Technique Microsystems Ltd.

Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.

In August, image spam attacks accounted for approximately 1.6% of total spam. In September we observed that image attacks almost doubled, representing approximately 2.6% of total spam. Over 50% of image attacks observed are English, and the second largest group of messages is Russian. In the first ten days of October, image spam messages have averaged approximately 8.6% of total spam. This is the highest mark to date over the last 90 days. From May of this year up to September, image spam was relatively quiet. As stated above, these numbers have been increasing since mid-September. We have not seen image spam of this volume since February of this year.

Commonly seen image spam messages have included Russian online dating offers, random product offerings with an image opt-out, and the all too familiar Viagra offers. Nothing is blatantly new here, but the recent volume increase is notable enough for us to ask if this old trend could be trying for a comeback.

Another observation with image spam is its connection to phishing attacks. Several phishing attacks have used images recently, which have in turn classified them as image attacks. We recently observed some large phishing attacks on banks with attached logo images. The good news is that anti-spam effectiveness is not being negatively impacted due to this trend. Symantec is effectively protecting our customers from these attacks with our anti-spam products.

Hello and welcome to this month's blog on the Microsoft patch releases. This is another fairly heavy month, with 11 bulletins covering 20 vulnerabilities.

There are 10 critical issues this month affecting Internet Explorer, Excel, Active Directory, and the RPC service of Host Integration Server. All of them are remote code-execution issues, but the issues affecting Host Integration Server and Active Directory do not require any user interaction, making them potentially the worst of the bunch. The remaining issues (rated Important and Moderate) affect Message Queuing Service, Internet Printing Protocol (IPP), Windows Kernel, Ancillary Function Driver, Virtual Address Descriptors (VADs), and Server Message Block (SMB).

As always, customers are advised to follow these security best practices:

- Block external access at the network perimeter to specific sites and computers only.
- Avoid sites of questionable or unknown integrity.
- Never open files from unknown or questionable sources.
- Run all software with the least privileges required while still maintaining functionality.

Microsoft's summary of the October releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

Some of the notable vulnerabilities this month are:

1. MS08-058 Cumulative Security Update for Internet Explorer (956390)

CVE-2008-3472 (BID 31615) HTML Element Cross-Domain Vulnerability (MS Rating: Critical /Symantec Urgency Rating 8.5/10)

A cross-domain remote code-execution and information disclosure vulnerability affects Internet Explorer because it incorrectly interprets the origin of script code. An attacker can exploit this issue by enticing a victim into viewing a specially crafted web page. Code execution in the context of another domain or security zone is only possible when exploited through Internet Explorer 6 SP1 running on Windows 2000 SP4, otherwise a successful exploit will result in information disclosure only.

Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7.

CVE-2008-3473 (BID 31616) Microsoft Internet Explorer Event Handling Cross Domain Security Bypass Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A cross-domain remote code-execution and information disclosure vulnerability affects Internet Explorer because it incorrectly interprets the origin of script code. An attacker can exploit this issue by enticing a victim into viewing a specially crafted web page. Code execution in the context of another domain or security zone is only possible when exploited through Internet Explorer 6 SP1 running on Windows 2000 SP4, otherwise a successful exploit will result in information disclosure only.

Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7

CVE-2008-2947 (BID 29960) Microsoft Internet Explorer 'location' & 'location.href' Cross Domain Security Bypass Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

This is a previously documented cross-domain security-bypass vulnerability affecting Internet Explorer originally disclosed on June 26, 2008. The problem occurs when handling the "location" or "location.href" property contained in a window object. An attacker can exploit this issue to execute arbitrary code in another browser window's security zone.

Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7

CVE-2008-3475 (BID 31617) Microsoft Internet Explorer Uninitialized Object Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Internet Explorer when it accesses an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking a victim into viewing a specially crafted web page. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Internet Explorer 6, and Internet Explorer 6 SP1

CVE-2008-3476 (BID 31618) Microsoft Internet Explorer HTML Objects Uninitialized Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Internet Explorer because it attempts to access uninitialized memory in certain situations. An attacker can exploit this issue by tricking a victim into viewing a specially crafted web page. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, and Internet Explorer 6 SP1

2. MS08-059 Microsoft Host Integration Server RPC Remote Code Execution Vulnerability (KB956695)

CVE-2008-3466 (BID 31620) HIS RPC Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code execution vulnerability affects the SNA Remote Procedure Call (RPC) service of Host Integration Server. An attacker can exploit this issue by sending a malformed RPC request to the affected service. A successful exploit will result in the execution of arbitrary code in the context of the affected service. This could facilitate a complete compromise of the affected computer.

