Category: Viruses

Jan 19 2013

Shylock Banking Trojan Spreads via Skype

Skype TrojanThe home Trojan-banker known as Shylock has just been updated with new functions. According to the CSIS Security Group, during an investigation, researchers found that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype.

The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice”.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

– Sending messages and transferring files
– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

Besides from utilizing Skype it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:

– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files

Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

As always for this type of Trojans antivirus detection is low.

Jul 11 2012

How DNSChanger Malware Works

DNSChangerDNSChanger is malicious software (malware) that changes a user’s Domain Name System (DNS) settings, in order to divert traffic to unsolicited and potentially illegal sites.

Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name “Rove Digital” and used the malware to manipulate users’ Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

FBI has since seized the rogue DNS servers and the botnet’s command-and-control (C&C) servers as part of “Operation Ghost Click” and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

DNS Work DNSChanger Work
How DNS Works How DNSChanger Works

With the ability to change a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address, in this case, advertisement websites.

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Jan 06 2012

Ramnit Worm Targets Facebook, Over 45,000 Accounts Compromised

Ramnit Worm FacebookMuch has been written about the Ramnit worm and its transformation into a financial malware. And now, Seculert’s research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France.

Discovered in April 2010, the Microsoft Malware Protection Center (MMPC) described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”. In July 2011 a Symantec report estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.

In August 2011, Trusteer reported that Ramnit went ‘financial’. Following the leakage of the ZeuS source-code in May, it has been suggested that the hackers behind Ramnit merged several financial-fraud spreading capabilities to create a “Hybrid creature” which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities.

With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.

Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.

Oct 28 2011

Tsunami – Backdoor Trojan for Mac OS X Discovered

OSX/Tsunami.A, an IRC controlled backdoor Trojan for Mac OS X, has been discovered that enables the infected machine to become a bot for Distributed Denial of Service (DDoS) attacks.

The analyzed sample contains a hardcoded list of IRC servers and channel that it attempts to connect to. This client then listens and interprets commands from the channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

Linux Tsunami

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.

Aug 28 2011

Windows Remote Desktop Worm “Morto” Spreading

F-Secure Lab just found a new Internet worm, and it’s spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven’t seen before: RDP (Remote Desktop Protocol). Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.

Windows Remote Desktop Worm Morto

When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.

Windows Remote Desktop Worm Morto

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
…….
………..

Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and
\windows\offline web pages\cache.txt.

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

F-Secure Lab detected Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.