A PERSPECTIVE OF THE

MIDDLE EASTERN MALWARE

LANDSCAPE
Tareq Saade
Microsoft Security Research & Response
Hack In The Box ‘07
 Intro
2

 Tareq Saade
 Program Manager
Microsoft Security Research & Response
 Design tools & technologies for malware analysis &
response
 Member of the Windows Defender product group
 Recreational Malware Reverse Engineer
 ParticularlyIRC-related threats
 Involved with various informal groups & task forces

 tareq.saade@microsoft.com
 Agenda
3

 The scene
 Agenda, terminology, background
 The cast
 Technologies
 The back story
 How data is collected
 The data
 Telemetry & analysis
 The Finale
 Conclusion + Q&A
 Terms & Technologies
4

 Gulf Cooperation Community (GCC)

 Saudi Arabia, UAE, Kuwait, Qatar, Bahrain & Oman
 Geographic ID (GeoID)
 OS regional identifier defined by customers
 Locale ID (LocID)
 OS language locale
 Useful for highly targeted data sets
 Most people run US-EN
 Microsoft Windows Malicious Software Removal Tool (MSRT/MRT)
 Microsoft SpyNet
 The Windows Defender component responsible for collecting telemetry
 ‘Removals’
 Removals are reports sent back by clients indicating that a particular threat or piece of
unwanted software has been removed from the system
 This is not the same as a ‘detection’, which indicates the presence of said software
 Malware Spectrum
5

Harmless

Potentially
Unwanted
Adware, spyware, monitoring software,
remote control software

Malicious
Viruses, worms, trojans, rootkits, bots
 Malware Spectrum (cont.)
6

Harmless

• Windows Live • Windows

Potentially
OneCare Defender
Unwanted

• Microsoft
Forefront Client
Security

• Windows Live
OneCare safety
scanner
• Windows Malicious
Malicious Software Removal
Tool
 Products & Technologies
7

Product Name Main Customer Malicious Software Spyware and Available at Main
Segment Potentially Unwanted No Distribution
Software Additional Methods
Charge
Consumers Businesses Scan Real-Time Scan Real-Time
and Protection and Protection
Remove Remove
Windows Partial WU / AU,
Malicious
• • Download
Software Center
Removal Tool

Windows Download
Defender
• • • • Center

Windows Live Web

OneCare Safety
• • • •
Scanner

Windows Live Web / store

OneCare
• • • • • purchase

Microsoft Web / store

ForeFront Client
• • • • • purchase
Security
 Windows Defender
8
 Windows Defender
Reporting
9

 Reports are sent when:

 An unknown file triggers some ‘suspicious’ trigger such
as writing itself to a system startup location
 A known bad file is detected on disk

 A known bad file is detected in memory

 Two member tiers

 Basic

 Advanced

 (and ‘off’)
 Malicious Software Removal Tool
10
 Malicious Software Removal Tool
Reporting
11

 Reports are sent when:

A threat is detected
 A threat is removed
 MRT Usage
12

 Deployed monthly via Windows Update /

Automatic Updates since January 2005
 Available in 24 languages
 5+ billion executions, 300 million unique computers
 Detection for 80+ malware families, 135k+
different variants
 Mostly targets client / consumer threats
 300+ million downloads per month
 Telemetry Collection Summary
13

 All telemetry reporting requires some for of user

opt-in
 Read the EULA/Privacy Policy
 Data used strictly by analysts to help make
determinations about software
 Global outbreak? Localized outbreak?
 ‘Controlling Communication with the Internet’ for
Vista & XP SP2
 Anti-Malware Lifecycle
14

Malware
Collection

Telemetry Analysis and

Collection Signature
Creation

Signature
Testing and
Deployment
 SpyNet Spyware Telemetry
15
 Windows Defender
Top Removals – January 2007
16

Worldwide GCC

Zlob Zlob
NewDotNet Starware
Renos WhenU.SaveNow
ZangoSearchAssistant NewDotNet
ClickSpring.PuritySCAN ZangoSearchAssistant
CometSystems BearShare
WhenU.SaveNow KaZaA
Starware Hotbar
Hotbar C2.Lop
TVMediaDisplay CometSystems
 Windows Defender
Removals – January 2007
17

SpyNet 01/07 Common Sample

GCC / Worldwide
25

20

15

10 Worldwide
GCC

*Based on reports
 Windows Defender
GCC Top 11 (Reports) – Nov’06-Feb’07
18

GCC Worldwide
Ignore Quarantine Remove Ignore Quarantine Remove
Zlob 25.55% 1.03% 73.42% 22.98% 0.73% 76.29%
NewDotNet 33.38% 1.54% 65.08% 22.83% 2.45% 74.70%
WhenU.SaveNow 44.90% 10.80% 44.30% 46.19% 12.33% 41.47%
Starware 61.25% 12.40% 26.36% 64.60% 11.50% 23.88%
180Solutions.Zango.SearchAssistant 56.79% 6.41% 36.80% 57.12% 10.91% 31.95%
BearShare 83.72% 5.77% 10.51% 82.53% 6.87% 10.60%
KaZaA 47.25% 6.91% 45.83% 41.17% 15.90% 42.88%
RealVNC 81.70% 3.72% 14.57% 88.62% 2.55% 8.82%
C2.Lop 22.98% 0.84% 76.17% 15.77% 4.19% 80.01%
Altnet 58.02% 8.45% 33.53% 44.98% 17.24% 37.76%
CnsMin 94.10% 0.17% 5.73% 37.40% 1.64% 60.96%

*Based on reports
 MSRT Telemetry
19
 MSRT Top10 Removals
(Nov’06-Feb’07)
20

Worldwide Arabic Locale

Brontok* Brontok*
Zlob Wukill*
Jeefo Jeefo
Rbot Mywife*
Parite Parite
Hupigon Zlob
Wukill* Rbot
Banker Tibs*
Alcan Gael
Tibs* Sinowal
 MSRT: Top Threats
All Arabic Locales
21

14%

12%

10% Win32/Wukill
Win32/Jeefo
Win32/Mywife
8%
Win32/Parite
Win32/Zlob

6% Win32/Rbot
Win32/Tibs
Win32/Gael
4% Win32/Sinowal
win32/sdbot

2%

0%
Nov Dec Jan Feb
 MSRT: Top Threats
All Arabic Locales
22

70%

60%

Win32/Brontok
50%
Win32/Wukill
Win32/Jeefo
40% Win32/Mywife
Win32/Parite
Win32/Zlob
30% Win32/Rbot
Win32/Tibs
Win32/Gael
20%
Win32/Sinowal
win32/sdbot
10%

0%
Nov Dec Jan Feb
 MSRT Top Threats
Arabic/Global Comparison
23

Rbot
2%
Tibs
Zlob 1%
Parite 2% Other
3% Brontok
4% 13%
Mywife Other
4% 22%

Zlob
11%
Jeefo
10% Tibs
3%
Alcan
4% Jeefo
11%
Brontok Banker
Wukill 61% 4%
13%
Wukill
6% Rbot
Hupigon 10%
7% Parite
9%

Top Threats (Ar) Top Threats (Global)

11/06-2/07 11/06-2/07
 MSRT: Top Threats (Ar)
24

Zlob Rbot Tibs Parite

4% 2% 1% Gael 3%
Other 0% Mywife Other
Mywife Zlob
8% Other 5% 9%
5% Parite 2%
3% 4%
Jeefo
Jeefo
9%
10%
Brontok Mywife Wukill Brontok
61% 4% 13% 60%
Win32
/Wukill
13%
Jeefo
11/06 10% 1/07

PariteOther
Parite 2% 7%
4% Mywife
Other Brontok 4%
Mywife 11% Wukill 61%
4% 13% Jeefo
9%
Jeefo
10% Wukill
Brontok 12%
Brontok
Wukill 59%
66%
12%

Top Threats (Ar)

11/06-2/07 2/07
12/06
 What is Win32/Brontok?
25

 Mass mailing worm

 Indonesian e-mail
 Includes an attachment containing malware
 People still open random attachments?!?!?!?
 Carries out ping flood against several websites
 Exploit vs. Social Engineering
Overview
26

Exploit: Win32/Sasser.B Social Engineering: Win32/Netsky.P

 Discovered  Discovered
 May 1, 2004  March 21, 2004
 Exploited vulnerability  Multi-vector social
present in Windows engineering
2000, Windows XP  E-mail
 Peer-to-peer

 450,000 disinfections in  <450,000 disinfections in

first 7 days first 7 days
 What is Zotob?
27

 IRC Bot
 Bot herders based in Turkey & Morocco
 Exploits MS05-039 (PnP Vuln)
 Aug 9 - Microsoft Advisory
 Aug 13 – Zotob first detected
 Aug 26 – Moroccan and Turkish police make arrests
 Mitigation
It’s not all bad news…
28

350,000,000
Monthly MSRT Executions

300,000,000

250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0

Month
 Mitigation (cont.)
It’s not all bad news…
29

 Microsoft
 Security engineering
 Automatic updates
 ISA Firewall
 Data Execute Prevention (DEP)
 Stack protection
 System / service hardening
 Anti-malware tools & technologies
 Security ISVs
 Intrusion prevention / detection
 Enhanced antimalware response times
 User education
 Usage of security products
 Accelerated patch adoption
 Conclusions
30

 Global aggregates generalize into virtually all locales with

sufficient data
 Dynamics of individual threats varies depending on the threat itself
 Targeted threats exist (ex. Brontok)
 More granularly targeted threats exist (ex. Antinny)
 Even more granularly targeted threats are perceivable (ex. ‘spear
phishing’ applied to malware propagation)

 Education & awareness are key components to online safety

 Particularly in countries with developing internet infrastructure
 Anti-malware scanners are an absolute necessity in today's
networked environment
 Q&A
31
 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Tareq Saade
Microsoft Security Research & Response
Hack In The Box ‘07
 Reference
33
 Resources
34

 Microsoft Malware Removal Tool (MRT)

http://www.microsoft.com/security/malwareremove/default.mspx
 Windows Defender
http://www.microsoft.com/athome/security/spyware/software/def
ault.mspx
 Windows Live Safety Scanner
http://onecare.live.com/scan
 Microsoft Forefront Client Security
http://www.microsoft.com/forefront/clientsecurity/default.mspx
 Windows Live OneCare
http://onecare.live.com
 Anti-Malware Engineering Team Blog
http://blogs.technet.com/antimalware/
 Papers
35

 Using Windows Vista or Using Windows XP with Service Pack 2: Controlling Communication with the Internet
http://www.microsoft.com/downloads/details.aspx?FamilyID=e6a35441-918f-4022-b973-e7fc0d1d2917&DisplayLang=en
 Defeating Polymorphism: Beyond Emulation
http://go.microsoft.com/fwlink/?LinkId=57019
 Win32/Blaster: A Case Study From Microsoft's Perspective
http://go.microsoft.com/fwlink/?LinkId=57018
 Behavioral Classification
http://www.microsoft.com/downloads/details.aspx?FamilyID=7b5d8cc8-b336-4091-abb5-2cc500a6c41a&DisplayLang=en
 Windows Malicious Software Removal Tool: Progress Made, Trends Observed
http://go.microsoft.com/fwlink/?linkid=67998
 Microsoft Security Intelligence Report (H106)
http://www.microsoft.com/downloads/details.aspx?FamilyID=1c443104-5b3f-4c3a-868e-36a553fe2a02&DisplayLang=en
 I Know What You Did Last Logon
http://www.microsoft.com/downloads/details.aspx?FamilyID=0b6321d4-0e65-4133-85e7-44e666cc245a&displaylang=en
 Behavioral Modeling of Social Engineering-Based Malicious Software
http://www.microsoft.com/downloads/details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73&displaylang=en
 An Automated Virus Classification System
http://www.microsoft.com/downloads/details.aspx?FamilyId=D61708BD-EF96-4A53-A8F8-
8A1F00C79747&displaylang=en
 What is Win32/Antinny?
36

 Worm that spreads over the Winny p2p system

 Winny is a Japanese p2p client
 No localized builds of Winny
 Very localized threat
 Copies random files on an infected host into the Winny
shared folder
 Identified as a localized outbreak and integrated into MRT
 Lots of positive press over working with the Japanese
community to remove Antinny:
 http://www.microsoft.com/japan/presspass/detail.aspx?newsid=2434
 http://www.msnbc.msn.com/id/13283771/