Anti Rootkit Blog

The Storm Worm has been doing it’s latest round since 23rd December. It has been masquarding as a christmas strip show enticing users to get infected. Prevx have been tracing the movements of the worm and have seen over 700 variants in a few days.

The worm is proving very elusive because of its fast flux method of evading detection.
“Fast-flux is basically load-balancing with a twist. It’s a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.”

Then on Christmas day it changed its form to now entice people to click on a New Years Card called happy2008.exe and happynewyear.exe which users would download from legitimate looking sites called happycards2008.com and newyearcards2008.com

Here are the whois for these domains….

Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

Domain name:             NEWYEARCARDS2008.COM
Name Server:             ns.newyearcards2008.com 75.53.216.142
Name Server:             ns10.newyearcards2008.com 70.142.192.219
Name Server:             ns11.newyearcards2008.com 72.128.113.26
Name Server:             ns12.newyearcards2008.com 72.128.30.86
Name Server:             ns13.newyearcards2008.com 74.130.106.75
Name Server:             ns2.newyearcards2008.com 76.237.206.65
Name Server:             ns3.newyearcards2008.com 64.30.118.241
Name Server:             ns4.newyearcards2008.com 75.23.73.65
Name Server:             ns5.newyearcards2008.com 76.253.189.137
Name Server:             ns6.newyearcards2008.com 74.69.168.236
Name Server:             ns7.newyearcards2008.com 71.195.165.21
Name Server:             ns8.newyearcards2008.com 88.171.125.18
Name Server:             ns9.newyearcards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

as we can see both are using a lot of nameservers which each can be used to point the person who clicks on either HAPPYCARDS2008.COM or NEWYEARCARDS2008.COM to one of millions of computers in a botnet which has the infected happy2008.exe or happynewyear.exe waiting to be downloaded.

As we can see the Domain names were registered in Russia.

Subject Lines and the Email Text include….

Happy New Year To You!
Wishes for the new year
Opportunities for the new year
New Year Postcard
New Year Ecard
New Year wishes for you
Happy New Year To You!
Message for new year
Blasting new year
As you embrace another new year
It’s the new Year
As the new year…
Happy 2008 To You!
Joyous new year
Lots of greetings on new year
A fresh new year

There is then a link to one of either happycards2008.com or newyearcards2008.com

Current Variants of the worm have a rootkit element that can be used to hide from many antvirus and antispyware scanners.

“Last versions of Stormy worm are using a rootkit component to hide infection components.

After launched, the dropper create a new service and a driver under Windows System directory called clean[4 random chars]-[4 random chars].sys or bldy[4 random chars]-[4 random chars].sys

Driver will hook three Windows native API: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile. Goal is to hide its registry keys and files.

As side effect, it’ll hide every file that contains the strings “clean” or “bldy” in its name.”
From Prevx..

Prevx provide a free scanner called Prevx CSI that can detect these new variants..Download Prevx CSI for free …

Have a Happy New Year… no really…

Keep Safe

Steo - www.antirootkit.com

“The Rise of the Rootkits has begun” are the words of Jacques Erasmus from Prevx who commented recently on the increase in the use of Rootkits.

“Significantly, although rootkits were detected on 15.6 percent of PCs during October 2007, that figure had risen to 22 percent by early December.”

This indeed shows that there has been an enormous increase in the use of Rootkits in one month alone and the trend is very much upward. The Rootkit List shows that since Nov 1st there has been 79 rootkit related stealth malware creations found by leading IT Security Companies. November has been one of the biggest months of the year so far for new found rootkit creations and variations. This could be down to the fact that online criminals are getting their arsenal ready for Christmas when a lot of people will be buying presents online.

The Prevx results have come from information gathered from the Prevx Online Scanner. This online scanner was used mostly by users who suspected something was wrong with their PC. The Rootkit files found by the Prex online scanner include NDT2.SYS , SROSA.SYS, UNPR.SYS, FMTR.SYS, and INDT2.SYS.

It seems also that a lot of businesses are being caught off guard by Rootkits. “In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14 percent, had one or more PCs harbouring rootkit infections.”

To check your PC for Rootkits check out the Antirootkit Software Page.

To check out the Free Prevx Scan http://www.prevx.com/freescan.asp.

Keep Safe,

regards

Steo

Frank Boldewin, a German IT security specialist has recently published a clear and concise analysis of Peacomm.C code, otherwise known as The Storm Worm, Nuwar or Zhelatin.

The Storm Worm has been hitting hard since Jan 2007 when it was unleashed as spammed emails duping users into following news about the large storms that were hitting Europe at the same time. The Storm Worm has resurfaced under many guises throughout the year. Coming up to Valentines Day millions of emails were spammed out duping the users into viewing a message from a loved one.

This code and underlining Rootkit has helped criminals setup a major Botnet comprising of captured zombie PC’s from all around the world. Most of these PC owners are oblivious to the fact that their PC is part of a Botnet and is in control of criminals intend in using it to make money for themselves.

Frank dissected the code after receiving a spammed out email which had a link to malware which when installed would have installed the Peacomm.C rootkit and the PC would become part of the botnet.

“On 22th August 2007 I received an email informing me about “New Member Confirmation”, including Confirmation Number, Login-ID and Login-Password. To stay secure I should immediately change my Login info on a provided website link. So I’ve started investigating what surprises are awaiting people clicking on such kind of links. Next to a friendly message telling me that my download should start in some seconds, I also got a browser exploit for free, to ensure the “software package” gets really shipped. “Hey that’s cool”, I thought by myself. “It’s like Kinder Surprise® - three in one!” Unfortunately, at this time I hadn’t enough incentive for a deep analysis and so I just stored the malicious file called applet.exe in my archive for later fun with it.”

Frank goes into some depth in his analysis including topics such as:

• First stage XOR decrypter
• Second stage TEA decrypter
• TIBS Unpacker
• Anti-Debugging code
• Files dropping
• The driver-code infection
• Finding the OEP to the native Peacomm code
• Finding and patching the VM-detection tricks
• SSDT file hiding
• Shellcode injection for process spawning
• System files locking

This excellent in-depth analysis in PDF format along with the Peacomm.C binaries can be downloaded from Frank’s site www.reconstructer.org.

A html version is available from antirootkit.com

Have fun, enjoy the read and be cautious with the binaries.

regards

Steo
www.antirootkit.com

With so many mobile devices around these days and so many running Windows Mobile or Windows CE it is no wonder the boys at the top are already thinking about how these devices can be hacked and Rootkits installed

The rootkit could be used to hide a keylogger ( or would that be stylus presslogger ) and send the  valuable information back to the author.

The article on the Symantec Blog today shows us that their researchers have already looked into the possibilities of rootkits hiding keyloggers and they have produced an Internal Whitepaper ( no doubt it will be leaked:-) )

 ”The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.”

What we are left with now is not a case of “if” we will have Windows CE/Mobile Rootkit, it is a case of when. From their research it shows that rootkits are possible on Windows CE/Mobile devices it is just a matter of when it will become profitable for a malware author to actually actually create and put one into practice.

At some stage in the future we could get to the stage where if you answer a phone call on your Windows Mobile device you could get a keylogger and rootkit installed via some vulnerability.

Keep Safe,
regards

Steo
www.antirootkit.com

Referances: Windows CE/Mobile Rootkits

When Windows Vista  came along we were told that no Rootkits could run in Vista because of all the various security enhancements within. Then over the months since the Beta versions of Vista various people have come up with ways that may be able to install a rootkit ( see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).

Since the official release of Windows Vista earlier this year there has been a concerted effort by Security Researchers to come up with a ways to install rootkits or hide processes within Vista. 

Security researcher Alex Ionescu is one such researcher who has done a lot of work in the area of Protected Processes in Vista.

From Microsoft:

“The Microsoft® Windows Vista™ operating system introduces a new type of process known as a protected process to enhance support for Digital Rights Management functionality in Windows Vista. These protected processes exist alongside other processes in Windows Vista.”

and

“Constraints on protected processes. A typical process cannot perform operations such as the following on a protected process:
· Inject a thread into a protected process
· Access the virtual memory of a protected process
· Debug an active protected process
· Duplicate a handle from a protected process
· Change the quota or working set of a protected process”

So it looks like a Protected Process has some immunity from being interfered with and thus checked for badness. This sounds very Rootkit like to me. Although a rootkit is designed to hide processes, among other things, the main reason is to avoid programs from seeing what it is up to. A rootkit may be hiding a Keylogger from being detected and the same could be said for a keylogger in Vista after it has become a protected process.

Alex Ionescu has released a tool called D-Pin Purr that can both Protect and Unprotect a Protected Process in Vista.

From Alex’s Blog:

“It’s based on the Microsoft documentation which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course).”

“Unforunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this. I tried it on the only two protected processes I know on Vista (audiodg.exe and mfpmp.exe).”

“Being able to play with the PMP application isn’t really what I was interested in, since most of the high-level security is in the kernel anyway. The intersting thing is that I can make any application of my choosing protected, and thus undebuggable, uninjectable and with its address space secure.”

Well I’m off to have a good mess around Alex’s tool and I’ll report back some findings.

