Archive for the ‘Dropper’ Category

Koobface Continued…

Friday, March 5th, 2010

The Koobface gang’s changing tricks and longevity are noted in a recent USA Today article. They have recently stepped up their activity on a major social networking site, and user infections appear to be jumping quickly. The current theme has been effective for the past month: a message arrives in a user’s inbox from a friend (names purposely removed from the image). Note that the gang is no longer using the bit.ly service in its attack links:

[Image: Koobface_friendmessage]

The link leads the user to the familiar phony YouTube “Broadcast Yourself” page, with a video frame and a Flash installer prompt: “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The offered download is a “setup.exe” file, shown as coming from “SquarePants”. When setup.exe is run, it in turn drops and runs “bill103.exe” or “bill104.exe” and begins its malicious activity. ThreatFire prevents it effectively.

[Image: Koobface_spongebob]

Past posts on Koobface here.

If you are prompted to install the Flash Player, skip the install, go directly to the vendor’s site to download the player’s installer, and install it from there. Then return to the page you wanted to view. On legitimate sites, the content will play.

Windows Defender 2010 FakeAv at the Top of this Morning’s List

Tuesday, February 16th, 2010

The group behind “live-windowsantivirus. com” is having a very busy morning distributing the rogueware “XP Internet Security 2010”. We grabbed some snapshots of the current incarnation of the malware, since users appear to be falling for it in large numbers. The full window and the balloon popup stating “System Danger! Your system security is in danger” must be convincing…

[Image: 2.System_Danger]

Fake scan results are presented immediately…

[Image: 1.XP_InternetSec]

As we have been pointing out for the past several years, the user can tell that something is amiss when the software claims it is “unregistred” [sic]; see the window’s title bar.

[Image: 3.Attention_Danger]

Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window claiming the system is infected with “Trojan-BNK.Win32.Keylogger.gen” and recommending activation of XP Internet Security 2010…

[Image: 4.Firewall_Alert]

When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010” appears…

[Image: 5.WindowsDefender2010]

Running down the side of the page are fraudulent claims of awards from West Coast Labs and Virus Bulletin:

[Image: 6.PhonyAwards]

Entering personal information into the form POSTs it to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend that you avoid entering any personal information and clean up the infection instead:

[Image: 7.2YearLicense]

ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

Cutwail Spamming for Russian Spammers

Monday, February 1st, 2010

Spam continues to clog the internet, with providers reporting that spam makes up 80% – 95% of all email content in transit. It remains an ongoing problem into 2010, so last week we examined the active spambot Tedroo, some of its suspicious behaviors, one of its anti-debug/anti-RE techniques, and its spam delivery. This week we take a look at Cutwail, a long-standing and very active downloader/spambot whose persistence suggests that, regardless of various ISP takedowns, the underground market continues to thrive.

In what seems to be fairly unique to Cutwail (also known as Pandex and Pushdo), the initial component delivered to a victim’s system is a downloader/dropper, and the spambot code itself never touches the disk. This is by design: the spambot code appears to remain relatively unchanged over time, while the initial delivery component is re-developed, re-packed and re-distributed in a myriad of ways along with a set of other components. The end goal is to execute the spambot on the system without it touching disk and without carrying its code inside the downloader.

This particular Cutwail downloader connects to the following hosts to download the spambot payload and its data (hosts modified so they do not resolve or link)…

75.126.159 .19:443
89.149.254 .213
89.149.244 .141
94.75.233 .173:443
94.75.233 .171
94.75.233 .172
89.149.244 .23
aaa.oduvanchic .com
aaa.news2days .ru
fireas*eye .com
f*ckbriankrebs .com
antisgetout .cn

It will attempt to connect to one of the above web servers every 20 seconds until a payload is available and downloaded. The sites are actively brought up and down and often do not respond to an infected host, stymieing research on the bot. The bot and its data payload are served from these hosts as one encrypted stream. Once retrieval completes, the downloader deobfuscates/decrypts the payload, launches svchost.exe in suspended mode and writes the payload into the newly spawned process’s memory. It then reads the main thread’s context with GetThreadContext, rewrites it with SetThreadContext so that execution begins at the injected code, and resumes the thread, so the payload runs in place of the svchost code.
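A practitioner looking for that fixed 20-second retry can find it in ordinary connection logs without any knowledge of the encrypted payload. The following is an added example for this post, not ThreatFire’s or the authors’ code: it groups connection attempts by source, destination and port and flags pairs whose inter-connection interval is nearly constant, failed attempts included, since the downloader keeps polling whether or not the server answers. The log lines are constructed for the example (they reuse the 75.126.159 .19:443 host from the list above next to a documentation-range address standing in for normal browsing), the log format is this example’s own, and the thresholds (five hits, 10% jitter) are assumptions to tune per environment.

```python
"""Flag fixed-interval "is my payload up yet?" polling in connection logs.

Added example for this post, not ThreatFire code. Log format (constructed for
the example): "<ISO timestamp> <src> <dst> <dport> <result>" per line.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, not a real capture: an infected host retrying
# 75.126.159.19:443 every 20 s until a payload finally arrives, alongside
# irregular web traffic to a documentation-range address (198.51.100.7).
SAMPLE_LOG = """\
2010-01-28T10:00:00 192.168.1.20 75.126.159.19 443 fail
2010-01-28T10:00:20 192.168.1.20 75.126.159.19 443 fail
2010-01-28T10:00:40 192.168.1.20 75.126.159.19 443 fail
2010-01-28T10:01:00 192.168.1.20 75.126.159.19 443 fail
2010-01-28T10:01:20 192.168.1.20 75.126.159.19 443 fail
2010-01-28T10:01:40 192.168.1.20 75.126.159.19 443 ok
2010-01-28T10:00:03 192.168.1.20 198.51.100.7 80 ok
2010-01-28T10:00:31 192.168.1.20 198.51.100.7 80 ok
2010-01-28T10:02:17 192.168.1.20 198.51.100.7 80 ok
2010-01-28T10:05:44 192.168.1.20 198.51.100.7 80 ok
2010-01-28T10:09:02 192.168.1.20 198.51.100.7 80 ok
2010-01-28T10:12:50 192.168.1.20 198.51.100.7 80 ok
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), result))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.10):
    """Return {(src, dst, dport): stats} for pairs contacted at a steady period.

    A pair qualifies when it has at least `min_hits` connections and every gap
    between consecutive connections lies within `max_jitter` (fraction) of the
    median gap. Both thresholds are assumptions for this example. Failed
    connections count too: the downloader polls regardless of the answer.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _result in events:
        by_pair[(src, dst, dport)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            beacons[pair] = {"period_s": period, "hits": len(stamps),
                             "jitter": jitter}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print("%s -> %s:%d every %.0fs (%d hits)"
              % (src, dst, dport, stats["period_s"], stats["hits"]))
```

On the constructed sample only the 75.126.159.19:443 pair is reported (period 20 s, six hits, zero jitter); the browsing traffic has gaps ranging from half a minute to several minutes and is ignored. Real bots add jitter, so loosen `max_jitter` and watch for false positives from legitimate pollers such as update checkers.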

Due to the complicated packing schemes and highly variable injector code, these initial injectors appear harder to detect than the relatively consistent spam payload. Since the payload is injected directly into a real Windows process and is never written to disk, it too proves quite elusive to file-based scanning.
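Because the spambot lives only in svchost.exe’s memory, the useful check is a memory-side one: does the address the main thread will execute, and the image base the PEB reports, sit in memory backed by a mapped image file? The following is an added example, not ThreatFire’s or the authors’ code, in Python, working on hand-constructed process snapshots that stand in for what a VirtualQueryEx/GetThreadContext walk or a memory-forensics tool would return; the Region/ProcessSnapshot field names and the sample addresses are this example’s assumptions. It applies to any injector that follows the pattern described above (suspended process, payload written into private memory, thread context redirected), not only Cutwail, and the PEB check also catches variants that go further and unmap the original image.

```python
"""Memory-side indicators of a hollowed/injected process (added example).

Not ThreatFire code. The snapshots are constructed by hand; in practice the
fields come from VirtualQueryEx (regions), GetThreadContext (the address the
thread will execute) and the PEB of the target process.
"""
from dataclasses import dataclass, field

# MEMORY_BASIC_INFORMATION.Type / .Protect values as defined by Windows.
MEM_IMAGE = 0x1000000          # backed by a mapped image (EXE/DLL) file
MEM_PRIVATE = 0x20000          # committed by the process: heap, VirtualAlloc
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Region:
    base: int
    size: int
    mem_type: int
    protect: int
    mapped_path: str = ""      # backing file for MEM_IMAGE regions, else empty

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str            # file the process was created from
    peb_image_base: int        # PEB.ImageBaseAddress
    start_address: int         # where the main thread executes once resumed;
                               # this is what SetThreadContext rewrites
    regions: list = field(default_factory=list)


def region_for(regions, addr):
    return next((r for r in regions if r.contains(addr)), None)


def hollowing_indicators(snap):
    """Return a list of indicator tags; an empty list means nothing suspicious."""
    findings = []
    start = region_for(snap.regions, snap.start_address)
    if start is None:
        findings.append("start_unmapped")
    elif start.mem_type != MEM_IMAGE:
        # Code that is about to run but is not backed by any file on disk.
        findings.append("start_not_image_backed")
        if start.protect == PAGE_EXECUTE_READWRITE:
            findings.append("start_region_rwx")
    peb = region_for(snap.regions, snap.peb_image_base)
    if (peb is None or peb.mem_type != MEM_IMAGE
            or peb.mapped_path.lower() != snap.image_path.lower()):
        # Variants that unmap the original image and point the PEB at the
        # injected payload fail here even if the start address looks sane.
        findings.append("peb_image_base_not_process_image")
    return findings


def build_samples():
    """Two constructed svchost.exe snapshots: one clean, one hollowed."""
    svchost = r"C:\Windows\System32\svchost.exe"
    kernel32 = r"C:\Windows\System32\kernel32.dll"
    clean = ProcessSnapshot(
        pid=1001, image_path=svchost, peb_image_base=0x01000000,
        start_address=0x01002A10,            # entry point inside svchost's image
        regions=[Region(0x01000000, 0x8000, MEM_IMAGE, PAGE_EXECUTE_READ, svchost),
                 Region(0x7C800000, 0xF0000, MEM_IMAGE, PAGE_EXECUTE_READ, kernel32),
                 Region(0x00140000, 0x10000, MEM_PRIVATE, PAGE_READWRITE)])
    hollowed = ProcessSnapshot(
        pid=1002, image_path=svchost, peb_image_base=0x01000000,
        start_address=0x00400000 + 0x1540,   # redirected into the injected payload
        regions=[Region(0x01000000, 0x8000, MEM_IMAGE, PAGE_EXECUTE_READ, svchost),
                 Region(0x7C800000, 0xF0000, MEM_IMAGE, PAGE_EXECUTE_READ, kernel32),
                 Region(0x00400000, 0x20000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE)])
    return clean, hollowed


def scan(snapshots):
    """Map pid -> indicators for every snapshot that has any."""
    result = {}
    for snap in snapshots:
        findings = hollowing_indicators(snap)
        if findings:
            result[snap.pid] = findings
    return result


if __name__ == "__main__":
    for pid, findings in scan(build_samples()).items():
        print("pid %d: %s" % (pid, ", ".join(findings)))
```

On the constructed data the clean svchost.exe produces no findings, while the injected one is flagged because its start address lies in a private RWX allocation rather than in any mapped image. The same two questions can be asked of every thread in a process, not only the first, to cover injectors that create a new thread instead of rewriting the suspended one.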

Once injected and running, the spambot waits a prolonged period before beginning its spam run. In our lab, after an eye-rollingly long wait, we collected image-based spam advertising spam services, with prices, to Russian readers:

[Image: cutwail_spam_snip2]

The image advertises a Moscow-based phone line, with “Email distributions. Affordable prices – high quality” touted across the top and in the left panel. Prices are given for both Moscow and all-Russia blasts (we added the conversions to USD):

Our price list:
——————————————————
Whole Moscow  =  5000 rubles  ($166 USD)
4 distributions in Whole Moscow  =  10000 rubles  ($333 USD)
——————————————————
Whole Russia = 10000 rubles  ($333 USD)
4 distributions in Whole Russia = 20000 rubles  ($666 USD)
——————————————————
Russia+CIS (Commonwealth of Independent States, the territory of the former USSR)  = 15000 rubles  ($500 USD)
4 distributions in Russia+CIS = 30000 rubles  ($1000 USD)
——————————————————
We have:
——————————————————
-The lowest prices on the market.
-The most up-to-date software.
-Regularly updated databases.
-High response rates from distributions.