<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
		<title>Security Response Weblog</title>
		<link>http://www.symantec.com/enterprise/security_response/weblog/</link> 
		<description>Security Response</description>    
		<language>en-us</language>
		<lastBuildDate>Fri, 9 Jan 2009 15:11:30 &#43;0000</lastBuildDate>
		
		<item>
				<title>New Variants of W32.Downadup.B Find New Ways to Propagate</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=225</link>
				<description>Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability as soon as possible. A new variant of this threat, called W32.Downadup.B, appeared on December 30th</description>
				<content:encoded>&lt;p&gt;Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for &lt;a href=&#034;http://www.securityfocus.com/bid/31874&#034; target=&#034;_blank&#034;&gt;Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability&lt;/a&gt; as soon as possible.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;A new variant of this threat, called &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&#034; target=&#034;_blank&#034;&gt;W32.Downadup.B&lt;/a&gt;, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords. These propagation methods are nothing new; W32.Spybot, W32.Randex, and W32.Mytob variants all use almost identical methods to spread, but this variant requires more effort to protect corporate networks. &amp;nbsp;&lt;br /&gt;&amp;nbsp;&lt;br /&gt;W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Symantec researchers are seeing considerable detections of both variants of W32.Downadup and W32.Downadup.B. 
As illustrated by the following infection maps based on data from the past 60 days, the infections are geographically quite widespread. The highest infection rates typically correspond to countries with high rates of computer/Internet usage.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Infections of W32.Downadup &lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/w32.downadup-full.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/w32.downadup-thumb.jpg&#034; border=&#034;0&#034; width=&#034;512&#034; height=&#034;384&#034; /&gt;&lt;/a&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; &lt;strong&gt;Infections of W32.Downadup.B&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/w32.downadup.b-full.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/w32.downadup.b-thumb.jpg&#034; border=&#034;0&#034; width=&#034;512&#034; height=&#034;384&#034; /&gt;&lt;/a&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Symantec strongly encourages users to patch their system against the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, take steps to control the execution of applications referenced in the autorun.inf files that may be located on removable and network drives, and enforce a strong password policy on all computers within their networks.&amp;nbsp; Holiday periods in particular are an opportune time for malware to spread, since patch updates can be missed.&amp;nbsp; Consider implementing an automated patch management solution to help mitigate risk.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Click &lt;a 
href=&#034;http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648&#034; target=&#034;_blank&#034;&gt;here&lt;/a&gt; to obtain more information about how to prevent a threat from spreading using the &amp;quot;AutoRun&amp;quot; feature.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;For more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting - &lt;a href=&#034;https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/224&#034; target=&#034;_blank&#034;&gt;W32.Downadup Infection Statistics&lt;/a&gt; - posted on January 6th.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 01-09-2009&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 09:07 AM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Symantec Security Response</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=225</guid>
				<dc:date>2009-01-09T15:11:30+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>New Year Brings New Spam Attacks</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=135</link>
				<description>Happy New Year! At this time of year, personal and professional resolutions are often made. These resolutions are often broken within a few days, but it is clear that one resolution will not be broken in 2009. Spam levels are slowly creeping back up to their pre-McColo shutdown levels and spammers have come back fighting.</description>
				<content:encoded>Happy New Year! At this time of year, personal and professional resolutions are often made. These resolutions are often broken within a few days, but it is clear that one resolution will not be broken in 2009. Spam levels are slowly creeping back up to their pre-McColo shutdown levels and spammers have come back fighting. You may remember that on November 11, 2008, McColo-hosted systems were shut down based on abuse complaints. As a result, spam volumes dropped dramatically across the world. However, recent statistics indicate that spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;In recent days, Symantec has also observed that spammers are continuing to piggyback on legitimate newsletters and using the reputation of major social networking sites to try and deliver spam messages into recipients&amp;rsquo; inboxes. The social networking spam messages were carefully crafted to closely mimic the legitimate notification emails often distributed from social networking sites.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;The recent holiday season was also used as a vehicle by spammers to distribute a wide host of spam messages including adult, leisure, finance, and meds spam messages. These spam attacks were not limited to the English language but included non-English language spam too. 
&lt;br /&gt;&amp;nbsp;&lt;br /&gt;To read about these or other trends in the Symantec Monthly State of Spam Report, such as spammers using the recession to get into your inbox, new year brings new fraud attacks, and Obama-related spam messages, please visit the &lt;a href=&#034;http://www.symantec.com/spam&#034; target=&#034;_blank&#034;&gt;State of Spam website&lt;/a&gt; and the &lt;a href=&#034;http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_01-2009.en-us.pdf&#034; target=&#034;_blank&#034;&gt;January State of Spam Report&lt;/a&gt;.&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 01-08-2009&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 09:30 AM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=135</guid>
				<dc:date>2009-01-08T13:41:28+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>A Spammer Has Sent You a Message</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=134</link>
				<description>Symantec has observed at least two major social networking sites being spoofed in spam attacks this week. The spam is likely hitching a ride on the back of a recent phishing scam, as discussed on our Norton Protection Blog. The spam emails appear to be official notifications from the social networking sites, with identical subject line formats.</description>
				<content:encoded>&lt;p&gt;Symantec has observed at least two major social networking sites being spoofed in spam attacks this week. The spam is likely hitching a ride on the back of a recent phishing scam, as &lt;a href=&#034;http://community.norton.com/t5/Norton-Protection-Blog/Twitter-Users-Attacked-by-Phishing-Efforts/ba-p/55091;jsessionid=BAF5F99922006E5D198CDD1048491731#A258&#034; target=&#034;_blank&#034;&gt;discussed on our Norton Protection Blog&lt;/a&gt;. The spam emails appear to be official notifications from the social networking sites, with identical subject line formats. The headers of the messages, such as message ID, received lines, and even the custom X-headers have been carefully crafted to mimic a legitimate email as closely as possible. &lt;br /&gt;&lt;br /&gt;The lure of the emails is the promise of a free mobile phone. There are two different attack vectors being used. In the first variation the user is invited to click directly on a link in the email. In some cases, a free blogging site is used as an intermediary to redirect end users to the ultimate destination URL in order to avoid spam filters. In other cases, as in the example shown below, the spammer has linked directly to a suspicious site.&lt;br /&gt;&lt;br /&gt;The domain being utilized was recently registered anonymously via a third party on December 19, 2008, and the site has already been taken down.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/twitter1_sml.jpg&#034; border=&#034;0&#034; width=&#034;384&#034; height=&#034;304&#034; /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;In the second variation the user is invited to join a group on the social networking site. In this case the link in the email actually goes to a real group that was created on the social networking site by the spammers. 
The group then links to a free blogging site as an intermediary to redirect end users to the ultimate destination URL. So far, many of the messages observed are using the same single social networking group. It may be because this was an experiment by the spammers or because the creation of multiple groups associated to multiple accounts could be too time-consuming.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/twitter2_sml.jpg&#034; border=&#034;0&#034; width=&#034;373&#034; height=&#034;259&#034; /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;Once the user arrives at the destination URL they are requested to fill out a form collecting personal information. This information can be sold on to marketing companies and/or used in future spam campaigns. Symantec recommends that you do not accept any social networking invitations from names that are unfamiliar to you.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 01-07-2009&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:37 AM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Amanda Grady</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=134</guid>
				<dc:date>2009-01-07T19:20:24+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Not-For-Profit Phishing</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=101</link>
				<description>A recent phishing scheme that targets users of Twitter (http://blog.twitter.com/2009/01/gone-phishing.html) may be related to a string of Web attacks against several high-profile celebrities and no doubt many other users.</description>
				<content:encoded>&lt;p&gt;A recent phishing scheme that targets users of Twitter (&lt;a href=&#034;http://blog.twitter.com/2009/01/gone-phishing.html&#034; target=&#034;_blank&#034;&gt;http://blog.twitter.com/2009/01/gone-phishing.html&lt;/a&gt;) may be related to a string of Web attacks against several high-profile celebrities and no doubt many other users. The most recent attacks apparently began when stolen credentials were distributed by a user on the &lt;a href=&#034;http://www.digitalgangster.com&#034; target=&#034;_blank&#034;&gt;Digital Gangster&lt;/a&gt; website. The noticeable result was a spontaneous defamation free-for-all, whereby the credentials were used to post humorous and sometimes vulgar messages on the compromised accounts. Some of the posts also redirected users to advertising websites.&lt;br /&gt;&lt;br /&gt;This sort of activity is nothing new; however, it is interesting that the user gave out the credentials for free instead of selling them for a profit. As discussed in the recent Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt;, user credentials can be sold for a profit and the fact that some of the credentials were for high-profile celebrities would likely add to the value of such information. It could be that the person was only after credibility and enjoys the act of phishing but has no interest in keeping the catch. Sport-phishing, anyone?&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;span style=&#034;font-weight: bold&#034;&gt;Update&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;According to the (overlooked) Monday post on the &lt;a href=&#034;http://blog.twitter.com/&#034; target=&#034;_blank&#034;&gt;Twitter Blog&lt;/a&gt;, the attacks on the celebrity accounts were not related to the phishing scam as was first speculated. 
A hacker gained unauthorized access to some of Twitter&amp;rsquo;s administrative support tools and subsequently used them to take control of 33 accounts. According to other sources, the hacker used a brute-force dictionary attack to determine the administrative password. &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Twitter has addressed the issue, having restored the hacked accounts, and is currently undergoing a full security review to mitigate future attacks. As quoted from Twitter&#039;s Monday post, &amp;quot;We immediately locked down the accounts and investigated the issue.
Rick, Barack, and others are now back in control of their accounts.&amp;quot; &lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 01-08-2009&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 08:22 AM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Téo Adams</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=101</guid>
				<dc:date>2009-01-07T11:16:20+00:00</dc:date>
				<category>Online Fraud</category>
			</item>
		<item>
				<title>W32.Downadup Infection Statistics</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=224</link>
				<description>The W32.Downadup.A worm was the first worm discovered in the wild that was successfully leveraging MS08-067 in a widespread fashion. Symantec carried out an in-depth analysis of this threat and discovered that infected hosts will generate 250 pseudo-random domain addresses each day, in preparation of attempting to contact them later on to download and execute an update binary.</description>
				<content:encoded>The &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&amp;amp;tabid=2&#034; target=&#034;_blank&#034;&gt;W32.Downadup.A&lt;/a&gt; worm was the first worm discovered in the wild that was successfully leveraging &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&#034; target=&#034;_blank&#034;&gt;MS08-067&lt;/a&gt; in a widespread fashion. Symantec carried out an in-depth analysis of this threat and discovered that infected hosts will generate 250 pseudo-random domain addresses each day, in preparation of attempting to contact them later on to download and execute an update binary.&lt;br /&gt;&lt;br /&gt;This is an interesting and increasingly popular technique that malicious code authors have been deploying. It allows them to more easily evade domain and server takedowns, because until they choose to register a domain associated with a given day, the security industry is unable to know for sure which domain will be used and therefore has little to target. Fortunately, by reverse engineering the domain-generation algorithms, we are able to proactively identify and blacklist the domains.&lt;br /&gt;&lt;br /&gt;What&amp;rsquo;s also interesting about this method of obtaining binary updates is that it does allow for the number of infections to be approximated by monitoring contact attempts against generated domains. By pre-calculating and registering future domains, the Symantec Intelligence Analysis Team was able to observe contact attempts made by numerous infections. Over the course of a week, we observed over three million unique IP addresses attempting to obtain a download file from our server. However, we believe that the number of infections is higher than this estimate due to multiple internal infections that may be using network address translation (NAT) behind a single external IP address. 
Also, it&amp;rsquo;s possible that an infected computer does not contact all 250 generated domains each day. If this latter possibility is the case, then we may only be seeing a subset of the actual total number of infected computers in this bot network.&lt;br /&gt;&lt;br /&gt;For instance, we have been able to show that multiple infections are coming from a single IP address by identifying unique user-agent strings coming from the same IP. The following graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs:&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/down1_sml.jpg&#034; border=&#034;0&#034; width=&#034;348&#034; height=&#034;314&#034; /&gt;&lt;br /&gt;&lt;br /&gt;While on the topic of user-agents, when contacting one of the generated domains to obtain a binary, an infected computer sends a specific user-agent string as part of the HTTP request. User-agent strings contain version information about the associated operating system (OS) and Web browser, and can be used to collect interesting statistics. For example, Windows XP SP1 can be identified by a user-agent containing Windows NT 5.1. Systems running Windows XP SP2 and later can be identified by Windows NT 5.1; SV1. By analyzing the user-agent strings associated with each unique request, we are able to approximate the distribution of infected operating system types. The following graphic shows the OS distribution observed over a 72-hour period:&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/down2_sml.jpg&#034; border=&#034;0&#034; width=&#034;330&#034; height=&#034;351&#034; /&gt;&lt;br /&gt;&lt;br /&gt;As can be seen, the most commonly infected systems appear to be Windows XP SP1 and earlier. 
Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind was Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares.&lt;br /&gt;&lt;br /&gt;We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&amp;amp;tabid=2&#034; target=&#034;_blank&#034;&gt;W32.Downadup.B&lt;/a&gt;. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It&amp;rsquo;s not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines. &lt;br /&gt;&lt;br /&gt;We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers.</content:encoded>
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=224</guid>
				<dc:date>2009-01-06T20:39:43+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>2008—Ending With a Bang</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=183</link>
				<description>This has been an interesting year for high-profile vulnerabilities and security research. In 2008, awareness has been raised about a number of high impact, remote code-execution vulnerabilities affecting both server- and client-side applications. Published attacks targeted important protocols used by critical Internet infrastructure.</description>
				<content:encoded>&lt;p&gt;This has been an interesting year for high-profile vulnerabilities and security research. In 2008, awareness has been raised about a number of high impact, remote code-execution vulnerabilities affecting both server- and client-side applications. Published attacks targeted important protocols used by critical Internet infrastructure. A number of flaws in cryptographic implementations have also been made public. In addition to the aforementioned issues, new exploitation techniques were demonstrated that emphasized the growing trend toward application-specific attacks targeting Web technologies.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;Let&#039;s begin with a few high-profile memory corruption flaws on the Microsoft Windows front. The year started with a bang: MS08-001, a remotely exploitable memory-corruption vulnerability affecting the Microsoft Windows kernel. Then, in October we saw in-the-wild exploitation of a previously undisclosed RPC vulnerability affecting Microsoft Windows (MS08-067). In December we saw in-the-wild exploitation of a previously unknown and unpatched vulnerability affecting Internet Explorer (MS08-078).&lt;br /&gt;&lt;br /&gt;On the critical infrastructure front, research was published regarding the targeting of two protocols that are critical to supporting Internet infrastructure. The first was Dan Kaminsky&#039;s much talked about DNS vulnerability that allowed attackers to easily insert arbitrary DNS records into an affected DNS server. The second piece of research demonstrated a man-in-the-middle attack abusing BGP.&lt;br /&gt;&lt;br /&gt;On the cryptographic front, June marked the disclosure of a high-profile vulnerability affecting SNMPv3. Due to an implementation flaw, attackers were able to perform brute-force attacks against the HMAC authentication routine used in some SNMPv3 implementations. In May, a flaw in Debian&#039;s OpenSSL package was publicized. 
Due to a mistake made during testing, the entropy pool for the generation of cryptographic keys was limited to using Process IDs (PIDs), making brute-force attacks trivial.&lt;br /&gt;&lt;br /&gt;The aforementioned cryptographic vulnerabilities make for an interesting segue into some research that was disclosed today. It looks like 2008 is going to end on an exceptionally high note (or a low one, depending on how you look at it). Today (December 30, 2008), three security researchers added to the list of cryptographic-implementation flaws when they gave a talk at the 23rd Chaos Communication Congress in Berlin. Their talk disclosed a vulnerability affecting certificate authority (CA) signing. A CA &amp;ldquo;signs&amp;rdquo; digital certificates, operating as a trusted third party to help ensure the validity of a certificate. The ability to create a rogue, signed certificate for an arbitrary site has extremely dangerous implications. This is what the attack presented today does.&lt;br /&gt;&lt;br /&gt;First, a little bit of background information is required. In the past couple of years, researchers have identified a few attacks that leverage hash collisions computed using the MD5 algorithm. Computing a collision for a particular hash algorithm means finding two different messages whose hashes are the same, which effectively proves that the hash algorithm is not cryptographically secure. Computing hash collisions is not particularly easy and often requires large amounts of time and computational resources. The researchers who published this research overcame that limitation by using a cluster of PlayStation 3 video game consoles to brute-force hash collisions in MD5.&lt;br /&gt;&lt;br /&gt;The attack targets CAs that specifically use the MD5 hash algorithm to issue certificates. 
According to the summary, in a nutshell, the attack breaks down like this:&lt;/p&gt;&lt;p&gt;&lt;br /&gt;1.&amp;nbsp;&amp;nbsp;&amp;nbsp; Identify a CA that is accepted by most/all common Web browsers and uses MD5 to issue certificates.&lt;br /&gt;2.&amp;nbsp;&amp;nbsp;&amp;nbsp; Use a crafted request to obtain a certificate from the CA, which will collide with a specially crafted intermediary CA certificate (already in the attackers&amp;rsquo; possession).&lt;br /&gt;3.&amp;nbsp;&amp;nbsp;&amp;nbsp; Copy the digital signature from the certificate issued by the CA into the attacker-generated intermediary certificate, effectively creating a trusted and signed CA under the attackers&amp;rsquo; control.&lt;br /&gt;4.&amp;nbsp;&amp;nbsp;&amp;nbsp; Use the attacker-controlled certificate to sign arbitrary certificates, making them appear to come from a legitimate CA and thereby be trusted by third parties. &lt;br /&gt;5.&amp;nbsp;&amp;nbsp;&amp;nbsp; Use arbitrarily signed certificate for nefarious purposes.&lt;br /&gt;&lt;br /&gt;Step two, listed above, is of course the non-trivial portion of this attack and a detailed explanation is certainly out of scope for this blog entry. For a detailed explanation of all the caveats and complexities involved, please refer to the link included at the end of this article.&lt;br /&gt;&lt;br /&gt;The effects of this attack are important for several reasons and a particularly interesting use (a case noted by the authors of this research) is in creating convincing phishing scams. Used in conjunction with something like the DNS vulnerability published by Dan Kaminsky earlier this year, attackers would be able to create highly convincing websites to steal user credentials and all sorts of confidential information.&lt;br /&gt;&lt;br /&gt;For example, say an attacker wanted to obtain legitimate authentication credentials to a specific financial institute&amp;rsquo;s online banking site. 
The attacker would set up a fake site designed to appear identical to the legitimate site. The attacker would then direct unsuspecting victims to this site in the hopes of luring them to attempt to log in and thus expose their authentication credentials. This may be carried out via cross-site-scripting, distributing fake emails, or as previously mentioned leveraging a localized DNS poisoning attack. This is a common phishing scenario and is an easy way for an attacker to drain money from the accounts of victim users.&lt;br /&gt;&lt;br /&gt;Previously, under most attack scenarios, the malicious and fake banking site would not contain a legitimate and/or trusted certificate and a user&#039;s browser would flag it as untrusted. However, an attacker with a maliciously crafted CA certificate created using the aforementioned vulnerability would be able to sign a certificate for the malicious site, and due to the implied trust of the root CA that was manipulated to sign the malicious intermediary CA, the browser would trust the site and unknowingly flag it as safe. &lt;br /&gt;&lt;br /&gt;When all of these conditions are fulfilled and carried out successfully, an attacker would be left with an extremely convincing and seemingly legitimate banking site that most users would never know to be malicious. By supplying a trusted certificate an attacker could greatly improve the chances of obtaining credentials.&lt;br /&gt;&lt;br /&gt;The Internet threat landscape for 2009 is going to be interesting. So-called esoteric or &amp;ldquo;difficult&amp;rdquo; attacks are beginning to become reality. Time and time again new research has proven that seemingly &amp;ldquo;un-exploitable&amp;rdquo; scenarios are indeed exploitable given a sufficient period of time. 
&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;For further reading:&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;&lt;br /&gt;MD5 considered harmful today - &lt;/strong&gt;&lt;/em&gt;&lt;a href=&#034;http://www.win.tue.nl/hashclash/rogue-ca/&#034; target=&#034;_blank&#034;&gt;Creating a rogue CA certificate&lt;/a&gt;&lt;/p&gt;</content:encoded>
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=183</guid>
				<dc:date>2008-12-31T00:07:48+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Merry Christmas from Arnold Schwarzenegger! (?)</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=223</link>
				<description>W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related</description>
				<content:encoded>&lt;p&gt;While investigating the worm W32.Waledac recently, we got a shock (and a few laughs) from what popped up on our screens (yes, unfortunately this is what passes for kicks in the virus lab during the holiday season):&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/arnold1.jpg&#034; border=&#034;0&#034; width=&#034;400&#034; height=&#034;401&#034; /&gt;&lt;br /&gt;&lt;br /&gt;(to see how we received this &amp;ndash; skip to &amp;ldquo;Arnold Surprise&amp;rdquo; below)&lt;br /&gt;&lt;br /&gt;First, I&amp;rsquo;ll tell you a little bit about the worm. &lt;a href=&#034;http://www.symantec.com/en/th/enterprise/security_response/writeup.jsp?docid=2008-122308-1429-99&#034; target=&#034;_blank&#034;&gt;W32.Waledac&lt;/a&gt; is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. 
The file name used by the worm is ecard.exe and the links are all Christmas related, such as:&lt;br /&gt;&lt;br /&gt;hxxp://[removed]fatherchristmas.com&lt;br /&gt;hxxp://b[removed]christmascard.com&lt;br /&gt;hxxp://white[removed]christmas.com&lt;br /&gt;hxxp://christmas[removed]snow.com&lt;br /&gt;hxxp://[removed]christmasworld.com&lt;br /&gt;&lt;br /&gt;The emails look something like the following (although the template changes slightly all the time):&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;em&gt;From: &amp;quot;[FirstName]&amp;quot; &amp;lt;random@random&amp;gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;To:victim&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&amp;nbsp;Subject: Merry Christmas wishes just for you&lt;/em&gt;&lt;br /&gt;&lt;em&gt;Date: Tue, 23 Dec 2008 20:14:17 -0000&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;[FirstName] has just posted Merry Christmas Wishes.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;To pick up your greeting card, click on the following link:&lt;/em&gt;&lt;br /&gt;&lt;em&gt;http://white[removed]christmas.com?8d02cdcc97&lt;/em&gt;&lt;br /&gt;&lt;em&gt;The greeting card will be stored for you for 14 days.&lt;/em&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;br /&gt;And, when the link is visited, you will get a message like this:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/arnold2_lrg.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/arnold2_sml.jpg&#034; border=&#034;0&#034; width=&#034;500&#034; height=&#034;399&#034; /&gt;&lt;/a&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;(&lt;strong&gt;Please don&amp;rsquo;t&lt;/strong&gt; run the .exe!)&lt;br /&gt;&lt;br /&gt;Even if you don&amp;rsquo;t accept the download of the ecard.exe &amp;ldquo;greeting card,&amp;rdquo; the attackers are already hard at work trying to exploit vulnerabilities 
in your browser. The page currently attempts to exploit many different vulnerabilities, including the zero-day vulnerability in Microsoft Internet Explorer discovered last week (patches from MS available here &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-078.mspx&#034; target=&#034;_blank&#034;&gt;http://www.microsoft.com/technet/security/Bulletin/MS08-078.mspx&lt;/a&gt;).&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The list of exploits includes:&lt;br /&gt;&lt;br /&gt;MDAC Exploit (of course) &lt;br /&gt;Adobe PDF Exploit&lt;br /&gt;MS IE7 Exploit MS08-078&lt;br /&gt;QuickTime RTSP exploit&lt;br /&gt;Snapshot Viewer exploit&lt;br /&gt;WebfolderIcon exploit&lt;br /&gt;NCTAudioFile2 ActiveX exploit&lt;br /&gt;KingSoft UpdateOcx2.dll SetUninstallName() Heap Overflow Exploit&lt;br /&gt;Yahoo! Webcam image upload ActiveX Exploit&lt;br /&gt;Yahoo! Webcam view utilities ActiveX Exploit&lt;br /&gt;Aurigma ImageUploader ActiveX Exploit&lt;br /&gt;RealNetworks RealPlayer ActiveX Exploit&lt;br /&gt;Creative Software AutoUpdate Engine ActiveX stack buffer overflow Exploit&lt;br /&gt;CA BrightStor ARCserve Backup r11.5 AddColumn() Exploit&lt;br /&gt;WebEx Meeting Manager ActiveX Control Exploit&lt;br /&gt;&lt;br /&gt;(Patches for all of the exploits mentioned above have been released by the respective vendors previously, i.e., there are no new exploits here.)&lt;br /&gt;&lt;br /&gt;The worm contains a long list of IP addresses that appear to be the control servers [see the writeup here for details]. The worm communicates with the control servers via a series of POST requests to randomly named pages at these IP addresses, and the data sent appears to be encrypted. The worm also appears to communicate with other infected hosts via a peer-to-peer channel. We are still analyzing the communication channels used by the worm. 
We will update this blog at a later stage with more info.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Arnold Surprise&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;While monitoring activity on the botnet we mostly saw encrypted info being sent via post requests to the control servers. Then we noticed a large image being sent down. Curious as to what the image might be we grabbed the image from the wire and hesitantly opened it. I&amp;rsquo;m not sure what we were expecting exactly, but this old picture of Arnold certainly wasn&amp;rsquo;t it! That caught us off guard completely and gave us a good laugh (thanks?). It seems that the speed of our connection was being tested, because shortly after this the worm tried to start sending spam.&lt;br /&gt;&lt;br /&gt;The spam that the worm was trying to send was mostly Christmas e-card emails that the worm uses to try and spread itself as mentioned above. However, we also saw the following emails being sent (we also enjoyed the poor English that is usually employed in these types of emails&amp;mdash;it keeps us laughing too):&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;em&gt;From: &amp;quot;Random Name&amp;quot; &amp;lt;random@email.address&amp;gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;To: &amp;lt;victim &amp;gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;Subject: Flexible Hours career_ promotion possibilities for you&lt;/em&gt;&lt;br /&gt;&lt;em&gt;Date: Tue, 23 Dec 2008 20:14:11 -0000&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Hello &lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;We found your ad of work search. First of all let me introduce. We are&lt;/em&gt;&lt;br /&gt;&lt;em&gt;the large financial company. The main types of activity:&lt;/em&gt;&lt;br /&gt;&lt;em&gt;securities,exchange services,trading services,broker intermediary.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;During the global crisis we have obtain a lot of customers who are&lt;/em&gt;&lt;br /&gt;&lt;em&gt;waiting for jump of the basic stock quotes. 
Most of the newly acquired&lt;/em&gt;&lt;br /&gt;&lt;em&gt;customers is in the Canada. Due to features of the legislation we&lt;/em&gt;&lt;br /&gt;&lt;em&gt;cannot work directly with physical persons. To do this we need an&lt;/em&gt;&lt;br /&gt;&lt;em&gt;authorized representative or official representation. As we did not&lt;/em&gt;&lt;br /&gt;&lt;em&gt;expect huge interest from the Canada - the opening of representation&lt;/em&gt;&lt;br /&gt;&lt;em&gt;is not included in our plans. In connection with the aforesaid, we are&lt;/em&gt;&lt;br /&gt;&lt;em&gt;looking for responsible person for mediation services which will be&lt;/em&gt;&lt;br /&gt;&lt;em&gt;the official representative in your region. In more details we will&lt;/em&gt;&lt;br /&gt;&lt;em&gt;tell to you in case of your interest. Send your interest note ONLY to:&lt;/em&gt;&lt;br /&gt;&lt;em&gt;[removed]@gmail.com&lt;/em&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Symantec originally detected this threat as a downloader and it has now been renamed to &lt;a href=&#034;http://www.symantec.com/en/th/enterprise/security_response/writeup.jsp?docid=2008-122308-1429-99&#034; target=&#034;_blank&#034;&gt;W32.Waledac&lt;/a&gt;, so be sure to update your definitions. Our IPS signatures also detect exploit-related traffic from the URLs listed above and our browser protection also triggered when we visited the sites listed above.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;A tip of the hat goes out to my colleague, Vikram Thakur, who shared in the research on this threat and also helped compile the info for this article. Also, over at Arbor Networks, Jose Nazario also posted a blog about this threat that you can find &lt;a href=&#034;http://asert.arbornetworks.com/2008/12/another-holiday-another-e-card-run-waledec/&#034; target=&#034;_blank&#034;&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;That&amp;rsquo;s all for now, but we&amp;rsquo;ll keep you posted on any new info. 
So, from everyone here in the virus lab, Happy Holidays!&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 12-29-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:29 AM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Liam O Murchu</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=223</guid>
				<dc:date>2008-12-29T12:06:47+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Phishing Attacks Utilizing Port Numbers</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=100</link>
				<description>There are varying types of technologies used by online attackers these days. There are old tricks and of course new ones, but it is the newer ones that make it even more difficult to handle the dilemmas faced in the world of Internet security. One of the trends of attack that was noticed a little while ago was an attack based on a website’s “port number.”</description>
				<content:encoded>&lt;p&gt;There are varying types of technologies used by online attackers these days. There are old tricks and of course new ones, but it is the newer ones that make it even more difficult to handle the dilemmas faced in the world of Internet security. One of the trends of attack that was noticed a little while ago was an attack based on a website&amp;rsquo;s &amp;ldquo;port number.&amp;rdquo; A port number is a way to identify a specific process to which an Internet or other network message is to be forwarded when it arrives at a server. We can identify a port number after a colon (&amp;ldquo;:&amp;rdquo;) following the host name. For example, consider &lt;a href=&#034;http://1.1.1.1/&#034; target=&#034;_blank&#034;&gt;http://1.1.1.1&lt;/a&gt;:8080/, in which the port number in the URL is 8080. &lt;br /&gt;&lt;br /&gt;According to the IANA (Internet Assigned Numbers Authority), the port numbers are divided into three ranges: well known ports, registered ports and the dynamic and/or private ports.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;1.&amp;nbsp;&amp;nbsp;&amp;nbsp; The &amp;ldquo;well known&amp;rdquo; ports are those ranging from 0 through 1023. &lt;br /&gt;2.&amp;nbsp;&amp;nbsp;&amp;nbsp; The &amp;ldquo;registered&amp;rdquo; ports are those from 1024 through 49151 &lt;br /&gt;3.&amp;nbsp;&amp;nbsp;&amp;nbsp; The &amp;ldquo;dynamic&amp;rdquo; and/or &amp;ldquo;private&amp;rdquo; ports are those from 49152 through 65535. &lt;/blockquote&gt;&lt;p&gt;Statistics were taken for the phishing websites and it was seen that the maximum utilized port number was 82. It also came to light that the maximum amount of fraud against different port numbers came from the United States and Korea. 
The question then arises: why is there such a high rate of attacks on port 82?&lt;br /&gt;&lt;br /&gt;With further research we see that port 82 is used for the &amp;ldquo;Xfer Utility.&amp;rdquo; The Xfer utility is used for DNS zone transfers. This means that if data has to be transferred or replicated from the database of one DNS server for a particular zone to another, the Xfer utility would be used. Only the administrator of that particular server, however, can perform this transfer. Such a high number of frauds on this port may be due to the vulnerabilities associated with zone transfers.&lt;br /&gt;&lt;br /&gt;There are typically two security risks with regard to zone transfers:&lt;br /&gt;&lt;br /&gt;1.&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;strong&gt;Exposure of data&lt;/strong&gt;: A zone transfer means an entire set of DNS records being exposed. If a hacker gets hold of this transfer with some malicious code, he or she can view the entire list of hosts in that domain. This gives the hacker a lot more control over the servers, which could allow a larger range of malicious practices to be attempted. &lt;br /&gt;&lt;br /&gt;2.&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;strong&gt;Denial of Service (DoS)&lt;/strong&gt;: If malicious code captures a DNS zone transfer, then the attacker could launch a DoS attack by overloading the servers with multiple requests. This would make the servers slow and unresponsive. In a more serious case it would block legitimate requests as well. &lt;br /&gt;&lt;br /&gt;It is also possible that port 82 is used simply as an alternative to the regular ports 80 and 81. However, it is difficult to prove the exact reason for this trend of port 82 frauds, and the above two vulnerabilities are only a possible explanation. The images below show some interesting statistics that were collected earlier this year over a three-week period. 
They show the coverage of fraud attacks against certain port numbers, as shown: &lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/sai_port1.jpg&#034; border=&#034;0&#034; width=&#034;530&#034; height=&#034;352&#034; /&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/sai_port2.jpg&#034; border=&#034;0&#034; width=&#034;530&#034; height=&#034;349&#034; /&gt; &lt;br /&gt;&lt;br /&gt;Another reason for the attacks based on port numbers might be to escape anti-phishing technologies. Attackers continue to randomize the ports they use, which may possibly help in evading anti-phishing toolbars and at the same time try to target specific customers. For example, there were fraud sites coming from an IP that was phishing a specific brand, but was reported with several ports:&lt;br /&gt;&lt;br /&gt;http://IP number:722/update/secure/&lt;br /&gt;http://IP number:306/update/secure/&lt;br /&gt;http://IP number:9306/sharethisfolder/refunds.php&amp;nbsp;&amp;nbsp; &lt;br /&gt;http://IP number:9277/EBSec/index.html&amp;nbsp;&amp;nbsp; &lt;br /&gt;http://IP number:9777/xxx.NET/login.php&amp;nbsp;&amp;nbsp; &lt;br /&gt;http://IP number:8444/logon/index.html&amp;nbsp;&amp;nbsp; &lt;br /&gt;http://IP number:8444/haide/refunds.php&amp;nbsp;&amp;nbsp; &lt;br /&gt;http://IP number:844/recycler/refunds.php&amp;nbsp;&amp;nbsp; &lt;br /&gt;&lt;br /&gt;Here we can see that the IP remains the same but the ports randomize as 722, 306, 9306, 9277, and so on. The attack is also phishing only on a specific brand. This gives us an idea that the port randomization isn&amp;rsquo;t a coincidence in this case; rather, it looks like an intentional attempt by the attacker. 
Certain antifraud measures today might check a website on a certain port, but may not look into whether the site is active on any other port, which gives the attacker a chance to escape. Some of these other ports, however, might still be accessible to the customer. This way, the attacker might escape anti-phishing toolbars and succeed in targeting the customers.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;A method to detect and fight this form of attack would be to monitor websites that seem to be dead by checking them irrespective of the port number, since the site may be alive on a different port. Best practices include being wary of sites that both ask for confidential information and contain a port number in their URL. Please take the time to verify that the website is run by the original brand/company and only then provide information to the site.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 12-23-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 01:07 PM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Sai Nayaran Nambiar</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=100</guid>
				<dc:date>2008-12-23T21:00:55+00:00</dc:date>
				<category>Online Fraud</category>
			</item>
		<item>
				<title>An Early Holiday Gift—The Return of Spam</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=133</link>
				<description>After the shutdown of McColo, which was aiding the distribution of about half of all spam on the internet globally, spam volumes dropped. However, since mid-November, spam volumes have been slowly inching their way back up as old botnets are being brought back online and potential new botnets are being created.</description>
				<content:encoded>&lt;p&gt;After the shutdown of McColo, which was aiding the distribution of about half of all spam on the internet globally, spam volumes dropped. However, since mid-November, spam volumes have been slowly inching their way back up as old botnets are being brought back online and potential new botnets are being created.&lt;br /&gt;&lt;br /&gt;At this point, spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels (when reviewing daily averages):&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_colo_gph1.jpg&#034; border=&#034;0&#034; width=&#034;519&#034; height=&#034;339&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;The types of spam being seen in new attacks are similar to what was being sent around the Internet prior to the shutdown. The spam messages can be categorized into the following groups:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Replica watches&lt;/li&gt;&lt;li&gt;Generic pharmacy&lt;/li&gt;&lt;li&gt;Erectile dysfunction drugs&lt;/li&gt;&lt;li&gt;Weight loss&lt;/li&gt;&lt;li&gt;Software&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;The spam is being sent from various countries around the world and is associated with botnets. The top three senders of spam reviewed for this post were Brazil, the United States, and Russia.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;Geographic origins of this spam:&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_colo_gph2.jpg&#034; border=&#034;0&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;The makeup of the spam is varied. Some of the messages are very short, containing only a single URL, while others are slightly longer with some basic HTML that links to images. The longer spam messages contain both text and HTML parts. 
When looking at the URLs contained in spam, URLs containing the .cn top level domain (TLD) make up almost 10% of the URLs in spam, holding the second spot in the top eight TLDs appearing in spam, behind the .com TLD only.&lt;br /&gt;&lt;br /&gt;TLD breakdown for URLs appearing in spam:&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_colo_gph3.jpg&#034; border=&#034;0&#034; width=&#034;520&#034; height=&#034;400&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Some sample spam messages:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_colo_img1.jpg&#034; border=&#034;0&#034; width=&#034;520&#034; height=&#034;523&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_colo_img2.jpg&#034; border=&#034;0&#034; width=&#034;520&#034; height=&#034;523&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_colo_img3.jpg&#034; border=&#034;0&#034; /&gt; &lt;/p&gt;</content:encoded>
				<dc:creator>Dylan Morss</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=133</guid>
				<dc:date>2008-12-20T00:26:04+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Missing Email Headers? Find Them in the Body.</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=131</link>
				<description>Spammers always try to come up with new tricks to bypass antispam filters. This time, they have shown an ability to partly (or sometimes completely) hide essential headers, ruling filters on headers out of picture. Except for the &#034;Received&#034; lines, we do not find any headers in the message.</description>
				<content:encoded>&lt;p&gt;Spammers always try to come up with new tricks to bypass antispam filters. This time, they have shown an ability to partly (or sometimes completely) hide essential headers, ruling header-based filters out of the picture. Except for the &amp;quot;Received&amp;quot; lines, we do not find any headers in the message.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Analyzing the samples, we see very few SMTP commands before the actual message. We think that spammers may be using a slamming technique, where all of the SMTP commands necessary to transmit an email message to another mail server are fired without waiting for the normal SMTP responses from the remote machine. Most of the time the remote server will end up accepting the message, although this clearly disobeys SMTP behavior as specified by various Internet standards. Slamming is primarily done to send unsolicited emails as rapidly as possible or, in this case, possibly to hide all of the headers.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/mk_head1.jpg&#034; border=&#034;0&#034; width=&#034;520&#034; height=&#034;464&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Symantec is keeping a close watch on this trend and ensuring that your inbox is free of such spam. Users are advised to use caution when opening messages without subject lines, especially from unknown senders.&lt;/p&gt;</content:encoded>
				<dc:creator>Mayur Kulkarni</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=131</guid>
				<dc:date>2008-12-18T15:37:59+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>A Caution During the Season of Giving</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=132</link>
				<description>Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be prone to phishing attacks against unsuspecting users.</description>
				<content:encoded>Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be prone to phishing attacks against unsuspecting users. We have come across messages posing as though they have been sent from a legitimate cancer institute, but with spoofed URLs inside. These spoofed URLs redirect users to fake websites where online donations can be made. When a user enters their email address and password for making payments, an error is shown and they are redirected to the legitimate site. This is common behavior seen with such attacks. The actual intention of these phishing websites is to harvest email addresses and steal confidential information.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/mk_caution1.jpg&#034; border=&#034;0&#034; width=&#034;520&#034; height=&#034;371&#034; /&gt;&lt;br /&gt;&lt;br /&gt;Simple preventive measures such as manually typing legitimate URLs directly in the browser can be employed to make your contributions. It is the season of giving, but please make your online contributions with caution.</content:encoded>
				<dc:creator>Mayur Kulkarni</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=132</guid>
				<dc:date>2008-12-18T15:31:21+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Rise of IE Zero-Day Through SQL Injection</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=182</link>
				<description>Since our blog Yes, There’s a Zero-Day Exploit for Internet Explorer Out There that was posted in relation to the now known Microsoft Security Advisory (961051) for IE, we have been closely monitoring the uptake of this vulnerability. </description>
				<content:encoded>&lt;p&gt;Since our blog &lt;a href=&#034;../../../blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/180#M180&#034; target=&#034;_blank&#034;&gt;Yes, There&amp;rsquo;s a Zero-Day Exploit for Internet Explorer Out There&lt;/a&gt; was posted in relation to the now known &lt;a href=&#034;http://www.microsoft.com/technet/security/advisory/961051.mspx&#034; target=&#034;_blank&#034;&gt;Microsoft Security Advisory (961051)&lt;/a&gt; for IE, we have been closely monitoring the uptake of this vulnerability. Symantec provides the antivirus signature &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-121012-3605-99&#034; target=&#034;_blank&#034;&gt;Bloodhound.Exploit.219&lt;/a&gt; and IPS signature &lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23241&#034; target=&#034;_blank&#034;&gt;23241 - HTTP MSIE Malformed XML BO&lt;/a&gt; to protect users against this exploit. To date, since the release of our antivirus signature for this vulnerability, we have observed over 33,000 hits on Symantec customers. A breakdown of the top 10 countries or regions reporting detections can be seen below:&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/pc_zero1_lrg.JPG&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/pc_zero1_sml.JPG&#034; border=&#034;0&#034; width=&#034;520&#034; height=&#034;370&#034; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;At present, Asia is clearly leading the way for potential infections through exploitation of this vulnerability. This is not surprising because we have also observed SQL injection attacks that specifically target Asian websites and use this Internet Explorer vulnerability. 
The following iframe examples have been seen injected into over 100,000 compromised websites, mainly South Korean in origin.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;hxxp://s.a[removed]shanghai.com/s.js &lt;/p&gt;&lt;br /&gt;&lt;p&gt;hxxp://s.caw[removed].com/s.js &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Once a compromised site containing one of these iframes is visited, the &lt;a href=&#034;http://www.microsoft.com/technet/security/advisory/961051.mspx&#034; target=&#034;_blank&#034;&gt;IE Exploit (961051)&lt;/a&gt; is one of several exploits run against the visiting user&#039;s system. Symantec currently has protection against the exploits served. If the system is exploited, various malicious code is dropped onto it, such as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99&#034; target=&#034;_blank&#034;&gt;Downloader&lt;/a&gt; and &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2008-042615-4654-99&#034; target=&#034;_blank&#034;&gt;Infostealer.Gamler&lt;/a&gt;. At present, Symantec has detection for this malicious code, but recommends that you keep your definitions up-to-date because the malicious code being served is changing on a regular basis.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Turlas on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 12-16-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 12:53 PM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Peter Coogan</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=182</guid>
				<dc:date>2008-12-15T19:08:45+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Just a Reminder</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=evolution_of_security&amp;thread.id=26</link>
				<description>You may have seen an article in the New York Times on December 6, 2008, by John Markoff, entitled &#034;Thieves Winning Online War, Maybe Even in Your Computer.&#034; As we&#039;ve previously discussed here, we&#039;re exploring an exciting new reputation-based security approach to protect against the continuing proliferation of the types of threats described in the article.</description>
				<content:encoded>&lt;p&gt;You may have seen an article in the New York Times on December 6, 2008, by John Markoff, entitled &amp;quot;&lt;a href=&#034;http://www.nytimes.com/2008/12/06/technology/internet/06security.html?ref=technology&#034; target=&#034;_blank&#034;&gt;Thieves Winning Online War, Maybe Even in Your Computer&lt;/a&gt;.&amp;quot; As we&#039;ve previously discussed here, we&#039;re exploring an exciting new reputation-based security approach to protect against the continuing proliferation of the types of threats described in the article.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;For more detail, please take a look at these two previous blog articles by Carey Nachenberg:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt; &lt;a href=&#034;https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/emerging/article-id/113&#034; target=&#034;_blank&#034;&gt;It&#039;s All About Reputation&lt;/a&gt;, and &lt;a href=&#034;https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/emerging/article-id/112&#034; target=&#034;_blank&#034;&gt;Losing Touch with Fingerprinting&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;</content:encoded>
				<dc:creator>Steve Trilling</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=evolution_of_security&amp;thread.id=26</guid>
				<dc:date>2008-12-13T00:47:53+00:00</dc:date>
				<category>Evolution Of Security</category>
			</item>
		<item>
				<title>Protecting Zero-Day</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=181</link>
				<description>Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721).</description>
				<content:encoded>Hello, this is Anthony from the Symantec Intelligence Analysis Team. Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the &lt;a href=&#034;http://www.securityfocus.com/bid/32721&#034; target=&#034;_blank&#034;&gt;Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability&lt;/a&gt; (BID 32721). Currently this vulnerability is not patched and there are several public exploits available to leverage the issue. The vulnerability exists due to a flaw in how Internet Explorer handles XML data bindings. Specially crafted XML can lead to object corruption and code execution. I am not going to describe the vulnerability in detail because this &lt;a href=&#034;https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/180&#034; target=&#034;_blank&#034;&gt;has already been done well elsewhere&lt;/a&gt;. However, I think that the shellcode is unique enough to warrant some discussion.&lt;br /&gt;&lt;br /&gt;When the shellcode executes, it uses GlobalAlloc() to relocate itself into memory that is safe. This is to make sure that the shellcode is not corrupted by the Internet Explorer process before it can finish executing. This is a common technique in modern shellcode payloads. However, after this relocation, the shellcode begins installing hooks into several key functions:&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; UnhandledExceptionFilter&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; MessageBeep&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; LdrShutdownThread&lt;br /&gt;&lt;br /&gt;The hook is fairly straightforward. The shellcode gets the address of the target function and then uses VirtualProtect() to change the memory permissions for it. 
