Archive for the 'New Rootkits' Category

Forecast - Massive Storms clouded by Rootkits

Friday, April 13th, 2007

Update: July 9th 2007 - see Abnormal activity from your IP…yeah sure 

Over the last 2 days there has been what seems to be a massive virus outbreak caused by the Storm Worm. The Storm Worm first appeared in January: while large storms were battering Europe, a worm was spammed out disguised as important news about the storm, with subject lines like “230 dead as storm batters europe”.
The next time the Storm Worm was unleashed was around Valentine’s Day, when emails pretending to be from a lover were spammed out to millions of people across the Internet. Then last weekend a new Storm surge was spammed out, this time as news of World War 3 starting against Iran and with love related subjects like “A kiss so gentle” or “I dream of you”.

The latest Storm run was seen on the radar about 6 PM GMT on Thursday, and within 24 hours over 55 million emails were sent out by the worm according to Postini, an email security company. This is over 60 times the rate seen in a normal 24 hour period.

The subject lines currently being used are:
Worm Detected!
Virus Detected!
Virus Activity Detected!
ATTN!
Spyware Alert!
Spyware Detected!
Warning!
Trojan Alert!
Trojan Detected!
Worm Activity Detected!
Virus Alert!

The Body of the email may look similar to the following:

From: Customer Support

Dear Customer,
Our robot has detected an abnormal activity from your IP address on sending e-mails.

Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch because the worm can modify unpacked exe files. You should open the archive file, enter the password and run the patch immediately.

Password: {Random}

Customer Support Center Robot.

Attachment: Patch-{Random}.zip
Attachments:

It arrives with 2 attachments: one is normally a GIF (more about this later), the other is a password-protected zip file.

The format the zip files take is one of the following:
patch-[RANDOM 4 DIGITS].zip
removal-[5 RANDOM DIGITS].zip
hotfix-[5 RANDOM DIGITS].zip
bugfix-[5 RANDOM DIGITS].zip
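A mail-gateway rule that recognises these lures can be built from nothing more than the indicators listed in the posts on this page: the alert-style subject lines, the patch/removal/hotfix/bugfix zip names with their fixed digit counts, the password handed over in the body, and (from the January posts further down) the bare executable attachment names sent with an empty body. The following is an added example written for this page, not code from antirootkit.com; the sample messages are constructed, and the scoring thresholds are an assumption.

```python
import re

# Subject lines used by the April 2007 "alert" run (from the post above).
ALERT_SUBJECTS = {
    "Worm Detected!", "Virus Detected!", "Virus Activity Detected!", "ATTN!",
    "Spyware Alert!", "Spyware Detected!", "Warning!", "Trojan Alert!",
    "Trojan Detected!", "Worm Activity Detected!", "Virus Alert!",
}
# patch-NNNN.zip, removal-NNNNN.zip, hotfix-NNNNN.zip, bugfix-NNNNN.zip
ZIP_LURE = re.compile(r"^(?:patch-\d{4}|(?:removal|hotfix|bugfix)-\d{5})\.zip$", re.I)
# Executable attachment names used by the January 2007 runs (listed further down the page).
EXE_LURE = re.compile(
    r"^(?:FullVideo|Full Story|Video|Read More|FullClip|GreetingPostcard|MoreHere"
    r"|FlashPostcard|GreetingCard|ClickHere|ReadMore|FullNews)\.exe$", re.I)
# The April run puts the archive password in the body so the recipient can open it.
PASSWORD_IN_BODY = re.compile(r"\bpassword\s*[:=]\s*\S+", re.I)

# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    {"subject": "Worm Detected!",
     "body": "Our robot has detected an abnormal activity from your IP address. Password: 4912",
     "attachments": ["alert.gif", "Patch-4912.zip"]},
    {"subject": "A Red Hot Kiss", "body": "", "attachments": ["GreetingPostcard.exe"]},
    {"subject": "Quarterly report", "body": "Q1 figures attached.", "attachments": ["q1.xlsx"]},
    {"subject": "Warning!", "body": "Invoice overdue, see attached.", "attachments": ["invoice.pdf"]},
]


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); every matched indicator adds one point."""
    reasons = []
    attachments = msg.get("attachments", [])
    body = msg.get("body", "")
    if msg.get("subject", "").strip() in ALERT_SUBJECTS:
        reasons.append("subject line used by the April 2007 alert run")
    for name in attachments:
        if ZIP_LURE.match(name):
            reasons.append(f"attachment name matches Storm zip pattern: {name}")
        elif EXE_LURE.match(name):
            reasons.append(f"attachment name matches Storm exe pattern: {name}")
    zips = [a for a in attachments if a.lower().endswith(".zip")]
    exes = [a for a in attachments if a.lower().endswith(".exe")]
    if zips and PASSWORD_IN_BODY.search(body):
        reasons.append("password for a zip attachment supplied in the body")
    if exes and not body.strip():
        reasons.append("empty body with an executable attachment")
    return len(reasons), reasons


def verdict(msg: dict) -> str:
    """Map the score to a gateway action (thresholds are an assumption of this example)."""
    score, _ = score_message(msg)
    if score >= 2:
        return "quarantine"
    return "flag" if score == 1 else "deliver"


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        print(f'{verdict(m):10} {m["subject"]!r}: {reasons}')
```

Two independent indicators are required before a message is quarantined, so a legitimate "Warning!" subject on its own is only flagged for review; the combination of a lure attachment name with either the in-body password or an empty body is what marks the Storm runs.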

The use of a password-protected zip file is a new tactic for the Storm Worm. Random numbers and letters are used for each attachment in the emails that are sent out, and the password for the attachment is given in the email. The file within the zip, when run, installs the Storm Worm on your PC and hides itself from virus scanners by using a rootkit. The rootkit component is wincom32.sys, and anti-rootkit software shows that it hides itself by hooking the following:

Rootkit Elements: 

SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys

IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys

and it also hides registry entries pointing to the wincom32.sys.
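A listing like the one above is only useful once it is turned into a finding: which driver owns the hooks, and what each hooked point lets it filter. The three SSDT hooks cover registry key enumeration, registry value enumeration and directory listing, and the hook on the Tcpip driver's IRP_MJ_DEVICE_CONTROL dispatch covers the requests that tools such as netstat use, which is how the rootkit hides its files, its registry entries and its ports. The following is an added example for this page (not a tool from antirootkit.com or the output format of any particular scanner); it parses a report in the layout shown above and groups the hooks by owning driver. The allowlist name is a placeholder.

```python
import re

# Constructed excerpt in the layout of the listing above: hook type, hooked symbol,
# owning driver, with records separated by blank lines.
SAMPLE_REPORT = r"""
SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys

IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys
"""

# What a hook on each symbol lets the hooking driver filter from callers.
WHAT_IT_HIDES = {
    "ZwEnumerateKey": "registry keys",
    "ZwEnumerateValueKey": "registry values",
    "ZwQueryDirectoryFile": "files and directories",
    "IRP_MJ_DEVICE_CONTROL": "TCP/IP control requests (ports, connections)",
}

# Drivers positively identified as legitimate hookers on this host (an AV or
# firewall driver, for instance).  The name below is a placeholder for the example.
ALLOWLIST = frozenset({"trusted_hips_example.sys"})


def owner_basename(path: str) -> str:
    """Strip the \\??\\ device prefix and the directory; keep the lowercase file name."""
    path = re.sub(r"^\\\\\?\?\\", "", path.strip())
    return path.rsplit("\\", 1)[-1].lower()


def parse_report(text: str) -> list[dict]:
    """Split the report into records of (kind, symbol, path, owner)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 3:
            continue  # tolerate stray lines such as section headers
        kind, symbol, path = lines
        records.append({"kind": kind, "symbol": symbol, "path": path,
                        "owner": owner_basename(path)})
    return records


def hooks_by_owner(records: list[dict]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = {}
    for r in records:
        grouped.setdefault(r["owner"], []).append(f'{r["kind"]}:{r["symbol"]}')
    return grouped


def triage(records: list[dict], allowlist=ALLOWLIST) -> list[dict]:
    """One finding per hooking driver that is not on the allowlist, with what its hooks can hide."""
    findings = []
    for owner, hooks in hooks_by_owner(records).items():
        if owner in allowlist:
            continue
        hides = sorted({what for sym, what in WHAT_IT_HIDES.items()
                        if any(sym in h for h in hooks)})
        findings.append({"owner": owner, "hooks": hooks, "can_hide": hides})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(f'{finding["owner"]}: {len(finding["hooks"])} hooks, can hide {finding["can_hide"]}')
```

The point of grouping by owner is that an unknown driver in System32 hooking registry enumeration, directory queries and the TCP/IP control path at the same time is the signature of a hider, whereas a single hook by a known security product is routine.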

Although antivirus scanners will not “see” these files, you can get a dedicated anti-rootkit program from our Anti-Rootkit Software Page.
Anubis has an extremely in-depth analysis of a sample submitted to them:
http://analysis.seclab.tuwien.ac.at/result.php?taskid=0ce16256cab3e414c180082fafc8d4b4&refresh=1&embedded=1

Tactics:

The reason this particular Storm Worm run has become so massive is that the authors have employed some new tactics alongside some old, trusted ones. The new tactics include using an image file which carries the text of the message. This means that antivirus scanners cannot scan the email for suspicious text. This tactic has recently been employed by spammers to bypass anti-spam mechanisms.
The tactic of the password-protected zip file is not new and has been used in the past by many worms, including the infamous Bagle. What is new to the Storm Worm is the polymorphic nature of the code: each copy of the worm is slightly different so as to better avoid detection by antivirus email scanners.
The tactic of informing people that they have malware on their PC is not new either, but it is effective. It is especially effective because of the limited run a few days before: that run got the Storm Worm into the media, and the Thursday run, with all its new mechanisms, may have piggybacked on people’s fear that they are infected.


Behind the Scenes:

So what, and who, is behind the Storm Worm? It is thought that the worm originates from Eastern Europe and is spammed out initially so as to get as many victims as possible to start the ball rolling. The worm then spreads from PC to PC via its own email engine, using addresses from the user’s email address book. Once on a user’s PC the worm joins the PC up to a massive botnet comprised of thousands of unsuspecting users’ PCs. The botnet is then used to send out massive amounts of what is called Pump and Dump spam. This is where a stock is advertised at a low price with a supposedly very high expected value. When unsuspecting users buy the stock they help push its price up, and when the price goes up the stock is sold off by the originator of the Pump and Dump spam at an immense profit.

The Storm Worm runs on Windows 98, ME, NT, 2000, XP, and Windows Server 2003.

The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code. :-(

Keep Safe
regards

Steo
www.antirootkit.com

References:

The Eye of the Storm

Storm Worm blows up, breaks records

WORM_NUWAR.AOP

Consumer alert: Massive virus outbreak

Massive spam shot of ‘Storm Trojan’ reaches record proportions

Looking at Britney Spears can get you a Rootkit

Wednesday, April 4th, 2007

On the 28th of March, details of a Windows vulnerability involving ANI files were posted on the Internet. This vulnerability started out as just another vulnerability, but it wasn’t long before it was obvious that it was different: public exploit code had already been published and the hole was being attacked.

There was a lot of activity from Internet security companies, who had found that the vulnerability was being exploited on websites dotted around the world, but mainly in China. A specially crafted ANI file (an Animated Cursor file) could be embedded within a hacked or dubious website, and when a user visited the page their PC would become infected without them knowing anything. You might say “well, I don’t visit dodgy websites so I’m ok”, but tell that to the surfers who recently got infected via the Superbowl site by a keylogger / backdoor.

As of the 3rd of April Websense were tracking 450 Unique websites that are serving out the code to unsuspecting users. The bogus code was found on every webpage within these sites.

When a user visits one of these sites the bogus Animated Cursor file is loaded, which in turn can run any program it wants. Currently there are various payloads being sent out via the exploit. The payloads include keyloggers for stealing credit card details from users, and botnet host software which makes the user’s PC part of a botnet (a centrally controlled network of computers) that is probably sending out spam, serving more dodgy Animated Cursors, or being used in DDoS attacks.

Since the vulnerability became public, hackers have been trying to come up with new ways of fooling people into downloading a malicious ANI file. Recently spam emails with subject lines like “Hot pictures of Britiney Speers” have been sent out, hoping to fool users into clicking on a link in the email that brings them to a hacked PHP site which serves up the malicious code. Explabs have also reported that along with the malicious payload a rootkit is being used to hide any trace of infection from the user. The Rustock rootkit is an example of a rootkit being used.

The following Video shows how a specially created toolkit creates a malicious ANI file and runs the dir command using the file.

Public PoC ( Proof Of Concept ) Code has been released by jamikazu which will allow Calc.exe to run. Again, calc.exe could easily be replaced by a malicious piece of code.
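Because the flaw is in how Windows parses the cursor file rather than in the website delivering it, a mail or web gateway can reject malformed ANI files before they reach an unpatched client. An ANI file is a RIFF container of type ACON whose "anih" header chunk has a fixed size of 36 bytes (nine 32-bit fields); the following added example, written for this page and not from antirootkit.com or the advisory, builds a minimal sample cursor and then validates it, rejecting any file whose anih chunk does not declare exactly that size, that carries more than one anih chunk, or whose chunk lengths overrun the file. The 36-byte header size and the single-anih rule come from the public format description and are assumptions of this example, not statements from the post.

```python
import struct

# sizeof(ANIHEADER) in the public ANI/RIFF format: nine 32-bit fields (assumption
# of this example, taken from the format description rather than from the post).
ANIH_SIZE = 36


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: FOURCC, little-endian length, payload, pad byte if odd."""
    pad = b"\0" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_len: int = ANIH_SIZE, extra_anih: bool = False) -> bytes:
    """Construct a minimal RIFF/ACON file (sample data for testing, not a real cursor)."""
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
    anih = header.ljust(anih_len, b"A")[:anih_len]   # declared length == anih_len
    body = b"ACON" + _chunk(b"anih", anih)
    if extra_anih:
        body += _chunk(b"anih", header)
    body += _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _walk(data: bytes, start: int, end: int):
    """Yield (fourcc, length, payload_offset) for each chunk in [start, end),
    descending into LIST chunks; raise ValueError if a chunk overruns its parent."""
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        length = struct.unpack_from("<I", data, off + 4)[0]
        payload = off + 8
        if payload + length > end:
            raise ValueError(f"chunk {fourcc!r} at offset {off} declares {length} bytes, "
                             f"only {end - payload} remain")
        yield fourcc, length, payload
        if fourcc == b"LIST" and length >= 4:
            yield from _walk(data, payload + 4, payload + length)
        off = payload + length + (length & 1)
    if off < end:
        raise ValueError("trailing bytes after last chunk")


def validate_ani(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason); ok is False for any structural problem."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return False, "not a RIFF/ACON file"
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if 8 + riff_len > len(data):
        return False, f"RIFF length {riff_len} exceeds file size {len(data)}"
    anih_count = 0
    try:
        for fourcc, length, _ in _walk(data, 12, 8 + riff_len):
            if fourcc == b"anih":
                anih_count += 1
                if length != ANIH_SIZE:
                    return False, f"anih chunk declares {length} bytes, expected {ANIH_SIZE}"
    except ValueError as exc:
        return False, str(exc)
    if anih_count != 1:
        return False, f"expected exactly one anih chunk, found {anih_count}"
    return True, "ok"


if __name__ == "__main__":
    for label, sample in [("well-formed", build_ani()),
                          ("oversized anih", build_ani(100)),
                          ("two anih chunks", build_ani(extra_anih=True)),
                          ("truncated", build_ani()[:-10])]:
        print(f"{label:16} -> {validate_ani(sample)}")
```

The validator never trusts a declared length: every chunk is checked against the bytes actually remaining in its parent before it is read, which is the general defence for any length-prefixed binary format, not just ANI.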

All Microsoft users should go to Microsoft Windows Update and get this dangerous hole patched quickly. If you have Automatic Update enabled then you more than likely had your system updated on Tuesday 3rd April.

This vulnerability also affects Windows Vista. Determina have put together a nice video that shows how an attacker might take over a Windows Vista PC using the ANI file vulnerability.

http://www.determina.com/security.research/flash/ani.html

If you have recently received an email enticing you to click on a link and see new photos of Britney Spears, and you “mistakenly” clicked on the link, then I think you should download one of the FREE anti-rootkit scanners from http://www.antirootkit.com/software/index.htm and check your system for the presence of a rootkit.

Keep Safe

regards

Steo
http://www.antirootkit.com/

References:

Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling

Download the ANI File patch from Microsoft

Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

Public PoC Code Disclosure (Code Execution - Calc.exe)

Large scale compromise with ANI exploit code

Rootkit and Malware Analysis for Beginners

Tuesday, March 13th, 2007

Have you ever wondered how the experts analyse malware and rootkits? Well, ZaiRoN has submitted an excellent article titled “Malware analysis: Nailuj sys file”. It is a very good analysis of malware that was found around the 9th of January 2007. ZaiRoN’s approach is one with beginners in mind, and indeed he does a very good job of making it easy for relative beginners to understand.

Nailuj Analysis

The article goes into detail on how the malware gets into the registry, how it hides itself from the Operating System and how it gets to Auto Start.

Many thanks to ZaiRoN for submitting the article.

Keep Safe

Steo
www.antirootkit.com

References: Malware analysis: Nailuj sys file

Latest wincom32 peacomm rootkit has bugs

Tuesday, January 23rd, 2007

In a follow-up to the post New Storm-Worm Rootkit creating Botnets, here is an update.

It has been reported that the authors of the Storm Worm, which uses a rootkit called wincom32, have changed their code and tactics to try and avoid detection, but in doing so have left bugs in the code.

To check your system for this rootkit please download an anti-rootkit scanner.

First of all, there are now more subjects attached to the emails containing the worm:

Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Fidel Castro dead.
First Nuclear Act of Terrorism!
Happy World Religion Day!
Hugo Chavez dead.
President of Russia Putin dead
Radical Muslim drinking enemies’ blood.
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Safe and Sound
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Third World War just have started!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: “Let’s the War beginning”.

and some love related subjects:

A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I’ll Be There
Back Together
Breakfast in Bed Coupon
Can’t Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can’t Function
I Dream of You
I Think of You
Internet Love
It’s Your Move
Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul
The Love Bugs
This Day Forward
This Feeling
Till Morning’s Light
Till Morninig’s Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We’re a Perfect Fit
Wild Nights
Will you?
When I’m With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait

The attachment may now have one of the following names:

GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe

It firstly drops a file called wincom32.sys in one of the following folders:

C:\Windows\System (Windows 95/98/Me)
C:\Winnt\System32 (Windows NT/2000)
C:\Windows\System32 (Windows XP)

It creates a service and adds the following registry key to start it when the PC starts up:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

The worm then tries to connect to various other bots and download more malware so that it can do its primary job, sending out penny stock spam. Increased spam has been seen in the last few days.

The latest version of the bot now tries to communicate with other bots on port 7871 instead of 4000 as in the previous version.

The authors have included more rootkit functionality in this version, but the rootkit contains a few bugs and has been known to crash some systems.

“It is now capable of hiding several files and registry keys by hooking several kernel functions and patching the tcpip.sys system driver to hide its ports from commands, such as netstat -o or netstat -b. However, due to some mistakes in the rootkit code, running netstat -an lets you see ports 7871 or 4000 open and waiting for connections. It is also important to note that a personal firewall will also notify you of the process services.exe trying to make connections on these ports. Furthermore, the rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again.”
Symantec

The rootkit also checks to see if the system it is running on is a Windows 2003 machine, as it seems that the authors have not fully tested it on Windows 2003.
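The Symantec observation above is a cross-view check in miniature: the rootkit patches tcpip.sys to filter the output of netstat -o and netstat -b, but netstat -an still shows ports 7871 and 4000, so the difference between the two listings is itself the detection. The following added example (written for this page, not a Symantec or antirootkit.com tool) parses two netstat listings and reports the sockets that appear in one view but not the other, and separately flags any socket on the two ports named in this post. Both listings are constructed sample output, not real captures, and on a live host you would feed it the saved output of netstat -an and netstat -ano.

```python
import re

# Constructed "netstat -an" output: the full view, where the hidden ports still show.
NETSTAT_AN = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7871           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      10.0.0.5:7871          ESTABLISHED
  UDP    0.0.0.0:4000           *:*
  UDP    0.0.0.0:445            *:*
"""

# Constructed "netstat -ano" output: the PID-aware view the rootkit filters.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ports named in the post above for this bot version and the previous one.
WATCH_PORTS = {4000, 7871}

# Proto, local address:port, foreign address, optional state, optional PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+)(?:\s+(\S+))?")


def parse_sockets(text: str) -> set[tuple[str, int, str]]:
    """Return the set of (proto, local_port, foreign_endpoint) rows in a netstat listing."""
    sockets = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sockets.add((m.group(1), int(m.group(3)), m.group(4)))
    return sockets


def hidden_sockets(full_view: str, filtered_view: str) -> set[tuple[str, int, str]]:
    """Sockets present in the full listing but missing from the filtered one."""
    return parse_sockets(full_view) - parse_sockets(filtered_view)


def watch_hits(text: str) -> list[tuple[str, int, str]]:
    """Sockets whose local or remote port is one of the watched ports."""
    hits = set()
    for proto, lport, foreign in parse_sockets(text):
        fport = foreign.rsplit(":", 1)[-1]
        if lport in WATCH_PORTS:
            hits.add((proto, lport, "local"))
        if fport.isdigit() and int(fport) in WATCH_PORTS:
            hits.add((proto, int(fport), "remote"))
    return sorted(hits)


if __name__ == "__main__":
    for sock in sorted(hidden_sockets(NETSTAT_AN, NETSTAT_ANO)):
        print("hidden from PID view:", sock)
    for hit in watch_hits(NETSTAT_AN):
        print("watched port in use:", hit)
```

Any socket that one view of the same machine shows and another hides is worth investigating regardless of the port number; the watched-port check is the narrower, signature-style test for this particular bot.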

This latest change in the attack is interesting, as it shows the attackers are constantly changing their tactics in the light of discoveries by anti-malware companies. The attackers are also using new news headlines for the latest attacks, hoping to dupe more people into catching the worm. It seems the attackers are blatantly sticking their noses up at the anti-malware industry using their new and expanding peer-to-peer botnet.

References:

Trojan.Peacomm Part 2 – The Botnet Evolves

Stormy Love

Stay Safe

regards

Steo
www.antirootkit.com


New Storm-Worm Rootkit creating Botnets

Friday, January 19th, 2007

Some of you may have received an email today saying that “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel” or that “230 dead as storm batters Europe”. If you did and clicked on the attachment then you have been infected by the Storm-Worm and your PC is now more than likely part of a Botnet.

Large amounts of the worm were spammed out early this morning to Europe and then to North America.

Some of the subjects of the spammed emails were crafted to coincide with current events in the news. The subjects included:

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
230 dead as storm batters Europe.
British Muslims Genocide
Naked teens attack home director.
A killer at 11, he’s free at 21 and kill again!

The emails arrived with no text, only an attachment which appears to be a video of the event described in the subject.

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

When the attachment is run it drops a file called wincom32.sys which is a kernel mode rootkit.

It installs itself as a service with the name “wincom32” by creating the following registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]

This kernel mode driver acts as an advanced payload injector with sophisticated methods such as seen with Rustock.

The worm then tries to contact various IP addresses and tells the Botnet leaders that it is infected. It is then placed on a list of infected machines so that spyware and other malware can be installed at a later date when the Botnet owner wants. The machines that are unsuitable for the Botnet are also placed in a list so as not to visit them again.

The type of botnet being set up here is called a “Peer to Peer” botnet. It is different to the normal “Command and Control” botnet, and it shows us that malware authors are taking a new direction with their botnets. A peer-to-peer botnet is harder to shut down than a command-and-control botnet, because there is no single controlling server to take offline.

References:
Trojan.Peacomm: Building a Peer-to-Peer Botnet
http://www.f-secure.com/v-descs/small_dam.shtml
YouTube Video showing the speed and extent of the spread of the Storm-Worm

Keep Safe
regards
Steo
www.antirootkit.com


Rootkit Unhooker Author to release new Undetectable Rootkit

Thursday, January 18th, 2007

The anti rootkit software author who goes by the name of EP_X0FF has released information recently about a new rootkit that he has created. EP_X0FF is the author of Rootkit Unhooker one of the best antirootkit scanners at the moment. The rootkit he has created is undetectable by all anti rootkit software. The new rootkit is to be called Unreal Test Rootkit.

Here is some information on the rootkit from the Rootkit Unhooker site:

We are introducing new generation of rootkit technology.
Unreal Test Rootkit v1.0
Unreal rootkit hides file and driver. Works on NT-based operating systems with NTFS file systems.

It is Not malicious.

This rootkit is not intended to be run with Host Intrusion Prevention Systems.
This rootkit is intended ONLY for testing with AntiRootkit software.

Rootkit tech information

File system: NTFS
Implementation: DKOM
Predecessors: partially RkDemo, phide_ex and Rustock

ARK TESTS:
========================================
1. Rootkit Unhooker v3.01 BYPASSED
2. Rootkit Revealer v1.71 BYPASSED
3. F-Secure Blacklight BYPASSED
4. DarkSpy v1.05 BYPASSED
5. DarkSpy v1.05fixedbeta2 BYPASSED
6. IceSword v1.20 BYPASSED
7. GMER v1.012 BYPASSED
8. Helios v1.1a BYPASSED
9. SVV v2.3 BYPASSED
10. McAfee Rootkit Detective BYPASSED
11. Sophos AntiRootkit BYPASSED
12. TrendMicro RootkitBuster BYPASSED
13. AVG AntiRootkit BYPASSED
14. AVZ v4.23 ARK Module BYPASSED
15. BitDefender Rootkit Uncover BYPASSED
16. Panda AntiRootkit BYPASSED
17. Panda Tycan BYPASSED
18. modGreeper v0.3 BYPASSED
19. flister BYPASSED
20. UnHackMe BYPASSED
21. SEEM v4.x BYPASSED
22. SafetyCheck v1.5.x BYPASSED
23. Avira AntiRootkit BYPASSED
24. HiddenFinder v1.301 BYPASSED
25. RkDetector v0.6 BYPASSED
========================================

There are no best antirootkits.

Rootkit sources are available only by preliminary request.

Release date: very soon

regards

Steo
www.antirootkit.com