5
May

The Love Bug – Six Years After

May 4, 2000 – six years ago yesterday – email servers crashed when a flood of emails clogged them. And the Philippines was again at the center of the map of notoriety – the Love Bug (Trend Micro: VBS_LOVELETTER, Symantec: VBS.LoveLetter) was traced to a certain student named Onel de Guzman.

De Guzman was not convicted of any crime, since no relevant law covering his act existed at that time. One effect of his mischief was the passage of the E-Commerce Act. He remains free. I wonder where he is now.

This worm started the rise of social engineering as a means to spread malware. And now, this era is ending, with cybercrime, identity theft, and spyware fast becoming a problem.

22
Apr

Notes on Malware Design

The payloads of a piece of malware are designed to achieve a goal – they are not there on a whim. In systems analysis and design, the first step in the so-called software development life cycle is determining problems and requirements. I dare say that malware developers take a different step, or rather, a different view of that first step. The first step is to know what the goal is, or what the goals are, that the malware should achieve in the end. Hence, each payload has a goal to achieve.

Take for example the Agobot worms. For reference, read Trend Micro’s description of WORM_AGOBOT.AAA. Let’s ask a few questions, and I will try to answer them tomorrow.

There are several propagation methods available. Why did the author choose network shared folders and Windows vulnerabilities as means of propagation? Why does it terminate processes? Why does it modify the HOSTS file?
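On the last question: Agobot variants typically append HOSTS entries that pin antivirus and update hostnames to the loopback address so the infected machine can no longer reach them. As an added example (not from the post or from Trend Micro's description), here is a small check that parses a HOSTS file and flags exactly that kind of entry; the sample file and the vendor list are constructed for illustration.

```python
import ipaddress

# Constructed sample of a HOSTS file after a bot has appended its own entries
# (illustrative content, not Trend Micro's WORM_AGOBOT.AAA listing).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         update.example-av.test
198.51.100.7    download.mcafee.com
192.0.2.10      intranet.example.test
"""

# Hostname fragments worth watching: AV vendors and the OS update service.
# Assumed list for this example; extend it with the vendors you actually use.
WATCH_FRAGMENTS = ("trendmicro", "symantec", "mcafee", "windowsupdate", "example-av")

def parse_hosts(text):
    """Yield (address, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def suspicious_entries(text):
    """Flag entries a bot would plant: any name blackholed to loopback/0.0.0.0,
    or a watched vendor name pinned to some other address (update hijack)."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue  # the stock entry every HOSTS file carries
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((ip, name, "blackholed"))
        elif any(frag in name for frag in WATCH_FRAGMENTS):
            hits.append((ip, name, "redirected"))
    return hits

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{why:12} {name} -> {ip}")
```

On a stock Windows install the only loopback entry is localhost, so any other name mapped to 127.0.0.1 or 0.0.0.0 deserves a look.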

9
Apr

Combo Crossover Malware

This weekend, AV companies are faced with two new pieces of crossover malware.

There is a proof-of-concept virus that infects Windows and Linux executable files. Yep. This virus, PE_BI.B (Trend Micro’s detection for Windows executables infected by this virus) and ELF_BI.A (for Linux executables), infects Windows and Linux executables. Whew! Good thing it is just a PoC. Symantec has a single detection for this one, W32/Linux.Bi.

Then there is another crossover worm that infects Windows machines and Windows Mobile. MSIL.Letum.A@mm, as described by Symantec:

MSIL.Letum.A@mm is a worm written in Microsoft .NET’s Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed. The worm arrives as an attachment to a spoofed email that pretends to come from Symantec and also spreads through Usenet servers.

Yep, it uses a social engineering technique. This worm spreads via an email message purporting to have come from Symantec. It is also the first one that propagates via newsgroups.

Trend Micro has a different take on this worm, WORM_LETUM.A. Nowhere in its description is the fact that it is written in MSIL, nor the information that it also affects devices running Windows Mobile.

What’s the matter? Why the difference in description?

7
Apr

Mr. Congressman, Go Play DoTA Instead!

A congressman asked Internet cafes to impose curfews in their shops on students and minors.

“We appeal to LGUs [local government units] to compel Internet operators to impose a strict student color-coding scheme wherein there’s a time limit for students or minors accessing Internet games,” he said in a statement.

“By 6 p.m. or 7 p.m., no students or minors should be seen in front of Internet computers. They should be inside their homes by that time either having dinner or praying the Angelus,” he said.

Noel said Internet cafe operators should also be conscientious in offering Internet games that provided good and positive values to children.

The lawmaker made the proposal after receiving several complaints from concerned parents that their children had become “so addicted” to Internet games that they even skipped classes.

He said he received reports that Internet cafes inside shopping malls were taking in students even during class hours.

“A responsible Internet cafe operator should shoo-away uniformed customers who are obviously skipping their classes,” he said.

He also expressed alarm that most of the Internet games being offered by the operators were violent and had no educational value.

“What positive values could we get from games whose main objective is to invade a territory, destroy a military base, and fight-off zombies with blazing guns and tanks?” he said.

“Soon we will be producing adults who are war-freak and utak-pulbura [violent] who will approach their daily problems with the mindset of a warrior or a terminator,” he said.

Well. What can I say?

“He also expressed alarm that most of the Internet games being offered by the operators were violent and had no educational value.”

“‘What positive values could we get from games whose main objective is to invade a territory, destroy a military base, and fight-off zombies with blazing guns and tanks?’ he said.”

–What positive values could we get from congressmen whose main objective is to invade government funds, destroy the opponent’s character, and fight off impeachment bids with blabbering mouths?

“The lawmaker made the proposal after receiving several complaints from concerned parents that their children had become ‘so addicted’ to Internet games that they even skipped classes.”

–While Internet cafes have a part in this, it is primarily the responsibility of parents to teach their kids about this issue. Parents who complain are lazy.

Anyway, I put this situation to the congressman: assume that I am a student who has no computer and no Internet access at home. A teacher gave us some research assignments, and the information needed is not in the library. The computer and Internet labs at school are either full, closed, defective, have slow Internet connections, or have no connection at all. So I go out and rent. Fine. What if my last class ends at 6PM? Or 7PM? Or 9PM? And my class begins at 7AM.

Mr. Congressman, we have a phrase for that. It’s called throwing the baby out with the bathwater.

It is people like him who make me apprehensive about a parliamentary system, much more a unicameral one. Those who signed the initiative will know the error of their ways soon enough.

7
Apr

The Reign of Greed: A Look at Trojan Extortionists

In Roman Catholic belief, there are seven deadly sins – pride, avarice/greed, lust, envy, gluttony, anger, and sloth. The history of malware activity and prevalence follows two of those sins – pride and envy. Where before malware authors unleashed their creations on the world to become known, nowadays malware authors are driven by money. And who wouldn’t be? Consider the following cases:

  • In November 2005, the US Federal Bureau of Investigation arrested Jeanson James Ancheta for installing and using a botnet to install adware delivery programs. This venture allegedly netted him US$60,000. He also got a spanking BMW, highly unusual for a 20-year-old. (Wired News)
  • In August 2004, the FBI charged Jay Echouafni with renting botnets to perform denial of service (DoS) attacks against his company’s competitors’ Web sites, causing US$3 million in losses for three companies and an Internet Service Provider. (TechWeb)
  • In January 2006, the Million Dollar Homepage (www.milliondollarpage.com) was taken down via DoS (through botnets) after its owner, Alex Tew, refused to pay US$50,000 in “protection money”. (Netcraft)

Those are big bucks. And it is easy for script kiddies to earn money, what with bot source code available everywhere, new vulnerabilities to be exploited, and adware companies looking for delivery mechanisms and install bases. And with human gullibility, installing bots, spyware, and adware is easy through clever social engineering techniques – spreading is just one click away! And money is just a few network packets away!

Depending on their level of sophistication, malware authors and malicious hackers employ the following tactics to earn money:

  1. Using a program to steal bank account information and credit card numbers – This includes spyware and keyloggers.
  2. Phishing – Humans tend to be gullible, and it is easy to fool users by just displaying a look-alike Web page with forms, and voila! Malicious criminals laugh their way to the bank.
  3. Mafioso-like tactics – For those who do not have enough sophistication in life (or enough brain cells), they use brawn. There’s always one bully in the street corner, and the cyberworld is not far behind.

Extortion is a time-tested bully tactic to get money. The Mafia used it, your neighborhood bully did it, and now, cyberspace is not spared.

TROJ_CRYZIP.A (Trend Micro) (Trojan.Cryzip – Symantec) is an extortionist Trojan that was discovered last March 11, 2006. It compresses common document files and uses a password to protect the compressed file. That means a user cannot decompress the files without the password. Whoa! Where are my files, the witless user might ask. But wait! There’s a text file left, which details how a user can get back his files. All he has to do is to open an E-gold account and deposit US$300. When the payment is confirmed, the password is supposedly sent via email. Ingenious.

Whoever did it is a true bully – brawn more than brains. Analysts at Trend Labs found that the password – C:\Program Files\Microsoft Visual Studio\VC98 – is in the Trojan’s code. Not ingenious.

It is also not original. TROJ_PGPCODER.A (Trend Micro) (Trojan.Gpcoder – Symantec, PGPCoder – McAfee), which was discovered May 21, 2005, encrypts the files (as opposed to compressing them), and leaves instructions on how to get the decoder. And recently, a new variant, TROJ_PGPCODER.C (Trojan.Gpcoder.D – Symantec), was discovered on January 30, 2006. It uses a more complex encryption algorithm (RSA) compared with the previous variants. Despite the advances made by PGPCODER, Trend Micro has created fix tools that will undo the damage done by these Trojans.
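An analyst-side illustration of the Cryzip weakness just described, added here (it is not Trend Micro's fix tool nor code from the post): when the key is a literal baked into the binary, recovery is a matter of pulling narrow (ASCII) and wide (UTF-16LE) strings from the sample and trying the path-shaped ones against the locked archive. The sample bytes are constructed, and `recover_password` assumes a traditionally encrypted ZIP, which Python's zipfile can decrypt.

```python
import re
import zipfile
import zlib

# Constructed stand-in for a trojan image: junk bytes around an ASCII string and a
# UTF-16LE string (Windows binaries store many literals as wide strings). The VC98
# path is the password Trend Labs reported finding inside TROJ_CRYZIP.A.
VC98_PATH = "C:\\Program Files\\Microsoft Visual Studio\\VC98"
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + bytes(range(32))
    + b"kernel32.dll\x00" + b"C:\\WINDOWS\\system32\x00"
    + b"\x00" * 7 + VC98_PATH.encode("utf-16-le")
    + b"\x01\x02\x03" + b"SOFTWARE\\Microsoft\x00"
)

WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")

def extract_strings(blob, min_len=8):
    """Like the `strings` utility, but for both narrow (ASCII) and wide (UTF-16LE) runs."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in narrow.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide.finditer(blob)]
    return found

def candidate_passwords(blob):
    """Keep literals shaped like what Cryzip reused as its key: a drive-letter path."""
    return [s for s in extract_strings(blob) if WINDOWS_PATH.match(s)]

def recover_password(archive_path, candidates):
    """Try each candidate on a traditionally (ZipCrypto) encrypted archive; return the
    first one under which every member's CRC verifies, or None."""
    with zipfile.ZipFile(archive_path) as zf:
        for pw in candidates:
            zf.setpassword(pw.encode("utf-8"))
            try:
                if zf.testzip() is None:   # None means every member checked out
                    return pw
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue                   # wrong password: check byte or garbage data
    return None
```

The PGPCoder comparison is the point: an RSA-based variant would carry only a public key in its code, so no string search could yield the decryption key the way it does here.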

Anyway, extortion attacks are very rare, since they are unsophisticated, require more effort than usual, and also require interaction between the bully and the victim. Why exert more effort and risk capture when there are stealthy means of getting money?

And with profit in the minds of malware authors, the first consideration is how to avoid being caught. The current onslaught of SDBOT worms employs rootkits – those nasty pieces of code that allow these worms to run unhampered and undetected. However, the presence of several payloads gives away their existence on an affected computer, and malware authors can only hope and pray that affected users remain clueless about how their computers are turning into zombies. And do not use an antivirus, of course. So malware authors should concentrate less on payloads and damage if they don’t want to be caught.

The second consideration is how to spread copies of their handiwork. When it comes to social engineering techniques, SOBER worms are the best. Most bot worms exploit security holes and scour for open network shared folders. FEEBS variants use file names that entice P2P users on the lookout for cracked installers. The ways to fool gullible users are almost endless. It is a good way, but again, it has a face, and it ultimately betrays the intent. So the way to go is to exploit human gullibility and at the same time employ tactics that maintain secrecy. When a malware author combines these ways, you get a malware that spreads thoroughly and quickly.

Malware authors have learned from the past; it does not pay to be bold. Most of the authors of the high-profile malware are already caught. The money is in secrecy. Malware authors have the tools at hand, the scripts are there for the taking, and cold cash is just clicks away. Thus begins the reign of greed.

(Author’s Note: This was submitted for consideration in an internal company newsletter; since it was not chosen, the author posts this article for the whole world to see, constraints for that action being lifted.)

1
Apr

StopBadware Tags Four Apps as Badware

StopBadware.org has recently tagged four applications as badware.

What is badware? The said organization defines it as follows:

Badware is malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads.
xxx
What’s particularly tricky about badware is that you may not know that you downloaded it. Some badware manufacturers bundle it with other programs without disclosing that it’s part of the package. Others put their programs on your PC when you visit certain websites or play online games.

In its first report, StopBadware.org tags four apps as badware: Kazaa, Mediapipe, SpyAxe, and Waterfalls 3. You may want to download the PDF file here.

Take note that some antivirus companies tag them as adware or spyware. Trend Micro has two detections: ADW_SPYAXE.B and ADW_SPYAXE.E. Symantec detects it as Spyaxe.

I had tried Kazaa, and cleaning up after uninstalling it was no walk in the park. Install it at your own peril.

25
Mar

New Malware that Exploits IE Vulnerability Discovered (Updated)

After the exploit code for a new vulnerability in Internet Explorer was released, a new malware that exploits the said vulnerability was discovered. Trend Micro has detected a JavaScript malware JS_DLOADER.BXR that exploits this vulnerability to remotely execute code.

As this vulnerability is unpatched, users are urged to disable ActiveScripting as described in the previous posting.

UPDATE: Trend Micro has created a detection for the newest IE vulnerability, EXPL_TXTRANGE.A.

25
Mar

Antivirus Companies Do Blog (Some of Them Anyway)

Blogs are now fast becoming sources of information. Some companies have already grasped the impact of blogs on their businesses, and so some of them are already incorporating blogs not only as a disseminator of information but also as a marketing tool.

For those who are curious about malware, several second-tier antivirus companies have blogs. Unfortunately, first-tier companies – the so-called Big Three (Symantec, McAfee, Trend Micro) – don’t have blogs. All of them have an encyclopedia of sorts (Trend Micro’s is more comprehensive), but try looking for a specific malware in those encyclopedias, and you’ll get what I mean. It’s like looking for a needle in a stack of needles.

Anyway, here are the blogs of two antivirus companies:

When will the Big Three catch up? Would they even blog?

The bosses of those companies might ask: why bother? Most blogs are RSS-capable; it means that news readers can access blog posts, without the user even visiting the Web site. It is a fast platform to release information. It removes the middle man when disseminating information, so there is no more constraint on the fast availability of information. No need to wait for publication, no need for press releases. And bloggers do link a lot, so you can generate buzz through blogs. There’s no need for large capital outlay, since the infrastructure is there, only the software needs to be acquired or developed.

Here’s hoping that they do so soon.

(NOTE: This is the 100th entry on this blog, though it is not actually the 100th according to the post ID.)