Sophos

Archive for July, 2007

Anti-Virus vs. Commercial Packers

In the beginning, there was malware.

Naturally, this was followed fairly rapidly by the development of anti-virus software. The war has raged back and forth ever since.

During the course of this struggle, a new player entered the picture: the commercial software protector (aka packer). This development was a response to piracy of commercial applications, but it had unforeseen consequences for the anti-virus community.

Suddenly, malware authors were able to use these protectors to shield their malware from detection. It worked because that is exactly what the protectors were designed for: to make software difficult to analyze, and therefore difficult to pirate. In response to the upsurge of packers, anti-virus products started to automate the analysis of these files, a process also referred to as unpacking. This lets anti-virus software once again see the original file inside and analyze it on its own merits.

With the release of Sophos Anti-Virus 7.0, the landscape has changed once again. With the inclusion of identities such as Sus/Compack, we are able to classify commercially packed software appropriately, providing the customer with reports of files that have had significant effort put into obfuscating their contents. Armed with this knowledge, the customer can then choose whether these files on their system have indeed come from a trusted source such as a commercial software vendor, or whether they are suspicious files that should be sent to SophosLabs for analysis.

In the past week I have seen several different submissions that we have been the first to detect because of these new Sus/ identities. Once we receive these samples we are then able to write more specific detection to enhance clarity for the customer. Seeing these sorts of reports leads me to believe that we are definitely on the right track.


Mario Strikes!

W32/Romario-A

A mass-mailing worm capitalising on the old Mario game reared its ugly head today in the form of W32/Romario-A.

Sadly, aficionados of the Mario game would find themselves in bigger trouble than the much-publicised icon of the genre.

When run, W32/Romario-A not only runs a Mario game but also attempts to worm its way onto other uninfected computers, both by mass-mailing itself as a file attachment and via removable shared drives.

The worm attempts to entrench itself by scheduling a task to ensure the worm runs every day at a specified time.

To further complicate matters, the worm is also set to run whenever files with the extensions BAT, COM, PIF and SCR are opened or launched.

W32/Romario-A joins the long list of malware pretending to be a game or to run a game. This trick has been tried many times before by previous malware authors. For example, the W32/Bagle-U worm attempts to start the Microsoft Hearts game (see related news article), the W32/Coconut-A virus starts a Coconut game and the Troj/Gonori-A Trojan plays Minesweeper when run.


Patching system files: Part II

In the first part, I described how Troj/WLDrop-A and Troj/WLHack-A patched the winlogon.exe file to load malware on startup. This post is about a similar technique used by the more recent ecard.exe Trojans that are being spammed out at the moment.

Troj/Dorf-M

When I got in on Tuesday morning, Peter from the Australian lab handed over a new Mal/Dorf-A sample that he’d done quite a bit of analysis on, but hadn’t finished writing an identity for. He’d found that, unlike the previous Dorfs (often called Storm, Tibs or Nuwar by other vendors), this one loaded its rootkit by patching tcpip.sys, the Windows driver associated with the TCP/IP protocol stack.

Most people know of Mal/Dorf-A as the ecard.exe executable spammed out in the “You’ve received an Ecard!” emails. Dorf drops a rootkit which it needs to load somehow, and although registering it as a driver and having Windows load it would be the easy option, it’s one that’s quite simple to spot with anti-rootkit tools or even a manual check of the registry. By patching tcpip.sys to load itself, it leaves less obvious clues as to what’s going on particularly as, once loaded, the rootkit then partially stealths tcpip.sys so that it shows up in directory listings but can’t be read from or written to. It also makes removing it quite a bit harder.

Here’s the code from the infected tcpip.sys that loads the rootkit driver:

[Image: spooldr.sys loader code]

The Trojan code patched into tcpip.sys needs to import the ZwSetSystemInformation and KeServiceDescriptorTable addresses dynamically, because when tcpip.sys is loaded the only imports that are resolved by Windows are those of the normal tcpip.sys. It has some code to find the base address of ntoskrnl.exe and search its exports manually for the things it wants to import.

The function it uses to load spooldr.sys (the rootkit) isn’t one it can import so simply, however, and it has to search through the code of the service function used by ZwSetSystemInformation for its address. Once done, it can load the rootkit driver and simply call the entrypoint from the same context as tcpip.sys has loaded in.

Both the rootkit itself (dropped as spooldr.sys) and the infected tcpip.sys are detected by Sophos as Troj/Dorf-M. We also disinfect the patched tcpip.sys that Mal/Dorf-A creates and return it to as close to its original state as possible.

It will be interesting to see if more malware starts using this technique as tech-savvy users and admins continue checking their registry every now and then for unusual startup entries. While many users know when a run key in the registry looks suspicious, there aren’t many that can tell if their drivers have been tampered with.


From the makers of . . .

It’s not uncommon in malware to discover that more than one family is written by the same author or group, and it can be interesting to see where the overlaps occur.

Yesterday I was looking into a couple of webpages that had been brought to our attention. Each was detected as Mal/JSShell-B, and each tried to exploit a different old and long-patched vulnerability in Internet Explorer to run code that would download and execute a file from the same website. When I downloaded the file, I found we also already detected that as Mal/Heuri-E, but I was interested so I carried on investigating.

Bear with me, there are a lot of names but it all ties together in the end.

One of the things this Mal/Heuri-E file does is download a configuration file, which contains a list of other files for it to download - in this case 10 more. So off I went and downloaded them, and three among them caught my eye - one detected as Mal/Dorf-A, one as Troj/Enclag-A, and one as Troj/Agent-FZB.

The Mal/Dorf-A file is a downloader in the same broad family as all the Dorf Trojans and Dref worms and viruses that we’ve been seeing so many of in recent weeks, mostly being spammed out in an attempt to enlarge an existing bot network. The Troj/Enclag-A is a network sniffer, designed to report to a remote website about the network connections of the infected computer. Troj/Agent-FZB drops another file into memory which drops two stealthing rootkits and injects code into Internet Explorer to download yet more files.

So what? Well, Troj/Enclag-A is written by the same author as the Clagger Trojans, a family of downloaders that we used to see on a regular basis … being spammed out in massive campaigns. And that author was also responsible for other families of malware, including CashGrab, Cimuz and SpamToo Trojans, with strategies mentioned in this blog entry. And here it was being downloaded by something that was also downloading a Dorf.

As for Troj/Agent-FZB, it was mid-way through my investigation into this file that we started to see large quantities of the same file being spammed out. And today again we’ve seen an extremely similar file, Troj/Agent-FZG, spammed out in even larger quantities, and the file it drops to memory (detected proactively as Mal/Basine-C) has turned out to be a new face in the Pushu family of Trojans. So more malware in more spam.

It’s possible that Mr Dorf is just borrowing code from Mr Clagger, and that Mr Pushu is mailing out his own little malicious monsters from somewhere else entirely. But it’s much more likely that the same gang is responsible for all this malware, and is increasing the range of weaponry in their arsenal while still using very similar tactics.

How did I know that Troj/Enclag-A was by the same author as the Clagger Trojans, if it had completely different functionality? And what on earth has this got to do with a blog dedicated to the Los Alamos National Laboratory? That’s going to have to wait until a later posting …


No sale = No escape

I saw a few of these spammed out this afternoon…

[Image: ExitGrabber main page]

I was skeptical about this being an actual product but then, as I moved my mouse up towards the close box, up pops this little box:

[Image: ExitGrabber popup]

It seems these internet marketing gurus really can read my mind, or at least my mouse.


Patching system files: the fancy alternative to autorun keys

With current tools such as AutoRuns letting users and sysadmins see at a glance which files are set to run when a computer starts up, and Sophos’s endpoint product automatically cleaning up registry entries associated with detected malware, it’s becoming increasingly hard for malware authors to hide the fact that their programs are being loaded on startup.

Some recent pieces of malware have returned to techniques more usually associated with traditional viruses in order to solve this problem. Instead of leaving traces of their automatic startup in the registry, they’ve infected certain Windows files that are loaded on startup in order to hitch a ride along with them.

Troj/WLHack-A

Troj/WLHack-A (shortly followed by Troj/WLHack-C) is the name we use for copies of winlogon.exe that have been patched by the Troj/WLDrop-A dropper. Because winlogon.exe is loaded every time Windows starts up, this Trojan was able to load itself on startup too, even before any users had logged on to the computer. The infection code is stored in slack space (unused areas inside executable files that exist to meet alignment requirements imposed by the OS), and the Trojan code gains control via a six-byte patch inside the winlogon.exe entry point. Here are both the clean and infected winlogon.exe entry points — can you spot which is which?

[Image: winlogon.exe entry points — can you tell which one is infected?]

The slack space in winlogon.exe isn’t big enough to contain any really complicated malware, so Troj/WLHack-A just loads an extra DLL inside the winlogon process. If the filesystem is NTFS, this DLL will be in an Alternate Data Stream of another valid system file called ws2_32.dll.

[Image: Winlogon Trojan loader]

Sophos provides disinfection for the patched winlogon.exe — something that was quite tricky for us to achieve, as it’s impossible to write to the file while winlogon is running, and terminating the process causes problems for the user (either the computer reboots as soon as winlogon is terminated, or it remains in a state in which the user can’t log off or reboot at all).
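The scanner below is an added example, not Sophos code and not how Sus/Compack or the winlogon.exe disinfection actually work. It reads a PE section table with nothing but the Python standard library and reports two things a defender can check offline: sections whose bytes have near-maximal entropy (the generic footprint of the packed files discussed in the "Anti-Virus vs. Commercial Packers" post above) and non-zero bytes in section slack space, the region between a section's VirtualSize and its FileAlignment-rounded SizeOfRawData where the Troj/WLHack-A patch lives. The 7.0 bits/byte threshold, the single-section sample images and the payload bytes are all constructed assumptions for the demonstration.

```python
"""Added example: entropy and slack-space checks on a PE section table (stdlib only)."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Return [(name, virtual_size, raw_size, raw_ptr), ...] from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, rptr))
    return sections


def analyze(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, vsize, rsize, rptr in parse_sections(pe):
        raw = pe[rptr:rptr + rsize]
        entropy = shannon_entropy(raw[:vsize])
        if entropy >= entropy_threshold:
            findings.append(f"{name}: entropy {entropy:.2f} bits/byte, likely packed or encrypted")
        slack = raw[vsize:]                 # file bytes past VirtualSize: padding in a normal build
        used = len(slack) - slack.count(0)  # anything non-zero here deserves a look
        if used:
            findings.append(f"{name}: {used} non-zero bytes in {len(slack)} bytes of slack space")
    return findings


def build_sample(text: bytes, slack_payload: bytes = b"", file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32 image with one .text section; not a runnable program."""
    raw_size = -(-len(text) // file_align) * file_align   # SizeOfRawData rounded to FileAlignment
    if len(text) + len(slack_payload) > raw_size:
        raise ValueError("payload does not fit in the section's slack")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic; rest left zero
    sec = (b".text".ljust(8, b"\0")
           + struct.pack("<IIII", len(text), 0x1000, raw_size, 0x200)
           + struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + (text + slack_payload).ljust(raw_size, b"\0")


def packed_sample_bytes(size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for a packed payload (constructed)."""
    chunks = (hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(-(-size // 32)))
    return b"".join(chunks)[:size]


if __name__ == "__main__":
    stub = b"\x55\x8b\xec" + b"\x90" * 300 + b"\xc3"     # constructed low-entropy "code"
    samples = (
        ("clean", build_sample(stub)),
        ("slack-patched", build_sample(stub, slack_payload=b"\xe8\x00\x00\x00\x00\x68\x41\x42")),
        ("packed", build_sample(packed_sample_bytes())),
    )
    for label, image in samples:
        print(label, analyze(image) or ["no findings"])
```

Both signals are prompts for closer inspection rather than verdicts: legitimate installers, compressed resources and embedded certificates also produce high-entropy sections, and the slack check only sees bytes that are actually present in the file, so the most reliable use is to compare a suspect system file against a known-good copy of the same build.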

In the next part, I’ll go into detail on a very recent piece of malware that uses this technique: the Dorf family of Trojans that are being spammed out via email as ecard.exe.


Life Isn’t So Beautiful

SophosLabs encountered a newly spammed out Trojan today that’s making its way to email servers around the world.

The email has the following characteristics:

The subject lines can be any of the following:

“Life is beautiful”
“Life will be better”
“Good summer”
“help you”

The message contents are typically of the following:

“Good morning/evening, man!

Realy cool screensaver in your attachment!

Wanna more? Welcome to our site - <URL>

Good Bye.”

or

“Hello, old chap!

Cool screensaver in your attachment!

Wanna more? Welcome to our site - <URL>

Thanks.”

A sample screenshot of the spammed out Trojan looks like this:

[Screenshot: the spammed email carrying Troj/Agent-FZB]

The file attachment uses the filename bsaver.zip. Naturally, opening the attachment and running the archived file within, bsaver.exe, would not give you any screensaver. In fact, running the archived file results in another two pieces of malware being dropped.

The main file bsaver.exe (detected as Troj/Agent-FZB) drops two kernel driver rootkits (detected as Troj/NTRootK-BY and Troj/Agent-FVT respectively), both of which are used to stealth the Troj/Agent-FZB Trojan.
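As an added example of turning the characteristics listed above into a gateway rule (not Sophos's detection and not part of the original post), the stdlib-only Python below scores a message on the four subject lines, the body wording, the bsaver.zip attachment name, and one extra check the post implies rather than states: whether a zip attachment actually contains an executable. The sample messages, the example.invalid domain, the placeholder zip members and the list of executable extensions treated as risky are constructed assumptions.

```python
"""Added example: a mail-gateway rule for the bsaver.zip screensaver campaign (stdlib only)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SUBJECTS = {"life is beautiful", "life will be better", "good summer", "help you"}
BODY_MARKERS = ("cool screensaver in your attachment", "wanna more? welcome to our site")
ATTACHMENT_NAME = "bsaver.zip"
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed gateway policy list


def zip_has_executable(payload: bytes) -> bool:
    """True if the archive lists any member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(raw: bytes) -> dict:
    """Score one RFC 5322 message and return the matched traits plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(marker in text for marker in BODY_MARKERS),
        "attachment_name": False,
        "exe_in_zip": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits["attachment_name"] = True
        if name.endswith(".zip") and zip_has_executable(part.get_content()):
            hits["exe_in_zip"] = True
    # An executable inside a zip plus any campaign text is enough to block;
    # weaker combinations go to a human, a lone subject-line match is allowed through.
    if hits["exe_in_zip"] and (hits["subject"] or hits["body"]):
        verdict = "block"
    elif hits["exe_in_zip"] or hits["attachment_name"] or (hits["subject"] and hits["body"]):
        verdict = "review"
    else:
        verdict = "allow"
    return {**hits, "verdict": verdict}


def build_zip(member_name: str, content: bytes = b"MZ placeholder, not a real program") -> bytes:
    """Constructed single-member zip archive used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


def build_message(subject: str, body: str, attachment_name: str = "", payload: bytes = b"") -> bytes:
    """Constructed sample message in the shape described in the post."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(payload, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    campaign = build_message(
        "Life is beautiful",
        "Good morning, man!\n\nRealy cool screensaver in your attachment!\n\n"
        "Wanna more? Welcome to our site - http://example.invalid/\n\nGood Bye.",
        "bsaver.zip", build_zip("bsaver.exe"))
    benign = build_message("Minutes from Tuesday", "Attached as discussed.",
                           "minutes.zip", build_zip("minutes.txt"))
    for raw in (campaign, benign):
        print(classify(raw))
```

The subject and attachment names are the cheapest part of a campaign to change, which is why the rule weights the executable-in-archive check above the text matches: the wording and filename identify this particular run, while a zip with an .exe inside is what keeps the next run from sailing through.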


Anybody want some rubber?

I have been looking at the spam that I have been receiving recently. Whilst others are getting ecards I seem to be on some Russian spammers’ lists. The strangest spam I got today was this:

[Image: the grommets spam]

Yes, that really is an advert for a company selling rubber grommets. My boss made some cryptic comment about me having some eccentric interests but really! Do I look like someone who collects rubber grommets for a hobby?

This is what is known as telephone spam. There was a phone number but no web address to go to so I can’t fully confirm what they are really selling without picking up the phone.

Somehow I don’t think it will lead me into a new relationship with a young lady in Russia - I suspect there really will be a salesperson at the other end trying to sell me grommets.


Updated Security Threat Report from SophosLabs

Today we published our updated threat report which provides a summary of the threat landscape over the past 6 months.

As we have documented on this blog over the past few months, the shift in malware has been very much towards web-based threats. We are currently adding over 29,000 new webpages every day. 80% of them are compromised sites, perfectly legitimate in their content, other than the fact that they have been hacked and are now hosting malware.

To put this into perspective, we took a closer look at some of the sites hosted in the UK that were found to be infected yesterday.

These included:

* A dog breeder website with a forum allowing people to upload their dog-related thoughts and pictures - infected with Mal/IFrame
* A Suffolk-based antique store infected with a virus that is a few years old now, suggesting that there is no anti-virus running on the web server
* An interactive forum for fans of a popular British TV comedy show infected with Mal/IFrame
* A Bristol-based artist selling art and announcing exhibitions - infected with Mal/IFrame
* A photo website in Cumbria infected with Mal/ObfJS

This small selection shows that productivity filtering of URLs won’t necessarily help protect against web-based threats, and it is becoming increasingly crucial that anyone hosting a website ensures that it is kept up to date with the latest security patches and regularly scanned for malware.


Broken spam campaigns

SophosLabs often sees broken spam campaigns. The campaigns can be broken for a number of reasons, incompetence being the prime one.

Here we see a mistake in the configuration of the spam tools used for sending out porn-related image spam.

[Image: the broken spam email as received]

Had the spammer bothered to test that their spam ran correctly, they would have seen a broken message like the one above.

The creator of this message actually wished the recipients to see the following:

[Image: the advert the spammer intended recipients to see]

Spammers, and the people that supply the spam tools, are interested in making money. Unfortunately, the economics of spam dictate that the average spammer can actually afford to make the occasional mistake. These mistakes are costly to us all, however, because broken messages can be much more difficult to block.

Why? Broken messages often break automated spam analysis systems. This forces human beings, like me, to analyze the messages. While failing to line the spammer’s pockets with silver, these broken spam messages can prove even more annoying than any other spam.