Lavasoft Security Bulletin: September 2013

Top20 Blocked Malware

Position Ad-Aware detection % of all threats Change in ranking
1 Win32.Trojan.Agent 35.61% +5.57%
2 Trojan.Win32.Generic!BT 23.27% -2.58%
3 Trojan.Win32.Generic.pak!cobra 3.89% +0.99%
4 Trojan.Win32.Ramnit.c 2.70% new
5 Malware.JS.Generic 2.59% +1.37%
6 Trojan.Win32.Reveton.a 1.98% new
7 Virus.Win32.Sality.ah 1.81% +1.43%
8 Trojan-Dropper.Win32.Agent 1.24% new
9 Virus.VBS.Ramnit.a 1.20% new
10 Email-Worm.Win32.Brontok.a 1.19% -2.60%
11 HackTool.Win32.Keygen 1.14% 0.00%
12 Trojan.Win32.Generic!SB.0 1.10% +0.82%
13 Trojan.Win32.Jpgiframe 0.95% +0.59%
14 Virus.Win32.Sality.at 0.92% -0.35%
15 Trojan.WinNT.Conficker.b 0.87% new
16 Worm.Win32.Morto.ab 0.78% new
17 Virus.Win32.Expiro.gen.a 0.61% new
18 Worm.Win32.Pykspa 0.55% +0.05%
19 Virus.Win32.Ramnit.b 0.54% -0.46%
20 Heur.HTML.MalIFrame 0.52% +0.14%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - September 2013

Let’s review the most prevalent families detected in September.

Position Family % of all threats Change in ranking
1 Trojan.Win32.Generic!BT 35.22% -0.25%
2 Trojan.Win32.Generic.pak!cobra 4.98% +0.22%
3 Trojan-Downloader.Win32.LoadMoney.u 8.78% +4.72%
4 Worm.Win32.Gamarue.z 5.59% new
5 Virus.Win32.Expiro.bc 3.36% -0.71%
6 Virus.Win32.Virut.ce 2.17% -0.73%
7 Trojan.Win32.Generic!SB.0 1.55% +0.74%
8 Malware.JS.Generic 1.15% +0.16%
9 Trojan.Win32.Dwnldr.y 1.13% +0.47%
10 Trojan.Win32.Desini.a  0.87% -0.13%
11 Trojan.Win32.Kryptik.acsn  0.96% new
12 Worm.Win32.Mabezat.b 0.85% +0.48%
13 Trojan-Dropper.Win32.Gepys.a  0.76% -0.09%
14 Trojan.Win32.Runner.a  0.79% +0.08%
15 Win32.Malware!Drop 0.71% -0.06%
16 Trojan.JS.Obfuscator.aa 0.66% +0.11%
17 Trojan.Win32.PSW.gz 0.49% -0.12%
18 FraudTool.Win32.FakeRean 0.65% 0.00%
19 TrojanPWS.Win32.OnLineGames.ahj 0.42% -0.01%
20 Trojan.Win32.Vobfus.paa 0.37% -0.08%

New malicious programs entered the Top 20

September sees new Fake-AV interfaces that supposedly detect hidden threats on a user’s computer.

Fake AV (MD5: cc2fedff4406e3f620b84983057fabbb) is detected by Ad-Aware as Trojan.Win32.Kryptik.acsn

Ransomware continues to blight users, blocking computers and encrypting private data. Lavasoft recently discovered an undetected crypto locker titled “Anti-Child Porn Protection” that encrypts the user’s data and demands a ransom to decrypt it. As stated in the locker’s notification window, the ransomware uses AES-256, an unbreakable cipher. Brute-forcing is not practical, as it would need to cover 1.1×10^77 combinations, which would take 3.31×10^56 years (EETimes); nor do recovery tools help, which in the case of GpCode.ak (which used RSA-1024) could restore the erased original files.

Ransomware (MD5:0b06eb1ed254790e38d7b5accc0fe072) is detected by Ad-Aware as Trojan.Win32.Generic

It is worth noting that this ransomware was created in October 2012; since that date we have seen no detections on the VirusTotal multi-scanner. It is detected by Ad-Aware Antivirus as Trojan.Win32.Generic and described in the Malware Encyclopedia.

Bots Review

Table 1: Bots under analysis (September 2013, Lavasoft MAS).

Columns: Bot name | Aliases* | Count | Autorun | Windows Services Modification | Anti-AV / Anti-Analysis | Propagation | Communication Protocol | Rootkit Activity | Network Activity / Updates | Connected Domains

Bot: Zbot
  Aliases*: Zeus, Trojan.Win32.Zbot (VIPRE), Trojan-PSW.Win32.Tepfer (Ikarus), PWS:Win32/Zbot (Microsoft), Win32:Zbot (Avast), Trojan.Zbot (Symantec), PWS-Zbot (McAfee)
  Count: 479
  Autorun: yes*
  Windows Services Modification: None
  Anti-AV / Anti-Analysis: no/no
  Propagation: Removable drives, Email, Drive-by infection
  Communication Protocol: HTTP
  Rootkit Activity: 30-52 user-mode hooks in 6 libraries
  Network Activity / Updates: yes/yes
  Connected Domains: google.com, google.ca, kgv-weser.com, thenatemiller.co, streetviewdaz.com, ninjamakeresjulakihsyrias.com, microsoftinternetsafety.net, akamai.net, ftp.brickwallmgmt.com, screaminpeach.com, solutioncorp.com, mastergrp-spb.ru, golfpark-moossee.ch, chocolatecovers.com, automa.it, goodvaluecenter.com, nuritech.com, brookfarm.com.au, fraser-high.school.nz, pixemia.com, mattiussiecologia.com, bocr.cz, austriansurfing.at, bocr.cz, d4drmedia.com, 4pipp.com, bocr.cz/bocr, ricated.com, easygen.com, re-wakefield.co.uk, robertmcintyre.com.au, tessera.co.jp, telenavis.com, thedonaldsongroup.com, hinnenwiese.de, kamaruka.vic.edu.au, digpro.se, fabianonline.de, empordalia.com, yamamoto-sr.com, fruitspot.co.za, shipeliteexpress.com, stepnet.de, biurimex.pl, tavdi.com, padstow.com, youjoomla.com, upsilon89.com, gjk.com.pl, sigmametalsinc.com, thesergery.com, sigmaaero.com, structives.org, agence-des-druides.com, buzzkillmedia.com, sspackaginggroup.com, perc.ca, pbna.com, leadershipforum.us, kafrit.com, theautospas.com, photoclubs.com, rea-soft.ru, graceweb.net, ctr4process.org, altonhousehotel.com

Bot: Cycbot
  Aliases*: BKDR_CYCBOT (TrendMicro), Backdoor.Win32.Cycbot (VIPRE), Backdoor.Win32.Cycbot (Ikarus, Emsisoft), BackDoor.Gbot (DrWeb), Backdoor:Win32/Cycbot (Microsoft), Win32:Cybota (Avast), Backdoor.Cycbot (Symantec)
  Count: 77
  Autorun: yes*
  Windows Services Modification: Disables wscsvc
  Anti-AV / Anti-Analysis: no/no
  Propagation: Using other malware
  Communication Protocol: HTTP
  Rootkit Activity: None
  Network Activity / Updates: yes/yes
  Connected Domains: akamai.net, akamaiedge.net, newworldorderreport.com, parkingcrew.net, google.com, google.ca, remindmeroster.com, TRANSERSDATAFORME.COM, cloudstorepro.com, suras-ip.com, webnode.com, binghamtonschools.org, yordatazone.com, firoli-sys.com, windowsupdate.com, alleducationalsoftware.com

Bot: Kelihos
  Aliases*: Backdoor.Win32.Kelihos (Vipre), Backdoor:Win32/Kelihos (Microsoft), BackDoor.Slym (DrWeb), Kelihos (Norman)
  Count: 629
  Autorun: yes*
  Windows Services Modification: None
  Anti-AV / Anti-Analysis: no/no
  Propagation: Removable drives
  Communication Protocol: HTTP
  Rootkit Activity: 19 user-mode hooks in 6 libraries
  Network Activity / Updates: yes/yes
  Connected Domains: amazonaws.com, ivynvov.net, qikizny.net, taanrif.net, azawvos.com, asjoros.biz (mostly IPs were used)

Bot: NrgBot/Dorkbot
  Aliases*: TSPY_DORKBOT (TrendMicro), Worm.Win32.Dorkbot (VIPRE), BackDoor.IRC.NgrBot (DrWeb), Worm:Win32/Dorkbot (Microsoft), Trojan.Win32.Cidox (Kaspersky)
  Count: 252
  Autorun: yes*
  Windows Services Modification: None
  Anti-AV / Anti-Analysis: yes/yes
  Propagation: Removable drives, Social Networks, MSN Messenger, IRC
  Communication Protocol: IRC
  Rootkit Activity: 17 user-mode hooks in 5 libraries
  Network Activity / Updates: yes/yes
  Connected Domains: hotmail.com, api.wipmania.com, k211128.com, k211130.com, jaao20222.com, jo1aa28.com, jo1aa23.com, jossven.com, lartinito.com, balkoov.com, tsroxybaa.com, baerr000.ru, joerv06.com, cae1r699.ru, jo1rv99.com

Bot: Blazebot
  Aliases*: Backdoor:Win32/IRCbot, Worm:Win32/Neeris (Microsoft)
  Count: 5
  Autorun: yes*
  Windows Services Modification: Enable RDP
  Anti-AV / Anti-Analysis: no/no
  Propagation: Removable drives, MSN Messenger, Filesharing (Dropbox)
  Communication Protocol: IRC
  Rootkit Activity: None
  Network Activity / Updates: yes/yes
  Connected Domains: dropbox.com, dropboxusercontent.com, whatismyip.com, checkip.dyndns.com, p0rn-lover.us, pool-x.eu

Bot: Shiz
  Aliases*: Backdoor.Win32.Shiz (Ikarus), TROJ_SHIZ (TrendMicro), PWS:Win32/Simda (Microsoft), Trojan.PWS.Ibank (DrWeb), Win32:Shiz (Avast), Infostealer.Shiz (Symantec)
  Count: 10
  Autorun: yes**
  Windows Services Modification: None
  Anti-AV / Anti-Analysis: yes/yes
  Propagation: Using other malware
  Communication Protocol: HTTP
  Rootkit Activity: 23 user-mode hooks in 6 libraries
  Network Activity / Updates: yes/yes
  Connected Domains: kefuwidijyp.eu (mostly IP addresses were used)

Aliases*: Generic verdicts were not included.
Autorun: yes*: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Autorun: yes**: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run], [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Bot distribution in September:

Autorun
All the bots analysed use the “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” registry key to launch themselves when Windows boots up. The Shiz backdoor also uses “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” in a further attempt to survive a reboot.
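As an added defender-side example (not part of the Lavasoft bulletin), the script below audits the two persistence locations named above together with the service changes listed in Table 1 (Cycbot disabling wscsvc, Blazebot enabling RDP). It assumes an elevated PowerShell session on Windows; the HKCU Run key, the Winlogon values Shell and Userinit, and the allowlist of known-good Run entries are assumptions of this example, not findings from the bulletin.

```powershell
# Added example, not from the Lavasoft bulletin. Run elevated on Windows.
# Lists Run-key entries, checks the Winlogon values most often abused, and
# reports the service-state changes Table 1 attributes to Cycbot and Blazebot.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumption: also worth auditing
)
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Placeholder allowlist: fill in from a known-clean build of the same image.
$allowedRunValues = @('SecurityHealth')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ($allowedRunValues -contains $p.Name) { 'ok' } else { 'REVIEW' }
        '{0,-7} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# Winlogon: Shell and Userinit are the values commonly appended to (assumed defaults below).
$wl = Get-ItemProperty -Path $winlogonKey
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ($actual -ne $expected[$name]) {
        "REVIEW  $winlogonKey\$name = '$actual' (expected '$($expected[$name])')"
    } else {
        "ok      $winlogonKey\$name = '$actual'"
    }
}

# Service state: Security Center (wscsvc) should be running; RDP should match policy.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($null -eq $wsc -or $wsc.Status -ne 'Running' -or $wsc.StartType -eq 'Disabled') {
    "REVIEW  wscsvc is not running (Status: $($wsc.Status), StartType: $($wsc.StartType))"
} else {
    'ok      wscsvc is running'
}

$ts = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    'REVIEW  Remote Desktop connections are enabled (fDenyTSConnections = 0)'
} else {
    'ok      Remote Desktop connections are denied'
}
```

Every line tagged REVIEW is a candidate for comparison against the host's baseline, not a verdict; the allowlist and the expected Winlogon values must be taken from a clean image of the same Windows build before the output is meaningful.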


DorkBot and Shiz block AV websites, preventing users from downloading the latest updates. A recent DorkBot block list contains 1258 URLs and can be downloaded from one of the bots: hxxp://146.185.237.111/va.txt (also available from our mirror).

Additionally, Shiz and DorkBot use server-side polymorphism to avoid detection.

Recently we found many references on the Internet stating that Kelihos supposedly checks whether a victim’s IP is on online blacklists (CBL – composite block list). This information was published by ZScaler Lab and referenced by ThreatPost and hundreds of other news sites.

Unfortunately, we could neither find CBL requests in our database nor reproduce such behavior with the Kelihos sample used by ZScaler (fbad0969a3fe539fa048df9912b8c6d4). In addition, Kelihos uses the HTTP protocol to communicate with peers, not SMTP as ZScaler noted. The SMTP traffic highlighted by the ZScaler researcher can be explained by spambot activity, which involves numerous connections to SMTP servers. It is possible that the analysts mistakenly attributed blocking replies from SMTP servers to the Kelihos protocol.

SMTP traffic generated by mail servers when Kelihos sends spam

Self-Propagation
The bots can propagate via removable drives (Kelihos uses a vulnerability in LNK files), social networks (DorkBot), instant messengers (DorkBot, Blazebot) and file-sharing services such as Dropbox (Blazebot with Rbot). Drive-by attacks and downloading by other malware are also used to deliver a backdoor.

Communication Protocols
HTTP and IRC are the most commonly used protocols nowadays. We noticed that the IRC bots DorkBot, Blazebot and Rbot operate together and are probably owned by the same botmaster.

Bot distribution by the type of communication protocol

Rootkit Activity
Four of the six bots (Zbot, Kelihos, DorkBot, Shiz) install user-mode hooks into Windows system DLLs in order to spy on users’ activity. Zbot installs the highest number of hooks.

Network Activity
All reviewed bots are still alive, showing network activity and downloading updates.

According to last month’s network activity, Kelihos and Dorkbot were using Amazon’s Cloud Service to host malicious files. In September we found eighty-eight malicious samples that connected to compute.amazonaws.com for bot updates.

The first such connections made by Kelihos were detected in June 2013, and their number only continues to grow; it would appear that Amazon’s cloud is becoming popular among botmasters as a means of growing their botnets.

Amazon Web Services

Top20 Potentially Unwanted Programs

Below are the Top 20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position Ad-Aware detection % of all threats Change in ranking
1 Conduit 36.41% new
2 Adware.JS.Conduit 17.14% new
3 MyWebSearch 14.70% +10.16%
4 Win32.PUP.Bandoo 4.93% +3.60%
5 Adware.Linkury 4.48% +2.96%
6 Win32.Toolbar.Iminent 3.51% +2.45%
7 Babylon 1.93% +1.78%
8 Iminent 1.19% +0.13%
9 SweetIM 1.12% +0.72%
10 Yontoo 0.83% +0.58%
11 InstallBrain 0.83% +0.70%
12 Bprotector 0.80% +0.38%
13 Crossrider 0.78% new
14 InstallCore 0.76% +0.39%
15 Win32.Adware.ShopAtHome 0.57% +0.35%
16 DownloadMR 0.49% +0.33%
17 Yontoo 0.45% +0.20%
18 Amonetize 0.45% new
19 Installerex/WebPick 0.44% new
20 Elex Installer 0.43% new

Top20 PUPs detected on users’ PCs

Operating Systems

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
