WEEKLY REVIEW

WEEKLY NEW THREATS

It's Friday and it's time for the weekly review.

Another week has past pretty fast bringing with it new threats, some more dangerous then others. Let’s take a look at the most active of them, in descending order:


1. Packer.Malware.Crypter.H
Although NSAnti is still hanging, on the last place, in the top10 e-threat1 chart, after it took over with three entries, of which one was the first place, in April our new guest is climbing up the ranks: Packer.Malware.Crypter.H seems to be the obfuscator for a rogue antivirus program called “Antivirus 2008”. We call them rogue antiviruses because they don’t protect you of anything actually, instead, they give you false infection warnings to trick you into buying the product. A document describing rogue antiviruses in detail will follow shortly so stay tuned.


2. Adware.Zango.SI
Adware.Zango is a potentially unwanted application with adware capabilities that runs in the background, monitors user search queries and displays ads based on them. It also installs a toolbar in Internet Explorer that changes its interface and display links related to user searches. A yellow taskbar icon is visible however you cannot dispose of it using standard methods.


The application comes with an EULA (license agreement) that explicitly specifies the software’s behavior and therefore, when agreed, Zango cannot be held responsible for its actions or any damage caused by visiting the websites advertised by it.


3. Trojan.Downloader.Firu.E
Executables with random names composed of 8 characters (letters and numbers) are copied into the system32 directory of Windows after execution of this malware. They are all copies of the original and 29248 bytes in size.
The executable created above is scheduled for execution via the “Scheduled Tasks” feature. It creates 24 distinct entires, each scheduled to start every day at a fixed hour (at 00, at 01, 02 and so on until 23). If the Task Scheduler service is stopped, the malware starts it and sets it to auto-start upon reboot.


When executed from the system32 directory, it deletes the file passed to it through the command line (this feature is used to delete the original file once it has copied itself to the system32 directory). Upon execution from the system32 directory, the malware injects itself in every running process (because of this, the cleaning must be done from Safe mode).


The malware transmits informations about the infected systems (the version and product key of the operating systems, the serial number of the hard disk and so on) to a central server .


4.Trojan.Crypt.DE
This malware is a dropper which creates a file named tt.exe, 1.exe or 2.exe in the Windows folder. The dropped file is detected as Packer.Malware.NSAnti.AO. After executing this file, the dropper deletes itself.


The dropped file will create a registry key in order to make sure it will be executed after every reboot and will drop two files, tavo.exe and tavo0.dll in %WINDIR%/system32 folder. After this, it will hijack explorer.exe and will inject one of it’s component, tavo0.dll, in each running process.


The purpose of these components is to steal online games accounts used to access http://tw.gamania.com/.


5. Dropped:Virtool.ChangeHosts.A
This e-threat is not really malware but a hacktool. This means it’s a program that is not necessarily used for malicious purposes, however it can be used as such. What it does is adding, deleting or editing lines in c:windowssystem32driveretchosts from the command line, in order to make people use unregistered domain names or redirect them to false websites.



The program is called WebDegenerator. It is packed with a modified version of UPX (Ultimate Packer for eXecutables) in order to obfuscate its intentions.



Considering the fact that it’s being installed without the users consent it’s safe to suppose that the use of it is malicious, in which case the end purpose of it could be any of the following: pharming, phishing, information hijacking through hidden or fake web applications etc.


This week has also had new versions of Trojan.Vundo, Packer.NSAnti, Trojan.Patched and Backdoor.Hupigon however not many infections by them have been reported so far.


One very interesting happening was the discovery of Aviv Raff. A Cross-Zone Scripting vulnerability in Internet Explorer which allows attackers to execute arbitrary code on the users machine.



The explointation takes place when the user is trying to print a web page with the “Print Table of Links” option selected. While generating the new HTML file that is to be printed, the printing script does not validate the URLs within the text, so specially crafted Java Scripts can be inserted and will get executed. This is due to the fact that the printing script is run in Local Machine Zone (instead of Internet Zone where most IE scripts are being executed).



Microsoft has been contacted about this vulnerability however no fix has been issued yet. We recommend users not to use the “Print Table of Links” for the time being.



More details here.