Archive for the ‘Other Malware’ Category

A Stormy Valentine's Day ahead of us…

Tuesday, January 15th, 2008

It looks like the Storm Worm is with us once again.

Emails have been spammed out with a subject line containing one of the following:

Falling In Love with You
Special Romance
You’re In My Thoughts
Sent with Love
Our Love Will Last
Our Love is Strong
Your Love Has Opened
You’re the One
A Toast My Love
Heavenly Love

If a user clicks on the link in the email, they are brought to a website that tries to get them to download a Love ecard. If run, the “ecard” turns the user's PC into a bot, which then joins the many others in the Storm Worm botnet.

It seems a bit early for Valentine's Day though! Maybe the authors released it by mistake?

If not, then we could be in for a long run-up to Valentine's Day.

Keep Safe

Steo – www.antirootkit.com

 

Security Flaw in Vista and XP – Rootkit exploit in the wild

Thursday, January 3rd, 2008

In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this had been more of a proof of concept (POC).

This goes to show how much effort rootkit authors are putting into creating new ways of evading anti-rootkit software. This is a new attack vector for malware writers and gives them control from outside the operating system.

This rootkit is using the MBR flaw: the MBR can be written to from within Windows.

The rootkit installs itself (244K) on the last sectors of the user's disk and then modifies other sectors, including sector 0. The code runs before your PC boots into XP, Vista or NT and has full control of the boot process, which means it can install and run any application it wants without you, XP, Vista or NT knowing about it.
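Because the rootkit lives in sector 0 and in the unpartitioned tail of the disk, the defender's check is an integrity check on the MBR itself: hash the boot-code area against a baseline recorded when the machine was known clean, sanity-check the 0x55AA signature and partition table, and report how many sectors lie beyond the last partition. The following is an added example, not code from the post or from GMER; the sample MBR it builds is constructed, and the `read_sector0_windows` helper and the `\\.\PhysicalDrive0` device path are assumptions for real use on Windows (administrator rights required).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_mbr(tampered=False):
    """Return a constructed 512-byte MBR (not a real disk image).

    Classic layout: boot code at 0..440, 4-byte NT disk signature at 440,
    2 reserved bytes, four 16-byte partition entries at 446, 0x55AA at 510.
    With tampered=True the first bytes of the boot code are replaced,
    modelling the sector-0 overwrite described in the post.
    """
    code = bytearray(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 432)
    if tampered:
        code[0:8] = b"\xEB\x58\x90\x90\x90\x90\x90\x90"  # constructed jump stub
    disk_signature = b"\x12\x34\x56\x78"
    # One bootable NTFS (type 0x07) partition: LBA start 63, 1,000,000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 1_000_000)
    table = entry + b"\x00" * 48                      # three empty entries
    mbr = bytes(code) + disk_signature + b"\x00\x00" + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_partition_table(mbr):
    """Decode the four partition entries; skip empty ones (type 0)."""
    entries = []
    for i in range(4):
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": boot_flag == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": sectors})
    return entries


def boot_code_sha256(mbr):
    # Hash only the code area; the disk signature and partition table
    # legitimately change when volumes are added or removed.
    return hashlib.sha256(mbr[:440]).hexdigest()


def analyze_mbr(mbr, baseline_sha256=None, disk_sectors=None):
    """Compare a sector-0 image with a recorded baseline and report findings."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    digest = boot_code_sha256(mbr)
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    parts = parse_partition_table(mbr)
    if not any(p["bootable"] for p in parts):
        findings.append("no partition marked bootable")
    # Sectors after the last partition: normal alignment slack is small, but
    # this is where the post says the rootkit body (244K) is stored, so report it.
    tail = None
    if disk_sectors is not None and parts:
        tail = disk_sectors - max(p["lba_start"] + p["sectors"] for p in parts)
    return {"sha256": digest, "partitions": parts,
            "unpartitioned_tail_sectors": tail, "findings": findings}


def read_sector0_windows(device=r"\\.\PhysicalDrive0"):
    """Assumed helper: read sector 0 of a physical disk on Windows (needs admin).

    A rootkit that is already running can lie to this read, so compare with a
    copy taken from clean boot media rather than trusting it on its own.
    """
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_sha256(clean)
    for label, sample in (("clean", clean), ("tampered", build_sample_mbr(tampered=True))):
        report = analyze_mbr(sample, baseline_sha256=baseline, disk_sectors=1_000_563)
        print(label, report["findings"], "tail sectors:", report["unpartitioned_tail_sectors"])
```

Record the baseline hash while the machine is known clean and keep it off the disk being checked; a mismatch on its own is a reason to image sector 0 and the disk tail from boot media and compare the two reads, since the post notes the rootkit cannot be trusted or removed while its code is running.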

GMER has written an excellent write-up on the MBR rootkit that goes into more depth on the issue.

Indeed, GMER's anti-rootkit software can find the rootkit.

[Screenshot: gmer-finds-mbr-rootkit.jpg]

The rootkit files cannot be removed from within XP, Vista or NT; they must be removed while the PC is not running the rootkit code.

Until the MBR security flaw within the NT code is fixed, we will all soon be riddled with MBR rootkits.

Keep Safe,

regards,

Steo – www.antirootkit.com

 

New Storm Worm Rootkit Domain happy2008toyou.com appears on the stroke of Midnight

Tuesday, January 1st, 2008

Another Storm Worm domain has popped up on the radar:

happy2008toyou.com

The whois…

Domain name:             HAPPY2008TOYOU.COM
Name Server:             ns.happy2008toyou.com 68.251.106.142
Name Server:             ns10.happy2008toyou.com 89.35.121.187
Name Server:             ns11.happy2008toyou.com 58.9.65.61
Name Server:             ns12.happy2008toyou.com 222.209.139.28
Name Server:             ns13.happy2008toyou.com 82.59.136.43
Name Server:             ns2.happy2008toyou.com 68.36.252.81
Name Server:             ns3.happy2008toyou.com 71.230.66.163
Name Server:             ns4.happy2008toyou.com 68.61.185.117
Name Server:             ns5.happy2008toyou.com 70.232.142.1
Name Server:             ns6.happy2008toyou.com 66.75.86.71
Name Server:             ns7.happy2008toyou.com 85.29.202.180
Name Server:             ns8.happy2008toyou.com 86.139.75.35
Name Server:             ns9.happy2008toyou.com 86.130.251.39
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2008.12.29
Status:                  DELEGATED
Registrant ID:           X05O1TC-RU
Registrant Name:         Larry Claus
Registrant Organization: Larry Claus
Registrant Street1:      1874 str.  office 923
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  320784
Registrant Country:      US
Administrative  Technical Contact
Contact ID:              X05O1TC-RU
Contact Name:            Larry Claus
Contact Organization:    Larry Claus
Contact Street1:         1874 str.  office 923
Contact City:            Los-Angeles
Contact State:           CA
Contact Postal Code:     320784
Contact Country:         US
Contact Phone:           1 320 5216723
Contact E-mail:          larryknower931@yahoo.com

Registrar:               ANO Regional Network Information Center dba RU-CENTER
Last updated on 2008.01.01 03: 36: 27 MSK/MSD

The full list of domains we currently have is:

familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
Santapcards.com
Santawishes2008.com

The filename downloaded is happy_2008.exe

Most virus scanners find it.

Have a happy New Year,

Keep Safe,

regards,

Steo

Happy New Rootkit

Thursday, December 27th, 2007

The Storm Worm has been doing its latest round since 23rd December. It has been masquerading as a Christmas strip show to entice users into getting infected. Prevx have been tracing the movements of the worm and have seen over 700 variants in a few days.

The worm is proving very elusive because of its fast-flux method of evading detection.
“Fast-flux is basically load-balancing with a twist. It’s a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.”

Then on Christmas Day it changed form to entice people to click on a New Year's card called happy2008.exe or happynewyear.exe, which users would download from legitimate-looking sites called happycards2008.com and newyearcards2008.com.

Here is the whois for these domains….

Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

 

Domain name:             NEWYEARCARDS2008.COM
Name Server:             ns.newyearcards2008.com 75.53.216.142
Name Server:             ns10.newyearcards2008.com 70.142.192.219
Name Server:             ns11.newyearcards2008.com 72.128.113.26
Name Server:             ns12.newyearcards2008.com 72.128.30.86
Name Server:             ns13.newyearcards2008.com 74.130.106.75
Name Server:             ns2.newyearcards2008.com 76.237.206.65
Name Server:             ns3.newyearcards2008.com 64.30.118.241
Name Server:             ns4.newyearcards2008.com 75.23.73.65
Name Server:             ns5.newyearcards2008.com 76.253.189.137
Name Server:             ns6.newyearcards2008.com 74.69.168.236
Name Server:             ns7.newyearcards2008.com 71.195.165.21
Name Server:             ns8.newyearcards2008.com 88.171.125.18
Name Server:             ns9.newyearcards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

As we can see, both are using a lot of nameservers, each of which can be used to point whoever clicks on HAPPYCARDS2008.COM or NEWYEARCARDS2008.COM to one of millions of computers in a botnet that has the infected happy2008.exe or happynewyear.exe waiting to be downloaded.

As we can see, the domain names were registered through a Russian registrar, RU-CENTER.
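The whois records above show the traits the fast-flux description earlier in this post points at: a freshly registered domain whose thirteen nameservers are all hosted under the domain itself on addresses scattered across unrelated consumer netblocks. Those traits can be scored straight from the whois text. The script below is an added example, not code from the post or from Prevx; it embeds the happycards2008.com record quoted above (trimmed to the fields it uses) beside a constructed benign record using documentation addresses, and the thresholds are assumptions chosen for illustration.

```python
import re
from datetime import date

# Sample input: the happycards2008.com record quoted in this post, trimmed.
STORM_WHOIS = """\
Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Registrar:               ANO Regional Network Information Center dba RU-CENTER
"""

# Constructed benign record for comparison (RFC 5737 documentation addresses).
BENIGN_WHOIS = """\
Domain name:             EXAMPLE-SHOP.COM
Name Server:             ns1.example-dns.net 192.0.2.10
Name Server:             ns2.example-dns.net 198.51.100.10
Creation Date:           2005.03.14
Registrar:               Example Registrar Inc.
"""

NS_RE = re.compile(r"^Name Server:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
DOMAIN_RE = re.compile(r"^Domain name:\s+(\S+)", re.M)
CREATED_RE = re.compile(r"^Creation Date:\s+(\d{4})\.(\d{2})\.(\d{2})", re.M)


def parse_whois(text):
    """Pull the domain, (host, ip) nameserver pairs and creation date out of a record."""
    domain = DOMAIN_RE.search(text).group(1).lower()
    m = CREATED_RE.search(text)
    created = date(*map(int, m.groups())) if m else None
    return {"domain": domain, "nameservers": NS_RE.findall(text), "created": created}


def assess_fast_flux(text, observed, min_ns=5, min_networks=4, max_age_days=30):
    """Score a whois record for fast-flux-style hosting (thresholds are assumptions)."""
    rec = parse_whois(text)
    ips = {ip for _, ip in rec["nameservers"]}
    networks = {".".join(ip.split(".")[:2]) for ip in ips}       # /16 granularity
    in_bailiwick = bool(ips) and all(
        host.lower().endswith("." + rec["domain"]) for host, _ in rec["nameservers"])
    age = (observed - rec["created"]).days if rec["created"] else None

    reasons = []
    if len(ips) >= min_ns:
        reasons.append(f"{len(ips)} distinct nameserver addresses")
    if len(networks) >= min_networks:
        reasons.append(f"nameservers spread across {len(networks)} /16 networks")
    if in_bailiwick:
        reasons.append("every nameserver is hosted under the domain itself")
    if age is not None and age <= max_age_days:
        reasons.append(f"registered {age} day(s) before observation")
    return {"domain": rec["domain"], "ns_count": len(ips), "networks": len(networks),
            "age_days": age, "reasons": reasons, "suspicious": len(reasons) >= 3}


if __name__ == "__main__":
    seen = date(2007, 12, 27)  # the day after registration, as in the post
    for record in (STORM_WHOIS, BENIGN_WHOIS):
        r = assess_fast_flux(record, observed=seen)
        print(r["domain"], "suspicious" if r["suspicious"] else "ok", r["reasons"])
```

A whois snapshot cannot show the rotation itself, only the set-up that makes rotation possible, so this is a triage score for a mail gateway or proxy log review, not a verdict; the rotation is confirmed by resolving the domain repeatedly and watching the A records change.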

Subject lines and the email text include….

Happy New Year To You!
Wishes for the new year
Opportunities for the new year
New Year Postcard
New Year Ecard
New Year wishes for you
Happy New Year To You!
Message for new year
Blasting new year
As you embrace another new year
It’s the new Year
As the new year…
Happy 2008 To You!
Joyous new year
Lots of greetings on new year
A fresh new year

Happy2008toyou

There is then a link to either happycards2008.com or newyearcards2008.com.
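The subject lines and domains listed in this post and in the Valentine's Day post at the top of this page are exactly the indicators a mail filter can match on. The following is an added example, not code from the post; the three messages it classifies are constructed, and the indicator lists are taken from the two posts on this page.

```python
import re
from email import message_from_string

# Subject lines from the Valentine's Day and New Year campaigns described on this page.
STORM_SUBJECTS = {
    "Falling In Love with You", "Special Romance", "You’re In My Thoughts",
    "Sent with Love", "Our Love Will Last", "Our Love is Strong",
    "Your Love Has Opened", "You’re the One", "A Toast My Love", "Heavenly Love",
    "Happy New Year To You!", "Wishes for the new year", "Opportunities for the new year",
    "New Year Postcard", "New Year Ecard", "New Year wishes for you",
    "Message for new year", "Blasting new year", "As you embrace another new year",
    "It’s the new Year", "Happy 2008 To You!", "Joyous new year",
    "Lots of greetings on new year", "A fresh new year",
}
# Domains listed in the posts above.
STORM_DOMAINS = {
    "familypostcards2008.com", "freshcards2008.com", "happy2008toyou.com",
    "happycards2008.com", "happysantacards.com", "hellosanta2008.com",
    "hohoho2008.com", "newyearcards2008.com", "newyearwithlove.com",
    "parentscards.com", "postcards-2008.com", "santapcards.com", "santawishes2008.com",
}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
BARE_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.(?:com|net|org))\b", re.I)


def normalize(text):
    """Fold curly apostrophes, whitespace and case so header variants still match."""
    return re.sub(r"\s+", " ", text.replace("\u2019", "'")).strip().lower()


SUBJECT_SET = {normalize(s) for s in STORM_SUBJECTS}


def matches_storm_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in STORM_DOMAINS)


def extract_hosts(body):
    """Hosts from full URLs plus bare domain mentions in the message body."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    hosts |= {d.lower() for d in BARE_DOMAIN_RE.findall(body)}
    return hosts


def classify_message(raw):
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    if normalize(subject) in SUBJECT_SET:
        reasons.append("subject matches a Storm campaign lure")
    hits = sorted(h for h in extract_hosts(body) if matches_storm_domain(h))
    if hits:
        reasons.append("links to Storm domain(s): " + ", ".join(hits))
    return {"subject": subject, "reasons": reasons, "flag": bool(reasons)}


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "From: alice@example.net\nTo: bob@example.org\nSubject: Happy New Year To You!\n\n"
    "Your New Year Ecard is waiting: http://happycards2008.com/\n",
    "From: hr@example.org\nTo: bob@example.org\nSubject: Q1 planning meeting\n\n"
    "Agenda at https://intranet.example.org/agenda\n",
    "From: secret@example.com\nTo: bob@example.org\nSubject: You’re In My Thoughts\n\n"
    "Open your ecard at newyearwithlove.com now.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = classify_message(raw)
        print("FLAG" if result["flag"] else "ok  ", result["subject"], result["reasons"])
```

Subject matching alone is brittle because the lure text changes with every campaign (this post records the switch from a Christmas theme to New Year cards within two days); the domain match is the more durable of the two, and the domain list is the part worth keeping current.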

Current variants of the worm have a rootkit element that can be used to hide from many antivirus and antispyware scanners.

“Last versions of Stormy worm are using a rootkit component to hide infection components.

After being launched, the dropper creates a new service and a driver under the Windows System directory called clean[4 random chars]-[4 random chars].sys or bldy[4 random chars]-[4 random chars].sys

The driver will hook three Windows native APIs: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile. The goal is to hide its registry keys and files.

As a side effect, it’ll hide every file that contains the strings “clean” or “bldy” in its name.”
From Prevx..
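A hook on ZwQueryDirectoryFile only changes what the operating system's own API reports; a scanner that reads the file system structures directly still sees the files, and the difference between the two listings is the detection. That cross-view comparison is the approach anti-rootkit tools take, and it also exposes the side effect Prevx mentions: harmless files with "clean" or "bldy" in their names go missing too. The snippet below is an added example, not code from the post or from Prevx; the directory listing is constructed, and `simulate_hooked_listing` is a model of the hook's described behaviour, not the hook itself.

```python
import re

# Driver name pattern from the Prevx description quoted above.
STORM_DRIVER_RE = re.compile(r"^(?:clean|bldy)[a-z0-9]{4}-[a-z0-9]{4}\.sys$", re.I)
HIDDEN_SUBSTRINGS = ("clean", "bldy")

# Constructed raw listing of a system directory, as read from on-disk
# structures beneath the hooked API (not a real capture).
RAW_VIEW = ["ntoskrnl.exe", "hal.dll", "cleanab12-cd34.sys",
            "bldyzz99-qq00.sys", "mycleanup.txt", "ndis.sys"]


def simulate_hooked_listing(raw_view):
    """Model of the hooked API view: any name containing 'clean' or 'bldy' is dropped."""
    return [n for n in raw_view
            if not any(s in n.lower() for s in HIDDEN_SUBSTRINGS)]


def cross_view_diff(api_view, raw_view):
    """Names present on disk but absent from the API view are being hidden."""
    return sorted(set(raw_view) - set(api_view))


def classify_hidden(hidden_names):
    """Split hidden entries into probable Storm drivers and collateral damage."""
    report = {"storm_driver": [], "collateral": []}
    for name in hidden_names:
        key = "storm_driver" if STORM_DRIVER_RE.match(name) else "collateral"
        report[key].append(name)
    return report


def scan(raw_view):
    api_view = simulate_hooked_listing(raw_view)
    hidden = cross_view_diff(api_view, raw_view)
    return {"api_view": api_view, "hidden": hidden, "classified": classify_hidden(hidden)}


if __name__ == "__main__":
    result = scan(RAW_VIEW)
    print("hidden from the API:", result["hidden"])
    print("probable Storm drivers:", result["classified"]["storm_driver"])
    print("collateral (hidden by the side effect):", result["classified"]["collateral"])
```

The same comparison applies to the registry, since ZwEnumerateKey and ZwEnumerateValueKey are hooked as well: enumerate the Services key through the API, parse the hive file directly, and any service name that appears only in the raw parse is a candidate for the driver's registration.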

Prevx provide a free scanner called Prevx CSI that can detect these new variants. Download Prevx CSI for free:

Prevx CSI Download

Have a Happy New Year… no really…

Keep Safe

Steo – www.antirootkit.com

 

The Rise of the Rootkits has begun

Wednesday, December 12th, 2007

“The Rise of the Rootkits has begun” are the words of Jacques Erasmus from Prevx who commented recently on the increase in the use of Rootkits.

[Chart: Upward Trend for Rootkit Detections]

“Significantly, although rootkits were detected on 15.6 percent of PCs during October 2007, that figure had risen to 22 percent by early December.”

 

This indeed shows an enormous increase in the use of rootkits in one month alone, and the trend is very much upward. The Rootkit List shows that since Nov 1st there have been 79 rootkit-related stealth malware creations found by leading IT security companies. November has been one of the biggest months of the year so far for newly found rootkit creations and variants. This could be because online criminals are getting their arsenal ready for Christmas, when a lot of people will be buying presents online.

The Prevx results come from information gathered by the Prevx Online Scanner, which was used mostly by users who suspected something was wrong with their PC. The rootkit files found by the Prevx online scanner include NDT2.SYS, SROSA.SYS, UNPR.SYS, FMTR.SYS and INDT2.SYS.

It also seems that a lot of businesses are being caught off guard by rootkits. “In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14 percent, had one or more PCs harbouring rootkit infections.”

To check your PC for rootkits, see the Antirootkit Software Page.

To try the free Prevx scan: http://www.prevx.com/freescan.asp.

Keep Safe,

regards

Steo

Rootkit used in Vodafone Phone Tapping Affair

Thursday, July 12th, 2007

We have all heard about rootkits and how they are aimed mainly at normal users of Windows XP and Linux. I have written about rootkits in corporate espionage and how custom-designed and targeted rootkits will always be hard to spot. They are carefully created using undocumented features within the system kernel. If only the creator knows about it, then who can find it? Now if this rootkit is used for one unique purpose, installed on one system, then the chances of it being found soon after its installation are small.

This is exactly what happened in what is known as The Athens Affair.

From Wikipedia:
“More than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year. The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, and the Ministry for Public Order, members of the ruling party, ranking members of the opposition the Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. The phones of Athens-based Arab businessmen were also tapped.”
 
Basically what happened was that someone had installed software to listen in on phone calls on an Ericsson exchange within Vodafone Greece. The software included a back door into the system. The software and back door were hidden from detection for almost one year by an installed rootkit. The rootkit hid all evidence of any security breach, including diverting call audit log entries to its own memory space. The system the software was installed on did not need a reboot after installation, helping the attackers to avoid detection. The rootkit also hid the hackers' tracks as they infiltrated the system.

The software worked in conjunction with what is called the IMS (Interception Management System) section of the Ericsson switch. The IMS can be used by authorities to tap into phone calls. What makes this most interesting is that the switch system, called AXE, has software written in a language called PLEX.
“PLEX (Programming Language for EXchanges) is a special-purpose, pseudo-parallel, event-based real-time language developed by Ericsson. The language is designed exclusively for telephony systems and is used in central parts of the AXE telephone switches. It has been continuously evolving since the 1970s, when it was originally designed.”
 
The security breach was eventually found because the hacker had updated the software on the switch, which in turn had an adverse effect on the text messaging service. Vodafone called in Ericsson, who manufactured the switch, and they eventually discovered the installed software and rootkit. The malicious software was made up of thousands of lines of code.

The attackers were never found. The malicious software was shut down when found, and this would have signalled to the attackers to destroy any evidence they had, such as the phones used to listen in on the calls.

If this level of infiltration was carried out and kept hidden for a year, then I think we will see more of its type in the future. Rootkits are too good to be true for attackers when it comes to hiding malicious software. The Athens Affair proves that.

Keep Safe
regards
Steo

References:

IEEE Spectrum: The Athens Affair

A Formal Semantics for PLEX

Ericsson Interception Management System Manual