Thursday, February 14, 2008

Malware Hit Parade

We all know the old practice of presenting "Hot Ten" or "Hot Twenty" malware families for a given month or a year.

But if you look closer, in the old days we were all dealing with just a few common threat categories. The charts were precise enough to reflect the real situation on the battlefield between the AV vendors and the "nasty kids".

These days, the situation is different.


Have a look at the charts displayed by other AV vendors. Aren’t you asking yourself what the 5-year-old threats are doing there? How come the old Netsky, Mytob, or Beagle still rule the parade?

Isn’t it the sheer volume that drives them up so high?

While the volume itself might be a good indicator of threat "nastiness", it’s not the only parameter that should be taken into account. Threat complexity, its adoption of new techniques, its stealthiness, the malicious payload it carries, the challenge it presents to analysts who have to detect and clean it - all these factors should ideally be considered.

So, to make things worse, we decided to drift slightly away from the “Hot N” malware classification approach and present a few "hot" malware categories instead, then identify which threats were “the worst" in each category.

By saying “the worst”, we mean the most dangerous, the most difficult, or the most intriguing – it all depends on a threat itself.

Well, let’s start then.

Ladies and Gentlemen,

We welcome you to our "Worst Malware" Award Ceremony!

January 2008 was an interesting month. We've seen the reincarnation of some old tricks such as MBR infection, or PE-file infection.

So, our first nomination category is "The Worst Malware Infector".

At first sight, it seems like Virut and Jeefo are the old "guys" who rule this block now.

This month however, we've seen an explosion of Win32.Trats submissions. When an existing nasty adopts a new file-infection vector, that’s a disturbing sign by itself.

Win32.Trats is the well-known old threat Vundo, a tough, long-standing trojan that now infects files. When run, it searches the hard drive for other executables and infects them by prepending its own body.

When the prepender gets control, it detaches and runs the original executable.
For example, if you run a copy of notepad infected with Win32.Trats, the prepender will detach and run the original notepad. This way, the user thinks nothing happened, as the original application ran as expected.
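The layout described above (infector body first, untouched host program after it) is what a scanner has to recognise and undo. The following is an added example, not code from the post or from ThreatExpert: it constructs a file with that layout, flags it using two checks (a known stub at offset 0 and a well-formed PE header starting exactly where the stub ends), and restores the original host. The stub marker, its fixed size and the tiny PE-shaped host are all constructed for the demo and are not Win32.Trats's real signature.

```python
import struct
from typing import Optional

# Constructed stand-in for the infector's prepended body. The marker bytes and
# the fixed stub size are assumptions made for this demo, not the real
# Win32.Trats signature; a scanner would carry a proper signature for the stub.
STUB_MAGIC = b"MZ" + b"\x90" * 6 + b"DEMO-PREPENDER-STUB"
STUB_LENGTH = 512


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0, e_lfanew in range, 'PE\\0\\0' there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_fake_host(tag: bytes) -> bytes:
    """Construct a tiny PE-shaped 'host program' (headers only, not runnable)."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew points just past the DOS header
    return bytes(header) + b"PE\x00\x00" + tag


def build_infected_sample(host: bytes) -> bytes:
    """Lay out a file the way the post describes: stub first, original host after it."""
    stub = STUB_MAGIC.ljust(STUB_LENGTH, b"\x00")
    return stub + host


def is_prepender_infected(data: bytes) -> bool:
    """Two checks: the known stub sits at offset 0, and a well-formed PE (the
    original host) starts exactly where the stub ends."""
    if not data.startswith(STUB_MAGIC):
        return False
    return looks_like_pe(data[STUB_LENGTH:])


def disinfect_prepender(data: bytes) -> Optional[bytes]:
    """Return the original host executable, or None if the file is not a
    recognised prepender infection (never strip bytes from a clean file)."""
    if not is_prepender_infected(data):
        return None
    return data[STUB_LENGTH:]


if __name__ == "__main__":
    host = make_fake_host(b"notepad-body")
    infected = build_infected_sample(host)
    print("host clean?      ", not is_prepender_infected(host))
    print("infected flagged?", is_prepender_infected(infected))
    print("restored == host?", disinfect_prepender(infected) == host)
```

The second check matters for cleaning: a stub match alone tells you the file is infected, but only a valid PE header at the expected offset tells you that cutting at that offset returns a usable program rather than a truncated one.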

Note: Vundo is also known as VirtualMonde and VirtuMonde.

The next nomination category is "The Worst Rogue AntiSpyware".

There must be something personal going on between the group that produces rogue antispyware and PC Tools.

As soon as PC Tools released ThreatFire, this group created their own fake product called MalwareBurn.

PC Tools' “Spyware Doctor” trademark must be inspiring a long string of "brand names" in their sick imagination: SpySheriff, AntispyBoss, Spyware Soft Stop; the list goes on and on.

They either imitate or bundle the authentic PC Tools software with their trojans, or create other fake products that they put on a rip-off of the PC Tools web site.

Why is it so personal, and why do they target PC Tools?

Well, PC Tools is an old veteran on the battlefront against spyware. While many larger AV vendors concentrated their efforts on hashing Spybot sample number zillion and never really gave a dime about the rogue products, PC Tools' Malware Research Center was targeting these guys specifically.

The rogue antispyware makers must have felt the pain of being busted with every new release of their “masterpiece”.

This month, they made a massive rip-off of the PC Tools website.

Just because of that rip-off, this month’s "award" in the category of "The Worst Rogue AntiSpyware" goes to ... SpyShredder (well, this time it’s "shredder" – they must be using a dictionary bot that generates new names for them).

Good tip: Watch out and buy authentic security solutions from the authentic vendors!

In “The Worst Rootkit" category there are a few nominees this month.

Among them, the most obvious leaders are Cutwail/Pandex and Storm.

The latest Storm nasty seems to be a real challenge for AV vendors to detect.

Not only is it packed with a polymorphic encryptor, it also employs the old tricks first introduced by Mailbot/Rustock. That is, it first installs a kernel mode driver. The driver then allocates space in the heap memory of the legitimate process services.exe, injects malicious code there, and finally runs threads of that code remotely.
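The injection sequence just described leaves a footprint a defender can look for from user mode: a thread in services.exe whose start address is not inside any loaded module, but inside private, executable memory. The code below is an added example written for this post, not ThreatExpert's tooling; it runs the check over a constructed snapshot of a services.exe process (module list, committed memory regions, thread start addresses), with every address and thread id made up for the demo.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded image inside the process (name, base address, size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Region:
    """A committed memory region: 'image' (file-backed) or 'private' (heap/VirtualAlloc)."""
    base: int
    size: int
    kind: str
    protect: str

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Thread:
    tid: int
    start_address: int


def find_injected_threads(modules: List[Module], regions: List[Region],
                          threads: List[Thread]) -> List[Tuple[int, int, str]]:
    """Flag threads whose start address is not inside any loaded module.
    A thread started in private, executable memory matches the remote-thread
    injection the post describes; threads backed by a module are left alone."""
    findings = []
    for t in threads:
        if any(m.contains(t.start_address) for m in modules):
            continue
        region = next((r for r in regions if r.contains(t.start_address)), None)
        reason = "start address outside every loaded module"
        if region is None:
            reason += "; no committed region found (freed or hidden memory)"
        elif region.kind == "private" and "EXECUTE" in region.protect:
            reason += f"; private executable memory at {region.base:#x} ({region.protect})"
        findings.append((t.tid, t.start_address, reason))
    return findings


# Constructed snapshot of a services.exe process; all addresses are made up for the demo.
SAMPLE_MODULES = [
    Module("services.exe", 0x01000000, 0x1B000),
    Module("ntdll.dll", 0x7C900000, 0xB2000),
    Module("kernel32.dll", 0x7C800000, 0xF6000),
]
SAMPLE_REGIONS = [
    Region(0x01000000, 0x1B000, "image", "PAGE_EXECUTE_READ"),
    Region(0x00960000, 0x10000, "private", "PAGE_EXECUTE_READWRITE"),  # injected code would live here
    Region(0x00140000, 0x20000, "private", "PAGE_READWRITE"),          # ordinary heap, not executable
]
SAMPLE_THREADS = [
    Thread(1200, 0x010012A0),  # main thread, inside services.exe
    Thread(1204, 0x7C810000),  # worker started in kernel32
    Thread(1337, 0x00961000),  # thread started in the private RWX block
]


if __name__ == "__main__":
    for tid, addr, why in find_injected_threads(SAMPLE_MODULES, SAMPLE_REGIONS, SAMPLE_THREADS):
        print(f"thread {tid} @ {addr:#010x}: {why}")
```

On a live system the three inputs come from the usual enumeration APIs (module list, memory region walk, thread snapshot). The heuristic is not free of false positives: JIT runtimes and some packers also start threads from private executable memory, so the finding is a lead for analysis rather than a verdict by itself.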

Full ThreatExpert report on the latest Storm is available here.

Cutwail/Pandex (also known as DieHard), on the other hand, employs several different techniques.

One of its tricks is a restoration of certain kernel hooks in an attempt to render HIPS (Host Intrusion Prevention System) useless.

HIPS products (such as proactive behavior analysis systems), firewalls, and many other legitimate security products rely heavily on hooks. If their hooks are removed, they still appear to be running, but their functionality can be severely disrupted.

A demo below shows how Pandex/Cutwail is able to restore SSDT (System Service Descriptor Table) hooks, thus inevitably affecting a security product. Please note that while PC Tools’ Firewall product is shown in this example, it could be any other legitimate HIPS product.
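The defensive counterpart to the trick above is a periodic self-check: a product that installed SSDT hooks should verify that its entries are still in place and, if not, whether they now point back at the kernel's original handlers (hook silently removed) or somewhere unknown. The snippet below is an added example for this post, not PC Tools' or ThreatExpert's code; the image ranges, service indices and addresses are constructed for the demo, and the two table snapshots model the state before and after such a restoration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Image:
    """A kernel image range: where hook code (or the original kernel code) should live."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed layout; images, addresses and service indices are made up for the demo.
NTOSKRNL = Image("ntoskrnl.exe", 0x804D7000, 0x1F8000)
HIPS_DRIVER = Image("demo_hips.sys", 0xF8A20000, 0x8000)

# Where the kernel's own handlers were before the product installed its hooks.
KERNEL_ORIGINALS: Dict[int, int] = {
    0x7A: 0x805C0A3C,  # NtOpenProcess
    0x35: 0x8056C27A,  # NtCreateThread
    0x25: 0x805B8E5A,  # NtCreateFile
}

# The addresses the product wrote into the table, all inside its own driver.
EXPECTED_HOOKS: Dict[int, int] = {
    0x7A: 0xF8A21100,
    0x35: 0xF8A21240,
    0x25: 0xF8A21380,
}

SERVICE_NAMES = {0x7A: "NtOpenProcess", 0x35: "NtCreateThread", 0x25: "NtCreateFile"}


def audit_ssdt(current: Dict[int, int]) -> List[Tuple[str, str]]:
    """Compare the live table against what the product expects. Outcomes:
    hook intact; hook removed (entry restored to the kernel original, the trick
    the post attributes to Cutwail/Pandex); entry missing; or entry pointing at
    an unknown target (someone hooked over us, or the table is corrupted)."""
    report = []
    for idx, hook_addr in EXPECTED_HOOKS.items():
        name = SERVICE_NAMES[idx]
        cur = current.get(idx)
        if cur == hook_addr and HIPS_DRIVER.contains(cur):
            status = "intact"
        elif cur == KERNEL_ORIGINALS[idx] and NTOSKRNL.contains(cur):
            status = "hook removed: entry restored to kernel original"
        elif cur is None:
            status = "entry missing from snapshot"
        else:
            status = f"unexpected target {cur:#x}"
        report.append((name, status))
    return report


def hooks_removed(current: Dict[int, int]) -> List[str]:
    """Just the services whose hook is gone; an empty list means the product is still wired in."""
    return [name for name, status in audit_ssdt(current) if status.startswith("hook removed")]


# Snapshot 1: the table as the product left it. Snapshot 2: after something put
# the kernel's original NtOpenProcess and NtCreateThread handlers back.
TABLE_BEFORE = dict(EXPECTED_HOOKS)
TABLE_AFTER = {0x7A: 0x805C0A3C, 0x35: 0x8056C27A, 0x25: 0xF8A21380}


if __name__ == "__main__":
    for snapshot in (TABLE_BEFORE, TABLE_AFTER):
        for name, status in audit_ssdt(snapshot):
            print(f"{name:15s} {status}")
        print("---")
```

The point of the "hook removed" branch is that the product's own process keeps running happily either way; only by re-reading the table does it learn that its interception has been switched off. A product that finds this state should treat it as a compromise indicator, not quietly re-hook and carry on.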

Once the bot compromises a computer, it becomes virtually invisible to AV scanners and firewalls, as it is running within an infected legitimate process.

In case you didn’t know, compromised bots form an army of zombies. A hacker, who controls that army, then goes into an underground hacking forum and posts something like: "Hey, Comrades! I've got an army of bots for rent or sale. Order your botnet now and save 25%!".

Next ... what's next? Check out your own mailbox, mate.