    Author Archive - Anthony Joe Melgarejo (Threat Response Engineer)

    We recently came across some AutoCAD malware which we detect as ACM_SHENZ.A. It appears to be a legitimate AutoCAD component with a .FAS extension (the format AutoCAD uses for compiled AutoLISP code), but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.

    It first creates a user account with administrative rights on the system. It then creates network shares for every drive from C: to I: and opens four ports on the system: 137, 138, 139 and 445.

    Figures 1-2. Decompiled code

    Perhaps because of the malware’s limited goals, the author did not bother to obfuscate the code.

    Figure 3. Malware code without obfuscation

    These ports are associated with the Server Message Block (SMB) protocol: 137-139 carry NetBIOS over TCP/IP, which older SMB implementations run over, and 445 carries SMB directly. SMB provides access to files, printers, serial ports, and miscellaneous communications between nodes on a Windows network. With the ports open, exploits that target SMB can reach the affected system and will succeed if the relevant vulnerabilities have not yet been patched. Security bulletins that cover SMB vulnerabilities include MS10-020 and MS11-043.

    The decision to create an account with administrator privileges is a strategic one. Without it, the attacker would have to crack the passwords of existing accounts or create one remotely, both of which can be difficult and time-consuming. With the account in place, the attacker can connect to the shares with it, copy all the files on those drives and plant other information-stealing malware.

    Historically, AutoCAD malware is very rare, although not completely unheard of. Aside from disabling certain AutoCAD functions and ensuring that all opened AutoCAD documents spread the malware as well, these kinds of malware may also be used to download or run other malware components. The primary advantage of AutoCAD malware may well be that users do not expect this type of document to be malicious; users should be careful about all document types and not just those that are “well-known” to contain malware.
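    The two persistent changes described above (whole-drive shares and a new local administrator) are easy to check for from the output of two built-in Windows commands. The following is an added example written for this page, not Trend Micro's tooling: it parses the text that `net share` and `net localgroup Administrators` print and flags drive-root shares that are not the hidden default shares, plus any Administrators member missing from an allowlist. The allowlist and both command outputs are constructed for illustration; on a real host capture them with the named commands. Ports 137-139 and 445 listening is normal on Windows, so the shares and the account are the discriminating indicators, not the open ports.

```python
"""Triage the two host changes the post attributes to ACM_SHENZ.A.

Added example, not Trend Micro's code: it parses the text output of the
Windows commands `net share` and `net localgroup Administrators` and
flags (a) shares that expose an entire drive root and (b) members of the
local Administrators group that are not on an allowlist.  The allowlist
and the two command outputs below are constructed for illustration.
"""
import re

# A share row whose resource column is exactly a drive root, e.g. "C:\".
DRIVE_ROOT_ROW = re.compile(r"^(\S+)\s+([A-Za-z]:\\)(?:\s|$)")


def _table_rows(output):
    """Yield the data rows of a `net` command: everything after the dashed
    separator and before the 'The command completed' status line."""
    in_table = False
    for line in output.splitlines():
        if not in_table:
            in_table = line.startswith("----")
            continue
        if not line.strip() or line.startswith("The command completed"):
            break
        yield line


def whole_drive_shares(net_share_output):
    """Shares (from `net share`) that export a whole drive and are not the
    built-in hidden admin shares (C$, D$, ...) that Windows creates itself."""
    hits = []
    for row in _table_rows(net_share_output):
        m = DRIVE_ROOT_ROW.match(row)
        if m and not m.group(1).endswith("$"):
            hits.append((m.group(1), m.group(2)))
    return hits


def unexpected_admins(net_localgroup_output, allowlist):
    """Members of the local Administrators group (from
    `net localgroup Administrators`) that are not in the allowlist."""
    allowed = {a.lower() for a in allowlist}
    return [row.strip() for row in _table_rows(net_localgroup_output)
            if row.strip() and row.strip().lower() not in allowed]


# Constructed sample output, shaped like the real commands' output.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\\Windows                      Remote Admin
C$           C:\\                             Default share
IPC$                                         Remote IPC
C            C:\\
D            D:\\
E            E:\\
The command completed successfully.
"""

SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
support
The command completed successfully.
"""

EXPECTED_ADMINS = ["Administrator", "alice"]   # assumption: the host's known admins


def triage(share_output=SAMPLE_NET_SHARE, group_output=SAMPLE_NET_LOCALGROUP,
           allowlist=EXPECTED_ADMINS):
    """Run both checks and return the findings keyed by check name."""
    return {
        "whole_drive_shares": whole_drive_shares(share_output),
        "unexpected_admins": unexpected_admins(group_output, allowlist),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

    The share check deliberately ignores `C$`-style names: those hidden administrative shares exist on every Windows host, whereas a visible share named `C` pointing at `C:\` is exactly what the malware leaves behind.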

    Posted in Malware

    The year might be coming to a close, but we are still seeing our 2013 predictions come true. We encountered an attack that featured an old malware family with new routines. This malware, detected as BKDR_SINOWAL.COP, specifically attempts to disable the Rapport software from Trusteer.

    Figure 1. Code that looks for the Trusteer Rapport module

    Rapport is software that protects users from phishing and man-in-the-browser (MitB) attacks. It is frequently provided to users by their banks to improve their security. If the attacker succeeded in disabling Rapport, users would be more vulnerable to man-in-the-browser attacks, which are frequently used by banking malware.

    A side note: we have been in contact with Trusteer regarding this threat, and they have confirmed that it does not succeed in disabling Rapport, so users are not at increased risk.

    BKDR_SINOWAL.COP itself cannot perform MitB attacks; it needs a plugin component or a second piece of malware to carry out that part of the attack.

    Feedback from the Smart Protection Network shows that the attack arrived as an email attachment. This attachment is a compressed file which contains a variant of BKDR_ANDROM malware, detected as BKDR_ANDROM.LSK. This malware will drop and execute both the SINOWAL malware and TSPY_ZBOT.IRF.

    Figure 2. SINOWAL routine

    Knowing this, we can say that the attacker intended to make ZBOT’s MitB routine (via web injects) more successful by using BKDR_SINOWAL’s capability to disable software that prevents that specific attack.

    This threat shows how different threats can work together to increase their effectiveness in carrying out their malicious activities, like stealing information. We already detect the malware associated with this attack.

    The following are the SHA1 hashes of the files that are related to this threat:

    • 1888306B7A47CB2A0EE88529D9C0C55D5E43A870
    • 494F4902437F446C7C4178672489980889111CC1
    • 9DFB7E2EF011B537ED0238FA64058AFB7340EA27
    • B6598BB118F903175FFE5914A28F7D2E03BF471F
    • C9D153A22E75F30F4246F6B4E730D8CF5E33A333
    • FABCDC9564E1E7D59C406969C871C6C53652284E
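    Hash lists like the one above are only useful if they are actually run against files. The following added example, written for this page and not Trend Micro's code, walks a directory tree, hashes each file in chunks and reports any file whose SHA-1 digest is in the set above. The IOC set is copied from the list; the temporary directory, the sample file and the extra digest that `demo_scan()` registers so the run shows a hit are constructed so the script runs offline.

```python
"""Match files on disk against the SHA-1 indicators listed above.

Added example, not Trend Micro's code.  The IOC set is copied from the
post; everything else (the temporary directory and sample file that
demo_scan() builds, and the extra digest it registers so the run shows
a hit) is constructed so the script works offline.
"""
import hashlib
import os
import tempfile

# SHA-1 hashes published in the post, normalised to lower case because
# hexdigest() returns lower case while published IOCs are often upper case.
IOC_SHA1 = {h.lower() for h in (
    "1888306B7A47CB2A0EE88529D9C0C55D5E43A870",
    "494F4902437F446C7C4178672489980889111CC1",
    "9DFB7E2EF011B537ED0238FA64058AFB7340EA27",
    "B6598BB118F903175FFE5914A28F7D2E03BF471F",
    "C9D153A22E75F30F4246F6B4E730D8CF5E33A333",
    "FABCDC9564E1E7D59C406969C871C6C53652284E",
)}


def sha1_hex(data):
    """SHA-1 of an in-memory byte string, lower-case hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large attachments are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def ioc_set(extra_iocs=()):
    """The published IOCs plus any extra digests, all lower-cased."""
    return IOC_SHA1 | {h.strip().lower() for h in extra_iocs}


def is_ioc(digest, extra_iocs=()):
    """True if digest (any case, surrounding whitespace ignored) is an IOC."""
    return digest.strip().lower() in ioc_set(extra_iocs)


def scan_tree(root, extra_iocs=()):
    """Walk root and return sorted [(path, sha1)] for files whose digest is
    in the IOC set.  Unreadable files are skipped rather than aborting."""
    iocs = ioc_set(extra_iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return sorted(hits)


def demo_scan():
    """Build a throwaway directory with one constructed file, register that
    file's digest as an extra IOC, and return the hits as (basename, sha1)."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not the real attachment")
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "clean.txt"), "wb") as f:
            f.write(b"nothing to see here")
        return [(os.path.basename(p), d)
                for p, d in scan_tree(root, extra_iocs=[sha1_file(sample)])]


if __name__ == "__main__":
    for name, digest in demo_scan():
        print(f"IOC hit: {name} {digest}")
```

    File hashes are brittle indicators: a single changed byte in a repacked sample defeats them, so treat a hit as confirmation and a miss as nothing more than the absence of these exact files.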
    Posted in Malware, Spam | SINOWAL Attempts To Disable Rapport, Aid ZBOT

    A new attack is spreading via Facebook and several instant messaging applications. Its chief payload is a backdoor, BKDR_LIFTOH.DLF, which gives the attackers control of the infected systems. It spreads by using two worms, one of which is a new variant of the rather notorious DORKBOT family.

    DORKBOT, known for spreading via social media and instant messaging applications (e.g., Skype and mIRC), has now been found propagating through multi-protocol instant messaging (IM) apps like Quiet Internet Pager and Digsby.

    These apps enable users to communicate via various IM apps. Digsby supports AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat accounts while Quiet Internet Pager supports at least four different IM services. Thus, this malware may potentially affect more users because of its wider launchpad for propagation.

    Detected as WORM_DORKBOT.SME, this worm sends out shortened URLs to the contacts found in the IM client of the infected system. These URLs point to a file, which is actually an updated copy of DORKBOT uploaded to the file-hosting site Mediafire. This is probably a maneuver to evade detection and easy removal from the system.

    Aside from its propagation routines, DORKBOT is also known for its capability to steal login credentials by hooking APIs to certain web browsers.

    WORM_DORKBOT.SME is downloaded by the main payload, BKDR_LIFTOH.DLF. One of the commands this backdoor accepts from its C&C server is to download and execute other malware; the command carries the URL of the file to fetch. In this case the file was hosted on Hotfile rather than Mediafire.

    The backdoor can also update its configuration from its C&C server.

    Figure 1. BKDR_LIFTOH.DLF configuration


    Posted in Bad Sites | Backdoor Leads to Facebook and Multi-Protocol Instant Messaging Worm

    Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception.

    We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to redirect users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”.

    It does this by mapping the Facebook domain names to the system itself in the affected machine’s HOSTS file, which ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware monitors all browser activity and redirects the user to the malicious site.
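    HOSTS-file tampering of this kind is simple to audit because a clean file should never mention a public site at all. The following is an added example for this page, not Trend Micro's code: it parses a HOSTS file and reports every entry for a watched domain or one of its subdomains, distinguishing the loopback case the post describes from a blackhole (0.0.0.0) and from a redirect to some other address. The watched-domain list and the sample file content are constructed; on Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Check a HOSTS file for the tampering the post describes: well-known
domains pinned to the local machine so the real site can never be reached
while the malware steers the browser elsewhere.

Added example, not Trend Micro's code.  The watched-domain list and the
sample file content are constructed for illustration.
"""
import ipaddress

# Assumption: domains the operator never expects to see in HOSTS.
WATCHED_DOMAINS = ("facebook.com",)


def parse_hosts(text):
    """Return [(ip_address, hostname)] for every mapping in the file,
    skipping comments, blank lines and lines whose address is not an IP."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in fields[1:]:
            mappings.append((addr, name.lower().rstrip(".")))
    return mappings


def _is_watched(hostname, watched):
    return any(hostname == w or hostname.endswith("." + w) for w in watched)


def _classify(addr):
    if addr.is_loopback:
        return "loopback"      # the MINOCDO case: site pinned to the machine itself
    if addr.is_unspecified:
        return "blackhole"     # 0.0.0.0: site silently unreachable
    return "redirect"          # any other address: traffic sent elsewhere


def hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Every mapping of a watched domain (or a subdomain of one), as
    (hostname, ip, classification).  Any hit is suspicious: a clean HOSTS
    file should not mention these domains at all."""
    return [(name, str(addr), _classify(addr))
            for addr, name in parse_hosts(text)
            if _is_watched(name, watched)]


# Constructed sample: the usual loopback lines plus three injected entries.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       facebook.com www.facebook.com   # injected by malware
0.0.0.0         login.facebook.com
93.184.216.34   www.example.com
"""

if __name__ == "__main__":
    for hit in hijacked_entries(SAMPLE_HOSTS):
        print("suspicious: %-22s -> %-15s (%s)" % hit)
```

    Reading the file is not enough on its own: the post notes the malware also watches browser activity, so restoring the HOSTS file without removing the process will only see it rewritten.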

    Users eager to log into Facebook may fall for this ruse and take the ‘security check’ at face value, entering their details and exposing their credit card accounts to cybercriminals.

    Figure 1. Fake Facebook Security Page



    Robust and stealthier toolkits are predicted to emerge this year. The first sign was the WhiteHole Exploit Kit, which appeared in the threat landscape taking advantage of several vulnerabilities, including the infamous CVE-2013-0422.

    Additionally, there have been reports of another new exploit kit called “Neutrino” being sold in the underground. The exploit, which we detect as JAVA_EXPLOYT.NEU, takes advantage of the following vulnerabilities:

    Systems running Java 7 Update 11 and below are vulnerable. When exploited successfully, it downloads a ransomware variant, TROJ_RANSOM.NTW. Ransomware typically locks the computer until the user pays a ransom. Our research paper Police Ransomware Update contains more information on the threat.
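    Checking the installed Java against the range given above is easy to get wrong because Java 7 reports itself as "1.7.0_NN". The following added example, written for this page and not Trend Micro's code, parses the banner that `java -version` prints and applies the post's own threshold (Java 7, update 11 or lower). The banners in the tests are constructed; the threshold is taken from the post, not from the individual CVE fix versions.

```python
"""Decide whether a `java -version` banner falls in the range the post gives
as affected by Neutrino (Java 7 Update 11 and below).

Added example, not Trend Micro's code; the threshold follows the post and
the sample banners are constructed.
"""
import re

AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 11   # per the post: Update 11 and below

# Pre-Java-9 banners look like: java version "1.7.0_11"  or  "1.7.0"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from `java -version` output, e.g.
    'java version "1.7.0_11"' -> (7, 11).  The real major version follows
    the leading "1." and the update number follows "_"; a banner with no
    "_NN" suffix is the initial release, update 0."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % banner)
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def neutrino_affected(banner):
    """True if the banner describes Java 7 Update 11 or earlier."""
    major, update = parse_java_version(banner)
    return major == AFFECTED_MAJOR and update <= LAST_AFFECTED_UPDATE


if __name__ == "__main__":
    # Constructed banners; on a real host feed in the output of `java -version`.
    for banner in ('java version "1.7.0_11"', 'java version "1.7.0_13-b20"',
                   'java version "1.6.0_45"', 'java version "1.7.0"'):
        print(f"{banner:32} affected={neutrino_affected(banner)}")
```

    Note that `java -version` writes its banner to stderr, not stdout, so when capturing it from a script redirect stderr as well.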

    CVE-2013-0431 was also exploited in a BlackHole Exploit Kit spam run that purported to come from PayPal. Oracle addressed this vulnerability with an out-of-band update, which raised its own issues and concerns. CVE-2012-1723, meanwhile, was used by both the BlackHole and WhiteHole exploit kits.


    Posted in Exploits, Vulnerabilities | A New Exploit Kit in Neutrino


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice