Five of the Dirtiest Malware Tricks

March 8, 2008 – 7:01 PM

If the crooks behind viruses, Trojan horses, and other malicious software were as stupid as they are scummy, we’d have a lot less to worry about. But as protective measures get better at stopping the obvious attacks, online creeps respond with underhanded moves to invade your PC. Here are five of their dirtiest tricks, all based on Trojan horses.

Don’t mind me–I’m only here to break your PC: It’s like sending in a different scout each time to open the gate for the rest of the invaders. The “Glieder Trojan” and many others use a multistage infection process whose first step is a tiny program that the crooks can change constantly so your antivirus watchdog is less likely to recognize it. Once it gets in, the downloader tries to disable your security before pulling down the real payload, which could be a data stealer or anything else the attacker wants.

Locked and encrypted Web sites? No problem: Web sites can and should use secure socket layer (SSL) to encrypt and protect sensitive data such as bank account log-ins. (When a lock icon appears in the address bar, that indicates the site is using SSL.) But the “Gozi Trojan” and its ilk evade SSL protections by making Windows think they’re part of the process, so your data leaves IE and goes through Gozi before it’s encrypted and sent out on the network. Instead of spying on your keyboard, which many security programs watch for, these apps roll into the OS as fake layered-service providers (LSPs).
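As an added, defender-side example (not code from the PCWorld article or from any of the labs it cites), the script below audits a Winsock catalog dump for layered service providers whose DLL does not live in the Windows system directory, the kind of entry a fake LSP like the one described above leaves behind. It parses the text layout that `netsh winsock show catalog` prints on Windows; the catalog text embedded in the script is constructed for the example, and the trusted-directory rule is an assumption to tune per environment, since some legitimate LSPs from security or VPN vendors also install outside system32.

```python
"""Flag layered service providers (LSPs) loaded from outside the Windows
system directory in a `netsh winsock show catalog` dump.

Added example; the catalog text is constructed, not captured from a real
machine, and the directory allow-list is an assumption to tune per site.
"""
import re
from typing import Dict, List

# Constructed sample with the same "Key: Value" layout netsh prints.
# Entry 1001 is a base provider, 1020 a layered provider in system32,
# 1030 a layered provider in a user-writable directory.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Vendor Filter (constructed)
Provider Path:                      %SystemRoot%\\system32\\vendorlsp.dll
Catalog Entry ID:                   1020
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Accelerator (constructed)
Provider Path:                      C:\\Users\\Public\\netlayer.dll
Catalog Entry ID:                   1030
Protocol Chain Length:              0
"""

# Directories from which a layered provider is considered expected
# (assumption: extend with your own vendor paths after verifying them).
TRUSTED_DIR_PREFIXES = (
    "%systemroot%\\system32\\",
    "c:\\windows\\system32\\",
)

KEY_VALUE_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the dump into entries and read each 'Key: Value' line."""
    entries: List[Dict[str, str]] = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            match = KEY_VALUE_RE.match(line.strip())
            if match:
                entry[match.group(1).strip()] = match.group(2).strip()
        if entry:
            entries.append(entry)
    return entries


def suspicious_lsps(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return layered providers whose DLL path is outside the trusted dirs."""
    flagged = []
    for entry in entries:
        if entry.get("Entry Type") != "Layered Service Provider":
            continue
        path = entry.get("Provider Path", "").lower()
        if not path.startswith(TRUSTED_DIR_PREFIXES):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in suspicious_lsps(parse_catalog(SAMPLE_CATALOG)):
        print(f"suspicious LSP {entry['Catalog Entry ID']}: "
              f"{entry['Description']} -> {entry['Provider Path']}")
```

On a real machine, save the output of `netsh winsock show catalog` to a file and pass its contents to `parse_catalog`; a flagged entry is a lead to investigate (hash the DLL, check its signer), not proof of infection on its own.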

Malware that scans your PC for malware: An extra antivirus scan can only be a good thing, right? Not when it just gets rid of rivals to the “SpamThru Trojan.” This nasty introduced a pirated, pared-down version of Kaspersky AntiVirus (which Kaspersky has since shut down) to delete other malware so it could have the victim PC to itself to use as a spam sender. If the PC had a real antivirus app, SpamThru would attempt to block its updates, preventing it from identifying new threats.

Equal-opportunity encryption: Encrypting sensitive data and protecting it with a password helps shield it from prying eyes. But the “SpyAgent Trojan” enters the encryption game, too. When installed on a Windows PC with the Encrypting File System (which is included in Windows 2000, XP Pro, 2003 Server, and 2005 Media Center), SpyAgent establishes its own administrator-level user account and uses this account to encrypt its files. You–or your antivirus software–would have to guess the account’s random password to decrypt and scan the malicious files to confirm they weren’t supposed to be there.

Hi, firewall. I’m Windows Update. Honest: Firewalls protect computers and networks from bad guys’ efforts to go in or out. So the “Jowspry Trojan” masquerades as something known and approved–Windows Update. The crafty malware makes its connections look like the Background Intelligent Transfer Service used by Windows Update, and unsuspecting firewalls let it download more attack programs to your PC.

To pull off these sneaky ploys, malware first has to get on your PC. If you keep Windows and other programs up-to-date, avoid opening attachments or clicking links in unsolicited e-mail, and use a good antivirus program, you won’t give the crooks a chance to put their Trojan horses to work.

Descriptions based on research and analysis from Peter Gutmann at the University of Auckland, Craig Schmugar and Aditya Kapoor at McAfee’s Avert Labs, and Joe Stewart at SecureWorks.

http://www.pcworld.com/article/id,137364/article.html?tk=nl_dnxnws

Faster USB 3.0 Is Coming

March 8, 2008 – 7:01 PM

Intel and other companies have formed a group to promote the USB 3.0, which should deliver more than ten times the speed of the existing USB 2.0 standard.

The third-generation Universal Serial Bus interconnect will transfer data at speeds up to 4.8Gbit/s, ten times faster than USB 2.0’s 480Mbit/s. It will be backwards-compatible with USB 2.0, which is backwards-compatible with the first USB 1.1 definition.

Intel stated that the USB 3.0 specification would be optimized for low power and improved protocol efficiency. The USB 3.0 ports and cabling will be designed with both copper and optical cable capabilities, meaning even higher speeds will be possible in the future.

The USB Implementers Forum (USB-IF) will act as the trade association for the USB 3.0 specification.

There is also a Wireless USB (WUSB) transfer format and this operates at 480Mbit/s, the same as USB 2.0, in its 1.0 incarnation. Intel also revealed a WUSB 1.1 interconnect format, operating at a speed of up to 1Gbit/s.

Jeff Ravencraft, Intel’s technology strategist, said: “The digital era requires high-speed performance and reliable connectivity to move the enormous amounts of digital content now present in everyday life. USB 3.0 will meet this challenge while maintaining (USB 2.0’s) ease-of-use experience.”

http://www.pcworld.com/article/id,137551/article.html?tk=nl_dnxnws

Windows Vista Service Pack 1 Revealed

March 8, 2008 – 7:00 PM

With Windows Vista Service Pack 1 (SP1), now due in the first quarter of 2008, Microsoft is deemphasizing the role that service packs play in the ongoing updating and maintenance of its operating systems. That is, Vista SP1 will be a traditional service pack, collecting previously-issued updates into a single installation, and including few new end user features. It will, however, improve the Vista experience in a number of ways and include new device drivers and other improvements. There are a number of reasons for this de-emphasis of service packs with Vista SP1. Most customers of Microsoft’s latest OS releases have pervasive Internet connections and regularly update their systems automatically via the company’s numerous online updating services, which we might collectively think of as Microsoft Update. (These services include Microsoft Update, Windows Update, Office Update, Automatic Updates, Windows Server Update Services, the Microsoft Download Center, and others.) And thanks to new updating mechanisms in Vista itself, Microsoft can drive improvements to customers more quickly than via service packs.

These improvements are delivered in a variety of ways and include such things as security updates, new versions of built-in Vista applications (like Windows Mail/Windows Live Mail and Windows Photo Gallery/Windows Live Photo Gallery), new functionality (such as Windows Mobile synchronization via Windows Mobile Device Center), new and updated device drivers, and other system updates (such as the recently released Vista performance and reliability updates). Even Windows Ultimate Extras can be thought of as simply another avenue for deploying new features to Windows users. (Though of course the Extras are delivered via Windows Update.)

Improvements to Vista are driven by customer feedback and Vista’s built-in (and opt-in) Windows Error Reporting (WER) tool and the related Customer Experience Improvement Program (CEIP) and Online Crash Analysis (OCA) services. Thanks to these tools, Microsoft and its hardware and software partners can drive the most-needed improvements directly back into Vista much more quickly than was possible in the past. Thus, as new drivers, security fixes, application compatibility fixes, and other software updates are delivered electronically to customers, Vista gets better and better over time. Previously, customers would have to wait for monolithic service packs, released irregularly and often over long periods of time, to get these improvements.

Microsoft points out two major and recent examples of these types of fixes, which have indeed dramatically improved the Vista experience. Earlier this month, the company issued two reliability and performance updates for Windows Vista. Had the company followed its deployment schedule for previous OS releases, Vista customers wouldn’t have gotten these fixes until SP1.

What is Windows Vista SP1?

With that perfunctory background information out of the way, you’re probably eager to find out what, exactly, is Windows Vista Service Pack 1. Certainly, there’s cause for curiosity. Despite briefing me last year that Windows Vista SP1 would be released alongside Windows Server 2008 and would include a major kernel update, Microsoft subsequently launched a publicity campaign aimed at fooling customers into believing that the company hadn’t yet even decided whether it would ever release SP1. Indeed, I sat and watched, twice, as Microsoft CEO Steve Ballmer publicly appeared confused about the mere mention of SP1, and he denied, both times, that the company was working on that release. The rationale for this decision, however dubious it may be, is that Microsoft was (and still is) quite concerned that its business customers will hold off on deploying Vista until SP1 is complete. That’s because business customers have historically waited on the first service pack before deploying any major Microsoft OS release.

What’s ironic about all this, of course, is that there’s not much to say about SP1. After all the silence, evasiveness, and outright lies, Microsoft this week announced pretty much what I’ve been saying all along (which makes sense, since I got this information from the company in a one-on-one briefing): Yes, Windows Vista SP1 is in active development and will be released concurrently with Windows Server 2008, currently expected sometime in the first quarter of 2008. (There was no mention of the kernel update, however, so I’ll keep digging.)

So here’s what you can expect in Windows Vista SP1.

Quality improvements

As with previous Windows service packs, Windows Vista SP1 will include all of the previously released updates for Windows Vista, including all security, reliability, and performance improvements. Many of these improvements were driven by customer requests and the WER, as noted above.

Microsoft says it will make the following quality improvements in Vista SP1.

Security improvements include previously-announced changes to Windows Security Center that will allow third-party security software makers to more effectively communicate with and replace Microsoft’s security dashboard with their own solutions, new APIs aimed at helping security software makers work with the Kernel Patch Protection feature in 64-bit versions of Vista (also previously announced), changes to RemoteApp and the Remote Desktop Protocol (RDP), the addition of a new Elliptic Curve Cryptography (ECC) pseudo-random number generator (PRNG), and a change to BitLocker Drive Encryption that adds an optional multifactor authentication method combining keys protected by a TPM hardware module, a Startup Key stored on a USB memory key device, and a user-generated personal identification number.

Reliability. For reliability, Vista SP1 will include better reliability and compatibility with newer graphics cards, improved reliability when using notebook computers with an external display, improved networking configuration reliability, improved reliability of systems that are upgraded from XP to Vista, better compatibility with many printers, and increased reliability and performance when entering and resuming from sleep mode.

Performance. Vista SP1 adds a number of performance improvements as well by increasing the speed of copying and extracting files, increasing the performance of Hibernate and Resume, increasing the performance of domain-joined PCs when working offline from the domain, improving the performance of Internet Explorer (IE) 7 by reducing CPU utilization and speeding JavaScript parsing, improving battery life on certain mobile systems by reducing screen redraws and thus CPU utilization, increasing the performance of the CTRL+ALT+DEL logon dialog, and improving the performance of browsing network file shares.

Administrative improvements

Vista SP1 will include a number of changes aimed at the system administrators who deploy, support, and maintain Vista-based systems. These changes include:

BitLocker Drive Encryption. In the initial version of Vista, BitLocker could only automatically encrypt the C: drive. Now, in SP1, BitLocker can also optionally encrypt other drive volumes (D:, E:, and so on), as is possible with Windows Server 2008.

Terminal Service printing. Local printing from a Windows Terminal Services session will be improved.

Network Diagnostics. Windows Vista SP1 will add a new version of the Network Diagnostics tool that will also help administrators and end users diagnose common file sharing problems. (Available from the Diagnose and Repair link in Network and Sharing.)

Disk Defragmenter. The built-in Disk Defragmenter service will be updated so that customers can configure exactly which volumes are automatically defragged.

Group Policy. Vista SP1 will include a number of Group Policy (GP) changes. Most controversially, the Group Policy Management Console (GPMC) will be uninstalled so that the GPEdit management console can be used to manage local policies. Microsoft will also ship a tool before SP1 that will let admins add comments to Group Policy Objects (GPOs) and individual GP settings.

Support for new hardware and standards

Since Windows Vista shipped in early 2007, a number of emerging new hardware types and international standards have emerged. SP1 will address these changes by adding support for them to Windows Vista. They include:

Extended FAT (exFAT) file system. A future standard for flash memory storage and consumer-oriented mobile devices. Based on FAT, exFAT adds support for longer file names and other improvements.

Secure Digital (SD) Advanced Direct Memory Access (DMA). This update to SD technology improves transfer performance while decreasing CPU utilization. It will require SD DMA-compliant host controllers.

EFI network booting on x64 systems. In the initial shipping version of Windows Vista, 64-bit (x64) versions of the OS could boot on EFI-compliant PCs, which replace ancient BIOS technology with a more modern solution. With SP1, EFI-based x64 Vista systems can also support network boot, a feature that was previously available only on 32-bit (x86) Vista versions on BIOS-based PCs.

DirectX 10.1. Vista SP1 will support Microsoft’s latest multimedia and gaming libraries.

Secure Socket Tunneling Protocol (SSTP). Vista SP1 will add support for the SSTP remote access tunneling protocol.

Other details about Vista SP1

As you can see reading through the list above, SP1 will not dramatically impact your day-to-day usage of Vista, though it will of course add many desirable low-level improvements. This is in keeping with Microsoft’s traditional view of service packs, though nothing like Windows XP Service Pack 2 (SP2, see my review), which of course should be viewed as a major Windows release and not a simple service pack, despite the name. (Credit ex-Microsoft exec Jim Allchin for this: Mr. Allchin felt that Microsoft could have simply issued SP2 as a new version of Windows XP, but wanted to get it out to customers for free and thus decided to ship it as a service pack.)

What this means is that Vista SP1 will look, feel, and quack (er, ah, act) like a service pack. It will feature only minor changes to the Vista user interface, and will impact (in a negative sense) application compatibility in only minor ways as well. It will be a relatively small download–Microsoft estimates the Express download will be about 50 MB–when compared to the overall size of Vista. This 50 MB download is just 2 percent the overall size of Vista. (Windows 2000 SP4, at 15 MB, was about 3 percent the size of Windows 2000.)

Final thoughts

While Microsoft’s continued requests for businesses to not wait for SP1 before deploying Windows Vista may seem self-serving, this week’s revelations about the feature set of the service pack suggest that this advice is sound. Windows Vista SP1 looks like a solid and necessary update, but it will not dramatically impact the end user at all. If you’re a Windows enthusiast, Vista SP1 is more a curiosity than something to get excited about. It will not include anything interesting or compelling, in an end user sense, such as a new Media Center version. (Which is also overdue, incidentally.) Hopefully, this will end the speculation. I only wish Microsoft had been this upfront about SP1 months ago. It’s been a long time coming.

–Paul Thurrott
August 29, 2007

http://www.winsupersite.com/showcase/winvista_sp1.asp

Trojan on Monster.com Steals Personal Data

March 8, 2008 – 6:59 PM

A new Trojan is successfully attacking online recruiting sites and already has accessed data on hundreds of thousands of users, researchers said last Friday.

Researchers from Symantec and SecureWorks separately reported finding surprisingly effective penetrations by the new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Website, Monster.com. Other versions of the Trojan, which is a variant of the Prg Trojan, were also found to be attacking other online job sites.

Interestingly, Monster.com and a security business partner, Cyveillance, warned the industry about increasing attacks on recruiting sites less than a month ago. (See Help Wanted: ID Theft Victims.)

The new Trojan, which is usually delivered via phishing messages that Monster.com and Cyveillance warned users about, has allowed attackers to collect as many as 1.6 million pieces of data affecting “several hundred thousand” users on Monster.com alone, according to Symantec. Working independently, SecureWorks last Friday reported finding at least a dozen caches of personal information, totaling about 100,000 identities.

“The Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the [Monster.com] Website and perform searches for resumes of candidates located in certain countries or working in certain fields,” Symantec says in its blog. “The Trojan sends HTTP commands to the Monster.com Website to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.”

The personal data is then extracted from the resumes and uploaded to a remote server, Symantec says. The Symantec researchers found all of the 1.6 million pieces of compromised data on a single server, but SecureWorks found at least a dozen smaller caches, so the number of users affected likely is higher than either of the research teams has reported so far.
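As an added detection-side example (not code from Monster.com, Symantec or SecureWorks), the script below shows one way a job site could notice the abuse pattern Symantec describes: a recruiter account whose saved searches are being driven by a script rather than a person. It works from a constructed activity log whose layout and thresholds are assumptions; each account's resume views are checked in a sliding one-hour window for a volume no human recruiter reaches and for access from several source addresses at once.

```python
"""Spot recruiter accounts whose resume-viewing pattern looks automated.

Added example, not code from Monster.com, Symantec or SecureWorks. The log
format and the thresholds are assumptions; the log lines are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Assumed log layout: one event per line, ISO timestamp then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) ip=(?P<ip>\S+)$"
)


def build_sample_log() -> List[str]:
    """Constructed activity log: one normal recruiter, one abused account."""
    base = datetime(2007, 8, 17, 9, 0, 0)
    lines = []
    # Normal use: 12 resume views over three hours from a single office IP.
    for i in range(12):
        ts = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} user=hr_legit action=resume_view ip=198.51.100.10")
    # Scripted use of stolen credentials: 240 views in 20 minutes, three IPs.
    for i in range(240):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        ip = ("203.0.113.7", "203.0.113.8", "203.0.113.9")[i % 3]
        lines.append(f"{ts} user=hr_stolen action=resume_view ip={ip}")
    return lines


def parse_log(lines: Iterable[str]) -> List[dict]:
    """Turn matching lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def flag_accounts(events: List[dict], window: timedelta = timedelta(hours=1),
                  max_views: int = 100, max_ips: int = 2) -> Dict[str, List[str]]:
    """Sliding-window check per account: too many views or too many IPs."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "resume_view":
            by_user[ev["user"]].append(ev)
    flagged: Dict[str, set] = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()       # events inside the current window
        ips = Counter()        # source addresses seen inside the window
        for ev in evs:
            recent.append(ev)
            ips[ev["ip"]] += 1
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                ips[old["ip"]] -= 1
                if ips[old["ip"]] == 0:
                    del ips[old["ip"]]
            if len(recent) > max_views:
                flagged[user].add("views_over_limit")
            if len(ips) > max_ips:
                flagged[user].add("multiple_source_ips")
    return {user: sorted(reasons) for user, reasons in flagged.items()}


if __name__ == "__main__":
    for user, reasons in flag_accounts(parse_log(build_sample_log())).items():
        print(f"{user}: {', '.join(reasons)}")
```

A flagged account is a candidate for the credential reset and lockout the researchers describe, not an automatic ban: the thresholds have to be calibrated against real recruiter behaviour, and a large agency that shares one login may legitimately show several addresses.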

“Such a large database of highly personal information is a spammer’s dream,” Symantec says. “In fact, we found the Trojan can be instructed to send spam email using a mail template downloadable from the command and control server.”

The latest exploit is not the first instance of a Trojan attacking Monster.com, Symantec reports. “The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by Trojan.Gpcoder.E, and both also have a similar icon for the executable file that reproduces the Monster.com company logo. [This is] hardly a coincidence.”

“Furthermore, Trojan.Gpcoder.E has reportedly been spammed in Monster.com phishing emails,” Symantec says. “These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E.

“This Trojan will encrypt files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files” Symantec explains. “The code for Gpcoder is rather similar to that of Monstres, which may indicate the same hacker group is behind both Trojans.”

The researchers say they have informed Monster.com of the exploits so that the presumably-stolen recruiter accounts can be shut down. In the meantime, they advise users not to put personal information — such as Social Security numbers — into their online job postings. Users should not give out this sort of data until they have established that a potential employer is legitimate, they say.

http://www.darkreading.com/document.asp?doc_id=131953

Evil Javascript mutates to evade detection

March 8, 2008 – 6:59 PM

Hackers have hit on a new technique for invading desktop computers via compromised websites, while avoiding anti-virus detectors, according to the SANS Institute.

SANS’ Internet Storm Center (ISC) said on Thursday it has come across the attack on a compromised website, where an iframe was used to deploy various pieces of malicious code via Javascript. Iframes allow content from one website to be embedded in another website.

This technique in itself isn’t new, but researchers found that the server deploying the malicious Javascript was heavily modifying it – “obfuscating” it – so as to be undetectable by antivirus detectors, the ISC said. Moreover, the obfuscations were generated randomly and on the fly, according to ISC handler Bojan Zdrnja.

“What makes this new is that the hosting website generates this code dynamically,” he wrote in an analysis. “Every time you request this web page it will use completely random names for all variables and functions… changing variable and function names even causes the payload information to change.”

The technique makes the script code effectively undetectable by common types of malware scanners, Zdrnja said.

“Such heavy obfuscation makes signature-based detection much more difficult, if not impossible,” he wrote. None of the anti-virus programs Zdrnja tested were able to detect the modified code.
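The detection problem Zdrnja describes, as an added example that is not part of the Techworld article or the ISC diary: a byte-level signature cannot match a script whose variable and function names change on every request, but a fingerprint computed over the script's structure, with identifiers replaced by placeholders numbered by first appearance and string literals replaced by a marker, is the same for every renamed variant, even when the payload string changes with the names. The three scripts below are constructed, benign stand-ins with the same shape as such a loader; the tokenizer is a simplified one written for the example (it does not handle comments, regex literals or template strings), and the set of host names kept verbatim is an assumption.

```python
"""Structural fingerprint for JavaScript that changes its identifier names.

Added example; the scripts are constructed and the tokenizer is a
simplified one (no comments, regex literals or template strings).
"""
import hashlib
import re

# Reserved words are kept as they are: they carry structure, not noise.
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for",
    "while", "do", "new", "this", "typeof", "in", "true", "false", "null",
    "break", "continue", "try", "catch", "throw",
}
# Host/builtin names kept verbatim so the fingerprint still records what
# the script touches (assumption: extend with the APIs you care about).
KEEP_VERBATIM = {"document", "window", "write", "eval", "unescape", "String",
                 "fromCharCode", "location", "navigator"}

TOKEN_RE = re.compile(r"""
      (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
    | (?P<num>\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
    | (?P<punct>[{}()\[\];,.=+\-*/%<>!&|?:^~])
    | (?P<ws>\s+)
""", re.VERBOSE)


def normalize(script: str) -> str:
    """Rewrite identifiers as ID0, ID1, ... in order of first appearance and
    collapse string and number literals, leaving keywords and punctuation."""
    names = {}
    out = []
    for m in TOKEN_RE.finditer(script):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "str":
            out.append("STR")
        elif kind == "num":
            out.append("NUM")
        elif kind == "ident":
            if text in JS_KEYWORDS or text in KEEP_VERBATIM:
                out.append(text)
            else:
                out.append(names.setdefault(text, f"ID{len(names)}"))
        else:
            out.append(text)
    return " ".join(out)


def fingerprint(script: str) -> str:
    """SHA-256 over the normalized token stream, not over the raw bytes."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()


def same_family(a: str, b: str) -> bool:
    return fingerprint(a) == fingerprint(b)


# Constructed variants: same loader shape, different names and payload string.
VARIANT_A = """
var k1 = "hello";
function dec(s) { return unescape(s); }
document.write(dec(k1));
"""
VARIANT_B = """
var qwerty9 = "world";
function x_1(p) { return unescape(p); }
document.write(x_1(qwerty9));
"""
UNRELATED = """
var msg = "hello";
document.write(msg);
"""

if __name__ == "__main__":
    raw_equal = (hashlib.sha256(VARIANT_A.encode()).hexdigest()
                 == hashlib.sha256(VARIANT_B.encode()).hexdigest())
    print("raw hashes equal:", raw_equal)                         # False
    print("structural match:", same_family(VARIANT_A, VARIANT_B))  # True
    print("unrelated match:", same_family(VARIANT_A, UNRELATED))   # False
```

The fingerprint targets the loader, which is the part that keeps its shape, rather than the encoded payload, which the diary notes varies with the names; in practice such fingerprints complement, rather than replace, behavioural detection in the browser or sandbox.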

The code contains what Zdrnja called a “typical” set of exploits, making use of known vulnerabilities in ADODB, QuickTime, WinZip and other software.

The code also included a less well-known, but highly pernicious exploit for the NCTAudioFile2 ActiveX control, Zdrnja said.

“A fully working exploit was publicly released in April, and what’s worse is that the affected ActiveX control is delivered with dozens of popular audio/video applications,” Zdrnja wrote.

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=9703