work


is without doubt the hands-on management aspects of the whole suites.

Every month I read news, blog posts and press releases from both vendors and independents on detection effectiveness. Sometimes this news is about the accuracy of the vendors’ signatures, sometimes about the files the signatures missed, sometimes it’s about the vendors’ brand new and shiny behavioural analysis engines. But it is almost never about the technical management features of the products. What eventually makes the news in this respect is either the new administration console that pops up every two to three years, or something failing in a spectacular fashion.

That kind of information is not as newsworthy as a remedy to the latest threat, but one thing is for sure: it doesn’t matter how good the detection ratios are if the client protections remain unmanaged, defunct or unlicensed.

Most of the time this is not a problem in larger networks where the appropriate funds and technical resources have been allocated, but when you review smaller companies or organizations (<500, sometimes larger) without dedicated security management you will often find problems.

The problems range from client communication malfunctions to management servers dropping dead for no particular reason. Often these issues require human interaction to resolve, and this in turn increases the IT services overhead. Sometimes this happens with our (Panda Security's) solutions and sometimes with other vendors’ (I consult for another company in the PCM Group and meet a lot of different environments).

I’m not saying this is the AV vendors’ fault, as it often turns out to be erroneous customer configurations and/or secondary system malfunctions (thank you Microsoft for your most excellent AD/DHCP/DNS solutions, thank you).

My point is that these problems, from a software point of view, should be a calculable risk.

People will make mistakes. People will be incompetent. People will be lazy. People will “install and forget”. People will be People. And we should be better at understanding and counteracting these factors.

The latest versions of Panda AdminSecure have some of this in functions that repair failing client protections automatically, but it surely is not enough. People should not be able to set permissions or deactivate policies that might endanger the functioning of the protection without some serious alarm bells going off. People should not be able to set up firewall policies that cripple the required communication, and thereby degrade the level of protection, without the central management console showing large red flashing screens. If a Microsoft patch does something that might disrupt, or does disrupt, the correct functioning of any server component, the management tools should be able to tell the administrators this in a reliable fashion.

Surely there are those that think that this is complete bullshit and have the “if they’re morons and fail, plz let them burn” attitude. These people are ignorant of the overall picture and do not understand the underlying problem.

If there were no unprotected clients (no protection installed, or protection malfunctioning), there would be a much smaller market for “corporate” malware creation. One effect of this is less money for the bad guys. Less money for the bad guys means they have less money to spend on maintaining and developing new malware.

And of course, less malware development => good for all.

In conclusion,

Security systems are all about reliability. How come AVs are lagging on this particular point?

Users and less experienced technicians are unpredictable, but how hard can it be? We have built engines that can detect hostile code based on behavior, why not do the same to the admins ;)

… and now have their pages full of malware infecting and object dumping <iframe>’s.

Tracking the iframes, I found a series of different servers hosting the malware and exploits; the flow is as follows:

  • hxxp://boc.sbb22.com/home/index.htm (This is the inserted Iframe)
    • hxxp://boc.sbb22.com/
      • hxxp://aa.llsging.com/ww/new82.htm
        • hxxp://aa.llsging.com/a2/haha.htm
        • hxxp://aa.llsging.com/a2/pps.htm
        • hxxp://js.users.51.la/1299644.js
          • hxxp://vip2.51.la/go.asp
        • hxxp://ww4.tongji123.com/g1.aspx?id=42916235
          • hxxp://ww4.tongji123.com/s.aspx
    • hxxp://nn.mm5208.com/nn.htm
      • Not reachable at the time
    • hxxp://xx.9365.org/
      • hxxp://5.xqhgm.com/sha1.htm
        • hxxp://5.xqhgm.com/new/1.gif (ANI exploit, loads on page).
          • Downloads and runs hxxp://1.xqhgm.com/x.exe
        • hxxp://5.xqhgm.com/new/1.htm (other exploit, not investigated)
          • References hxxp://1.xqhgm.com/x.exe
        • hxxp://5.xqhgm.com/new/2.htm
          • Not reachable at the time
        • hxxp://5.xqhgm.com/new/3.htm
          • Returns empty page
        • hxxp://5.xqhgm.com/new/4.htm
          • Tries to load hxxp://3.xqhgm.com/zs.exe as an object
        • hxxp://s30.cnzz.com/stat.php?id=658703&web_id=658703
          • Seems to be a statistics engine
        • hxxp://js.users.51.la/1402795.js
          • Not reachable at the time
    • hxxp://a.2008yi.com/hu.htm
      • Not reachable at the time
    • hxxp://acc.jqxx.org/ac.htm
      • hxxp://dfs.jfkdlirjnfirpocr.com/web/6619038.htm
        • Not reachable at the time

The primary payload of these iframed pages seems to be “x.exe” and “zs.exe”. When dumping the strings from these executables (no obfuscation used) it becomes apparent that both are droppers for a whole bunch of malware files (possibly the same files, just recompiled/packed/encrypted for AV evasion). The downloads referenced in the files were:

  • hxxp://1.xqhgm.com/1.exe
  • hxxp://1.xqhgm.com/2.exe
  • hxxp://1.xqhgm.com/3.exe
  • hxxp://1.xqhgm.com/4.exe
  • and so on up to…
  • hxxp://1.xqhgm.com/24.exe

File numbers “1” and “16” resulted in a 404 Not Found.
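As an added example (not code from the original post), here is a small Python triage script for the step described above: it pulls printable strings out of an unobfuscated dropper the way `strings` does, extracts the download URLs and defangs them in the hxxp style used throughout this post. The binary bytes and the example.invalid hosts are constructed stand-ins, not the real x.exe or zs.exe.

```python
import re
from typing import Iterator, List

# Constructed stand-in for the dropper's unobfuscated string table: printable runs
# separated by junk bytes, as `strings` would see them (not the real x.exe/zs.exe).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"http://1.example.invalid/3.exe\x00\x00\x00"
    b"urlmon.dll\x00URLDownloadToFileA\x00"
    b"http://1.example.invalid/1.exe\x00\x00"
    b"\x01\x02http://1.example.invalid/24.exe\x00"
    b"http://3.example.invalid/zs.exe\x00"
    b"http://1.example.invalid/3.exe\x00"          # same URL referenced twice
)

PRINTABLE = set(range(0x20, 0x7F))
URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?/[^\s"'<>]*""")


def ascii_strings(data: bytes, min_len: int = 4) -> Iterator[str]:
    """Yield runs of printable ASCII at least min_len long (what `strings` prints)."""
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def defang(url: str) -> str:
    """Neutralise a URL for reports: http -> hxxp and '.' -> '[.]' in the host part."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def _order(url: str):
    # Group by host, then list numeric file names (1.exe, 2.exe, ...) in numeric order.
    host, _, path = url.partition("://")[2].partition("/")
    stem = path.rsplit("/", 1)[-1].split(".")[0]
    return (host, 0, int(stem)) if stem.isdigit() else (host, 1, stem)


def download_urls(data: bytes) -> List[str]:
    """Unique, defanged download URLs found in a binary's string table."""
    found = set()
    for s in ascii_strings(data):
        found.update(URL_RE.findall(s))
    return [defang(u) for u in sorted(found, key=_order)]


if __name__ == "__main__":
    for u in download_urls(SAMPLE_BINARY):
        print(u)
```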

“23.exe” seems to be the same malware that I found some time back (see this post). As said in that post, the main infector does not want to run in my sandbox. Because of that I have not yet been able to get the pcihdd.sys rootkit component, as I do not have a computer to “waste time restoring” at the moment. If someone would like to infect themselves, contact me for a sample ;)

Another thing linking this infection to the other that I found is the use of the same stats engine, hxxp://s30.cnzz.com/.

Cheers and stay safe !

WARNING: PANDA SECURITY CENTRIC / ANGRY RANTING POST -> See “About this blog”. ;)

Earlier on this month a potential “bug/security implication/design flaw/non-issue?” (the definition is not totally clear in this particular case) was reported to Panda Security by the security firm n.runs.

The issue at hand is that if a RAR-file header is formatted in a specific way, the contents of the archive cannot be analyzed by the antivirus kernel and as such might pass through perimeter defenses and actually be written to disk. Due to WinRar being extremely tolerant to illegally formatted archive headers (steganography someone?) this archive can still be opened with WinRar.

However, if the archive is extracted or if a file is run from it, Panda will have no problem catching it with either the signature based engine or the behavioural analysis engine. Of course there is also the possibility of us not being able to detect the malware, but then why evade us? Our perimeter products would also catch these kinds of files if not reconfigured from the default (content filter -> Files with inconsistent format, extension or MIME type). However, if these settings have been changed, I see the attack vector more clearly. And of course, even if this is correctly configured it is not good that something can possibly slip by the signature engine.
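An added example, not Panda's scanner and not the n.runs proof of concept: a Python check in the spirit of the perimeter products' “files with inconsistent format” rule. It walks the RAR 4.x block chain and reports any header whose CRC or size does not agree with the bytes, so a filter can quarantine an archive it cannot parse instead of passing it through unscanned. The specific malformation n.runs reported is not reproduced; GOOD and BAD are constructed samples.

```python
import struct
import zlib
from typing import List

MARKER = b"Rar!\x1a\x07\x00"   # RAR 4.x marker block (CRC 0x6152, type 0x72, flags 0x1a21, size 7)
LONG_BLOCK = 0x8000             # HEAD_FLAGS bit: a 4-byte ADD_SIZE (data length) follows HEAD_SIZE
BLOCK_NAMES = {0x73: "archive", 0x74: "file", 0x7A: "newsub", 0x7B: "end"}


def header_crc(header: bytes) -> int:
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field."""
    return zlib.crc32(header[2:]) & 0xFFFF


def check_rar(data: bytes) -> List[str]:
    """Walk the block chain after the marker; an empty list means the headers agree with the bytes."""
    problems: List[str] = []
    if not data.startswith(MARKER):
        return ["no RAR marker block at offset 0"]
    pos = len(MARKER)
    while pos < len(data):
        fixed = data[pos:pos + 7]
        if len(fixed) < 7:
            problems.append(f"truncated block header at offset {pos}")
            break
        crc, btype, flags, hsize = struct.unpack("<HBHH", fixed)
        name = BLOCK_NAMES.get(btype, f"type 0x{btype:02x}")
        min_size, add_size = 7, 0
        if flags & LONG_BLOCK:                       # block carries data after the header
            min_size = 11
            if len(data) >= pos + 11:
                add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if hsize < min_size:
            problems.append(f"{name} block at offset {pos}: HEAD_SIZE {hsize} too small")
            break
        header = data[pos:pos + hsize]
        if len(header) < hsize:
            problems.append(f"{name} block at offset {pos}: header runs past end of file")
            break
        if header_crc(header) != crc:
            problems.append(f"{name} block at offset {pos}: HEAD_CRC mismatch")
        if btype not in BLOCK_NAMES:
            problems.append(f"unknown block {name} at offset {pos}")
        if pos + hsize + add_size > len(data):
            problems.append(f"{name} block at offset {pos}: data runs past end of file")
            break
        pos += hsize + add_size
        if btype == 0x7B:                            # end-of-archive block
            break
    return problems


def make_block(btype: int, flags: int, body: bytes) -> bytes:
    """Build one block with a correct HEAD_CRC (used only to construct the samples below)."""
    rest = struct.pack("<BHH", btype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


# Constructed sample: marker, an archive header with its 6 reserved bytes, end block.
GOOD = MARKER + make_block(0x73, 0, b"\0" * 6) + make_block(0x7B, 0, b"")
# Same bytes with one reserved byte of the archive header flipped: its HEAD_CRC no longer matches.
BAD = GOOD[:14] + bytes([GOOD[14] ^ 1]) + GOOD[15:]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD), ("truncated", GOOD[:-3])):
        print(label, check_rar(sample) or "consistent")
```

The point for a perimeter filter is the decision on a non-empty result: a tolerant unpacker may still open such a file, so the filter must block it rather than skip it.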

This issue being reported is not a problem to us. It is a good thing and it enables us to provide better protection as we eliminate potential bypass vectors. What is a problem though (not only for us I think) is irresponsible disclosure. You can see Pedro’s thoughts about this here, but I’d like to share some of my own views as well.

As Pedro points out, most of the security problems reported to Panda by researchers or security companies are handled seriously and in a timely manner. This was also the case this time. In return for the diligence in response time and issue resolution, we do expect the reporting party to follow common policies for public disclosure, especially if the discussion and investigation of the flaw is still in the lab. This is for several reasons including (but not limited to) the security of our customers, the security of our customers (yeah, I wrote that twice), the continued cooperation with the security community in these issues and the open communication style used in these cases.

What n.runs did next while this issue was being investigated and its impact clarified was to publicly disclose the issue complete with technical details. As pointed out in this post by Kurt Wismer there are other issues with the document, but I’ll try to stay out of that discussion. I do however recommend reading his post as he is making some very good points not only in the article but also in the comments that followed.

The timeline for this issue was described in the Panda Research blog as:

Nov. 6: n.runs initial vulnerability report and PoC to Panda
Nov. 7: Panda acknowledges receipt and starts investigating
Nov. 13: n.runs publicly discloses Panda as vulnerable
Nov. 16: Panda sends comments on vulnerability and PoC to n.runs
Nov. 16: n.runs responds to Panda comments (fails to mention the issue is already public)
Nov. 21: Panda sends final response to n.runs

I understand that if you do not have a final response from the vendor in a reasonable time (that being no less than two months once initial contact is established), you might want to release an advisory or two highlighting the issues to pressure the vendor to provide a fix, but come on. That was surely not the case here.

Anyways, after seeing this behaviour I can’t help but wonder what motivated this line in their presentation referenced above:

“The solution developed by n.runs under the code name “ParsingSafe” will build on and work together with the customer antivirus products that are already in place or that are planned to be put in place ….. Based on this, the antivirus vendors are very important technology partners for our solution. The goal of the customer is still primarily to have the highest rate of virus recognition possible …..”

Could someone please explain to me how prematurely disclosing an issue like this can help our customers have “the highest rate of virus recognition possible” because I do not get it. Of course, the statement was regarding the goal of the customer. Not n.runs.

Whatever, my own opinions are probably just being clouded by me working with security professionally for such a long time. I remember back in the days when I was a kid and me and my “31337 h4×0rcr3w” threw out our newfound vulnerabilities as soon as we even saw a whiff of them. That was fun :)

Point made. Have a nice night :)

Last week I held an on-demand seminar at a company in Stockholm, Sweden.

This is my retelling of that seminar. I wrote this down mostly for my own sake, to learn and to see the areas in which I had to improve in order to be clearer to the non-technical people on the receiving end of my message.

The CTO of the company had asked us to help him educate his users on their responsibilities when it comes to keeping a network secure, and what potential harm they could cause themselves and the company if not doing so.

This is the never-ending problem: educating users. So how did I go about re-inventing the wheel?
I started out by presenting six simple questions and statements:

  • Do you think that the information in your home computer is valuable?
  • Do you think that your home computer is adequately protected from viruses and other kinds of malware?
  • Do you think that the information in your work computer is valuable?
  • Do you think that your work computer is adequately protected from viruses and other kinds of malware?
  • Is the statement “There is less malware today than two years ago” true or false?
  • Is the statement “There is less risk for getting infected now than two years ago” true or false?

I asked the participants to consider the questions and statements and keep their answers in their head. Of course, they might have understood that a person from an anti-malware vendor might have a hidden agenda in these questions ;)

After this I presented some of the results from an internal study which concludes that most users of our anti-malware solutions think that the last two statements are true. That is, they think that there is less malware in the world and that there is less risk of getting infected now than two years ago.

I then went on to talk about how this is fundamentally wrong and backed that up with the statistics from PandaLabs and the recent “InfectedOrNot” survey of home users’ computers. I did not mention the corporate study, but if you are interested you can find both of these on Panda Security’s Research blog.

This study (of home users) is based on 1.5 million PCs that were scanned with the online service www.infectedornot.com between May and July 2007. Among other things it concludes that, of all scanned computers with a running and up-to-date antivirus, almost 23% have active malware on their system. That is almost 1 in 4.

Why is this? Well, one thing that is largely responsible for this situation is the change in the objective and goal of malware today. Just a couple of years ago there were no banking or credit card logging trojans, no spam-enabling botnets etc. Back then it was all about fame for the author, and that made it very easy for us antivirus guys. Today we are seeing a lot of new malware pop up, and a large amount of it is created with only one goal in mind: financial gain for the creators. And as we all know, where there is money coming in there is money spent, and what we are seeing today are professional malware writers making a business out of it. They have business plans and whole development cycles, and they spend a lot of resources on pumping out variations of their goods to avoid the anti-malware radar. The “Storm worm” is a good and quite obvious example of this.
Of course this flood of variations of the same malware creates a lot of strain on our (Panda Security’s) and other vendors’ virus labs and forces us to either become selective or to have a huge backlog of malware. Up until recently this was the situation for us.

We have had to adapt to this situation more and more during the last couple of years and we are finally catching up thanks to several things. First, we have increased the amount of automated processing and minimized the human factor in malware analysis, and second, we have created and implemented new technology that helps us proactively detect and report potential threats (TruPrevent). Other new technology such as our “Collective Intelligence” also helps in detecting new malware families at an early stage.

Anyway, the end result of this massive onslaught of new modifications is that we (all security vendors) are bound to miss at least one, which in many cases leads to a user being compromised in one way or another.

Now I turned the focus to where the real impact is, and that is: who is the target and who is the victim?

As the motivation behind the malware has changed, it is more than ever the actual user behind the keyboard that is the target. It is her information, her payment cards, her banking info and it is her computer that the malware authors want to use in DDoS attacks and other criminal activities.

This is very important for the average user to understand because if they do not, they will not think before they act and fall prey for the criminal gangs of the digital world (OMG, that sounded like a SecurityFocus line ;) hehe).

OK, so what can the user do to secure his computer against these different kinds of threats? Well, as a start you (the user) should make sure that the following four bases are covered:

  • Check that your computer is up to date
  • Check that you have an anti-malware solution installed
    • And turn on all protection modules, they are there for a reason
  • Check that your anti-malware solution is up to date
    • If it’s not, it is almost useless
  • Check that you have a firewall installed
    • If not included in your anti-malware, use XP/Vista’s built-in firewall

However, as I mentioned in the start of this article, there will be things that can slip through. So what do we do next? How do we protect ourselves from threats that even the largest companies that offer protection cannot touch? Many times this is just a matter of:

Sound reason & Knowledge

I then went on to illustrate what sound reason is when you browse the internet, use your e-mail and use communities or instant messaging. In this section I talked about issues such as attached files or file transfers from unknown users or senders, and why you should not just click Yes/I Accept/Next without reading and seriously considering why you are asked. I also discussed the social issues and identity security issues posed by sites like MySpace and in particular Facebook. You know, the real essentials of this whole seminar: what you really, really should not do when being asked to do something, and to use your sound reason.

And then we have the “Knowledge” part. How do you teach a user to behave in a secure way and recognise indicators of foul play in 10-15 minutes? Quite hard, wouldn’t you say? ;) I reasoned like this: knowledge is part experience and part theory. If you have seen someone get their machine infected in some way or another, then it is highly unlikely that you will repeat the same mistake (or… hopefully it’s “highly unlikely”). So I decided that the best way to teach users what to avoid was to actually show them some of the warnings they should pay special attention to and also demonstrate some social engineering tricks used by malware today.

One of the examples that worked best was a login page for a large Swedish bank which I had modified to “ring alarm bells” by faking an invalid SSL certificate. I named that slide “The internet banking service - Find the error”.

No one was able to spot the error.

And I was even using Vista, which showed the whole address bar in red with a big “Certificate Error” shield at the end. Anyhow, I went on to tell them why this was a bad thing, and from now on they are probably going to pay more attention to these kinds of errors.

Another example that seemed to make some people shift around in their chairs was the Storm worm’s Halloween spreading mechanism with the dancing skeleton, especially after I explained what Storm was designed to be used for (credit card gathering, spam, DDoS, well… everything). As I saw their reaction I even threw out an old classic a colleague of mine told me to say: “They can even turn on your webcam and see what you do in the room”. Heh… yeah… I know, a bit evil, but it fit perfectly into my talk and they seemed to get the point now.

Now there was not very much time left, so I finished off with a recap of the questions from the beginning and also spent a short slide on the corporate aspects. If they as private persons could suffer such financial loss and make it easier for others to conduct criminal activities, what could happen if their work computers, or computers that they connected to their workplace with, got compromised? I asked them to consider the following possible implications of this kind of intrusion:

  • Money. Large amounts of money. Either through direct loss or industrial espionage.
  • Money. In the form of work-hours needed to clean up a widescale infection (including specialist help)
  • Brand and Reputation. The damage caused by their network spreading malicious software or distributing confidential client information.
  • Their personal freedom, as in the restrictions put on their browsing, messaging and other aspects. There are probably some checks on this today, but how will that change after an intrusion? Upper management will want to restrict as much as possible to prevent this from happening again.

Yes, I know the last one is kind of a moot point (as everything should already be locked down), but I needed to give them a personal connection to the trouble that could be caused, and -oh my god- what if they cannot access their Hotmail one day ;)

And then I finished off with the “The End - Questions?” slide and took some of them. What was interesting about the questions was that a lot of them were about the fake codecs that I had discussed in my “Sound Reason” section. I did not expect this to be so prominent, as most infections we receive through the support line have entered through the web browser with the help of security vulnerabilities or other means; we almost never hear anything about the fake codec angle (good thing?/bad thing? :)). But I guess that Sunbelt Software is really doing a good thing drumming on about the sites that are advertising those.

Ok, that was it. I would really like any comments that you might have, so please drop me a line at: daniel(dot)nystrom ( a ) icmpecho(dot)com!

I was doing some digging in Google a couple of days back and found an iframe which led to a site distributing a downloader:

hxxp://w.mh8888.cn/ad.htm?a

This page in turn loads almost 10 pages and scripts from different servers, including one that uses a vulnerability in Internet Explorer to download and install a downloader (it hooks itself into Internet Explorer as a BHO). If I did not use a vulnerable browser, nothing happened. Many links inside the scripts relate to the domain “cnzz.com”. Anyone have more info about these guys?

Anyhow, the dropper file’s name was “get.exe”, and that in turn downloaded another file called “det.exe” which was placed in C:\Program files\Internet Explorer\det.exe.

When this file was run by get.exe (btw, it would not run in my sandbox:/ ), it started downloading and installing a driver called pcihdd.sys, placing it in c:\windows\system32\drivers\ and making the required system modifications to run. It also modified the file c:\windows\system32\userinit.exe. At the time of detection I only got a handful of “related to”, “modification of” or “suspicious file” responses from http://www.virustotal.com.

The .js files responsible for the infections were obfuscated by simple encoding routines and then run through eval() statements. The binaries themselves had obfuscated only some of their internal strings; others were left unchanged. One of those strings was a link to an Asian site (hxxp://ilove.com/ttt.cer) disguised as a dating site.
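As an added example (not code from the original post): a Python script that statically unwraps the eval(unescape(...)) pattern described above without ever running the script, and lists the iframe targets found in each decoded layer. SAMPLE_JS and its example.invalid target are constructed, not the scripts from this infection.

```python
import re
from typing import List, Optional

STR = r"""(?:"[^"]*"|'[^']*')"""          # a JS string literal without escapes
IDENT = r"[A-Za-z_$][\w$]*"
EVAL_CALL = re.compile(
    r"eval\s*\(\s*(?:unescape\s*\(\s*(" + STR + r")\s*\)|(" + STR + r")|(" + IDENT + r"))\s*\)"
)
IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample in the shape described above: the real content is hidden behind a
# simple %XX encoding in a variable that is only handed to eval() at run time.
SAMPLE_JS = (
    'var _0x=unescape("%3Cifr%61me%20src%3D%22http%3A%2F%2Fw.example.invalid'
    '%2Fad.htm%3Fa%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E");'
    "eval(_0x);"
)


def unescape_js(s: str) -> str:
    """Decode what JavaScript's unescape() accepts: %uXXXX (UTF-16 unit) and %XX."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _resolve_eval_arg(script: str, m) -> Optional[str]:
    """Return the text eval() would run for one matched call, or None if it cannot be resolved."""
    if m.group(1):                         # eval(unescape("..."))
        return unescape_js(m.group(1)[1:-1])
    if m.group(2):                         # eval("...")
        return m.group(2)[1:-1]
    name = re.escape(m.group(3))           # eval(name): look for name = unescape("...")
    assign = re.search(r"(?<![\w$])" + name + r"\s*=\s*unescape\s*\(\s*(" + STR + r")\s*\)", script)
    return unescape_js(assign.group(1)[1:-1]) if assign else None


def decode_eval_layers(script: str, max_layers: int = 5) -> List[str]:
    """Statically unwrap nested eval(unescape(...)) layers; nothing is executed."""
    layers: List[str] = []
    for _ in range(max_layers):
        m = EVAL_CALL.search(script)
        decoded = _resolve_eval_arg(script, m) if m else None
        if decoded is None:
            break
        layers.append(decoded)
        script = decoded
    return layers


def defang(url: str) -> str:
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def iframe_sources(script: str) -> List[str]:
    """Defanged iframe targets found in the script and in every decoded eval() layer."""
    seen: List[str] = []
    for text in [script] + decode_eval_layers(script):
        for url in IFRAME_SRC.findall(text):
            if url not in seen:
                seen.append(url)
    return [defang(u) for u in seen]
```

Call decode_eval_layers(SAMPLE_JS) to see the single decoded layer and iframe_sources(SAMPLE_JS) for the defanged target; scripts that build the payload with string arithmetic or fromCharCode are outside what this pattern resolves and would still need a sandboxed run.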

All files collected, including the scripts, have been reported to the AV vendors and should be included by now.