Security in VoIP Systems
One of the tasks of security companies is to "forecast" what will happen in the future based in the data and trends we observe. This is a really important task, as this way we can provide users with guidelines and base our researchs in the possible protection mechanisms we will have to develop in the future.
Some days ago, a Trojan entered the fray which attempts to deceive users passing itself off as a security program for Skype. It is called Skype Defender and its main aim is to steal the user's data of Skype. It is then when we shall look back and bring to mind what we told about VoIP attacks almost 2 years ago. In January 2006, we published a document about security in VoIP systems, written by Fernando de la Cuadra and Enrique González Ochoa. We presented it in the 5th Iberoamerican Conference on Systems, Cybernetics and Computer Science CISCI 2006, in Orlando, Florida.
Here you have an extract of the document:
"Identity Theft. A malicious application could steal a VoIP system user ID, deactivate the user's connection to avoid duplicity and use the stolen ID in its own VoIP network. In this way, the theft victim would be paying for the account when in fact the thief would be the one using it. This use of communication lines is an update of "phreaking" techniques, which use telephone lines to make connections or have conversations unbeknownst to their legitimate owners."
It seems that some of the predictions we made have come true. I have published this document here again in case you want to know which threats are awaiting us.
MP3 spam
Yes. It's true. Believe it or not, this is another step in the malware world. We are seeing spam sent with MP3 attachments, the audio quality is pretty bad, and the file names are different but try to trick users using names as oursong.mp3, bartsimpson.mp3, ciara.mp3, cassidy.mp3, etc.
Actually, it is a pump and dump spam that talks about a Canadian company that could have incredible results in USA. It seems that it is being sent out from the Storm Worm network. Be careful and of course, don't pay attention to these kind of messages.
How long should we wait to see an MP4 spam?
New Zero day PDF exploit for Adobe Acrobat
We have received a new 0-Day exploit for Adobe
Acrobat via full-disclosure mailing list. This vulnerability was
announced on September 20th, 2007 in the site gnucitizien.org. In the advisory, the following can be read:
"The issue is quite critical given the fact that PDF
documents are in the core of today’s modern business. This and the fact
that it may take a while for Adobe to fix their closed source product,
are the reasons why I am not going to publish any POCs. You have to
take my word for it. The POCs will be released when an update is
available."
But somebody, who had read the original
advisory, has discovered where the vulnerability is and has developed a
working PoC. This PoC has been sent to full-disclosure, a public
mailing list.
The PoC isn't harmful, however, when the PoC file is opened with a vulnerable version of Adobe Acrobat, calc.exe will be executed
Looking inside the PoC:
we can see the string that exploit the vulnerability.
TruPrevent is able to block this vulnerability (from the very first day). However, if you try the PoC with TruPrevent, the PoC will work because calc.exe is a trustworthy application for TruPrevent. Whereas if the vulnerability is modified to drop a malware, TruPrevent will block the vulnerability, avoiding the malware infection.
Malware articles in Virus Bulletin
Taking a look at McAfee's Blog, I've seen a post talking about an old "friend" of us: the virus Virutas, and I have realized that I hadn't linked the latest articles we published in the Virus Bulletin Magazine.
The first one, Beyond Virtu(e) and Evil, written by Mario and Victor, analyses the virus Virutas in depth. It was published in the May edition of the Virus Bulletin.
The second one, The Life Cycle of Bots, was published in the number of September 2007. This article, which was written by me, goes through the whole life cycle of bots, where we can see how some bots have almost a life of their own.
Enjoy them!
Automatic classification of malware
Last year we posted an article
about graphic
representations of malware, in which we commented that it's possible
to automatically
identify and classify malware into a family based on
their graphical structure
representation. This representation is based on the relationship between
function calls in the executable.
These relationships create a graph of the internal structure of the
executable. These graphs are very similar among samples of the same
family or among samples which share the same
source code. There are several publications about this technique (Ero Carrera &
Gergely Erdély [VB2004]) and all of us have heard about Sabre
Security VxClass
Project, which is a system to automatically unpack and classify a binary into
a family.
PandaLabs is 'two or three steps ahead' too and we
have developed our own system to automatically identify and classify the samples
we receive daily. Of course, this system
works with unpacked samples, that's why we use it with our
generic unpacker engine. We have made a flash video [14 MB] (to show you how this system works. Basically the steps are:
- Unpack the sample
(the system only works with unpacked binaries) - Drag&Drop it into the client
application - The client
application sends it to the graph
server - The server analyzes it with IDA and uses several python
scripts to extract: - Graph of
function calls - Control Flow Graph (cfg) of
functions - Entropy
- CRC32 and custom CRC of
functions - Preselect samples from the database, applying several filters: entropy,
compiler, filesize,… Then, the resulting ones will be compared with our sample.
This data will be used to compare the
sample with our entire graph database (Actually, we have already analyzed and stored in the graph database 185.000 samples).