Archive for the ‘Obfuscation’ Category

« Older Entries

Streamviewer’s .gif Images Embedded with Encrypted Malware

Tuesday, June 16th, 2009

Our post last week warned on a group moving their FakeAv-Koobface-Vundo-Spyware “softwarefortubeview” phony codec downloader to a new home last week, and this week, we are examining a similar scheme that downloads, surprise, surprise, Koobface, FakeAv prompting BHOs like iehelper.dll’s prompts for “Antivirus system PRO”, performs some level of click fraud, installs podmena.dll and podmena.sys…this one also includes a nice ftp credential stealing component, stealing passwords from FileZilla, Coffee Cup, FTP Control, CuteFtp and more.

Streamviewer.40050.exe (and other streamviewer + random version names) has been flying off the shelf at a server on 64.20.38.171. That ip hosts multiple badware domains:
go-exe-go.com
reverse38-170.reserver.ru
gruzzilla.com
hot-exe-area.com
last-exe-portal.com
main-exe-home.com
super-exe-home.com

Interesting about the downloader is the way in which additional malware is downloaded and dropped by this phony codec. It contacts a set of servers with encoded data about the system.
reportsystem32.com (216.240.146.119)
terradataweb.com (66.199.229.229)
dvdisorapid.com (64.27.5.202)
superimagesart.com (95.211.8.61)
thenewpic.com (66.148.80.4)

It then pulls out data from a decoded xml file containing a list of urls to contact for a variety of .gif images (titem.gif, qwerce.gif, 217.gif, etc).
superimagesart.com
thenewpic.com
stockshopimages.com
imagesoffline.com
theimagesphoto.com
imageheadphones.com

At the time of download, gif viewers will display titem.gif with a political message about french politician Christine Boutin:

Know that we do not endorse any political message with this post. But this gif image is no ordinary image. If it were, its size might reach 35 kb at the most. Embedded in the image is the encrypted payload, bloating the image out over a couple hundred kilobytes (~270 kb).
The downloader gathers the response information from the previous sites to find more urls to contact and finds its decryption key. It then uses its key to decrypt the code embedded within downloaded gifs.

Much like the recent (and possibly related) beladen downloader and the older Tibs downloaders, this malware delivery embedded image scheme attempts to evade gateway appliance based protection and optimized AV scans with gif-based encrypted payloads. It stymies automated web crawling based research efforts. No longer are we seeing simple xor decoding schemes with visible PE headers in downloaded image files. The encryption implemented for this attack was another previously commerical and proprietary encryption algorithm.
ThreatFire is preventing this downloader in fairly high prevalence.

Posted in Embedded trojan, Evasion technique, Obfuscation, Reversing | No Comments »

Zbot IM and invoice_8612112

Wednesday, March 4th, 2009

Another repacked variant of Zbot, the banking password stealer component of the all-too-common exploit/trojan kit Zeus, is being distributed over Yahoo! Messenger, in email, and being downloaded via web browser. There is no regional concentration, we’ve seen triggers in Argentina, Alaska, Philippines, Romania, California — it’s globally distributed. Detection is poor and this variant has been obfuscated well.

Do not fall for IM messages or email claiming to warn you of a UPS delivery failure, carrying a zip archive (invoice_8612112.zip) and containing a filename like invoice_8612112.exe. If you do see such a thing, please make a copy of the text of the message and contact us in our comments section. It seems to be changing. Do not run the file.

Posted in Crimeware, Obfuscation, Undetected malware, ZBot | No Comments »

Rigged pdf files

Monday, November 10th, 2008

Pdf malware is being actively distributed. Our user community is seeing a slew of rigged pdf files attacking various buffer overflow vulnerabilities in the Adobe Acrobat Reader software, including the newest publicly known. Sometimes, the user is duped into downloading malicious files appearing to be Microsoft software updates. More often, they appear to be downloading silent malicious installers.

A couple of the downloaded, packed files appear to carry with them tricks that continue to evade AV file scanning with VirusTotal results at 5/36.

For example, a chunk of the standard download and execute shellcode that we are currently seeing pulls a file from hxxp://ascoprguide. net/lel / load.php?xpl=pdf, renames it as c:\\U.exe, and runs it on the victim’s system. This “U.exe” then runs and installs other adware and spyware related components.
Other downloads are installing various Rogueware packages, like the ones we presented at Virus Bulletin 2008.


Be sure to visit the Adobe site and update your Acrobat Reader software.

Posted in Exploit, Obfuscation, Rogueware, Vulnerability | No Comments »

« Older Entries