Chris Mannon: May 2008 Archives

Content Match OVERLOAD

You've seen it a thousand times before in malware infections.  A Trojan Downloader installs another Trojan Downloader, which installs blah blah blah, until you have a Russian Doll scenario.  By the time you notice you're being attacked, it's probably already too late.  The trojan in question here is called Trojan.Bind.

[Image: added.PNG]

And that's just what was installed before my PC started giving me "Virtual Memory Low" messages.  The threats installed here range from a harmless hijacked start page, to a new BHO in your browser, to a rootkit that's designed to sniff around the network of the infected PC.  To name just a few, the known threats installed by Trojan.Bind include:

AntiArp
Borlan
Cinmeng
CINMUS
IE Invoker
IESuper
PCI.Load
QQPass
Sogou

Most of the infections installed by this trojan are known, but there is really no perfect way to prevent it.   The best way to keep this from happening to you is to MIND YOUR CLICKS.  Don't click anything unless you're sure you know what it is.  Most malware these days comes from China.  So if you look down at the bottom of the browser and see "http://www.blahblah.CN" (emphasis on the .cn part), be cautious.

The next thing you should do is make sure you have the latest definitions for your anti-virus or anti-malware application.  It is a CONTINUOUS struggle to fight all the baddies that are after your computer.  Whether it's for theft or just plain destruction, one click can lead to a disaster for you and your computer.  We currently detect and remove all the threats installed by this trojan.

INTERESTING SIDE NOTE:  While testing this trojan, the fan on my PC started making awful noises, then subsequently passed away.  Coincidence?


Misleading Download Accelerators...as seen on TV


So I was wandering around SiteAdvisor and came across this site.

[Image: page.PNG]

Orly?  What channel?  These guys have been pushing their application as a download accelerator for torrent clients like uTorrent.  According to the description seen above, it also does everything but get you a cup of coffee.  If you actually download and run the file "setupclickhere.exe", you'll soon discover you've been had.  Instead of defying the internet and downloading at 100Mb, you'll be given a FREE hidden application that surfs to affiliate links of the designer's choosing.


[Image: app.PNG]

As you can see, the attacker has chosen these 5 links to legit sites through an affiliate network.  How are these links chosen, you ask?  Well, upon running the threat, it goes to another website related to coolfreedownloads.net, where it's just a simple matter of changing the text in an HTML file (http://www.{BLOCKED}com.info/info1.htm).  This lets the attacker change which affiliate links his victims are sent to, in order to make the most profit.

Of course the victim is hardly aware of the attack since the pages are surfed through hidden Internet Explorer pages.  Don't panic though!  If you think you've been infected by this program you can run our extremely nifty online scanner!  We detect this threat as HighSpeedTorrent.

MSNAgent attempts to hide from security analysts


Recently I came across a threat facing MSN messenger users that employs extremely devious means of infection.  The actual executable for this MSN worm is hidden in a .jpg file.

[Image: picture.PNG]

The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.

The thing that makes this so interesting is the lengths to which the attacker is willing to go in order to hide from detection by commonly used security applications.  Only by using certain tools can you see the threat running behind the scenes.  Here you can see an ominous, almost-legitimate-looking application running called "MSNAgent".

[Image: txtfile.PNG]

MSN Agent starts up when the computer boots up.

MSNAgent has the ability to connect to a remote server for the purpose of stealing your MSN username and password.  The file "gf1008.exe" is originally saved in the Temporary Internet Files folder to avoid too much suspicion.  It's on the Desktop in this example for the purposes of testing.

[Image: autostart.PNG]

This is shown to the user whenever the computer is restarted.

Taking a closer look at gf1008.exe shows you the following:

[Image: bintext.PNG]

You can see here that this file is directly related to the autostart value "MSNAgent".  It also shows us that it's trying to make a connection to a remote server, as well as get the user to change their password, presumably for the purpose of phishing the user.

Attempting to find this threat running with other free security apps might be a problem.

HijackThis:

[Image: hijackthis.PNG]

Regcrawler:

[Image: regedit.PNG]

MSNAgent can't be found in the registry through traditional means either.

HijackThis is one of the common security applications used to verify whether there is an infection when users try to get help from other users on a forum.  Most of the time, a HijackThis log is the first step when trying to find the threat.

Never fear though.  We detect this threat as MSNAgent.  Using our Microscanner should reveal if you are currently under surveillance.
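As an added example (not code from the original post), here is a Python check for the trick described above: a file named like a picture whose bytes are actually a Windows executable. It classifies a file by its magic bytes, recognizing a PE by the standard "MZ" stub and the e_lfanew pointer to the "PE\0\0" signature, and flags any file whose extension claims an image but whose content is a PE. The sample file contents are constructed, not taken from the real sample.

```python
import struct

# Magic bytes for the image formats this check understands.
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(data: bytes) -> str:
    """Classify content by what the bytes are, ignoring the file name entirely."""
    if is_pe_executable(data):
        return "pe"
    for magic, kind in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def masquerading(filename: str, data: bytes) -> bool:
    """Flag a file whose name claims an image extension but whose bytes are a PE."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTENSIONS and classify(data) == "pe"

def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ stub plus PE signature, not a real program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> the bytes right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG/JFIF header

def scan(files: dict) -> list:
    """Return the names of all files that are executables dressed up as images."""
    return sorted(name for name, data in files.items() if masquerading(name, data))

if __name__ == "__main__":
    sample = {"picture.jpg": build_fake_pe(), "holiday.jpg": REAL_JPEG}
    print(scan(sample))  # ['picture.jpg']
```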



OKOK.exe is not okay - okay?


The biggest threat companies are facing today is corporate espionage. Even the most secure networks aren't 100% safe, but there are ways network administrators can spot a worm or attacker before the damage is done. Recently I came across a worm that has the potential to report a network's internal infrastructure back to the attacker, using a service related to Backdoor.CVM.
The infection begins like it usually does. Someone clicks something they shouldn't. Regardless of how it happens, the results are the same.
[Image: http://blog.spywareguide.com/upload/2008/05/total-thumb.PNG]
You can expect to see this many added/modified files across your network if this worm has its way.

The worm's first order of business is to contact the site hosting the malicious content. This particular variant phoned home to http:// 513389.cn/kk.txt. From there it downloads 34 executable files, the last of which is okok.exe. Once okok.exe is saved to the infected machine as C:\Windows\System32\Microsoft\svchost.exe, it sends out an ARP broadcast to map the network.

[Image: http://blog.spywareguide.com/upload/2008/05/svchostdumped-thumb.PNG]
Svchost.exe (okok.exe) sends out an ARP broadcast across the network.

After that it's only a matter of time until more and more computers on the network start displaying similar network activity. We detect this threat as OkOk.
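An added example (not part of the original post): detection logic a network administrator could run over ARP request records to catch the mapping behaviour described above. A host that asks "who has" for many distinct addresses within a short window is flagged, while hosts resolving a few peers are not. The request log, addresses and thresholds below are constructed sample data and assumptions, not captures from the real worm.

```python
from collections import defaultdict, deque

# Constructed ARP request log: (seconds, sender_ip, target_ip) per "who-has" frame.
# 10.0.0.5 sweeps the whole subnet the way a mapping worm does; 10.0.0.7 and
# 10.0.0.9 only resolve a couple of peers, which is what normal hosts look like.
ARP_REQUESTS = (
    [(0.0, "10.0.0.7", "10.0.0.1"), (0.4, "10.0.0.9", "10.0.0.1"), (1.2, "10.0.0.9", "10.0.0.7")]
    + [(2.0 + i * 0.05, "10.0.0.5", f"10.0.0.{i}") for i in range(1, 60)]
    + [(9.0, "10.0.0.7", "10.0.0.9")]
)

def find_arp_sweepers(requests, window=5.0, threshold=20):
    """Return {sender_ip: first detection time} for hosts that ask for at least
    `threshold` distinct targets within any `window`-second span.

    Each sender keeps a sliding deque of (time, target); once the number of
    distinct targets inside the window reaches the threshold, it is flagged.
    """
    recent = defaultdict(deque)   # sender -> (t, target) pairs inside the window
    flagged = {}                  # sender -> time the sweep was first detected
    for t, sender, target in sorted(requests):
        q = recent[sender]
        q.append((t, target))
        while q and t - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        distinct = {tgt for _, tgt in q}
        if len(distinct) >= threshold and sender not in flagged:
            flagged[sender] = t
    return flagged

if __name__ == "__main__":
    for ip, when in find_arp_sweepers(ARP_REQUESTS).items():
        print(f"{ip} flagged at t={when:.2f}s: ARP sweep in progress")
```

The threshold and window should be tuned to the segment's normal ARP rate; a DHCP server or a monitoring box will legitimately resolve more peers than a workstation.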

About this Archive

This page is an archive of recent entries written by Chris Mannon in May 2008.
