Archive for the ‘Underground’ Category

Security Flaw in Vista and XP – Rootkit exploit in the wild

Thursday, January 3rd, 2008

In early Devember 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a users disk was spotted in the wild. Up until then this was more of a proof of concept (POC).

This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System.

This rootkit is using the MBR flaw. The MBR can be written to from within Windows.

The rootkit installs itself ( 244K ) on the last sectors of the users disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it.

GMER has written an excellent write up on the MBR Rootkit and goes into more depth on the issue.

Indeed GMER’s Anti Rootkit Software can find the rootkit.

 gmer-finds-mbr-rootkit.jpg

The rootkit files cannot be removed from within XP, Vista or NT and must be removed without the PC running the rootkit code.

Until the MBR Security flaw within the NT code is fixed then we will all be soon riddled with MBR Rootkits.

Keep Safe,

regards,

Steo – www.antirootkit.com

 

Posted in Analysis, Debate, GMER, MBR Rootkit, Master Boot Record Rootkit, Microsoft, NT, New Rootkits, News, Other Malware, Rootkit Scanners, Underground, Vista, XP | 11 Comments »

Another Storm Worm Rootkit domain name – familypostcards2008.com

Saturday, December 29th, 2007

Another domain is being used to host the latest version of the Storm Worm. Millions of emails were spammed out from unsuspecting PC users enticing users to download the malware and rootkit.

familypostcards2008

If a user clicks on the link they will be shown a page like this,

newyearcards2008-site

If they click on the link a file called happynewyear2008.exe will be downloaded.

At this moment in time only 9 out of 32 scanners used by Virustotal can detect the current file as malware.

virustotal-happynewyear2008

Here is the whois details for familypostcards2008.com with a hint of humor – registered by Larry Claus…

 Domain name:             FAMILYPOSTCARDS2008.COM
 Name Server:             ns.familypostcards2008.com 66.215.91.63
 Name Server:             ns10.familypostcards2008.com 76.112.151.191
 Name Server:             ns11.familypostcards2008.com 76.107.40.165
 Name Server:             ns12.familypostcards2008.com 193.77.249.129
 Name Server:             ns13.familypostcards2008.com 77.202.25.169
 Name Server:             ns2.familypostcards2008.com 24.210.99.223
 Name Server:             ns3.familypostcards2008.com 66.159.176.149
 Name Server:             ns4.familypostcards2008.com 67.163.236.85
 Name Server:             ns5.familypostcards2008.com 98.196.175.5
 Name Server:             ns6.familypostcards2008.com 71.200.65.128
 Name Server:             ns7.familypostcards2008.com 71.12.160.177
 Name Server:             ns8.familypostcards2008.com 72.134.39.155
 Name Server:             ns9.familypostcards2008.com 98.226.9.190
 Creation Date:           2007.12.29
 Updated Date:            2007.12.29
 Expiration Date:         2007.12.29
 Status:                  DELEGATED
 Registrant ID:           X05O1TC-RU
 Registrant Name:         Larry Claus
 Registrant Organization: Larry Claus
 Registrant Street1:      1874 str.  office 923
 Registrant City:         Los-Angeles
 Registrant State:        CA
 Registrant Postal Code:  320784
 Registrant Country:      US
 Administrative  Technical Contact
 Contact ID:              X05O1TC-RU
 Contact Name:            Larry Claus
 Contact Organization:    Larry Claus
 Contact Street1:         1874 str.  office 923
 Contact City:            Los-Angeles
 Contact State:           CA
 Contact Postal Code:     320784
 Contact Country:         US
 Contact Phone:           1 320 5216723
 Contact E-mail:          larryknower931@yahoo.com
 Registrar:               ANO Regional Network Information Center dba RU-CENTER
 Last updated on 2007.12.30 02: 15: 52 MSK/MSD

We will keep you posted as new Storm Worm domains appear.

Keep Safe,

regards

Steo – www.antirootkit.com

Posted in Analysis, E-Cards, New Rootkits, News, Nuwar, Underground, peacomm | 1 Comment »

How to promote your Storm Worm Peacomm Rootkit via Google and newyearcards2008.com

Saturday, December 29th, 2007

Whats the first thing people all over the world do when they want to find out about something…they Google it!!! “Googling” something has become a keyword in so many people’s lives these days. Googling has an entry on popular online dictionaries http://dictionary.reference.com/browse/google which means it wont be long before you can actually use the word Googling “legally”.

So when millions of people recently got an email with a link to newyearcards2008.com where they could pick up their New Years E Card Greeting they went to Google and did a search for newyearcards2008.com and they would have seen newyearcards2008.com at the very top,

newyearcards2008

From Google….

Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press
newyearcards2008.com/ – 1k – CachedSimilar pages

Most Google users would think it is legitimate such is the trust in Google these days. When clicked on the user would have seen a page delivered via someones PC whether it be in their front room, bedroom, office, factory floor even unsuspecting Internet Cafe’s all over the world.

newyearcards2008-site
Snapshot from newyearcards2008.com

These infected PC users do not suspect a thing because their Anti Virus program shows that everything is ok, all is well. Why? The latest Storm Worm is using a rootkit … http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/ . Nothing shows because of the stealth capabilities of the rootkit. It hides all traces of itself from normal anti virus and anti spyware scanners. Different scanners are now required for checking for rootkits. Scanners that know exactly how the rootkit operates are required, check out the Antirootkit Software page for list of new scanners.

Why does a search of newyearcards2008.com show the main infection site up first on a Google search? It’s all about how many pages on the internet link to newyearcards2008.com. Even by me putting newyearcards2008.com in this blog will help the name climb the Google ladder so that it shows at the very top and stays top for as long as it can, fooling people into thing it is legitimate ( I mention newyearcards2008.com a lot here so that this blog entry will raise higher than newyearcards2008.com and people will read this warning before getting their New Year’s “Surprise” E-Card).

The people who registered newyearcards2008.com, they went about getting the domain name mentioned on a lot of internet pages around the world, mostly on blog pages belonging to Google. Most of the Blogspot pages have been disabled by Google but many Blogspot and Blogger owners who are using their own domain name have links to newyearcards2008.comnewyearcards2008-blog-site in thier “hacked” blogs.

 

 

If you suspect a site as being unusual with unusual activity then you can report it to Google and help them mark it as suspect. You can report to Google, suspect sites, via http://www.google.com/safebrowsing/report_badware/

A recent Trend Micro Blog entry highlights Blogger pages being used to harbor links to newyearcards2008.com… http://blog.trendmicro.com/hundreds-of-blogger-pages-harboring-new-years-storm-links/trackback/
So far as of 29th Dec GMT newyearcards2008.com is showing tops, lets see when it is highlighted as a suspect site by Google on a web search.

Also keep an eye out for newyearwithlove.com

(Asked whois.nic.ru:43 about newyearwithlove.com)

 Domain name:             NEWYEARWITHLOVE.COM
 Name Server:             ns.newyearwithlove.com 24.161.84.89
 Name Server:             ns10.newyearwithlove.com 69.179.23.34
 Name Server:             ns11.newyearwithlove.com 70.241.145.212
 Name Server:             ns12.newyearwithlove.com 69.137.25.197
 Name Server:             ns13.newyearwithlove.com 82.67.135.130
 Name Server:             ns2.newyearwithlove.com 71.201.48.186
 Name Server:             ns3.newyearwithlove.com 68.114.62.80
 Name Server:             ns4.newyearwithlove.com 76.226.178.239
 Name Server:             ns5.newyearwithlove.com 70.128.122.94
 Name Server:             ns6.newyearwithlove.com 76.201.158.149
 Name Server:             ns7.newyearwithlove.com 75.49.2.123
 Name Server:             ns8.newyearwithlove.com 67.8.191.249
 Name Server:             ns9.newyearwithlove.com 71.12.83.79
 Creation Date:           2007.12.26
 Updated Date:            2007.12.26
 Expiration Date:         2008.12.26
 Status:                  DELEGATED
 Registrant ID:           XHAEJUS-RU
 Registrant Name:         Bill Gudzon
 Registrant Organization: Bill Gudzon
 Registrant Street1:      1920 str.  office 345
 Registrant City:         Los-Angeles
 Registrant State:        CA
 Registrant Postal Code:  32089
 Registrant Country:      US
 Administrative  Technical Contact
 Contact ID:              XHAEJUS-RU
 Contact Name:            Bill Gudzon
 Contact Organization:    Bill Gudzon
 Contact Street1:         1920 str.  office 345
 Contact City:            Los-Angeles
 Contact State:           CA
 Contact Postal Code:     32089
 Contact Country:         US
 Contact Phone:           1 320 5427834
 Contact E-mail:          bgudzon1956@hotmail.com
 Registrar:               ANO Regional Network Information Center dba RU-CENTER
 Last updated on 2007.12.29 05: 07: 05 MSK/MSD

