The security industry is currently buzzing with talks about a threat dubbed as the precursor to the next STUXNET.

According to a Symantec analysis, portions of the code are very similar to STUXNET, and was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.

Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware, and triggering the execution of its other routines. Based on analysis, however, the main goal of the said files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, into the affected systems through this connection. We have also verified that its codes are very similar to that of STUXNET.

Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks if it matches any of the following security-related processes:

• avp.exe (Kaspersky)
• Mcshield.exe (McAfee)
• avguard.exe (Avira)
• bdagent.exe (Bitdefender)
• UmxCfg.exe (CA)
• fsdfwd.exe (F-Secure)
• rtvscan.exe and ccSvcHst.exe (Symantec)
• ekrn.exe (ESET)
• RavMonD.exe (Rising)

If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one.

TROJ_SHADOW.AF requires command lines in order to execute properly. Available commands include: collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information on any affected system, such as:

1. Drive information such as:

• FreeSpace
• Drive device name

2. Screenshots
3. Running Processes and Owner of Running Processes
4. Network Information such as

• IP address
• IP routing table
• TCP and UDP table
• DNS Cache table
• Local Shares

5. Local shared folders and connected users
6. Removable drives serial number
7. Window Names
8. Information on open files on local computer using NetFileEnum

We will be updating this blog entry for further developments. While our investigation is currently ongoing, preliminary information indicates that Trend Micro’s products protect against TROJ_SHADOW.AF. Smart Feedback from the Smart Protection Network™ indicates that no Trend customers have been affected by this threat. Trend Support has not received any infection notifications.

Trend Micro products have been updated to provide protections against this latest threat through updated signature as well as by blocking access to malicious control servers with Web Reputation Services.

Users may refer to our Knowledge Base page to read up on how to protect systems from this threat.

This year, we had the privilege of attending the 21st Virus Bulletin International Conference in Barcelona, Spain.

Researchers from Trend Micro presented three topics in the corporate stream and one topic in the technical stream. Ethan YX Chen covered file-fraction reputation for the technical stream on day 1. For the corporate steam on day 2, Max Goncharov presented on traffic direction systems as malware distribution tools while David Sancho and Rainer Link talked about the lessons they learned while sinkholing botnets. Trend Micro global director of education David Perry talked about the missing metrics of malware.

Among the different topics that were presented in this conference, we got hooked on those in the technical stream. Here’s a rundown of what we found particularly interesting.

A Mobile Malware Jail

The presentation entitled, “An OpenBTS GSM Replication Jail for Mobile Malware,” by Axelle Apvrille discussed the challenges security researchers faced when analyzing mobile threats.

As she said, the golden rule of antivirus is not to spread any malware that we are analyzing. However, when testing malware, sometimes it is necessary to connect to the Internet or to other connections during analysis in order to verify or analyze their routines. Analysis is easier to do on malware affecting computers since it is easy to isolate them from the Internet and still be able to see what they do. Mobile malware, however, are not as easy to confine since there are no wires to unplug in order to analyze them.

Since we don’t want to risk infecting our co-workers’ smartphones while trying to analyze a mobile malware, we need a way to be able to analyze mobile malware effectively without putting other users at risk.

Ms. Apvrille’s solution for this is to create a dummy GSM service operator. This is a cheaper solution compared with building a Faraday cage but it is as effective in confining the malware. It uses OpenBTS, an open source, Unix-based application, and a Universal Software Radio Peripheral (USRP) device. How cheap is cheap? Around US$1,000. Still expensive but we believe this is a good investment for antivirus companies due to the growing number of mobile malware.

Fraud and Stealth Malware

The presentation about fraud malware analysis showed us that FAKEAV/fake tools have been around for some time now and will probably be there for even longer because of their capability to adapt to changes in the computing landscape.

According to the report, we may even expect such threats to adapt to mobile platforms in the coming years.

The stealth malware presentation analysis featured recently emerging rootkits and bootkits, including the infamous TDL Family, Zeroaccess, POPUREB, and Mebromi (aka MyBios).

File Reputation Research

In his presentation, Tim Ebringer of Microsoft brought out the issue regarding difficulties with finding other malware samples related to one particular file. This was similar to Ethan YX Chen’s paper wherein he proposed a solution to combine reputation- and content-based solutions. He offered a different perspective on the efforts to fight against today’s highly polymorphic, micro-distribution malware.

There are a lot of malware families right now so how can we say that a certain sample belongs to a certain malware family?

For the popular ones (Autorun, OnlineGames, FAKEAV), there is no problem but for the not-so-popular ones (RAMNIT, SYSWRT), the likelihood of placing the sample in a new family is high, therefore, damaging the malware taxonomy.

With Bindex, all malware samples are divided into blocks of code and stored in a database. If a new sample that is being analyzed by an engineer contains an interesting code snippet, he/she can search the database using the snippet and find related malware. If the result turns out to be very broad (e.g., composed of different families) then the code snippet that he/she searched may be a compiler code.

Being able to identify a compiler code can help avoid false alarms since the engineer will then know that the code should not be used as a malware signature. Overall, we think this application is of great help in creating heuristic detections.

VB2011 was a great experience for meeting other people in the antimalware industry. In sum, the learning we gained during the conference will definitely help us become even stronger in our battles against future threats and ultimately be better in providing solutions for and in protecting users.

In the past, we’ve reported about malware based on the leaked ZeuS code, such as Ice IX, and ZeuS 2.3.2.0, and this usage of the leaked code has continued on since then, and has resulted to attacks such as the one I’m about to share.

My colleagues and I have been monitoring another new version of ZeuS since the late September, one that we believe is also based on the leaked ZeuS source code. Although this new ZeuS variant seems to have no reference on its code of its version number, we believe it was developed by the same criminals behind LICAT.

This new version, detected as TSPY_ZBOT.SMQH spread around late September through spam that claims to be from ATO (Australian Taxation Office). The spammed messages contain a malicious link, which when clicked directs users to a malicious website that serves the BlackHole exploit kit. The exploit kit, in turn, downloads a variant of this new ZeuS version.

Unlike earlier ZeuS versions that use HTTP to download its configuration file, this version opens a random UDP port and connects to a hardcoded list of IP addresses to download its configuration file.

TSPY_ZBOT.SMQH establishes connection with the server by sending encrypted data which contains the bot ID and a stream of characters. Each IP address in the hardcoded has a corresponding stream of characters which the server seems to check to validate the communication.

If any of the IP addresses is alive, it will reply with the encrypted configuration file via TCP.

Decrypting the Configuration File

Once the configuration file is downloaded, TSPY_ZBOT.SMQH will employ the following decryption algorithm for its configuration file:

As we can see, unlike ZeuS 2.3.2.0 which uses Advanced Encryption Standard (AES), the decryption algorithm did not change much compared to the modified ZeuS 2, which uses RC4.

As I mentioned earlier, like LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a private professional gang, probably the same creators of LICAT, or affiliated with them at least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.

Although the spammed messages only target Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign, including the United States, European, and even Asian countries.

We will continuously monitor this threat and other variants that will emerge in the future.

Thanks to Mark Dixon of Westpac Bank of Australia for providing samples of the related malware and spam.

Lately, we have been seeing a renewed increase in volume of spam attacks that utilizes an exploit kit – specifically, the BlackHole exploit kit – to trigger a malicious payload. Specifically, we have seen this in the latest slew of Automated Clearing House (ACH) spam, and the more recent spam run related to Steve Jobs’ death.

In this post, we will reorient readers on the infection chain of such attacks to help us understand why the basic mitigation practices are still effective and helpful in protecting one’s self from today’s threats.

In a typical spam campaign that involves malware, cybercriminals lure users through social engineering into performing several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.

Spam campaigns using exploit kits, however, are a bit more dangerous since they only need to lure the user into clicking a malicious link and the rest of the infection will be able to take place.

Below is an example of this type of spam purporting to be coming from National Automated Clearing House Association (NACHA). NACHA manages the ACH network, which facilitates bulk payment transactions involving businesses, governments, as well as consumers. Users who are more likely to receive email from NACHA are those who conduct transactions related to payroll, government benefits, tax refunds, and others.

In the spam screenshot above, we can see that the link points to a dubious-looking domain that is not related to National Automated Clearing House Association (NACHA). A blank page is displayed when users click the link. This blank page is actually a gateway page that contains the following obfuscated JavaScript:

When decrypted, we can see that it is a script that attempts to embed an iframe pointing to another malicious site, which uses the BlackHole Exploit Kit:

Once the iframe is loaded, content is also loaded from the BlackHole Exploit Kit site which, again, contains a highly obfuscated script. Upon decoding the code, we can now see the actual code which searches for vulnerable software and uses the appropriate exploits.

The BlackHole Exploit Kit exploits vulnerabilities both in third-party applications like Adobe Acrobat, Adobe Flash, and Java, as well as in Windows components like Microsoft Data Access Components (MDAC) and Help and Support Center (HCP).

Successful exploitation executes a shellcode, which triggers downloading and executing malware. We have observed that these attacks have been used to spread ZeuS variants, although these may also be used to spread other malware families.

Multilayer Mitigation

As a reminder to users, here are some ways to prevent this kind of threat from getting into their systems:

• Be aware of social engineering attacks. A majority of online attacks today utilize social engineering before they can exhibit technical infection. By being wary of what you do online, infections can already be mitigated at the onset. Simple common sense like not entertaining unsolicited emails could go a long way in terms of your personal online security.
• Always check for malicious links. Always check where the URLs hyperlinks point to. It is also a good practice to copy and paste a URL to your browser address bar instead of clicking links directly.
• Consider disabling JavaScript in your browser. As mentioned earlier, the gateway page and the BlackHole Exploit Kit page both used JavaScript. This is also the case for a lot of threats today that use the browser to execute a malicious payload. As such, it is a good idea to consider disabling JavaScript in your browser and only allow it to your trusted sites if necessary.
• Always remember to patch. The BlackHole Exploit Kit utilizes exploits that affect old, unpatched versions of software. The persistence of such tools means that old exploits are still able to infect many users. No matter how inconvenient it may be, patching your software regularly is still an important mitigation process.

The state of the threat landscape and the overwhelming reliance of the general public on the Internet demands that users should have awareness of the kinds of threats found on the Web, as well as ways to protect themselves through it. In having knowledge of how attacks such as this one work, users can gain advantage of the attackers, and be able to stop a threat even before it gets into their system. A little self-education can ultimately make the whole Internet a better and safer place to be.

More information on how cybercriminals have utilized spam in their malicious schemes can be found on our recently released security focus report, Spam in Today’s Business World.