
July 2008

IBM Internet Security Systems

X-Force Threat Insight Monthly
Table of Contents

About the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . 01

The MBR rootkit strikes again . . . . . . . . . . . . . . . . . . . . . 02

The Debian® OpenSSL flaw . . . . . . . . . . . . . . . . . . . . . . . 09

Prolific and impacting issues of June 2008 . . . . . . . . . . . . . . . 14

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
X-Force Threat Insight Monthly
Page 1

About the report

The IBM Internet Security Systems™ X-Force® Threat Insight Monthly is designed
to highlight some of the most significant threats and challenges facing security
professionals today. This report is a product of IBM Managed Security Services
and IBM Internet Security Systems (ISS) X-Force research and development
team. Each issue focuses on specific challenges and provides a recap of the most
significant recent online threats.

IBM Managed Security Services are designed to help an organization improve its
information security, by outsourcing security operations or supplementing your
existing security teams. The IBM ISS protection on-demand platform helps deliver
Managed Security Services and the expertise, knowledge and infrastructure an
organization needs to secure its information assets from Internet attacks.

The X-Force team provides the foundation for a preemptive approach to
Internet security. The X-Force team is one of the best-known commercial
security research groups in the world. This group of security experts researches
and evaluates vulnerabilities and security issues, develops assessment and
countermeasure technology for IBM ISS products, and educates the public
about emerging Internet threats.

We welcome your feedback. Questions or comments regarding the content of this
report should be addressed to XFTAS@us.ibm.com.

The MBR rootkit strikes again

Over the past several years, the security industry has seen a dramatic rise in
cyber-crime for profit. Gone are the days when people sought out vulnerabilities
for intellectual curiosity and bragging rights. Cyber-crime has become a business,
and those that take part in it are driven by the amount of money that can be made.
As a result, cyber-criminals do not always use the latest and most innovative
techniques, but rather they use what is most effective. Recent worms still attempt
to exploit vulnerabilities that have been patched for months or even years and
are successful because a significant portion of users do not patch routinely or
apply adequate protection. As long as these older vectors are still profitable to
cyber-criminals, there is no motivation to expend time and energy on keeping
up with the latest innovations; therefore, the return on investment is not worth
it from a business standpoint.

In recent months, a very old technique has once again reared its head and has
begun to circulate in new malware that has been detected. A new rootkit is hiding
itself in the Master Boot Record (MBR) of the systems that it infects – a technique
that is over a decade old, but has not been put to any widespread practical use for
almost as long.

The basics of rootkits

A rootkit is basically a backdoor that can be installed on a compromised system
to allow an attacker to return to the system at a later date. Most often, the first
thing an attacker will do after gaining access to a system is to install a rootkit.
Not only does a rootkit allow an attacker continual access to a system, but
several other important functions are performed as well. Rootkits usually go to
great lengths to ensure that they remain undetected. These lengths include
covering their installer’s tracks by modifying log files and hiding themselves
from the system’s owner through a variety of techniques. For example, rootkits
often modify key system utilities to make themselves appear invisible. They will
hide files, processes, network traffic, and other indicators that might alert a
system’s owner to their presence. Additionally, any number of other functions
may be included in a rootkit such as keyloggers for capturing passwords, the
ability to send spam e-mail, and code for launching Distributed Denial of
Service (DDoS) attacks.

Rootkits can be installed at a variety of system access levels. The simplest
rootkits install themselves at the application layer by overwriting binary
executable files or libraries with custom code. Other rootkits install themselves
as part of the operating system’s kernel making them very difficult to detect or
remove. A third class of rootkits bypasses the operating system altogether and
runs as a hypervisor in which the system’s operating system actually runs as a
virtual machine under its supervision. This third type of rootkit received a
great deal of media attention last year as researchers debated whether or not it is
possible to create a hypervisor rootkit that cannot be detected by a host
operating system. The Blue Pill rootkit [1] was developed to demonstrate this
concept, but others have challenged its claim of being undetectable [2].

The current threat

The focus of this article, MBR rootkits, is an older concept that has been subject
to a recent revival. The concept of MBR rootkits has existed for at least ten years
and includes early viruses such as Stoned [3] and Michelangelo [4]. In practice, this type
of rootkit has rarely been seen in the wild; however, that changed several months
ago when reports of a new MBR rootkit targeting NT-based Windows systems began
to circulate. This rootkit, known by the aliases Troj/Mbroot-A (Sophos) [5],
Trojan.Mebroot (Symantec) [6] and StealthMBR (McAfee) [7], takes advantage of the fact that
most versions of Windows allow direct write access to disk sectors from user mode.

An MBR rootkit works by overwriting the first sector (boot sector) of a storage
device such as a hard disk, USB drive, or floppy disk. This first sector is
significant because it contains the device’s MBR which is a set of instructions
for loading operating systems from other partitions on the device. The code in
the boot sector is the first thing that gets executed after a system is powered on
and the BIOS completes its startup routines. Since the code is executed before
any operating system code has been loaded, it has the opportunity to make
modifications to the operating system as it is loaded.

Troj/Mbroot-A is the stealth rootkit that is currently in circulation. This
malware is actually a modified version of a proof-of-concept rootkit called
BootRoot [8]. Although MBR rootkits already existed for the DOS environment,
BootRoot demonstrates that the concept also extends to a Windows
environment. Troj/Mbroot-A finds its way onto systems through drive-by
exploits hosted on malicious or compromised Web sites. The authors of this
malware subsequently install a banking Trojan on compromised systems with
the intent of capturing financial credentials.

How it works
Upon initial infection, Troj/Mbroot-A will copy malicious kernel driver code into
unused sectors of the disk. It will also overwrite the MBR sector (sector 0) as well
as sectors 60, 61, and 62. The MBR sector gets overwritten with loader code and is
the first part of the Trojan that gets executed upon a reboot. Additional loader
code is copied into sectors 60 and 61 and is eventually executed to load the
malicious kernel driver code. Sector 62 contains a copy of the original MBR
which is used to hide the fact that a system has been compromised.

The functionality of Troj/Mbroot-A can be demonstrated by infecting a system


and then examining its hard disk from both within the operating system and
from an external source to expose the changes. But first, a reference point is
needed. This reference is obtained by copying the first sector of the hard disk of
an uninfected system to a file. Sector 62 is also copied for comparison.

[Figure: Uninfected MBR Sector (hex dump of the clean sector 0; not reproduced)]

Next a sample of Troj/Mbroot-A is obtained and executed on the target system.
So, what happens when the file is executed? Apparently nothing. There is no
visual indication that anything happens, but in reality, several things occur in
the background. The executable copies malicious kernel driver code into
unused sectors on the disk, makes a copy of the original MBR, and overwrites
the MBR with a malicious loader.

Now, whenever the system is rebooted, the code in the malicious MBR will get
executed instead of the original MBR. The malicious MBR code alters the boot
process by hooking int 13h (the interrupt used for low level disk operations),
which allows it to modify the kernel as it is loaded. During this process, Troj/
Mbroot-A will also modify two routines, IRP_MJ_READ and IRP_MJ_WRITE,
which allow the malware to remain hidden and prevent it from being overwritten.
If an API call attempts to access data from the infected MBR sector (sector 0), the
modified IRP_MJ_READ routine will instead return the contents of sector 62
that contains a copy of the original uninfected MBR. Likewise, any attempt to
overwrite the infected sectors will be blocked by the modified IRP_MJ_WRITE.

In order to view the malicious MBR, the infected disk can be mounted from an
external operating system. By doing this, the data on the disk can be read without
actually booting the infected system. The infected sectors can now be compared
with our baseline to reveal the changes. To demonstrate, the infected sectors 0
and 62 are copied to files. A simple test shows if anything has happened:

[mlv@lc4eb7624703401 mbr_data]$ diff sector0-clean sector62-infected
[mlv@lc4eb7624703401 mbr_data]$ diff sector0-clean sector0-infected
Binary files sector0-clean and sector0-infected differ
[mlv@lc4eb7624703401 mbr_data]$ diff sector62-clean sector62-infected
Binary files sector62-clean and sector62-infected differ

The diff utility can be used to compare two files to determine whether or not
they differ. If the files match, no output is displayed. As expected, the test above
shows that the infected copies of sectors 0 and 62 both differ from their
originals. Additionally, the infected copy of sector 62 matches the original
(clean) copy of sector 0 which indicates that the original MBR was successfully
copied into sector 62. Viewing the infected MBR (sector 0) clearly shows that it
has been altered from our previous reference.
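The comparison above can be scripted so that it also parses the partition table and flags the telltale combination (sector 0 changed while sector 62 now equals the clean sector 0). The following Python is an added example, not code from this report or from any vendor tool. It runs against an in-memory disk image constructed here, with an inert placeholder where the loader would be, and the helper and field names are its own assumptions; with a real disk the same functions would take the sectors copied from the device while the machine is booted from external media.

```python
"""Offline check for a relocated MBR, modelled on the sector diffs above.

Added example, not code from the X-Force report. It works on an in-memory
disk image constructed here (the real procedure reads the device from an
external OS, e.g. a dd copy of sectors 0 and 62). The on-disk layout it
looks for follows the article: loader in sector 0, original MBR saved in
sector 62, partition table and 0x55AA signature left intact so the
machine still boots.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def make_clean_mbr() -> bytes:
    """Constructed clean MBR: 446 bytes of boot code, one NTFS partition, signature."""
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x00")  # placeholder boot code
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Fields an analyst checks first: signature, hash of the code area, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def read_sector(image: bytes, n: int) -> bytes:
    return bytes(image[n * SECTOR:(n + 1) * SECTOR])


def compare_to_baseline(image: bytes, clean_mbr: bytes) -> dict:
    """The article's three diffs as booleans, plus the parsed sector 0.

    The telltale combination is sector 0 differing from the baseline while
    sector 62 equals the clean sector 0: the original MBR has been moved
    aside and something else now runs first at boot.
    """
    s0, s62 = read_sector(image, 0), read_sector(image, 62)
    return {
        "sector0_differs": s0 != clean_mbr,
        "sector62_holds_original_mbr": s62 == clean_mbr,
        "partition_table_preserved": s0[446:] == clean_mbr[446:],
        "mbr": parse_mbr(s0),
    }


def build_image(n_sectors: int, mbr: bytes) -> bytearray:
    """Blank disk image with the given MBR in sector 0."""
    image = bytearray(n_sectors * SECTOR)
    image[0:SECTOR] = mbr
    return image


def construct_infected_layout(image: bytearray) -> None:
    """Test fixture reproducing the layout described in the article, with an
    inert placeholder in place of the loader. It only touches the in-memory
    image: original MBR copied to sector 62, code area of sector 0 replaced,
    partition table and signature untouched."""
    image[62 * SECTOR:63 * SECTOR] = bytes(image[0:SECTOR])
    image[0:446] = b"PLACEHOLDER-LOADER".ljust(446, b"\x90")


if __name__ == "__main__":
    clean = make_clean_mbr()
    disk = build_image(64, clean)
    construct_infected_layout(disk)
    for key, value in compare_to_baseline(disk, clean).items():
        print(f"{key}: {value}")
```

The acquisition step matters more than the comparison: as the article explains, a read of sector 0 issued from inside the infected system is answered with the clean copy from sector 62, so the baseline and the suspect sectors must both be taken with the disk attached to a trusted operating system. Storing the SHA-256 of the 446-byte code area of a known-good MBR is enough to repeat the check later without keeping the full sector.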

[Figure: Infected MBR Sector (hex dump of the overwritten sector 0; not reproduced)]

Future of the threat

MBR rootkits alter compromised operating systems in such a way that they are
difficult to detect and repair. Currently, the malware described in this article is
the only such rootkit that is being detected in the wild, but the authors have
already released several versions of it with incremental improvements in each
iteration. It is not unreasonable to expect that others will take advantage of this
technique and develop other MBR rootkits in the future.

Also on the horizon is a system management mode (SMM) rootkit. Researchers
are planning to present this new breed of rootkit at the upcoming Black Hat
security conference in August [9]. This rootkit takes advantage of a feature present
in x86 processors, SMM, that allows code to be run from the processor, bypassing
the operating system. The researchers plan to demonstrate that a rootkit can be
hidden in this hardware, making it almost invisible to the operating system and
very challenging to detect.

Although rootkits pose a problem for those that are infected by them, they still
depend on the same attack vectors used by other malware or intruders. The
rootkit must first find its way onto a system by exploiting a vulnerability, or socially
engineering a victim into executing a Trojan horse. The best defense against a
rootkit is to prevent it from infecting a system in the first place. Anti-virus
software is effective at detecting and blocking this type of malware. Additionally,
maintaining up-to-date software and applying security patches also helps protect
a system from compromise.

The Debian® OpenSSL flaw

Last month’s X-Force Threat Insight Monthly concluded a three-part series on
Securing the Secure Shell (SSH). This series highlighted the problems with
reusable passwords and demonstrated how widespread use of authentication
based on strong public key cryptography can improve security. Unfortunately,
while SSH authentication keys are a significant improvement over the current
practice of reusable passwords, a vulnerability disclosed earlier this year
reveals that, even in a relatively secure environment, compromise can occur.

In May 2008, Debian announced a weakness in OpenSSL in the Debian Etch
Linux distribution. The flaw resulted in only a limited number of keys being
generated by systems based on that distribution and any of its derivatives. Any
keys generated by these systems for SSH, SSL, and some Virtual Private
Networks (VPN) must be considered compromised.

The perfect storm

This vulnerability appears to be the culmination of a perfect storm involving the
misunderstanding of a perceived bug, miscommunications with upstream package
management and maintenance teams, and a questionable local patching policy.
More than two years ago, an audit conducted by some automated vulnerability tools
indicated a potential flaw in OpenSSL. Based on the remediation procedure taken
by the Debian Security Team, it seems that the vulnerable code was not well
understood and therefore, the patch and its ramifications were not well understood.

To “fix” the flaw, the vendor applied a patch that removed any possibility of adding
any additional entropy to OpenSSL’s pool of randomness. In other words, the patch
resulted in a critical reduction in the number of possible cryptographic keys that
could be generated. This resulted in only 32,768 possible keys for any given key
type including SSH keys, OpenVPN keys, DNSSEC keys, and key material for
use in X.509 certificates and session keys used in SSL/TLS connections.

This also impacts IPSec VPNs (OpenSWAN™, StrongSWAN, Racoon, or
ISAKMP) when used with X.509 certificates for authentication. In the case of
IPSec with X.509 certificates, the potential exists for an attacker to fake an
authenticated VPN. However, much more configuration information is required
to carry out this attack, such as the complete public certificate with attributes
and the network topology configurations, which are not contained in the
certificates. It may also be possible to “man in the middle” a valid VPN session
if the communications can be completely disrupted between the two valid
endpoints. However, due to the design of IPSec with ephemeral session keys
and optional “perfect forward secrecy” with rekeying, it should not be possible
for an attacker to use this keying material to sniff and decode existing
connections and sessions.

While the initial flaw and its “fix” were discussed in the open development
forum dedicated to the OpenSSL package, the fault with the fix was not
identified during discussions. This flawed fix was never submitted to the
upstream maintainers as a formal patch to be incorporated into the upstream
development. Subsequently, Debian never followed up on the patch or its
incorporation into the upstream package.

Debian continued to carry the patch to cryptographically sensitive code for
more than two years as a local-only patch. A year ago, the patch made its way
into their distribution release, setting the stage for this most recent incident.
Since that time, flawed keys have been generated and propagated from the
Debian distribution and any distributions based on Debian.

The vulnerability
The predictable pseudo-random number generator (PRNG) is at the core of the
Debian OpenSSL issue. As a result of this weakness, certain encryption keys
are much more common than they should be. A remote unauthenticated
attacker could conduct an SSH brute force attack against an affected application
and potentially guess the correct secret key material. The attacker could then
obtain unauthorized access to the vulnerable system through the affected
service or perform man-in-the-middle attacks.

Debian Etch (stable) was released in April of 2007, even though the vulnerable
code was uploaded to test in April of 2006 and subsequently available in Debian
Lenny (unstable) prior to the release of Etch. Distributions such as Ubuntu™
Linux® and Knoppix® released after that time and based on Etch are affected.
Other Debian-based systems may also be vulnerable. In addition, embedded
systems and Run-live CDs and BBCs (Bootable Business Cards) based on
Debian Etch may be impacted by this issue. The old stable distribution (sarge)
is not affected.

While this is a Debian-specific vulnerability, which does not affect other operating
systems that are not based on Debian, other systems can be indirectly affected.
Keys generated by vulnerable systems may also have made their way into other
systems and embedded devices.

Let the fun begin

Within 24 hours of the announcement of the vulnerability, the complete set of
all the possible 1024 bit DSA, 2048 bit RSA, and 4096 bit RSA keys that would
have been generated by this flawed code were posted publicly to a Web site. Not
only were the public keys published, which would have allowed detection of the
flawed keys, but the private keys were published as well. Publication of the
private keys amounts to a “rainbow table” of keys that can be rolled into a
variety of brute force attacks.

As if this disclosure were not detrimental enough, a Perl™ script was made publicly
available soon after that can be used in conjunction with these publicly available
keys to conduct SSH brute force attacks. Our analysts have deployed honeypots to
watch for this type of brute force activity. Though our analysts have not yet observed
any brute force attempts against authentication keys, they believe this could change
with the availability of the vulnerable keys and Perl exploit.

Coincidentally, over the last several months, SSH has been one of the most
scanned-for services. Any given address or server on the Internet can expect to be
hit with an SSH probe at least 5 to 15 times during the course of a single week. If
the probe encounters an SSH service, a brute force scan then ensues, attempting
to guess root, subsystem administrative, and common user passwords. In this
instance, it appears that the attackers ultimately break in through SSH but not
through any particular vulnerability in SSH. Rather, the attack succeeds through
weak passwords.
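Detection of the password guessing described above, as an added example that is not part of this report: a Python scan over OpenSSH "Failed password" lines that counts failures per source inside a sliding window and reports the sources that cross a threshold. The log lines are constructed (hostnames, PIDs and addresses are invented), and the window, threshold and the assumed log year are assumptions to tune per site.

```python
"""Flag SSH password brute-forcing in an auth log by counting failures per source.

Added example, not from the X-Force report. The log lines are constructed
in the OpenSSH "Failed password" format; the window and threshold are
assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammering root/admin-style names, one ordinary failure.
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:07 web1 sshd[2201]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jun 12 03:14:09 web1 sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Jun 12 03:14:11 web1 sshd[2205]: Failed password for invalid user oracle from 192.0.2.10 port 4024 ssh2
Jun 12 03:14:13 web1 sshd[2207]: Failed password for root from 192.0.2.10 port 4025 ssh2
Jun 12 03:14:15 web1 sshd[2209]: Failed password for invalid user test from 192.0.2.10 port 4026 ssh2
Jun 12 03:14:17 web1 sshd[2211]: Failed password for root from 192.0.2.10 port 4027 ssh2
Jun 12 03:20:40 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 50211 ssh2
Jun 12 03:20:48 web1 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 50211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str, year: int = 2008):
    """Yield (timestamp, user, source_ip) for each failed-password line.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 300) -> dict:
    """Return {ip: {"failures": n, "users": [...]}} for sources with at least
    `threshold` failures inside any `window_seconds` span (sliding window)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(events),
                            "users": sorted({u for _, u in events})}
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {', '.join(info['users'])}")
```

The list of usernames tried is worth keeping in the output: a single source cycling through root, admin, oracle and test is the signature of the automated guessing the paragraph describes, and it is what separates a scan from a user who mistyped a password.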

Recommendations
This is a rather painful issue for administrators because all keys generated by
the flawed code must be regenerated. Updating the OpenSSL package and/or
changing the passwords is not sufficient. Setting or changing a password has no
effect on the compromised keys. Should a key be compromised, the key must be
regenerated and replaced. All keys, including SSH, OpenVPN, DNSSEC, and key
material for use in X.509 certificates generated under the affected distributions
must be eliminated from all configuration files and regenerated from scratch [10].
Regenerated X.509 certificates will need to be recertified by corresponding
certifying authorities and several have stated publicly that they will do this for
their customers at no additional charge.

IPSec based VPNs using OpenSWAN, StrongSWAN, Racoon, or ISAKMP may or
may not be affected. Pure RSA keys and shared secret keys in these packages are
not generated using OpenSSL and are not impacted. However, X.509 certificates
for these packages are generated using OpenSSL and are therefore impacted. Any
X.509 certificates must be checked and regenerated if necessary.

If SSH public keys and authorized_keys files are centrally managed, it becomes
easier to search for, track down and subsequently remove faulty or compromised
keys. Even if new keys are regenerated, if these faulty keys are left present in an
authorized_keys file on any system, that system remains vulnerable.
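One way to implement the authorized_keys sweep the paragraphs above recommend, as an added Python example that is neither this report's code nor any Debian utility: it parses authorized_keys lines, computes the MD5 fingerprint of each key blob, and checks it against a set of blacklisted fingerprints. The key blobs and the blacklist are constructed here from toy moduli; in practice the set would be populated from the published fingerprints of the keys the flawed generator could produce.

```python
"""Scan authorized_keys files for keys on a weak-key fingerprint list.

Added example, not from the X-Force report or any Debian tool. The key
blobs below are constructed toy RSA blobs (tiny moduli, not real keys)
encoded in the ssh-rsa wire format, and the blacklist is built from two of
them; in practice the list would come from the published fingerprints of
keys the flawed generator can produce.
"""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading zero byte if the high bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, as `ssh-keygen -l` printed in 2008."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_authorized_keys(text: str):
    """Yield one record per key line; blank lines and comments are skipped.
    A leading options field (e.g. from="...") is tolerated by locating the
    first token that looks like a key type."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith("ssh-")), None)
        if idx is None or idx + 1 >= len(tokens):
            yield {"line": lineno, "error": "no key type/blob found"}
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            yield {"line": lineno, "error": "bad base64"}
            continue
        yield {"line": lineno, "type": tokens[idx], "fingerprint": fingerprint_md5(blob),
               "comment": " ".join(tokens[idx + 2:])}


def scan_authorized_keys(text: str, blacklist: set) -> dict:
    """Split parsed keys into flagged (on the blacklist), clean, and unparseable."""
    result = {"flagged": [], "clean": [], "errors": []}
    for rec in parse_authorized_keys(text):
        if "error" in rec:
            result["errors"].append(rec)
        elif rec["fingerprint"] in blacklist:
            result["flagged"].append(rec)
        else:
            result["clean"].append(rec)
    return result


# Constructed sample keys (toy moduli; a real ssh-rsa modulus would be 1024+ bits).
WEAK_A = build_rsa_blob(65537, 0xC0FFEE0BADF00D11)
WEAK_B = build_rsa_blob(65537, 0xDEADBEEFCAFEF00D)
GOOD_C = build_rsa_blob(65537, 0x1234567890ABCDEF)
WEAK_FINGERPRINTS = {fingerprint_md5(WEAK_A), fingerprint_md5(WEAK_B)}


def _line(blob: bytes, comment: str, options: str = "") -> str:
    key = base64.b64encode(blob).decode()
    return f"{options + ' ' if options else ''}ssh-rsa {key} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _line(WEAK_A, "alice@etch-host"),
    _line(GOOD_C, "bob@workstation"),
    _line(WEAK_B, "deploy@build-box", options='from="192.0.2.0/24"'),
    "ssh-rsa not-base64!!! broken@host",
])


if __name__ == "__main__":
    report = scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)
    for rec in report["flagged"]:
        print(f"line {rec['line']}: remove {rec['comment']} ({rec['fingerprint']})")
```

Unparseable lines are reported rather than skipped silently: a line the scanner cannot read is also a line sshd may still accept, so it needs a human look before the file is declared clean. Run centrally, the same function over every collected authorized_keys file gives the inventory the paragraph above says makes removal tractable.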

Those running Debian or Ubuntu systems and using keys for SSH authentication
that were generated between September 2006 and May 13, 2008 are vulnerable.
All Digital Signature Algorithm (DSA) keys must be considered compromised since
the DSA relies on a secret random value used during signature generation. GPG and
GNUTLS keys are not affected because these applications use their own random
number generators and not the one from the vulnerable version of OpenSSL.

Additionally, if your organization makes an SSH or SSL connection to a system
that you know is running a Linux variant, but you are not sure which variant,
we recommend determining this and getting a statement from your vendor. The
affected vendors’ advisories can be found in the References section below.

Lessons learned
Even though public key cryptography is far superior to reusable passwords, flaws
can intrude. An error in understanding, coupled with a questionable local patching
policy resulted in a pervasive problem that is going to be difficult to clean up.

While this incident does not imply a general weakness in SSH keys, it does
highlight the occasional need to update keys in response to an actual or suspected
compromise and the difficulty in managing them. At the time of this writing, no
attacks have been detected utilizing the publicly available keys, though this may
be just a matter of time. This incident, however, should not detract from the fact
that SSH authentication keys are vastly more secure than reusable passwords and
should not deter organizations from deployment.

Prolific and impacting issues of June 2008

Significant disclosures
In June, the X-Force team analysts researched and assessed 640 security-
related threats. A significant percentage of the vulnerabilities featured within
the X-Force team database became the focal point of malicious code writers
whose productions include malware and targeted exploits.

Total Vulnerabilities in June 2008: 640

Severity                Count
High Vulnerability      130
Medium Vulnerability    424
Low Vulnerability        86

The chart below categorizes the vulnerabilities researched by X-Force team
analysts according to what they believe would be the greatest categories of
security consequences resulting from exploitation of the vulnerability. The
categories are: Bypass Security, Data Manipulation, Denial of Service, File
Manipulation, Gain Access, Gain Privileges and Obtain Information.*

[Figure: pie chart of vulnerability consequence categories; the percentages are listed below]

* Represents unique vulnerability count.

Bypass Security – 5%
An attacker can bypass security restrictions such as a firewall or proxy, an IDS system
or a virus scanner.
File Manipulation – 0.5%
An attacker can create, delete, read, modify or overwrite files.
Gain Access – 50%
An attacker can obtain local and remote access. This also includes vulnerabilities in
which an attacker can execute code or execute commands with the goal of gaining
access to the system.
Gain Privilege – 4%
An attacker can gain privileges on the local system only.
Data Manipulation – 26%
An attacker is able to manipulate data stored or used by the host associated with the
service or application.
Denial of Service – 8%
An attacker can crash or hang a service or system, or take down a network.
Obtain Information – 5%
An attacker can obtain information such as file and path names, source code,
passwords or server configuration details.
Other – 1%
An attacker can perform other, less common attacks, such as price changing. Used when
the other consequences do not apply.

On June 10, 2008, IBM ISS disclosed a serious vulnerability, discovered by an X-Force
analyst, affecting Microsoft Windows® DirectX®. This remote code execution
issue is caused by multiple stack-based buffer overflows affecting the Microsoft
MJPEG codec. This codec is a component of Microsoft Media® player, found in
all modern Microsoft operating systems, including Microsoft Windows Vista®.

This issue is invoked when specially-crafted MJPEG data is encountered in either
an Audio Video Interleave (AVI) or Advanced Systems Format (ASF) media file
(and possibly other file types). An attacker may need to entice a user to perform
an operation to trigger this vulnerability. A victim could perform one of the
following actions to be vulnerable: visit a malicious Web page, browse either a
local or remote directory containing a malicious file, cause an application using
an embedded version of Microsoft Media player to play or preview a malicious file,
or open a specially-crafted Microsoft Office or media file.

• A protection advisory provided by IBM ISS: Microsoft Windows MJPEG Codec
Multiple Overflows [11]
• IBM ISS Protection Signature:
– RIFF_Codec_Overflow
• Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could
Allow Remote Code Execution (951698) [12]
• CVE-2008-0011 [13]

On the same day the protection advisory was published, the X-Force team also
produced a protection alert to address another remote code execution vulnerability
affecting Microsoft Windows DirectX. The issue is caused by improper validation
of Synchronized Accessible Media Interchange (SAMI) file type parameters. By
persuading a victim to open a specially-crafted SAMI file, a remote attacker could
exploit this vulnerability to execute arbitrary code on the system with the privileges
of the victim.

• A protection alert provided by IBM ISS: Microsoft Windows DirectX SAMI Code Execution [14]
• IBM ISS Protection Signature:
– SAMI_WMP_Overflow
• Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could
Allow Remote Code Execution (951698) [15]
• CVE-2008-1444 [16]

Additional June highlights

This section of the report briefly covers some of the additional threats facing
security professionals during the month of June.

SQL injection attacks – June wrap-up

In May 2008, the threat level was elevated to AlertCon 2 and the X-Force team
produced a protection alert as a result of a significant increase in the volume of
targeted SQL injection attacks. This past month, our analysts continued to
monitor this threat and observed another significant uptick in unique sources
performing these attacks and overall attack volume. This may be an indication
that the SQL injection malware in use is evolving.

According to a post to Microsoft’s Security Vulnerability Research & Defense
(SVRD) blog, the acceleration of the SQL injection attacks throughout the year
appear to be related to at least two factors – a malicious tool that is automating
these attacks is circulating, and one or more malicious bots are now launching
SQL injection attacks. One of the threats responsible for some of the recent SQL
injection attacks, the Asprox botnet, was found utilizing a fraudulent anti-virus
program called XP Security Center to infect victims’ systems. Our analysts
captured a phishing e-mail purportedly from “Captial One TowerNET”
containing a link that when clicked leads to a payload site hosting a file called
ad.js, which installs XP Security Center.

(Author’s note: the phishing e-mail misspells “Capital” as shown here)

The “fast-flux” technique, which involves the rapidly changing of DNS
resolution services, is used in this attack as well as many of the recent attacks to
redirect users to malicious sites. This constant movement adds to the difficulty
of shutting down these malicious domains. The Storm Worm is an example of
malware that exploits this technique.

Microsoft also published a Security Advisory last month to inform customers
that there has been “a recent escalation” of SQL injection attacks targeting Web
sites that use Microsoft ASP and ASP.NET and that do not follow best practices
for secure Web application development [17]. According to Microsoft, these attacks
do not exploit a specific software vulnerability and they do not require Microsoft
to issue a security update. The purpose of the advisory is to assist
administrators with identifying ASP and ASP.NET Web application code that
may be vulnerable to possible SQL injection attacks.

These compromises serve as another reminder that this threat remains a
serious security problem for organizations. Additionally, attackers will continue
to target popular, highly visited sites. For instance, with the opening of
Wimbledon 2008 last month, tennis-related Web sites were found compromised
via SQL injection [18].

We encourage our clients to review the June 2008 edition of the X-Force Threat
Insight Monthly to obtain ways to mitigate against this threat. Additionally, the
X-Force protection alert, “Automated SQL Injection Attacks” highlights
associated IBM ISS product coverage [19].
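The coding mistake the Microsoft advisory asks administrators to look for, beside its fix, plus a first-pass check over Web server logs for requests of the kind this section describes. This is an added Python example, not code from this report or from Microsoft's advisory; it stands in SQLite for the ASP and SQL Server stack the advisory concerns, and the log lines, addresses and request patterns are constructed here as a starting point rather than a complete signature set.

```python
"""SQL injection: the code pattern the advisories point at, beside its fix,
plus a first-pass detector over web server log lines.

Added example, not from the X-Force report or from Microsoft's advisory.
Uses SQLite in memory in place of the ASP/SQL Server stack the article
mentions; the log lines and the request patterns flagged are constructed
here and are a starting point, not a complete signature set.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    """Constructed content table with one published and one unpublished page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages (slug, body, published) VALUES (?, ?, ?)",
                     [("home", "Welcome", 1), ("draft-notes", "not yet public", 0)])
    return conn


def page_lookup_vulnerable(conn, slug: str):
    """Request parameter concatenated into the statement: the pattern to find and fix."""
    sql = "SELECT slug, body FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def page_lookup_parameterized(conn, slug: str):
    """Same query with a bound parameter: the value never becomes SQL text."""
    return conn.execute(
        "SELECT slug, body FROM pages WHERE published = 1 AND slug = ?", (slug,)).fetchall()


# Constructed sample of access-log lines in common log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Jun/2008:10:01:02 +0000] "GET /page.asp?slug=home HTTP/1.1" 200 512
203.0.113.9 - - [12/Jun/2008:10:01:05 +0000] "GET /page.asp?slug=home%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1024
203.0.113.9 - - [12/Jun/2008:10:01:07 +0000] "GET /page.asp?id=1;DECLARE%20@S%20VARCHAR(4000)%3BEXEC(@S) HTTP/1.1" 500 0
203.0.113.12 - - [12/Jun/2008:10:02:00 +0000] "GET /page.asp?slug=home%20UNION%20SELECT%20slug,body%20FROM%20pages-- HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')

# Patterns are applied to the URL-decoded query string; each name is a constructed label.
INJECTION_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s+'?\w*'?\s*=", re.I)),
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("stacked_statement", re.compile(r";\s*(declare|exec|drop|update|insert)\b", re.I)),
    ("comment_terminator", re.compile(r"(--|/\*)\s*$")),
]


def classify_request(url: str):
    """Return the names of injection patterns matching the decoded query string."""
    decoded = unquote_plus(url.partition("?")[2])
    return [name for name, pat in INJECTION_PATTERNS if pat.search(decoded)]


def scan_access_log(log_text: str):
    """Return (ip, url, [pattern names]) for each request that matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        found = classify_request(m["url"])
        if found:
            hits.append((m["ip"], m["url"], found))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "home' OR '1'='1"
    print("concatenated:", page_lookup_vulnerable(db, probe))
    print("parameterized:", page_lookup_parameterized(db, probe))
    for ip, url, names in scan_access_log(SAMPLE_ACCESS_LOG):
        print(ip, url, ", ".join(names))
```

The vulnerable lookup leaks the unpublished row for the tautology input because the untrusted value rewrites the statement's logic; the parameterized version returns nothing for the same input, which is the outcome a code review is looking for. The log check is only a triage aid: the patterns are decoded once and matched against the query string, so double encoding or payloads carried in POST bodies and cookies would need the same treatment applied at those points.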

Major security breaches

A number of high-profile security breaches are reported every year drawing
attention to the need to protect consumer and employee information from the
risk of exposure to malicious individuals/identity (ID) theft rings. In addition
to the loss or misplacement of information, corporations and individuals are at
risk to exposure via malware, hacking, phishing attacks and various social
engineering tactics. There are also non-cyber related methods such as stealing
mail, “dumpster-diving” (rummaging through trash bins), or obtaining
information from employees or stolen records. Below are some of the major
security breaches that became public in the month of June:

• Citibank – A server that processes ATM withdrawal stores was breached. This incident
resulted in hundreds of fraudulent withdrawals from New York City ATM machines [20].
• Cotton Traders – An attack against the company’s Web site compromised the credit
card details of as many as 38,000 customers [21].
• Scottish Ambulance Service – A disc containing the records of close to 900,000
emergency calls, including the name and addresses of patients, has gone missing [22].
• Stanford University – A laptop containing sensitive information, including faculty
members’, staffers’ and students’ names, addresses, Social Security numbers, birth
dates, university ID and employee numbers was stolen, potentially compromising
72,000 records [23].
• University of Florida – The sensitive information, including Social Security numbers,
names and addresses of 11,000 current and former students was posted online [24].
• University of Utah Hospital – 2.2 million billing records containing the personal
information of patients from the past 16 years have been stolen [25].

Malcode corner
As part of the continued effort of the IBM ISS X-Force Virus Prevention System
(VPS) team in the strengthening of IBM ISS antivirus, anti-spyware and anti-
malware protection, the VPS team investigated and added another 12,866 new
samples to the malcode zoo in June, 2008.

The X-Force VPS team’s categorization of malcode is based on the most
dominant features of the threat. The categories are:

• Adware – Designed to deliver advertisements and in most cases, these
advertisements are unwanted.
• Backdoor – Provides functionality for a remote attacker to log on and/or execute
arbitrary commands on the affected system.
• Dialer – Uses modem connections to either dial back to the attacker or causes the
affected system to use primary-rate billing numbers when making connections.
• Downloader – Low-profile malcode that downloads and installs a more
sophisticated or updated malcode agent.
• Miscellaneous – All other malcode not falling into one of the primary categories.
• Password Stealer – Designed primarily to steal login credentials, such as those
used for instant messaging, online games and online applications.
• Rootkit – Usually acts as a component of another malcode and has the
functionality to hide files, registry entries and processes.
• Spy – Designed to monitor the user’s activity, such as logging key strokes and
tracking the user’s online activities. Similar to password stealers, Spy malcodes
may also have the functionality to capture login credentials and other confidential
information sent to online applications.
• Trojan – Usually appears to be a legitimate application before installing itself and
performing its malicious actions on the system. Examples of malicious actions can
include dropping another malcode, lowering the system’s security settings, and
allowing a remote attacker to relay network connections via the affected system in
order to conceal the real origin of the attacker.
• Virus – Propagates by infecting a host file and possibly doing some form of damage
to the host file.
• Worm – Self-propagates via e-mail, network shares, removable drives, file sharing
applications or instant messaging applications.

Malcode Type        Percent
Worm                25.4%
Trojan              20.8%
Backdoor            13.1%
Miscellaneous        9.0%
Password Stealer     8.7%
Downloader           7.6%
Virus                6.9%
Spy                  6.0%
Adware               2.0%
Dialer               0.4%
Rootkit              0.2%
Contributors to this paper include:

Michelle Alvarez – Team Lead, IBM MSS Intelligence Center
Michael Vucelich – Analyst, IBM MSS Intelligence Center
Luann Johnson – Manager, IBM ISS X-Force Database
IBM ISS X-Force Virus Prevention System (VPS) team

References

The MBR rootkit strikes again

1. Introducing Blue Pill
   http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
2. Tool Roots Out Virtualized Rootkits
   http://www.darkreading.com/document.asp?doc_id=130587
3. Stoned
   http://vil.nai.com/vil/content/v_1169.htm
4. Michelangelo Madness
   http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib-node7.html
5. Troj/Mbroot-A
   http://www.sophos.com/security/analyses/viruses-and-spyware/trojmbroota.html
6. Trojan.Mebroot
   http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99
7. StealthMBR
   http://vil.nai.com/vil/content/v_143908.htm
8. BootRoot
   http://research.eeye.com/html/tools/RT20060801-7.html
9. Hackers Find a New Place to Hide Rootkits
   http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html
The Debian OpenSSL flaw

10. Key Rollover
    http://www.debian.org/security/key-rollover/
    Debian Security Advisory DSA-1571-1
    http://lists.debian.org/debian-security-announce/2008/msg00152.html
    Ubuntu Security Notice USN-612-2
    http://www.ubuntu.com/usn/usn-612-2
    US-CERT Vulnerability Note VU#925211
    http://www.kb.cert.org/vuls/id/925211

Prolific and impacting issues of June 2008

11. A protection advisory provided by IBM ISS: Microsoft Windows MJPEG Codec Multiple Overflows
    http://iss.net/threats/294.html
12. Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
    http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
13. CVE-2008-0011
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0011
14. A protection alert provided by IBM ISS: Microsoft Windows DirectX SAMI Code Execution
    http://iss.net/threats/295.html
15. Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
    http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
16. CVE-2008-1444
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1444
17. Microsoft Security Advisory (954462)
    http://www.microsoft.com/technet/security/advisory/954462.mspx
18. Game, set and match
    http://www.sophos.com/security/blog/2008/06/1514.html
19. Automated SQL Injection Attacks
    http://iss.net/threats/293.html
20. Citibank Hack Blamed for Alleged ATM Crime Spree
    http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html
21. Card details stolen in web hack
    http://news.bbc.co.uk/2/hi/technology/7446871.stm
22. Scottish Ambulance Service loses nearly 900,000 records
    http://www.computing.co.uk/computing/news/2219911/scottish-ambulance-service
23. Stolen laptop teaches Stanford a lesson on need for encryption
    http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094958
24. 11,000 University of Florida Student Social Security Numbers Posted Online
    http://www.foxnews.com/story/0,2933,365462,00.html
25. U of U medical records stolen, 2.2 million patients’ data at risk
    http://www.sltrib.com/ci_9540210

* Information in this document concerning non-IBM products was obtained
from the suppliers of these products, published announcement material or other
publicly available sources. Questions on the capabilities of non-IBM products
should be addressed to the suppliers of those products.

All performance data contained in this publication was obtained in the specific
operating environment and under the conditions described above and is presented
as an illustration. Performance obtained in other operating environments may
vary and customers should conduct their own testing.

© Copyright IBM Corporation 2008.

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America.

07-08

All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure,
SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch,
X-Force and X-Press Update are trademarks or registered trademarks of Internet
Security Systems, Inc. in the United States, other countries, or both. Internet
Security Systems, Inc. is a wholly-owned subsidiary of International Business
Machines Corporation.

Openswan is a trademark of Xelerence Corp.

Debian is a registered trademark of Software in the Public Interest, Inc.

Ubuntu is a trademark or registered trademark of Canonical, Inc. in the U.S.
and/or other countries.

Linux is a registered trademark of Linus Torvalds.

Knoppix is a registered trademark of Klaus Knopper.

Perl is a trademark of the Perl Foundation.

Microsoft, Windows, DirectX, and SQL Server are trademarks or registered
trademarks of the Microsoft Corporation in the United States, other countries,
or both.

Other company, product and service names may be trademarks or service marks
of others.

References in this publication to IBM products or services do not imply that
IBM intends to make them available in all countries in which IBM operates.

U.S. Patent No. 7,093,239
