D-Link is adding captcha support to its line of home routers. While default password lists have been abundant for many years, it was only recently that we started seeing the them implemented in malware. Last year, zlob variants started logging into routers and changing their DNS settings. It’s an interesting situation since the people who need the captcha feature are the ones who will never see it, since they won’t log in to change the default password.
“Reformat it”. That’s pretty much our default answer when someone calls us complaining of malware and viruses. Though many can be removed, it can sometimes be quicker and less frustrating just to reformat it. Some of us even have specific ways that we organize all of our files just to make the quarterly reformat go smoother. Unfortunately, reformatting may no longer be the absolute cure. Researchers have developed a piece of malware that infects the BIOS. It is un affected by reformating or flashing. This means that it is also OS independent. They tested it on Windows and OpenBSD as well as a machine running VMware Player. This is a grim sign for the future.
It seems some enterprising individual in Grand Forks, North Dakota has been placing fake parking violations on cars. If the recipient visited the URL on the flyer, they would be told to install a toolbar to view pictures of their vehicle. That piece of malicious software would then attempt to install several more. The actual vehicle pictures were from Grand Forks, but we wouldn’t be surprised to see a similar attack happen in a much larger city.
PandaLabs has identified a botnet running a malware campaign impersonating president-elect Obama’s website. The front page of the site features a sensational story titled “Barack Obama has refused to be a president”. Clicking the link will download the malware and make the target’s machine part of the botnet. They’re using fast-flux to assign the malicious domains to the massive number of compromised nodes that are hosting the actual site. The team has contacted the domain name registrar in China to get the domains removed. Using a sensational headline is not new to malware; it’s how the Storm Worm got its name.
Zero Day has an interview with German researchers who have found a way to take down the Storm Worm botnet. Their program, Stormfucker, takes advantage of flaws in Storm’s command network: Nodes that are NAT‘d only use a four-byte XOR challenge. Nodes that aren’t NAT’d are only using a trivial 64bit RSA signature. Their solution can clean infected machines and also distribute to other nodes. Unfortunately, installing software without the user’s consent is the exact same behavior as malware. Don’t expect to see this in any sort of widespread use. The researchers did point out that some ISPs have moved to shutting off service for infected customers until their machines are cleaned.
Philosecurity has an interview with [Matt Knox], a former coder for Direct Revenue, an adware company which was sued in 2006 by New York governor Eliot Spitzer. The interview contains some interesting details of how the adware code worked internally: it created a Browser Helper Object, then ensured that the Browser Helper Object stayed up by creating a poller to check every ten seconds and regenerate the Browser Helper Object if it had stopped running. The poller ingeniously masked itself partly by exploiting Windows’ Create Remote Thread function to run itself as a series of threads instead of as an executable.
The truly fascinating bit of the interview is how [Knox] defies your initial suspicion that he’s a complete scumbag; he started off writing spam filtering software, was hired by Direct Revenue to do traffic analysis, started writing tiny bits of code to improve the adware, and eventually wound up knee-deep in the code. [Knox] notes that you can get ordinary people to do incredibly distasteful things if you break those things into small enough chunks and introduce them gradually.
Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.
[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.