Reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, have recently surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A. Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.

It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. The files it overwrites are those with the following strings in the file name or code:

• document
• picture
• video
• music

Once overwritten, these files can no longer be restored or opened. On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer.

Trend Micro is continuously investigating this threat. Watch this space for updates.

Update as of August 20, 2012 11:13 PM

Further analysis of TROJ_WIPMBR.A reveals that it overwrites disk partitiions with a damaged .JPEG file using its component file DRDISK.SYS. It also creates a file containing the number of files to be compromised. TROJ_DISTTRACK.A also uses TROJ_WIPMBR.A to communicate with its C&C Server.

Update as of August 21, 2012 02:43 AM

We also found a 64-bit version of the malware that exhibits similar behavior. Trend Micro detects the malware as WORM_DISTTRACK.A and its components as TROJ_WIPRMBR.A and TROJ_DISTTRACK.A.

With additional analysis from Christopher Daniel So

Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

We discovered a malicious MS PowerPoint document that arrives via an attached file attached to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users’ systems.

Users who open the malicious  .PPT file triggers the shellcode within the Flash file that exploits CVE-2011-0611, and then drops “Winword.tmp” in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file “Powerpoint.pps”, tricking users into thinking that the malicious file is just your average presentation file. Based on our analysis, “Winword.tmp” is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware leaving infected systems susceptible to other, more menacing threats such as data stealing malware.

Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.EVL and the dropped backdoor file as BKDR_SIMBOT.EVL. Reports, as well as our own analysis, confirmed that this kind of malware has been used for targeted attacks in the past.

Recent threats are no longer limited to malicious files disguised as ordinary binaries (such as .EXE file) attached to emails. These specially crafted files can be embedded in commonly used files such as PDF, DOC, PPT or XLS files. In this particular scenario, users are unaware of the attack since TROJ_PPDROP.EVL also displays a non-malicious PowerPoint file to serve as a decoy.

Reliable Vulnerabilities: Effective Infection Gateways

This case also shows that cybercriminals are continuously taking advantage of previously reported vulnerabilities in popular software such as MS Office applications, Flash etc. In a previous blog entry, we uncovered that old and reported software bugs such as CVE-2010-3333 and CVE-2012-0158 are still being exploited by attackers. This finding highlights two things. First, exploits created for reliable vulnerabilities remain effective cybercriminal tools. Second, most users do not regularly update their systems’ with the latest security patch, which explains why attackers are continuously exploiting these bugs.

Trend Micro protects users from this threat via Smart Network Protection™, which blocks the related email and URLs and detects TROJ_PPDROP.EVL and BKDR_SIMBOT.EVL. In this new era where simple documents can lead to information theft, users should be extra cautious before downloading files from email messages, especially those from unknown senders. Users should also regularly keep their systems updated with the latest security patch.

We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www.facebook.com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www.facebook.com” and uses the extension “.COM”.

Once executed, this malware (detected as WORM_STEKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STEKCT.EVL also connects to specific websites to send and receive information.

Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.

Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites. To know more on how you can prevent these threats targeting Facebook and other social media sites, you may read our comprehensive e-guide A Guide to Threats on Social Media.

Furthermore, with our recent partnership with Facebook, Trend Micro™ protects users via Smart Protection Network™, which blocks access to the related malicious link. The file reputation technology in Smart Protection Network™ detects and deletes both WORM_STEKCT.EVL and WORM_EBOOM.AC.

We encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection to take effect. When the system restarts, the ransomware displays the following message:

This message prompt informs affected users that the PC is now blocked and that they should pay 920 hryvnia (UAH) via QIWI to a purse number (12 digits) – 380682699268. Once paid,they will receive a code that will unlock the system. This code will supposedly resume operating system to load and remove the infection. This particular variant has the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.

Trend Micro detects this ransomware as TROJ_RANSOM.AQB and the infected MBR as BOOT_RANSOM.AQB.

Read the rest of this entry »

We recently came across reports about a hacker group that was able to detect a backdoor that was found capable of monitoring online activities and of recording calls made on Skype. Apart from its routines, it also garnered media attention because of claims that the backdoor may be used by German law enforcement authorities.

The malware, which we detect as BKDR_R2D2.A, was named such based on the strings “R2D2″ found in its malware code:

Based on our analysis, this malware is capable of doing the following:

• Listen to chat conversations for applications like Skype, Yahoo! Messenger, MSN Messenger, and SipGate x-lite.
• Record audio calls made on Skype.
• Monitor Web browsing activities done on SeaMonkey, Navigator, Opera, Internet Explorer, and Mozilla Firefox.
• Take screenshots of the infected system.

The list below shows the programs it monitors and injects itself into.

This backdoor also receives commands from a remote site and is capable of installing component files; of retrieving system information; of downloading, uploading, and executing programs; and of uninstalling itself. It also has the ability to communicate with a remote IP address in order to receive commands from a remote user. This allows cybercriminals to take total control of infected systems.

The malware code doesn’t show any information about its connection to any government. However, we’ve seen reports saying that the Bavarian Minister of Interior Affairs Joachim Herrmann (CSU) already confirmed that the malware was created by the Bavarian police.

Regardless of creator, however, R2D2 still remains an information-stealing tool and so we find it of utmost importance that users are protected from having their privacy broken into. Especially with this release of information to the public, it is highly likely that we will find this tool in the cybercriminals’ hands for use in more sinister intents. With this, Trend Micro detects R2D2 as BKDR_R2D2.A and its component file as RTKT_R2D2.A.