Tuesday, April 10, 2007

Shots from the Malicious Wild West - Sample Four

My earlier "shots", covering various pieces of malware, packers, and on-the-fly analysis of malicious URLs, will keep expanding, the idea being to show you screenshots of things you usually only read about but never get the chance to actually see. In the first shot I discussed ms-counter.com, in the second the Pohernah crypter, and in the third The Rat! Keylogger. You may also find a recent post on the dynamics of the underground economy, along with its screenshots, very informative.

In this virtual shot I'll discuss the High Speed Verifier, a commercial application spammers use to filter the fake and non-existent addresses out of their spam databases, not only to send their messages out faster, but also to improve the quality of the databases I love poisoning so much. What is the High Speed Verifier all about? As its authors state:

"HSV detects about 20-30% of invalid addresses in a mailing list, though theoretically it is possible to detect up to 60-70% using a software product. This figure seems relatively small, but actually it might make 10% of a list. Besides, HSV provides for optimal checking mode in terms of time and data traffic. More thorough checking (with which the remaining 40% of invalid addresses could be detected) takes 10 times longer and requires 5 times greater traffic for each address, hence it's not that advisable with huge lists."

So once addresses are harvested they have to be verified, and then abused for anything from phishing attacks to good old fashioned social engineering tricks deceiving users into executing malware, or into visiting a site that will do it for them. Don't get too excited, the advanced version has even more interesting features:

"The program works on the same algorithm as ISP mail systems do. The mail server addresses for the specified address are extracted from DNS. The program tries to connect to the SMTP servers found and simulates the sending of a message. It never gets as far as sending the message — AMV disconnects as soon as the mail server reports whether the address exists or not."
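The verification loop the quote describes, as an added example that is not part of the original post and not code from the HSV or AMV products: a small fake SMTP server (constructed for the demo, with a made-up mailbox table) and a verifier client that issues MAIL FROM / RCPT TO and hangs up before DATA. It goes slightly beyond the quote by also showing the catch-all countermeasure (a server that answers 250 to every RCPT TO, so the verifier learns nothing from the reply) and a session heuristic a mail admin could apply to server logs. The DNS MX lookup is replaced by a direct host:port connection to the toy server; every hostname, mailbox and address below is an assumption made for the demo.

```python
import smtplib
import socketserver
import threading

# Constructed mailbox table: the only recipients the toy server "knows".
KNOWN_MAILBOXES = {"alice@example.test", "bob@example.test"}

# Constructed spam list to verify: two real mailboxes, two that do not exist.
SAMPLE_LIST = ["alice@example.test", "nobody@example.test",
               "bob@example.test", "ghost@example.test"]


class ToySMTPHandler(socketserver.StreamRequestHandler):
    """Just enough of RFC 5321 to answer EHLO/MAIL/RCPT/RSET/DATA/QUIT."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        srv = self.server
        self.reply("220 example.test ESMTP toy")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO", "RSET"):
                self.reply("250 example.test")
            elif verb == "MAIL":
                self.reply("250 2.1.0 OK")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>").lower()
                srv.rcpt_probes.append(addr)
                # Catch-all mode accepts every recipient, which is exactly
                # what blinds a verifier: a 250 here tells it nothing.
                if srv.catch_all or addr in KNOWN_MAILBOXES:
                    self.reply("250 2.1.5 OK")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "DATA":
                srv.data_seen += 1
                self.reply("554 5.5.1 Transaction failed")
            elif verb == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("502 5.5.1 Command not implemented")


class ToySMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, catch_all):
        super().__init__(("127.0.0.1", 0), ToySMTPHandler)
        self.catch_all = catch_all   # accept every RCPT TO?
        self.rcpt_probes = []        # recipients probed, as a log would record
        self.data_seen = 0           # DATA commands received in total


def verify_addresses(host, port, addresses, sender="probe@verifier.test"):
    """Probe each address with MAIL FROM / RCPT TO and never send DATA.

    Returns {address: accepted}. This is the verifier behaviour quoted in
    the post, minus the DNS MX lookup: the demo connects straight to
    host:port instead of resolving MX records for the recipient domain."""
    results = {}
    with smtplib.SMTP(host, port, local_hostname="verifier.test",
                      timeout=5) as smtp:
        smtp.ehlo()
        for addr in addresses:
            smtp.mail(sender)
            code, _ = smtp.rcpt(addr)
            results[addr] = (code == 250)
            smtp.rset()              # fresh envelope for the next probe
    return results                   # the 'with' block sends QUIT, no DATA


def looks_like_verifier(rcpt_count, data_count, threshold=3):
    """Session heuristic for mail server logs: several RCPT TO probes and
    no DATA is a verifier harvesting answers, not a client sending mail."""
    return rcpt_count >= threshold and data_count == 0


def run_demo(catch_all):
    """Run the verifier against a toy server; return (results, data_count)."""
    server = ToySMTPServer(catch_all)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        results = verify_addresses(host, port, SAMPLE_LIST)
    finally:
        server.shutdown()
        server.server_close()
    return results, server.data_seen


if __name__ == "__main__":
    for mode in (False, True):
        results, data_count = run_demo(catch_all=mode)
        print("catch-all" if mode else "strict", results,
              "verifier-like session:", looks_like_verifier(len(results), data_count))
```

In strict mode the verifier correctly separates the two real mailboxes from the two fakes; in catch-all mode every probe comes back 250 and the list is no cleaner than before, which is the cheapest way to make a verified list as worthless as an unverified one. The session heuristic is deliberately crude: four recipient probes and zero DATA in one connection is what a verifier run looks like from the server side.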

The old dilemma is still in place: direct online marketing vs. spam, and what is the difference these days, if any? Marketed as tools to assist online marketers, these programs are naturally abused by spammers, phishers and everyone in between.

Month of Malware Bugs Coming

This will prove interesting, as it's directly related to a previous discussion on hijacking or shutting down someone else's botnet by exploiting vulnerabilities in its code:

"During each day of the Month of Malware Bugs McAfee Avert Labs will provide analysis of flawed malicious code (aka bugs). These are viruses that don't spread, password stealing Trojans that can't leave the stable, drive-by attacks that crash and burn, phishing attacks that phlop, denial of service attacks that are denied, etc. Our analysis will highlight the errors made by authors, and show how these threats can be fixed and in most cases optimized for maximum potency."

Have you ever imagined that as a pen tester or security consultant you'd have to exploit XSS vulnerabilities in a botnet's web C&C in order to take a peek inside? Botnet polymorphism, used to limit the chance of an easily detectable communication pattern emerging, is just as important as the constant diversification across different communication platforms. While malware authors are consistently creative and excel at staying a step ahead of the security measures in place, they're anything but outstanding programmers, or at least don't put as much effort into QA as they could. Are malware coders interested in benchmarking and optimizing their "releases", do they have a test bed in the form of a virtual playground to evaluate the effectiveness of their code, or do they simply enjoy a "release it and improve it on the fly" mentality? It's all a question of who the coders are and how serious their intentions are.

In a very well structured paper from Symantec, author John Canavan looks at various bugs in popular malware such as the Morris worm, Sobig, Nyxem and OSX.Leap, as well as the Code Red worm, W32.Lovgate.A@mm, W32.Logitall.A@mm, VBS.SST@mm, VBS.Pet_Tick.N, W32.Beagle.BH@mm and W32.Mytob.MK@mm. A rather interesting fact about the much hyped Nyxem:

"However something that was overlooked in a lot of reports at the time was this bug in the code, which meant that the worm would not overwrite files on the first available drive found. For example if the first available drive is the C drive, the worm will overwrite files in available drives from D to Z."

Looking forward to seeing the bugs due to be highlighted in the MoBB.