Archive for the ‘News’ Category

Happy New Rootkit

Thursday, December 27th, 2007

The Storm Worm has been doing its latest round since 23rd December. It has been masquerading as a Christmas strip show to entice users into getting infected. Prevx have been tracing the movements of the worm and have seen over 700 variants in a few days.

The worm is proving very elusive because of its fast flux method of evading detection.
“Fast-flux is basically load-balancing with a twist. It’s a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.”

Then on Christmas Day it changed form again, this time enticing people to click on a New Year’s card called happy2008.exe or happynewyear.exe, which users would download from legitimate-looking sites called happycards2008.com and newyearcards2008.com.

Here are the whois records for these domains:

Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER


Domain name:             NEWYEARCARDS2008.COM
Name Server:             ns.newyearcards2008.com 75.53.216.142
Name Server:             ns10.newyearcards2008.com 70.142.192.219
Name Server:             ns11.newyearcards2008.com 72.128.113.26
Name Server:             ns12.newyearcards2008.com 72.128.30.86
Name Server:             ns13.newyearcards2008.com 74.130.106.75
Name Server:             ns2.newyearcards2008.com 76.237.206.65
Name Server:             ns3.newyearcards2008.com 64.30.118.241
Name Server:             ns4.newyearcards2008.com 75.23.73.65
Name Server:             ns5.newyearcards2008.com 76.253.189.137
Name Server:             ns6.newyearcards2008.com 74.69.168.236
Name Server:             ns7.newyearcards2008.com 71.195.165.21
Name Server:             ns8.newyearcards2008.com 88.171.125.18
Name Server:             ns9.newyearcards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

As we can see, both domains use a lot of nameservers, each of which can point a person who clicks on either HAPPYCARDS2008.COM or NEWYEARCARDS2008.COM to one of millions of computers in a botnet that has the infected happy2008.exe or happynewyear.exe waiting to be downloaded.

As we can also see, the domain names were registered in Russia, through the registrar RU-CENTER.
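As an added illustration (not part of the original post and not Prevx’s code), here is a small Python check that parses the whois record quoted above and scores the fast-flux signs it shows: a crowd of name servers inside the domain itself, glue addresses scattered over unrelated networks, and a registration only a day old. The thresholds are assumptions chosen for this demonstration.

```python
import re
from datetime import date, datetime
from ipaddress import ip_address

# Constructed input: the HAPPYCARDS2008.COM whois record as quoted in the post above.
WHOIS_HAPPYCARDS = """\
Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Registrar:               ANO Regional Network Information Center dba RU-CENTER
"""
NS_RE = re.compile(r"^Name Server:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def parse_whois(text):
    """Extract domain, name servers with their IPv4 glue, creation date and registrar."""
    field = lambda k: re.search(rf"^{k}:\s+(.+?)\s*$", text, re.M).group(1)
    return {"domain": field("Domain name").lower(),
            "nameservers": [(n.lower(), ip_address(ip)) for n, ip in NS_RE.findall(text)],
            "created": datetime.strptime(field("Creation Date"), "%Y.%m.%d").date(),
            "registrar": field("Registrar")}

def fast_flux_indicators(record, today):
    """Score the signs the post points at: many name servers inside the domain itself,
    glue addresses scattered over unrelated networks, and a registration only days old."""
    ns = record["nameservers"]
    f = {"ns_count": len(ns),
         "in_bailiwick": sum(n.endswith("." + record["domain"]) for n, _ in ns),
         # distinct /16s: a hosting provider's NS pool sits in one or two, rotating home PCs do not
         "distinct_slash16": len({str(ip).rsplit(".", 2)[0] for _, ip in ns}),
         "age_days": (today - record["created"]).days}
    f["suspicion"] = sum([f["ns_count"] >= 8,                           # assumed thresholds
                          f["distinct_slash16"] >= 0.75 * f["ns_count"],
                          f["in_bailiwick"] == f["ns_count"],
                          f["age_days"] <= 7])  # 0..4; treat 3 or more as worth blocking at the mail gateway
    return f

def analyze_sample():
    """Run the check over the constructed record as of the post's date, 27 Dec 2007."""
    return fast_flux_indicators(parse_whois(WHOIS_HAPPYCARDS), date(2007, 12, 27))

if __name__ == "__main__":
    print(analyze_sample())
```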

Subject lines and email text include:

Happy New Year To You!
Wishes for the new year
Opportunities for the new year
New Year Postcard
New Year Ecard
New Year wishes for you
Happy New Year To You!
Message for new year
Blasting new year
As you embrace another new year
It’s the new Year
As the new year…
Happy 2008 To You!
Joyous new year
Lots of greetings on new year
A fresh new year

Happy2008toyou

There is then a link to either happycards2008.com or newyearcards2008.com.

Current variants of the worm have a rootkit element that can be used to hide from many antivirus and antispyware scanners.

“Last versions of the Stormy worm are using a rootkit component to hide infection components.

After being launched, the dropper creates a new service and a driver under the Windows System directory called clean[4 random chars]-[4 random chars].sys or bldy[4 random chars]-[4 random chars].sys.

The driver will hook three Windows native APIs: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile. The goal is to hide its registry keys and files.

As a side effect, it’ll hide every file that contains the strings “clean” or “bldy” in its name.”
From Prevx.
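As an added example (not code from the post or from Prevx), this Python cross-view check plants canary files whose names carry the substrings the hook filters and compares directory enumeration with direct path lookups, which is how a hidden file shows up on a live system. `hooked_listdir` is a constructed stand-in for the hooked enumeration, used only to show what a discrepancy looks like; it is not the driver’s code.

```python
import os
import tempfile

# Substrings the Prevx write-up says the driver's ZwQueryDirectoryFile hook filters out of listings.
HIDDEN_MARKERS = ("clean", "bldy")

def find_hidden(directory, list_view=os.listdir):
    """Cross-view check: plant a canary file per marker, then compare the directory
    enumeration (list_view, normally os.listdir) against direct path lookups, which
    do not go through directory enumeration. A canary that is reachable by path but
    missing from the listing is being hidden. Returns the hidden canary names."""
    canaries = [os.path.join(directory, f"{m}-canary.txt") for m in HIDDEN_MARKERS]
    for path in canaries:
        with open(path, "w") as fh:
            fh.write("canary")
    try:
        listed = set(list_view(directory))
        return sorted(os.path.basename(p) for p in canaries
                      if os.path.isfile(p) and os.path.basename(p) not in listed)
    finally:
        for path in canaries:          # always clean up, even if a view raises
            os.remove(path)

def hooked_listdir(directory):
    """Constructed stand-in for the hooked enumeration (not the driver's code): drops
    every name containing a marker, which is the side effect the quoted text describes."""
    return [n for n in os.listdir(directory)
            if not any(m in n.lower() for m in HIDDEN_MARKERS)]

def demo():
    """Run the check twice in a scratch directory: honest listing, then the simulated hook."""
    with tempfile.TemporaryDirectory() as scratch:
        honest = find_hidden(scratch)                  # expected: []
        hooked = find_hidden(scratch, hooked_listdir)  # expected: both canaries flagged
    return honest, hooked

if __name__ == "__main__":
    print(demo())
```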

Prevx provide a free scanner called Prevx CSI that can detect these new variants. Download Prevx CSI for free:

Prevx CSI Download

Have a Happy New Year… no really…

Keep Safe

Steo – www.antirootkit.com


EP_X0FF and Rootkit Unhooker off to Microsoft

Sunday, December 23rd, 2007

Microsoft have just gained one of the best anti-rootkit teams on the planet. EP_X0FF and the development team of Rootkit Unhooker have joined Microsoft. They are currently making plans to ship off to Wittenberg in Germany (where Martin Luther is buried), where the Rootkit Unhooker team will finish off work on their, up to now, secret project called Secured Eye (SEye): “…in two words this is a project mix of software/hardware related to distributed calculations and virtualization technologies based on Vanderpool / Pacifica extensions. Not a Blue Pill. To be more correct some parts of SEye can be used as a pill for any kind of Blue Pill variations ;)”

Microsoft now owns Rootkit Unhooker and SEye: “As you can guess all our source code and concept were sold to MS. This happened at the beginning of November and includes all variants of our test programs, RkU, including the last 4.1 version, and SEye which is 3/4 ready.”

It is a great thing that EP_X0FF and the team are off to Microsoft. Just like Mark Russinovich before them, their vision and knowledge, alongside money and resources from Microsoft, will bode well for us all in the future.

Best of Luck to you all and keep in touch.

You can read EP_X0FF’s blog here: http://www.rootkit.com/blog.php?user=EP_X0FF

Keep Safe

Steo


The Rise of the Rootkits has begun

Wednesday, December 12th, 2007

“The Rise of the Rootkits has begun” are the words of Jacques Erasmus from Prevx who commented recently on the increase in the use of Rootkits.

Upward Trend for Rootkit Detections

“Significantly, although rootkits were detected on 15.6 percent of PCs during October 2007, that figure had risen to 22 percent by early December.”

This indeed shows that there has been an enormous increase in the use of rootkits in one month alone, and the trend is very much upward. The Rootkit List shows that since 1st November there have been 79 rootkit-related stealth malware creations found by leading IT security companies. November has been one of the biggest months of the year so far for newly found rootkit creations and variations. This could be down to the fact that online criminals are getting their arsenal ready for Christmas, when a lot of people will be buying presents online.

The Prevx results come from information gathered by the Prevx Online Scanner, which was used mostly by users who suspected something was wrong with their PC. The rootkit files found by the Prevx online scanner include NDT2.SYS, SROSA.SYS, UNPR.SYS, FMTR.SYS and INDT2.SYS.

It seems also that a lot of businesses are being caught off guard by Rootkits. “In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14 percent, had one or more PCs harbouring rootkit infections.”

To check your PC for Rootkits check out the Antirootkit Software Page.

To check out the Free Prevx Scan http://www.prevx.com/freescan.asp.

Keep Safe,

regards

Steo

In the Eye of the Storm Worm

Sunday, October 21st, 2007

Frank Boldewin, a German IT security specialist has recently published a clear and concise analysis of Peacomm.C code, otherwise known as The Storm Worm, Nuwar or Zhelatin.

The Storm Worm has been hitting hard since January 2007, when it was unleashed as spammed emails duping users into following news about the large storms that were hitting Europe at the time. The Storm Worm has resurfaced under many guises throughout the year. Coming up to Valentine’s Day, millions of emails were spammed out duping users into viewing a message from a loved one.

This code and its underlying rootkit have helped criminals set up a major botnet comprising captured zombie PCs from all around the world. Most of these PC owners are oblivious to the fact that their PC is part of a botnet under the control of criminals intent on using it to make money for themselves.

Frank dissected the code after receiving a spammed-out email with a link to malware which, when run, would install the Peacomm.C rootkit and make the PC part of the botnet.

“On 22nd August 2007 I received an email informing me about “New Member Confirmation”, including Confirmation Number, Login-ID and Login-Password. To stay secure I should immediately change my Login info on a provided website link. So I’ve started investigating what surprises are awaiting people clicking on such kind of links. Next to a friendly message telling me that my download should start in some seconds, I also got a browser exploit for free, to ensure the “software package” gets really shipped. “Hey that’s cool”, I thought to myself. “It’s like Kinder Surprise® – three in one!” Unfortunately, at this time I hadn’t enough incentive for a deep analysis and so I just stored the malicious file called applet.exe in my archive for later fun with it.”

Frank goes into some depth in his analysis including topics such as:

  • First stage XOR decrypter
  • Second stage TEA decrypter
  • TIBS Unpacker
  • Anti-Debugging code
  • Files dropping
  • The driver-code infection
  • Finding the OEP to the native Peacomm code
  • Finding and patching the VM-detection tricks
  • SSDT file hiding
  • Shellcode injection for process spawning
  • System files locking

This excellent in-depth analysis in PDF format along with the Peacomm.C binaries can be downloaded from Frank’s site www.reconstructer.org.

An HTML version is available from antirootkit.com.

Have fun, enjoy the read and be cautious with the binaries.

regards

Steo
www.antirootkit.com


Rootkit used in Vodafone Phone Tapping Affair

Thursday, July 12th, 2007

We have all heard about rootkits and how they are aimed mainly at normal users of Windows XP and Linux. I have written about Rootkits in Corporate Espionage and how custom-designed and targeted rootkits will always be hard to spot. They are carefully created using undocumented features within the system kernel. If only the creator knows about them, then who can find them? Now if such a rootkit is used for one unique purpose, installed on one system, then the chances of it being found soon after its installation are small.

This is exactly what happened in what is known as The Athens Affair.

From Wikipedia:
“More than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year. The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, and the Ministry for Public Order, members of the ruling party, ranking members of the opposition the Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. The phones of Athens-based Arab businessmen were also tapped.”

Basically what happened was that someone had installed software to listen in on phone calls on an Ericsson exchange within Vodafone Greece. The software included a back door into the system. The software and backdoor were hidden from detection for almost one year by an installed rootkit. The rootkit hid all evidence of any breach of security, including diverting call audit log entries to its own memory space. The system the software was installed on did not need a reboot after installation, which helped the attackers avoid detection. The rootkit also hid the hackers’ tracks as they infiltrated the system.

The software worked in conjunction with what is called the IMS ( Interception Management System ) section of the Ericsson switch. The IMS can be used by authorities to tap into phone calls. What makes this most interesting is that the switch system called AXE has software written in a language called PLEX.
“PLEX (Programming Language for EXchanges) is a special-purpose, pseudo-parallel, event-based real-time language developed by Ericsson. The language is designed exclusively for telephony systems and is used in central parts of the AXE telephone switches. It has been continuously evolving since the 1970’s when it was originally designed”

The breach of security was eventually found because the hacker had updated the software on the switch, which in turn had an adverse effect on the text messaging service. Vodafone called in Ericsson, who manufactured the switch, and they eventually discovered the installed software and rootkit. The malicious software was made up of thousands of lines of code.

The attackers were never found. The malicious software was shut down when found, and this would have signalled to the attackers to destroy any evidence they might have had, such as the phones used to listen in on the calls.

If this level of infiltration was carried out and kept hidden for a year, then I think we will see more of its type in the future. Rootkits are too good to be true for attackers when it comes to hiding malicious software. The Athens Affair proves that.

Keep Safe
regards
Steo

References:

IEEE Spectrum: The Athens Affair

A Formal Semantics for PLEX

Ericsson Interception Management System Manual

Abnormal activity from your IP…yeah sure

Monday, July 9th, 2007

There is another Storm Worm outbreak at the moment. The attackers are using the same social engineering tactic that was used last April; see Forecast – Massive Storms clouded by Rootkits.
The way it works is that after a Storm Worm outbreak, such as the 4th of July E-card outbreak, users get an email saying they are infected and should download a patch to fix it or their account will be suspended.

On the 4th of July emails were spammed out to millions of users with a link pretending to be an E-card for the 4th of July celebrations.
The subjects included:

4th Of July Celebration
American Pride, On The 4th
America’s 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation
Fireworks on The 4th
Fourth of July Party
God Bless America
Happy 4th of July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday

If a user clicked on the link they would have downloaded Troj/JSEcard-A, which would in turn have downloaded a Nuwar variant (WORM_NUWAR.HC).

The same spammers have since sent out millions of emails warning users that their PC is infected and that they should download a patch file to fix it.
The email looks like the one below (thanks Dan).

Worm Alert!
Dear Customer,Our robot has detected an abnormal activity
from your IP adress on sending e-mails. Probably it is connected with the
last epidemic of a worm which does not have official patches at the
moment.We recommend you to install this patch
to remove worm files and stop email sending, otherwise your account will be
blocked.
Administrator

The attackers are playing on the publicity the 4th of July worm got. Many users may have this in the back of their mind as they read the latest email. Many will think that it is a legitimate email and “install” the patch, only to be added to the massive botnet that has arisen from these spamming campaigns.
If you feel that you have downloaded your 4th of July E-card or installed the patch to correct it, then you should download some anti-rootkit software from our software page and check your system out, as NUWAR is known to contain a rootkit to hide its suspicious activity.

Keep Safe
regards
Steo
www.antirootkit.com

References:
4th of July Ecard
Postcards or patches?