WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS
Category Archives: Destructive behavior
Some malware can damage the operating system, such that it crashes and/or will not reboot. Webroot characterizes any behavior that results in loss of data or of the use of the infected computer destructive.
As a follow-up to the Blackhole Exploit posting, I thought I would share one aspect of my job that I truely enjoy: Discovery.
While investigating some active urls being served up via a blackhole kit, I noticed something quite odd, as I would end up on sites that had malicious code injected into their webpages.
Once the redirection to the blackhole kit was initiated, I saw the usual exploits taking place, first being Internet Explorer and Adobe Flash, then onto Adobe Reader and Java.
This time, the kit didn’t stop there. Internet Explorer proceeded to launch Windows Media Player. Since I had never used it on this test machine, the Windows Media Player install sequence initiated, causing the windows media player setup screen to appear in order to finalize its installation.
I became curious as to what Windows Media Player is being used for. Unfortunately in this case, I couldn’t see where any files were called down to the machine and did not have any type of network analyzer running.
An unusual family of Trojans, apparently of Chinese origin, engages in rootkit-like behavior which seems designed not to hide the presence of the malware on an infected system, but to misdirect or confuse a technical person who might be using system analysis tools on an infected computer.
The Trojans all originated from a server operated by a free Web host in China, and each sample we tested sent profiling data about the infected system to a command-and-control server located on yet another free Web host, also located in China. It appears to have capabilities to receive instructions to download other components, and it scans the system for antivirus products commonly available in China, including products made by Qihoo 360, China’s largest homegrown antivirus company.
But the most interesting aspect of the Trojans was how it managed to fool most of the free tools someone might use to monitor running programs. The Trojan shows up in the list of active programs, but when that list includes a full path to the running executable, that path points at a nonexistent file supposedly in another location. Continue reading →
In our previous technical analysis of the ZeroAccess rootkit, we highlighted how it acts as a framework by infecting the machine — setting up its own private space in the disk, first through a dedicated file system on the disk, and more recently by using a hidden and locked directory. This is where the rootkit stores the modules it downloads from the command and control servers. Until now, the plugins we’ve monitored have been ad-clickers and search engine hijackers.
We have also noted how the ZeroAccess rootkit acts very similar to the TDL3 rootkit, either by infecting a random system driver, using its own file system to store its plugins or by filtering the disk I/O by analysing the SCSI packets – though in a pretty different way. It’s more effective in the TDL3 rootkit and less effective in the ZeroAccess rootkit, however ZeroAccess has many more self-protection mechanisms in place.
While analyzing the ZeroAccess rootkit, I’ve always had the feeling it was inspired by the TDL3 rootkit. But while looking at the latest updates of it I’ve found something pretty interesting: The ZeroAccess team is looking at TDL rootkit as an enemy that needs to be defeated. The questions remains, is there a link between the two rootkits? We suspect the answer is yes.
Among the most infamous kernel mode rootkits in the wild, most of them have had a slowdown in their development cycle – TDL rootkit, MBR rootkit, Rustock are just some examples. The same doesn’t apply for the ZeroAccess rootkit. The team behind it is working quite hard, which we know for a fact because I’ve seen it.
We already talked about this rootkit and its evolutions in several blog posts, along with a white paper that documents more in depth all the technical features of the malware. The last major update released by the team behind ZeroAccess dates back a couple of weeks; That update implemented a strong self-defense routine able to kill security software programs that try to get access to its code, blocking the security software from running by manipulating access control list, or ACL, settings.
Last week ZeroAccess received another update, and again it’s a major one. The rootkit shifted from a hidden encrypted file used as an NTFS filesystem volume to a more comfortable hidden directory created inside the Windows folder, where the rootkit still stores its configuration data and other malware in an encrypted form. Continue reading →
The latest generation of a rapidly evolving family of kernel-mode rootkits called, variously, ZeroAccess or Max++, seems to get more powerful and effective with each new variant. The rootkit infects a random system driver, overwriting its code with its own, infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. But its own self-protection mechanism is its most interesting characteristic: It lays a virtual tripwire.
I’ve written about this rootkit in a few recent blog posts and in a white paper. On an infected computer, this new driver sets up a device called \Device\svchost.exe, and stores a fake PE file called svchost.exe – get it? The path is \Device\svchost.exe\svchost.exe. The driver then attaches itself to the disk device stack. The driver creates a new system process, called svchost.exe, pointing to the path: \\Globalroot\Device\svchost.exe\svchost.exe. This fake process serves as a kind of trap, specifically looking for the types of file operations performed by security software.
