    TrendLabs Security Intelligence Blog

    Author Archive - Rainer Link (Senior Threat Researcher)






    For some time now, we have been checking the download site of WORM_BAGLE.DA for changes in the uploaded file. When I checked the main site of the download URL, which is http://{blocked}i.ru, I discovered that the site belongs to a LEGITIMATE Russian company.

    The author/s of the Bagle malware simply hacked the website and placed the malware file at http://{blocked}i.ru/img/ as 2.jpg, disguising it as a JPG image belonging to the legitimate website.

    This may have been done by the malware author/s to avoid getting caught, since the site will not be traced back to them.

    Posted in Bad Sites





    Again we are experiencing a storm of TROJ_BAGLE coming in. The attachment of this TROJ_BAGLE is named 19_09.exe.

    As I said in my previous blog, we were downloading the files from the URLs used by Bagle. To my surprise, a new sample of WORM_BAGLE was downloaded from http://{blocked}/img/2.jpg! Curiosity kicked in and I'm in hyper mode…


    After some googling, I confirmed that the packer used in this WORM_BAGLE variant (UpolyX) is a polymorphic UPX scrambler. There you go: polymorphic!


    After a while I downloaded the file again from the same URL. Guess what, I now have a new WORM_BAGLE variant.

    So this may mean one of two things:



    1. From time to time a batch file may be automatically replacing the uploaded file at http://{blocked}/img/2.jpg with a repacked version of the file. Since its packer is UpolyX, each repack changes its appearance.
    2. The malware writer may manually repack his WORM_BAGLE and manually replace the file uploaded to the said site.

    Either way, the packer, UpolyX, is one of the reasons why there are so many variants floating around.

    Another thing: the filename of the trojan mass-mailed by WORM_BAGLE also changes.

    The ones we are currently receiving have the filename 19_09.exe, while the one I downloaded from the site carries a trojan with the filename 20_09.exe. Anyone see a pattern?

    The batch file I mentioned in number one may also be responsible for auto-renaming the trojan with the current date.

    • 19_09.exe – September 19
    • 20_09.exe – September 20


    Update
    So after downloading the files, here's what I got…



    • Four (4) variations of WORM_BAGLE.DA (Undetected)
    • Four (4) variations of TROJ_BAGLE.DA (3 Detected and 1 Undetected)
    • One (1) TROJ_DLOADER.ACT (Undetected)


    Each TROJ_BAGLE.DA is embedded in a WORM_BAGLE.DA, so the 4 different worms also carry 4 different trojans.

    MD5 hashes of the files are listed below.



    • 2B855271E01342FD7ED6E0A2A6042947 2.jpg – WORM_BAGLE.DA
    • 33E8E59AA5773978E4E9AA1B0DB28A4E 20_09.exe – DETECTED AS TROJ_BAGLE.DA
    • 07BE19293429F833C284A1D96448E8DE 2.jpg – WORM_BAGLE.DA
    • AAD4A3C6E090E2687320F19E4F3F8034 19_09.exe – TROJ_BAGLE.DA
    • 8F2CF4AAE13C4F8588E92B97D522CD1C 2.jpg – WORM_BAGLE.DA
    • 555573598640743DDE5C2DF992E5CBE3 02.exe – DETECTED AS TROJ_BAGLE.DA
    • 9E6F3B0BA3D101CED7A3B0861B69865E 2.jpg – WORM_BAGLE.DA
    • 2E5E131E4D5A6500B94F68D1C11FFCC5 09.exe – DETECTED AS TROJ_BAGLE.DA
    • 609883018B90A6F4D36641F4D7F482F3 osa6.gif – TROJ_DLOADER.ACT


    Note: By different, I mean the hex view (different because of the UpolyX packer). The behavior of the four files is the same.
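The list above is the practical lesson of this post: four WORM_BAGLE.DA samples with identical behaviour but four different MD5s, because the packer rewrites the bytes on every repack. The following Python is an added example (not code from the post or from Trend Micro) that loads the nine hashes exactly as listed, answers the questions a responder asks of such a list (is this digest known, how many distinct hashes per family, how many were detected at the time), and parses the DD_MM.exe naming the post observed. The "DETECTED AS" wording is taken from the list as the only detected/undetected signal the post gives; the sample bytes hashed at the end are constructed.

```python
import hashlib
import re
from collections import defaultdict

# The nine samples listed in the post, copied as written there:
# (MD5, filename, label). Labels starting with "DETECTED AS" are the
# ones the post marks as detected at the time of writing.
IOC_TABLE = [
    ("2B855271E01342FD7ED6E0A2A6042947", "2.jpg", "WORM_BAGLE.DA"),
    ("33E8E59AA5773978E4E9AA1B0DB28A4E", "20_09.exe", "DETECTED AS TROJ_BAGLE.DA"),
    ("07BE19293429F833C284A1D96448E8DE", "2.jpg", "WORM_BAGLE.DA"),
    ("AAD4A3C6E090E2687320F19E4F3F8034", "19_09.exe", "TROJ_BAGLE.DA"),
    ("8F2CF4AAE13C4F8588E92B97D522CD1C", "2.jpg", "WORM_BAGLE.DA"),
    ("555573598640743DDE5C2DF992E5CBE3", "02.exe", "DETECTED AS TROJ_BAGLE.DA"),
    ("9E6F3B0BA3D101CED7A3B0861B69865E", "2.jpg", "WORM_BAGLE.DA"),
    ("2E5E131E4D5A6500B94F68D1C11FFCC5", "09.exe", "DETECTED AS TROJ_BAGLE.DA"),
    ("609883018B90A6F4D36641F4D7F482F3", "osa6.gif", "TROJ_DLOADER.ACT"),
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# The DD_MM.exe naming the post noticed (19_09.exe -> September 19).
DATED_NAME_RE = re.compile(r"^(\d{2})_(\d{2})\.exe$", re.IGNORECASE)


def normalize_md5(digest):
    """Lower-case an MD5 hex digest and reject anything that is not 32 hex chars."""
    digest = digest.strip().lower()
    if not MD5_RE.match(digest):
        raise ValueError("not an MD5 hex digest: %r" % digest)
    return digest


def split_label(label):
    """'DETECTED AS TROJ_BAGLE.DA' -> ('TROJ_BAGLE.DA', True); plain names -> (name, False)."""
    prefix = "DETECTED AS "
    if label.startswith(prefix):
        return label[len(prefix):], True
    return label, False


def build_index(table=IOC_TABLE):
    """Map normalized MD5 -> (filename, family, detected)."""
    index = {}
    for md5, filename, label in table:
        family, detected = split_label(label)
        index[normalize_md5(md5)] = (filename, family, detected)
    return index


def md5_of_bytes(data):
    """Digest of a file's bytes, in the same form the index uses."""
    return hashlib.md5(data).hexdigest()


def lookup(digest, index=None):
    """Exact-hash match: returns the record or None. A repack defeats this."""
    index = build_index() if index is None else index
    return index.get(normalize_md5(digest))


def hashes_per_family(index=None):
    """Family -> list of distinct MD5s; WORM_BAGLE.DA alone has four."""
    index = build_index() if index is None else index
    families = defaultdict(list)
    for md5, (_, family, _) in index.items():
        families[family].append(md5)
    return dict(families)


def coverage(index=None):
    """Family -> (distinct hashes, how many the post marks as detected)."""
    index = build_index() if index is None else index
    totals = defaultdict(lambda: [0, 0])
    for _, family, detected in index.values():
        totals[family][0] += 1
        totals[family][1] += int(detected)
    return {family: tuple(counts) for family, counts in totals.items()}


def parse_dated_filename(name):
    """'19_09.exe' -> (19, 9); None when the name does not follow DD_MM.exe."""
    m = DATED_NAME_RE.match(name)
    if not m:
        return None
    day, month = int(m.group(1)), int(m.group(2))
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return None
    return day, month


if __name__ == "__main__":
    for family, md5s in sorted(hashes_per_family().items()):
        print(family, len(md5s), "distinct MD5s, coverage", coverage()[family])
    # Constructed bytes standing in for a freshly repacked sample: no hash match.
    print(lookup(md5_of_bytes(b"constructed repacked sample")))
```

The coverage numbers reproduce the post's own tally (WORM_BAGLE.DA 4 of 4 undetected, TROJ_BAGLE.DA 3 of 4 detected), and the final lookup shows why a hash blocklist alone cannot keep up with a polymorphic packer: behaviour-based detection or unpacking before matching is needed.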

    Posted in Bad Sites


    Sep 27, 11:16 am (UTC-7)

    A new batch of Mytob link emails is currently spreading. It uses the same technique as the one posted a while back.

    The link which is found on the emails spread by Mytob downloads a file named Confirmation.pif.

    This file is actually a self-extracting RAR archive containing a malware package. Some of the files included are the WORM_MYTOB that spreads the email and a BOT malware.

    According to a report by Mark Toshack of MessageLabs, this new Mytob also installs adware from http://{blocked}.matcash.com. It is said that the author gets $0.15 each time the adware program is installed.


    Posted in Bad Sites




    Just some additional info on WORM_BAGLE.DA.

    After the Bagle storm yesterday, we were still receiving reports that new Bagle variants were being seen. So we decided to again download the links found in WORM_BAGLE, TROJ_BAGLE and TROJ_DLOADER. I didn't find a new Bagle variant, although I'm still downloading from the links; what I found instead is a completely different thing.

    Among the WORM_BAGLE.DA download links, there are 8 that connect to a web.php; 2 links were already down while the other 6 downloaded successfully.

    http://{blocked}/web.php

    Inside the file web.php are the email addresses used by WORM_BAGLE in its FROM field. This may also be the reason why I couldn't simulate the email propagation of the worm, since I tested it in an environment without an internet connection. Each download link uses a different domain and name.

    On one web.php:



    • tom@atomate.com
    • tom@atomco.com
    • tom@atomcreation.com
    • tom@atomdigitaldesign.co.uk
    • tom@atomic.com.au
    • tom@atomic4.com
    • tom@atomicamps.com
    • tom@atomicblender.com
    • tom@atomicdesign.tv
    • tom@atomicdesigninc.com
    • tom@atomicdog.com
    • tom@atomicmarketing.com
    • tom@atomicspatula.com


    and on another:



    • shkim301@korea.com
    • shkim303@ktsolution.co.kr
    • shkim303@ktsolutions.co.kr
    • shkim304@hanmail.net
    • shkim304@samsung.co.kr
    • shkim3057@hanmail.net
    • shkim30@daewoo.com
    • shkim30@famecs.co.kr
    • shkim30@hanmail.net


    yet on another:



    • kathleen@kent.net
    • kathleen@kenwoodcc.net
    • kathleen@keogh.net.au
    • kathleen@kephart.net
    • kathleen@keplers.com
    • kathleen@keromail.com
    • kathleen@kerraisle.com
    • kathleen@kerstondesignteam.com
    • kathleen@kertzmanweil.com

    Also, WORM_BAGLE.DA downloads a file from the link http://{blocked}/sss.php and saves it as re_file.exe. However, the link is still down at the moment.
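Because the forged sender addresses are fetched from web.php rather than carried in the worm, the served list itself is a useful artifact for mail filtering: any message whose From address is on it deserves a closer look. The Python below is an added example (not code from the post or from Trend Micro) that extracts the addresses from a served body, summarizes how the list clusters by local part, and flags mail headers whose sender is on the list. The post does not give the exact format of web.php, so the sample body assumes one address per line, and the mail header lines are constructed; matching on a forged sender is an indicator to correlate with other signals, not proof that a message is worm-sent, since these are real people's addresses.

```python
import re

# Constructed stand-in for a web.php body; the real format is not given in the
# post, so one address per line (blank lines tolerated) is an assumption here.
SAMPLE_WEB_PHP = """\
tom@atomate.com
tom@atomco.com

tom@atomicdesign.tv
shkim301@korea.com
"""

# Constructed mail headers to run the check against.
CONSTRUCTED_FROM_LINES = [
    "From: Tom <tom@atomate.com>",
    "From: alice@example.org",
    "From: SHKIM301@korea.com",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(body):
    """Every address in the served list, lower-cased and de-duplicated, order kept."""
    seen = []
    for addr in EMAIL_RE.findall(body):
        addr = addr.lower()
        if addr not in seen:
            seen.append(addr)
    return seen


def local_parts(addresses):
    """Count addresses per local part; a harvested list clusters on one name."""
    counts = {}
    for addr in addresses:
        local = addr.split("@", 1)[0]
        counts[local] = counts.get(local, 0) + 1
    return counts


def from_header_address(header_line):
    """'From: Tom <tom@atomate.com>' -> 'tom@atomate.com'; None if no address."""
    m = EMAIL_RE.search(header_line)
    return m.group(0).lower() if m else None


def flag_spoofed_senders(from_lines, served_body):
    """Return the From lines whose address appears in the served sender list."""
    known = set(extract_addresses(served_body))
    return [line for line in from_lines if from_header_address(line) in known]


if __name__ == "__main__":
    addrs = extract_addresses(SAMPLE_WEB_PHP)
    print(len(addrs), "addresses, by local part:", local_parts(addrs))
    for line in flag_spoofed_senders(CONSTRUCTED_FROM_LINES, SAMPLE_WEB_PHP):
        print("sender on served list:", line)
```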

    Posted in Bad Sites





    Lately we have been finding some malware wherein a fast-spreading WORM like REATLE is carrying a VIRUS in its body.

    I don't know if this is something old or new, but all I can think of is that this technique of a WORM with a VIRUS may be used by some malware authors to increase the infection rate of their viruses. Please see below:



    • A WORM is created by malware author
    • Malware Author infects the WORM with a VIRUS
    • WORM is spread carrying with it the VIRUS
    • Upon execution of the WORM, the VIRUS also infects other files in the system.


    This way the VIRUS carried by the WORM can infect more files while getting a free ride across networks via its WORM, where it can again infect other files.

    Posted in Bad Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved.