Archive for the ‘Computer Virus’ Category

Beware! PDF in your mail attachment could be a virus

April 16th, 2010

There’s a new way of stealing data from your PC. Hackers are using Adobe Acrobat file format — commonly called PDF files — to siphon off sensitive data from your PC to China.

Adobe files are considered very safe for viewing documents. So safe, that even credit card companies send their bills in this format and almost all banks use them to send online documents, statements and bills. It is this faith in Adobe files that hackers are trying to cash in on.

According to Websense Security Labs, a Zbot Trojan virus is spreading rapidly through emails, and the security firm has already discovered about 2,200 such mails in India. Zbot (also known as Zeus) is an information-stealing virus that remains hidden in a PC (a Trojan), collecting confidential data from each infected computer.

The modus operandi of the virus is to trick users into opening a mail with a PDF file attached. Once a user clicks on the file, the PC gets infected and sensitive information flows out to the programmer of this virus somewhere in China.

The attacks come less than a week after other experts predicted that hackers would soon exploit the “/Launch” design flaw in PDF documents to install malware on unsuspecting users’ computers.

The just-spotted Zeus variant uses a malicious PDF file that embeds the attack code in the document, said Dan Hubbard, CTO of San Diego, Calif.-based security company Websense. When users open the rogue PDF, they’re asked to save a PDF file called “Royal_Mail_Delivery_Notice.pdf.” That file, however, is actually a Windows executable that when it runs, hijacks the PC.

Zeus is the first major botnet to exploit a PDF’s /Launch feature, which is, strictly speaking, not a security vulnerability but a by-design function of Adobe’s specification. Earlier this month, Belgian researcher Didier Stevens demonstrated how a multistage attack using /Launch could successfully exploit a fully-patched copy of Adobe Reader or Acrobat.

Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, that’s not enough to stop users from launching the bogus document, said Websense’s Hubbard. “No one is blanket-blocking PDFs at the gateway,” he said. “There’s so much business value in PDFs, and they’re very pervasive.” In other words, people trust PDFs, he said — much more even than some other popular document formats, such as Microsoft Word.
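Since /Launch is a documented feature rather than a bug, the practical defence at a mail gateway is to inspect attachments for it rather than wait for a patch. The following added example (mine, not code from the post, Websense, Adobe or Didier Stevens) scans raw PDF bytes for /Launch and the auto-run and payload constructs that usually travel with it. It decodes `#xx` name escapes and inflates FlateDecode streams first, because either can hide the name from a naive string search. The three sample documents are constructed inline and contain only a placeholder file name, not a real payload.

```python
import re
import zlib

# PDF name objects may be written with #xx escapes (e.g. /La#75nch is /Launch),
# so the scan decodes them before matching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructs worth flagging in a mail attachment. /Launch is the by-design
# action discussed in the post; the others are the usual triggers and
# payload carriers that accompany it in malicious documents.
SUSPICIOUS_NAMES = [b"/Launch", b"/OpenAction", b"/AA",
                    b"/JavaScript", b"/JS", b"/EmbeddedFile"]


def decode_name_escapes(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus the inflated body of every stream that
    decompresses as zlib data, so names tucked inside FlateDecode object
    streams are visible to the scan. Streams that fail to inflate are skipped."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))  # trailing newline is ignored by zlib
        except zlib.error:
            pass
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names and derive a gateway verdict:
    'block'  - a /Launch action is present
    'review' - auto-run triggers, script or embedded files, but no /Launch
    'allow'  - none of the above were seen"""
    text = decode_name_escapes(inflate_streams(data))
    counts = {
        name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        for name in SUSPICIOUS_NAMES
    }
    if counts["/Launch"]:
        verdict = "block"
    elif any(counts.values()):
        verdict = "review"
    else:
        verdict = "allow"
    return {"counts": counts, "launch": counts["/Launch"] > 0, "verdict": verdict}


# Constructed sample documents (not real malware): a plain one-page file,
# one whose /OpenAction points at an escaped /Launch action, and one with the
# same action hidden inside a FlateDecode stream.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /La#75nch /F (PLACEHOLDER.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_hidden = zlib.compress(
    b"4 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER.exe) >> endobj")
OBJSTM_PDF = (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden
              + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("launch", LAUNCH_PDF), ("objstm", OBJSTM_PDF)]:
        result = scan_pdf(doc)
        print(label, result["verdict"], result["counts"])
```

The scan is deliberately conservative: any /Launch earns a block, while auto-run triggers or scripts without it only earn a review, which matches how a gateway would treat the business PDFs Hubbard mentions. It does not handle encrypted documents or filters other than FlateDecode, so treat a failure to inflate as a reason to look closer, not as a clean result.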

Websense has tracked several thousand Zeus attacks using the embedded malware and /Launch function. “The attacks are still going on,” Hubbard said.

While the attack technique may be new, the behind-the-scenes malware and the gang that produces it are standard Zeus fare, Hubbard continued. Zeus is best known for planting identity theft code on victims’ PCs to steal, for instance, online banking logon usernames and passwords. “The motives aren’t any different here,” said Hubbard.

Categories: Computer Virus Tags:

How Do Bots Work?

April 20th, 2009

Hackers who write bot-type viruses have one goal in mind: infect as many machines as possible and preserve the network of zombie (virus-infected) computers. This network of infected machines is called a botnet. Once a machine is infected with a bot, the virus sits quietly in the background and waits for a command from the hacker. For this reason many people are not aware that their computer has been infected with a bot.

The infection cycle looks like this:

1. Virus author sends out email spam containing viruses, or uses some other method of social engineering to trick people into installing the virus on their computer.
2. Infected computers log into an IRC server or other communications medium to form a network of infected systems. This is known as a botnet.
3. The author uses the botnet to send out more spam using the infected computers.
4. Users infect their computers by clicking on links in spam, and the process starts again.
5. At any time, a spammer may purchase access to this botnet from the author to send spam, or a cybercriminal may do this and use the infected machines to attack critical network resources, such as a company server or a website.


Conficker Worm Targets Microsoft Windows Systems

April 20th, 2009

Researchers discovered a new variant of the Conficker worm on April 9, 2009. This variant updates earlier infections via its peer-to-peer (P2P) network as well as resuming scan-and-infect activity against unpatched systems. Public reporting indicates that this variant attempts to download additional malicious code onto victim systems, possibly including copies of the Waledac Trojan, a spam-oriented malicious application which has previously propagated only via bogus email messages containing malicious links.

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. An infection may be indicated if a user is unable to reach their security vendor’s website, or cannot connect to the following websites to download the free detection/removal tools they offer:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system should be removed from the network or, in the case of home users, unplugged from the Internet.
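The reachability test above is easy to misread: if the whole connection is down, the vendor sites fail too, and nothing has been learned. The following added example (my own, not from US-CERT or any vendor) automates the check and adds an assumed control host that the worm is not reported to block, so that "vendor sites fail but the control host resolves" is separated from "nothing resolves". The `fake_resolver` helper is a constructed stand-in so the decision logic can be exercised offline.

```python
import socket

# Sites listed in the post; the worm interferes with queries for them.
VENDOR_HOSTS = ["www.symantec.com", "www.microsoft.com", "www.mcafee.com"]
# Assumed control host: a site the post does not list, used to tell
# "vendor sites blocked" apart from "no network at all".
CONTROL_HOSTS = ["example.com"]


def can_resolve(host: str, resolver=socket.gethostbyname) -> bool:
    """True if the host name resolves; DNS failures surface as OSError."""
    try:
        resolver(host)
        return True
    except OSError:
        return False


def assess(resolver=socket.gethostbyname, vendors=VENDOR_HOSTS, controls=CONTROL_HOSTS) -> dict:
    """Resolve every vendor and control host and reduce the outcome to one verdict."""
    vendor_ok = {h: can_resolve(h, resolver) for h in vendors}
    control_ok = {h: can_resolve(h, resolver) for h in controls}
    if not any(control_ok.values()):
        verdict = "offline"       # nothing resolves: a connectivity problem, not evidence of the worm
    elif not any(vendor_ok.values()):
        verdict = "suspect"       # control works but every vendor site fails: the pattern the post describes
    elif not all(vendor_ok.values()):
        verdict = "inconclusive"  # mixed results: repeat from another machine before acting
    else:
        verdict = "clean"
    return {"verdict": verdict, "vendors": vendor_ok, "controls": control_ok}


def fake_resolver(blocked=(), online=True):
    """Build a stand-in resolver for offline testing: every lookup fails when
    online is False, otherwise only names in `blocked` fail."""
    def resolve(host):
        if not online or host in blocked:
            raise OSError(f"simulated lookup failure for {host}")
        return "192.0.2.1"  # documentation address, never a real answer
    return resolve


if __name__ == "__main__":
    result = assess()  # uses the real resolver on this machine
    print(result["verdict"])
    for host, ok in {**result["vendors"], **result["controls"]}.items():
        print(f"  {'ok  ' if ok else 'FAIL'} {host}")
```

A "suspect" verdict is a prompt to pull the machine off the network and run the removal tools from a clean computer, as the post advises; it is not proof of infection, since any DNS filtering or hosts-file tampering produces the same signature.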

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:

http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.


Storm botnet

April 20th, 2009

The Storm botnet or Storm worm botnet is a remotely-controlled network of “zombie” computers (or “botnet”) that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. Other sources have placed the size of the botnet to be around 250,000 to 1 million compromised systems. More conservatively, one network security analyst claims to have developed software that has crawled the botnet and estimates that it controls 160,000 infected computers. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware on Microsoft Windows computers.

The Storm botnet has been used in a variety of criminal activities. Its controllers, and the authors of the Storm Worm, have not yet been identified. The Storm botnet has displayed defensive behaviors that indicated that its controllers were actively protecting the botnet against attempts at tracking and disabling it. The botnet has specifically attacked the online operations of some security vendors and researchers who attempted to investigate the botnet. Security expert Joe Stewart revealed that in late 2007, the operators of the botnet began to further decentralize their operations, in possible plans to sell portions of the Storm botnet to other operators. Some reports as of late 2007 indicated the Storm botnet to be in decline, but many security experts reported that they expect the botnet to remain a major security risk online, and the United States Federal Bureau of Investigation considers the botnet a major risk to increased bank fraud, identity theft, and other cybercrimes.

The botnet reportedly is powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second than some of the world’s top supercomputers. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon. Bradley Anstis, of the United Kingdom security firm Marshal, said, “The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That’s a lot of bandwidth. It’s quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts.”

First detected on the Internet in January 2007, the Storm botnet and worm are so-called because of the storm-related subject lines its infectious e-mail employed initially, such as “230 dead as storm batters Europe.” Later provocative subjects included, “Chinese missile shot down USA aircraft,” and “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.” It is suspected by some information security professionals that well-known fugitive spammers, including Leo Kuvayev, may be involved in the operation and control of the Storm botnet. According to technology journalist Daniel Tynan, writing under his “Robert X. Cringely” pseudonym, a great portion of the fault for the existence of the Storm botnet lay with Microsoft and Adobe Systems. Other sources state that Storm Worm’s primary method of victim acquisition is through enticing users via frequently changing social engineering schemes. According to Patrick Runald, the Storm botnet has a strong American focus, and likely has agents working to support it within the United States. Some experts, however, believe the Storm botnet controllers are Russian, some pointing specifically at the Russian Business Network, citing that the Storm software mentions a hatred of the Moscow-based security firm Kaspersky Lab, and includes the Russian word “buldozhka,” which means “bulldog.”

The botnet, or zombie network, comprises computers running Microsoft Windows as their operating system. Once infected, a computer becomes known as a bot. This bot then performs automated tasks—anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail—without its owner’s knowledge or permission. Estimates indicate that 5,000 to 6,000 computers are dedicated to propagating the spread of the worm through the use of e-mails with infected attachments; 1.2 billion virus messages have been sent by the botnet through September 2007, including a record 57 million on August 22, 2007 alone. Lawrence Baldwin, a computer forensics specialist, was quoted as saying, “Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily.” One of the methods used to entice victims to infection-hosting web sites are offers of free music, for artists such as Beyoncé Knowles, Kelly Clarkson, Rihanna, The Eagles, Foo Fighters, R. Kelly, and Velvet Revolver. Signature-based detection, the main defense of most computer systems against virus and malware infections, is hampered by the large number of Storm variants.

Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour for new transmissions, making it difficult for anti-virus vendors to stop the virus and the spread of infection. Additionally, the location of the remote servers which control the botnet is hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus-hosting sites and mail servers. In short, the names and locations of such machines are frequently changed and rotated, often on a minute-by-minute basis. The Storm botnet’s operators control the system via peer-to-peer techniques, making external monitoring and disabling of the system more difficult. There is no central “command-and-control point” in the Storm botnet that can be shut down. The botnet also makes use of encrypted traffic. Efforts to infect computers usually revolve around convincing people, through subtle manipulation, to download e-mail attachments which contain the virus. In one instance, the botnet’s controllers took advantage of the National Football League’s opening weekend, sending out mail offering “football tracking programs” which did nothing more than infect a user’s computer. According to Matt Sergeant, chief anti-spam technologist at MessageLabs, “In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It’s very frightening that criminals have access to that much computing power, but there’s not much we can do about it.” It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.
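Fast flux shows up in DNS telemetry as a name whose answers rotate through many addresses in unrelated networks with very short TTLs. The following added example (mine, not from this post or any vendor) aggregates constructed passive-DNS lines per domain and flags that pattern. The thresholds, and the use of /16 prefixes as a rough stand-in for "different networks", are assumptions to tune locally; the third sample domain shows why address diversity alone is not enough, since a legitimate CDN also answers with many addresses and short TTLs.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed passive-DNS observations (not real data):
# "<unix time> <query name> <ttl> <answer ip>", one A-record answer per line.
SAMPLE_LOG = """\
# a normal site: one address, day-long TTL
1190000000 stable-shop.example 86400 203.0.113.10
1190086400 stable-shop.example 86400 203.0.113.10
# CDN-style: short TTL, several addresses, but all in one provider block
1190000000 cdn-fronted.example 60 203.0.113.50
1190000060 cdn-fronted.example 60 203.0.113.51
1190000120 cdn-fronted.example 60 203.0.113.52
1190000180 cdn-fronted.example 60 203.0.113.53
1190000240 cdn-fronted.example 60 203.0.113.54
# flux-like: short TTL and answers scattered across unrelated networks
1190000000 fluxy-pharma.example 180 198.51.100.7
1190000180 fluxy-pharma.example 180 192.0.2.44
1190000360 fluxy-pharma.example 180 203.0.113.201
1190000540 fluxy-pharma.example 180 198.51.100.99
1190000720 fluxy-pharma.example 180 192.0.2.130
1190000900 fluxy-pharma.example 180 203.0.113.5
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # /16 blocks as a stand-in for distinct networks
    min_ttl: int = 2**31
    observations: int = 0


def parse_log(text: str) -> dict:
    """Aggregate per-domain address diversity and the smallest TTL seen."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, qname, ttl, ip = line.split()
        s = stats[qname]
        s.ips.add(ip)
        s.prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        s.min_ttl = min(s.min_ttl, int(ttl))
        s.observations += 1
    return dict(stats)


def is_fast_flux(s: DomainStats, max_ttl=300, min_ips=5, min_prefixes=3) -> bool:
    """Heuristic (thresholds are assumed, tune for your environment): short TTL,
    many distinct addresses, and those addresses spread over several unrelated
    networks. The last test separates a load-balanced CDN from a botnet of
    compromised home connections."""
    return (s.min_ttl <= max_ttl
            and len(s.ips) >= min_ips
            and len(s.prefixes) >= min_prefixes)


def flag_domains(text: str, **thresholds) -> list:
    """Names in the log that match the fast-flux heuristic, sorted."""
    return sorted(d for d, s in parse_log(text).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, s in parse_log(SAMPLE_LOG).items():
        print(f"{domain:22} ips={len(s.ips)} nets={len(s.prefixes)} "
              f"min_ttl={s.min_ttl} flux={is_fast_flux(s)}")
```

In production the per-domain counters would be kept over a sliding window rather than the whole log, and the prefix test would use ASN lookups instead of /16 blocks; the shape of the decision stays the same.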

Computer security expert Joe Stewart detailed the process by which compromised machines join the botnet: attempts to join the botnet are made by launching a series of EXE files on the computer system in question, in stages. Usually, they are named in a sequence from game0.exe through game5.exe, or similar. It will then continue launching executables in turn. They typically perform the following:

1. game0.exe – Backdoor/downloader
2. game1.exe – SMTP relay
3. game2.exe – E-mail address stealer
4. game3.exe – E-mail virus spreader
5. game4.exe – Distributed denial of service (DDoS) attack tool
6. game5.exe – Updated copy of Storm Worm dropper

At each stage the compromised system will connect into the botnet; fast flux DNS makes tracking this process exceptionally difficult. This code is run from %windir%\system32\wincom32.sys on a Windows system, via a kernel rootkit, and all connections back to the botnet are sent through a modified version of the eDonkey/Overnet communications protocol.


Conficker Worm

April 20th, 2009

About Conficker

On October 23, 2008, Microsoft released a critical security update, MS08-067, to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network “worms.” Since the release of MS08-067, the Microsoft Malware Protection Center (MMPC) has identified the following variants of Win32/Conficker:

* Worm:Win32/Conficker.A: identified by the MMPC on November 21, 2008
* Worm:Win32/Conficker.B: identified by the MMPC on December 29, 2008
* Worm:Win32/Conficker.C: identified by the MMPC on February 20, 2009*
* Worm:Win32/Conficker.D: identified by the MMPC on March 4, 2009**
* Worm:Win32/Conficker.E: identified by the MMPC on April 8, 2009

*Also known as Conficker B++
**Also known as Conficker.C and Downadup.C

What Happens on April 1, 2009?

Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.

Protecting PCs from Conficker

1. Apply the security update associated with MS08-067. View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.
2. Make sure you are running up-to-date antivirus software from a trusted vendor, such as Microsoft’s Forefront Client Security or Windows Live OneCare. Antivirus software may also be obtained from trusted third parties such as the members of the Virus Information Alliance.
3. Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. The Microsoft Active Protection Program (MAPP) provides partners with early access to Microsoft vulnerability information. For a list of partners and links to their active protections, please visit the MAPP Partners page.
4. Isolate legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
5. Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
6. Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 967715. Microsoft released Security Advisory 967940 to notify users that the updates to allow users to disable AutoPlay/AutoRun capabilities have been deployed via automatic updating channels.
NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 967715 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.

Cleaning Systems of Conficker

Manually download the Windows Malicious Software Removal Tool (MSRT) onto uninfected PCs and deploy to infected PCs to clean infected systems.

Conficker Timeline

* On November 21, 2008, the MMPC identified Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
* On November 25, 2008, the MMPC communicated information about Worm:Win32/Conficker.A through their weblog.
* On December 29, 2008, the MMPC identified the second variant, Worm:Win32/Conficker.B, and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
NOTE: Worm:Win32/Conficker.B can be successful against systems that have applied the security update associated with MS08-067.
* On December 31, 2008, the MMPC communicated information about Worm:Win32/Conficker.B through their weblog.
* On January 13, 2009, the MMPC included the ability to remove both Worm:Win32/Conficker.A and Worm:Win32/Conficker.B in the January 2009 release of the Windows Malicious Software Removal Tool and communicated information about this through their weblog.
* On January 22, 2009, the MMPC provided consolidated technical information about Worm:Win32/Conficker.B on their weblog.
* On February 12, 2009, the Microsoft Security Response Center (MSRC) released information about domains that Conficker-infected systems try to connect to. Microsoft also announced information on a partnership with technology industry and academic leaders designed to disable domains targeted by Conficker.
* On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide.
* On February 20, 2009, the MMPC provided technical information about Worm:Win32/Conficker.C on their weblog.
* On March 27, 2009, the MMPC provided more details about the new P2P functionality in Worm:Win32/Conficker.D on their weblog.


PC worm Conficker activates in bid to aid cybercriminals

April 14th, 2009

The Conficker virus, which has infected millions of computers around the world, is finally activating itself in a bid to become a money-making machine for cybercriminals.

Infected machines have started to update themselves and download a fake anti-virus program aimed at tricking users into paying for useless security software, security researchers said.

The virus may also be destined to be used by its cybercriminal creators to send millions of spam emails and steal passwords from infected computers by creating a “botnet” of “zombie” machines.

Ivan Macalintal, a Trend Micro advanced threats researcher, said Conficker began showing activity on Tuesday, a week after the expected April 1 activation date that had computer security experts on alert around the world. Infected machines were contacting each other to download new malicious software, he said.

“As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update,” Macalintal wrote in a post on the TrendLabs Malware blog. “The Conficker/Downad P2P communications is now running in full swing!” Researchers at Kaspersky Labs found that Conficker was downloading a fake $49.95 security scanner called Spyware Protect 2009, which may mean millions of Conficker-infected machines will start getting pop-up messages


Computer viruses hit one million

January 5th, 2009

The number of viruses, worms and trojans in circulation has topped the one million mark.

The new high for malicious programs was revealed by security firm Symantec in the latest edition of its bi-annual Internet Security Threat Report.

The vast majority of these programs have been created in the last twelve months, said Symantec.

Cyber criminals pump out malware to fool anti-virus programs which look for characteristics they have already seen.

Money game

The latest edition of the Symantec report covers the second half of 2007 during which time the security firm detected 499,811 new malicious code threats. This figure was up 136% on the first six months of 2007.

Throughout 2007 Symantec detected more than 711,912 novel threats which brings the total number of malicious programs that the security firm’s anti-virus programs detect to 1,122,311.

The report notes: “almost two thirds of all malicious code threats currently detected were created during 2007.”

The vast majority of these viruses are aimed at PCs running Microsoft Windows and are variants of already existing malicious programs that have proved useful to hi-tech criminals in the past.

Symantec said part of the rise was down to criminals increasingly using trojans as a “beachhead” to gain access to a PC and then use that route to download and install a variety of other malicious programs.

Popular malicious installations include key loggers that spring to life if particular websites are visited or programs, such as online games, are started up.

The report also put the growth in malicious code down to the increasingly professional digital criminal underground.

Typically, groups engaged in hi-tech crime employ groups of programmers to generate the novel variants.

The fact that these programmers expect to be paid drives the criminals to make as much money as possible out of the information they steal and to be constantly on the look out for new victims.

Said the report: “The combination of these factors results in a high volume of new malicious code samples that threaten users online.”


How to protect your computer from Virus Threat

January 2nd, 2009

Install and maintain anti-virus software
There are plenty of anti-virus software packages available. Some are free and some must be bought. This software checks for known viruses by scanning your computer periodically against its own virus database, which it updates from time to time. Most will also check incoming email for viruses, though you need to configure this. It is important to keep both the software and the virus database updated, since new viruses are discovered almost daily. At least once a week, check the vendor’s website to see if an update is available.
Symptoms
  • The PC usually becomes slow, as the virus consumes a lot of your hardware resources.
  • Files from your machine get detected as a virus by a virus scanner on some other machine.
  • Unusual behaviour of your machine.
  • A few files go missing and Windows system error messages pop up.
Remedy
  • Always scan a CD or a Floppy before copying the data into your machine.
  • Never download a suspicious file in the e-mail attachment before scanning it with an antivirus software.
  • Never accept executable files from someone on live chat service like messengers; if accepted, do remember to scan it before execution.
Links
AVG AntiVirus: http://free.grisoft.com/doc/1
Clam AntiVirus: http://www.clamwin.com
Install and maintain anti-spyware software
The biggest threats these days to your online privacy are the spyware and malware that get installed once you open suspicious sites, and that usually come bundled with free peer-to-peer software or many of the porn dialers.
Anti-spyware software is similar to anti-virus software: it detects known spyware and malware and tries to eradicate them safely from your system. There are many free anti-spyware packages available that a PC user should consider downloading.
Symptoms
  • Annoying popups while browsing.
  • Your browser’s default homepage changes without your doing anything.
  • Disabled task manager and registry tools.
Remedies
  • Do not open unknown sites, mostly warez, cracks, serials, and porn sites.
  • Do not open untrusted websites.
  • Do not download from unreliable peer-to-peer software, which is a growing source of infection these days.
  • Install anti-spyware software, update it at least once a week, and scan your system weekly to avoid and remove any infections.
Links
Search & Destroy SpyBot: http://www.safer-networking.org/
Keep your computer patched against known vulnerabilities
A vulnerability is a flaw in a piece of software, caused by improper programming, that gives an attacker a passage into your computer; an exploit is what takes advantage of it. You might have heard that Windows XP initially released Service Pack 1, then Service Pack 2 and finally Service Pack 3. You also have the option to update Windows via the Internet; this feature is nothing more than updating your current version of Windows to defend against all the known exploits and vulnerabilities.
Symptoms
  • There are no sure symptoms, as a vulnerability can lead to a hacking attack, a virus attack or a spyware attack on your system.
Remedy
  • Always opt for the official version of the operating system and other software.
  • Update your operating system from time to time.
  • Update any other software that has a discovered vulnerability.

Use of firewalls
A firewall, as the name suggests, is a wall that blocks hacking attacks on your machine. There are any number of attacks your system might face, among which the most common are DoS (Denial of Service), mail bombing, eavesdropping and phishing. Even though a firewall is considered a very advanced countermeasure against hacking, it cannot filter all phishing or social engineering attacks.
Symptoms
  • Your private data is in someone else’s hands; this means your machine might have been hacked.
  • You feel your machine, or more specifically your mouse, is being controlled by someone else.
  • You get disconnected from the net or your network speed drops significantly (this is mostly due to DoS attacks).
Remedy
  • Enable the Windows firewall available with Windows XP Service Pack 2.
  • You can also use one of the freeware firewall packages.
  • A proxy server is a very good option that should be adopted.
  • Unknown or untrusted software accessing your computer, or accessing the Internet from your computer, must be avoided.
Categories: Computer Virus, Network Security Tags: