Archive for the ‘Vundo’ Category
Monday, December 1st, 2008
Malware shows up in the most unexpected places. One of my previous colleagues regularly dismissed the idea of computer infections as ridiculous, but networked Windows systems really are ubiquitous. And this last week’s Thanksgiving trip provided another location to observe computer malware affecting unsuspecting Windows users.
This year’s birthday celebration for our 92-year old grandmother was fantastic at her new home. Singing, dessert, multiple generations of our family were together for the holiday and grandma was in a great mood in her new digs.
In the meantime, a few of us celebrants, full of pizza and cake, left the party to check out the community building — the pool table on the fourth floor, pianos on the first. After knocking an 8-ball around the pool table at 8 p.m. in the relative quiet of the home, we noticed a computer center along the way back to the elevators. The monitors in that center could not have displayed a more disappointing screen. Next to a little “M” square in the system tray (a competing AV product that will remain nameless here) was a large red circle with a white X through it and a familiar fakealert bubble caption containing a frightening message about an infection and loss of privacy: “Privacy Violation Alert! Antivirus 2009 detected a Privacy Violation”.

A quick look at the registry and Task Manager showed a spambot, the brastk.exe fakealert downloader, AntiVirus 2009, and a Vundo component all installed and running. The brastk.exe downloader, one of the most familiar fakealert components that is being prevented in the ThreatFire community, was running full bore, and the Vundo DLL locked up the CPU from within the explorer process. Add half a dozen ads open in half a dozen hung Internet Explorer windows, and the system was unusable. There were various poker game shortcuts on the desktop, so I’m guessing that one of the senior citizens looking to play a game mistakenly installed a package of malware on the system, assuming that the free game was innocent and the system was protected. For a group of elderly people who don’t know much about technology but want to use it, this is very disappointing and discouraging.
Along those lines, the recent unusual and severe Mytob infection that brought down several British hospitals (the London Chest Hospital, the Royal London Hospital and St Bartholomew’s) highlights the need for layered security as well. Malware is as ubiquitous as the PC itself.
Posted in Adware, AntiMalware Solutions, Incident, Rogueware, Social Engineering, Undetected malware, Vundo | No Comments »
Monday, September 29th, 2008
While we’ve been calling it Rogueware for years around here, Microsoft and the state of Washington Attorney General’s office are filing a set of complaints against “scareware” makers. It’s interesting that lawsuits can be filed against “John Doe” actors in the complaints, as written up by Elinor Mills on CNet: “Microsoft filed five new lawsuits and amended two previous complaints against SMP Soft, all relating to programs that allegedly falsely alert consumers to problems on their computers and offer to sell software fixes. The programs listed include Scan & Repair, Antivirus 2009, MalwareCore, WinDefenderXPDefender.com and WinSpywareProtect. Most of the defendants are listed as “John Doe” because investigators do not yet know the identities of the people behind the programs.”

Kurt Baumgartner, Chief Threat Officer of our research group, was selected to give a timely, last-minute technical presentation on Thursday of this week on “Recent rogueware” at Virus Bulletin 2008 in Ottawa, Canada. The presentation will focus mostly on technical aspects of Rogueware currently in the wild, including a couple of software packages listed in the complaint, the ridiculous but popular MonaRonaDona hoax, and various methods of delivery. Regardless of the filings, the threats continue to evolve online and are active today, much like the image above.
Posted in FakeAlert, Rogueware, Virus Bulletin, Vundo, Zlob | No Comments »
Tuesday, June 17th, 2008
It seems that quite a bit of malware is being classified as Vundo (Virtumonde) these days. With the volume of malware currently being distributed in dynamic link library form, it is not always easy to differentiate one from another. Frequently these modules are statically linked with C and C++ runtimes, compression, and GUI libraries, which can slow analysis down. In addition to all this embedded library code, Vundo’s code seems to be under constant development and is updated to fix bugs, add a new piece of functionality, or add more randomization to prevent signature recognition quite frequently.
However, there is one construct that the developers behind the code seem to enjoy using. In almost every place where an event name, and sometimes a registry value name, is created, the name is produced by a function that is similar across variants.
The function derives this name from an attribute of the infected computer: the serial number assigned to the “C:” drive volume when it was last formatted by the operating system. That serial number is then obfuscated by one or more bitwise CPU instructions (an XOR in the sample below) against a constant chosen by the programmer. The result is converted into an eight-character hex string and returned for use as the name.
The recognition of this function can help positively ID a Vundo sample. The source code representation of this function would look similar to this:
#include <windows.h>

#define arbitrary_vundo_number 0xFDEC

/* Build an event/registry value name from the C: volume serial number.
   output must hold at least 9 bytes ("%08x" plus the terminator).
   Returns the number of characters written. */
int generate_number(char *output)
{
    DWORD volume_serial_number = 0;

    /* ANSI variants match the GetVolumeInformationA/wsprintfA imports
       seen in the disassembly and compile regardless of UNICODE. */
    if (!GetVolumeInformationA("c:\\", NULL, 0, &volume_serial_number,
                               NULL, NULL, NULL, 0))
        volume_serial_number = 0;   /* call failed: fall back to a fixed value */

    volume_serial_number ^= arbitrary_vundo_number;

    return wsprintfA(output, "%08x", volume_serial_number);
}
Actual Vundo assembly code looks like this:
push    esi                         ; nFileSystemNameSize
push    esi                         ; lpFileSystemNameBuffer
push    esi                         ; lpFileSystemFlags
push    esi                         ; lpMaximumComponentLength
lea     eax, [ebp+VolumeSerialNumber]
push    eax                         ; lpVolumeSerialNumber
push    esi                         ; nVolumeNameSize
push    esi                         ; lpVolumeNameBuffer
push    offset RootPathName         ; "c:\\"
mov     [ebp+VolumeSerialNumber], 123h
call    ds:GetVolumeInformationA
xor     [ebp+VolumeSerialNumber], 34D2121h
push    [ebp+VolumeSerialNumber]
push    offset a08x                 ; "%08x"
push    [ebp+arg_0]                 ; LPSTR
call    ds:wsprintfA
add     esp, 0Ch
pop     esi
leave
retn
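The generator above is simple enough to model off-box, which is what an analyst usually wants: given a machine's C: volume serial (from a forensic image or a live triage), compute the names this code would create for the XOR constants seen so far, and compare them with the event and registry value names actually found on the system. The following Python is an added example written for this post, not code from the original article or from the malware; the two constants (0xFDEC from the C sketch, 34D2121h from the disassembly) come from the post, while the volume serial, the observed names and the assumption that a failed GetVolumeInformationA call leaves the pre-seeded 123h in place are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, Optional

# XOR constants taken from the post: 0xFDEC from the C sketch and
# 0x34D2121 from the disassembly. Other variants will use other constants.
KNOWN_VUNDO_KEYS = (0xFDEC, 0x034D2121)

# The disassembled variant stores 123h in VolumeSerialNumber before calling
# GetVolumeInformationA. Assumption for this example: if the call fails and
# never writes the buffer, that seed is what gets XORed instead.
PRESEEDED_SERIAL = 0x123

# wsprintf "%08x" emits exactly eight lowercase hex digits.
_NAME_SHAPE = re.compile(r"[0-9a-f]{8}")


def vundo_name(volume_serial: int, key: int) -> str:
    """Reproduce generate_number(): (serial XOR key) formatted with "%08x"."""
    return "%08x" % ((volume_serial ^ key) & 0xFFFFFFFF)


def recover_key(volume_serial: int, observed_name: str) -> Optional[int]:
    """Return the key that would turn volume_serial into observed_name,
    or None if the name does not even have the generator's shape.
    XOR is its own inverse, so any 8-hex-digit name yields *some* key;
    treat the result as a candidate to compare with known constants
    (or to cluster a new variant), not as evidence on its own."""
    if not _NAME_SHAPE.fullmatch(observed_name):
        return None
    return (int(observed_name, 16) ^ volume_serial) & 0xFFFFFFFF


def match_names(volume_serial: int, names: Iterable[str],
                keys: Iterable[int] = KNOWN_VUNDO_KEYS) -> Dict[str, int]:
    """Map each observed name that a known key generates from this serial
    (or from the pre-seeded fallback value) to the key that explains it."""
    expected: Dict[str, int] = {}
    for key in keys:
        expected[vundo_name(volume_serial, key)] = key
        expected[vundo_name(PRESEEDED_SERIAL, key)] = key
    return {n: expected[n] for n in names if n in expected}


if __name__ == "__main__":
    # Constructed sample data: a volume serial as GetVolumeInformation would
    # report it, plus event names "seen" on the box. None of these are real
    # indicators.
    serial = 0x1C8A5E3F
    observed = ["Global\\Session1", "1c8aa3d3", "MSCTF.Shared", "deadbeef"]
    for name, key in match_names(serial, observed).items():
        print("%s matches the Vundo generator with key 0x%X" % (name, key))
    # "deadbeef" has the right shape but no known key explains it; the
    # candidate key is worth recording if the same name shows up elsewhere.
    print("candidate key for deadbeef: 0x%X" % recover_key(serial, "deadbeef"))
```

The shape check alone is weak evidence (plenty of legitimate software uses hex-looking names), so the useful signal is a name that a known constant reproduces from that machine's own serial; a new constant recovered from several infected hosts with different serials is the usual way to extend KNOWN_VUNDO_KEYS for a fresh variant.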
Posted in Adware, Obfuscation, Reversing, Undetected malware, Vundo | No Comments »