The Eye of the Storm

The recent massive spam run by the makers of the infamous “Storm Trojan” resulted in numerous variants hitting our honey pots. Dynamic re-packing and server-side polymorphism allows the creators of the "Storm Trojan" to create new binaries every few minutes. The variants are then spammed out using the strong de-centralized botnet they have created in an attempt to thwart signature based detections. The "Storm" botnet is several million computers strong, most of which are un-suspecting users who have become victim to the trojan's social engineering tactics.

( Source of the picture: sro.hse.gov.uk )

Newer attack vector…

The most recent variants are being spammed as encrypted zip file attachments via spoofed e-mails. The password for the encrypted zip is included as a GIF image within the e-mail. The GIF image also includes a message posing as a security patch being offered by some arbitrary Customer Support Center. This new variant employs numerous anti-debugging techniques in order to thwart analysis. It is also packed with a polymorphic packer.

The Intent…

The Trojan displays tactical use of social engineering techniques arriving as an attachment to an e-mail. The goal is to lure an un-suspecting user to execute the Trojan which would render the victim machine part of a huge botnet. The primary purpose of the botnet being to send out penny stock spam (also called pump-and-dump penny stock) or to initiate Distributed Denial of Service (DDoS) attacks. Subsequent versions of the Trojan were distributed by means of embedding it within an open source e-mail worm.

Shying away from IRC!!

The botnet that is being created communicates over a peer-to-peer network (P2P) for its Command and Control (C&C) rather than the traditional IRC communication. This ensures creation of a “headless” botnet that is not bogged down by a single point of failure. The Storm Trojan’s implementation of Web HTTP and P2P methods of communication are indicative of the shift toward stealthier means of building a botnet. Such a de-centralized network allows for data and information to be "sync-ed" among each of the nodes of the botnet and to any of the newer nodes that are being added to the botnet. Each of the infected nodes will also carry a "peers list".

What drives the Storm?

When the Trojan is executed, it drops a kernel mode driver (wincom32.sys) that it registers as a service via the Service Control Manager (SCM). Initial versions of this driver did not attempt to hide any files or registry entries but did include stealth in order to execute its payload. Subsequent versions of this driver program started to incorporate more and more rootkit like functionalities in order to hide registry entries, files, and active communication ports.

This driver program is instrumental in executing the Trojan’s payload. The payload is an embedded executable within the driver program. In order to execute the payload the driver employs stealth techniques. The payload is injected from kernel space into the user space of “services.exe” and scheduled for execution by queuing an Asynchronous Procedure Call (APC) for it. Due to this, there is no “visible” process executing the payload if we were to use tools such as Window’s Task Manager or Process Explorer. Initial versions showed significant network activity via newly opened ports (UDP traffic). Subsequent versions of the driver program incorporated rootkit techniques in order to hide files and registry keys (by hooking the Service Descriptor Table) as well as any active communication ports (by hooking IRP_MJ_DEVICE_CONTROL of the ‘\Device\Tcp’ object).

Digg This | Slashdot This | Add to del.icio.us

ANI Exploits, NX-bit, DEP, Protected Mode… jargon

Since its discovery in the wild, there are now hundreds of specially crafted websites that host malicious ANI files that exploit the “Windows Animated Cursor Handling” vulnerability. This vulnerability is exploitable on fully patched Windows XP SP2 and Vista running Microsoft’s Internet Explorer 7 or Mozilla FireFox 2. Simply visiting such a rigged website will render a victim machine infected. The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. When such an attachment is viewed or opened with Outlook or Outlook Express the victim machine will be infected by a host of malware. Also, if a malicious ANI file is viewed using Explorer (file extension matters in this case), the exploit will be triggered.

Speaking of browsers, the damage is mitigated if Internet Explorer 7 is running in Protected Mode. This will still permit the malware to have read-only access to a user’s files, allowing it to steal and copy personal data, but will not be able to alter or delete any data. UAC (User Account Control) in Vista might only be able to prevent installation of persistent malware, but won’t prevent damage to user’s data unless the browser is running in Protected Mode. FireFox does not have Protected Mode under Vista, and if exploited using the ANI file vulnerability, will allow malicious code to execute with similar privileges as the logged on user allowing complete disk read and write. Do not get confused with “Safe Mode” in FireFox which is purely for debugging purposes.

The ANI exploit is preventable by enabling DEP (Data Execution Prevention) in Windows XP SP2 or Vista. When enforced with hardware NX/XD support, DEP will prevent the exploit from being triggered. Beginning with Windows XP Service pack 2 and Windows Server 2003 Service Pack 1, the NX features were implemented for the first time on x86 architectures. The NX bit (as termed by AMD which stands for No eXecute) or XD bit (as termed by Intel which stands for eXecute Disable), is a technology used in CPUs to separate areas of memory for storage of processor instructions (i.e. code) and for storage of data. The section of memory designated with the NX attribute indicates it to be used for storing data. Hence, even if processor instructions reside in such a section of memory, they cannot be executed. This prevents malicious programs from executing their own code which they might have inserted into another program’s data storage area. This is precisely what the ANI exploit does, and DEP (OS feature) combined with NX/XD (CPU feature) can prevent this from happening.

But Microsoft ships most of its Window’s operating systems with DEP turned off by default. It is on the user to turn DEP “on” for all applications. This might render a few applications not functioning properly, but I believe this is a price well worth the bargain. This should also teach application developers to adhere to safe programming practices.

Microsoft will be releasing an out-of-cycle patch for this vulnerability today.

Digg This | Slashdot This | Add to del.icio.us