Archive for the ‘Embedded trojan’ Category

Ongoing Downloader Activity, Now at 64.20.38.172

Thursday, July 16th, 2009

The gang distributing FakeAv downloaders and more has moved its goods and scheme to yet another server and adult theme. In addition to downloader filenames like streamviewer.45043.exe, tubeviewer.ver.6.21586.exe and onlinemovies.45023.exe, the group is finding success with its newest addition, freepornmovies.40067.exe. The ThreatFire community is protected from these downloaders, and the newest one is showing up in higher volumes.

For the most part, this downloader is being served from 64.20.38.172, and a number of exe-themed domains currently resolve to that address.

The downloader itself is currently pulling down the embedded, encrypted malicious files described in a previous post from
myart-gallery. com
robert-art. com
superarthome. com

Be wary of codecs that may be tempting to download and run.

Streamviewer’s .gif Images Embedded with Encrypted Malware

Tuesday, June 16th, 2009

Our post last week warned of a group moving its FakeAv/Koobface/Vundo/spyware “softwarefortubeview” phony codec downloader to a new home. This week we are examining a similar scheme that downloads, surprise, surprise, Koobface and FakeAv-prompting BHOs such as iehelper.dll, which nags the user about “Antivirus system PRO”; performs some level of click fraud; installs podmena.dll and podmena.sys; and also includes a nice FTP credential-stealing component that lifts saved passwords from FileZilla, Coffee Cup, FTP Control, CuteFtp and more.

Streamviewer.40050.exe (and other streamviewer + random version names) has been flying off the shelf at a server at 64.20.38.171. That IP hosts multiple badware domains, most of them with exe-themed names.

What is interesting about the downloader is the way additional malware is downloaded and dropped by this phony codec. It first contacts a set of servers with encoded data about the system.

It then extracts, from a decoded XML file, a list of URLs to contact for a variety of .gif images (titem.gif, qwerce.gif, 217.gif, etc.) hosted on a handful of image-themed domains.

At the time of download, GIF viewers will display titem.gif with a political message about French politician Christine Boutin:

Know that we do not endorse any political message with this post. But this GIF is no ordinary image: if it were, its size might reach 35 kb at the most. Embedded in the image is the encrypted payload, bloating the file out to a couple of hundred kilobytes (~270 kb).

The downloader gathers the response information from the previous sites to find more URLs to contact and to obtain its decryption key. It then uses that key to decrypt the code embedded within the downloaded GIFs.

Much like the recent (and possibly related) Beladen downloader and the older Tibs downloaders, this image-embedded malware delivery scheme attempts to evade gateway-appliance-based protection and optimized AV scans with GIF-based encrypted payloads, and it stymies automated web-crawling-based research efforts. No longer are we seeing simple XOR decoding schemes with visible PE headers in downloaded image files; the encryption implemented for this attack was another previously commercial and proprietary encryption algorithm.

ThreatFire is preventing this downloader, which is appearing in fairly high prevalence.
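A bloated GIF of the kind described above can be spotted without knowing the encryption: a real GIF ends at its 0x3B trailer, so anything large and high-entropy after that point is worth a closer look. The following is an added example written for this post, not code from ThreatFire or from the campaign; it assumes the simplest embedding (payload appended after the trailer) and uses a constructed 1x1 GIF with pseudo-random bytes as stand-in data.

```python
import hashlib
import math
import struct

def gif_image_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    flags = data[10]                         # logical screen descriptor packed field
    pos = 13                                 # header (6) + logical screen descriptor (7)
    if flags & 0x80:                         # global colour table present
        pos += 3 * (2 << (flags & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                    # trailer: the real image ends here
            return pos + 1
        if block == 0x21:                    # extension: introducer + label, then sub-blocks
            pos += 2
        elif block == 0x2C:                  # image descriptor (10 bytes) + optional local table
            iflags = data[pos + 9]
            pos += 10
            if iflags & 0x80:
                pos += 3 * (2 << (iflags & 0x07))
            pos += 1                         # LZW minimum code size
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
        while True:                          # skip data sub-blocks up to the zero-length terminator
            size = data[pos]
            pos += 1 + size
            if size == 0:
                break
    raise ValueError("no trailer found")

def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0

def inspect_gif(data: bytes) -> dict:
    """Flag a GIF carrying a large, high-entropy blob after its trailer (a heuristic, not a decryptor)."""
    tail = data[gif_image_end(data):]
    ent = shannon_entropy(tail)
    return {"trailing_bytes": len(tail), "trailing_entropy": round(ent, 2),
            "suspicious": len(tail) > 1024 and ent > 7.0}

# Constructed samples: a valid 1x1 GIF, and the same GIF with 4 KiB of pseudo-random bytes
# appended to stand in for an encrypted payload (not a real sample from the campaign).
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + b"\x02\x44\x01\x00" + b"\x3b")
BLOATED_GIF = CLEAN_GIF + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
```

The entropy threshold catches encrypted or compressed data but not a payload tucked inside image sub-blocks, so treat a clean result as "nothing obvious" rather than "clean".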

Facebook, Open These Images Scheme — dvc-foto010.jpeg_www.facebook.com

Wednesday, September 24th, 2008

No, it is not a link; it is a file that does not contain the photos you are interested in, and it will not direct you to JPEGs on the Facebook site. Also making the rounds is “newestpicture0021.jpeg-www.imageshack.com”, along with other “imageshack.com” files.

Another worm is propagating with a .com extension, which is actually an executable format on Windows systems. When run, the file drops a copy of itself to the system32 directory as “symlasvc.exe” or “symlssdr.exe” and hides its process from monitoring tools with rootkit components. In both cases it adds itself to the Run key as the “Symantec Administration Service” so that it starts at every boot. Among other activities, it kills a set of tools that may be used to identify its presence on the system, and it mangles the hosts file to prevent access to security information, security software and security update sites, including this blog. Here is an example:
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
127.0.0.1 mailcenter.rising.com
127.0.0.1 www.rising.com.cn
127.0.0.1 www.rising.com
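A mangled hosts file like the one above is easy to check for: any non-local hostname pointed at a loopback or unspecified address is a sinkhole entry. The following is an added example written for this post (not ThreatFire code); it parses hosts-file syntax, tolerates comments and multiple names per line, and runs over a constructed sample modelled on the entries quoted above.

```python
import ipaddress

# Names that legitimately map to loopback and should not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

def sinkholed_hosts(hosts_text: str) -> list:
    """Return (hostname, address) pairs where a hosts file maps a non-local name to a
    loopback or unspecified address, the pattern used to cut off security sites."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                              # malformed address field; skip the line
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        hits.extend((name, addr) for name in names if name.lower() not in LOCAL_NAMES)
    return hits

# Constructed sample modelled on the mangled hosts file quoted above.
SAMPLE_HOSTS = """# default entries
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com   # trailing comment
0.0.0.0   www.rising.com.cn www.rising.com
"""
```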

ThreatFire currently is preventing these worms as “Worm.Injector”. In the past, we’ve seen similarly effective social engineering schemes:
MSN IM Worm
Surge in IM worm activity — don’t look at that cute puppy
New Undetected Worm
Bot on the loose — careful with images

Please do not run these files when they arrive.