It then writes &amp;ldquo;&lt;font face=&#034;times new roman,times&#034; size=&#034;1&#034;&gt;mov eax, addr_of_new_code; jmp eax&lt;/font&gt;&amp;rdquo; into the function prelude. This has the effect of hijacking execution flow from the hooked function so that it executes code that the attacker supplies. This can be seen in the following disassembly of the hook for UnhandledExceptionFilter():&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:00000043&amp;nbsp;&amp;nbsp;&amp;nbsp; call&amp;nbsp;&amp;nbsp;&amp;nbsp; get_addr_Kernel32_UnhandledExceptionFilter&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:00000048&amp;nbsp;&amp;nbsp;&amp;nbsp; mov&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; edi, eax&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:0000004A&amp;nbsp;&amp;nbsp;&amp;nbsp; call&amp;nbsp;&amp;nbsp;&amp;nbsp; VirtualProtect_EDI_Mem_PAGE_EXECUTE_READWRITE&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:0000004F&amp;nbsp;&amp;nbsp;&amp;nbsp; call&amp;nbsp;&amp;nbsp;&amp;nbsp; HOOK_UnhandledExceptionFilter&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;EDI now points to the target function, and the target function's memory is marked EXECUTE_READWRITE. 
This means that the shellcode can now overwrite parts of the target function prelude:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;Hook_UnhandledExceptionFilter:&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000001A1&amp;nbsp;&amp;nbsp;&amp;nbsp; call&amp;nbsp;&amp;nbsp;&amp;nbsp; hook_function&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;The function below, &amp;ldquo;&lt;font face=&#034;times new roman,times&#034;&gt;hook_function&lt;/font&gt;,&amp;rdquo; writes &amp;ldquo;&lt;font face=&#034;times new roman,times&#034;&gt;mov eax, addr_of_new_code; jmp eax&lt;/font&gt;&amp;rdquo; into the target function prelude:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;hook_function:&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000000CE&amp;nbsp;&amp;nbsp;&amp;nbsp; pop&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ebx&amp;nbsp;&amp;nbsp;&amp;nbsp; ; ebx = addr_of_new_code&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000000CF&amp;nbsp;&amp;nbsp;&amp;nbsp; mov&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; byte ptr [edi], 0B8h&amp;nbsp;&amp;nbsp;&amp;nbsp; ; mov eax, addr_of_new_code&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000000D3&amp;nbsp;&amp;nbsp;&amp;nbsp; mov&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; [edi&#43;1], ebx&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000000D7&amp;nbsp;&amp;nbsp;&amp;nbsp; mov&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; word ptr [edi&#43;5], 0E0FFh ; jmp 
eax&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000000DE&amp;nbsp;&amp;nbsp;&amp;nbsp; retn&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;In this case the hook makes the UnhandledExceptionFilter() function return a generic Windows error. This can be seen below:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;addr_of_new_code: &lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000001A6&amp;nbsp;&amp;nbsp;&amp;nbsp; mov&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; eax, 80040111h ; Make function return a &amp;lsquo;normal&amp;rsquo; error.&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;seg000:000001AB&amp;nbsp;&amp;nbsp;&amp;nbsp; retn&amp;nbsp;&amp;nbsp;&amp;nbsp; 0Ch&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Separate hooks are installed for the MessageBeep() and LdrShutdownThread() functions. These functions are redirected to a routine that uses EnumWindows() and GetClassName() to find the Internet Explorer window. After it finds the window it uses DestroyWindow() to kill the Internet Explorer window, and ExitProcess() to exit the process cleanly.&lt;br /&gt;&lt;br /&gt;After all of these hooks are installed, the shellcode is very ordinary; it simply downloads a tertiary executable payload that acts as a vehicle to deliver a number of malicious binaries to install on the compromised system. So, I guess the question now is, why are these function hooks installed? I have not seen this type of behavior in shellcode before, and consequently I don&amp;rsquo;t think hooking these functions is a common technique. Though, I could be mistaken.&lt;br /&gt;&lt;br /&gt;My best guess is that these hooks are designed to hide the malicious nature of the browser crash. A zero-day vulnerability loses its value in relation to the number of people that know about the vulnerability. 
It is most valuable when the vulnerability is not known by a large number of people. So, it makes sense that an attack using a zero-day would be as covert as possible. I am not intimately familiar with how this particular vulnerability affects the process memory of Internet Explorer yet, but perhaps it leaves the process in an unstable state. If this is the case, hooking functions that are likely to be triggered during a browser crash, such as UnhandledExceptionFilter(), MessageBeep(), and LdrShutdownThread(), could be a covertness tactic. If the shellcode payload causes the process to exit cleanly with generic errors, the victim of an attack may not be suspicious of a crash and is therefore less likely to investigate and discover the vulnerability.&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 12-12-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:55 PM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=181</guid>
				<dc:date>2008-12-13T00:02:41+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>IDNs in Phishing</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=99</link>
				<description>What is an IDN? IDN stands for “internationalized domain name.” These are the domain names that contain one or more characters that do not belong to a Latin-based western language (or characters that are not available in the ASCII character set).</description>
				<content:encoded>&lt;p&gt;What is an IDN? IDN stands for &amp;ldquo;internationalized domain name.&amp;rdquo; These are domain names that contain one or more characters that do not belong to a Latin-based western language (or characters that are not available in the ASCII character set). &lt;br /&gt;&lt;br /&gt;The Domain Name System, or DNS (a naming system that links domain names to IP addresses), has the technical support for these IDNs, but many applications such as Web browsers, email services, etc. are not yet able to support them. Such compatibility issues arising from IDNs necessitated a conversion from international characters to suitable ASCII characters. The conversion is achieved by the use of certain algorithms that convert these characters into a code called Punycode. A Punycode contains ASCII characters prefixed with the string &amp;ldquo;xn--.&amp;rdquo; &lt;br /&gt;&lt;br /&gt;The following is an example of a Chinese domain converted to its Punycode:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Domain name&lt;/strong&gt; -&amp;nbsp; 例如.com&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Punycode&lt;/strong&gt; -&amp;nbsp; xn--fsqu6v.com&lt;br /&gt;&lt;br /&gt;The Punycode can be converted back to its original form. Many online conversion tools are available to do the conversion to Punycode and back. So, the next time you see the four-character string &amp;ldquo;xn--&amp;rdquo; in the domain of a website, you may be looking at an IDN in its Punycode form.&lt;br /&gt;&lt;br /&gt;Unfortunately there is a danger involving IDNs, where the similarity of certain non-ASCII characters to western, Latin-based alphabets is being taken advantage of in phishing attacks. Typosquatters take advantage of such similarities. For example, the character &amp;ldquo;&amp;auml;,&amp;rdquo; which is used in German, resembles the letter &amp;ldquo;a&amp;rdquo; in English. 
A typosquatter can create a phishing site with the string &amp;ldquo;b&amp;auml;nk,&amp;rdquo; which resembles &amp;ldquo;bank.&amp;rdquo; Internet users can then be tricked into entering their confidential information into the phishing site for the purpose of identity theft.&lt;br /&gt;&lt;br /&gt;In the month of October, Symantec observed 10 phishing websites that contained IDNs that were in German, Korean, and Vietnamese. One of these phishing websites was leveraging international characters resembling ASCII characters to spoof a western brand&amp;rsquo;s domain name.&lt;br /&gt;&lt;br /&gt;Stay on your toes when visiting domains with names based on Punycode and/or non-ASCII characters. Take a look around and use some of the online conversion tools to check on any unfamiliar domain names, and please don&#039;t click on any unfamiliar links and be wary of any links received in emails that have come from an untrusted or unexpected source.&lt;/p&gt;</content:encoded>
				<dc:creator>Mathew Maniyara</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=99</guid>
				<dc:date>2008-12-12T17:47:58+00:00</dc:date>
				<category>Online Fraud</category>
			</item>
		<item>
				<title>Phishing Messages Evolve as Webmail Phishing Comes Along</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=130</link>
				<description>Webmail phishing was first reported earlier this year, but it has gained a higher profile in recent times. The call to action or general purpose of this attack is to obtain webmail credentials such as passwords and contact list email addresses.</description>
				<content:encoded>Webmail phishing was first reported earlier this year, but it has gained a higher profile in recent times. The call to action or general purpose of this attack is to obtain webmail credentials such as passwords and contact list email addresses. A number of different scenarios have been employed by webmail phishers to try to obtain this information, including:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Scenario 1&lt;/strong&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;em&gt;&amp;ldquo;We write to bring to your notice that we will be caring out some temporary maintenance on our service due to congestion in all email accounts and we are afraid that during this process email accounts of our customers will be deactivated; but just to avoid your email account from been deactivated and to enable your records remain in our database we advice you provide us with the below information or your email account will be suspended within 48 hours for security reasons.&amp;rdquo;&lt;/em&gt; (sic)&lt;/blockquote&gt;&lt;strong&gt;Scenario 2&lt;/strong&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;em&gt;&amp;ldquo;Due to spam complaints of email users in our [Name Removed] webmail system, our investigation shows that your email address is&amp;nbsp; compromised and is used to send out spam message in our [Name Removed] webmail&amp;nbsp; system. As a result, your Username will be disabled if you do not send us the required information within 24hrs.&amp;rdquo;&lt;/em&gt; (sic)&lt;/blockquote&gt;As with other phishing messages, these are adapted to look like they are coming from a specific organization and are then targeted towards members of that organization. One of the common features of webmail phishing is that the message is text-only. Unlike traditional phishing messages, the message does not contain a fraudulent URL link. 
The recipient is asked to use the address in the &amp;quot;Reply To&amp;quot; header or an email address in the message body to respond to the webmail phishing message.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;It is clear that as long as the profit motive exists, the purveyors of phishing messages will continue to evolve and adapt their techniques to try and scam individuals and organizations.</content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=130</guid>
				<dc:date>2008-12-11T15:13:13+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Yes, There’s a Zero-Day Exploit for Internet Explorer Out There</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=180</link>
				<description>A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers?</description>
				<content:encoded>A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft &amp;ldquo;Patch Tuesday&amp;rdquo; cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It&amp;rsquo;s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.&lt;br /&gt;&lt;br /&gt;We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit, which seems to target Internet Explorer 7 on Windows XP and 2003 systems.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_ie7zero_1.jpg&#034; border=&#034;0&#034; /&gt;&lt;br /&gt;&lt;br /&gt;Initial reports by other security vendors mentioned a malformed XML tag as the possible cause of the vulnerability; however, from a deeper analysis it seems that the problem affects the XML parsing engine of IE7 and the library MSHTML.DLL. The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser. 
