Archive for the ‘MSRT’ Category

Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection

May 26th, 2016

Every month, Microsoft’s Malicious Software Removal Tool (MSRT) scans more than 500 million Windows devices for malware and malicious software. This tool aids in the detection and removal of malware from 1 to 2 million machines each time, even on those devices running antivirus software. Meanwhile, many Windows customers continue to use the Microsoft Safety Scanner (MSS) to manually scan their PC for malware.

Windows 10 is the most secure operating system Microsoft has ever shipped, and we continue to make it better with regular security updates and new features. For example, we’re making malware detection and protection even easier and more seamless for our customers, whether they choose to use the built-in Windows Defender antivirus or a third-party antivirus solution. Starting with the Windows 10 Anniversary Update this summer—and available in this week’s Windows Insider build—Windows 10 will include a new security setting called Limited Periodic Scanning. Windows Insiders can enable this feature on unmanaged devices today.

When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your PC for threats and remediate them. These periodic scans will utilize Automatic Maintenance—to ensure the system chooses optimal times based on minimal impact to the user, PC performance, and energy efficiency—or customers can schedule these scans. Limited Periodic Scanning is intended to offer an additional line of defense alongside your existing antivirus program’s real-time protection.

Enabling Windows 10 Limited Periodic Scanning

If you are not using Windows Defender as your antivirus program on Windows 10, you can enable Limited Periodic Scanning under Settings.

  1. Navigate to Settings -> Update & Security -> Windows Defender.
  2. Turn Limited Periodic Scanning on.

Screenshot of the Limited Periodic Scanning option

If you are already using Windows Defender as your antivirus program on Windows 10, then you already have this feature: Windows Defender periodically scans your PC (these are known as scheduled scans).

Notifying you of threats found on your PC

When Windows 10 Limited Periodic Scanning is turned ON, and even if you are NOT using Windows Defender for your real-time protection, the Windows Defender user interface and History tab will allow you to view any additional threats that have been detected.

Screenshot of Windows Defender periodic scanning settings

Screenshot of the Windows Defender History settings

When a threat is found, Windows Defender will notify you with a Windows 10 notification. In most cases, Windows Defender will also automatically take action on the threat. Clicking on the notification will open Windows Defender where you can further review the threat that was found and the action that was automatically taken.

Screenshot of the Windows Defender scan notification

Clicking the notification will take you to the Windows Defender main user interface, where additional actions (if required) can be taken and applied.

At this time, Windows 10 Limited Periodic Scanning is intended for consumers. We are evaluating this feature for commercial customers, but Limited Periodic Scanning only applies to unmanaged devices for the Windows 10 Anniversary Update.

Windows 10 is our most secure operating system yet, and we will continue to improve Windows 10 with features like Limited Periodic Scanning. With Windows 10, you can rest assured you’ll always have the latest security protections. To learn more about the security features offered in Windows 10 visit: http://www.microsoft.com/security.

Deepak Manohar

Microsoft Malware Protection Center

Large Kovter digitally-signed malvertising campaign and MSRT cleanup release

May 10th, 2016

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users in the United States are almost exclusively targeted, and infected PCs are used to perform click-fraud and to install additional malware on the machine.

Starting April 21, 2016, we observed a large Kovter malware attack; in just a week and a half we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL certificates to secure HTTPS connections to their sites, and their own code signing certificate to sign the downloaded malware.

Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

Kovter’s digitally signed malvertising campaign

Malvertising is a technique bad actors use to attack your PC: they buy advertisement space with ad networks, ad exchanges, and ad publishers. These ads then appear on many websites that use the same advertisement network, and attack some of the users as they visit those websites.

Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

Using malvertising, we’ve seen attackers employ a variety of techniques, such as:

  • Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious; they have not detected a problem on your PC.
  • Attempting to lock your browser and demanding payment, like ransomware. You can close your browser or restart your computer to escape; this type of “ransomware” hasn’t really locked your PC.
  • Loading an exploit kit to attack your browser or a browser plugin.
  • Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up to date is really important for keeping your PC safe from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update themselves when they prompt you outside of your browser, or go to the official websites to install the missing components.

The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting affected websites are redirected to fake websites impersonating the familiar Adobe Flash download page, which claim your Flash Player is out of date; Trojan:Win32/Kovter is then automatically downloaded, pretending to be “FlashPlayer.exe”.

Figure 1 – Kovter’s fake Adobe update malvertising infection chain

For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:

  • aefoopennypinchingpolly.com
  • ahcakmbafocus.org
  • ahxuluthscsa.org
  • caivelitemind.com
  • ierietelio.org
  • paiyafototips.com
  • rielikumpara.org
  • siipuneedledoctor.com
  • ziejaweleda.org

The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

Admin Email: monty.ratliff@yandex.com

As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

https://<domain>/<random numbers>/<random hex>.html

For example:

hxxps://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html

By using HTTPS, the browser displays a ‘secure’ lock symbol – incorrectly adding to the user’s trust that the website is safe, while at the same time preventing most network intrusion protection systems from protecting the user. Endpoint antimalware solutions such as Windows Defender, however, still protect the user. We were unable to confirm this because the servers had been taken down, but reports online suggest trial COMODO SSL certificates were used to secure these connections in past Kovter campaigns.

When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:

hxxps://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe
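The two URL shapes above (the landing page and the FlashPlayer.exe download) and the redirect domains listed earlier are enough to triage web proxy logs for this chain. The following script is an added example, not code from the original post: it classifies each logged URL against those patterns and then correlates, per client, a landing-page hit followed by a download. The log format, the client addresses, the `example-news.test` and `fpdownload.adobe.test` hosts are constructed; the regexes generalize the post’s single example to any all-numeric directory segments and a hex file name of at least 16 characters.

```python
"""Proxy-log triage for the Kovter fake-Flash malvertising chain.

Added example, not code from the MMPC post. The redirect domains and URL
shapes come from the write-up; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Redirect domains named in the write-up.
KOVTER_DOMAINS = {
    "aefoopennypinchingpolly.com", "ahcakmbafocus.org", "ahxuluthscsa.org",
    "caivelitemind.com", "ierietelio.org", "paiyafototips.com",
    "rielikumpara.org", "siipuneedledoctor.com", "ziejaweleda.org",
}

# https://<domain>/<random numbers>/<random hex>.html
# (assumption: the hex name is at least 16 characters, as in the post's example)
LANDING_RE = re.compile(r"^/\d+/[0-9a-f]{16,}\.html$", re.I)
# https://<domain>/<numbers>/<numbers>/.../FlashPlayer.exe
DOWNLOAD_RE = re.compile(r"^(?:/\d+)+/FlashPlayer\.exe$", re.I)


def classify_url(url):
    """Return a verdict label for one URL, or None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    known = host in KOVTER_DOMAINS
    if DOWNLOAD_RE.match(parts.path):
        return "download:known-domain" if known else "download:pattern-only"
    if LANDING_RE.match(parts.path):
        return "landing:known-domain" if known else "landing:pattern-only"
    return "domain-only" if known else None


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2016-04-22T10:01:03Z 10.0.0.12 GET https://www.example-news.test/article/123 200
2016-04-22T10:01:05Z 10.0.0.12 GET https://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html 200
2016-04-22T10:01:07Z 10.0.0.12 GET https://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe 200
2016-04-22T10:03:44Z 10.0.0.31 GET https://fpdownload.adobe.test/get/flashplayer/FlashPlayer.exe 200
"""


def scan_proxy_log(text):
    """Return (timestamp, client, verdict, url) for every matching line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


def infected_clients(text):
    """Clients that fetched a landing page and a FlashPlayer.exe download:
    the full chain from Figure 1, which warrants a host investigation."""
    stages = {}
    for _ts, client, verdict, _url in scan_proxy_log(text):
        stages.setdefault(client, set()).add(verdict.split(":")[0])
    return {c for c, s in stages.items() if {"landing", "download"} <= s}


if __name__ == "__main__":
    for ts, client, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} {verdict:22} {url}")
    print("chain observed on:", sorted(infected_clients(SAMPLE_LOG)))
```

The known-domain list ages quickly (the post itself notes the servers were taken down), so the pattern-only verdicts are what keep the check useful after the domains rotate; the per-client correlation is what separates a blocked redirect from a host that actually fetched the installer.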

Some example FlashPlayer.exe downloaded files for reference are as follows:

Sha1                                      Md5
eafe025671e6264f603868699126d4636f6636c7  c26b064b826f4c1aa6711b7698c58fc0
0686c48fd59a899dfa9cbe181f8c52cbe8de90f0  e0a31d6b58017428dd8c907b14ea334e
62690c0a5a9946f91855a476b7d92447e299c89a  18ccf307730767c4620ae960555b9237
7a678fa58e310749362a432db9ff82aebfb6de62  f6406681e0652e33562d013a8c5329b9
872d157c9c844636dda2f33be83540354e04f709  42b1b775945a4f21f6105df8e9c698c2
37a8ad4a51b6f7b418c17abd8de9fc089a23125d  3767f655a462c4bf13ae83c5f7656af4
cfebfe6d4065dd14493abeb0ae6508a6d874d809  a14a38ebe3856766d55c1af35fb1681f
c48b21c854d6743c9ebe919bf1271cade9613890  321f9b3717655e1886305f4ca01129ad
4df10be4b12f3c7501184097abee681a1045f2ed  0966f977c6d319e838be9b2ceb689fbe
457f0f7fe85fb97841d748af04166f2a3e752efe  7214015e37750f3ee65d5054a5d1ff8a

These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

Screenshot of the COMODO code signing certificate issued to “Itgms Ltd”

We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

The sheer volume of PCs encountering Kovter during this attack, along with the attackers apparently having been issued their own digital certificates, is a cause for concern. Lucky for us, the digital signing actually helped us better identify Kovter files and better protect you, since we are able to uniquely identify and remove all files signed by this certificate. We will continue to monitor Kovter to keep you protected.

MSRT coverage

As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware that uses infected Microsoft Office files to download the ransomware onto your PC.

By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.

Kovter Installation

On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

  • Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
  • Md5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware drops its main payload as data in a registry key (HKCU\Software\<random_chars> or HKLM\Software\<random_chars>). For example, we have seen it drop the payload into the following registry keys:

  • hklm\software\oziyns8
  • hklm\software\2pxhqtn
  • hkcu\software\mpcjbe00f
  • hkcu\software\fxzozieg

Kovter then installs JavaScript as a registry value under run keys and other paths that execute automatically at startup, such as:

  • hklm\software\microsoft\windows\currentversion\run
  • hklm\software\microsoft\windows\currentversion\policies\explorer\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
  • hkcu\software\microsoft\windows\currentversion\run
  • hkcu\software\classes\<random_chars>\shell\open\command

The dropped JavaScript registry value usually has the format “mshta javascript: <malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the payload data from the Kovter registry key into memory and executes it.

Once executing in memory, the malware also injects itself into legitimate processes, including:

  • regsvr32.exe
  • svchost.exe
  • iexplorer.exe
  • explorer.exe

After installation, the malware removes the original installer from the disk, leaving only the registry keys that contain the malware.

Payload

Lowers Internet security settings

It modifies the following registry entries to lower your Internet security settings:

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Sets value: “1400” With data: “0”
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Sets value: “1400” With data: “0”

Sends your personal information to a remote server

We have seen this malware send information about your PC to the attacker, including:

  • Antivirus software you are using
  • Date and time zone
  • GUID
  • Language
  • Operating system

It can also detect specific tools on your PC and send that information back to the attacker:

  • JoeBox
  • QEmuVirtualPC
  • Sandboxie
  • SunbeltSandboxie
  • VirtualBox
  • VirtualPC
  • VMWare
  • Wireshark

Click-fraud

This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.

Download updates or other malware

This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:

Demographics

Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April

Figure 3 – Kovter’s geographic distribution shows that the majority of the affected machines are in the United States

Mitigation and prevention

To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

Geoff McDonald and Duc Nguyen

MMPC

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

The bothersome Bedep

Win32/Bedep was first detected on November 25, 2014, as a malware family made up of DLLs that has been distributed by the Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send it to the hacker, watch what you do online, drop other malware onto your PC, and update it too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and Southeast Asia in the last six months.

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months.

The exploit shellcode sometimes loads Bedep directly into memory from the Angler Exploit Kit, without writing it to disk. At other times it is written to disk.

It can be installed either as a 32-bit DLL (Backdoor:Win32/Bedep.A) or a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful about approving User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%\{CLSID}\<filename>.dll

Example path and file name: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32

Example: HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Sets value: “ThreadingModel”

With data: “Apartment”

Sets value: “” (the default value)

With data: %Bedep Filename%

Example: “C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll”

In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%

Example: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask”

With data: dword:ffffffff
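The Bedep registry artifacts above, together with the Kovter run-key values (“mshta javascript: …”) and the Internet Settings zone change (“1400” set to 0 under zones 1 and 3) described in the Kovter post earlier in this archive, can be turned into a single triage check over an exported registry hive. The Python below is an added example, not MMPC tooling: it parses a constructed `.reg` export (the sample is made up; the key paths, value names and GUIDs mirror the two write-ups, and the OneDrive entry stands in for a benign autorun) and flags each of the four patterns. Only the `.reg` subset shown is handled (string values, the `@` default, and `dword` values); that is an assumption of this example.

```python
"""Registry triage for the persistence artifacts described in the Kovter and
Bedep write-ups. Added example, not MMPC code; the .reg sample is constructed."""
import re

# Constructed .reg export: one benign Run entry plus entries shaped like the
# two write-ups describe (the "pvqcvx" value name is made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"pvqcvx"="mshta javascript:<kovter payload omitted>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000

[HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32]
@="C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
"DriveMask"=dword:ffffffff
"""

VALUE_LINE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Return (key, value_name, data) triples from a .reg export.
    Handles the subset used above: string values, the @ default and dword."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE_RE.match(line)
        if not m or key is None:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            # Undo .reg string escaping: \\ -> \ and \" -> "
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries.append((key, name, data))
    return entries


GUID = r"\{[0-9A-Fa-f-]{36}\}"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run$", re.I)
SHELL_OPEN_RE = re.compile(r"\\Software\\Classes\\[^\\]+\\shell\\open\\command$", re.I)
ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\[13]$", re.I)
CLSID_INPROC_RE = re.compile(r"\\CLSID\\" + GUID + r"\\InprocServer32$", re.I)
DRIVE_EXT_RE = re.compile(r"\\Drive\\ShellEx\\FolderExtensions\\" + GUID + r"$", re.I)
MSHTA_JS_RE = re.compile(r"^\s*\"?mshta(?:\.exe)?\"?\b.*javascript:", re.I)
PROGRAMDATA_DLL_RE = re.compile(
    r"^(?:%ProgramData%|[A-Za-z]:\\ProgramData)\\" + GUID + r"\\[^\\]+\.dll$", re.I)


def find_indicators(entries):
    """Match each parsed entry against the write-ups' persistence patterns."""
    findings = []
    for key, name, data in entries:
        # Kovter: mshta launching an inline javascript: payload from an autorun location
        if (RUN_KEY_RE.search(key) or SHELL_OPEN_RE.search(key)) and MSHTA_JS_RE.match(data):
            findings.append(("kovter:mshta-javascript-autorun", key, name))
        # Kovter: Active Scripting (1400) forced to 0 (enabled) in zone 1 or 3
        if ZONE_RE.search(key) and name == "1400" and data.lower() == "dword:00000000":
            findings.append(("kovter:active-scripting-enabled", key, name))
        # Bedep: CLSID InprocServer32 default pointing at %ProgramData%\{GUID}\*.dll
        if CLSID_INPROC_RE.search(key) and name == "" and PROGRAMDATA_DLL_RE.match(data):
            findings.append(("bedep:clsid-inproc-programdata-dll", key, data))
        # Bedep: shell extension registered for every drive letter
        if DRIVE_EXT_RE.search(key) and name.lower() == "drivemask" and data.lower() == "dword:ffffffff":
            findings.append(("bedep:drive-folderextension", key, name))
    return findings


def scan_reg_text(text):
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for kind, key, detail in scan_reg_text(SAMPLE_REG):
        print(f"{kind:36} {key}  [{detail}]")
```

Run it against a `reg export HKCU` dump; the key-suffix matching deliberately ignores the hive prefix, so the same rules apply to HKLM and to the Wow6432Node paths listed in the Kovter post.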

 

For details about various Bedep variants, see the following malware encyclopedia entries:

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

Jonathan San Jose

MMPC

MSRT March 2016 – Vonteera

March 9th, 2016

As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.

BrowserModifier:Win32/Vonteera

We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera add legitimate certificates belonging to a number of security and antimalware products to the untrusted certificates list that Windows maintains, which forces Windows to distrust those products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

It also runs a service, so even if you delete these certificates from the untrusted list, Vonteera adds them back, and you still might not be able to run your security software.

Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Microsoft assists law enforcement to help disrupt Dorkbot botnets

December 3rd, 2015

Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disables security protection, and distributes several other prevalent malware families.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

Dorkbot telemetry

During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

Figure 1: Dorkbot infection trend for the past six months

Figure 2: Dorkbot detections by country for the past six months

Figure 3: Dorkbot machine detections heat map for the past three months

Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy through underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet. Figures 4 and 5 show one of the builder interfaces for Dorkbot – illustrating all available functionality that the operator can set through the kit, including the IRC server settings and the command settings.

Figure 4: Dorkbot builder IRC server settings

Figure 5: Dorkbot builder command settings

Distribution

Dorkbot malware has been distributed in various ways, including:

  • Removable drives (USB “thumb-drives”)
  • Instant messaging clients
  • Social networks
  • Drive-by downloads / Exploit kits
  • Spam emails

Figure 6: Dorkbot distribution methods

During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software that is designed to infect user computers that connect to the website using software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator. 

When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

Behaviors

Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

Dorkbot loader

Because Dorkbot is sold online, several operators use it. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.

Figure 7: The original Dorkbot self-check routine, which a recent operator cracked

Dorkbot loader – update and download other malware

The loader module contains an encoded download URL in its binary. Currently the binaries hosted at these URLs are Dorkbot’s downloader component, its self-update, and other malware families.

Figure 8: Decoded download URLs in the loader module

The Dorkbot worm can receive commands to download and install additional malware on the infected computer, causing users whose computers are infected with Dorkbot to be infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed below:

The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

Dorkbot loader – guide IRC module to real C&C

Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

The loader creates a trap process (for example, mspaint.exe) and installs a code hook on DNS-related APIs (DnsQuery_A, DnsFree). The hook checks whether the query is for the old C&C server domain and, if so, returns the DNS result for the preferred domain instead.

Figure 9: Overview of the trap process guiding the IRC module to the real C&C

Figure 10: C&C server overriding

Figure 11: List of C&C domains

After connecting to the C&C server, the IRC module starts receiving commands.

Dorkbot – IRC module (aka NgrBot)

After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.

Figure 12: Dorkbot C&C communication via IRC

Operators keep patching string fragments such as IRC-related commands (USER, PASS, NICK, PRIVMSG, etc.) and the machine’s unique nickname format.

Figure 13: Comparison of the old (top) and new (bottom) versions of Dorkbot

Stealing online user credentials

Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

  • HttpSendRequestA/W
  • InternetWriteFile
  • PR_Write

It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

  • AOL
  • eBay
  • Facebook
  • Gmail
  • Godaddy
  • OfficeBanking
  • Mediafire
  • Netflix
  • PayPal
  • Steam
  • Twitter
  • Yahoo
  • YouTube

Anti-security techniques

Blocking websites

Once connected to the C&C server, Dorkbot may be instructed to block certain security websites by blocking access to them. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

Anti-sandbox techniques

Whenever the loader runs on a system, it will record the time of its first execution in %TEMP%c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader will check if current time is at least 48 hours past the time recorded on installation. This way the loader can hide the download URLs from antimalware backend analysis system.

Remediation

To help prevent a Dorkbot infection, as well as other malware and unwanted software:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antimalware software regularly.

Our real-time security software, such as Windows Defender for Windows 10 for Windows 10 with up-to-date AV definitions will to ensure you have the latest protection against Dorkbot threats.

Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC

Microsoft assists law enforcement to help disrupt Dorkbot botnets

December 3rd, 2015 No comments

Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disables security protection, and distributes several other prevalent malware families.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

Dorkbot telemetry

During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

Figure 1: Dorkbot infection trend for the past six months

Figure 2: Dorkbot detections by country for the past six months

Figure 3: Dorkbot machine detections heat map for the past three months

Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy through underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet. Figures 4 and 5 show one of the builder interfaces for Dorkbot, illustrating all available functionality that the operator can set through the kit, including the IRC server settings and the command settings.

Figure 4: Dorkbot builder IRC server settings

Figure 5: Dorkbot builder command settings

Distribution

Dorkbot malware has been distributed in various ways, including:

  • Removable drives (USB “thumb-drives”)
  • Instant messaging clients
  • Social networks
  • Drive-by downloads / Exploit kits
  • Spam emails

Figure 6: Dorkbot distribution methods

During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software designed to infect the computers that connect to the website by exploiting software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator.

When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

Behaviors

Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

Dorkbot loader

Being sold online, there are several operators utilizing Dorkbot. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.
Figure 7: Original Dorkbot has a self-check routine that was cracked by a recent operator

Dorkbot loader – update and download other malware

The loader module contains an encoded download URL in its binary. Currently the binaries hosted in these URLs are Dorkbot’s downloader component, self-update, and other malware families.
Figure 8: Decoded download URLs in the loader module

The Dorkbot worm can receive commands to download and install additional malware on the infected computer, so users whose computers are infected with Dorkbot are often infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed below:

The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

Dorkbot loader – guide IRC module to real C&C

Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

The loader creates a trap process (for example, mspaint.exe) and installs a code hook on DNS-related APIs (DnsQuery_A, DnsFree). The hook code checks whether the query is for the old C&C server domain and, if so, returns the DNS result for the preferred domain instead.

Figure 9: Overview of trap process guiding to real C&C

Figure 10: C&C server overriding

Figure 11: List of C&C domains

After connecting to the C&C server, the IRC module starts receiving commands.

Dorkbot – IRC module (aka NgrBot)

After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.
Figure 12: Dorkbot C&C communication via IRC

Operators keep patching string fragments such as the IRC-related commands (USER, PASS, NICK, PRIVMSG, etc.) or the format of the machine’s unique nickname.
Figure 13: Comparison of the old (top) and new (bottom) versions of Dorkbot

Stealing online user credentials

Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

  • HttpSendRequestA/W
  • InternetWriteFile
  • PR_Write

It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

  • AOL
  • eBay
  • Facebook
  • Gmail
  • Godaddy
  • OfficeBanking
  • Mediafire
  • Netflix
  • PayPal
  • Steam
  • Twitter
  • Yahoo
  • YouTube

Anti-security techniques

Blocking websites

Once connected to the C&C server, Dorkbot may be instructed to block access to certain security websites. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

Anti-sandbox techniques

Whenever the loader runs on a system, it records the time of its first execution in %TEMP%c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader checks whether the current time is at least 48 hours past the time recorded at installation. This way the loader can hide the download URLs from antimalware backend analysis systems, which typically run a sample for far less than 48 hours.

Remediation

To help prevent a Dorkbot infection, as well as other malware and unwanted software:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antimalware software regularly.

Our real-time security software, such as Windows Defender for Windows 10 with up-to-date AV definitions, will ensure you have the latest protection against Dorkbot threats.

Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC

MSRT September 2015: Teerac

September 8th, 2015 No comments

As part of our ongoing effort to provide better malware protection, the September release of the Microsoft Malicious Software Removal Tool (MSRT) will include detection for the prevalent ransomware family Win32/Teerac.

We first detected Teerac in early 2014. Since then, the family has joined Win32/Crowti and Win32/Tescrypt as one of the most prevalent ransomware families impacting our home and enterprise customers.

Encounters

Figure 1: Teerac encounters since April 2015

Affected countries

Figure 2: Countries most affected by Teerac infections

Teerac is usually downloaded and installed from malicious spam email attachments. The malware tries to encrypt files on the infected PC using the Advanced Encryption Standard (AES). It asks for a ransom payment in Bitcoins (equivalent to about USD 500) for the supposed “decryption software”.

Encrypting ransomware families such as Teerac have proven their ability to form part of a business model for malware authors, and as a result we see some samples updated on an almost daily basis in an attempt to evade antimalware detections.

Our malware encyclopedia entry for Win32/Teerac has more details about this malware family.

By adding Teerac to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this threat. However, as with all malware, prevention is the best protection.

Back up your important files

It’s a good idea to back up your important files with a cloud storage service such as OneDrive. OneDrive is integrated into Windows 10 and Windows 8.1.

After you've removed a ransomware infection from your PC, you can restore previous, unencrypted versions of your Office files.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Categories: MSRT, Teerac Tags:

MSRT January 2014 – Bladabindi

January 14th, 2014 No comments

This month the Malicious Software Removal Tool (MSRT) includes a new malware family – MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download.

Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook messages and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. We added Bladabindi to the MSRT due to its prevalence throughout 2013.

Figure 1: Telemetry data showing the prevalence of Bladabindi

Bladabindi variants can be created by using the Remote Access Tool (RAT) known as "NJ Rat". We detect this RAT as VirTool:MSIL/Bladabindi.A. Bladabindi can also be downloaded by recent variants of the Jenxcus family, which likely has the same author as Bladabindi.

Recently its author released a dedicated downloader to download Bladabindi and run it directly from memory – we detect this as TrojanDownloader:MSIL/Bladabindi.A.

Bladabindi variants are usually installed with an enticing name and icon to trick people into running it. The following are some sample file names:

  • فيس بوك.exe – (Facebook.exe)
  • فيديو قتلى المجموعات الإرهابية.exe – (Video killed the terrorist groups.exe)
  • ! My Picutre.SCR
  • Windows_7_Activators.exe
  • hot.exe
  • StartupFaster.exe

Below are some sample icons:

Figure 2: Some file icons used by Bladabindi

Bladabindi is written in VB.NET, and usually obfuscated with various .NET obfuscators to avoid detection. It uses undocumented APIs to make itself a critical process, which will cause a system crash if it is terminated. This can make it difficult to remove from your PC when the malware is running. MSIL/Bladabindi also has backdoor functionality, including:

  • Using your camera to take pictures
  • Running files
  • Registry manipulation
  • Remote shells
  • Key logging
  • Screen captures
  • Loading plugins dynamically
  • Updating
  • Uninstalling
  • Restarting

From information we collected, it seems Bladabindi's author tries to show their ability to develop malware, to help their chances of being hired on to other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.

Figure 3: Bladabindi author's Twitter page

Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. Do you remember the infamous Win32/Hupigon worm? – Another case where a malware author wrote a backdoor, but claims they didn't distribute it.

As usual, the best protection from Bladabindi, and other malware or potentially unwanted software is to have up-to-date security software installed and being aware of the risks of social engineering.

Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng
MMPC

Categories: malware research, MSRT Tags:

Tackling the Sefnit botnet Tor hazard

January 10th, 2014 No comments

Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem.

Win32/Sefnit made headlines last August as it took the Tor Network by storm. Tor is an open source project for online anonymity and is commonly used to browse the Internet anonymously. Around August 19, 2013, millions of infected computers running Win32/Sefnit installers are believed to have been woken up and given instructions en masse to download and install a Sefnit component that uses the Tor Network for C&C communication. Based on the Tor Network’s connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks, as shown in Figure 1.

Figure 1: The effect of Win32/Sefnit on the Tor Network connecting-user base

The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.

The Tor client

The Tor client service left behind on a previously-infected machine may seem harmless at first glance – Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20. While no high-severity security bulletins have been issued affecting Tor v0.2.3.25, Tor has a history of high-severity vulnerabilities – as illustrated in Figure 2.

CVE | Versions affected                                       | Description
    | v0.2.2.35 and earlier                                   | Multiple heap-based buffer overflows.
    | v0.2.2.20-alpha and earlier, and v0.2.1.28 and earlier  | Heap-based buffer overflow.
    | v0.2.0.34 and earlier                                   | Treats incomplete IPv4 addresses as valid, causing unknown impact.
    | v0.2.0.33 and earlier                                   | Unspecified heap corruption.

Figure 2: History of vulnerabilities affecting Tor with potential for remote-code execution

Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication – essentially giving an attacker access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.

Cleanup efforts

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

These actions and their effect on the Tor Network’s estimated connecting users are illustrated in Figure 3.

Figure 3: Tor Network connecting-user estimate timeline with marked events.

Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further.

Home users:

Download and run our free Microsoft Safety Scanner to scan and clean your PC.

Network administrators and advanced users:

Download and run our free Microsoft Safety Scanner to scan and clean workstations.

Your anti-virus solution may have removed Sefnit from your workstations while leaving the Sefnit-added Tor service running. The remediation of the Tor service is dependent on the completeness of the removal by other AV scanners. For this reason, we recommend you check your workstations for Tor client services added by Sefnit. You can use the following commands to check and stop the Tor client service using Command Prompt as Administrator:

    1. Query the basic information about the Tor service by issuing the command “sc query tor”. If the service is found, it should result in something like the following:

Tor service is found

    2. If the Tor service is found, and you weren't expecting it, it’s highly likely that it is a Sefnit-installed service. Query the service configuration by issuing the command “sc qc tor”, which should give you a result like that shown below:

Tor service configuration

    3. If the “BINARY_PATH_NAME” above matches, the Sefnit-added Tor client service can be stopped with the command “sc stop tor”:

Stopping the Tor service

    4. You can then delete the service with the command “sc delete tor”:

Correct Tor service removal

    5. Verify that the service is no longer running by issuing “sc query tor” again. If removed correctly, this should display the following error:

The service is no longer running
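The five-step check above, as an added PowerShell script that is not part of the original post: it reads the service state and binary path (the equivalent of “sc query tor” and “sc qc tor”), refuses to touch a service whose binary path does not match the pattern the analyst supplies, and stops and deletes the service only when run with -Remove. The service name tor comes from the post; the path pattern is a placeholder that you must fill in from your own “sc qc tor” output, since the post shows the expected BINARY_PATH_NAME only in a screenshot.

```powershell
# Added example (not from the original post): audit a workstation for a Tor
# service left behind by Sefnit and, only with -Remove, stop and delete it.
# Assumptions not stated in the post: the service is registered under the name
# "tor", and the expected Sefnit-installed binary path is supplied by the
# analyst in $ExpectedPathPattern after reading it from "sc qc tor".
param(
    [string]$ServiceName = 'tor',
    # PLACEHOLDER: replace with the BINARY_PATH_NAME pattern seen in your own "sc qc tor" output.
    [string]$ExpectedPathPattern = '*\PLACEHOLDER_SEFNIT_TOR_DIR\tor.exe*',
    [switch]$Remove
)

# Equivalent of "sc query tor" and "sc qc tor": Win32_Service exposes both the
# run state and the configured binary path of a registered service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Output "No service named '$ServiceName' is registered; nothing to do."
    return
}

Write-Output "Service   : $($svc.Name) ($($svc.DisplayName))"
Write-Output "State     : $($svc.State)"
Write-Output "StartMode : $($svc.StartMode)"
Write-Output "Binary    : $($svc.PathName)"

# Do not act on a Tor service the user installed on purpose: proceed only when
# the binary path matches the pattern confirmed from the Sefnit case.
if ($svc.PathName -notlike $ExpectedPathPattern) {
    Write-Warning "Binary path does not match the expected Sefnit pattern; review manually before removing."
    return
}

if (-not $Remove) {
    Write-Output "Match found. Re-run with -Remove to stop and delete the service."
    return
}

# Equivalent of "sc stop tor" followed by "sc delete tor" (needs an elevated prompt).
if ($svc.State -eq 'Running') {
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
}
& sc.exe delete $ServiceName | Out-Null

# Equivalent of the final "sc query tor": the service must no longer be registered.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Error "Service '$ServiceName' is still registered; deletion may complete after a reboot."
} else {
    Write-Output "Service '$ServiceName' removed. Tor binaries on disk are left in place."
}
```

Run it from an elevated PowerShell prompt; without -Remove it only reports, which is the safe default for a fleet-wide audit.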

We also shared this information with our Microsoft Virus Initiative and Virus Information Alliance partners so that they, too, can help in the clean-up.

Geoff McDonald
MMPC

Categories: MSRT, Sefnit, Tor Tags:

Tackling the Sefnit botnet Tor hazard

January 10th, 2014 No comments

Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem.

Win32/Sefnit made headlines last August as it took the Tor Network by storm. Tor is an open source project for online anonymity and is commonly used to browse the Internet anonymously. Around August 19, 2013, millions of infected computers running Win32/Sefnit installers are believed to have been woken up and given instructions en masse, to download and install a Sefnit component using the Tor Network for C&C communication. Based on the Tor Network’s connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks, as shown in Figure 1.

Win32/Sefnit affects the Tor network

Figure 1: The effect of Win32/Sefnit on the Tor Network connecting-user base

The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.

The Tor client

The Tor client service left behind on a previously-infected machine may seem harmless at first glance – Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20. While no high-severity security bulletins have been issued affecting Tor v0.2.3.25, Tor has a history of high-severity vulnerabilities – as illustrated in Figure 2.

 

CVE
Versions Affected
DESCRIPTION
v0.2.2.35 and earlier
Multiple heap-based buffer overflows.
0.2.2.20-alpha and earlier and v0.2.1.28 and earlier
Heap-based buffer-overflow.
v0.2.0.34 and earlier
Treats incomplete IPv4 addresses as valid causing unknown impact.
v0.2.0.33 and earlier
Unspecified heap corruption.

Figure 2: History of vulnerabilities affecting Tor with potential for remote-code execution

Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication – essentially giving an attacker access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.

Cleanup efforts

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

These actions and their effect on the Tor Network’s estimated connecting-users is illustrated in Figure 3.

 Tor Network connecting user estimate timeline

Figure 3: Tor Network connecting-user estimate timeline with marked events.

Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further.

Home users:

Download and run our free Microsoft Safety Scanner to scan and clean your PC.

Network administrators and advanced users:

Download and run our free Microsoft Safety Scanner to scan and clean workstations.

Your anti-virus solution may have removed Sefnit from your workstations while leaving the Sefnit-added Tor service running. The remediation of the Tor service is dependent on the completeness of the removal by other AV scanners. For this reason, we recommend you check your workstations for Tor client services added by Sefnit. You can use the following commands to check and stop the Tor client service using Command Prompt as Administrator:

    1. Query the basic information about the Tor service by issuing the command “sc query tor”. If the service is found, the output should look something like the following:

Tor service is found

    2. If a Tor service is found and you weren't expecting one, it is highly likely to be a Sefnit-installed service. Query its configuration with the command “sc qc tor”, which should give a result like that shown below:

Tor service configuration

    3. If the “BINARY_PATH_NAME” matches the one shown above, stop the Sefnit-added Tor client service with the command “sc stop tor”:

Stopping the Tor service

    4. You can then delete the service with the command “sc delete tor”:

Correct Tor service removal

    5. Verify that the service is gone by running “sc query tor” again. If it was removed correctly, this should display the following error:

The service is no longer running
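For administrators with more than a handful of workstations to check, the same sc.exe sequence can be scripted. The following is an added example, not a Microsoft tool: it parses the output of “sc qc tor”, compares BINARY_PATH_NAME against the path you observed, and only stops and deletes the service on request. The two sample outputs are constructed in the layout sc.exe prints, and SEFNIT_TOR_PATH is a placeholder to be replaced with the path from your own “sc qc tor” output.

```python
"""Check for a service named "tor", parse its configuration and, when its
binary path matches the one Sefnit installed, stop and delete it with the
same sc.exe commands as the steps above.  Added example, not MMPC code.
The sample outputs are constructed in sc.exe's layout; SEFNIT_TOR_PATH is
a placeholder for the BINARY_PATH_NAME you saw on your own machines."""
import re
import subprocess
import sys

# Placeholder: substitute the path shown by "sc qc tor" in your environment.
SEFNIT_TOR_PATH = r"C:\PLACEHOLDER\tor\tor.exe"

# Constructed sample of "sc qc tor" for a present service (sc.exe's own layout).
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: tor
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\PLACEHOLDER\tor\tor.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : tor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample of the error sc.exe prints once the service is gone.
SAMPLE_SC_MISSING = """[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(output):
    """Turn "sc qc <name>" output into a {FIELD: value} dict.
    Returns None when sc reports error 1060 (service does not exist)."""
    if "FAILED 1060" in output:
        return None
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields or None


def binary_path_matches(fields, known_path):
    """Compare BINARY_PATH_NAME with known_path, ignoring case and quotes."""
    if not fields or "BINARY_PATH_NAME" not in fields:
        return False
    actual = fields["BINARY_PATH_NAME"].strip().strip('"').lower()
    return actual == known_path.strip().strip('"').lower()


def query_service_config(name="tor"):
    """Run "sc qc <name>" on this host (Windows only) and parse the result."""
    proc = subprocess.run(["sc", "qc", name], capture_output=True, text=True)
    return parse_sc_qc(proc.stdout)


def remove_service(name="tor"):
    """Stop then delete the service (steps 3 and 4); needs an elevated prompt.
    Returns True when a follow-up query confirms the service is gone (step 5)."""
    subprocess.run(["sc", "stop", name], capture_output=True, text=True)
    subprocess.run(["sc", "delete", name], capture_output=True, text=True)
    return query_service_config(name) is None


if __name__ == "__main__":
    cfg = query_service_config("tor")
    if cfg is None:
        print("No service named 'tor' is installed.")
    elif binary_path_matches(cfg, SEFNIT_TOR_PATH):
        print("Sefnit-added Tor service found at", cfg["BINARY_PATH_NAME"])
        if "--remove" in sys.argv:
            print("Removed:", remove_service("tor"))
        else:
            print("Re-run with --remove from an elevated prompt to stop and delete it.")
    else:
        print("A 'tor' service exists but its path differs:", cfg.get("BINARY_PATH_NAME"))
```

Run it from an elevated Command Prompt; without --remove it only reports, which is the safer default when a workstation may have a deliberately installed Tor client at a different path.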

We also shared this information with our Microsoft Virus Initiative and Virus Information Alliance partners so that they, too, can help in the clean-up.

Geoff McDonald
MMPC

* January 22, 2014: To clarify, this protection removes the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.

Categories: MSRT, Sefnit, Tor

Rotbrow: the Sefnit distributor

December 10th, 2013

This month’s addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months.

In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on the most prevalent component, which Geoff labelled the “Updater and Installer Service” in his blog, we found one file in particular stood out. We knew that this file was bundled with an installer for a harmless program called FileScout, but where did the FileScout installer come from?

Our telemetry showed us a pattern. The FileScout/Sefnit installer was not being downloaded directly from the web; it was usually written by a process called “BitGuard.exe”. We were quickly able to trace the individual file that was writing the installer on so many computers. It was the most prevalent sample of something that called itself “Browser Protector” (and sometimes “Browser Defender”). We had seen many versions of this before, but never any that exhibited behaviour that would warrant our detection. This sample was different – we knew it must have either carried the FileScout/Sefnit installer inside it, or it was downloading it from somewhere else.

It took only minutes to identify which possibility was correct. Inside the file we found a resource called RT_BIN, whose content was not immediately significant, but whose size was 251,299 bytes – exactly the same as the FileScout/Sefnit installer.

Apparently the resource was encrypted. We could see that “Browser Protector” contained the same RC4 decryption code we’d seen in Sefnit, and the decryption key was easy to locate inside the code (rather obviously, it was “FilescoutEncryptionKey”), so we tried it out. Sure enough, the decrypted result matched the FileScout/Sefnit installer we expected. It was also easy to confirm that “Browser Protector” could write the decrypted file to the temporary folder with the file name setup_fsu_cid.exe, exactly as we had seen from our telemetry.

While we found that many variants of “Browser Protector” do not contain Sefnit, they are capable of updating to versions that do, so we added a generic detection under the name Win32/Rotbrow. To further stymie this avenue for Sefnit distribution, this month we add the Rotbrow family to MSRT.

SHA1s:

Sefnit updater and installer service: 942860bedf408cc4c6a1831ef3744a3f9e68b375
FileScout installer: c5758309136cd1e7e804d2003dc5ca27ae743ac3
Rotbrow: efe10525395591ca4fb6ec083f6f22c9e0db2d9d
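The confirmation step described above (RC4-decrypt the resource with the recovered key, then match the result by size and hash) is simple to reproduce. Below is an added example, not MMPC code. The RC4 routine is a textbook implementation, the key string and the FileScout length and SHA-1 are the values quoted in this post, and the resource bytes are a constructed dummy payload encrypted here with that key (not the real installer), so the reference hash checked in the demo is computed from the dummy. Extracting RT_BIN from a real sample with a PE resource parser is left out.

```python
"""RC4-decrypt a blob with a key pulled out of the dropper and confirm the
result by size and SHA-1, the check the Rotbrow write-up describes for the
RT_BIN resource.  Added example, not MMPC code.  The resource bytes here are
constructed (a dummy payload encrypted with the same key); the real FileScout
values from the post are kept as constants for use on a genuine sample."""
import hashlib

KEY = b"FilescoutEncryptionKey"  # key string the post reports finding in Rotbrow

# Reference values for the real FileScout/Sefnit installer, as given in the post.
FILESCOUT_LEN = 251_299
FILESCOUT_SHA1 = "c5758309136cd1e7e804d2003dc5ca27ae743ac3"


def rc4(key, data):
    """Textbook RC4: key scheduling, then keystream XOR.
    The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def verify_decrypted_payload(blob, key, expected_len, expected_sha1):
    """Decrypt blob with key and return (ok, sha1_hex, looks_like_pe).
    ok is True only when both length and SHA-1 match the references."""
    plain = rc4(key, blob)
    digest = hashlib.sha1(plain).hexdigest()
    ok = len(plain) == expected_len and digest == expected_sha1.lower()
    return ok, digest, plain[:2] == b"MZ"


def check_resource(resource, expected_len, expected_sha1):
    """Mirror the analyst's order of checks: the resource size must already
    match (RC4 preserves length) before decrypting and hashing."""
    if len(resource) != expected_len:
        return False, "size mismatch: %d bytes" % len(resource)
    ok, digest, is_pe = verify_decrypted_payload(resource, KEY, expected_len, expected_sha1)
    return ok, "sha1=%s pe=%s" % (digest, is_pe)


# Constructed stand-in for the RT_BIN resource: a fake PE-looking payload,
# RC4-encrypted with KEY.  Not the real installer.
FAKE_PAYLOAD = (b"MZ" + b"\x90" * 62
                + b"This program cannot be run in DOS mode.\r\n"
                + bytes(range(256)) * 4)
FAKE_RESOURCE = rc4(KEY, FAKE_PAYLOAD)
FAKE_SHA1 = hashlib.sha1(FAKE_PAYLOAD).hexdigest()

if __name__ == "__main__":
    print(check_resource(FAKE_RESOURCE, len(FAKE_PAYLOAD), FAKE_SHA1))
    # On a genuine Rotbrow sample: extract the RT_BIN bytes with a PE resource
    # parser and call check_resource(rt_bin, FILESCOUT_LEN, FILESCOUT_SHA1).
```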

Don’t fall for Folstart

November 13th, 2012

We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders in thumb drives, we have a certain level of confidence that the folder isn’t malicious or doesn’t contain malware. Unfortunately, this assumption is not always true. For the month of November, we added the Folstart family to the Microsoft Malicious Software Removal Tool (MSRT).

Folstart is a family of worms that copies itself using the same names as the folders on your USB drives. In addition, it uses the folder icon to further its deception. Although this technique is not new, it still leads to the infection of several thousand users, mostly in the United States, as shown in the graph below:

Figure 1: Distribution of Win32/Folstart

The following is a screenshot of a drive on which Explorer is set to hide extensions for known file types and not to show hidden files, folders and drives. The item looks like a normal folder but is actually W32/Folstart. Executing it will lead to an infection.

Figure 2: Folstart sample named “new folder”

To avoid this scenario, it is good practice to show hidden files, system files, and file extensions. To do this, in Windows Explorer, go to Organize > Folder and Search options and then click the View tab:

Figure 3: How to display hidden files and folders, and show file extensions

This way, your computer can reveal the real files that are actually there. Here’s the same folder as in Figure 2 with these settings enabled:

Figure 4: The same sample in Figure 2, with the file extension visible

For some users who prefer to hide files and extensions, there is an alternative – right-click on the file and check what’s written under “Type of file” in the General tab. Figure 5 shows a Folstart copy with the file type as an executable.

Figure 5: File type is .exe for a Folstart sample

A real folder type should be File folder:

Figure 6: File type is folder for a real folder
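The folder-impostor trick has a simple mechanical signature: an executable whose name (minus its extension) equals a folder sitting next to it. The script below is an added example, not MMPC tooling, that walks a drive and lists such files; it builds a throwaway sample tree in a temporary directory so it can be run offline. The set of extensions it treats as executable is an assumption.

```python
"""Find executables that impersonate folders (the Folstart trick): a file whose
name, minus its executable extension, equals a folder in the same directory.
Added example, not MMPC tooling; build_sample_drive() constructs a throwaway
tree so the scan can run offline."""
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: extensions that run on double-click when dressed up as a folder.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def find_folder_impostors(root):
    """Return root-relative paths (sorted) of executables named after a
    sibling directory, walking the whole tree."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower() for d in dirnames}
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() in EXEC_SUFFIXES and p.stem.lower() in siblings:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_drive():
    """Construct a fake removable drive: real folders, two impostor .exe files
    with matching names, plus files that must not be flagged."""
    tmp = tempfile.mkdtemp(prefix="folstart_demo_")
    for folder in ("Photos", "Documents"):
        os.mkdir(os.path.join(tmp, folder))
        Path(tmp, folder + ".exe").write_bytes(b"MZ")          # impostor
    os.mkdir(os.path.join(tmp, "Music"))
    Path(tmp, "Music.txt").write_text("playlist")                # same name, not executable
    Path(tmp, "notes.txt").write_text("harmless text")           # not executable
    Path(tmp, "Documents", "report.exe").write_bytes(b"MZ")      # no sibling folder "report"
    return tmp


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    drive = build_sample_drive()
    try:
        for hit in find_folder_impostors(drive):
            print("suspicious:", hit)
    finally:
        cleanup(drive)
```

Point find_folder_impostors at a drive letter to check a real USB stick; on an infected drive every folder name would come back paired with an .exe.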

Most of the things we discussed were about preventing infection by Folstart. If you suspect that you were infected by Win32/Folstart we suggest running the MSRT. For more details about Win32/Folstart please visit our encyclopedia.

Francis, MMPC

Categories: Folstart, malware research, MSRT

MSRT August ’12 – What’s the buzz with Bafruz?

August 14th, 2012

For this month’s Microsoft Malicious Software Removal Tool (MSRT) release, we will include two families: Win32/Matsnu and Win32/Bafruz. Our focus for this blog will be Bafruz, which is a multi-component backdoor that creates a Peer-to-Peer (P2P) network of infected computers (using C&C, for instance), and includes a nasty list of payloads, as well as unique means of disabling security and antivirus products.

Win32/Bafruz contains components, which achieve a number of objectives for the attacker, such as hijacking Facebook and Vkontakte accounts, launching Distributed Denial of Service attacks, performing Bitcoin mining, downloading malware, and disabling security and antivirus products.

Let’s delve a bit further into its payload of disabling security and antivirus products. Upon first receiving this component, it simply appeared to terminate a long list of security processes listed in its code. It also displayed alerts in the system tray similar to those displayed by your run-of-the-mill rogue application, as shown below:

But unlike your common rogue, there is no mention of any sort of payment required in order to remove this threat. All it asks is for a reboot of the computer.

So, what happens when one chooses to interact with this alert and “Remove” this so-called virus? This is where the true nature of this backdoor comes to light. Clicking on the “Remove” option causes the computer to reboot in safe mode (note: if the affected user does not click “Remove” and trigger a reboot, the backdoor will eventually force a reboot). This gives Bafruz the opportunity to remove components of the installed antivirus product from the system, thus disabling it completely. So in fact, the list of security and antivirus processes given in the Bafruz description is used by the backdoor to detect which product is installed, so that it can remove that product’s components and display the following alert once the reboot is complete:

In our test environment, we had Microsoft Security Essentials (MSE) installed, which is why this alert is masquerading as a message from MSE. If we were running another security product in our environment, and it was contained within Bafruz’s list of targets (listed in the Win32/Bafruz family description), the alert would contain the name of that product instead. This may lead the user into believing all is well with their security product, as it is now running in “Enhanced protection mode”, while in the meantime Bafruz is downloading additional components and malware onto the computer in the background through its P2P network.

MMPC

MSRT June ’12 – cleanup on aisle one

June 12th, 2012

In the June ’12 installment of the Microsoft Malicious Software Removal Tool (MSRT), we take on two threat families – Win32/Kuluoz and Win32/Cleaman. This post covers Kuluoz; we’ll discuss Cleaman later this month.

Win32/Kuluoz is a multi-component trojan family that attempts to steal passwords stored in certain applications, as well as sensitive files from your computer. The trojan implements a downloader component that we observed being distributed as an attachment in spam email.

As is common with trojans, Kuluoz is known to use a file icon that comes from a popular application. In this case, it is a PDF document, and is installed into the Application Data subfolder, such as this:

Image 1 – View of Win32/Kuluoz stored on an infected computer

As for technique, Kuluoz doesn’t innovate – it injects its payload into legitimate Windows executables like “svchost.exe”. It is able to load modules that extend its abilities to perform additional payloads, including FTP password-theft and data file stealing, similar to other families of trojans, such as Win32/Dofoil, which we included in MSRT previously.

One thing we should mention is that the downloader component of Kuluoz also sends requests to some legitimate websites, using patterns similar to those of its C&C communication:

Image 2 – Legitimate domains mixed with malware domains as requested by Kuluoz

As visible in the above image, some of the domains requested by the malware are known ‘good’ domains, such as bing.com, twitter.com and google.com, and those requests result in a page-not-found error. It appears that the malware performs this technique to confuse the human eye when someone reviews access logs.

For additional details, please look into our Win32/Kuluoz family description.

— MMPC

Dishigy dishes out the DDoS and we dig deeper…

May 25th, 2012

The May edition of the Microsoft Malicious Software Removal Tool saw the inclusion of two new malware families: Win32/Unruy and Win32/Dishigy. Let’s dig a bit deeper into Dishigy and the nature of Denial of Service.

So, bear with me while I take you back to security 101…

A Denial of Service (DoS) attack is a pretty straightforward concept – an attacker floods or otherwise sends malicious traffic to a targeted system in such a way that the targeted system is not able to respond to legitimate requests. Sometimes, particularly for flood attacks, a single system may not be able to generate enough traffic to flood a target by itself, and so multiple machines are used in order to more effectively ‘flood’ the target and make the attack more difficult to block. This is where we get the term Distributed Denial of Service (DDoS) attack – where the attack is distributed across multiple machines, and those machines are ordered to attack a single target and overwhelm it with their concerted requests.

So, why would an attacker want to stop a system from being able to respond to requests from legitimate users? It’s a fairly common behavior amongst malware, and, like the vast majority of malware created and distributed these days, you just have to ask yourself how criminals could use such nefarious practices to make a buck. In the case of Denial of Service conditions, they could be used, for example, for extortion (i.e. “Do what we want or the website gets it, see?“) or possibly for taking out the competition.

Where does Dishigy fit in? Dishigy traditionally targeted web servers. It uses HTTP requests to perform its denial of service payload against websites. While other types of network traffic might be subject to additional restrictions due to the threat it might pose, port 80 is often left mostly unchecked, enabling easy egress of web traffic. Dishigy is a distributed denial of service attack for hire and can be purchased from the seedier side of the internets to target websites of the purchaser’s choice. Now for the grim, technical details…

Win32/Dishigy is written in Delphi, and can be remotely instructed by an attacker to perform denial of service attacks on targets. The malware connects to a hard-coded remote host and sends an HTTP POST to obtain configuration data. The configuration data contains a set of three parameters separated by a token (delimiter) and is followed by a target URL, as shown in the image below:

Image 1 – Dishigy configuration data with target URL obscured

The first parameter defines the type of attack it uses; these can vary depending on what types are supported by each variant (for example, HTTP GET requests or HTTP POST requests).

The second parameter denotes the maximum number of threads (channels of execution) the malware should use in an attack; each thread sends several requests in a loop.

The third parameter is the frequency with which the malware should connect to the remote host to obtain updated configuration information. If, however, there is no target host available in the configuration data, the malware will connect back at the specified frequency but not perform any attacks.

The malware can be instructed to perform one of several types of attacks. The malware uses an open source TCP/IP Winsock library for Delphi called Synapse to construct the packets.

Early variants of Dishigy generated only HTTP GET requests against a target:

Image 2 – Use of HTTP GET request by Dishigy

The User-Agent field is randomly chosen from a large list contained in the malware, which makes the HTTP requests appear to originate from a variety of sources. Later variants added more functionality, including the ability to generate HTTP POST requests against a target:

The POST request includes a Referer field which is also randomly chosen from a list contained in the malware. Worth noting is that the POST data contains the URL for the targeted host only as opposed to a typical POST which could include form data and other bits.
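From the web server’s side, the traffic just described has a recognisable shape: a burst of GET and POST requests from one address whose User-Agent (and Referer) changes on nearly every request, which no real browser does. The following is an added example, not MMPC code, that scores clients in an access log on exactly those two properties. The log lines are constructed in Apache combined format, the addresses are from the documentation ranges, and the thresholds are assumptions to tune for your own site.

```python
"""Pick out clients in a web server access log whose traffic looks like the
Dishigy flood described above: a burst of requests to the same site where the
User-Agent (and, for POSTs, the Referer) changes from request to request.
Added example, not MMPC code; the log lines are constructed in Apache
combined format and the addresses come from the documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_flood_clients(lines, window_s=10, min_requests=8, min_agents=4):
    """Return {ip: (total_requests, distinct_user_agents)} for every client
    that issued at least min_requests inside some window_s-second window
    while presenting at least min_agents different User-Agent strings.
    A browser keeps one User-Agent; a bot picking one at random per request
    (as Dishigy does) does not.  Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        agents = {r["ua"] for r in recs}
        if len(agents) < min_agents:
            continue
        recs.sort(key=lambda r: r["time"])
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(recs)):
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_requests:
                flagged[ip] = (len(recs), len(agents))
                break
    return flagged


# Constructed sample log --------------------------------------------------
UAS = ["Mozilla/5.0 (Windows NT 6.1; rv:12.0)", "Mozilla/4.0 (compatible; MSIE 8.0)",
       "Opera/9.80 (Windows NT 5.1)", "Mozilla/5.0 (X11; Linux x86_64)",
       "Mozilla/5.0 (Macintosh; Intel Mac OS X)", "Mozilla/5.0 (iPad; CPU OS 5_1)"]
REFERERS = ["http://www.example.com/", "http://search.example.org/?q=site", "-"]


def log_line(ip, hhmmss, method, ua, referer="-"):
    """Build one constructed combined-format line."""
    return ('%s - - [25/May/2012:%s +0000] "%s / HTTP/1.1" 200 512 "%s" "%s"'
            % (ip, hhmmss, method, referer, ua))


SAMPLE_LOG = [
    # Flood client: ten requests in ten seconds, rotating User-Agent and Referer.
    log_line("203.0.113.7", "12:00:%02d" % i, "GET" if i % 2 else "POST",
             UAS[i % len(UAS)], REFERERS[i % len(REFERERS)])
    for i in range(10)
] + [
    # Ordinary visitor: three requests over a few minutes, one User-Agent.
    log_line("198.51.100.5", "12:01:05", "GET", UAS[0]),
    log_line("198.51.100.5", "12:03:40", "GET", UAS[0], "http://www.example.com/"),
    log_line("198.51.100.5", "12:06:12", "GET", UAS[0]),
]

if __name__ == "__main__":
    for ip, (n, agents) in find_flood_clients(SAMPLE_LOG).items():
        print("%s: %d requests, %d distinct User-Agents" % (ip, n, agents))
```

Feed it real lines with `find_flood_clients(open("access.log"))`; the User-Agent diversity test is what separates a Dishigy-style bot from a legitimate burst such as a page with many embedded resources, which arrives with a single User-Agent.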

Dishigy’s addition to the Microsoft Windows Malicious Software Removal Tool this month makes the web a slightly better place. Dishigy’s success against a target relies on numbers, so taking out as many infections as possible that could contribute to a flood is key to making it ineffective. It is also highly resource intensive for the unfortunate victims who find their computers compromised by this menace, so removing it from victim computers should ease some pain for individuals whose computing experience has been affected by this threat. And maybe, most importantly, targeting Dishigy may help to stop criminals from deciding which websites you can and can’t visit.

– Ray Roberts
MMPC Melbourne

MSRT April 2012: Win32/Claretore

April 10th, 2012

We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool – Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.

The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server.

The installation and persistence mechanism employed by Claretore is not new, but it is aggressive. Claretore drops a copy of itself into the user profile folder and the temp folder, and removes the original copy of the malware. The registry is modified to execute Claretore at every Windows start.

Image 1 – Registry data associated with launching Win32/Claretore at Windows start

The aggressive part is that it injects itself as a DLL component into each running process that loads the kernel32 module. This method allows the malware to run on Windows 2000 and helps hide the malware, so that it does not appear when viewing running processes in Windows Task Manager.

Below, you can see Win32/Claretore injected into “iexplore.exe” as shown via a debugging utility:

Image 2 – View of process “iexplore.exe” with Win32/Claretore injection

The malware attempts to block its removal by manual cleaning or by a security product by creating two monitoring threads that persistently verify if its file component and registry has been modified by others. This mechanism is implemented by utilizing the following Windows APIs:

  • RegNotifyChangeKeyValue
  • ReadDirectoryChangesW

Next, Claretore is ready to do its ‘dirty work’. It hooks the following three network APIs to intercept certain web traffic:

  • WSPCloseSocket
  • WSPSend
  • WSPRecv

The trojan is then able to intercept every accessed website that contains a reference to the Google Analytics JavaScript, and replace the legitimate code with code from an attacker-supplied URL. For example, a variant of Win32/Claretore was observed to replace references to the Google Analytics JavaScript “google-analytics.com/ga.js” with “<removed>in-f108.com/ga.js”, allowing attacker-specified code to execute.

Image 3 – Tracing through Win32/Claretore code
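Because the substitution happens in the socket path, the page the browser renders still references a script called ga.js, just from the wrong host. The following added example (not from this post) checks received HTML for Google Analytics loader references that do not resolve to google-analytics.com, covering both a src attribute and the common inline snippet that builds the host by string concatenation. The HTML, the foreign hostnames, and the allow-listed domain are constructed assumptions.

```python
"""Flag pages whose Google Analytics loader points somewhere other than
Google's analytics hosts, the substitution Claretore makes inside its
WSPSend/WSPRecv hooks.  Added example, not from the post; the HTML and the
foreign hostnames are constructed and the allow-listed domain is an assumption."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GA_HOST = "google-analytics.com"                # assumption: legitimate loader domain
GA_JS_RE = re.compile(r"([\w.-]+)/ga\.js\b")    # host (or its tail) right before /ga.js


def is_legit_ga_host(host):
    """True for google-analytics.com and its subdomains (www, ssl, ...)."""
    host = host.lower().lstrip(".")
    return host == GA_HOST or host.endswith("." + GA_HOST)


class GaRefCollector(HTMLParser):
    """Collect external <script src=...> URLs and inline script text."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for k, v in attrs:
                if k.lower() == "src" and v:
                    self.srcs.append(v)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_suspicious_ga_refs(html):
    """Return the sorted list of hosts serving a ga.js that is not Google's.
    Handles src attributes (absolute or protocol-relative) and the classic
    inline snippet that builds '...google-analytics.com/ga.js' by concatenation."""
    p = GaRefCollector()
    p.feed(html)
    hosts = set()
    for src in p.srcs:
        if src.split("?")[0].lower().endswith("/ga.js"):
            # urlparse needs a scheme or "//" to see a netloc; relative paths yield none.
            host = urlparse(src if "//" in src else "//" + src).hostname or ""
            if host and not is_legit_ga_host(host):
                hosts.add(host.lower())
    for text in p.inline:
        for host in GA_JS_RE.findall(text):
            if not is_legit_ga_host(host):
                hosts.add(host.lower().lstrip("."))
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed page: one tampered src attribute and one tampered inline snippet.
    sample = ('<html><head>'
              '<script src="http://analytics-cdn.example.net/ga.js"></script>'
              '<script>var ga = document.createElement("script"); ga.src = '
              '("https:" == document.location.protocol ? "https://ssl" : "http://www")'
              ' + ".stats-example.org/ga.js";</script></head></html>')
    print(find_suspicious_ga_refs(sample))
```

Running this over pages fetched through a proxy (or comparing what the browser received with a fetch from a known-clean host) gives a cheap integrity check for this particular class of traffic tampering.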

Win32/Claretore collects and sends the following details, encrypted using MD5, about the affected computer to an attacker-supplied URL:

  • Machine GUID
  • User logon account name
  • Computer name
  • Windows install date
  • Disk identifier

This threat is detected and removed by the Microsoft Windows Malicious Software Removal Tool and when using current security technologies and protection. Thank you for reading and stay tuned to the MMPC for the latest developments in the digital threat landscape.

–Tim Liu, MMPC