Archive for the ‘Trojan’ Category

Windows Defender 2010 FakeAv at the Top of this Morning’s List

Tuesday, February 16th, 2010

The group behind “live-windowsantivirus. com” is having a very busy morning distributing Rogueware XP Internet Security 2010. We grabbed some snapshots for you of the current incarnation of the malware, since users appear to be falling for it in large numbers. The full window and the balloon popup stating “System Danger! Your system security is in danger” must be convincing…


Fake scan results are presented immediately…


As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred”, see the window’s title bar.


Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window, claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen, recommending activation of XP Internet Security 2010…


When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010″ appears…


Running down the side of the page, they make fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:


Entering personal information into the form POSTS the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:


ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

Cutwail Spamming for Russian Spammers

Monday, February 1st, 2010

Spam continues to clog the internet with providers reporting spam stuffing 80% – 95% of all email content en route. It’s an ongoing problem into 2010, so last week we examined the active spambot Tedroo, some of its suspicious behaviors, one of its anti-debug/antiRE techniques, and its spam delivery. This week we’ll take a look at Cutwail, a long standing and very active downloader/spambot that suggests regardless of various ISP takedowns, the underground market continues to thrive.

In what seems to be fairly unique to Cutwail (also described as Pandex and Pushdo), the initial Cutwail component delivered to a victim’s system is a downloader/dropper, and the spambot code itself doesn’t touch the disk. This scheme is by design. The spambot code appears to exist relatively unchanged over time, while that initial delivery component is re-developed, re-packed and re-distributed in a myriad of ways along with a set of other components. The end goal is to execute the spambot on the system without it touching disk and without maintaining its code in the downloader.

This particular Cutwail downloader connects to these hosts to download the spambot payload and data (domains modified for readability)…

75.126.159 .19:443
89.149.254 .213
89.149.244 .141
94.75.233 .173:443
94.75.233 .171
94.75.233 .172
89.149.244 .23
aaa.oduvanchic .com
aaa.news2days .ru
fireas*eye .com
f*ckbriankrebs .com
antisgetout .cn

It will attempt to connect to one of the above web severs every 20 seconds until a payload is available and downloaded. The sites are actively brought up and down and often do not respond to an infected host, stymieing research progress on the bot. The bot and data payload itself is served up from these hosts as one encrypted stream of data. Once the downloader completes retrieval, the downloader will deobfuscate/decrypt the payload and launch svchost.exe in suspended mode, injecting the payload into that newly spawned process’s memory. After modifying some the loader data structures inside the process via the GetThreadContext/SetThreadContext APIs, the injector redirects execution to the injected code causing the payload to be run instead of the svchost code.

Due to the complicated packing schemes and highly variable injector code, these initial injectors seem more difficult to detect than the relatively consistent spam payload.  Since the payload is injected directly into a real windows process and does not get written to disk, it proves to be quite elusive.

Once injected and run, the spambot code waits a prolonged period of time to begin its spam run. From our lab, after an eye-rollingly long wait, we collected image-based spam sent out to market prices to Russian readers for spam services:


The image advertises a Moscow based phone line for the “Email distributions. Affordable prices – high quality” touted across the top and the left panel. Price ranges are provided for both Moscow and Russia blasts below (we added the price conversions to USD):

Our price list:
Whole Moscow  =  5000 rubles  ($166 USD)
4 distributions in Whole Moscow  =  10000 rubles  ($333 USD)
Whole Russia = 10000 rubles  ($333 USD)
4 distributions in Whole Russia = 20000 rubles  ($666 USD)
Russia+CIS (Commonwealth of Independent States, the territory of the former USSR)  = 15000 rubles  ($500 USD)
4 distributions in Russia+CIS = 30000 rubles  ($1000 USD)
We have:
-The lowest prices on a market.
-The most present day software.
-Regularly updated databases.
-High response from distribution.

Much Tedroo about Nothing, other than “Viagra Professional”

Tuesday, January 19th, 2010

In an early-2009 literary flourish we condemned spammers to hell, discussed the Tedroo spambot’s increased momentum due to the shutdown of other botnets, posted screenshots of the Tedroo spewed pharmaceutical spam and related scam sites, and noted its distribution via malicious pdf files. Tedroo’s increased presence and its distribution is continuing into 2010. As a matter of fact, while the distributors are relying on users’ delays in updating their vulnerable pdf readers like Acrobat, the distributors are actively maintaining/modifying the bot itself — AV scanner results on the repacked binaries are very low as the modified variants are newly re-released.

