Malware delivered over Google and Yahoo Ad's?
www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/
A reader called this article to our attention today. It is purported that Google, Yahoo and an possibly other websites were victims of cyber crooks yesterday. It appears that somehow the crooks managed to sneak malware into the syndication services. According to the article in The Register:
"End users visiting sites that used the ad syndication services often saw nothing more than a brief flash as the malware-laced ads caused their browsers to open - and then close - a booby-trapped PDF file. But behind the scenes, the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines".
Looks like once again simply surfing the net can be deadly to your computer. Just another example of why Anti Virus, IDS and other protective measures are so important to every one.
Deb Hale Long Lines, LLC
Conficker Continues to Impact Networks
It appears that Conficker is still alive and well.
www.abc.net.au/news/stories/2009/09/23/2694401.htm
I heard about a local company today who on Monday of this week started having some pretty strange goings on in their network and called in their consultants to try to figure out what was happening. It turns out after much time spent trying to determine what was going, it was "just another Conficker Outbreak". (Still working on it as a matter of fact). They do have anti virus however the infection went undetected for quite some time. Why? Because Conficker did what Conficker does and it over rode the security software and antivirus software to allow them to do their dastardly deeds while remaining undetected. This company has close to 100 computers and more than 50% of them have been infected, some for a while it seems. Conficker has continued to grow its little Botnet and the BotHerder is still spreading their damage. If you look at the "pictorial" representation of the spread in the US alone from January to July it is pretty amazing.
www.f-secure.com/weblog/archives/00001646.html
We also received an email today from a reader whose company was experiencing Conficker activity. So perhaps there is a new wave of the bad guy coming. So just a reminder - quick check -
www.confickerworkinggroup.org/infection_test/cfeyechart.html
If this Eye Chart doesn't display the logo's for 6 of the top security sites in the world, you may be infected and will be the next to fall to the plight of the Conficker Worm.
Deb Hale Long Lines, LLC
Categories of Common Malware Traits
When examining malicious software, the analyst looks for several categories of traits that malware often possess. Keeping these categories in mind during the reverse-engineering process helps avoid gaps in coverage, leading to a comprehensive report about the specimen's characteristics:
- Propagation: How does the specimen spread? Malware may spread using networks and mobile media. It may exploit vulnerabilities in server or client-side software. It may have an element of social engineering, and may be loaded by the intruder manually. Propagation may be autonomous (as is the case with many worms) and may require user involvement (such as launching an email attachment).
- Infection: How does the specimen embed itself in the system? Malware may run once, or may remain on the system via auto-run features. Run-once specimens may store themselves solely in memory. Malware may be packed, or may assemble itself dynamically by downloading additional components. Malware may attach itself to benign programs, or may function as a standalone process. Specimens also differ in the degree to which they resist disinfection attempts.
- Self-Defense: How does malware conceal its presence and resist analysis? Malware may attempt to avoid signature-based detection by changing itself. It may time its actions to take place during busy time periods or to occur slowly, so that they don't stand out. It may embed itself within existing processes or network streams, modify OS functionality, and take other creative measures to decrease the chances that its presence will be discovered. Malware may include anti-reversing capabilities, perhaps by using a packer that encrypts the original executable, decrypting it at runtime.
- Capabilities: What "business purpose" does the specimen serve? Malicious software may be designed to collect data, perhaps by sniffing the network, recording keystrokes and screenshots, and locating sensitive files. Malware may also be programmed to wreck havoc on the system, perhaps by deleting or corrupting data, or to act as a pivoting point for attacking other systems. It may also provide the attacker with remote access to the system via a backdoor.
There are several additional categories of traits to consider. These may be considered a subset of the "capabilities" category. However, because modern malware often exhibits these characteristics, it makes sense to call them out separately:
- Exfiltration: How, if at all, does the specimen transmit data out of the affected environment? Malicious software may send captured data over the network using clear-text and encrypted channels, and may rely on ICMP, HTTP, SMTP, and many other standard and custom protocols. Malware may also store data locally, waiting for the attacker manually copy it off the infected system.
- Command and Control: How, if at all, does the specimen receive updates and instructions? Malicious software may receive commands from the attacker by opening a local network port or by making outbound connections to the attacker's system using protocols such as DNS, HTTP, SMTP, or other client-server and peer-to-peer protocols. Malicious executables often have the ability to upgrade themselves according to a predefined schedule or via the attacker’s request.
Update 1: Andrew Brandt from Webroot wrote to us, recommending another category of traits: Post-Operation behavior. He wrote, "For instance, many Trojans drop or download a payload, execute it, and then self-delete. How does that self-deletion happen? Does it drop a batch file or execute a shell command? Does the file remain memory resident or does it terminate after adding a Scheduled Tasks .job file, so it "wakes up" periodically to ensure the payload is still installed. Sometimes the fact that a Trojan self-deletes is the only observed behavior, because that Trojan may have a narrow time window during which it is coded to execute, and outside of that time window the Trojan fails to execute."
Update 2: The category that's now called "Self-Defense" was originally called "Stealth." I changed the name and expanded it to mention anti-reversing capabilities, base on feedback from an anonymous ISC reader.
Are any common malware characteristics missing from the groupings above? If so, please let us know.
Liked this? Post it to Twitter!
-- Lenny
Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.
Comments