This morning, we were observing a surge in hits from an Armadillo/SoftwarePassport packed Rbot variant. It looks like this one might be distributed over a P2P network. AV scanner detection appears to be fairly spotty for now:
When we are looking through files that come in, we see the work of fairly underground joiners/stickers of all sorts — microjoin, minichain, exebind, etc. These tools are used to bind an executable to another file package, so that a stub is added to the original file along with the bot, and they are “binded” together. That way, when the unwitting victim receives a bound file, they’ll think they are running one executable when really they are running two.
An interesting example came in this morning: sdsetup.exe. Interesting, because the filename is the same as the PC Tools product installer for SpywareDoctor. And the icon of the file appears to be the one that PC Tools uses for their SpywareDoctor product. However, here are some properties of the file that appear when you right click on the installer file and select “Properties”. The file is missing a digital signature, and the file’s “Description” is “Win32 Cabinet Self Extractor”. It seems fishy right off the bat, because that’s a legitimate tool normally used to build installers and files that bind more than one executable together, just like the underground binders we see all the time:
Now, below is a genuine installer from PC Tools. Cool icon, huh? You can see the file’s properties by right clicking on it again. Notice the “Digital Signatures” tab, the “PC Tools” signer name, and the confirmation that the signature itself is ok from Verisign. This countersignature provider confirms that the file is from PC Tools, much like a Notary Public’s stamp would for a legal document:
Now we run the file that arrived with the odd Description property and is missing the digital signature. BAM! a new executable is created in the system directory and silently executed. This little obfuscated Rbot treat comes with keylogging capabilities and more, and calls home to a computer running on a dsl line here in Kansas City in the U.S. The server is down for now, but it appears to be cycling through ip addresses:
Reason to be alarmed? Not really, this technique commonly is used by creeps every day. But there are lessons to be learned here. If you are going to install a product, do not get it from your favorite P2P collection. Instead, go to the source, like the PC Tools or ThreatFire web site.
And, if you are going to run an executable, you can check it for a digital signature. It’s one more layer of security — the signature helps confirm that the source of the executable is genuine.
