Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

This year’s birthday celebration for our 92-year old grandmother was fantastic at her new home. Singing, dessert, multiple generations of our family were together for the holiday and grandma was in a great mood in her new digs.

In the meantime, a few of us celebrants, full of pizza and cake, left the party to check out the community building — the pool table on the fourth floor, pianos on the first. After knocking an 8ball around the pool table at 8 p.m. in the relative quiet of the home, we noticed a computer center along the way back to the elavators. The monitors in that center could not have displayed a more disappointing screen.
Next to a little “M” square in the system tray (a competing AV product that will remain nameless here), was a large red circle with a white X through it and a familiar fakealert bubble caption containing a frightenting message about an infection and loss of privacy: “Privacy Violation Alert! Antivirus 2009 detected a Privacy Violation”.

A quick look at the registry and taskman showed a spambot, the brastk.exe fakealert downloader, AntiVirus 2009, and a vundo component all installed and running. The brastk.exe downloader, one of the most familiar fakealert components that is being prevented in the ThreatFire community, was running full bore. And the Vundo dll locked up the CPU from within the explorer process. Add a half dozen ads open in half a dozen hung Internet Explorer windows, and the system was unusable.
There were various poker game shortcuts on the desktop, so I’m guessing that one of the senior citizens looking to play a game mistakenly installed a package of malware on the system, assuming that the free software game was innocent and the system was protected.
For a group of elderly that don’t know much about technology but want to use it, this is very disappointing and discouraging.

Along those lines, the recent unusual and severe Mytob infection bringing down several british hospitals (the London Chest Hospital, the Royal London Hospital and St Bartholomew’s) highlights the need for layered security as well. Malware is as ubiquitous as the PC itself.

Chief Threat Officer of our research group Kurt Baumgartner was selected to present a timely last minute technical presentation on Thursday of this week on “Recent rogueware” at Virus Bulletin 2008 in Ottawa, Canada. The presentation will focus mostly on technical aspects of Rogueware currently in the wild including a couple of software packages listed in the complaint, the ridiculous but popular MonaRonaDona hoax, and various methods of delivery.
Regardless of the filings, the threats continue to evolve online and are active today, much like the image above.

However, there is one construct that the developers behind the code seem to enjoy using. In almost every place where an event and sometimes registry value names are created, the name is generated by a function which is similar between variants.

The function derives this name from an attribute of the infected computer. The attribute is the serial number assigned to the “C:” drive volume when it was last formatted by the operating system. Then, the serial number is randomized by one or more bitwise cpu instructions against a number selected by the programmer. The result of these operations is converted into a string and returned for use.

The recognition of this function can help positively ID a Vundo sample. The source code representation of this function would look similar to this:

#include <windows.h>#define arbitrary_vundo_number 0xFDEC

int generate_number(char *output){    int return_value;    DWORD volume_serial_number;

    return_value = GetVolumeInformation("c:\\", NULL, 0,        &volume_serial_number, NULL, NULL, NULL, 0);

    volume_serial_number ^= arbitrary_vundo_number;

    return wsprintf(output, "%08x", volume_serial_number);}

Actual Vundo assembly code looks like this:

push    esi             ; nFileSystemNameSizepush    esi             ; lpFileSystemNameBufferpush    esi             ; lpFileSystemFlagspush    esi             ; lpMaximumComponentLengthlea     eax, [ebp+VolumeSerialNumber]push    eax             ; lpVolumeSerialNumberpush    esi             ; nVolumeNameSizepush    esi             ; lpVolumeNameBufferpush    offset RootPathName ; "c:\\"mov     [ebp+VolumeSerialNumber], 123hcall    ds:GetVolumeInformationAxor     [ebp+VolumeSerialNumber], 34D2121hpush    [ebp+VolumeSerialNumber]push    offset a08x     ; "%08x"push    [ebp+arg_0]     ; LPSTRcall    ds:wsprintfAadd     esp, 0Chpop     esileaveretn

In our previous post on peculiar Vundo capabilities, we detailed Vundo’s inclusion of Microsoft Research Detours source code in their malicious binaries. After googling Vundo and reading up on it, you still might not feel confident that you understand how one gets Vundo on their system. While there are malicious sites out there using commodity exploit kits to attack unpatched windows systems and install the Vundo components, and there may be a few cases of users receiving spammed email messages with links to the malware, from my perspective it seems that most of the Vundo infections on this planet have to do with crackz. That is, key generators that enable individuals to pirate software.

So we decided to stop by getcracks.com and get the latest. While the enticing allure of free software abounds, even more present is the pile of malcode served up from the site and its various providers. And what do you know? It looks like they have a crack for ThreatFire too!

Only before you go off to the site, thinking that you can find things for free, understand that nothing really is for free.

In this case, we extracted the executable and found five files inside: readme.bat, crack.exe, serial.exe, keygen.exe, and number.exe. The readme isn’t really a readme at all. When double clicked, the file simply runs the four executables that it is delivered with. And what do we find in the other four?
crack.exe — Trojan.Vundo/Trojan.Virtumonde
number.exe — Trojan-Downloader.Small.CML,Trojan.Nebuler!sd6/Trojan.Nebuler
keygen.exe — Trojan-Downloader.Small!sd5,Trojan-Downloader.Win32.Small.ury,Downloader,TROJ_DLOADER.NWJ
serial.exe — Trojan-Downloader.Trojan!sd6,Downloader.Trojan, Trojan-Downloader.Homles!sd6,Trojan-Downloader.Win32.Homles.br,Infostealer, Adware.Maxifiles

As you can see, things aren’t free. Vundo doesn’t travel alone. Some of that stuff could ruin your system and potentially steal sensitive information.
The crack.exe file itself drops multiple dlls. They are injected into multiple processes and display alarming ads. Often, it’s difficult to understand where the ads came from or why they are on the system at all — the loaded Vundo libraries do not start displaying these ads for at least a half day. In the meantime, they track your surfing habits and send the data back to a set of servers. Here are a couple of their latest ad campaigns. The first performs the standard phony scan on your machine and identifies malware that isn’t on the system, shocking the user into buying a rogueware package:

They are hawking rogueware from “AntiSpywareExpert.com”. Their website really looks pretty slick:

The second of the two ads performed another phony scan, and claimed that pornographic images and porn site cookies were all over the machine, which was false:

Steer clear of crackz and gaming cheatz! You’ll find much of the same.

Another malcrackz post here.

First off, the Detours project out of Microsoft Research focuses on “Binary Interception of Win32 Functions“. In other words, when a developer or malware writer wants to hook a function inline and insert their own code, they can intercept a win32 function with code from the Detours library.
To use this code commercially, “Detours Professional 2.1 includes a license for use in production environments and the right to distribute detour functions in products…For information on licensing Detours Professional 2.1 contact Microsoft’s IP Licensing Group at iplg@microsoft.com”. Let’s assume either that Microsoft never provided the vundo developers with a license or that the vundo developers never attempted to obtain a license for their “commercial” use.

One of Vundo’s library components currently in the wild is injected into processes as a part of its attack. This component may in turn be detected by anti-spyware scanners using the EnumProcessModules api call, which would provide an anti-malware scanner using that call with a handle to the injected module. And this is where the abuse begins.
You can see the malicious Vundo hook in this screenshot, implementing the hook functionality from the Detours library. Basically, if a process calls EnumProcessModules, the vundo appropriated code will intercept the win32 function and report that the module enumeration procedure failed. When the EnumProcessModules call fails, certain security scanners are unable to detect the vundo component’s presence:

How can Detours code be identified in this dll? Well, the source of the detours library can be placed side-by-side with the unpacked and disassembled vundo component. In many places, the same sequence and order of instructions and data is unmistakably identical. For the sake of brevity, we’ll focus on just a couple that briefly illustrates our point in this post.

Here, the deadlisting for the vundo function is on the left, and the matching Detours source code on the right. This chunk of Detours code is at the core of the hooking functionality within disasm.cpp of detours.lib. The source from the Detours library here is determining the length of the currently evaluated instruction and then copying the instruction to the trampoline buffer (this location is the place where the inlined vundo rootkit function can call back into the original function without interception). The appropiated code on the left is compiler optimized, and it is a mirror image of the Detours logic on the right:

Here, in a similar fashion, we see vundo functionality that was stolen from the Detours library calling the DetourCopyInstructionEx() function and an inlined detour_does_code_end_function() function. In this reversing illustration, the vundo function is performing checks to ensure the target function’s eligibility for interception. In other words, vundo’s appropriated Detours code is checking to see if the target function contains a select set of instructions that would prevent hooking: