Showing posts with label f-secure. Show all posts

Sep 11, 2007

[Security] New Skype worm and rejoinder on URL obfuscation

F-Secure, Trend Micro, and Symantec are reporting on a new worm spreading via Skype.

The malware is the usual IM variety: it propagates by sending links to the victim's Skype contacts. At face value the link points to a harmless JPEG file, but clicking it downloads and runs a copy of the worm. To cover its tracks, the worm then displays the image SOAP BUBBLES.BMP (if it exists on the user's computer), so the victim sees a picture and nothing seems amiss.

It also does what bot worms usually do: it shuts down security applications and blocks security-related Web sites by modifying the HOSTS file, so that the infected machine can no longer reach vendor update and scanning sites.
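
The HOSTS trick is easy to check for. The script below is an added example (not code from the post or from any of the vendors mentioned): it parses HOSTS-file text and flags watched security-vendor names that have been pointed at a sinkhole address (blocked) or at some other address (redirected, which is worse, since the attacker can then impersonate the site). The watch-list and the sample HOSTS content are constructed for illustration; the default HOSTS path on Windows is C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed watch-list of security-vendor and update domains. Extend it
# with whatever your environment depends on for updates and scanning.
WATCHED_SUFFIXES = (
    "f-secure.com",
    "trendmicro.com",
    "symantec.com",
    "mcafee.com",
    "microsoft.com",
)

# Where worms usually point blocked names: loopback or the unspecified address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text.

    Comments (# ...) and blank lines are skipped, and a line may map one
    address to several names. Malformed lines are ignored rather than raised,
    because a tampered HOSTS file is exactly the input we expect here.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True for a watched domain or any of its subdomains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return (hostname, ip, reason) for every watched name the HOSTS file
    overrides: 'blocked' when mapped to a sinkhole address, 'redirected'
    when mapped anywhere else."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_watched(name):
            reason = "blocked" if ip in SINKHOLE_ADDRESSES else "redirected"
            findings.append((name, ip, reason))
    return findings


# Constructed sample: a stock Windows HOSTS file plus lines a worm appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost

127.0.0.1 www.f-secure.com
127.0.0.1 www.trendmicro.com  # update server
0.0.0.0   liveupdate.symantec.com
192.0.2.10 windowsupdate.microsoft.com
127.0.0.1 www.example.com
"""

if __name__ == "__main__":
    # On a live Windows box, read the real file instead of the sample:
    # open(r"C:\Windows\System32\drivers\etc\hosts").read()
    for name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason:10} {name} -> {ip}")
```

Run against the sample it reports four entries (three blocked, one redirected) and ignores the www.example.com line, which is not on the watch-list. A HOSTS file that has just been cleaned is not a cure on its own: the worm that wrote it is still running and will write it again, so treat a hit as an indicator of infection, not as the thing to fix.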

Skype users are advised not to click on links sent via Skype's chat feature, unless they are very sure that the link is legitimate.

Incidentally, in a previous post I discussed the problems caused by the lack of standards for malware descriptions. Here is another instance of it, this time defeating the whole point of obfuscating a malicious URL. Both Trend Micro and F-Secure published the URL the worm sends in their blog posts on the Skype worm. Both obfuscated it, but each masked a different part of it.

(click on the image to view full size)

On F-Secure: [screenshot of the obfuscated URL]

On Trend Micro: [screenshot of the obfuscated URL]
Put the two side by side, and the complete URL can be reconstructed from the parts each vendor left visible.

Aug 28, 2007

[Security] Sony caught using rootkit - again

Some people don't ever learn.

Sony BMG came under fire in November 2005 when the copy-protection (DRM) software on its audio CDs was found to install a rootkit. Sony was mercilessly skewered by the antivirus companies for the stunt and had to issue an update to remove it.

Almost two years later, Sony has once again been caught putting questionable technology into one of its products, this time a USB flash drive.

From F-Secure Weblog:

The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.

In addition to the software that was packaged with the USB stick, we also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality.

It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here.


Sony was contacted, but had not replied by the time the blog post was published.

Why is a rootkit dangerous? Rootkit technology lets a piece of software hide its files from the ordinary Windows view: Explorer, the standard file-listing APIs, and whatever tools are built on them. In the MicroVault case you can still get at the files from a command prompt, but only if you already know the exact directory and file names; nothing will enumerate them for you. Plenty of malware uses the same trick to keep primitive antivirus products and non-technical users from ever finding, let alone deleting, its files.
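
The property F-Secure describes (hidden from enumeration, reachable by name) is exactly what a cross-view check catches. The script below is an added example, not part of the post or of F-Secure's analysis: it enumerates a directory the normal way, then probes a list of candidate names by direct path access, and reports names that exist but do not appear in the listing. The `listdir` and `exists` callbacks are injectable so the logic can be exercised against the constructed simulated filesystem at the bottom; the candidate names are an assumption (in practice they come from a vendor advisory, from the software's own file references, or from a wordlist).

```python
import os


def default_exists(directory, name):
    """Direct probe by full path; on Windows this is a CreateFile-style open,
    a different code path from the directory enumeration a cloaking driver
    typically filters."""
    return os.path.exists(os.path.join(directory, name))


def find_cloaked(directory, candidates, listdir=os.listdir, exists=default_exists):
    """Return candidate names that direct access finds under `directory`
    but that its enumeration does not show.

    Names are compared case-insensitively, as Windows does. If the directory
    itself cannot be listed, there is nothing to compare and [] is returned.
    """
    try:
        visible = {name.lower() for name in listdir(directory)}
    except OSError:
        return []
    return [name for name in candidates
            if exists(directory, name) and name.lower() not in visible]


# Constructed simulation of a cloaking driver: the "real" tree contains a
# directory that the driver strips from every listing, while a direct probe
# of the path still succeeds, as F-Secure describes for the MicroVault folder.
SIM_TREE = {"c:\\windows": {"system32", "explorer.exe", "hidden_dir"}}
SIM_FILTERED = {"hidden_dir"}


def sim_listdir(directory):
    try:
        entries = SIM_TREE[directory.lower()]
    except KeyError:
        raise FileNotFoundError(directory)
    return sorted(n for n in entries if n not in SIM_FILTERED)


def sim_exists(directory, name):
    return name.lower() in SIM_TREE.get(directory.lower(), set())


if __name__ == "__main__":
    # Simulated run; on a real Windows machine drop the two keyword arguments
    # and point `directory` at C:\Windows with your own candidate list.
    print(find_cloaked("C:\\Windows", ["hidden_dir", "system32", "nothere"],
                       listdir=sim_listdir, exists=sim_exists))
```

The caveat a practitioner wants: this only works because the MicroVault driver filters enumeration and not path opens. A more thorough rootkit hooks both, and then the second view has to come from below the driver, such as reading the NTFS structures from a raw volume handle or examining the disk offline. Antivirus products that scan through the normal API are in the same boat, which is what F-Secure's "depending on the techniques employed" is about.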

Apr 20, 2007

[Security] Simple Phishing Scams via SMS

F-Secure has posted something that will look familiar to anyone in the Philippines.

A text message (SMS) is sent to a potential victim telling the recipient that he or she has won a sum of money or a car from some institution.

The difference from ordinary phishing is that the criminal does not ask for an account or ATM card number. The criminal is after the victim's money directly: either a meeting where the victim hands it over, or a deposit into a certain account that must be made before the "prize" can be released.

Naturally, the prize is non-existent. The victim is screwed.

The usual "prize money" is one million pesos and the usual "prize car" is an SUV. Even the Bangko Sentral ng Pilipinas (the central bank) has been named as the institution running the "raffle".

(This post is exclusive to the Geeky Guide.)

Mar 27, 2007

[Security] What were you thinking, Microsoft?

By default, Windows does not display the extension of "known" file types, meaning any extension that has a registered handler. That was fine until somebody sleazy realized the feature could be turned into a social-engineering tool: name a script something.TXT.vbs and the user sees something.TXT.

The I Love You virus (VBS_LOVELETTER) is a simple worm, and a tiny one, since it is nothing but a script. Yet it did enormous damage and put the Philippines on the malware map. All because the attachment, LOVE-LETTER-FOR-YOU.TXT.vbs, showed up as LOVE-LETTER-FOR-YOU.TXT and the name made a lot of people curious. All because Windows hid the extension. All because Microsoft decided VBScript files were a "known" type whose extension nobody needed to see.

Windows Vista was supposed to be the secure Windows, but it seems Microsoft has not learned its lesson (or is being stubborn). On its weblog, F-Secure laments that Vista, too, hides file extensions by default. I ask the same question the post's author posed: "What were they thinking?"
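
To make the mechanism concrete, here is an added example (not from the post, and not Explorer's actual code): it simulates the "hide extensions for known file types" display rule and then uses the same rule to flag names that exploit it, i.e. a file whose real extension is executable but whose displayed name ends in something that looks like a document or picture. The extension sets are a constructed subset; real Explorer decides what counts as "known" from the registered types under HKEY_CLASSES_ROOT.

```python
import os

# Constructed subset of registered extensions. .vbs was registered by default,
# which is why the Love Letter attachment displayed as a .TXT file.
KNOWN_EXTENSIONS = {".txt", ".jpg", ".doc", ".vbs", ".exe", ".scr", ".pif", ".bat"}
EXECUTABLE_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".com"}
BENIGN_LOOKING = {".txt", ".jpg", ".doc", ".pdf", ".gif", ".png"}


def displayed_name(filename, hide_known=True):
    """What Explorer shows for `filename`: with hiding on, the last extension
    is dropped if it is a known type; otherwise the full name is shown."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return filename


def is_disguised(filename):
    """True for the double-extension trick: the real extension is executable
    and the name the user sees ends in a benign-looking extension."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return shown_ext.lower() in BENIGN_LOOKING


def scan_names(filenames):
    """Return (filename, displayed) for every disguised name in a listing,
    such as a directory listing or the attachment names in a mailbox."""
    return [(f, displayed_name(f)) for f in filenames if is_disguised(f)]


if __name__ == "__main__":
    # Constructed sample listing, including the Love Letter attachment name.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt", "setup.exe",
              "photo.jpg.exe", "report.pdf.scr", "readme.TXT"]
    for real, shown in scan_names(sample):
        print(f"{shown!r} is really {real!r}")
```

On a real machine the display rule is the registry value HideFileExt under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 makes Explorer show every extension, which is the one-line fix the post is asking Microsoft to ship as the default. A mail gateway or endpoint tool can apply `is_disguised` to attachment names regardless of what the desktop shows.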