Virus

Anything related to viruses, Trojans and backdoors.

Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

Submarine patent torpedoed …

For some years I have been peripherally involved (hired to research prior art, etc.) in some of the submarine patent/patent troll cases in the AV world.

I’ve got plenty of prior art.  Programs demonstrating and using technologies that were granted patents years after those programs were available.  Email discussions showing that concepts were obvious and well-known years before patent applications were filed.

Of course, as the “expert” I’m not privy to the legal strategy.  But I can figure it out.  US patent office issues patent that never should have been granted.  Troll sues Big Firm for $100M.  BF’s lawyers go to IP law firm.  IP lawyers find me.  IP lawyers ask me for the weirdest (and generally weakest) evidence.  IP lawyers go back to BF’s lawyers.  BF’s lawyers go back to BF.  (At this point I’m not privy to the discussions, so I’m guessing.  But I suspect that …)  IP and BF lawyers advise that evidence available, but patent fight expensive.  BF offers troll $100K to go away.  Troll happy with $100K, which is all he wanted anyway.  BF lawyers happy with large (and now more secure) salaries.  IP lawyers happy with $1M fees.  BF happy to have “saved” $99M.  The only person not happy is me.

Well, Kaspersky got sued.  Kaspersky fought.  Kaspersky won.

So, today I’m happy.  (I just wish I’d been part of *this* fight …)

(By the way, patent trolls cost money …)

Flame on!

I have been reading about the new Flame (aka Flamer, aka sKyWIper) “supervirus.”

[AAaaaarrrrrrggggghhhh!!!!!!!!  Sorry.  I will try and keep the screaming, in my “outside voice,” to a minimum.]

From the Telegraph:

This “virus” [1] is “20 times more powerful” than any other!  [Why?  Because it has 20 times more code?  Because it is running on 20 times more computers?  (It isn’t.  If you aren’t a sysadmin in the Middle East you basically don’t have to worry.)  Because the computers it is running on are 20 times more powerful?  This claim is pointless and ridiculous.]

[I had it right the first time.  The file that is being examined is 20 megabytes.  Sorry, I’m from the old days.  Anybody who needs 20 megs to build a piece of malware isn’t a genius.  Tight code is *much* more impressive.  This is just sloppy.]

It “could only have been created by a state.”  [What have you got against those of us who live in provinces?]

“Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats.”  [So?  We had RATs that could do that at least a decade ago.]

“… a Russian security firm that specialises in targeting malicious computer code … made the 20 megabyte virus available to other researchers yesterday claiming it did not fully understand its scope and said its code was 100 times the size of the most malicious software.”  [I rather doubt they made the claim that they didn’t understand it.  It would take time to plow through 20 megs of code, so it makes sense to send it around the AV community.  But I still say these “size of code” and “most malicious” statements are useless, to say the least.]

It was “released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.”  [Five years?  Good grief!  This thing is a pretty wimpy virus!  (Or self-limiting in some way.)  Even in the days of BSIs and sneakernet you could spread something around the world in half a year at most.]

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”  [Yeah.  Like “not reproducing.”]

“The file, which infects Microsoft Windows computers, has five encryption algorithms,”  [Gosh!  The best we could do before was a couple of dozen!]  “exotic data storage formats”  [Like “not plain text.”]  “and the ability to steal documents, spy on computer users and more.”  [Yawn.]

“Components enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus …”  [Gee!  You mean like a botnet or something?]


Sorry.  Yes, I do know that this is supposed to be (and probably is) state-sponsored, and purposefully written to attack specific targets and evade detection.  I get it.  It will be (marginally) interesting to see what they pull out of the code over the next few years.  It’s even kind of impressive that someone built a RAT that went undetected for that long, even though it was specifically built to hide and move slowly.

But all this “supervirus” nonsense is giving me pains.


[1] First off, everybody is calling it a “virus.”  But many reports say they don’t know how it got where it was found.  Duh!  If it’s a virus, that’s kind of the first issue, isn’t it?

Ad-Aware

I’ve used Ad-Aware in the past, and had it installed on my machine.  Today it popped up and told me it was out of date.  So, at their suggestion, I updated to the free version, which is now, apparently, called Ad-Aware Free Antivirus+.  It provides for real-time scanning, Web browsing protection, download protection, email protection, and other functions.  Including “superfast” antivirus scanning.  I installed it.

And almost immediately removed it from the machine.

First off, my machine bogged down to an unusable state.  The keyboard and mouse froze frequently, and many programs (including Ad-Aware) were unresponsive for much of the time.  Web browsing became ludicrous.

There are some settings in the application.  For my purposes (as a malware researcher) they were inadequate.  There is an “ignore” list, but I was completely unable to get the program to “ignore” my malware zoo, even after repeated efforts.  (The interface for that function is also bizarrely complex.)  Granted, I’m kind of a non-typical user.  However, the other options would be of little use to anyone.  For the most part they were of the “on or off” level, and provide almost no granularity.  That makes them simple to use, but useless.

I’ve never used Ad-Aware much, but it’s disappointing to see yet another relatively decent tool “improved” into non-utility.

Michelangelo date

OK, having now had this conversation twice, I’ve gone back to the true source of all wisdom on all things viral, “Viruses Revealed.”  I got it off my shelf, of course, but some helpful vxer (who probably thought he was going to harm our sales) posted it on the net, and saved David and me the bother.  (Remember, this guy is a vxer, so that page may not be entirely safe.)

Michelangelo is covered between pages 357 and 361, which is slightly over halfway through the book.  However, since I guess he’s missed out the index and stuff, it turns out to be at about the 3/4 mark on the page he’s created.

Anyway, Michelangelo checks the date via Interrupt 1Ah.  Many people did not understand the difference between the MS-DOS clock and the system clock read by Interrupt 1Ah.  The MS-DOS DATE command did not always alter the system clock.  Network-connected machines often have “time server” functions so that the date is reset to conform to the network.  The year 1992 was a leap year, and many clocks did not deal with it properly.  Thus, for many computers, the 6th of March came on Thursday, not Friday.

Michelangelo

Graham Cluley, of Sophos and Naked Security, posted some reminiscences of the Michelangelo virus.  It brought back some memories and he’s told the story well.

I hate to argue with Graham, but, first off, I have to note that the twentieth anniversary of Michelangelo is not tomorrow (March 6, 2012), but today, March 5.  That’s because 1992 was, as this year is, a leap year.  Yes, Michelangelo was timed to go off on March 6th every year, but, due to a shortcut in the code (and bugs in normal computer software), it neglected to factor in leap years.  Therefore, in 1992 many copies went off a day early, on March 5th.
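As an added illustration of the leap-year point made here and in the “Michelangelo date” post above (this is not code from either post, and not the virus’s own code), here is a Python model of a clock that never inserts 29 February, compared with a correct clock, showing on which real calendar day a “fire on 6 March” check would pass.  The model assumes the clock was set correctly on 1 January and then simply counted days with 28-day Februaries.

```python
from datetime import date, timedelta

# Michelangelo's payload date, as stated in the post: 6 March, any year.
TRIGGER_MONTH, TRIGGER_DAY = 3, 6

# Constructed model of a leap-year-unaware clock: it never inserts 29 February.
MONTH_LENGTHS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def naive_clock_reading(real_date: date, set_on: date) -> tuple:
    """(month, day) the naive clock reports on real_date, assuming it was set
    correctly on set_on and has counted days since with 28-day Februaries only.
    Year roll-over is ignored because only month and day feed the check."""
    month, day = set_on.month, set_on.day
    for _ in range((real_date - set_on).days):
        day += 1
        if day > MONTH_LENGTHS[month - 1]:
            day, month = 1, month % 12 + 1
    return month, day


def would_trigger(month: int, day: int) -> bool:
    """The date test described in the post: passes only when the clock reads 6 March."""
    return month == TRIGGER_MONTH and day == TRIGGER_DAY


def first_trigger_date(year: int, naive: bool) -> date:
    """First real calendar day of `year` on which the check passes, for a clock
    set correctly on 1 January of that year (assumption of this model)."""
    set_on = date(year, 1, 1)
    for offset in range(366):
        real = set_on + timedelta(days=offset)
        m, d = naive_clock_reading(real, set_on) if naive else (real.month, real.day)
        if would_trigger(m, d):
            return real
    raise RuntimeError("no trigger day found")


if __name__ == "__main__":
    for year in (1992, 1993):
        for naive in (True, False):
            hit = first_trigger_date(year, naive)
            kind = "leap-unaware clock" if naive else "correct clock"
            print(f"{year} {kind:18}: fires on {hit.isoformat()} ({hit:%A})")
```

In 1992 the leap-unaware clock reads 6 March on the real Thursday, 5 March; in 1993 (not a leap year) both clocks agree on Saturday, 6 March.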

March 5th, 1992, was a rather busy day for me.  I was attending a seminar, but kept getting called out to answer media enquiries.

And then there was the fact that, after all that work and information submitted to the media in advance, and creating copies of Michelangelo on a 3 1/2″ disk (it would normally only infect 5 1/4″s) so I could test it on a safe machine (and then having to recreate the disk when I accidentally triggered the virus), it wasn’t me who got my picture in the paper.  No, it was my baby brother, who a) didn’t believe in the virus, but b) finally, at literally the eleventh hour (11 pm on March 4th) decided to scan his own computer (with a scanner I had given to him), and, when he found he was infected, raised the alarm with his church, and scanned their computers as well.  (Must have been pretty close to midnight, and zero hour, by that time.)  That’s a nice human interest story so he got his picture in the paper.  (Not that I’m bitter, mind you.)

I don’t quite agree with Graham as to the infection rates.  I do know that, since this was the first time we (as the nascent antivirus community) managed to get the attention of the media in advance, there were a great many significant infections that were cleaned off in time, before the trigger date.  I recall notices of thousands of machines cleaned off in various institutions.  But, in a sense, we were victims of our own success.  Having got the word out in advance, by the trigger date most of the infections had been cleaned up.  So, yes, the media saw it as hype on our part.  And then there was the fact that a lot of people had no idea when they got hit.  I was told, by several people, “no, we didn’t get Michelangelo.  But, you know, it’s strange: our computer had a disk failure on that date …”  That was how Michelangelo appeared, when it triggered.

I note that one of the comments wished that we could find out who created the virus.  There is strong evidence that it was created in Taiwan.  And, in response to a posting that I did at the time, I received a message from someone, from Taiwan, who complained that it shouldn’t be called “Michelangelo,” since the real name was “Stoned 3.”  I’ve always felt that only the person who wrote that variant would have been that upset about the naming …

PC Support Sites: Scams and Credibility

Just as 419-ers seem to have been permanently renamed in some quarters as “the Lads from Lagos”, I wonder if we should refer to those irritating individuals who persist in ringing us to offer us help (for a not particularly small fee) with non-existent malware as the “Krooks from Kolkata” (or more recently, the Ne’erdowells from New Delhi). It would be a pity to slur an entire nation with the misdeeds of a few individuals, but the network of such scammers does seem to be expanding across the Indian continent.

Be that as it may, I’ve recently been doing a little work (in association with Martijn Grooten of Virus Bulletin) on some of the ways that PC support sites that may be associated with cold-call scams are bolstering their own credibility by questionable means. Of course, legitimate businesses are also fond of Facebook likes, testimonials and so on, but we’ve found that some of these sites are not playing altogether nicely.

I’ve posted a fairly lengthy joint blog on the topic here: Facebook Likes and cold-call scams

David Harley CITP FBCS CISSP
ESET Senior Research Fellow