    Author Archive - Romeo Dela Cruz (Threat Response Engineer)

    The Andromeda botnet – first spotted in late 2011 – has recently resurfaced. This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code. Here is one spam message we saw recently:

    Figure 1. Sample spammed message

    Andromeda itself is highly modular, and can incorporate various modules, such as:

    • Keyloggers
    • Form grabbers
    • SOCKS4 proxy module
    • Rootkits

    As is typical of backdoors, it can download and execute other files such as ZeuS, and can update or remove itself on command. Andromeda itself is typically sold online for 300 to 500 US dollars, with each of the plugins above sold separately for an additional fee. The most recent version number we have identified is 2.60. Based on our Smart Protection Network feedback below, the countries most affected by this threat are Australia, Turkey, and Germany:

    Figure 2. Andromeda infection count from January to February 25, 2013

    Posted in Botnets, Malware



    In our 2013 Security Predictions, we predicted that conventional malware would focus mainly on refining existing tools rather than creating new threats. A perfect example is how the Blackhole Exploit Kit continually adapts to circumvent the security industry's countermeasures. True enough, we recently received reports of a Blackhole Exploit Kit (BHEK) run that incorporated an exploit (detected by Trend Micro as JAVA_ARCAL.A) targeting the recently patched CVE-2013-0431.

    This vulnerability was part of the run of Java zero-day incidents last January, which led Oracle to release an out-of-band security update to address the issue quickly. That release, however, raised some crucial questions.

    This particular BHEK run starts with spammed messages spoofing PayPal. When users click the item number in the message, they are sent through several redirecting sites until they reach the page hosting the obfuscated BHEK code. That code fingerprints the visiting system for the installed versions of Adobe Reader, Flash Player, and Java, and the result determines which exploit (and which payload) is downloaded onto the system.

    Figure 1. Sample spoofed PayPal email message

    In our testing, the BHEK code found a vulnerable version of Adobe Reader, so it downloaded and executed a malicious .PDF file (detected as TROJ_PIDIEF.MEX) that exploits CVE-2010-0188, an old Adobe Reader vulnerability.
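The version gating described above, reconstructed as an added example (this is not code from the post or from the kit): given the plugin versions a browser reports, it returns which of the two exploits named in this post the kit would have a match for, which is the same question a defender asks when checking a fleet's patch level. The vulnerable ranges are the editor's reading of the vendor advisories (Adobe Reader 8.x before 8.2.1 and 9.x before 9.3.1 for CVE-2010-0188; Java 7 before Update 13 for CVE-2013-0431), the probe order is an assumption, and the plugin inventory at the bottom is constructed.

```python
"""Added example: plugin-version gating of the kind a BHEK landing page performs
before choosing an exploit. Not the kit's code; ranges and probe order are
assumptions made by the editor, not facts stated in the post."""
import re

# (product, lowest vulnerable version inclusive, first fixed version exclusive, CVE)
# Ranges are the editor's reading of the vendor advisories, not data from the post.
VULNERABLE_RANGES = [
    ("reader", (8, 0, 0), (8, 2, 1), "CVE-2010-0188"),
    ("reader", (9, 0, 0), (9, 3, 1), "CVE-2010-0188"),
    ("java",   (7, 0, 0), (7, 0, 13), "CVE-2013-0431"),
    # The post names no Flash exploit, so "flash" deliberately has no entry.
]

# Order in which the landing page probes plugins (assumed; the post lists the
# three products without stating an order).
PROBE_ORDER = ("reader", "java", "flash")


def parse_version(product, text):
    """Normalize a plugin version string to a comparable (major, minor, patch) tuple.

    Java is reported either as '1.7.0_11' or as '7u11'; both become (7, 0, 11).
    Reader and Flash use plain dotted numbers, truncated to three components.
    """
    text = text.strip()
    if product == "java":
        m = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)", text)
        if m:
            return tuple(int(x) for x in m.groups())
        m = re.fullmatch(r"(\d+)u(\d+)", text)
        if m:
            return (int(m.group(1)), 0, int(m.group(2)))
        raise ValueError(f"unrecognized Java version {text!r}")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized {product} version {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def select_exploit(product, version_text):
    """CVE the kit would serve for this product/version, or None if it is patched."""
    version = parse_version(product, version_text)
    for prod, low, fixed, cve in VULNERABLE_RANGES:
        if prod == product and low <= version < fixed:
            return cve
    return None


def triage(plugins):
    """Walk the probe order and return [(product, cve), ...] for every match.

    plugins maps product -> version string; a missing key means the plugin is
    absent. The first element is what a kit that stops at its first hit serves.
    """
    hits = []
    for product in PROBE_ORDER:
        version = plugins.get(product)
        if version is None:
            continue
        cve = select_exploit(product, version)
        if cve is not None:
            hits.append((product, cve))
    return hits


if __name__ == "__main__":
    # Constructed inventory resembling the test machine in the post: an old
    # Reader alongside the last Java 7 build that CVE-2013-0431 affects.
    inventory = {"reader": "9.3.0", "java": "1.7.0_11", "flash": "11.5.502.146"}
    print(triage(inventory))  # [('reader', 'CVE-2010-0188'), ('java', 'CVE-2013-0431')]
```

The two Java formats matter in practice: the version a browser exposes through its plugin list and the one a software inventory tool records are often spelled differently, and a check that only understands one of them silently reports a vulnerable host as clean.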




    Expecting an online booking or package delivery confirmation? Just make sure to avoid these fake email messages serving BKDR_KULUOZ.PFG.

    This backdoor was first seen in the wild around April to June 2012 and is part of a well-known botnet. Recently, however, we have been noticing several spam variants carrying this malware, like the one below:

    Figure 1. Sample FedEx spammed message

    BKDR_KULUOZ arrives as an attachment (usually archived) to spammed messages that spoof well-known corporations. The spam variants we have seen recently include fake notifications from courier services such as FedEx and UPS (postal-themed) and from airline companies. Like most malware arriving via email, the BKDR_KULUOZ attachment is disguised as an everyday document, such as a .PDF (Adobe) or .DOC (Microsoft Word) file, to make it appear legitimate.

    Once the user extracts and runs the file, it drops and opens a .TXT file as a decoy, so that the unsuspecting user believes nothing harmful has happened on the system.

    Figure 2. Screenshot of the dropped .TXT file

    It then creates an svchost.exe process and injects a second PE file into it: a .DLL with an export named "work." Malware commonly injects its code into a legitimate process so that it is harder to terminate on the infected system. In addition, this backdoor performs the injection by mapping a section into the target process instead of using the usual WriteProcessMemory/CreateRemoteThread sequence, and it calls the following native (ntdll) APIs directly rather than the documented Win32 wrappers, which hinders debugging and evades monitoring that hooks only the documented functions:

    • “ZwCreateSection”
    • “ZwReadVirtualMemory”
    • “ZwMapViewOfSection”
    • “ZwUnmapViewOfSection”
    • “ZwResumeThread”

    The same technique has been seen in threats such as DUQU and Andromeda. Once running, this backdoor communicates with its command-and-control (C&C) server to send information and receive commands. As a result, the infected system is open to further attacks and is effectively under a remote attacker's control.
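One check a responder can run on a DLL recovered from a suspected BKDR_KULUOZ infection is to read its export table and look for the "work" export the post mentions. The following is an added example (not the malware's code and not Trend Micro's tooling) that walks the PE32/PE32+ export directory with only the Python standard library. Because no sample is on the page, it also builds a constructed fixture DLL with the same export layout to run against; the fixture's file name, section name and function addresses are placeholders chosen for the example.

```python
"""Added example: enumerate a PE's exported names and flag the 'work' export the
post attributes to the injected BKDR_KULUOZ DLL. Pure struct parsing, no pefile."""
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def pe_export_names(data):
    """Return the exported symbol names of a PE32/PE32+ image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory begins at +96 (PE32) or +112 (PE32+); entry 0 is the export table.
    dd_offset = {IMAGE_NT_OPTIONAL_HDR32_MAGIC: 96, IMAGE_NT_OPTIONAL_HDR64_MAGIC: 112}.get(magic)
    if dd_offset is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    export_rva = struct.unpack_from("<I", data, opt + dd_offset)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return []  # image has no export directory at all
    exp = _rva_to_offset(sections, export_rva)
    num_names = struct.unpack_from("<I", data, exp + 24)[0]  # NumberOfNames
    names_rva = struct.unpack_from("<I", data, exp + 32)[0]  # AddressOfNames
    names_off = _rva_to_offset(sections, names_rva)
    names = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        off = _rva_to_offset(sections, name_rva)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return names


def flag_suspicious_exports(data, watchlist=("work",)):
    """Names from the watchlist that the image actually exports ('work' is from the post)."""
    return [n for n in pe_export_names(data) if n in watchlist]


def build_fixture_dll(export_names, dll_name=b"fixture.dll"):
    """Constructed test fixture: a minimal PE32 DLL whose only content is an export
    directory. Function RVAs are dummies; only the name table is meaningful."""
    sec_va, sec_raw_ptr = 0x1000, 0x200
    n = len(export_names)
    encoded = [s.encode("ascii") + b"\0" for s in export_names]
    funcs_off = 40                      # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    str_off = ords_off + 2 * n
    name_rvas, cur = [], str_off + len(dll_name) + 1
    for e in encoded:
        name_rvas.append(sec_va + cur)
        cur += len(e)
    body = bytearray()
    body += struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + str_off, 1, n, n,
                        sec_va + funcs_off, sec_va + names_off, sec_va + ords_off)
    body += struct.pack(f"<{n}I", *([sec_va] * n))   # AddressOfFunctions (dummies)
    body += struct.pack(f"<{n}I", *name_rvas)        # AddressOfNames
    body += struct.pack(f"<{n}H", *range(n))         # AddressOfNameOrdinals
    body += dll_name + b"\0" + b"".join(encoded)
    vsize = len(body)
    body += b"\0" * (-len(body) % 0x200)              # pad to file alignment
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_va, vsize)   # export directory RVA and size
    sec = struct.pack("<8sIIIIIIHHI", b".edata\0\0", vsize, sec_va, len(body),
                      sec_raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    headers += b"\0" * (sec_raw_ptr - len(headers))
    return headers + bytes(body)


if __name__ == "__main__":
    sample = build_fixture_dll(["work", "DllGetClassObject"])
    print(pe_export_names(sample))          # ['work', 'DllGetClassObject']
    print(flag_suspicious_exports(sample))  # ['work']
```

An export name on its own is a weak indicator, so in practice this check is paired with the other behaviours the post describes (the dropped decoy .TXT, the svchost.exe child, and imports of the Zw* routines listed above) before a verdict is reached.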

    Posted in Botnets, Malware, Spam


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice