Microsoft Security Advisory (2286198)

http://www.microsoft.com/technet/security/advisory/2286198.mspx

Disable the displaying of icons for shortcuts

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1.	Click Start, click Run, type Regedit in the Open box, and then click OK
2.	Locate and then click the following registry key: HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
3.	Click the File menu and select Export
4.	In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save Note This will create a backup of this registry key in the My Documents folder by default

Impact of workaround.Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

These were the official Microsoft workarounds.

However, there seems to exist also another solution: deploying a GPO that denies running the executable files from all but C drive. This should solve the problem, however, it could be largely uncomfortable (but safe) for users and is recommended only for experienced administrators.

Thanks to Peter Gramantik

Few days ago, a very strange sample appeared here in our lab. In fact, it was so interesting, it deserved these lines. At the moment, both samples – two drivers which use the rootkit technology for hiding themselves – are detected by AVG. These are quite “standard” rootkits, except, one of them is signed with valid certificate of Realtek Semicondutor Corp. In fact, the certificate is not valid right now, but it _was_ and that’s a bit scary as this could confuse a lot of antivirus products. Valid certificate is still kind of “quality mark”.

But while this is very unusual, the biggest surprise is the method of distribution. This malware uses completely new technique and, unfortunately, still opened vulnerability in MS Windows where the main role plays the “.lnk”  file – yes, the well known Windows Shortcut File. In this particular case, following files are placed on the infected USB Flash Drive:

  

Do you have Total Commander, or Windows Explorer? Or any other file manager which supports icons? You’ve got a problem – of course, only in case you plug in the infected flash drive and open it with one of those file managers. The process of infection starts immediately, two files are dropped to your computer:

  %system%\Drivers\mrxcls.sys

  %system%\Drivers\mrxnet.sys

Two services are created to start them:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]

"Description"="MRXCLS"

"DisplayName"="MRXCLS"

"Group"="Network"

"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxcls.sys"

"Start"=dword:00000001

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]

"Description"="MRXNET"

"DisplayName"="MRXNET"

"Group"="Network"

"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxnet.sys"

"Start"=dword:00000001

"Type"=dword:00000001

Finally, all the malware files (.lnk and .tmp) are hidden, so the victim probably won’t even notice there are some other files on the flash drive.

After this, common rootkit behavior follows including “process injection”, “API hooking”, etc.. The driver injects the malware code into following processes:”

  lsass.exe

  svchost.exe

  services.exe

Maybe, this is the only single threat that uses this vulnerability, but we can probably expect many others – until the vulnerability is closed. Microsoft knows about it and, hopefully, they’ll do something about it soon. Until that time, you should, once again, care about your Flash Drives and the source they came from (remember the good old times with all the infected floppy disc?). And, of course, you should stay protected..

Thanks to Peter Gramantik and Arek Kupka

It was first discovered on common Chinese website infected by "Aurora" exploit. This exploit execution causes that malware file qi.exe is downloaded into vulnerable system.

qi.exe pretends to be an 360 Safe Guarder (Chinese AV company) update component using same icon and file version info as this AV company does.

When gi.exe is executed it drops another malware into system folder:
C:\WINDOWS\system32\MiAnHuAtIaNg.ime

and installs it as default Input Method Editor by modifying the following registry:
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804 "Ime File" = "MIANHUATIANG.IME"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804 "Layout Text" = "cn(ext)"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804 "Layout File" = "kbdus.dll"
HKCU\Keyboard Layout\Preload "3" = "E0200804"
HKCU\Keyboard Layout\Preload "1" = "E0200804"

what's interesting hiding method.

Ironically, dropped malware is in fact KillAV trojan and it kills 360 Safe Guarder (and also other Antivirus software) using Image File Execution Options:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE "debugger" = "ntsd -d"

It also exports a few functions. Functions “DIKOU” and ”Sete” are the real malware payload. Others functions are just useless (do nothing). The only reason why malware exports those functions is to convince victims that ”I am normal IME file, don’t remove me”.

Detection of menitoned malware is very low at the time. AVG detects qi.exe as Trojan horse Generic17.CEPF, MiAnHuAtIaNg.ime as Trojan horse KillAV.AQT and also infected webpages as infected by Exploit.Aurora.

To remove this infection simply delete detected files.

(thanx to "Frank" Zheng)

Flickr Credit: Sebastia Giralt

The title of this post might confuse some people. The 2.0 symbol may trigger thoughts about yet another social networking story we have all read in the last three years and probably do not want to hear about any more. However, this post is about something completely different. It’s about one of the most successful pieces of malware out there that has managed to stay alive for a long time.

Although you have read about Zeus/Zbot in the past, that was probably about Zeus 1.0 or its many sub-versions 1.2, 1.3, etc. that have spread all over the web for several years now. This post is about the latest Zeus version that hit ‘the market’ recently - Zeus 2.0

The fact that Zeus keeps developing and new releases are still coming out from its developer/s is a story for a separate post. It just indicates on the amount of money involved. The provider of Zeus makes enough money to keep the development running; otherwise this project would have been dead a long time ago, as has happened to other less successful malwares.

The new version of Zeus introduces new features and enhancements to make the work of security vendors even more challenging to detect it.

Here are some improvements in the new Zeus 2.0 that we found in the samples we analyzed:

· Zeus 2.0 incorporates new encryption layers to hide its data and communication. Those of you that found ways to break the 1.x encryption and get the keys may find v2.0 as more challenging.

· In v2.0 the binary is installed in "%APPDATA%\{random chars}\{random chars}.exe". Zeus 1.x was using hardcoded filename and was usually installed under %WINDIR%\System32.

· While Zeus 1.x infected the whole PC if it had sufficient permissions. Zeus 2.0 by-design infects only the current user. That's also the reason why file paths and registry entries have changed. This new behavior makes Zeus 2.0 less detectable but also limits the damage if several users use the same PC.

· Zeus 2.0 registers itself in HKCU\..\Run key while Zeus 1.x normally registered itself in UserInit Key.

· Zeus 2.0 binaries and configuration files are no longer protected by ring-3 rootkit.

· Zeus 2.0 does not hook code in svchost.exe, lsass.exe, services.exe.

· Since v1.3 Zeus Builder is protected with "hardware-based licensing system", thus fighting "malware piracy" and preventing AV researchers from analyzing the builder engine.

· In v2.0 Mutex and event names are now pseudo-random GUID strings. Zeus 1.x used hardcoded mutex names like _XXXX_2109, __SYSTEM__64AD0625__, etc.

This change is probably business-driven, as it allows several copies of Zeus from different "vendors" (infections) to coexist on one PC. Maximizing monetization of a single infected PC by various hackers – each can steal the bank credentials of the same user and cash out.

These are not all the changes in Zeus 2.0; however, they ensure that even users with very limited rights on their computer will get infected.

Zeus 2.0 commands for botnet were completely changed. The new commands are much more descriptive:

user_flashplayer_remove; user_flashplayer_get; user_ftpclients_get; user_homepage_set; user_url_unblock; user_url_block; user_certs_remove; user_certs_get; user_cookies_remove;

user_cookies_get; user_execute; user_logoff; user_destroy; fs_search_remove; fs_search_add;fs_path_get; bot_httpinject_enable; bot_httpinject_disable; bot_bc_remove; bot_bc_add; bot_update; bot_uninstall; os_reboot; os_shutdown;

What should we expect to come on the next Zeus update? Here is our guess:

The following commands are present in malware body but are not implemented yet: bot_httpinject_disable;bot_httpinject_enable;fs_path_get;fs_search_add;fs_search_remove;user_destroy;

As long as Zeus continues to make money for its developer/s, we will continue to find new releases and new features in the market.

Preventing the infection from such malware requires more than just one security technology. At AVG we use multiple security layers: Proactive, reactive, real-time and reputation-based technologies to provide our FREE and Paid users with the most advanced protection against the most advanced malware out there. This is how we came across Zeus 2.0.

Be safe out there …

This post was authored by: Kaspars Osis / Yuval Ben-Itzhak

Flickr Credit: Raqib

Our security research team is constantly monitoring what is happening on the Web that we at AVG should be aware of.

Looking for malicious URLs, exploits, new obfuscation techniques are just a few of the tasks we are doing 24x7 to ensure we provide you the best security.

However, fun is also part of our work, and we try to keep that at a high level. It looks like hackers are also doing their daily work and probably looking for some fun as well.

The constant battle with hackers leads us to funny situations like the one we found today. It looks like this hacker was hit by security product blocking his web attacks, however he/she does not give up and keep on trying to hide the attacks …. as the song/exploit says - ‘show must go on’.

On our research today, we came across the URL showing below: yet another obfuscated exploit script trying to exploit the browser and install a malware. We have seen this for the last six years.

However, we found the obfuscation string used by the hacker as our ‘story of the day’ that makes fun in our work.

Note to the embedded string in the obfuscated buffer: ‘sh ow mu st go on’

On a separate script file, the hacker replaces this funny sentence with the escaping character % to execute it with the Eval() method. This in turn injects a whole set of exploits and Iframes to infect the user with the malware.

Who said hackers do not want fun in their work as well?

This post was authored by Yuval Ben-itzhak

AVG detects all known variants as Trojan horse Generic17.ATLK and Trojan horse PSW.Generic7.AUUX.

This malware belongs to locker or ransom trojan family. Its purpose is to compromise and take ransom from users of infected computer.

It spreads among users of P2P software WinNy. This software is popular amongst the Japanese Hentai collector community. There are more language versions of WinNy. It's popular for illegal content sharing, mostly because WinNy provides partial anonymity for its users. This depends on WinNy version. WinNy has totally 200M users around the world.

Once executed, it starts attended setup and gets screenshots from user computer. In such situation, WinNy is probably running on the screen, so an information about sharing of illegal contest and history of users downloads may be captured. The mechanism is very simple, screenshots are .BMP and .JPG pictures, stored in the system drive in generic folders and file names - for example "5xnCX7e7UE5TQyNhJGHvY5nJMgvpii" with files named "5xnCX7e7UE5TQyNhJGHvY5nJMgvpii.bmp" and "5xnCX7e7UE5TQyNhJGHvY5nJMgvpii.jpg"

These screenshots, together with user information collected from the fake game setup (first name, sure name etc..), are uploaded via internet to the server of a fictive company "Romancing Inc." with free access.

Consequently, user is blackmailed by this so-called "evidence" - for sharing of illegal content and presence of Hentai genre pornography. This is even worse when company computers are used.

Blackmailed user is forced into "pretrial settlement" and has to pay 1500Yen (around 19USD) "fine" for deleting "evidence" from the internet server.

This simple trick was surprisingly effective. And this approach is not the first or even a new threat in the P2P community of WinNy users. In September 2003, strain of worms "Antinny" was spreading there as well.

Those "Antinny" worms had the same idea and had similar success. Even government and law enforcement agencies computers were infected by this worm. "Antinny" steals private user data and screenshots and places them on internet as well.

AVG detects "Antinny" worms variants as Worm/Antinny.

You can download AVG Anti-Virus from www.avg.com or if you are home user you can download AVG Anti-Virus Free for free.

Let's have a closer look at this piece of "software".

Distribution:  The way how the executable is delivered might vary, in our particular case it was downloaded by rogue antivirus.

Upon download, there is bunch of files extracted to the %APPDATA%\ IQManager folder and file named iqmanager.exe is executed then there is connection attempt made in order to obtain further information and localized content.  Yes, main parts of application are quite well localized (you can even change the language)  it is not  poor machine translation we might see in some SPAM emails or rogue products.

To increase credibility, application claims relation to the MPAA, RIAA and The Copyright Alliance. There is also information about  computers’ public IP (or IP of ISP in most cases) displayed and you can even reach localized “Copyright law of the European Union” by clicking on the icons under Lawsuit preview.

A victim of this fraud is offered to “Pass the case to court”…

…or “Settle case in pre-trial order”  and pay $399.85 for amnesty. User is asked to fill in credit card detail and despite the fact form is not connected to any transaction system, sensitive data are sent to bad boys to be missused later.

