Ackantta Trojan spam campaign (August 19, 2010)

SonicWALL UTM Research team observed a Twitter spam campaign involving a newer variant of the Ackantta Trojan in the last 7 days. The spam emails arrive with a zip-archived attachment that contains the Ackantta Trojan executable. The e-mail is drafted to appear as a Twitter invitation from a friend.

Attachment: Invitation Card.zip (contains document.doc … .exe)

Subject: Your friend invited you to Twitter!

Email Body:
————————

New to Twitter? Sign up now

Have an account? Sign in

Your friend invited you to twitter!

Twitter

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:

What are you doing?

To join or to see who invited you, check the attachment.
————————

A sample email message looks like:

screenshot

The executable file inside the attachment looks like this:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim’s machine:

  • Network Activity:
    • It connects to whatismyip.com and attempts to obtain the victim’s IP address
      screenshot
    • It sends a request to a known malicious domain
      screenshot
    • It resolves multiple SMTP servers and attempts to propagate by mass emailing
  • File Activity:

    It creates the following files:

    • %windir%\system32\HPWuSchdb.exe (copy of document.doc … .exe) – Detected as GAV: Ackantta.TW (Trojan)
    • %windir%\system32\reader_s1.exe – Detected as GAV: Ackantta.TW (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul – Detected as GAV: Dursg.G (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Process Activity:

    It creates the following processes in memory:

    • %AppData%\SystemProc\lsass.exe
    • %windir%\system32\reader_sl.exe
    • %windir%\system32\HPWuSchdb.exe
    • %windir%\system32\hp-357.exe
    • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
  • Registry Activity:
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\system32\HPWuSchdb.exe under the name “HP Software Updater”, ensuring infection on system restart
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\reader_sl.exe under the name “Adobe Reader Speed Launcher”, ensuring infection on system restart
    • It disables the Windows Security Center service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc:Start
    • It disables the Error Reporting service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ERSvc:Start
    • It disables User Account Control (UAC) by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:EnableLUA
    • It disables User Account Control (UAC) notification by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:UACDisableNotify
  • Firefox Extension:

    As part of the infection process it installs timer.xul as a Firefox extension, which embeds a script in the section of certain pages rendered in the browser.

    screenshot
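The registry indicators listed above can be turned into a small log-triage check. The following Python script is an added example, not code from SonicWALL or from the advisory: it assumes a constructed registry-write log format (time, writing image, target key\value, data), embeds a few constructed sample lines, and flags the two Run persistence values and the service/UAC writes the advisory lists while leaving a genuine HP updater entry and an unrelated write alone.

```python
import re
# Indicators transcribed from the advisory's registry section, lower-cased for matching.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Run value name -> path fragment identifying the Trojan's copy rather than the genuine program
RUN_INDICATORS = {
    "hp software updater": "hpwuschdb.exe",  # genuine HP updater uses a different file name
    "adobe reader speed launcher": r"c:\windows\reader_sl.exe",  # genuine copy lives under Program Files
}
# key\value targets the Trojan modifies to weaken the host -> meaning of a write there
TAMPER_INDICATORS = {
    r"hklm\system\currentcontrolset\services\wscsvc\start": "Security Center service (wscsvc) Start",
    r"hklm\system\currentcontrolset\services\ersvc\start": "Error Reporting service (ERSvc) Start",
    r"hklm\software\microsoft\security center\enablelua": "EnableLUA (UAC)",
    r"hklm\software\microsoft\security center\uacdisablenotify": "UACDisableNotify (UAC notification)",
}
# Constructed log line format (an assumption for this example, not any product's real output):
#   <time> RegValueSet image=<writing process> target=<key\value> data=<data written>
LINE_RE = re.compile(r"^(?P<ts>\S+) RegValueSet image=(?P<image>\S+) target=(?P<target>.+?) data=(?P<data>.*)$")

def classify(line):
    """Return a finding string for one log line, or None when it matches no indicator."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, image, target, data = m.group("ts", "image", "target", "data")
    key, _, value = target.lower().rpartition("\\")
    if key == RUN_KEY:  # persistence: only flag the value names and images the advisory lists
        fragment = RUN_INDICATORS.get(value)
        if fragment and fragment in data.lower():
            return f"{ts} persistence: Run value '{value}' -> {data} (written by {image})"
        return None
    desc = TAMPER_INDICATORS.get(target.lower())
    if desc:
        return f"{ts} tamper: {desc} modified, data={data} (written by {image})"
    return None

def scan(lines):
    """Run classify() over a whole log and return only the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log: four writes matching the advisory, then two benign writes.
SAMPLE_LOG = [
    r"10:01:02 RegValueSet image=C:\WINDOWS\system32\HPWuSchdb.exe target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Updater data=C:\WINDOWS\system32\HPWuSchdb.exe",
    r"10:01:03 RegValueSet image=C:\WINDOWS\system32\HPWuSchdb.exe target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher data=C:\WINDOWS\reader_sl.exe",
    r"10:01:04 RegValueSet image=C:\WINDOWS\system32\HPWuSchdb.exe target=HKLM\System\CurrentControlSet\Services\wscsvc\Start data=4",
    r"10:01:05 RegValueSet image=C:\WINDOWS\system32\HPWuSchdb.exe target=HKLM\Software\Microsoft\Security Center\EnableLUA data=0",
    r"10:05:00 RegValueSet image=C:\HP\hpsetup.exe target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update data=C:\HP\hpwuSchd2.exe",
    r"10:06:00 RegValueSet image=C:\WINDOWS\explorer.exe target=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden data=1",
]
```

Calling `scan(SAMPLE_LOG)` returns four findings; the last two sample lines produce none.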

SonicWALL Gateway AntiVirus provides protection against this Ackantta Trojan variant with the GAV: Ackantta.TW (Trojan) signature. [12770 hits recorded in the last 7 days]

screenshot
