----- Anti-Malware ----- Analysis and Defense

Virus Bulletin Conference 2008, Ottawa, Canada

noreply@blogger.com (Eric Uday Kumar) — Fri, 10 Oct 2008 02:19:00 +0000

I had the opportunity to present at the Virus Bulletin Conference this year in Ottawa, Canada. This is one of the big security conferences and a lot of well known personnel from the AV-industry attend it. It was really good interacting with the attendees, developing relations, and learning about new cutting-edge technological developments in the area of anti-malware.

My presentation was about "Applying User-mode Memory Scanning on Windows NT based systems". A copy of this paper can be downloaded from here.

The keynote talk on the first day of the conference by Alex Eckelberry from Sunbelt Software was interesting and explained the expectations of a typical desktop consumer and enterprise customer from AV-vendors. He stressed the importance of customer support in gaining consumer confidence and keeping the business running. The presentation about MBR rootkit by Kimmo Kassilin from F-Secure was very technical and particularly gripping to me. This explained one of the most sophisticated piece of malware we have seen in recent times.

There were some thought provoking discussions and presentations surrounding AV-software testing and one of them was by Dr. Igor Muttik from McAfee. There was also the new proposal from Dr. Richard Ford from Florida Institute of Technology about malware sample sharing that seemed very practical. His new approach and concept is sure is help the AV-industry. Last but not the least, the one presentation I was really looking forward to was by Peter Szor from Symantec, along with Dimitris and Adami from Graduate Institue of Applied Life Science. The presentation was about the evolution of computer programs (such as malware) into new forms that are functionally different from their parent, much like mutation creating new species in biological life. The presentation was very interesting and clearly exceeded my expectations.

The gala dinner on the second day of the conference was simply fun. They had each table form a team and compete against other teams in a frenzy of intelligent questioners. Although our team did not win, we still had a good time. All in all, the conference was informative and fun.

I got to stay around Ottawa a day after the conference, rent a car, and drove up the mountains in Quebec to look at the beautiful fall foliage. The sights were really pretty.

EICAR 2008 Conference, Laval, France

noreply@blogger.com (Eric Uday Kumar) — Sat, 24 May 2008 00:38:00 +0000

It has been a while since I have posted anything on my blog. Life has been busy with work and family, but things have been good. I had the opportunity to present a paper at the EICAR 2008 conference, which was held in Laval, France. It was great to be able to know some of the well respected people from computer security academia and the industry. During this time, I was also able to do some traveling with my wife and see some amazing places and meet fascinating people. It has truly been a pleasurable experience.

The conference - merging academia and industry

The EICAR 2008 conference I attended was very interesting and informative. It provided for an atmosphere of personal interaction with the attendees. The good thing about the EICAR conference is that people who attend are from a diverse group of academic and and industry backgrounds. This allows technology and knowledge transfer between the two sectors, which in my opinion, is a key factor for the growth of both. While I represent the industry steam, some of the academic presentations helped me understand how theoretical ideas could or could not be applied for practical purposes. In turn, the people in academia get insight of whether their work is relevant (or useful) to real-world practical use. I must admit that some of the technologies being developed at Universities can very well find a place in the commercial market and be used for malware analysis and mitigation. One such technology is the VILO malware defense suite being developed at University of Louisiana at Lafayette (from where I had graduated in Dec 2004 with a Masters in Computer Science). This tool demonstrates how program-matching techniques can help in triage, in-depth malware analysis and signature generation.

Presentation

The paper I presented was about "User-mode memory scanning on 32-bit & 64-bit Windows". It details about the background and theory of implementing the memory scanner as well as its pros and cons of using it from user mode. You can find the paper and presentation here.

The fun part

We were treated to a nice gala dinner on the evening of first day in the old castle (Vieux Chateau). It was quite fun and I also had the privilege of bringing my wife to it as well. We definitely had a good time and the group at our table were a fun and lively bunch to interact with. The evening was well spent while listening to authentic French live band playing in the background.

Me and my beautiful wife, Amy Adams.

Click Here to see more pictures about our stay in Laval, France.

My wife likes to blog as well and she has a nice one about this trip to Europe. Click Here to visit her blog.

Fun with Ubuntu

noreply@blogger.com (Eric Uday Kumar) — Sun, 06 Jan 2008 19:27:00 +0000

A distribution of Linux I recently tried is Ubuntu. "Ubuntu" is an ancient African word, meaning "humanity to others". The operating system is extremely slick, cool, and user-friendly. Actually I like it! It is based off of Debian GNU/Linux. You can download its latest version (7.10 Gutsy Gibbon released on 18 October 2007) from the official website here. You can also learn about its desktop and server editions. Like most Linux distributions, it is free and open source.

There are also a number of interesting derivatives of Ubuntu such as:
Ubuntu Studio - Designed for multimedia editing and creation.
Kubuntu - Ubuntu with the K Desktop Environment (KDE).
Edubuntu - Ubuntu for Education.
Xubuntu - Ubuntu with the XFCE desktop environment.
Gobuntu - A flavour of Ubuntu that strives to be completely devoid of software, drivers or firmware with restrictive licenses.

Dell also offers some of its consumer systems with Ubuntu pre-installed!

My adventure with Ubuntu began with trying to evaluate a certain piece of software that required installing QEmu on Linux. In this particular case, choosing Ubuntu as the Linux flavor meant "life is easier" (i.e. I would not have to deal with missing dependencies or packages).

Installing Ubuntu

So I downloaded the ISO for the latest version (Ubuntu 7.10), for a 32-bit machine (i386 or x86), from the official website and burnt it to a CD. Note that sometimes when you burn the CD at 40x speed, the final disk acts funny or gets corrupt! A burn speed of 10x seems to give no problems. In my case, I got the server edition of Ubuntu which unfortunately does not come with the nice GUI like the desktop edition. I learned the hard way, and below I will describe how to install the GUI for the server edition.

Simply follow the installation instructions and soon you will have Ubuntu installed on your system. Note that Ubuntu does not have a "root" user nor does it prompt for a "root password" during installation. This is because, for security reasons, it does not want anyone to login as "root". In order to perform any tasks or actions via command line that require administrator privileges, simply use "sudo ". This prompts for a password for the currently logged-on user. In case of GUI programs, a pop-up box asks to enter the password for the currently logged-on user (much like UAC on Window's Vista).

Note that "sudo" will only escalate privileges of the current command and won't work in case of re-directions. Example: Say you want to write to a system file that requires administrator privileges and you type the following command:

sudo echo 1 > /proc/sys/net/ipv4/tcp_sack

You would still get "Permission denied". This is because "sudo" only performed on "echo 1" but not on "writing to file". There are two ways of tackling this:

(1) Escalate privileges of entire shell, execute your command withing the escalated shell, and then exit escalated shell. This is done as shown:

sudo bash
echo 1 > /proc/sys/net/ipv4/tcp_sack
exit

(2) A second method is by using the following command:

sudo bash 'echo 1 > /proc/sys/net/ipv4/tcp_sack'

Good ole GUI, where are you?

Well, after installing the server version of Ubuntu, I noticed that I wasn't presented with a nice GUI to play around, instead was faced with the command prompt. Nothing against command lines, but I like my GUIs :)

So I learned that typing the command "startx" will start the X server and associated GUI environment. But on executing the command, I am confronted with the following errors:

xauth: creating new authority file /root/.serverauth.38.66
xauth: creating new authority file /root/Xauthority
xauth: creating new authority file /root/Xauthority

X: cannot stat /etc/X11/X (no such file or directory), aborting
giving up
xinit: Connection refused (errno111): unable to connect the x server
xinit: No such process (errno 3): Server Error.

Aah! so I am missing X server and a GUI environment. I needed to install them first. For that, I used the following commands:

sudo apt-get install kde
sudo apt-get install xorg

This installs the KDE GUI environment and X server.

