Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Archive for the ‘analyses’ Category
August 1st, 2013

Malicious Bitcoin Miners target Czech Republic

Single BitcoinToday we are going to talk to those of you who use Bitcoin digital currency to pay for a variety of goods and services – along with a warning about yet another source of Bitcoin miners – the sharing services. You may think that if you avoid cracks and keygens while browsing the web you will be safe. Well, we would recommend that you reconsider that position. Recently we found that on the uloz.to file sharing service someone uploaded a lot of fake files containing Bitcoin miners!

Bitcoin Mining service

First a little background for the uninitiated: Bitcoins can be obtained by trading real currency, goods, or services with people who have them or alternatively, through mining. The mining process involves running software that performs complex math problems for which you’re rewarded a share of the income. There are a finite amount of Bitcoins to be had, and mining for them can be compared to extracting gold or diamonds from the earth. The more you get, the fewer there are to be had, so it becomes increasingly harder and more expensive. Here’s a descriptive article about mining.

Bitcoin mining services such as bitminter.com use shared computer resources of their users to mine new Bitcoins. In order to participate, the mining users have to create an account and then register their computers (workers) with the service. Then they simply run the Bitcoin miner program provided with their credentials on as many computers as they have. In the end, if they had enough computation power and time they might end up with a few Bitcoins.

It can be expected that some people will not be satisfied just using their own machines so they will try to use the computing power of unsuspecting victims. And that’s exactly what the authors of this malware are doing: They use hardware that does not belong them to generate more money.

It’s not a Bitcoin problem; it’s a people problem

We must stress that there’s nothing wrong with Bitcoin or its mining services. The problem is that some greedy people are misusing them.

Some of them can be seen on the following image.  The word “cestina” means that the file should contain Czech localization of the referenced program. All of them contain a hidden feature, and sometimes the name is a complete fabrication. For example, The-Night-of-the-Rabbit-cestina.exe contains a crack for Call of Duty 4. Notice too, that all these files have an elevated popularity; no doubt a result of tampering. Some downloaders already suspect something fishy about these files.

Uloz.to malicious filesWarning comment on the sharing server.

Read more…

July 22nd, 2013

Multisystem Trojan Janicab attacks Windows and MacOSX via scripts

On Friday, July 12th a warning from an AVAST fan about a new polymorphic multisystem threat came to an inbox of AVAST. Moreover, an archive of malicious files discussed here were attached. Some of them have been uploaded to Virustotal and therefore they have been shared with computer security professionals on the same day. A weekend had passed by and articles full of excitement about a new Trojan for MacOs started to appear on the web. We decided to make a thorough analysis and not to quickly jump on the bandwagon. The key observation is that the final payload comes in the form of scripts needed to be interpreted by Windows Script Console resp; Python in the case of MacOs. Moreover a script generator that creates new malicious Windows file shortcuts was also included.

Windows version

A chain of events that installs a malicious Visual Basic script on Windows platform looks like this:

win32_janicab_chain

Read more…

Categories: analyses, Mac, Virus Lab Tags:
July 3rd, 2013

Fake Flash Player installer spreads via Twitter and Facebook

Recently we identified a threat which uses Twitter and Facebook to spread. The origin of the infection begins by clicking malicious tweets or Facebook posts.

fakeflash_sc01
Read more…

June 25th, 2013

Story of the Cutwail/Pushdo hidden C&C server

This is a loose sequel to the Cutwail botnet analysis blogpost published on the malwaremustdie.blogspot.com. In this blogpost I will primarily focus on the downloaded PE executable itself (SHA256: 5F8FCC9C56BF959041B28E97BFB5DB9659B20A6E6076CFBA8CB2D591184C9164) and the network traffic that it generates. I will also reveal a hidden C&C server.

But first let’s quickly go through the things it does at the beginning:
- It registers an exception handler that will only start the process again using CreateProcess().
- It performs a check whether it has admin privileges.
- It checks or creates a mutex named “xoxkycomvoly” (hardcoded identifier used on multiple occasions).
- It checks or creates couple of registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion.
- It checks if the process image filename is “xoxkycomvoly.exe” (it restarts for the first time).
- It nests into the system by creating autorun entry in registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- It copies itself to the user’s profile directory named as “xoxkycomvoly.exe”.
Then on the first time an exception occurs and the sample is restarted from the user’s profile location named as “xoxkycomvoly.exe”.

Initial startup activities

Initial startup activities

After these initial steps, the sample starts communicating heavily over the network.
Read more…

Comments off
June 18th, 2013

Your Facebook connection is now secured! Thank you for your support!

The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim’s email account.

The incoming email has the following subject, ‘Hey <name> your Facebook account has been closed!‘ or ‘Hi <name> your Facebook account is blocked!‘. The email has a ZIP file attachment with name <name>.zip, which contains a downloader file named <name>.exe. <name> stands for a random user name. After a user downloads and executes the executable file, he is presented with the message saying that “Your Facebook connection is now secured! Thank you for your support!” It tries to convince you that there was a problem with your Facebook account, which was later successfully solved by executing the application from the email attachment.

Let’s look inside the executable file!

fbsec01

Read more…

Comments off
June 17th, 2013

Android:Obad – malware gets smarter – so does AVAST

det

If you had the privilege to meet Android:Obad, which Kaspersky earlier reported to be the “most sophisticated android malware,” you are in a real bad situation and this will probably be the moment to which you’ll be referring to in the future as “The time I learned the hard way what better-safe-than-sorry means.” A few days ago we identified a new variant of that threat. There is a chance you bumped into this bad guy before we started detecting it, because if our generic detections don’t catch the malware there is always a short delay before it gets to us. In most cases, it isn’t a problem to get rid of a malicious app – you just uninstall it after you find it. This time, that won’t work.

The problem we are facing here is called “Device administrator.” After you launch an app infected with Android:Obad, you will be asked to make the app the current device administrator, which will be only a few buttons away so it isn’t hard to do. After you do so, there is no way back because this piece of malware uses a previously unknown vulnerability which allows it to get deeper into the system and hide itself from the device administrator list – the only place you can manage device administrators. You won’t be also able to uninstall the app via Settings, because all the buttons will be grayed out and will not function.

scr

Lucky for you, avast! Mobile Security will save you from doing a factory reset and losing your data, which certainly is one of the solutions. But don’t worry, you are safe with us. Read more…

June 4th, 2013

For Your Satisfaction – Android:Satfi-A [Trj]

We all have our favorite apps for all the things we do. I use Shazam when I don’t know what song is playing, Maps when I’m lost, FlightRadar24 when I’m curious about the plane flying over my head. These apps are there for my satisfaction; they meet some need.

main_x

Each of us have different needs and desires. Apps like SatsFiU Player take advantage of that.  Wherever you got this app from, it’s not from the Google Play Store. This app will try to satisfy both your and its developer’s desires.

SafsFiU Player is an app that might come in handy, when you need to be entertained, in an “adult way,” if you know what I mean. For the ones that don’t get it or don’t believe what I’m talking about it, I’ll be clear -  it’s an app that plays pornographic movies. There is the standard “catch” which almost every malicious app for android has. In this case, the catch most visible is that it allows the developer to remotely control your phone, in a particular way. The most distressing part is that he can tell your phone to send an SMS to a given number, potentially premium-rated.

Yes, it’s a win-win situation. Kindof. You’ll be pleased by what you see, he’ll be pleased by the money he gets and the information sent from your phone. Read more…

May 29th, 2013

Analysis of a self-debugging Sirefef cryptor

Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.

Malware authors spread many new variants of malware every day. These variants often look completely different at the first glance. That’s why regular updates of your antivirus is important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware is caused by encapsulating it by so-called “cryptors.”

In most cases, these cryptors are pretty boring pieces of software. They usually take seemingly random data from the malicious file, reshuffle them in a correct way, so that these bytes then become an executable code, and then they execute them. However, authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.

Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.

Read more…

Categories: analyses, Virus Lab Tags: ,
Comments off
May 22nd, 2013

Grum lives!

 

Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives.  We have been tracking its activity since January 2013.  We can confirm spiderlab’s doubts about the grum killing published in March 2013. The following article provides some details about registered grum activity.

We have seen grum activity on following sites:

  • servercafe.ru
  • hub.werbeayre.com
  • sec.newcontrrnd.com
  • sec.convertgame.com

Every bot client generates its own identification number (ID) on its first run. The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.

 Black Energy bot id schema

 

After the bot sets its ID, it tries to connect to a C&C server.

1) The bot contacts C&C server with a HTTP GET request to get the FQDN of the client’s computer

http://%server/spm/s_get_host.php?ver=%botVer

2) The information is used to contact one of the SMTP servers obtained from DNS MX records from following domains which are used for sending spam:

  • hotmail.com
  • yahoo.com
  • aol.com
  • google.com
  • mail.com
  • mail.ru
  • yandex.ru

3) Then the C&C server is contacted by the following request

http://%s/spm/s_alive.php?id=%botID&ticks=%u&ver=%botVersion&smtp=%s&sl=%d&fw=%d&pn=%d&psr=

The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.

4) The C&C server answers with a message which looks like a typical BASE64 encoding

For example:

Xu6hQoZL5+9/Hva9N3F3A2+gwPdLuk28BPA5Alm1IOS9MWvCLGp9r/UEqHksCNo4djEmA8SBk/tPRNvg1wc1rjZnwToThUorVw7kdU/h53sgoszvg0OX06MFQvEOxLqF7P4PQ+s=

Actually the message is encrypted by RC4 algorithm with key equals to the bot’s ID and then it is encoded by BASE64.

Grum bot low level Base64

parts of low level BASE-64 decoding

Grum bot low level RC4

low level decryption part of RC4

 

The whole decryption algorithm written in C# could look like this:

Grum decrypt

The bot id is 72176717204370682282907051332175 for the mentioned message.
After decryption process we can see the message:

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

6) The C&C answers with spamming instructions including spam mail template which is also encrypted by the schema mentioned above.

The interesting thing is that sent spam is similiar to scam described on our blog in the past.

 

Finally, we provide a screenshot of encrypted instructions, a spam email and an example of decrypted instructions .

 

Spam

example of sended spam

encrypted spam instructions

encrypted spam instructions

 

 

<info>
taskid=61853
realip=x.x.x.x
dns=8.8.8.8
hostname=y
heloname=y
maxthread=25
from=usypc@ozucfx.net

type=0
try_tls=0
use_psr=0
use_dnsapi=1
try_mx_num=1
use_ehlo=1
</info>
<emails>
nadialee@hanmail.net
nadialee@hellokitty.com

nadialeitao@zipmail.com.br
nadia_leonita@yahoo.co.id
</emails>
<ac_list>
</ac_list>
<text>
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT[3])
id E%W_RND_INT[2]CE%W_RND_INT[5]E; %DATE
From: Work at Home <%FROM_EMAIL>
To: <%TO_EMAIL>
Subject: Your second chance in life just arrived

Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bi
Precedence: bulk
Message-Id: <%GMTDATA[yyyyMMddHHmm].E%W_RND_INT[2]C%W_RND_INT[5]F@web.ozucfx.net>

<html>
<body>

</body>
</html>
</text>

 

Categories: analyses, Virus Lab Tags: , , ,
Comments off
May 20th, 2013

Lockscreen Win32:Lyposit displayed as a fake MacOs app

When the mastermind hackers of the notorious Carberp Banking Trojan were arrested, we thought the story had ended. But a sample that we received on May 7th, a  month after the arrests, looked very suspicious. It connected to a well known URL pattern and it really was the Carberp Trojan. Moreover, the domain it connected to was registered on April 9th!

Taking a closer look into the PE header, it was observed that the TimeDateStamp (02 / 27 / 13 @ 12:19:29pm EST) displayed a bit earlier date than the date of the arrests of the cybercriminals, and the URL was a part of larger botnet where plenty of Russian bots are involved. So the case was closed as a lost sample within a distribution process.

After using our internal Malware Similarity Search  to catch as many malware samples as possible, a cluster appeared. It contained some well-known families like Zbot, Dofoil, Gamarue, and some fresh families like Win32/64:Viknok and Win32:Lyposit. The latter is a dynamic link library and it caught our attention by a quite sophisticated loader and a final payload. Read more…

Categories: analyses, Mac, Virus Lab Tags:
Comments off