Author Archive - Trend Micro
Aug 9, 12:55 pm (UTC-7)

    We have received several reports and inquiries about the file infector PE_QUERVAR.B-O and its infected file, PE_QUERVAR.B. Both are getting some media attention, specifically in Europe, where reports have identified infections registering mostly in the Netherlands.

Its rapid spread can be explained by two things:

1. It infects files that users commonly use and share: MS Word (.doc, .docx), MS Excel (.xls, .xlsx), and .EXE (normal executable) files. Once a user opens an infected file, the malware automatically looks for other MS Word, MS Excel, and EXE files on the user’s computer to infect.
2. It targets drives that DO NOT have a System Volume Information folder. These are commonly mapped network drives and USB/removable drives. A shared drive therefore spreads the infection very quickly.

Once files are infected, QUERVAR renames them and changes the file extension to .SCR, but the file icon remains the same. If the file view is configured to hide file extensions and the user opens an infected file, nothing appears to happen and the original file is not opened.

Note that manually renaming the file back will not restore it. Infected files are also encrypted by QUERVAR, which makes cleaning and restoring them harder. While some are taking this as a sign that this is ransomware, our analysis so far has not shown that to be the case. We are not sure why these files are encrypted and are continuing to research that.
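A hunting check for the behaviour described above, added here as an example and not Trend Micro's code: it walks a directory tree (a mapped share or removable drive) for files carrying the .SCR extension whose content begins with a PE executable header, and reports whether the scan root lacks the System Volume Information folder the infector uses to pick its targets. The PE-header test is an assumption based on .SCR files being Windows executables; the sample tree is constructed inline.

```python
import os
import tempfile

PE_MAGIC = b"MZ"                      # DOS/PE executable header
SVI = "System Volume Information"     # present on fixed Windows volumes

def looks_like_drive_without_svi(root: str) -> bool:
    """True when the scan root has no 'System Volume Information' folder,
    i.e. it behaves like the removable or mapped drives QUERVAR prefers."""
    return not os.path.isdir(os.path.join(root, SVI))

def find_renamed_executables(root: str) -> list:
    """Return *.scr files under root whose content starts with the PE magic.
    A .scr file is an executable, so a 'document' that now carries this
    extension and an MZ header is a candidate infected file (assumption)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scr"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(2)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if magic == PE_MAGIC:
                hits.append(path)
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample share: one PE renamed to .scr, one .scr that is not
    an executable, and one untouched document (made-up layout, not real data)."""
    root = tempfile.mkdtemp(prefix="share_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.scr"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90" * 62)   # PE-looking stub: infection candidate
    with open(os.path.join(docs, "notes.scr"), "wb") as fh:
        fh.write(b"plain text, not a PE")    # wrong extension but not executable
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04")              # OOXML zip magic: untouched document
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    print("scan root lacks SVI folder:", looks_like_drive_without_svi(sample))
    for hit in find_renamed_executables(sample):
        print("candidate infected file:", hit)
```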

Trend Micro products detect both file infectors with Smart Scan Pattern 9.311.00, which automatically deletes PE_QUERVAR.B-O. Further updates will be posted in this blog entry.

    Update as of 6:28 PM PST

Trend Micro customers are encouraged to update their patterns to 9.313.00. This pattern restores files infected as PE_QUERVAR.B to a usable state.

    Update as of August 15, 3:59 PM PST

We saw reports that Citadel ZeuS variants were observed downloading QUERVAR. While we were unable to confirm this, we analyzed {BLOCKED}.{BLOCKED}.162.163, the IP address said to host QUERVAR and Citadel ZeuS. Based on our Smart Protection Network, we found that it also hosts Hermes (detected by Trend Micro as TROJ_GATAKA.AI), which is downloaded by QUERVAR. This leads us to conclude that certain variants of Citadel ZeuS, Hermes, and QUERVAR may come from a single threat actor.

    Trend Micro also blocks the related IP addresses.

    Update as of August 16, 10:48 PM PST

    The Hermes malware mentioned in the above update is now detected as BKDR_GATAKA.A.


    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

     


Aug 3, 4:17 pm (UTC-7)

Trend Micro researcher Lion Gu, together with other security researchers belonging to the China Education and Research Network Computer Emergency Response Team (CCERT), has written a white paper titled Investigating China’s Online Underground Economy, a comprehensive look into the cybercrime underground in China. The result of months of hard work, research, and thorough analysis, the paper describes the architecture, the targets, and the techniques of Chinese cybercriminals. (The English-language version of this paper was published by the University of California-San Diego’s Institute on Global Conflict and Cooperation.)

As Martin Roesler, director for Threat Research, noted, what is clear from the paper is that the Chinese cybercrime underground has adapted to local conditions. For example, online gamers are at particular risk in China. Many Chinese users lack access to online banking (due to financial constraints), which makes banking fraud unpopular. However, many of these same users spend money on online games, which makes attacks against them much more common.

Roesler also notes that mobile users are at added risk. Many Internet users in China have no fixed Internet access at home, relying instead on mobile access. This means that in China, mobile malware is far more important than it is in other regions. Because other mobile platforms are relatively unavailable there, Android devices are at particularly high risk in China.

One thing that the Chinese underground market has in common with other regions is its growth. Not only did we see growth in the number of participants and posts made in popular forums; we also saw considerable interest in underground forums in the tutoring of would-be attackers by older, more experienced criminals.

This degree of knowledge and understanding of the cybercrime underground provides Trend Micro with additional information that is useful in providing comprehensive and timely threat protection. Our researchers and engineers routinely monitor the global cybercrime underground, providing improved threat intelligence for all Trend Micro users.

    We shall be discussing these, and many more findings, in the next few days.

Posted in Bad Sites, Hacked Sites, Malware


Jun 5, 12:26 pm (UTC-7)

    On Sunday, Microsoft issued Security Advisory 2718704 which announces an update that revokes the trust of two Microsoft-issued intermediate Certificate Authority (CA) certificates for all currently supported versions of Windows. The certificates revoked are:

    • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
    • Microsoft Enforced Licensing Registration Authority CA (SHA1)

As outlined in Microsoft’s initial advisory, analysis of the Flame attack has shown that these certificates were used to issue unauthorized digital certificates, which attackers then used to make components of the Flame attack appear to be signed by Microsoft. This made the malware components falsely appear to be code from Microsoft, and it appears to have played a role in infecting systems through a man-in-the-middle (MitM) attack against Microsoft’s Windows Update mechanism.

    While we and others have said that the Flame attack is limited and not a broad threat to customers, the ability to sign malicious code with these certificates and bypass security checks does represent a potential, broad threat. While there is no indication at this time that other attacks have used these certificates to make malware look legitimate, it is a very real possibility that this could happen in the future.

We are urging all customers to deploy the updates associated with Microsoft Security Advisory 2718704 as soon as possible. This update will invalidate these certificates and flag any code signed by them, including possible malware, as untrusted.

    As of Monday evening, Microsoft has also indicated on their blog that they will be issuing an additional update in the future to provide additional protections for the Windows Update mechanism against man-in-the-middle attacks. We urge all customers to make preparations now so that when this update is available, it can be deployed as soon as possible.

While there is no indication of broad attacks utilizing either the fraudulent digital certificates or man-in-the-middle attacks against Windows Update, these are very serious issues with the potential to be utilized for broad attacks. Customers should deploy the update available now as soon as possible, and the forthcoming update as soon as it is released.

As we have noted, Trend Micro customers are protected against the Flame malware. In addition to deploying these updates as soon as possible, customers should ensure their Trend Micro products are running the latest updates and signatures to help ensure the broadest protection against any attempts to use these mechanisms in attacks.

    As always, we will provide new information to customers as we find it on our blog.

Posted in Vulnerabilities


May 31, 2:11 pm (UTC-7)

    In our recent post about the Flame malware, we promised to update you with information from our ongoing investigation. Today we wanted to give you the latest information on the threat itself, protections available for Trend Micro customers and results from our analysis so far. In a nutshell, while Flame is a very interesting piece of malware, it’s not a broad threat.

Flame has been in the news these past few days, but it is noteworthy because of the nature of the malware and what appear to be its very limited and specific targets. Flame right now is not a significant threat to users more broadly. Information from our Smart Protection Network™ and our work with customers show actual numbers of infections to be extremely low and confined to the Middle East and Africa regions.

    The threat from Flame is lessened even more for Trend Micro customers because they are protected against the attack both through current signatures (which detect the malware as WORM_FLAMER.A and the configuration files as TROJ_FLAMER.CFG) and URL blocking of identified command and control (C&C) servers.

In terms of analysis, our focus is on protecting Trend Micro customers, so our ongoing analysis is focused on identifying additional C&C servers, because these are geographically dispersed and can move. Interestingly, our analysis is showing C&C servers located primarily in Europe and Asia.

The malware itself is focused on stealing data and is very large, which makes thorough analysis slow. In this case, its size is due to the multi-faceted capabilities of the malware: it has been equipped with a variety of tools to accomplish its mission once it has made its way into the target network. Some of the components it includes date back to 2009.

    As Rik Ferguson also noted, the malware is also unusual because it appears to be written in the Lua programming language which is often used as a scripting language by game developers (and not typically used for malware).

Our analysts are continuing to work to understand all the components in this malware, particularly to continue adding URL blocking as new C&C servers are identified. While Flame itself does not represent a broad risk right now, there is a risk that the malware will be taken up by others and repurposed for broader attacks, as we have seen with other attacks of this kind, such as Stuxnet. Our worldwide teams are watching for that and, if we see it, will add protections and provide information for Trend Micro customers on this blog as soon as possible.

    Update as of June 1, 2012 3:17 AM PST

    Trend Micro protects enterprises from the malicious network packets related to FLAME via Trend Micro Deep Discovery.

    Update as of June 4, 2012 2:49 AM PST

Trend Micro has been protecting users against the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released in September 2010) and MS10-046 via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released in July and August 2010).

    Update as of June 4, 2012 7:21 PM PST

    Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as Windows Mobile 6, 7, and 7.5 users are advised to run Microsoft Update to download and install the security update from Microsoft.

Posted in Malware, Targeted Attacks


May 29, 5:02 pm (UTC-7)

We were alerted to reports about the info-stealing malware Flame, which has reportedly been seen in Iran and certain other countries since 2010. Dubbed the most sophisticated malware, Flame is capable of performing several information-stealing techniques, including capturing screenshots and recording audio via the affected computer’s microphone. Because of its scope and specific targets, Flame has drawn comparison to other notorious threats such as Stuxnet. Stuxnet, malware that surfaced in 2010, targets SCADA systems.

Trend Micro detects the Flame malware as WORM_FLAMER.A. In our ongoing analysis, we have found that this worm spreads via removable drives. It is also capable of spreading to other computers in a local network once one machine within that network is infected. Other significant routines of this worm include terminating running processes (mostly anti-malware, firewall, and other security software), capturing screenshots and recording audio, propagating, and logging and reporting its activities.

    Trend Micro protects users from WORM_FLAMER.A by detecting and removing it from affected computers. The configuration files, TROJ_FLAMER.CFG, used by this worm are also detected and removed from systems. We will regularly update you in succeeding blog entries as we find more results in our investigation.

    Update as of May 29, 2012, 8:54 PM PST

In addition to detecting WORM_FLAMER.A and its configuration files, Trend Micro also blocks access to all related URLs found as we move forward with our investigation.

    Update as of June 5, 2012, 1:02 AM PST

Trend Micro has been protecting users against the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released in September 2010) and MS10-046 via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released in July and August 2010).

Moreover, as more components are uncovered in relation to Flame, new findings indicate that some of these components might be using certificates issued by Microsoft. To mitigate this risk, Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as Windows Mobile 6, 7, and 7.5 users, are advised to run Microsoft Update to download and install the security update from Microsoft.

Posted in Malware, Targeted Attacks


© Copyright 2013 Trend Micro Inc. All rights reserved.