Porn clips are everywhere! But then again, rogue antivirus software are everywhere too.

The fake video codec tactic targets unsuspecting users wanting to view the adult videos purportedly being hosted in the malicious website:


Clicking on one of the thumbnails presents a video player window with the error message “Video ActiveX Object Error”. The message asks the user install a new version of Video ActiveX Object which is actually an installer for Security Tool posing as a fake video codec.

This page also shows the following messageboxes when the user tries to move away from the malicious website and basically does not allow the user to select cancel.

Downloading and installing the presented file install.exe installs Security Tool on the affected computer.

Users of infected machines will have to deal with these annoyances:

Unsuspecting users pay a hefty price of $79.95 for a lifetime software license. Ouch!
Posted in Online Fraud | Tagged | Leave a comment

Zeus is an extremely effective bot builder kit designed and developed to be sold in underground markets as a cybercrime kit, enabling buyers to easily build identity theft related spyware that evades many security solutions. The writers have been known to do custom work as well, all for a price.

The bots produced by the kit were in turn called ”Ntos” and ”Zbot” by major software security vendors. We’ve kept on top of its activity over the past couple of years, describing its distribution as a part of other attacks, drive by attacks, and spam blasts. The ThreatExpert blog maintains posts here and here. ThreatFire is one of the most effective, if not the most effective, products on the market at detecting and preventing the Zbot variants on user systems. It detects them clearly as “Spyware.Zbot”. Because one gang of the bot distributors have been so determined and successful at distributing the malware to high-value targets over the past couple of years, an individual zbot botnet currently made up of a reported 74,000 zbot infected systems is being renamed as the “Kneber Botnet“, based on the username this Zbot variant uses.

We have posted a dozen times about Zbot over the past couple of years, including stats on Zbot-downloading Bredolab variants being run on user’s systems. Locations of the tens of thousands of systems on which users have run Zbot itself over only the past six months vary across globe, but here are a recent top ten from the ThreatFire community.


These Zbot hits are the malware that get through spam filters, mail AV scanners, etc, and Zbot actually was run on the user’s system and then prevented by ThreatFire. It’s also interesting to know that over 70% of ThreatFire users are running another security solution on their system (indicating that ThreatFire is first and only to detect and prevent in a startling number of incidents). ThreatFire protected all of our users that were tricked into running Zbot, and it’s a good thing. The vast majority of these variants were configured to steal banking credentials, in addition to other valuable user data.

Note – the Dns domains registered to “Hilary Kneber” from which the attacking web sites served the zbot spyware (which cleverly must helped in naming the botnet), maintained the Zbot executables as “bot.exe” from a couple of different directories. One would think that this filename may be a giveaway to security monitors. On victim systems where the malware was run, it seems that the file was downloaded and renamed to both “svchost.exe” and random names like “58e.tmp” so as to camoflage its purpose. It predictably then would attempt to copy itself to c:\windows\system32\sdra64.exe.

Posted in Hackers | Tagged , | Leave a comment

The group behind “live-windowsantivirus. com” is having a very busy morning distributing Rogueware XP Internet Security 2010. We grabbed some snapshots for you of the current incarnation of the malware, since users appear to be falling for it in large numbers. The full window and the balloon popup stating “System Danger! Your system security is in danger” must be convincing…


Fake scan results are presented immediately…


As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred”, see the window’s title bar.


Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window, claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen, recommending activation of XP Internet Security 2010…


When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010″ appears…


Running down the side of the page, they make fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:


Entering personal information into the form POSTS the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:


ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

Posted in Malware Alerts | 13 Comments

Sometimes it’s difficult to distinquish between pranks, performance art, and hacktivists’ true political statements, and the “Anonymous” group’s latest message creates more of that confusion. In an idealistic and strongly worded video, the group is rallying an attack against the Australian government . They supply a set of DDoS tools to carry out the attack, supposedly to rally action against censorship. At the same time, there seems to be glaring cases of content censorship around the world (often described as internet black holes), much more striking than filtering edge cases of pornographic content.


Today, the Australian Parliament’s web systems are accessible over the web.

Posted in Hackers | Tagged , | Leave a comment

This past week, we posted some of Cutwail’s recent spamming activity. As we were digging into the elevated levels of Cutwail activity, the researchers over at Shadowserver posted on the unusual SSL traffic originating from infected hosts. Dark Reading picked up the story and came up with question marks, “what is Pushdo up to?”:

“It’s unclear thus far whether this is a test-run for phony SSL connections gone amuck that ended up exposing this Pushdo [Cutwail] traffic, or something else. Stewart says it’s possible there could be more to the latest activity, such as the botnet’s rotating its target lists. “It’s hard to say,” he says.” 

Having recently researched the downloader, we took a second look. The answer to the question “what is Pushdo [Cutwail] up to?”…the heavy SSL traffic Cutwail is sending to these new sites is a result of coding error. The Cutwail writers wanted to cloak their connections to their own payload sites listed in our previous post, and released an implementation that failed to meet that delicate goal. Instead, they killed a fly with a sledgehammer. While they could have implemented a few minor tweaks to make the SSL connections to decoy sites appear more “web browser like” to a network monitor, they failed to do so and wrote unnecessary unreliable dependencies into their SSL connection rate limiter. Also, the rate limiting code is implemented in such a way that it simply would not used to evade DDoS tracking. We observed two sets of routines in the code that form the basis of that conclusion…

As described in our previous post, 1. downloader code is injected into a spawned SVCHOST.exe.

2. Within this thread, the delimited list of payload serving hard-coded addresses are split into individual strings:;;;;;;;;;;;firea*;


3. The SSL “camoflauge thread” (the one that connects to the cia, google, and legitimate site) is started


4.  An RC4 encryption key is generated based on the value returned in the “lowpart” value returned from a QueryPerformanceCounter call
5. An attempt is made every 20 seconds to download the spam bot payload from the above list of addresses using the generated RC4 key
6. When a payload has been downloaded, it is decrypted using the above key, and executed directly or injected into another SVCHOST.exe process
7. After succesful execution, the mutex “00012-1010212-12012012-1211″ is created


In the background the camoflauge thread is busy doing the following actions:
1. Attempts to open the mutex “00012-1010212-12012012-1211″
2. If the mutex is not found, it will spawn a thread to perform a fake ssl transaction with a random hostname from the embedded list (of legitimate sites or “decoys”) every 5 seconds
3. If the mutex *is* found, the thread will stop launching fake ssl transactions and exit


What this means in plainer terms is that a flurry of fake SSL connections are continuously launched until the payload is succesfully downloaded, after the mutex to stop making new connections is created and accessed. What happens if the payload servers are taken down (as we saw in our research lab), and a payload is never downloaded from these sites? It means no ‘stop’ mutex will be created by the initial Cutwail thread on the infected host and then found by the SSL camoflage thread, and the half baked SSL connections will continue to bombard the decoy sites!

Posted in Online Fraud | Leave a comment

It seems that the recent and unusually public disclosure of the Google breach (and dozens of other U.S. corporations) has turned some heads. As Google reaches out to the NSA for help to secure its networks, a prominent cybersecurity bill passed the House today. It will drive large new cybersecurity efforts in the U.S. and will be an interesting bill to follow through the Senate. A summary of H.R. 4061 here.

Posted in Hackers | Leave a comment

Rogueware Internet Security 2010 (not to be confused with PC Tools Internet Security 2010) is moving its way to the top of ThreatFire’s community stats to be one of the highest hitting FakeAv/scareware/rogueware packages for January 2010 and the beginning of Feb. Not only is its prevalence glaring, but the infection itself visually and functionally stands out:

InternetSecurity2010 Desktop

Victims of this scam will have a hard time ignoring the screaming new message on their desktop, “YOUR SYSTEM IS INFECTED”. The familiar red X appears in the system tray in the lower right corner of the screen, and multiple phony scan images subsequently pop up.


