TrendLabs Malware Blog - Trend Micro

    Typically, users archive files to lump several files together into a single file for convenience or simply to save storage space. However, we uncovered a worm that creates copies of itself even inside password-protected archive files.

    We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WinRAR command line (see below). Once executed, this enables WORM_PIZZER.A to create copies of itself in archive files, particularly .ZIP, .RAR and .RAR SFX files. The worm does not harvest passwords from these archives. The command line itself is a normal one: any user can add a file to an existing archive with it, as long as WinRAR is installed on the system. The malware, however, abuses it to add copies of itself to such files.


    Figure 1. WINRAR command line

    During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.

    This technique is reminiscent of the WORM_PROLACO variants seen in 2010, which archived certain .EXE files together with a copy of themselves. What makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archive files, even password-protected ones. Unsuspecting users who extract these archives have no idea that they already contain the worm, and are thus likely to execute the malware along with their other files.


    Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file
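    The behaviour above leaves a recognizable trace: a file added to an already password-protected archive without the password sits in the archive as a plaintext entry next to encrypted ones. The following added example (not Trend Micro's code or tooling) builds a small ZIP archive with exactly that layout, using a hand-packed ZIP writer because Python's zipfile module cannot write encrypted entries, and then scans it. The scanner needs no password: it flags executable extensions, PE magic bytes in any entry it can read, and plaintext entries in an otherwise encrypted archive. The file names and contents are constructed for the example; the "bot.exe" entry is four bytes of PE magic plus text, not a program.

```python
import io
import struct
import zipfile
import zlib

# Entry names a scanner should treat as executable regardless of archive type.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
# ZIP general-purpose flag bit 0: this entry is password-protected.
ENCRYPTED_FLAG = 0x0001


def build_zip(entries):
    """Assemble a minimal stored (uncompressed) ZIP by hand.

    Python's zipfile cannot write password-protected entries, so the local
    headers and central directory are packed directly; that lets each entry
    carry its own encryption flag. Used only to build constructed test data.
    entries: list of (name, data, flag_bits).
    """
    local = bytearray()
    central = bytearray()
    for name, data, flags in entries:
        nb = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(data), len(data), len(nb), 0) + nb + data
        # central directory entry: as above plus comment length, disk number,
        # internal/external attributes and the local header offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 0x21, crc, len(data), len(data), len(nb),
                               0, 0, 0, 0, 0, offset) + nb
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def scan_archive(data):
    """Return (entry name, reason) findings for one ZIP archive held in memory.

    Three checks, none of which needs the archive password:
    - executable file extension,
    - PE magic ("MZ") at the start of any entry whose content is readable,
    - a plaintext entry inside an otherwise password-protected archive, which
      is what appending a file to an encrypted archive leaves behind.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        encrypted = [i for i in infos if i.flag_bits & ENCRYPTED_FLAG]
        mixed = 0 < len(encrypted) < len(infos)
        for info in infos:
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                findings.append((info.filename, "executable extension"))
            if info.flag_bits & ENCRYPTED_FLAG:
                continue  # content cannot be inspected without the password
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append((info.filename, "PE header (MZ) in content"))
            if mixed:
                findings.append((info.filename,
                                 "plaintext entry in a password-protected archive"))
    return findings


# Constructed sample: two password-protected documents plus a plaintext
# "bot.exe" stub appended afterwards. The stub is PE magic plus text, not a
# program, and the document bytes are filler.
SAMPLE_ARCHIVE = build_zip([
    ("report.docx", b"constructed document bytes", ENCRYPTED_FLAG),
    ("photo.jpg", b"\xff\xd8\xff constructed image bytes", ENCRYPTED_FLAG),
    ("bot.exe", b"MZ\x90\x00 constructed stub, not a program", 0),
])

if __name__ == "__main__":
    for name, reason in scan_archive(SAMPLE_ARCHIVE):
        print(f"{name}: {reason}")
```

    The third check is the one specific to this worm's trick: a clean password-protected archive has every entry encrypted, so a lone plaintext entry is worth a closer look even before its name or content is examined.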

    Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.

    The first half of 2013 is shaping up to be a year of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE using new techniques to evade detection, or at least stealthier ways to slip into users' systems unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because of the protection that archive files seem to afford, users might be too complacent when extracting and executing these files, which gives the worm the perfect cover to propagate on an infected system.

    For protection, users must observe best computing practices, which include avoiding unknown sites and not downloading files from unverified email messages. Because the malware can create copies of itself in archive files, users must be extra cautious when executing files extracted from such archives.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    With additional insights from threat researchers Dexter To and Joseph Jiongco.


    The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime would be characterized by old threats resurfacing, but with certain refinements and new features in tow. The first quarter of the year proved this thesis, as seen in threats like CARBERP and the Andromeda botnet.

    We can now add the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats; based on Trend Micro Smart Protection Network feedback, we have noted increased ZBOT activity these past months.


    Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

    As seen in this chart, ZBOT variants surged at the beginning of February and have remained active up to this month, even peaking in mid-May 2013. This malware is designed to steal online credentials from users, whether banking credentials or other personally identifiable information (PII).

    ZBOT Earlier Versions vs. Current Versions

    Early-generation ZBOT variants create a folder in the %System% folder where they save the stolen data and the configuration file. A copy of the malware can also be found in that folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites; the strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

    Current ZBOT variants were observed to create two randomly named folders in the %Application Data% folder. One folder contains the copy of ZBOT while the other contains encrypted data. An example is TSPY_ZBOT.BBH, which Smart Protection Network data shows to be the top variant globally.

    ZBOT malware of this generation is found to be mostly either Citadel or GameOver variants. Unlike in earlier versions, the mutex name is randomly generated.

    Both variants send DNS queries for randomized domain names. The difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending the DNS queries for randomized domain names.

    How does this malware steal your credentials?

    ZBOT malware connects to a remote site to download its encrypted configuration file.


    Figure 2. Screenshot of ZBOT communication to C&C server

    The following information can be seen once the configuration file is decrypted:

    • Site where an updated copy of itself can be downloaded
    • List of websites to be monitored
    • Site where it will send the stolen data

    These configuration files list the banks and other financial institutions whose websites ZBOT monitors in the browser. Since the configuration files are downloaded from remote sites, their contents may change at any time: malicious actors can change the list of sites they want to monitor on the affected system.

    Trend Micro Solution for ZBOT variants

    There are several avenues for detecting ZBOT variants:

    1. First, when the malware tries to write to the registry "Userinit" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    2. Second, when the malware performs its call-back routine to the remote site upon execution to acquire its configuration file
    3. Finally, when the malware connects to the site where it sends the stolen data, or when it acquires an updated copy of itself
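    The first avenue, the Winlogon "Userinit" value, can also be checked after the fact. The following added example (not Trend Micro's code or the OfficeScan logic) audits a Userinit value string: it splits the comma-separated program list, drops the stock userinit.exe entry, and rates any remaining entry by where it runs from, treating a program under a user profile directory (where the post says current ZBOT variants keep their randomly named folders) as suspicious. The sample values are constructed; the profile path and the folder name "Ylto" are invented, and the optional live read only works on Windows.

```python
import sys

# Stock Userinit value on a default Windows install; the trailing comma is
# part of the value as Windows writes it. ZBOT appends its own executable.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Directory fragments that mark a user-writable location, where current ZBOT
# variants drop their randomly named folders.
USER_WRITABLE_HINTS = ("\\application data\\", "\\appdata\\", "\\temp\\",
                       "\\documents and settings\\", "\\users\\")


def parse_userinit(value):
    """Split a Userinit value into its comma-separated program entries."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def classify_entry(entry):
    """Rate one unexpected Userinit entry by where the program lives."""
    low = entry.lower()
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        return "suspicious: runs from a user-writable profile directory"
    if low.startswith(("c:\\windows\\", "%systemroot%\\")):
        return "review: unexpected entry under %SystemRoot%"
    return "review: runs from outside %SystemRoot%"


def audit_userinit(value, expected=EXPECTED_USERINIT):
    """Return [(entry, rating)] for every entry not present in the stock value.

    Paths are compared case-insensitively, as Windows does; an empty result
    means the value holds only what the default install puts there.
    """
    expected_set = {p.lower() for p in parse_userinit(expected)}
    return [(p, classify_entry(p)) for p in parse_userinit(value)
            if p.lower() not in expected_set]


def read_live_userinit():
    """Read the live Winlogon Userinit value on Windows (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed values, not captures from an infected host. The XP-style
# profile path and the folder name "Ylto" are invented for the example.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = (r"C:\WINDOWS\system32\userinit.exe,"
                  r"C:\Documents and Settings\Admin\Application Data\Ylto\wuepi.exe,")

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE),
                         ("live", read_live_userinit())):
        if value is not None:
            print(label, audit_userinit(value) or "stock value only")
```

    A blocking product stops the write as it happens; this audit is the complementary check for a host that was not protected at the time, and it works on an exported registry value as well as on the live key.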

    The screen capture below shows that exactly this behaviour, writing to the registry "Userinit" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, was successfully blocked by OfficeScan's Behavioral Monitoring function, so the malware fails to execute:


    Figure 3. OfficeScan Scanning Screenshot

    The second opportunity to detect ZBOT variants is when the malware downloads its configuration file or an updated copy of itself, or when it attempts to upload its stolen information. Trend Micro Web Reputation Services can detect this activity:


    Figure 4. Trend Micro blocks the related URL associated with ZeuS

    In the screen capture above, the URL was detected as malicious. With further investigation, we determined that this site is associated with ZeuS/ZBOT. The same is observed when using Trend Micro's Deep Discovery:


    Figure 5. Screenshot of Deep Discovery detection of malicious network activity

    Similarly, an attempt to connect to any URL related to ZBOT/ZeuS while performing its call-back routine can be detected by Deep Discovery Inspector.

    Finally, for removing the malware, here is an example of a clean-up procedure for TSPY_ZBOT.XMAS. Since this malware injects itself into certain processes, there are instances where a reboot is required:

    Because ZeuS/ZBOT malware downloads newer versions of itself, the binary itself may not be detected, but it will generally behave the same way. As such, certain parts of the infection can still be blocked or partially mitigated.

    Conclusion

    What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from security vendors and install trusted antimalware protection.

    To know more about how cybercriminals are getting better at stealing information, you can refer to this infographic.

    With additional inputs from threat researchers Rhena Inocencio and Roddell Santos.



    Since its initial release in February 2012, the Raspberry Pi, a very inexpensive, palm-sized computer meant to help teach computer science in schools, has become a favorite of hobbyists, makers, and tech enthusiasts everywhere. Why wouldn't it be? The Raspberry Pi offers tinkerers a very low-cost (both to buy and to run) computer in an extremely compact platform. In addition, because of its origins as an educational tool, it's easy to use and versatile. Accordingly, it can be used in all sorts of creative ways.

    However, its apparent simplicity and low cost come with a downside. The Raspberry Pi is not a simple "device" with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can hit the Raspberry Pi if it is not properly secured.

    Some uses of the Raspberry Pi actually turn it into a server, and that is something users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or that lets them watch videos served by the Pi remotely.

    For many uses of the Raspberry Pi, security isn't much of a concern: it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it's used in situations where it is online, particularly as a server, where it's at potential risk. For example, some automated scanners are already trying to log in with the pi user.

    In short, the Raspberry Pi is only as secure as the uses you put it to. Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi in these ways. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi.
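    The login attempts against the pi user mentioned above show up in the Pi's own SSH log, and the usual server best practice is to stop accepting passwords over the network at all. The following added example (not from the post or the Raspberry Pi project) does both halves: it summarizes constructed auth.log lines to find password guessing against an account and any password login that succeeded from an address that had already been failing, and it audits an sshd_config fragment, showing a weak configuration beside a hardened one. The log lines, addresses and config fragments are constructed; the "not set means yes" default assumed for PermitRootLogin matches older OpenSSH releases.

```python
import re
from collections import Counter

# Constructed /var/log/auth.log lines in the format Raspbian's sshd writes;
# the addresses come from documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
May 20 03:14:01 raspberrypi sshd[2213]: Failed password for pi from 203.0.113.7 port 51022 ssh2
May 20 03:14:03 raspberrypi sshd[2213]: Failed password for pi from 203.0.113.7 port 51023 ssh2
May 20 03:14:05 raspberrypi sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
May 20 03:14:07 raspberrypi sshd[2217]: Failed password for pi from 198.51.100.9 port 40100 ssh2
May 20 03:14:09 raspberrypi sshd[2219]: Accepted password for pi from 203.0.113.7 port 51040 ssh2
May 20 03:15:00 raspberrypi sshd[2221]: Accepted publickey for alice from 192.0.2.44 port 50500 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def summarize_ssh_auth(log_text, threshold=2):
    """Pick out password guessing against accounts such as the default "pi".

    Returns a dict with
      "guessing": {(user, ip): failures} for pairs at or above threshold,
      "logins_after_failures": [(user, ip)] for password logins that
          succeeded from an address that had already failed for that user.
    """
    failures = Counter()
    logins_after_failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # a password login that follows failed guesses from the same
            # address is the case that needs an immediate look
            if method == "password" and failures[(user, ip)] > 0:
                logins_after_failures.append((user, ip))
    return {
        "guessing": {k: n for k, n in failures.items() if n >= threshold},
        "logins_after_failures": logins_after_failures,
    }


def audit_sshd_config(config_text):
    """Report sshd_config settings that leave a network-exposed Pi open to
    password guessing. Commented-out lines count as "not set" (the default,
    assumed here to be yes as in older OpenSSH releases)."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        settings[key.lower()] = val.strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled; use keys instead")
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in over the network")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups restriction on who may log in")
    return findings


# Constructed before/after sshd_config fragments.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
"""

if __name__ == "__main__":
    print(summarize_ssh_auth(SAMPLE_AUTH_LOG))
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

    On a real Pi, feed the function the contents of /var/log/auth.log and /etc/ssh/sshd_config; the successful password login after repeated failures is the line to act on first, since a scanner that guessed the pi user's password has a shell.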



    Last March, I blogged about Andromeda, a well-known botnet that surfaced in 2011 and is making a comeback this year. Just months after my report, we are still seeing notable activity from the said botnet, in particular a sudden boost of GAMARUE variants last week. The Andromeda botnet is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives.

    We have been keeping track of GAMARUE infections for the past weeks and observed some noteworthy activity. Over the past 30 days, we noticed a sudden spike of its variants on May 17. In particular, there was an 82% increase from May 16 to May 17 and another 32% on May 18. A significant bulk of these malware, specifically 63%, are WORM_GAMARUE variants.


    Figure 1. GAMARUE detection for the past 30 days (April 20 – May 31)

    In my initial blog entry, I reported that the bulk of infection came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.


    Figure 2. Top countries affected by WORM_GAMARUE

    Currently, we cannot readily determine why GAMARUE variants increased on the said dates. If anything, this trend shows that the botnet is still active and poses risks to users.

    Andromeda Botnet: Old Threat Repackaged

    In our 2013 1Q Security Roundup, we concluded that during this quarter, cybercrime was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with the aid of the Blackhole Exploit Kit (BHEK) and some neat new tricks.

    This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit Kit. GAMARUE variants are known to propagate via removable drives. They also drop component files instead of copies of themselves to make detection more difficult. Taking a cue from threats like DUQU and KULUOZ, GAMARUE variants also use certain APIs to inject themselves into normal processes to evade detection.

    Propagation techniques aside, GAMARUE variants have backdoor capabilities, since they communicate with certain C&C servers to send and receive commands. This communication, in effect, gives a remote malicious user control over the infected system. Some of the commands the malware can execute include downloading other malware onto the system, most notably info-stealing threats like ZeuS/ZBOT variants.

    Because some Andromeda-related spam messages look eerily like legitimate email notifications from commercial services (flight, hotel, courier services, etc.), the usual criteria for identifying spam are not sufficient. As an alternative, verify directly whether the email you've received is legitimate. Since BHEK is known to exploit vulnerabilities in software like Java, you must always update your system with the latest security patches, or reconsider your use of Java. For better protection, install antimalware software like Trend Micro's, which protects your system from spam, malicious URLs, and malware.



    In the process of investigating and analyzing targeted attacks, we have seen that attacks which seem related at first glance may in fact be independent; conversely, attacks that seem unrelated may turn out to be connected. Knowing which is which can provide useful information in determining how to respond to an attack.

    Why Are Separate Attacks “Related”?

    Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance. The list of recipients has to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, and so on. Ideally (from the attacker's point of view), separate ones would be used for each attack, but that isn't the case: attackers are just as prone to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what an appropriate response is.

    There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:

    1. Same IP address sends different email messages
    2. Same email address sends different messages
    3. The same malware is attached to different messages
    4. Multiple (similar) backdoors use the same C&C server
    5. Different backdoor types use the same C&C server
    6. Multiple domains registered using the same email address
    7. Similarities in the way command-and-control network traffic is organized

    How can this information be used?

    Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more "random" attacks aimed at wider audiences. It can be difficult to tell which kind a particular attack is just by examining its specifics, but examining the similarities above, using additional information provided by the Smart Protection Network, may be useful. It's best to illustrate this with a hypothetical example.

    A company received an apparently targeted email that contained a malicious attachment. The malware installed tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.

    However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior for ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but one of a different nature compared to a sophisticated attack.
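    The correlation points listed earlier and the hypothetical example just given can both be turned into code. The following added example (not from the post or from Trend Micro's tooling) keeps a small set of constructed incident records, links any two that share a sender IP, sender address, malware hash, C&C domain or registrant e-mail into one cluster with a union-find pass that also records which indicator produced each link, and applies the two checks from the example: a C&C directory that serves both a .bin and a .php file, and a registrant that also appears on a blacklist. Every address, hash, domain and e-mail in the records is a placeholder, and the blacklist set stands in for a real ZeuS Tracker lookup.

```python
from collections import defaultdict
from posixpath import dirname, splitext

# Constructed incident records. Addresses, hashes, domains and registrant
# e-mails are placeholders from documentation/example ranges, not real IoCs.
ATTACKS = [
    {"id": "A1", "sender_ip": "203.0.113.5", "sender_email": "billing@example.net",
     "sha1": "hash-a1", "cnc_domain": "cnc-one.example",
     "registrant": "reg1@example.org", "paths": ["/kc1/data.bin", "/kc1/gate.php"]},
    {"id": "A2", "sender_ip": "198.51.100.8", "sender_email": "invoice@example.net",
     "sha1": "hash-a2", "cnc_domain": "cnc-two.example",
     "registrant": "reg1@example.org", "paths": ["/panel/cfg.bin", "/panel/gate.php"]},
    {"id": "A3", "sender_ip": "203.0.113.5", "sender_email": "hr@example.net",
     "sha1": "hash-a3", "cnc_domain": "cnc-three.example",
     "registrant": "reg3@example.org", "paths": ["/update/check"]},
    {"id": "A4", "sender_ip": "192.0.2.77", "sender_email": "news@example.net",
     "sha1": "hash-a4", "cnc_domain": "cnc-four.example",
     "registrant": "reg4@example.org", "paths": ["/index.html"]},
]

# Fields from the post's list of correlation points: sender IP, sender
# address, attached malware, C&C server and domain registrant.
SHARED_FIELDS = ("sender_ip", "sender_email", "sha1", "cnc_domain", "registrant")

# Stand-in for a lookup against a ZeuS Tracker-style blacklist of registrants.
BLACKLISTED_REGISTRANTS = {"reg1@example.org"}


def zeus_style_paths(paths):
    """True when one directory on the C&C serves both a .bin and a .php file,
    the ZeuS/ZBOT configuration-plus-gate pattern from the post's example."""
    exts_by_dir = defaultdict(set)
    for path in paths:
        exts_by_dir[dirname(path)].add(splitext(path)[1].lower())
    return any({".bin", ".php"} <= exts for exts in exts_by_dir.values())


def cluster_attacks(attacks, fields=SHARED_FIELDS):
    """Union-find over shared indicators.

    Two attacks join the same cluster when any field in `fields` carries the
    same value. Returns ({attack id: cluster id}, [(id_a, id_b, field)]) so
    every link can be explained by the indicator that produced it.
    """
    parent = {a["id"]: a["id"] for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    links = []
    for a in attacks:
        for field in fields:
            key = (field, a[field])
            if key in first_seen:
                links.append((first_seen[key], a["id"], field))
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]
    return {a["id"]: find(a["id"]) for a in attacks}, links


def assess(attack):
    """Decide between commodity ZeuS/ZBOT and a possibly targeted attack."""
    reasons = []
    if zeus_style_paths(attack["paths"]):
        reasons.append("C&C directory serves .bin and .php files (ZeuS/ZBOT pattern)")
    if attack["registrant"] in BLACKLISTED_REGISTRANTS:
        reasons.append("C&C domain registrant also registered a blacklisted domain")
    verdict = ("commodity ZeuS/ZBOT infection" if reasons
               else "no commodity indicators; treat as potentially targeted")
    return verdict, reasons


if __name__ == "__main__":
    clusters, links = cluster_attacks(ATTACKS)
    print("clusters:", clusters)
    for a, b, field in links:
        print(f"{a} <-> {b} share {field}")
    for attack in ATTACKS:
        print(attack["id"], *assess(attack))
```

    With these records, A1 and A2 share a registrant and A1 and A3 share a sending IP, so all three fall into one cluster while A4 stays alone; A1 and A2 are additionally rated as commodity ZeuS/ZBOT, which is the "same group, ordinary malware" outcome the post describes. Adding a field to SHARED_FIELDS (a mutex name, say) extends the correlation without touching the clustering code.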

    This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.

    From there, one can conclude that both attacks were not meant to directly target anyone, but more to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.

    The links between attacks can also be used to discover other potential attacks as well. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.

    Conclusion

    Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it to gain a more accurate picture of the attacks facing them. It can reveal that apparently unrelated attacks may turn out to be related, and have been launched by a single group of attackers. Alternately, it can make clear if an organization is under attack from multiple groups – which may or may not be working together. Whatever the case, this kind of information can be useful in creating a proportional response to threats.

    For more discussions on malicious network traffic, you can read our report titled Malicious Network Communications: What Are You Overlooking?.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice