Archive for July, 2009

Clamping Down on Clampi

Thursday, July 30th, 2009

The banking password and information stealer Clampi was recently described as infecting anywhere from 100,000 to 1 million Windows PCs. Let’s take a closer look at this menace, and at the interesting Clampi behaviors ThreatFire has been preventing in our community.

First, let’s talk about the distribution over the past year. Most of the Clampi executables appear to be unique, and appear to have been run on no more than one machine. The bulk of these executables are repacked and re-obfuscated to evade AV solutions, so only a quarter of the Clampi malware prevented in the ThreatFire community over the past year showed up on more than one system. Nearly all of the Clampi variants seen on multiple user desktops appear to have been delivered via an Adobe Acrobat client-side exploit. As posted previously about mainstream Windows PDF readers, be sure to update the software on your system, especially popular web browser third party plugins. A high number of these Clampi-delivering exploits successfully attacked Acrobat 7.0. Unfortunately, while the message may be getting out that third party plugins need to be updated on a regular basis, the advice does not seem to be followed reliably.

The trojan runs a new instance of Internet Explorer and injects it with executable code of its own, accesses the personal store of saved passwords, and sends the data off the system to multiple web sites. It’s not a set of new malicious techniques, but highly problematic nonetheless. ThreatFire prevents these behaviors reliably, and PC Tools AV reliably detects the malware with one of several heuristic routines: Trojan.DL.Ilomo.Gen!Pac, Trojan.DR.Ilomo.Gen!Pac.2, Trojan.DL.Ilomo.Gen!Pac.

Symantec named this malware Trojan.Clampi, and it has been labelled inconsistently by other groups with a handful of other names, including Clomp, Downloader, Inject, Rscan, Small, Ilomo, Agent2, Agent, and often it is detected by its packer’s characteristics. Unfortunately, its packer changes and old signatures can become ineffective against this malware as it appears on systems around the world over time. PCTAV heuristics were effective over time, however.

Update: Please see the post with a bit of technical information regarding a Clampi variant’s injection technique.

P2P File Sharing and Limewire

Wednesday, July 29th, 2009

In another “duh!” moment, it was discussed that government workers and contractors probably should not be sharing their drive contents using P2P software. In a recent hearing, U.S. lawmakers discussed sensitive content like “FBI files, medical records, Social Security numbers and even a file containing information about a safe house location for [the U.S.] President” that was accessed over LimeWire.

While this post does not take a stance on the policymaking, or even on the level of intelligence it takes to accidentally share drive contents over LimeWire, ThreatFire continues to trigger and protect our community against a number of malware executables accessed over the LimeWire sharing network. Always be careful of the shared content on these networks — too often, things are too good to be true, as posted previously. Today, ThreatFire protected user information from more crackz bundled with malware, like another “Age of Mythology[ENGLISHVERSION] Crack Keygen” with a malicious setup file.

When the unsuspecting P2P user runs the setup file, this trojan downloader contacts a server at www.diespamdie. com, where adware and additional bot malware are served up. One of the served files includes a nasty bot sometimes identified by its packer, its circa 1999 injection technique, and its string references, Tdss.

Out of Band Patch and Prevalent Client Side Exploitation

Tuesday, July 28th, 2009

As out-of-band patches are released today, we are not yet seeing memory corruption attacks targeting these newly patched vulnerabilities that affect Internet Explorer 6, 7, and 8. Nonetheless, be sure to visit the Microsoft updates site and patch your system soon.

Instead, ThreatFire continues to prevent prevalent attacks from malicious pages like those currently hosted on cxim-way. cn, where JavaScript identifies third party plugins on the system and attacks the user’s system accordingly. Pseudocode here:

while (name = navigator.plugins[i].name):
    if (name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1)
        then iframe src="cache/readme.pdf"
    if name.indexOf("Foxit Reader") != -1
        then iframe src="cache/update.pdf"
    if name.indexOf("Flash") != -1
        then iframe src="cache/flash.swf"
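As an added example (not code from the original post or from the malicious page), a small Python heuristic that scans page source for the pattern above: plugin enumeration, plugin-name tests, and per-plugin hidden iframes pointing at PDF/SWF payloads. The two HTML samples are constructed, and the scoring weights and threshold are my own assumptions.

```python
import re

# Constructed sample: the pseudocode above rendered as a script (not the live page's code).
SAMPLE_LANDING_PAGE = """
<script>
for (var i = 0; i < navigator.plugins.length; i++) {
  var name = navigator.plugins[i].name;
  if ((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1))
    document.write('<iframe src="cache/readme.pdf" width=0 height=0></iframe>');
  if (name.indexOf("Foxit Reader") != -1)
    document.write('<iframe src="cache/update.pdf" width=0 height=0></iframe>');
  if (name.indexOf("Flash") != -1)
    document.write('<iframe src="cache/flash.swf" width=0 height=0></iframe>');
}
</script>
"""

# Constructed benign sample: a legitimate page that only checks for Flash to show a fallback notice.
SAMPLE_BENIGN_PAGE = """
<script>
var hasFlash = false;
for (var i = 0; i < navigator.plugins.length; i++)
  if (navigator.plugins[i].name.indexOf("Flash") != -1) hasFlash = true;
if (!hasFlash) document.getElementById("notice").innerText = "Flash not installed";
</script>
"""

PLUGIN_ENUM = re.compile(r"navigator\.plugins", re.I)
PLUGIN_NAME_TEST = re.compile(r"""indexOf\(\s*["'](Adobe Acrobat|Adobe PDF|Foxit Reader|Flash)["']\s*\)""")
PLUGIN_PAYLOAD = re.compile(r"""<iframe[^>]+src=["']?([^"'\s>]+\.(?:pdf|swf))""", re.I)

def score_landing_page(html):
    """Return (score, findings); score rises with each exploit-kit dispatch indicator found."""
    findings, score = [], 0
    if PLUGIN_ENUM.search(html):
        findings.append("enumerates navigator.plugins"); score += 1
    names = set(PLUGIN_NAME_TEST.findall(html))
    if names:
        findings.append("tests plugin names: " + ", ".join(sorted(names))); score += 1
    payloads = PLUGIN_PAYLOAD.findall(html)
    if payloads:
        findings.append("iframes to plugin payloads: " + ", ".join(payloads)); score += 1
    # Several plugins tested AND several plugin-specific payloads is the tell-tale dispatch pattern.
    if len(names) > 1 and len(payloads) > 1:
        findings.append("per-plugin payload dispatch"); score += 2
    return score, findings

def is_suspicious(html, threshold=4):
    """Assumed threshold: a lone Flash check scores 2, the dispatch pattern scores 5."""
    return score_landing_page(html)[0] >= threshold
```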

The resulting malicious payload is prevented by ThreatFire. “Load.exe” is pulled down from the site on a successfully compromised system, renamed to “pdfupd.exe”, and run. This malicious downloader/dropper currently evades most AV scanners. It drops a couple of drivers, and may be a Rustock bot variant, which we are looking further into.

ThreatFire users are protected from multiple layers of these attacks. In addition to patching your system, install a behavior-based layer of protection on your system.