Vulnerable systems with out-of-date Adobe Acrobat installs are the main focus of the attacks involving the Tedroo spambot. The spambot commonly is being distributed via a set of canned attacks using what appears to be a version of the Liberty Exploit kit. The Liberty pack maintains an effective set of Acrobat attacks, and considering the thousands of Acrobat attacks prevented on ThreatFire systems since the beginning of Jan, the attacks themselves are well chosen — vulnerable versions of Acrobat Reader continue to be readily available, even in this new decade. 

Once the malformed pdf’s shellcode is passed control on a victim system, it attempts to download multiple components from another server. In our samples, a system hosted in China. There are several downloads to choose from on the server. The first of the files is a loader, carrying a packing stub somewhat similar to the recent Bredolab packed malware with an outer layer of encryption on top of a UPX packed inner layer. It drops a dll to an alternate data stream of a random file in the windows or system32 directory. It then registers that ADS in the AppInit_DLLs so that the dll is loaded at startup. The dll is loaded, and maintains a long list of paths and executables. Most are related to security solutions (examples are listed below) and system components. It terminates a group of them immediately. It then adds entries for security software to the Restricted Software Policy list in the registry, an AVKill method that we haven’t seen fully described as one elsewhere:  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\<SID>

C:\Documents and Settings\All Users\Application Data\PC Tools
C:\Program Files\Common Files\PC Tools
C:\Program Files\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
C:\Program Files\ESET
C:\Program Files\Panda Security
C:\Program Files\Avira
C:\Program Files\Norton AntiVirus
C:\Program Files\Alwil Software
C:\Program Files\Agnitum
C:\Program Files\Symantec

With that undetected (on the day of discovery) component loaded and AV processes killed, the Tedroo spambot is loaded. In the latest loader variants associated with the bot, we observe an interesting entry point with anti-debug and anti-emulator tricks that can be vaguely described as an abuse of “Modern” CPU Instructions. In this case, the packer implements an unexpected x86 VMX instruction — VMLAUNCH. Versions of reverser-friendly Ollydbg decode it to “sgdt edx” and cannot handle the instruction at runtime, reporting to the user that it does not know how to step into it, while some vendor emulators also have a difficult time decoding it. 

Olly sgdt

Windbg, on the other hand, decodes the vmlaunch command properly as specified by the Intel Reference material, seen below…

Windbg vmlaunch

Following the malware entrypoint, a windbg deadlisting shows “mov ecx, 0×4fffh”, followed by the vmlaunch. On processors we observed, this setup thows an exception for an Illegal Instruction with ecx = 0×4fffh. The writers of this trick, however, took it upon themselves to force the code to trigger this exception 20,479 times (the decimal representation of 0×4fffh). It’s implemented by registering an SEH pointer to code that simply stores the counter, decrements it, and returns back into the ExcecuteHandler2 function within ntdll that’s within the standard flow of Windows exception handling. Each time, the exception “handler” code returns back into RtlDispatchException and eventually NtContinue, where CONTEXT.eip takes control directly back to the Illegal Instruction location, triggering yet another exception. When the counter finally is decremented to zero, the unpacking stub then modifies CONTEXT.eip on the stack so that flow passes out of this exception loop at ntdll.NtContinue and further into its unpacking stub. Tricky stuff indeed.

Decrement ecx value within the process CONTEXT struct

Decrement ecx value within the process CONTEXT struct

Continuing on its code path, the code first checks if it’s been run before on the victim system, looking for registry values it creates:

HKCU  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKCU  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
    value: userini path: c:\windows\explorer.exe:userini.exe

It copies itself as an alternate data stream of explorer.exe

It sets this ADS to load at startup in the various autorun registry entries listed above, and then runs thru a series of sleeps/gettickcout to delay activity and cloak itself.

 After a long wait, the spambot calls InternetConnectA and HttpOpenRequestA to contact its hardcoded server and retrieves more spam templates. The resulting spam recently has all led to www . pharm directbook .com, another ”Canadian Pharmacy #1 Internet Online Drugstore”. This behavior is similar to that noted in our past post. The sites have been run for years by a group otherwise known as “Glavmed“, selling knockoff, illegal pills with shifty names like “Viagra Professional”…

www .pharmadirectbook. com


In spite of the significant shutdowns over the past year, spam like Tedroo’s continues to mess it all up on the net. Don John couldn’t have tried to mess up a good thing any better himself.