Paying a price for the open-source advantage

JULY 2006
™
Security Vision from McAfee® Avert® Labs
Vol. 1 • Issue 1
Paying a price
for the open-source
advantage
2 Security Trends and Events of the Last Six Months
26 Building Better Bots
6 Good Intentions Gone Awry
36 Is Open Source Really So Open?
13 Money Changes Everything
38 Vulnerability Bounties
21 Open-Source Software in Windows Rootkits
40 Will the Worm Eat the Apple?
Sage JULY 2006
Money
13
Changes Everything
Malware authors leverage
open-source model for profit.
By Igor Muttik
A
turning point in the evolution
of malicious software occurred
in 2003 and 2004. Prior to
then, unsatisfied teenagers, trying to
prove themselves, were responsible for
the development of most viruses and
Trojans. Since then, the spectrum of
questionable and undesirable programs
has expanded to encompass more
than pure malware, and the underlying
motivation has shifted to financial gain.
the graph in Figure 1 shows, the sheer
number of PUPs families has grown
dramatically since 2003.
Astonishingly, growth in malware
threats has also picked up in the last 18
months. Figure 2 shows the growth in
malware threats since 2002, based on
unique malware samples submitted
to McAfee® Avert® Labs. The sharing of
malicious source code and obfuscating
tools, coupled with financial
Adware and spyware, generally
classified as potentially unwanted
programs (PUPs) and not malware,
are among the clearest examples of
this shift in the threat environment. As
incentives, has dramatically affected
the global threat level, increasing both
the number and the complexity of
threats, while decreasing susceptibility
to detection.
Sage JULY 2006
Spyware
700
70
600
60
500
50
Count of Families
Count of Families
Adware
400
300
200
40
30
20
10
100
0
0
2000
2001
2002
2003
2004
2005
2000
2001
2002
Year
2003
2004
2005
Year
Figure 1: Adware and spyware family counts
Source: McAfee Avert Labs
The prevalence of Internet Relay Chat (IRC)
bots is a substantial component of the malware
growth shown in Figure 2. The term bots is
adapted from robots because bots are typically
automated scripts or programs that execute a
series of instructions based upon pre-defined
stimuli. Contemporary malware bots are similar
in that they autonomously crawl the Internet,
looking for vulnerable computers. Once one
has been found, a bot launches a scripted
exploit against it, typically obtaining root-
level privileges. The bot is then able to start
processes, inject malicious code, and turn the
computer into a new drone for its master. Drones
periodically communicate back to the master,
or bot herder, for further instructions. These bot
herds are often used for a variety of nefarious
purposes, including Denial of Service (DoS)
attacks, spamming, disseminating malware, and
collecting confidential information. IRC bots are
particularly popular because they communicate
through a distributed network of IRC servers that
Unique Malware Submissions to McAfee Avert Labs, 2002 to 2006
200,000
Count of Threats (excludes PUPs)
150,000
100,000
50,000
4/9/06
2/9/06
12/9/05
10/9/05
8/9/05
6/9/05
4/9/05
2/9/05
12/9/04
10/9/04
8/9/04
6/9/04
4/9/04
2/9/04
12/9/03
10/9/03
8/9/03
6/9/03
4/9/03
2/9/03
12/9/02
0
10/9/02
14
Date
Figure 2: Number of unique malware submissions
Source: McAfee Avert Labs
Sage JULY 2006
Financial Motivation
There are several
motivations for
bot herders, but
only the last two
in this list are not
implicitly driven by
financial gain.
• Launching a Distributed Denial
of Service (DDoS) attack on a Web
site (for extortion)
• Generating revenue through adware
installations on controlled PCs
• Generating revenue through payper-click schemes and spoofing
affiliate schemes
• Installing other malware, such as
backdoors and password- or datastealing Trojans (including credit
There is significant
evidence to confirm
that financial
motivation underlies
bot development.1
these machines are traded in chat
rooms. Virus authors and middlemen administer payment through
anonymous accounts or by using
Western Union money transfers.
Organized criminals can use these
networks to run huge DoS attacks
or distribute spam with viruses
that steal credit card and/or bank
• McAfee Avert Labs’ analysis
confirms that certain variants of
W32/Mytob have been involved in
downloading the following adware:
Adware-ISTbar, Adware-BB,
Adware-Websearch, Adware-RBlast,
Adware-SAHAgent, Adware-WinAd,
Adware-SideFind, Adware180Solutions, Adware-DFC, and
Adware-ExactSearch
• Many W32/Sdbot variants are distributed along with SMTP proxies
(Proxy-FBSR and Proxy-Piky)
• The German magazine c’t
details from unsuspecting users
• In September 2004, Norwegian
Internet provider Telenor shut
down a botnet consisting of
approximately 10,000 machines.
The botnet was ready to perform
DoS attacks and hacking attempts
on numerous computers and
networks3
• In March 2004, criminal syndicates
operating from Russia targeted
betting Web sites worldwide. The
criminals threatened to launch
DoS attacks on the Web sites
card data, banking login details,
reported in February 2004 that it
unless the business owners paid
PayPal, Nochex, etc.)
was able to buy access to a botnet
a ransom of up to £30,000 each
from Peter White, a.k.a “iss,” a
(approximately U.S. $57,000). The
developer of chat-server software.
bookmakers worked closely with
White offered the services of his
the United Kingdom’s National
botnet to distribute spam for U.S.
Hi Tech Crime Unit to prevent
$28,000 a month2
these attacks and help secure the
• Installing SMTP proxy software to
propagate spam
• Stealing data from computers and
networks (often for identity theft)
• Reselling botnets (for DDoS attacks
prosecution of the extortionists.
• The same story also quotes a
In addition, some bookmakers
Scotland Yard source who said,
invested up to £100,000 (approxi-
“Small groups of young people
• Using a distributed network of
mately U.S.$189,000) to increase
are creating a resource of 10,000
computers to crack passwords
the security of their sites3
to 30,000 computers networked
or spam relaying)
• Controlling a large number of
computers to participate in a
bot war
together and are renting them out
According to a Reuters report from
1. “McAfee Virtual Criminology Report: North American
Study into Organized Crime and the Internet,” July 2005,
http://www.mcafee.com/us/local_content/misc/mcafee_
na_virtual_criminology_report.pdf
July 2004, the going rate is as low
2. http://www.heise.de/ct/
as U.S. $100 an hour. There is also
3. “McAfee Virtual Criminology Report: The First
Pan-European Study into Organised Crime and the
Internet,” January 2005, http://southwales.bcs.org/docs/
McAfeeCriminologyReportUK.pdf
to anybody who has the money.”
evidence that the IP addresses of
15
16
Sage JULY 2006
effectively cloaks the bot herders from detection.
Since 2004, IRC bots have grown from 3 percent
to 22 percent of all malware threats (see Figure
3). A raw count of active IRC bots is equally
alarming (see Figure 4).
The use of IRC bots in for-profit ventures,
such as spamming and collecting confidential
information, has forced malware authors to
improve the quality and features of their code. To
those ends, malicious programmers are adopting
coding practices and controls akin to those in the
legitimate software development world.1 They
are also adapting social and professional norms,
established by the open-source community,
to develop malware, and capitalizing on the
widespread availability of source code for many
of the Internet’s popular malware families.
There is little doubt that this availability has
dramatically increased the general threat level
and pervasiveness of specific threats. Ironically,
this same dynamic led to the proliferation of
open-source software and its resulting benefits.
IRC-Sdbot
2002,2 but its source code has become the basis
for thousands of other IRC bots as programmers
have added functionality.
Although W32/Sdbot began as a nonpropagating Trojan, later strains employed
spreading mechanisms, such as share-hopping,
the use of numerous exploits, and weak
password detection. Some of these strains
received separate names such as Rbot, Forbot,
and Wootbot.
Two other large IRC bot families experienced
similar shared development: W32/Spybot (first
appearance in May 2003) and W32/Gaobot
(first appearance in October 2003, with a latter
strain dubbed Phatbot). New versions of source
code for these families are readily available
on the Internet. By adding new functionality,
programmers fuel the generation of even more
variants. Each of these bot families now includes
thousands of variants.
Bolting Threats Together
The IRC-Sdbot Trojan demonstrates how a single
piece of malware can have a ripple effect. IRCSdbot originally appeared in the first quarter of
There is a growing trend toward compound
threats, or bundled malicious tools. For example,
W32/Mytob was created by bolting a mass-mailing
routine from W32/Mydoom to the W32/Sdbot.
1. See Michael Davis’ “Building Better Bots” in this issue.
2. http://vil.nai.com/vil/content/v_99410.htm
Malware Composition, 2004–2006
100%
90%
80%
PUPs
70%
Trojans
Win32
60%
Scripts
50%
Macros
Legacy
40%
Bots
30%
20%
10%
0%
2004
2005
2006
Figure 3: Malware composition breakdown1
1. In the graphs, “legacy” denotes DOS, boot-sector, and Windows 3.1 viruses.
Source: McAfee Avert Labs
Sage JULY 2006
IRC Bots Detected
45,000
Count of Active Bots
40,000
35,000
30,000
25,000
20,000
15,000
10,000
5,000
0
2004
2005
2006
Figure 4: IRC bots catalogued as of March 2004, 2005, and 20062
2. These numbers include field reports, samples from honeypots, and submissions from anti-virus companies.
It is not possible to determine if all samples originated from true field infections.
