Archive for the 'Other Malware' Category

Abnormal activity from your IP…yeah sure

Monday, July 9th, 2007

There is another Storm Worm outbreak at the moment. The attackers are using the same social engineering tactic that was used last April, see Forecast - Massive Storms clouded by Rootkits.
The way it works is that after a Storm Worm outbreak, such as the 4th of July E-card outbreak, users get an email saying they are infected and should download a patch to fix it or their account will be suspended.

On the 4th of July emails were spammed out to millions of users with a link pretending to be an E-card for the 4th of July celebrations.
The subjects included:

4th Of July Celebration
American Pride, On The 4th
America’s 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation
Fireworks on The 4th
Fourth of July Party
God Bless America
Happy 4th of July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday

If a user clicked on the link they would have downloaded Troj/JSEcard-A, and this would in turn have downloaded a Nuwar variant (WORM_NUWAR.HC).

The same attacking spammers have sent out millions of emails warning users that their PC is infected and that they should download a patch file to fix it.
The email looks like this below (thanks Dan).

Worm Alert!
Dear Customer,Our robot has detected an abnormal activity
from your IP adress on sending e-mails. Probably it is connected with the
last epidemic of a worm which does not have official patches at the
moment.We recommend you to install this patch
to remove worm files and stop email sending, otherwise your account will be
blocked.
Administrator

The attackers are playing on the publicity the 4th of July worm got. Many users may have this in the back of their mind as they read the latest email. Many will think that it is a legitimate email and “install” the patch, only to be added to the massive botnet that has arisen from these spamming campaigns.
If you feel that you have downloaded your 4th of July Ecard or installed the patch to correct it, then you should download some anti-rootkit software from our software page and check your system out, as NUWAR is known to contain a rootkit to hide its suspicious activity.

Keep Safe
regards
Steo
www.antirootkit.com

References:
4th of July Ecard
Postcards or patches?

Is that a Rootkit on your Windows Mobile device?

Wednesday, July 4th, 2007

With so many mobile devices around these days, and so many running Windows Mobile or Windows CE, it is no wonder the boys at the top are already thinking about how these devices can be hacked and rootkits installed.

The rootkit could be used to hide a keylogger (or would that be a stylus-press logger?) and send the valuable information back to the author.

The article on the Symantec Blog today shows us that their researchers have already looked into the possibilities of rootkits hiding keyloggers, and they have produced an internal whitepaper (no doubt it will be leaked :-) ).

“The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.”

What we are left with now is not a case of “if” we will have a Windows CE/Mobile rootkit, it is a case of when. Their research shows that rootkits are possible on Windows CE/Mobile devices; it is just a matter of when it will become profitable for a malware author to actually create one and put it into practice.

At some stage in the future we could get to the stage where if you answer a phone call on your Windows Mobile device you could get a keylogger and rootkit installed via some vulnerability.

Keep Safe,
regards

Steo
www.antirootkit.com

References: Windows CE/Mobile Rootkits

Phoney Free iPhone but a Real Rootkit

Monday, July 2nd, 2007

Secure Computing has released information about a new spammed email telling users that they have won a new iPhone from an online store. The email has a link that promises the reader a free iPhone, and when the user clicks on the link they are brought to a website that then downloads a spam bot and a rootkit.

The subject of the message is “Congratulations, you have won a new iPhone from our store!”

“Should the victim fall for the social engineering attack, clicking on a link directs the user’s browser to a web page that contains malware that exploits 10 Active X vulnerabilities in order to install a malicious payload including an MSODataSourceControl vulnerability.”

There is also visitor analysis on the servers that host the malware. If a person is seen to revisit the malware site, they are redirected to the correct, authentic site instead. This is to make it hard for researchers to have a good look at the site.

This technique of infecting websites and in turn getting them to infect PCs is being used more and more by hackers and malware authors. Using social engineering and spam techniques, malware authors have a great platform to spawn their creations.

Take Care,

regards

Steo

References:
http://www.itpro.co.uk/news/118791/new-malware-exploits-iphone-popularity.html

http://www.itwire.com.au/content/view/13268/53/

First Full-Kernel Rootkit Malware spotted in the wild.

Friday, June 29th, 2007

In the last few days there has been an appearance of a new rootkit that has capabilities of bypassing Firewalls and Intrusion Detection systems.

The rootkit hooks the following kernel functions to hide its registry keys:
ZwOpenKey
ZwEnumerateKey

It also hooks the following kernel routines of the NTFS filesystem driver to hide its files:
\FileSystem\Ntfs\IRP_MJ_CREATE
\FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL

It patches the TCP/IP network driver chain to completely bypass firewalls, IDS systems and network sniffer tools. The rootkit also works in Windows Safe Mode.
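The two hooking techniques above (swapping entries in a driver's dispatch table so that file and registry enumeration lie to the caller) are exactly what anti-rootkit tools look for. The program below is an added user-mode simulation written for this post, not code from Symantec or from the rootkit: it builds a toy NTFS-style dispatch table, takes a clean snapshot at "driver load", simulates a hook on the IRP_MJ_DIRECTORY_CONTROL slot that hides a file named windbg48.sys, and then runs the two classic detections against it. The first compares the live table with the clean snapshot (table integrity); the second asks the same question through both routines and diffs the answers (cross-view detection). The slot indices, the four-entry table and the directory listing are all constructed for the simulation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy dispatch table with four major-function slots. A real driver object has
 * IRP_MJ_MAXIMUM_FUNCTION + 1 slots; the index values here are constructed. */
#define TABLE_SIZE 4
enum { MJ_CREATE = 0, MJ_READ = 1, MJ_WRITE = 2, MJ_DIRECTORY_CONTROL = 3 };
static const char *const major_name[TABLE_SIZE] = {
    "IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_WRITE", "IRP_MJ_DIRECTORY_CONTROL"
};

/* In this simulation a dispatch routine answers one question: is this name visible? */
typedef bool (*dispatch_fn)(const char *name);

typedef struct {
    dispatch_fn major_function[TABLE_SIZE];
} driver_object_t;

/* Legitimate routines of the simulated NTFS driver: nothing is hidden. */
static bool ntfs_create(const char *name)            { (void)name; return true; }
static bool ntfs_read(const char *name)              { (void)name; return true; }
static bool ntfs_write(const char *name)             { (void)name; return true; }
static bool ntfs_directory_control(const char *name) { (void)name; return true; }

driver_object_t ntfs_driver;          /* live table, what callers go through   */
driver_object_t ntfs_clean_snapshot;  /* copy recorded when the driver loaded  */

/* Driver load: fill the table and keep the clean copy the detector compares against. */
void driver_entry(void) {
    ntfs_driver.major_function[MJ_CREATE]            = ntfs_create;
    ntfs_driver.major_function[MJ_READ]              = ntfs_read;
    ntfs_driver.major_function[MJ_WRITE]             = ntfs_write;
    ntfs_driver.major_function[MJ_DIRECTORY_CONTROL] = ntfs_directory_control;
    ntfs_clean_snapshot = ntfs_driver;
}

/* Simulated hook of the kind the post describes: the replacement answers "not
 * visible" for the rootkit's own driver file and forwards everything else to
 * the original routine. Constructed so the detector has something to find;
 * it touches nothing outside this program. */
static dispatch_fn original_directory_control;
static bool hooked_directory_control(const char *name) {
    if (strstr(name, "windbg48.sys") != NULL) return false;
    return original_directory_control(name);
}
void simulate_rootkit_hook(void) {
    original_directory_control = ntfs_driver.major_function[MJ_DIRECTORY_CONTROL];
    ntfs_driver.major_function[MJ_DIRECTORY_CONTROL] = hooked_directory_control;
}

/* Detection 1, table integrity: compare every live slot with the clean
 * snapshot. Returns how many slots differ and records their indices. */
int find_hooked_entries(const driver_object_t *live, const driver_object_t *clean,
                        int *hooked, int max_hooked) {
    int count = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (live->major_function[i] != clean->major_function[i]) {
            if (count < max_hooked) hooked[count] = i;
            count++;
        }
    }
    return count;
}

/* Detection 2, cross-view diff: enumerate the same names through the live
 * (possibly hooked) routine and through the clean one; any name whose
 * visibility differs between the two views is being hidden. */
int cross_view_diff(const char *const *names, int n_names,
                    const driver_object_t *live, const driver_object_t *clean,
                    const char **hidden, int max_hidden) {
    int count = 0;
    for (int i = 0; i < n_names; i++) {
        bool live_view  = live->major_function[MJ_DIRECTORY_CONTROL](names[i]);
        bool clean_view = clean->major_function[MJ_DIRECTORY_CONTROL](names[i]);
        if (live_view != clean_view) {
            if (count < max_hidden) hidden[count] = names[i];
            count++;
        }
    }
    return count;
}

int main(void) {
    /* Constructed directory listing standing in for \Windows\System32\drivers. */
    const char *listing[] = { "ntfs.sys", "tcpip.sys", "windbg48.sys", "http.sys" };
    int hooked[TABLE_SIZE];
    const char *hidden[4];

    driver_entry();
    simulate_rootkit_hook();

    int n = find_hooked_entries(&ntfs_driver, &ntfs_clean_snapshot, hooked, TABLE_SIZE);
    for (int i = 0; i < n; i++)
        printf("hooked dispatch slot: %s\n", major_name[hooked[i]]);

    n = cross_view_diff(listing, 4, &ntfs_driver, &ntfs_clean_snapshot, hidden, 4);
    for (int i = 0; i < n; i++)
        printf("hidden by the live view: %s\n", hidden[i]);
    return 0;
}
```

On a real system the "clean" reference is not a snapshot in memory but the dispatch routine addresses found inside the driver's own image (or a raw read of the disk and registry hives), which is why anti-rootkit tools ask whether each pointer still lands inside the module that owns it; the comparison logic is the same as above.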

The rootkit is used to hide a Trojan that is used to send out spam. The trojan connects to servers to collect the configuration data it needs to send out the spam.

This rootkit also tries to delete competitor rootkits found on the user's PC. ntio256.sys and wincom32.sys are two of its known targets.

The rootkit is currently being sent to users' PCs via hacked websites. Recently it was estimated that over 10,000 websites were hacked and the rootkit installer was planted on the sites, waiting for visitors to come along. When an unsuspecting user visited one of these sites an iframe was launched and various vulnerabilities were checked for by the malicious installer.

Here is a Youtube video showing the websites using Iframes and the MPack installer attacking a PC.

From the Symantec Blog…
“Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that it’s probably the first full-kernel malware spotted in the wild.”

“We guess that the author of Trojan.Srizbi could be the same as Rustock’s because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.”

No doubt the rootkit writers are on an interesting path and this just goes to show that every day that passes newer techniques are being invented by malware authors.

Keep Safe,
regards

Steo
www.antirootkit.com

Average users do not stand a chance with Rootkits

Thursday, June 14th, 2007

The Authentium Virus Blog posting shows how anti-malware programs need to be extremely user friendly for the average user out there. We feel that this is especially true when it comes to anti-rootkit programs.

There should be a straightforward, non-threatening way for users who do not have much computer experience to remove rootkits.

Easy Rootkit Removal is essential

From the Authentium Virus Blog…
“On average we have removed 2 pieces of malware from the machine per day and I suspect that there are at least two different potentially unwanted applications and at least one piece of malware left on the machine. This malware removed includes 2 bots, 1 rootkit, 1 executable that controlled the rootkit and 1 dropper. I suspect that there are still a mass mailer and/or network worm left to be removed. Compliments of a good defense in depth strategy this seems to be contained by the security suite. But it still does not leave the machine in a usable state.”

Read the full posting here…

Keep Safe,

regards

Steo

Free Rootkit with Every New Intel Machine

Tuesday, June 12th, 2007

There is an interesting article over at Astalavista about how new Intel-based machines will have rootkit functionality “available” to the user. This will surely turn out to be another avenue to be utilised by malware writers.

From the article…
“Essentially, all new Intel machines (and a number of current Intel servers)
come with free hardware rootkit functionality, which is operational and
accessible when the machine is powered off, and in the case of laptops, even
when they are unplugged and powered off.

There is the mention of code signing, TLS and PKI magic to allay your security
concerns however…”

Read the full article here…

Keep Safe,

regards

Steo