Now type "startx" and you will be presented with the KDE desktop. Do not type "sudo startx" which will cause all your applications to run with administrator privileges, and hence reducing security. On logging out, you will once again be presented with the command shell.

To rather be presented with the GUI (all the way), without having to encounter the command shell each time and typing "startx", simply install one of the GUI desktops all together, instead of the above two packages (kde and xorg). For installing one of the GUI desktops, type any one of the following commands:

To install the default GNOME desktop:
sudo apt-get install ubuntu-desktop

To install the KDE desktop:
sudo apt-get install kubuntu-desktop

After install, reboot your machine and you will be presented with a nice GUI based desktop :)

Some things I learned

In the process of trying to figure out these things, I learned some new things, which I would like to share here. Most Linux distributions have the file "/etc/inittab" that defines the "runlevel" into which the kernel boots up. Typically a runlevel of 2 means you will be presented with a command prompt, and a runlevel of 5 means you will be presented with a GUI. Example: for runlevel 5, the entry in "/etc/inittab" would be as such:

id:5:initdefault:

The following command gives the current runlevel you are in:

who -r

The following command will change your runlevel to 2 by shutting down unnecessary process's and starting up all runlevel 2 processes:

telinit 2

Each defined runlevel will have an "/etc/rcX.d/" directory where "X" is the runlevel number. The contents of the "rcX.d" directory determines what happens at that runlevel. For Ubuntu, the default runlevel is 2. Also, the runlevels 2 through 5 on Ubuntu are all the same. There is no distinction between them, i.e. the contents of /etc/rc2.d/, /etc/rc3.d/, /etc/rc4.d/, /etc/rc5.d/ directories are all the same. This presents you with the default command line shell when you boot up, if you hadn't installed any of the GUI desktops.

Note that in Ubuntu, "init" has been replaced by "upstart". So, if you wish to change you runlevel, "upstart" still looks for the "inittab" file for a user set runlevel. Just create the "/etc/inittab" file and put the following line in it to boot to runlevel 5:

id:5:initdefault:

And then you have to add some new content to the directory "/etc/rc5.d/" in order to start the X server and GUI environment by default on boot up (instead of the command line shell). This I am not sure how to do yet!

Accessing a Window's share from Ubuntu

In order to access a Window's shared folder in Ubuntu, over the network, you need to install "smbfs". Select System > Administration > Synaptic Package Manager and search for "samba server". Then select "smbfs" for install. This will install the and insert the "smbfs" kernel module (.ko - kernel object file) into the running kernel. This facilitates mounting of remote SMB share (such as the Window's share) on Linux. You can find if the kernel module has been properly inserted by executing the following command:

lsmod | grep smbfs

If you do not see it inserted, then you can manually insert the associated kernel object (.ko file) by issuing the following command:

modprobe smbfs

Also make sure that the "smb server" is up and running. In order to check this, type the following command:

netstat -antupo

Check to see if the "smb server" is listening on ports 139 and 445. If not, you can start it by issuing the following commands:

cd /etc/init.d/
./smb start

Now say the IP address to your Window's machine over the network is "192.168.1.1". Then type the following command:

smbclient -L 192.168.1.1

When prompted for "Password" simply hit "Return". This will list all shared folders on the Window's machine that do not require a password for read access. Say one of these shared folders is called "Documents". Then type the following command:

sudo mkdir /mnt/share
sudo chmod 755 /mnt/share
sudo mount //192.168.1.1/Documents /mnt/share

The first two commands will create the directory "/mnt/share/" and give appropriate permissions. The third command will mount the Window's share onto "/mnt/share/". If prompted for "Password", simply hit "Return".

In order to un-mount the share, type the following command:

sudo umount /mnt/share

Useful info and links

During my learning experience with Ubuntu, I also stumbled upon a number of useful resources, that I would like to share here:

Loads of help at Ubuntu Forums.

Documentation for Latest Version of Ubuntu.

Useful documentation for Ubuntu, browse by title.

Switching to Ubuntu from Windows.

Switching to Ubuntu from MacOS.

Ubuntu equivalents to Windows applications.

Software Equivalents in Ubuntu.

How-To: Setting up QEmu on Ubuntu with TUN/TAP and NAT.

How-To: Install and run Windows 2000 under QEmu on Ubuntu 5.10.

How-To: Install and run Windows XP under QEmu on Ubuntu.

How-To: Install and run any release of Ubuntu under QEmu on Ubuntu.

How-To: Install and run Ubuntu under QEmu or VMware on Windows.

How-To: Install and run VMWare Server (or Workstation) on Ubuntu.

Wiki page: About QEmu, and installing it on Slackware Linux

Installing Wine on Ubuntu.

Installing Internet Explorer on Ubuntu.

Seamless Virtualization with Ubuntu.

Kernel Virtual Machine on Ubuntu.

Hope this information has been useful.
Happy Ubuntu-ing... :)

Digg This | Slashdot This | Add to del.icio.us

Moderating Blogger Comments

noreply@blogger.com (Eric Uday Kumar) — Sun, 06 Jan 2008 17:47:00 +0000

Today I noticed a strange comment to one of my blog posts that I hadn't approved. At first I thought my blog has been hacked and some spammer or malicious writer posted this comment or inserted malicious links/IFrame tags into my posts. I quickly checked all my posts for these (by clicking on "edit post", then "edit Html", and checking each "http href"and searching for "iframe") and found everything to be clean. I then looked at the comment...

While hovering my mouse cursor on the hyper link "here it is", I see the URL "hxxp://www.yourtypingbiz.info/billion-dollar-market.php" in the status bar at the bottom of my Firefox browser window. Clearly, this is a case of SPAM.

Now how did this comment get into my post without me approving it first? Well, I found out that my comments were actually "NOT moderated"! I thought I had turned on moderation of comments, but apparently I didn't. So some spammer simply posted such a comment (with a link to their phishing website) to all blogger blogs that do not have comment moderation turned on. They probably do this via a script in order to reach a multitude of blogs.

My next step was to simply delete the comment and turn on moderation of comments.

Digg This | Slashdot This | Add to del.icio.us

Malware via exploits

noreply@blogger.com (Eric Uday Kumar) — Sat, 01 Dec 2007 14:00:00 +0000

Malware authors are constantly banking on the "next-big-thing" in order to deliver their malicious payload/content onto un-suspecting user machines. Due to its huge user base, the Windows is un-undoubtedly the most targeted of operating system platforms.

Source of image: HorseHats.com

Malware delivery mechanisms have constantly been evolving from the old floppy disk days to the fast spreading Internet worms (attachments via e-mail). Today's malware delivery mechanisms are shifting more and more toward web technologies. Instead of directly delivering malicious content to user machines via e-mail attachments, malware are being hosted on a myriad of web servers world wide. Users are then enticed into somehow visiting these websites either by spamming out an e-mail with a link to a malicious website or by tainting search results to obtain a higher ranking to their malicious website. Such malicious links are also delivered via IM (Instant Messaging), bulletin boards, forums, etc.

Usually malicious websites also host recent (or in some cases older) browser/application/system exploits along with malware. An unsuspecting user who visits such a malicious website with an un-patched system or browser application is easily exploited and malware is delivered onto their system (drive-by-downloads). In case of fully-patched systems, all it takes is to entice the user or fool them into downloading and executing the malware. Such malicious web servers could be made accessible via HTTP or FTP and malicious code (HTML, JavaScript, PHP, CGI, etc.) embedded within web-pages. Malware authors could hack legitimate websites and redirect visitors to a host of malware via invisible IFrame tags. With the birth of Web2.0 technologies, and mobile platforms, newer avenues are being explored in terms of malware delivery.

In regards to Windows related vulnerabilities, with Microsoft scheduling its patch release on every second Tuesday of each month popularly known as "patch Tuesday", hackers and malware authors have coined the term "exploit Wednesday" where they exploit an un-patched vulnerability the day after Microsoft has released its patches for that particular month.

