The political risks of a DDoS

In Korea, the ruling party performed a DDoS attack, and as a result the chairman and most of its officials will resign. Most likely, it will be disbanded completely.
This is probably the most severe result of a cyber attack yet. Of course, the only reason they know who to blame is because the guy responsible for the attack admitted guilt. DDoS is all fun and games until the guy you hired to do it spills the beans.


Shaw and Spamhaus

I seem to be back on the air.

A few observations over this whole affair:

(Sorry, I’ve not had time to put these in any particular order, and some of the points may duplicate or relate to each other …)

1) I still have absolutely no idea why Shaw cut me off.  They keep blaming Spamhaus, but the only links they offer me as evidence clearly show that there is no “bad reputation” in the specific IP address that I am currently using, only a policy listing showing one of Shaw’s address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw’s spam filtering is for the birds.  Today I got two messages flagged as spam, for no clear reason I could see.  They were from a publisher, asking how to send me a book for review.  The only possible reason I could see was that the publisher copied three of my email addresses on the same message.  A lot of people do that, but it usually doesn’t trip the spam filter.  Today it did.  (Someone else with Shaw “service” tried to send out an announcement to a group.  Since he didn’t have a mailing list server, he just sent out a bunch of messages.  Apparently that got *his* account flagged as spamming.)  I also got the usual round of messages from security mailing lists tagged as spam: Shaw sure has something against security.  And at least one 419 scam got through unflagged today, despite being like just about every other 419 in the world.  (Oddly, during this period I’ve noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, “live chat,” and Twitter.  I follow ShawInfo and Shawhelp on Twitter.  On Twitter, I was told to send them a direct message (DM).  I had, in fact, tried to do that, but Shaw doesn’t accept direct messages by default.  (Since I pointed that out to them, they now, apparently accept them from me.)  They sent me public messages on Twitter, and I replied in kind.  Through the Twitter account they also informed me that error 554 is “poor reputation” and is caused by sending too many emails.  They didn’t say how many is too many.  (Testing by someone else indicated something on the order of 50-100 per hour, and I’ve never done anything near that scale.)

5) The “live chat” function installs some software on your (the client) machine.  At least two of the pieces of software failed the digital signature verification …

6) The “information” I got from Shaw was limited.  The first (phone) support call directed me to http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169  If you read the page, the information is almost entirely about the “network” with only a few (and not informative) pieces about the IP address itself.  (I did, separately, confirm that this was my IP address.)  The bulk of the page is a report on addresses that aren’t even in the same range as I am.  About halfway down the right hand side of the page is “DNS-based blocklists.”  If you click the “[Show/Hide all]” link you’ll notice that four out of five think I’m OK.  If you click on the remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169  At the moment, it shows that I’m completely OK.  At the time I was dealing with Shaw, it showed that it’s not in the SpamHaus Block List (SBL) or the XBL.  It was in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+  Again, this page showed a single negative entry, and a whole page of positive reports.  The single negative entry, if pursued, went to the same Spamhaus report as detailed above.

8) At the time, both initial pages, if followed through in terms of details, led to http://www.spamhaus.org/pbl/query/PBL164253 giving, as the reason, that “This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.”  Again, Shaw’s problem, not mine.  However, that page has a link to allow you to try and have an address removed.  However, it says that the “Removal Procedure” is only to be used “If you are not using normal email software but instead are running a mail server and you are the owner of a Static IP address in the range 70.79.164.0/22 and you have a legitimate reason for operating a mail server on this IP, you can automatically remove (suppress) your static IP address from the PBL database.”  Nevertheless, I did explore the link on that page, which led to http://www.spamhaus.org/pbl/removal/  Again, there you are told “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server, and (B) if you have a specific technical reason for needing to run a ‘direct-to-MX’ email service, such as a mail server appliance, off the Static IP address. In all other cases you should NOT remove an IP address from the PBL.”  This did not refer to my situation.  Unfortunately, THESE TWO PAGES ARE INCORRECT.  If you do proceed beyond that page, you get to http://www.spamhaus.org/pbl/removal/form  This page does allow you to submit a removal request for a dynamic IP address, and, in fact, defaults to dynamic in the form.  It was only on the last part of the second call, when the Shaw tech gave me this specific address, that I found this out.  For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become infected, I used two AV scanners, one spyware scanner, and two rootkit scanners.  (All results negative, although the Sophos rootkit scanner could have been a bit clearer about what it had “found.”)  Of course, I’ve been in the field for over two decades.  How would the average user (or even a security professional in a non-malware field) even know that there are different types of scanners?  (Let alone the non-signature based tools.)
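The SBL/XBL/PBL distinction in points 6 and 8 is exactly what a DNSBL answer encodes, so here is an added example (my own code, not Shaw’s or Spamhaus’s) of checking it programmatically: it builds the reversed-octet query name for a Spamhaus ZEN lookup, decodes the documented return codes, and reports whether an address carries a reputation listing (SBL/XBL) or only a policy listing (PBL). The resolver is injectable; the canned answers, including the one for 70.79.166.169, are constructed for the example, and 192.0.2.10 and 198.51.100.7 are documentation-range addresses that are listed nowhere.

```python
import socket

# Spamhaus ZEN return codes as Spamhaus documents them: 127.0.0.2-3 are SBL
# (reputation) listings, 127.0.0.4-7 XBL (compromised host) listings,
# 127.0.0.10-11 PBL (policy) listings, and 127.255.255.x signals a query
# error rather than a listing. Everything else in this file is constructed.
ZEN_CODES = {
    "127.0.0.2": ("SBL", "reputation"),
    "127.0.0.3": ("SBL/CSS", "reputation"),
    "127.0.0.4": ("XBL", "reputation"),
    "127.0.0.5": ("XBL", "reputation"),
    "127.0.0.6": ("XBL", "reputation"),
    "127.0.0.7": ("XBL", "reputation"),
    "127.0.0.10": ("PBL (ISP maintained)", "policy"),
    "127.0.0.11": ("PBL (Spamhaus maintained)", "policy"),
    "127.255.255.252": ("query error: typing error in DNSBL name", "error"),
    "127.255.255.254": ("query error: query via public/open resolver", "error"),
    "127.255.255.255": ("query error: excessive number of queries", "error"),
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name):
    """Real lookup: the A records returned for a listed name, [] when not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers so the example runs offline. The first mirrors what the
# post describes for 70.79.166.169 (a PBL listing only); the second is an
# invented address that is both a compromised host and in a PBL range.
CONSTRUCTED_ANSWERS = {
    "169.166.79.70.zen.spamhaus.org": ["127.0.0.11"],
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],
}


def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


def classify(ip, resolver=live_resolver, zone="zen.spamhaus.org"):
    """Query ZEN for ip and separate reputation listings from policy-only ones."""
    listings = []
    kinds = set()
    for code in resolver(dnsbl_query_name(ip, zone)):
        name, kind = ZEN_CODES.get(code, ("unrecognised code " + code, "unknown"))
        listings.append(name)
        kinds.add(kind)
    if "error" in kinds:
        verdict = "error"           # the lookup itself failed; say nothing about the IP
    elif "reputation" in kinds:
        verdict = "reputation"      # SBL/XBL: the address itself has misbehaved
    elif kinds == {"policy"}:
        verdict = "policy-only"     # PBL: the *range* is not meant to send direct-to-MX
    elif not kinds:
        verdict = "clean"
    else:
        verdict = "unknown"
    return {"ip": ip, "listings": listings, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("70.79.166.169", "192.0.2.10", "198.51.100.7"):
        print(classify(ip, constructed_resolver))
```

A PBL-only result tells a receiving MTA that the address is not supposed to deliver direct-to-MX mail; it says nothing about the behaviour of whoever is behind it, and it is irrelevant to a customer who sends through the ISP’s own mail relay. A reputation listing is the thing worth investigating. Queries sent through a public resolver come back as a 127.255.255.x error code rather than a listing, which the function reports as an error instead of reading as “clean”.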


Shaw Cable security (lack-of) support

As noted, Shaw is not very helpful with spam.  I’ve been getting spam from Marlin Travel, and from a band of people selling recruiting seminars, for a number of years.  I have been reporting this spam (to Shaw, and their supposedly automated spam filters) on at least a weekly basis for years.  Occasionally they deign to mark one of the messages as spam, but not on anything like a consistent basis.

Spam filtering is not transparent.  You can turn it on, or off.  You can have the spam go to the bit bucket, or get flagged.  There are no other options, and you have no information on how it works (or doesn’t).  (Heck, Vancouver Community Net [formerly Free-Net] does better than that.)

On my non-support call with Shaw, the agent did correctly identify the IP address I am (currently) using.  I have no idea when last it was switched.  Looking it up on senderbase is not supremely informative: there doesn’t seem to be any information on the address itself, other than the fact that it’s not in the SpamHaus Block List (SBL) or the XBL.  It is in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

Meantime I have confirmed that, as I already knew, there is nothing malware or spam related on my machine.  Nothing that MSE detects.  Nothing that Vipre detects.  Nothing that Spybot detects.  At the moment I’m running the Sophos rootkit detector, and F-Secure’s Blacklight.  They haven’t found anything either.  I am, of course, morally certain that Shaw was lying to me about the possibility, but, unlike them, I’m not arrogant enough not to check.  I was right: they are idiots.  And, with their non-support, have cost me a lot of valuable time checking a clean machine.  (Plus not providing the Internet service I’m paying for.)


“Extrusion Detection”, Richard Bejtlich

BKEXTDET.RVW   20101023

“Extrusion Detection”, Richard Bejtlich, 2006, 0-321-34996-2,
U$49.99/C$69.99
%A   Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-34996-2
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0321349962/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0321349962/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321349962/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   385 p.
%T   “Extrusion Detection: Security Monitoring for Internal Intrusions”

According to the preface, this book explains the use of extrusion detection (related to egress scanning), to detect intruders who are using client-side attacks to enter or work within your network.   The audience is intended to be architects, engineers, analysts, operators and managers with an intermediate to advanced knowledge of network security.  Background for readers should include knowledge of scripting, network attack tools and controls, basic system administration, TCP/IP, as well as management and policy.  (It should also be understood that those who will get the most out of the text should know not only the concepts of TCP/IP, but advanced level details of packet and log structures.)  Bejtlich notes that he is not explicitly addressing malware or phishing, and provides references for those areas.  (It appears that the work is not directed at information which might detect insider attacks.)

Part one is about detecting and controlling intrusions.  Chapter one reviews network security monitoring, with a basic introduction to security (brief but clear), and then gives an overview of monitoring and listing of some tools.  Defensible network architecture, in chapter two, provides lucid explanations of the basics, but the later sections delve deeply into packets, scripts and configurations.  Managers will understand the fundamental points being made, but pages of the material will be impenetrable unless you have serious hands-on experience with traffic analysis.  Extrusion detection itself is illustrated with intelligible concepts and examples (and a useful survey of the literature) in chapter three.   Chapter four examines both hardware and software instruments for viewing enterprise network traffic.  Useful but limited instances of layer three network access controls are reviewed in chapter five.

Part two addresses network security operations.  Chapter six delves into traffic threat assessment, and, oddly, at this point explains the details of logs, packets, and sessions clearly and in more detail.   A decent outline of the advance planning and basic concepts necessary for network incident response is detailed in chapter seven (although the material is generic and has limited relation to the rest of the content of the book).  Network forensics gets an excellent overview in chapter eight: not just technical points, but stressing the importance of documentation and transparent procedures.

Part three turns to internal intrusions.  Chapter nine is a case study of a traffic threat assessment.  It is, somewhat of necessity, dependent upon detailed examination of logs, but the material demands an advanced background in packet analysis.  The (somewhat outdated) use of IRC channels in botnet command and control is reviewed in chapter ten.

Bejtlich’s prose is clear, informative, and even has touches of humour.  The content is well-organized.  (There is a tendency to use idiosyncratic acronyms, sometimes before they’ve been expanded or defined.)  This work is demanding, particularly for those still at the intermediate level, but does examine an area of security which does not get sufficient attention.

copyright, Robert M. Slade   2010     BKEXTDET.RVW   20101023


CAPTCHA bypassing for profit

Did you wonder what this is used for? The following FAQ may give a hint:

Hi! I want to bypass captcha from my bots. Bots have different IPs. Is it possible to use your service from many IPs?

We have no restrictions about IP: with DeCaptcher you can bypass CAPTCHA from as many IPs as you need.

In other words: Just used a Virus to break into thousands of botnet computers and now you are not sure what to do? These guys will help you take the next step and set up myspace/facebook/gmail/twitter accounts while bypassing the CAPTCHA and you can then use that to spam the world. Thank you DeCaptcher for giving the Internet such a valuable service.


Heathrow calling

Here’s a weird spam I got last night:

Hello

The route taken through Customs is mainly determined by your point of departure and whether you are bringing into the country more duty payable goods than your free allowance. For those passengers who have flown in from outside the European Community (EC), their baggage will have a white tag and they must pass through either the Red or Green channel according to the amount of duty free goods they have. Those passengers arriving from countries within the EC should use the Blue channel, and their baggage will have green-edged tag.

As part of our routine check and based on the above, we have a consignment in your name; you are advised to come to the office address below

Customs office
Terminal 3
Heathrow Airport

You are required to come with the following:
1. Your ID
2. Diplomatic Tag either white or green-edge tag.
3. Non Inspection document

Your appointment time is 10am GMT, failure to comply; we will have over the matter to Metropolitan and the FBI. I am the officer in charge of your matter.

Thomas Smith
UK Customs
Heathrow Airport

It’s weird, because it contains no advertisement, and no links. There’s nothing “encoded” in it - it seems to be an old version of this notice.

So why would a spammer waste valuable botnet cycles on sending me the email? The only explanation I could come up with is a “boy who cried wolf” attack. You send this email a few times, and the Bayesian filtering systems train themselves that this is a good email (i.e. “ham”). Most Bayesian spam filtering systems have a loopback mechanism where spam email is used to train the system further, and ham email is used to teach the system what “good” email is. If this email is seen a few times and considered ham, spam filters will accept something similar to it that contains a link. That link can be the spam or phishing attack.

Another guess is that it’s simply used to verify email addresses - you read that a scary Customs agent from Heathrow wants you in his office first thing tomorrow morning, and you quickly reply to ask what it’s about; the spammer (whose reply-to address is different than the “From”) gets a confirmation that your email address is valid, maybe with some more details like your phone number. This is a plausible explanation but it seems like too much hard work just to get some valid email addresses.
Any other guesses?
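To make the “boy who cried wolf” mechanism concrete, here is an added example (my own code, not the blog’s) of a small multinomial naive Bayes filter with the loopback described above: whatever it scores as ham is fed back in as ham training data. The seed corpus, the link-free decoy text and the follow-up message carrying a link are all constructed stand-ins for the Heathrow mail. The second run applies confidence thresholds to the auto-learning, which is the usual defence: a message the filter is unsure about is never used to train it.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; a URL splits into its words (http, host, path)."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace smoothing, as in many Bayesian spam filters."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, label, text):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_likelihood(self, label, tokens):
        counts = self.word_counts[label]
        denom = sum(counts.values()) + len(self.vocab)
        return sum(math.log((counts[w] + 1) / denom) for w in tokens)

    def spam_probability(self, text):
        tokens = tokenize(text)
        total_docs = self.doc_counts["spam"] + self.doc_counts["ham"]
        log_spam = math.log(self.doc_counts["spam"] / total_docs) + self._log_likelihood("spam", tokens)
        log_ham = math.log(self.doc_counts["ham"] / total_docs) + self._log_likelihood("ham", tokens)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def auto_train(self, text, ham_threshold=0.5, spam_threshold=0.5):
        """The loopback: learn from the filter's own verdict. With the default
        thresholds every message is learned; tighter thresholds (e.g. 0.1/0.9)
        only learn from confident verdicts."""
        p = self.spam_probability(text)
        if p < ham_threshold:
            self.train("ham", text)
        elif p > spam_threshold:
            self.train("spam", text)
        return p


# Constructed seed corpus (a few lines each, not real mail).
SPAM_SEED = [
    "click here to claim your prize http://example.invalid/win",
    "cheap pills buy now http://example.invalid/pills",
    "your account needs verification click http://example.invalid/login",
]
HAM_SEED = [
    "meeting moved to 10am tomorrow see you there",
    "attached is the review draft for the book chapter",
    "lunch on friday? let me know",
]

# Constructed stand-ins for the Heathrow message: the link-free decoy, then the
# same text with the link the spammer actually wants delivered.
DECOY = "customs office heathrow airport consignment appointment 10am terminal 3"
PAYLOAD = DECOY + " http://example.invalid/login"


def build_filter():
    f = NaiveBayesFilter()
    for text in SPAM_SEED:
        f.train("spam", text)
    for text in HAM_SEED:
        f.train("ham", text)
    return f


def run_poisoning_demo(copies=3):
    """Score PAYLOAD before and after the decoy has been seen `copies` times,
    once with an unguarded loopback and once with confidence thresholds."""
    naive = build_filter()
    before = naive.spam_probability(PAYLOAD)
    for _ in range(copies):
        naive.auto_train(DECOY)                     # scored as ham, so learned as ham
    after_naive = naive.spam_probability(PAYLOAD)

    guarded = build_filter()
    for _ in range(copies):
        guarded.auto_train(DECOY, ham_threshold=0.1, spam_threshold=0.9)
    after_guarded = guarded.spam_probability(PAYLOAD)
    return {"before": before, "after_naive_loopback": after_naive,
            "after_guarded_loopback": after_guarded}


if __name__ == "__main__":
    for k, v in run_poisoning_demo().items():
        print("%-24s P(spam) = %.3f" % (k, v))
```

With the unguarded loopback the payload starts out clearly spam (the link tokens are only ever seen in spam) and ends up clearly ham after three decoys, because every decoy word now has a ham count and the decoy outweighs the link. The guarded filter scores the decoy as “probably ham, not sure” and therefore never learns it, so the payload’s score does not move at all.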


If Cane Toads, why not computer viruses?

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)


Paying bills online? You might be pwned

Online payment system infected with malware? Not good.

You are receiving this message because you are a subscriber to online bill payment services through CheckFree or through a provider who contracts with CheckFree for these services. This message is sent on behalf of CheckFree by Silverpop Systems.

December 11, 2008
AVIRAM JENIK

[address omitted]

Dear AVIRAM JENIK,
We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may have been exposed to software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

  • You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
  • You were using a computer with the Windows operating system, and
  • You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
  • After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. [marketing blurb about an AV vendor that was quick enough to cash in]

CheckFree will never ask for your password via email or via phone.  If you ever receive an email requesting your password, do not respond and delete the email immediately.

We value your business and your trust, and we apologize for any inconvenience this incident has caused.
Thank you,

Art D’Angelo
Vice President, CheckFree Customer Operations

I guess we’ll call this the CheckFree botnet?


Spam coming to twitter

I guess one of the signs that your web service is taking off is that spammers are targeting you. In the last few days more and more fictitious followers have surfaced, obviously for the purpose of sending twitter spam once you follow the person who is following you (as most people do almost without thinking).

The twitter team seem to be doing a good job of suspending those accounts immediately (perhaps automatically?); now they just need to figure out how to prevent them from signing up in the first place.
(Images: “Twitter spam” and “Twitter account suspended”)

Update: Definitely not automatically. The last batch of spam followers are still active accounts. Or maybe they figured twitter’s threshold and they are avoiding the automatic suspension.


Boxee on AppleTV users are exposed

Xyberpix posted his challenge without giving us any advance notice, but being the ego-driven macho man that I am, even with mediocre writing skills, I can’t not accept it.

So here’s a random thought for the day. AppleTV is a useless brick unless hacked to run something like boxee or another front-end player for custom movie files. It’s safe to say most AppleTV users use it to play content outside iTunes.

The latest AppleTV update (version 2.3) has two interesting qualities.

One, it fixes several vulnerabilities involving playing malformed movie files (kudos to ZDI for the finds). It shouldn’t be difficult to compare 2.3 to 2.2 and find where the problems are exactly. Some reverse-assembly is required, but it’s definitely doable.

Two, it breaks many of the hacks like mounting external USB drives, and creates problems for applications like boxee.

From problem #2, I’m willing to guess many (most?) of the ATV users that hacked the machine haven’t upgraded. From problem #1 I know that those who haven’t upgraded are vulnerable. They will remain vulnerable for some time, until the hacks improve and find a way around this infamous update.

So will we see an attack targeting AppleTV any time soon? It’s a cute little linux-based device that sits in the network with a connection to the local home LAN. All it takes is the right AVI on the piratebay (or youtube?) to create a little AppleTV zombie net.


Microsoft Windows RPC Vulnerability MS08-067 (CVE-2008-4250) FAQ - October 2008 [UPDATED]

Summary:
This is a Frequently Asked Questions document about the new, recently patched RPC vulnerability in Microsoft Windows. The document describes the related Trojan and worm malware as well.
It is worth noting that code execution vulnerabilities in Office programs have been widely used for industrial espionage since 2006. This time the exploitation uses a non-Office vulnerability, and the e-mail attack vector is not used.

Update: After the weekend, the malware analyses show that the Trojan was designed to steal credentials and to build a botnet-like network.

Q: What is the recent Microsoft Windows RPC vulnerability disclosed in October?
A: This vulnerability is caused by an error when processing malformed RPC (Remote Procedure Call) requests. The issue was disclosed by the vendor after active exploitation of the vulnerability.
Q: How does the vulnerability work?
A: It is a code execution vulnerability: an attacker who successfully exploits it can run code of his or her choice on the affected machine.
It is caused by an overflow when handling malformed RPC requests, which allows arbitrary attacker-supplied code to be executed. Technically, the vulnerability is in the Server service.

Q: When was this vulnerability found?
A: Exact information is not available. Information about the upcoming security update was announced on 22nd October, but the vulnerability had already been used in targeted attacks for at least two weeks. The exploitation disclosed the existence of the vulnerability.

Q: What is the exploitation mechanism?
A: Details were not disclosed, but during exploitation malicious executables are downloaded from a remote Web site and executed.

Q: Has exploit code for this vulnerability been publicly released?
A: Yes. On Friday 24th October proof-of-concept code was released on a security researcher’s blog and on a public, moderated security mailing list. The PoC has also been released at several well-known exploit and security community Web sites. A Metasploit module has been released too (link). The PoCs work against Windows XP SP2, Windows XP SP3 and Windows 2003 Server SP2 machines.

Q: Which Windows versions are affected?
A: Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008 systems are affected.

Q: I am using the 7 Pre-Beta version of Windows, is my operating system affected?
A: According to Microsoft, it is affected too. An update is available (see MS08-067).

Q: I am a home user, is it possible to update my system in a normal way via Microsoft Update?
A: Yes, visiting the Microsoft Update Web site at http://update.microsoft.com/ will update the system against exploitation of the vulnerability. If Automatic Updates is enabled, the system will be updated automatically without any action by the user.

Q: Where are the official Microsoft documents related to this case located?
A: The official Security Bulletin MS08-067, entitled Vulnerability in Server Service Could Allow Remote Code Execution (958644) has been released at Microsoft TechNet Security section:
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Updated information released by the vendor has been covered at MSRC Blog (The Microsoft Security Response Center Blog). The address of the blog is blogs.technet.com/msrc/.
File information of the MS08-067 security update has been released at separate Knowledge Base document #958644: support.microsoft.com/kb/958644.
Microsoft Security Advisory #958963 released to notify the availability of the security update is located at
www.microsoft.com/technet/security/advisory/958963.mspx

Q: What does the term ‘out-of-band’ mean?
A: Normally Microsoft releases security updates once a month, on the second Tuesday of every month. Very rarely, as with the Windows ANI vulnerability, a security update comes out outside this regular update cycle. Out-of-band and out-of-cycle describe the situation where waiting for the regular update Tuesday, the so-called Patch Tuesday, is not enough to protect Windows systems against exploitation.
The next security updates will be released on Tuesday 11th November.

Update:
Q: Is this a new Slammer worm?
A: No, thanks to the new security features included in SP2 etc. However, on 3rd Nov a worm exploiting this vulnerability was reported.

Q: Are there any workarounds available? Our organization is still testing the patch.
A: The security bulletin lists the following workarounds:
-Disable the Server and Computer Browser services
-Block TCP ports 139 and 445 at the firewall

Q: Are there Snort rules available for this vulnerability?
A: Yes. Additional details can be obtained at
www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
known as a ruleset against Microsoft DCE/RPC remote code execution attempts.
The download address is www.snort.org/pub-bin/downloads.cgi
(to paying Sourcefire customers)
Emerging Threats project has released new signatures too, details at
http://www.emergingthreats.net/index.php/component/content/article/17-sigs/125-weekly-new-signatures-october-25-2008.html

Q: What is the status of Nessus plugins for this vulnerability?
A: Nessus Plugin ID #34476 has been released. More information is available at
www.nessus.org/plugins/index.php?view=single&id=34476

Q: Which organizations etc. were targeted with this vulnerability?
A: This information is not available and probably never will go public. Microsoft has confirmed that fewer than 100 organizations were hit in targeted attacks.

Q: Is there information about file sizes used during the attacks?
A: Yes. The size is 397,312 bytes.
Update: The size can be anything between 49,152 and 417,792 bytes.

Q: How can the user notice the infection?
A: It is reported that the command prompt will appear.

Q: What are the names of the malware exploiting this vulnerability?
A: There are reports about a data collecting Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A).

The following names are being used (listed in alphabetical order):
AhnLab - Dropper/Gimmiv.397312 since 2008.10.24.04
Authentium - W32/Gimmiv.A since 23rd Oct
Avira - TR/Dldr.Agent.gcx since 24th Oct, iVDF 7.00.07.81
Bitdefender - Win32.Worm.Gimmiv.A since 23rd Oct
- dropper detected as Win32.Worm.Gimmiv.B
CA - Win32/Gimmiv.A since eTrust 31.6.6167
ClamAV - Trojan.Gimmiv since 8524
- Trojan.Gimmiv-1…Trojan.Gimmiv-7 since 8526
Dr.Web - DLOADER.PWS.Trojan since 23rd Oct
Eset - Win32/Gimmiv.A since 24th Oct, v.3551
- Win32/Spy.Gimmiv, Win32/Spy.Gimmiv.A since v.3553
- Win32/Spy.Gimmiv.B since v.3555
Fortinet - W32/Gimmiv.A!tr.spy
- name change: W32/Gimmiv.A!worm since 9.676
F-Secure - Trojan-Spy:W32/Gimmiv.A since 2008-10-24_01
- Trojan-Spy:W32/Gimmiv.B since 2008-10-24_05
- Trojan-Spy:W32/Gimmiv.C, D, E, F variants since 2008-10-24_08
- Net-Worm.Win32.Gimmiv.a since 25th Oct 2008-10-25_01
McAfee - PWS.y!C91DA1B9 since DAT5413
- Spy-Agent.da since 23rd Oct, DAT5414, its DLL component detected as Spy-Agent.da.dll
Microsoft - TrojanSpy:Win32/Gimmiv.A[.dll] since 23rd Oct
- since 24th Oct update 1.4005 included signatures
- exploit: Exploit:Win32/MS08067.gen!A
Kaspersky - Trojan-Downloader.Win32.Agent.alce since 24th Oct, 7.0.0.125
Panda Security – detected as ‘Suspicious file’ since 23rd Oct, 9.0.0.4
- Gimmiv.A since 24th Oct
PCTools - Trojan-Spy.Gimmiv.A
Prevx - detected as ‘Cloaked Malware‘
Rising - Trojan.Spy.Win32.Undef.z since 23rd Oct, 21.00.32.00
Sophos - Sus/Dropper-A since 21st Aug (based to heuristic techniques)
- additionally Troj/Gimmiv-A, IDEs since 4.34.0,
- Troj/Gimmiv-Gen since 4th Nov
Symantec - Infostealer since 23rd Oct
- name change: Trojan.Gimmiv.A since 24th Oct, rev. 024
- malicious files detected as Bloodhound.Exploit.212
Trend Micro - WORM_GIMMIV.A since 5.617.00
- TSPY_GIMMIV.A since 5.617.00

where a version such as ’2008.10.24.04’ means that those virus signatures, or newer, include protection for the malware.

Alias names CVE-2008-4250, W32.Slugin.A and W32/NetAPI32.RPC!exploit.M20084250 are in use too.

Update: Added Arpoc section:
BitDefender - Win32.Worm.Gimmiv.B
CA - Win32/Gimmiv.B since 31.6.6172
Dr.Web - Win32.HLLW.Jimmy.3 since unknown signatures
McAfee - Spy-Agent.da since DAT5414, its DLL component detected as Spy-Agent.da.dll

Update: Added RPC worm section:
AntiVir - TR/Expl.MS08-067.G
BitDefender - Trojan.Downloader.Shelcod.A
ClamAV - Exploit.MS08-067 since 8566
Eset - Win32/Exploit.MS08-067.B, C and D since 3576
F-Secure - worm component as Exploit.Win32.MS08-067.g
- kernel component as Rootkit.Win32.KernelBot.dg
Ikarus - Virus.Exploit.Win32.MS08.067.g
Kaspersky - Exploit.Win32.MS08-067.g since 31st Oct
McAfee - kernel component as KerBot!37E73FFB since DAT5422
Microsoft - Exploit:Win32/MS08067.gen!A
- Trojan:Win32/Wecorl.A
- Trojan:Win32/Wecorl.B
Norman - kernel component as w32/agent.jbvo
Prevx - Worm.KernelBot
Sophos - Mal/Generic-A
- Exp/MS08067-A since 4th Nov
Symantec - W32.Wecorl since 3rd Nov (latest daily certified version) rev. 052
- W32.Kernelbot.A since 3rd Nov (latest daily certified version) rev. 041
Trend Micro - WORM_KERBOT.A since 5.637.00
- WORM_WECORL.A since 5.640.05

Q: What kind of payload does this Trojan horse have?
A: This is what the Trojan gathers (according to Microsoft’s document):
*User Name
*Computer Name
*Network Adapters / IP Addresses
*Installed com objects
*Installed programs and installed patches
*Recently opened documents
*Outlook Express and MSN Messenger credentials
*Protected Storage credentials

Q: What kind of Trojan attacked the targeted organizations?
A: It is a very sophisticated and dangerous Trojan. It encrypts the data with AES and deletes itself after its operations. Before sending the gathered data to the attacker it reports the installed AV software (read from HKEY_LOCAL_MACHINE\SOFTWARE\) as a parameter (BitDefender, Jiangmin, Kingsoft, Kaspersky, Microsoft OneCare, Rising and Trend Micro).

Q: Are there any changes to Windows registry or the file system made by this malware?
A: The following registry key is being modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr
The display name of the service being generated is System Maintenance Service.
The malicious files are copied to the System32\wbem folder, including basesvc.dll, syicon.dll, winbase.dll and winbaseInst.exe. NOTE: After being executed the Trojan deletes these files and itself.
Update: According to Arbor Networks the file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log is being dropped too.

Q: Now I know that my anti-virus software may report computers in my organization as clean because the Trojan has deleted itself from the system. What are the names of the malicious executables, so that I can search for them and examine logs etc.?
A: There are several names, and all of the files have the same size mentioned earlier, i.e. 397,312 bytes.
Update: According to McAfee the size varies from 49,152 to 417,792 bytes.

The most common file name is N2.exe. However, file names of the form Nx.exe are widespread as well, where x is a digit from 1 through 9.
The MD5 hash of one specific N2.exe file seen in the wild on 23rd Oct is f173007fbd8e2190af3be7837acd70a4.
Update: To list one more, the MD5 hash of n5.exe is 24cd978da62cff8370b83c26e134ff4c.

The Prevx database also knows the following file names:
15197927.EXE, 00003106.EXE, NVIR/N2.EXE, 18912604.EXE, 54800477.DAT
The file name can also take the form NVIR/N3.EXE etc.
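The file names, sizes and MD5 hashes above can be turned into a simple triage script for hosts where the AV scanner now reports "clean". The following is an added example written for this FAQ, not a tool from the FAQ author or any AV vendor; the indicator values are copied from the answers above, while the directory tree it scans is constructed inside the script. It treats the size range as McAfee's 49,152 to 417,792 bytes, and the NVIR/N2.EXE form is handled by matching on the base name only.

```python
"""Triage helper: flag files that match the Gimmiv indicators listed in the FAQ.

Added example, not part of the FAQ. The names, sizes and MD5 hashes are the
values the FAQ quotes; the sample directory tree built by demo() is constructed.
"""
import hashlib
import os
import re
import tempfile

# From the FAQ: N2.exe is most common, Nx.exe with x in 1..9 is widespread;
# Prevx also lists these names (the NVIR/N3.EXE form is just a folder prefix).
NAME_PATTERN = re.compile(r"^n[1-9]\.exe$", re.IGNORECASE)
KNOWN_NAMES = {"15197927.exe", "00003106.exe", "18912604.exe", "54800477.dat"}
# Files dropped into System32\wbem (and the Arbor Networks log file), per the FAQ.
DROPPED_NAMES = {"basesvc.dll", "syicon.dll", "winbase.dll",
                 "winbaseinst.exe", "macnabi.log"}
# From the FAQ: 397,312 bytes originally; McAfee later reported 49,152 - 417,792.
SIZE_MIN, SIZE_MAX = 49_152, 417_792
KNOWN_MD5 = {
    "f173007fbd8e2190af3be7837acd70a4",  # N2.exe seen 23rd Oct
    "24cd978da62cff8370b83c26e134ff4c",  # n5.exe
}


def md5_of(path, chunk=65536):
    """Hash a file in chunks so large files do not need to be read at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return the list of indicator labels matching this file (empty = no match)."""
    name = os.path.basename(path).lower()
    size = os.path.getsize(path)
    hits = []
    if NAME_PATTERN.match(name) or name in KNOWN_NAMES:
        hits.append("name")
        if SIZE_MIN <= size <= SIZE_MAX:
            hits.append("size")
    if name in DROPPED_NAMES:
        hits.append("dropped-file")
    if md5_of(path) in KNOWN_MD5:
        hits.append("md5")
    return hits


def scan(root):
    """Walk a directory tree; map relative path (with '/') to its indicator hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            hits = classify(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Build a constructed tree (not real malware) and scan it; returns findings."""
    with tempfile.TemporaryDirectory() as root:
        # constructed: suspicious name at the reported size, a harmless file,
        # and one of the dropped file names in a wbem-like folder
        with open(os.path.join(root, "N2.exe"), "wb") as fh:
            fh.write(b"\0" * 397_312)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"hello")
        os.makedirs(os.path.join(root, "wbem"))
        with open(os.path.join(root, "wbem", "basesvc.dll"), "wb") as fh:
            fh.write(b"x")
        return scan(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point it at a mounted image or a collected System32 copy rather than a live system where possible; a name or size match alone is only a lead, while an MD5 match is a confirmed sample. Hits are returned as data so they can be fed into whatever case tracking is in use.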

Q: What type of network connections do these malware make?
A: Gimmiv.A sends ICMP Echo Request packets containing the string ”abcde12345fghij6789” to multiple IP addresses.

Q: How can I recognize the malicious files spreading the RPC worm (Exploit.Win32.MS08-067.g)?
A: The file names reported in the wild are 6767.exe and KernekDbg.exe.

Q: What is the size of these files?
A: The sizes vary, but many of them are 16,384 bytes long.

Q: What kind of network connections does the worm make, and are there any modifications made to the Windows registry?
A: It connects to robot.10wrj.com, ls.cc86.info, ls.lenovowireless.net and ls.playswomen.com. Yes, the worm adds a new value under HKLM\SOFTWARE\Licenses and HKLM\SOFTWARE\Google.

Q: Are there any changes to Windows HOSTS file?
A: Yes, the lines
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 alert.rising.com.cn
127.0.0.1 www.mcafee.com
will be added to the HOSTS file.
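The ICMP marker string, the worm's hostnames and the HOSTS entries from the three answers above are all simple to check for. The following is an added example, not code from the FAQ or from any vendor: it parses a raw IPv4/ICMP packet for the Gimmiv.A payload string, matches queried names in a DNS log against the worm's hostnames, and flags HOSTS lines that point the listed AV domains at loopback. The packet, the DNS log format ("client query name type") and the HOSTS text are constructed for the example; the indicator values are the FAQ's.

```python
"""Check the network and host indicators the FAQ lists for Gimmiv.A and the
MS08-067 RPC worm.  Added example; the packet, DNS log lines and HOSTS text
are constructed here, the indicator values are quoted from the FAQ.
"""
import struct

ICMP_MARKER = b"abcde12345fghij6789"  # Gimmiv.A echo-request payload string
C2_HOSTS = {"robot.10wrj.com", "ls.cc86.info",
            "ls.lenovowireless.net", "ls.playswomen.com"}
# Domains the worm redirects to loopback via the HOSTS file
BLOCKED_AV_HOSTS = {"dnl-cn1.kaspersky-labs.com", "alert.rising.com.cn",
                    "www.mcafee.com"}

# constructed sample inputs
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 alert.rising.com.cn
127.0.0.1   WWW.mcafee.com   # appended by the worm
93.184.216.34 www.example.com
"""
SAMPLE_DNS_LOG = """10.0.0.5 query robot.10wrj.com. A
10.0.0.5 query www.example.com. A
10.0.0.7 query LS.cc86.info. A
"""


def icmp_payload(packet):
    """Return the ICMP payload of a raw IPv4 packet, or None if not an echo packet."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP
        return None
    if packet[ihl] not in (0, 8):         # echo reply / echo request
        return None
    return packet[ihl + 8:]


def is_gimmiv_probe(packet):
    """True when an echo packet carries the Gimmiv.A marker string."""
    payload = icmp_payload(packet)
    return payload is not None and ICMP_MARKER in payload


def build_echo_request(payload, src="10.0.0.5", dst="10.0.0.9"):
    """Constructed IPv4 + ICMP echo request (checksums left zero; parsing only)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # type 8, code 0, id 1, seq 1
    return ip + icmp + payload


def c2_hits(dns_log):
    """Queried names in a 'client query name type' log that match the worm's hosts."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "query":
            name = parts[2].rstrip(".").lower()
            if name in C2_HOSTS:
                hits.append(name)
    return hits


def suspicious_hosts_entries(hosts_text):
    """(address, name) pairs where a listed AV domain is mapped to loopback."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        loopback = addr.startswith("127.") or addr == "::1"
        for name in names:
            if loopback and name in BLOCKED_AV_HOSTS:
                found.append((addr, name))
    return found


if __name__ == "__main__":
    print(is_gimmiv_probe(build_echo_request(b"xx" + ICMP_MARKER + b"yy")))
    print(c2_hits(SAMPLE_DNS_LOG))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```

The HOSTS parser deliberately lowercases names and strips comments, because the worm's appended lines need not match the formatting of the rest of the file. On a real capture the packet bytes would come from a pcap reader; the parser only needs the IPv4 header onward.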

Q: Is there a CVE name available for this issue?
A: Yes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following CVE candidate, CVE-2008-4250:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Q: What is the CVSS severity of this vulnerability?
A: The CVSS (Common Vulnerability Scoring System) score is 10.0 (High).

Q: Is there a CWE class assigned?
A: The CWE (Common Weakness Enumeration) ID of the vulnerability is CWE-119, i.e. the Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer class:
cwe.mitre.org/data/definitions/119.html

Q: Is there a CME name available?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier for these malware.

Q: Is authentication needed to exploit this RPC vulnerability?
A: On Windows 2000, XP, and Windows Server 2003 systems arbitrary code can be run without authentication. On Vista systems authentication is needed.

Q: What is the vulnerable component?
A: It is netapi32.dll (Net Win32 API DLL). On Windows 2000 SP4 the non-affected version is 5.0.2195.7203, on Windows XP SP3 it is 5.1.2600.5694, and on Vista SP1 there are several 6.0.6000.xxxx versions; see KB958644 for details. The vulnerable Windows API call is NetPathCanonicalize().
Secunia has renamed its vulnerability advisory to Windows Path canonicalisation vulnerability. It states that the flaw in processing directory traversal character sequences in path names can be triggered by sending crafted RPC requests to the Server Service.
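A quick way to use the non-affected netapi32.dll versions quoted above is to compare the file version found on a host against them numerically. The following is an added example, not from the FAQ or from Microsoft: it parses four-field version strings into tuples so that the comparison is numeric per field (a plain string comparison would rank 5.1.2600.999 above 5.1.2600.5694). It assumes that any build at or above the quoted version on the same 2000 SP4 or XP SP3 build line is patched, and reports "unknown" for Vista, since the FAQ only says several 6.0.6000.xxxx versions exist without listing them. The version strings passed in are constructed.

```python
"""Compare a netapi32.dll file version against the non-affected versions the
FAQ quotes for MS08-067 (KB958644).  Added example, not part of the FAQ.
Assumes builds at or above the quoted version on the same build line are
patched; Vista's several fixed 6.0.6000.xxxx builds are not enumerated here.
"""

# Non-affected versions as quoted in the FAQ (major, minor, build, revision).
FIXED_VERSIONS = {
    "win2000sp4": (5, 0, 2195, 7203),
    "winxpsp3":   (5, 1, 2600, 5694),
}


def parse_version(text):
    """'5.1.2600.5694' -> (5, 1, 2600, 5694); rejects anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected four dotted numeric fields, got %r" % text)
    return tuple(int(p) for p in parts)


def netapi32_status(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for a platform/version pair.

    Tuples compare field by field as integers, so 5.1.2600.999 is correctly
    ranked below 5.1.2600.5694 (a string compare would get this backwards).
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return "unknown"           # e.g. Vista: several fixed builds, not tabled
    version = parse_version(version_text)
    if version[:3] != fixed[:3]:
        return "unknown"           # a different major/minor/build line
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # constructed version strings
    for plat, ver in [("winxpsp3", "5.1.2600.5694"), ("winxpsp3", "5.1.2600.999"),
                      ("win2000sp4", "5.0.2195.7203"), ("vistasp1", "6.0.6000.16386")]:
        print(plat, ver, netapi32_status(plat, ver))
```

The version string itself would come from the DLL's file properties or a software inventory tool; the point of the helper is only the comparison, which is where ad hoc scripts usually go wrong.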

(c) Juha-Matti Laurio, Finland (UTC +2hrs)
The author has released several Microsoft Office 0-day vulnerability FAQ documents, e.g.
blogs.securiteam.com/index.php/archives/759
and Windows Vector Markup Language vulnerability FAQs
blogs.securiteam.com/index.php/archives/640
since 2006.

Revision History:
1.0 25-10-2008 Initial release
1.1 26-10-2008 Updated document and some minor fixes
1.2 26-10-2008 Major updates to Trojan section, added credits, information of non-affected dll versions and Snort rule reference
1.3 27-10-2008 Added information about the various file names and sizes, a separate Arpoc section and Nessus plugin reference and [UPDATED] to the title
1.4 27-10-2008 Several virus description release dates and IDs added, updated the summary to clarify the characteristics of the exploitation
1.5 28-10-2008 Added Microsoft Security Advisory #958963 link
1.6 29-10-2008 Added names to Arpoc Trojan section
1.7 03-11-2008 Updated the exploit/PoC section and added information about the worm exploiting the vulnerability
1.8 04-11-2008 Added names to RPC worm section, updated the summary
1.9 05-11-2008 Added information about Windows HOSTS file modification and new worm names

Credits: Microsoft, AV vendors, Prevx Malware Center


Vanity Search Attacks

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pitt, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they have figured out an interesting way to draw potential victims to their web site, one that is much easier than sending billions of spam email messages.
The idea is simple: take a person’s name (real people’s names are available for harvesting in places like linkedin, facebook, and other social networks) and put it in a web page. It doesn’t really matter where, as long as google indexes it.

Wait a while, and have that person google himself. Many people (myself included) have a ‘google alert’ on their name which sends them an updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive at the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the google cache). But none of this matters: as soon as the person reaches the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.

There are many advantages to this method. First, you are not restricted by the message: the web page can openly have the words Viagra, Credit card debt and mortgage assistance without the fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help” which sounds very much like a sincere, personal message, is a huge success. But this message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course, the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice looking web page, and wait for google to do the rest. No buying of email lists and no cost of sending spam (which is nowadays the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time google indexes and the user comes to the site). But due to the fact the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.


Facebook worm - and how long we have to wait for AV protection

The so-called Koobface case was covered in the IT news quite widely, but security mailing lists received the information on Thursday 7th August.

Kaspersky Lab reported the existence of the worm on 31st July. Hey, that’s more than a week ago, but it took several days until anti-virus protection was notable.

Notable anti-virus vendors have the following detections now:
(listed in alphabetical order)

BitDefender – Win32.Worm.KoobFace.A
Kaspersky Lab – Net-Worm.Win32.Koobface.b
McAfee – W32/Koobface.worm
Panda Security – Boface.A [Technical name: W32/Boface.A.worm]
Sophos – detected proactively as Mal/Heuri-D, Mal/Heuri-E, Mal/Emogen-N and Mal/Packer
Sunbelt Software – Net-Worm.Win32.Koobface.b
Symantec – W32.Koobface.A

There is no write-up available from F-Secure, Norman, TrendMicro etc. yet.

The AV industry knows the alias KoobFace too.

The size of the worm is 16 384-16 652 bytes. It is written in Visual C++ 6.0 and packed with UPX and Upack.
The second malware, attacking Facebook users since 7th Aug, is a Trojan horse (Sophos uses the name Troj/Dloadr-BPL), spreading as Google video links posted to the Wall, and is a separate issue.

It’s worth remembering, if you don’t see a detailed write-up from your own AV vendor later today, that it’s a DEFCON weekend and that Facebook has already started blocking these from its side.

But the protection - that’s what we need, with a delay of less than 4 or 5 days.


Pushdo analysis

Joe has a nice write up on the inner working of the Pushdo Trojan.

Pushdo is interesting since it was written for “future use” - i.e. it updates itself to obey its master’s latest needs and requests. It also has intelligence-collecting routines and in general shows how sophisticated the bad guys are getting.


Fake blogs and search engines

urls in this post should be considered as unsafe.

fake sites and se poisoning are nothing new. the use of blogs for this is far from new, either. thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

web spam is a subject i have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

a new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a google alert on my name.

i get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
this time around they really over-did it.

the page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

then the site shows the youtube video which can be found under my name.
following that is a post i made to a mailing list recently (poorly formatted).
then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

they finish the page off by adding comments, which are actually some old securiteam posts by me.

heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. their auto-creation tools seem to be getting more impressive, and i believe we will see much improved believable sites, soon.

google blog search displays this site as (nasty words replaced with beep):

gadi evron
2 sep 2007
gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. teen cherry action - nice brunette teen beeped hard on the bed and getting a beepy beepshot. beep beeping boy beep teen legs, …
untitled - h ttp://n ewadult.celeberia.com/

url:
h ttp://n ewadult.celeberia.com/sun-shine

again, i am unsure if these urls are safe.

for those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). then of course, there is advertising and google ads.
it works. and the advertising space on unrelated key words is a plus.

the concept is very similar to comment spam. comment spam may not contribute to se ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. nofollow is crap, and what shows up when you search is what matters.

as an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://sunshine.livejournal.com/8859.html for the example).

he left a url for his legitimate python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘a jew in a german camp’ (about the ccc camp in germany). he is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

gadi evron,
ge@beyondsecurity.com.


ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3’s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.: http://www.afilias.info/
icann: http://www.icann.org/
the internet society: http://www.isoc.org/
shinkuro, inc.: http://www.shinkuro.com/

it’s going to be an interesting next week here at the swamp. attendees better show up with their two forms of id. :)

gadi evron,
ge@beyondsecurity.com.


Vulnerability Scanner