Archive for the ‘Win32/Winwebsec’ Category

Slick links linked to slinky Winwebsec

May 3rd, 2011

I received a spam email from a friend recently, after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time I decided to look further.

Message 1, about two weeks old, contained a simple URL displayed as ‘facebook.com/abunk.maralyn’. The hyperlink actually pointed to a different site, “medshealthtablets.net”, which had already been taken down when I tested it in our lab.

Message 2 contained another URL, again displayed as ‘facebook.com/abartha.leigha’; this time the hyperlink pointed to another site, “meds-atcheap.com”. As of April 27, the site was still alive, and appears to be a fake site for the purchase of drugs online:

Image 1 – fake pharma site

Message 3 arrived only a few days ago, and it too used the ‘facebook.com’ ruse. The message contained a single line of content, with a displayed link of ‘facebook.com/abeightol.jeremaine’ and an actual hyperlink of “borjborj.hpage.com”. I turned to a fellow researcher, Tim, to investigate. Below is a short summary of what he discovered.
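All three messages share the same tell: the anchor text shows a facebook.com address while the underlying href points somewhere else entirely. The script below is an added example (not code from the MMPC post) showing how a mail filter or analyst can pull every link out of an HTML body and flag anchors whose displayed domain disagrees with the real target. The sample message is constructed here for illustration; it reuses one of the domains named above and adds a legitimate link and a non-URL anchor to show which ones are not flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, anchor text)
        self._href = None      # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net cases in the post."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of_text(text):
    """If the anchor text looks like a URL or bare domain/path, return its host, else None."""
    m = re.match(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$", text.strip())
    return m.group(1) if m else None


def find_mismatched_links(html):
    """Return (displayed_host, actual_host, href) for anchors whose shown and real domains differ."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of_text(text)
        if shown is None:
            continue   # anchor text like "click here" gives nothing to compare
        actual = urlparse(href).hostname or ""
        if registered_domain(shown) != registered_domain(actual):
            findings.append((shown, actual, href))
    return findings


# Constructed sample mail body (not a real message): one spoofed link, one honest
# link to the displayed site, and one anchor whose text is not URL-like.
SAMPLE_MAIL = """<html><body>
<p>hey check this out <a href="http://meds-atcheap.com/x">facebook.com/abartha.leigha</a></p>
<p><a href="http://www.facebook.com/someone">facebook.com/someone</a></p>
<p><a href="http://example.com/">click here</a></p>
</body></html>"""

if __name__ == "__main__":
    for shown, actual, href in find_mismatched_links(SAMPLE_MAIL):
        print(f"displayed {shown!r} but links to {actual!r} ({href})")
```

Only anchors whose visible text is itself URL-like are compared, so ordinary “click here” links produce no noise; the one hit on the sample is the spoofed facebook.com link resolving to meds-atcheap.com.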

Visiting the URL installs a program with a file name of “pack.exe” (SHA1: 6286972A5DA540E058DD2AEDFC38B6061FF67F14). A quick search at VirusTotal – an online service that scans submitted malware samples using multiple security scanners – indicated no current detection by security vendors.

When I ran the program, a familiar interface popped up – it was the rogue Win32/Winwebsec:

Image 2 – Win32/WinWebsec rogue

And now, they want $99.95 for it:

Image 3 – purchase lure

After having a peek at the HTML code of the malicious website, we found that an exploit kit was actually being used to install rogues via a “drive-by-install” method. The kit is similar to the known “Zombie Infection Kit” and the “Siberia exploit kit”, and it includes the following exploitation methods:

Image 4 – CVE-2006-0003 – Microsoft Data Access Components (MDAC) Vulnerability

Image 5 – CVE-2010-0886 – Java Deployment Toolkit Vulnerability

Image 6 – CVE-2010-1885 – Microsoft Windows Help and Support Center Vulnerability

If these exploit methods look familiar, that’s because they are the very same exploits heavily used by the toolkits that distribute Zbot (aka Zeus). The rogue installed by the web page mentioned above is detected as Rogue:Win32/Winwebsec.

If you only draw one conclusion from our research, let it be “don’t click on suspicious links”.

–Tim Liu & Scott Wu, MMPC

Trojan downloader Chepvil on the UPSwing

March 26th, 2011

A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (previously Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.

Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.

The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, clearly indicating the vector – spam. At the time of writing, we had also received a few reports of other online email service account holders receiving this trojan via spam email.

Below is a chart indicating observed telemetry of this trojan over a short period of time:

Image 1 – Chepvil telemetry

Nearly all of the attached files are named “United Parcel Service document.zip”.

The most prevalent SHA1s for the .ZIP attachment are:
0610CE22DF47B3D9C69DC63387705FD666C7205A
151755454A9D443A8A60996F3F1DC4E0C68A9B5D
2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873

The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:
0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F
142E8B00AA24954F9A4AA2271B8A49C445B87587
DA65B7B277540B88918076949A28E8307AD7E41A
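A mail gateway or incident responder can check archive attachments against indicators like those listed above. The script below is an added example, not MMPC tooling: it hashes a ZIP attachment, unpacks it in memory, flags members that carry an executable extension or start with an “MZ” header, and compares both the archive hash and each executable member’s hash against the SHA1s quoted in this post. The sample archive it builds is constructed here (a stub “MZ” file, not a real program), so the logic can be exercised without touching an actual sample; the per-member size cap is an added safeguard against decompression bombs.

```python
import hashlib
import io
import zipfile

# Indicators quoted in the post above (ZIP attachment and the .EXE inside it).
CHEPVIL_ZIP_SHA1 = {
    "0610CE22DF47B3D9C69DC63387705FD666C7205A",
    "151755454A9D443A8A60996F3F1DC4E0C68A9B5D",
    "2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873",
}
CHEPVIL_EXE_SHA1 = {
    "0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F",
    "142E8B00AA24954F9A4AA2271B8A49C445B87587",
    "DA65B7B277540B88918076949A28E8307AD7E41A",
}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # refuse to inflate anything larger (bomb guard)


def sha1_hex(data):
    """Uppercase hex SHA1, matching the case the indicator lists use."""
    return hashlib.sha1(data).hexdigest().upper()


def triage_zip_attachment(name, data):
    """Inspect one attachment; returns a findings dict for the caller to act on."""
    findings = {
        "attachment": name,
        "sha1": sha1_hex(data),
        "known_bad": sha1_hex(data) in CHEPVIL_ZIP_SHA1,
        "executables": [],       # (member name, member SHA1)
        "skipped_large": [],
    }
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip"
        return findings
    for info in archive.infolist():
        if info.file_size > MAX_MEMBER_BYTES:
            findings["skipped_large"].append(info.filename)
            continue
        member = archive.read(info)
        looks_executable = (
            info.filename.lower().endswith(EXECUTABLE_EXTS) or member[:2] == b"MZ"
        )
        if looks_executable:
            member_sha1 = sha1_hex(member)
            findings["executables"].append((info.filename, member_sha1))
            if member_sha1 in CHEPVIL_EXE_SHA1:
                findings["known_bad"] = True
    return findings


def build_sample_zip(member_name, member_bytes):
    """Build an in-memory ZIP holding one member (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed stub: an "MZ" header followed by zeros, not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_ZIP = build_sample_zip("United Parcel Service document.exe", FAKE_PE)

if __name__ == "__main__":
    result = triage_zip_attachment("United Parcel Service document.zip", SAMPLE_ZIP)
    print(result)
```

The constructed sample is not in the indicator sets, so it reports `known_bad` as False but still lists the executable member; an attachment whose archive or member hash matches one of the quoted SHA1s would flip `known_bad` to True without needing the executable heuristic at all.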

Geographical data from our endpoint protection products shows a heavy focus on the United States:

Image 2 – Chepvil telemetry by geography

Below is one example of a spammed message containing the Chepvil trojan.

Image 3 – Sample of Chepvil trojan attachment

MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.

– Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan