McAfee Avert Labs Blog

It has been almost a year since the rogue antivirus products, a.k.a. scareware, became rampant.  These Trojan families are typically spread via Drive by downloads, SEO poisoning, Spam campaigns and clever social engineering.
Having these methods discussed in earlier blogs, today we will look into the protection mechanisms adopted by these fake alerts Trojan families to evade detection from antivirus vendors.

• Code obfuscation using junk instructions

In the above screenshot, lots of junk code is visible between valid instructions. Usage of junk instructions is being used widely across Fake Alert families.

• Fake API calls

The screen shot shows the usage of API called SetArcDirection which is not necessary in the code. These kinds of unnecessary APIs are used by malware to defeat emulation. Sometimes, API calls that don’t exist are also used by these families to check if they are being emulated.

• Customized packer

Lot of fake alert families uses their own custom packers, encryption routines.  Some of the families patch the existing packers.

• Use of XMM and MMX instruction sets

Usage of XMM, MMX and FPU instructions which are not needed in the code along with the other junk code are also utilized by most of the fake alert families.

The techniques discussed above are not something very new and has been used in notable malware. But fake alert Trojans use these evasion techniques to there full potential with every new variant. Just when we thought we’re seeing a decline in adware and spyware – fake alert Trojans families have stepped in to claim the scum of the Internet tag.

A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a common rootkit that is mostly associated with FakeAlert and DNSChanger Trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection and cleaning for this rootkit is Generic Rootkit.d. The techniques of this threat are well known now. It basically uses inline hooks on IofCallDriver, IofCompleteRequest, NtFlushInstructionCache, NtEnumerateKey, etc. This Trojan removes permissions from its registry entries as well.

The malware has a hidden sys file in the system32\drivers directory with a name like skynet*.sys. One can use a rootkit analysis tool or just windbg to restore the inline hooks installed by the malware. Even though the malicious file is no longer hidden after hook restoration, the malware can recreate the file after its deletion. It is common that malware try to “watch” or recreate their components but the curious thing was that File Monitor (filemon) did not show any activity and other API-tracing approaches also didn’t point to anything that could explain the rebirth of this file.

Taking a closer look, we found that the malware uses one of the delayed system worker threads to call, at regular intervals, ZwCreateFile in a loop created using KeDelayExecutionThread. The following figure shows the relevant malware code and thread.

This explains how the file is recreated after its deletion. This thread also watches the malware’s registry. This thread continuously restores the system service descriptor table (SSDT) using the code shown below. So any tracing utility that hooks SSDT to monitor activity would not work.

If it were just SSDT rewriting, then filemon should have reported the file activity. But the malware also removes all filesystem filter drivers; because filemon also uses a filesystem filter, it didn’t report anything. The figure below shows the device stack before and after infection. Note that all filters are removed after infection.

And here is the code that removes attached filters.

Actually the attached device field only for NTFS is nulled out, and the rest of the stack remains dangling.

Figure 3 also shows that not only is the filemon filter driver removed but even the Filter Manager has been effectively removed. Removing all filters and rewriting SSDT will thwart analysis tools that use these techniques but may also break other software as well. Obviously it does not matter to malware as long as its rootkit works in a stealthy manner in most environments. It’s a tradeoff that many malware make and this one has made its choice.

The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.

Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!

But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.

A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.

And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams.

With more than 15 percent of the traffic from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not so tech-savvy users on Orkut. They have updated the user profiles of several thousands of compromised Orkut accounts, which now link to various phished websites. These lure visiting users into divulging their personal information.

Various phished websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousands of Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.

We have observed scores of websites being used in this phishing attack. Here are a few of them:

• http://orkutsexlogi[blocked].tk
• http://s3x[blocked].kilu.de
• http://orkutst[blocked].tk
• http://album[blocked].kilu.de
• http://priya[blocked].freehostia.com

If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de.

When run, the password-stealing Trojan queries for the infected host’s IP address using three web-based IP address-lookup services. It then makes a SQL query over TCP to post stolen passwords to a server in China. This is a part of the actual SQL query to log into the malicious SQL server:

Provider=SQLOLEDB.1;Password=168520564;Persist Security Info=True;User ID=mengmeng;[REMOVED]

mengmeng has been malicious, and what’s more, was careless to leave his login credentials in the open. Please keep your DATs updated to stay secure!

So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely:

http://www.leader.ir/
http://president.ir/
http://www.irib.ir/
http://www.iribnews.ir/

and some specific URLs on those domains.

No guys, that’s not the right path and, as it is a malicious activity, we are detecting the tools being distributed to create this DDoS. In my opinion, I doubt that it would cause much damage, since this looks more like a media thing than a huge DDoS attack. The applications use old techniques and unless there are lots of “followers,” I don’t think that it will cause much impact. We will continue to monitor the situation.

Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.

Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms can lead to full-blown havoc–or, at a minimum, a very bad day.

So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

A) Most USB devices that you can plug into your computer that have storage

If you answered A, you’re right! (That wasn’t hard, was it?)

How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into the USB connectors so that they seal off access completely. This may not be the best way to solve the problem (think disabling AutoPlay, up-to-date antivirus, enabling a firewall, etc.).

But going down the road to prevention, however, is not the point I’m trying to make. There is already a myriad of advice on the Internet for that. All I am trying to say is that the spread of AutoRuns can go beyond the USB drives we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.

Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.

Yes, it is just another password-stealing Trojan. No need to get too excited. And, yes, we already detect this malware–as PWS-Banker.gen.i.

As we foresaw, spammers have used the Air France AF447 disaster to catch people’s attention and prompt them to open fake news emails related to this event. Less than two weeks after the crash, the firsts emails started to spread. We’ve seen the following subjects:

• A-330 blackbox record
• Another plane crushed
• Last seconds of plane

When opened, all these emails display advertisements promoting Canadian pharmacy products such as Viagra and Cialis.

Two days ago, we saw several million spam messages with these subjects. Today this number is only half as big.

As usual, these spammers are disrespectful and do not hesitate to use the most shocking events to promote their shady businesses.

I thank my colleague Adam Wosotowsky for his invaluable assistance with this post.