Archive for the ‘Win32/Cridex’ Category

Fake Seattle traffic ticket notification leads to malware

January 20th, 2012 No comments

Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home — specifically, Seattle Washington. They’re seeing spam mail circulating that claims to be from Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form:

Fake Seattle traffic ticket spam

Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” changes among iterations of the spam. It’s interesting to note that the “Date of Offense” is in European format (DD/MM/YYYY), which is a strange deviation from the date format used in most of the U.S. (MM/DD/YYYY). So far, we’ve seen the hyperlink point to several recently registered domains.

If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in the Ukraine at IP This Ukrainian site contains an obfuscated JavaScript that attempts to exploit an issue in MDAC (Microsoft Security Bulletin MS06-014) that was mitigated by a Windows security update in 2006.

If the exploit is successful, it will download and execute a file named “info.exe” from the domain “”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once the malware is running, it tries to connect to “” (IP, registered January 11, 2012) using SSL. The malware is able to update itself through communicating with the server. At present, this host is serving the exact same file as the malware running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).

We started seeing reports of this file earlier today, although we were not previously aware of the distribution vehicle until the City of Seattle alerted us about the spam. It’s also interesting to note that the domain was registered only a few days ago, so this is a new spam campaign.

While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and altering the hosts that it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.

The best way to remain protected against this type of attack is to:

• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages

Also, note that neither the Seattle Police Department nor Department of Motor Vehicles (DMV) sends tickets by email — only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link:

— Tareq Saade, Microsoft Security Response Center 

Categories: phishing, Seattle, Win32/Cridex Tags:

MSRT November ’11: Carberp

November 8th, 2011 No comments

We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool – Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp.

The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to a full-fledged banking trojan and user-mode rootkit with the ability to load malicious plugins on-the-fly. One distribution method of Win32/Carberp is through drive-by downloads, which can occur when users visit compromised websites or follow spammed links to the malicious webpage. Some of these websites host exploit kits, like JS/Blacole, to install Win32/Carberp in the background on vulnerable computers.

Upon installation, there is no registry data added; however an executable is copied into the Windows startup folder so that it will run when the user logs on to system. The malware file name can appear legitimate (e.g. ‘igfxtray.exe’). However, Win32/Carberp chooses to go one step further, by hiding the executable using its user-mode rootkit code, which hooks ZwQueryDirectoryFile.

The hooking method Win32/Carberp used is not that obvious, because it replaces the pointer to ‘SharedUserData!SystemCallStub’ instead of placing a ‘jmp’ instruction. Under Windows XP SP3 32-bit system, it would look like the following:

Figure 1 - Win32/Carberp replaces pointer
Figure 1 – Win32/Carberp replaces pointer
The bad pointer points to the address of the hooking function that hijacks the following information classes and remove the records for certain file names, e.g. igfxtray.exe:
Just like Win32/Cridex, Win32/Carberp injects the payload into the explorer.exe process and exits immediately to hide its presence. By hooking the native API ZwResumeThread, any process created by explorer.exe will be injected with the payload – the injected code can be duplicated into the sub-processes as well.
Aside from the rootkit component, another thing that makes Win32/Carberp interesting is its ability to download and run plugins from a remote server without dropping files to the local computer. The plugins are XOR-encrypted during the transfer process. There are three major plugins that are loaded within a newly created daemon process (e.g. svchost.exe):
  • passw.plug: password stealer
  • miniav.plug: removes competing malware
  • stopav.plug: stops and removes antivirus or security components

Please refer to our Win32/Carberp family description for specific details about the plugins, which are additional to its main functionality – stealing banking credentials.

The command and control (C&C) server can push configuration data that contains a list of targeted online banking sites, and code to inject into HTML pages that are returned to the victim’s web browser. This method is known as Man-in-the-Browser (MitB); what you see in the browser is not what is actually returned from the website. Though the configuration is encrypted, after decryption one of records appears as the following:

Figure 2: Decrypted script
Figure 2: Decrypted script
This record instructs Win32/Carberp to insert the specified code into the HTML returned by the online banking website, in this case "". The code is long, but it basically defines configuration and loads an external JavaScript to hijack your login session with the bank, which could lead to credential leaking or unauthorized fund transfers.
The green part in the below figure is a portion of what the online banking site returns, the red part is portion of the code that is inserted by the compromised web browser:
Figure 3: Illustration of code injected by Win32/Carberp
Figure 3: Illustration of code injected by Win32/Carberp
The configuration can be updated any time, which means the financial institutions targeted can change as well.
Bank on the MMPC when it comes to protecting your interests!
— Shawn Wang, MMPC