Archive for the ‘Win32/Dofoil’ Category

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

 

The bothersome Bedep

Win32/Bedep was first detected on November 25, 2014, as a malware family made up of DLLs that have been distributed by the Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

All of the above malware families have these in common: they steal your personal information and send it to the hacker, watch what you do online, drop other malware onto your PC, and update it too.

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

 

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

 

The exploit shellcode from the Angler Exploit Kit sometimes loads Bedep directly into memory, without it ever being written to disk. At other times, however, it is written to disk.

It can be installed either as a 32-bit DLL (Backdoor:Win32/Bedep.A) or as a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful when clicking through User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%\<{CLSID}>\<filename>.dll

Example path and file name: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32

Example: HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Sets value: "ThreadingModel"

With data: "Apartment"

Sets value: "" (the key’s default value)

With data: %Bedep Filename%

Example: "C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"

In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%

Example: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: "DriveMask"

With data: dword:ffffffff
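As an added example (not code from the MMPC post), the following PowerShell script audits the current user’s hive for the persistence pattern just described: a per-user CLSID whose InprocServer32 default value points into %ProgramData%\{GUID}\<name>.dll, paired with a Drive\ShellEx\FolderExtensions entry for the same CLSID with DriveMask = 0xffffffff. It assumes that per-user COM and shell-extension registrations live under HKCU:\Software\Classes, which is where Windows stores them.

```powershell
# Added example, not code from the MMPC post. Looks for the Bedep-style persistence
# described above: HKCU CLSID -> InprocServer32 -> %ProgramData%\{GUID}\<name>.dll,
# plus a Drive\ShellEx\FolderExtensions entry with DriveMask = 0xffffffff.
# Assumption: per-user COM/shell-extension keys live under HKCU:\Software\Classes.
$ClsidRoot = 'HKCU:\Software\Classes\CLSID'
$ExtRoot   = 'HKCU:\Software\Classes\Drive\ShellEx\FolderExtensions'
# Regex for <ProgramData>\{GUID}\<file>.dll; -match is case-insensitive by default.
$DllPattern = '^' + [regex]::Escape($env:ProgramData) + '\\\{[0-9A-F-]{36}\}\\[^\\]+\.dll$'

function Get-SuspiciousInprocServers {
    # One object per CLSID whose (default) InprocServer32 value matches $DllPattern.
    if (-not (Test-Path $ClsidRoot)) { return }
    foreach ($key in Get-ChildItem $ClsidRoot -ErrorAction SilentlyContinue) {
        $inproc = "$ClsidRoot\$($key.PSChildName)\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $props = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
        $dll   = $props.'(default)'
        if ($dll -and $dll -match $DllPattern) {
            [pscustomobject]@{
                Clsid          = $key.PSChildName
                Dll            = $dll
                ThreadingModel = $props.ThreadingModel
                DllOnDisk      = Test-Path -LiteralPath $dll   # false when the DLL was never written
            }
        }
    }
}

function Get-FullMaskDriveExtensions {
    # CLSIDs registered as Drive shell extensions with DriveMask = 0xffffffff.
    # Get-ItemProperty returns REG_DWORD 0xffffffff as the Int32 value -1.
    if (-not (Test-Path $ExtRoot)) { return }
    foreach ($key in Get-ChildItem $ExtRoot -ErrorAction SilentlyContinue) {
        $mask = (Get-ItemProperty -Path "$ExtRoot\$($key.PSChildName)").DriveMask
        if ($mask -eq -1) { $key.PSChildName }
    }
}

$servers   = @(Get-SuspiciousInprocServers)
$extClsids = @(Get-FullMaskDriveExtensions)
if (-not $servers) { 'No Bedep-style InprocServer32 entries found under HKCU.' }
foreach ($s in $servers) {
    # A CLSID that is also wired in as a Drive shell extension matches the full pattern.
    $s | Add-Member -NotePropertyName RegisteredAsDriveExt `
                    -NotePropertyValue ($extClsids -contains $s.Clsid) -PassThru
}
```

A hit with RegisteredAsDriveExt set to true reproduces both registry artifacts the post lists; confirm with a scan before removing anything, since legitimate per-user COM servers can also live under ProgramData.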

 

For details about various Bedep variants, see the following malware encyclopedia entries:

 

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Jonathan San Jose

MMPC


MSRT June ’12 – cleanup on aisle one

June 12th, 2012

In the June ’12 installment of the Microsoft Malicious Software Removal Tool (MSRT), we take on two threat families – Win32/Kuluoz and Win32/Cleaman. This post includes information about Kuluoz as we’ll discuss Cleaman later this month.

Win32/Kuluoz is a multi-component trojan family that attempts to steal passwords stored in certain applications, as well as sensitive files from your computer. The trojan implements a downloader component that we observed being distributed via spam email as an attachment.

As is common with trojans, Kuluoz is known to use a file icon that comes from a popular application. In this case, it is a PDF document, and is installed into the Application Data subfolder, such as this:

Image 1 – View of Win32/Kuluoz stored on an infected computer

As for technique, Kuluoz doesn’t innovate – it injects its payload into legitimate Windows executables like “svchost.exe”. It is able to load modules that extend its abilities to perform additional payloads, including FTP password-theft and data file stealing, similar to other families of trojans, such as Win32/Dofoil, which we included in MSRT previously.

One thing we should mention is that the downloader component of Kuluoz also sends requests to some legitimate websites, using patterns similar to those of its C&C communication:

Image 2 – Legitimate domains mixed with malware domains as requested by Kuluoz

As visible in the above image, some of the domains requested by the malware are known ‘good’ domains, such as bing.com, twitter.com and google.com, and these requests result in a page-not-found error. It appears that the malware performs this technique to confuse the human eye when reviewing access logs.

For additional details, please look into our Win32/Kuluoz family description.

— MMPC

MSRT November: Dofoil

November 22nd, 2011

As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially decrypted Dofoil configuration shown below:

Figure 1. Partially decrypted Dofoil configuration

The current generation of Dofoil can be purchased on illicit online marketplaces. Prices are advertised in US dollar equivalent WebMoney values. Depending on the version purchased, the price ranges between 150-250 $US for the main malware component. The cost for plugins ranges from an additional 25-150 $US. One example plugin is a password stealing component which targets many FTP, IM, poker and email clients.

Whilst often seen as an attachment as part of a spam campaign, the MMPC has observed Win32/Dofoil distributed and installed via other mechanisms such as by exploit. In the wild Win32/Dofoil variants are employed to download rogue security software such as Trojan:Win32/FakeSysdef and spam capable malware such as Trojan:Win32/Danmec.L.

Among observed spam campaigns, here is a small selection of spam lures employed during the last two months:

IRS

From: pay.damages@irs.gov
Subject: IRS Notification

Tax notice,

There are arrears reckoned on your account over a period of 2010-2011 year.
You will find all calculations according to your financial debt, enclosed.
You have to sick the debt by the 17 December 2011.

Sincerely,
IRS.

 

————————

iTunes

From: account.sn.5890@itunes.apple.com
Subject: Your iTunes Gift Certificate

Hello,

You have received an Itunes Gift Certificate in the amount of $50
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50 will be credited to your account.
So you can start buying video, music, games right away.

iTunes Store.

 

————————

Xerox

Subject: Fwd: Scan from a Xerox W. Pro #16389356

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 4
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: RXX135OO6MSX6732224

 

————————
 
German

From: “Deutsche Post” (service@deutschepost.de)
Subject: Pick up your postal item.

Dear customer,

Unfortunately our courier was unable to deliver a postal item to your address.
Reason: an error in the delivery address.
You can collect your postal item in person at our postal department.
Enclosed you will find a postage label.
You should have this postage label printed in order to receive your postal item at the postal department.

Thank you!
Deutsche Post AG.

————————

The Malicious Software Removal Tool reported variants of Win32/Dofoil on 13,488 unique machines this month. Forty-seven percent of these machines were running Windows XP, whilst approximately twenty-nine percent were running Windows 7. Looking at the geographic distribution of the machines which reported a Win32/Dofoil detection:

 

 Figure 2. Geographic distribution of machines reporting

Whilst most prevalent in the United States, the MMPC observed those attempting to distribute Win32/Dofoil employing localized lures targeting recipients in Germany, France, Italy and Australia.

 
As we begin to wrap up 2011, we give to you another monthly installment of the MSRT to wrap up another malware family.
 
Scott Molenkamp
MMPC Melbourne

 


MSRT November ’11: Carberp

November 8th, 2011

We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool – Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp.

The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to a full-fledged banking trojan and user-mode rootkit with the ability to load malicious plugins on-the-fly. One distribution method of Win32/Carberp is through drive-by downloads, which can occur when users visit compromised websites or follow spammed links to the malicious webpage. Some of these websites host exploit kits, like JS/Blacole, to install Win32/Carberp in the background on vulnerable computers.

Upon installation, no registry data is added; however, an executable is copied into the Windows startup folder so that it will run when the user logs on to the system. The malware file name can appear legitimate (e.g. ‘igfxtray.exe’). However, Win32/Carberp goes one step further by hiding the executable using its user-mode rootkit code, which hooks ZwQueryDirectoryFile.

The hooking method Win32/Carberp uses is not that obvious, because it replaces the pointer to ‘SharedUserData!SystemCallStub’ instead of placing a ‘jmp’ instruction. On a Windows XP SP3 32-bit system, it looks like the following:

 
Figure 1 – Win32/Carberp replaces pointer
 
The bad pointer points to the address of the hooking function, which hijacks the following information classes and removes the records for certain file names, e.g. igfxtray.exe:

  • FileDirectoryInformation
  • FileFullDirectoryInformation
  • FileBothDirectoryInformation

Just like Win32/Cridex, Win32/Carberp injects the payload into the explorer.exe process and exits immediately to hide its presence. By hooking the native API ZwResumeThread, any process created by explorer.exe will be injected with the payload – the injected code can be duplicated into the sub-processes as well.

Aside from the rootkit component, another thing that makes Win32/Carberp interesting is its ability to download and run plugins from a remote server without dropping files to the local computer. The plugins are XOR-encrypted during the transfer process. There are three major plugins that are loaded within a newly created daemon process (e.g. svchost.exe):

  • passw.plug: password stealer
  • miniav.plug: removes competing malware
  • stopav.plug: stops and removes antivirus or security components

Please refer to our Win32/Carberp family description for specific details about the plugins, which are additional to its main functionality – stealing banking credentials.

The command and control (C&C) server can push configuration data that contains a list of targeted online banking sites, and code to inject into HTML pages that are returned to the victim’s web browser. This method is known as Man-in-the-Browser (MitB): what you see in the browser is not what is actually returned from the website. Though the configuration is encrypted, after decryption one of the records appears as the following:

 
 
Figure 2: Decrypted script
 
This record instructs Win32/Carberp to insert the specified code into the HTML returned by the online banking website, in this case "sbi.sberbank.ru". The code is long, but it basically defines configuration and loads an external JavaScript to hijack your login session with the bank, which could lead to credential leaking or unauthorized fund transfers.
 
The green part in the figure below is a portion of what the online banking site returns; the red part is a portion of the code that is inserted by the compromised web browser:
 
Figure 3: Illustration of code injected by Win32/Carberp
 
The configuration can be updated any time, which means the financial institutions targeted can change as well.
 
Bank on the MMPC when it comes to protecting your interests!
 
 
— Shawn Wang, MMPC