Malware is detected by the AVG as “Trojan horse FakeAlert.RF” and related website is blocked by the AVG LinkScanner.

Ondra Novotny

1. NSS claims AVG does not block the Aurora exploit code provided on the NSS report under section 3.2.1. However, in testing the same exploit against the exact version NSS claimed that they used, AVG cannot replicate the negative result. In fact, the exploit is blocked separately by three different security rules of AVG’s product!
    
2. On the report, NSS didn’t disclose their other tests code and code variants for revalidation of the results.
    
3. NSS wants to charge AVG money to demonstrate how they tested. It seems NSS is holding AVG hostage and wants to charge us ransom because we are questioning the validity of their claims how they reached their conclusion.
    
4. NSS videotapes all of its testing and they agreed to send AVG the files within two hours of our phone conversation (which was on Thursday, March 11). However, it took them more than14 hours and several requests for them to send us the video which means we have been unable to validate the test prior to Bob McMillan’s article being published.
    
5. In our phone conversation with NSS about the results, they stated that their results had AVG blocking the original Aurora exploit, but failing when a variant was introduced. This is completely different than what is published in their report, and different from what they told the external press.
    
6. NSS lists the version of the AVG product tested to be 8.5.364 (an old version of our product). However, now they claim this was a typo and that they tested on our version 9.0. We are now reviewing the NSS video of the test to verify which version of our product was used and how the test was performed, we will share the results of our findings in this blog as soon as we have them.

This is a screenshot of AVG blocking the Aurora 0-day attack from the AVG labs.

This is a screenshot of the three security rules blocking the exploit for the Aurora attack.

The bottom line is this: when someone reports and informs the external press that our product doesn’t work, but we have solid proof that it does, we take these accusations very seriously and we expect them to offer some validation to back up their findings. It’s interesting that this is the first time in AVG’s history that anyone has come out and said that our product flat out doesn’t catch what it’s supposed to catch. That doesn’t fit with our reputation and it doesn’t fit our own experience with our 110 million customers. It just doesn’t smell right.

AVG eagerly awaits a further response from NSS so they can see for themselves that AVG does indeed protect its customers from the Aurora attack.  

Share | |

Collected Name: DHL_label_NR1156.exe
SIZE: 41984 bytes
MD5: f71d48a86776f8c0da4d7a46257ff97c

After execution malware copies itself as incognito.exe into %system% folder.

Downloader then gets two binaries named exe0.exe and dll.dll and installs them into system.

Collected Name: exe0.exe
SIZE: 33280 bytes
MD5: c0ed88ccdc920a951f750c53b21996a1
Packer: Thinstall

This binary is copied to %system% folder as smss32.exe and is executed.

After execution, the wallpaper is changed by the figure below:

Due to fact that malware modifies these Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetActiveDesktop

The change of this wallpaper is blocked to the user, as shown in the next figure:

After a while, a message pops-up to the user, alerting an infection:

As the malware runs, it verifies if the file smss32.exe is in “C:\Windows\system32”, inserting it in the registry in order to execute this file in init and logon. There are some excerpts below showing registry changes to be done by the malware.
This change in logon is done to show an alert when userinit.exe is executed. The alert message shown before MS Windows starts is:

If the user tries to open some Windows applications as calc.exe, cmd.exe or “Microsoft Word”, all of them quit unexpectedly with the following message, indicating a loss of functionality:

Full list of affected applications follows:
"calc.exe"
"notepad.exe"
"control.exe"
"WINWORD.exe"
"WinRAR.exe"
"winmine.exe"
"vmware.exe"
"uTorrent.exe"
"notepad.exe"
"msconfig.exe"
"thebat.exe"
"taskmgr.exe"
"spider.exe"
"sol.exe"
"sndvol32.exe"
"Skype.exe"
"wupdmgr.exe"
"GoogleEarth.exe"
"chrome.exe"
"MsnMsgr.Exe"
"EXCEL.exe"
"WINWORD.exe"
"word.exe"
"POWERPOI.exe"
"RealPlayer.exe"
"skypePM.exe"
"regedit.exe"
"RegCloneCD.exe"
"RecordingManager.exe"
"POWERPNT.exe"
"PokerStars.exe"
"pinball.exe"
"Photoshop.exe"
"OUTLOOK.exe"
"OIS.exe"
"nfs.exe"
"NeroExpressPortable.exe"
"Nero.exe"
"MSWorks.exe"
"mspaint.exe"
"msmsgs.exe"
"msimn.exe"
"mshearts.exe"
"mplayer2.exe"
"mplay32.exe"
"moviemk.exe"
"miranda32.exe"
"Illustrator.exe"
"Icq.exe"
"hrtzzm.exe"
"GOM.exe"
"FullTiltPoker.exe"
"freecell.exe"
"shvlzm.exe"
"RWipeRun.exe"
"RwcRun.exe"
"PowerDVD.exe"
"LA.exe"
"setup_wm.exe"
"winamp.exe"
"windvd.exe"
"realplay.exe"
"WindowsAnytimeUpgradeUI.exe"
"sidebar.exe"
"tvp.exe"
"AdvancedDVDPlayer.exe"
"QuickTimePlayer.exe"
"digitaleditions.exe"
"cmd.exe"
"CloneCD.exe"
"rstrui.exe"
"AcroRd32.exe"
"wmplayer.exe"
"mplayerc.exe"
"AdvancedDVDPlayer.exe"
"QuickTimePlayer.exe"
"userinit.exe"

If there is no process that matches the malware list, an error occurs:

After the error message, this malware sample tries to execute two binaries in sequence: IS2010.exe and IS15.exe, respectively.
IS15.exe creates links to a fake antivirus (Internet Security 2010), whose homepage was used to host binaries needed by this malware and there were also some advertisements related to buying the fake antivirus. The main homepage was shown below:

If a user clicks the “Download now!” button, there is a form to be filled with personal information, as well as credit card information.

The main DLL used was helper32.dll, which is the downloaded file dll.dll renamed by the malware.

The DLL component works as a network wrapper filtering some URLs and forwarding the user to an alert about an infection in the machine and providing access to the malware antivírus.

This malware supports the following browsers:
Firefox
Internet Explorer
Flock
Opera
Safari

Below, the list of sites blocked by the malware:
facebook.com
youtube.com
myspace.com.live.com
craigslist.org.wikipedia.org
ebay.com.blogger.com
amazon.com
twitter.com
go.com
bing.com.flickr.com
wordpress.com
photobucket.com
weather.com
nytimes.com
pornhub.com
mapquest.com
foxnews.com
hulu.com
livejasmin.com
youporn.com
digg.com
adultfriendfinder.com
mywebsearch.com
rapidshare.com
redtube.com
ask.com
tube8.com
linkedin.com
thepiratebay.org
xvideos.com.godaddy.com
mozilla.com
guardian.co.uk
imageshack.us
livejournal.com
washingtonpost.com
monster.com
bbc.co.uk.bebo.com

When the victim tries to access one of those sites, he receives an alert in an HTML page different from the requested one:

AVG detects all malware samples mentioned in this analysis.

(Thanx to Diego Bassani de Souza)

How surprised we were during analysis of Energizer USB Duo charger monitoring software (no longer available on company's website) we received few days ago. Among regular files installed on computer, which are intended to monitor conditions of batteries, is installed also file named Arucer.dll which has nothing to do with monitoring software but serves as backdoor on infected computers.

File is installed into %system32% folder and add a new "Run" key in the registry which makes it to run every time computer is started up. Malware listen on port 7777 allowing remote attackers to connect to computer to get any information or upload another malicious software. AVG detects this file as Trojan horse BackDoor.Generic12.AQFA.

Very interesting thing is to see the name of author (apparently not from Energizer company) in all DLL files which belongs to this software, malicious as well as clean. So after all, this does not seem to be a coincidence.

Solution is very simple, use AVG to remove this file. Hopefully, this time Energizer's bunny will not keep going and going and going.

(Thanks to Michal Cebak)