Author Topic: New Windows virus attacks PHP, HTML, and ASP scripts  (Read 6822 times)


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
New Windows virus attacks PHP, HTML, and ASP scripts
« on: February 12, 2009, 10:50:26 AM »
Quote
Researchers have identified a new strain of malware that can spread rapidly from machine to machine using a variety of infection techniques, including the poisoning of webservers, which then go on to contaminate visitors.

The malware is a variation of a rapidly mutating virus alternately known as Virut and Virux. It has long proved adept at injecting itself into executable files, which are then able to attack uninfected machines through network drives and USB sticks.

The variant, which Microsoft is calling Virus:Win32/Virut.BM, is also able to infect web scripts based on languages such as PHP, ASP, and HTML. Servers that become infected include an iframe in webpages that attempt to spread malware to visitors.

"This catapults the possibility of spreading even farther," Trend Micro researchers warn. "If the script files happen to be uploaded to a publicly accessible website, any visitor to the affected sites will be led to the URL embedded in the iframe code."

The iframe surreptitiously directs visitors to zief.pl (don't visit it unless you're a security professional), which attempts to exploit a variety of vulnerabilities based on the browser and other applications the user has installed, Microsoft researchers say. Once installed, the virus injects its code into various system processes such as explorer.exe and winlogon.exe and hooks low-level Windows APIs to ensure it stays in memory.

The virus has also picked up some new polymorphic tricks designed to make it harder for anti-virus programs to detect. Among other things, it uses more than one layer of encryption, allowing its binary fingerprint to change but to preserve its malicious payload.

Infected machines will have an IRC backdoor installed that tries to connect to several servers using port 80. ®

http://www.theregister.co.uk/2009/02/12/new_virut_strain/

LinkScanner confirms the URL is bad: Does avast! have it blocked?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
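The article above describes infected web scripts carrying an injected iframe that redirects visitors to an exploit site. Below is an added example of how a server administrator could sweep PHP, HTML and ASP files for that kind of injection: it flags iframes whose source host is not on a trusted list, whose width or height is near zero, or that are hidden by style. The sample files, the `bad-host.example` domain and the trusted-host list are all constructed here for illustration; this is not code from the original post, from The Register, or from any vendor.

```python
import re
from urllib.parse import urlparse

# Constructed sample web scripts (not real infected files): one clean PHP page,
# one HTML page with a hidden iframe appended to it, and one ASP page with a
# legitimate, visible iframe to a trusted host.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>\n<html><body>ok</body></html>\n",
    "about.html": (
        "<html><body>About us</body></html>\n"
        '<iframe src="http://bad-host.example/in.cgi?3" width=1 height=1 '
        'style="visibility:hidden"></iframe>\n'
    ),
    "default.asp": (
        '<% Response.Write("hi") %>\n'
        '<iframe src="https://www.example.org/embed" width="600" height="400"></iframe>\n'
    ),
}

WEB_SCRIPT_SUFFIXES = (".php", ".html", ".htm", ".asp", ".aspx")
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def iframe_attrs(tag):
    """Map lower-cased attribute names to values for one <iframe ...> tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(tag)}


def _near_zero(value):
    """True for width/height values of 0 or 1 (with or without a 'px' suffix)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(text, trusted_hosts):
    """Return [(line_number, [reasons])] for iframes that look like an injection."""
    hits = []
    for m in IFRAME_TAG.finditer(text):
        attrs = iframe_attrs(m.group(0))
        reasons = []
        host = urlparse(attrs.get("src", "")).hostname or ""
        if host and host not in trusted_hosts:
            reasons.append(f"external src {host}")
        if _near_zero(attrs.get("width", "")) or _near_zero(attrs.get("height", "")):
            reasons.append("near-zero size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            hits.append((text.count("\n", 0, m.start()) + 1, reasons))
    return hits


def scan_files(files, trusted_hosts=frozenset()):
    """Scan {filename: contents} and return {filename: hits} for files with findings."""
    report = {}
    for name, text in files.items():
        if name.lower().endswith(WEB_SCRIPT_SUFFIXES):
            hits = suspicious_iframes(text, trusted_hosts)
            if hits:
                report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES, {"www.example.org"}).items():
        for line, reasons in hits:
            print(f"{name}:{line}: {', '.join(reasons)}")
```

On a real web root you would feed `scan_files` the contents of each file under the document root and keep the trusted-host list to the iframe sources your own pages legitimately embed; an iframe that is both external and hidden is the strongest signal, while a single reason on its own deserves a look rather than an automatic cleanup.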

kubecj

  • Guest
Re: New Windows virus attacks PHP, HTML, and ASP scripts
« Reply #1 on: February 12, 2009, 01:54:44 PM »
zief.pl is blocked

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: New Windows virus attacks PHP, HTML, and ASP scripts
« Reply #2 on: February 12, 2009, 02:12:22 PM »
Cool.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: New Windows virus attacks PHP, HTML, and ASP scripts
« Reply #3 on: February 12, 2009, 03:24:22 PM »
Hi FwF,

We have met this darling Virut here: http://forum.avast.com/index.php?topic=42274.0
It could even make some users switch to Linux, but there seems to be a rather effective special cleansing tool around (see the final posting in the given link). Still, an ounce of protection (Avast Netshield) is better than a pound of cleansing, as you have demonstrated in your description of this nasty.

For an interesting read about the latest Virut variant by Nicolas Brulez:
http://securitylabs.websense.com/content/Blogs/3300.aspx

polonus
« Last Edit: February 12, 2009, 08:09:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: New Windows virus attacks PHP, HTML, and ASP scripts
« Reply #4 on: February 12, 2009, 09:23:15 PM »
Hi malware fighters,

Typical file infectors choose any of the following infection styles:

    * cavity - the virus inserts its code into available spaces within the normal file
    * appending - the virus inserts its code after the normal file’s code
    * prepending - the virus inserts its code before the normal file’s code
    * entry-point obscuring - a complex infection technique used to evade immediate detection


The VIRUX aka Virut strain, however, uses the following infection schema, see picture below:

  * Appending viruses

A virus that inserts a copy of its malicious code at the end of the file. The goal of an appending virus is not to harm the host program, but to modify it to hold the virus code and then be able to run itself.
Example: a simple COM infector that appends itself to the end of COM files and propagates through the directory it is installed in (unless you move an infected program outside that directory, of course); such a virus could be written in Assembly.

 * Cavity Viruses

A cavity virus attempts to install itself inside of the file it is infecting. This is difficult.

Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory.

A cavity virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A cavity virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. The Lehigh virus was an early example of a cavity virus.

Because of the difficulty of writing this type of virus and the limited number of possible hosts, cavity viruses are rare.

Summary

A cavity virus attempts to install itself inside of the file it is infecting.

This is difficult to do properly, and so this type of virus is rare.

 * EPO viruses

Entry-point obscuring viruses are very interesting because of the very difficult nature of their detection, disinfection and removal. Nowadays the EPO technique is used in many different ways; however, Win32.CTX.Phage has been chosen for this article because it was written by the same author as other such infamous viruses as Win9x.Marburg (one of the first Windows 9x polymorphic viruses, which first appeared in the wildlist) and Win9x.HPS. The author of these viruses is known for his difficult-to-detect and difficult-to-disinfect creations. CTX.Phage in particular involves many techniques that make the disinfection process highly difficult, even after the virus is fully understood.
Re: http://www.securityfocus.com/infocus/1841


polonus
« Last Edit: February 12, 2009, 09:43:54 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
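The post above explains the three infection styles in terms of what they do to the host file: an appending virus tacks its code onto the end and redirects the program's start to it, a cavity virus tucks itself into empty space inside the file, and an EPO virus avoids touching the entry point at all. Below is an added example, not from the original post or from any scanner vendor, of the kind of header heuristics a defender can run over a Windows PE file to spot the first two styles: an entry point that lands in the last section, in a section that is both writable and executable, or in a section's alignment slack past its VirtualSize, plus trailing bytes after the last section. The `build_pe` helper and the three fixture images are constructed here purely to exercise the checks; they contain only inert filler bytes. EPO infections, as the post says, evade exactly these entry-point checks, which is why this is a triage aid rather than a detector.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                    # IMAGE_SECTION_HEADER
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry, sections


def infection_heuristics(data):
    """Flag header traits that appending and cavity infectors typically leave behind."""
    entry, sections = parse_pe(data)
    findings = []
    host = None
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            host = s
            break
    if host is None:
        findings.append("ep-outside-sections")
    else:
        # Appending infectors often add a trailing section and point the entry point at it
        if len(sections) > 1 and host is sections[-1]:
            findings.append("ep-in-last-section")
        if not host["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("ep-in-non-executable-section")
        if host["chars"] & IMAGE_SCN_MEM_WRITE and host["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("ep-in-writable-code-section")
        # Cavity infectors hide in the alignment padding past a section's VirtualSize
        if entry - host["vaddr"] >= host["vsize"]:
            findings.append("ep-in-section-slack")
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in sections), default=0)
    if len(data) > end_of_sections:
        # Weak signal on its own: installers and Authenticode-signed files carry overlays too
        findings.append("overlay-data-present")
    return findings


def build_pe(sections, entry_rva, file_align=0x200):
    """Constructed fixture: assemble a minimal PE32 from (name, vsize, vaddr, raw_bytes, chars)."""
    size_opt = 224
    header_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    first_raw = -(-header_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body, raw_ptr = b"", b"", first_raw
    for name, vsize, vaddr, raw, chars in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0")
    return headers + body


# Inert filler: 0xC3 (ret) for code, zeros for data, 0x90 (nop) for the trailing section
TEXT = (b".text", 0x100, 0x1000, b"\xC3" * 0x100, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
DATA = (b".data", 0x40, 0x2000, b"\x00" * 0x40, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE)
TAIL = (b".tail", 0x80, 0x3000, b"\x90" * 0x80,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)

CLEAN_PE = build_pe([TEXT, DATA], entry_rva=0x1000)
# Appending-style shape: writable code section at the end, entry point moved there, bytes past the last section
APPENDED_PE = build_pe([TEXT, DATA, TAIL], entry_rva=0x3000) + b"\0" * 64
# Cavity-style shape: entry point moved into .text's alignment padding beyond its VirtualSize
CAVITY_PE = build_pe([TEXT, DATA], entry_rva=0x1180)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("appended", APPENDED_PE), ("cavity", CAVITY_PE)):
        print(label, infection_heuristics(image) or ["no findings"])
```

Each finding is a reason to pull the file into a sandbox or compare it against a known-good copy, not a verdict: packers and some linkers legitimately produce writable code sections or odd entry points, and, as the post notes, an EPO infector leaves the entry point untouched and will pass every check here.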

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: New Windows virus attacks PHP, HTML, and ASP scripts
« Reply #5 on: February 12, 2009, 10:00:50 PM »

Sneaky bugger.

 >:(
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog