PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Real World Computing

Are friends electric?

Posted on 28 Jan 2009 at 16:59

Jon Honeyball puts his spellcheck to good use, reveals one of the nastiest examples of malware seen so far, and tries to remain upbeat about the future.

Super nasty

Some of my current lack of sparkle is thanks to some news I just read from my old sparring partner Woody Leonhard. Back in the early 1990s, we both inhabited the official Microsoft Word support forum on CompuServe, where Woody was one of those who really dived inside the platform. He's a fun writer, too, and I try to read his stuff whenever I get the chance. His latest missive brings me dreadful news: unbeknown to most of us, the virus writers have made a major breakthrough. The nasty is called Sinowal or Mebroot, the former being the older name and the latter its newer variety.

This nasty creation would appear to be the most advanced and stealthiest example of malware seen so far, and most AV products are helpless to act against it. Let me describe what this brute does. It hides in the MBR (master boot record) of your hard disk and loads before Windows starts. It's effectively its own micro-operating system, which can survive the loading of Windows proper, and it has its own network stack, independent of the Windows one, that communicates with hundreds, possibly thousands, of back-end servers through a heavily encrypted communication session. It has a complex install-and-run mechanism, which means that it bypasses almost all the security products. It can hide all of the changes it makes on the fly, and it can patch itself on the fly. And now for the really bad news: it attacks more than 100 European online banks, attempting to steal money as users do their online banking.

Woody referred me to a good slide deck at www.f-secure.com/weblog/archives/00001510.html. This reminds us that the original MBR virus arrived more than 20 years ago as the Stoned virus. Then Mebroot was released in November 2007. In the lead-up to this there was a BootRoot project from eEye presented at Black Hat, and then the Vbootkit from NVlabs, which worked under Vista RC1 and RC2. The release of Mebroot was the first use of this technology for real malware under Windows. The deck contains a slide that sent a chill down my spine: "No executable files on filesystem, no Registry keys or standard launch points, no driver module in module list, minimal memory footprint, early execution during startup, stealth read/write disk operations, stealth tunnel network, active anti-removal protection, totally generic open malware platform (MAOS)". Just what you don't want to read over your breakfast.
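The slide above says where such a bootkit lives: in the 440 bytes of bootstrap code at the start of the disk, not in any file or Registry key. The defender's counterpart is to treat the MBR as something you baseline and re-check. The following is an added example (not code from the column, F-Secure, or any vendor) that parses a 512-byte MBR, verifies the 0x55AA boot signature, lists the partition table, and compares a SHA-256 of the bootstrap area against a recorded known-good hash. The MBR bytes, the boot-code stub and the baseline hash are all constructed inline for illustration; the stub is a placeholder, not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the bootstrap code (classic layout)
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 must carry this signature
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with the given boot code and one active partition.
    Used here only to create test input; a real check reads sector 0 of the disk."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long for the bootstrap area")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    # One bootable (0x80) NTFS-type (0x07) partition starting at LBA 2048.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature, partition table and a hash of the bootstrap area."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


# Constructed sample data (placeholders, not genuine boot code).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
TAMPERED_BOOT_CODE = b"\xfa\x33\xc0\xe9\x00\x01" + b"\x90" * 18
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
# In practice the baseline is recorded from a known-good disk, e.g. right after install.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

The caveat follows directly from the same slide: "stealth read/write disk operations" means a running bootkit can hand a reader inside Windows the original, clean sector, so a comparison like this is only trustworthy when the sector is read from boot media the suspect system did not load, and the baseline hash is stored somewhere that system cannot rewrite.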

I checked a number of AV vendors' websites, and many claim to have fixes for Mebroot. It appears it can trundle into an XP installation with almost nothing to stop it, although things are a little different with the most recent patches of Vista: you do at least get a UAC (User Account Control) warning that something is attempting to run. Now for some scary numbers: according to a report on the Washington Post website, "RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on web servers the Sinowal authors were using to set up their attacks." It goes on to say: "Sinowal, also called 'Torpig' and 'Mebroot' by various antivirus companies, constantly morphs its appearance to slip past security software. Between April and October, researchers spotted an average of 60 to 80 new Sinowal variants per month. Indeed, in the 24 hours ending 30 October, security researchers at ThreatExpert.com saw at least three new versions of Sinowal being released into the wild."
