Patches for Zero-Day Vulnerability ineffective?

[Larry Sabo]

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously downloaded
upon visiting hxxp://wwww.asus.com.tw/. The file (BMW3[1].pig) appears
in...

<username>\Local Settings\Temp\Temporary Internet
Files\Content.IE5\<folder>

....and the alert is that it contains EXPL_ANICMOO.GEN. Virustotal
reports...

Complete scanning result of "bmw3_1_.pig.vir", received in VirusTotal
at 04.05.2007, 03:53:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.5.0 04.04.2007
Win-Trojan/Exploit-ANI.B
AntiVir 7.3.1.48 04.04.2007 no virus found
Authentium 4.93.8 04.04.2007 no virus found
Avast 4.7.936.0 04.04.2007 no virus found
AVG 7.5.0.447 04.04.2007 Downloader.Small.58.AW
BitDefender 7.2 04.05.2007 Exploit.Win32.MS05-002.Gen
CAT-QuickHeal 9.00 04.04.2007 Exploit.MS05-002
ClamAV devel-20070312 04.05.2007 Exploit.CVE_2007_0038-2
DrWeb 4.33 04.04.2007 Exploit.ANIFile
eSafe 7.0.15.0 04.04.2007 no virus found
eTrust-Vet 30.7.3543 04.05.2007 Win32/MS07-017!exploit
Ewido 4.0 04.04.2007 no virus found
FileAdvisor 1 04.05.2007 no virus found
Fortinet 2.85.0.0 04.05.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 CVE-2004-1305
F-Secure 6.70.13030.0 04.05.2007 no virus found
Ikarus T3.1.1.3 04.04.2007 Exploit.Win32.IMG-ANI.i
Kaspersky 4.0.2.24 04.05.2007 no virus found
McAfee 5001 04.04.2007 no virus found
Microsoft 1.2405 04.05.2007 Exploit:Win32/Anicmoo.A
NOD32v2 2168 04.04.2007 a variant of
Win32/TrojanDownloader.Ani.Gen
Norman 5.80.02 04.04.2007 no virus found
Panda 9.0.0.4 04.05.2007 no virus found
Prevx1 V2 04.05.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 04.03.2007 Trojan-Exploit.Anicmoo.ax (v)
Symantec 10 04.05.2007 Trojan.Anicmoo
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.04.2007 no virus found
VirusBuster 4.3.7:9 04.04.2007 Exploit.ANIFile.G
Webwasher-Gateway 6.0.1 04.05.2007
Exploit.Win32.MS05-002.gen (suspicious)
Aditional Information
File size: 918 bytes
MD5: 2e07798a5a64634f511d0e275429cd6b
SHA1: 396f0d633267ea3a598a7a9a6ce5f5f824c5c9f3

I can delete the infected file without problem but the next visit to
the site puts it back.

The MS patch in KB925902 was installed but makes no difference in the
alert each time the Asus site is visited. I also subsequently
installed the eEYE temporary fix discussed in the article at
http://www.networkworld.com/news/2007/033007-eeye-publishes-fix-for-windows.html
but it, too, seems to make no difference. I added the site to the
Restricted Zone and when I visit the site now, the page loads but I
get an alert in IE7 that Active X has been turned off so the page
might not load correctly, and I don't get the Trend Micro alert.

My questions are:

1. Why does Kaspersky not detect this trojan in VirusTotal?
2. Why do the two patches seem not to work?
3. How can I determine...
a. if the system has been compromised
b. if/when the vulnerability has been properly patched
4. Why did the restricted zone addition allow the page to load at all
5. How would you recommend I deal with this threat?

My client is wondering if his system is owned and he should just
reformat and re-install.

Thanks for any suggestions you might offer.

Larry

 

[Virus Guy]

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously
downloaded upon visiting hxxp://wwww.asus.com.tw/. The file
(BMW3[1].pig) appears in...

There is (for the moment) only one webpage that I can find that is
serving up that file, and it is this:

(warning - do not attempt to download these files or follow these
links unless you know what you're doing)

hxxp://www. ok8vs.com/app/bmw3.pig

There is a reference in that file to this URL:

hxxp:\\www. yyc8.com/bm/bm3.exe

Here is a VT report on bm3.exe:

AhnLab-V3 no virus found
AntiVir TR/Crypt.XPACK.Gen
Authentium Possibly a new variant of W32/PWStealer.gen1
Avast Win32:Tibs-ADO
AVG Generic3.TII
BitDefender no virus found
CAT-QuickHeal (Suspicious) - DNAScan
ClamAV no virus found
DrWeb Trojan.PWS.Gamania
eSafe suspicious Trojan/Worm
eTrust-Vet Win32/NSAnti
Ewido no virus found
FileAdvisor no virus found
Fortinet PossibleThreat
F-Prot W32/PWStealer.gen1
F-Secure no virus found
Ikarus MalwareScope.Worm.Viking.3
Kaspersky no virus found
McAfee New Malware.bc
Microsoft no virus found
NOD32v2 no virus found
Norman Viking.gen2
Panda Trj/QQPass.XM
Prevx1 no virus found
Sophosno virus found
Sunbelt no virus found
Symantec Infostealer.Lineage
TheHacker no virus found
VBA32 3.11.3 Trojan-PSW.Win32.Nilage.ara
VirusBuster no virus found
Webwasher-Gateway Trojan.Crypt.XPACK.Gen

I don't see anyone linking to either page at this point, so it's not
clear how they entered general circulation...

 

[Virus Guy]

hxxp://www. ok8vs.com/app/bmw3.pig

There is a reference in that file to this URL:

hxxp:\\www. yyc8.com/bm/bm3.exe

A google search for bm3.exe comes back with this:

hxxp://tonnidj. bay.co.ua/

Which is a porn site, which pushes a file at you called "setup.exe" (I
haven't quite figured out the exact URL for that file). VT says this
about setup.exe:

AntiVir DR/Zlob.Gen
BitDefender Trojan.Downloader.Zlob.ZRF
eSafe suspicious Trojan/Worm
Fortinet suspicious
F-Secure Trojan-Downloader.Win32.Zlob.bre
Ikarus Trojan-Downloader.Win32.Zlob.bpg
Kaspersky Trojan-Downloader.Win32.Zlob.bre
McAfee New Malware.as
TheHacker Trojan/Downloader.Zlob.bpl
Webwasher-Gateway Trojan.Zlob.Gen

Everyone else detects nothing.

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously
downloaded upon visiting hxxp://wwww.asus.com.tw/. The file
(BMW3[1].pig) appears in...

There is (for the moment) only one webpage that I can find that is
serving up that file, and it is this:

asus.com.tw is serving that file via a few JavaScript-obfuscated redirects
that have been placed on the home page.
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFGFLwk7uRVdtPsXDkRAqJRAKCUmy5/LeJe82jAACePwiV2Gc5oWQCfT/Ox
hrAGHzBM7e4FwhG8xRJ1lsI=
=X6rh
-----END PGP SIGNATURE-----

 

[Larry Sabo]

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously downloaded
upon visiting hxxp://wwww.asus.com.tw/. The file (BMW3[1].pig) appears
in...
[snip]

My questions are:

1. Why does Kaspersky not detect this trojan in VirusTotal?
2. Why do the two patches seem not to work?
3. How can I determine...
a. if the system has been compromised
b. if/when the vulnerability has been properly patched
4. Why did the restricted zone addition allow the page to load at all
5. How would you recommend I deal with this threat?

[snip]
======================

Thanks for the two responses received so far, neither of which
addressed any of my questions, unfortunately. Given the severity of
the threat, I was expecting more replies, and hoping the questions
would be addressed. Anyone?

Larry

 

[Virus Guy]

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously
downloaded upon visiting hxxp://wwww.asus.com.tw/. The file
(BMW3[1].pig) appears in...

1. Why does Kaspersky not detect this trojan in VirusTotal?
2. Why do the two patches seem not to work?
3. How can I determine...
a. if the system has been compromised
b. if/when the vulnerability has been properly patched
4. Why did the restricted zone addition allow the page to load
at all
5. How would you recommend I deal with this threat?

You're not going to get an easy answer to most of those questions.

An answer from Dave Lipman is your best bet (and I haven't seen him in
this thread so far - ?).

If you're looking for a way to clean it off your client's machine,
normally I would tell you to remove the infected hard drive and slave
it to a second machine and run AV software against it, but since
you're dealing with a laptop, then that's not an option. Some AV run
from a boot CD is your best bet.

Obviously that .pig file probably downloaded the file bm3.exe (see my
previous post). If so, then you have a Zlob varient on that laptop
(and Kaspersky _does_ detect it).

 

[Larry Sabo]

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously
downloaded upon visiting hxxp://wwww.asus.com.tw/. The file
(BMW3[1].pig) appears in...

1. Why does Kaspersky not detect this trojan in VirusTotal?
2. Why do the two patches seem not to work?
3. How can I determine...
a. if the system has been compromised
b. if/when the vulnerability has been properly patched
4. Why did the restricted zone addition allow the page to load
at all
5. How would you recommend I deal with this threat?

You're not going to get an easy answer to most of those questions.

An answer from Dave Lipman is your best bet (and I haven't seen him in
this thread so far - ?).

If you're looking for a way to clean it off your client's machine,
normally I would tell you to remove the infected hard drive and slave
it to a second machine and run AV software against it, but since
you're dealing with a laptop, then that's not an option. Some AV run
from a boot CD is your best bet.

Obviously that .pig file probably downloaded the file bm3.exe (see my
previous post). If so, then you have a Zlob varient on that laptop
(and Kaspersky _does_ detect it).

Thanks Virus Guy. I'm running AV-CLS on c: from UBCD4Win and will use
all the packages. I'll be confident he has a clean system after that,
but I'm still concerned that he may stumble upon another compromised
site and end up right where he is now, given the apparent
ineffectiveness of the ANI patches. Thanks for your help.

Larry

 

[kurt wismer]

My client's laptop (XP Pro, SP2) is running Trend Micro Internet
Security 2007. It keeps alerting on a file surreptitiously downloaded
upon visiting hxxp://wwww.asus.com.tw/. The file (BMW3[1].pig) appears
in...

<username>\Local Settings\Temp\Temporary Internet
Files\Content.IE5\<folder>

...and the alert is that it contains EXPL_ANICMOO.GEN. Virustotal
reports...
[snip virus total log]

I can delete the infected file without problem but the next visit to
the site puts it back.

The MS patch in KB925902 was installed but makes no difference in the
alert each time the Asus site is visited. I also subsequently
installed the eEYE temporary fix discussed in the article at
http://www.networkworld.com/news/2007/033007-eeye-publishes-fix-for-windows.html
but it, too, seems to make no difference. I added the site to the
Restricted Zone and when I visit the site now, the page loads but I
get an alert in IE7 that Active X has been turned off so the page
might not load correctly, and I don't get the Trend Micro alert.

My questions are:

1. Why does Kaspersky not detect this trojan in VirusTotal?

perhaps kaspersky hasn't seen this variant yet and/or virus total's
version of the kaspersky product doesn't know of this variant yet...

2. Why do the two patches seem not to work?

you seem to be under the impression that the vulnerability is how it got
onto the local system... that's not what happened at all...

someone visited a web page with a browser, it is standard behaviour for
the browser to download the contents of that page to the local machine
in order to render the page and one of the contents was an exploit for a
vulnerability...

the fact that it was downloaded to the local machine has nothing to do
with whether or not the machine vulnerable or whether it got exploited,
it's just the way browsers work...

alternatively, it could have been a drive-by-download, but that's still
just a download - so long as the patch had already been applied the
exploit code itself shouldn't be able to do anything...

3. How can I determine...
a. if the system has been compromised

the same way you determine if your system has been compromised by
anything else...

b. if/when the vulnerability has been properly patched

if you installed the microsoft patch then you're properly patched...

4. Why did the restricted zone addition allow the page to load at all

adding the page to the restricted zone just means certain web
technologies won't be used (depending on how you've set up the
restricted zone) when rendering the page...

5. How would you recommend I deal with this threat?

learn how browsers work... the only threat here is not recognizing the
difference between an exploit and normal browser behaviour...

 

[Larry Sabo]

Kurt, thanks for your reply, and for addressing my questions directly.
I've commented in-line....

Larry Sabo wrote: [snip]

1. Why does Kaspersky not detect this trojan in VirusTotal?

perhaps kaspersky hasn't seen this variant yet and/or virus total's
version of the kaspersky product doesn't know of this variant yet...

Of course; it's just that most of the "premier" A-V programs seem to
take a pass on this file, whereas most of the "second-tier" programs
identify it as problematic. Strange, hence my question.

2. Why do the two patches seem not to work?

[snip]
the fact that it was downloaded to the local machine has nothing to do
with whether or not the machine vulnerable or whether it got exploited,
it's just the way browsers work...

Yeah, you're right. Muddled thinking on my part. Thanks for clarifying
that.

alternatively, it could have been a drive-by-download, but that's still
just a download - so long as the patch had already been applied the
exploit code itself shouldn't be able to do anything...

the same way you determine if your system has been compromised by
anything else...

I knew I shouldn't have asked that, it was so obvious when I re-read
it after posting.

if you installed the microsoft patch then you're properly patched...

Again, I was confusing the ability to download the file with the
purpose of the patch, which is to render such downloads ineffective
should they be executed. It's the anti-virus program that should catch
such downloads and deal with them. I guess I was wondering, how will I
know the patch will work, since Kaspersky doesn't alert on the
downloaded file. KAV should pick up on whatever the exploit yields,
i.e. trojan, but not alerting on the download shakes my confidence.

adding the page to the restricted zone just means certain web
technologies won't be used (depending on how you've set up the
restricted zone) when rendering the page...

I had better read up on such settings. I had just assumed it would be
like a HOSTS file in effect, i.e. frustrate downloads from restricted
sites. Wrong.

learn how browsers work... the only threat here is not recognizing the
difference between an exploit and normal browser behaviour...

I know how browsers work and that downloaded malware is not a problem
until one tries to open/run it. The potential of a downloaded file to
wreak havoc and cause damage is what I call a threat, even if it
hasn't yey been unleashed. If the downloaded file in question has this
potential, it's a threat in my books.

Perhaps the correct answer to this question, is to just delete the
file should an AV product alert on it, and confirm that the patch for
the vulnerability has been installed. I know of no way to verify that
the patch protects the system against the threat, short of running it
and picking through the debris.

Again, thanks for your thoughts.

Larry

 

[Virus Guy]

Kurt, thanks for your reply,

He pissed all over you, and practically called you ignorant.

Why thank him for that?

 

[Larry Sabo]

He pissed all over you, and practically called you ignorant.

Why thank him for that?

Yeah, I did a good job controlling my Irish temper. Nevertheless,
he did point out that I was confusing the functions of the patch and
the A-V program, and did address my specific questions. It has
appeared to me many times that Kurt likes to provoke debate that goes
off the rails, often based on semantics and word games. I decided not
to take the bait, but to take what I could from his response and be
grateful for it.

Cheers,
Larry

 

[kurt wismer]

Yeah, I did a good job controlling my Irish temper. Nevertheless,
he did point out that I was confusing the functions of the patch and
the A-V program, and did address my specific questions. It has
appeared to me many times that Kurt likes to provoke debate that goes
off the rails, often based on semantics and word games. I decided not
to take the bait, but to take what I could from his response and be
grateful for it.

if pointing out what should be obvious to someone with a degree of
technical sophistication seems insulting to someone who actually has
that technical sophistication i'm sorry, that really wasn't the spirit
in which it was offered...

most of the time when someone asks a question, all i have to tell me how
technically sophisticated they are is the question itself...

 

[Fenton]

If you're looking for a way to clean it off your client's machine,
normally I would tell you to remove the infected hard drive and slave
it to a second machine and run AV software against it, but since
you're dealing with a laptop, then that's not an option. Some AV run
from a boot CD is your best bet.

Well, actually, it is an option. I keep handy a cheap ($30) enclosure I got
from CompUSA, with both FireWire and USB. I will remove a hard drive, pop it
in the enclosure, and boom, it's an external disk.