Aug 31 2011

Morto worm sets a (DNS) record

 

There has been a lot of coverage of the recent RDP-capable W32.Morto worm, but one of the more interesting aspects of the worm’s behavior appears to have been overlooked. Most malware that we have seen recently has some means of communicating with a remote Command and Control (C&C) server. The actual vector of communication varies between threats. For example, W32.IRCBot uses Internet Relay Chat channels, whereas the recent high-profile threat Trojan.Downbot is capable of reading commands embedded in HTML pages and image files. W32.Morto has added another C&C communication vector: it receives remote commands through Domain Name System (DNS) records.
 
DNS is primarily used to translate human-readable names, such as “Symantec.com”, into numerical network identifiers (216.12.145.20). Every URL on the Internet is eventually resolved to an associated IP address using this system, typically via a DNS A record for IPv4. The A record is what we usually think of when we discuss DNS. These records map domain names to their associated IP addresses, with a PTR record used for the inverse operation of IP to host. But DNS is not limited to these record types; a number of record types have been defined in various RFCs over the years to address the changing needs of the system. The record type that W32.Morto uses for its communication protocol is the TXT record.
 
The DNS TXT record type was originally used to allow human-readable text to be stored with a DNS record, and it later evolved to store machine-usable data. To experiment with this, you can use the Microsoft nslookup.exe tool. By querying the TXT record type for “Symantec.com” you can retrieve the SPF information associated with the domain.
 
 
While examining W32.Morto, we noticed that it would attempt to request a DNS record for a number of domains that were hard-coded into the binary. This is by no means unusual or unique, but when we examined those domains, we noticed that no associated DNS A records were returned for our own DNS requests. On further investigation, we determined that the malware was actually querying for a DNS TXT record only, not for a domain-to-IP lookup, and the values that were returned were quite unexpected.
 
 
The threat clearly expected this type of response, as it proceeded to validate and decrypt the returned TXT record. The decrypted record yielded a customary binary signature and an IP address from which the threat could download a file (typically another piece of malware) for execution.
 
[MALICIOUS ADDRESS]/160.rar
 
Once downloaded, W32.Morto immediately executes the threat and waits for a specified timeout before requesting another TXT record.

What is interesting about this method of command propagation is that there was no A record for these domains, which means that they existed primarily to serve these commands to the W32.Morto worm. A number of other domains have been hard-coded into the worm, and they all display the same unusual DNS characteristics.
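The TXT-only pattern described above (domains that are never resolved to an address, yet return opaque TXT data) is something a defender can hunt for in resolver logs. The following Python example is added here and is not part of the original post; the log line format, the sample lines, the client addresses and the domain cmd-example.invalid are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed resolver log lines for the example (not from the original post).
# Assumed format: "<ts> client <ip> query: <name> IN <type> -> <answer>"
SAMPLE_LOG = """\
2011-08-31T10:00:01 client 10.0.0.5 query: symantec.com IN A -> 216.12.145.20
2011-08-31T10:00:02 client 10.0.0.5 query: symantec.com IN TXT -> "v=spf1 include:_spf.symantec.com ~all"
2011-08-31T10:00:07 client 10.0.0.9 query: cmd-example.invalid IN TXT -> "kGz8Q2pL0xN4vR7sY1wE3uT9aB5cD6fH8jM2nP4qS"
2011-08-31T10:05:07 client 10.0.0.9 query: cmd-example.invalid IN TXT -> "kGz8Q2pL0xN4vR7sY1wE3uT9aB5cD6fH8jM2nP4qS"
2011-08-31T10:05:09 client 10.0.0.9 query: www.example.org IN A -> 192.0.2.10
"""

LINE_RE = re.compile(r"^\S+ client (\S+) query: (\S+) IN (\S+) -> (.*)$")

# TXT prefixes with a well-known machine-readable meaning; anything else is "opaque".
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")

def is_opaque_txt(txt):
    """True when a TXT value is neither a known format nor ordinary prose."""
    if txt.startswith(KNOWN_TXT_PREFIXES):
        return False
    # Encrypted or encoded command blobs tend to be one long token with no spaces.
    return " " not in txt and len(txt) >= 24

def analyse(log):
    """Return [(domain, clients, reasons)] for domains that look like TXT-based C&C."""
    rtypes = defaultdict(set)      # domain -> record types queried for it
    clients = defaultdict(set)     # domain -> hosts that asked
    txt_values = defaultdict(list) # domain -> TXT answers seen
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, name, rtype, answer = m.groups()
        rtypes[name].add(rtype)
        clients[name].add(client)
        if rtype == "TXT":
            txt_values[name].append(answer.strip().strip('"'))
    findings = []
    for name, seen in rtypes.items():
        if "TXT" not in seen or seen & {"A", "AAAA"}:
            continue               # normal: TXT alongside address lookups
        reasons = ["queried for TXT only, never for an address record"]
        if all(is_opaque_txt(v) for v in txt_values[name]):
            reasons.append("TXT payload is an opaque token, not SPF/DKIM/DMARC text")
        findings.append((name, sorted(clients[name]), reasons))
    return findings
```

Run over a day of logs, the hosts in the `clients` column are the ones to pull for investigation; a legitimate domain with a TXT record will almost always also be resolved for an A or AAAA record by the same clients.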
 
W32.Morto has a number of interesting characteristics, including the RDP propagation that has been generating much interest of late, saving encrypted payload code in the system registry, and replacing some minor system DLLs with its own payload code. The worm’s use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C vector under the radar.
Aug 31 2011

Woman sues after firm tracking stolen laptop records nude video chats

Late night flirting

Imagine the scene.

You buy a second-hand laptop using it to, among other things, have secret sexy video chats with your significant other. Unbeknownst to you, naked photos of you are being taken by a company hired to track down the stolen laptop.

Ouch.

This is what has happened to Ohio-based Susan Clements-Jeffrey and her boyfriend.

Absolute Software is in the business of helping people recover their computers. Fair enough. But is taking nude snaps of the person using the stolen laptop a step too far?

U.S. District Judge Walter Rice thinks so, saying that Absolute Software may have violated 52-year-old widow Susan Clements-Jeffrey’s rights to privacy.

What does the judge have to do with this? Well, Susan is suing Absolute Software.

She is a substitute teacher who reportedly bought the computer from one of her students in 2008 for $60. The student told her it was a gift from his relatives, that he had got a new one, and this one was now for sale.

Turns out the laptop was stolen from Clark County School District in Ohio. They had purchased and installed Absolute Software’s theft recovery service, called LoJack, onto their computers, so when the stolen laptop was connected to the internet, LoJack collected the teacher’s IP address.

Rather than handing the information over to the police to track her down, Absolute Software employee Kyle Magnus reportedly decided to intercept communications, including Susan Clements-Jeffrey’s saucy video chats.

Magnus then forwarded the collected information, including revealing pictures and sexy conversations, to a police detective. According to Wired, the cops arrested Susan for receiving stolen property, but charges were soon dismissed.

Lying down

Susan now is suing the lot of them: Absolute Software, their employee Kyle Magnus, the city of Springfield in Ohio, and the two cops who arrested her (did I mention the cops apparently waved the nude snaps when they first knocked on her door?)

So my take on this? I have no problems with Absolute Software and the cops trying to get the stolen laptop back. Fine. But using saucy pics to embarrass whoever ended up using the stolen property just screams ‘a step too far’ to me.

You can read a much more detailed report, written by Kim Zetter, on Wired.


Aug 31 2011

LulzSec hacking suspect denied access.. to his girlfriend

Chester, UK

As one hacking suspect is denied access to his girlfriend, another is charged with a series of internet attacks.

A teenage boy from Chester has been charged by British police in connection with a series of internet attacks by the Anonymous hacktivist group.

The 17-year-old, who has not been named, is scheduled to appear next month before magistrates. According to a press release, posted on the Metropolitan Police’s website, the boy faces charges of:

"conspiracy to do an unauthorised act in relation to a computer, with intent to impair the operation of any computer or prevent or hinder access to any programme or data held in a computer or to impair the operation of any such programme or the reliability of such data - contrary to Sec 1(1) of the Criminal Law Act 1977".

Anonymous, LulzSec and other hacking groups have claimed responsibility for a series of DDoS attacks against government and company websites in the last year.

The teenager has been granted bail to appear at City of Westminster Magistrates’ Court on 7th September.

22-year-old student Peter David Gibson, of Hartlepool, County Durham, was charged with the same offence last week and is due to appear at City of Westminster Magistrates’ Court on the same day.

Girlfriend trouble
Ryan Cleary. Image source: BBC

Meanwhile, the Daily Mail reports that a British judge has refused permission for suspected LulzSec hacker Ryan Cleary to see his girlfriend without his parents being present.

Under the conditions of his bail, 19-year-old Cleary is not allowed to leave his home address without an accompanying parent.

Cleary’s arrest in June was greeted with excitable news headlines, and he is alleged to have been involved in a distributed denial-of-service (DDoS) attack on the website of SOCA (Serious Organised Crime Agency).

Cleary and a fellow alleged LulzSec member Jake Davis, who was arrested in the Shetland Islands last month, are both bailed to appear in court for pleas on January 27 2012.

Clearly the authorities are taking their investigations into DDoS attacks seriously. Those who are considering participating in such illegal attacks might be wise to think about the consequences.


Aug 31 2011

Spam makes me angry. Do you have a course to help with that?

Dear British Association of Anger Management,

Thank you for your unsolicited email, inviting me to a course on anger management.

Email from the British Association of Anger Management

You know what makes me angry? Flipping spam makes me angry.

I don’t remember signing up to receive emails from you, but maybe I lashed out at one of my work colleagues, and perhaps they thought I could do with some help and so gave my email address to you.

Even so, I would have hoped that you would have followed industry best practices and confirmed via a double opt-in that I *really* wanted to sign up for your messages.

The best mailing lists not only require people to ask to receive their messages, but then verify the subscription just in case an email address was given to you by mistake or by a mischief-maker.

Anger management. They seem happy, why aren't I?

I’m delighted that you’ve had such success helping people deal with their anger issues. Help me with mine, by not just honouring my unsubscribe request, but also adopting a better standard in future, confirming that the owner of any email address you are given really wants to receive your emails.

What next? Will the Tourette Syndrome Association start sending me f@#king spam – would you f!#king f$%khead f*%k believe it?

Yours sincerely,

Angry from Naked Security