Virtumonde's latest trick!

[polonus]

Hi malware fighters,

What about the latest developments coming from the Virtumonde authors?
The latest trick they use is file infection to make removal even more difficult. Coming from one of the most notoriously to remove malware, we were not expecting less. They use all the tricks i  the book:
notice the differende between trial.exe and trial. exe?!

"Like some other malware this version of Virtumonde enumerates which files are being run at Windows startup. It will check the files and if deemed OK for infection it will start the infection routine.

What Virtumonde is basically doing is creating a Trojan-Dropper. It will drop the original host file into %temp% and start the file from there. Next to that it will drop the Virtumonde component into the system directory.

The dropped DLL in the system directory will do its Virtumonde-tricks as well as look for files to infect(from startup). So, this is not a patcher. This is a virus.

About 4KB of dropper code is prepended in front of the host file. The Virtumonde DLL gets appended to the host file. The DLL is about 32KB large, but the exact size of appended code may vary. It also makes use of an infection marker in the resource section to make sure it does not reinfect the same file time and time again.

The original host file sits unaltered inside the newly created exe which makes disinfection quite easy.
Something tells me that their next attempt is going to be more tricky to handle. Info - KAV"

polonus

[MikeBCda]

Virtumonde seems to be the "name" in threats these days. 

I've seen several threads on how to repair the damage afterwards.  But what's the best pro-active defense, avast and other kinds of specialized anti-malware?  Or is Virtumonde changing too quickly for normal defenses to keep up with?

[Lisandro]

Isn't Zero Day Security a good solution? Will it detect Virtumonde?
Is a HIPS tool necessary for it?

[essexboy]

It changes too fast, in this game the advantage is with the malware programmers.  Virus analysts are allways playing catchup.  The only way to reduce the effect is to surf with restricted rights, not a major problem with Vista but a PITA with XP.   

[polonus]

Hi essexboy,

Yes it is an ongoing battle against the vundo monster, see the posting in our special corner re: win32.bho-hd with vundo characteristics, there I posted the latest file traces (dated Jan 3rd 2008).
I also expect there are certain dlls in Firefox that can add this to spread, these were reported where certain similar spyware was concerned (Adware). The glitch in Windows that causes that the windows protection is slowly deminishing while the machine is just connected to the Internet is hard to avoid. Best policy at the moment, update Sun Java and remove older versions, use NoScript, and surf with normal user rights and not with full admin rights, in the latest versions a driver dll is loaded and a BHO created, also initial executable names are being reverted. Well they use all the tricks in the malware book, and it is effective...

An example of a vundo infection:
Side effects:
   • Drops a file
   • Drops a malicious file
   • Third party control

 Files It deletes the initially executed copy of itself.



The following files are created:

– %SYSDIR%\%seven-digit random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/Virtumonde.B

– %TEMPDIR%\removalfile.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry The following registry keys are added:

– [HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
   • @="%SYSDIR%\%seven-digit random character string%.dll"
   • "ThreadingModel"="Both"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   ShellExecuteHooks]
   • "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   vtutrrq]
   • "Asynchronous"=dword:00000001
   • "DllName"="%seven-digit random character string%"
   • "Impersonate"=dword:00000000
   • "Logon"="Logon"
   • "Logoff"="Logoff"

 Backdoor Contact server:
All of the following:
   • http: //82.98.235.63/cgi-bin/check/**********
   • http: //85.12.25.**********

As a result it may send information and remote control could be provided.

Sends information about:
    • Current malware status


Remote control capabilities:
    • Download file

 Injection –  It injects the following file into a process: %SYSDIR%\%seven-digit random character string%.dll

    All of the following processes:
   • explorer.exe
   • WINLOGON.EXE


 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own files

polonus

[FreewheelinFrank]

Isn't Zero Day Security a good solution? Will it detect Virtumonde?
Is a HIPS tool necessary for it?

Relax, take a chill pill, and...

Malware-Laced Banner Ads At MySpace, Excite

If you happen to visit the MySpace Chat Forums without the benefit of the latest security updates for popular Web browsers and media player plug-ins (think Macromedia Flash, QuickTime, e.g.), your Windows machine is likely to get a kitchen sink full of malware crammed down its gullet.

http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html?nav=rss_blog

Malicious ads on Myspace, Excite, Blick

We worked earlier today with Brain Krebs at the WP about malicious banner ads on Myspace.  (Malware is being delivered through exploits, but fully patched systems won’t be affected.)

http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html

"fully patched systems won’t be affected"

[Lisandro]

Relax, take a chill pill, and...

