
Wed, 22 May 2013 16:00:00 GMT

Bundling malware and legitimate software on unofficial download websites is an effective way of tricking users into running malicious files. We often see keygens, hacktools and game trainers bundled with trojans and posted on forums or as comments under videos.

I recently analyzed a file that claimed to be a game tool used for customizing Dota2, a multiplayer online battle arena video game developed by Valve Corporation. The tool was made by a third party and offered for free download online.

After unpacking the file, I found that it included more than the game tool - there was another executable in the bundle, a malware file that Microsoft detects as TrojanSpy:Win32/Usteal.D.

Further investigation into the origin of this malicious bundle led me to the online malware builder that created it. We detect this builder as TrojanSpy:Win32/Usteal.

TrojanSpy:Win32/Usteal is publicly available online and is responsible for creating the malware that is then distributed to unsuspecting victims.

The interface for the TrojanSpy:Win32/Usteal builder

Figure 1: The user interface for the TrojanSpy:Win32/Usteal builder shows some of the applications it supports.

It is fairly customizable - with just a tick of a checkbox, users can enable and configure different malware features.

The builder is easily customized to configure malware features

Figure 2: The builder is easily customized.

Once a trojan is created with the builder, an author can choose to bundle the malware with legitimate tools, software or images.

It’s then up to the author to decide how to distribute it. It could be as simple as uploading the file to a free hosting site and spamming the link on forums, in comments or in instant messages. The distribution method depends on the attacker’s target.

Figure 3 below shows just one example of how an attacker can distribute bundled malware.

In this example an attacker is targeting Dota2 players. The attacker bundles a Dota2 game tool with TrojanSpy:Win32/Usteal. They then upload it to a hosting site.

One example of how an attacker can distribute bundled malware

Figure 3: One example of how an attacker can distribute bundled malware.

The attacker tries to distribute their malware by spamming comments in both Russian and English under Dota2-related videos on YouTube.

The main purpose of this malware is to steal stored passwords from various web browsers, FTP clients and instant messengers.

It does this by going to the location of the stored passwords - either a registry or a file, depending on the target application.

Registry locations in ICQ instant messenger

Figure 4: Registry locations in ICQ instant messenger.

It then parses the contents of the registry profile for the username and password, writes them to a file, and compresses and encrypts that file. By default the log file name begins with “ufr”, and the file itself carries a “ufr” header.

TrojanSpy:Win32/Usteal writes, compresses and encrypts stolen usernames and passwords

Figure 5: TrojanSpy:Win32/Usteal writes, compresses and encrypts stolen username and passwords.

The log or report file is then sent to the bundle author by e-mail, by FTP or by upload to a server.

After it is done, the trojan can either continue by launching the bundled tool, software or images, or delete itself along with the report.

The builder also serves as the decoder for the log/report files which contain the stolen passwords.

However, TrojanSpy:Win32/Usteal can only steal stored passwords - it does not have a key logging function unless it is bundled with a keylogger or the downloading function is pointed to a keylogger.

Most infections for this trojan are detected in Russia where the software originated, but we are also seeing infections in other countries, including the United States.

TrojanSpy:Win32/Usteal infection rates by country.

Figure 6: TrojanSpy:Win32/Usteal infection rates by country.

The Microsoft Security Intelligence Report volume 13 has more details on the hidden dangers of free software bundled with hidden malware.

It is important to be aware of this risk, and understand just how easy it can be for malware authors to create malicious software bundles. It’s a good practice to download software directly from an official website - be wary of anything linked directly within a comment or forum post.

Alden Pornasdoro
MMPC

Tue, 21 May 2013 05:37:00 GMT

Sirefef, also known as ZeroAccess, is a malware platform for receiving and running malware modules.

Two prominent modules generate revenue for the cyber criminals, by mining for bitcoins and perpetrating click-fraud.

Click-fraud is the deliberate misappropriation of ad revenue by generating online clicks that don’t originate from a potential customer or the rightful publisher. Click-fraud is lucrative and a relatively easy way for cyber criminals to monetize their malware and/or launder ill-gotten revenues.

On February 12, 2013, Microsoft added its Sirefef signature set to the Microsoft Malicious Software Removal Tool (MSRT). Over a period of one month this signature set was installed 640 million times and roughly 500,000 machines were cleaned of Sirefef.

Sirefef infected IP traffic volumes

Figure 1: Sirefef infected IP traffic volumes.

Figure 1 illustrates a very small, yet instructive, slice of the Sirefef click-fraud picture. The blue line represents what is called the Owned and Operated (O&O) publishers in the Microsoft ad network; this includes sites like Bing.com and Yahoo.com.  

The orange line represents traffic on the Microsoft extended publishing network. It is common for these publishers to have agreements with other publishers who may have agreements with other sources of traffic and so on. These types of obfuscated partnerships can lead to the introduction of low quality traffic to advertisers, and provide an opportunity for malware authors to monetize their software. This is an industry problem driven by the need for additional supply (visitors) in order to fulfill demand (advertisers’ budgets).

The steep decline of the orange line on February 13, 2013 was caused by the MSRT cleaning of Sirefef. Prior to the 13th, these computers, running Sirefef click-fraud modules, had a level of traffic roughly three times greater than after they were cleaned.  

The graph represents the traffic from 1874 unique computers generating ad-clicks on the Microsoft ad network where MSRT removed the Sirefef click-fraud module. We focused on these 1874 machines out of the 500,000 machines cleaned of Sirefef, to definitively show a causal relationship between Sirefef and clicks. 

This was done by looking at a few Sirefef click-modules, as well as machines with advanced telemetry and machines that generated clicks on the Microsoft ad network.  A less restrictive view of the data, looking at other ad networks for example, would describe a much larger problem.

Again the blue line represents those IPs clicking on Bing and Yahoo, while the orange represents clicks on the extended publisher network where there exists opportunities for click-fraud. Of course, there are many more infected computers as well as other ad networks, so this is just the tip of the iceberg.

Each of these 1874 machines generated, on average, between $0.50 and $1.60, in what we call billable traffic, per day when they were active. It is unknown what percentage of this actually gets into the hands of cyber criminals and what percentage is taken by layers of syndicated publishers to effectively launder the click. 

With half a million infected computers, active even a few days, there exists significant theft of ad revenue.

Microsoft is dedicated to protecting our advertising marketplace and we are dedicated to protecting our customers. We continually look for innovative ways to improve our ability to bring the highest quality traffic to the online commerce ecosystem and prevent abuse like Sirefef.

Sirefef victims are not only the users whose machine and computer experience is impacted by the running of this malware. The advertisers who are paying for clicks which are never generated by potential customers are also affected. 

And this lost revenue is passed on to you, the customer. When you buy a product whose ad budget is being stolen, you fractionally bear this cost.

And that is a wonder of Sirefef plunder.

Tommy Blizard and Nikola Livic

MMPC
Thu, 16 May 2013 22:00:00 GMT

The past year has been one of expansion for ransomware. Throughout 2012 an increasing number of blogs, tutorials and discussion forums were written to help people gain access to ransomware-locked computers without paying the ransom.

The authors of Reveton ransomware are aware that the persistence of their malware on a system is limited not only by an antivirus product, but also by the computer user who tries to remove the threat. Not every infection is going to result in a paid ransom, so the Reveton authors have an additional way of monetizing a successful infection: password stealing.

Reveton uses exploit kits like Blacole as an infection vector. For example, the following graph shows the massive increase of Reveton infections after the adoption of the Java exploit CVE-2013-0422 into exploit kits in January 2013.

MAPS telemetry on a dropped Reveton component

Figure 1: MAPS telemetry on a dropped Reveton component.

Once an exploit kit installs Reveton on a system, the ransomware will start contacting its command and control (C&C) server. It downloads information about the system’s external IP address, for example the Internet provider, city, and country.

It will additionally download a DLL which renders the lock screen (Figure 3). The downloaded information is compressed and stored in a container in %APPDATA%\<random name>.pad so it is available offline.

Reveton communication with a C&C server

Figure 2: Reveton communication with a C&C server.

The malware is also equipped with its own portable executable (PE) loader, so it can load the DLL directly from the container.
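Both this post and the Usteal post above name a file artifact a defender can look for on a host: Usteal's report file (name beginning with "ufr" by default, and a "ufr" header inside the file) and Reveton's offline container (%APPDATA%\&lt;random name&gt;.pad). The following is an added example, not code from either write-up: a small rule-driven scanner that checks a file name and its first bytes against those two descriptions. The sample paths and header bytes are constructed; the rule table is derived only from what the two posts state.

```python
import fnmatch
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ArtifactRule:
    """One file artifact taken from a write-up: a name pattern, optionally header bytes."""
    family: str
    name_glob: str                  # matched case-insensitively against the file name only
    magic: Optional[bytes] = None   # bytes the file must start with, or None if only the name matters


# The two artifacts described in the posts. Usteal's report name can be changed in the
# builder ("ufr" is only the default), so its header is the stronger of the two signals.
RULES = [
    ArtifactRule("TrojanSpy:Win32/Usteal", "ufr*", b"ufr"),
    ArtifactRule("Trojan:Win32/Reveton", "*.pad", None),
]


@dataclass
class Match:
    path: str
    family: str
    reasons: List[str]


def match_file(path: str, header: bytes, rules: Iterable[ArtifactRule] = RULES) -> Optional[Match]:
    """Return a Match when the file name, and the header if the rule has one, fit a rule."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    for rule in rules:
        if not fnmatch.fnmatchcase(name, rule.name_glob):
            continue
        reasons = [f"name matches {rule.name_glob!r}"]
        if rule.magic is not None:
            if not header.startswith(rule.magic):
                continue  # right name, wrong header: not this artifact
            reasons.append(f"header starts with {rule.magic!r}")
        return Match(path, rule.family, reasons)
    return None


def scan_samples(samples: Iterable[Tuple[str, bytes]]) -> List[Match]:
    """Scan (path, leading bytes) pairs; lets the check run on constructed data offline."""
    return [m for m in (match_file(p, h) for p, h in samples) if m is not None]


def scan_directory(root: str, header_len: int = 16) -> List[Match]:
    """Walk a real directory such as %APPDATA%, reading only the first bytes of each file."""
    found: List[Match] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(header_len)
            except OSError:
                continue  # unreadable or vanished file; move on
            m = match_file(path, header)
            if m is not None:
                found.append(m)
    return found


# Constructed samples, not real captures: two hits and two near-misses.
SAMPLES = [
    (r"C:\Users\alice\AppData\Roaming\ufr_report.bin", b"ufr\x00\x01\x02"),
    (r"C:\Users\alice\AppData\Roaming\ufrbackup.txt", b"plain text"),  # name fits, header does not
    (r"C:\Users\alice\AppData\Roaming\kjhsd82.pad", b"\x1f\x8b\x08\x00"),
    (r"C:\Users\alice\AppData\Roaming\notes.txt", b"hello"),
]

if __name__ == "__main__":
    for m in scan_samples(SAMPLES):
        print(f"{m.family}: {m.path} ({'; '.join(m.reasons)})")
```

To run it against a live profile, call scan_directory(os.environ["APPDATA"]) on a Windows host. A ".pad" name on its own is a weak indicator, so treat a Reveton hit as a prompt for closer inspection rather than a verdict; the Usteal rule is tighter because it requires both the name and the header.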

The user now faces the lock screen and tries to regain access to their system, while the Reveton trojan continues its work in the background.

German localized locked screen

Figure 3: German localized locked screen.

The trojan downloads the password-stealer component from the C&C server and runs it in memory. The code that reads the passwords seems to be shared between multiple families, and might be derived from the Win32/Ldpinch family.

Code similarity

Figure 4: Code similarity from left to right: PWS:Win32/Fareit.A, PWS:Win32/Karagany.A, PWS:Win32/Reveton.B.

Reveton authors added their own custom protocol, beginning with a 0x29a command. This is the same initial packet sent by the Trojan:Win32/Reveton component to initiate communication with the C&C server.

 PWS:Win32/Reveton authentication command.

Figure 5: PWS:Win32/Reveton.B authentication command.

PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage.

However, as it can load almost any DLL served by the C&C on the fly, this might change.

Our advice is: before you become a victim of a Reveton infection, spend a few minutes eliminating possible infection vectors by updating the software components targeted by drive-by downloads. You should install all the relevant Microsoft security updates and update browser plug-ins like Java and Flash Player.

There are more details on how to do this on our software updates page. If you ever encounter a Reveton infection, make sure you change all your passwords to protect your sensitive information after you eliminate the infection.

There are also more technical details about the Reveton threat on our encyclopedia page for the family.

Stefan Sellmer

MMPC

Tue, 14 May 2013 16:00:00 GMT

We added three new families to this month’s Malicious Software Removal Tool (MSRT): Win32/FakeDef, Win32/Vicenor, and Win32/Kexqoud. In this blog, we will talk about the rogue antivirus family Win32/FakeDef. It’s not a big player in the rogue world, but it has its own unique characteristics.

We found this family in the wild in December 2012. Initially it was pushed to a victim's machine by Win32/Fareit variants. This means machines where Win32/FakeDef is found may also be infected with other malware, so it’s a good idea to run a full scan with your security software to make sure everything is caught and cleaned.

Unlike many other rogues, Win32/FakeDef’s infection happens in three stages. As you can see in Figure 1, the first stage is a downloader component that is pushed by other malware, like Win32/Fareit. It installs itself to the %CommonAppData%\pcdfdata folder.

In the next stage this component acts as a downloader that talks to the Command and Control (C&C) server (for example, collectingtabletfriendly.info, as shown in Figure 1). The component grabs and deploys the encrypted rogue component from a location returned by the C&C server as vl.bin under %CommonAppData%\pcdfdata (shown in Figure 1 as sublistsvirus.info).

Communication via agent process

Figure 1. Infection stages of the Win32/FakeDef family.

In the final stage, the encrypted rogue component is loaded. It makes registry changes to associate with .EXE files (so that it will run whenever any .EXE file is launched), and drops additional related files such as icons or configuration files.
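The .EXE association change described above is something an administrator can check for directly. The following is an added example, not code from the post or from the MSRT: it classifies the value of the exefile open command (assumed here to be the standard HKEY_CLASSES_ROOT\exefile\shell\open\command key; the post does not name the exact key FakeDef touches) and reports any program interposed in front of the launched executable. The registry values and the rogue's path are constructed; %CommonAppData% is assumed to resolve to C:\ProgramData.

```python
import re
import sys
from typing import Dict, Optional

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command on Windows: run the
# launched program ("%1") with its original arguments (%*) and nothing else.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Folder name the write-up gives for the install location; only a secondary signal,
# because any program wedged in front of "%1" is a hijack regardless of its path.
KNOWN_INDICATOR = "pcdfdata"

_HANDLER_RE = re.compile(r'^\s*(?P<prefix>.*?)\s*"%1"\s*%\*\s*$', re.DOTALL)


def analyse_exe_handler(command: str) -> Dict[str, object]:
    """Classify an exefile open-command value.

    hijacked        True unless the value is the stock '"%1" %*'
    interposed      the program (and flags) running before "%1", or the whole
                    command if "%1" %* is missing altogether
    known_indicator True when the interposed part names the folder above
    """
    m = _HANDLER_RE.match(command)
    if m is None:
        # No "%1" %* at all: every .exe launch has been replaced outright.
        interposed = command.strip()
    else:
        interposed = m.group("prefix")
        if interposed == "":
            return {"hijacked": False, "interposed": None, "known_indicator": False}
    return {
        "hijacked": True,
        "interposed": interposed,
        "known_indicator": KNOWN_INDICATOR in interposed.lower(),
    }


def read_live_exe_handler() -> Optional[str]:
    """On Windows, read the effective handler; HKCR merges the per-user override under
    HKCU\\Software\\Classes, which a user-level installer can set. Elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


# Constructed values, not captured from an infected host. The rogue's file name is invented.
CLEAN = DEFAULT_EXE_COMMAND
ROGUE = r'"C:\ProgramData\pcdfdata\rogue.exe" -a "%1" %*'
REPLACED = r'"C:\ProgramData\pcdfdata\rogue.exe"'

if __name__ == "__main__":
    live = read_live_exe_handler()
    for label, value in (("clean", CLEAN), ("rogue", ROGUE), ("replaced", REPLACED), ("live", live)):
        if value is not None:
            print(label, analyse_exe_handler(value))
```

Any non-empty interposed program is the finding; the pcdfdata check only tells you whether it matches this particular family. Legitimate sandboxing or wrapper tools can also register themselves here, so confirm what the interposed path actually is before acting on the result.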

As well as the staged installation, we are also interested in the way this family uses the downloader component to communicate with remote servers. This may help the downloader avoid having its network traffic blocked by a firewall, or looking unusual in a log.

To do this, it first creates an agent process. This is the program registered to handle the HTTP protocol - by default it is Internet Explorer, but if another browser such as Chrome or Firefox is installed as the default browser, that browser is used instead. When Win32/FakeDef tries to communicate with remote servers, instead of sending HTTP requests directly, it injects into the agent process a piece of code that is in charge of sending requests to, and receiving responses from, the remote server. It then waits for the communication to complete and reads the retrieved data from the agent process.

The whole process looks like this:

Communication via agent process

Figure 2. Communication via agent process.

After a successful installation, Win32/FakeDef shows its rogue antivirus user interface and may pop up fake alerts whenever you try to run a program (because it has associated itself with the .EXE file type). The brand shown on the user interface is determined by the operating system version and can include:

  • XP Defender
  • Vista Defender
  • Win7 Defender
  • Win Server Defender
  • Win Defender

The user interface may look like this when it ‘scans’ under Windows 7:

The Win32/FakeDef rogue antivirus user interface

Figure 3: The Win32/FakeDef rogue antivirus user interface.

Win32/FakeDef generates misleading alerts and tries to lure you into purchasing the full version.

You may find it looks like a legitimate antivirus product but it is definitely not. There are more screenshots and technical details on our Win32/FakeDef family description.

Don’t pay when you see it - instead scan your system with the latest MSRT.

Shawn Wang

MMPC

Mon, 13 May 2013 04:30:00 GMT

Recently we released the Microsoft Security Intelligence Report volume 14. The report initially presented data showing Java malware detections falling in Q3 2012 and regaining prevalence in Q4 2012. During a later review of the backend data, we found that we were missing some detection counts from our initial calculations. We have revised the data, and Figure 1 shows the updated graph.

Figure 1: Machine count of detections for each exploit category

From Figure 1, what we can see clearly is the sudden rise in Java exploitation, as explained in the conclusion. As the HTML/JS category is usually used to deliver other exploit vectors (for example, Blacole pages leading to Java, PDF and SWF exploits), Java malware has been the most prevalent exploit vector that actually tries to exploit vulnerabilities in the software since 2011.

Figure 2 shows the breakdown of individual Java exploits. In 2012, four Java vulnerabilities were used most: CVE-2012-1723, CVE-2012-0507, CVE-2012-4681 and CVE-2012-5076. Details or guidelines for each vulnerability are available in the following articles:

An interesting case of JRE sandbox breach (CVE-2012-0507)

The rise of a new Java vulnerability - CVE-2012-1723

Protecting yourself from CVE-2012-4681 Java exploits

A technical analysis on new Java vulnerability (CVE-2012-5076)

The prevalence of CVE-2011-3544, which was found in late 2011, went down drastically after CVE-2012-0507 was discovered in Q1 of 2012. And we see this trend continue through the whole year.

Figure 2: Breakdown of trends in Java exploits

The first half of 2012 was dominated by malware abusing CVE-2012-0507, but in Q3 malware abusing CVE-2012-1723 overtook it, and the detection count for CVE-2012-0507 dropped just after the CVE-2012-1723 vulnerability was found in August 2012. After CVE-2012-1723 was discovered in early Q3, the appeal of CVE-2012-0507 for malware authors diminished; however, exploits abusing CVE-2012-0507 didn't completely die out, even in Q4.

In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn't observe malware abusing these newer vulnerabilities becoming more prevalent than malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723. The reason might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also affect Java 6. As there are still many users on Java 6, the malware writers might have tried to reach Java 6 installations by keeping the older vulnerabilities in the exploit package. We can assume that, for this reason, they didn't do away with the older vulnerabilities.

So, overall, two kinds of Java vulnerability appeared in 2012: those that apply to multiple versions of Java, including Java 6 and 7, and those that apply only to Java 7. When new vulnerabilities applicable only to Java 7 were discovered, the attackers' strategy was usually to combine them with older vulnerabilities that cover more versions of Java. In that way they could achieve more coverage than by using a single exploit in one package.

Table 1: Details of CVE-IDs

If you look at Table 1, you can see that only one out of the four vulnerabilities was a 0-day. Three out of four were used when updates were already available at the time of the outbreak. So, we can assume that updating users' software to the most recent version of Java might have prevented a lot of the malware infections distributed through Java vulnerabilities. Even in the case of CVE-2012-4681, where the exploit was distributed as a 0-day in the first place, it took the vendor less than a week to release an update for users. So from a security point of view, users would have benefited from promptly updating their software.

The Java vulnerabilities we are talking about here are not memory corruption issues. The issues lie in failed access checks on data structures, packages, fields of classes and so on. So, when vulnerable software is exposed to malicious Java exploits, the success rate of the exploitation is usually very high compared to memory corruption vulnerabilities. This might be one reason why Java malware has become so prevalent.

In conclusion, overall we saw a huge increase in Java malware activity last year, and Java malware shows a high success rate in exploitation. But many times the Java vulnerabilities are adopted by malware writers after Oracle's updates have been released, so you should update your Java installation regularly, whenever you see an alert from Java Auto Update, to reduce your chance of being vulnerable to these and similar exploits.

Jeong Wook (Matt) Oh
MMPC

Sat, 11 May 2013 00:49:00 GMT

We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A.  The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox.  

When installed, it attempts to update itself using the following URLs:  

Chrome browser:

du-pont.info/updates/<removed>/BL-chromebrasil.crx  

Mozilla Firefox browser:

du-pont.info/updates/<removed>/BL-mozillabrasil.xpi 

Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.
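Two traits of this extension stand out for a defender reviewing installed browser extensions: it updates itself from a third-party server rather than the store, and it has access to the user's Facebook session. The following is an added example, not code from the post: a manifest audit that flags exactly that combination. It assumes Chrome manifest fields that exist in both MV2 and MV3 (update_url, permissions, host_permissions, content_scripts[].matches) and that store-published extensions update via clients2.google.com. The two manifests are constructed; the suspicious one uses the Chrome update URL quoted in the post, with its "<removed>" segment kept as is, and an invented extension name and script file name.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Host of the Chrome Web Store update service. An update_url pointing anywhere
# else means the extension fetches new code from a third-party server.
STORE_UPDATE_HOSTS = {"clients2.google.com"}


def pattern_covers(pattern: str, host: str) -> bool:
    """Does a Chrome match pattern such as '*://*.facebook.com/*' cover `host`?"""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission like "tabs" or "storage", not a host pattern
    phost = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if phost == "*":
        return True
    if phost.startswith("*."):
        base = phost[2:]
        return host == base or host.endswith("." + base)
    return host == phost


def granted_host_patterns(manifest: dict) -> List[str]:
    """Every host pattern the extension asks for (covers both MV2 and MV3 manifests)."""
    patterns: List[str] = []
    for key in ("permissions", "host_permissions"):
        patterns += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest: dict, target_host: str = "facebook.com") -> Dict[str, object]:
    """Flag the two traits Febipos shows: third-party self-update plus access to the target site."""
    update_url = manifest.get("update_url")
    update_host = urlparse(update_url).hostname if update_url else None
    third_party_update = update_host is not None and update_host not in STORE_UPDATE_HOSTS
    target_access = any(pattern_covers(p, target_host) for p in granted_host_patterns(manifest))
    if third_party_update and target_access:
        risk = "high"
    elif third_party_update or target_access:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": manifest.get("name"),
        "update_host": update_host,
        "third_party_update": third_party_update,
        "target_access": target_access,
        "risk": risk,
    }


# Constructed manifests. SUSPICIOUS is modelled on the write-up (update URL from the post,
# "<removed>" segment kept); the extension name and script file are invented.
SUSPICIOUS = json.loads("""{
  "manifest_version": 2, "name": "BL Brasil", "version": "1.0",
  "update_url": "http://du-pont.info/updates/<removed>/BL-chromebrasil.crx",
  "permissions": ["tabs", "*://*.facebook.com/*"],
  "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["bl.js"]}]
}""")

BENIGN = json.loads("""{
  "manifest_version": 3, "name": "Notes", "version": "2.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]
}""")

if __name__ == "__main__":
    for manifest in (SUSPICIOUS, BENIGN):
        print(audit_manifest(manifest))
```

Point audit_manifest at the manifest.json of each installed extension (Chrome keeps them under the profile's Extensions folder) to triage a fleet. An extension with no update_url at all, such as one loaded unpacked, gets no third-party flag here and deserves a separate look, since a sideloaded extension is how a threat like this commonly arrives.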

To begin with, this trojan monitors the user to see if they are currently logged in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file contains a list of commands telling the browser extension what to do.

Depending on the file, this malware can do any of the following in the Facebook profile of an infected system:

  • Like a page

  • Share

  • Post

  • Join a group

  • Invite friends to a group

  • Chat to friends

  • Comment on a post

At the time of writing this blog, we have also seen the following behavior.

The configuration file contains a command to post the following message in Facebook:

  • GAROTA DE 15 ANOS VÍTIMA DE BULLYING COMETE SUICÍDIO APÓS MOSTRAR OS SEIOS NO FACEBOOK

    Vìdeo no link abaixo:<Currently unavailable link>

It is written in Portuguese and here’s an English translation:

  • 15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.

    Video on the link below: <Currently unavailable link>

The above URL is unavailable and already blocked by Facebook.

We also found this threat tries to "like" and "comment" on a Facebook page:

Facebook page targeted by this browser extension

It also attempts to comment on a post from this Facebook page with one of the following messages, written in Portuguese: 

  • Tenha um Celta 0km pagando R$13,00 por dia!!

    English translation: Get a brand new Celta paying R$13 per day!! 

 

  • Concurso valendo um Vale-Compras de R$1000,00!

    English translation: R$1000-voucher contest!

Note: This message may vary depending on the configuration file. As we can see on the Facebook page, there’s a link that has been shared with about 165 comments and 167 likes. There is a possibility that these people are infected with Trojan:JS/Febipos.A.

This trojan may also send out the following message via chat, posts or comments:

  • Desculpa ai galera, mas isso eh um absurdo!!!

    English translation: Sorry guys, but this is ridiculous!!!

 

  • Sonzinho sensação do momento. Muito show!!

    English translation: The coolest tune at the moment. It’s really nice!

 

  • Léo Max e Renan - Rebolada de Gama (Clipe Oficial)

    English translation: <song title> (Official Clip)

 

  • Eu, não tenho carro do ano, não tenho grana sobrando, mas chego junto e...♫♫

    English translation: I don’t have a new car, I don’t have spare cash, but I get really close...

 

It may also post links on Facebook profiles. For example, the posted link from the Facebook page in the image above redirects to a website that sells cars.

At the time this blog was written, there were more users “liking” and “commenting” on the Facebook page that this malware uses – so there’s a possibility that there are more people continuing to be infected.

The number of “likes” for this page grew as we analyzed this malware. When we began analysis the page statistics looked like this:

  • Facebook page likes: 2,746

  • Facebook shared link likes: 167

  • Number of comments: 165

 

After several hours this had risen to:

  • Facebook page likes: 3,177

  • Facebook shared link likes: 201

  • Number of comments: 183

 

All of the information above is what we found at the time of our analysis. There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection. 

Jonathan San Jose
MMPC

Wed, 08 May 2013 05:35:00 GMT

A recently debuted exploit kit (EK), called "Cool EK" and detected by us with the name Exploit:JS/Coolex, has been known to include various exploits targeting everything from Oracle JRE, Adobe Reader and Adobe Flash Player to Windows kernel-mode drivers. If you’re unlucky enough to visit a webpage that hosts Cool EK, you might encounter all these exploits in one place, turned against you in a barrage designed to compromise your computer.

Recently there was an update to the kit’s armaments to include new exploits that are using vulnerabilities identified as CVE-2012-0755, CVE-2013-0634, and CVE-2012-1876. Each of these exploits targets a different application: Adobe Reader, Adobe Flash, and Internet Explorer respectively.

What was really interesting about this update was found in the exploit for CVE-2012-1876. This is a heap overflow vulnerability which occurs while manipulating HTML table contents, leading to possible remote code execution (RCE) to compromise visitors' unpatched computers. This vulnerability was reported by an external researcher group during last year’s Pwn2Own competition held by HP TippingPoint ZDI. It was addressed by MS12-037. For a while it seemed exploit kit writers were not too interested in this vulnerability, until the Cool EK writers included this exploit in their January update. Cool EK is currently the only kit to include this vulnerability exploit in its arsenal.

CVE-2012-1876 in Cool EK is interesting because it uses a return-oriented programming (ROP) technique that is able to leverage multiple versions of a DLL, which increases the potential pool of victims. The technique identifies the version of the DLL the process is running with, then heap-sprays the attack payload specific to that version. The exploit includes not one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions of mshtml.dll. In the past, there was only one payload per exploit, targeting one specific version of a module - usually Windows XP system files or third-party modules without address space layout randomization (ASLR) protection enabled. With this improvement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.

Targeting this broader range of victims is possible because of the nature of this heap overflow vulnerability: the exploit uses it to leak the specific information needed to identify the DLL version. There have been similar cases of spraying a different payload per version in Reader exploits, but those exploits used script-level API calls to learn that information. This exploit leaks memory to achieve the same purpose, by a different and harder route.

Image of the ROP table

Exploitation for this IE vulnerability involves leaking process memory to bypass ASLR protection. With this leaked memory information, the attacker can figure out the base address of a loaded module, defeating the purpose of ASLR protection. Then it leaks another piece of information to calculate how far this value is located from the base address, which could well imply the version of the module running. Knowing the version, the exploit then generates an ROP chain with an adjusted base address, using a gadget set from only that specific version of the module. There are three parts to the attack payload that the exploit sprays, ROP chain, egg-hunter bypass, and shellcode:

  1. The ROP chain calls into VirtualProtect to allow execution on the sprayed memory.
  2. The egg-hunter bypass looks for a specific gadget from ntdll. This is used to bypass the export address table access filtering (EAF) feature of Enhanced Mitigation Experience Toolkit (EMET).
  3. The shellcode tries to download from this URL hxxp://<13 hex letters>.<removed>challenge.com/<removed>/new.png and drops it as C:\users\Administrator\AppData\Local\Temp\wpbtK.dll or C:\users\Administrator\AppData\Local\Temp\wpbt1.dll. The DLL file is registered as a service on the system via regsvr32.

Although there is currently a low prevalence for this update in Cool EK, it is expected to propagate soon. It is often hidden and not visible to web surfers, so caution is required when visiting unfamiliar websites. And more importantly – update your software. Do it regularly and do it often. See MS12-037 for more details.

Justin Kim
MMPC

Tue, 07 May 2013 02:29:00 GMT

In a previous post, "Fake apps: Behind the effective social strategy of fraudulent paid-archives," we exposed the social engineering technique behind Win32/Pameseg - our detection for a family of "paid-archives."

We described the use of "low-ball" techniques and explained how users are led to believe they are making an informed choice. However, the choice ultimately leads to the user being deceived into doing what the attacker wants - downloading and executing an installer.

The scheme begins with a request for a fee - a cost that was not previously made clear to the user. This hidden cost is revealed by a second request, for example by asking the user to send a premium SMS message to get an activation code to continue to complete the installation.

This monetization model of paid-archives certainly appears to be deceptive - it targets users in order to secure a financial gain, and it is this classic deception that warrants its detection as a trojan.

With this finding, we have reassessed more than a hundred signatures related to the Pameseg family name and reclassified them from program to trojan. And, because paid-archive applications contain traces of builders, partners and SMS payment networks, we have extracted this information and used a link-analysis method to find the underlying connections for proper grouping and identification. This resulted in identifying 13 new families of paid-archive (the list is also included in the Additional information section of the Win32/Pameseg encyclopedia description).

Connection map showing installers are part of a widespread platform-independent campaign

It's important to note that these fake installers, specifically those using paid-archives monetization, are part of a widespread platform-independent campaign. They also target Mac OS X users (Trojan:MacOS_X/Pameseg.A) and mobile devices running the Android operating system (Trojan:AndroidOS/SMSFakeSky.A).

This signature alignment effort allows us to more accurately classify these paid-archives as malicious - following in the footsteps of similar past realignments of other misleading malware that rely on social engineering for success, such as Rogue security software and Ransomware.

Stay safe and stay informed.

Methusela Cebrian Ferrer
MMPC Melbourne

Fri, 03 May 2013 15:00:00 GMT

As we first reported in the Microsoft Security Report Volume 13, Keygens have become the number one threat reported by users of Microsoft antimalware products. The research also indicates that 76 percent of users that downloaded Keygen or software cracks were also exposed to other, more dangerous malware.

Keygens are typically not very dangerous on their own. However, malware authors are having great success using deceptive downloads that either pretend to be Keygens or contain them as well as other malware to spread their malicious payloads. Customers reporting Keygens have higher rates of additional malware infections compared to other threats.  Some of these threats try to trick users into paying for software that’s distributed for free from trusted sources.

Figure 36: Detection trends for a number of notable and potentially unwanted software families in 2012.

Keygens are different from most other threats: they are more likely to affect the latest operating systems than older ones. They are used to generate software keys, particularly when setting up new computers. They account for a large portion of the threats affecting Windows 8 and Windows 7, as seen in the Security Intelligence Report Version 14.

Figure 37: The malware and potentially unwanted software families most commonly detected by Microsoft antimalware solutions in 4Q12, and how they ranked in prevalence on different platforms.

In addition to using up-to-date real-time security software, as detailed in the Security Intelligence Report, please be sure to get software only from trustworthy suppliers.

Joe Faulhaber

MMPC

Thu, 02 May 2013 22:02:00 GMT

In order to evaluate the performance of their protection provider, customers need to rely on information that goes beyond what external certifications and comparative tests can provide. Today we’re releasing a whitepaper, called "Evaluating Microsoft’s protection performance and capabilities," that we believe will help customers with these evaluations.

The whitepaper describes the measurements we use to track our effectiveness across quality, customer experience, and protection coverage. We use measurements that track the impact to the customer, and we hope that customers will apply these measurements to their evaluations of any protection product’s performance and capabilities.

In addition, the whitepaper reports our results for these measurements and how they affect the customer experience.

Please download and read our whitepaper today to learn more.

Dennis Batchelder
Partner Program Manager
Microsoft Malware Protection Center

Donations

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you.

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue.

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the PayPal service; just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount, no matter how small, is gratefully accepted and needed to ensure we keep the Rescue Centre running.

To donate via PayPal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's PayPal login page, choose "send money", use help@thehedgehog.co.uk as the recipient email address, select "other service" as the option, then follow the prompts.
