TrendLabs Malware Blog - Trend Micro
    Author Archive - Erika Mendoza (Threat Response Engineer)

    Last year, the security industry was plagued by a series of APT reports, among them the one on the “Nitro Attack”. The backdoor used in that attack is known as PoisonIvy or BKDR_POISON, and its builder is available online. Security vendors have since taken measures to counter this threat and help customers fight similar infections. However, a recent discovery concerning the downloader’s stealth mechanism proves that the fight is not yet over.

    At first glance there seemed to be little to see in the downloader sample: it is a VB-compiled executable that does nothing but perform an HTTP GET request for an HTML page.

    Accessed via a browser, the page looks harmless until you decode it.

    As Microsoft pointed out, this downloader differs from most others. Instead of downloading a second binary and executing it, it executes the downloaded content within its own process: the malware converts the data hidden in the harmless-looking page into functional code in memory, then executes it via DllFunctionCall. No new binary has to be dropped, which is what makes the technique stealthy.

    The executed shellcode is actually a variant of the BKDR_POISON malware family which was used in a number of targeted attacks last year.
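    The decode step above is the part an analyst has to reproduce by hand to see what the page really carries. The following Python script is an added example, not code from the original post or from the Trend Micro analysis: it pulls hex-encoded blobs out of an HTML page, decodes them, and checks the result for byte sequences typical of x86 shellcode prologues (a `cld; call` stub and a `fs:[0x30]` PEB read). The page does not say which encoding the real downloader used, so the hex-in-a-comment layout and the page content below are assumptions constructed for illustration.

```python
"""
Triage helper for a downloader that fetches an innocuous-looking HTML page
and turns hidden content into shellcode in memory.

Added example, not code from the original post. The encoding used by the
real sample is not given on the page; this script ASSUMES the payload is a
hex string hidden in an HTML comment, which is one common pattern.
"""
import hashlib
import re

# Constructed HTML page (not the real one): benign-looking text plus a hex
# blob in a comment. The blob is the start of a generic x86 stub:
# cld / call, then mov eax, fs:[0x30] (read the PEB to find loaded modules).
CONSTRUCTED_PAGE = """<html><head><title>Welcome</title></head>
<body><p>Nothing to see here.</p>
<!-- fce8000000005f64a130000000 -->
</body></html>"""

# A run of at least 16 hex digits not glued to other hex digits.
HEX_BLOB = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{16,})(?![0-9a-fA-F])")

# Byte patterns commonly seen at the start of x86 shellcode.
SHELLCODE_MARKERS = {
    b"\xfc\xe8": "cld; call (stub prologue)",
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[0x30] (PEB access)",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, fs:[0x30] (PEB access)",
}


def extract_hex_blobs(html: str) -> list[bytes]:
    """Decode every even-length run of 16 or more hex digits in the page."""
    blobs = []
    for match in HEX_BLOB.finditer(html):
        digits = match.group(1)
        if len(digits) % 2:
            continue  # odd length cannot be a byte string
        blobs.append(bytes.fromhex(digits))
    return blobs


def shellcode_indicators(data: bytes) -> list[str]:
    """Names of the shellcode markers found anywhere in the decoded bytes."""
    return [desc for pattern, desc in SHELLCODE_MARKERS.items() if pattern in data]


def triage(html: str) -> dict:
    """Summarise hidden blobs and flag those that look like x86 shellcode."""
    blobs = extract_hex_blobs(html)
    suspicious = []
    for blob in blobs:
        hits = shellcode_indicators(blob)
        if hits:
            suspicious.append({
                "sha256": hashlib.sha256(blob).hexdigest(),
                "size": len(blob),
                "indicators": hits,
            })
    return {"blobs": len(blobs), "suspicious": suspicious}


if __name__ == "__main__":
    print(triage(CONSTRUCTED_PAGE))
```

Once a blob is flagged, the next step is to run it through a disassembler or an emulator rather than the host; the markers here only tell you that a page that renders as text is carrying machine code.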

    A Brief Background on BKDR_POISON

    Also known as PoisonIvy, the BKDR_POISON family has been rampant for years. This can be attributed to the fact that its builder is easy to use and freely available for download from its website. The auto-start mechanism, as well as the mutex and file names of the dropped copy, are configurable in the builder, so generated samples do not necessarily share exactly the same behavior.

    Its backdoor functions include keylogging, audio/video monitoring, screen capture, process and service management, file access and upload, and many more. In other words, it gives the operator on the client side full control of the infected system.



    We have found evidence that the human rights organization reported affected by a website compromise is not the attack’s only intended target.

    The website was said to contain an iframe that redirected visitors to another compromised site, in Brazil. That site served a malicious Java applet, detected as JAVA_DLOAD.ZZC, which exploits the Java vulnerability CVE-2011-3544 to install TROJ_PPOINTER.SM; this in turn drops BKDR_PPOINTER.SM. BKDR_PPOINTER.SM connects to a certain URL to send and receive commands from the attacker, and it is also capable of gathering certain information about the affected system.

    Based on our investigation, the initially reported organization appears to be just one of the targets of this attack, and the attack itself is tailored to its targets. We studied the related files and URLs and found that a string referring to the human rights organization was used as the name of both the inserted folder and the file on the compromised Brazilian website:

    • hxxp://{BLOCKED}
    • hxxp://{BLOCKED}

    Furthermore, the code of the file retrieved from the URLs above indicates that it was a payload intended specifically for the said human rights organization, as it contains strings referring to that organization:



    When I read this blog entry a few days ago, the first question that entered my head was, “Is this another targeted attack?” I took a look at the .PDF discussed in the entry, and it appeared to be a document addressed to employees of a certain defense contractor. Trend Micro products detect this malicious .PDF as TROJ_PIDIEF.EGG. Below is a screenshot of the survey.

    It appears to me that the attackers are specifically targeting the employees of this defense contractor in order to obtain information about the company and possibly its clients as well. I also learned that its customers include many high-profile federal government agencies.



    TrendLabs is currently analyzing an interesting .ELF file that is actually an IRC backdoor. We initially found code suggesting that it performs brute-force attacks on router user name and password pairs.

    This malware is predominantly found in Latin America, but we are also checking the extent of infection in other regions. The attacks work against D-Link routers; we are verifying whether they also work against other models.

    An infected system also joins a botnet on IRC servers and is capable of receiving and executing commands. Trend Micro detects the offending code as ELF_TSUNAMI.R. Analysis is ongoing and we will post updates as new information is found.

    There was an old attack in 2008 that targeted routers in Mexico, which we blogged about in the entry “Targeted Attack in Mexico: DNS Poisoning via Modems.”

    Update as of March 11, 2011, 6:08 AM Pacific Time

    • ELF_TSUNAMI.R is built for MIPS (Microprocessor without Interlocked Pipeline Stages), a processor architecture typically used in small devices such as routers. How an attacker would get the file onto a router is not yet determined, but it is possible that the .ELF file is just one component of a much bigger threat.
    • It exploits a vulnerability that affects certain D-Link routers. Successful exploitation grants a remote attacker complete administrative access to the affected router.
    • It is also capable of disabling the firewall of the affected router by executing the command /etc/firewall_stop
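    The two facts in the update that an analyst can confirm statically are the target architecture and the IRC and firewall strings. The Python script below is an added example, not the TrendLabs analysis code: it reads the ELF header to report word size, endianness and machine type, then searches the image for IRC protocol verbs and the /etc/firewall_stop command. The ELF image it works on is a constructed minimal header plus a fake string section, not ELF_TSUNAMI.R, and the "looks like a MIPS IRC bot" rule is an assumed triage heuristic, not a detection signature.

```python
"""
Static triage for a suspected router backdoor: confirm the ELF is built
for MIPS and pull out IRC and firewall-related strings.

Added example, not the TrendLabs analysis code. The bytes produced by
build_constructed_elf() are a CONSTRUCTED minimal ELF image, not the
real sample.
"""
import struct

EM_MIPS = 8
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}

# IRC protocol verbs an IRC bot must emit, and the firewall kill command
# named in the post.
IRC_STRINGS = [b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PING"]
FIREWALL_STRINGS = [b"/etc/firewall_stop"]


def build_constructed_elf(machine: int = EM_MIPS, big_endian: bool = True) -> bytes:
    """Return a 32-bit ELF header followed by a fake string blob (test data only)."""
    ei_data = 2 if big_endian else 1
    endian = ">" if big_endian else "<"
    # e_ident: magic, EI_CLASS=1 (32-bit), EI_DATA, EI_VERSION=1, EI_OSABI=0, padding
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = e_ident + struct.pack(endian + "HHIIIIIHHHHHH",
                                   2, machine, 1, 0x400000, 0, 0, 0,
                                   52, 32, 0, 40, 0, 0)
    strings = (b"NICK %s\r\nJOIN #chan\r\nPRIVMSG %s :%s\r\n"
               b"/etc/firewall_stop\x00sh -c %s\x00")
    return header + strings


def parse_elf_header(data: bytes) -> dict:
    """Decode class, endianness, type and machine from the ELF identification header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "big" if ei_data == 2 else "little",
        "type": e_type,
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


def find_strings(data: bytes, needles: list[bytes]) -> list[str]:
    """Which of the given byte strings occur anywhere in the image."""
    return [n.decode() for n in needles if n in data]


def triage_router_elf(data: bytes) -> dict:
    """Header facts plus string hits, with an assumed heuristic verdict."""
    hdr = parse_elf_header(data)
    irc = find_strings(data, IRC_STRINGS)
    fw = find_strings(data, FIREWALL_STRINGS)
    # Heuristic (assumption for this example): MIPS build carrying at least
    # two IRC verbs is worth a closer look as a router IRC bot.
    verdict = hdr["machine"] == "MIPS" and len(irc) >= 2
    return {**hdr, "irc_strings": irc, "firewall_strings": fw,
            "looks_like_mips_irc_bot": verdict}


if __name__ == "__main__":
    print(triage_router_elf(build_constructed_elf()))
```

On a real sample the same facts come from `readelf -h` (the Machine and Data fields) and `strings`; the point of parsing the header yourself is that a MIPS image will not run on the analyst's x86 box, so static checks like these come before any dynamic analysis in an emulator.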

    Malware writers are again taking advantage of curious readers by sending out email messages related to recent news events that contain malicious attachments.

    One particular sample, detected as TROJ_AZAH.A, is disguised as a folder. A curious user may “open” the supposed folder and thereby run the executable. Among the folder names used are:

    • Philippine-HK News
    • Rise of Global Terrorism and U.S. Strategy
    • Status and Future of Global Torture 2010
    • Status and Future of U.S. Textile Industry
    • Status and Future of Worldwide Press Freedom 2010
    • Strategy of US Global Military—Role of Singapore
    • U.S. Strategy—Troops Leave Iraq
    (Figure: attachment appearance)

    Once executed, the malware deletes itself and attempts to create a real folder that may contain a .PDF or .DOC file. During testing, however, the malware was unable to create these files.

    As its final payload, it attempts to access a URL to download other malware. In our recent testing, this download routine was also unsuccessful.

    Nevertheless, we shouldn’t let our guard down, as future variants may well use this same line of attack. Trend Micro already blocks the URLs related to this malware.

    Users are advised to avoid opening email attachments, especially if these come from unknown senders.
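    The disguise described in this post works because the file name carries no executable extension and the icon suggests a folder. The Python script below is an added example, not code from the original post: it walks an extracted attachment directory and reports every file that starts with the PE "MZ" signature but whose name does not admit to being an executable, which catches both folder-style names and document-style names such as a fake .pdf. The directory contents are constructed for illustration, reusing some of the lure names listed above.

```python
"""
Find executables masquerading as folders (or documents) in an extracted
attachment directory.

Added example, not code from the original post. The directory built by
build_constructed_mailbox() is constructed test data.
"""
import tempfile
from pathlib import Path

# Extensions that honestly announce a Windows executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}
PE_MAGIC = b"MZ"


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS/PE signature."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def disguised_executables(root: Path) -> list[str]:
    """Names of PE files whose name gives no hint that they are executables."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue  # real folders are fine; it is the fake ones we want
        if path.suffix.lower() in EXECUTABLE_EXTS:
            continue  # honestly named executable, out of scope here
        if is_pe(path):
            findings.append(str(path.relative_to(root)))
    return sorted(findings)


def build_constructed_mailbox(root: Path) -> None:
    """Populate root with constructed samples mirroring the lure names from the post."""
    # PE with a folder-like name and no extension: the trick in the post.
    (root / "Philippine-HK News").write_bytes(PE_MAGIC + b"\x90\x00" * 64)
    # A genuine folder with a genuine (OLE-signature) document inside.
    real_dir = root / "Status and Future of Global Torture 2010"
    real_dir.mkdir()
    (real_dir / "brief.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    # A genuine PDF and an openly named executable: neither is reported.
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n")
    (root / "update.exe").write_bytes(PE_MAGIC + b"\x00" * 64)
    # PE wearing a document extension: a related disguise, also reported.
    (root / "Rise of Global Terrorism and U.S. Strategy.pdf").write_bytes(PE_MAGIC + b"\x00" * 64)


def demo() -> list[str]:
    """Build the constructed directory in a temp location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_mailbox(root)
        return disguised_executables(root)


if __name__ == "__main__":
    for name in demo():
        print("disguised executable:", name)
```

Checking the first bytes rather than the name is the whole point: Explorer hides extensions and honours icon resources, so name and icon are exactly the attributes the attacker controls.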



    © Copyright 2013 Trend Micro Inc. All rights reserved.