Archive for April, 2007

April spyware list

April 27, 2007

This month Adware/Gator takes first position again, with only 75 more detections than Adware/Lop.

1: Adware/Gator
2: Adware/Lop
3: Application/MyWebSearch
4: Application/Winantivirus2006
5: Spyware/Virtumonde
6: Adware/SaveNow

Application/Winantivirus2006 moves two positions up, from 6th to 4th. This rogue antispyware is usually promoted by other adware or by banners on websites that simulate a scan of the system which always finds threats; we are then asked to pay a modest price for a program to remove them.

Spyware/Virtumonde rises from 9th to 5th. This malware continually displays banners for rogue antispyware and error-repair programs. Some versions also send out a list of the programs the user has installed on the computer, and they download the Application/VSToolbar toolbar.

In 23rd position we find Adware/Spylocked, an adware that promotes Application/Spylocked. It is installed mostly through the well-known fake codecs.

Application/Spylocked is the latest version of a well-known rogue antispyware that was previously distributed under the names SpywareQuake and VirusBurst.

Not without my Eula!!!

April 26, 2007

On a website that uses exploits to infect its visitors I have come across a malware sample that installs a program carrying a EULA without the user's consent.

Here is a video of the process (also on YouTube):

The video shows:

1 – EULA agreement: how a user would normally install the program, accepting the EULA.

2 – Without EULA agreement: how the malware installs the same program without the user ever seeing the EULA.

3 – Debugging: the steps the malware follows to get the program installed:

a) First, it drops a copy of the EULA-carrying program, which is embedded in its own code.

b) Then it runs it.

c) It looks for certain window titles and texts with the FindWindow API in order to obtain handles to the installer's windows.

d) Once it has the handles, it hides the window with ShowWindow, so the infected user is hardly aware of what is going on.

e) It sends the necessary messages with SendMessage to those handles, faking the user's acceptance of the agreement. Since the click arrives as an ordinary window message from the same desktop session, the installer cannot tell it apart from a real one.

Cybercrime… for sale (I)

April 23, 2007

You have probably wondered at some time or another why there is so much malware. As we have explained on many occasions lately, most of the time it comes down to money. That raises other questions: how do the authors make money out of programming malware? Where do they sell their creations? For how much? Who buys the malware, and what for?

Our investigation took a long time, not only because of the language barrier (most of the software and services sold in this sector come from Russia and neighbouring countries, so we turned to our technicians in Russia and Ukraine for help) but also because of the many buy-and-sell forums out there and the great variety of products and services on offer. Some of the services on offer include:

– DDoS attacks
– Spam hosting
– Hiding of executable files
– FTP accounts
– Mailing lists
– ICQ numbers
– RapidShare accounts
– Online business accounts (mainly Russian)
– Sale of Trojans
– Hiring of hackers' services

Beyond these there were services directly related to organized crime, which we will cover in future posts.

We are not going to reveal the sites where we found this information, but you do not need to google much to find them.
In this post I will concentrate on the prices of the most important services offered on underground websites, although we found that haggling is common.

Services:

DDoS attacks

The price usually depends on the duration of the attack:

    1 hour        US$10-20 (depends on the seller)
    2 hours       US$20-40
    1 day         US$100
    Over 1 day    From US$200 (depends on the complexity of the job)

It is worth highlighting that they normally offer a 10-minute test: if you are interested, you give them the server and they run a DoS attack against it for 10 minutes so that you can evaluate the 'service'.

The following screenshot shows how DDoS services are sold and how people request hacker services (Google translation):


    Spam hosting                      US$200
    Dedicated spam server             US$500
    10,000,000+ mails per day         US$600
    SMS spam (per message)            US$0.2
    ICQ spam (1,000,000)              US$150

Mailing lists for spam (US$):

    Addresses       USA     Germany   Russia   Ukraine
    1,000,000       100     100       100      100
    3,000,000       200     200       200      200
    5,000,000       300     300       300      -
    8,000,000       500     500       500      -
    16,000,000      900     -         -        -
    32,000,000      1500    -         -        -

Hiding of executable files, to evade antivirus programs and firewalls (they guarantee that the files will not be detected even with the antivirus updates of the purchase date):

    From US$1 to US$5 per executable file (cheap, isn't it?)

