TrendLabs Security Intelligence Blog, Trend Micro

    Author Archive - Jessa De La Torre (Threat Response Engineer)

    Analysis of the PE_LICAT.A file infector (first discussed in File Infector Uses Domain Generation Technique Like DOWNAD/Conficker) has revealed further information on this emerging threat.

    We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O. (A main file infector is one that triggers the process of infecting files but is not infected itself.) It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory-resident. Second, any file executed afterward becomes infected with malicious code and is detected as PE_LICAT.A.

    We looked into the pseudo-random domains that LICAT accesses to download files. Each time PE_LICAT.A is executed, it generates these domains and attempts to download files from them, making at most 800 attempts.

    The generated domains use the following top-level domains:

    • biz
    • com
    • info
    • org
    • net

    Our monitoring indicates that most of these domains have never been registered; only a small number have. Of the sites those registered domains lead to, some are currently inaccessible, but others are still alive and active. As a precaution, all related sites have been classified as malicious and blocked by Trend Micro.
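    As an added example (not code from the original post, and not LICAT's own generation algorithm, which the post does not reproduce), the following Python scores resolver-log clients on the traits described above: many distinct, random-looking names under biz/com/info/org/net, nearly all answered NXDOMAIN because the names were never registered. The log line format "<timestamp> <client> <qname> <rcode>", the three thresholds, and the md5-based label generator used only to build test data are assumptions.

```python
"""Score resolver clients for the DGA traffic pattern the post describes: many
distinct, random-looking second-level labels under biz/com/info/org/net,
almost all answered NXDOMAIN because the names were never registered.
Added example; the log format and the stand-in label generator are
constructed and are NOT LICAT's real generation algorithm."""
import hashlib
import math
from collections import defaultdict

TLDS = {"biz", "com", "info", "org", "net"}   # the TLDs listed in the post


def shannon_entropy(label: str) -> float:
    """Bits per character; 'google' is about 1.9, a 16-letter random label about 3.4."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def parse_line(line: str):
    """Constructed resolver-log format: '<timestamp> <client> <qname> <rcode>'."""
    _ts, client, qname, rcode = line.split()
    return client, qname.rstrip(".").lower().split("."), rcode


def score_clients(lines, min_lookups=20, nx_ratio=0.8, uniq_ratio=0.8, min_entropy=3.0):
    """Return {client: stats} for clients whose lookups look DGA-driven.
    Entropy alone is weak (the dictionary word 'trendmicro' scores ~3.1), so it
    only counts together with a high NXDOMAIN rate and a high unique-name rate."""
    stats = defaultdict(lambda: {"lookups": 0, "nx": 0, "names": set(), "ent": 0.0})
    for line in lines:
        client, labels, rcode = parse_line(line)
        if len(labels) < 2 or labels[-1] not in TLDS:
            continue                               # outside the TLD set; ignore
        s = stats[client]
        s["lookups"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["names"].add(".".join(labels[-2:]))
        s["ent"] += shannon_entropy(labels[-2])
    flagged = {}
    for client, s in stats.items():
        if s["lookups"] < min_lookups:
            continue                               # too little data to judge
        nx = s["nx"] / s["lookups"]
        uniq = len(s["names"]) / s["lookups"]
        ent = s["ent"] / s["lookups"]
        if nx >= nx_ratio and uniq >= uniq_ratio and ent >= min_entropy:
            flagged[client] = {"lookups": s["lookups"], "nx_ratio": round(nx, 2),
                               "unique_ratio": round(uniq, 2), "mean_entropy": round(ent, 2)}
    return flagged


def _stand_in_label(i: int) -> str:
    """Constructed random-looking 16-letter label for test data (not LICAT's DGA)."""
    return "".join(chr(97 + b % 26) for b in hashlib.md5(b"example-%d" % i).digest())


def build_sample_log():
    """Constructed log: a DGA-like client, an ordinary client, and a quiet client."""
    tlds = sorted(TLDS)
    lines = []
    for i in range(40):        # 40 generated names; every 13th one resolves (registered)
        rcode = "NOERROR" if i % 13 == 0 else "NXDOMAIN"
        lines.append(f"2010-10-08T12:00:{i:02d}Z 10.0.0.15 {_stand_in_label(i)}.{tlds[i % 5]} {rcode}")
    for i in range(40):
        name = ("www.trendmicro.com", "mail.example.org", "update.example.net")[i % 3]
        lines.append(f"2010-10-08T12:01:{i:02d}Z 10.0.0.20 {name} NOERROR")
    for i in range(5):         # same pattern but too few lookups to judge
        lines.append(f"2010-10-08T12:02:{i:02d}Z 10.0.0.30 {_stand_in_label(100 + i)}.biz NXDOMAIN")
    return lines
```

    Run score_clients() over a window of resolver logs and tune the three thresholds against your own baseline. The post's observation that a few generated names were registered (and therefore resolve) is why nx_ratio defaults to 0.8 rather than 1.0, and min_lookups keeps a host that made a handful of typos from being flagged.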

    These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September have been confirmed to be known ZeuS domains in that period. One of these domains, {BLOCKED}klklmssrr.com, was registered approximately one week before it would have been used by PE_LICAT. Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past and is a known haven for cybercrime.

    We were able to obtain a sample from these LICAT-related domains, which we currently detect as TSPY_ZBOT.BYZ. The downloader file shows certain behaviors often associated with ZeuS. However, the capability to act as a downloader is not functionality seen in ZeuS to date, so this file is under further analysis. The file drops a copy of the main file infector, PE_LICAT.A-O. Files exhibiting similar behavior to the downloader will be proactively detected as TSPY_ZBOT.SMEQ.

    PE_LICAT infections appear to have hit the North American and European regions hardest, with Latin America the lightest hit according to our Smart Protection Network™ feedback.

    Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™. CTO Raimund Genes talks more about this protection in How Analyzing a New Virus Can Lead to Multiple Protections. The domains generated by PE_LICAT are being analyzed in real time and blocked as necessary. In addition, infected files are being detected and cleaned.

    Update as of October 11, 2010 2:28 p.m. UTC

    Upon analysis of the dropped file TSPY_ZBOT.BYZ, it was found that this ZeuS variant is actually both the starting point and final payload of this infection chain. Studying TSPY_ZBOT.BYZ reveals that it decrypts and drops PE_LICAT.A-O onto an affected system. As such, it can be inferred that this was, indeed, a ZeuS-driven attack, with the file infection and URL generation technique used to prolong its lifespan.

    Below is an image describing the whole infection chain:

    [Image: Infection Chain]


    A fake Malicious Software Removal Tool (MSRT) has been found circulating in the wild. Senior threats analyst Edgardo Diaz stumbled upon a sample that Trend Micro detects as TROJ_FAKEAV.MSRT.

    At first glance it looks like the real MSRT because of the icon it uses. Like other FAKEAV variants, it also displays a fake scan alert claiming that the user's system is infected with malware.


    However, keen-eyed users will notice that this tool is fake for the following reasons:

    1. File size: It is relatively small, at only 412,672 bytes.
    2. Digital signature: The real tool is digitally signed by Microsoft; this one is not.
    3. Antivirus product: It scans for installed antivirus products and then tells the user that only the recommended software (Shield EC Antivirus) can remove the malware.
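    As an added example, not Trend Micro's tooling, the following Python turns the first two tells into a check that can be run on a suspect file: it walks the PE headers to see whether a Certificate Table (the Authenticode blob) is attached and flags an unexpectedly small image. The 1,000,000-byte size threshold and the minimal PE constructed for testing are assumptions. Presence of a blob is not proof of validity, so a file that passes this check should still be verified with signtool or PowerShell's Get-AuthenticodeSignature before it is trusted.

```python
"""Two of the three file-level tells above (size and missing Authenticode
signature) as a triage check on a PE image. Added example, not Trend Micro's
tooling; build_minimal_pe() constructs a fake image for testing."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4         # index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002    # Authenticode PKCS#7 blob


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if empty.
    Unlike other directories, this entry holds a raw file offset, not an RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                          # past the COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                               # PE32
        dirs = opt + 96
    elif magic == 0x20B:                             # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def has_authenticode_blob(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is attached.
    Presence only: the signature must still be verified before trusting the file."""
    table = certificate_table(data)
    if table is None:
        return False
    off, size = table
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size


def triage(data: bytes, min_size=1_000_000) -> list:
    """Reasons to distrust a file claiming to be MSRT (empty list = no tell found)."""
    reasons = []
    if len(data) < min_size:                      # assumed threshold, not Microsoft's
        reasons.append("smaller than expected (%d bytes)" % len(data))
    if not has_authenticode_blob(data):
        reasons.append("no Authenticode signature attached")
    return reasons


def build_minimal_pe(cert_size: int = 0) -> bytes:
    """Constructed PE32 image: DOS header, PE signature, COFF header, optional
    header with 16 directories, no sections. cert_size > 0 appends a dummy
    WIN_CERTIFICATE and points directory entry 4 at it."""
    e_lfanew = 0x40
    opt_size = 96 + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    headers_end = e_lfanew + 4 + 20 + opt_size
    entries = [(0, 0)] * 16
    if cert_size:
        entries[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_end, cert_size)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *e) for e in entries)
    cert = b""
    if cert_size:
        cert = struct.pack("<IHH", cert_size, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        cert += b"\0" * (cert_size - 8)
    return dos + b"PE\0\0" + coff + opt + cert
```

    triage(open(path, "rb").read()) returns the list of tells for a real file. An attacker can of course attach an invalid or self-signed blob, which is why the blob check only rules files out, never in.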

    However, the clincher comes at the end. Like its predecessors, it entices users to purchase the recommended rogue antivirus—Shield EC Antivirus. It points users to the billing page, http://{BLOCKED}buypage.com/index_new.php?sid=205 where they are asked to pay US$99.90 for the product.


    Trend Micro product users are already protected from this attack via the Trend Micro™ Smart Protection Network™, which detects the said FAKEAV variant. Non-Trend Micro product users, on the other hand, can use the free cleanup tool, HouseCall.

    Trend Micro recently came across a .PDF file sample that exploits a vulnerability that was discovered as early as mid-2009. The specially crafted .PDF file detected as TROJ_PIDIEF.SML contains malicious JavaScript in its code that uses the getAnnots() method to corrupt an affected system’s memory.

    It is interesting to note that its final payload is the download of a malicious binary file that happens to be a ZBOT/ZeuS variant detected as TROJ_ZBOT.BYZ. This combines two of the most prevalent threats today, ZBOT and PDF exploits. From phishing emails to social-networking sites, the widespread ZeuS Trojan has been making its rounds across various attack vectors to get into users' systems.

    ZeuS has been around since 2007, and even though most antivirus companies have caught on to its stealth and polymorphic routines, this malware still shows no signs of slowing down.


    Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

    Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild. The sample (detected by Trend Micro as TROJ_PIDIEF.WIA) uses the heap spray technique to execute shellcode carried in one of its streams. As a result, a malicious file detected as BKDR_POISON.UC is dropped onto the system.

    When executed, BKDR_POISON.UC opens an instance of Internet Explorer and connects to a remote site, cecon.{BLOCKED}-show.org. Once the connection is established, a remote attacker can execute arbitrary commands on the affected system.
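    As an added example serving both this post and the getAnnots() post above (it is not Trend Micro's detection code), the following Python performs a static triage of a PDF: it inflates the file's FlateDecode streams and looks for the indicators the two posts describe, namely JavaScript action keys, a getAnnots() call, and the heap-spray pattern (a long run of %uXXXX escapes, a loop that doubles a string to a target length, and an array filled with copies). The heuristics and the two sample PDFs built inline are constructed; the spray string in the sample is a filler run and carries no shellcode.

```python
"""Static triage for the two PDF cases above: a JavaScript action calling
getAnnots() (TROJ_PIDIEF.SML) and a heap-spray script in a stream
(TROJ_PIDIEF.WIA). Added example, not Trend Micro's detection; the heuristics
and the two sample PDFs below are constructed."""
import re
import zlib

# Keys that attach executable behaviour; (?![A-Za-z]) keeps /AA from matching /AAPL etc.
_ACTION_RE = re.compile(rb"/(OpenAction|AA|JavaScript|JS)(?![A-Za-z])")
# "N G obj << dict >> stream ... endstream"; the lookahead stops a dict from
# swallowing the next object when the current one has no stream.
_STREAM_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL)
SUSPICIOUS_CALLS = ("getAnnots",)                   # the call the first post names
_UESC_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}")  # long run of %uXXXX escapes


def decode_streams(pdf: bytes):
    """Yield (dictionary, body) per stream, inflating /FlateDecode bodies."""
    for m in _STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass            # keep the raw bytes; a broken stream is itself notable
        yield dictionary, body


def looks_like_heap_spray(js: str) -> bool:
    """Three traits together: a long %uXXXX run (sled + payload), a loop that
    doubles a string up to a target length, and an array filled with copies."""
    long_escape = _UESC_RE.search(js) is not None
    doubling = re.search(r"while\s*\(\s*\w+\.length\s*<", js) is not None
    array_fill = re.search(r"\w+\[\s*\w+\s*\]\s*=\s*\w+", js) is not None
    return long_escape and doubling and array_fill


def triage(pdf: bytes) -> dict:
    """Scan the raw file and every decoded stream for the indicators."""
    calls, spray = set(), False
    for blob in [pdf] + [body for _, body in decode_streams(pdf)]:
        text = blob.decode("latin-1")
        for call in SUSPICIOUS_CALLS:
            if re.search(r"\b%s\s*\(" % call, text):
                calls.add(call)
        spray = spray or looks_like_heap_spray(text)
    keys = sorted({"/" + m.group(1).decode() for m in _ACTION_RE.finditer(pdf)})
    verdict = "suspicious" if (calls or spray) else "clean"
    return {"action_keys": keys, "calls": sorted(calls), "heap_spray": spray, "verdict": verdict}


def _pdf(objects) -> bytes:
    """Assemble numbered objects into a minimal PDF (no xref table; not needed here)."""
    parts = [b"%PDF-1.4\n"]
    for n, obj in enumerate(objects, 1):
        parts.append(b"%d 0 obj\n%s\nendobj\n" % (n, obj))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Constructed script showing the three traits; the "%u0c0c" run is filler, not shellcode.
SPRAY_JS = (b'var block = unescape("' + b"%u0c0c" * 12 + b'");\n'
            b"while (block.length < 0x10000) block += block;\n"
            b"var heap = new Array();\n"
            b"for (var i = 0; i < 300; i++) heap[i] = block;\n"
            b"this.getAnnots(0, 0, 0, 0);\n")


def build_malicious_sample() -> bytes:
    """Constructed PDF: /OpenAction -> JavaScript action -> compressed script stream."""
    js = zlib.compress(SPRAY_JS)
    return _pdf([
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(js), js),
    ])


def build_benign_sample() -> bytes:
    """Constructed PDF: one page with a compressed content stream and no actions."""
    page = zlib.compress(b"BT /F1 12 Tf 72 720 Td (Hello) Tj ET")
    return _pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(page), page),
    ])
```

    triage(open(path, "rb").read()) works on a file from disk. The scan deliberately looks at every decoded stream rather than only objects marked /JavaScript, because an attacker can hide the script in any stream and reference it indirectly; conversely, a document that uses only /ASCIIHexDecode or /LZWDecode would need those filters added to decode_streams() before its contents are visible to the heuristics.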

    Adobe has announced that it will provide a patch for this vulnerability on January 12, 2010. Until then, users are advised to disable JavaScript in Adobe Reader and Acrobat, since cybercriminals are sure to take advantage of the unpatched vulnerability. To do this, follow the steps below.

    1. Click Edit > Preferences.
    2. In the left panel, select JavaScript.
    3. Untick the Enable Acrobat JavaScript option.
    4. Click OK.

    In addition, Adobe plans to release an automatic/silent updater that will patch systems without user intervention. This should reduce the number of users who can be victimized by exploits for already patched vulnerabilities.

    Trend Micro protects users from this threat via the Smart Protection Network, which detects all related malicious files. OfficeScan users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF003885 filters.

    In this month's Patch Tuesday, Microsoft released six security bulletins addressing 12 vulnerabilities. Three of them (MS09-071, MS09-072, MS09-074) are rated "critical"; the rest are rated "important."

    MS09-072 also fixes the recently reported vulnerability in Internet Explorer 6 and 7 for which an exploit is already circulating. Successful exploitation lets an attacker execute arbitrary code on the system with the rights of the logged-on user. Trend Micro detects the exploit as HTML_SHELLCOD.WT.

    Adobe also released two security bulletins addressing recently discovered vulnerabilities in Flash Player and Illustrator. The Flash Player vulnerability could give an attacker control of the affected system if successfully exploited.

    With the holiday season just around the corner, along with a truckload of holiday-related scams (fake e-cards, phishing attacks, etc.) and malware, users are strongly advised to apply these patches immediately and keep their systems up-to-date.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice