Wednesday, January 16, 2008

P.S. I Love You

Also up on Trend Micro blog

Valentine's Day (Feb 14th) is a day originally named after two Christian martyrs who died over 1700 years ago. Nowadays of course it is a day of love, happiness and men frantically trying at the last minute to find a florist that still has roses in stock. Since the 19th century's introduction of greeting cards, Valentine's Day has become more commercialised, and for many companies is a huge source of revenue. Not known for being slow on the uptake, the malware industry has for years taken advantage of this holiday to huge effect. With less than a month to go (and with the obvious culprits already jumping the gun), here is a short look back down memory lane at the Valentine's Day malware of the 21st century:

2007: WORM_NUWAR.AAI

Storm was again the culprit here, with an email containing a large set of subjects. This was back before Storm really started to use links to sites with vulnerabilities, so attachments such as "Greeting card.exe" were the attack vector. An interesting trick used by the malware was to randomly generate the email address in the From field so that it appeared to come from one of a long list of girls' names, everything from "Aldora" to "Zilya". Maybe the authors thought that men would be the only ones foolish enough to open the attachment. Judging by the growth of the Storm botnet around that time, it appears they were right.

2006: WORM_BAGLE.EW

Spread via email with subjects such as "Will You Be My Valentine?" and "Love you with all my heart!", this threat also included one of three romantic poems, and a background full of images of the classic Valentine's Day heart, to entice the user to open the attached "love_me.exe".

2005: WORM_KIPIS.E

Another mass-mailer with all the normal trimmings. Although it had normal attachments with names like "Valentine.exe", other names such as "porno_03.exe" were kind of missing the point of the holiday.

2003: TROJ_CUPIDCARD.A

This was actually a piece of adware instead of a mass-mailing worm. In addition to the normal adware behaviour, it would launch a clean file called "VALSDAY.EXE" that showed the following e-card.

2002: VBS_NUMGAME.A

Want to play a game? No, it's not another awful SAW movie, but a good ol' fashioned threat from the days before we even thought of the word "cybercrime". Posing as a number-guessing game (hence the clever name) from your Valentine, this nasty little thing proceeded to reset the system date... oh, and also delete the contents of the hard drive.

2001: VBS_VALENTIN.A

Another "old style" threat, with a payload triggered on the 14th of February. All files on the machine are overwritten by a love note written in Spanish by the author professing his love for "Davinia, the most beautiful girl in the world". The author assures users not to worry, as their files have not been infected by a virus, merely "sacrificed for the love I feel for Davinia". Not very comforting, to be honest.

So remember folks, although the Storm crew have already got the show on the road, they won't be the only ones. So if you receive a romantic email over the next couple of weeks from an address you don't recognise (or one that you do, for that matter), for your sake I really do hope it's from the Brad Pitt/Angelina Jolie lookalike who started last week at the desk opposite yours.

However, it might be an idea to just play it safe and delete it. After all, if they really did want to be your Valentine, they would be down at the florist's frantically trying to buy those last roses.


Monday, January 7, 2008

Ethical XSS Worm?

Also posted to Trend Micro site

Over on Sla.ckers.org a security researcher who uses the handle RSnake (aka Robert Hansen) has proposed a competition (due to end Jan 10th) to create the smallest self-propagating XSS worm possible. Cross-site scripting (XSS) is a type of vulnerability in web applications which allows an attacker to inject code into the web pages viewed by other users.

There have been previous examples of XSS worms in the wild. The most famous is probably "Samy is my Hero", which affected MySpace, but recently I wrote about another threat which targeted Google's social network, Orkut.

RSnake's idea is that by promoting the writing of such a worm, it will better help researchers to protect against them. This idea opens up the same debate that started in 2003 when Professor John Aycock of the University of Calgary, in Canada, announced that a module on "Computer Viruses and Malware" would be taught in his course. The issue divided security experts back in 2003, and it's likely RSnake's challenge will do the same. On one side of the fence we have people who argue that "The better we understand something, even if we radically disagree with it, the more likely we are to provide effective mechanisms to counteract it." (Ken Barker, Head of Calgary Computer Science Dept). The other argument of course is that we do not need to actually create malicious code in order to understand how it works.

This debate will not wrap up anytime soon, with both sides making interesting points. There is no doubt, however, that XSS attacks are a major security concern for web users today, and will continue to increase going forward. So far we have been lucky that the majority of XSS worms have been non-malicious in their motives (with the exception of JS_YAMANER.A). Unfortunately I doubt that this trend will continue in the future.


Wednesday, January 2, 2008

Storm gets some new toys for Christmas

Crossposted to Trend Micro blog

The latest wave of Storm (See previous posts here, here, here and here) has thrown up some interesting new techniques to make analysis even more difficult.

HIDDEN LINKS

The first is quite a clever technique, specifically targeted at any security companies monitoring the Storm botnet. When looking at the latest web page used by the threat we noticed a number of commented-out HTML hyperlinks:
<!-- a href="fck2008.exe" -->
<!-- a href="fck2009.exe" -->
These in turn were followed by a small fragment of JavaScript:

<script language="javascript">
document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%5F%32%30%30%38%2E%65%78%65%22%3E%0D%0A' ) );
</script>click here

When decoded, this JS directs the user to download from

<a href="http://www.blogger.com/happy_2008.exe">

The two commented-out links are obviously being used to fool any automated crawlers used by security companies. Most crawlers will check all of the Storm pages for any presence of links (a href) and follow these links to download new samples. A normal victim will access the site, be completely unaware of the commented-out links, and download the actual binary (happy_2008.exe). However, the crawler may not see the obfuscated link, and instead access the two fake ones.

At this point the attackers know that they are dealing with a "non-legitimate" user and can block their IP, launch a DDoS attack against them, or even serve them an older version of the threat so that the automated crawler does not think the threat has updated.
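To show what a crawler has to do to avoid this trap, here is a small JavaScript link extractor written as an added example for this post (it is not code from the original article or from Trend Micro). It strips HTML comments before looking for links, so the commented-out decoys are never followed, and it statically decodes document.write(unescape('...')) payloads without executing the script. The sample page is constructed to resemble the fragments quoted above; the function names are my own.

```javascript
// Constructed sample resembling the fragments quoted in the post
// (not the real Storm page content).
const SAMPLE_HTML = [
  '<html><body>',
  '<!-- a href="fck2008.exe" -->',
  '<!-- a href="fck2009.exe" -->',
  '<script language="javascript">',
  "document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%5F%32%30%30%38%2E%65%78%65%22%3E%0D%0A' ) );",
  '</script>click here</a>',
  '</body></html>',
].join('\n');

// What a naive crawler does: grab every href="..." token in the raw source,
// comments included. This is exactly what the decoy links exploit.
function naiveHrefs(html) {
  const out = [];
  const re = /href\s*=\s*"([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// A browser never renders anything inside <!-- ... -->, so neither should we.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Re-implementation of the classic unescape() rules (%XX and %uXXXX) in one
// pass, so a decoded '%' can never be decoded a second time.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull the string literal out of every document.write(unescape('...')) call and
// decode it statically; no script is executed.
function decodeUnescapeWrites(html) {
  const decoded = [];
  const re = /document\.write\s*\(\s*unescape\s*\(\s*'([^']*)'\s*\)\s*\)/gi;
  let m;
  while ((m = re.exec(html)) !== null) decoded.push(jsUnescape(m[1]));
  return decoded;
}

// Links a real visitor would actually see: comments removed, script blocks
// replaced by the markup they would have written.
function effectiveHrefs(html) {
  const visible = stripComments(html);
  const written = decodeUnescapeWrites(visible).join('\n');
  const withoutScripts = visible.replace(/<script[\s\S]*?<\/script>/gi, '');
  return naiveHrefs(withoutScripts + '\n' + written);
}

// Links only a naive crawler would follow: the decoys worth flagging, since
// fetching them tells the site operator that a crawler is visiting.
function decoyHrefs(html) {
  const real = new Set(effectiveHrefs(html));
  return naiveHrefs(html).filter((h) => !real.has(h));
}

console.log('naive crawler would fetch:', naiveHrefs(SAMPLE_HTML));
console.log('a visitor would see:      ', effectiveHrefs(SAMPLE_HTML));
console.log('decoys (do not fetch):    ', decoyHrefs(SAMPLE_HTML));
```

On the sample, the naive pass returns the two fck*.exe decoys, the rendered view returns only happy_2008.exe, and the difference is a useful signal in its own right: a page whose commented-out links differ from its rendered links is trying to fingerprint crawlers.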


ROOTKIT IMPROVEMENTS

Previous versions of the Storm family have had two components: an .exe that does the main work, and a .sys file to hide it. The latest version, however, has done away with the .exe, and all operations are now carried out by the .sys file alone. Previously researchers have been able to disable the .sys file, hence preventing the threat from hiding its activities. This is no longer an option, as disabling the .sys file disables the entire threat.

In addition, while anti-rootkit tools such as IceSword still reveal the call hooked by the rootkit (which can then be unhooked), the threat has been upgraded to stop IceSword (and others) revealing what processes, ports, files etc. it is hiding, again targeted specifically at making an analyst's job more difficult. To make things even more fun, the .sys file now has a new random name every time a machine is infected.

Neither of these techniques has any real additional effect on the normal victim of the attack, but by making analysis more difficult the authors obviously aim to maximize their malware's infection window.

And here I was thinking it would be a quiet first week back to the office after the holidays :(
