Slashdot Mirror


When Malware Attacks Malware

PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"

28 of 135 comments

  1. that's... by User+956 · · Score: 3, Funny

    When Malware Attacks Malware

    You get total protonic reversal.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:that's... by geeksdave · · Score: 3, Funny

      OK important safety tip.. thanks Egon..

  2. Stronger malware by eviloverlordx · · Score: 5, Insightful

    It just means that, in a few years, all of the malware will be significantly harder to kill. All of the weaker 'species' will have been driven to extinction (via changes in coding). It had to happen eventually. We may even see 'anti-viral resistant' strains.

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
    1. Re:Stronger malware by frosty_tsm · · Score: 2, Informative

      We may even see 'anti-viral resistant' strains.

      Uh, don't we already see this?
    2. Re:Stronger malware by morgan_greywolf · · Score: 5, Funny

      No way. Malware is made by an Intelligent Creator. It is what it is. Intelligent Malware Design is just as good a theory as Malware Evolution.

  3. A New Variation of Life... by __aaclcg7560 · · Score: 5, Funny

    So is there going to be a screen saver that will show the good and bad malware attacking each other as the computer keeps waving a white flag?

    1. Re:A New Variation of Life... by $RANDOMLUSER · · Score: 3, Funny

      Yes, the rival malware attacks are Germany and the Soviet Union and the Windows PC is Poland. Mac would be England and Linux is the United States. If this was a World War II scenario.
      You were a math major, right?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  4. Old News by 140Mandak262Jamuna · · Score: 4, Funny

    The well known malware Internet Explorer has been attacking another well known malware WinXP for quite some time. So why get worked up about these obscure ones?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. It begins by inviolet · · Score: 4, Interesting

    Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware.

    Thus begins the ecology of internet software. CPU cycles are simply too valuable (en masse) for one piece of malware to share with others.

    Eventually, look for malware to get better and better at rooting out rival malware in order to take its place. As well, look for malware to be more cautious about consuming host resources, lest it get noticed by a user or antivirus package.

    It's no different than Earthly biology. We think nothing of the colossal number of parasitic microorganisms currently hitching a ride on our metabolism. Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?). Symbiosis carries major advantages along the lines of "division of labor". How many years before real symbiosis is realized among internet-connected computers?

    It would also evolve the antivirus landscape. The "OMG sterilize all machines!!!1!" mantra would change into a more relaxed problem: calculate the most efficient amount of CPU cycles to allocate among the competing tasks of:

    • detect malware through behavior analysis (the current cutting edge)
    • detect malware through recognition scanning (the tried and true way)
    • tolerate malware as long as it doesn't eat up too much CPU

    That's how our bodies do it, anyway.

    --
    FATMOUSE + YOU = FATMOUSE
    1. Re:It begins by Anonymous Coward · · Score: 2, Informative

      Ummmm... well right idea, wrong microorganisms!

      Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?).

      The stuff in yogurt is Lactobacillus acidophilus.

      The stuff you DON'T want in your (upper) GI is Escherichia coli.
    2. Re:It begins by AeroIllini · · Score: 3, Insightful

      That's an interesting analogy, and I agree that malware will get consistently more advanced, eventually creating mutatable (and thus evolvable) strains that will evade anti-malware programs without the intervention of the programmer.

      However, there's a rather glaring flaw in the analogy, and it's this: in the biological world, the various bacteria that live in or on us do not have purpose. They are simply life forms, doing the things that life forms do (which is eat, shit, and make babies) in an environment that suits them. If they end up overrunning that environment and making us sick, it's not because they wanted to make us sick. If our bodies happen to be the perfect environment for them, and they happen to eat things in a way that is beneficial to us, it's not because they decided to help us out. They are just being bacteria. Symbiosis and infection are merely products of parallel evolution and happy coincidence.

      In contrast, malware is written by people, and people do have motives for the things they do. Bacteria don't do this; they just do their thing with the eating and the shitting and the baby-making, and any macroscopic results are not due to the decisions of the bacteria.

      Malware is written with purpose. That purpose could be to show the user ads, or participate in a botnet, or collect spammable email addresses, or whatever. But saying that anti-virus programs will ignore the "harmless" malware overlooks the fact that there is no harmless malware. There doesn't exist any malware that's going to go to the trouble of infecting your machine and propagating, and then not do anything. No one would program one. That means that all malware is either black hat (adware, botnet, spyware, etc.) or white hat (attacks other malware). Even if it's not using CPU resources, it is doing some other damage, such as annoying the user or enabling spam (in the case of black hat) or violating the freedom of a user to choose what software they have installed on their machine (in the case of white hat). Either way, all malware should be cleaned by anti-malware programs. In the world of software programmed by people, there's no such thing as harmless piggybacking.

      ****
      Note: I am aware of the parallels of my argument with Intelligent Design. It was not my intent to start a flamewar.

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
  6. ... doing what? by Savage-Rabbit · · Score: 4, Funny

    And the Dept of Homeland security is doing what? exactly! Trying to figure out who to bomb?
    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  7. In Soviet Russia by Trivial_Zeros · · Score: 2, Funny

    In Soviet Russia, malware attacks... malware?

  8. If they'd just fix each other... by queenb**ch · · Score: 5, Funny

    Will someone please write a worm that 1) turns Windows Update on, 2) turns the Windows Firewall on, 3) turns off the keyboard & mouse ports for Windows 3.1, 95, 98, and ME machines thus forcing the retarded end users running on these platforms to upgrade, 4) installs ClamWIN and scans the hard drive, 5) installs SpyBot Search & Destroy and scans the hard drive, and 6) administers an electric shock to the aforementioned retarded end user for not taking care of this themselves?

    If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog. I don't see why your computer gets to the do the same thing on the internet with such impunity.

    2 cents,

    QueenB.

    --
    HDGary secures my bank :/
    1. Re:If they'd just fix each other... by Tony+Hoyle · · Score: 4, Informative

      I wouldn't use Spybot - it's getting kinda out of date now, and doesn't detect some of the worst ones. I've *never* seen Windows Defender successfully detect a spyware infestation - it's 100% useless.

      I recently had to fix a machine that was declared 100% clean by Spybot, Hijackthis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a virtumundo variant... the checker (forget the name) recommended by the hijackthis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in realtime.. you *can't* delete it manually). That's now in my machine fixing arsenal for the next time I see it.

      Makes me wonder how many of the bleats that 'my machine is clean therefore it must be blizzard being hacked' posts on the Wow forums have variants of similar crapware on there.. and they've fallen into the trap of believing the scanners despite the overwhelming evidence to the contrary.

      * And that was a machine without IE on it and fully patched.. the thing apparently got on in a trojanned version of Acrobat Reader.

    2. Re:If they'd just fix each other... by kabocox · · Score: 5, Informative

      I've found some things that you asked for, but not all. I don't know how to string them all together. ClamWin and SpyBot both say that they'll run from a boot CD. I didn't find any easy to follow admin install instructions for them. Mainly everything else is some reg files. I didn't find anything on keyboard or mouse ports of earlier versions of Windows. I also didn't find anything about how to shock users. In the spirit of open sourceness, I expect someone else to actually do the real work of building a self installing zip file of ClamWin & Spybot, setting your fav. reg. settings, and having all of them autorun after a shutdown -r. I know that "it should be possible." I don't know enough Windows scripting in order to do it.

      net stop wuauserv

      Start -> Run -> gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Re-prompt for restart with scheduled installations. They hid it well but it's there :^)

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      "RebootRelaunchTimeoutEnabled"=dword:00000000
      "NoAutoRebootWithLoggedOnUsers"=dword:00000001

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoDevMgrUpdate value to 0

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

      Set these to "not configured"
      * Windows Firewall: Protect all network connections
      * Windows Firewall: Do not allow exceptions
      * Windows Firewall: Define program exceptions
      * Windows Firewall: Allow local program exceptions
      * Windows Firewall: Allow remote administration exception
      * Windows Firewall: Allow file and printer sharing exception
      * Windows Firewall: Allow ICMP exceptions
      * Windows Firewall: Allow Remote Desktop exception
      * Windows Firewall: Allow UPnP framework exception
      * Windows Firewall: Prohibit notifications
      * Windows Firewall: Allow logging
      * Windows Firewall: Prohibit unicast response to multicast or broadcast requests
      * Windows Firewall: Define port exceptions
      * Windows Firewall: Allow local port exceptions

      http://sourceforge.net/docman/display_doc.php?docid=28367&group_id=105508

      Preparation

      Start by installing the latest version of ClamWin, and download the latest virus definitions. See the ClamWin manual for full details on how to do this. Note that, if you are going to create a CD, you will not be able to update the virus definitions without creating a new CD, since a CD is read-only.
      Copy Folders

      Create a working folder in a convenient location to hold the files that are to be copied onto CD/USB, eg C:\ClamWin-CD.
      In the working folder, create a folder named ClamWin.
      Copy the contents of the ClamWin program folder into C:\ClamWin-CD\ClamWin. By default, the ClamWin program folder is installed to C:\Program Files\ClamWin
      Create folders named log, db and quara
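
    An added, read-only audit of the registry policy values kabocox lists above (this is example code, not part of the post or of ClamWin/Spybot). It assumes an elevated PowerShell session on the machine being checked, and treats "not configured" for the firewall policies as the absence of any values under the WindowsFirewall policy key.

```powershell
# Added example: audit the registry policy values the post above sets by hand.
# Read-only; it changes nothing. Assumption: the machine uses the Policies hive
# paths exactly as quoted in the post, and the session is elevated.

$AuKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$FwKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# "key|value" -> the DWORD the post writes. Anything else, or a missing value, is a mismatch.
$Expected = @{
    "$AuKey|RebootRelaunchTimeoutEnabled"  = 0
    "$AuKey|NoAutoRebootWithLoggedOnUsers" = 1
    "$ExplorerKey|NoDevMgrUpdate"          = 0
}

function Get-PolicyValue {
    # Returns the DWORD stored at $Path\$Name, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-UpdatePolicyAudit {
    # One row per expected value: where it lives, what the post sets, what is actually there.
    foreach ($entry in $Expected.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|', 2
        $actual = Get-PolicyValue -Path $path -Name $name
        $actualText = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Key      = $path
            Value    = $name
            Expected = $entry.Value
            Actual   = $actualText
            Matches  = ($null -ne $actual -and $actual -eq $entry.Value)
        }
    }
}

function Get-FirewallPolicyResidue {
    # "Not configured" in gpedit means no value exists under the policy key, so any value
    # still present under WindowsFirewall (or its profile subkeys) is enforced by policy
    # and overrides whatever the local firewall UI shows.
    if (-not (Test-Path -Path $FwKey)) { return @() }
    $keys = @(Get-Item -Path $FwKey) +
            @(Get-ChildItem -Path $FwKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

Get-UpdatePolicyAudit | Format-Table -AutoSize
$residue = @(Get-FirewallPolicyResidue)
if ($residue.Count -eq 0) {
    'No Windows Firewall policy values present: all firewall policies are "not configured".'
} else {
    "Firewall policy values still configured ($($residue.Count)):"
    $residue | Format-Table -AutoSize
}
```
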

    3. Re:If they'd just fix each other... by dosquatch · · Score: 2, Informative

      4) installs ClamWIN and scans the hard drive,

      What, install by force a package without a realtime scanner 'cause the user can't be bothered, and then think they'll bother doing manual scans? Methinks you've suffered an oversight...

      I've taken to suggesting AVG to all of my friends and family. Free, autoupdates, realtime scanner, scheduled daily full scan. Routinely outperforms both Norton and McAfee in lab catch tests. Otherwise, I'm all for your list.

      --
      "Hey, the third matrix movie would have been good except for the plot, story, and acting." --AC
    4. Re:If they'd just fix each other... by dosquatch · · Score: 2, Informative

      I wouldn't use Spybot - it's getting kinda out of date now, and doesn't detect some of the worst ones.

      Spybot regularly updates both signatures and detection methods. No, it's not perfect, but I've yet to meet the perfect scanner. I find that a combined dose of Spybot, AdAware, and a good AV program does a very good job of keeping Windows systems clean.

      --
      "Hey, the third matrix movie would have been good except for the plot, story, and acting." --AC
    5. Re:If they'd just fix each other... by MaufTarkie · · Score: 2, Informative

      I recently had to fix a machine that was declared 100% clean by Spybot, Hijackthis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a virtumundo variant... the checker (forget the name) recommended by the hijackthis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in realtime.. you *can't* delete it manually). That's now in my machine fixing arsenal for the next time I see it.

      I'll give you this advice for free: rename HijackThis. You'll see your Virtumundo in the O2 and O20s. In fact, that's good advice any time you want to see what's on a system. Rename it to a random name, most malware look for a specific executable name and hide themselves.

      Also, you can remove Vundo manually w/o a BSOD; you just have to know a few tricks and it's not trivial. There are free tools out there that will do this automatically after you know what the load points are.

      --
      Without you I'm one step closer to happiness without violence.
    6. Re:If they'd just fix each other... by that+this+is+not+und · · Score: 2, Interesting

      It could also be said that it's the ISP's fault, for letting machines 'shout' all over the net on ports not ordinarily used by typical end users.

      Now, I know that it disturbs people to talk like this, but the aforementioned 'dumb' Windows end user doesn't need more than a few ports open for connection to his/her machine.

      So if draconian measures are being bandied about in this thread, maybe anything but Port 80 should be blocked at the ISP at 'the last mile' connection by default. Need anything more, 'by special request' is the way it goes. Why should security be deployed at the end-user level if it's to protect 'a whole network'? That begs any rogue operator to be able to wreak havoc at the client level, i.e. the way things are now.

      Go ahead and rant, all you folks running 'servers' on your brother's old 486 box in the basement.

  9. Re:Easy to kill by maxwell+demon · · Score: 3, Insightful

    Given that today's ROMs are typically flash, how long until some malware just reflashes it? This would also allow the malware to take control even before the OS boots up.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  10. Little known facts by UnknowingFool · · Score: 2, Funny

    Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.

    What isn't generally reported is that Peacomm uses "Your momma's so fat" insults in the DDOS attacks. By far the most devastating and hilarious DDOS this year.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  11. It's more than that by httptech · · Score: 3, Interesting

    I'm the author of the technical writeup detailing the attack on the rival spam group. But the only reason I was investigating the DDoS attacks launched by the Storm Worm/Peacomm/Nuwar is due to my own site being attacked after I detailed the pump-and-dump stock spam operation of the Rustock trojan. It is getting riskier to publish research on viruses and spam. I believe since spammers were able to take out Blue Security by DDoS attack, they are getting bolder in who they target. There's no downside for them.

  12. Re:Ulimate Vulnerability! by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    Regardless of the operating system or the applications which run upon it, the ultimate weakness at the end of the day lies upon the end user. You can only secure a system to a certain point until the user begins losing functionality, until the end user becomes more educated...well expect to see evolution in Malware.

    Your comment is factually correct, but also very misleading. Users are the hardest element to harden in the chain of security, but right now they are by no means the weakest link. The OS development community and security research community could easily eliminate 90% of all malware and reduce the amount of education needed for a user to safely use a computer to a tiny fraction of what they need to know now, if Windows were modified to be secure and deal with the realities of the malware ecosystem.

    Right now, even in Vista, the granularity of security is piss poor. You have three levels: 1) don't run software, 2) run software, and 3) run software and enter your password. This is wholly insufficient. Further, the UI used to present these levels is abysmal. I don't mean bad, I mean abysmal. Whether MS hires the worst UI people in the world or whether they hire good people and their decisions are overridden by marketing and management, the end result is horrible from a UI/security perspective.

    If I was running the show at MS and had a shred of human decency and respect for innovation in the industry this is what I would create. First, applications both included and third party now have a new format that is contained within a single directory including temp space for writing files and what is now a DLL. It would optionally include an ACL, one or more certificates for verification of the origin and binary, and location for updates. Based upon the certificate, users would be given the option to subscribe to verification services that provide a trust level for a given application and MS would provide the same. The trust level for an application would be determined by the consensus of verifications applied and the weight given them by the user and if it is pre-installed, downloaded, or loaded from CD or DVD. Based upon that trust level, the application would be restricted by a mandatory access controls framework to obey the ACL that shipped with the program combined with the ACL for that trust level (with the default being to restrict the application more stringently). If any application wanted to exceed that ACL, the user would be presented with a very strongly worded warning, explaining exactly what it wanted and presented via a good UI with no OK/Cancel crap.

    This means if a user downloads some program via IM or the Web and if they run it the OS will look at the included ACL and cert and see what permission it wants and who will certify it as trustworthy, if anyone. Then, if it tries to exceed its authority, the OS will present a warning such as, "The program 'Storm' is not verified as trustworthy and would like to connect to the internet on a port normally used for sending instant messages. (Stop it from sending messages)(let it send messages once)(always let it send messages)(advanced options)."

    If the user lets it send IM messages it can spread, but do nothing else. They also have to explicitly let it connect on other ports and access other resources if it is to be useful to a spammer or DoS user. Since almost all software on most machines is pre-installed and since most other software will be verified by at least one other party, these messages will be exceptionally rare and thus stand out as important and weird to users. Even if the attacker uses a buffer overflow to take over a thread, their malware will still be limited by the ACL for that originating application, so if they want to send spam they better find a buffer overflow in your e-mail client specifically.

    When such a system is implemented the required user education will be a manageable level, a hour long class instead of a master's degree in computer technology. Then, if a user stil

  13. Popular spinoff by physicsboy500 · · Score: 2, Funny

    I vote they make a spinoff of Robot Wars

    I can see it now...

    Malware wars... watch rival malware rip each other apart!

    "Oh my god, Malwarior just executed an amazing kill maneuver!"

    "It looks like Spymaster is only hanging on by a thread!"

    "Oh... and he's done for. Spymaster is terminated... add him to the hexdump!"

    --
    The original generic sig.
  14. Re:OS? by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    The real problem is security models that assume very few levels of security. Either you install it and it can hose your machine and kill babies, or you don't run it and don't know if it was malware or not. That's just crazy. Back in the day MS Word used to pop up a dialogue box and say something along the lines of "this .doc file contains macros that may be viruses (ok)(cancel)." I knew a manager who offered $1000 to anyone who could add a button that said "open the file but don't let it infect my computer with anything." The problem, aside from the terrible UI, was the control was not granular enough. Sometimes people want to run software or open a file, but don't want to trust it with their computer security for all time. Software should run in a sandbox by default. The inconvenience of having to explicitly allow my new e-mail program to send e-mail, once, is worth it if I know no other software I download will ever send any e-mail or access my address book until I explicitly permit it. Some executable that shows up in my e-mail or over IM should never, ever, be granted that permission by default. Until MS gets their head out of their butt and realizes that, we'll suffer from this crap.

  15. hasn't... by Anonymous Coward · · Score: 4, Funny

    Hasn't norton a/v been doing exactly this for years? Malware, fighting malware? :)

  16. Two wrongs make a right? / Swordfish by Zantetsuken · · Score: 2, Insightful

    I'm not really sure, and depending on how vicious this is, but sometimes maybe 2 wrongs do make a right... For those of you who haven't seen the movie "Swordfish" they pretty much use terrorism to dissuade other terrorist actions. Perhaps this type of virus/worm/etc could be a good thing for us, that for most virus/worm/spam creators it will become such a pain in the ass to wreak their havoc, it won't be worth it for them (would you keep intentionally making/distributing virus/etc if it meant you got DDoS'ed so hard your server melts every month, costing you money on hardware?)

    But then again, perhaps 2 wrongs don't make a right...