Fig. 1: The email claims to carry a Conficker removal tool.

The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft about that. The attached tool allegedly offers a free system scan.

The attachment is a FakeAV solution though; also Microsoft would never send out an executable attachment without former consent via email. Do not execute the malware in the zip file from the mail! Avira detects it as TR/Vilsel.ior with the VDF 7.01.06.127.

Dirk Knop
Technical Editor

In those forums there were links embedded in the posts which lead to a JavaScript on a Russian website. A google search with the URL revealed that already more than 100 web pages, especially forums, got infected with that malicious link – the infection rate is increasing fast. Later another URL with the malware script was identified, which Google reported on more than 16.000 obviously infected web pages.

Fig. 1: The JavaScript is encrypted and obfuscated in several layers.

The JavaScript is trying to exploit several vulnerabilities to silently install malware on affected users’ computers. Among these are exploits for Microsoft Video ActiveX Control Vulnerability (CVE-2008-0015), Microsoft Internet Explorer XML Parsing Vulnerability (CVE-2008-4844), Microsoft Internet Explorer Malformed CSS Memory Corruption Vulnerability (CVE-2009-0076) and some PDF exploits for Firefox and the Internet Explorer. All these exploits are already known and security updates are available. The malware writers obviously assume that a lot of Internet users do not update their systems.

Fig. 2: Decrypting the JavaScript needed some brute force, too.

That malicious JavaScript is hosted on a fast-flux’ed domain – the Internet addresses to which the embedded link points resolves to different locations every few minutes (fast flux as abbreviation from fast fluctuation, see Wikipedia). So it doesn’t help to take down one server as there are plenty of them. Usually infected computers serve the malware.

Fig. 3: The domain the JavaScript was loaded from was a fastflux'ed domain.

The servers are GeoIP-aware. Trying to access them directly with an IP from Deutsche Telekom network resulted in an “access denied”, while using a proxy in the USA made the bots deliver the malware.

Fig. 4: The shellcode in the JavaScript finally leads to a FakeAV infection.

But this malware – Avira detects it TR/FraudPack.ams – is just another downloader. It is encrypted with some layers as well.

Fig. 5: The crypter author sends out greetings to Sunbelt.

One of the encryption layers contains greetings to the company Sunbelt.

Fig. 6: Contents of the FakeAV downloader svcst.exe.

It accesses a set of “double fast-flux’ed” domains to fetch the actual malware, a FakeAV and a ftp password stealer which sends the data to guest books on the Internet. These are detected by Avira with generic detection as TR/Crypt.ZPACK.Gen and as TR/FakeAV.RK, while the password uploader gets detected as TR/Downloader.Gen.

Fig. 7: The FakeAV disguises itself as Antivirus Pro 2010.

The WebGuard of the Avira Premium and Professional blocks the URLs from where the malicious JavaScript is included and also the malware download URLs. Avira AntiVir also protects users from the downloaded malware.

(Article updated on 6th October to add more details about the malware.)

Emanuel Somosan
Moritz Kroll
Engine R&D

Dirk Knop
Technical Editor

Our developers created a special version of our Avira Removal Tool which is capable of detecting and deleting infected programs. You can download the English version here and the German version here!

Dirk Knop
Technical Editor

Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the dropped malware by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. Anyhow it is a good idea to take additional security measures until Adobe provides an update.

Adobe recommends to delete or rename the file authplay.dll that ships with the Reader and with Acrobat. Also, enabling Data Execution Prevention (DEP) and activating the User Access Control (UAC) in Windows Vista shall mitigate the risk according to Adobe.

Another solution would be using a different PDF reader and disabling Adobe PDF and Flash within the web browser via its add-ons-manager. The NoScript extension for Firefox also helps preventing Flash applications to run in the browser; it is possible that drive-by-downloads via malicious Flash applications embedded in web sites turn up soon.

Dirk Knop
Technical Editor

It is polymorphic and has been manually adapted and extended by its author(s) multiple times. While analysing one of the latest W32/Virut variants, we came accross a block in the virus code that couldn’t be properly disassembled by the used debugger. Looking closer, it turned out that the problematic block of code contained a relatively unusual multi-byte no-operation instruction (NOP).

Fig. 1: Even modern disassemblers and debuggers can't decode the length of the NOP correctly (OllyDbg 1.10).

The usual NOP instruction of x86 processors is one byte long (opcode 0x90). But there is also a multi-byte NOP with the opcode 0x0F 1F which is used in the virus code. The multi-byte NOP can take up to 9 bytes. NOP instructions can get used for padding the code to align it to 8 or 16 byte boundaries – on modern processors this can speed up the code, mostly for caching reasons.

Intel officially documented this multi-byte NOP in 2006, but it has already been present in older processors for quite a while – apparently since Pentium Pro, but not the Pentium MMX.

Fig. 2: Older disassemblers and debuggers don't cope well with the multi-byte NOP instructions (older IDA variant).

The author(s) of the W32/Virut malware now use(s) the fact that these multi-byte NOP instructions are still quite unknown to complicate the analysis and to trick disassemblers and emulators. Some commonly used disassemblers and debuggers don’t support these opcodes. They cannot calculate the correct length of the instruction and as a result aren’t able to properly “translate” the code beyond this point.