 

Accounts

    FTP accounts                      US$1 per account
    50 MB of Limbo Trojan logs        US$30 (contain email accounts, bank account numbers, credit card numbers, etc.; a percentage is guaranteed)
    ICQ numbers                       from US$1 to US$10 (depending on the ICQ number)
    RapidShare premium accounts       1 month    US$5
                                      2 months   US$8
                                      3 months   US$12
                                      6 months   US$18
                                      1 year     US$28
    Online shop accounts              US$50 each (megashop.ru, bolero.ru, cup.ru, etc.; all Russian)

This screenshot shows how ICQ spam, proxies and hacking software are offered (Google translation):

In my next post, I will focus on the price of software (Trojans, joiners, viruses, etc.).

W32/Spamta.WF.worm

April 19, 2007

In the last few hours we have received a few hundred emails carrying the worm Spamta.WF. The attached file has one of the following extensions:

  • bat
  • cmd
  • exe
  • pif
  • scr

The subject of the email is one of the following:

  • Error
  • Good Day
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status
  • test

The worm is proactively detected by TruPrevent™ Technologies.

Artesimda.A

April 18, 2007

Every day we discover a huge number of new Trojans. Almost all of them are crimeware (they steal any kind of credentials, email addresses, etc.). It is common for the authors, some of them quite lazy, to use existing tools for some actions instead of implementing them in the Trojan's own code. This is good for us, as we can spot suspicious behaviour when certain services or tools are running.

Today I am going to talk about a new Trojan we have just been dealing with that uses some Windows features to take control of the infected computer.

The Trojan, named Trj/Artesimda.A, creates a new account on Windows XP whose user name is “Adminestrator” and whose password is “Pass3488585”.

This is what you would see if you were infected:

It uses a rootkit to hide itself and starts the Remote Desktop Help Session Manager service. Since it steals information such as the IP address and has created a local administrator account with a known password, the attacker can connect to the infected computer remotely with full access. It is not the smartest way to control an infected computer, but it is an original one.

It also monitors Internet Explorer traffic and steals everything entered into web forms. This way it can obtain email addresses, usernames and passwords, and so on, together with data about the software and hardware installed on the infected computer.

All the stolen information is sent out to a server located in Hong Kong.

 

FakeImages

April 16, 2007

I have just discovered a new kind of fake codec. This time, instead of posing as a codec needed to watch videos, it poses as a component needed to view images; I have named it Adware/ImageAccesActiveXObject.

As with the fake codecs, it offers to let us "enjoy" some porn images by installing an ActiveX control supposedly needed to view them. What it really does is register a class, Imageactivexobject.Ñhl, whose presence the website then checks: if we are on that particular website with the class registered, it redirects the browser to a different site where the photos can be seen.

This is part of the script where this is checked:

<script>
<!--
// Probe for the ProgID the ActiveX installer registered; the redirect only fires when it is present.
function activex_is_here() { try { var testObjet = new ActiveXObject("imageactivexobject.Ñhl"); return true; } catch (e) { } return false; }
if (activex_is_here()) { location.href = 'http://www.ximagecollection.com/'; }
-->
</script>

 

In this case, when you click on the photos to view them, a message appears saying that the domain has expired. Here is a video showing the installation process.

See the demo in the following video (It's encoded with XviD ) or via YouTube:

Like most fake codecs, it checks whether it is running in a virtual machine and, if so, does not infect the computer.

The malware it installs mainly promotes rogue antispyware and error-repair programs, but in some cases it also shows other kinds of advertisement, such as online casinos.

When ImageAccesActiveXObject is installed, it drops the following malware on the computer:

– Adware/SpyLocked: spends all its time showing fake messages saying that we are infected, and downloads and installs the rogue antispyware Application/SpyLocked. This is a new version of a program we have previously seen under the names SpywareQuake and VirusBurst.

– Adware/Securitytoolbar: installs a toolbar and a browser helper object (BHO) that redirects browser traffic and shows advertising pop-ups. It also creates shortcuts on the desktop pointing to various websites.

Ani exploit plus Heap Spraying

April 13, 2007

Today we have detected a server exploiting the latest ANI vulnerability together with the well-known heap spraying technique. The ANI file triggers the vulnerability, but there is no shellcode inside it:

The HTML page carries JavaScript that allocates as much heap as it can, filling it with copies of a NOP sled and the shellcode, until the address the stack overflow uses as return address, 0x0B0B0B0B in this case, points into that sprayed memory.
The reason for using this technique instead of placing the shellcode inside the ANI file seems to be to avoid stack execution protection: this way the shellcode runs from the heap rather than from the stack. Note that this only helps where the heap itself is executable, i.e. where hardware DEP is not enforced for the process (on Windows XP SP2 Internet Explorer was not opted in by default); what heap spraying always gives the attacker is a predictable address to return to. The injected heap and the shellcode can be seen in the following image:

Nurech.Z

April 13, 2007

In the last few hours we have received several emails carrying the worm Nurech.Z. To avoid detection, the worm travels in a .zip file attached to the email, and a password is needed to open that .zip, which makes detection by email filters even harder. Instead of being given in the body of the message, the password is included in a .gif file. This is not a very new technique, however: multiple variants of Bagle have used it for a long time.

The subjects vary, but they usually warn of the presence of malware on our PC. Some examples are:

Virus Alert!
Worm Alert!
Spyware Alert!

The worm is proactively detected by TruPrevent™ Technologies. This is the image that appears in the .gif file:

 

The worm drops a couple of rootkits that try to complicate our lives. The first one searches the computer for email addresses, creates the .gif image and also lets the machine send spam. The second one hides the worm to make its detection harder.

Trojan Snatch installed in a lot of malware servers

April 4, 2007

Lately I have been coming across several websites that infect computers with the Trojan Trj/Snatch through exploits.

This malware not only monitors the passwords entered on the websites the user visits, but also has rootkit functionality in order to remain hidden.

Like most of the malware kits for sale, it consists of a builder component, which generates the server files used to infect victims, and a web component, usually hosted on a server, where the websites to monitor are configured and where the information harvested from infected computers is received.

The author of the malware accesses it through the web to configure this data. This is the login screen that is usually displayed:

These are the URLs that the Trojan is monitoring, taken from three different servers:

So there is no need to change the Trojan to update the entities being monitored: changing the URL list on the server is enough.

 

ANI vulnerability and malware researchers… be careful

April 2, 2007

Last week (Thursday and Friday) was very hard for all malware researchers working on the “new” ANI threat. Too much conflicting information was released: “Yes, it’s the same MS05-002 issue”, “No, it’s not the same issue…”, “It’s a user32.dll fault, but probably it’s only an Outlook and IE issue…”. What is really true? We spent last Friday analysing the vulnerability and, no, it is not just an Outlook/IE issue. If you are a malware researcher (or not) and you usually use WinHex, you should be careful. The sample we were analysing tried to download an executable (wincf.exe) from http://22x.x.x.189/wincf.exe. By now the file has been removed from the site, but we changed the URL to see whether the exploit works, and it really does: fast, and inside WinHex. What? Yes, we are not crazy. We were as surprised as you.

See the demo in the following video (It’s encoded with XViD [870k]) or via YouTube:

It is time to reverse engineer WinHex to find out why the exploit works in it even when the ANI file is renamed to anything you like. A call to Shell32.ExtractIconA is made, and that is what triggers the ANI vulnerability: