
Backdoor Lecna Exploits MS hcp URL XSS Vulnerability (July 1, 2010)

SonicWALL UTM Research received reports of malware actively exploiting the recently reported vulnerability in Windows Help and Support Center (CVE-2010-1885) – MS hcp-URL Cross Site Scripting (June 10, 2010)

The malware author used the code below to exploit the vulnerability:

    screenshot

Upon successful exploitation, it downloads a component JavaScript file shown below as its payload:

    screenshot

This file is blocked by SonicWALL as GAV: JS.HCP.SVR.XSS (Exploit).

This script then downloads and executes the Backdoor Lecna file, which uses an Adobe Acrobat icon to disguise itself as an Acrobat document.

    screenshot

Malware Installation

Mutex Name:
To ensure that only one instance of this malware is running on the infected system it creates a mutex:

  • MicrosoftForZR

Files Added:
It drops a copy into the Startup folder so that it runs on every system startup:

  • (Documents and Settings)\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.exe – GAV: Lecna.GEN (Trojan)

Registries Added:
It writes into the registry the host id which marks systems it successfully infected:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentIESetup
    Value: hostid
    Data: dword:000045f2

Files Downloaded:
It downloads the following files, which are actually executables:

  • www.{REMOVED}.com/ForZRMail/myapp.htm – GAV: Lecna.GEN (Trojan)
  • www.{REMOVED}.com/ForZRMail/zr.txt – GAV: Lecna.GEN_2 (Trojan)

Network Activity:
It tries to connect to the following addresses:

  • 77.90.80.0
  • www.vic{REMOVED}.com
  • www.ian{REMOVED}.com

SonicWALL Gateway AntiVirus provided protection against this malicious backdoor via the following signatures:

  • GAV: HCP.SVR.XSS.1 (Exploit)
  • GAV: JS.HCP.SVR.XSS (Exploit)
  • GAV: Lecna.GEN (Trojan)
  • GAV: Lecna.GEN_2 (Trojan)

screenshot

Novell iManager Tree Name Denial of Service (July 1, 2010)

Novell iManager is a Web-based administration console that provides customized access to network administration utilities and content from virtually any location in the world. A default installation of Novell iManager includes the Apache HTTP server, Tomcat application container and so on.

Novell iManager provides services through HTTP on port 8080/TCP, and HTTPS on port 8443/TCP. The iManager default login page is accessible via the following URL:

https://<host>:<port>/nps/servlet/webacc

where the port is 8443 by default.

The login page listed above has three inputs: a User Name, a Password and a Tree Name. The input data, along with various hidden parameters, is submitted to the same URI in an HTTP POST request. The data is passed to the iManager application as web form variables; the Tree Name is passed in the variable “tree”.

A denial of service vulnerability exists in the Novell iManager web application. The vulnerability is due to the application's failure to properly check the length of the tree variable submitted in the iManager login request. Specifically, the vulnerable code inspects the input string and appends extra characters to it, which overwrites a stack buffer. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET or POST request to the server. This results in abnormal termination of the affected service process, causing a denial of service condition.

SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect and prevent attacks targeting this issue:

  • 5475 Generic Server Application Buffer Overflow Exploit 2

This vulnerability has been assigned CVE-2010-1930.

Defense Center – Rogue AV (June 25, 2010)

SonicWALL UTM Research team found instances of a new Rogue AV downloader being spammed in the wild with the theme “Statement of Fees”. The e-mail contains the downloader file inside the zip attachment.

Below is a sample e-mail:

Email Campaign – Statement of Fees

Subject: Statement of fees 2010

Attachment: Statement_of_Fees_2010.DOC.zip (contains Statement_of_Fees_2010.DOC.exe)

Email Body:
————————
Please find attached a statement of fees as
requested, this will be posted today.
The accomodation is dealt with by another
section and I have passed your request on to them
today

Kind regards.
{email sender}
————————

The e-mail message looks like below:

    screenshot

The malicious executable inside the zip attachment disguises itself as a document file by using the Microsoft Word icon:

screenshot

Once the user runs the executable file, the Trojan will download and install the Rogue AV from the following URLs:

  • http://(REMOVED)fic.com/ms04/ad
  • http://(REMOVED)can.com/ms04/ad
  • http://(REMOVED)kol.com/ms04/ad

Before downloading the Rogue AV, it first performs the following activities on the system:

  • To ensure that only one instance of this downloader runs in memory, it creates a mutex: AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
  • Adds the following to the registry:
    Key: HKEY_CURRENT_USER\Printers\Connections
    Data: "subid"="landing"
    Data: "affid"="396"
  • Creates the file _favdata.dat in the Documents and Settings\All Users\Favorites folder with the following content:
    386
    landing
  • Verifies that the location of the user is not in the following list before continuing its installation:
    – Azerbaijan
    – Belarus
    – Czech Republic
    – Kazakhstan
    – Kyrgyzstan
    – Poland
    – Russia
    – Ukraine
    – Uzbekistan

Rogue AV Installation

    screenshot

    screenshot

    screenshot

Files Added:

  • (Temp)\wscsvc32.exe – GAV: Conficker.gen (Worm)
  • (Temp)\autmgr32.exe – GAV: Tibs.JF (Trojan)
  • (Program Files)\Defense Center
  • (Program Files)\Defense Center\defcnt.exe – GAV: Conficker.gen (Worm)
  • (Program Files)\Defense Center\defext.dll – GAV: Conficker.gen (Worm)
  • (Program Files)\Defense Center\defhook.dll – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\About.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Activate.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Buy.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Defense Center Support.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Defense Center.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Scan.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Settings.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Update.lnk

Registries Added:

    Auto Startup Entry
  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Defense Center
    Data: ""C:\Program Files\Defense Center\defcnt.exe" -noscan"
    Disables Task Manager
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
    Shell Spawning
  • Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
    Value: @
    Data: autmgr32.exe /START "%1" %*
  • Key: HKEY_CLASSES_ROOT\secfile\shell\open\command
    Value: @
    Data: autmgr32.exe /START "%1" %*

Registries Modified:

  • Key: HKEY_CLASSES_ROOT\.exe
    Value: @
    Original Data: "exefile"
    New Data: "secfile"

After installation, the Rogue AV pretends to perform a full system scan for malware. At the end of the scan it displays fake results indicating that the system is infected:

    screenshot

Once the user clicks the button to remove the threats, it prompts for product activation, which redirects the user to its payment portal.

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via the following signatures:

  • GAV: TDSS.BHKV (Trojan) – (6,204 hits)
  • GAV: Tibs.JF (Trojan)
  • GAV: Tdss.BEEA_2 (Trojan)
  • GAV: Conficker.gen (Worm)

screenshot

HP OpenView NNM arg Buffer Overflow (June 25, 2010)

HP OpenView software provides large-scale system and network management of an organization's IT infrastructure. One of the modules provided by HP OpenView is the Network Node Manager (NNM), which supplies web-based tools to view the status of a network. NNM provides several CGI applications that allow users to manage the NNM server using a web browser; one of these CGI applications is jovgraph.exe.

There exists a buffer overflow vulnerability in HP OpenView Network Node Manager. Specifically, the vulnerability is due to insufficient boundary checking when jovgraph.exe handles the arg parameter. The vulnerable code does not validate the length of the arg parameter and copies the whole string into a fixed-length stack-based buffer.

A remote attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation would overwrite critical stack data, such as return addresses and exception handlers, and lead to arbitrary code injection and execution. If code execution is not successful, the vulnerable process may terminate abnormally, resulting in a denial of service condition.

The CVE identifier for this vulnerability is CVE-2010-1960.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4376 HP OpenView NNM jovgraph.exe BO Attempt

Malware targeting Facebook (June 18, 2010)

SonicWALL UTM Research team observed reports of new Facebook malware being spammed via private messages on Facebook. The message pretends to contain a link to a photo album but eventually leads to a download of the malware.

Thousands of users were reportedly affected by this malware. Messages sent by the malware from an infected machine look like:

  • “You? I find it on google. http://www.onli(REMOVED)albums.org/Ephraim_Garlit”
  • “That yours? I find it on google. http://www.onli(REMOVED)albums.org/Rhoda_Octavia”

If the recipient user clicks the link, it leads them to a malicious site that looks like:

screenshot

The malware is downloaded when the user clicks on the photo album:

screenshot

If the user attempts to open the downloaded executable, it performs the following activities:

  • It displays a dialog box with a fake message that the file type is not supported by the OS:

    screenshot

  • It drops three malicious executable files and executes them:
    • (TEMP)\1.exe
    • (TEMP)\2.exe
    • (TEMP)\3.exe

Process 1.exe

This process scans for any open Internet Explorer or Firefox instances and terminates them, to ensure that the code injected by process 3.exe is executed during the next browsing session.

Process 2.exe

This process performs the following file and registry modifications:

  • Drops a copy of itself at (Application Data)\dfw.exe [Detected as GAV: Kbot.ANJ (Trojan)]
  • Adds the registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfw.exe: ""(Application Data)\dfw.exe"" to ensure that it runs on system restart.
  • A memory dump taken while this process runs shows strings related to Facebook:

    screenshot

Process 3.exe

  • Scans for security-related processes such as Kaspersky, F-Secure and Comodo and terminates them when found.
  • Attempts to disable the System Restore functionality.
  • Drops a malicious DLL at (Application Data)\Windows Server\ckiobo.dll [Detected as GAV: Small.ACMO (Trojan)]
  • Adds the registry entries:
    • HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\AppSecDll: "(Application Data)\Windows Server\ckiobo.dll"
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll: "(Application Data)\Windows Server\ckiobo.dll"
  • Injects the malicious DLL code into memory, where it executes when the user connects to Facebook via IE or Firefox.
  • Deletes itself.

The following HTTP requests were initiated by the malware once the user logged onto Facebook from an infected machine:

  • GET /message.php?subid=284&version=_nn2&id=(REMOVED)XAOBd00TglD6O HTTP/1.1 Host: smartcontrol.info
  • GET /ab/setup.php?act=filters&id=(REMOVED)Qf7E4s2t&ver=2 HTTP/1.1 Host: spmfb3309.com
  • POST /ab/setup.php?act=data HTTP/1.1 Host: spmfb3309.com

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Kbot.ANJ (Trojan) signature.

ISC DHCP Server Denial of Service (June 18, 2010)

The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts (DHCP clients) to retrieve IP address assignments and other configuration information. DHCP uses a client-server architecture and utilizes UDP ports 67 and 68 for communication. The client sends a broadcast request for configuration information. The DHCP server receives the request and responds with configuration information from its configuration database. A typical DHCP transaction looks like:

[ Client ] ----- DISCOVER ----> [ Server ]
[ Client ] <------ OFFER ------ [ Server ]
[ Client ] ----- REQUEST -----> [ Server ]
[ Client ] <------- ACK ------- [ Server ]

All DHCP messages consist of a fixed-length header and some variable-length options. Each individual option record has the following format:

Offset Size Value
====== ==== ====================
0000 1 Option code
0001 1 Option length (len)
0002 len Option data

One of the option records is option 61, the Client Identifier.

A denial of service vulnerability exists in the ISC DHCP server, the most widely used open source DHCP implementation. Specifically, the vulnerability is due to a design error in the handling of a crafted Client Identifier option record. A remote attacker could exploit this vulnerability by sending a crafted DHCP message to the target server. Successful exploitation would terminate the process and cause a denial of service condition.
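As an added example (not ISC DHCP code), the following parser walks the option layout shown above, bounds-checks every record against the datagram, and refuses a Client Identifier shorter than the RFC 2132 minimum of two bytes; the three datagrams it classifies are constructed here. The minimum-length check is general hardening of option 61 handling, not a statement of which crafted record the advisory refers to.

```python
"""Parser for the option area of a DHCP message, with the Client Identifier
(option 61) validated before a server would act on it.

Added example, not ISC DHCP code: it follows the option layout given above
(1-byte code, 1-byte length, len bytes of data). The sample datagrams below
are constructed for illustration.
"""
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"  # "magic cookie" that precedes the options
OPT_PAD, OPT_END = 0, 255
OPT_CLIENT_ID = 61
FIXED_HEADER_LEN = 236            # op .. file fields of the BOOTP/DHCP header

class MalformedOptions(ValueError):
    """Any option record that does not fit the declared layout."""

def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the option area and return {code: data}.

    Every record is bounds-checked against the remaining payload, so a
    declared length that runs past the end of the datagram is rejected
    instead of being read out of bounds.
    """
    if len(payload) < FIXED_HEADER_LEN + len(DHCP_MAGIC):
        raise MalformedOptions("message shorter than fixed header + magic")
    if payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        raise MalformedOptions("missing DHCP magic cookie")
    pos, options = FIXED_HEADER_LEN + 4, {}
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == OPT_PAD:          # single-byte option, no length field
            continue
        if code == OPT_END:
            return options
        if pos >= len(payload):
            raise MalformedOptions(f"option {code}: length byte missing")
        length = payload[pos]
        pos += 1
        if pos + length > len(payload):
            raise MalformedOptions(f"option {code}: length {length} exceeds message")
        options[code] = payload[pos:pos + length]
        pos += length
    raise MalformedOptions("option area not terminated by END (255)")

def validate_client_id(options: Dict[int, bytes]) -> Optional[bytes]:
    """Return the Client Identifier if present and well formed.

    RFC 2132 gives option 61 a minimum length of 2 (a type byte plus at least
    one identifier byte); a shorter record is refused rather than acted on.
    """
    cid = options.get(OPT_CLIENT_ID)
    if cid is None:
        return None
    if len(cid) < 2:
        raise MalformedOptions(f"client identifier too short ({len(cid)} bytes)")
    return cid

def build_discover(option_bytes: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER carrying the given raw option bytes."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * (FIXED_HEADER_LEN - 4)
    return header + DHCP_MAGIC + option_bytes

# Constructed samples: message type (option 53) followed by a well-formed
# client id, a zero-length one, and one whose declared length overruns.
GOOD = build_discover(b"\x35\x01\x01\x3d\x07\x01\xaa\xbb\xcc\xdd\xee\xff\xff")
ZERO_LEN_CID = build_discover(b"\x35\x01\x01\x3d\x00\xff")
OVERRUN = build_discover(b"\x35\x01\x01\x3d\x20\x01\xaa")

def check(packet: bytes) -> str:
    """Classify a datagram the way a hardened server front end would."""
    try:
        cid = validate_client_id(parse_options(packet))
    except MalformedOptions as exc:
        return f"drop: {exc}"
    return "accept" if cid is None else f"accept cid={cid.hex()}"

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("zero_len", ZERO_LEN_CID), ("overrun", OVERRUN)):
        print(f"{name}: {check(pkt)}")
```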

The CVE identifier for this vulnerability is CVE-2010-2156.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 1079 ISC DHCP Server Client ID DoS

MS hcp-URL Cross Site Scripting (June 10, 2010)

Just one day after the busy Microsoft Patch Day in June, with ten security bulletins fixing 34 vulnerabilities, a new Cross Site Scripting (XSS) issue was publicly disclosed by Tavis Ormandy. It can potentially lead to shellcode execution within the logged-in user's security context.

Microsoft Windows Help and Support Center is the default application for accessing online documentation for Microsoft Windows. Microsoft supports opening help documents directly via URLs by installing a protocol handler for the “hcp” scheme; a typical example of the command line, taken from the Windows XP Command Line Reference, is shown below. Please refer to http://technet.microsoft.com/en-us/library/bb490918.aspx for details.

helpctr [/url [URL]] [/mode [URL]] [/hidden] [/fromstarthelp]

The Help and Support Center application is installed by default in c:\windows\pchealth\helpctr\binaries as helpctr.exe on Windows XP SP2 and later. A web browser can launch it with an hcp URL, which is passed on its command line together with the “/fromhcp” argument. This flag switches the Help Center into a restricted mode that only permits a white-listed set of help documents and parameters.

The application uses the function “MPC::HTML::UrlUnescapeW()” to normalize the URL, which in turn uses MPC::HexToNum() to translate URL escape sequences back into their original characters. However, the return code from MPC::HexToNum() is not sanitized as required, so unexpected garbage ends up in the standard string variable that receives the result. This error could allow an attacker to evade the white-list check mentioned above. On top of that, the attacker may make use of some web-accessible documents to call the vulnerable function and execute encoded shellcode. An example of such a document is:

C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfomain.htm
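To illustrate the failure mode described above, the following added example (not Microsoft's code; the function names only mirror the roles the post gives MPC::HexToNum() and UrlUnescapeW(), and the allow-list and URLs are constructed) shows how an unchecked -1 from the hex-digit helper turns an invalid escape into an unexpected wide character, and how a decoder that rejects such escapes keeps garbage away from the white-list comparison.

```python
"""Model of the unescape defect described above: a hex-digit helper that
reports failure through its return value, and a caller that never checks it.

Added example, not Microsoft's code. hex_to_num / url_unescape_* mirror the
MPC::HexToNum() / MPC::HTML::UrlUnescapeW() roles named in the post, but the
bodies are a simplified model; the allow-list and URLs are constructed.
"""
from typing import Callable, Optional

def hex_to_num(ch: str) -> int:
    """Value of one hex digit, or -1 when ch is not a hex digit (the error
    convention the post attributes to MPC::HexToNum())."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "a" <= ch.lower() <= "f":
        return ord(ch.lower()) - ord("a") + 10
    return -1

def url_unescape_unchecked(url: str) -> str:
    """Defective variant: the -1 failure code is combined like a digit and
    stored into a 16-bit wide character, so an invalid %XX escape turns into
    an unexpected character instead of an error."""
    out, i = [], 0
    while i < len(url):
        if url[i] == "%" and i + 2 < len(url):
            value = (hex_to_num(url[i + 1]) << 4) | hex_to_num(url[i + 2])
            out.append(chr(value & 0xFFFF))  # truncation to wchar_t width
            i += 3
        else:
            out.append(url[i])
            i += 1
    return "".join(out)

def url_unescape_checked(url: str) -> Optional[str]:
    """Hardened variant: an escape whose digits fail hex_to_num, or a '%'
    without two following characters, invalidates the whole URL (None), so
    no garbage ever reaches the allow-list comparison."""
    out, i = [], 0
    while i < len(url):
        if url[i] == "%":
            if i + 2 >= len(url):
                return None
            hi, lo = hex_to_num(url[i + 1]), hex_to_num(url[i + 2])
            if hi < 0 or lo < 0:
                return None
            out.append(chr((hi << 4) | lo))
            i += 3
        else:
            out.append(url[i])
            i += 1
    return "".join(out)

# Constructed allow-list standing in for the restricted-mode document set.
ALLOWED_DOCUMENTS = {"hcp://system/example/allowed.htm"}

def restricted_mode_allows(url: str, unescape: Callable[[str], Optional[str]]) -> bool:
    """Normalize with the given decoder, then require an exact allow-list hit."""
    normalized = unescape(url)
    return normalized is not None and normalized in ALLOWED_DOCUMENTS

def demo() -> dict:
    """Run both decoders over a valid escape and an invalid one."""
    valid = "hcp://system/example/allowed%2Ehtm"    # %2E is '.'
    invalid = "hcp://system/example/allowed%2Zhtm"  # 'Z' is not a hex digit
    return {
        "unchecked_valid": url_unescape_unchecked(valid),
        "unchecked_invalid": url_unescape_unchecked(invalid),
        "checked_valid": url_unescape_checked(valid),
        "checked_invalid": url_unescape_checked(invalid),
        "checked_allows_valid": restricted_mode_allows(valid, url_unescape_checked),
        "checked_allows_invalid": restricted_mode_allows(invalid, url_unescape_checked),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```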

The SonicWALL UTM team has researched this vulnerability and created an IPS signature to detect and prevent attacks exploiting this issue:

  • 4177 MS hcp-URL sysinfomain.htm XSS

This vulnerability has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Adobe Flash Player Zero Day exploit (Jun 8, 2010)

SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-1297) in Adobe Flash Player, Reader and Acrobat affecting the Windows, Mac OS X, Linux and Solaris operating systems. Successful exploit attempts typically lead to an application crash and could potentially allow the attacker to gain control of the victim machine. Affected software versions include Adobe Flash Player 10.0.45.2 and earlier, and Adobe Reader and Acrobat 9.3.2 and earlier. Adobe issued a security advisory on June 4, 2010 warning users about this flaw.

SonicWALL UTM Research team obtained a zero-day exploit for this vulnerability: a specially crafted PDF file containing a malicious packed Shockwave Flash (SWF) file and malicious encoded JavaScript. The exploit may arrive via e-mail or be served from a malicious drive-by site.

The decoded JavaScript extracted from the PDF file shows the presence of shellcode that drops a malicious executable file onto the target machine:

screenshot

The embedded malicious SWF file looks like this when executed:

screenshot

The malicious PDF file when opened performs the following:

  • The encoded JavaScript uses a heap-spraying technique with large Unicode strings to place the embedded shellcode in memory.
  • The malicious SWF file is executed, which triggers the vulnerability and causes the Adobe application to crash.
  • The crash leads to the execution of the shellcode that already resides in memory.
  • The shellcode extracts a malicious executable file from the PDF and drops it onto the victim machine:
    • c:\-.exe [Detected as: GAV: DownLdr.AC (Trojan)]

The dropped malware executable is a backdoor Trojan that performs the following activities on the victim machine:

  • Sends a GET request, GET /ddradmin/ddrh.ashx?guid=00000000-0000-0000-0000-000000000000, to a predetermined IP address. [The server appeared to be down at the time of writing this alert.]
  • Drops the following files:
    • (Windows System)\dllcache\qmgr.dll
    • (Windows System)\qmgr.dll
    • (Windows System)\es.ini
    • (Windows System)\kernel64.dll
    • (Windows)\EventSystem.dll

    The dropped DLL files are detected as GAV: Agent.AAQJ (Trojan).

Adobe announced today that a security patch for Flash Player will be released on June 10, 2010, while the security patch for Adobe Reader and Acrobat will be available on June 29, 2010.

SonicWALL UTM appliance provides protection against this threat via GAV: Pdfka.CKQ (Exploit) and IPS: Adobe PDF File with Flash signatures.

Protection Center – Rogue AV (June 4, 2010)

SonicWALL UTM Research team observed reports of a new Rogue AV downloader being spammed in the wild using a variety of e-mail themes. The e-mail contains the downloader file inside a zip attachment. Below are sample e-mails for each of these spam themes:

Campaign #1 – Online Order e-mail spam

Subject: Thank you for setting the oder No. [6-digits]

Attachment: label.zip (contains label.exe)

Email Body:
————————
Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was send at your address.
The tracking number of your postal parcel is indicated in the document
attached to this letter
Please print out the postal label for receiving the parcel.

Internet Store.
————————

The e-mail message looks like below:

    screenshot

Campaign #2 – Outlook Setup Notification email spam

Subject: Outlook Setup Notification

Attachment: outlookupdate.zip (contains outlookupdate.exe)

Email Body:
————————
You have (8) messages from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.
————————

The e-mail message looks like below:

    screenshot

Campaign #3 – Twitter Password e-mail spam

Subject: Reset your Twitter password

Attachment: password.zip (contains password.exe)

Email Body:
————————
Hey there.

Because of the measures taken to provide safety to our
clients, your password has been changed.
You can find your new password in attached document.

Yours,
Twitter=
————————

The e-mail message looks like below:

    screenshot

Rogue AV Installation

Once the user opens the zip attachment and executes the malicious file, the Trojan downloads and installs the Rogue AV from the following URLs:

  • http://(REMOVED).org/ms03/ad
  • http://(REMOVED).com/ms03/ad
  • http://(REMOVED).com/ms03/ad

    screenshot

    screenshot

Files Added:

  • Documents and Settings\{User}\Local Settings\Temp\wscsvc32.exe – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Local Settings\Temp\mscdexnt.exe – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center
  • Program Files\Protection Center\cntprot.exe – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center\cntext.dll – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center\cnthook.dll – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\About.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Activate.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Buy.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Protection Center Support.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Protection Center.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Scan.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Settings.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Update.lnk

Registries Added:

    Auto Startup Entry
  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Protection Center
    Data: ""C:\Program Files\Protection Center\cntprot.exe" -noscan"
    Disabling Task Manager
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
    Shell Spawning
  • Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
    Value: @
    Data: mscdexnt.exe /START "%1" %*
  • Key: HKEY_CLASSES_ROOT\secfile\shell\open\command
    Value: @
    Data: mscdexnt.exe /START "%1" %*

Registries Modified:

  • Key: HKEY_CLASSES_ROOT\.exe
    Value: @
    Original Data: "exefile"
    New Data: "secfile"
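The registry entries just listed, and the identical set in the Defense Center post above, are the indicators a host check would look for (the .exe association repointed to a "secfile" class whose open command runs the rogue binary first, DisableTaskMgr, and the Run-key autostart); the AppCertDlls entry from the Facebook malware post fits the same check. The following is an added example, not SonicWALL's code: it parses a constructed .reg export (all paths and values below are constructed to mirror the listings) and flags those entries.

```python
"""Flag the registry indicators shared by the Defense Center and Protection
Center installers (the .exe association repointed to a 'secfile' class whose
open command runs the rogue binary first, DisableTaskMgr, Run-key autostart)
and the AppCertDlls entry seen in the Facebook malware post.

Added example, not SonicWALL code: it parses a constructed .reg export so it
runs offline; on a live host the same checks would be fed from a reg.exe
export. Paths in SAMPLE_REG are constructed to match the posts' listings.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="autmgr32.exe /START \"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Defense Center"="\"C:\\Program Files\\Defense Center\\defcnt.exe\" -noscan"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\user\\Application Data\\Windows Server\\ckiobo.dll"
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_RUN = r"\software\microsoft\windows\currentversion\run"
_POLICY = r"\software\microsoft\windows\currentversion\policies\system"
_APPCERT = r"hkey_local_machine\system\currentcontrolset\control\session manager\appcertdlls"

def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}}. '@' is the default value;
    dword values become ints, strings are unescaped. Key paths are
    lower-cased because the registry compares them case-insensitively."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if current is None or not match:
            continue
        name = "@" if match.group(1) == "@" else _unescape(match.group(1)[1:-1])
        raw = match.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = _unescape(raw[1:-1])
    return keys

def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the entries the posts describe."""
    findings: List[Tuple[str, str]] = []
    exe_class = keys.get(r"hkey_classes_root\.exe", {}).get("@")
    if isinstance(exe_class, str) and exe_class.lower() != "exefile":
        findings.append(("exe_hijack", f".exe default is '{exe_class}', expected 'exefile'"))
        cmd_key = "hkey_classes_root\\" + exe_class.lower() + r"\shell\open\command"
        cmd = str(keys.get(cmd_key, {}).get("@", ""))
        if not cmd.startswith('"%1"'):  # a legitimate handler starts with the target itself
            findings.append(("shell_wrapper", f"{exe_class} runs another binary first: {cmd}"))
    for hive in ("hkey_current_user", "hkey_local_machine"):
        if keys.get(hive + _POLICY, {}).get("DisableTaskMgr") == 1:
            findings.append(("taskmgr_disabled", f"{hive} DisableTaskMgr=1"))
        for name, data in keys.get(hive + _RUN, {}).items():
            findings.append(("run_key", f"{hive} Run\\{name} = {data}"))
    for name, data in keys.get(_APPCERT, {}).items():
        findings.append(("appcertdlls", f"{name} -> {data}"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{kind}] {detail}")
```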

After installation, the Rogue AV runs and pretends to scan the whole system for malware. At the end of the scan it displays fake results indicating that the system is infected. Shown below is a screenshot of the fake detection result.

    screenshot

Once the user clicks the button to remove the threats, it will prompt for product activation which redirects the user to its payment portal.

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via the following signatures:

  • GAV: Suspicious#polycrypt.12 (Worm) – (5,996,197 hits)
  • GAV: Suspicious#fakeav_4 (Trojan) – (339,789 hits)
  • GAV: FakeAV.DN (Trojan)
  • GAV: Conficker.gen (Worm)

screenshot

screenshot

Desktop Security 2010 – Rogue AV (May 6, 2010)

SonicWALL UTM Research team observed reports of a new Rogue AV downloader being spammed in the wild since yesterday via Invoice e-mail spam and Ecard e-mail spam campaigns. The Downloader Trojan arrives as an e-mail attachment or gets downloaded via a URL in the e-mail.

Campaign #1 – Transaction Invoice e-mail spam

Subject: Your transaction has been processed

Attachment: invoice.zip (contains invoice.exe)

Email Body:
————————
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
And will inform you about delivery.
Sincerely,
Amazon Team
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Ecard e-mail spam

Subject: You Have Received a Greeting Card

Attachment: none

Email Body:
————————
Good day.
You have received an eCard

To pick up your eCard, click on the following link (or copy & paste it
into your web browser):

htt://groups.google.com/group/{REMOVED}/setup.zip

Your card will be available for pick-up beginning for the next 30
days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!
————————

The e-mail message looks like below:

screenshot

When the user clicks the URL, it will lead to this Google Groups page pointing to the Rogue AV downloader.

screenshot

Installation
It installs itself as the following files; the file names may differ from one infection to another:

  • Program Files\Common Files\Microsoft Shared\DW\ApplicationReporting.exe – (151,040 bytes)
  • Program Files\Common Files\Microsoft Shared\DW\1033\WindowsTMOperating.exe – (151,040 bytes)
  • Program Files\Common Files\Microsoft Shared\DW\1036\ErrorMicrosoft.exe – (151,040 bytes)
  • Program Files\Windows NT\Accessories\WindowsMicrosoft.exe – (151,040 bytes)
  • Program Files\Online Services\ProvidersRefer.exe – (151,040 bytes)

It attempts to connect to securehttpss.com and downloads the Desktop Security 2010 installer via the following HTTP request:

  • GET Request: GET /getfile.php?r={random 10-digit string}&p={REMOVED}=

Installs the Desktop Security 2010 Rogue AV as seen below:

screenshot

screenshot

Registry Changes

    Added Registry

  • Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: TCPViewSysinternals
    Data: "C:\Documents and Settings\(UserName)\Desktop\invoice.exe"

    Value: SAPI5WindowsTM
    Data: "c:\program files\common files\microsoft shared\speech\1033\windowstmoperating.exe"

  • Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Value: DWIntl20Application
    Data: "Program Files\Common Files\Microsoft Shared\DW\1036\ErrorMicrosoft.exe"

    Value: wordpadWindows
    Data: "Program Files\Windows NT\Accessories\WindowsMicrosoft.exe"

    Value: NotificationsSubscriber
    Data: "Program Files\Common Files\Microsoft Shared\DW\ApplicationReporting.exe"

    Value: moreInternet
    Data: "Program Files\Online Services\ProvidersRefer.exe"

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Desktop Security 2010
    Data: "Application Data\Desktop Security 2010\Desktop Security 2010.exe" /STARTUP

    Value: SecurityCenter
    Data: "Application Data\Desktop Security 2010\securitycenter.exe"

  • Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010
    Value: DisplayName
    Data: "Desktop Security 2010"

    Value: UninstallString
    Data: "Application Data\Desktop Security 2010\securityhelper.exe" /UNINSTALL

    Value: DisplayIcon
    Data: "Application Data\Desktop Security 2010\securityhelper.exe",1

Remote Server Connection:

This Rogue AV tries to connect to a remote server and reports back system information and installation logs. Shown below is sample data sent to the server:

screenshot

SonicWALL Gateway AntiVirus provided protection against these spammed Rogue AV variants via the following signatures:

  • GAV: FakeAlert.GEN_6 (Trojan) – (3 million hits recorded so far)
  • GAV: FakeAV.DH (Trojan)

screenshot