Saturday, November 22, 2008

eCard worm: The new batch!

After a brief period of inactivity, eCard themed spam mails seem to be back in action. As usual, these mails carry links to malware masqueraded as e-greeting cards. Here are some examples of eCard mails (note that the From header is spoofed):




This eCard malware is a mIRC based backdoor, and most of the AVs detect it. The dropper is actually a SFX file, following screenshot shows files bundled in the dropper:



When run, the dropper installs an mIRC client and also adds a WH_KEYBOARD message hook to log keystrokes. The mIRC client tries to establish connection with remote servers 89.46.165.197 (whois) and 210.51.167.75 (whois). An automated analysis of this malware is avilable at ThreatExpert.

Thursday, November 20, 2008

Zlob and Vundo team up!

Recently, noticed few rogue websites that are pushing both Zlob fake codec and Vundo trojan. Usually, Vundo trojans spread in the form of keygens or cracks. However, the gang behind Vundo seems to be collaborating with Zlob gang to spread malware in the form of fake codecs!

Here's one such website, aaibberlinoschlosschn.com.cn (69.61.96.245), hosting both Vundo and Zlob. A Zlob installer is offered for download if "Continue" button is clicked, and a Vundo dropper is delivered when "Download free player" link is clicked.



VirusTotal scan results for Zlob and Vundo droppers are available here and here respectively.

Friday, November 07, 2008

Moon-Player

Moon-Player is one of the latest fake video codec/player by Zlob/DNSChaner gang! Moon-Player installer is dropped by the standard Zlob fake codec infection technique. An example of a dropper-website and installer is shown here:




Moon-Player installer is hosted at http://moon-player.com (203.169.164.18) (whois info). This particular Zlob variant is highly dangerous as it drops rootkit based spyware and also adds malicious DNS servers. Following HijackThis entry shows the rogue name servers added to the "NameServer" list of the system:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer = 85.255.112.143;85.255.112.94

These name servers are located at Ukraine and whois information can be found here and here.

The rootkit component is a user mode rootkit that hides files by hooking APIs of ntdll.dll. Following screenshots show rooted file and hooked APIs:



The rootkit also injects a DLL into few of the standard Windows processes (alg.exe and spoolsv.exe), as shown in below screenshot.


The injected DLL C:\Windows\System32\Dll.dll actually does not exist, and the file that is really injected is C:\Windows\Temp\tempX.tmp (where X is some random number). This can be seen from the DLL information shown by IceSword. It seems that the injected file changes its name in the module list maintained in process PEB, to a dummy/non-existent one.


VirusTotal scan result of the installer can be found here. An automated analysis of the installer can be found at this ThreatExpert page.

Update: A Zlob (Moon-Player and other fake video players)  rootkit removal tutorial has been posted here.

Monday, November 03, 2008

SysProt AntiRootkit v1.0.0.7 released!

Here's a quick update on SysProt AntiRootkit. Various improvements were made in SSDT hook detection and hidden files scanning feature. And as a result, here's the latest release - SysProt AntiRootkit v1.0.0.7.

Download SysProt AntiRootkit v1.0.0.7 from MajorGeeks. Your feedback is welcome :)

Supported operating systems: Windows 2000/XP/2003 32 bit.

Sunday, November 02, 2008

SysProt AntiRootkit v1.0.0.6 released!

Here comes the latest version of SysProt AntiRootkit, with various improvements over the previous version. Following list summarizes the improvements in SysProt AntiRootkit v1.0.0.6:
  • Improved hidden drivers and services detection
  • Improved driver/service disabling feature
  • Improved process killing mechanisms
  • Added DLLs view for processes (double-click on a process to see loaded DLLs)
  • Brand new hidden and locked files/folder scanning
  • Color coded display (hidden items are displayed in red color)
  • Ability to filter the display to show only hidden items
  • Various optimizations in driver for better performance and stability

Here are some screenshots which show SysProt AntiRootkit v1.0.0.6 in action:
Processes view:


DLLs of a process:


Hidden drivers:


Hidden and locked files:


SSDT hooks:

Download SysProt AntiRootkit v1.0.0.6 from MajorGeeks. Feedback is welcome :)

MSoftCodec

MSoftCodec is yet another fake codec belonging to Zlob trojan family. The dropper, MSoftCodec.exe, is hosted at 1st-download-software-base.net (206.51.225.218) (whois info). As of now, detections are poor as demonstrated by this VirusTotal scan.