Markus Hinderhofer
Engine Research & Development

Dirk Knop
Technical Editor

Fig. 1: The new import table

W32/Tobin adds a new section named “.lenna” at the end of the PE file. This section consists of an import table – such import tables are used by the Windows loader to dynamically load DLLs and provide the corresponding function from them to the started program. The new import table references the dropped DLL “nikitob.dll”. At the same time, the import data directory entry in the PE header gets modified to point to the newly attached import table. If there is a bound import table in the executable, W32/Tobin “removes” the entry from the data directory by setting it’s RVA and size to 0.

Fig. 2: Original data directory address

Fig. 3: Patched data directory address

The dropped DLL “nikitob.dll” just exports one function, “NikitaTob”. Upon calling it, it shows a message box with the text “NikitaTob”. The actual virus code is executed automatically when the DLL is loaded.

Fig. 4: The malware dll exports just one function

Among other things, the import address table is rebuilt to make the patched executable work. In our analysis we didn’t find further malicious routines in the malware.

Fig. 5: W32/Tobin just shows a message

In one of the W32/Tobin samples we found the reference to “C:\NIKITA\Soft\black_soft\29a\nikitob\Release\nikitob.pdb”. A short search in our archives turned up an old magazine of the VX group 29A. In the issue from January 2005 there is proof-of-concept code which exactly infects files the W32/Tobin-way. The new section there is called “.senna”, and a message box shows the text “PayLoad”. It looks like some malware writers used the Proof-of-Concept virus to learn new techniques.

Removing this kind of malware from an infected system isn’t as simple as it may look on first glance. Simply deleting the dropped DLL doesn’t work: The infected executables depend upon the DLL now and won’t start anymore. Most likely the whole system wouldn’t start up anymore. Since W32/Tobin stores the address of the original import table at the end of the executable, it is possible to restore that value and disinfect the system gracefully.

Dirk Knop
Technical Editor

The conficker worm started downloading updates. Interestingly it doesn’t use some of those 50.000 domains it generates on daily basis, but a Peer-to-Peer-network which it has functionality built-in for. Users of Avira security solutions are safe from the threat as the new variants spread this way got generically detected as TR/Crypt.XPACK.gen. Additionally, our Virus Lab added the detection Worm/Conficker.D so the malware can be better identified.

The media got hit by reports about a juvenile bored programmer who wrote and released 5 Twitter worms in short time. As excuse he told the media, he got no answer or reaction from Twitter  when contacting them. After that, some web design company found his skills to be impressing and hired him. I wouldn’t want my web page be programmed by someone writing malware though.

Dirk Knop
Technical Editor

Good news is that PowerPoint Viewer 2003 and 2007 as well as Office 2007 seem to be unaffected. If you get PowerPoint presentations by mail, only open them with these versions. Anyhow it seems a good idea to first check whether you expected that presentation from exactly that sender and if in doubt, contact the sender to verify it was really him sending the document.

As administrator of a company network you might want to setup a MOICE filter for incoming documents to sanitize them so they can’t lead to dangerous actions on the client PCs.

Dirk Knop
Technical Editor

In our analysis we found plenty of interesting strings in the Psyb0t-variant 2.9L.

Fig. 1: Disassembled Psyb0t and its function graph.

This malware is quite sophisticated and has a whole lot of functions which a bot master may need. Psyb0t connects to an IRC-Server and can be controlled from there.

It tries to exploit weak passwords on devices reachable via the Internet and contains an extensive list of default passwords and some often used passwords, too. Also it attacks SQL servers and software like PHPMyAdmin. So it doesn’t only infect Netcomm-DSL-Modems as has been reported on the media sometimes, but can break into plenty of other MIPS-based devices from other brands as well – even in OpenWRT installations, if they use some insecure service versions.

How can you detect if your router is infected? There is no easy way to tell. But the malware adds a firewall rule to block telnet connections (iptables -A INPUT -p tcp –dport 23 -j DROP). So if there is a telnet deamon running on your router and you can’t reach it, it would be a bad sign.

How to get rid of an infection? You have to connect via wired network to your Internet gateway in this situation. Fetch the latest firmware version available from a different network, maybe at a neighbour’s place or at a friend’s. Then you usually have to initiate a hard reset on the Internet gateway. Most devices reset their settings to the default ones when pressing the reset knob for 10 seconds, then pulling the power plug and reinserting the plug again.

After that, first change the default password to a good and safe one – you know the drill: Small and capital letters, special characters and numbers in most random fashion. Then upgrade the firmware to the most recent version. After that you can start configuring your Internet gateway again.

Dirk Knop
Technical Editor

Markus Hinderhofer
R&D Engine Team

Hi Dear sniffer
If you want to find the net
You better put some effort in doing it
Because anubis wont do the job for you
Bitch.

Anubis is a sandbox system reachable on the Internet where you can upload suspicious executable files to. Those are run in a safe environment and changes done to the system during that run are shown after a few minutes. Obviously, malware authors are upset about those sandboxes and now start to prepare their binaries so that the malicious activity is not detectable by them anymore.

Dirk Knop
Technical Editor