Anti Rootkit Blog

A Stormy Valentines Day ahead of us…

steo — Tue, 15 Jan 2008 23:09:57 +0000

It looks like the Storm Worm is with us once again.

Emails have been spammed out with a Subject Line that contains one of the following,

Falling In Love with You
Special Romance
You’re In My Thoughts
Sent with Love
Our Love Will Last
Our Love is Strong
Your Love Has Opened
You’re the One
A Toast My Love
Heavenly Love

If a user clicks on the link in the email then they are brought to a website that gets unsuspecting users to download their Love ecard. If run, the “ecard” will turn the users PC into a bot. The PC will then join the many others in the Storm Worm Botnet.

It seems a bit early for Valentines Day though! Maybe the authors mistakenly released it?

If not, then we could be in for a long run in to Valentines Day.

Keep Safe

Steo - www.antirootkit.com

Anti Rootkit Software Scanners for Vista

steo — Fri, 11 Jan 2008 16:50:44 +0000

We are often asked what Anti Rootkit Scanners are available for Windows Vista. There are currently only 7, out of the 20 or so scanners available, that will work with Vista. These scanners will also only work with 32 Bit versions of Vista.

Here is a list of the 7 in alphabetical order. Please click on the scanner name or screenshot to bring you to a more detailed page where you can download the software.

F-Secure Blacklight

GMER

Icesword

Rootkit Hook Analyser

Rootkit Revealer

Rootkit Unhooker

Unhackme

Keep Safe,

Steo - www.antirootkit.com

Security Flaw in Vista and XP - Rootkit exploit in the wild

steo — Thu, 03 Jan 2008 19:28:32 +0000

In early Devember 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a users disk was spotted in the wild. Up until then this was more of a proof of concept (POC).

This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System.

This rootkit is using the MBR flaw. The MBR can be written to from within Windows.

The rootkit installs itself ( 244K ) on the last sectors of the users disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it.

GMER has written an excellent write up on the MBR Rootkit and goes into more depth on the issue.

Indeed GMER’s Anti Rootkit Software can find the rootkit.

The rootkit files cannot be removed from within XP, Vista or NT and must be removed without the PC running the rootkit code.

Until the MBR Security flaw within the NT code is fixed then we will all be soon riddled with MBR Rootkits.

Keep Safe,

regards,

Steo - www.antirootkit.com

New Storm Worm Rootkit Domain happy2008toyou.com appears on the stroke of Midnight

steo — Tue, 01 Jan 2008 00:54:29 +0000

Another Storm Worm domain as popped up on the radar,

happy2008toyou.com

The whois…

Domain name:             HAPPY2008TOYOU.COM
Name Server:             ns.happy2008toyou.com 68.251.106.142
Name Server:             ns10.happy2008toyou.com 89.35.121.187
Name Server:             ns11.happy2008toyou.com 58.9.65.61
Name Server:             ns12.happy2008toyou.com 222.209.139.28
Name Server:             ns13.happy2008toyou.com 82.59.136.43
Name Server:             ns2.happy2008toyou.com 68.36.252.81
Name Server:             ns3.happy2008toyou.com 71.230.66.163
Name Server:             ns4.happy2008toyou.com 68.61.185.117
Name Server:             ns5.happy2008toyou.com 70.232.142.1
Name Server:             ns6.happy2008toyou.com 66.75.86.71
Name Server:             ns7.happy2008toyou.com 85.29.202.180
Name Server:             ns8.happy2008toyou.com 86.139.75.35
Name Server:             ns9.happy2008toyou.com 86.130.251.39
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2008.12.29
Status:                  DELEGATED
Registrant ID:           X05O1TC-RU
Registrant Name:         Larry Claus
Registrant Organization: Larry Claus
Registrant Street1:      1874 str. office 923
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code: 320784
Registrant Country:      US
Administrative Technical Contact
Contact ID:              X05O1TC-RU
Contact Name:            Larry Claus
Contact Organization:    Larry Claus
Contact Street1:         1874 str. office 923
Contact City:            Los-Angeles
Contact State:           CA
Contact Postal Code:     320784
Contact Country:         US
Contact Phone:           1 320 5216723
Contact E-mail:          larryknower931@yahoo.com

