Wednesday, September 7, 2011

Hello, Birus! A Note on BIOS Rootkits

Author: Vitaly Kiktenko, Design and Test Lab

In recent weeks a new rootkit that is able to infect the system BIOS was discovered (Rootkit.Win32.Mybios.a). The initial code of this malware is executed as part of the BIOS boot code loaded from the motherboard ROM, which is the earliest startup point known so far. This malware infects AwardBIOS systems that have the AWDFLASH software embedded in the BIOS. Although the main code of this rootkit still resides in the MBR and acts as an ordinary bootkit, the ROM code contains a malware self-regeneration routine that is invoked by the BIOS after each system reboot, which makes system disinfection more challenging. The rootkit uses the SMI port to rewrite the BIOS, using the configuration of the BIOS-embedded AWDFLASH software. The malware dropper also carries the legitimate utility CBROM, which was developed by Phoenix Technologies and is commonly used by hardware vendors to customize BIOS code for their products. The malware uses this utility to embed its own module into the victim’s computer BIOS as an ISA ROM BIOS extension. The code in the BIOS checks the boot drive’s MBR for the bootkit code and rewrites it from a backup stored in the BIOS.

Such malware does not seem to be widespread for now, but it may become common in the future with the development of generic system management interfaces for firmware updates.

Wednesday, July 13, 2011

Thursday, June 30, 2011

Article: Security in the Cloud

Alexander Adamov published his new article titled «Security in the Cloud». Here is a short abstract:

Today the virtual user space is being expanded by the widespread growth of social networking and Internet services that allow data processing and storage to be moved «into the cloud» with the help of modern Internet technologies.

The term «cloud» is used as a metaphor; it is mentioned in an IEEE Internet Computing article published in 2008 and defined as:

Cloud computing is a paradigm in which information is permanently stored on servers on the Internet and cached temporarily on the client side, such as personal computers, game consoles, laptops, smartphones and so on.

Thus, a user becomes less tied to a personal computer, which is used only to access online services, obtain the necessary data and perform operations on it. This approach allows us to abstract from the hardware characteristics of the device used to access the Internet and to use any mobile hardware and software platform for a wide range of applications in the cloud. More information about the concept of «cloud computing» can be found on Wikipedia. We now turn to the security issues related to data stored in the cloud, secure access, and protecting these services against attacks.

Read the full article «Security in the Cloud».

Thursday, June 23, 2011

Eugene Kaspersky Calls Pavel Durov to Respect Users’ Privacy

Yesterday, Eugene Kaspersky — head of the leading anti-virus vendor Kaspersky Lab — wrote a LiveJournal post titled «7 advices on how to improve users’ security and privacy in Vkontakte social network. An open letter to Pavel Durov». This letter follows recent changes in Vkontakte’s security settings: friend lists are now visible to everyone, and only 15 hidden friends per user are allowed.

Vkontakte is a top-rated social network, the most popular in Russia, Ukraine, Belarus and other post-USSR countries. It has over 70 million users. Founder and CEO: Pavel Durov.

Eugene Kaspersky 2007
By Kl ingo (Own work) [GFDL or CC-BY-3.0], via Wikimedia Commons

Here is a brief outline of Kaspersky’s seven pieces of advice.

1. Develop a new approach to privacy. Today the Vkontakte privacy settings allow any user to see the personal data of any other user by default (photos, videos, list of friends, notes and so on). Mr. Kaspersky suggests the following well-known security practice: «hide everything and allow users to open anything they want».

2. Introduce complete removal of user accounts. Vkontakte follows Russian law: a removal request can take up to three months to be considered. Eugene suggests making this process quicker and more liberal.

3. Create special terms for minors. Parents must have the right to request removal or suspension of their children’s social profiles. Moreover, geolocation services must be disabled for such profiles.

4. Educate users. You are protected if you are educated. The existing Vkontakte security guidelines are insufficient and outdated. Vkontakte should develop an educational portal with video courses, manuals, a live chat with security specialists and FAQs.

5. Enable HTTPS. It will provide confidentiality and security for users even on public networks. Kaspersky suggests enabling this feature by default.

6. Implement two-factor authentication. It is not a big deal for a criminal to steal, sniff or guess a victim’s password. Vkontakte should follow banks, financial institutions and some online services in this approach: two-factor authentication using a mobile device needs to be implemented. This feature will not greatly affect usability.

7. Certify applications. Third-party applications extend the basic features of the social network. However, the uncontrolled proliferation of applications, including «gray» and malicious ones, increases security risks. So Vkontakte should significantly improve its certification process.

Monday, June 20, 2011

A Quick Review of Malware Sandboxes

As you might guess from the title, this time the focus is on services that make it possible to investigate suspicious files without launching them on your own machine. Such services are called sandboxes. Usually they are virtual or real machines equipped with a means of monitoring changes in the file system, the registry and network activity. Less commonly used systems are emulators that do not use an operating system, even a virtual one. An emulator is a complicated system, and I’ll tell more about it another time.

Four online sandbox services are covered in the review:

  • GFI Sandbox
  • Norman SandBox
  • ThreatExpert
  • CWSandbox

Read the full article «Online Sandboxes» by Dmytro Krasylnikov.

Tuesday, June 14, 2011

Computer and Internet Security Video Tutorials

As you have probably noted, we have released the Computer and Internet Security Video Tutorials. The course consists of 4+ hours of screencasts about the theory and practice of malware diagnosis, analysis and removal.

You can buy the course immediately over the Internet: buy security videocourse. The price is $49.95.

Another way is to pay per view. You can watch selected tutorials here: Internet Security Tutorials.

Information for resellers and affiliates

We are looking for resellers and affiliates. Get up to 40% commission on each sale. Register for the affiliate program with ShareIT! — our trusted e-commerce partner.

Friday, June 10, 2011

Trojan-Ransoms Infect Master Boot Records

Author: Yuri Bredikhin

Information about a trojan that blocks Microsoft Windows by overwriting the Master Boot Record appeared last year. The trojan was downloaded by a trojan from the Oficla family, and many antivirus companies put it in the Seftad family of malicious programs. The complete description of the trojan can be read in our Malicious Programs Encyclopedia.

Nowadays the trojan has been modified slightly, and its detection name as well. But its payload remains the same: the Master Boot Record is overwritten in order to block the boot-up of Microsoft Windows. Right after the infection, the trojan restarts Windows. Then the user sees the following message:

Attention ! Windows activation period is exceeded.
This windows copy is illegal and not registered properly.
The further work is not possible.
For activating this copy of windows yo must enter registration code.

This code you can find in your windows distribution package.
If you not find them you can receive it by the phone: +423 877 0158.
Registration code must be entered not later then three days, if it entered later the unlocking is not possible.

This time there are no fake messages about hard drive encryption, but there is a message regarding an unlicensed and unregistered copy of Microsoft Windows. Also, there is a phone number where a code to unblock the system can be requested. The trojan uses different phone numbers depending on the language installed in the system:

+423 877 0158
0906-000 172
0906-000 169
0906-000 173
899 021 233
0907 480 52
0907 480 46
0930 823 833

The number shown in the screenshot (+423 877 0158) is used by default. Nevertheless, the unblocking code is quite simple: it is necessary to enter 14 arbitrary characters (e.g. we used «abcdefg1234567»), and the trojan will restore the original Master Boot Record. The trojan’s own MBR will be deleted.
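Both the Mybios BIOS rootkit described in the September post above (whose ROM code re-plants the bootkit into the MBR after every reboot) and this Trojan-Ransom work by overwriting the boot sector. A practical defensive check is therefore to keep a fingerprint of the known-good MBR and compare the sector against it on every inspection. The following is an added example, not code from the original post or from Design and Test Lab: it parses a 512-byte MBR into bootstrap code and partition entries, records a baseline, and reports what changed. The three sector images it uses are constructed for the example and are not real malware; the helper `build_mbr` only exists to assemble them.

```python
"""Added example (not from the original post): baseline integrity check of a
512-byte Master Boot Record. All MBR images used here are constructed for the
example; none of them is a real malware sample or a bootable sector."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # x86 bootstrap code area
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the bootstrap code
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


@dataclass
class PartitionEntry:
    bootable: bool     # status byte 0x80 marks the active partition
    type_id: int       # e.g. 0x07 for NTFS
    lba_start: int     # first sector (little-endian u32)
    sector_count: int  # length in sectors (little-endian u32)


def parse_mbr(mbr: bytes) -> Tuple[bytes, List[PartitionEntry]]:
    """Split an MBR into its bootstrap code and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, count
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0:
            continue  # empty slot
        entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return mbr[:BOOTSTRAP_SIZE], entries


def record_baseline(mbr: bytes) -> Dict[str, str]:
    """Fingerprint a known-good MBR: hash bootstrap code and partition table separately."""
    parse_mbr(mbr)  # reject malformed input before trusting it as a baseline
    return {
        "bootstrap": hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": hashlib.sha256(mbr[PARTITION_TABLE_OFFSET:510]).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline: Dict[str, str]) -> List[str]:
    """Compare a freshly read MBR against the baseline; an empty list means no change."""
    try:
        _, entries = parse_mbr(mbr)
    except ValueError as exc:
        return [f"malformed MBR: {exc}"]
    current = record_baseline(mbr)
    findings = []
    if current["bootstrap"] != baseline["bootstrap"]:
        findings.append("bootstrap code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if not any(e.bootable for e in entries):
        findings.append("no partition is marked active")
    return findings


def build_mbr(bootstrap: bytes, entries: List[PartitionEntry]) -> bytes:
    """Assemble a constructed MBR image for the example (hypothetical helper, not bootable)."""
    if len(bootstrap) > BOOTSTRAP_SIZE or len(entries) > 4:
        raise ValueError("bootstrap too long or too many partition entries")
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if e.bootable else 0x00,
                    e.type_id, e.lba_start, e.sector_count)
        for e in entries
    ).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples: a clean sector, one whose bootstrap code was replaced while
# the partition table was kept (a bootkit that still wants Windows to boot), and
# one whose whole sector was clobbered, partition table included.
NTFS_PARTITION = [PartitionEntry(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\xeb\x3c\x90CONSTRUCTED-CLEAN-BOOTSTRAP", NTFS_PARTITION)
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90CONSTRUCTED-REPLACED-BOOTSTRAP", NTFS_PARTITION)
CLOBBERED_MBR = build_mbr(b"CONSTRUCTED-LOCK-SCREEN-LOADER", [])


if __name__ == "__main__":
    baseline = record_baseline(CLEAN_MBR)
    for name, image in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                        ("clobbered", CLOBBERED_MBR)]:
        print(name, check_mbr(image, baseline) or ["matches baseline"])
```

On a live system the 512 bytes would be read from the raw boot device with administrator rights (for instance the first sector of the physical disk) and the baseline taken right after a trusted installation. One caveat follows directly from the September post: when the reinfection routine lives in BIOS ROM, a clean result after restoring the MBR proves nothing about the firmware, so the check has to be repeated after the next reboot, and a bootstrap hash that keeps reverting to a foreign value is the signal to look at the BIOS image itself.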

Wednesday, May 11, 2011

Article: Wireless Security

In the article titled «Wireless Security» Alexander Adamov tells about different kinds of attacks on wireless networks. The most recent tool for attacking wireless networks (stealing credentials for popular online services) is Firesheep.

Then the author describes the standards for wireless security and encryption: WEP, WPA and WPA2. The differences between them are considered as well.

Read the full article: «Wireless Security».

Friday, April 15, 2011

Article: Files With a Digital Signature

We invite you to read a quick tutorial on the digital signature mechanism. The article «Files With a Digital Signature» was written by Dmytro Krasylnikov.

Here is an outline of the article:

  • Motivation to use digital signatures
  • What is whitelisting?
  • Some flaws of the digital signature mechanism (e.g. Stuxnet)
  • Why don’t attackers buy certificates to sign malware?

Read more: «Files With a Digital Signature».

Saturday, December 18, 2010

An article about the Debian release cycle

Dmytro Krasylnikov (one of our analysts) wrote an article about the release cycle of Debian. The article briefly describes some history of this Linux distribution. Then the author tells about the major development stages: testing, stabilization and release. The problem of new versions of different programs is also described.

You can also read the whole list of Design and Test Lab’s articles or visit Dmytro’s blog at av-school.com.