Fake scan results are presented immediately…

As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred”, see the window’s title bar.

Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window, claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen, recommending activation of XP Internet Security 2010…

When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010″ appears…

Running down the side of the page, they make fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:

Entering personal information into the form POSTS the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:

ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

In what seems to be fairly unique to Cutwail (also described as Pandex and Pushdo), the initial Cutwail component delivered to a victim’s system is a downloader/dropper, and the spambot code itself doesn’t touch the disk. This scheme is by design. The spambot code appears to exist relatively unchanged over time, while that initial delivery component is re-developed, re-packed and re-distributed in a myriad of ways along with a set of other components. The end goal is to execute the spambot on the system without it touching disk and without maintaining its code in the downloader.

This particular Cutwail downloader connects to these hosts to download the spambot payload and data (domains modified for readability)…

75.126.159 .19:443
89.149.254 .213
89.149.244 .141
94.75.233 .173:443
94.75.233 .171
94.75.233 .172
89.149.244 .23
aaa.oduvanchic .com
aaa.news2days .ru
fireas*eye .com
f*ckbriankrebs .com
antisgetout .cn

It will attempt to connect to one of the above web severs every 20 seconds until a payload is available and downloaded. The sites are actively brought up and down and often do not respond to an infected host, stymieing research progress on the bot. The bot and data payload itself is served up from these hosts as one encrypted stream of data. Once the downloader completes retrieval, the downloader will deobfuscate/decrypt the payload and launch svchost.exe in suspended mode, injecting the payload into that newly spawned process’s memory. After modifying some the loader data structures inside the process via the GetThreadContext/SetThreadContext APIs, the injector redirects execution to the injected code causing the payload to be run instead of the svchost code.

Due to the complicated packing schemes and highly variable injector code, these initial injectors seem more difficult to detect than the relatively consistent spam payload.  Since the payload is injected directly into a real windows process and does not get written to disk, it proves to be quite elusive.

Once injected and run, the spambot code waits a prolonged period of time to begin its spam run. From our lab, after an eye-rollingly long wait, we collected image-based spam sent out to market prices to Russian readers for spam services:

The image advertises a Moscow based phone line for the “Email distributions. Affordable prices – high quality” touted across the top and the left panel. Price ranges are provided for both Moscow and Russia blasts below (we added the price conversions to USD):

Our price list:
——————————————————
Whole Moscow  =  5000 rubles  ($166 USD)
4 distributions in Whole Moscow  =  10000 rubles  ($333 USD)
——————————————————
Whole Russia = 10000 rubles  ($333 USD)
4 distributions in Whole Russia = 20000 rubles  ($666 USD)
——————————————————
Russia+CIS (Commonwealth of Independent States, the territory of the former USSR)  = 15000 rubles  ($500 USD)
4 distributions in Russia+CIS = 30000 rubles  ($1000 USD)
——————————————————
We have:
——————————————————
-The lowest prices on a market.
-The most present day software.
-Regularly updated databases.
-High response from distribution.

Vulnerable systems with out-of-date Adobe Acrobat installs are the main focus of the attacks involving the Tedroo spambot. The spambot commonly is being distributed via a set of canned attacks using what appears to be a version of the Liberty Exploit kit. The Liberty pack maintains an effective set of Acrobat attacks, and considering the thousands of Acrobat attacks prevented on ThreatFire systems since the beginning of Jan, the attacks themselves are well chosen — vulnerable versions of Acrobat Reader continue to be readily available, even in this new decade. 

Once the malformed pdf’s shellcode is passed control on a victim system, it attempts to download multiple components from another server. In our samples, a system hosted in China. There are several downloads to choose from on the server. The first of the files is a loader, carrying a packing stub somewhat similar to the recent Bredolab packed malware with an outer layer of encryption on top of a UPX packed inner layer. It drops a dll to an alternate data stream of a random file in the windows or system32 directory. It then registers that ADS in the AppInit_DLLs so that the dll is loaded at startup. The dll is loaded, and maintains a long list of paths and executables. Most are related to security solutions (examples are listed below) and system components. It terminates a group of them immediately. It then adds entries for security software to the Restricted Software Policy list in the registry, an AVKill method that we haven’t seen fully described as one elsewhere:  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\<SID>

C:\Documents and Settings\All Users\Application Data\PC Tools
C:\Program Files\Common Files\PC Tools
C:\Program Files\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
C:\Program Files\ESET
C:\Program Files\Panda Security
C:\Program Files\Avira
C:\Program Files\Norton AntiVirus
C:\Program Files\Alwil Software
C:\Program Files\Agnitum
C:\Program Files\Symantec

