Archive for December 2008

Happy New Year!

The Avira Team wishes you a happy new year! May the new year be successful for you!

With the new year our TechBlog is officially opened for the public. We hope that you find interesting and useful information here!

Dirk Knop
Technical Editor

Infected Christmas presents

After last year's Christmas I thought that the producers of digital picture frames, USB sticks and MP3 players would have learned their lesson and do better quality assurance, just to make sure they don't deliver malware on their devices. Obviously, I was wrong.

Samsung managed not only to ship infected digital picture frames; the CD with software for Windows XP carries malware as well, a variant of the Sality trojan family. Additionally, if you plug the digital picture frame into a USB port of your computer, Windows will most likely process the autorun.inf that sits on it. Avira AntiVir detects this as TR/Dldr.VB.egl. Four differently named copies of an executable sit in the root directory, and the autorun.inf file tries to start Recycled.exe from there. The malware authors gave the trojan the icon of a directory so it looks like a folder in Windows Explorer. This trojan is generically detected as TR/Dropper.gen.

Samsung issued a warning (PDF) and offers non-infected software for Windows XP in its download center. The notice only talks about the infected driver CD and the media, though, and doesn't mention the danger of plugging the infected photo frame itself into the computer.

Please be careful when plugging such USB-connected gifts into your computer. At the very least, hold down the Shift key while plugging in the device; this stops Windows from processing the autorun.inf file. And always use an up-to-date antivirus solution: the malware found on most of these devices has been known for some time already.
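As an added example (not code from the original post), here is a small triage script for a mounted removable volume that does the two checks the post describes: it parses autorun.inf and reports which executable the "open"-style entries would start, and it lists the executables sitting in the volume root. The autorun.inf text and the file names created by build_sample_volume() are constructed sample data, not the real files from the Samsung frame; the only name taken from the post is Recycled.exe.

```python
# Added example, not from the original post: triage of a removable volume
# as described above. SAMPLE_AUTORUN and the file names in build_sample_volume()
# are constructed sample data, not the real files from the infected frame.
import pathlib
import tempfile

LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section (keys lower-cased).
    Tolerates comments and junk lines, which real autorun.inf files often contain."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def triage_volume(root):
    """Report what an autorun.inf on `root` would launch and which executables sit
    in the volume root. A launch target that exists in the root (the pattern from
    the post) is flagged."""
    root = pathlib.Path(root)
    report = {"launch": [], "root_executables": [], "flags": []}
    inf = root / "autorun.inf"
    if inf.exists():
        entries = parse_autorun(inf.read_text(errors="replace"))
        report["launch"] = [entries[k] for k in LAUNCH_KEYS if k in entries]
    report["root_executables"] = sorted(
        p.name for p in root.iterdir()
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES)
    present = {name.lower() for name in report["root_executables"]}
    for target in report["launch"]:
        # strip a quoted program path or trailing arguments, keep the file name
        exe = target[1:].split('"', 1)[0] if target.startswith('"') else target.split()[0]
        if pathlib.PureWindowsPath(exe).name.lower() in present:
            report["flags"].append(f"autorun.inf would start {exe} from the volume root")
    return report

# Constructed autorun.inf resembling the one described in the post.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=Recycled.exe\r\n"
    "shell\\open\\command=Recycled.exe\r\n"
    "icon=Recycled.exe\r\n"
)

def build_sample_volume():
    """Constructed stand-in for the infected frame: autorun.inf plus four
    differently named copies of one dummy executable in the root."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    for name in ("Recycled.exe", "photos.exe", "setup.exe", "readme.exe"):
        (root / name).write_bytes(b"MZ" + b"\x00" * 62)   # dummy, not a real PE
    return root

if __name__ == "__main__":
    for finding in triage_volume(build_sample_volume())["flags"]:
        print(finding)
```

Run it against the mount point of a suspicious device instead of the constructed sample; anything it reports under "flags" is exactly the situation the post warns about, and the listed executables are the files to hand to the scanner.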

Dirk Knop
Technical Editor

Merry Christmas!

All Avira team members wish you a Merry Christmas! We hope that you had a successful, malware-free year 2008 and that you can enjoy some days with your family and your beloved ones.

May Santa bring nice gifts for you!

Dirk Knop
Technical Editor

Build your own ZBot

Our malware analysts stumbled upon a small archive which turned out to be a ZBot construction kit. It is very simple to use. The version we found dates from the end of August this year; newer versions are already available on the malware market.

ZBot construction kit from end of August.

It works with simple text configuration files. Pre-configured are plenty of online banks and social networks. The generated trojan will attempt to steal login information for the configured targets. Also the data dump and the control server get configured in the configuration file.

The configuration file of the ZBot construction kit is text-based.

Also included is a file with search strings for different online sites. With this list, the trojan tries to collect the data which is worth some bucks on the black markets.

The ZBot variant searches within the web pages for certain strings which promise valuable data.

Many popular banks and social network sites are targeted, from different countries. The binary form of the configuration file which the drones on infected computers will download gets built by a simple mouse click. This way, the bot herder can update the targets for his drones very easily.

The configuration file for the drones is fetched from an online server and gets built with a simple mouse click.

The trojan binary has to be built according to this configuration so that it connects to the right servers and data dumps. This takes yet another single mouse click, and the cyber criminal has his perfectly tuned trojan.

The trojan gets built with another mouse click.

PHP software for the data dumps and the control servers is included as well, so you don't need to know much about programming at all. Just upload those PHP files to a hacked, maybe even fast-fluxed and/or bulletproof-hosted control server, start the PHP install script, and you're done.

Comfortable command & control of the botnet and the data dump is also included in the package.

In case all this is too complicated for the cyber criminal, a help file is included as well. It is written in Russian, though, unlike the rest of this malware construction kit, which is in English.

If the kit is too complicated, a Russian help file is of assistance.

It is amazing how sophisticated malware and malware construction kits in the underground have become. For very little money you get everything you need to start your own botnet and steal valuable information.

Luckily the ZBot construction kit and its generated trojans are detected by Avira products as TR/Spy.ZBot.dyy and TR/Crypt.XPACK.Gen, respectively. But only 13 of 38 antivirus products on VirusTotal warn that this is malware; some products from major players in the antivirus market still don't detect these old ZBots.

Dirk Knop
Technical Editor

Cleaning polymorphic infected files

Even though parasitic malware accounts only for a small part of all malware these days, it seems that file infector viruses are making a comeback. File infectors modify existing files by injecting code into them.

When an infected file is started, the virus code takes control and may infect other files. As a rule, control is passed back to the original host program after the virus has done its dirty work, so the user doesn’t notice anything wrong. Sophisticated techniques such as encryption, obfuscation, polymorphism and stealth capabilities are often used by this kind of malware to make detection harder and to hide its presence.

While detection isn’t necessarily more difficult compared to other types of malware, removal is usually a less trivial task (which may be the motivation for malware authors). In many cases, files cannot simply be deleted as this would affect the stability or even basic functionality of the operating system and other software.

Instead, the infected host program must be disinfected by removing the virus code from it and by carefully restoring the original contents and file structure if possible. The threat posed by this type of infection seems greatly underestimated nowadays, as the frequency of trojan infections is much higher. However, one must keep in mind that an infection with a static trojan binary is usually limited to one or very few systems in a networked environment. For file infectors, which nowadays often come with worm-like spreading routines, this is not the case. A full network-wide infection, including network shares and sometimes operation-critical software, can prove to be a much bigger issue to deal with than a single trojanized workstation.

This means detection and removal are still an issue for antivirus software. As an example, this blog entry discusses the removal of the Almanahe virus, which appeared in 2007 in different variants. Almanahe is a polymorphic virus that infects Windows executable (PE) files on the local system and spreads via network shares. It also has rootkit capabilities to hide its presence on the infected system. The variant covered here is detected by AntiVir as W32/Alman.BB.

When infecting an executable file, the virus performs the following modifications to the host file:
- It overwrites part of the original code section (about 1400 bytes) and redirects the entry point to the start of the injected virus code.
- The overwritten original code is compressed using a run-length encoding (RLE) algorithm and appended to the last section, along with the dropped component (roughly 36 kB in size), which is also compressed.
- It modifies the PE header to reflect the changes made to the file.
- Since most of the virus code is encrypted, it also sets the writable flag on the code section, so the virus can decrypt itself in place when it is started.
- To prevent multiple infection of the same file, the virus inserts an infection marker into the MZ header.

Layout of infected PE file

In order to disinfect a file infected by this virus, the following steps must be performed:
- First, the original code, which has been appended to the last section, must be located and decompressed.
- Then the original code can be restored by overwriting the virus code in the code section.
- The entry point has to be redirected to its original location.
- The data appended to the file is cut off and the original size of the last section is restored.
- Last but not least, the header values need to be adjusted and the infection marker is removed.

Doing this is not as trivial as it may sound at first, because the data is encrypted/compressed and the offsets and sizes differ for each file. So let's have a closer look at how disinfection works:

The virus entry point code starts with about 200 bytes of randomly generated junk instructions in order to prevent detection by a simple signature. At the end of this non-encrypted block, there is a simple decryption loop that decrypts the remainder of the virus code injected into the code section upon execution of the file. The decryption scheme is a simple SUB, ADD, or XOR operation with a single byte key. So as a first step, we need to decrypt this code.

The decrypted code contains the decompression routine for the data appended to the last section. In the next step, we locate the code where the decompression routine is called:

Call(s) of decompression routine

As we can see, the decompression routine is called twice. The first call extracts only the first part of the data appended to the last section, which is the original code from the code section. The second call extracts the dropped file (which is static). What we need to do is locate the first call and extract the parameters for the decompression routine: the relative start offset (0xFA00) and the decoding length in bits (0x27AA).

As already mentioned, the (de)compressor is some kind of run-length encoder (RLE); strictly speaking, a scheme that refers back to earlier output by position and length belongs to the LZ77 family of dictionary coders. If a byte sequence recurs, only the position and the length of the previous occurrence are stored in the encoded data. When decoding, a single flag bit signals whether the next byte is taken directly from the encoded data or whether an already extracted byte sequence must be copied to the current position in the destination buffer. In the latter case, only the position and the length are encoded in the input stream. The following picture illustrates the decoding mechanism:

Decoding mechanism (output stream)

Now that we have located the offset and size of the compressed original code, we can restore it by decompressing the first part of the data appended to the last section. We write it to its original location in the code section, and thus overwrite the virus code.

We still need to restore the original entry point RVA, which we can also extract from the decrypted virus code:

RVA of original entry point

In the next step, we truncate the file to its original size by cutting off the appended data and adjusting the size of the last section. We also restore the header values where possible. Unfortunately, not all header values can be restored, since some information is irretrievably lost, so it is not guaranteed that every repaired executable will run again, although most will. Executables that verify their own integrity via a checksum or digital signature are especially affected. Finally, the infection marker in the MZ header is removed.

After performing these steps, all parts of the virus code are removed and the original contents of the file are restored except for some of the mentioned header values. Of course, the other modifications to the system caused by the virus, like dropped files or registry entries, must also be revoked. This, however, is beyond the scope of this blog entry.
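The following is an added example, not Avira's engine code and not the virus author's code. It replays the disinfection sequence described above (decrypt the virus body with a single-byte key, read the parameters of the first decompressor call, inflate the original code, write it back over the virus stub, cut off the appended data, restore the entry point and last-section size, clear the infection marker) on a constructed in-memory image with a tiny stand-in header instead of a real PE. The compressor's bit layout (1 flag bit; literal = 8 bits; back-reference = 12-bit distance + 4-bit length), the 8-byte junk block, the XOR key 0x5A and the header fields are illustrative assumptions; Almanahe's real formats differ. The decoder is general for any stream in that layout, and the encoder exists only to build the sample.

```python
# Added example, not Avira's or the virus author's code. Replays the
# disinfection steps from the post on a constructed in-memory image. Token
# layout, junk size, key and header are illustrative assumptions.
import struct

def compress(data):
    """Greedy LZ77-style encoder for the token stream decompress() reads.
    Returns (packed bytes, number of meaningful bits)."""
    bits = []
    put = lambda v, n: bits.extend((v >> i) & 1 for i in range(n - 1, -1, -1))
    i = 0
    while i < len(data):
        best_len, best_dist = 0, 0
        for dist in range(1, min(i, 4095) + 1):
            n = 0
            while n < 15 and i + n < len(data) and data[i + n] == data[i + n - dist]:
                n += 1
            if n > best_len:
                best_len, best_dist = n, dist
        if best_len >= 3:                 # flag 0: back-reference (distance, length)
            put(0, 1); put(best_dist, 12); put(best_len, 4)
            i += best_len
        else:                             # flag 1: literal byte
            put(1, 1); put(data[i], 8)
            i += 1
    nbits = len(bits)
    bits += [0] * (-nbits % 8)            # pad to a byte boundary
    packed = bytes(int("".join(map(str, bits[k:k + 8])), 2) for k in range(0, len(bits), 8))
    return packed, nbits

def decompress(blob, offset, nbits):
    """Decode nbits bits starting at byte `offset`: flag 1 = literal follows,
    flag 0 = copy <length> bytes from <distance> bytes back in the output."""
    pos, end, out = offset * 8, offset * 8 + nbits, bytearray()
    def get(n):
        nonlocal pos
        v = 0
        for _ in range(n):
            v = (v << 1) | ((blob[pos >> 3] >> (7 - (pos & 7))) & 1)
            pos += 1
        return v
    while pos < end:
        if get(1):
            out.append(get(8))
        else:
            dist, length = get(12), get(4)
            for _ in range(length):
                out.append(out[-dist])    # byte-wise copy handles overlapping runs
    return bytes(out)

HDR = struct.Struct("<2sIIIB")   # magic, entry point, code size, last-section size, infection marker
PARAMS = struct.Struct("<III")   # in the encrypted virus body: original entry, rel. offset, bit count
JUNK = 8                         # assumed size of the junk block before the decryption loop
STUB = JUNK + PARAMS.size        # bytes of the code section the virus overwrites

def xor_bytes(buf, key):         # single-byte-key loop; SUB/ADD variants are handled the same way
    return bytes(b ^ key for b in buf)

def clean_image(code, last, entry):
    return HDR.pack(b"MZ", entry, len(code), len(last), 0) + code + last

def build_infected(code, last, entry, key=0x5A):
    """Constructed infected layout: stub overwrites the start of the code section,
    the overwritten bytes are compressed and appended after the last section."""
    packed, nbits = compress(code[:STUB])
    body = xor_bytes(PARAMS.pack(entry, len(last), nbits), key)
    hdr = HDR.pack(b"MZ", 0, len(code), len(last) + len(packed), 1)
    return hdr + bytes(range(JUNK)) + body + code[STUB:] + last + packed

def disinfect(img, key=0x5A):
    magic, entry, code_size, _, marker = HDR.unpack_from(img)
    if magic != b"MZ" or not marker:
        return img                                            # no marker: leave it alone
    stub = HDR.size + entry                                   # entry point leads to the stub
    body = xor_bytes(img[stub + JUNK:stub + STUB], key)       # 1. decrypt the virus body
    orig_entry, rel_off, nbits = PARAMS.unpack(body)          # 2. first decompressor call's parameters
    last_start = HDR.size + code_size
    original = decompress(img, last_start + rel_off, nbits)   # 3. inflate the original code
    if len(original) != STUB:
        raise ValueError("decompressed size mismatch; refusing to repair")
    out = bytearray(img)
    out[stub:stub + STUB] = original                          # 4. overwrite the virus code
    del out[last_start + rel_off:]                            # 5. cut the appended data
    HDR.pack_into(out, 0, b"MZ", orig_entry, code_size, rel_off, 0)  # 6. header + marker
    return bytes(out)

# Constructed sample "executable" with a repetitive prologue so a back-reference is emitted.
CODE = bytes([0x55, 0x8B, 0xEC]) + b"\x90" * 13 + b"\xC3" + b"ABCD" * 6 + bytes(range(20))
LAST = b".data section" * 3
ENTRY = 0x10
```

The size check before writing back is the one a real disinfector must not skip: if the decoded block is not exactly the length of the overwritten region, the parameters were misread (or the file is a variant with a different layout) and writing would corrupt the host further. The toy header restores cleanly because every field it holds is recoverable; in a real PE the checksum and certificate table are not, which is the caveat the post makes.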

Although antivirus software today is fairly sophisticated, it should be mentioned that it is not always possible to completely restore a system to its pre-infection state. In general, it’s always recommended to reinstall the system from scratch after a virus infection has been discovered.

Markus Hinderhofer
Engine Core R&D

Updates, updates, updates! (Update!)

Not only Microsoft has to deal with security risks. Apple also released a security update (Mac OS X 10.5.6 / Security Update 2008-008), fixing 21 holes in its operating system. Mac users should get the updates via the automatic update mechanism and apply them ASAP.

As remediation for the risks of the still-open security hole in Microsoft's Internet Explorer we recommended switching to alternative browsers like Opera or Firefox.

If you use those browsers, make sure to apply the latest patches. The Mozilla Foundation just released Firefox 3.0.5 and the last security-fix release of the 2.x tree; you can get them by choosing "Check for Updates" in the browser's Help menu. Those versions fix several vulnerabilities rated critical which may lead to execution of injected code simply by visiting the "wrong" web page. Opera also published a new version, 9.63. It plugs seven holes, two of which are rated extremely severe and three highly severe. They can be abused to foist malware on the user's computer as well, again simply by visiting the "wrong" web page.

Meanwhile, Microsoft has developed a patch for the vulnerability in Internet Explorer. The Redmond company announced that it would release the patch today, so prepare to apply it in a few hours.

Update December 18, 2008, 7:45 am: The Internet Explorer update is now available. Run Windows Update as soon as possible (on most versions of Windows hit "Start", choose "Windows Update", search for the recent patches and install them as offered).

Dirk Knop
Technical Editor

Quiet holidays?

Remember our article at the end of November “Phishing on the rise“?

We were monitoring how Chase phishing was becoming a serious part of our phishing and malware statistics. Well, after almost three weeks, it seems that the phishers and malware authors are preparing for the holidays.

Fig. 1: Phishing in December

Compared with last month, until 16.12.2008 phishing went down by roughly 66% (from 22,031 to 7,557 entries). Malware also went down by approximately 45% (from 5,818 to 3,213 entries). But do not forget: we are just in the middle of the month. There is still a lot of time to catch up.

Overall, the situation in the last months is looking interesting:

Fig. 2: Middle December statistics

We hope that the trend is going to remain like this, which means for all of us a quiet Christmas and New Year holidays.

Sorin Mustaca
Manager International Software Development

IE7 zero-day vulnerability also affects IE5, IE6 and IE8 Beta (Update)

Microsoft updated its Security Advisory for the recently discovered zero-day vulnerability in the way Internet Explorer handles XML. As it turns out, not only Internet Explorer 7 contains the security hole, but also IE5, IE6 and IE8 Beta. The range of affected operating systems runs from Windows 2000 SP4 up to Windows Server 2008; the 64-bit versions, x86-64 as well as Itanium-based, are vulnerable too.

So far we haven't seen exploits for the other browser and operating system versions; only those our antivirus products already detect seem to be more widely distributed. But we are closely monitoring the underground for new exploits.

Update December 12, 2008, 13:00h MET: H. D. Moore published a module for his exploit framework Metasploit which produces exploits that work on Windows XP SP2 and Vista, regardless of whether DEP is enabled for Internet Explorer. Using a different browser such as Firefox, Chrome or Opera, maybe even Safari, is currently the only proper mitigation for this problem. Microsoft suggests blocking access to oledb32.dll via an ACL and setting the security level for the Internet zone to High, but that might not be enough, and neither might the suggested activation of DEP.

Dirk Knop
Technical Editor

Avira to the rescue!

Our developers just released version 3.5 of our free Avira Rescue-CD. If you think your computer might be infected, but the malware hides from the virus scanner – just download the most recent version from our Tools section, burn it on CD and boot your computer from it.

The new version comes with a simple graphical user interface. With a few mouse clicks everyone is able to analyse her/his computer for infections. The Avira Rescue-CD can work with FAT and NTFS file systems, so it can analyse computers running older systems like Windows 98 as well as the newest Windows operating systems like Vista. It can rename detected malware, try to repair infected files, or just log everything it detects.

The new graphical user interface of Avira's Rescue-CD simplifies its usage.

The ISO image, for burning with the CD-burning software already on your computer, and the CD image as an executable that includes a burning program are updated several times a day to include the most recent virus definitions. Just download the most recent image, burn it, and use it when you need it.

Dirk Knop
Technical Editor

Exploits for IE7 hole in the wild

Exploits for the recently discovered vulnerability in Internet Explorer 7 are now available on public websites. Most malicious websites are currently hosted in China, but this is expected to change soon: attackers can simply modify the available proof-of-concept (PoC) samples.

The vulnerability affects every operating system from Windows XP to Windows Server 2008 with IE7. Mitigating the risk is possible by enabling DEP for Internet Explorer and disabling Active Scripting / JavaScript. An update from Microsoft to solve the problem is still not available.

We detect and block the currently known exploits as EXP/XMLSPAN.A and EXP/XMLSPAN.B.

Dirk Knop
Technical Editor