Registrar: ANO Regional Network Information Center dba RU-CENTER
Last updated on 2008.01.01 03: 36: 27 MSK/MSD

The full list of domains we currently have is:

familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
Santapcards.com
Santawishes2008.com

The filename downloaded is happy_2008.exe

Most Virus Scanners find it,

Have a happy New Year,

Keep Safe,

regards,

Steo

Another Storm Worm Rootkit domain name - familypostcards2008.com

steo — Sat, 29 Dec 2007 23:49:06 +0000

Another domain is being used to host the latest version of the Storm Worm. Millions of emails were spammed out from unsuspecting PC users enticing users to download the malware and rootkit.

If a user clicks on the link they will be shown a page like this,

If they click on the link a file called happynewyear2008.exe will be downloaded.

At this moment in time only 9 out of 32 scanners used by Virustotal can detect the current file as malware.

Here is the whois details for familypostcards2008.com with a hint of humor - registered by Larry Claus…

Domain name:             FAMILYPOSTCARDS2008.COM
Name Server:             ns.familypostcards2008.com 66.215.91.63
Name Server:             ns10.familypostcards2008.com 76.112.151.191
Name Server:             ns11.familypostcards2008.com 76.107.40.165
Name Server:             ns12.familypostcards2008.com 193.77.249.129
Name Server:             ns13.familypostcards2008.com 77.202.25.169
Name Server:             ns2.familypostcards2008.com 24.210.99.223
Name Server:             ns3.familypostcards2008.com 66.159.176.149
Name Server:             ns4.familypostcards2008.com 67.163.236.85
Name Server:             ns5.familypostcards2008.com 98.196.175.5
Name Server:             ns6.familypostcards2008.com 71.200.65.128
Name Server:             ns7.familypostcards2008.com 71.12.160.177
Name Server:             ns8.familypostcards2008.com 72.134.39.155
Name Server:             ns9.familypostcards2008.com 98.226.9.190
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2007.12.29
Status:                  DELEGATED
Registrant ID:           X05O1TC-RU
Registrant Name:         Larry Claus
Registrant Organization: Larry Claus
Registrant Street1:      1874 str. office 923
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code: 320784
Registrant Country:      US
Administrative Technical Contact
Contact ID:              X05O1TC-RU
Contact Name:            Larry Claus
Contact Organization:    Larry Claus
Contact Street1:         1874 str. office 923
Contact City:            Los-Angeles
Contact State:           CA
Contact Postal Code:     320784
Contact Country:         US
Contact Phone:           1 320 5216723
Contact E-mail:          larryknower931@yahoo.com
Registrar:               ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.30 02: 15: 52 MSK/MSD

We will keep you posted as new Storm Worm domains appear.

Keep Safe,

regards

Steo - www.antirootkit.com

How to promote your Storm Worm Peacomm Rootkit via Google and newyearcards2008.com

steo — Sat, 29 Dec 2007 01:46:46 +0000

Whats the first thing people all over the world do when they want to find out about something…they Google it!!! “Googling” something has become a keyword in so many people’s lives these days. Googling has an entry on popular online dictionaries http://dictionary.reference.com/browse/google which means it wont be long before you can actually use the word Googling “legally”.

So when millions of people recently got an email with a link to newyearcards2008.com where they could pick up their New Years E Card Greeting they went to Google and did a search for newyearcards2008.com and they would have seen newyearcards2008.com at the very top,

From Google….

“Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press …
newyearcards2008.com/ - 1k - Cached - Similar pages“

Most Google users would think it is legitimate such is the trust in Google these days. When clicked on the user would have seen a page delivered via someones PC whether it be in their front room, bedroom, office, factory floor even unsuspecting Internet Cafe’s all over the world.

Snapshot from newyearcards2008.com

These infected PC users do not suspect a thing because their Anti Virus program shows that everything is ok, all is well. Why? The latest Storm Worm is using a rootkit … http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/ . Nothing shows because of the stealth capabilities of the rootkit. It hides all traces of itself from normal anti virus and anti spyware scanners. Different scanners are now required for checking for rootkits. Scanners that know exactly how the rootkit operates are required, check out the Antirootkit Software page for list of new scanners.