Affects: Microsoft Host Integration Server 2000 SP2, Microsoft Host Integration Server 2000 Administrator Client, Microsoft Host Integration Server 2004, Microsoft Host Integration Server 2004 SP1, Microsoft Host Integration Server 2006 32-bit, and Microsoft Host Integration Server 2006 x64.

3. MS08-057 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)

CVE-2008-3477 (BID 31702) Microsoft Excel Calendar Object Validation Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Excel when processing a VBA Performance Cache. An attacker must trick a victim into opening a malicious project file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Excel 2000 SP3, Excel 2002 SP3, and Excel 2003 SP2 and SP3

CVE-2008-3471 (BID 31705) Microsoft Excel File Format Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Excel when processing a malformed Excel file. An attacker must trick a victim into opening a malicious file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP2 and SP3, Excel 2007, Excel 2007 SP1, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 SP3, Microsoft Office Excel Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac.

CVE-2008-4019 (BID 31706) Microsoft Excel Formula Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Excel when parsing a malformed formula embedded in a cell. Specifically, a REPT function call can be exploited to cause an integer overflow. An attacker must trick an unsuspecting victim into opening a malicious file to exploit this issue. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP2 and SP3, Excel 2007, Excel 2007 SP1, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 SP3, Microsoft Office Excel Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, Microsoft Office SharePoint Server 2007, Microsoft Office SharePoint Server 2007 SP1, Microsoft Office SharePoint Server 2007 x64 Edition, Microsoft Office SharePoint Server 2007 x64 Edition SP1*, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac.

4. MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution (957280)

CVE-2008-4023 (BID 31609) Microsoft Windows Active Directory LDAP Request Handling Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code execution vulnerability affects Active Directory on Windows 2000 because of insufficient validation of LDAP requests. A remote attacker can exploit this issue by sending a malformed LDAP packet to an affected server. A successful exploit will result in the execution of attacker-supplied code in the context of the affected service. This may facilitate a complete compromise of the affected computer.

Affects: Active Directory

More information on this and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

On Monday we saw that Trojan.Silentbanker had added rootkit functionality in order to hide its own files. Today we'll look at another change that the new version of the Trojan has introduced, namely, the new configuration file format that the Trojan uses.

Trojan.Silentbanker's configuration files have always been protected, ever since the first version of the Trojan that we encountered. The reason for this protection is to make it difficult to understand what the Trojan is doing, and in particular, to hide which sites the Trojan is targeting. The original version targeted over 400 banking pages. Although, the actual list of pages being targeted was only clearly visible after the protection had been removed from the configuration files.

In order to discover the list of sites being targeted by any version of the Trojan the protection needs to be removed from the configuration files first. The old version of the Trojan used some simple tricks to hide its configuration; however, upon inspecting the new version of the Trojan, it is immediately obvious that something has changed. The protected configuration files look very different from previous versions.

Here I will describe the new configuration files and the steps necessary to view these files in plain text. The old protection technique was to first use character translation (a=x, b=s, c=f, etc.) on the plain text configuration files and then to compress the resulting character translated text to a smaller binary format that could be downloaded quickly.

Here are some examples of what the old configuration files looked like-I'm showing the fully decrypted configuration file format first and working backwards towards the encrypted file that was downloaded by the Trojan. This is the plain text configuration file; it contains URLs to send the stolen data to, URLs to download updates from, and the URLs of targeted bank sites (the data shown has been sanitized to remove dangerous or targeted URLs):



Each new section of the configuration file starts with [..]. So, the first section is [dfgdf]. Inside each section there is a list of data for the Trojan to use. Each string of data to be used is stored after an identifier (e.g. bg1=, bg2= , bg3=, etc.).

