The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – More on Nyxem

More on Nyxem

Published: 2006-01-23,
Last Updated: 2006-01-23 22:13:35 UTC by Bojan Zdrnja (Version: 1)

Although Nyxem is comparatively less spread then worms like Sober or Netsky, it’s still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500.000+). You can see that Nyxem.E is the top malware instance detected in last 24 hours, with more than double the occurences then the next highest occuring worm (Netsky).

This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can’t be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks as a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven’t seen in other analysis of the worm says:

“Additional Registry Changes

  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered “safe” and digitally signed.”

The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can’t trust it, but this looks like another (big) problem for the average user out there.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 24, 2006 Posted by | Antivirus News, Virus Outbreaks | 2 Comments

SANS – Internet Storm Center – New mass mailer spreading (Blackmal/Grew/Nyxem) – With updated info

I have been watching this one since yesterday.  Hopefully the information out there will be clearer now that the AV companies have had time to analyze the virus. F-Secure reports that this virus is already ranked third in their Virus Statistics at the time of this writing, so this is spreading fast.

Symantec now has a cleaner for this virus, which can be found here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

McAfee and F-Secure also have descriptions for this virus, with completely different names.

McAfee: W32/MyWife.d@MM

F-Secure: Email-Worm.Win32.VB.bi

Trend Micro is also tracking a WORM_NYXEM.E, that may be another variant of this worm, but no details are available of this writing.

Published: 2006-01-18,
Last Updated: 2006-01-18 03:15:12 UTC by Bojan Zdrnja (Version: 1)

We got several submissions of new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses) this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had attachment named Attachments00.HQX – which is actually just an uuencoded file:

begin 664 Attachments,zip                                      .SCR
M35J0“,““$““__\“+@““““`0“““““““““““““`
M““““““““““H““`X?N@X`M`G-(;@!3,TA5&AI<R!P<F]G<F%M

You can also see a typical “insert a lot of spaces before the real extension” trick.

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D – go figure!).
Seems like we’ll have to wait more for CME.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 18, 2006 Posted by | Antivirus News, Virus Outbreaks | Leave a comment

SANS – Internet Storm Center – New email virus making the rounds

Handler’s Diary January 11th
2006

New email virus
making the rounds
(NEW)

Published: 2006-01-11,
Last Updated: 2006-01-11
22:28:25 UTC by Daniel Wesemann (Version: 1)
We are currently analyzing a copy of .. something.
Attachment name “message.zip”, detection by AV is still thin to nonexistent.
When run, the code tries to pull additional files from web servers in Russia, so
if you have a chance, you might consider blocking the following TLDs on your
proxy / perimeter:1gb.ru / t35.com / hzs.nm.ru / users.cjb.net /
h16.ru

UPDATE
2200UTC: message.zip contains
a file named “Secure E-mail File.hta”, which is according to
current Virustotal output only detected by Panda and Kaspersky, the latter calls
it Worm.Win32.Feebs.k . Samples we’ve seen come in an email with subject “Secure
Message from HotMail.com user”. The HTA file is nicely obfuscated, it has 2
obfuscation functions, one being easy unescape, while the other one is a bit
more complex. Once it is executed by a user, it will run in the local zone, so
it can use various ActiveXObjects. It will try to download executables from 5
web sites (domains listed above), all of which are up and working at this
moment.

MD5 sums for the original exploit file and the two variants of
EXEs it downloads when run:
7eb24b4c7b7933b6a0157e80be74383c
Secure E-mail File.hta
9cbd9710087bff6f372b1e3f652d8f7c
feebs1.exe

983bf330aae51535c7382dc82429364b
feebs2.exe

Analysis and write-up by fellow handler Bojan
Zdrnja. Thanks! :)

SANS – Internet Storm
Center – Cooperative Cyber Threat Monitor And Alert System
.

January 14, 2006 Posted by | Antivirus News, Virus Outbreaks | Leave a comment

F-Secure : News from the Lab – Targeted WMF email attacks

F-Secure : News from the Lab – January of 2006.

Targeted WMF email attacks Posted by Mikko @ 12:17 GMT

Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today.

A new WMF exploit file was spammed to a targeted list of a few dozen high-profile email addresses.

The email urged recipients to open the enclosed MAP.WMF file – which exploited the computer and downloaded a backdoor from http://www.jerrynewsdotcom.

What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department’s security unit.

Confidential

Attached is the digital map for you. You should meet that man at those points seperately.

Delete the map thereafter. Good luck.

Tommy” title=”From: tommy@security.state.gov

Confidential

Attached is the digital map for you. You should meet that man at those points seperately.

Delete the map thereafter. Good luck.

Tommy”>

Oh yeah? And should you get killed, we will disavow any knowledge of your actions. This tape will self-destruct in five seconds…

January 2, 2006 Posted by | Antivirus News, Security News, Virus Outbreaks | Leave a comment

More WMF Exploit Info from the Internet Storm Center

Trustworthy Computing (NEW)

Published: 2006-01-01,
Last Updated: 2006-01-01 17:58:01 UTC by Tom Liston (Version: 1)

Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don’t believe has ever been said here in the Handler’s diary before: “Please, trust us.”I’ve written more than a few diaries, and I’ve often been silly or said funny things, but now, I’m being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.

We’ve received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.

Acceptable or not, folks, you have to trust someone in this situation.

To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn’t asked for your trust: we’ve earned it. Now we’re going to expend some of that hard-earned trust:

This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice – unregister shimgvw.dll and use the unofficial patch. You need to trust us.

Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes. We’ve done our best to keep you informed and to tell it like it is. Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.

On December 31st, we received word that a “new and improved” version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.

And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created. Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested “fix” ideas and the resulting patches.

I was privileged to be a part of that team, and I’m incredibly proud of everyone who participated. As it became obvious that the “fix” that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC. He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.

We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.

The word from Redmond isn’t encouraging. We’ve heard nothing to indicate that we’re going to see anything from Microsoft before January 9th.

The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

It’s time for some real trustworthy computing. All we’re asking is if we’ve proved ourselves to be worthy of your trust.

Recommended Block List (NEW)

Published: 2006-01-01, Last Updated: 2006-01-01 18:11:26 UTC by Swa Frantzen (Version: 1)

I hate block lists… maybe because I have been on the ‘wrong end’ of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 – 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 – 85.255.127.255)

The list may be updated later. We do not expect to make this a “regular feature”. But at this time we find that it is necessary to point out these particular two netblocks. They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content.

Updated version of Ilfak Guilfanov’s patch / ,msi file (NEW)

Published: 2006-01-01,
Last Updated: 2006-01-02 03:26:26 UTC by Tom Liston (Version:
2(click to highlight changes))
Ilfak Guilfanov has released an updated version of his unofficial patch for the Window’s WMF issue. We have reverse engineered, reviewed, and vetted the version here. Note: If you’ve already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed.(Note: the version information in the installation script indicates that this is version 1.2 – but it really IS version 1.3… the version info in the install script is incorrect…)

MD5: 14d8c937d97572deb9cb07297a87e62a – wmffix_hexblog13.exe
PGP Signature (signed with SANS ISC key) is
here

We have also created a .msi file suitable for unattended installation from version 1.3 of the patch. It can be downloaded from a link on this page.

MD5: ae6bb95196853843f4aceb7fca5a78ee – WindowsMetafileFix.msi
PGP signature is
here

January 2, 2006 Posted by | Security News, Virus Outbreaks | Leave a comment

SANS – Internet Storm Center – 2nd generation WMF 0day Exploit Spammed

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary January 1st 2006

2nd generation WMF 0day Exploit Spammed (NEW)

Published: 2006-01-01,
Last Updated: 2006-01-01 11:06:07 UTC by Patrick Nolan (Version: 1)
According to F-Secure’s blog today, the 2nd generation WMF exploit has been spammed and “When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com.”.Trend Micro is calling it TROJ_NASCENE.H

January 1, 2006 Posted by | Antivirus News, Security News, Virus Outbreaks | Leave a comment

Trend Micro- TROJ_NASCENE.E – Yet another WMF exploit Trojan

Come on Microsoft, where is that patch??

TROJ_NASCENE.E – Description and solution.

Description:

This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially-crafted WMF images are handled that can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:

This vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Upon successful exploitation of this vulnerability, this Trojan connects to a certain Web site and downloads a certain file. Trend Micro detects the said file as ADW_EXFOL.A.

December 30, 2005 Posted by | Antivirus News, Security News, Virus Outbreaks | Leave a comment

Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Microsoft finally releases a security advisory on the 0-day WMF exploit.

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

For full details, see the following: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution..

December 28, 2005 Posted by | Antivirus News, Security News, Virus Outbreaks | Leave a comment

SANS – Internet Storm Center – * Update on Windows WMF 0-day

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

 Handler’s Diary December 28th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 20:02:19 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie on how it looks like if a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don’t go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only refered to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive – see the F-Secure Weblog mentioned above for details.

December 28, 2005 Posted by | Antivirus News, Security News, Virus Outbreaks | Leave a comment

F-Secure : News from the Lab – Be careful with WMF files

F-Secure : News from the Lab – December of 2005.

Be careful with WMF files Posted by Mikko @ 15:30 GMT


Over the last 24 hours, we’ve seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

  Crackz [dot] ws
  unionseek [dot] com
  www.tfcco [dot] com
  Iframeurl [dot] biz
  beehappyy [dot] biz

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:

  Registrant Name: Mikhail Sergeevich Gorbachev
  Registrant Address1: Krasnaya ploshad, 1
  Registrant City: Moscow
  Registrant Postal Code: 176098
  Registrant Country: Russian Federation
  Registrant Country Code: RU

“Krasnaya ploshad” is the Red Square in Moscow…

Do note that it’s really easy to get burned by this exploit if you’re analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?
Google desktop
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.

December 28, 2005 Posted by | Antivirus News, Security News, Virus Outbreaks | Leave a comment

Follow

Get every new post delivered to your Inbox.