Next up is a phony but thorough listing of all the detected malware that doesn’t really exist on the user’s system, described with a “Critical vulnerabilities found!” header and a mishmash of security industry buzzwords thrown together in a non-sensical phrase “Proactive system found several active vulnerabilities on your computer”…


And, after shocking the user with this series of blatently false warnings, coming up is the money maker, a suggestion that the user get a license or pay for Internet Security 2010:


If the user ignores the above warnings and tries to continue their work, they instead are assailed with scare-tactic messaging from the bottom right corner of the screen…”Click here to protect your computer from spyware!”…


And “System Warning! Continue working in unprotected mode is very dangerous”, another phony taunt…


Good thing that ThreatFire can keep this stuff off of your system in the first place, and Spyware Doctor+AV is known to effectively clean up previously infected systems.

Posted in Malware Alerts | 1 Comment

Spam continues to clog the internet with providers reporting spam stuffing 80% – 95% of all email content en route. It’s an ongoing problem into 2010, so last week we examined the active spambot Tedroo, some of its suspicious behaviors, one of its anti-debug/antiRE techniques, and its spam delivery. This week we’ll take a look at Cutwail, a long standing and very active downloader/spambot that suggests regardless of various ISP takedowns, the underground market continues to thrive.

In what seems to be fairly unique to Cutwail (also described as Pandex and Pushdo), the initial Cutwail component delivered to a victim’s system is a downloader/dropper, and the spambot code itself doesn’t touch the disk. This scheme is by design. The spambot code appears to exist relatively unchanged over time, while that initial delivery component is re-developed, re-packed and re-distributed in a myriad of ways along with a set of other components. The end goal is to execute the spambot on the system without it touching disk and without maintaining its code in the downloader.

This particular Cutwail downloader connects to these hosts to download the spambot payload and data (domains modified for readability)…

75.126.159 .19:443
89.149.254 .213
89.149.244 .141
94.75.233 .173:443
94.75.233 .171
94.75.233 .172
89.149.244 .23
aaa.oduvanchic .com
aaa.news2days .ru
fireas*eye .com
f*ckbriankrebs .com
antisgetout .cn

It will attempt to connect to one of the above web severs every 20 seconds until a payload is available and downloaded. The sites are actively brought up and down and often do not respond to an infected host, stymieing research progress on the bot. The bot and data payload itself is served up from these hosts as one encrypted stream of data. Once the downloader completes retrieval, the downloader will deobfuscate/decrypt the payload and launch svchost.exe in suspended mode, injecting the payload into that newly spawned process’s memory. After modifying some the loader data structures inside the process via the GetThreadContext/SetThreadContext APIs, the injector redirects execution to the injected code causing the payload to be run instead of the svchost code.

Due to the complicated packing schemes and highly variable injector code, these initial injectors seem more difficult to detect than the relatively consistent spam payload.  Since the payload is injected directly into a real windows process and does not get written to disk, it proves to be quite elusive.

Once injected and run, the spambot code waits a prolonged period of time to begin its spam run. From our lab, after an eye-rollingly long wait, we collected image-based spam sent out to market prices to Russian readers for spam services:


The image advertises a Moscow based phone line for the “Email distributions. Affordable prices – high quality” touted across the top and the left panel. Price ranges are provided for both Moscow and Russia blasts below (we added the price conversions to USD):

Our price list:
Whole Moscow  =  5000 rubles  ($166 USD)
4 distributions in Whole Moscow  =  10000 rubles  ($333 USD)
Whole Russia = 10000 rubles  ($333 USD)
4 distributions in Whole Russia = 20000 rubles  ($666 USD)
Russia+CIS (Commonwealth of Independent States, the territory of the former USSR)  = 15000 rubles  ($500 USD)
4 distributions in Russia+CIS = 30000 rubles  ($1000 USD)
We have:
-The lowest prices on a market.
-The most present day software.
-Regularly updated databases.
-High response from distribution.

Posted in Spam | 1 Comment

Evgeny Legerov is wrapping up his month of 0day awareness. We are mid-way through his week of database 0day on the Intevydis blog:

“[January 25 - February 1] – week of database bugs, inspired by our research for DBJIT Toolset, 0days in Mysql, IBM DB2, Lotus Domino, Informix, Oracle(?)…and hopefully more”

Mostly all of our ThreatFire workstation users remain unaffected, as the noted attacks focus on enterprise level issues. So far this week he’s delivered the goods on all the major databases. If you’re unaware, Legerov runs a responsive shop developing exploit packs for the Canvas penetration-testing suite.

Posted in Adware & Spyware | 1 Comment

As a followup to our early Jan Bredolab email blast warning, this post presents technical details and functionality about the payload accompanying the delivery notice + invoice attachment. While past posts have described the downloader’s windows api hook overwrite functionality, related social engineering techniques, its Zbot and FakeAv downloads, this post identifies a different injection and banking password stealing payload.

The Bredolab downloader variant repeats the same exploits to bypass security apps and perform “hook overwrites”. It abuses the same exploits as our previous variant; MS07-017, MS08-025, CVE-2004-2339. These hook overwrites are performed across the dropper threads and all injected threads (within explorer.exe and svchost.exe) with a simple comparison and copy: rep movs dword ptr es:[edi], byte ptr ds:[esi].

After the injection into explorer, the malcode reports its installation and retrieves info at dollardream .ru, dropping a tmp file to disk and running it. Following the connection with dollardream. ru, the new process creates a directory under users\application data\microsoft\windows and the mspdp<number>.dll, making the dll a persistent presence on the system with an AppInit_dlls registry entry. After the dll and reg key have been created, it deletes itself and calls InitiateSystemShutdown, restarting the system.

Because this DLL maintains an entry under the AppInit_DLLs registry key, it reliably will load into each process running on the victim system’s, including all web browser processes. At dll load time within Internet Explorer, for example, it hooks a dozen different windows API prologues. The malicious code is precisely placed to be reliably notified when data important enough to be encrypted is being sent off of the machine. It intercepts and examines all user data prior to encryption.  When data being sent over http is examine, the code first performs a hash comparison on the HTTP headers to identify “interesting” Urls. These approximately 25 “interesting” Url strings are all banking and financial account related, except for a couple social networking and photo share web sites. Here is a view of the code locating content within the raw packet data, after a user has typed their username/pass and clicked on “Login”:


Once the malcode parses the data stream and identifies interesting locations within the stream, it retrieves the input data (i.e. banking user names and passwords), and immediately writes the sensitive data out to file. The file is placed in the same subdirectory as the dll itself, in our lab example: “all users\application data\Microsoft\Windows\Network\Network\mspdb80.dll”. This “.dll” file extension and name choice mimics that of a legitimate file distributed with Visual Studio, and instead contains the stolen login data in plain text. This content is gathered and sent off the system to a server hosted in Russia in the 109.196.143.xx range…


As you can see, it is very important to pay attention to the attachments that you attempt to open, and whether or not they are malicious executables or just look like a harmless spreadsheet.


Update (2/10/2010): appears that other researchers are interested in alerting the public as well, only their February writeup includes interesting details that ACH and wire transfer institutions are targeted by the dll, in addition to what was posted above.

Posted in Online Fraud | Leave a comment

Banload is a malware name that is typically associated with banking trojan downloaders, but the Banload-detected sample covered in this post is a bit different than the norm.  The MD5 hash for this sample is 707D3477CBBEAD4923B17CE353D9761D. And, just to note, currently click fraud is reported elsewhere to challenge even the biggest, most technologically advanced online advertising companies. Some of the up-and-comers are committed to studying low intensity search abuse schemes as well.

Initially this DLL is loaded with regsvr32.exe, in order to perform an installation.  It installs a GUID in the “Browser Helper Objects” registry key which tells Internet Explorer where to find the DLL on disk.  Next it installs an executable (ctfmon_qj.exe) which will start any time the ctfmon.exe executable is launched.  It does this by inserting a “Debug” registry value in the “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe” registry key.  This causes ctfmon_qj.exe to be launched instead of ctfmon.exe, as it is being treated as the “debugger” for ctfmon.exe.

Ctfmon_qj.exe, when run, launches the actual ctfmon.exe; then proceeds to launches Internet Explorer.  This would guarantee that the browser helper object is loaded as soon as ctfmon.exe executes.  Once loaded, the DLL sits in Internet Explorer waiting for someone to navigate to a URL, such as clicking the “Search” button on  The destination URL is then scanned by the BHO for,, and  If one of these domains are found in the URL, it starts looking for the search term, which is usually prefaced with something like, “&q=TERM” in Google’s case, or “&p=TERM” in Yahoo’s. It then harvests these query terms for later use and possibly evasion of click fraud detection algorithms.

After the term is found, a connection is made to takeasearch .com and the Bho sends the search term and a machine identification number, which is derived from your primary hard disk’s serial number.  The information that the takeasearch .com site returns tells the BHO what to do next.  There are several commands that can be returned from the web presence: DL:, GO:, REF: and OK:.

The first code path for the Bho to take depends on the returned data containing “DL: URL”. The BHO will send an Http GET to the URL as specified by the “DL:” command, saving the response to a file in the “C:\Program Files” directory, naming it “KB%i.exe”. The %i represents a random number generated by the rand() function.  The downloaded file is then executed via the ShellExecute() API.

If the response contains “GO: “, followed by a URL, the browser will be redirected to that URL.  There is also a timer that runs within Internet Explorer that will control the malware’s launch of a new instance of IE. This instance of  Internet Explorer is launched with a hidden window, so the browser runs on the system without the user’s consent or knowledge. The hidden browser will periodically connect to searchaccelerator .net with the machine identification token. As witnessed with the takeasearch .com result, if a “GO: ” response is provided to the hidden browser, it will be sent to several addresses that redirect the browser to its final destination. This final destination page is covered with ads that reportedly are “pay per impression” with revenues split between affiliates.

Here’s a sample conversation from the “hidden” Internet Explorer window. It is full of redirection:

1) GET http ://searchaccelerator .net/qi3.php?YBNz(shortened)
REF:http ://totalfinder .info/ search.php?q=Insurance%20recovery%20cars|GO:http ://totalfinder. info/clicks?719578181|DST:comparedby.us1234|RVER:80|TIMW:8|

We can see that the response contains several pieces of information, delimited by the vertial-pipe character. All of this information specifies the queries that the malware running on the user’s system is to carry out. The REF field tells the BHO to set the “Referrer: ” http header to the specified URL when sending a GET to the target URL, specified by the GO field.  The DST field is the browser’s final destination.

2) GET http ://totalfinder .info/ clicks?719578181
HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.9
Location: http: //totalfinder .info/ search.php?q=Insurance%20recovery%20cars&sess=719578181

We can see in the response that the web server at totalfinder .info has redirected the browser via the “302/Found” HTTP response code to the next url. This subsequent url is also on the totalfinder .info domain, but this time, we observe high value search terms present in the URL itself: “Insurance recovery cars”. The redirection contains additional information, in our labs, we observed that these queries were most likely harvested from other infected systems, in an effort to randomize the redirected query terms.

3) http ://totalfinder .info/search.php?q=Insurance%20recovery%20cars&sess=719578181
<html><body><form name=”formrfgz” action=”http://68.169.70. 144/ go.php” method=”GET” target=”_top”><input type=”hidden” name=”c” value=”—truncated for brevity—”></form><script language=”JavaScript”>formrfgz.submit();</script></body></html>

On the third leg of redirections, we can see the that we actually load a regular web page with some html and a javascript.  On this page there is a form, with an action attribute that contains a URL to which the formrfgz.submit() function will tell the direct the browser to fetch this url.

4) http://68.169.70. 144/ go.php?c=truncated-for-brevity-again

HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html
Location: http :// .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0

Again, we see another 302 status redirect to a different URL.

5) GET http :// .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0

<script language=”javascript”>
function v3clicktoit ()

<body bgcolor=”#FFFFFF” OnLoad=”Javascript:v3clicktoit()”>
<form name=”clickit” method=”POST” action=”/jump2/?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars”>
<input type=”hidden” name=”kw” value=”insurance recovery cars”>

The fifth redirect loads a regular webpage as was seen in redirect 3, and it uses the same submit() javascript function to direct the browser to “POST” the form, to the next URL.

6) .com/jump2/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars
<frame name=’target’ src=”http ://r.looksmart .com/og/ ad=725195471;ag=732989664;kw=930857280;qt=insurance%20recovery%20cars;ip=;geo=0;vid=0;rm=|http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a&camp=Moxy+H+RON&group=Moxy+H+RON&keyword=insurance%20recovery%20cars”>

As we near completion of our redirects, we can see a frame on this page, which loads the ‘target’ url which is on the r.looksmart .com domain.  It contains many parameters in the URL, which was shortened a bit, but still shows some of the interesting pieces of information being passed along.  From what we’ve seen thus far, we can speculate that there is an advertisement id, advertisement group, keyword id, query term, the computers external IP address, geological location id, and a the destination URL.

7) http ://r.looksmart .com/og/ …
HTTP/1.1 302 Found
Location: http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a

After this last “Found” redirect, we arrive out our destination. Here is a list of final destinations for the Bho and hidden IE process, and matching query terms returned by the servers:

iaf .net — injury lawyer
yb .com — maricopa employment
theyellowpages .com — car insurance quotes
comparedby .us — sewing material
theyellowpages .com — fish window cleaning
comparedby .us — memory tattoos
glimpse .com — QUEST SECURITY
allthebrands .com — sowing machine
yellowpages.lycos .com — teleflora
hotjobs .com — lyrics to anberlin unwinding cable car
hotjobs .com — mortgage companys in brownsville
theproductdepot .net — where does ivy tech culinary arts program rank
healthline .com — commercial locksmiths contra costa
yellowbook .com — will st johns wort stop pantic attacks
freepornvideos .com — anniversary party
hilcoind .com — scoliosis
longmontflorist .com — hall funeral home
milehigh-harley .com — www rentals
comparedby .us — advanced driver improvement

In all search queries above, the common points of redirect are 206.161.121. 110, 68.169.70. 144, local-search-pages .com, discover-facts .com, find-dozens .com.  Not coincidentally, all of the domains hide behind the same privacy registration service, making whois registration information unavailable.

In some instances, the search query is handed off to pay-per-click advertising sites and in others it passes the search directly to a site with an affiliate-id. It’s a complicated trail to follow, considering all of the redirections and affiliates, but the end result is artificially generated traffic to ad-serving sites. And stealing real search queries, misspellings and all, help to create data that best replicates input from a real online “consumer”.

Posted in Privacy | 4 Comments

In an early-2009 literary flourish we condemned spammers to hell, discussed the Tedroo spambot’s increased momentum due to the shutdown of other botnets, posted screenshots of the Tedroo spewed pharmaceutical spam and related scam sites, and noted its distribution via malicious pdf files. Tedroo’s increased presence and its distribution is continuing into 2010. As a matter of fact, while the distributors are relying on users’ delays in updating their vulnerable pdf readers like Acrobat, the distributors are actively maintaining/modifying the bot itself — AV scanner results on the repacked binaries are very low as the modified variants are newly re-released.

Vulnerable systems with out-of-date Adobe Acrobat installs are the main focus of the attacks involving the Tedroo spambot. The spambot commonly is being distributed via a set of canned attacks using what appears to be a version of the Liberty Exploit kit. The Liberty pack maintains an effective set of Acrobat attacks, and considering the thousands of Acrobat attacks prevented on ThreatFire systems since the beginning of Jan, the attacks themselves are well chosen — vulnerable versions of Acrobat Reader continue to be readily available, even in this new decade. 

Once the malformed pdf’s shellcode is passed control on a victim system, it attempts to download multiple components from another server. In our samples, a system hosted in China. There are several downloads to choose from on the server. The first of the files is a loader, carrying a packing stub somewhat similar to the recent Bredolab packed malware with an outer layer of encryption on top of a UPX packed inner layer. It drops a dll to an alternate data stream of a random file in the windows or system32 directory. It then registers that ADS in the AppInit_DLLs so that the dll is loaded at startup. The dll is loaded, and maintains a long list of paths and executables. Most are related to security solutions (examples are listed below) and system components. It terminates a group of them immediately. It then adds entries for security software to the Restricted Software Policy list in the registry, an AVKill method that we haven’t seen fully described as one elsewhere:  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\<SID>

C:\Documents and Settings\All Users\Application Data\PC Tools
C:\Program Files\Common Files\PC Tools
C:\Program Files\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
C:\Program Files\ESET
C:\Program Files\Panda Security
C:\Program Files\Avira
C:\Program Files\Norton AntiVirus
C:\Program Files\Alwil Software
C:\Program Files\Agnitum
C:\Program Files\Symantec

With that undetected (on the day of discovery) component loaded and AV processes killed, the Tedroo spambot is loaded. In the latest loader variants associated with the bot, we observe an interesting entry point with anti-debug and anti-emulator tricks that can be vaguely described as an abuse of “Modern” CPU Instructions. In this case, the packer implements an unexpected x86 VMX instruction — VMLAUNCH. Versions of reverser-friendly Ollydbg decode it to “sgdt edx” and cannot handle the instruction at runtime, reporting to the user that it does not know how to step into it, while some vendor emulators also have a difficult time decoding it. 

Olly sgdt

Windbg, on the other hand, decodes the vmlaunch command properly as specified by the Intel Reference material, seen below…

Windbg vmlaunch

Following the malware entrypoint, a windbg deadlisting shows “mov ecx, 0x4fffh”, followed by the vmlaunch. On processors we observed, this setup thows an exception for an Illegal Instruction with ecx = 0x4fffh. The writers of this trick, however, took it upon themselves to force the code to trigger this exception 20,479 times (the decimal representation of 0x4fffh). It’s implemented by registering an SEH pointer to code that simply stores the counter, decrements it, and returns back into the ExcecuteHandler2 function within ntdll that’s within the standard flow of Windows exception handling. Each time, the exception “handler” code returns back into RtlDispatchException and eventually NtContinue, where CONTEXT.eip takes control directly back to the Illegal Instruction location, triggering yet another exception. When the counter finally is decremented to zero, the unpacking stub then modifies CONTEXT.eip on the stack so that flow passes out of this exception loop at ntdll.NtContinue and further into its unpacking stub. Tricky stuff indeed.

Decrement ecx value within the process CONTEXT struct

Decrement ecx value within the process CONTEXT struct

Continuing on its code path, the code first checks if it’s been run before on the victim system, looking for registry values it creates:

HKCU  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKCU  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
    value: userini path: c:\windows\explorer.exe:userini.exe

It copies itself as an alternate data stream of explorer.exe

It sets this ADS to load at startup in the various autorun registry entries listed above, and then runs thru a series of sleeps/gettickcout to delay activity and cloak itself.

 After a long wait, the spambot calls InternetConnectA and HttpOpenRequestA to contact its hardcoded server and retrieves more spam templates. The resulting spam recently has all led to www . pharm directbook .com, another ”Canadian Pharmacy #1 Internet Online Drugstore”. This behavior is similar to that noted in our past post. The sites have been run for years by a group otherwise known as “Glavmed“, selling knockoff, illegal pills with shifty names like “Viagra Professional”…

www .pharmadirectbook. com


In spite of the significant shutdowns over the past year, spam like Tedroo’s continues to mess it all up on the net. Don John couldn’t have tried to mess up a good thing any better himself.

Posted in Spam | Leave a comment

A strange conclusion to Steve Lohr’s NY Times article yesterday “Companies Fight Endless War Against Computer Attacks“, reporting that federal mandates may be considered for software at some point because of market failures.

“Just as the government eventually stepped in to mandate seat belts in cars and safety standards for aircraft, says James A. Lewis, a computer security expert at the Center for Strategic and International Studies, the time has come for software.

Mr. Lewis, who advised the Obama administration about online security last spring, recalled that he served on a White House advisory group on secure public networks in 1996. At the time, he recommended a hands-off approach, assuming that market incentives for the participants would deliver Internet security.

Today, Mr. Lewis says he was mistaken. “It’s a classic market failure — the market hasn’t delivered security,” he said. “Our economy has become so dependent on this fabulous technology — the Internet — but it’s not safe. And that’s an issue we’ll have to wrestle with.”

Posted in Privacy | 3 Comments

Previous post described the installation process of the trojan and its backdoor commands.

Now it’s time to inspect its connection details, in particular – where does it retrieve the host name of the remote command-and-control (C&C) server.

The source code of the trojan contains a hard-coded host name that is tried out every 5 seconds, but these values must have been used during testing only – they are replaced with the different ones during the runtime – we must establish which ones.

It is also worth noting that the trojan’s code is very fragmented – it is deliberately split into small chunks with the size of a few instructions each, connected with the calls and jumps into a large maze: the code of Trojan.Hydraq contains 1,748 jumps and 922 calls – tracing it requires quite a bit of a patience. Graph image of the disassembled source indeed reminds a serpent-like beast – hence, probably, the name.

Hydraq’s call-only graph:

The trojan carries its C&C connection details (server, name, port, retry delay, etc.) inside the internal resource (name is 100, type is 243). The resource is 344 bytes in size, and it is encrypted.

Decryption of the resource is performed in 4 stages:

  • The first 8 bytes of the resource are skipped, the remaining 336 bytes are XOR-ed with 0×99
  • Next, every byte from the 336 input buffer is translated according to the following logics:
    • if the byte is a character from ‘A’ to ‘Z’, it is subtracted ‘A’ value (0×41)
    • if the byte is a character from ‘a’ to ‘z’, it is subtracted ‘G’ value (0×47)
    • if the byte is a character from ’0′ to ’9′, it is added 4
    • if the byte is a character ‘+’, its replaced with ‘>’
    • if the byte is a character ‘/’, its replaced with ‘?’
    • if the byte is a character ‘=’, its replaced with ‘\0′
    • otherwise, the byte is left as is

  • The input buffer is then converted into the resulting buffer which is 25% smaller. This is achieved by splitting every byte quartet (bytes 0-3) from the input buffer into 3 pairs (0-1, 1-2, 2-3), performing operations over these three pairs, and writing 3 byte results into the output buffer. This way, the 336 bytes will be converted into 252 bytes (4 -> 3 conversion); in some way, it’s similar to unpacking all-ASCII base64 back into binary. The operations performed over the 3 pairs are illustrated below:
  • Finally, the resulting 252 bytes are XOR-ed with 0xAB

The fully decrypted resource is shown below:

Knowing this logics, the decryption can now be reconstructed in a stand-alone tool; a function that retrieves and decrypts the resource from the trojan DLL is provided below (should be run from a virus lab as loading the DLL will invoke its entry point):

#define IDD_RES_NAME   100
#define IDD_RES_TYPE 243

void DecodeHydraqResource()
    HMODULE hDll;
    HRSRC hRes;
    HGLOBAL hResLoad;
    BYTE lpBuffer[0x150];
    BYTE lpResult[0x150];
    int iResultOffset;
    int i;
    char szHost[MAX_PATH];
    int dwDelay;
    int dwPort;
    char szAltDnsServer[MAX_PATH];
    char szMessage[MAX_PATH * 4];
    BOOL bOk;

    szHost[0] = '/0';
    dwDelay = 0;
    dwPort = 0;
    szAltDnsServer[0] = '/0';
    bOk = FALSE;
    szMessage[0] = '/0';

    hDll = LoadLibrary(_T("sample.dll"));
    if (hDll)
        if (hRes)
            hResLoad = LoadResource(hDll, hRes);
            if (hResLoad)
                memset(lpResult, 0, 0x150);
                iResultOffset = 0;

                if (SizeofResource(hDll, hRes) == 0x158)
                    memset(lpBuffer, 0, 0x150);
                    memcpy(lpBuffer, (LPBYTE)hResLoad + 8, 0x150);

                    for (i = 0; i < 0x150; i++)
                        lpBuffer[i] ^= 0x99;

