Blogging for Purpose

Wednesday, April 19, 2006

Kevin's discovery of latest Vundo crap

As posted by Kevin on April 18th, 2006:

Virtumonde ("VUNDO") ramps it up

Last night, several things came together here in the BOClean lab involving the nemesis of too many people whose systems have been infected, and those who have tried desperately to help them clear the infection. A "bad actor" known as "Virtumonde" which has wreaked havoc on the unsuspecting for a couple of years now has managed to do what CWS ("coolwebsearch") and their phalanx of backdoor authors and "script kiddies" hadn't. They've now gone into "deep rootkit" mode. No longer satisfied to attack "user mode" software by "injecting" into other programs in "ring three" they're now subverting "device drivers" which belong to antivirus, antitrojan and other "security software" so as to hide behind a target that most "security software" will not attempt to shut down.

Last night, we examined some new Virtumonde hijinx and were quite dismayed to find that it even attacked BOClean's driver along with the usual antivirus and antispyware drivers. What this all means for BOClean users is that for the first time, something's been able to embed in OUR code and attempt to hide (without success). And because of this new propensity, if you're ALREADY infected when you first install BOClean (rather than ALREADY being protected in which case, nothing bad ever happens) then it can be a rather bumpy ride to get rid of it. We infected several lab rats with this set of nastiness and in an unusual mode, BOClean required anywhere from 2-15 reboots before it was finally eliminated. :(

Where BOClean was already installed, it was gone the moment it landed. However, most folks don't even think of installing BOClean until after the infections are so severe that it is noticed by the non-technical and despite rumors to the effect that BOClean cannot deal with a system which is already infected - the reality is not as claimed there. However, for the first time ... BOClean is actually challenged in getting rid of this one and it took some updating of our engine as a result of tonight's "intraday" update to ensure that it can actually be gotten rid of AFTER the fact. THIS one's pretty serious.

So who ARE these guys?

Pretty much everyone who's ever gone to a site featuring HJT logs has HEARD of "Vundo" and the name given by AV's is disingenuous. There's a company out there called "Virtumundo" which is an advertising site but is actually rather legitimate in NOT infecting people's machines. And they suffer from the confusion of THEIR "good name" by the "VIRTUMONDE" bloodsuckers. Virtumonde came into being back in 2003 as best as we can tell and when the AV's discovered it last year, they applied the usual obfuscation of the "real" name of the threat for their own reasons and harmed "VirtuMUNDO" substantially in doing so. But then again, the AV's have a vested interest in "not honoring the actual name given to malware" in order to not be caught not covering it for months/years. :(

"VIRTUMONDE" is an operation based in the Cayman islands, which is a British colony which has been given more and more autonomy in recent years after their separation from technically being "part of Jamaica sorta" ... STILL, it's technically a colony of the U.K. and has become popular among "offshore banking" and criminals of all ilk.

So ... "whois" ...
Server Used: [ whois.domainnamesales.com ]

virtumonde.com = [ 127.0.0.1 ]
Registrant:
Name Administration Inc. (BVI)
Box 10518 A.P.O.
Grand Cayman Cayman Islands B.W.I.
KY
Domain name: VIRTUMONDE.COM
Administrative Contact:
Domain Administrator admin@nameadmininc.com
Box 10518 A.P.O.
Grand Cayman Cayman Islands B.W.I.
KY
1.345.946.6879
Technical Contact:
Domain Administrator admin@nameadmininc.com
Box 10518 A.P.O.
Grand Cayman Cayman Islands B.W.I.
KY
1.3459466879
Registrar of Record: DomainNameSales
Record last updated on 24-Jun-2005.
Record expires on 28-Mar-2007.
Record created on 28-Mar-2005.
Domain servers in listed order:
NS1.15X.NET 66.199.187.170
NS2.15X.NET 66.199.187.171
Domain status: REGISTRAR-LOCK

And whois "domainnamesales?"
Server Used: [ whois.domainnamesales.com ]

nameadmininc.com = [ 216.187.103.168 ]
Registrant:
Name Administration Inc. (BVI)
Box 10518 A.P.O.
Grand Cayman Cayman Islands B.W.I.
KY
Domain name: NAMEADMININC.COM
Administrative Contact:
Domain Administrator admin@nameadmininc.com
Box 10518 A.P.O.
Grand Cayman Cayman Islands B.W.I.
KY
1.345.946.6879
Technical Contact:
Domain Administrator admin@nameadmininc.com
Box 10518 A.P.O.
Grand Cayman Cayman Islands B.W.I.
KY
1.345.946.6879
Registrar of Record: DomainNameSales
Record last updated on 03-Sep-2004.
Record expires on 01-Sep-2014.
Record created on 11-Mar-2002.
Domain servers in listed order:
NS1.15X.NET 66.199.187.170
NS2.15X.NET 66.199.187.171
Domain status: REGISTRAR-LOCK

Gee! Howzabout that!? :)

So we went (with rubber gloves) and followed the trail to www.virtumonde.com a bit closer. I *DO NOT* recommend following that trail yourself with IE, or even with Opera or Firefox as the site is only TOO happy to "fudge-pack" you. :(

Pertinent data however from their own site is as follows ... I find it rather humorous that their "name" is NAI, same name as the company that owns McAfee antivirus - but then NAI hasn't done diddle about the OTHER NAI using "their good name" ... :

About NAI
Corporate

Name Administration is a privately owned company based in the British Virgin Islands and the Cayman Islands. Our core business is acquiring and managing domain names for paid search (type-in traffic) and web development purposes.
Advantage

Type-in traffic occurs when users bypass traditional search sites and find information, products and services directly. A growing number of Internet users use this form of navigation as their preferred method of locating the information they need.

For example, if a consumer was looking for a personal loan, they might go to a search engine and type "personal loans" into the search box. They would then sort through a list of links containing that term. Other users will simply type "PersonalLoans.com" into their browser's address bar, and have specialized information delivered instantly.

The popularity of individual search engines continues to change, but generic and memorable domain names have been a constant since the dawn of the commercial Internet. While search engines must invest billions to compete against one another and try to better interpret what their users are looking for; our portfolio of generic websites effortlessly connects millions of people with the products and services they are looking for each week.
Future

Name Administration adds value by ensuring that the information at each of our websites is relevant and by optimizing each visitor's search experience. We are constantly enhancing nearly 100 different verticals (from Advertising to Weddings) and thousands of subcategories to further qualify the traffic our sites generate. Advertisers can be assured that the people drawn to one of Name Administration's websites are among the most highly targeted on the Internet and in media generally.

Every day millions of visitors search Name Administration's network. Currently those people access advertising listings relevant to whatever generic term they searched for. In the future, visitors could be directed to other relevant sites, fully developed verticals, or a hybrid of both.


Uh ... yeah ... sure. Folks *WANT* this on their machines. And "NAI" even has a FAQS page with the following topics ... :(


Frequently Asked Questions

Name Administration Inc. is a responsible domain name registrant and administrator. We are in the business of administering domain names, making websites, syndicating paid search advertising and information via a network of small websites or "microportals". In an effort to reduce our email load and to save you time, here are some answers to frequently asked questions about our domain names and business:

* Is this domain for sale?
* Everything is for sale, name your price.
* What kind of business is this?
* Will you buy my domain name?
* You have a domain name that is mine and I want it!
* Your domain keeps sending me spam, phishing mail etc.
* If you guys are running this nice little business, doing the "right thing", how come you are hiding out in the Cayman Islands?
* The facts about FactCheck.com.


By ALL means, if you HAVE BOClean already, and a proper firewall of some kind, you might want to check out the FAQ's themselves. Since I'd PREFER to keep people safe, took the liberty of using a BOClean-protected machine (and that's how we caught tonight's "goodies") and grabbed that page too ... here it is ...



Is this domain for sale?
We do not sell domain names. We receive many unsolicited offers each day however our business is building and developing each domain name and website into a relevant microportal. We are constantly improving our network to offer more relevant information and advertising content.

Everything is for sale, name your price.
We are not holding out for your best offer. Replying to your email and the many we receive like it each day, costs us time that could be better spent growing our business. We get so many emails with the same subject, that we do not have the time to physically reply to all of them. If you have an inquiry regarding purchasing traffic in one of our verticals or across our network please send a detailed inquiry via our Contact page.

What kind of business is this?
Name Administration Inc. is building the internet equivalent of a television network. High quality generic domain names are our channels. For further information, please visit our About NAI page.

Will you buy my domain name?
"Don't call us, we'll call you". Name Administration purchases generic names that have keyword value. Many generic domain names receive organic browser type in traffic from people looking for information based on the keyword weight of the domain name (i.e. www.TravelLasVegas.com). We do not purchase concept names that do not make sense (i.e. www.hot-b2b-sales-4-u-today.com). If we want your unused domain name, we will call you. If you wish to sell your domain name try www.afternic.com, www.sedo.com, or www.greatdomains.com.

You have a domain name that is mine and I want it!
Name Administration Inc. operates a broad network of generic websites based on brief, popular and generically meaningful terms that have descriptive meaning to many people. We do NOT try to exploit proprietary intellectual property, knowingly administer (or purchase) inherently distinctive names or names that have "exclusive value" to a sole distinctive entity.

We try to be good corporate citizens, do the right thing and be responsible name administrators. If you feel we are administering a domain name that you have built exclusive value in, please send a detailed email via our Contact form and we will consider your claim.

Popular names often have a great deal of desirability to many different parties, due to their scarcity and generic meanings. Accordingly, we refer questions concerning claims of right to competent counsel for review and evaluation.

Your domain keeps sending me spam, phishing mail etc.
a) Name Administration Inc. has never sent a single piece of unsolicited email to anyone. We do not send spam or operate phishing sites. Spammers and "phishing con artists" often select random fictitious addresses for their email (i.e. info@savingmoney.com). These parties do not own the name 'savingmoney.com', we do. They do this because they do not want to hear your complaints about their spam. In a nutshell, these parties send you spam with a fake return address incorporating one of the names we administer to cover their tracks and to look real. We have no way of controlling this activity (and it bothers us more than you) but we can assure you those emails are not coming from Name Administration. We administer domain names. That's it.

b) Name Administration often purchases generic expiring domain names. Sometimes these names have previously been used to send unsolicited email or for other nefarious activity. We buy domain names because they are generic and meaningful, NOT based on their previous activity. Always check the "created date", or "updated date" of an individual name via WHOIS lookup (i.e. www.betterwhois.com). If those dates are recent, it is likely that we newly acquired the domain name at auction, or after it expired and ANY PROBLEM YOU SEE IS FROM A PREVIOUS REGISTRANT'S ACTIVITY. To reduce spam we suggest not posting your email address publicly, not filling in free-offer emails and installing spam filtering software on your PC.

If you guys are running this nice little business, doing the "right thing", how come you are hiding out in the Cayman Islands?
This is our favorite. The Cayman Islands is nothing like what you hear about in the movies. We could just as easily ask, "How come YOU are hiding-out in the USA (or Canada or Europe or Australia)?" We are in the Cayman Islands because it is a great place to live. The weather is warm, the people are friendly and there is good Internet access. Everyone lives somewhere. We live here (www.caymanislands.ky). We may be contacted via email or through the Contact form on this website.

The facts about FactCheck.com.
During the 5 October 2004, debate between United States candidates for the office of vice president, the incumbent Vice President Cheney responded to an issue by referring viewers to "factcheck.com". Mr. Cheney apparently intended to refer viewers to factcheck.org instead of factcheck.com.

The website "factcheck.com" is operated by Name Administration Inc., a privately held company based in the Cayman Islands. Traditionally, Internet addresses ending in ".com" have been intended for commercial purposes, while ".org" has been intended for use by non-profit organizations, such as the "factcheck.org" website operated by the Annenberg Public Policy Center at the University of Pennsylvania.

Name Administration Inc. is a leading domain name administrator, website developer and Internet traffic syndicator. Name Administration Inc. utilizes a portfolio of generic domain names, such as antarctica.com, lipbalm.com, and others as stand alone websites which collectively form an integrated advertising network offering users relevant paid search advertisements and information. "Factcheck.com" was registered by Name Administration long before the U.S. vice presidential debate for use in providing a directory of commercial providers of information resources relevant to the generic term "fact check".

When Mr. Cheney mis-spoke, viewers heeded his advice and visited factcheck.com in staggeringly large numbers. Name Administration re-directed this traffic for several reasons - to protect our servers from the potential for damage caused by Mr. Cheney's error, and as a service to our advertisers. Our advertisers intend to pay for potential customers to their websites instead of observers of political current events.

Name Administration re-directed those visitors to a website relevant to U.S. politics. Name Administration chose the website of investor, philanthropist, and political activist Mr. George Soros, because his website is well-funded, does not seek to raise funds from visitors, and had greater capacity to absorb the load of visitors, reaching over 100 visitors per second during peak times after the debate. An administrator for the Annenberg Public Policy Center has since informed us that their web server system would have been severely crippled by the load, had we directed the traffic to them. Contrary to some imaginative rumors spun by some, our action was undertaken on a voluntary and emergency basis, with no prior communication or consultation with the Soros organization. As confirmed by our legal counsel in response to media inquiries, Name Administration Inc. has not been offered, and has not sought, any inducement, compensation, or other consideration from any individual or organization for re-directing the resulting web traffic.

Traffic to factcheck.com has begun to return to normal levels, and Name Administration Inc. has restored the website to its original and intended use. Name Administration Inc. wishes the citizens of the United States well in the selection of their leaders, whose actions can sometimes have unintended consequences beyond the borders of the United States.



(NAI Websites)

Antarctica.com
BlackGold.com
CeilingFans.com
Chests.com
ChristmasOrnaments.com
CocktailDresses.com
ColoringBooks.com
ComingAttractions.com
Cupcakes.com
DeathPenalty.com
DuctTape.com
Duplication.com
EatingDisorders.com
EShopping.com
FolicAcid.com
ForeignCurrency.com
HappyNewYear.com
Hombres.com
HurricaneTracker.com
Internship.com
JapaneseFood.com
LipBalm.com
Lottery.net
Mapas.com
Mobile.net
Pears.com
PersonalLoans.com
PetPrescriptions.com
Poemas.com
Prescription.net
Promz.com
Quality.net
RazorBlades.com
RemoteControlCars.com
Sailboats.net
SavingMoney.com
ScienceProjects.com
SongDownloads.com
StockTips.com
SyntheticOil.com
TaxDeductions.com
TestDrive.com
ThongBikini.com
TravelChina.com
Triathlons.com
UsedCarsForSale.com
VegasBaby.com
WeddingReception.com
- Thousands of others -


So these birds don't just hijack COMPUTERS, they hijack SITES as well! :(

And for all of the criminal acts they've done, they're STILL free to continue. So much for the so-called "war on terrorism." And they're CLEARLY "Bush haters" as this set of sentences proves:

Name Administration Inc. wishes the citizens of the United States well in the selection of their leaders, whose actions can sometimes have unintended consequences beyond the borders of the United States.

So WHERE are the bombs? :(

I've often described how BOClean is different from anything else in our "behavior-based detection." And while some might confuse that with "heuristics" which we also use as part of our design, our MAIN "behavior" detection is based on getting into the minds of the authors of malware, and specific idiosyncrasies of various malware authors. Each one of them has a tendency to "sign" their work one way or another - be it making sure that their NAME is buried in their code, a particular way of misspelling things, or other "unique" way that a malware source identifies itself.

It's ONE thing to just "MD5 hash" a new submission, it's an entirely BETTER thing to actually put the effort in to "know your cuts of meat." And "Virtumonde" has a number of unique things (not to mention their abuse of name servers and redirects to THEIR netblock) which serves us VERY well in already having their NEXT move as a "variant" rather than a "unique." TONIGHT, "Vundo" threw us a curve with an absolutely NEW unique method of infection. And that scared the QWAP out of me that from out of nowhere, they've changed course. :(

I'm scared ... those who depend on vendors who just take the latest file and assign it "badthing.abd" and ignore the repercussions have me GENUINELY worried. The latest "VUNDO" is a sign of an entirely NEW course, and it's an incredibly BAD one for those who depend on "AV's ONLY" ...

For those who ALREADY have BOClean, you were protected fully as of just before 5AM US Eastern time and have been updated by now. For those who HAVEN'T yet purchased BOClean, it'll be a rocky ride with a crash or two but we'll get it. And if you DON'T have BOClean ... my sympathies. :(

Legal requirement - These are MY thoughts and not those of Privacy Software Corp. If I've offended anybody, then another long night blown to hell was worth it. After all, ain't that what blogs are about? People venting their spleen? Heh. This blog is my own personal therapy and no one else's. Lurk if ya wanna, smoke'em if ya gottem, comments welcome but subject to roasting, void where prohibited by good taste. Favorable licensing deals available to "VUNDO" for "real cheep." Heh.

posted by Kevin at 3:36 AM on Apr 18 2006
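
The registrant comparison made with the two WHOIS records in the post above, together with the created-date check that the quoted NAI FAQ recommends, as an added Python example (not code from the original post or from BOClean). The records are abridged from the ones quoted on this page; the function names and the parsing rules for this registrar's text layout are assumptions made for the example.

```python
import re
from datetime import datetime

# Abridged from the two WHOIS records quoted in the post: address, phone and
# technical-contact lines are omitted, the remaining lines are as shown there.
RECORD_VIRTUMONDE = """\
Registrant:
Name Administration Inc. (BVI)
Domain name: VIRTUMONDE.COM
Administrative Contact:
Domain Administrator admin@nameadmininc.com
Registrar of Record: DomainNameSales
Record last updated on 24-Jun-2005.
Record expires on 28-Mar-2007.
Record created on 28-Mar-2005.
Domain servers in listed order:
NS1.15X.NET 66.199.187.170
NS2.15X.NET 66.199.187.171
Domain status: REGISTRAR-LOCK
"""
RECORD_NAMEADMIN = """\
Registrant:
Name Administration Inc. (BVI)
Domain name: NAMEADMININC.COM
Administrative Contact:
Domain Administrator admin@nameadmininc.com
Registrar of Record: DomainNameSales
Record last updated on 03-Sep-2004.
Record expires on 01-Sep-2014.
Record created on 11-Mar-2002.
Domain servers in listed order:
NS1.15X.NET 66.199.187.170
NS2.15X.NET 66.199.187.171
Domain status: REGISTRAR-LOCK
"""

CONTACT_SECTIONS = {"administrative contact", "technical contact"}
NS_SECTION = "domain servers in listed order"
SECTIONS = CONTACT_SECTIONS | {"registrant", NS_SECTION}
DATE_LINE = re.compile(r"^Record (last updated|expires|created) on (\d{2}-[A-Za-z]{3}-\d{4})\.?$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NS_LINE = re.compile(r"^(\S+\.\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_whois(text):
    """Parse this registrar's free-text layout into comparable fields."""
    rec = {"domain": None, "registrant": None, "registrar": None,
           "emails": set(), "nameservers": set(), "dates": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Bare "Heading:" lines open a block whose values follow on later lines.
        if line.endswith(":") and line[:-1].lower() in SECTIONS:
            section = line[:-1].lower()
            continue
        m = DATE_LINE.match(line)
        if m:
            kind = m.group(1).split()[-1]  # "updated", "expires" or "created"
            rec["dates"][kind] = datetime.strptime(m.group(2), "%d-%b-%Y").date()
            continue
        if ":" in line:  # "Key: value" lines; unknown keys are ignored
            key, _, value = line.partition(":")
            if key.strip().lower() == "domain name":
                rec["domain"] = value.strip().lower()
            elif key.strip().lower() == "registrar of record":
                rec["registrar"] = value.strip()
            continue
        if section == "registrant" and rec["registrant"] is None:
            rec["registrant"] = line  # first free-text line is the registrant name
        elif section in CONTACT_SECTIONS:
            rec["emails"].update(e.lower() for e in EMAIL.findall(line))
        elif section == NS_SECTION:
            ns = NS_LINE.match(line)
            if ns:
                rec["nameservers"].add(ns.group(1).lower())
    return rec


def shared_pivots(a, b):
    """Fields on which two parsed records agree (candidates for correlation)."""
    pivots = {f: a[f] for f in ("registrant", "registrar") if a[f] and a[f] == b[f]}
    for f in ("emails", "nameservers"):
        if a[f] & b[f]:
            pivots[f] = sorted(a[f] & b[f])
    return pivots


def domain_age_days(rec, observed):
    """Days between the record's creation date and the date it was observed."""
    return (observed - rec["dates"]["created"]).days
```

Matching registrant, contact and name-server fields show who holds both names at lookup time; the creation date only bounds how long the current registration has existed, which is the check the quoted FAQ describes.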

A question was asked:

Just curious. How does one get infected with this new nastie? Are they exploiting some vulnerability in Windows, for example?

Kevin's response:

As to the "infection vector," I hate to be a bit rude - need some sleep desperately for now. I honestly don't KNOW what sites might entice people to go to "Vundo" or an "affiliate" (wouldn't it have been interesting if WCB had discussed "affiliates" instead of "astroturf" since that's what (they) was REALLY discussing in that thread?) (sorry, forget WCB - I'm just still mighty honked off about it all) ... I s'pose there's deals with "VUNDO" for cash - after all, the "crims" don't bother unless there's CASH at the end of the rainbow, and people wouldn't *HAVE* "Vundo" as "Un CADEAU!" were it NOT for "Interpol-worthy stuff" ... :(

But have NO idea of which sites are spinning this for cash ... all WE know is the PAYLOAD, and we intend to KILL it. That's what REAL folks want - STOP it ... NOW! :)

And a further response from Kevin:

And just an addition before some of our "competitors" try to twist the words - those who DON'T already have BOClean will need to go through a couple of reboots - from the time I originally posted through now, about 55 lab rats now have been infected BEFORE loading in BOClean, and typically, it's been 2-3 reboots before this particular existing infection is finally gone.

When a trojan cannot be killed by ANY means, BOClean will throw up a warning (unless configured NOT to) and then force a system reboot. If "restart" is configured on a system rather than "turn off" then memory often retains the "prior state" unless there's a "power off" as Windows USED to do prior to XPee SPee2 ... *IF* the system does a cold power-down, then one boot after installation, the nasty will be found again in its NEW place (device driver) and BOClean will force ANOTHER shutdown (whereupon it's gone) ...

But IF the system keeps restoring the nasty and "prior state" then the detection and reboot cycles will continue UNTIL the system "finally forgets" and doesn't RESTORE the nasty. THAT is the problem with installing BOClean AFTER you're infected here. But if it's any comfort ... most OTHER software won't even detect its presence at ALL! :(

Another question:

Obviously this is a new technique used by Vundo. Does the author have to be a skilled programmer to write this stuff? I have really no idea.

It will be interesting to see how the file scanners deal with this one.

Kevin's response:

I'm SURE the "helpers" in the "go away with your HJT log like you're some kind of "vendah with a agendah" and they'll figure out how NORTON or SPYSWEEPER is suddenly the trojan. Folks on DSLR *get* what they paid for. :)

"PM relief" is finally here, I go home ... TEN NEW "Vundo's" (166 variants) in an update we JUST put out. Never seen anything LIKE this, but now for all of the new releases, they're finally REPACKS of what is to BOClean now, "same old same old - VARIANT!" ... looks like we're there for now or there'll be MORE "intraday updates" whilst I sleep. Moo. :)

Another question asked:

I was rereading this blog and noticed Kevin said "However, for the first time ... BOClean is actually challenged in getting rid of this one and it took some updating of our engine as a result of tonight's "intraday" update to ensure that it can actually be gotten rid of AFTER the fact. THIS one's pretty serious."

Does this mean you have updated the BOC engine we are currently running with the intraday update? Or are we gonna see a new version release soon? As it reads now it appears this is really only a factor for those who install after the new Vundo infection but was curious.

Kevin's response:

Looks like I need to clarify a few things. In my mention about "if you're already infected when BOClean is installed" with this one - this particular infection has a number of components watching each other's back, some of which are already hidden. So clobbering the obvious ones the first time BOClean is run on an infected machine requires a couple of reboots - first time to get rid of the startup "backup" stuff and then expose the rootkit, second time to get that and then reveal the rest. BOClean is only at a disadvantage the first time around only because there are so many pieces. Of course if BOClean was already there on the machine, no problem. I was merely pointing out that having it on your machine from the git-go is preferable in THIS case to having to go after it at a later time because *I* don't like the idea of having to do a reboot to do a proper cleaning. That's all.

As far as the "limitation of the engine" which required the update change, BOClean is designed to allow the database to contain not only "definitions" so folks know the name of the nasty, but also allows us to include new functions which can be called when the database is loaded and overlays the existing code. As a result, there's no need for a CODE upgrade as the update takes care of the newly discovered needs. I'm just glad I designed it that way - this was the first time we've had to USE this "feature" of the design. There's a lot of "what if?" stuff in BOClean that we've never had to use and I was merely amused that for once, that stuff was actually needed for a change. :)

I also read here and elsewhere that some folks have visited the links I provided and somehow had an expectation of getting infected by doing so. Handing out "get infected, click here" links is perhaps the most irresponsible thing anyone can do, it's banned in all groups, and I'm certainly not going to do it.

As to where this stuff came from, I have no idea actually. We have a number of people across the globe who provide us samples (as well as other vendors) and this new Vundo stuff just showed up the other night. It was after letting it loose in our deliberately unprotected lab rats that it started grabbing even more stuff and that was the basis of so many updates yesterday as new stuff appeared from out of nowhere on the lab rats. Since yesterday, looks like we've collected them all - there were only two new minor BHO's seen since the "big one."

Some have indicated that they use "properly locked down" machines, and by golly - a tip of the hat to those. We deliberately run "nasty bait" here so that we can hopefully get nailed before anyone else does. "Locking down" our lab rats isn't a good idea given what we do here and what all too many "real world users" do every day.

And John ... you were right ... the zealots of other "brands" are busy spinning this all precisely as you'd predicted - "those evil immoral BOClean people are trying to scare people again." Heh. No ... once again this blog exists solely for me to gas off about things that bother me. And that so many people continue to get infected after all that "security advice" and operations like "Virtumonde" continue to do what they do after two years now without prosecution is what honks me off and is the reason for what I wrote.

That it was a challenge for a "new install" of BOClean was also bothersome to me because it means that I have to start working on the NEXT version of BOClean all over again because what I saw here tells me that there are a number of OTHER ways into systems in the future. That we were able to handle it of course felt good, but I'm perpetually running scared myself that some day we might actually get nailed by one of these things. And that motivation is what keeps me up at night. :(

And as to how people actually get infected? Numerous ways. The most common ones are hitting sites that offer "free porn" (no surprise there) or "keygens" and "cracked versions of software" (no surprise there either) and some sites with scripts that are huge that will walk machines through every possible known exploit in scripting in hopes that one of those will "stick." And of course, those who MUST click on a link in spam.

And while it's nice to know that there are so many people who have truly locked down their systems, reality is that there's FAR too many out there who haven't and don't care HOW to. Worse yet, many of these folks really should be running a Macintosh or BSD but have Billyware. People who have a problem with their machine and reload PRE-SP1 "rescue disks" and then go online instead of going straight for all the bandaids that just aren't ON that CDROM. :(

BOClean was designed for institutional users by their admins. Places that have "lawyers" and "middle management" types who don't know the difference between a "registry" and a "vision statement." And there's an awful lot of non-technical people out there who were issued computers and have no clue as to "how to work this thing."

And for those who DO know what they're doing, then you'll never get infected anyway. :)

6 Comments:

  • Thank you for publishing that very informative write up. Keep up the good work.

    By Anonymous Anonymous, at April 21, 2006 11:53 AM  

  • I love folks that pull no punches and tell it like it is in colorful language (vendah with an agendah...rofl). Kevin you do it the best. It was truly nice to know what was behind that one particular intraday update email that piqued my interest one morning when I checked my email all bleary and sleepy-eyed. Thank you for your blog write-up.

    Someday, I'd love to borrow this for a posting signature: Lurk if ya wanna, smoke'em if ya gottem, comments welcome but subject to roasting, void where prohibited by good taste. But being rather notorious myself ;) I prefer to go back to being the meek, mild-mannered security-minded mouse I once was until some (graphic expletives left out in an effort to maintain good taste) pisses me off and the mouse roars...

    ...kinda like BOClean.

    Man, go easy on the spleen!

    By Anonymous Anonymous, at April 22, 2006 12:09 AM  

  • virtumonde.com

    Dear Kevin,

    The name virtumonde.com was registered after the former registrant let the domain name lapse for non-payment. We registered the name from a list of expiring names for the terms "virtu" (virtual) and "Monde" (day) "Virtual Day" ..

    While from time to time nefarious former registrants let their names expire, we purchase expiring names for nothing more than the keyword weight associated with the name.

    This name has clearly taken on new (negative) meaning thanks to the scam artists who formerly held the registration rights, we can not do much about that, but can assure you that those issues have nothing to do with us.

    Thanks.

    NAI

    By Blogger N-A-I, at May 03, 2006 7:40 PM  

  • Heh. Well ... someone's having a truly virtual day with that domain name nonetheless. And even if the domain has expired, the owners live on in glorious living cruller. And you ARE the owner when someone does that "lookup." I'd 404 it if it were mine.

    By Blogger Kevin, at May 05, 2006 7:21 AM  

  • Thanks sincerely Kevin.

    We will most certainly disable it.

    Thanks once again for bringing it to our attention.

    Good blog.

    N-A-I

    By Blogger N-A-I, at May 05, 2006 9:23 PM  

  • Name Administration Inc. is a scam!
    Someone with an email associated with a domain registered by that company has stolen money from my paypal/bank account.
    If you are legit then why the Caymans and why not leave a real address. I will be there at your box one time when you get the mail....count on it. Anyone else have ideas on how to get these #@%$#ers please chime in.

    By Anonymous Anonymous, at June 26, 2007 1:01 PM  
