ESET Threat Blog

Archive for August, 2009

Oh Yeah, That’s How It Should Work!!!


Friday, August 28th, 2009

Recently a security company was hired to test the security of a Credit Union. The security company (MSI) ran a penetration test and mailed a letter with a couple of CDROMS to the Credit Union. The letter appeared to come from a reliable source, but it was unexpected and the employee who received it was well trained and sounded the alarms. The result was that the National Credit Union Administration (NCUA) sent out an alert to their members and the press picked up the story as well.

A penetration test is no test at all if it is expected. The result of this test was that all of the credit unions, and many other people, learned a valuable lesson in security.

You can read about what happened, and the explanation of the story at http://stateofsecurity.com/?p=766#comment-19560

Randy Abrams
Director of Technical Education

419 and Mac scams


Friday, August 28th, 2009

I forwarded this to myself from another account yesterday because I thought it was one of the laziest 419 scam messages I’d ever seen.

From: British Tobacco Company
Sent: 27 August 2009 19:46
Subject: Contact Mr Paul Adams

Congratulations! Your e-mail ID was among the selected lucky winners of £1,000.000.00 GBP in our BRITISH TOBACCO PROMO.Get back to us with your Name..Coutry..Occupation..Age

Well, short and to the point, I suppose. The hard sell social engineering will follow if you’re naive enough to follow this up. However, I’ve removed the mailto address at lo.com. Here’s another, received today.

From: British Tobacco Company
Sent: 28 August 2009 08:47
Subject: Claims Of 1,000,000 GBP

We are pleased to inform you that your e-mail address has won the British America Tobacco Programme. reply today with your full names

Even better. The mailto, which I’ve removed here, too, indicates that it was sent from an educational site in Taiwan. You’d think the British American Tobacco company would be consistent about its own name, and would be able to afford its own domain in Britain (or even the US).

Still, £2 million in two days is a nice bonus. Maybe I can afford to retire next year. :)

By the way, have you ever noticed that "scam" spelt backwards is "Macs"? No, I’m not indulging in a little gratuitous Macfreak-baiting. (Not that I’m above that…) That’s just a rather forced segue to a warning that there are reports of sites offering free copies of Snow Leopard that are actually not Snow Leopard, but malware. Ironically, it’s a DNSChanger-type program that isn’t detected by Snow Leopard’s File Quarantine utility.

Since I’m not here to taunt Mac fanboiz, I won’t even think about asking why it is that Mac malware is so often disguised as porn or as pirated software. ;-)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

 

Snow Leopard and Malware


Thursday, August 27th, 2009

Mac User has reported in a little more detail than I’ve seen elsewhere so far on the Trojan detection in Snow Leopard, quoting freelance OS X and iPhone developer Matt Gemmell. In fact, the meat of the story is Gemmell’s tweets, which state that the system checks for only two known Trojans, RSPlug and iServices, and that only certain files are checked.

Mac User has been quick to remark that "…the only way to get malware onto Macs is to persuade the user to install it…" That’s misleading, guys. What you mean is that you only know of malware that works by tricking the user into installing by social engineering. That’s approximately true, at least of contemporary Macs, but it doesn’t mean that there is no way to install malware without the active participation of the computer user. It simply means that "self-launching" exploits aren’t being seen in the wild right now. Let’s not perpetuate the urban myths that:

  • It isn’t possible to write a "drive-by download" or other self-launching exploit for OS X. Of course it’s possible. That doesn’t mean it’s easy, or necessarily likely at this time, but there is nothing magic about the OS X security model. See, for instance, "OS X Exploits and Defense".
  • Malware doesn’t matter if it’s user-launched. Some Mac users are fixated on the idea that all that Windows malware is self-launching: this is not, and never has been, the case. If social engineering by the bad guys were ineffective, the malware problem would be much, much less significant.

Still, this does represent a step nearer to the real world for Mac users (as does Apple’s inclusion of this rudimentary malware-specific enhancement to the File Quarantine utility). Even a year or two ago, the inevitable responses on Mac lists to any mention of Mac malware were along the lines of:

  • Mac viruses can’t happen and Trojans don’t matter
  • Mac users are too smart to fall for social engineering
  • If they do, it’s their own fault.
  • Go away and stop bothering me with this stuff.
  • Not listening. La-la-la-la-la….

Wider recognition that a Mac system could be compromised is a Good Thing. However, initial comments on the Mac User site indicate that, as I feared, some users are already overestimating the likely effectiveness of this countermeasure.

Mac World’s coverage is more comprehensive and, I’d say, a little more realistic. It gives more information about the mechanism, and sounds a note of caution about the likelihood or otherwise that Apple will offer timely updates for future malware, pointing out also that the utility doesn’t offer any form of disinfection. Full marks for responsible coverage!

The sky isn’t falling: however, it’s good to see some recognition of the fact that MacLand is getting to be a more dangerous place.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Mad Macs: Beyond Blunderdome


Wednesday, August 26th, 2009

I really ought to be working towards some really urgent deadlines, but I can’t resist a quick comment on the antimalware detection feature in Snow Leopard – darn, I’m going to have to upgrade to get a proper look at it – since several AV people, including our own Aryeh Goretsky have commented.

I have to agree that it’s a positive step for Apple to have recognized the reality of Mac-specific malware, however trivial the threat might seem by comparison to the deluge of Windows-specific malware that we see. After all, it’s not many months since Apple decided not to recommend that Mac users make use of anti-virus after all, and their support staff were telling end users that they weren’t aware of any Mac malware, while some of their advertising is still based on the "Macs are secure out of the box" fallacy. (That should guarantee me another deluge of hatemail from fanboiz…)

There is also a negative side to this, though. Back in the 1990s, I did a presentation (actually, it was at Apple’s offices in the UK!) in which my conclusion was that I didn’t really want to see an Apple equivalent of Microsoft Anti-Virus (the horrible object shipped with MS-DOS 6, many years before Microsoft started to gain real credibility in the anti-malware industry). Not because I didn’t want Apple scrumping in the AV industry’s orchard, because at that time I was earning my crust in the medical research sector.

But I am concerned that Apple may not take the threat seriously enough to produce and maintain a consistently effective defence: while you can argue that any defence is better than none, the likelihood is, in the long run, that mediocre protection would do more harm than good. That’s because Apple’s customer base will tend to overestimate the effectiveness of any measure Apple do take, the same way that they already overestimate the value of the free anti-malware tools already available.

There’s a historical precedent for this, too, going back at least as far as the 90s, when macro viruses started to become a major problem in the Mac arena. Macro viruses rarely delivered a working payload on Macs, but most of them infected documents just fine if the victim was using a vulnerable version of Microsoft Office (i.e. Word 6, at that time). Most Mac users were relying on Gatekeeper and Disinfectant (an excellent utility, by the way), which were totally ineffective against that particular threat, and for a while Macs were the Typhoid Mary of the macro virus, spreading infected documents left, right and centre…

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Web Searches and Dangerous Ladies


Wednesday, August 26th, 2009

I feel like the learned judge in the ’60s who asked, in the course of a trial, "What is a Beatle?" since until recently I couldn’t have given you an accurate answer to the question "What is a Jessica Biel?"

In fact, I’d probably have said something like "Wasn’t she in Flashdance?" (The answer is no: she would apparently have been a baby when I saw Jennifer Beals in that film, back in the days when I had a social life.) Clearly, I need to do something about my work/life balance, and the fact that I now only ever see movies on television or on planes.

Or perhaps not, since McAfee have reported, according to Yahoo News, that web searches for Ms Biel are "more likely to lead to online threats such as spyware and viruses than searches for any other celebrity."

There’s a certain irony here, in that the media and the blogosphere have picked up so readily on McAfee’s latest report, based on statistics from their SiteAdvisor site rating database. Well, celebrity stories are not only the stock-in-trade of many journalists and a major preoccupation of much of their readership (clearly there’s a correlation between those two factors!) but also a favoured target among spammers, scammers and purveyors of malware, who are always ready to use a topical story (real, fabricated, important or trivial) as social engineering bait in order to spread Badness.

Why is it ironic? Because even while they’re pointing to the dangers of celebrity hunting on the ‘net, they are, to some extent, perpetuating it. Of course, it’s a good thing if more people become aware of the dangers that malicious search engine optimization (SEO) poses, and I don’t blame McAfee for using the "cult of celebrity" to make that point, but it’s a pity that the media is focused on that narrow aspect of a much wider problem.

McAfee researchers Shane Keats and Eipe Koshy came out with a substantial research document earlier this year, using a number of statistical resources as well as SiteAdvisor. Rather than focusing on celebrities, it looked at a whole range of hooks used by the bad guys to lure the unwary, using search categories like screensavers, free games, taxes and viagra, as well as personalities from the entertainment world and politics.

Bizarrely, while celebrities did rank number 7 in the list of high-risk keywords in the US, the top two items in the table "Top 50 riskiest search terms in the United States" were "word scrambler" and "lyrics", so perhaps Lady Mondegreen is even more dangerous than Jessica. :)

But the paper deserves much closer attention than I can give it in a short blog. If you’re interested in what other psychological quirks the bad guys are finding it useful to exploit, take a look.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

M(b)ac(k) to the future


Tuesday, August 25th, 2009

Mac security firm Intego blogged about Apple’s decision to include an antimalware component in Mac OS X 10.6 "Snow Leopard" and we agree that it is a good step, security-wise, to provide some basic protection against malware.  Apple has long mocked Microsoft, up to and including this 2006 advertisement which implied there were no viruses for Macs.  While the nature of threats constantly evolves and viruses have long been supplanted by bots, Trojan horses, spyware and other threats as the dominant form of malware, it is important to keep in mind that two decades ago this was not the case. 

At the close of the 1980s, there were more Mac-based viruses than there were for DOS.  While simplistic and slow to replicate by today’s standards, viruses like INIT19, the MacMag Peace virus, MBDF, MDEF, nVIR, Scores and so forth were in the wild and did cause disruption when found.  While the virus explosion that took place in the 1990s was primarily for Microsoft platforms (DOS, then 32-bit Windows and Office), there were still worms, Trojan horses and HyperCard stack infectors (HyperCard being a scripting toolkit) being created for MacOS, and even some Microsoft Office macro viruses were portable.  While these Macintosh threats never reached the epidemic and pandemic proportions of malware seen on Windows, they were nuisances, especially to those who had to disinfect a lab of computers.

Today’s malware for Mac OS X is starting off as a dribble; however, as the Mac gains in popularity it is a given that the criminals who steal using malicious software will follow.  After all, they care far less about your operating system than about the credentials for your bank account.  In the last year, two proof-of-concept rootkits have been released, one by Dino Dai Zovi at Black Hat and one by nemo in the infamous Phrack magazine.  ESET has responded by adding detection for around eight different families of malware specifically targeting Mac OS X.

Aryeh Goretsky
Distinguished Researcher

Now You Can Fix Autorun


Tuesday, August 25th, 2009

Microsoft has released the patches required to make autorun work only with CD and DVD drives. There is one catch: a USB drive can be configured to present itself to Windows as a CD-ROM drive, so the patch reduces the risk rather than eliminating it, but it definitely helps.

I highly recommend you install the patch so that you can connect most thumb drives, GPS systems, digital picture frames, and other USB devices with storage to your computer more safely.

For Windows XP users the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=96ca61f6-8b16-4157-9635-8cfc0bbf4c35#tm

For Windows Vista Users the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dd6a61a3-b3c6-4b0a-a848-7b32be9f31c5

For Windows Vista 64 bit the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=12e3fe0f-db79-4a27-aa7d-a456ee1c6ac4

For Windows Server 2003 the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b8df9256-cbb0-418d-a336-d29dc4415a65

For Windows Server 2003 64 bit the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b8df9256-cbb0-418d-a336-d29dc4415a65

For Windows Server 2003 Itanium the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5a21cbb8-da7b-42e0-924b-485950e7de52

For Windows Server 2008 users the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9c404a99-537f-4fee-874d-e50fd6efea3b

For Windows Server 2008 64 bit the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=d43a9947-f0e0-47dc-9dad-5c8942a3cc91

For Windows Server 2008 Itanium systems the patch is at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cfbc98c5-3ba5-4164-83e0-9397e2722ea0

I recommend you install this patch now!
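The patch only changes what Windows does when a volume is inserted; the autorun.inf file on the stick is still where the attack lives, and incident responders still need to read those files off suspect media. The following script is an added example, not ESET’s or Microsoft’s code: it finds autorun.inf at the root of a mounted volume, parses its [autorun] section the way Windows does (case-insensitive keys, whitespace tolerated) and flags the directives that launch a program (open, shellexecute, shell\<verb>\command) separately from the ones that merely disguise the drive (icon, label, action). The sample autorun.inf is constructed for the example and mimics the common worm pattern of a hidden executable under RECYCLER; the mount point is a throw-away directory so the script runs offline on any platform.

```python
"""Triage autorun.inf on removable media (added example, not the page's code)."""
import os
import re
import tempfile

# Directives that make Windows run a program when the volume is inserted or
# opened, and directives used to make a malicious drive look legitimate.
EXEC_KEYS = {"open", "shellexecute"}
COSMETIC_KEYS = {"icon", "label", "action"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Windows ignores whitespace around '=' and treats section and key names
    case-insensitively; malware relies on both, so the parser does the same.
    Other sections and comment lines are ignored.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")      # tolerate a UTF-8 BOM
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def assess(entries):
    """Classify parsed directives into (severity, key, value) findings."""
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append(("exec", key, value))
        elif key in COSMETIC_KEYS:
            findings.append(("cosmetic", key, value))
    return findings


def scan_volume(mount_point):
    """Look for autorun.inf at the root of a mounted volume, in any letter case."""
    for name in os.listdir(mount_point):
        if name.lower() == "autorun.inf":
            path = os.path.join(mount_point, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                return assess(parse_autorun_inf(fh.read()))
    return []


# Constructed sample: a stick that relabels itself as plain storage and runs
# a hidden executable whether the user double-clicks, opens or explores it.
SAMPLE = """[AutoRun]
; comment line, ignored
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=USB Storage
open=RECYCLER\\S-1-5-21\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\setup.exe
UseAutoPlay=1
"""


def demo():
    """Write the sample into a throw-away 'drive' and scan it."""
    with tempfile.TemporaryDirectory() as fake_drive:
        with open(os.path.join(fake_drive, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        return scan_volume(fake_drive)


if __name__ == "__main__":
    for severity, key, value in demo():
        print(f"{severity:9} {key} = {value}")
```

On a real case, point scan_volume() at the mount point of the suspect stick (mounted read-only, or better, at an image of it) rather than at the temporary directory; the three "exec" findings are what would have run before the patch, and UseAutoPlay is reported by neither list because on its own it launches nothing.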

Randy Abrams
Director of Technical Education

Bots Aren’t The Only Zombies


Monday, August 24th, 2009

News came out today that Michael Jackson’s death has been ruled as a homicide.

Expect to see spam and hoax emails coming around soon trying to exploit this news. It seems that Michael Jackson just can’t die. It’s a good thing we didn’t have the internet when Elvis died.

If you get emails for pictures, videos, and other news of Michael Jackson, then delete them and assume they are attempts to infect your computer. The only exceptions would be from news sources you have subscribed to.

It is sad, but the bad guys have always tried to capitalize on misfortune and morbid curiosity.

Harness your curiosity. The video that requires you to download a “codec” isn’t really a video.

I can tell you I am the president, but that doesn’t make it so.

Randy Abrams
Director of Technical Education

Rogue Anti-Malware Exploiting Athens Fire


Sunday, August 23rd, 2009

Cristian Borghello, Technical and Education Manager at ESET Latin America, tells us that they’ve noted quite a few sites that pretend to provide information on the fire crisis in Athens, Greece, but actually download malware onto the user’s PC. (Mistakes in translation are down to DH!)

The criminals are using Black Hat SEO (Search Engine Optimization) techniques such as keyword stuffing and hidden text so that search engines will present their sites at or close to the top of the listings in response to keyword searches relating to the fires.

If the user enters one of these sites, he will be redirected through several domains and, in the last of them (http://removeallthreat [ELIMINATED] .com), he will end up downloading malware of the rogue antimalware type that ESET products detect as Win32/Adware.Antivirus2009.

As can be seen in a screen dump shown in the ESET Latin America blog page at http://blogs.eset-la.com/laboratorio/2009/08/23/fuego-atenas-pretexto-para-infectar-usuarios/, several intermediate sites exist that are only used to trick the search-engine and the user into accessing the final page, which always contains malware. 

The bad guys make very frequent use of these techniques, using topical events that attract the attention of the media and people in general as social engineering bait to reel in their victims.

Overnight, ESET Latin America have found other domains that use the same techniques and download similar malware: 

  • removeallthreat [ELIMINATED] .com
  • removepc [ELIMINATED] .com
  • scan-my-PC [ELIMINATED] .com
  • remove-PC [ELIMINATED] .com
  • homevirus [ELIMINATED] .com
  • scan-your-PC [ELIMINATED] .com

ESET Latin America advise caution in accessing sites purporting to offer topical information, and recommend looking out for these particular domains: if possible, block traffic to and from them using firewalls and proxies.
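Blocking at the proxy is one half of the advice; the other half is finding out who already reached these sites. The script below is an added example, not ESET’s or ESET Latin America’s code: it runs a blocklist derived from the list above over proxy access-log lines and reports which internal clients contacted a rogue domain. Because the page publishes only the first part of each domain (the rest is [ELIMINATED]) plus the .com suffix, the matcher treats the elided part as a wildcard rather than matching exact hostnames, so it will also catch sibling registrations with the same prefix; tighten the pattern once the full domains are known. The log lines are constructed Squid-style entries with invented hostnames and RFC 5737 documentation addresses.

```python
"""Match proxy traffic against the rogue-antimalware domain prefixes above.
Added example, not the page's code; log lines and hostnames are constructed."""
import re
from urllib.parse import urlsplit

# Prefixes exactly as published; the [ELIMINATED] portion is a wildcard.
ROGUE_PREFIXES = [
    "removeallthreat",
    "removepc",
    "scan-my-pc",
    "remove-pc",
    "homevirus",
    "scan-your-pc",
]

# Hostnames are case-insensitive; leading labels such as "www." are allowed,
# and anything in [a-z0-9-] may sit between the prefix and ".com".
ROGUE_HOST = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?:"
    + "|".join(re.escape(p) for p in ROGUE_PREFIXES)
    + r")[a-z0-9-]*\.com$",
    re.IGNORECASE,
)


def host_of(url):
    """Hostname of a URL, or of the bare host:port that Squid logs for CONNECT."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_rogue_host(host):
    return bool(ROGUE_HOST.match(host))


def parse_squid_line(line):
    """Squid native access.log: time elapsed client code/status bytes method url ..."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"time": fields[0], "client": fields[2], "method": fields[5], "url": fields[6]}


def find_rogue_requests(lines):
    """Return (client, host) pairs for every request to a rogue domain."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if is_rogue_host(host):
            hits.append((rec["client"], host))
    return hits


# Constructed log: a legitimate news lookup, the redirector, the final rogue
# download, a TLS CONNECT to another rogue domain, and a near-miss hostname.
SAMPLE_LOG = """\
1251014400.123    312 10.0.0.15 TCP_MISS/200 5120 GET http://news.example.org/athens-fires - DIRECT/203.0.113.5 text/html
1251014401.456    120 10.0.0.15 TCP_MISS/302 0 GET http://hot-news-example.info/fire.php - DIRECT/203.0.113.9 text/html
1251014402.789    980 10.0.0.15 TCP_MISS/200 88210 GET http://www.removeallthreatEXAMPLE.com/download.php - DIRECT/198.51.100.7 application/octet-stream
1251014403.001     50 10.0.0.22 TCP_MISS/200 2048 CONNECT scan-your-PCexample.com:443 - DIRECT/198.51.100.8 -
1251014404.555     70 10.0.0.31 TCP_HIT/200 1024 GET http://scan-my-pc-tools.example.net/ - NONE/- text/html
"""


def demo():
    return find_rogue_requests(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, host in demo():
        print(f"{client} -> {host}")
```

The near-miss line (scan-my-pc-tools.example.net) is deliberately not flagged: the prefix matches but the suffix is not .com, which is the only part of the domain the advisory confirms. The same ROGUE_HOST pattern can be dropped into a proxy's regex-based ACL for the blocking side of the advice.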

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

W32/Induc.A FAQ


Sunday, August 23rd, 2009

Sebastián Bortnik, Security Analyst at ESET Latin America, has shared with me his translation of an FAQ written with Cristian Borghello, ESET Latin America’s Technical and Educational Manager, about the malware ESET NOD32 detects as Win32/Induc.A.

I’ve done a little cosmetic editing on the original and added quite a lot of material (so any mistakes and misapprehensions are likely to be mine!)
 
1. What does it mean if a file is detected as Win32/Induc.A?

It means that the file contains code that modifies files belonging to the Delphi development tool, so that thereafter all applications compiled with that Delphi installation will also contain the virus.
 
2. What sort of development tool is Delphi?

Delphi is a visual development platform that generates compiled programs written in a version of Pascal. Ironically, it’s a tool frequently used by malware authors, and we’ve seen examples of Trojans that are themselves infected with Win32/Induc.A, as described below.

3. What is a compiled program?

As we use it here, the term denotes a stand-alone program generated by a compiler rather than an interpreter: that is, one that can run without the development platform that generated it being present. As computer scientists use the terms, the differences between a compiler and an interpreter are considerably more complex, but the fine detail isn’t really important in terms of this malware - for an end user, at any rate.

4. What damage could my system sustain if I run the infected file?

There’s no such thing as a harmless virus, but this one is not intentionally destructive. For end users, Induc will not cause direct damage to their systems, though they may find that they lose the ability to run infected programs when their antivirus software recognizes the infection (see 11). For programmers, this is a major threat: any application compiled after the infection will be malicious and, if distributed, runs the risk of infecting other development systems, as well as causing considerable inconvenience when programs they’ve distributed are found to be infected.
 
5. What changes would the virus make to my system?

On systems where Delphi is not installed, no changes are made to the system, though there may nevertheless be undesirable consequences arising from the presence of an infected file (see 13). On development systems where Delphi is installed, the virus performs the following actions:

  • The file SysConst.pas is copied into the %delphi rootdir%\Lib\ directory
  • The new SysConst.pas file is modified to contain the infective code
  • The modified SysConst.pas is compiled, generating a new (and now infected) %delphi rootdir%\Lib\SysConst.dcu. This unit is linked into every program subsequently compiled, so all of them will carry the malicious code.

6. How do I know if my installation of Delphi is infected?

Firstly, if newly-compiled applications are detected by antivirus as infected with Win32/Induc.A, this is almost certainly because your installation of Delphi is infected. There have been some reports of false positives by developers, but the chances are that this is because they don’t understand the infection mechanism and don’t realize that applications can be infected even when they write and compile the programs themselves. To perform a manual check, there are two alternatives.

7. What is a .DCU file?

DCU stands for Delphi Compiled Unit. This is a kind of library file or module containing object code used by Delphi when it compiles (builds) a program file. This is why all executables compiled after infection are themselves infective.

8. How can I fix my installation of Delphi?

To repair the Delphi installation, you should delete the sysconst.dcu file and replace it with the backup file (sysconst.bak), changing the file extension to .dcu. Another alternative is to rebuild the file with the original PAS file. That can be done with the following command (however, simply deleting the infected .dcu and renaming the backup file is simpler):

"%delphi rootdir%\Bin\DCC32.exe" "%delphi rootdir%\source\rtl\sys\SysConst.pas"

9. Can I be sure that will work?

There is no absolute guarantee. There may be circumstances under which the backup file is also infected/infective, or no longer exists, in which case simply deleting the infective file will affect the functionality of the compiler. Or there may be new variants or subvariants that aren’t so obliging as to leave the original code available. In such a case, you’ll need to rebuild the .dcu as described in (8). If that fails, you might even have to reinstall the compiler/IDE (Integrated Development Environment). If that happens, you may want to be sure that you’ve backed up all your source code.
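Questions 5, 8 and 9 together describe a footprint (a modified SysConst.pas and an infected SysConst.dcu in Lib\, with the original unit left as SysConst.bak) and a repair with one hard precondition: never remove the .dcu unless the backup is there to replace it. The script below is an added example, not ESET’s or ESET Latin America’s code, that encodes exactly that. check_delphi_root() reports the indicators and repair_delphi_root() applies the Q8 repair, refusing to touch the .dcu when the backup is missing. Two assumptions are made for the example: that a SysConst.pas sitting in Lib\ (rather than under source\rtl\sys) is itself a red flag, and that the demo may run against a throw-away directory holding constructed stand-ins for the real Delphi files.

```python
"""Check a Delphi root for the Win32/Induc.A footprint and apply the Q8 repair.
Added example, not ESET's code; the fake Delphi roots below are constructed."""
import os
import shutil
import tempfile

UNIT = "SysConst"


def _find(directory, filename):
    """Case-insensitive file lookup: Delphi and the virus are not consistent about case."""
    if not os.path.isdir(directory):
        return None
    for name in os.listdir(directory):
        if name.lower() == filename.lower():
            return os.path.join(directory, name)
    return None


def check_delphi_root(root):
    """Return the Induc indicators found under <root>\\Lib.

    Assumption for this example: SysConst.pas does not belong in Lib\\ at all
    (the source lives under source\\rtl\\sys), so its presence there, or the
    presence of the SysConst.bak the virus leaves behind, is treated as suspicious.
    """
    lib = os.path.join(root, "Lib")
    pas = _find(lib, UNIT + ".pas")
    bak = _find(lib, UNIT + ".bak")
    dcu = _find(lib, UNIT + ".dcu")
    return {"pas": pas, "bak": bak, "dcu": dcu,
            "suspicious": pas is not None or bak is not None}


def repair_delphi_root(root, dry_run=True):
    """Apply the Q8 repair; returns the list of actions performed (or planned)."""
    state = check_delphi_root(root)
    actions = []
    if not state["suspicious"]:
        return ["no Induc indicators found; nothing to do"]
    if state["bak"] is None:
        # Q9: without the backup, deleting the .dcu only breaks the compiler.
        return ["backup missing: rebuild SysConst.dcu from source\\rtl\\sys\\SysConst.pas "
                "with DCC32, or reinstall the IDE; infected .dcu left in place"]
    target = state["dcu"] or os.path.join(os.path.dirname(state["bak"]), UNIT + ".dcu")
    if state["dcu"]:
        actions.append(f"delete infected {state['dcu']}")
        if not dry_run:
            os.remove(state["dcu"])
    actions.append(f"rename {state['bak']} -> {target}")
    if not dry_run:
        os.replace(state["bak"], target)
    if state["pas"]:
        actions.append(f"delete dropped {state['pas']}")
        if not dry_run:
            os.remove(state["pas"])
    return actions


def _make_fake_root(files):
    """Constructed Delphi root whose Lib\\ holds the given {name: bytes}."""
    root = tempfile.mkdtemp(prefix="delphi-")
    lib = os.path.join(root, "Lib")
    os.makedirs(lib)
    for name, data in files.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Repair one infected root and confirm the no-backup root is left alone."""
    infected = _make_fake_root({
        "SysConst.bak": b"ORIGINAL DCU",
        "SysConst.dcu": b"INFECTED DCU",
        "SysConst.pas": b"unit SysConst; // modified copy dropped by the virus",
    })
    no_backup = _make_fake_root({"SysConst.dcu": b"INFECTED DCU",
                                 "SysConst.pas": b"unit SysConst;"})
    try:
        before = check_delphi_root(infected)["suspicious"]
        repair_delphi_root(infected, dry_run=False)
        after = check_delphi_root(infected)
        with open(after["dcu"], "rb") as fh:
            restored = fh.read()
        refused = repair_delphi_root(no_backup, dry_run=False)
        return {"before": before, "after": after["suspicious"], "restored": restored,
                "refused": refused[0].startswith("backup missing"),
                "dcu_kept": check_delphi_root(no_backup)["dcu"] is not None}
    finally:
        shutil.rmtree(infected)
        shutil.rmtree(no_backup)


if __name__ == "__main__":
    print(demo())
```

Run it with dry_run=True first against the real installation to see what it would do, and treat a "backup missing" result as the Q9 case: rebuild the unit with DCC32 from the source tree or reinstall, and recompile every application produced since the infection, as question 10 explains.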
 
10. How can I fix applications that have been compiled while the IDE was infected?

Applications that were compiled on the infected system must be deleted and re-compiled once the system has been fixed (see question 8). If you have an innocent application that is diagnosed as infected but don’t have Delphi or the source code, you’ll have to get hold of a clean version. Because the infection takes place at compile time, there’s no satisfactory way to disinfect without recompiling: simply removing or patching out the virus code may result in an executable that behaves unpredictably.

11. How many infected programs are there?

As Randy already mentioned in his blog at http://www.eset.com/threat-center/blog/2009/08/19/the-retro-virus, we know of several thousand (more than four thousand as of 19th August) in our malware sample collection. These are actually Trojans that have been compiled using an infected version of Delphi. We also know of presumed non-malicious programs that are also infected, and it’s likely that there are quite a few more out there being spread directly (and unknowingly) by vendors, by software (and warez – pirated software) distribution sites, over peer-to-peer networks, and so on.

This suggests that although the number of systems that will be directly affected by this malware is relatively small, there may be an enormous number of infected files on systems that aren’t directly vulnerable. Once these programs are identified as infected by security software, they will normally be deleted or blocked from executing.

12. Could this method of attack be used with other development platforms?

In principle, certainly. We can’t exactly say how likely that is, but it’s certainly not impossible. This is a type of attack that’s been recognized hypothetically for many years, and it could in theory be implemented in many environments and on many types of device. The attacker was almost certainly aware of Ken Thompson’s 1984 paper "Reflections on Trusting Trust" and later papers that develop the idea further, such as Ian Witten’s 1987 paper "Computer (In)security: Infiltrating Open Systems."

13. Is it worth bothering with this if it’s mostly harmless?

I don’t altogether agree that it’s harmless, even on a system without Delphi installed: it certainly could affect a system’s functionality under some circumstances. For instance, what if an innocent program is installed, makes changes to the system, and is then discovered to be infected and has to be removed, but the changes aren’t reversed?

14. So this isn’t just a proof-of-concept attack?

This seems to be a classic "proof of concept" attack in that it probably wasn’t intended to be destructive, though there’s no reason why it couldn’t be adapted to do something more malicious, either something deliberately destructive or something that allows a criminal some form of backdoor access, for instance. (See 12.) If the bad guys see a way to use this for profit, the chances are that it will happen.

Here is the link to the original Spanish FAQ: http://blogs.eset-la.com/laboratorio/2009/08/20/preguntas-frecuentes-sobre-induc/

And here is a link to ESET’s description of the virus:
http://www.eset.eu/encyclopaedia/win32-induc-a-virus?lng=en

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
