Fatsos Wiggle Their Toes

Note: This entry has been restored from old archives.

Now I say this as a certified “fatso”: pedometers/wiis/foot-tapping aren’t going to make fat bastards experience “big health benefits” (my qualifications: BMI of 27.6 … still a fat bastard, but that’s down from the 37.6 I was at 3 years ago — BMI’s don’t mean a huge deal but the mirror doesn’t lie). Maybe there’s one fatso in one thousand who gets a case of OCD over their wiggle-my-stick-wii game and loses a few pounds, but seriously? “The allure of computer gaming and competition with other users encourages players to make small lifestyle changes that can add up to big health benefits.”

But these are scientists saying this is so, so who am I to pronounce judgement
or even have an opinion? It’s just rare that I see something come through ACM
TechNews that makes me think “what a load of tripe”.

AFAIC fat bastards have two things to do:

  1. eat less,
  2. lift some heavy shit (seriously, muscle burns calories).

Wiggling your PDA and other “small lifestyle changes” isn’t going to do it for
you. And for the truly obese “running” is just going to stuff your knees.
Want real incentive? Take away access to public health services of any kind,
it should be treated the same as smoking or any other personal risk-increasing
habit. You choose to increase your risk, you cover the consequences. Of
course the US is way ahead of everybody on that front, but they’re still all
fat. I guess that’s why I’m not qualified to have an opinion :) d’oh!

Of course, this is actually from a press release, so isn’t worth paying attention to.

Bah, this isn’t even going in tech.

[[[Update: Fellow fatsos should read this.]]]

Another Dying Gasp From Email?

Note: This entry has been restored from old archives.

I’ve sporadically been losing emails recently. It turns out this is due to two things.

  1. I changed ISPs and now have a dynamic IP that is in several blacklists.
  2. I’ve been sending emails with the string “configure.ac” in them and this is in several URI blacklists.

Mostly this means I don’t receive my own emails, but sometimes the IP thing seems to catch emails on their way to me from someone else. I do have to wonder who else is not getting my emails though :(

OK, so “dying gasp” is a bit melodramatic. But email seems to be becoming increasingly unreliable. Unless you’re expecting an email, and will thus miss it when it doesn’t arrive, how do you know you’ve missed the unexpected? There’s no way of knowing whether you’re getting all you should be, or whether others are getting all you’re sending! More and more I use IM and websites for communication, and email becomes an “on the record” and “just a sec, I’ll email you the file” medium.

The listed IP thing is only going to happen to geeks who have local mail relays. I use a local mail relay for work email, so it is kind of important. I guess I’ll have to configure the local MX to not add a received header.

The “configure.ac” thing is just a PITA.

Still Doesn’t Like Kaspersky

Note: This entry has been restored from old archives.

Seeing more of those emails that try to hurt Kaspersky’s feelings. An interesting note about them: if you download with an IE user-agent string you get something different than what you get with a Firefox user-agent string. If the UA string isn’t FF or IE you get simple HTML with just the link to the exploit .exe file. The obvious difference between the FF and IE versions is that the FF version of the code doesn’t insult Kaspersky.

Beyond that the FF and IE versions have very different payloads attached. The IE payloads I see now are very similar to the weekend’s, with some minor differences that seem to mainly revolve around the different IP address. The decoded script contains a variety of nastiness, including downloading “file.php”, which is another PE executable, yet another version of Zhelatin/Nuwar/Storm. This site’s version of video.exe is labor.exe (Labor Day in the US). Both PEs are detected as Zhelatin variants by KAV. KAV catches the IE version of the web script, but not the FF version. Overall scan results are pretty average (heh, these guys probably use sites like virustotal.com to test their damn malware).

File                | Caught By | As %
IE Script           |   6/31    | 19.36%
IE Script (decoded) |  15/32    | 46.88%
FF Script           |   7/31    | 22.59%
FF Script (decoded) |  12/32    | 37.50%
labor.exe           |  16/32    | 50.00%
file.php            |  12/32    | 37.50%

(The /31 entries are where the Prevx1 scanner wasn’t included for some unexplained reason.)

The Firefox post-xor payload is much shorter than the IE version. It seems to contain just a couple of simpler exploits. One of them is for the Windows Media Player plugin EMBED bug, MS06-006. The other looks like something intended to do some stack smashing in the FF JavaScript engine.

Also worth noting, each time you download you get a script that has used a different value for the xor key (well, probably random rather than specifically different). Both versions have the same obvious xor decrypt though. Getting closer to some difficult form of polymorphism?

Seen only a couple of IPs hosting this creature so far. In both cases they’re RoadRunner owned IPs in the US.

Finally, here’s a coverage summary from a script that processes virustotal.com results. This data is by no means a meaningful representation of anything at all. Top points to Webwasher, although AFAIK it uses multiple AV engines. I’ve never even heard of half these scanners outside of virustotal.com scans.

                                 FF-dec FF IE-dec IE file.php labor.exe  COVERAGE
Webwasher-Gateway (2007.09.03):       Y  Y      Y  Y        Y         Y     100%
              AVG (2007.09.03):       x  Y      Y  Y        Y         Y      83%
          AntiVir (2007.09.03):       Y  x      Y  x        Y         Y      66%
      VirusBuster (2007.09.03):       x  x      Y  Y        Y         Y      66%
        Kaspersky (2007.09.03):       x  Y      Y  x        Y         Y      66%
           McAfee (2007.09.03):       Y  Y      Y  Y        x         x      66%
         F-Secure (2007.09.03):       Y  Y      Y  x        x         Y      66%
         Symantec (2007.09.03):       Y  x      Y  x        Y         Y      66%
      BitDefender (2007.09.03):       Y  x      Y  x        Y         Y      66%
       eTrust-Vet (2007.09.03):       Y  x      Y  x        x         Y      50%
        Microsoft (2007.09.03):       x  x      Y  Y        x         Y      50%
            eSafe (2007.09.03):       x  Y      x  Y        x         Y      50%
           Sophos (2007.09.03):       Y  x      x  x        Y         Y      50%
           Rising (2007.09.03):       Y  x      Y  x        x         x      33%
            Ewido (2007.09.03):       x  Y      Y  x        x         x      33%
    CAT-QuickHeal (2007.09.03):       x  x      x  x        Y         Y      33%
            DrWeb (2007.09.03):       x  x      x  x        Y         Y      33%
          Sunbelt (2007.08.31):       x  x      x  x        Y         Y      33%
           Norman (2007.09.03):       Y  x      x  x        x         Y      33%
           Ikarus (2007.09.03):       Y  x      x  x        x         x      16%
            Panda (2007.09.03):       x  x      x  x        Y         x      16%
       Authentium (2007.09.02):       x  x      Y  x        x         x      16%
            VBA32 (2007.09.03):       Y  x      x  x        x         x      16%
           F-Prot (2007.09.02):       x  x      Y  x        x         x      16%
            Avast (2007.09.03):       x  x      x  x        x         x       0%
        AhnLab-V3 (2007.09.03):       x  x      x  x        x         x       0%
          NOD32v2 (2007.09.03):       x  x      x  x        x         x       0%
      FileAdvisor (2007.09.03):       x  x      x  x        x         x       0%
         Fortinet (2007.09.03):       x  x      x  x        x         x       0%
           Prevx1 (2007.09.03):       x  O      x  O        x         x       0%
           ClamAV (2007.09.03):       x  x      x  x        x         x       0%
        TheHacker (2007.09.02):       x  x      x  x        x         x       0%

[[[FYI I’m a big fan of using different AV scanners. I.e. use one product on your desktop, another on your mail server, and yet another at the gateway. I have a leaning towards McAfee and KAV, in the rather unrepresentative example above they make a perfect combination. ;) It’s a bit expensive though, and you’re not going to get any “seamless integration” this way. Could be some call for a meta-AV company. The meta-AV company creates a UTM, remote desktop management system, and messaging (mail, etc) server scan interface with one unified management system. What would make it different from the alternatives I’ve seen around is that rather than being single-vendor based the aim would be to allow different AV products to plug in to each location.

Another semi-related thought is that you could have a system where a business has n different AV products installed across its desktop systems. Most employee desktops do stuff-all with their mega-cpu-power, so let’s put it to some good use. What you get is a “farm” of AV engines that your email/proxy infrastructure can call out to for scanning. To make it even more distributed you could have employee mail clients and web browsers pulling their traffic through their peers in such a way that each peer links through a peer with a different AV product. It’s a bit rough around the edges. Can you trust a desktop platform to do the job of a secure proxy server? What about the added latency, is it significant? AV scanning tends to be slow.]]]

Someone Doesn’t Like Kaspersky

Note: This entry has been restored from old archives.

Seeing more and more of these spammed attempts to get people to self-infect. Most recently I passed over one that looked much like one described by the AVERT blog a short while ago. A very simple email with the line:

Dude I know thats you, someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v=iVyfrel8jIt

The bit that seems to be a YouTube link is actually wrapped in an anchor tag linking to an IP address (not reproduced above). Not YouTube! Duh! (It’s rather disappointing that the YouTube URL actually doesn’t show some amusing video.)

If you hit the site you get a nice HTML page that tells you your video will be ready in 15 seconds. Meanwhile it tries to break your web browser, as recently described on the Kaspersky blog. In fact I think the author of this malware might read the KAV blog too, from the script code:

function kaspersky(suck,dick){}; function kaspersky2(suck_dick,again){};

Ouch! Getting personal in malware code!

As an added bonus the page includes:

If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run.

Sure, “press Run”? But how many people will this sucker in? Too many, I’m afraid.

ClamAV tells me that the HTML page is “JS.XorCrypt” (some sort of generic signature I assume) and that the video.exe file linked to is “Trojan.Small-3273”. McAfee and Kaspersky both catch both files too, “Nuwar” and “Zhelatin” respectively for video.exe… no surprises there. I guess the author is right to be annoyed at Kaspersky, it catches their malware! Ha! (On VirusTotal.com 46.88% of 32 scanners detect the HTML file and 78.13% detect the executable – detected malware names vary greatly.)

Examining the code in these things is often fun. In this example the HTML page contains the (reformatted) code:

// Decoder used by the landing page: a single-byte XOR over each character code
function xor_str(plain_str, xor_key)
{   var xored_str = "";
    for (var i = 0 ; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
function kaspersky(suck,dick){};
function kaspersky2(suck_dick,again){};
var plain_str = <<OBFUSCATED_STRING_HERE>>;   // the XOR-encoded payload (elided)
var xored_str = xor_str(plain_str, 20);        // key is 20 in this sample

Given a couple of minutes I can translate this to:

#!/usr/bin/perl -w
use strict;
# Same single-byte XOR as the page's JavaScript, done per character
sub xor_str {
    my ($plain_str, $xor_key) = @_;
    my $xored_str = "";
    for my $chr (split //, $plain_str) {
        $xored_str .= chr($xor_key ^ ord($chr));
    }
    return $xored_str;
}
my $plain_str = <<OBFUSCATED_STRING_HERE>>;   # the XOR-encoded payload (elided)
my $xored_str = xor_str($plain_str, 20);
print $xored_str;

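Since each download of this page uses a different XOR key (noted in the entry above), an analyst’s decoder shouldn’t hard-code 20. The following is an added example of mine, not code from the post or the malware: it applies the same xor_str transform for all 256 candidate keys and keeps the one whose output looks most like JavaScript. The token list and the sample text are constructed for the demonstration, using function names grepped from the decoded payload on this page.

```python
# Added example: recover a single-byte XOR key for the Storm/Zhelatin landing
# page script by brute force. Not code from the original post.

# Tokens a decoded exploit script is likely to contain (constructed list; the
# function names come from the grep output shown on this page).
JS_TOKENS = (b"function", b"var ", b"setTimeout", b"CreateObject",
             b"XMLHttpDownload", b"ShellExecute", b"ADODB", b"String.fromCharCode")


def xor_str(data: bytes, key: int) -> bytes:
    """Same transform as the page's xor_str(plain_str, 20), on bytes."""
    return bytes(b ^ key for b in data)


def score_js(candidate: bytes) -> int:
    """Higher means more JavaScript-like. Any non-printable byte disqualifies."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    if printable != len(candidate):
        return -1
    return printable + sum(10 * candidate.count(tok) for tok in JS_TOKENS)


def recover_key(blob: bytes) -> tuple:
    """Try every key 0..255 and return (key, decoded) with the best score."""
    best = max(range(256), key=lambda k: score_js(xor_str(blob, k)))
    return best, xor_str(blob, best)


# Constructed stand-in for the decoded payload (harmless; only function shells).
SAMPLE_PLAIN = (b'function h() {mm=mm; setTimeout("h()", 2000);}\n'
                b"function start() { var x = 1; }\n")


def demo(key: int = 20) -> int:
    """Encode the sample with `key`, recover it blind, return the recovered key."""
    found, decoded = recover_key(xor_str(SAMPLE_PLAIN, key))
    if decoded != SAMPLE_PLAIN:
        raise RuntimeError("wrong key %d recovered" % found)
    return found


if __name__ == "__main__":
    print("recovered key:", demo(20))
```

On a real capture, feed recover_key the raw bytes of the encoded string literal; the page’s key of 20 is just one sample and a wrong guess scores lower than the true decode because of the token hits.
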
I don’t really have time to dig deeper (it’s 03:31 right now!), but here’s the list of functions grepped out of the decoded exploit code.

h() {mm=mm; setTimeout("h()", 2000);}
getb(b, bSize)
CreateObject(CLSID, name) {
XMLHttpDownload(xml, url) {
ADOBDStreamSave(o, name, data) {
ShellExecute(exec, name, type) {
MDAC() {
start() {

A final note. The virustotal.com result for the decoded payload gives a 46.88% (15/32) detection rate. What is interesting is that the detections are by a very different set of AV products and identified by a very different set of names! Only 7 engines detected both the encoded and decoded forms. Of these seven only one gave them the same name, but this was the rather uninspiring “Downloader” from Symantec. I kind of expected that at least one product would be able to perform the decode and identify the payload (although if you can detect prior to doing this you save CPU time, so doing the decode isn’t necessarily desirable).

All in all I think it is rather sad that malware this lame will probably do its intended job and net a few more netizens for the botnet empire.