DECEMBER 2004
The International Publication on Computer Virus Prevention, Recognition and Removal
CONTENTS IN THIS ISSUE
2 COMMENT DEAR SANTA ... Spammer baby, slip a Rolex under the What do you get a spammer for Christmas? Graham tree, for me … Cluley looks back at a year that has seen the arrests 3 NEWS of more Internet criminals than ever before – and provides a couple of suggestions for Santa. Season’s greetings page 2 Academic research journal FBI’s virus blunder SNAIL’S PACE
3 VIRUS PREVALENCE TABLE Was the 3,000 rouble fine given to 29A virus writer Eugene Suchkov (aka ‘Whale’) last month a fitting 4 VIRUS ANALYSIS penalty for creating viruses? VB doubts it, but make Look at that escargot up your own mind after you’ve read Peter Ferrie’s analysis of one of Suchkov’s creations: the FEATURES Microsoft .NET-infecting Gastropod. 5 Are metamorphic viruses really invincible? page 4 Part 1 8 How ‘dare’ you call it spyware! CALLING ALL SPEAKERS Virus Bulletin is seeking submissions 13 BOOK REVIEW from those wishing to present at Dictionary definitions VB2005 in Dublin – so set aside some time between the season’s festive parties to 14 LETTERS get writing! 15 PRODUCT REVIEW page 19 Trend Micro PC-cillin Internet Security 2005
18 ERRATA
19 CALL FOR PAPERS VB2005 Dublin This month: anti-spam news & events; spam on 20 END NOTES & NEWS mobile devices; ASRG summary. ISSN 0956-9979 ‘2004 saw the malware-making cyberbabe. Whether her court case results in conviction remains to be seen – the authorities image of the are challenged to discover if her seldom seen in-the-wild virus writer change viruses caused damage or whether she incited others to once and for all, cause mischief. Sven Jaschan, the German lad who admitted to having and take a more written the Sasser and Netsky worms, will be spending sinister shape.’ Christmas wondering about his fate in the new year too. The recent announcement that he has started working for a firewall company may play well to those who wish Graham Cluley, Sophos, UK to hear he is rehabilitating, but it leaves a nasty taste in the mouth for those who believe the firm may have SPAMMER BABY, SLIP A ROLEX employed him purely as a publicity stunt. UNDER THE TREE, FOR ME … Jaschan was extraordinary. Not in the way we would wish anyone to be proud of, but astonishing in terms of What do you give a spammer for Christmas? The the impact his worms had during 2004. Over 70 per cent question struck me the other day and set my mind of the virus incidents sighted in the first half of 2004 wandering. After all, they have all the septic tanks, fake were written by the German teenager. His worms degrees, imitation luxury watches and herbal, er, pick- continue to spread and infect innocent users to this day, me-ups they could ever need – even medication for that and have had a bigger impact on computer users than painful Boxing Day hangover. other names from the chamber of horrors: ILOVEYOU, For those like email con man Nick Marinellis, who Anna Kournikova, Sircam, Nimda and Blaster. defrauded millions of dollars from Internet users who But 2004 saw the image of the virus writer change once thought they’d won the lottery, a file hidden inside a and for all, and take a more sinister shape. Sophos’s global Christmas cake may be the most they can hope for – network of laboratories has seen a marked shift in the Marinellis has been sentenced to at least four years motives behind the viruses written in the last 12 months. behind bars. In February 2004, the MyDoom worm launched a denial In fact, 2004 has been remarkable for having seen the of service attack against SCO’s website, forcing the arrests of more virus writers, spammers and other company to switch to another domain name for several Internet villains than ever before. There may be more weeks and to offer a $250,000 reward for information crime on the net than at any point in its history, but the leading to the conviction of the worm’s author. Other authorities are at least having some success. attacks were equally sinister as viruses (written, Belgian teenager Kim Vanvaeck courted the media for presumably, with active encouragement from the years under her nom de plume Gigabyte of the spamming community) targeted the websites of Metaphase virus-writing gang. You can still find her anti-spam organisations, trying to make them less effective. guestbook online where lonely teenage boys post love Every month it becomes more obvious that a prime letters, imagining her to be just as the newspapers, radio motivation for writing viruses today is to steal information and television stations portrayed her – a Lara Croft-style and resources from infected computers, and create networks of zombie computers that can be used to launch new virus attacks, a spam campaign or denial of service attacks. Never have those behind virus attacks been better organised or more serious in their criminal intentions. If you want to give a virus writer or a spammer something for Christmas, give them a hard time. Make sure your computer, and those of your friends and family, are properly protected with automatically updating anti-virus software, properly configured firewalls and the latest Microsoft security patches. Do something good this holiday season by ensuring that the spammers and virus writers find it more difficult to exploit innocent computers in 2005. VIRUS BULLETIN www.virusbtn.com
NEWS
SEASON’S GREETINGS Prevalence Table – October 2004 The VB team wishes all Virus Bulletin readers a Virus Type Incidents Reports very happy Christmas Win32/Netsky File 148,405 74.35% and a prosperous new year. Continuing the Win32/Bagle File 42,291 21.19% custom of making Win32/Bagz File 1,339 0.67% charitable donations in Win32/Zafi File 1,138 0.57% lieu of sending Christmas Win32/Mabutu File 963 0.48% cards, VB’s donations for Christmas 2004 will be Win32/Funlove File 930 0.47% made to The International Win32/Dumaru File 842 0.42% Cheers! Season’s greetings Committee of the Red from the Virus Bulletin Win32/Mydoom File 686 0.34% Cross (http://www.icrc.org/) team (clockwise from top Win32/Klez File 495 0.25% and the WWF left): Helen, Matt, (http://www.wwf.org/). Bernadette and Tom. Win32/Lovgate File 364 0.18% Win32/Valla File 312 0.16% Win32/Bugbear File 208 0.10% ACADEMIC RESEARCH JOURNAL Win32/Mimail File 193 0.10% October saw the announcement and first call for Win32/Swen File 177 0.09% papers of the European Research Journal in Computer Virology – a twice-yearly independent Win32/MyWife File 161 0.08% scientific journal dedicated to computer virus and Win32/Elkern File 104 0.05% anti-virus technologies. The aim of the journal is to Win32/Parite File 102 0.05% promote constructive research in computer Redlof Script 95 0.05% virology. All papers submitted will undergo peer review and those accepted will be published within Win32/Fizzer File 79 0.04% a year of submission. For more information contact Win32/Mota File 78 0.04% the editor-in-chief, Eric Filiol ([email protected]). Win95/Spaces File 71 0.04% Win32/Kriz File 67 0.03% FBI’S VIRUS BLUNDER Win32/Yaha File 67 0.03% It has come to light that a virus infection nearly Win32/Hybris File 59 0.03% blew the cover on a secret FBI fraud investigation Win32/Magistr File 34 0.02% two years ago. Win95/Tenrobot File 33 0.02% The FBI had been investigating Dr Rafil Dhafir, Win32/BadTrans File 26 0.01% who was suspected of breaking US sanctions Win32/Plexus File 25 0.01% against Iraq. Shortly after the FBI began monitoring Win32/Evaman File 23 0.01% Dr Dhafir’s email, however, the Bureau’s computer system became infected with Klez.h, causing an Win32/Nachi File 17 0.01% email to be sent from the FBI to their suspect. Win32/Sobig File 17 0.01% Understandably concerned that Dhafir might become Win32/Nimda File 14 0.01% suspicious, the FBI investigators sent him a second Others[1] 48 0.10% email, creating an elaborate ruse to try to convince him that they were investigating the virus – even Total 199,611 100% encouraging him to call the Bureau if he had any problems. Luckily for the investigators Dhafir [1]The Prevalence Table includes a total of 196 reports across seemed to fall for the trick and he was arrested ten 48 further viruses. Readers are reminded that a complete listing is posted at http://www.virusbtn.com/Prevalence/. months later. One hopes that rather more robust IT security mechanisms are now in place at the Bureau.
DECEMBER 2004 3 VIRUS BULLETIN www.virusbtn.com
VIRUS ANALYSIS LOOK AT THAT ESCARGOT detects if a file is already infected. The infection marker can only be found by opening each file and examining Peter Ferrie each method corresponding to each type that is stored Symantec Security Response, USA within each module. The file is considered to be infected if any type and length of a method matches that of the In 2003 I wrote ‘A recompiling virus virus itself. like W95/Anxiety, but without If the file is not already infected, the virus will construct a needing the source code, combined list of types, marking those that can be renamed safely. with an inserting virus like Fortunately, the virus will rename only its own classes and W95/ZMist, but without rebuilding methods. If the current method being examined is the the file manually ... The beast is entrypoint method, then the virus will place its classes at unleashed’ (see VB, April 2003, p.5). the top of the list, before adding those of the host. Now, hot on the heels of MSIL/Impanate (see VB, November 2004, p.6), which was the first GARBAGE MAN inserting virus for the .NET platform, comes Once the list is complete, the virus disassembles both itself MSIL/Gastropod, which brings the full set of techniques and the host, using the well-known ILReader.dll utility, one step closer. which is carried by the virus. The virus appends this DLL to the host during replication, which accounts for nearly 60kb DO NOT PASS ‘GO’ of the total infection size. Gastropod begins by calling a method named ‘Go’, which The disassembly is used by the virus to insert garbage calls another method, which calls two other methods, instructions throughout the code of itself and the host. The which … The virus appears to have been written by garbage instructions are either a NOP (with 20 per cent someone who has been introduced to classes in C#, and has chance), or a LDLOC and POP combination (with 10 per embraced them with such enthusiasm that every few lines cent chance, and only if the current method contains local of code are candidates for a method. It is rather like the variables). saying, ‘when all you have is a hammer, everything looks If the LDLOC instruction is used, then the virus will choose like a nail’. the index randomly from the local variables of the current This virus searches the current directory, and all parent method. The virus also removes these instructions if they directories, for files whose suffix is ‘exe’. For each file it are found during the disassembly process. finds, Gastropod checks if a file exists with the same name, It is unclear why the virus detects and removes those but preceded by an ‘_’ (underscore). If such a file does not instructions, but one possible explanation is that this is exist, then the virus attempts to rename the original file to an artifact from the development of the metamorphic this name. The renamed file will be used as a backup in case engine, prior to the addition of the virus body – since the infection fails for some reason, however the virus will legitimate programs usually do not contain such instruction delete the file if the infection is successful. sequences. If that is the case, that means that Gastropod VB There are several bugs in the handling of files, often shares some similarities with W95/ZMist (see , March resulting in the virus exiting with errors, claiming that the 2001, p.6), which contained a routine that inserted ‘_[filename]’ file cannot be found, or that a file cannot be redundant JMP instructions into the host, without adding created because it exists already. the virus body.
DUE PROCESS UNEXCEPTIONAL The virus is aware of the exception handling mechanisms in Gastropod was named ‘Snail’ MSIL, and handles them mostly correctly – however not by its author, because of the everything goes according to plan. slow speed with which it executes. Of course, this is There are a number of bugs in the parsing, resulting in not helped by the poor coding always duplicating ‘endfinally’ instructions, and producing style of the virus author, but unreachable (and, in some cases, incorrect) ‘leave’ an additional slowing factor is the way in which the virus instructions. These are things that would have been obvious
4 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
FEATURE 1 to a tester, since they are visible in the sample that the virus ARE METAMORPHIC VIRUSES author released. REALLY INVINCIBLE? PART 1 This also makes it extremely difficult to restore a file to its state prior to infection. To complicate matters further, the Arun Lakhotia, Aditya Kapoor and Eric Uday Kumar virus extracts the managed resources from the host and University of Louisiana at Lafayette, USA stores them externally, in a file whose name is the same as the host, with ‘.resources’ appended. Finally, if the host In the game of hide and seek, where a virus tries to hide and contained unmanaged resources, the virus will move the AV scanners try to seek, the winner is the one that can take resources to the end of the file, and place them in a newly advantage of the other’s weak spot. So far, the viruses have created section that is always named ‘.rsrc’. enjoyed the upper hand since they have been able to exploit If the entrypoint method ends with a ‘ret’ instruction, then the limitations of AV technologies. the virus inserts code to abort the thread. This prevents Metamorphic viruses are particularly insidious in taking the process from hanging around in memory, instead of such advantage. A metamorphic virus thwarts detection by terminating, and waiting for the virus code to complete, signature-based (static) AV technologies by morphing its which would be suspicious to some users. A similar problem code as it propagates. The virus can also thwart detection exists for Win32 viruses that hook the ExitProcess() API of by emulation-based (dynamic) technologies. To do so it a host. needs to detect whether it is running in an emulator and After disassembling the virus code and the host code, the change its behaviour. virus renames its classes and methods. The renaming is So, are metamorphic viruses invincible? done using 6–15 letters, with a 12.5 per cent chance of an upper case letter. The virus avoids renaming the ‘Go’ method though, since the way in which the virus inserts the INTRODUCTION code into the host’s Main method results in a hard-coded When you consider all the tricks that a virus writer can method name. use to break AV scanners, metamorphic viruses, such as Win32/Evol, Metaphor (aka W32/Simile, see VB, May 2002, p.4) and W95/Zmist (see VB, March 2001 p.6), CONCLUSION appear invincible. These viruses transform their code as The acceptance of the .NET platform has been slow so they propagate, thus evading detection by analysers that far, but it is increasing, and the complexity of viruses for rely on static information extracted from previously that platform has already progressed much further, in a observed virus code. The viruses also use code obfuscation much shorter time, than was the case for earlier Windows techniques to hinder deeper static analysis. Such viruses versions. can also beat dynamic analysers by altering their behaviour when they detect that they are executing in a controlled The full potential of the platform has not yet been realised environment. by virus writers, but it is clear that they are working hard to reach that goal. We have received the warning, and our Lakhotia and Singh have discussed at length how a virus anti-virus engines must be prepared. For some companies, can fool AV scanners, even those based on the most the .NET platform might be the next OLE2. advanced formal techniques (see VB, September 2003, p.15). The limits of an AV scanner stem directly from the limits of static and dynamic analysis techniques, the MSIL/Gastropod foundation of all program analysis tools, including optimizing compilers. For AV scanners, the limits are Size: 77828 bytes. debilitating for they operate in an environment where a programmer (virus writer) is the antagonist. Type: Direct action, parasitic inserter. Metamorphic viruses enjoy their apparent invincibility because the virus writer has the advantage of knowing the Infects: Microsoft .NET files. weak spots of AV technologies. However, we could turn the Payload: None. tables if we could identify similar weak spots in metamorphic viruses. Indeed, Lakhotia and Singh close Removal: Delete infected files and restore their otherwise gloomy article with one optimistic thought: them from backup. ‘The good news is that a virus writer is confronted with the same theoretical limit as anti-virus technologies… It may be
DECEMBER 2004 5 VIRUS BULLETIN www.virusbtn.com
worth contemplating how this could be used to the MUTATION ENGINES advantage of anti-virus technologies.’ At the heart of a metamorphic virus is a mutation engine, This article investigates the above remark and identifies the part of the virus responsible for transforming its what promises to be the Achilles’ heel of a metamorphic program. A mutation engine takes an input program and virus. morphs it to a structurally different but semantically The key observation is that, in order to mutate its code for equivalent program. generation after generation, a metamorphic virus must Figure 1 identifies the three modules of any mutation analyse its own code. Thus, it too must face the limits of engine: disassembly module, reverse engineering module static and dynamic analysis. Beyond that a metamorphic and transformation module. Development of each of these virus has another constraint: it must be able to re-analyse modules poses different challenges and limitations. the mutated code that it generates. Thus, the analysis within the virus, of how to transform the code in the current In order to mutate its program, the virus must first generation, depends upon the complexity of transformations disassemble it. One of the important tasks of disassembly is in the previous generation. to differentiate between the virus code and data. If a virus cannot distinguish between code and data, it may transform To overcome the challenges of static and dynamic analyses, the data, leading to incorrect behaviour. There are two the virus has the following options: do not obfuscate the known strategies for disassembly: linear scan and recursive transformed code in every generation; use some coding traversal (see Schwarz et al., 2002, Ninth Working conventions that can aid it in detecting its own obfuscations; Conference on Reverse Engineering). Each of these or develop smart algorithms to detect its specific strategies has its own limitations (see Linn and Debray, 2003 obfuscations. Conference on Computer and Communications Security). So, are metamorphic viruses really invincible? They are The third module, transform, generates a transformed surely not as invincible as they first appear. A metamorphic version of the original program. A program must be virus’s need to analyse itself is its Achilles’ heel. If a virus transformed significantly in order to avoid being detected can analyse itself, then an AV scanner should also be able to by a signature-based AV scanner. In the simplest case, the analyse it by using whatever method the virus uses to work module may transform one instruction at a time. At the around its own obfuscations. It is therefore conceivable other extreme the module may analyse blocks of code and that one could create a ‘reverse morpher’ that applies the replace them with equivalent code fragments. To ensure transformation rules of the virus in reverse, thus undoing its accuracy of transformation a block must be a single entry, attempt to hide from scanners. single exit piece of code. That means that control should not Is there a catch? Before one can use a virus’s methods on jump into the middle of the block, or else it becomes harder the virus itself, one has to extract those methods. One must to create semantic-preserving transformations. One could first have a sample of the virus in order to extract its also imagine transformations that replace segments of transformation rules, assumptions and algorithms. control flow graphs (CFGs) with other control flow graphs. This chicken-and-egg problem is no different from that The second module, the reverse engineering (RE) module, faced by the current AV technologies for extracting supports the transformation module. The challenges for this signatures and behaviours. The important thing is that, once module depend upon the technique chosen for a set of tricks has been identified and countered by the AV transformation. As the transformations become more software, the virus writer is forced to invent new tricks, thus complex, so does the work of reverse engineering. If the raising the bar for the virus writer. Because of the additional transformation module works on one instruction at a time constraints, the virus writer has to be more imaginative than then the RE module does not need to do anything. However, the makers of AV scanners. The rest of this two-part article is organized as follows. The next section provides an overview of mutation engines. It is followed by a discussion on the Achilles’ heel of a Program Program metamorphic virus. In the second part of the article (which Disassemble Reverse Transform will appear in the January 2005 issue of Virus Bulletin) we Engineer present a case study by analysing the metamorphic engine of Win3/Evol. This leads to a discussion on developing reverse morphers to undo the mutations performed by a Mutation Engine mutation engine. The article closes with our conclusions. Figure 1. Stages of program transformation.
