Virtumonde's latest trick!

essexboy · 2008-01-03T21:32:02.000Z

It changes too fast, in this game the advantage is with the malware programmers. Virus analysts are allways playing catchup. The only way to reduce the effect is to surf with restricted rights, not a major problem with Vista but a PITA with XP.

polonus · 2008-01-03T23:00:42.000Z

Hi essexboy,

Yes it is an ongoing battle against the vundo monster, see the posting in our special corner re: win32.bho-hd with vundo characteristics, there I posted the latest file traces (dated Jan 3rd 2008).
I also expect there are certain dlls in Firefox that can add this to spread, these were reported where certain similar spyware was concerned (Adware). The glitch in Windows that causes that the windows protection is slowly deminishing while the machine is just connected to the Internet is hard to avoid. Best policy at the moment, update Sun Java and remove older versions, use NoScript, and surf with normal user rights and not with full admin rights, in the latest versions a driver dll is loaded and a BHO created, also initial executable names are being reverted. Well they use all the tricks in the malware book, and it is effective…

An example of a vundo infection:
Side effects:
• Drops a file
• Drops a malicious file
• Third party control

Files It deletes the initially executed copy of itself.

The following files are created:

– %SYSDIR%%seven-digit random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/Virtumonde.B

– %TEMPDIR%\removalfile.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

Registry The following registry keys are added:

– [HKCR\CLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
• @=“%SYSDIR%%seven-digit random character string%.dll”
• “ThreadingModel”=“Both”

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ShellExecuteHooks]
• “{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}”=“”

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
vtutrrq]
• “Asynchronous”=dword:00000001
• “DllName”=“%seven-digit random character string%”
• “Impersonate”=dword:00000000
• “Logon”=“Logon”
• “Logoff”=“Logoff”

Backdoor Contact server:
All of the following:
• http: //82.98.235.63/cgi-bin/check/**********
• http: //85.12.25.**********

As a result it may send information and remote control could be provided.

Sends information about:
• Current malware status

Remote control capabilities:
• Download file

Injection – It injects the following file into a process: %SYSDIR%%seven-digit random character string%.dll

All of the following processes:

• explorer.exe
• WINLOGON.EXE

Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own files

polonus

FreewheelinFrank · 2008-01-04T08:37:29.000Z

Isn't Zero Day Security a good solution? Will it detect Virtumonde? Is a HIPS tool necessary for it?

Relax, take a chill pill, and…

http://donaldbroatch.users.btopenworld.com/dont_panic.jpg

[b]Malware-Laced Banner Ads At MySpace, Excite[/b]
If you happen to visit the MySpace Chat Forums without the benefit of the latest security updates for popular Web browsers and media player plug-ins (think Macromedia Flash, QuickTime, e.g.), your Windows machine is likely to get a kitchen sink full of malware crammed down its gullet.

http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html?nav=rss_blog

[b] Malicious ads on Myspace, Excite, Blick[/b]
We worked earlier today with Brain Krebs at the WP about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.)

http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html

“fully patched systems won’t be affected”

Lisandro · 2008-01-04T10:57:04.000Z

FreewheelinFrank post:6:

Relax, take a chill pill, and…

http://donaldbroatch.users.btopenworld.com/dont_panic.jpg

Frank… when I’ve saw Sasha with his computer infected… other avast users having deep trouble… yes, I’ve panicked.

system · 2008-01-04T14:40:07.000Z

I paniced aswell after seeing Sasha’s thread. The worst part is he was infected for months before discovering the infection. :o
It makes you wonder doesn’t it …

polonus · 2008-01-04T16:16:00.000Z

Hi Miha,

It makes you wonder indeed, if you fail the one dropper before it starts up for instance through winlogon, the file name is changed in a random arrangement or being reversed or even with a space in between the legit name and the executable, who would notice afterwards. It is like with demons, invite one in and all his friends are coming to stay as well. So there is not really much hope after you have been compromised and the trojan played havoc and contacted outside to do whatever it is programmed to do. So one gram of preventions weighs more than one kilo of cleansing afterwards. Anyway panick has never done anyone any good, and there our friend FwF has a solid point. Better prevent script to run or have it checked, update and patch or better even still - surf between the plag-poles and watch the shark-siren, my dear friend,

Damian

Lisandro · 2008-01-04T16:53:41.000Z

polonus post:9:

Anyway panick has never done anyone any good

You can call it lost of confidence. People say we’re fan boys… I don’t feel like one.

FreewheelinFrank · 2008-01-04T16:58:32.000Z

Don’t put your trust in any AV: make sure to patch the vulnerabilities that let these drive-by downloads happen. Here is a list of exploits used in a current attack:

Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...
(1) first is the venerable MDAC (MS06-014). It’s old, (worked up to Sep 2006), but it works like a charm if you’re not patched.
(2) second is one of the many QuickTime exploits. It’s not easy to determine which version it is, but it’s probably one of last years.
(3) three is AOL’s SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On ™)
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.

http://explabs.blogspot.com/2008/01/neosploit-january-2008.html

szc · 2008-01-04T19:17:57.000Z

Yes, I felt it on my own skin… nothing helped, so I had to go all the way back to the last year with my system backup image. After I’ve noticed there will be so much caching up, reinstallation of hundreds of applications and tools I use, there was an idea burning deep inside of me that I might as well install my OS from the scratch… at least I’ll have completely flushed and refreshed system. So I went with Vista Ultimate and I have to say for some reason it works at least 1/3 times faster than my old XP installation. Everything seems super fast and smooth, and I believe it’s due to the fact that I’m running it on 2 Gb of RAM and of course with a huge help of my new nVidia card. Of course this will not change my opinion about this OS 'cause there still are all those issues that MS needs to fix with that SP1 we are waiting for so bad… but it helped me to realize how much faster it behaves when you have more RAM… it is sad though that people who can’t afford to put more RAM into their computers, can’t experience this OS in full. So, I went to the store and bought another 2 Gb RAM but this time for my laptop (running Vista as well). Since there are two memory slots only, I took out 512 Mb from one and installed this 2 Gb instead, leaving another 512 Mb inside the other slot… so now my laptop runs Vista with 2.5 Gb and I have to say it is a huge difference. Still… MS needs to work on fixing all those annoyances we’ve got with this “new” OS.

Huh… got carried away… back to VirtuMonde - thre words only - I HATE IT!

polonus · 2008-01-04T20:31:34.000Z

Hi SasH,

Well make back ups, maybe have a virtual 2GB online encrypted, and the next time it is flush and install anew, but I agree with you it is one of the nastiest experiences you can get. It turned me into a malware fighter until the end of my days,

Damian

szc · 2008-01-04T21:23:24.000Z

As I mentioned in my reply above:

... nothing helped, so I had to go all the way back to the last year with my system backup image...

I’m not even sure if there is anyone else in this forum that makes and have more system backup images than I do. For every single month, for the past two years, I have backups for each two weeks, all on DVD’s read to restore. Bunch of last backups is no good anymore since I found out they all were infected, so I went back all the way to the last year backup from December. Naturally, I had to reinstall a lot of applications since I installed a bunch of new ones since December 2006, so that made my decision to reinstall OS from the scratch even easier… especially because I had a chance to switch from XP to Vista in the same time.

So, making backups IS very important, but it shows that if your security applications can not protect you, backups are almost unusable. Let’s take a small example… ordinary PC user won’t make more than 2 system backups per month, and most of them will not even go further than 2 months in the past… so the calculation is pretty straight-forward… all those backups, if infected like in my example, would be ready for trash. Go figure what to do in cases like this… I just wonder where my antivirus was when this hit my computer.

Lisandro · 2008-01-04T21:35:35.000Z

SasH post:14:

I just wonder where my antivirus was when this hit my computer.

Siting silently in the system tray ;D
Better, swirling ;D

system · 2008-01-04T21:38:24.000Z

Tech post:15:

SasH post:14:

I just wonder where my antivirus was when this hit my computer.

Siting silently in the system tray ;D
Better, swirling ;D

Happily scanning along, letting the nasties inside and producing FP’s every now and then … ;D

system · 2008-01-04T21:46:04.000Z

SasH,do you have any idea how you became infected ? Do you use P2P,( or similar downloading ) or do you think it was by visiting a bad site/opening email/ clicking on link,etc. I do nearly all my surfing/emaiing using Sandboxie,I haven’t as yet,recovered anything from sandboxes,but, as far as just purely using the net to ‘look’ ,open email attatchments, clicking links etc, I feel quite safe.When I’m done I simply empty the box,and any nasties with it.Also, if you click on an email link while using sandboxie,it opens your browser sandbxed,or if you view a video while surfing,it opens your media player sandboxed,etc,etc.

system · 2008-01-04T22:12:34.000Z

polonus post:13:

Hi SasH,

Well make back ups, maybe have a virtual 2GB online encrypted, and the next time it is flush and install anew, but I agree with you it is one of the nastiest experiences you can get. It turned me into a malware fighter until the end of my days,

Damian

Hello old Pol ! ;D

What did you mean by “make backups”, were you referring in general or where you saying to Sasha that HE should make backups ?

You checked out IDrive yet ? U like ? I love it ! ;D

P.S: Thanks again Tech for letting me us know about IDrive !

Lisandro · 2008-01-05T00:15:03.000Z

Darth_Mikey post:18:

P.S: Thanks again Tech for letting me us know about IDrive !

Yeah… www.idrive.com
12Gb of storage if you share at least with 5 other friends

szc · 2008-01-05T00:18:56.000Z

micky77 post:17:

SasH,do you have any idea how you became infected ? Do you use P2P,( or similar downloading ) or do you think it was by visiting a bad site/opening email/ clicking on link,etc. I do nearly all my surfing/emaiing using Sandboxie,I haven’t as yet,recovered anything from sandboxes,but, as far as just purely using the net to ‘look’ ,open email attatchments, clicking links etc, I feel quite safe.When I’m done I simply empty the box,and any nasties with it.Also, if you click on an email link while using sandboxie,it opens your browser sandbxed,or if you view a video while surfing,it opens your media player sandboxed,etc,etc.

To tell you the truth, I have no idea. P2P is a strange word when it comes to my computer. I used to use Azureus but that was 2 years ago. Since then no P2P program is installed on my machine. I simply don’t need them. I use uTorrent, but what I was downloading is Linux distros from developers’ site, so possibility to download something like that is equal to none.

Even though I don’t use P2P, my avast! P2P provider is always active… same with chat programs. I don’t do any file transfer when it comes to chat apps.

I really have no clue what was going on… Also, I don’t visit any nasty websites… if Site Advisor says it is “green” I am in, if it’s not I simply never open that link…

szc · 2008-01-05T00:21:16.000Z

Tech post:19:

Darth_Mikey post:18:

P.S: Thanks again Tech for letting me us know about IDrive !

Yeah… www.idrive.com
12Gb of storage if you share at least with 5 other friends

Free - but not quite enough. My system backups are usually around 13-15 Gb, and that’s just partition C: with OS installed and program files. Also, even when encripted, I am not fund of leaving my files somewhere “in the wild”.

polonus · 2008-01-05T00:21:37.000Z

Hi Miha,

Why are you always guessing what I think about? Yes that was what I was thinking about. He has too many valuable things on his computer to loose that because of a compromised computer.
The “total recall” thing should not be out of the ordinairy, and your thought is the best option in the case of hardware trouble, you know better than me what the life-span of a hard disk is/could be, what dust can do to a motherboard, and that a normal “nagrywarka” (dvd-burner) does not live longer than 250 !! burning-hours? Heh, it is not a lightbulb, but this hardware comes closest. Did you know that? Shocking information for some. So your critical items locked online, not a bad thought, I have my codes online at a share site of 2 GB, and you have to renew by going there every month.

And for SasH, go to wikipedia and do a read-up on vundo and the Internet glitch, you can get this doing nothing at all just hanging on the Internet through a router will do it in time! M$ would say that it was a feature…

pol

system · 2008-01-05T00:46:52.000Z

polonus post:22:

…
Why are you always guessing what I think about?
…

Well i have to guess because i do not understand your posts sometimes and i want to know what you meant, that’s all …

In this case it seemed like you were implying to Sash that he needs to backup, which is a strange comment since he explained already he is doing regular backups. Besides you and me both know he was making system images before you and me even heard the term system image so i just wanted to clear up what you meant. Did you mean A: Sash you need to backup ! or B: Everybody should back up ! I hope you understand what i am trying to say, your post could be interpreted either way .

Announcements