Dell SonicWALL Threats Research team came across a new variant of the Dorkbot worm specifically targeting Skype users. Dorkbot also known as Ngrbot is known to spread through instant messengers, social networking websites, and removable drives. However, this is the first instance we saw that targets Skype users as well by hooking to Skype APIs.

The malware executable is named as Skype_(Date)_(img or foto).exe and uses Skype’s official icons for disguise as seen below:

Infection Cycle

• The new variant when executed, drops a copy of itself in the user’s Application Data directory and also modifies registry to ensure that it runs on system reboot:
  • Dropped File – (Application Data)Whzkzg.exe (copy of itself)
  • Registry – HKCUSoftwareMicrosoftWindowsCurrentVersionRunWhzkzg: “%AppData%Whzkzg.exe”
• Connects to api.wipmania.com to determine the public IP address of the infected system.
• It was found to be actively sending out Skype IMs to the infected user’s Skype contacts. The message is sent in local default language of the infected system and consists of a shortened URL that leads to the download of the Skype Dorkbot variant as seen below:



Statistics of clicks registered for the shortened malicious URL (courtesy Google) shows that it has received more than 200,000 visits in past one month:



• It is also capable of spreading via MSN Messenger, removable drives, and various social networking sites by posting comments. Below is the list of propagation vectors:



• The Dorkbot variant we analyzed connects to one of the following domains on TCP port 1863:
  • mars.dothome.pl
  • venus.timeinfo.pl
  • photobeat.su

  It also contains a hardcoded command and control IP address: 188.40.15.29 that it connects on TCP port 1863 if the above mentioned domains fail to resolve.

• Dorkbot is also known to download and install other malware family payloads as part of Pay Per Install scheme where the author gets paid for every successful install. In our analysis we found that the sample downloaded two different payloads from the file sharing service hotfile.com:
  • hotfile.com/dl/1765672(REMOVED).html -> (Application Data)4C.exe [Backdoor Trojan detected as GAV: Simda.FFK (Trojan)]
  • hotfile.com/dl/1765679(REMOVED).html -> (Application Data)4D.exe [Ransomware detected as GAV: PornoAsset.ANHR (Trojan)]

  It utilizes the Ruskill feature to install these downloaded malware files, which is known to keep track of system file and registry changes. The Ruskill feature also ensures that these files are removed upon system reboot.

• It also contains modules for ftpgrab, formgrab, popgrab, and HTML injection, which are used in monitoring following URLs to steal user credentials:



• The bot is also capable of performing DDoS attacks via following three modules:
  • slowloris flood
  • UDP flood
  • SYN flood

Dell SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

• GAV: Dorkbot.SKP (Trojan)
• GAV: Dorkbot.SKP_2 (Trojan)

Dell SonicWALL Threats research team received reports of a fake antivirus(AV) malware which was actively spreading in the wild. FakeAV software of this nature continues to be a steady growing trend and has been covered in some of our previous SonicALERTs. Once infected, this software will disable the antivirus notifications and lower the security settings. It will then proceed with its campaign to claim that the system is infected with malware and try to sell the software to the user.

The sample we received was spreading by the name of Delta_A_Ticket_Print_Document

Infection Cycle

• Upon execution it starts communicating with the remote Command & Control (C&C) server

  

• The response to this is a command to stay idle until further notice

  

• Further we see instructions to download an executable file from a link. We saw multiple links in our analysis session

  
  

• We saw a command c=run&u=(URL to malicious executable) following which it downloads a new variant of Fake AV – SystemProgressiveProtection
• We discovered the following commands being used by the C&C server during our analysis:
  
  • Idl
  • Run
  • Rem
  • Rdl
  • Red
  • Upd
• We observed the executable communicating with the following C&C servers:
  
  • 175.41.28.157
  • 178.162.174.134

• The original executable is a downloader/dropper that downloads and runs the FakeAV on the system, it deletes itself and makes a copy in %AllUsers%AppData folder with a random name

  

• The executable begins by creating a svchost.exe process and injecting it with malicious code. We also see an empty text file opened through Notepad and a malicious executable being opened. This executable triggers the FakeAV

  

• The malware adds entries to the registry ensuring it runs each time the system starts
  HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce[Random Characters]
• The malware modifies the following registry entries to lower the internet security settings HKCUSoftwareMicrosoftWindowsCurrentVersionInternetSettingsZoneMapProxyBypass
  HKCUSoftwareMicrosoftWindowsCurrentVersionInternetSettingsZoneMapIntranetName
  HKCUSoftwareMicrosoftWindowsCurrentVersionInternetSettingsZoneMapUNCAsIntranet
• We see the Fake AV supposedly scan the system and falsely state that the system is infected with different kinds of malware.

  

FakeAV – System Progressive Protection
Once the FakeAV screen appears on the system the following is observed:

• Most of the executing programs are closed
• TaskManager is disabled
• No easy way to close this application as taskmanager is disabled, the user cannot run programs which can kill this process. It even disables right click on its icon in taskbar
• Closes any application which the user opens claiming that its infected



• Notification about system infection keeps popping up at regular intervals if the user closes the main window



• User gets a warning message when he tries to open any site. In this example we got a message saying google.com is a potentially dangerous site

Dell SonicWALL Gateway AntiVirus provides protection against this threat as well as the downloaded executable via the following signatures:

Dell SonicWALL UTM Research team has released a research paper containing the analysis of Blackhole Exploit kit.

In this paper we explore the inner workings of the Blackhole Exploit kit. We analyze the design, functionality, evolution and mode of the operation of this kit. We study the model of the infection routines and delve in to the working of exploit payloads. The geographical distribution of hosting servers and infections attributed to this kit are studied and plotted in this paper. We also explore the possible connections to other cybercrime rings such as Cutwail, Zeus, Cridex, and others.

Full version of the paper can be viewed here: Blackhole Exploit Kit – Rise & Evolution

HP SiteScope is an agentless monitoring software focused on monitoring the availability and performance of distributed IT infrastructures, including servers, operating systems, network and Internet services, applications and application components. HP SiteScope tests a web page or a series of web pages using synthetic monitoring. However, it is not limited to web applications and can be used to monitor database servers (Oracle Database, Microsoft SQL Server, etc.), Unix servers, Microsoft Windows servers and many other types of hardware and software.

HP SiteScope incorporates Apache Tomcat to help serve its custom web applications. Apache Tomcat is an open source web server and servlet container. Tomcat implements the Java Servlet and the Java Server Pages (JSP) specifications from Sun Microsystems, and provides a “pure Java” HTTP web server environment for Java code to run. In such a relationship, Apache receives all of the HTTP requests made to the Web application. Apache then recognizes which requests are intended for Servlets/JSPs, and passes these requests to Tomcat. Tomcat fulfills the request and passes the response back to Apache, which then returns the response to the requester. Two web applications UploadManagerServlet and DownloadManagerServlet are included with a HP SiteScope server installation that provide file upload and download services. These services are available at the following URIs:

• /SiteScope/upload
• /SiteScope/download

A directory traversal vulnerability exists in the HP SiteScope server. Specifically, an authenticated user can directly access the UploadManagerServlet and the DownloadManagerServlet web applications and supply an arbitrary file path for upload and download. An authenticated remote attacker can leverage this vulnerability to upload and execute arbitrary code on the vulnerable target under the privileges of Administrators.

Dell SonicWALL UTM has researched this vulnerability and released the following IPS signature to detect and prevent the attacks addressing this issue:

• 8708 HP SiteScope Directory Traversal

This vulnerability was not assigned with a CVE ID.