The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user-based attacks.

Packers, Packers, Packers for sale!

04.20.2007 - 10:06 AM
Recently, we have noticed a huge increase of files packed with custom tools. A lot of them are really simple and naive, but a few of them are highly polymorphic and use interesting tricks. We also noticed that a few totally different packers were using similar functions for very specific tasks, which could mean that a few people are working together and sharing their functions to protect malicious applications against detection. While browsing some locations looking for newly released packers, we found some interesting sites. One of them was selling a modified/hacked version of a two-year-old malicious packer, made to be sold: ...

Analysis of Malware Spread via SPAM and ANI vulnerability

04.05.2007 - 6:22 PM
We recently discovered a large email spam run that includes links to sites that are hosting ANI exploit code. Users receive an email with the subject line "Hot Pictures of Britiney Speers" that is written in HTML and has anti-spam avoidance text within the HTML comments. You can read more information in our alert at: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=764. This blog post focuses on the installed binary file: 200.exe (MD5: b017cae51e4498c309690b8936f2fa79). It is a variant of the GRUM virus.

The File Infector Component

When disassembling the malicious application, we notice the entry point instructions are meaningless, implying the use of a TLS callback to decrypt it before the entry point is actually called. This is a common technique to fool reverse engineers. The TLS callback uses a few huge loops to generate useful values to decrypt the entry point code. Once decrypted, the TLS callback exits, and the decrypted entry point kicks in.

200.exe copies itself as WINLOGON.EXE in the current user's temp directory, executes itself to remain resident, and generates a .bat to delete itself. "Software\Microsoft\Windows\CurrentVersion\Run" is modified: a new key is created whose value is the full path to the malware, so that it can run again when Windows restarts. All files referenced in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run are also infected by code appending, so that the virus restarts every time the operating system boots without adding a new registry key. Therefore, this malicious code is also an appender PE infector. See Figure 1. The virus makes a backup copy of all infected files as ".RGN" files, making disinfection a little easier.

Here is some code from the appender virus (the listing walks the PE headers to the last section header, sets the new entry point to the end of that section, and prepares the copy of the virus body):

    .rsrc:01057CEB mov edi, [esi+IDH.e_lfanew]
    .rsrc:01057CEE add edi, esi
    .rsrc:01057CF0 movzx eax, [edi+INH32.FileHeader.NumberOfSections]
    .rsrc:01057CF4 dec eax
    .rsrc:01057CF5 imul eax, 28h ; Go to last Section HEADER
    .rsrc:01057CF8 movzx edx, [edi+INH32.FileHeader.SizeOfOH]
    .rsrc:01057CFC lea edx, [edi+edx+18h]
    .rsrc:01057D00 add edx, eax
    .rsrc:01057D02 push edi
    .rsrc:01057D03 mov eax, [edx+ISH.VirtualAddress]
    .rsrc:01057D06 add eax, [edx+ISH.SizeOfRawData]
    .rsrc:01057D09 mov [edi+INH32.OH.AddressOfEP], eax ; Virus Entry Point
    .rsrc:01057D0C mov edi, [edx+ISH.PointerToRawData]
    .rsrc:01057D0F add edi, [edx+ISH.SizeOfRawData]
    .rsrc:01057D12 add edi, [ebp+var_C]
    .rsrc:01057D15 lea esi, ds:401000h
    .rsrc:01057D1B mov ecx, 227B3h ; Virus Size
    ...

Large scale compromise with ANI exploit code

04.03.2007 - 8:19 AM
This is a follow-up to our post from yesterday (see: http://www.websense.com/s...

Compromised sites using ANI exploit code

04.02.2007 - 3:15 PM
Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: ...

Automated Defacement through Search Engines

04.02.2007 - 11:09 AM
Today's Web page defacements are most often accomplished through file inclusion attacks, where the attackers exploit a vulnerability in the Web application and then inject a remote scripting file (also known as a remote shell). This allows the attackers to take control over the server and easily deface the Web site. The question is: how do they find Web applications that are vulnerable to such attacks? The answer is: by using the search engines on the Internet to do the legwork. This is not a new technique, but lately we've seen this incorporated in malicious scripts and malware. This week, I examine some of the automated tools used for Web site defacements, where the key element in the operation is the use of a search engine.

Search Engine + IRC = True

This first example shows how a malicious script uses Google for its mining process. Other search engines are commonly used as well. The process starts with a script that goes onto the Google site and injects known Google parameters to discover Web servers that contain specific Web applications. The script above targets p...

ANI Zero-Day Event Timeline

04.01.2007 - 8:42 PM
On March 27th, 2007 (11:00 PM Beijing time, 3:00 PM UTC), malware-test, a Chinese anti-virus research site, reported that a new Microsoft Windows exploit had surfaced on the web (see http://malware-test.com/blog/archives/2007/03/28/894). Several vendors had follow-up reports and Microsoft released an advisory. There have been several reports of attacks in the wild, proof-of-concept (POC) code has been released, and online toolkits are available to create your own attack code. There have also been reports of SPAM runs with embedded URLs pointing to exploit code, compromised websites, and potentially a worm propagating.

Screenshots of the original post with the fake ESPN site infection:

The exploits are using the Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability, and Internet Explorer and Outlook users are at risk of having programs launch without user interaction (see: http://www.microsoft.com/technet/security/advisory/935423.mspx). The original report to MS was in Dec, 2006...