Lavasoft Security Bulletin: October 2013

Top20 Blocked Malware

Position Ad-Aware detection % of all threats Change in ranking
1 Win32.Trojan.Agent 36.59% +0.98%
2 Trojan.Win32.Generic!BT 27.90% +4.63%
3 Trojan.Win32.Generic!SB.0 3.48% +2.38%
4 Virus.Win32.Sality.ah 1.30% -0.51%
5 Trojan.Win32.Ramnit.c 1.18% -1.52%
6 Malware.JS.Generic 1.01% -1.58%
7 Trojan.Win32.Generic.pak!cobra 0.96% -2.93%
8 Trojan-Dropper.Win32.Agent 0.94% -0.30%
9 Trojan-Downloader.Win32.Banload.ayqh 0.88% new
10 HackTool.Win32.Keygen 0.69% -0.45%
11 Virus.VBS.Ramnit.a 0.65% -0.55%
12 Virus.Win32.Ramnit.a 0.57% new
13 Trojan.Win32.Jpgiframe 0.43% -0.52%
14 Virus.Win32.Sality.bh 0.43% new
15 Virus.Win32.Ramnit.b 0.42% -0.12%
16 Win32.Parite.b 0.33% new
17 Virus.Win32.Jadtre.b 0.31% new
18 Trojan.Win64.Sirefef.ca 0.31% new
19 Virus.Win32.Sality.at 0.26% -0.66%
20 Email-Worm.Win32.Brontok.a 0.25% -0.94%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - October 2013

Let’s review and consider information on the number of unique files with the same detection name.

Position Ad-Aware detection % of all threats Change in ranking
1 Trojan.Win32.Generic!BT 36.86% +1.64%
2 Trojan-Downloader.Win32.LoadMoney.u 11.88% +3.10%
3 Worm.Win32.Gamarue.z 6.00% +0.41%
4 Trojan.Win32.Generic.pak!cobra 5.82% +0.84%
5 Virus.Win32.Virut.ce 2.26% +0.09%
6 Trojan.Win32.Generic!SB.0 2.14% +0.59%
7 Virus.Win32.Expiro.gen 1.97% new
8 Malware.JS.Generic 1.28% +0.13%
9 Worm.Win32.Gamarue.af  1.26% new
10 Trojan.Win32.Kryptik.acsn  1.00% +0.04%
11 Win32.Malware!Drop 0.81% +0.10%
12 Trojan.Win32.Desini.a  0.75% -0.12%
13 Trojan-Dropper.Win32.Gepys.a  0.75% -0.01%
14 Trojan.JS.Obfuscator.aa 0.68% +0.02%
15 FraudTool.Win32.FakeRean 0.63% -0.02%
16 Trojan.Win32.DotNet.c 0.61% new
17 Trojan.Win32.Runner.a  0.58% -0.21%
18 Trojan.StartPage 0.56% new
19 Trojan.Win32.Vobfus.paa 0.51% +0.14%
20 TrojanPWS.Win32.OnLineGames.ahj 0.46% +0.04%

New malicious programs entered the Top 20

A new Fake-AV interface that falsely claims to detect hidden threats on a user’s computer was discovered in the wild in October. It is detected by twelve of the forty-eight antiviruses on VirusTotal.

Fake AV (MD5: a3ed09d61f7622ec506e12f967ae06ba) is detected by Ad-Aware as Gen:Variant.Strictor.4450

Virustotal detects MD5: a3ed09d61f7622ec506e12f967ae06ba

Ransomware infections are on the rise. A new variant claims that local law enforcement/government organisations have blocked the affected computer. The new blocker detects a country by the victim’s IP address and shows a corresponding message in order to make the scam seem legitimate. This threat is detected by fifteen of the forty-eight antiviruses on VirusTotal.

Ransomware: (MD5: f6d63190089664f276b65a7c3baf8aa0) is detected by Ad-Aware as Trojan.Generic

Virustotal detects for MD5: f6d63190089664f276b65a7c3baf8aa0

AlienVault Lab recently announced that new ransomware variants now demand BitCoins to unlock a computer.

The crypto blocker (MD5: 012d9088558072bc3103ab5da39ddd54) detected by Microsoft as Trojan:Win32/Crilock.A demands payment in either MoneyPak (USA only), Ukash, cashU and Bitcoin making it harder to trace the attacker. As usual, the crypto locker tries to intimidate the victim user with the encryption details used, such as algorithm name and its unbreakable key length: RSA-2048 referencing to Wikipedia. The program uses standard Microsoft Enhanced Cryptographic Provider v1.0.
To automatically run itself each time Windows is booted, the blocker adds the following link to its file to the system registry autorun key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CryptoLocker" = "%Documents and Settings%\%user%\Application Data\{D0EE94E5-EF8C-E6CC-8E83-EFF5CFCD2F14}.exe"

The malware tries to connect to C&C using DGA (Domain Generation Algorithm) to get RSA public key for encryption:

The C&C server is not currently reachable and some of the domains are sinkholed:

Once the key is received from the C&C server the malware starts looking for files with the following extensions aiming to encrypt them:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.indd, *.cdr, img_*.jpg, *.dng, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.ptx, *.pef, *.srw, *.der, *.cer, *.crt, *.pem, *.pfx

To get a private key a user should pay $300 in a limited amount of time (72 hours) after which the key will be deleted. If you try to enter incorrect information the locker will reduce the time to destroy the private key in half.

This is yet another example of ransomware which has started demanding ransoms be paid in BitCoins making these transactions anonymous and for all intents and purposes, impossible to trace.

