Threat Spotlight

For the week of 07 Sep 2009
Threat 1

Trojan redirects traffic from compromised legitimate websites

Threat Name:

Web threat: Troj/Iframe-BW

Users at Risk:

Windows users

Also Known As:

Malicious iFrame injection

Further Reading:

SophosLabs blog: A touch of class (on malicious IFrame injection)

Removal Instructions:

If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.

About:

Troj/Iframe-BW is a Trojan that is used to redirect traffic from compromised legitimate websites. The Trojan creates a tiny frame in an infected webpage, invisible to the victim of the attack, which sends their browser to a site operated by malicious hackers.

Iframe attacks (whether by Trojans or malware) are still one of the most commonly seen threats on web pages that have been compromised by malicious hackers.

Threat 2

DHL/UPS Tracking spam recruits your PC into a botnet

Threat Name:

Malware: Mal/Bredo-A

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Backdoor.Win32.Bredolab
  • Avira: BDS/Bredolab, TR/Crypt.ZPACK.Gen
  • McAfee: Bredolab.gen
  • Trend: TROJ_BREDOLAB
  • Microsoft: TrojanDownloader:Win32/Bredolab.X

Further Reading:

In addition to the detection provided for Mal/Bredo-A, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/Bredo-A, using rule HIPS/FileMod-001.

Removal Instructions:

If your system has detected the presence of Mal/Bredo-A, please follow these instructions to remove the threat.

About:

Mal/Bredo-A is a bot, allowing infected computers to be controlled as part of a botnet.

Infected files originate from spam, pretending to be a UPS or DHL delivery invoice with subjects such as:

  • Subject: DHL Tracking Number <fake tracking number>
  • Subject: UPS Tracking Number <fake tracking number>
  • Subject: UPS Delivery Problem

Mal/Bredo-A itself is attached to the email inside a zip file attachment, typically named:

  • D<fake tracking number>.zip
  • M<fake tracking number>.zip

The spam messages are sent by other bots infected with Mal/Bredo-A.

When a user runs the bot, it first copies itself to the %TEMP% folder with a filename like:

  • ~TM<lettersANDnumbers>.TMP

It then installs an executable file to the <STARTMENU>\Programs\Startup folder; one example file is dfqupd32.exe. This executable file in the Startup folder ensures that the bot will remain active even after the computer is rebooted. The file is usually marked as read-only and hidden.

Once Mal/Bredo-A is active it joins a botnet by contacting a command and control (C&C) server in Russia, mudstrang.ru, via the following HTTP GET request on port 80:

  • http://<C&C server>.ru/def/controller.php?action=bot%26entity_list=%26uid=%26first=1%26guid=<NUMBERS>%26v=<NUMBERS>%26rnd=<NUMBERS>

The GUID is calculated per machine.

At the time of writing, the response from the botnet control server indicates that the network is still in development:

  • "Notice: Undefined variable: entity_info in /home/host1/domains/<C&C server>.ru/public_html/def/controller.php on line 377"
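As an added example (not code from the advisory or from Sophos), the following Python detector looks for the check-in request described above in web-proxy logs. It keys on the controller path and parameter layout rather than on the hostname, and it handles the %26-encoded separators that make a naive query parser miss the guid. The log line format and the sample values are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed proxy log lines (not from the advisory): "time client method url".
# The first and third have the beacon shape described above; the second is benign.
SAMPLE_LOG = """\
2009-09-07T10:01:02 10.0.0.12 GET http://mudstrang.ru/def/controller.php?action=bot%26entity_list=%26uid=%26first=1%26guid=1234567890%26v=10%26rnd=987654
2009-09-07T10:01:05 10.0.0.12 GET http://www.example.com/index.html
2009-09-07T10:02:11 10.0.0.31 GET http://mudstrang.ru/def/controller.php?action=bot&entity_list=&uid=&first=1&guid=555%26v=10%26rnd=1
"""

def parse_bredo_beacon(url):
    """Return the decoded check-in parameters if url matches the Mal/Bredo-A
    controller request, otherwise None. Matching is on path and parameter
    layout, not on the hostname, which is cheap for the operators to change."""
    parts = urlsplit(url)
    if not parts.path.endswith("/def/controller.php"):
        return None
    # The bot percent-encodes its '&' separators as %26, so parse_qs on the raw
    # query yields a single 'action' value holding the whole string, and a rule
    # keyed on 'guid=' would miss it. Decode once, then split the parameters.
    params = parse_qs(unquote(parts.query), keep_blank_values=True)
    if params.get("action") != ["bot"]:
        return None
    if not {"guid", "v", "rnd"} <= set(params):
        return None
    fields = {k: params[k][0] for k in ("guid", "v", "rnd")}
    if not all(re.fullmatch(r"\d+", v) for v in fields.values()):
        return None  # the advisory shows numeric values only
    fields["host"] = parts.hostname
    fields["first"] = params.get("first", [""])[0]
    return fields

def scan_log(text):
    """Scan 'time client method url' lines; return one record per beacon seen."""
    hits = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 4:
            continue
        when, client, _method, url = cols
        beacon = parse_bredo_beacon(url)
        if beacon is not None:
            hits.append({"time": when, "client": client, **beacon})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} guid={hit['guid']} first={hit['first']}")
```
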

Threat 3

Malware family hides rootkits in plain sight

Threat Name:

Malware: Mal/TDSSPack-A

Users at Risk:

Windows users

Also Known As:

  • AhnLab: Win-Trojan/Alureon.67584
  • Ikarus: Rootkit.Win32.TDSS, Trojan.Win32.Monderc
  • Kaspersky Lab: Packed.Win32.Tdss.f, Rootkit.Win32.TDSS.phm
  • McAfee: DNSChanger.gen
  • Microsoft: Trojan:WinNT/Alureon.C, Trojan:Win32/Alureon.gen!J
  • Symantec: Backdoor.Tidserv

Removal Instructions:

Though TDSS can be hard to remove if it has installed itself successfully, please follow the instructions on this page to get rid of the TDSS threat. If you need to determine if TDSS is present on your system, you can use our free Sophos Anti-Rootkit Tool.

About:

Mal/TDSSPack-A is a group of malware families, which includes the TDSS family of kernel-mode rootkits. Detection is based on the unusual polymorphic executable packers used on these samples, which typically aren't seen in clean files. Because of this, other malware packed with the same or similarly malicious packers may also be detected as Mal/TDSSPack-A.

Typically, droppers for the TDSS family of rootkits that are detected as Mal/TDSSPack-A will create their files in the <System> and <System>\drivers folders, with names that look legitimate but are partly randomized.

One variant creates and stealths the following files:

  • Multiple files called <Temp>\UAC<Random digits>.tmp
  • Multiple files called <System>\UAC<Random letters>.dll
  • <System>\UAC<Random letters>.dat
  • <System>\uacinit.dll
  • <System>\drivers\UAC<Random letters>.sys

The dropped files with a .dat extension and the file uacinit.dll are typically detected as Mal/TDSSConf-A. These are configuration files for the TDSS rootkit. They are not executable or harmful on their own, but do indicate the presence of a TDSS infection.

Other components may be detected by Sophos as Mal/TDSSPack-A or other Mal/TDSSPack variants.

The file with the .sys extension is the kernel-mode rootkit component. It provides a stealthing functionality that hides itself, the other TDSS-related files and registry keys from normal applications.

TDSS may hide registry keys, including the service key it creates for itself, in locations such as these:

  • HKEY_LOCAL_MACHINE\SOFTWARE\UAC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys

While the TDSS variant in this example uses the "UAC" prefix to lend legitimacy to filenames of dropped components, other variants use similarly legitimate-sounding names.

Sophos Anti-Virus detects the droppers for TDSS as Mal/TDSSPack-A or other Mal/TDSSPack variants. If the Sophos on-access scanner is disabled and the rootkit manages to install, customers should use Sophos Anti-Rootkit or the Sophos Bootable Anti-Virus CD to detect and remove the threat, as the malware components will be stealthed from normal applications at that point.