Anti Rootkit Blog

Whats the first thing people all over the world do when they want to find out about something…they Google it!!! “Googling” something has become a keyword in so many people’s lives these days. Googling has an entry on popular online dictionaries http://dictionary.reference.com/browse/google which means it wont be long before you can actually use the word Googling “legally”.

So when millions of people recently got an email with a link to newyearcards2008.com where they could pick up their New Years E Card Greeting they went to Google and did a search for newyearcards2008.com and they would have seen newyearcards2008.com at the very top,

From Google….

“Happy New Year!

Most Google users would think it is legitimate such is the trust in Google these days. When clicked on the user would have seen a page delivered via someones PC whether it be in their front room, bedroom, office, factory floor even unsuspecting Internet Cafe’s all over the world.

Snapshot from newyearcards2008.com

These infected PC users do not suspect a thing because their Anti Virus program shows that everything is ok, all is well. Why? The latest Storm Worm is using a rootkit … http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/ . Nothing shows because of the stealth capabilities of the rootkit. It hides all traces of itself from normal anti virus and anti spyware scanners. Different scanners are now required for checking for rootkits. Scanners that know exactly how the rootkit operates are required, check out the Antirootkit Software page for list of new scanners.

Why does a search of newyearcards2008.com show the main infection site up first on a Google search? It’s all about how many pages on the internet link to newyearcards2008.com. Even by me putting newyearcards2008.com in this blog will help the name climb the Google ladder so that it shows at the very top and stays top for as long as it can, fooling people into thing it is legitimate ( I mention newyearcards2008.com a lot here so that this blog entry will raise higher than newyearcards2008.com and people will read this warning before getting their New Year’s “Surprise” E-Card).

The people who registered newyearcards2008.com, they went about getting the domain name mentioned on a lot of internet pages around the world, mostly on blog pages belonging to Google. Most of the Blogspot pages have been disabled by Google but many Blogspot and Blogger owners who are using their own domain name have links to newyearcards2008.com in thier “hacked” blogs.

If you suspect a site as being unusual with unusual activity then you can report it to Google and help them mark it as suspect. You can report to Google, suspect sites, via http://www.google.com/safebrowsing/report_badware/

A recent Trend Micro Blog entry highlights Blogger pages being used to harbor links to newyearcards2008.com… http://blog.trendmicro.com/hundreds-of-blogger-pages-harboring-new-years-storm-links/trackback/
So far as of 29th Dec GMT newyearcards2008.com is showing tops, lets see when it is highlighted as a suspect site by Google on a web search.

Also keep an eye out for newyearwithlove.com

(Asked whois.nic.ru:43 about newyearwithlove.com)

 Domain name:             NEWYEARWITHLOVE.COM
 Name Server:             ns.newyearwithlove.com 24.161.84.89
 Name Server:             ns10.newyearwithlove.com 69.179.23.34
 Name Server:             ns11.newyearwithlove.com 70.241.145.212
 Name Server:             ns12.newyearwithlove.com 69.137.25.197
 Name Server:             ns13.newyearwithlove.com 82.67.135.130
 Name Server:             ns2.newyearwithlove.com 71.201.48.186
 Name Server:             ns3.newyearwithlove.com 68.114.62.80
 Name Server:             ns4.newyearwithlove.com 76.226.178.239
 Name Server:             ns5.newyearwithlove.com 70.128.122.94
 Name Server:             ns6.newyearwithlove.com 76.201.158.149
 Name Server:             ns7.newyearwithlove.com 75.49.2.123
 Name Server:             ns8.newyearwithlove.com 67.8.191.249
 Name Server:             ns9.newyearwithlove.com 71.12.83.79
 Creation Date:           2007.12.26
 Updated Date:            2007.12.26
 Expiration Date:         2008.12.26
 Status:                  DELEGATED
 Registrant ID:           XHAEJUS-RU
 Registrant Name:         Bill Gudzon
 Registrant Organization: Bill Gudzon
 Registrant Street1:      1920 str.  office 345
 Registrant City:         Los-Angeles
 Registrant State:        CA
 Registrant Postal Code:  32089
 Registrant Country:      US
 Administrative  Technical Contact
 Contact ID:              XHAEJUS-RU
 Contact Name:            Bill Gudzon
 Contact Organization:    Bill Gudzon
 Contact Street1:         1920 str.  office 345
 Contact City:            Los-Angeles
 Contact State:           CA
 Contact Postal Code:     32089
 Contact Country:         US
 Contact Phone:           1 320 5427834
 Contact E-mail:          bgudzon1956@hotmail.com
 Registrar:               ANO Regional Network Information Center dba RU-CENTER
 Last updated on 2007.12.29 05: 07: 05 MSK/MSD

