Symantec Blogs: Security Response

Elia Florio | February 23rd, 2009

Editor’s Note: This is the concluding article in Symantec’s multi-part series covering specific and interesting aspects of W32.Downadup.

The conclusion of my previous blog posed an interesting question to readers: “...seeing as the list of the future domains was publicly disclosed on the Web, why hadn’t any other cyber criminals taken advantage of the predictions?” Antivirus companies and many independent security researchers were able to crack the domain prediction algorithm used by the worm, so it is reasonable to believe that other people were able to achieve the same result, but with different intentions. In fact, predicting what the next domain will be creates the perception that someone can take control over the botnet, and, for example, start pushing a bank Trojan to these millions of...

Elia Florio | February 19th, 2009

Back in 2008, the infamous MBR rootkit (a.k.a. Mebroot or Sinowal) proved to be one of the most complicated pieces of malicious code ever seen. Clearly written by professional developers, the Mebroot rootkit has pushed stealth technologies to an extreme level in order to support a bigger criminal project.

In fact, Mebroot can be considered as a real e-crime platform that binds itself to the core of the operating system in order to provide support to the higher layer of modules, designed to steal sensitive information for access to bank accounts. This speculation became a fact in November 2008, when law enforcement and a group of researchers were able to gain access to a remote server used by the Mebroot gang, where it was soon discovered that the servers contained around 500,000 stolen credit card and bank account numbers.

We have posted some...

Elia Florio | January 22nd, 2009

Editor’s Note: This is the fourth installment of a multi-part series on specific and interesting aspects of W32.Downadup.

Back in November 2008, Symantec raised the ThreatCon level in response to a significant increase in exploitation activity against MS08-067, even when other vendors were still downplaying or ignoring this large increase in network attacks. This was just the beginning of the W32.Downadup saga.

Downadup wasn’t the first worm exploiting MS08-067, but it clearly had something “special” when compared to its previous competitor threats (see W32.Kernelbot.A and W32.Wecorl). From the programming style, the tricks, and the ideas used in Downadup code, we could easily say that Downadup wasn’t the average threat that we would normally see in the wild. The first...

Elia Florio | December 10th, 2008

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit,...

Elia Florio | December 4th, 2008

Following Dan Kaminsky’s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough.

DHCP is a widely used network protocol that has been around for a while; it is used to automatically assign IP addresses on a local network. When you connect your laptop to the wireless router at your home or to your office network, it is most likely that a DHCP server assigns an IP address to your machine and provides all of the important parameters such as a gateway IP and DNS servers. The DHCP protocol is simple, transparent, and efficient for end users, but it is also insecure. There’s nothing new or sensational in that statement, because it’s well known and really comes down to a lack of authentication. Wikipedia has a pretty good description...

Elia Florio | October 3rd, 2008

Digging into our honeypots and spam-trap systems to look for malicious attachments is always an interesting exercise. We can identify different spam campaigns and map malicious binaries together by correlating attachments and filenames. Nevertheless, it's also funny to see how the bad guys are still trying to entice users to run executable attachments, pushing their creativity and social engineering skills to extreme levels. Invoices, contracts, delivery notices, and all types of tickets are travelling by mail every day, hitting millions of mailboxes, all in the hope that a few users, sooner or later, will be fooled by a perfectly orchestrated malicious e-mail (yes, it does still work, and old tricks are always the best).

Just for fun, I tried to create a picture of the breakdown of the most common malicious spam campaign observed on a set of emails received...

Elia Florio | March 19th, 2008

Vulnerabilities in Microsoft Access and MSJET40.DLL have been discussed in many blogs recently. Our friends at Panda blogged about a possible (new?) vulnerability in the MS Jet library on March 3rd, and McAfee also blogged this past December about a different vulnerability reported on Bugtraq. Here at Symantec we also reported some of these vulnerabilities to Microsoft, along with the many targeted attacks carried out with .mdb files since March 2006, but this is almost the usual sort of response:

"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"

This sentence translates into a very simple equation: .mdb = .exe...

Elia Florio | February 8th, 2008

Back in the final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data, it appears as though a massive QA plan was performed by the gang, starting back in November 2007.

[Image: table of Trojan.Mebroot sample data]

This is also confirmed by many clues found...

Elia Florio | January 8th, 2008

There have been recent reports of an MBR (Master Boot Record) rootkit in the wild and, of course, we have been following up these reports and doing our own analysis. An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on.

MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR. As we have seen, malicious code that modifies a system's MBR is not a new idea – notable research in the area of MBR-based rootkits was undertaken by Derek Soeder of eEye Digital Security in 2005. Soeder created “...

Elia Florio | November 25th, 2007

Proof of concept exploit code for a newly discovered vulnerability in Apple's QuickTime player has been made available to the public today. The vulnerability (Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability) was first reported on November 23rd by Polish security researcher Krystian Kloskowski.

The publicly released exploit works successfully when tested with the latest stand-alone QuickTime player application version 7.3. It does not seem to execute any shellcode when tested with the QuickTime browser plugin, even though the browser crashes due to the buffer overflow.

At the moment we believe the most likely attack scenarios to appear using this vulnerability could be:
1. Email based attacks.
2. Web browser based attacks.

In the email attack scenario the user receives a malicious email with an attachment containing a file with...

Elia Florio | November 6th, 2007

A few weeks ago, we warned users about a new Local Privilege Escalation vulnerability in Windows XP and 2003. The original exploit was found in the wild and actively used against Windows-based computers to gain SYSTEM privileges and install additional malware or bypass other restrictions. It wasn’t just proof-of-concept code, but a malicious exploit used in real (but limited) attacks. Today, Microsoft posted Microsoft Security Advisory (944653) about this issue.

With the release of this advisory, I’d like to answer a few follow-up questions for blog readers:

Q: I don’t play games and I don’t use Macrovision software, so am I safe?
A: No. The vulnerable component affected by the bug is the Macrovision driver...

Elia Florio | October 15th, 2007

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.

We notified Microsoft and they were already aware of this specificissue. The mitigating factor is that the attacker has to be logged onto or have access to the compromised computer with a valid account,...

Elia Florio | July 10th, 2007

The early years of the 1980s were marked by great technological advancements, particularly the release of the first integrated and powerful personal computers. Apple introduced the “Apple II” microcomputer in 1977, and by the early 80s it was one of the most popular personal computers for business users, families, and schools. In 1981, computing giant IBM purchased the license to distribute the DOS operating system for their PC machines from an obscure company called Microsoft. At that time, computing companies were popping up quickly. The early 80s saw numerous home computers for sale, such as the Commodore 64 (1982) and the Atari ST (1985).

It sounds funny now to think of those “extraordinary” computers of the 80s while sitting at a desk with a modern hyper-threading CPU, gigabytes of memory, and a wireless connection. Still, the 80s were the years during which personal computers established their foothold in homes and offices. For the first time people start...

Elia Florio | June 17th, 2007

When SkyLined released in 2004 one of the first proof-of-concept exploits introducing the “Heap Spraying” technique, he commented [1] his code in this way:

“The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it has been proven to work so well that it actually is the most copied-and-pasted piece of code used to exploit many of the Internet Explorer vulnerabilities discovered since 2004.

So, I was surprised to come across an exploit in the wild that uses a different heap manipulation technique. The malicious code was hosted on a Russian domain (hxxp://crun[REMOVED].info) and was part of one of the typical web attacker toolkits developed by Eastern European gangs. The code exploited...

Elia Florio | June 14th, 2007

We verified a report of a large-scale web attack ongoing in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new, different final domain which runs the hostile exploits of the Mpack 0.86 kit.

The gang behind the attack had successfully compromised the homepages of hundreds of legitimate Italian websites. We checked many of them and we verified that they now include a malicious IFRAME (detected as Trojan.Mpkit!html) which redirects to the same bad IP address. The list of compromised sites is huge and from Mpack statistics this attack...