Frank... when I've saw Sasha with his computer infected... other avast users having deep trouble... yes, I've panicked.

[Hard_ROCKER]

I paniced aswell after seeing Sasha's thread. The worst part is he was infected for months before discovering the infection.   
It makes you wonder doesn't it ...

[polonus]

Hi Miha,

It makes you wonder indeed, if you fail the one dropper before it starts up for instance through winlogon, the file name is changed in a random arrangement or being reversed or even with a space in between the legit name and the executable, who would notice afterwards. It is like with demons, invite one in and all his friends are coming to stay as well. So there is not really much hope after you have been compromised and the trojan played havoc and contacted outside to do whatever it is programmed to do. So one gram of preventions weighs more than one kilo of cleansing afterwards. Anyway panick has never done anyone any good, and there our friend FwF has a solid point. Better prevent script to run or have it checked, update and patch or better even still - surf between the plag-poles and watch the shark-siren, my dear friend,

Damian

[Lisandro]

Anyway panick has never done anyone any good

You can call it lost of confidence. People say we're fan boys... I don't feel like one.

[FreewheelinFrank]

Don't put your trust in any AV: make sure to patch the vulnerabilities that let these drive-by downloads happen. Here is a list of exploits used in a current attack:

Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...

(1) first is the venerable MDAC (MS06-014). It's old, (worked up to Sep 2006), but it works like a charm if you're not patched.
(2) second is one of the many QuickTime exploits. It's not easy to determine which version it is, but it's probably one of last years.
(3) three is AOL's SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On (tm))
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.

http://explabs.blogspot.com/2008/01/neosploit-january-2008.html

[szc]

Yes, I felt it on my own skin... nothing helped, so I had to go all the way back to the last year with my system backup image. After I've noticed there will be so much caching up, reinstallation of hundreds of applications and tools I use, there was an idea burning deep inside of me that I might as well install my OS from the scratch... at least I'll have completely flushed and refreshed system. So I went with Vista Ultimate and I have to say for some reason it works at least 1/3 times faster than my old XP installation. Everything seems super fast and smooth, and I believe it's due to the fact that I'm running it on 2 Gb of RAM and of course with a huge help of my new nVidia card. Of course this will not change my opinion about this OS 'cause there still are all those issues that MS needs to fix with that SP1 we are waiting for so bad... but it helped me to realize how much faster it behaves when you have more RAM... it is sad though that people who can't afford to put more RAM into their computers, can't experience this OS in full. So, I went to the store and bought another 2 Gb RAM but this time for my laptop (running Vista as well). Since there are two memory slots only, I took out 512 Mb from one and installed this 2 Gb instead, leaving another 512 Mb inside the other slot... so now my laptop runs Vista with 2.5 Gb and I have to say it is a huge difference. Still... MS needs to work on fixing all those annoyances we've got with this "new" OS.

Huh... got carried away... back to VirtuMonde - thre words only - I HATE IT!

[polonus]

Hi SasH,

Well make back ups, maybe have a virtual 2GB online encrypted, and the next time it is flush and install anew, but I agree with you it is one of the nastiest experiences you can get. It turned me into a malware fighter until the end of my days,

Damian

[szc]

As I mentioned in my reply above:

... nothing helped, so I had to go all the way back to the last year with my system backup image...

I'm not even sure if there is anyone else in this forum that makes and have more system backup images than I do. For every single month, for the past two years, I have backups for each two weeks, all on DVD's read to restore. Bunch of last backups is no good anymore since I found out they all were infected, so I went back all the way to the last year backup from December. Naturally, I had to reinstall a lot of applications since I installed a bunch of new ones since December 2006, so that made my decision to reinstall OS from the scratch even easier... especially because I had a chance to switch from XP to Vista in the same time.

So, making backups IS very important, but it shows that if your security applications can not protect you, backups are almost unusable. Let's take a small example... ordinary PC user won't make more than 2 system backups per month, and most of them will not even go further than 2 months in the past... so the calculation is pretty straight-forward... all those backups, if infected like in my example, would be ready for trash. Go figure what to do in cases like this... I just wonder where my antivirus was when this hit my computer.

[Lisandro]

I just wonder where my antivirus was when this hit my computer.

Siting silently in the system tray
Better, swirling