Bots Review

Table: Bots under analysis (October 2013, Lavasoft MAS).


Bot's name September Count October Count Changes
Zbot 479 505 1,6%
Cycbot 77 78 0,1%
Kelihos 629 700 4,5%
NrgBot/Dorkbot 252 282 1,9%
Blazebot 5 2 -0,2%
Shiz 10 13 0,2%
Total 1452 1580



Bot distribution in October:

In the last Kelihos report we noticed that the backdoor uses randomization for autorun key registry values and for dropped files names. In October we saw an increased variety in Kelihos update file names.
In addition to the well known names:

calc.exe, rasta02.exe, traff01.exe, keybex4.exe, mongo02.exe

We discovered some new ones; some of them contain Russian names (e.g. Misha, Boris):

devils1.exe, userid2.exe, mia0002.exe, blacks1.exe, felix03.exe, goodtr2.exe, same7b1.exe, b0ber03.exe, inkr001.exe, safpro1.exe, bubba04.exe, nimble1.exe, gossam1.exe, upeksvr.exe, tretiy1.exe, misha01.exe, boris02.exe, balls02.exe, crypt01.exe, dun0004.exe

Shiz backdoor has been still using DGA to create new domain names with European Union’s top-level domain “.EU” (sample MD5: b19171daa6f4602db826c9c4bd9d2fe5):
Resolved:

IP: 50.116.56.144 Name: gadufiwabim.eu
IP: 50.116.56.144 Name: cihunemyror.eu
IP: 50.116.56.144 Name: jefapexytar.eu
IP: 173.230.133.99 Name: kefuwidijyp.eu
IP: 204.79.197.200 Name: www.bing.com
IP: 50.116.56.144 Name: foxivusozuc.eu
IP: 50.116.56.144 Name: fokyxazolar.eu
IP: 50.116.56.144 Name: ryqecolijet.eu
IP: 96.43.141.186 Name: digivehusyd.eu
IP: 50.116.56.144 Name: xuqohyxeqak.eu
IP: 50.116.56.144 Name: lyruxyxaxaw.eu
IP: 50.116.32.177 Name: galokusemus.eu
IP: 166.78.144.80 Name: jewuqyjywyv.eu

Unresolved:

gahihezenal.eu, puregivytoh.eu, nofyjikoxex.eu, tuwikypabud.eu, qegytuvufoq.eu, kepymexihak.eu, vojacikigep.eu, makagucyraj.eu, xuxusujenes.eu, tucyguqaciq.eu, lymylorozig.eu, jepororyrih.eu, xubifaremin.eu, nozoxucavaq.eu, dimutobihom.eu, voniqofolyt.eu, puvopalywet.eu, ciliqikytec.eu, tunujolavez.eu, xutekidywyp.eu, dikoniwudim.eu, fogeliwokih.eu, dixemazufel.eu, divywysigud.eu, lyvejujolec.eu, puzutuqeqij.eu, fobonobaxog.eu, qederepuduf.eu, rydinivoloh.eu, kemocujufys.eu, lysovidacyx.eu, nojuletacuf.eu, qeqinuqypoq.eu, magofetequb.eu, tupazivenom.eu, marytymenok.eu, rynazuqihoj.eu, jejedudupuc.eu, rytuvepokuv.eu, volebatijub.eu, ciqydofudyx.eu, vofozymufok.eu, cinepycusaw.eu, keraborigin.eu, qetoqolusex.eu, pumadypyruv.eu, nopegymozow.eu, masisokemep.eu, gatedyhavyd.eu, fodakyhijyv.eu, cicaratupig.eu, vocumucokaj.eu

The request to the C&C server looks like:

We can see in the reply for one of the domains that it has been already sinkholed to 166.78.144.80 (X-Sinkhole: malware-sinkhole).

Zbot also started using .EU domains for communication with C&C:

NrgBot/DorkBot continues using Dropbox to download BitCoin Miner tool:

hxxp://www.v.dropbox.com/s/thpae3fchbmgkf2/sym.exe?dl=1 (f865c199024105a2ffdf5fa98f391d74, RiskTool.Win32.BitCoinMiner)

And a worm Shakblades which has been removed recently from the Dropbox servers:
hxxp://www.v.dropbox.com/s/dcynlnz0yitlxyj/rep.exe?dl=1 (044de297a0c023d939300d84e95074ee, detected as Worm.Win32.Shakblades).

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position Ad-Aware detection % of all threats Change in ranking
1 Conduit 31.39% -5.02%
2 Adware.JS.Conduit 18.82% +1.68%
3 MyWebSearch 12.40% -2.30%
4 Win32.PUP.Bandoo 6.10% +1.17%
5 Adware.Linkury 5.29% +0.81%
6 Win32.Toolbar.Iminent 3.12% -0.39%
7 InstallBrain 1.93% +1.10%
8 SweetIM 1.34% +0.22%
9 Crossrider 1.33% +0.55%
10 Babylon 1.29% -0.64%
11 Iminent 1.12% -2.39%
12 Yontoo 1.06% +0.23%
13 InstallCore 0.95% +0.19%
14 Adware.DealPly 0.93% new
15 DomaIQ 0.58% new
16 Wajam 0.57% new
17 DownloadMR 0.52% +0.03%
18 Montiera 0.49% new
19 Installerex/WebPick 0.49% +0.05%
20 InstallCore.b 0.47% new

Top20 PUPs detected on user’s PC

Operating Systems

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

  • Back to articles


  • Share this post:    Twitter Facebook