Archive for the ‘trojan’ Category

Attackers using Trojans more than other malware categories

Global cyber threat patterns are a constantly moving target. But there are ways organizations can stay ahead of threats. Beginning in 2006, Microsoft took on systematic study of the ever-shifting security landscape, and we share our latest findings twice each year in our Security Intelligence Report (SIR).

While cyber threats grow more sophisticated, our goal is simple: to help customers understand the many different types of factors that can influence malware infection rates in different parts of the world. We do this because we believe knowledge is power, and our work to partner with policymakers and IT professionals to help keep them apprised of malware trends can help make not only specific regions but also the world safer for people, business, and governments.

To help you prioritize mitigations, including training people to identify cyber threats, we believe the place to start is to understand the current threats your organization is most likely to experience. Currently, that means understanding the growing risk presented by a malware category known as Trojans.

Trojan exploits proliferated in 2015

Trojans, like worms and viruses, are among the most widespread categories of threats Microsoft detects. Between the second and third quarters of 2015, our research and analysis showed that encounters involving Trojans increased by fifty-seven percent and stayed elevated through the end of the year.

Trojans increased more rapidly than other significant malware categories in 2015.

In the second half of 2015, Trojans accounted for five of the top ten malware families encountered by Microsoft real-time antimalware products. The increase was due in large part to Trojans known as Win32/Peals, Win32/Skeeyah, Win32/Colisi, and Win32/Dynamer. In addition, a pair of newly detected Trojans, Win32/Dorv and Win32/Spursint, helped account for the elevated threat level.

Server platforms at greater risk from Trojans

Overall, unwanted software was encountered significantly more often on client platforms than on server platforms. However, Trojans were used against server platforms slightly more than they were used against client platforms.

During the course of 2015, our data analysis uncovered the following:

  • During the fourth quarter of 2015, Trojans accounted for three of the top ten malware and unwanted software families most commonly encountered on supported Windows client platforms.
  • Also during the fourth quarter of 2015, four of the top ten malware and unwanted software families most commonly encountered on supported Windows server platforms were categorized as Trojans.

As these examples suggest, malware doesn’t affect all platforms equally. The reasons for this vary. For instance, some exploits may have no effect on some operating system versions. In addition, in areas where specific platforms are more or less popular than elsewhere, some types of threats are just more common. In some cases, simple random variation may cause differences between platforms.

How Trojans work

Like the famous Trojan horse in Homer’s Odyssey, software Trojans hide inside something end users want, such as a work file or social media video. Through this type of social engineering, attackers get people to install malware on their system or lower security settings.

Two common Trojans work as follows:

  • Backdoor Trojans provide attackers with remote unauthorized access to and control of infected computers
  • Downloaders/droppers are Trojans that install other malicious files to a computer they have infected, either by downloading them from a remote computer or by obtaining them directly from copies contained in their own code

Mitigating the Trojan threat

Knowing how the top Trojans in your part of the world operate can give you the upper hand in protecting your organization. For example, be sure to educate your workforce about common Trojan tricks, such as “clickbait” – fake web headlines with provocative titles – and spoofed emails. In addition, encourage the people in your organization to use personal devices for social media and web surfing instead of devices connected to your corporate network.

To understand security threats in your region or view the current or previous editions of the SIR, visit www.microsoft.com/security/sir. To learn more about Security at Microsoft, visit us at Microsoft Secure.

Large Kovter digitally-signed malvertising campaign and MSRT cleanup release

May 10th, 2016

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users in the United States are almost exclusively targeted, and infected PCs are used to perform click fraud and to install additional malware.

Starting April 21, 2016, we observed a large Kovter malware attack in which, in just a week and a half, we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL certificates to secure the HTTPS connection and their own code signing certificate to sign the downloaded malware.

Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

Kovter’s digitally signed malvertising campaign

Malvertising is a technique used by bad actors to attack your PC: they buy advertisement space from ad networks, ad exchanges, and ad publishers. These ads then appear on the many websites that use the same advertisement network, and attack some of the users who visit those websites.

Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

Using malvertising, we’ve seen attackers employ a variety of tactics, such as:

  • Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious; they have not detected a problem on your PC.
  • Attempting to lock your browser and demanding payment, ransomware-style. You can close your browser or restart your computer to escape; this type of ransomware hasn’t really locked your PC.
  • Loading an exploit kit to attack your browser or a browser plugin.
  • Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up to date is genuinely important to keep your PC safe from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these applications update through their own update mechanism, outside of your browser, or go to the official vendor website to install the missing component.

The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting affected websites are redirected to fake websites impersonating the Adobe Flash download page, which claim your Flash Player is out of date, and Trojan:Win32/Kovter is automatically downloaded pretending to be “FlashPlayer.exe”.

Figure 1 – Kovter’s fake Adobe update malvertising infection chain

For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:

  • aefoopennypinchingpolly.com
  • ahcakmbafocus.org
  • ahxuluthscsa.org
  • caivelitemind.com
  • ierietelio.org
  • paiyafototips.com
  • rielikumpara.org
  • siipuneedledoctor.com
  • ziejaweleda.org

The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

Admin Email: monty.ratliff@yandex.com

As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

https://<domain>/<random numbers>/<random hex>.html

For example:

hxxps://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html

By using HTTPS, the browser displays the ‘secure’ lock symbol, which misleadingly adds to the user’s trust that the website is safe while at the same time preventing most network intrusion protection systems from inspecting the traffic and protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user, however. We were unable to confirm this because the servers had been taken down, but reports online suggest that trial COMODO SSL certificates were used to secure these connections in past Kovter campaigns.

When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:

hxxps://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe
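The two URL shapes above are concrete enough to check for in web proxy logs. The following Python script is an added example written for this page, not code from the original post or from Microsoft. It parses a constructed proxy log (the domain malvertising.example and the field order are assumptions), labels each URL that matches the landing-page or payload-download pattern, and lists the clients that hit both, since those are the machines most likely to have run the download. Because the campaign used HTTPS, a proxy only sees the full path when it terminates TLS; otherwise only the hostname is visible and the domain list above is the indicator to match.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log sample (not taken from the original post). The field order
# is assumed to be: timestamp, client IP, method, URL, HTTP status. The host
# "malvertising.example" is a placeholder; the path shapes follow the post.
SAMPLE_PROXY_LOG = """\
2016-04-25T10:01:02Z 10.0.0.12 GET https://malvertising.example/4792924404046/89597dd177df3daa78f184fe87c4386c.html 200
2016-04-25T10:01:05Z 10.0.0.12 GET https://malvertising.example/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe 200
2016-04-25T10:02:00Z 10.0.0.13 GET https://www.example.com/news/2016/04/article.html 200
2016-04-25T10:02:30Z 10.0.0.14 GET https://cdn.example.net/downloads/FlashPlayer.exe 200
2016-04-25T10:03:00Z 10.0.0.15 GET https://example.org/12345/deadbeef.html 200
"""

# Landing page: /<random numbers>/<random hex>.html. The hex name in the post's
# example is 32 characters long; requiring exactly 32 is an assumption that keeps
# short hex names such as /12345/deadbeef.html from matching.
LANDING_RE = re.compile(r"^/\d+/[0-9a-f]{32}\.html$")
# Payload download: one or more all-numeric directories followed by FlashPlayer.exe.
PAYLOAD_RE = re.compile(r"^(?:/\d+)+/FlashPlayer\.exe$")


def classify_url(url):
    """Return an indicator label when the URL path matches one of the two shapes, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    if LANDING_RE.match(parsed.path):
        return "kovter-landing-page"
    if PAYLOAD_RE.match(parsed.path):
        return "kovter-payload-download"
    return None


def scan_proxy_log(text):
    """Return one finding per log line whose URL matches either shape."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip rather than guess
        timestamp, client, _method, url = fields[:4]
        label = classify_url(url)
        if label:
            findings.append({"time": timestamp, "client": client, "url": url, "indicator": label})
    return findings


def clients_with_full_chain(findings):
    """Clients that fetched both the landing page and the payload: triage these first."""
    seen = {}
    for finding in findings:
        seen.setdefault(finding["client"], set()).add(finding["indicator"])
    needed = {"kovter-landing-page", "kovter-payload-download"}
    return sorted(client for client, labels in seen.items() if needed <= labels)


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit["time"], hit["client"], hit["indicator"], hit["url"])
    print("full chain:", clients_with_full_chain(hits))
```

The regexes are anchored to the whole path so that a legitimate download such as /downloads/FlashPlayer.exe does not match; only the all-numeric directory structure seen in the campaign does.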

Some example FlashPlayer.exe downloaded files for reference are as follows:

SHA1                                      MD5
eafe025671e6264f603868699126d4636f6636c7  c26b064b826f4c1aa6711b7698c58fc0
0686c48fd59a899dfa9cbe181f8c52cbe8de90f0  e0a31d6b58017428dd8c907b14ea334e
62690c0a5a9946f91855a476b7d92447e299c89a  18ccf307730767c4620ae960555b9237
7a678fa58e310749362a432db9ff82aebfb6de62  f6406681e0652e33562d013a8c5329b9
872d157c9c844636dda2f33be83540354e04f709  42b1b775945a4f21f6105df8e9c698c2
37a8ad4a51b6f7b418c17abd8de9fc089a23125d  3767f655a462c4bf13ae83c5f7656af4
cfebfe6d4065dd14493abeb0ae6508a6d874d809  a14a38ebe3856766d55c1af35fb1681f
c48b21c854d6743c9ebe919bf1271cade9613890  321f9b3717655e1886305f4ca01129ad
4df10be4b12f3c7501184097abee681a1045f2ed  0966f977c6d319e838be9b2ceb689fbe
457f0f7fe85fb97841d748af04166f2a3e752efe  7214015e37750f3ee65d5054a5d1ff8a

These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

[Image: COMODO code signing certificate issued to “Itgms Ltd”]

We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

The sheer volume of PCs encountering Kovter during this attack, along with the attackers apparently having been issued their own digital certificates, is a cause for concern. Fortunately, the digital signature actually worked in our favor: because every file signed by this certificate can be uniquely identified, we were able to detect and remove all of them. We will continue to monitor Kovter to keep you protected.

MSRT coverage

As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware that uses infected Microsoft Office files to download the ransomware onto your PC.

By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.

Kovter Installation

On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

  • Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
  • Md5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware drops its main payload as data in a registry key (HKCU\software\<random_chars> or HKLM\software\<random_chars>). For example, we have seen it drop the payload into the following registry keys:

  • hklm\software\oziyns8
  • hklm\software\2pxhqtn
  • hkcu\software\mpcjbe00f
  • hkcu\software\fxzozieg

Kovter then installs JavaScript as a run key registry value, using paths that automatically run on startup such as:

  • hklm\software\microsoft\windows\currentversion\run
  • hklm\software\microsoft\windows\currentversion\policies\explorer\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
  • hkcu\software\microsoft\windows\currentversion\run
  • hkcu\software\classes\<random_chars>\shell\open\command

The dropped run key value usually has the format “mshta javascript:<malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the Kovter payload from the data registry key into memory and executes it.

Once executing in memory, the malware also injects itself into legitimate processes, including:

  • regsvr32.exe
  • svchost.exe
  • iexplorer.exe
  • explorer.exe

After installation, the malware removes the original installer from disk, leaving only the registry keys that contain the malware.

Payload

Lowers Internet security settings

It modifies the following registry entries to lower your Internet security settings:

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Sets value: “1400” With data: “0”
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Sets value: “1400” With data: “0”
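The persistence locations from the installation section and the Internet Settings change just described can both be checked offline against a registry export. The following Python script is an added example for this page, not code from the original post or from Microsoft. It parses a small constructed .reg export (the key and value names are invented in the shapes the post describes, and the mshta values carry a placeholder comment instead of any real script), flags any Run, Policies\Explorer\Run or HKCU\Software\Classes\<name>\shell\open\command value that launches mshta with a javascript: URI, and reports zones 1 and 3 where value 1400 is set to 0. Treat the 1400 finding as corroborating evidence rather than a standalone indicator: Active Scripting is enabled by default in some zone configurations, so compare it against your own baseline.

```python
import re

# Constructed .reg export (not from the original post). Key names are invented in the
# shapes the post describes; the javascript: bodies are placeholder comments only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"bf4c2a"="mshta javascript:/* constructed placeholder, loader body elided */"

[HKEY_CURRENT_USER\Software\Classes\e1k3j\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" javascript:/* constructed placeholder */"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1200"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(text):
    # .reg string escaping: \\ becomes \ and \" becomes "
    return re.sub(r"\\(.)", r"\1", text)


def _parse_data(raw):
    """Decode dword: and quoted string data; other encodings are kept raw."""
    if raw.startswith("dword:"):
        return ("dword", int(raw[len("dword:"):], 16))
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return ("string", _unescape(raw[1:-1]))
    return ("other", raw)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (kind, data)}}; "" is the default value."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name = "" if value_match.group(1) == "@" else _unescape(value_match.group(1)[1:-1])
            entries[current][name] = _parse_data(value_match.group(2))
    return entries


# Autostart locations named in the post: Run, Policies\Explorer\Run (including the
# Wow6432Node variants) and a per-user file association's shell\open\command.
AUTORUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run$"
    r"|^HKEY_CURRENT_USER\\Software\\Classes\\[^\\]+\\shell\\open\\command$", re.I)
# "mshta javascript:" or a quoted full path to mshta.exe followed by javascript:
MSHTA_JS_RE = re.compile(r"mshta(?:\.exe)?\"?\s+javascript:", re.I)
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\Zones\\([13])$", re.I)


def find_kovter_indicators(entries):
    """Return (label, key, value_name) tuples for the behaviours described in the post."""
    findings = []
    for key, values in entries.items():
        for name, (kind, data) in values.items():
            if kind == "string" and AUTORUN_KEY_RE.search(key) and MSHTA_JS_RE.search(data):
                findings.append(("mshta-javascript-autorun", key, name))
            zone = ZONE_KEY_RE.search(key)
            if zone and name == "1400" and kind == "dword" and data == 0:
                findings.append(("active-scripting-enabled-zone-" + zone.group(1), key, name))
    return findings


if __name__ == "__main__":
    for label, key, name in find_kovter_indicators(parse_reg(SAMPLE_REG)):
        print(label, "|", key, "|", repr(name))
```

A real export would be produced with reg export on the live machine or taken from an offline hive; the benign SecurityHealth entry in the sample shows that an ordinary Run value passes through untouched.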

Sends your personal information to a remote server

We have seen this malware send information about your PC to the attacker, including:

  • Antivirus software you are using
  • Date and time zone
  • GUID
  • Language
  • Operating system

It can also detect specific tools in use on your PC and send that information back to the attacker:

  • JoeBox
  • QEmuVirtualPC
  • Sandboxie
  • SunbeltSandboxie
  • VirtualBox
  • VirtualPC
  • VMWare
  • Wireshark

Click-fraud

This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.

Download updates or other malware

This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has recently been used to install other malware such as:

Demographics

Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April

Figure 3 – Kovter’s geographic distribution shows that the majority of the affected machines are in the United States

Mitigation and prevention

To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

Geoff McDonald and Duc Nguyen

MMPC

JavaScript-toting spam emails: What should you know and how to avoid them?

We have recently observed that spam campaigns are now using JavaScript attachments in addition to Office files. The purpose of the code is straightforward: it downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment that carries a malicious JavaScript file. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign or completely random:

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way onto your PC after a successful social engineering trick. Its bag of tricks includes attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily obfuscated to avoid antivirus detection. Each consists of a download-and-execute function paired with one or two URLs hosting the malware.

Figure 2: Sample code and URL

Figure 3: Another code sample

Figure 4: Another code sample

Figure 5: Another code sample

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

Figure 6: An example of a JavaScript attachment and a dummy file

Figure 7: Another example of a JavaScript attachment and a dummy file

These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds in its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.

On the other hand, the JavaScript attachments take only one or two clicks to start executing.

It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js or .jse extension) via email. You should be wary of it and should not click or open it.
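A mail gateway rule that only inspects the first or largest file in an archive misses exactly the dummy-file bundling described above. The following Python example is added for this page and is not code from the original post or from Microsoft: it opens a zip attachment in memory, reports every member whose final extension is .js or .jse (the types named in the post), looks one level into nested zips with a size cap so that a decompression bomb is not expanded, and returns a verdict for the attachment. The sample attachments are constructed inline; .rar archives, which the post also mentions, need a third-party library and are not handled here.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions named in the post. Other script types (.wsf, .vbs, .hta) are left out
# here to stay within what the post describes; a production rule would add them.
SCRIPT_EXTENSIONS = {".js", ".jse"}
# Refuse to expand a nested archive member larger than this (assumed limit, zip-bomb guard).
MAX_NESTED_BYTES = 5 * 1024 * 1024


def script_members(zip_bytes, depth=0):
    """Return member names of script files, descending one level into nested zips."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # strip() defeats "invoice.js " style names; suffix takes the last extension only
            suffix = PurePosixPath(info.filename.strip()).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                found.append(info.filename)
            elif suffix == ".zip" and depth < 1 and info.file_size <= MAX_NESTED_BYTES:
                inner = script_members(archive.read(info), depth + 1)
                found.extend(f"{info.filename}!{name}" for name in inner)
    return found


def attachment_verdict(zip_bytes):
    """Block an archive that carries any script file, however many decoy files accompany it."""
    try:
        scripts = script_members(zip_bytes)
    except zipfile.BadZipFile:
        # Unparseable data claiming to be a zip is itself suspicious: hold it for review.
        return ("quarantine", ["not a valid zip archive"])
    return ("block", scripts) if scripts else ("allow", [])


def build_zip(files):
    """Construct an in-memory zip from {name: bytes} (used only to build constructed samples)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed sample attachments; the script bodies are placeholder comments only.
SAMPLE_ATTACHMENTS = {
    "invoice.zip": build_zip({"Invoice_04_2016.js": b"// constructed placeholder"}),
    # script hidden behind a dummy file and a double extension, as the post describes
    "resume.zip": build_zip({"readme.txt": b"dummy file", "Resume.pdf.JSE": b"// constructed placeholder"}),
    # script one level down inside a nested archive
    "photos.zip": build_zip({"note.txt": b"see inside", "photos_inner.zip": build_zip({"IMG_0001.js": b"// placeholder"})}),
    "report.zip": build_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
}


def scan_samples():
    """Verdict for every constructed sample, keyed by attachment name."""
    return {name: attachment_verdict(data) for name, data in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in scan_samples().items():
        print(f"{name}: {verdict} {detail}")
```

The extension check deliberately uses only the final suffix, so Resume.pdf.JSE is classified by what the script host would run it as, not by the decoy in the middle of the name.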

Figure 8: A screenshot of how the JavaScript attachment gets executed.

Same stuff, new package

Email attachments have long been a common vector for spreading malware. In the past months, we have seen Office file attachments that contain malicious macros. The code is simple and straightforward; its main objective is to download and execute other malware, such as password stealers, backdoors and ransomware.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.

Figure 9: A screenshot of a sample bank-related email spam.

Figure 10: A screenshot of a sample remittance-themed email spam.

Figure 11: A screenshot of a sample invoice-themed email spam.

Figure 12: A screenshot of a sample resume-themed email spam.

Figure 13: A screenshot of a shipment notification-themed email spam.

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey to those JavaScript-toting emails’ social engineering tricks:

See some of the related blogs and threat reports:

Alden Pornasdoro

MMPC


MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

The bothersome Bedep

Win32/Bedep was first detected on November 25, 2014 as a malware family made up of DLLs that have been distributed by the Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send it to the attacker, watch what you do online, drop other malware onto your PC, and update it too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

The exploit shellcode sometimes loads Bedep directly into memory from the Angler Exploit Kit, without writing it to disk. At other times it is written to disk.

It can be installed either as a 32-bit DLL (Backdoor:Win32/Bedep.A) or as a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). The threat then downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough: the attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful when clicking through User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%\{CLSID}\<filename>.dll

Example path and file name: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32

Example: HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Sets value: “ThreadingModel”

With data: “Apartment”

Sets value: “” (the default value)

With data: %Bedep Filename%

Example: “C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll”

In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%

Example: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask”

With data: dword:ffffffff
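The registry entries above pair a per-user COM server registration (an InprocServer32 default value pointing at a DLL in a GUID-named folder under ProgramData) with a drive shell extension registration for the same CLSID. The following Python example is added for this page, not code from the original post or from Microsoft. It takes registry entries as (key, value name, data) tuples, as a registry walk or an export parser would produce them, and reports any CLSID whose InprocServer32 default value is a DLL under %ProgramData%\{GUID}\ or that is also registered under Drive\ShellEx\FolderExtensions with DriveMask ffffffff. The key patterns accept both the abbreviated HKEY_CURRENT_USER\CLSID form printed above and the HKEY_CURRENT_USER\Software\Classes\CLSID path under which per-user COM classes are stored. The sample entries reuse the two GUIDs from the post and add one constructed benign registration.

```python
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Per-user COM server registration. The optional "(?:.*\\)?" accepts both the abbreviated
# path printed in the post and the Software\Classes\CLSID path.
INPROC_RE = re.compile(r"^HKEY_CURRENT_USER\\(?:.*\\)?CLSID\\(" + GUID + r")\\InprocServer32$", re.I)
FOLDEREXT_RE = re.compile(
    r"^HKEY_CURRENT_USER\\(?:.*\\)?Drive\\ShellEx\\FolderExtensions\\(" + GUID + r")$", re.I)
# A DLL sitting directly inside a GUID-named folder under ProgramData, as in the post's example.
PROGRAMDATA_DLL_RE = re.compile(
    r"^(?:%ProgramData%|[A-Za-z]:\\ProgramData)\\" + GUID + r"\\[^\\]+\.dll$", re.I)

# Constructed sample entries: (key, value name, data). "" is the key's default value.
# The first three reuse the GUIDs printed in the post; the last two are a benign,
# constructed per-user COM server kept in the user's profile for contrast.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32",
     "ThreadingModel", "Apartment"),
    (r"HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32",
     "", r"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"),
    (r"HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}",
     "DriveMask", 0xFFFFFFFF),
    (r"HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "ThreadingModel", "Apartment"),
    (r"HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "", r"C:\Users\alice\AppData\Local\Vendor\plugin.dll"),
]


def find_bedep_like_registrations(entries):
    """Correlate InprocServer32 and FolderExtensions entries by CLSID and report suspicious ones."""
    inproc = {}      # CLSID -> DLL path from the InprocServer32 default value
    drive_ext = set()  # CLSIDs registered as drive folder extensions with a full DriveMask
    for key, name, data in entries:
        match = INPROC_RE.match(key)
        if match and name == "" and isinstance(data, str):
            inproc[match.group(1).upper()] = data
            continue
        match = FOLDEREXT_RE.match(key)
        if match and name.lower() == "drivemask" and data == 0xFFFFFFFF:
            drive_ext.add(match.group(1).upper())

    findings = []
    for clsid, path in inproc.items():
        reasons = []
        if PROGRAMDATA_DLL_RE.match(path):
            reasons.append("dll-in-programdata-guid-folder")
        if clsid in drive_ext:
            reasons.append("registered-as-drive-folder-extension")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_bedep_like_registrations(SAMPLE_ENTRIES):
        print(finding["clsid"], finding["path"], ", ".join(finding["reasons"]))
```

Either reason alone is worth a look; both together on one CLSID reproduce the exact pairing the post documents, which is why the function correlates by CLSID rather than scoring each key in isolation.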

For details about various Bedep variants, see the following malware encyclopedia entries:

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

Jonathan San Jose

MMPC


Upatre update: infection chain and affected countries

March 12th, 2015

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking a link or opening an attachment contained in a spam email. Since January 2015, we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre’s malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families. For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

The infection chain

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family. Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see between spammers and information stealers), in an attempt to steal information about a user and their machine with the Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

Figure 1: Upatre infection chain since January 2015

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the most affected countries.

Figure 2: A breakdown of the countries most affected by Upatre infections since January 2015

Detection rates for these countries are as follows:

Figure 3: The data shows the United States having the most Upatre infections since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015

How can you help protect your enterprise software security infrastructure from Upatre?

Upatre manages to sneak into security infrastructures by employing age-old social engineering tricks. It entices people to click on malicious links in spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure to keep all software up to date.

Patrick Estavillo

MMPC


Extracting the fare

February 14th, 2012 No comments

When malware is found lurking on a system, quite often it isn’t acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain — for instance, hijacking a browser’s search results, or using rogue security software to extract payments from affected users — and will try to install whatever other malware components they need to in order to make this happen.

Such is the case with Win32/Fareit, which is one of two new additions to the Microsoft Malicious Software Removal Tool (MSRT) for February 2012. Win32/Fareit is a family consisting of a password stealer and a component for performing Distributed Denial of Service (DDoS) attacks, and is often present on an affected system along with a suite of other malware.

The Distributed Denial of Service component, which we detect as DDoS:Win32/Fareit, contacts a remote server, which may instruct it to flood a target server with bogus HTTP traffic. It randomly chooses several fields of the HTTP header, in order to make it difficult for the targeted server to filter the unwanted requests. Hijacking the browser and collecting payments for rogue security software are not the only methods of profiting from an infected system, and this is where the password stealing component PWS:Win32/Fareit fits in.

When run, the malware scans the system looking for installations of popular FTP clients and cloud storage clients. Most of these allow users to cache login details for servers that they often connect to, and they store these details encrypted in configuration files or registry entries. If any of these clients are present on the system, the malware attempts to retrieve this login information from the files or registry, decrypt it, and post it to a remote server controlled by the attackers. Once they have this account information, they can log in to the compromised accounts, which often provide access to web servers, and upload other malware that they wish to distribute. You can see a list of the FTP clients and other software that PWS:Win32/Fareit targets in our encyclopedia description. It also attempts to steal stored passwords from some of the major web browsers. 

PWS:Win32/Fareit first came to our attention in large numbers in October, when we noticed it being installed by Win32/FakeScanti and Win32/Cycbot.

Win32/FakeScanti is a rogue security program that was added to MSRT in October 2009 and has recently gone by names such as Cloud AV 2012, AV Guard Online, Security Guard 2012, and Opencloud Antivirus.

Cloud AV 2012

Win32/Cycbot is a backdoor and browser hijacker, and was added to MSRT in February 2011. At various stages we have seen Win32/Cycbot and Win32/FakeScanti also downloading or installing one another, so this month’s addition of Win32/Fareit helps complete the cleaning of this multi-family infection.

Win32/Cycbot remains highly prevalent, and Backdoor:Win32/Cycbot.G was the number-one threat removed by MSRT last month. Win32/FakeScanti activity has decreased, though we continue to monitor it closely; however, we have received no new undetected samples of it so far this year. Unfortunately, this isn’t a sign that the rogue distributors have given up on their nefarious activities; most likely they have simply moved on to distributing different rogue families. 

If your system has been infected with Win32/Fareit, or related families like Win32/Cycbot, and you have any account details saved in your FTP client, after cleaning your local system, we recommend that you immediately change your password for each account. Check the related servers for new or suspicious files that you did not upload, change passwords for any accounts whose details you may have saved in your browser, and check those accounts for any unexpected activity.

The password-stealing component may only need to be run once in order to steal your credentials, so, by the time MSRT has performed its monthly scan, the damage may have already been done. This emphasizes the importance of running an antivirus solution that provides real-time protection.

David Wood
MMPC Melbourne

Are you beta testing malware?

January 7th, 2012 No comments

This post is part one of two.

Popular games are often used by malware writers as social engineering bait as documented in previous blogs (“Dota Players Own3d” and “Keeping Kerrigan From Infection“). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files:

These files were noted as being available through different torrent/file sharing websites.

The first file we found refers to Defense of the Ancients (DotA) 2, which is an update for the popular custom scenario map DotA for Warcraft III: The Frozen Throne. The second refers to Diablo III. Although the official release date for both games is still in 2012, beta versions are available for testers. However, curiosity about these games seems to lead to other dangers, like in the wilderness of Diablo II (released in 2000 – more than a decade ago!). We played the previous versions of both Diablo and DotA, with and against each other (during our free time of course 🙂 ).

The "fun" begins once the Pontoeb malware is executed. Pontoeb gathers power by obtaining information from the infected system, which it then sends back to a remote attacker. The information is gathered through a WMI query that retrieves data such as SerialNumber, SystemDrive, operating system and processor architecture. But its ultimate goal is to morph the infected system into a zombie. It installs a backdoor that an attacker connects to in order to control the infected system and execute certain commands (for example, download a file, update itself, visit a website, and perform HTTP, SYN, and UDP flooding). A detailed description of what the malware does can be found in its encyclopedia description.

The second sample, Fynloski, which mimics the Diablo icon, is a remote access tool (RAT) that is used for malicious purposes, as outlined by our colleague Daniel here.

Figure 1: icon used by Fynloski

It’s basically a backdoor trojan that gains access to almost all the resources and information in your computer; for example, it can log keystrokes, download and run arbitrary files, and disable security settings. More details about Fynloski are available in its encyclopedia description. But what really got our attention was the obfuscation technique that it uses, which we will discuss in our next post.

If you’re running Microsoft Security Essentials, you’re protected against these threats like you would be in Diablo if you have a Blade Barrier. And of course, if you want to continue enjoying your video games in a secure environment, please visit the official DotA and Diablo websites for the actual beta versions.

As always, enjoy playing and be vigilant! GG (Good Game) everyone!

Andrei && Francis

SHA1s used in this post:
803fbc9388203458060f354b0fd3ffe68c506275 – Backdoor:MSIL/Pontoeb.J
a3ca4151c31181a3b948b7cd6a1ef97754fcce22 – Backdoor:Win32/Fynloski.A

Keep your Facebook friends close and your antivirus closer

November 17th, 2011 No comments

Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on friends’ walls in Facebook, gaining access if the user is logged in.

Facebook friend post

The message links to a video posted on a YouTube-like website, which suggests that the user update the browser with a bogus ActiveX object. The malware's authors also went one step further in making sure the video landing page looks as legitimate as possible:

Fake youtube site

This download is actually Backdoor:Win32/Caphaw.A, a sophisticated firewall-bypassing backdoor armed with almost everything. It installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project. We received a report that a user found this in his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.

The backdoor “calls home” to domains such as commonworld<removed>.cc or web<removed>es.cc to get the data that it posts on the friends’ Facebook walls. Its main module, in the meantime, is hosted on <removed>youtube.com.

Facebook friend wall post

The right thing to do when you spot such fishy wall posts is to warn the friends whose accounts have been compromised. You can mark the message as spam to help prevent others from downloading the backdoor; Facebook is quite diligent about filtering these posts once they have been reported.

The presence of this threat on your computer threatens your whole online identity, so we recommend that you change the passwords to all of your sensitive accounts – email, online shopping, and online banking, for example. And while you’re at it, remind your affected friends to change their Facebook passwords, too. Finally, scan your machine with an up-to-date antivirus solution to remove this malware from your computer.

Here are some SHA1s of files detected by our products as Backdoor:Win32/Caphaw.A:

  • c10ad13419ea44ba85cd8e83e2cd7ac8313e91de
  • 54d9f40156cc4a2561252f8ad30b4afdcc5e93b4
  • ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55

— Mihai Calota, MMPC

Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation

April 13th, 2011 Comments off

About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory (APSA11-02).

It all started with spam emails enticing users to open their attachment, typically a Microsoft Word document (or a zip file containing a Microsoft Word document), with the malicious Flash exploit inside. Most of the files we have captured with our signature are named:

  • Fukushima .doc
  • evaluation about Fukushima Nuclear Accident.zip
  • 首場政見會後最新民調略升-蔡英文粉絲團~聲援 .doc
  • 日志分析.doc

Inside the .doc file a malformed Adobe Flash file is embedded. Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously.

In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2-based Flash file. The latter is embedded inside the Word document and is responsible for setting up the exploitation environment.

Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled (image below):

Image 1 – NOP-sled

The AVM2 code then constructs a Win32 shellcode (built in the highlighted ByteArray "s"):

Image 2 – shellcode

It then loads the attack code inside the Flash Player. The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed as in the screen dump below:

Image 3 – CVE-2011-0611 attack code

Shellcode details

The shellcode is injected starting at address 0x11111111 and is a fairly standard one.

Its task is to launch the payload while trying to hide the signs of an infection. It does that by dropping a clean Word document which will replace the original, malicious one.

Let’s see, in detail, what the shellcode does once it gets executed:

  • Resolves the needed APIs:
    • LoadLibraryA
    • GetFileSize
    • GetTempPathA
    • TerminateProcess
    • CreateFileA
    • WideCharToMultiByte
    • SetFilePointer
    • ReadFile
    • WriteFile
    • WinExec
    • CloseHandle
    • GetCommandLineA
    • GetModuleFileNameA
    • CreateFileMappingA
    • MapViewOfFile
    • GetLogicalDriveStringsA
    • QueryDosDeviceA
    • ZwQueryVirtualMemory
  • Brute-forces its way to the Word document’s file handle by knowing that
    • File size must be > 0x7000
    • It must contain the marker 0x7010 at offset 0x7000
  • Retrieves the file path of the Word document file using ZwQueryVirtualMemory and GetLogicalDriveStringsA
  • Decrypts a binary from the document, dumps it as %temp%\scvhost.exe (SHA1 adbf24228f0544a90979a9816569e8c7415efbac – detected as Backdoor:Win32/Poison.M) and finally executes it.


Image 4 – Win32 Shellcode fragment

  • Decrypts an embedded doc file and saves it as '%temp%\AAAA'. This file is the clean Word document we mentioned earlier.
  • The freshly dumped doc file is then used to overwrite the initial Word document.
  • The new document is launched to hide symptoms of infection.
  • Using the utility "taskkill.exe", it terminates all processes with the name 'hwp.exe'.
  • The current WinWord (Microsoft Word) instance is terminated.

We currently detect the malicious Word document and the embedded attack Adobe Flash file as Exploit:SWF/CVE-2011-0611.A. We urge you to read the advisory from Adobe for mitigation details about this vulnerability. As always, we advise you not to open emails from untrusted sources or emails that seem suspicious to you, even if they apparently come from people you know.

Marian Radu, Daniel Radu & Jaime Wong
MMPC

PS: We’d like to thank our colleague Bruce Dang for his contribution to this blog post.

Trojan downloader Chepvil on the UPSwing

March 26th, 2011 Comments off

A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week.  The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.

Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.

The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, clearly indicating the vector: spam. At the time of writing, we had also received a few reports of other online email service account holders receiving this trojan via spam email.

Below is a chart indicating observed telemetry of this trojan over a short period of time:

Image 1 – Chepvil telemetry

Nearly all of the attached files are named “United Parcel Service document.zip”.

The most prevalent SHA1s for the .ZIP attachment are:
0610CE22DF47B3D9C69DC63387705FD666C7205A
151755454A9D443A8A60996F3F1DC4E0C68A9B5D
2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873

The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:
0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F
142E8b00AA24954f9A4AA2271B8A49C445B87587
DA65B7B277540B88918076949A28E8307AD7E41A

Our geographical data from our endpoint protection products show a heavy focus on the United States:

Image 2 – Chepvil telemetry by geography

Below is one example of a spammed message containing the Chepvil trojan.

Image 3 – Sample of Chepvil trojan attachment

MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.


– Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan

How to defang the Fake Defragmenter

March 19th, 2011 Comments off

We have been tracking this fake "System Defragmenter" software since its first appearance in October 2010, and warned our customers about this trojan in an earlier post. In this follow-up post, we give an update, including a new variant worth noting for our customers.

The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers – to extract money.

“Brands” or aliases
Common strategies of fake software include branding or use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect in this post later on.

System Defragmenter | Smart HDD             | Scanner
Check Disk          | Win Defragmenter      | Full Scan
Win HDD             | Win Defrag            | HDD Scan
HDD Plus            | Win Defragmenter      | HDD Diagnostics
HDD Low             | Quick Defragmenter    | HDD Repair
HDD Tools           | Smart Defragmenter    | Win Scanner
HDD Doctor          | HDD Defragmenter      | Quick Defrag
HDD Rescue          | Scan Disk             | HDD Fix
Disk Doctor         | HDD Control           | Memory Fixer
Disk Repair         | Hard Drive Diagnostic | My Disk
Easy Scan           | Disk Ok               | Fast Disk
HDD Ok              | Disk Optimizer        | Memory Optimizer
Good Memory         | Memory Scan           | Windows Scan
Disk Recovery       | Win Disk              | WinScan


The Packers
FakeSysdef uses a few different packers. Figure 1 shows the custom packer used by this rogue: a relatively simple one that in turn uses an anti-emulation trick in its bid to thwart emulators.

Figure 1 – Illustration of packing layer and obfuscation by FakeSysdef

Perhaps, what is important to note about this packer is that it’s being used by other malware such as Rogue:Win32/Sirefef, Rogue:Win32/FakeRean, some variants of TrojanDownloader:Win32/Harnig and Rogue:Win32/Winwebsec and, recently, Rogue:Win32/FakeSpypro as well.  It is not uncommon for malware to share packers; identifying the packer can be sufficient to classify the packed file as malicious. (See “Standards and Policies on Packer Use”, our blog post about the use of “taggants” to identify a packer family).

The packer layer decrypts the code and copies the decrypted code to the newly allocated memory before jumping to the second layer, or the injector stub. The injector stub can be easily recognized by the starting code similar to that shown below:

The first two calls just get the base addresses of KERNEL32.DLL and NTDLL.DLL. With the base addresses in hand, the injector can now easily retrieve the other APIs it needs by parsing each DLL's Export Address Table, including the RtlDecompressBuffer() API, which it uses to uncompress the embedded executable with COMPRESSION_FORMAT_LZNT1:

00A41D21                 push    edx             ; RtlDecompressBuffer
00A41D22                 mov     eax, [ebp+_NTDLL_]
00A41D28                 push    eax
00A41D29                 call    _getprocaddress
00A41D2E                 mov     [ebp+var_204], eax
00A41D34                 lea     ecx, [ebp+var_90]
00A41D3A                 push    ecx
00A41D3B                 mov     edx, [ebp+arg_0]
00A41D3E                 mov     eax, [edx]
00A41D40                 push    eax             ; CompressBufferSize
00A41D41                 mov     ecx, [ebp+arg_0]
00A41D44                 add     ecx, 4
00A41D47                 push    ecx             ; CompressedBuffer
00A41D48                 mov     edx, [ebp+arg_4]
00A41D4B                 push    edx             ; UncompressedBufferSize
00A41D4C                 mov     eax, [ebp+var_19C]
00A41D52                 push    eax             ; UncompressedBuffer
00A41D53                 push    COMPRESSION_FORMAT_LZNT1 ; Format
00A41D55                 call    [ebp+var_204]   ; RtlDecompressBuffer
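
As an added example (not code from the post), the following Python reimplements the LZNT1 decompression that the stub delegates to RtlDecompressBuffer, so the embedded executable can be carved out statically on an analysis machine rather than by running the sample. The length-prefixed blob layout (DWORD compressed size, then data) is inferred from the listing above, the chunk and token encoding follows the MS-XCA description of LZNT1, and the demo blob is constructed for the example.

```python
import struct


def _displacement_bits(emitted):
    """Bits borrowed from the 12-bit length field for the displacement; the
    count grows with how many bytes of the current chunk were already emitted."""
    pos = emitted - 1
    bits = 0
    while pos >= 0x10:
        pos >>= 1
        bits += 1
    return bits


def _decompress_chunk(data):
    """Decode one compressed LZNT1 chunk: flag byte, then up to 8 tokens."""
    out = bytearray()
    i = 0
    while i < len(data):
        flags = data[i]
        i += 1
        for bit in range(8):
            if i >= len(data):
                break                         # chunk ended mid-group
            if not flags & (1 << bit):
                out.append(data[i])           # literal byte
                i += 1
                continue
            if i + 2 > len(data):
                raise ValueError("truncated match token")
            token = struct.unpack_from("<H", data, i)[0]
            i += 2
            shift = _displacement_bits(len(out))
            offset = (token >> (12 - shift)) + 1
            length = (token & (0xFFF >> shift)) + 3
            if offset > len(out):
                raise ValueError("back-reference before start of chunk")
            for _ in range(length):           # byte-wise copy allows overlap
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf, max_out=None):
    """Walk the chunk headers; max_out mirrors UncompressedBufferSize."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:
            break                             # end-of-stream marker
        size = (header & 0x0FFF) + 1          # bytes of chunk data after header
        chunk = buf[i:i + size]
        i += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
        if max_out is not None and len(out) > max_out:
            raise ValueError("output exceeds declared uncompressed size")
    return bytes(out)


def unpack_embedded(blob, uncompressed_size=None):
    """Layout inferred from the listing: DWORD compressed size, then data."""
    if len(blob) < 4:
        raise ValueError("blob too short for the size prefix")
    csize = struct.unpack_from("<I", blob, 0)[0]
    if 4 + csize > len(blob):
        raise ValueError("declared compressed size exceeds blob")
    return lznt1_decompress(blob[4:4 + csize], uncompressed_size)


# Constructed demo blob (not a real sample): one compressed chunk whose two
# matches exercise the 4-bit and 5-bit displacement encodings, followed by a
# stored chunk.  The expected plaintext is b"MZPE_STUB_" * 3 + b"!STORED".
COMPRESSED_CHUNK = bytes([
    0x10, 0xB0,                 # header: compressed, 17 bytes of chunk data
    0x00, *b"MZPE_STU",         # flags 0x00: eight literals
    0x0C, *b"B_",               # flags 0x0C: tokens 2 and 3 are matches
    0x07, 0x90,                 # at pos 10: copy 10 bytes from 10 back
    0x07, 0x48,                 # at pos 20: copy 10 bytes from 10 back
    0x21,                       # literal '!'
])
STORED_CHUNK = bytes([0x05, 0x30, *b"STORED"])   # header: stored, 6 bytes
SAMPLE_BLOB = (struct.pack("<I", len(COMPRESSED_CHUNK) + len(STORED_CHUNK))
               + COMPRESSED_CHUNK + STORED_CHUNK)

if __name__ == "__main__":
    print(unpack_embedded(SAMPLE_BLOB, uncompressed_size=37))
```

Pointing unpack_embedded at the bytes the stub passes in arg_0 recovers the decompressed PE image; a declared uncompressed size that is smaller than the output is reported as an error rather than silently truncated.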

The injector then fixes the PE image in memory after stuffing the now-decompressed code into the host’s own address space. Finally, it jumps to the final entry point of the malicious program, and begins the installation:

00A42957                 mov     [ebp+var_1C], 'A'
00A4295B                 mov     [ebp+var_1B], 'l'
00A4295F                 mov     [ebp+var_1A], 'l'
00A42963                 mov     [ebp+var_19], ' '
00A42967                 mov     [ebp+var_18], 'd'
00A4296B                 mov     [ebp+var_17], 'o'
00A4296F                 mov     [ebp+var_16], 'n'
00A42973                 mov     [ebp+var_15], 'e'
00A42977                 mov     [ebp+var_14], '.'
00A4297B                 mov     [ebp+var_13], 'C'
00A4297F                 mov     [ebp+var_12], 'a'
00A42983                 mov     [ebp+var_11], 'l'
00A42987                 mov     [ebp+var_10], 'l'
00A4298B                 mov     [ebp+var_F], 'i'
00A4298F                 mov     [ebp+var_E], 'n'
00A42993                 mov     [ebp+var_D], 'g'
00A42997                 mov     [ebp+var_C], ' '
00A4299B                 mov     [ebp+var_B], 'O'
00A4299F                 mov     [ebp+var_A], 'E'
00A429A3                 mov     [ebp+var_9], 'P'
00A429A7                 mov     [ebp+var_8], 0
:
00A429BD                 mov     edx, [ebp+arg_0]
00A429C0                 add     edx, [ecx+10h]
00A429C3                 mov     [ebp+_final_entry_point], edx
00A429C6                 mov     esp, [ebp+arg_8]
00A429C9                 xor     eax, eax
00A429CB                 mov     edi, [ebp+arg_14]
00A429CE                 mov     esi, [ebp+arg_10]
00A429D1                 mov     ebx, [ebp+arg_C]
00A429D4                 jmp     [ebp+_final_entry_point]

New variant?
Earlier in February, we received an attention-getting new sample of FakeSysdef from a customer. At first we thought it was different malware, but looking closely and analyzing the sample, it was indeed a major modification to the FakeSysdef family.

For comparison, previous variants use the same interface and logo with an icon similar to a trojan horse:

Figure 2 – Various branding for FakeSysdef

This most recent FakeSysdef sample uses a new interface, though you can tell that it is part of this family because the menu, text and (fake) error messages are still the same (see Figure 3):

Figure 3 – New FakeSysdef GUI

The new variant is armored with a new shiny GUI and its scareware tactics are rather alarming and more aggressive, leaving the computer virtually useless until the user pays for the license to fix the bogus errors.

It is packed with UPX, a packer that is plain and simple without complex obfuscation that would make analysis more difficult. This is an indication that it’s in the early stages of development and still lacks emphasis on malware “hardening” intended to hide the malware from scanners and malware researchers alike.

The Loader
The main executable component arrives as an EXE file and acts as a loader. It first terminates the Internet Explorer process if found running. On computers running Windows Vista and later, it makes sure that it runs as an elevated privilege process. Then it drops a DLL file such as the following:

"C:\Documents and Settings\All Users\Application Data\aJnsgXnTGrqWD.DLL"

It injects the DLL into the EXPLORER.EXE process. After a while, it starts to display a fake error message:

Figure 4 – Fake error message

FakeSysdef injects the DLL file into processes (upon reboot) with the following registry change:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, "AppSecDll" = "<DLL_PATH>"

The DLL code is selective about where it runs: it checks the name of the host process so that it effectively injects itself only into the Explorer.exe, Winlogon.exe and userinit.exe processes. After injection, it tries to connect to a hardcoded URL, perhaps to phone home its affiliate ID for a pay-per-install scheme:

<site>/404.php?type=stats&affid=487&subid=new05&awok

As of this writing, the associated site “findcopper.org” and URL requested is no longer available.

Scaring the user
The DLL component creates a black BMP file on the fly based on the operating system product name and service pack number queried from the registry, and sets the created BMP as the desktop background (see Figure 5). This BMP file is dropped in the Temporary files folder and is made to look like an authentic "Safe Mode" boot background, which is used later on after a forced reboot by the trojan.

FakeSysdef also disables the background tab of the Windows desktop configuration to make sure that the new desktop background will not be altered, with the following registry modification:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, "NoChangingWallPaper" = "1"

It may terminate more active processes and will, finally, force the machine to reboot. Once rebooted, the malware begins its assault by showing a fake Windows boot failure error dialog box at the background, with the BMP created earlier on top of it, simulating Safe Mode:

Figure 5 – Fake Safe Mode and "Windows Boot Failure" dialog after reboot

This is followed by a disk diagnostics dialog that requests permission to diagnose the "disk problems". Annoying disk and memory errors pop up to assert its presence and create more panic for the user. Eventually, the malware offers a module to download and "fix" those errors. If the user does not accept the fix, the malware reboots the computer again and the process repeats itself, until the user might just give up and allow the "fix" module to run.

The machine now appears useless and will not allow any application or program to be executed, leaving the hapless user seemingly no choice but to accept the fix and repair offered by the rogue authors (see Remediation at the end of this post). That is the scareware tactic.

The remaining symptoms of this trojan variant are similar to previous variants: before it "fixes" the errors, you need to activate the module by purchasing a software license from the malware makers. It opens a simple, custom browser showing a very legitimate-looking "secure and verified" webpage.

Rogue Call-back and Affiliate Sign In
This trojan family phones home to a remote website to record its installation stats, such as whether other malware was installed, together with the affiliate ID, presumably for pay-per-install business transactions. This network communication and behavior makes it possible to write IDS/IPS signatures to detect and block its network activity. Our data shows that FakeSysdef has the following outbound connection string formats:

<website>.com/dfrg/dfrg
<website>.com/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/customers/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/404.php?type=stats&affid=<AFFID>&subid=<SUBID>&

Example URLs:

<website>readdatagateway.php?type=stats&affid=427&subid=01&version=5.0&adwareok
<website>/customers/readdatagateway.php?type=stats&affid=427&subid=02&version=5.0&installok
<website>/404.php?type=stats&affid=484&subid=t01&version=5.0&installok
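
As an added example (not code from the post), the following Python classifies proxy log entries against the check-in shapes listed above and pulls out the affiliate and sub-affiliate IDs, which is the kind of matching an IDS or log-search rule for this family would do. The hosts are deliberately not part of the rule because the family rotates domains; the log lines are constructed, and the `.invalid` hostnames are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path shapes taken from the connection string formats above.
CALLBACK_PATH = re.compile(
    r"^/(?:customers/)?(?:readdatagateway|404)\.php$|^/dfrg/dfrg$")
# Trailing bare parameters seen in the example URLs (status markers).
STATUS_FLAGS = ("awok", "adwareok", "installok")


def classify_request(url):
    """Return affid/subid/flag for a URL that matches the FakeSysdef
    check-in shape, or None for anything else."""
    parts = urlsplit(url)
    if not CALLBACK_PATH.match(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # The .php check-ins always carry type=stats; require it to cut noise
    # from unrelated 404.php pages.
    if parts.path.endswith(".php") and params.get("type") != ["stats"]:
        return None
    return {
        "path": parts.path,
        "affid": params.get("affid", [None])[0],
        "subid": params.get("subid", [None])[0],
        "flag": next((k for k in params if k in STATUS_FLAGS), None),
    }


# Constructed proxy log lines (not real telemetry): "<ts> <client> <method> <url>".
SAMPLE_LOG = """\
1300000001 10.0.0.5 GET http://www.example.com/index.html
1300000002 10.0.0.7 GET http://c2.example.invalid/404.php?type=stats&affid=487&subid=new05&awok
1300000003 10.0.0.7 GET http://c2.example.invalid/dfrg/dfrg
1300000004 10.0.0.9 GET http://other.example.invalid/customers/readdatagateway.php?type=stats&affid=427&subid=02&version=5.0&installok
1300000005 10.0.0.9 GET http://www.example.com/404.php?page=missing
"""


def scan_log(text):
    """Yield one hit per matching line, tagged with the client address so the
    affected host can be pulled for remediation."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        info = classify_request(fields[3])
        if info is not None:
            info["client"] = fields[1]
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```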

Some of the sites contacted by this family include (edited):

<string>across.org
<string>finddivide.org
<string>findexchange.org

At least one of the sites involved allows the malware affiliate to log on as displayed below:

Figure 6 – Example of the affiliate logon portal

Remediation
There is a somewhat painless method to remove this trojan without giving in and paying its authors. The basic steps are to start the computer in safe mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.

The DLL is identified by reviewing the registry data “<DLL_PATH>”:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
“AppSecDll” = "<DLL_PATH>"

The bitmap is stored as either “wall.BMP” or “<random>.BMP” in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper, via a registry value named “NoChangingWallPaper”. Windows customers requiring additional help can get assistance from our online support site http://support.microsoft.com/ or via phone by calling 1-800-PC-SAFETY (1-800-727-2338).
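The remediation steps above as an added Python example (not from the original post or from MMPC): the live collector reads the AppCertDlls values, the temp folder listing and the wallpaper policy with winreg on a Windows host, and the planner turns that state into the ordered clean-up described above. The registry location assumed for NoChangingWallPaper is the usual Policies\ActiveDesktop key, which the post does not name.

```python
import ntpath, os, tempfile
try:
    import winreg  # Windows only; plan_remediation() itself needs no registry access
except ImportError:
    winreg = None

# Key named in the post; the trojan DLL path is the data of its "AppSecDll" value.
APPCERT = r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
# Assumed location of the NoChangingWallPaper policy (the post names only the value).
WALLPAPER_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"

def read_values(root, subkey):
    """Return {name: data} for every value under root\\subkey; {} if the key is absent."""
    out = {}
    try:
        with winreg.OpenKey(root, subkey) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                out[name] = data
    except OSError:
        pass
    return out

def collect_live_state():
    """Gather the artefacts on a Windows host; None where winreg is unavailable."""
    if winreg is None:
        return None
    temp_dir = tempfile.gettempdir()
    policy = read_values(winreg.HKEY_CURRENT_USER, WALLPAPER_POLICY)
    return dict(appcert=read_values(winreg.HKEY_LOCAL_MACHINE, APPCERT),
                temp_dir=temp_dir, temp_files=os.listdir(temp_dir),
                wallpaper_locked=policy.get("NoChangingWallPaper", 0) == 1)

def plan_remediation(appcert, temp_dir, temp_files, wallpaper_locked):
    """Ordered clean-up from the post, to be carried out from safe mode.
    AppCertDlls is normally absent or empty, so every entry is removed with the DLL
    it loads; then the .BMP wallpaper in the temp folder, then the policy pinning it."""
    plan = []
    for name, dll in appcert.items():
        plan.append(("delete_file", ntpath.expandvars(dll)))
        plan.append(("delete_value", f"HKLM\\{APPCERT}\\{name}"))
    for fname in temp_files:
        if fname.lower().endswith(".bmp"):  # wall.BMP or <random>.BMP
            plan.append(("delete_file", ntpath.join(temp_dir, fname)))
    if wallpaper_locked:
        plan.append(("delete_value", f"HKCU\\{WALLPAPER_POLICY}\\NoChangingWallPaper"))
    plan.append(("reboot_then_scan", "full antimalware scan after restart"))
    return plan
```

Run `plan_remediation(**collect_live_state())` from an elevated prompt on the affected machine to print the steps before carrying them out.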

Conclusion
Despite its simplistic approach, FakeSysdef and its recent code modifications tell us two things: (1) the malware authors are making a reasonable amount of money from their operation, and (2) we will likely be seeing more of this trojan in the coming months. The hardcoded strings (Uniform Resource Identifiers, file names, and so on) suggest that the scammers are using a toolkit or builder to compile new releases.

Hopefully, you found this post helpful. MMPC will continue to track and haunt them until the game is over.

— Rex Plantado, MMPC

Fake Microsoft Security Essentials software on the loose. Don’t be fooled by it!

October 25th, 2010

Last week, we saw the re-emergence of another trojan, this one disguising itself as Microsoft’s no-cost antimalware program, Microsoft Security Essentials. This imposter is known in the technical world of antimalware combat as “Win32/FakePAV”. FakePAV is a rogue that displays messages imitating Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes, such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.

This fake software is distributed by a tactic commonly described as a “drive-by download” and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake Microsoft Security Essentials software reports it cannot clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.

Before we get to the detailed view of how this trojan works, we want the message to be very clear: This software is a fake. Do not be fooled by this scam. This malware can potentially cause consumers and small business owners harm. Microsoft Security Essentials can be downloaded and used at no cost by users running genuine Windows (Download here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly up to no good.

If you have not already updated your security software please do so. Making sure your security software is up-to-date and has the latest definitions is the best way to prevent infections.

And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here is how the current one imitating Microsoft Security Essentials works:

1. It modifies the system so that it runs when Windows starts.

2. When you try to execute something it is watching for, it opens an alert window claiming the program is infected and blocks it from running.

3. You can expand the alert for “additional details”.

4. If you click “Clean computer” or “Apply actions”, it simulates an attempt to clean the claimed infection.

5. You then get an “unable to clean” alert and are instructed to click “Scan Online”.

6. Clicking this, a list of antimalware programs appears, including several fake removal tools, and you are asked to click “Start Scan”.

7. Once the simulated scan completes, it claims a solution was found and lists products that can “clean” the system (the listed products are fake removal tools).

8. Clicking “Free install” on one of those downloads its installer and starts installing it.

If you believe your machine has become infected, we encourage you to use Microsoft Security Essentials to check your PC for malware and to help remove it from your system. You can also find out how to get virus-related assistance at no charge from Microsoft here: http://www.microsoft.com/protect/support/default.mspx.

For more information on this FakePAV please visit our encyclopedia entry at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakePAV. It contains a lot of information that may help answer questions about this rogue.

And remember: Microsoft does not charge for Microsoft Security Essentials. You can find the legitimate version of Microsoft Security Essentials at http://www.microsoft.com/security_essentials.