TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    Our previous blog entry discussed the “destructive” FBI security advisory and an analysis about the WIPALL malware family and its direct connection to the massive Sony Pictures hack. In this blog post, we will further discuss other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees. Below is an overview of the infection chain to be discussed in this entry:

    BKDR64_WIPALL.F Disables McAfee’s Services

    The WIPALL variant BKDR_WIPALL.C shares the same coding as the previously discussed variant, BKDR_WIPALL.B. In the case of BKDR_WIPALL.C, the dropped copies are named igfxtrays{2 random characters}.exe, and the malware executes several copies of itself with specific parameters (-a, -m, -d, -s) that carry its main routines.

    Figure 1. Main malware routines of BKDR_WIPALL.C

    Notably, BKDR_WIPALL.C checks whether the infected system is 64-bit. If it is running on a 64-bit system, the malware drops kph.sys (the KProcessHacker driver) and its component ams.exe (detected as BKDR64_WIPALL.F).

    We noticed that BKDR64_WIPALL.F replaces McAfee’s real-time scanner, mcshield.exe, with another file located in its current directory, while the original mcshield.exe is moved to the system32 directory. In turn, when McAfee’s service starts, the replacement file is executed instead of the legitimate real-time scanner component, effectively disabling the antivirus.

    Figure 2. BKDR64_WIPALL.F obtains the Image Path of McShield.exe from the registry’s list of services: HKLM\CurrentControlSet\services\McShield

    Figure 3. BKDR64_WIPALL.F moves the legitimate mcshield.exe to the System32 folder and replaces it with another mcshield.exe located in the malware’s current directory

    BKDR64_WIPALL.F installs KProcessHacker as a driver service and uses it to terminate the following running processes related to McAfee’s antivirus application (also listed in the infection chain above). This is an added measure to ensure the malware’s smooth execution.

    • mcshield.exe
    • UdaterUI.exe
    • McTray.exe
    • shstat.exe
    • FrameworkService.exe
    • VsTskMgr.exe
    • mfeann.exe
    • naPrdMgr.exe

    Based on our analysis, BKDR64_WIPALL.F may have used a driver service because a kernel-mode driver has higher privilege than a typical user-mode application, which ensures that the processes will be terminated.

    Figure 4. BKDR64_WIPALL.F installs the KProcessHacker component (kph.sys) as a service driver

    Figure 5. BKDR64_WIPALL.F checks all running processes with the hardcoded list of processes related to McAfee antivirus applications

    Figure 6. It uses the KProcessHacker service driver as a device object to terminate the processes

    Tracing Back to #GOP

    Both this attack and the one we discussed in our previous blog entry were found to trace back to the hacker group named #GOP or “Guardians of Peace.”

    The BKDR_WIPALL.A infection chain (via its component BKDR_WIPALL.E) leads to an HTML file displaying the message with the files back.jpg and index.wav. All of these are encrypted and embedded in the component iissvr.exe (detected as BKDR_WIPALL.E).

    Similarly, the infection chain for BKDR_WIPALL.D (via its component BKDR_WIPALL.C) displays the #GOP message in an image file dropped as walls.bmp.

    Figure 7. Top: walls.bmp dropped by BKDR_WIPALL.C; bottom: scrolling message in an HTML file loaded by BKDR_WIPALL.E

    There have been reports linking these attacks to North Korea as the culprit, and some claim that the Sony hack may have been an inside job. While nothing is confirmed at the moment, we advise users to exercise vigilance in their online activities to ensure private data stays private.

    Read our timeline of events related to the Sony hack in our page: The Hack of Sony Pictures: What We Know and What You Need to Know.

    Analysis by Rhena Inocencio and Joie Salvio

    Related hashes:

    • D1C27EE7CE18675974EDF42D4EEA25C6 as BKDR_WIPALL.A
    • 760C35A80D758F032D02CF4DB12D3E55 as BKDR_WIPALL.B
    • E1864A55D5CCB76AF4BF7A0AE16279BA as BKDR_WIPALL.E
    • B80AA583591EAF758FD95AB4EA7AFE39 as BKDR_WIPALL.C
    • 2618dd3e5c59ca851f03df12c0cab3b8 as BKDR_WIPALL.D
    • 7E5FEE143FB44FDB0D24A1D32B2BD4BB as BKDR64_WIPALL.F


    Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:

    Posted in Bad Sites, Malware |

    TrendLabs engineers were recently able to obtain a malware sample of the “destructive malware” described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses last December 2. According to Reuters, the FBI issued a warning to businesses to remain vigilant against this new “destructive” malware in the wake of the recent Sony Pictures attack. As of this writing, the link between the Sony breach and the malware mentioned by the FBI has yet to be verified.

    The FBI flash memo titled “#A-000044-mw” describes an overview of the malware behavior, which reportedly has the capability to overwrite all data on the hard drives of computers, including the master boot record, which prevents them from booting up.

    Below is an analysis of our own findings:

    Analysis of the BKDR_WIPALL Malware 

    Our detection for the malware detailed in the FBI report is BKDR_WIPALL. Below is a quick overview of the infection chain for this attack.

    The main installer here is diskpartmg16.exe (detected as BKDR_WIPALL.A). BKDR_WIPALL.A’s overlay is encrypted with a set of user names and passwords as seen in the screenshot below:

    Figure 1. BKDR_WIPALL.A’s overlay contains encrypted user names and passwords

    These user names and passwords are encrypted with XOR 0x67 in the overlay of the malware sample and are then used to log into the network shares. Once logged in, the malware attempts to grant full access to everyone who will access the system root.
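As an added example (not code from this post or from Trend Micro), the Python below locates a PE's overlay from its section table and XOR-decodes it with 0x67 the way an analyst would recover such a list from a sample; the sample PE and the credentials it carries are constructed here, and the colon-separated one-credential-per-line layout is an assumption.

```python
from __future__ import annotations
import struct

XOR_KEY = 0x67  # single-byte key the post reports for BKDR_WIPALL.A's overlay


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the PE overlay starts.

    The overlay is everything past the last byte covered by a section's
    raw data, so walk the section table and keep the furthest end."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def decode_overlay(pe: bytes, key: int = XOR_KEY) -> list[tuple[str, str]]:
    """XOR the overlay with the key and split it into (user, password) pairs.

    The one-credential-per-line, colon-separated layout is an assumption
    made for this example; the post only states the XOR key."""
    blob = bytes(b ^ key for b in pe[overlay_offset(pe):])
    creds = []
    for line in blob.split(b"\n"):
        line = line.strip(b"\r\0")
        if b":" in line:
            user, _, password = line.partition(b":")
            creds.append((user.decode("latin-1"), password.decode("latin-1")))
    return creds


def build_sample(creds: list[tuple[str, str]], key: int = XOR_KEY) -> bytes:
    """Constructed stand-in for a sample: a minimal one-section PE32 with an
    XOR-encoded credential list appended as its overlay. Not real malware."""
    pe_off = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    opt = bytes(224)                                  # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x10, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    image = headers.ljust(0x400 + 0x200, b"\0")       # pad through the section data
    plain = "\n".join(f"{u}:{p}" for u, p in creds).encode("latin-1")
    return image + bytes(b ^ key for b in plain)


if __name__ == "__main__":
    sample = build_sample([("admin", "Passw0rd!"), ("svc_backup", "Winter2014")])
    print("overlay at", hex(overlay_offset(sample)))
    for user, password in decode_overlay(sample):
        print(f"{user} -> {password}")
```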

    Figure 2. Code snippet of the malware logging into the network

    The dropped net_var.dat contains a list of targeted hostnames:

    Figure 3. Targeted host names

    The next related malware is igfxtrayex.exe (detected as BKDR_WIPALL.B), which is dropped by BKDR_WIPALL.A. It sleeps for 10 minutes (or 600,000 milliseconds as seen below) before it carries out its actual malware routines:

    Figure 4. BKDR_WIPALL.B (igfxtrayex.exe) sleeps for 10 minutes

    Figure 5. Encrypted list of usernames and passwords also present in BKDR_WIPALL.B

    Figure 6. Code snippet of the main routine of igfxtrayex.exe (BKDR_WIPALL.B)

    This malware’s routines, aside from deleting users’ files, include stopping the Microsoft Exchange Information Store service. After it does this, the malware sleeps for another two hours. It then forces the system to reboot.

    Figure 7. Code snippet of the force reboot

    It also executes several copies of itself named taskhost{random 2 characters}.exe with the following parameters:

    • taskhost{random 2 characters}.exe -w – to drop and execute the component Windows\iissvr.exe
    • taskhost{random 2 characters}.exe -m – to drop and execute Windows\Temp\usbdrv32.sys
    • taskhost{random 2 characters}.exe -d – to delete files in all fixed or remote (network) drives

    Figure 8. The malware deletes all the files (format *.*) in fixed and network drives

    The malware components are encrypted and stored in the resource below:

    Figure 9. BKDR_WIPALL.B malware components

    Additionally, BKDR_WIPALL.B accesses the physical drive that it attempts to overwrite:

    Figure 10. BKDR_WIPALL.B overwrites physical drives

    We will be updating this post with our additional analysis of the WIPALL malware.

    Analysis by Rhena Inocencio and Alvin Bacani

    Update as of December 3, 2014, 5:30 PM PST

    Upon analysis of the same WIPALL malware family, its variant BKDR_WIPALL.D drops BKDR_WIPALL.C, which in turn drops the file walls.bmp in the Windows directory. The .BMP file is as pictured below:

    Figure 11. Dropped wallpaper

    This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase “hacked by #GOP.” Therefore we have reason to believe that this is the same malware used in the recent attack on Sony Pictures.

    Note that BKDR_WIPALL.C is also dropped under the name igfxtrayex.exe in the same directory as BKDR_WIPALL.D.

    We will update this blog entry for more developments.

    Additional analysis by Joie Salvio



    Just several hours after the news of the Bash vulnerability (covered under CVE-2014-7169) broke, it was reportedly already being exploited in the wild. This vulnerability can allow execution of arbitrary code, compromising the security of affected systems. Possible attack scenarios range from changing the contents of web server and website code, to defacing the website, to stealing user data from databases, among others.

    We spotted samples which are the payload of the actual exploit code. Detected as ELF_BASHLITE.A (also known as ELF_FLOODER.W), this malware is capable of launching distributed denial-of-service (DDoS) attacks. Some of the related commands it executes are:

    • PING
    • HOLD – pause or delay attack for a specified duration
    • JUNK – junk flooding
    • UDP – DDoS using UDP packets
    • TCP – DDoS using TCP packets
    • KILLATTK – terminate attack thread
    • LOLNOGTFO – terminate bot

    It also has the capability to do brute force login, enabling attackers to possibly get the list of login usernames and passwords. Based on our analysis, ELF_BASHLITE.A also connects to a C&C server, 89[dot]238[dot]150[dot]154[colon]5.


    Figure 1. Threat infection diagram (Click image to enlarge)

    Below is the screenshot of the code depicting the arrival of malware on a system:


    As discussed in our earlier post, the severity of this vulnerability is serious given that web servers are mostly affected. The vulnerability also poses risks to Internet of Everything/Internet of Things devices that run Linux (and Bash). It was also reported to affect Bitcoin/Bitcoin mining, so attackers may potentially build armies of bots through it.

    The related hash for this attack is 0229e6fa359bce01954651df2cdbddcdf3e24776.

    Trend Micro Solutions for Shellshock:

    The Trend Micro Smart Protection Network protects users from the BASHLITE variant mentioned above. We will continuously monitor for any other exploits abusing this vulnerability. On the other hand, attempts to exploit the Shellshock vulnerability on the network can be detected via the following Deep Discovery rule:

    • 1618 – Shellshock HTTP REQUEST

    Other Trend Micro products (Trend Micro OSCE, IWSVA and Titanium) detect this as CVE-2014-6271-SHELLSHOCK_REQUEST.

    In addition, Trend Micro Deep Security protects users from this Bash vulnerability through the following DPI rule:

    • 1006256 – GNU Bash Remote Code Execution Vulnerability
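The following Python scanner is an added example, not the rule logic of any Trend Micro product: it flags the Bash function-definition prefix that Shellshock requests carry in HTTP header values (and in the URL-decoded request line) over constructed sample requests, which is the same pattern the network rules above alert on.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Bash imports a function from any environment variable whose value begins
# with "() {"; CGI handlers copy request headers (User-Agent, Cookie,
# Referer, ...) into such variables, so that prefix in a header value is the
# signature to alert on. Whitespace between the tokens is optional.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into (request-line, {header-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def shellshock_hits(raw: str) -> list[str]:
    """Return the names of the request fields whose value carries the prefix.

    Values are URL-decoded first so an encoded %28%29%20%7B is caught too."""
    request_line, headers = parse_request(raw)
    hits = []
    if SHELLSHOCK_RE.search(unquote(request_line)):
        hits.append("request-line")
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(unquote(value)):
            hits.append(name)
    return hits


# Constructed sample traffic: one ordinary request and one probe whose
# injected command is the harmless /bin/true.
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
         "User-Agent: () { :; }; /bin/true\r\n"
         "Referer: () {:;}; /bin/true\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, "->", shellshock_hits(req) or "clean")
```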

    Other users who want to check whether they are affected should try our free protection for Shellshock. We’ve also released a browser extension and device scanners to protect users’ browsers and devices against the risks posed by the Bash bug vulnerability. These tools scan devices to detect whether they have been affected by the bug.

    The Latest Developments on Shellshock: 

    We have monitored the developments around this topic and documented them here:

    We are currently doing further research analysis on this topic and will update our blog for developments.  Users can also read more on this in our Simply Security blog.

    With additional analysis from Rhena Inocencio, Karla Agregado, Serafin Lago, Alvin Bacani, Kim Sotalbo, Joie Salvio, and Erwina Dungca. 

    Update as of 1:38 PM, September 26, 2014

    We spotted two malware payloads of the exploit code, one of which is detected by Trend Micro as PERL_SHELLBOT.WZ. When executed, it connects to the IRC server, fbi[dot]bot[dot]nu[colon]5190, where it receives several commands from an attacker. Some of the commands it accepts include:

    • cback – Execute a remote shell (/bin/sh or cmd.exe)
    • download – Download from a URL and save to a specified file
    • portscan – Scans an IP address for the following ports
    • join – Join a channel
    • part – Leave a channel
    • rejoin – Leave and rejoin a channel

    Another payload is detected as ELF_BASHLET.A, which connects to 27[DOT]19[DOT]159[DOT]224[COLON]4545, where it waits for commands from a malicious attacker.



    Figure 1. Motto taken from the InstallBrain website (screenshot taken on July 3, 2014)

    “Monetize On Non-buyers” is the bold motto of InstallBrain—adware that turns out to have been developed by an Israeli company called iBario Ltd. This motto clearly summarizes the potential risks adware companies can introduce to users, especially when they install stuff on systems without their consent.

    Adware is often perceived as low-risk because it usually only displays unwanted pop-up and pop-under advertisements. However, it can pose serious security risks when adware companies use it to load malware onto systems where their adware has been installed. Our latest research paper, On the Actors Behind MEVADE/SEFNIT, shows that iBario’s InstallBrain adware installed MEVADE/SEFNIT Trojans on a significant number of systems in 2013.

    One of the major threat stories in 2013 was the sudden and dramatic increase of Tor users. In August 2013, the number grew from a million to five million users. Fox-IT was the first to publish the cause of the spike: the MEVADE/SEFNIT malware downloaded a Tor component related to its command-and-control (C&C) communications. This malware does click fraud and Bitcoin mining.

    Microsoft was the first to point out the InstallBrain-SEFNIT connection—a connection also seen by Trend Micro. iBario Ltd removed the brand name Installbrain from its corporate website and replaced it with Unknownfile, which basically is just a successor of Installbrain. Feedback from Trend Micro’s Smart Protection Network shows that there are InstallBrain detections in about 150 countries—a clear indication of how widespread this adware is.

    Adware Company Hosts Malware

    In recent media interviews, iBario described itself as an entirely Israel-based company with an estimated worth of US$100M. The 9-figure number is probably an exaggeration, and we also believe that iBario outsources a lot of technical work to Ukraine, as there are clear links between iBario and Ukrainian contractors. In fact, we found the organizational chart of iBario Ukraine on the Internet, headed by the CTO of Installbrain.


    Figure 2. Organizational chart for iBario Ukraine; screenshot taken on June 20, 2014

    One interesting thing we noted is that while Mevade.C was widespread in more than 68 countries, even sparsely populated ones, there was virtually no infection in Israel. This is perhaps to avoid trouble with the local law enforcement.

    It becomes even more interesting when we found that a domain name of a Ukrainian contractor called Denis R, also known as Scorpion, had one of its hostnames pointing to the IP address of iBario’s source code repository. The said file repository hosted Sefnit malware in 2011, so there was Sefnit malware on the corporate source code repository of iBario in 2011. We cannot provide the exact details of this finding publicly, but we are willing to hand over proof to law enforcement partners.

    The fact that iBario’s Installbrain has installed Sefnit on systems, the presence of Sefnit malware in a code repository of iBario in 2011, and the links between iBario and several suspicious contractors from the Ukraine make us believe that iBario is involved with Sefnit.

    Gateway to Infection

    We believe that deceit, or any indication that a user has given no real consent to the download and installation of a file or to what that file is actually doing, is grounds for us in the security industry to block and detect a file as malware.

    InstallBrain is one real example of the risks of having adware on user systems, and of how attractive and beneficial it can become for adware companies to abuse their access to user computers—to the point of discreetly downloading malware. In this case, the downloaded malware takes over computers to commit click fraud or to mine bitcoins.

    For more information about the threat actors, download our research paper On the Actors Behind MEVADE/SEFNIT.

    Update as of 10:26 AM, August 8, 2014

    Since our research on this situation posted, Mike Peters, Co-Founder & General Manager at iBario LTD, has contacted us. Mr. Peters has claimed that the events related to the SEFNIT and MEVADE malware are due to the actions of a rogue contractor who was able to compromise their network and suborn their systems for malicious purposes without their knowledge. Mr. Peters has indicated that he has worked with Microsoft on this matter and they have both offered to provide additional information in this regard. We have told Mr. Peters that we would be happy to review any new information and make any updates based on additional analysis on this new data.


    Vulnerabilities, particularly zero-days, are often used by threat actors as the starting point for targeted attacks. This was certainly the case for a (then) zero-day vulnerability (CVE-2014-1761) affecting Microsoft Word. In its security advisory released last March, Microsoft itself acknowledged that the vulnerability was being used in “limited, targeted attacks.” Microsoft has since patched this vulnerability as part of its April Patch Tuesday.

    However, the existence of a patch has not deterred threat actors from exploiting this vulnerability. We are still seeing targeted attacks that leverage this particular vulnerability as part of their campaigns.

    The Taidoor Connection

    We came across two attacks that targeted government agencies and an educational institute in Taiwan. The first attack used an email with a malicious attachment supposedly sent by a government employee. The attachment used a title pertaining to a national poll to appear legitimate. The attachment is actually the exploit, detected as TROJ_ARTIEF.ZTBD-R. It drops a file detected as BKDR_SIMBOTDRP.ZTBD-R, which then drops two files — TROJ_SIMBOTLDR.ZTBD-R and TROJ_SIMBOTENC.ZTBD-R. These two files finally lead to the final payload, detected as BKDR_SIMBOT.SMC.

    Figure 1. Email sample

    The second attack targeted an educational institute, also in Taiwan. This run used an email attachment to gain access to the recipient’s computer and network. The email message discussed free trade issues, while the attachment had a title about a work project. Similar to the first case, the attachment is also an exploit, detected as TROJ_ARTIEF.ZTBD-PB. It drops a backdoor component detected as BKDR_SIMBOT.ZTBD-PB. Once executed, this malware can perform commands such as searching for files to steal, exfiltrating any file of interest, and performing lateral movement.

    Figure 2. Email sample

    We have determined that these two attacks have ties to the Taidoor campaign — active since 2009 — through their similar network traffic structure. The attacks described above have the same characteristics as previous runs in terms of targets, social engineering lures, and techniques used (exploiting a zero-day vulnerability).

    The PlugX Payload

    Another attack we saw used CVE-2012-0158 and targeted a mailing service in Taiwan. Just like the other attacks, this run uses an email attachment as the entry point to the network. The email attachment pretends to be a list about new books from a particular publishing house. This was done to try and pique the recipient’s interest.

    Figure 3. Email sample

    This attachment is actually the exploit detected as TROJ_ARTIEF.ZTBD-A  which drops a PlugX malware detected as TROJ_PLUGXDRP.ZTBD. It drops a file detected as BKDR_PLUGX.ZTBD, which has the capability to perform a wide range of information stealing routines, including:

    • Copy, move, rename, delete files
    • Create directories
    • Create files
    • Enumerate files
    • Execute files
    • Get drive information
    • Get file information
    • Open and modify files
    • Log keystrokes and active window
    • Enumerate TCP and UDP connections
    • Enumerate network resources
    • Set TCP connection state
    • Lock workstation
    • Log off user
    • Restart/Reboot/Shutdown system
    • Display a message box
    • Perform port mapping
    • Enumerate processes
    • Get process information
    • Terminate processes
    • Enumerate registry keys
    • Create registry keys
    • Delete registry keys
    • Copy registry keys
    • Enumerate registry entries
    • Modify registry entries
    • Delete registry values
    • Screen capture
    • Delete services
    • Enumerate services
    • Get service information
    • Modify services
    • Start services
    • Perform remote shell
    • Connect to a database server and execute SQL statements
    • Host Telnet server

    PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system.

    Employing Countermeasures

    Patching should remain a top priority for regular users and enterprises alike. Installing patches as soon as they are made available can help protect organizations against attacks that exploit vulnerabilities. Enterprises should also consider virtual patching, as it can help mitigate threats in the presence of zero-days and unsupported systems.

    Employee education is also a key element in protecting against targeted attacks. For email attacks that still get through, proper end-user training can help identify possible suspicious activity and/or emails. Users need to be taught to make their fellow employees aware of suspect e-mails in order to improve awareness and enhance defenses throughout the organization.

    Update as of May 23, 2014, 02:05 A.M. PDT

    The detections mentioned in the post have been renamed as follows:

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.



    © Copyright 2013 Trend Micro Inc. All rights reserved.