Virus Murofet.A (Oct 8, 2010)

The SonicWALL UTM Research team received reports of a new file infector active in the wild. This virus infects PE files and uses its own random domain name generator to produce domain names, then attempts to download and execute malicious files from those domains.

We last saw a random domain name generation algorithm used by the Conficker worm to download additional malware.

Installation:

The virus drops a copy of itself on the system and runs it. It also injects code into running processes before dropping a batch file that deletes the original executable.

The injected code generates random domains and tries to download and execute additional malware. The generated domains are derived from a randomizing function computed over the current UTC system date and time, obtained through the Windows API GetSystemTime.

It generates 800 random domains per second until it successfully downloads malware from one of them.

Dropped Files

It drops a copy of itself at:

  • {User}\Application Data\{random folder (4 characters)}\{random}.exe

In our environment, the virus copied itself as:

  • {User}\Application Data\Dyemvaiq.exe – GAV: Murofet.A (Virus)

Other dropped files:

  • {User}\Application Data\Kesakuaww.eve

Registry modification

It adds the following registry entry so that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “{ABE1C0BF-B85A-7A2B-01C5-9CAEA05BDB43}”
    Data: “{User}\Application Data\Dyemvaiq.exe”

Infection Routine

  • It infects .exe files using cavity-style infection to insert its malicious code into unused space in the host file. This allows the virus to infect files without increasing their size.

Random Domain Name Generation

  • Get the current system date and time (UTC).
  • Derive ASCII characters in the range [a-z] from that timestamp.
  • Build a domain name from those [a-z] characters, not exceeding 16 characters.
  • Uses one of the following top level domains to form the URL:
    • .com
    • .net
    • .info
    • .biz
    • .org
  • The generator does not include the seconds and milliseconds in the computation, so any infected machines whose clocks agree to the minute generate the same domain names.

URL Pattern:

    http://{generated_domain}/forum/

Samples of Domain Names observed:

  • eiw{REMOVED}gyoqzm.info
  • opq{REMOVED}ghpnjux.biz
  • njj{REMOVED}tekjpsib.net
  • onu{REMOVED}xrtusnyl.org
  • trk{REMOVED}xsvuml.com
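A defender-side check built from the generation rules above (this is an added example, not code from the advisory or from SonicWALL): it scans a resolver log for clients that, within one clock minute, fail to resolve many single-label [a-z] names under the five listed TLDs. The log format, the sample names and the threshold of five are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the names the advisory describes: a single [a-z] label of at most
# 16 characters under one of the five TLDs the virus uses.
DGA_SHAPE = re.compile(r"^[a-z]{1,16}\.(com|net|info|biz|org)$")

# Constructed sample resolver log. Assumed format (not from the advisory):
# "<ISO timestamp> <client ip> <query name> <response code>".
SAMPLE_LOG = """\
2010-10-08T10:15:01 10.0.0.5 qzmxkwpdrtlsb.info NXDOMAIN
2010-10-08T10:15:01 10.0.0.5 hvtyrpcnlqwaz.biz NXDOMAIN
2010-10-08T10:15:02 10.0.0.5 dmbxgsykwnoahtp.net NXDOMAIN
2010-10-08T10:15:02 10.0.0.5 rlpvceqzmtkhi.org NXDOMAIN
2010-10-08T10:15:03 10.0.0.5 xwkfqnldsayo.com NXDOMAIN
2010-10-08T10:15:03 10.0.0.5 www.example.com NOERROR
2010-10-08T10:15:04 10.0.0.9 typo-host.example.com NXDOMAIN
2010-10-08T10:15:05 10.0.0.9 mail.example.net NOERROR
"""

def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def matches_dga_shape(qname):
    # A registered name like example.com matches too, so this is only a
    # candidate filter; the NXDOMAIN burst below is what carries the signal.
    return DGA_SHAPE.match(qname) is not None

def flag_hosts(log_text, threshold=5):
    """Return {client: names} for clients that queried at least `threshold`
    distinct DGA-shaped names that failed to resolve within one clock minute;
    the minute bucket matches the advisory (the generator ignores seconds)."""
    per_minute = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN" and matches_dga_shape(qname):
            per_minute[(client, ts.strftime("%Y-%m-%dT%H:%M"))].add(qname)
    flagged = {}
    for (client, _minute), names in per_minute.items():
        if len(names) >= threshold and len(names) > len(flagged.get(client, ())):
            flagged[client] = sorted(names)
    return flagged

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))
```

Run against a real resolver export, the threshold should be tuned to the site's normal NXDOMAIN rate, and any flagged host checked for the dropped file and Run key listed above.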

Download Routine

Infected files attempt to download other malicious files from the generated URL and save them in the %TEMP% directory. The downloaded file is validated before it is executed. Files downloaded by this virus are blocked as GAV: Conficker.gen (Worm).

Sample DNS requests:

    [screenshot: sample DNS requests]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Murofet.A (Virus) and GAV: Conficker.gen (Worm).
