    TrendLabs Security Intelligence Blog

    Archive for February 1st, 2013




    Expecting an online booking or package delivery confirmation? Just make sure to avoid these fake email messages serving BKDR_KULUOZ.PFG.

    This backdoor was first seen in the wild around April to June 2012 and is part of a well-known botnet. Recently, though, we have been noticing several spam variants carrying this malware, like the one below:


    Figure 1. Sample FedEx spammed message

    BKDR_KULUOZ arrives as an attachment (usually an archive) to spammed messages that spoof well-known corporations. The spam variants we have seen recently include fake notifications from courier and postal services like FedEx and UPS, and from airline companies. Like most malware arriving via email, BKDR_KULUOZ is disguised as an ordinary office document, such as a .PDF (Adobe) or .DOC (Microsoft Word) file, to make it appear legitimate.

    Once the user extracts and executes the file, it drops and opens a .TXT file as a decoy, to lead unsuspecting users into thinking that nothing harmful has happened on the system.


    Figure 2. Screenshot of the dropped .TXT file
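    The delivery vector described above (an archived attachment whose contents pose as a PDF or DOC) can be checked mechanically before the message reaches a user. The following is an added example, not code from the original TrendLabs post; the archive, member names and file contents are constructed for the demonstration, and the lists of document and executable extensions are my assumptions about what a courier-themed lure would carry.

```python
"""Flag executables disguised as documents inside an e-mail attachment archive.

Added example (not from the original TrendLabs post): the archive, file names
and contents below are constructed for the demonstration.
"""
import io
import zipfile

# Extensions a courier/airline notification would plausibly carry (assumption).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}
# Extensions Windows will execute when double-clicked (assumption: common set).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # DOS header signature every Windows PE file starts with


def _ext(name):
    """Lower-case final extension of an archive member, including the dot ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def classify_member(name, data):
    """Return a list of reasons this archive member looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    final_ext = _ext(name)
    # e.g. FedEx_Invoice.pdf.exe: a document extension placed in front of the real one
    if final_ext in EXECUTABLE_EXTS and len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension %s" % base)
    # e.g. Shipping_Label.pdf whose bytes actually begin with a PE header
    if final_ext in DOCUMENT_EXTS and data[:2] == PE_MAGIC:
        reasons.append("PE header under document extension %s" % base)
    # any executable at all inside a "delivery confirmation" is worth flagging
    if final_ext in EXECUTABLE_EXTS and not reasons:
        reasons.append("executable attachment %s" % base)
    return reasons


def scan_attachment(zip_bytes):
    """Scan an in-memory .zip attachment; returns {member_name: [reasons]} for flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:2]  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed attachment modelled on the courier-themed lure (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Invoice.pdf.exe", PE_MAGIC + b"\x90" * 62)      # disguised dropper
        zf.writestr("Shipping_Label.pdf", PE_MAGIC + b"\x00" * 62)         # wrong magic for a PDF
        zf.writestr("Tracking_Notes.txt", b"Your parcel is on its way.\n")  # benign decoy text
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_attachment(build_sample_attachment()).items():
        print(member, "->", "; ".join(why))
```

    Checking the magic bytes as well as the name matters because a mail gateway that only looks at extensions is defeated by renaming; checking the name as well as the bytes matters because a zip member's first bytes are cheap to read but a packer can prepend a benign-looking stub, so neither test alone should be trusted.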

    It then creates an svchost.exe process and injects another PE file into it, a .DLL with an export named “work.” Malware typically injects its code into a legitimate process so that it is harder to spot and terminate on the infected system. In addition, this backdoor executes its code through the following native (ntdll) APIs rather than their documented Win32 wrappers, which slows down or hinders debugging and analysis:

    • “ZwCreateSection”
    • “ZwReadVirtualMemory”
    • “ZwMapViewOfSection”
    • “ZwUnmapViewOfSection”
    • “ZwResumeThread”

    The same coding technique is also seen in threats like DUQU and Andromeda. This backdoor, which also acts as a downloader, communicates with its command-and-control (C&C) server to send and receive information and commands. As a result, the infected system is open to further attacks and is effectively under a remote attacker’s control.
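    The injection chain above leaves a footprint in process-creation telemetry even when the Zw* calls themselves are not hooked: a legitimate svchost.exe is started by services.exe from System32 with a -k service-group argument, whereas here it is spawned by the attachment dropper. The following detection is an added example, not code from the original TrendLabs post; the event records are constructed to resemble Sysmon Event ID 1 fields, and the paths, PIDs and user-writable directory hints are invented for the demonstration.

```python
"""Spot an svchost.exe that was not started by the Service Control Manager.

Added example (not from the original TrendLabs post): the event records below
are constructed to resemble process-creation telemetry such as Sysmon Event ID 1.
Field names follow Sysmon; paths, PIDs and command lines are invented.
"""
import ntpath

SYSTEM32 = r"c:\windows\system32"
# Directories a spam attachment is typically run from (assumption, tune per environment).
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def _in_system32(image):
    """True if the (lower-cased) image path sits directly in System32."""
    return ntpath.dirname(image) == SYSTEM32


def check_process_event(ev):
    """Return a list of findings for one process-creation event (empty if it looks benign)."""
    findings = []
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    name = ntpath.basename(image)
    parent_name = ntpath.basename(parent)

    if name == "svchost.exe":
        # Legitimate service hosts are launched by services.exe from System32 with -k <group>.
        if parent_name != "services.exe":
            findings.append("svchost.exe started by %s (expected services.exe)" % parent_name)
        if not _in_system32(image):
            findings.append("svchost.exe running from %s (expected %s)"
                            % (ntpath.dirname(image), SYSTEM32))
        if "-k " not in ev.get("CommandLine", "").lower():
            findings.append("svchost.exe without a -k service-group argument")
        # The dropper executed from a user-writable path spawning svchost.exe is the
        # hand-off point at which the injected payload starts running.
        if any(h in parent for h in USER_WRITABLE_HINTS):
            findings.append("parent %s lives in a user-writable directory" % parent)
    return findings


def scan_events(events):
    """Run the check over a stream of events; returns [(ProcessId, findings)] for hits only."""
    hits = []
    for ev in events:
        findings = check_process_event(ev)
        if findings:
            hits.append((ev["ProcessId"], findings))
    return hits


# Constructed telemetry, not real Sysmon output: a normal service host, the executed
# attachment, and the svchost.exe it creates to host the injected DLL.
SAMPLE_EVENTS = [
    {"ProcessId": 812,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 2044,
     "Image": r"C:\Users\alice\AppData\Local\Temp\FedEx_Invoice.pdf.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\FedEx_Invoice.pdf.exe"',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"ProcessId": 2060,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\FedEx_Invoice.pdf.exe"},
]


if __name__ == "__main__":
    for pid, why in scan_events(SAMPLE_EVENTS):
        print("PID %d:" % pid)
        for reason in why:
            print("  -", reason)
```

    This catches the process relationship, not the injection itself: because the sample maps its DLL into a freshly created svchost.exe with ZwCreateSection/ZwMapViewOfSection and then calls ZwResumeThread, the on-disk svchost.exe image is genuine and a file-based check will pass. Pair the parent-process rule with memory inspection (a mapped image that does not match the file on disk, or an unexpected export such as "work" in the host process) before treating a hit as confirmed.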


    Posted in Botnets, Malware, Spam


     

    © Copyright 2013 Trend Micro Inc. All rights reserved.