What's in a name? — Adclicker agent spambots

Sometimes family names from various AV products don’t really fit the behavior of samples that we are seeing. The naming conundrum has been an ongoing challenge for the AV industry. One serious attempt at a naming standard put forth by CARO in 1991 has been casually used for some time. But no product has been absolutely compliant over the past 17 years, and a message at the group’s site makes it seem that the group, and its half-used standards, is running out of steam:

Some leaders in the industry have called the latest attempt, the CME naming standard, dead. That is arguable, but the question remains, how effective is the CME standard at helping consumers of security software understand what they are being protected against and reducing the public’s confusion in referencing threats during “malware incidents”? Has it improved communication and information sharing between vendors and the rest of the community?

Currently, we are looking at a surge in malicious binaries in our user community that either are currently undetected by the major AV scanners or have been misnamed altogether. The file names for these binaries are random, but look like:

The files are custom packed to make reversing more difficult. Most of these samples use an interesting encoded series of communication that would be described as botlike activity. This morning, they are pulling down “install_cn.exe” from a variety of sites, and then go on to spam out messages with sex-themed content from the infected host (links below intentionally modified):

You really can make your wife more gratified!
You dont know what to do? It’s more than simply
Follow this link to learn more
http://kfc< >esa.com/
Have an impassionedzealous love!

You have a nice chance to say goodbye to your sexual troubles
You dont know what to do? Here a recipe for you….
Use link to learn more…
http://dontw< >forsizes.com/
Have a passionate nights!

Make your lady-love satisfied!
You dont know how? It’s simply!
All details are here:
http://www.incr< >esizesnow.com/
Have a fervent love!

Related malware reports of previously detected and undetected samples, dating back to the end of November, show that the effort to release this stuff exhibiting similar behaviors and communicating with the same domains is not entirely new, and that family names provided by scanners differ across all the samples when they are first released.

Unfortunately, this leads us to believe that 2008 is becoming another banner year for spam and rogueware (the new adware).
So what to call it? We’ll see updates and modifications for this one, and it blurs the lines of the adclicker, spambot, zlob family characteristics and more. Right now, you might see this one prevented by ThreatFire as Trojan.ClizxkBot or Trojan.AdClicker. We hope not.

This entry was posted in Online Fraud. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>