A new Master Boot Record (MBR) rootkit has recently taken the threat spotlight. The Microsoft Malware Protection Center (MMPC) noted a new malware variant that is capable of overwriting a system’s MBR. In MMPC’s post, Microsoft also clarified that using the Windows Recovery Console is enough to return the infected MBR to a clean state and has also provided manual instructions for fixing the MBR via this blog post.

We also acquired a sample of the malware. Below are the details on what we have seen so far.

How Does POPUREB Work?

Based on our analysis, users’ systems may be infected by POPUREB, which we detect as TROJ_POPUREB.SMA by visiting malicious sites. Once installed, the malware writes its component such as the malicious MBR, C:alg.exe (detected as TROJ_POPUREB.SMB),  and %Current%hello_tt.sys (detected as RTKT_POPUREB.A) on the disk. It also drops a .SYS file and registers its rootkit component as a service. TROJ_POPUREB.SMA then proceeds to delete the %Current%hello_tt.sys and executes C:alg.exe.

Among the malware components, TROJ_POPUREB.SMB performs the most routines. It connects to specific sites to download its configuration and other malicious files as well as sends information to a remote user. It also hijacks browser sessions based on the downloaded configuration and initialization files to create malicious HTTP traffic. This malicious traffic may lead to varied payloads, including the download of other malware, connecting to sites, and pushing malvertisements.

Read the rest of this entry »

Here at Trend Micro, we have seen all kinds of cybercrime and digital threats. For the first-ever Cybersecurity Awareness Day in Singapore, one of my colleagues, Richard Sheng, has taken time out to explain what so-called “Advanced Persistent Threats” (a.k.a. APT) are. Singapore is one of the first Asian countries to come up with a strong cybersecurity agenda. As such, advanced persistent threats have captured the interest of its security practitioners.

How Advanced Persistent Threats Typically Work

The use of the term “advanced persistent threats” perhaps helps people grasp how sophisticated attacks staged by groups that intend to and are capable of targeting a specific organization are. Attacks under the umbrella term “advanced persistent threats” usually take longer to plan and execute as well as utilize a variety of tools compared with typical malware attacks that are relatively uncontrolled and do not criticize in terms of target.

Staging attacks classified as advanced persistent threats involves detailed reconnaissance work to gather information and to identify a particular target’s system and infrastructure weaknesses. To do this, attackers may rely on publicly available information, including data found in the target’s website or in its social networking accounts. This allows them to get a better idea on who in the company they should target as their attack’s point of entry. The information they gather includes employees’ names and their personal details (e.g., email addresses, social networking profiles, etc.) as well as the company’s IT policies, preferred OS, applications, software, and network structure.

Next, the attackers obtain access to their target’s system through ingenious social engineering ploys. At this point, the malware, as an attack tool, is executed. It then performs malicious payloads like information theft or denial of service (DoS) without being found out. Covering their tracks is thus very important because the attackers must stay under the radar until they get what they want (e.g., data theft, backdoor program installation). The malware they use should also have the ability to communicate with them in order to transmit information or intelligence.

Read the rest of this entry »

Approximately a month ago we released our full analysis of the new file-patching ZeuS variants in the paper “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up“.

Recently, however, we received a new LICAT sample (passed along to us via trusted collaborative channels) that communicates with its command-and-control (C&C) server using a pseudo-random domain that was not among those generated by the original algorithm. This discovery prodded us to take a closer look into the acquired sample.

Our analysis revealed that the new sample still had all of the original routines we found in the original LICAT sample. For example, it generated the same number of domains on a given day and used the same top level domains. There is a key difference in the code of the two variants, however: a different XOR key is being used. This new variant uses 0xDEADC2DE as its key, where the original used 0xD6D7A4BE:

Not only does this new variant use different XOR keys, it also uses more keys as well. The original LICAT variant’s domain generation algorithm (DGA) used the same XOR key twice: once for where its configuration file was located, and another were new/updated variants could be downloaded automatically. In this new variant, however, different keys are used; neither do they share the same value from the original variant. This doubles the number of domains that have to be monitored and blocked by researchers.