Keep Safe,
regards

Steo
www.antirootkit.com

References:

Why Protected Processes Are A Bad Idea

Introducting D-Pin Purr v1.0 - 32bit Edition

Microsoft Protected Process Whitepaper

Update: July 9th 2007 - see Abnormal activity from your IP…yeah sure 

Over the last 2 days there has been what seems to be a massive Virus outbreak caused by the Storm Worm. The Storm worm was first introduced to us January when large storms were battering Europe a worm was spammed out disguised as important news on the storm with subject lines like “230 dead as storm batters europe”.
The next time the Storm Worm was unleashed was around Valentines Day when emails pretending to be from a lover were spammed out to millions of people across the Internet. Then last weekend a new Storm surge was spammed out as news of World War 3 starting against Iran and love related subjects like “A kiss so gentle” or “I dream of you”.

The latest Storm run was seen on the radar about 6 PM GMT on Thursday and within 24 hours over 55 million emails were sent out by the Worm according to Postini, an email security company. This is over 60 times the normal rate for a “normal” 24 hour period.

The subject lines currently being used are:
Worm Detected!
Virus Detected!ected!
Virus Activity Detected!
ATTN!
Spyware Alert!
Spyware Detected!
Warning!
Trojan Alert!
Trojan Detected!
Worm Activity Detected!
Virus Alert!

The Body of the email may look similar to the following:

From: Customer Support

Dear Customer,
Our robot has detected an abnormal activity from your IP address on sending e-mails.

Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch because the worm can modify unpacked exe files. You should open the archive file, enter the password and run the patch immediately.

Password: {Random}

Customer Support Center Robot.

Attachment: Patch-{Random}.zip
Attachments:

It arrives with 2 attachments. One attachment is normally a gif, more about this later and the other attachment is a zip file with a password.

The format the zip files take is one of the following:
patch-[RANDOM 4 DIGITS].zip
removal-[5 RANDOM DIGITS].zip
hotfix-[5 RANDOM DIGITS].zip
bugfix-[5 RANDOM DIGITS].zip

The use of a password protected zip file is a new tactic used by the Storm Worm. Random numbers and letters are used for each attachment in the email that is sent out. The password for the attachment is given with the email. The file within the zip, when run, will install the Storm Worm on your PC and hide itself from Virus Scanners by using a Rootkit. The Rootkit component is wincom32.sys and from using anti rootkit software it can be seen to ensure its visibility by hooking the following:

Rootkit Elements: 

SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys

IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys

and it also hides registry entries pointing to the wincom32.sys.

Although Anti Virus Scanners will not “see” these files you can get a dedicated Anti-Rootkit program from our Anti-Rootkit Software Page.
Anubis have an extremely in-depth analysis of a sample submitted to them.
http://analysis.seclab.tuwien.ac.at/result.php?taskid=0ce16256cab3e414c180082fafc8d4b4&refresh=1&embedded=1

Tactics:

The reason this particular Storm Worm run has become so massive is that the authors have employed some new tactics and some old trustworthy tactics.The new tactics include using an image file which has the text of the message. This means that anti virus scanners can not scan an email for suspicious text. This tactic has been recently employed by spammers to bypass anti spam mechanisms.
The tactic of the password zip file is not new and has been used in the past by many worms including the infamous Bagle. What is new to the Storm Worm is the polymorphic features of the code. Each worm is going to be slightly different so as to better avoid detection by anti virus email scanners.
The tactic of informing people that they have malware on their PC is not new either but it is effective. This is especially effective because of the limited run a few days before. This run got the Storm Worm in the media and then the Thursday run with all its new mechanisms may have piggy backed on the fear people may have that they are infected.

Behind the Scenes:

So what and who is behind the Storm Worm. It is thought that the worm is originating from Eastern Europe and is spammed out so as to get as many victims to start the ball rolling initially. The worm the spreads from PC to PC via its own email program using addresses from the users email address book. Once on a users PC the worm joins the PC up to a massive Botnet comprised of thousands of unsuspecting users PC’s. The Botnet is then used to send out massive amount of what is called Pump and Dump Spam. This is where  Stock is advertised at low prices and it expectant value is very high. When unsuspecting users buy this stock they will help the price of the stock to go up. When the price of the stock goes up the Stock is sold off by the originator of the Pump and Dump spam at emmense profits.

The Storm Worm runs on Windows 98, ME, NT, 2000, XP, and Windows Server 2003.

The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code.

Keep Safe
regards

Steo
www.antirootkit.com

References:

The Eye of the Storm

Storm Worm blows up, breaks records

WORM_NUWAR.AOP

Consumer alert: Massive virus outbreak

Massive spam shot of ‘Storm Trojan’ reaches record proportions