WE ARE INTERESTED IN YOUR PRODUCTS (Feb 14, 2013)

Dell SonicWALL Threats Research team discovered an instance of an e-mail based attack that was flagged by our e-mail security service. The e-mail pretends to be from a potential international customer inquiring about product prices and delivery times. We have seen this e-mail theme used before in 419 scams, but in this case the e-mail carried a malicious attachment and only minor modifications to the message body.

The e-mail involved in this campaign is shown below:

screenshot

The attached archive contains a malicious executable, donkumasi.exe, with an icon disguised to look like a legitimate document file, as seen below:

screenshot

This is an infostealer bot written in C# (.NET) that has the capability to propagate via instant messengers and removable media.

Infection cycle

Upon execution the malware performs the following activity on the victim machine:

  • It decrypts and loads a Dynamic Link Library file which is embedded in its resource section. This DLL contains the functions utilized by this malware to steal information and propagate.
  • It creates a mutex named DYRB to ensure that only a single instance of the bot is running on the victim machine.
  • It installs a hook to log user keystrokes and also takes screenshots of the user desktop.
  • The malware mines the victim machine for sensitive information and stores the data it collects at the following location:
    • %AppData%\Microsoft\Backups
    • %AppData%\Microsoft\Credentials
    • %AppData%\Microsoft
  • It is capable of stealing user account credentials and account setting information for multiple applications as defined by the author.
  • It is also capable of disabling notable Windows features like:
    • Task Manager
    • Registry Editor
    • System Restore
    • Control Panel & Folder Options
    • Command Prompt
    • UAC
  • It also sends an e-mail confirmation message containing sensitive system information to report a successful infection. The hardcoded e-mail address belonged to Gmail and we have reported it to the Google Security team.
  • It is capable of spreading across systems via:
    • Skype
    • MSN Messenger
    • Yahoo Messenger
    • Removable drives
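As an added defender-side example (not SonicWALL's code, and not taken from the malware), the following read-only PowerShell triage script checks a Windows host for the indicators listed above: the DYRB mutex, the drop folders under %AppData%\Microsoft, and the policy settings that disable the listed Windows features. The registry value names are the standard Windows policy values and are my assumption; the post does not say which values the bot sets.

```powershell
# Host triage for the indicators described in this write-up. Read-only:
# it reports findings and changes nothing on the host.
$findings = @()

# 1. Mutex: OpenExisting succeeds only if a running process already created it.
try {
    $m = [System.Threading.Mutex]::OpenExisting('DYRB')
    $m.Dispose()
    $findings += 'Mutex DYRB is present (bot may be running)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex does not exist: nothing to report.
}

# 2. Drop folders. Note %AppData%\Microsoft\Credentials also exists on clean
#    hosts (Credential Manager), so report recently written files, not presence.
foreach ($d in 'Backups', 'Credentials') {
    $p = Join-Path $env:APPDATA "Microsoft\$d"
    if (Test-Path $p) {
        $recent = Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue |
                  Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
        foreach ($f in $recent) { $findings += "Recent file in drop folder: $($f.FullName)" }
    }
}

# 3. Policy values that disable the features listed above (assumed standard
#    Windows policy values; Good = the value expected on an unmodified host).
$hkcuSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hkcuExp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Path = $hkcuSys; Name = 'DisableTaskMgr';       Good = 0; What = 'Task Manager' },
    @{ Path = $hkcuSys; Name = 'DisableRegistryTools'; Good = 0; What = 'Registry Editor' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR'; Good = 0; What = 'System Restore' },
    @{ Path = $hkcuExp; Name = 'NoControlPanel';       Good = 0; What = 'Control Panel' },
    @{ Path = $hkcuExp; Name = 'NoFolderOptions';      Good = 0; What = 'Folder Options' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Good = 0; What = 'Command Prompt' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Good = 1; What = 'UAC' }
)
foreach ($c in $checks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    # A missing value means the default applies, which is the "good" state.
    if ($null -ne $v -and $v.($c.Name) -ne $c.Good) {
        $findings += "$($c.What) disabled: $($c.Path)\$($c.Name) = $($v.($c.Name))"
    }
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

Run it as the user whose profile is being examined, since the mutex and most policy values are per-session or per-user.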

During our analysis, we discovered that the malware executable that was part of the e-mail attachment was being sold as Limitless Logger on the underground hacking forums. The latest version of this logger is v8.0.2 and it was released last week on Feb 8, 2013. Below are some of the screenshots taken from the underground forums showing the complete feature list, pricing, and author’s post.

screenshot

screenshot

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Agent.SKP (Worm)