Avast WEBforum

Other => General Topics => Topic started by: polonus on January 02, 2008, 08:15:06 PM

Title: Virtumonde's latest trick!
Post by: polonus on January 02, 2008, 08:15:06 PM
Hi malware fighters,

What about the latest developments coming from the Virtumonde authors?
The latest trick they use is file infection, to make removal even more difficult. Coming from one of the most notoriously hard-to-remove malware families, we were not expecting less. They use all the tricks in the book:
notice the difference between trial.exe and trial. exe?!

"Like some other malware this version of Virtumonde enumerates which files are being run at Windows startup. It will check the files and if deemed OK for infection it will start the infection routine.

What Virtumonde is basically doing is creating a Trojan-Dropper. It will drop the original host file into %temp% and start the file from there. Next to that it will drop the Virtumonde component into the system directory.

The dropped DLL in the system directory will do its Virtumonde-tricks as well as look for files to infect (from startup). So, this is not a patcher. This is a virus.

About 4KB of dropper code is prepended in front of the host file. The Virtumonde DLL gets appended to the host file. The DLL is about 32KB large, but the exact size of appended code may vary. It also makes use of an infection marker in the resource section to make sure it does not reinfect the same file time and time again.

The original host file sits unaltered inside the newly created exe which makes disinfection quite easy.
Something tells me that their next attempt is going to be more tricky to handle. Info - KAV"

polonus
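
The layout the KAV write-up describes (roughly 4 KB of dropper stub prepended, the host left untouched inside, the Virtumonde DLL appended) is what makes disinfection mechanical. The Python below is an added illustration, not code from the post, from KAV or from any vendor tool: it builds constructed PE-shaped blobs for stub, host and DLL, then locates and carves the embedded host by walking the section table. It assumes the exact stub, host, DLL ordering, ignores the resource-section infection marker, and the sizes used are constructed.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER field layout (40 bytes)

def build_min_pe(tag: bytes, nsec: int = 2, sec_size: int = 0x200) -> bytes:
    """Constructed sample: a minimal PE-shaped blob (not a real program), enough for a layout parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102)     # i386, PE32 optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    hdr_len = e_lfanew + 4 + 20 + 0xE0 + 40 * nsec
    first_raw = hdr_len + (-hdr_len) % 0x200                               # 0x200 file alignment
    secs = b"".join(struct.pack(SECTION_HDR, b".s%d" % i, sec_size, 0x1000 * (i + 1), sec_size,
                                first_raw + i * sec_size, 0, 0, 0, 0, 0x60000020) for i in range(nsec))
    body = b"".join((tag + b"\0" * sec_size)[:sec_size] for _ in range(nsec))
    return dos + b"PE\0\0" + coff + opt + secs + b"\0" * (first_raw - hdr_len) + body

def pe_physical_size(buf: bytes, off: int):
    """On-disk size of the PE image at buf[off], taken from its section table; None if not a valid PE."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]
    sec = pe + 24 + struct.unpack_from("<H", buf, pe + 20)[0]        # first section header
    if nsec == 0 or sec + 40 * nsec > len(buf):
        return None
    end = sec + 40 * nsec - off                                       # at least the headers
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)                            # last byte any section owns
    return end if off + end <= len(buf) else None

def carve_host(infected: bytes):
    """Find the first valid PE embedded after the outer (dropper) image; (offset, host, trailer) or None."""
    if pe_physical_size(infected, 0) is None:
        return None
    pos = infected.find(b"MZ", 1)
    while pos != -1:
        size = pe_physical_size(infected, pos)
        if size is not None:
            return pos, infected[pos:pos + size], infected[pos + size:]
        pos = infected.find(b"MZ", pos + 1)
    return None

def describe(infected: bytes) -> dict:
    """Summarise whether the file matches the prepended-stub / untouched-host / appended-DLL layout."""
    found = carve_host(infected)
    if found is None:
        return {"layout_match": False}
    off, host, trailer = found
    return {"layout_match": True, "stub_len": off, "host_len": len(host),
            "trailer_len": len(trailer), "trailer_is_pe": pe_physical_size(trailer, 0) is not None}

# Constructed sample: a 4 KB dropper stub, then the untouched host, then the appended DLL.
DROPPER = build_min_pe(b"DROPPER-STUB", nsec=2, sec_size=0x700)
HOST = build_min_pe(b"TRIAL.EXE", nsec=2, sec_size=0x400)
PAYLOAD_DLL = build_min_pe(b"PAYLOAD-DLL", nsec=3, sec_size=0x800)
INFECTED = DROPPER + HOST + PAYLOAD_DLL

if __name__ == "__main__":
    print(describe(INFECTED))                      # the disinfected host is carve_host(INFECTED)[1]
```

On a real sample the carved bytes still need a hash comparison against a known-good copy before they are trusted, since the stub could in principle have altered the host it re-dropped.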

Title: Re: Virtumonde's latest trick!
Post by: MikeBCda on January 03, 2008, 08:24:45 PM
Virtumonde seems to be the "name" in threats these days.  :P

I've seen several threads on how to repair the damage afterwards.  But what's the best pro-active defense, avast and other kinds of specialized anti-malware?  Or is Virtumonde changing too quickly for normal defenses to keep up with?
Title: Re: Virtumonde's latest trick!
Post by: Lisandro on January 03, 2008, 08:38:13 PM
Isn't Zero Day Security a good solution? Will it detect Virtumonde?
Is a HIPS tool necessary for it?
Title: Re: Virtumonde's latest trick!
Post by: essexboy on January 03, 2008, 10:32:02 PM
It changes too fast, in this game the advantage is with the malware programmers.  Virus analysts are always playing catchup.  The only way to reduce the effect is to surf with restricted rights, not a major problem with Vista but a PITA with XP.
Title: Re: Virtumonde's latest trick!
Post by: polonus on January 04, 2008, 12:00:42 AM
Hi essexboy,

Yes it is an ongoing battle against the vundo monster, see the posting in our special corner re: win32.bho-hd with vundo characteristics, there I posted the latest file traces (dated Jan 3rd 2008).
I also expect there are certain dlls in Firefox that can help this to spread, these were reported where certain similar spyware was concerned (Adware). The glitch in Windows that causes the Windows protection to slowly diminish while the machine is just connected to the Internet is hard to avoid. Best policy at the moment: update Sun Java and remove older versions, use NoScript, and surf with normal user rights and not with full admin rights. In the latest versions a driver dll is loaded and a BHO created, also initial executable names are being reversed. Well, they use all the tricks in the malware book, and it is effective...

An example of a vundo infection:
Side effects:
   • Drops a file
   • Drops a malicious file
   • Third party control

Files:
It deletes the initially executed copy of itself.

The following files are created:

– %SYSDIR%\%seven-digit random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/Virtumonde.B

– %TEMPDIR%\removalfile.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

Registry:
The following registry keys are added:

– [HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
   • @="%SYSDIR%\%seven-digit random character string%.dll"
   • "ThreadingModel"="Both"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
   • "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtutrrq]
   • "Asynchronous"=dword:00000001
   • "DllName"="%seven-digit random character string%"
   • "Impersonate"=dword:00000000
   • "Logon"="Logon"
   • "Logoff"="Logoff"

Backdoor:
Contact server:
All of the following:
   • http: //82.98.235.63/cgi-bin/check/**********
   • http: //85.12.25.**********

As a result it may send information and remote control could be provided.

Sends information about:
    • Current malware status


Remote control capabilities:
    • Download file

Injection:
It injects the following file into a process: %SYSDIR%\%seven-digit random character string%.dll

All of the following processes:
   • explorer.exe
   • WINLOGON.EXE


Rootkit Technology:
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own files

polonus
Title: Re: Virtumonde's latest trick!
Post by: FreewheelinFrank on January 04, 2008, 09:37:29 AM
Quote
Isn't Zero Day Security a good solution? Will it detect Virtumonde?
Is a HIPS tool necessary for it?

Relax, take a chill pill, and...

(http://donaldbroatch.users.btopenworld.com/dont_panic.jpg)

Quote
Malware-Laced Banner Ads At MySpace, Excite

If you happen to visit the MySpace Chat Forums without the benefit of the latest security updates for popular Web browsers and media player plug-ins (think Macromedia Flash, QuickTime, e.g.), your Windows machine is likely to get a kitchen sink full of malware crammed down its gullet.

http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html?nav=rss_blog

Quote
Malicious ads on Myspace, Excite, Blick

We worked earlier today with Brian Krebs at the WP about malicious banner ads on Myspace.  (Malware is being delivered through exploits, but fully patched systems won’t be affected.)

http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html

"fully patched systems won’t be affected"
Title: Re: Virtumonde's latest trick!
Post by: Lisandro on January 04, 2008, 11:57:04 AM
Relax, take a chill pill, and...
(http://donaldbroatch.users.btopenworld.com/dont_panic.jpg)
Frank... when I saw Sasha with his computer infected... other avast users having deep trouble... yes, I panicked.
Title: Re: Virtumonde's latest trick!
Post by: Hard_ROCKER on January 04, 2008, 03:40:07 PM
I panicked as well after seeing Sasha's thread. The worst part is he was infected for months before discovering the infection.   :o
It makes you wonder doesn't it ...
Title: Re: Virtumonde's latest trick!
Post by: polonus on January 04, 2008, 05:16:00 PM
Hi Miha,

It makes you wonder indeed, if you miss the one dropper before it starts up, for instance through winlogon, the file name is changed in a random arrangement or being reversed or even with a space in between the legit name and the executable, who would notice afterwards. It is like with demons, invite one in and all his friends are coming to stay as well. So there is not really much hope after you have been compromised and the trojan has played havoc and contacted outside to do whatever it is programmed to do. So one gram of prevention weighs more than one kilo of cleansing afterwards. Anyway panic has never done anyone any good, and there our friend FwF has a solid point. Better prevent scripts from running or have them checked, update and patch or better even still - surf between the plag-poles and watch the shark-siren, my dear friend,

Damian



Title: Re: Virtumonde's latest trick!
Post by: Lisandro on January 04, 2008, 05:53:41 PM
Anyway panic has never done anyone any good
You can call it lost of confidence. People say we're fan boys... I don't feel like one.
Title: Re: Virtumonde's latest trick!
Post by: FreewheelinFrank on January 04, 2008, 05:58:32 PM
Don't put your trust in any AV: make sure to patch the vulnerabilities that let these drive-by downloads happen. Here is a list of exploits used in a current attack:

Quote
Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...

(1) first is the venerable MDAC (MS06-014). It's old, (worked up to Sep 2006), but it works like a charm if you're not patched.
(2) second is one of the many QuickTime exploits. It's not easy to determine which version it is, but it's probably one of last years.
(3) three is AOL's SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On (tm))
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.

http://explabs.blogspot.com/2008/01/neosploit-january-2008.html
Title: Re: Virtumonde's latest trick!
Post by: szc on January 04, 2008, 08:17:57 PM
Yes, I felt it on my own skin... nothing helped, so I had to go all the way back to the last year with my system backup image. After I noticed there would be so much catching up, reinstallation of hundreds of applications and tools I use, there was an idea burning deep inside of me that I might as well install my OS from scratch... at least I'd have a completely flushed and refreshed system. So I went with Vista Ultimate and I have to say for some reason it works at least 1/3 times faster than my old XP installation. Everything seems super fast and smooth, and I believe it's due to the fact that I'm running it on 2 Gb of RAM and of course with a huge help of my new nVidia card. Of course this will not change my opinion about this OS 'cause there still are all those issues that MS needs to fix with that SP1 we are waiting for so badly... but it helped me to realize how much faster it behaves when you have more RAM... it is sad though that people who can't afford to put more RAM into their computers can't experience this OS in full. So, I went to the store and bought another 2 Gb RAM but this time for my laptop (running Vista as well). Since there are only two memory slots, I took out 512 Mb from one and installed this 2 Gb instead, leaving the other 512 Mb inside the other slot... so now my laptop runs Vista with 2.5 Gb and I have to say it is a huge difference. Still... MS needs to work on fixing all those annoyances we've got with this "new" OS.

Huh... got carried away... back to VirtuMonde - three words only - I HATE IT!
Title: Re: Virtumonde's latest trick!
Post by: polonus on January 04, 2008, 09:31:34 PM
Hi SasH,

Well, make backups, maybe have a virtual 2GB online encrypted, and the next time it is flush and install anew, but I agree with you it is one of the nastiest experiences you can get. It turned me into a malware fighter until the end of my days,

Damian
Title: Re: Virtumonde's latest trick!
Post by: szc on January 04, 2008, 10:23:24 PM
As I mentioned in my reply above:

Quote
... nothing helped, so I had to go all the way back to the last year with my system backup image...

I'm not even sure if there is anyone else in this forum that makes and has more system backup images than I do. For every single month, for the past two years, I have backups for every two weeks, all on DVDs ready to restore. The bunch of latest backups is no good anymore since I found out they all were infected, so I went back all the way to last year's backup from December. Naturally, I had to reinstall a lot of applications since I installed a bunch of new ones since December 2006, so that made my decision to reinstall the OS from scratch even easier... especially because I had a chance to switch from XP to Vista at the same time.

So, making backups IS very important, but it shows that if your security applications cannot protect you, backups are almost unusable. Let's take a small example... an ordinary PC user won't make more than 2 system backups per month, and most of them will not even go further than 2 months into the past... so the calculation is pretty straightforward... all those backups, if infected like in my example, would be ready for the trash. Go figure what to do in cases like this... I just wonder where my antivirus was when this hit my computer.
Title: Re: Virtumonde's latest trick!
Post by: Lisandro on January 04, 2008, 10:35:35 PM
I just wonder where my antivirus was when this hit my computer.
Sitting silently in the system tray ;D
Better, swirling ;D
Title: Re: Virtumonde's latest trick!
Post by: Hard_ROCKER on January 04, 2008, 10:38:24 PM
I just wonder where my antivirus was when this hit my computer.
Sitting silently in the system tray ;D
Better, swirling ;D

Happily scanning along, letting the nasties inside and producing FP's every now and then ...  ;D
Title: Re: Virtumonde's latest trick!
Post by: micky77 on January 04, 2008, 10:46:04 PM
SasH, do you have any idea how you became infected? Do you use P2P (or similar downloading) or do you think it was by visiting a bad site/opening email/clicking on a link, etc.? I do nearly all my surfing/emailing using Sandboxie. I haven't as yet recovered anything from sandboxes, but, as far as just purely using the net to 'look', open email attachments, clicking links etc., I feel quite safe. When I'm done I simply empty the box, and any nasties with it. Also, if you click on an email link while using Sandboxie, it opens your browser sandboxed, or if you view a video while surfing, it opens your media player sandboxed, etc., etc.
Title: Re: Virtumonde's latest trick!
Post by: Hard_ROCKER on January 04, 2008, 11:12:34 PM
Hi SasH,

Well, make backups, maybe have a virtual 2GB online encrypted, and the next time it is flush and install anew, but I agree with you it is one of the nastiest experiences you can get. It turned me into a malware fighter until the end of my days,

Damian

Hello old Pol !  ;D

What did you mean by "make backups", were you referring in general or were you saying to Sasha that HE should make backups?

You checked out IDrive (http://www.idrive.com/) yet ? U like ? I love it !  ;D

P.S: Thanks again Tech for letting us know about IDrive!
Title: Re: Virtumonde's latest trick!
Post by: Lisandro on January 05, 2008, 01:15:03 AM
P.S: Thanks again Tech for letting us know about IDrive!
Yeah... www.idrive.com
12Gb of storage if you share at least with 5 other friends ;)
Title: Re: Virtumonde's latest trick!
Post by: szc on January 05, 2008, 01:18:56 AM
SasH, do you have any idea how you became infected? Do you use P2P (or similar downloading) or do you think it was by visiting a bad site/opening email/clicking on a link, etc.? I do nearly all my surfing/emailing using Sandboxie. I haven't as yet recovered anything from sandboxes, but, as far as just purely using the net to 'look', open email attachments, clicking links etc., I feel quite safe. When I'm done I simply empty the box, and any nasties with it. Also, if you click on an email link while using Sandboxie, it opens your browser sandboxed, or if you view a video while surfing, it opens your media player sandboxed, etc., etc.

To tell you the truth, I have no idea. P2P is a strange word when it comes to my computer. I used to use Azureus but that was 2 years ago. Since then no P2P program is installed on my machine. I simply don't need them. I use uTorrent, but what I was downloading is Linux distros from developers' site, so possibility to download something like that is equal to none.

Even though I don't use P2P, my avast! P2P provider is always active... same with chat programs. I don't do any file transfer when it comes to chat apps.

I really have no clue what was going on... Also, I don't visit any nasty websites... if Site Advisor says it is "green" I am in, if it's not I simply never open that link...
Title: Re: Virtumonde's latest trick!
Post by: szc on January 05, 2008, 01:21:16 AM
P.S: Thanks again Tech for letting us know about IDrive!
Yeah... www.idrive.com
12Gb of storage if you share at least with 5 other friends ;)

Free - but not quite enough. My system backups are usually around 13-15 Gb, and that's just partition C: with the OS installed and program files. Also, even when encrypted, I am not fond of leaving my files somewhere "in the wild".
Title: Re: Virtumonde's latest trick!
Post by: polonus on January 05, 2008, 01:21:37 AM
Hi Miha,

Why are you always guessing what I think about? Yes, that was what I was thinking about. He has too many valuable things on his computer to lose that because of a compromised computer.
The "total recall" thing should not be out of the ordinary, and your thought is the best option in the case of hardware trouble, you know better than me what the life-span of a hard disk is/could be, what dust can do to a motherboard, and that a normal "nagrywarka" (dvd-burner) does not live longer than 250 !! burning-hours? Heh, it is not a lightbulb, but this hardware comes closest. Did you know that? Shocking information for some. So your critical items locked online, not a bad thought, I have my codes online at a share site of 2 GB, and you have to renew by going there every month.

And for SasH, go to wikipedia and do a read-up on vundo and the Internet glitch, you can get this doing nothing at all just hanging on the Internet through a router will do it in time! M$ would say that it was a feature...

pol
Title: Re: Virtumonde's latest trick!
Post by: Hard_ROCKER on January 05, 2008, 01:46:52 AM
...
Why are you always guessing what I think about?
...

Well, I have to guess because I do not understand your posts sometimes and I want to know what you meant, that's all ...

In this case it seemed like you were implying to Sash that he needs to backup, which is a strange comment since he explained already he is doing regular backups. Besides, you and I both know he was making system images before you and I even heard the term system image, so I just wanted to clear up what you meant. Did you mean A: Sash you need to backup! or B: Everybody should back up! I hope you understand what I am trying to say, your post could be interpreted either way.

Title: Re: Virtumonde's latest trick!
Post by: polonus on January 05, 2008, 01:57:40 AM
Hi Miha,

No, I mean as I say that an online image of what we have is a blessing for all that suddenly run into a big hardware calamity, to recover data easily and at a low(er) cost. I could have guessed that Sasha thought of this before all of us. Another thing is that I experienced what it was to have to copy your Windows data, burning from Knoppix, because the data could not be attained in any other way (no valid allocation and other major trouble); using the alternating arrows and F8's to change from a compromised Windows into a Linux for recovery is no pleasure, I can tell you, it brought me here,

Damian
Title: Re: Virtumonde's latest trick!
Post by: Hard_ROCKER on January 05, 2008, 02:22:49 AM
Free - but not quite enough. My system backups are usually around 13-15 Gb, and that's just partition C: with the OS installed and program files. Also, even when encrypted, I am not fond of leaving my files somewhere "in the wild".

Hello buddy !

It's meant more for file/folder backups, and not system images, although you could store those as well, that's of course if they fit. But you could get a paid account with 50gb storage; 12gb is enough for my needs. I only backup my documents and certain sensitive files with IDrive though. All of that is only 1gb so the size isn't an issue for me. As for system images, I have the latest always stored on my second hdd and the older ones I store on my linux rig.
Title: Re: Virtumonde's latest trick!
Post by: cgpmaster on January 05, 2008, 05:06:39 AM
lol where can i download this Virtumonde's ?

I want to destroy this computer (NOT IN MY SIGNATURE)
Title: Re: Virtumonde's latest trick!
Post by: YLAP on January 05, 2008, 10:32:14 AM
I just wonder where my antivirus was when this hit my computer.
Sitting silently in the system tray ;D
Better, swirling ;D

 ;D It's funny, but it scares me. I'm already afraid to surf the net  :( going only to sites I check everyday...
Title: Re: Virtumonde's latest trick!
Post by: szc on January 05, 2008, 04:55:55 PM
lol where can i download this Virtumonde's ?

I want to destroy this computer (NOT IN MY SIGNATURE)

Destroy which computer ? We are here to help people recover their computers and ask for help when needed... certainly not to destroy anything.

Not quite for LOL in my opinion  :P

These forums are here to help people having problems with viruses, stop spreading of above mentioned or if it's already kind of late, trying to clean them... and asking to download some virus is not appropriate, especially in forums like this one. I hope it was just a joke.