|
Archive for the ‘Bredolab’ Category
Wednesday, January 27th, 2010
As a followup to our early Jan Bredolab email blast warning, this post presents technical details and functionality about the payload accompanying the delivery notice + invoice attachment. While past posts have described the downloader’s windows api hook overwrite functionality, related social engineering techniques, its Zbot and FakeAv downloads, this post identifies a different injection and banking password stealing payload.
The Bredolab downloader variant repeats the same exploits to bypass security apps and perform “hook overwrites”. It abuses the same exploits as our previous variant; MS07-017, MS08-025, CVE-2004-2339. These hook overwrites are performed across the dropper threads and all injected threads (within explorer.exe and svchost.exe) with a simple comparison and copy: rep movs dword ptr es:[edi], byte ptr ds:[esi].
After the injection into explorer, the malcode reports its installation and retrieves info at dollardream .ru, dropping a tmp file to disk and running it. Following the connection with dollardream. ru, the new process creates a directory under users\application data\microsoft\windows and the mspdp<number>.dll, making the dll a persistent presence on the system with an AppInit_dlls registry entry. After the dll and reg key have been created, it deletes itself and calls InitiateSystemShutdown, restarting the system.
Because this DLL maintains an entry under the AppInit_DLLs registry key, it reliably will load into each process running on the victim system’s, including all web browser processes. At dll load time within Internet Explorer, for example, it hooks a dozen different windows API prologues. The malicious code is precisely placed to be reliably notified when data important enough to be encrypted is being sent off of the machine. It intercepts and examines all user data prior to encryption. When data being sent over http is examine, the code first performs a hash comparison on the HTTP headers to identify “interesting” Urls. These approximately 25 “interesting” Url strings are all banking and financial account related, except for a couple social networking and photo share web sites. Here is a view of the code locating content within the raw packet data, after a user has typed their username/pass and clicked on “Login”:
Once the malcode parses the data stream and identifies interesting locations within the stream, it retrieves the input data (i.e. banking user names and passwords), and immediately writes the sensitive data out to file. The file is placed in the same subdirectory as the dll itself, in our lab example: “all users\application data\Microsoft\Windows\Network\Network\mspdb80.dll”. This “.dll” file extension and name choice mimics that of a legitimate file distributed with Visual Studio, and instead contains the stolen login data in plain text. This content is gathered and sent off the system to a server hosted in Russia in the 109.196.143.xx range…
As you can see, it is very important to pay attention to the attachments that you attempt to open, and whether or not they are malicious executables or just look like a harmless spreadsheet.
Update (2/10/2010): appears that other researchers are interested in alerting the public as well, only their February writeup includes interesting details that ACH and wire transfer institutions are targeted by the dll, in addition to what was posted above.
Posted in Bredolab, Password stealing, Spyware | No Comments »
Tuesday, January 12th, 2010
Over the past 16 hours, we’ve seen a sharp spike in the number of UPS_Invoice themed malware being run and prevented on systems. We’ve seen this invoice scheme many times before, but to many computer users, the scam still is not familiar. The files often are delivered as .zip attachments, containing a malicious Bredolab downloader or Zbot password stealer. Again, this is the extracted file’s appearance, after it is unzipped and file extensions are not visible (a folder option). Compare it with the screenshot below. the difference is not obvious, unfortunately:
And here is a screenshot with the extensions visible:
Some of the names being used and designed to fool users include…
UPS_INVOICE_NR81913.ZIP
UPS_INVOICE_NR81913.EXE
UPS_invoice_NR43193.zip
UPS_INVOICE_NR43193.EXE
UPS_invoice_NR12090.zip
UPS_INVOICE_NR12090.EXE
UPS_invoice_NR74225.zip
UPS_INVOICE_NR74225.EXE
UPS_INVOICE_NR10124.ZIP
UPS_INVOICE_NR10124.EXE
UPS_INVOICE_NR85411.ZIP
UPS_INVOICE_NR85411.EXE
UPS_INVOICE_NR76225.ZIP
UPS_INVOICE_NR76225.EXE
Be sure to examine the contents of .zip files prior to attempting to open them. We will update this post as more information is available.
Posted in Bredolab, Social Engineering, Spam, Trojan, Undetected malware | 1 Comment »
Thursday, December 31st, 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.
Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.
Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.
As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.
Posted in AMTSO, Bot, Bredolab, Crimeware, FakeAlert, Koobface, Malware Estimates, Password stealing, Rogueware, Sality, Social Engineering, Vundo, Waledac, ZBot | No Comments »
|
|
|
|
