Warning: New malware wants to steal your passwords

Social websites like Facebook or Twitter tend to be the number one channel to distribute new malware in 2011. This time a new bot targets Twitter users and spreads via the microblogging service.  Emsisoft Anti-Malware detects this malware as Worm.Win32.Ngrbot. Read this article to learn more about this new outbreak and how to protect against it.

Malware spreads via Twitter

The malicious files we received  show  the picture of a woman as icon with a file name being in the format  ”facebook-pic% number%.exe”, which in our analysis shows that the malware is quite dangerous.

Malicious file icon

When executed, Ngrbot extracts the main file of his body to the directory “C:\Documents and Settings\%username%\Application Data\” on test machines running Windows XP. The used filename is generated using the HDD serial number as the initial key. If the malware however fails to get the HDD serial number, it will then use “1337B00B” (read: elite languages​​) as initial key.

1337B00B

One of its “features” is to block the access to various security sites, including emsisoft.com. So indirectly it prevents security programs from performing updates. The body of the worm contains the blocked sites names within the encrypted section .data:

String of blocked Antivirus/Anti-Malware

In addition, Ngrbot also downloads a text file that is located at hxxp://212.7.214.16/list.txt, which contains 1269 sites domain and blogs related to computer security. This means it is also able to update the list of pages that are blocked.

Wireshark - Download domain list

As a self-defense, this malware also has rootkit capabilities to hide its presence on the created files and registry entries. Ngrbot performs a system wide hook to inject itself into the whole process and hooks some of the following APIs:

  • advapi32.dll.RegCreateKeyExW
  • advapi32.dll.RegCreateKeyExA
  • ntdll.dl.NtQueryDirectoryFile
  • ntdll.dl.NtEnumerateValueKey
  • ntdll.dl.NtResumeThread
  • ntdll.dl.LdrLoadDll
  • kernel32.dll.CopyFileW
  • kernel32.dll.CopyFileA
  • kernel32.dll.CreateFileW
  • kernel32.dll.CreateFileA
  • kernel32.dll.MoveFileW
  • kernel32.dll.MoveFileA
  • wininet.dll.InternetWriteFile
  • wininet.dll.HttpSendRequestW
  • wininet.dll.HttpSendRequestA
  • ws2_32.dll.getaddrinfo
  • ws2_32.dll.send
  • nspr4.dll.PR_Write

And, Ngrbot marks its presence in the infected system with a mutex named “s5rBKCUVfOF8JLVi” and “hex-Mutex”.

On the API list you can see several functions associated with the network/Internet, meaning that Ngrbot can monitor browsing activities of its victim. This malware communicates with the host or C&C server through the IRC protocol, so it can transmit any information found on the victims computer to the author. Additionally the author is able to instruct the malware to do something, like for example download another malicious file or to update the malware binary file.

Steal user account (gmail)

This is obviously very dangerous – if the victim logs into his email, Facebook, Twitter, or even online banking account these are not safe any more. One example is shown in the picture above, the string was found in a hijacked process:

Malware steals online banking accounts

Here you can see some online banking sites like officebanking.cl, Alertpay, Moneybookers and PayPal.

On the infected computer Ngrbot collects several pieces of information like the IP address and country of origin by connecting to http://api.wipmania.com/.

On our test machine, the default page of the browser was also modified, leading to the site hxxp://redirecturls.info/ which then redirects to the following sites:

  • hxxp://best-articles.li
  • hxxp://bestarticles-ever.blogspot.com
  • hxxp://amazingarticles.info
  • hxxp://mega-articles.info

Change browser default page

The MSN Messenger is also used as one of the spreading tools. What the bot does is to intercept messages sent by the user and then hijack the message on-the-fly.

Malware hijack MSN Messenger messages

For example in this case I try to send the message “Hello” to a friend, but apparently my friends actually get the message “LOL http://[MALICIOUS_LINK]“. The malicious URL being received can vary, depending on what is instructed by the host server. Furthermore the malware will report this action to the host server.

Malware spreads via MSN Messenger

However, the author of Ngrbot seems to have a sense of humor despite being a criminal – he leaves some messages to those trying to crack and analyze his malware.

Ngrbot message