Virtualization and Security: What is real and what is FUD?

by Anthony James
February 5, 2010 at 9:59 am

There seems to be a lot of discussion about virtualization, and rightly so. Virtualization promises dramatic, immediate benefits for many customers.  The purpose of this post is not to reiterate those benefits; a tremendous amount of information already exists.  However, as a security professional, I am concerned with the sensationalizing of virtualized security and how it is proposed as an entirely new sector of security within a virtualized environment.  With a few quick Internet searches, we are met with a barrage of articles from proposed consulting expertise to unique virtual appliances promising a solution to a yet-to-be explained virtual problem (pun intended).

The first question I always ask is, “how is virtualized security different than traditional security?”  The resounding response I most often hear when I ask industry peers is that virtual security is a way to secure virtual server environments (obviously).  When I dig a little deeper, I get the response of, “if a virtual server has been compromised (let’s say by a virus/worm), it will be able to cross-infect all of the other virtual servers co-residing within the same physical server hardware.  Therefore customers need to provide a virtual security layer between each of the virtual servers.”  Sounds like a logical conclusion – if you follow this argument.

While I feel there is some validity to that argument, I am concerned that there is a lot of misinformation and FUD (fear, uncertainty, doubt) being spread based on a lack of understanding of the technology and of the potential security threats focused on virtualization.  Consider a classic data center before virtualization appeared.  The design often consisted of a server farm front-ended by a load-balancer / application accelerator, which often lay behind a layer of security solutions (firewall, web content filtering, antivirus filtering, IPS etc.).  In a traditional design, the servers were optimized for performance by the application acceleration layer and the security layer protected the overall infrastructure from the threatscape.  In reality, this physical server farm infrastructure is prone to the same potential fate as its virtualized counterpart – co-resident physical servers can just as easily infect each other if compromised, but that doesn’t mean we implement additional security layers between every server; it just means that we strengthen the policies and security measures surrounding the server infrastructure.

By comparing the virtualized server farm and the physical server farm, the security concerns are indeed similar.  But currently we are told that we need to implement another approach to securing our virtualized server farm just because it has been virtualized?  Why is this the focus?  Can’t we follow the traditional architectures?  If you ran the higher-security model, with each server compartmentalized behind a dedicated security device, you can still achieve the same with virtualization by allowing each virtual server to communicate only via an external security device – which also provides increased visibility into the communications between each server.

I will agree that virtualization provides a tremendous amount of flexibility that is difficult to achieve with traditional server infrastructures, and yes, with flexibility comes potential security concerns opening up the door for new security measures. However, by rethinking traditional security solutions we can surely adapt to secure this new frontier of virtualization.

My argument is not with virtualization, as I wrote above I do believe it provides immediate tangible benefits for many customers.  However I am concerned that a lot of vendors are trying to ride the wave of the virtualization success by manufacturing concepts and concerns that are not 100 percent accurate, or worse, not in the best interest of the customers.

Author bio: Anthony James is Fortinet's vice president of products.

Pushdo Revolutions: Communication Encryption and Decoy Traffic

by Kyle Yang
February 4, 2010 at 11:37 am

It’s been two months since we revealed the 3rd Generation Pushdo/Cutwail/Webwail Botnet communication protocol and encryption. Recently, while researching a new bot (GoolBot), we found another Pushdo-like malware spreading with its help. After reversing, it became clear that it was a brand new evolution of the infamous multi-malware loader, for two essential reasons:

  • While it used the 2nd generation Pushdo communication protocol (with minor variations), it encrypted its communications and routed them through the SSL port (443); while this encryption looked like SSL at first sight (which would be consistent with the choice of the port), it is actually NOT.
  • There is a routine which generates some actual SSL traffic to a list of 339 known web sites (legitimate, for the most part), obviously to drown bot-to-C&C communication in a sea of decoys.

This latter point explains why so many webmasters are reporting that SSL traffic (coming from different IPs) is much higher than normal these days. The good news for them is that the additional traffic is not malicious (application-wise, that is), and the bad news is that an increase of actual viewers is not the cause of it: it’s just some dummy data generated by calls to the QueryPerformanceCounter API in the latest Pushdo evolution.

Memory snapshots (from a pushdo infected machine) below illustrate the former point about encryption.

Before encryption (memory snapshot; image not reproduced here):

After encryption (same memory space), just before sending (memory snapshot; image not reproduced here):

The response from the C&C server, encrypted alike, contains the rootkit and spam engine modules (classic Pushdo process).
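The first bullet above is the detection point a network defender can act on: the bot's traffic uses port 443 but is not SSL/TLS, so a first-bytes sanity check on port-443 flows separates it from both legitimate SSL and the decoy SSL the bot generates. The following is an added example (not Fortinet's code and not the bot's protocol): it checks whether the first client-to-server bytes of a flow form a plausible ClientHello, either a TLS record (RFC 5246 layout) or an SSLv2-compatible hello, and flags port-443 flows that fail. The flows and byte strings below are constructed for the example, not captures from the post.

```python
import struct

# Added example: first-bytes check that tells real SSL/TLS client traffic on
# port 443 apart from an arbitrary encrypted blob pushed through 443.

SSL3_TLS_MAJOR = 3             # SSLv3 = 3.0, TLS 1.0-1.2 = 3.1-3.3
RECORD_HANDSHAKE = 22          # TLS record content type "handshake"
HANDSHAKE_CLIENT_HELLO = 1     # handshake message type ClientHello
MAX_RECORD_LEN = 16384 + 2048  # 2^14 plaintext plus compression/MAC slack


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client->server bytes form a plausible ClientHello,
    either a TLS record or an SSLv2-compatible hello (2-byte length with the
    high bit set, then message type 0x01)."""
    if len(payload) < 6:
        return False
    # SSLv2-style compatible hello, still sent by older clients in 2010
    if payload[0] & 0x80 and payload[2] == HANDSHAKE_CLIENT_HELLO:
        return True
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != RECORD_HANDSHAKE or major != SSL3_TLS_MAJOR or minor > 3:
        return False
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False
    if payload[5] != HANDSHAKE_CLIENT_HELLO:
        return False
    if len(payload) >= 9:
        # 4-byte handshake header plus body must fit inside the record
        hs_len = int.from_bytes(payload[6:9], "big")
        if hs_len + 4 > rec_len:
            return False
    return True


def flag_non_tls_on_443(flows):
    """flows: iterable of (src, dst, dport, first_client_bytes).
    Returns the (src, dst) pairs that talk on 443 without a TLS handshake."""
    return [(src, dst) for src, dst, dport, first in flows
            if dport == 443 and not looks_like_tls_client_hello(first)]


# Constructed samples (assumed, not taken from the post or from a capture):
GOOD_HELLO = (b"\x16\x03\x01\x00\x2f"                      # handshake record, TLS 1.0, 47-byte body
              b"\x01\x00\x00\x2b\x03\x01" + b"\x00" * 41)  # ClientHello, 43-byte body
BOT_BLOB = b"\x1f\x8c\x02\x55\x9a\xe3\x41\x07\x6d\x2c"     # opaque bot-style payload

SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, GOOD_HELLO),  # decoy or legitimate SSL
    ("10.0.0.5", "192.0.2.44", 443, BOT_BLOB),      # C&C over 443, not TLS
    ("10.0.0.5", "203.0.113.20", 80, BOT_BLOB),     # port 80: out of scope here
]

if __name__ == "__main__":
    for src, dst in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

The check needs only the first few bytes of each flow, so it runs cheaply from a capture or a flow exporter that keeps initial payload bytes. It does not catch the decoy traffic (that really is SSL), which is why the decoys are there; for those, the remaining signal is the beaconing pattern rather than the payload.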

As an interesting side note (we will come back to it below), here is the list of those C&Cs:

75.126.159.19:443
75.126.159.19:443
94.75.233.173:443
94.75.233.174:443
94.75.233.171
94.75.233.172
89.149.254.213
89.149.244.141
89.149.244.23
aaa.oduvanchic.com
aaa.news2days.ru
antisgetout.cn
fire***eye.com
****briankrebs.com

This time, the author(s) was/were kind enough to leave the PDB filepath in the binary:
“e:\Source\sloader_conc12np1\sloader_conc1\svcloader\Release\svcloader.pdb”

Historically, it has been common for malware authors to send messages hidden within their binaries – often as strings. There are, however, other ways. The last listed domain above, presumably registered by the author(s) of this Pushdo variant used for C&C, is an obvious dig at Brian Krebs, author of Krebs on Security (previously The Washington Post). Indeed, this is not the first time. We had a look at the variant referenced in this post (Harebot, detected by Fortinet as W32/Agent.LKU!tr) that was circulating around January 17th, 2010. In fact, this variant is a dropper that drops the same updated 2nd generation Pushdo. These are the main points we observed with this variant seen around January 17th:

  • No SSL traffic is sent: The 2nd generation traffic is still encrypted, but is transmitted on port 80
  • The project path is slightly different (see above for the current path): “e:\Source\sloader_conc1\svcloader\Release\svcloader.pdb”
  • The same C&C domains are used

Therefore, we can see the development path the authors are taking with this new variation. In January, they had updated to the new encrypted protocol but did not have the SSL traffic module included. Now, in February, we see the SSL module emerge. Could it shed some light on the question “are all Pushdo evolutions from the same author(s)”?

-Kyle

Guillaume Lovet and Derek Manky contributed to this post.

Author bio: Xu (Kyle) Yang (CCIE #19065) has worked as a malware researcher/software engineer for Fortinet for 6+ years. He is currently focused on malware custom packer research and botnet research.

24 Hour Review: Pushdo diversifying, cashing in

by Derek Manky
January 29, 2010 at 2:26 pm

We have written much on Pushdo and its associated spamming component Cutwail over the years: for in-depth information on these botnets, check out our analysis. Cutwail has been observed with many spam campaigns over the past year, and today is no exception. As of writing, we observed 6 separate e-mail campaigns being sent from different Cutwail binaries — all within the last 24 hours. The images below show these emails, each with a description. Since the campaigns range from malware to links and scams with different affiliate identifiers, it is likely that Pushdo/Cutwail is operating spam services for more than just one or two customers.

Email 1: DHL campaign invoice attachment, Sasfis

Email 2: DHL campaign invoice attachment, Sasfis

The above two emails are the infamous DHL campaigns, often associated with a similar UPS template. In the past, these campaigns have been observed to spread Bredolab, Zeus/ZBot, Pushdo/Cutwail itself, and now Sasfis. We just posted an analysis on Sasfis, so have a look here for more details on this emerging botnet. Emails 1 and 2 spread the same Sasfis binary (that is, they use the same b= botnet identifier and C&C servers) but use slightly different templates, as you can see. This version of Sasfis is slightly different from the one we analyzed – it shuffles parameters a bit, and is currently downloading Hiloti – a trojan similar to ZBot.

Email 3: Ecard attachment from 123greetings, FakeAV download

The next email shown above spreads through typical fake greeting cards. Buzus used a similar technique, discussed here in our January 2010 Threatscape Report (Christmas Cards through 123greetings.com). This binary is actually a FakeAV loader, which connects and downloads a product called “Security Tool”. Fortinet detects this attachment / FakeAV loader as “W32/FakeAV.ACP!tr”.

Email 4: VISA phish

This next email is a classic phishing technique, appearing to come from VISA. It goes on to claim that the card was fraudulently used, and that a form needs to be filled out by the authenticated user. While the visible link text shows “visa.com”, the actual link – the anchor’s href – points to “visa.com.terrfsr.me.uk”, whose registered domain is terrfsr.me.uk; “visa.com” is merely a leading subdomain label. Always be on the lookout for this, and remember that such unsolicited requests should not be followed. Notice that the link includes a reference and email ID used for tracking which recipient clicked.

Email 5: MSN to Cheap Watches

Email 5 shows an email appearing to come from Microsoft, telling the user that they have subscribed to an “MSN Features” feed. The social engineering trick here is to dupe the user into not wanting this spam and clicking on the “unsubscribe” link. All links provided in the email point to “gogolv.net”, a replica watch site under the name of “Watch Store”.

Email 6: Drugs for sale – Best for you health

The last email we observed Cutwail sending within the last 24 hours was very simple, providing a link for the user to click on. This link redirects to “pushlength.com”, a site under the name of “Best for you health”. This is a classic pharmacy site, with an affiliate identifier pushed through to hand out the appropriate commission payouts if users are duped into buying any of these drugs. Cyber criminals running illegal pharmaceutical sites often keep them alive by registering thousands of domains which point back to servers that proxy HTTP content from further upstream servers (motherships). This link (“pushlength.com”) has the same characteristics as those automatically registered in Canadian Pharmacy campaigns — two dictionary words, registered through select registrars used as safe havens. Read more here: single IPs often host the same kinds of content as shown above in Emails 5 and 6 (watches, shoes, pirated software and pharmacy).

This is all happening in parallel – that is, Cutwail’s C&C servers are returning different templates depending on which botnet they belong to. This is a sign of diversification, so they can keep up with growing demand on their spamming services.

Thanks to Fortinet’s Kyle Yang for his binary and spam analysis.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.

10 Predictions for Mobile Malware in 2010

by Axelle Apvrille
January 28, 2010 at 8:56 am

I don’t know if my recent analysis of Java/GameSat set me on divination, but today I feel like predicting a few things for 2010. And as we’re already at the end of January, I should probably hurry.

  1. SymbOS/Yxes will be back and stronger this year. Its authors have probably had time to debug it, and I would be surprised if they do not release a few versions in the wild.
  2. The AppStore will be abused, unintentionally offering one (or more) malware to the iPhone community. My crystal ball tells me this malware is likely to be spyware, i.e. malware particularly targeting our privacy.
  3. Hackers will release a Proof of Concept malware for Android.
  4. There will be at least two new major malware families. I mean really new families, with new implementations, new tricks and extensive press coverage.
  5. People will keep on thinking their mobile phones are not under threat, even though they are anything but secure.
  6. The amount of spyware, dialers and SMS-sending malware will keep on increasing. Those are areas where malware authors make money.
  7. Social engineering malware such as Koobface will spread to smartphones from which one can blog or tweet on the go.
  8. One of my papers on mobile malware and SymbOS/Yxes will be accepted in a research conference.
  9. Mobile malware will start using cryptography more frequently to conceal their malicious deeds. Apart from encryption of some parts, most of the malware’s code will remain unobfuscated.
  10. No mobile malware author will be caught, nor sued, sentenced or fined whatsoever.

I may turn out to be wrong on a couple of those, but it will be fun looking at this post end of 2010.

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

January 2010 Threatscape: Aurora comes to light, Botnets shine, Christmas greetings from Buzus

by Derek Manky
January 27, 2010 at 10:57 am

There was no shortage of threat news this month, most notably with the highly publicized attacks – codenamed “Aurora” – on select corporations, including Google. The official CVE identifier for this attack was CVE-2010-0249, with Fortinet’s detection being “MS.IE.Event.Invalid.Pointer.Memory.Corruption”. For more information, please see our advisory and blog post. Details on these attacks through a zero-day Internet Explorer flaw came out in mid-to-late January: in just a couple of days, this detection rocketed into fourth place in our top ten attack listing for the entire month – in close company with Waledac and Gumblar/Bredolab C&C detections. Gumblar, which has often been observed to drop the Bredolab loader, typically starts an infection through malicious websites hosting obfuscated JavaScript code. MS08-067 exploit traffic (used by Conficker) remains in second position, meaning our top three attack detections are related to botnet propagation and C&C traffic. Our top six detected attacks are rated as ‘Critical’, typically associated with remote code execution.

On top of this, another Adobe Reader PDF exploit (Adobe.Reader.Printf.Buffer.Overflow) climbed into our top ten listing. There are many PDF exploits active in the wild, most of which use malicious JavaScript code. Adobe software, like Microsoft’s, is a popular target for attackers – stay up to date with the latest bulletins (see Fortinet’s here from January 19th, 2010). There is definitely much malicious network traffic out there, so this should be yet another (continuous) reminder to keep your patches up to date and to monitor/guard against malicious traffic with a valid IPS solution.

Detected malware volume this period returned to levels before October 2009, when a large surge of Scareware hit cyberspace – no doubt fueled by other prominent threats such as Bredolab. While activity levels have dropped, Bredolab continued its reign this period with variants in the top two spots – together accounting for over 40% of total detected malware volume. This activity continued to happen in large spikes for generally a period of just one day as Bredolab seeded. Even worse, Bredolab is gearing up with a new web mailing engine that will allow it to spam through accounts such as Hotmail and GMail. This will allow an already established threat to seed (distribute itself, and other malicious bits) even more effectively. Distinct malware volume doubled from last report after holding a steady but slowly increasing trend for the past year. We detected more unique pieces of malicious code this period than ever before, most dominantly in the USA. Though the USA had significantly more unique attacks, Japan was number one this period when it came to pure detected volume — most notably with Bredolab. Threats such as Zeus/ZBot are distributed as kits, easily recycled into new code/attacks – which contributes to a rise in the unique pieces of malicious code and attacks in cyberspace. This will likely continue to increase, as this trend has held true for well over a year.

New to the malware top ten this report was Buzus, offering some competition to Bredolab. Buzus had two variants present in our listing, in sixth and third position (detected as W32/AutoRun.BBC!worm). Unlike Bredolab, which seeds on-demand in campaigns, Buzus continuously spreads in mass mail fashion through its own SMTP engine. We saw Buzus seeding through a purported Christmas greeting card from 123greetings.com, attached as a zip file typically over 300KB. Buzus isn’t brand new — it has been around since 2008. In 2009, we observed it being downloaded through a bot via IRC commands. However, its appearance in our top ten indicates it has enjoyed success over those years.

Apart from Buzus spam, we noticed two other interesting campaigns. One came in the form of a simple message with a link, always with the subject “It’s you?”. This spam run began on December 1st, and continues as of writing. The links changed frequently, each leading to a site that redirected the browser to a second domain – most of which were “.cn” top level domains. Some of the first domains also included obfuscated JavaScript code – another popular tactic used by a frequent visitor to our top ten: “JS/PackRedir.A!tr.dldr”.  The first domains included in the spam emails were mostly on free web hosting service providers; here is a list of the ones we observed being used:

by.ru
zelnet.ru
unl.pl
evonet.ro
h12.ru
com.ru
50webs.com

There were also plain IP addresses. The use of free web hosting for malicious links is a favorite trend that is likely to continue due to the availability of such services (see above), and the fact that private domains may become harder to register. Customised bots such as Bredolab/Webwail can be programmed to automatically register such domains. In December 2009 the CNNIC introduced tougher policies which require paper-based registration forms for domain registration, hindering cyber criminals from registering many new Chinese top level domains for their attacks. It will be interesting to see whether other ccTLD authorities and ICANN follow.

The other spam run used a different social engineering tactic.  The email, a series of conversations talking about gambling techniques, appears to accidentally land in a user’s inbox. The conversation talks of an algorithm to win quick cash through online gambling; the social engineering tactic here is to intrigue the user into thinking they stumbled upon this “secret” email, follow the link and start gambling to win cash. The website pushes an executable we detect as “Misc/CasOnline”.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.