Threat Spotlight

For the week of 27 Oct 2011
Threat 1

Mac Trojan disables XProtect antivirus

Threat Name:

OSX/FlshPlyr-A

Users at Risk:

Mac OS X users

Also Known As:

Microsoft Backdoor:MacOS_X/Flashback
McAfee OSX/Flashfake trojan
Symantec OSX.Flashback

Removal Instructions:

Follow the instructions for removing Trojans or download the free Mac antivirus tool.

About:

OSX/FlshPlyr-A is a backdoor Trojan that targets Mac OS X. It disguises itself as an update to Adobe Flash Player.

Once the user runs the bogus installer, OSX/FlshPlyr-A gives the attacker unauthorized access to the infected computer and waits for further instructions, including commands to download updates and other binaries. The Trojan can also steal sensitive user information.

The malware's authors recently updated the functionality of OSX/FlshPlyr-A so that it disables XProtect, the built-in antivirus on Mac OS X computers.
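A practitioner who suspects this Trojan will want a quick way to confirm that XProtect is still in working order. The following is an added example, not code from the original article or from Sophos; it checks that the XProtect definitions metadata, the XProtectUpdater binary and its launchd job are present and that the job is not disabled. The file locations, the plist key names ("Version", "ProgramArguments", "Disabled") and the "2011-era Mac OS X 10.6.7/10.7 layout" are assumptions made for the example, and build_fixture() writes a constructed copy of that layout into a temporary directory so the check can be exercised offline.

```python
"""Sanity-check the pieces XProtect depends on: definitions, updater, launchd job."""
import os
import plistlib
import tempfile

# Assumed Mac OS X 10.6.7 / 10.7 locations (assumption, not from the article).
XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.meta.plist")
UPDATER_BIN = "/usr/libexec/XProtectUpdater"
UPDATER_JOB = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"


def _load_plist(path):
    with open(path, "rb") as f:
        return plistlib.load(f)


def check_xprotect(meta=XPROTECT_META, updater=UPDATER_BIN, job=UPDATER_JOB):
    """Return a list of human-readable findings; an empty list means OK."""
    findings = []

    # The updater must exist and be executable, otherwise definitions can
    # never be refreshed even if the launchd job is still loaded.
    if not os.access(updater, os.X_OK):
        findings.append(f"updater missing or not executable: {updater}")

    # The launchd job must exist, point at the real updater and not carry a
    # top-level 'Disabled' key (which launchd honours).
    try:
        jobdict = _load_plist(job)
        args = jobdict.get("ProgramArguments", [])
        if not args or args[0] != updater:
            findings.append(f"launchd job does not run {updater}: {args}")
        if jobdict.get("Disabled"):
            findings.append("launchd job for XProtectUpdater is disabled")
    except (OSError, plistlib.InvalidFileException) as e:
        findings.append(f"cannot read launchd job {job}: {e}")

    # The definitions metadata must parse and carry a version number
    # (assumed key name 'Version').
    try:
        metadict = _load_plist(meta)
        if not isinstance(metadict.get("Version"), int):
            findings.append(f"no signature-set version in {meta}")
    except (OSError, plistlib.InvalidFileException) as e:
        findings.append(f"cannot read definitions metadata {meta}: {e}")

    return findings


def build_fixture(root, tampered=False):
    """Write a constructed, minimal XProtect layout under root for offline
    testing. With tampered=True it mimics a disabled XProtect: the launchd
    job is flagged Disabled and the updater binary is removed."""
    meta = os.path.join(root, "XProtect.meta.plist")
    updater = os.path.join(root, "XProtectUpdater")
    job = os.path.join(root, "com.apple.xprotectupdater.plist")
    with open(meta, "wb") as f:
        plistlib.dump({"Version": 1021}, f)  # constructed version number
    with open(updater, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(updater, 0o755)
    jobdict = {"Label": "com.apple.xprotectupdater",
               "ProgramArguments": [updater]}
    if tampered:
        jobdict["Disabled"] = True
        os.remove(updater)
    with open(job, "wb") as f:
        plistlib.dump(jobdict, f)
    return meta, updater, job


def run_demo():
    """Return (findings on the clean layout, findings on the tampered layout)."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as bad:
        return (check_xprotect(*build_fixture(clean)),
                check_xprotect(*build_fixture(bad, tampered=True)))


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), run_demo()):
        print(label, result or "OK")
```

On a real system call check_xprotect() with no arguments so it reads the live paths; on the clean constructed layout it returns no findings, and on the tampered one it reports both the missing updater and the disabled job. A clean result only says the updater machinery is intact, not that the definitions themselves are current.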

Threat 2

Duqu Trojan evolves from Stuxnet

Threat Name:

Mal/Duqu-A

Users at Risk:

Windows users

Also Known As:

Avira TR/Duqu.A.1
AVP Trojan.Win32.Duqu.a
K7 Trojan ( 002f86911 )
McAfee PWS-Duqu!rootkit
Microsoft Trojan:WinNT/Duqu.A
Symantec W32.Duqu
Trend Micro RTKT_DUQU.A

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Duqu is a robust malware delivery platform that covertly steals information from infected Windows computers.

Duqu bears many similarities to Stuxnet, the sophisticated worm that targeted industrial control systems. Both launch from a kernel driver that performs further code injection, and the driver code shares anti-debugging and armoring tactics. Both also carry spoofed version information purporting to come from electronics corporations, and some of the drivers have valid digital signatures.

Duqu's operation starts with a malicious driver, Mal/Duqu-A, which reads encrypted configuration data from its own service registry key. From that configuration the driver determines the path of the main DLL component, Troj/Duqu-B, and the key needed to decrypt and load it. The main DLL in turn contains two more DLLs, a loader and a payload.

The loader provides a platform for injecting arbitrary components into a selection of processes:

svchost.exe
lsass.exe
iexplore.exe
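The loading chain above gives a hunter two things to look for in the Services registry hive: a kernel-driver service whose key carries a sizeable binary value that Windows itself never writes there, and a driver image loaded from somewhere other than system32\drivers. The following is an added example, not code from the original article or from Sophos, that applies those two heuristics to service keys that have already been exported into Python dicts. The heuristic thresholds, the list of "standard" value names and the sample export (service names exampledrv and otherdrv, and the Data value) are constructed for the example; the heuristic is generic and not specific to Duqu.

```python
"""Hunt for kernel-driver service keys that hold opaque configuration blobs
or load their image from an unusual path."""
import re

SERVICE_KERNEL_DRIVER = 1  # Type value for a kernel-mode driver service

# Values Windows and ordinary installers write under a driver's service key.
# Any other value holding a sizeable binary blob deserves a look.
STANDARD_VALUES = {
    "Type", "Start", "ErrorControl", "ImagePath", "DisplayName", "Group",
    "Tag", "DependOnService", "DependOnGroup", "Description", "Owners",
    "ObjectName", "WOW64", "Security", "ServiceSidType",
}

_PREFIXES = ("\\??\\", "\\systemroot\\", "%systemroot%\\")


def normalize_image_path(image_path):
    """Reduce the many ImagePath spellings to a path relative to the Windows dir."""
    p = image_path.strip().strip('"').lower()
    for prefix in _PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
    p = re.sub(r"^[a-z]:\\windows\\", "", p)  # absolute c:\windows\... form
    return p


def suspicious_driver_services(services, min_blob=32):
    """services: list of {"name": str, "values": {value_name: data}} records
    exported from the Services key. Returns a list of (service name, reasons)."""
    hits = []
    for svc in services:
        vals = svc["values"]
        if vals.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        reasons = []
        raw = vals.get("ImagePath", "")
        if not normalize_image_path(raw).startswith("system32\\drivers\\"):
            reasons.append(f"driver image outside system32\\drivers: {raw!r}")
        blobs = [k for k, v in vals.items()
                 if k not in STANDARD_VALUES
                 and isinstance(v, (bytes, bytearray)) and len(v) >= min_blob]
        if blobs:
            reasons.append("non-standard binary value(s): " + ", ".join(blobs))
        if reasons:
            hits.append((svc["name"], reasons))
    return hits


# Constructed sample export (not real registry data). 'Disk' and 'Browser'
# mimic normally registered services; exampledrv and otherdrv are made up.
SAMPLE_SERVICES = [
    {"name": "Disk", "values": {
        "Type": 1, "Start": 0, "ErrorControl": 1,
        "ImagePath": "system32\\DRIVERS\\disk.sys", "Group": "SCSI Class"}},
    {"name": "exampledrv", "values": {
        "Type": 1, "Start": 1, "ErrorControl": 0,
        "ImagePath": "\\SystemRoot\\System32\\drivers\\exampledrv.sys",
        "Data": bytes(range(256))}},  # opaque blob standing in for encrypted config
    {"name": "otherdrv", "values": {
        "Type": 1, "Start": 2, "ErrorControl": 0,
        "ImagePath": "\\??\\C:\\Documents and Settings\\User\\otherdrv.sys"}},
    {"name": "Browser", "values": {
        "Type": 32, "Start": 2,
        "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs"}},
]


if __name__ == "__main__":
    for name, reasons in suspicious_driver_services(SAMPLE_SERVICES):
        print(name)
        for r in reasons:
            print("   ", r)
```

Run against the constructed export, exampledrv is reported for its 256-byte non-standard value and otherdrv for its image path under the user profile, while Disk and the user-mode Browser service pass. Because legitimate drivers may store their own settings under the service key, every hit still needs a look at the image itself (its version information and signature, as the comparison with Stuxnet above suggests).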

We haven't seen many Duqu attacks in the wild, and we have received no reports of Duqu detections from Sophos customers.

Sophos detections include:

Mal/Duqu-A: the Duqu driver
Troj/DuquCn-B: the encrypted form of the main Duqu DLL component
Troj/Duqu-B: the decrypted form of the main Duqu DLL component
Troj/DuquCn-A: the encrypted configuration file used by the main Duqu DLL component
Troj/Duqu-C: the Duqu loader
Troj/Duqu-D: the Duqu payload

Threat 3

Bredo Trojan hides behind Word icon

Threat Name:

Troj/Bredo-KV

Users at Risk:

Windows users

Also Known As:

Avira TR/Dldr.Agent.kuq
AVP Trojan-Downloader.Win32.Injecter.gzc
F-Prot W32/Yakes.D.gen!Eldorado
K7 Trojan-Downloader ( 002f8b591 )
McAfee Downloader.a!uv
Microsoft TrojanDownloader:Win32/Dofoil.L

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Bredo-KV is a downloader Trojan for the Windows platform.

This piece of malware tries to trick users into executing it by carrying a Microsoft Word 2007 document icon. The icon isn't an exact copy of the genuine Word icon; it has subtle colour differences.

The file's version information is filled with words picked at random from a dictionary of English words.

After unpacking its encryption layer, Troj/Bredo-KV moves itself to:

C:\Documents and Settings\User\Application Data\csrss.exe

It then launches a copy of the legitimate C:\windows\system32\svchost.exe and injects code into it. Running inside a hijacked legitimate Windows process makes the malware harder to spot.

The malware makes HTTP requests to retrieve instructions on where to download its payload, then downloads and executes that payload.
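Both tricks described above, a csrss.exe that does not live in System32 and an svchost.exe started by something other than services.exe, show up in an ordinary process listing if you know what to compare. The following is an added example, not code from the original article or from Sophos, that runs those checks over a process snapshot. The expected-parent table reflects an XP-era process tree (an assumption; on Vista and later the smss.exe that starts csrss.exe has already exited, so the parent rule for csrss.exe needs adjusting there), and the snapshot itself is constructed for the example, with PIDs 1200 and 1300 standing in for the dropped csrss.exe and the hollowed svchost.exe.

```python
"""Flag processes that imitate Windows system binaries: wrong directory,
wrong parent, or an executable living in a user-writable profile directory."""
import ntpath

SYSTEM32 = "c:\\windows\\system32"

# Binaries Windows only ever starts from System32, and the parent that
# legitimately starts them (XP-era layout; assumption for this example).
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
}

USER_WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\", "\\temp\\")


def find_masquerades(snapshot):
    """snapshot: list of {"pid", "ppid", "name", "path"} records from a
    process listing. Returns a list of (pid, [reasons]) for suspicious ones."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for proc in snapshot:
        name = proc["name"].lower()
        directory = ntpath.dirname(proc["path"]).lower()
        reasons = []
        if name in EXPECTED_PARENT:
            if directory != SYSTEM32:
                reasons.append(f"{name} running from {directory!r}")
            parent = by_pid.get(proc["ppid"])
            parent_name = parent["name"].lower() if parent else "<exited>"
            if parent_name not in EXPECTED_PARENT[name]:
                reasons.append(f"{name} started by {parent_name}")
        # Trailing separator so a marker at the end of the directory matches.
        if any(m in directory + "\\" for m in USER_WRITABLE_MARKERS):
            reasons.append(f"executable in user-writable directory: {proc['path']}")
        if reasons:
            findings.append((proc["pid"], reasons))
    return findings


# Constructed snapshot (not a real capture) of an XP-style process tree with
# the two entries the infection described above would add.
SAMPLE_SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 368,  "ppid": 4,    "name": "smss.exe",     "path": "C:\\WINDOWS\\system32\\smss.exe"},
    {"pid": 500,  "ppid": 368,  "name": "csrss.exe",    "path": "C:\\WINDOWS\\system32\\csrss.exe"},
    {"pid": 600,  "ppid": 368,  "name": "winlogon.exe", "path": "C:\\WINDOWS\\system32\\winlogon.exe"},
    {"pid": 650,  "ppid": 600,  "name": "services.exe", "path": "C:\\WINDOWS\\system32\\services.exe"},
    {"pid": 700,  "ppid": 650,  "name": "svchost.exe",  "path": "C:\\WINDOWS\\system32\\svchost.exe"},
    {"pid": 1500, "ppid": 600,  "name": "explorer.exe", "path": "C:\\WINDOWS\\explorer.exe"},
    # Dropped copy under the user's profile, launched from explorer.exe
    {"pid": 1200, "ppid": 1500, "name": "csrss.exe",
     "path": "C:\\Documents and Settings\\User\\Application Data\\csrss.exe"},
    # Genuine svchost.exe binary, but started (and hollowed) by the fake csrss.exe
    {"pid": 1300, "ppid": 1200, "name": "svchost.exe",  "path": "C:\\WINDOWS\\system32\\svchost.exe"},
]


if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE_SNAPSHOT):
        print(pid)
        for r in reasons:
            print("   ", r)
```

Over the constructed snapshot the dropped csrss.exe (PID 1200) is reported three times over (wrong directory, wrong parent, user-writable location) and the hijacked svchost.exe (PID 1300) once, for its csrss.exe parent; the genuine csrss.exe and svchost.exe pass. The path and parent comparisons are case-insensitive because Windows paths are.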