Tuesday, December 31, 2013

Happy New Year!


To all my readers, I wish you a happy New Year! Stay tuned, as there will be more blog posts in 2014!

The most important tips of 2013 were probably:





Stay safe folks. May you all have a great and malware-free 2014!






Tuesday, November 5, 2013

Latest UPS spam runs include exploits


Spam runs never get old. Whether you have received a package from UPS, FedEx or even PayPal notifications, they either lead you to (poorly crafted) phishing websites or malware (mostly Trojans like Zeus).

This afternoon I saw a tweet from one of my friends on Twitter:


Not many moments later I had received the mail in my inbox. Here's what it looked like:

UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581



















Mail seems to come from:
auto-notify@ups.com or
auto@ups.com

Obviously the mail is spoofed and is really coming from:
UPS@enviosuperfast.info or
Quantum@enviosuperfast.info or 
View@enviosuperfast.info 

Which traces back to:
192.123.32.83 - Result & 184.82.214.54 - Result

Attached is a file called:
invoiceU6GCMXGLL2O0N7QYDZ.doc
MD5: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Malwr Report
Malware Tracker Report

Other file names are possible as well, but always follow the same format:
invoiceXXXXXXXXXXXXXXXXXX.doc, where XXXXXXXXXXXXXXXXXX is a random string of 18 characters. I haven't seen any other possibilities (yet).

What's this? It seems this is not the usual ZIP file with a piece of malware in, no, rather this .doc file is actually an .rtf file which contains an exploit. There's also a URL in the mail, which leads to the download of the exact same file. (so you're screwed either way - whether you download/open the attachment or the link - malware authors wanting to up their success rate may be a good reason for this "tactic".)

Submission to Malware Tracker revealed CVE-2012-0158

 Let's perform some static analysis as well. Using our favorite tool Notepad++:
Clues in yellow indicating it's indeed an .rtf file (font used: Calibri)
















What's happening exactly when we are trying to open this with Wordpad? I can tell you: you just see the same thing as is happening above with Notepad++.

When using OfficeMalScanner (downloadable here) it is being revealed there's a (vulnerable) OLE document embedded. There's an excellent post over at SANS here as well on the usage of this tool.

Unfortunately OfficeMalScanner was unable to automatically extract malicious shellcode, but after some manual work I was able to receive another file, which ultimately delivers another exploit.

We have now two working exploits (both are exploits for Office/.RTF files):
CVE-2012-0158
CVE-2010-3333


When I tried to open it this .RTF file with Microsoft Word 2010, Word crashed and the following happened...:
 

Word crashing & malicious process(es) spawning



















Those are an awful lot of REG.exe processes, right? In case you're wondering, REG.exe is a legit Microsoft file - or tool- to edit the registry.

A process called WINWORD.exe is present, but neither vendor or description name are mentioned.
MD5: e5e1ee559dcad00b6f3da78c68249120
Malwr Report

Obviously this isn't the legit Microsoft Word, as that application had crashed. The first time I was reproducing this exploit in the works, it also dropped another file. Unfortunately I was a bit too fast and forgot to take a copy of that sample as well. I was not able to reproduce the spawning or creating of the latter sample.

The malware creates persistence by:
  • injecting into explorer.exe
  • Creating a key as follows: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baebadcaacbfcbcdsacfsfdsf

It also recreates itself in:
  • %ApplicationData%
  • %CommonApplicationData%


It calls back to the following domains:
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
feeds.nsupdatedns.com
feed404.dnsquerys.com
static.invoice-appmy.com

... Which resolves to the following IP's:
158.255.2.60 - Result
118.67.250.91 - Result


The reason for these domain names are probably to fool network administrators who are possibly taking a peek at the packets passing through their appliance: "Oh, it's just for DNS queries." , one may think. Nothing's less true though.


Payload

The payload can vary in this case. According to VirusTotal results, it may be ransomware. I was unable to reproduce that kind of behaviour. I have feelings it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign, in their sample it's a Brazilian banking Trojan. You can read that article here.



Prevention



 Disinfection

  • Look for suspicious Run keys (examples here) and delete the associated file(s).
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!


Conclusion

One might wonder if this is a so-called "APT" (Advanced Persistent Threat). I highly doubt that.

Though spammers and malware authors have tried the technique of attaching a malicious file or posting a link in the mail, I haven't seen them do that both very much. (exceptions being some awkward and poorly made viagra spam)

Using these exploits, it's clear they are prooftesting their possiblities. How many have fallen or will fall for this campaign? How much of these mails were sent out anyway? There's no sure way of knowing.

Follow the above prevention tips. If you're an antivirus or security company or researcher or just someone interested in this field, this may interest you:

7500198c94051785a68addc5f264a10f
7c2fd4abfe8640f8db0d18dbecaf8bb4
ad0ef249b1524f4293e6c76a9d2ac10d
e5e1ee559dcad00b6f3da78c68249120

Friday, November 1, 2013

Malware spreading via Skype


Malware spreads via Skype. Just sends the file to all your contacts, nothing more, nothing less. (no message to invite you to check out "photos", no call, ...)


### Analysis ###

Known MD5's:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295


Callback to IP's:
88.150.177.162

Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc

Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets Proxy:
Yes


Type of malware: Caphaw - Banking malware


Technical details ~~

Meta-data
================================================================================
File:    /home/remnux/samples/invoice_171658.pdf.exe_
Size:    360448 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     293cc1f379c4fc81a7584c40f7c82410
SHA1:    7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep:  3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:    0x52739069 [Fri Nov  1 11:28:41 2013 UTC]
EP:      0x401270 .text 0/4
CRC:     Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_CURSOR          0x532b0  0x134    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x536c0  0x1eec   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x555b0  0x4e8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x55a98  0x128    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x55bc0  0xea8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x56a68  0x568    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x56fd0  0x10a8   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x58078  0x468    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR    0x533e8  0x14     LANG_RUSSIAN SUBLANG_RUSSIAN          Lotus 1-2-3
RT_GROUP_ICON      0x584e0  0x4c     LANG_RUSSIAN SUBLANG_RUSSIAN          MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION         0x53400  0x2c0    LANG_RUSSIAN SUBLANG_RUSSIAN          data

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy    
--------------------------------------------------------------------------------
.text      0x1000       0xee6        0x1000       5.764246   
.rdata     0x2000       0x49ce2      0x4a000      5.440947   
.data      0x4c000      0x619c       0x6000       0.012147    [SUSPICIOUS]
.rsrc      0x53000      0x5530       0x6000       3.693765   

Version info
================================================================================
LegalCopyright: gex Copright   ls soft
InternalName:  jex  MUWEfess dlle
FileVersion: 13, 13, 201, 1241
ProductName:  jox  Weaex Apps
ProductVersion: 13, 13, 21, 153
FileDescription:  jex dllx
OriginalFilename: lexlse.exe
Translation: 0x0419 0x04b0

~~


### Prevention ###

* Check your Skype settings. Only allow contacts to send you messages/files & contact you
* Don't download and run unknown files, especially PE(2) files


### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction

* When in doubt, seek advise on a professional malware removal forum(4)




### Conclusion ###

* Follow above prevention tips
* Use common sense & do not click on or run anything you encounter
* When in doubt, check the file on VirusTotal for example





# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs

Friday, October 25, 2013

PHP.net compromised


Unless you didn't have any internet access today, you must have heard about the compromise of PHP.net today. An excerpt:

One of the first confirmations that PHP.net is was in fact compromised






Google Safe Browsing warning













You can read the full discussion on whether PHP was compromised or not here:

Statements by PHP.net itself:
I think it's pretty clear by now how it (could have) happened: insertion of a malicious - or change of- a Javascript file on their website.

