March 21, 2006
Rootkit.hearse
On March 20th, we here at Sana Labs discovered an in-the-wild rootkit and Trojan that has been actively infecting machines since about the 16th of March. This kernel-level rootkit was designed to stealth a Trojan that has some pretty scary capabilities. First, the Trojan survives reboots and does not run as a separate process. Second, it can discover passwords used previously on a machine, so it does not need to log keystrokes. And third, since the Trojan is hidden by the rootkit, end users cannot see the Trojan on their disk.
This Trojan and rootkit were found during the investigation of an in-the-wild worm named Win32.Alcra. This worm, if not stopped, attempts to contact various websites and download additional payloads. On one of these websites was the installer for this rootkit and Trojan. Once these components were silently installed on a machine, the Trojan invisibly started communicating with yet another web server, located in Russia. This web server acts as the repository for the stolen usernames and passwords.
One of the sites is still actively infecting machines. It attempts to download several pieces of spyware, adware, and Trojans, in addition to the rootkit. The rootkit has two pieces: a device driver named 'zopenssld.sys' and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where it resides, though the malicious versions are located in the System32 folder.
While the DLL is invisible on the file system, it is visible as an injected DLL in many running processes. Since zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it can survive even in safe mode.
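The discrepancy just described (a DLL that processes and the Winlogon registration report as in use, but that never appears in a directory listing) is exactly what a cross-view check catches. The following is an added example, not Sana's code or the tools mentioned below: the process-module list, Winlogon Notify entries and directory listings are constructed samples standing in for Process Explorer, Autoruns and a normal directory listing on an infected machine.

```python
"""Cross-view detection of a file-hiding rootkit (added example, constructed data)."""
import ntpath
from collections import defaultdict

# Constructed sample: modules reported as loaded in running processes,
# the kind of view Process Explorer's DLL pane gives.
LOADED_MODULES = [
    ("winlogon.exe", r"C:\WINDOWS\system32\zopenssl.dll"),
    ("explorer.exe", r"C:\WINDOWS\system32\zopenssl.dll"),
    ("explorer.exe", r"C:\WINDOWS\system32\shell32.dll"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

# Constructed sample: Winlogon Notify registrations, as Autoruns would list them.
WINLOGON_NOTIFY = {
    "zopenssl": r"C:\WINDOWS\system32\zopenssl.dll",
    "crypt32chain": r"C:\WINDOWS\system32\crypt32.dll",
}

# Constructed sample: what a directory listing through the normal file API
# returns.  A file-hiding driver filters its own names out of this view.
VISIBLE_LISTING = {
    r"C:\WINDOWS\system32": {"shell32.dll", "crypt32.dll", "kernel32.dll"},
    r"C:\Program Files\Internet Explorer": {"iexplore.exe"},
}


def _norm_listing(listing):
    """Lower-case directories and names: NTFS lookups are case-insensitive."""
    return {d.lower(): {n.lower() for n in names} for d, names in listing.items()}


def _is_visible(path, norm_listing):
    """True if the file's own directory listing shows the file."""
    directory, name = ntpath.split(path.lower())
    return name in norm_listing.get(directory, set())


def cross_view_diff(loaded_modules, winlogon_notify, visible_listing):
    """Return {hidden_path: [references]} for every file that a process or a
    Winlogon Notify entry refers to but that the directory listing omits.
    A file that is demonstrably in use yet absent from its listing is the
    classic symptom of a file-hiding rootkit."""
    norm = _norm_listing(visible_listing)
    hidden = defaultdict(set)
    for process, module_path in loaded_modules:
        if not _is_visible(module_path, norm):
            hidden[module_path.lower()].add(f"process:{process}")
    for value_name, dll_path in winlogon_notify.items():
        if not _is_visible(dll_path, norm):
            hidden[dll_path.lower()].add(f"notify:{value_name}")
    return {path: sorted(refs) for path, refs in hidden.items()}


def report(findings):
    """Render findings as one line per hidden file."""
    return [f"HIDDEN {path}  referenced by {', '.join(refs)}"
            for path, refs in sorted(findings.items())]


if __name__ == "__main__":
    for line in report(cross_view_diff(LOADED_MODULES, WINLOGON_NOTIFY, VISIBLE_LISTING)):
        print(line)
```

On a real machine the three inputs would come from the live module list, the Notify key and a directory walk; the comparison logic is unchanged.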
The Trojan appears not to be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication. To view it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to http://bankofamerica.com, and entered a fake username and password. All of the network traffic was recorded, and after ending the web browser session, the Trojan communication became apparent.
After further investigation, it was determined that this Malware was sending information to a web server located in Russia. Ironically, this web server was not secured, and any user browsing the site could view the information that was being stolen.
According to the dates on this web server, it has been active since at least the 16th of March. The oldest stolen data observed was from the 19th of March. Based on the sheer amount of data that has been stolen, the infection has been more than tripling in size every day.
Finally, I just want to give a big thanks to Sysinternals and the developers of Ethereal for making such great tools (RootkitRevealer, Process Explorer, Filemon, Autoruns, and Ethereal).
September 01, 2005
Reflections on Zotob
Now that the authors of the Zotob worm have been arrested it seems an appropriate time for some reflections.
Many of us were wondering what had happened to all the worms. My take on it was that it was simply due to chance: with usually no more than two major worms in any year, there is a high probability there will be no worms at all.
There are a few very interesting features about the Zotob incident. One is the loss of the patching window - the worm started spreading 5 days after Microsoft announced the vulnerability. Other security experts and I have been talking about this likely occurrence for years, although 5 days still seems slow to me. I expect that soon it will be no more than 24 hours.
And what will we do then with patches and AV signatures if the worm prevents an infected machine from getting help? This truly could be the death of signature-based systems, as Vincent Weaver, senior director of Symantec's security response team said:
"Using signatures as a primary defense is no longer effective today"
No wonder there is a growing emphasis on heuristics and behavioral approaches that don't need signatures.
Another interesting aspect is the "war" that erupted in the wake of Zotob. Evidently, multiple varieties of malware (11 different types according to F-Secure) were all attacking the same vulnerability, and competing for control of the host, for example, trying to remove competing bots. Clearly, there are multiple worm writers on the loose, so the idea that no one wants to write worms any more is just dead wrong (see point 2 in my previous post).
Even more interesting, from the point of biomimicry, is that computers are becoming battlefields for malware, just as our bodies are battlegrounds for microbes. This could be a dangerous trend, because it gives malware authors the incentive to make their malware more virulent, so that they get to the victim first. On the other hand, it may be a good thing, by increasing the soft selection on malware. Who knows, perhaps Zotob would have been worse if it weren't for all the subsequent competing variants? Whatever the case, digital life progresses apace - this will not be the last worm we shall ever see!
Posted by sana at 05:05 PM
June 16, 2005
On the Virulence of Malware
In a previous post, I talked about the evolution of malware and speculated that we might see malware that evolves to be useful, similarly to the way mitochondria have evolved to be useful to us. So it was with great interest that I read a recent article in Security Focus about the evolution of malware, in which they argue that malware is becoming more stealthy and more benign (non-destructive) in terms of damage done to the host computer. They claim that because malware is more useful to the attacker (e.g. for financial gain), the malware is less likely to have a destructive payload. To support this, they present data that shows a distinct trend over the last five years in the growth of non-destructive malware. This is the key graphic in their paper:
The authors claim that this is a perfectly logical consequence of the fact that malware is becoming a "truly successful parasite". They list three conditions for a parasite to be "truly successful":
1. it spreads rapidly and effectively;
2. it does not cause a violent adverse reaction in its host such that it is rapidly destroyed;
3. it is able to extract valuable resources from its host.
This is a rather naive view of parasites, at least from a biological perspective. In the biological world, "success" is defined purely by survival and propagation: the more copies there are of a parasite, the more successful it is. We can look at this measure of success in different ways, for example, if a parasite can retain high numbers across a variety of environmental changes, then it is even more successful (robustness to environmental perturbations). The issue is that this definition of "success" introduces a new tension that may favor destructive behavior towards the host: increasing the number of copies of a parasite greatly increases the chance of it being virulent, i.e. harming the host.
In fact, the evolution of virulence of a parasite is not well understood and is very complex, depending on a variety of factors, including:
1. Transmission mode is theorized to be the main determinant of virulence, but the relation is complex; for example, virulence in malaria is positively correlated with transmission up to a certain limit, but after that excessive virulence is selected against because harm to the host will prevent transmission.
2. Some results indicate that the more "durable" the pathogen (its ability to survive outside the host), the more virulent it will be, because it has low reliance on host survival. This has been termed the "curse of the Pharaoh" because Lord Carnarvon was thought to have died of an extremely durable pathogen he was infected with upon opening the tomb of Tutankhamun.
3. Hard selection (the death of an individual is independent of others) results in higher virulence because there is pressure to produce more copies, which causes harm. An example of this is a model demonstrating that immune responses boost virulence.
4. By contrast with the previous point, soft selection (the death of an individual is dependent on others, e.g. through competition) can actually lead to lower virulence. This is a consequence of interference between pathogens reducing host exploitation.
5. Vaccinations can have differing effects on virulence: imperfect vaccines are likely to increase virulence, whereas perfect vaccines that block transmission are likely to decrease virulence.
The above list is by no means exhaustive and there is a lot of debate about these various factors. One thing that is clear is that it is extremely hard to generalize. An article in Proc Biol Sci (2001 Nov 22;268(1483):2331-7) cogently makes this point:
Consequently, a detailed mechanistic description of how parasites and other mortality sources combine to cause host mortality is required before reliable predictions about virulence evolution can be made.
Given the complexity of the evolution of virulence in biological parasites, it is interesting to speculate on how particular factors in computer systems could influence the evolution of virulence in computer malware. As in biological systems, the picture is anything but simple.
First, we have to understand what it means to be successful for malware. This can be quite varied. For self-replicating malware such as worms and viruses, success could be very similar to that in biological systems: the number of copies extant. But if we define success in terms of the malware writers' goals, then there could be many definitions. Some goals will lead to destructive malware and some won't. Here are some ideas:
1. Attackers that want to steal information or use the resources of victims for spam relays or other such purposes are likely to favor reduced virulence, because the computers are valuable resources.
2. Attackers might alternatively want to take down machines in Denial-of-Service style attacks, or corrupt data, either as part of an extortion racket, or industrial sabotage, or terrorism or for other reasons. In this case, damage to the host is probably mandatory.
3. The increase in the variety of malware and the number of malware authors, and the increase in the number of malware on any one computer, is likely to lead to increased virulence because there will be more buggy malware causing problems, and there will be more unforeseen contention between malware. We can already see evidence of this in the way spyware can clog up machines and render them virtually unusable.
4. Some of the biological results mentioned above indicate that an immune response can increase virulence. Does this imply that security mechanisms for computers would also be likely to cause virulence?
5. What are the effects of hard and soft selection? In the biological world, there is some evidence that soft selection decreases virulence. Does this imply that having multiple varieties of malware on your computer will decrease their virulence as they compete amongst themselves? This would be counter to the argument I made in point 3 above!
6. What about malware that causes harm as a side-effect of spreading very rapidly, like the SQL Slammer worm? Clearly, if the malware author's intent is to get it on every machine for purposes such as information stealing, then a noisy, visible worm that overloads the network is a bad idea. However, what happens if a new vulnerability emerges and multiple worm writers decide to exploit it in order to get malware on as many machines as possible? If each worm closes off the vulnerability behind it, then the worm that moves the fastest will be the most successful in compromising the most machines. But that very factor increases virulence, at least in terms of network load. It is unavoidable, just as it is in the biological world. Will we see such races in future, increasing virulence?
This certainly is a complex and fascinating topic. I would love to see the writers of the Security Focus article extend their analyses to consider more factors. I will certainly be an avid reader!
Posted by sana at 10:10 AM
May 11, 2005
Evolving viruses
The May edition of Virus Bulletin has an interesting analysis of a virus called Zellome ("It's zell(d)ome the one you expect"). Zellome is unique in that it uses a genetic algorithm (GA) to generate decryptor routines for its polymorphic engine. Essentially, it generates a population of possible decryptors (arithmetic expressions), and mutates and combines them to find one that successfully decrypts the encoded data - which has been generated using a random quadratic function.
As the analysts point out, there are much easier ways to do the decryption, and the GA is time consuming (it can take as much as half a day to find a decryptor) and computationally intensive. Furthermore, the virus still contains an unobfuscated decryption loop, so it is easy to generate a signature for Zellome, and the polymorphism does nothing to affect this.
Although Zellome may be a rather useless application of GAs, the idea of an evolving virus is an intriguing one. In fact, the analysts speculate that the author of Zellome may have had the intention of evolving more than just the decryptor, because a 10MB buffer is allocated for the decryptor, which is large enough to easily contain the complete code - around 1.5MB.
There is already an evolutionary process that happens with computer viruses, but humans are closely tied into the loop, at several levels. Humans generate the viruses initially, and other humans define the fitness functions by devising means of eliminating viruses. Mutation is also implemented by humans - a typical virus will have many variants, which are essentially mutations of the original virus.
The polymorphism that we see today is not quite full mutation, because it is only the superficial appearance of some parts of the virus code that change; the functionality of the code does not change, and there are always some non-changing sections for the decryptor. The key to a truly automated mutating virus is one that has the ability to mutate its functionality, just as virus writers often change the functionality when they write the next variant of a virus.
As virus writers develop ways of mutating functionality, so the evolutionary process is likely to become increasingly automated. It will no longer suffice for an Antivirus vendor to develop a signature for a particular instance of a virus, because from one copy to the next, that signature will change - there will be no constant decryptor section to latch onto. This will require more automated response mechanisms that don't rely on detailed human analysis of the virus, because there will be too many variants to cope with. The consequence is that the automated response systems will provide an implicit fitness function for powering the evolutionary process.
We can imagine this ecosystem growing ever more complex and lifelike over time. One possible extension is using crossover: when a virus infects a new host, it scans for other viruses, and if it finds them, it uses parts of the other virus code to generate offspring. Of course, this idea could be taken much further - the virus could use bits of code from any program on the system, sort of like gene swapping in bacteria.
True mutation, crossover and gene-swapping could result in viruses that are completely autonomous, in that they survive without human intervention - in fact, even in the face of humans attempting to get rid of them. Currently, if virus writers stopped producing viruses, it wouldn't take very long for all the viruses out there to die out, because true virus novelty comes from the virus authors, not from an automated evolutionary process.
Truly autonomous viruses will really be alive, and it is fascinating to explore the consequences of this. Viruses will have to exist in a hostile world, where both human users and defense software are trying to eliminate them. Viruses will no doubt evolve to be adaptable, spread rapidly, and evade defenses.
But another bizarre consequence is that some viruses may evolve to be useful: just as our bodies have incorporated bacteria that once may have been parasitic (such as mitochondria), so computer systems may incorporate code from viruses that once were destructive. The key is that the selective pressure in these systems favors co-operation, so any virus that has useful functionality, or modifies existing programs in useful ways, will survive and prosper. For example, imagine a virus that evolves a new way of compressing code in order to transmit itself more efficiently - that compression algorithm would soon become extremely widespread.
Mutating viruses may not be all bad.
Posted by sana at 02:28 PM
May 02, 2005
Oh those spelling errors
Last week F-Secure reported on a nasty web site - gookle.com - that exploits a typing error to infest unsuspecting visitors with at least a dozen pieces of malware.
I would recommend you don't go anywhere near gookle.com, but of course, I didn't take my own advice and had to visit the site to see how well Sana's latest Active Malware Defense Technology (MDT) would work. I was extremely excited to see that it detected and stopped everything! By contrast, when I used several other popular commercial offerings of AV and anti-spyware software, with fully up-to-date signatures (at the time of testing), the best any of those signature-based systems could do was detect half of the malware.
In general, the purpose of this blog is certainly not to push my company's products, since this blog is totally independent from Sana, and intended to be a way of getting my random thoughts and comments out. However, this time around I felt this deserved a mention, because it illustrates something very important about the changing nature of malware and the security arms race.
Sana's Active MDT uses heuristics to look at program behavior to determine whether or not a running program is malicious. As such, it uses no signatures and doesn't need to know anything particular about the malware, as long as the malware does nasty things. Hence it was straightforward to detect all of the malware at gookle with Active MDT. By contrast, signatures aren't good at catching new varieties of malware, a fact that is clearly illustrated by the poor detection rates of traditional technologies on the gookle malware.
And these limitations in signature-based defenses are only going to become more extreme. In a previous posting I talked about how mutating and changing malware was avoiding signature-based defenses. The gookle attack is a good example of how new malware can avoid signatures. If attackers are going to go to the trouble of putting up such a website, there is no reason why they wouldn't use a tool such as Morphine to ensure that none of the malware on their site is detectable by signatures. Clearly they didn't do that for all the malware on gookle, but I suspect that in future attackers like them will.
Another point about the gookle site: we became aware of it when it was discovered by F-Secure, but gookle.com was first registered on the 30th December, 2000. So the site could have been up for a long time before it was discovered by F-Secure, and could have been infecting people all that time, and their signature-based AV defenses would have been largely useless. Signature-based technologies are playing catch-up, but I'm afraid they're falling further and further behind in the race. It's time for a change.
Posted by sana at 01:50 PM
March 28, 2005
Malware on every device
The Register has an amusing article on exploiting cell phones. We are seeing these kinds of stories with increasing frequency of late. For example, there is a recent article on a Symbian trojan that is attacking AV. But cell phones are not the only devices that are at risk of being targeted by attackers. As devices with increased computing power proliferate, more and more of them are going to be vulnerable.
This will extend to all sorts of devices. For example, there was the rumor about a virus in Lexus car onboard computers - which was unfounded, but nonetheless points the way to the future, since such a virus is feasible. Other devices include things such as home entertainment systems, home control systems, even toasters!
The implications of this proliferation of devices for security are huge. We can no longer rely on the old antivirus model of updating signatures to take care of the problem. Signatures are too slow, too reactive and too costly. Furthermore, devices will be vulnerable as soon as they are shipped, and signature-based AV is not going to help, because by the time the user gets the device, the signatures will already be out of date, and many people won't be able or willing to keep those signatures up to date: according to an NCSA/AOL survey in October of last year, two-thirds of PC users do not have up-to-date AV.
Think about it: would you want to pay for signature updates for your TV, your car, your computer, your cellphone, your ...?
Posted by sana at 01:09 PM
March 10, 2005
Where have all the worms gone?
We haven't seen a serious network worm in what appears to be ages. People are beginning to forget about the devastation wreaked by Slammer, Blaster and all the others, especially in the light of other pressing problems such as phishing and spyware.
But why haven't we seen a virulent, destructive network worm? I've heard several different theories and predictions:
1. All the worm writers are just dumb kids who have got scared because they've seen other worm writers put behind bars. This strikes me as a specious argument: I suspect that the testosterone-rich environment of young worm writers who are doing it for the glory is not dissimilar to that around extreme sports such as urban-assault biking or extreme snowboarding, and in those sports, the element of danger adds to the thrill - if one person gets seriously injured, it often doesn't put everyone else off, it just ups the ante.
2. All the worm writers are now in the employ of evil geniuses who are focused on profits and world domination. Hence they are doing more subtle and lucrative things, are too busy to write worms, and are no longer interested in them either. I don't buy this one either: it doesn't take long to write a worm on the side, and we have no evidence that those people who used to write worms are now employed by crime syndicates. In fact, if worm writers traditionally did it for the glory, they might be the ones least likely to be employed by organized crime, because they can't be trusted to be stealthy. Furthermore, what better way to phish than getting a trojan on a victim, and what better way to get the trojan there than through a worm? And if you want to own a large number of computers for launching denial-of-service attacks as part of an extortion racket, what better way to get those computers than via a worm?
3. Networks are getting more secure and hence there is less ability for worms to wreak havoc, so worm writers have not bothered writing new worms. This is patently untrue: for example, a recent vulnerability reported on February 8th is a buffer overflow in SMB that affects all Microsoft platforms, including servers and desktops/laptops. It's a prime candidate for a worm because exploiting it can give ring 0 privileges, and it affects so many systems. In fact, Jose Nazario of Arbor Networks has tried to formalize this notion with his concept of "wormability", which refers to how suitable a vulnerability is for use by a worm. He shows that in 2004 there were 11 highly wormable vulnerabilities, only one of which actually had a worm exploit it.
4. Another one I heard recently is a comment by Charles Ahn in which he says that 2005 will be a big worm year, because worms come in two year cycles. To justify this claim, he refers to the fact that 2001 was a big worm year, with Ramen, Nimda and Code Red, 2002 was quiet, 2003 was big again with Slammer and Blaster, and 2004 was quiet. Such reasoning would be considered laughable by anyone with a decent knowledge of statistics: to predict a trend based on what is essentially two data points is rather a wild leap.
Any other ideas out there? Let me know. Personally, I'd be willing to attribute it purely to the vagaries of chance - I don't see any pattern here. The issue is that the impact of one nasty worm can be enormous, but it takes just one twisted individual (and not even a hugely skilled one at that) to write a worm. And the impact is out of all proportion to the occurrence. There may be many wormable vulnerabilities, but predicting the occurrence of a worm, when so very few of them do occur, is akin to predicting the behavior of a few isolated individuals out of millions. We may have the ability to predict human behavior in some circumstances in large groups, but in this case, I suspect we have no predictability whatsoever.
But then again, perhaps we have already had a few large-scale worms in 2004 and never noticed them. A theoretical possibility is a worm that spreads slowly and surreptitiously, and upon infiltrating a host, installs a kernel rootkit and leaves itself completely untraceable. And perhaps, even when the rootkit is detected, no one realizes that it was deposited via a worm; perhaps, we think, it was merely deposited via a spyware download. In fact, how do we know for sure that amongst the plethora of spyware and trojans on the typical machine, nothing was deposited via a worm?
In conclusion, I believe that the network worm is not dead, just in abeyance, and all hell could break loose at any time, depending on the whims of a few individuals.
Posted by sana at 04:19 PM
February 28, 2005
Mutating malware: the coming storm
There are some amazingly powerful tools out there for changing the appearance of malware on disk. For instance, with Morphine, for 50 UK pounds you can get a unique, mutated version of your malware, and ensuring that your malware will not be detected by antivirus (AV) scanners costs a mere additional 10 UK pounds per AV scanner. Another interesting tool is Execryptor, which will also mutate the code of any piece of software (or malware!) you choose.
What these tools highlight is that there is a new problem with the old signature-based way of doing security. The signature-based approach that is the mainstay of the AV industry today is based on the assumption that any instance of malware (typically a virus or worm) is very common (worms and viruses tend to replicate, otherwise they are not dangerous). The expense and effort of developing a signature is only justified for malware instances that replicate on a large scale.
But now attackers are able to customize each malware instance for each particular task or attack - this is trivial to do with tools such as Morphine and Execryptor. Consequently, there is an explosion of unique instances of malware, and it becomes infeasible to use signatures as a defense, because we never see the same malware instance twice. By the time a signature is developed for a specific malware instance, it is too late to stop that instance, and you'll never encounter something like it again, so the signature is useless in perpetuity.
The storm is coming...
Posted by sana at 02:41 PM