Keep Safe,

Steo - www.antirootkit.com

The Storm Worm has been doing it’s latest round since 23rd December. It has been masquarding as a christmas strip show enticing users to get infected. Prevx have been tracing the movements of the worm and have seen over 700 variants in a few days.

The worm is proving very elusive because of its fast flux method of evading detection.
“Fast-flux is basically load-balancing with a twist. It’s a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.”

Then on Christmas day it changed its form to now entice people to click on a New Years Card called happy2008.exe and happynewyear.exe which users would download from legitimate looking sites called happycards2008.com and newyearcards2008.com

Here are the whois for these domains….

Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

Domain name:             NEWYEARCARDS2008.COM
Name Server:             ns.newyearcards2008.com 75.53.216.142
Name Server:             ns10.newyearcards2008.com 70.142.192.219
Name Server:             ns11.newyearcards2008.com 72.128.113.26
Name Server:             ns12.newyearcards2008.com 72.128.30.86
Name Server:             ns13.newyearcards2008.com 74.130.106.75
Name Server:             ns2.newyearcards2008.com 76.237.206.65
Name Server:             ns3.newyearcards2008.com 64.30.118.241
Name Server:             ns4.newyearcards2008.com 75.23.73.65
Name Server:             ns5.newyearcards2008.com 76.253.189.137
Name Server:             ns6.newyearcards2008.com 74.69.168.236
Name Server:             ns7.newyearcards2008.com 71.195.165.21
Name Server:             ns8.newyearcards2008.com 88.171.125.18
Name Server:             ns9.newyearcards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status:                  DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  32089
Registrant Country:      US

Registrar:               ANO Regional Network Information Center dba RU-CENTER

as we can see both are using a lot of nameservers which each can be used to point the person who clicks on either HAPPYCARDS2008.COM or NEWYEARCARDS2008.COM to one of millions of computers in a botnet which has the infected happy2008.exe or happynewyear.exe waiting to be downloaded.

As we can see the Domain names were registered in Russia.

Subject Lines and the Email Text include….

Happy New Year To You!
Wishes for the new year
Opportunities for the new year
New Year Postcard
New Year Ecard
New Year wishes for you
Happy New Year To You!
Message for new year
Blasting new year
As you embrace another new year
It’s the new Year
As the new year…
Happy 2008 To You!
Joyous new year
Lots of greetings on new year
A fresh new year

There is then a link to one of either happycards2008.com or newyearcards2008.com

Current Variants of the worm have a rootkit element that can be used to hide from many antvirus and antispyware scanners.

“Last versions of Stormy worm are using a rootkit component to hide infection components.

After launched, the dropper create a new service and a driver under Windows System directory called clean[4 random chars]-[4 random chars].sys or bldy[4 random chars]-[4 random chars].sys

Driver will hook three Windows native API: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile. Goal is to hide its registry keys and files.

As side effect, it’ll hide every file that contains the strings “clean” or “bldy” in its name.”
From Prevx..

Prevx provide a free scanner called Prevx CSI that can detect these new variants..Download Prevx CSI for free …

Have a Happy New Year… no really…

Keep Safe

Steo - www.antirootkit.com