We expect that more LICAT variants with different XOR keys are probably going to be spotted in recent weeks. This newly discovered variant is detected as PE_LICAT.B-O, with the patched files are detected as PE_LICAT.B. As we noted earlier, their behavior (except for domain generation) is identical to that exhibited by PE_LICAT.A.

Trend Micro customers are protected by the Trend Micro™ Smart Protection Network™,  which detects and blocks the said file infector from running. We will be continuously monitoring for new LICAT variants and domains that these contact, and blocking them as necessary.

Special thanks to advanced threat researcher Feike Hacquebord for initially bringing this threat to light.

Last September, several individuals were arrested for using information-stealing Trojans created with the well-known ZeuS toolkit. Following this, security researchers anticipated the inevitable “upgrade” to the toolkit/Trojans that will allow cybercriminals to continue their money-making ploy. Soon enough, we received reports on a ZeuS Trojan Trend Micro detects as TSPY_ZBOT.BYZ with the following new features:

1. Trojanizing .EXE files to keep the malware updated (turning them into PE_LICAT.A) and more difficult to remove
2. Contacting pseudorandomly generated domains ala DOWNAD/Conficker to avoid easy takedown

Over the past few weeks, we have been working on completing a comprehensive report on this new ZeuS upgrade. This includes an analysis of its runtime decompression/deobfuscation stub, a decryption of the configuration file it used for its information-stealing payload, an identification of the command-and-control (C&C) servers it used, and an in-depth study of the above-mentioned file infection and domain generation algorithm (DGA).

Earlier this week, reports on the supposed SpyEye and ZeuS toolkit merger came out. The result of this merger may be a hybrid toolkit that uses the best features of both SpyEye and ZeuS.

The full analysis in the report, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up,” is the result of the collaborative effort of TrendLabs engineers/researchers Alvin Bacani, Mark Anthony Balanza, Feike Hacquebord, Marco Dela Vega, Julius Dizon, Patrick Estavillo, Jasper Manuel, Loucif Kharouni, David Sancho, Ben April, Kevin Stevens, Ryan Flores, Ivan Macalintal, and Robert McArdle.

We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:

• File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
• ZeuS Ups the Ante with LICAT
• ZeuS’ Response to Automated Analysis
• The Plot Thickens for ZeuS-LICAT
• ZeuS, Still a Threat; Now Also Spreading Through LICAT

We have been continuously analyzing this new ZeuS “upgrade” known as LICAT (aka Murofet) for some time now. In this update, I will delve on the monitored URLs and domains that LICAT contacts as well as the latest detection names associated with them.

The primary difference between LICAT and ZeuS is LICAT’s capability to contact its server using domains generated based on the current date, particularly the year, month, day, and minute. As expected, a number of the generated domains became active and were found to host new or updated versions of LICAT and ZeuS configuration files. Most of the domains, which became live, resolved to already-known ZeuS IP addresses. Below are some grouped (by resolving IP addresses) generated domains.

The domains above were already used to host encrypted configuration files that LICAT downloads and decrypts for use in its information-stealing routine. The configuration file contains a list of the types of information to be stolen, particularly login credentials for conducting various online transactions, as well as instructions on where to upload these.

Aside from the information-stealing routine the configuration file downloaded from the generated domains, some active domains were also found to host new LICAT or ZeuS malware variants, namely, TSPY_ZBOT.BYZ and PE_LICAT.A-O. The new downloaded samples mostly had different hashes, which are detected via the heuristic detection TSPY_ZBOT.SMEQ. Furthermore, these generated domains can easily be registered by other cybercriminals for use in delivering other malware. This poses a new threat to users and consequently increases the potential for system infection. Indeed, with LICAT’s capability to steal valuable information, it poses a critical threat to user systems and up-to-date virus definitions are a must.

You can find several discussions on this threat in the following blog entries:

• ZeuS’ Response to Automated Analysis
• ZeuS Ups the Ante with LICAT
• File Infector Uses Domain-Generation Technique Like DOWNAD/Conficker

As we continue to monitor this threat, we will post updates on the Malware Blog. In addition, we are currently working on a more in-depth technical paper that will provide details on the intricacies behind the ZeuS-LICAT plot.