<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>marklon</title><link>http://blogs.msdn.com/marklon/default.aspx</link><description>This is a blog about security, coding and malware in no particular order.

I write as a techie who handles security escalations from about 1/3 of the world. I spend a lot of time talking to customers with compromised networks. </description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Measure and counter measure – malware and anti-malware</title><link>http://blogs.msdn.com/marklon/archive/2008/04/21/measure-and-counter-measure-malware-and-anti-malware.aspx</link><pubDate>Mon, 21 Apr 2008 23:04:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8415317</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8415317.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8415317</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8415317</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;There is a small, high-tech and rather geeky war going on and the battlefield is your PC. Like any war, each side is trying to learn from the other. This war is for the ownership of resources – and ultimately for money. Maybe most wars are. Let us look at some of the details.&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Much as it irritates users, sometimes the kindest thing that an administrator can do is to limit the ability of an unskilled user to harm themselves. There is also the corporate network to consider: the safety of the organization sometimes requires that individuals are limited. IE has features, which an administrator can set, that limit what the user can do. They are detailed here:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INDENT: 36pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;A class="" href="http://technet.microsoft.com/en-us/library/bb457144.aspx" mce_href="http://technet.microsoft.com/en-us/library/bb457144.aspx"&gt;&lt;SPAN style="COLOR: windowtext"&gt;&lt;FONT size=3&gt;http://technet.microsoft.com/en-us/library/bb457144.aspx&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INDENT: 36pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Malware can turn these same settings against the user, and it sometimes does. Let us consider a few of them and how malware has used them to protect itself rather than the user:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;FONT size=3&gt;&lt;B&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;Download signed ActiveX controls&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt; – disable that and pretty much every online virus scanner, which is itself a signed ActiveX control, will stop working.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Other settings let the administrator block downloads of particular file types, including .exe files, which stops the user fetching most of the “quick fix” malware removers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Sites can be added to the Restricted sites zone, where scripting and ActiveX are off by default; add the security vendors' sites to it and the user is effectively cut off from them.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;All of these can be set through local group policy as well, so a machine that is not in a domain is not exempt.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;We have seen malware doing these things lately. Of course, if the user is an admin (and home users generally are) then the changes can be reversed if the user knows how - but many home users do not.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;For quite a while, one tool in the arsenal of the techie removing malware has been to alter the rights on an executable with cacls (deny Everyone execute) so that it cannot run. The same trick has been used maliciously to block access to cmd.exe; the black hats have all the same tricks that we do.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
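&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The cacls trick in both directions, as an added PowerShell example (this is not code from the original post): Deny-Execute puts an explicit Deny ACE for Everyone on a file so that it cannot run, Test-DenyExecute reports whether such an ACE is present, and Remove-DenyExecute strips it again, which is what you need once malware has applied the same ACE to cmd.exe. The path C:\Windows\Temp\dropped.exe is a hypothetical sample chosen for the example.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;

```powershell
# Added example, not code from the original post: the cacls trick done in
# PowerShell, in both directions. An explicit Deny ACE for Everyone on the
# ExecuteFile right stops the file running for every account, Administrators
# included, because explicit Deny ACEs are evaluated before Allow ACEs.
# The remover puts it on a dropped binary; malware puts it on cmd.exe and
# the remover has to take it off again. C:\Windows\Temp\dropped.exe is a
# hypothetical path used only for this example.

$ExecuteRight = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Select-DenyExecuteRules {
    param($Acl)
    # Explicit Deny ACEs whose rights include ExecuteFile. Inherited ones are
    # skipped: they have to be removed on the parent directory instead.
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited -and
        (([int]$_.FileSystemRights -band $ExecuteRight) -ne 0)
    }
}

function Test-DenyExecute {
    param([string]$Path)
    # True when the file carries at least one such ACE.
    [bool](@(Select-DenyExecuteRules -Acl (Get-Acl -Path $Path)).Count -gt 0)
}

function Deny-Execute {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList 'Everyone', 'ExecuteFile', 'Deny'
    $acl.AddAccessRule($rule)
    # Set-Acl needs WRITE_DAC: own the file, or take ownership first
    # (takeown.exe /f path) when SYSTEM or TrustedInstaller owns it.
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-DenyExecute {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($rule in @(Select-DenyExecuteRules -Acl $acl)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Measure: stop a dropped binary running while you work out what it is.
Deny-Execute -Path 'C:\Windows\Temp\dropped.exe'
Test-DenyExecute -Path 'C:\Windows\Temp\dropped.exe'

# Counter-measure: give cmd.exe back after malware has locked it the same way.
$cmd = Join-Path $env:SystemRoot 'System32\cmd.exe'
if (Test-DenyExecute -Path $cmd) { Remove-DenyExecute -Path $cmd }
```

&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The Deny ACE is deliberately placed on Everyone rather than on a particular account, because that is what makes the trick bite an administrator too; the only way round it is to own the file (or take ownership) and edit the ACL, which is exactly what Remove-DenyExecute does.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;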
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The white hat community has stolen a trick or two in its turn. Anti-virus solutions increasingly hook the kernel's system service table (KiServiceTable, the SSDT) or overwrite function prologues, either to stop malware doing the same or to detect malware by getting underneath it. (On 64-bit Windows, Kernel Patch Protection treats SSDT and kernel code modification as tampering and bugchecks the machine, whoever did it.) One of the truisms of malware detection is that you can only trust the layer above you, because you have complete visibility of it. Conversely, it is hard to see what has happened below you, because it may be changing your behaviour without your knowing: a malicious kernel fooling a benign application. The phrase that we most commonly use is “He who hooks lowest wins”. Anti-virus and virus are both heading down the stack from userland to kernel and eventually to hypervisor level. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Malware tries to hide from antivirus programs and kills AV products when it can. Some AV software now uses stealth technology of its own to hide from malware, so as not to be killed or, more commonly, crippled so that it appears to work without actually blocking anything. It can be a challenge to work out whether a given subversion of the kernel is benign or malicious without a good rummage around in the debugger. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;So, we have measure and counter measure, each sharing the same tools. The legitimate software community has more resources but the malware industry has everything to play for. The balance shifts all the time and it may well be that user education and not technology has the most to contribute. Social engineering remains the number one way to compromise a system… and maybe limiting the user is the lesser of the two evils. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Of course, we have already done this in a small but important way: Protected Mode in IE7 on Windows Vista runs web content at low integrity, with fewer rights than the user who launched the browser. Most users never notice.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;We live in interesting times, my friends.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Signing off&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8415317" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/tools/default.aspx">tools</category></item><item><title>Please, put me out of a job here!</title><link>http://blogs.msdn.com/marklon/archive/2008/04/15/please-put-me-out-of-a-job-here.aspx</link><pubDate>Tue, 15 Apr 2008 20:31:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8398010</guid><dc:creator>marklon</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8398010.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8398010</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8398010</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Hello readers&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;I am sorry that I haven’t updated my blog for a while. It has been a bit of a busy time. Since there have been press releases and other people have blogged, I suppose that I can talk a bit about what I have been doing. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;As I have mentioned, I have been writing lots of training material. Microsoft have been working with Law Enforcement for a while and helping them to understand some of the deeply technical elements of the cybercrime landscape. This training is targeted at LE and, since I wrote a small part of it, I get to go meet a lot of policemen and talk to them… and that is really all that I can or will say about that.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Of course, I still help corporate customers who have malware or who have been hacked or who are in some other way compromised. No names and no pack drill here but there is one thing that I am seeing over and over and over. It has become so common that it is now the first thing that I look for.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Administrators should not browse the web or do their email using a domain admin account. They really, really, really should not do this on the domain controller. They should have a separate account with (at most) ordinary user rights that they use for this sort of activity. Ideally, they should do this from a Vista box, which is the hardest to compromise: Address Space Layout Randomization (ASLR) means that many memory-corruption exploits just crash the process harmlessly instead of running code. ASLR does nothing, of course, for a component the user chooses to download and run, which is exactly the case that follows.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;FONT size=3&gt;Of course, you already know this. I am sure that you always use the right account for the right job but not everyone does. Six malware cases in a row and I have found the same thing. It is late at night and the admin is bored. He starts browsing the web from the&amp;nbsp;(P)DC or a file server and looking for something to entertain him. He is looking for a fun game or a video (possibly a “saucy” one) and he has to download an ActiveX or a video codec. He downloads the unsigned component from some website somewhere and he gets owned. Better yet, because he is domain admin, his domain just got owned. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;FONT size=3&gt;In each of those cases, the malware was a bot that joined the machine to a botnet and the botherder didn’t apparently pay any special attention to the machine but that was sheer luck. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;FONT size=3&gt;So, I haven’t told you anything that you didn’t already know but if you pass on the word and someone in a branch office or a new hire or the guy covering for the admin while he is off with flu, well, then maybe his life will be a little easier, the black hats life a little harder and maybe, just maybe I will get some more sleep.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;FONT size=3&gt;Oh, and software vulnerabilities? I haven’t seen one of those exploited this year.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;FONT size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN style="COLOR: black; FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN"&gt;&lt;FONT size=3&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8398010" width="1" height="1"&gt;</description></item><item><title>Malware that wants to stay - Some passive protection tricks</title><link>http://blogs.msdn.com/marklon/archive/2008/03/20/malware-that-wants-to-stay-some-passive-protection-tricks.aspx</link><pubDate>Thu, 20 Mar 2008 22:31:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8327743</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8327743.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8327743</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8327743</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Hello again&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I wanted to talk about some of the things that malware does to make itself hard to remove. Most Trojans are designed to work on an average XP workstation and make assumptions based on that – which typically breaks servers in rather nasty ways.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I was recently looking at a piece of Russian-written malware implemented in VB6, a curious choice, and the developer had an odd coding style. It didn’t use a kernel mode rootkit, which is the more common approach, but relied on registry settings to do the dirty work. You might want to check these if you find yourself cleaning up a box:&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;* DisableSR = 0x00000001&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;If it is a 1, you can’t do a system restore. Simple enough to fix if you can edit the registry.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;* DisableTaskMgr = 0x00000001&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;* DisableRegistryTools = 0x00000002&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Except that you can’t, because he disabled the registry tools and Task Manager. Well, Task Manager is no great loss; Process Explorer from &lt;/FONT&gt;&lt;A href="http://technet.microsoft.com/en-us/sysinternals/default.aspx"&gt;&lt;FONT face="Times New Roman" color=#800080 size=3&gt;http://technet.microsoft.com/en-us/sysinternals/default.aspx&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face="Times New Roman" size=3&gt; will do the job at least as well. Disabling the registry tools is more of a problem, though less than it looks: the policy only stops regedit.exe (and, at value 2, its silent regedit /s import mode as well), not reg.exe, and because it lives under HKEY_CURRENT_USER it binds only the account whose profile is loaded. Another local account, a remote registry connection from a clean machine, or an offline edit of the hive all sidestep it.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;* RestrictToPermittedSnapins = 0x00000001&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;This was used to make MMC effectively useless: by default no snap-ins (perfmon, Event Viewer, SQL management and so on) are on the permitted list, so with the restriction on, none of them will load.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Disabling CMD.EXE is a pain when trying to remove malware, so he set the following registry value:&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;* DisableCMD = 0x00000001&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;That is especially problematical for some tools that rely on batch files and some security tools do since old school can sometimes be the only way of doing something.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;In this case, a few minutes work with WinPE was enough to rain on his parade but a bit of remote registry manipulation would have done the job just as well.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Hope that this helps someone&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8327743" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/tools/default.aspx">tools</category></item><item><title>Small glitch - MS08-017 for Office 2000 is not currently downloadable</title><link>http://blogs.msdn.com/marklon/archive/2008/03/12/small-glitch-ms08-017-for-office-2000-is-not-currently-downloadable.aspx</link><pubDate>Wed, 12 Mar 2008 18:29:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8170884</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8170884.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8170884</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8170884</wfw:comment><description>&lt;P&gt;Hi folks&lt;/P&gt;
&lt;P&gt;Just a quick heads up - we know that the link from the bulletin is broken. We had a problem with propagating out the file to the web farm (it is a big old webfarm) and so the file is not universally available just yet.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have a lot of operations guys running around looking at all sorts of things to get this fixed and it should be fine in a few hours.&lt;/P&gt;
&lt;P&gt;Sorry about the delay&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8170884" width="1" height="1"&gt;</description></item><item><title>Firewalls and old school attacks</title><link>http://blogs.msdn.com/marklon/archive/2008/03/07/firewalls-and-old-school-attacks.aspx</link><pubDate>Fri, 07 Mar 2008 23:55:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8106055</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8106055.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8106055</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8106055</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I saw a really old fashioned denial of service attack today. A customer was concerned that they were seeing odd ICMP packets. ICMP is the protocol used for pings. Very few system admins bother to monitor them because they are generally rather dull. However, they used to be (and apparently still is) a denial of service attack called “The ping of death”. Basically, it is an ICMP packet with a big old buffer full of nonsense added to the packet. It would cause a buffer overflow in kernel mode and it would be lights out for that system. It isn’t a common attack any more because it doesn’t work – we fixed the last of the vulnerable MS operating systems back in 2000. Most other operating systems fixed it before then. The other reason is that many organizations block pings at the firewall for almost all addresses. There isn’t really a downside to this; why would you want people outside your firewall to be able to ask systems if they are online? The requests are normally just ignored.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I was discussing the matter with my colleague Lesley who is much more network oriented than me – and a smart cookie as I believe that I have mentioned before. She commented that there were some very clever people who thought that firewalls had reached the end of their life. Now, my first thought was “Sure, you can have my firewall when you take it from my lifeless hands” but now I am not so sure. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Most attacks are not against the OS any more. Blackhats go for the applications (specially created documents/streams) or &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;the webserver (cross side scripting) or whatever. Sure, there have been some vulnerabilities that could have been exploited and people always look for more but that is not where successful attacks seem to be in practice.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Does that mean that it is safe to let any packet in? Would it be safe if every service on the network was 100% bullet proof? Well, no and no. It would be possible to flood the network even if nothing could be exploited. Anything that offers a degree of control is a help. There is also the question of disclosure. While security by obscurity is no security at all, it seems a gift to an attacker to let him know anything at all. There is a lot to be said for your company’s network &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;being a black box to the outside world. However, the conventional firewall is not that useful. A lot of nasty things can route through port 80. Some good things too such as SOAP or whatever it is called these days. Marketing comes up with the names. We called it RPC over HTTP among ourselves. A nasty thing is often just a good thing misused. A firewall is not much use there.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;NAT (network address translation) solutions have a lot going for them. To the outside world, you have a single address or a couple of addresses that represent some computers (probably) and have ports that represent something. No easy way of knowing what the ports represent. No easy way of knowing if 2 ports are on the same real system. No way of knowing what the topology is – and the conversation is set up by a request from the inside although some things have to be open such as email. So far so good.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;But does this mean the death of the DMZ? Do you just replace the firewalls with NATs? That isn’t so clear yet… but yes, maybe the conventional firewall has served its time.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8106055" width="1" height="1"&gt;</description></item><item><title>I passed my CISSP exam</title><link>http://blogs.msdn.com/marklon/archive/2008/03/05/i-passed-my-cissp-exam.aspx</link><pubDate>Wed, 05 Mar 2008 13:35:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8051722</guid><dc:creator>marklon</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8051722.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8051722</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8051722</wfw:comment><description>&lt;P&gt;Well, nothing like getting all of my news out of the way in one go. &lt;/P&gt;
&lt;P&gt;Because of my self imposed rule that all blogs must have some technical content:&lt;/P&gt;
&lt;P&gt;Most bots don't use hard coded IP addresses for their command and control mechanism. Sometimes the engine of the bot is passed the IP address as&amp;nbsp;a parameter but generally the malware does a DNS lookup. This helps the malware writer since it is fairly easy to kill a site and the DNS deref means that the site can be resurrected if WhiteHats take it down. However, it also gives us another tool. &lt;/P&gt;
&lt;P&gt;Back in the history of the internet, there was a time when it wasn't that hard to recall the IP addresses of all the sites that you used because there were perhaps 5. When there were 70 or so, people would download a list of sites and their IP addresses - the hosts file. Now we use DNS servers that look up any domain name, but Windows will use the address in the hosts file first. This file is at %SystemRoot%\system32\drivers\etc\hosts and is just a plain text file with no file name extension. So, if a bit of malware wants to connect to &lt;A href="http://www.mybadsite.com/"&gt;www.mybadsite.com&lt;/A&gt; and you add an entry to the hosts file pointing that name to 127.0.0.0 (remember that there is no place like home), then the malware will not be able to get commands or pass out information. That has largely broken it, buying you some time without otherwise breaking your infrastructure.&lt;/P&gt;
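An added example, not code from the original post: a small Python helper that parses hosts-file text (the file Windows consults before DNS), reports which command-and-control names are already sinkholed to a loopback address, and produces the entries still needed. The hosts content and the C2 names below are constructed for the example; the sinkhole address defaults to 127.0.0.1 (the post uses 127.0.0.0, which is in the same loopback block).

```python
r"""Hosts-file sinkholing check (added example, not from the original post).

Windows reads %SystemRoot%\system32\drivers\etc\hosts before asking DNS, so
an entry that maps a bot's command-and-control name to a loopback address
stops the bot from resolving it. Malware also edits this file, so the check
looks at what is already there before proposing new lines.
"""

import ipaddress

# Constructed sample hosts content: one legitimate internal entry, one name
# already sinkholed the way the post describes, one sinkholed to 0.0.0.0.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
192.0.2.10 intranet.example   # internal box
127.0.0.0 www.mybadsite.com
0.0.0.0 cdn.example
"""

# Constructed list of names a bot is known to look up (hypothetical).
SAMPLE_C2_NAMES = ["www.mybadsite.com", "intranet.example", "c2.example"]


def parse_hosts(text):
    """Map each lower-cased hostname to the address of its first entry.

    Line format: address, whitespace, one or more names; '#' starts a
    comment. Windows uses the first matching entry, so the first mapping
    for a name wins and later duplicates are ignored.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 1:
            continue  # an address with no names maps nothing
        address = fields[0]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed address: skip rather than trust it
        for name in fields[1:]:
            mapping.setdefault(name.lower(), address)
    return mapping


def is_sinkholed(mapping, name):
    """True when the name resolves to a loopback or unspecified address."""
    address = mapping.get(name.lower().rstrip("."))
    if address is None:
        return False
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def missing_sinkholes(text, c2_names, sink="127.0.0.1"):
    """Return the hosts-file lines needed to sinkhole every name in c2_names.

    A name that already maps to some other address gets a warning line,
    because the first entry wins and an appended sinkhole line would never
    take effect until the existing entry is removed.
    """
    mapping = parse_hosts(text)
    lines = []
    for name in c2_names:
        key = name.lower().rstrip(".")
        if is_sinkholed(mapping, key):
            continue
        if key in mapping:
            lines.append("# WARNING: %s already maps to %s; remove that entry first"
                         % (key, mapping[key]))
        lines.append("%s %s  # sinkholed C2 name" % (sink, key))
    return lines


if __name__ == "__main__":
    for line in missing_sinkholes(SAMPLE_HOSTS, SAMPLE_C2_NAMES):
        print(line)
```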
&lt;P&gt;&amp;nbsp;Signing off&lt;/P&gt;
&lt;P&gt;&amp;nbsp;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8051722" width="1" height="1"&gt;</description></item><item><title>Testing times</title><link>http://blogs.msdn.com/marklon/archive/2008/03/03/testing-times.aspx</link><pubDate>Mon, 03 Mar 2008 21:21:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8007330</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8007330.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8007330</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8007330</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Hello all&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I am sorry that I haven’t blogged for a while. It has been a bit of a busy time. After developing all that training (and I would love to be able to say who the audience were but I really can’t), I was on the receiving end of some for a change.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;It has been decided by the powers that be that accreditation is necessary for someone in my role. Ok, fair enough. I was offered the choice between all of the exams for MCSE+Security or CISSP. I enjoy exams rather less than root canal work so I went for the 1 rather than the many. In order to maximize my chances, I went on a weeklong cramming session in a training centre in central nowhere, Oxfordshire. A splendid Canadian called John Glover was teaching us and I am sure that he will not mind me saying that he has been around the block once or twice and knows where the bodies are buried.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;The CISSP exam is 6 hours long and covers a massive range of topics including but by no means limited to:&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Risk management&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Continuity planning&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Crisis management&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Ethics&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Law (and that is fun in a multinational)&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Encryption&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Access control&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Telephone systems – no, really&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;International Standards&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Physical Security&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I have never had to consider what sort of barrier would be most effective against explosives and whether a fondness for gambling was in and of itself reason why someone should be denied a contract.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;After the exam, I was sure that I had done a lot worse than the easy pass that I had in the mock and I was concerned that I had made a pig’s ear of it. The same was apparently true of pretty much everyone who has sat that exam so we shall see. If I have failed (a real possibility) then I will have publically revealed myself as a dope..&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;So, have I been busy learning about the latest malwares and controlling mass mailer worms rampaging through networks? Actually, no.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;We are not getting that many reports of new infections and I have mostly been looking at some hacks against the application layer – typically SQL injection attacks. These still seem as popular as ever but the focus has changed a little. We used to see a lot of web defacement cases from script kiddies and these are still not uncommon but more recently, the bulk of these attacks seem to be targeting PII (Personally Identifiable Information) which can then be used for identity theft or inserting links to malware in the hope of compromising the clients who visit the legitimate website. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;We have noticed a decrease in the number of malware cases coming to us over the last few months. I think that user awareness is a large factor; people are more reluctant to open strange executables. The anti-virus solutions are also getting better with updates often being daily. Whatever the reason, the business is changing.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Oh, there is also a small milestone to commemorate. According to Cenzic, Internet Explorer had the fewest reported vulnerabilities of any of the major web browsers. Firefox had 3 times as many and Opera nearly 4 times more that IE. Oh, and none of their top 10 vulnerabilities for the quarter were in MS products. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;That is the first time that has happened :-)&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Until next time&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8007330" width="1" height="1"&gt;</description></item><item><title>Security Updates - Are they the answer?</title><link>http://blogs.msdn.com/marklon/archive/2008/02/12/security-updates-are-they-the-answer.aspx</link><pubDate>Tue, 12 Feb 2008 16:23:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7642413</guid><dc:creator>marklon</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/marklon/comments/7642413.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=7642413</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=7642413</wfw:comment><description>&lt;P&gt;Ah, another “update Tuesday” – known to the rest of the world as “patch Tuesday” but we are not supposed to call it that.&lt;/P&gt;
&lt;P&gt;We have a fine crop of updates for you but I am not going to talk about those, partially because we won’t be releasing them for several hours and partially because that is the province of my much respected colleagues in the MSRC – you can always get the straight dope here: &lt;A href="http://blogs.technet.com/msrc/" mce_href="http://blogs.technet.com/msrc/"&gt;http://blogs.technet.com/msrc/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This month so far has been a fairly quiet time for me. We are seeing fewer new infections recently though the ratios of where this stuff comes from are pretty consistent. You might find the threat map at &lt;A href="http://www.threatexpert.com/" mce_href="http://www.threatexpert.com/"&gt;www.threatexpert.com&lt;/A&gt; to be an interesting read. &lt;/P&gt;
&lt;P&gt;The Storm botnet is recruiting again, this time with Valentine cards instead of Christmas cards or promises of applications to help you track football scores. A lot of people are now aware of the techniques used by this bot and infection rates seem to be dropping a little though it is a little hard to tell. Storm uses a peer to peer protocol for its command and control mechanism and so there is no one place to monitor the network. The packets look very much like eDonkey file share activity unless you know to look for the 40 byte encrypted packet at the start.&lt;/P&gt;
&lt;P&gt;On the subject of Storm, this is a malware that, in its most recent versions, has been very much based on social engineering. It is apparently remarkably easy to persuade people to install malware on their computers. No really, I am not making this up. Independent research shows that around 75% of malware on systems got there because a user installed it while under the impression that it was a good idea. Some of it is installed because a popup tells them that they need a video codec so they download an EXE file. Some of them respond to a popup saying that there is evidence of malware or visiting adult sites on their computer. They download the program to “fix” this problem and then the problems start. Now, you, gentle reader, I know that you would never fall for such blatant social engineering but consider your cousin, the person at the supermarket checkout, yourself when you were a kid still learning what you know now… well, they will. Not every unskilled user will fall for these tricks but enough will that it is a fertile recruiting ground. 75% of malware gets on systems this way. Who needs security vulnerabilities to spread malware?&lt;/P&gt;
&lt;P&gt;Is it heresy to say that on a patch Tuesday? Of course, vulnerabilities matter. Wormable vulnerabilities matter a lot. A corporate network can be taken down in less than an hour by an aggressive worm if there are no mitigations in place. Targeted attacks pretty much always use some vulnerability in software. Vulnerabilities matter a lot. Updates are critical. What they are not is all of the story. Many people seem to think that they are.&lt;/P&gt;
&lt;P&gt;One of the most common questions that I get asked when people learn what I do for a living is “Why don’t Microsoft make Windows more secure?” The answer is “We did. Look at Vista and Server 2008. We are. Look at the bulletin release schedule. Look at the malicious software removal tool.” I don’t generally say the next bit. We work very hard to improve security but we don’t have much control over the things that get exploited most often: People.&lt;/P&gt;
&lt;P&gt;Ah, but wait a minute, I hear you say. If vulnerabilities are not the be all and end all, why are there so few malwares on (insert name of alternate OS here). The answer to this is simple and I am far from the first to say it. Why do criminals rob banks? Well, that is where the money is. Malware used to be written for bragging rights. Now it is written for money. Either way, the malware writer wants as many systems as possible affected. 19 out of 20 desktop systems run some flavor of Windows. If I want to affect as many systems as possible, which do I attack? It is a no-brainer. You develop exploits for the biggest payoff.&lt;/P&gt;
&lt;P&gt;Does this depend on which system has the most vulnerabilities? No, not at all. If Linux had 5 times as many vulnerabilities as Windows (which I don’t think for a moment that it has) and you had a 100% success rate at compromising Linux desktops then you would have… 5% of the market. If you had a 10% success rate at compromising Windows systems then you have 9.5% of the market. It doesn’t make sense to go for Linux as a platform for malware.&lt;/P&gt;
&lt;P&gt;All that said, vulnerabilities in the OS are less of a factor all the time. A lot of exploits target applications these days. The antivirus product, the reader for one of the common formats like Flash or PDF or Java or whatever it is this month are at least as good a target. The people are at least as good a target. In fact, looking at the numbers, the people are 3 times better targets. We can’t make better people – and we don’t want to limit what people can do because people resent that. Look at the reputation that user access control in Vista has.&lt;/P&gt;
&lt;P&gt;It is a tricky problem. We can make better operating systems. We can not make better people. &lt;/P&gt;
&lt;P&gt;(Edited - The original said that we could make better people - so not what I meant)&lt;/P&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=7642413" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/updates/default.aspx">updates</category></item><item><title>Antimalware tools and tricks</title><link>http://blogs.msdn.com/marklon/archive/2008/01/21/antimalware-tools-and-tricks.aspx</link><pubDate>Mon, 21 Jan 2008 19:50:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7185825</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/7185825.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=7185825</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=7185825</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Ah, I am back in the office and settling into to my normal day to day work.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I am fairly often asked to remove malware from systems which the anti-malware programs on that particular PC system can’t handle. In fairness, it is often not the AV products fault. Most (more than 75%) of malware is actually installed by the users of the system after some social engineering. I know that none of you out there in blog land would do that sort of thing but it does happen. We have all downloaded drivers from the web, codecs from the web and utilities. It is easy enough to get it wrong and some of the Blackhats can make some very convincing webpages and emails that would fool your brother/mother/dentist. Anyway, that is how a lot of this nasty stuff gets on systems and one of the first things that it normally does is try to break the AV solution. Sometimes it succeeds.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;FONT size=3&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US&gt;I am yet to find an instance in which this has happened where the machine could not be cleaned up with the SysInternals tools and a little ingenuity. I know that I have mentioned this before but I hadn’t linked to the excellent video presentation by Mark Russinovich video: &lt;/SPAN&gt;&lt;SPAN style="mso-ansi-language: EN-GB"&gt;&lt;A href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359"&gt;&lt;FONT color=#800080&gt;http://www.microsoft.com/&lt;/FONT&gt;&lt;/A&gt;&lt;A href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359"&gt;&lt;FONT color=#800080&gt;emea/spotlight/sessionh.aspx?videoid&lt;/FONT&gt;&lt;/A&gt;&lt;A href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359"&gt;&lt;FONT color=#800080&gt;=359&lt;/FONT&gt;&lt;/A&gt;&lt;SPAN lang=EN-US&gt; &lt;/SPAN&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I would also like to mention a really good tool called Rootkit Unhooker. This was written by a Russian team who have since joined Microsoft. It is excellent for finding hijacks in the KiServiceTable, hidden files and processes, and similar rootkit techniques. If you work with malware on a regular basis and haven’t tried this tool then you might want to search it out. I have had considerable success with this tool where some others have not been as useful.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Anyway, hopefully I will be back to some more code related posts soon but thought that this tools update could prove useful.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=7185825" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/tools/default.aspx">tools</category></item><item><title>Don't you hate blogs which are updates with no technical content?</title><link>http://blogs.msdn.com/marklon/archive/2008/01/11/don-t-you-hate-blogs-which-are-updates-with-no-technical-content.aspx</link><pubDate>Sat, 12 Jan 2008 00:46:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7080053</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/7080053.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=7080053</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=7080053</wfw:comment><description>&lt;P&gt;I know that I do - but I don't want you to think that I have dropped off the face of the planet.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The honest truth is that I have been stuck on a long term project which I can't really talk about. It is not "scary secret, Die Hard 4.0" stuff but it is not something that I can share with my readers. However, I was called in on an interesting case.&lt;/P&gt;
&lt;P&gt;A customer found that his FTP server was being repeatedly hit by requests from odd IP addresses - all of them attempts to log in. One request would be from Prague and the next would be from Turkey. It was clear from the pattern of names that this was some form of dictionary attack. Abigail would follow Abe who followed Aaron even though the attempts were from far apart - oh, and separated by perhaps half a second. This is typical of a botnet though they rarely attack FTP servers since it is not a high profit activity compared to some other uses.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Tracing the IP addresses, they were generally from home systems. You might wonder how I could tell that. Well, in truth, there was more than an element of guesswork in it. I can say that they were normally registered with ISPs who cater for home users and they were on slower links. They generally had few if any exposed services. It is a pretty safe bet that they were home systems.&lt;/P&gt;
&lt;P&gt;As for where the botnet was located, that is a harder question and I can only guess but most of the addresses were in the Middle East or Eastern Europe and the names that it was trying were typical of Jewish names - a lot of Isaacs and Rachels and Abrahams in there. A bit of research showed that what I was seeing was a typical pattern for this botnet and that it was being used to harvest information when possible.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A more interesting question for the customer who had the server was what he could do about it. The answer, sadly, is not a lot. He could appeal to law enforcement, who are probably already doing all that they can to find the botherder, and whitelist the addresses that he knows on the firewall.&lt;/P&gt;
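&lt;P&gt;The distributed dictionary attack described above, as an added example that is not part of the original post: a small Python detector run over constructed FTP log lines. The "timestamp source_ip username result" layout, the documentation-range addresses and the usernames are all constructed here, not the customer's data. Rather than counting attempts per source address, which a botnet defeats by design, it keys on what Mark noticed: wordlist order and sub-second spacing across unrelated addresses.&lt;/P&gt;

```python
"""Detector for the distributed FTP dictionary attack described above.

Added example, not code from the original post. The log layout below is a
constructed one: one login attempt per line, "timestamp source_ip username
result". The tell-tale sign is that usernames walk through a wordlist in
alphabetical order, a fraction of a second apart, while each attempt comes
from a different, unrelated address. Per-IP rate limits never trip on
that; the order and timing of the usernames do.
"""
from collections import namedtuple

Attempt = namedtuple("Attempt", "ts ip user result")

# Constructed sample traffic (documentation-range addresses, not real IPs).
# Lines 1-6: the botnet pattern. Lines 7-9: a normal user. Lines 10-14: a
# single-source brute force, which ordinary per-IP limits already catch.
SAMPLE_LOG = """\
1200000000.00 192.0.2.10 aaron FAIL
1200000000.40 198.51.100.7 abe FAIL
1200000000.95 203.0.113.22 abigail FAIL
1200000001.50 192.0.2.77 abraham FAIL
1200000002.10 198.51.100.130 adam FAIL
1200000002.55 203.0.113.5 adrian FAIL
1200000400.00 192.0.2.200 bob OK
1200000401.00 192.0.2.200 bob OK
1200000402.00 192.0.2.200 bob OK
1200000500.00 203.0.113.99 carol FAIL
1200000500.50 203.0.113.99 chris FAIL
1200000501.00 203.0.113.99 clare FAIL
1200000501.50 203.0.113.99 colin FAIL
1200000502.00 203.0.113.99 craig FAIL
"""


def parse_log(text):
    """Parse the constructed log layout into Attempt tuples sorted by time."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, ip, user, result = parts
        attempts.append(Attempt(float(ts), ip, user.lower(), result))
    return sorted(attempts, key=lambda a: a.ts)


def find_distributed_runs(attempts, min_len=5, min_ips=3, max_gap=2.0):
    """Return runs of failed logins that look like one shared wordlist.

    A run is a chain of consecutive failed attempts where every username
    sorts at or after the previous one (wordlist order), each attempt
    follows the previous within max_gap seconds, and the chain is spread
    across at least min_ips distinct source addresses. Chains from a
    single address are deliberately not reported here.
    """
    runs = []
    chain = []

    def flush():
        sources = {a.ip for a in chain}
        if len(chain) >= min_len and len(sources) >= min_ips:
            runs.append({
                "start": chain[0].ts,
                "end": chain[-1].ts,
                "attempts": len(chain),
                "sources": len(sources),
                "first_user": chain[0].user,
                "last_user": chain[-1].user,
            })
        chain.clear()

    for attempt in attempts:
        if attempt.result != "FAIL":
            flush()  # a successful login breaks the chain
            continue
        if chain:
            prev = chain[-1]
            in_order = attempt.user >= prev.user
            close_enough = max_gap >= attempt.ts - prev.ts
            if not (in_order and close_enough):
                flush()
        chain.append(attempt)
    flush()
    return runs


if __name__ == "__main__":
    for run in find_distributed_runs(parse_log(SAMPLE_LOG)):
        print(run)
```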
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The botnets are out there and they never sleep.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;More updates after next week when I am back in the office and doing my normal job again. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=7080053" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/botnets/default.aspx">botnets</category></item><item><title>Silent but not dead</title><link>http://blogs.msdn.com/marklon/archive/2007/11/29/silent-but-not-dead.aspx</link><pubDate>Thu, 29 Nov 2007 22:00:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:6601295</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/6601295.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=6601295</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=6601295</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Hello all&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I am sorry that I haven’t updated this blog for a while. I haven’t forgotten, just been busy on other things, most of which I can’t talk about to preserve customer confidentiality. In fairness, most of them were not that interesting in any case.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I have been giving some presentations recently. I was with the “Get Safe Online” tour and spoke to a small audience who seemed to find the information useful. I also gave a talk on Cyberstalking and keeping teens and older preteens safe online. If anyone would like the slide deck, I would be happy to share it. Just drop me a mail.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;At present, I am head down at my desk writing training materials and editing it based on reviews – it is hard work and interesting but hardly the sort of thing to provide material for a blog.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I hope to have something a bit more substantial in the next few days after I have broken the back of this job.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=6601295" width="1" height="1"&gt;</description></item><item><title>Doing it yourself.</title><link>http://blogs.msdn.com/marklon/archive/2007/10/26/doing-it-yourself.aspx</link><pubDate>Fri, 26 Oct 2007 22:22:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5695106</guid><dc:creator>marklon</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5695106.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5695106</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5695106</wfw:comment><description>&lt;P&gt;Hello again&lt;/P&gt;
&lt;P&gt;Two blogs in less than 48 hours? Whatever could be happening? No, this is not a reference to the issue documented in http://www.microsoft.com/technet/security/advisory/943521.mspx which is interesting but certainly not widely exploited in Europe. No, today I would like to relate what I did on Wednesday night.&lt;/P&gt;
&lt;P&gt;I was helping a friend redecorate – our American cousins would call it home improvements but we would call it "Do It Yourself". Now, I am a firm believer in having the right tools so I stopped off on the way to get sandpaper, sugar soap, flexible sanding blocks, disposable gloves, the whole nine yards. I was sure that I was well equipped for the job at hand. This turned out not to be the case.&lt;/P&gt;
&lt;P&gt;While I was sanding down the paintwork, I had an odd request from one of the two daughters. Could I remove IE from the home PC as it was popping up a lot of windows and they preferred Firefox in any case. Uh, pop-up ads? I went to have a look. Adware was opening a new "message from our sponsors" every 20 seconds or so. Not so good. The PC was also responding very slowly indeed and a quick check showed that an invisible instance of IE was using 1.5GB of memory – rather more than the system had.&lt;/P&gt;
&lt;P&gt;I have removed malware from quite a few systems but I normally go armed with some very specific tools and all that I had here was a sanding block and rather slow access to the internet. So, I had to improvise and here are some of the things that I did – I relate them here in case you ever have the need to do the same.&lt;/P&gt;
&lt;P&gt;The first thing that I did was check if there was an antivirus solution installed and whether it was current. The engine of the AV was older code but still valid (Sorry, Mr Lucas) and the signatures were current. It had blocked a Trojan the day before and didn’t seem disabled. The event logs showed that it had been removing threats on a fairly regular basis for a couple of years. The system was XP SP2 in an indifferent update state and had 4 users (father, mother, 2 daughters), all admins. A scan from the AV product (intentionally nameless, not OneCare) reported that all was well when manifestly it was nothing of the sort. &lt;/P&gt;
&lt;P&gt;Terminating IE resulted in an immediate relaunch, apparently explicitly as it was not the default browser on that system. Hmm. Not a BHO then. A malicious Browser Helper Object can certainly do some interesting things to a loaded instance of IE but not launch a copy when there is no loaded copy of IE to host it. Clearly we were looking at another process. I started killing off processes trying to get down to a manageable list so that I could find the rogue and lo… I got to a state where there were a reasonable number of processes and they were all identifiable as harmless. So, either a legitimate process had been hijacked in some way (unlikely) or there was a hidden process – which strongly suggested a rootkit.&lt;/P&gt;
&lt;P&gt;I downloaded RootkitRevealer from Sysinternals (now a part of MS) and ran that. Sadly, it came back saying that all was well. The MS Malicious Software Removal Tool said that there was no malware on the box. All the while, some hidden process was kicking off instances of IE as if there were no tomorrow.&lt;/P&gt;
&lt;P&gt;Since the automated approaches had failed, I decided to use a more manual approach and pulled down the whole SysInternals suite. I was mainly after Process Explorer and Autoruns but show me tools and I am like a big kid. I want them all!&lt;/P&gt;
&lt;P&gt;So, I started with Autoruns. If you are not familiar with the tool, it looks for every way of starting a process when Windows starts, lists those applications and enables you to disable them – it also lists some in-process components too which was useful. There were a couple of known Trojan droppers in the startup so I took them out. There were a lot of legitimate helper processes which seem very common on home machines. iTunes needs &lt;I&gt;these&lt;/I&gt; and some other media player needs &lt;I&gt;those&lt;/I&gt; and pretty soon it all looks very cluttered. Anyway, I disabled some of the more obviously malicious entries and rebooted. The system came back in very much the same state – with IE instances spawned over and over and many of the removed startup entries back. Interesting.&lt;/P&gt;
&lt;P&gt;I started in with Process Explorer and there were multiple instances of Internet Explorer. I terminated one and back it came – damn. Oh, hang on, the launching application flashed up for a moment. I checked and there was no sign of the launching process in the list; it showed up as the parent only for a moment after the new instance of IE popped up and then disappeared. Interesting again. I tried a few more times and managed to get the path of the executable – which was off the "My documents" pseudo-folder in a directory with a random name that didn’t show up in Explorer when browsing but would open if I gave Explorer the full path. Time to dig deeper.&lt;/P&gt;
&lt;P&gt;The executable was packed and there were no strings to mention when I opened it with Notepad, though Process Explorer was able to make more of the strings in memory of the process – quite handy when looking at malware. Yes, this used all the APIs that I would expect for what it was doing. Ok, now I had a file to look at and that was a good step forward. Now, because it was already pretty late in the day by then and I was representing a member of the public, I felt no shame at all in using &lt;A href="http://www.virustotal.com/"&gt;&lt;U&gt;&lt;FONT color=#0000ff&gt;www.virustotal.com&lt;/FONT&gt;&lt;/U&gt;&lt;/A&gt; which can be a very handy site indeed. You can upload a file and they will pass it against a bunch of anti-malware applications and give you the results. I sent the file to the site and that started to give me results in less than 30 seconds… you have to like that. 50% of the scanners came back with nothing detected and the remainder all came back with generic results basically saying that they thought that the file was bad but didn’t have a specific classification. This normally means that it is waiting in a queue for some human to look at. That is pretty common with new malware or new variants of old malware but unfortunately that meant that I had no specifics of how to remove the cursed thing.&lt;/P&gt;
&lt;P&gt;Ok, back to basics. Delete the file. Nope. File is in use, can’t delete or rename. Right. The process is hidden by a rootkit but the cover is not perfect and although it doesn’t appear in the process list, I can get the process ID when it hands it to a new instance of IE as parent. Using that, I killed the process and went to delete the file. Again, it was locked. A bit more poking around with Process Explorer showed that another hidden process was respawning the first one.&lt;/P&gt;
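&lt;P&gt;The hidden-parent observation in the paragraph above, as an added example that is not code from the original post: a Python check over constructed process-table snapshots in a "pid ppid name" layout of the sort Process Explorer shows. The process names and PIDs are constructed for illustration. A parent that is merely missing from the table is weak evidence on Windows, because a process keeps its recorded parent PID after the parent exits; the check below looks for the stronger sign, a missing PID that keeps being the parent of freshly created processes.&lt;/P&gt;

```python
"""Finding the hidden parent that keeps respawning IE, as described above.

Added example, not from the original post. It works on constructed
process-table snapshots in a "pid ppid name" layout. On Windows a process
keeps its recorded parent PID after the parent exits, so a parent that is
simply absent from the table is weak evidence (explorer.exe below is such a
legitimate orphan). What gives a rootkit-hidden process away is that the
same missing PID keeps turning up as the parent of processes that did not
exist in the previous snapshot: an exited parent cannot create children.
"""
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed snapshots taken a few seconds apart, after killing the
# visible iexplore.exe each time. PID 980 (userinit) exited normally and
# left explorer.exe as an ordinary orphan. PID 1337 is never listed, yet
# every replacement iexplore.exe records it as its parent.
SNAPSHOT_TEXT = [
    """\
4 0 System
420 4 smss.exe
600 420 csrss.exe
1000 980 explorer.exe
2200 1337 iexplore.exe
""",
    """\
4 0 System
420 4 smss.exe
600 420 csrss.exe
1000 980 explorer.exe
2316 1337 iexplore.exe
""",
    """\
4 0 System
420 4 smss.exe
600 420 csrss.exe
1000 980 explorer.exe
2480 1337 iexplore.exe
2500 1000 notepad.exe
""",
]


def parse_snapshot(text):
    """Parse one "pid ppid name" listing into Proc tuples."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append(Proc(int(parts[0]), int(parts[1]), parts[2]))
    return procs


def missing_parents(snapshot):
    """Weak check: parent PIDs referenced but not present in one snapshot.

    On its own this mixes genuine orphans with hidden parents, so it is
    only a starting point.
    """
    visible = {p.pid for p in snapshot}
    return {p.ppid for p in snapshot if p.ppid != 0 and p.ppid not in visible}


def hidden_spawners(snapshots):
    """Strong check across consecutive snapshots.

    Returns {ppid: [(snapshot_index, pid, name), ...]} for every parent PID
    that is absent from the table yet is recorded as the parent of a
    process that was not present in the preceding snapshot. PID reuse can
    fake this over long intervals, so keep the snapshots close together
    and confirm with a second enumeration method before acting.
    """
    suspects = defaultdict(list)
    previous = set()
    for index, snap in enumerate(snapshots):
        visible = {p.pid for p in snap}
        if index > 0:
            for p in snap:
                is_new = p.pid not in previous
                parent_hidden = p.ppid != 0 and p.ppid not in visible
                if is_new and parent_hidden:
                    suspects[p.ppid].append((index, p.pid, p.name))
        previous = visible
    return dict(suspects)


if __name__ == "__main__":
    snaps = [parse_snapshot(t) for t in SNAPSHOT_TEXT]
    print("missing parents in first snapshot:", missing_parents(snaps[0]))
    print("hidden spawners:", hidden_spawners(snaps))
```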
&lt;P&gt;I shifted my attention to this newly discovered process and found that I couldn’t delete it because the first process looked after it in the same way – a sort of mutual protection process. I might have been able to write an app to terminate both processes and delete the files but I didn’t have any development tools here – it was just a home PC. Anyway, it would have been a race condition with no synchronization.&lt;/P&gt;
&lt;P&gt;Deleting the registry keys that started it on boot was pointless because they came right back – it turned out that it had a thread waiting on the key to restore it. &lt;/P&gt;
&lt;P&gt;All in all, quite a clever defense. However, it always launched the user mode processes under the context of the logged on user so that the spawned IE instance would appear on the desktop, which made sense. Because all the users were admins (like most home users) this is a good solution for malware. I managed to break it in a reversible way by dropping down to a command shell and using cacls to deny the launching user access to the IE executable. That caused the first user mode malware process to crash with an access violation (AV) because it didn’t have any error checking and assumed that the API would succeed. The second process turned out to be very much the same and when I changed the rights on the first malware exe, it crashed. I could now pretty much break the user mode components at will.&lt;/P&gt;
&lt;P&gt;The kernel mode process was a little tougher but the same basic approach worked and it failed to load on startup.&lt;/P&gt;
&lt;P&gt;I would still strongly recommend rebuilding the system but I was unable to find any problems after the service was disabled. It is amazing what you can do with publicly available free tools. &lt;/P&gt;
&lt;P&gt;The malware will be submitted to the companies that failed to recognize it – including Microsoft. It is just a shame that I didn’t get more sanding done but Do-It-Yourself malware removal is useful too. I have to thank Christie and Sherry for letting me get this new malware submitted.&lt;/P&gt;
&lt;P&gt;Until next time!&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=5695106" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category></item><item><title>You can't get the staff – Social engineering</title><link>http://blogs.msdn.com/marklon/archive/2007/10/24/you-can-t-get-the-staff-social-engineering.aspx</link><pubDate>Wed, 24 Oct 2007 19:17:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5653744</guid><dc:creator>marklon</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5653744.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5653744</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5653744</wfw:comment><description>&lt;P&gt;Sometimes I like to talk about software engineering but today I would like to ramble on about a different subject: Social engineering. &lt;/P&gt;
&lt;P&gt;Social engineering is a common technique for getting malware on systems and of course, for Phishing. The “419 scam” (named after the section of the Nigerian penal code which addresses fraud schemes) is the best known but it is widely practiced in all parts of the world and not just internet Cafés in Lagos. I would like to look at one that I had only this morning:&lt;/P&gt;
&lt;P&gt;“CONTACT OUR FIDUCIARY AGENT !!!&lt;/P&gt;
&lt;P&gt;UK NATIONAL LOTTERY&lt;BR&gt;Support Center&lt;BR&gt;Bevan House&lt;BR&gt;51 Bevan Avenue&lt;BR&gt;Conwy LL28 5AF&lt;BR&gt;United Kingdom.&lt;BR&gt;&amp;nbsp;&lt;BR&gt;DEAR WINNER,&lt;BR&gt;We are pleased to inform you of the announcement today,22th October 2007, of winners of the UK NATIONAL LOTTERY, Held on 24th October 2007 in Croydon,London.Your email address was attached to ticket number 023-0148-790-459, with serial number 5063-11 drew the lucky numbers 43-11-44-37-10-43, and consequently Won you the lottery in the 3rd category.You have therefore been approved for a lump sum pay Of £500,000.00 Great British Pounds(GBP) in cash credited to file REF NO. UKNL/26510460037/07. This is from total prize money Of £2,000,000.00 Great British Pounds(GBP) shared among the four International winners in this category.&lt;BR&gt;To file for your claim, please contact our fiduciary Agent;&lt;BR&gt;&amp;nbsp;&lt;BR&gt;Mr DAVID WALTER.&lt;BR&gt;#999 Edgware Road,&lt;BR&gt;London W2 1EY&lt;BR&gt;United Kingdom.&lt;BR&gt;Email: &lt;A href="mailto:claimsagent907@yahoo.co.uk" mce_href="mailto:claimsagent907@yahoo.co.uk"&gt;claimsagent907@yahoo.co.uk&lt;/A&gt;&lt;BR&gt;TELEPHONE: +447xxxxxxxxxx&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;BR&gt;&amp;nbsp;.&lt;BR&gt;Sincerely,&lt;BR&gt;Dr paul white&lt;BR&gt;Zonal Co-ordinator”&lt;/P&gt;
&lt;P&gt;Ok, the title is odd. Who would naturally entitle such a mail using the word “FIDUCIARY”? Also, in a quick credibility check, why would a fiduciary officer (a much glorified accountant and financial controller) handle claims when they have a claims department? So, that doesn’t seem right.&lt;/P&gt;
&lt;P&gt;That address has been used in at least a dozen other scams. How hard would it be to find another address? Sloppy work. A moment of research and this mail is blown sky high.&lt;/P&gt;
&lt;P&gt;Hmm… they know my email address and not my name? They can’t even guess? Not from &lt;A href="mailto:Mark.Long@Microsoft.com" mce_href="mailto:Mark.Long@Microsoft.com"&gt;Mark.Long@Microsoft.com&lt;/A&gt;? I know that giving my email address like that will probably harvest SPAM but that is OK :-) It will go with the rest.&lt;/P&gt;
&lt;P&gt;They announced the result of the draw on the 24th back on the 22nd? Sounds crooked to me.&lt;/P&gt;
&lt;P&gt;Grammar alert! My email address drew the lucky numbers? All by itself? How clever is that?&lt;/P&gt;
&lt;P&gt;The lucky numbers include 2 number “43”s – I am no expert but don’t numbers have to be unique? How would you tick 43 on the form twice?&lt;/P&gt;
&lt;P&gt;“and consequently Won you the lottery in the 3rd category” – uh, pardon? 3rd Category? And why is there a capital “W”?&lt;/P&gt;
&lt;P&gt;Observe the sequence of random numbers and letters. The intent is to seem very specific. So, they don’t know my name but they have the number of the ticket and the serial number of the ticket? Not convinced.&lt;/P&gt;
&lt;P&gt;“This is from total prize money Of £2,000,000.00 Great British Pounds(GBP) shared among the four International winners in this category.” – the strange capitalisation continues. International winners? I am not that international, being snug and safe here in Reading. The national lottery is not the international lottery in any case. Additionally, what are the odds of the totals and the share being such round numbers?&lt;/P&gt;
&lt;P&gt;# before the number? American convention, not used here in Blighty.&lt;/P&gt;
&lt;P&gt;What is the second address for? Am I supposed to write to both of them? Edgware road? Really? For those not from these shores, Edgeware road (note the difference in spelling) is a well known London street and it is equally known for its underground station (one of the 7/7 bombing sites) and links Marble Arch and Edgeware. The street number given was actually that of a rather good Middle Eastern restaurant but I don’t think that is significant.&lt;/P&gt;
&lt;P&gt;The email address is at Yahoo.co.uk? And this guy has at least 906 colleagues? Do Camelot (who run the lottery) use free email accounts these days? It must be because of the 906 people giving away all of the money. These mails normally have a free email account associated with them and it is normally different to the email address in the mail header – it was in this case too. Watch out for &lt;/P&gt;
&lt;P&gt;Of course, they could need to use free email accounts because they have a PhD writing their mails. That can’t be cheap. Possibly his degree is in poetry specialising in e.e.cummings since they seem to have the same approach to capitalisation. Another expense must be the mobile phone number given - all UK numbers starting with 7 are mobile (cell) phones.&lt;/P&gt;
&lt;P&gt;Zonal? If our friend claims agent 907 is a zonal co-ordinator, how many zones do they have?&lt;/P&gt;
&lt;P&gt;Really. C-, must try harder.&lt;/P&gt;
&lt;P&gt;So, this was a very unremarkable bit of Phishing SPAM. Next time, I will be looking at some of the mails used to spread the Storm Trojan which is often incorrectly called the Storm Worm. It isn’t a worm although it does use SPAM as part of attempts to enlarge the botnet.&lt;/P&gt;
&lt;P&gt;Oh, on a final note, I am looking at a cube note (a bit of paper dropped on my desk) claiming that an AI called Testaccount23 has escaped and is living at &lt;A href="http://test23account.spaces.live.com/" mce_href="http://test23account.spaces.live.com/"&gt;http://test23account.spaces.live.com&lt;/A&gt; – I smell a viral campaign. However, I am not sure that is within my remit :-)&lt;/P&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=5653744" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>Malware: mitigating maladies might matter</title><link>http://blogs.msdn.com/marklon/archive/2007/10/17/malware-mitigating-maladies-might-matter.aspx</link><pubDate>Wed, 17 Oct 2007 20:40:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5495878</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5495878.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5495878</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5495878</wfw:comment><description>&lt;FONT color=#333333&gt;
&lt;P&gt;Well, another update Tuesday done and dusted. We are not supposed to use the word "Patch"&lt;/P&gt;
&lt;P&gt;So, the question that I left you with was what could be done to make it safer to run on a compromised computer; that is to ask how could you mitigate the risks?&lt;/P&gt;
&lt;P&gt;The answer is that it very much depends on the malware in question. Let us consider what would happen with some common types. In each case, I will be assuming that the type is pure and has no function other than that stated – a little unrealistic, I know.&lt;/P&gt;
&lt;P&gt;Adware. This is pretty common stuff. It pops up pages advertising various goods or services, often adult in nature and is normally associated with a malicious Browser Helper Object in IE or a Plug-in under Firefox. Adware typically has little effect on applications that don’t use the browser although you might be surprised what does. HTML help? Hosted in ShDocVw. That could load malware into a custom application but it is unlikely that the Adware would do anything sensible injected into another process. It might well crash an application though – indeed, the first malware I ever looked at was doing just that. The Adware could have additional functionality making it not a pure Adware component, of course. Is it safe to have it in your process? No. It could be very unsafe if your application is web based.&lt;/P&gt;
&lt;P&gt;Spyware. These monitor user action, normally in a limited context such as search strings and keystrokes. A lot of them are browser based. Many of them include an adware component. Spyware tends to replace more of the system functionality but for the sake of clarity, let us assume that we are only talking about spyware that monitors and possibly redirects input in the browser. Well, in that case, all the caveats for Adware apply and some more. It wouldn’t be hard to write a bit of spyware that looked at all WM_CHAR messages processed in a browser window. For a web-based application, this could represent a huge leak of confidential information. For a non-web based app, it would again be less of a threat. Hooking into the HTML help would probably only send out search strings that users were entering against the help. That is probably not all that worrying but Spyware has the power to be much more dangerous than Adware – not at all safe.&lt;/P&gt;
&lt;P&gt;Remote Admin Tools. Ouch. These are typically classed as Trojans and range from relatively simple bots which churn out bulk mail and are only controllable to a limited degree to more flexible apps that allow file transfer and command lines to be passed. It is pretty easy for a BlackHat controlling one of those to insert a more complete admin tool (several commercially available) to allow proxying of the GUI – oh, and Blackhats rarely pay license fees. Just one of those things. If one of the more flexible ones is running then pretty much all bets are off because it can do pretty much anything that a local admin could do. How much will this affect a given application? It is difficult to say as these are the most variable of malware types. Worst case, your database could change under you, your data could be snooped. Best case? You run slow because you are competing with an application which is churning out SPAM.&lt;/P&gt;
&lt;P&gt;Keyloggers. Nasty things, keyloggers and all too common. Go to eBay and hardware and software keyloggers are freely (and legally) available – and there is no way for software to find hardware keyloggers. They generally hook in at kernel level and log all keystrokes. That would steal a lot of data from pretty much any application, browser based or not. It could steal credit card numbers, log-ons or whatever else. There is not much mitigation that is possible against these.&lt;/P&gt;
&lt;P&gt;Not much? Well, nothing directly. However, 2 factor authentication is helpful against these. Ok, a Blackhat could still grab the credentials to log on to your banking application but unless they exploit them on the original system with the second factor present then they have taken less than they otherwise would.&lt;/P&gt;
&lt;P&gt;Viruses? We don’t see those so much these days and they have limited functionality typically. They want to be small and that means that they are fairly simple. It is a similar deal with Worms though they often drop Trojans.&lt;/P&gt;
&lt;P&gt;So, is there something that mitigates against all of these? Yes, as it happens, there is :-) All of these except Adware need to be able to contact somewhere else to do their damage. They need to get out of the local area network and onto the world wide web. A great many companies very sensibly have great protection against packets from outside coming in. Most companies are more relaxed about requests going out. &lt;/P&gt;
&lt;P&gt;What does most malware do if it can’t call home? Very little. Remote Admin tools sit idle. Keyloggers send their data nowhere (although beware of those that email the collected data). Spyware reports nothing to no-one.&lt;/P&gt;
&lt;P&gt;Good protection against threats coming in can prevent infection. Good protection against data going out can be a good mitigation.&lt;/P&gt;
&lt;P&gt;Until next time, signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;/FONT&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>Can you break Law #1 and get away with it?</title><link>http://blogs.msdn.com/marklon/archive/2007/09/24/can-you-break-law-1-and-get-away-with-it.aspx</link><pubDate>Mon, 24 Sep 2007 18:20:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5099614</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5099614.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5099614</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5099614</wfw:comment><description>&lt;P&gt;To save you scrolling down, let me restate Law #1 of the immutable laws of security:&lt;/P&gt;
&lt;P&gt;"&lt;FONT face=Arial size=2&gt;If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"&lt;/P&gt;
&lt;P&gt;Is there any possibility that it is safe to do business with a computer that has malware on it? The blanket answer is "no – there is no way to be sure". Like all generalizations (irony by design), this is not wholly true. Malware comes in many forms and not all malware will affect all aspects of system operation. If you know exactly what the malware does then it may be possible to still trust the machine to some degree. If you know that the malware just pops up unwanted advertising and has no other function at all then it is probably fine to still accept a low value online order from that customer. If the system has a keylogger which records credit card details then it might be perfectly safe for you to accept the order but very dangerous for the user to place it. So, the more accurate answer to the question would be "In general, no, it is not safe. In some specific cases, it may be".&lt;/P&gt;
&lt;P&gt;So, the follow-on question is "Can you determine programmatically whether it is safe or not?"&lt;/P&gt;
&lt;P&gt;This is, I think, a better question. However, the answer is unfortunately "Almost certainly not".&lt;/P&gt;
&lt;P&gt;"Why do I say that?", I imagine you asking. I will be delighted to answer (I am easily pleased). The reason is twofold. The first is that you can’t tell what a bit of detected malware does without extensive reverse engineering. The second is that any machine (other than one in isolation that has been built from known clean sources) could be compromised with malware that hides well. One thing that rootkits do is hide. If something has modified system behavior below the level at which you run, the results of any investigation that you do is suspect – API calls can be subverted by malware. No automated or manual process can guarantee that there is no malware on a system because absence of evidence is not evidence of absence. &lt;/P&gt;
&lt;P&gt;The logical conclusion is that since no real world machine is 100% safe, we must regard them all as wholly unsafe. However, that is logical rather than sensible. In reality, we must accept a level of risk from the systems that run our applications. Where possible, we must mitigate the risks. We should always recognize them even if we cannot mitigate against them.&lt;/P&gt;
&lt;P&gt;In my next post, I will be talking about mitigation strategies.&lt;/P&gt;&lt;/FONT&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category></item></channel></rss>