Archive for August, 2009

« Older Entries
Newer Entries »

Waledac birdie_a.exe, birdie_b.exe, corvus_b.exe, william_a.exe Mixed in with FakeAv Download Scheme

Monday, August 24th, 2009

We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but some of the classic characteristics of the Waledac trojan/worm — the email/spam engine, AES encrypted/bzip2 compressed P2P peering listing, DDoS capabilities, http C&C contact, email harvester, and credential stealing functionality. Along with the FakeAv downloads coming from these servers, these executables may be a variant on the spambot. We’ll update this post with more information as we more accurately identify the malware.

Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables, be sure to add a layer of behavioral protection to your system with ThreatFire.

Posted in Undetected malware, Waledac, Worm | No Comments »

Downloader Updates

Monday, August 24th, 2009

Around the 17th of this month, the relentless malware distribution gang serving up malicious downloaders in a variety of scams and “headline malware” schemes moved their wares from 95.211.8.20, as described in a previous post, to their newest location at 95.211.8.21. Their phony codec file naming scheme has changed slightly yet again:

update_flash_plugin.v.40013.exe

95.211.8.21
alsexe.com
astexe.com
callexe.com
domainexe.com
helpexe.com
helpexeguide.com
homeexeguide.com
loadexedirect.com
sitespacesexe.com
texeguide.com
thetestexe.com
topexeonline.com

As always, be sure to add a layer of behavioral detection to your system. Detection for these downloaders are generally poor with the FakeAv payloads receiving more attention but not 100%.

Posted in Downloader, FakeAlert, Rogueware, Undetected malware | No Comments »

Bredolab Armored Attachments

Friday, August 21st, 2009

Over the past three days, ThreatFire users were being targeted by a higher number of Bredolab downloaders. Bredolab is a nasty, morphing little downloader being spammed out in droves mostly to users in the U.S. and Europe. While it seemed to have been a short term experiment at first, the blasts are continuing throughout the year. At first, the group sent out UPS related attachments (UPSDocs_IN987712001.zip, UPSFile_Nr67721912.exe, UPSNr_76129811.exe, etc) to the community, which were duly prevented when run by the duped user.

The scheme has changed slightly away from the Ups theme to a more generic one. The executable, most likely with its origins in the Russian Federation, currently arrives in a .zip email attachment. Most of the related messages seem to suggest that the soon-to-be-victim has ordered an item:

“Thank you for settling the order No. *insert random number here*.”

The .zip attachment, once extracted, is usually an ~36-40kb executable that maintains an Excel icon, as seen here with a few examples:


A few example names recently prevented in the ThreatFire community:
D6e4c332d.exe
D391d6951.exe
D0193c67c.exe
D0f2984b8.exe
D4fdce55f.exe

The attachments are interesting in that they are packed in layers, with a outer code layer (that changes across binaries) consisting of function-less jumps and garbage code, followed by another layer that decrypts the inner, static, UPX packed payload. This UPX payload contains another layer of encryption that appears to remain static across binaries. This payload contains the unexpected injection and downloader functionality, injecting itself into system components to retrieve more malware from the web. It also overwrites user mode hooks in attempt to evade hook based security solutions with a technique frequently used by game cheats in the past.

At the beginning of the year, the Bredolab downloaders were retrieving Rogueware/Scareware/FakeAv. AV file scanner performance against them was a mixed bag, more often only able to generically detect the changing encryption schemes, and often mixing up identification of what was Bredolab samples with Waledac and their packers and vice versa or missing it altogether (file detection can be a very tricky thing for scanners). On a behavioral level, the current downloaders are attempting to download Rogueware/FakeAv components and are adding a banking password stealing Zbot variant to the mix. However, as of this week, the server that provided the additional payloads continues to be down.

Be cautious of what you open when it arrives in the mail.

Posted in Bredolab, Downloader, Social Engineering, Undetected malware, ZBot | No Comments »

« Older Entries
Newer Entries »