Research: June 2008 Archives

Sysda Act

| | Comments (0)
Oh hi there.  Apologies for the Whoopee movie reference, but its hard to come up with something catchy.  This latest threat coming through the Facetime Security Labs steals passwords related to chinese sites.  This is not really a threat to most businesses in the US, but judging from the malware trend coming from China and spreading to the rest of the world I'd say its only a matter of time before we start seeing the same method of theft.  The name of this new threat has been named SysdaSysda lies dormant until a certain site is navigated to.  This site is generally related to when a user attempts to change their password for the site.  After that it simply posts the information back to the attacker.  Users should be on the look out for a file called "sysdajchv.dll".  All it really needs is to hook into iexplore.exe to steal your user credentials. 

crack.PNG
The above illustrates that Sysda is attempting to steal login credentials to Sohu.com.  Whether this is simply a new way to phish for information, or something more sinister along the lines of fraud are still unclear at this point.  I'll let you know what I found out.

SoundBot Exploits Network Vulerabilities

| | Comments (0)
Hey there.  It is time for another thrilling adventure into the world of security threats.  This time I'll be going over a worm we like to call SoundBot.  This worm has the potential to leak sensitive information to the attacker about the victim's network infrastructure.  It manages to do this by not only blocking many of the security applications designed to detect it, but also by using legitimate processes that make removal difficult.

The main culprit in this infection is a file called Soundman.exe.  If you see this file on your computer don't panic just yet.  Its also a legitimate process.  Here are some things you should watch for:

One of the first things SoundBot does is disable any type of program that would detect or remove it.  It uses 2 separate methods to do this.  When installed, it disables several legit services related to security applications such as:
kmailmon.exe
kavstart.exe
shstat.exe
runiep.exe
360safe.exe
360tray.exe
cacls.exe
ccenter.exe
rav.exe
iris.exe
vpcmap.exe
vmsrvc.exe
vmusrvc.exe

It also sets up Image File Execution Options to make sure if the processes are restarted they are ineffective.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe       
...360safe.exe       
...360safebox.exe       
...360tray.exe       
...CCenter.exe          
...KPPMain.exe       
...KWatch.exe       
...QQDoctor.exe       
...QQKav.exe       
...RavMon.exe       
...RavMonD.exe       
...safeboxTray.exe
AND finally,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe    Debugger    "SoundMan.exe"

This shows us that Soundman.exe is ran instead of ctfmon.exe whenever executed.  This is an effective way of making sure the worm file is ran.  This effectively removes the need to have an Autostarter value (which are common investigative techniques used when attempting to pinpoint the actual infection in a forum environment).


soundman.PNG This is a closer look at the actual worm file.  Upon closer inspection of Soundman.exe we see that it is iterating through a common network structure looking for open ports.  This gives the attacker certain advantages when/if he ever decides to infiltrate the victim's network.

endpoint.PNGThe above picture depicts just exactly what is going on while Soundman.exe is running.  It makes ARP requests and epmap requests throughout the entire network looking for potential holes.

A malware infection  just wouldn't be a malware infection unless it phoned home to install numerous other infections.  Soundbot is no different.  It contacts a site to download a .jpg file that is no mere picture file.  It is actually collection of download links to more bad files.

jpg2.PNG
The final blow to this worm is dealt by another file that poses as a legitimate process.  It creates a service called "helpsvc" related to another file that intializes soundman.exe.

helpsvc.PNG
Network administrators should look for any unnecessary or suspicious traffic happening on their network as explained above.  If you suspect your organization is under attack from this threat, then I suggest using our handy MicroScanner!








Pages

About this Archive

This page is a archive of entries in the Research category from June 2008.

Research: May 2008 is the previous archive.

Research: August 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.