Archive for the ‘Dropper’ Category

« Older Entries

Cutwail/Pandex reader_s.exe Continues to Deliver Spambots and mmx Evasions throughout Shutdowns

Monday, August 10th, 2009

Cutwail (also known as Pandex) malware is not a new family name on the bot scene. However, the Cutwail/Pandex botnet is described as one of the largest and most active botnets currently known. This resilient botnet managed to bounce back after both the McColo ISP and the more recent Pricewert/3FN ISP shutdowns in California, both of which brought down global levels of spam for a short time and cut off the control servers where many bots retrieved their command and control instructions.
To further the botnet’s resilience and spread, the distributors of the malicious executables attempt to re-pack and re-obfuscate the components to evade security file scanners on victim systems. The executable runtime behavior may change across variants just a bit, but the fingerprint and physical makeup changes dramatically. This type of evasion, of course, is ineffective against a behavioral-based solution like ThreatFire. Cutwail is succesfully prevented from running on ThreatFire community user systems on a daily basis.

Some of the latest Cutwail/Pandex variants are themselves delivered in a variety of ways to a user’s system, renamed to reader_s.exe and run (note, other prevalent and current variants are renamed to update.exe). Reader_s.exe drops 0.exe, which drops an ADS or “alternate data stream” to the drive. This sort of location on the drive is tricky for a user to spot, because the svchost.exe:ext.exe stream cannot be seen as a file within an explorer window. This ADS executable code is installed as a system service by the Cutwail dropped executable 0.exe. Then, 0.exe launches and hijacks a svchost.exe process, communicating from it over an encrypted channel to a set of ip addresses. These communications eventually result in the compromised system gathering information to spew enough spam to help generate over 74 billion messages a day from the botnet.

The packing and evasion techniques implemented within these executables changes over time. One of the recent techniques is one that we have seen before in a variety of Fakealert executables in the past — intermixing random mmx instructions into the compiled code itself. These instructions have no functional purpose whatsoever. They simply modify values within the mmx registers arbitrarily. Intermixing the mmx instruction set unexpectedly within functions using the general-purpose intel instructions can cause problems for recognizing Cutwail malcode for emulators, backend automation, and AV scanners themselves — the evasion technique can be effective.

You can see one such function that was modified with mmx “nop” filler:

Protecting your system from becoming a part of the largest, most active botnet on the web requires an effective behavioral based layer like ThreatFire.

Posted in Bot, Dropper, Evasion technique, FakeAlert, Undetected malware | No Comments »

South Korea and U.S. Government Sustained DDoS

Thursday, July 9th, 2009

The botnet driven distributed denial of service attack that started over the weekend has been attacking American agency web sites like the White House web site, the FTC site, NYSE site, FAA, NSA, Dept of Homeland Security, the Treasury, and many more agency web sites is a pretty bold thing to do. The botnet also has many South Korean web sites in its crosshairs as well, including the president’s and various news and commerce sites.

We are examining the binaries involved, and ThreatFire could have protected those systems from the bot, stopping its dropper, and in turn, prevented at least some of the DoS flood on these U.S. and the many South Korean web sites. The underlying code itself appears to be fairly unsophisticated.

One of the malicious DoS components is delivered unpacked, sets itself up as a service, and contains a handful of commonly used user agent strings to camoflage its GET and POST traffic. Interestingly, we find “Accept-Language: ko, UA-CPU: x86″ in the http headers. We are further looking into an unusual dependency on pcap for network traffic requests: pcap_open, pcap_sendpacket, and other functions are abused by this malware, but it uses common winsock calls to perform its network activity too.
Here it uses an extremely common registry editing technique to disable the compromised host’s Windows firewall:

In the meantime, government, network operators and web masters in both countries are working to tame this thing.

Posted in Bot, Dropper, Government and Cybersecurity | No Comments »

Koobface flash_udpate.exe Around the World

Friday, December 5th, 2008

We are analyzing the binaries and koobface processes and will provide detailed technical information later — this one performs lots of process, system admin, file create/delete activity, and each one has a tricky anti-emulation trick that we’ll describe here. Also of note, the server that was allegedly compromised to serve up koobface-downloaded adware/clickfraud executables in early November continues to serve up malware:
hxxp:// www.aibcvienna.o rg/ youtube/fb.28.exe
The unfortunate piece is that this binary continues to see only 15/38 AV scan detections at virustotal.

In the meantime, here is a map of only some of the attacking servers hosting the Koobface worm since the very end of November. As you can see, there are some concentrated pockets of the worm’s distribution servers throughout Europe, but it is a global problem:


Posted in Dropper, Koobface, Social Engineering, Worm | No Comments »

« Older Entries