6 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
if the transformation module works on blocks of code, the Location Hex Disassembly
RE module must identify blocks. Similarly, if the 00403E5F B8 6E3E4000 MOV EAX, 00403E6E transformation module works on CFGs, the RE module … should identify CFGs. 00403E64 8000 28 ADD BYTE PTR DS:[EAX],28
…
THE ACHILLES’ HEEL 00403E6E 90 NOP 90 Lakhotia and Singh argued that virus writers enjoy the 00403E6F CB RETF upper hand because they can exploit the limitations of 00403E70 76 DB 76 static analysis as well as dynamic analysis to hide their 00403E71 39 DB 39 code. Junk byte insertion, jump into the middle of 00403E72 FF DB FF instruction and self-modifying codes are a few obfuscation 00403E73 50 DB 50 techniques that make it even harder to distinguish statically Figure 2a. Obfuscation through runtime code modification. between data and code in a binary executable. Insertion of large loops and anti-debugging techniques test the patience Location Hex Disassembly and speed of dynamic analysis. A mutation engine that 00403E5F B8 6E3E4000 MOV EAX, 00403E6E changes the virus code with every few generations as well as adding the complex obfuscation techniques to the … newly created virus body might create a virus that is close 00403E64 8000 28 ADD BYTE PTR DS:[EAX],28 to invincible. … B8 CB7639FF MOV EAX, FF3976CB Figure 1 shows that the steps involved in mutating a 00403E6E program are very similar to the steps outlined by Lakhotia 00403E6F and Singh for checking whether a program is malicious 00403E70 using program analysis techniques. There are two 00403E71 differences. First, a metamorphic virus uses the analysis of 00403E72 the first two steps for creating a transformed program. A 00403E73 50 PUSH EAX scanner would use similar information to determine whether a program is malicious. Second, the output of the last step Figure 2b. Modified code. of a metamorphic virus becomes its input, albeit in a Now suppose a metamorphic virus writer has mutated its different execution of the program. code such that the current generation is self-modifying. In The feedback loop in Figure 1 has catastrophic order to mutate its code further it has to know statically the consequences for a virus. A metamorphic virus has to instruction that is changing at runtime. This challenge poses analyse its own mutated code in order to mutate it further. a serious limit to the obfuscation techniques a metamorphic If, after transformation, the virus introduces obfuscations virus can impose during mutation. that prevent its disassembly, then in the next generation the This highlights the Achilles’ heel of a metamorphic virus: a virus may not be able to diassemble itself. If it introduces metamorphic virus must be able to disassemble and reverse obfuscations that prevent reverse engineering of the virus engineer itself. Thus, a metamorphic virus cannot utilise code – say, for instance, identifying its program blocks, then obfuscation techniques that make it harder or impossible for the virus will also not be able to detect its own blocks. Thus, its code to be disassembled or reverse engineered by itself. the virus cannot introduce obfuscations that prevent those analyses that are performed by the virus itself. To understand the problems faced in writing a metamorphic WIN32/EVOL virus, let us analyse an obfuscation technique introduced by Win32/Evol is a relatively simple metamorphic virus. a non-metamorphic virus, W32/Netsky.Z. Nonetheless, it is a good example for a case study since the The virus Netsky.Z introduces an obfuscation using a virus demonstrates properties common to metamorphic technique known as self-modifying code. Here, the virus is viruses – i.e. it obfuscates calls made to system libraries and modifying code at location 00403E6E at run time. It adds it mutates its code before propagation. Part two of this 28h to the opcode 90h, which converts the NOP instruction feature will describe the details of these methods and to MOV instruction, thus modifying the code, as shown in discuss the development of reverse morphers to undo the Figure 2b. If we try to analyse it using a static technique we mutations performed by a mutation engine. [Part two will get the wrong analysis, as shown by Figure 2a. appear in the January 2005 issue of Virus Bulletin - Ed]
DECEMBER 2004 7 VIRUS BULLETIN www.virusbtn.com
FEATURE 2 HOW ‘DARE’ YOU CALL IT invoked after every time the system is restarted or on the occurrence of some system event. Hence, one or more of SPYWARE! the following activities may be observed during spyware/ Prabhat K. Singh, Fraser Howard and Joe Telafici adware installation: McAfee, AVERT Installation of a service to ensure that the application is active even when a user is not logged on Anti-virus vendors frequently receive queries, objections The information relating to the services installed on the and legal notices from software vendors whose applications local machine is stored in the Service Control Manager are detected as spyware or adware. As a result, the task of (SCM) database. The Win32 SCM APIs may be used to add, ‘proving’ whether a given sample is a spyware/adware or query or control the status of the services installed. clean application demands careful judgment on the part of the researcher. COM class registration Several such applications cannot be ignored as benign Frequently, spyware/adware applications use COM objects software just because of the legal risks associated with to achieve software reusability and adaptability. An detection. Adware and spyware may be described as understanding of the relevant parts of the system which applications that may carry out one or more unsolicited may be altered during a COM object’s installation is actions, such as spying on a user’s PC activities, gathering important in order to understand the behaviour of the data about the user’s browsing habits or pushing unwanted spyware/adware program. and/or offensive advertisements into the user’s system. A COM server is a binary file that contains the code for The majority of researchers in the AV industry are aware of methods used by one or more COM classes. This server can these descriptions, yet almost everyone has a different be packaged either as a DLL or as an executable file. There interpretation of adware/spyware behaviour and companies are two types of activation request for an object: an in-process tend to add detection for applications that may not warrant activation request and an out-of-process activation request. inclusion in this category, or vice versa. An in-process activation request requires a DLL-based Despite a rash of legislative activity in the US and the EU, version of the COM server to be present and loaded in the definitions of spyware, adware and associated terminology client’s memory space. An out-of-process activation request vary widely. This article presents a description of spyware/ requires the executable to be used to start the server process. adware behaviour and visits a few criteria that may be used In order to allow client programs to activate objects without by researchers to prove that a program can be detected as concern for which type of package is used or where the adware/spyware. We break malware behaviour into six areas executables or DLLs are located, COM stores configuration to achieve an environment within which spyware/adware information in the registry that maps the class IDs (CLSIDs) can be compared with malware programs. onto the server that implements that class. Whenever an activation request is made for a CLSID in a given machine, the registry is consulted. If the configuration information is MALWARE PROGRAM BEHAVIOUR not available in the registry, the request may be redirected to In the following sections we will discuss six areas of a remote host from which the relevant code may be malware behaviour and structure: installation, survey, downloaded and installed. COM stores most of the replication, concealment, injection and payload (for more configuration information in the registry key information on this method of malware analysis see ‘HKLM\Software\Classes’, although most programs use the http://downloads.securityfocus.com/library/masterthesis.pdf). more convenient alias ‘HKCR’. COM keeps machine-wide information related to CLSIDs in the registry key ‘HKCR\CLSID COM’ and also looks into per-user class Installation information in the ‘HKCU\Software\Classes\CLSID’ key. An installer creates and maintains an installation qualifier COM stores all the locally known CLSIDs under either of so that the malware can execute on the victim system, and the above two keys, with one subkey per CLSID. For ensures the automatic interpretation of malware code. example, let there be a class named ‘JoeSpy’ which is used to implement spyware functionality. In this definition there are two criteria for a segment of code in the malware to qualify as an installer. First, the code This will have a registry entry as: should cause a permanent change in the machine’s security [HKCR\CLSID\{571F1680-CC83-11d0-8C48-0080C73925BA}] state. Second, the code may ensure that the program is @=”JoeSpy”
8 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
In order to allow local activation of ‘JoeSpy’ objects, Both of these key entries ensure that the spyware/adware JoeSpy’s CLSID entry in the registry will have a subkey that program is executed every time the user logs into their indicates which file contains the executable code for the account. The difference between the two keys is that the JoeSpy class’s methods. If the COM server is packaged as a HKLM key executes the program before the appearance of DLL, the following entry will be required in the registry: the desktop, while the HKCU key executes the program [HKCR\CLSID\{571F1680-CC83-11d0-8C48- after the appearance of the desktop. 0080C73925BA}\InprocServer32] @=”C:\JoeSpyware.dll” LSP and NSP installation If the COM server is a package that uses an executable file, Spyware and adware installations (e.g. a version of the following entry will be required in the registry: MarketScore) use Winsock 2 Layered and Network Service Provider implementations to redirect network traffic to [HKCR\CLSID\{571F1680-CC83-11d0-8C48- 0080C73925BA}\LocalServer32] specific sites. The network data emanating from and @=” C:\JoeSpyware.exe” entering the machine can be sent to a ‘central’ site and then sent to the user’s application. If the environment does not cope easily with raw CLSIDs to make activation calls, a programmer may use ProgIDs. The For example, when the user types ‘www.google.com’ into CLSID to ProgID translation is achieved through the their Internet browser, the browser will connect silently to following registry entry: www.marketscore.com and send part of this data, before [HKCR\CLSID\{571F1680-CC83-11d0-8C48- connecting to www.google.com. This is a more powerful 0080C73925BA}\ProgID] mechanism than that achieved through a BHO because the @=”JoeSpyware.JoeSpy.1" interception of network traffic is not application-specific (i.e. not limited to IE using a BHO). This is because LSPs Conversely, to support the reverse mapping (ProgID to work at the TCP implementation level. CLSID), the following keys are needed: [HKCR\JoeSpyware.JoeSpy.1] LSP is a component that intercepts winsock2 calls and has the ability to manipulate them, and then optionally pass @=”JoeSpy” them to the winsock2 provider. There are two kinds of LSP, [HKCR\JoeSpyware.JoeSpy.1\CLSID] the transport service provider and the name space service @=”{571F1680-CC83-11d0-8C48-0080C73925BA}” provider. The former is used frequently by adware/spyware A well-implemented COM server will implement the for implementing LSPs. An LSP is implemented as a DLL following two functions to support installation and and should be registered with the system. The usual registry uninstallation: location is ‘HKLM\System\CurrentControlSet\Services\ DllRegisterServer(void); Winsock2’. DllUnregisterServer(void); The LSP will always export the WSPStartup() function. However, most adware/spyware programs do not follow This function is invoked whenever a user calls the this practice. WSAStartup() function. LSPs are organized in a chain wherein a network-related function call invokes the first Browser Helper Object (BHO) installations node in the chain. This node processes the call and invokes These are frequently used by adware applications for the next node in the chain and so on, until the last node installing toolbars or redirecting network traffic in Internet invokes the winsock2 function. An exhaustive treatment of Explorer and the Windows Explorer. The BHO is installed this topic can be found at http://www.microsoft.com/msj/ as a COM in-process server registered under the 0599/LayeredService/LayeredService.aspx. ‘HKLM\Software\Microsoft\Windows\CurrentVersion\ Explorer\Browser Helper Objects’ registry key, and registers Survey the CLSIDs for all the BHOs installed in the system. Survey behaviour identifies appropriate targets, network Assuring execution at system initialization hosts or objects and their locators so that other behavioural units can perform correctly. Here, a locator is an address or This is usually achieved by using Run and RunOnce registry path information to the target. keys. These keys are present in the HKCU and the HKLM hives of the registry. Generally either ‘HKCU\SOFTWARE\ Survey behaviour is the reconnaissance activity that Microsoft\Windows\CurrentVersion\Run’ or ‘HKLM\ malware programs carry out to find more vulnerable host SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ addresses for the purpose of replication. This activity is is used. observed in viruses and worms and is absent from adware
DECEMBER 2004 9 VIRUS BULLETIN www.virusbtn.com
and spyware. This activity should not be confused with the again. Such attacks are used more often in the conventional spyware behaviour that involves collecting information worm and virus-style attacks than in adware/spyware. from the user’s PC for market survey-related purposes. The second approach to achieving PPID uses code evolution. We define code evolution as the process of creating program Replication equivalents in such a way that, given an identical input sequence of symbols, they produce an identical output Replication behaviour provides the logistic mechanisms for sequence of symbols. The variations of this are: polymorphism, the transfer of malware code. Logistic mechanisms are metamorphism and packing – these are well known by virus technical and/or social engineering methods for the transfer researchers and will not be discussed in this article. of malware from an infected host to another target host. Although spyware and adware may carry out a lot of Injection network activity, they do not exhibit replication behaviour Injection as defined above. Replication using social engineering The injector behaviour causes an injection of malware should not be confused with installation using social components into the victim object such that one or more of engineering methods where the user is duped into installing the malware components is placed in the execution space of the program onto their PC. Currently, it is safe to say that the victim object. The copy of the malware may be exact or adware and spyware are characterized by the absence of an evolved instance of the original malware, after being replication behaviour – otherwise they could be put into the processed by the concealment behaviour. The execution category of self-propagating programs (worms) and there space of an object is the code/text segment of the victim would be no question about the legality of their detection object or the environment in which the interpretation of the by any AV software. object will take place. Injection may or may not be present in adware/spyware. Concealment While carrying out concealment and installation, a malicious program may need to inject all or parts of its Concealment behaviour prevents the discovery of the components into another program in the memory. Common activity and structure of a malware program in order to activities may involve DLL injection into the address space avoid detection, forensics and removal. of another process. This is usually achieved using the Software forensics can be used for author identification and following methods: characterization. The absence of author information or DLL injection using the registry presence of conflicting information may be a strong indication of concealment. The use of concealment in This is achieved by adding the DLL pathname as a data spyware/adware is intended to increase the complexity of value for a subkey in the following registry key: analysis and thus increases the difficulty in ‘proving’ an HKEY_LOCAL_MACHINE\Software\Microsoft\Windows adware/spyware program. In many cases, variable CLSID NT\CurrentVersion\Windows\AppInit_DLLs values are generated during several instances of installation of the same sample. The proving process may not be reliable During system initialization when user32.dll is mapped into if we base our conclusions only on the CLSID ‘blacklist’ to a process’s address space it automatically reads these identify known malicious COM objects (e.g. a version of registry key entries and loads any DLL mentioned in the Virtumonde). data value field. Concealment has been classified into two categories, DLL injection using Windows hooks namely, concealment that prevents any dissemination of This is achieved by implementing a system-wide hook using program information (PPID) and concealment that is the SetWindowsHookEx() function. When a system-wide achieved through attacks on the system’s security mechanism hook is called from the context of another process, the (ASM). Currently, the concealment approaches for system loads the DLL containing the hook into the process’s achieving PPID in spyware/adware are trivial and nearly all address space. of these have been borrowed from the virus-writing domain. The first approach to achieving PPID ‘blocks’ the availability DLL injection using remote threads of a program’s executable image to the researcher. In this Most Windows functions will allow a process to manipulate case the executable image of the program remains in the its own address space. Some functions do exist that can be memory of the infected system. Once the system is rebooted, used for manipulating other processes. In order to load a the malicious program needs to be installed on the system DLL in another process and get loadlibrary() to load a DLL
10 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
into the other process, the program creates a new thread in the other process using the CreateRemoteThread() function. Victim host 1 Since the CreateRemoteThread()API is not present in Infected host Windows 9x, this method will not work on all platforms. Victim host 2 Injection targets Spyware/adware programs usually inject themselves into Victim host n processes like Internet Explorer and Windows Explorer. Figure 1. Replication network behaviour. Payload The payload is a behaviour programmed into the malware Central host 1 that is used to achieve a specific purpose for which the malware was created. Infected host Two types of payload behaviour are observed both in Central host 2 spyware/adware and in malware. Host payload behaviour Central host n This type of payload carries out activities such as displaying a text message that may be a threat, warning, joke or an Figure 2. Payload network behaviour. advertisement banner on the user’s computer. Payloads may malware behaviour: installation, injection, concealment and include excessive consumption of computation resources payload behaviour. The presence of survey and replication leading to a denial of service or complete destruction of a behaviour is sufficient to eliminate a sample from the specific resource on the user’s computer. adware/spyware category. In this section we discuss some Network payload behaviour criteria that will aid the decision process. Network payloads collect information from the host Each criterion in this section is based on at least one of the computer and send information to another host on the following factors: integrity, privacy of user information and network. The main difference between replication and uninterrupted availability of system resources. Two types of payload-related network behaviour is shown in Figures 1 criteria are discussed here, one is based on the program and 2. In both cases we observe the use of email addresses, structure (achieved through static analysis) and the other is URLs, IP addresses or IRC channels for connecting to based on observations of program execution (achieved network targets, but in the case of replication, network through dynamic program analysis). addresses are variable in nature (obtained from the infected host itself). In network-based payloads, the network targets are usually hard-coded in the malware program or are Static analysis received in the form of command/control information from A product should not misrepresent its creator. For example, fixed source hosts on the Internet (these may come bundled if the sample has a resource section that falsifies a in the malware code). Network-based payloads may be CompanyName resource attribute, it should be interpreted further categorized on the basis of the direction of relevant as abuse of user’s trust and hence violation of system information flow occurring during the network activity: integrity through concealment. We have seen this in at least • Outward flow – the information flows from the infected one spyware sample. object to a remote object. Several known adware and spyware programs have been • Inward flow – the information flows from the remote found to be packed using a packer or an obfuscator. Packers object to the infected object. such as UPX, do not fall into this category since these come The outward information flow is observed more in spyware, with an unpack option. However, there are patched UPX while the latter activity has been prevalent in adware. variants that have been used in packing adware and spyware programs – these will be considered malicious. A number of executable packers are used solely or almost entirely by CRITERIA DISCUSSION malicious software. Thus the use of ‘questionable’ packers In the previous section we observed that adware and or obfuscators, such as morphine, UPX (Redir), telock, spyware programs display only four of the six areas of petite, pepatch, fsg, pecompact, exestealth, obsedium, ezip,
DECEMBER 2004 11 VIRUS BULLETIN www.virusbtn.com
pespin, krypton, exe32pack, pex and pediminisher, may be a START
strong indicator of questionable intent. Packing is used to YES NO c1 c2 conceal the URL strings or IP addresses embedded in the NO YES c3 NO c4 data, resource or text section of the sample. These are c8 NO addresses of sites to which the adware program will YES STOP YES NO connect. A good example for this is a version of Adware-Lop, c5
which encrypts and stores all URL strings (in the resource NO YES c6 section of the program) to which it may connect. C1 is installer present
C2 is surveyor present NO YES C3 is polymorph/metamorph c7 is spyware C4 is replicator present Dynamic analysis C5 is there any control information flow C6 is there any outward information flow is adware During the installation phase, the product should inform the C7 is there any inward information flow user (through the end user licence agreement, or EULA) C8 is packed STOP means no Adware/Spyware exactly what the program will do. Sufficient information in Figure 3. A possible procedure for determination of spyware the EULA should be provided, which can convince the user or adware. that the program will not invade their privacy or tamper with the system’s integrity (with respect to security). If the program sends information over the network without the user’s consent (e.g. email address, banking or credit card The presence of ‘fine print funny business’ in the EULA is a information, account names or passwords), this is an strong indicator that an adware/spyware program will be indicator of spyware behaviour. Sometimes information installed (see http://grc.com/oo/cbc.htm). Also, we need to gathered about the user’s browsing habits may also be check for the availability of a privacy notice from the transmitted by spyware, which may not be acceptable to the developer during the installation process, or at least some user. If the injection of the program or one of its information that points to the developer’s website indicating components is done in Explorer or a browser program, there the same. is strong reason to believe that this is done to achieve The privacy policy and the EULA should hold true for all concealment from outgoing firewall rule sets. This activity the components that are installed by the product at a current may carry out transmission of sensitive data which would or later stage. Programs which announce and do not respect have been blocked by a firewall. These types of activity well-defined privacy and anonymity constraints will violate the user’s privacy. If the program receives command generally be classified as adware. and control information from a machine outside the user’s If the program exhibits a ‘silent’ installation behaviour, domain of control, this indicates a network payload wherein the components are downloaded and installed on behaviour which eventually violates the privacy, integrity the user’s PC while the user is browsing a website, this is a and resource usage policy of the user. strong indicator of spyware/adware. This violates the Based on the behaviour studied in the previous section system integrity of the user’s machine and also consumes Figure 3 is a flow chart that summarizes the criteria we network and system resources which may be paid for have discussed. unknowingly by the user. The product should not install and execute hidden CONCLUSION processes. Also, the product should not install and run programs that masquerade as well known system programs At the time of writing, adware and spyware account for nine (e.g. svchost.exe). This is a form of concealment that of the top 20 threats detected by McAfee users (see violates the system’s integrity since the information on the http://vil.mcafee.com/mast/viruses_by_continent_internal.asp). system is altered without the user’s knowledge or consent. If Large ISPs and IHVs report that a large portion of their the program modifies the browser settings or launches a technical support calls arise from the side effects or browser automatically and displays arbitrary content, it is a degraded performance resulting from the presence of violation of system integrity policy and warrants detection spyware or adware programs on their users’ systems. as adware. While legislative activity and litigation may alter definitions For a product to qualify as ‘well-behaved’, it is very of spyware and adware in the future, it behooves us as an important that an uninstall feature be available and functional. industry to develop consistent criteria and definitions. This Some adware programs, such as a version of CommonName, will ensure better customer understanding and reduce legal will automatically conceal or ‘morph’ themselves to an exposure. It also allows us to assist those vendors who are undetectable form when their uninstaller is executed. making an honest effort to clean up their acts.
12 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
BOOK REVIEW DICTIONARY DEFINITIONS The emphasis throughout the book is on concepts, rather than implementations. Because the concepts are often Eddy Willems complicated, readers may find that a definition makes sense NOXS and EICAR, Belgium only after it has been illustrated by an example – as a consequence, the explanations and illustrations are Title: The Information Security Dictionary sometimes longer than the definitions themselves. Author: Urs E. Gattiker ISBN: 1-4020-7889-7 As in any language, more than one word may be used to Publisher: Kluwer Academic Publishers express the same idea. In such cases the author has included a full definition for what he believes to be the more Earlier this year I found myself commonly-used term, while the other terms are defined searching for a book which would briefly and cross-referenced. help my co-researchers (see VB, The rules used for the dictionary’s listings are minimal August 2004, p.10) to define some but important to understand. For instance, when a term of the terms they would come across such as ‘virus’ has several related terms (e.g. polymorphic within the field of information virus), the related definitions may all appear as sub-entries security. It was at that moment that under the definition of the main term (‘virus’). Under The Information Security Dictionary appeared. the entry ‘polymorphic virus’ the reader is simply referred The Information Security Dictionary attempts to explain the to the ‘virus’ entry for further explanation. This helps terms that define security for e-business, Internet, non-specialist readers to find their way around faster when information and wireless technology. It is written by Dr Urs dealing with unfamiliar terms. E. Gattiker, who has co-authored other security-related The following is an example of a definition from the books, such as Viruses Revealed (in 2001 with David dictionary: Harley and Robert Slade). ‘Virus is a segment of a computer code or a program The book has what I would call ‘something for everyone’. that will copy its code into one or more larger ‘host’ The first edition defines over 1,200 of the most commonly programs when it is activated. Unfortunately, it also used words in the security field, with particular attention may perform other unauthorized actions at that time being paid to the terms used most often in computer (see also Merging of Attack Technologies, Trojans, forensics, and those relating to malware, viruses and Virology). vulnerabilities. ‘To illustrate, Virus is a program that searches out other This dictionary will help non-specialist readers understand programs and infects them by embedding itself in them, the information security issues they encounter in their work so that they become Trojans. When these programs are or in studying for certification examinations – but it will executed, the embedded virus is executed as well, also help the real IT security expert in pinning down a thereby propagating the “infection”. This process tends definition for a specific term or word. to be invisible to the user.’ The goal throughout has been to provide a comprehensive The book is well and logically structured, with clear figures dictionary of terms that will increase access to works in all and tables. The appendices provide one of the most sciences. Even statistical definitions are included, since IT comprehensive listings I have seen of informational security is moving rapidly towards becoming a more dictionaries and other resources, with a good selection of established scientific discipline. URLs for some interesting and useful websites. Special attention has been paid to terms which may prevent I was not always fond of the illustrations and definitions I educated readers from gaining a full understanding of found in this book. Certainly some experts will feel that a journal articles and books in cryptology and security and number of the definitions are not complete or that the information systems, as well as applied fields that build on illustrations are not always sufficiently strict. The dictionary these disciplines. could be considered a little too general for the more A number of definitions have been included for terms that experienced security or anti-virus experts. Nevertheless, in might not strictly be associated with information security my opinion the author has done a good job, and this – for instance: validity, reliability, attitudes and cognition. dictionary is a must-have for anybody who works with or The author reasons: ‘[These words] meet the main criteria who is interested in information security. for inclusion: the words pop up fairly often, and many This is yet another book to add to my ever-expanding people are unsure of the meaning.’ anti-virus and IT security library. When will it end?
DECEMBER 2004 13 VIRUS BULLETIN www.virusbtn.com
LETTERS
GENERIC DETECTION – A SPECIFIC CASE this so that all files containing that string are detected by a single search. This subject has effectively been glossed over for some 10 years. One reason is that anti-virus researchers who The bad news? Well, the 1,340 files came in a collection could write about it have been slightly scared to do so, lest of 13,500 files of virus-associated material. I still need to the information be of value to competition. I feel I can risk look at those. No doubt, the question of whether virus or it now. Trojan source code should be detected will raise its ugly head once more! McAfee received (from Andreas Clementi of the University of Innsbruck) a collection of some 1,350 *.HTM files. Peter Morley These are text files. Any of our customers can look at McAfee, UK the contents. The files are mostly from virus/Trojan writing groups, although some are from AV experts, about virus/Trojan authors and their techniques, backgrounds COFFEE-TIME AMUSEMENT and attitudes. Whilst drinking my coffee and scanning the funnies one Should we detect these files, for any reason other than the morning, I happened across a message which stated that fact that we may be reviewed against them? I took a good Microsoft was evil – it turned out to contain a link to a look. My conclusions may surprise you. website that rates the ‘goodness’ of other websites using a numerological method. Some 340 of the files are ones we should certainly not detect. These include: Being a long-time member of the anti-virus community I decided to run a number of anti-virus sites through the • An interview with Dr Alan Solomon, by virus author ‘goodness’ test. The results (at the time of testing) were Dark Fiber. as follows: • A report of the death of an Australian virus author. http://www.bitdefender.com is rated 18% evil, 82% good • The well reported interview with Dark Avenger by AV http://www.ca.com is rated 34% evil, 66% good researcher Sarah Gordon. http://www.f-secure.com is rated 62% evil, 38% good • Innocent (and valid!) expressions of opinion by people in the AV industry. http://www.kaspersky.com is rated 55% evil, 45% good However, we should detect most of the others, nearly all of http://www.mcafee.com is rated 23% evil, 77% good which were written to educate and inform virus authors. http://www.messagelabs.com is rated 14% evil, 86% good There are three more reasons: http://www.nod32.com is rated 98% evil, 2% good • IT Managers like to know if this type of material is http://www.norman.no is rated 45% evil, 55% good residing on any of their machines. http://www.pandasoftware.com is rated 13% evil, 87% good • Internet companies which pass high message volumes like to know if they are being used for malware group http://www.sophos.com is rated 50% evil, 50% good communication. http://www.sybari.com is rated 2% evil, 98% good • Detection will inconvenience the malware groups, and http://www.symantec.com is rated 30% evil, 70% good make them slightly less productive. http://www.trendmicro.com is rated 63% evil, 37% good Initially I decided to write the detections so that reviewers http://www.virusbtn.com is 7% rated evil, 93% good could use them, and to make them available for general use later if we decided to do so. The files will, of course, be If you would like to try some of your own visit detected as applications, not as viruses or Trojans. http://homokaasu.org/gematriculator. So, I had just over 1,000 detections to write, and they Anon, UK needed to be written efficiently. They had to be generic, in [Disclaimer: Virus Bulletin would like to point out that the order to minimise the workload. I could see it was easy, above has been included as a frivolous coffee-time because the files contained lots of very strong detection distraction, and the inclusion of this letter should not be strings, many of which occurred in more than one file. taken to be a statement about the content of the websites or The generic technique used was simple: where a detection their associated companies – furthermore, the fact that string occurs in more than one file, search for it in a Virus Bulletin’s own website is rated as 93 per cent good is slightly extended area, rather than at a specific offset. Do pure coincidence …]
14 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
PRODUCT REVIEW TREND MICRO PC-CILLIN Installation of PCCIS was, therefore, remarkably free from user interaction. Information boxes appeared on an INTERNET SECURITY 2005 unpatched version of XP, stating that an older version of 12.0.1330 Microsoft Installer existed (though these were absent in the SP2 version of Windows). Once the user has accepted the Matt Ham licence agreement an initial scan is performed for Trojans and viruses, after which the user’s name and organisation It is a pretty much universally accepted fact that, in software are checked. Next there is the option to select a different development terms, a release date of ‘next week’ can mean installation location from the default, after which a delay of anything up to 12 months. Proving the exception installation completes without further ado. A reboot was to that rule, however, is Trend Internet Security 2005 which not required on installation, though it was necessary after has become available to all and sundry well before those 12 uninstallation. months have commenced. Within the product the name used Following installation only three items had been added to Trend Micro PC-cillin Internet Security 2005 is . For the the Start menu: PCCIS itself, the uninstallation application sake of brevity therefore, the product will be referred to and the associated help files. Removal of the program could PCCIS throughout this review as . also be achieved by running the installation program again, At a cursory glance PCCIS has much the same interface and which makes a change from the usual situation where this functionality as previous Trend anti-virus products. merely reinitialises the installation. However, PCCIS contains numerous new features as well as Updating the product was similarly user-friendly. Once additions to older ones. This is also an application that has installation had been performed no further adjustments to been introduced after the release of Windows XP SP 2, so the settings were required before the update could be one would hope that it has been designed to integrate with triggered. One update was provided prior to registration, the operating system upgrade. allowing the demonstration product to have at least a few days of fully updated capabilities upon which to be judged. COMPANY OVERVIEW By default, updates are set to occur every three hours, with Trend Micro has a geographically varied history. My first longer delays available if required (though not shorter experience with Trend was with the ‘Trend Chipaway’ ones). Updates seemed to be triggered by booting the BIOS-based boot sector protection method, when the machine, however, so the three-hour delay should be the company was based in Taiwan. From here Trend moved its maximum update delay under any circumstances. Updates centre of operations to Japan. Later still, the company can be silent if became more associated with the US, but it retains a large required. Partially presence throughout the Asia-Pacific region and especially offsetting this is the Philippines. the Outbreak In terms of its products, latterly the company has Warning pop-up, concentrated mostly on anti-virus solutions, along with which allows for some aspects of security which impinge upon that core dangerous new business. For years, server-based products were the malware to be mainstay of Trend’s corporate presence, but as other announced and companies started to introduce their own gateway solutions an update to be Trend strengthened its presence in the desktop field. Trend offered without has also produced hardware anti-virus solutions, most going through the notably for the home user market. generic update process. As is standard, INSTALLATION AND UPDATE proxy connections Where home user products are concerned it is not are supported by unreasonable for the developer to reduce user interaction to the update a minimum, working on the theory that the bulk of users procedure. More will be not be helped by the option to set up exclusion lists obscure, though, or to determine how many levels of recursion should be is the ability to set used when scanning inside archives. the updates
DECEMBER 2004 15 VIRUS BULLETIN www.virusbtn.com
separately for application files, anti-spam and anti-virus functionality is not notable in this offering, the typos present plus firewall functionality. This seems a rather pointless on the results page are entertaining. area of control. Context-sensitive help is available throughout the main Given a network where PCCIS is installed, any machine may application, in addition to the standalone help offered in the be used to update any other on the network. Of course, there Start menu. These both arrive at the same set of help are caveats. For one, it seems necessary for the products on material, which combines information on how the software these machines to be PCCIC 2005 rather than any previous should be operated with corresponding information as to version or any other version of PC-cillin. Various products why this is the case. In most instances the information is were tried and only the newest version could be updated in well written and will be useful to an average user. In some this way. Furthermore, all the products to be updated must cases, however, the information is at best perplexing and at be password-protected in their settings, and the password worst misleading. For example, when discussing quarantine must be identical on all machines being updated. handling it is stated that ‘Most Trojans can be identified by the name: TROJ_, VBS_, or JS_.’ This may be true due to the Trend method of file description within logs, but as a DOCUMENTATION AND WEB PRESENCE general statement it is not likely to help the user gain a Trend Micro was fast, insightful or lucky enough to lay greater understanding of how to identify a Trojan. claim to the ‘www.antivirus.com’ URL, which offers a memorable portal for Trend access. Another of Trend’s URLs is www.trendmicro.com. This resolves to a selection GENERAL SECURITY FEATURES of regional sites (in an impressive piece of regionalisation it With the standard anti-virus functionality much as might be seems that PCCIS 2005 is named PCCIS 12 in Europe, expected, the real interest in PCCIS 2005 lies with its adding more than a little to the naming confusion). additional security features, many of which are directly or The contents of all regional Trend sites are much the same indirectly related to virus threats. and will hold no surprises for regular visitors to any The Email section of the main GUI demonstrates this mix anti-virus website. Of note, however, are the virus of functionality. The standard offerings of SMTP and POP3 descriptions. These contain a general section for each virus, scanning are clearly present. By default, these are limited to along with a more technically in-depth description. The one level in their archive recursion and to 3 MB in size, technical descriptions contain a wealth of information on presumably as a method of limiting overheads. As home such matters as the registry changes made and filenames users are the major target market, however, webmail used by the virus in question. These are sufficiently scanning is offered as a second category, with much the complete that competing anti-virus products have, in the same default settings. past, been known to false-positive on these pages. All is not dominated by viruses, however, and the third An online scanner, HouseCall, is also available from the category within the Email area is devoted to spam. Here, website. This requires some slackness in browser security settings in order to operate, as well as a java platform – which does make for a rather slow experience for the first scan on XP (since not only the engine and virus database must be downloaded, but also the java platform). Subsequent scans are far speedier however. In a blatant attempt to throw a spanner in the works, the online scanner was run on a machine on which PCCIS was already installed. Even while running HouseCall, a standard on-demand PCCIS scan and on-access scanning, there were no terrible ill effects. My mp3 player stuttered somewhat under the onslaught, but otherwise matters proceeded as normal. In line with the wider security coverage in PCCIS, the website also offers an online security scanner known as Hackercheck. This is a rather basic port scanner, and as such contains several warnings that running the application in a corporate environment may result in the descent of blood-crazed sysadmins upon the hapless user. Although the
16 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
various levels of detection are offered – and, of course, there users. Finally in this area are security options for Wi-Fi are addresses for submitting emails to Trend which are networks, which were not tested. either false positives or false negatives. The Network Virus Emergency Center area is a function As noted during installation, an anti-Trojan function is whereby various worms are recognised through their included in the application. This is integrated with the network activity and a direct response can be set if these are general virus scanning however, so does not really count as detected. What is more useful than might at first appear to new material. The fact that this functionality has been given be the case, is the fact that the activities that can be detected its own category is perhaps a sign that users are more aware are not based solely upon known worms. Although there are of Trojans as a threat. some specific entries, such as WORM_BAGLE.AU, the list Along the same lines, though less virus-oriented and a also includes much more loosely-defined attacks, such as separate function, a scan for spyware can be performed. ‘MS02-039_SQL_SERVER_RESOLUTION_EXPLOIT’. By default this option is not activated. Activation of This is directly related to a Microsoft security alert and is spyware scanning reveals a number of categories, of which that which was used by the SQL/Slammer worm to great hack tools, diallers and password crackers are the default and terrible effect. In this case it is the exploit that is options. Judging by these categories, Trend’s definition of detected, rather than Slammer’s particular implementation. ‘spyware’ covers a multitude of sins. The definition of In many ways this is a preferable method of detection. If spyware is a contentious one (see p.8), but the help any of these worms or exploits are detected the user may resources for this function are well detailed and cover the either be sent a pop-up to this effect (the default action) or, possibilities that some files may be desirable even if they more sensibly, the user can opt to halt all Internet traffic are detected here. pending investigation. In the Network Control area of the GUI the security issues Of course, the presence of known security exploits is in are more closely associated with virus prevention. The many cases followed by the presence of patches which Personal Firewall is primary among these. Although nullify the effect, at least on patched machines. With SP 2 detailed investigation of the firewall was not performed, installed an XP user will be bombarded with instructions to there were certainly no open ports available amongst those scan for updates and patches, but of course not all everyone which were investigated. In addition, the ports scanned were will be using XP SP2. It is therefore welcome that, among logged in the appropriate log-file. By its description the the scans offered within PCCIS, is one for known security firewall seems to be an update to the Windows XP inbuilt ICF. vulnerabilities. This seemed to work variably, having no issues on machines where vulnerabilities were present Also falling under the category of network control is the (these were detected), but it left an unclosable dialog box if Private Data Protection function. With an increasing number no problems were detected. of worms attempting to transmit personal data to undeserving recipients, this function is certainly virus (and spyware) related in scope. INTEGRATION WITH WINDOWS XP SP2 Although it was not tested, the Private Data Protection Some users, myself included, are sufficiently irritated by the feature purports to prevent sensitive personal information balloon pop-ups within Windows XP that they remove them from being exported by HTTP, SMTP or instant message. via an assault on the registry. However, for those who are The relevant information must first be entered into a PCCIS not quite so rabid in their dislike of intrusiveness these can database of such items – suggested terms are: name, credit be a source of useful information. Windows Security Center card number, login name and the like. There is only a is a new feature in SP2 which makes liberal use of these suggestion, albeit a strong one, that this information be alert bubbles as well as providing an area where firewall, password-protected, so this is an area in which security anti-virus and Windows Update status are described. This could be compromised by any person with physical access description warns in no uncertain terms if settings are not in to the machine. Such a collection of personal data in one a Microsoft-declared list of acceptable states. place would be a huge labour-saving device for those in The default installation of Windows XP cares little whether search of personal information if passwords are not enforced. there is an anti-virus product installed. This changes under In the same area of the GUI is the ability to block URLs by SP2 where small balloons will pop up if no known product type. This, however, does not include a type which relates is found. Of course, there should be heavy stress on the directly to virus distribution sites – which seems an odd word ‘known’. An anti-virus product must be recognised by oversight. Sites which offer ‘resources to affect or influence Windows XP in order for this alert to be laid to rest. In the real events through the use of spells’ can be blocked, case of PCCIS the first hurdle is crossed easily – upon however, which is rather telling about the priorities of some installation the balloon was replaced by another, which
DECEMBER 2004 17 VIRUS BULLETIN www.virusbtn.com
CONCLUSION Whenever more than one anti-virus specialist is gathered in a room there is much talk concerning blended threats and the blurring of general security and the traditional enclaves of anti-virus technology. That this is now considered to have reached the mainstream is apparent in this latest offering from Trend Micro. The addition of anti-spam, anti-spyware, anti-Trojan and security scanning functionality to the product is not much of an innovation – though there are additional features which certainly are innovative. What is more noteworthy, in some ways, is that these extra features are included in a product which is deliberately intended to be easy to use. Trend clearly considers that its users will consider these features to be valuable additions and have sufficient knowledge to appreciate them. The idea that general users are aware of the importance of declared that the installed product was out of date. This state security may be somewhat optimistic but, one hopes, it is a of affairs was echoed by the larger descriptive GUI, which sign that the future may be easier than the recent past. If used almost inch-high text to drive the point home. users are becoming more educated, some of the major flaws As hoped, the updating process put a stop to these warnings. in human behaviour upon which viruses have relied, should The alerts, or at least a subset of them, could be reactivated begin to decline. I am tempted to hope that Trend’s market however, by turning off on-access scanning. This is an area researchers have judged their customers correctly. where a warning might be very useful. Many commercial Technical Details software products, usually in a spirit of overblown paranoia, request that anti-virus software be disabled during Test environment: Identical 1.6 GHz Intel Pentium machines with 512 MB RAM, 20 GB dual hard disks, DVD/CD-ROM and installation. The alert this will engender is no bad thing, 3.5-inch floppy drive running Windows XP Professional. Athlon although it is somewhat paranoia-inducing when the alert is XP1600+ machine with 1 GB RAM, 80 MB hard disk, triggered momentarily during updates to the product. DVD/CD-ROM and ADSL Internet connection running Windows XP Professional Service Pack 2 Although the irritation factor of these alert balloons is high, . it is not at all undesirable. One of the long-term problems Developer: Trend Micro Inc., 10101 N. De Anza Blvd, Cupertino, CA 95014, USA; Telephone +1 877 268 4847; email with anti-virus programs is that, for the bulk of the time, it [email protected]; website http://www.antivirus.com/. is more irritating than not to have them fully operational and updated. The big-bang event where infection occurs is not often considered by home users for the sake of day-to-day convenience. Scanning overheads and any interaction with ERRATA – WINDOWS SERVER 2003 updates, however, are likely to be considerably less irritating COMPARATIVE REVIEW than a never-ending tirade of noisy alert bubbles. VB regrets that three mistakes crept into the Comparative Other aspects of the installation showed that integration was review published in the November issue: occurring with the security features of Windows XP. • The version number for Sophos Anti-Virus should have Although available in earlier versions of Windows XP, the read 3.86, not 3.83 as published. Internet Connection Firewall (ICF) is not activated by default until Service Pack 2. The fact that this was activated • The values for CAT Quickheal in the standard was noted during installation of PCCIS as a potential on-demand test set should read ‘Misses: 169, Detection conflict. The conflict mentioned was only one of possible 92.91%’ in all occurrences (the on access results were slowing of data transmission and thus for much of the erroneously duplicated). testing period both ICF and the PCCIS firewall were • Norman Virus Control did not reproducibly operating. This did result in an almost imperceptible miss detection of any samples in the In the warning appearing on the Windows Security Center page Wild test set and thus is due a VB 100% stating that it was preferable to operate only one firewall. award. When ICF was disabled, Trend’s firewall component was VB apologises for the errors. recognised as being in operation and no warnings resulted.
18 DECEMBER 2004 VIRUS BULLETIN www.virusbtn.com
CALL FOR PAPERS VB2005 DUBLIN • Corporate patch management • Phishing • Spyware and adware detection – legal issues Virus Bulletin is seeking • Corporate anti-virus/spyware/adware case studies submissions from those wishing to present at • Zero day virus infections in a corporate environment VB2005, the Fifteenth • Malware and the law Virus Bulletin • Anti-virus performance and quality testing International Conference, • Management of anti-virus infrastructures which will take place 5–7 October 2005 at The Burlington, • Proactive detection mechanisms Dublin, Ireland. • IDS/IPS The conference will include two full days of 40-minute • False positive prevention presentations running in concurrent streams: Technical AV, • Vulnerability management Corporate AV and Spam (both technical and corporate). • Government security policies Submissions are invited on all subjects relevant to the • IT outsourcing and associated risks anti-virus and anti-spam arenas. VB welcomes the • Integration of protection technology on the desktop: submission of papers that will provide delegates with ideas, anti-virus/firewall/IDS/spyware advice and/or practical techniques, and encourages • Blackhat view of malware presentations that include practical demonstrations of • Demonstrations of threats techniques or new technologies. • IM threats • Anti-virus and anti-spam managed services SUGGESTED TOPICS SPAM The following is a list of suggested topics elicited from • Corporate anti-spam case studies attendees at VB2004. Please note that this list is not • Spam tricks exhaustive, and papers on these and any other AV and spam-related subjects will be considered. • How spammers operate • Spam from a legal point of view TECHNICAL AV • Anti-spam performance testing • Honeypots • Mobile spam • Longhorn • New anti-spam techniques • Threats and protection for mobile devices • Emulation, engine level sandboxing, unpacking and other static code analysis HOW TO SUBMIT A PAPER • Wireless security Abstracts of approximately 200 words must reach the Editor • Rootkits of Virus Bulletin no later than Thursday 10 March 2005. Submissions received after this date will not be considered. • ZA64/AMD64 viruses Abstracts should be sent as RTF or plain text files to Windows • Emulators/heuristics/PE unpacking on non- [email protected]. Please include full contact details platforms with each submission. • Neural networks Following the close of the call for papers all submissions • HTML exploits will be anonymised before being reviewed by a selection • Email encoding committee; authors will be notified of the status of their • Viruses in new formats paper by email. • Hardware anti-virus solutions Authors are advised in advance that, should their paper be • Tools of the trade (deobfuscation, IR, etc.) selected for the conference programme, the deadline for • Behavioural analysis and detection submission of the completed papers will be Monday 6 June 2005 and that full papers should not exceed 8,000 words. CORPORATE AV Further details of the paper submission and selection • How to raise public awareness of malware/cybercrime process are available at http://www.virusbtn.com/ • Use of personal firewalls with anti-virus protection conference/.
DECEMBER 2004 19 VIRUS BULLETIN www.virusbtn.com
END NOTES & NEWS
Infosec USA will be held 7–9 December 2004 in New York, NY, NetSec 2005 will be held 13–15 June 2005 in Scottsdale AZ, USA. USA. For details see http://www.infosecurityevent.com/. The program covers a broad array of topics, including awareness, privacy, policies, wireless security, VPNs, remote access, Internet The SANS Cyber Defensive Initiative East takes place 7–14 security and more. See http://www.gocsi.com/events/netsec.jhtml. December 2004 in Washington, D.C., USA. Focused training disciplines include security, legal, operations, managerial and audit. Black Hat USA takes place 23–28 July 2005 in Las Vegas, NV, For more information see http://www.sans.org/. USA. A call for papers will open 15 April 2005. For more details see http://www.blackhat.com/. Computer & Internet Crime 2005 will take place 24–25 January 2005 in London, UK. The conference and exhibition are dedicated The 15th Virus Bulletin International Conference, VB2005, will solely to the problem of cyber crime and the associated threat to take place 5–7 October 2005 in Dublin, Ireland. For conference business, government and government agencies, public services registration, sponsorship and exhibition information and details of and individuals. For more details and online registration see how to submit a paper see http://www.virusbtn.com/. http://www.cic-exhibition.com/. The 14th annual RSA Conference will be held 14–19 February 2005 at the Moscone Center in San Francisco, CA, USA. For more ADVISORY BOARD information, including online registration and the conference agenda, Pavel Baudis, Alwil Software, Czech Republic see http://www.rsaconference.com/. Pavel Baudis, Ray Glath, Tavisco Ltd, USA The E-crime and Computer Evidence conference ECCE 2005 Sarah Gordon, Symantec Corporation, USA takes place at the Columbus Hotel in Monaco from 29–30 March Shimon Gruper, Aladdin Knowledge Systems Ltd, Israel 2005. ECCE 2005 will consider aspects of digital evidence in all types of criminal activity, including timelines, methods of evidence Dmitry Gryaznov, Network Associates, USA deposition, use of computers for court presentation, system Joe Hartmann, Trend Micro, USA vulnerabilities, crime prevention etc. For more details see Dr Jan Hruska, Sophos Plc, UK http://www.ecce-conference.com/. Jakub Kaminski, Computer Associates, Australia Black Hat Europe takes place in Amsterdam, The Netherlands, Eugene Kaspersky, Kaspersky Lab, Russia from 29 March to 1 April 2005. Black Hat Europe Training runs Jimmy Kuo, Network Associates, USA from 29 to 30 March, with the Black Hat Europe Briefings following, Anne P. Mitchell, Institute of Spam and Public Policy, USA from 31 March until 1 April. Costin Raiu, Kaspersky Lab, Russia Black Hat Asia takes place 5–8 April 2005 in Singapore. In this Péter Ször, Symantec Corporation, USA case the Briefings take place 5–6 April, with the training on 7–8 Roger Thompson, PestPatrol, USA April. A call for papers for the Black Hat Briefings (both Europe and Joseph Wells, Fortinet, USA Asia) closes on 15 January 2005. For details and registration see http://www.blackhat.com/. The first Information Security Practice and Experience SUBSCRIPTION RATES Conference (ISPEC 2005) will be held 11–14 April 2005 in Subscription price for 1 year (12 issues) including Singapore. ISPEC is intended to bring together researchers and first-class/airmail delivery: £195 (US$310) practitioners to provide a confluence of new information security technologies, their applications and their integration with IT Editorial enquiries, subscription enquiries, systems in various vertical sectors. For more information see orders and payments: http://ispec2005.i2r.a-star.edu.sg/. Virus Bulletin Ltd, The Pentagon, Abingdon Science Park, Infosecurity Europe 2005 takes place 26–28 April 2005 in Abingdon, Oxfordshire OX14 3YP, England London, UK. Now in its tenth year, the exhibition will have over Tel: +44 (0)1235 555139 Fax: +44 (0)1235 531889 250 exhibitors and its organisers anticipate over 10,000 visitors. Email: [email protected] www.virusbtn.com See http://www.infosec.co.uk/.
The 14th EICAR conference will take place from 30 April to No responsibility is assumed by the Publisher for any injury and/or 3 May 2005 in Saint Julians, Malta. Authors are invited damage to persons or property as a matter of products liability, to submit papers for the conference. The deadlines for submissions negligence or otherwise, or from any use or operation of any are as follows: academic papers 14 January 2005; poster presentations methods, products, instructions or ideas contained in the material 18 February 2005. For full details of the conference see herein. http://conference.eicar.org/. This publication has been registered with the Copyright Clearance Centre Ltd. Consent is given for copying of articles for personal or The sixth National Information Security Conference (NISC 6) internal use, or for personal use of specific clients. The consent is will be held 18–20 May 2005 at the St Andrews Bay Golf Resort given on the condition that the copier pays through the Centre the and Spa, Scotland. For details of the agenda (which includes a per-copy fee stated below. complimentary round of golf at the close of the conference) or to VIRUS BULLETIN © 2004 Virus Bulletin Ltd,The Pentagon, Abingdon register online, see http://www.nisc.org.uk/. Science Park, Abingdon, Oxfordshire OX14 3YP, England. Tel: +44 (0)1235 555139. /2004/$0.00+2.50. No part of this publication The third International Workshop on Security in Information may be reproduced, stored in a retrieval system, or transmitted in any Systems, WOSIS-2005, takes place 24–25 May 2005 in Miami, form without the prior written permission of the publishers. USA. For full details see http://www.iceis.org/.
20 DECEMBER 2004 HOTMAIL ORIGINATOR TURNS TO CONTENTS ANTI-SPAM Sabeer Bhatia, the man behind Hotmail, has announced that S1 NEWS & EVENTS he has invested in an anti-spam company. Bhatia, who developed the concept of web-based email in his mid-20s, and subsequently sold Hotmail to Microsoft for a reported S2 FEATURE $400 million, revealed last month that he had turned his A rival for online spam? attention to the problem of spam. Although reluctant to give away any details of his anti-spam project, he told an audience of Australian technology entrepreneurs that he S4 SUMMARY considers there to be ‘intelligent solutions [to the spam problem] by putting an appliance at a network level’. ASRG summary: November 2004
EMAIL AUTHENTICATION IN THE OPEN Last month an open letter was sent to members of the US Federal Trade Commission (FTC), calling for a rapid rollout NEWS & EVENTS of email authentication technologies. The letter was signed by 35 high-profile organisations including Amazon.com, the Anti-Phishing Working Group, the Bank of America, NEWS BY EMAIL CipherTrust, Cisco Systems, EarthLink, eBay, the Email Last month saw the inaugural issue of a twice-monthly Service Provider Coalition (ESPC), IronPort Systems, email newsletter dedicated to news and technical Microsoft, Sendmail, Symantec and VeriSign, and was sent information about the spam and anti-spam arena. The ahead of an email authentication summit held by the FTC newsletter, produced by POPFile and Spammers’ and the US National Institute of Standards and Technology. Compendium author John Graham-Cumming, is a The signatories of the letter pledged their support for email vendor-neutral, technical newsletter aimed at those who authentication standards, saying: ‘We stand united in our wish to keep informed about the latest in spam and fight against spam and phishing and in the support of email anti-spam. As well as news and events, each newsletter will authentication standards. We are committed to deploy[ing] include a technical article on spam or anti-spam techniques. the Sender ID Framework by publishing our records and Those interested in receiving the newsletter should visit advance signing technologies such as Cisco’s Identified http://www.jgc.org/ to subscribe. Internet Mail and Yahoo’s Domain Keys which can be rapidly deployed to meet the needs of consumers and SAVE YOUR SOUL WITH SPAM enterprises worldwide.’ The full letter can be read at http://truste.org/about/sender_id_industry_letter.php. We are all accustomed to receiving spam that advertises herbal medicines, designer watches, new mortgages and The authentication summit itself provided little in the way online degrees – and we are even used to seeing spam that of agreement on standards. Pavni Diwanji, of MailFrontier promises ‘quickie’ ordinations for aspiring ministers – but said, ‘We’ll be lucky if we solve 50 per cent of the problem MessageLabs has reported an influx of spam that goes one [with email authentication].’ However, there was general step further and offers the recipient spiritual salvation. agreement among participants that email authentication is an essential first step toward an anti-spam solution. According to researchers at MessageLabs ‘spiritual spam’ may not push a product of any kind, but may simply urge recipients to accept God into their lives. Some of the MOST-SPAMMED SEES END IN SIGHT messages even provide a prayer that ‘can save you or The world’s most spammed email recipient, Bill Gates, said someone you love’. Perhaps a prayer that can help you to last month that he hopes to have the spam problem under stop spam would be a useful addition.
DECEMBER 2004 S1 SPAM BULLETIN www.virusbtn.com
FEATURE control within two years. However, this is not the first A RIVAL FOR ONLINE SPAM? time Gates has quoted this time frame – ten months ago the VB website reported that Bill Gates had ‘explained John Clark that spam would not be a problem in two years’ time, TeleCommunication Systems due to Microsoft’s movements on sender-pays email’ (see http://www.virusbtn.com/news/virus_news/2004/ After a difficult period, the 02_03.xml). It was revealed last month that, with an mobile phone industry is average of four million incoming email messages per booming once again. It has day, Bill Gates ranks as the world’s most spammed email been reported (by EMC) that recipient [and we thought we’d got it bad! - Ed]. There’s one sixth of the world’s little reason to feel sorry for Gates though, since he has an population owns a mobile entire team dedicated to dealing with his emails. handset – which accounts for one billion people. This figure is set to double by 2006. EVENTS According to the Mobile Data Anti-Spam Asia takes place in Shanghai, China, on Association an average of 55 7 December 2004. The seminar will feature a number of million text messages (or speakers including representatives from Shanghai Computer Short Message Service, SMS) per day were sent across the Anti-Virus Center, anti-spam and anti-virus company UK’s GSM networks in August 2004. But, while millions of Sophos, and Hong Kong University of Science and people are using SMS to communicate with their friends, Technology. For more information or to register email buy data services or even vote for their favourite contestants [email protected]. on TV talent shows, an increasing proportion of the total The ISIPP’s National ‘Spam and the Law’ Conference will number of messages sent is made up of unsolicited be held on 28 January 2005 in San Francisco, CA, USA. commercial SMS messages, or spam. Subject areas covered by the conference include the current A study by British technology firm Empower Interactive state of the law regarding spam, the laws under which you revealed that 65 per cent of European mobile phone users operate when you send email, and the rights and obligations receive at least five spam SMS messages a week. In of email recipients. The conference is aimed at anybody addition, complaints about spam are increasing: in the UK involved in the email sending or email receiving industries, the number of complaints about unsolicited SMS including email service bureaus, email service providers, advertisements grew from 65 in 2002 to 393 in 2003. The ISPs and online marketing agencies. For details see Advertising Standards Authority recorded only six such http://www.isipp.com/. complaints in 2001. The 2005 Spam Conference will be held in Cambridge, All this suggests that we need to find a solution to guard MA, USA in early to mid January 2005 (date yet to be against the onslaught of mobile spam – mobile phones are confirmed). As in previous years the intensive, one-day beginning to swarm with unwanted messages, and we might conference will comprise a succession of quick (20-minute), end up with another spam epidemic on our hands. concentrated talks, with attendees going out for dinner together in the evening. See http://spamconference.org/. The International Quality and Productivity Center (IQPC) MOBILE SPAM AND NETWORK SPAM will hold a two-day conference on managing and securing The spam that affects mobile users and operators falls into corporate email from 1–2 February 2005 in Las Vegas, NV, two categories. The first, ‘mobile spam’, refers to unwanted USA. The conference will include case studies on tackling or unsolicited messages received on wireless devices and spam, viruses, compliance issues and instant messaging. For handsets. The second, ‘network spam’, refers to multiple more details see http://www.iqpc.com/. messages sent to solicit or harass a carrier’s subscribers and The Second Conference on Email and Anti-Spam (CEAS intended to have a negative impact on an operator’s network. 2005) will be held in summer 2005 (date and venue yet to Spam can take the form of solicitations, harassments, scams be announced). A low-volume mailing list has been set up or frauds. for CEAS conference-related announcements – sign up by As with any new phenomenon, it is hard to predict the sending a message with the body ‘subscribe ceas-announce’ progression of the problem or what the ramifications will to [email protected]. Information will also be be. An obvious parallel for mobile spam is email spam posted on http://www.ceas.cc/. – although there is still some question as to whether we
S2 DECEMBER 2004 SPAM BULLETIN www.virusbtn.com
should regard the Internet industry as a direct case study for and mobile device manufacturers will have to view spam as the mobile world. an ongoing threat to the industry. Mobile operators need to In August 2004, MessageLabs reported that 68 per cent of learn from both the successes and the mistakes made in the all emails sent were spam. Spam is now regarded as the Internet arena. principal issue of email subscriber discontent, it has a In addition, operators will need to look at how to address negative effect on productivity in the workplace, and has led what is the largest revenue driver in the Internet industry, to legislation that can bring criminal prosecution against the the adult content business. Operators must tread a fine line spammer in a number of countries. between providing their subscribers with the services they ask for, and protecting minors and those who do not wish to subscribe to the adult content services. Status quo RECOGNITION subscriber opt-in mechanisms will not be sufficient in this Mobile operators in Europe have recognised that, while scenario. A more complex approach that takes into account mobile spam is annoying to the end user, it (currently) a combination of business agreements, age verification represents a small percentage of the total number of text solutions, filtering, blocking and parental handset security messages sent. However, the subset of spam messages will need to be addressed. known as scams (fraudulent messages offering prizes and holiday deals if the recipient responds to a premium rate text or dials a premium rate number) has caused more FIRST STEPS concern among subscribers and is an issue that operators are Mobile operators are taking steps to make it harder for looking to address via business agreements and legislation, spammers to reach the end user. In Europe, operators prefer in addition to technical solutions. the ‘closed garden’ network approach – there has been a The concept of spam in the mobile arena has been tightening of commercial in-country and overseas roaming acknowledged and steps are being taken to ensure that the agreements between the national and international operators issue is not ignored. The EU Directive on Privacy and that now also cover data delivery. This has had the effect of Electronic Communications, which came into force on 31 making bulk SMS significantly more expensive to send October 2003, ruled that any company wishing to send an across their networks. Additionally, operators will look to electronic communication (including SMS) that originates permanently block overseas operators/vendors that try to in the EU must have the permission of the recipient in order harvest their subscribers’ mobile numbers or send to do so. The recipient must ‘opt in’ unless they already inter-carrier bulk spam via the SS7 signalling network. receive communications from the source – in which case the Another approach to curbing mobile spam – which is more recipient can opt out if they no longer wish to receive prevalent in the North American markets – is for operators messages from that source. to install anti-spam gateways at the edges of their networks. However, loopholes have been found in the legislation – as These can be configured to block, filter or quarantine any with email spammers, organisations sending SMS spam and messages that are not from recognised sources or domains, scam from outside the EU are unaffected by the directive. messages that are being sent in bulk (higher than a This means that it must fall to the EU’s mobile operators to predetermined volume), or that contain certain types of content. control the spam and scams being sent to their subscribers. While mobile spam may not ever become as prevalent as it LOOKING TO THE FUTURE has become in the Internet world, mobile devices are such personal items that an influx of even a small percentage of Mobile spam is a growing problem – and September this spam will not be tolerated by the users. Subscribers will year saw the first confirmed reports of mobile phone virus hold their mobile operators accountable, which will have SymbOS/Cabir (see VB, August 2004, p.4) in the wild. a serious negative impact for the operator, both financially With the increasing convergence of viruses and spam on the and in terms of subscriber loyalty. Internet, mobile operators should start thinking about the not-so-distant future. Viruses will become more widespread on mobile handsets and there is no doubt that they will LESSONS FROM THE INTERNET become more sophisticated. A little more consideration is Scams are currently the main issue which mobile operators needed from the mobile operators, along with a stricter set are looking to address in Europe, but as handsets become of regulations to which they must conform – otherwise the increasingly advanced and the ability to surf the Internet via mobile world may face a problem that has disastrous mobile devices becomes increasingly widespread, operators consequences for the industry.
DECEMBER 2004 S3 SPAM BULLETIN www.virusbtn.com
SUMMARY ASRG SUMMARY: tests could do so: http://www.hjp.at/mail/spam/mtamark/ mtamark.pl. NOVEMBER 2004 Markus Stumpf revealed that, at his organisation, they have Helen Martin added MTA Mark records to around one hundred of their mailservers and that they perform greylisting, and disable November was a notably quiet month for the ASRG mailing greylisting in case there is an MTA Mark = yes record. He list – perhaps because there was a physical meeting of also pointed out that there is native support for MTA Mark ASRG members at the 61st IETF in Washington, D.C. The in the current sendmail versions – and Markus said he 62nd IETF meeting (at which there will almost certainly be hoped to have a qmail interface/patch ready very shortly. another ASRG meeting) will take place 6–11 March 2005 in Last year Kurt Magnusson put forward a proposal for an Minneapolis, MN, USA. anti-spam system which used a blacklist comprising the The month began with a discussion of MTA Mark, the contact details (telephone numbers and URLs) contained in extensible system for determining whether an MTA should spam messages. The method was criticised at the time, with be running on a given IP address (see VB, May 2004, p.S2). group members suggesting that such a list could be tainted. Peter J. Holzer pointed out that the MTA Mark system However, for the last year and a half Kurt has been running requires only a couple of TXT records and that no change of a proof of concept system, using a simple shellscript with DNS or BIND is necessary. However, since his ISP does not some grep lines, and has had encouraging results. delegate reverse DNS for /29 networks, Peter said he would Kurt explained that he compiled his blacklist using both be unable to implement MTA Mark for his home network – spam he received in his own inbox and Spamarchive.org he would need his ISP to do this. repositories. He reported that, prior to ‘the Rolex Douglas Campbell pointed out that having to rely on the explosion’, he was receiving an average of just two to three controller of his address range to implement MTA Mark out of around 35 spams per day. He said, ‘to cope with should not pose a problem, saying, ‘I’d expect them to be Rolex, I added SURBL DNS list to the [proof of concept], eager to cut spam transiting their network.’ Douglas said he which thankfully decreased the post-Rolex hits from 20–30 would even be willing to pay a fee to allow his mailserver out of 40–50 spams a day to six to eight passing in.’ access to the network – although he acknowledged that the John Levine’s Internet draft ‘DNS Based Blacklists and big spammers would look upon the maximum fee he would Whitelists for E-Mail’ was added to the IETF’s database be willing to pay as ‘chump change’ (throwaway money). for Internet drafts this month. The draft documents the Peter Holzer, who works as a sysadmin for WSR, the structure and usage of DNS-based blacklists and whitelists, Austrian Computing Centre for Economics and Social and the protocol used to query them – it can be found at Sciences, revealed that he had tested all 155,000+ of the http://www.ietf.org/internet-drafts/draft-irtf-asrg-dnsbl- IP addresses which connected to his organisation’s MX 01.txt. during October 2004 for MTA Mark records. The results Indeed it was a busy month for ASRG chair John Levine, as were as follows: he was called as an expert witness for the prosecution in the 155,173 MTA = unknown criminal trial of prolific spammer Jeremy Jaynes (aka Gavin Stubberfield) and his sister Jessica DeGroot. The case was 8 MTA = no brought under Virginia’s state anti-spam law, which is 6 MTA = yes considered to be stronger than the Federal CAN-SPAM act. The Virginian law makes it a crime to send unsolicited bulk While these results were more encouraging than a similar mail using forgery, meaning that the prosecutors had to test Peter had carried out three months previously, he prove not only that Jaynes sent lots of unsolicited mail, but pointed out that they indicate clearly that, currently, there that it was sent using forgery. John Levine was asked to are not enough MTA Mark records to bother implementing testify as an expert on email technology and was questioned filters on them. briefly by the defence lawyers about his involvement with Furthermore, Peter revealed that the MTA Mark = no the ASRG. Although the trial progressed slower than the records he encountered seemed a little suspicious – he prosecutor had expected, Jaynes and DeGroot were suspected that in some of the cases someone had created an convicted of violating the anti-spam law. Jaynes was MTA Mark = no record for the whole network but had sentenced to nine years imprisonment, while DeGroot was omitted to add the MTA Mark = yes records for the mail fined $7,500. John’s fascinating account of his involvement servers. Peter posted a link to the script he used to run the in the trial can be found at http://www.circleid.com/article/ stats, so that anyone interested in carrying out their own 804_0_1_0_C/.
S4 DECEMBER 2004