Strange Case of W32.Xpaj.B: Patient Zero

A number of days ago, we observed a new variant of the W32.Xpaj.B virus and we blogged all of the initial details about its new features and how the outbreak sample is the patient zero of the infection. We have now done more analysis and the conclusion is in: there is no outbreak and W32.Xpaj.B is not coming back, at least for now.

From the analysis we uncovered the following:

  • Samples infected by patient zero do not have the capability to infect other samples
  • A 64-bit kernel mode payload injects a Dynamic-Link Library (DLL) into the target processes, but the DLL is empty
  • Infected samples do not carry a copy of the virus body from patient zero, but they are infected with a substantially smaller version of the virus

All of these facts seem to suggest that this patient zero was meant to be just a test sample; the virus is not attempting to run any meaningful payload functionality and the self-replication feature is not present. This is also confirmed by our telemetry data. If we take a look at the number of master boot record (MBR) infections observed in the wild (note that MBR infections are only from the new variant of W32.Xpaj.B, not from the old one), we can count fewer than 50 at the moment, which is surprisingly low.

This sample was simply not meant to be released to the public for a pandemic infection. My guess is that it might have been pushed out to some specific target just for a small test in the field, or that it was somehow leaked from its writers.

Basic structure

Patient zero infects the MBR and copies its payloads at the end of the disk. When the compromised computer is booted, the MBR will cause the payloads to be extracted and loaded.

Figure 1. Payloads installed to disk

The payloads are:

  • 64-bit user mode DLL: It is the DLL injected into targeted processes on 64-bit Windows
  • 32-bit user mode virus body: Samples infected (32-bit .exe files and DLLs only) will carry this viral body, not the one from “patient zero”
  • 64-bit kernel mode payload: Code that runs in 64-bit kernel mode
  • 32-bit kernel mode payload: Code that runs in 32-bit kernel mode

As stated in my last blog entry, the virus will not infect kernel mode drivers; the kernel mode payload is only loaded through the MBR.
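
A triage check for the layout described in this section, where the payloads are copied to the end of the disk: it parses the MBR partition table of a raw image and reports non-zero data in sectors past the last partition. This is an added example, not code from the original analysis; it assumes 512-byte sectors, an MBR-partitioned image, and that the payload area lies in unpartitioned space, and the function names and sample image are constructed for illustration.

```python
import math
import struct
from collections import Counter

SECTOR = 512  # assumption: 512-byte logical sectors


def parse_mbr(sector0: bytes):
    """Return [(type, first_lba, sector_count)] for the used primary entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]  # partition type byte; 0 means unused slot
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, first_lba, count))
    return parts


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (compressed or encrypted data is near 8)."""
    total = len(data)
    return sum(-(n / total) * math.log2(n / total) for n in Counter(data).values())


def trailing_slack_report(image: bytes):
    """Describe non-zero sectors after the last partition, or None if all are zero."""
    parts = parse_mbr(image[:SECTOR])
    end_lba = max((first + count for _, first, count in parts), default=1)
    total = len(image) // SECTOR
    used = [lba for lba in range(end_lba, total)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    if not used:
        return None
    blob = b"".join(image[lba * SECTOR:(lba + 1) * SECTOR] for lba in used)
    return {"first_lba": used[0], "sectors": len(used),
            "entropy": round(entropy(blob), 2)}


def build_sample_image(tail: bytes = b"") -> bytes:
    """Constructed 64-sector image: one type-0x07 partition covering LBA 8..47."""
    image = bytearray(64 * SECTOR)
    image[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 8, 40)
    image[510:512] = b"\x55\xaa"
    image[len(image) - len(tail):] = tail  # stand-in data in the last sectors
    return bytes(image)


if __name__ == "__main__":
    print(trailing_slack_report(build_sample_image()))                      # clean
    print(trailing_slack_report(build_sample_image(bytes(range(256)) * 4)))  # flagged
```

A hit is only a lead for manual review: some legitimate tools also write to unpartitioned sectors, and on GPT disks the backup GPT header normally occupies the last sectors.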

Reduced viral body payload

During our tests, a simple problem showed up: the infected samples, when run, were not infecting other samples. In other words, the only way to replicate infections was to run patient zero and generate a first generation of infected files. None of these files, when run, were infecting anything; therefore we were not able to produce a second generation of infections.

I decided then to dig deeper into the problem and I found that there is quite a difference between the viral body found in patient zero and the viral body found in the first generation of infected samples—the size! The viral body from patient zero is about 170 KB, while the one from infected samples is about 50 KB—a big difference!

The viral body from infected samples comes from the compressed payloads that are stored at the end of the physical disk during infection from “patient zero”. I analyzed this attenuated version of the virus and I found it lacking the code to perform infection of other samples. It also lacks the code to infect the MBR and it does not carry the compressed payloads.

So what does it do? Well, it seems that all it does is this:

  • Read and write encrypted data to a randomly named file in %Windir%
  • Handle encrypted network communication towards the command-and-control (C&C) server

It is possible that the virus may receive an update of itself but, at the moment, the C&C server is not alive (so we cannot confirm this).

Kernel mode payload

Part of the kernel mode functionality has already been described in my previous blog entry and in other articles; however, after more analysis, I have found some interesting details. Some Application Programming Interfaces (APIs) and symbols are present, but not called or used in the current payload. This suggests they may be included in future versions of the virus. A couple of interesting ones:

  • KeServiceDescriptorTable: Possibly used for installing kernel mode function hooks, or maybe to end security products by removing their own function hooks.
  • IoCreateDriver: Can be used to load any driver. Maybe the authors want the possibility to load other drivers for particular tasks when needed.

We can also find KeGetCurrentIrql, which is not really interesting on its own, but the code seems to be using it in a particular way:

Figure 2. KeGetCurrentIrql is loaded dynamically, based on which PE module it is in

The code retrieves the API and saves information about which module it is in. This happens because in Windows versions up to XP the API was located in hal.dll, while from Windows Vista and later, it is located in ntoskrnl.exe. So, this tells us the malware authors are testing this thing in Windows Vista and Windows 7, maybe even in Windows 8 as well, who knows!

Finally, some of the kernel mode code that used to be in the viral body itself (in the old version) has been moved to the kernel mode payload in the new version. Yet, there is still kernel mode code in the viral body of patient zero, so it may look like the authors of the virus are abandoning the idea of infecting drivers, and moving the intended kernel mode functionality into a dedicated payload.

This is probably also dictated by the fact that the virus can only infect 32-bit .exe files and DLLs: if the author wants his code to be run in kernel mode then he has to add the functionality to infect 64-bit Portable Executable (PE) files as well, and must also support drivers. Basically, one single virus body should be able to run both in 32 and 64-bit, and both in user mode and kernel mode. This is clearly overkill in terms of writing and maintaining such a malware. Instead, the malware authors have used dedicated payloads, thereby adding modularity to the code, which allows faster development.

64-Bit DLL payload

As discussed above, the 64-bit DLL that is supposed to be injected in some targeted process is basically empty. You can see it in this image:

Figure 3. Dummy 64-bit payload DLL

There is no real code, only some test strings. Also, the format of the DLL PE and the string from the data section would suggest that this DLL was written directly in assembly language rather than compiled from a C/C++ compiler.

In conclusion, there is still no outbreak, but this patient zero clearly shows a dangerous evolution of the threat. There is no way to tell when (or even if) we are going to see this new variant released, but my guess is that it won’t happen too long from now. Thanks to this sample we have been vaccinated—we have been able to perform a pre-emptive analysis and we are one step ahead—but rest assured, we will keep monitoring this threat and we will be ready for it when it spreads in the wild.

Google Says It Removes 1 Million Infringing Links Monthly

Each month, Google removes more than 1 million links to infringing content such as movies, video games, music and software from its search results — with about half of those requests for removal last month coming from Microsoft.

The search and advertising giant revealed the data Thursday as it released sortable analytics on the massive number of copyright takedown requests it receives — adding to its already existing data on the number of times governments ask for users’ personal data.

The Mountain View, California-based company removes links to comply with the Digital Millennium Copyright Act. The DMCA requires search engines to remove links to infringing content at a rights holder’s request or else face liability for copyright infringement itself. Google said it complies with about 97 percent of requests, which are submitted via an online form and usually approved via a Google algorithm.

The disclosure marks the first time a major internet search engine divulged its DMCA compliance numbers. The development comes months after some lawmakers blasted Google’s position against the Stop Online Piracy Act, an anti-piracy measure that would have fundamentally altered the DNS system, a core part of the net’s infrastructure, in the name of piracy.

Google rejected some of the requests, Fred von Lohmann, Google’s senior copyright attorney said, because “the form is incomplete, the web page doesn’t exist or we look at it and say we don’t think it is infringing.”

The top rights holders demanding removal of links were Microsoft, at 543,000 last month, the British Recorded Music Industry at 162,000 and NBC at 145,000. The top targeted sites hosting allegedly infringing content were at more than 43,000, at more than 23,000, and at more than 22,000.

The Pirate Bay, the most notorious online haven for copyrighted content, came in at an unimpressive 13th place, with 10,245 requests for takedowns of links to the site.

Von Lohmann said the data could be useful as lawmakers debate laws aimed at combating online infringement.

“Obviously, we know that policy makers in the U.S. and elsewhere are trying to think of proposed solutions to the online infringement problem,” he said. “In our view, those discussions are benefited by accurate data.”

Overall, Google received 1.24 million requests from 1,296 copyright owners for removal the past month. They targeted 24,129 domains.

The data largely goes back nearly a year, around the time Google began automating its removal procedure and making it easier for rights holders to issue demands via an online link. Sortable data before that time was not readily available, von Lohmann said. But before the removal process became automated, Google said in a blog post that it removed less than 250,000 links in all of 2009.

Removal of links has become big business, as rights holders often farm out such duties. Marketly, of Redmond, Washington, issued almost 462,000 demands for link removal, earning it the top spot last month. The British Recorded Music Industry came in second last month, with more than 190,000 links.

NBC was apparently the only major organization working on its own behalf, according to Google’s data.

Google Releases Google Chrome 19.0.1084.52

Google has released Google Chrome 19.0.1084.52 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 19.0.1084.52.


The Hack That Wasn’t: Sec. Clinton and Operation AdWords

When news outlets recently quoted U.S. Secretary of State Hillary Clinton claiming that State Department operatives hacked the websites of al-Qaida affiliates in Yemen, we didn’t know whether to be proud of the feds’ leet skills or appalled at the administration’s hypocrisy regarding hacking.

Turns out the hacks who wrote the stories got it wrong – though Danger Room’s David Axe, who was on the scene, got the story right the first go-around. And now, with the hyped headlines dialed back, we’re just disappointed.

Turns out the team simply purchased anti-al-Qaida ads on the websites to counter anti-American ads the sites were running.

Call it Operation AdWords, if you like.

Clinton was delivering a keynote speech at the Special Operations Command gala dinner in Tampa, Florida, when, as the Associated Press reported, she described how State Department specialists attacked sites tied to al-Qaida, which were trying to recruit new members by “bragging about killing Americans.”

“Within 48 hours, our team plastered the same sites with altered versions of the ads that showed the toll al-Qaida attacks have taken on the Yemeni people,” Clinton said, according to the AP. “We can tell our efforts are starting to have an impact because extremists are publicly venting their frustration and asking supporters not to believe everything they read on the internet.”

The AP rushed out a story with the headline “Hillary Clinton: U.S. Hacked Yemen al-Qaida Sites,” only to revise the story with a more demure headline later, reading “Clinton: US wars with al-Qaida on the web.”

The latter story included new quotes from a State Department official clarifying that the specialists didn’t actually hack the sites. Instead, he said, they challenged extremists in open forums.

“We parody and poke holes in what they do,” the unnamed official said. He also explained that after al-Qaida supporters launched a new series of banner ads focusing on fighting Americans that depicted U.S.-flag-draped coffins, the State Department team countered the ads with their own.

They essentially launched a counterterrorism-by-AdWords campaign by purchasing anti-al-Qaida ads on the same site, featuring the coffins of Yemeni civilians killed in terrorist attacks.

Smart diplomacy in the internet era, but at best it’s a clever hack, not clever hacking.

UPDATE 2:40pm: A State Department spokeswoman has muddied the waters even further by now indicating that the ads weren’t even ads. She refers to them as “posts” and says they were free. No government funds were paid out to the web site in question. Below is an exchange the State Dept. spokeswoman had with reporters:

MS. NULAND: … So the specific case that the Secretary mentioned was a case where there was a nasty piece of al-Qaida propaganda, and we did our own counter-spoof of that as an effort to try to get our own message across. Whenever we do this, we make clear that we identify ourselves clearly as part of the State Department’s digital outreach team, so it’s always clear who the sponsors of the alternative posts are.

And let me also just make clear that we don’t hack. We don’t engage in covert activities. All of the work is attributed, as I said. In general, we usually do it on free sites and we do it in a free manner. Obviously, if we use YouTube, everybody pays on YouTube, so we do that, too.

QUESTION: So this was not hacking as such?

MS. NULAND: Correct. It was not. It was an alternative.

QUESTION: And can you describe a little bit more, I mean, what – in the timeframe, when this was happening? Was it only Yemen or are there other places?

MS. NULAND: No, the center operates anywhere that – in cyberspaces in particular, where we see propaganda that is put up by al-Qaida, by its affiliates. It posts on any sites where it finds this stuff. In this case, it was countering a site that was based or affiliated with Yemeni terrorists. But it does that anywhere in the world where it finds this kind of thing.

QUESTION: Can you just describe a little bit about what kind of – what your posts look like, what they said, versus what people were reading there?

MS. NULAND: My understanding of this particular post that the Secretary shouted out, the Yemeni site had put up pictures of coffins draped in American flags. We put up a counter-post of coffins draped in Yemeni flags to indicate that it is Yemenis who are dying at the hands of al-Qaida terrorists in Yemen.

QUESTION: Is that in good taste?

QUESTION: Okay. I just want to –

MS. NULAND: This is a matter of countering propaganda that is in the absolute worst taste.

QUESTION: But that’s – but my question is: Why is putting up what you described as a spoof with flags of – with Yemeni flags on top of coffins to try to make the point that it is Yemenis who are dying? You could easily look at that and think, well god, we’re – they’re just talking about killing Yemenis for example. So –

MS. NULAND: No, I appreciate your question, Arshad. The original post took pride in the killing of Americans. The point that we were trying to make in parallel was that, in fact, through this kind of activity, through this kind of propagation of violent extremism, through the kind of violent acts that groups like this are engaged in, it is actually more Yemenis who are meeting their death.

QUESTION: And do you regard it as a tasteful and proper use of U.S. Government funds to – just because somebody else puts out an image that you find offensive doesn’t necessarily mean that you should put up an image to make a point that others may find or may interpret offensively. And I just wonder if a lot of thought was given to the appropriateness and tastefulness for the U.S. Government to be putting up a photograph of coffins with Yemeni flags up.

MS. NULAND: Again Arshad, this is a site that is endeavoring to incite violence. We are simply making the point that the violence that they are inciting is ricocheting back against the local population and is not in service to a strong, stable, peaceful Yemen, but in fact is having the opposite effect.

So we are countering propaganda with a counter-narrative that we believe is closer to the truth of the situation.


QUESTION: I want to clarify: So in this instance, these – posting of these alternative ads was free and you could just post them up on the website, or was this an instance where they were paid for to be posted?

MS. NULAND: The information that I have at the moment is that particular one was one that was – that we did not have to – that was not paid for.


MS. NULAND: There are instances where we do have to pay for it.

QUESTION: Okay. And then, in those instances where you do have to pay for them, what kind of vetting goes into these websites in terms of where those funds for the ads would go?

MS. NULAND: Well again, you are talking about putting up a counter-ad in – on a paid site like YouTube. So something has been paid for by the extremists, and we are paying for the counter.

QUESTION: Okay. So you wouldn’t put it up on the extremist site, I guess is what my question is. Is there like a conscious thought process?

MS. NULAND: There is a full vetting; there is a whole team that does these things. We’re not, sort of, out there.
