Just happened to review our signature against virut-infected Web pages, and I would say, the infection is still very active until now. W32/Virut.CE is known to infect Web pages (HTML, ASP, and PHP) by injecting malicious iframe that redirects visiting users to Web sites serving malicious PDF and SWF files with different kinds of exploits. However, Virut is not the only agent of this iframe injection. Just minutes ago, I’ve searched a couple of infected Web sites specific for this injection compromise, and here’s a good example.

Figure 1 shows a Myspace account with injected iframe related to Virut.  The malicious code injected, disguised as a JPG file, is actually a Web server directory that has its own main page index.html file. The index.html (detected as JS/SWF.CE!exploit) is an obfuscated HTML with malicious JavaScript inside (Figure 2).

Below is the prettyprinted code of the malicious script, which has simple obfuscation strategies.

De-obfuscation Process
First layer of obfuscation is the randomly created style name that is changing in a regular interval time. This also may serve as a simple evasion from signatures with static strings or applying script checksum with simple script normalization algorithm.

The de-obfuscation though is trivial, specially when you have the beautified malicious code in hand. If you’re still doubting your instinct, any script debugger (eg. Firebug, Spidermonkey, Malzilla, etc) will do to trace the decoding process.

First, it removes the numbers (or digits) in the HTML DIV tag with the instruction in Line 25 to get the word eval:

<div class=”bVPI9TaPJwh6″ id=”sfd”>

1e2v345a6l —–> “eval”

</div>

Next, the text in the <B> tag (Bold Text) will be split to remove the dots (‘.’).

The text is actually the malicious code, represented as decimal, and separated with dots.

Next, it converts each decimal number back to character type using String.fromCharCode() and concatenating the result to yield the final malicious iframe.

Nothing really interesting with this old exploit until, when I used flare, swfscan, and swfdump tools to examine the content of the files, they both unable to do the job!

Maybe because of some unknown tags or the files are simply over crafted that effectively defeats the parsing and dumping ability of the tools.

During my tests, flare was spitting out: “Unexpected end of file”, while swfscan was complaining:”Malformed data in SWF Header”,  and swfdump got the worst: it was unable to handle the malformity and crashed!

So I rummaged through the hard disk to find my old, simple SWF dumper I wrote a year ago, and luckily it’s still able to do the trick:

Here’s the output of the tool against one of the SWF files:

The tool was able to skip unknown tags until it finds the END tag.  It has a simple exploits scanner option too to spot the vulnerable tag – DEFINESCENEANDFRAMEDATA.

You can recall that most of the malicious SWF files related to this bug were using the DEFINEBITS and DEFINEBITSJPEG tags as the shellcode container.

The tool can also dump the SWF file to check the data inside each (known) tags.  Check out the SWF specification for more details about an SWF file format.

And here’s the output of the tool when you dump the SWF file:

###########################################################################

We will not bother to show you how to decode the shellcode as its very old already and there are pretty much available resources for doing that.

It’s just a typical shellcode that opens another malicious URL for the stage 2 malware downloader.

If you would like to reminisce how the bug was discovered, just check out Mark Dowd’s paper.

The good new is, there’s not much to worry about on this year-old exploits, because protections are very well in place.

The SWF and HTM files are proactively detected as W32/SWF!exploit.CVE2007071 and JS/SWF.A!exploit respectively by Fortinet FortiClient and FortiGate.

Last week, an online user reported to us that he cannot access some AV websites while he doesn’t have problem with Google.com and Yahoo.com.   He also added that he thinks his computer might be infected with the notorious Virut malware.

Hmm… wait a minute, Virut doesn’t include web site blocking capability just like how Conficker.C did a couple of months ago.  So we asked a couple of samples immediately for us to verify his intuitions.  Not surprisingly, its indeed a slightly modified version of W32/Virut.CE.

Whats hot and whats not?

There’s no doubt its the same Virut variant which we currently detect as W32/Virut.CE, with just some face lift and other added functionalities.  For instance, the following characteristics are still intact:

1. Garbage instructions and too many jumps.  This is how Virut.CE attain polymorphism – code full of garbage instructions and jumps connecting those code chunks.

