Complex IM Worm Stars as Antivirus Killer

Contrary to popular belief, instant messenger worms are more than those annoying bots that spam IM contacts on behalf of the infected user.  Today’s analysis is dedicated to a family of worms that bundle Trojan.VB.Agent.HS – an insidious e-threat that compromises the local security, and then starts making money for its creator by abusing various advertising schemes.

The attack unfolds as follows: everything starts with clicking an apparently innocuous link sent via MSN Messenger by an infected contact. However, at the other end of the connection, there is a dropper Trojan that carries in its belly a load of obfuscated malicious code. In order to ensure that it evades superficial inspection, the payload is presented as multiple sections of Base-16 Unicode data. Conversion to ANSI reveals a set of buffers split by a separator. Ignoring the separators and dumping the data reveals an encrypted file packed with UPX.

The UPX-packed payload is fragmented in buffers

Inside this Matroska-style amalgam there is the Trojan. It automatically launches after it has been dropped and starts wreaking havoc inside the infected computer. First and foremost, it is instructed to search and annihilate an incredible assortment of processes associated with antimalware products or with digital forensics software.

Just a couple of the processes the Trojan tries to forcefully kill

Despite the fact that the Trojan does not have any rootkit component to allow total termination of the self-protection mechanisms set in place by antimalware solutions, the Trojan actually succeeds in compromising some of their processes or crippling others’ interaction with the user.

With local security partially defeated, the Trojan goes on with its plan: it subsequently injects a load of URLs into the HOSTS file and then redirects them to a variety of unallocated IPs, thus rendering them completely inaccessible from any browser. Of course, these URLs are associated with antivirus vendors, online scanners and… surprise, surprise, even with online resources teaching users how to remove malware from their systems. No wonder, Malware City and Malware City France have also been blacklisted. You may remember this approach of blocking security resources from the heyday of the Conficker worm, although the implementation was somewhat different (by poisoning the DNS client).

Malware City and Malware City France are blacklisted

HOSTS file modification goes on with the addition of extra rules to hijack e-banking URLs to phishing servers. Wherever an infected user tries to access the bank’s URL in the browser, they will get redirected to the IP address on the left column, where a phishing page identical to the legit service is waiting to collect login credentials.

HOSTS file entries: the phishing IP is associated a legit e-banking URL

Since time is money and most of the users rarely check their e-banking accounts, the timeframe between infection and successful credential theft is used for another revenue fraud, namely pay-per-click abuse. The Trojan comes with a clicker component that loads various URLs in an invisible browser control. This content displays the attacker’s own ads; it is subsequently parsed as HTML code and then clicks are simulated on the respective ads. This brings the cyber-thug between $0.05 and $1 per click, depending on advertiser, which translates into substantial revenues for the crook.

Detection and elimination

I already mentioned that the piece of malware does not come with a rootkit driver to conceal its presence or make it more resilient to detection and removal. However, this Trojan employs a great deal of tricks to ensure that it is not kicked out of its host. In order to hide its presence, the Trojan spawns a new process (usually svchost.exe) and suspends it. Subsequently, it modifies the entry point of the process to automatically launch its code. This is a common practice in the malware creation industry, which ensures that any user trying to see what happens in the process list won’t be able to detect the in-memory malicious code. Moreover, as the Trojan cripples any malware analysis tools (including access to the Windows Registry Editor and the Task Manager), chances are that one won’t be able to terminate it.

If you are a BitDefender customer, you don’t have anything to worry about, as our advanced heuristics system detects the intrusion even before it has been dropped by the worm. If you don’t have a BitDefender product installed on your machine, we have developed a free removal tool that eliminates the malware and purges the compromised hosts file.

The removal tool is available courtesy of BitDefender virus researchers Vlad Crăciun and Mihail Andronic.