Yesterday’s release of Windows 7 brings with it a different playground for malware.


If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice in high volume, which provides a whole new platform of interest and attention for money-making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.


The most common single piece of malware run on Windows 7 RTM systems, as observed in the ThreatFire Community to date, has been Protection System FakeAv variants and their droppers. The dropper is usually part of a crack or keygen distributed at crack sites and over P2P. It drops multiple other unwanted components, including the FakeAv. This is a common thing to have seen in the past on other platforms. What is different here is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified, and is newly delivered with 7.

At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The offending dropper creates registry keys to ensure persistence across reboots without a peep from UAC at its default settings, even when logged in as a Standard User. Another executable, responsible for many of the popups, is copied to the profile directory. A phony scan is kicked off (thousands of pieces of malware were stored on the system and none were detected), and two hard-coded detections are displayed. And no, there isn’t a legitimate vendor that maintains malware family names as variants of “GayCodec”:


Multiple pop-ups appear for phony malware detections and payment/activation. All without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows firewall with a randomized list of malware that are not running on the system:


It’s reported to attempt to uninstall other security products, which was not observed on lab machines.

All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one and always purchase software from legitimate vendors, and install a behavioral layer of protection over and above UAC, like ThreatFire, which runs well on Windows 7 and keeps your system protected.

Posted in The Law | 6 Comments

The relentless rogueware distribution groups that we’ve been monitoring have changed their gig yet again, in their efforts to evade the typical AV solutions. And by the numbers this month, it seems that they are having a successful go at it.


The installer drops cs.exe to c:\program files\cs\cs.exe on your system and runs it, which prompts the user with nagging popups. If you are seeing “Cyber Protection Center reports that ‘Cyber Security’ is inactive” on your system, do not activate it:

Standard set of phony detections to scare the victim into paying for the software:

The “Cyber Protection Center” GUI has become the “usual” Microsoft Security Center spoof:

The naming has changed a bit. The typical download URL looks like a variant on a single scheme.

This month’s moves include IP and domain changes, with the same set of domains rotating across three IP addresses.

Do not activate the product:

What will the group have in store in November? We’ll wait and see. In the meantime, PC Tools ThreatFire users and users of the recent award-winning Spyware Doctor with AntiVirus 2010 (with Behaviorguard) are well protected from this round of scareware.

Posted in The Law | 3 Comments

ThreatFire protected systems have been preventing Urlzone (also known as Bebloh), which has been flying under the radar of most AV vendors, for most of the year. The family is long in the wild and a pernicious one, so why the lack of recognition? Let’s take a quick look at some complexities related to the unpacking stub and the file’s delivery.

Multiple variants of the family implement an unpacking stub that burns through anti-emulation time-lock loops intermixed with additive decoding loops, and then transfers control to underlying layers of the unpacking code by making a service-pack-dependent calculation of the location that control must be transferred to.

All of these calculations are surrounded by garbage code, so let’s strip down the trick to its bare bones: calculations are made, edx is pushed on the stack and control is transferred to that location with a return instruction.

The correct value of edx is arrived at by subtracting a predictable data value copied from a location near the kernel32 module entry point. Kernel32 changes across service packs, so uploading these samples to automation tools may produce varying results, depending on whether or not the researcher downloading from the distribution web server indicated the same service pack in the HTTP request on the client system as on the automation system.

So what data may change across service packs and protected OSes? The data preceding and at the entry point of kernel32. The unpacking routine depends on finding the “InLoadOrderModuleList” value in the PEB (Process Environment Block), which points to a list of the modules (DLLs) loaded within the process. This technique is often used in exploitation-delivered shellcode (see skape’s section 3.2.1 on using the PEB to find kernel32). The unpacking stub then walks the list to find the pointer to the entry point of kernel32.

A predictable sequence of bytes exists prior to and at kernel32’s entry point for each Service Pack. The calculation in this post is meant for XP SP3; any earlier SP causes the malware to calculate an incorrect location and exit. That predictable sequence also changes if the entry point of kernel32 is hooked: any jmp instruction placed there breaks the control transfer.
Hence the 0x8b909090 value (the three nop bytes prior to kernel32’s EP and the push ebp), which is subtracted from their hard-coded value to calculate the final jmp destination.

Following the sub from edx, ebx is discarded. Edx is pushed onto the stack for a ret and the malicious execution continues from there…

Posted in The Law | 1 Comment

Yesterday’s AMTSO conference brought with it formal announcements of Board positions, new tools for the AMTSO to offer testers (be sure to join the group!) and potential new efforts. There were some Board updates due to terms expiring, and discussion about the group’s directions. The meeting and its agenda are posted at the site’s meeting link.

The group continues to pursue ways to improve testing methods, and finding and collecting malware has always been an area for improvement. The group is attempting to ensure that testing samples are current and that the testing material exercises products in ways adequate to support reviewer conclusions.

Various papers were discussed and only two of these were put up for a vote. The group passed the two important papers today, which will be posted to the website soon: “Issues in Creating Samples for Testing” and “Network AV Testing”.

Posted in The Law | Leave a comment

Cybercriminals are implementing techniques in their banking password stealers to further cover their tracks. Not that they were having an extremely difficult time with this already, as pointed out by Guillaume Lovet’s Virus Bulletin paper on fighting cybercrime. But the technical and forensic challenges are now stepped up another level. We have been tracking the growth of the Urlzone/Bebloh family since February of this year, and other groups have been finding accelerated sophistication in the fraudulent activity.

The first, larger waves we saw in February targeted German users, who were protected from the menace within the ThreatFire community. As more European banks and countries were hit, we continued to monitor for more of a global presence, as the malware package becomes even more popular among multinational banking cyberthieves. Distribution servers have been appearing on American providers’ networks; the next logical step is to find American banks targeted as well. We will be monitoring the situation closely.

The stealer is being spread by attacking the usual client side vulnerabilities in browsers and third party plugins.

Posted in The Law | Leave a comment

In Wisconsin, they’ve got a great smelt fry on Lake Michigan. In Louisiana, you can find great crayfish boils. But in Los Angeles, the FBI announced a very different fry: another major international cyberfraud takedown they named Operation Phish Phry. The hundreds of people involved defrauded online banking users with phony banking sites, stealing online user identities and later, using those user names and passwords, money from thousands of individuals.

We’ve posted previously on projects more closely related to ThreatFire’s anti-bot capabilities, like Operation Bot Roast. Sometimes, phishing web servers hosting fraudulent/spoofed banking web pages are provided by compromised, bot-infested systems, without the knowledge of the system’s user. Either way, this multi-year, multinational Phish Phry takes another facet of cybercrime off the grid.

Posted in The Law | Leave a comment

Thousands of users fell for a Hotmail/Windows Live “likely phishing scheme” over the weekend. User account access is being blocked, and instructions to reclaim accounts are provided after a form is filled out on the site. A limited set of details is on the team’s blog, with useful hints about identifying phishing scams and selecting strong passwords: “Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software”.

Posted in The Law | Leave a comment

At Virus Bulletin, we presented on some of the nastiest families of 2009, and Zbot was one of them. Early Sunday morning was the first time the ThreatFire community started seeing a newer variant of the banking password stealing family “Zbot” in fairly high prevalence, served from a system hosted in Sweden (83.140.191.170). This variant is interesting in that it indiscriminately targets banks all over the world (the U.S., Germany, Italy, Spain, Russia, England, Ireland, etc.; the ThreatExpert report lists the banking sites), but the users being attacked appear to be concentrated within the U.S. for now.

As always, be sure to update third party plugins (like flash players and pdf readers) in addition to your system software and add a behavioral layer of protection like ThreatFire.

Posted in The Law | Leave a comment

This year’s annual Virus Bulletin 2009 is being held in Geneva, Switzerland. The presentations are very interesting with topics covering Waledac, Koobface, botnets, and other malware families ThreatFire is most effectively protecting users against every day.

PC Tools’ Kurt Baumgartner presented a survey of Peter Ferrie’s series of papers on anti-unpacking techniques, and how these techniques are and are not implemented within the “worst families” of 2008-2009. The slides are available from the Virus Bulletin 2009 slides page. It was exciting to discuss with at least a dozen other researchers the questions and answers we provided about Waledac and its consistent use of Int 0x2e within its packer. We examined other families and the specific decryption algorithms implemented by each, and unusual techniques malware writers are using to throw off automated research and file scanners. You can find Peter Ferrie’s “Anti-Unpacker Tricks” Virus Bulletin papers at his web page, under his “International Publications” section.

Righard Zwienenberg presented on the progress AMTSO is making, a group that PC Tools has actively participated in since its start. There was much interest in its activity and some of its current work that we are pleased to take part in driving forward. The upcoming meeting in Prague will bring with it discussion of one of its most controversial papers, “Issues in the Creation of Malware” [for testing purposes], which hopefully will be voted on and released soon. We encourage testers and reviewers to join and actively participate in this group.

Topics of interest included “The real face of Koobface” by Ivan Macalintal, and “Brazil, land of plentiful bankers” from Dmitry Bestuzhev. The Brazilian banker presentation discussed many issues resulting in the thriving banking password stealing efforts and groups in Brazil, and the surprising presence of the Induc virus infecting Bancos password stealers, which ThreatFire effectively prevents. Also of interest is the malware working group connecting the AV industry, with Igor Muttik discussing the Industry Connection Security Group’s proposed XML structure and content for sharing samples and information amongst vendors and testers. It’s something we’ll probably exchange thoughts on at the upcoming AMTSO meeting.

Posted in The Law | Leave a comment

Zeus/Zbot is an annoying threat. Its persistence is explained by the fact that it is generated by a large army of attackers who use the Zeus builder.

Those attackers who are high in the food chain pay thousands of dollars for the latest Zeus builder to make sure they distribute the most up-to-date undetectable bot builds. But many are still happy to use obsolete versions of the builder – these are available for free on various file sharing web sites.

One way or another, the wave of new Zeus/Zbot samples being distributed every day is alarming. It’s kind of an “attack of the clones”: multiple modifications of the bot are being produced in the wild, packed and encrypted on top with all sorts of packers, including modified, hacked, or private packer builds. Before being released, every newly generated and protected bot is uploaded to popular multi-AV scanner services to make sure it is not detected by any antivirus vendor. Hence, quite a bit of a problem in terms of its distribution scale.

The nasty thing about Zeus/Zbot is that it evolves. The latest generation bot uses rootkit techniques to hide its presence on the customer’s machine. The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites and added to remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money laundering groups anonymously hire physical people to withdraw money from their personal accounts; in the criminal world these people are called “drops”, and their accounts are called “drop accounts”.

Without going too much into detail about the whole economy that operates behind Zeus/Zbot, let’s rather concentrate on some of its technical aspects.

An important fact to mention is that the bot itself is like a framework with no “brains”. It is merely a program that hooks itself into the system and hides there effectively. The logic that drives the behaviour of the bot is contained in its configuration file.

The configuration file of Zeus/Zbot is like the definitions database of an antivirus product. Without it, the bot is pretty much useless. The configuration contains the list of banking institutions that the bot targets, the URLs of the additional components that the bot relies on to download commands and updates, the lists of questions and fields that the bot injects into Internet banking websites to steal personal details/credentials, etc.

For instance, if the attacker only wanted to target local customers in Brazil, the bot’s configuration file would list Brazilian banks and the list of questions/fields would be in Brazilian Portuguese only. This way, the bot could transparently allow Internet banking transactions for non-Brazilian customers, because the attacker would not be interested in those transactions, attacking domestic customers and their transactions only.

The configuration of Zeus/Zbot is never stored in clear text. It is encrypted. The previous generation of Zeus/Zbot used a hard-coded encryption mechanism for its configuration, so it was possible to reverse engineer the encryption algorithm and build a decryptor for any configuration file that belonged to any bot of the same generation.

The game has changed. The latest generation of Zeus/Zbot encrypts the configuration file with a key that is unique to, and stored inside, the bot executable the configuration belongs to. This way, the configuration file of one bot sample will not work for another bot sample, even if both samples are generated with the same builder. As the decryption key is stored inside the bot executable, the configuration cannot be decrypted without the executable. However, the executable that contains the key is itself packed, so the key cannot easily be retrieved from it. Brute-forcing the key is not a viable option as the key is 256 bytes long.

In other words, it’s practically “a riddle wrapped in a mystery inside an enigma, but perhaps there is a key”, as Winston Churchill once said about the homeland of Zeus author(s).

In order to reveal the key for Zeus/Zbot configuration and study the decryption mechanism, a few things need to be done first.

Firstly, Zeus/Zbot can be run on a virtual machine under the OllyDbg debugger and dumped with the OllyDump plugin installed:

The created dump can be loaded into the IDA disassembler; the variables that store dynamically retrieved addresses of APIs should be renamed to the API names to ease reading the code, as shown below:

The analysed dump does not reveal the code that downloads and decrypts the configuration file. This is because the dump was created for the first stage of the execution workflow, when the bot drops other files, installs hooks and injects its own code into the system process services.exe.

Although the decryption key is present in the dump (as becomes known later), revealing it now along with the decryption mechanism by analysing the dump statically is not easy, since execution had not yet reached that code path.

Ok, so what do we do now?

Let’s run RootkitUnhooker to check the system integrity. According to its hook revealer, two installed IAT hooks can be seen:

According to ThreatExpert report, the bot creates the following files:

  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\sdra64.exe

Because of the hooks, these files are not visible in Explorer, but trying to create a directory %System%\lowsec invokes the following message box:

The hook in the system process services.exe gives a good reason to dump it and analyse what’s in its memory. Dumping the main module is not enough, as a typical injection mechanism allocates memory on the heap of the process and writes the code there. Thus, the process needs to be dumped entirely, including all of its heap pages.

From all the dumped pages of the system process services.exe, two allocations belong to the bot:

These two allocations may span the address range 0x00040000-0x00057000, or 0x00980000-0x00997000 after a reboot, and can be joined together to be loaded into the disassembler again.

Once reloaded into the disassembler, the variables that store dynamically retrieved addresses of APIs should be renamed again to the API names. As the names of the APIs are no longer visible in this dump, the APIs can either be retrieved by looking up the virtual addresses contained in the function pointers, or by matching the disassembled code with the previously disassembled dump (obtained from OllyDbg/OllyDump) and assigning the same names as in the former dump to the same pointer variables, as shown in the screen grab below:

With the properly named API function pointers, it’s much easier to read the code.

The bot contains a special section in its code that contains several important fields:

The URL fields in that section are encoded using the older, key-less encryption mechanism of the previous Zeus/Zbot generations. Here is a C equivalent of the decryptor; it is straightforward:


   typedef unsigned char BYTE;

   /* Key-less decoder used by the older Zeus/Zbot generations for the URL
      fields: each byte gets a position-dependent constant added to it. */
   void DecodeUrlField(const BYTE *lpSourceBuffer, BYTE *lpDestinationBuffer, int iBufferSize)
   {
      BYTE b;

      for (int i = 0; i < iBufferSize; i++)
      {
         b = lpSourceBuffer[i];
         if ((i % 2) == 0)
         {
            b += 2 * i + 10;        /* even positions */
         }
         else
         {
            b += 0xF9 - 2 * i;      /* odd positions */
         }
         lpDestinationBuffer[i] = b; /* the original accumulated into a zeroed buffer with += */
      }
   }

One of the URLs points to an encrypted configuration file. The bot downloads that file and saves it into a hidden file %System%\lowsec\local.ds.

Next, the bot reads the 256-byte long encryption key stored in its section and uses it to decrypt the downloaded configuration file:

The decryption routine is not very easy to follow during static analysis. One way of building a configuration file decryptor is to blindly rip the assembler code out of the bot and only take care of interfacing it properly, that is, passing it the same parameters. However, in order to understand the code and build its C equivalent, it is better to trace the code.

But here comes the question: how do we trace the code that is running inside the services.exe process?

An easy way of doing that is to attach a debugger of your choice to the system process services.exe, break its execution, point EIP (the instruction pointer) at the first instruction of the decryption routine, patch memory contents to instruct the routine to unpack a file different from %System%\lowsec\local.ds (before doing that, make sure the configuration file has been downloaded from the earlier discovered URL and saved under a different filename), suspend all other threads of the services.exe process, and step through its decryption routine.

The image below shows how the filename %System%\lowsec\local.ds is patched with c:\c

Stepping through the decryption routine reveals how the configuration file is fully decrypted:

The decryption routine itself is shown below:

During decryption, the values of its 256-byte key are constantly shuffled. The C equivalent of this routine is:


   typedef unsigned char BYTE;

   /* Keystream generation (RC4, see the update below) run over the 256-byte
      state stored in the bot's section at iSectionStart + 0x2a; all index
      variables are BYTEs, so indexing wraps modulo 256 automatically. */
   void DecryptConfig(BYTE *byResource, int iSectionStart, BYTE *byConfig, int iConfigSize)
   {
      BYTE byCounter = 0;
      BYTE byMask = 0;
      BYTE byTemp;
      int iSectionOffset = 0x2a;
      BYTE *byKey = byResource + iSectionStart + iSectionOffset;

      for (int i = 0; i < iConfigSize; i++)
      {
         byCounter++;
         byMask += byKey[byCounter];
         byTemp = byKey[byMask];               /* swap the two state bytes */
         byKey[byMask] = byKey[byCounter];
         byKey[byCounter] = byTemp;
         byTemp += byKey[byMask];              /* index of the keystream byte */
         byConfig[i] ^= byKey[byTemp];
      }
   }

Once the configuration file is decrypted, its internal structure reveals that it consists of data blocks. Every data block has a header that describes the length of the block, its type, and whether it’s compressed or not.

As shown in the image below, the meaning of some fields is not clear. But it seems that the 5th byte of the data block indicates whether the data it contains is compressed or not. The two DWORD values that follow give the sizes of the compressed and uncompressed data. Next, the block contains the data itself.

For example, the first block has both size values equal to 4 bytes, and the data itself is 0B 07 02 01. The next two blocks are not compressed; the data size for both blocks is 0x28 bytes. The last block carries a flag showing that it is compressed: the size of the compressed data is 0x85 bytes, the size of the uncompressed data is 0xA1 bytes, and the 0x85 bytes of data follow.

Analysis of the decompression routine reveals that it is the unrv2b algorithm. The decompression source code is available here.

By knowing the decryption/decompression mechanism and the data format, it is now possible to build a tool that inspects the full memory contents of the process services.exe, locates a page containing Zeus/Zbot code, then locates the section in it holding the 256-byte key, retrieves that key and uses it to decrypt the provided configuration file. Although the address of the section within the bot’s page is not known in advance, it can still be detected easily by probing the size of the structure, probing the bytes of the 256-byte encryption key, and trying to decode the URLs, knowing their length (from the structure) and the key-less encoding method (from the older Zeus generations).
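The key-finding step and the block walk described above, as an added example that is not the post's own tool or code: it scans a constructed memory image for the 256-byte state by trial decryption and accepts the offset under which the decrypted block chain (the header layout described above) parses cleanly to the end of the file. The four header bytes before the flag are read as a little-endian block id (an assumption); the sample config, the planted key state and the filler are all constructed here, and the "compressed" block carries filler rather than real unrv2b data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Block header as the post describes it: four leading bytes (read here as a
   little-endian block id, an assumption), a flag byte (1 = compressed), then
   compressed and uncompressed sizes as little-endian DWORDs, then the data. */
#define HDR_LEN 13
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* RC4 keystream as the bot applies it; the state is copied so the key stays intact. */
static void rc4_apply(const uint8_t *state, uint8_t *cfg, size_t len)
{
    uint8_t s[256], i = 0, j = 0, t;
    memcpy(s, state, 256);
    for (size_t n = 0; n < len; n++) {
        i++;
        j += s[i];
        t = s[j]; s[j] = s[i]; s[i] = t;
        cfg[n] ^= s[(uint8_t)(s[i] + s[j])];
    }
}

/* Walk the block chain; returns the block count when well-formed blocks consume
   the whole buffer, else 0 (a wrong key produces garbage sizes and fails here). */
int walk_blocks(const uint8_t *cfg, size_t len, int verbose)
{
    size_t off = 0;
    int count = 0;
    while (off + HDR_LEN <= len) {
        const uint8_t *h = cfg + off;
        uint8_t flag = h[4];
        uint32_t csize = rd32(h + 5), usize = rd32(h + 9);
        if (flag > 1 || csize > len - off - HDR_LEN) return 0;
        if (flag == 0 ? csize != usize : csize > usize) return 0;
        if (verbose)
            printf("block %d id=%08x %s compressed=%u uncompressed=%u\n", count, rd32(h), flag ? "unrv2b" : "raw", csize, usize);
        off += HDR_LEN + csize;
        count++;
    }
    return off == len ? count : 0;
}

/* Locate the key in a memory image: try every offset as the 256-byte state and
   accept the first one under which the decrypted block chain parses. */
long find_key(const uint8_t *mem, size_t memlen, const uint8_t *enc, size_t enclen)
{
    uint8_t *buf = malloc(enclen);
    long hit = -1;
    for (size_t k = 0; hit < 0 && k + 256 <= memlen; k++) {
        memcpy(buf, enc, enclen);
        rc4_apply(mem + k, buf, enclen);
        if (walk_blocks(buf, enclen, 0) > 0) hit = (long)k;
    }
    free(buf);
    return hit;
}

/* Constructed sample config modelled on the blocks the post describes: a 4-byte raw
   block 0B 07 02 01, two raw 0x28-byte blocks, and a block flagged compressed
   (0x85 -> 0xA1 bytes; its payload here is filler, not real unrv2b data). */
static size_t put_block(uint8_t *o, uint32_t id, uint8_t flag, uint32_t cs, uint32_t us, int fill)
{
    wr32(o, id); o[4] = flag; wr32(o + 5, cs); wr32(o + 9, us);
    memset(o + HDR_LEN, fill, cs);
    return HDR_LEN + cs;
}

size_t build_sample_config(uint8_t *cfg)
{
    size_t n = put_block(cfg, 0x1000, 0, 4, 4, 0);
    memcpy(cfg + HDR_LEN, "\x0b\x07\x02\x01", 4);
    n += put_block(cfg + n, 0x1001, 0, 0x28, 0x28, 'A');
    n += put_block(cfg + n, 0x1002, 0, 0x28, 0x28, 'B');
    n += put_block(cfg + n, 0x1003, 1, 0x85, 0xA1, 'C');
    return n;                                   /* 269 bytes */
}

/* End-to-end: plant a constructed 256-byte state at offset 300 of a filler "memory
   image", encrypt the sample config with it (RC4 is symmetric), then scan for it. */
long demo(void)
{
    uint8_t mem[1024], cfg[512], enc[512];
    size_t len = build_sample_config(cfg);
    memset(mem, 0x90, sizeof mem);
    for (int i = 0; i < 256; i++) mem[300 + i] = (uint8_t)(i * 167 + 13); /* a permutation */
    memcpy(enc, cfg, len);
    rc4_apply(mem + 300, enc, len);
    return find_key(mem, sizeof mem, enc, len);
}

int main(void)
{
    printf("key found at offset %ld\n", demo());
    return 0;
}
```

Against a real dump, the block-chain check replaces the URL-decoding probe the post uses; both reject a wrong offset because a wrong RC4 state turns the header sizes into garbage.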

Unfortunately, such a tool can only decrypt a configuration file on a machine infected with Zeus/Zbot. Thus, it must be run on the same virtual machine that is infected with the bot.

The tool is available for download here.

One positive side-effect of the tool is that even if the configuration file is not available, the tool will still reveal if the machine is infected with Zbot.

The limitation of the tool is that it won’t be able to decrypt the configuration file of one bot if the virtual machine is infected with another bot, even if both bots are produced with the same Zeus builder. This is because every bot uses a unique encryption key that will only decrypt the configuration file created for that very same bot.

Running the Zeus configuration decryptor over several Zeus/Zbot samples submitted in the last few days reveals quite interesting characteristics. The full list of its capabilities is too big to be presented here, so only a few of the questions/additional fields that Zbot injects are highlighted below:

  • Due to security measures, please provide the answers to all the security questions listed below:
  • As an additional safeguard, we ask that you provide the last eight digits of your ATM or Check Card number
  • Please enter your Credit Card Number linked to your account, security code (cvv) and expiration date
  • For your Identity verification and Fraud prevention please send us answers that you need to answer when you log in to your account
  • Our behavioral monitoring software has detected a variation in your use pattern. For your protection, we ask that you verify your identity by answering your personal questions below. Once verified, you will be directed to the page.
  • Authorization Required. In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts online. Please enter the information below to Sign on:
  • Please enter your Personal Access Code (PAC):
  • Your first school
  • Your mother’s maiden name
  • Your place of birth
  • Please enter all digits of your PIN
  • What is your favourite meal or restaurant?
  • The name of a memorable place to you?
  • Your favourite film of all time?
  • Your favourite book of all time?
  • Your favourite teacher or subject?
  • Your favourite TV star or show?
  • Please enter a valid Mother’s Maiden Name
  • Please enter a valid Driver’s License Number
  • Please enter a valid Date of Birth
  • Please enter a valid Social Security Number
  • Please enter a valid Home Telephone Number
  • Your favorite TV show?
  • Your favorite flower?
  • Your favorite leisure time activity?
  • Your favorite type of music?
  • Your favorite professional football team?
  • Your favorite professional baseball team?
  • The color of your first car?
  • Your favorite holiday?
  • Your favorite place to vacation?
  • In which month were your parents married?
  • What is the first letter of the name of your high school?
  • What is the first letter of the name of your pet?
  • In which month was your first child born?
  • What was the last two digits of the year of your high school graduation?
  • Please enter valid ATM/Debit Card # (CIN)
  • Please enter valid PIN
  • Please enter valid Last 4 Digits of Social Security or Tax ID #

The list goes on, but you get an idea of what an identity theft weapon it is.

Update: Thanks to Peter Kosinar and Thorsten Holz for identifying the encryption algorithm above as RC4.

Posted in The Law | Leave a comment

In a post last December on the ThreatExpert blog, Sergei proposed a method to defeat Koobface: hit ‘em in the pocketbook where it hurts. The CAPTCHA cracking services that the Koobface gang uses could be the weak link in its chain and could be abused to interrupt their scams. Unfortunately, no one seems to be taking up that proposal. Koobface is relentlessly released and spread across multiple distribution groups with its CAPTCHA crackers in action.

The Koobface malware was recently altered slightly in several ways. The binary carries with it the functionality to phone back to one of two sites for its CAPTCHA cracking needs.

Perhaps these are the new weak links to target.

Posted in Virus News | Leave a comment

The banner ads allegedly rotating through the NY Times website over the weekend delivered FakeAv/Rogueware from servers that have been delivering the same stuff since around July 19th. The current URL over the weekend was protection-check07. com, but it changes frequently.

The ThreatFire community has seen this stuff effectively prevented on desktops under a variety of names since the servers started delivering the FakeAv, also known as Downloader.MisleadApp, Trojan.Fakeavalert, XPAntivirus and Trojan:Win32/FakeXPA. Over the past few months ThreatFire has identified a number of download-resource variations, served from three different IP addresses.


These servers are hosted in Germany, the Netherlands, and Cyprus, but their victims are located throughout the world; in this case, potentially wherever NY Times readers may be located. Be sure to add a behavior-based security solution to your system. The banner ads seem to have been acted on quickly, as there have been no additional reports and no further identifiable malicious banners.

Posted in Malware Alerts | Leave a comment

ThreatFire continues to prevent high levels of activity from the Bredolab downloaders this week. The ongoing spam activity described several weeks ago is not abating. Our research then began to pry into the several kernel-level hook overwrite attempts that Bredolab implements with the end goal of evading behavior-based security products. ThreatFire effectively prevents this malware, while other behavior-based products do not seem to perform quite so well, their kernel-mode hooks duly overwritten and bypassed.

Two of the kernel hook overwrite attempts abuse straightforward Windows vulnerabilities, both of which have been patched. The other Bredolab hook overwrite attempt targets a mechanism that isn’t officially a vulnerability. When users are not logged in as admin, Bredolab is not effective. Here is the short list of the targeted vulnerabilities, in the order called by the Bredolab code:

1st Bredolab targeted vulnerability – MS07-017 – GDI Local Elevation of Privilege Vulnerability
CVE-2006-5758

2nd Bredolab targeted vulnerability – MS08-025 – Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability
CVE-2008-1084

3rd Bredolab targeted vulnerability – Flaw allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel
CVE-2004-2339

Just before exploiting the vulnerabilities to gain access to the kernel, Bredolab copies ntkrnlpa.exe from the drive to a location in virtual memory and examines the code for the addresses of nine kernel APIs that are frequently hooked by security solutions. It finds them and stores the virtual addresses of these APIs in its text section for use in the overwrites:
ZwAllocateVirtualMemory
ZwWriteVirtualMemory
ZwProtectVirtualMemory
ZwCreateThread
ZwAdjustPrivilegesToken
ZwOpenProcess
ZwOpenThread
ZwQueueApcThread
ZwSetValueKey

The first exploit attempt to overwrite security solutions’ hooks involves abusing Windows graphics functionality. After calling MapViewOfFile and searching for the APIs listed above in the mapped copy of ntkrnlpa.exe, Bredolab maliciously initializes a Palette object:


Hook overwriting shellcode is delivered via a carefully crafted GetNearestPaletteIndex call:

CR0 manipulation in the shellcode to obtain write permissions on kernel memory here:

The first method will fail for Bredolab if the system is MS07-017 patched (patch your systems!). To account for that issue, Bredolab will check for the patch, and if present, deliver its next exploit.

First, it calls GetDesktopWindow to retrieve a handle to the desktop. Next, it sets up the first of two interrupt trampolines to NtUserMessageCall.

After the two are set up, it tricks ZwSetIntervalProfile into calling user mode code from the kernel, passing a pointer to its hook overwrite function.

Sometimes these first two exploits do not work on a system for the malware, but Bredolab arrives with a solution for that situation. When the first two are patched, Bredolab checks that its calling user has the SeDebugPrivilege privilege:

If SeDebugPrivilege is present, Bredolab calls ZwSystemDebugControl with two interesting parameters: Debug_Control_Code=9 and SysDbgCopyMemoryChunks_1. Providing that debug code to the call, Bredolab copies arbitrary code from user space to kernel space:


Using a bug in the read I/O sub-function of NtSystemDebugControl, not shown here, Bredolab writes to kernel memory. It modifies an IDT entry with a pointer to its malicious code, and provides control to the code by again calling ZwSetIntervalProfile.

While the bulk of the attacks appear in the U.S., outbreaks of this stuff occurred over the past year throughout Italy, England, Germany and Russia as well. Unfortunately, there remain large enough numbers of unpatched systems in these countries to hold these attackers’ attention.

Posted in Virus News

Some hugely prevalent, worming families just won’t wither away and disappear. They top vendors’ prevalence lists for years on end, even as the malcode fails to serve its original purpose. As the ThreatFire community grows its presence in Mexico and Brazil, it protects more users from a relentless worm originally distributed from Indonesia, Brontok.

Brontok is a mass mailing worm that isn’t mentioned all that often anymore, being out-amplified by sensations like Conficker/Downadup/Kido, but its many variants continue to show up all over the world. For the past month, our ThreatFire users in Mexico and Brazil have been the most frequently protected from these Brontok variants, which are being run, and prevented by ThreatFire, on desktops in high numbers.
The compromised hosts used to be abused as DDoS bots, attacking sites around the world in what was unconfirmed as hacktivism or blackmailing attempts. Now, however, the worm travels without a head in the sunniest tropics — the major provider (unwittingly at the time) hosting Brontok’s configuration files has long ago taken down the Brontok-accessed command-and-control server accounts.

Posted in Virus News

September has brought a slew of new FakeAv/Rogueware/Scareware distribution points. As Dancho Danchev chronicles the blackhat SEO work of his biggest Ukrainian fan club (that is sarcasm, folks), leading to delivery of a particular FakeAv, the ThreatFire community is protected from FakeAv polymorphic downloaders from gangs and campaigns of all stripes. Behavioral protection handles the sort of AV-evading polymorphism implemented in this malicious stuff well. Just a few highly active IP/domain examples that we’ve seen this past week are listed here. It looks like the groups are trying to get smart, using new domain names like “intellectual-vir-scan01 .com”:

88.198.81. 153/download/antivirus-9446_2001-2.exe
advancedvirscanner3 .com
antivirus-scannerv17 .com
best-security-scanv8 .com
bestantivirusscanv8 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
reliable-scanner06 .com
superb-virus-scan03 .com

83.133.126. 201/download/antivirus-DEA18_2033-7.exe
advancedvirscanner3 .com
antivirus-scannerv17 .com
antivirusquickscan2 .com
bestantispywarescanv4 .com
bestantivirusscanv8 .com
intellectual-vir-scan01 .com
intellectual-vir-scan03 .com
intellectual-vir-scan05 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
protectedsecurityaudit .cn
reliable-scanner06 .com
reliable-scanner09 .com
superb-virus-scan03 .com

78.46.251 .43/download/antivirus-9DC048_2009-2053.exe
antimalwarescanner8 .com
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-scanner6 .com
antivirusonlinescan6 .com
best-antivirus3 .com
best-antivirus8 .com
best-antivirus9 .com
live-virus-scanner5 .com
live-virus-scanner9 .com

91.212.107 .5/download/antivirus-8D5D21_2015-5.exe
advancedpcscanner3 .com
bestpersonalprotectionv7 .com
computer-antivirus-scanv9 .com
fastvirusscanv6 .com
govirusscanner .com
intellectual-vir-scan08 .com
intellectual-vir-scan09 .com
onlineantispywarescanv6 .com
onlinebestscannerv3 .com
onlinepersonalscanner .com
onlineproantivirusscan .com
onlineproantivirusscanner .com
personalfolderscanv2 .com
private-antivirus-scannerv2 .com
reliable-scanner01 .com
reliable-scanner05 .com
secure-antispyware-scanv3 .com
securityfolderprotection .com
spyware-scannerv2 .com
spywarescannerv4 .com

88.198.107 .25/download/antivirus-7C545A_2011-7.exe
antimalwarescanner8 .com
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-scanner6 .com
antivirusonlinescan6 .com
best-antivirus3 .com
best-antivirus8 .com
best-antivirus9 .com
live-virus-scanner5 .com
live-virus-scanner9 .com
online-best-scanv3 .com
premium-antispy-scanv3 .com
premium-antispy-scanv7 .com
safeonlinescannerv4 .com
safeonlinescanv4 .com
secure-spyware-scannerv3 .com

78.46.201 .89/download/antivirus_19.exe
antivir-scan-my-pc .com
antivir-scan-online .com
antivirscanmycomputer .com
awardantivirusscan .com
best-virus-scanner4 .com
best-virus-scanner6 .com
bestvanillaresorts .cn
bewareofvirusattacks3 .com
clean-all-spyware03 .com
clean-all-spyware07 .com
hqvirusscanner5 .com
hqvirusscanner7 .com
hqvirusscanner8 .com
megaspywarescan2 .com
thebestviruscheck .com
totalspywarescan3 .com
totalspywarescan5 .com
tryantivirusscan .com
valueantivirusshop1 .com
warningmalwarealert .com
warningmalwarealert2 .com
warningvirusalert .com
worldbestonlinescanner .com
yourholidaytoday .cn

209.44.126 .52/download/antivirus-71B_2033-8.exe
advancedvirscanner3 .com
antimalwareonlinescanv4 .com
antivirus-scannerv17 .com
antivirusquickscan2 .com
best-security-scanv8 .com
bestantispywarescanv4 .com
bestantivirusscanv8 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
virusonlinescanv3 .com

94.102.51 .26/download/antivirus-C8D1_2009-1506.exe
advancedpcscanner3 .com
bestpersonalprotectionv7 .com
computer-antivirus-scanv9 .com
fastvirusscanv6 .com
govirusscanner .com
intellectual-vir-scan08 .com
intellectual-vir-scan09 .com
onlinebestscannerv3 .com
onlinepersonalscanner .com
onlineproantivirusscan .com
onlineproantivirusscanner .com
reliable-scanner01 .com
reliable-scanner05 .com
secure-antispyware-scanv3 .com
securityfolderprotection .com
spyware-scannerv2 .com
spywarescannerv4 .com

193.169.12 .70/download/antivirus_70.exe
91.212.127 .200/download/antivirus-AD4D76_2006-69.exe
78.46.251 .43/download/antivirus-913_2004.exe
78.46.201 .89/download/antivirus_156.exe
209.44.126 .52/download/antivirus-9853D_2033-7.exe
78.46.251 .43/download/antivirus-75FF09D_2007.exe
88.198.107 .25/download/antivirus-A4238A0_2009-1.exe
209.44.126 .52/download/antivirus-815_2033-7.exe
94.102.51 .26/download/antivirus-5C76A_2006-69.exe
91.212.107 .5/download/antivirus-CE41_2007.exe
88.198.120 .177/download/antivirus-4A8D4_2030-4.exe
78.46.251 .43/download/antivirus-815_2015-5.exe
88.198.81 .153/download/antivirus-9DC048_2002-8.exe
83.133.126 .201/download/antivirus-9AB1B_2024-7.exe
94.102.51 .26/download/antivirus-E3DAD_2006-69.exe
78.46.201 .89/download/antivirus_88S1.exe
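The lists above, like the other indicator lists on this page (the first FakeAv download paths, the Koobface "/0x3e8/setup.exe" URLs, the "hxxp" C&C link), are defanged with inserted spaces so they cannot be clicked. Turning them into a blocklist means refanging and normalizing them first. The following Python is an added example and not code from the ThreatFire post or product; the sample lines are constructed in the same shapes as the lists here, and the rogue AV brand-name heuristic is my assumption based on the naming pattern the post points out ("official sounding" scanner words plus a version-like number), not a rule the post gives.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the same defanged shapes as the lists in this
# post: spaces inserted inside IPs, before TLDs and between host and path,
# plus an "hxxp" scheme. Not copied from any live feed.
SAMPLE_LINES = """
88.198.107.25 /DOWNLOAD/ANTIVIRUS-5920E_2007.EXE
88.198.81. 153/download/antivirus-9446_2001-2.exe
advancedvirscanner3 .com
intellectual-vir-scan01 .com
hxxp://cismosis. com/up21.php
94.76.194 .116/ 37.exe
84.109.178.7 /0x3e8/setup.exe
update_flash_plugin.v.40013.exe
not an indicator at all
""".splitlines()

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Assumption: words the rogue AV domains on this page are built from (heuristic only).
FAKEAV_WORDS_RE = re.compile(r"antivir|virus|spyware|malware|scan|secur|protect|defender", re.I)


def refang(line):
    """Undo the post's defanging: hxxp -> http and drop the spaces inserted
    around dots and slashes. Returns None for prose lines that keep spaces."""
    s = line.strip()
    if not s:
        return None
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"\s*([./])\s*", r"\1", s)
    return None if " " in s else s


def parse_indicator(line):
    """Classify one refanged token as an IP or domain, keeping any URL path."""
    token = refang(line)
    if token is None:
        return None
    parts = urlsplit(token if "://" in token else "http://" + token)
    host = (parts.hostname or "").lower()
    if IPV4_RE.match(host):
        kind = "ip"
    elif DOMAIN_RE.match(host):
        kind = "domain"
    else:
        return None  # a bare filename (underscore label) or garbage, not a network indicator
    path = parts.path if parts.path not in ("", "/") else None
    return {"kind": kind, "host": host, "path": path}


def looks_like_fakeav_brand(domain):
    """Heuristic: scanner/antivirus vocabulary plus a digit in the name."""
    label = domain.rsplit(".", 1)[0]
    return bool(FAKEAV_WORDS_RE.search(label)) and bool(re.search(r"\d", label))


def build_blocklist(lines):
    """Aggregate lines into {host: {"kind", "paths", "fakeav_name"}}."""
    hosts = {}
    for line in lines:
        ind = parse_indicator(line)
        if ind is None:
            continue
        entry = hosts.setdefault(ind["host"], {
            "kind": ind["kind"],
            "paths": set(),
            "fakeav_name": ind["kind"] == "domain" and looks_like_fakeav_brand(ind["host"]),
        })
        if ind["path"]:
            entry["paths"].add(ind["path"])
    return hosts


def render_denylist(hosts):
    """One tab-separated line per host with its paths, sorted for stable diffs."""
    out = []
    for host in sorted(hosts):
        paths = ",".join(sorted(hosts[host]["paths"])) or "-"
        out.append(f"{hosts[host]['kind']}\t{host}\t{paths}")
    return out


if __name__ == "__main__":
    for row in render_denylist(build_blocklist(SAMPLE_LINES)):
        print(row)
```

Feeding the page's lists through `build_blocklist` yields one entry per host with every download path seen under it, which is the shape a proxy denylist or a DNS sinkhole import wants; lines that still contain a space after refanging (prose, annotations like the "<--" note further down) are dropped rather than guessed at.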

Posted in Virus News

PPStream is a multimedia player used widely throughout Asia, as in hundreds of millions of users. As such, it is interesting when crashes for widely used client-side software are reported as “exploitable” on various blogs and PoC sites.

According to the post, the reportedly vulnerable ActiveX component is MList.ocx, and it appears to contain a heap overflow condition. The author had not released a workable exploit, and there appear to be no ThreatFire community reports for the component. Its exploitability is being discussed on full disclosure lists and various other forums:
“PPStream is the most huge p2p media player in the world. There are two hundred million ppstream users in the world. The vulnerability is exploitable, but I have no time to make it, you could visit my blog for detail. ^@^”

So it appears to be a work in progress. If it is exploitable for such widely used software, it is strange that this one did not hit the underground market first and it has not been added to known exploit packs and kits. If you are using PPStream, be wary of the sites that you stream until you patch.

Posted in Malware Alerts

The relentless group pushing malicious downloaders, crafted most often to appear as video codecs and also packaged with cracks, underground key generators, and blackhat SEO schemes, this week has moved serving up its warez from 95.211.8.21 to 64.20.55.163. The server now hosts files named similarly to “flash-plugin_update.45031.exe” (the number in the name changes per download).

A number of domains resolve to that IP address, 64.20.55.163:
094k.ofspokesman .com
bestexe .com
bestexeonline .com
boomexe .com
boomexesite .com
hardexeworld .com
hexexe .com
hexexeterra .com
lastexe .com
lastexesite .com
luxexe .com
novoxexe .com
startexcite .com
startexe .com

ThreatFire is preventing the malicious downloaders in high volumes and currently is the most reliable solution for detecting this family. Scanning the files as they are downloaded and run by users shows dismal detection rates, as the downloaders evade detection with frequent repacking and obfuscation. Be sure to add a behavioral solution that can definitively recognize entire families of malware like this one reliably, and do your best to ensure that the software that you are downloading and installing is coming from a trustworthy source.

Posted in Malware Alerts

We’ve been waiting for some stats to come rolling in, but we haven’t seen a hint of a 0day worm, or any attacks for that matter, on the current Microsoft FTP module 0day.

Instead of the FTP 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and the Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users don’t patch systems, for various reasons, for years?) The worm itself attempts to exploit the aged vulnerability and deliver download-and-execute shellcode, pulling down and running more malware on the compromised host. That shellcode has been downloading from an incremented-daily URL on a server hosted in England since August 2nd. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.

Posted in Virus News

Last week’s Bredolab post generally described the ongoing downloader’s email blasts and the malicious injector/downloader’s static and dynamic characteristics. Here are a few more screenshots of the moneymaker payload. This payload currently is the rogueware/scareware “PC AntiSpyware 2010”, which also has been distributed in a number of other ways over the past few months.

First off, users are prompted with the all-too-familiar, inaccurate and scary taskbar balloon “Your Computer is Infected! Windows has detected spyware infection!”.

The software then pops an attractive dialog, appearing to scan the drive and find infections. So far in this screenshot it incorrectly reported 34 infections on our clean lab machine:

Even on our clean lab system, the user is also prompted with a series of phony malware detections. This one appears to be “Email-Worm.JS.Gigger”, which they claim can “reformat the user’s hard disk after reboot”:

A registration page will eventually pop up, which redirects the user to a page to register the software for a “Lifetime Software License – 89.95 USD One Time Charge”.

The home page for the site includes a set of supposed “Testimanials” and a list of award logos that they have never achieved:

This site’s installer, “installer2.exe”, is served up from a site hosted in London:
uliondarvasoka.com
216.86.144.130

As warned in the previous post, always be suspicious of attachments that arrive via email, software being delivered from web sites that don’t seem to be trustworthy, and add a behavioral layer of protection to your system.

Posted in Virus News | 2 Comments

Previous posts showed spam-based scams attempting to deliver a payload named “pav.exe” onto your system. The scam is continuing with the title “Total Security” for the familiar scareware messages. Be aware that there is a legitimate security suite that includes those words in its name, but this scam is not that legitimate package. You can recognize the fake scan with phony detections here:

Phony scan offering and immediate scan requirement here:
“Warning!!! Your system requires immediate anti viruses scan! Total Security can perform fast and free virus and malicious software scan of your computer .”

Full phony detection message here:
“Harmful and malicious software detected. Such programs may damage your computer and steal your private information. Online Security Scanner requires Total Security components to repair your computer. Please click OK to download and install Total Security tool.”

Today’s and yesterday’s most active domains/IP addresses included:
88.198.120.177
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-online-scan7 .com
best-antivirus9 .com
live-virus-scanner3 .com
online-best-scanv3 .com
premium-antispy-scanv3 .com
premium-antispy-scanv7 .com
professionalcomputerscanv2 .com
safeonlinescannerv4 .com
safeonlinescanv4 .com
secure-spyware-scannerv3 .com

91.212.127.200
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-online-scan7 .com
best-antivirus9 .com
live-virus-scanner3 .com
professionalcomputerscanv2 .com
safeonlinescannerv4 .com
safeonlinescanv4 .com

88.198.81.153
antivirus-scannerv17 .com
best-security-scanv8 .com
bestantispywarescanv4 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com

78.46.251.43
antivirus-online-scan5 .com
antivirus-scannerv12 .com
antivirus-scannerv15 .com
getyourantivirusv3 .com

83.133.126.201
antivirus-scannerv17.com
bestantispywarescanv4.com
professionalspywarescanv8.com
professionalvirusscanv3.com
protectedsecurityaudit.cn

ThreatFire preventions for this scareware/rogueware payload continue to be on the rise. Before installing any software, be sure to inform yourself by looking into opinions and reviews of legitimate products.

Posted in Malware Alerts

One of the most enjoyable and informative annual anti-malware conferences is being held in Geneva, Switzerland this year. The upcoming Virus Bulletin 2009 will bring presentations over three days on two tracks, business and technical, taking place 23-25 September 2009. Online registration is available on the site.

On the technical track, Kurt Baumgartner from our PC Tools ThreatFire research team will be presenting for a third year. “AntiRE En Masse” will be a discussion of anti-reversing techniques documented in Peter Ferrie’s recent set of papers published in multiple Virus Bulletin magazines over the past year and their implementation (or lack thereof) in a set of the past year’s most prevalent or active malware families. Waledac, Koobface, Taterf/Gamepass, and other crimeware nailed by ThreatFire on a daily basis will be dissected and examined in this light. We look forward to seeing you there.

Posted in Virus News | 1 Comment

It seemed strange when the steady stream of changing, but similar, Mebroot (also known as Sinowal) executables dried up in late July. But alas, the MBR-infecting family seems to have simply run out of flour and wheat for their “pasta theory” code, as described by Elia Florio and Kimmo Kasslin.

The spaghetti code typical of the Mebroot family for so long seems to have been straightened out. Known for downloading banking and financial service password stealers, it also developed a reputation for oodles of obfuscation in its executables. Now, instead of the neverending jmps, rets and scrambled code flow, the family seems to be released without the pasta and with a series of bogus calls — some DeviceIoControl with a stack full of NULL parameters, some bogus filenames passed to CreateFile, etc. Otherwise, the components observed in the lab match up with past Mebroot components, so we are digging deeper into the chances that we really are witnessing a new generation of the malware.

At the time we started digging into the dropper, googling “dedkeopght.com”, the site from which the malcrafted pdf file fetched this MBR-injecting payload, turned up no results whatsoever. Neither did scanning the payload file (the dropper) with a variety of AV file scanners. However, ThreatFire users are safe, and TF continues to prevent its injections and MBR infection techniques.

Be sure to regularly update your software and add a behavioral solution to your system.

Posted in The Law

We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but some of the classic characteristics of the Waledac trojan/worm — the email/spam engine, AES encrypted/bzip2 compressed P2P peering listing, DDoS capabilities, http C&C contact, email harvester, and credential stealing functionality. Along with the FakeAv downloads coming from these servers, these executables may be a variant on the spambot. We’ll update this post with more information as we more accurately identify the malware.

Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables; be sure to add a layer of behavioral protection to your system with ThreatFire.

Posted in The Law

Around the 17th of this month, the relentless malware distribution gang serving up malicious downloaders in a variety of scams and “headline malware” schemes moved their wares from 95.211.8.20, as described in a previous post, to their newest location at 95.211.8.21. Their phony codec file naming scheme has changed slightly yet again:

update_flash_plugin.v.40013.exe

95.211.8.21
alsexe.com
astexe.com
callexe.com
domainexe.com
helpexe.com
helpexeguide.com
homeexeguide.com
loadexedirect.com
sitespacesexe.com
texeguide.com
thetestexe.com
topexeonline.com

As always, be sure to add a layer of behavioral detection to your system. Detection for these downloaders is generally poor; the FakeAv payloads receive more attention, but not 100%.

Posted in The Law

Over the past three days, ThreatFire users were being targeted by a higher number of Bredolab downloaders. Bredolab is a nasty, morphing little downloader being spammed out in droves mostly to users in the U.S. and Europe. While it seemed to have been a short term experiment at first, the blasts are continuing throughout the year. At first, the group sent out UPS related attachments (UPSDocs_IN987712001.zip, UPSFile_Nr67721912.exe, UPSNr_76129811.exe, etc) to the community, which were duly prevented when run by the duped user.

The scheme has changed slightly away from the UPS theme to a more generic one. The executable, most likely with its origins in the Russian Federation, currently arrives in a .zip email attachment. Most of the related messages seem to suggest that the soon-to-be-victim has ordered an item:

“Thank you for settling the order No. *insert random number here*.”

The .zip attachment, once extracted, is usually an ~36-40kb executable that maintains an Excel icon, as seen here with a few examples:


A few example names recently prevented in the ThreatFire community:
D6e4c332d.exe
D391d6951.exe
D0193c67c.exe
D0f2984b8.exe
D4fdce55f.exe

The attachments are interesting in that they are packed in layers, with an outer code layer (that changes across binaries) consisting of function-less jumps and garbage code, followed by another layer that decrypts the inner, static, UPX packed payload. This UPX payload contains another layer of encryption that appears to remain static across binaries. This payload contains the unexpected injection and downloader functionality, injecting itself into system components to retrieve more malware from the web. It also overwrites user mode hooks in an attempt to evade hook based security solutions, with a technique frequently used by game cheats in the past.
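A mail-gateway style triage of such an attachment, as an added example that is not code from the post or from ThreatFire: it opens a .zip, and for each member flags a PE header regardless of the extension, an executable extension, a double extension, and a name and size matching the shape described above. The D<8 hex digits>.exe names and the ~36-40 KB size come from the post; using them as detection signals is my assumption, and the sample archive is constructed in memory from an MZ header padded with zeros, not a real sample.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll"}
# Assumption: the campaign's D<8 hex>.exe naming (from the post's examples) stays stable.
BREDOLAB_NAME_RE = re.compile(r"^D[0-9a-f]{8}\.exe$", re.I)
# The ~36-40 KB size range the post reports for the attachment.
SIZE_LO, SIZE_HI = 36 * 1024, 40 * 1024


def build_sample_zip():
    """Constructed stand-in for the spammed attachment: a tiny fake PE of the
    right size, a benign text file and a double-extension decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("D6e4c332d.exe", b"MZ" + b"\x00" * (38 * 1024 - 2))
        zf.writestr("order_details.txt", b"Thank you for settling the order No. 12345.")
        zf.writestr("invoice.xls.exe", b"MZ\x90\x00" + b"\x00" * 100)
    return buf.getvalue()


def inspect_attachment(zip_bytes):
    """Return one finding dict per archive member: name, size and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)              # DOS header magic, independent of the file name
            name = info.filename.rsplit("/", 1)[-1]
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if head == b"MZ":
                reasons.append("pe_header")
            if ext in EXEC_EXTS:
                reasons.append("executable_extension")
            if ext in EXEC_EXTS and lower.count(".") > 1:
                reasons.append("double_extension")   # e.g. invoice.xls.exe posing as a spreadsheet
            if BREDOLAB_NAME_RE.match(name):
                reasons.append("bredolab_name_pattern")
            if head == b"MZ" and SIZE_LO <= info.file_size <= SIZE_HI:
                reasons.append("bredolab_size_range")
            findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def should_quarantine(findings):
    """Quarantine when any member is executable by content or by extension."""
    return any({"pe_header", "executable_extension"} & set(f["reasons"]) for f in findings)


if __name__ == "__main__":
    for f in inspect_attachment(build_sample_zip()):
        print(f["name"], f["size"], ",".join(f["reasons"]) or "-")
```

The content check (`MZ` magic) is the one that matters against a renamed payload; the name and size patterns only add confidence and would be expected to drift as the campaign repacks.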

At the beginning of the year, the Bredolab downloaders were retrieving Rogueware/Scareware/FakeAv. AV file scanner performance against them was a mixed bag: more often they were only able to generically detect the changing encryption schemes, and they often mixed up identification of Bredolab samples with Waledac (and their packers) and vice versa, or missed them altogether (file detection can be a very tricky thing for scanners). On a behavioral level, the current downloaders are attempting to download Rogueware/FakeAv components and are adding a banking password stealing Zbot variant to the mix. However, as of this week, the server that provided the additional payloads continues to be down.

Be cautious of what you open when it arrives in the mail.

Posted in The Law

Rogueware of the week: Personal Anti-Virus

The distributors of this scareware, FakeAv, Rogueware, Fakealert (whatever you want to refer to it) software recently have chased headline events as we posted here. As the distributors repack the binaries for their ongoing various campaigns, the newest variants are evading legitimate AV detection fairly effectively for the most part. In the meantime, the ThreatFire community continues to be protected from the latest pav.exe variants and activity has been quite high over the past few days.

The install names seen in the ThreatFire community, in addition to the pav.exe payload, look like
Antivirus-3ab3_2006-71.exe, Antivirus-9dc04_2006-71.exe, Antivirus-dea18f_2006-71.exe.

This morning’s top five busiest servers providing these installers are hosted on IP addresses accompanied by very official sounding DNS names…
88.198.120.177
best-folder-scanv3.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
online-best-scanv3.com
online-defenderv9.com
online-secure-scannerv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com

91.212.127.200
check-for-malwarev3.com
check-your-pc-onlinev3.com

88.198.107.25
best-folder-scanv3.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
online-best-scanv3.com
online-defenderv9.com
online-secure-scannerv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com

91.212.107.5
basicsystemscannerv8.com
best-folder-scanv3.com
bestpersonalprotectionv2.com
bestpersonalprotectionv7.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
computer-antivirus-scanv9.com
fastvirusscanv6.com
govirusscanner.com
mysafecomputerscan.com
online-best-scanv3.com
online-defenderv9.com
online-pro-antivirus-scan.com
online-secure-scannerv2.com
onlineantispywarescanv6.com
onlinebestscannerv3.com
onlinepersonalscanner.com
onlineproantivirusscan.com
onlineproantivirusscanner.com
personalantivirusprotection.com
personalfolderscanv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
private-antivirus-scannerv2.com
privatevirusscannerv8.com
secure-antispyware-scanv3.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com
securepersonalscanner.com
securityfolderprotection.com
spyware-scannerv2.com
spywarescannerv4.com

209.44.126.52 <-- This one and its related domains appear to be more recently used by the group.
antimalwareonlinescanv4.com
best-security-scanv8.com
online-secure-scanv7.com
virusonlinescanv3.com

94.102.51.26
basicsystemscannerv8.com
best-folder-scanv3.com
bestpersonalprotectionv2.com
bestpersonalprotectionv7.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
computer-antivirus-scanv9.com
fastvirusscanv6.com
govirusscanner.com
mysafecomputerscan.com
online-best-scanv3.com
online-defenderv9.com
online-pro-antivirus-scan.com
online-secure-scannerv2.com
onlineantispywarescanv6.com
onlinebestscannerv3.com
onlinepersonalscanner.com
onlineproantivirusscan.com
onlineproantivirusscanner.com
personalantivirusprotection.com
personalfolderscanv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
private-antivirus-scannerv2.com
privatevirusscannerv8.com
secure-antispyware-scanv3.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com
securepersonalscanner.com
securityfolderprotection.com
spyware-scannerv2.com
spywarescannerv4.com

Update: Dancho Danchev dissected the SEO campaign related to delivering this FakeAv here. It seems that the campaign may be morphing its keyword targets to printables, bob the builder valentines, wisconsin badgers, and others.

Posted in The Law

Koobface continues to tweet its assault on the twittersphere and social networking sites. Here is an abbreviated list of the higher volume Koobface URLs that the ThreatFire community has been protected from over the past 48 hours. See a pattern here (DO NOT VISIT ANY OF THESE LINKS AND DOWNLOAD THE MALWARE SERVED THERE)?

84.109.178.7 /0x3e8/setup.exe
24.26.210.231 /0x3e8/setup.exe
70.55.53.249 /0x3e8/setup.exe
76.73.251.20 /0x3e8/setup.exe
62.0.89.172 /0x3e8/setup.exe
79.181.64.72 /0x3e8/setup.exe
66.25.232.104 /0x3e8/setup.exe
75.74.67.164 /0x3e8/setup.exe
24.174.63.153 /0x3e8/setup.exe
98.141.34.175 /0x3e8/setup.exe
83.185.64.203 /0x3e8/setup.exe
92.114.157.146 /1/PP.11.EXE
75.119.106.62 /0x3e8/setup.exe
71.76.142.141 /0x3e8/setup.exe
92.33.141.77 /0x3e8/setup.exe
98.197.95.169 /0x3e8/setup.exe
173.66.158.253 /0x3e8/setup.exe
174.96.77.152 /SETUP.EXE
76.73.251.20 /0x3e8/setup.exe
68.144.24.217 /0x3e8/setup.exe
174.42.228.14 /0x3e8/setup.exe
207.199.227.243 /SETUP.EXE
72.174.220.70 /0x3e8/setup.exe
81.245.19.99 /0x3e8/setup.exe
190.20.145.48 /0x3e8/setup.exe
65.71.236.57 /0x3e8/setup.exe
74.67.182.131 /0x3e8/setup.exe
88.74.12.80 /0x3e8/setup.exe
68.45.27.253 /0x3e8/setup.exe
77.210.43.169 /0x3e8/setup.exe
79.181.28.74 /0x3e8/setup.exe
76.126.23.249 /0x3e8/setup.exe
70.53.46.21 /0x3e8/setup.exe
24.113.132.233 /0x3e8/setup.exe
92.114.157.146 /1/FB.58.EXE
67.9.38.140 /0x3e8/setup.exe
75.187.74.2 /0x3e8/setup.exe
24.141.233.195 /0x3e8/setup.exe
75.34.65.250 /0x3e8/setup.exe
69.137.75.168 /0x3e8/setup.exe
84.109.35.166 /0x3e8/setup.exe
65.50.33.145 /0x3e8/setup.exe

Obviously, this is a fairly well automated scheme. The site locations are scattered throughout the globe. All the sites that we have visited serve up the same rather uninspired video presentation with a familiar and phony “Flash Player upgrade required” page. It serves malicious Koobface binaries from a most likely fictitious Bruno Carlot and his video about Hong Kong:

As always, exercise a high level of caution when reading tweets with links, and add a behavioral layer of protection to your system.

Posted in The Law

Cutwail (also known as Pandex) malware is not a new family name on the bot scene. However, the Cutwail/Pandex botnet is described as one of the largest and most active botnets currently known. This resilient botnet managed to bounce back after both the McColo ISP and the more recent Pricewert/3FN ISP shutdowns in California, both of which brought down global levels of spam for a short time and cut off the control servers where many bots retrieved their command and control instructions.
To further the botnet’s resilience and spread, the distributors of the malicious executables attempt to re-pack and re-obfuscate the components to evade security file scanners on victim systems. The executable runtime behavior may change across variants just a bit, but the fingerprint and physical makeup changes dramatically. This type of evasion, of course, is ineffective against a behavioral-based solution like ThreatFire. Cutwail is successfully prevented from running on ThreatFire community user systems on a daily basis.

Some of the latest Cutwail/Pandex variants are themselves delivered in a variety of ways to a user’s system, renamed to reader_s.exe and run (note, other prevalent and current variants are renamed to update.exe). Reader_s.exe drops 0.exe, which drops an ADS or “alternate data stream” to the drive. This sort of location on the drive is tricky for a user to spot, because the svchost.exe:ext.exe stream cannot be seen as a file within an explorer window. This ADS executable code is installed as a system service by the Cutwail dropped executable 0.exe. Then, 0.exe launches and hijacks a svchost.exe process, communicating from it over an encrypted channel to a set of IP addresses. These communications eventually result in the compromised system gathering information to spew enough spam to help generate over 74 billion messages a day from the botnet.

The packing and evasion techniques implemented within these executables change over time. One of the recent techniques is one that we have seen before in a variety of Fakealert executables in the past — intermixing random MMX instructions into the compiled code itself. These instructions have no functional purpose whatsoever. They simply modify values within the MMX registers arbitrarily. Intermixing the MMX instruction set unexpectedly within functions using the general-purpose Intel instructions can cause problems for recognizing Cutwail malcode for emulators, backend automation, and AV scanners themselves — the evasion technique can be effective.

You can see one such function that was modified with MMX “nop” filler:

Protecting your system from becoming a part of the largest, most active botnet on the web requires an effective behavioral based layer like ThreatFire.

Posted in The Law

koob-Face or ter-Twit? The ongoing abuse of twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video :) ” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:

The malicious Koobface worm that ThreatFire has been preventing on desktops is served from this site under the name “setup.exe”. Interestingly, a number of the IP addresses serving up Koobface have also been in use by Waledac distributors.

The ThreatFire community has been reporting Koobface being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these IP addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of the JavaScript (mods mine) hosted on the redirect pages; it examines the victim’s URL query string (location.search) and, based on a list of extremely popular social networking sites, redirects them to a variety of spoofed pages:

// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;            // the victim's query string
var abc;                                  // base URL for the spoofed pages, chosen below
if ((location.search).length > 0) abc = abc1; else abc = abc2;
// table of [social network host, spoofed landing page] pairs
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page serving up an executable download, be very suspicious. And of course, run a behavior-based solution like ThreatFire as a layer on your system.


When it’s a FakeAv/Rogueware downloader, of course. An interesting note about the malware served from the ongoing operation covered in many previous posts, which recently moved to 95.211.8.20: since August 1st, the group has been serving up executables labelled as Flash plugins. It seems their “viewer” theme (streamviewer.exe, tubeviewer.exe, porntubeviewer.exe, etc.) wasn’t as successful as it used to be. Here are a few that ThreatFire prevented in the community today:

95.211.8.20/ flash-plugin.45032.exe
95.211.8.20/ flash-plugin.45031.exe
95.211.8.20/ flash-plugin.40040.exe

The downloaders continue to phone home for malware payloads to the same URLs as previously posted:
myart-gallery .com
robert-art .com
superarthome .com

ThreatExpert report here. As always, add a behavior-based security layer like ThreatFire to your system and be wary of sites trying to force a codec install or upgrade.
