Recently in Worms Category

SoundBot Exploits Network Vulerabilities

| | Comments (0)
Hey there.  It is time for another thrilling adventure into the world of security threats.  This time I'll be going over a worm we like to call SoundBot.  This worm has the potential to leak sensitive information to the attacker about the victim's network infrastructure.  It manages to do this by not only blocking many of the security applications designed to detect it, but also by using legitimate processes that make removal difficult.

The main culprit in this infection is a file called Soundman.exe.  If you see this file on your computer don't panic just yet.  Its also a legitimate process.  Here are some things you should watch for:

One of the first things SoundBot does is disable any type of program that would detect or remove it.  It uses 2 separate methods to do this.  When installed, it disables several legit services related to security applications such as:
kmailmon.exe
kavstart.exe
shstat.exe
runiep.exe
360safe.exe
360tray.exe
cacls.exe
ccenter.exe
rav.exe
iris.exe
vpcmap.exe
vmsrvc.exe
vmusrvc.exe

It also sets up Image File Execution Options to make sure if the processes are restarted they are ineffective.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe       
...360safe.exe       
...360safebox.exe       
...360tray.exe       
...CCenter.exe          
...KPPMain.exe       
...KWatch.exe       
...QQDoctor.exe       
...QQKav.exe       
...RavMon.exe       
...RavMonD.exe       
...safeboxTray.exe
AND finally,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe    Debugger    "SoundMan.exe"

This shows us that Soundman.exe is ran instead of ctfmon.exe whenever executed.  This is an effective way of making sure the worm file is ran.  This effectively removes the need to have an Autostarter value (which are common investigative techniques used when attempting to pinpoint the actual infection in a forum environment).


soundman.PNG This is a closer look at the actual worm file.  Upon closer inspection of Soundman.exe we see that it is iterating through a common network structure looking for open ports.  This gives the attacker certain advantages when/if he ever decides to infiltrate the victim's network.

endpoint.PNGThe above picture depicts just exactly what is going on while Soundman.exe is running.  It makes ARP requests and epmap requests throughout the entire network looking for potential holes.

A malware infection  just wouldn't be a malware infection unless it phoned home to install numerous other infections.  Soundbot is no different.  It contacts a site to download a .jpg file that is no mere picture file.  It is actually collection of download links to more bad files.

jpg2.PNG
The final blow to this worm is dealt by another file that poses as a legitimate process.  It creates a service called "helpsvc" related to another file that intializes soundman.exe.

helpsvc.PNG
Network administrators should look for any unnecessary or suspicious traffic happening on their network as explained above.  If you suspect your organization is under attack from this threat, then I suggest using our handy MicroScanner!








MSNAgent attempts to hide from security analysts

| | Comments (0)

Recently I came across a threat facing MSN messenger users that employs extremely devious means of infection.  The actual executable for this MSN worm is hidden in a .jpg file.

 

picture.PNG

The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.

 

The thing that makes this so interesting is the length at which the attacker is willing to go in order to hide themselves from detection of commonly used security applications.  Only by using certain tools can you see the threat running behind the scenes.  Here you can see an ominously almost legitimate application running called "MSNAgent".

 

txtfile.PNG

MSN Agent starts up when the computer boots up.

 

MSNAgent has the ability to connect to a remote server for the purposes of stealing your MSN username and password.  The file "gf1008.exe" is originally saved in the Temporary Internet Files to avoid too much suspicion.  Its on the Desktop in this example for the purposes of testing. 

 

autostart.PNG

This is shown to the user whenever the computer is restarted.

 

Taking a closer look at gf1008.exe shows you the following:

bintext.PNG

You can see here that this file is directly related to the autostart value "MSNAgent".  It also shows us that it's trying to make a connection to a remote server as well as get the user to change their password presuming for the purpose of phishing the user.

 

 

Attempting to find this threat running with other free security apps might be a problem.

 

Hijackthis:

 


Thumbnail image for hijackthis.PNG

 

Regcrawler:


Thumbnail image for regedit.PNG

MSNAgent can't be found in the registry through traditional means either.

 

Hijackthis is one of the common security applications used to verify if there is an infection when users try to get help from other users on a forum.  Most of the time, Hijackthis is the first step when trying to find the threat.

 

Never fear though.  We detect this threat as MSNAgent.  Using our Microscanner should reveal if you are currently under surveillance.



An MSN Worm appears to be in the wild which retains some of the functionality of a worm mentioned here, but with some additional features (such as sending spam, for example).

Initially, it sends the victim a message regarding Myspace (in our testing, this was the only message it sent, unlike the worm linked above which had numerous options to choose from):

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn1-thumb.jpg
Click to Enlarge

Before you know it, you'll be sending lots and lots of spam - I hope your friends are looking for high quality luxury watches:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn2-thumb.jpg
Click to Enlarge

Finally, the payload drops a file onto the computer that attempts to execute remote code - it seems they're attempting to exploit victims with this.

Here's the (randomly named) file in question that causes this, deposited into your System32 Directory:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn3-thumb.jpg
Click to Enlarge

We detect this as MN.Spooler.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

NextDoor Worm Spreads across MSN

| | Comments (0)

There is a lot of talk out there in the Ether about worms that are spreading through MSN clients and adding unsuspecting users to their botnet. These kinds of attacks are among the most dangerous, and pose a very real security threat. It doesn't take much of an imagination to think that these attackers will DDoS attack their enemies. There are dozens of these kinds of worms floating out there however. FSL recently uncovered one we dub, NextDoor. Like the other worms of its kind, once it is on the infected PC it will attempt to contact all contacts in order to infect more users. The difference in these worms is what they do to the victim after they have been attacked. Some will simply show advertisements or a wide variety of porn; others tend to log keystrokes of the victim in order to learn very sensitive information like passwords or credit card information. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long distance calls.

First you will see a suspicious looking message with a .zip attachment.

http://blog.spywareguide.com/upload/2007/11/chat-thumb.PNG
Party_jpg.zip contains www.Party_jpg_Msn.com.

Of course your involvement after this step isn't necessary. From here the worm commences with its attack.

http://blog.spywareguide.com/upload/2007/11/IRC-thumb.PNG
NextDoor creates a connection to an IRC channel and begins to pull down infected files using FTP.

Now we see what has been installed onto the victim's machine.

http://blog.spywareguide.com/upload/2007/11/cdrive-thumb.PNG
The file with the ominous looking icon is the dialer that is installed by this worm.

http://blog.spywareguide.com/upload/2007/11/windows-thumb.PNG
The actual MSN worm is stored in the Windows Directory.

http://blog.spywareguide.com/upload/2007/11/sys32-thumb.PNG
These 2 files are involved in setting up an FTP connection with the attacker.

Now that your computer is entirely infected, Carlson Dialer begins its main function.

http://blog.spywareguide.com/upload/2007/11/call-thumb.PNG
It geographically finds the victim's IP address and associates it with a country code.

This is what it would look like in a regular browser...

http://blog.spywareguide.com/upload/2007/11/dialer-thumb.PNG

To get an idea of how recently this worm was updated...

http://blog.spywareguide.com/upload/2007/11/end-thumb.PNG
The infection that FSL came across first has been around his Nov. 26 2007.

Those aren't normal .jpgs either. Those are dialers that use the JPG vulnerability.
http://blog.spywareguide.com/upload/2007/11/picture-thumb.PNG
Each .jpg file on the attacker's site uses the JPG vulnerability.

Facetime currently protects against this threat as well as the dialers it installs.

Sometimes we obtain files and they just sit there, doing nothing. Here's a case where we went back for a second look and lots of IRC activity eventually kicked into life. This particular infection takes place as follows:

1) The bad guys infect your PC with an initial infection link, dropping you into a Botnet.

http://blog.spywareguide.com/upload/2007/09/insidejtworm-thumb.jpg
Click to Enlarge

2) The Botnet is fired up periodically and they deposit a collection of Zipfiles (each containing more infections) onto your PC.

http://blog.spywareguide.com/upload/2007/09/zipstorage1-thumb.jpg
Click to Enlarge

3) Infection commands are then sent via IRC to tell the infected PC to send your contacts infection links to the Zipfiles stored in your Windows directory.

http://blog.spywareguide.com/upload/2007/09/msnjt_replacement-thumb.jpg
Click to Enlarge

Some of the infection messages include

"Look at my new dancing movie"

"Look at me doing the moonwalk!!"

"Look what I found, more nude pictures of Justin Timberlake!"

We detect this (naturally enough) as JT.Moonwalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, Senior FSL Senior Threat Researcher

Bubbles...For Kids!

| | Comments (1)

The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC, and these 4 files are copies of the main executable:

http://blog.spywareguide.com/upload/2007/09/hiddenfiles-thumb.PNG

Click to Enlarge

That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:

http://blog.spywareguide.com/upload/2007/09/runescape-thumb.PNG

Click to Enlarge

For those not aware, Runescape is a MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking for not only "runescape", but a "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN to their game bank? Whether its to simply loot your gold, or sell the PIN on illegal forums is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll.

http://blog.spywareguide.com/upload/2007/09/syswinf-thumb.PNG

Click to Enlarge

Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.

http://blog.spywareguide.com/upload/2007/09/skypemsg-thumb.PNG
Click to Enlarge

Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together what do you get? You get a worm/keylogger that spreads through skype contacts and targets the teenagers that play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher

As mentioned on the Official Skype Blog, there is indeed a new worm in the wild - someone, somewhere came up with w32/Ramex.A as a name but I thought "Bubbles" was more appropriate, as you'll see.

Everything starts with a user downloading this file:

http://blog.spywareguide.com/upload/2007/09/skyper1-thumb.jpg
Click to Enlarge

Presented as an imagefile in the infection message, it's actually an .scr file - and no, that's not good.

skyper2.jpg


This file has been compressed to perfection:

http://blog.spywareguide.com/upload/2007/09/skyper6-thumb.jpg
Click to Enlarge

....yep, that's 2k infection file. Yet there's a whole lot of trouble in such a small package:

http://blog.spywareguide.com/upload/2007/09/skyper5-thumb.jpg
Click to Enlarge

...as you can see, the Worm tries to fool you into thinking someone really is on the other end by sending you what looks like fragments of a continuing conversation, finishing with a supposedly accidental sending of an image you're "not supposed to see".

Got to love that social engineering.

Here's a sample of some of the infection messages sent by the worm:

http://blog.spywareguide.com/upload/2007/09/skyper3-thumb.jpg
Click to Enlarge


But why did we call it "bubbles"? Easy, this is what you see when you attempt to open the .scr for the first time:

http://blog.spywareguide.com/upload/2007/09/skyper4-thumb.jpg
Click to Enlarge

Apparently, not everyone sees the bubbles when they run this file. I bet they really feel like they're missing out...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

The Net has a long history of hoaxes and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or avoiding the gaze of the all seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes, and tie it into an actual infection. There's an MSN network instant messenging infection currently on the prowl that has a little fun at the good guy's expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the below appear on your screen:

http://blog.spywareguide.com/upload/2006/09/fantvcard4-thumb.jpg
Click to Enlarge

Click the link, and you're taken to the below website:


http://blog.spywareguide.com/upload/2006/09/fantvcard1-thumb.jpg

Click to Enlarge

Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

http://blog.spywareguide.com/upload/2006/09/fantvcard3-thumb.jpg
Click to Enlarge

...confused yet?

Allow me to explain. Rewind back to the infection site - it speaks of a "virtual card for you". Examine the URL the strange heart-picture comes from - Quatrocantos, a well known site dedicated to exposing online web hoaxes. That's right - the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax...and tying it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, Mcafee, Trend Micro, and F-Secure all warning this is a hoax and the rest of the sites are very well known and trusted hoax busting sites. The criminal taps into three layers of trust using a hoax which is pretty sophisticated behavior and pretty rarely seen. You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news...(See Addendum At Bottom)

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Back to the entry and analysis from Paperghost....

The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?

From Wikipedia:

(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.

So, an interesting concept. But as we saw with Myspace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general. The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.

It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese. Following up a hot tip from this guy (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regards trying to pin it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad-guys were pushing it. Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).

The source of the problem are these two nasties (disguised as images), created in the System32 folder by a rogue executable file:

orkfiles1.jpg

Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:

"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"

A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"

This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.

The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.

They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending isn't allowed:

"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests."

However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating Spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:

http://blog.spywareguide.com/upload/2006/06/orkfiles2-thumb.jpg
Click to Enlarge

...and this:

http://blog.spywareguide.com/upload/2006/06/orkfiles3-thumb.jpg
Click to Enlarge

During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.

Now that's pretty freaky.

Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:

http://blog.spywareguide.com/upload/2006/06/orkfiles4-thumb.jpg
Click to Enlarge

Yay, I'm file-sharing pirated content!

As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:

flmtckr1.jpg Click here to download movie (2.90 MB)

00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.

00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).

00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?

00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!

http://blog.spywareguide.com/upload/2006/06/orkfiles5-thumb.jpg
Click image to Enlarge

Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.

Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.

ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propogated on the 16th...however the infection message is timestamped as having been sent on the 14th of June:

http://blog.spywareguide.com/upload/2006/06/orkfiles6-thumb.jpg
Click to Enlarge


http://blog.spywareguide.com/upload/2006/06/orkfiles7-thumb.jpg

Click to Enlarge

ADDENDUM Saturday, 17 2006 Happy Endings for Orkut

From CNET:


Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

About this Archive

This page is a archive of recent entries in the Worms category.

Videogames is the previous category.

Find recent content on the main index or look in the archives to find all content.