Subject: Finjan Software - Microsoft Hack Aftermath
Date: Wed, 08 Nov 2000 19:44:22 +0000

-----------------------------------------
Microsoft Hacker Incident - Looking Back
-----------------------------------------

WHY YOU SHOULD KNOW ABOUT COMPRESSORS

Companies can indeed learn from the recent Microsoft hacker incident, but not from reading much of the press coverage. Most of the press and industry have questioned Microsoft on its security practices and mentioned that Microsoft's anti-virus software would have detected the QAZ Trojan had it been kept up to date. Their advice to other companies was to "update your anti-virus software."

This is the traditional advice, but it is terribly misleading and gives companies a false sense of security, because it implies that once a company updates its anti-virus scanner it can rest at ease from known Trojans. The media has completely missed the point that it is trivial to pass known Trojans through anti-virus software using compression tools (or "packers"). We would be shocked if the hacker who sent the QAZ Trojan to Microsoft had NOT compressed (or uncompressed) the file to change its signature, thus creating a new "variant". Every decent hacker has several compressors in their arsenal for this very purpose.

Unlike the WinZip utility, these Win32 packers PERMANENTLY compress executable files by up to 50% -- and those programs run at that size -- they do NOT uncompress to run. Once compressed, any known Trojan will pass undetected through anti-virus software -- EVERY time. (Hackers know this well and scoff at anti-virus security.) Unfortunately, most companies are completely unaware that this is even possible.

The original QAZ Trojan was compressed using UPX; the source is readily available for download on many hacking sites. It is most likely that the Russian hackers simply uncompressed QAZ and recompressed it with another "packer".
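The practical consequence of the paragraphs above is that a signature scanner matches the bytes of the file as stored on disk, and a packer rewrites exactly those bytes. What a packer cannot easily hide is the shape of the result: the section names it leaves behind, an executable section that is empty on disk but large in memory (where the stub inflates the original code), near-random (high-entropy) executable sections, and sections that are both writable and executable. The following is an added example, not Finjan's code and not taken from the original post, of those structural checks. The two sample PE images are constructed in memory by build_pe() and are not real programs; the packer section-name list and the 7.0 bits/byte entropy threshold are this example's assumptions, while "UPX0"/"UPX1" are UPX's well-known default section names.

```python
"""Structural indicators of a packed Win32 executable (added example, not Finjan's code).

Both sample images are constructed by build_pe() and contain no real program or
malware. The packer section-name list and the entropy threshold are assumptions.
"""
import math
import random
import struct
from collections import Counter

# Assumption: a short, illustrative list of section names left behind by common packers.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}

# IMAGE_SECTION_HEADER.Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk the PE section table; yield (name, virtual_size, raw_size, characteristics, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional                   # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name, vsize, rsize, chars, image[rptr:rptr + rsize]


def packing_indicators(image: bytes) -> list:
    """Return the reasons the file looks packed; an empty list means none were found."""
    reasons = []
    for name, vsize, rsize, chars, raw in parse_sections(image):
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"{name!r}: section name matches a known packer")
        # The unpacking stub inflates the original code into a section that is empty on disk.
        if executable and rsize == 0 and vsize > 0:
            reasons.append(f"{name!r}: executable, 0 bytes on disk, {vsize:#x} bytes in memory")
        # Compressed data is close to random; ordinary x86 code sits well below 7 bits/byte.
        entropy = shannon_entropy(raw)
        if executable and raw and entropy > 7.0:
            reasons.append(f"{name!r}: executable section with entropy {entropy:.2f}")
        # A stub that rewrites code in place needs a section that is writable and executable.
        if executable and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"{name!r}: section is both writable and executable")
    return reasons


def is_probably_packed(image: bytes) -> bool:
    return bool(packing_indicators(image))


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from (name, virtual_size, characteristics, raw_bytes).
    Only the fields the parser reads are meaningful; the optional header is zero apart
    from its magic, so the image is for analysis only and would not load as a program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 magic, rest zero
    header_len = len(dos) + 4 + len(coff) + len(optional) + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF                            # raw data on a 512-byte boundary
    table, raw, vaddr = b"", b"", 0x1000
    for name, vsize, chars, data in sections:
        ptr = raw_ptr + len(raw) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr,
                             len(data), ptr, 0, 0, 0, 0, chars)
        raw += data
        vaddr += (max(vsize, len(data)) + 0xFFF) & ~0xFFF              # next section on a page boundary
    image = dos + b"PE\0\0" + coff + optional + table
    return image + b"\0" * (raw_ptr - len(image)) + raw


_rng = random.Random(2000)                                             # fixed seed: deterministic samples

def _code_like(n: int) -> bytes:
    """Low-entropy filler drawn from a few common x86 opcode bytes (constructed)."""
    return bytes(_rng.choice(b"\x55\x8b\xec\x83\xc4\x00\x00\x00\xff\x15\xe8\xc3\x90") for _ in range(n))

def _compressed_like(n: int) -> bytes:
    """Near-random filler standing in for compressed code (constructed)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

# Constructed "ordinary" image: a normal code section and read-only data.
UNPACKED_IMAGE = build_pe([
    (".text",  0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, _code_like(0x2000)),
    (".rdata", 0x400,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"Hello, world\0" * 50),
])

# Constructed image laid out the way a UPX-style packer leaves a file.
PACKED_IMAGE = build_pe([
    ("UPX0",  0x8000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b""),
    ("UPX1",  0x3000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, _compressed_like(0x1000)),
    (".rsrc", 0x200,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 0x200),
])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, "->", packing_indicators(img) or ["no packing indicators"])
```

Run against the constructed images, the ordinary one produces no indicators while the UPX-style one is flagged on every check. None of these heuristics depends on the file's hash or on a byte signature, which is why they survive the repacking the post describes; the trade-off is that legitimate installers and protected software are packed too, so this is a triage signal for closer inspection, not a verdict on its own.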
These techniques were used to create the popular PrettyPark and MiniZip worms during the past year. Uncompressing programs and/or re-compressing them with different packer tools is an easy and common way to create a new variant. Here is the link on Finjan's web site that discusses compression tools: www.finjan.com/av.cfm

In addition, to learn more about the use of compressors, below is evidence of the common use of compression tools in the wild. Every hacker knows about these tools; we thought you should too.

A few notable worms and Trojans that were compressed:

1) ExploreZip (June 99), compressed in December 99 into the MiniZip I, II and III worms.
   Finjan press release on the MiniZip worm and compression tools:
   http://www.finjan.com/press_release_detail.cfm?press_release_id=49
   "MiniZip worm highlights weak anti-virus defenses" -- Computerworld, 12/99:
   http://www.computerworld.com/cwi/story/0,1199,NAV47_STO43251,00.html

2) PrettyPark worm and its 10+ variants, using the UPX and ProcDump compression/decompression tools:
   http://www.finjan.com/attack_release_detail.cfm?attack_release_id=30

3) The popular SubSeven Trojan backdoor tool is distributed in an "unpacked form" so hackers can compress it themselves. The authors include compression tips with the download:

   "INSTRUCTIONS FOR COMPRESSING SUBSEVEN (these come included w/the server)
   SubSeven server version 2.1.3 M.U.I.E. -- *unpacked* --
   ok, since a lot of av's are gonna pick up this version pretty soon, i decided to release the unpacked version of the server, so you guys can easily pack it with an exe packer and have your own custom version. so, here's how to do it:
   first of all, let me explain something. all the settings in EditServer are appended at the end of server.exe. when ran, the server will look for it. if it can't find it, then it _won't_ work. so you can't just pack the server with an exe-packer, you're gonna have to add that info at the end. here's how to do it step-by-step:
   1.first, find an exe-packer on the net. there are a _lot_ of them out there.
   2.then, use the exe-packer on the server.
   3.then, open up EditServer with the command: "EditServer.exe /noread". set all the options in there, and at the end click "update server with the new settings". after that, you can use the server as the original.
   *note: if you wanna be able to change the icon of the server, then don't pack the _resources_. all exe-packers should have an option to compress or not the resources. of course, that'll result in a bigger server. it's up to you.
   well, that's it. if you have no idea what i'm talking about here, then don't try anything with it. use the original server. don't e-mail me about it, i _won't_ help you.
   use an exe packer that is _less_ known. the less known it is, the less people will use it to pack the server. which means more time for the av's to catch it."

4) Compression tools on popular hacking sites:
   www.megasecurity.org/~masterrat/Packers.html
   www.suddendischarge.com/Compressors.html

5) Binder tools available on a popular hacking site:
   http://www.megasecurity.org/~masterrat/Binders.html

As for other "famous" worms: with ILOVEYOU, no compression tools were used to create new variants. It was a script file, so simply changing the name and a few lines of script was enough to change its "signature" -- a very trivial task (ILOVEYOU was only about one page of script). Likewise, Melissa was an MS Word macro virus and cannot be "compressed" using Win32 compressors. Macros are essentially scripts, so it was very easy to create new variants of Melissa too by editing the macro script.

Finjan Software
http://www.finjan.com