CONTENTS in THIS ISSUE Fighting Malware and Spam

CONTENTS in THIS ISSUE Fighting Malware and Spam

AUGUST 2012 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT ICE AGE IP addresses and privacy-sensitive data: a Aditya Sood and colleagues present an analysis of different point of view ICE IX bot, a descendent of the Zeus bot which demonstrates how one bot can give rise to another. page 8 3 NEWS VB2012: Call for last-minute papers Researchers discover extent of data collected HIDE AND SEEK by iPhone apps There are multiple ways to hide the decoder, such as by forcing Windows to apply a relocation delta, or by 3 MALWARE PREVALENCE TABLE using obscure instruction side effects. Now, W32/Tussie shows us a way to hide the encoded data. Peter Ferrie has the details. MALWARE ANALYSES page 16 4 ZAccess detailed analysis 8 Inside the ICE IX bot, descendent of Zeus 16 Tussling with Tussie A LOAD OF JUNK As a form of anti-debugging/anti-emulation, some 18 FEATURE malicious programs insert garbage code within their instructions. Raul Alvarez looks at the use of Garbage collection garbage code and unsupported or rarely used APIs by recent malware. 22 END NOTES & NEWS page 18 ISSN 1749-7027 COMMENT ‘[In] the digital realm ... In reality, of course, I would have called the emergency services without hesitation and without a second thought we tread very carefully to the sensitive data involved. Privacy infringement would and avoid reporting not have entered the minds of the victims, the police, the [incidents] for fear of fi re brigade, or even the privacy commissioner. However, as soon as we enter the digital realm and a divulging sensitive data, break-in is discovered (whether in real time or after the i.e. the IP address.’ event), a DDoS attack is noticed, or spam is seen being sent from a machine, we tread very carefully and avoid Wout de Natris, De Natris Consult reporting the incident for fear of divulging sensitive data, i.e. the IP address. In my opinion there is no difference IP ADDRESSES AND between this and the ‘real-world’ situations described PRIVACY-SENSITIVE DATA: A above: a law has been broken or an emergency situation has arisen, and it should immediately be reported to the DIFFERENT POINT OF VIEW proper authority. For as long as I have been involved in spam enforcement By giving the street address in the two real-world and the sharing of data between entities, public and examples, I do not say anything about who’s living there private, the discussion as to whether an IP address is (I may not even know). The most important thing is personal data has been on the agenda. that someone needs help. On the Internet someone also There is no doubt that providing an IP address to an entity needs help – perhaps a private individual, a company, a can lead to the identifi cation of the end-user. (Although government or other organization – but here that does this may be changing somewhat because of IPv4 depletion not seem to count for as much. If someone discovering a and the introduction of carrier-graded NATs, where more crime on the Internet says ‘from this IP address a crime and more end devices are behind one IP address.) or violation has happened/is happening’, they do not say anything about the owner of the machine (just like To look at the issue from a different angle, consider the reporting a fi re or burglary). The only difference is that following scenario: I’m walking down the street – it’s a (regulatory) enforcement agency or botnet mitigation very quiet, nobody else is around. I notice that a fi re has centre may be asked for assistance rather than the police broken out in an apartment block and someone is trapped, or fi re brigade. shouting for help. I shout: ‘Do you give consent for me to hand over your personal data (your address) to the If a government has provided the (regulatory) enforcement emergency services?’ The person in the building replies agencies with the proper powers to investigate (not all ‘No, I don’t’. There is nothing I can do but walk on. regulatory enforcement agencies have these powers), they have the right to ask for privacy-sensitive data under Next, I see two people on the street, one of whom appears specifi c circumstances. It is up to a judge either to approve to be attacking the other. They are standing in a doorway. the information request beforehand or judge afterwards, I shout ‘do you want me to call the police?’ ‘Yes!’, replies depending on the choice made in the law. No privacy is the person being attacked, but the attacker shouts ‘No! I infringed by reporting, and if it is, a judge will set it right. live here and by giving the police this address you would be infringing on my privacy!’. Again, there is nothing I I think it’s time to set the record straight on privacy and if can do but put my phone away and walk on. necessary set rules on what’s allowed and what isn’t. The fact that breaking and entering in the form of accessing Editor: Helen Martin or taking over a computer (and its subsequent use for ill Technical Editor: Morton Swimmer purposes) cannot be reported just does not sit right with me. Test Team Director: John Hawes I wonder whether privacy is really the reason for not Anti-Spam Test Director: Martijn Grooten reporting such incidents. It’s time to fi nd out what the Security Test Engineer: Simon Bates other reasons could be and for governments, where Sales Executive: Allison Sketchley possible, to provide the ideal situation for entities to Perl Developer: Tom Gracey report in. Reporting would greatly enhance safety and Consulting Editors: Nick FitzGerald, Independent consultant, NZ security in the online world and in the real world too Ian Whalley, Google, USA – hacked computers and online intrusions are in the Richard Ford, Florida Institute of Technology, USA end real-life threats as money and identities are stolen, sensitive data is abused and organizations are threatened. 2 AUGUST 2012 VIRUS BULLETIN www.virusbtn.com NEWS VB2012: CALL FOR LAST-MINUTE PAPERS Virus Bulletin is seeking Prevalence Table – June 2012 [1] 2012 submissions from those wishing DALLAS to present last-minute technical Malware Type % papers at VB2012. Autorun Worm 10.97% The last-minute presentations will be selected by a Downloader-misc Trojan 6.88% committee consisting of a number of industry members Iframe-Exploit Exploit 5.98% including members of the VB advisory board. The committee will be looking for presentations dealing with Sirefef Trojan 5.41% up-to-the-minute specialist topics, with the emphasis on Confi cker/Downadup Worm 5.13% current and emerging (‘hot’) topics. Heuristic/generic Virus/worm 4.85% Those selected for the last-minute presentations will be Crypt/Kryptik Trojan 4.48% notifi ed 18 days prior to the conference start, and will be Exploit-misc Exploit 4.05% required to prepare a 30-minute presentation to be given on Adware-misc Adware 3.28% Thursday 27th September at the Fairmont Dallas hotel in Dallas, TX, USA. Injector Trojan 2.64% Sality Virus 2.58% Those selected for the last-minute presentations will receive a 50% discount on the conference registration fee. Heuristic/generic Trojan 2.53% Agent Trojan 2.37% The deadline for submissions is 30 August 2012. FakeAV-Misc Rogue 1.99% The full call for papers, including details of how to submit Dorkbot Worm 1.81% a proposal, can be found at http://www.virusbtn.com/ conference/vb2012/call/. Crack/Keygen PU 1.59% Blacole Exploit 1.56% Encrypted/Obfuscated Misc 1.49% RESEARCHERS DISCOVER EXTENT OF Jeefo Worm 1.31% DATA COLLECTED BY IPHONE APPS Dropper-misc Trojan 1.30% Bitdefender researchers have found that almost one in fi ve Wimad Trojan 1.29% iOS apps can access a user’s iPhone address book, 41% can track the user’s location, and more than one in three store Virut Virus 1.26% user data without encrypting it. Backdoor-misc Trojan 1.15% The researchers looked at more than 65,000 apps available LNK-Exploit Exploit 1.14% from Apple’s App Store and found that an alarming number Ramnit Trojan 1.02% of applications access user data without explicitly seeking FakeAlert/Renos Rogue 0.99% the user’s permission. Although it was clear that many AutoIt Trojan 0.97% of the apps required such data and privileges in order to function, the researchers found many others that seemed Brontok/Rontokbro Worm 0.83% to have no requirement for the data they were collecting. PDF-Exploit Exploit 0.83% Furthermore, 42.5% of the applications did not encrypt user Lethic Trojan 0.79% data when storing it – thus potentially putting the data at Kuluoz Trojan 0.75% risk after collecting it. Redirector PU 0.74% Of the apps analysed, 18.6% were able to access the full contents of the user’s address book – the researchers Others [2] 16.01% considered it unlikely that all of these apps would Total 100.00% legitimately require access to the address book. Meanwhile, 41.4% of the apps analysed had [1] Figures compiled from desktop-level detections. location-tracking functionality – making it likely that the [2] Readers are reminded that a complete listing is posted at majorty of iPhone users have at least one app on their http://www.virusbtn.com/Prevalence/. device that knows their location. AUGUST 2012 3 VIRUS BULLETIN www.virusbtn.com MALWARE ANALYSIS 1 ZACCESS DETAILED ANALYSIS are different fi lenames in that cabinet fi le, based on different computer architecture (32 bits versus 64 bits).

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    22 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us