A Storm Rages
Sunday, January 21, 2007
(Don't think that I've been remiss in not keeping this blog updated -- after writing a magnum opus of a post, I had to scrap it to protect the security of some of the sites mentioned. When the bad guys are willing to do anything to keep the cash flowing, sometimes discretion truly is the better part of valor).
The malware story to beat lately has to be the Storm Worm. This bad boy has gone from initially being a dangerous trojan with some limited spreading capabilities, to a zombie-creating bot with mass-mailing spreading tactics, all the way to its current version, complete with a kernel-mode rootkit and the aforementioned botnet-creation capabilities. It's worth noting that the botnet it builds is a P2P botnet with a decentralized Command and Control (C&C) structure: there is no single C&C server to knock out and then watch the whole thing collapse, Shadowserver-style, so a takedown has to go after the peers themselves.
And the speed at which this monster is spreading is rather impressive. Consider F-Secure's video of client detection locations:
I doubt it has slowed down all that much, either, if at all. All the programs are named after sensational headlines ("First Nuclear Act of Terrorism," for example), and we're one big, happy world of media-crazed, double-click-any-attachment-regardless-of-common-sense people, right? Someone's botnet must be getting a heck of a lot bigger...
"All the better to DDoS you with, my dear."
Regards,
David
posted by David @ 9:49 PM
Interesting Rootkit
Thursday, January 18, 2007
Found an interesting piece of malware on a victim's laptop -- the rootkit killed GMER when I first tried to run it, but renaming the executable was enough to trick it. The file's (randomly generated) name is "brazhmqltx.exe", found in C:\Windows\system32.
Size: 275,968 bytes (276KB)
MD5: 909b3f5072ec3228b9d596d3bb5cb22e
SHA1: da799a12ae69a2d00e026e54291d54ccac4504fc
Packers: PecBundle, PECompact
Detection on VirusTotal is almost nonexistent as of right now (only three of the 29 engines flag it, and two of those only as "suspicious"):
Engine | Engine version | Signature date | Result |
AntiVir | 7.3.0.21 | 01.18.2007 | no virus found |
Authentium | 4.93.8 | 01.17.2007 | no virus found |
Avast | 4.7.936.0 | 01.17.2007 | no virus found |
AVG | 386 | 01.18.2007 | no virus found |
BitDefender | 7.2 | 01.18.2007 | no virus found |
CAT-QuickHeal | 9.00 | 01.17.2007 | (Suspicious) - DNAScan |
ClamAV | devel-20060426 | 01.18.2007 | no virus found |
DrWeb | 4.33 | 01.18.2007 | no virus found |
eSafe | 7.0.14.0 | 01.18.2007 | no virus found |
eTrust-InoculateIT | 23.73.116 | 01.18.2007 | no virus found |
eTrust-Vet | 30.3.3334 | 01.18.2007 | no virus found |
Ewido | 4.0 | 01.17.2007 | no virus found |
Fortinet | 2.82.0.0 | 01.18.2007 | no virus found |
F-Prot | 3.16f | 01.17.2007 | no virus found |
F-Prot4 | 4.2.1.29 | 01.17.2007 | no virus found |
Ikarus | T3.1.0.27 | 01.09.2007 | no virus found |
Kaspersky | 4.0.2.24 | 01.18.2007 | no virus found |
McAfee | 4941 | 01.17.2007 | no virus found |
Microsoft | 1.1904 | 01.18.2007 | no virus found |
NOD32v2 | 1988 | 01.18.2007 | no virus found |
Norman | 5.80.02 | 01.18.2007 | no virus found |
Panda | 9.0.0.4 | 01.17.2007 | Adware/NaviPromo |
Prevx1 | V2 | 01.18.2007 | no virus found |
Sophos | 4.13.0 | 01.17.2007 | no virus found |
Sunbelt | 2.2.907.0 | 01.12.2007 | VIPRE.Suspicious |
TheHacker | 6.0.3.149 | 01.18.2007 | no virus found |
UNA | 1.83 | 01.17.2007 | no virus found |
VBA32 | 3.11.2 | 01.18.2007 | no virus found |
VirusBuster | 4.3.19:9 | 01.18.2007 | no virus found |
I'm going to attempt a bit more analysis this afternoon -- I'm curious as to just what this is. (The computer seemed clean otherwise.)
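For anyone wanting to do the same first-pass triage on a sample like this one, here is an added example (my own illustration, not code from the original post or from any of the tools mentioned): it hashes a file so the result can be compared against the MD5/SHA1 given above, walks the PE section table by hand, and computes per-section Shannon entropy, which is the usual cheap heuristic for spotting a packed or compressed image like the PecBundle/PECompact one reported here. The PE blob it analyses is constructed inline purely so the script runs offline; the 7.0 bits-per-byte threshold is a rule of thumb, not a property of this particular sample, and a PE32+ or malformed header would need extra handling.

```python
"""Hash, section-table and entropy triage for a suspected packed PE (added example)."""
import hashlib
import math
import struct

# Indicators copied from the post above; a match means "this is the same file".
KNOWN_BAD = {
    "md5": "909b3f5072ec3228b9d596d3bb5cb22e",
    "sha1": "da799a12ae69a2d00e026e54291d54ccac4504fc",
}

def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, as reported by VirusTotal-style services."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def matches_known_bad(data: bytes) -> bool:
    h = file_hashes(data)
    return any(h[alg] == digest for alg, digest in KNOWN_BAD.items())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for compressed/encrypted data, far lower for plain code/text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes) -> list:
    """Return [(name, raw_offset, raw_size)] from the PE section table (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                             # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Hashes plus per-section entropy; flags the file as likely packed if any section is dense."""
    report = {"size": len(data), "hashes": file_hashes(data),
              "known_bad": matches_known_bad(data), "sections": []}
    for name, ptr, size in pe_sections(data):
        ent = shannon_entropy(data[ptr:ptr + size])
        report["sections"].append({"name": name, "size": size,
                                   "entropy": round(ent, 2), "packed": ent >= packed_threshold})
    report["likely_packed"] = any(s["packed"] for s in report["sections"])
    return report

# --- constructed sample (not the real brazhmqltx.exe) so the script runs offline ---

def pseudo_random_bytes(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_pe(sections) -> bytes:
    """Minimal, non-runnable PE32-shaped blob with the given (name, payload) sections."""
    e_lfanew, opt_size = 0x40, 224                       # 224 = PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, bodies = b"", b""
    for name, payload in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
        table += b"\0" * 16                              # relocs/linenumbers/characteristics unused
        bodies += payload
        raw_ptr += len(payload)
    return dos + b"PE\0\0" + coff + opt + table + bodies

LOW_ENTROPY = b"This program cannot be run in DOS mode.\r\n" * 8
HIGH_ENTROPY = pseudo_random_bytes(4096)
SAMPLE = build_sample_pe([(b".text", LOW_ENTROPY), (b".data", HIGH_ENTROPY)])

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real sample, point `triage()` at the bytes of the file; a clean compiler-built binary usually has no section above roughly 6.5 bits per byte, while a PECompact-style packed image carries one dense section holding the compressed original next to a tiny stub, which is exactly the pattern the per-section view exposes.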
~ Nexus7
Labels: malware analysis, rootkit
posted by David @ 7:59 AM
P2P Programs: The Good, the Bad, and the Kazaa-Ugly
Friday, January 12, 2007
I revisited and added some new programs to MalwareRemoval's Safe/Unsafe P2P Programs Listing. If you're a helper at a malware forum, consider looking at it and educating yourself for when you see a program in a log. Feel free to link to it -- it's used as a reference by Firetrust's SiteHound toolbar, and I'd be thrilled to see users avoid suffering the legions of adware that Kazaa installs (at least they're upfront about it), or Warez P2P's unsolicited install of LOP adware, which is a royal pain to remove.
As far as I know, it's the only list of its kind still updated every so often, and you can expect it to be kept up a lot more in the future. Many thanks to ChrisRLG for hosting the list and reminding me to keep it updated! Please contact me with any issues about it via the address on the page (Nexus7 [at] malwareremoval [dot] com), but forgive me if I miss your message, as I'm barraged with spam on that account. Better yet, leave me a comment here!
Letting loose another salvo in the war on malware...
~ Nexus7
Labels: malwareremoval, p2p
posted by David @ 9:37 PM
A Brief Interlude
You all (read: both of you) might be wondering what happened with Malwhere -- no new posts, comments, etc. Or you might not. Either way, I've been away from University on vacation, and have not had nearly as much malware work and interaction to deal with, so I've had less to comment on. Mind you, I'm a blog junkie, but of the 24 security blogs I track, there's been little of great import...
On the other hand, I've been looking at my future work with the Information Security world, and my current activities/plans/goals include:
- Continued work at my University in their Clean Room (student computer troubleshooting/repair)
- Continued work on the excellent MalwareRemoval site, and helping in the other forums I'm a trainee helper at (Spyware Warrior, CastleCops, Process Library, TomCoyote)
- Updating the MWR Safe and Dangerous P2P Application list I run
- Attaining my BS in Computer Science, perhaps with an honors thesis
- Heading to Grad School for my MS in Information Security
- Making a life out of poking my finger into the eyes of spammers, thieves, and all the script kiddies out there
1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.
The article's recommendations concern everything from learning programming languages (see also the excellent "Teach Yourself Programming in Ten Years") to social interaction all the way to learning a musical instrument (I'm not kidding). It is quite practical, and much of it is sound advice. Note that this has nothing to do with crackers, or those who use computers to commit crimes and theft. Mr. Raymond is very clear on this.
Anyway, that's a short introduction to where I'm at -- I'll also post up the results from my P2P retesting. Should be enlightening. ;)
~ Nexus7
Labels: education, forums, hacking, p2p
posted by David @ 8:33 AM