
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-03-12



McAfee 4715 DAT False Positive Deletion Reports Follow-up

Published: 2006-03-12
Last Updated: 2006-03-14 15:49:13 UTC
by Patrick Nolan (Version: 3)
On Friday we started receiving reports of file deletion problems from admins using McAfee AV: scans using the 4715 DATs issued Friday were incorrectly identifying many executables as the W95/CTX virus. Portions of the information submitted are excerpted below, and we thank all of the admins who reported the problems, which allowed us to get the early problem alert out. Your reports and the Diary warning "McAfee/NAI rolls bad pattern" helped many admins.

Update: 21:37 UTC - One of our readers, JD, tells us that McAfee has developed a tool that will restore files that were quarantined by DAT 4715. Customers are encouraged to contact their technical assistance manager. The tool may be posted on the McAfee website at some point (though it doesn't appear to be there for public download at the moment). --JAC

Update 2: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers. The list can be found here. --JAC

Update 3: 15:48 UTC 2006-03-14 - The tool is now available. See here. --JAC

McAfee DAT 4716 corrects the problem, references W95/CTX and says:
"Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.

VirusScan Online users can restore the falsely detected file from the Manage Quarantined Files."

ISC participants report excerpts:

"The 4715 dat files are incorrectly identifying multiple different files as being infected with W95/CTX when scanned with the on-demand scanner with the following products:

VirusScan Enterprise 8.0i
VirusScan Enterprise 7.1
VirusScan Enterprise 7.0
Managed VirusScan 4.0
Managed VirusScan 3.5
VirusScan Online 11
VirusScan Online 10
LinuxShield
VirusScan 7.03 (consumer)

At this time you should cancel any scheduled on-demand scans until the release of the 4716 DATs."

"Some example files are graph9.exe and excel.exe from office 2000"

"....3700 files have been quarantined on over 100 pcs."

"We think McAfee's latest DAT file may be bad.  They improved the detection for several variants of the W95/CTX virus, and now our scanners are detecting supposedly infected executables all over our network, including on an original Microsoft Office 11 CD.  Our guess is that this is a false positive.  If so, and your readers have quarantine or delete set as the default action, the Virusscan will do more damage than a real virus would."

"attempted to remove files such as Dell OpenManage, Cygwin, perl, Sysinternals pstools suite."

"anything that was in the PATH environment variable was targeted."

"Not only did it attempt to remove files in the %ORACLE_HOME%\bin directory, but also in the .patch_storage folder - so as far as oracle files, this was not limited to the PATH environment variable."

"This was also capable of navigating mapped drives, so if you had a file server setup as a common install location, if filesystem permissions permitted modification of such files, you'll want to refresh the installation files from the downloaded, compressed source file."

"[removed] ShavlikPro (commandline4.exe) and the entire SuperCACLs suite from trustedsystems.com"

"I started getting reports that looked like a virus outbreak so I forced scans on all the network machines. This turned out to make matters worse because hundreds of files per machine were incorrectly identified as virus infected and quarantined. Many hours will be spent restoring these files from quarantine. Thankfully it was not set to delete the files."

"We had over 3700 quarantine events. I counted 297 individual file names."
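
The reports above share a pattern worth checking for mechanically before forcing network-wide scans: one detection name hitting hundreds of different, well-known executables in install directories across many hosts, rather than one dropped file repeating in user profiles. The following Python is an added example, not code from the diary or from McAfee; it reads quarantine events from a constructed, generic CSV layout (not McAfee's real log format) and flags per detection name whether the spread of file names looks like a bad signature. The hosts, paths, threshold values and the second detection name are all invented for the example.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample of quarantine events in a generic CSV layout; this is not
# McAfee's own log format, and the hosts, paths and the second detection name
# are invented for the example. The W95/CTX file names echo the reports above.
EVENTS = r"""host,time,detection,path,action
ws-001,2006-03-10T14:02:11,W95/CTX,C:\Program Files\Microsoft Office\Office\excel.exe,quarantined
ws-001,2006-03-10T14:02:13,W95/CTX,C:\Program Files\Microsoft Office\Office\graph9.exe,quarantined
ws-002,2006-03-10T14:05:40,W95/CTX,C:\Program Files\Microsoft Office\Office\excel.exe,quarantined
ws-002,2006-03-10T14:05:41,W95/CTX,C:\cygwin\bin\perl.exe,quarantined
ws-003,2006-03-10T14:07:02,W95/CTX,C:\oracle\ora92\bin\sqlplus.exe,quarantined
ws-003,2006-03-10T14:07:05,W95/CTX,C:\tools\pstools\psexec.exe,quarantined
ws-004,2006-03-10T15:11:09,W32/Sample.worm,C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe,quarantined
ws-009,2006-03-10T15:12:10,W32/Sample.worm,C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe,quarantined
"""

# Directories where a file a user ran or downloaded typically lands; installed
# software under Program Files, an Oracle home or a tools directory does not.
PROFILE_DIRS = ("\\temp\\", "\\documents and settings\\", "\\users\\")


def parse_events(text):
    """Read the CSV into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(events, min_distinct_names=3, max_profile_fraction=0.2):
    """Per detection name: counts plus a flag for 'many different installed binaries hit'."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["detection"]].append(ev)
    report = {}
    for detection, evs in groups.items():
        names = {ntpath.basename(ev["path"]).lower() for ev in evs}
        hosts = {ev["host"] for ev in evs}
        in_profile = sum(1 for ev in evs if any(d in ev["path"].lower() for d in PROFILE_DIRS))
        profile_fraction = in_profile / len(evs)
        report[detection] = {
            "events": len(evs),
            "hosts": len(hosts),
            "distinct_names": len(names),
            "profile_fraction": round(profile_fraction, 2),
            # One signature hitting many different binaries in install locations
            # looks like a bad pattern, not like one piece of malware spreading.
            "likely_false_positive": len(names) >= min_distinct_names
            and profile_fraction <= max_profile_fraction,
        }
    return report


if __name__ == "__main__":
    for detection, stats in triage(parse_events(EVENTS)).items():
        print(detection, stats)
```

The thresholds are a starting point, not a rule: the point is to look at distinct file names and their locations per detection before reacting, and to keep the product's default action at quarantine rather than delete, so that a bad DAT costs restore time instead of reinstalls.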

Phishing arms race

Published: 2006-03-12
Last Updated: 2006-03-12 15:05:01 UTC
by Swa Frantzen (Version: 1)

Arms Race?

As with anything the bad guys do, they react to whatever we do to try to keep them from succeeding. One of the things we told our users was to ignore alerting messages that their bank (or any other bank they are not a customer of) appears to send them, telling them their account has been abused. It seems that this is finally having its effect, as the phishers are changing tactics.

These kinds of arms races require us to raise awareness constantly and to make users more resilient all the time. If we fail at this, our users, customers, ... will fall prey, and we will have failed them in the end.

Example of one of these new phishing attempts

From: Chase Manhattan Bank  
To: victim@example.com
Subject: [ $20 Reward Survey ]

Dear Chase Bank Customer,
CONGRATULATIONS! 

You have been chosen by the Chase Manhattan Bank online department
to take part in our quick and easy 5 question survey.
In return we will credit $20 to your account - Just for your time!
Helping us better understand how our customers feel benefits everyone.
With the information collected we can decide to direct a number of
changes to improve and expand our online service.
We kindly ask you to spare two minutes of your time
in taking part with this unique offer!

SERVICE: Chase Online? $20 Reward Survey

EXPIRATION: March - 13 - 2006

Confirm Now your $20 Reward Survey with Chase Online? Reward
services.

The information you provide us is all non-sensitive and anonymous
No part of it is handed down to any third party groups.
It will be stored in our secure database for maximum of 3 days
while we process the results of this nationwide survey.

Please do not reply to this message. For any inquiries, contact
Customer Service.

Document Reference: (87051203)
Copyright 1996 - 2006 Chase Bank, N.A. Member FDIC Copyright 2006

It was formatted much more elaborately in HTML, but I chose not to show that here.

Of course the link in there doesn't go to anything owned by JPMorgan Chase & Co.

Now let's have a look at that website collecting so-called "non-sensitive and anonymous" information.

It starts out rather innocently,

but then it goes on to ask for more details. Details that are far from non-sensitive and anonymous. But remember the psychology: the user has just answered a whopping 5 questions and is now going to get his 20 bucks. He'll even sell his mother for it, or at least tell them her name, along with things that are going to cost him much more than the 20 bucks he'll never get.

The details they want to know:


New tactic: better servers

Unfortunately they are also getting better on the technology side:
  • "premium" service from a well known name on the Internet
  • very redundant DNS service
  • lots of servers
chaseonline.new-reward-survey.us. 600 IN CNAME premium.geo.yahoo.akadns.net.
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.174
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.175
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.177
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.184
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.185
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.186
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.188
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.173
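
To show what the records above actually tell a defender, here is an added example, not code from the diary: a small Python script that parses dig-style answer lines, walks the CNAME chain, collects every A record at the end of it and pulls out the registrable domain of the final target and the shortest TTL. Those are the facts an abuse report should carry, since the hosting provider (the final CNAME target) is who can take the content down, and a short TTL means the address set can change before anyone acts. The parser, function names and the "hosting domain" heuristic (last two labels) are assumptions of the example; the record data is copied from the diary.

```python
import ipaddress
import re
from collections import defaultdict

# The answer section quoted in the diary, in dig's presentation format.
RECORDS = """\
chaseonline.new-reward-survey.us. 600 IN CNAME premium.geo.yahoo.akadns.net.
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.174
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.175
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.177
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.184
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.185
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.186
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.188
premium.geo.yahoo.akadns.net. 300 IN A 66.218.79.173
"""

# owner TTL IN TYPE RDATA, one record per line.
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$")


def parse_records(text):
    """Return a list of (owner, ttl, type, rdata) tuples; reject lines we cannot read."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blanks and dig's comment lines
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparsable record: {line!r}")
        records.append((m["name"], int(m["ttl"]), m["rtype"], m["rdata"]))
    return records


def follow_cnames(records, name, max_hops=8):
    """Walk the CNAME chain from `name`; return the chain and the A records at its end."""
    by_name = defaultdict(list)
    for owner, ttl, rtype, rdata in records:
        by_name[owner].append((ttl, rtype, rdata))
    chain, seen = [name], {name}
    for _ in range(max_hops):
        targets = [rdata for _, rtype, rdata in by_name[chain[-1]] if rtype == "CNAME"]
        if not targets:
            break
        if targets[0] in seen:                    # a looping chain would otherwise never end
            raise ValueError(f"CNAME loop at {targets[0]}")
        seen.add(targets[0])
        chain.append(targets[0])
    addresses = sorted(
        (rdata for _, rtype, rdata in by_name[chain[-1]] if rtype == "A"),
        key=ipaddress.IPv4Address,                # numeric order, not string order
    )
    return chain, addresses


def summarize(text, name):
    """The facts for an abuse report: chain, all addresses, hosting domain, shortest TTL."""
    records = parse_records(text)
    chain, addresses = follow_cnames(records, name)
    final = chain[-1].rstrip(".")
    return {
        "chain": chain,
        "addresses": addresses,
        # last two labels of the final target: who actually serves the content
        # (a heuristic assumed by this example, not a general public-suffix lookup)
        "hosting_domain": ".".join(final.split(".")[-2:]),
        # the shortest TTL bounds how quickly the address set can be swapped out
        "min_ttl": min(ttl for _, ttl, _, _ in records),
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS, "chaseonline.new-reward-survey.us.").items():
        print(f"{key}: {value}")
```

Run against the diary's records it reports a two-hop chain, eight addresses and a 300-second TTL, which is why a report naming a single IP observed at one moment is of little use: the report needs the whole set, the CNAME target and a timestamp.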

The not so good news goes on:

Worst of all, the responses you receive when reporting these things to the abuse contacts of some service providers are so far below par that getting this shut down in a hurry isn't likely. I hope the banks have a bit more pull than this handler.

Yes, I know that exposing this more publicly will increase the odds that other rival groups will start to use these techniques as well, but after having received half a dozen of these myself, my guess is that they already know.

--
Swa Frantzen - Section 66