Sony Electronics phoned us today. They wanted to thank us for bringing the MicroVault incident to their attention. And they also wanted to apologize for not responding to our earlier queries regarding the incident.
We have now opened direct discussion channels with Sony Electronics and are assisting them with the investigation. We have also provided them with our internal investigation notes on the case.
We were also promised a direct contact point for future use. Just in case we would again discover a rootkit or something in Sony's products. After all, we have already done it twice…
Earlier today we saw a blog post from the good people over at Sunbelt about a compromise of Bank of India's website and so we checked it out.
On the front page of the site a hidden IFrame has indeed been inserted and it loads a URL from another website.
This file in turn uses three IFrames to load three other URLs.
Update: The malicious IFrame has been removed from the front page and it's now safe to visit the site again.
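As an added example (not part of the original post and not F-Secure's or Sunbelt's code), the following Python script audits an HTML document for the pattern described above: an IFrame that is hidden or sized to zero and loads a URL from another host. The page host, the sample HTML and the hostname attacker.example are constructed for the example; the same function can be run over the file the first IFrame loads to follow the chain of nested IFrames.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (a visually invisible frame)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects IFrames that are hidden, near-zero sized or point off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # Relative src (empty host) stays on the page's own site.
        if host and host != self.page_host:
            reasons.append("external host " + host)
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("near-zero size")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, page_host):
    """Return a list of (src, reasons) for every suspicious IFrame in html."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate same-site frame, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/news.html" width="600" height="200"></iframe>
<iframe src="http://attacker.example/index.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE, "bank.example"):
        print(src, "->", ", ".join(reasons))
```

A single reason is worth a look; an off-site frame that is also hidden or zero-sized is the combination seen in this incident and should be treated as an injection until proven otherwise.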
Monday's post disclosed our investigation of Sony's MicroVault USM-F fingerprint reader software. Sony's software installs a driver that creates a hidden folder using rootkit techniques.
This raises the question – while the techniques employed are similar – is this case as bad as the Sony BMG XCP DRM case (i.e. the music rootkit)?
In a nutshell, the USB case is not as bad as the XCP DRM case. Why? Because…
The user understands that he is installing software, it's on the included CD, and has a standard method of uninstalling that software.
The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn't hide malware as effectively from (some) real-time antivirus scanners.
The MicroVault software does not hide processes or registry keys. XCP DRM did.
It's also trickier to run executables from the hidden directory than with XCP. However, it can be done.
And lastly, there seems to be a use-case: The cloaking is most likely used to protect fingerprint authentication from tampering. Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you – the user – from accessing the music on the CD you bought. So their intent was more beneficial to the consumer in this case.
However – this new rootkit (which can still be downloaded from sony.net) can be used by any malware author to hide any folder. We didn't want to go into the details about this in our public postings, but we suppose the cat's out of the bag now that our friends at McAfee blogged about this yesterday. If you simply extract one executable from the package and include it with malware, it will hide that malware's folder, no questions asked.
We still haven't received any kind of response from Sony International. Sony Sweden did however confirm in a public IDG story that the rootkit is indeed part of their software.
Hypothetical: Imagine that you visit your local mall and browse around for stuff to buy. And you decide to buy a new CD from your favorite artist and you also buy a brand new cool USB stick thingy on an impulse. You go home and stick the CD into your laptop's CD drive. It prompts you to install some software. You do so and while you are listening to the music, you open the USB stick package and start experimenting with your new toy. It has a fingerprint reader so you install the software for that as well. Guess what… you might have just installed, not one, but two different pieces of rootkit-like software on your laptop.
We received a report that our F-Secure DeepGuard HIPS system was warning about a USB stick software driver. The USB stick in question has a built-in fingerprint reader. The case seemed unusual so we ordered a couple of USB sticks with fingerprint authentication. We installed the software on a test machine and were quite surprised to see that after installation our F-Secure BlackLight rootkit detector was reporting hidden files on the system.
Many of our regular readers will remember the huge Sony BMG XCP DRM rootkit debacle of 2005. Back then malware with rootkits was not very common, but since then a lot of malware families have adopted rootkit cloaking techniques. It is unclear if the "rise of the rootkit" would have happened on this scale without the publicity of the Sony BMG case. In any case, a lot more people now know what a "rootkit" is than back then.
This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation.
The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and the files inside it are not visible through the Windows API. If you know the name of the directory, it is possible, for example, to enter the hidden directory using Command Prompt and to create new hidden files there. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.
In addition to the software that was packaged with the USB stick, we also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality.
It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be kept in a world-writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here. As with the Sony BMG case we, of course, contacted Sony before we decided to go public with the case. However, this time we received no reply from them.
It should be noted that MicroVaults with fingerprint authentication appear to be an older product and may no longer be manufactured. At least we had some trouble finding a reader of this type in Helsinki. Nevertheless, we did manage to find them on sale.
Yesterday Der Spiegel magazine broke the story about targeted attacks against the German ministry of the interior.
As is typical in cases like this, the malware was sent to key employees via e-mail as booby-trapped DOC and PPT files, and the stolen data was sent out to an unknown location via servers located in China.
We highlighted the risk of attacks like this in our video lecture last March. The video was recorded pretty much exactly at the time when these attacks were taking place.
We are aware of at least two other similar attacks against governments in Europe.
We've been meaning to perform a few updates to our RSS feed for quite some time now. But until now it's taken a backseat to more important work.
This week we (specifically Kamil) found the time and made some upgrades.
So if you notice this button in your Firefox browser:
It now points to this:
This RSS feed should now be compatible with Internet Explorer 7. The RDF feed has been updated as well. We're still making modifications, so it isn't absolutely official yet. Those of you that are willing to test – please do so – you can provide us feedback using the e-mail address listed at the top of the Weblog. Cheers!
The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.
Yesterday we made a short video highlighting the details:
A few times over the last week we've posted on how the e-mails used by the Zhelatin/Storm gang have changed, so we weren't too surprised to see them change once again. This time though, they look very different as they talk about "you" having signed up for different services such as MP3 World or Internet Dating.
Subjects we've seen used in the e-mail messages so far are:
Cat Lovers
Dated Confirmation
Internal Support
Internal Verification
Login Info
Login Information
Login Verification
Member Confirm
Member Details
Member Registration
Membership Details
Membership Support
New Member Confirmation
New User Confirmation
New User Details
New User Letter
New User Support
Poker World
Registration Confirmation
Registration Details
Secure Registration
Tech Department
Thank You For Joining
User Info
User Verification
Your Member Info
Welcome New Member
Tech Support
Internet Tech Support
And the senders have been:
Bartenders guide
Bartenders Guide
Coolpics
Dog lovers
Entertaining pics
Entertaining pros
Fun World
Free ringtones
Free web tools
Game Connect
Internet Dating
Job search pros
Joke-a-day
Mobile Fun
MP3 world
Net gambler
Net-jokes
Online hook-up
Poker world
Resume Hunters
Ringtone heaven
Web
Web cooking
Web connects
Webtunes
Wine Lovers
Once someone visits the website, the text has changed a bit. Now it says that you need a Secure Login Applet to be able to use the service, and the link points to applet.exe, which is of course the infected file.
Similar to previous attacks it also uses exploits in an attempt to automatically infect the user when you view the page – so don't do it.
UPDATE: The spam runs of these e-mail messages continue and we've updated the list of subjects and senders used. Feel free to mail us if you've seen any others that we don't have on the list. Use the e-mail address listed at the top of the page.
Thanks to everyone who has sent us updates on the subjects and senders used.
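As an added example (not part of the original post and not F-Secure's own detection logic), here is a small Python triage script for mail administrators that combines the indicators this post describes: a subject or sender display name from the lists above, a link whose host is a bare IP address rather than a domain, and a link to applet.exe. The two sample messages, the address 192.0.2.45 (a documentation range) and the mp3world.invalid domain are constructed; the subject and sender sets hold a handful of entries from the lists above and are not meant to be complete.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# A few of the subjects and sender names from the lists above (lowercased for lookup).
KNOWN_SUBJECTS = {
    "login information", "member details", "new user confirmation",
    "registration confirmation", "thank you for joining", "secure registration",
}
KNOWN_SENDERS = {"mp3 world", "internet dating", "poker world", "free ringtones"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _text_body(msg):
    """Join all text/plain parts of a message into one string."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return the list of campaign indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    display_name, _addr = parseaddr(msg.get("From") or "")
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches campaign list")
    if display_name.strip().lower() in KNOWN_SENDERS:
        reasons.append("sender name matches campaign list")
    for url in URL_RE.findall(_text_body(msg)):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if IPV4_RE.match(host):
            reasons.append("link to bare IP address: " + host)
        if parsed.path.lower().endswith("applet.exe"):
            reasons.append("link to applet.exe download")
    return reasons


def is_suspicious(raw_message):
    """Two or more independent indicators: quarantine for review."""
    return len(triage(raw_message)) >= 2


# Constructed sample modelled on the campaign described above.
SAMPLE_MAIL = """From: "MP3 World" <member@mp3world.invalid>
To: user@example.com
Subject: Thank You For Joining

You signed up for MP3 World. To use the service you need our Secure Login Applet.
Download it here: http://192.0.2.45/applet.exe
"""

# Constructed benign message for comparison.
BENIGN_MAIL = """From: "Alice" <alice@example.com>
To: user@example.com
Subject: Lunch tomorrow?

Menu is at http://www.example.com/menu if you want to pick something.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, "->", triage(raw) or "no indicators")
```

The subject and sender matches are the weakest signals, since the gang rotates them (this post has already been updated once with new ones); the bare-IP link and the executable download are the indicators worth alerting on even when the wording changes again.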
Most of the worldwide Skype network has been down for a day now and it still has not recovered.
Skype's official word is that the problem was caused by "a deficiency in an algorithm within Skype networking software that controls the interaction between the user's own Skype client and the rest of the Skype network". Our own internal contacts within Skype also say that this was not a DDoS attack or anything else like that.
Then again: Skype's main development unit is in Estonia. Estonia's infrastructure was targeted by massive denial-of-service attacks earlier this year. This, tied together with the fact that a new Denial-of-Service exploit against Skype server software was posted to securitylab.ru just hours ago, has created lots of rumors about what's really going on.
The exploit is quite simple and causes Skype client software to generate a large amount of calls, freezing the server it's connected to – and causing a reconnect to another server.
Last week, I attended the Usenix Security conference held in Boston. In addition to attending the conference, I also had a couple of free evenings to tour around the city. In one of the shops I just had to get a "hamster cube" puzzle as a souvenir to bring back to the office.
Looks scary, doesn't it?
So after some time of trying to solve it, I decided to write a program that would do it for me. Yes, it was a slow day in the office.
This simple C program took five seconds to generate a correct solution, while it took my colleague Stefan at least fifteen minutes to solve it by hand! OK, it took a while to write the program, but still…
Over the last few weeks, we've seen tons of ecard.exe spam, where fake greeting card mails have been spammed out.
The messages have not contained an attachment, but just links to web sites that offer a download of one ecard.exe to your machine.
Since last night, the messages have changed. You still get the normal greeting card spam:
But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer. Conveniently, they have it available for download, for free.
Of course, the downloaded file msdataaccess.exe turns out to be the gift that keeps on giving. Avoid it like the plague.
In general, it's a bad idea to follow such unsolicited links from e-mail. Don't even try the above URL just for fun. For example, if you access the page with an outdated version of Firefox or IE, the page will render with a nasty exploit code that will try to infect your computer immediately. Opera doesn't seem to be targeted at the moment.
This operation is apparently the work of the same gang that did the original "Storm worm" run in January 2007.
We detect the latest variants as Email-Worm.Win32.Zhelatin.gg.
It's the second Tuesday of this month and as scheduled, Microsoft has released several security bulletins with six critical and three important updates.
The updates resolve vulnerabilities found in several applications including Office Excel, Internet Explorer, and GDI. Most of these vulnerabilities allow remote code execution and one allows elevation of privilege.
During the summer holidays, many people probably missed news stories about the sentencing of Mr. Tariq al-Daour in London.
According to this article by Brian Krebs, Mr. al-Daour had been running online fraud operations together with Waseem Mughal (aka "Abuthaabit") and Younis Tsouli (aka "IRH007" or "Irhabi007").
The trio used Windows-based trojans to steal information such as credit card numbers from normal net users. These credit card accounts were then used to make purchases at hundreds of online stores.
What kind of purchases were they making? Gear for insurgents in Iraq: plane tickets, GPS devices, night-vision goggles, sleeping bags, survival knives, and tents.
The money was apparently laundered through online poker sites (including AbsolutePoker.com, NoblePoker.com and ParadisePoker.com) as well as betting sites like Canbet.com.
The group was allegedly also planning real-world bomb attacks.
According to Newsweek, Mr. al-Daour and his accomplices were caught after a Swedish-Bosnian terrorist, Mr. Mirsad Bektasevic (aka "Maximus"), was caught. Bektasevic had saved one of the men's phone numbers on his personal cell phone.
The concept of Cyberterrorism has been discussed for years, but we've never really seen any concrete examples. Here we have a case where cyber-attacks are being used to fund real-world attacks.
So: It's not always just bits and bytes that get hurt as a result of online attacks.
Our 2007 Reverse Engineering Challenge for Assembly was held last week…
It was a bit tricky to pull off this year as many members of the lab were attending Black Hat Briefings/DEF CON and were working remotely. And then there were vacations and office moves too. (An active week.)
But despite a few small glitches, everything seems to have gone off rather well. Our thanks to Sami Rautiainen for his assistance with the Khallenge.com domain.
Our three top prizewinners are: Kaspars Osis – Latvia; Otto Ebeling – Finland; and Attila Suszter – Hungary. They won, in the order named, an 80GB, 4GB, and 2GB iPod.
Kaspars was also last year's winner and retains his title. Regular weblog readers will also recognize our second place prizewinner. Otto Ebeling was the designer of last year's Khallenge during his 2006 summer employment.
Our website's statistics show that Level 1 was downloaded about 2215 times. At the time of this posting we have received 442 responses. Level 2 has yielded 136 and Level 3 has 35 correct responses. So let's say that's roughly a 20/30/25 percent completion rate.
For those of you still working on Level 2 – it's possible to debug the binary and produce a dialog box with "lucky numbers". But you need to fully reverse engineer it to determine the one true parameter that produces a valid e-mail address. That's part of the challenge. Hint: use the original binary with your parameter to test.
Black Hat Briefings 2007 are safely behind us and DEF CON 15 is in full swing.
What was hot this year? VoIP. Detecting and hiding virtual rootkits. Gaining access to intranets via users that are browsing public websites. iPhone.
Of course, having around 4000 (!) attendees in one location creates quite real problems for any conference. Despite having seven simultaneous tracks in huge rooms, popular talks still left much of the audience sitting on the floor. As an example, here's a photo taken during HD Moore's and Valsmith's presentation.
And seeing 4000 people eat lunch complete with table service together at the same time in one hall is frankly quite amazing. On the first day lunch was chicken. I think we emptied a medium-sized chicken farm.
We did a presentation on the Status of Cell Phone Malware in 2007. A big thanks to Jarno Niemela for helping out with the live demos.
The presentation went very well and all demos succeeded although we were worried about the sometimes spotty connectivity of some US carriers. Slides are available here (PDF). Audio will be available later on Black Hat's media archives.
Greetings from Assembly 2007. The action will start at 12:00 local time, and our still empty booth is waiting for the visitors to start pouring in. We hope to see you all there! Also, some of you may have already noticed that the F-Secure Reverse Engineering Challenge II is now open!