Technical Analysis of the Skype Trojan

During December yet another trojan started making rounds, this time dubbed the Skype trojan -- SEO conspiracy. Was the trojan exploiting a zero day vulnerability in the Skype protocol? Absolutely not, as it was basically using Skype's messaging service as a propagation vector, thus, the gullible and in a Christmas mood end user was still supposed to interact with the malware by clicking on the link. And with required end user's interaction, the possibilities for major outbreaks were very limited. Perhaps the only development worth mentioning is the malware author's use of commercial anti-cracking software -- NTKrnl Secure Suite -- to make the unpacking harder, or at least theoretically improve the time needed to do so compared to using publicly obtainable, and much more easily detectable packers.

Two days ago, Nicolas Brulez from Websense Security Labs released a technical analysis of the trojan itself, and here's your proof for the logical possiblities of specific copy'n'paste malware modules :

"The main protection scheme I faced was the copy pasted from my Honeynet Scan of The month 33 Challenge. The breakpoint detection was 100% identical, even the numbers I had generated randomly. More importantly, the technique I had written based on SEH + cpuid/rdtsc was also copied. The only difference was that they used the EDX register to compare the timing.

Copy pasting protection code without even changing it a little, provides no security at all and allowed me to unpack it even quicker. (gotta love looking at code you wrote 2 years ago)

It apparently included some other tricks, that made it a little harder to unpack, and the file looked like it was corrupted at some point. In order to debug it and comment my disassembly in a readable way, I opted to use a userland debugger, and thus had to write a little shellcode for injection into the packed malware. Basically, it entailed abusing Windows Exception Handling (using a hook), to get past every check. After that, one could attach his favorite userland debugger to the malware and eventually find the Original Entry Point. Although the imports rebuilding for this protector isn't hard at all, it wasn't mandatory in this executable as it only imported one function: ExitProcess"

And while the average malware coder is using commercial tools to make his releases harder to analyze, the almighty jihadist is still living in the Hacker Defender world.

Were you Tracking Santa's Location?

As usual, NORAD were, but there's one minor issue to keep in mind and that's how during the Christmas and New Year holidays Santa Claus is the most successfully targeted victim of identity theft. Hopefully they were tracking the real Santa through the real Rudolph as the weakest link :

"The satellites have infrared sensors, meaning they can detect heat. When a rocket or missile is launched, a tremendous amount of heat is produced - enough for the satellites to detect. Rudolph's nose gives off an infrared signature similar to a missile launch. The satellites can detect Rudolph's bright red nose with practically no problem. With so many years of experience, NORAD has become good at tracking aircraft entering North America, detecting worldwide missile launches and tracking the progress of Santa, thanks to Rudolph."

All rest is a commodity but attitude.

Phishing Domains Hosting Multiple Phishing Sites

Well, well, well. What do we got here? Couple of interesting domains hosting phishing sites of multiple banks for you to take a look at, or at the cached versions to be precise. What's worth mentioning is the rise of phishing sites using the much more easily and anonymously registered .biz ; .info ; .name domains. However, the first part of these is related to 211.137.13.131 :

baldwindy.name
leqwas.biz
noosfo.biz
rsytarai.biz, another one

Multiple hosting:
201.195.156.13
lugers.biz
loreta.biz
tuker.info

Now, try searching the entire .biz space for "Bank Austria Creditanstalt". The good news is that even the average anti-phishing toolbar is capable of detecting these. The bad news is that customers aren't currently using such toolbars as much as they should. And with phishing toolkits lowering the entry barriers in this space by making it easy for wannabe phishers to "make an impact", we've got an efficient problem to deal with.

Google and Yahoo's Shareholders Against Censorship

Collective bargaining tends to achieve the necessary echo effect :

"The New York City Pension Fund wants shareholders to force Google and Yahoo to refuse Internet censorship requests by governments. The fund, which owns nearly $280 million worth of Google shares and $110 million in Yahoo shares, filed resolutions for shareholders at the two Internet companies to vote on at the next shareholder meetings. The resolution states that U.S.-based technology companies "that operate in countries controlled by authoritarian governments have an obligation to comply with the principles of the United Nations Declaration of Human Rights."

Go, go, go, shareholders. So that by the time censorship ends up where it's most aggressive for the time being, we can feel proud of ourselves living in a World 2.0, a world in which we all have universal access to the collective wisdom of everyone. Wait, that used to be part of both, Google's and Yahoo's mission statements once. From another perspective, the companies themselves have their hands tied by the overal Western world's revenues generation greed, and outsourcing inspirations in China's booming economy. But pretending it isn't happening is like ignoring the existence of the thought police these days.