This means that attackers may start using different attack vectors in the future to exploit this vulnerability, but at the moment it seems that this recent exploit, which has been publicly released on several Chinese forums, only uses the XML elements and tags.&lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_ie7zero_2_lrg.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_ie7zero_2_sml.jpg&#034; border=&#034;0&#034; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The vulnerability is caused by a function that incorrectly frees a certain region of heap memory, so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic &amp;ldquo;0x0A0A&amp;rdquo; value in it. The image below shows an example of the execution crash in the MSHTML module; EAX is loaded with the value controlled by the attacker and is used later as a function pointer to control execution.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_ie7zero_3.jpg&#034; border=&#034;0&#034; /&gt;&lt;br /&gt;&lt;br /&gt;Because of the nature of this attack, it does not depend on any specific ActiveX control, so this time we can&amp;rsquo;t tell you to disable or set the KillBit for a specific CLSID. However, the attack still requires some JavaScript in order to use heap-spray techniques to achieve reliable code execution; so, blocking JavaScript for un-trusted websites could help to mitigate the risk somewhat. 
&lt;br /&gt;&lt;br /&gt;Our advice for Windows users is as follows:&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Update your AV and IPS software with the latest signatures&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Run Internet Explorer with limited privileges&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Enable DEP protection for browsers&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Disable JavaScript in Internet Explorer &lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Avoid following links to un-trusted sites&lt;br /&gt;&lt;br /&gt;At the moment, we can trace many attacks back to Chinese domains and websites, which are used by the exploit to install and download additional malicious code components. The downloaded malicious code is a variety of &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99&#034; target=&#034;_blank&#034;&gt;Downloader&lt;/a&gt;, &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2000-122016-0558-99&#034; target=&#034;_blank&#034;&gt;Infostealer&lt;/a&gt;, and &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2007-011714-4020-99&#034; target=&#034;_blank&#034;&gt;W32.SillyDC&lt;/a&gt; variants. 
We also recommend blocking the following hosts at network boundaries:&lt;br /&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; wwwwyyyyy.cn&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; sllwrnm5.cn&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; baikec.cn&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; oiuytr.net&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; laoyang4.cn&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; cc4y7.cn&lt;br /&gt;&lt;/blockquote&gt;Symantec released the antivirus signature &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-121012-3605-99&#034; target=&#034;_blank&#034;&gt;Bloodhound.Exploit.219&lt;/a&gt; and IPS signature &lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23241&#034; target=&#034;_blank&#034;&gt;23241 - HTTP MSIE Malformed XML BO&lt;/a&gt; to protect users against this exploit.&lt;br /&gt;&lt;br /&gt;* Big thanks go out to Nishant A Doshi and Chintan Trivedi for their valuable help in the analysis of this vulnerability.</content:encoded>
				<dc:creator>Elia Florio</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=180</guid>
				<dc:date>2008-12-10T17:47:52+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>November 2008 – A Historic Month in the Political and Spam Landscape</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=129</link>
				<description>November 2008—what a month! A new U.S. president is elected and spam volumes drop significantly as a hosting company called McColo is shut down. While both these events were generally welcomed, the new President and the antispam community continue to face tough obstacles in the year ahead.</description>
				<content:encoded>&lt;p&gt;November 2008&amp;mdash;what a month! A new U.S. president is elected and spam volumes drop significantly as a hosting company called McColo is shut down. While both these events were generally welcomed, the new President and the antispam community continue to face tough obstacles in the year ahead.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;On November 11, 2008, McColo-hosted systems were shut down based on abuse complaints. As a result, spam volumes dropped dramatically across the world. The Symantec probe network saw a 65 percent drop in traffic when compared to the 24 hours before the McColo.com shutdown. As November drew to a close, Symantec saw that spam volumes had shown several upward spikes and were again creeping upwards. These spikes indicate that a return to normal spam activity is in the works. As long as the profit motive behind spam continues to exist, spammers will regroup to drive new spam campaigns.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;While the McColo shutdown may have brought some cheer to email users during this holiday season, spammers have, in 2008, just as in previous years, adjusted their spam campaigns to include a holiday element. It seems that no holiday season would be complete without spam messages offering a fake brand name watch.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;To read about these or other trends in the Symantec Monthly State of Spam Report, such as Italian-, casino-, and IRS-related spam messages, please visit the &lt;a href=&#034;http://www.symantec.com/spam&#034; target=&#034;_blank&#034;&gt;State of Spam website&lt;/a&gt; and the &lt;a href=&#034;http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf&#034; target=&#034;_blank&#034;&gt;December State of Spam Report&lt;/a&gt;.&lt;/p&gt;</content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=129</guid>
				<dc:date>2008-12-09T21:56:57+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Microsoft Patch Tuesday, December 2008</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=179</link>
				<description>Hello and welcome to this month&#039;s blog on the Microsoft patch releases. As far as vulnerability counts go, this is the largest patch release since Microsoft started the &#034;Patch Tuesday&#034; program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities.</description>
				<content:encoded>&lt;p&gt;Hello and welcome to this month&#039;s blog on the Microsoft patch releases. As far as vulnerability counts go, this is the largest patch release since Microsoft started the &amp;quot;Patch Tuesday&amp;quot; program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities.&lt;br /&gt;&lt;br /&gt;Of those issues, 23 are rated &amp;quot;Critical&amp;quot; and affect Word, Outlook, Internet Explorer, Visual Basic ActiveX controls, GDI, Windows Search, and Excel. All of the &amp;quot;Critical&amp;quot; issues this month require some sort of user interaction, whether visiting a Web page that contains malicious content or viewing a malicious file. The remaining issues affect GDI, Windows Search, SharePoint, and Windows Explorer; they range in importance from &amp;quot;Important&amp;quot; to &amp;quot;Moderate.&amp;quot;&lt;br /&gt; &lt;br /&gt;As always, customers are advised to follow security best practices, including:&lt;br /&gt;&lt;br /&gt;-	Install vendor patches as soon as they are available&lt;br /&gt;-	Block external access at the network perimeter to specific sites and computers only&lt;br /&gt;-	Avoid sites of questionable or unknown integrity&lt;br /&gt;-	Never open files from unknown or questionable sources&lt;br /&gt;-	Run all software with the least privileges required while still maintaining functionality&lt;br /&gt;&lt;br /&gt;Microsoft&#039;s summary of the December releases can be found here: &lt;br /&gt;&lt;a href=&#034;http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx&#034; target=&#034;_blank&#034;&gt;http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;The &amp;quot;Critical&amp;quot; issues this month are:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. 
&lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx&#034; target=&#034;_blank&#034;&gt;MS08-070&lt;/a&gt; Vulnerabilities in Visual Basic ActiveX Controls Could Allow Remote Code Execution (932349)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Multiple remote code execution vulnerabilities affect various ActiveX controls for Visual Basic 6. An attacker can exploit these issues by tricking an unsuspecting victim into viewing a malicious Web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. The issues include:&lt;br /&gt;&lt;br /&gt;CVE-2008-4252 (&lt;a href=&#034;http://www.securityfocus.com/bid/32591&#034; target=&#034;_blank&#034;&gt;BID 32591&lt;/a&gt;) Microsoft DataGrid ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4253 (&lt;a href=&#034;http://www.securityfocus.com/bid/32592&#034; target=&#034;_blank&#034;&gt;BID 32592&lt;/a&gt;) Microsoft FlexGrid ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4254 (&lt;a href=&#034;http://www.securityfocus.com/bid/32612&#034; target=&#034;_blank&#034;&gt;BID 32612&lt;/a&gt;) Microsoft Hierarchical FlexGrid ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4255 (&lt;a href=&#034;http://www.securityfocus.com/bid/32613&#034; target=&#034;_blank&#034;&gt;BID 32613&lt;/a&gt;) Microsoft Windows Common AVI ActiveX Control File Parsing Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4256 (&lt;a href=&#034;http://www.securityfocus.com/bid/32614&#034; target=&#034;_blank&#034;&gt;BID 32614&lt;/a&gt;) Microsoft Charts ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency 
Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-3704 (&lt;a href=&#034;http://www.securityfocus.com/bid/30674&#034; target=&#034;_blank&#034;&gt;BID 30674&lt;/a&gt;) Microsoft Visual Studio &#039;Msmask32.ocx&#039; ActiveX Control Remote Buffer Overflow Vulnerability (MS Rating: Critical/Symantec Urgency Rating 8.9/10)&lt;br /&gt;&lt;br /&gt;This is a previously public vulnerability in the MaskedEdit ActiveX control, detected by Symantec on August 13, 2008, and documented in BID 30674. A stack-based buffer overflow occurs when the control handles overly large arguments to the &amp;quot;Mask&amp;quot; parameter. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-071.mspx&#034; target=&#034;_blank&#034;&gt;MS08-071&lt;/a&gt; Vulnerabilities in GDI Could Allow Remote Code Execution (956802)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;CVE-2008-2249 (&lt;a href=&#034;http://www.securityfocus.com/bid/32634&#034; target=&#034;_blank&#034;&gt;BID 32634&lt;/a&gt;) Microsoft Windows GDI WMF Integer Overflow Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;A remote code execution vulnerability affects GDI when processing a specially malformed header in a WMF file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious WMF file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. 
&lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-072.mspx&#034; target=&#034;_blank&#034;&gt;MS08-072&lt;/a&gt; Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (957173)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Multiple remote code execution vulnerabilities affect Word when handling malicious Office and Rich Text Format (RTF) files. An attacker can exploit these issues by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. The issues include:&lt;br /&gt;&lt;br /&gt;CVE-2008-4024 (&lt;a href=&#034;http://www.securityfocus.com/bid/32580&#034; target=&#034;_blank&#034;&gt;BID 32580&lt;/a&gt;) Microsoft Word Malformed Record Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4026 (&lt;a href=&#034;http://www.securityfocus.com/bid/32583&#034; target=&#034;_blank&#034;&gt;BID 32583&lt;/a&gt;) Microsoft Word Malformed Value Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4837 (&lt;a href=&#034;http://www.securityfocus.com/bid/32584&#034; target=&#034;_blank&#034;&gt;BID 32584&lt;/a&gt;) Microsoft Word Malformed Record Value Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4025 (&lt;a href=&#034;http://www.securityfocus.com/bid/32579&#034; target=&#034;_blank&#034;&gt;BID 32579&lt;/a&gt;) Microsoft Word RTF Malformed Control Word Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4027 (&lt;a href=&#034;http://www.securityfocus.com/bid/32581&#034; target=&#034;_blank&#034;&gt;BID 32581&lt;/a&gt;) Microsoft Word RTF Malformed Control Word Variant 1 Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 
7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4030 (&lt;a href=&#034;http://www.securityfocus.com/bid/32642&#034; target=&#034;_blank&#034;&gt;BID 32642&lt;/a&gt;) Microsoft Word RTF Malformed Control Word Variant 2 Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4028 (&lt;a href=&#034;http://www.securityfocus.com/bid/32585&#034; target=&#034;_blank&#034;&gt;BID 32585&lt;/a&gt;) Microsoft Word RTF Malformed Control Word Variant 3 Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4031 (&lt;a href=&#034;http://www.securityfocus.com/bid/32594&#034; target=&#034;_blank&#034;&gt;BID 32594&lt;/a&gt;) Microsoft Word RTF Malformed String Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;4. &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-073.mspx&#034; target=&#034;_blank&#034;&gt;MS08-073&lt;/a&gt; Cumulative Security Update for Internet Explorer (958215)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Multiple remote code execution vulnerabilities affect Internet Explorer. An attacker can exploit these issues by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. 
The issues include:&lt;br /&gt;&lt;br /&gt;CVE-2008-4258 (&lt;a href=&#034;http://www.securityfocus.com/bid/32596&#034; target=&#034;_blank&#034;&gt;BID 32596&lt;/a&gt;) Microsoft Internet Explorer Navigation Method Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4259 (&lt;a href=&#034;http://www.securityfocus.com/bid/32586&#034; target=&#034;_blank&#034;&gt;BID 32586&lt;/a&gt;) Microsoft Internet Explorer HTML Objects Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4260 (&lt;a href=&#034;http://www.securityfocus.com/bid/32593&#034; target=&#034;_blank&#034;&gt;BID 32593&lt;/a&gt;) Microsoft Internet Explorer Deleted Object Access Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4261 (&lt;a href=&#034;http://www.securityfocus.com/bid/32595&#034; target=&#034;_blank&#034;&gt;BID 32595&lt;/a&gt;) Microsoft Internet Explorer Embedded Object Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;5. &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-074.mspx&#034; target=&#034;_blank&#034;&gt;MS08-074&lt;/a&gt; Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Multiple remote code execution vulnerabilities affect Excel when handling malicious Excel files. An attacker can exploit these issues by tricking an unsuspecting victim into opening a malicious Excel file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. 
The issues include:&lt;br /&gt;&lt;br /&gt;CVE-2008-4265 (&lt;a href=&#034;http://www.securityfocus.com/bid/32618&#034; target=&#034;_blank&#034;&gt;BID 32618&lt;/a&gt;) Microsoft Excel Malformed Object Handling Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4264 (&lt;a href=&#034;http://www.securityfocus.com/bid/32621&#034; target=&#034;_blank&#034;&gt;BID 32621&lt;/a&gt;) Microsoft Excel Formula Handling Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;CVE-2008-4266 (&lt;a href=&#034;http://www.securityfocus.com/bid/32622&#034; target=&#034;_blank&#034;&gt;BID 32622&lt;/a&gt;) Microsoft Excel Global Array Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;6. &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-075.mspx&#034; target=&#034;_blank&#034;&gt;MS08-075&lt;/a&gt; Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;CVE-2008-4269 (&lt;a href=&#034;http://www.securityfocus.com/bid/32652&#034; target=&#034;_blank&#034;&gt;BID 32652&lt;/a&gt;) Microsoft Windows Search &#039;search-ms&#039; Protocol Parsing Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)&lt;br /&gt;&lt;br /&gt;A remote code execution vulnerability affects Windows Explorer in the &amp;quot;search-ms&amp;quot; protocol handler. An attacker can exploit this issue by tricking a victim into viewing a Web page with a malicious &amp;quot;search-ms://&amp;quot; URI. 
A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;hr /&gt;&lt;p&gt;&lt;br /&gt;More information on these and the other vulnerabilities being addressed this month is available at Symantec&#039;s free &lt;a href=&#034;http://www.securityfocus.com/&#034; target=&#034;_blank&#034;&gt;SecurityFocus&lt;/a&gt; portal and to our customers through the DeepSight Threat Management System.&lt;/p&gt;</content:encoded>
				<dc:creator>Robert Keith</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=179</guid>
				<dc:date>2008-12-09T21:44:25+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>DNS Pharming Attacks Using Rogue DHCP</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=emerging&amp;thread.id=118</link>
				<description>Following Dan Kaminsky’s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough.</description>
				<content:encoded>&lt;p&gt;Following Dan Kaminsky&amp;rsquo;s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough.&lt;br /&gt;&lt;br /&gt;DHCP is a widely used network protocol that has been around for a while&amp;mdash;it&amp;rsquo;s used to automatically assign IP addresses on a local network. When you connect your laptop on the wireless router at your home or to your office network, it is most likely that a DHCP server assigns an IP address to your machine and will provide all of the important parameters such as a gateway IP and DNS servers. The DHCP protocol is simple, transparent, and efficient for end users, but it is also non-secure. There&amp;rsquo;s nothing new and sensational in that statement, because it&amp;rsquo;s something well known and is really just a lack of authentication. Wikipedia has a &lt;a href=&#034;http://en.wikipedia.org/wiki/Dhcp&#034; target=&#034;_blank&#034;&gt;pretty good description&lt;/a&gt; of common DHCP attacks.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&amp;ldquo;Having been standardized before network security became a significant issue, the basic DHCP protocol includes no security features, and is potentially vulnerable to two types of attacks&amp;hellip; (1) Unauthorized DHCP Servers&amp;hellip; (2) Unauthorized DHCP Clients&amp;hellip;&amp;rdquo;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;The &amp;ldquo;Unauthorized DHCP Servers&amp;rdquo; attack is the main topic of this blog, and the real (bad) news is that today we found malicious code in the wild that actively uses this attack, with the aim of hijacking the DNS configurations of other machines on the same local network. 
The malicious code is named &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&amp;amp;tabid=2&#034; target=&#034;_blank&#034;&gt;Trojan.Flush.M&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The idea is simple and evil at the same time: a Trojan installed on an infected machine runs a rogue DHCP server on the local network and serves bogus DHCP packets to other machines when they request a new IP configuration. If the Trojan is fast enough in sending out these DHCP packets, with some luck it can modify the network configuration of other computers. The basic principle of this attack is also described in &lt;a href=&#034;http://en.wikipedia.org/wiki/Rogue_DHCP&#034; target=&#034;_blank&#034;&gt;this Wikipedia article&lt;/a&gt;. &lt;br /&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_dhcp1_lrg.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_dhcp1.jpg&#034; border=&#034;0&#034; width=&#034;432&#034; height=&#034;163&#034; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The above network capture shows in detail what&amp;rsquo;s happening on a network with only a single machine (address 192.168.91.129) infected with Trojan.Flush.M. When a second, clean, machine (address 192.168.91.132) is renewing its IP address (e.g., ipconfig /release and ipconfig /renew on a Windows system) it sends a DHCP RELEASE packet and then tries to discover the DHCP server to get the new IP configuration. The configuration requested will have all the vital information that any device (PC, Mac, Smartphone, etc.) needs to access Internet, including the address of DNS servers.&lt;br /&gt;&lt;br /&gt;On a clean network we should only see one DHCP OFFER packet sent from the legitimate DHCP Server (192.168.91.254) to the clean machine. 
This packet is shown in the above capture at entry number 7. However, as shown in the capture, there&amp;rsquo;s another DHCP OFFER packet (at number 3) that has been sent by the infected machine only a moment earlier. The following diagram provides a clearer picture of what&amp;rsquo;s happening on this network:&lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_dhcp2_lrg.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_dhcp2.jpg&#034; border=&#034;0&#034; width=&#034;432&#034; height=&#034;324&#034; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The packet sent by the infected machine arrives first; therefore, it wins the race against the real DHCP server and the clean machine ends up getting the following IP configuration:&lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_dhcp3_lrg.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ef_dhcp3.jpg&#034; border=&#034;0&#034; width=&#034;432&#034; height=&#034;151&#034; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Clearly, the IP configuration of the clean machine 192.168.91.132 (which is still clean and is not infected by any kind of threat) has been assigned remotely by the infected machine and now includes some well-known rogue DNS servers: 85.255.112.36 and 85.255.112.41.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Performing an Internet search for these DNS servers leads only to bad comments and results, mostly related to a known family of DNS &amp;ldquo;changer Trojans,&amp;rdquo; which include Zlob and the recent Mac OS X threat &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2007-110101-2320-99&amp;amp;tabid=2&#034; 
target=&#034;_blank&#034;&gt;OSX.RSPlug.A&lt;/a&gt;. Once the DNS servers are modified, the attacker can redirect a machine to any malicious or phishing website (for example, you type &amp;ldquo;&lt;a href=&#034;http://www.google.xn--com-9o0a/&#034; target=&#034;_blank&#034;&gt;www.symantec.com&amp;rdquo;&lt;/a&gt; and your computer brings you to the &amp;ldquo;6.6.6.6&amp;rdquo; host).&lt;br /&gt;&lt;br /&gt;Some interesting facts of this curious DNS pharming attack include:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A single infected machine with this Trojan can virtually compromise the DNS configuration of all other machines in the same network without infecting them.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; It is difficult for the clean machine to identify if DNS servers in use are legitimate or not (the DHCP server shown in the example is still valid and the machine is not infected).&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; There&amp;rsquo;s no registry setting or configuration file that is modified on the machine&amp;mdash;the attack relies on network protocols.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; These malicious DHCP packets could affect any device connected to the compromised network, so even a smartphone or Mac could accept the bogus configuration and start using rogue DNS servers.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Since this is a race between the legit DHCP Server and an infected machine running a rogue DHCP Server, it all depends on luck and speed. We noticed that the attack is not always successful; sometimes the DHCP Server packet arrives first and so everything goes fine.&lt;br /&gt;&lt;br /&gt;To detect this attack, administrators should scan their traffic for bogus DHCP offer packets coming from a machine that is not the DHCP server. 
