Archive

Archive for the ‘malware research’ Category

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018 No comments

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given todays modern threats, older platforms can be infiltrated more easily because these platforms dont have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10s comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 thats streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petyas initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device is fully patched, Petyas exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petyas entry vector (i.e., compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10s built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from local security authority subsystem service (LSASS), helping curb the ransomwares propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security solutions technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbits attempt to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. The said detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreens reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases that a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case scenario where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as what happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we dont stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

 

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017 No comments

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarues sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnets command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnets servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarues global prevalence.

Figure 1. Gamarues global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc
  • Rootkit (included in crime kit) Injects rootkit codes into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) Turns victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) Enables attacker to remotely control the victim machine, spy on the desktop, perform file transfer, among other functions
  • Spreader Adds capability to spread Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses Domain Name Generation (DGA) for the servers where it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarues attack kill-chain

Gamarues main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disks volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication whether the signed in user has administrative rights, and keyboard language setting for the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazahkstan

Before sending to the C&C server, this information is encrypted with RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with RC4 algorithm using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes time to wait for when to ask the C2 server for the next command
  • Task ID – used by the hacker to track if there was an error performing the task
  • Command one of the command mentioned above
  • Download URL – from which a plugin/updated binary/other malware can be downloaded depending on the command.

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list hashes of the processes running on a potential victims machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn using Gamarue. Since Gamarues main purpose is to distribute other malware, hackers earn using pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

 

 

Microsoft Digital Crimes Unit and Windows Defender Research team

 

 

Get more info on the Gamarue (Andromeda) takedown from the following sources:

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Malicious macro using a sneaky new trick

May 18th, 2016 No comments

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons

 

The VBA modules look like legitimate SQL programs powered with a macro; no malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deault autoopen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field

 

The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016 . The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreatUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “knowndllsmstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

The malware builds the information describing the first patch

Figure 1: The malware builds the information describing the first patch

 

The highlighted "push 4" is patched to "push 0x40", meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Figure 2: The highlighted “push 4″ is patched to “push 0x40″, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndllsfgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:program filesWindows JournalTemplatesCpljnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016 . The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreatUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “knowndllsmstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

The malware builds the information describing the first patch

Figure 1: The malware builds the information describing the first patch

 

The highlighted "push 4" is patched to "push 0x40", meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Figure 2: The highlighted “push 4″ is patched to “push 0x40″, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndllsfgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:program filesWindows JournalTemplatesCpljnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

MSRT March 2016 – Vonteera

March 9th, 2016 No comments

As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.

BrowserModifier:Win32/Vonteera

We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera began adding legitimate certificates that belong to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows to not trust legitimate security and antimalware products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back to this list, so you still might not be able to run your security software.​

DESCRIPTION

Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015 No comments

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Increasing trend of macro downloaders from April 2014 to 2015

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Macro downloaders’ prevalence in affected countries

Figure 2: Macro downloaders’ prevalence in affected countries

 

Macro malware distribution heat map

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Macro downloader infection chain

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

 

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

                                                                  

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

Trust Center file block settings

Doing so blocks older Office versions from opening.

You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015 No comments

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Increasing trend of macro downloaders from April 2014 to 2015

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Macro downloaders’ prevalence in affected countries

Figure 2: Macro downloaders’ prevalence in affected countries

 

Macro malware distribution heat map

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Macro downloader infection chain

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

 

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

                                                                  

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

Trust Center file block settings

Doing so blocks older Office versions from opening.

You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015 No comments

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and the Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Simda.AT machine detections from October 2014 to March 2015

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Percentage of Simda.AT machine detections by country from February to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Simda.AT machine detections heat map from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript.  Compromised sites were used to redirect users' traffic to another website, named the "gate".  Figure 4 shows an example of an injected JavaScript which is detected as Trojan:JS/Redirector.  

This gate website is part of the exploit tool chain, which will redirect the browser to the exploit landing page. The "gate" in this Simda.AT example, is detected as Exploit:JS/Fiexp (aka  Fiesta Exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074.  More specific details related to the exploits can be found in the following CVEs: 

Compromised website with injected malicious JavaScript

Figure 4: Compromised website with injected malicious JavaScript

 

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Fiesta exploit kit in action

Figure 5: Fiesta exploit kit in action          

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%driversetchosts by updating the content and changing the file attributes to be read-only and hidden.  The specific changes are hard-coded into each binary, and can cause the victim machine's internet traffic to be routed according to the new instructions for targeted hosts. 

After applying the updates, the installer creates a new and empty file %SYSTEM32%driversetchosts.txt to further obfuscate the changes made to the system. The most recent samples are targeting network communication from the following URLs:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com) and a portion of recent Simda.AT samples connecting to Bing.com using the following URL pattern:  http://www.bing.com/chrome/report.html?<encoded string> 

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.

Software distribution and modules

Based on our research, we believe the primary monetization method for this is through a Pay-Per-Install (PPI) program in which the authors can be compensated for distributing and installing additional software packages or modules.  Over time, we have observed the following types of software to be distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using RDTSC instruction, the DGA creates a random, 15-19 character long string that's embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use as the key. Then unquote the query value and enumerate each byte and get the decrypted byte with the following python code snippet:

decrypted_string += chr(ord(cipher[i]) – ord(hostname[i % len(hostname)]))

The third, or 'update' request, requires an additional step to base64 decode the query string.

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and processes that are running that we suspect are used for anti-emulation updates for new samples.

The 'update' command is used when downloading modules or additional software packages.  Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different, 'module', or server.  When the module servers receives the request and then responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths. 

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred Anti-Malware Solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015 No comments

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and the Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Simda.AT machine detections from October 2014 to March 2015

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Percentage of Simda.AT machine detections by country from February to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Simda.AT machine detections heat map from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript.  Compromised sites were used to redirect users' traffic to another website, named the "gate".  Figure 4 shows an example of an injected JavaScript which is detected as Trojan:JS/Redirector.  

This gate website is part of the exploit tool chain, which will redirect the browser to the exploit landing page. The "gate" in this Simda.AT example, is detected as Exploit:JS/Fiexp (aka  Fiesta Exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074.  More specific details related to the exploits can be found in the following CVEs: 

Compromised website with injected malicious JavaScript

Figure 4: Compromised website with injected malicious JavaScript

 

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Fiesta exploit kit in action

Figure 5: Fiesta exploit kit in action          

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%driversetchosts by updating the content and changing the file attributes to be read-only and hidden.  The specific changes are hard-coded into each binary, and can cause the victim machine's internet traffic to be routed according to the new instructions for targeted hosts. 

After applying the updates, the installer creates a new and empty file %SYSTEM32%driversetchosts.txt to further obfuscate the changes made to the system. The most recent samples are targeting network communication from the following URLs:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com) and a portion of recent Simda.AT samples connecting to Bing.com using the following URL pattern:  http://www.bing.com/chrome/report.html?<encoded string> 

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.

Software distribution and modules

Based on our research, we believe the primary monetization method for this is through a Pay-Per-Install (PPI) program in which the authors can be compensated for distributing and installing additional software packages or modules.  Over time, we have observed the following types of software to be distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using RDTSC instruction, the DGA creates a random, 15-19 character long string that's embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use as the key. Then unquote the query value and enumerate each byte and get the decrypted byte with the following python code snippet:

decrypted_string += chr(ord(cipher[i]) – ord(hostname[i % len(hostname)]))

The third, or 'update' request, requires an additional step to base64 decode the query string.

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and processes that are running that we suspect are used for anti-emulation updates for new samples.

The 'update' command is used when downloading modules or additional software packages.  Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different, 'module', or server.  When the module servers receives the request and then responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths. 

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred Anti-Malware Solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Upatre update: infection chain and affected countries

March 12th, 2015 No comments

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the mostly affected countries.

A breakdown of the top 10 countries affected by the Upatre infections since January 2015

Figure 2: A breakdown of the countries mostly affected by the Upatre infections since January 2015

 

Detection rates for these countries is as follows:

A breakdown of the countries mostly affected by Upatre infections since January 2015

Figure 3: The data shows the United States having the most Upatre infection since January 2015

The data shows the United States having the most Upatre infection since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure and keep all software up to date.

 

Patrick Estavillo

MMPC

Upatre update: infection chain and affected countries

March 12th, 2015 No comments

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the mostly affected countries.

A breakdown of the top 10 countries affected by the Upatre infections since January 2015

Figure 2: A breakdown of the countries mostly affected by the Upatre infections since January 2015

 

Detection rates for these countries is as follows:

A breakdown of the countries mostly affected by Upatre infections since January 2015

Figure 3: The data shows the United States having the most Upatre infection since January 2015

The data shows the United States having the most Upatre infection since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure and keep all software up to date.

 

Patrick Estavillo

MMPC

MSRT January 2014 – Bladabindi

January 14th, 2014 No comments

This month the Malicious Software Removal Tool (MSRT) includes a new malware family – MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publically available for download.

Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook message and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. We added Bladabindi to the MSRT due to its prevalence throughout 2013.

DESCRIPTION

Figure 1: Telemetry data showing the prevalence of Bladabindi

Bladabindi variants can be created by using the Remote Access Tool (RAT) known as "NJ Rat". We detect this RAT as VirTool:MSIL/Bladabindi.A. Bladabindi can also be downloaded by recent variants of Jenxcus family, which likely has the same author as Bladabindi.

Recently its author released a dedicated downloader to download Bladabindi and run it directly from memory – we detect this as TrojanDownloader:MSIL/Bladabindi.A.

Bladabindi variants are usually installed with an enticing name and icon to trick people into running it. The following are some sample file names:

  • فيس بوك.exe – (Facebook.exe)
  • فيديو قتلى المجموعات الإرهابية.exe – (Video killed the terrorist groups.exe)
  • ! My Picutre.SCR
  • Windows_7_Activators.exe
  • hot.exe
  • StartupFaster.exe

Below are some sample icons:

DESCRIPTION

Figure 2: Some file icons used by Bladabindi

Bladabindi is written in VB.NET, and usually obfuscated with various .NET obfuscators to avoid detection. It uses undocumented APIs to make itself a critical process, which will cause a system crash if it is terminated. This can make it difficult to remove from your PC when the malware is running. MSIL/Bladabindi also has backdoor functionality, including:

  • Using your camera to take picture
  • Running files
  • Registry manipulation
  • Remote shells
  • Key logging
  • Screen captures
  • Loading plugins dynamically
  • Updating
  • Uninstalling
  • Restarting

From information we collected, it seems Bladabindi's author tries to show their ability to develop malware, to help their chances of being hired on to other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.

DESCRIPTION

Figure 3: Bladabindi author's Twitter page

Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. Do you remember the infamous Win32/Hupigon worm? – Another case where a malware author wrote a backdoor, but claims they didn't distribute it.

As usual, the best protection from Bladabindi, and other malware or potentially unwanted software is to have up-to-date security software installed and being aware of the risks of social engineering.

Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng
MMPC

Categories: malware research, MSRT Tags:

Korean gaming malware – served 3 ways

December 21st, 2012 No comments

Recently, we’ve seen similar activities being performed by different malware that monitor online Korean applications. Mostly, the applications they monitor are card games, such as those in Figure 1.

Examples of online Korean games that are being monitored. (Source: http://www.hangame.com)
Figure 1: Examples of online Korean games that are being monitored. (Source: http://www.hangame.com)

 

The following applications are monitored if found running on the system:

  • LASPOKER.EXE
  • highlow2.exe
  • baduki.exe
  • duelpoker.exe
  • HOOLA3.exe
  • poker7.exe
  • FRN.exe

The first malware is Trojan:Win32/Urelas.C. Written in Delphi, this malware uses a typical spying technique. It takes screenshots of a user’s gaming activity by looking for the processes listed above at certain positions on the screen; these screenshots could then be used to observe the gaming behavior of the compromised user. It sends copies of the screenshots it captures to a remote server in JPG, TIFF, or BMP picture format and also gathers other information from the compromised system, such as the computer name and user login details. 

The second malware is Trojan:Win32/Gupboot.A. This malware takes things a step further, introducing a bootkit component and reusing code from Urelas to overwrite the MBR (which we detect as Trojan:DOS/Gupboot.A). Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state.

Like most malware that overwrites the MBR, the main intent is to use the malware’s 16-bit loader to execute the payload. The malware uses its own copy of explorer.exe (dropped as temp1234.dat) written on the physical sector and redirects execution of the system’s original explorer.exe to the malware copy (see Figure 2). This type of behaviour is also discussed in the Bitdefender LABS blog “Plite bootkit spies on gamers”

Portion of Trojan:DOS/Gubpoot.A written on disk with intenet to replace C:Windows\explorer.exe execution
Figure 2: Portion of Trojan:DOS/Gubpoot.A written on disk with intent to replace C:Windows\explorer.exe execution

Also found in the body of the malware code is a zip archive that contains an executable detected as Trojan:Win32/Gupboot.A.

The third and last malware is Backdoor:Win32/Blohi.B. The malware is compiled in VB and usually arrives disguised as a game bundled in an NSIS installer with names such as Plants vs. Zombies, StarCraft and others. Once installed, it pings http://blog.naver.com/PostView.nhn, a very popular Korean search engine, to test for an internet connection. It logs keystrokes, monitors the processes listed above (if they exist) and has predefined backdoor commands that can modify the process list, take screenshots and uninstall the malware. It can also display a fake blue screen (see Figure 3) – possibly to force the user into rebooting their computer so that the Blohi malware can install other malware.

Fake blue screen
Figure 3: Fake blue screen

 

We also observed that these threats are most prevalent in Korea compared to other geographical locations, as seen from the following reports for the month of November 2012.

Table 1: Urelas infection
Table 1: Urelas infection

 

Table 2: Gupboot infection
Table 2: Gupboot infection

 

Table 3: Blohi infection
Table 3: Blohi infection

 

The aim of the malware authors is to gather information, for example:

  • User login details
  • Credit card details – used for purchasing game money and avatar upgrades
  • Korean ID – similar to a social security number, required for registration and verification purposes
  • Screenshots – taken to observe the gaming behavior of the user and possibly to provide an advantage to the authors if they choose to play with the user

MMPC strongly recommends users be cautious with files downloaded from the internet. Always verify that it comes from a reputable source before executing the binary. In the case of Blohi and other malware posing as installers, instead of playing a full version of the game, you might end up getting played by malware authors.

Marianne Mallen
MMPC

Categories: malware research Tags:

An analysis of Dorkbot’s infection vectors (part 2)

November 21st, 2012 No comments

In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we’ll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files.

Spreading vectors not requiring user interaction: Drive-by downloads and Autorun files

Dorkbot can also spread automatically, without user interaction. We recently encountered a malicious Java applet that exploits the vulnerability described in CVE-2012-4681 to distribute the Dorkbot worm. We detect the applet as Exploit:Java/CVE-2012-4681.HD. Let’s take a closer look at how this exploit works.

Java applets that are not digitally signed are considered untrusted. They are executed with limited permissions by the Java Runtime Environment. Before it can download and execute arbitrary files, Exploit:Java/CVE-2012-4681.HD has to disable the security manager, which defines the security policy of the applet. The security manager can be disabled with a call to System.setSecurityManager(null), but applets are restricted from calling this method directly.

The exploit relies on vulnerabilities in the implementation of the following two methods:

  • Method com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)
  • Method com.sun.beans.finder.MethodFinder.findAccessibleMethod(Class,String,Class[])

We decompiled the method ClassFinder.findClass to determine why it was vulnerable. As shown in Figure 8, ClassFinder.findClass calls the method Class.forName in its internal implementation. The method Class.forName in turn only looks at the immediate caller to perform security checks. As you can see, the vulnerability lies in the way Class.forName is used, and not in the method Class.forName itself.

The fix was to perform an additional package access check at the beginning of method ClassFinder.findClass, a check that fails if an applet attempts to access a restricted Java class (Figure 8).

Figure 8: The vulnerability in com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)

Another issue, this time in the implementation of the method sun.awt.SunToolkit.getField(Class,String), allows one to access private members of Java classes. The method SunToolkit.getField would not be accessible by default to user code, but the exploit calls it with the help of a java.beans.Expression object. java.beans.Expression.execute() is also vulnerable because it relies on the two vulnerable methods described above.

Exploit:Java/CVE-2012-4681.HD calls SunToolkit.getField to modify a private member of a java.beans.Statement object and set the access control context to “all permissions”. The class Statement can be used to invoke methods from arbitrary classes with modified access control context value. The exploit relies on a Statement object with modified access control context to invoke the privileged method System.setSecurityManager. After this, it has the permission to download additional malware (Figure 9).

Figure 9: Execution flow of Exploit:Java/CVE-2012-4681.HD

As is typical for Java exploits nowadays, the code of Exploit:Java/CVE-2012-4681.HD is heavily obfuscated to try to bypass AV detection. Figure 10 shows how the exploit retrieves the private field “acc” of the java.beans.Statement class, a field that defines the access control context.

Figure 10: Obfuscated code in Exploit:Java/CVE-2012-4681.HD

Exploits for CVE-2012-4681 are guaranteed to work if the Java Runtime Environment is vulnerable (unlike exploits for memory corruptions, for instance). They are also platform independent (so they can also infect *nix and Mac users) and target a huge base of Java installations.

Unsurprisingly, as shown in Figure 11, our telemetry indicates that exploits for CVE-2012-4681 have been widely used to distribute malware since the vulnerability was first made public in late August 2012. A security update to resolve it was released around the same time.

Figure 11: Infections attempts with CVE-2012-4681 Java exploits reported from September 15th to October 17th, 2012

To avoid getting infected through drive-by downloads, make sure your software is up to date – for Java specifically, we talked about that in a previous post.

Worm:Win32/Dorkbot can also infect removable drives, by creating an autorun.inf file that points to a copy of the worm. If you have Autorun enabled in your computer, Dorkbot automatically runs whenever the removable drive is accessed. Fortunately, this distribution method is not very effective anymore as explained in a previous blog post. Please keep your Windows up-to-date to deal with this infection vector.

Conclusion

As we previously mentioned, malware these days use a variety of ways to infect computers and Dorkbot is no exception. And its access to a C&C server allows for a certain level of dynamic behavior. Because of this, we advise users to be more vigilant against all the different channels that Dorkbot uses.

And finally, always make sure your definitions are up-to-date for your antivirus solution. If you don’t have one and you’re running Windows XP, Vista, or 7, you can download and install Microsoft Security Essentials for free. If you’re using Windows 8, make sure your antivirus program is enabled and running properly.

