Domain: lurhq.com
Stories and comments across the archive that link to lurhq.com.
Comments · 82
-
They got the wrong Dan?
It's possible that there is more to this than what I have divined from the 'uber-secret-vendor-only' disclosure but this seems to be little more than traditional cache poisoning with random-number-generator (RNG) prediction. Both of these situations have been well known and documented within the security community for a number of years.
Cache poisoning was predicted long ago by Dan Bernstein (as mentioned by a previous poster or two)[1]. (Nobody listens to me either, DJB.) The combination of this and RNG prediction was wrapped up nicely by Joe Stewart in his 2002 (I think) paper [2]. Joe used Michal Zalewski's free TCP/IP sequence number prediction software [3] to visualize random number generator attacks on DNS responses from various resolvers. The paper is well worth a look if you made it through the last sentence and are still reading this one.
Incidentally, Paul Vixie (BIND author) posted a potential fix to this (or a surprisingly similar) problem to the Namedroppers mailing list at the end of February [4]. Time will tell whether the two events are connected.
This whole saga appears to be another case of 'marketing department run amok' but we'll have to wait for the BlackHat presentation to find out if all of this is just regurgitated previously ignored security advice.
[1] http://cr.yp.to/djbdns/dns_random.html
[2] http://www.lurhq.com/dnscache.pdf
[3] http://razor.bindview.com/publish/papers/tcpseq/vseq.tgz (currently down)
[4] http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg00378.html -
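The race the comment describes (guess the resolver's transaction ID, or predict it from a weak generator, before the real answer arrives), as an added Python example that is not part of the original post or of the papers it cites. It models a blind attacker spraying distinct guesses against a 16-bit TXID (and against TXID plus a random 16-bit source port), and a predictive attacker who has observed the previous ID from a sequentially numbered resolver; the resolver models, the seed and the counts in `main` are assumptions for illustration.

```python
import random
from typing import Callable, Iterator, List, Optional, Tuple

TXID_BITS = 16  # width of the DNS transaction ID


def race_success_probability(entropy_bits: int, forged_per_race: int, races: int) -> float:
    """Closed form for a blind attacker.

    Per race the resolver draws one value uniformly from 2**entropy_bits
    (TXID alone, or TXID plus random source port) and the attacker lands
    forged_per_race replies with distinct guesses before the real answer.
    Overall success = at least one of `races` races hits.
    """
    space = 2 ** entropy_bits
    p_race = min(forged_per_race, space) / space
    return 1.0 - (1.0 - p_race) ** races


def expected_races(entropy_bits: int, forged_per_race: int) -> float:
    """Mean number of races until the first successful spoof."""
    space = 2 ** entropy_bits
    return space / min(forged_per_race, space)


# --- resolver models (assumed for illustration) ---------------------------

def sequential_txids(start: int = 0x1234) -> Iterator[int]:
    """A resolver that simply increments its TXID: trivially predictable."""
    i = start
    while True:
        yield i & 0xFFFF
        i += 1


def random_txids(rng: random.Random) -> Iterator[int]:
    """A resolver drawing each TXID from a 16-bit uniform generator."""
    while True:
        yield rng.getrandbits(TXID_BITS)


# --- attacker strategies ---------------------------------------------------

def predictive_attacker(last_seen: Optional[int]) -> List[int]:
    """Attacker who saw the previous TXID (e.g. by making the resolver query a
    name server they control) and bets a single reply on 'last + 1'."""
    if last_seen is None:
        return [0]
    return [(last_seen + 1) & 0xFFFF]


def blind_attacker(rng: random.Random, forged_per_race: int) -> Callable[[Optional[int]], List[int]]:
    """Attacker with no prediction: sprays forged_per_race distinct IDs."""
    def guess(_last_seen: Optional[int]) -> List[int]:
        return rng.sample(range(2 ** TXID_BITS), forged_per_race)
    return guess


def simulate(resolver: Iterator[int],
             attacker: Callable[[Optional[int]], List[int]],
             races: int) -> int:
    """Run `races` poisoning attempts; return how many the attacker won."""
    wins = 0
    last_seen: Optional[int] = None
    for _ in range(races):
        txid = next(resolver)
        if txid in attacker(last_seen):
            wins += 1
        last_seen = txid  # the attacker learns each ID once the race is over
    return wins


def random_resolver_outcomes(seed: int, races: int, forged_per_race: int) -> Tuple[int, int]:
    """(predictive wins, blind wins) against a 16-bit random resolver."""
    rng = random.Random(seed)
    predictive = simulate(random_txids(rng), predictive_attacker, races)
    blind = simulate(random_txids(rng), blind_attacker(rng, forged_per_race), races)
    return predictive, blind


if __name__ == "__main__":
    races, k = 1000, 200
    print("blind, 16-bit TXID only:        P=%.3f, mean races to win %.0f"
          % (race_success_probability(16, k, races), expected_races(16, k)))
    print("blind, TXID + random port (32): P=%.2e, mean races to win %.0f"
          % (race_success_probability(32, k, races), expected_races(32, k)))
    print("sequential resolver vs predictive attacker:",
          simulate(sequential_txids(), predictive_attacker, races), "wins")
    pred, blind = random_resolver_outcomes(2002, races, k)
    print("random resolver vs predictive attacker:   ", pred, "wins")
    print("random resolver vs blind attacker:        ", blind, "wins")
```

The numbers make the comment's point: with only a 16-bit ID and a couple of hundred forged replies per race, a thousand races gives a near-certain hit (mean time to success a few hundred races), while adding a random source port pushes the mean into the tens of millions of races; and a predictable generator needs no race at all, which is what the RNG-prediction papers are about.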
Re:Yawn
Actually it's been around on the order of two and a half years - http://www.lurhq.com/grams.html
-
Link to the original paper
More technical version:
http://www.lurhq.com/mocbot-spam.html
There are more interesting papers on lurhq's site:
http://www.lurhq.com/research_threat.html
-ft -
Re:malware-free system?
The actual quote in my analysis is "unless you are a malware expert..."
Running a liveCD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after it's been released.
Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.
-Joe -
Re:ummm
LURHQ
"You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."
-
Hmm?
From lurhq:
"Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password."
Does anyone else find this funny? =P -
Actually, the author is even more stupid
-
Re:News That's Old, Stuff that's Stale
-
Many Aliases and More Info
For references, these are the enumeration names and where to go to make sure you have the latest anti-virus signature. Remember, this variant will uninstall and delete most anti-virus software so it's important to recognize it before it goes active tomorrow. Most virus definition software refers to it as CME-24. This is important since this worm has many different names including Nyxem.E, BlackWorm, Grew and Mywife.E.
More on the worm and its permutations and statistics on spreading.
A very detailed analysis with all types of files that may be affected.
And, if it's worth anything to you, the Microsoft advisory which seems to tout that Windows Live Safety Center Beta can protect against it. If you're in charge of computer security at your workplace, I would send out an e-mail instructing everyone to verify that they have the correct anti-virus definitions and to scan their computers before leaving tonight. Luckily, that's not my job where I work. -
Missing the point
This virus is very likely a POC and an advance guard to hold doors open for future infection or botnets.
As stated by others already, LURHQ has distribution stats. http://www.lurhq.com/blackworm.html US infections only number about 5% of total. Peru and India have most of the worldwide population of this. (this is ip-based, and may not be reliable.)
I haven't seen another mention, but SANS Storm Center has been following this - and actually has made an offer to sysadmins to share info. They limit the info they will give; if you can reasonably establish that you are the RP for a network or subnet - they will send you a list of known infections in your IP range. They have already sent out notice messages to admins of record (whomever the abuse or tech contact is currently on the whois lookup) using a script. [Check the ISC pages if you really want to know - I don't want to flood them by posting a direct email link here.]
Referred to in the SANS/ISC history on this http://isc.sans.org/blackworm and previous pages - Fortinet has done extensive analysis. This virus has several actions. Most folks already know it deletes files, breaks AV software, and spreads over Windows shares. What hasn't seen much daylight is that it drops a bunch of registry entries that grant "trusted" status to the virus. http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856 I'm not an expert on this mechanism - but I'd assume that any machine with these "bad" trusts in place could easily be compromised later using code that is authenticated against these bad keys.
I read M$' page on this virus, http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2FMywife.E%40mm as well as a few AV pages. None mention these keys, so I would assume they don't fix this problem.
Any system that has been infected and then cleaned will probably retain these falsified certificates. This leaves a big hole in place, while some users (even the " all your AV is updated hourly folks.. return to your seats" IT guy) - will have a false sense of security on this.
Thankfully, many AV programs discovered this virus heuristically. (see links to LURHQ & others) McAfee, Panda, NOD32, and several others identified and blocked this virus without needing a signature update. This may be why we don't have 2 million AOL/Comcast sheep spreading the virus.
This should serve as a strong reminder to backup religiously, use defense-in-depth, and enforce strong registry policies when Windows systems are implemented. -
Re:Is it really as widespread as claimed?
Have a look at LURHQ's stats for this worm. The short answer is, the 300,000 infections are mostly in non-US countries. India shows the highest infection rate.
-
Re:Package install - whats the problem?
A result of a quick google search: http://www.lurhq.com/reverseengineering.html
Please stop talking since you're getting more and more off topic. -
Re:Coincides has the same root as Coincidence
Is there a long history with this virus writer/group?
Two years now and no end in sight.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:Coincides has the same root as Coincidence
Actually, to further the theory of coinciding dates, now that I look at my notes, the logic in the worm is more specifically "start spreading after 68 days after October 29". October 29 is the birth date of Joseph Goebbels, Reich Minister of Propaganda.
-Joe
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:Coincides has the same root as Coincidence
Given his use of the worm to spread neo-nazi-type propaganda in the past, it's likely that he is indeed a neo-nazi or sympathetic to the cause. However, one thing I've determined from my analysis of the worm is that the download date isn't scheduled to occur until Friday, January 6. The logic in the code is actually "check if date > Jan 5", not "check if date == Jan 5". So then there might not even be a correlation OR a coincidence.
-Joe
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Sad, really
This is probably going to re-occur now that a precedent is set. Prepare for every new PHP exploit that comes out to be bundled with Slapper like this. It will probably become the Rbot of the Linux world.
Even more sad, the AV companies couldn't even detect that this was 95% Slapper code! C'mon, the kiddie who released this didn't even strip the debug symbols much less pack it in any way.
With that said, my writeup of the worm is here:
http://www.lurhq.com/slapperv2.html
Includes some previously unreleased facts about who wrote most of the code recycled in Slapper and in Lupper.
-
Read: Spam
And of course a flood of spam will follow this like night follows day. This has been going on for some time; LURHQ wrote up some good articles about the virus/spam connection: Sobig.a and the Spam You Received Today, Sobig.e - Evolution of the Worm, and Sobig.f Examined.
-
Re:Use and Entropy Pool RNG
others will point out that the entropy estimation is really hard to do
It is not a religious issue nor is (p)rng quality evaluation hard to do - see some other comments here for the test suites involved and how even /dev/random still rates poorly on those tests. People who are serious about the quality of their random numbers evaluate their prng output continuously with multiple statistical tests. See the VIA documents which evaluate the entropy per bit for their onchip hardware rng system.
And the quality of one's prng code can have real world consequences. Do you think that Sun, Cisco, SGI, BIND et al intended to create code that looked so spectacularly lame in the plots and output such easily guessable sequences? Developing high quality rng related code is not easy and the code must be tested to determine the quality. -
Re:Not good enough?
-
Re:/dev/random and /dev/urandom fail uniformity te
Thank god. Please mod parent up, so people will stop suggesting
/dev/*random.
Can you comment on a few other random topics?
Have you used the Diehard tests and if so, how do you feel they compare to the 800-22 tests you used.
What do you think of the tests attempting to show anomalies in random number generation around the time of significant (to humans) events?
Do you think the type of test used on prngs in this paper could add any value to the tests you are already using? -
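Two of the SP 800-22 tests that these two comments refer to (the frequency/monobit test and the runs test), implemented in Python as an added example that is not code from the page or from the commenters. The streams it scores are constructed here: `os.urandom` output, a 3:1 biased stream and a perfectly alternating one; the 0.01 significance level is NIST's default, and the formulas follow the SP 800-22 definitions.

```python
import math
import os


def bits_from_bytes(data: bytes) -> str:
    """Render a byte string as a '0'/'1' string, most significant bit first."""
    return "".join(format(b, "08b") for b in data)


def monobit_p_value(bits: str) -> float:
    """SP 800-22 frequency (monobit) test.

    S_n = #ones - #zeros; s_obs = |S_n| / sqrt(n); P = erfc(s_obs / sqrt(2)).
    A P-value below the significance level means the ones/zeros balance is
    too far off for the stream to be called random.
    """
    n = len(bits)
    if n == 0:
        raise ValueError("empty bit string")
    s_n = bits.count("1") - bits.count("0")
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits: str) -> float:
    """SP 800-22 runs test: is the number of runs what a random stream gives?

    Spec pre-condition: the proportion of ones pi must satisfy
    |pi - 1/2| < tau = 2/sqrt(n); otherwise the runs test is not applicable
    and the stream has already failed, reported here as P = 0.0.
    """
    n = len(bits)
    if n == 0:
        raise ValueError("empty bit string")
    pi = bits.count("1") / n
    tau = 2 / math.sqrt(n)
    if abs(pi - 0.5) >= tau:
        return 0.0
    # V_n(obs) = number of runs = 1 + number of positions where the bit flips
    v_obs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def evaluate(bits: str, alpha: float = 0.01) -> dict:
    """Run both tests; map test name -> (P-value, passed at significance alpha)."""
    results = {}
    for name, test in (("monobit", monobit_p_value), ("runs", runs_p_value)):
        p = test(bits)
        results[name] = (p, p >= alpha)
    return results


# Constructed sample streams (not data from the page):
BIASED_STREAM = "1110" * 2500       # 75% ones: fails monobit outright
ALTERNATING_STREAM = "10" * 5000    # perfectly balanced, but every bit is its own run


if __name__ == "__main__":
    for label, stream in (
        ("os.urandom (40,000 bits)", bits_from_bytes(os.urandom(5000))),
        ("biased 3:1", BIASED_STREAM),
        ("alternating 0101...", ALTERNATING_STREAM),
    ):
        print(label)
        for name, (p, ok) in evaluate(stream).items():
            print("  %-8s p=%.6f  %s" % (name, p, "pass" if ok else "FAIL"))
```

The alternating stream is the case worth noticing: it sails through monobit (exactly half ones) and is destroyed by the runs test, which is why a single test is never enough and the comment's "multiple statistical tests, continuously" is the right posture. For a full picture you would add the remaining 800-22 tests (block frequency, longest run, DFT, and so on) and the Diehard or TestU01 batteries mentioned in the thread, and apply them to many sequences rather than one.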
Re:Wow
Yep, I cringed when I saw it too. The other posters' comments about reporters are right on - you can talk for 15 minutes and give them a clear picture of the issue, but they'll pick the most impacting statements instead of the ones that explain it. And if you happen to say something that sounds fucktarded out-of-context, you can rest assured you'll see that quote in the article
:)
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:a fix
Yes, simple steps as in reverse-engineer and write a decryptor for it. I've already done this, in fact.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:Wow
Yes, funny funny. In context, though, you have to know the question the reporter asked me, which was, "Do you think this software was a test, or do you think it was malicious?"
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:a fix
It's not a command in the trojan that decrypts the files, it's a program the trojan author sends you after you send him $200. However, the encryption is trivial and just about any reverse-engineer could write a decryptor for you.
-Joe
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:Djdns to the rescue?
bind 8,9 and djbdns
original
update
You might want to check out some of his other stuff, too - http://lcamtuf.coredump.cx/ -
Re:SANS vs. the rest of the security community.
I wrote this article about the source and motivations of the attack (also mentioned by the Washington Post blog), so SANS is not the only security organization talking about it. But there's a reason you're not hearing alarm bells all over.
Basically it comes down to this - the attack was used to hijack searches for pay-per-click engines. It was done in the most obvious way and got a lot of attention. If they had been smarter, they would only have redirected defunct sites instead of cnn.com and the rest of the .com TLD.
Now that the cat is out of the bag, people are watching for the traffic, so a second, more malicious attack probably won't see nearly as much success. So there's no reason to panic - it's a 4-year-old vulnerability as it is, and fixed by a simple registry edit. Most people will be unaffected by it.
-Joe
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
DNS cache poisoning...
Jesus, this has been going on for years! cache poisoning
-
Re:A few points
> This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
If you think that's clever I guess you never heard of Phatbot.
Not that there's anything clever about writing these sorts of viruses, though.
-
Re:Mailers?
Worms need not be benign in order to propagate and destroy. The Witty worm probably infected within 45 minutes every vulnerable machine which was exposed on the internet and powered up at the time -- and then wrecked them.
The Spread of the Witty Worm
Witty Worm Analysis -- LURHQ
A hybrid worm/mass-mailer-virus could have the best of both worlds -- lying "dormant" for a while on filesystems, in email systems ready to infect any systems that wake up late in the day -- even after it's destroyed the bulk of the vulnerable Windows systems on the net. If it were further hybridized with worms that can be delivered as adware/spyware it would crawl down browsers, bypassing both your firewall and your antivirus program, and then spew itself out via email and network probes to infect the soft candy center that exists at the heart of most networks. We've seen worms that do each of several very clever things. A worm that does all of them won't be stopped in time on today's networks.
If Witty had exploited LSASS instead of a second-tier firewall product, people in Hawaii would have woken up that morning to a Windows-free world. Kinda like the computer version of 28 Days Later where we *NIX users would be wandering around a nearly-empty internet wondering, "where did everybody go?" (Well, OK, most of us would be wondering, "Why is my network connection so fast today?")
It could happen with the next buffer-overflow exploit in anything on Windows that listens on any of the ports that we all know and loathe. A Witty/LSASS worm would have destroyed a significant percentage of the Windows systems in the world within two hours. I am left with questions.
Would managers of IT shops continue to act as though Windows insecurity isn't a problem?
Would Microsoft be able to get the CERT advisory revised a couple days later to strike the recommendation that customers consider using a more secure system?
If the world keeps licking the Microsoft Windows Tootsie Pop, eventually we're gonna know how many licks it takes. -
Re:More damaging.
> It has been a while since a virus actually *did* something real bad to screw a user.
Well, not exactly. You are forgetting the witty worm which appeared in march this year.
-
Re:A list of sites
Yahoo, Earthlink and Ebay are not spreading the trojan; they are just the targets for the phishing the trojan performs. Sites like Kelly Blue Book and BuyMicro were actually spreading the trojan through compromised IIS servers.
My writeup of the trojan and the incident is here:
-
Re:Sent back to creator?
> If it is sent back to the creator, wouldn't that make it easy to find the creator? It doesn't sound like the brightest idea.
Earlier worms used IRC channels, which could be monitored. A version of Agobot known as Phatbot creates a little P2P network which can be controlled with the correct password. This would be very hard to trace. -
Re:I wonder if we can settle a small question
LURHQ's analysis says that the code to exploit the LSASS vulnerability came from houseofdabus. who posted it to BugTraq. Given that exploit code, it would be pretty trivial to make Sasser...
-
Phatbot is not a derivative of Sasser
> considering Phatbot is a Sasser derivative
Who told you that? I've analyzed both, and there is no relation between them at all in terms of code. The source code to Phatbot is public, and the compiled binary is around 250-300K as opposed to Sasser's 15K. Maybe you're thinking about Phatbot being a derivative of Agobot.
My writeups of both can be found here:
http://www.lurhq.com/phatbot.html
http://www.lurhq.com/sasser.html -
Phatbot capabilities
Phatbot is insanely well-written. A while ago I read a web page about what Phatbot can do:
- Exploits all kinds of vulnerabilities.
- Sniffs network traffic for usernames and password.
- Steal IRC operator passwords.
- Can kill many other viruses and anti-virus software.
- Can steal CD keys for popular games.
- Can steal AOL passwords.
- Can harvest emails for spam purposes.
- And more.
Whoever made Phatbot sure put *a lot* of work into it.
More details at: http://www.lurhq.com/phatbot.html
Also contains instructions to manually remove it from an infected system. -
Re:Immense power.
You speak the truth. Consider the existence of trojans like phatbot, which spread by exploiting poor administration practices (weak admin account passwords, weak MS-SQL sa account passwords, etc), the back doors opened by netsky, bagle, and mydoom, as well as every major windows vulnerability announced in the last two years.
Blaster brought networks to a standstill by exploiting one vulnerability. This thing has the potential to wreak some serious havoc. In fact, imo if so many admins hadn't gotten burned by blaster, this worm's impact would have been much worse. Regardless, this trojan and its variants could easily be modified to become worms (such build in an algorithm to self-propagate and voila) and could bring every network running windows machines to a standstill.
Learn to swim. -
More information on the Witty Worm
You can find more information here.
-
Re:Virus Solution - Been done.
Someone did this just recently. Meet Phatbot.
From the page:
What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).
Granted, it's not intended to do file swapping per se (the P2P bit is a control vector intended to upload crap like spam relays), but it'd be trivial to point the shared folder to "My Music". Bingo. You're P2P, and it's not your fault.
It's Microsoft's. And wouldn't it be a hoot to watch the RIAA go after them demanding they plug the security holes that make this possible.
;^)
-Weaselmancer
-
Incorrect analysis?
According to this analysis, it does a lot more than corrupt the first few sectors of the drive:
The worm's functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
(emphasis mine)
-
This is an interesting one, almost biological
From LURHQ
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."
Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.
It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. It's like a true disease, a terminal illness for computers (pun not intended).
I think this will be with us for a while, particularly when mutations start showing up.
-
Probably an autoproxy, not a virus
I was analyzing something very similar around October of last year when I worked here. They probably aren't installing a virus, per se -- more like an autoproxy which they will use to send spam or install more malware (e.g., to steal passwords or credit card numbers).
All the vulnerabilities mentioned in the article have been known for quite some time. Liu Die Yu's Unpatched IE vulnerabilities page documents several of these in detail, with exploit examples. (Note that some of the links on Liu Die Yu's site may result in popups, ironically.)
When I took a look at it, the proxy flavor of the month was most commonly referred to as ap216.exe (the filename is irrelevant, obviously). A good description of it is here, in the context of its use in a phishing scam.
Note that everything done in this attack will blithely go through most firewalls -- almost all connections are initiated from within the network. Firewalls are an increasingly inadequate means of protecting users from organized and motivated attackers. IMO, any network admin who doesn't run deep-packet inspection firewalls, intrusion prevention, or security-minded filtering application proxies is asking for it.
Sure, someone could write something to quietly delete all the files on your hard drive. I'm sure he'd rather have all the spam your machine can send, or all the money from your bank account.
phil -
Re:DoomNet...
Vesser was discovered before Doomjuice, but if you look at the PE timestamp header, you see that Deadhat/Vesser was compiled on Tue Feb 4 06:23:59 2003, while Doomjuice was compiled on Tue Jan 27 06:22:58 2004. While the PE timestamp field can be easily edited, these dates are probably accurate in my opinion. So, Doomjuice can't be considered a copycat of Vesser.
My writeup of Doomjuice: http://www.lurhq.com/mydoom-c.html
-
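Reading the PE timestamp that the Doomjuice comment above relies on, as an added Python example that is not part of that comment or of the LURHQ writeup. The header layout is the standard one (DOS header `e_lfanew` at offset 0x3C, the `PE\0\0` signature, then the COFF file header whose `TimeDateStamp` is a 32-bit Unix time); the `build_minimal_pe` helper fabricates a header-only stand-in for a real binary so the example runs offline, and the timestamp used in `main` is chosen to reproduce the Doomjuice date quoted in the comment.

```python
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Walk: 'MZ' DOS header -> e_lfanew (uint32 at 0x3C) -> 'PE\\0\\0' ->
    COFF header {Machine:u16, NumberOfSections:u16, TimeDateStamp:u32, ...}.
    Every step is bounds-checked so a truncated or hostile file raises
    ValueError instead of reading garbage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return timestamp


def pe_timestamp_utc(data: bytes) -> str:
    """Human-readable UTC form in the ctime-like style used in the comment."""
    ts = pe_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a real binary (assumption, not a file from the
    page): a DOS header pointing at a PE/COFF header with the given timestamp.
    It is not loadable; it only exercises the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
                       0,           # NumberOfSections
                       timestamp,   # TimeDateStamp
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       0,           # SizeOfOptionalHeader
                       0x0102)      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    sample = build_minimal_pe(1075184578)  # constructed: 2004-01-27 06:22:58 UTC
    print("TimeDateStamp: %d -> %s" % (pe_timestamp(sample), pe_timestamp_utc(sample)))
```

On a real sample, pass the file's bytes (`pe_timestamp(open(path, "rb").read())`). As the comment notes, the field is trivially editable, so treat it as one hint among several: corroborate it with the debug directory and Rich header, the sample's first-seen date, and any Authenticode signing time, and remember that toolchains building reproducibly may store a hash rather than a time in this field.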
Re:Not really MyDoom.C
Regardless of how many functions changed, it is a variant in the sense that it came from the same source tree, as opposed to DeadHat, which is from completely separate source, yet similar in spreading functionality.
The name MyDoom.C came from me, since I was the first to post an analysis of it at http://www.lurhq.com/mydoom-c.html
The AV companies decided to rename it because it isn't a variant by their strict definition. Apparently in the AV world, a variant doesn't even have to be by the same author, as long as it is very similar.
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ -
Re:Silly Fools....
Most of the spam does NOT come from the US.
It DOES. It's only RELAYED through foreign computers.
Professional American spammers set up boxes and rape relays outside of the US to avoid being linked with the originating IP of their spam.
Some of the best known spammers are known to have hired servers at Asian and Third World providers. And then there are the current waves of mail viruses that turn the victims' computers into spam relays, also with the primary intention of setting up a network of spam relays to hide the spam's origin.
But most of the professional spammers DO operate from North America. Look up the listings on Spamhaus.
(And yes, we in Europe have the same problem. There is a Swiss professional spammer who has set up his computers in South America and a German spam gang using computers in Holland and Eastern Europe. It's easy to hide your tracks that way. But the spam DOES originate in Switzerland and Germany, it's only RELAYED through other countries.)