    TrendLabs Security Intelligence Blog
    Author Archive - Roddell Santos (Threats Analyst)




    In a previous post, we discussed how the rise in the number of Tor users was directly attributed to the Mevade malware. In this post, we look into the details of the Mevade malware and how it first arrived on user systems.

    The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different.

    Figure 1. TROJ_DLOADE.FBV file properties

    Figures 2 and 3. Signed legitimate file

    The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication.

    As for TROJ_DLOADE.FBV, we’ve found that the URLs it uses to access its C&C servers follow this pattern:

    • http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

    The IP addresses that host these C&C servers are located in Russia.
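    As an added example (not code from the original post), the following script turns the URL pattern above into a proxy-log check for TROJ_DLOADE.FBV beacons. The log format, domains and client addresses are constructed for illustration and are not real indicators.

```python
import re
from urllib.parse import urlparse

# Added example: flags proxy-log requests whose URL follows the TROJ_DLOADE.FBV
# C&C pattern described above,
#   http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}
# The domains, client addresses and log format are constructed, not real indicators.
CNC_PATH = re.compile(r"^/updater/[0-9a-f]{32}/[0-9]$", re.IGNORECASE)

def is_downloader_cnc_url(url: str) -> bool:
    """True if the URL is plain HTTP to some host and its path matches the pattern."""
    parts = urlparse(url)
    return parts.scheme == "http" and bool(parts.netloc) and CNC_PATH.match(parts.path) is not None

def scan_proxy_log(lines):
    """Return (client_ip, url) for each matching GET request.
    Assumed (constructed) line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, method, url = fields[1], fields[2], fields[3]
        if method == "GET" and is_downloader_cnc_url(url):
            hits.append((client_ip, url))
    return hits

# Constructed sample log: one true match, one with a two-digit suffix, one with
# only 31 hex characters, and an unrelated request to an /updater/ path.
SAMPLE_LOG = [
    "2013-09-05T10:00:01Z 10.0.0.12 GET http://updater.example.invalid/updater/0123456789abcdef0123456789abcdef/3 200",
    "2013-09-05T10:00:02Z 10.0.0.15 GET http://cdn.example.invalid/updater/0123456789ABCDEF0123456789ABCDEF/12 404",
    "2013-09-05T10:00:03Z 10.0.0.15 GET http://cdn.example.invalid/updater/0123456789abcdef0123456789abcde/1 404",
    "2013-09-05T10:00:04Z 10.0.0.20 GET http://www.example.com/updater/index.html 200",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible TROJ_DLOADE.FBV beacon from {client}: {url}")
```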

    Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected.

    Table 1. Countries affected by TROJ_DLOADE.FBV

    BKDR_MEVADE.A shows a different distribution, which highlights that TROJ_DLOADE.FBV is not just being used to distribute Mevade:

    Table 2. Countries affected by BKDR_MEVADE.A

    In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing adware and toolbars. Its distribution is more similar to the original downloader malware:

    Table 3. Countries affected by ADW_BPROTECT

    Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical.

    Table 4. Countries affected by BKDR_MEVADE.C

    How the malware arrives on the system, however, is still under investigation. We will update this blog should we find more information about the infection vector. In the meantime, users must observe best computing practices and avoid visiting unverified websites or downloading files from them, or from links in email, social media, etc. Always keep the system updated with the latest security patches. Trend Micro detects and deletes the malware cited in this blog entry.

    With analysis from Eduardo Altares, Alvin Bacani, and Marvin Cruz.




    Spoofing – whether of DNS, legitimate email notifications, IP addresses, or the address bar – is a common part of Web threats. We’ve seen several incarnations of it in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection.

    Header spoofing is when a URL appears to be downloaded from a certain domain, but in reality it is downloaded from a different and (very likely) malicious one. Unlike other spoofing techniques, this is done without any system or file modification. Instead, header spoofing is performed by modifying the network packet, in particular by adding the new domain to the request header once the malware has connected to the server and right before it sends the data. My colleague Jessa dela Torre mentioned this behavior in her research on the StealRat botnet.

    One interesting piece of malware that performs this is TROJ_RODECAP.SM. Figure 1 shows the GET request to the link http://www.google.com/d/conh11.jpg, as well as the header of the downloaded file.


    From the network traffic, it can be seen that the reply came from the host {BLOCKED}.104.93, which is located in Russia and is not connected to Google at all. Network administrators might therefore skip the traffic or regard it as harmless, because the purported requested link is on a legitimate domain and merely leads to an image file. This spoofing is a good way to cover up the communication between the malware and the remote server: it avoids rousing any suspicion and does not reveal itself to end users.

    As we mentioned earlier, this technique was used by the StealRat botnet which brought its own novel ways of sending spam. These incidents highlight how threat actors are coming up with new tools and techniques to evade detection by security vendors.
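    The mismatch described above, a Host header naming one domain while the connection goes to an address that domain never resolves to, is exactly what a network monitor can check for. The script below is an added example, not code from the post; RESOLVED stands in for a passive-DNS or resolver lookup, and every address and flow is constructed.

```python
import re

# Added example: defender-side check for the header spoofing described above.
# Each captured HTTP request's Host header is compared with the addresses that
# name actually resolves to; a flow whose server address is not among them is
# reported. RESOLVED is a constructed stand-in for a resolver/passive-DNS lookup.
RESOLVED = {
    "www.google.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.7"},
}

HOST_RE = re.compile(r"^Host:[ \t]*([^\s:]+)", re.IGNORECASE | re.MULTILINE)

def host_header(request_text: str):
    """Return the lower-cased Host header value (port stripped), or None."""
    m = HOST_RE.search(request_text)
    return m.group(1).lower() if m else None

def spoofed_host_flows(flows, resolved=RESOLVED):
    """flows: iterable of (client_ip, server_ip, raw_request).
    Returns one report entry per flow whose Host header does not belong to server_ip."""
    findings = []
    for client_ip, server_ip, request in flows:
        host = host_header(request)
        if host is None or host not in resolved:
            continue  # no Host header, or nothing to compare against
        if server_ip not in resolved[host]:
            findings.append({
                "client": client_ip,
                "server": server_ip,
                "claimed_host": host,
                "request_line": request.splitlines()[0],
            })
    return findings

# Constructed flows: the second claims www.google.com but was sent to an address
# that name never resolves to, the behaviour described for TROJ_RODECAP.SM.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "GET /images/logo.png HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("10.0.0.5", "192.0.2.93", "GET /d/conh11.jpg HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("10.0.0.9", "198.51.100.7", "GET /lib.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
]

if __name__ == "__main__":
    for f in spoofed_host_flows(FLOWS):
        print(f"{f['client']} -> {f['server']} claims Host {f['claimed_host']}: {f['request_line']}")
```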




    Online banking threats have been prevalent for many years, but recently they seem to be determined to expand beyond their usual targets. In the past few weeks and months, we’ve seen various attacks target Korean banks using various techniques.

    The latest attack we’ve found uses a Trojan that redirects users of various Korean banks to malicious phishing sites. It does this by modifying the system’s HOSTS file and redirecting users to an IP address located in Japan. We detect the Trojan responsible for this attack as TSPY_QHOST.QFB, while the related batch file (which actually modifies the HOSTS file) is detected as BAT_QHOST.QFB. (This technique has been used for many years by other banking threats.)
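    The HOSTS-file redirection described above leaves a visible trace on disk. The following added example (not code from the post) parses a Windows HOSTS file and flags entries that override a protected domain, or that point anywhere other than loopback; the HOSTS content and the bank domains are constructed.

```python
import ipaddress
import re

# Added example: parses a Windows HOSTS file and reports the kind of tampering
# described above, where bank host names are mapped to an attacker-chosen address.
# The HOSTS content and bank domains below are constructed for illustration.
ENTRY_RE = re.compile(r"^\s*(\S+)\s+([^#]+?)\s*(?:#.*)?$")

def parse_hosts(text: str):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        entries.extend((m.group(1), name.lower()) for name in m.group(2).split())
    return entries

def suspicious_hosts_entries(text: str, protected_domains):
    """Flag any override of a protected (e.g. bank) domain and, as a weaker
    signal, any entry that points somewhere other than loopback/unspecified."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in protected_domains:
            findings.append((name, ip, "protected domain overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((name, ip, "maps to non-loopback address"))
    return findings

HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.77      www.examplebank.co.kr      # constructed: planted by the batch file
192.0.2.77      banking.examplebank.co.kr
0.0.0.0         ads.example.net            # common ad-blocking entry, benign
"""
PROTECTED = {"www.examplebank.co.kr", "banking.examplebank.co.kr"}

if __name__ == "__main__":
    for name, ip, why in suspicious_hosts_entries(HOSTS_SAMPLE, PROTECTED):
        print(f"{name} -> {ip}: {why}")
```

The non-loopback rule will also surface legitimate intranet entries, so treat it as a lead to review rather than a verdict.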

    The malicious site looks like this:


    Figure 1. Page of malicious site

    The malicious site has an additional window in the middle.


    Figure 2. Additional window of malicious site

    The image roughly translates to:

    • Did you install the certificate of authentication in your PC (computer)?
    • Are you using the security card for identification?
    • You can safely use the Internet banking of WOORI-Bank if you obtain this security certificate.
    • You will move to the security verification page, if you click the following button.
    • Start Date: August – September Planned.

    Unsuspecting users might believe they do need to perform this verification and thus click the button. Initially, the user will be directed to the following page that will ask for their name and Korean resident registration number:


    Figure 3. Personal information is requested

    The following screen asks for more information such as their cell phone number, account number, account password, user ID, user password, and certificate password:


    Figure 4. Additional information is requested

    These phishing sites abuse the trust that users have in their banks to get financial and personal information from users. They are made to think that they are entering their information in the bank’s real online banking site, when in fact they are not. Instead, the information ends up in the hands of the attackers who created this malware. (The phishing site and associated malware are all detected by Trend Micro products.)

    While these may represent an evolution in terms of the chosen targets, the malware used is still not as sophisticated as what is typically used elsewhere. In addition, banking threats using various methods to steal information from Korean users have been seen multiple times recently.

    Banking threats in general were described in our crimeware paper last year. However, it is likely that we will see these more sophisticated threats hit these banks in the future.




    Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof.  Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers.

    Based on Smart Protection Network feedback, 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.


    Figure 1. Top affected countries

    Infection Chain

    The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files into the system’s temporary folder: an executable (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP). The executable modifies the Windows registry to lower the system’s security settings, and ultimately loads the .GIF file.

    The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, and file transfers, among others.

    The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator rights. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables them to modify the normal system file termsrv.dll. This .DLL is mainly used for remote desktop sessions. The malware replaces this file with %Temp%\update.gif.

    Malicious Component File Leads to Serious Security Compromise

    Based on code analysis, %Temp%\update.gif  is used to enable multiple concurrent remote desktop sessions in the affected system. But what does this mean to users?

    For security reasons, remote desktop sessions are normally limited to just one at a time. But %Temp%\update.gif creates its own user account (ADM123), which is set as a system administrator. Once the system has been set up for multiple sessions, the malware notifies its C&C server of the compromise. The remote malicious user then connects to the affected system using the ADM123 account and now has complete control over it, with the capability to perform more damaging commands on the infected machine. Trend Micro protects users from this threat by detecting and deleting the related malware if found on the system.

    Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game.

    This is the latest in a series of interesting developments in the Brazilian threat landscape, which has lately been troubled by a malicious “homemade” browser and other banking Trojans that give Bancos variants a run for their money.




    Noted for its stealth routines, PlugX and its developers now appear to be using several legitimate applications, in particular ones from Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

    PlugX variants are known for their use of normal applications to load their malicious .DLL components. This .DLL hijacking technique is not new; it was initially discussed by Mandiant in July 2010. PlugX is able to use any executable and has started to use well-known applications. The malware takes advantage of a weakness in how executables load .DLLs, specifically that an executable loads the first matching .DLL file it finds in a specific folder.

    Unfortunately, many applications – old and even new ones – still contain this vulnerability.

    The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions of the malware’s malicious .DLL. Since then, PlugX variants have been using other applications to hide their tracks from antimalware software.

    Below are some of the variants that use various normal files to load their malicious components:

    BKDR_PLUGX.DMI

    • uses HHC.EXE which is a legitimate Microsoft file for HTML Help
    • loads hha.dll, which then loads hha.dll.bak
    • both files are also detected as BKDR_PLUGX.DMI

    BKDR_PLUGX.AI

    • uses CamMute.exe which is a Lenovo software related to Camera Mute Control Service for ThinkPad
    • loads CommFunc.dll, which then loads CommFunc.jax
    • both files are also detected as BKDR_PLUGX.AI

    BKDR_PLUGX.AQT

    • uses Mc.exe which is a legitimate McAfee file
    • loads McUtil.dll, which then loads McUtil.dll.url
    • both files are also detected as BKDR_PLUGX.AQT
    • connects to the fake anti-malware site vip.{BLOCKED}ate.com

    Note that in each case, a specific DLL was paired with an executable. New to these variants is the loading of an encrypted file with the same file name plus an additional extension. Here is a code snippet that shows how the encrypted .DLL is loaded:


    Figure 1. Screenshot of PlugX code snippet
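    The three variants above share one on-disk layout: an executable, a DLL beside it, and a payload whose name is the DLL name with an extra or swapped extension. The following added example (not the post's or PlugX's code) searches a list of file paths for that layout; the directory listing is constructed, and only the file names are taken from the post.

```python
import ntpath
from collections import defaultdict

# Added example: scans file paths for the loader layout described above: an executable,
# a DLL next to it, and a payload whose name is the DLL name plus an extra extension
# (hha.dll -> hha.dll.bak, McUtil.dll -> McUtil.dll.url) or the DLL's stem with a
# swapped extension (CommFunc.dll -> CommFunc.jax). The listing below is constructed.
BENIGN_SIDECARS = {".pdb", ".lib", ".exp", ".xml", ".config", ".manifest", ".dll", ".exe"}

def _sidecar_extension(name: str, stem: str) -> str:
    """Part of name after the DLL stem, e.g. 'hha.dll.bak' with stem 'hha' -> '.dll.bak'."""
    return name[len(stem):].lower()

def side_load_candidates(paths):
    """Group paths by directory and return one finding per DLL that has at least one
    executable beside it and at least one same-stem sidecar with an unusual extension."""
    by_dir = defaultdict(list)
    for p in paths:
        directory, name = ntpath.split(p)  # ntpath handles Windows paths on any OS
        by_dir[directory].append(name)

    findings = []
    for directory, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        if not exes or not dlls:
            continue
        for dll in dlls:
            stem = dll[:-4]
            sidecars = [
                n for n in names
                if n.lower() != dll.lower()
                and n.lower().startswith(stem.lower() + ".")
                and _sidecar_extension(n, stem) not in BENIGN_SIDECARS
            ]
            if sidecars:
                findings.append({"dir": directory, "exes": exes, "dll": dll, "sidecars": sidecars})
    return findings

LISTING = [  # constructed listing; a benign app with a .pdb beside its DLL is the control case
    r"C:\ProgramData\HelpSvc\HHC.EXE", r"C:\ProgramData\HelpSvc\hha.dll", r"C:\ProgramData\HelpSvc\hha.dll.bak",
    r"C:\ProgramData\CamMute\CamMute.exe", r"C:\ProgramData\CamMute\CommFunc.dll", r"C:\ProgramData\CamMute\CommFunc.jax",
    r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", r"C:\Program Files\Vendor\helper.pdb",
]

if __name__ == "__main__":
    for f in side_load_candidates(LISTING):
        print(f"{f['dir']}: {f['dll']} beside {f['exes']} with payload(s) {f['sidecars']}")
```

A hit only says the layout is present; confirming it means checking whether the DLL is signed by the executable's vendor and whether the sidecar is really an encrypted blob.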

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice