Sure, you want to get it for free. Who doesn’t want free schwag?

In our previous post on peculiar Vundo capabilities, we detailed Vundo’s inclusion of Microsoft Research Detours source code in their malicious binaries. After googling Vundo and reading up on it, you still might not feel confident that you understand how one gets Vundo on their system. While there are malicious sites out there using commodity exploit kits to attack unpatched windows systems and install the Vundo components, and there may be a few cases of users receiving spammed email messages with links to the malware, from my perspective it seems that most of the Vundo infections on this planet have to do with crackz. That is, key generators that enable individuals to pirate software.

So we decided to stop by getcracks.com and get the latest. While the enticing allure of free software abounds, even more present is the pile of malcode served up from the site and its various providers. And what do you know? It looks like they have a crack for ThreatFire too!

Only before you go off to the site, thinking that you can find things for free, understand that nothing really is for free.

In this case, we extracted the executable and found five files inside: readme.bat, crack.exe, serial.exe, keygen.exe, and number.exe. The readme isn’t really a readme at all. When double clicked, the file simply runs the four executables that it is delivered with. And what do we find in the other four?
crack.exe — Trojan.Vundo/Trojan.Virtumonde
number.exe — Trojan-Downloader.Small.CML,Trojan.Nebuler!sd6/Trojan.Nebuler
keygen.exe — Trojan-Downloader.Small!sd5,Trojan-Downloader.Win32.Small.ury,Downloader,TROJ_DLOADER.NWJ
serial.exe — Trojan-Downloader.Trojan!sd6,Downloader.Trojan, Trojan-Downloader.Homles!sd6,Trojan-Downloader.Win32.Homles.br,Infostealer, Adware.Maxifiles

As you can see, things aren’t free. Vundo doesn’t travel alone. Some of that stuff could ruin your system and potentially steal sensitive information.
The crack.exe file itself drops multiple dlls. They are injected into multiple processes and display alarming ads. Often, it’s difficult to understand where the ads came from or why they are on the system at all — the loaded Vundo libraries do not start displaying these ads for at least a half day. In the meantime, they track your surfing habits and send the data back to a set of servers. Here are a couple of their latest ad campaigns. The first performs the standard phony scan on your machine and identifies malware that isn’t on the system, shocking the user into buying a rogueware package:

They are hawking rogueware from “AntiSpywareExpert.com”. Their website really looks pretty slick:

The second of the two ads performed another phony scan, and claimed that pornographic images and porn site cookies were all over the machine, which was false:

Steer clear of crackz and gaming cheatz! You’ll find much of the same.

Another malcrackz post here.

This entry was posted on Thursday, June 12th, 2008 at 2:45 pm and is filed under Dropper, Vundo. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.