Monday, February 25, 2008

About VMWare Exploit

A few days ago, Core Security Technologies reported about a new vulnerability that was discovered in all versions of VMware's desktop products.

It normally takes some time until vendors release their patches. Meanwhile, most of the researchers have not much choice left as to wait.

Being armed with the knowledge that Core Security Labs researchers have shared with us, let’s give a quick look at what’s actually going on inside the VM host’s brains.

The trouble is caused with the way the executable file vmware-vmx.exe is making an API call MultiByteToWideChar(), as shown below when the executable is loaded into the disassembler:

Now, let’s run the VMWare Workstation (in this example, build # was used).

Inside the VM, we need to execute the code that relies on the exploit. On the host, you will need to run a debugger and attach it to the process vmware-vmx.exe.

Setting up a breakpoint is tricky, as it will be hit every time you move your mouse in the guest OS. Thus, you’ll need to disable the breakpoint, run the exploit code with some delay before it, then switch back into the host, and re-enable the breakpoint.

When the breakpoint is hit, right before the MultiByteToWideChar() API call is made at 0x00467DDE, the debugger window may look similar to:

As you may see, the parameter #1 is the Code Page. It’s specified as 0xFDE9, which is declared as CP_UTF8 in the header file Winnls.h.

Parameter #2, according to MSDN, is a flag that specifies how to deal with the invalid characters.

VMWare has this flag set to 8, declared as MB_ERR_INVALID_CHARS.

That’s how VMWare protects its users – if some nasty kid intentionally places some malformed characters, VMWare bets that this single flag will save us all by saying “Nah, your character is illegal – who are you trying to cheat here?”.

Let’s see what the parameter #3 is. It’s a pointer to the multi-byte string that needs to be converted. In our case, it's a malformed string.

The picture shows the contents of memory pointed by the 3rd parameter. Its ASCII representation looks Ok, excepting a few weird characters displayed on the place of 0xC2.

Now, let’s see if the API and the MB_ERR_INVALID_CHARS flag will protect us against such malformed string.

The picture below shows what happens after the MultiByteToWideChar() API call is made.

As seen on the picture, the malformed string has been perfectly converted. Moreover, 0xC2 characters became dots.

In the result of such conversion, the dot-dot syntax will provide an “escape” from the secured shared directory back up into the host’s parental directories, giving the exploit code full access to the host’s environment. This trick is known as a Directory Traversal Attack.

Obviously, if a malware researcher needs a practical solution that works now, the vmware-vmx.exe executable can be patched manually.

Firstly, the parent procedure from which the call occurs, may want to push 0x0FDE8 instead of 0x0FDE9. This will change the first parameter of the MultiByteToWideChar() API from CP_UTF8 to CP_UTF7. Thus, the malformed characters will not be converted into the dots – they’ll stay as they are, failing other checks down the execution flow.

Secondly, the second parameter responsible for the malformed string protection should be also be modified or otherwise the MultiByteToWideChar() function will fail.

The best bet, however, would be to wait for the official patch from the vendor. Let's hope their second attempt to patch this exploit has more luck than the first one.

Tuesday, February 19, 2008

Malware Employs a Memory Injection Technique Patented by Microsoft

Digging inside the internals of one little piece of malware introduced one interesting discovery.

It’s been a few months since the first Pushdo threat analysis reports appeared in the blogs of other researchers.

It started from a Sophos blog entry, followed by an excellent research by Joe Stewart from SecureWorks and some other interesting papers.

At first sight, the Pushdo intrigues with its HIPS-killer capability, mentioned in the earlier ThreatExpert blog post.

Next, Cutwail/Pandex component that Pushdo downloads and installs, grasps attention with quite unusual encryption key used to encrypt its communication with the server:

It’s a greeting message in Russian to malware analysts to “get lost” by using an offensive slang. Please note the decryption string below is a reverse of the same greeting message.

But let’s go a bit deeper and try to figure out how it starts and infects the legitimate Internet Explorer process.

As seen from the code, the mailbot constructs the full path filename of Internet Explorer, and then uses that name as a command line to start up a new process with the CreateProcess() API.

Have a look at its parameter #6 – it’s a creation flag. This value uses a value of 4, which is a constant CREATE_SUSPENDED.

MSDN documents this flag constant as:

“The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called”.

Soon after that, the trojan allocates memory inside Internet Explorer with VirtualAllocEx(), injects malicious code at its image base with WriteProcessMemory(), and finally, it launches a remote thread in the injected code with CreateRemoteThread() API:

Immediately after infecting Internet Explorer process, the trojan submits a control code to its kernel mode driver runtime.sys that instructs it to hide the newly created and infected Internet Explorer process.

This infection method is different from the one that is used by Pushdo’s competing botnet Storm.

Storm relies on a memory injection method that was firstly suggested by Mailbot/Rustock, that is, allocating space on a heap memory of a legitimate process services.exe, infecting and then starting remote thread in it.

Rustock’s method is different as it infects a process that is already running, taking advantage of the fact that the infected process is critical for the system – it cannot be terminated, and there is no reason to hide it as it’s a legitimate process. Also, a hidden process could be detected by an anti-rootkit, and thus, draw an unnecessary attention to the compromised system.

This makes Pushdo/Cutwail/Pandex memory injection method something new.

Did they invent it to beat the competing Storm gangsters?

The answer to this question is No. They did not invent it. Microsoft did.

United States Patent 6698016


Title: Method for injecting code into another process

Let’s read its description.

“The invention allows the module to be injected into the target process as soon as the target process starts. The module is injected before any target process instructions are executed.

The target process is then started, resulting in the execution of the inserted instructions.

One of the flags that can be set in this command is CREATE_SUSPENDED. When this flag is set, the process is created in a suspended state. This means that the process is loaded into memory, but does not run until the ResumeThread command is called.

Overwriting a target process starting instructions with replacement code is done by preparing a structure in memory which contains the code and its associated parameters. This structure is then copied into the target process memory at the starting address by running the WriteProcessMemory command. The target process is then allowed to resume execution with a call to ResumeThread.”

Pushdo’s deviation from the Microsoft patent is that it does not inject instructions that load an addition module – it rather directly injects the malicious instructions as it does not need to restore the original process execution.

We’ve seen before how Microsoft’s “hot-patching” techniques are similar to the inline hooks installed by the rootkits.

However, replicating a technique documented in a software patent must be something new for malware.

The danger of this situation is that while a software patent cannot be adopted by a legitimate business without proper licensing agreements in place, a malware must have no problem with that.

Thus, the basic questions are:

- what purpose does this software patent serve?

- whatever the benefit of this software patent is, does it actually outweigh the danger of its "infringement" by malware?

Sunday, February 17, 2008

Worms can’t be friends

If you happen to have a lock on your door that can easy be picked by the burglars, does it grant police any right to pick your lock and enter your private property without any authorization?

Does it give your bank or your landlord any right to do the same?

The “friendly worm” idea is based on an assumption that if your door is equipped with such a lock, then it should be opened without your permission, so that the lock can be changed and your place can further be inspected.

Law? Privacy? Forget these funny words. With the “friendly worm” in place, your privacy boundaries are determined by the strength of your locking mechanism only.

You might ask, well, “even if” the purpose of doing so is legitimate, can it still be exploited by others?

Good question.

The answer is: Yes, it can.

A malware that infects the “friendly worm” will also easily enter all unlocked premises.

Having such perfect propagation mechanism must be a wild dream for the malware authors: they don’t need to dig underground forums searching for any published exploits anymore - just hop on the tail of the “friendly worm” and enjoy the ride!

Thursday, February 14, 2008

Malware Hit Parade

We all know the old practice of presenting "Hot Ten" or "Hot Twenty" malware families for a given month or a year.

But if you look closer, in the old times we were all dealing with just a few common threat categories. The charts were precise enough to reflect the real situation at the battlefield between the AV vendors and the "nasty kids".

These days, the situation is different.


Have a look at the charts displayed by other AV vendors. Aren’t you asking yourself what the 5-year old threats are doing there? How come the old Netsky, Mytob, or Beagle still rule the parade?

Isn’t it the sheer volume that drives them up so high?

While the volume itself might be a good indicator of threat "nastiness", it’s not the only parameter that should be counted in. Threat complexity, its adoption of new techniques, its stealthiness, the malicious payload it carries in, the challenge it represents for the analysts to detect and clean it - all these factors should ideally be considered.

Thus, to make things worse, we decided to make a slight drift away from the “Hot N” malware classification approach, and present a few "hot" malware categories instead. Then, identify what threats were “the worst" in each category.

By saying “the worst”, we mean the most dangerous, the most difficult, or the most intriguing – it all depends on a threat itself.

Well, let’s start then.

Ladies and Gentlemen,

We welcome you to our "Worst Malware" Award Ceremony!

January 2008 was an interesting month. We've seen the reincarnation of some old tricks such as MBR infection, or PE-file infection.

Thus, our first nomination category is "The Worst Malware Infector".

At first sight, it seems like Virut and Jeefo are the old "guys" who rule on this block now.

This month however, we've seen an explosion of Win32.Trats submissions. When an existing nasty adopts a new file-infection vector, that’s a disturbing sign by itself.

Win32.Trats is an old known threat called Vundo, a tough long-standing trojan that now infects files. When run, it starts searching for other executables on a hard drive to infect them by prepending its own body.

When the prepender gets control, it detaches and runs the original executable.
For example, if you run notepad infected with Win32.Trats, the prepender will detach and run the original notepad. This way, the user thinks nothing happened as the original application was run as expected.

Note: Vundo is also known as VurtualMonde and VurtuMonde.

The next nomination category is "The Worst Rogue AntiSpyware".

There must be something personal going on between the group that produces rogue antispyware and PC Tools.

As soon as PC Tools released ThreatFire, this group has created their own fake product called MalwareBurn.

PC Tools “Spyware Doctor” trademark must be inducing a long string of "brand names" in their sick imagination: SpySheriff, AntispyBoss, Spyware Soft Stop, the list goes on and on.

They either imitate or bundle the authentic PC Tools software with their trojans, or create other fake products that they put into a rip-off of the PC Tools web site.

Why is it so personal and why they target PC Tools?

Well, PC Tools is an old veteran in the battlefront against spyware. When many larger AV vendors concentrated their efforts in hashing Spybot's sample # zillion N and never really gave a dime for the rogue products, PC Tools' Malware Research Center was targeting these guys specifically.

The rogue antispyware makers must have felt the pain of being busted with every new release of their “masterpiece”.

This month, they made a massive rip-off of the PC Tools website.

Just because of that rip-off, this month’s "award" in the category of "The worst Rogue AntiSpyware" goes to .. SpyShredder (well, this time it’s "shredder" – they must be using a dictionary bot that generates them new names).

Good tip: Watch out and buy authentic security solutions from the authentic vendors!

In “The Worst Rootkit" category there are a few nominees this month.

Among them, the most obvious leaders are Cutwail/Pandex and Storm.

The latest Storm nasty seems to be a real challenge for AV vendors to detect.

Not only it is packed with a polymorphic encryptor, it also employs the old tricks firstly introduced by Mailbot/Rustock. That is, it firstly installs a kernel mode driver. Then, the driver will allocate a space in the heap memory of the legitimate process services.exe, inject there malicious code, and finally it will remotely run threads of that code.

Full ThreatExpert report on the latest Storm is available here.

Cutwail/Pandex (also known as DieHard), on the other hand, employs several different techniques.

One of its tricks is a restoration of certain kernel hooks in an attempt to render HIPS (Host Intrusion Prevention System) useless.

HIPS systems (such as pro-active behavior analysis systems), firewalls, and many other legitimate security products are heavily relying on hooks. If their hooks are removed, they would still appear running but their functionality could be severely disrupted.

A demo below shows how Pandex/Cutwail is able to restore SSDT (System Service Descriptor Table) hooks, thus inevitably affecting a security product. Please note that while PC Tools’ Firewall product is shown in this example, it could be any other legitimate HIPS product.

Once the bot compromises a computer, it virtually becomes invisible to AV scanners and firewalls, as it is running within an infected legitimate process.

In case you didn’t know, compromised bots form an army of zombies. A hacker, who controls that army, then goes into an underground hacking forum and posts something like: "Hey, Comrades! I've got an army of bots for rent or sale. Order your botnet now and save 25%!".

Next .. what's next? Check out your own mailbox, mate.

Tuesday, February 5, 2008

Welcome to ThreatExpert Blog!

Dear Reader,

ThreatExpert is a software program that runs on multiple servers and performs an automated analysis of threat samples coming from various sources.

If you want to explore ThreatExpert, read its reports, or submit your own samples for analysis, please proceed here.

This blog was created to help the users of ThreatExpert to better understand how the automated threat analysis works.

The posts at this blog will describe malware techniques and various interesting tricks that malware authors use. We'll provide an insight into how we build our statistics, and how ThreatExpert analyses and reports threats, even those that have zero coverage at VirusTotal.

We'll also share some tools that we build internally with the hope that these tools may help you in your malware research, or the tools that may help our customers to generically detect many high-profile threats.

These days we are seeing a substantial spike in the malware activity: a wider use of the rootkits, that become more and more complex, and in the same time, the reincarnation of the old malware techniques such as MBR or file infections.

Another important point of this blog is to describe complex malware in plain and understandable language, backed up by detailed illustrations and life analogies.

We hope you will enjoy the journey into the world of malware analysis, and we'll do our best to be your guide in it.

Please stay with us,

Your ThreatExpert team.