Cloudy Skies


Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how NEW this new Storm is.

Several people have taken a look at the spam-spewing samples, digging into the malware’s functionality as well as its communication, and the templates used for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has dropped the peer-to-peer portion of the code.

Atif Mushtaq at FireEye writes that these are all details he observed on a Storm variant back in 2008. So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor and the samples I ran only connected with one static IP, so I don’t think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet so perhaps this is just a rediscovery of a forgotten remnant.

Right now compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64-encoded POSTs to pass information and report in to its C&C.

As always, be cautious while online and when in doubt, don’t click.

Matt Sully
Threat Research & Analysis


Private Discussion

User privacy is of major concern to just about everyone, because just about everyone needs some level of privacy. Google, with its massive user following and array of product offerings, has a huge responsibility to keep their users’ data confidential and safe. The Google Buzz bungle is an example of how Google’s handling of private user information doesn’t always live up to expectations.

Privacy/Data/Information commissioners from 10 countries sent a joint letter to Google CEO Eric Schmidt on April 20, expressing their concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

The letter made various statements like Google Buzz “betrayed a disappointing disregard for fundamental privacy norms and laws” and that “launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.” Also included were suggested principles to be used by Google to ensure user privacy, such as “collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service” and “ensuring that all personal data is adequately protected.”

While the letter seems well intentioned, its message is a bit late to the stage. U.S. Congressman John Barrow penned his own joint letter to the Federal Trade Commission at the end of March over the same Buzz/privacy issues. Congressman Barrow’s letter cites the Electronic Privacy Information Center’s (EPIC) previously filed complaint “alleging that Google Buzz violates federal privacy law.” As a form of public response, Google issued a letter to the Federal Trade Commission regarding their policies on information privacy. In this ten page letter, Google shared their efforts to “develop products that reflect strong privacy standards and practices.” They also stated their support for “strong industry commitments to ensure transparency, user control, and security in Internet services for consumers” as well as “strengthened protections from government intrusion.”

To demonstrate a small history of various government “intrusion”, Google created the government requests page. The page maps out content removal requests and user data requests made by government agencies for the second half of 2009. The leaders in user data requests are Brazil (3663), the U.S. (3580), the U.K. (1166) and India (1061).

Also displayed on this map is every country that signed the privacy letter to Google. Government agencies from France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain, Canada and the United Kingdom all scolded Google for inadvertently disclosing personal user information, yet had prodded them for the same information months earlier.

Though data protection departments may not be the ones who made the requests, government is often looked at as a collective entity, causing some to consider these actions as hypocrisy. In the FAQ for the government requests page, Google says “the statistics primarily cover requests in criminal matters.” Does this justify cooperation from Google? When is it okay to abandon privacy for the sake of law enforcement? I don’t know. It is a difficult balance for Google and world governments in protecting both privacy and national laws.

The Electronic Communications Privacy Act (ECPA) is a key part of finding this balance. Find out more:

If you want to see what Google has on you, start with:

Matt Sully
Threat Research & Analysis


Bitdefender Gets a Bit Too Defensive

Bitdefender antivirus unwittingly released a signature update to its users on March 20th that detected and quarantined key Windows system files as malware, causing general OS failures.

Bitdefender had this statement on the news portion of their site:

“Saturday around 8:20am PST, an update that we were working on was uploaded prematurely in our servers. This update affected only products running on Windows 64-bit systems.”

The premature update caused various .exe and .dll files to be quarantined for both the Windows software and the Bitdefender software, each file detected as Trojan.FakeAlert.5.

“Consequently, for some systems, BitDefender did not run anymore, applications did not work or Windows could not start.”

This caused quite an uproar among the AV’s users as well as Bullguard antivirus users, whose software relies on Bitdefender’s engine and signatures. Though both companies have offered assistance in remediating the situation, many customers are outraged, especially when the only compensation offered to users so far has been free usage of the very software that caused the problem. A blunder like this also does nothing for the image of AV, whose credibility and effectiveness have been in question for the last few years.

Detection rates by some AV groups are often low, and the gap between the release of new malware and its detection by AV is currently too significant, allowing for the growth of large botnets like Mariposa. False alarms, especially when the flagged files are automatically quarantined, can disrupt or severely damage home user and business systems, as they did with this update mishap.

I’m sure many of the Bitdefender/Bullguard users will be jumping ship, scouting alternative antivirus software, but how will they know which one to choose and which one to trust? A lot of AV company blogs end with something like “make sure you are completely updated with the latest signatures or software versions to ensure your protection.”

Well, that’s not working for Bitdefender. What are they going to say now?

Bitdefender’s help page:

Bullguard’s help page:

Matt Sully
Threat Research & Analysis


Malware Spread Optimization

When I heard of Corey Haim‘s death, shortly after fond recollections of License to Drive and The Lost Boys cinema moments, I wondered how soon the unfortunate news would be used in the spread of malware. Well it didn’t take long. Hours after the announcement of Haim’s death, search results for his name came up with domains used to spread rogue antivirus software.

Using search engine optimization (SEO), online criminals force their malware hosting sites into higher billing slots within search engine results. Often the user travels through a series of redirection sites before the final malicious domain is contacted. This creates a level of separation from the actual malware and allows a variety of domains to be constantly created, altered, and moved around, evading detection and termination. By piggybacking on timely and highly popular topics of interest, domains referring to these topics stay in the leading search engine results. Recent topics covered in SEO campaigns include the Haiti disaster, the Olympics, the Oscars, and unnamed Facebook applications.

So why do these attacks work so well? Amazingly there is still a level of trust by users for top resulting sites of search engine queries. It is common for people to see familiar sites time and again on the first page of search results, and popular sites deemed primarily benign usually take dominant billing. Perhaps this is why folks rarely question clicking on the initial links provided by their favorite search engines. They hadn’t been burned in the past when trusting the top resulting URLs, so why should they now question the validity and intention of every suggested link? Malware is why.

I don’t always keep up with the latest events, but with a little social interaction and casual reading I hear about most events I find interesting and usually several others I don’t, all within a reasonable amount of time. When I want to receive my news from a specific source I usually go to one location online or watch Robin Meade on HLN in the mornings. (There’s no such thing as bad news when Robin reads it.) I use search engines like everyone else to gather information on various inquiries but I don’t do grab bag research, blindly clicking on any keyword matching domains. I’ve never used the “I’m feeling Lucky” button because I never felt that lucky about randomly visiting unknown domains across the internet, and I certainly don’t want to be a punk. (nod to Dirty Harry in case that was missed)

Choosing a default news site to read about all things newsworthy would seem to be an obvious point to suggest here, just as a safety precaution. However, the simple facts behind these breaking stories are not commonly what people are after. There is usually a promise of a sex tape or footage of a celebrity’s death, which can’t be found on CNN. What they can’t find on news sites is what sends users searching, which is ironic because most people only go searching for this bonus material after reading about its availability outside of regular news sites. Maybe news site restriction or loyalty would keep more users safe from attack. But then there’s always Facebook and Twitter and forums/comment/email spam to shield your eyes from as well.

When I want to know what people are searching for I go to Google Trends. I assume this is what criminals intent on spreading their malware also do. Topics that are “On Fire” and “Volcanic” are being queried the most and make for prime targets. If you want to try a little safer searching, wait for topics to cool down a little before clicking around. Even better, find a news site you trust and go there for your news. Anything outside of seeking the facts may just land you in some fire of your own.

Matt Sully
Threat Research & Analysis


Lightning Crashes


Zeus is undoubtedly one of the most prevalent malware families being used for web based criminal activity. It has compromised thousands of systems and, though an exact count is unknown, an example like the Kneber/Zeus botnet reported by Netwitness showed that one collection of infected computers consisted of “75,000 systems in 2,500 organizations around the world.” There have certainly been larger botnets concentrated on data theft, but with fluxing configurations, binaries and the domains used for hosting, the array of Zeus botnets has remained both widespread and dangerous. Then, on March 9th 2010, Zeus took a big hit to its infrastructure. The team behind the ZeusTracker project reported a significant drop in the active number of Zeus command and control servers, falling from 249 to 181 overnight. What they discovered was that the ISP Troyak (AS50215), and its dependent networks, had essentially been taken offline. These networks had been considered bulletproof hosting for Zeus domains, which means the hosting groups involved were believed to actively protect the malicious activity, ignore requests for ending it, or were otherwise assumed by their users to be a safe zone for malicious domains.

While disconnecting thousands of compromised systems from their C&C domains is a great win, though likely a temporary one, no one knows who to congratulate. Security researchers assume it was an external takedown, but no one has stepped forward to be recognized. What is even more interesting, as mentioned by Brian Krebs, is that, 11 days prior to the Troyak switch-off, spam promoting Zeus also went into decline. On February 27th, as stated in Krebs’s blog, a large Zeus spamming gang stopped sending new spam.

For now we’ll just have to wonder who is behind this mysterious crusade against Zeus. It seems unlikely that it was the work of any security group or company as it is generally in our favor to promote such efforts. Perhaps a rival gang was involved and the “Zeus killer” feature in SpyEye wasn’t enough for them, or maybe somebody just thought to quit while they were ahead. That would be a novel idea.

Matt Sully
Threat Research & Analysis

Moments after posting this, Troyak found a new upstream provider and got back online. They have since moved to yet another provider, trying to evade a second disruption of “services.” Some would say they’re on the run.


Browser Bingo

Way back in 2007 the European Commission and Microsoft began a legal dispute over competition concerns regarding Microsoft’s domination in the European user space. In December of 2009 the dialogue between the EC and Microsoft ended, culminating in a resolution that would aid in easy interoperability with various software and require Microsoft to present a browser choice to its current European users.

A large part of the agreements by Microsoft deals with browser choice for OEMs and end users on Windows 7, XP, and Vista operating systems. Starting the week of March 1st, users in 30 European nations with IE as their default browser may start seeing an introductory screen pop up on their machines. This introductory screen, only seen after installing the relevant Microsoft update and restarting their systems, will explain the purpose behind the subsequent choice screen.

The choice screen will display 12 of the most used browsers in random order, with the top 5 highest ranked browsers displayed randomly in the first positions. The idea behind the settlement is to prevent monopoly holdings for any one vendor and create a fair presentation of consumer options, but this top 5 configuration will obviously give the bigger guns a better aim at end user installation. Internet Explorer, as a major holder of the browsing community, will then always be listed in the first few slots.

So, what will user reaction be to all this? I’m guessing more confusion than anything else. Part of the update being sent out will allow IE to be turned off; it will “unpin” the IE icon from the taskbar and, where IE is turned off, “no icons, links or shortcuts or any other means will appear within Windows to start a download or installation of Internet Explorer.” (Microsoft commitments document) Then users will be given a choice to select their browser.

I know that some people need to be presented their options in a supermarket fashion, like side by side sodas in the snacks aisle, where Coke is next to Pepsi and the generic version, but I don’t think this is an ultimate solution to the problem. For the less clueful users who “just want to get on the internet”, this may just create problems. Those same users, who are now presented with a browser lineup, may not understand or try to understand what their options actually are. In all likelihood they will recognize Internet Explorer from the list given them and click on install without reading the additional information.

Users who already understand that they have a choice of browser have already made it. They don’t need any more education and, likely not having IE as their default browser, won’t see the new choice screen. Efforts like this to change bias will likely be ineffective in producing real change or raising awareness among the right people. The bias of users comes from long term ignorance, disinterest, marketing inundation, and comfort level on the internet. None of this will be reversed by what many users will just view as more pop ups.

Matt Sully
Threat Research & Analysis

Microsoft On the Issues


Buzz Words

Google Buzz is definitely the buzz word of the week and, in this industry, has been quickly put under the microscope. As a result, a cross-site scripting vulnerability was already discovered and fixed in the mobile version of the Buzz utility. I’m sure close examination will continue to reveal additional security or operational flaws in Buzz, but security minded folks were not the only active critics of the social networking tool from Google.

Initial users were upset by Buzz’s default “all inclusive” settings. These automatic features included adding yourself as a follower of those you most contact through email or chat (allowing them to automatically follow you as well), displaying all users involved in the follow-fest on your Google Profile, and instant sharing of activity on your other Google sites like Picasa and Reader. Because they put a lot of information in front of potentially a lot of people, all of these features raised a lot of concern over privacy issues. In addition, new Buzzers were disappointed with the difficulty in finding the settings options for these features, most while trying desperately to disable them.

While some may not be all that concerned, instant exposure of this information to user contacts without express permission has been more than disappointing. Some social circles are meant to be separated. Facebook users have been forced to explore this friends and family cross communication fiasco due to multi-generational interest in the social networking world. For many users this is uncomfortable at best.

Complete testing before release may have prevented the scramble for alterations that Google is now in the middle of, but the feasible protection of online privacy is the real issue here. In our efforts to connect with the world, can we expect to keep secrets or achieve selective and exclusive information sharing? When we type something into our network connected devices, can we blame anyone but ourselves when that information spreads beyond the originally intended parties?

Anonymity while on the internet is becoming progressively harder to maintain. With photo tagging and friends who gossip across Facebook, even people who never participate in social networking sites have an online profile, in a sense. While reluctant or non users are losing control over just how much the online world can find out about them, self surveillance is now commonplace. We’ve become comfortable with sharing information about ourselves and living and working online, making us vulnerable to attack over the internet and in the physical world. If the Buzzing is getting a little too close you could be in danger of getting stung.

For those interested in de-Buzzing, the links below can guide you through the process:

For those sticking with it:

Matt Sully
Threat Research & Analysis



Gumblar, the massive iframe injection attack that made and sustained front page security news in early 2009, appears to still be going strong. Only slightly altered in its approach, the ongoing attack is still injecting malicious domains into sites on a fairly large scale, each injection intended to spread malware to the end user.

Gumblar domains were previously injected into iframes of otherwise benign sites using stolen FTP credentials. The new domains are likely still injected using stolen credentials but are now produced by obfuscated scripts that generate a formulaic Russian domain. The obfuscated scripts are appended to JavaScript files and HTML files within script tags and create rather lengthy domain names.

The second level domains for these are plentiful. Amazingly, the following list is incomplete and will likely remain so with the constant generation of new redirection domains:

Though the groupings here are obviously all .ru domains, other researchers indicate countless other domains being used in the same way. Many are using dynamic DNS second-level domains (2LDs) while others have a similar structure to the domains above, only with .cn TLDs, as was the original. Others appear to have no theme and are using .cz, .dk, .de, .nl, and several other country code TLDs. The IPs behind these domains are just as widespread and varied. This list is also likely incomplete:

The full unobfuscated domains look something like this, containing popular domain name snippets in an effort to appear legitimate:

The full URLs will include file requests similar to:
:8080/ts/in.cgi?pepsi[variable numbers]

The files are designed to exploit vulnerabilities in Acrobat, Flash, and Office, and redirect to the final domain for download of the actual malware, which consistently appears to be Bredolab.

The Bredolab downloader has been tied to Gumblar from the beginning and is still being served by the malicious domains, ultimately serving up rogue AV and information theft end-goal malware. The job of the information theft malware is to grab the FTP credentials that perpetuate the whole cycle. Bredolab has also been found in mass spam campaigns since late last year, attached to emails purporting to represent DHL, UPS, Facebook, Western Union, ISPs, fake e-card senders and “potential girlfriends.”

You may have come across one like:

Subject: Facebook Password Reset Confirmation.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

The Facebook Team

If many benign sites are hosting the final malware download due to the hijacking mechanism, blocking the redirection attempts would be the best course of action. It is necessary for the owners of the hijacked sites to clean up the injected redirection domains or malicious files, and for the end user to keep their software updated in an effort to negate exploits.
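The two defensive actions above (blocking the redirect requests at the gateway, and site owners finding the appended script in their own files) can both be scripted. The following is an added example written for this post, not code from the original article or from any Gumblar research cited in it. It uses the request path given above (":8080/ts/in.cgi?pepsi" followed by digits) and the observation that the obfuscated script is appended to HTML and JavaScript files inside script tags; the log lines, file contents and domain names (example-redirect.ru) are constructed for the example and are not real indicators from the post.

```python
"""
Added example, not part of the original post: two defensive checks for the
Gumblar-style redirect described in the text.

1. proxy_hits(): flags web-proxy log lines whose request matches the
   ":8080/ts/in.cgi?pepsi<digits>" path the post describes.
2. appended_script(): flags HTML or JavaScript content that carries a <script>
   block appended after the legitimate end of the file, which is where the
   post says the obfuscated domain-generating script is being injected.

All log lines, file contents and domain names below are constructed; the
real redirect domains from the post are not reproduced here.
"""
import re

# Request path pattern from the post: ":8080/ts/in.cgi?pepsi[variable numbers]"
GUMBLAR_PATH = re.compile(r":8080/ts/in\.cgi\?pepsi\d+", re.IGNORECASE)

# Constructed proxy log lines: "timestamp client method url" (squid-like layout).
SAMPLE_LOG = """\
1268100001.123 10.0.0.12 GET http://www.example.com/index.html
1268100002.456 10.0.0.12 GET http://login-mail-example-redirect.ru:8080/ts/in.cgi?pepsi87
1268100003.789 10.0.0.20 GET http://cdn.example.org/site.js
1268100004.012 10.0.0.20 GET http://news-example-redirect.ru:8080/ts/in.cgi?pepsi1203
"""


def proxy_hits(log_text):
    """Return (client, url) pairs whose URL matches the Gumblar redirect path."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # skip blank or malformed lines
            continue
        client, url = parts[1], parts[3]
        if GUMBLAR_PATH.search(url):
            hits.append((client, url))
    return hits


def appended_script(content):
    """
    Return the <script>...</script> block that sits after the legitimate end
    of an HTML document (after </html>) or anywhere in a JavaScript file
    (where a <script> tag never belongs), or None if there is no such block.
    """
    lower = content.lower()
    end = lower.rfind("</html>")
    # For HTML only the part after </html> is suspect; for JS the whole file is.
    tail = content[end + len("</html>"):] if end != -1 else content
    m = re.search(r"<script[^>]*>.*?</script>", tail, re.IGNORECASE | re.DOTALL)
    return m.group(0) if m else None


# Constructed samples: a clean page and script, and the same with an injection.
CLEAN_HTML = "<html><body><p>hello</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + '<script>var a="abc";document.write(a)</script>\n'
CLEAN_JS = "function f(){return 1;}\n"
INFECTED_JS = CLEAN_JS + "<script>eval(String.fromCharCode(118,97,114))</script>\n"

if __name__ == "__main__":
    for client, url in proxy_hits(SAMPLE_LOG):
        print("redirect hit:", client, url)
    samples = [("clean html", CLEAN_HTML), ("infected html", INFECTED_HTML),
               ("clean js", CLEAN_JS), ("infected js", INFECTED_JS)]
    for name, doc in samples:
        print(name, "->", "appended script found" if appended_script(doc) else "clean")
```

The file check is deliberately narrow: it only flags a script block after the closing html tag, so a page that never closes its html element will produce false positives and should be reviewed by hand; the point is to find the appended block the post describes, not to judge every script on a page.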

The Pepsi Challenge
Many of the files requested on the redirect domains have something similar to

I just find this amusing, because one of the Gumblar sites reported here hosted “/rimages/coke.php”. It’s nice that we have a choice of malicious beverage and, while I prefer Coke, it seems Pepsi is the choice of the new “Rumblar” generation of domains.

Matt Sully
Threat Research & Analysis


AV Plays Catch Up

No security or AV company is equipped with a procedure, independent of hardware or personnel requirements, that can easily keep up with the daily barrage of newborn threats. Shadowserver shows they receive daily unique binaries numbering in the tens of thousands. With the mass amount of malware being created and distributed across the internet, each security company is left with the burden of being unable to “catch ’em all.”

They must then employ a prioritization method of analysis, often leaving data too long in the queue, some collecting dust. Some security companies concentrate on searching for malicious domains and IPs while others concentrate on binary identification, many using a hybrid approach. All, however, are in search of a way to efficiently label these variables as malicious or benign, trying desperately to keep pace with the release of new malware.

AV companies have of course felt the strain of keeping up with the Joneses and for fear of looking inferior have made the choice to often “borrow” the conclusions made by other AV groups.

According to this “Analyst’s Diary” entry at Kaspersky Lab, an experiment was used to show just how often AV groups rely on one another to categorize samples as malicious in order to appear up to date. From the blog:

“We created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to VirusTotal to see what would happen. After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies…”

I can’t exactly blame those copycat AV companies for trying to stay on par with others. There is constant pressure, of which all security groups are aware, to try and balance reputation, integrity, and effectiveness. Trying to avoid false positives means evil may slip by unnoticed, while avoiding false negatives means sacrifices in accuracy. A series of check systems could be put in place, but often there is insufficient detail or time for quality assurance, and delays in the conviction process detract from the goal of real-time protection.

Security researchers often collaborate in some way, perhaps only in certain circles, but we do so because each performs their own independent analysis in their own area of expertise, bringing unique input to the table. Our products should behave no differently. Only shared information that meets certain quality requirements should be used, according to the individual company’s ruleset. If a company or security product has nothing to contribute and only relies on the work of others then it has little purpose in this industry, (yet may find success with the right marketing). However, a company will struggle greatly if they dismiss or completely separate themselves from the security zeitgeist.

In recognition of this need for both dependence and originality, Defence Intelligence is working to bring security and internet architecture groups together to create something new and more complete. We want to make a product that takes a more global approach to the threats we’re facing, but also bring a confidence and purpose back to our industry that seems to have waned. A strong offence may rely on a good defence but we need both if we’re ever going to make real advancement on this battleground.

Matt Sully
Threat Research & Analysis
