There are times, when working long hours on our KNOS Operating System, that I question my sanity in doing what I now do instead of hunting viruses for a living as I did for so many years.
Frankly, I've gotten so used to not even having to think about malware any longer using our own "dog food" that I often forget these days what serious panic ensues with the flood of malware out there. And though I write about "Anonymous" and the lulzers often here, I'm fortunate to not even have to give them much of a thought in my own realm or that of my customers.
This past Friday, word emerged about "Anonymous getting hacked" and I have to admit, I chuckled a bit over it. Word broke out over the weekend that Symantec had put out a press release claiming that "Anonymous had gotten pwned by Zeus" and it didn't surprise me at all.
My impression of the almighty "Anonymous" has always been that the group consists of a handful of seriously talented coders and a cast of thousands of morons, and so word that our "friends" at the Russian Business Network had once again scored on a trending thing by linking to malware only to have useful idiots grab some really didn't surprise me at all.
This time, according to Symantec, some fake tweets were sent out - allegedly from "anonymous" - claiming that people should download and join in attacks using the current tool of DDoS choice known as "slowloris" (I've written about this before) to attack sites over the FBI's Mega Upload raid.
The only problem is that the Twitter account "YourAnonNews" insisted that it's bogus, "AnonOps" has had nothing to say about it at all, and "anonymousirc" only put up a warning urging idiots to be careful what and where they download. Reality is that the "faithful to the cause" downloaded their tools last year and only the "noobs" would be out there hunting for their first copies, and about the only booty RBN might hope to claim is their school lunch money.
So reluctantly, I looked into all this silliness after spotting an article written by Paul Wallis over at Digital Journal (Thanks for the tip, Taylor!) who broke from the laughter over the kids getting pwned to pen an article in which he makes a convincing case at first glance that Symantec was up to no good, and that possibly Symantec was making up the whole story for their own purposes.
Naturally, since I'm known here at the Island as being a bigger enemy of Symantec recently than Anonymous, I just *had* to follow up on his charges. And so, the turd hunt began in earnest.
What raised my suspicion was that in Symantec's article, they pointed to a site called "multiupload.nl" where the trojan resided which was interesting to say the least since "Multiupload" was shuttered several weeks ago and has been unreachable ever since.
Certainly a file hosted there couldn't be any risk. And the pastebin upload which directed users to the shuttered site bore none of the usual fingerprints of the "anonops" crowd either. It was poorly done copypasta.
The two coincidences smelled mighty funny since my experience in antimalware revolves around getting to know the malware crowd's mindsets and behaviors in order to anticipate their next move before they release.
The *real* slowloris.exe for Windows is compact, written in C, and works out to about 58k in size. This one stood out like a lighthouse in the middle of the Pacific and was uncharacteristically large. Certainly not the kind of code RBN would release either, since they too are masters of small, tight, well-packed code.
It just didn't add up and I was growing more and more suspicious of Symantec's press release with each stab at Google in an endless search for a sample to examine.
Despite being busy trying to get our KNOS 9 Release Candidate out the door for our testers, I pressed on and finally found a pastebin with links to other sites that were still available and which contained a slowloris.exe file fitting Symantec's description. I proceeded to download a copy of the file in question from a mirror site that was still up tonight. Looks like Symantec wasn't fibbing after all. Snagged it!
Fired it up in KNOS, nothing. Turns out that unlike actual RBN product, this one was written in Visual Basic 6. (LOL WUT?) ... clearly amateur hour in this file, although it contained an encrypted payload and, good old MSVB, had all the internals necessary to feed it to Win7 and all other versions.
Could be Zeus? Smelled highly suspicious. Tried all sorts of gyrations in KNOS with Wine, patched files, every trick that normally made Windows code wake up and run ... nothing. Just wouldn't work.
So in a final act of desperation, since I just couldn't make it start up so I could suspend it and have a look in memory at what it really was, I gave up and submitted the file to Virustotal. Got results back quickly since this was a file they had seen before.
So for all of Symantec's pressers, the bad news is that only 31 of 43 AVs detect it at all. The GOOD news is that Symantec does detect "Zeus" ... as "Trojan.Gen."
So beware of gods carrying hammers ... it's "Lores" (cryptic AV name so as to not "glorify the author", otherwise known as slowloris) to most of the other AVs, though apparently Symantec thinks it's "Zeus." No rootkit, no banking, just a stupid old bot or downloader or something, according to everyone other than Symantec.
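The static checks used above (the size of the fake versus the roughly 58k genuine C build, the Visual Basic 6 runtime giveaway, and the mixed vendor naming in the scan results) can be turned into a small triage script. This is an added example, not code from the post or from KNOS; the sample bytes and vendor verdicts are constructed stand-ins, and the VB6 check is a plain string scan for the runtime DLL name rather than a proper import-table parse.

```python
"""Cheap static triage heuristics modelled on the checks described in the post.
Everything below is constructed example data, not the real file or real scan results."""
import hashlib
from collections import Counter

EXPECTED_SIZE = 58 * 1024      # size of the genuine C-built slowloris.exe, per the post
VB6_RUNTIME = b"MSVBVM60.DLL"  # runtime library that every VB6 executable imports


def triage_sample(data: bytes, expected_size: int = EXPECTED_SIZE) -> dict:
    """Return simple static indicators for a sample before any dynamic analysis."""
    size_ratio = len(data) / expected_size
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # handy for a hash lookup before uploading
        "is_pe": data[:2] == b"MZ",                   # DOS header magic only; not a full PE parse
        "size_bytes": len(data),
        "size_ratio": round(size_ratio, 1),
        "oversized": size_ratio > 2.0,                # more than double the real tool is suspect
        "vb6_runtime": VB6_RUNTIME in data.upper(),   # crude heuristic: string scan, case-folded
    }


def summarize_detections(results: dict) -> dict:
    """results maps vendor -> detection name, or None when the vendor missed it."""
    names = [name for name in results.values() if name]
    return {
        "detected": len(names),
        "total": len(results),
        "labels": dict(Counter(names)),               # shows how little vendors agree on a name
        "generic_only": [v for v, n in results.items() if n and "Gen" in n],
    }


# Constructed stand-in for the oversized VB6 build: fake MZ header, padding,
# the runtime import string, and filler making it about 3x the genuine size.
FAKE_SAMPLE = b"MZ" + b"\x00" * 2000 + b"msvbvm60.dll" + b"\x90" * (3 * EXPECTED_SIZE)

# Constructed vendor verdicts illustrating the naming split the post describes.
FAKE_VERDICTS = {
    "VendorA": "Trojan.Gen",
    "VendorB": "Trojan.Lores",
    "VendorC": "Lores.A",
    "VendorD": None,
    "VendorE": "Trojan.Lores",
}

if __name__ == "__main__":
    print(triage_sample(FAKE_SAMPLE))
    print(summarize_detections(FAKE_VERDICTS))
```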
Ah well ... at least they detect it. And my compliments to Symantec's marketing department for giving it a name that their analysts didn't have time for. Boy am I glad I don't have to worry about this stuff running KNOS.
About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.