
    Author Archive - Anthony Joe Melgarejo (Threat Response Engineer)

    We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.

    Around this time last year, the U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware, a PoS RAM scraper malware family. Cybercriminals gathered roughly 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers. Home Depot also suffered recently from a data breach, which has so far cost the hardware mart more than $43 million in expenses to investigate the breach.

    TSPY_POSLOGR.K: In the Beta Testing Phase?

    Based on our initial analysis, this new PoS malware does not connect to any server to exfiltrate the dumped data. TSPY_POSLOGR.K reads memory from the processes listed in its .INI file and saves the gathered dump to rep.bin and rep.tmp.

    Figure 1. In the case of TSPY_POSLOGR.K, dumped data is placed in rep.bin and rep.tmp. The word ‘FUCK’ is inserted in front of the data.

    Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data. It is highly possible that this is deployed as a package.

    The malware is dependent on its configuration file (which means that it is starting to build in flexibility). By default, the configuration file, named 1.ini, is not present on the system, so we cannot tell which default processes are being scanned or read. The malware also does not display any known C&C communications and still has debug strings in its code. Because of this, we believe that this PoS malware is still in the beta testing stage or under development.

    Figure 2. Code snippet of debug strings used

    Figure 3. Expected content of the .INI file: values of cryp, time, proc

    We will continue to monitor this threat for more updates. In the meantime, users can stay safe online during the holiday shopping weekend by following the tips in the articles below:

    Read more about PoS RAM Scraper Malware from our paper titled “PoS RAM Scraper Malware: Past, Present, and Future.”

    With additional analysis by Rhena Inocencio

    Hat tip goes out to Nick Hoffman of 

    Posted in Malware

    Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also led us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques.

    Below is a screenshot of the extracted code of TSPY_ZBOT.AAMV, which is injected with the 64-bit ZBOT:

    Figure 1. Screenshot of 32-bit ZBOT

    Going through the code, the 64-bit version can be seen as a part of the text section (executable code) of the malware.

    Figure 2. Screenshot of injected 64-bit ZBOT

    Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version.

    The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers. This component is embedded at the bottom part of the injected code, along with the 32-bit and 64-bit versions. To initiate this component, the malware suspends the process svchost.exe and injects it with the Tor component’s code then resumes the process. In doing so, the execution of Tor is masked. It is launched using the following parameters:

    “%System%\svchost.exe” --HiddenServiceDir “%APPDATA%\tor\hidden_service” --HiddenServicePort “1080 {random port 1}” --HiddenServicePort “5900 {random port 2}”

    These parameters specify how the Tor client will run. In this case, the Tor client runs as a hidden service and specifies the location of the private_key and hostname configuration. TSPY_ZBOT.AAMV then reports to its C&C server the said configuration, which is then relayed to a remote malicious user. The Tor client redirects the network communications in ports 1080 and 5900 to randomly generated ports, which the remote user can now access.

    The Tor component will act as a server, which the malicious remote user will use to access an infected system. This ZBOT variant contains Virtual Network Computing (VNC) functionality, which the remote user can then use to execute its desired commands. This functionality of certain ZBOT variants was reported as early as 2010, effectively creating a remote-control capability for these malware, similar to how a backdoor controls an infected system.
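    As an added example (not code from the original post), the following Python detector parses Tor's HiddenServiceDir/HiddenServicePort options out of process-creation command lines and flags a Windows system binary such as svchost.exe that is started with them, mapping the exposed virtual ports back to the SOCKS (1080) and VNC (5900) services named above. The sample records, the user path and the port numbers standing in for the random ports are constructed.

```python
import re

# Constructed sample process-creation records (not real telemetry), in the shape
# an EDR/Sysmon process-create event carries: image path plus command line.
# The random ports and the user path are stand-ins chosen for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\svchost.exe" -k netsvcs -p -s Schedule'},
    {"image": r"C:\Windows\System32\svchost.exe",   # the pattern from the post
     "cmdline": r'"C:\Windows\System32\svchost.exe" --HiddenServiceDir '
                r'"C:\Users\u\AppData\Roaming\tor\hidden_service" '
                r'--HiddenServicePort "1080 41237" --HiddenServicePort "5900 52144"'},
    {"image": r"C:\Tools\tor.exe", "cmdline": r'"C:\Tools\tor.exe" -f torrc'},
]

# Virtual ports the post says the hidden service exposes: SOCKS and VNC.
SUSPICIOUS_VIRTUAL_PORTS = {1080: "SOCKS", 5900: "VNC"}

def parse_hidden_service_args(cmdline):
    """Return (hidden_service_dir, [(virtual_port, target), ...]) parsed from a
    tor-style command line; (None, []) when no hidden-service options appear."""
    # Web/PDF extraction often renders "--" as an en or em dash; restore it.
    cmdline = cmdline.replace("\u2013", "--").replace("\u2014", "--")
    # Tokenize while keeping double-quoted arguments (e.g. "1080 41237") whole.
    argv = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    hs_dir, ports = None, []
    for i, arg in enumerate(argv[:-1]):
        opt = arg.lstrip("-").lower()
        if opt == "hiddenservicedir":
            hs_dir = argv[i + 1]
        elif opt == "hiddenserviceport":
            # Tor syntax: HiddenServicePort VIRTPORT [TARGET]; TARGET is a local
            # port or host:port, and only VIRTPORT is mandatory.
            parts = argv[i + 1].split(None, 1)
            if parts and parts[0].isdigit():
                ports.append((int(parts[0]), parts[1] if len(parts) > 1 else None))
    return hs_dir, ports

def find_tor_hidden_service_abuse(events):
    """Flag records whose command line carries Tor hidden-service options; a
    Windows system binary (svchost.exe) carrying them is the injection case."""
    findings = []
    for ev in events:
        hs_dir, ports = parse_hidden_service_args(ev["cmdline"])
        if hs_dir is None and not ports:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "image": image,
            "masquerade": image != "tor.exe",   # tor options under another binary name
            "hidden_service_dir": hs_dir,
            "port_map": ports,
            "exposed": [SUSPICIOUS_VIRTUAL_PORTS[v] for v, _ in ports
                        if v in SUSPICIOUS_VIRTUAL_PORTS],
        })
    return findings
```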

    64-bit ZBOT Levels Up Antimalware Evasion Tricks

    Aside from these functionalities, we found new routines added to this ZBOT. One is the execution prevention of certain analysis tools such as OllyDbg, WinHex, StudPE, and ProcDump among others.

    Another noteworthy addition is this ZBOT’s user mode rootkit capability, which effectively hides the malware processes, files, and registry.

    The said variant also hides its dropped files and autostart registry. As the images below show, the malware’s created folders can be seen using the dir command in CMD, but are hidden when browsed via File Explorer.

    Figure 3. ZBOT hidden folders visible in CMD using dir command

    Figure 4. ZBOT files hidden in File Explorer

    As for the TSPY_ZBOT.AAMV autostart registry entries, created folders and files, users can view these by restarting in Safe Mode. Because the malware only has a user mode rootkit capability, which only hides malware-related files and processes as opposed to a kernel mode rootkit, users can delete these while in Safe Mode.

    This 64-bit version for ZeuS/ZBOT is an expected progression for the malware, especially after ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. Adding other functionalities such as rootkit capability and the use of a Tor component are further proof that we can see more modifications in the future, particularly those that help circumvent or delay antimalware efforts.

    Trend Micro protects users from this threat by detecting ZBOT variants if found in a system. It also blocks access to known C&C sites of the malware.

    Additional information about Tor may be found in the paper “Deepweb and Cybercrime: It’s Not All About TOR.”

    Posted in Malware

    We recently came across some AutoCAD malware which we detect as ACM_SHENZ.A. It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.

    It first creates a user account with administrative rights on the system. It then creates network shares for all drives from C: to I:. It then opens four ports on the system: ports 137 to 139 and port 445.

    Figures 1-2. Decompiled code

    Perhaps because of the malware’s limited goals, the author did not bother to obfuscate his code.

    Figure 3. Malware code without obfuscation

    These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports, and miscellaneous communications between nodes on a network running on Windows. By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched. Security bulletins that cover the SMB vulnerabilities include MS10-020 and MS11-043.

    The decision to create an account with administrator privilege is a strategic one. Without the said account, the attacker will have to crack passwords for existing accounts or remotely create one—processes that can be difficult and time-consuming. With the admin account, the attacker can easily steal all the files in those drives and plant other information-stealing malware.

    Historically, AutoCAD malware is very rare, although not completely unheard of. Aside from disabling certain AutoCAD functions and ensuring that all opened AutoCAD documents spread the malware as well, these kinds of malware may also be used to download or run other malware components. The primary advantage of AutoCAD malware may well be that users do not expect this type of document to be malicious; users should be careful about all document types and not just those that are “well-known” to contain malware.

    Posted in Malware

    The year might be coming to a close, but we are still seeing our 2013 predictions come true. We encountered an attack that featured an old malware with new routines. This malware, detected as BKDR_SINOWAL.COP, specifically attempts to disable the Rapport software from Trusteer.

    Figure 1. Code that looks for the Trusteer Rapport module

    Rapport is software that protects users from phishing and man-in-the-browser (MitB) attacks. It is frequently provided to users by their banks to improve their security. If the attacker succeeded in disabling Rapport, users would be more vulnerable to man-in-the-browser attacks, which are frequently used by banking malware.

    A side note: we have been in contact with Trusteer regarding this threat, and they have confirmed that it does not succeed in disabling Rapport, so users are not at increased risk.

    However, BKDR_SINOWAL.COP does not have the ability to perform MitB attacks by itself. This means that it requires a plugin component or another malware to successfully perform this type of attack.

    Feedback from the Smart Protection Network shows that the attack arrived as an email attachment. This attachment is a compressed file which contains a variant of BKDR_ANDROM malware, detected as BKDR_ANDROM.LSK. This malware will drop and execute both the SINOWAL malware and TSPY_ZBOT.IRF.

    Figure 2. SINOWAL routine

    Knowing this, we can say that the attacker intended to make ZBOT’s MitB routine (via web injects) more successful by using BKDR_SINOWAL’s capability to disable software that prevents that specific attack.

    This threat shows how different threats can work together to increase their effectiveness in carrying out their malicious activities, like stealing information. We already detect the malware associated with this attack.

    The following are the SHA1 hashes of the files that are related to this threat:

    Posted in Malware, Spam

    A new attack is spreading via Facebook and several instant messaging applications. Its chief payload is a backdoor – BKDR_LIFTOH.DLF – which allows its attackers to take control of the infected systems. It spreads by using two worms, one of which is a new variant of the rather notorious DORKBOT family.

    DORKBOT, known for spreading via social media and instant messaging applications (e.g. Skype and mIRC), is now found propagating in multi-protocol instant messaging (IM) apps like Quiet Internet Pager and Digsby.

    These apps enable users to communicate via various IM apps. Digsby supports AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat accounts while Quiet Internet Pager supports at least four different IM services. Thus, this malware may potentially affect more users because of its wider launchpad for propagation.

    Detected as WORM_DORKBOT.SME, this worm sends out shortened URLs to the contacts found in the IM client of the infected system. These URLs point to a file, which is actually an updated copy of DORKBOT uploaded to the file-hosting site Mediafire. This is probably a maneuver to evade detection and easy removal from the system.

    Aside from its propagation routines, DORKBOT is also known for its capability to steal login credentials by hooking APIs to certain web browsers.

    WORM_DORKBOT.SME is downloaded by the main payload, BKDR_LIFTOH.DLF. One of the commands that this backdoor receives from its C&C server is to download and execute other malware. The command also contains the URL from which the file will be downloaded. However, this time, the file is hosted on Hotfile.

    Moreover, this backdoor also has the capability to edit its configuration from its C&C server.

    Figure 1. BKDR_LIFTOH.DLF Configuration

    Posted in Bad Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved.