<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4583346977776347480</id><updated>2011-11-28T20:49:36.239-08:00</updated><category term='malicious'/><category term='flash'/><category term='shell32'/><category term='usb'/><category term='folder'/><category term='autorun'/><category term='Report'/><category term='exe'/><category term='reshack'/><category term='spoof'/><category term='Themida'/><category term='protector'/><category term='infect'/><category term='fake'/><category term='extension'/><category term='icon'/><category term='resource'/><category term='packer'/><category term='fix'/><category term='code'/><category term='file'/><category term='Analysis'/><category term='prevent'/><category term='remove'/><category term='compress'/><title type='text'>Virus Analysts</title><subtitle type='html'>virus analysis tutorial and tips for the uninitiated</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.virusanalysts.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://www.virusanalysts.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Frederic Vila</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>5</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4583346977776347480.post-7681120731565729283</id><published>2010-09-10T11:12:00.000-07:00</published><updated>2010-09-10T11:12:05.954-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Analysis'/><title type='text'>Social Engineering Strikes Again: A “Here you have” malware report</title><content type='html'>Since Thursday, a warning has been circulating in the AV community about an impending outbreak of the malware named “Here you have”. The urgency of the message's call to follow the link has contributed to its widespread infection. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Visual Basic Compiled&lt;/b&gt;&lt;br /&gt;The file has a PDF icon but is actually a compiled Visual Basic application. The malware usually arrives via an email message with the subject line “Here you have”, hence the name. Another possible propagation method is via YM from a user named “alicia.taylor2003” (this is still being investigated).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;HTML Formatting&lt;/b&gt;&lt;br /&gt;These are the two variants of email that it sends. 
Here’s the message using the “Here you have” subject.&lt;br /&gt;&lt;br /&gt;&amp;lt;html&amp;gt;&amp;lt;font size=4 color=blue&amp;gt;Hello:&amp;lt;br&amp;gt;&amp;lt;font size=4 color=black&amp;gt;&amp;lt;br&amp;gt;This is The Free Dowload Sex Movies,you can find it Here.&amp;lt;br&amp;gt;&amp;lt;font size=4 color=blue&amp;gt;&amp;lt;a target=new href=hxxp://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr&amp;gt;http://www.sharemovies.com/library/SEX21.025542010.wmv&amp;lt;font size=4 color=blue&amp;gt; &amp;lt;/a&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;font size=4 color=black&amp;gt;Enjoy Your Time.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;font size=4 color=blue&amp;gt;Cheers,&amp;lt;/html&amp;gt;&lt;br /&gt;&lt;br /&gt;This is the one with the “Just for you” subject.&lt;br /&gt;&amp;lt;html&amp;gt;&amp;lt;font size=4 color=blue&amp;gt;Hello:&amp;lt;br&amp;gt;&amp;lt;font size=4 color=black&amp;gt;&amp;lt;br&amp;gt;This is The Document I told you about,you can find it Here.&amp;lt;font size=4 color=blue&amp;gt;&amp;lt;a target=new href=hxxp://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr&amp;gt;http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf&amp;lt;font size=4 color=blue&amp;gt; &amp;lt;/a&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;font size=4 color=black&amp;gt;Please check it andreply as soon as possible.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;font size=4 color=blue&amp;gt;Cheers,&amp;lt;/html&amp;gt;&lt;br /&gt;&lt;br /&gt;The message is crafted in HTML. The anchor tag's HREF attribute lets the actual URL be hidden while a harmless-looking dummy URL is displayed as the link text, so a user may think they will visit a harmless non-executable file. The HREF attribute is normally used to give a short, readable alias to a long URL. 
The user will think they are being taken to http://www.sharemovies.com/library/SEX21.025542010.wmv, but the actual link is the one given in the HREF attribute.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Infection&lt;/b&gt;&lt;br /&gt;Once executed, the malware drops copies of itself on the local computer:&lt;br /&gt;C:\WINDOWS\csrss.exe&lt;br /&gt;C:\Administrator CV 2010.exe&lt;br /&gt;C:\WINDOWS\system\Administrator CV 2010.exe&lt;br /&gt;C:\WINDOWS\system\updates.exe&lt;br /&gt;&lt;br /&gt;It also drops zero-byte dummy files at the following paths:&lt;br /&gt;C:\WINDOWS\ff.exe&lt;br /&gt;C:\WINDOWS\gc.exe&lt;br /&gt;C:\WINDOWS\hst.iq&lt;br /&gt;C:\WINDOWS\ie.exe&lt;br /&gt;C:\WINDOWS\im.exe&lt;br /&gt;C:\WINDOWS\m.exe&lt;br /&gt;C:\WINDOWS\op.exe&lt;br /&gt;C:\WINDOWS\pspv.exe&lt;br /&gt;C:\WINDOWS\rd.exe&lt;br /&gt;C:\WINDOWS\re.exe&lt;br /&gt;C:\WINDOWS\re.iq&lt;br /&gt;C:\WINDOWS\SendEmail.dll&lt;br /&gt;C:\WINDOWS\tryme1.exe&lt;br /&gt;C:\WINDOWS\w.exe&lt;br /&gt;C:\WINDOWS\system32\SendEmail.dll&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Network Shares&lt;/b&gt;&lt;br /&gt;It executes an embedded VBScript which enumerates all computers on the network and drops a copy of itself into their shared folders using the filename N73.Image12.03.2009.JPG.scr. The affected shared folders are the following:&lt;br /&gt;• d&lt;br /&gt;• c&lt;br /&gt;• New Folder&lt;br /&gt;• music&lt;br /&gt;• print&lt;br /&gt;• E&lt;br /&gt;• F&lt;br /&gt;• G&lt;br /&gt;• H&lt;br /&gt;&lt;br /&gt;It also drops open.exe on removable drives, together with an autorun.inf containing the following text:&lt;br /&gt;[autorun]&lt;br /&gt;open=open.exe&lt;br /&gt;icon=%SystemRoot%\system32\SHELL32.dll,4&lt;br /&gt;action=Open folder to view files&lt;br /&gt;shell\open=Open&lt;br /&gt;shell\open\command=open.exe&lt;br /&gt;shell\open\default=1&lt;br /&gt;Note that “shell32.dll, 4” is the folder icon, so this overrides the malware's original PDF icon with a folder icon. 
&lt;br /&gt;&lt;br /&gt;&lt;b&gt;JIT Debugger?&lt;/b&gt;&lt;br /&gt;The malware modifies various registry settings. One thing worth mentioning is its use of “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\”. It adds known security application filenames as subkeys under that registry key, each with a “Debugger” value whose data is the malicious “crss.exe”. The effect is that any attempt to launch one of those filenames is hijacked and redirected so that crss.exe is executed instead.&lt;br /&gt;&lt;br /&gt;For example, take this key:&lt;br /&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe&lt;br /&gt;If any application, say calc.exe, is renamed to procexp.exe and run, the system will execute crss.exe instead.&lt;br /&gt;&lt;br /&gt;The following filenames are targeted:&lt;br /&gt;00hoeav.com, 0w.com, 360rpt.ExE, 360safe.ExE, 360safebox.ExE, 360tray.ExE, 6.bat, 6fnlpetp.exe, 6x8be16.cmd, _aVP32.ExE, _aVPCC.ExE, _aVPM.ExE, a2cmd.ExE, a2free.ExE, a2service.ExE, a2upd.ExE, abk.bat, adobe Gamma Loader.exe, algsrvs.exe, algssl.exe, angry.bat, anti-trojan.exe, aNtIaRP.ExE, antihost.exe, aNtS.ExE, apu-0607g.xml, apu.stt, aPVxdWIN.ExE, arSwp.ExE, ashdisp.exe, ashEnhcd.exe, ashLogV.exe, ashMaiSv.exe, ashPopWz.exe, ashQuick.exe, ashServ.exe, ashSkPcc.exe, ashUpd.exe, ashWebSv.exe, ast.ExE, aswBoot.exe, aswRegSvr.exe, aswUpdSv.exe, autorun.bin, autoRun.ExE, autorun.ini, autorun.reg, autorun.txt, autorun.wsh, autoRunKiller.ExE, autoruns.exe, autorunsc.exe, avadmin.exe, avastSS.exe, avcenter.exe, avciman.exe, avconfig.exe, aVCONSOL.ExE, aVENGINE.ExE, avgamsvr.exe, avgas.exe, avgcc.exe, avgcc32.exe, avgemc.exe, avginet.exe, avgnt.exe, avgrssvc.exe, avgrsx.exe, avgscan.exe, avgscanx.exe, avgserv.exe, avguard.exe, avgupsvc.exe, avgw.exe, avgwdsvc.exe, avltd.exe, avmailc.exe, avMonitor.ExE, avnotify.exe, avp.com, avp.exe, aVP32.ExE, aVPCC.ExE, aVPM.ExE, avscan.exe, avzkrnl.dll, bad1.exe, 
bad2.exe, bad3.exe, bdagent.exe, bdsubwiz.exe, BdSurvey.exe, BIOSREad.exe, blackd.exe, blackice.exe, caiss.exe, caissdt.exe, catcache.dat, cauninst.exe, Cavapp.ExE, cavasm.ExE, CavaUd.ExE, CaVCmd.exe, CaVCtx.exe, CavEmSrv.ExE, Cavmr.ExE, CavMUd.ExE, Cavoar.ExE, CavQ.ExE, CaVRep.exe, CaVRid.exe, CaVSCons.ExE, cavse.ExE, CavSn.ExE, CavSub.ExE, CaVSubmit.ExE, CavUMaS.ExE, CavUserUpd.ExE, Cavvl.ExE, CCenter.ExE, CEmRep.ExE, ckahcomm.dll, ckahrule.dll, ckahum.dll, cleaner.exe, cleaner3.exe, clldr.dll, CMain.ExE, copy.exe, curidsbase.kdz, destrukto.vbs, dF5Serv.exe, diffs.dll, drvins32.exe, drwadins.exe, drweb32w.exe, drweb386.exe, drwebscd.exe, drwebupw.exe, drwebwcl.exe, drwreg.exe, e.cmd, e9ehn1m8.com, edb.chk, egui.exe, ekrn.exe, EMdISK.exe, f0.cmd, FileKan.exe, flashy.exe, FPaVServer.exe, FProttray.exe, fpscan.exe, fptrayproc.exe, FPWin.exe, FrameworkService.exe, FRW.ExE, FrzState2k.exe, fs6519.dll.vbs, fssf.exe, fssync.dll, fun.xls.exe, g2pfnid.com, GetSI.dll, GFUpd.ExE, guard.exe, GuardField.ExE, guardgui.exe, guardxkickoff.exe, guardxkickoff_x64.exe, guardxservice.exe, guardxup.exe, h3.bat, Hijackthis.ExE, hookinst.exe, host.exe, i.bat, iamapp.exe, iamserv.exe, IceSword.ExE, ICLOad95.ExE, ICLOadNt.ExE, ICMON.ExE, ICSUPP95.ExE, ICSUPPNt.ExE, Identity.exe, iefqwp.cmd, IEShow.exe, IFaCE.ExE, ij.bat, InstallCaVS.ExE, InstLsp.ExE, Iparmor.ExE, iSafe.exe, iSafInst.exe, KaSaRP.ExE, kav.bav, kav32.ExE, kavbase.kdl, KaVPFW.ExE, kavstart.ExE, ker.vbs, KeyMgr.exe, killVBS.vbs, kissvc.ExE, kl1.sys, klavemu.kdl, klbg.cat, klbg.sys, klif.cat, klif.sys, klim5.sys, kmailmon.ExE, KPfwSvc.ExE, KRegEx.ExE, KVSrvxP.ExE, KVWSC.ExE, kwatch.ExE, licmgr.ex, licreg.exe, lky.exe, lockdown2000.exe, m2nl.bat, mbam.exe, mcagent.exe, mcappins.exe, mcaupdate.exe, mcdash.exe, Mcdetect.exe, mcinfo.exe, mcinsupd.exe, mcmnhdlr.exe, mcregwiz.exe, McShield.exe, Mctray.exe, mcupdmgr.exe, mcupdui.exe, McVSEscn.exe, mcvsftsn.exe, mcvsmap.exe, mghtml.exe, Mmsk.ExE, MooLive.exe, msdos.pif, msfir80.exe, 
MSGrc32.vbs, msime80.exe, msizap.exe, msmsgs.exe, msvcm80.dll, msvcp80.dll, msvcr71.dll, msvcr80.dll, mzvkbd.dll, mzvkbd3.dll, naiavfin.exe, naPrdMgr.exe, Navapsvc.ExE, NaVaPW32.ExE, NaVW32.ExE, netcfg.dll, new folder.exe, njibyekk.com, nod32.exe, nod32krn.exe, nod32kui.exe, oasclnt.exe, olb1iimw.bat, OnaccessInstaller.ExE, Pagent.exe, Pagentwd.exe, PavFnSvr.exe, pavprsrv.exe, PavReport.exe, pavsched.exe, PaVSRV51.ExE, pavtest.exe, pctsauxs.exe, pctsSvc.exe, pctstray.exe, PFW.ExE, preupd.exe, prloader.dll, procexp.exe, psctrlc.exe, PsCtrlS.exe, PSHost.exe, PsImSvc.exe, pskmssvc.exe, QQdoctor.ExE, QtnMaint.exe, RaV.ExE, ravmon.exe, Ravservice.ExE, RavStub.ExE, RaVtRaY.ExE, rcukd.cmd, reload.exe, rescue32.exe, rescuecd.zip, rfwmain.ExE, rfwProxy.ExE, rfwsrv.ExE, Rfwstub.ExE, rose.exe, RStray.ExE, Runiep.ExE, safeboxtray.ExE, sal.xls.exe, sched.exe, SCVHOSt.exe, scvhosts.exe, SCVHSOt.exe, SCVVHOSt.exe, scvvhosts.exe, SCVVHSOt.exe, seccenter.exe, SendLogs.exe, session.exe, shstat.exe, Socksa.ex, SOLOCFG.exe, SOLOLItE.exe, SOLOSCaN.exe, SOLOSENt.exe, Sphinx.exe, spidercpl.exe, spiderml.exe, spidernt.exe, spiderui.exe, spml_set.exe, Spybotsd.exe, SREngLdr.ExE, ssvichosst.exe, sxs.exe, system.exe, tca.exe, temp.exe, temp2.exe, toy.exe, tPSrv.exe, trojandetector.ExE, trojanwall.ExE, trojdie.KxP, UdaterUI.exe, uiscan.exe, unp_test.ExE, update.exe, updater.dll, UPSdbMaker.ExE, userdump.exe, UUpd.ExE, v.exe, Vba32act.exe, Vba32arkit.exe, Vba32ECM.exe, Vba32ifs.exe, vba32ldr.exe, Vba32PP3.exe, Vba32Qtn.exe, vbcmserv.exe, vbcons.exe, vbglobal.exe, vbimport.exe, vbinst.exe, vbscan.exe, vbsystry.exe, VetMsg.exe, virusutilities.exe, Visthaux.exe, VPC32.ExE, VPtRaY.ExE, VSECOMR.ExE, VSHWIN32.ExE, vsmon.exe, vsserv.exe, VSStat.ExE, VstskMgr.exe, WEBPROxY.ExE, WEBSCaNx.ExE, whi.com, WinGrc32.dll, WOPtILItIES.ExE, Wradmin.exe, WrCtrl.exe, wscntfy.exe, wsctool.exe, yannh.cmd, ybj8df.exe, zonealarm.exe&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Prevention&lt;/b&gt;&lt;br /&gt;Turning off HTML 
formatting in our email client will help us notice that there is something fishy about the given link. The malware has no complicated code to analyze, employs no anti-debugging tricks, and does not even exploit any vulnerability in the system. As with other reports on this malware, the trick is social engineering. Until we learn our lesson, malware like this will keep coming back.</content><link rel='replies' type='application/atom+xml' href='http://www.virusanalysts.com/feeds/7681120731565729283/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4583346977776347480&amp;postID=7681120731565729283' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/7681120731565729283'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/7681120731565729283'/><link rel='alternate' type='text/html' href='http://www.virusanalysts.com/2010/09/social-engineering-strikes-again-here.html' title='Social Engineering Strikes Again: A “Here you have” malware report'/><author><name>Frederic Vila</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4583346977776347480.post-9043130521732150513</id><published>2010-08-13T08:29:00.000-07:00</published><updated>2010-08-13T08:31:44.038-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Report'/><title type='text'>Microsoft LNK Exploit CVE-2010-2568</title><content type='html'>A new infection vector was found on 
July 2010. It uses LNK files to execute DLL files automatically, without user intervention. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Shortcuts&lt;/b&gt;&lt;br /&gt;These LNK files, also called shortcut files, are not the usual shortcuts that any user can create with a click. Crafting the LNK exploit requires knowledge of the LNK file format, of the Control Panel's CLSID, and of how to create the DLL file it loads. The shortcut file has the extension .LNK, which can be seen from the command prompt. If you drag the LNK file onto Notepad you can see its contents; other text editors would load the target file instead of the LNK file itself. To read it properly, though, you need a hex/binary viewer.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The LNK Exploit&lt;/b&gt;&lt;br /&gt;The exploit is not really an exploit but rather a feature used by system shortcuts. Detecting the CLSID alone is prone to false positives, but Microsoft has already issued a workaround that disables this feature, which can result in an ugly Programs menu. Most users would rather ignore the workaround and hope they don't bump into malicious LNK files.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;WebDAV Danger&lt;/b&gt;&lt;br /&gt;The ugly part is that only the LNK file needs to be delivered to wreak havoc. The target DLL can be hosted on any server that acts as a shared folder, such as a WebDAV share. Consider this scenario: you download files from a P2P network using your favorite client. By default, the client selects all the files in the download for you. Once finished, you open the folder to access your file. Just by viewing a folder that contains a crafted LNK file, you have already infected your computer without ever clicking the LNK file.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Prevention&lt;/b&gt;&lt;br /&gt;To avoid infection via this new vector, you need an active firewall that prevents files from outside your network from being loaded and executed. 
The LNK file requires the target DLL to be present at the path the LNK points to. The dangerous part, even with a firewall in place, is when the LNK's target path is local and already contains the DLL. This is the case if you have downloaded an archive that contains both the LNK and the DLL into your Downloads folder. So far, there is no known way of crafting an LNK file that points to its own working directory.</content><link rel='replies' type='application/atom+xml' href='http://www.virusanalysts.com/feeds/9043130521732150513/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4583346977776347480&amp;postID=9043130521732150513' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/9043130521732150513'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/9043130521732150513'/><link rel='alternate' type='text/html' href='http://www.virusanalysts.com/2010/08/microsoft-lnk-exploit-cve-2010-2568.html' title='Microsoft LNK Exploit CVE-2010-2568'/><author><name>Frederic Vila</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4583346977776347480.post-202477621940902168</id><published>2009-05-09T06:06:00.000-07:00</published><updated>2011-07-30T06:57:41.124-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe'/><category scheme='http://www.blogger.com/atom/ns#' term='compress'/><category scheme='http://www.blogger.com/atom/ns#' term='packer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='malicious'/><category scheme='http://www.blogger.com/atom/ns#' term='code'/><category scheme='http://www.blogger.com/atom/ns#' term='protector'/><category scheme='http://www.blogger.com/atom/ns#' term='Themida'/><title type='text'>Code Obfuscation</title><content type='html'>While I was searching for samples to analyze, I came across &lt;a href="http://offensivecomputing.net/?q=node/1165"&gt;this &lt;/a&gt;post on the Offensive Computing website about an article in SecurityFocus. It discusses whether obfuscated code should be deemed a characteristic of malicious software or not.&lt;br /&gt;&lt;br /&gt;Obfuscation is a technique programmers use to stop nosy people from reverse engineering their code. Hackers are known to reverse engineer programs, which contributes to the widespread distribution of pirated software. There are also companies that invest in reverse engineering a competitor's software in order to acquire or spy on new technology. White hats reverse engineer in order to disclose problems that exist in the software.&lt;br /&gt;&lt;br /&gt;I see no reason why legitimate software companies would obfuscate their code when all it can do is thwart people with no sound experience in reverse engineering. Oops, here I go again with my opinionated mind. So let's move on to what makes up obfuscation.&lt;br /&gt;&lt;br /&gt;Code obfuscation can be done by manually writing a program that is obfuscated, or by using third-party tools to obfuscate existing code. If you are familiar with WinZip, WinRAR or 7-Zip, you are close to the idea, in the sense that the code you are familiar with is no longer there in the packed file. Search for Mew, ASProtect, ExeCrypt, Themida and others. The difference from zip and rar is that with protectors the exe file retains its executable form, whereas with zip the file is turned into an archive (with the exception of SFX self-extracting archives). 
The compression step in some of these PE protectors is what makes them packers.</content><link rel='replies' type='application/atom+xml' href='http://www.virusanalysts.com/feeds/202477621940902168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4583346977776347480&amp;postID=202477621940902168' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/202477621940902168'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/202477621940902168'/><link rel='alternate' type='text/html' href='http://www.virusanalysts.com/2009/05/code-obfuscation.html' title='Code Obfuscation'/><author><name>Frederic Vila</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4583346977776347480.post-3641014292816078766</id><published>2008-02-18T05:23:00.000-08:00</published><updated>2011-07-29T16:39:58.382-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='extension'/><category scheme='http://www.blogger.com/atom/ns#' term='shell32'/><category scheme='http://www.blogger.com/atom/ns#' term='folder'/><category scheme='http://www.blogger.com/atom/ns#' term='file'/><category scheme='http://www.blogger.com/atom/ns#' term='fake'/><category scheme='http://www.blogger.com/atom/ns#' term='spoof'/><category scheme='http://www.blogger.com/atom/ns#' term='icon'/><category scheme='http://www.blogger.com/atom/ns#' term='resource'/><category 
scheme='http://www.blogger.com/atom/ns#' term='reshack'/><title type='text'>Protection Against Malwares: Icon Spoof or Fake Icons</title><content type='html'>Malware authors have been taking advantage of spoofed icons. I don't know what to call it, but this is what they are using with their viruses, worms or trojans.&lt;br /&gt;&lt;br /&gt;Basically, it makes their malicious software look harmless by posing as normal, commonly used files or folders. Malware authors use tools such as Reshack (Resource Hacker) to extract icons from XP's shell32.dll and then insert those icons into their own software. Consider the following folder contents.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/R7maLjZ0BAI/AAAAAAAAADY/nx5-e_qnwPw/s1600-h/iconspoof.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5168331570657100802" src="http://bp1.blogger.com/_CrutuWN3LFk/R7maLjZ0BAI/AAAAAAAAADY/nx5-e_qnwPw/s200/iconspoof.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In this view it is impossible for the user to tell the application apart from a folder or a text document. A user might think he/she is opening a folder when in fact he/she is launching malware.&lt;br /&gt;&lt;br /&gt;To protect yourself against these kinds of disguises, it is strongly suggested that you use Details view in your folders.&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_CrutuWN3LFk/R7makTZ0BBI/AAAAAAAAADg/GtVe-1-ENXQ/s1600-h/iconspoof-detailsview.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5168331995858863122" src="http://bp0.blogger.com/_CrutuWN3LFk/R7makTZ0BBI/AAAAAAAAADg/GtVe-1-ENXQ/s200/iconspoof-detailsview.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;Now you can see the Type field. 
