
The Andromeda botnet, first spotted in late 2011, has recently resurfaced. This threat arrives via a familiar route: spammed messages carrying malicious attachments, or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code. Here is one spam message we saw recently:

Figure 1. Sample spammed message

Andromeda itself is highly modular and can incorporate various modules, such as:

• Keyloggers
• Form grabbers
• SOCKS4 proxy module
• Rootkits

As is typical of backdoors, it can download and execute other files (ZeuS, for example), and it can update or remove itself on command. Andromeda variants are typically sold online for 300-500 US dollars, with each of the modules listed above costing extra. The most recent version number we have identified is 2.60. Based on Smart Protection Network feedback, the top affected countries are Australia, Turkey, and Germany:

Figure 2. Andromeda infection count, January to February 25, 2013

One unusual aspect worth mentioning is how ANDROMEDA spreads via removable drives. Instead of simply dropping copies of itself, it drops a set of component files, which makes detection and analysis more difficult. The latest variant we spotted, which Trend Micro detects as BKDR_ANDROM.DA, also opens and listens on TCP port 8000 and launches a command shell (cmd.exe). Any remote party that connects to that port gets the full command capability of the shell, leaving the system open to further malware. It also uses the following native APIs to inject code into legitimate processes, a technique also seen in DUQU and KULUOZ:

• ZwCreateSection
• ZwMapViewOfSection
• ZwResumeThread
• ZwUnmapViewOfSection
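The two host-level behaviours in that paragraph, the TCP 8000 listener and the section-mapping injection calls, can be triaged from artefacts an incident responder already collects. The following is an added example written for this page; it is not Trend Micro's code nor the malware's. Its inputs are constructed stand-ins (a simplified sandbox API-call trace, `netstat -ano` output and a pid-to-image map), and the pids and image names such as `dropped.exe` are hypothetical.

```python
"""Triage helpers for the two host-level behaviours described above:
the TCP 8000 backdoor listener and section-based code injection.

Added example (not Trend Micro's or the malware's code).  Inputs are
constructed stand-ins: a simplified sandbox API-call trace, the output of
`netstat -ano` on a Windows host, and a pid-to-image map from tasklist.
"""
import re
from collections import defaultdict

# Constructed API trace, one call per line: "<caller pid> <api> <target pid>".
# Pid 4412 maps a section into pid 2208, unmaps 2208's original image and
# resumes its thread (hollowing); pid 1320 only maps a section into itself.
SAMPLE_TRACE = """\
4412 ZwCreateSection 4412
4412 ZwMapViewOfSection 4412
4412 ZwMapViewOfSection 2208
4412 ZwUnmapViewOfSection 2208
4412 ZwResumeThread 2208
1320 ZwCreateSection 1320
1320 ZwMapViewOfSection 1320
1320 ZwResumeThread 1320
"""
TRACE_RE = re.compile(r"^(\d+)\s+(Zw\w+)\s+(\d+)$")


def find_section_injection(trace):
    """Return {caller_pid: {target_pid: unmapped_original}} for callers that
    create a section, map a view of it into a *different* process and then
    resume a thread in that process.  ZwUnmapViewOfSection on the target is
    reported as an extra signal (True = the host image was unmapped, i.e.
    hollowing) but is not required, since map/unmap order varies by sample."""
    created = set()              # pids that have called ZwCreateSection
    mapped = defaultdict(set)    # caller -> foreign pids it mapped a view into
    unmapped = defaultdict(set)  # caller -> foreign pids it unmapped a view from
    hits = defaultdict(dict)
    for line in trace.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        pid, api, target = m.groups()
        if api == "ZwCreateSection":
            created.add(pid)
        elif api == "ZwMapViewOfSection" and target != pid and pid in created:
            mapped[pid].add(target)
        elif api == "ZwUnmapViewOfSection" and target != pid:
            unmapped[pid].add(target)
        elif api == "ZwResumeThread" and target in mapped[pid]:
            hits[pid][target] = target in unmapped[pid]
    return {caller: dict(targets) for caller, targets in hits.items()}


# Constructed `netstat -ano` output and tasklist mapping (hypothetical names).
# Pid 4412, the injector above, listens on 8000 on both IPv4 and IPv6.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:49213     203.0.113.5:80         ESTABLISHED     2208
  TCP    [::]:8000              [::]:0                 LISTENING       4412
"""
SAMPLE_TASKLIST = {"860": "svchost.exe", "4412": "dropped.exe", "2208": "cmd.exe"}
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def find_listeners(netstat_out, pid_to_image, port=8000):
    """Return sorted (pid, image) pairs listening on `port`, any address family."""
    found = set()
    for line in netstat_out.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            pid = m.group(3)
            found.add((pid, pid_to_image.get(pid, "<unknown>")))
    return sorted(found)


if __name__ == "__main__":
    print("section injection:", find_section_injection(SAMPLE_TRACE))
    print("port 8000 listeners:", find_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

A listener on port 8000 by itself is weak evidence (development web servers use it too), so treat it as a lead to be confirmed by the injection hit, by the process tree (an unexpected parent of cmd.exe) and by the dropped component files on removable media. On a live host the same functions can be fed the real `netstat -ano` and `tasklist` output.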

This makes analysis, and consequently removal from an infected system, more difficult. The ultimate payload of Andromeda depends entirely on the commands it receives from the command-and-control (C&C) server it connects to, so a wide variety of threats can be seen on affected systems. In addition, the malware itself is continuously updated.

In our 2013 security predictions, we said that we would see more refinements in the tools and malware attackers use. The perpetrators behind Andromeda have improved the malware's propagation routine: it now drops several component files, one of which creates a registry key containing an encrypted .DLL file used for propagation.

To some degree, these threats can be avoided by not opening links or attachments in suspicious emails, although well-crafted emails make this difficult. Trend Micro products already detect and remove this particular threat from user systems.


© Copyright 2013 Trend Micro Inc. All rights reserved.