Archive

Archive for the ‘MMPC’ Category

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016 . The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreatUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “knowndllsmstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

The malware builds the information describing the first patch

Figure 1: The malware builds the information describing the first patch

 

The highlighted "push 4" is patched to "push 0x40", meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Figure 2: The highlighted “push 4″ is patched to “push 0x40″, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndllsfgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:program filesWindows JournalTemplatesCpljnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016 . The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreatUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “knowndllsmstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

The malware builds the information describing the first patch

Figure 1: The malware builds the information describing the first patch

 

The highlighted "push 4" is patched to "push 0x40", meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Figure 2: The highlighted “push 4″ is patched to “push 0x40″, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndllsfgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:program filesWindows JournalTemplatesCpljnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015 No comments

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Increasing trend of macro downloaders from April 2014 to 2015

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Macro downloaders’ prevalence in affected countries

Figure 2: Macro downloaders’ prevalence in affected countries

 

Macro malware distribution heat map

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Macro downloader infection chain

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

 

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

                                                                  

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

Trust Center file block settings

Doing so blocks older Office versions from opening.

You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015 No comments

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Increasing trend of macro downloaders from April 2014 to 2015

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Macro downloaders’ prevalence in affected countries

Figure 2: Macro downloaders’ prevalence in affected countries

 

Macro malware distribution heat map

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Macro downloader infection chain

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

 

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

                                                                  

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

Trust Center file block settings

Doing so blocks older Office versions from opening.

You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015 No comments

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and the Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Simda.AT machine detections from October 2014 to March 2015

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Percentage of Simda.AT machine detections by country from February to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Simda.AT machine detections heat map from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript.  Compromised sites were used to redirect users' traffic to another website, named the "gate".  Figure 4 shows an example of an injected JavaScript which is detected as Trojan:JS/Redirector.  

This gate website is part of the exploit tool chain, which will redirect the browser to the exploit landing page. The "gate" in this Simda.AT example, is detected as Exploit:JS/Fiexp (aka  Fiesta Exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074.  More specific details related to the exploits can be found in the following CVEs: 

Compromised website with injected malicious JavaScript

Figure 4: Compromised website with injected malicious JavaScript

 

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Fiesta exploit kit in action

Figure 5: Fiesta exploit kit in action          

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%driversetchosts by updating the content and changing the file attributes to be read-only and hidden.  The specific changes are hard-coded into each binary, and can cause the victim machine's internet traffic to be routed according to the new instructions for targeted hosts. 

After applying the updates, the installer creates a new and empty file %SYSTEM32%driversetchosts.txt to further obfuscate the changes made to the system. The most recent samples are targeting network communication from the following URLs:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com) and a portion of recent Simda.AT samples connecting to Bing.com using the following URL pattern:  http://www.bing.com/chrome/report.html?<encoded string> 

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.

Software distribution and modules

Based on our research, we believe the primary monetization method for this is through a Pay-Per-Install (PPI) program in which the authors can be compensated for distributing and installing additional software packages or modules.  Over time, we have observed the following types of software to be distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using RDTSC instruction, the DGA creates a random, 15-19 character long string that's embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use as the key. Then unquote the query value and enumerate each byte and get the decrypted byte with the following python code snippet:

decrypted_string += chr(ord(cipher[i]) – ord(hostname[i % len(hostname)]))

The third, or 'update' request, requires an additional step to base64 decode the query string.

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and processes that are running that we suspect are used for anti-emulation updates for new samples.

The 'update' command is used when downloading modules or additional software packages.  Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different, 'module', or server.  When the module servers receives the request and then responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths. 

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred Anti-Malware Solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015 No comments

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and the Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Simda.AT machine detections from October 2014 to March 2015

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Percentage of Simda.AT machine detections by country from February to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Simda.AT machine detections heat map from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript.  Compromised sites were used to redirect users' traffic to another website, named the "gate".  Figure 4 shows an example of an injected JavaScript which is detected as Trojan:JS/Redirector.  

This gate website is part of the exploit tool chain, which will redirect the browser to the exploit landing page. The "gate" in this Simda.AT example, is detected as Exploit:JS/Fiexp (aka  Fiesta Exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074.  More specific details related to the exploits can be found in the following CVEs: 

Compromised website with injected malicious JavaScript

Figure 4: Compromised website with injected malicious JavaScript

 

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Fiesta exploit kit in action

Figure 5: Fiesta exploit kit in action          

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%driversetchosts by updating the content and changing the file attributes to be read-only and hidden.  The specific changes are hard-coded into each binary, and can cause the victim machine's internet traffic to be routed according to the new instructions for targeted hosts. 

After applying the updates, the installer creates a new and empty file %SYSTEM32%driversetchosts.txt to further obfuscate the changes made to the system. The most recent samples are targeting network communication from the following URLs:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com) and a portion of recent Simda.AT samples connecting to Bing.com using the following URL pattern:  http://www.bing.com/chrome/report.html?<encoded string> 

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.

Software distribution and modules

Based on our research, we believe the primary monetization method for this is through a Pay-Per-Install (PPI) program in which the authors can be compensated for distributing and installing additional software packages or modules.  Over time, we have observed the following types of software to be distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using RDTSC instruction, the DGA creates a random, 15-19 character long string that's embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use as the key. Then unquote the query value and enumerate each byte and get the decrypted byte with the following python code snippet:

decrypted_string += chr(ord(cipher[i]) – ord(hostname[i % len(hostname)]))

The third, or 'update' request, requires an additional step to base64 decode the query string.

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and processes that are running that we suspect are used for anti-emulation updates for new samples.

The 'update' command is used when downloading modules or additional software packages.  Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different, 'module', or server.  When the module servers receives the request and then responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths. 

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred Anti-Malware Solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Upatre update: infection chain and affected countries

March 12th, 2015 No comments

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the mostly affected countries.

A breakdown of the top 10 countries affected by the Upatre infections since January 2015

Figure 2: A breakdown of the countries mostly affected by the Upatre infections since January 2015

 

Detection rates for these countries is as follows:

A breakdown of the countries mostly affected by Upatre infections since January 2015

Figure 3: The data shows the United States having the most Upatre infection since January 2015

The data shows the United States having the most Upatre infection since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure and keep all software up to date.

 

Patrick Estavillo

MMPC

Upatre update: infection chain and affected countries

March 12th, 2015 No comments

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the mostly affected countries.

A breakdown of the top 10 countries affected by the Upatre infections since January 2015

Figure 2: A breakdown of the countries mostly affected by the Upatre infections since January 2015

 

Detection rates for these countries is as follows:

A breakdown of the countries mostly affected by Upatre infections since January 2015

Figure 3: The data shows the United States having the most Upatre infection since January 2015

The data shows the United States having the most Upatre infection since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure and keep all software up to date.

 

Patrick Estavillo

MMPC

Microsoft Malware Protection Center assists in disrupting Ramnit

February 25th, 2015 No comments

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

Infected machines in the last six months

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

Python implementation of DGA

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

  • Hook-Spy Module:

This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list.

When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server.

Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting.

For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer. 

The effect of Ramnit web-injection

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

    • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
    • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

    1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
    2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
    3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
    4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

The way Ramnit C&C servers are organized

Figure 4: A high-level flow of how Ramnit C&C servers operate

  • Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

  • Windows Firewall
  • Windows Update
  • Windows Defender
  • Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

  • FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

  • Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

  • VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

  • Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

The way Ramnit C&C servers are organized

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

Microsoft Malware Protection Center assists in disrupting Ramnit

February 25th, 2015 No comments

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

Infected machines in the last six months

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

Python implementation of DGA

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

  • Hook-Spy Module:

This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list.

When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server.

Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting.

For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer. 

The effect of Ramnit web-injection

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

    • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
    • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

    1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
    2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
    3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
    4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

The way Ramnit C&C servers are organized

Figure 4: A high-level flow of how Ramnit C&C servers operate

  • Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

  • Windows Firewall
  • Windows Update
  • Windows Defender
  • Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

  • FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

  • Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

  • VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

  • Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

The way Ramnit C&C servers are organized

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

MAPS in the cloud: How can it help your enterprise?

January 21st, 2015 No comments

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on derived logic from the account ecosystem data, and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references them with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

How the MAPS cloud protection and telemetry works from the endpoint and back

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real-time (for detection), or periodically (for health checks) to the Microsoft Malware Protection Center’s (MMPC) cloud service which includes:

  • Threat telemetry –  to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples, determine what to monitor and remediate
  • Heartbeat – to check the system's pulse to know if the antivirus application is still running, and if it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period

Figure 2: Percentage of protection MAPS can contribute over a six-month period

If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

 

Prerequisites 
Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:

With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

 

MMPC

MAPS in the cloud: How can it help your enterprise?

January 21st, 2015 No comments

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on derived logic from the account ecosystem data, and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references them with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

How the MAPS cloud protection and telemetry works from the endpoint and back

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real-time (for detection), or periodically (for health checks) to the Microsoft Malware Protection Center’s (MMPC) cloud service which includes:

  • Threat telemetry –  to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples, determine what to monitor and remediate
  • Heartbeat – to check the system's pulse to know if the antivirus application is still running, and if it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period

Figure 2: Percentage of protection MAPS can contribute over a six-month period

If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

 

Prerequisites 
Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:

With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

 

MMPC

We’ve got our eye on Eyestye

July 20th, 2012 No comments

Back in October 2011, we began to remove Eyestye variants using the Malicious Software Removal Tool (MSRT) in an effort to prevent the proliferation of this botnet. Today, we published a detailed MMPC Threat Report on this family. The report provides an in-depth analysis of how Win32/EyeStye works and the telemetry we have on its activity in 2011 and early 2012.

Win32/EyeStye is a family of trojans that attempt to steal sensitive data, such as logon credentials, from banking websites and other online properties. EyeStye does not spread on its own by default; instead, it is typically distributed using spam email messages and social engineering. In its effort to steal data, EyeStye lowers your browser’s security settings, making it possible to obtain online banking user names and passwords, credit card numbers, social security numbers, and other data. It then sends all its gathered information back to the operator.

The report examines the functionality of the bot: how it’s created, what it does to an infected computer, how it steals users’ data, and so on. It also discusses where this botnet has been the most prevalent, that is, what countries are most affected according to our data.

Download the report here. You can also read what our TWC friend Tim Rains has to say over here.

Happy reading!

-Jaime Wong

Categories: EyeStye, malware, MMPC, threat report Tags:

Facebook offers Microsoft Security Essentials as a security solution

May 4th, 2012 No comments

We’re very excited to announce that Microsoft has teamed up with Facebook to offer Windows users free malware protection with Microsoft Security Essentials. Since May 1st, Facebook users have had the choice of downloading and installing Microsoft Security Essentials as their security solution.

While there are numerous threats on the Internet, and while there are many things you can do to help prevent your computer from becoming infected, a cornerstone of protection is a strong anti-malware solution which offers real-time protection. Facebook is aware of this situation, which is why we think it’s great that they’re educating their users about available security solutions.

Microsoft Security Essentials, which is one of the solutions being offered, is free to download and use for all computers running genuine versions of Windows 7, Windows Vista, and Windows XP. More information about the Facebook initiative is here.

Don’t forget that the MMPC also has a Facebook page, where you can find out more about how we keep our users protected.

Keep safe online.

Jeff Williams

Principal Program Manager

The MMPC on Facebook and Twitter

July 12th, 2011 No comments

Late last week, the MMPC officially launched its Facebook page and its Twitter account.

From this Welcome page, you can read our latest blog posts, see our latest Twitter feeds, and find out what threats most affect your desktop. You can also download the latest Security Intelligence Report (SIR), which contains a wealth of information on the current threat landscape.

We have great plans ahead for our Facebook page – this launch is only the start! So Like us, Follow us, and stay tuned!

Ina Ragragio, MMPC

Categories: Facebook, Like, MMPC, Twitter Tags:

Newly updated MMPC whitepapers now available

July 8th, 2011 No comments

Would you like to know more about the MMPC, and how we protect computer users worldwide? We have released new versions of two whitepapers which describe how the MMPC operates, and provide an introduction to the antimalware technologies that the MMPC supports. The two new papers are:

You can also read the results of the extensive insight and intelligence that the MMPC has developed in our recently released Qakbot MMPC Threat Report and the brand new Security Intelligence Report Special Edition about the Rustock takedown.

— MMPC

Categories: MMPC, SIR, whitepapers, Win32/Qakbot Tags:

MMPC Threat Report: Cracking open Qakbot

May 27th, 2011 No comments

Today, we’re releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently-released Microsoft SIRv10 and our special report on Battling Botnets in late 2010.  This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself and also steal sensitive user data from infected machines.

In addition to some of the interesting traits of Qakbot, such as the areas of the world where it’s most prevalent and the types of computers it targets, we found one particular aspect to be quite interesting – where the Qakbot authors may have gotten some of their code.

We have long suspected that the Qakbot authors were taking code samples from the Internet and incorporating them into their malware as the family evolved. Recently, while reviewing some of the earliest samples of Qakbot, we found something interesting: NtIllusion debug strings.

Qakbot NTIllusion Strings


NtIllusion
is a rootkit that was first disclosed in an article within the underground security zine called Phrack in July of 2004. It includes functionality to hide processes, files, registry entries, and evidence of TCP/IP communication. It hooks several network communication APIs in order to steal POP3 and FTP passwords. This code still appears in Qakbot today.

You can read about this and more on Qakbot in our Threat Report:
http://go.microsoft.com/?linkid=9773832

 

Dan Kurc

Categories: botnets, MMPC, Qakbot, SIR v10 Tags:

Operation b107 – Rustock Botnet Takedown

March 18th, 2011 Comments off

Just over one year ago, Microsoft- with industry and academic partners- utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security).  Today, a similar action has had its legal seal opened allowing us to talk more openly about recent activities against the Win32/Rustock botnet.

Comparatively, Waledac was a much simpler- and smaller- botnet than Rustock.  It is, however, because of legal and technical lessons learned in that set of actions that we were able to take on the much larger challenge of Rustock- a botnet with an estimated infection count above one million computers and capable of sending billions of spam messages per day. Some statistics suggest that, at peaks, it represented as much as 80% of spam traffic and in excess of 2000 spam messages per second.

 

Our efforts here represent a partnership between Microsoft’s Digital Crimes Unit, the Microsoft Malware Protection Center and Trustworthy Computing. This was a multi-month effort which had its denouement yesterday with a coordinated seizure of command and control servers under court order from the U.S. District Court for the Western District of Washington carried out by the U.S. Marshals Service as well as authorities in the Netherlands.  Investigators are now inspecting the evidence captured in these seizures from five hosting centers in seven locations in order to, potentially, learn more about those responsible and their activities.

 

Efforts like this are not possible without collaboration with others.  For this effort, we worked with Pfizer—whose brands were infringed by fake-pharma spam coming from Rustock. We also worked with our colleagues at FireEye and the University of Washington.  All three provided valuable declarations to the court on the behaviors of Rustock and the specific dangers posed by this threat- dangers to public health in addition to those affecting the Internet. 

 

We are continuing our work with both CERTs and ISPs around the world to reach out to those whose computers are infected and help clean them of viruses. If you believe a computer under your care or that of a family member, friend or colleague may be infected, please make a concerted effort to clean it and get protected with a full antivirus product from a trusted provider.  More support information is available at http://support.microsoft.com/botnets. The announcement from Microsoft’s Digital Crimes Unit can be found on the Official Microsoft Blog and the Microsoft on the Issues blog.

 

 –Jeff Williams

My Sweet Valentine – the CIFS Browser Protocol Heap Corruption Vulnerability

February 17th, 2011 Comments off

On Valentine’s Day, an anonymous researcher announced a previously undisclosed SMB (Server Message Block) vulnerability affecting the CIFS (Common Internet File System) browser service. Along with the vulnerability, the researcher also posted Proof-of-Concept (PoC) exploit code showing exactly how to exploit the vulnerability, triggering a blue screen in kernel mode.