Let's start with the first entry of infection, most likely userprefs.js on the main page. Some heavily obfuscated Javascript is present, which redirects to either:
Redirects







Here's a Pastebin link containing the modified userprefs.js: http://pastebin.com/yZWxxk2h

After either of those redirects, PluginDetect (which is a legit Javascript library to detect browser plugins) determines your version of Adobe & Java. If you have any of those vulnerable versions installed, you'll get served with several flavors of malware. Your browser will either crash or "hang" for a while.

Interestingly enough, another PluginDetect was also trying to check for vulnerable versions of VLC, SilverLight and Flash.

If you don't have any of these installed, you're possibly being redirected to a website with the text "He took over Russia with a wooden plough, but left it equipped with atomic weapons" (seems to be a letter about Stalin, see here) which contains the following fancy YouTube video:
http://www.youtube.com/watch?v=9Mnmhtr4ThE


Let's move on to the actual payload. Thanks to a blogpost by Barracuda Labs, I was able to download the PCAP file they gathered. 


The PCAP file proved to be very interesting. Besides being able to pull the usual malicious Javascript files, I was able to gather some payloads as well, which aren't very friendly to your machine.

The following malware was seen to be downloaded: Fareit, ZeroAccess (GoogleUpdate/Google Desktop variant), Zeus and even ransomware (unknown) in one instance!

Fareit and Zeus/Zbot have been known for going hand in hand for some time now, see here for an earlier blogpost. When executed, you'll either have to pay up a fine (ransomware), get a rootkit (ZeroAccess) or get your information stolen (Fareit & Zeus). An overview of the information that will be stolen:

Your data being stolen





















I don't need to mention that this is quite bad. Have you visited PHP.net yesterday or today and saw your browser crash? Did you notice any strange behavior? Yes? No? Either way, perform a scan of your machine right away. We'll get back to that though.

MD5s of samples gathered:
c73134f67fd261dedbc1b685b49d1fa4
406d6001e16e76622d85a92ae3453588
dc0dbf82e756fe110c5fbdd771fe67f5
78a5f0bc44fa387310d6571ed752e217
18f4d13f7670866f96822e4683137dd6

Callbacks:
85.114.128.127



Prevention

  • Patch your Java & Adobe or uninstall it if you don't need it.
    Same goes for their browser plugins or add-ons!
  • Keep your browser of choice up-to-date.
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • Use NoScript in Firefox or NotScripts in Chrome.
  • Block the above IP. (either in your firewall or host file)


Disinfection 


  • Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware.


Conclusion

  • Every website can be injected with malicious Javascript, even well-known websites!
  • Received a Google Safe Browsing warning? Don't simply ignore it, either look up if anything's known about that website being hacked or if you're not sure, stay away from it for a while. (best case is to contact the site owner as well.)


Thursday, October 24, 2013

Twitter account suspended


This is just a small post to indicate that my Twitter account was suspended last week. (15 October 2013)
(don't worry, if you haven't been following, it's back up already since the 18th)

I received the following mail from Twitter:
Mail from Twitter










My account was inaccessible until the 18th of October, when they "un-suspended" it. Luckily my followers & following were recovered. As to this date, I haven't had any reply from Twitter, despite replying to their ticket.

As to the cause of my suspension? I'm unsure. I often tweet about malicious things, but I do keep malicious URLs out of them, even obfuscated ones. (easier just redirecting on Pastebin)

I have noticed however that I was tweeting about an account which was massively spamming Twitter. That tweet is still deleted. Not sure if it had anything to do with it, but I don't see too many other possibilities.


It appears I'm not the first to have had this situation. Mikko Hypponen from F-Secure had it as well somewhere in 2009:


You can't send any links in DMs anymore, so I guess Twitter is getting more restrictive. Which is a good thing. I just hope they won't produce any more false positives ;-) .

Michael Krigsman from ZDNet had also written a short article on Mikko's suspension:
http://www.zdnet.com/blog/projectfailures/twitter-suspends-security-researchers-account-as-a-threat/6327


I will update when I receive any news from Twitter.

Friday, October 11, 2013

Funny Facebook files deliver malware


I've recently got notified on an interesting malware campaign. I'll start with some screenshots:


Save the file and run! It is funny :)

DivX plug-in Required!


























 
Download and execute the facebook app, please!














Some examples of files that can be downloaded:
IamFunnyPNG-facebook.com
IamFunnyPNG-fb.com
IamNakedBMP-facebook.com
IamNiceTIFF-fb.com
IamSexyPIC-fb.com
IamSexyPNG-fb.com
MeBitchTIFF-fb.com
MeFunnyJPG-facebook.com
MeNakedJPEG-fb.com
MeNakedPIC-facebook.com
MeNiceGIF-fb.com;
MeNicePNG-fb.com
MeSexyJPEG-facebook.com
MeSexyPNG-fb.com
YouNakedJPG-fb.com
YouNiceBMP-facebook.com
YouSexyJPEG-fb.com
YouSexyPIC-facebook.com
YouWhoreJPEG-facebook.com


I think you get the point here. Users are being socially engineered to download a file that seems to originate from Facebook. The file is supposed to be an image file (PNG, TIFF, BMP, JPEG and even "PIC") but is in fact an executable. The initial landing page also ends in names of females, for example "laura.html" or "birgitta.html" .


Let's take a look at one of the downloaded files:
IamWhoreJPG-facebook.com
MD5: 1273f3ea6ae76340270bab57b073b0b5
Anubis Result
Malwr Result
VirusTotal Result


Unfortunately I was unable to execute the malware, as I currently don't have a physical machine to test it. According to VirusTotal results, it may be a Trojan called Yakes or Tobfy:
Trojan:Win32/Tobfy is a family of ransomware trojans that targets people from certain countries. It locks your PC and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.

Some variants might also take webcam screenshots, play an audio message pretending to be from the FBI, closes or stops processes or programs, and prevents certain drivers from loading in safe mode - possibly to stop you from attempting to disable the trojan.
See: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FTobfy

According to Ydklijnsma, this specific campaign drops bitcoin miner malware. See:
There's a good blogpost by Brian Krebs on the subject of bitcoin mining malware:
http://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/



Most of the malware seems to be hosted via the domain registrar "Hong Kong Sun Network":
Hong Kong Sun Network - hosting multiple malicious websites
























Some IPs that are involved - next to it their abuse contacts:









I'm betting it's safe to assume the worst and block these IPs (more investigation is needed though):
91.218.38.0/24
103.9.150.0/24
109.73.166.0/24
112.213.106.0/24
121.127.226.0/24
188.190.120.0/24

Most of the sites use the pattern described here:
If you're interested in some of the websites that are serving this malware, visit the following Pastebin:
http://pastebin.com/raw.php?i=8BqGPvhX
Note that links may still be live! 




Conclusion


  • Don't be fooled by websites that seem to resemble Facebook, always check the URL you are currently on before downloading or executing files
  • Install an antivirus and antimalware product and keep it up-to-date & running
  • Use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/
  • Use NoScript in Firefox or NotScripts in Chrome to block malicious attempts on unknown sites
  • Running "funny Facebook files" will usually provide you with everything but fun


Wednesday, September 11, 2013

Malware: the blame game



As you may know, there's a never-ending debate between who's at fault when a user is infected:
  •  is it the user for being "gullable" or being social engineered to click on a malicious link?
  •  is it the fault of the antivirus or antimalware application for missing an infection?
  •  is it the fault of the administrator in corporate networks for not having proper policies?
  •  last but not least side-question: is antivirus useless?

Here's an excellent article which goes deeper into these questions and discusses about it:
http://www.welivesecurity.com/2013/01/03/imperva-virustotal-and-whether-av-is-useful/
(TL;DR: Imperva performed an antivirus test with doubtful and possibly improper testing methods and the (antivirus) community reacted on it)

My personal opinion? There's only one group to blame here which seems to get missed in these debates: the malware writers themselves. After all, the people who create (and use) the malware are responsible for the millions of infected machines and affected businesses, which may both lose a considerable amount of money by either
  • users: paying up to ransomware or rogueware, or CC (Credit Card) theft or fraud
  • businesses: personal records stolen (user/password databases), business plans stolen, not to mention the financial & productional losses.

So what's the endless discussion about and why are we not blaming the malware authors and botnet operators? (to learn more about botnets see my blogpost: the botnet wars: a Q&A)

Here are the main points antivirus companies are blamed on:
  • making money on the back of the customer and 
  • not protecting well enough.  

How much of this is true? Is antivirus dead? My only comment about this:
antivirus provides a good (basic) layer or level of protection on your machine. Is it sufficient? Maybe. Do you need extra protection? Depends. If you're a normal "home user", an antivirus and firewall will surely suffice. Free or paid antivirus doesn't really matter at that point. If you're in an organisation or corporation, antivirus will surely provide a good base to start from, not only signature-based but heuristically as well.

But you'll need more. Ideally, you need an extra set of eyes just for monitoring unusual behavior in your network. Is this realistic? Maybe. Are there solutions specifically designed for this on the market? Yes.

I won't go any deeper into the points above, as it's been discussed & debated upon many times.

Moving on:

Do ISPs (Internet Service Provider) need to take an arrow in the knee for this? How many and which ISPs are already detecting machines which are infected? These are newer and interesting questions as well. ISPs are obviously not responsible when a user is getting infected, however... When that machine in question starts sending out quite a lot of traffic (zombie), does the ISP need to take action?

In my opinion, if there's indeed an unusual load of traffic coming from a machine (sending out mass emails, trying to DDoS a box, ...) the ISP should indeed warn the user.

Some ISPs already do this, for example:
CenturyLink, KPN, Time Warner, Xs4All, Ziggo, ...

Getting back to my original point. Whenever there's a big "outbreak" of malware or there's a so called "APT" (Advanced Persistent Threat) found, people from several branches of the industry are very fast to point fingers or play the blame game (hence the title of this post). Examples:


  • You have no proper security implementations!
  • Your $securitysolution sucks! (use ours!)
  • You(r employees) are easily fooled!
  • You use Windows!
  • ...


It so appears that every single person is forgetting the simple fact that malware writers are actually the cause of one's computer issues. Not antivirus. Not Microsoft. Not the user. Not the ISP.
You can basically view these as buffers. Buffers against the malware. Buffers against the bad guys. Yes, you reading this now, you're actually a buffer as well! Do you have any idea on how often companies are suffering from attacks? How many attacks are actually prevented by $securitysolution, sysadmins and even users?

So, let's state it clear for once and for all. There's only one entity to blame:
the malware writer / botnet operator / put-other-synonym-for-bad-guy-here

Why am I using the word "entity" you may wonder? Well... You must know that malware writer and botnet operator aren't actually synonyms (as opposed to suggested above). The malware writer isn't necessary a botnet operator or the other way around. One thing's for sure though: they both take the blame here.

The malware writer for creating and distributing the malware in the first place.
The botnet operator or herder for consequently infecting users.

Here's a simple flowchart I made about how the current "blame" situation is:
(the direction of the arrow indicates who is blaming who)

Note: may differ from current view


An ideal flowchart would be:


An ideal world?

























I propose a new model. One where nobody gets the blame, except for the malware writer malicious entity.


A model where nobody points the finger to the user, which seems to happen in quite a lot of the cases. 

Indeed, a joint effort is necessary in this particular subject. It requires effort from all the involved parties. 


We'll start with each and go build our foundation, our basis:


The user:

  • Should know his or her responsibility and consequences when browsing the web
  • Should install an antivirus & firewall (free or not is irrelevant, as long as both elements are present)
  • Should know there's no 100% protection. There's a maximum of 99(,9?)% protection at least.
  • ... That's basically it.

The antivirus vendor:

  • Should acknowledge the user.
  • Should know the user's needs and shortcomings
  • Should know there's no 100% protection. There's a maximum of 99(,9?)% protection at least.
  • ... That's basically it.


The security company:

  • Should acknowledge both the user and the antivirus vendor
  • Should keep giving feedback for both instances
  • Should acknowledge the cat and mouse game between "viruses" and "antiviruses"
  • ... That's basically it.


Microsoft:

  • See The antivirus vendor and The security company


The 3rd party app:

  • Should acknowledge the user
  • Should know the user's needs and shortcomings and therefore:
  • Simplify the processes while increasing the security (not easy, I know)

That's basically it. If by now you're still thinking things like "users are gullible", "X antivirus is really bad", "Y security company is really lacking", "Windows is filled with vulnerabilities", "Java, Adobe, etc. are so easily exploited", .... Then you missed the point of this post. Start again from the top.

The foundations suggested above are what they are, foundations, and is how I see it. Your foundations may differ depending on the situation you're in, but in the end we're all in the same situation:

"fighting the malicious entity".


That is why there's a need for cooperation, coordination. There are countless possibilities, but to give a few examples for a kick start (for once let's get a step ahead of the bad guys):

The 3rd party app:

Not too many options here, besides:
  • listening to feedback from security companies and researchers and
  • prioritize security and provide sufficient information about security patches.

Microsoft:
  • Continue the cooperation that currently exists between security companies and others
  • Share your research, especially new malware trends. Everyone benefits!

The security company:
  • Continue the cooperation that may currently exist between you and other companies
  • Found anything interesting? Don't hesitate to share. 

Note: I realize there are sometimes reasons specific findings or research may not or cannot be shared. Obviously these specific situations should not be shared then. If you're in this industry, I'm sure you'll know why. An alternative some companies are applying is simply not naming who or what has been affected, but still outlining the incident, solution approach and solution on itself.


The antivirus vendor:
  • Consolidate your resources. There are countless researchers out there who are simply eager to share their findings, suggestions, research or simple MD5 hashes with you
  • Share your own findings as well when there's an "APT". Do not simply use it for the next big marketing move
  • Share, where appropriate, MD5 hashes so the community can benefit.

The ISP:
  • Warn your customers when you see an unusual and/or malicious high traffic load from end-users

The webhost or hosting provider:
  • Provide clear, useful and enough information on how to send an abuse report

Note: I realize there are more than enough (malicious) webhosts out there which do not list an abuse@ address, provide a fake one or do simply not reply. If you are a webhost, start implementing proper security checks so there's no malware being hosted on one of the websites you provide. Provide an email address or online form where security companies and/or researchers and users can send their abuse reports.


Last, but not least:

Users:
  • Don't panic. Panic is a bad counselor. Stay focused and note down what happened or at least what you noticed or think what happened. What did you do right before the culprit happened?
    Did it turn out your version of Office or Windows is illegal?
    Did you click on a link? Did you pick up a call from "Microsoft Support" but ended up in paying countless dollars/euros/pounds/etc. for a problem that didn't even exist in the first place? 
  • Have you been infected with malware (in particular banking malware or ransomware)? 
  • Were you the victim of CC theft, identity theft or any other form of online fraud or theft? 

Report it to the correct instances. Sadly, I found very little useful websites in regards to those situations. Prevention tips are scattered everywhere, but what to do afterwards, when you sit there and think about what has happened, well, that information is very scarce. What I did find is listed here:


Is this of no useful information to you? Exactly. More resources should be available for this.
"What now?":

  • Contact your local police office and file a "cybercrime" complaint: you're a victim!
  • Consult the website of your local CERT - Computer Emergency Response Team - Often they have additional information or may even have a hotline or contact form to report your incident.
  • ...




Conclusion

In this post I have addressed the current situation in regards of a malware infection and its results. Who is to blame? The answer is simple: the malicious entity. This may sound mysterious but as indicated above, I mean the malware writer and/or botnet operator. You can also call it the "cybercrook" or "cybercriminal" or whatever term best suits your needs.

I have proposed a new scheme, a new situation, a new model where we can all benefit from. Insights have been given and hopefully something can come out of it. As a matter of fact, it all boils down to these 3 points:


  • You are not to blame, only the malicious entity is to blame;
  • Look at yourself before pointing the finger to others who have in fact provided you all these years with resources!
  • Work together. Cooperate. Coordinate. Consolidate. You may call it "the 3 C's".
    Be victorious in your efforts to stop "cybercrime" once and for all!


Originally I had named this blogpost "Responsibility with malware infections", but as the post (yes, you may call it a rant if you like) continued to grow, I realised the current title fits the subject in a more appropriate and understandable way. Though you should still take your responsibilities when this kind of incident happens.


Questions? Comments? Feedback? Suggestions? I'm all open for it. Give me a shout-out on Twitter or simply post a comment below. I'll try to answer as soon as possible.


Tuesday, September 3, 2013

PayPal spam leads to malware cocktail



Interesting spammail in one of the traps today, something wrong with your variables, malware authors? :-)

Subject: With your balance was filmed - 300 $ -Resolution of case #PP-025-851-848-207













Content of email:
ID

Transaction: {figure } {SYMBOL }

With your balance was filmed : - 500 $

                                                           -20 $

                                                           -49 $
---------------------------------------------------------------------

Balance is:                                      625 $

For more information, please see page View all history

Sincerely,

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT }


From:  service@int.paypal.com
Source IP: 96.10.192.31 - IPvoid Result
Botnet: Cutwail spambot

Malicious URL (active):
hXXp://dailyreport.cffy88.com/project/index.htm 


WhoIs information:
Domain Name ..................... cffy88.com
Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
Name Server ..................... dns29.hichina.com && dns30.hichina.com
Registrant ID ................... hc590857663-cn
Registrant Name ................. vinson luk
Registrant Organization ......... shenzhenshi caifufengyun keji youxian gongsi
Registrant Address .............. Rm.3-33C Dijingfeng Maoyecheng Dafen Buji, Longgang District
Registrant City ................. shenzhen
Registrant Province/State ....... guangdong
Registrant Postal Code .......... 518000
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.075533572855 
Registrant Fax .................. +86.075584153080 
Registrant Email ................ vinsonluk@hotmail.com

More malware is hosted on cfyy88.com as well, including a ZIPfile which is currently empty. (Error from the malware authors? Uploaded too soon, dropper just not included yet?)

Related websites:
hXXp://erpii.cn/
hXXp://jiami99.com/
hXXp://verp.cc/
hXXp://greatempire.cn/

Hosted on: 211.154.134.171 - IPvoid Result 


Interesting login page











Other screenshots:

















The link from the spammail loads malicious JAR file:
MD5: 6b872d170e878ab3749d717cbba5d0e3
VirusTotal Result
Exploit-Analysis Result

Exploit-Analysis is a new service and looks very promising, besides doing the basic stuff (meta-data dump, strings, tcpdump, ...) you can also view the entropy of the malware, as well as choosing browsertype and Java/Flash/Adobe version. In particular for JAR files, it can also display the classes included and thus can be used to analyze a malicious Jar file online (you can do this offline with JD-GUI for example).

From their website:
Sandy developed under Indian Honeynet and is capable of doing both static and dynamic analysis of Malicious Office, Jar,HTML files at the moment.


Continuing with our findings, the following files were downloaded & dropped to the system:
about.exe    098e44145840862b9488be395c860110   
index.html   325a20d15d66e5a78878da2ff579a715   
readme.exe  523a813fa43744673bdb537d778d0e3f   
w8BDM.exe   5c840a17dcee119cf40a3636971de65c   
able_disturb_planning.jar   6b872d170e878ab3749d717cbba5d0e3   
tixy.exe      82f1d0ed26012f0883cb6017aa8fb671   
able_disturb_planning.php  be3db7ef10eca3a21878cbad80eb5f2d   
pythias.js   d60b2df2b5c6c1ef083766cba29b60d2   
JpVsf.exe   f804ad6fe5b2a0ae3078703fdc112e29   


Besides the usual infostealers (Zbot, Fareit, etc.), Medfos is saying "hello" as well:
Win32/Medfos is a family of trojans that install malicious extensions for Internet browsers and redirect search engine results. It also allows for click-fraud, generating profit for a website through unethical means.
Source: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Medfos



Conclusion


  • Don't click on links from unknown senders.
  • Don't open any attachment(s) of unknown senders. 
  • In fact, don't even open mail from unknown senders.
  • Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • When in doubt, visit the website of §vendor or §product or §service directly.
  • Block the IPs mentioned above in your firewall or hostfile or §solution.
  • I almost forgot: uninstall Java.



Wednesday, August 14, 2013

Scams, scams everywhere


It's the scam season. Well, actually scams are always going around. Facebook is pretty popular to spread those scams, for example the Gina Lisa Facebook scam and the scam to have Facebook in a different color.

There's one recently that caught my attention:

"This is incredible"




















Basically what happened here is that someone on Facebook clicked on the wrong link, and the event got automatically created. Consequently, all of his/her friends were invited to the event as well.

Of the 4 pages that showed up in the search results (there are many more), ~500 people clicked on the bit.ly links. Which is not very much, considering how many people got the invite. Most of the comments on the events were "What is this?", so this means most people realised it's fake.

The CNN logo is being (mis)used, probably to make it look more legit. When you click on the link, you get redirected through affiliates but eventually you land on the following page:


"Dr. Oz Miracle Diet"




















Websites:
hxxp://consumerhealthnews9.org  - URLvoid Report
hxxp://consumerhealthnews6.com   - URLvoid Report

When clicking on any of the links on those sites, you get redirect to:
hxxp://ww90.thorizo.net  - URLvoid Report

More affiliates, more links to click on. The title for this blog post could also have been "affiliates, affiliates everywhere". 



Removal

If it seems that you have created the event, simply go to the event page, click the "wheel" icon and choose "Cancel Event":

Cancel the event















Be sure to also check your Apps, it's possible you allowed a malicious app to post & create things on your behalf:

Check your Apps












If you were invited to the event, simply ignore the message. You can also report the event as scam or spam by clicking on the Report button on the left of the event:

Report the event






















Conclusion


To keep it short and simple:
don't fall for these types of spam/scam, most of the times it's pretty obvious it's fake.

If in doubt, send your friend on Facebook (or if someone sent you the link) via PM if he or she knows what this is about.

You can also use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/

To get some information on a bit.ly (or other URL shortener services) link, you can use any of the following websites:
- http://www.getlinkinfo.com/
- http://longurl.org/
- http://www.longurlplease.com/ (includes Firefox extension)

To report a malicious bit.ly link use:
http://bitly.com/a/report_spam

Wednesday, August 7, 2013

Malware Puzzle


A malware (crossword) puzzle you say? Yes! Why not?


I've made a puzzle about malware (and security) related keywords. It comes in .PNG format, .DOCX and .PDF. You can print it and fill it in and @ me on Twitter: @bartblaze . (or leave a comment)
 


I consider the difficulty of the puzzle quite easy, but here are some breadcrumbs:
  •  I only mean a synonym when it's explicitly mentioned
  •  Across is horizontal, down means vertical
  •  The last letter of (2) down is the first letter of (9) down
  •  I must note I made a small error, (5) down is "disaster" when it should have been "doubt" (FUD). So  just fill in disaster there. 
  •  Don't think about it too long (it's not far-fetched)

To make it more fun you can:

  • Set a time limit to solve the puzzle as I did (10 minutes)
  • Prohibit the use of internet

There's no prize, it's just for fun. Enjoy!



Click to enlarge


.PNG: http://imgur.com/q6MOHlf
.DOCX: http://www.mediafire.com/?bj886m0oh6sq4d2
.PDF: http://www.mediafire.com/?flp27zeh1zuu4xm

Thursday, July 4, 2013

Basic Malware Cleaning



Last year in September I wrote an article for Hakin9 on how to detect, identify and of course disinfect a machine from malware.

I've decided to publish it on my blog as well, you can also download it from the following links in PDF format:
http://www.mediafire.com/?gz7qic8h7xcgyst


Here's the article:




Basic Malware Cleaning

Malware is common nowadays. Each day, machines get infected with viruses, spyware, Trojans, keyloggers, rogueware, ransomware, rootkits, … The list continues with more advanced malware like Conficker, Duqu, Stuxnet, Flame, …

The malware scenario on itself has also drastically changed. Where in the past, malware was created for showing off your skills or gaining your 15 minutes of fame (remember LoveLetter?), it is now almost solely used for the purpose of making money.

If you are reading this article, you have already helped someone getting rid of malware infestations, or you at least have an interest in the basics on how to clean malware from an infected machine.


What you will learn...

  • Identifying malicious processes, terminating these processes and how to properly prevent them from running
  • Identifying malicious startup entries and system modifications
  • Identifying related malicious files, meaning droppers and payload
  • Identifying the malware source and effectively tackling it


What you should know...

  • Basic computer knowledge and common sense
  • Use a proper environment for testing purposes



About the author

The author has been working as a technical support engineer in the antivirus industry for several years and is also involved in performing malware research and malware analysis, intended primarily for improving his own skills and raising awareness amongst every computer user, whether it would be home or business users. You can follow him on Twitter: @bartblaze




Introduction

Before we begin, I’d like to make clear that if you want to test your skills after reading this article or want to test malware in general, you should set up a proper testing environment. Make sure you are using a Virtual Machine if testing on your own machine, or create a machine for the sole use of testing malware and antimalware tools. In either case, it’s a good idea to use a separate network or use a DMZ should you have one. Personally I recommend having the machine connected to the internet, so the malware can do its evil work to its maximum potential and you will be able to carefully study and dissect its workings completely. I’ve made a post on my blog as well on how to build your own malware analysis lab: http://bartblaze.blogspot.com/2013/06/basics-for-malware-analysis-lab.html


More tips can be found in the section On The Web in the last paragraphs of this article.



