TrendLabs Security Intelligence Blog

Archive for December 26th, 2013




Early this year, Trend Micro researcher Kyle Wilhoit observed an increase in the use of AutoIt in several hacker tools and malware, which were typically uploaded to sites like Pastebin and Pastie. In that blog post, Kyle noted that because AutoIt is an easy-to-learn language, we could expect more threat actors to incorporate it into their schemes. He was right: we are now seeing more malware that uses AutoIt.

We recently encountered a ZeuS variant that arrives with a malicious AutoIt file and garbage files. It arrives via spammed email messages, and the unpacked file is detected as TSPY_ZBOT.SMIG. Like any ZeuS/ZBOT variant, TSPY_ZBOT.SMIG drops a configuration file that contains a list of its targeted banks and other financial sites. It also steals credentials for various FTP sites and steals personal certificates from the infected system.

In addition, we spotted two other malware families that use the same packer, which Trend Micro detects as TSPY_CHISBURG.A and TSPY_EUPUDS.A. Once loaded into memory, TSPY_CHISBURG.A steals user names and passwords for Yahoo, Hotmail, Pidgin, FileZilla, and VPN/ISP accounts, among others. Similarly, TSPY_EUPUDS.A collects data from the infected system such as the user ID, browser name and version, and OS version, and it also steals user names and passwords stored in certain browsers. Cybercriminals may sell the gathered information in the cybercrime underground or use it to launch further attacks.

The new AutoIt packer tool code found online can propagate via removable drives, includes installation routines, and checks which antivirus software is installed on the system. Its code also contains garbage code and obfuscated functions to make analysis harder. And while these malware families (TSPY_CHISBURG.A and TSPY_EUPUDS.A) are old, they remain an effective means of stealing information, especially with the added capabilities of the AutoIt packer.

Wrapping malware in a scripting language such as AutoIt makes analysis arduous, especially when no decompiler is available to aid it. AutoIt is also used by legitimate applications, so packed samples first have to be unpacked so that only the malicious routines and behavior are examined.
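As an added triage example (not Trend Micro's code), the check below flags whether a file image is an AutoIt-compiled executable by looking for the compiled-script marker and the interpreter stub's default error string, so an analyst knows to route the sample to an AutoIt unpacker rather than study the generic stub; the sample buffer is constructed inline.

```python
"""Triage check for AutoIt-compiled executables (added example, not Trend Micro code).

Compiled AutoIt scripts carry the compiled-script marker "AU3!EA06" (older
builds "AU3!EA05") and the interpreter stub's error string. Finding either
tells the analyst that the real logic is a packed script, not the PE stub.
"""
import sys

# Well-known markers present in AutoIt-compiled binaries.
SCRIPT_MARKERS = (b"AU3!EA06", b"AU3!EA05")
STUB_STRING = b"This is a third-party compiled AutoIt script."


def triage_autoit(data: bytes) -> dict:
    """Return indicators found in a file image; 'is_autoit' is True if any marker is present."""
    found = [m.decode() for m in SCRIPT_MARKERS if m in data]
    result = {
        "is_pe": data[:2] == b"MZ",           # DOS header magic
        "script_markers": found,              # which compiled-script markers were seen
        "stub_string": STUB_STRING in data,   # interpreter stub's error text
    }
    # Offset of the first marker, so an unpacker knows where the script blob sits (-1 if none).
    result["marker_offset"] = min((data.find(m) for m in SCRIPT_MARKERS if m in data), default=-1)
    result["is_autoit"] = bool(found) or result["stub_string"]
    return result


def triage_file(path: str) -> dict:
    """Read a file from disk and run the triage check on it."""
    with open(path, "rb") as fh:
        return triage_autoit(fh.read())


# Constructed sample: a fake PE-like buffer with the marker at offset 100 and the stub string after it.
SAMPLE = b"MZ" + b"\x00" * 98 + b"AU3!EA06" + b"\x00" * 32 + STUB_STRING + b"\x00" * 8

if __name__ == "__main__":
    # Pass a file path to triage a real sample; with no argument the constructed buffer is used.
    print(triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_autoit(SAMPLE))
```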

To avoid these malware, we advise users to be wary of the email messages they receive and to avoid executing the attachments that come with them. Users are also encouraged to regularly update their systems and anti-malware software to ensure protection. Trend Micro detects and deletes all the malware reported in this post through the Smart Protection Network.

With additional insights from Rika Gregorio.

Posted in Malware