The Type for "Folder 1" and "Text File 1" is Application.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/R7maljZ0BEI/AAAAAAAAAD4/KBoA-XN4FM8/s1600-h/iconspoof-showtype.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5168332017333699650" src="http://bp1.blogger.com/_CrutuWN3LFk/R7maljZ0BEI/AAAAAAAAAD4/KBoA-XN4FM8/s200/iconspoof-showtype.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;One might wonder how this is possible. An application can store icon images in its own resources. The folder icon was extracted from shell32.dll and inserted into "Folder 1.exe". Windows XP's icons are stored in shell32.dll; it contains the default icons the system uses to represent files and objects to the user in the XP GUI.&lt;br /&gt;&lt;br /&gt;Next, we unhide file extensions so that the extension names are shown.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/R7maljZ0BFI/AAAAAAAAAEA/V4Gri_DFvU8/s1600-h/iconspoof-showhidden.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5168332017333699666" src="http://bp1.blogger.com/_CrutuWN3LFk/R7maljZ0BFI/AAAAAAAAAEA/V4Gri_DFvU8/s200/iconspoof-showhidden.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Unhiding extensions reveals the obscured or hidden extension of executable files. Malware could also use a filename padded with a long run of spaces before the extension, such as the one below, so that the executable extension is pushed out of view. 
So it is important to check the file's Type first before opening what looks like a program or folder.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/R7mczjZ0BGI/AAAAAAAAAEI/ACXXMiaCLd0/s1600-h/iconspoof-longspace.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5168334456875123810" src="http://bp1.blogger.com/_CrutuWN3LFk/R7mczjZ0BGI/AAAAAAAAAEI/ACXXMiaCLd0/s200/iconspoof-longspace.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_CrutuWN3LFk/R7mc0DZ0BHI/AAAAAAAAAEQ/YDIoZpwLeW8/s1600-h/iconspoof-longspace2.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5168334465465058418" src="http://bp3.blogger.com/_CrutuWN3LFk/R7mc0DZ0BHI/AAAAAAAAAEQ/YDIoZpwLeW8/s200/iconspoof-longspace2.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I guess that's it for now; remember to click "Apply to All Folders" to avoid the hassle of doing it again.</content><link rel='replies' type='application/atom+xml' href='http://www.virusanalysts.com/feeds/3641014292816078766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4583346977776347480&amp;postID=3641014292816078766' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/3641014292816078766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/3641014292816078766'/><link rel='alternate' type='text/html' href='http://www.virusanalysts.com/2008/02/protecting-against-malwares-icon-spoof.html' title='Protection Against Malwares: Icon Spoof or Fake 
Icons'/><author><name>Frederic Vila</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_CrutuWN3LFk/R7maLjZ0BAI/AAAAAAAAADY/nx5-e_qnwPw/s72-c/iconspoof.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4583346977776347480.post-4011027736665490289</id><published>2007-11-03T04:04:00.000-07:00</published><updated>2011-07-29T16:37:53.374-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='autorun'/><category scheme='http://www.blogger.com/atom/ns#' term='prevent'/><category scheme='http://www.blogger.com/atom/ns#' term='remove'/><category scheme='http://www.blogger.com/atom/ns#' term='infect'/><category scheme='http://www.blogger.com/atom/ns#' term='flash'/><category scheme='http://www.blogger.com/atom/ns#' term='usb'/><category scheme='http://www.blogger.com/atom/ns#' term='fix'/><title type='text'>Preventing USB Autorun Infection</title><content type='html'>Protect your PC from USB autorun infection with this step-by-step guide with screenshots. I've been doing this for quite some time on all of my computers and on my friends' and relatives' computers. You will never again have to worry about your PC getting infected automatically from USB sticks.&lt;br /&gt;&lt;br /&gt;Autorun is used by malware such as Brontok to infect other PCs through removable drives (e.g. flash drives, external HDDs). 
Previous autorun infections were prevented by turning off Autoplay on all drives in Group Policy (run gpedit.msc &amp;gt; Computer Configuration &amp;gt; Administrative Templates &amp;gt; System).&lt;br /&gt;&lt;br /&gt;But this Brontok variant uses other autorun.inf commands to execute the malware, namely the ones triggered when a user double-clicks the USB drive in My Computer.&lt;br /&gt;&lt;br /&gt;Try this on your USB drive: create an autorun.inf file containing the following code:&lt;br /&gt;&lt;blockquote&gt;[AutoRun]&lt;br /&gt;Open=calc.exe&lt;br /&gt;shellexecute=calc.exe&lt;br /&gt;shell\Auto\command=calc.exe&lt;br /&gt;shell\Browser\command=calc.exe&lt;br /&gt;shell\Explore\command=calc.exe&lt;/blockquote&gt;Reinsert your USB drive and access it either by double-clicking its icon or via the context menu. It is safe, though: it only runs Windows Calculator, the same as executing it from the command line. You won't be able to access your drive without launching Calculator, unless you open Windows Explorer and navigate to the drive via the Folders pane.&lt;br /&gt;&lt;br /&gt;I was looking for a solution to stop the context menu entries Auto, Browser and Explore from associating themselves with EXE files on the flash drive. I already had the idea that inserting a USB drive updates the Windows Registry's MountPoints2 key. The only problem was preventing this from happening. 
Luckily for me, I found the solution in Pierre's comment at &lt;a href="http://techrepublic.com.com/5208-6230-0.html?forumID=101&amp;amp;threadID=234964&amp;amp;messageID=2319929"&gt;Techrepublic.com&lt;/a&gt; about setting Registry permissions.&lt;br /&gt;&lt;br /&gt;Here is a clean MountPoints2:&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/RzS_Yz9Q5wI/AAAAAAAAACg/7YB6OAjfgHU/s1600-h/mountpoints2-clean.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5130936308466771714" src="http://bp1.blogger.com/_CrutuWN3LFk/RzS_Yz9Q5wI/AAAAAAAAACg/7YB6OAjfgHU/s200/mountpoints2-clean.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here is MountPoints2 after inserting the drive with the autorun.inf:&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/RzS_wz9Q5xI/AAAAAAAAACo/vjiQ4YYQTsw/s1600-h/mountpoints2-infected.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5130936720783632146" src="http://bp1.blogger.com/_CrutuWN3LFk/RzS_wz9Q5xI/AAAAAAAAACo/vjiQ4YYQTsw/s200/mountpoints2-infected.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Find your account's MountPoints2 in the registry:&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/RzTCrz9Q5zI/AAAAAAAAAC4/Ron8yu_LzDI/s1600-h/mountpoints2-search.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5130939933419169586" src="http://bp1.blogger.com/_CrutuWN3LFk/RzTCrz9Q5zI/AAAAAAAAAC4/Ron8yu_LzDI/s200/mountpoints2-search.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Then right-click the "MountPoints2" key and modify its permissions to Deny, like this:&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_CrutuWN3LFk/RzS_3T9Q5yI/AAAAAAAAACw/sDFABGw_h8M/s1600-h/mountpoints2-permissions.JPG"&gt;&lt;img alt="" border="0" 
id="BLOGGER_PHOTO_ID_5130936832452781858" src="http://bp3.blogger.com/_CrutuWN3LFk/RzS_3T9Q5yI/AAAAAAAAACw/sDFABGw_h8M/s200/mountpoints2-permissions.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now you can double-click this drive at any time without running Windows Calculator.&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_CrutuWN3LFk/RzTFQz9Q50I/AAAAAAAAADA/yLQIn5Jdn0I/s1600-h/mountpoints2-protected.JPG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5130942768097584962" src="http://bp1.blogger.com/_CrutuWN3LFk/RzTFQz9Q50I/AAAAAAAAADA/yLQIn5Jdn0I/s200/mountpoints2-protected.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If this prevents calc.exe from running, it will surely help prevent malicious executables such as Brontok from infecting your computer via the autorun vector.</content><link rel='replies' type='application/atom+xml' href='http://www.virusanalysts.com/feeds/4011027736665490289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4583346977776347480&amp;postID=4011027736665490289' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/4011027736665490289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4583346977776347480/posts/default/4011027736665490289'/><link rel='alternate' type='text/html' href='http://www.virusanalysts.com/2007/11/preventing-autorun-infection.html' title='Preventing USB Autorun Infection'/><author><name>Frederic Vila</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_CrutuWN3LFk/RzS_Yz9Q5wI/AAAAAAAAACg/7YB6OAjfgHU/s72-c/mountpoints2-clean.JPG' height='72' width='72'/><thr:total>1</thr:total></entry></feed>
