Chinese Security firm Discovers new BIOS based Virus

Chinese AV company 360 has discovered a new Trojan, the “BMW Virus” (also called Mebromi), that can actually infect a computer’s BIOS:

“BMW 360 Security Center virus is the latest catch of a high-risk virus, the virus that infected a chain BIOS (motherboard chip program), MBR (master boot drive) and Windows system files, reinstall the system, regardless of the victim computer, format the hard disk, or replace the hard disk can not completely remove the virus.” – Translated 360 page

According to The H Security, when a system is infected the Trojan checks whether the machine has an Award BIOS. If it does, it hooks itself into the BIOS. Once the system is restarted, the BIOS code adds itself to the hard drive’s master boot record (MBR). The MBR code in turn infects the winlogon.exe or wininit.exe system file (depending on the Windows version).

The malware also acts as a Trojan downloader: it connects out and tries to download additional malware to the infected system.

If the system uses a BIOS other than Award, the Trojan skips the BIOS write but still tries to infect the MBR of the boot hard drive.

Removing the infection from the MBR and the system files alone does not last: as soon as the system is restarted, the infected BIOS runs first, rewrites the MBR, and the computer is reinfected.

Since most anti-virus vendors are unlikely to ship a BIOS cleaning utility, the BIOS will most likely need to be re-flashed with a clean image from the motherboard vendor to remove the infection completely. Reinstalling Windows or replacing the hard disk, as the 360 write-up notes, is not enough on its own.
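The practical way to confirm the reinfection loop described above is to baseline the boot sector before a reboot and compare it afterwards: if the MBR bootstrap code changes while the partition table stays put, something that runs before the OS rewrote it. The Python script below is an added example, not code from 360 or The H Security. It parses a 512-byte MBR, hashes the bootstrap code separately from the disk signature and partition table, and reports what differs from a saved baseline. The two sample sectors are constructed for illustration; read_mbr() shows the standard raw-device paths, which need root or administrator rights. Note that this only catches the MBR stage; checking the BIOS itself means dumping the flash and comparing it against the vendor’s image.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_END = 440           # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(device: str) -> bytes:
    # e.g. "/dev/sda" on Linux or \\.\PhysicalDrive0 on Windows; needs root/admin.
    # Not used by the offline demo below.
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into bootstrap-code hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> List[str]:
    """Return human-readable findings; an empty list means the MBR is unchanged."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]],
              disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not a real disk)."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("bootstrap code too long")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         status, ptype, lba_start, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed samples: a "clean" loader, and the same disk after something
# replaced the bootstrap code but left the partition table untouched.
NTFS = 0x07
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                      [(0x80, NTFS, 2048, 488_000_000)])
TAMPERED_MBR = build_mbr(b"\xeb\x3e\x90" + b"\x00" * 60,
                         [(0x80, NTFS, 2048, 488_000_000)])

if __name__ == "__main__":
    # Real use: save parse_mbr(read_mbr("/dev/sda")) before the reboot, then run
    # compare_to_baseline() on the freshly read sector afterwards.
    print("clean vs clean:   ", compare_to_baseline(CLEAN_MBR, CLEAN_MBR))
    print("tampered vs clean:", compare_to_baseline(TAMPERED_MBR, CLEAN_MBR))
```

Hashing the bootstrap region on its own matters because a legitimate partitioning change alters bytes 446 onward while leaving the loader alone; a boot-sector infector does the reverse.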

How to Recognize and Analyze a Fake Anti-Virus Message

I was surfing the web the other day looking for photos and received this error when clicking on an image in Google:

Wow, I thought, this can’t be good, Windows Security has found some critical issues on my system and needs to do a system scan. Something must be very wrong. Thank goodness that this helpful website is offering to scan my system for me.

Actually, nothing could be further from the truth.

Okay, I knew right away that this was a fake message. How? I clicked on a photo and ended up at a completely different website that showed this security alert. This is not how Google normally behaves when you click on an image: it usually takes you to a webpage and shows the image you clicked on in the foreground, with the picture’s source page shown in the background.

Also, Windows does not show alerts like this. Windows 7 uses a little red “x” on the white flag at the bottom right of your desktop when there is a security alert. In addition, the message looked nothing like a standard alert from my anti-virus software, so I knew that this online scan was bogus.

It would have been more believable, too, if I had actually been running Windows at the time, which I was not, but what the heck, let’s see what happens when we click “OK”.

(Never click on these messages, by the way; just close the whole browser window with the red “X”. Run your own anti-virus program to do a scan, never an online one.)

Right away the “helpful” program comes up and runs a system scan. It isn’t really doing a scan, by the way; it just builds the page with HTML and scripts to make it look believable. It does look like a legit Windows screen, except that it all shows up in a browser window, and again, I am not even running Windows on this system!

It then wants me to click on the “Remove All” button, which I did not. Doing so will usually prompt you to download and install the bogus anti-virus program, and running that installer puts the malware on your system. This particular brand of malware, once installed, brings up a very believable anti-virus screen, tells you that you need to purchase a license to use it, and asks for your credit card.

When trying to figure out how clicking on a Google image had redirected me to this fake AV site, I found something interesting. Hovering over the picture, I noticed that the website shown under the image looked legit, but the image URL (which displays if you hover over the image) pointed to a completely different website. The Google imgrefurl parameter was a mile long and contained random upper- and lower-case letters. Clicking on the image immediately took me to the bogus site and kicked off the fake anti-virus message.
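The three things noticed above (image hosted on a different site than the page it supposedly came from, an unusually long imgrefurl, and a path of random-case letters) can be turned into a triage check you run on a result link before clicking it. The Python below is an added example, not code from the original post or from Google; it assumes the 2011-era `imgres?imgurl=...&imgrefurl=...` link shape, uses naive “last two labels” domain matching, and the two thresholds are assumptions to tune against your own sample of legitimate result links. The sample URLs are constructed on example.* domains, not the ones from the incident.

```python
from typing import Dict, List
from urllib.parse import parse_qs, quote, urlparse

# Thresholds are assumptions; tune them against a sample of your own
# legitimate image-result links before relying on them.
LONG_REFURL_CHARS = 150
RANDOM_CASE_RATIO = 0.3


def case_flip_ratio(text: str) -> float:
    """Fraction of adjacent letter pairs whose case differs.

    Natural path names ('wp-content/uploads') stay near 0; random letter
    case, as seen in the imgrefurl above, lands near 0.5 or higher."""
    pairs = flips = 0
    for a, b in zip(text, text[1:]):
        if a.isalpha() and b.isalpha():
            pairs += 1
            if a.islower() != b.islower():
                flips += 1
    return flips / pairs if pairs else 0.0


def registered_domain(host: str) -> str:
    """Naive 'last two labels' match; swap in a public-suffix list for co.uk-style TLDs."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_image_result(url: str) -> Dict:
    """Pull imgurl/imgrefurl out of an image-search result link and list indicators."""
    params = parse_qs(urlparse(url).query)
    imgurl = params.get("imgurl", [""])[0]
    refurl = params.get("imgrefurl", [""])[0]
    indicators: List[str] = []
    if not imgurl or not refurl:
        return {"imgurl": imgurl, "imgrefurl": refurl,
                "indicators": ["not an imgurl/imgrefurl result link"]}
    img_host = urlparse(imgurl).hostname or ""
    ref_host = urlparse(refurl).hostname or ""
    if registered_domain(img_host) != registered_domain(ref_host):
        indicators.append("image host differs from referring page host")
    if len(refurl) > LONG_REFURL_CHARS:
        indicators.append("referring URL unusually long")
    if case_flip_ratio(urlparse(refurl).path) > RANDOM_CASE_RATIO:
        indicators.append("referring URL path has random-looking letter case")
    return {"imgurl": imgurl, "imgrefurl": refurl, "indicators": indicators}


def result_link(imgurl: str, refurl: str) -> str:
    """Build a result link in the assumed imgres?imgurl=...&imgrefurl=... shape."""
    return ("http://www.google.com/imgres?imgurl=" + quote(imgurl, safe="")
            + "&imgrefurl=" + quote(refurl, safe=""))


# Constructed samples (example.* domains), not the URLs from the incident.
LEGIT_RESULT = result_link("http://www.example.com/images/cat.jpg",
                           "http://www.example.com/gallery/cats-on-sofa")
SUSPICIOUS_RESULT = result_link(
    "http://img.example.net/thumbs/cat.jpg",
    "http://www.example.org/" + "QwErTyUiOpAsDfGhJkLzXcVbNm" * 6 + "/view.php")

if __name__ == "__main__":
    for link in (LEGIT_RESULT, SUSPICIOUS_RESULT):
        print(analyze_image_result(link)["indicators"] or ["no indicators"])
```

None of the three indicators is proof on its own (image CDNs legitimately live on other domains), which is why the function returns the list rather than a verdict; two or three together are a good reason to send the link to a sandbox instead of a browser.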

So what can we do to see what the fake site is really doing?
(Just a warning: don’t play with malware sites, especially on production systems; doing so could get your system infected!)

There are several free malware analysis websites available. For this one, I chose Anubis. Anubis is backed by Secure Business Austria and is developed by the International Secure Systems Lab. It is an open framework for malware analysis, and the nice thing is that it lets you submit sites by URL. From the Anubis home page, just paste in the suspicious target website address and it will examine the webpage with a simulated Internet Explorer. Anubis acts like an IE honeypot and records everything the page tries to do.

After you submit the page, it takes a few minutes for Anubis to perform the analysis. When it is finished, it provides you with an in-depth report of what it found.

Submitting this suspicious URL to Anubis resulted in a 9-page report. Below is an abbreviated version of what Anubis found the website code tries to do:

Summary:

  • Changes security settings of Internet Explorer: This system alteration could seriously affect safe surfing of the World Wide Web. RISK – MEDIUM
  • Performs Registry Activities: The executable creates and/or modifies registry entries. RISK – LOW

– Further on in the report, under Registry Activities, Anubis reported that the website code tries to modify 3 Windows registry settings and to read over 50 more.

Finally, it tries to read your Internet history and monitors the use of 6 keyboard keys and all three mouse buttons.

This is just what one malware analysis service found on the malicious web page alone. Allowing the site to download the full malware to your system would bring another level of problems.

With the rash of fake online anti-virus attacks, including the recent LizaMoon attack, it is important to remember not to allow any program to run from an unknown website.

Chinese based Android Trojan Dubbed “Most Sophisticated” Found to Date

We all love our games, but buyer beware: an Android Trojan has been discovered in some Chinese games. “Geinimi” not only steals personal data from the phone but also has botnet-like command and control features:

Geinimi is also capable of receiving commands from remote servers controlled by hackers; this botnet-style functionality, together with the use of code obfuscation techniques, leads mobile security firm Lookout to describe the malware as the most sophisticated to appear on Android devices to date.

According to Lookout Mobile Security, when Geinimi is installed it:

  • Collects location coordinates & device identifiers from the phone
  • Collects a list of installed Apps
  • Connects to a remote server at 5 minute intervals to transfer information
  • Can download apps it chooses
  • Prompts user to remove apps it doesn’t want on the phone
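The fixed 5-minute check-in in the list above is the behaviour a network defender can actually see, even without the app in hand: a timer-driven client produces connection gaps with almost no jitter, while human browsing is bursty. The Python below is an added example, not code from Lookout or from the Geinimi analysis, and the flow log it runs on is constructed (a hypothetical handset at 10.0.0.15 beaconing to 203.0.113.7 among ordinary traffic). It groups connections by source and destination, measures the gaps between them, and flags pairs whose coefficient of variation (standard deviation over mean) is small; the thresholds are assumptions to tune on your own traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed flow log, one connection per line: "<date> <time> <src> <dst:port> <bytes>".
# 10.0.0.15 is the hypothetical infected handset; 203.0.113.7 the check-in server.
SAMPLE_LOG = """\
2011-01-03 10:00:00 10.0.0.15 203.0.113.7:80 412
2011-01-03 10:00:30 10.0.0.15 198.51.100.20:80 15320
2011-01-03 10:01:05 10.0.0.15 198.51.100.20:80 2204
2011-01-03 10:05:02 10.0.0.15 203.0.113.7:80 418
2011-01-03 10:07:40 10.0.0.15 198.51.100.20:80 980
2011-01-03 10:08:00 10.0.0.15 198.51.100.20:80 64410
2011-01-03 10:09:58 10.0.0.15 203.0.113.7:80 410
2011-01-03 10:12:00 10.0.0.22 203.0.113.7:80 400
2011-01-03 10:15:01 10.0.0.15 203.0.113.7:80 415
2011-01-03 10:19:12 10.0.0.15 198.51.100.20:80 1200
2011-01-03 10:20:00 10.0.0.15 203.0.113.7:80 420
2011-01-03 10:24:59 10.0.0.15 203.0.113.7:80 411
2011-01-03 10:30:00 10.0.0.22 203.0.113.7:80 402
"""


def parse_flows(lines) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (src, dst); blank and '#' lines are skipped."""
    flows: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, clock, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"))
    return flows


def find_beacons(lines, min_connections: int = 5, max_cv: float = 0.1) -> List[Dict]:
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    cv = pstdev(gaps) / mean(gaps). Interactive traffic is bursty (cv well
    above 0.5); a timer-driven check-in sits close to 0. Thresholds are
    assumptions; malware that adds random sleep needs a looser max_cv."""
    beacons = []
    for (src, dst), times in parse_flows(lines).items():
        if len(times) < min_connections:
            continue          # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "connections": len(times),
                            "period_seconds": round(avg), "cv": round(cv, 4)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{b['src']} -> {b['dst']}: {b['connections']} connections, "
              f"every ~{b['period_seconds']}s (cv={b['cv']})")
```

On the sample, the browsing to 198.51.100.20 has five connections but a cv near 1 and is ignored, the second handset has too few connections to judge, and only the 10.0.0.15 to 203.0.113.7 pair comes out with a 300-second period. On real proxy or NetFlow data the same loop runs per day and per device; widely shared destinations (OS update servers, ad networks) will also look periodic and belong on an allow-list.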

According to reports, Chinese and even Russian Trojans like Geinimi seem to be locale-based, appearing in apps aimed at a particular regional market. Downloading apps from recognized and approved sources is the safest way to avoid this type of malware.

Malware seems to be a growing problem on smartphones. Phandroid reports that 9% of Android users have been affected by an SMS bug that sends the message “My boss is an A$$!” to random people from your contact list.

If this trend continues, it looks like even our phones will need constant system and virus protection updates.

Stuxnet a Sign of New Cyber Special-Operations Warfare?

Stuxnet has been called the first true cyber war weapon and the most advanced malware ever created. As time goes by, additional information on Stuxnet is leaking out. A FoxNews article released yesterday contained a lot of new and interesting details. Here is a summary of the information presented:

Complexity: Stuxnet attacked and penetrated a secure underground facility that had no external connections. The worm was specifically written to spread from machine to machine and network to network until it found its target.

The command and control process of Stuxnet was also highly advanced, and was designed to go quiet once the target was penetrated.

“…During this time the worms reported back to two servers that had to be run by intelligence agencies, one in Denmark and one in Malaysia. The servers monitored the worms and were shut down once the worm had infiltrated Natanz. Efforts to find those servers since then have yielded no results.”

Target: When Stuxnet found the enrichment facility’s network, it went to work attacking its main target, the frequency converters that drive the centrifuges.

“The worm then took control of the speed at which the centrifuges spun, making them turn so fast in a quick burst that they would be damaged but not destroyed. And at the same time, the worm masked that change in speed from being discovered at the centrifuges’ control panel.”

The centrifuges were not the only target; according to the article, the worm also attacked the Russian-built steam turbine at the Bushehr plant.

Result: A physical strike against the nuclear sites this late in the game could have released a lot of radiation. According to the report, Stuxnet was created not to destroy the facilities but to disable their ability to function, and this it has done in spades.

An estimated 30,000 Iranian systems were infected by the worm. Of Iran’s roughly 9,000 centrifuges, it is estimated that only 3,700 are now in use.

It is believed that it will take another year to clean up the effects of Stuxnet from the facility’s systems.

Stuxnet has also had a strong psychological-warfare effect at the plants. Iranian intelligence officers have clamped down on the facilities, interrogating and monitoring many. According to the article, Iranian scientists and engineers have been jailed, executed, or have simply disappeared.

This was obviously a coordinated attack against Iran. One of the big clues that Iran was the main target is the way the centrifuge frequency converters were attacked: the worm had to know very specific commands for those converter systems. Iran used two sources for the converters, a Finnish company and an Iranian company, and according to the article no one knew about the Iranian source, not even the IAEA.

In Stuxnet we are seeing a new era of special operations. An advanced cyber warfare unit and an intelligence agency teamed up to form a very effective force, working closely with civilian SCADA and nuclear engineering experts to create the first true cyber weapon. Could this be the beginning of cyber spec-op warfare?