Recently in Research Category

There seem to be quite a few of these in circulation over the past day or so:

Download the latest version! <URL Removed>

About this mailing:
You are receiving this e-mail because you subscribed to
MSN Featured Offers. Microsoft respects your privacy.
If you do not wish to receive this MSN Featured Offers e-mail,
please click the "Unsubscribe" link below. This will not
unsubscribe you from e-mail communications from third-party
advertisers that may appear in MSN Feature Offers.
This shall not constitute an offer by MSN. MSN shall
not be responsible or liable for the advertisers' content
nor any of the goods or service advertised. Prices and item
availability subject to change without notice.

2008 Microsoft | Unsubscribe <http://www.msn.com>  |
More Newsletters <http://www.msn.com>  |
Privacy <http://www.msn.com>

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


As you might have guessed, it's fake. Microsoft doesn't send out e-mails asking you to download files from random, non-Microsoft websites. This:

ie71.jpg

....is not what it appears to be. Run the file, and instead of IE7, you're actually more likely to see a fake antivirus program appear on your desktop:

top106.jpg


By the time you see this, it's probably too late.  This threat is also known to send the user fake infection alerts to provoke the victim into buying the product.  It also utilizes the Sysinternals fake Blue Screen of Death screen saver to scare the victim.  As you can see below, several options have been removed from the Desktop Properties window to hinder users from restoring the default settings.

background.png

This particular product is detected by us as Fake.AV, and is also being pushed quite heavily via the recent CNN videos scam. You can see another example of these emails here. There is more than one URL being used for this attack, so be alert!

Additional Research: Chris Mannon, Senior Threat Researcher

Sysda Act

Oh hi there.  Apologies for the Whoopee movie reference, but it's hard to come up with something catchy.  This latest threat coming through the Facetime Security Labs steals passwords related to Chinese sites.  This is not really a threat to most businesses in the US, but judging from the malware trend coming from China and spreading to the rest of the world, I'd say it's only a matter of time before we start seeing the same method of theft.  This new threat has been named Sysda.  Sysda lies dormant until a certain site is navigated to, generally the page where a user attempts to change their password for that site.  After that it simply posts the information back to the attacker.  Users should be on the lookout for a file called "sysdajchv.dll".  All it really needs is to hook into iexplore.exe to steal your user credentials.

crack.PNG
The above illustrates that Sysda is attempting to steal login credentials to Sohu.com.  Whether this is simply a new way to phish for information, or something more sinister along the lines of fraud, is still unclear at this point.  I'll let you know what I find out.

SoundBot Exploits Network Vulnerabilities

Hey there.  It is time for another thrilling adventure into the world of security threats.  This time I'll be going over a worm we like to call SoundBot.  This worm has the potential to leak sensitive information to the attacker about the victim's network infrastructure.  It manages to do this by not only blocking many of the security applications designed to detect it, but also by using legitimate processes that make removal difficult.

The main culprit in this infection is a file called Soundman.exe.  If you see this file on your computer, don't panic just yet.  It's also a legitimate process.  Here are some things you should watch for:

One of the first things SoundBot does is disable any type of program that would detect or remove it.  It uses two separate methods to do this.  When installed, it disables several legitimate services related to security applications such as:
kmailmon.exe
kavstart.exe
shstat.exe
runiep.exe
360safe.exe
360tray.exe
cacls.exe
ccenter.exe
rav.exe
iris.exe
vpcmap.exe
vmsrvc.exe
vmusrvc.exe

It also sets up Image File Execution Options to make sure if the processes are restarted they are ineffective.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
...360safe.exe
...360safebox.exe
...360tray.exe
...CCenter.exe
...KPPMain.exe
...KWatch.exe
...QQDoctor.exe
...QQKav.exe
...RavMon.exe
...RavMonD.exe
...safeboxTray.exe
AND finally,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe    Debugger    "SoundMan.exe"

This shows us that Soundman.exe is run instead of ctfmon.exe whenever ctfmon.exe is executed.  This is an effective way of making sure the worm file is run, and it removes the need for an Autostart value (autostart entries being one of the common investigative techniques used when attempting to pinpoint the actual infection in a forum environment).
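Spotting this kind of Debugger redirection is mostly a matter of enumerating the Image File Execution Options subkeys and listing the ones that carry a Debugger value. The Python script below is an added example, not code from the original post or from FaceTime: it parses a registry export (a .reg file) and reports every IFEO subkey with a Debugger value. The ctfmon.exe entry in the embedded sample mirrors the value quoted above; the 360tray.exe entry and its path are constructed placeholders, and the notepad.exe entry is there only to show that IFEO subkeys without a Debugger value are not flagged.

```python
import re

# Root of the key the post discusses.
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of a regedit / `reg export` file. The ctfmon.exe line mirrors
# the value quoted in the post; the 360tray.exe Debugger path is an invented
# placeholder standing in for the "make the security tool ineffective" trick.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="SoundMan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\PLACEHOLDER\\nonexistent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# Quoted-string (REG_SZ) values only; backslash and quote are escaped with a backslash.
_STR_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}.
    Only string values are kept, which is all this check needs."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            keys[current][name] = raw.replace('\\\\', '\\').replace('\\"', '"')
    return keys


def find_ifeo_debuggers(text):
    """Return (image_name, debugger) for every IFEO subkey carrying a Debugger value."""
    hits = []
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(IFEO_PREFIX.lower() + '\\'):
            continue
        if 'Debugger' in values:
            image = path.rsplit('\\', 1)[1]
            hits.append((image, values['Debugger']))
    return hits


if __name__ == '__main__':
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f'{image} is redirected to: {debugger}')
```

On a live machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and open the file with `encoding='utf-16'`, which is what regedit and reg.exe write. A Debugger value is legitimate only when an administrator deliberately attached a debugger to an image, so any entry pointing at something that is not a debugger deserves a closer look.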


soundman.PNG

This is a closer look at the actual worm file.  Upon closer inspection of Soundman.exe we see that it is iterating through a common network structure looking for open ports.  This gives the attacker certain advantages when/if he ever decides to infiltrate the victim's network.

endpoint.PNG

The above picture depicts just exactly what is going on while Soundman.exe is running.  It makes ARP requests and epmap requests throughout the entire network looking for potential holes.

A malware infection just wouldn't be a malware infection unless it phoned home to install numerous other infections.  SoundBot is no different.  It contacts a site to download a .jpg file that is no mere picture file.  It is actually a collection of download links to more bad files.

jpg2.PNG
The final blow to this worm is dealt by another file that poses as a legitimate process.  It creates a service called "helpsvc" related to another file that initializes soundman.exe.

helpsvc.PNG
Network administrators should look for any unnecessary or suspicious traffic happening on their network as explained above.  If you suspect your organization is under attack from this threat, then I suggest using our handy MicroScanner!
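The "unnecessary or suspicious traffic" to look for here has a simple shape: one host sending ARP requests and epmap (TCP/135) connection attempts to a large number of distinct peers in a short time. The Python below is an added example, not part of the original post or any FaceTime product: it runs that check over a constructed list of flow records, where 10.0.0.5 plays the infected host sweeping the subnet and 10.0.0.9 is an ordinary workstation. The threshold of eight distinct targets is an assumption chosen for the sample and should be tuned to the network.

```python
from collections import defaultdict

EPMAP_PORT = 135  # RPC endpoint mapper, the service the post shows Soundman.exe probing


def _constructed_flows():
    """Constructed flow records (src, dst, proto, dst_port); not captured traffic."""
    flows = []
    for i in range(1, 21):
        # Infected host walks the /24 with an ARP who-has and an epmap probe per address.
        flows.append(('10.0.0.5', f'10.0.0.{i}', 'arp', None))
        flows.append(('10.0.0.5', f'10.0.0.{i}', 'tcp', EPMAP_PORT))
    flows += [
        ('10.0.0.9', '10.0.0.1', 'arp', None),   # ordinary gateway lookup
        ('10.0.0.9', '10.0.0.2', 'tcp', 443),    # ordinary web traffic
        ('10.0.0.9', '10.0.0.2', 'tcp', 445),    # ordinary file share access
    ]
    return flows


SAMPLE_FLOWS = _constructed_flows()


def sweep_sources(flows, min_targets=8):
    """Return {src: distinct_target_count} for hosts that sent ARP or epmap
    requests to at least min_targets distinct peers (the host's own address
    is ignored). Other traffic is not counted at all."""
    targets = defaultdict(set)
    for src, dst, proto, port in flows:
        if src == dst:
            continue
        if proto == 'arp' or (proto == 'tcp' and port == EPMAP_PORT):
            targets[src].add(dst)
    return {src: len(peers) for src, peers in targets.items() if len(peers) >= min_targets}


if __name__ == '__main__':
    for src, count in sweep_sources(SAMPLE_FLOWS).items():
        print(f'{src} probed {count} distinct hosts with ARP/epmap requests')
```

Feeding this real data is a matter of mapping whatever your flow exporter or packet capture produces onto the same four-tuple; the point is that counting distinct destinations per source, rather than raw packet volume, is what separates a sweep from a busy but normal host.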








MSNAgent attempts to hide from security analysts


Recently I came across a threat facing MSN messenger users that employs extremely devious means of infection.  The actual executable for this MSN worm is hidden in a .jpg file.


picture.PNG

The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.
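Both the SoundBot download list above and this MSNAgent dropper rely on a file named .jpg not being what its name says. The check a practitioner wants is to classify a file by its content rather than its extension. The Python below is an added example, not code from the original posts: it recognises a JPEG by its FF D8 FF marker, a Windows executable by its MZ header and the PE signature at e_lfanew, and a plain-text list of download links, then flags any .jpg whose content is not a JPEG. All three sample files are constructed inline; the URLs use the reserved .invalid domain.

```python
import re
import struct

JPEG_MAGIC = b'\xff\xd8\xff'


def classify(data):
    """Classify file content by what it contains, not by its name."""
    if data.startswith(JPEG_MAGIC):
        return 'jpeg'
    if len(data) >= 0x40 and data[:2] == b'MZ':
        # e_lfanew (offset 0x3c) points at the PE signature in a Windows executable
        e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
        if data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00':
            return 'pe-executable'
        return 'dos-executable'
    try:
        text = data.decode('ascii')
    except UnicodeDecodeError:
        return 'unknown'
    if re.search(r'https?://', text):
        return 'text-with-urls'
    return 'text'


def extension_mismatch(name, data):
    """True when a file named like a JPEG does not actually contain one."""
    ext = name.rsplit('.', 1)[-1].lower()
    if ext in ('jpg', 'jpeg'):
        return classify(data) != 'jpeg'
    return False


def suspicious_files(files):
    """Names of the files (name -> bytes) whose extension lies about their content."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


def _fake_pe():
    """Constructed minimal PE shell: MZ header with e_lfanew pointing at 'PE\\0\\0'.
    It is not a runnable program, just enough header for the check to recognise."""
    hdr = bytearray(0x48)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3c, 0x40)
    hdr[0x40:0x44] = b'PE\x00\x00'
    return bytes(hdr)


# Constructed samples: a real JPEG header, an executable named like a picture
# (the MSNAgent case), and a SoundBot-style link list named like a picture.
SAMPLES = {
    'holiday.jpg': JPEG_MAGIC + b'\xe0' + b'\x00' * 32,
    'picture.jpg': _fake_pe(),
    'list.jpg': b'http://example.invalid/a.exe\r\nhttp://example.invalid/b.exe\r\n',
}


if __name__ == '__main__':
    for name, data in SAMPLES.items():
        print(f'{name}: {classify(data)}')
    print('suspicious:', suspicious_files(SAMPLES))
```

The same idea scales to a mail gateway or proxy: decide what a file is from its leading bytes, and treat a mismatch between content and claimed type as a reason to quarantine rather than to render.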


The thing that makes this so interesting is the lengths to which the attacker is willing to go in order to hide from detection by commonly used security applications.  Only by using certain tools can you see the threat running behind the scenes.  Here you can see an ominous, almost-legitimate-looking application running called "MSNAgent".


txtfile.PNG

MSN Agent starts up when the computer boots up.


MSNAgent has the ability to connect to a remote server for the purposes of stealing your MSN username and password.  The file "gf1008.exe" is originally saved in the Temporary Internet Files to avoid too much suspicion.  It's on the Desktop in this example for the purposes of testing.


autostart.PNG

This is shown to the user whenever the computer is restarted.


Taking a closer look at gf1008.exe shows you the following:

bintext.PNG

You can see here that this file is directly related to the autostart value "MSNAgent".  It also shows us that it's trying to make a connection to a remote server, as well as get the user to change their password, presumably for the purpose of phishing the user.


Attempting to find this threat running with other free security apps might be a problem.


Hijackthis:



hijackthis.PNG


Regcrawler:


regedit.PNG

MSNAgent can't be found in the registry through traditional means either.


Hijackthis is one of the common security applications used to verify if there is an infection when users try to get help from other users on a forum.  Most of the time, Hijackthis is the first step when trying to find the threat.


Never fear though.  We detect this threat as MSNAgent.  Using our Microscanner should reveal if you are currently under surveillance.



Based on recent research, Facetime has found that security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. In contrast, last year we saw a 35 percent decline over the same period, from Q1 to Q2 2006. We didn't cover this report on the blog when it came out, as the GTA story was rolling out at full steam, but it is worth the time to read the analysis.

Some Highlights

A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

Some Key Findings


-- Increase in IRC attacks

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

-- Single channel attacks vs. multichannel

Similarly, single channel attacks (security incidents that propagate via only one vector, such as AOL, Yahoo or IRC) now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.

View the full report here, along with past reports. It is important to note that, with the rise of unified communications and Web 2.0, we can expect attacks along social vectors to become more subtle, creative and far more sophisticated.

While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.


Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research

Here's an interesting roundup of unrelated Chinese oddities for you to get your teeth into. First off, let's look at something that redirects you to....er.....well, you'll see.....

poo1.jpg

From this file leaps great things - or at least, a bizarrely named hijack:

http://blog.spywareguide.com/upload/2007/05/poo2-thumb.jpg

That's right, your IE homepage is hijacked to....Pooo.cn (Beta!) and restrictions are placed in the IE settings so you can't change it back easily. The site itself is a typical Chinese multimedia website, with an endless collection of videos and flash animations:

http://blog.spywareguide.com/upload/2007/05/poo3-thumb.jpg

...yeah, makes no sense to me either. So there we have it, short, sweet and, er, odd.

Next up, something that I came across while looking for something else - sadly, the main site this stuff launches from is apparently dead but that doesn't mean we can't take a look at it:

sweet1.jpg

...well, we all like sweets, right? If you run the executable, you'll see what is presumably an EULA:

http://blog.spywareguide.com/upload/2007/05/sweet2-thumb.jpg

Of course, I have no idea what it says but let's press on anyway:

http://blog.spywareguide.com/upload/2007/05/sweet3-thumb.jpg

I can't be sure, but it looks like some sort of media player. Another offering from the same people gives us a (very limited) web browser:

http://blog.spywareguide.com/upload/2007/05/sweetbrowser1-thumb.jpg

...again, with the main site down it doesn't currently do much other than sit there and look nice. However, thanks to the wonderful Internet Archive, we can go back and have a look at the main site:

http://blog.spywareguide.com/upload/2007/05/sweet4-thumb.jpg

...so, it looks like a good bet that both of these applications were simply there to serve up the movies and videos from that website. If the site ever comes back online, we might be able to get a firm answer and wrap everything up in a neat little bow or something...

Here's a weird one - there are hints and suggestions that some sort of advertising mechanism is in place, but with the program being from Korea it's vaguely tricky to know exactly what is going on. Let's take a look anyway...

http://blog.spywareguide.com/upload/2007/05/da0-thumb.jpg

Of course, the site is in Korean and the EULA isn't exactly easy to understand which doesn't really help:

http://blog.spywareguide.com/upload/2007/05/da1-thumb.jpg

In fact, the installer is so fiddly it took a good five minutes to work out what buttons to press to get it to run in the first place! After everything is up and running on the PC, this is what we're left with:

da2.jpg

...and now, it's time to run this thing and see what it does! An icon is dumped onto your Taskbar and into IE itself, and when you click either you see this:

http://blog.spywareguide.com/upload/2007/05/da3-thumb.jpg

......yeah, I have no clue either. If you click into the other tab, things look a little more useful:

http://blog.spywareguide.com/upload/2007/05/da4-thumb.jpg

From the looks of it, one of the primary functions of this program is to store basic "notes" about the sites you visit in the interface. Beyond that, I have no idea if you can do more with the data you input, or if the program has any other "features". Here's where it gets interesting - from the translated page:

To case of the keyword which the user does not register with the site which generally is useful movement
- Ex) Seoul watching -> seoul.go.kr/ and pcfree -> pcfree.co.kr
- -> With www automatic conversion function.
- In compliance with the malignant cord or other Hangul (Korean alphabet) keyword program the function which intercepts the part which is rightly connected with an advertisement characteristic site in the dictionary.
- The user wants search engine configuration feature.
- Up-to-date version connection (DirectConnector) it maintains rightly the automatic update function for. (Default)

Allowing for a hopeless translation, this is effectively saying it grabs keywords and relates them to advertisements in the "dictionary". Of course, I don't know what "dictionary" they speak of. Built in word-list to pop relevant adverts? Or something else altogether? Who knows, but I couldn't get it to pop anything while running it so a final decision on this thing is still pending.

...don't you just hate it when that happens?

Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Chris Mannon, FSL Senior Threat Researcher

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from HTTP to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, Facetime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one, and I would note to pay particular attention to how anonymizers, like Rodi and/or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


Tap, Tap, Tap...we are waiting on the go ahead to release our presentation from RSA and in the course of it looking at some interesting China-based "mysteryware". Until then...

There is something about this picture that yells "viral". It has popped up in my own inbox more than once and I had to explain I was with said Paperghost while he was wearing the shirt. Actually I had to ask him to stand politely three meters to the left or right (his choice) at all times in case I was taken out by any stray fire. Actually the folks at Homeland Security had a good laugh...good sports...unless you are in a long line.

homeland-spg.jpg

Because if you spin him around it says "I Am Not A". I think they actually had him pose for a couple more.



waynephone-spg.jpg

Yes there is video of this one where I am talking in a rather animated fashion with someone from an "adware" company...this particular company sent me an e-mail touting their FTC Certification. I don't know about you, but I didn't know the FTC was in the business of making such certifications...must be a new division? I will find out.

Our friends at CastleCops' body of work is truly ground breaking and it has always been a pleasure to collaborate and exchange knowledge with Paul Laudanski, Microsoft MVP Windows-Security, on his projects into malware and phishing research. They will soon be giving away over $130,000 in donations from companies who recognize how valuable CastleCops and their body of volunteers have been to the Net. We have had the honor to work with them over the years and wish them continued success.

FaceTime supports independent efforts like CastleCops.com because they mirror facets of our own research philosophy, recognizing the value of talking to Netizens, listening to clients and participating in the community at large.

Internet security is a vast problem that is not only technological in scope, but social as well. Social problems - by their very nature - are often best tackled by businesses and people working together. Leaders like Paul Laudanski are important catalysts in driving communities which create venues for open dialogue, frank conversation and education. We are grateful to have the opportunity to contribute.

Learn more about CastleCops.com, their 5-year anniversary celebration, and the various prizes made available to members. It is a great place to learn more about computers, security in general, and to be a part of the security community. Their achievement is a glowing testament to the impact motivated individuals, working together toward common goals, can achieve. From training their volunteer staff in anti-malware, phishing, and rootkit academies, and through additional services including forums, news, reviews, and continuing education, CastleCops is a genuine and valuable resource for all.


More from CastleCops.com.

Brian Krebs at the Washington Post reports.

Colleague Bill P. of WinPatrol.

More coverage at:

MarketWatch.com

MorningStar News

Forbes.com

This page is an archive of recent entries in the Research category.
