Something smells fishy

2007-12-01

Peter Ferrie

Symantec, USA
Editor: Helen Martin

Abstract

The author of MSIL/Yakizake claimed that ‘very few implementations of multi-platform malware exist up until now'. Peter Ferrie lists a dozen multi-platform viruses and explains why Yakizake does not qualify for the category.


Introduction

Multi-platform malware is nothing new. In 1999 we saw the W32/W97M infector Coke and W32/HLP infectors SK and Babylonia. In 2000 we saw W32/HLP infectors Dream and Pluma; in 2001 we saw W32/Linux infector Peelf, followed by Simile in 2002 and Bi in 2006. In 2003 and 2004 we saw W32/W64 infectors MSIL/Impanate and Chiton. Three new multi-platform scripting viruses were seen in 2005 (see VB, November 2005, p.4) – and of course, there was the Morris worm in 1988.

These points are apparently lost on Paul Sebastian Ziegler, the author of MSIL/Yakizake. The virus author wanted to call his virus ‘Akikaze’ (Japanese for ‘Autumn wind’), but I went with the Japanese word for grilled salmon. The virus author claims that ‘very few implementations of multi-platform malware exist up until now’ (despite the dozen that I’ve just listed), so he went ahead and wrote a ‘multi-platform’ virus and presented it at the DEFCON 15 conference.

Multi-what?

It’s unclear why Mr Ziegler thinks that his virus is multi-platform, because the platform is the environment in which the application runs. It’s not the CPU on which it is running, because it needs to interact with other hardware to survive. It’s not the operating system, either, if the environment is a virtual machine of some kind, or the virus exists outside of the operating system itself (for example, a boot sector virus).

In this case, the virus runs on a particular platform that has multiple implementations – which include Microsoft .NET Framework, Novell Mono, and DotGNU Portable.NET. The platform is a hardware-independent virtual machine. The platform has been ported to several CPU architectures, but since it’s hardware-independent, the applications running inside it can’t see the CPU anyway. So it’s really just the one platform. The virus is aware of the operating system, but that’s irrelevant. It’s still just the one platform.

There can be exceptions, of course, such as MSIL/Impanate (see VB, November 2004, p.6). Impanate is a file infector that understands both the 32-bit and 64-bit MSIL file formats. It’s a MSIL virus, so it’s not multi-platform, but it is multi-platform-aware. Yakizake is neither of these things.

The virus

The virus begins by looking for the Thunderbird address book. There is code to deal with Unix systems, Macintosh systems, and Windows systems, however due to a bug, only the Unix and Windows code works. The bug is that the code to check for the Macintosh system is identical to the code to check for all other Unix systems. As a result, the Macintosh code can never be reached. This means that the virus cannot replicate from Macintosh systems.

In the case of Windows systems, the virus will attempt to terminate all instances of the Thunderbird executable, in order to gain control over the address book.

The virus creates a list of all addresses that it can find. The first version of the virus accepts addresses in ‘*@*.*’ format, where ‘*’ can be any character. The second version of the virus restricts this to one or more case-insensitive alphanumeric characters before and after the ‘@’, and no longer checks for the ‘.’ character.

The virus also looks inside ‘prefs.js’ for the SMTP server information, and inside ‘signons.txt’ for the SMTP server password.

The virus creates different email messages, depending on certain characteristics. If the virus is sending from a German system to a German user, the subject will be ‘Programmierung’ and the message will be in German (an almost exact translation of the English message), otherwise the subject will be ‘Programming’ and the message will be in English. The virus chooses an ‘advanced’ message body if it is running on a Unix system, and the string ‘/gcc’ exists in %path% or if it is running on a non-Unix system, and ‘Visual Studio’ exists in the %ProgramFiles% directory.

The ‘advanced’ message body is:

Hi,

I wrote this program using a new approach. Please tell me what you think
of it.

The ‘average’ message body is:

Hi,

I have recently started to try out programming!

This is one of my first programms. What do you think of it?

On Unix systems, both messages continue with:

If the programm should not work instantly on your non-windows-system you
probably need to execute it using mono. (mono-project.com)

After constructing the message, the virus sends it to each recipient in turn, using the host SMTP server and credentials, with the virus executable as an attachment. When the mailing is finished, the virus exits. There is no payload.

Dumb and dumber

To create a virus because one did not exist before is just dumb. To incorrectly call it multi-platform is even dumber.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.