* 25 Jan: PimpMyWindow - Brazilian adware (Fabio Assolini)
* 15 Jul: The most innocent as vectors to increase the Pay-per-Click business (Jorge Mieres)
* 07 Nov: Unexpected redirects (Dmitry Bestuzhev)
* 05 Dec: Virtumonde/Vundo goes file infector (Roel)
* 02 Sep: The Nsag infector story continues (Roel)
Brazilian cybercrime is based primarily on the spread of Trojan bankers. For some time now the country’s cybercriminals have been investing their efforts in new monetization schemes, the latest of which uses adware. And the perfect place for distributing this sort of malware? Yes, that’s right – social networks. This is how "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works.
To spread quickly among unsuspecting users, the adware uses the "change the color of your profile" lure that recently surfaced. Infected profiles are then used to send automatic messages to the victim's Facebook contacts:
It is clear that cybercriminals do not have any code of ethics. Consequently, even the most innocent audiences are targets from an attacker’s perspective, and are often used as a means of generating higher economic returns, in this case through the abuse of clicks.
The following image provides clear evidence of this. Designed with an interface that’s "user friendly" for kids, this website invites you to download a threat detected by Kaspersky Lab as not-a-virus: AdWare.Win32.BHO.tbz.
Maybe you’re one of the increasing number of users on the lookout for new ways to protect your machine against the malware that’s always in the news. Maybe you’re even one of the users running a sandbox on your machines. (If you’re not, and you don’t know what a sandbox is - it’s an isolated area on a computer, often running on a virtual machine, where you can run code without infecting the main or host machine. Sometimes a sandbox is a separate program that functions within the framework of the local OS – this type is easier for a novice to use as you don’t need to install a virtual machine.)
I was trying to download a sandbox application of the second type when I stumbled on something interesting. I got unexpectedly re-routed to download.com – it’s part of cnet.com and one of the most popular software repositories on the Internet.
The download went smoothly, but then I got re-routed to another page on download.com. This page contained recommendations for other popular software available for download.
I think there’s a pretty clear moral here. You're security conscious and you want to protect your computer. You’re looking for useful utilities. Download.com assures users that all programs available via the website have been analysed, and don’t contain any malicious code. So maybe you relax your vigilance. But with both businesses and bad guys making use of sponsored links on sites like download.com and Google, you’ve got to stay very alert indeed to make sure that you don’t get caught out.
Over the last couple of days I've been looking at some of the latest tricks used by the creators of some adware - Virtumonde, a.k.a. Vundo. Virtumonde is notoriously hard to remove from an infected machine, and with a new infection vector added, the program's got even trickier.
The authors are now using file infection: Virtumonde checks which files run at Windows startup and tries to infect them. Effectively, this turns the original host file into a Trojan-Dropper.
Dropper code is prepended to the original host file, with a copy of Virtumonde being appended to the same file. When the infected file is launched it drops the original host file to %temp% and the Virtumonde file to the system directory.
Although Virtumonde is using an infection marker to prevent re-infecting the same file over and over again, this doesn't always work. There are samples of already infected files being re-infected and the host file then won't run. However, re-infection doesn't prevent Virtumonde itself from running.
This new trick from the Virtumonde authors is pretty easy to detect and disinfect. (We detect it as Virus.Win32.Trats.a). Although this variant didn't cause any headaches from a technical point of view, we can expect some interesting challenges if Virtumonde continues to evolve.
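The prepend/append layout and the unreliable infection marker described above lend themselves to a small disinfection routine. The following is an added example, not Kaspersky's code and not the real Virus.Win32.Trats.a format: the marker, the trailer layout and the byte-string placeholders are all constructed here for illustration. It peels infection layers off a file until no marker remains, which is what handles the re-infected samples mentioned in the text, and it refuses to carve a sample whose recorded lengths do not add up (truncated or corrupt files).

```python
import struct

# Constructed, hypothetical layout for illustration only. It is NOT the real
# Virus.Win32.Trats.a format; the marker and trailer are invented here.
# Infected file = dropper stub + original host + appended adware copy + trailer.
MARKER = b"TOYMARK1"
TRAILER_FMT = "<8sIII"                       # marker, stub_len, host_len, payload_len
TRAILER_LEN = struct.calcsize(TRAILER_FMT)   # 20 bytes


def parse_trailer(data: bytes):
    """Return (stub_len, host_len, payload_len) if data ends with a valid
    trailer, otherwise None. Lengths are checked against the file size so a
    corrupt or truncated sample is reported rather than mis-carved."""
    if len(data) < TRAILER_LEN:
        return None
    marker, stub_len, host_len, payload_len = struct.unpack(
        TRAILER_FMT, data[-TRAILER_LEN:])
    if marker != MARKER:
        return None
    if stub_len + host_len + payload_len + TRAILER_LEN != len(data):
        return None
    return stub_len, host_len, payload_len


def is_infected(data: bytes) -> bool:
    """True when the outermost layer carries the (toy) infection marker."""
    return parse_trailer(data) is not None


def disinfect(data: bytes) -> tuple:
    """Peel off infection layers until no marker remains.
    Returns (recovered_host, layers_removed). A file that was infected twice,
    because the marker check failed to stop re-infection, is unwrapped twice."""
    layers = 0
    while True:
        t = parse_trailer(data)
        if t is None:
            return data, layers
        stub_len, host_len, _ = t
        data = data[stub_len:stub_len + host_len]   # the original host sits between stub and payload
        layers += 1


def build_sample(host: bytes, stub: bytes, payload: bytes) -> bytes:
    """Construct an 'infected' file in the toy layout so the disinfector can be
    exercised offline. Only inert byte-string placeholders are used."""
    trailer = struct.pack(TRAILER_FMT, MARKER, len(stub), len(host), len(payload))
    return stub + host + payload + trailer


if __name__ == "__main__":
    host = b"ORIGINAL-HOST-PROGRAM"
    once = build_sample(host, b"<dropper-stub>", b"<adware-copy>")
    twice = build_sample(once, b"<dropper-stub>", b"<adware-copy>")   # re-infected sample
    for name, sample in (("clean", host), ("once", once), ("twice", twice)):
        recovered, n = disinfect(sample)
        print(f"{name}: infected={is_infected(sample)} layers={n} host_ok={recovered == host}")
```

The size consistency check is the important design choice: a disinfector that trusts the lengths in the trailer blindly will cut the wrong bytes out of a damaged file and produce a host that no longer runs, which is exactly the failure the post reports for re-infected samples.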
Since we last reported on Nsag infectors, we've seen quite a lot of new malware related to Nsag.
There's no real point in continuing to refer to this malware as Smitfraud, so we won't.
Overall, the malware is the same old thing, but in slightly different clothing. Nsag.b infectors have taken the place of Nsag.a infectors. Although these new infectors aren't really innovating, the Trojan-Downloaders that install these infectors are.
Most Trojan-Downloader.Win32.Zlob variants download numerous pieces of malware - most notably a Nsag.b infector and Trojan.Win32.Puper variants.
Zlob is interesting because of the technique it uses to download files.
It uses a new method to inject code into explorer.exe. This way it can download the malicious files without alerting the firewall.
It would seem that the creators are refining the way the Nsag infector gets introduced to the system rather than building new features into the infector itself.
This once again shows that the author(s) mean business. This story is far from over.
Exactly two years ago we introduced our extended databases.
These databases protect against AdWare, RiskWare and PornWare. Some people like to refer to the extended databases simply as anti-spyware protection, but we actually detect much more than just that with the help of these databases, most notably RiskWare programs.
Back then we still had cumulative updates and the extended databases consisted of three components: advware.avc, riskware.avc and pornware.avc.
Later two of those names changed to adware.avc and obscene.avc. Since the beginning of this year we have simply combined them into the extxxx.avc database, where each x stands for a decimal digit. However, we've actually been detecting these types of threats for much longer than two years.
Before we introduced the extended databases the detection of AdWare etc. was included in x-files.avc.
Two years ago it was special to have a separate option to cover such threats, now it is a much more common feature for antivirus programs.
You can select the extended databases by going to KAV's settings, clicking on Threats and exclusions, and then selecting the extended database.
Be sure to read the pop-up message when choosing a database from the dropdown list.
In December 2004 we reported about the first AdWare related file infector, Virus.Win32.Implinker.a.
The number of reports was significant enough for us to include detection and disinfection for this piece of malware in our klwk cleaner.
I was sure that Implinker would change the malware landscape, and it did.
In February 2005, the Virus.Win32.Bube saga started, with multiple variants appearing within a short period of time.
Bube is more advanced than Implinker, and also more difficult to remove.
After Bube's success, I was absolutely certain that it was only a matter of time before a massive outbreak would be caused by a file infector, most likely related to AdWare, and difficult to remove.
And this is the situation we are in now.
Virus.Win32.Nsag.a has been causing havoc across the globe for a couple of weeks now. As the outbreak involves malware which doesn't spread automatically over the internet, statistics are hard to gather. However, the number of reports shows that we're dealing with a massive amount of infected systems.
Nsag is the file infecting part of an infection which many people refer to as 'Smitfraud(.c)'. It seems that several pieces of malware (e.g. Trojan-Downloaders) are downloading and/or installing Nsag onto the system.
For more details of how it infects, see Virus.Win32.Nsag.a in the Virus Encyclopaedia.
Some important factors: dedicated anti-spyware solutions can't detect or disinfect the infected files, so the system remains (partly) infected even after such solutions have been run, and as a result Windows (explorer.exe) may not start properly.
Part of disinfecting wininet.dll has to be done manually. This prevents novice users from getting rid of the infection. (See Virus.Win32.Nsag.a in the Virus Encyclopaedia for removal instructions.)
So what is Smitfraud's real aim?
It seems that all (recent) Smitfraud variants have one thing in common: They all try to persuade the user to download PSGuard, a program which claims to remove the spyware (i.e. Smitfraud) which has been installed onto the system.
Naturally the program only disinfects the infection once the user has paid for it.
Although PSGuard is questionable in terms of motive, the program itself has no malicious payload whatsoever. This means we can't simply add detection for it to our databases.
So is this a new method of distributing AdWare, Spyware and allegedly legitimate software? Is it another nail in the coffin of dedicated anti-spyware solutions? Others have undoubtedly already seen Nsag's major success, and the methods it uses will certainly be copied.
Will AV vendors have to change their traditional code of ethics and start detecting software which has no malicious payload at all, but is almost certainly related to Trojans, viruses or other malware?
Worrying questions, with perhaps even more worrying answers...
A few days ago we mentioned the protection mechanism that Sober uses to keep anti-virus programs from detecting it. Such mechanisms are actually fairly common these days.
They are frequently used by adware and adware-related Trojans. These techniques have evolved over time and are getting very sophisticated, so antivirus vendors are having to work hard to combat these new methods.
There's a range of interesting examples.
When some AdWare companies realised that antivirus solutions could easily delete their software, they first resorted to multiple processes guarding each other.
If either process/file is deleted, the other one automatically respawns it. This technique is still being used in an enhanced form.
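Two of the behaviours described on this page show up clearly in endpoint telemetry: the mutually guarding processes just described, and the Zlob downloader's use of explorer.exe as a trusted network-capable host (see the Nsag post above). The following is an added detection example, not Kaspersky's code; the log format, the process names and the addresses are constructed for the example, and the internal-address list is assumed to be the RFC 1918 ranges plus loopback.

```python
import ipaddress
from collections import Counter

# Constructed sample events (not real telemetry). One event per line:
#   timestamp,event,image,detail
#   event "create":  image = child process, detail = parent process
#   event "connect": image = process,       detail = dest_ip:dest_port
# Addresses use the 203.0.113.0/24 documentation range as stand-ins for external hosts.
SAMPLE_LOG = """\
10:00:01,create,guard_a.exe,services.exe
10:00:02,create,guard_b.exe,guard_a.exe
10:00:05,create,guard_a.exe,guard_b.exe
10:00:06,create,guard_b.exe,guard_a.exe
10:00:09,create,guard_a.exe,guard_b.exe
10:00:10,create,notepad.exe,explorer.exe
10:00:11,create,chrome.exe,explorer.exe
10:00:12,connect,chrome.exe,203.0.113.10:443
10:00:13,connect,explorer.exe,192.168.1.20:445
10:00:14,connect,explorer.exe,203.0.113.55:80
10:00:15,connect,svchost.exe,203.0.113.9:443
"""

# Assumed definition of "internal": RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list:
    """Parse the constructed log into dicts; image names are lower-cased."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, image, detail = line.split(",", 3)
        events.append({"ts": ts, "event": event,
                       "image": image.lower(), "detail": detail})
    return events


def find_mutual_respawn(events: list, min_count: int = 2) -> list:
    """Pairs of processes that repeatedly create each other: A spawned B at
    least min_count times and B spawned A at least min_count times."""
    spawns = Counter()
    for e in events:
        if e["event"] == "create":
            spawns[(e["detail"].lower(), e["image"])] += 1   # (parent, child)
    flagged = set()
    for (parent, child), n in spawns.items():
        # parent < child keeps each unordered pair once
        if parent < child and n >= min_count and spawns[(child, parent)] >= min_count:
            flagged.add((parent, child))
    return sorted(flagged)


def find_shell_egress(events: list, shells=("explorer.exe",)) -> list:
    """Outbound connections made by the Windows shell to non-internal hosts.
    explorer.exe talking to file shares on the LAN is normal; explorer.exe
    fetching from the Internet is what an injected downloader looks like."""
    hits = []
    for e in events:
        if e["event"] != "connect" or e["image"] not in shells:
            continue
        ip, _, port = e["detail"].rpartition(":")
        if not is_internal(ip):
            hits.append((e["ts"], e["image"], ip, int(port)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("mutual respawn pairs:", find_mutual_respawn(evs))
    print("shell egress:", find_shell_egress(evs))
```

Both rules are deliberately simple baselines: the respawn rule will also fire on legitimate watchdog pairs and needs a small allowlist in practice, and the egress rule assumes that the process-level firewall's trust in explorer.exe is exactly what the injection was designed to exploit, so the useful signal is the process identity, not the destination.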
Of course there's the Sober approach: protecting a file in such a manner that it can't be scanned. For instance, some versions of Trojan-Downloader.Win32.Istbar do this, and have an additional mechanism which aims to prevent the process memory from being scanned.
A version of AdWare.Isearch effectively re-introduced an old technique.
It makes use of a .sys driver which write-protects its files. This means that an antivirus can detect the files, but not delete them. These .sys drivers are also used to hide malware and its activities - resulting in the very popular rootkits.
There are many more examples of the ways in which malware tries to protect itself. It's very clear that such techniques are placing pressure on security vendors to push the envelope in detection.
The use of .sys drivers has been increasing over the past few months. We are now at a point where open source IRCBots are also using this functionality to hide their presence in infected systems and this is a very worrying trend.
Today we detected a new Email-Worm which downloads and installs AdWare onto the infected computer: we named it Email-Worm.Win32.CWS.a.
It's interesting to note that the worm doesn't spread like most other email worms do. Most email worms email copies of themselves. The copies are executed on the next victim's machine and finally more copies are sent to email addresses harvested on the infected machines.
Instead, Email-Worm.Win32.CWS.a emails a malicious file which is embedded in the worm.
Upon execution, this file - which we detect as Trojan-Downloader.Win32.CWS.gen - will download the worm and some AdWare onto the system. After the worm has been downloaded and installed the process will start over again.
I think this method is probably used to measure the worm's effectiveness, as the number of downloads can be monitored. Virus writing is indeed a business!
We are currently seeing an increase in cases which involve file infecting AdWare.
These new viruses are more sophisticated than the one we previously reported and append malicious code to Windows' explorer.exe. The viruses belong to the Virus.Win32.Bube family.
For example, Virus.Win32.Bube.d downloads AdWare and Trojans, including: AdWare.ISearch.d, Trojan-Clicker.Win32.Agent.bn, Trojan.Win32.LowZones.ai and PornWare.Dialer.Salc.
Disinfection in this case is tricky, as explorer.exe is an important Windows process. Additionally, the malware tries to prevent removal by disabling system restore, infecting the explorer.exe residing in %sysdir%\dllcache and lowering overall system security.
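Because Bube appends its code to explorer.exe and also infects the backup copy in %sysdir%\dllcache, a first triage step is to check both copies for data lying beyond the last section the PE headers describe (an "overlay") and to compare their hashes. The following is an added example, not Kaspersky's code: the minimal PE image it builds is constructed in-line so the check runs offline, and the field offsets are the standard PE32 layout.

```python
import hashlib
import struct


def pe_data_end(data: bytes) -> int:
    """Offset just past the last byte that any section header claims.
    Standard PE32 offsets: e_lfanew at 0x3C, COFF header after 'PE\\0\\0',
    section table after the optional header. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    sect = coff + 20 + opt_size
    end = sect + 40 * nsections                                  # headers count as data
    for i in range(nsections):
        # SizeOfRawData at +16, PointerToRawData at +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes present in the file but not covered by any section."""
    return len(data) - pe_data_end(data)


def compare_copies(system_copy: bytes, cache_copy: bytes) -> dict:
    """Triage report for the explorer.exe pair (system dir vs. dllcache)."""
    return {
        "system_overlay": overlay_size(system_copy),
        "cache_overlay": overlay_size(cache_copy),
        "same_hash": hashlib.sha256(system_copy).digest()
                     == hashlib.sha256(cache_copy).digest(),
    }


def build_minimal_pe() -> bytes:
    """Construct a tiny, non-executable PE32 image with one section so the
    checker can be exercised offline. This is NOT a real explorer.exe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200                             # section body


if __name__ == "__main__":
    clean = build_minimal_pe()
    infected = clean + b"<appended-code>" * 10                   # constructed overlay
    print(compare_copies(clean, infected))
```

A non-zero overlay is a triage signal, not proof of infection: installers and some signed binaries legitimately carry data after the last section, so the result should be confirmed against a known-good hash of the file and, for a Microsoft binary, its Authenticode signature. Two copies that differ from each other (system directory versus dllcache) are worth a look either way, since Bube deliberately infects both so that Windows File Protection restores an infected copy.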
Things get even more complicated because an AV product may block access to the infected explorer.exe. This is why we provide the following removal instructions.
Please note that this removal guide does not apply to KAV 5 series. KAV 5 can disinfect explorer.exe in normal mode. However a full system scan is still required to delete or disinfect other malicious files.
* Boot into safe mode.
* Start a full system scan.
* While the scan is running, kill the explorer.exe process via Task Manager.
* Disinfect all files detected as Virus.Win32.Bube.
* The system is now clean of Virus.Win32.Bube.
* Make sure to use the extended bases to remove the AdWare that Virus.Win32.Bube may have downloaded.
* Security-related system settings may have been altered by Virus.Win32.Bube, so check your settings after disinfection.