F-Secure Weblog : Monthly Archives - December of 2005
Saturday, December 31, 2005
@ 18:46 GMT
First worm using the new WMF vulnerability has been found. This is what we were afraid of. Thankfully it doesn't seem to be too bad.

We only have second-hand reports of this case so far. It's an MSN Messenger worm sending links to an image file (link ending with "xmas-2006 FUNNY.jpg"). The link actually leads to a web page with a malicious WMF file. F-Secure Anti-Virus does detect the WMF file in question with our generic detection.

For more information see .
@ 11:12 GMT
Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally). The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak isn't just anybody. He's the main author of IDA Pro (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: .

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.
Friday, December 30, 2005
Posted by Stefan @ 12:29 GMT
The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround, wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal. What the workaround does not protect against is opening an exploited file in MSPAINT (aka Paintbrush). And as always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.
Thursday, December 29, 2005
@ 08:30 GMT
Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

And finally, you might want to start filtering these domains at your corporate firewalls too. Do not visit them.

So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.

We've seen 57 different versions of malicious WMF files so far. We detect them all as .
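As an added example (not the weblog's or F-Secure's code), here is a content-based check for the escape record that the WMF entries above single out: it walks the metafile record stream and flags any META_ESCAPE record carrying the SETABORTPROC escape number (escape 9; the Ilfak entry calls it SETABORT), whatever extension the file has, which is the point the posts make about renamed images and extension filters. Record layout follows the public Windows Metafile format; the sample input is constructed inside the block, carries no code, and exists only to exercise the parser.

```python
"""Content-based scan of a WMF byte string for META_ESCAPE/SETABORTPROC records."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key; 22-byte header, optional
META_ESCAPE = 0x0626           # record function that calls GDI Escape()
SETABORTPROC = 0x0009          # escape sub-function abused by the December 2005 exploit
META_EOF = 0x0000


def _is_wmf_header(data, off):
    """Return True if a standard 18-byte metafile header starts at offset off."""
    if len(data) < off + 18:
        return False
    mt_type, header_words, version = struct.unpack_from("<HHH", data, off)
    # mtType 1 = memory, 2 = disk; mtHeaderSize is always 9 words; mtVersion 0x100/0x300
    return mt_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_wmf_start(data):
    """Offset of the standard header, skipping a placeable header if present, else None."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return 22 if _is_wmf_header(data, 22) else None
    return 0 if _is_wmf_header(data, 0) else None


def iter_records(data, start):
    """Yield (offset, function, parameter bytes) per record; stop at EOF or bad sizes."""
    off = start + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break  # truncated or bogus record size: stop rather than over-read
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def scan_wmf(data):
    """Return a list of findings, one per escape record whose escape number is SETABORTPROC."""
    findings = []
    start = find_wmf_start(data)
    if start is None:
        return findings
    for off, func, params in iter_records(data, start):
        if func != META_ESCAPE or len(params) < 4:
            continue
        esc_num, byte_count = struct.unpack_from("<HH", params, 0)
        if esc_num == SETABORTPROC:
            findings.append({"offset": off, "escape": esc_num, "bytes": byte_count})
    return findings


def build_sample(malicious):
    """Constructed test input, not a real sample: a minimal in-memory WMF.

    With malicious=True an escape record with escape number SETABORTPROC and an
    all-zero payload is included; it is only the structure the scanner keys on."""
    records = [struct.pack("<IHH", 4, 0x0103, 1)]  # META_SETMAPMODE MM_TEXT, benign
    if malicious:
        payload = bytes(8)
        esc = struct.pack("<HH", SETABORTPROC, len(payload)) + payload
        records.append(struct.pack("<IH", (6 + len(esc)) // 2, META_ESCAPE) + esc)
    records.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(records)
    max_record = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


def with_placeable_header(data):
    """Prefix a (zero-filled) 22-byte placeable header, as many on-disk WMF files have."""
    return struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) + data


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("escape", build_sample(True))):
        print(label, scan_wmf(sample))
```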
Wednesday, December 28, 2005
@ 15:30 GMT
Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as .A, .B and .C.

Fellow researchers at Sunbelt have also about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

    Crackz [dot] ws
    unionseek [dot] com
    www.tfcco [dot] com
    Iframeurl [dot] biz
    beehappyy [dot] biz

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of the Soviet Union:

    Registrant Name: Mikhail Sergeevich Gorbachev
    Registrant Address1: Krasnaya ploshad, 1
    Registrant City: Moscow
    Registrant Postal Code: 176098
    Registrant Country: Russian Federation
    Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in real time, as Google Desktop contains a file system filter and will index new files as they appear.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
Posted by Mika @ 08:38 GMT
There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.

The exploit is currently being used to distribute the following threats:

    Trojan-Downloader.Win32.Agent.abs
    Trojan-Dropper.Win32.Small.zp
    Trojan.Win32.Small.ga
    Trojan.Win32.Small.ev

Some of these install hoax anti-malware programs the likes of .

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file. In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable... but then again, Windows Media Player is not able to show WMF files at all, so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.

F-Secure Anti-Virus detects the offending WMF file as with the _01 updates. We expect Microsoft to issue a patch on this as soon as they can.
Tuesday, December 27, 2005
@ 08:38 GMT
There is no MSN Messenger 8 yet. Not in public beta anyway. However, there's a new virus going around pretending to be "MSN Messenger 8 Working BETA". There are two ways to catch it. First, by downloading it from a fake site where it has supposedly been "leaked":

If you download and run BETA8WEBINSTALL.EXE from that site, you won't get a new chat client. Instead, your existing MSN Messenger will start to send download links to everyone in your contact list. It also connects your machine to a botnet server.

The download link always contains the recipient's email address. For example, if you had a friend with email address , he would get a download link like </im.php?msn=:

We've just added detection for this one as Virkel.F.
Saturday, December 24, 2005
@ 08:24 GMT
Merry Christmas to all of our readers!

And happy holidays!

With best wishes,
F-Secure weblog staff
Friday, December 23, 2005
Posted by Katrin @ 21:27 GMT
It started almost 3 hours ago with 2 new Bagle downloaders and now there are 2 more. Looks like another Bagle night. Actually, one more just arrived.
Thursday, December 22, 2005
Posted by Sami @ 21:07 GMT
We are up to Bagle.FJ. The count for this evening is already 6. Update version number _07 is on its way.
Posted by Katrin @ 19:32 GMT
We have now four new Bagle downloaders - all are very similar variants. We detect them as W32/Bagle.FE, W32/Bagle.FF, W32/Bagle.FG and W32/Bagle.FH. They are detected with the update _05.
Posted by Alexey @ 17:00 GMT
Looks like the guys behind Bagle don't have a life. Instead of shopping for Christmas they keep creating and spreading new downloaders. We just got a few reports about a new Bagle-related downloader that is now being spammed as a ZIP attachment containing a file named DFC00027.EXE. The mass-mailer that is responsible for this Bagle round was uploaded some time ago to one of the websites that are monitored by old Bagle downloaders. I hope that this round will be as short as the one.

Detection for the mass-mailer is already available as . The new downloader will be detected as with the _03 updates that are expected shortly.
Tuesday, December 20, 2005
@ 12:35 GMT
Remember ? The one which sends fake emails from the FBI, CIA and German police.

One of the emails it sends to German recipients goes like this:

    Das Herunterladen von Filmen, Software und MP3s ist illegal und
    somit strafbar. Wir moechten Ihnen hiermit vorab mitteilen, dass
    Ihr Rechner unter der IP erfasst wurde. Der Inhalt Ihres Rechner
    wurde als Beweismittel sichergestellt und es wird ein
    Ermittlungsverfahren gegen Sie eingleitet.

    Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird
    Ihnen in den naechsten Tagen schriftlich zugestellt.

    --- Bundeskriminalamt BKA
    --- Referat LS 2
    --- 65173 Wiesbaden
    --- Tel.: +49 (0)611 - 55 - 12331 oder
    --- Tel.: +49 (0)611 - 55 - 0

...which goes on to explain that illegal material has been found on your computer, an investigation against you has been started, the contents of your hard drive have been seized as evidence, and you should execute the attachment without thinking twice about it.

Now, it turns out somebody in Paderborn, Germany got this message, freaked out about it and decided to turn himself in. Whoa. German police investigated his computer and found child porn on it.

Thanks to Micha for the tip. Full story from .
Posted by Alexey @ 12:01 GMT
We have received reports about a Bagle-related downloader being posted on one of the sites that were used for distribution of Bagle files in the past. This is the second-level downloader that just downloads one file and runs it. The downloaded file is a minor variant of the previous Bagle mass-mailer; we detect it as . The mass-mailer sends out ZIP archives with a new Bagle-related downloader that we detect as in the latest updates.
@ 09:11 GMT
Ryan Naraine wrote an interesting on how Google is indirectly profiting from typosquatters.

We wrote about the basic problem : clowns from Panama and elsewhere have been registering domains like , and are using them to show ads.

According to the eWeek article, most of the misspelled URLs are parked . This is a domain parking server owned by Google. When people mistype web addresses and end up on these sites, the sites show Google AdSense advertisements, profiting the fraudsters - and indirectly profiting Google.

comments in the article: "By dramatically increasing the revenue that cyber-squatters can earn, Google encourages the cyber-squatting business and makes marginal squatting domains profitable - further increasing the scope of this problem".

Here's a nice example: typosquatting domain "" is showing Google AdSense ads that we pay for, pointing to our Client Security :

Oh, and here's another nice trick. The WHOIS data for a fraudulent domain "www-" contains JavaScript which tries to launch a new window and load the fake site when viewing the record.
Monday, December 19, 2005
@ 14:10 GMT
We're finally getting some decent temperatures this winter. It's around -10 °C (that's 14 °F) right now in Helsinki and the sea around our headquarters has now frozen.

And by the way: we have plenty of open positions in our Helsinki office. Check out if you're interested in working with us!

So come to Finland! Surf's up!
Posted by Jarno @ 13:43 GMT
In August 2004 we warned people about a in the Widcomm Bluetooth stack used by many PC Bluetooth dongles. The Widcomm stack contains a vulnerability which allows remote code execution over Bluetooth, so that an attacker or a worm can take over a PC just by being inside Bluetooth communication range. Last week people at Digital Munition found another that allows unauthorized remote access to the PC Bluetooth audio profile. Basically this means that anyone with the proper software can eavesdrop on a PC that has Widcomm Bluetooth software and a microphone, or play audio on the target PC.

While this vulnerability is not nearly as dangerous as the remotely exploitable buffer overflow, it is a good reminder that nobody should be using the old and vulnerable Widcomm software anymore. However, as Widcomm was bought by another company (Broadcom), no security fixes have been made for devices that don't use a Broadcom chipset. Fixing this problem is not easy.

The best advice we can give to people is to look for some other Bluetooth stack; for example, many Bluetooth devices work without any extra drivers with Windows XP Service Pack 2. If there is no compatible Bluetooth stack available, we recommend setting authentication for the Headset Audio Gateway profile, as described in the advisory, and setting PC Bluetooth to non-discoverable mode. Setting your PC Bluetooth to non-discoverable will not remove the problem completely, as your PC can still be found by brute-force scanning. But it will significantly limit the exposure.
Sunday, December 18, 2005
@ 16:47 GMT
Fairly quiet weekend, except some small-scale Dasher action. The latest version is now using an FTP server at 61.177.237.66 (feel free to filter that at your corporate gateway).

So why not liven up the weekend by copying some security-related podcasts to your MP3 player?

Clark Boyd from BBC's on the latest virus situation. He interviewed me, Graham Cluley, Bruce Schneier and Alan Paller (SANS). Do note the huge difference in sound quality between me and Graham. Graham was using an ISDN line to talk with Clark in Boston, while I was using just a normal GSM phone. Can't wait for VoIP-based phone interviews to become commonplace... the sound quality would be superior.

And while on the topic of security podcasts, check out by Leo Laporte and Steve Gibson. Especially their episodes were good ones to listen to.
Friday, December 16, 2005
Posted by Dan @ 16:41 GMT
Stefan has spent a considerable amount of time lately here in the Anti-Spyware lab looking into .
Downloaded and installed by Trojan-Downloader.Win32.Zlob, SpyAxe is nice enough to detect the Trojan that downloads it, but it won't disinfect it unless you pay for a SpyAxe license, $49.50 U.S. (plus a nominal $2.95 transaction fee).
I wouldn't dare pay for a licensed copy to verify that removal is actually done, but I have my doubts.

An annoyance at first, but there seems to have recently been a huge spike in the distribution of Zlob.
We found a way to see how many unique registration IDs have been handed out by the site Zlob registers with.
Most of the day, there seemed to be about 1,000 new infections per hour, but now that the U.S. is waking up and powering on their computers, that number has risen to about 2,500 infections per hour.
I'd guess that we can expect to see many more variants to come.

We have published detection for today's Zlob variant, named , in the _02 virus update.
Thursday, December 15, 2005
Posted by Alexey @ 15:57 GMT
The mass-mailer for the downloader has been found. It sends out ZIP archives containing the Bagle.EX downloader file, named S3700020.EXE. Detection for the mass-mailer will be available shortly as .
Posted by Jarkko @ 15:02 GMT
Shortly after Dasher.A, we got a sample of another variant, . This time the whole exploit chain is complete - the remote server that exploited machines connect to is currently up and running. The server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver. Both Dasher variants are using the same exploit code, released by "Swan" earlier this month.

Thanks to SANS ISC and Georg Wicherski of the German Honeynet Project for sending a sample of this variant!
Posted by Katrin @ 15:01 GMT
A new Bagle-related downloader - , has been spammed a lot. We have just published urgent detection for it in the _06 updates.
Posted by Jarkko @ 10:00 GMT
We just received a sample of the first known malware exploiting the vulnerability in Microsoft Windows Distributed Transaction Coordinator (). We call it "". The actual exploit is based on publicly available exploit code which was released on the first of December. This worm doesn't appear to be very successful because of two flaws:

- It uses a central server in China for distribution (which is currently down)
- The exploit code itself is quite unstable

As far as we can see, the situation with Dasher.A is already over.
Wednesday, December 14, 2005
@ 06:22 GMT
We forecasted this ago: the first phishing emails in Finnish have just been sighted. Although the language used in these emails is so horribly bad it's just funny.

Unfortunately the hilariousness is pretty much untranslatable for our international readers, but trust us: the language here is baaad. The links point to at least 4 different web sites, located in Australia and elsewhere. Nordea has a public out on this.

After this incident, we're aware of phishing cases done in 18 different languages: English, Chinese, German, French, Italian, Spanish, Portuguese, Russian, Dutch, Greek, Swedish, Norwegian, Danish, Hungarian, Estonian, Romanian, Turkish and Finnish.
Tuesday, December 13, 2005
@ 13:52 GMT
We've received several reports of emails warning about a new virus called "Kongo31.XRW" (which doesn't exist).

The email links to a fake McAfee site, hosted in Canada:

The download link gets you a file called ak26xrw-patch-installer-win32.exe - which (surprise, surprise!) is infected with Trojan-Downloader.Win32.Hanlo.h.

We have warned our colleagues at McAfee about the fake site.
Posted by Jarno @ 08:49 GMT
When looking at the anti-virus research conference calendar, the time after New Year seems to be quite active indeed.

Jarno is speaking at two Black Hat conferences in the coming year. First at in Washington DC, held on January 23-26, 2006, and then at , held in Amsterdam on March 2-3, 2006. In both Black Hats the topic is how to combat and handle Symbian malware. The goal of the presentation is to give the necessary tools and information on how to clean infected devices and how to prevent the malware from spreading further. In Black Hat Federal the presentation is from the federal and law enforcement point of view, and in Black Hat Europe the presentation is from the system administrator's point of view. Mikko is speaking on similar topics at three conferences during the first half of the year: in , in in Australia.

While on the topic of handling Symbian malware, we have noticed that it is rather difficult to clean an infected mobile device. So we have created a set of training slides that give instructions on what to do when encountering an infected device. And since the regular readers of this blog are people who are quite likely to be asked to help if an employee's or friend's phone gets infected, we have decided to publish this information in the hope that it helps in cases where one gets an infected phone in his hands and needs to figure out what to do.

Download the slides here:
Sunday, December 11, 2005
@ 21:00 GMT
Almost any online shop can be a target of phishing scams. , being one of the largest online shops in the world, is a popular target.

Here's a recent example. Somebody sent out a fairly large mailing of "Order enquiry" emails from "", directing people to a look-alike site hosted in South Korea:

But this site is not just about stealing your Amazon username and password. Once you "log in", you get a new page, asking you to update your credit card information:

Here's a nice detail: see the "DFFDFD'S STORE" button above? The hacker was logged into the with that user account when he stole the graphics.

Next you might notice that the site is also asking for your credit card PIN number. Funny that, I don't remember Amazon asking for this before... let's see the details.

Oh, it's for security. To fight identity theft and credit card fraud. Great.
Friday, December 9, 2005
Posted by Era @ 16:32 GMT
Just a quick one for our dear domestic readers: the is back, with a slightly different message. But by and large, it's familiar enough that there isn't really anything new. It's still in English, the sites are still on faraway servers, predominantly in the Far East from what we've gleaned from the samples we have seen so far, and the risk that actual Nordea customers would fall for it would seem rather small, considering how much publicity the previous incident stirred up in the Finnish media, for one thing.

The generic phishing detection rules of our spam filter already classify these messages correctly, but we are putting out a database update with a specific rule for this case, just to be on the safe side.
Thursday, December 8, 2005
@ 16:02 GMT
The first Sober variant was found in October 2003. Since then, we've found over 20 different variants.

Most of these variants contain a routine that activates the virus at a later date. After this the virus will try to periodically download and run a file from several websites. This is the way most new Sober variants are distributed: the author uploads a new version and all the infected machines will suddenly get infected with the new variant.

Sober.Y was the biggest email outbreak of the year. It is still responsible for around 40% of all the infections we see. This variant is programmed to activate on January 6th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever. The virus even synchronizes the machines via atom clocks, so the activation will not happen before January 6th even if the clock of the computer is incorrect.

So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which change based on the date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.

However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines.

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.

So what do these pseudorandom URLs look like? They look like this. These are the download sites Sober.Y will start using after the 5th of January. We're leaving out the filename of the actual executable, but this should be a good enough list of addresses you might want to block at your corporate firewall, if you're a system administrator:

Right now, none of these URLs exist. If they are to be used, the virus writer will register them just before the activation.

However, the list will change every 14 days. After the 19th of January the list becomes:

Last thing: several earlier Sober variants (most notably ) have been sending out neo-nazi propaganda messages. According to , the activation date of January 5th is an anniversary date for the Nazi party.

UPDATE: More on Sober activation dates .

ERRATA: The original entry contained errors in the URL lists. They should be accurate now. Also, the activation date is not the 5th of January, but the day after that.
Wednesday, December 7, 2005
@ 16:50 GMT
Yeah, we still have three weeks to go before the end of the year, but we're publishing our year-end summary already. In a nutshell: we're seeing fewer widespread outbreaks. This is the result of smaller targeted attacks launched by professional criminals - instead of the large outbreaks initiated by hobbyists. So while the situation seems to be getting better, it's actually getting worse.

F-Secure's Data Security Summary for 2005 is available in PDF: and .

You can also watch a 10-minute (WMV, 19MB) or download the same as an (MP3, 7MB) for your iPod or whatever.

And for the hard core: the same in Finnish. The , the and the .
Posted by Mika @ 09:35 GMT
Since F-Secure is the first vendor to have a built-in rootkit scanner in its , we are very often asked how many rootkit variants exist. This question is not that easy to answer with precise numbers, as there is very little malware named "Rootkit.Win32.Something". Most malware that uses rootkit techniques is called "Backdoor.Win32.Something", "Worm.Win32.Something", "Virtool.Win32.Something", etc. However, since our (generic rootkit detection) has now been available for 9 months, we have a pretty good feel for what the rootkit menace currently is all about.

In a recent Microsoft says that more than 20 percent of all malware it has removed from its Windows XP SP2 customers are rootkits. "The open-source FU rootkit ranks high on the list of malicious software", the article states.

We definitely can agree that FU has been extremely widespread during 2005. There is a simple explanation for this. FU is a very simple rootkit to into worms and bots. It should be noted that FU only hides processes -- not files or registry keys. Currently worm and bot authors are mainly interested in hiding their processes from Task Manager. They are not that keen on hiding files, since most Windows users do not know which files should be in their "System32" folder anyway.

In our view, (Backdoor.Win32.HacDef) is not as common as FU. However, various bots and backdoors use the HacDef rootkit to do their hiding. In addition, we regularly see this rootkit being used by hackers on compromised corporate servers. Therefore, although the infection numbers of HacDef are most likely far below those of FU, these infections are usually far more serious.

One might say that the has to be the most common rootkit, because it was shipped on a huge number of music CDs. This would be a logical assumption, but we have not received that many reports of BlackLight finding this particular rootkit. BTW, Sony has finally released a stand-alone for their DRM software.

We believe that since October 2005 the most common rootkit out there has clearly been . The reason for Apropos to use rootkit techniques is very different from your average worm or bot. Usually rootkit malware tries to avoid detection. Apropos, on the other hand, shows the user pop-ups 'ad nauseam'. Therefore, the motive of Apropos is not to use rootkits for hiding itself. The very advanced rootkit functionality in Apropos is designed to prevent uninstallation and removal.
Monday, December 5, 2005
@ 23:13 GMT
I was searching my hard drive for something else and I happened to run into this: a story I wrote over 12 years ago. It's about analysing a virus called Crepate. I hope you enjoy it.

An testing F-PROT's OS/2 version, answering support calls and writing the upcoming Update Bulletin. It's over five o'clock, time to get home - the fall is far advanced and I'll have to get my lawn sown before winter sets in.

The phone rings and shatters these thoughts. The call comes from Symbolic, our distributor in Italy. Jeremy Gumbley, who works in Symbolic's technical support, is on the line.

Jeremy gives it to me in a nutshell: a person had just dropped by and told him that a new, unknown virus had been found in one Italian university. There are probably tens of infected computers - the exact number is not known, because none of the antivirus programs that have been tried has been able to identify the new virus. The situation is serious and all the computers will remain on hold until the virus is under control. The visitor brought along a disketteful of files suspected to be infected.

Jeremy has already taken a look at the files and is quite certain that they contain a new virus. I tell Jeremy that I'll start working on the subject immediately. Via modem, Jeremy transfers a sample packet to the F-Secure BBS system, and the examination begins. I extract the samples and put them through an automated examination system, which checks the files with thirteen different antivirus programs and stores the reports in an easily readable form. The system reports no alarms, although some programs report that certain sample files have counterfeit time stamps: in their creation date, the clock's seconds field shows an impossible value, 62. Some viruses use this trick to mark files they have already infected.

I give the files a quick once-over with a hex editor, enough to conclude that if they contain a virus, it is a brand-new one. Certain files have the text "(c)Crepa" at their end. Via Internet, I transfer the files to Frisk Software International's FTP server in Iceland. Just to be sure, I call Iceland and recount the incident to Fridrik Skulason.

He says that the files will be taken under close inspection right away. We decide to divide our forces: Jeremy and I will concentrate on examining how the samples function, in other words find out what the virus really does. The people at FSI will focus on building detection and disinfection routines for the new virus. We'll keep in contact by phone and e-mail. I hang up and start the classification of samples. Seems like I won't get any time off for my lawn today.

I find out quickly that there are three different kinds of samples. Some of the files contain extraneous code at their end. This is not caused by a virus but by the "Immunize" function of the Central Point Antivirus program. To be on the safe side, I remove the immunization code and check the original programs. The files are clean. Some of the other programs contain code which seems to have been added to their beginning. The remaining files have the text "(c)Crepa" at their end. It seems that we need to divide the analysing task if we want to resolve the problem as quickly as possible. I call back to Iceland, and we agree that they will start working on incorporating the detection and disinfection of the virus while Jeremy and I start to disassemble and document the functioning of the little beast.

I give the Crepa files a closer look. There are four of them, all parts of the Italian MS-DOS 6. I choose to , since it is a comfortably short program to examine and I know its structure of old. First I take a hex dump of the program by using Borland's TDUMP application. Then I proceed to run a debug listing of it with good old DEBUG. It proves extremely difficult to follow the program's execution with a DEBUG listing: the virus completes only one or two instructions at a time before jumping somewhere else in the code. Therefore I turn to Zanysoft Debugger, and use it to analyze the . Along with Borland's Turbo Debugger, I have found ZD to be a handy tool to examine virus samples with.

The program's execution is easier to follow with ZD, and it soon becomes clear that the author of the virus has wanted to make the program difficult to examine by coding it full of jump instructions. However, a careful inspection of the code reveals that the commands executed between jumps form a complex routine that decrypts 3900 bytes at the end of the file. At this point it becomes obvious that this is a self-encrypting virus.

I execute the virus one command at a time until it has decrypted itself. Then I store the virus code back on the diskette. When I go over the decrypted virus code, I notice that two new lines of readable text have surfaced from beneath the encryption:

    COMcomEXEexeOV?ov?
    (c)1992/93-Italy-(Pisa)

The first line appears to indicate that the virus is capable of infecting COM, EXE and overlay files. The second line confirms the virus to be of Italian origin.

I discover that the task of separating the virus code and the original code from each other is too arduous. Instead, I decide to see whether I can get the virus to infect a bait file. As bait, I use a collection of COM and EXE files which contain nothing more than a termination instruction and a lot of zeros to pad the files to a certain length. Such programs do nothing else than terminate their execution, and since the file lengths are even numbers, a change in size caused by a virus can be noticed at first glance.

I transfer the virus to our much-abused test computer, and copy a sample of clean baits into the same directory with the virus. When I run the , it gives an error message in Italian complaining about incorrect parameters. I use a memory mapping program to check for changes in memory allocation. No changes are evident, which means that the virus is either not resident in memory or capable of bypassing memory mapping applications. I check the bait files - no changes in those either. I run the a couple of times to be certain, but the bait programs are simply ignored. Why? There are many possible explanations. Maybe the virus is picky about the files it infects. Maybe it won't infect anything on even days. Maybe it doesn't infect files in its current directory, but somewhere else on the disk. Maybe it is a stealth virus, in which case the changes cannot be seen anyway, at least not while the virus is active.

Jeremy calls while I'm thinking about all this. We get into a discussion on its peculiar jump structure. "I'm sure I have never seen so many jump instructions", "For a moment I thought it was a new version of the Commander Bomber virus, but no, at least not that", "I think that this jump-spaghetti has been added just to confuse heuristic analysis". Indeed - F-PROT's heuristic analysis failed to give warning of an infected file even when the /GURU option was enabled. Goes to show that any software-based protection can be overcome by software. Jeremy has managed to examine the virus a bit further. We agree to name the virus Crepate for the time being.

Jeremy says that, right after decrypting itself, the virus gets into the business of doing some absolute disk writes. Immediately, I get a brainstorm. It is a multipartite virus we are talking about here, operating in the same way as, for instance, Tequila. When the virus is executed in a clean computer, it infects the hard disk's Master Boot Record but does nothing else. The next time the computer is turned on, the virus stays active in memory and starts infecting other program files. I test my theory - and yes! The F-CHECK checksum program reports an altered Master Boot Record.

I use Norton's DISKEDIT to take a copy of the Master Boot Record's code before restarting the computer. The boot-up seems to be completely normal. I run MEM and find the familiar sign indicating the presence of a boot sector virus: the amount of DOS memory has dropped from the 640 kilobytes normally available in this computer.
There are only 636kilobytes left, which means that the virus takes up four kilobytes.I go back to the virus directory and run the bait files again. Strangelyenough, the baits are still not infected. The filesizes stay the same,whatever I do. Without giving the matter further thought, I run DOS'sCHKDSK and attain instant enlightenment. CHKDSK reports "Allocationerror" for every COM and EXE file I have executed during this session.The report includes all the files referred to in AUTOEXEC.BAT, all baitfiles, and CHKDSK.EXE itself. This is a clear sign of an active stealthvirus that is operating in the computer and hiding the changes it hasmade to files. However, the virus is not sophisticated enough to hidethe changes from the CHKDSK program, which is reporting errors caused bycontradictions between directory information and File Allocation Table.The closer I look, the more advanced this virus is beginning to seem.When I compare the infected bait files, I notice that the decryptionroutine varies between different samples. In addition to everythingelse, the virus has polymorphic characteristics mixed in.The phone rings - Fridrik is calling from Iceland. His staff has gone through the same sample files, concentrating first on the samples which I and Jeremy had decided to leave alone for the time being. Some of the samples had indeed been clean, though packed by using CPAV. Some other files had been found to contain a new virus, which was named March 25th. In other words, two different viruses are on the loose in the Italian university! Frisk hands me a short account on the characteristics of the March 25th virus: a memory-resident COM and EXE infector that structurally changes COM files into EXEs. The virus activates on the 25th of March and overwrites most data on the hard disk. The size of this virus is only 1024 bytes, and it is much simpler than Crepate.Frisk has also gone over the Crepate files, and he is already well acquainted with the virus's functioning. 
For some reason, though, the virus does not function in his test computers. Although it manages to infect the hard disk's Master Boot Record, the computer won't boot afterwards. Curious. Fridrik is ready to build a disinfection routine for the virus, but he is hampered by the fact that he cannot get it to spread. I promise to send him a program packet containing both clean and infected versions of the same sample files.After hanging up I take a closer look on the code the virus writes on the Master Boot Record. Aha, it tries to make inspection more difficult with commands that modify the commands next in line...I get another brainstorm. Immediately, I call back to Frisk and ask what kind of a computer he used to test the virus. Frisk tells me he has used his newest virus testing computer, a 33 MHz 386DX. "Does it have internal cache memory", I ask. "Yes, 8 kilos", Frisk answers. The mystery unravels. I had tested the virus in a 16 MHz 386SX computer with no cache memory. The cache memory of Fridrik's computer buffers commands that are to be executed next, and makes it unnecessary to retrieve them all the way from the main memory. Because of that, though, the changes the virus tried to make in its own code never got through. The bytes it tried to change had already been read into the cache memory where they could not be altered. In other words, the Crepate virus cannot function in computers with internal cache memory - it will only crash them during boot-up.I start to create a sample of demo files, beginning with a collection of programs that are different from each other both structurally and in file size. I pack the clean programs and transfer the packet into the infected computer. There I execute, open and copy programs. Any of these operations infects the program in question, but I notice that the virus won't infect the smallest files. I boot the computer from a clean diskette, pack the infected files and transfer them back to my own computer. 
Again, I open a telnet session and send the sample packet to Iceland via FTP.I continue to examine the virus. It seems that Crepate uses a verypeculiar method to hook the DOS interrupt 21h. The virus would gainnothing by jumping to hijack the interrupt for the first thing it doesafter it has been executed from the boot sector, because DOS takes theinterrupt into use only later on. Instead, at the very beginning thevirus hijacks BIOS's timer interrupt, activating 18.2 times in a second.The virus uses this interrupt to check 18 times in a second whether DOShas loaded itself. When that happens, the virus hooks the interrupt 21hto its own code. That way it gets to be the first program to clam ontothe interrupt.The phone rings again, this time it's Jeremy. We quickly exchange what we have learned from the virus. He tells me he has found a date check and destruction routine further along the code. The virus activates on the 16th day of any month, and executes a remarkably thorough destruction routine. It overwrites all the data on the first hard disk, going through the disk from beginning to end. Since that kind of a routine is quite difficult to code, most viruses use destruction routines that overwrite only a part of the hard disk. For example, even the notorious Michelangelo virus destroys only a certain amount of the hard disk's data. After such partial destruction, it is usually possible to salvage some data from the hard disk without turning to expensive data recovery services. Crepate is a different breed of cat and goes through the disk thoroughly, sector by sector.The 16th day. That was a week ago -- maybe the virus was discovered aweek ago, when the first hard disks were wiped? No matter. It must bestopped now, before it causes further damage.I code a routine that checks files for Crepate infection. Using it, Iscan the test computer's hard disk. Practically all the programs I haveused during the evening have been infected. 
I wipe the hard disk andrestore a basic combination of clean software on it. I run the routinealso on diskettes I have used to carry files between the test computerand my own. I'm surprised when I notice that the boot sectors on thediskettes have also been infected. What on Earth - to the best of myknowledge, the virus code contained no routines for infecting diskettes.I go over the code more carefully, looking for something that hints atdiskettes. After a time it becomes clear that the virus uses the sameroutine to infect both hard disks and diskettes. Crepate is a truemultipartite virus -- capable of infecting three different file types andtwo kinds of boot sectors. Its maker must have spent a long timefinishing his creation.Fridrik sends a completed search routine via FTP. Using it as the base,I create F-PROT Professional 2.09e. After a quick check to make sure theprogram recognizes both March 15th and Crepate faultlessly, I transferit to the file areas of F-Secure BBS. I call Jeremy to tell him hecan pick it up with his modem. At the moment, he is putting together asummary of the virus to be delivered to the client. He says he will takeF-PROT to the university in the morning.Everything is just about finished for the evening. Frisk E-mails amessage saying that he'll send a sample of the virus to other antivirusprogram developers so they can add the recognition of the new virus totheir own products. After that, Frisk says, he will go home. Jeremysounded tired too.The time is 01.30 in Finland, 00.30 in Italy and 22.30 in Iceland. I'llgo and get some sleep, too - the fall is far advanced and I'll have toget my lawn sown before winter sets on. Originally published 12 years ago in , May 1993.PS. Jeremy, if you're reading this...get in touch!
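Three of the cheap, defender-side signals the story relies on are worth seeing as code: zero-padded bait files of a round, even size, the "impossible" seconds value in a DOS directory timestamp, and the CHKDSK-style contradiction between a file's directory size and its FAT cluster chain that an in-memory stealth virus cannot hide. The Python below is an added example, not code from the article, from F-PROT or from F-Secure; every file name, size, timestamp and cluster count in it is constructed for illustration, and the 2048-byte cluster size is an assumption.

```python
"""Bait files, DOS timestamp sanity and a CHKDSK-style allocation check.

Added example, not code from the original article. Every file name, size,
timestamp and cluster count below is constructed for illustration.
"""
import math

INT20H = b"\xcd\x20"  # INT 20h: "terminate program", the whole body of a COM bait


def make_bait_com(length: int) -> bytes:
    """Build a COM bait: one terminate instruction, zero-padded to an even size.

    A round, even length makes growth caused by an appending infector
    visible at a glance in a directory listing.
    """
    if length < len(INT20H) or length % 2:
        raise ValueError("bait length must be even and at least 2 bytes")
    return INT20H + b"\x00" * (length - len(INT20H))


def decode_dos_time(packed: int):
    """Unpack a 16-bit FAT/DOS time: 5 bits hour, 6 bits minute, 5 bits seconds/2."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2


def encode_dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a DOS time; the seconds field is stored halved, so 62 fits in 5 bits."""
    return (hour << 11) | (minute << 5) | (second // 2)


def timestamp_is_impossible(packed: int) -> bool:
    """True for values a real clock never produces, e.g. a seconds field of 62."""
    hour, minute, second = decode_dos_time(packed)
    return hour > 23 or minute > 59 or second > 59


def allocation_error(dir_size: int, chain_clusters: int, cluster_size: int) -> bool:
    """CHKDSK-style check: the FAT chain must hold exactly the clusters the directory size needs.

    A stealth virus that lies about the size in the directory entry cannot also
    shrink the cluster chain it needed to store the appended code.
    """
    needed = math.ceil(dir_size / cluster_size)
    return chain_clusters != needed


def audit(baseline: dict, current: dict, cluster_size: int = 2048) -> list:
    """Compare a directory snapshot against the clean baseline.

    Each entry is (size_in_directory, packed_dos_time, clusters_in_fat_chain).
    Returns one finding string per anomaly; an empty list means nothing suspicious.
    """
    findings = []
    for name, (size, ptime, clusters) in current.items():
        base_size = baseline.get(name, (None,))[0]
        if base_size is not None and size != base_size:
            findings.append(f"{name}: size changed {base_size} -> {size}")
        if timestamp_is_impossible(ptime):
            findings.append(f"{name}: impossible timestamp {decode_dos_time(ptime)}")
        if allocation_error(size, clusters, cluster_size):
            findings.append(f"{name}: allocation error (dir={size}, chain={clusters} clusters)")
    return findings


# Constructed snapshots. CLEAN_TIME is an ordinary 17:05:10 stamp.
CLEAN_TIME = encode_dos_time(17, 5, 10)
BASELINE = {
    "BAIT1.COM": (1024, CLEAN_TIME, 1),
    "BAIT2.COM": (2048, CLEAN_TIME, 1),
    "BAIT3.COM": (4096, CLEAN_TIME, 2),
}
AFTER = {
    # stealth hides the growth in the directory, but the 62-second marker
    # and the three-cluster FAT chain give it away
    "BAIT1.COM": (1024, encode_dos_time(17, 5, 62), 3),
    # growth of 3900 bytes visible directly in the directory listing
    "BAIT2.COM": (2048 + 3900, CLEAN_TIME, 3),
    # untouched
    "BAIT3.COM": (4096, CLEAN_TIME, 2),
}


def demo() -> list:
    """Run the audit over the constructed snapshots."""
    return audit(BASELINE, AFTER)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The audit deliberately keeps three independent signals, because a stealth infector hides exactly one of them (the directory size) while the other two are side effects it does not control: the marker it plants to avoid re-infecting a file, and the clusters the file system had to allocate for the appended code.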
Thursday, December 1, 2005
@ 07:09 GMT
After announcing
two months ago, we're going deeper into the hardware appliance business. We've today acquired a company called ROMmon - welcome aboard, guys! ROMmon, the brainchild of networking guru Petri Helenius, has been specializing in ultra-fast network monitoring devices. One very nice application of this technology is automatic monitoring for rogue nodes in a network. For example, ROMmon devices were used very effectively during the massive
demo party to locate and isolate infected machines in the party network. See some of these .

We're launching a new product called
based on this technology. It will tackle spam and computer zombies for service providers automatically. This box will monitor traffic from end-users at the network edge, automatically denying offending computers access to the network. Those using too much bandwidth or operating as spam zombies will automatically get redirected to a self-help web page, explaining what they have to do (like "clean your PC - install patches!") in order to regain network connectivity.

This is smart compared to the current model where ISPs and other service providers are manually trying to figure out who is a zombie and who is not - and when they find one they will just cut the user off, leaving him wondering what's going on and making support calls.

This technology works: it is already being used to monitor around half a million subscriber lines.
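The edge-side decision the post describes (watch each subscriber line, flag the ones sending spam or burning bandwidth, and redirect them to a self-help page instead of silently cutting them off) reduces to a per-subscriber aggregation over flow records. The Python below is an added example sketching that heuristic; it is not ROMmon's or F-Secure's code, the thresholds are illustrative assumptions, and the flow records use RFC 5737 documentation addresses and are constructed.

```python
"""Per-subscriber spam-zombie heuristic over flow records (added example).

Not ROMmon's or F-Secure's code. Thresholds are illustrative assumptions;
the flow records are constructed and use documentation-only IP ranges.
"""
from collections import defaultdict

SMTP_PORT = 25
MAX_SMTP_PEERS = 20              # distinct remote mail servers per window (assumption)
MAX_EGRESS_BYTES = 50_000_000    # 50 MB outbound per window (assumption)

# Constructed flow records: (subscriber, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("sub-001", "198.51.100.10", 443, 120_000),
    ("sub-001", "198.51.100.11", 25, 3_000),        # one ordinary mail submission
    *[("sub-002", f"203.0.113.{i}", 25, 2_500) for i in range(1, 41)],  # fan-out to 40 mail servers
    ("sub-003", "198.51.100.20", 80, 80_000_000),   # heavy upload, no SMTP fan-out
]


def classify(flows, max_smtp_peers=MAX_SMTP_PEERS, max_bytes=MAX_EGRESS_BYTES):
    """Return {subscriber: (action, reasons)} for one monitoring window.

    A subscriber is redirected to the self-help page when it talks SMTP to
    more distinct peers than a mail client plausibly would (spam zombie
    pattern) or exceeds the outbound byte budget; everyone else is allowed.
    """
    smtp_peers = defaultdict(set)
    egress = defaultdict(int)
    for subscriber, dst_ip, dst_port, bytes_out in flows:
        egress[subscriber] += bytes_out
        if dst_port == SMTP_PORT:
            smtp_peers[subscriber].add(dst_ip)

    verdict = {}
    for subscriber in egress:
        reasons = []
        if len(smtp_peers[subscriber]) > max_smtp_peers:
            reasons.append("smtp-fanout")
        if egress[subscriber] > max_bytes:
            reasons.append("bandwidth")
        action = "redirect-to-selfhelp" if reasons else "allow"
        verdict[subscriber] = (action, reasons)
    return verdict


if __name__ == "__main__":
    for subscriber, (action, reasons) in sorted(classify(FLOWS).items()):
        print(f"{subscriber}: {action} {reasons}")
```

Counting distinct SMTP peers rather than raw SMTP connections is the design point: a legitimate client talks to one or two submission servers repeatedly, while a zombie delivering spam directly fans out to many recipient domains' mail exchangers, so the distinct-peer count separates the two even when byte volumes are similar.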