In the next paragraphs, we will see three possible malware scenarios:

  •  Rogueware
  •  Trojan horse
  •  Rootkit



For each malware scenario or case study, a sample was executed and the machine was consequently rebooted to view the malware’s effects. Each case study will be outlined with the necessary tools and steps to take on how to completely eradicate the above infection types. Note that after performing manual clean-up, it is advised to perform a scan with an (preferably) online antimalware or antivirus product. Most antivirus companies offer a free online scan and automatic removal.

We will be making use of the following tools:

  • Autoruns
  • GMER
  • Process Explorer
  • RootkitRevealer
  • Rootkit Unhooker




First case study - Rogueware

Rogueware is probably one of the most known types of malware nowadays. The reason is simple: when one gets infected with rogueware, annoying pop-ups will appear all over the screen, urging to buy their precious Antivirus, which has found enough infections on your machine to completely toast it – if they were real. Rogueware is simply blatant enough to appear fully on your screen, whereas most other types of malware will (try to) work silently in the background.


In this first case study we will only make use of the tools Process Explorer and Autoruns, both created by Sysinternals.

After running our first sample and rebooting the machine, we receive several messages that the machine is infected and we should take immediate action. A screenshot of this specific rogueware:







Figure 1. Rogueware called ‘Live Security Platinum’ running on our machine




Let’s start Process Explorer and see what’s running!



 Figure 2. Process responsible for Live Security Platinum


What can you make of this screenshot? There are indicators this is indeed malware:

  • Random filename
  • No file description
  • No company name

Explaining why there is a random filename:
trying to evade specific antimalware tools which focus only on names the malware uses – for example, I remember a specific rogueware family from back in 2009 that always placed the same DLL in the System32 folder: win32extension.dll


Tip: If you’re in doubt whether a process is malicious, simply right-click it in Process Explorer and select Search Online...
Most of the times, Google will have a history of this filename. If the search is turning up zero results, it’s an extra confirmation that it concerns a malicious process.


Explaining why there is no file description or company name is simple: in earlier days – the days of Windows XP to be exact – the basic Task Manager did not display any file description or company name. So basically, there was no use in including it since it wasn’t displayed anyway. In Windows Vista, Windows 7 and soon Windows 8 Task Manager is improved.


This malware hides in %appdata%, which is a system variable for the Application Data folder of the currently logged on user. What else can we deduct from this screenshot? The rogueware uses a Microsoft icon, thus trying to trick the user to indicate it’s nothing malicious. An effective trick indeed, but considering the previous factors, we can be sure this is a malicious process which needs to be terminated.


A useful setting in Process Explorer is through Options > Verify Image Signatures. With this option, you’ll be able to quickly determine if a file claiming to be from Microsoft is indeed so or not. Note that these may be forged. 


There are three color codes important for us:

  • Green – new process
  • Red – killed process
  • Purple – process with images that are packed. Intention: hiding strings, evading antivirus detections


By right-clicking the process and choosing Properties, we can gather more intelligence about the file. A short overview of the tabs useful for our malware identification:

  • Image – image file properties
  • Strings – strings loaded into the image or memory 



Figure 3. Image Tab details



Thanks to the Image tab, we are able to view the file location, any command line arguments there may be, but also if the file has a valid Image Signature and the current directory from where the file is executed.


Moving over to the Strings tab, where we may find interesting information about the file and its behavior. An example:


Figure 4. Payform.html, which is the rogueware’s own webpage to order its ‘product’



Let’s close this and start with the cleaning of this type of malware.



First step is killing the rogueware by right-clicking the process in Process Explorer and choosing Kill Process. The rogueware will disappear like snow in the sun. Note that some rogueware is protecting or guarding each other’s process, so it’s possible you will have to Suspend a process first before killing its guardian. Afterwards you can kill the first process and the rogueware will not re-appear again.





Second step is of course disabling the rogueware from starting up with Windows. In order to do so, we will be using Autoruns:



Figure 5. Autoruns Logon tab view



Navigate to the Logon tab and choose to delete it. Click Yes to confirm. Close Autoruns. If you are unsure about a Logon entry, simply untick the checkbox first instead of deleting it.


A trick that is often utilized by malware authors is to hijack several antivirus processes to, for example, svchost.exe or to their own malicious program. They do this to prevent antivirus software from running and making sure their malicious program will be executed. Sometimes, Task Manager, Regedit, the Command Prompt (CMD) and other tools are hijacked as well. I’m sure you have encountered before that you were unable to run any of these built-in Windows features. The reason is Image Hijacks.


We will now be using the same trick against them, by creating our own Image Hijack or, as Microsoft calls it: Image File Execution Options or IFEO. To do so, we will use Regedit:



Figure 6. Image Hijacks can be added under: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options


In order to add an Image Hijack, right-click on the Image File Execution Options key and select to create a new Key. This key must be the exact same name as the malware name. In our first case study, this means: 529C50D8212C2CDD6A42F365D151FC4E.exe


We subsequently create a new String Value under this key with Value Name: Debugger and Value Data: svchost.exe. Now, even when the rogueware is still on the system, it cannot start since it will be forced to start svchost instead.


You can also do this faster by using the following small piece of code and running it by clicking on Start > Run and pasting it in the message box. Replace XXX.exe by the name of the malware:


reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XXX.exe" /v Debugger /d "svchost.exe" /f



In our first case study, for the ‘Live Security Platinum’ rogueware, this would be:


reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\529C50D8212C2CDD6A42F365D151FC4E.exe" /v Debugger /d "svchost.exe" /f




Tip: in Autoruns there’s a useful tab called Image Hijacks which will display any present modifications to this key:



Figure 7. Check if there are any Image Hijacks present


Have you completed all these steps, reboot the machine. If nothing seems to pop up or alarm you, you can visit the folder where the rogueware resides and delete the malicious file. Note that you might have to enable Hidden files, folders or drives, and to unhide Protected Operating System files. You can do this via Windows Explorer:
  • For Windows XP: Tools > Folder Options > View
  • For Windows Vista and Windows 7: Organize > Folder and Search Options > View





This concludes our first case study. Be sure to remember it, as we will be using the same tools for our next malware family:
a Trojan horse.







Second case study – Trojan horse

Trojan horses or Trojans are typically data stealers and can copy themselves on your machine. They may also turn your machine into a zombie, which is basically a computer part of a botnet.


Trojans often disguise themselves as legitimate programs; for example an upgrade of Adobe Flash Player, a crack or key generator for a game or Microsoft Office and many more.


After executing our sample and rebooting the machine, we don’t see anything malicious in Process Explorer. Actually, we are seeing something strange. A Firefox instance was running even though we didn’t start Firefox. When starting Firefox manually, it gets loaded under Explorer. In this case, it was not loaded under Explorer, but started as a separate process:



Figure 8. Malicious Firefox process loaded. As you can see, svchosts.exe is injected into Firefox


The Trojan has loaded a malicious version of a Firefox process, to effectively hide itself from users. After all, who would suspect a Firefox process to be malicious? You can search for Handles or DLLs via the menu Find. Svchosts.exe is the Trojan on itself, which we will see below. Note: for this reason, the Trojan has rootkit capabilities, which we will discuss in the next case study.


