Jan 19 2013
The home-banking Trojan known as Shylock has just been updated with new functions. According to the CSIS Security Group, researchers found during an investigation that Shylock is now capable of spreading through the popular Voice over IP service and software application, Skype.
The program, discovered in 2011, steals online banking credentials and other financial information from infected computers. Shylock is named after a character from Shakespeare's "The Merchant of Venice".
Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.
The Skype replication is implemented with a plugin called "msg.gsm". This plugin allows the code to spread through Skype and adds the following functionality:
– Sending messages and transferring files
– Cleaning its messages and transfers out of the Skype history (using SQLite access to the "Skype%smain.db" database)
– Bypassing the Skype warning/restriction on third-party programs connecting to Skype (using the "findwindow" and "postmessage" API calls)
– Sending requests to the server: https://a[removed]s.su/tool/skype.php?action=…
Besides Skype, it also spreads through local shares and removable drives. The C&C functions allow the attacker to:
– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files
Shylock is one of the most advanced banking Trojans currently used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.
As always for this type of Trojan, antivirus detection is low.
Tags: Banking Trojan, Banking Virus, Hacking Tool, Hacktools, News, Shylock, Shylock Trojan, Skype, Skype Hack, Skype Trojan, Trojan, Trojan Banker, Trojan Horse, Virus
Filed in Hacking Tools, Malware / Rootkit, Stories/News, Viruses | Prasanna Sherekar
Oct 26 2011
An emerging malware threat identified as the Duqu trojan has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010.
What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.
Duqu vs. Stuxnet

| Attribute | Duqu | Stuxnet |
|---|---|---|
| Infection Methods | Unknown | USB (Universal Serial Bus), PDF (Portable Document Format) |
| Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files |
| Zero-days Used | None yet identified | Four |
| Command and Control | HTTP, HTTPS, Custom | HTTP |
| Self Propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call), Network Shares, WinCC Databases (Siemens) |
| Data Exfiltration | Add-on, keystroke logger for user and system info stealing | Built-in, used for versioning and updates of the malware |
| Date triggers to infect or exit | Uninstalls self after 36 days | Hard coded, must be in the following range: 19790509 => 20120624 |
| Interaction with Control Systems | None | Highly sophisticated interaction with Siemens SCADA control systems |
The facts observed through software analysis are inconclusive in terms of proving a direct relationship between Duqu and Stuxnet at any other level.
Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu’s primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.
Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary's ability to gather intelligence from an infected computer and its network. No specific market segments, technologies, organizations or countries targeted by the Duqu malware have yet been identified.
What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.
| Name | File Size | MD5 |
|---|---|---|
| jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd80 |
| netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad8 |
| netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c3 |
| cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b24 |
| cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c |
| cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6c |
| <unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87e |
| nfred965.sy | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5 |
| nred961.sys | unknown | f60968908f03372d586e71d87fe795c |
| adpu321.sy | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc |
| iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f |
The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.
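The indicators the post names (the C2 address, the kasperskychk.dyndns.org lookup, and the "~DQ" temp-file prefix) can be turned into a small triage check. This is an added example, not code from the original post or from any vendor; the host-event log format it parses is an assumed, simplified one, and the log lines and temp files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post above.
DUQU_C2_IP = "206.183.111.97"
DUQU_CHECK_DOMAIN = "kasperskychk.dyndns.org"
DUQU_TEMP_PREFIX = "~DQ"

# Constructed sample lines in an assumed, simplified host-event format
# ("<ts> <host> dns <name>" or "<ts> <host> conn <ip>:<port>"), not a real product's log.
SAMPLE_LOG = """\
2011-10-26T08:01:02 ws17 dns www.example.com
2011-10-26T08:01:09 ws17 dns kasperskychk.dyndns.org
2011-10-26T08:01:15 ws17 conn 206.183.111.97:443
2011-10-26T08:02:00 ws22 conn 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|conn)\s+(?P<value>\S+)$")

def find_network_indicators(log_text):
    """Return (host, reason) pairs for lines that match the Duqu network indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, kind, value = m["host"], m["kind"], m["value"]
        if kind == "dns" and value.lower().rstrip(".") == DUQU_CHECK_DOMAIN:
            hits.append((host, "resolved " + DUQU_CHECK_DOMAIN))
        elif kind == "conn" and value.rsplit(":", 1)[0] == DUQU_C2_IP:
            hits.append((host, "connected to C2 " + DUQU_C2_IP))
    return hits

def find_dq_temp_files(temp_dir):
    """Names of files in temp_dir carrying the ~DQ prefix the keylogger component uses."""
    return sorted(p.name for p in Path(temp_dir).iterdir()
                  if p.is_file() and p.name.startswith(DUQU_TEMP_PREFIX))

def demo_temp_scan():
    """Self-contained run of the file check against a constructed temp directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "~DQ1a2b.tmp").touch()   # constructed stand-in, not a real Duqu file
        (Path(d) / "ordinary.tmp").touch()
        return find_dq_temp_files(d)
```

On a real host, point find_dq_temp_files at the Windows temp directories rather than the constructed one.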
How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could.
Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.
Tags: Duqu, Duqu Trojan, Duqu Worm, Hacking Tool, Hacking Tools, Hacktools, Malware, RAT, Remote Access Trojan, Stuxnet, Stuxnet Worm, Trojan, Trojan Horse, Virus
Filed in Hacking Tools, Network Hacking, White Papers | Prasanna Sherekar
Aug 28 2011
F-Secure Lab has just found a new Internet worm that is spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a spreading vector that we haven't seen before: RDP (Remote Desktop Protocol). Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.
When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.
Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:
admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
…
Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.
The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.
Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.
F-Secure Lab detected Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.
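The behaviour described above (one source sweeping the network on 3389/TCP, then repeatedly failing to log in as Administrator until one of the listed passwords works) is easy to spot in authentication and connection logs. The following is an added example, not F-Secure's code; the event tuple format and the sample events are constructed, and the password set is the one quoted in the post.

```python
from collections import Counter, defaultdict

RDP_PORT = 3389
SCAN_FANOUT = 5      # distinct RDP targets from one source before we call it a scan
FAIL_THRESHOLD = 4   # failed Administrator logons from one source before we call it guessing

# Passwords quoted in the post above (the post's own list is truncated with "…").
MORTO_PASSWORDS = {"admin", "password", "server", "test", "user", "pass",
                   "letmein", "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123"}

# Constructed sample records, not a real product's log format:
# (source ip, destination host, destination port, account, logon succeeded)
SAMPLE_EVENTS = [
    ("10.0.0.5", "srv01", 3389, "Administrator", False),
    ("10.0.0.5", "srv02", 3389, "Administrator", False),
    ("10.0.0.5", "srv03", 3389, "Administrator", False),
    ("10.0.0.5", "srv04", 3389, "Administrator", False),
    ("10.0.0.5", "srv05", 3389, "Administrator", False),
    ("10.0.0.5", "srv05", 3389, "Administrator", True),   # a guessed password worked
    ("10.0.0.9", "srv01", 3389, "jsmith", True),          # ordinary admin session
    ("10.0.0.9", "srv01", 445, "jsmith", True),           # SMB, not RDP: ignored
]

def detect_morto_like(events, fanout=SCAN_FANOUT, fails=FAIL_THRESHOLD):
    """Return {source_ip: [reasons]} for sources showing Morto-style RDP behaviour."""
    targets = defaultdict(set)      # src -> hosts it touched on 3389
    admin_fails = Counter()         # src -> failed Administrator logons
    admin_hits = defaultdict(set)   # src -> hosts where Administrator succeeded after failures
    for src, dst, port, user, ok in events:
        if port != RDP_PORT:
            continue                # the worm's only vector is RDP
        targets[src].add(dst)
        if user.lower() != "administrator":
            continue
        if not ok:
            admin_fails[src] += 1
        elif admin_fails[src]:
            admin_hits[src].add(dst)
    alerts = {}
    for src in targets:
        reasons = []
        if len(targets[src]) >= fanout:
            reasons.append(f"RDP scan: {len(targets[src])} distinct hosts")
        if admin_fails[src] >= fails:
            reasons.append(f"{admin_fails[src]} failed Administrator logons")
        for dst in sorted(admin_hits[src]):
            reasons.append(f"Administrator logon to {dst} succeeded after failures")
        if reasons:
            alerts[src] = reasons
    return alerts

def is_morto_password(password):
    """True if a local Administrator password is one the worm is known to try."""
    return password in MORTO_PASSWORDS
```

Thresholds are assumptions; tune them to the normal RDP fan-out on your own network.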
Jan 20 2011
The first virus capable of infecting DOS-based PCs celebrates its silver jubilee this month.
The Brain Virus, written by Pakistani brothers Basit and Amjad Alvi, was relatively harmless. The Alvis claimed the malware was there as a copyright protection measure to protect their medical software from piracy, an article by CIO magazine on the anniversary recalls.
Brain replaced the boot sector of an infected floppy disk with malicious code, moving the real boot sector to another part of the disc. The malware had the effect of slowing down disk access and, more rarely, making some disks unusable.
Any other floppies used on a machine while the virus was in memory would get infected, but the malware did not copy itself to hard disk drives, as explained in a write-up here.
The Lahore-based Alvi brothers were fairly upfront about their questionable actions, going as far as embedding their names and business address in the malware code. Although intended only to target copyright violators, the malware infected machines in the US and UK among other places.
It’s hard to believe now, but the very few computer viruses prior to Brain infected early Apple or Unix machines.
It is highly unlikely any of today’s generation of VXers would do the same. Instead of curios such as the Brain virus, security threats these days take the more ominous form of Zombie botnet clients.
The Alvi brothers could never have imagined we’d get here, even though they arguably helped pave a small part of the way towards a world of Windows malware.
Jan 09 2011
A new social networking worm in the vein of Koobface is currently doing the rounds.
Unlike the majority of Facebook scams, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.
The link, received in a Facebook chat message from a friend, pointed to an app.facebook.com/CENSORED page. Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately pushes a download of a "FacebookPhotos#####.exe" file, with no clicking required.

The screen reads “Photo has been moved. This photo has been moved to other location. To view this photo click View Photo.” If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.
It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.
The good news is that Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends, whether they arrive in email, on their walls, or in an instant message.
Tags: Facebook, Facebook Hacking, Facebook Worm, Koobface, Malware, News, Stories, Virus, Worm
Filed in Privacy Attacks, Social Engineering Attacks, Stories/News, Viruses | Prasanna Sherekar