Trend Micro has received reports from users about a new, dangerous file infector. This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet.
Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain names are derived from a pseudorandom function seeded with the current UTC system date and time; the function's output changes every minute, so the set of candidate domains changes every minute as well.
According to Escalation Engineer Alvin Bacani, whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system's time. It then tries to connect to that domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a "new" URL every time. This helps ensure that the malware will be able to keep itself updated, and even if one or more domains are taken offline, others can take their place.
Infected systems whose clocks are synchronized to the current UTC date and time compute, and contact, the same set of domain names. The same property cuts both ways: once the algorithm has been reverse-engineered, those domains can be computed in advance by anyone, not only by the malware's operators.
Based on PE_LICAT.A's code, the downloaded files are validated before being executed, which is the same technique WORM_DOWNAD employed. Users whose systems have been infected are at risk of downloading more malicious files onto their systems every time PE_LICAT.A is executed.
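As an added illustration (not code from this post or from Trend Micro, and not PE_LICAT.A's real algorithm, which the post does not disclose), the following Python models the routine described above: a domain list seeded by the UTC minute, an update loop that walks up to 800 candidates and only runs a file that passes validation, and, on the defender's side, the same knowledge used to precompute the list for blocking or sinkholing. The SHA-256-based generator, the TLD list, the HMAC tag standing in for the unspecified validation check, and the sample timestamps are all constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Callable, List, Optional, Set, Tuple

# Constructed TLD list for the illustration; the real infector's choices are not on the page.
TLDS = ("com", "net", "org", "info", "biz")
# Assumed stand-in for whatever check the infector applies to a downloaded file.
PAYLOAD_KEY = b"constructed-demo-key"


def minute_bucket(epoch_seconds: int) -> int:
    """Collapse a UTC timestamp to its minute. Infected hosts with synchronised
    clocks share the bucket and therefore compute the same domain list."""
    return int(epoch_seconds) // 60


def generate_domain(bucket: int, attempt: int) -> str:
    """Illustrative DGA: hash (minute bucket, attempt number) into a domain.
    The seed string and layout are assumptions, not PE_LICAT.A's function."""
    seed = b"illustrative-dga" + bucket.to_bytes(8, "big") + attempt.to_bytes(4, "big")
    h = hashlib.sha256(seed).digest()
    length = 8 + h[0] % 8                                   # label of 8..15 letters
    label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
    return f"{label}.{TLDS[h[-1] % len(TLDS)]}"


def candidate_domains(epoch_seconds: int, max_attempts: int = 800) -> List[str]:
    """The up-to-800 candidates one infected host walks through in a given minute."""
    bucket = minute_bucket(epoch_seconds)
    return [generate_domain(bucket, i) for i in range(max_attempts)]


def sign_payload(body: bytes, key: bytes = PAYLOAD_KEY) -> bytes:
    """Operator side: prefix a 32-byte HMAC tag so only operator-made files validate."""
    return hmac.new(key, body, hashlib.sha256).digest() + body


def validate_payload(blob: bytes, key: bytes = PAYLOAD_KEY) -> Optional[bytes]:
    """Victim side: return the body only if the tag checks out. This is the step
    that stops a sinkholed domain from simply serving a replacement file."""
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def update_loop(domains: List[str],
                resolver: Callable[[str], Optional[bytes]]) -> Optional[Tuple[int, str, bytes]]:
    """Model of the infector's routine: try each candidate in turn; a dead domain
    (resolver returns None) or a file that fails validation is skipped, and the
    first validated file ends the loop. Returns (attempt, domain, body) or None."""
    for attempt, domain in enumerate(domains):
        blob = resolver(domain)
        if blob is None:
            continue
        body = validate_payload(blob)
        if body is not None:
            return attempt, domain, body
    return None


def blocklist_for_window(start_epoch: int, minutes: int, max_attempts: int = 800) -> Set[str]:
    """Defender side: with the algorithm known, enumerate every domain the
    infector could try across a time window for DNS blocking or sinkhole registration."""
    first = minute_bucket(start_epoch)
    return {generate_domain(first + m, i) for m in range(minutes) for i in range(max_attempts)}


if __name__ == "__main__":
    now = int(time.time())
    today = candidate_domains(now)
    # Constructed "Internet": only the fifth candidate is live and serves a signed file.
    live = {today[4]: sign_payload(b"MZ...stand-in payload")}
    print(today[:3])
    print(update_loop(today, live.get))
    print(len(blocklist_for_window(now, 60)), "domains to block for the next hour")
```

The two halves of the model are the practitioner's takeaways: because the list depends only on the clock, `blocklist_for_window` gives a defender the same foresight the operators have, but because of `validate_payload`, registering one of those domains ahead of the malware only denies the operators that slot; it does not let anyone push a cleanup file to the victims.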
Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™, which detects and blocks the said file infector from running. CTO Raimund Genes talks more about this protection in How Analyzing a New Virus Can Lead to Multiple Protections.
Analysis of this threat is ongoing and further details will be provided when they become available.
Update as of October 11, 2010 12:10 p.m. UTC
PE_LICAT.A uses the domain generation algorithm to try to reach a live URL. From our monitoring, PE_LICAT.A downloads TSPY_ZBOT.BYZ, a ZeuS variant. Even more interesting, apart from its info-stealing routines, TSPY_ZBOT.BYZ also decrypts and executes PE_LICAT.A-O's code in memory. More information about this threat and its relation to ZeuS can be found in the blog entry, ZeuS Ups the Ante with LICAT.