Presented below is the text configuration file after character translation has been carried out. The character translation is only used on strings that are preceded by an "=" sign. An example of the translation is:

"b" was changed to "o"
"l" was changed to "y"
"a" was changed to "n"
"h" was changed to "u"
So that "blah" becomes "oynu"


(b=o,l=y,a=n,h=u,.=8,c=p,o=b,m=z,/=#,e=r,u=h,r=e,/=#,i=v,n=a,d=q,e=r,x=k,.=8,p=c,h=u,p=c)

The file shown above is not exactly what the Trojan downloads though, what the Trojan downloads is a compressed binary configuration file, shown here:



We can see that the compressed binary format starts with FF and on the right we can still make out some of the character translated text, too. The fact that the file starts with FF is one tell tale sign that this is a Trojan.Silentbanker configuration file, and the Trojan also stores its configuration files in files named [9-11 digits].cpx. The current Trojan.Silentbanker configuration files look different though:



As we can see, there is no 0xFFh at the start. So, the Trojan must be using some other type of encryption on these new configuration files. After some analysis of the Trojan we come to the following routine:



This is the decryption routine for the configuration files. Now we can start to make some sense of the configuration file shown above. Searching online for the constants used in the code above, namely C6EF3720 and 61C88647, shows us that the code used is probably a TEA encryption routine (tiny encryption algorithm) or a modified version of it.

After we run the decryption routine shown above, we end up with a file that looks like this:



Does this look familiar? This is, in fact, the same format as the Trojan was using previously. Notice that it starts with FF. (The "x"s on the right were an IP address that has been removed.) The latest version of the Trojan has just added a layer of encryption on top of the old protection layers. Once the TEA encryption layer has been bypassed, we can decode the configuration files in exactly the same way as for the older version of the Trojan.

P.S.> there is also a short cut to get to the decrypted files, but I'll save that for another time.Message Edited by Liam O Murchu on 10-10-2008 02:06 AM

Last week's Cutting Edge event was an absolute blast. Cutting Edge is our internal technical conference where we gather top engineers, architects, and researchers from across Symantec globally to share ideas, best practices, technologies, imagination and energy. The goal is to keep Symantec at the cutting edge of technology, which we view as critical to winning in the marketplace. Besides that, it's just tremendously stimulating to be around four or five hundred really smart people.

The theme of this year's conference was "How We Win." In a way, everything we discussed boiled down to one thing: we win by making our customers win. We win by helping to solve their problems, adding value to their businesses, and making their lives more secure. Sounds obvious, but how do we do that? We touched on a number of approaches, from the macro down to the micro. For example, at the macro scale we talked about our Open Collaborative Architecture which uses open standards and API's to allow our products (and third party products) to take advantage of and leverage each other. We also shared lots of cool technologies and approaches that can be used across our products to improve reliability, scalability, usability, availability, and flexibility. Actually, I think we touched on virtually every "-ility" you can imagine.

As the leader of Symantec Research Labs (SRL), I was proud of the large number of engineers presenting papers on our latest research, demonstrating new technologies, and generally soaking up and dispensing as much information as possible. At Symantec, our job is to focus on winning through innovation, whether it is a revolutionary change to the way we approach a problem, an idea in a space that we aren't currently in, or an algorithm that improves an existing product. To win, we have to create differentiated innovation at many different scales and we have to do it over and over again.

Cutting Edge is a really effective way of facilitating all of these forms of innovation as well as sharing the excitement and fun of designing and building world leading products. This year's event did a great job of both.

I've always been surprised by how much of an effect the "Buy One, Get One Free" slogan has on my psyche. For example, I lived in New York during grad school and whenever it rained, within minutes a small cottage industry of street vendors would pop up like daisies all around the city. All of these vendors would be selling umbrellas, with most offering a two-for-one deal. Sometimes if I was already out and about and unprepared for the rain I'd feel compelled to purchase an umbrella, but then since the second one was free, I'd take the second one too so that I was then carrying two umbrellas. After this happened a few times, I owned a half dozen umbrellas, and really, how many umbrellas does one man need?

I was recently reading an article by Alan Radding for SearchStorage about VMware backups, and he described how one of the industry's frustrations is that when backing up VMware servers, it's necessary to back up the data twice in order to be able to perform the two types of restores that people perform the most (individual file restores and restores of entire virtual machines). This article really surprised me, because it didn't seem to demonstrate awareness of NetBackup's support for both types of restores based on a single VCB-based backup pass. You see, with NetBackup, backing up once enables you to restore either the entire VM or individual files (like that Powerpoint file your colleague deleted by accident when he borrowed your laptop). This scriptless single-backup, dual-restore capability results from a proprietary Symantec technology that helped us win a "Best of VMworld" award.

So, I feel that running NetBackup is like getting to keep both of your umbrellas; but, unlike with umbrellas, the two-for-one deal is one that you might actually really appreciate when it comes time to restore an individual file or, if it starts to rain inside your data center, your entire virtual machines.

Symantec's Cutting Edge 2008 engineering conference had a remarkable symmetry on the second day. The first keynote was delivered by Enrique Salem, COO of Symantec, and the last one by Chris Hoff, Chief Architect of Unisys.

Remarkably, they spoke with almost color-coordinated phrases. Enrique said that the way Symantec was going to differentiate itself from competitors was to focus on virtualization, information risk management and SaaS (software as a service). Chris Hoff talked about the "virtualization of security" or as he said, the three most important trends in the industry at the moment: virtualization, security and management of risk, and lastly, "cloud computing"/SaaS. Chris described the four horsemen of the apocalypse (be afraid, be very afraid) in trying to focus attention on the challenges posed in the brave new world of network security in a virtualized world.

It brought to mind the biggest opportunity and the biggest challenge facing Symantec at the moment. How do we work better together - using our products and our teams to solve customer problems? Enrique called attention to the unique positioning of the Symantec product portfolio in responding to these challenges. He gave the example of the Symantec Open Collaborative Architecture (OCA) through which Symantec products can share data, workflow, and management capabilities to jointly address customer problems. What is different about the OCA from previous integration efforts? The answer is that it is based on a proven product set--the Altiris (now Symantec) management platform--and on industry web services standards. The Symantec OCA allows products to collaborate through the Symantec Workflow Engine, by exposing web services or by utilizing the Altiris platform and console.

Another takeaway from the conference was Joe Fitzgerald's reference to the number of patents in the Symantec patent portfolio. Fitzgerald, the VP of our legal department, referred to the Wall Street Journal's Technology Index, in part based on the patent portfolio owned by technology companies, which is considered to be critical to success. (Remember, the conference is about "How We Win.") Symantec is 16th on the WSJ Technology Index. Overall, a very insightful day.

The trend of spam messages containing URL links to malicious code and/or carrying malicious payloads has dramatically spiked since May of this year. This trend is the focus of our October State of Spam Report, issued today. From June to mid September, the amount of malicious code detected in scanned email messages increased from a tenth of a percent (0.1%) in June to 1.2 % in the middle of September. Now, that doesn't sound like much, but consider that this represents a 12x increase! The top ten of definitions detected by antivirus rules for this period were led by generic Trojan, Downloader, and Infostealer definitions-making up more than 30% of the malicious code detected.

Also noted in this month's State of Spam Report is the increase in zombie activity. The report notes that while zombie activity decreased from July to August, it increased more than 100% between August and September. For this period, the EMEA region was the leading source of all zombie IP addresses. Countries showing the highest increase in the number of zombies include South Korea, Kazakhstan, Romania, and Saudi Arabia, among others. Not surprisingly, countries with the big increase in zombies also figured in the top five countries by spam sent. However, the United States still leads overall in spam sent.

To read about these or other trends in the report, such as messages leveraging current events (for example, the US presidential race and the US economic concerns), please visit the State of Spam website and the October State of Spam Report.

Trojan.Silentbanker has been in the wild since late last year; however, the most recent release of this Trojan has had some interesting features added to it. Namely, the most recent version has added rootkit functionality to make the Trojan even stealthier. If you are unfamiliar with Trojan.Silentbanker, have a look at this blog first.

In particular, the Trojan tries to hide its own files from the system in order to avoid someone noticing the files and to hide its configuration from prying eyes. This is a common technique used by other Trojans to stay invisible on a system. Trojan.Silentbanker stores its executable files and configuration files in the "system32" folder using a file name that consists of a series of numbers followed by the extension .cpx or .cpl. (I'll explain what the numbers mean a little later.)

In order to become invisible the Trojan needs to hook the FindFirstFile / FindNextFile functions of the system so that when the system is about to return a listing of files to the user, the Trojan can sanitize the list first and remove any references to the Trojan's files before the user is presented with the list. To illustrate the addition of rootkit functionality to the Trojan, review the table below, which shows the functions that were hooked by the Trojan in January 2008 and in the most recent version:

Fig 1. APIs hooked by Trojan.Silentbanker
(Note: A "?" in the above table signifies that the information regarding whether or not that API was hooked in a specific version was not available at the time of writing.)

