I hope that a fourth post on this subject isn't misleading anyone. There is no Gpcode epidemic; we've seen a limited number of infections to date.
However, technical threats aside, it's user awareness that continues to be a global issue. Stop being a victim, back up your data and take my comments above in context of Gpcode's history. And then review your own information security in this context as well.
There have been numerous unrelated web-site intrusions lately. The result is that a malicious script (usually a modification of Trojan-Downloader.JS.Psyme) is put on the server in place of the original index* file, so that the script is executed as soon as a user visits the web-site. During script execution a known (and patched) Microsoft IE vulnerability is exploited, which leads to the user's PC being infected with a Trojan spy. Inside the script, the links to the Trojan usually (but not always) refer to some "sp.php".
How could the intrusions have been conducted? There are a few possible scenarios:
1. A live hacker intrusion.
The large number of very similar cases reduces the probability of this scenario to zero.
2. Massive automatic exploitation of web-server services.
Some of the logs of infected systems that I’ve had access to show that the malicious scripts are being uploaded via FTP using existing FTP logins. This means that a hacker (whoever or whatever s/he/it may be) has had access to the server's logins and passwords - at least to some of them. OK, so the password file could have been obtained via a server vulnerability and the passwords cracked - MD5 isn’t the most up-to-date thing these days. But this scenario isn’t at all likely: according to the system logs, no tampering with system services has been registered. The only intrusion-related action registered is a direct FTP logon followed by files being uploaded - it may seem like a contradiction in terms, but as far as the server could tell, the intrusion was absolutely legitimate.
So what are the remaining probable/ possible intrusion scenarios?
Discarding the idea of sniffing, which is very unlikely, the only possibility left is…
3. Passwords stolen from end user machines.
What I’m picturing is a Windows Trojan which could harvest passwords if it was run on a website admin's Windows box with FTP passwords stored on it (e.g. in Total Commander). This theory seems even more likely if we think about where the scripts are found: on servers for sites ranging from well known media sites to private unindexed sites. There’s no obvious logic in that selection. But it can be explained by a Trojan, because FTP user/password data is stored in FTP client software along with the server's IP-address data.
If the malicious program has got access to the IP/user/password FTP data, it doesn’t even have to send this data anywhere. It just needs to initiate an FTP session and infect the server with a malicious script - (assuming the user has appropriate FTP privileges, of course).
I strongly believe that #3 is the correct scenario, although I don’t have all the facts to prove it yet.
It may be very boring, but there’s an easy way to stop this epidemic of infected web sites:
- up-to-date MS patches,
- up-to-date AV bases,
- and a firewall.
plus all the common sense anti-virus precautions such as ‘Do not run suspicious programs’, ‘Disable ActiveX in the browser’ etc. etc.
And finally, a specific solution to this particular problem: avoid saving user/password data for FTP services (or, more generally, any user/password data) in Windows clients. The only question is, whose memory is good enough to follow this advice?
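Since the only server-side trace of scenario #3 is a legitimate-looking FTP logon followed by an upload of an index* or sp.php file, an admin can check for exactly that pattern in the FTP server's transfer log. The script below is an added example (not from the original post); it uses constructed vsftpd-style log lines and assumes a per-user baseline of known client addresses.

```python
import re

# Constructed sample lines in vsftpd.log style; not real logs from the post.
SAMPLE_LOG = """\
Mon Jan  9 09:02:11 2006 [pid 101] [webadmin] OK LOGIN: Client "198.51.100.7"
Mon Jan  9 09:03:40 2006 [pid 101] [webadmin] OK UPLOAD: Client "198.51.100.7", "/htdocs/news/2006.html", 8123 bytes
Mon Jan  9 03:12:44 2006 [pid 233] [webadmin] OK LOGIN: Client "203.0.113.50"
Mon Jan  9 03:12:51 2006 [pid 233] [webadmin] OK UPLOAD: Client "203.0.113.50", "/htdocs/index.php", 4112 bytes
Mon Jan  9 03:13:02 2006 [pid 233] [webadmin] OK UPLOAD: Client "203.0.113.50", "/htdocs/sp.php", 20480 bytes
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|UPLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Files the post says intruders replace or drop: the site's index* file and sp.php.
SUSPICIOUS_PATH = re.compile(r'/(index[^/]*|sp\.php)$')


def find_suspicious_uploads(log_text, known_ips):
    """Return (user, ip, path, reason) tuples for uploads matching the intrusion pattern.

    known_ips maps user -> set of client IPs the admin normally logs in from.
    This baseline is an assumption; build it from a clean period of logs.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['action'] != 'UPLOAD':
            continue
        reasons = []
        if SUSPICIOUS_PATH.search(m['path']):
            reasons.append('writes index*/sp.php')
        if m['ip'] not in known_ips.get(m['user'], set()):
            reasons.append('unfamiliar client IP')
        if reasons:
            findings.append((m['user'], m['ip'], m['path'], '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    baseline = {'webadmin': {'198.51.100.7'}}
    for finding in find_suspicious_uploads(SAMPLE_LOG, baseline):
        print(finding)
```

A hit from a familiar IP still deserves a look: the stolen credentials may be used from the admin's own infected box.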
We've been receiving a number of new samples of Trojan-Downloader.Win32.Delf.awg from users. It looks like this program, which will download Email-Worm.Win32.Scano, Trojan-Proxy.Win32.Xorpix and Trojan-PSW.Win32.LdPinch, has been widely spammed.
Delf.awg hides its network activity from firewalls by invading the svchost.exe process. The Trojan creates its own thread and uses it to download the malware, thus avoiding firewalls, which naturally allow network activity for svchost.exe.
The bad news is that you always need to be careful, and never open suspicious attachments. The good news is that KAV 6.0 and KIS detect these new modifications of Delf proactively. So even if you haven't managed to update recently, you're still protected.
It is October 5th, 8:40 am. I am standing in the middle of the Shinjuku metro station helplessly staring at a spacious maze of entries, exits and crossings that is completely crowded with people. I am trying to find at least one sign written in English. In 20 minutes, I have to be in the Keio Plaza hotel, in which the BlackHat Japan conference takes place this year.
At the conference, all my preconceptions about the type of people who would attend a Black Hat event are proven wrong: instead of finding a crowd of suspicious-looking characters in black hats, I am met by several hundred highly civilized IT specialists, most of whom are regular Japanese office workers. People told me that you are more likely to come across a “hacker” atmosphere at the Las Vegas Black Hat, which takes place every August.
Black Hat Japan 2006 was divided into two briefing tracks, which meant that I only managed to see half the presentations. The presentations ranged from general informational overviews to highly technical descriptions of new developments in the field of system programming. A good third of the presentations dealt with malicious code. Joanna Rutkowska (www.invisiblethings.org) presented her already well-known proof-of-concept rootkit, which is based on virtualization technology, and ways of bypassing the Microsoft Vista policy. Darren Bilby from Security Assessment gave a presentation about another proof-of-concept rootkit for defeating live forensic disk and memory analysis. Two other presentations covered systems for collecting and automatically analyzing viruses and current online threats such as phishing.
It is a pity that attendance at IT conferences is lower in Russia than it is in the USA and Europe. Some of the most skilled and forward-thinking specialists in the field attend conferences like Black Hat Japan 2006, and I am convinced that events like this do a lot to foster the professional development of attendees.
The first quarter of 2006 marks a turning point in mobile malware development. The era of quantitative development, with its numerous, but primitive Trojans for Symbian OS has ended. The quality of mobile malware has changed visibly.
Let’s consider a chronological list of mobile viruses that appeared in early 2006:
We see that writers of mobile malware have begun to use new programming languages: .NET (".MSIL.") and Java (".J2ME.").
Moreover, a new fashion seems to be emerging: a bias towards cross-platform viruses. For example, Worm.MSIL.Cxover infects mobile devices that can be accessed via ActiveSync when it is executed on a PC. Yet it also infects the PC using the same mechanism when launched on a mobile device.
Then we have Trojan-Spy.SymbOS.Flexispy: a commercial Trojan that collects information about phone calls and SMS messages. Of course, it is only one example, but it is enough to show that the industry of mobile viruses has at last made headway into commerce on the one hand and into spying on the other.
And I think this is just a beginning.
There's recently been a lot of noise about a new trojan for mobile phones (namely, the so-called Gavno trojan). According to Simworks, the new malware affects certain types of mobile devices, making it impossible to use them to make telephone calls.
Analysis of the malware sample showed that it is nothing more than a small text file pretending to be an application, packed into a standard Symbian archive (SIS). Symbian OS attempting to execute a non-executable file is probably the reason why an infected device becomes virtually useless.
The new trojan is detected as Trojan.SymbOS.Locknut.a.
We also have samples of Worm.SymbOS.Cabir (detected as Cabir.h and .i) that include the Trojan.SymbOS.Locknut.a installation. So there is the possibility of Trojan.SymbOS.Locknut.a spreading in the wild via BlueTooth along with Cabir.
We've received a new variant of Backdoor.Win32.Wootbot, an IRC Trojan. The file is detected as Backdoor.Win32.Wootbot.gen, but contains an additional function: it will penetrate machines with MySQL server installed.
When the malicious program launches it connects to one of a range of IRC servers where it listens for commands, including a command to start propagating. It then scans a given range of IP addresses and, if it finds an open MySQL server port on one of the addresses, tries to gain administrator access. It does this by brute-forcing the administrator password using a list of passwords coded into the malicious program. If it succeeds, the worm sends its body to the victim machine, penetrating via a vulnerability which was identified in the middle of 2004, and launches itself on the victim machine.
In addition to its propagation routine, the malicious code has standard functions of IRC backdoors, which will give the remote malicious user almost complete control over the victim machine. The worm opens four ports, port 69 and three chosen at random.
Internet Storm Center estimates that several thousand machines have already been infected.
The malicious program doesn't exploit any vulnerability for the initial connection to the MySQL server. Because of this, administrators can protect their servers simply by choosing a strong password.
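Because the worm's only way in is a password list tried against the administrator account, the attack leaves a burst of denied logins from one host. The following added example (not from the original post) flags hosts that produce a run of such failures within a short window; it uses constructed lines in the style of a MySQL error log and assumes the server is configured to log failed connections.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in MySQL error-log style; not real logs from the post.
SAMPLE_LOG = """\
050127 02:14:01 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 02:14:01 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 02:14:02 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 02:14:02 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 02:14:03 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 02:14:03 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 02:30:15 [Warning] Access denied for user 'root'@'198.51.100.20' (using password: YES)
050127 09:30:15 [Warning] Access denied for user 'root'@'198.51.100.20' (using password: YES)
"""

DENIED_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d\d:\d\d:\d\d) \[Warning\] Access denied for user "
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)'"
)


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {host: timestamp of first failure in the burst} for every host with
    at least `threshold` denied logins inside any `window_s`-second window.
    A handful of failures spread over hours (a typo-prone admin) is not flagged.
    """
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    flagged = {}
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['date'] + m['time'], '%y%m%d%H:%M:%S')
        window = recent[m['host']]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and m['host'] not in flagged:
            flagged[m['host']] = window[0]
    return flagged


if __name__ == '__main__':
    for host, first in detect_bruteforce(SAMPLE_LOG).items():
        print(f'{host}: password-list attack starting {first}')
```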
Internet Storm Center has been registering high traffic on port 11768 since the end of December. The appropriate graph is available at http://isc.sans.org/port_details.php?port=11768.
There have also been numerous reports from internet systems administrators of frequently repeated network packets with source port 445 and destination port 11768. This makes the traffic look like the activity of a Net-Worm that opens a backdoor on 11768 and spreads via 445.
We've recently got a virus that opens a backdoor on 11768 and spreads via 445. The virus is a modification of Net-Worm.Win32.DipNet (Net-Worm.Win32.DipNet.d). However, it seems that the previous modifications of the virus didn't listen on port 11768.
An antivirus database update is already available. A detailed description of the virus will be available in the Virus Encyclopedia in the near future.
Analysis of the new virus mentioned in the previous posting showed that it's a SymbianOS worm, based on Cabir source code, that spreads itself via BlueTooth. It also has a file infection functionality.
Upon execution, the virus searches for nearby BlueTooth devices (those which are in discoverable mode) and tries to transmit itself to any accessible ones. It also initiates a drive-wide scan for SIS-files and tries to infect them by inserting virus code directly into an SIS archive.
We've called this virus Worm.SymbOS.Lasco.a. An antivirus database update is already available.
A detailed description of the virus will be available in the Virus Encyclopedia in the near future.
UPDATE: the description of Lasco.a is now online.
We have just received a new virus for SymbianOS mobile phones directly from its author. This is an interesting specimen because it is the first known SIS-file infector. It is provided in two variants: a Windows application and a SymbianOS SIS application.
We are conducting a detailed analysis of the virus. We will post more information a little bit later.