As a final note, the attack has been reported in the wild and, as suggested by a friend at &lt;a href=&#034;http://isc.sans.org/diary.html?storyid=5434&#034; target=&#034;_blank&#034;&gt;ISC SANS&lt;/a&gt;, network administrators should monitor and/or block traffic on: 85.255.112.0 &amp;ndash; 85.255.127.255.&lt;br /&gt;&lt;br /&gt;Thanks to my colleague Marian Borucki for help during the investigation of this threat.&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 12-04-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 05:49 PM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Elia Florio</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=emerging&amp;thread.id=118</guid>
				<dc:date>2008-12-05T01:25:16+00:00</dc:date>
				<category>Emerging</category>
			</item>
		<item>
				<title>AutoPlay Worms</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=222</link>
				<description>Banning the use of removable drives may sound like a strict IT policy. But when faced with a worm introduced to your network by such devices, it is the sensible thing to do. Recently, the US Department of Defense has done just that in order to protect their networks from such threats.</description>
				<content:encoded>&lt;p&gt;Banning the use of removable drives may sound like a strict IT policy. But when faced with a worm introduced to your network by such devices, it is the sensible thing to do. Recently, the &lt;a href=&#034;http://blog.wired.com/defense/2008/11/army-bans-usb-d.html&#034; target=&#034;_blank&#034;&gt;US Department of Defense has done just that&lt;/a&gt; in order to protect their networks from such threats.&lt;br /&gt;&lt;br /&gt;As the use of removable drives has increased, they have become a successful vehicle to enter a network and compromise computers. The ease of infection is facilitated by a feature within Windows called AutoPlay. Meant as a feature of convenience, AutoPlay allows programs to automatically launch when CDs, DVDs, removable drives, or any other form of storage is inserted into a computer. However, this convenience comes at a serious security cost, as described in the following video:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div&gt;&lt;object classid=&#034;clsid:d27cdb6e-ae6d-11cf-96b8-444553540000&#034; codebase=&#034;http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0&#034; width=&#034;480&#034; height=&#034;385&#034;&gt;&lt;param name=&#034;width&#034; value=&#034;480&#034; /&gt;&lt;param name=&#034;height&#034; value=&#034;385&#034; /&gt;&lt;param name=&#034;allowfullscreen&#034; value=&#034;true&#034; /&gt;&lt;param name=&#034;allowscriptaccess&#034; value=&#034;always&#034; /&gt;&lt;param name=&#034;src&#034; value=&#034;http://www.youtube.com/v/xgVecDefOMg&amp;amp;hl=en&amp;amp;fs=1&amp;amp;ap=%2526fmt%3D18&#034; /&gt;&lt;embed type=&#034;application/x-shockwave-flash&#034; width=&#034;480&#034; height=&#034;385&#034; allowfullscreen=&#034;true&#034; allowscriptaccess=&#034;always&#034; src=&#034;http://www.youtube.com/v/xgVecDefOMg&amp;amp;hl=en&amp;amp;fs=1&amp;amp;ap=%2526fmt%3D18&#034;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;So how do you 
protect yourself from such rapidly spreading threats? Banning the use of removable media does reduce the risk. On many computers you can also disable the USB ports from within the computer&amp;rsquo;s BIOS, rendering the ports inert. At the very least, Symantec recommends disabling AutoPlay.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&amp;bull; If you are running Windows XP, you can download and install a Microsoft &amp;ldquo;Powertoy&amp;rdquo; called &lt;a href=&#034;http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx&#034; target=&#034;_blank&#034;&gt;TweakUI&lt;/a&gt;. There are a number of options within TweakUI for customizing AutoPlay under &lt;strong&gt;My Computer &amp;gt; AutoPlay&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull; If you are running Windows Vista, there is now a &lt;a href=&#034;http://windowshelp.microsoft.com/Windows/en-us/help/7e1fe788-0747-4e00-895b-c3461b1ddd971033.mspx&#034; target=&#034;_blank&#034;&gt;Control Panel applet&lt;/a&gt; dedicated to AutoPlay customization. To reach it, open the Control Panel and then go to &lt;strong&gt;Hardware and Sound &amp;gt; AutoPlay&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull; If you are managing a network of computers, you can use the &lt;a href=&#034;http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx&#034; target=&#034;_blank&#034;&gt;Group Policy editor&lt;/a&gt; to create Group Policy Objects to assign to your clients. In Windows 2000/XP/2003&amp;rsquo;s Group Policy editor, AutoPlay options are under &lt;strong&gt;Computer Configuration &amp;gt; Administrative Templates &amp;gt; System &amp;gt; Turn off AutoPlay&lt;/strong&gt;. 
For Windows Vista/2008, go to &lt;strong&gt;Computer Configuration &amp;gt; Administrative Templates &amp;gt; Windows Components &amp;gt; AutoPlay Policies&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull; Administrators using Symantec Endpoint Protection Manager have the option to disable programs from running from removable drives entirely. In the management console, go to &lt;strong&gt;Policies &amp;gt; Application and Device Control &amp;gt; Add an Application and Device Control Policy &amp;gt; Application Control&lt;/strong&gt;, select &lt;strong&gt;Block Programs from running from removable devices&lt;/strong&gt; and then push the changes out to your clients. Alternatively, you can prevent autorun.inf files from running entirely by following the instructions in &lt;a href=&#034;http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008050910464348&#034; target=&#034;_blank&#034;&gt;this support document&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull; Norton users: no need to do anything. By default, all Norton products that contain antivirus will scan removable drives when they are plugged into the computer.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull; Sometimes AutoPlay doesn&amp;rsquo;t behave as expected after making changes. Microsoft has a knowledge base article that covers these situations and &lt;a href=&#034;http://support.microsoft.com/kb/953252&#034; target=&#034;_blank&#034;&gt;how to get AutoPlay working as you&amp;rsquo;d like it to&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull; Finally, &lt;a href=&#034;http://www.derkeiler.com/Mailing-Lists/securityfocus/security-basics/2007-07/msg00201.html&#034; target=&#034;_blank&#034;&gt;disable AutoPlay on network drives&lt;/a&gt; as well. While these worms are often introduced to the network via a removable device, many copy themselves to all drive letters on a compromised computer, regardless of the device type. 
When a compromised network drive is accessed, AutoPlay will launch the malicious code.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Completing any of these tasks should significantly reduce the risk posed by removable drives and help prevent you or your users from being an unwitting agent for spreading malicious code.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by Trevor Mack on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 12-03-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 01:11 PM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>Ben Nahorney</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=222</guid>
				<dc:date>2008-12-03T17:02:51+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Spammers Attempting to Cash in on Mumbai Terror</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=128</link>
				<description>India recently suffered a shocking terrorist attack, with hostage situations in Mumbai involving Indian nationals as well as tourists and travelers from all over the world. Updates on the terrorists’ activity are still being followed closely. Sadly, spammers would never want to miss the chance</description>
				<content:encoded>&lt;p&gt;India recently suffered a shocking terrorist attack, with hostage situations in Mumbai involving Indian nationals as well as tourists and travelers from all over the world. Updates on the terrorists&amp;rsquo; activity are still being followed closely. Sadly, spammers would never want to miss the chance to capitalize on the fast-spreading news of this tragic incident, using the headlines for their fraudulent emails with product advertisements or malicious links/attachments. Symantec has come across spam messages showing news headlines regarding the Mumbai terror, but the content inside is completely unrelated and is advertising pills.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/mk_mbai1.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;In the past, we have seen similar methods being used, where topical news headlines are used to lure recipients into opening unsolicited emails. Users are advised not to click on links found in such spam emails. Be wary of emails that have been delivered to you from an unknown sender or source, or if the email is unexpected and/or out of the ordinary, even if it appears to have been sent to you from a known contact. If you are looking for updates on recent news, please search for them on trusted news websites.&lt;/p&gt;</content:encoded>
				<dc:creator>Mayur Kulkarni</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=128</guid>
				<dc:date>2008-12-02T17:20:03+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Casino Spam Rolling Higher</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=127</link>
				<description>In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as e-mail attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November. </description>
				<content:encoded>&lt;p&gt;In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November.&amp;nbsp; &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ag_casino1.jpg&#034; border=&#034;0&#034; width=&#034;363&#034; height=&#034;219&#034; /&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language&amp;ndash;a French example is shown below. Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to ensure comprehensive blocking of spam attacks no matter what techniques spammers employ.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ag_casino2.jpg&#034; border=&#034;0&#034; width=&#034;422&#034; height=&#034;227&#034; /&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Despite the fact that online gambling in the U.S. 
has many legal restrictions, most notably the Unlawful Internet Gambling Enforcement Act of 2006, which made transactions from banks or similar institutions to online gambling sites illegal, this hasn&amp;rsquo;t stopped spammers from targeting Americans, because clearly the potential size of the market is too large to ignore.&lt;br /&gt;&lt;br /&gt;Free webhosting URL redirects have been notably used in the spam attacks targeting the U.S. market, presumably not only in an effort to evade spam filters, but also to make it more difficult to track down the hosts of the ultimate destination website.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ag_casino3.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;In both examples shown, the objective of the email is to get the end user to download software running the various games. The software may attempt to steal sensitive information such as login credentials. But don&amp;rsquo;t be tempted by the offer of seemingly free money. In addition to the fact that a deposit is required in order to play, the terms and conditions state that 25 times the deposit and bonus must be wagered before cashing out, and it&amp;rsquo;s likely the house will have long won by then.&lt;/p&gt;</content:encoded>
				<dc:creator>Amanda Grady</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=127</guid>
				<dc:date>2008-11-28T18:17:57+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Symantec Report on the Underground Economy – Malicious Tools</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=12</link>
				<description>The newly released Symantec Report on the Underground Economy discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services.</description>
				<content:encoded>&lt;p&gt;The newly released Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt; discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services. In particular, I&amp;rsquo;d like to highlight some of the things we observed in analyzing the trade in malicious tools.&lt;br /&gt;&lt;br /&gt;One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where malicious tools come into play. &lt;br /&gt;&lt;br /&gt;Malicious tools of many different varieties are offered for sale in the underground. This includes exploits, vulnerability scanners, botnets, autorooters, spam/phishing kits, and tools for obfuscating malicious code. These tools play a part in generating many of the other goods and services marketed in the underground economy, such as credit card numbers, personal information, shells, banking credentials, etc. 
Therefore, the demand for these goods and services creates an opportunity for individuals with the skills required to develop malicious tools, and this helps to foster increasing specialization.&lt;br /&gt;&lt;br /&gt;While the market for malicious tools is relatively small in comparison to other goods and services such as stolen credit card numbers, the market appears to be productive enough to support the demand for these goods and services. One of our findings is that tools for discovering and exploiting Web application vulnerabilities were popular. This is because compromised websites can generate many different types of goods and services such as personal information, email addresses, shells, spam mailers, credit card numbers, etc. &lt;br /&gt;&lt;br /&gt;Here are a few examples (all prices in USD):&lt;/p&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A scanner for remote file include vulnerabilities sold for an average price of $26, and ranged from $5 to $100.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A scanner for cross-site scripting vulnerabilities was advertised for an average price of $20, and prices ranged from $10 to $30.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Exploit links to websites that are affected by remote file include vulnerabilities were sold in bulk&amp;mdash;100 links could be obtained for an average price of $34 and 200 links could be obtained for an average price of $70. &lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; SQL injection tools were sold for an average price of $63, and ranged from $15 through $150.&lt;br /&gt;&lt;/blockquote&gt;The trade in attack tools and exploits for Web-based vulnerabilities is one more example of how attackers are increasingly motivated by profiting from their malicious activities. 
Our report helps to show how the underground economy is maturing and becoming a viable source of alternative income for hackers, exploit developers, and authors of malicious code.&lt;br /&gt;&lt;br /&gt;I should also note there is one small correction to the report based on recent events. In the report, we discuss the news that development of the Neosploit toolkit had ceased due to competition from cheaper, less advanced toolkits. It appears that this is no longer the case. A new version&amp;mdash;Neosploit 3.1&amp;mdash;has been spotted in the wild, sporting new exploits and features. Like legitimate software vendors, the developers of Neosploit are also concerned about the effect of piracy on their bottom line. To counter piracy, they have included new anti-piracy measures in this version. It is not known whether the news of its demise was merely a red herring or whether the developers decided to start developing a new version that incorporated features that could recoup some of the losses experienced from piracy or the prevalence of cheaper toolkits.&lt;br /&gt;&lt;br /&gt;More information about malicious toolkits and other trends in the underground economy can be found in the Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Report on the Underground Economy&lt;/a&gt;&lt;/em&gt;.&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-27-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 05:19 AM&lt;/span&gt;&lt;/div&gt;</content:encoded>
				<dc:creator>David McKinney</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=istr&amp;thread.id=12</guid>
				<dc:date>2008-11-27T13:16:30+00:00</dc:date>
				<category>ISTR</category>
			</item>
		<item>
				<title>Can’t Read English? Ecco lo Spam Italiano!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=126</link>
				<description>You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adapt to similar tactics for their campaigns.
</description>
				<content:encoded>&lt;p&gt;You may have come across multilingual translations of your favorite book or a popular movie. It&amp;rsquo;s a surefire way to extend one&amp;rsquo;s work to a wider audience. The desire for an extra buck has driven spammers to adapt to similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments betwee