The authors of W32/Nuwar, aka the Storm worm, have been active again recently. Storm is speculated to be one of the largest botnets and has the potential to launch a mammoth DDoS attack. The huge rise in bot numbers lately has been attributed to the social engineering tactics that recent eCard spam mails employ. This threat is also believed to be behind the recent spam runs carrying RAR-compressed text files.
This notorious group is not only focusing on ‘improving the effectiveness’ of its spam but is also trying hard to evade detection of the malicious eCard executables, using techniques such as those described below.
There is a re-emerging trend among malware to parasitically infect executables that are already listed in the startup registry keys, inserting loader code for the malicious binary instead of using the traditional technique of modifying the startup registry keys directly. This could help bypass some of the tools that system administrators use to inspect the registry for suspicious executables. Recent variants of Nuwar parasitically infect tcpip.sys to insert the loader code for their malicious device driver file. Specifically targeting and infecting Windows device driver files (tcpip.sys in this case) is a pretty interesting technique. The following image shows the malicious code inserted at the end of the infected tcpip.sys file; the file's entry point is modified to point to this code.

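The infection pattern described above, code appended at the end of a driver with the PE entry point redirected into it, leaves a trace in the file headers that a defender can check without running the file. The following script is an added example written for this post; it is not McAfee's code and not tooling from the Storm authors. It parses the PE section table with nothing but the standard library and flags an entry point that lies outside every section, in a non-executable section, or in the last section while an earlier section is already executable. The sample images are constructed header-only PE32 layouts built by `build_pe`; they are not real copies of tcpip.sys, and the section names and addresses are invented for the demonstration.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
EXEC_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * 40          # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def section_index_for_rva(sections, rva):
    """Index of the section whose virtual range covers rva, or None."""
    for idx, sec in enumerate(sections):
        span = max(sec["vsize"], sec["rawsize"])
        if sec["vaddr"] <= rva < sec["vaddr"] + span:
            return idx
    return None


def check_entry_point(data):
    """Return a list of findings; an empty list means the entry point looks ordinary."""
    entry_rva, sections = parse_pe(data)
    findings = []
    idx = section_index_for_rva(sections, entry_rva)
    if idx is None:
        findings.append("entry point 0x%X lies outside every section" % entry_rva)
        return findings
    sec = sections[idx]
    if not sec["chars"] & EXEC_FLAGS:
        findings.append("entry point 0x%X is in non-executable section %s"
                        % (entry_rva, sec["name"]))
    earlier_exec = any(s["chars"] & EXEC_FLAGS for s in sections[:idx])
    if idx == len(sections) - 1 and earlier_exec:
        findings.append("entry point 0x%X is in the last section %s although an "
                        "earlier section is executable" % (entry_rva, sec["name"]))
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal header-only PE32 image (constructed test data, not a real driver)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, rawptr, chars in sections)
    return dos + coff + bytes(opt) + hdrs


# Constructed layouts: (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, flags)
TEXT = (b".text", 0x1000, 0x3000, 0x3000, 0x400,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x4000, 0x1000, 0x1000, 0x3400,
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
# Code blob appended as a new last section, with the entry point redirected into it
APPENDED = (b".xtra", 0x5000, 0x800, 0x800, 0x4400,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)

CLEAN_DRIVER = build_pe([TEXT, DATA], 0x1200)
INFECTED_DRIVER = build_pe([TEXT, DATA, APPENDED], 0x5010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_DRIVER), ("infected", INFECTED_DRIVER)):
        print(label, check_entry_point(image) or ["no findings"])
```

To run it against a real driver, read the file into `data` and call `check_entry_point(data)`; the heuristic is a triage aid only, and the authoritative check for a system file remains comparing its hash or signature against a known-good copy.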
Nuwar variants have also been using ‘server-based polymorphism’ to evade detection: the code for the top-level decryptor of the executable hosted on the server keeps changing while its overall semantics are preserved. A cocktail of some of the following anti-emulation techniques is also frequently introduced, and the code for these is constantly morphed as well.
- Use of various MMX instructions.
- Use of fake API calls: most Nuwar variants make fake Windows API calls such as CreateMDIWindowA, ILGetSize, etc. This is not dead code. The calls are fake because they are not made for the purpose the APIs exist for; instead, null or junk parameters are passed and the returned error codes are validated during decryption.
- Verifying the value at the end of the Structured Exception Handling chain.
We are keeping our eyes open!
We are an ISP in Spain and we have been receiving a strange DoS attack that has been growing since yesterday. This is the only reference I found to explain the problem.
Let me explain the case. The attack is performed against the mail server: the connection is opened but never closed by the client side. The connection is closed by the mail server after a timeout. With this method they exhaust sockets rapidly.
We have been identifying infected IPs at a rate of 16.000 per hour today. It was about 8000 yesterday. What will it be on Monday? We have been managing the situation, but this can get worse as people come back from summer holidays next Monday.
I would like to know if there is anyone else suffering this.
Pablo Barrachina
http://www.digitalvalue.es/
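The pattern the comment above describes, connections that are opened and then only ever closed by the server's idle timeout, can be pulled out of mail server logs to build a block list of the sources exhausting sockets. The script below is an added example, not part of the original post or of the commenter's setup: it assumes a hypothetical, simplified log format in which each line records a `connect`, `disconnect` (client closed) or `timeout` (server closed) event with the peer address; the sample lines are constructed, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Hypothetical one-event-per-line log format (assumed for this example)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>connect|disconnect|timeout) from (?P<ip>\d+\.\d+\.\d+\.\d+)$")

# Constructed sample: 10.0.0.5 never closes its connections, 10.0.0.6 behaves normally,
# 10.0.0.7 times out once (too little evidence on its own)
SAMPLE_LOG = """
2007-08-31 10:00:01 connect from 10.0.0.5
2007-08-31 10:00:02 connect from 10.0.0.6
2007-08-31 10:00:03 connect from 10.0.0.5
2007-08-31 10:00:04 disconnect from 10.0.0.6
2007-08-31 10:00:05 connect from 10.0.0.7
2007-08-31 10:00:06 connect from 10.0.0.5
2007-08-31 10:00:07 connect from 10.0.0.6
2007-08-31 10:00:08 disconnect from 10.0.0.6
2007-08-31 10:00:09 connect from 10.0.0.5
2007-08-31 10:05:01 timeout from 10.0.0.5
2007-08-31 10:05:03 timeout from 10.0.0.5
2007-08-31 10:05:05 timeout from 10.0.0.7
2007-08-31 10:05:06 timeout from 10.0.0.5
2007-08-31 10:05:09 timeout from 10.0.0.5
this line is noise and does not match the format
""".strip().splitlines()


def summarise(lines):
    """Count connect / disconnect / timeout events per source address."""
    stats = defaultdict(lambda: {"connect": 0, "disconnect": 0, "timeout": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                       # skip lines that are not connection events
        stats[m["ip"]][m["event"]] += 1
    return dict(stats)


def suspected_bots(lines, min_connects=3, min_timeout_ratio=0.8):
    """Sources with enough connections where nearly all ended in a server-side timeout."""
    flagged = []
    for ip, c in summarise(lines).items():
        if c["connect"] >= min_connects and c["timeout"] / c["connect"] >= min_timeout_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, c in sorted(summarise(SAMPLE_LOG).items()):
        print(ip, c)
    print("suspected bots:", suspected_bots(SAMPLE_LOG))
```

In practice the flagged addresses feed a firewall block list or a per-source connection cap, and the idle timeout on the mail server is the other knob worth lowering while the flood lasts, since it bounds how long each half-open socket is held.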
Sounds very nasty.
> We are keeping our eyes open!
You mean, you cannot sleep now after seeing this?
Install Ubuntu and live happily.
How do we then destroy this if we have been infected?