Showing posts with label Dropper. Show all posts

Monday, June 23, 2008

Removal Tool? No.

A barely detected "tool" is downloading and executing bots. A version of "driveguard.exe", which promises to clean infections off your system and keep it clean, is worming its way onto machines and downloading strains of Poison Ivy as "WinSecSys.exe", a bot capable of stealing screenshots and keystrokes, spreading to other machines, and more. We wrote about these "RAT" tools and the characters behind them in previous posts; some of those characters are now serving prison terms. ThreatFire detects it as a worm.

Friday, June 20, 2008

Rustock Crackz

Last Thursday's post commented on malware commonly bundled with crackz. A large number of users are running files that appear to be distributed from a number of crack sites. We will not publish those domains on this post.

The bundled filenames follow a common theme: a downloader that delivers far more than the user expects. Crack.exe, keygen.exe, patch.exe and install.exe have been bundled into phony cracks and released to a number of sites. They contain trojan downloaders, among other things, which pull down and execute spambot variants and many other malware executables, including our old friend Vundo. Here are just a handful of the bundle names that we've been seeing:
Microsoft_Office_Professional_Plus_2007.txt.exe
WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE
popcapzumadeluxe!v1.0crack.zip.exe
COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE
MAGICISO_V3.5_BUILD_0064.ZIP.EXE
WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE
nero_8.2.8.0_serial.txt.exe
DYNOMITE_DELUXE_V2.71.ZIP.EXE
WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE
osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe
SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE
ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE

Notice the clever(?) use of a double file extension ending in .zip.exe or .txt.exe. With Explorer's default "Hide extensions for known file types" setting the trailing .exe disappears, so the file appears to be an archive or a text file. DO NOT download and run these files.

In our labs, we find that running these files results in a ridiculous attack. The volume of malware that ends up running on the system is so large that the system becomes entirely unusable. We haven't seen an attack quite so bad since the 2nd-thought.com site was taken down.

One of the components (we most often see it as "axer.exe") infects services.exe on the system and drops rootkit and spambot components (surprisingly, we see a consistent driver filename, "pqasghjd.sys"), then sends out waves of spam from that system process. The kernel-level driver hooks the SSDT entries for NtCreateKey, NtOpenKey and NtTerminateProcess, in an attempt to hide its registry keys and prevent termination of the malware's user-mode processes. It also attaches to the Ntfs file system driver in order to hide its presence on disk.

The spambot components download updated lists of user accounts and available SMTP servers over HTTP, and then peddle rather "adult" themes in outgoing messages. All of the messages include a link to phony "personal growth" pills for men. Here are a couple of the "mentionable" subject lines, chosen to get a small percentage of users to actually open the message:
"Life will get better with this"
"Wanna know why she's hot"
"Jessica Alba bikini pics"
"All the love you need"
"Scarlett Johansson and Justin Timberlake spotted together"
"Get ready for a stunning improvement to your love life"
"Scarlett Johansson and Tom Brady spotted in Mexico"

Thursday, June 12, 2008

ThreatFire Crackz

Sure, you want to get it for free. Who doesn't want free schwag?

In our previous post on peculiar Vundo capabilities, we detailed Vundo's inclusion of Microsoft Research Detours source code in their malicious binaries. After googling Vundo and reading up on it, you still might not feel confident that you understand how one gets Vundo on their system. While there are malicious sites out there using commodity exploit kits to attack unpatched windows systems and install the Vundo components, and there may be a few cases of users receiving spammed email messages with links to the malware, from my perspective it seems that most of the Vundo infections on this planet have to do with crackz. That is, key generators that enable individuals to pirate software.

So we decided to stop by getcracks.com and get the latest. While the enticing allure of free software abounds, even more present is the pile of malcode served up from the site and its various providers. And what do you know? It looks like they have a crack for ThreatFire too!



But before you go off to the site thinking you can find things for free, understand that nothing really is free.

In this case, we extracted the executable and found five files inside: readme.bat, crack.exe, serial.exe, keygen.exe, and number.exe. The readme isn't really a readme at all. When double clicked, the file simply runs the four executables that it is delivered with. And what do we find in the other four?
crack.exe -- Trojan.Vundo/Trojan.Virtumonde
number.exe -- Trojan-Downloader.Small.CML,Trojan.Nebuler!sd6/Trojan.Nebuler
keygen.exe -- Trojan-Downloader.Small!sd5,Trojan-Downloader.Win32.Small.ury,Downloader,TROJ_DLOADER.NWJ
serial.exe -- Trojan-Downloader.Trojan!sd6,Downloader.Trojan, Trojan-Downloader.Homles!sd6,Trojan-Downloader.Win32.Homles.br,Infostealer, Adware.Maxifiles

As you can see, things aren't free. Vundo doesn't travel alone. Some of that stuff could ruin your system and potentially steal sensitive information.
The crack.exe file itself drops multiple dlls. They are injected into multiple processes and display alarming ads. Often, it's difficult to understand where the ads came from or why they are on the system at all -- the loaded Vundo libraries do not start displaying these ads for at least a half day. In the meantime, they track your surfing habits and send the data back to a set of servers. Here are a couple of their latest ad campaigns. The first performs the standard phony scan on your machine and identifies malware that isn't on the system, shocking the user into buying a rogueware package:



They are hawking rogueware from "AntiSpywareExpert.com". Their website really looks pretty slick:



The second of the two ads performed another phony scan, and claimed that pornographic images and porn site cookies were all over the machine, which was false:



Steer clear of crackz and gaming cheatz! You'll find much of the same.

Another malcrackz post here.

Wednesday, June 4, 2008

MSN IM Worm

Another MSN IM-worm is making the rounds, in an effort to create yet another IRC-based botnet. Almost all of the activity that we are seeing is coming from our user community in Italy, Spain, Argentina and Peru.

A message arrives asking "Is this your photo?" and carries either an attachment or a link to the file. The attachment appears as "134453_9198.JPG-WWW.MYSPACE.zip" and contains "134453_9198[1].JPG-WWW.MYSPACE.COM"; other names we have seen for the executable are
"134453_9198.JPG-WWW.YOUTUBE.COM",
"134453_9198.JPG-WWW.MSNSPACES.COM" and
"IMAGE_134453.JPG-WWW.MYSPACE.COM".
Note that the real extension is ".COM", a DOS executable extension made to read like the end of a web address. When executed, the file copies itself to the temp directory as taksmgr.exe and to the Windows directory as wksvcsc.exe or winudpmgr.exe, and attempts to send itself to everyone in your MSN address book. Variants have attempted to phone home to m.bihsecurity.com over IRC and other channels. The activity is recorded in this ThreatExpert report.
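Both this post and the crack bundle names in the Rustock post above rely on the same trick: a data-looking name in front of an extension that Windows will execute. As an added example (not code from the original posts or from ThreatFire), here is a small Python filename check that flags both patterns: a decoy extension such as .jpg or .zip ahead of the real one, and a "WWW.something.COM" tail where the .COM is actually the executable extension. The extension lists are assumptions and not exhaustive; the sample names are the ones listed on this page plus a few constructed benign ones.

```python
import re

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
# "Data" extensions the droppers above borrow to look harmless (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "zip", "rar",
              "txt", "doc", "pdf", "mp3", "avi"}
# A decoy extension counts only as a whole token: ".zip" followed by a
# non-alphanumeric character or the end of the stem, so ".zipper" is ignored.
_DECOY_RE = re.compile(r"\.(%s)(?=[^a-z0-9]|$)" % "|".join(sorted(DECOY_EXTS)))
# "www.<host>.com" at the very end: the .com is both a TLD and a DOS executable.
_DOMAIN_RE = re.compile(r"www\.[a-z0-9.-]+\.com$")


def disguise_reasons(filename):
    """Return the reasons a filename looks like an executable dressed up as data,
    or [] if it does not. A plain, undisguised .exe is not flagged: the point is
    the deception, not the file type."""
    name = re.split(r"[\\/]", filename)[-1].lower()   # strip any path component
    if "." not in name:
        return []
    stem, ext = name.rsplit(".", 1)
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    decoys = _DECOY_RE.findall(stem)                  # decoy extensions before the real one
    if decoys:
        reasons.append("executable .%s hidden behind decoy extension(s) %s"
                       % (ext, ", ".join("." + d for d in decoys)))
    if _DOMAIN_RE.search(name):
        reasons.append("name ends in a web address whose .com is really the executable extension")
    return reasons


def scan(filenames):
    """Map each flagged filename to its reasons; clean names are omitted."""
    flagged = {}
    for f in filenames:
        reasons = disguise_reasons(f)
        if reasons:
            flagged[f] = reasons
    return flagged


# Names from this page plus constructed benign ones.
SAMPLE_NAMES = [
    "134453_9198[1].JPG-WWW.MYSPACE.COM",
    "IMAGE_134453.JPG-WWW.MYSPACE.COM",
    "Microsoft_Office_Professional_Plus_2007.txt.exe",
    "MAGICISO_V3.5_BUILD_0064.ZIP.EXE",
    "nero_8.2.8.0_serial.txt.exe",
    "video.exe",                      # undisguised executable: not flagged
    "C:\\photos\\holiday.jpg",        # real picture: not flagged
    "notes.txt",                      # real text file: not flagged
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

The check is deliberately narrow: a file named simply video.exe is an executable and says so, while the names above are built to be read as something else. It is the read-as-something-else property, combined with Explorer hiding known extensions by default, that makes these lures work.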


VirusTotal results help explain why this one is spreading:

File image_134453_9198.jpg-www.myspace received on 06.04.2008 18:16:28 (CET)

Antivirus           Version           Last Update   Result
AhnLab-V3           2008.5.30.1       2008.06.04    -
AntiVir             7.8.0.26          2008.06.04    Worm/IrcBot.43803
Authentium          5.1.0.4           2008.06.04    -
Avast               4.8.1195.0        2008.06.04    -
AVG                 7.5.0.516         2008.06.04    -
BitDefender         7.2               2008.06.04    -
CAT-QuickHeal       9.50              2008.06.04    Backdoor.IRCBot.dip
ClamAV              0.92.1            2008.06.04    Trojan.IRCBot-2456
DrWeb               4.44.0.09170      2008.06.04    -
eSafe               7.0.15.0          2008.06.04    -
eTrust-Vet          31.6.5847         2008.06.04    -
Ewido               4.0               2008.06.04    -
F-Prot              4.4.4.56          2008.06.02    -
F-Secure            6.70.13260.0      2008.06.04    Backdoor.Win32.IRCBot.dip
Fortinet            3.14.0.0          2008.06.04    -
GData               2.0.7306.1023     2008.06.04    Backdoor.Win32.IRCBot.dip
Ikarus              T3.1.1.26.0       2008.06.04    Backdoor.Win32.IRCBot.dip
Kaspersky           7.0.0.125         2008.06.04    Backdoor.Win32.IRCBot.dip
McAfee              5309              2008.06.03    -
Microsoft           1.3604            2008.06.04    -
NOD32v2             3158              2008.06.04    Win32/IRCBot.AGQ
Norman              5.80.02           2008.06.04    -
Panda               9.0.0.4           2008.06.04    Suspicious file
Prevx1              V2                2008.06.04    Worm
Rising              20.47.22.00       2008.06.04    -
Sophos              4.30.0            2008.06.04    Mal/Generic-A
Sunbelt             3.0.1144.1        2008.06.04    -
Symantec            10                2008.06.04    -
TheHacker           6.2.92.333        2008.06.03    -
VBA32               3.12.6.7          2008.06.03    -
VirusBuster         4.3.26:9          2008.06.03    -
Webwasher-Gateway   6.6.2             2008.06.04    Worm.IrcBot.43803

Additional information
File size: 43803 bytes
MD5...: 7029a5feddc61e7da347b80c0fa3cc48
SHA1..: 431d7e328245dfd493fce228901c97af2912f7b2
SHA256: 7a35c959f1c7026115fa41253a782a36909a12a9301ec5d9453c25e238f304cc
SHA512: c29a762a71e28842fd65e2fc798ad79ba4c25ccaa21d57f1e0ac7c708fc107a60f99c528d16d79eb8ab085cb26472d8a892aa4c79e35dd25e01d3cd388b403de
PEiD..: -


We saw this same sort of IM-worm activity in December.


Update -- It's now June 24th. Some of the other vendors' research teams have had the time to get a little more certain on this worm. Maybe just a nudge would help... ;)

Wednesday, May 14, 2008

Agent again, this time undetected

Several interesting surges in malware activity are showing up today. The most highly propagated that we are seeing is a large increase in the past 24 hours of an old friend that's been labelled "Trojan.Agent". The filename that we are seeing the most of is "wingmmesc.exe", and it continues to run rampant without much in the way of AV detection, including the new and improved engines to detect suspicious obfuscation:

We are investigating its spread and its packing techniques. The outer layer is packed with UPX, but another layer of protection needs to be peeled back, which may explain the low AV detection rates. In the past, this sort of thing was spread via emails with "enticing" (often pornographic) messages carrying links to URLs like hxxp://aliodsf . com / video.exe. We'll get back with more detail.

Update...It appears to be related to the Sality family, because we're seeing lots of familiar Sality "WINEUJE.EXE" activity related to the downloader, a worm that's run around for a long time now, especially in Asia. It attempts to download .gif files from "kukutrustnet888.info" and "microupdate14.info", both domains that we've seen from this family before. We'll rename this one to a more appropriate Sality label, and more AV detections should begin to pick up, now that we've uploaded it to virustotal for sharing.

Thursday, March 13, 2008

Aowch

A painfully high number of incidents has been occurring over the past couple of days in India, Thailand and Greece, involving a bot/mailer that is installed by an "aow4.tmp", "aowc.tmp", "aow28.tmp"...you get the idea. The bot is downloaded from 66. 29 . 53. 125/supply/pack (a server hosted by a provider in New Jersey) and then injected into a suspended svchost.exe process. This process then spews mail containing nasty Russian slang and attempts to phone home. Most of the servers that it tries to connect to do not accept its mail at this time.

AV detection is surprisingly low -- there is some generic detection, but the variants continue to morph.

Rootkit components are not delivered with this one, and the downloader uses an unusual thread injection technique while removing its own traces. The .tmp file creates a suspended process from the svchost.exe executable, calls GetThreadContext to read the registers of the suspended process's main thread, writes its own code into the svchost process's memory, and then calls SetThreadContext (redirecting the thread to the injected code) and ResumeThread, so that the remote process resumes execution inside the injected code. ThreatFire will prompt users about this injection.

Monday, March 3, 2008

MonaRonaDona Mystery Solved

Brian Krebs at the Washington Post blogged today about a pretty common, unusually mysterious, and very badly named extortion scam, "MonaRonaDona":
"Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that's clear is that this invader's primary purpose is to call as much attention to itself as possible...This piece of malware disables a number of programs on the victim's PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot."

Our talented friend Roel at Kaspersky blogged about symptoms that they've seen as well, without much to add about its origins:
"How the malware actually reaches the system isn't entirely clear at the moment. When first run, the only thing the program does is register itself to start at Windows boot. As symptoms of infection aren't immediately visible, this makes it harder for victims to pinpoint what they were doing when they actually got infected. "

We were analyzing the same threat earlier this morning, when one of our support team was contacted about the problem. Our ThreatExpert and ThreatFire protected community provided the binaries to find some answers.

Some of these users unfortunately were persuaded over the past week or so to run a version of "RegistryCleaner2008.exe" (afec3d0f13b8f866f2c2eec122024165 for you researchers out there), as can be seen here:

Along with this particular version of "RegistryCleaner2008.exe" came a little friend by the name of "srvspool.exe", and friends. Some of the infection symptoms are somewhat simple and silly compared to other threats we've been researching: "MonaRonaDona" appears in the Internet Explorer title bar, the "DisableTaskManager" registry value is set so users cannot use Ctrl+Alt+Del to kill the threat, and "srvspool.exe" appears in the All Users startup folder.

Interestingly, the release coincided with the shortlived appearance of an antivirus suite at www.unigray.com. Notice the "New Spyware Threats" list in the bottom right corner contains #1 new find "MonaRonaDona". At the moment of posting, googling for this dreadfully named virus family turns up no results from any of the credible AV vendors:

Meanwhile, a mysterious poster "ParadiseForever" claimed that "The computer virus by the name Monaronadona is causing widespread havoc by infecting computers everywhere" and that "The only solution would be to install a good AntiVirus software package which can detect and kill the virus. There are a lot of free AntiVirus softwares available online. However the normal antivirus such as Norton or McAfee may not work for this Virus.
You can try dowloading the Unigray Antivirus which is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs", which can be seen here:

And here is an attempt to lend credibility to this overpriced, false-positive-producing Unigray scanner, by putting it in the same list as established and well known AV vendors:

Note that it has been reported by other researchers that users' search engine results are modified in some way, but we have not witnessed this activity. Instead, the rogueware authors have posted at Digg and other sites in order to appear as top Yahoo and other search engine hits for the search term "MonaRonaDona", with pages that promote the rogueware Unigray AV scanner.
A clean system shows that the top unsponsored result at the yahoo web site takes you to the phony "ParadiseForever" post at hubpages.com:

More of the scam can be read about on Krebs' post, where he instructs users "If you're a victim of this extortion scam, please don't pay up."

We'll have more details about the binaries and provide updated information as well. In the meantime, we are pleased to report that the source of this Rogueware is quiet at the moment:

Tuesday, January 8, 2008

Help.exe still not much of a helper

One of the highest-hitting worms that ThreatFire encountered over the past week is a worm that targets online game logins by dropping a password stealer and rootkit components on infected systems. We previously blogged about the help.exe component that drops rkd.dll, amvo0.dll and amvo.exe, and we now observe many more variants that are repacked with fairly sophisticated packer and code obfuscation technology.

The password stealers themselves are updated on various websites that we have observed moving locations throughout China, repacked for AV and emulation evasion purposes. We also see ongoing server side polymorphism with the dropper.

The executables all display very unusual static PE characteristics. First, the import directory contains the name of one dll (kernel32) and imports only three of its functions (LoadLibraryA, GetProcAddress, ExitProcess), the bare bones minimum that you need for a PE packer:

All of the section names are mangled, to further raise our suspicion:

And finally, the resource section is huge and unrecognizable to a simple resource section parser (hint -- it contains more executable code):
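The three static tells just described (a kernel32-only import table holding nothing but LoadLibraryA, GetProcAddress and ExitProcess; section names that are not printable ASCII; a resource section that dominates the file) can be checked without loading the file. The following Python script is an added example, not code from the original post or from ThreatFire: it parses a PE32 header with nothing but the standard library and reports those traits. Because the real samples are not reproduced here, build_sample_pe constructs a minimal, non-executable stand-in PE in memory (a hypothetical file, not the help.exe dropper) so the checks have something to run against; analyze_pe works the same on the bytes of a real file.

```python
import struct

# Import profile of a bare unpacking stub: the kernel32 functions it needs to
# resolve the real program's imports once the payload is decompressed.
PACKER_STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress", "ExitProcess"}


def build_sample_pe(section_names=(b"\xe1\x80\x0f\x01", b"\x9b\x1f\x04"),
                    imports=("LoadLibraryA", "GetProcAddress", "ExitProcess"),
                    rsrc_size=0x8000):
    """Constructed stand-in: a minimal PE32 image with a kernel32 import table in
    section 1 and an opaque 'resource' blob as section 2. Not runnable code."""
    text_rva, text_raw, rsrc_rva = 0x1000, 0x400, 0x2000
    body = bytearray(40)                       # import descriptor + null terminator
    name_off = len(body)
    body += b"kernel32.dll\0" + b"\0" * 3      # DLL name, padded to 4 bytes
    hints = []
    for fn in imports:                         # IMAGE_IMPORT_BY_NAME: u16 hint + name
        hints.append(len(body))
        body += b"\0\0" + fn.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
    thunks = b"".join(struct.pack("<I", text_rva + h) for h in hints) + b"\0" * 4
    oft_off = len(body); body += thunks        # OriginalFirstThunk (names)
    ft_off = len(body); body += thunks         # FirstThunk (IAT, patched at load)
    struct.pack_into("<5I", body, 0, text_rva + oft_off, 0, 0,
                     text_rva + name_off, text_rva + ft_off)
    body += b"\0" * (-len(body) % 0x200)       # pad to FileAlignment
    rsrc = b"\xab" * rsrc_size                 # opaque blob standing in for packed code
    size_of_image = rsrc_rva + ((rsrc_size + 0xfff) & ~0xfff)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10b, 9, 0, len(body), rsrc_size, 0,
                      text_rva, text_rva, rsrc_rva, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, size_of_image, text_raw, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2] = (text_rva, 40), (rsrc_rva, rsrc_size)   # import, resource
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", section_names[0], len(body), text_rva,
                       len(body), text_raw, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", section_names[1], rsrc_size, rsrc_rva,
                        rsrc_size, text_raw + len(body), 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14c, 2, 0, 0, 0, len(opt), 0x102) + opt + secs
    return bytes(hdr + b"\0" * (text_raw - len(hdr)) + body + rsrc)


def analyze_pe(data):
    """Parse the headers with struct alone and report the static tells."""
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    # data directories begin 96 bytes into a PE32 optional header, 112 for PE32+
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10b else 112)
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]
    rsrc_rva = struct.unpack_from("<I", data, dd + 16)[0]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsec)]          # name, vsize, va, rawsize, rawptr

    def section_of(rva):
        for s in sections:
            if s[2] <= rva < s[2] + max(s[1], s[3]):
                return s
        raise ValueError("RVA %#x is outside every section" % rva)

    def rva2off(rva):
        s = section_of(rva)
        return rva - s[2] + s[4]

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("latin-1")

    imports = {}
    off = rva2off(imp_rva) if imp_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if not name_rva:                       # all-zero descriptor ends the list
            break
        names, thunk = [], rva2off(oft or ft)
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if not entry:
                break
            names.append("#%d" % (entry & 0xffff) if entry >> 31
                         else cstr(rva2off(entry) + 2))
            thunk += 4
        imports[cstr(rva2off(name_rva)).lower()] = names
        off += 20

    findings = []
    if set(imports) == {"kernel32.dll"} and set(imports["kernel32.dll"]) <= PACKER_STUB_IMPORTS:
        findings.append("imports: only kernel32.dll, and only packer-stub functions %s"
                        % sorted(imports["kernel32.dll"]))
    for s in sections:
        name = s[0].rstrip(b"\0")
        if not name or any(b < 0x21 or b > 0x7e for b in name):
            findings.append("section name %r is not printable ASCII" % name)
    if rsrc_rva:
        rsrc_sec = section_of(rsrc_rva)
        if rsrc_sec[3] > len(data) // 2:
            findings.append("resource section holds %d%% of the file"
                            % (100 * rsrc_sec[3] // len(data)))
    return {"imports": imports,
            "sections": [s[0].rstrip(b"\0") for s in sections],
            "findings": findings}


if __name__ == "__main__":
    for line in analyze_pe(build_sample_pe())["findings"]:
        print(line)
```

None of these traits is proof of malice on its own: UPX-style packers and some legitimate protectors produce the same import profile, and installers carry large resource sections. Their value is as a cheap triage filter ahead of unpacking and as a reminder that a scanner relying on the import table or section names alone sees almost nothing of a sample packed this way.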

Unfortunately, this incessant rate of change results in a low rate of AV scanner detection:

If you are seeing a popup like this one, go ahead and quarantine the thing:


Bootkit binaries in the wild

Yesterday, we were further analyzing an executable that we recently haven't been seeing all that much of, tmpms45.exe. The filename is familiar, as sometimes various executables with that name are delivered by malicious emails or malicious web pages. Most often, we see it as a part of a commodity exploit kit (i.e. Mpack), and the malicious web site operators simply forgot to change the filename in the kit's scripts that they just purchased.
This time, however, a file delivered under that filename is receiving a lot of attention as the newest piece of malware that writes directly to the raw disk and the master boot record on Windows XP systems. It may also go by several other names, like mat16.exe, mat17.exe, mat18.exe and so on. The malicious dropper is getting attention partly because it is the first in-the-wild malware found to contain a slightly modified version of the "BootRoot" code presented at Black Hat 2005 by eEye researchers.

This malicious dropper executable is being distributed from web sites via a set of exploits targeting a vulnerability patched in 2006, the common Microsoft MDAC (MS06-014) vulnerability that we see targeted on a daily basis, along with the somewhat more recent VML and XML Core Services buffer overflows.

Wednesday, December 12, 2007

Online game password stealing worm

We are seeing a strong surge in the spread of a game password-stealing worm. A number of reports online have described the infection occurring when the user was copying files over a usb drive.

The files that we are seeing drop an executable in the windows\system32 directory by varying names: "avpo.exe" and "niedeiect.com" are common. This nasty little thing copies itself to various locations on your drive, drops driver files possessing unstable rootkit techniques to hide its own files, and steals the passwords of your favorite games. If you see "avpo" or "amvo0.exe" performing strange behaviors alongside "niedeiect.com" on your drive, like writing to the explorer.exe process, quarantine them.

Wednesday, December 5, 2007

Unpacking a suspicious dll -- top to bottom

Fyi, this writeup is geared to satisfy curiosities about technical stuff, to start responding to some of the interest expressed over at our forum. You have been warned...

We use Ollydbg for all sorts of things around here. It's an outstanding tool. In fact, Olly himself found some spare time and is releasing a new version soon. He's got the pre-alpha version 2 code available on his website.

His debugger is a very useful tool for reversing user-mode software. When we're looking to get to the bottom of a suspicious component, one way is to fire up olly and get started. Unfortunately, there are challenges to that approach. Sometimes, we need to understand what a dll or other component is doing as well, and sometimes those dlls and other components are packed.
There are other tools that we use, and this post will survey the steps for using them while unpacking a dll...you can find this sort of information all over the web, but the writing styles sometimes make understanding the content very difficult.
Some of the fine reverse engineering tools available are
Ollydbg
LordPE
Import Reconstructor
IDA Pro

In our labs, we have a suspicious dll to examine. Apparently, it was installed as a BHO (Browser Helper Object) into Internet Explorer:

When you load this dll into Olly, the tool reports that its listing of the binary's instructions are most likely inaccurate. IDA Pro can't disassemble the binary either.
So we can use a couple of tools to help identify if this executable has been tampered with. One popular tool is PEiD. PEiD detects "Upack" as the packer used here, and usually is pretty accurate. You can also take a peek with ProtectionID.
Upack is a very simple packer, used to compress executables, and can make file examination only somewhat difficult. There are no antidebugging tricks that it employs to be concerned with. Here is PEiD in action, identifying the file as packed with UPack by Dwing:

If we want to load it into Olly and dump it for full unpacking, one way to start is to rename the file extension to "exe" and clear the IMAGE_FILE_DLL flag in the Characteristics field of its PE file header, so that Windows loads the file as an exe rather than as a dll. You can take a course from a reverser like Jason Geffner on deobfuscation, read all the PE documents, then do the offset math, pop open UltraEdit or a hex editor and manually edit the file's PE header. Or you can run LordPE on the file and simply deselect the "Dll" checkbox under its file characteristics:

After you save your modification, load up the file into Olly and identify the program's original entry point, or OEP. This work can be time consuming when learning about a new packer. But Upack is a simple packer. It's much like UPX, the industry standard, but it uses the LZMA compression algorithm. A reverser might notice that the first instruction of the unpacker is "pushad", followed by a call instruction:

The easiest thing to do would be to scan the rest of this section for a matching "popad" instruction followed by a jmp to the beginning of the lzma decompressed code. When we do that, we find a popad (a restore of all the register values that were pushed onto the stack at the beginning of the unpacker stub) followed immediately by a jmp to the .Upack section that was previously empty:

At this point, we can hit "F7" to step into this new code section, use Olly's "Analyse" function and voila, we see
push ebp
mov ebp, esp
and we are most likely at the dll's original entry point (OEP):

Great! Now, using LordPE again we can dump the file to disk and fix up the Imports with ImpRec. Here's a view of LordPE options for attaching to a process and dumping an individual module to disk:

Now that we have the image dumped to disk, we can use Import Reconstructor to attach to the dll's process as it is suspended at its OEP, find the import address table in memory and then fixup the dumped image on disk:

We have to provide ImpRec with the OEP. Hopefully it then can find the Import Directory and IAT for us, and with UPack, it reliably completes the fixup for us. Clicking on "Fix dump" and selecting the image dumped by LordPE will provide us with an unpacked file that we can next throw into IDA Pro for disassembly and analysis, which will be another post:
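Two of the steps above are mechanical enough to script: the "Dll" checkbox LordPE clears is a single bit in the file header, and the "find the popad followed by a jmp out of the stub" search is a byte pattern plus a section lookup. The following Python is an added example, not code from the original post, from LordPE or from ThreatFire. It works on raw bytes, so it does not run the sample; the header and the unpacker stub it operates on are constructed stand-ins (the section layout, RVAs and OEP are assumed values, not those of the real BHO). The jump-target arithmetic and the Characteristics offset are the real PE and x86 rules, so the same functions apply to a file you have on hand.

```python
import struct

IMAGE_FILE_DLL = 0x2000   # the Characteristics bit that LordPE's "Dll" box toggles


def _characteristics_offset(pe_bytes):
    """IMAGE_FILE_HEADER.Characteristics lives at e_lfanew + 4 ('PE\\0\\0') + 18."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", pe_bytes, 0x3c)[0]     # e_lfanew
    if pe_bytes[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe + 4 + 18


def pe_characteristics(pe_bytes):
    return struct.unpack_from("<H", pe_bytes, _characteristics_offset(pe_bytes))[0]


def clear_dll_flag(pe_bytes):
    """Return a copy with IMAGE_FILE_DLL cleared so the loader runs the file as an
    .exe, starting at AddressOfEntryPoint (the stub). DllMain's arguments will be
    garbage, which does not matter for walking the stub to the OEP in a debugger."""
    buf = bytearray(pe_bytes)
    off = _characteristics_offset(buf)
    struct.pack_into("<H", buf, off, pe_characteristics(buf) & ~IMAGE_FILE_DLL)
    return bytes(buf)


def section_for(rva, sections):
    """sections: (name, virtual_address, virtual_size) tuples from the section table."""
    for sec in sections:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None


def find_popad_jmp(code, code_rva):
    """Every 'popad; jmp rel32' (61 E9 disp32) in the stub as (offset, target RVA).
    The jmp target is the address of the following instruction plus the displacement."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0x61 and code[i + 1] == 0xE9:
            disp = struct.unpack_from("<i", code, i + 2)[0]
            hits.append((i, code_rva + i + 6 + disp))
    return hits


def oep_candidates(code, code_rva, sections):
    """Keep only the tails that jump out of the stub's own section into another
    one (for Upack, the section that was empty on disk): the classic OEP tell."""
    stub = section_for(code_rva, sections)
    out = []
    for off, target in find_popad_jmp(code, code_rva):
        dest = section_for(target, sections)
        if dest is not None and dest is not stub:
            out.append((off, target, dest[0]))
    return out


# Constructed stand-ins (assumed layout, not the real BHO's).
SAMPLE_HEADER = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
                 + struct.pack("<HHIIIHH", 0x14c, 2, 0, 0, 0, 224, 0x2102))  # DLL|32BIT|EXECUTABLE
SECTIONS = [(".Upack", 0x1000, 0x5000),   # empty on disk, receives the decompressed image
            (".stub", 0x6000, 0x1000)]    # the unpacker code
STUB_RVA = 0x6000


def make_stub(oep_rva):
    """pushad; call $+5; pop ebp; <decoder omitted>; popad; jmp (stays local);
    ...; popad; jmp OEP. The local popad;jmp shows why the section test matters."""
    head = b"\x60" + b"\xe8\x00\x00\x00\x00" + b"\x5d" + b"\x90" * 9
    local = b"\x61\xe9" + struct.pack("<i", 0x20)     # jumps 0x20 bytes ahead, inside the stub
    pad = b"\x90" * 0x20
    tail_off = len(head) + len(local) + len(pad)
    tail = b"\x61\xe9" + struct.pack("<i", oep_rva - (STUB_RVA + tail_off + 6))
    return head + local + pad + tail + b"\xcc" * 4


if __name__ == "__main__":
    print("Characteristics %#06x -> %#06x" % (pe_characteristics(SAMPLE_HEADER),
                                            pe_characteristics(clear_dll_flag(SAMPLE_HEADER))))
    for off, target, name in oep_candidates(make_stub(0x1234), STUB_RVA, SECTIONS):
        print("popad;jmp at stub+%#x -> %#x (%s): OEP candidate" % (off, target, name))
```

Two caveats carry over to real samples. Clearing the DLL bit only changes how the loader starts the image; if the module is later needed as a dll (for its exports, or to run under the BHO host) you work from the dumped and import-fixed copy, not the patched one. And the popad;jmp search is a heuristic tied to simple stubs like Upack and UPX: a stub that restores registers piecemeal, or that reaches the OEP with a push/ret or a call, will not match it, which is why the debugger walk the post describes is still the reference method.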

Hope that satisfies some of the curiosities of our forum readers, next we'll take a look at some of the malicious behaviors this dll performs.


Note - This example worked through one of the simplest packers out there, Upack. For more information on unpacking tricks, you can find a couple of awesome lists of tips related to anti-debugging and anti-reversing at OpenRCE and in Mark Vincent Yason's Black Hat paper.

Friday, November 30, 2007

Spyware Doctor bundle?

This morning, we were observing a surge in hits from an Armadillo/SoftwarePassport packed Rbot variant. It looks like this one might be distributed over a P2P network. AV scanner detection appears to be fairly spotty for now:

When we look through the files that come in, we see the work of all sorts of fairly underground binders/joiners: microjoin, minichain, exebind, etc. These tools bind an executable to another file package: a stub is prepended to the original file along with the bot, and the two are "bound" together. That way, when the unwitting victim receives a bound file, they think they are running one executable when really they are running two.
An interesting example came in this morning: sdsetup.exe. Interesting, because the filename is the same as the PC Tools product installer for SpywareDoctor. And the icon of the file appears to be the one that PC Tools uses for their SpywareDoctor product. However, here are some properties of the file that appear when you right click on the installer file and select "Properties". The file is missing a digital signature, and the file's "Description" is "Win32 Cabinet Self Extractor". It seems fishy right off the bat, because that's a legitimate tool normally used to build installers and files that bind more than one executable together, just like the underground binders we see all the time:

Now, below is a genuine installer from PC Tools. Cool icon, huh? You can see the file's properties by right clicking on it again. Notice the "Digital Signatures" tab, the "PC Tools" signer name, and the confirmation that the signature is OK under a certificate issued by VeriSign. The certificate authority vouches that the signer is who it claims to be, much like a Notary Public's stamp on a legal document:

Now we run the file that arrived with the odd Description property and is missing the digital signature. BAM! a new executable is created in the system directory and silently executed. This little obfuscated Rbot treat comes with keylogging capabilities and more, and calls home to a computer running on a dsl line here in Kansas City in the U.S. The server is down for now, but it appears to be cycling through ip addresses:

Reason to be alarmed? Not really, this technique commonly is used by creeps every day. But there are lessons to be learned here. If you are going to install a product, do not get it from your favorite P2P collection. Instead, go to the source, like the PC Tools or ThreatFire web site.
And, if you are going to run an executable, you can check it for a digital signature. It's one more layer of security: a valid signature confirms that the executable comes from the named signer and has not been modified since it was signed. A missing signature on a file that claims to be from a vendor who signs their releases is the tell here.

Wednesday, September 5, 2007

How do Storm and other current threats attack security solutions and silently maintain their presence on systems?

Malware v2.0 writers continue to develop new techniques and write sophisticated code to evade security solutions. We've seen a surge in the volume of changing and newly distributed malware that “go Ring0”, or install kernel level drivers. Often, and in the case presented here, the driver is installed in order to silently render AV solutions useless. The widespread Storm threat includes kernel level functionality to perform some of its malicious work, but so do a number of other web-based threats that include components not yet detected by all of the AV community.

In our previous post, we examined a commoditized third party plugin exploit being used in the wild now and its "proactive-solution" evading shellcode. This post will take a look at another effective attack method being used right now, often as another layer in a web based attack, with the end result of rendering a majority of real time av scanners ineffective on the system. Why do malware writers go to these lengths? Usually, in order to obtain and maintain presence on the system.

This added technique relies on a driver installer (often downloaded and executed by an attacker’s shellcode), and a driver component to perform the malicious activity. The samples that we have analyzed also will download a spambot and proxies following the driver component’s successful modification/destruction of the av solution’s real-time scanning capabilities.

I'll try to describe the activity and environment in fairly plain terms, so readers don't have to be a device driver writer to understand what is going on.

The driver somehow has to be copied to the system and its service installed. This action can be done in a number of ways. The executable component that creates the driver file and installs the service can be launched on a victim's system by attacking a web browser plugin as detailed in the last post, binding it to another exe and spamming it out to harvested email accounts, or any number of other well known methods already effectively used in the wild.

This downloaded executable copies out the .sys file to c:\windows\system32\drivers and makes a common win32 api call to install this driver as a file system object. Here's a quick snapshot of the thread stack when the call is made:

The dropper’s work is almost done. Next, it starts the service and exits.

Once the driver is started by its installer, it maliciously modifies the file system stack. "Real-time" file scan functionality is then disabled, even for major av products.

Here are a couple of screenshots of the system’s device tree prior to the attack – 1. a device tree representation of the Ntfs and raw filesystem drivers following a default install, and 2. a device tree representation of the Ntfs and raw filesystem drivers following the installation of a major anti-virus product. Keep in mind this kernel layout is what the malware writers are looking at when choosing their targets. The visualization is meant to help understand what is being attacked…

This screenshot presents the filesystem stack prior to the installation of the AV product. Notice that the ntfs driver (labelled DRV \FileSystem\Ntfs) has a named device (labelled DEV \Ntfs), and also in its stack is the system volume (labeled MED \Device\HarddiskVolume1), which represents the underlying disk volume/partition. The XP SP2 operating system device tree normally looks like this following a default install:

This screenshot presents the device tree representation of the file system stack after the installation of a major vendor's anti-virus product. The Ntfs driver stack has changed altogether. These changes indicate that the anti-virus scanner has installed a set of mini-filter drivers through the Filter Manager, shown by the multiple new attachments labeled "ATT Attached: (Unnamed) - \Filesystem\FltMgr":

After observing and recording the state of the filesystem stack in its normal state and in its AV-modified state, we run the malware on this goat system in our lab. It runs unhindered by the antivirus product: signatures for the binary have not been added yet by this AV vendor, even though the malware has been circulating in the wild for over a couple of weeks now. At least a couple of other vendors are detecting the dropper and its driver.

Here is a screenshot of the filesystem stack after the malware has been run. Notice that all of the mini-filter attachments that were attached by the AV solution to the Ntfs device object have now been detached from the stack:

This modification effectively chokes off any real-time functionality of the AV solution's filesystem scanner. We expected the system to crash and throw off a BSOD, but it kept running in this state in our labs for hours without any blue screen.

The AV security application continues to run, without presenting any warning to the user that it has been hacked, so the user thinks everything is ok. But their system is left unprotected at this level.

At last we confirm the inability of the real-time AV filesystem scanner to detect malware copied to disk in real-time. We copy three year old malware binaries (variants of the bagle Trojan) from a server we maintain in the labs to this attacked system. Normally they are caught by this AV scanner’s real-time protection:

The files are copied to the system's hard drive without any detection, while the Auto-protect feature of the scanner quietly reports its “On” status. The AV solution clearly has been rendered useless and misleads the user into thinking that their drive is protected. This last confirmation in the AV gui's status page reinforces that this host compromise is unexpected, effective and stealthy: