Archive

Archive for the ‘Win32/Sality’ Category

Pramro and Sality – two PEs in a pod

February 21st, 2012 No comments

The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008.

There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramo. For example, let’s examine one of the encrypted files which is currently downloaded by a variant of Worm:Win32/Sality.AU from the host ‘baulaung.org’.  If we apply the key ‘GdiPlus.dll’ and a modified RC4 algorithm, the resultant output is a PE file. This file is detected as TrojanProxy:Win32/Pramro.F.

Image 1 - View of Pramro using a file viewer utility

Image 1 – View of Pramro using a file viewer utility


Examining this particular Win32/Pramro variant, we can see that it employs the same key and decryption algorithm as this Win32/Sality variant.

 Pramro decryption algorithm

Looking closely at some detection statistics from MSRT, we observe that variants of Win32/Pramro have been reported on 104,120 unique machines during the first week of release. The majority of the affected machines were running Windows XP (81.8%), followed by Windows 7 (12.9%). For the machines which reported a variant of Win32/Pramro, the prevalence distribution of all detection reported by MSRT is listed in the following table. As expected, the connection to Win32/Sality is supported by our data.

Table 1 - MSRT detection statistics

Table 1 – MSRT detection statistics


The geographical breakdown of machines which reported a Win32/Pramro variant appears as:

Table 2 - Geographic distribution of Pramro

Table 2 – Geographic distribution of Pramro

Interestingly, the top reported file MD5: 543b96731b80fc30a7583bd22cd0d567 / SHA1: 1B9E07EAAF512DA72850612AC6D41207D4340E3C was reported on 76,690 unique machines. This appears to be the most current variant of Win32/Pramro. It was first reported in the wild from our customers in the first week of January 2012 and the encrypted copy is still available at location(s) used by Win32/Sality. This suggests that MSRT was cleaning computers with an active Win32/Pramro infection.

Scott Molenkamp
MMPC, Melbourne

Categories: MSRT, Win32/Pramro, Win32/Sality Tags:

May MSRT by the numbers

June 9th, 2011 No comments

In May, we added Win32/Ramnit to the Microsoft Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged. As of May 20th, MSRT disinfected 52,549 computers from the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses out of the top 10 detected threat families.

Top 25 detections by MSRT, May 10 – May 20

Family Machine Count Note
Sality 202,351 Classic parasitic virus
Taterf 77,236 Worm
Rimecud 65,149 Worm
Vobfus 59,918 Worm
Alureon 58,884 Evolved parasitic virus
Parite 53,778 Evolved parasitic virus
Ramnit 52,549 Evolved parasitic virus
Brontok 50,392 Worm
Cycbot 50,209 Trojan
Conficker 49,173 Worm
Renocide 48,395 Worm
Bubnix 45,712 Trojan
FakeRean 40,695 Rogue
Zbot 40,087 Trojan
Bancos 39,452 Trojan
Frethog 33,100 Evolved parasitic virus
Banker 31,675 Trojan
Jeefo 22,396 Classic parasitic virus
Renos 21,858 Trojan
Lethic 21,521 Trojan
Cutwail 21,222 Trojan
Virut 20,963 Classic parasitic virus
Hamweq 17,102 Worm
FakeVimes 14,899 Rogue
Hupigon 14,553 Trojan

 

You may have noticed that Ramnit, like several of the other viruses mentioned in the above chart, is classified as an “evolved” virus – as described in Scott’s previous Ramnit post, one that combines earlier and later generations of malicious infection techniques.

Allow me to go ‘back to the book’ for the definition of a parasitic virus. A parasitic virus, or a file infector, is a type of ‘old school’ malware that attaches, modifies or resides in a host file on the file system. Due to its invasive spreading technique, one may wonder why malware are still in love with this old method, particularly when file infectors tend to leave the computer in an unstable state, slow and crashing often, while some even render the infected computer useless.

With today’s malware authors aiming to make profit from their victims, one would expect the malware authors are motivated to create stealth threats with the least overhead to the machine as to keep the windows of time open long enough to harvest data (or perform other payloads).

There are several possible explanations:

  • Malware authors know that anti-malware industry is targeting them; viruses can sometimes require more effort to detect and clean properly, possibly causing security companies to invest more resources in the remediation of the threat.
  • Current threats tend to have multiple components. For example, Ramnit authors wrote worm modules to help propagate via USB and network drives, using Autorun
  • While some file infector viruses such as Sality, Jeefo and Virut are traditional, many other file infectors are not.  For example Alureon and Cutwail will only infect system files or system drivers (e.g. “atapi.sys” or “agp440.sys”).  If a system file is infected and becomes hidden, the job of the file infecting component is done, while the other malicious components may continue to execute the payload.

Parasite viruses are not going away, they are still relevant and evolving.  Our newly published Microsoft Security Intelligence Report shows the steady presence of viruses as a threat category.

Detections by Threat Category

Image 1 – Detections by Threat Category

 

For more information about SIR, refer to http://www.microsoft.com/sir.

Special thanks to Patrick Nolan for his assistance in this post.

 

– Scott Wu, MMPC

Categories: MSRT, parasitic virus, SIR v10, Win32/FakeRean, Win32/Ramnit, Win32/Rimecud, Win32/Sality, Win32/Taterf, Win32/Vobfus Tags:

Win32/Renocide, the aftermath

March 16th, 2011 Comments off

On March 8th, we announced the release of our latest Malicious Software Removal Tool (MSRT), version that included detection and cleaning capabilities for a backdoor enabled worm we are calling Win32/Renocide. If you are not familiar with this threat, we recommend reading our encyclopedia entry here.

According to our telemetry, this new addition was among the top 5 detected threats (in the first week of release), both when when classified based on number of detected files and number of infected machines.

Rank Family Name Threat Count
1 Sality 248,250
2 Rimecud 209,208
3 Taterf 178,421
4 Renocide 167,826
5 Frethog 125,781
6 Bubnix 116,772
7 Vobfus 114,850
8 Conficker 88,636
9 Zbot 78,304
10 FakeSpypro 64,904

Chart 1 – Win32/Renocide, detected files

 

Rank Family Name Machine Count
1 Rimecud 200,267
2 Taterf 160,632
3 Sality 160,579
4 Renocide 123,413
5 Vobfus 107,866
6 Frethog 104,121
7 Bubnix 88,858
8 Conficker 82,192
9 Zbot 72,669
10 FakeSpypro 62,943

Chart 2 – Win32/Renocide, infected machines

The high tally of affected machines reflects Renocide’s relative age; the botnet has been around since 2008 and has slowly but steadily increased its prevalence. Our first detection dates back to the first half of 2008.

If you look at the ranking for machine count you’ll notice that the first 2 families are also worms. Rimecud is a backdoor-enabled worm (just like Renocide), while Taterf is an account stealer. Although only third when it comes to machine count ranking, Sality leads in the threat count ranking due to the fact that it is a file infector.

You can read more about all malware families present in this blog from our encyclopedia. We thank you for using MSRT.

Marian Radu,
MMPC Dublin

Categories: MSRT, Win32/Renocide, Win32/Rimecud, Win32/Sality, Win32/Taterf Tags: