So Predictable: St. Patrick’s Day Scams

I have blogged many times about how cybercriminals and scammers use holidays, sporting events, and disasters as lures in their never-ending schemes. Just as with tax season, every Valentine’s Day brings a wave of scams. Most high-profile sporting events, such as the FIFA World Cup, inspire them, and recent events like the earthquakes in Haiti, Chile, and Japan certainly serve as bait for these schemes. St. Patrick’s Day finds itself in the same situation.

Just a bit ago I received a few examples that I would like to share:

This one leads to a fairly uninteresting ecard site that distributes a “free” toolbar most of us detect as FunWeb, but I did find the next one a bit more interesting:

This one, as you can clearly read, launches right into a sales pitch about making money online. It also uses shortened URLs (a common tactic) to hide the actual site the recipient is being sent to. Various forms of short-URL abuse are something McAfee Labs highlighted in our yearly predictions paper, which is definitely worth the download and read. The short links lead to the following site:

This site, which our SiteAdvisor technology flags “yellow,” claims to have techniques, knowledge, and software that can turn anyone into the next Internet millionaire! Pretty odd when you consider it arrived in an email wishing you a Happy Paddy’s Day, no? Predictable as these lures are, they are nonetheless effective and will be with us for years to come.
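The practical check against the short-link trick is to expand the link before anyone clicks it, without ever loading the destination. The following is an added example written for this post (not McAfee code): it walks a redirect chain hop by hop with HEAD requests and redirects disabled, bounds the number of hops, and detects loops. The `fetch` callable is injectable, and the `SAMPLE_HOPS` chain below is constructed data standing in for a live lookup; the hostnames are placeholders, not sites from the spam.

```python
"""Expand a shortened URL hop by hop without visiting the final page."""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

# A fetcher returns (status_code, Location header or None) for one URL.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One HEAD request with redirects disabled (this one touches the network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "link-checker/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses land here because _NoRedirect refused to follow them.
        return err.code, err.headers.get("Location")


def unshorten(url: str, fetch: Fetcher = live_head, max_hops: int = 10) -> List[str]:
    """Return the redirect chain starting at `url`, final destination last.

    Stops on a non-3xx status or a missing Location header. A loop or an
    exhausted hop budget raises, since either is itself a warning sign.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if not 300 <= status < 400 or not location:
            return chain
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain))
        seen.add(nxt)
        current = nxt
    raise ValueError(f"more than {max_hops} redirects: " + " -> ".join(chain))


# Constructed sample chain (placeholder hosts) so the walk runs offline.
SAMPLE_HOPS = {
    "http://short.example/a1": (301, "http://redir.example/go?id=7"),
    "http://redir.example/go?id=7": (302, "/landing"),  # relative Location
    "http://redir.example/landing": (302, "https://landing.example/offer"),
    "https://landing.example/offer": (200, None),
}


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SAMPLE_HOPS.get(url, (404, None))


def demo_chain() -> List[str]:
    """Expand the constructed sample link; prints nothing, returns the hops."""
    return unshorten("http://short.example/a1", fetch=sample_fetch)
```

Calling `unshorten("http://bit.ly/...")` with the default fetcher performs the live lookup; only the final host name needs to be inspected (or fed to a reputation service such as SiteAdvisor), and the landing page is never rendered.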

Stay informed. Stay updated. Stay safe.

Highlights of CanSecWest Day 2: Hacks Both Common and Sublime

Another day has passed here at CanSecWest with a mixed bag of results. Overall the content was, again, quite good, PWN2OWN shows us the future, HallCon and BarCon were all kinds of awesome, and I had two distinct “a ha!” moments.

My first “a ha!” came during DongJoo Ha and KiChan Ahn’s “Is Your Gaming Console Safe?: Embedded Devices, an AntiVirus-free Safe Hideout for Malware.” You might ask, “Marcus, what is so compelling here? They’re just gaming consoles,” and that’s true. You know what else they are? Embedded devices with distinctly powerful CPUs. With the growth of home-brew builds (customized operating systems) available for many gaming consoles, these are increasingly being looked at as platforms both to attack and to attack from.

One example I found particularly powerful was a Nintendo DS running Metasploit to compromise Windows devices. Clearly, a gaming console is just like any other device on the network. The second demo (and the actual “a ha!” moment) was when the presenters injected code into the game files themselves. Yes, boys and girls, you read that right. It is possible to inject code into games just as you would inject code into any DLL or application. They showed this on both installed games and games downloaded from the Internet. I was left a bit unclear as to the limitations on an unbroken (not jailbroken) console, but the implications are far reaching: a networked device is a networked device. They can all be 0wned. Combine this with the lack of awareness that malware or attacks can target these embedded devices, and with the fact that people will download and install almost anything without a second thought, and the potential for abuse is clear.

The Adobe sessions at CanSecWest this year were one of the main reasons I attended. Adobe is a huge target for cybercriminals and malware writers lately as client-side exploits are quite the trend. While attending Haifei Li’s “Understanding and Exploiting Flash ActionScript Vulnerabilities,” I was very disappointed–mainly because I could not understand the speaker. Later in the day, however, I reviewed the slides and enjoyed my second “a ha!” moment.

The slides are remarkably clear in explaining the essence of ActionScript vulnerabilities. According to Li, they stem from errors in how the verification/generation process calculates program flow: the verification flow and the execution flow are not the same. This is a very big deal because code can pass verification yet still trigger a vulnerability during execution. Bytecode blocks make it difficult for the verifier to recognize the flow the code will actually take at run time, and that gap is the root of many ActionScript vulnerabilities. Clearly, ActionScript vulnerabilities and exploits will be with us for quite some time.
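To make the verification-flow versus execution-flow gap concrete, here is an added toy illustration written for this post. It is not Flash/AVM2 bytecode and not code from Li’s talk; the instruction set, the deliberately flawed verifier, and the program are all constructed. `verify_linear` types the stack in address order and treats a jump as a fall-through, so it believes an object is on top when `getfield` runs; the executor follows the jump and finds an attacker-chosen integer there instead. `verify_flow` shows the fix: explore every path the executor can actually take.

```python
"""Toy stack machine: a verifier whose flow model differs from the executor's.

Instructions are tuples: ("push_obj",), ("push_int", n), ("pop",),
("jmp", target), ("getfield",) and ("halt",).
"""
from typing import Dict, List, Tuple


class VerifyError(Exception):
    """Raised when a verifier rejects the program."""


class TypeConfusion(Exception):
    """Raised at run time when getfield meets an integer instead of an object."""


def verify_linear(code: list) -> bool:
    """Flawed verifier (constructed): walks instructions in address order and
    treats `jmp` as a plain fall-through, so its flow is not the executor's."""
    stack: List[str] = []
    for op in code:
        name = op[0]
        if name == "push_obj":
            stack.append("obj")
        elif name == "push_int":
            stack.append("int")
        elif name == "pop":
            if not stack:
                raise VerifyError("pop on empty stack")
            stack.pop()
        elif name == "getfield":
            if not stack or stack[-1] != "obj":
                raise VerifyError("getfield needs an object on top")
        # "jmp" / "halt": stack unchanged, continue in address order
    return True


def verify_flow(code: list) -> bool:
    """Sound verifier: explores every (pc, abstract stack) state reachable by
    following jumps, so no path the executor can take is left unchecked."""
    work: List[Tuple[int, Tuple[str, ...]]] = [(0, ())]
    seen = set()
    while work:
        pc, stack = work.pop()
        if (pc, stack) in seen:
            continue
        seen.add((pc, stack))
        if pc >= len(code):
            raise VerifyError(f"pc {pc}: fell off the end of the code")
        op = code[pc]
        name = op[0]
        if name == "push_obj":
            work.append((pc + 1, stack + ("obj",)))
        elif name == "push_int":
            work.append((pc + 1, stack + ("int",)))
        elif name == "pop":
            if not stack:
                raise VerifyError(f"pc {pc}: pop on empty stack")
            work.append((pc + 1, stack[:-1]))
        elif name == "getfield":
            if not stack or stack[-1] != "obj":
                raise VerifyError(f"pc {pc}: getfield on {stack[-1] if stack else 'empty'}")
            work.append((pc + 1, stack))
        elif name == "jmp":
            work.append((op[1], stack))
        elif name != "halt":
            raise VerifyError(f"pc {pc}: unknown opcode {name}")
    return True


def execute(code: list) -> list:
    """Executor: follows jumps for real; getfield on an integer is the
    type confusion a verifier exists to rule out."""
    stack: list = []
    pc = 0
    while True:
        op = code[pc]
        name = op[0]
        if name == "push_obj":
            stack.append(("obj", {"field": 1}))
        elif name == "push_int":
            stack.append(("int", op[1]))
        elif name == "pop":
            stack.pop()
        elif name == "getfield":
            kind, value = stack[-1]
            if kind != "obj":
                raise TypeConfusion(f"pc {pc}: integer 0x{value:x} used as an object reference")
            stack[-1] = ("int", value["field"])
        elif name == "halt":
            return stack
        pc = op[1] if name == "jmp" else pc + 1


# Constructed program: the jump at 2 skips the pop at 3, so at 4 the executor
# has an integer on top while the linear verifier believes an object is there.
PROGRAM = [
    ("push_obj",),             # 0
    ("push_int", 0x41414141),  # 1  attacker-chosen integer
    ("jmp", 4),                # 2  real flow: straight to getfield
    ("pop",),                  # 3  never executed, but "seen" by verify_linear
    ("getfield",),             # 4  verifier: obj on top; executor: int on top
    ("halt",),                 # 5
]
SAFE_PROGRAM = [("push_obj",), ("getfield",), ("halt",)]


def classify(code: list) -> Dict[str, str]:
    """Report each verifier's verdict and what execution actually does."""
    result = {}
    for label, verifier in (("linear", verify_linear), ("flow", verify_flow)):
        try:
            verifier(code)
            result[label] = "accept"
        except VerifyError:
            result[label] = "reject"
    try:
        execute(code)
        result["run"] = "ok"
    except TypeConfusion:
        result["run"] = "type_confusion"
    return result
```

`classify(PROGRAM)` shows the shape of the problem Li describes: the linear verifier accepts, execution ends in a type confusion, and only the flow-following verifier rejects the program. In a real VM the integer would become a pointer the attacker controls, which is what turns this class of bug into an exploit.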

The final session that struck home for me was “Welcome To Rootkit Country,” from Graeme Neilson. His targets were atypical of traditional rootkit targets, as he focused on firewalls and routers. Neilson’s question “Can the integrity of the OS be trusted?” had many heads nodding in agreement. (I was one of them.) Even I was surprised by the amount of firmware that still uses hardcoded passwords and no integrity checking. Let’s be honest: You are just asking for trouble here. Neilson walked us through rolling your own rooted firmware as well as methods of installing it both remotely and locally across a wide variety of firewalls. Again, I walked away believing this more firmly than ever: any device, any OS, any application can be broken or 0wned. At this point I was roped into hallway discussions on the future of embedded-device security, rootkits, and what PWN2OWN really means for the future of the security industry.

When you consider how much infrastructure runs on embedded devices and how enterprises are more and more rapidly adopting mobile technologies, these types of conferences are becoming more relevant than ever.

Although it was really no surprise, the iPhone 0wnage by Charlie Miller during PWN2OWN was a portent of the near future of iPhone exploits and attacks. Miller used a drive-by download attack to 0wn the phone. Like many attacks, it simply required the phone user to surf to a rigged website. This caused a browser crash, but once the browser was relaunched Miller was able to hijack the entire address book. Pay attention to this type of attack, as it has far-reaching implications. Far more impressive to me was the BlackBerry attack by Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann. By chaining together a series of bugs in WebKit, the open-source browser engine recently added to BlackBerry, they were able to steal the device’s contact list and image database, and even write a file onto it. What makes this so impressive? BlackBerry is an almost undocumented system, so the attackers had to rely on assumptions about the Java Virtual Machine and browser functionality. RIM is said to be planning to add ASLR and DEP in the future; however, because there are established evasions for these defenses, we shall see where this goes.

Today holds one more Adobe session for me, stale pointer theory, and some cool fuzzing.

Malware in Recent Korean DDoS Attacks Destroys Systems

There has been quite a bit of news recently about distributed denial-of-service (DDoS) attacks against a number of South Korean websites. About 40 sites, including those of the Presidential Office, the National Intelligence Service, the Foreign Ministry, the Defense Ministry, and the National Assembly, were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults resemble those launched in 2009 against sites in South Korea and the United States; there is no direct evidence connecting them so far, but they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that once a specific time condition is met, the malware destroys the infected computer’s master boot record. Overwriting the MBR renders the machine unbootable; combined with the file wiping described below, it effectively destroys the data on it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which provide the additional instructions. Looking at the distribution of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Distribution across this many countries increases resilience to takedowns. (A chart of first-layer C&C servers by country accompanied the original post.)

This is further supported because the list of first-layer servers can be updated at any time.

In the disassembly graph that accompanied the original post, the red code blocks deal with contacting the first-layer C&C server, the green code blocks retrieve the list of second-layer servers, and the blue code blocks handle file downloads from the second-layer servers.

Botnets of infected computers usually receive commands directly and carry out the nefarious intent of their controllers. In this case, however, the C&C application behaves more like a downloader. Instead of directly interpreting commands, the application simply downloads files to the local hard disk. Secondary malware components that run independently of the main service find these files and then evaluate their contents to carry out an attack.

The two layers make the malware harder to analyze because an analyst must understand many components and cannot simply follow the code flow within one binary. Post-mortem forensics, however, are easier: the task files are written to disk, so on an infected computer we can identify exactly which tasks were delivered.

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When it is installed on a new computer, the malware records the current time stamp in the file noise03.dat, which holds the number of days this computer is given to live. When that period is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is capped at 10. Thus any infected computer will be rendered unbootable and its data destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data if the system time is set to before the infection date.

The list of file extensions that will be overwritten is particularly interesting. It contains typical document data:

  • doc, docx, docm
  • xls, xlsx
  • pdf, eml (saved email messages)

The list also contains some programming-language file extensions, such as c, cpp, h, and java. Wonder what they thought would be on the infected machines? Or did they already know?
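For responders, the useful thing to pull out of the description above is the exact trigger condition and the file-targeting rule. The following is an added example written for this post, not the malware’s code: it performs no destructive action and only evaluates the conditions described (the day cap, the clock-rollback rule, and the extension list) so an analyst can tell how long an infected host has left and which files would be hit. The post does not document the on-disk format of noise03.dat, so the infection time is passed in as an already-parsed datetime; the file listing is constructed sample data.

```python
"""Model of the kill-switch timing and file targeting described in the post."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

MAX_TTL_DAYS = 10  # cap on lifetime extensions stated in the post

# Document and source-code extensions listed in the post (matched case-insensitively).
TARGET_EXTENSIONS = frozenset({
    "doc", "docx", "docm", "xls", "xlsx", "pdf", "eml",
    "c", "cpp", "h", "java",
})


def effective_ttl_days(requested_days: int) -> int:
    """Task files may extend the lifetime, but never beyond MAX_TTL_DAYS."""
    return max(0, min(requested_days, MAX_TTL_DAYS))


def wipe_due(infected_at: datetime, now: datetime, requested_days: int) -> bool:
    """True once the allotted days are exceeded, or immediately if the clock has
    been set back before the recorded infection time (the anti-tamper rule)."""
    if now < infected_at:
        return True
    return now - infected_at > timedelta(days=effective_ttl_days(requested_days))


def is_target_file(path: str) -> bool:
    """Match on the final extension only: 'main.c' is hit, 'main.c.bak' is not,
    and a file with no extension (e.g. 'hosts') is never matched."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in TARGET_EXTENSIONS


def triage(infected_at: datetime, now: datetime, requested_days: int,
           paths: Iterable[str]) -> Dict[str, object]:
    """Summarize an infected host: effective TTL, whether the wipe is due,
    hours left before it fires, and which files on disk would be zeroed."""
    ttl = effective_ttl_days(requested_days)
    deadline = infected_at + timedelta(days=ttl)
    if now < infected_at:
        hours_left = 0  # rollback: the wipe fires on the next check
    else:
        hours_left = max(0, int((deadline - now).total_seconds() // 3600))
    return {
        "ttl_days": ttl,
        "wipe_due": wipe_due(infected_at, now, requested_days),
        "hours_remaining": hours_left,
        "files_at_risk": [p for p in paths if is_target_file(p)],
    }


# Constructed sample: host infected at the campaign start, listing taken six days later.
INFECTED_AT = datetime(2011, 3, 4, 10, 0)
SAMPLE_PATHS: List[str] = [
    r"C:\Users\kim\Documents\budget.XLSX",
    r"C:\Users\kim\Documents\report.docx",
    r"C:\src\netd\main.c",
    r"C:\src\netd\main.c.bak",
    r"C:\Users\kim\Pictures\holiday.jpg",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def demo() -> Dict[str, object]:
    """A task file asked for 30 more days; the cap still ends the host on day 10."""
    return triage(INFECTED_AT, datetime(2011, 3, 10, 10, 0), 30, SAMPLE_PATHS)
```

Two details matter in practice. First, the extension request is clamped, so no task file can push a host past day 10; a responder who knows the infection time knows the deadline. Second, rolling the clock back to "buy time" is exactly the tamper case that fires the wipe immediately, so the right containment step is to image the disk and pull the host off the network, not to touch the system time.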

One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyberfrontier.


Our standalone malware-removal tool Stinger has been updated with a more generic detection of the malware involved in this attack. Stinger is available for download here.

Heroin, Cocaine & Rockets – But please don’t panic…

This little gem of a spam run was widely broadcast last night and caused some alarm. Take a look, I’m sure you’ll see why.

1. Heroin, in liquid and crystal form.
2. Rocket fuel and Tomohawk [sic] rockets (serious enquiries only).
4. New shipment of cocaine has arrived, buy 9 grams and get 10th for free.
Everyone is welcome, but not US citizens.
ATTENTION. Clearance offer. Buy 30 grams of heroin, get 5 free.
Prices upon reqeust [sic]:
Our email: <redacted>@<redacted>.COM
PHONE 0093 (0) 20 <redacted>
FAX 0093 (0) 70 <redacted>

This is actually a really old prank, originally targeted at the Dark Profits website in 2003. It is simply a prank twist on a traditional email Joe Job, designed to flood the victim’s mailbox, phone, and fax with responses.

We saw a couple of different flavors of this campaign targeting different entities; however, all were appropriately caught.

Snopes has a great article in its archive if you’d like a refresher.

Don’t panic. Nothing to see here!