2. File Infection. The file infection routine is still intact and did not change that much, with the same targets: EXE, SCR, ASP, HTM and PHP files.

3. Process Injection.  This virus is known to inject its main malicious routine in WINLOGON process, before hooking some NTDLL APIs to trigger its infection routine. Also the SFC disabling function is pretty much the same.

4. IRC Download.  Virut connects to a remote IRC server via HTTP to download more malware or components such as varying kinds of Spambot, rootkits, Injector and the likes.  Clearly, it works as an agent to implant more malware on the compromised machines.

5. File Modification. It modifies the file %System%\drivers\etc\HOSTS to map its own malicious domain as 127.0.0.1. Some believes that this way, the infected machine will prevent from re-visiting the malicious domain to repeat the infection process.

6. Registry modifications. The registry entry to bypass firewall still exists. This is how it attempts to hide its network activity from Firewall.

Now here is the list for the newly added features:

1. Blocking of AV-related websites. This is probably the major enhancement from the modified version. The infected machine will not be able to access websites that has the following domain names, which are hard coded in the virus body:

eset, avg, windowsupdate, wilderssecurity, threatexpert, castlecops, spamhaus, cpsecure, arcabit, emsisoft, sunbelt, securecomputing, rising, prevx, pctools, norman, k7computing, ikarus, hauri, hacksoft, gdata, fortinet, ewido, clamav, comodo, quickheal, avira, avast, esafe, ahnlab, centralcommand, drweb, grisoft, nod32, f-prot, jotti, kaspersky, f-secure, computerassociates, networkassociates, etrust, panda, sophos, trendmicro, mcafee, norton, symantec, defender, rootkit, malware, spyware, virus

The blocking behavior can be best described by the screen shot below which was taken from an infected machine:

Picture 1:  Blocked AV-related websites

2. Autorun. Another added feature is the autorun functionality.  The virus chooses from among the first infected files and drops it in the removable drives. Though this may not work for long as Microsoft is now planning to abandon this feature in the next Windows version to put an end to this heavily abused Windows feature.

Picture 2: Autorun infection

4. Hooking additional API.  The new version also adds additional hook API from NTDLL:

• ZwCreateFile
• ZwCreateProcess
• ZwCreateProcessEx
• ZwOpenFile
• ZwQueryInformationProcess
• ZwDeviceIoControlFile  <– added
  

Picture 3: Hooked NTDLL APIs

3. Type of infection. Based on our generated replicated samples, this new version seems to use only one type of infection, which is Type 4 (See Win32 Infection part from its description).

4.  Hidden Second-Layer Decryption Routine. There is also an interesting behavior from the updated version which I haven’t seen in the old versions.  The second-layer decryption routine is “blocked” or “locked” by a RETN call (opcode 0xC3).  For example, in the following code snippet, at address 0061D078 is initially RETN.  If everything goes well, the RETN (byte C3) will be patched with E8 opcode to transform as CALL operation:

The virus has a simple anti-debug tricks by using GetTickCount() and RDTSC calls, and it avoids multiple instances by checking a mutex named “L30N” (the original versions used an event name “Vx_5” to check its presence).  If it passed these criteria, thats the
only time that the second-layer function call will be unlocked, and continue execution (See address 0061D078 after patching).

I’m sure the malware author will not stop from here, and continue its modification effort to avoid detection from AV scanners. But as long as we also continue our effort in finding better ways to detect such complex virus, we can stay confident that our customers are well-protected.

Many threat trends have continued as we head into August 2009. I have highlighted notable items below from our July 2009 Threat Landscape report, which can be found on Fortinet’s FortiGuard Center.

Mobile threat development continues: In July we saw the emergence of SymbOS/Yxes.E and SymbOS/Yxes.F, the latest updated variants of Yxes that we first reported on in February. For further details, check out this blog post that is well worth the read: in particular, Yxes’ served up dynamic content via JSP indeed shows the beginning steps as to how cyber criminals are addressing a market that is largely fragmented due to multiple platforms. This is important, because malicious binaries are often written for a single target (ie: Windows, OS/X). On traditional desktops, these targets are limited: however, in the mobile market, they are growing and diversifying. Thus, dynamically addressing which malware packages to serve up, as Yxes has done, is a technique which helps alleviate this issue and hints of what is to come in this area in the near future.

Virut posts record levels while online gaming trojans flood cyberspace: W32/OnlineGames.BBR maintained and built heavily from its first place position last report – accounting for 43 percent of total detected malware activity. This latest attack saw much of its volume from July 5th onward, with a peak of activity on July 8th. This campaign continues, and comes in very frequent activity on a daily basis. Besides that, the regular faces of W32/Virut.A and JS/PackRedir built on their activity from our last report period. In fact, detected activity for W32/Virut.A this period climbed to record levels, underscoring the fact that this behemoth has become a dominant threat – particularily in Asia. New to this report’s top ten is W32/FakeAlert.EI – another rogue antivirus (“scareware”) trojan. Scareware fraud continues to be vastly popular in the digital underground, now quite diversified since we first reported on heavy attack waves nearly one year ago in August 2008.

Two in the wild exploits were making waves this period: One is the highly discussed MS ActiveX Video control (CVE-2008-0015, FortiGuard Advisory here) first patched on July 14th by Microsoft through MS09-032. Exploit activity for this vulnerability was frequent throughout the month, but remained relatively low, with most prevalent activity detected in Korea, China and Japan. As of writing, the second mentioned vulnerability, MS Office Web Components (CVE-2009-1136, FortiGuard Advisory here) remains unpatched / zero-day, also with relatively low detection rates with leading activity in China, India and Japan. Nonetheless, it should be reminded that any successful exploit can cause significant damage; exploits against the latter (zero-days) tend to be more successful since patches are not readily available. FortiGuard IPS detects and blocks malicious activity against both of these attacks as mentioned in their respected advisories above. The FortiGuard Global Security Research team first spotted public exploit code for this second mentioned vulnerability on July 11th and immediately reported the findings.

Canadian Pharmacy assaults google groups, tinypic: This month, we witnessed a flood of eCard spam continuing from last month, using various techniques – a majority of them ultimately leading victims to Canadian Pharmacy’s domains. These domains, automatically registered by combining two dictionary words as described in our January 2008 write-up, continue to be registered well over two years since the process began. Canadian Pharmacy’s success, fueled by an affiliate sponsorship model, invites many cyber criminals to advertise the fraudulent pharmaceuticals and drive traffic to the aforementioned domains on their behalf. The net result lands rather large chunks of change in both the Canadian Pharmacy gang and affiliates’ pockets. This period, the eCard spam primarily used direct links, Google Groups and the photo sharing service Tinypic.

While the automatic redirection used by the Google Groups campaign is not new, Tinypic is quite interesting as it serves as another example of how spam continues to reach out to emerging platforms. While traditional spam has not ceased to exist through email, we have predicted and reported on many spam attacks through new “Web 2.0″ platforms such as social networking sites. To help evade detection, cyber criminals have used services such as Tinyurl in the past to obfuscate their malicious URLs. Tinypic is a similar, recent example of how legitimate service providers are commonly used nowadays to piggyback malicious resources. Regardless of the image, or what the link appears to be, always observe where any hyperlink will actually take you and exercise due care. Finally, the Waledac gang was at it once again with another typical spam campaign, this time on July 4th just in time for the USA’s Independence Day. In terms of overall activity, spam rates continue to hold at high levels, while Japan jumped ahead of the USA into 2nd position for spam volume this period.

With modern threats moving to multiple attack vectors, end users and clients need to be extra cautious. Malicious links are coming fast and furious through layered attacks – bundled up in obfuscated javascript, or on your favorite social networking site. The core of these attacks are quite primitive, and in fact, in most cases nearly identical with the end goal to install malicious payload on a target. Ultimately, the front end of these attacks have moved up higher into the application layer, riding on complex services while the back end (core) remains the same: malicious links, exploits and file attachments.

Since the world wide web and HTTP have become so widely adopted for new complex services, security holes and cloaking methods have arisen. In turn, this realm has become a playground for malware authors, driven by the vast amount of client traffic integrating with the aforementioned services. To successfuly attack clients, servers have increasingly been in focus as a primary attack point. We have witnessed this not only with classic SQL injection, PHP code injection, SEO campaigns, etc – but also with malware recently, turning servers into spawning grounds for all successive client side attacks. For instance, Gumblar was known to siphon FTP account credentials to gain access to servers. The most recent variation of Virut (W32/Virut.CE) targets server side pages – HTM, ASP, and PHP. These pages are injected with further malicious links, leading to a chain of infections. We detect this injected server code as HTML/Virut.CE, and have noticed success on Virut’s part with this methodology.

While Virut.CE has only been in the wild for less than six months, its predecessor who I have written about before – Virut.A, has had much success over the past two years and remains very prevalent to date. Virut.CE seems to be following a similar path, with increasing detection not only on client side infections – but server side as well. Indeed, detections for HTML/Virut.CE, the infected server page component of Virut.CE, rose significantly in April 2009 as infections of W32/Virut.CE begin to pick up. Given Virut.A’s track record, servers may be under attack for quite some time with this threat. While this is only an example of one such attack, it should serve as a reminder that a valid security framework is required for both servers and clients to tackle next generation threats. Such a framework will effectively attack the spawning grounds of modern threats and will surely go a long way in terms of mitigation.

Our April 2009 Threat Landscape Report is now available, recapping a month of threat activity from exploits and malware, to spam. Here are some key movements from the report along with comments:

Waledac is one of the most active malware families to be on the lookout for. This period, we saw a fifth campaign hit since the beginning of this year, serving up malicious variants disguised as SMS spying software. With frequent campaigns, heavy server side polymorphism, binaries packed with fluctuating seed lists (portions of its network), and peer to peer HTTP communication through fast fluxed zombies, it is no wonder this malicious network has been so resilient. Waledac, like many blended threats, is multi-functional with the ability to receive and spew custom spam templates, launch denial of service attacks, and download further components. It was also spotted on Conficker’s network, which, in concert with its own various campaigns, has further helped this family gain momentum.

Four new variants landed in our malware top 10 this period, two of them online gaming trojans. Next to Virut, the three most prevalent threats were gaming trojans with a fourth variant narrowly missing a ranking in our top 10. Collectively, these threats formed a significant portion of our detected activity. The lucrative marketplace created through online gaming certainly has attracted cyber crime with haste, as we have reported over the past year. Real money trading (RMT) is now an estimated $2 billion USD annual market, that is surrounded by illegitimate practices, fueled by threats like the ones you see present in third and fourth position in our malware top ten this period.

W32/Virut.A is still king of the hill in our malware top 10, claiming first position for the second month in a row, building on a year-long run within the top ten. This virulent file infector has a rather consistent daily activity rate, similar to mass mailers – indeed this could be due to self-distribution via mass mailers through its hybrid effect. As we anticipated, no significant activity occurred with Conficker.C on the much hyped April 1st date: however, soon after Conficker.C’s newly established peer to peer network became active.

Exploit activity with MS.DCERPC.NETAPI32.Buffer.Overflow (MS08-067) picked up once again during the first week of April, returning to February levels after a significant drop in March. The drop was due to Conficker.C variants ceasing exploit activity, while the subsequent increase can be linked to several factors outside of Conficker. Most notably, a different malware family was observed to exploit the same vulnerability during this period. This is not too surprising, as vulnerabilities are very much a shared resource that are leveraged for years after disclosure. Over 31% of new vulnerabilities this period (96 in total) were reported to be actively exploited: 36 of the new vulnerabilities were rated as ‘Critical’, marking a year high, up from 30 last period.