If we verify any system modifications with Autoruns, there are two new entries added in the Logon tab:



Figure 9. Two new entries in the Logon tab of Autoruns. We will now discuss some characteristics





In Figure 9 there are two entries highlighted: one under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, while the other one can be found under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The Trojan has attached itself to the Userinit value, which will ensure that it starts right after a user logs in to Windows. It has also placed an entry in the Run key, as an extra check to start up with Windows.


If we take a look at the Trojan’s file information:



Figure 10. Trojan’s file information


There are a few things that should get your alarm bells ringing:

  • The file is only 188 kB
    --> files with a small size are more likely to contain malware
  • The filename is svchosts.exe and resides in C:\Windows--> malware imitating legit Microsoft files is not uncommon
    --> the legit file is named svchost.exe and resides in C:\Windows\system32
    --> most, but not all, malware hides in C:\Windows or C:\Windows\system32
  • The file description reads “deine mutter-->  which is German for “your mother” and is considered an insult in some countries
  • The icon of a microphone is used into tricking you this might be legit software--> voice or audio recording software for example



Let’s move on and start disinfecting the machine step by step. First step is to Kill the malicious Firefox process with Process Explorer.




Next, open up Regedit and navigate to the following key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon



Figure 11. Hijacked Userinit value




Restore the default Userinit value by double-clicking on the value and entering as Value data (this is the default Value data for Userinit):

c:\windows\system32\userinit.exe


Open Autoruns again or should you not have closed it, refresh. You will see the first entry has disappeared. Now simply delete the other value.



Tip: did you know you can easily access the Registry via Autoruns? Right-click an entry, select Jump To… and you will be taken there instantly. Very useful in cases where the Userinit, Winlogon or Shell Value keys are hijacked or altered.



At this point, reboot the machine and verify with Process Explorer that there aren’t any malicious processes still present, or a malicious Firefox process. Verify with Autoruns that all startup entries are removed. Navigate to the folder where the malware hides and delete the responsible file(s).



This concludes our second case study. In the next case study we will see how to handle a rootkit infection.



Third case study - Rootkit

Rootkits are a type of malware apart. Rootkits are software which can hide processes, files & folders, drivers, registry keys and much more from the Operating System, antivirus software and many security tools. Rootkits can also be used to gain and retain administrator privileges on a machine.

Typically, you can divide rootkits into two categories or types:

  • User mode or user land rootkits
  • Kernel mode or kernel land rootkits





Figure 12. Figure of protection rings. Rings are mechanisms to protect data and functionality from
faults and malicious behavior. (Image source: Wikipedia)




User mode rootkits: operate in Ring 3, together with user applications

Kernel mode rootkits: operate in Ring 0, with the highest Operating System privileges



Rootkits can perform many tasks, besides hiding themselves, they can also disable antivirus components, perform DLL injection (inject and run code in the address space of another process), hide other malware, download additional malware, provide an attacker access to the machine, turn the machine into a zombie, …. You get the point.


In this case study, we will see the infamous TDL3 rootkit (which is a ring 0 rootkit), more specifically the “4DW4R3” rootkit. It was dubbed the 4DW4R3 rootkit because of the strings found in the associated DLLs. (associated files for this malware also start with 4DW4R3 and attached 10 random letters after it, for example: 4DW4R3vDqMXSvfxR.dll)



After executing the sample, it gets deleted immediately. Let’s reboot the machine at this point and document our findings.


Firing up Process Explorer and Autoruns still works normally, but there doesn’t seem to be anything suspicious. In this case, we will need to run some more specialized tools in order to uncover the rootkit’s modifications to the system.


When encountering a rootkit infection, it is recommended to run at least three different anti-rootkit tools. Why?

  • Anti-rootkits can produce false positives
  • The rootkit may have used hooking to prevent certain anti-rootkit tools from running or
    even displaying incorrect results





The first anti-rootkit tool we will be using is RootkitRevealer, another Sysinternals tool:



Figure 13. RootkitRevealer found four files hidden from the Windows API. This means you won’t be able to view them, not even
when having the option on to view hidden files and folders, or protected operating system files


Note that we will only focus on the highlighted changes for now. The others are also from rootkit modifications, where it is denying access on certain registry keys for RootkitRevealer.


Now that we have uncovered associated files from the rootkit, we can use Process Explorer again to verify if there has been any DLL injection. In our second case study, we have already briefly seen this occurrence.




Figure 14. Through the menu Find > Find handle or DLL… We discover that 4DW4R3vDqMXSvfxR.dll is injected into svchost.exe








Besides injecting into svchost.exe, the rootkit will also (attempt to) inject itself in newly created processes, for example firefox.exe

Result is you will be redirected to a shady search engine whenever you are trying to search something on Google, Yahoo or other search engines. This can be verified by opening the 4DW4R3vDqMXSvfxR.dll file in Process Explorer and selecting the Strings tab
(be sure to select Memory):



Figure 15. Search results on Bing, Google, Yahoo, AOL,… Will all be redirected to another (malicious) search engine







When using Rootkit Unhooker, it notifies us of Possible Rootkit Activity. When reading the log, we see the following lines:


==============================================

Stealth



Unknown page with executable code

Address: 0xF889C8BB

Size: 1861



This indicates there’s something stealth, which may be malicious, at address space F889C8BB. The code at this address space is probably used to prevent the scanning of registry keys by certain anti-rootkit tools, as was the case with RootkitRevealer.




When using GMER, it starts a scan of the system right away and will state whether or not there’s an infection:



Figure 16. The 4DW4R3 rootkit has also been discovered by GMER



Let’s review what GMER has found as system modifications:

 Code     F889BEB5      ZwCallbackReturn

 Code     F889B979     ZwEnumerateKey

 Code     F889B96F     ZwSaveKey

 Code     F889B974     ZwSaveKeyEx

 Code     F889BBD2     IofCompleteRequest



ZwCallbackReturn: ensure communication between user mode malware components and the kernel mode rootkit

ZwEnumerateKey: hide registry keys, prevent anti-rootkits from scanning the registry

ZwSaveKey & ZwSaveKeyEx: prevent some anti-rootkits from scanning the registry or detecting mischief

IofCompleteRequest: hide and protect rootkit files


Let’s review what GMER has found as service modifications:

·     Service  C:\WINDOWS\system32\drivers\4DW4R3nKkNtexUqD.sys (*** hidden *** )  [SYSTEM] 4DW4R3      <-- rootkit="">


It is obvious by now the machine is infected with a rootkit. We will be using GMER to fully disinfect the machine. Right-click the service and choose Delete Service. If you receive an error, choose Disable Service. Reboot the machine.


Now that the service is deleted (or disabled) we are able to view the files the rootkit has placed. Simply delete them and reboot:



 
 Figure 17. The rootkit’s associated DLLs and drivers


This concludes our third case study. In the next paragraphs you’ll be able to find additional information on how to handle a malware incident.





Signals of infection

In most cases, it’s pretty obvious when facing an infection like rogueware or ransomware: pop-ups and annoying messages all over the screen. There are other symptoms which may not always seem originating from malware:
  • Failing of Windows Firewall, Windows Security Center warnings. Microsoft Update malfunctioning.
  • Not being able to execute antimalware tools. Not being able to visit websites from antivirus vendors.
  • Redirections taking place in your browser to shady search engines.
  • Severe slowdown of the machine. More bandwidth usage than usual.
  • Suddenly finding software on your machine you never installed or never gave permission to.
    These are called Potentially Unwanted Programs (PUP) or Adware.
  • Unexpected Blue Screens (BSOD). This might be due to a badly written rootkit for example.
  • Unexpected errors or malfunctioning of antivirus and antimalware programs.







General tips and tricks

In this section I’ll add some extra tips and tricks for problems you might encounter during the disinfection process:


  • If a tool is refusing to run, try renaming it to explorer.exe or svchost.exe. Some rogueware families will block all applications, but will allow system processes to run.

  •  If a tool is refusing to run, and you already tried above trick, try renaming to SomeName.com. It’s possible all EXE files are disallowed from running. There’s a tool called exeHelper which will restore the default values for PE (executable) files.

  • Another useful tip is trying to boot the machine in Safe Mode. Some malware will only place a value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, which is ignored when booting in Safe Mode.
    Note that malware X won’t do much in Safe Mode, but can actually still be downloading additional malware if you decide to boot in Safe Mode with Networking.

  • Rootkits can interrupt the execution of several anti-malware tools, where even above tricks won’t be able to help. In that case, you should try fixing the permissions of those tools. A very useful tool for this is Inherit. Just drag and drop the tool or program you want to execute on Inherit. Wait for the message box “OK” to pop up and you should be able to run it.

  • Also in case of a rootkit or any other malware infection, it is advisable to change your most important passwords after fully cleaning the machine. Remember that when having encountered a rootkit infection and cleaning the machine, it is possible there are still infection leftovers. In case of doubt, reinstall Windows completely. In case of a bootkit, which infects the MBR, you need to boot the machine from the Windows installation CD, choose the Recovery Console, and type the command fixmbr in the command prompt. Press Enter and the MBR or Master Boot Record will rebuild.

  • In some cases, the machine is infected so badly that it’s almost unworkable to run any tool. It’s also possible you cannot boot into Windows anymore. In such cases, you can use a boot CD or safe CD from an antivirus vendor. An alternative is the Sardu Multiboot CD or DVD and USB creator, which combines several antivirus rescue CDs. Or you can completely reinstall the machine. Tip: take regular back-ups of important files and folders!






Prevention tips and tricks

I’m guessing most of you already know how to protect yourself against mischief, though I’ll repeat some general tips once again. Repetition is key. Some do’s and don’ts:


Do install an antivirus program – yes, you never use antivirus and you’ve never been infected before. Still, using antivirus reduces the chance even more.

Do uninstall applications you don’t need – examples are Java and Adobe. If you do need them, update them frequently.

Do uninstall browser extensions you don’t need. If you do need them, check for updates frequently.

Do your updates. This includes Windows updates, antivirus updates, browser updates and any other software you may be using.

Do use layered protection if possible – Firewall at hardware level (router), HIPS, antivirus, antimalware …





Don't open email attachments from unknown senders - ever.

Don’t click on everything on the internet. Meaning: use common sense when browsing the web.

Don’t trust everything on the internet. If it looks too good to be true, it probably is!

Don’t fill in your personal information or email address on random websites.

Don't use the same password for each and every website! Implement proper password security.

Don’t panic if you suspect you’ve been infected. Read the tips below on what to do if you are.





Help! I’m infected!

What could be the best procedure if you suspect to be infected? Suggested model:

·          Stay calm, don’t panic. Disconnect yourself from the network.

·          Identify and kill malicious processes.

·          Identify and delete malicious autorun entries.

·          Reboot and repeat the previous steps.

·          Delete associated files and folders.

·          Run a full scan with your installed antivirus product.

·          If disinfection is applied successfully, connect to the network again. If possible, connect to a separate network first to verify everything is indeed back to normal or not. Perform an online scan with another antivirus product than the one you have installed.




If you’re in a corporate network, what could be the best procedure if you suspect to be infected? Suggested model:

·          Stay calm, don’t panic. Disconnect yourself from the network & contact your network administrator.

·          Write down useful information:

o    What were you doing at the time? Did you notice anything special? What was the time and date anyway?

o    Why do you believe your machine is infected? Which steps did you take already, if any? Did your antivirus prompt?

o    Inform your co-workers you’re going for a coffee break.






Summary

This concludes our three case studies – rogueware, Trojan Horse and rootkit. I do hope that you have enjoyed reading the article and going carefully through each step.

We have seen three different case studies as described above, but it is totally not uncommon to have all three types of malware on the same machine. For example, certain families of rogueware have been seen to drop the infamous TDL4 rootkit variant. Goal is to ensure the persistence of the payload on the machine. Therefore, it is advised to always use an anti-rootkit as well.

Remember that some malware is more advanced than others, and it might take you some time to fully disinfect a machine. Sometimes it’s easier, quicker and cleaner to perform a reinstallation of the operating system. If you’re ever stuck, there are many forums out there specifically for helping you in cleaning malware off an infected computer.

As quickly as malware is evolving, so are the people who are constantly battling them – whether this would be antivirus companies, independent malware or security research folks, agencies and governments… Join our cause in making this world a malware-free environment and educate everyone around you, each day.

Should you have any further questions, comments or remarks, I am always available for feedback. You can contact me via Twitter:
@bartblaze .










Glossary

Address space – in this context, memory address of a process.
Botnet – a group of computers infected with malware and controlled by the so called bot herder. Botnets can be used to launch DDoS attacks, send spam …
Dropper – a dropper is a program that installs or downloads additional malware on a system.
LoveLetter – also known as ILOVEYOU worm – spread mostly via email, infected millions of machines.
Master Boot Record – first 512 bytes at the first sector of a hard drive.
Payload – modifications or damage done by malware.
Zombie – computer infected with malware and possibly compromised by a hacker. Zombies are typically part of a botnet.