The interesting additions to the list are the FindNextFile APIs. Let's take a look at what these functions do now that they are hooked. First though, here is what the FindNextFileW code should look like on a clean system:

Now, here is the code when the Trojan is running and the function is hooked:

We see that the real FindNextFileW code has been replaced with a jump to address 1610000. The code at that address sets some variables and then jumps to the attacker's version of FindNextFileW, which is stored at 0x0A3DF27 and is shown below in IDA:

Here we see that the malicious FindNextFileW will call the real FindNextFileW first. Then, it will check if the filename returned is a file name that should be hidden; it does this in the FilterFindNextResults function. If it is a filename that should be hidden, then the code will call the real FindNextFileW once more. So, even though the system intended to call the real FindNextFileW function once, the attacker causes it to be called twice and to return the results of the second call only. So, the information about the file to be hidden is never returned by the function.

Let's have a look at the criteria that the FilterFindNextResults function shown above uses to hide files. There is various code involved, but the most important is the function shown below. It calculates a hash of the computer name:

The resulting hash - and 8 digit number - is what is used as the numbers before the the .cpx or .cpl extension that I mentioned earlier. For example, the hash of the test pc was 38477686 and during testing the following files were created: 3847768621.cpx , 38477686212.cpx, and 38477686221.cpx (another number is appended to the hash in order to be able to store more than one .cpx file, in this case the numbers appended were 21, 212, and 221, respectively).

So, the malicious FindNextFileW calculates the hash of the computer name and compares that hash to the file names that are returned from the real FindNextFileW. If there is a match the real FindNextFileW is called a second time, effectively causing the last file found not to be reported.

There are a few things to note about this threat, one is that FindFirstFileA and FindFirstFileW are not hooked, only FindNextFileA and FindNextFileW are hooked. This means that if the Trojan's file is the first in a directory listing, it will not be hidden.

Also the hash of the filename is calculated everytime FindNextFileW is called. As well as not being very efficient coding, this means that if you change the name of your computer then the files will no longer be hidden, because the hash of the new computer name will not match the hash that was used when creating the Trojan files in the first place.

Another interesting fact is that no registry APIs were hooked, so the registry entries created by the Trojan can still be seen. The Trojan creates the following registry key in order to start when the computer is restarted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1:"[hash of computer name].CPX"

As well as adding rootkit functionality to the latest version of the Trojan, the authors have also added an extra layer of encryption to the configuration files. I will discuss this extra layer and how to decrypt it tomorrow.

The latest version of this Trojan is detected by Symantec as Trojan.Silentbanker. The writeup, available here, has been updated with the latest changes to the Trojan.

Message Edited by SR Blog Moderator on 10-06-2008 09:05 AM

Symantec's Cutting Edge 2008 conference closed on Friday, October 3rd. As the Chair of this year's Cutting Edge conference, hosted each year by the Office of the CTO, I can say it was a wonderful opportunity to manage an event that brings together engineering groups across Symantec. Known as "a conference by engineers, for engineers," Cutting Edge continues to provide an atmosphere where people feel comfortable discussing ideas across organizations.

This year's theme is "How We Win," and there are three key areas where we see this taking shape. First, we must highlight the Symantec innovation model, which is a balance between organic innovation and innovation by acquisition of leading technologies. Second, the direction of our innovations must be driven first and foremost by our customers. Our customers are telling us that they like our products, and we must continue to listen to their needs and include features to help them do their business better. Third, making our products work together is a priority among our product groups. Many people in the Cutting Edge sessions mentioned that the way we want to get products to work together better is by utilizing the Symantec Open Collaborative Architecture (OCA). The Symantec OCA enables collaboration among Symantec products (and third party products) in several ways: through exposing web services, by utilizing the mature and polished Symantec Management platform and by utilizing the Symantec Workflow engine.

* * *

Random Cutting Edge observations: watching four wild and crazy guys playing Rock Band and capturing at least two "entertaining" videos of the entire performance at the Tuesday night reception was a sight to behold (and to laugh at as well). Engineers congregated around the various exhibits and seemed to be in their element and enjoying themselves.

Overall, it was a fantastic start and made all of the hard work and preparations worthwhile. "A conference by engineers, for engineers" is our mantra, and the event gets better each year.

Digging into our honeypots and spam-trap systems to look for malicious attachments is always an interesting exercise. We can identify different spam campaigns and map together malicious binaries by correlating attachments and filenames. Nevertheless, it's also funny to see how the bad guys are still trying to entice users to run executable attachments-pushing their creativity and social engineering skills to extreme levels. Invoices, contracts, delivery notices, and all types of tickets are travelling by mail everyday, hitting millions of mailboxes; all in the hope that a few users, sooner or later, will be fooled by a perfectly orchestrated malicious e-mail (yes, it does still work, and old tricks are always the best).

Just for fun, I tried to create a picture of the breakdown of the most common malicious spam campaign observed on a set of emails received during the month of September. As you will notice from the chart below, the "Fees_2008-2009" attachment is still the most prevalent, followed closely by "e-card" and various "video codec" Trojans. A series of fake "Contract, Abstract, and Approved" Trojan files are also making the rounds these days.



Looking from a different perspective, we can still gather interesting information about filenames commonly used by malicious program by digging into generic antivirus detections. Many of these malicious binaries are compressed or encrypted with custom-made packers, often armored with exotic anti-emulation and somewhat funny anti-debugging tricks to evade antivirus detections. Using the polymorphic abilities of a packer, the bad guys generate hundreds of different samples from a single malicious executable in order to minimize the chance of being detected. These bad packers-used only by malicious programs-are very common for a lot of different Trojans and misleading applications, which jump from one packer variant to another every time they are detected by generic detections.

Generic antivirus detections for files created by bad packers are frequently released for our products with the prefix name of "Packed.Generic." It is nice to see a single generic detection catching thousands of different malicious samples in one shot, as shown by the chart below, calculated only during the month of September. Spikes in volumes usually occur either when a new spam campaign starts, or when there's a shift in the threat landscape (with a malicious code family moving from one packer to another).



Packed.Generic detections are also useful for identifying different malware families that share the same bad packer. I always wonder if this fact means that there's a single guy behind the distribution of different Trojans, or if it's just a coincidence.

Here are some filename statistics related to some of our recent generic detections having good hits recently:

Name: Packed.Generic.177
Description: Commonly used by misleading applications such as AntiVirus2008,
AntiVirus2009, AntiVirusXP2008 and their Downloaders.
Filenames:

av2009.exe
av2008xp.exe
AV2009Install_*.exe (e.g. AV2009Install_880401.exe)
xpa.exe
skypecomm.dll
winsrc.dll

Name: Packed.Generic.186
Description: Commonly used by Trojan.Blusod, Trojan.Fakeavalert and Downloaders.
Filenames:

InstallAntivirus_trXP.exe
lphc*.exe (e.g. lphcjooj0ecg4.exe)
mssadv_sp.exe

Name: Packed.Generic.187
Description: Used by AntiVirus2009 droppers and Downloaders.
Filenames:

A9installer_*.exe (e.g. A9installer_770522157731.exe)
MultyCodecUpgr*.exe (e.g. MultyCodecUpgr.7.20765.exe)
av2009.exe
Contract.doc.exe
Approved.doc.exe
msxml71.dll
video*.cfg.exe (e.g. video1055.cfg.exe)
video(*).cfg (e.g. video1054.cfg)

Name: Packed.Generic.188
Description: Used by Trojan.Blusod, Backdoor.Tidserv and AntiVirus2008.
Filenames:

lphc*.exe (e.g. lphcjooj0ecg4.exe)
AV2008install.exe
file.exe
.tt4.tmp
scan.exe
TDSS*.tmp
TDSS*.dll

Regardless of the spam campaign, filenames, and/or packer used, the thing that you may have noticed these days is the fact that pretty much all of these malicious emails and samples are somehow related to misleading applications. In most cases, these misleading apps end up downloading and installing an antivirus clone program or a fake security product. So, now that you know the common filenames used by the bad guys these days, watch what you click when you receive your next email!

Message Edited by SR Blog Moderator on 10-03-2008 02:23 PM

Here at Cutting Edge we have a lot of exciting technological developments and innovations to share. At the top of the list for me is the Symantec Open Collaborative Architecture (OCA), which prescribes a technology direction to enable collaboration among Symantec products and third-party and partner products.

The architecture is based on a loosely coupled interoperability model that requires products to adhere to a limited set of technology requirements in order to be considered OCA-enabled. The Symantec OCA enables products to interoperate for the purpose of data/information sharing among multiple products. This allows task and operational control of one product to be initiated by another product while creating loosely integrated process automation solutions for IT domain-specific processes, as prescribed in ITIL, for example. Working across IT domains, sharing and exchanging data, and enabling automation all contribute to greater cost effectiveness and risk management for the enterprise.

Open Collaborative Architecture is neither a product nor a solution in itself and cannot be purchased independently of the products that adopt its technologies. The idea is to prescribe an evolutionary approach to interoperability and solution construction, building on the Altiris solution model that is available today. As a common solutions and software architecture, the OCA enables various forms and multiple models for interoperability, none of which are mutually exclusive.

Using standard technologies around web services, web-based security, workflow management, and configuration management, the OCA provides greater flexibility and openness to build complex, multi-disciplinary, and multi-vendor solutions that can be tailored to meet specific business needs.

In a nutshell, Symantec's new approach to detecting threats automatically derives reputation ratings (e.g. safe, unknown, unsafe) for every executable file available on the Internet. The reputation ratings are derived automatically using algorithms, not unlike Google's Page Rank algorithm, from literally billions of Norton Community Watch file reports from our tens of millions of participating users. Just like you use reputation ratings to choose whether or not to buy a book or a new MP3 player on sites like Amazon.com, the next generation of antivirus software can use the project's data to determine whether or not to allow an application to run on your computer. Think of it as the world's largest list of rated applications.

Unlike traditional antivirus, all of our reputation data is stored in the cloud - that is, in Symantec data centers - meaning that if and when we shift to this model, we can drastically reduce the memory and performance impact of traditional antivirus software. Given this fact, Symantec's approach should work just as well for a cell phone as a desktop PC.

It's different than some of the other "cloud-based AV" systems that are being announced, in that it can detect and protect against entirely new malicious code - even malicious code on just one person's PC that's never been seen by a security company. From what I've read, these other systems still rely on fingerprints to detect new malware. They're just hosting some of those fingerprints on servers instead of on your PC. (This is only my speculation, so take it with a grain of salt.)

We're not quite ready to completely replace our traditional antivirus technology, but soon we hope to release hybrid security products that leverage both old and new techniques. I'd be proud for Symantec to be the first company to finally kick the fingerprint habit.

In any case, I'm expecting a fair amount of spirited debate about the results. I'm not expecting too many people to defend traditional fingerprinting, however. Symantec's R&D leaders long ago agreed that this model is destined for the way of T-rex and Triceratops.Message Edited by SR Blog Moderator on 10-06-2008 12:29 PM

This year's Cutting Edge, Symantec's internal conference "for engineers, by engineers," promises to be an interesting one. Why? The last few years have brought serious challenges to the dominant antivirus fingerprinting approach. Right now, the security industry is built around the fingerprinting model - all of our processes, our automation, our data collection, our publishing systems - they're all designed around the blacklisting model.

Unfortunately, while the industry had its head down honing the blacklisting approach (Symantec can automatically analyze and fingerprint up to 6M samples per week - how's that for honing?), the rest of the world changed. Recent Symantec studies show that the volume of malware released now outpaces good software (potentially representing up to 65% of all unique software apps). Furthermore, industry reviews show that many new malware programs slip past all major antivirus products - it often takes days or weeks for antivirus vendors to catch up and protect against a newly released threat. And, some threats never get detected - a threat that's personalized by an attack server for a single user may never be discovered by security vendors!

And of course, while we could just ratchet up the model and ship 20, 30, or 50 thousand fingerprints per day to customers, before long you'll have no RAM left to run legitimate software. The model is close to being broken. Fortunately, Symantec's been anticipating this problem for a long time. In fact, we started working on a replacement approach to classic blacklisting about two years ago.

This Cutting Edge is exciting for me because for the first time we're sharing the results of our project with our colleagues, and the results are extremely promising: in many use cases it appears to be significantly better than traditional fingerprint-based antivirus software at detecting new threats. So good that the project's lead engineer, Vijay Seshadri, is afraid to publish the initial results, even internally, given the stir they might make.

Stay tuned this week for more information on Symantec's pioneering efforts in this space.Message Edited by SR Blog Moderator on 10-06-2008 01:28 PM