|
Archive for the ‘Password stealing’ Category
Tuesday, March 2nd, 2010
Spanish law enforcement nabbed three operators of the Mariposa botnet: “Authorities identified them by their Internet handles and their ages: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25.”
The massive infection rate described in the article presents just another reason why you need our quiet ThreatFire product protecting your workstation. On a weekly basis, thousands of updated ThreatFire-protected systems were attacked and protected from variants of the bots with a feature we call “behavioral recognition”. It is far superior to AV file scanner signatures and definitively identifies the behavior of malware families like the bots that were a part of the Mariposa botnet. Problems with signature based AV scanner recognition and various Mariposa variant bots were described in a technical paper here.
If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.
Posted in Bot, Crimeware, Evasion technique, IM Worm, Malware Counts, Obfuscation, Password stealing, Uncategorized, Worm | 1 Comment »
Wednesday, January 27th, 2010
As a followup to our early Jan Bredolab email blast warning, this post presents technical details and functionality about the payload accompanying the delivery notice + invoice attachment. While past posts have described the downloader’s windows api hook overwrite functionality, related social engineering techniques, its Zbot and FakeAv downloads, this post identifies a different injection and banking password stealing payload.
The Bredolab downloader variant repeats the same exploits to bypass security apps and perform “hook overwrites”. It abuses the same exploits as our previous variant; MS07-017, MS08-025, CVE-2004-2339. These hook overwrites are performed across the dropper threads and all injected threads (within explorer.exe and svchost.exe) with a simple comparison and copy: rep movs dword ptr es:[edi], byte ptr ds:[esi].
After the injection into explorer, the malcode reports its installation and retrieves info at dollardream .ru, dropping a tmp file to disk and running it. Following the connection with dollardream. ru, the new process creates a directory under users\application data\microsoft\windows and the mspdp<number>.dll, making the dll a persistent presence on the system with an AppInit_dlls registry entry. After the dll and reg key have been created, it deletes itself and calls InitiateSystemShutdown, restarting the system.
Because this DLL maintains an entry under the AppInit_DLLs registry key, it reliably will load into each process running on the victim system’s, including all web browser processes. At dll load time within Internet Explorer, for example, it hooks a dozen different windows API prologues. The malicious code is precisely placed to be reliably notified when data important enough to be encrypted is being sent off of the machine. It intercepts and examines all user data prior to encryption. When data being sent over http is examine, the code first performs a hash comparison on the HTTP headers to identify “interesting” Urls. These approximately 25 “interesting” Url strings are all banking and financial account related, except for a couple social networking and photo share web sites. Here is a view of the code locating content within the raw packet data, after a user has typed their username/pass and clicked on “Login”:
Once the malcode parses the data stream and identifies interesting locations within the stream, it retrieves the input data (i.e. banking user names and passwords), and immediately writes the sensitive data out to file. The file is placed in the same subdirectory as the dll itself, in our lab example: “all users\application data\Microsoft\Windows\Network\Network\mspdb80.dll”. This “.dll” file extension and name choice mimics that of a legitimate file distributed with Visual Studio, and instead contains the stolen login data in plain text. This content is gathered and sent off the system to a server hosted in Russia in the 109.196.143.xx range…
As you can see, it is very important to pay attention to the attachments that you attempt to open, and whether or not they are malicious executables or just look like a harmless spreadsheet.
Update (2/10/2010): appears that other researchers are interested in alerting the public as well, only their February writeup includes interesting details that ACH and wire transfer institutions are targeted by the dll, in addition to what was posted above.
Posted in Bredolab, Password stealing, Spyware | No Comments »
Thursday, December 31st, 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.
Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.
Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.
As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.
Posted in AMTSO, Bot, Bredolab, Crimeware, FakeAlert, Koobface, Malware Estimates, Password stealing, Rogueware, Sality, Social Engineering, Vundo, Waledac, ZBot | No Comments »
|
|
|
|