 

Considering the issue was disclosed without providing any time for remediation or a patch, we analyzed the vulnerability and immediately released edge-based protection (Vuln:Win/SMB.Browser.DoS!NIS-2011-0003) for our Forefront Threat Management Gateway customers.  Luckily, the PoC was not fully weaponized (that is, it was not designed to achieve remote code execution, just a denial of service) although it has been reported as being a remote code execution vulnerability.  Our colleagues at SRD have analyzed the vulnerability and drawn conclusions as to whether RCE is possible and under what circumstances.  Their blog has the details.

 

Let’s talk a little bit more about this vulnerability and the consequences of exploiting this issue.  As stated by the researcher who disclosed it, the vulnerability is inside an error-reporting function of the CIFS browser service module. The function gets a variable number of arguments as parameters. Those string arguments are pushed on the stack for processing. In some cases, some of the strings can be controlled by the attacker.

 

An attacker triggers the vulnerability by causing multiple string arrays to be concatenated. The target buffer to which the concatenated string arrays are pushed has a pre-allocated fixed size.  When the remaining target buffer length becomes 0, the string copy loop should exit, but it does not. The length is decremented by one more before the actual string copy instructions are executed, which is intended to reserve the string’s NULL termination. Suddenly, the length of the string to be copied becomes a huge number due to the integer underflow. The next string copy operation will attempt to copy an extremely large number of bytes from the source address to the target buffer, and then the overflow ensues.

 

Our conclusion is that the part of the string that the attacker can control will always end up inside the allocated buffer, and the part the attacker can’t control is in the part that overflows the buffer.  Also, it is not possible to control the length of data to overwrite, so that it’s always the same (and predictable) huge integer value.  As a result, we don’t (yet) see how RCE can happen.

 

In any case, our coverage was released late on Valentine’s Day right around the time most of you were (hopefully) enjoying your Valentine’s Day desserts.

 

– Matt (Jeong Wook) Oh and the MMPC Vulnerability Response Team

Fake Microsoft Security Essentials software on the loose. Don’t be fooled by it!

October 25th, 2010 No comments

Last week, we saw the re-emergence of another new trojan that is disguising itself as Microsoft’s no-cost antimalware program Microsoft Security Essentials. This imposter is known in the technical world of antimalware combat as “Win32/FakePAV”. FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.

This fake software is distributed by a tactic commonly described as a “drive-by download” and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake Microsoft Security Essentials software reports it cannot clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.

Before we get to the detailed view of how this trojan works, we want the message to be very clear: This software is a fake. Do not be fooled by this scam. This malware can potentially cause consumers and small business owners harm. Microsoft Security Essentials can be downloaded and used at no cost by users running genuine Windows (Download here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly up to no good.

If you have not already updated your security software please do so. Making sure your security software is up-to-date and has the latest definitions is the best way to prevent infections.

And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here is how the current one imitating Microsoft Security Essentials works:

1. It modifies the system so that it runs when Windows starts

2. When you go to execute something it’s watching for, it opens the alert window claiming the program is infected and blocks it from running.

3. You can expand it out for “additional details”

4. If you click “Clean computer” or “Apply actions”, it simulates an attempt to clean the claimed infection

5. You’ll then get an ‘unable to clean’ alert and be instructed to click ‘Scan Online’

6. Clicking this, a list of antimalware programs appears, including several fake removal tools, and you’d need to click Start Scan

7. Once the simulated scan completes, it will claim a solution was found and list products that can ‘clean’ the system (the listed products are fake removal tools).

8. Clicking ‘Free install’ on one of those downloads will download its installer and start installing

If you believe your machine has become infected, we encourage you to use Microsoft Security Essentials to check your PC for malware and to help remove them from your system. You can also find out how to get virus-related assistance at no charge from Microsoft here: http://www.microsoft.com/protect/support/default.mspx.

For more information on this FakePAV please visit our encyclopedia entry at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakePAV. It contains a lot of information that may help answer questions about this rogue.

And remember: Microsoft does not charge for Microsoft Security Essentials. You can find the legitimate version of Microsoft Security Essentials at http://www.microsoft.com/security_essentials.