Keep Safe,

Steo – www.antirootkit.com

 

Posted in Analysis, Blogger, Blogspot, Debate, E-Cards, Google, New Rootkits, News, Nuwar, Prevx, Rootkit Scanners, Storm Worm, Underground, peacomm, wincom32 | 2 Comments »

Forecast – Massive Storms clouded by Rootkits

Friday, April 13th, 2007

Update: July 9th 2007 - see Abnormal activity from your IP…yeah sure 

Over the last 2 days there has been what seems to be a massive Virus outbreak caused by the Storm Worm. The Storm worm was first introduced to us January when large storms were battering Europe a worm was spammed out disguised as important news on the storm with subject lines like “230 dead as storm batters europe”.
The next time the Storm Worm was unleashed was around Valentines Day when emails pretending to be from a lover were spammed out to millions of people across the Internet. Then last weekend a new Storm surge was spammed out as news of World War 3 starting against Iran and love related subjects like “A kiss so gentle” or “I dream of you”.

The latest Storm run was seen on the radar about 6 PM GMT on Thursday and within 24 hours over 55 million emails were sent out by the Worm according to Postini, an email security company. This is over 60 times the normal rate for a “normal” 24 hour period.

The subject lines currently being used are:
Worm Detected!
Virus Detected!ected!
Virus Activity Detected!
ATTN!
Spyware Alert!
Spyware Detected!
Warning!
Trojan Alert!
Trojan Detected!
Worm Activity Detected!
Virus Alert!

The Body of the email may look similar to the following:

From: Customer Support

Dear Customer,
Our robot has detected an abnormal activity from your IP address on sending e-mails.

Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch because the worm can modify unpacked exe files. You should open the archive file, enter the password and run the patch immediately.

Password: {Random}

Customer Support Center Robot.

Attachment: Patch-{Random}.zip
Attachments:

It arrives with 2 attachments. One attachment is normally a gif, more about this later and the other attachment is a zip file with a password.

The format the zip files take is one of the following:
patch-[RANDOM 4 DIGITS].zip
removal-[5 RANDOM DIGITS].zip
hotfix-[5 RANDOM DIGITS].zip
bugfix-[5 RANDOM DIGITS].zip

The use of a password protected zip file is a new tactic used by the Storm Worm. Random numbers and letters are used for each attachment in the email that is sent out. The password for the attachment is given with the email. The file within the zip, when run, will install the Storm Worm on your PC and hide itself from Virus Scanners by using a Rootkit. The Rootkit component is wincom32.sys and from using anti rootkit software it can be seen to ensure its visibility by hooking the following:

Rootkit Elements: 

SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys

IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys

and it also hides registry entries pointing to the wincom32.sys.

Although Anti Virus Scanners will not “see” these files you can get a dedicated Anti-Rootkit program from our Anti-Rootkit Software Page.
Anubis have an extremely in-depth analysis of a sample submitted to them.
http://analysis.seclab.tuwien.ac.at/result.php?taskid=0ce16256cab3e414c180082fafc8d4b4&refresh=1&embedded=1

Tactics:

The reason this particular Storm Worm run has become so massive is that the authors have employed some new tactics and some old trustworthy tactics.The new tactics include using an image file which has the text of the message. This means that anti virus scanners can not scan an email for suspicious text. This tactic has been recently employed by spammers to bypass anti spam mechanisms.
The tactic of the password zip file is not new and has been used in the past by many worms including the infamous Bagle. What is new to the Storm Worm is the polymorphic features of the code. Each worm is going to be slightly different so as to better avoid detection by anti virus email scanners.
The tactic of informing people that they have malware on their PC is not new either but it is effective. This is especially effective because of the limited run a few days before. This run got the Storm Worm in the media and then the Thursday run with all its new mechanisms may have piggy backed on the fear people may have that they are infected.

