SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares
CME-24 Analysis: The destruction does not appear to spread across Windows network shares (NEW)
I wanted to share some of the results of some long hours spent looking at this malware. When the infection occurs, it immediately places copies of itself locally on each share and on each share/mapped drive that it finds. Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well. I now have changed my initial thoughts on how the destruction would occur. Here are some of my notes from my testing of this concept. Here is the MD5 from the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe
The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives. In my initial test, I had two infected systems (one XP and one W2K) with drives mapped to each other. I infected each box, changed the system time to Feb 2 at 11:50pm, launched Ethereal and Filemon, and ran the first shot using RegShot. After an hour, I stopped the captures and launched my second shot of the hard drive with RegShot. All my data files were now overwritten, zip files were corrupted, etc. Everything was happening as I thought it would. All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.
For the rest of this in-depth analysis, go here: SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.
February 2, 2006 – Posted by antivirusguy | Antivirus News
SANS Internet Storm Center – “Malicious” Websites
“Malicious” Websites
Published: 2007-11-10,
Last Updated: 2007-11-10 21:26:57 UTC
by Koon Yaw Tan (Version: 1)
Previously, we often warned people against visiting unknown/suspicious websites, as they could contain malicious content. But nowadays you can be affected even when visiting known websites. It was reported that the India Times website contains hundreds of malicious files that could infect those who visit the website.
http://www.theregister.co.uk/2007/11/10/india_times_under_attack/
Legitimate websites containing malicious content are not something new; it has already happened a couple of times. Web administrators must be prudent and ensure their websites are properly secured. Hackers are now clever enough not to deface your websites and alert you, but rather to plant malicious content on them and wait for victims. Periodically running a vulnerability scan on your web systems is necessary to avoid known holes. Let us know if you have other good tips for web admins.
SANS Internet Storm Center; Cooperative Network Security Community – Internet Security – isc
November 11, 2007 – Posted by antivirusguy | Security News
SANS – Internet Storm Center – More on Nyxem
More on Nyxem
Although Nyxem is comparatively less widespread than worms like Sober or Netsky, it’s still doing a fair number of rounds. The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500,000+). You can see that Nyxem.E is the top malware instance detected in the last 24 hours, with more than double the occurrences of the next most frequently occurring worm (Netsky).
This is not strange, as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can’t be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining whether a machine is infected, as it will visit the URL with the counter.
The counter is at:
h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247
You can search your web logs for this host name (which looks like a legitimate site).
Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven’t seen in other analyses of the worm, says:
“Additional Registry Changes
- The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered “safe” and digitally signed.”
The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can’t trust it, but this looks like another (big) problem for the average user out there.
SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.
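Searching web or proxy logs for the counter host, as the diary suggests, is easy to automate. The following is an added example, not code from the ISC diary: it flags client IPs that requested the worm's counter, matching on the host and the Count.cgi?df=765247 request the diary names. The Squid-style log lines are constructed, and the path segment the diary redacts is replaced by a labelled placeholder.

```python
"""Search proxy/web logs for requests to the Nyxem/Blackworm infection counter.

Added example, not part of the ISC diary. It matches on the counter host
(webstats.web.rcn.net) and the Count.cgi?df=765247 request the diary names;
the path segment the diary redacts is a constructed placeholder below.
"""
from collections import Counter
from urllib.parse import urlsplit, parse_qs

COUNTER_HOST = "webstats.web.rcn.net"   # host named in the diary
COUNTER_SCRIPT = "/Count.cgi"           # counter CGI named in the diary
COUNTER_ID = "765247"                   # df= value named in the diary

# Squid-style access.log lines, constructed for this example (not real traffic):
# timestamp elapsed client-ip result/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1138000001.123 120 10.0.0.15 TCP_MISS/200 512 GET http://webstats.web.rcn.net/REDACTED_PATH/Count.cgi?df=765247 - DIRECT/192.0.2.10 image/gif
1138000002.456 80 10.0.0.22 TCP_MISS/200 9120 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1138000003.789 110 10.0.0.15 TCP_MISS/200 512 GET http://webstats.web.rcn.net/REDACTED_PATH/Count.cgi?df=765247 - DIRECT/192.0.2.10 image/gif
1138000004.012 95 10.0.0.31 TCP_MISS/200 512 GET http://webstats.web.rcn.net/REDACTED_PATH/Count.cgi?df=111111 - DIRECT/192.0.2.10 image/gif
1138000005.345 130 10.0.0.40 TCP_MISS/200 512 GET http://WEBSTATS.WEB.RCN.NET:80/REDACTED_PATH/Count.cgi?df=765247 - DIRECT/192.0.2.10 image/gif
"""

def classify(url):
    """'counter' for the worm's own counter, 'host-only' for other requests to
    the same host (worth a look, not proof), None for unrelated traffic."""
    parts = urlsplit(url)
    if (parts.hostname or "") != COUNTER_HOST:      # hostname is already lower-cased
        return None
    if parts.path.endswith(COUNTER_SCRIPT) and parse_qs(parts.query).get("df") == [COUNTER_ID]:
        return "counter"
    return "host-only"

def infected_clients(log_text):
    """Map client IP -> number of counter requests it made."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        if classify(fields[6]) == "counter":
            hits[fields[2]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in sorted(infected_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} counter request(s), treat as infected")
```

A request with a different df= value is reported as 'host-only' rather than ignored, since the same counter host serves other sites.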
January 24, 2006 – Posted by antivirusguy | Antivirus News, Virus Outbreaks
SANS – Internet Storm Center – BlackWorm Summary – Updated Info
About BlackWorm
Over the last week, “Blackworm” infected about 300,000 systems, based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user’s files on February 3rd.
At this point, the worm will be detected by up-to-date anti-virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti-virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, that anti-virus software obviously can’t be expected to clean up the infection for you.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message (‘DATA Error [47 0F 94 93 F4 K5]’).
We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.
The first thing you should do is to update your anti-virus signatures.
This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm
Naming
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as Blackmal, Nyxem, MyWife and Tearec, among other names. Update: we have been informed that the CME number will be ‘CME-24′. cme.mitre.org should shortly list this number.
How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new “zip file” icon on your desktop.
What will BlackWorm do to my system?
It will disable most anti-virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Removal
Anti-virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild “from scratch”:
- BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
- BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
SANS – Internet Storm Center – Preparing for Feb 3rd (CME-24\Blackworm)
Preparing for Feb 3rd (CME-24) (NEW)
We received a lot of suggestions about measures against CME-24, in other words, how to prepare for Feb 3rd regardless of anti-virus. What follows below is a compiled list of those. Some were tested, but some were not.
- The rule below, written by Per Kristian Johnsen of Telenor Security Center, is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author, they have been able to detect infected machines where the already published Snort/Sourcefire rule couldn’t:
alert tcp any any -> any 135:139 (msg:"Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; classtype:trojan-activity; sid:5000173; rev:1;)
- We had another user that used SMS to scan drives for files with a size of 95,690 bytes named as follows (Blogger’s note: I have been doing this query too, but missed the file-size part):
%Windir%\Rundll16.exe
%System%\scanregw.exe
%System%\Winzip.exe
%System%\Update.exe
%System%\WINZIP_TMP.EXE
%System%\SAMPLE.ZIP
%System%\New WinZip File.exe
movies.exe
Zipped Files.exe
- A security Dweeb at a large California municipal government agency wrote a batch script that:
“1) looks for the existence of the infected file names in %windir% and %sysdir% using simple DIR /B commands. Output is sent to a uniquely named text file (with a non-standard extension). Infected workstations will show a non-zero file size. The batch file is below; it uses environment vars that are unique to the user and computer name.
2) The batch file will be placed in the login script for all computers.
3) Ensure that verified backups are completed tonight (Wed).
Batch file:
@echo off
rem Append the DIR /B output for each known dropped file name to a per-user, per-computer results file.
rem DIR /B prints nothing to stdout for a missing file, so a non-zero .rgh file means at least one name was found.
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
rem This dropped name contains a space, so the path is quoted to keep it as one argument.
dir /b "%Temp%\word.zip .exe" >> %username%_%computername%.rgh
Although dangerous, we think we have a very low chance of a problem.
According to LURHQ, there are only 15K computers in the US that have contacted the “counter” site. And we have other protections in place (blocking of all executables in mail attachments, current anti-virus updates, etc.)”
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )
SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.
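The file-name/size query and the Snort rule's hex content above are both checks a defender can reproduce. The following added example (not code from the diary, the Telenor rule or the quoted batch file) scans a set of directories for the listed dropped names, flags the 95,690-byte size the SMS query used, and derives the UTF-16LE content pattern for any dropped file name; the directory tree it scans is constructed with tempfile so it runs on any platform.

```python
"""Host-side check for the Blackworm/CME-24 dropped files, plus the UTF-16LE hex
content a Snort rule uses to match a file name on the SMB wire. Added example,
not part of the ISC diary or the quoted batch file: names and the 95,690-byte
size come from the diary; the scanned directories are constructed with tempfile."""
import os
import tempfile

DROPPED_NAMES = {   # dropped file names listed in the diary, lower-cased
    "rundll16.exe", "scanregw.exe", "winzip.exe", "update.exe",
    "winzip_tmp.exe", "sample.zip", "new winzip file.exe",
    "movies.exe", "zipped files.exe",
}
DROPPED_SIZE = 95_690   # size in bytes reported by the SMS query in the diary

def scan_dirs(dirs):
    """Return sorted (path, size, size_matches) for each file whose name is on the list."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if os.path.isfile(path) and name.lower() in DROPPED_NAMES:
                size = os.path.getsize(path)
                findings.append((path, size, size == DROPPED_SIZE))
    return sorted(findings)

def snort_content(filename):
    """Snort content: hex of the name as UTF-16LE, which is how SMB carries file names.
    Note the published rule leaves off the final 00 of the last character."""
    return "|" + " ".join(f"{b:02x}" for b in filename.encode("utf-16-le")) + "|"

def demo_tree():
    """Constructed stand-in for %Windir% and %System%: one name+size hit, one name-only hit."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    os.mkdir(sysdir)
    with open(os.path.join(sysdir, "WINZIP_TMP.EXE"), "wb") as f:
        f.write(b"\0" * DROPPED_SIZE)   # same name and size as the reported drop
    with open(os.path.join(root, "Rundll16.exe"), "wb") as f:
        f.write(b"\0" * 1024)           # name matches, size does not
    return [root, sysdir]

if __name__ == "__main__":
    for path, size, exact in scan_dirs(demo_tree()):
        print(f"{path}: {size} bytes", "(name and size match)" if exact else "(name only)")
    print(snort_content("WINZIP_TMP.exe"))
```

On a real host, pass the expanded %Windir%, %System% and %Temp% paths to scan_dirs instead of demo_tree().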
February 2, 2006 – Posted by antivirusguy | Antivirus News
