Symantec Blogs: Security Response

Elia Florio | February 23rd, 2009

Editor’s Note: This is the concluding article in Symantec’s multi-part series covering specific and interesting aspects of W32.Downadup.

The conclusion of my previous blog posed an interesting question to readers: “...seeing as the list of the future domains was publicly disclosed on the Web, why hadn’t any other cyber criminals taken advantage of the predictions?” Antivirus companies and many independent security researchers were able to crack the domain prediction algorithm used by the worm, so it is reasonable to believe that other people were able to achieve the same result, but with different intentions. In fact, predicting what the next domain will be creates the perception that someone can take control over the botnet, and, for example, start pushing a bank Trojan to these millions of...

Elia Florio | February 19th, 2009

Back in 2008, the infamous MBR rootkit (a.k.a. Mebroot or Sinowal) proved to be one of the most complicated pieces of malicious code ever seen. Clearly written by professional developers, the Mebroot rootkit has pushed stealth technologies to an extreme level in order to support a bigger criminal project.

In fact, Mebroot can be considered as a real e-crime platform that binds itself to the core of the operating system in order to provide support to the higher layer of modules, designed to steal sensitive information for access to bank accounts. This speculation became a fact in November 2008, when law enforcement and a group of researchers were able to gain access to a remote server used by the Mebroot gang, where it was soon discovered that the servers contained around 500,000 stolen credit card and bank account numbers.

We have posted some...

Elia Florio | January 22nd, 2009

Editor’s Note: This is the fourth installment of a multi-part series on specific and interesting aspects of W32.Downadup.

Back in November 2008, Symantec raised the ThreatCon level in response to a significant increase in exploitation activity targeting MS08-067, even when other vendors were still downplaying or ignoring this large increase in network attacks. This was just the beginning of the W32.Downadup saga.

Downadup wasn’t the first worm exploiting MS08-067, but it clearly had something “special” when compared to its previous competitor threats (see W32.Kernelbot.A and W32.Wecorl). From the programming style, the tricks, and the ideas used in Downadup code, we could easily say that Downadup wasn’t the average threat that we would normally see in the wild. The first...

Elia Florio | February 8th, 2008

Back in the final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data, it appears as though a massive QA plan was performed by the gang, starting back in November 2007.

[Image: table of Trojan.Mebroot sample data]

This is also confirmed by many clues found...

Elia Florio | January 8th, 2008

There have been recent reports of an MBR (Master Boot Record) rootkit in the wild and, of course, we have been following up these reports and doing our own analysis. An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on.

MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR. As we have seen, malicious code that modifies a system's MBR is not a new idea – notable research in the area of MBR-based rootkits was undertaken by Derek Soeder of eEye Digital Security in 2005. Soeder created “...

Elia Florio | April 16th, 2007

What we saw in the first Trojan.Peacomm outbreak during January was only the beginning of the “storm-worm” war. The initial outbreak seemed to be an experiment in setting up a peer-to-peer (P2P) bot network, and to test the potential of the Trojan. The bad guys who were behind those criminal activities used the first variant of Peacomm to distribute a set of single-module Trojans that were programmed to send spam, perform DDoS attacks, gather mail addresses, and distribute new versions of the Trojan.

...

Elia Florio | March 8th, 2007

Following further research and also some feedback received from Sunbelt (thanks to Alex for that) we are posting a short follow-up about the Windows Live hijack story reported yesterday. First of all, we notice that some of the domains returned by Windows Live open popup boxes and pages with false Windows errors and problems.

This is the usual social engineering scam to induce people to install programs like WinFixer or ErrorSafe. Those programs are security risks that may give exaggerated reports of threats on the computer, and they only get installed on the machine if users agree and click “Yes” to begin the installation.

Today we were also able to verify that a subset of the bad domains returned by Windows Live redirect Italian computers to some malicious Web sites hosting several exploits and delivering malware. This behavior affects, at the...

Elia Florio | March 7th, 2007

Windows Live is “everything you need, all in one place” and it looks like the search engine really does know what exactly it is that Italians need! Today, we came across a story that was reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.

At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.

...

Elia Florio | February 28th, 2007

People using Web 2.0 have personal Web spaces, blogs, and online discussions on forums and public boards. Everyone can create Web content from his or her own computer just by using the browser. So what would be the perfect vector for spreading malware in the Web 2.0 world? The Web itself, of course.

On Monday we posted a blog about a new variant of Trojan.Mespam distributed via the StormWorm/Peacomm botnet. We noticed that this new Mespam takes advantage of new Web technologies and spreads by injecting malicious links when users interact with the Web.

What does this mean? When users are about to post something on any Web site running vBulletin or phpBB, the Trojan will sneakily add a malicious link into the outgoing Web packet. The same also happens when users are sending emails using clients such as Gmail, Yahoo,...

Elia Florio | November 30th, 2006

In a letter to the editor of CrossTalk magazine, “Rubey” of SofTech Inc. exhorted developers to “go beyond the condemnation of spaghetti code to the active encouragement of ravioli code.” It was 1992 and the "pasta theory of programming" was officially born. Since we first talked of the “spaghetti code” used by Trojan.LinkOptimizer, at least one blog reader has asked for more details about it, so I decided to post a brief explanation and a visual demonstration of what exactly spaghetti code is.

Programmers talk about spaghetti code when a program has a complex and tangled control structure that uses many jumps (GOTOs) or other unstructured branching constructs. Now, take a second to solve the following visual quiz. Look at the images below, which show three different graphs generated by IDA Professional (a well-known disassembler program). Each graph is the result of the analysis of the function flow of an executable file. Which one seems...

Elia Florio | October 18th, 2006

Since we last talked about Trojan.Linkoptimizer (a.k.a. Gromozon) and the Italian Spaghetti saga, there have been some significant developments. What we had originally dubbed "spaghetti threats" now look much more like multi-layered "lasagna threats". Several new features and improvements were integrated into the latest incarnation of this Trojan by the authors, who are probably getting paid well for all of their efforts.

How do users get infected with Linkoptimizer/Gromozon variants? We noticed that the complicated distribution scheme of Trojan.Linkoptimizer (shown in Figure 1) introduced a few significant changes, compared to the original scheme of the previous blog article. Here are the new...

Elia Florio | June 28th, 2006

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is unique in the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that, when combined, make a piece of malware stealthy enough to remain undetected by many commonly used rootkit detectors (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

So, why is Rustock.A so special? Many rootkit detectors use a cross-view based detection algorithm. This means that they detect hidden objects by finding the discrepancies between a high-level view and a low-level view. For example, a simple rootkit detector can enumerate the...