Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    June 2013
    S M T W T F S
    « May    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
    • About Us
    Trendlabs Security Intelligence > File Infector Uses Domain Generation Technique Like DOWNAD/Conficker

    Trend Micro has received reports from users about a new, dangerous file infector. This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet.

    Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute.

    Click for larger view

    According to Escalation Engineer Alvin Bacani, whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to the said domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated and even if one or more domains are taken offline, others can take its place.

    Click for larger view Click for larger view

    Systems that are infected and synchronized to the current UTC date and time will compute and contact the same set of domain names.

    Based on PE_LICAT.A’s code, the downloaded files are first validated before executed, which is the same technique WORM_DOWNAD employed. Users whose systems have been infected are at risk of downloading more malicious files onto their systems every time PE_LICAT.A is executed.

    Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™,  which detects and blocks the said file infector from running. CTO Raimund Genes talks more about this protection in How Analyzing a New Virus Can Lead to Multiple Protections.

    Analysis of this threat is ongoing and further details will be provided when they become available.

    Update as of October 11, 2010 12:10 p.m. UTC

    PE_LICAT.A uses the domain generation algorithm to try and access a live URL. From our monitoring, PE_LICAT.A downloads TSPY_ZBOT.BYZ, a ZeuS variant. Even more interesting, apart from info-stealing routines, TSPY_ZBOT.BYZ also decrypts and executes a malware code in memory: PE_LICAT.A-O‘s. More information about this threat and its relation to ZeuS can be found in the blog entry, ZeuS Ups the Ante with LICAT.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, October 7th, 2010 at 1:55 am and is filed under Malware . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice