MalwareDisasters is a division of MalwareIntelligence. It collects information on the behaviour of malicious code and offers the countermeasures needed to mitigate the malicious actions in question.

12.26.2009

Desktop Hijack by Internet Security 2010. Your System Is Infected!

A Desktop Hijack "hijacks" the desktop background: the image is changed and the setting is locked so that it cannot be restored. This is a clear indication that the system has fallen victim to malicious code, specifically a rogue, also known as scareware.

Internet Security 2010 is a rogue that performs this activity. It is distributed through a crimeware kit called Siberia Exploit Pack. Below is a screenshot of the Desktop Hijack.

When this malware infects a system it locks the desktop background settings and installs itself in the Program Files folder. The threat targets English-language Windows installations, so systems running Spanish versions are not affected. Below is a screenshot of the rogue's interface.

Every few seconds it deploys dissuasive actions designed to generate "fear" in the user through warnings about malicious activity supposedly caused by infections. Some of the warnings are:

The goal is that the user, looking for a solution to the alleged infections, ends up buying the full version of the "antivirus". In this instance the purchase is made through a web form from which the "product" is requested; in some cases real-time advice is even offered.

This modus operandi is common among rogues, including the "purchase form", which in many cases is even served over HTTPS. Internet Security 2010 is marketed at a cost of nearly USD 50, so if its spread is considered to be tied to a botnet, it is easy to deduce how much money criminals obtain through this type of activity.


Countermeasures
Terminate the processes named winupdate86.exe and IS2010.exe (you may also find the process winlogon86.exe).
NOTE: The malware can disable conventional access to cmd, the registry and the Task Manager, so to terminate the processes easily we recommend using Process Explorer.

Then access the system registry and delete the following entries:
Under HKLM\Software\Microsoft\Windows\CurrentVersion\Run delete the entry Internet Security 2010.
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run delete the entry winupdate86.exe.
Under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Userinit value that points to C:\WINDOWS\system32\winlogon86.exe back to C:\WINDOWS\system32\userinit.exe.

Unregister the DLL named winhelper86.dll.
NOTE: To do this, go to Start/Run, open cmd and type regsvr32 /u [dll name].

Delete the folder InternetSecurity2010 located in C:\Program Files, and the files 41.exe (this number may vary; files with other numeric names such as 5705.exe, 28145.exe, etc. have been found), winhelper86.dll, winlogon86.exe and winupdate86.exe found in C:\WINDOWS\system32\.

Also remove the shortcut named Internet Security 2010 on the Desktop and reboot the machine.

Install and run an updated antivirus.

Malware Disasters Team

12.15.2009

LockScreen. Your computer is infected by Spyware!!!

LockScreen is a trojan designed to block access to the operating system, using fear as its primary resource.

First, when activated it displays a warning about an alleged spyware infection, urging the user to buy an antispyware product that is really more malicious code. It also states that "if the spyware is not removed from the system within three hours, it will be formatted".

Thus the victim of this malicious code is pushed either to take extreme measures to regain access to the operating system or to accept the purchase of a fake solution in order to obtain the unlock key.

This activity is typical of ransomware, which "kidnaps" the operating system or part of it, although usually through more complex processes that involve some encryption algorithm and a "payment" (usually money) to obtain the unlock key.

Although the malware is not complex, it currently has a low detection rate, being detected by only 11 of 41 antivirus engines, as shown in the VirusTotal report.

Technical Data
MD5: f3a7d1054e79dda8e8a16901d95770e1
SHA1: c1887445b1fd5d89f61e638231d554c5bcff49ab
File size: 32768 bytes
Packer: -

Countermeasure
Restart the computer in Safe Mode (by pressing the F8 key during startup) and delete the file "benimserverim.exe" located in the Windows folder.

Then clean the system registry by removing the entry "benimAnahtar" from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

If you cannot restart the computer in Safe Mode, another alternative is to restart the computer and, the moment the desktop begins to appear, quickly press Ctrl + Alt + Del to open the Task Manager and end the process called "Project1".

Then delete the file "benimserverim.exe" in the WINDOWS folder and the registry entry "benimAnahtar" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Or... the password required to unlock the system is DosyaYolu.

Malware Disasters Team

12.14.2009

Waledac/Storm. Past and present of a threat

At the beginning of 2007 a malicious code emerged from the shadows to become a major news item because of its particular deception strategies and a large global infection campaign that is still a subject of research for the security community.

This is Storm, aka Nuwar or Zhelatin depending on the name assigned by each antivirus company, although it is known as "Storm", perhaps alluding to the way it ravaged systems, turning them into zombies and recruiting them under the command of the botnet.

At present the threat posed by Storm has not been set aside but has been transferred to its twin brother, Waledac, which keeps the essential characteristic of trying to innovate in the pretexts it needs to spread, and which has recently awakened after a period of hibernation.

Some features of this threat are:

Spreads through unsolicited e-mail (spam)
Uses different deception strategies (Social Engineering) for each propagation campaign
A link embedded in the message body leads to a site from which the malware is downloaded
Infected computers become part of a botnet
The infection cycle is completed by sending more spam
Fast-Flux networks
Polymorphic capabilities at the server level

During virtually all of 2007, Storm (whose first appearances used as a lure the promise of a video of a storm unleashed in Europe) used e-mail with varied subjects and topics as its means of propagation/infection, urging the user to click on a link embedded in the message body. In some cases the link led to a web page (some of which also tried to spread Storm by exploiting vulnerabilities through iframe tags), in others directly to the download of a binary; in both cases the result was Storm.

By the following year (2008), Storm added a "surprise effect": the link in the e-mail led to a web site that accompanied the excuse presented in the mail with an image alluding to the same theme, which, as in 2007, rotated with each major event (Valentine's Day, US Independence Day, Christmas, etc.). In addition, some variants spread through blogs.

After several months of inactivity in terms of propagation, in January of this year Waledac appeared, a trojan that uses the same mechanisms as Storm, and many security professionals began to note the similarity between them.

After several investigations it can be said that Waledac is, so to speak, the twin brother of Storm. It uses the same Social Engineering methodologies, with a broad portfolio of images and themes used as excuses to capture users' attention, ranging from the typical "love" images for Valentine's month, through alleged terrorist attacks, among others, to the recent lure of a YouTube video.

There are, among others, two very interesting features in both Waledac and Storm: the use of Fast-Flux networks and polymorphic capabilities on the server.

The first of these lets the threat spread across different IP addresses and different domain names that constantly rotate among each other in name resolution. As a result, after a certain preconfigured time to live (TTL), every x number of hops between nodes (infected computers) of the same domain, a different build of the malware is downloaded.

This leads to the second feature, polymorphism. Each time the TTL set for the package (malware) expires, an attempt is made to download a different version of the malicious code, so that it "changes" every certain amount of time (also predetermined by the attacker), giving it polymorphic capability.
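The fast-flux behaviour just described (short TTL, many addresses spread over different networks, answers that change from one lookup to the next) can be scored from repeated DNS lookups of one name. The following Python is an added example, not code from the original post; the lookup samples, the use of /16 prefixes as a stand-in for network diversity and the thresholds are assumptions made for illustration.

```python
from statistics import mean

# Constructed sequences of DNS lookups, (ttl_seconds, answer_ips), as a resolver
# would see them for one name over time. Addresses are RFC 5737 documentation ranges
# standing in for real infrastructure; the values are made up for the two patterns.
FLUX_LOOKUPS = [
    (180, ["192.0.2.10", "198.51.100.7", "203.0.113.45"]),
    (180, ["192.0.2.77", "198.51.100.90", "203.0.113.2"]),
    (240, ["192.0.2.130", "198.51.100.160", "203.0.113.201"]),
    (120, ["192.0.2.201", "198.51.100.33", "203.0.113.99"]),
]
STATIC_LOOKUPS = [
    (86400, ["192.0.2.10", "192.0.2.11"]),
    (86400, ["192.0.2.10", "192.0.2.11"]),
    (86400, ["192.0.2.10", "192.0.2.11"]),
]

# Thresholds chosen for this example (not from the post): a legitimate round-robin
# set rarely exceeds a handful of addresses in one network with a TTL of hours.
MAX_TTL, MIN_UNIQUE_IPS, MIN_NETWORKS, MIN_CHURN = 300, 6, 3, 0.5


def prefix16(ip):
    """Coarse 'network' bucket: the first two octets of an IPv4 address (assumption:
    a stand-in for an ASN lookup, which would need external data)."""
    return ".".join(ip.split(".")[:2])


def summarise(lookups):
    """Metrics implied by the post's description of fast-flux: TTL, number of
    distinct addresses, networks they span, and how often the answer set changes."""
    seen, changed = set(), 0
    for i, (_, ips) in enumerate(lookups):
        seen.update(ips)
        if i and set(ips) != set(lookups[i - 1][1]):
            changed += 1
    return {
        "lookups": len(lookups),
        "mean_ttl": mean(ttl for ttl, _ in lookups),
        "unique_ips": len(seen),
        "networks": len({prefix16(ip) for ip in seen}),
        "churn": changed / (len(lookups) - 1) if len(lookups) > 1 else 0.0,
    }


def looks_fast_flux(lookups):
    """True when every indicator crosses its threshold; returns the metrics too."""
    m = summarise(lookups)
    verdict = (m["mean_ttl"] <= MAX_TTL and m["unique_ips"] >= MIN_UNIQUE_IPS
               and m["networks"] >= MIN_NETWORKS and m["churn"] >= MIN_CHURN)
    return verdict, m
```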

The diagram below shows the direct relationship, over time, between the threat and the deception strategy it used.

Each of the zombies that form part of the botnet created by Waledac focuses its efforts on sending spam. In this regard, a very interesting extract from a report states that Waledac has the ability to send about 150,000 spam e-mails per day.

Knowing, then, that Storm/Waledac are running campaigns with high rates of infection globally, it is clear that their creators are continuing their criminal operations for financial reasons, which is nothing new for today's malware.

via Pistus Malware Intelligence Blog
Malware Disasters Team

Symbiosis in present-day malware. Koobface

Koobface is a worm designed to exploit user profiles on popular social networks such as MySpace and Facebook in order to obtain sensitive and confidential information from its victims, although the latest versions limit their target to Facebook. In fact, the word Koobface is a transposition of the letters of Facebook.

Its early versions date back to late 2008 and since then it has remained In-the-Wild with a worrying infection rate. Accordingly, the company itself released a series of preventive measures to minimise the potential risk of infection, which is constantly latent for users of the social network.

In principle, the usual means of dissemination used by Koobface is the web, through visual Social Engineering, and this is the first facet: propagation.

The second facet (infection) channels its malicious actions in a way that is very common nowadays, based on a combination of malware, creating a symbiosis in which each component of the environment follows instructions in pursuit of a common, comprehensive objective.

But let us see which components form part of the infection stage of the Koobface.NBO variant. This worm, currently detected by approximately 31 of 41 antivirus companies (75.61%), upon infecting the system establishes a connection with the following URLs:

http://oberaufseher.net/img/cmd.php
http://pornfat.net/img/cmd.php

It also downloads the following malware:

TrojanDownloader.Small.OCS trojan
Tinxy.AD trojan
Tinxy.AF trojan
BHO.NOE trojan
Koobface.NBH worm
PSW.LdPinch.NEL trojan

From a technical point of view, some data can be collected from a brief preliminary analysis of each of the malicious codes downloaded by Koobface:

The trojan TrojanDownloader.Small.OCS has a detection rate of 35/40 (87.5%), creates keys in the registry and copies itself:

HKLM\SOFTWARE\Microsoft\MSSMGR\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32
C:\WINDOWS\system32\winccf32.dll (copy of itself)

Tinxy.AF, another trojan, also creates files on the system and has a detection rate slightly lower than the previous one, 30/40 (75.00%):

C:\windows\ld09.exe
C:\docume~1\user\locals~1\temp\podmena.bat

The trojan Tinxy.AD has a detection rate of 35/40, i.e. it is detected by approximately 87.50% of the engines. It creates a copy of itself and uses the NetShell tool (netsh) to allow a program through the firewall, open ports and set a proxy:

C:\WINDOWS\system32\SYSDLL.exe (copy of itself)
netsh add allowedprogram "SYSDLL" C:\WINDOWS\System32\SYSDLL.exe ENABLE
netsh firewall add portopening TCP 80 SYSDLL ENABLE
netsh firewall add portopening TCP 7171 SYSDLL ENABLE
netsh winhttp set proxy proxy-server="http=localhost:7171"
It also adds the proxy information under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (value ProxyServer, data "http=localhost:7171").

BHO.NOE is another of the trojans that form part of the Koobface infection process; with a detection rate of 92.11% (35/38), it creates a folder and a file:

C:\WINDOWS\system32\796525
C:\WINDOWS\system32\796525\796525.dll

As for the PSW.LdPinch.NEL trojan, detected by 34 of 40 antivirus engines (85.00%), it is designed to steal passwords from various web browsers, mail clients, IM clients and other services.

Finally, it downloads a variant of its own family, the worm Koobface.NBH; in this case the detection rate was 27/40 (approx. 67.50%).

As we can see, the infection by this malware is not limited to the malicious instructions it carries itself: it goes further and downloads other malware. This behaviour is common today, where web applications, botnet control and the administration of different types of malware merge, joining forces with a common goal: improving the economics of crime.
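The manual registry steps in the Internet Security 2010 and LockScreen write-ups above, and the proxy setting Tinxy.AD leaves behind here, can all be checked offline against a .reg export taken from the suspect machine. The following Python is an added example, not code from Malware Disasters; the export it parses is constructed from the values those write-ups name, and the stock Userinit value and the suspect entry names are assumptions taken from them.

```python
import re

# Constructed .reg export carrying the persistence artefacts that the Internet
# Security 2010, LockScreen and Koobface/Tinxy.AD write-ups tell you to remove.
# File names and values come from those write-ups; the export itself is made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Security 2010"="C:\\Program Files\\InternetSecurity2010\\IS2010.exe"
"winupdate86.exe"="C:\\WINDOWS\\system32\\winupdate86.exe"
"benimAnahtar"="C:\\WINDOWS\\benimserverim.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\winlogon86.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=localhost:7171"
"ProxyEnable"=dword:00000001
"""

SUSPECT_RUN_NAMES = {"internet security 2010", "winupdate86.exe", "benimanahtar"}
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"  # stock XP value, comma included
VALUE_RE = re.compile(r'"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string and dword data only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, text_data, dword = m.groups()
                # .reg files escape backslashes in string data as "\\"
                keys[current][name] = (text_data.replace("\\\\", "\\")
                                       if text_data is not None else int(dword, 16))
    return keys


def triage(text):
    """Return (finding, detail, manual fix) tuples mirroring the write-ups' countermeasures."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name.lower() in SUSPECT_RUN_NAMES:
                    findings.append(("run_entry", f"{name} -> {data}",
                                     f"delete value '{name}' under {key}"))
        elif k.endswith(r"\winlogon"):
            userinit = str(values.get("Userinit", ""))
            if userinit.lower() != EXPECTED_USERINIT.lower():
                findings.append(("userinit_hijack", userinit,
                                 f"restore Userinit to {EXPECTED_USERINIT}"))
        elif k.endswith(r"\internet settings"):
            proxy = str(values.get("ProxyServer", ""))
            if values.get("ProxyEnable") == 1 and re.search(r"localhost|127\.0\.0\.1", proxy):
                findings.append(("local_proxy", proxy,
                                 "clear ProxyServer/ProxyEnable and reset the WinHTTP proxy"))
    return findings
```

Export the keys with `reg export` on the affected machine and feed the file to `triage`; each finding carries the manual step from the corresponding write-up.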

via Pistus Malware Intelligence Blog
Malware Disasters Team

12.05.2009

Swizzor reloaded. Adware and control of P2P networks

P2P networks are one of the sources used to propagate different types of malicious code, which makes them a very dangerous vector for those who do not take certain preventive measures into account.

Moreover, the main function of this adware is to display advertising popups without the user asking for them; many times after infection it can display advertising as soon as a connection is made.

This is an increasingly common case in which different types of malware interact with each other, taking control of the computer to download and install additional malware.

Nomenclature: NSIS/TrojanDownloader.Swizzload.A (ESET)
Md5: e2a2089255811ff295cdb695e426adc4
Sha1: 99eccdc87671138b9f4b15b0610bef8a3df418b6
Report VirusTotal 15/41 (36.59%)
Packer: NSIS

It spreads through web pages using a social engineering strategy. When run, it downloads a number of files, among which is an update of itself.

From install.x3codec.com/get_file.php?file=program&program=codec_x3 it downloads:

Nomenclature: -
File: x3codec.exe located in codec_x3.zip
Md5: 06579ded81b2b648c5106d4732a4b06f
Sha1: a2d05264eeb807e5fadd3bd60df3c0b6495c5a75
Report Virus Total 0/41 (0.00%)
Packer: -

From install.x3codec.com/get_file.php?file=program&program=p2pc it downloads:

Nomenclature: Trojan-Dropper.Agent (Ikarus)
File: p2pc.exe hosted in p2pc.zip
Md5: 9964ee2867cb2128c8f3c84b311bdb86
Sha1: a83edbe783856edf5c1838e2e1f9df9bca6ea6f2
Report Virus Total 3/41 (7.32%)
Packer: NSIS

Nomenclature: Downloader.Agent (Ikarus)
File: VistaPutcher.exe hosted in p2pc.zip
Md5: c899655cf6c26eadcd4f8adbc32d7da6
Sha1: f316b3d09519cb73b512a58be6b7b688374839eb
Report Virus Total 9/41 (21.95%)
Packer: NSIS

After collecting a certain amount of information about the system, it connects to connect.p2pcontrol.com/?command=install&uid={EE72CD72-7427-E246-A983-AF903B5DEC0E}&affid_tr=&os=XP, from which it downloads the instructions to install the programs.

The aim is to control downloads through P2P networks by establishing a number of eDonkey and Kademlia servers.

From http://connect2.p2pcontrol.com/?command=download&filename=known_e.met it obtains the list of eDonkey servers (IP address:port pairs) that it sets up for the client.


From install.x3codec.com/get_file.php?file=minime it connects to http://space.cachefly.net/7714569/ and downloads the malware:

Nomenclature: a variant of Win32/TrojanDownloader.Swizzor.NCV (ESET)
File: minime.exe
Md5: 898a21afe498579797e8bc8163f4b1e2
Sha1: 817f44e1fbf98f51f3266a35b246af757574ebd1
Report Virus Total 22/39 (56.41%)
Packer: -

It also installs adware responsible for changing the settings of Internet Explorer and Firefox through the following configuration lines:

[InternetExplorer]
MinVersion=6
HomePage=http://www2.iesearch.com/
DefaultSearchEngine=Ask
SearchUrl=http://www2.iesearch.com/s/?q={searchTerms}&iesrc={referrer:source?}
GuidHash=x3Codec-search

[FireFox]
MinVersion=2.0
HomePage=
DefaultSearchEngine=Ask
SearchUrl=http://www2.firesearch.com/s/?q={searchTerms}&src=FF-SearchBox
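The settings block above can be parsed to list exactly which browser settings the adware redirects and which hosts a web filter or hosts file should sinkhole. The following Python is an added example, not code from the original post; the trusted-host list is a placeholder assumption and the INI text is the block quoted above, embedded as sample input.

```python
import configparser
from urllib.parse import urlsplit

# The adware's browser-settings block from the post, embedded here as the sample input.
SWIZZOR_INI = """
[InternetExplorer]
MinVersion=6
HomePage=http://www2.iesearch.com/
DefaultSearchEngine=Ask
SearchUrl=http://www2.iesearch.com/s/?q={searchTerms}&iesrc={referrer:source?}
GuidHash=x3Codec-search

[FireFox]
MinVersion=2.0
HomePage=
DefaultSearchEngine=Ask
SearchUrl=http://www2.firesearch.com/s/?q={searchTerms}&src=FF-SearchBox
"""

# Hosts the organisation accepts as a home page or search provider
# (placeholder list for this example).
TRUSTED_HOSTS = {"www.example.com", "search.example.com"}


def hijacked_settings(ini_text, trusted=TRUSTED_HOSTS):
    """Return [(browser, setting, host)] for every URL setting pointing outside 'trusted'."""
    # '=' only: the default ':' delimiter would be ambiguous with 'http://' values
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep HomePage/SearchUrl capitalisation as in the file
    cfg.read_string(ini_text)
    findings = []
    for browser in cfg.sections():
        for setting in ("HomePage", "SearchUrl"):
            url = cfg[browser].get(setting, "").strip()
            if not url:
                continue  # an empty HomePage (the FireFox case) changes nothing
            host = urlsplit(url).hostname or ""
            if host not in trusted:
                findings.append((browser, setting, host))
    return findings


def hosts_to_block(ini_text):
    """Distinct hosts to sinkhole in a web filter or hosts file, sorted."""
    return sorted({host for _, _, host in hijacked_settings(ini_text)})
```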

Some countermeasures

  • Uninstall the programs Ask Search, P2PControl and x3Codec
  • Delete the folders "option bird" and x3Codec located in Program Files
  • Delete the entry "inside eggs" located in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Delete the entry "eggs joy math type" located in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Delete the folder "option bird" located in X:\Documents and Settings\Administrator\Application Data. This folder contains the files: SEEKOWNSMETA.exe [a variant of Win32/TrojanDownloader.Swizzor.NDE Trojan (ESET)], borereadmebike.exe [a variant of Win32/TrojanDownloader.Swizzor.NCS Trojan (ESET)], tfonuuvu.exe [E:\malware\not\tfonuuvu.exe - a variant of Win32/TrojanDownloader.Swizzor.NCY Trojan (ESET)]
  • Restart your computer
  • Delete the folder "Bind army eggs joy" located in Documents and Settings\All Users\Application Data
  • Change the browser start page and delete temporary files
  • Run your updated antivirus program

Malware Disasters Team

12.01.2009

IMPORTANT READ

Malware Disasters Team is made up of a group of enthusiasts dedicated to the study and analysis of what is known in computer security as "Malicious Code" (Malware).

The intention is to gather in this space a series of brief analyses, curiosities and manual disinfection proposals to help counter the negative effects these types of threats cause when they infect a system.

Regarding the proposals that seek to eliminate certain actions caused by an infection, bear in mind that the steps described here may change depending on the variant and family of malware, and in no way completely solve all the problems the infection may have caused.

However, in complex problems where it is not possible to access certain features of the operating system, the manual removal of certain harmful actions can help regain control of the system.

On the other hand, it also helps the study and understanding of the most common patterns that identify malicious activities and the different strategies of malicious code.

Accordingly, it is established that the primary aim of the contents of this site is to provide the information necessary to understand how these threats work and to act accordingly.

The author also accepts no responsibility for any misunderstanding of what is published on this site, or for the consequences that might arise from applying the countermeasures provided.

Malware Disasters Team is a division of MalwareIntelligence.

Malware Disasters Team
