<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; virus</title>
	<atom:link href="http://www.theemailadmin.com/tag/virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Hybrid malware spreading via USB devices</title>
		<link>http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/</link>
		<comments>http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 15:01:07 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[USB]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>
		<category><![CDATA[Zimuse]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2101</guid>
<description><![CDATA[An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B. What makes the pernicious program odd is its destructive properties. These days, Black Hats tend to concentrate [...]<p><a href="http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/">Hybrid malware spreading via USB devices</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2106" class="wp-caption alignright" style="width: 260px"><img class="size-full wp-image-2106" src="http://www.theemailadmin.com/wp-content/uploads/2010/01/zimuse-iq-test.jpg" alt="Zimuse leverages an IQ test to infect its victims." width="250" height="182" /><p class="wp-caption-text">Zimuse leverages an IQ test to infect its victims.</p></div>
<p>An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.</p>
<p>What makes the pernicious program odd is its destructive properties. These days, Black Hats tend to concentrate their efforts on programming schemes that have a cash payoff. When that&#8217;s your line of business, stealth, not havoc, is your modus operandi. Zimuse&#8217;s creators, though, don&#8217;t seem to care about monetary gain. Proliferation and mayhem appear to be their game.</p>
<p>Given the putative origin of the malware, it&#8217;s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.</p>
<p>The malware is a two-trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host&#8217;s Windows operating system and cripples it.</p>
<p>One way Zimuse distributes itself is by compromising legitimate Web sites. It&#8217;s planted as a self-unpacking zip file that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to obfuscate what Zimuse is doing under the compromised computer&#8217;s hood.</p>
<p><span id="more-2101"></span>After the sinister software insinuates itself on a computer, it begins to multiply. Depending on the variant, it copies itself into anywhere from seven to 11 locations critical to the device&#8217;s operating system. In addition, it modifies the Windows Registry to guarantee that its components will be launched as services each time the computer is started. Here are the keys altered by Zimuse.</p>
<p>HKLM\System\CurrentControlSet\Services\EventLog\System\MSTART</p>
<p>HKLM\System\CurrentControlSet\Services\MSTART</p>
<p>HKLM\System\CurrentControlSet\Services\MSTART\Security</p>
<p>HKLM\System\CurrentControlSet\Services\Mseu</p>
<p>HKLM\system\currentcontrolset\services\UnzipService</p>
<p>In addition to working mischief with the Registry, the malware also adds two drivers. They look like this.</p>
<p>%system%\drivers\Mstart.sys</p>
<p>%system%\drivers\Mseu.sys</p>
<p>Users of the 64-bit versions of Windows 7 and Vista can breathe a little easier than XP coves because those versions of Microsoft&#8217;s operating system require that drivers be signed before they&#8217;re installed and Zimuse&#8217;s drivers won&#8217;t cut the mustard in that department.</p>
<p>After Zimuse finds a home on a computer, it waits for USB storage devices to be attached to the machine so it can infect them too. When such a device is connected, Zimuse copies itself to the hardware as a file named zipsetup.exe, along with an autorun file. The contents of that file, autorun.inf, look like this.</p>
<pre>[autorun]
shellexecute=zipsetup.exe /H</pre>
<p>According to White Hats, the USB vector has been a rewarding one for spreading the nasty code.</p>
<p>In moving from the A variant to the B version of the program, its creators have tightened up the timeframe of its actions. The 10 days it took for the A variant to begin infecting attached USB devices has been reduced to seven days in the B version. The B variant also trashes its host sooner&#8211;20 days compared to 40 days for the A version.</p>
<p>When running on a computer, the malware is invisible to the user. That&#8217;s typical for outlaw programs these days. Zimuse, though, isn&#8217;t content with propagating itself in the background. After the aforementioned fixed period of time&#8211;40 days for variant A, 20 days for B&#8211;the spiteful software displays an error message claiming a problem has occurred due to IP packets from a rummy URL. The problem can be solved, the message tells the user, with a system recovery, which can be accomplished by clicking OK in the error message&#8217;s window.</p>
<p>The so-called system recovery is actually system chicanery. When the infected computer reboots, Zimuse overwrites the first 50 megabytes of the Master Boot Record for Windows. That essentially cripples the file system and makes all data on the disk inaccessible without the use of special tools.</p>
<p>As malware goes, Zimuse is particularly malevolent, but as some commentators have observed on the Web, having a Master Boot Record zapped is far less injurious than having passwords to bank accounts or social security numbers stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/02/hybrid-malware-spreading-via-usb-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker copycats starting to appear</title>
		<link>http://www.theemailadmin.com/2009/04/conficker-copycats-starting-to-appear/</link>
		<comments>http://www.theemailadmin.com/2009/04/conficker-copycats-starting-to-appear/#comments</comments>
		<pubDate>Thu, 09 Apr 2009 12:47:17 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=719</guid>
<description><![CDATA[The April Fools Day Conficker scare didn&#8217;t amount to much, although that doesn&#8217;t mean that Conficker poses no danger. It&#8217;s still out there, silently spreading and perhaps collecting information, and may well become one of the biggest botnets ever&#8211;so don&#8217;t make the mistake of being lulled into a false sense of security because nothing happened [...]
]]></description>
			<content:encoded><![CDATA[
<p>The April Fools Day Conficker scare didn&#8217;t amount to much, although that doesn&#8217;t mean that Conficker poses no danger. It&#8217;s still out there, silently spreading and perhaps collecting information, and may well become one of the biggest botnets ever&#8211;so don&#8217;t make the mistake of being lulled into a false sense of security because nothing happened on April 1.</p>
<p>What&#8217;s perhaps even more alarming is that there are copycats out there. The Neeris worm, which has been around for a while, has been updated to target the same MS08-067 Microsoft flaw that Conficker took advantage of. Like Conficker, Neeris downloads a copy of the worm onto the victim&#8217;s machine via HTTP, and then patches the system&#8217;s TCP/IP layer. Also like Conficker, Neeris spreads via the autorun function, and it adds an &#8220;Open folder to view files&#8221; Autoplay option.</p>
<p><span id="more-719"></span>A recent <a target="_blank" href="http://blogs.technet.com/mmpc/archive/2009/04/03/a-new-exploit-of-ms08-067-has-been-identified.aspx">blog entry by two Microsoft researchers</a> noted that the Neeris variant spiked between March 31 and April 1, coinciding with the Conficker date everyone was so worried about. However, the researchers note that there is no evidence that the Neeris variant is related to Conficker other than being a copycat. The researchers speculate that the perpetrators of both exploits may collaborate with each other, and that Conficker may actually have been designed based on the original Neeris worm design.</p>
<p>Neeris is an IRC bot, originally spread through MSN Messenger. More recently, additional methods of replication have been added, and the latest variant can also spread via removable drives, SQL servers with weak passwords, exploitation of MS06-040, and now exploitation of the same MS08-067 flaw that Conficker targeted.</p>
<p>The same proactive measures that are taken to prevent attack by Conficker can be taken to prevent attack by Neeris: install the MS08-067 patch, use AutoPlay carefully and only with familiar applications, and disable Autorun completely.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/04/conficker-copycats-starting-to-appear/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is the Conficker April Fool&#8217;s Update Just Hype?</title>
		<link>http://www.theemailadmin.com/2009/03/is-the-conficker-april-fools-update-just-hype/</link>
		<comments>http://www.theemailadmin.com/2009/03/is-the-conficker-april-fools-update-just-hype/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 12:49:14 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=656</guid>
<description><![CDATA[A PCWorld blog entry calls out the FUD concerning the Conficker worm and the upcoming April 1 threat, saying that it is &#8220;likely hype.&#8221; The article quotes a security researcher who says &#8220;there will be no April 1st outbreak,&#8221; explaining that the concern revolves around a new variant of Conficker that will become active on [...]
]]></description>
			<content:encoded><![CDATA[
<p>A <a target="_blank" href="http://www.pcworld.com/article/162102/april_fools_conficker_threat_is_likely_hype.html">PCWorld blog entry</a> calls out the FUD concerning the Conficker worm and the upcoming April 1 threat, saying that it is &#8220;likely hype.&#8221;</p>
<p>The article quotes a security researcher who says &#8220;there will be no April 1st outbreak,&#8221; explaining that the concern revolves around a new variant of Conficker that will become active on April 1st. The researcher is correct in saying that for those who are not yet infected, nothing will happen, and if you are, the worm will update itself. But here&#8217;s where it gets a little fuzzy. The researcher says that although it is possible that the update could contain some dramatically dangerous or destructive instructions, it&#8217;s &#8220;unlikely.&#8221;</p>
<p>Let&#8217;s not forget though, the main watchwords of security professionals:</p>
<p>1. Trust no one.<br />
2. You are not paranoid. Everybody really is out to get you.<br />
3. Always protect against the unlikely.</p>
<p>Yes, it is true that there is a lot of hype about Conficker&#8217;s April Fool&#8217;s update. I even saw a report on it on Fox News. But is it just FUD? Sure, the update may not be destructive, in the sense that it&#8217;s unlikely that it would do something like wipe out your hard drive. The disseminators of Conficker have something more financially rewarding in mind. We don&#8217;t know what that is yet, and that&#8217;s the point. We need more FUD and hype about this thing to make sure everybody is aware of it&#8211;so don&#8217;t get lulled into a false sense of security by anyone claiming it to be &#8220;likely hype.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/is-the-conficker-april-fools-update-just-hype/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Royal Navy Email Outage due to Virus</title>
		<link>http://www.theemailadmin.com/2009/02/royal-navy-email-outage-due-to-virus/</link>
		<comments>http://www.theemailadmin.com/2009/02/royal-navy-email-outage-due-to-virus/#comments</comments>
		<pubDate>Mon, 02 Feb 2009 13:37:13 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=301</guid>
<description><![CDATA[A computer virus has disrupted communications within a major network of military importance. This time the victim was the Royal Navy. It was confirmed just over a week ago that the communications network &#8211; email and web servers included &#8211; aboard some of the Royal Navy&#8217;s warships was disrupted because of a virus. [...]
]]></description>
			<content:encoded><![CDATA[
<p>A computer virus has disrupted communications within a major network of military importance. This time the victim was the Royal Navy. It was confirmed just over a week ago that the communications network &#8211; email and web servers included &#8211; aboard some of the Royal Navy&#8217;s warships was disrupted because of a virus.</p>
<p>The Ministry of Defence said that &#8220;a small number&#8221; of MoD systems had been affected by the disruption caused by the computer virus. There were reports that the virus had affected up to seventy-five percent of the Royal Navy&#8217;s fleet.</p>
<p>The MoD said that no classified or personal data had been compromised, that the virus had been contained, and insisted that weapons and navigational systems had not been affected.</p>
<p>It was reported that the infected Navy computers were part of the NavyStar system. These computers are designed, built and supplied by Fujitsu. Fujitsu designed and built the PCs using normal commercial components but packaged them in a smaller, more ruggedized form for the rough weather conditions encountered by the Royal Navy.</p>
<p><span id="more-301"></span></p>
<p>The PCs are used for purposes such as storekeeping, email and similar support functions. NavyStar ship nets connect to wider networks by shore connection when ships are docked and use satellite communications when at sea. They are designed to meet strict emissions certification to avoid interference with other systems.</p>
<p>The HMS &#8220;Ark Royal&#8221; carrier was one of the warships reported to have suffered an outage caused by the virus infection. A major impact was the loss of email service.</p>
<p>An MoD spokesperson released the following statement:</p>
<p>“Since 6 Jan &#8217;09 the performance of the MOD IT systems in a number of areas was affected by a virus. Immediate action was taken to isolate the problem to stop the virus from spreading. This meant that some people were without regular IT access (i.e. email, internet). There have been no infections detected on any networks with sensitive information.”</p>
<p>“A solution to prevent re-infection has been tested and implemented. The majority of systems are working normally. This is an ongoing process which we are working urgently on so for those people who are still offline normal business will resume as quickly as possible.”</p>
<p>No details were given about the specific virus, transmission methods, or countermeasures taken to clean up the infected systems and protect them from further infection.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/02/royal-navy-email-outage-due-to-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>