Source: McAfee Avert Labs
The W32/Mydoom family
has hundreds of variants, significantly more than a
typical malware family, and that is most likely due
to the widespread availability of its source code.
In January 2004, the mass-mailing W32/Mydoom
virus created one of the worst virus outbreaks
ever.3 Another virus, W32/Doomjuice, distributed
W32/Mydoom’s source code in February 2004.4
Undoubtedly, when bot writers sought to add a
mass-mailing feature, the field success of W32/
Mydoom and the easy availability of its source
were important factors in its selection. This
started the new W32/Mytob family in March 2005.
Figure 5 illustrates the ebb and flow of new
variants in the W32/Mydoom and W32/Mytob
families. The graph shows that the W32/Mydoom
family has hundreds of variants, significantly
more than a typical malware family, and that is
most likely due to the widespread availability of
3. http://vil.nai.com/vil/content/v_100983.htm
4. http://vil.nai.com/vil/content/v_101002.htm
its source code. The graph also shows that the
creation of W32/Mytob (achieved by merging
the W32/Mydoom source into W32/Sdbot)
revitalized the generation of new variants.
Around the spring of 2005, W32/Sdbot went
through yet another incarnation when it
acquired the FURootkit backdoor to cloak
itself from users and from anti-virus scanners.
Statistics from the Microsoft® Malicious Software
Removal Tool show that FURootkit was the most
common non-replicating malware at the end
of 2005,5 due to its inclusion in W32/Sdbot. On
its own, FURootkit does not have a propagation
mechanism; thus, W32/Sdbot served as the
principal springboard for its dissemination.
5. J.Garms, “An Accurate Understanding of On-Going Malware Presence,” AVAR
2005, Tianjin, PRC.
17
Sage JULY 2006
Mydoom to Mytob
40
35
W32/Mydoom
W32/Mytob
30
Variants
4 per Moving Avg. (W32/Mydoom)
4 per Moving Avg. (W32/Mytob)
25
20
15
10
5
Figure 5: Tracking the shift from Mydoom to Mytob
Source: McAfee Avert Labs
Multi-component threats are growing, with
obfuscation tools being the latest added feature.
For example, the Swizzor Trojan was packed with
the packer UPC to protect it from detection. The
perennial Hacker Defender rootkit has a special
relationship with a packing tool called Morphine.
Packing tools, as we shall see, are another
obfuscation technique that is shared within the
malware community. These tools help malware
evade anti-virus scanner detection, extending the
useful life of both new and old malware.
Packers and Security
Envelopes (Protectors)
In general, packers are a class of software that
compress files to save disk space, such as Winzip.
Malware developers, however, are not interested
in compression so much as a by-product of
packers’ use. Packed files no longer resemble the
originals on a binary level, but are still recoverable
and executable, thus making them effectively
hidden from signature-based anti-virus scanners.
For anti-virus scanners to detect packed malware,
they must be able to inspect compressed data.
Applying a packer to 1,000 worms effectively
creates 1,000 new, undetectable worms, unless the
scanners can see through the packing.
Security envelopes, also known as protectors or
cryptors, are another set of tools used by malware
authors for obfuscation. Though they have
legitimate uses, such as protecting games from
copyright abuses, these tools extend the useful
life of malware by hindering analysis and reverse
engineering of samples through numerous antidebugging and anti-emulation tricks.
Applying packers and protectors requires little
skill. Combined with their relative effectiveness,
it is a recipe for rapid malware growth. Malware
authors often employ several layers of packers and
protectors. They also use commercial software
installers such as InstallShield, Wise, and Nullsoft
to obfuscate malware. Figure 6 shows the growth
in the number of packers (counting only major
versions, protectors included) and the proportion of
packed malware. Today, packers and/or protectors
obfuscate more than 50 percent of malware.
Figure 7 shows the life cycle of the Morphine
packer (discussed later). As with other malware,
packers have a predictable life cycle with a
popularity window that eventually tails off as they
become less effective at obfuscating malware.
However, packers have a longer useful lifespan
than most malware because engineering a solution
for each packer is more complex than adding a
malware signature to an anti-virus scanner.
Most packers are used almost exclusively for
malware concealment. Figure 8 shows the
prevalence of seven obfuscating tools (packers and
protectors) as a percentage of all packed malware
samples submitted to McAfee Avert Labs.
pr
6A
200
b
n
ar
200
6M
6 Fe
200
ec
6 Ja
200
ov
5D
5N
200
200
p
5O
ct
200
ug
5 Se
200
5 Ju
l
5A
200
200
ay
5 Ju
n
200
pr
5A
5M
200
200
b
n
ar
5M
200
5 Fe
200
ec
5 Ja
200
ov
4D
4N
200
200
p
4O
ct
200
ug
4 Se
200
4 Ju
l
4A
200
200
ay
4 Ju
n
4M
200
200
ar
pr
4A
n
4 Ja
4M
200
200
200
4 Fe
b
0
200
18
Sage JULY 2006
Packers on the rise include PE-Compact2, NSPack,
and UPack v>2. Although a few packers experience
stable usage, the most popular packers tend to
gradually vanish as they lose their effectiveness.
Let’s examine an example of how the desire
to prolong the useful life of malware led to
the development of an obfuscating tool and an
entire community to support it.
Malware Development
Communities
One popular Web site devoted to rootkit
development is the Slovakian “Hacker
Defender” site,6 which carries many versions
of the Hacker Defender rootkit source code and
hosts development discussions.
6. http://www.hxdef.org/
Packer Statistics
140
60%
Packer count
Packed %
120
Count of Packers
100
40%
80
30%
60
20%
40
10%
20
Percent of Packed Malware
50%
0%
0
2000
2001
2002
2003
2004
2005
Year
Figure 6: Count of packers and prevalence of packed malware
Source: McAfee Avert Labs
Morphine Evolution
450
400
Morphine 1.2+
Morphine 1-1.2
350
300
Samples
250
200
150
100
50
0
200
3O
ct
200
3D
ec
200
4 Ja
n
200
4 Fe
b
200
4M
ar
200
4A
pr
200
4M
ay
200
4 Ju
n
200
4 Ju
l
200
4A
ug
200
4 Se
p
200
4O
ct
200
4N
ov
200
4D
ec
200
5 Ja
n
200
5 Fe
b
200
5M
ar
200
5A
pr
200
5M
ay
200
5 Ju
n
200
5 Ju
l
200
5A
ug
200
5 Se
p
200
5O
ct
200
5N
ov
200
5D
ec
200
6 Ja
n
200
6 Fe
b
200
6M
ar
200
6A
pr
200
6M
ay
-50
Month
Figure 7: Evolution of the Morphine packer
Source: McAfee Avert Labs
19
Sage JULY 2006
Packer Prevalence
30%
25%
% of Malware
20
20%
15%
10%
5%
0%
2005 Sep
2005 Oct
2005 Nov
2005 Dec
UPX
FSG 2.0
NSPack
2006 Jan
Morphine
Mew 1.1+
2006 Feb
2006 Mar
PE-Compact2
UPack v>2
Figure 8: Percentages of malware packed with each packer
Source: McAfee Avert Labs
Below is a statement from the Hacker Defender
Web site.
Welcome to www.hxdef.org - home of the
Hacker defender project. This Project was
started in 2002. Many things has [sic] changed
since then. There are two main subprojects on
this page. First is Hacker defender Windows
NT rootkit. The second is PE module encryptor
for Windows NT called Morphine, its purpose
is to protect PE modules against antivirus
detection. Both of these programs are free and
open source but both have their paid versions
which can be ordered in antidetection section
as antidetection service. There are also other
open source programs in download section.
They mostly implement some undocumented
NT stuff for which is hard to find a good source
code on the net.
This statement is revealing. It is a clear example
of an open-source threat development project,
and demonstrates how malware authors
have embraced the open-source model and
are actively sharing and contributing to each
others’ development efforts. It also shows
that this loosely organized community and
its polymorphic Morphine packer project is
engaged in an arms-race style of competition
with commercial anti-virus software vendors.
Conclusion
The growth of bots is due to two factors—
financial motivation and the availability of
source code. Without financial incentives, there
would be far fewer variants. The financially
neutral Mydoom family, for example, has far
fewer variants than any major bot family. Also,
without large-scale source-code sharing, we
would not see the handful of massive families
that we have today. Rather, we would expect
to find many small families, reflecting the
individual efforts of separate researchers.
But the malware community is no longer a
scattered army of individual hobbyists. The
addition of funding from successful botnet
deployments and the leveraging of open-source
tools and techniques have created a formidable
machine for the creation, modification, and
distribution of threats.
About the author
Igor Muttik is a Senior Research Architect at McAfee Avert
Labs. He speaks regularly at security conferences and has
been researching viruses since 1987. Igor received his PhD in
Physics and Mathematics from Moscow University in 1989.
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com
McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of
McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.
11-avert-sage-rpt-0706