
October 15th, 2009

Kavo – a neverending story?

Hello again. This time I would like to present the story of one successful malware family. Why successful? Because some time ago it established a new way of spreading, and mainly because it has always scored very well in our statistics of malware detected in the wild. And what is Kavo? The name is derived from the filenames of some binaries used by the family (kavo0.dll, kavo1.dll etc.). The same family is known under other names such as Oliga, Kavos, Kamso, OnLineGames and Taterf.

Well, let's start the story of Kavo. We have to go more than two years back in time to see the first attempts of the Kavo author to raise his online-games password stealer. It was roughly the time when rootkits became quite popular, so the author wrote a rootkit and a user-mode binary intended to drop the rootkit and make some additional changes to the system (described later). He also wrote or bought his first obfuscator to protect the binary and to carry the server-side polymorphism. Great, the payload is ready; now, how to spread it? The most efficient way has probably always been the exploitation of OS weaknesses, and the Kavo author decided on autorun. This function was enabled on all drives by default (by the way, I could never understand why anything should be auto-run from an HDD or a pen drive with default OS settings), so why not abuse it? This way proved its efficiency, and a huge number of computers got infected quickly through the exchange of pen drives (borrowing between friends, plugging them into different computers in a net cafe etc.). Kavo was the first malware family that used this way of spreading so massively (the same way was used later by Conficker, Virut and some others). What is bad is the fact that this way of spreading is still relatively successful nowadays.
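As an added example (not code from this post, nor anything taken from the Kavo binaries), here is a small Python triage script for the autorun.inf files that this kind of worm drops on removable drives. It parses the INI-like format tolerantly, since worm-dropped files often pad the section with junk lines, and reports which directives would start a program on a stock Windows XP machine with autorun enabled. The two sample files it carries are constructed for illustration, and the file name uzbx.exe is a placeholder, not a known Kavo filename.

```python
"""Triage of autorun.inf files on removable media.

Added example written for this page, not code from the avast post or from
the Kavo family itself. The samples below are constructed; "uzbx.exe" is a
placeholder, not a real Kavo filename.
"""
import os
import re

# [autorun] keys that directly name a program to run.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program> rewrites the context-menu verbs, so even a
# cautious user who right-clicks and picks "Open"/"Explore" runs the payload.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
SECTION_RE = re.compile(r"^\[\s*autorun\s*\]$", re.IGNORECASE)
KV_RE = re.compile(r"^([^=;\[\]]+?)\s*=\s*(.*)$")
# Text that impersonates Explorer's own AutoPlay choice so the malicious
# entry looks like the normal "open folder" action.
EXPLORER_TEXT_RE = re.compile(r"open\s+folder", re.IGNORECASE)


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section.

    Lines without '=' (junk padding used to confuse naive parsers) are
    skipped instead of aborting the parse.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = bool(SECTION_RE.match(line))
            continue
        if not in_section:
            continue
        m = KV_RE.match(line)
        if m:
            entries[m.group(1).strip().lower()] = m.group(2).strip()
    return entries


def triage(text):
    """Classify one autorun.inf body.

    Returns a dict with:
      executes        - list of (key, program) pairs that launch code
      mimics_explorer - True if action=/label= imitate Explorer's own choice
      verdict         - "executes" or "passive"
    """
    entries = parse_autorun(text)
    executes = [(k, v) for k, v in entries.items()
                if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]
    mimics = any(EXPLORER_TEXT_RE.search(entries.get(k, ""))
                 for k in ("action", "label"))
    return {
        "executes": executes,
        "mimics_explorer": mimics,
        "verdict": "executes" if executes else "passive",
    }


def triage_drive(root):
    """Triage <root>/autorun.inf if present; None when the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return triage(fh.read())


# Constructed samples (not real captures).
VENDOR_CD_INF = """[autorun]
icon=setup.exe,0
label=Printer Driver CD
"""

WORM_INF = """[AutoRun]
;fake comment
sPqkZmTyb
open=uzbx.exe
shell\\open\\Command=uzbx.exe
shell\\explore\\command=uzbx.exe
shellexecute=uzbx.exe
action=Open folder to view files
WnjfDxvq
"""

if __name__ == "__main__":
    for name, body in (("vendor CD", VENDOR_CD_INF), ("worm", WORM_INF)):
        print(name, triage(body))
```

The verdict deliberately stops at "this file executes code": an open= line is normal on a vendor CD, so the media type (pen drive or fixed disk versus CD/DVD) is what turns an "executes" result into an incident. Pointing triage_drive at each mounted root gives the per-drive check.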

After the starting phase the author decided to change the obfuscator (this has been done about five times in the whole Kavo life cycle) and to tighten the coupling between the rootkit and the system. The stable era of Kavo brought no major functionality changes, and the functionality remains relatively unchanged in recent variants. So what does this malware family do?

  • drops a rootkit (klif.sys)
  • drops its user-mode binaries to the system folder
  • drops autorun.inf files and the binaries they launch to each drive (in order to spread itself)
  • injects its own code into explorer.exe
  • injects iexplore.exe to force the update procedures
  • steals passwords for online games

[Figure: explorer injection]

[Figure: updating of Kavo]

The server infrastructure used to update established infections and collect stolen data is something that always amazes me. There seem to be only a few machines handling all the hundreds of thousands of victims. In fact, the servers are quite busy all the time (sometimes even fully overloaded), the download speed of the updates is really low, and the download sometimes does not finish. When I wrote that this malware family is successful, I did not consider the possible earnings from this activity (they are hard to guess anyway). I considered only the rise and the currently running life cycle, which, given the conditions, is a success. Let's note that:

  • the author has never been traced (for more than two years), even though we (and not only we) know where his domains were registered. There is no need to enter any significant credentials when registering a domain, and the servers (maybe the author himself too) reside somewhere in China, which may be a problem for European or US law enforcement.
  • the whole infrastructure runs on almost ridiculous machinery, yet this malware family is able to spread, to react to new AV detections, to change the obfuscator etc.
  • this family is an evergreen. It is still alive and well visible even though there are lots of other widespread malware families (all the rogues etc.)

So that is the current stage of the Kavo story. And what comes next? Unfortunately I think the current activity will still be enough for it to stay alive. I absolutely cannot expect that the author will be traced and imprisoned and all his infrastructure taken down. What do you think? Will this story have some (happy) end? The conclusion for us is: always keep an eye open and watch the steps made by the Kavo author. It is a typical game of cat and mouse.

Categories: analyses, Virus Lab
  1. lordpake
    October 16th, 2009 at 16:53 | #1

    Interesting choice for a name for rootkit file. Incidentally, Kaspersky Labs products also use a mini-filter driver named klif.sys in system32/drivers folder.

  2. October 17th, 2009 at 06:07 | #2

    Hi Michal,

    I am still curious, what is the variant name when detected by avast?

    Regards,
    Yanto Chiang

  3. October 17th, 2009 at 20:02 | #3

    @Yanto Chiang
    From older to newer – Win32:Oliga, Win32:Gamona, Win32:Monga, Win32:Kavos, Win32:Kamso, Win32:Amvo.

  4. October 19th, 2009 at 12:59 | #4

    Do modern-day antivirus suites fully remove or heal it? Are there any specific removal tools for "kavo" out there on the web or by Avast?

  5. October 19th, 2009 at 13:12 | #5

    A question to the Avast team: recently I installed the latest ClamWin antivirus v0.95, and I already have Jiangmin antivirus KV2009 installed on my Win XP SP2 machine. My problem is that Jiangmin antivirus detects a trojan whenever I try to open ClamWin antivirus from Windows start-up. Jiangmin antivirus has deleted "libclamunrar.dll". This pop-up detection nags me every time I try to open ClamWin antivirus. Although I tried reinstalling ClamWin antivirus, the problem persists. Every time I try to open ClamWin antivirus, Jiangmin antivirus simply deletes it, whereas Jiangmin antivirus was quite OK with the older version of ClamWin antivirus v0.93. May I get help from you?

  6. October 19th, 2009 at 15:27 | #6

    @Frankenstein Creative Inc.
    Avast detects this malware family under the names mentioned above and cleans it (in the boot-time scanning stage). Some autorun files may remain (harmless without the proper binary component alongside).

    Your second question is completely unrelated, you should ask in Jiangmin or Clam forums.

  7. John Malon
    October 19th, 2009 at 23:50 | #7

    Since avast knows the websites it uses, can/does avast block access to these sites to prevent infection and/or updates to Kavo?

  8. October 20th, 2009 at 10:03 | #8

    @John Malon
    Yes, these domains are in our URL-blocking list.

  9. Laperuz
    October 21st, 2009 at 02:49 | #9

    What is the location of klif.sys?

  10. October 21st, 2009 at 10:18 | #10

    @Laperuz
    It's \system32\drivers (I guess it's the same location as the one used by the Kaspersky driver, which will probably be replaced in this case).

  11. Razer
    October 23rd, 2009 at 20:57 | #11

    When is Avast going to launch Avast 5? Please tell me so that I can plan my license purchase accordingly.

  12. November 3rd, 2009 at 01:28 | #12

    Just wanted to let you know that I am very pleased with avast. It has already alerted me and destroyed several malware programs that had invaded my laptop, and avast took care of the problem. Thank you for this free antivirus program; it has saved my laptop, and if I had paid for it, it would have paid for itself by now just with those few times it has worked. Keep up the good work, and I have told my family about this product.
