The Latest in IT Security

Malware compromising BIOS and other September virus events

03 Oct 2011

September 2011 was relatively quiet and did not bring any major burst of viral activity; apparently, malware makers, back from summer vacation, decided to devote themselves to more pragmatic pursuits. However, the month did see the discovery of a Trojan horse of unique architecture capable of infecting BIOS. Also a new backdoor for Mac OS X was found in the wild in large numbers. Finally, September saw a significantly increased number of phishing attacks on social networking sites.

Spammers divide up Gaddafi’s funds

The recent political developments in Libya brought about a bulk of fraudulent mailings offering would-be victims a chance to take advantage of the money held in frozen accounts belonging to the Gaddafi family.

The fraud scheme is a typical Nigerian scam. There is nothing new here; however, it is clear that spammers continue to monitor the political situation and quickly change the subject of their messages to stay in line with new realities.

Trojan.Bioskit.1 infects BIOS

In the first days of September, a remarkable malware sample fell into the hands of Doctor Web’s virus analysts. The malicious program has been dubbed Trojan.Bioskit.1. Its payload enables it to infect the system’s BIOS if the latter was manufactured by Award Software.

First, the dropper of Trojan.Bioskit.1 checks whether one of the Chinese anti-viruses on its list is running in the system. If any are found, the malware creates a transparent dialogue box from which it invokes its main routine. Then Trojan.Bioskit.1 determines the operating system version. If the OS is Windows 2000 or later (except for Windows Vista), it continues the infestation process.

If the BIOS was manufactured by a company other than Award Software, the Trojan horse infects the Master Boot Record by overwriting the first 14 sectors of the hard drive. The original MBR is stored in the 8th sector. If the Trojan horse detects an Award BIOS, the bios.sys driver, which is incorporated into its dropper and has frighteningly destructive capabilities, springs into action. It incorporates three routines:

  • Detects an Award BIOS (and also determines its image size and, most importantly, the address of the I/O port through which the Trojan horse can force the firmware to generate an SMI (System Management Interrupt) and thus execute code in SMM mode).
  • Saves the BIOS image into the c:\bios.bin file on the disk.
  • Creates a BIOS image from c:\bios.bin.

Accessing and re-flashing a BIOS chip is not a trivial task. To do this, one has to be able to communicate with the motherboard chipset to access the chip, detect the chip, and use an erase/write protocol supported by the chip. However, the Trojan horse author chose an easier way and let the BIOS do all the work. He used information acquired in 2007 by a Chinese researcher using the alias “Icelord”. At that time, an analysis of the Winflash utility for Award BIOS revealed that the chip could be re-flashed using a simple method: by the BIOS itself in SMM (System Management Mode). The operating system doesn’t have access to the SMM code and SMRAM (if the BIOS is written properly, it blocks such access), so that code is executed independently of the OS. SMM code may serve different purposes: it may emulate features that haven’t been implemented in the motherboard hardware, handle hardware errors, manage the power supply, and perform service tasks.

To modify the BIOS image, this malicious program uses the cbrom.exe utility (by Phoenix Technologies), which is incorporated into its resources. Using this utility, the Trojan horse injects its module hook.rom as an ISA BIOS ROM into the image. Then Trojan.Bioskit.1 issues a command to one of its other drivers to reflash the BIOS using the updated file.

Upon a subsequent system restart, the BIOS would call all the available PCI Expansion ROMs, including hook.rom. Every time this happened, the malicious code injected into the module would check whether the MBR was still compromised and re-infect it if necessary. It should be noted that the presence of an Award BIOS chip does not guarantee that the Trojan horse will infect the system. Only one out of three motherboards tested in the virus laboratory was infected, while the remaining two motherboards didn’t have enough free BIOS memory into which a new module could be written.
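The report gives a defender two concrete on-disk indicators for this Trojan: the first 14 sectors of the drive are overwritten, and the original MBR is stashed in the 8th sector so that the option ROM can re-infect from it. The following script is an added example (not Doctor Web's code or the Trojan's) that scans the first 14 sectors of a raw disk image for exactly that pattern: a boot-sector copy whose partition table matches the live MBR, plus a hash of the whole region against a known-good baseline. It builds its own constructed clean and infected images, so it runs offline; the sector index of the backup (LBA 7, i.e. the 8th sector counting from 1) and the sample boot code are assumptions for the demonstration.

```python
import hashlib
import struct
from typing import Optional

SECTOR = 512
WATCHED_SECTORS = 14  # the report: the dropper overwrites the first 14 sectors


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a classic MBR: boot code, four 16-byte partition entries, 0x55AA signature."""
    sector = bytearray(SECTOR)
    sector[: len(boot_code)] = boot_code
    for n, (ptype, lba_start, count) in enumerate(partitions):
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sector count
        entry = struct.pack("<B3sB3sII", 0x80 if n == 0 else 0, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
        sector[446 + n * 16 : 446 + (n + 1) * 16] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def partition_table(sector: bytes) -> bytes:
    return sector[446:510]


def is_bootsector(sector: bytes) -> bool:
    """True if the sector carries the boot signature and at least one non-empty partition entry."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    table = partition_table(sector)
    return any(table[i * 16 + 4] != 0 for i in range(4))


def scan_first_sectors(image: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Look for a stashed MBR copy among sectors 1..13 and compare the region with a baseline hash."""
    head = image[: WATCHED_SECTORS * SECTOR]
    sectors = [head[i * SECTOR : (i + 1) * SECTOR] for i in range(WATCHED_SECTORS)]
    mbr = sectors[0]
    digest = hashlib.sha256(head).hexdigest()
    # A second boot sector whose partition table equals the live MBR's is the report's
    # "original MBR stored in the 8th sector" pattern, whichever exact index is used.
    backup_copies = [
        i for i in range(1, WATCHED_SECTORS)
        if is_bootsector(sectors[i]) and partition_table(sectors[i]) == partition_table(mbr)
    ]
    # Informational only: GRUB and other boot managers legitimately write to these sectors,
    # so non-zero gap sectors are a prompt to compare against the baseline, not a verdict.
    written_gap = [i for i in range(1, WATCHED_SECTORS) if any(sectors[i]) and i not in backup_copies]
    baseline_match = None if baseline_sha256 is None else digest == baseline_sha256
    return {
        "mbr_valid": is_bootsector(mbr),
        "sha256": digest,
        "baseline_match": baseline_match,
        "backup_mbr_at": backup_copies,
        "nonzero_gap_sectors": written_gap,
        "suspicious": bool(backup_copies) or baseline_match is False,
    }


def build_clean_image() -> bytes:
    """Constructed 64-sector image: a normal MBR followed by the usual empty gap before LBA 63."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20  # cli; xor ax,ax; mov ss,ax; nops (sample only)
    return make_mbr(boot_code, [(0x07, 63, 2_000_000)]) + b"\0" * SECTOR * 63


def build_infected(clean: bytes) -> bytes:
    """Constructed image mimicking the described layout: loader in sectors 0..13, original MBR at LBA 7."""
    image = bytearray(clean)
    loader = b"\xe9\x10\x00" + b"\xcc" * 443  # placeholder loader bytes, partition table kept intact
    image[0:446] = loader
    for i in range(1, WATCHED_SECTORS):
        image[i * SECTOR : (i + 1) * SECTOR] = b"\xcc" * SECTOR
    image[7 * SECTOR : 8 * SECTOR] = clean[:SECTOR]  # assumption: "8th sector" == LBA 7
    return bytes(image)


if __name__ == "__main__":
    clean = build_clean_image()
    baseline = scan_first_sectors(clean)
    print("clean:", baseline["suspicious"], baseline["backup_mbr_at"])
    result = scan_first_sectors(build_infected(clean), baseline["sha256"])
    print("infected:", result["suspicious"], result["backup_mbr_at"], result["baseline_match"])
```

Record the baseline hash while the machine is known-good (for example right after imaging), and run the scan from a trusted boot medium rather than from the possibly compromised OS; the report's point is that once hook.rom is in the firmware, cleaning the MBR from inside Windows is undone at the next boot.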

It is hard to overestimate the severity of such threats especially when more sophisticated versions of this program or other viruses with similar payloads are likely to appear in the future. At the moment Dr.Web anti-virus software can detect the components of the Trojan horse and cure the MBR and system files.

BackDoor.Flashback – backdoor for MacOS

BackDoor.Flashback was the fourth known backdoor for the operating system MacOS X, but unlike its predecessors (e.g., the malicious program BackDoor.Olyx), it had extremely advanced features and a complex architecture. In addition, it was the first malware of its kind for Mac OS that spread on such a wide scale and implemented a sophisticated scheme to spread and maintain bots.

BackDoor.Flashback installer is disguised as an Adobe Flash Player installer. When a user visits a site distributing malicious software, a flash player error message appears on the screen and then the user is prompted to upgrade their Adobe Flash software.

If they agree to the update, a chain of redirections brings up a prompt to download and install an archive containing the FlashPlayer-11-macos.pkg file (this file is downloaded only if the target operating system is Mac OS X Lion). Then the ‘player’ installation starts. When it is completed, the package is deleted, and instead the main malicious component, Preferences.dylib, is installed into /Library/Preferences/. It performs backdoor tasks in the system and executes commands received from numerous remote control centers. It is worth mentioning that the backdoor can also receive additional commands from the mobile.wtitter.com server.

The main thing Preferences.dylib does is it implements various directives received from a remote command center including standard shell commands. The library can also be used to embed JavaScript code into web pages loaded by a user.

The hunt for bogus sites

In early September 2011, Doctor Web took a series of preventive measures that allowed it to add to its Parental Control database a huge number of sites containing objectionable content or implementing various fraud schemes.

Virus analysts got hold of a list of domains to which users were redirected from compromised sites. A close examination revealed that each IP address on the list typically hosts several sites. Many of the sites provide objectionable content, including fake file-sharing services and other services such as fortune-telling, palmistry, dietary adjustments, genealogical research, the return of hijacked cars, and even treatment for acne. Some provided access to explicit adult content. Many such sites contain links to other sites, for which a similar list of sites hosted on the same server was also compiled. All the links were checked manually. Thus Doctor Web uncovered an entire network of untrustworthy sites. A segment of the network is shown below.

Most of the identified IP addresses belonged to providers in the UK, the Netherlands, the Virgin Islands, Gibraltar; and only a small part of them was located in the Russian Federation. The discovered addresses were added to the Dr.Web Parental Control list. Doctor Web assures users that similar measures to block untrustworthy sites will be taken on a regular basis.

September threats to Android

In September, Doctor Web added 115 new database entries for threats to Android. With 92 entries in the database, Android.SmsSend programs have become the absolute leader; Android.Imlog comes in second with six entries, followed closely by Android.Ddlight (four entries), Android.Typnotify (three entries), and Android.Geinimi, Android.Flexispy and Android.Backdoor (at two entries each).

In addition to the above mentioned 115 entries for viruses that were examined by analysts manually, 58 malicious programs for Android were found automatically by the Origins Tracing technology, a fact mentioned in one of our previous reviews. Malicious programs discovered by means of this technology include 18 Android.SmsSend modifications, seven variants of Android.Gongfu, five Android.Plankton modifications, five Android.Spy modifications, four variations of Android.DreamExploid, and three Android.Geinimi programs.

The Trojan horse Android.SpyEye.1 is the most peculiar malicious species targeting Android. If a user’s computer is compromised by SpyEye, it significantly increases the risk of infection by Android.SpyEye.1 for the user’s mobile device. When a user visits a bank site whose address is present in the Trojan horse’s configuration file, the malicious program injects contents such as text and web forms into the web page. That’s how the unsuspecting customer, who loads their bank’s website page in the browser on their desktop or laptop, winds up seeing a message informing them that a new bank security policy has been introduced. To access their account via the Internet, they are told that they need to install a special application that will supposedly prevent their short messages from being intercepted. Further down the page, the user can see a link to the program, which is distributed as simseg.apk. The malware’s size is about 20 Kbytes.

Once it has been downloaded and installed onto a device, the application won’t appear on the list of installed programs. To find it, the user has to open the Settings applet, go to Applications, and select Application management. The malware is hidden behind the “System” icon.

In order to activate this application, the user must follow the criminals’ instructions by calling 325000 from the device. Android.SpyEye.1 intercepts the call and displays the activation code that the user will supposedly need to enter on the bank’s website from then on; the code is always the same number, 251340.

After that, all short messages received by the infected devices will be intercepted by the Trojan horse and forwarded to criminals.

Windows lockers head to the West

Among the other notable September events we’d like to mention is the fact that with the onset of autumn, extortionist programs blocking access to Windows have flocked to warmer climes, namely to non-Russian Internet territory. First, virus analysts discovered a number of Windows lockers that incorporated a blocking window displaying a message in the victim’s native language and signed by a police department operating in their country. For example, German users got a message that was supposedly from the Bundespolizei; the British were threatened by the Metropolitan Police, while the Spaniards received intimidating messages from La Policia Espanola. In all cases, users are accused of visiting illegal, adult-content websites and are told to pay a “fine” via the payment system available in their country.

Another case of Windows lockers involved a blackmailer that infected the master boot record. It spread in large numbers all over the Internet and was added to the virus database as Trojan.MBRlock.15. This Trojan horse also displayed a message in English, demanding that users pay 20 euros through one of the most widespread payment systems in Europe in order to unlock their systems.

Users whose systems were compromised by Trojan.MBRlock can use the following unlock code: unlock391.

Malicious files detected in mail traffic in September

01.09.2011 00:00 – 30.09.2011 18:00

 #   Name                        Detections   Share
 1   Trojan.Oficla.zip               135919  38.01%
 2   Trojan.DownLoad2.24758           42198  11.80%
 3   Trojan.DownLoad2.32643           27733   7.75%
 4   Win32.HLLM.MyDoom.33808          18710   5.23%
 5   Win32.HLLM.MyDoom.54464          17673   4.94%
 6   Win32.HLLM.Netsky.18401          10058   2.81%
 7   Trojan.Tenagour.3                 9841   2.75%
 8   Win32.HLLM.Netsky.35328           6970   1.95%
 9   Win32.HLLM.MyDoom.based           6278   1.76%
10   Win32.HLLM.Netsky                 6102   1.71%
11   BackDoor.IRC.Bot.872              6098   1.71%
12   Win32.HLLM.Beagle                 5840   1.63%
13   Trojan.Carberp.13                 3488   0.98%
14   Trojan.Botnetlog.zip              3175   0.89%
15   Trojan.DownLoader2.64347          2940   0.82%
16   Trojan.DownLoader4.21360          2879   0.81%
17   Trojan.DownLoader4.51015          2334   0.65%
18   Trojan.DownLoader4.56005          2054   0.57%
19   Trojan.Siggen2.14564              1821   0.51%
20   Trojan.Packed.666                 1794   0.50%

Total scanned: 148,210,174
Infected: 357,620 (0.24%)

Malicious files detected on user machines in September

01.09.2011 00:00 – 30.09.2011 18:00

 #   Name                        Detections   Share
 1   JS.Click.218                  67333862  42.80%
 2   Trojan.Mayachok.1             29366751  18.67%
 3   Win32.Rmnet.12                24834750  15.79%
 4   JS.IFrame.112                  9469508   6.02%
 5   Win32.HLLP.Neshta              9442600   6.00%
 6   Trojan.IFrameClick.3           2802268   1.78%
 7   JS.IFrame.117                   887843   0.56%
 8   Win32.Gael.3666                 802301   0.51%
 9   Win32.HLLP.Whboy                781844   0.50%
10   Win32.HLLP.Rox                  776905   0.49%
11   Trojan.MulDrop1.48542           691067   0.44%
12   Win32.HLLP.Liagand.1            689635   0.44%
13   Trojan.DownLoader.42350         631170   0.40%
14   JS.IFrame.95                    631060   0.40%
15   JS.Click.232                    514805   0.33%
16   Win32.Siggen.8                  418178   0.27%
17   Trojan.Click.64310              397567   0.25%
18   HTTP.Content.Malformed          295247   0.19%
19   Win32.HLLP.Whboy.45             239515   0.15%
20   Trojan.DownLoad2.32643          229527   0.15%

Total scanned: 7,391,189,733,623
Infected: 157,317,745 (0.00%)