Why does a search of newyearcards2008.com show the main infection site up first on a Google search? It’s all about how many pages on the internet link to newyearcards2008.com. Even by me putting newyearcards2008.com in this blog will help the name climb the Google ladder so that it shows at the very top and stays top for as long as it can, fooling people into thing it is legitimate ( I mention newyearcards2008.com a lot here so that this blog entry will raise higher than newyearcards2008.com and people will read this warning before getting their New Year’s “Surprise” E-Card).

The people who registered newyearcards2008.com, they went about getting the domain name mentioned on a lot of internet pages around the world, mostly on blog pages belonging to Google. Most of the Blogspot pages have been disabled by Google but many Blogspot and Blogger owners who are using their own domain name have links to newyearcards2008.com in thier “hacked” blogs.

If you suspect a site as being unusual with unusual activity then you can report it to Google and help them mark it as suspect. You can report to Google, suspect sites, via http://www.google.com/safebrowsing/report_badware/

A recent Trend Micro Blog entry highlights Blogger pages being used to harbor links to newyearcards2008.com… http://blog.trendmicro.com/hundreds-of-blogger-pages-harboring-new-years-storm-links/trackback/
So far as of 29th Dec GMT newyearcards2008.com is showing tops, lets see when it is highlighted as a suspect site by Google on a web search.

Also keep an eye out for newyearwithlove.com

(Asked whois.nic.ru:43 about newyearwithlove.com)

Domain name:             NEWYEARWITHLOVE.COM
Name Server:             ns.newyearwithlove.com 24.161.84.89
Name Server:             ns10.newyearwithlove.com 69.179.23.34
Name Server:             ns11.newyearwithlove.com 70.241.145.212
Name Server:             ns12.newyearwithlove.com 69.137.25.197
Name Server:             ns13.newyearwithlove.com 82.67.135.130
Name Server:             ns2.newyearwithlove.com 71.201.48.186
Name Server:             ns3.newyearwithlove.com 68.114.62.80
Name Server:             ns4.newyearwithlove.com 76.226.178.239
Name Server:             ns5.newyearwithlove.com 70.128.122.94
Name Server:             ns6.newyearwithlove.com 76.201.158.149
Name Server:             ns7.newyearwithlove.com 75.49.2.123
Name Server:             ns8.newyearwithlove.com 67.8.191.249
Name Server:             ns9.newyearwithlove.com 71.12.83.79
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26
Status:                  DELEGATED
Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str. office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code: 32089
Registrant Country:      US
Administrative Technical Contact
Contact ID:              XHAEJUS-RU
Contact Name:            Bill Gudzon
Contact Organization:    Bill Gudzon
Contact Street1:         1920 str. office 345
Contact City:            Los-Angeles
Contact State:           CA
Contact Postal Code:     32089
Contact Country:         US
Contact Phone:           1 320 5427834
Contact E-mail:          bgudzon1956@hotmail.com
Registrar:               ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.29 05: 07: 05 MSK/MSD

Keep Safe,

Steo - www.antirootkit.com

Happy New Rootkit

steo — Thu, 27 Dec 2007 22:34:45 +0000

The Storm Worm has been doing it’s latest round since 23rd December. It has been masquarding as a christmas strip show enticing users to get infected. Prevx have been tracing the movements of the worm and have seen over 700 variants in a few days.

The worm is proving very elusive because of its fast flux method of evading detection.
“Fast-flux is basically load-balancing with a twist. It’s a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.”

Then on Christmas day it changed its form to now entice people to click on a New Years Card called happy2008.exe and happynewyear.exe which users would download from legitimate looking sites called happycards2008.com and newyearcards2008.com

Here are the whois for these domains….

Domain name:             HAPPYCARDS2008.COM
Name Server:             ns.happycards2008.com 75.53.216.142
Name Server:             ns10.happycards2008.com 70.142.192.219
Name Server:             ns11.happycards2008.com 72.128.113.26
Name Server:             ns12.happycards2008.com 72.128.30.86
Name Server:             ns13.happycards2008.com 74.130.106.75
Name Server:             ns2.happycards2008.com 76.237.206.65
Name Server:             ns3.happycards2008.com 64.30.118.241
Name Server:             ns4.happycards2008.com 75.23.73.65
Name Server:             ns5.happycards2008.com 76.253.189.137
Name Server:             ns6.happycards2008.com 74.69.168.236
Name Server:             ns7.happycards2008.com 71.195.165.21
Name Server:             ns8.happycards2008.com 88.171.125.18
Name Server:             ns9.happycards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status: DELEGATED

Registrant ID:           XHAEJUS-RU
Registrant Name:         Bill Gudzon
Registrant Organization: Bill Gudzon
Registrant Street1:      1920 str., office 345
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code: 32089
Registrant Country:      US

Registrar: ANO Regional Network Information Center dba RU-CENTER

Domain name:             NEWYEARCARDS2008.COM
Name Server:             ns.newyearcards2008.com 75.53.216.142
Name Server:             ns10.newyearcards2008.com 70.142.192.219
Name Server:             ns11.newyearcards2008.com 72.128.113.26
Name Server:             ns12.newyearcards2008.com 72.128.30.86
Name Server:             ns13.newyearcards2008.com 74.130.106.75
Name Server:             ns2.newyearcards2008.com 76.237.206.65
Name Server:             ns3.newyearcards2008.com 64.30.118.241
Name Server:             ns4.newyearcards2008.com 75.23.73.65
Name Server:             ns5.newyearcards2008.com 76.253.189.137
Name Server:             ns6.newyearcards2008.com 74.69.168.236
Name Server:             ns7.newyearcards2008.com 71.195.165.21
Name Server:             ns8.newyearcards2008.com 88.171.125.18
Name Server:             ns9.newyearcards2008.com 67.38.7.98
Creation Date:           2007.12.26
Updated Date:            2007.12.26
Expiration Date:         2008.12.26

Status: DELEGATED

Registrar: ANO Regional Network Information Center dba RU-CENTER

as we can see both are using a lot of nameservers which each can be used to point the person who clicks on either HAPPYCARDS2008.COM or NEWYEARCARDS2008.COM to one of millions of computers in a botnet which has the infected happy2008.exe or happynewyear.exe waiting to be downloaded.

As we can see the Domain names were registered in Russia.

Subject Lines and the Email Text include….

Happy New Year To You!
Wishes for the new year
Opportunities for the new year
New Year Postcard
New Year Ecard
New Year wishes for you
Happy New Year To You!
Message for new year
Blasting new year
As you embrace another new year
It’s the new Year
As the new year…
Happy 2008 To You!
Joyous new year
Lots of greetings on new year
A fresh new year

There is then a link to one of either happycards2008.com or newyearcards2008.com

Current Variants of the worm have a rootkit element that can be used to hide from many antvirus and antispyware scanners.

“Last versions of Stormy worm are using a rootkit component to hide infection components.

After launched, the dropper create a new service and a driver under Windows System directory called clean[4 random chars]-[4 random chars].sys or bldy[4 random chars]-[4 random chars].sys

Driver will hook three Windows native API: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile. Goal is to hide its registry keys and files.

As side effect, it’ll hide every file that contains the strings “clean” or “bldy” in its name.”
From Prevx..

Prevx provide a free scanner called Prevx CSI that can detect these new variants..Download Prevx CSI for free …

Have a Happy New Year… no really…

Keep Safe

Steo - www.antirootkit.com

EP_X0FF and Rootkit Unhooker off to Microsoft

steo — Sun, 23 Dec 2007 17:23:22 +0000

Microsoft have just gained one of the best anti rootkit teams on the planet. EP_X0FF and the development team of Rootkit Unhooker have joined Microsoft. They are currently making plans to ship off to Wittenberg in Germany ( where Martin Luther is buried ) where the Rootkit Unhooker team will finish off work on their, up to now,secret project called Secured Eye (SEye),“…in a two words this is project mix of software/hardware related to distributed calculations and virtualization technologies based on Vanderpool / Pacifica extensions. Not a Blue Pill. To be more correct some parts of SEye can be used as a pill for any kind of Blue Pill variations ”

Microsoft now owns Rootkit Unhooker and SEye….”As you can guess all our source code and concept were sold to MS. This was happened in the beginning of November and includes all variants of our test programs, RkU, including last 4.1 version and SEye which is ready on 3/4.”

It is a great thing that EP_X0FF and the team are off to Microsoft. Just like Mark Russinovitch before them, their vision and knowledge alongside money and resources from Microsoft will bode well for us all in the future.

Best of Luck to you all and keep in touch.

You can read EP_X0FF’s blog here…http://www.rootkit.com/blog.php?user=EP_X0FF

Keep Safe

Steo

The Rise of the Rootkits has begun

steo — Wed, 12 Dec 2007 23:11:38 +0000

“The Rise of the Rootkits has begun” are the words of Jacques Erasmus from Prevx who commented recently on the increase in the use of Rootkits.

“Significantly, although rootkits were detected on 15.6 percent of PCs during October 2007, that figure had risen to 22 percent by early December.”

This indeed shows that there has been an enormous increase in the use of Rootkits in one month alone and the trend is very much upward. The Rootkit List shows that since Nov 1st there has been 79 rootkit related stealth malware creations found by leading IT Security Companies. November has been one of the biggest months of the year so far for new found rootkit creations and variations. This could be down to the fact that online criminals are getting their arsenal ready for Christmas when a lot of people will be buying presents online.

The Prevx results have come from information gathered from the Prevx Online Scanner. This online scanner was used mostly by users who suspected something was wrong with their PC. The Rootkit files found by the Prex online scanner include NDT2.SYS , SROSA.SYS, UNPR.SYS, FMTR.SYS, and INDT2.SYS.

It seems also that a lot of businesses are being caught off guard by Rootkits. “In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14 percent, had one or more PCs harbouring rootkit infections.”

To check your PC for Rootkits check out the Antirootkit Software Page.

To check out the Free Prevx Scan http://www.prevx.com/freescan.asp.

Keep Safe,

regards

Steo

In the Eye of the Storm Worm

steo — Sun, 21 Oct 2007 20:05:26 +0000

Frank Boldewin, a German IT security specialist has recently published a clear and concise analysis of Peacomm.C code, otherwise known as The Storm Worm, Nuwar or Zhelatin.

The Storm Worm has been hitting hard since Jan 2007 when it was unleashed as spammed emails duping users into following news about the large storms that were hitting Europe at the same time. The Storm Worm has resurfaced under many guises throughout the year. Coming up to Valentines Day millions of emails were spammed out duping the users into viewing a message from a loved one.

This code and underlining Rootkit has helped criminals setup a major Botnet comprising of captured zombie PC’s from all around the world. Most of these PC owners are oblivious to the fact that their PC is part of a Botnet and is in control of criminals intend in using it to make money for themselves.

Frank dissected the code after receiving a spammed out email which had a link to malware which when installed would have installed the Peacomm.C rootkit and the PC would become part of the botnet.

“On 22th August 2007 I received an email informing me about “New Member Confirmation”, including Confirmation Number, Login-ID and Login-Password. To stay secure I should immediately change my Login info on a provided website link. So I’ve started investigating what surprises are awaiting people clicking on such kind of links. Next to a friendly message telling me that my download should start in some seconds, I also got a browser exploit for free, to ensure the “software package” gets really shipped. “Hey that’s cool”, I thought by myself. “It’s like Kinder Surprise® - three in one!” Unfortunately, at this time I hadn’t enough incentive for a deep analysis and so I just stored the malicious file called applet.exe in my archive for later fun with it.”

Frank goes into some depth in his analysis including topics such as:

First stage XOR decrypter
Second stage TEA decrypter
TIBS Unpacker
Anti-Debugging code
Files dropping
The driver-code infection
Finding the OEP to the native Peacomm code
Finding and patching the VM-detection tricks
SSDT file hiding
Shellcode injection for process spawning
System files locking

This excellent in-depth analysis in PDF format along with the Peacomm.C binaries can be downloaded from Frank’s site www.reconstructer.org.

A html version is available from antirootkit.com

Have fun, enjoy the read and be cautious with the binaries.

regards

Steo
www.antirootkit.com