Using Avast EndPoint Protection 8.x with the SOA
The affected workstation is running Windows 7 Ultimate SP1
VPS: 160524-1
Program: 8.0.1607
SOA: 1.3.3.35, running on Windows 7 Ultimate SP1
It seems to me that Avast may not be detecting, or at least, not fully detecting and blocking, a recent variant of what Trend Micro calls “Worm_Zlader.B”:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b
I have no definitive proof; I will just present the evidence I have collected.
Yesterday shortly before noon, users on my network began reporting that the names of all of the top-level folders inside a couple of network shares had been renamed to series of numbers and letters inside curly braces.
Further investigation revealed that these new names resembled standard Windows resource GUIDs, and that bogus “recycler” folders had also been created in each of the affected shares. Also, new “shortcuts” had been created that were given the real names of each of the renamed folders in the shares. These shortcuts actually pointed to a GUID-named .scr file that was deposited in the bogus “recycler” folder.
The renamed folders can easily be renamed back to what they should be, and none of the subfolders or files inside them were affected.
These shares are on a Linux file server running SAMBA 3. Therefore, and fortunately, double-clicking these shortcuts produced no effect, because Windows software cannot execute on those shares.
This is the behavior that has been documented for Worm_Zlader.B.
The bogus “recycler” folders and the .scr files they contain show creation dates in Windows in February of this year. However, examining them in a GUI file manager on the Linux machine shows that they were actually created yesterday.
On the Security tab of the Windows Properties dialog, all of the shortcuts and bogus “recycler” folders, and the files they contained, showed “Full Control” permissions granted to the same single network domain user name. This user has access to only one workstation on the network. This is a restricted domain user account; it does not have permissions to install software on any machine. However, all network users have the ability to create or modify folders on the network shares to which they have access.
The dropped files referenced on the Trend Micro site were not found on this user’s computer.
An Avast full scan of this computer found no threats. Also, an Avast scan of one of the bogus recycler folders on the network share did not find anything wrong with it or its contents.
A Trend Micro Housecall full scan of this computer found no threats.
At around the same time of day yesterday, the SOA recorded that the Avast Web Shield found the following on this user’s computer:
http://lidiahalamtrading.com/pm.dll Sf:Nuclear-A [Trj]
Visiting that site in Firefox (just the site; I did not dare to try to navigate directly to the dll file) does not produce an Avast pop-up warning. A Google search on the site reports that the site “may have been hacked”. To my eyes, the site appears to have been abandoned.
Oddly, the Web Shield also reported the identical site and malware on a different workstation on the network about five minutes earlier. The user who created the bogus shortcuts does not have access to this second computer, and the user of the second computer was not implicated in any of the issues we found.
However, the behavior we saw on our network shares has not been attributed to Sf:Nuclear-A as far as I can tell.
About 3 weeks earlier, one of our email addresses (hosted by Rackspace, not us) was hacked by a botnet and used to send spam. The bots mostly used that address as the “from” address; however, they also spoofed another of our addresses as well. The user implicated in the current folder-name-changing incident was one of a very small number of users who has access to both of those email addresses.
I can’t rule out that this user encountered a similar issue to the “lidiatrading” event while browsing a few weeks earlier, at a time when Avast may not have been detecting that issue. On the other hand, the user also has an extensive browser history of visiting inappropriate websites, so her behavior may have simply exposed us to two unrelated threats.
Possibly related to this, a full MalwareBytes scan on this user’s machine found:
Spyware.Ursnif
Trend Micro has this to say about that malware:
http://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/
The behavior we saw is not associated with that malware as far as I know, but it is the ONLY malware that ANY scan actually found on the machine of the user whose login was associated with the bogus shortcuts and recycler folders.
I am very concerned about this. I don’t know what those .scr executables would have done to my network if they had been executed on a Windows server instead of being on a Linux machine. It is not clear that the website flagged by Avast had anything to do with this event, but if it did, Avast failed to block its action. This strikes me as highly dangerous.
I will probably submit this report and the .scr file directly to Avast but wanted your reactions first.
Thanks.
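As an added illustration that is not part of the original post: a small triage sweep, run on the Samba host, for the three artefacts the post describes at the top level of a share (GUID-named folders, a bogus "recycler" folder holding a GUID-named .scr, and .lnk shortcuts). The sample share tree, the GUID value and the folder names are constructed for the example.

```python
import os
import re
import tempfile

# Indicator pattern from the post: folder/file names that look like Windows GUIDs
# in curly braces, e.g. {3b2a5f60-1c4d-4e8f-9a0b-6d7c8e9f0a1b}.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def scan_share(root):
    """Return the indicator hits found directly under one share root."""
    findings = {"guid_dirs": [], "recycler_scr": [], "shortcuts": []}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path) and GUID_NAME.match(name):
            findings["guid_dirs"].append(name)            # renamed top-level folder
        elif os.path.isdir(path) and name.lower() == "recycler":
            for entry in sorted(os.listdir(path)):
                stem, ext = os.path.splitext(entry)
                if ext.lower() == ".scr" and GUID_NAME.match(stem):
                    findings["recycler_scr"].append(name + "/" + entry)
        elif os.path.isfile(path) and name.lower().endswith(".lnk"):
            findings["shortcuts"].append(name)             # shortcut bearing the old folder name
    return findings


def share_looks_hit(findings):
    """All three indicator classes together is the pattern the post describes."""
    return all(findings[k] for k in ("guid_dirs", "recycler_scr", "shortcuts"))


def build_sample_share(infected=True):
    """Construct a throwaway share tree (sample data, not real artefacts)."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Archive"))            # untouched folder
    if infected:
        gid = "{3b2a5f60-1c4d-4e8f-9a0b-6d7c8e9f0a1b}"   # constructed GUID-style name
        os.makedirs(os.path.join(root, gid, "docs"))      # subfolders survive the rename
        os.makedirs(os.path.join(root, "Recycler"))
        open(os.path.join(root, "Recycler", gid + ".scr"), "wb").close()
        open(os.path.join(root, "Accounting.lnk"), "wb").close()
    return root


if __name__ == "__main__":
    for k, v in scan_share(build_sample_share()).items():
        print(k, v)
```

Point `scan_share` at each exported share root to get the same report for a real share; the checks only read directory listings and rename nothing.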