With that undetected (on the day of discovery) component loaded and AV processes killed, the Tedroo spambot is loaded. In the latest loader variants associated with the bot, we observe an interesting entry point with anti-debug and anti-emulator tricks that can be vaguely described as an abuse of “Modern” CPU Instructions. In this case, the packer implements an unexpected x86 VMX instruction — VMLAUNCH. Versions of reverser-friendly Ollydbg decode it to “sgdt edx” and cannot handle the instruction at runtime, reporting to the user that it does not know how to step into it, while some vendor emulators also have a difficult time decoding it. 

Windbg, on the other hand, decodes the vmlaunch command properly as specified by the Intel Reference material, seen below…

Following the malware entrypoint, a windbg deadlisting shows “mov ecx, 0×4fffh”, followed by the vmlaunch. On processors we observed, this setup thows an exception for an Illegal Instruction with ecx = 0×4fffh. The writers of this trick, however, took it upon themselves to force the code to trigger this exception 20,479 times (the decimal representation of 0×4fffh). It’s implemented by registering an SEH pointer to code that simply stores the counter, decrements it, and returns back into the ExcecuteHandler2 function within ntdll that’s within the standard flow of Windows exception handling. Each time, the exception “handler” code returns back into RtlDispatchException and eventually NtContinue, where CONTEXT.eip takes control directly back to the Illegal Instruction location, triggering yet another exception. When the counter finally is decremented to zero, the unpacking stub then modifies CONTEXT.eip on the stack so that flow passes out of this exception loop at ntdll.NtContinue and further into its unpacking stub. Tricky stuff indeed.

Decrement ecx value within the process CONTEXT struct

Continuing on its code path, the code first checks if it’s been run before on the victim system, looking for registry values it creates:

HKCU  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKCU  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
    value: userini path: c:\windows\explorer.exe:userini.exe

It copies itself as an alternate data stream of explorer.exe
     c:\windows\explorer.exe:userini.exe

It sets this ADS to load at startup in the various autorun registry entries listed above, and then runs thru a series of sleeps/gettickcout to delay activity and cloak itself.

 After a long wait, the spambot calls InternetConnectA and HttpOpenRequestA to contact its hardcoded server and retrieves more spam templates. The resulting spam recently has all led to www . pharm directbook .com, another ”Canadian Pharmacy #1 Internet Online Drugstore”. This behavior is similar to that noted in our past post. The sites have been run for years by a group otherwise known as “Glavmed“, selling knockoff, illegal pills with shifty names like “Viagra Professional”…

In spite of the significant shutdowns over the past year, spam like Tedroo’s continues to mess it all up on the net. Don John couldn’t have tried to mess up a good thing any better himself.

 And here is a screenshot with the extensions visible:

Some of the names being used and designed to fool users include…

UPS_INVOICE_NR81913.ZIP
UPS_INVOICE_NR81913.EXE
UPS_invoice_NR43193.zip
UPS_INVOICE_NR43193.EXE
UPS_invoice_NR12090.zip
UPS_INVOICE_NR12090.EXE
UPS_invoice_NR74225.zip
UPS_INVOICE_NR74225.EXE
UPS_INVOICE_NR10124.ZIP
UPS_INVOICE_NR10124.EXE
UPS_INVOICE_NR85411.ZIP
UPS_INVOICE_NR85411.EXE
UPS_INVOICE_NR76225.ZIP
UPS_INVOICE_NR76225.EXE

Be sure to examine the contents of .zip files prior to attempting to open them. We will update this post as more information is available.

The malicious Koobace worm that ThreatFire has been preventing on desktops is served up and named “setup.exe” from this site. Interestingly, a number of these ip addresses serving up Koobface have been in use by Waledac distributors.

The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these ip addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of javascript (mods mine) hosted on redirect pages that examines the victim’s search url, and based on a list of extremely popular social networking sites, redirects them to a variety of spoofed pages:

// KROTEGvar
abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavioral-based solution like ThreatFire as a layer on your system.

As in previous posts, we find that the end game is to install password stealing components. Some of the subject lines look like
“FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by __insert name here__)”
“FaceBook message: facebook members Dancing In Striptease (Last rated by __name here__)”
“FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by __name here__)”

The message content includes text like
“You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 21, 2009! We’re absolutely shocked!”. Proceed to view full video message: hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)324uptdate(dot)com/home.htm?/logon/application=999″

Clicking on the link in turn redirects the user’s browser to another set of sites hosting a video, prompting the user to download and install Flash_Adobe11.exe. Don’t bother, it’s still not the real flash player. Instead, Zbot malware is installed. Here is a censored screenshot of one of the attacking sites:

ThreatFire is preventing the malware from running on a fair number of community systems right now. Do not run Flash_Adobe11.exe from these sites.

The source of the file, “jk982732-2309.zip”, which extracts simply to an aspack’ed “jk982732-2309.exe”, is not entirely clear at this point. If any of our users have seen this file prevented on their desktop, please contact us on the forums or here in the comments with some information on its source and any IM messages or email related to this file.

A dead giveaway that something is unusual is the “Google Inc” file company name property, along with the Microsoft MSN butterfly icon:

Another giveaway that something is amiss is that the file also attempts to download components from free web hosting site “nofeehost.com” that masquerade as Brazilian security Buster Browser Defense components.

Any further information from users would be welcome.

So far, getting the user to run an executable (or exploiting a system running vulnerable third party pdf reader plugins) that modifies the hosts file with “browser-security.microsoft.com” to redirect to 195.245.119.131 and launch a browser to a page on that domain seems to be a fairly prevalent tactic. The links on the page direct the user to pay for another piece of rogueware called “Spyware Protect 2009″. In no way is this site associated with the real microsoft.com web presence.
Other domains shared by the group right now are sys-protection.com, sysguard2009.com, os-protection.com, swp2009.com, spy-protect-2009.com, spywprotect.com and some adult entertainment links. Avoid these domains and rogueware.

Update: The “Malware Analysis and Diagnostic” blog posted some additional information on the rogueware. Looks like an interesting blog, and for english readers, Google translate is your friend.

Update: More of the same technique found here.

Update: Michael Hale Ligh posted details of his investigation into a related incident here. In an update, he comments that the user’s system had an outdated version of Adobe Acrobat Reader, which was most likely the targeted vulnerable application. It’s excellent work and a great read for those interested in technical details.

Security researcher Paul Ferguson speculated that the original targeted attack, in which a Word document was sent to a select group of individuals, was similar to previous attacks targeting pro-Tibetan groups:
“Although Ferguson does not know who wrote the attack code, he said that it looks similar to software that was sent to pro-Tibetan groups about a year ago, apparently for the purpose of intelligence gathering…Whether this will lead to more widespread Internet Explorer attacks is unclear, Ferguson said.”

The exploit code itself is beginning to spread and has shown up on additional servers in the Pacific rim. While the original attack may have been very targeted, the exploit code itself looks the same. Even variable and function names remain the same across the exploit pages we’ve seen.
The shellcode and the delivered malware executables differ altogether across servers. In one case, the writers jumped through hoops to complete some stable download and execute shellcode, and in another, the writers added some unusual loops to download “menu.dat” to the user’s temp directory and execute it as “U.exe”.
The original executable was not packed and dropped a dll that phoned data over an encrypted session to a server hosted in China. The second, U.exe, is a downloader packed with a somewhat common compressor known as nPack.
So it appears that different groups already are using the exploit, leading us to believe that this reliable and effective exploit code will continue to spread in the wild.

Be sure to update your Windows system if you have not done so already.

“Setup.exe” is being offered at hxxp://softupdate09.com, along with a misleading guarantee that the software was “100% checked by antivirus”. To be sure, the file may have been checked by antivirus, but the results certainly aren’t posted on that site. Do NOT run the file.

As can be seen on the ThreatExpert report, the file installs a “CMVideo.dll” Bho. Aside from downloading other malware, the Bho component will redirect any google search result link to a set of affiliate servers. So, clicking on a google results link will pop open a new browser to “toseeka.com”:

This somewhat more sophisticated adware technique is becoming commonplace nowadays. Popups have been clearly defined as “badware”. Sleuthing down additional behavior like this adware’s can be involved, tiresome and not quite as intrusive.

Also interesting are some of the links that the setup file drops on the user’s desktop. Currently, the “Cheap Software” link directs the user to hxxp://www.download-provider.com/?aff-id=1280. The site seems to offer a $4.95 a month service, and claims to serve up “over 1,400,000 files for you, consisting of over 1,200,000 GB of data. If you’re looking for it online, you’ll be sure to find it with us.”
Over at a complaints forum, there are a few other descriptions of the site, along with a comment that a user has filed a complaint with the Internet Crime Complaint Center (IC3) regarding the site this past Wednesday.