                        if ((lpBuffer[i] >= 'A') && (lpBuffer[i] <= 'Z'))
                            lpBuffer[i] -= 'A';
                        else if ((lpBuffer[i] >= 'a') && (lpBuffer[i] <= 'z'))
                            lpBuffer[i] -= 'G';
                        else if ((lpBuffer[i] >= '0') && (lpBuffer[i] <= '9'))
                            lpBuffer[i] += 4;
                        else if (lpBuffer[i] == '+')
                            lpBuffer[i] = '>';
                        else if (lpBuffer[i] == '/')
                            lpBuffer[i] = '?';
                        else if (lpBuffer[i] == '=')
                            lpBuffer[i] = 0;

                    for (i = 0; i < 0x150; i++)
                        lpResult[iResultOffset++] = (lpBuffer[i] * 4) ^ (lpBuffer[i + 1] / 16);
                        lpResult[iResultOffset++] = (lpBuffer[i + 1] * 16) ^ (lpBuffer[i + 2] / 4);
                        lpResult[iResultOffset++] = (lpBuffer[i + 2] * 64) ^ (lpBuffer[i + 3]);
                        i += 3;

                    for (i = 0; i < 0x150; i++)
                        lpResult[i] ^= 0xAB;

                    i = strlen((LPSTR)lpResult);

                    if ((i > 0) && (i < MAX_PATH))
                        strcpy(szHost, (LPSTR)lpResult);
                                lpResult[iResultOffset - 4],
                                lpResult[iResultOffset - 3],
                                lpResult[iResultOffset - 2],
                                lpResult[iResultOffset - 1]);
                        dwPort = *(LPDWORD)(lpResult + iResultOffset - 12);
                        dwDelay = *(LPDWORD)(lpResult + iResultOffset - 8);
                                _T("Remote Host: %s\nAlternative DNS Server: %s\nConnection Port: %d\nDelay between connection attempts: %d sec."),
                        bOk = TRUE;


    if (!bOk)
        MessageBox(NULL, _T("Failed to retrieve any details!"), _T("Error"), MB_OK);
        MessageBox(NULL, szMessage, _T("Success"), MB_OK);


Once the trojan knows its C&C server, it attempts to connect to it via the specified port – e.g. server, port 443.

It starts doing so by trying to resolve its host name first. If this attempt fails, the trojan makes a DNS query by crafting a TCP packet on port 53 of an alternative (legitimate) DNS server, also specified in its resource, in order to resolve the same host name. For example, the analysed sample has alternative DNS server – this is server located in Taiwan.

If Hydraq can’t connect to the remote server, it falls asleep for the time specified in its resource (2 minutes), then repeats the beaconing again.

If the connection to remote host on port 443 succeeds, the malware prepares a packet to send – it is 20 bytes in size:

00 00 00 00 00 00 FF FF 01 00 00 00 00 00 00 00 00 00 77 00

The packet is encoded by inverting its bytes:


As soon as the packet is submitted to the live C&C server, it receives the response packet that is also 20 bytes in size. It is encrypted with the XOR 0xCC.

Hydraq decodes the received packet and retrieves the command ID from it – a number from 0 to 18, which is then converted into the backdoor command group – a number from 0 to 10. Conversion rules Command ID -> Backdoor Command Group are shown below:

  • 0 -> 0 (adjust privileges, terminate processes)
  • 1 -> 1 (control services group)
  • 2 -> 2 (remote file execution)
  • 3 -> 3 (registry manipulation group)
  • 4 -> 4 (file system manipulation group)
  • 5 -> 10 (receive more data)
  • 6 -> 5 (system manipulations – power off/reboot/uninstall/clear events)
  • 7 -> 6 (file search)
  • 8 -> 7 (call other components)
  • 9 -> 10
  • 10 -> 8
  • 11 -> 10
  • 12 -> 10
  • 13 -> 10
  • 14 -> 10
  • 15 -> 10
  • 16 -> 10
  • 17 -> 10
  • 18 -> 9 (networks.ics file manipulations)

Next, a specific command from the chosen group is executed. For more details on backdoor groups and commands within them, please check the previous post.

It may be assumed that upon successful connection to the remote C&C server (, the trojan was designed to be able to update itself. A new copy may have a different C&C server specified in its resource (e.g., or as in the last seen sample – in order to survive the shutdown of the old servers.

The presence of a resource that stores all the connection parameters could potentially indicate an intented cloud-based automation for updating the same template with a newly generated resource without the need to recompile the sample, with the obfuscation step added on top of it to evade existing detections. With the relatively high update frequency of such server-side polymorphism, the C&C server shutdown may always fall behind; given the fact the firewalls let the traffic on port 443 through (HTTPS traffic), a heuristic detection of Trojan.Hydraq (added as Trojan.Hydraq!gen1) is a viable option that reliably breaks this vicious circle.

Posted in Virus News | Leave a comment

The Google compromise in China story builds interest as Microsoft released an advisory and blog post on the relevant Internet Explorer browser vulnerability, crediting “details” to Google, Mandiant and others. A number of factors are unfolding a dramatic story here, with the detection of a 20-year old Stanford student’s computer targeted and attacked (it seems to be no surprise that a regional coordinator of Students for a Free Tibet would be another target), and mention of Sergey Brin’s own Russian refuge background reported “The source told the Guardian the company’s decision was largely influenced by the experiences of Sergey Brin’s Russian refugee background.”

The 0day Google hack attacked a invalid pointer reference within Internet Explorer. It seems that malicious web links were visited by Google employees, resulting in FUD spyware installations on their workstations. Over the past couple of decades, this type of vulnerability has been exploited and sometimes resulted in hugely prevalent and successful exploits on the web, such as the infamous createTextRange Internet Explorer mshtml.dll hole.

Update: Google China employees seem to have been given an early holiday, according to Tech Crunch IMers.

The trojan itself has been analyzed and described on our ThreatExpert blog here and more information from Symantec on the attacks here.

Posted in Virus News | 1 Comment

The post describes functionality (static analysis) of the trojan that was reported in the recent targeted attacks against some large companies.

Trojan.Hydraq trojan is a DLL that runs as a service within the context of the system process svchost.exe.

In order to be executed within the process svchost.exe at the system startup, the trojan employs no injection techniques – this is achieved with the steps described below.

Firstly, the trojan registers itself as a system service RaS[4 random characters] by creating registry entries under the newly created key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]

The “ImagePath” value of its service registry key is set to start svchost.exe, as shown below:

“ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]

This will force the system process svchost.exe to look up its multi-string value “netsvcs”, load all services specified in it into its address space, and then call their ServiceMain() exports.

To make svchost.exe aware of its existence and be loaded too, the trojan adds its service name into the list of strings (service names) stored in the value “netsvcs” of the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

To make sure its service name is added to the list of services only once, the trojan queries the contents of the value “netsvcs” to make sure that the multiple strings stored in that value do not contain any string that starts from “RaS” (case-sensitive).

Other parameters of the newly installed service are specified in the values:

ObjectName = LocalSystem
Type = dword:0×20 (a win32 service that can share a process with other win32 services)
Start = 2 (to be loaded automatically for all startups)

of the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]

Finally, to let svchost.exe process know where to load the DLL from, the image path of the trojan’s service DLL is saved by setting the value:

ServiceDll = [path to trojan DLL]

of the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]\Parameters

The file name of the trojan DLL is retrieved by calling GetModuleFileNameA() API, as the trojan knows its name may vary.

For instance, the trojan can create a copy of itself under a random filename in the %TEMP% directory; if it locates a file %TEMP%\c_1758.nls, it may rename that file under a different file name.

NOTE: %TEMP% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP), or C:\User\[UserName]\AppData\Local\Temp (Windows Vista, Windows 7).

The Hydraq trojan installs a backdoor trojan that listens for incoming commands. The commands allow the trojan to perform multiple actions – the trojan organizes them into groups – these commands are enlisted below with the [group number].[internal command number] prefixes:

  • [0.0] adjust token privileges
  • [0.1] terminate processes
  • [1.0] enumerate name and status for all system services
  • [1.1] control arbitrary services
  • [1.2] query status for arbitrary services
  • [2.0] receive remote file and save it as %TEMP%\mdm.exe, then launch it by using command control program %SYSTEM%\cmd.exe
  • [3.0] enumerate registry keys under the specified key
  • [3.1] enumerate registry values for the specified key
  • [3.3] query registry values
  • [3.4] set registry values conditionally
  • [3.5] set registry values unconditionally
  • [3.6] delete registry keys
  • [3.7] create registry keys conditionally
  • [3.8] create registry keys unconditionally
  • [4.0] retrieve the list of logical drives on a system
  • [4.1] read files from the local file system
  • [4.2] execute arbitrary files
  • [4.3] copy files in the local file system
  • [4.4] delete arbitrary directories
  • [4.5] rename files
  • [4.6] change file attributes
  • [5.1] power off computer
  • [5.2] reboot Windows
  • [5.3] uninstall itself by deleting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
  • [5.5] clear all system event logs (application, security, and system pools)
  • [6.0] enumerate files in the specified path
  • [7.11] check if %SYSTEM%\acelpvc.dll is present – if it is present, load it and call its EntryMain() export; check the presence of the DLL %SYSTEM%\VedioDriver.dll
  • [9.1] open the file %SYSTEM%\drivers\etc\networks.ics and read 616 bytes from it
  • [9.2] delete the file %SYSTEM%\drivers\etc\networks.ics

In addition to the commands enlisted above, the trojan retrieves CPU speed by querying the “~MHz” value from the registry key:

The stolen details are then delivered to the remote site.

Hydraq trojan is capable to keep inter-process communications with other components via a named pipe – a separate thread is spawned for that purpose.

Internal data or configuration is stored by the trojan in the values “IsoTp” and “AppleTlk” in the dedicated registry key:

Continued in part II.

Posted in Virus News | Leave a comment

Over the past 16 hours, we’ve seen a sharp spike in the number of UPS_Invoice themed malware being run and prevented on systems. We’ve seen this invoice scheme many times before, but to many computer users, the scam still is not familiar. The files often are delivered as .zip attachments, containing a malicious Bredolab downloader or Zbot password stealer. Again, this is the extracted file’s appearance, after it is unzipped and file extensions are not visible (a folder option). Compare it with the screenshot below. the difference is not obvious, unfortunately:



 And here is a screenshot with the extensions visible:


Some of the names being used and designed to fool users include…


Be sure to examine the contents of .zip files prior to attempting to open them. We will update this post as more information is available.

Posted in Spam | 1 Comment

There is an infinite number of ways to calculate 2010, here is a fairly fun list of some of them.

The past year showed massive numbers of malware being run on systems across the globe. Behind the malware was an active malware marketplace, often with forums full of services for hire, advice on distributing and maintaining crimeware, and devious ways to hire money-mules.

There is more than meets the eye to these services. Much of the activity was not being discussed in these public forums or was as front and center in the media as the Conficker circus. While bot activity is not new to the party, a recently published study “SBotMiner: Large Scale Search Bot Detection“ brings in the year with a fresh start on identifying and quantifying malicious search bot traffic. The activity is under-studied and significant: the “miner” identified that almost 4% of all query traffic is bot-related (which represents at least hundreds of millions of search queries every couple of months), and that seems to be only the tip of the iceberg. The traffic was collected in Feb and April 2009, the search engine is not specified (google, yahoo!, live, altavista, ask, etc.) and that selection may have impacted the studies’ volumes and results. It is suggested that Live search results were used, so results most likely are much larger when the other engines are considered. The study also includes more forms of bot-based attacker-related traffic, instead of exclusively examining click fraud related bot queries and activity.

The discussion and findings included:

“More importantly, detecting bot-generated search traffic has profound implications for the ongoing arms race of network security. While many bot queries from individual hosts may be legitimate (e.g., academic crawling of specific Web pages), a significant fraction of bot search traffic is associated with malicious attacks at different phases. In addition to the well known click-fraud attacks that can be commonly observed in query logs, attackers also use search engines to find Web sites with vulnerabilities, to harvest email addresses for spamming, or to search well-known blacklists.”

“Attackers are leveraging search engines for exploiting vulnerabilities of Web sites. SBotMiner Identifies 88K searchbot groups searching for various PHP scripts and ASP scripts.”

“Using the entire datasets, SBotMiner detects 8,678 groups searching for PHP scripts in Feb and 79,337 such groups in April; 64 groups searching for ASP scripts in Feb and 301 groups in April. These searches spread all over the world.”

“Initial evidence shows that many of them might be associated with various forms of malicious activities such as phishing attacks, searching for vulnerabilities and spamming targets, or checking blacklists. Interestingly, attacks from different countries and regions do exhibit distinct characteristics, and search bots from countries with high bandwidth Internet access are more likely to be aggressive in submitting more queries.”

“We used sampled query logs collected in two different months and identified 700K bot groups with more than 123 million pageviews involved. The percentage of bot traffic is non-trivial — accounting for 3.8% of total traffic”  

So how might this effect you, dear reader? Well, 2010 already brings with it more publicly available information on the methods being used to harvest information about you, the blackhat Seo that these groups are increasingly relying on and the means in which these groups attempt to identify vulnerable servers to attack and use, in turn, to attack your system. It’s a fine read with some fresh information and an enjoyable way to settle into the New Year.

Posted in Adware & Spyware | Leave a comment

Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.

Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

Posted in Virus News | Leave a comment

Malware often just isn’t pleased to be running on ThreatFire protected systems. To gather data for the intelligence built into ThreatFire and BehaviorGuard for evaluating system events (which proves to be the best at blocking malware), ThreatFire blends into the Windows system itself. Some of the changes it makes may be unappealing to malware, although legitimate applications won’t notice. This difference is because of the complicated manner in which malware continues to be written, in order to evade various types of security products.

Sometimes, it’s easy to misunderstand the cause and effect of this sort of error. Since it is difficult for customers and even testing groups to quickly understand crashes that they may see on their system, this variant deserves some space: Koobface crashes on the most recent ThreatFire protected systems. It’s much better than the alternative.

As posted previously and discussed in major publications, Koobface is an extremely active family of malware. Victims consistently fall for web pages that appear to be serving up codecs from links that are posted on their friends’ social networking pages. So the links and phony codecs seem all the more trustworthy, and victims are left with the Black Spot. Let’s dive into some of the technical details.

The latest version of Koobface maintains an unpacking stub using code that legitimate software does not contain. Instead of calling the documented and well known GetProcAddress function to dynamically resolve needed addresses of functions exported by kernel32 and other dll system modules (one of the most common, documented functions at process-load on Win32 systems), the phony Koobface unpacking stub implements a custom and somewhat bizarre address resolution routine. First, it searches for the start of the kernel32 module in its process’ virtual memory space and then performs an unusual comparison to find the beginning of the function that it is interested in, in this case VirtualProtectEx. The comparison works like this:

Locate and verify Kernel32 within the process memory space

Loop through Kernel32 one byte at a time, gathering four bytes of data for comparison

Bitwise “AND” the current four bytes of data with the next four bytes in memory

Compare the results to the hardcoded value “5181045″

Once “5181045″ is found (which is first found in VirtualProtectEx within the kernel32 address space), perform another comparison, looking for the function prologue. If it’s a match, FOUND IT!, and call into this VirtualProtectEx memory location.

The related disassembly implementing the “logic” above constains these instructions…

mov ecx, dword ptr ds:[eax] (where EAX = Kernel32.7C800002, now ECX = 00030090)

and ecx, dword ptr ds: [eax + 4]

cmp ecx, 5181045

mov ecx, dword ptr ds:[eax] (EAX = Kernel32.7C801A6F)

and ecx, dword ptr ds: [eax + 4] (ECX = 1875FF57, EAX = 7C801A6E, [EAX+4] = 75FF1045)

cmp word ptr ds: [eax], 8B55 (8B55 is little endian 0x558B..x86 is push ebp)

call near dword ptr ds: [eax] <– call the expected function, in this case VirtualProtectEx

Now, ThreatFire makes some slight modifications to blend into the system at runtime. These modifications may cause one of Koobface’s odd GetProcAddress custom replacement routine’s checksums to fail (again, legitimate applications using “GetProcAddress” succeed at resolving their imports on ThreatFire-protected systems just fine). With this change, the Koobface unpacking stub cannot find 0×55 (push ebp), 0x8B (mov ebp) until it reaches GetSystemTimeAsFileTime, which is the incorrect function (just using the documented GetProcAddress function would work fine here). GetSystemTimeAsFileTime receives unexpected data passed in as a parameter and exception occurs.

Unfortunately, the Koobface binary may be left on the desktop because it has not performed anything malicious and ThreatFire won’t see any further behavior from the executable in question. It’s for this reason that defense in depth is always recommended — with the PC Tools Internet Security Suite, the system scanners kick in and can identify the file itself, and the Site Guard can protect your browsers from visiting malicious Koobface sites in the first place. Its layers of protection raise system protection to levels that users can be confident in.

Posted in Virus News | Leave a comment

Results of a lengthy real-world malware protection study are published here.

Posted in The Law | Leave a comment

Sometimes gadgets are great fun and security isn’t a critical concern, but when price tags on military technology are upwards of several million dollars, it’s always a surprise to read about potential errors in design. Apparently, video feed communications are made in the plain from U.S. military drones, resulting in an easy way to intercept these communications – a $26 software package called “SkyGrabber” (whose Russian distribution site currently is down, possibly for good). Skygrabber can be used to hijack and intercept video feeds from satellites.

Not exactly “hacked drones”, but poorly secured at the least.


SkyGrabber by SkySoftware

SkyGrabber by SkySoftware

Posted in The Law | Leave a comment

It seems that the news on Chrome OS release have left no one neutral; some observers are beating the drums of its imminent failure and premature death, by relying on rather oversimplified concepts of cloud computing and insinuating about the reasons why careless moms and dads just can’t grasp the concept of strong passwords (“how many times did we tell them to memorize Qp%n#82r$7D, but they keep writing it down on a piece of paper or even worse – keep choosing 12345?”).

From the point of view of these observers, the new security model of Chrome OS is not much different from this:

Let’s step back for a moment and try to give it a fresh and fair look. Let’s also keep in mind that many good projects make their way into our lives by having 3 stages of its public perception: strong criticism (almost always, and that’s where many fail), gradual, painful at start, then easier adoption, followed with a final stage that can be characterized as “Well, what’s so special about it?”. We don’t want to fall the victims of the first stage, no matter how natural for humans it is, right?

Well, Google claims that under Chrome OS hood “all apps are web apps”. Boo! But hold on a second, isn’t it already true for Hotmail, Skype, online banking, and lots of other online web services that we are relying on so much every day?

Now come into a computer store (mentally) and look (again, mentally) at the average mom and dad who want to buy a new computer. Is it really a surprise to learn that most they’re going to use it for will be “web apps” anyway, such as web, email, IM/chat/forums, Internet phone, documents editing/printing (bills/taxes/records), personal finance services (online banking, trading stocks), online gaming, etc. ?

Sure enough, with a web-only machine they won’t be able to scan documents, but given the market exists, there will be dedicated scanners for the home users that will scan the documents and send the images over to their online accounts. They won’t be able to listen or watch CD/DVD, but there are specialized devices that do it better anyway. They won’t be able to play games with the powerful graphics, but there are plenty of gaming consoles for that purpose too.

Somehow it comes to a point – would you prefer to have a TV, a DVD/BD player, and a sound system as dedicated stand-alone devices, maybe from the different brands, or have all of them combined in one (cheaper) device? Would you prefer to have a printer, a scanner, and a telephone as separate devices, or a combined (cheaper) unit?

If you choose the second option, then you must really adore your phone’s camera! If you choose first, even if it’s a pricier option, doesn’t it sound reasonable to have a dedicated device to handle web-only services?

For start, let’s stick to just one such service – Internet Banking. Imagine having a dedicated 100% secure tiny netbook that allows you to bank online. It boots in 10 seconds and it can’t run malware by design. Sure enough, hackers will try hacking a device like that to run Windows on it, but that won’t be YOUR DEVICE. If your device gets stolen, it’s useless – it stores nothing and you can’t be impersonated with it. If you spill hot coffee on it and it shuts down instead of running faster, you’ll buy another one (not coffee, netbook). Will it give you an extra hour of a good night sleep by knowing that no hacker can compromise your online banking account?

Now try to imagine how many threat families (keyloggers, banking Trojans, rootkits) instantly become irrelevant for you. Even if your other computer gets compromised with them, the only valuable thing the hackers might eventually steal from you will be a serial number of your antivirus product.

If you love your netbook, you might extend its application to online shopping or online trading. Then to anything that’s online and is asking you for a password from that little soiled notes book from the middle section of your wallet. Extending its application further becomes a dangerous business as a flaw in one web service may affect your other services (e.g. a phishing email may affects your online banking account if you do both on one machine), just like it’s not wise to put all your eggs in one basket.

The security overview of Chrome OS is an interesting read.

By openly discussing the security challenges and suggested approaches to circumvent them the Chrome guys talk to us this way:

“Look, in our bank there is a vault with so much gold in it. The system is secure, but we’re not sure about that air con duct – we think it’s a weak point and the intruders may potentially crawl through it”.

Given the source code is open, the potential intruders will get access to the internals’ scheme immediately. But the moment they start studying it, the highly qualified white-hat professionals will start doing that as well. The idea is that any bugs, flaws or weaknesses will be revealed and fixed instantly, without leaving the intruders any chance to plan an attack.

Compare it with an alternative approach: “Look, in our bank there is a vault with so much gold in it. The system is secure.” After the robbery: “The system is secure.” After another one: “Ok, we fixed it, the system is secure”, and so on.

With the security being the main cornerstone of Chrome, it’s a step away from the “traditional” development philosophy that we all are used to: “make it usable and release it first, think about security later, when the bugs/flaws are discovered”. Usability being priority #1 creates a cash flow that allows investing into security and fine-tune usability at a later stage. The problem with this approach is that when under-invested security fails, usability falls with it. Not just declines, but crashes spectacularly.

The only company that can afford to have security in the first place, in the blueprints, even before the developed software becomes available for users, will likely have a “cash cow” in a different product or solution. Otherwise, it will be trapped in a vicious circle when the product is not released because its model is not secure enough, thus there are no sales and therefore, no funding to make it secure enough to be released. Google’s “cash cow” is in its ads program, giving it all the required conditions to build a truly secure OS.

Not an OS that replaces all other OS (this will never happen), but at least an OS that can safely and narrowly be used for those critical web-only applications that create so much headache for the customers in terms of stolen identity and money.

Will Google blow this chance or not, time will tell.

Posted in The Law | Leave a comment

A routine laptop clean-up revealed a few month old video of unpacking the Limbo trojan dropper. Before it gets deleted, posting it here just in case some folks might find it useful [link to video].

PS The sample was received from Michael Hale Ligh. Thanks, Michael.

Posted in The Law | Leave a comment

The Koobface gang and their inability to spell is a giveaway for the latest of their trick pages. If you end up at a page that states “This content requires Adobe Flash Player 10.37. Would you want to install it now?”, and the title of the page is “YuoTube”, your spidey sense should start to tingle.

The latest Koobface trick includes thousands of accounts at Google Reader (many continue to be up). Here is a shot of what today’s Reader pages look like hosting phony YouTube videos:


Of course, these Google Reader pages are not new, and are not particularly notable, as other groups have used the same scam in the past year to drive the same redirections to other sites that host the malware. Here is one that is up today, a giveaway is the Title of the page “YuoTube”, instead of “YouTube”:


At the same time, the older Koobface style of flash player update pages served by the same gang all over the web appear to be more attractive to users, and attract many more hits. They are up and fooling users as this post goes up, here is a representative page to look out for, which, if you read this blog, you’ve seen before:


The phony “setup.exe” codec installer (which is really the Koobface malware) and the scheme still tricks many users. Don’t get fooled.

Posted in The Law | 3 Comments

Dennis Yu provides an experienced insider’s perspective on ad networks’ social networking monetization process. Fascinating details of major players within the ad networks and their practices. It’s amazing how difficult it can be to make money in a legitimate way online:

“I will walk you through how these online scams work on Facebook and other social networks – the mechanics of how the money is made, some of the people involved, and who is actually clicking on ads. If you’re reading this article, there is a good chance that you are not the type of person actually clicking on these spam ads, but are you curious as to who actually is?”

Posted in The Law | 3 Comments

The cybercriminal gangs developing and distributing Zbot have been highly active recently, as seen here and here, so let’s dig into the code again.

On a day to day basis, malware researchers locate a sample of interest, which can seem similar to isolating a grain of sand on a beach, and investigate it in the lab.  Some tools are utilized to capture information generated by the sample which typically include changes to what Windows runs at startup, browser default page settings, newly installed programs or libraries, generated network traffic, and, if neccesary, unpacked/decrypted copies of the sample.  With most samples, this information collection process is straight forward, but Zbot is smarter than your average malware.

These tools are very effective for analysis because it can be easy to determine which changes came from which programs.  After unpacking a regular malware sample, it is possible to control it using a debugger and walk through interesting sections of code to see how it works.  This ease of analysis is where Zbot separates itself from typical malware.

The first action recent zbot variants perform is to unpack themselves (sdra64.exe, F836BA2BA0CEE2B8F0CFEE31BB535515), and instead of performing any immediate botnet-related tasks, it injects this unpacked code into the winlogon.exe process and terminates itself.

This injection is interesting for two reasons. First, the winlogon process is very sensitive.  For instance, asking a tool like process explorer to terminate the winlogon process can cause a blue screen of death.  Even if an anti-virus scanner detects this payload in memory, it is tough remove because it has to be careful not to take down the winlogon process with it. So the selection of this process target in particular was carefully done.  Secondly, the payload of this injection requires running inside the actual winlogon process for initial activation.  The payload attempts to piggy-back off of a “non-IO worker” thread running uniquely within the winlogon process via the CreateTimerQueueTimer() function. If the payload is artificially injected into another process, the payload will not exhibit its malicious behavior. This runtime requirement makes it difficult to emulate the payload’s environment for research purposes.

A portion of the payload does not only execute from within the winlogon process, however. The activated code running within winlogon (described above) also injects a copy of itself into the first real svchost.exe process that it finds.  It uses the same thread piggy-backing techniques employed in the winlogon process.  One of the first tasks that this newly injected payload performs is the downloading of the encrypted configuration file.  Later, after this configuration fetching task is complete, it injects this same payload into all other processes, which then engage API hooks to intercept the victims’ online banking web traffic.

These injection and information stealing tasks are all coordinated with the payload residing in the winlogon process via named pipe inter-process communication mechanism.  The pipe is typically accessed via the file name “\\.\pipe\_AVIRA_2108″ and uses a mutex with the same name (_AVIRA_2108) to guard against simultaneous access to this resource by multiple payloads in other processes.  This named pipe is watched for a series of number commands which perform particular actions, some of which are listed below:

05: opens local.ds
06: closes local.ds
07: opens user.ds
08: closes user.ds
09: closes sdra64.exe
10: opens sdra64.exe
14: intentionally causes a NULL pointer dereference (crashes the winlogon process, resulting in a BSOD)

In the screenshot provided below, we can see a piece of code that executes immediately after downloading the encrypted configuration data.  It sends the command “6″ to the named pipe which tells the winlogon payload to close the “local.ds” data file, which resides in the %SYSTEM%\lowsec directory.  It then writes a fresh “local.ds” file to this directory, and instructs the winlogon payload to re-open this data file with the “5″ command.

Svchost Example Zbot Command

Svchost Example Zbot Commands

Separating the malware execution into code chunks that reside in different processes makes it difficult to analyze what this bot actually does. With each chunk camouflaged inside a real process, the separation also makes it difficult to properly clean off your system once infected, due to the infection being spread all over legitimate processes.

Posted in The Law | 2 Comments

While the sentence of the Pinch Trojan authors is about to expire within the following few months, the code of their Trojan is still being morphed by others into other nasty forms.

Apart from its known ability to gather system information and steal confidential information such as user names and passwords, the Pinch is now capable of delivering the stolen details to the remote website by utilizing a powerful news management system called “Cute News”.

What’s not cute in this case however is that the name of the website established by the remote attackers to collect stolen credentials is disguised under the name of the forecoming movie blockbuster New Moon.

The infection starts from an image displayed with the purpose of distracting user attention while the Trojan gets activated. While the user stares at the picture, the Trojan starts harvesting user details, passwords, email addresses and other contents from the configuration files of the installed email clients Eudora, Thunderbird, Outlook, The Bat!, FTP clients FileZilla, WS_FTP, CuteFTP, and several other applications.

The Trojan then collects system information that includes installed application names and their versions, serial numbers, user and computer names, the names of the running applications, user’s email account settings, and some other system details.

The collected information is then encoded into Base64 format and posted into the remote Cute News service hosted by the attackers at

The post takes place via HTTP protocol allowing attackers to use the power of the Cute News system to accept, collect and use the stolen information without setting up any databases as all information is stored in flat files.

Automated analysis is available here.

Posted in The Law | Leave a comment

Unfortunately, a lot of people didn’t realize that the email and attachment we posted yesterday was not really from “The Facebook Team”. ThreatFire users were protected from the Bredolab downloader and its Zbot payload, and it’s a good thing too. Here is some information on who fell for it by country:


The bulk of the protected systems were in the U.S., where the number of Facebook users are higher than anywhere else. Below is a non-exhaustive list of banks that the group has targeted with Zbot payloads from the ip address that the Bredolab downloaders pulled from. Surprisingly, the cybercrime group decided to mess with U.S. military members at

https://businessonline.huntington .com
https://business-eb.ibanking-services .com
https://securentrycorp.nbarizona .com
https://treas-mgt.frostbank .com
https://www8.comerica .com
https://cashmgt.firsttennessee .biz
https://www.usaa .com
https://*netspend .com .uk

Posted in The Law | Leave a comment

Another cybercriminal group is abusing the face of Facebook in another malware spam blast, fooling users to install banking password stealing malware and adware on their systems.

The message of the email claims to arrive from “The Facebook Team”, but in fact, the spam is spoofed and not from the team at all:

“Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

The Facebook Team”

The real Facebook Team maintains threat-related information, “what-to-do-if” information, and security related stuff here.

The emails maintain an attachment that may have various names. Here are a some of the attachment names that when unzipped and run, ThreatFire has protected its community against in the past day:

So what is being sent out? Unfortunately, the AV vendors that are starting to detect this variant do not always identify what they are detecting accurately (lucky that they are detecting it at all!). But in the end, the zipped attachment contains an armored downloader. Some of the spammed downloader executables drop multiple variants of multiple families. Adware, spyware, spambots, why not all of them? They are all money makers for this malware distribution group.

The malware package, in some cases, includes the highly active and highly malicious Zbot family. It seems that the Bredolab protector and dropper/downloader in active development has proven to be effective enough against AV scanner detections, so the crimeware groups are re-wrapping their zbot malware with it. Also interesting is that these two families of malware have recently been distributed by groups that implement methods to remove the other bot from victim systems. It’s been described as another “War of the Bots” with Bredolab v. Zbot. Clearly, this active cybercrime group is a separate one with different aims and no internal wars.

Koobface, Bredolab, and Zbot-distributing cybercrime groups all spoof Facebook and other highly popular social networking sites to deliver their malware to victim systems. Avoid the confusion and install a behavioral based layer of protection like ThreatFire that reliably and effectively prevents Bredolab, Zbot, and other highly dangerous malware families. Surf where you want, PC Tools Facebook group here.

Posted in The Law | 4 Comments