Archive for the ‘Malicious Software Removal Tool’ Category

MSRT March 2016 – Vonteera

March 9th, 2016 No comments

As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.

BrowserModifier:Win32/Vonteera

We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera began adding legitimate certificates belonging to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows to distrust those legitimate products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back, and you still might not be able to run your security software.

Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Help! Someone is holding my computer hostage

March 18th, 2014 No comments

If you see a pop-up window, webpage, or email message warning you that your computer has been locked because of possible illegal activities, you might be a victim of a criminal extortion scam called ransomware.

Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI).

The aim of ransomware is to prevent you from using your computer until you pay a fee (the “ransom”). If you get an email message or a warning like this, do not follow the payment instructions. If you pay the ransom, the criminals probably won’t unlock your computer and might even install more viruses or steal your personal and financial information.

Example of ransomware

What to do if you think you’ve been a victim of ransomware

If you’ve already paid the scammers, you should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

To detect and remove ransomware and other malicious software that might be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products can detect and remove this threat:

More information about how to prevent and get rid of ransomware

Rotbrow: the Sefnit distributor

December 10th, 2013 No comments

This month’s addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months.

In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on the most prevalent component, which Geoff labelled the “Updater and Installer Service” in his blog, we found one file in particular stood out. We knew that this file was bundled with an installer for a harmless program called FileScout, but where did the FileScout installer come from?

Our telemetry showed us a pattern. The FileScout/Sefnit installer was not being downloaded directly from the web; it was usually written by a process called “BitGuard.exe”. We were quickly able to trace the individual file that was writing the installer on so many computers. It was the most prevalent sample of something that called itself “Browser Protector” (and sometimes “Browser Defender”). We had seen many versions of this before, but never any that exhibited behaviour that would warrant our detection. This sample was different – we knew it must have either carried the FileScout/Sefnit installer inside it, or it was downloading it from somewhere else.

It took only minutes to identify which possibility was correct. Inside the file we found a resource called RT_BIN, whose content was not immediately significant, but whose size was 251,299 bytes – exactly the same as the FileScout/Sefnit installer.

Apparently the resource was encrypted. We could see that “Browser Protector” contained the same RC4 decryption code we’d seen in Sefnit, and the decryption key was easy to locate inside the code (rather obviously it was “FilescoutEncryptionKey”), so we tried it out. Sure enough, the decrypted result matched the FileScout/Sefnit installer we expected. It was also easy to confirm that “Browser Protector” could write the decrypted file to the temporary folder with the file name setup_fsu_cid.exe, exactly as we had seen from our telemetry.

While we found that many variants of “Browser Protector” do not contain Sefnit, they are capable of updating to versions that do, so we added a generic detection under the name Win32/Rotbrow. To further stymie this avenue for Sefnit distribution, this month we add the Rotbrow family to MSRT.

SHA1s:

Sefnit updater and installer service: 942860bedf408cc4c6a1831ef3744a3f9e68b375
FileScout installer: c5758309136cd1e7e804d2003dc5ca27ae743ac3
Rotbrow: efe10525395591ca4fb6ec083f6f22c9e0db2d9d
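
Reproducing the analyst’s check described above, as an added example that is not part of the original post: plain RC4 with the key the post names, applied to a resource blob, followed by the size and SHA1 comparison against the FileScout installer listed under SHA1s. The blob here is a constructed stand-in; in practice it would be the RT_BIN resource extracted from the sample with a PE resource parser.

```python
import hashlib

# Values reported in the post: the RC4 key found in "Browser Protector", and the
# size and SHA1 of the FileScout/Sefnit installer the decrypted resource should match.
ROTBROW_RC4_KEY = b"FilescoutEncryptionKey"
FILESCOUT_INSTALLER_SIZE = 251299
FILESCOUT_INSTALLER_SHA1 = "c5758309136cd1e7e804d2003dc5ca27ae743ac3"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_rt_bin(resource: bytes, key: bytes = ROTBROW_RC4_KEY) -> bytes:
    """Decrypt an RT_BIN resource blob the way Rotbrow does before writing setup_fsu_cid.exe."""
    return rc4(key, resource)


def check_payload(data: bytes,
                  expected_size: int = FILESCOUT_INSTALLER_SIZE,
                  expected_sha1: str = FILESCOUT_INSTALLER_SHA1) -> dict:
    """The three things worth checking on the decrypted bytes: PE header, size, hash."""
    digest = hashlib.sha1(data).hexdigest()
    return {
        "is_pe": data[:2] == b"MZ",
        "size": len(data),
        "size_matches": len(data) == expected_size,
        "sha1": digest,
        "sha1_matches": digest == expected_sha1.lower(),
    }


def build_sample_resource() -> bytes:
    """Constructed stand-in for RT_BIN: a fake PE-looking payload encrypted with the key.
    It is deliberately not the real installer, so size and SHA1 will not match."""
    fake_installer = b"MZ" + b"\x90" * 62 + b"constructed FileScout stand-in, not the real installer"
    return rc4(ROTBROW_RC4_KEY, fake_installer)


if __name__ == "__main__":
    payload = decrypt_rt_bin(build_sample_resource())
    for name, value in check_payload(payload).items():
        print(f"{name}: {value}")
```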

3 ways to speed up your PC

October 15th, 2013 No comments

Here are three ways to speed up a sluggish computer.

1. Scan your computer for viruses

If your computer is slow or restarts often, it could be infected with a virus or other malicious software.

If you have Windows 8, you can use the built-in Windows Defender to help you get rid of a virus or other malware. If you have Windows 7, Windows Vista, or Windows XP, scan your computer with the Microsoft Safety Scanner. Or get help at the Virus and Security Solution Center.

For more information, see How to avoid and remove computer viruses.

2. Turn on automatic updating

One of the easiest things you can do to speed up your PC is to make sure that your operating system and software are kept up to date. Learn how to get security updates automatically.

Is your computer sluggish, or is it just your web browser? The newest version of Internet Explorer is Internet Explorer 10. It’s included with Windows 8, and you can download it for free for other versions of Windows. Learn more about security in Internet Explorer 10.

3. Upgrade your operating system

If you’re still using Windows XP, you could speed up your PC by upgrading to Windows 8 or Windows 7.

Support for Windows XP ends on April 8, 2014. You can get solutions to your Windows XP security issues now, but not for too much longer. If you’re still using Windows XP, you’re missing out on all kinds of security, productivity, and performance enhancements available in Windows 7 and Windows 8.

Find out what end of support for Windows XP means to you.

If your computer is still slow, you can try limiting how many programs run at start up, deleting software and files you don’t need, or following these additional tips to speed up your PC.

Get free or paid support for your malware problem

September 24th, 2013 No comments

Is your computer running slowly? Are programs starting unexpectedly? Is the activity light on your broadband or external modem constantly lit? Does it sound like your computer’s hard disk is continually working?

If you answered “yes” to any of these questions, your computer might be infected with malware.

Scan your PC for viruses

If you suspect that your computer has a virus, you can download the Microsoft Safety Scanner. The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software.

Download the Microsoft Safety Scanner

Get help from the Microsoft forums

If you’ve scanned your computer and you can’t get rid of the virus, you might be able to get free help from the Microsoft Community. Check out the Viruses and Malware forum.

Get help from a Microsoft Answer Tech for $99

If you want to pay for help, a Microsoft Answer Tech can help track down viruses, malware, and spyware.  

Chat with an Answer Tech now

Why does my AV software keep turning off?

July 25th, 2013 No comments

Bob writes:

My antivirus software keeps turning off and I can’t get it back on.

Here are the most common reasons you might encounter this problem:

Your computer is already infected with rogue security software

The warning that your antivirus software is turned off might be a fake alert, also known as “rogue security software.” This type of warning is designed to fool you into downloading malicious software or paying for antivirus software. Take our Real vs. Rogue quiz to see if you can identify the difference.

You have more than one antivirus program

Your antivirus software could turn off if you try to install another antivirus program. Running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

You might have a virus

Some viruses can disable your antivirus software or disable updates to your antivirus software. Viruses can also prevent you from going online to update or reinstall your antivirus software.

For troubleshooting help, see What to do if your antivirus software stops working.

MSRT August ’12 – What’s the buzz with Bafruz?

August 14th, 2012 No comments

For this month’s Microsoft Malicious Software Removal Tool (MSRT) release, we will include two families: Win32/Matsnu and Win32/Bafruz. Our focus for this blog will be Bafruz, which is a multi-component backdoor that creates a Peer-to-Peer (P2P) network of infected computers (using C&C, for instance), and includes a nasty list of payloads, as well as unique means of disabling security and antivirus products.

Win32/Bafruz contains components, which achieve a number of objectives for the attacker, such as hijacking Facebook and Vkontakte accounts, launching Distributed Denial of Service attacks, performing Bitcoin mining, downloading malware, and disabling security and antivirus products.

Let’s delve a bit further into its payload of disabling security and antivirus products. Upon first receiving this component, it simply appeared to terminate a long list of security processes listed in its code. It also displayed alerts in the system tray similar to those displayed by your run-of-the-mill rogue application, as shown below:

But unlike your common rogue, there is no mention of any sort of payment required in order to remove this threat. All it asks is for a reboot of the computer.

So, what happens when one chooses to interact with this alert and “Remove” this so called virus? This is where the true nature of this backdoor comes to light. Clicking on the “Remove” option causes the computer to reboot in safe mode (note: if the affected user does not click “Remove” and trigger a reboot, the backdoor will eventually force reboot). This gives Bafruz the opportunity to remove components of the installed antivirus product from the system, thus disabling it completely. So in fact, the list of security and antivirus processes listed in the Bafruz description is used by the backdoor to detect which product is installed, in order for it to remove its components, as well as display the following alert once the reboot is complete:

In our test environment, we had Microsoft Security Essentials (MSE) installed, which is why this alert is masquerading as a message from MSE. If we were running another security product in our environment, and it was contained within Bafruz’s list of targets (listed in the Win32/Bafruz family description), the alert would contain the name of that product instead. So this may lead the user into believing all is well with their security product, as it is now running in “Enhanced protection mode”, while in the meantime, Bafruz is downloading additional components and malware onto the computer in the background through its P2P network.

MMPC

Get advance notice about June security updates

June 7th, 2012 No comments

Today the Microsoft Security Response Center (MSRC) posted details about the June security updates. On Tuesday, June 12 at approximately 10 AM Pacific Time Microsoft will release 8 bulletins.

The easiest way to get the updates when they’re available is to turn on Windows automatic updating. For more information about how this works, see Understanding Windows automatic updating.

The Microsoft Security Bulletin Advance Notification Service offers details about security updates approximately three business days before they are released. We do this to allow customers (especially IT professionals) to plan for effective deployment of security updates.

Advance Notification includes information about:

  • The number of new security updates being released
  • The software affected
  • Severity levels of vulnerabilities
  • Information about any detection tools relevant to the updates

Dishigy dishes out the DDoS and we dig deeper…

May 25th, 2012 No comments

The May edition of the Microsoft Malicious Software Removal Tool saw the inclusion of two new malware families: Win32/Unruy and Win32/Dishigy. Let’s dig a bit deeper into Dishigy and the nature of Denial of Service.

So, bear with me while I take you back to security 101…

A Denial of Service (DoS) attack is a pretty straightforward concept – an attacker floods or otherwise sends malicious traffic to a targeted system in such a way that the targeted system is not able to respond to legitimate requests. Sometimes, particularly for flood attacks, a single system may not be able to generate enough traffic to flood a target by itself, and so multiple machines are used in order to more effectively ‘flood’ the target and make the attack more difficult to block. This is where we get the term Distributed Denial of Service (DDoS) attack – where the attack is distributed across multiple machines, and those machines are ordered to attack a single target and overwhelm it with their concerted requests.

So, why would an attacker want to stop a system from being able to respond to requests from legitimate users? It’s a fairly common behavior amongst malware, and, like the vast majority of malware created and distributed these days, you just have to ask yourself how criminals could use such nefarious practices to make a buck. In the case of Denial of Service conditions, they could be used, for example, for extortion (i.e. “Do what we want or the website gets it, see?“) or possibly for taking out the competition.

Where does Dishigy fit in? Dishigy traditionally targeted web servers. It uses HTTP requests to perform its denial of service payload against websites. While other types of network traffic might be subject to additional restrictions due to the threat it might pose, port 80 is often left mostly unchecked, enabling easy egress of web traffic. Dishigy is a distributed denial of service attack for hire and can be purchased from the seedier side of the internets to target websites of the purchaser’s choice. Now for the grim, technical details…

Win32/Dishigy is written in Delphi, and can be remotely instructed by an attacker to perform denial of service attacks on targets. The malware connects to a hard-coded remote host and sends an HTTP POST to obtain configuration data. The configuration data contains a set of three parameters separated by a token (delimiter) and is followed by a target URL, as shown in the image below:

Image 1 – Dishigy configuration data with target URL obscured

The first parameter defines the type of attack it uses; these can vary depending on what types are supported by each variant (for example, HTTP GET requests or HTTP POST requests).

The second parameter denotes the maximum number of threads (channels of execution) the malware should use in an attack; each thread sends several requests in a loop.

The third parameter is the frequency with which the malware should connect to the remote host to obtain updated configuration information. If, however, there is no target host available in the configuration data, the malware will connect back at the specified frequency but not perform any attacks.

The malware can be instructed to perform one of several types of attacks. The malware uses an open source TCP/IP Winsock library for Delphi called Synapse to construct the packets.

Early variants of Dishigy generated only HTTP GET requests against a target:

Image 2 – Use of HTTP GET request by Dishigy

The User-Agent field is randomly chosen from a large list contained in the malware, which makes the HTTP requests appear to originate from a variety of sources. Later variants added more functionality, including the ability to generate HTTP POST requests against a target:

The POST request includes a Referer field which is also randomly chosen from a list contained in the malware. Worth noting is that the POST data contains the URL for the targeted host only as opposed to a typical POST which could include form data and other bits.
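
The request pattern described above, with every request carrying a User-Agent and Referer picked from the bot’s built-in lists, gives a server-side detection hook. The following is an added example, not part of the original post, that flags clients in a web access log that issue many requests under many different User-Agent strings inside a short window; the log lines are constructed and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: client, identd, user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_flood_sources(lines, window_seconds=60, min_requests=20, min_user_agents=5):
    """Flag client IPs that, within any window_seconds span, sent at least min_requests
    under at least min_user_agents distinct User-Agent strings. A real browser keeps one
    User-Agent for a session; a Dishigy bot picks a new one from its list per request."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it is within window_seconds of recs[end]
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            agents = {r["ua"] for r in window}
            if len(window) >= min_requests and len(agents) >= min_user_agents:
                flagged[ip] = {
                    "requests": len(window),
                    "user_agents": len(agents),
                    "methods": sorted({r["method"] for r in window}),
                    "referers": len({r["referer"] for r in window}),
                }
                break
    return flagged


def build_sample_log():
    """Constructed log: one Dishigy-like client rotating User-Agents, and one ordinary
    browser that is just as busy but keeps a single User-Agent."""
    agents = [f"Mozilla/5.0 (constructed agent {n})" for n in range(8)]
    lines = []
    for n in range(30):  # 30 requests in about 10 seconds, new User-Agent each time
        sec = 10 + n // 3
        lines.append(
            f'203.0.113.7 - - [25/May/2012:09:00:{sec:02d} +0000] '
            f'"GET /index.php HTTP/1.1" 200 512 "-" "{agents[n % len(agents)]}"'
        )
    for n in range(25):  # 25 asset fetches in 5 seconds from one real browser
        sec = 10 + n // 5
        lines.append(
            f'198.51.100.5 - - [25/May/2012:09:00:{sec:02d} +0000] '
            f'"GET /img/{n}.png HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (constructed browser)"'
        )
    return lines


if __name__ == "__main__":
    for ip, stats in find_flood_sources(build_sample_log()).items():
        print(ip, stats)
```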

Dishigy’s addition to the Microsoft Windows Malicious Software Removal Tool this month makes the web a slightly better place. Dishigy’s success against a target relies on numbers, so taking out as many infections as possible that could contribute to a flood is key to making it ineffective. It is also highly resource intensive for the unfortunate victims who find their computers compromised by this menace, so removing it from victim computers should ease some pain for individuals whose computing experience has been affected by this threat. And maybe, most importantly, targeting Dishigy may help to stop criminals from deciding which websites you can and can’t visit.

– Ray Roberts
MMPC Melbourne

Free PC safety scan

March 22nd, 2012 No comments

Think your computer might have a virus? The Microsoft Security scanner is a free download that will scan your computer and help you remove viruses, spyware, and other malicious software.

Download Microsoft Safety Scanner

The scanner is not a replacement for antivirus software. It contains the latest anti-malware definitions, but it works with your antivirus software. The Microsoft Security scanner expires after 10 days, but you can download the newest version again for free. Antivirus software like Microsoft Security Essentials is also free, but provides real-time scanning and does not expire after 10 days.

Get more information about the Microsoft Security Scanner.

MSRT Nov’ 11: Cridex – the hex of Skidlo

November 10th, 2011 No comments

Earlier, we discussed Win32/Carberp, a malware family included in the November release of the Malicious Software Removal Tool. In this post, we discuss another included malware, Win32/Cridex. Win32/Cridex is a relatively new family; we discovered its first variant in the wild in August 2011. This trojan is primarily downloaded and installed by other malware, detected as TrojanDownloader:Win32/Skidlo.

Win32/Skidlo is commonly distributed as an attachment to spammed email, using various names such as “UPS_NOTIFICATION”, “Changelog”, “Invoice”, and “XEROX_SCAN”. The attachment uses the same old trick that also appears in many other spammed downloader trojans. The executable files are all in a .ZIP archive with a specially crafted file name format:

“%___Coll<0xE2><0x80><0xAE>cod.exe”

where “<0xE2><0x80><0xAE>” stands for three bytes, shown here in hexadecimal, that are the UTF-8 encoding of the invisible Unicode character ‘Right-To-Left Override’ (U+202E). This trick reverses the display order of the characters that follow it, so “123.456” is shown as “654.321”. When the zip file is opened by certain software, it may show as the following:


Figure 1 – Example file name of Win32/Skidlo, a trojan that downloads Win32/Cridex
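
An added example, not part of the original post, of the check a mail gateway or an analyst can run on archive member names: it flags the bidi override characters, approximates how the name is displayed, and compares the displayed extension with the one Windows will actually act on. The file name and the sample archive are constructed to mirror the pattern above.

```python
import io
import os
import zipfile

# Unicode bidi controls that change how the characters after them are displayed.
# U+202E (RIGHT-TO-LEFT OVERRIDE, the "<0xE2><0x80><0xAE>" bytes above) is the one Skidlo uses.
RLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
BIDI_TERMINATORS = {"\u202c", "\u2069"}  # PDF and PDI end an override/isolate


def has_bidi_control(name: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in name)


def rendered_name(name: str) -> str:
    """Approximate what a file manager shows: the text after an RLO is displayed
    reversed until a PDF/PDI or the end of the name. Other controls are treated as
    invisible without reordering (an approximation of the full bidi algorithm)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] not in BIDI_TERMINATORS:
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name: str) -> dict:
    """Compare the extension the OS will act on with the one the user sees."""
    shown = rendered_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "displayed_as": shown,
        "has_bidi_control": has_bidi_control(name),
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": has_bidi_control(name) or real_ext != shown_ext,
    }


def scan_zip(fileobj) -> list:
    """Return inspection results for every archive member whose name is suspicious."""
    with zipfile.ZipFile(fileobj) as zf:
        return [r for r in (inspect_filename(n) for n in zf.namelist()) if r["suspicious"]]


def build_sample_zip() -> io.BytesIO:
    """Constructed archive: one Skidlo-style member name and one ordinary document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("%___Coll" + RLO + "cod.exe", b"MZ constructed stand-in, not an executable")
        zf.writestr("Changelog.doc", b"constructed harmless document")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(f"{hit['displayed_as']!r} is really {hit['name']!r} ({hit['real_extension']})")
```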

The shown extension makes the malware appear as a valid Microsoft Word document instead of an executable. When run, Win32/Skidlo downloads Win32/Cridex to the local drive and executes it. Win32/Cridex then copies itself to the Application Data (%AppData%) folder, commonly under a misleading name and file icon, such as:


Figure 2 – Example file name of installed Win32/Cridex trojan

The trojan’s payload is injected into the “explorer.exe” process to hide its presence from process tools such as Windows Task Manager. The user-mode native API ZwResumeThread is hooked in every running process so that the trojan can copy its injected code into newly created processes. The registry is modified to run the trojan from the subkey “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”. These steps are typical and ensure the malware remains resident on the affected computer.

Win32/Cridex is a multi-purpose bot that is designed for nastiness, including downloading malware, uploading your files, stealing certificates and more. The most harmful of the payload code is the stealing of online banking credentials. As with other infamous banking trojans (Zbot, EyeStye, Carberp), Win32/Cridex monitors Internet traffic between remote servers and your web browsers (Internet Explorer and Firefox) and captures the credentials entered on certain sites.

Configuration data that contains a list of targeted websites is stored in the affected computer’s registry:

Figure 3 – Illustration of registry data storage listing targeted websites

Although most of the sites are related to online banking sites from around the world, some social networking sites are also targeted (for more details, see the Win32/Cridex family description). That means that hypothetically, your online friends could become exposed to the danger of spamming via your compromised account(s).

Regardless of whether SSL is used, Win32/Cridex hooks APIs in your web browser process to monitor and capture the cleartext packets before they are sent to the remote sites:


Figure 4 – Hex editor view of data captured by Win32/Cridex

To maximize the potential of capturing online credentials after Win32/Cridex is installed, the C&C can instruct the malware to delete stored web browser cookies. A symptom of this behavior could be a new prompt to enter your account login on sites where the option to “remember login” was set. The captured POST data is eventually uploaded to the C&C server, at which point your account is compromised.

Microsoft security products protect you from this and other online banking malware.

SHA1 of prevalent examples of this malware:
142bef5475927cc5f0b3d7200b61c00b5917a03e
fa3af04fc014cb88c654f6cd085e3424349035ba
4e7ec0ded41eb00d37cfaf72914462aa1b92efa2

— Shawn Wang, MMPC

MSRT November ’11: Carberp

November 8th, 2011 No comments

We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool – Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp.

The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to a full-fledged banking trojan and user-mode rootkit with the ability to load malicious plugins on-the-fly. One distribution method of Win32/Carberp is through drive-by downloads, which can occur when users visit compromised websites or follow spammed links to the malicious webpage. Some of these websites host exploit kits, like JS/Blacole, to install Win32/Carberp in the background on vulnerable computers.

Upon installation, there is no registry data added; however, an executable is copied into the Windows startup folder so that it runs when the user logs on to the system. The malware file name can appear legitimate (e.g. ‘igfxtray.exe’). However, Win32/Carberp goes one step further by hiding the executable using its user-mode rootkit code, which hooks ZwQueryDirectoryFile.

The hooking method Win32/Carberp uses is not that obvious, because it replaces the pointer at ‘SharedUserData!SystemCallStub’ instead of placing a ‘jmp’ instruction. On a 32-bit Windows XP SP3 system, it looks like the following:

Figure 1 – Win32/Carberp replaces pointer

The bad pointer points to the address of the hooking function, which intercepts the following information classes and removes the records for certain file names, e.g. igfxtray.exe:

  • FileDirectoryInformation
  • FileFullDirectoryInformation
  • FileBothDirectoryInformation

Just like Win32/Cridex, Win32/Carberp injects the payload into the explorer.exe process and exits immediately to hide its presence. By hooking the native API ZwResumeThread, any process created by explorer.exe will be injected with the payload – the injected code can be duplicated into the sub-processes as well.

Aside from the rootkit component, another thing that makes Win32/Carberp interesting is its ability to download and run plugins from a remote server without dropping files to the local computer. The plugins are XOR-encrypted during the transfer process. There are three major plugins that are loaded within a newly created daemon process (e.g. svchost.exe):
  • passw.plug: password stealer
  • miniav.plug: removes competing malware
  • stopav.plug: stops and removes antivirus or security components

Please refer to our Win32/Carberp family description for specific details about the plugins, which are additional to its main functionality – stealing banking credentials.

The command and control (C&C) server can push configuration data that contains a list of targeted online banking sites, and code to inject into HTML pages that are returned to the victim’s web browser. This method is known as Man-in-the-Browser (MitB); what you see in the browser is not what the website actually returned. Though the configuration is encrypted, after decryption one of the records appears as the following:

Figure 2: Decrypted script

This record instructs Win32/Carberp to insert the specified code into the HTML returned by the online banking website, in this case "sbi.sberbank.ru". The code is long, but it basically defines configuration and loads an external JavaScript to hijack your login session with the bank, which could lead to credential leaking or unauthorized fund transfers.

The green part in the figure below is a portion of what the online banking site returns; the red part is a portion of the code inserted by the compromised web browser:

Figure 3: Illustration of code injected by Win32/Carberp

The configuration can be updated at any time, which means the targeted financial institutions can change as well.

Bank on the MMPC when it comes to protecting your interests!

— Shawn Wang, MMPC

Update on the Zbot spot!

October 31st, 2011 No comments

Hello Internet!

I’m back to update you on our changes to Zbot in the Malicious Software Removal Tool (MSRT). We reviewed the data coming back from MSRT in September and incorporated the findings into October’s MSRT (and beyond), which means we are now in a position to provide additional information.

As I mentioned in the previous blog post, the purpose of our special Zbot September update was to glean an insight into the effectiveness of MSRT against this prolific threat. Couple that with a focus on the Zbot family and, suffice it to say, we’re pretty happy with our findings and results!

And now, onto the numbers!

Historically, and prior to the September 2011 release, MSRT consistently detected about 90% of PWS:Win32/Zbot variants in the wild. For the month of September 2011, we detected and removed PWS:Win32/Zbot from around 185,000 distinct Windows computers, a stark increase over the months beforehand, which we attribute to additional technology added to MSRT for just such an occasion.

For October so far, we’ve removed Zbot from over 88,000 computers and we expect that number to grow to around 100,000 – again, a very good result from MSRT, illustrated in the chart below that lists October 2011 MSRT data:

 

MSRT Family   Threat Reports   Machines Detected
Zbot          101385           88765

  

These increased numbers are also likely a result of new functionality we’ve seen in Zbot recently. It seems that some variants now automatically spread via the Windows autorun functionality; something that is very common with other prolific malware families, so it’s not very surprising we’re seeing it now – but it is surprising we hadn’t seen it before now. Regarding autorun, Microsoft released a security update in February of 2011 that changed its default behavior – the result was an overall decline in threats utilizing autorun as a spreading mechanism. There is a Microsoft Knowledge Base article that discusses how to disable autorun in Windows, here.
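To make the autorun point concrete, here is an added Python triage helper (not code from this post or from MSRT) that parses an autorun.inf taken from a removable drive, pulls out the keys that can launch an executable, and checks whether a given NoDriveTypeAutoRun policy value would still let Windows honour it. The autorun.inf content is constructed; the policy bit for removable drives (0x04) and the all-drives value 0xFF are stated in the code as assumptions.

```python
import configparser

# Assumed bit layout of the NoDriveTypeAutoRun policy value: each set bit disables
# autorun for one drive type. 0x04 is the removable-drive bit; 0xFF disables all types.
DRIVE_REMOVABLE = 0x04
DISABLE_ALL = 0xFF

# The keys in [autorun] that cause something to execute; icon/label/action do not.
ACTION_KEYS = ("open", "shellexecute")

# Constructed sample of the kind of autorun.inf a USB-spreading worm drops.
AUTORUN_INF = """[AutoRun]
open=setup\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shellexecute=setup\\update.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys; {} if there is no such section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v for k, v in cp.items(section)}
    return {}


def autorun_actions(entries):
    """Only the directives that launch a program."""
    return {k: entries[k] for k in ACTION_KEYS if k in entries}


def autorun_honoured(policy_value, drive_type_bit=DRIVE_REMOVABLE):
    """True if the policy value leaves autorun enabled for the given drive type."""
    return not (policy_value & drive_type_bit)


def triage(text, policy_value):
    """Classify an autorun.inf against a machine's policy value."""
    actions = autorun_actions(parse_autorun(text))
    if not actions:
        return {"verdict": "no-launch-directive", "actions": {}}
    if autorun_honoured(policy_value):
        return {"verdict": "would-launch", "actions": actions}
    return {"verdict": "blocked-by-policy", "actions": actions}


if __name__ == "__main__":
    # 0x91 here is just a constructed policy value that leaves removable drives enabled.
    print(triage(AUTORUN_INF, 0x91))
    print(triage(AUTORUN_INF, DISABLE_ALL))
```

A file that carries `open=` or `shellexecute=` pointing at an executable on the drive itself is the signature worth alerting on; the policy check is there so that the same helper can tell an analyst whether the host it came from would actually have run it.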

October 25th marked the tenth anniversary of the release of Windows XP. And what a difference a decade makes! Consumers should upgrade to the newest operating system version in order to take advantage of the enhanced security features of Windows 7, including AppLocker, User Account Control (UAC), Data Execution Prevention (DEP) and Structured Exception Handling Overwrite Protection (SEHOP). The recently released Microsoft Security Intelligence Report volume 11 shows that the latest 32-bit Windows 7 is six times less likely to become infected than the comparable Windows XP SP3.

And finally a reminder, MSRT isn’t a replacement for a full antivirus solution. You’re already infected when MSRT detects malware – using a security application with real-time protection can help prevent you from becoming infected in the first place.

  

Matt McCormack
MMPC Melbourne

MSRT October ’11: EyeStye

October 13th, 2011 No comments

This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison.

EyeStye (aka ‘SpyEye’) is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called “form grabbing” which involves the interception of webform data submitted to the host through the client’s browser. By intercepting this data, authentication information can be stolen, and web content presented to the user can be altered to the malware author’s preference. In one recent EyeStye variant (for example SHA1 e36287d81770d583679be28d9a229f8363ab4cde) we came across, we observed that the following browsers were targeted, indicating that the malware authors are leaving few stones unturned: Internet Explorer, Mozilla, Chrome and Opera.

The malware file contains obfuscated code, while the payload is injected into running processes. It also employs user-mode rootkit protection in an effort to prevent itself from being seen via Windows Explorer or the Command Prompt. This may be intended to make detection and remediation challenging for antivirus engines. As this bot is kit-based, the file names and mutexes it creates are variable, which makes identification (based on these factors) difficult.
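Form grabbing and the user-mode rootkit behaviour described above both rely on overwriting the first instructions of API functions inside the browser (or Explorer) process so that calls are detoured through the malware's code. The added Python example below (not this post's or MSRT's code) shows the usual detection check: decode the prologue bytes of a function and report whether they have been replaced by a branch that leaves the owning module's image. The module range, the function address and the prologue bytes are constructed fixtures; `make_jmp_rel32` exists only to build those fixtures.

```python
import struct


def make_jmp_rel32(at, target):
    """Encode a 5-byte `jmp rel32` placed at `at` that lands on `target` (fixture builder only)."""
    return b"\xE9" + struct.pack("<i", target - (at + 5))


def classify_prologue(addr, code):
    """Decode the first instruction of a function. Returns (kind, branch_target_or_None)."""
    # E9 rel32: relative jump, the most common inline-hook trampoline
    if len(code) >= 5 and code[0] == 0xE9:
        (rel,) = struct.unpack_from("<i", code, 1)
        return "jmp-rel32", (addr + 5 + rel) & 0xFFFFFFFF
    # 68 imm32 C3: push target / ret, used to avoid an obvious E9 byte
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        (imm,) = struct.unpack_from("<I", code, 1)
        return "push-ret", imm
    # FF 25 disp32: jmp [abs], target pointer lives in the referenced slot
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        (slot,) = struct.unpack_from("<I", code, 2)
        return "jmp-indirect", slot
    return "clean", None


def hook_verdict(addr, code, module):
    """(kind, target, verdict) for a function at `addr` whose owning module occupies `module` = (base, size)."""
    base, size = module
    kind, target = classify_prologue(addr, code)
    if kind == "clean":
        return kind, None, "clean"
    if base <= target < base + size:
        # Microsoft hot-patching and import thunks legitimately branch within the image.
        return kind, target, "branch-within-module"
    return kind, target, "hooked-outside-module"


# Constructed fixtures: a 1 MB module image, one exported function inside it,
# and the standard hot-patchable prologue `mov edi,edi; push ebp; mov ebp,esp`.
MODULE = (0x77E00000, 0x00100000)
FUNC_ADDR = 0x77E51230
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
# Constructed: the same function after a form grabber detoured it into injected memory.
HOOKED_PROLOGUE = make_jmp_rel32(FUNC_ADDR, 0x00A10000)


def scan(samples, module=MODULE):
    """Run the check over a {name: (addr, prologue_bytes)} map and return {name: verdict}."""
    return {name: hook_verdict(addr, code, module)[2] for name, (addr, code) in samples.items()}


if __name__ == "__main__":
    for name, v in scan({"clean": (FUNC_ADDR, CLEAN_PROLOGUE),
                         "hooked": (FUNC_ADDR, HOOKED_PROLOGUE)}).items():
        print(name, v)
```

On a live system the prologue bytes come from reading the target process's memory at each export of interest and the module range from its loaded-module list; the decoding and the in-image test are the same. Comparing the in-memory bytes against the on-disk copy of the DLL is the complementary check, since it also catches patches deeper than the first instruction.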

Towards the end of 2010, the release of EyeStye kit 1.3.X included a feature to avoid detection by Trusteer’s Rapport, a feature also offered by Zeus (Zbot). This release also removed a feature to kill Zeus if it was detected running on the affected machine, leading some to suggest that the two bots were being merged. However, by that time the Zeus code was already publicly available, which led us to believe that those rumors were speculative in nature. We continue to monitor both of these bots for evidence of such a merger.

As with much of the malware we see today, EyeStye is often spammed out to users or posted on open forums enticing users to click on a link, employing one of the increasingly common social engineering techniques. An example of such a spam post can be seen below. This spam was posted in an open BSD forum; clicking on the link leads to a download of a file named “VIEW_EVENT_DOC.PIF”, which we detect as Win32/EyeStye (SHA1 df8a8483515dd0db3494d796ede33fddb369df10).


 

For more information on this malware family, please refer to Win32/EyeStye.

 

— Jaime Wong, MMPC

The Zbot battle: Microsoft turns up the heat

February 10th, 2011 Comments off

Botnets are networks of compromised computers controlled by cybercriminals. Botnets can send out spam, spread malicious software, steal passwords, and more.

Zbot (also known as the “Zeus Botnet”) has been responsible for stealing passwords and other financial information from infected computers worldwide.

Today, Microsoft published a special edition of the Security Intelligence Report that details ongoing success in the battle against Zbot.

Download the Zbot Analysis paper.

For more detailed information on battling botnets, see the Featured Intelligence section of the Security Intelligence Report website.

Protect yourself against botnets

Protect your computer with Microsoft Security Essentials Software

Microsoft Security Essentials is the no-cost, high-quality service that helps protect against botnets and other malicious software.

If you think your computer is already infected by a botnet, try the following: