Malware Evolves

24 08 2006

Malware hit another milestone in evolution – or even worse, it’s only been noticed now.

Previously, malware would arrive as a whole executable, downloaded, emailed or dropped by passing worms. Then the “dropper” arrived: small code that contains just enough evil to download the other parts of itself from other systems. The worst ones hit random websites from a long list. Mitglieder comes to mind, where it connected to one of many IPs to get a list of other IPs to connect to. The smallest dropper I’ve seen in the wild was 4KB (FSG-packed ect.exe, detected as Downloader-NE by McAfee). Later, instead of downloading executables, they started downloading image files that were actually executables.

The ISC now reports that a handler found malware that downloads what looks like garbage (ASCII strings) from other websites ONLY when fed with the proper malware headers.  Seems fair enough – whack a site (or host one) that feeds normal web pages, but when called with a special header, serves other purposes. We’ve all seen that before, I’m sure.  The last one I saw was a control channel that served code 302 web pages (permanently moved) to  So, even if you hit it with text browsers, etc, you would see nothing wrong.  But when given a specific code, it would give instructions to do something else. 

The scary part with this one is that the ASCII strings downloaded are actually an encoded executable. Encoded how? However the attacker wants. In this case, it was bit-shifted and XORed with 0x13. Attackers could easily create their own “encoding” scheme and the download would be, well, undetectable. This leaves the workstation AV as the last line of defense.
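As an added illustration (not code from the post or the ISC report), the following shows why a simple bit-shift-plus-XOR transform makes a wire signature miss, and how an analyst recovers the parameters offline by brute force against a known plaintext marker. The exact scheme in the report is not given; rotate-left-by-1 then XOR 0x13, and the stand-in executable bytes, are assumptions for illustration.

```python
# Added example: a byte-level "bit shift + XOR" transform versus a naive
# network signature, plus analyst-side parameter recovery.
# The rotate-left-1 / XOR 0x13 scheme is an assumption, not the real sample's.

# Constructed stand-in for the start of a Windows executable (not real malware).
SAMPLE_EXE = (b"MZ\x90\x00\x03\x00\x00\x00"
              + b"This program cannot be run in DOS mode.\r\n"
              + bytes(range(64)))

# Known-plaintext marker present in nearly every PE file's DOS stub.
MARKER = b"This program cannot be run in DOS mode"

def rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def encode(data: bytes, key: int = 0x13, shift: int = 1) -> bytes:
    """Assumed transform: rotate each byte left by `shift`, then XOR with `key`."""
    return bytes(rol8(b, shift) ^ key for b in data)

def decode(blob: bytes, key: int, shift: int) -> bytes:
    """Inverse of encode(): XOR first, then rotate right."""
    return bytes(ror8(b ^ key, shift) for b in blob)

def wire_signature_hits(blob: bytes) -> bool:
    """A naive network signature that looks for the DOS-stub marker in raw bytes."""
    return MARKER in blob

def recover_params(blob: bytes):
    """Analyst side: try all 256 keys x 8 shifts until the marker reappears."""
    for shift in range(8):
        for key in range(256):
            if MARKER in decode(blob, key, shift):
                return key, shift
    return None

if __name__ == "__main__":
    wire = encode(SAMPLE_EXE)
    print("signature hits on wire:", wire_signature_hits(wire))   # False
    print("recovered (key, shift):", recover_params(wire))        # (19, 1)
```

The point for detection is that the marker never appears on the wire, so the decode step has to happen on the host (or in a sandbox) before any signature can fire.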

This worries me, especially since there seems to be an elitist, this-is-how-AV-will-work mentality in the AV industry.  Check the Matasano blog for some AV companies and researchers crying foul about a recent Consumer Reports test of AV products here and here.  The current mentality seems to be that modifying an existing virus for testing purposes is unethical and is an “unscientific” method of testing anti-virus products.  Uh, ok.  And test driving a car on a test track at top speed is also unethical and proves nothing.

Me? I’m preparing for the day an encrypted, time-dilated, port-hopping, host-hopping, TOR-using control channel appears via an intelligent morphing virus spread by a fully functional disappearing Trojan delivered by a short-lived, network-only worm that exploits device drivers.

Or maybe that day is already here, and we just don’t know it.


[FINALLY!] Google to warn over unsafe sites

7 08 2006

Although this comes nowhere close to mitigating the threat, it does help and at least brings attention to the matter. Now if only people practiced safer web browsing.

Link to article on 

Internet search engine Google is to begin warning users about potential spyware or adware risks associated with websites it links to.
The world’s most popular search engine will present users with a warning message if they are about to enter a site that is known to contain spyware or other programmes that can seriously damage personal computers, giving them the option of returning to the search results page instead of continuing on to the page in question.

The new feature, part of a growing raft of security measures introduced by Google, is set to go live this Friday, presenting what security experts call the first significant step in the fight against so-called ‘Badware’ – software designed to harm a user’s computer or scam them in some way.

It is estimated that, on average, around five per cent of all websites retrieved via search engines contain badware, making the measure increasingly necessary if web users are to continue trusting Google’s content.

© 2006 Adfero Ltd.

War Rocketing?

5 08 2006

If there was ever a story that deserved a LOL, it’s this one:

War driving by rocket at 6,800 feet

Some funny excerpts:

“The hobbyists equipped three rockets with wireless access points capable of scanning for networks during the rockets’ parachute-assisted descent, a technique they dubbed “war rocketing””

Let’s see: war-driving, war-walking, war-talking, war-rocketing??? What are they war-smoking?

“While the largest rocket, known as a Nike Smoke, could scan more than 50 square miles of land for wireless networks, the rocket could only be launched in rural areas, where such hardware is rare.

“Unsurprisingly, the rocket only detected two other networks.”

At this point, I’m snickering.

“The two smaller rockets–one of which was launched in a rural area–found 3 access points in the sparsely populated area and 7 networks near the college town of Charlottesville, VA. “These access points were scattered across rural farms that we could not detect from the ground,” Hill said.”

Oh, I see. So you have access points that you cannot detect from the ground? What direction were the access point antennas pointed??!?

Seriously, though, scanning for wireless networks is so common that some people wanted to do something new with it. And you CAN detect just about any wireless device, unless it’s in a TEMPEST-rated room inside a solid concrete structure with no windows. Yes, this was a very geeky thing to do, but it smells like a publicity stunt.

“The rockets were built for less than $1,000 in total, and each launch cost $35 for the smaller rockets and $200 for the larger one.”

Make that a cheap publicity stunt. But an expensive (and foolish) attempt at demonstrating, uh, something, or whatever it is they wanted to demonstrate to the DEFCON crowd.