Malware evolution: April – June 2006

Superficially at least, the second quarter of 2006 appeared to be one of the most peaceful in recent years. Significant email or network worm epidemics were almost completely non-existent, and the majority of leading antivirus vendors released either beta or fully functional new generation products. Virus writers took time off to develop new methods of combating anti-virus programs. Because of this, the main battles were fought over technical issues, and were invisible to normal users. However, sometimes the aftermath of these hidden wars reached the print, broadcast, and most frequently the online media. This report provides a more detailed look at the events which remained in the shadows and those which attracted the attention both of users and antivirus manufacturers.

Multiple vulnerabilities in MS Office Products

It’s common knowledge that the last three years brought a huge number of critical vulnerabilities in Windows. Terms such as RPC DCOM, LSASS, WINS and PnP not only became topics of discussion for system administrators and programmers, but also caused headaches for virus analysts and real problems for rank and file users. Serious loopholes in Windows applications gave virus writers access to tens or hundreds of millions of computers around the world. And they didn’t hesitate to take advantage. These vulnerabilities effectively gave birth to such historic worms as Lovesan, Sasser and Mytob, not to mention hundreds of others which, although less well known to the general public, were actually no less of a threat.

Step by step, by autumn 2005, Microsoft had more or less managed to stem this flood of vulnerabilities. The active promotion of Service Pack 2 for Windows XP helped a great deal. Hackers then switched their attention from the main Windows modules to secondary ones. This was most successful in December 2005, when they managed to exploit a loophole in the parsing of WMF files. Another part of the hacking community focused on identifying security issues in antivirus solutions and networking equipment. And finally, at the end of spring/ beginning of summer 2006, MS Office, Microsoft’s second most important (and actually most profitable) product was targeted.

IT security experts had long ago highlighted security issues in the way which MS Office applications work with OLE files. In spite of the fact that this file format is relatively well documented, it remains, to a certain extent, a black box with a multitude of cells. There are too many critical areas and the interaction between OLE object fields is structured in too complex a way. In 2003, all of this led to the appearance of a critical vulnerability in MS Office documents (MS03-037). The vulnerability made it possible for random code to be executed if a specially crafted document was opened. For a long time this vulnerability was frequently exploited by a number of Chinese hacker groups, and there is reason to believe that these groups were involved in the events which started taking place in March 2006.

The MS06-012 vulnerability affected all MS Office products starting from the year 2000. This was the first warning bell which attracted the attention not only of Microsoft but also of many hackers, who started to intensively investigate the format of OLE documents. Unfortunately, it has to be admitted, that the hackers were more effective in their research than Microsoft. The loopholes detected in the last three months differed from each other only slightly. The same problem lay at the heart of all these vulnerabilities: incorrect checking of certain data in the OLE description. Microsoft restricted itself to releasing a limited patch, effectively a band-aid, which did not take into account the fact that surrounding fields in the files needed to be checked. The day after the patch was released information about a new vulnerability surfaced. It’s somewhat ironic that these multiple problems in MS Office, and in particular in Excel, came to light almost at the same time as Google launched its own spreadsheet program.

The information below, provided by US-CERT, shows the course of events

• 03/14/2006 Microsoft Office routing slip buffer overflow
• 03/14/2006 Microsoft Excel malformed record memory corruption vulnerability
• 03/14/2006 Microsoft Excel fails to properly perform range validation when parsing document files
• 03/14/2006 Microsoft Excel malformed graphic memory corruption vulnerability
• 03/14/2006 Microsoft Excel malformed description memory corruption vulnerability
• 03/14/2006 Microsoft Excel malformed parsing format file memory corruption vulnerability
• 05/19/2006 Microsoft Word object pointer memory corruption vulnerability
• 06/13/2006 Microsoft PowerPoint malformed record vulnerability
• 06/16/2006 Microsoft Excel vulnerability

The vulnerability identified on the 19th of May was the main threat. The vulnerability was made public only once it was discovered that a Trojan program which exploited the vulnerability had been mass mailed using spammer technologies. This was the case where virus writers once again used a vulnerability which no one else had heard of – a so-called zero-day exploit. Such vulnerabilities are extremely dangerous because software developers have to spend time developing and releasing a patch, even though malicious code is already circulating and spreading on the Internet.

It took Microsoft almost a month to release patches for the MS06-027 (Word remote code execution) and MS06-028 (Powerpoint remote code execution) vulnerabilities. Users have of course become used to the fact that Microsoft sticks to its patch schedule with almost fanatical precision, releasing patches on the second Tuesday of every month. This might be reasonable if, two days after the patches were released on 13th June, an almost identical vulnerability had not been identified in MS Excel. It’s almost inexplicable that, when developing the patch, the developers did not check for the existence of a similar problem in Excel. In fact, it is inexplicable. The last third of June brought another two vulnerabilities in MS Office – Microsoft Windows Hyperlink Object Library Buffer Overflow and Microsoft Excel ‘Shockwave Flash Object’ Lets Remote Users Execute Code Automatically.

When Kaspersky Lab analysts researched the vulnerabilities, it became clear that the same problem lay at the bottom of them all. Microsoft should have checked all fields of OLE objects (of which there are more than 100) rather than just releasing separate patches for each individual loophole.

The fact that nearly all these vulnerabilities were initially identified by members of the black hat community, and used to spread malicious code, makes the situation all the more critical. Virus writers are currently a step ahead of the game, and are in an excellent position to release new, dangerous programs on the Internet.

Kaspersky Lab strongly urges all users and system administrators to implement and enforce a security policy relating to MS Office documents; not to open files which come from an unknown source; and to scan such files for malicious code. Naturally, where patches are available, they should be installed.

CodeBreakers – the struggle against RansomWare

This topic is one which we’ve been concentrating on for some time now. Almost all of our previous quarterly reports include details of new RansomWare programs. These blackmailing viruses, led by the notorious Gpcode, first appeared at the beginning of 2004, evolved rapidly during 2005, and reached a peak of activity in 2006.

Although initially authors of such viruses limited themselves to using primitive encryption algorithms (in the case of Gpcode) or simply corrupted the system registry (Krotten), they are now using more secure encryption algorithms (RSA) and using specific techniques to place data in password protected archives.

We’ve previously written about Cryzip, a Trojan which targeted American users, archiving data in ZIP files which were protected by passwords more than 30 symbols in length. A similar approach was used in the UK in May 2006 by the MayArchive Trojan, and many antivirus experts feel that this Trojan is simply a new Cryzip variant. Overall, Trojans which archive data tend to present a threat to Western users; Russian virus writers are more likely to use data encryption for blackmail purposes.

January 2006 was the first time that a blackmail virus, Gpcode.ac, used a sophisticated encryption algorithm. The author used the RSA algorithm to create a 56 bit key, and cracking it didn’t pose any problems for antivirus companies. This meant that decryption routines were provided to users who had had their data encrypted. It seems that the speed at which the problem was solved caused the virus writer to rethink his/ her approach. In June, the Russian segment of the Internet was attacked by a new version of Gpcode, but this time a 260 bit key was used. However, this longer key didn’t cause problems for our analysts, who were able to crack it in less than 5 minutes. This was the start of a face off between the two sides – who would be more persistent, who would have better knowledge of cryptography, and who would have access to the most computing power? However, although the author of Gpcode was in a position to give up the struggle, the antivirus companies weren’t; users needed to be protected.

Gpcode’s author responded to the cracking of the 260 bit key by releasing yet another variant. This time the stakes were raised with a 330 bit key, and this appeared to have some antivirus companies beaten. However, Kaspersky Lab analysts managed to crack the key in less than 24 hours.

Nevertheless, the author of Gpcode refused to throw in the towel. On 7th June 2006, Gpcode.ag was downloaded to thousands of Russian computers from an infected site. This latest variant used a 660 bit key, the longest key which has ever been broken. According to estimates, it would take at least 30 years using a 2.2 GHz computer to break such a key. But luck was on our side – our analysts were able to add decryption routines for files which had been encrypted using this key to antivirus databases within a single day. I won’t go into details here; suffice it to say this particular decryption will go down as a milestone in computer virology.

Although Kaspersky Lab analysts were busy creating a decryption algorithm, we also put a lot of effort into getting the site which hosted the malware closed. By the next day, the site was no longer accessible. At the time of writing, no new variants of Gpcode have been detected. However, a new variant, with a longer key, could appear at any time.

The methods the virus used to spread are particularly inventive – it targeted one of the most popular Russian recruitment sites. Applicants who expressed an interest in vacancies then received a message which appeared to be in response to their query, but which actually contained a Trojan. This use of social engineering ensured a high infection rate amongst potential victims.

Gpcode turned out to be a real detective story, and it may not have ended yet. Further details can be found in ‘Blackmailer: the story of Gpcode‘ on securelist.com.

Let’s take a look into the future and try and predict how the use of asymmetric encryption in malicious programs may continue to evolve. In spite of the fact that we were able to decrypt 330 and 660 bit keys within a reasonably short space of time, keys of this length are already pushing the boundaries of modern cryptography. If RSA (or any other similar algorithm which uses a public key) were to be appropriately implemented in a new creation, antivirus companies might find themselves powerless, even if maximum computing power were to be applied to decrypting the key. As I see it, the only answer at the moment is to take preventative measures, ensuring that all documents, data and email databases are backed up on a regular basis. Of course, at the same time antivirus companies have to continue working on proactive protection which will make it impossible for malicious users to encrypt or archive users’ data.

Sadly, the authors of Gpcode, Cryzip, and Krotten are still at liberty. Great efforts are being made to apprehend them. However, even if they are arrested, there’s nothing to prevent other malicious users from implementing such techniques in order to make money. Because of this, RansomWare will undoubtedly remain a major headache for the antivirus industry, at least in the near future.

Polymorphic scripts

The term polymorphism has been used in relation to computer viruses since 1990. Polymorphism has evolved from simple single byte xor encryption to intricate metamorphoses which employ complex algorithms, including cryptographic algorithms. Many articles and dissertations have been written on this phenomenon.

Polymorphic viruses continue to evolve up until the beginning of the 21st century, when virus writers decided to concentrate their efforts on developing worms and Trojans instead. It seemed virus writers felt that code which mutated in order to hinder detection by antivirus solutions was no longer a relevant or needed technology.

However, starting from 2003, virus writers again began using polymorphic code in their creations. This was due to the fact that antivirus solutions were becoming better and better. Consequently, using methods such packing – a favorite among virus writers at the time – to hide malicious code was becoming less and less effective. Malicious users dusted down classic polymorphs created by DarkAvenger_a, the Black Baron, and Zombie. These programs were modified using new knowledge and techniques, and a new generation of polymorphic viruses (which are still limited in number) started appearing on the Internet.

Over the past few years, virus analysts have been encountering polymorphic code and garbage code which is included in malicious programs in an attempt to hinder analysis. At the turn of 2005/ 2006, polymorphic techniques were even being implemented in script viruses (i.e. worms), something which would previously have been unthinkable.

Antivirus companies had long since developed a range of emulators and heuristic analyzers in order to combat binary polymorphic code. However, until recently there was no need to develop such tools for script viruses. There had only been a few exploits for browser vulnerabilities and Trojan-Downloaders written in script languages. The heyday of script viruses was reached at the end of the 20th century when the LoveLetter worm hit.

It could be said that one of the most active researchers into using polymorphism in scripts was an Australian schoolboy who went under the pseudonym of Spth. He managed to create a very interesting polymorphic algorithm in Cassa, a Java Script virus. As it turned out, this was an issue which was of interest to others as well; web masters also wanted to make use of this approach in order to protect their site code from being stolen. Several programs which made it possible to encrypt html pages appeared. These programs were based on Java Script functions which would decrypt the page contents on the fly to ensure that the pages were correctly displayed by the browser.</P.

Such programs effectively provided malicious users with virus constructors; no real knowledge of polymorphism was needed to use them. Script-kiddies appeared (here the word ‘script’ can be taken literally) and started to cause headaches for antivirus companies who had to find ways to combat their encrypted exploits and Trojans. The task was complicated by the fact that traditional emulation methods weren’t very useful; checking an Internet page at the moment it is loaded to the browser, and the corresponding small delay would have lead to complaints from users.

Unfortunately, the developers of some legal programs designed to encrypt html pages went a step further, and made their code public. This meant that anyone who wished could modify some fairly powerful polymorphic algorithms (e.g. HTML Guard).

The result was that during the first six months of 2006 we encountered email worms such as Feebs and Scano which not only spread actively, but which posed a serious threat.

Both worms spread via email as an encrypted Java Script file attached to infected messages. It appears to be a standard HTML page. This naturally allays the user’s suspicion – after all, s/he reasons, viruses arrive as an executable or as an MS Office file. The majority of users do not view HTML pages as executable, nor as objects which potentially contain malicious code.

When such a file is opened, the polymorphic code will be executed. As a result, a standard executable file which contains the body of the worm will be installed to the system. In addition to their other payload, the worms start generating copies of themselves as JavaScript files. These files differ from each other so much that it’s impossible to find even one identical piece of code – this is due to the worm’s polymorphic function. These files are then sent to email addresses harvested from the victim machine, and the whole cycle begins again. To make matters even more difficult for antivirus companies, the authors of these worms launched new variants of their creations every two to three days.

So where exactly does this leave us? Old technologies have been modified to correspond to new conditions. Social engineering is being used to exploit the fact that users do not understand that html pages can contain malicious scripts. There are difficulties in creating detection for such viruses due to the fact that there are certain speed requirements, and there may be false positives caused by pages which are encrypted for legitimate reasons.

All of this leads to the conclusion that in spite of the fact that both virus and antivirus technologies are still actively evolving, classic approaches still remain the most effective. Unfortunately, the antivirus industry has a large number of start-up companies, as well as the old hands, and these start-ups do not have extensive experience in combating old threats. Many new technologies, such as scanning http traffic on the fly, are totally irrelevant in the struggle against polymorphic viruses.

Concepts

Currently, virus writers seem to be suffering from a lack of inspiration. They are using older, almost forgotten technologies more and more frequently. The hot discussed topics of the last few years, such as rootkits, botnets, and vulnerabilities in Microsoft products are no longer anything out of the ordinary. Malicious users are always searching for methods which can be used to infect the greatest number of users possible. Most striking of all are proofs of concept: programs or approaches which may not be widely used in the future, but which still mean that antivirus companies have to respond appropriately to the new potential threat.

2006 was one of the most ‘concept ridden’ years in the history of computer virology. During the first quarter of the year, we encountered creations such as the first Trojan for J2ME (able to function on the majority of mobile phones) and the first ‘real’ virus for Mac OS X, which was rapidly followed by a Bluetooth worm. Researchers from Michigan University, sponsored by Microsoft, gave birth to SubVirt, a rootkit based on virtual machine technology. Our previous quarterly report contains information on all of these inoovations.

This unusual activity can be explained by the fact that, thanks to the efforts of law enforcement bodies around the world, the infamous virus-writing group 29A was dispersed. This group had previously been the main creator of proof of concept code. New people came to fill the void, in a wish to go down in the annals of virology.

And virus writers have not been standing still since our last quarterly report. The section below contains details of the new proof of concept malware which we’ve come across during the last three months.

Let’s start with the first virus for yet another Microsoft product – MS Publisher. This program is one of Microsoft’s oldest, and as the name suggests, it’s a business publishing and marketing materials solution. The program was very popular during the 1990s, but gradually competitors took the market share. Until now, it seemed to be of no interest to virus writers; however, the desire for recognition caused authors of malicious code to take a closer look at this solution. It seems likely that this virus was created purely for form’s sake, to show that it was possible to create malicious code for almost the entire range of Microsoft products.

This virus was created by a female virus writer from the Ukraine, known in virus writing circles as Patiavara. In April 2006 she sent her virus for MS Publisher 3.0 to Kaspersky Lab; we called it Avarta.

Due both to bugs in the replication routine and a far too obvious payload, Avarta would have no chance to make it into the wild. Three or four years ago it would have been an interesting example of the application of new technologies. However, macro viruses have now all but died out, and Avarta was simply proof of a concept which could never become a real threat.

Cross platform viruses (i.e. viruses which can function on two or more platforms at once, for instance Windows and Linux) also raised their head over the parapet during this period. The concept of cross platform malware has been around for a while; in April we received a sample of the latest program of this type. Bi.a is capable of infecting files in the current directory and determines which OS (Windows or Linux) it has been launched under. It then uses the appropriate algorithm to infecting files.

Our announcement about this virus raised a certain amount of fuss in the Linux community. Even Linux Torvalds joined the discussion. Having seen the analysis of Bi, and information that the code contained errors which meant that Bi would be unable to work under certain Linux kernels, he released a patch. This meant that the virus did become fully functional. Whatever the ethics of this discussion, cross platform viruses for Windows and Linux remain of interest to virus writers, and they will undoubtedly continue to develop such malicious code.

Another curiosity was Gabol, a virus targeting the Matlab data manipulation software package. It appeared in April/ May. It is written in Matlab’s inbuilt script language, and is designed to infect all working files by writing its body to the start of each file. Xic.a, another virus for Matlab, was more complex and used polymorphic technologies (see above). It’s difficult to see how such viruses could be used to cause a large number of infections due to the fact that Matlab is not widely used. It’s clear that these programs were written to demonstrate the author’s abilities.

A more dangerous proof of concept was StarDust, a macro virus which targeted StarOffice. This program package is one of MS Office’s main competitors, and is very popular among Linux users. There is also a version of StarOffice available for Windows. Until now, macro viruses only targeted MS Office. However, the fairly powerful script language used in StarOffice, and the desire of virus writers to show that it wasn’t only Microsoft programs that could provide a fertile environment for malicious code led to the appearance of StarDust. Strictly speaking, this malicious program is a Trojan rather than a virus, but the concept remains the same. Yet another product has been added to the list of those which are vulnerable to attack by malicious code.

The most dangerous proof of concept this quarter was, without a doubt, the Yamanner worm. This is one of a very small group of worms which use a unique propagation method. In fact, there are so few worms in this group that each one is a technological innovation and nearly all of them immediately appear in the wild, making the headlines.

Here we are talking about worms which use a vulnerability and bugs in the script engines of popular web resources such as free email and blogging sites. The worms do not need to penetrate the victim machine in order to infect them. The malicious code simply has to be activated in one way or another, either by the user viewing the message within the browser, or by visiting a site which contains the malicious code. Nearly all of the worms used the cross site scripting vulnerability. A couple of examples are the worm which infected the Mail.ru web interface, and SpaceHero, a worm which infected millions of blogs on MySpace in October 2005.

In June 2006 almost 200 million users of Yahoo! Mail were potential victims of such a worm. Yamanner is interesting in that the user does not have to anything except open an email using the Yahoo! Mail web interface in order for the malicious code to be activated. When the user opens a message, a script is executed which sends the worm to all addresses containing the domain @yahoo.com or @yahoogroups.com in the user’s address book. In addition to this, a certain web site (which is currently not functioning) is opened and the address book of the infected account is send to a specified server.
The only Yahoo! Mail users who were not at risk were those who used POP3 to receive their mail via a separate mail client. As the platform for the worm’s propagation was JavaScript, which is supported by all fully functional browsers, the user’s choice of browser was irrelevant in terms of security.

The only way to protect against such worms is to disable scripting in the browser. However, this makes it impossible to use the Yahoo! Mail web interface. Yahoo! took steps to filter mail messages which exploited this vulnerability, modified the interface, and encouraged users to migrate to Yahoo Mail Beta, a new version of the service which does not contain the vulnerability.

This whole history could be repeated with any other online service. Any mail service which uses a web interface (such as gmail) is potentially vulnerable. Only the number of patches installed on a system will restrict the functionality of a JavaScript virus or worm. Naturally, this may change at any moment with the discovery of a new vulnerability. Errors in programming which can lead to the cross site scripting vulnerability are extremely common and great efforts have to be made to detect them.

It’s clear that the boundary between personal computers and internet resources has long since been destroyed; a computer may not contain the body of a virus, but you may still be involved in propagating malicious code simply by updating your blog or reading your mail. This is clearly a threat which will be significant in the future, particularly with the advent of Web 2.0.