Threat Spotlight

For the week of 30 Jun 2011
Threat 1

Mac fake antivirus pops up in image searches

Threat Name:

OSX/FakeAvDl-B

Users at Risk:

Mac users

Also Known As:

Avira MACOS/FavDon.B
Kaspersky Trojan-Downloader.OSX.FavDonw.c
McAfee OSX/FakeAlert-MacDefender
Microsoft Rogue:MacOS_X/FakeMacdef
Symantec Trojan.Gen
Trend OSX_FAKEAV.D

About:

OSX/FakeAvDl-B is a variant of a fake antivirus Trojan targeting Mac users.

Scammers poison image results in search engines using Black Hat SEO techniques targeting popular search terms. Mac users who click on the image are redirected to an infected page.

The infected page presents a pop-up that appears to run a scan on the user's machine and inevitably reports infections. The web page then offers to download OSX/FakeAvDl-B to the user's download directory in order to "remove" the virus.

OSX/FakeAvDl-B usually arrives in a zip file which is automatically unpacked if the user has the Safari browser set to "open safe file types."

When run, OSX/FakeAvDl-B downloads and installs a Mac OS fake antivirus Trojan such as OSX/FakeAv-ECW, OSX/FakeAv-EDC or OSX/FakeAv-EDD.

Threat 2

McDonald's spam will spoil your breakfast

Threat Name:

Troj/Bredo-HU

Users at Risk:

Windows users

Also Known As:

Avira TR/Drop.Wlord.axa
K7 Trojan ( bea46b1b0 )
Kaspersky Trojan-Dropper.Win32.Wlord.axa
McAfee Downloader.x!fzh
Microsoft TrojanDownloader:Win32/Dofoil.J
Symantec Downloader
Trend TROJ_INJECTOR.VI

About:

Troj/Bredo-HU is a Trojan for the Windows platform.

Spammers recently launched a campaign intending to trick users into opening an attachment containing the Trojan. The spam appears to come from McDonald's and offers an invitation to a "Free Breakfast Day."

Troj/Bredo-HU includes functionality to access the Internet and download code from the following domains.

ccqljpif dot zc dot cc
uxahtglh dot zc dot cc

When first run, Troj/Bredo-HU copies itself to <Startup>\dxdiag.exe. The following files are downloaded and created:

<User>\Local Settings\Application Data\<random name>.exe (which is detected as Mal/FakeAV-CS)
<Temp>\_ex-08.exe (which is detected as Mal/FakeAV-IH)

The following registry entry is created to run _ex-08.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SmartIndex
<Temp>\_ex-08.exe

Registry entries are created under:

HKCU\Software\Google\

Threat 3

Spam sets trap with alluring subject lines

Threat Name:

Troj/Agent-RNY

Users at Risk:

Windows users

Also Known As:

Avira TR/Dldr.Chepvil.L
K7 Spyware ( 002668e61 )
Kaspersky Trojan-Spy.Win32.Zbot.bnvo
McAfee PWS-Spyeye.ax
Microsoft TrojanDownloader:Win32/Rimod.A
Symantec Downloader
Trend TROJ_KRYPTIK.VI

About:

Troj/Agent-RNY is a Trojan for the Windows platform.

We are currently seeing cybercriminals spamming out the Trojan in large numbers, using a variety of sleazy subject lines advertising "sexy cities," among others, to trick the unwary into opening the attachment.

This particular piece of malware has multiple components, including a downloader. The sample attempts to download further files from:

211 . 154 . 153 . 49 : 80 - Blocked as Malware/Repository

It also attempts to make GET requests to:

http://net . com/2/1.php?q=2 - Blocked as Malware/Repository
http://net . com/2/1.php?q=1 - Blocked as Malware/Repository

The sample will attempt to drop its files (including a copy of itself) into "%userprofile%\Application Data\".

To make sure the sample can establish a link to its Call Home Address (CHA), Troj/Agent-RNY will add an exception for itself in the Windows Firewall, by modifying the registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List:*:Enabled:ldrsoft

The sample creates the following directory:

"%userprofile%\Application Data\<Random letters and numbers>\"

It then drops the following file to this directory:

"%userprofile%\Application Data\<Random letters and numbers>\svcnost.exe"
(Note the name "svcnost.exe", a lookalike of the legitimate "svchost.exe".)

The sample creates the following registry run key for its dropped files:

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry = "mssend"
description = "Java(TM) Platform SE binary"
publisher = "Sun Microsystems, Inc."
image = "c:\documents and settings\support\application data\xf3bmwvelhz2wushramwvaxyucokodgv2\svcnost.exe"
launch_string = """C:\Documents and Settings\support\Application Data\xf3bmwvelhz2wushramwvaxyucokodgv2\svcnost.exe"""
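The persistence described above for Troj/Agent-RNY (the "mssend" Run entry pointing at svcnost.exe and the "ldrsoft" firewall exception) and earlier for Troj/Bredo-HU (the "SmartIndex" Run entry launching from the Temp directory) shares a pattern a defender can hunt for in a registry export. The following script is an added example, not part of the original spotlight: it runs three checks over constructed sample values, with a placeholder path standing in for the ldrsoft executable the page does not name.

```python
import difflib
import re

# Constructed sample values (key, value name, data) standing in for a registry export.
# The first three mirror the persistence described for Troj/Bredo-HU (SmartIndex) and
# Troj/Agent-RNY (mssend, ldrsoft); the fourth is a benign control. The ldrsoft
# executable path is a placeholder, since the page does not give it.
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SmartIndex",
     r"C:\Documents and Settings\support\Local Settings\Temp\_ex-08.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "mssend",
     r'"C:\Documents and Settings\support\Application Data\xf3bmwvelhz2wushramwvaxyucokodgv2\svcnost.exe"'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
     r"\StandardProfile\AuthorizedApplications\List",
     r"C:\Documents and Settings\support\Application Data\placeholder\placeholder.exe",
     r"C:\Documents and Settings\support\Application Data\placeholder\placeholder.exe:*:Enabled:ldrsoft"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SunJavaUpdateSched",
     r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
]

# Profile directories writable without admin rights; autoruns launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\(Application Data|Local Settings\\Temp|Start Menu\\Programs\\Startup)\\", re.I)
# Core Windows binaries whose names malware imitates with a one-letter change (svcnost vs svchost).
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"]
FIREWALL_LIST = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)


def image_path(data):
    # Extract the executable path from a launch string, dropping quotes and trailing arguments.
    m = re.match(r'"([^"]+)"|(.+?\.exe)', data.strip(), re.I)
    return (m.group(1) or m.group(2)) if m else data


def check_value(key, name, data):
    # Return the reasons (possibly none) why one registry value matches the patterns above.
    reasons = []
    path = image_path(data)
    exe = path.rsplit("\\", 1)[-1].lower()
    if key.lower().endswith(r"\currentversion\run"):
        if USER_WRITABLE.search(path):
            reasons.append("Run entry launches from a user-writable directory: " + path)
        if exe not in SYSTEM_NAMES and difflib.get_close_matches(exe, SYSTEM_NAMES, cutoff=0.8):
            reasons.append("image name imitates a Windows system binary: " + exe)
    elif FIREWALL_LIST.search(key) and ":*:Enabled:" in data and USER_WRITABLE.search(path):
        reasons.append("firewall exception for a user-writable executable, named " + data.rsplit(":", 1)[-1])
    return reasons


def scan(values):
    # Map (key, value name) to its reasons for every value that triggers at least one rule.
    return {(k, n): r for k, n, d in values if (r := check_value(k, n, d))}
```

Feeding it a real export (for example the output of `reg export` parsed into the same tuples) flags only the three hostile entries; the genuine Java scheduler in Program Files passes all checks.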

The sample has also been seen dropping the following files:

%userprofile%\application data\<4-7 random chars>\<4-6 random chars>.exe
%userprofile%\application data\<4-7 random chars>\<4-6 random chars>.tmp
%userprofile%\application data\<4-7 random chars>\<4-6 random chars>.ozr
%userprofile%\application data\<4-7 random chars>\<4-6 random chars>.gie
%userprofile%\application data\<4-7 random chars>\<4-6 random chars>.gie.0

Interestingly, this malware seems to open "%userprofile%\application data\Desktop.ini" for writing and writes DLL code into it. This DLL appears to be BTREE.dll and contains a series of exports for creating and verifying SSL certificates, and for connecting to and disconnecting from an SSL pipe.