Wednesday, June 3, 2009

W32.Neeris.C Alert!!

W32.Neeris.C is yet another Worm that exploits the Microsoft Server Service RPC buffer overflow vulnerability described in the Security Advisory MS08-067 (KB958644). It also targets the USB Removable drives to propagate.

W32.Neeris.C drops a driver %System%\drivers\sysdrv32.sys that works as a rootkit. It starts a Service called "Play Port I/O Driver" by creating the below registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32

The worm creates the following autorun entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"netmon" = "%System%\dllcache.exe"

It creates the below registry entry, to get access through the Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system\dllcache.exe" = "C:\WINDOWS\system\dllcache.exe:*:Microsoft Enabled"

It also creates the below registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dllcache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dllcache

It opens a back door on TCP port 4545 and connects to the following domain:

hxxp:// www . ninjawarlord . com (link deactivated with hxxp)

-------------------------------------------------------------------
Domain Registration Details:
Registrant Contact Information: JOYCEWANG HEBEI TAGNGUO LTD.
Email: li_wangshang@yeah.net
Address: JIANKANG, 300452

Domain Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Registration Date: 2009-4-27
Expiration Date: 2010-4-27

-------------------------------------------------------------------

It also propagates through USB Removable drives by creating the below files in the drive's root:

%DriveLetter%\strongkey-rc1.3-build-208.exe
%DriveLetter%\autorun.inf

Wednesday, April 29, 2009

Update to disable Autorun feature for non optical media

This is in reference to the below blog post (Tuesday, April 28, 2009 9:37 AM) in MSRC:

http://blogs.technet.com/msrc/archive/2009/04/28/changes-in-windows-to-meet-changes-in-threat-landscape.aspx


This is a MUCH REQUIRED modification in Windows OS.

This is definitely a very positive move and would help the entire Microsoft User Base. Protection from third party Antivirus software is required only when we have no other option to fight back against the ever changing and increasing Malware Threat. However, if the Windows OS keeps evolving like this and provides us with some much needed protection from basic threat vectors, we as end users will benefit to a great extent. This would significantly bring down the propagation of a vast majority of the active Malware running loose in the wild.

I hope that we get a Win XP and Vista update for this at the earliest.

Updated - 06 May 2009

Nice post about the Autorun Menace and why Microsoft is willing to change the Autorun feature:

Windows Addresses the Changing AutoRun Threat Environment

Article links to MMPC Blog Post

Monday, April 20, 2009

How DNS Servers & Network Routers Can Help In Malware Tracking?

“Malware Calling Home” is an activity where an infected system tries to connect to a remote host, often the command and control or Malware update center, from where it can either download an updated binary for the infection or receive commands passed on by the Malware herder. This scenario is typically true for Malware that creates Botnets. One of the most common symptoms in such a scenario is multiple infected systems trying to connect to this remote host simultaneously. During such an event there may be complaints of unnecessary and high network usage, and the CPU utilization of certain Servers like the DNS Server, or of devices like the Network Routers, may spike for apparently unknown reasons.

The below figure shows a pictorial representation of the components and activities of a DNS Server. Some of the components are knowingly left out from this figure to keep it simple.


Now these details can help us track Malware activity of a specific kind in the network during its initial stages, if we know a few things about the Malware’s tendency to connect to its parent source and correlate that with the DNS Domain Name Resolution methodology. In this way we would know what to look for and where to look, so that we can be sure of the presence of infected systems in the network.

When an infected system tries to connect to a remote host, say for e.g. abc.bad-domain. biz, the first thing that happens is that it tries to resolve the IP Address of this remote host and queries the DNS Server. Once the DNS Server finds that its own namespace doesn’t contain the said domain (in the case of authoritative servers), it uses the Root Hints so that the respective Servers can forward the request to an authoritative server, which in turn responds with the requested IP Address.

If we suspect that there is probably some Malware related activity happening, which may have infected a chunk of systems in the network infrastructure, then we can try to locate these rogue systems by monitoring the traffic at the DNS Server. We can use a network sniffer (Wireshark, Ethereal, etc.) and try to identify whether there is a pattern where more than one system is trying to access this abc.bad-domain. biz. We may not know that abc.bad-domain. biz is in reality a bad host, so we can try to find out more details about it, and we can find out how many systems are trying to resolve this host name. The source systems from where these resolution requests are coming have to be checked thoroughly and manually. The DNS Server is one of the hot spots from where we can, by monitoring it from time to time, identify and stop a possible outbreak situation proactively.

Another hot spot for a similar kind of scenario is the Network Router. We can also occasionally monitor the Router Cache for Null traffic or traffic that’s targeted to remote destination port 0x01BD (445 in decimal - RPC over SMB). If there are multiple and frequent instances of this kind of traffic in the Router Cache, then these can be indicators of possible Malware Activity. Refer to the figure below.
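The two checks described above (many hosts resolving the same name at the DNS Server, and one host fanning out to many destinations on port 445 at the Router) can be scripted over a packet summary. The following is an added example, not code from the original post; it assumes a simplified one-line-per-packet "src -> dst PROTO detail" format of its own, and the traffic lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample packet summaries (assumed format, not a real capture):
# three internal hosts resolve the same odd domain, and one host fans out
# to several destinations on TCP/445.
SAMPLE_LINES = """\
10.0.0.11 -> 10.0.0.2 DNS query A abc.bad-domain.biz
10.0.0.12 -> 10.0.0.2 DNS query A abc.bad-domain.biz
10.0.0.13 -> 10.0.0.2 DNS query A abc.bad-domain.biz
10.0.0.11 -> 10.0.0.2 DNS query A www.example.com
10.0.0.14 -> 10.0.0.2 DNS query A www.example.com
10.0.0.11 -> 192.0.2.50 TCP dport 445
10.0.0.11 -> 192.0.2.51 TCP dport 445
10.0.0.11 -> 192.0.2.52 TCP dport 445
10.0.0.12 -> 192.0.2.53 TCP dport 445
10.0.0.14 -> 192.0.2.60 TCP dport 443
"""

DNS_RE = re.compile(r"^(\S+) -> \S+ DNS query \S+ (\S+)$")
TCP_RE = re.compile(r"^(\S+) -> (\S+) TCP dport (\d+)$")


def dns_fan_in(lines):
    """Map each queried name to the set of sources that asked for it."""
    askers = defaultdict(set)
    for line in lines.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            askers[m.group(2)].add(m.group(1))
    return askers


def suspicious_domains(lines, min_hosts=3):
    """Names resolved by at least min_hosts distinct sources: the
    'many systems asking for the same host' pattern from the post.
    Returns a sorted list of (name, sorted source list)."""
    hits = []
    for name, srcs in dns_fan_in(lines).items():
        if len(srcs) >= min_hosts:
            hits.append((name, sorted(srcs)))
    return sorted(hits)


def port_fan_out(lines, port=445, min_targets=3):
    """Sources reaching at least min_targets distinct destinations on the
    given port. On 445 this is the spread pattern of MS08-067 worms.
    Returns a sorted list of (source, number of distinct targets)."""
    targets = defaultdict(set)
    for line in lines.splitlines():
        m = TCP_RE.match(line.strip())
        if m and int(m.group(3)) == port:
            targets[m.group(1)].add(m.group(2))
    return sorted((s, len(d)) for s, d in targets.items() if len(d) >= min_targets)


if __name__ == "__main__":
    for name, srcs in suspicious_domains(SAMPLE_LINES):
        print(f"{name} queried by {len(srcs)} hosts: {', '.join(srcs)}")
    for src, n in port_fan_out(SAMPLE_LINES):
        print(f"{src} connected to {n} distinct hosts on TCP/445")
```

The hosts it reports are the ones the post says must then be checked thoroughly and manually; the thresholds are starting points to tune for the size of the network.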


I welcome any comments or suggestions about this post. If any of you feel that certain things can be pointed out, corrected or explained further, then please feel free to send me a mail and let me know. I would definitely try to make the changes to this article.

Tech.Ed-India 2009 - Hyderabad (May 13th - 15th)

Microsoft Tech.Ed-India 2009 will be held at the Hyderabad International Convention Center (HICC) in Hyderabad, India (May 13th - 15th).

This is an opportunity of a lifetime to interact with some of the leading lights in the business and technology space globally, talk to Microsoft product development teams directly, and get in-depth hands-on-trainings and certifications in some of the most coveted and anticipated technologies.




Tech.Ed-India FAQ - http://www.microsoft.com/india/teched2009/faqs.aspx

Be a Part of the Experience - http://www.microsoft.com/techedonline/default.aspx

Jump in for free Technology sessions - http://www.virtualtechdays.com

Learn more about Tech.Ed-India 2009 - http://www.microsoft.com/india/teched2009/event.aspx

Register Now - http://www.microsoft.com/india/teched2009/Register.aspx

Wednesday, April 15, 2009

Night of the Living Dead!!

The concept of Zombies has haunted mankind since the dawn of civilization.

Zombies are generally corpses brought back from the dead by supernatural means, and are under someone’s direct control.

Zombies are not the stuff of Hollywood storyline, voodoo witchcraft or black magic anymore. The Night of the Living Dead has come alive in the world of Information Technology. Zombies are no longer fiction; they have come to haunt the tech savvy lives of the 21st century.

Online criminals are harvesting on the concept of the Zombie. They can use viruses to take control of a large number of computers over a period of time, and then turn them into "Zombies" that work together as a powerful army of infected systems called "Bots" to perform malicious activities. The term "Botnet" is used to refer to any group of such bots.

Botnet is a term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "Zombie" computers controlled remotely. This can also refer to the network of computers using distributed computing software.



The viruses or Malware that turn a system into a Zombie and make it part of the global network of botnets do not usually harm the infected system. The reason is that Zombie computers must be up and running and connected to the Internet for the botnets to be active, so that they can be used for more devastating activities.

With Conficker around, the Storm of 2008, Rustock, Srizbi and many more, they have become a serious threat on the Internet. Now these attacks are more targeted and usually financial gain is the motive behind them. Gone are the days when DDoS was the only item on the menu. Of late, Malware Activity is aiding a million dollar fraud industry. Botnets comprising millions of individual "Zombie" computers (BOTS) or more can distribute spam, transmit viruses, attack other computers or servers, carry out DDoS as part of Hacktivism and commit various other sinister crimes.

Monday, April 13, 2009

Thank You Microsoft

Today I have received my MVP Award Kit. This really was a proud moment for me to hold the award in hand.

MVP Crystal Memento

Thank you Microsoft, once again, for the wonderful Crystal Memento.

Saturday, April 11, 2009

Conficker and Traffic Converter

Most of us know why Conficker Worm was named CONFICKER but for those who don’t know why the name CONFICKER was chosen for this Worm, here is a little information.



The name of this Worm was kept as Con-Fic-K-Er because the Reversers who were analyzing this Worm’s first variant (W32/Conficker.A) found the presence of a string called “trafficconverter .biz”. The name of this Worm was taken from this string by rearranging portions of it.


Trafficconverter .biz = Traf+FIC + CON+Vert+ER = Con+Fic+”K”+Er = CONFICKER


The purpose of “trafficconverter .biz”, which later became “traffic-converter .biz” and “trafficconverter2 .biz”, was to recruit affiliates so that the already existing misleading applications, better known as Rogue Applications, could be installed on more and more systems around the world. A quote from “trafficconverter .biz” about the affiliate program is below:


What is Traffic Converter?

Traffic Converter is affiliate program that helps webmasters to convert their traffic into cash.


How it works?

We are selling popular antispyware and security software products to surfers which you send to us. You receive $30 for each sale of our products.


Why does it work so good?

With our direct-marketing approach, aggressive promotion materials and advanced software products you can earn much more than with other affiliate or advertising programs.


The owners of “trafficconverter .biz” were very much involved in spreading these misleading applications, commonly known as Rogue AntiSpyware. The Conficker.A variant also attempted to download a payload from their domain. However, this variant was never able to download the payload file hxxp://trafficconverter .biz/4vir/antispyware/loadadv.exe because the “trafficconverter.biz” domain was shut down as an early response to the Conficker Threat.


Also, mentioned below are the WhoIs details of the “trafficconverter .biz” domain:


Domain Name: TRAFFICCONVERTER .BIZ

Domain ID: D22305317-BIZ

Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY .COM

Registrant Name: Daniel Adams

Registrant Organization: eosads

Registrant Address1: 13 Baterman Street

Registrant City: London

Registrant Postal Code: W1D 3AF

Registrant Country: UNITED KINGDOM

Registrant Country Code: GB

Registrant Phone Number: +41.225349854

Registrant Email: ddarkmaster@gmail .com

Last Transferred Date: Mon Dec 01 14:04:54 GMT 2008

Status: SUSPENDED (This Domain Name is Suspended)


The “trafficconverter .biz” domain operated along with various sister domains viz.


Domain Name: XPANTIVIRUS .COM

Registrant: VerifiedSofts

John Davidson ddarkmaster@gmail .com

London.Barnet str. 12/22

London, Barnet, 12012, GB

Tel. +44.7917722025

Creation Date: 20-Sep-2007

Expiration Date: 20-Sep-2010

Status: SUSPENDED (This Domain Name is Suspended)


Domain Name: ANTISPYGUARD .COM

Registrant: Verified Software

Victor Temchenko verifiedsoftware@gmail .com

Geroev Truda 68 - 136

Kharkov, 61038, UA

Tel. +38.0638550739

Creation Date: 23-Aug-2007

Expiration Date: 23-Aug-2009

Status: SUSPENDED (This Domain Name is Suspended)


Domain Name: ANTIVIRUS2009ONLINE .COM

Registrant: eosads

Daniel Adams ddarkmaster@gmai l.com

13 Baterman Street

London, W1D 3AF, GB

Tel. +41.225349854

Creation Date: 15-Aug-2008

Expiration Date: 15-Aug-2009

Status: SUSPENDED (This Domain Name is Suspended)


Domain Name: TRAFFIC-CONVERTER .BIZ

Sponsoring Registrar: ENOM, INC.

Registrant ID: DI_8661402

Registrant Name: John Davidson

Registrant Organization: VerifiedSofts

Registrant Address1: London. Barnet str. 12/22

Registrant Postal Code: 12012

Registrant Country: UNITED KINGDOM

Registrant Country Code: GB

Registrant Phone Number: +44.7917722025

Registrant Email: ddarkmaster@gmail .com



Refer to McAfee Site Advisor’s details about the online affiliations for “traffic-converter .biz”:






Domain Name: TRAFFICCONVERTER2 .BIZ

Domain ID: D28746672-BIZ

Domain Status: OK

Registrant ID: 43249773

Registrant Name: Privat person

Registrant Organization: Privat person

Registrant Address1: Rue la produit 34

Registrant City: Marseille

Registrant Postal Code: 13004

Registrant Country: France

Registrant Phone Number: +1.33491858954

Registrant Facsimile Number: +1.33491858954

Registrant Email: adultblogz7@yahoo .com

Billing Contact ID: 17289307

Billing Contact Name: XiaMen BizCn Computer & NetWork CO.,Ltd

Billing Contact Address1: 1F - 4F,

Billing Contact Address2: Software Technology Service Builing,

Billing Contact City: XiaMen, FuJian

Billing Contact Postal Code: 361004

Billing Contact Country: China

Billing Contact Phone Number: +1.865922577

Billing Contact Email: domain@bizcn .com

Domain Registration Date: Mon Dec 15 18:29:57 GMT 2008

Domain Expiration Date: Mon Dec 14 23:59:59 GMT 2009


Soon after “trafficconverter .biz” was taken down, the owners came back with a domain “trafficconverter2. biz”. However, they again went down, saying that their payment processor had blocked them. Further, to plead “Not Guilty”, they issued a notice that they had no connection with the Conficker Mayhem. Read the disclaimer below:


This is absolutely unprecedented case when two of the largest payment system called the requirement to block the Merchant. We also have a reason to believe that the situation was caused by the recent publication about us and our products in Washington Post:
http://voices.washingtonpost.com/securityfix



There are, as you can see, some very serious accusations. Including the relation to Conficker, which we actually are not implicated with (and can prove it if necessary).



As a result of this situation:
- No money to pay;
- No capacity to process products (not because we're not working, but because this volume is not endure any processor)
- There is a chance to get ourselves under prosecution and let down Webmasters.


So, the decision was made to default and shut down the Traffic Converter. In case we resolve this issue and manage to refund the money from the bank, we will pay you off all debts as quickly as possible.
If we manage to get the stable traffic conversions we have demonstrated during the year and a half, we will contact you on individual basis.


Thanks to everyone for successful business cooperation.



These sites are instrumental in distributing Rogue Applications, and once a system is infected they go to every possible extent to apply scare tactics and fool the users into coughing up money for applications that are anything but Security Software. These rogue applications can also inject code into the search results of Google or the homepage of Google itself (this means that the client system from where we are doing the search or opening the Google homepage is infected). Refer to the screen below:



For more information about these Rogue AntiSpyware Applications refer to the below article:

http://www.malwareinfo.org/files/RogueAntiSpyware.pdf



Friday, April 10, 2009

Another New Variant of Conficker/Downadup

When is it going to stop!!

Yet another variant of Downadup has been detected in the wild. Symantec has called it the W32.Downadup.E variant. Again rated as a Level 2 Threat.

Refer below for the technical details of the worm:

The worm may be downloaded or delivered silently through Web exploits and then executed.

> It patches “tcpip.sys” in order to increase the number of concurrent network connections available on the system.

> The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.

> This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.

> The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks. This variant has the UPnP capabilities that have been seen in previous versions of Downadup.

> It shows a strange behavior: on May 3, 2009, the worm sets itself to be removed when the computer restarts. However, it does not remove the dropped W32.Downadup.C infection.

Writeup Taken from Symantec:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-040823-4919-99

Monday, April 6, 2009

PowerPoint Zero-Day Vulnerability - Security Advisory (969136)

Microsoft Security Advisory (969136)
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/969136.mspx

Products affected:
Microsoft Office PowerPoint 2000 Service Pack 3
Microsoft Office PowerPoint 2002 Service Pack 3
Microsoft Office PowerPoint 2003 Service Pack 3
Microsoft Office 2004 for Mac.

Product not affected:
Microsoft Office PowerPoint 2007

Microsoft will take the appropriate action to protect their customers, which may include providing a solution through their monthly security update release process, or an out-of-cycle security update, depending on customer needs.

More information about the vulnerability can be found at the below links:

Security Focus
http://www.securityfocus.com/bid/34351/info

CERT - Vulnerability Note VU#627331
http://www.kb.cert.org/vuls/id/627331


There are three viruses in the wild that exploit this vulnerability.

Please refer below for more details:


Detection:

> Symantec detects the malicious PowerPoint file as: Trojan.PPDropper.H.

> Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.AB. The files dropped are detected as TROJ_KUPS.F and BKDR_KUPS.F

> Microsoft detects the malicious PPT as Exploit:Win32/Apptom.gen. The dropped files are detected by Microsoft as TrojanDropper:Win32/Apptom.A, TrojanDropper:Win32/Apptom.B, TrojanDropper:Win32/Apptom.C and Trojan:Win32/Cryptrun.A.

Behavior:

The Trojan arrives as the following email attachment:
[RANDOM FILE NAME].ppt

Once the .ppt is opened, it drops and executes an additional file by exploiting the following Microsoft PowerPoint vulnerability:
Microsoft PowerPoint File Parsing Remote Code Execution Vulnerability (BID 34351)

The dropped file may create additional files on to the compromised computer and then the Trojan deletes the dropped file. At the time of writing, the following files were created:

%Temp%\PeerCM.exe
%ProgramFiles%\Internet Explorer\IEUpd.exe
%ProgramFiles%\Internet Explorer\IEXPLORE.hlp
%ProgramFiles%\Internet Explorer\ws2_42.dat
%ProgramFiles%\Internet Explorer\ws2_42.dll
%ProgramFiles%\Internet Explorer\ws2help.dll

MD5 & SHA1 hashes:
Please be careful about files with the below MD5 & SHA1 Hashes:


An analysis of the exploit can be found at the below link:

Investigating the new PowerPoint issue
http://blogs.technet.com/srd/archive/2009/04/02/investigating-the-new-powerpoint-issue.aspx

Source MMPC Blog
http://blogs.technet.com/mmpc/archive/2009/04/02/new-0-day-exploits-using-powerpoint-files.aspx

Friday, April 3, 2009

Microsoft MVP - Consumer Security (2009)

I just can say one thing...

WOW!!!!



I have received the prestigious Microsoft MVP - Consumer Security (2009) award...

https://mvp.support.microsoft.com/profile=62F27767-F7D0-448F-84C7-F28501B6ECCB