The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.

Analyst's Diary

IE feature exploited ITW


  Roel       June 27, 2008 | 16:25  GMT

comments (5)  

Quite a long time ago I contacted Microsoft regarding what I thought was an XSS vulnerability in IE.

Microsoft disagreed, preferring to call it a 'feature'.

This feature allows javascript embedded in GIF files to be executed under certain circumstances. The javascript may point to an alternate domain (as is the case with XSS vulnerabilities).

And this is what I saw yesterday - a compromised site containing a modified GIF file which exploits this XSS vulnerability.

The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a 'file not found' error message.)

Here's the GIF:

This goes one step further than today's common web site compromises, where some javascript is simply added to the main page.

Clicking "view source" doesn't reveal any malicious code – and this makes a quick analysis of the threat more difficult.

Following this discovery we've contacted Microsoft again – hopefully they'll reconsider their position on this issue.
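As an added illustration (not code from the post or from Kaspersky Lab), here is a small scanner for the pattern described above: a file that starts as a valid GIF but also carries HTML markup such as an iframe. It walks the GIF block structure to find the trailer byte, so it can say whether the markup was appended after the image or buried inside the block stream; the two sample images are constructed.

```python
import re

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
# Markup that has no business inside image data (matched case-insensitively)
HTML_MARKERS = re.compile(rb"<\s*(iframe|script|object|embed|html|body)\b", re.IGNORECASE)

def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset of the trailer byte (0x3B), or -1 if malformed."""
    if data[:6] not in GIF_SIGNATURES or len(data) < 13:
        return -1

    def skip_subblocks(p):
        while p < len(data) and data[p] != 0:
            p += 1 + data[p]            # each sub-block: length byte + payload
        return p + 1                    # step over the 0x00 block terminator

    packed, pos = data[10], 13          # logical screen descriptor packed field
    if packed & 0x80:                   # global colour table: 3 * 2^(n+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:
            return pos
        if block == 0x21:               # extension: introducer, label, sub-blocks
            pos = skip_subblocks(pos + 2)
        elif block == 0x2C:             # image descriptor (10 bytes incl. introducer)
            if pos + 10 > len(data):
                return -1
            local = data[pos + 9]
            pos += 10
            if local & 0x80:            # local colour table
                pos += 3 * (2 << (local & 0x07))
            pos = skip_subblocks(pos + 1)   # LZW minimum code size, then image sub-blocks
        else:
            return -1                   # unknown block: not a well-formed GIF
    return -1

def scan_gif(data: bytes) -> dict:
    """Report HTML markup inside a GIF and whether it was appended after the trailer or sits in the stream."""
    trailer = gif_trailer_offset(data)
    hits = [(m.start(), m.group(1).lower().decode()) for m in HTML_MARKERS.finditer(data)]
    if not hits:
        return {"verdict": "clean", "trailer": trailer}
    offset, tag = hits[0]
    location = "appended" if 0 <= trailer < offset else "inside-stream"
    return {"verdict": "suspicious", "tag": tag, "offset": offset, "location": location}

# Constructed samples: a valid 1x1 GIF, and the same image with an iframe appended after the trailer
TINY_GIF = (b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
            + b"\x21\xf9\x04\x00\x00\x00\x00\x00"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
POLYGLOT_GIF = TINY_GIF + b'<iframe src="http://example.invalid/"></iframe>'
```

Later IE versions honour an X-Content-Type-Options: nosniff response header, which stops the browser from reinterpreting an image response as HTML; serving images from a separate origin limits what such a file can reach even when it is rendered.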

Another way of restoring files after a Gpcode attack


  VitalyK       June 26, 2008 | 12:58  GMT

comment  

Our previous blog on Gpcode said we'd managed to find a way to restore files in addition to those files that can be restored using the PhotoRec utility.

It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.

Where can these unencrypted files be found? They may be the result of using PhotoRec. Moreover, these files may be found in a backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on a camera’s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached.

We can't guarantee that files will be restored, as the method used relies not only on the user having unencrypted versions of the affected files but also on the characteristics of the infected machine. All the same, the results we achieved during testing (80% of encrypted files were restored) suggest that it's worth doing if you need to recover your files.

The more pairs of files that can be found the more data that can be restored.

Detailed instructions on the use of the StopGpcode2 tool can be found in the description of Virus.Win32.Gpcode.ak.

Shockwave exploits


  VitalyK       June 19, 2008 | 19:15  GMT

comments (1)  

We have discovered one interesting technique to hide malicious code from researchers.

The initial infection was a common iframe injection on a web page. The iframe page loaded a tiny Shockwave file, which was only 158 bytes long!

This file uses the internal ActionScript global variable ("$version") to get the version of the user's OS and of the plugin that handles Shockwave files.

The $version variable evaluates to something like "WIN 9,0,12,0", which is the short platform name followed by the version and revision numbers of the Adobe Flash Player plugin. After that, 4561.SWF tries to download and run another .SWF based on this string. In the case above it tried to download the file "WIN 9,0,12,0i.swf". The server replied with the famous ERROR 404: "File Not Found". But that was done on purpose. If the 4561.swf file was tested in an automated sandbox, a researcher may not have noticed that the second .SWF file was unavailable not because there was no malicious code on the server, but because the sandbox used a different version of the Adobe Flash Player plugin.

I have checked all the possible versions and found 6 different .SWF exploits.

Here is the list of files that I found:
WIN 9,0,115,0i.swf
WIN 9,0,16,0i.swf
WIN 9,0,28,0i.swf
WIN 9,0,45,0i.swf
WIN 9,0,47,0i.swf
WIN 9,0,64,0i.swf

The files were already detected by our engine as Exploit.SWF.Downloader.c, but they were new variations that were not yet in our malware collection. The first sample of Exploit.SWF.Downloader was detected on 2008-05-27.

This exploit uses a vulnerability in Adobe Flash Player caused by incorrect handling of a DefineSceneAndFrameLabelData tag with a negative value in its SceneCount parameter. The shellcode can be found in the SWF file as an embedded image with an incorrect image size.

So, to sum up, I would like to repeat that this technique allows the attacker to download a specific exploit for the specific version of the vulnerable Adobe Flash Player plugin and, at the same time, to hide the actual malicious code from curious researchers.
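An added detection example (not code from the post or from Kaspersky Lab) for the tag the post names: it parses an uncompressed (FWS) SWF, walks the tag list and decodes the SceneCount field of every DefineSceneAndFrameLabelData tag (tag code 86), flagging a value whose sign bit is set. The tag code and the EncodedU32 field encoding follow the published SWF specification; the two SWF files are constructed test data that carry only the tag field, no exploit.

```python
import struct

DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86   # tag code from the SWF specification

def read_encoded_u32(data: bytes, pos: int):
    """Decode an SWF EncodedU32: 7 bits per byte, least significant first, high bit means 'more follows'."""
    value, shift = 0, 0
    for _ in range(5):
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos

def swf_tags(data: bytes):
    """Yield (tag_code, body) for an uncompressed SWF; compressed (CWS) files must be inflated first."""
    if data[:3] != b"FWS":
        raise ValueError("not an uncompressed SWF")
    pos = 8                                   # signature(3) + version(1) + file length(4)
    nbits = data[pos] >> 3                    # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos += (5 + 4 * nbits + 7) // 8           # RECT is padded to a byte boundary
    pos += 4                                  # frame rate (u16) + frame count (u16)
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                    # long form: explicit u32 length follows
            length = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        yield code, data[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            break

def negative_scene_counts(data: bytes):
    """Return every SceneCount that is negative when read as a signed 32-bit value."""
    found = []
    for code, body in swf_tags(data):
        if code == DEFINE_SCENE_AND_FRAME_LABEL_DATA and body:
            count, _ = read_encoded_u32(body, 0)
            if count & 0x80000000:
                found.append(count)
    return found

def build_swf(tags):
    """Assemble a minimal FWS file around the given tags (constructed test data, not a real exploit)."""
    body = b"\x00"                            # RECT with Nbits=0: zero-sized stage
    body += struct.pack("<HH", 12 << 8, 1)    # 12.0 fps as 8.8 fixed point, one frame
    for code, tag_body in list(tags) + [(0, b"")]:
        body += struct.pack("<H", (code << 6) | len(tag_body)) + tag_body
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body

SCENE = b"\x00Scene 1\x00\x00"                # offset 0, scene name, FrameLabelCount 0
BENIGN_SWF = build_swf([(86, b"\x01" + SCENE)])                    # SceneCount = 1
SUSPECT_SWF = build_swf([(86, b"\xff\xff\xff\xff\x0f" + SCENE)])   # SceneCount = 0xFFFFFFFF (-1)
```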

Beware of free plug-ins


  Dmitry       June 17, 2008 | 22:45  GMT

comments (4)  

Do you like e-books? Free ones? They're easy to find: e-books are often uploaded to public servers such as rapidshare, megaupload and others. Anyone who finds the link can download books from such websites for free.

Is it safe? Well – judge for yourself. Just the other day I found a browser plug-in on BitRoad dot net that people can download and use as a tool to download e-books. The plug-in is browser independent and attacks both IE and Firefox.

And yes…it was malware - AdWare.Win32.Kitsune.f. I checked for detection on Virus Total and the results were not great – 9/32 (26.13%).

And this is just one incident. In reality, this occurs every day. Plug-ins on any open freeware website can be malicious - there are no guarantees and obligations, after all. So...stay safe and surf cautiously. As ever.

Gpcode update


  VitalyK       June 17, 2008 | 17:23  GMT

comment  

Our StopGpcode project has attracted a lot of attention from individual researchers and organizations who are interested in solving the puzzle of the blackmailing virus. Thanks for all the feedback.

Among other things, we've been asked a lot about how the virus propagates. Having analyzed a number of infected computers we've come to the conclusion that the virus gets onto the victim machine with the help of another malicious program – a bot with Trojan-Downloader functionality. The victim machines had been infected with this malicious program well before Gpcode appeared on them; and the bot downloaded a whole range of other Trojan programs in addition to the Gpcode virus.

The RSA private key hasn't been found, but some interesting ideas have surfaced. For instance, a detailed analysis of the algorithm used by Gpcode has shown that the author of the virus made an error which makes it possible (under certain circumstances) to decrypt encrypted files without the private key.

This method restores from 0% to 98% of all encrypted files on the computer. The results depend on a number of factors, beginning with the system that was attacked. At the moment it's impossible to give an average number of files that could be recovered from a 'typical' computer.

Kaspersky Lab researchers are currently working on creating a file restoration utility that will utilize this new method.

Restoring files attacked by Gpcode.ak


  VitalyK       June 13, 2008 | 12:37  GMT

comment  

Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition.

When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted version of the original file's data to this new file, and then deletes the original file.

It's known that it is possible to restore a deleted file as long as the data on disk has not been significantly modified. This is why, right from the beginning, we recommended users not to reboot their computers, but to contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode.

What did we settle on? An excellent free utility called PhotoRec, which was created by Christophe Grenier and which is distributed under General Public License (GPL).

The utility was originally created in order to restore graphics files (presumably that's why it's called PhotoRec, short for Photo Recovery). Later, the functionality was extended, and the utility can currently be used to restore Microsoft Office documents, executable files, PDF and TXT documents, and also a range of file archives.

You can find a full list of supported formats here. The official PhotoRec utility site is here. The PhotoRec utility is part of the TestDisk package, and you can find the latest version of TestDisk, including PhotoRec here.

It should be stressed that PhotoRec excels at the task it was designed for: restoring file data on a specific disk. However, it has difficulty in restoring exact file names and paths. In order to address this issue, we've developed a small, free program called StopGpcode.

If you've fallen victim to GpCode, don't pay the author of the virus to restore your data. Use PhotoRec instead – if you want, you can make a donation to the developer of the program.

The description of Gpcode contains detailed instructions on how to manually restore files attacked by the virus using PhotoRec and Stopgpcode.
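An added example, not part of the post and not PhotoRec's own code, showing in miniature what signature-based carving does and why names and paths are lost: it scans a raw disk image for file headers and footers and returns the recovered contents, but there is no directory entry to tell it what the file used to be called. The disk image, the "original" files and the stand-in encrypted copy are all constructed.

```python
# (header, footer) signatures for three of the file types Gpcode targets
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes):
    """Return [(offset, kind, data)] for every header/footer pair in a raw disk image.
    Nothing here consults a directory: recovered files come back with content but no name or path."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(tail, start + len(head))
            if end == -1:                       # header without a footer: truncated or overwritten
                break
            end += len(tail)
            found.append((start, kind, image[start:end]))
            start = image.find(head, end)
    return sorted(found)

def build_image(files, cluster=512):
    """Lay files out on a constructed 'disk', each padded to a cluster boundary."""
    image = bytearray()
    for data in files:
        image += data + b"\x00" * (-len(data) % cluster)
    return bytes(image)

# Constructed scenario: Gpcode wrote an encrypted copy and deleted the original,
# but the original's clusters were not yet overwritten, so its data is still on disk.
ORIGINAL_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
ENCRYPTED_COPY = bytes(b ^ 0x5A for b in ORIGINAL_PDF)   # stand-in ciphertext, not Gpcode's RSA
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\xff\xd9"
DISK = build_image([ENCRYPTED_COPY, JPEG, ORIGINAL_PDF])
```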

Malware Miscellany, May 2008


  Yury       June 12, 2008 | 12:30  GMT

comments (2)  


  1. Greediest Trojan targeting banks

    Trojan-Spy.Win32.Banker.mrj comes out as the greediest banking Trojan in May, targeting the clients of 103 banks simultaneously.

  2. Greediest Trojan targeting payment systems

    Although Trojan-PSW.Win32.Staem only targets a relatively modest three payment systems, it still comes out top in this category.

  3. Greediest malicious program targeting payment cards

    This month, one of the new modifications of Trojan-Spy.Win32.Banker.tq takes the prize, targeting five payment card systems at once – no mean feat for malware in this category!

  4. Stealthiest malicious program

    May's stealthiest piece of malware is from an old family: the winning modification of Backdoor.Win32.Hupigon.bxbu is packed nine times over.

  5. Smallest malicious program

    Trojan.Bat.KillWin.dg, in spite of being a minimal 15 bytes in size, is still able to destroy Windows on the user's disk.

  6. Largest malicious program

    Although this month's winner, Trojan-Spy.Win32.Banker.fgw is a chunky 30MB in size, that's by no means a record for this category.

  7. Most malicious program

    A modification of Backdoor.Win32.Agobot.pgj wins the prize for maliciousness in May, as it combats antivirus solutions by deleting security software from the victim machine.

  8. Most common malicious program in email traffic

    For the nth time, we've got Email-Worm.Win32.Netsky.q leading this category, as it made up 23.12% of all malicious mail traffic in May.

  9. Most common Trojan family

    There's another old-timer here: 3301 new variants of the Backdoor.Win32.Hupigon family appeared in May.

  10. Most common virus/ worm family

    This category shows more variation than the preceding two: Net-Worm.Win32.Kolab.c, in 276 modifications, is a new winner of this nomination.



Don't be a victim


  June 09, 2008 | 17:38  GMT

comment  

The whole new Gpcode outbreak has set me thinking about attackers and victims in general. Yes, decrypting the key used by the new Gpcode is a thorny problem and there's no guarantee of success. So I'd like to remind everyone that common sense is as important as good technology.

Passivity on the part of victims gives cyber-attackers free rein. If you've lost your data to Gpcode and are desperate to recover it…even if you give in and rush to purchase an egold account, you can still help stop whoever's behind this. Don’t just send the PIN code to the blackmailers. Send a copy to the support service of the e-payment system you are using. This will help the investigators track the criminal. And tracking the criminal means s/he might even be caught red-handed.

On the other hand, victims failing to take any action guarantees that the criminal will never be caught – which means there will be new victims – or the same victims will suffer again…and again...and again.

Final thought – I hope that a fourth post on this subject isn't misleading anyone. There is no Gpcode epidemic; we've seen a limited number of infections to date.

However, technical threats aside, it's user awareness that continues to be a global issue. Stop being a victim, back up your data and take my comments above in context of Gpcode's history. And then review your own information security in this context as well.

Help crack Gpcode


  Aleks       June 06, 2008 | 17:50  GMT

comment  

If you read Vitaly's blogpost yesterday, you'll know that on the 4th June 2008 we detected a new variant of Gpcode, a dangerous file encryptor. Details of the encryption algorithms used by the virus are all in Vitaly's post and the description of Gpcode.ak.

Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.

Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem.

So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.

Here are the public keys used by the authors of Gpcode.

The first is used for encryption in Windows XP and higher.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a
ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053
9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0
e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d

The second is used for encryption in versions of Windows prior to XP.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724
7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2
c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a
b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb

The RSA exponent for both keys is 0x10001 (65537).

The information above is sufficient to start factoring the key. A specially created utility could be of great help in factoring.

We're happy to provide additional information to anyone involved in stopping Gpcode. To keep everyone up to date, we've set up a dedicated forum.
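An added example, not code from the post or from the StopGpcode project, that loads the two public keys quoted above and runs the cheap sanity checks an analyst would want before committing CPU to factoring: key size, parity, a trial-division pass, a perfect-square test and a shared-factor test between the two moduli. It assumes the hex is printed most significant byte first (a CryptoAPI key blob stores the modulus little-endian, so a dump taken straight from such a blob would need byte reversal first).

```python
from math import gcd, isqrt

def modulus_from_hex(lines):
    """Join the hex lines as printed in the post, most significant byte first, into one integer."""
    return int("".join(lines), 16)

# The two public keys quoted above (first: Windows XP and later; second: earlier Windows)
N_XP = modulus_from_hex([
    "c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a",
    "ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053",
    "9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0",
    "e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d",
])
N_PRE_XP = modulus_from_hex([
    "d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724",
    "7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2",
    "c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a",
    "b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb",
])
E = 0x10001

def small_primes(limit):
    """Primes up to limit by a plain sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]

def key_report(n, e, other=None):
    """Sanity checks worth running before spending CPU on factoring: size, parity, trial division,
    perfect-square test, and (if another modulus is given) a shared-prime test via gcd."""
    report = {
        "bits": n.bit_length(),
        "exponent": e,
        "odd": n % 2 == 1,
        "small_factor": next((p for p in small_primes(100_000) if n % p == 0), None),
        "perfect_square": isqrt(n) ** 2 == n,
    }
    if other is not None:
        g = gcd(n, other)
        report["shared_factor"] = None if g == 1 else g   # a common prime would break both keys at once
    return report

if __name__ == "__main__":
    print("XP+   ", key_report(N_XP, E, other=N_PRE_XP))
    print("pre-XP", key_report(N_PRE_XP, E, other=N_XP))
```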

A cautionary reminder


  David       June 05, 2008 | 18:26  GMT

comment  

Following on from Vitaly's post about the new Gpcode variant, I just thought I'd remind everyone to back up their data.

That way, if you do fall victim to Gpcode and your files get encrypted, at least you won't have lost any valuable information.

Gpcode: the return of the file encryptor


  VitalyK       June 05, 2008 | 16:00  GMT

comments (16)  

We've detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. If you're a regular visitor to Viruslist, you might remember reading about Gpcode a couple of years ago.

We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can't currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024-bit key.

The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.

As I've said above, we've come across Gpcode before (see Blackmailer for the full story). Two years ago we were able to get the private key by detailed analysis of the data at our disposal. However, the maximum RSA key length we've been able to ‘crack’ to date is 660 bits. We were able to do this as the author had made some mistakes when implementing the encryption algorithm.

The author has bided his time, waiting almost two years before creating a new, improved variant of this file encryptor. Gpcode.ak doesn't repeat the errors found in previous versions of the virus. Back in 2006 when we detected the first versions of Gpcode to use RSA, this sounded an alarm: we warned that we wouldn't be able to help decrypt encrypted files if the virus writer implemented the RSA encryption algorithm correctly. It would be a case for law enforcement; encrypting files in this way is tantamount to a cybercriminal copying user files to his own machine, and deleting them from the user's infected machine without consent – an illegal action.

Once the virus has encrypted a user's files, it leaves the following text message along with the files it has encrypted:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com

Unfortunately, at the time of writing it's still not clear how the virus spreads. To protect your machine, you should enable all components of whatever anti-malware protection that you have installed.

ATTENTION! If you see the following message on your computer:

...Then, in all probability, you have been attacked by Gpcode.ak. In this case, try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.

Contact us by email at stopgpcode@kaspersky.com and tell us the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected:

• which programs you have executed,
• which websites you have visited, etc.

We'll try and help you recover any data that has been encrypted.

Our analysts are continuing to analyze the virus code in search of a way of decrypting files without having the private key. In the meantime, do take extra care as you surf and read email. And if you see the above messages…do follow our instructions.

We'll be posting updates here when we have more news.

 

Copyright © 1996 - 2010
Kaspersky Lab