TrendLabs Malware Blog - Trend Micro

    During the past few months, we’ve been observing increases in the number of systems infected by VBScript (Visual Basic Scripting Edition) malware, specifically VBS_SOSYOS, VBS_JENXCUS and VBS_DUNIHI. Most of these systems were found in Latin America, a region typically targeted by the Banker/Bancos Trojan.

    Figure 1. VBS malware activity for the past months in Latin America region (LAR)

    These VBScript malware were initially seen in targeted attacks, but are now being distributed on a larger scale. Numerous VBS_JENXCUS and VBS_DUNIHI infections were found in several Latin American countries. Based on feedback gathered from the Trend Micro Smart Protection Network, the chart below shows the number of VBScript malware infections from the region in the month of November.


    Figure 2. Number of VBS malware infections in LAR for November

    Among scripting malware affecting LAR, VBS malware accounted for 28% of infections – overshadowed only by the more common JavaScript malware.


    Figure 3. Percentage of VBScript malware vis-à-vis other common scripting malware in LAR

    VBS Malware Variants Compared

    When installed, VBS_DUNIHI and VBS_JENXCUS allow an attacker to execute commands on the infected system, and the two share much of their code.

    Our analysis reveals that VBS_DUNIHI’s code is based on VBS_JENXCUS. VBS_JENXCUS, however, can only execute two to three commands, far fewer than VBS_DUNIHI, which can perform up to 13. Overall, both allow remote threat actors to issue commands that run on the infected systems.

    Both VBS_JENXCUS and VBS_DUNIHI arrive as attachments to spam email messages. These malware are usually encrypted, which can be a roadblock during analysis. Upon successful decryption, however, the malware author’s signature is readily visible: VBS_JENXCUS contains the string ‘njq8’, while VBS_DUNIHI contains the string ‘houdini’.


    Figure 4. Comparison of JENXCUS (above) and DUNIHI (below) header after decryption

    Once executed, VBS_JENXCUS drops copies of itself in %User Temp% and %User Startup% using the file names Serviec.vbe, Servieca.vbs, Updater.vbs, and Updatea.vbs. These file names are hard-coded, in contrast to VBS_DUNIHI.

    VBS_JENXCUS receives and executes commands from a remote server. We also extracted several C&C servers to which the malware connects; however, they are currently inaccessible. It also propagates by creating LNK files on removable drives that point to the dropped copy of the malware.
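    The two host-side artifacts described above (hard-coded drop names in the user’s Temp and Startup folders, and LNK files on removable drives pointing at the dropped script) are straightforward to hunt for. The following PowerShell is an added example written for this post, not code from Trend Micro or from the malware; the file names and drop locations come from the text above, while the function names and the LNK-target heuristic are this example’s own assumptions.

```powershell
# Added example, not code from the Trend Micro post: hunts for the two host-side
# artifacts the post attributes to VBS_JENXCUS. File names and drop locations
# are from the post; the function names and the LNK heuristic are this example's own.

# Hard-coded drop names the post lists.
$DroppedNames = @('Serviec.vbe', 'Servieca.vbs', 'Updater.vbs', 'Updatea.vbs')

# %User Temp% and %User Startup% for the account running the script.
$DropDirs = @($env:TEMP, [Environment]::GetFolderPath('Startup'))

function Find-JenxcusDroppedFiles {
    param(
        [string[]]$Directories = $DropDirs,
        [string[]]$Names = $DroppedNames
    )
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($name in $Names) {
            $candidate = Join-Path -Path $dir -ChildPath $name
            if (Test-Path -LiteralPath $candidate) {
                Get-Item -LiteralPath $candidate |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
    }
}

function Find-SuspiciousRemovableLnk {
    # The post says the malware seeds removable drives with LNK files pointing at
    # its dropped copy. Flag any shortcut whose target is a WSH interpreter or
    # whose target/arguments reference a .vbs/.vbe file (heuristic, this example's own).
    $shell = New-Object -ComObject WScript.Shell
    # Win32_LogicalDisk DriveType 2 = removable disk.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $removable) {
        $root = $drive.DeviceID + '\'
        Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk     = $shell.CreateShortcut($_.FullName)
                $target  = [string]$lnk.TargetPath
                $lnkArgs = [string]$lnk.Arguments
                if ($target -match '\\(wscript|cscript)\.exe$' -or
                    "$target $lnkArgs" -match '\.vb[se](\s|$)') {
                    [pscustomobject]@{
                        Lnk       = $_.FullName
                        Target    = $target
                        Arguments = $lnkArgs
                    }
                }
            }
    }
}

Find-JenxcusDroppedFiles
Find-SuspiciousRemovableLnk
```

    Run it in the context of the user whose profile you want to check, since %User Temp% and %User Startup% resolve per account. The LNK check reads shortcut targets through the WScript.Shell COM object, which is independent of whether wscript.exe/cscript.exe are allowed to run, so it still works on hosts where WSH has been disabled.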

    Malicious files coded in VBScript are not new in the threat landscape. As early as 2000, the infamous ILOVEYOU virus was distributed and caused damage to numerous systems all over the world. Being an old threat, however, does not mean systems are immune to it. Trend Micro solutions for VBS malware infection include file and behavioral detection, URL blocking and spam detection.

    Disabling the Windows Script Host

    This attack would not be possible if the Windows Script Host (WSH) were not present on the system. WSH is an automation tool used by administrators, programmers, power users and the like that has been installed by default since Windows 98. It provides a set of services and objects that can be used to create scripts that run in either graphical or command-line mode.

    It has long been debated whether WSH should be disabled. Explicitly blocking or disabling it has one very obvious benefit: it prevents all present and future VBS malware from running in your environment.

    There are two ways to disable WSH. Microsoft provides one method in this TechNet article. If the user tries to run a .VBS file, the following pop-up appears:


    Figure 5. Blocked VBS pop-up

    Alternatively, one can use the behavioral monitoring settings of third-party security software like OfficeScan to block the applications that make up WSH. If the user tries to run a .VBS file, the following pop-ups appear:


    Figures 6-7. OfficeScan alerts

    Blocking .VBS files does improve a system’s security, but it can also have drawbacks. In enterprise environments, some users may actually rely on WSH; examples include backup operators or anyone who does batch processing. These users should be considered when deciding whether to roll out VBS blocking.
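    The Microsoft method referred to above is a registry switch that Windows Script Host honours. The PowerShell below is an added example, not code from the Trend Micro post or from Microsoft: it wraps that switch in functions so the current state can be audited, and it inventories scheduled tasks that launch wscript.exe or cscript.exe, which is one way to find the legitimate batch jobs the paragraph above warns about before rolling the block out. The registry key and the Enabled value are Microsoft’s; the function names are this example’s own.

```powershell
# Added example, not code from the Trend Micro post: the Windows Script Host
# registry switch, wrapped so it can be audited before and after rollout.
# Key and value name are Microsoft's; function names are this example's own.

$WshSettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' (WSH defaults to enabled
    # when the value is absent).
    $value = Get-ItemProperty -Path $WshSettingsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotConfigured' }
    if ($value.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Disable-Wsh {
    # Writes under HKLM, so it needs an elevated prompt. With Enabled = 0,
    # wscript.exe and cscript.exe refuse to run scripts for every user and show
    # the "access is disabled" dialog illustrated in the post's Figure 5.
    if (-not (Test-Path -Path $WshSettingsKey)) {
        New-Item -Path $WshSettingsKey -Force | Out-Null
    }
    Set-ItemProperty -Path $WshSettingsKey -Name Enabled -Value 0 -Type DWord
}

function Enable-Wsh {
    # Reverses Disable-Wsh for the exempted hosts the post mentions
    # (backup operators, batch processing).
    Set-ItemProperty -Path $WshSettingsKey -Name Enabled -Value 1 -Type DWord
}

function Get-ScheduledWshTasks {
    # Inventory scheduled tasks whose action runs a WSH interpreter; these are
    # the jobs that will break once WSH is disabled.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'wscript|cscript') {
                [pscustomobject]@{
                    Task      = $task.TaskName
                    Path      = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

"WSH state before change: $(Get-WshState)"
Get-ScheduledWshTasks | Format-Table -AutoSize
# Disable-Wsh   # run after the inventory above has been reviewed
# "WSH state after change: $(Get-WshState)"
```

    The same Enabled value under HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings applies to a single user account, which is useful for piloting the block on one account before setting it machine-wide. Scheduled tasks are only one source of legitimate WSH use; logon scripts and interactive use by the operators mentioned above should be inventoried the same way before deciding to roll out the block.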

    Additional insights by Jay Yaneza.





    © Copyright 2013 Trend Micro Inc. All rights reserved.