
SANS ISC InfoSec Handlers Diary Blog



Follow the Bouncing Malware: Columbus Day

Published: 2007-10-09
Last Updated: 2007-10-09 05:23:58 UTC
by Tom Liston (Version: 1)
0 comment(s)

[This FTBM is created in honor of Columbus day, celebrated in the US on October 8th]

 

“I Know India Is Around Here SOMEWHERE”

 

Joe Sixpack leaned back in his chair and glared at the photo of his son sitting on his desk.  It was nearing midnight, and Joe had spent the last several hours building a model depicting the landing of Christopher Columbus’ ship, the Niña.  Earlier tonight, at dinner, Joe junior had announced that he needed a diorama for school in the morning.  

Admittedly, it wasn’t Joe’s best work, but he was on a deadline.  He had scavenged through Junior’s toy chest and had made do with what he could find.  The brown paint didn’t completely cover up the red plastic on the toy pirate boat, and you could still see the outline of the skull and crossbones underneath the name “Niña,” hastily scrawled in black Sharpie marker.  He felt, however, that the action scene that he had created with Junior’s plastic Indian figurines more than made up for the poorly disguised boat.  There was a slight scale issue (the Indians on horseback, surrounding Columbus’ men – who were dressed remarkably like cowboys and WWII combat soldiers – were about as tall as the boat) but if you squinted your eyes up just right, it looked pretty good.  The centerpiece of the work, Columbus reared up on horseback, six-shooter blaring, single-handedly gunning down several bloodthirsty savages, would at least get Junior a “B.”  Besides, he wasn’t going to go crazy trying to get everything perfect – Junior needed to learn that leaving his assignments until the last minute had consequences.

Joe turned his attention to the worksheet that accompanied the diorama assignment.  It was full of questions about names and dates and it appeared as though Junior had made a half-hearted attempt at answering them.  One question was left blank:

“How were the ships Columbus used constructed?”

Joe was pretty sure he knew the answer, but he decided to take the matter to a higher authority.  He reached over and tapped on the keyboard of his trusty computer, watching as the monitor slowly came to life.

At the dentist’s office, the week before, Joe had been stuck reading some science magazine to pass the time (it was that, or several back issues of Cosmo, which, despite the sexy, half-dressed model on the cover, weren’t all that interesting to actually read).  In the “geeky/computer” section of the science magazine he had found a description of some techniques to get better search results out of Google.  The article had been somewhat interesting and he thought that now would be a good time to try out the stuff that he could remember.  

He was interested in finding out “information”, and he remembered that you could restrict your Google search in some way that had something to do with “domains”.  Since the search results that he was looking for were “information”, he would use the “.info” domain.  He was interested in the construction of Columbus’ ships, specifically the fasteners used to hold them together, so he used the first two words that popped into his head.  His search term string looked like this:

“site:.info nina screw”

The search results that he got back didn’t seem to be all that much better than when he didn’t put that “site” stuff in there.  In fact, they seemed to be more than a little “off topic.”  He couldn’t help but chuckle to himself as he looked at his search string… what had he been thinking?

Then again, thought Joe, perhaps he would take a little voyage of discovery of his own.

Two hours later, Joe was in a quandary.  There was a “Video ActiveX Object Error” sitting in the middle of his screen, and he didn’t know how to get rid of it.

“Your browser cannot display this video file,” it proclaimed, and went on to tell him, “You need to download new version of Video ActiveX Object to play this video file.”  Below that, it said, “Click Continue to download and install ActiveX Object.”  

Before all this pop-up nonsense began, Joe had been hoping to see some VERY active X, but this was just annoying.  If he clicked “Cancel,” another box popped up, this time from Internet Explorer telling him that his browser couldn’t play the video and telling him to “Click ‘OK’ to download and install missing Video ActiveX object.”  If he clicked “Cancel” on that box, another window opened saying “Please install new version of Video ActiveX Object” and only offering him the option of clicking “OK”.  Clicking “OK” took him back to the previous screen.  Around and around he went.

Joe was so frustrated and angry that he finally decided to just click “OK” and install the software.  Internet Explorer popped up a warning screen, telling him that some files could harm his computer, but then again, it did that when he downloaded things from other places too.  Besides, he was running antivirus software… at least he thought he was.  He couldn’t remember if he’d re-enabled it the last time some program had told him that he should disable it while installing… but he was pretty sure he had.  He clicked on “Open” and held his breath.

A “License Agreement” popped up on his screen.  He glanced through it quickly… reaffirmed his decision that law school would’ve been a bad idea, and clicked on “Install.”

Several things appeared to happen all at once.  Windows opened and closed, and finally, when things settled down, a new, shiny, slick-looking window opened on the middle of his screen.

“AntiVirGear v.3.8,” the window declared.  “Warning! 4 threats found!”

What had started out as a voyage of discovery had ended up with Joe washed up on some strange foreign shore.

It was going to be a long, long night.
 

Land Ho!

(or, more politically-correctly: Land Lady-of-the-Evening!)

According to the history books, Columbus, before he moved to the great state of Ohio and set up shop as a state capital, sailed the ocean blue in fourteen hundred ninety-two, with the lofty goal of finding an ocean passage to India.  

As it turned out, he missed by a long shot.

Like most really big screw-ups, Columbus blundered his way through life so incredibly self-assured that even when he’d obviously made a mistake of historic proportion he just… well… went with it.  Rather than admit that he fell awfully dang short of his intended goal, he decided to go ahead and drop names on things to try to convince the folks back home that he knew exactly what he was doing.  Thus, the “West Indies” were born. (Which, to be entirely correct, should have been called the “Waaaaaaay West Indies”.)
 
Five hundred and a few years later, much like Chris, Joe Sixpack found himself in the middle of a mess-up of his own making and decided to simply bowl ahead as though he knew it would all work out just fine in the end.

Today, we’ll only take a look at the single most obvious portion of Joe’s misadventure. But, like that whole “Native American / Indian” debacle that Columbus left for us to straighten out, Joe’s expedition into the unknown has some long-term ramifications that we’ll discuss in a later installment.

But for now, let’s see what Joe’s carelessness has wrought.  In the course of clicking his way around the globe, Joe encountered a new and interesting download: a “Video ActiveX object” from the fine folks at “kimsoftware.com” who, based on the wording of their License Agreement, apparently like to go by the rather off-putting nickname “Licensor.”  It also seems that “Licensor” has a bit of an inferiority complex and something of a “thing” for self-deprecation… but we’ll get into that in a minute.

One result of installing this “Video ActiveX object” is a cascading download and installation of several files onto Joe’s machine, one of the most interesting of which goes by the name AntiVirGear3.8.exe.  

Weighing in at 3,262,914 tasty bytes, it’s dropped onto Joe’s desktop machine like a wet sail hitting the deck of a ship. After grinding the hard drive for some period of time, it suddenly pops up a message saying that it has found four indications that Joe’s machine is infected with “Win32.Trojan.Click.Spywad.b”.

The program then offers to “clean” the infection… for a fee.  You see, the “unregistered” version of AntiVirGear will only TELL you about the infections on your machine.  If you want to get rid of the infections, then you need to shell out fifty bucks to the folks at antivirgear.com.

Not that I have anything against people wanting to make a buck… but in the past, I’ve investigated other “antivirus” programs that “found” malware even on a fresh install of Windows.  Those programs also would only remove the “found” items for a fee.  Could this be the same scam?

Through the magic of virtual machines and snapshots, I was able to return to the moment before all of the downloading and installing on Joe’s machine began.  Having extracted AntiVirGear3.8.exe from the downloaded traffic, I moved it back in time (so to speak) and installed it on Joe’s machine BEFORE Joe said “yes” to installing the big bundle o’fun from the kimsoftware.com/Licensor folks.
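The diary describes a before/after comparison using VM snapshots; one concrete way to do that comparison is to hash every file in each snapshot and diff the two manifests, which shows exactly what a bundled installer dropped, replaced, or removed. The following is an added example of that technique, not code from the ISC diary or from any tool it names; the file paths and digests in the sample manifests are constructed stand-ins for what a real snapshot pair would produce, and the "suspicious drop" heuristic (new executables under Desktop or Temp) is an assumption I introduce for illustration, not a claim about AntiVirGear's actual behaviour.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# Added example (not from the ISC diary): differential analysis of two
# file-system snapshots, "before install" and "after install".


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(chunk)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(before: Dict[str, str],
                   after: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) path sets between two manifests."""
    added = {p for p in after if p not in before}
    removed = {p for p in before if p not in after}
    modified = {p for p in before if p in after and before[p] != after[p]}
    return added, removed, modified


def suspicious_drops(added: Set[str]) -> List[str]:
    """Assumed heuristic: new executables landing in user-writable folders."""
    exts = (".exe", ".dll", ".scr")
    hot_dirs = ("/desktop/", "/temp/", "/tmp/")
    hits = []
    for path in added:
        low = "/" + path.replace("\\", "/").lower()
        if low.endswith(exts) and any(d in low for d in hot_dirs):
            hits.append(path)
    return sorted(hits)


def fake_digest(content: bytes) -> str:
    """Digest of constructed content, so the sample manifests look like real ones."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample manifests standing in for the two VM snapshots.
BEFORE = {
    "Windows/System32/kernel32.dll": fake_digest(b"kernel32-v1"),
    "Windows/System32/drivers/etc/hosts": fake_digest(b"127.0.0.1 localhost\n"),
    "Documents and Settings/Joe/Desktop/diorama.txt": fake_digest(b"Nina"),
    "Documents and Settings/Joe/Local Settings/Temp/~setup.tmp": fake_digest(b"tmp"),
}
AFTER = {
    "Windows/System32/kernel32.dll": fake_digest(b"kernel32-v1"),
    "Windows/System32/drivers/etc/hosts": fake_digest(b"127.0.0.1 localhost\n0.0.0.0 example\n"),
    "Documents and Settings/Joe/Desktop/diorama.txt": fake_digest(b"Nina"),
    "Documents and Settings/Joe/Desktop/AntiVirGear3.8.exe": fake_digest(b"PE-payload-1"),
    "Documents and Settings/Joe/Local Settings/Temp/videoactivex.exe": fake_digest(b"PE-payload-2"),
}


def selfcheck_build_manifest() -> bool:
    """Round-trip check of build_manifest on a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "a.txt"), "wb") as fh:
            fh.write(b"alpha")
        with open(os.path.join(root, "sub", "b.bin"), "wb") as fh:
            fh.write(b"beta")
        m = build_manifest(root)
    return m == {"a.txt": fake_digest(b"alpha"), "sub/b.bin": fake_digest(b"beta")}


if __name__ == "__main__":
    added, removed, modified = diff_manifests(BEFORE, AFTER)
    for label, paths in (("ADDED", added), ("REMOVED", removed), ("MODIFIED", modified)):
        for p in sorted(paths):
            print(f"{label:9} {p}")
    for p in suspicious_drops(added):
        print(f"SUSPECT   {p}")
```

In practice you would run `build_manifest` against the mounted disk of each snapshot (or export the file lists from the hypervisor) and feed the two results to `diff_manifests`; the hosts-file modification in the sample is there only to show that the diff catches altered system files as well as new ones.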

What did it find?  Nothing!  AntiVirGear didn’t find anything bad on the clean version of Joe’s machine.

Hmmm…. That’s strange.

Let’s recap for a moment:  you’re a software developer that markets your wares under the brand “kimsoftware.com”… so let’s assume (for the sake of argument) that you’re a young, blond, 23-year-old named Megan.

No… no… wait…

Kim.  

Let’s say your name is Kim.

So… you create cutting-edge software…. perhaps something like a “Video ActiveX object.”  You obviously have a bit of trouble with the English language and a penchant for porn.  Perhaps you failed out of law school, or are dating someone who did.  That might explain your twisted need to be called things like “Licensor” and the almost brutally lengthy “License Agreement” that you bundle with your “Video ActiveX object.”

So far, so good.  You’re a little strange, perhaps “quirky”, but you still fall somewhere within the big center portion of that bell curve we like to call “normal.”

But then it all comes crashing down.  

Kim, Kim, Kim…  Where did it go wrong?

What happened?  What drove you to the pits of self-loathing in which you obviously now seethe?  What inner daemons have driven you to the depths of depraved self-deprecation? How is it that you could possibly bundle a piece of software with your “Video ActiveX object” that would… dare I say it?... brand the child of your keyboard, the fruit of your software loins… as a virus?

Oh, the humanity.

Dear readers, pity poor, poor Kim.

Or… perhaps there might be another explanation.  Perhaps Kim has a cunning, almost evil plan.  What if there was some way that Kim might benefit if unsuspecting denizens of the Internet were to be convinced to register AntiVirGear?  What if there was some sort of “system” where Kim would make money every time a version of AntiVirGear that she installed got registered?

But how could a system like that ever exist?  For one thing, it would take someone at AntiVirGear willfully ignoring the obvious potential for abuse that such a system would create.  For another, you would have to have someone so completely morally bankrupt that they would purposefully infect someone else’s computer for their own financial gain.  How could such people possibly exist?

Sheesh… the next thing you’ll be telling me is that the earth is round.

 ------------------------------------------------------------------

Tom Liston - Handler on Duty - Intelguardians

 