Information Gathering - Vulnerabilities and Exploits

Malware authors are constantly looking to find vulnerabilities in software in order to exploit them. The software they target could be Operating system libraries, application software, kernel mode drivers, etc. They either hack these up themselves or obtain them from published material on Fulldisclosure mailing list, or from published material via blog posts of vulnerability researchers and enthusiasts, or from a community of hackers, etc. There is also the open source vulnerability database (OSVDB) where detailed vulnerability information is published on or before the same day that a vendor patch is released.

Information and advisories about vulnerabilities can also be obtained from from the following sites listed below:

@Risk: The Consensus Security Alert
Bugtraq mailing list
Bugtraq archives at neophsis
CERT
CERIAS
CIAC.org
CVE
eeye advisories and ZeroDay tracker
Finjan Vulnerability List
FrSIRT
GovernmentSecurity (forum1, forum2)
IBM ISS (X-Force)
IDefense advisories
LWN.net
Microsoft security bulletin - List of vulnerabilities fixed since 1998
milw0rm
National Vulnerability Database
Net-Security
NIST.org
NTBugtraq
NTSecurity.net archives at neohpsis
Rapid7 vulnerability database
Rain Forest Puppy Advisories
SANS top20 list
Secunia
SecuriTeam
Security Alert Consensus
Security-database
SecurityFocus
SecurityLab
SecurityReason
SecurityTracker
Security Threat Watch archives at neohpsis
SecurityVulns
SecWatch
US-Cert
Virus.org
VulnDiscuss archives at neohapsis
VulnWatch archives at neohapsis
Xdisclose
Zone-H
Zero Day Initiative (TippingPoint)

A unique blog-roll of "month of vulnerability disclosure" was also started by certain people who decided to find vulnerabilities in various software and simply disclose them via independent blog posts. Listed below are a few:

MOAB - Month of Apple bugs
MOKB - Month of Kernel bugs
MOBB - Month of Browser bugs
MOSEB - Month of Search Engine bugs
MOAxB - Month of ActiveX bugs
MOBiC - Month of bugs in CAPTCHAs

Before the details of a vulnerability gets into Fulldisclosure, OSVDB, or such independent open blog-rolls, the researcher or hacker has several options as what he or she can do with the discovered vulnerability:

- Responsibly disclose the entire details of the vulnerability to the software vendor alone, for free.

- Sell it to certain companies that buy vulnerabilities such as IDefense (now part of VeriSign), Digital Armaments, Argeniss (now acquired by Gleg Ltd), Netragard, TippingPoint (now a part of 3com), and Immunity, that gives the buying company exclusive rights to the vulnerability.

- Place the vulnerability for an auction at Wabisabilabi and sell it to the highest bidder.

The ethics behind disclosing vulnerabilities has always been a subject of debate. Microsoft has coerced a few software vendors to join their Organization for Internet Safety (OIS) that strives to actively suppress vulnerability disclosure within their organizations.

The number of vulnerabilities have been increasing since 2006. Here are some stats:
Full stats from CERT.
A post on "The Register".

Windows Libraries - a haven for malware exploits

A large number of Windows applications leverage Windows libraries (modules that contain functions and data) as dynamic-link libraries (DLL) or OCX (libraries containing ActiveX controls). Such libraries allow their functionality to be updated and reused easily while reducing significant memory overhead when several applications use the same functionality synchronously. Thus, the discovery of a critical vulnerability in a library usually affects a wide range of applications from Microsoft and other third-party vendors that use that library. Hackers and malicious authors then try to find multiple attack vectors in order to exploit the vulnerability. For instance, a vulnerability in an image processing library could be exploited via Internet Explorer, Microsoft Office and Image Viewing software. Considering the massive base of Windows users, such an exploit ensures huge deployment.

Several such vulnerabilities have been discovered in the recent past, for which, many had exploit codes either made available or discovered before patches were released. This scenario is also known as "zero-day". Listed below are a few:

VML Exploit - (CVE-2006-4868, MS06-055) - a vulnerability in Vector Graphics Rendering engine (vgx.dll) could allow remote code execution via a specially crafted Vector Markup Language file. The vulnerable library is used by applications such as Microsoft Outlook and Internet Explorer which can be used as attack vectors.

WebViewFolderIcon Exploit (via setSlice method) - (CVE-2006-3730, MS06-057) - a vulnerability in Windows Shell, due to improper validation of input parameters when invoked by the WebViewFolderIcon ActiveX control via setSlice method, could allow remote code execution.

WMF Exploit - (CVE-2005-4560, CVE-2005-2124 MS06-001, MS05-053) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution while handling a specially crafted Windows Metafile (WMF) image.

EMF Exploit - (CVE-2005-2123, CVE-2005-0803) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution via a heap-based buffer overflow or cause a application crash while handling a specially crafted Enhanced Metafile (EMF) image.

ANI exploit - (CVE-2007-0038, CVE-2004-1049, CVE-2004-1305, MS07-017, MS05-002) - a vulnerability in Cursor and Icon format handling could allow remote code execution or denial of service (kernel or application crash).

Web View exploit - (CVE-2005-1191, MS05-024) - a vulnerability in Web View DLL (webvw.dll) could allow remote code execution.

PNG exploit - (CVE-2004-1244, CVE-2004-0597, MS05-009) - a vulnerability in PNG Image Processing (by Windows Media Player 9 or via libpng 1.2.5 and earlier) could allow remote code execution.

JPEG exploit - (CVE-2004-0200, MS04-028) - a buffer overflow vulnerability in JPEG (JPG) parsing engine in GDIPlus.dll could allow remote code execution.

iPhone exploit - H.D. Moore (creator of the Metaspoilt Framework) has several blog entries consisting of step-by-step descriptions of how to exploit the Apple iPhone. Here, he exploits a vulnerable version of the libtiff library that is shipped with the latest update to the iPhone.

URL handling exploit - (CVE-2007-3896, MSA-943521) - a URL/URI handling bug in Shell32.dll with Internet Explorer or Mozilla Firefox installed could allow remote code execution. Attack vectors could be applications such as mIRC, Outlook, Adobe Reader, Skype, etc.

Microsoft Office file formats - have always been a target for digging out vulnerabilities that could be exploited by malicious authors. The SANS 2006 list and SANS 2007 list of office file format vulnerabilities provides information about a number of these bugs. This Security Focus article discusses the extent of vulnerabilities in Microsoft's Office documents in recent months, while this blog entry by Symantec discusses about malware exploiting such vulnerabilities. Ryan Naraine's blog also talks about malware authors creating tools to exploit vulnerabilities in Microsoft Word document format, while Microsoft itself releases a tool called MOICE with an intent to isolate potential exploitable elements.

Vulnerabilities in Applications

Vulnerabilities or un-patched bugs in commonly used applications such as image viewers, media players, browsers, file readers, etc. are also sought to be exploited by malicious authors. Listed below are a few examples:

- A vulnerability in Windows Media Player (CVE-2006-0006, MS06-005) while processing of a specially crafter BMP image could allow remote code execution.

- A vulnerability in Windows Media Player plugin (CVE-2006-0005, MS06-006) for non-Microsoft browsers could allow remote code execution.

- A recent vulnerability in Adobe Reader for Windows (CVE-2007-5020) while processing a specially crafted PDF file could allow remote code execution via another vulnerability in Shell32.dll (CVE-2007-3896). Adobe has already released a patch for this here. This vulnerability was discovered by Petko D. Petkov of gnucitizen.

- Several vulnerabilities in Adobe Reader (SA23483) could allow remote code execution or aid CSRF attacks. Improperly handled input passed to a hosted PDF file via a vulnerable Adobe Reader browser plugin could allow remote code execution. Improperly sanitized returned values by a vulnerable Adobe Reader browser plugin, when input is passed to a hosted PDF file, could allow remote code execution. Improperly sanitized input values to a hosted PDF file via a vulnerable Adobe Reader browser plugin could allow requesting of arbitrary URLs and hence facilitating a vector for CSRF attacks.

- A vulnerability in Adobe Photoshop for Windows (FrSIRT-1523) while processing specially crafted BMP, DIB, RLE files could allow remote code execution.

- A vulnerability in Apple QuickTime (FrSIRT-3155) while processing the "qtnext" parameter withing QuickTime Link Files (.qtl files), could allow remote code execution by tricking a user into visiting a specially crafter webpage or opening a malicious file. This vulnerability was discovered by Petko D. Petkov of gnucitizen.

- A vulnerability in Apple QuickTime (US-CERT-659761, CVE-2007-6166) while processing a specially crafted RTSP (Real Time Streaming Protocol) stream could allow remote code execution. Since QuickTime is a component of Apple iTunes, all such installations are vulnerable to the attack on all supported Windows and Mac operating systems.

- A vulnerability in Adobe Flash Player (CVE-2007-3456, APSB07-12) could allow remote code execution due to a "input validation error" (buffer overflow) via a specially crafted FLV or SWF file. Another recent vulnerability (CVE-2007-3457) due to insufficiently validating HTTP referrer headers, could allow remote attackers to conduct a CSRF attack via a specially crafted SWF file.

- A vulnerability in Database Component in MPAMedia.dll in RealPlayer (CVE-2007-5601, ) could allow remote code execution via certain play-list names via the import method to the IERPCtl ActiveX control in ierpplug.dll. RealNetworks has released a patch for this here. Malicious authors have known to be exploiting this vulnerability.

- A vulnerability in RPC on DNS server (CVE-2007-1748, MS07-029) could allow remote code execution.

- Multiple vulnerabilities in Microsoft PowerPoint (MS06-058, SA22127) could allow remote code execution.

- A vulnerability in the cPanel software (control panel software that is widely used by hosting providers such as Apachi web-hosting), could allow a remote attacker to gain access to the web servers and taint web-pages with malicious iFrame links.

- A vulnerability in Winamp could allow the execution of malicious code via a specially crafter MP4 file. Here is a post on "The Register" about it.

- A myriad of Anti-Virus products as well were reveled of vulnerabilities, according to a blog post here.

- A blog post by Aviv Raff here, details the vulnerabilities discovered in Gadgets (script-able applications) on Vista.

- A post here describes a myriad of security issues with Google such as a vulnerability in Google desktop and an XSS error in Gmail, among many others.

- A recently discovered XSS vulnerability in common Shockwave Flash files.

- A vulnerability in an ATI driver allows malicious code to be loaded into Vista's kernel, in spite of its latest security measures (such as PatchGuard and only allowing signed drivers to be loaded).

And the saga continues...

Digg This Slashdot This Add to del.icio.us

Emerging Malware Trends

noreply@blogger.com (Eric Uday Kumar) — Sun, 18 Nov 2007 03:27:00 +0000

Mobile Malware

With the growth in modern mobile platforms and devices, newer avenues are being explored in terms of malware delivery.

Source of image: http://iphonic.tv/iphone.jpg

Here are a few resources that show the introduction of malware in the areas of mobile platforms:

An overview of mobile device security by Kaspersky Labs introduces recently discovered worms and viruses on the Symbian, Windows CE, Palm OS and Linux platforms for devices such as PDAs, Pocket PCs, Windows Mobile, Cell Phones, SmartPhones, Handhelds, etc.

McAfee has an interesting white paper as well about mobile malware - threats and prevention.

An interesting presentation by Dr. Vesselin Bontchev at the Virus Bulletin 2007 conference is about the Virusability of modern mobile devices.

Another interesting paper by Peter Szor (security architect at Symantec Security Response) in June 2007 edition of Virus Bulletin magazine introduces to attacks on Linux iPod.

It is also worth mentioning of a "quality control process" gone bad on part of Apple Inc. that shipped a small number of its video iPods with an old Windows virus.

Threats and viruses on WAP (Wireless Application Protocol) enabled devices have already been predicted quite a few years ago. Viruses have also been found on the PalmOS (such as Phage and Vapor).

There are quite a few security companies offering anti-malware solutions for mobile platforms. Prominent among them are:

- Symantec's mobile security for handhelds (Symbian and Windows mobile)

- McAfee's VirusScan mobile

- Trend Micro's PC-cillin for mobile

- F-secure's mobile anti-virus

- Kaspersky's mobile anti-virus

- Airscanner - is freely available for personal and non-commercial use.

Digg This | Slashdot This | Add to del.icio.us

About Computer Security & the Average Computer User

noreply@blogger.com (Eric Uday Kumar) — Mon, 29 Oct 2007 07:23:00 +0000

The fact of the matter is, "the average computer user could care less about computer security if everything seems to be working fine". Largely attributed to ignorance and their naive reliance on security software, a typical user would choose ease of usability over security. Adding to their ignorance are the people who market security products as "perfect solutions" or as the "silver bullet". Some of these so called "marketing geniuses" tend to claim unrealistic and ridiculous statements of how their product can protect users from every piece of malware out there, thus giving them a false sense of security.

Who is the average computer user?

Recently I had the chance to visit an older couple who complained of having trouble using their computer. Their computer was previously infected with malware, but has since been cleaned up by another so called "computer expert", essentially reinstalling the OS and wiping out their data. The couple mentioned that the person who cleaned up their computer did not give them an option of backing up personal information or data. It could be possible that the malware on their system had encrypted their data (ransom-ware). Because everything was installed from scratch and things changed around (probably a newer OS version, newer software updates, etc.) they could not find their way around since things did not "look", "feel", and were not "located in the same place" as before! They had a hard time comprehending the change, which is no surprise since they did not seem very computer literate. They simply could not figure out how to browse the internet now, or open, receive and send e-mail, which is what they mostly used their computer for. A quick look at their computer revealed that it was clean of any malware (as of now!) and they simply needed help with using it. So I had to go over with them a basic computer-101 course demonstrating how to open, read, send e-mail and how to browse the internet. During the course of this session I tried my best to explain to them some of the security implications of being logged on as a admin-user. I also explained the dangers of browsing the internet, opening spam messages, clicking on links and clicking the "yes" pop-up-box, etc., (obviously due to my inclination towards computer security). No wonder, they had a hard time comprehending or following the things I was telling them.

Security vs. Usability

The whole experience made me realize - the average computer user simply wants usability. Most people simply want to use the computer for their purpose, get the job done, and move on... Security? - they are either ignorant about it or just do not get it or just do not care as long as their computer seems to work fine...

Where does this place the average user? - An easy target for identity and personal information theft.

Where does this place the malware author? - Easy money-making off of the average user especially due to todays' shift in intent to develop and deploy malware for monitory gain.

Where does this place the anti-malware community? - Fighting a loosing battle...

In my case of visiting the couple, they obviously did not know much about computer security and unfortunately these are the vast majority of computer users, who are un-wittingly contributing to the rise of a plethora of malware on the internet today. Such users are potential zombies or waiting to become part of a huge botnet spewing spam or unknowingly partaking in a DDoS (Distributed Denial of Service) attack. Sadly, it is only a matter of time when their computer will be compromised again and this time they may never ever know, even with the best of the breed of security solutions installed. This is because, by nature, security solutions are defensive, and all it takes is for that one "undetected" malware to get past through due to that "one click". It is just like a typical real world virus that attacks the human body. The doctors cannot come up with a vaccination for it until first a few people get sick due to the virus. This leads to the awareness of the existence of the virus in the first place and then the doctors are able to analyze it and come up with a vaccination for it. This vaccination will then protect all other human beings from that particular strain of virus if taken before hand. Same is the case with anti-malware software.

Given the well know fact about the trade-off between "ease of use" verses "depth of security", the average user is most inclined to choose "ease of use". Deeper security comes with a price - loss of the ease of use. A typical example of this is the innovativeness of growing Internet today. The growing technologies in the Web2.0 world that are banking on Java-Script, AJAX, IFrames, etc. in order to make life easier, render richer user experience, and to bring usability and abstraction. These technologies have been exploited since their inception by malware authors in order to deliver malware to benign users. One way of overcoming this is by giving up the usability features effectively cutting off malware delivery paths. For example: Using NoScript plugin extension with Firefox browser will not allow Java-Script or ActiveX content to run on a user machine, effectively blocking a wide range of malware exploits such as drive-by-downloads. But then, it comes with a price - loss of ease of usability. Some web-pages (even legitimate ones) will not function properly or up to their full potential, without Java-Script or ActiveX support in the web-browser. An analogy to this is the use of "condoms". With modern day education and marketing, more people use condoms today than years ago in order to protect themselves from Sexually Transmitted Diseases (STD). But still some people do not use condoms and are willing to take the risk for the sake of convenience, comfort and ease of usability. Similarly, in the case of computer security, most people would rather have all the good stuff and ease of usability while willing to take the risk by not having all security solutions "turned on". Having to maintain the newer and richer features of the Internet that are still susceptible to malware, pushes the limit of security software to come up with complex but efficient solutions that are good at providing complete protection while not hogging up the machines processing power and memory.

The crutch to computer security

The biggest hole, glitch or crutch to the world of computer security (anti-malware) is the average computer user.

There are three facets to an average computer user that I would like to mention here:

1. The user who knows or has vaguely heard about computer viruses and threats but just doesn't care. They are either not very interested in educating themselves about existing computer threats or are not too worried about it. They are the people who just do not want to be bothered with such things.

2. The user who just doesn't get it. Such a user usually does not know any better and lives in a world of "ignorance is bliss", thinking somehow they would never get infected with malware and there is no need to practice safe computer-usage habits or pay and maintain an updated security solution. An analogy to this is the typical human mind-set to think they can go and have all the sex they want and whomever they want and nothing will happen to them. These people are knowingly choosing to take the risk reasoning somehow in the possibility of all things they will not get a STD, which is obviously an unintelligent assumption.

3. The user who cares but naively relies on promised security solutions (usually a victim to hyped marketing) living under the assumption of complete protection.

A typical user perspective is - "if I have a security solution installed (such as an anti-virus software, a firewall, etc.), then I should be protected, right?" They tend to treat security software as perfect defenses. But what they fail to understand is that security software are not any better than other computer software and are far from being perfect. They are what they are - "software" - buggy, vulnerable and exploitable. There is no "silver bullet" and there are no "perfect solutions". But again, the average user is not entirely to blame for such a mind set. The so called "marketing geniuses" of security products have not done a good job either in educating the average user or providing them with facts. An analogy to this is "birth control pills". They help prevent a woman form getting pregnant but does not protect her from various STDs. While it is the doctor's responsibility in letting know the limitations of the pill to a patient, it is also the patients responsibility to ask and know about it themselves. It is sad to notice that in order to survive and stay in business, companies that sell/market security products as an add-on to their own products, aid the average computer user to remain ignorant by giving them a false sense of security. The average user believes and assumes that they have the best security product installed, and since they pay good money to keep it updated, they should be safe and protected at all times from all threats out there. This unfortunately is a naive assumption. I personally think that if people who market security products were to be more honest about their strengths and weaknesses it will actually get them a long ways and do greater good to users and the community as a whole, making the Internet a safer place to enjoy.

What needs to be done

The only way to overcome malware is by overcoming ignorance. Needless to say, the average computer user stands as the weakest link in maintaining computer security. Empowering the user with knowledge and education about computer security, instead of making them (totally) rely on security software to protect themselves, is the only way to gain an upper hand in the fight against malware. As it is rightly said "Knowledge is Power", and when this power is vested in the hands of the average computer user, they will make intelligent choices and employ safer practices in turn reducing the amount of malware traffic on the internet. Users should be taught to practice safer browsing habits, apply commonsense, and install "defense in depth" strategies. Here is a paper from VB2007 on user education for computer security and here you will find a learning guide for end-user education. Microsoft too has an online user education guide here and an anti-virus defense in depth guide here.

But again, people can only be taught if they are teachable, i.e. willing to be taught, and sadly, the fact of the matter remains that most people in general do not take computer security seriously. For most of them, it is not the need of the hour. They will only take it seriously when one day they wake up and realize that they are in deep trouble. Until then, the average user could care less about computer security. Although most of them obviously do care about personal privacy, they still fail to understand their role in protecting themselves from exposure. This type of attitude will only worsen the situation. This is because of the shift in intent of the malware authors who are now employing stealth techniques and tending to hide their malicious activity. They prey on unsuspecting users by committing identity theft, compromising accounts and personal information, with the use of stealthier techniques to accomplish their task. Hence, the average user who doesn't take computer security seriously will never know about their compromised status and will never really learn to avoid it or care to avoid it. They would reason - "well, everything seems to be working fine, I can still use my computer for music, movies, dating, games, e-mail, information-search, create a document, print, read the news, check the weather, buy stuff on-line, check my accounts, chat, etc. I have an anti-virus software, and it keeps me safe and good." This is purely naive thinking!! Because of the nature of malware on the Internet today, an infected user might not known about about their infected status for a long time to come. Even though everything might "seem" to be working fine on the outside, the malware has already carried out its malicious activity behind the scenes. The only way an infected user might know that they are actually infected is if the user had chosen to install and maintain a frequently updated anti-malware solution and if eventually their installed anti-malware software has detection and disinfection available for that particular piece of malware. But what people need to understand is that having such defenses and protection alone is not enough. They still need to use commonsense in order to avoid malware and infection.

Some of the safer computer-usage habits that need to be practiced are:

1. Not downloading or viewing attachments from unknown sources/senders.

2. Not opening e-mails or clicking on links embedded within e-mails from unknown sources/senders.

3. Using a safer browser such as the freely available FireFox browser with NoScript plugin installed.

4. Not logged on as an Administrator while browsing the Internet.

5. Maintaining fully updated security solutions (notice the plural).

6. Actually taking time to read what a certain pop-up message is about and making a intelligent (or at least a semi-intelligent) decision.

7. Not installing software you do not actually need or from unknown sources.

8. Keeping the system fully updated/patched by installing all released security updates by frequently checking for them.

9. Frequently checking for updates to your favorite application softwares.

10. Getting familiar with a process monitoring tool such as the freely available and very efficient Process Explorer that allows you to know the process name of each process running on your computer. It is a good practice to frequently check the process names on your computer and then use Google to verify that each process name is either a legitimate system process or belongs to a legitimate application.

11. Last but not the least, I would advocate completely avoiding browsing of porn websites because 90% of these websites host malware. Porn websites are the biggest source of malicious software and exploits. But no matter what I advocate about porn, I know most people will turn a deaf ear to me because statistics have shown that pornography in the biggest industry today (it is larger than the revenues of the top technology companies combined: Microsoft, Google, Amazon, eBay, Yahoo!, Apple, Netflix and EarthLink: stats are here) and is one that generates the most amount of traffic on the Internet today (you will find stats here). So even if you are "compelled" and "your arm twisted" to browse porn, please do so with caution and avoid downloading and installing any offered software from such type of websites (especially ActiveX components or browser plugins).

12. Educating yourself about the things I just mentioned above if you do not have a clue about what I am talking.

Nonetheless, having a security solution installed is highly recommended along with "defense in depth" strategies. It is always better to have some protection rather than nothing.

For what it is worth, some people will argue that end-user education does not solve the problem with today's malware. Their argument is it simply doesn't work. You will find some interesting articles here: link-1, link-2, link-3, link-4.

I personally think having some user education is better than no user education.

An interesting analogy of user education to automobile safety education can be found here.

A point and counter-point debate about user education: Point and Counter-Point.

Final thoughts

Until people take security seriously, the anti-malware industry is only fighting a loosing battle. For those few people who do take security seriously, regardless of what the marketing hype teaches them about security products, only their self interest in protecting themselves along with basic knowledge and practice of safer computer-usage habits can actually really protect them.

Digg This | Slashdot This | Add to del.icio.us

Bashing-up a BACKLOG of Malware - ASGS (Automated Signature Generation System)

noreply@blogger.com (Eric Uday Kumar) — Tue, 23 Oct 2007 01:59:00 +0000

Having to deal with a "backlog" of malware samples is nothing new for a typical AV-company. A backlog typically comprises of malware samples that are considered "not-so-important" at the moment or have not made it into the priority samples set. Each AV-company typically assigns its own priority levels to incoming malware samples. It is also well known that AV-companies co-operate with each other and exchange known malware samples with each other (personally, I think this type of co-operation is of utmost importance in order to fight the battle against todays' malware). Hence, it is not uncommon for an AV-company to treat a certain malware sample with higher priority while for another AV-company to treat the same malware sample with lower priority. Hence, while certain malware samples might be detected by a certain AV-company, the same malware samples might be awaiting to be processed (as backlog) by another AV-company. Typically for any AV-company, their current customer base and the prevalence of particular malware in their region determine their backlog collection.

Adding to the backlog

My recent visit to the Virus Bulletin conference 2007 in Austria, helped establish relations with other AV-companies who are now partnering with us in exchanging malware samples. These are reputed AV-companies based in India, China, Finland, Austria, Spain, etc. further diversifying our malware collection.

Apart from exchanging samples, there are a multitude of trusted sources and customer base from where we obtain malware samples each day. The numbers have been constantly growing within the past two years, contributing to an enormous backlog of malware samples. On a typical day, we could be receiving anywhere from 2,000 to 3,000 samples.

The need for Automation

The rate at which malware are being "thrown at us" is much greater than we (a few malware analysts) can manually analyze and add detection for them. Hence, instead of throwing more individuals at the problem, there is a definite need for "Automation", more so today.

The first step in the automation process is to be able to identify samples from the bulk (waiting to be processed) as "malware" (as reported by other scanners), and then automate the "signature" generation for detection of these malware samples. This takes away a huge chunk of human interaction or manual work, speeding up the process. A huge challenge in such a procedure is generating "safe" signatures, i.e. signatures with the probability of "close-to-zero" false-positives.

Enter ASGS (Automated Signature Generation System)

The ASGS took a few months for me to implement that involved quite a few iterations in improvements and testing. I implemented the system using two of my favorite scripting languages - 4nt and Perl. Most of the iterations were about improving efficiency and minimizing false positives by incorporating extra checks. The system is now fully functional and sits as a Window's-XP Virtual Machine image processing the backlog once a week. As of now, the ASGS automatically generates signatures for only Window's PE files (the most prevalent of malware types on today's Internet, and the larger chunk of existing backlog), but the intent is to eventually automate signature generation for other file types as well. The system is completely automated and takes extreme care in NOT generating signatures that could cause potential false-positives. A typical scenario would be where a malware analyst simply executes a single command line program and the rest is taken care of. Once the signatures are ready, the malware analyst is notified via e-mail and a complete false-positive test is carried out before the signatures are released.

Bashing-up the backlog

Since my initial work developing the ASGS in Nov 2006, followed by several months of tweaking/improvements and testing, the results produced are quite impressive and satisfying. Initially it was sporadically being used to generate signatures for a few thousand samples each week, but was still not fully automated. An initial "automated" first version of the ASGS (by April 2007) tackled about 20,000 malware samples. By June 2007 I had the second version of ASGS tackle another 25,000 malware samples and by August 2007 the third version of ASGS was able to tackle about 27,000 more malware samples. It was exciting to be able to come in and have "safe" and "ready" signatures to be tested and released, detecting thousands of pieces of malware. By September 2007 the final version of ASGS went into production that automatically generated signatures for an astounding 35,000 malware samples. The backlog has since been declining. As of today, the backlog stands at a more manageable number as most of the malware samples left are non-PE files (such as text, scripts, html, Microsoft office documents, *NIX files, etc.).

Future work

1. Automating signature generation for non-PE files.
2. Automating the analysis process and generate an initial report for suspicious files (or those that are not detected by any other scanners).
3. Integrate "automated analysis" and "automated signature generation" with e-mail honeypots and high-priority alert systems to fight todays' growing threats in real-time.

Digg This | Slashdot This | Add to del.icio.us

Detecting the "Storm Trojan" botnet - network traffic anomalies

noreply@blogger.com (Eric Uday Kumar) — Wed, 17 Oct 2007 02:42:00 +0000

Since its first appearance in early January 2007, the "Storm Trojan" has aggregated an astounding number of infected hosts or bots (about 1 million to 10 million computers). The botnet is of command-and-control (C&C or C2) nature over a peer-to-peer (P2P) network and implements the e-donkey or Overnet protocol to communicate data and actions to its nodes. Such a botnet is extremely difficult to track and take down owing to its de-centralized nature.

According to a blog post from Microsoft's Anti-malware team, their Malicious Software Removal Tool (MSRT) - which is updated and shipped once a month on Patch Tuesday - disinfected a large number of computers (about 2.6 million Window's machines) from variants of the "Storm Trojan".

Latest developments in researching the "Strom Trojan" have revealed that certain anomalies or spikes in network traffic can be used to detect hosts (or nodes) belonging to its botnet.

An interesting blog post about this is from eset. It shows the nature of spike in network traffic whenever a new node joins the "Storm Trojan's" de-centralized botnet. You can find the blog post here.

There is also an article by SRI on the Storm Trojan. You can find the article here.

There is also a post on "The Register" about "Storm Trojan's" new encrypted traffic being used to detect its botnet. You can find that post here.

Bleeding Edge research posted more info about this as well. Encrypted storm traffic and Storm side CC channel. They also maintain a list of compromised host IPs.

According to a blog post by Ryan Naraine, the creators of the "Strom Trojan" are now partitioning their botnet in order to make it available for sale to spammers and denial of service attackers. This discovery was done by Secure Work's researcher Joe Stewart who has been tracking the Storm botnet for a while.

A very interesting blog post by Websense, detailing the chronological appearance of the "Storm Trojan" can be found here.

Frank Boldewin recently posted a nice writeup on the internal workings of the "Storm Trojan" based on the variant Peacomm.C. You can find that here.

Note: "Storm Trojan" (a.k.a. Nuwar, Tibs, Peacomm, Zhelatin, Fathom, Storm Worm, Dorf, Trojan.Peed, Trojan-Downloader.Win32.Small.dam, CME-711, etc.)

Digg This | Slashdot This | Add to del.icio.us

Virus Bulletin Conference 2007, Vienna

noreply@blogger.com (Eric Uday Kumar) — Thu, 27 Sep 2007 03:00:00 +0000

I had the privilege of attending the Virus Bulletin 2007 conference in Vienna, Austria and witnessing it first hand. Although this was my second attendance to a security conference (the first one being the AVAR conference in Auckland, New Zealand in Dec 2006 where I presented a paper about Rootkits on Windows), this was my first time attending the Virus Bulletin conference. It has truly been a pleasurable experience. Apart from enjoying the beautiful music, art, monuments and palaces of Vienna, the conference itself was very informative and interesting. The best part was to be able to meet some of the best minds in the AV-industry, as well as to connect with some of the well know and well respected figures in the AV-community.

AVPD and Wild List

I also had the opportunity to attend the AVPD (Anti Virus Product Development Consortium) & Wild List meetings that were held prior to the actual VB conference. Both of these organizations are supported and sponsored by ICSA labs that are known for their certification testing of AV-products (among other security products). Andrew Hayter, who led the AVPD meeting, introduced the current methodology used for testing and proposed some future improvements. The Wild List meeting led by Peter Chung had interesting ideas floating around in order to improve the quality of current Wild List.

Good ole Wild List

ICSA labs publishes its AV-product testing results in buyer’s guides for security products. Such results clearly influence buyers’ decisions toward AV-products. Another such influential AV-product testing results is published by AV-Test.org which is maintained by Andreas Marx and his team. It is worth mentioning here about Andreas Marx conference presentation on “death of the Wild List" where he emphasized upon known limitations and shortcomings of the current Wild List that render it irrelevant and misleading for AV-product testing. In other words Andreas states that the Wild List collection is non-dependable and trivial. Even though Andreas is quite right in stating so, my personal opinion is that the Wild List has potential. It is supposed to be a diverse collection of self-replicating pieces of malware that are actually prevailing “in the wild”. The quality of the Wild List is only as good as the quality, quantity and consistency of its reporters (malware researchers from reputable AV-companies – the chosen ones). This heavily requires more “active” reporters to respond and submit samples that are found in the wild, more frequently.

An interesting presentation…

An interesting, well versed and technically rich presentation was by Dr. Vesselin Bontchev from FRISK Software. His presentation introduced various points of susceptibility in modern mobile platforms that would allow virus (or self-replicating code) to thrive. He also gave some predictions about the future of viruses on such platforms.

Building relations…

I also had the privilege of connecting with a diverse group of people: from prominent researchers, tech junkies, and marketing personal to people from the academia. I was also able to build relations with representatives from globally know AV-companies as well as with those from localized AV-companies. Some of these localized AV-companies are actually very well known and thriving in their local geographical regions.

A sense of community in the AV-industry

Any AV-company, while always striving to improve its technology, also tries to diversify its malware collection and rely on reputable sources to contribute to an ever-growing set of samples. Attending conferences such as these and building relations helps any AV-company to establish a base line of trust allowing the exchange and influx of newer malware samples from other AV-vendors. This also helps them to see the bigger picture in terms of newer evolving threats. This in turn, also helps the AV-community as a whole, to work and fight as a team against today’s commercialized malware crime.

The Feds need our help…

Finally the conference was commenced with a panel of international law enforcement representatives chaired by David Thomas (FBI special agent, Cyber Crime division). The discussions provided insight into workings of the world police in fighting Internet crime. The panel described that they really take cyber crime very seriously and that the Internet is actually “killing people”. They also admit that they cannot fight this battle all by themselves and require help from the AV-community. Their plea was for partnership and co-operation from the AV-community in providing information about organized computer crime that we might come across on a day-to-day basis. They also acknowledged that as a business, we still have to provide services to our customers and appreciate any time we spend in helping out law enforcement officials. The representatives in the panel admitted that they are limited in their resources and man-power to fight this battle, and that sometimes, reported incidents might seem like un-noticed by them, but those might later be re-surfaced to build up a case against the bad-guys. Hence no information is useless information. My personal opinion: as a community we should be able to, as time and resources permit, provide useful information to law enforcement agencies to help curb this scum of internet crime.

The fun part…

Conferences such as these are specifically geared toward the AV-community (also popularly known as “white hats”), in an attempt to exchange information & technology, educate each other of the types of threats being dealt with, and prepare for emerging threats. The conference was a perfect combination of technology, passion, and fun. The gala dinner on the second day of the conference was profoundly entertaining, presented with good food, and Viennese waltz performance.

They also arranged for a complete casino set for those post dinner partiers. Free chips were given away for those who wanted to try their luck, and needless to say I happened to try my hand as well.

Surprisingly, I won a whole stack of chips (not too bad for a first timer) until in the end I put it “all in” and lost it all!! (a mixture of over confidence and greed I suppose). Oh well! “easy come, easy go”. If only I had followed my wife’s advice and stopped at that moment I might have won her an ipod (which was the first prize to be given away to the person who won the most number of chips). All in all, the conference was a great experience in every respect.

Me and my wife, Amy, at the gala dinner.

Digg This | Slashdot This | Add to del.icio.us

The Eye of the Storm

noreply@blogger.com (Eric Uday Kumar) — Fri, 13 Apr 2007 02:00:00 +0000

The recent massive spam run by the makers of the infamous “Storm Trojan” resulted in numerous variants hitting our honey pots. Dynamic re-packing and server-side polymorphism allows the creators of the "Storm Trojan" to create new binaries every few minutes. The variants are then spammed out using the strong de-centralized botnet they have created in an attempt to thwart signature based detections. The "Storm" botnet is several million computers strong, most of which are un-suspecting users who have become victim to the trojan's social engineering tactics.

( Source of the picture: sro.hse.gov.uk )

Newer attack vector…

The most recent variants are being spammed as encrypted zip file attachments via spoofed e-mails. The password for the encrypted zip is included as a GIF image within the e-mail. The GIF image also includes a message posing as a security patch being offered by some arbitrary Customer Support Center. This new variant employs numerous anti-debugging techniques in order to thwart analysis. It is also packed with a polymorphic packer.

The Intent…

The Trojan displays tactical use of social engineering techniques arriving as an attachment to an e-mail. The goal is to lure an un-suspecting user to execute the Trojan which would render the victim machine part of a huge botnet. The primary purpose of the botnet being to send out penny stock spam (also called pump-and-dump penny stock) or to initiate Distributed Denial of Service (DDoS) attacks. Subsequent versions of the Trojan were distributed by means of embedding it within an open source e-mail worm.

Shying away from IRC!!

The botnet that is being created communicates over a peer-to-peer network (P2P) for its Command and Control (C&C) rather than the traditional IRC communication. This ensures creation of a “headless” botnet that is not bogged down by a single point of failure. The Storm Trojan’s implementation of Web HTTP and P2P methods of communication are indicative of the shift toward stealthier means of building a botnet. Such a de-centralized network allows for data and information to be "sync-ed" among each of the nodes of the botnet and to any of the newer nodes that are being added to the botnet. Each of the infected nodes will also carry a "peers list".

What drives the Storm?

When the Trojan is executed, it drops a kernel mode driver (wincom32.sys) that it registers as a service via the Service Control Manager (SCM). Initial versions of this driver did not attempt to hide any files or registry entries but did include stealth in order to execute its payload. Subsequent versions of this driver program started to incorporate more and more rootkit like functionalities in order to hide registry entries, files, and active communication ports.

This driver program is instrumental in executing the Trojan’s payload. The payload is an embedded executable within the driver program. In order to execute the payload the driver employs stealth techniques. The payload is injected from kernel space into the user space of “services.exe” and scheduled for execution by queuing an Asynchronous Procedure Call (APC) for it. Due to this, there is no “visible” process executing the payload if we were to use tools such as Window’s Task Manager or Process Explorer. Initial versions showed significant network activity via newly opened ports (UDP traffic). Subsequent versions of the driver program incorporated rootkit techniques in order to hide files and registry keys (by hooking the Service Descriptor Table) as well as any active communication ports (by hooking IRP_MJ_DEVICE_CONTROL of the ‘\Device\Tcp’ object).

Digg This | Slashdot This | Add to del.icio.us

ANI Exploits, NX-bit, DEP, Protected Mode… jargon

noreply@blogger.com (Eric Uday Kumar) — Wed, 04 Apr 2007 00:00:00 +0000

Since its discovery in the wild, there are now hundreds of specially crafted websites that host malicious ANI files that exploit the “Windows Animated Cursor Handling” vulnerability. This vulnerability is exploitable on fully patched Windows XP SP2 and Vista running Microsoft’s Internet Explorer 7 or Mozilla FireFox 2. Simply visiting such a rigged website will render a victim machine infected. The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. When such an attachment is viewed or opened with Outlook or Outlook Express the victim machine will be infected by a host of malware. Also, if a malicious ANI file is viewed using Explorer (file extension matters in this case), the exploit will be triggered.

Speaking of browsers, the damage is mitigated if Internet Explorer 7 is running in Protected Mode. This will still permit the malware to have read-only access to a user’s files, allowing it to steal and copy personal data, but will not be able to alter or delete any data. UAC (User Account Control) in Vista might only be able to prevent installation of persistent malware, but won’t prevent damage to user’s data unless the browser is running in Protected Mode. FireFox does not have Protected Mode under Vista, and if exploited using the ANI file vulnerability, will allow malicious code to execute with similar privileges as the logged on user allowing complete disk read and write. Do not get confused with “Safe Mode” in FireFox which is purely for debugging purposes.

The ANI exploit is preventable by enabling DEP (Data Execution Prevention) in Windows XP SP2 or Vista. When enforced with hardware NX/XD support, DEP will prevent the exploit from being triggered. Beginning with Windows XP Service pack 2 and Windows Server 2003 Service Pack 1, the NX features were implemented for the first time on x86 architectures. The NX bit (as termed by AMD which stands for No eXecute) or XD bit (as termed by Intel which stands for eXecute Disable), is a technology used in CPUs to separate areas of memory for storage of processor instructions (i.e. code) and for storage of data. The section of memory designated with the NX attribute indicates it to be used for storing data. Hence, even if processor instructions reside in such a section of memory, they cannot be executed. This prevents malicious programs from executing their own code which they might have inserted into another program’s data storage area. This is precisely what the ANI exploit does, and DEP (OS feature) combined with NX/XD (CPU feature) can prevent this from happening.

But Microsoft ships most of its Window’s operating systems with DEP turned off by default. It is on the user to turn DEP “on” for all applications. This might render a few applications not functioning properly, but I believe this is a price well worth the bargain. This should also teach application developers to adhere to safe programming practices.

Microsoft will be releasing an out-of-cycle patch for this vulnerability today.

Digg This | Slashdot This | Add to del.icio.us

New “Zero Day” Vulnerability in Windows Animated Cursor Handling

noreply@blogger.com (Eric Uday Kumar) — Sat, 31 Mar 2007 01:15:00 +0000

A new zero day vulnerability has been discovered in the way Microsoft Windows handles animated cursor files (.ANI files). The ANI file format is based on Microsoft's RIFF file format. There have been reports of specially crafted ANI files being hosted on websites that exploit this vulnerability. When an unsuspecting user visits such a "rigged" website, using any of the popular browser applications such as IE7 or Mozilla Firefox, the vulnerable Window's code will be invoked in order to parse/render the specially crafted ANI file which in turn will invoke the exploit code. Resulting this, malware will be silently downloaded and launched on the victim machine (drive-by downloads). Remote code will be executed with the privileges of the logged on user.

The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. The exploit works independent of file extensions making it useless to simply block .ANI files on e-mail gateways. Simply configuring Outlook or Outlook Express to read mail in plain text will still parse the ANI file and hit the exploit. Simply "viewing" such a malicious ANI file using Window's Explorer will allow the exploit code to be triggered.

Microsoft has released a security advisory regarding this: http://www.microsoft.com/technet/security/advisory/935423.mspx

A CVE-2007-0038 has been assigned to this vulnerability.

It seems like the vulnerability is already exploited in the wild:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Digg This | Slashdot This | Add to del.icio.us

Back from New Zealand (AVAR2006 Conference)

noreply@blogger.com (Eric Uday Kumar) — Fri, 15 Dec 2006 03:30:00 +0000

I am back from the AVAR2006 conference in Auckland, New Zealand. This was my first security conference while pursuing my first professional job as an Anti-Virus Research Engineer. I am delighted to have been able to attend the conference. It was also a great experience to be able to present at the conference as well. I surely had a wonderful time.

You can access my "Rootkits on Windows" presentation and paper from my website: Anti-Malware Research

The best part of the conference was being able to meet and connect with some the well renowned researchers in the AV-industry, many of whom I highly revere and respect. Prominent among them are Peter Ferrie, Peter Szor, Dr. Vesselin Bontchev, Dr. Igor Muttik, Joe Telafici, Andrew Lee, Randy Abrams, and Tony Lee, to name a few.

Here is a picture of me just before delivering my presentaion :)

You can find some more of the pictures taken at the conference on the AVAR2006 website.

I was fortunate to be able to bring my wife with me on the trip as well. After the conference, we spent a few days vacationing in the North Island of New Zealand. A truely amazing and beautiful place I must say. We both had a great time. The people are very nice and laid back. There is so much fun and adventure stuff to do with such beauty surrounding, it was absolutely amazing!

My kind of adventure: "Free Flying"

We highly recommend visiting New Zealand for all those who love to travel. As for us, we will have to go back and visit the South Island next time, which the New Zea-landers say is much more awesome...

Digg This | Slashdot This | Add to del.icio.us

Presenting at AVAR2006, Auckland, New Zealand

noreply@blogger.com (Eric Uday Kumar) — Thu, 30 Nov 2006 03:42:00 +0000

Exciting news to share!!
I am preparing for my visit to Auckland, New Zealand for the AVAR2006 conference (Association for Anti-Virus Asia Research) to be held from 3rd Dec through 5th Dec. I will be doing a presentation about “Rootkits on Windows”. This is about the "rootkit-like" techniques used by today's Window's based malware to “subvert” the kernel and about the co-evolution of anti-rootkit techniques. The presentation will extensively cover the well-known tricks to the latest developments in the rootkit area. Apart from the long flight journey (24 hrs), I am looking forward to visit the beautiful land of New Zealand :)

Digg This | Slashdot This | Add to del.icio.us

Rootkit techniques in today’s Windows based Malware

noreply@blogger.com (Eric Uday Kumar) — Fri, 13 Oct 2006 03:00:00 +0000

Recent Malware trends on Windows NT based platforms are adopting more and more Rootkit like techniques, i.e. employing cloaking and stealth. Such techniques are either embedded within the malware itself or simply assist the malware while existing as a third-party application. Two such proliferating malware that embed "rootkit-like" functionalities within them are W32/Haxdoor and W32/Goldun. The wide range of today's Window's based malware such as Trojans, Mass-mailers, Backdoors, Spyware & Adware Programs, use stand-alone/third-party rootkit programs in order to cloak files/folders, processes, registry entries, memory modules, handles, TCP/UDP communication ports, logins, log files, and any other resource used of the Operating System to conceal their malicious activity.

There are two types of rootkits: the ones that operate at Window's kernel level and the ones that stay at the user level. Kernel-mode rootkits are more powerful and much harder to detect, disinfect or de-activate. But these are more complicated to implement and require administrator privileges to be installed on a machine. A kernel-mode rootkit is usually a kernel mode device driver program which is loaded by the malware. User-mode rootkits are less powerful but still very efficient and much easier to implement and deploy. The most popular among the publicly available rootkits are the FU-rootkit (Kernel-mode rootkit) and Hacker Defender (User-mode rootkit).

The wide usage of rootkits in today’s malware is attributed to their ease of availability via the web. They are downloadable as ready to use rootkits or as source code for those who want to compile custom rootkits. Ther are online resources for both rootkit developers and security professionals who could use this information to educate themselves and learn the ways of the attacker in order to develop anti-rootkit techniques. Most advances in Windows based rootkits are posted on the internet in the form of discussion groups, news reads, blog posts etc.

Another reason to which the use of rootkits can be attributed is “a shift in intent of writing malware”. Viruses and worms are no longer written to prove skill or to draw attention but rather as a means to bank the green bucks! This shift in intention or rather the commercialization of malicious intentions has greatly increased the creation and proliferation of “crime-ware” (or snoop-ware such as spyware, keyloggers, backdoors, Trojans, etc.). These applications demand the use of stealth in order to "own the box" for as long as possible without being detected and without being able to be traced back to.

In order to combat today’s rootkits we require more of a pro-active approach rather than the traditional reactive approach. Merely adding signatures to definition files (i.e. if we are lucky enough to get our hands on the rootkit in the first place), is only “pushing the problem under the rug”. More wide-spread use of rootkits among malware is predicted in the near future and so will co-evolve the sophistication of rootkit detection tools and methods.

Digg This | Slashdot This | Add to del.icio.us