 

Behind the Scenes:

So what and who is behind the Storm Worm. It is thought that the worm is originating from Eastern Europe and is spammed out so as to get as many victims to start the ball rolling initially. The worm the spreads from PC to PC via its own email program using addresses from the users email address book. Once on a users PC the worm joins the PC up to a massive Botnet comprised of thousands of unsuspecting users PC’s. The Botnet is then used to send out massive amount of what is called Pump and Dump Spam. This is where  Stock is advertised at low prices and it expectant value is very high. When unsuspecting users buy this stock they will help the price of the stock to go up. When the price of the stock goes up the Stock is sold off by the originator of the Pump and Dump spam at emmense profits.

The Storm Worm runs on Windows 98, ME, NT, 2000, XP, and Windows Server 2003.

The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code. :-(

Keep Safe
regards

Steo
www.antirootkit.com

References:

The Eye of the Storm

Storm Worm blows up, breaks records

WORM_NUWAR.AOP

Consumer alert: Massive virus outbreak

Massive spam shot of ‘Storm Trojan’ reaches record proportions

Posted in Analysis, New Rootkits, News, Underground, peacomm, wincom32 | 4 Comments »

Rootkit Unhooker Author to release new Undetectable Rootkit

Thursday, January 18th, 2007

The anti rootkit software author who goes by the name of EP_X0FF has released information recently about a new rootkit that he has created. EP_X0FF is the author of Rootkit Unhooker one of the best antirootkit scanners at the moment. The rootkit he has created is undetectable by all anti rootkit software. The new rootkit is to be called Unreal Test Rootkit.

Here is some information on the rootkit from the Rootkit Unhooker site:

We are introducing new generation of rootkit technology.
Unreal Test Rootkit v1.0Unreal rootkit hides file and driver. Works on NT-based operation systems with NTFS file systems.

It is Not malicious.

This rootkit is not intended to be runned with Host Intrusion Prevention Systems.
This rootkit intended ONLY for testings with AntiRootkit software.

Rootkit tech information

File system: NTFS
Implementation: DKOM
Predecessors: partially RkDemo, phide_ex and Rustock

ARK TESTS:
========================================
1. Rootkit Unhooker v3.01 BYPASSED
2. Rootkit Revealer v1.71 BYPASSED
3. F-Secure Blacklight BYPASSED
4. DarkSpy v1.05 BYPASSED
5. DarkSpy v1.05fixedbeta2 BYPASSED
6. IceSword v1.20 BYPASSED
7. GMER v1.012 BYPASSED
8. Helios v1.1a BYPASSED
9. SVV v2.3 BYPASSED
10. McAfee Rootkit Detective BYPASSED
11. Sophos AntiRootkit BYPASSED
12. TrendMicro RootkitBuster BYPASSED
13. AVG AntiRootkit BYPASSED
14. AVZ v4.23 ARK Module BYPASSED
15. BitDefender Rootkit Uncover BYPASSED
16. Panda AntiRootkit BYPASSED
17. Panda Tycan BYPASSED
18. modGreeper v0.3 BYPASSED
19. flister BYPASSED
20. UnHackMe BYPASSED
21. SEEM v4.x BYPASSED
22. SafetyCheck v1.5.x BYPASSED
23. Avira AntiRootkit BYPASSED
24. HiddenFinder v1.301 BYPASSED
25. RkDetector v0.6 BYPASSED
========================================

There are no best antirootkits.

Rootkit sources are available only by preliminary request.

Release date: very soon

regards

Steo
www.antirootkit.com

Posted in New Rootkits, News, Rootkit Scanners, Underground | 6 Comments »

Rootkit Guru: AntiVirus Makes Me Do It

Tuesday, December 20th, 2005

The author of Hacker Defender, holy_father, explained recently why he writes rootkits and why is doing the public a good service by letting the public know what the capabilities of rootkits are, what they can do and how the can be used. This information should then be used by security companies to provide better security for their computer users. Anti virus companies have long known that rootkits will thwart the scanning of viruses and spyware.Anti virus comapnies have asked for the code of Hacker Defender. They have not faced up to the real reality that viruses and spyware can be hidden from their scanners by rootkits. Unless they provide a way to stop rootkits taking hold or better scanning technology then they will never be able to overcome rootkits.

Keep Safe

regards
Steo
www.antirootkit.com

Posted in News, Underground | No Comments »