Analysis of the PE_LICAT.A file infector (first discussed in File Infector Uses Domain Generation Technique Like DOWNAD/Conficker) has revealed further information on this emerging threat.

We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O. (A main file infector is one that triggers the process of infecting files but is not infected itself.) It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory-resident. Second, any file executed afterward becomes infected with malicious code and is detected as PE_LICAT.A.
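As an added illustration (not code from the original post or from Trend Micro), the Python script below shows the kind of integrity check a defender can run against a file infector of this type: hash every PE file under a directory while the system is known clean, re-scan later, and report executables whose hash changed or that newly appeared. Once the infector is memory-resident, each executable that is run after that point gets modified, so a baseline comparison surfaces them even before a signature exists. The directory layout, file names and the simulated infection (a few bytes appended to one executable) are constructed for the demo.

```python
import hashlib
import os
import tempfile

PE_MAGIC = b"MZ"  # DOS header signature every Windows executable begins with


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """Cheap PE check: only the two-byte DOS magic is inspected."""
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC


def build_baseline(root):
    """Map every PE file under root (relative path) to its SHA-256 hash."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if is_pe(p):
                baseline[os.path.relpath(p, root)] = sha256_of(p)
    return baseline


def find_changes(root, baseline):
    """Return (modified, added): PE files whose hash no longer matches the
    baseline, and PE files that were not present when the baseline was taken."""
    current = build_baseline(root)
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    return modified, added


def demo():
    """Constructed scenario: a directory of fake executables, then one of them is
    'infected' (bytes appended) and a new executable is dropped."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("app.exe", "tool.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write((b"MZ" + b"\x00" * 62) if name.endswith(".exe") else b"just text")
        baseline = build_baseline(root)  # readme.txt is not a PE and is ignored

        # Simulate a file infector modifying an executable that was run afterwards
        with open(os.path.join(root, "tool.exe"), "ab") as f:
            f.write(b"\x90" * 16)
        # Simulate a newly dropped executable
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)

        return find_changes(root, baseline)  # -> (["tool.exe"], ["dropped.exe"])


if __name__ == "__main__":
    modified, added = demo()
    print("modified:", modified)
    print("added:", added)
```

In a real deployment the baseline would be stored off-host (or signed), since a memory-resident infector running inside Explorer.exe can also rewrite a baseline file it can reach.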

We looked into the pseudo-random domains that LICAT accesses to download files. Every time PE_LICAT.A is executed, it attempts to download files from these domains, trying to do so a maximum of 800 times.

The following top-level domains are used by these created domains:

• biz
• com
• info
• org
• net

Our monitoring indicates that most of these domains have not been registered. A small number have been registered. Although some of the sites these actually lead to are currently inaccessible, some are still alive and active. As a precaution, all related sites have now been classified as malicious and blocked by Trend Micro.
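The three observations above (pseudo-random domains, the five TLDs, up to 800 download attempts per run, and most of the names being unregistered) give a defender a network-side signal: an infected host produces a burst of NXDOMAIN answers for many distinct names under those TLDs. The Python below, an added example that is not from the original post or from Trend Micro, runs that detection over constructed DNS log lines. The log format, the 10-minute window and the threshold of 20 distinct names are assumptions to tune per environment; the junk names in the sample are made from hash prefixes for the demo and are not LICAT's actual generation algorithm, which the post does not describe.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# TLDs listed in the post for the generated LICAT domains
LICAT_TLDS = {"biz", "com", "info", "org", "net"}

# Assumed DNS log format (constructed for this example):
#   <ISO timestamp> src=<client ip> qname=<queried name> rcode=<NOERROR|NXDOMAIN|...>
LINE_RE = re.compile(r"^(\S+) src=(\S+) qname=(\S+) rcode=(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, qname, rcode), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), src, qname.rstrip(".").lower(), rcode


def find_dga_suspects(lines, window=timedelta(minutes=10), threshold=20):
    """Return {src: max_distinct} for clients that got NXDOMAIN for at least
    `threshold` distinct names under the LICAT TLDs inside any `window`-long span.
    The threshold is an assumption; the post's 800 attempts per run is the ceiling
    such a burst can reach."""
    events = defaultdict(list)  # src -> [(timestamp, qname)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, qname, rcode = rec
        if rcode == "NXDOMAIN" and qname.rsplit(".", 1)[-1] in LICAT_TLDS:
            events[src].append((ts, qname))

    suspects = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # distinct names currently inside the sliding window
        start = 0
        best = 0
        for ts, qname in evs:
            in_window[qname] += 1
            # Slide the window start forward past anything older than `window`
            while evs[start][0] < ts - window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            suspects[src] = best
    return suspects


def sample_lines():
    """Constructed log: one clean client with a few typos, one client bursting
    through 30 pseudo-random names. Names are hash prefixes purely for the demo;
    this is NOT LICAT's generation algorithm."""
    base = datetime(2010, 10, 8, 12, 0, 0)
    lines = [f"{base.isoformat()} src=10.0.0.5 qname=www.example.com rcode=NOERROR"]
    # Clean client: three typos spread over a minute and a half
    for i, typo in enumerate(("exmaple.com", "gogle.com", "wikipeida.org")):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} src=10.0.0.5 qname={typo} rcode=NXDOMAIN")
    # Infected client: 30 distinct junk names across the five TLDs in 30 seconds
    tlds = sorted(LICAT_TLDS)
    for i in range(30):
        label = hashlib.md5(str(i).encode()).hexdigest()[:12]
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=10.0.0.23 qname={label}.{tlds[i % 5]} rcode=NXDOMAIN")
    return lines


def demo():
    return find_dga_suspects(sample_lines())  # -> {"10.0.0.23": 30}


if __name__ == "__main__":
    for src, n in demo().items():
        print(f"{src}: {n} distinct NXDOMAIN names under LICAT TLDs in one window")
```

Counting distinct names rather than raw queries keeps a host that retries one broken name from tripping the rule, while the window bound keeps a day's worth of ordinary typos from accumulating into a false positive. Hosts that are flagged are candidates for the file-level check (PE_LICAT.A infections on executables run since the compromise) rather than proof on their own.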

These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September have been confirmed to be known ZeuS domains in that period. One of these domains, {BLOCKED}, was registered approximately one week before it would have been used by PE_LICAT. Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past and is a known haven for cybercrime.

We were able to obtain a sample from these LICAT-related domains, which we currently detect as TSPY_ZBOT.BYZ. The downloader file shows certain behaviors often associated with ZeuS. However, the capability to act as a downloader is not a functionality seen in ZeuS to date. As such, further analysis is taking place for this file. The file drops a copy of the main file infector, PE_LICAT.A-O. Files exhibiting similar behavior to the downloader will be proactively detected as TSPY_ZBOT.SMEQ.

PE_LICAT infections appear to have hit the North American and European regions hardest, with Latin America the lightest hit according to our Smart Protection Network™ feedback.

Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™. CTO Raimund Genes talks more about this protection in How Analyzing a New Virus Can Lead to Multiple Protections. The domains generated by PE_LICAT are being analyzed in real-time and blocked as necessary. In addition, infected files are being detected and cleaned as well.

Update as of October 11, 2010 2:28 p.m. UTC

Upon analysis of the dropped file TSPY_ZBOT.BYZ, it was found that this ZeuS variant is actually both the starting point and final payload of this infection chain. Studying TSPY_ZBOT.BYZ reveals that it decrypts and drops PE_LICAT.A-O onto an affected system. As such, it can be inferred that this was, indeed, a ZeuS-driven attack, with the file infection and URL generation technique used to prolong its lifespan.

Below is an image describing the whole infection chain:

[Image: Infection Chain]

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice