ESET Threat Blog

April 8th, 2008

It has only been a day since the last strategy shift from the Nuwar gang, and they have already moved away from the love letter theme. By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes. They are now using a theme that the Zlob threat has used for a couple of months: fake codecs that entice users into downloading and executing their malware.

 

The screenshot below shows that web pages are used to display an advertisement for a codec (a piece of software used to read certain video formats). If a user clicks on the image or the text link, he is redirected to an executable named StormCodec.exe (detected as Nuwar.GG by ESET NOD32 Antivirus). It is funny to note that the Storm Worm gang uses a name given by the security industry in their malware. We also noticed that the latest scheme is not completely polished: the title of the fake codec page still reads “I love you”.

 

The quick pace of changes in Nuwar’s social engineering is proof that its controllers are paying close attention to the performance of their social engineering campaigns. When they see that a theme is not effective, they quickly change their strategy. We are facing a rapidly evolving adversary!

 

Pierre-Marc Bureau

Researcher

April 8th, 2008

Since yesterday evening, the gang behind Nuwar (also called the Storm Worm) has registered a number of blogspot accounts to spread their malware. The malicious pages look like the following screenshot.

Clicking on the image will redirect the browser to an executable called love.exe while clicking on the link in the text below the image will download a file named withlove.exe. Both executables are variants of Nuwar. Our antivirus detects both files through our Web access protection module.

Pierre-Marc Bureau

Researcher

April 1st, 2008

The gang behind Storm missed Easter but they were not going to miss two opportunities in a row! We are witnessing a new Storm campaign around the theme of April Fool’s day. E-mails are being sent with titles like "Happy April Fool’s Day." The body of the message contains a short sentence and a link. The link points to a page that looks like the following screenshot.

 

 

The file that is downloaded automatically is called funny.exe. Upon execution, it copies itself to the Windows folder with the name aromis.exe. ESET Antivirus detects this malicious file as Nuwar.CG. Nuwar also creates a file called aromis.config, which contains the peer-to-peer network configuration. This version contains the coordinates of 271 other peers that are contacted by newly infected hosts to join the botnet.

 

It is interesting to note that this version of Nuwar doesn’t use any rootkit technology and has stopped using kernel mode drivers. These behavior changes are clearly aimed at reducing the detection rate by security solutions.

 

Pierre-Marc Bureau

Researcher

March 31st, 2008

CanSecWest is already over!  This year’s conference was great.  There has been a good mix of talks touching various security related topics including hardware, software and humans.

 

Tom Liston and Sherri Davidoff presented on memory forensics.  They demonstrated that inspecting the RAM of a computer after its reboot can yield a gold mine of information including sensitive documents, encryption keys and, of course, passwords.  Jan "starbug" Krissler and Karsten Nohl presented on Radio Frequency Identification (RFID) security and showed a great analysis they made on a commercial RFID tag.

 

On the software side, Marty Roesch gave an interesting overview of his upcoming Snort 3 intrusion detection engine. A lot of time was dedicated to fuzzing this year. In my opinion, Kowsik Guruswamy’s presentation on the topic was the most interesting one. He showed various ways to express data dependencies inside file formats. Rob Hensing’s presentation on Microsoft Office malware had some very good examples of the evolution in malicious software writing. Most of the malware samples described were clearly professional and very hard to spot for a normal user.

 

On the human side, that last presentation received a lot of attention.  Stroz Friedberg, a doctor in psychology, showed how he can extract information on the author of anonymous messages simply by looking at writing style and vocabulary used.  The main objective of his research is to identify authors of extortion.

 

A lot more information on the conference can be found on their website: www.cansecwest.com.

 

Pierre-Marc Bureau

Researcher

March 16th, 2008

These are interesting times for Mac users. And I’m not just referring to Apple’s remorseless expansion into gadgets and gizmos, or even the very occasional Proof of Concept malware intended to prove that OS X is exploitable, but to the fact that the security industry, the media and the bandits are all paying the platform much more attention. Last year, the arrival of a Mac version of the DNSchanger Trojan caused a great deal of excitement, and this year we’ve seen reports of a Mac version of a well-known rogue anti-spyware program, Linux backdoors ported to OS X, and a (not in itself malicious) bot compiled for Linux, FreeBSD and Darwin. Last week the forums at macvirus.org were flooded with links to sites harbouring the DNSchanger (RSPlug) Trojan. (By the way, that’s nothing to do with the older macvirus.com domain which I (occasionally) maintain in my copious free time.)

 

All very novel and interesting, but is it significant? Well, certain vendors whose product ranges include a Mac product evidently think so, since they’re laying increasing stress on potential Mac vulnerabilities and issues. Furthermore, they’re in the process of being joined by other vendors who’ve never had a Mac product up to now.

 

How big a market is there? Bigger than you might think.

 

General Mac users may, if you follow the comments on The Register and many Mac sites, seem to fall into two groups: those who insist that there is no Mac malware, there never was any Mac malware, and there never could be any Mac malware; and those who believe them. (The Register, by the way, seem to fall somewhere in between: while they’ve run quite a few Mac-related malware stories, they seem to be under the curious impression that there’s been no Mac malware since 1992, but I’ll pursue that oddity another time.)

 

Probably not much of a market there, at any rate until some form of malware really spreads far and fast across the Mac community as macro viruses and AutoStart did in the 1990s. Corporates with mixed platforms, however, may be in a better position to have noticed that there’s a difference between the interesting but low-impact Proof of Concept viruses of the past few years and today’s Mac malware, which reflects, in its own small way, the dramatic changes in the Windows threat landscape this century. The Mac fanboiz do have at least one thing right: Mac viruses aren’t a big deal. Arguably, nor are PC viruses, nowadays. Self-replication used to be an end in itself for much malware, but it turns out not to be all that useful in terms of making money, and it’s Return On Investment (ROI) that drives most malware development nowadays, not bragging rights ("Look at me! I wrote a Mac virus!").

 

The Mac malware I’m alluding to above is crimeware, the means to a (criminal) end, not an end in itself. So the real significance of the fact that there’s more of it doesn’t lie in the (rather low) number of people it’s affecting at present, but the fact that the blackhats think that there are enough potential Mac-using victims to be worth their present development costs. They could be right: the biggest potential threat to the Mac-owning community isn’t any intrinsic vulnerability in the platform: it’s their susceptibility to social engineering attacks. I believe that susceptibility is raised by a complacent "can’t happen here" mindset. It appears that (at least) one Mac user had an unproductive discussion with Apple support analysts who wouldn’t believe that he could be having a problem with OSX/DNSchanger because they weren’t aware of any malware that targets OS X. That doesn’t surprise me, because Apple’s own web site is not immune to marketing masquerading as security advice. But it’s disconcerting that a site associated with a Mac security product seems so unaware of the Mac threatscape that as of this afternoon, it still hasn’t noticed that its forum is flooded with links to sites known to have been serving malicious software.

 

David Harley

Research Author

March 7th, 2008

I’ve already posted something about this chainletter [http://www.eset.com/threat-center/blog/?p=112], but figured it was worth expanding on which parts of it are useful and which aren’t.

 

> A friend who is a computer expert received the following directly from a system administrator for a corporate system.

This kind of opening is characteristic of many hoaxes and urban legends (we sometimes use the acronym FOAF, for Friend Of A Friend, to describe the fact that the person to whom whatever it is actually happened is always someone the sender doesn’t know personally, someone a few links down the chain of forwarders). Assumptions here are that:

  • Invocation of expertise and authority, even though the individuals concerned are totally anonymous and may or may not exist at all, corroborates the authenticity of the message. Making it two "experts" rather than one is a nice touch.
  • Being a "computer expert" or a system administrator makes you an expert on spam, malware and so on. Actually, many people who may fit the "computer expert" description in some senses and/or do administer systems perfectly competently, nevertheless know less than you might think about the specifics of security. In fact, in my years as a security analyst, sysadmin, and security manager, I came across many instances where IT staff, system managers, support staff, even security specialists, nevertheless distributed poor or misleading information, even hoax emails. Remind me to tell you sometime about what Rob Rosenberger calls "False Authority Syndrome".

 

 

> It is an excellent message that ABSOLUTELY applies to ALL of us who send e-mails.

Of course it is and does. I just read it on the Internet. :)

 

 

> Please read the short letter below, even if you’re sure you already follow proper procedures.

I’m sure of nothing but how little I know. But I’m always ready to learn. ;-)

 

 

> Do you really know how to forward e-mails? 50% of us do; 50% DO NOT.

And 97.6935% of statistics are made up on the spot.

 

 

> Do you wonder why you get viruses or junk mail? Do you hate it?

I think that’s called a rhetorical question. And rhetoric is what you use to sell an idea to people who are easier to persuade with psycholinguistics than with logic and pure fact. :-/

 

 

> Every time you forward an e-mail there is information left over from the people who got the message before you, namely their e-mail addresses & names. As the messages get forwarded along, the list of addresses builds, and builds, and builds, and all it takes is for some poor sap to get a virus, and his or her computer can send that virus to every e-mail address that has come across his computer.

Well, there’s some truth in this. A message that’s forwarded does contain header information that can include the email addresses of other individual recipients, and it is possible for malware to scan a hard disk for addresses to send itself to, or for spamming purposes. But the steps listed here make virtually no difference in that respect, except to mislead those of us who aren’t particularly computer-literate.
 

 

> Or, someone can take all of those addresses and sell them or send junk mail to them in the hopes that you will go to the site and he will make five cents for each hit. That’s right, all of that inconvenience over a nickel!

Well, taken as a whole, it’s a great many nickels. Unfortunately, though, this is far from the only (or even the most common) means by which spammers harvest addresses. So this isn’t going to fix the spam problem (or even just your spam problem) any more than all the other instant fixes of the past 10-20 years.

 

 

> How do you stop it? Well, there are several easy steps:

The 11th Law of Data Smog: "Beware stories that dissolve all complexity." ("Data Smog", by David Shenk, Abacus 1997)

 

 

> (1) When you forward an e-mail, DELETE all of the other addresses that appear in the body of the message (at the top).

Well, that’s often good netiquette. Many people forward or reply to messages without editing them at all, which can result in unnecessarily long and difficult-to-read messages. However, email addresses are often listed in the body of the message in a form that doesn’t give spammers anything to harvest. For instance:

> -----Original Message-----
> From: David Harley
> Sent: 07 March 2008 10:28
> Subject: bcc test
>
>
>
>
> --
> David Harley
> Research Author
> ESET, LLC

 

 

> That’s right, DELETE them. Highlight them and delete them, backspace them, cut them, whatever it is you know how to do. It only takes a second.

And leaves the headers intact. But at least it shortens the message, and, if you’re careful about -what- you delete, may make it more readable.

 

If you want to strip the superfluous addresses from the headers, the easiest way is to paste the parts of the message you want to forward into a new message. By the way, if you’re not familiar with email headers, here’s a shortened version of a set of headers (with some of the detail edited).

 

Received: from DAVID ( [xxx.xxx.xxx.xxx])
        by mx.google.com with ESMTPS id d38sm3486984and.17.2008.03.04.07.19.37
        (version=SSLv3 cipher=RC4-MD5);
        Tue, 04 Mar 2008 07:19:39 -0800 (PST)
Reply-To: <someone@somewhere.com>
From: "Joe Bloggs" <someone@somewhere.com>
To: "’Josephine Bloggs’" <someoneelse@somewhereelse.com>
X-ASG-Orig-Subj: FW: News
Subject: FW: News
Date: Tue, 4 Mar 2008 15:19:30 -0000
Message-ID: <005801c87e0b$25dc6540$4101a8c0@DAVID>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0059_01C87E0B.25DC6540"
X-Mailer: Microsoft Office Outlook 11
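
The point made above, that deleting addresses from the body leaves the headers intact while pasting the wanted text into a new message does not carry them over, can be checked with Python's standard email module. This is an added example, not part of the original post; the message is constructed, and the example.* addresses and the function names are assumptions.

```python
import copy
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample of a received, much-forwarded message. Every name and
# address is made up or a placeholder in the style of the headers shown above.
RAW = """\
From: "Joe Bloggs" <someone@somewhere.com>
Reply-To: <someone@somewhere.com>
To: "Josephine Bloggs" <someoneelse@somewhereelse.com>, "A. Reader" <reader@example.org>
Cc: list-member@example.net
Subject: FW: News
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

-----Original Message-----
From: David Harley
Sent: 07 March 2008 10:28
Subject: bcc test

-----Original Message-----
From: Earlier Sender [mailto:earlier@example.com]
To: friend1@example.com; friend2@example.com

The news item itself.
"""

ADDRESS_HEADERS = ("From", "Reply-To", "To", "Cc")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse(raw):
    """Parse raw message text with the modern (EmailMessage) policy."""
    return message_from_string(raw, policy=policy.default)


def header_addresses(msg):
    """Addresses carried in the message headers."""
    values = []
    for name in ADDRESS_HEADERS:
        values.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def body_addresses(msg):
    """Addresses readable in the body text; a bare display name yields nothing."""
    return {a.lower() for a in ADDR_RE.findall(msg.get_content())}


def edit_body_only(msg):
    """Delete addresses from the body and leave the headers as they are."""
    edited = copy.deepcopy(msg)
    edited.set_content(ADDR_RE.sub("[removed]", msg.get_content()))
    return edited


def paste_into_new(text, sender, recipient, subject):
    """Start a new message that contains only the text worth passing on."""
    new = EmailMessage()
    new["From"] = sender
    new["To"] = recipient
    new["Subject"] = subject
    new.set_content(text)
    return new


if __name__ == "__main__":
    received = parse(RAW)
    print("headers:", sorted(header_addresses(received)))
    print("body:   ", sorted(body_addresses(received)))
    edited = edit_body_only(received)
    print("after body edit, headers:", sorted(header_addresses(edited)))
    wanted = received.get_content().strip().splitlines()[-1]
    fresh = paste_into_new(wanted, "me@example.org", "colleague@example.org", "News")
    print("new message, headers:", sorted(header_addresses(fresh)))
```

The sketch models the stored message only; how a given mail client builds its own forward is outside its scope.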

 

 

> You MUST click the "Forward" button first and then you will have full editing capabilities against the body and headers of the message. If you don’t click on "Forward" first, you won’t be able to edit the message at all.

Well, it’s true you can’t usually edit the original of a message that you’ve received until you forward it, reply to it etc.

 

 

> (2) Whenever you send an e-mail to more than one person, do NOT use the To: or Cc: fields for adding e-mail addresses.

What the writer doesn’t seem to have remembered is that often you actually want to share addresses! Also, blind copied mail can actually confuse the recipient.

 

 

> Always use the BCC: (blind carbon copy) field for listing the e-mail addresses. This is the way the people you send to will only see their own e-mail address.

That isn’t automatically a good rule for every occasion. For a start, it’s exactly what a lot of spam messages do, which means that some crude filters may automatically reject it.

 

 

> If you don’t see your BCC: option click on where it says To: and your address list will appear. Highlight the address and choose BCC: and that’s it, it’s that easy.

That depends on which mail client you use, actually. But it does (kind of) happen if you use Outlook, give or take a menu or two and one or two other variables.

 

 

> When you send to BCC: your message will automatically say "Undisclosed Recipients" in the "TO:" field of the people who receive it.

There’s nothing automatic about it. It depends on a number of variables. Which casts doubt on the "expertise" of the person who wrote this. But maybe the point is to appear authoritative, rather than informative?

 

 

> (3) Remove any "FW :" in the subject line. You can re-name the subject if you wish or even fix spelling.

Hopefully, someone will explain to me how this reduces virus/spam dissemination. What am I missing?

 

 

> (4) ALWAYS hit your Forward button from the actual e-mail you are reading.

Well, that’s one way of getting to edit it, but ALWAYs is a BIG WORD.

 

 

> Ever get those e-mails that you have to open 10 pages to read the one page with the information on it? By Forwarding from the actual page you wish someone to view, you stop them from having to open many e-mails just to see what you sent.

That’s a netiquette issue. Perhaps this is one of those instances of a hoax mail intended to reinforce "good" practice, but unless we get the chance to talk to the anonymous originator, we may never really know. Certainly it would be nice if people sometimes removed the unnecessary bits of email they reply to or forward.

 

 

> (5) Have you ever gotten an email that is a petition?

Of course. A few of them have constituted serious chain letter hassle, and they’re not generally a good idea. There’s a place for electronic petitions, but not in the form of chain letters, which are hardly ever justified.

 

 

> It states a position and asks you to add your name and address and to forward it to 10 or 15 people or your entire address book. The email can be forwarded on and on and can collect thousands of names and email addresses.

That’s a rough and ready definition of a chain message. I’ll come back to that thought at the end.

 

 

> A FACT: The completed petition is actually worth a couple of bucks to a professional SPAMMER because of the wealth of valid names and email addresses contained therein.

So such a petition is (1) a professional spamming exercise (2) only going to make a couple of bucks difference to the spammer? Hmmm… But I have seen chain letters that appeared to be intended for address-harvesting purposes.

 

> If you want to support the petition, send it as your own personal letter to the intended recipient. Your position may carry more weight as a personal letter than a laundry list of names and email address on a petition. (Actually, if you think about it, who’s supposed to send the petition in to whatever cause it supports? And don’t believe the ones that say that the email is being traced, it just ain’t so!)

Certainly there are problems administering a petition by email: it may be much better to do it by way of a web form, for instance.

 

 

> (6) One of the main ones I hate is the ones that say that something like, "Send this email to 10 people and you’ll see something great run across your screen." Or, sometimes they’ll just tease you by saying something really cute will happen. IT AINT GONNA HAPPEN!!!!!

Poor cynical chap. People are always sending me cute stuff. I don’t always want them to, but that’s another issue.

 

 

> (Trust me, I’m still seeing some of the same ones that I waited on 10 years ago!) I don’t let the bad luck ones scare me either, they get trashed. (Could be why I haven’t won the lottery??)

Those "if you don’t forward this you’ll have bad luck" messages are sometimes referred to as "St Jude letters", after a particular example: Richard Dawkins, among others, has written about them in some detail. They are, in fact, pointless and mildly evil…

 

 

> (7) Before you forward an Amber Alert, or a Virus Alert, or some of the other ones floating around nowadays, check them out before you forward them. Most of them are junk mail that’s been circling the net for YEARS! Just about everything you receive in an email that is in question can be checked out at Snopes. Just go to www.snopes.com/

An excellent resource. I recommend it.

 

 

> Its really easy to find out if it’s real or not.

Unless it’s a new one. And hoaxers can be quite inventive: it sometimes takes significant research to establish truth or falsity, even for an expert.

 

 

> If it’s not, please don’t pass it on.

Even if it is, it’s rarely appropriate to pass on a warning to everyone you know. Well-administered corporates usually forbid this except by people who are explicitly authorized to pass on a warning.

 

 

> So please, in the future, let’s stop the junk mail and the viruses.

If only it were that easy…

 

 

> Finally, here’s an idea!!! Let’s send this to everyone we know (but strip my address off first, please). This is something that SHOULD be forwarded.

BANG!!!! Credibility blown to blazes… After all that, it’s just another chain letter, no different to all the other chain letters the author is railing against.

Err… No. It isn’t something that SHOULD be forwarded, thank you. Even if it were much better advice than it actually is, chain letters that turn up again and again don’t usually make up in usefulness for the irritation they cause…

 

Here’s an idea. Let’s not forward this blog to everyone we know, either. But  feel free to post possible hoaxes to hoaxchecker@gmail.com, and I’ll endeavour to confirm that it’s true or false.

 

David Harley

Research Author

March 3rd, 2008

Another week, another scheme from the Nuwar gang.  We started receiving reports early this morning that new variants of Nuwar are being advertised through spam.  Some of the e-mail subjects include "Please open your ecard." and "This ecard is hillarious!".  The e-mail contains, as usual, a very simple text and a link to a host infected by Nuwar that acts as a proxy to serve malware.  The malicious page doesn’t include any exploits this time.  It simply tries to convince visitors to download and execute a file called "ecard.exe" or postcard.exe.

 

After execution, the executable writes two files in the C:\windows\system32\ folder. One file is called diperto.ini; this is the peer-to-peer configuration file. The other file is called dipertoXXXX-XXX.sys, where each ‘X’ is a random number or letter. This is the system driver that injects code into other processes and has rootkit capabilities to hide this malware. Our antivirus detects the electronic card executable as "probably a variant of Win32/Nuwar.Gen" and the system driver as "Win32/Nuwar.BW worm".
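
A filename check built from the artifacts named in this post and in the April 1st post (aromis.exe, aromis.config), as an added example that is not ESET's detection logic. It assumes the Windows folder is C:\Windows, that each ‘X’ is an ASCII letter or digit, and that the listing comes from an offline view of the disk, since the driver is described as hiding the malware; the campaign labels and sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath


def _name(expr):
    # Windows file names are case-insensitive, so match them that way.
    return re.compile(expr, re.IGNORECASE)


# Folder and file-name patterns taken from the two posts; labels are hypothetical.
# Assumptions: the "Windows folder" is C:\Windows, and each X in
# dipertoXXXX-XXX.sys is an ASCII letter or digit.
CAMPAIGNS = {
    "april-fool": (PureWindowsPath(r"C:\Windows"), {
        "dropped copy": _name(r"aromis\.exe"),
        "p2p config": _name(r"aromis\.config"),
    }),
    "ecard": (PureWindowsPath(r"C:\Windows\system32"), {
        "p2p config": _name(r"diperto\.ini"),
        "driver": _name(r"diperto[0-9a-z]{4}-[0-9a-z]{3}\.sys"),
    }),
}

# Constructed file listing, as if exported from a disk image of a test machine.
LISTING = [
    r"C:\WINDOWS\system32\diperto.ini",
    r"C:\WINDOWS\system32\diperto4f2a-9c1.sys",
    r"C:\WINDOWS\system32\dipertoXY-1.sys",       # wrong shape: not XXXX-XXX
    r"C:\Users\test\Desktop\diperto.ini",         # right name, wrong folder
    r"C:\WINDOWS\aromis.config",
    r"C:\WINDOWS\system32\drivers\disk.sys",
]


def scan(paths):
    """Return {campaign: {role: path}} for files matching both folder and name."""
    hits = {name: {} for name in CAMPAIGNS}
    for raw in paths:
        path = PureWindowsPath(raw)
        for name, (folder, roles) in CAMPAIGNS.items():
            # PureWindowsPath equality ignores case, like the file system does.
            if path.parent != folder:
                continue
            for role, pattern in roles.items():
                if pattern.fullmatch(path.name):
                    hits[name][role] = raw
    return hits


def verdict(hits):
    """Grade each campaign: every described file present, some, or none."""
    result = {}
    for name, found in hits.items():
        expected = len(CAMPAIGNS[name][1])
        if not found:
            result[name] = "none"
        elif len(found) == expected:
            result[name] = "complete"
        else:
            result[name] = "partial"
    return result


if __name__ == "__main__":
    found = scan(LISTING)
    for campaign, grade in verdict(found).items():
        print(campaign, grade, sorted(found[campaign].values()))
```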

 

Pierre-Marc Bureau

Researcher

March 3rd, 2008

Last Friday, a television report produced in collaboration with ESET was aired on Canadian television. The topic of the report was, of course, computer security and, specifically, zombie networks (botnets). To show the viewers the dangers of poor security practice, we connected a computer without security patches to the Internet and waited to see how long it would take for it to be compromised.

 

A couple of minutes after connecting the vulnerable machine to the Internet, we started receiving queries from other computers wanting to display advertisements through the NT Message protocol. Most of these advertisements originated in Europe and were promoting fake antivirus products. It took a couple of hours before the first real attack was reported. This surprised us slightly since the Honeynet Project (www.honeynet.org) states that it usually takes less than an hour for an unsecured machine to be compromised, once connected to the Internet. The attack in question exploited a security flaw in the Windows file sharing system and installed a bot on our vulnerable computer.

 

We received a lot of comments on this TV report.  Many people reacted by saying that they would be more cautious when browsing the Internet, and this is a good thing.  Some others stated they would never again go to an unfamiliar web site.  I think this is overreacting.  The Internet is a great resource to have and the advantages of being able to browse it overcome its downsides.  I think the lesson to remember from our television report is that before connecting a computer to the Internet, you should make sure all security patches have been applied and you have proper security applications installed.  When browsing unknown websites, you should be particularly cautious of what you download and execute.

 

The report (French only) can be viewed at the following address: http://tva.canoe.com/emissions/je/reportages/21083.html

 

 

Pierre-Marc Bureau

Researcher

March 2nd, 2008

I don’t, in general, have much time for virus writers: not, at any rate, the guys who can’t keep their creations to themselves, and don’t care if they cause damage. They’re not all like that, of course: I’ve talked to virus writers who seem nice enough guys, and even to some who are almost as clever as they think they are. Cyber criminals, scammers, phishing gangs and so on, preying on the rest of us, are contemptible, but in a society that equates worth with wealth, theft is understandable. But I sometimes like to think that there is a special corner of hell reserved for hoaxers who make themselves feel special by exploiting the good intentions of other people, for instance by getting them to spread chain mail in the belief that they’re doing something that benefits others. Some hoaxes (or semi-hoaxes) arise out of genuine misunderstandings and misconceptions, of course. However, many are started by an individual who feels that he’s proved himself superior to the rest of us, every time his victims are made to feel stupid when they realize they’ve been hoaxed.

 

Virus hoaxes have been around almost as long as computer viruses: in fact, I sometimes think the hoaxes will outlive the real thing. I’ve seen some instances this week of one that’s quite interesting, though: it actually gives as "corroboration" a link to snopes.com, where many a hoax is described. The trouble is that the Snopes link actually describes a series of emails spammed out last summer in a bid to spread our old friend Nuwar, whereas the "virus" described by the hoax mail is largely a recycling of the old "Olympic Torch" hoax, and is described like this:

 

"You should be alert during the next few days.  Do not open any message with an attachment entitled ‘POSTCARD,’ regardless of who sent it to you.

It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C of your computer.

 

This virus will be received from someone who has your e-mail address in his/her contact list.  This is the reason why you need to send this e-mail to all your contacts.  It is better to receive this message 25 times than to receive the virus and open it.

 

If you receive a mail called’ POSTCARD,’ even though sent to you by a friend, do not open it.!  Shut down your computer immediately.

 

This is the worst virus announced by CNN.  It has been classified by Microsoft as the most destructive virus ever.  This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

 

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept."

 

 Some versions of this hoax, however, do something even more interesting. They include "instructions" on how to forward email "properly". Some of the advice is naive, some is OK. In fact, checking a virus alert before you forward it is a pretty good idea, though in the corporate world, we tend to think that it’s an even better idea not to forward even a genuine alert unless you’re authorized to. It even suggests that you check out virus alerts with snopes.com. Unfortunately, it then suggests that the advice is so good that it should be forwarded to everyone you know. Well, there may be occasions where a chain letter is justified, but this isn’t it.

Of course, here at ESET we mostly focus on real malware rather than viruses that don’t actually exist. However, much of my previous career has been concerned with hoax management, and I plan to return to this subject before too long.

 

Update: hopefully, no-one is going to read this and think, "Oh, so virtual postcards aren’t a threat then." Especially if they read Randy’s posts last year about the problems with eCards, eVites and other eVils. But just to reinforce the point, I notice that we’re enjoying another wave of Nuwar/Storm mails with subjects like "Someone sent you an ecard!" or "We have an ecard greeting for you." Happily, even Storm isn’t going to set fire to your hard disk, but there are plenty of other unhappy consequences of being "botted" (bot-infected). Normal cautions and caveats apply….

 

David Harley

Research Author

February 29th, 2008

…the more they remain the same. It’s sometimes too easy to forget that it’s not all about the technical analysis of malware. Often, it doesn’t matter how startlingly sophisticated or innovative malware is: if the social engineering hits the spot, and technical defences fail, as all too often they do, that’s enough. Depressingly, the engineering doesn’t have to be great either: over the years, I’ve noticed (as have the bad guys) that the same ploys work over and over again.

 

 Of course, I have a couple of recent examples in mind. There have been reports on many mailing lists this week about an email that purports to come from the Department of Justice. There are variations in the exact wording, but a typical one includes (beneath a DoJ banner) text like this:

 

Dear Mr. [Targeted individuals name] ,

A complaint has been filled against the company you are affiliated to ( [Company Name] ) in regards to the domain of business activity.

 

The complaint was filled by Mr. James Palmer on 25/02/2008 and has been forwarded to us and the IRS .

Complaint Case Number: #[case number] Date: [date]

A copy of the original complaint and the contact information of Mr. James Palmer has been attached to this e-mail.Please print and keep this copy for your personal records.

 

There’s more to it, of course. And very similar messages have long been received, apparently from other official bodies. The attached complaint document is actually a zipped and packed executable that downloads and drops various objects onto your system that you really don’t want. Spear phishing meets mass mailer social engineering meets bang-up-to-date obfuscation. And, while the English isn’t perfect, it’s not the conspicuously "foreign" English we’ve become accustomed to see in low-grade phishing emails.

 

The English in this 419-style email is rather rougher, but I guess you don’t necessarily expect literary polish from a hitman.

 

 

HELLO

I am very sorry for you Xxxxxx, is a pity that this is how your life is going to end as soon as you don’t comply. As you can see there is no need of introducing myself to you because I don’t have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.

[…]

Get back to me now if you are ready to pay some fees to spare your life, $10,000 is all you need to spend You will first of all pay $5,000 then I will send a tape to you which i recorded every discusion in made with the person who wanted you dead and as soon as you get the tape, you will pay the remaining $5,000. If you are not ready for my help, then I will carry on with my job straight-up

[…]

 

 Nice. Of course some of the detail changes, such as the sum demanded. Incidentally, while I routinely anonymise this sort of thing when I use it for blogs and alerts, I didn’t change the recipient’s name in this one. Either a lot of people are called Xxxxxx, or the extortionist on this occasion couldn’t be bothered to replace a placeholder. Nonetheless, a lot of people have been disturbed by this one, which has been seen from time to time for some years now. And that, I suppose, is the point. The world is full of people, some of them highly educated, who don’t raise their implausibility shields when they put on their cyberspace suits.

 

David Harley

Research Author