The following are the SHA1s of the samples that we’ve analyzed for this blog post:

  • Exploit:Java/CVE-2012-4681.HD – f624121d44b87369ba9ffa975db64fbb7bc395b3
  • Worm:Win32/Dorkbot spreading component – 11a2ddb73af46060802537dec0f8799e2a0dc13f
  • Worm:Win32/Dorkbot.A – 4176f4193b1ef64569bf0ab220113cce6074df4e
  • Worm:Win32/Dorkbot.I – 37c09e044ebe57eb66aa6c72cb039140b3b985f1

Horea Coroiu, MMPC Munich

An analysis of Dorkbot’s infection vectors (part 1)

November 14th, 2012 No comments

Malware nowadays benefits from the complexity of the Internet ecosystem to infect new computers through vectors such as browser plugins, social networks, and instant messaging programs.

In this two-parter series, we’ll look at Worm:Win32/Dorkbot, a prevalent worm with the capabilities of an IRC backdoor and a password stealer. Dorkbot relies both on social engineering attacks and on methods that don’t require human intervention, such as infected removable drives and drive-by downloads. This versatility has contributed to a spike in Dorkbot detections in the last year and a half: over 28 million detections of Dorkbot have been reported since we saw this malware family in April of 2011, as seen in Figure 1.

Figure 1: Number of Worm:Win32/Dorkbot detections since 2011 based on MAPS telemetry

Dorkbot uses IRC over SSL to communicate with its command-and-control (C&C) server. To find out what it’s transmitting to the remote attacker, we intercepted the SSL-encrypted traffic, as shown in Figure 2.

Figure 2: A machine infected with Dorkbot talking to the C&C server

Dorkbot hooks several Windows APIs related to network access to steal FTP and website login credentials. The network traffic capture in Figure 2 also shows Dorkbot stealing FTP credentials from Total Commander and login credentials for several websites: facebook.com, gmail.com and mail.yahoo.com. For a full list of the websites that are targeted, please see the Worm:Win32/Dorkbot description.

After it connects to an IRC channel, the worm is instructed to download its spamming component and additional malware, such as Worm:Win32/Gnoewin.A, Worm:Win32/Gnoewin.B, Trojan.Win32.Lethic.F, and Worm:Win32/Pushbot.gen.

This first post is about Dorkbot’s spreading vectors that require user interaction.

Spreading vectors requiring user interaction: Social engineering, IM programs, and social networks

Dorkbot relies on simple social engineering attacks to propagate with user interaction. Using its downloaded spamming component, it spams all the contacts on Windows Live Messenger and Skype with an enticing message, designed to trick them into downloading and running a Dorkbot copy.

Figure 3: Dorkbot posting a goo.gl short URL in a Skype window; the URL leads to a copy of the Dorkbot worm

The spreading mechanism is as follows: Dorkbot downloads a separate spamming component, which in turn spams the user’s contacts with a link to the main Dorkbot executable. If the contact opens the link and executes Dorkbot, the spamming component is downloaded again, and the cycle continues as shown in Figure 4.

Figure 4: The relationship between the spamming component and the main executable

The attack is made more effective by the localization of the spammed message in over 24 languages (Figure 5). Dorkbot picks up the language depending on your Windows locale from one of: English, French, Portuguese, Spanish, Hungarian, Dutch, German, Swiss German, Albanian, Swedish, Turkish, Serbian, Polish, Italian, Norwegian, Czech, Russian, Slovakian, Danish, Thai, Mandarin, Indonesian, Vietnamese, and Filipino.

Figure 5: Localized messages are hardcoded in the resource section of the Dorkbot component

We checked a goo.gl short URL link out of the hundreds that have been spammed by Dorkbot. As of this writing, it’s been clicked about 100,000 times. The access pattern shows a spike for a short period of time, until the link is flagged as malicious by Google.

Figure 6: Statistics for a spammed link leading to Dorkbot

Another way that it spreads using social engineering is by posting arbitrary messages, such as links to malware, on the following social networks: Facebook, Twitter, VKontakte, Friendster and Bebo, whenever it is instructed by its C&C server.

In the case of Firefox, Dorkbot hooks the function PR_Write exported by nspr4.dll. This function gets called every time the browser writes data to a remote socket. To take the example of Facebook, when a user writes an instant message to another user, an HTTP POST request containing details about the message is sent to facebook.com. The HTTP request triggers a call to the PR_Write hook and Dorkbot has a chance to inject additional content into it, such as malware URLs (see Figure 7).

Figure 7: Dorkbot hijacking Facebook messages

To avoid getting infected through Dorkbot’s social engineering attacks be careful about the links you click on, even if they’re from a trusted source – if possible, verify with your contacts first that they actually did send you the link. If you’re using Internet Explorer 8 and newer, SmartScreen checks the URLs that you open to make sure they don’t lead to malware.

Next week, spreading vectors not requiring user interaction.

Horea Coroiu, MMPC Munich

Categories: Dorkbot, malware research Tags:

Don’t fall for Folstart

November 13th, 2012 No comments

We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders in thumb drives, we have a certain level of confidence that the folder isn’t malicious or doesn’t contain malware. Unfortunately, this assumption is not always true. For the month of November, we added the Folstart family to the Microsoft Malicious Software Removal Tool (MSRT).

Folstart is a family of worms that copies itself using the same names as folders in your USB drives. In addition, it uses the folder icon to further its deception. Although this technique is not new, it still leads to infecting several thousand users mostly in the United States as shown in the graph below:

Figure 1: Distribution of Win32/Folstart

The following is the screenshot of a drive in which folders are set to hide known extension and not show hidden files, folders and drives. It seems to be a normal folder but is actually W32/Folstart. Executing this will lead to an infection.

Figure 2: Folstart sample named “new folder”

To avoid this scenario, it is a good practice to show hidden files and system files file extensions. To do this, in Windows Explorer, go to Organize >Folder and Search options and then click the View tab:

Figure 3: How to display hidden files and folders, and show file extensions

This way, your computer can reveal the real files that are actually there. Here’s the same folder as in Figure 2 with these settings enabled:

Figure 4: The same sample in Figure 2, with the file extension visible

For some users who prefer to hide files and extensions, there is an alternative – right-click on the file and check what’s written under “Type of file” in the General tab. Figure 5 shows a Folstart copy with the file type as an executable.

Figure 5: File type is .exe for a Folstart sample

A real folder type should be File folder:

Figure 6: File type is folder for a real folder

Most of the things we discussed were about preventing infection by Folstart. If you suspect that you were infected by Win32/Folstart we suggest running the MSRT. For more details about Win32/Folstart please visit our encyclopedia.

Francis, MMPC

Categories: Folstart, malware research, MSRT Tags:

All copy and paste makes Jack a bored boy

October 31st, 2012 No comments

We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as TrojanSpy:Win32/SSonce.C(the sample also has a message for antivirus researchers, asserting that our job is monotonous and boring.)

Other backdoors that originate from the same source code are currently detected as Backdoor:Win32/Bezigate.A and Backdoor:Win32/Talsab.C, and Backdoor:Win32/Nosrawec.C. What we are seeing here is rampant use of copy/paste in the code. Because of this, all these spying families share common features, such as: reverse-connection to an attacker’s server, plugins capable of file transfers, screen capture and anti-virus software disabling. Although the code is publicly available, there are some features, such as mouse/keyboard control, which are only available in private versions, as seen from the Facebook page of one of the authors.

A high number of version builds and obfuscator updates is characteristic of these types of threats, as the malware authors are constantly struggling to bypass our scanner’s detection.

So essentially, because antivirus researchers are doing their job well, malware authors have to copy/paste code over and over again. Well, we think that’s boring.

Mihai Calota
MMPC Munich

Categories: malware research Tags:

ELAM Is Black and White

October 11th, 2012 No comments

At the Virus Bulletin conference this year, there was a talk about the limitations and suggested enhancements for the Early Launch Anti-Malware (ELAM) environment. The main observation, complaint if you will, was that there is no way for an anti-malware (AM) engine to perform a deep scan. However, there is a very good reason for why ELAM does not allow that: it is not meant to.

The purpose of ELAM is exactly to perform black- and/or white-listing of drivers until the full AM engine is loaded as part of the boot process. At that point, the full AM engine can take over and perform deep scanning of everything that loads after it, along with everything that loaded before it which the ELAM driver could not classify. The ELAM driver can make a list of the drivers which it did not recognise, and pass this to the full AM engine.

If for some reason any of those drivers can’t be found by the AM engine, then that alone is cause for suspicion, and the driver details can be added to the black-list for blocking on the next reboot.

The ELAM driver has a very restricted environment, in terms of memory and time. However, both of these restrictions exist for performance reasons. The small memory requirement means that only hashes can be used for classifying drivers, but this is fine because there are not that many drivers to classify. There was a question about polymorphic drivers, but this is largely irrelevant – the driver would need to be re-signed after modification, meaning that we could simply block the certificate that was used. A variation of this attack would involve using Return-Oriented Programming (ROP), where a clean driver is loaded for no purpose except to cause a sufficient number of “gadgets” to be present in memory for a second driver to use. This second driver would not be malicious as such, but by constructing a chain of gadgets, it would be possible to create a block of code which can perform malicious actions. However, again, this would appear no different from the polymorphic case, since the second driver would need to re-sign itself after creating the list of gadget offsets in the clean driver.

The small time requirement forces the ELAM driver to perform only a hash-based classification, but this is the only form of scanning that is viable at that point anyway. The time restriction is intended to take away the temptation to construct a virtual file system in order to access the file image manually.

So there you have it. ELAM is not intended for deep scanning, and any suggestion that it should be enhanced in such a way that it can be simply misses the point.

Read more about ELAM here.

– Peter Ferrie

Categories: conference, malware research Tags:

Obfuscating, bifurcating, escalating and mitigating on 64-bit

July 13th, 2012 No comments

With the growth in adoption of 64-bit architectures and associated operating systems, we’re seeing the usual malicious suspects following the trend. We have seen variants of several families, including Alureon, Koobface, Sirefef and Ursnif targeting this platform. These families adopt various techniques to prevent their detection and removal, one of which is obfuscation.

Let’s take a look at Ursnif, a family of malware which has been active as far back as 2006. The malware usually comes in the form of an executable which contains 2 DLL files stored as resources, one for 32 bit machines and one the for 64 bit. It loads the appropriate DLL depending on the architecture of the infected machine.

The 64 bit version uses a similar type of obfuscation as the 32 bit version – there is the primary first layer which decrypts a second layer of obfuscated code. The second layer in turn decrypts and decompresses the malware binary.

The following is a code snippet of the first layer decrypter, which is quite straightforward, and decrypted a DWORD at a time:

obfus1_layer1.png

The second layer decrypter has the same type of decryption but is a little different in that it attempts to brute force the decryption key by trying various pseudo-random values first. Below is a code snippet from the second layer decryption:

obfus1_layer2.png

The obfuscator also contains code from a publicly available compression library known as APLIB to reduce the size of the malware binary.

In the last week we have noticed Ursnif binaries using a different obfuscator, which makes use of anti-emulation techniques to thwart detection. An example of this technique which has seen extensive use in malware is to perform an API call and check results against known behaviour.

The obfuscator calls two API’s from the “ndtll.dll” system library. The first is “NtContinue“:

obfus2_api1.png

followed by “NtCreatePagingFile“:

obfus2_api2.png

The return value from both functions are subtracted from each other and compared with a preset. If the result is not expected then the malware does not continue to execute.

These types of techniques are not new, several obfuscators have used multiple layers of encryption and compression as well as a variety anti-emulation techniques on 32-bit platforms. But an increased use in 64-bit code by malware means having to ensure proper support of the architecture in order to combat them.

Ray Roberts
MMPC Melbourne

Categories: 64-bit code, malware research Tags: