The most consistent thing about the malware business is that it’s constantly changing. The field is dominated by gangs that use hit-and-run tactics. A new report by Blue Coat Systems, a security company that specializes in cloud-based services, provides some interesting (and rare) details about how the malware business ebbs and flows.
Between February and May 2011, for example, Blue Coat had 395 unique malware networks under observation. On any given day, their data show, “the number of unique malware networks … ranged from just under 100 … to fewer than 25 in operation.” The report specifically noted “a drop-off in mid-May as networks relocated and consolidated.”
Back in May, I observed the Mac Defender gang carefully. Lately, I’ve been watching a new round of attacks from a different network. Their product is a Trojan, aimed at Windows users. It arrives via e-mail, as a file attachment called RefundForm, in Zip format. It appears to be from a hotel. The subject line indicates it’s about a “wrong transaction” and the message body says the hotel overcharged the recipient’s credit card and says they need to fill out a claim form (attached) to get the money back
Now, this is terrible social engineering. The message is poorly written, and probably won’t fool a native English speaker. But it might be good enough to fool an unsophisticated Windows user whose English is less than perfect. Because the attached file is inside a Zip file, it can get past mail gateways that block executable files as attachments. The compressed attachment contains a Windows executable file, of course, not an Excel form, as the file icon tries to fool the recipient into thinking:
I first noticed this attack last week, on July 27, when several of these messages showed up in the Junk folder of an account I use for monitoring spam. (It’s from a domain I own but is redirected to a Hotmail server.) I saw multiple copies over the course of several days, including (in a remarkable coincidence) one that included the name of a resort I had actually visited earlier this year.
The copy shown in the screen above arrived Tuesday morning at 11:02AM. I copied the file attachment to my local hard drive and did some basic analysis.
First step: I uploaded a copy of the suspicious file to VirusTotal, which reported that I wasn’t the first to report this variant; 6 of 30 antivirus engines had detected it as malware when it was first submitted two hours earlier. When I asked for a reanalysis, it showed that the detection rate had gone up to 13 of 43 engines, presumably based on signatures that had been updated during that brief interval. (After 24 hours, 25 out of 43 engines said it was malware, although they couldn’t agree at all on what it is.)
Second step: I went to ThreatExpert and uploaded a copy of the suspicious file. It wasn’t able to identify the sample as a known threat, but a detailed report that arrived via e-mail a few minutes later contained suspicious details:
- File system modifications: Running the file created a new executable, Dxdiag.exe, in the Startup folder. This is the same name as a Windows system tool and is a major red flag.
- Memory modifications: Svchost.exe, a Windows system file that hosts system services, was modified, with new memory pages created in its address space. This is not something a legitimate program does.
- Network access: The program attempted to make a connection to a remote host over port 80 and tried to run a pair of scripts from a server in Russia. It is most likely that these were attempts to download and install additional software, this time in the background.
These are all telltale signs of particularly aggressive malware. Indeed, Microsoft’s security team identified it as TrojanDownloader:Win32/Dofoil.G. Trust me, you do not want this thing running on any PC you own.
As a test, I kept the file attachment in a local folder and began checking it every few hours using the on-demand scanning tools in two current, high-end consumer antivirus programs running on Windows 7 desktop systems in my office. Before each check, I downloaded and installed the latest updates for each program. What happened?
See also:
