Sunday, April 29, 2007

Trust that content?

The ISC and Fergie's Tech Blog are both reporting that Microsoft was the target of a defacement. Someone who calls him/herself Cyber-Terrorist hit the website at ieak.microsoft.com. The server is not actually hosted by Microsoft, but it does sit under Microsoft's domain. The defacement archive Zone-H shows an image of Bill Gates with pie on his face and the statement 'Owned by Cyber-Terrorist --Cyb3rT--'

Normally I don't find website defacements newsworthy, however this is a great example of how even trusted websites can be compromised and made to serve hostile code. Had this been a bank's site, the attacker could just as easily have injected code into every page served and captured whatever visitors typed into it. High profile sites like the Dolphin Stadium site, in the run-up to Super Bowl XLI, have been used to infect visitors without their knowledge. It's not a stretch to suggest legitimate downloads could be replaced with trojaned versions the same way.

Please be cautious when visiting websites and entering details about yourself. Does the site you're visiting really need the information they're asking for? If not, I see no harm in falsification.

When downloading applications online, verify the MD5 or SHA1 hash if the author published one. Bear in mind that a hash fetched from the same server as the download proves nothing if that server is what was compromised, since the attacker can replace both; a hash or signature published out of band is worth more. Run every download through an antivirus engine, trusted source or not.

-----------------------------

A Shadowserver team member who uses the handle DigitalNinja has written an excellent whitepaper on identifying malware using fuzzy hashing. While I don't usually approve of whitepapers by authors who won't identify themselves by their real name, this paper is pretty decent. The techniques aren't new; in fact this was a hot topic at last year's Defcon convention in Las Vegas. I'd like to see more research done in this area.
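To make the technique concrete, here is an added example, not code from the paper or from Shadowserver: a cut-down context-triggered piecewise hash in the style of ssdeep/spamsum. A rolling hash over the last 7 bytes decides where block boundaries fall, so an edit only disturbs the block it lands in; each block contributes one base64 character; two signatures are scored by edit distance after requiring a common 7-character run, which is what keeps unrelated files from scoring above zero. The block size selection, hash constants and 64-character target length follow spamsum; comparing only signatures with equal block sizes is my simplification, and the 4000-byte samples are constructed from a seeded PRNG rather than real malware.

```python
"""Minimal context-triggered piecewise hash (CTPH) in the style of ssdeep/spamsum.

Added example, not the whitepaper's or ssdeep's code. Sample data is constructed.
"""
import random

WINDOW = 7            # rolling-hash window, as in spamsum
SIG_LEN = 64          # target signature length; drives block-size selection
MIN_BLOCK = 3
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MASK32 = 0xFFFFFFFF
FNV_PRIME = 0x01000193
HASH_INIT = 0x28021967


class RollingHash:
    """Hash of the last WINDOW bytes only, so a trigger depends on local content."""

    def __init__(self):
        self.window = [0] * WINDOW
        self.n = 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, c):
        # h1: sum of window; h2: position-weighted sum; h3: shift-xor whose
        # older bits fall off the 32-bit mask after WINDOW steps.
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK32
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & MASK32
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK32
        return (self.h1 + self.h2 + self.h3) & MASK32


def block_size(length):
    """Smallest block size expected to yield about SIG_LEN characters."""
    bs = MIN_BLOCK
    while bs * SIG_LEN < length:
        bs *= 2
    return bs


def fuzzy_hash(data):
    """Return 'blocksize:signature'; one base64 char per trigger-delimited block."""
    bs = block_size(len(data))
    roll = RollingHash()
    piece = HASH_INIT
    out = []
    for c in data:
        piece = ((piece * FNV_PRIME) & MASK32) ^ c      # FNV-1 over the current block
        if roll.update(c) % bs == bs - 1:                # context trigger: block ends here
            out.append(B64[piece & 63])
            piece = HASH_INIT
    if piece != HASH_INIT:                               # trailing partial block
        out.append(B64[piece & 63])
    return f"{bs}:{''.join(out)}"


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_common_substring(a, b, n=7):
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def compare(sig_a, sig_b):
    """0..100 similarity; 0 unless the signatures share a 7-character run."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0          # simplification: ssdeep also tries the doubled block size
    if not a or not b or not has_common_substring(a, b):
        return 0
    dist = levenshtein(a, b)
    return int(round(100 * (1 - dist / max(len(a), len(b)))))


def _sample(seed, length=4000):
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


# Constructed inputs: a base blob, the same blob with 40 bytes flipped in the
# middle (a "repacked variant"), and an unrelated blob of the same size.
SAMPLE = _sample(1)
SAMPLE_MODIFIED = SAMPLE[:2000] + bytes(b ^ 0xFF for b in SAMPLE[2000:2040]) + SAMPLE[2040:]
SAMPLE_UNRELATED = _sample(2)


def demo():
    base = fuzzy_hash(SAMPLE)
    return {
        "identical": compare(base, fuzzy_hash(SAMPLE)),
        "modified": compare(base, fuzzy_hash(SAMPLE_MODIFIED)),
        "unrelated": compare(base, fuzzy_hash(SAMPLE_UNRELATED)),
    }


if __name__ == "__main__":
    print(fuzzy_hash(SAMPLE))
    print(demo())
```

The point to notice is that a cryptographic hash of SAMPLE_MODIFIED would share nothing with SAMPLE, while the piecewise signature differs in only the handful of characters around the edit, which is exactly what lets one signature match a family of repacked binaries.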


Wednesday, April 11, 2007

Shadowserver, king of the hill

When I left Shadowserver in August of 2006, I couldn't have guessed how mainstream they were going to become. With dozens of feature articles on them, nearly anyone who has ever worked on botnets knows the name.

Today they added a new virus stats page to their site, proudly showing the world that they are not only the king of the botnet monitoring hill, but they are also the king of the malware collection hill!

Shadowserver is reporting that they hold over 566k malicious binaries, with AntiVir's engine detecting an impressive 95.58% of them (that's 541,730 binaries!).

They're also monitoring over 1320 botnets and over 2.2 million drones.

I'm told they are putting this data to good use too, by notifying ISPs, law enforcement and others involved in the fight. I look forward to the whitepapers, tools, and raw data that they're bound to release soon!

Sunday, April 08, 2007

Storm worm goes nuclear.

We've received reports about malware spreading with war-related subject lines. The user who reported it did not have a copy of the malware, but one of my email drops did. The binary communicates with a large number of other systems over high, semi-random UDP ports. The ISC has posted a diary related to this event.

File: Click Me.exe (95c563731b7828d6e98eae81ee08869f)

Subject lines in email:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more than 20000 Iranian citizens
Missle Strike: The USA kills more than 1000 Iranian citizens
Missle Strike: The USA kills more than 10000 Iranian citizens
Isreal Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III


Spreads as one of the following attachments:
More.exe
Read More.exe
Click Here.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
Opens a UDP listener on port 11274 (visible with netstat -ao).

Communication via UDP with over 200 peers:
124.111.241.36, 124.150.75.126, 124.240.126.252, 125.131.29.176, 125.177.33.8, 125.25.203.140, 128.2.223.2, 131.114.13.230, 134.95.128.1, 141.30.123.42, 151.37.79.55, 154.37.66.117, 154.37.66.118, 154.37.66.119, 154.37.66.140, 154.37.66.163, 154.37.66.164, 154.37.66.186, 154.37.66.187, 154.37.66.209, 154.37.66.210, 160.75.14.190, 161.53.119.17, 193.198.36.3, 193.238.109.16, 194.15.147.40, 194.226.192.151, 195.111.2.70, 195.146.64.57, 195.158.117.39, 195.208.208.23, 195.5.19.34, 200.40.182.198, 202.71.93.14, 203.59.209.219, 207.212.26.3, 207.226.112.34, 209.222.54.55, 210.107.134.172, 211.178.169.34, 211.201.180.65, 211.51.122.173, 211.54.19.45, 212.42.91.82, 213.112.20.102, 213.251.132.34, 213.96.139.108, 216.130.188.168, 216.151.155.28, 216.151.155.52, 216.224.114.210, 217.127.81.254, 217.147.35.23, 217.160.208.201, 217.216.190.61, 217.229.107.161, 217.255.238.238, 217.8.61.68, 218.169.117.123, 219.7.138.42, 220.240.123.155, 220.78.177.58, 220.86.152.249, 222.101.241.112, 24.185.38.143, 24.232.127.169, 24.23.233.158, 24.91.13.235, 58.231.142.136, 61.228.201.222, 62.112.100.44, 62.1.122.240, 62.117.184.135, 62.121.113.97, 62.131.242.45, 62.149.227.219, 62.16.233.229, 62.204.120.132, 62.233.197.214, 62.234.51.180, 62.45.4.26, 64.229.75.158, 65.100.22.172, 66.90.79.226, 66.97.29.33, 67.15.4.10, 67.170.214.104, 68.13.18.8, 68.42.150.171, 69.26.174.131, 69.26.191.34, 69.63.60.170, 71.114.0.6, 71.133.154.97, 71.62.123.187, 72.224.137.213, 72.232.137.18, 72.36.146.114, 76.169.66.144, 80.102.127.102, 80.116.163.193, 80.132.226.44, 80.146.66.14, 80.171.187.9, 80.178.220.187, 80.62.149.20, 81.173.164.247, 81.174.12.96, 81.202.135.20, 81.202.47.48, 81.203.146.158, 81.204.129.108, 81.220.135.194, 81.2.209.136, 81.244.78.93, 81.248.26.210, 81.251.130.12, 81.37.253.45, 81.56.28.52, 81.57.135.146, 81.68.144.107, 81.83.232.171, 81.88.117.121, 81.9.204.210, 82.143.237.175, 82.156.34.116, 82.159.247.33, 82.225.194.86, 82.231.107.108, 82.231.149.214, 82.231.223.75, 82.235.41.53, 
82.238.26.118, 82.241.209.40, 82.245.157.248, 82.55.220.212, 82.59.77.21, 82.66.238.182, 82.67.168.28, 82.74.157.18, 82.92.253.142, 83.160.229.119, 83.165.141.129, 83.180.72.197, 83.19.165.243, 83.19.172.30, 83.199.215.211, 83.22.0.248, 83.222.14.114, 83.29.217.233, 83.37.140.132, 83.38.133.154, 83.40.205.158, 83.45.120.73, 83.97.181.149, 84.10.255.230, 84.115.20.205, 84.121.30.130, 84.123.166.106, 84.123.216.174, 84.134.174.205, 84.137.122.192, 84.157.114.165, 84.16.225.19, 84.16.230.162, 84.16.234.75, 84.16.239.110, 84.186.113.5, 84.205.2.117, 84.40.221.36, 84.48.106.96, 84.57.181.194, 84.58.177.68, 84.73.206.231, 84.74.226.207, 84.80.109.203, 84.82.181.136, 84.94.92.106, 84.97.208.35, 84.97.223.102, 85.118.33.111, 85.118.37.162, 85.118.41.93, 85.136.165.33, 85.137.87.194, 85.214.40.169, 85.216.228.7, 85.219.217.113, 85.234.37.43, 85.249.225.64, 85.25.136.89, 85.66.37.33, 85.76.252.138, 86.149.162.197, 87.0.79.250, 87.10.167.240, 87.1.102.103, 87.167.190.214, 87.184.146.152, 87.234.144.208, 87.5.76.207, 88.1.156.113, 88.191.11.45, 88.191.13.247, 88.191.15.80, 88.191.20.102, 88.191.21.31, 88.191.28.48, 89.145.34.71, 89.220.0.127, 89.85.252.147, 90.197.74.155, and 90.27.33.59



Peer communication goes over semi-random UDP ports. The most common is 30191, followed by 1857, 4061, 1859 and 1853.

Kills processes whose window names match: blackice firewall avg vsmon zonealarm spybot nod32 regedit mcafee taskmgr hijackthis msconfig antivirus nav avp

Creates wincom32.ini with the following data:
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
...
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
Scans files on the hard drive for email addresses to spread to, and mails itself out with a built-in SMTP engine.
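The [peers] entries above are not opaque, and decoding them is a quick way to confirm that the file is the bot's peer list and to feed the addresses to a block list. The following is an added example, not part of the original post or of any published Storm analysis tool: each line is a 32-hex-digit (128-bit) node ID, then 14 hex digits holding a 4-byte IPv4 address, a 2-byte port and a flag byte. The six entries quoted above decode to 83.38.133.154, 89.85.252.147, 84.80.109.203, 88.191.15.80, 72.36.146.114 and 81.57.135.146, all of which appear in the UDP peer list above; that is how the address layout was checked. The big-endian port byte order is an assumption, since the post lists the observed ports but does not map them to entries.

```python
"""Decode the [peers] section of Storm/Peacomm's wincom32.ini.

Added example, not code from the post. Address layout checked against the
peer IPs listed in the post; the port byte order (big-endian) is assumed.
"""
import ipaddress
import re

# The six peer lines quoted in the post (the real file holds hundreds).
INI_EXCERPT = """\
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
"""

# The subset of the post's UDP peer list that the six entries should decode to.
OBSERVED_PEERS = {"83.38.133.154", "89.85.252.147", "84.80.109.203",
                  "88.191.15.80", "72.36.146.114", "81.57.135.146"}

PEER_RE = re.compile(r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{14})$")


def decode_peer(value_hex):
    """14 hex chars = 4-byte IPv4 + 2-byte port (assumed big-endian) + 1 flag byte."""
    raw = bytes.fromhex(value_hex)
    if len(raw) != 7:
        raise ValueError(f"unexpected peer record length: {value_hex}")
    ip = str(ipaddress.IPv4Address(raw[:4]))
    port = int.from_bytes(raw[4:6], "big")
    flag = raw[6]
    return ip, port, flag


def parse_peers(ini_text):
    """Yield (node_id, ip, port, flag) for each well-formed entry under [peers]."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "peers" or not line:
            continue
        m = PEER_RE.match(line)
        if not m:
            continue          # skip junk lines rather than abort the whole parse
        node_id, value = m.groups()
        ip, port, flag = decode_peer(value)
        yield node_id.upper(), ip, port, flag


def peers_matching_observed(ini_text, observed=OBSERVED_PEERS):
    """IPs from the ini that also appear in the captured-traffic peer list."""
    return sorted(ip for _, ip, _, _ in parse_peers(ini_text) if ip in observed)


if __name__ == "__main__":
    for node_id, ip, port, flag in parse_peers(INI_EXCERPT):
        print(f"{node_id}  {ip}:{port}  flag={flag:#04x}")
```

Run against a full wincom32.ini from an infected host, the decoded addresses are a ready-made list of peers to block or to hand to the owning ISPs.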

Rootkit Revealer Output:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
C:\WINDOWS\system32\wincom32.sys 4/8/2007 11:45 PM 52.75 KB Hidden from Windows API.


(hint: the driver is hidden from the Windows API but can still be opened by name, so type c:\windows\system32\wincom32.sys >c:\windowstrojan.sys copies it out for analysis)

wincom32.sys (f9d04e27f908f9c50fd5ce2aeea72b08) infected: Trojan.Peed.BF (BitDefender)

Jose Nazario of Arbor Networks found some more hashes (SHA1) related to this malware run:
00de52e42e23439f4469f6a0429f80ec8ce3cbd3 "Click Here.exe"
5df70e6794e96adcf68c8f5c0134645dd3f38884 "Movie.exe"
868a8f2dc2cf3d056c4c079c97ef6ea797b5e402 "Read Me.exe"
caf89f7dac0627cf0f523f414cc4e0bc8500debc "Video.exe"
f717291eb5e9edf70007f90a16c7e99fad6f16bb "News.exe"
Thanks Jose! Jose also believes this is closely related to the Storm malware we've seen over the past month or so.
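Checking files against the hashes in this post, and checking a download against the hash an author publishes (see the Microsoft defacement post above), comes down to the same few lines. This is an added example, mine rather than Arbor's or the original post's: stream a file through MD5 and SHA1 in one pass, verify a download against a published digest whose type is picked by its length, and walk a directory for anything matching an IOC table. The table carries the hashes quoted in this post; the files in the demo are constructed ("abc" and an empty file, whose digests are public test vectors), not samples. Remember that a hash published on the same compromised server as the binary proves nothing about integrity.

```python
"""Hash downloads against published MD5/SHA1 values and scan a tree for known-bad hashes.

Added example, not code from the post. KNOWN_BAD holds the hashes quoted in
the post; demo() uses constructed files, not malware samples.
"""
import hashlib
import os
import tempfile

KNOWN_BAD = {
    "95c563731b7828d6e98eae81ee08869f": "Click Me.exe (Storm, MD5)",
    "f9d04e27f908f9c50fd5ce2aeea72b08": "wincom32.sys (Trojan.Peed.BF, MD5)",
    "00de52e42e23439f4469f6a0429f80ec8ce3cbd3": "Click Here.exe (SHA1)",
    "5df70e6794e96adcf68c8f5c0134645dd3f38884": "Movie.exe (SHA1)",
    "868a8f2dc2cf3d056c4c079c97ef6ea797b5e402": "Read Me.exe (SHA1)",
    "caf89f7dac0627cf0f523f414cc4e0bc8500debc": "Video.exe (SHA1)",
    "f717291eb5e9edf70007f90a16c7e99fad6f16bb": "News.exe (SHA1)",
}

DIGEST_LEN = {32: "md5", 40: "sha1"}   # hex length tells the digest type apart


def file_digests(path, chunk=1 << 16):
    """MD5 and SHA1 of a file in one pass, streamed so large downloads fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_download(path, published):
    """True if the file matches a published MD5 or SHA1 hex digest (type picked by length)."""
    published = published.strip().lower()
    algo = DIGEST_LEN.get(len(published))
    if algo is None:
        raise ValueError("expected a 32-char MD5 or 40-char SHA1 hex digest")
    return file_digests(path)[algo] == published


def scan_tree(root, iocs=KNOWN_BAD):
    """Return {path: label} for every file whose MD5 or SHA1 is in the IOC table."""
    wanted = {h.lower(): label for h, label in iocs.items()}
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests = file_digests(path)
            for algo in ("md5", "sha1"):
                if digests[algo] in wanted:
                    hits[path] = wanted[digests[algo]]
    return hits


def demo():
    """Constructed files whose digests are standard test vectors, not real samples."""
    iocs = dict(KNOWN_BAD)
    iocs["900150983cd24fb0d6963f7d28e17f72"] = "constructed: 'abc' (MD5)"
    iocs["da39a3ee5e6b4b0d3255bfef95601890afd80709"] = "constructed: empty file (SHA1)"
    with tempfile.TemporaryDirectory() as tmp:
        abc = os.path.join(tmp, "abc.bin")
        empty = os.path.join(tmp, "empty.bin")
        clean = os.path.join(tmp, "clean.bin")
        with open(abc, "wb") as fh:
            fh.write(b"abc")
        open(empty, "wb").close()
        with open(clean, "wb") as fh:
            fh.write(b"nothing to see here")
        return {
            "abc_matches_sha1": verify_download(abc, "A9993E364706816ABA3E25717850C26C9CD0D89D"),
            "abc_matches_wrong_md5": verify_download(abc, "00000000000000000000000000000000"),
            "hits": sorted(scan_tree(tmp, iocs).values()),
        }


if __name__ == "__main__":
    print(demo())
```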

More information can be found here at secureworks.com


Wednesday, April 04, 2007

128 (104) bit WEP cracked in a minute.

Researchers at the Technical University Darmstadt have released a paper describing an attack that recovers a 104-bit WEP key in under a minute.

I've read this paper and though my crypto skills aren't as good as they should be, I'd be surprised if the Aircrack-NG guys don't implement this code very soon; the Darmstadt researchers make it look trivial.

If you're still using WEP and count on it for your privacy, please consider switching to WPA.

If you're just using WEP to keep your neighbors focused on other networks, you're probably still safe for a while.

UPDATE:

The code for this attack has been released by Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann, the researchers from Darmstadt. This code is available to anyone for free.
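What makes the Darmstadt attack practical is where its input comes from: every WEP frame carries its 24-bit IV in the clear, and an ARP frame's LLC/SNAP and ARP header are constant, so each captured (or replayed) ARP frame hands the attacker the IV together with the first 16 bytes of RC4 keystream for IV||key. The key-recovery statistics themselves are not reproduced here; this added example (mine, not the researchers' or aircrack-ng's code) shows only that data-collection step: RC4, WEP encapsulation with the CRC-32 ICV, keystream recovery from the known ARP prefix, and a check that every harvested keystream really is RC4(IV||key). The key, IVs and ARP payload are constructed; the little-endian ICV byte order matches common implementations.

```python
"""WEP/RC4: how ARP frames hand an attacker (IV, keystream) pairs.

Added example, not code from the paper or from aircrack-ng. Key, IVs and the
ARP payload below are constructed.
"""
import os
import zlib

# LLC/SNAP header + ARP hardware/protocol types, lengths and opcode (request):
# constant for every ARP request, so these 16 plaintext bytes are known.
ARP_KNOWN_PREFIX = bytes.fromhex("AAAA030000000806" "0001080006040001")

# Constructed 104-bit key and ARP request body (sender MAC/IP, target MAC/IP).
DEMO_KEY = bytes.fromhex("0123456789abcdef0123456789")
DEMO_ARP = (ARP_KNOWN_PREFIX + bytes.fromhex("001122334455") + bytes([192, 168, 1, 2])
            + bytes(6) + bytes([192, 168, 1, 1]))


def rc4(key, length):
    """Plain RC4: KSA then PRGA, returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key104, iv, plaintext, key_id=0):
    """WEP frame body: IV(3) | key-id(1) | RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    assert len(key104) == 13 and len(iv) == 3
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # little-endian ICV as in practice
    ks = rc4(iv + key104, len(plaintext) + 4)
    body = bytes(a ^ b for a, b in zip(plaintext + icv, ks))
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(key104, frame_body):
    """Receiver side: regenerate the keystream from the cleartext IV, check the ICV."""
    iv, cipher = frame_body[:3], frame_body[4:]
    plain = bytes(a ^ b for a, b in zip(cipher, rc4(iv + key104, len(cipher))))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("bad ICV")
    return data


def recover_keystream(frame_body, known_prefix=ARP_KNOWN_PREFIX):
    """Attacker side: IV is cleartext and the ARP header is known, so XOR yields keystream."""
    iv, cipher = frame_body[:3], frame_body[4:]
    ks = bytes(c ^ p for c, p in zip(cipher[:len(known_prefix)], known_prefix))
    return iv, ks


def harvest(key104, arp_payload, n):
    """Simulate n replayed ARP frames with random IVs; collect {IV: keystream[:16]}."""
    samples = {}
    for _ in range(n):
        iv = os.urandom(3)
        frame = wep_encrypt(key104, iv, arp_payload)
        iv_seen, ks = recover_keystream(frame)
        samples[iv_seen] = ks
    return samples


def all_samples_consistent(key104, samples):
    """Every harvested keystream equals RC4(IV||key): the relation the key-recovery step exploits."""
    return all(rc4(iv + key104, 16) == ks for iv, ks in samples.items())


if __name__ == "__main__":
    samples = harvest(DEMO_KEY, DEMO_ARP, 50)
    print(len(samples), "IV/keystream pairs,", all_samples_consistent(DEMO_KEY, samples))
```

The attacker never needs the key to build this table; replaying one captured ARP request makes the access point emit fresh ARP traffic under new IVs, which is why tens of thousands of such pairs can be collected in minutes.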

Anti-virus and Anti-Rootkit Apps


Our friend Jose over at Arbor Networks has put together a list of recommended (free) anti-virus and anti-rootkit applications for Windows PCs.

ASERT (Jose's Blog) Anti-Rootkit Software
ASERT (Jose's Blog) Anti-Virus Software

I know the Arbor ASERT guys. They do the right thing because they can. Anyone can build a product and make it successful. It takes quality people like those over at ASERT to turn a company into an industry leader.

I highly recommend the applications listed at the links above, and if you haven't yet checked out their blogs, please consider spending some extra time on their site!

Tuesday, April 03, 2007

ANI Patch released


In response to the ZERT and eEye patches...oh, and the vulnerability...Microsoft has released an out-of-cycle patch for the ANI parsing vulnerability. The in-the-wild exploit code was found by a Chinese anti-virus firm, as reported by Websense.

Microsoft released the patch for MS07-017 earlier today, and so far we have not had any problems with the update.

We've been watching the message boards and email lists closely while experts from ZERT, Websense and the ISC have been tracking the malicious URLs. Nearly 25 MB of malware, over 430 unique files, has been uncovered in connection with this vulnerability.

Unfortunately the DISOG team has been busy working on another project and was unable to offer our assistance in this case, however we wanted to get the word out about the patches.

Code to generate malformed ANI files has been posted on the usual sites, so if you haven't already patched we suggest you do so as soon as possible.

Update: Reports of problems with the patch have been brought to the ISC's attention. Microsoft is aware of the problem and will release a bugfix next Tuesday with the normal patch cycle.