The massive infection rate described in the article presents just another reason why you need our quiet ThreatFire product protecting your workstation. On a weekly basis, thousands of updated ThreatFire-protected systems were attacked and protected from variants of the bots with a feature we call “behavioral recognition”. It is far superior to AV file scanner signatures and definitively identifies the behavior of malware families like the bots that were a part of the Mariposa botnet. Problems with signature based AV scanner recognition and various Mariposa variant bots were described in a technical paper here.

If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.

Brontok is a mass mailing worm that isn’t mentioned all that often anymore, being out-amplified by sensations like Conficker/Downadup/Kido, but its many variants continue to show up all over the world. For the past month, our ThreatFire users in Mexico and Brazil have been most protected from these Brontok variants, being run and ThreatFire-prevented on desktops in high numbers.
The compromised hosts used to be abused as DDoS bots, attacking sites around the world in what was unconfirmed as hacktivism or blackmailing attempts. Now, however, the worm travels without a head in the sunniest tropics — the major provider (unwittingly at the time) hosting Brontok’s configuration files have long ago taken down Brontok-accessed command-and-control server accounts.

Instead of the Ftp 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and the Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users don’t patch systems for various reasons for years?) The worm itself attempts to exploit the aged vulnerability and deliver download and execute shellcode, pulling down and running more malware on the compromised host. That shellcode has been downloading an incremented-daily URL from a server hosted in England since August 2nd. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.

Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables, be sure to add a layer of behavioral protection to your system with ThreatFire.

The malicious Koobace worm that ThreatFire has been preventing on desktops is served up and named “setup.exe” from this site. Interestingly, a number of these ip addresses serving up Koobface have been in use by Waledac distributors.

The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these ip addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of javascript (mods mine) hosted on redirect pages that examines the victim’s search url, and based on a list of extremely popular social networking sites, redirects them to a variety of spoofed pages:

// KROTEGvar
abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavioral-based solution like ThreatFire as a layer on your system.

We noticed it this morning on multiple machines, and it seems to be spreading. The worm injects itself into the Windows explorer shell, and from there attempts to update multiple locations in the registry and removable drives like usb sticks with SETUP\DATA\June.exe.
It includes a nasty message in the accompanying autorun.inf file with a long annoying string.
;HEHhahahahehhehehahahahhehehehaha

It was packed with Armadillo, which potentially made it difficult to detect for the AV vendors — none detected it this morning, and this afternoon seems to bring only one or two vendors declaring it “suspicious” since we uploaded it to VirusTotal for sharing. Be sure to add true client-side behavioral protection to your system, and as always, use caution when sharing usb sticks with others.

We are seeing it running on systems alongside FakeAv installers, including “System Security”, where we see the fake scare tactics blaring “WARNING! 38 infections found!!!”. The two may be related, we are investigating.

Which of course, continues to nag the user with “System Security Firewall has blocked a program from accessing the internet” and pops its nag system tray balloon with “System Security Warning Your PC is still infected with dangerous viruses”

Or with a more sleek look on Vista:

The distributors of System Security Antivirus, another rogueware or FakeAv product, are redirecting Turkish users to a site encouraging them to download the malware with a familiar scheme: To watch this video you must have the Flash Player installed.
It appears that the group is worming through Windows Live Messenger to attract downloads in increasing prevalence. We’ll be investigating it in depth and posting details here.

The phony video page this time appears in Turkish, hosted on a Turkish server:
“Flash Player version uyumsuzlugu:
Tarayiciniz bu videoyu goruntuleyemiyor.
Bu videoyu izleyebilmek icin Flash Player yaziliminizin guncel olmasi gerekiyor.
Flash Player yaziliminizi guncellemek icin «Devam» butonuna tiklayiniz.”

The downloaded file, flashplayerupdate_01.exe, drops and runs advhost.exe from system32 to perform the dirty work and injects adlaunch32.dll into all newly started applications.

An interesting characteristic for the flashplayer_01 executable is its use of a spoofed, invalid digital signature, supposedly signed from Microsoft:

Conveniently, the english version of the attacking web page is hosted on the same server:

Of course, the payload appears to be a bit different, serving up a doctored install_flash_player_9.04.exe package that includes the legitimate mIRC client.

This past week, the ThreatFire community stopped a slew of autorun-launched malicious Conficker code from users’ removable drives:
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

These are consumer PCs, and these Conficker/Downadup attacks continue to be real usb-stick based attacks on users’ systems. Please continue using a layered security approach, including a behavioral based solution for the times when you don’t patch immediately or there just isn’t a patch for a vulnerability, be sure to patch your system when patches/updates are released, and practice safe use of removable storage (network and usb-based).

Conficker autorun-based attacks made up a little less than 10% of the autorun-based attacks in April within the ThreatFire community. The other 90% of autorun based malware continues to thrive by abusing misunderstood autorun features, like Virut, Almanahe or SillyFDC, Dizan or Texel (also called Sality), W32.Whybo, W32.Rajump and a variety of Autorun worms that are dropping password stealers and keyloggers on victim machines. While the family names provided by Av scanners often are inaccurate or provide little information about the functionality of what was stopped, they are worms and they are real threats. In real terms, these worms are every bit as impactful on a system as the active Conficker threat.

Top Conficker infected countries to watch appear to be
1. China
2. Brazil
3. Russia
4. India
5. Argentina

If you are reading this post, your system most likely is not infected with Conficker (Conficker denies infected host systems from visiting this blog). Please update your Windows system and its software regularly with patches from the Microsoft Update site, use decent passwords for your Windows user accounts other than “1234″, install a protective set of security products (behavioral protection, firewall, AV, etc), and do not act promiscuously with your usb-based storage or network drives and shares.
Continue on with your online activity, descriptions of damaging behavior other than failed rogueware downloads by the Conficker worm will be posted here whenever they may occur.

If you do receive a file or link with a name like one of these (the “.pif” portion will appear to be missing), do everyone a favor and delete it.

Here are the file names we have seen too much of since the beginning of December:
WTF_HAHAHAH_LESBIAN_DOGS.PIF
YOUR-DAD-NAKED-hahahaha.PIF
YOUR-SISTER-NAKED-hahahaha.PIF
YOUR-MOTHER-NAKED-hahahaha.PIF
_MARIAGE_SUR_SKYPE_LOL_HAHAHAHA.EXE
KFPRU_MARIAGE_SUR_SKYPE_2_MOI_HAHAHA_LOL.EXE