TrendLabs Security Intelligence Blog

    Archive for October 1st, 2012
    Three of the most notorious malware families we’ve seen proliferate as of late have now been seen working together in a single attack.

In the past months we saw QUERVAR, ransomware, and SIREFEF/ZACCESS grow rampant in certain regions. QUERVAR was widespread in the North America, EMEA, and ANZ regions; the ransomware malware family has been prominent in EMEA, while SIREFEF/ZACCESS has been rampant in NABU.

    Now, we’re seeing attacks that involve all three malware families.

After a widespread infection of QUERVAR in August this year, QUERVAR infections stopped entirely in the first half of September. However, as shown in the Trend Micro™ Smart Protection Network™ data below, infections returned after a few days.

    These are detected as PE_QUEARVAR.A-O, PE_QUEARVAR.B-O, PE_QUEARVAR.C-O, and PE_QUEARVAR.D-O.

[Figure: Trend Micro Smart Protection Network detection data for the PE_QUEARVAR variants]

On September 27, we saw a new QUERVAR variant with a new structure, different from the previously detected variants but with the same infection routines: infecting .EXE files and Microsoft Excel and Word documents, then renaming them with a .SCR extension. However, the newer variants came with a new payload: downloading ransomware and ZACCESS variants.
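As an added defender-side illustration (not part of the original post and not Trend Micro's tooling), the following Python script walks a directory tree and triages .SCR files by their real content, since the QUERVAR routine above leaves infected Office and .EXE files renamed with a .SCR extension; the file signatures, verdict names and stub sample files are assumptions constructed for this demo.

```python
import os
import tempfile

# Leading bytes that reveal a file's real format regardless of its extension.
SIGNATURES = (
    (b"MZ", "pe"),                        # Windows executable; a genuine .SCR is one
    (b"PK\x03\x04", "office_zip"),        # .docx / .xlsx are ZIP containers
    (b"\xd0\xcf\x11\xe0", "office_ole"),  # legacy .doc / .xls compound documents
)

def sniff_kind(path):
    """Classify a file by its first bytes: pe, office_zip, office_ole or unknown."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def triage_scr_files(root):
    """Walk root; return sorted (relative path, verdict) pairs for every .SCR file.
    renamed_document: Office content under a .SCR name; executable: a PE under a
    .SCR name (real screensavers look like this too, so only 'worth a second look');
    unknown: neither signature matched."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".scr"):
                continue
            full = os.path.join(dirpath, name)
            kind = sniff_kind(full)
            verdict = ("renamed_document" if kind.startswith("office_")
                       else "executable" if kind == "pe" else "unknown")
            results.append((os.path.relpath(full, root), verdict))
    return sorted(results)

def demo():
    """Run the triage over a constructed sample tree (harmless stub files, not malware)."""
    root = tempfile.mkdtemp()
    samples = {
        "budget.scr": b"\xd0\xcf\x11\xe0" + b"\x00" * 12,  # legacy Excel file renamed to .SCR
        "memo.scr": b"PK\x03\x04" + b"\x00" * 12,          # .docx renamed to .SCR
        "memo.docx": b"PK\x03\x04" + b"\x00" * 12,         # untouched document, not listed
        "setup.scr": b"MZ" + b"\x00" * 14,                  # a PE under .SCR, flagged for review
        "notes.scr": b"\x00" * 16,                          # unrecognised content
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return triage_scr_files(root)
```

Run `demo()` to see the verdicts for the constructed tree; point `triage_scr_files` at a user's document folders to apply the same check to real files.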

The new QUERVAR variants are detected as PE_QUERVAR.E-O. PE_QUERVAR.E-O accesses the following URLs to download ransomware variants detected as TROJ_RANSOM.CMY and HTML_RANSOM.CMY, and the ZACCESS variant TROJ_SIREFEF.SZP:

    • http://{BLOCKED}ewidea1.ru/1.php?000102E0&pin=16FB2534B0B2D6E3
    • http://www.{BLOCKED}coservisi.com/test/php/way.php?000076A8&pin=16FB2534B0B2D6E3
    • http://{BLOCKED}y90.com/c/osnovnoj2.exe?00022F68 – detected as TROJ_RANSOM.CMY
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/get.php?id=2 – detected as HTML_RANSOM.CMY
    • http://{BLOCKED}lhgkjl.un {BLOCKED}ilesexchnges.su/landings/first/US/NL_files/buttons.css
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/jquery.min.js
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/FBI.png
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/keyboard.js
    • http://{BLOCKED}lil.ru/33797470/2a06754.50664748/3052832ace10d474336096b36fbd49f05f190.exe?{random characters} – detected as TROJ_SIREFEF.SZP

    The ransomware TROJ_RANSOM.CMY hijacks the infected system and displays the image below. It tricks users into thinking that it is a legitimate FBI warning that enforces copyright laws. The ransomware then locks the computer and prevents users from accessing it. The fake FBI warning also tells users that they are under surveillance by displaying the user’s IP address.

[Image: the fake FBI warning displayed by TROJ_RANSOM.CMY]

On the other hand, SIREFEF/ZACCESS variants are known rootkit malware, which hide system modifications from users. In particular, the downloaded file (detected as TROJ_SIREFEF.SZP) patches services.exe on both 32-bit and 64-bit platforms to prevent detection. It also disables or terminates Windows security-related services. This technique is further documented in our previous entry ZACCESS/SIREFEF Arrives with New Infection Technique.

Trend Micro users need not worry as they are protected via the Smart Protection Network™. In particular, the file reputation service blocks and deletes related malicious files, while the web reputation service blocks access to the sites from which PE_QUERVAR.E-O downloads its malicious payload.

© Copyright 2013 Trend Micro Inc. All rights reserved.