Author Archives: Peter Kruse

The past two weeks have been quite busy for especially one group of criminals using different lures to force feed unpatched Windows machines with different types of malware. The exploits are provided with the assistance of the infamous Blackhole exploi… Continue reading CSIS Blog: Same gang, different lures and payload→

We are seeing a massive spam campaign send to random e-mail adresses and which claims to be from UPS (does that sound familiar?).

The spam mails comes with the content shown below:

Notice the attachment is a zip file which when unzipped will reveal itself as a Win32 PE but using a Word looking icon to trick the user into opening it.

The Win32 is a ZeuS P2P variant which upon execution will copy itself to the compromissed system. It first spawns and runs a batch file which executes several commands and does a bit of cleaning up after the infection process has occoured.

Spawns a shell like this:
C:Windowssystem32cmd.exe /c C:[%user profile%]AppDataLocalTempWUX818.bat

The batch job looks like this:

@echo off
:d
del “C:invoice-2131 copy.exe”
if exist “C:invoice-2131 copy.exe” goto d
del /F “[%user profile%]AppDataLocalTempWUX818.bat”

This will execute the file “C:invoice-2131 copy.exe” dropped into the root folder of the infected machine. Next step the main component will get dropped with a random filename into:
[%user profile%]AppDataRoaming[%random folder name%][%random filename%].exe

The ZeuS P2P version ID returns 2.2.5.

During execution the code makes several checks including:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion InstallDate
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography MachineGuid
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion DigitalProductId

The code then injects itself into several Windows processes e.g. explorer.exe, svchost.exe, conhost.exe and connects itself with other peers in the ZeuS P2P Botnet using the UDP protocol. Peers observed include but not limited to:

46.48.148.147
190.239.109.160
210.213.137.50
186.136.173.245
194.36.163.54
99.116.158.19
99.120.1.3
186.59.228.111
220.246.38.109
183.11.30.252
71.43.167.82
99.72.61.142
184.147.56.198
190.36.95.118
67.140.85.16

[..]

BOTnet communication:

GET
HTTP/1.1
Connection: Close
Authorization
Basic
GET
POST
div
script
nbsp;
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close

The decrypted config contains more than 100 specific targets primarily online banking solutions.

As a sidenote we have previously this week seen same payload but with different lures:

Bank of America spam / stid 36618-22.zip
http://blog.dynamoo.com/2013/07/bank-of-america-spam-stid-36618-22zip.html

A scan on Virustotal gives the malware a signature detection rate of 24 / 47:
https://www.virustotal.com/da/file/a2fa9736bf5d58a1b905f17d6c2629e5d333e38c4c9379ad5551c553a7df4108/analysis/

For more detailed info on this threat I’d recommend the fine work from our friends at Cert Polska entitled
“ZeuS-P2P internals – understanding the mechanics: a technical report”:
http://www.cert.pl/news/7386/langswitch_lang/en

Continue reading CSIS Blog: UPS spamrun carries a ZeuS P2P payload→

I assume you already heard about the CSIS Heimdal Security Agent, right?! If not you should visit our Heimdal website for further information. It’s located here: https://heimdalagent.com.

In short the Heimdal Security Agent is a free security tool developed by CSIS Security Group. The purpose of Heimdal making it easier for end users to protect against the everyday threats when surfing the Internet.

We have also developed a PRO and corporate version working on all supported versions of Microsoft Windows. The PRO and corporate contains additional protection such as malware detection and a webfilter protecting against malicious websites and online content. Obviously the corporate version has additional functionality such as a centralized graphical interface and management.

The Heimdal agent for iDevices is just about to be launched. Below is a picture from our lab where we are finalizing the tool.

The first version is aimed towards the iOS platform but we plan to release Heimdal for Android devices as well.

Heimdal for smartphones will protect your data and traffic when on the move, as well as thwart of cyber-attacks from malicious websites, apps and spy tools. Basically Heimdal for smartdevices is a solution to several BYoD (Bring Your own Device) worries in a corporate network.

Heimdal for iDevices will be available in the Apple iStore shortly.

Continue reading CSIS Blog: Heimdal is coming to an iPhone near you!→

The home Trojan-banker known as Shylock has just yesterday been updated with new functions. When analyzed, during an investigation, we noticed that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype. This allows the malicious Trojan-banker to infect more hosts and continue to be a prevalent threat. Also, the timing does not seem completely coincidental as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK. If we look at sinkhole data collected by CSIS (illustrated below) it becomes quite clear that the attackers prefer to focus only on a few countries instead of random infections in different countries.

When using a tool like Skype, or any “chat” based technology, for replication purpose, it only fuels the geographic focus. Past infections, from e.g. worms spreading across MSN Messenger, Yahoo etc. or any other real-time chat program, shows that people have a tendency to stay connected with friends (usually within their own region) allowing outbreaks to be contained locally.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

– Sending messages and transferring files
– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

Besides from utilizing Skype it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:

– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files

Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

As always for this type of Trojans antivirus detection is low:

https://www.virustotal.com/file/4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842/analysis/1358414436/

Analysis:
Iurii Khvyl and Peter Kruse

Continue reading CSIS Blog: Shylock calling Skype→