When a typical security scanner tries to analyze the rootkit-created svchost.exe file, the rootkit queues an initialized APC into the scanner’s own process, then calls the ExitProcess() function — essentially forcing the scanner to kill itself. The rootkit’s effectiveness, however, is hindered by a weakness in the way the rootkit filtered disk I/O. As it turned out, we can easily bypass the filtering technique and get to the masked data. We’ve also reversed the code the rootkit uses to generate domain names it will contact for command-and-control, and have provided a list of the domains it will use in the months of July, 2011 and August, 2011 so network managers can protect themselves proactively.
The other morning, I walked into the office to find a slew of instant messaging buddy requests from total strangers. This isn’t unexpected: I frequently get buddy requests on IM accounts I maintain for research purposes that contain malicious URLs and other useful research data. But this was one request I wasn’t expecting.
The inquiry, written in both English and Russian, was simply an advertisement for “Organization of DDOS attacks” from an ICQ account that has not been used since the friend request came in. The somewhat perplexing offer claims the service offers “support online 24/7/365″ (finally, a DDOS service that works weekends and holidays, unlike those slacker DDOSers who only work during banker’s hours) and asks “You hurt? We got competition?“
Who’s this we you’re referring to, mister criminal mastermind?
The solicitation for business included a different ICQ user ID number than the one used to send the buddy request, as well as an email address. I’ve seen some strange solicitations for various kinds of business delivered this way, but never one so brazen over an ostensibly illegal (both in Russia and elsewhere) service.
It’s too bad I can’t tell the guy to just go DDOS himself, but the accounts used in the ad have all been shut down.
Last Wednesday, Microsoft published a blog post detailing a significant update to a piece of malware named Popureb. The malware adds code to the Master Boot Record, or MBR, a region of the hard disk that’s read by the PC during bootup, long before the operating system has had a chance to get started. Researchers sometimes refer to these kinds of malware as bootkits, or a rootkit which loads at such a low level during the boot process that it is invisible to the operating system, and therefore very difficult to remove.
Microsoft researcher Chun Feng detailed some of the new features of Popureb.E, which includes a very low-level hook into the Windows driver responsible for disk writes and reads. When the driver on an infected system detects an attempt to write changes into the MBR — the kinds of changes a repair tool might try to make — it simply changes the command from write to read, effectively neutering any kind of tool running within Windows that might try to fix the infection.
Microsoft’s initial cleanup guidance on Popureb.E was pretty drastic, and more than a little scary: Full removal of the bootkit requires a full reinstall of Windows, wiping out anything currently on the hard drive. We don’t think this is the case, and the Microsoft folks seem to have moderated their advice to include some manual fixes using the recovery console.
While the whole concept behind the Trojan is valid and technically powerful, the practical implementation of the malware is not as valid as the idea behind it. What follows is a fairly technical write-up that describes both the problem, and one solution we’ve come up with.
This week’s rogue, once again, mimics a system utility and not merely an antivirus product. Either way, the scam is the same: Convince the victim that their computer is broken, then coerce them to pay for useless snake oil.
These rogue system utilities go by the names Windows Troubles Killer or Windows Salvage System; They are, for all intents and purposes, identical programs which have been “skinned” with different names. They actually appear to be a hybrid rogue, carefully blending a customized mix of malarkey and baloney into some sort of shenanigans smoothie. The program claims not only to be able to scan your computer for problems with software settings and other system optimization-sounding stuff, but also to perform some sort of check of your “Computer Safety” and “Network Security.” Oh yes, and there’s an antivirus component too, just to round out the complete package.
All in all, it’s a fairly rudimentary rogue to remove (whether you choose to do it manually or use our software), but it performs some unique system modifications that disable some legitimate security software, turns off some important Windows features, mimics some of Microsoft’s own software, and generally acts as a nuisance while reducing the actual security level of an infected computer. I’ll detail those after the jump. Continue reading →
This week’s Thre@t Reply video features Threat Research Analyst Armando Orozco answering one of the most frequently asked questions we receive: What is a firewall, and how does it work? Well, the actual question wasn’t put quite so politely, but that’s the gist of it. Armando is the primary researcher working on the Mobile Security for Android product, but he also researches malware on Windows and Mac malware, as well.
As always, feel free to submit your security question to @webroot, or by email to blog (at) webroot (dot) com, or in the comments below and we’ll get one of our threat researchers to answer it on an upcoming Thre@t Reply video. To see any of our other video replies to reader questions, visit the Webroot channels on YouTube or Vimeo.