ESET Threat Blog

Archive for February, 2008

The More Things Change…


Friday, February 29th, 2008

…the more they remain the same. It’s sometimes too easy to forget that it’s not all about the technical analysis of malware. Often, it doesn’t matter how startlingly sophisticated or innovative malware is: if the social engineering hits the spot, and technical defences fail, as all too often they do, that’s enough. Depressingly, the engineering doesn’t have to be great either: over the years, I’ve noticed (as have the bad guys) that the same ploys work over and over again.

 

 Of course, I have a couple of recent examples in mind. There have been reports on many mailing lists this week about an email that purports to come from the Department of Justice. There are variations in the exact wording, but a typical one includes (beneath a DoJ banner) text like this:

 

Dear Mr. [Targeted individuals name] ,

A complaint has been filled against the company you are affiliated to ( [Company Name] ) in regards to the domain of business activity.

 

The complaint was filled by Mr. James Palmer on 25/02/2008 and has been forwarded to us and the IRS .

Complaint Case Number: #[case number] Date: [date]

A copy of the original complaint and the contact information of Mr. James Palmer has been attached to this e-mail.Please print and keep this copy for your personal records.

 

There’s more to it, of course. And very similar messages have long been received, apparently from other official bodies. The attached complaint document is actually a zipped and packed executable that downloads and drops various objects onto your system that you really don’t want. Spear phishing meets mass mailer social engineering meets bang-up-to-date obfuscation. And, while the English isn’t perfect, it’s not the conspicuously "foreign" English we’ve become accustomed to seeing in low-grade phishing emails.
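The post describes the lure as a "complaint document" that is really a zipped executable. The following is an added example (not code from the post or from ESET) of the kind of attachment check a mail gateway or help desk script can apply before anyone opens such an archive: it looks inside a zip without extracting it and flags entries by executable extension, by a document extension followed by a second extension, and by the actual leading bytes of the file. The sample archive is constructed in memory with a stub PE header, and the extension list is this example's own assumption rather than an exhaustive one.

```python
import io
import zipfile

# Extensions that Windows will run directly. This list is an assumption for
# the example, not an exhaustive inventory.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".txt", ".rtf"}
PE_MAGIC = b"MZ"  # DOS/PE executables begin with the bytes 'MZ'


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per archive entry that looks like an executable.

    Three independent checks are applied, so renaming the payload to hide
    behind a document extension is caught by the content check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            double_ext = len(parts) > 2 and ("." + parts[-2]) in DOCUMENT_EXTENSIONS
            # Read only the first two bytes; the entry is never fully unpacked.
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if double_ext:
                reasons.append("document extension followed by another extension")
            if head == PE_MAGIC:
                reasons.append("content starts with the PE/DOS 'MZ' header")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip shaped like the one the post describes, with a
    fake 'complaint' that is really an executable, one harmless text file and
    one executable renamed to look like a document. The PE bytes are a stub
    header only, not a working program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("complaint.pdf.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"Complaint Case Number: #0000 (constructed sample)\n")
        zf.writestr("renamed_payload.doc", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_attachment()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run as a script it prints two findings: the double-extension entry trips all three checks, while the payload renamed to `.doc` is caught only by its leading bytes, which is why the content check matters more than the filename rules. The harmless text file produces no finding.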

 

The English in this 419-style email is rather rougher, but I guess you don’t necessarily expect literary polish from a hitman.

 

 

HELLO

I am very sorry for you Xxxxxx, is a pity that this is how your life is going to end as soon as you don’t comply. As you can see there is no need of introducing myself to you because I don’t have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.

[...]

Get back to me now if you are ready to pay some fees to spare your life, $10,000 is all you need to spend You will first of all pay $5,000 then I will send a tape to you which i recorded every discusion in made with the person who wanted you dead and as soon as you get the tape, you will pay the remaining $5,000. If you are not ready for my help, then I will carry on with my job straight-up

[...]

 

 Nice. Of course some of the detail changes, such as the sum demanded. Incidentally, while I routinely anonymise this sort of thing when I use it for blogs and alerts, I didn’t change the recipient’s name in this one. Either a lot of people are called Xxxxxx, or the extortionist on this occasion couldn’t be bothered to replace a placeholder. Nonetheless, a lot of people have been disturbed by this one, which has been seen from time to time for some years now. And that, I suppose, is the point. The world is full of people, some of them highly educated, who don’t raise their implausibility shields when they put on their cyberspace suits.

 

David Harley

Research Author

To block or not to block


Thursday, February 28th, 2008

A government committee in the United Kingdom have been debating whether to force providers (such as Microsoft) to include content filters in their software (that they already do to some degree is not something you’d expect a government body to understand).

http://www.theregister.co.uk/2008/02/27/culture_committee/

It seems that Microsoft have made the argument that adding filters would ’send Britain back to the dark ages’. Leaving aside the hyperbole (the early 1990s – before the advent of the commercially ubiquitous internet – was hardly the dark ages in the UK!), this article is interesting to me for reasons not directly related to the article.

While the committee isn’t really addressing the malware question (rather, one of violent content in video games and so on), it does raise an interesting question. One of the arguments against automatic filtering is that it seems many people don’t actually want things to be filtered – personally, I want to be able to access whatever (legal) things I like on the internet, and as an adult, I basically feel it’s ok to do so.

However, that’s a political question. The really interesting thing is that in some research that ESET conducted (a Harris Poll a couple of years ago), we found that a huge percentage of people don’t update their anti-virus software, because, ostensibly, it’s a difficult process, and for a few other reasons: for instance, people just don’t necessarily realise that the software needs updating – the trial version they bought with their machine perhaps will just go out of date, and they ignore the warnings.

Underneath that though, there may be a feeling of wanting to be one of the ones who ‘got hit’ by the big scary virus. This is certainly a phenomenon encountered by beleaguered support personnel in businesses throughout the world who get calls from users who ‘just wanted to see what happens’. It seems that people, at times, deliberately disable their defenses, even though they know there will be consequences. Humans seem to like ‘horror stories’ and the media glamourizes the humble virus in such a way that it makes it appealing to people. There’s a sort of mystique to the whole ‘malware’ thing, and some strange cachet to having been affected by a virus. In popular opinion, malware is given mythical properties, to the extent that almost anything that goes wrong with a computer system must somehow be the result of ‘a virus’. A case in point: I recently spent a couple of hours on the ‘phone with a relative who was having trouble reaching some websites, and who insisted it was malware (despite nothing showing up during scans with an updated version of ESET Smart Security). In the end, it turned out he had some static DNS entries pointing to servers that were no longer working correctly (his ISP had been purchased by another), nothing to do with malware at all. This same relative has a ‘friend’ who has previously rebuilt my relative’s computer several times, ostensibly because it was ‘infected’ with malware. Who knows if it was really the case – personally, I doubt it. Not to say that malware isn’t a threat, of course it is, but with sensible internet usage practices, and maintaining good, updated defenses, one can be reasonably safe.

This may all just be a result of human nature: we don’t like restrictions placed on us (because, rightly or wrongly, we think we can handle the consequences of our actions), we don’t necessarily calculate risk very well (we are afraid to fly, but will drive at high speed on a crowded highway) and we like to be able to recount horror stories (oh, I once got my leg bitten by a virus, and had to have it amputated…). With malware though, there is a very real risk of not only infection if we disable defenses, but of a compromise to our personal identity, funds and security. Far from being the hobbyist activity of tradition, virus writers no longer want to ‘melt your screen’; in fact, they would rather be totally unobtrusive, because that increases the chances of the malware surviving on an affected system long enough to be useful. If your system can be added to a botnet, it becomes something of value to the attacker, and it’s not in hir interest to let you know about it. This can lead to loss of your funds, credit card fraud, impact on your credit rating, loss of crucial data and so on. Not only that, but you could find yourself being a part of the problem, with your machine attached to a botnet spewing out spam and malware updates to infect thousands of others. Is it really worth the risk to turn off your filter just because you want to see what happens?

 

Andrew Lee
Chief Research Officer

A Little Light Reading


Sunday, February 24th, 2008

I’ve just found out that I have another book out. Well, a single chapter in a three volume set called The Handbook of Computer Networks. (The chapter is on E-Mail Threats and Vulnerabilities: thank you for asking.)

 

"I’ve just found out…" probably sounds quite disingenuous. How could anyone not know they had a book published? Well, the pace can be astonishingly leisurely in academic publishing. I was invited to write it in 2005, and returned the corrected copy-edits last summer, and apparently it came out in December: I didn’t know that until I mailed the Editor-in-Chief to ask how the project was going. 

 

That’s not the longest incubation period for a book that I’ve experienced, though. An article I wrote in 2000 for the American Society for Industrial Society turns out to have been repackaged in 2005 as an eBook. As far as I know, you can still buy it, but I’m not going to recommend it. Apart from the fact that I don’t get any money for it (what am I doing wrong that JK Rowling is doing right?), it’s very dated. The malware scene has changed a bit since 2000, and if they’d actually asked or even told me about the eBook, I’d have suggested that it needed updating if they were going to charge $5.95 for it.

 

The Handbook of Computer Networks is a little more up-to-date – well, as up-to-date as you can expect an accumulation of three-year-old chapters to be – and a lot more expensive. Don’t feel you have to go out and spend $750 for my benefit, though. I don’t get any of the money. Just a copy of the book and some witty remarks from my wife about not needing any more doorstops. But I know what my next book is going to be. "Harry Potter and the Ping of Death."

 

David Harley

Research Author

Happy Birthday CastleCops!


Friday, February 22nd, 2008

 

Sometimes it seems that we are fighting a battle that we are destined to lose. To some extent, win or lose depends upon your definition of the terms. We have never completely beaten crime, but we still have victories against criminals… sometimes.

 

Today it is a very great pleasure to wish a happy 6th anniversary to the tremendous folks at CastleCops and their very dedicated volunteers. Paul and Robin Laudanski are some of the most wonderful people anyone could ever hope to meet (I hope to meet them some day). Their work to help internet users has been inspiring.

 

Despite the most worthless dregs of humanity, the type that beat 90 year old women with sticks because that is as brave as those cowards can get, trying to shut down the CastleCops site, CastleCops is up and running and doing wonderful work for the community.

 

It is truly the successes of Jedi like the CastleCops community that keep hope alive for the rest of us fighting the dark side of the force!

 

ESET congratulates CastleCops on another year of Excellence in Humanity.

 

Randy Abrams
Director of Technical Education

Storm in a D-Cup


Tuesday, February 19th, 2008

Bot-hunters were somewhat puzzled recently when a botnet called Mega-D suddenly started grabbing headlines as the successor to the Storm (or Nuwar) botnet. Though the Storm network does seem to have declined in overall numbers over recent months, reports of its demise still seem exaggerated, and no-one seemed quite sure what Mega-D was and where it had come from. However, an excellent analysis by the estimable Joe Stewart casts some light on the subject.

 

According to Joe’s investigations, the Mega-D network seems to have grown to a formidable 35,000 or so machines, virtually unnoticed. (By his estimate, Storm currently runs at around 85,000 bots.) Why did the size of Mega-D come as such a surprise?

 

It seems that Mega-D is using the Ozdok bot family, which Joe describes as "little known". He’s also pointed out, having submitted a sample to VirusTotal, that while most vendors detected it (yes, of course we did, but thank you for asking!), very few detected it by that name. So, as Shakespeare said, what’s in a name? If you detect it, does it matter what name you identify it by? Well, usually, no. In fact, the sheer volume of malware variants nowadays means that it’s more efficient to use more generic detection techniques such as heuristic analysis and generic signatures wherever possible. So this doesn’t represent a detection failure in terms of bot-compromised PCs: it’s unlikely that the botnet would be any smaller if all companies were using the same identifier. However, it would probably have taken much less time to flag the existence of what turns out to be a fairly hefty botnet, because we’d have recognized the commonality of the infections. Whether that would have had any mitigating effect on the scale and impact of Mega-D is another question.

 

You could see this as an illustration of the problem this industry has with naming: no-one has the time and resources to crossmatch all the samples we see so that everyone can use the same name for every variant or subvariant.

 

On the other hand, there’s something quite reassuring about the way the name can change as we learn more about a specific family or variant. Pierre-Marc checked back on some of the samples we’ve received over the past month or so. If NOD32 picked up an Ozdok compromise on your network, the actual identifier it would have used might have varied quite a lot, according to which variant it picked up and when. Some of those samples were identified generically as a bot or agent: for example, programs using obfuscation techniques characteristic of malware families ring an immediate alarm bell. Some were identified as specific Ozdok variants, and those are usually the ones that have been around long enough for more detailed analysis. But what matters most is that they’re detected as malicious programs, and as early as possible in their evolution.  

 

David Harley, Research Author

NDSS 2008


Monday, February 18th, 2008

Last week our home town of San Diego was host to the Network and Distributed System Security Symposium held by the Internet Society. This conference represented a good opportunity for us to learn the latest research topics under investigation by the academic community.

 

David Dagon and his team from GA Tech presented an interesting paper on malicious domain name resolution. Their research showed that 2.4% of investigated DNS servers produce incorrect or malicious name resolution. Extrapolating based on the number of hosts on the Internet, there may be almost 300,000 malicious name servers out there! While this is not surprising, as we have seen malware that changes the DNS configuration of infected hosts to redirect their browsers towards phishing sites, this is the first research we have seen on the scope of the problem.

 

Thorsten Holz also gave an interesting presentation on how to measure and detect fast flux DNS service networks. Fast flux is a technique used to increase the reliability and availability of malicious web sites. To do so, DNS servers are configured to answer lookup requests for malicious sites with a wide range of different IP addresses every time a request is made for a domain. The IP addresses actually point to compromised hosts participating in a botnet and serve up more malicious content, host phishing sites and so forth. The increased number of computers available to respond to such requests "improves" the reliability of the service for the attacker and makes it harder for security companies and law enforcement agencies to stop malicious operations.
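The paragraph above explains what fast flux looks like from the resolver's side: each lookup of the same name returns a different set of addresses, spread across unrelated networks, with TTLs short enough to force clients back to the attacker's name server. The following is an added example (not code from the post or from the NDSS paper) of a detector built on exactly those observable features. It works over constructed answer sets rather than live queries, uses the number of distinct /16 networks as a rough stand-in for the ASN diversity a real deployment would look up (an assumption of this example), and applies its own thresholds rather than the paper's scoring.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """One A-record answer set for a name, as a resolver would return it."""
    ttl: int
    addresses: list


def flux_features(answers):
    """Summarise repeated lookups of one name: distinct IPs seen, distinct /16
    networks they span (a stand-in for ASN diversity; assumption of this
    example) and the lowest TTL observed."""
    ips, nets, min_ttl = set(), set(), None
    for ans in answers:
        for a in ans.addresses:
            ip = ipaddress.ip_address(a)
            ips.add(ip)
            nets.add(ipaddress.ip_network(f"{ip}/16", strict=False))
        min_ttl = ans.ttl if min_ttl is None else min(min_ttl, ans.ttl)
    return {"distinct_ips": len(ips), "distinct_nets": len(nets), "min_ttl": min_ttl}


def looks_fast_flux(answers, ip_threshold=5, net_threshold=3, ttl_threshold=300):
    """Heuristic of this example (not the paper's metric): flag a name whose
    answers rotate through many addresses across many networks with TTLs
    short enough to force frequent re-resolution. All three must hold, so a
    CDN serving many addresses from one operator's block is not flagged."""
    f = flux_features(answers)
    return (f["distinct_ips"] >= ip_threshold
            and f["distinct_nets"] >= net_threshold
            and f["min_ttl"] is not None and f["min_ttl"] <= ttl_threshold)


# Constructed sample answers. Addresses come from documentation and private
# ranges and do not correspond to real hosts.
FLUX_DOMAIN = [  # each lookup returns a different slice of compromised hosts
    DnsAnswer(180, ["203.0.113.5", "198.51.100.9", "192.0.2.77"]),
    DnsAnswer(180, ["10.4.5.6", "172.16.9.2", "203.0.113.5"]),
    DnsAnswer(120, ["192.0.2.200", "10.77.1.1", "198.51.100.44"]),
]
CDN_DOMAIN = [  # many addresses, but one operator's block and a normal TTL
    DnsAnswer(3600, ["198.51.100.1", "198.51.100.2"]),
    DnsAnswer(3600, ["198.51.100.3", "198.51.100.4", "198.51.100.5"]),
]
STATIC_DOMAIN = [DnsAnswer(86400, ["192.0.2.1"])] * 3


if __name__ == "__main__":
    for label, answers in (("flux", FLUX_DOMAIN), ("cdn", CDN_DOMAIN), ("static", STATIC_DOMAIN)):
        print(label, flux_features(answers), "fast-flux?", looks_fast_flux(answers))
```

In a real deployment the answer sets would come from repeated queries spaced over at least one TTL, and network diversity would be judged by ASN rather than by /16 prefix. Even then the result is a lead, not a verdict: large content networks also rotate many addresses with short TTLs, which is why the network-diversity condition is required alongside the address count and TTL.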

 

Other sessions at the conference focused on topics such as intrusion prevention, reverse engineering, hardening software, and malware. For more information, visit the conference website at: http://www.isoc.org/isoc/conferences/ndss/08/.

 

Pierre-Marc Bureau

Researcher

Less Worms than Leeches


Sunday, February 17th, 2008

As you might guess, the New Scientist article on the Microsoft research "friendly worms" paper excited more annoyance than admiration, not only here but elsewhere in the research community. However, when a link to the actual paper turned up (thanks to Jimmy Kuo for pointing it out), it turned out to be rather less dramatic. While it does refer to malware from time to time to illustrate distribution models, it’s several levels of abstraction away from the self-distributing patch mechanism that New Scientist seems to think it’s about. (Unfortunately, a million other articles have appeared since that have taken their cue from New Scientist, not from the actual paper.)

 

Of course, we don’t know exactly what, if anything, the researchers in question said directly to New Scientist. If a benevolent Microsoft worm does exist as a gleam in someone’s eye, they’ll have to reconcile it at the implementation stage with the fact that Microsoft is also in the anti-malware business, and the industry hates the idea of unnecessary replicative code with a passion. (Even if there are still people out there who think we write all the viruses ourselves.)

 

In the meantime, the usual objections still apply.

  • In the real world, while a self-replicating program can, in principle, do anything a non-replicating program can do, no-one has yet found a job that has to be done by a worm. Well, apart from annoying anti-malware geeks.
  • The history of malware is littered with replicative programs that caused more damage than the writer ever intended because he failed to take into account every possible scenario that could arise. A benevolent worm would likewise have to take into account the additional practical complications that self-replicating code can give rise to. Benevolent intentions are not sufficient excuse for breaking systems that work differently to the way you assumed they would.
  • Even the best-coded, best-intentioned replicative code also has to cross so many ethical and legal boundaries that the fastest feasible distribution algorithm is likely to finish up hobbled by so many disclaimers and "are you sure?" messages that its theoretical advantages will be nullified.

But if you’re still not sure, read Vesselin’s paper: it doesn’t leave many stones unturned.

 

David Harley
Research Author

Worms and Leeches


Friday, February 15th, 2008

Every so often, an old wheel is reinvented. In the anti-malware game, an old favourite is what Dr. Fred Cohen used to call the "benevolent virus" or "maintenance" virus. Dr. Cohen’s early research and commentary remains the formal basis for much of the way we think about malware and anti-malware today. Several pages in "A Short Course on Computer Viruses" (Wiley, 1994) address the theoretical issues regarding what a benevolent virus could do, and his "It’s Alive: the New Breed of Living Computer Programs" (Wiley, 1994) covers similar ground more thoroughly. The latter work is not to be confused with Larry Cohen’s 1974 horror film, by the way, though there’s a certain irony in the re-use of the title: the anti-malware research community does generally react with distaste if not actual horror when the idea resurfaces, as it does every few years. (It was very popular at the time of the Code Red worm and its siblings.)

 

According to New Scientist, the latest group to rediscover this idea works for Microsoft Research at Cambridge. It’s not unreasonable to revisit such ideas from time to time, though the thought of using malware like Blaster as a model doesn’t inspire confidence. There are many legal, ethical and practical drawbacks to the use of replicative code for legitimate purposes, though, and I hope that when this team presents its paper at Infocom in April, they will have looked back at previous research (including Cohen’s, as well as Dr. Vesselin Bontchev’s "Are ‘Good’ Viruses Still a Bad Idea?") and considered those drawbacks.

 

I have a feeling this won’t be my last word on this subject here. :)

David Harley
Research Author

I AMTSO Happy to be here!


Wednesday, February 6th, 2008

Well, I am happy to be here, but AMTSO stands for The Anti-Malware Testing Standards Organization. This is an initiative between Anti-Virus companies and anti-virus testers to improve the quality of testing performed on anti-virus products so as to provide consumers with meaningful tests. There have been so many bad tests performed, but “it’s on the web, it’s gotta be true”. Even respected publications continue to publish test results with substantially less scientific merit than the belief in the tooth fairy. A variety of computer magazines throughout the years have published tests that at best are misleading, and often completely incompetent. When I worked at Microsoft a few years ago, before MS had an anti-virus product, I had to evaluate AV products for use in the lab I worked in. There were very few tests of sufficient quality to be useful. None of the tests were found in general computer magazines.

 

You can find out more about AMTSO at http://www.amtso.org.

 

Randy Abrams
Director of Technical Education