Different class of viruses starting to appear?

Modelworks

Lifer
Feb 22, 2007
I have a PC that I purposely infect with spyware and viruses to study how they work. There are some really talented coders out there, but the majority of the stuff I find is Visual Basic scripts and simple trojans or rootkits. Friday I encountered something I had never seen before.

I run any downloaded files on the test system before I open them on my main PC. I virus scanned the file with AVG, ClamAV and Microsoft Security Essentials; all said it was safe. I then used UniExtract to extract the setup file to make sure nothing was packed in with the file, which has become a more common way to infect PCs. I saw nothing suspicious.

So I put the file on my main PC and ran it; the program installed and all was fine, or so I thought. I also run another program called Process Explorer. Later that day I was running Process Explorer and noticed a process named svchost1 was running. I checked to see what it was attached to and noticed it had access to networking and was doing a lot of I/O with the hard drive. I immediately disconnected the network and suspended the process. When working with viruses it is important that you do not kill or terminate a process, because that just causes the virus to restart. Suspending the process basically freezes the virus from executing code.

I ran antivirus on the main PC and nothing was found. I tracked down how it got into the system and managed to bypass antivirus and Windows 7 UAC. The file contained a DLL called graph.dll. I disassembled the file and found that it contained all the code that the normal graph.dll contained, but it also contained extra code so that each time graph.dll was called by the main program it performed other functions. The more the graph.dll file was used, the faster it was able to work on the system. The main program had permission to run by UAC, so UAC did not have a problem with the code hidden in the DLL performing other tasks.

I don't know of an easy way to detect trojans like this with the way current AV products work. I submitted all I found to the main AV companies, and MS actually responded wanting more information on where I got the files and anything else I found, so I guess they were intrigued too.
So be careful where you download from, because not even AV or UAC is enough protection.
 

u3laptoper

Member
Oct 25, 2009
It doesn't seem to be too clever. A bit passive to avoid being caught.

But I do appreciate your efforts of neighborhood-watching. Sleep safely.
 

Modelworks

Lifer
Feb 22, 2007
Very interesting! Where did you find this new virus?

The virus came from the download.com site. A shareware program that had been updated by the author. I contacted the author and he found the virus on his system as well, and I haven't heard back from him as to where he got it.

I found this one interesting because it simply stayed quiet in the background doing its function while not alerting the user that anything was going on, all the while bypassing virus scanners and other utils made to detect it.

The code is in pure ASM, so I know whoever did it wasn't just some script kiddie but someone a bit more knowledgeable.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Yeah, best not to hand over the keys to the kingdom by installing stuff that we aren't sure is ironclad legit. And as you note, antivirus software is not a way to be sure.

When I was hunting new variants of NewMediaCodec daily, I had to run the Trojan and then turn the system's clock ahead one day to trigger it. Crafty. It also sent the bad guys my NIC's MAC address in a BITS transmission, so I kept changing it in the NIC driver to avoid blowing my cover. They're not dumb, and as the low-hanging fruit begins to diminish (Win2000/XP systems running as Admin), they will start to adapt.
 

n0cmonkey

Elite Member
Jun 10, 2001
Have you uploaded it to VirusTotal? If not, it might be interesting to see the results.
 

Modelworks

Lifer
Feb 22, 2007
Have you uploaded it to VirusTotal? If not, it might be interesting to see the results.

I uploaded it to VirusTotal and this is the result:
Code:
Antivirus  	Version  	Last Update  	Result
a-squared	4.5.0.43	2009.12.05	-
AhnLab-V3	5.0.0.2	2009.12.05	-
AntiVir	7.9.1.92	2009.12.05	-
Antiy-AVL	2.0.3.7	2009.12.04	-
Authentium	5.2.0.5	2009.12.02	-
Avast	4.8.1351.0	2009.12.05	-
AVG	8.5.0.426	2009.12.05	-
BitDefender	7.2	2009.12.05	-
CAT-QuickHeal	None	2009.12.05	-
Comodo	3103	2009.12.01	-
DrWeb	5.0.0.12182	2009.12.05	-
eSafe	7.0.17.0	2009.12.03	-
eTrust-Vet	35.1.7159	2009.12.04	-
F-Prot	4.5.1.85	2009.12.05	-
F-Secure	9.0.15370.0	2009.12.03	-
Fortinet	4.0.14.0	2009.12.04	-
GData	19	2009.12.05	-
Ikarus	T3.1.1.74.0	2009.12.05	-
K7AntiVirus	7.10.912	2009.12.05	-
Kaspersky	7.0.0.125	2009.12.05	-
McAfee	5823	2009.12.05	-
McAfee+Artemis	5823	2009.12.05	-
McAfee-GW-Edition	6.8.5	2009.12.05	-
Microsoft	1.5302	2009.12.05	-
NOD32	4662	2009.12.05	-
nProtect	2009.1.8.0	2009.12.05	-
Panda	10.0.2.2	2009.12.05	-
PCTools	7.0.3.5	2009.12.05	-
Prevx	3.0	2009.12.05	-
Rising	22.24.05.04	2009.12.05	-
Sophos	4.48.0	2009.12.05	-
Sunbelt	3.2.1858.2	2009.12.05	-
Symantec	1.4.4.12	2009.12.05	-
TheHacker	6.5.0.2.086	2009.12.05	-
TrendMicro	9.100.0.1001	2009.12.05	-
VBA32	3.12.12.0	2009.12.03	-
ViRobot	2009.12.4.2072	2009.12.04	-
VirusBuster	5.0.21.0	2009.12.05	-
Additional information
File size: 389120 bytes
MD5...: aa7e61b3e60eb59823fe57ec80fa56d4
SHA1..: 2f704dbecc6d142bca86bfab939768099ec10d8e
SHA256: 75071bf9111ee58406bafc9287c5de7a85106cf9cfc595a9456e6910932a6826
ssdeep: 6144:gzcdro7QUM96wj4gatvtFWwFDs0EaKTz9znQ7e1arOIb1u9wSePoynUfZc5
pLgDE:gtM96wj4gefDDsth7Q8QOe1al1BUpga
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: OpenGL object (29.2%)
Lotus 123 Worksheet (generic) (14.6%)
HSC music composer song (9.2%)
Game Music Creator Music (8.2%)
MacBinary 1 header (7.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: oicu812
signing date.:AE1BC5
verified.....: Signed

It is one crafty bit of code.
I'm going to work on disassembling it further when I get some free time to determine exactly what it is trying to do. All I know right now is that it accesses the network and hard drive, but I don't know what it is looking for or trying to do.
 

n0cmonkey

Elite Member
Jun 10, 2001
I'd love to run it in my behavioral analysis sandbox, but I don't have that option at the moment. :p
 

gsellis

Diamond Member
Dec 4, 2003
Interesting. And for motivation, you have to realize that viruses are now a business. You have the "Russian Business Network" involved now. There are real programmers getting paid big dollars to write this code. They can steal millions and millions of dollars around the world electronically now. Big business, not some guy in his mom's basement.

I just wait for the day that the RBN finds out the Mac users may be more affluent than PC users. No more Mac vs PC ads soon after that.
 

Pegun

Golden Member
Jan 18, 2004
OP, do you have any firewall programs that are monitoring attempted hard drive access? I use ZoneAlarm, and it sounds like this might be detected with ZoneAlarm because of the extra IO code.
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
So let me get this straight... you downloaded a shareware program off a public repository and then proceeded to install it after giving it UAC elevated privileges?

Sure, I understand you did best effort, but DLL-injected code is hardly new.
 

Modelworks

Lifer
Feb 22, 2007
So let me get this straight... you downloaded a shareware program off a public repository and then proceeded to install it after giving it UAC elevated privileges?

Sure, I understand you did best effort, but DLL-injected code is hardly new.

I downloaded it, scanned it with 4 programs including MS's own, and used UniExtract to extract the main file to its parts, all before allowing it to be installed with UAC.

The difference between this and previous DLL methods is that this is not using the DLL to install a virus or really make any changes to the user's system. The DLL is mixed with code from the original DLL so that every time the DLL code is used, a task the virus creator wants completed is done. The more you run the program, the more time the code gets to do its work. Now imagine if someone replaces their version of the DLL with something like MSVC.DLL that is called by many programs. They now have their code running without anyone able to detect it unless they are closely monitoring what every program is doing. You might think 'well, it has to be signed to replace a system file'; well, look above, the signature is intact and approved by VeriSign.

I think the most worrisome part about this is its stealthy nature, where it doesn't even alert the user that anything is taking place, and that once it gets past UAC and is installed it is free to do whatever it likes. It has concerned Trend Micro enough that they have been emailing me back and forth since I reported it.

About the closest thing that describes it is the page below; the code in this one is not the same, but it uses similar ideas.
http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html
 
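As an added example (mine, not code from the thread or from any vendor mentioned in it), a small inventory check for two of the patterns discussed above: a process named to resemble a Windows binary, as with svchost1, and a DLL carrying a well-known name loaded from an application folder rather than System32, as in the MSVC.DLL scenario. The inventory, watch-lists and paths are constructed; in practice the data would come from a module listing such as Process Explorer's.

```python
import ntpath
import re

SYSTEM_DIR = r"C:\Windows\System32"
# Watch-lists, constructed for this example; in practice derive them from a clean baseline
# of %SystemRoot%\System32. msvc.dll is the hypothetical name used in the thread.
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "msvcrt.dll", "msvc.dll"}

def lookalike_of(name: str):
    """Return the watched image name this file name resembles (svchost1.exe, svch0st.exe), else None."""
    stem, ext = ntpath.splitext(name.lower())
    candidates = (
        re.sub(r"[^a-z]", "", stem) + ext,                    # strip appended digits/punctuation
        stem.translate(str.maketrans("0135", "oles")) + ext,  # undo digit-for-letter swaps
    )
    return next((c for c in candidates if c in SYSTEM_IMAGES), None)

def under(path: str, directory: str) -> bool:
    """True if path lies inside directory (case-insensitive, Windows path semantics)."""
    return ntpath.normcase(ntpath.normpath(path)).startswith(
        ntpath.normcase(ntpath.normpath(directory)) + "\\")

def audit(inventory):
    """Return (pid, finding) pairs for lookalike images and watched DLL names loaded from outside System32."""
    findings = []
    for proc in inventory:
        image = ntpath.basename(proc["image"]).lower()
        target = lookalike_of(image)
        # A watched name is only legitimate when it is spelled exactly and lives in System32.
        if target and (image != target or not under(proc["image"], SYSTEM_DIR)):
            findings.append((proc["pid"], f"{image} mimics {target}: {proc['image']}"))
        for module in proc["modules"]:
            name = ntpath.basename(module).lower()
            if name in SYSTEM_DLLS and not under(module, SYSTEM_DIR):
                findings.append((proc["pid"], f"{name} loaded from outside System32: {module}"))
    return findings

# Constructed inventory (not captured data): one clean svchost, the thread's svchost1 name,
# and an application that loads a DLL carrying a system name from its own folder.
INVENTORY = [
    {"pid": 612, "image": r"C:\Windows\System32\svchost.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"]},
    {"pid": 3044, "image": r"C:\Program Files\SharewareApp\svchost1.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll", r"C:\Program Files\SharewareApp\graph.dll"]},
    {"pid": 3120, "image": r"C:\Program Files\SharewareApp\app.exe",
     "modules": [r"C:\Program Files\SharewareApp\msvc.dll", r"C:\Windows\System32\kernel32.dll"]},
]

if __name__ == "__main__":
    for pid, finding in audit(INVENTORY):
        print(f"PID {pid}: {finding}")
```

The trojanised graph.dll in the thread would not be caught by a name check like this, because that file sits exactly where the application expects it; that case needs the vendor's own DLL verified against a known-good hash or signature.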

Modelworks

Lifer
Feb 22, 2007
OP, do you have any firewall programs that are monitoring attempted hard drive access? I use ZoneAlarm, and it sounds like this might be detected with ZoneAlarm because of the extra IO code.

It will go right through a firewall, because if you allowed the parent program access then this will have access as well. So if you allow a program to receive updates, you also give access to the code inside the DLL. It isn't creating anything new when running; it is basically running inside of the legitimate program.

You could stop it with a firewall if you made it so that each running program only had access to a preset site and trying to access any other site would flag it as a problem.
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
You might think 'well, it has to be signed to replace a system file'; well, look above, the signature is intact and approved by VeriSign.

Well see, there's the problem. The cert had to have been hacked or forged (and we now know that cert providers can be hacked as of like 8 months ago) in order for the OS to allow this as a valid signed file. You may want to contact VeriSign about that one. You can't just take an arbitrary signed file, modify it by adding code, and have the signature still valid. That's just not possible unless you forge a new signature for it.

Don't get me wrong, I'm not saying you're not right about the stealthy nature, but I am saying "unknown program + shareware repository = bad things generally".

Also, did the installer replace a previous version of the DLL in the systemroot? If it did, shame on the installer.
 

gsellis

Diamond Member
Dec 4, 2003
Well see, there's the problem. The cert had to have been hacked or forged (and we now know that cert providers can be hacked as of like 8 months ago) in order for the OS to allow this as a valid signed file.
LOL - like the '*' cert :)

SunnyD is referencing a now known and allegedly corrected issue where certificate providers and applications were not parsing text fields correctly (length-defined fields that they were parsing as SZ, so inserting a 0x00 in the field would allow getting a certificate valid for * so that an application would read it and assume that the cert was completely valid for everything).
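An added example (mine, not from the thread) of the parsing mismatch gsellis describes: the same name field read as a length-prefixed ASN.1 string and as a NUL-terminated (SZ) C string, alongside the check a validator needs before matching a host name. The certificate bytes and domain names are constructed.

```python
UTF8_STRING_TAG = 0x0C  # ASN.1 UTF8String tag

def der_utf8_string(value: bytes) -> bytes:
    """Encode value as a UTF8String TLV; short-form length is enough for names under 128 bytes."""
    if len(value) >= 0x80:
        raise ValueError("short-form length only")
    return bytes([UTF8_STRING_TAG, len(value)]) + value

def parse_der_utf8_string(tlv: bytes) -> bytes:
    """Length-prefixed parse, as ASN.1 defines it: every byte the length covers is content."""
    if len(tlv) < 2 or tlv[0] != UTF8_STRING_TAG:
        raise ValueError("not a UTF8String")
    length = tlv[1]
    if length >= 0x80 or len(tlv) != 2 + length:
        raise ValueError("bad length")
    return tlv[2:2 + length]

def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated (SZ) consumer sees in the same content: everything before the first 0x00."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]

def common_name_is_sane(raw: bytes) -> bool:
    """Hardened check: a host name field must contain no NUL and must decode as UTF-8."""
    if b"\x00" in raw:
        return False
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def compare_views(cn_value: bytes):
    """Return (issuer's ASN.1 view, SZ consumer's view, whether the hardened check accepts it)."""
    tlv = der_utf8_string(cn_value)
    asn1_view = parse_der_utf8_string(tlv)
    return asn1_view, c_string_view(asn1_view), common_name_is_sane(asn1_view)

# Constructed names: the issuer validates the whole field (and so the applicant-controlled
# suffix), while an SZ consumer matches only the bytes before the NUL, here a bare wildcard.
HONEST_CN = b"www.example.org"
CRAFTED_CN = b"*\x00attacker-owned.example"

if __name__ == "__main__":
    for cn in (HONEST_CN, CRAFTED_CN):
        full, sz, accepted = compare_views(cn)
        print(f"ASN.1 view {full!r} | SZ view {sz!r} | accepted={accepted}")
```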
 

Modelworks

Lifer
Feb 22, 2007

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
It doesn't need to replace a DLL in the system root. It can keep the DLL in Program Files with the exe and do all the damage it needs to do.

I just got an email from MS. They have added protection for it to the security updates today.
https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatId=-2147337674

Well, I agree that it doesn't need to go into systemroot to do damage, period. However, it WOULD need to go into systemroot in order for WFP to be effective, which removes the argument about the cert from play. Also, my point was that for this DLL to be truly dangerous, it would need to inject itself into systemroot in order to be utilized by other applications that call that original DLL.

All that being said, this isn't truly a novel virus approach. It's just not as common an approach because of the potentially limited impact. It is a novel trojan, however, as it wasn't detected by your antiviral precautions. Congratz! They should have named it after you. :)
 

spikespiegal

Golden Member
Oct 10, 2005
Sure, I understand you did best effort, but DLL-injected code is hardly new.

What he said.

The trojan encountered here is a rather uncommon class I call 'piggy backers', because they require a specific .DLL to be pre-installed to work and they avoid the common ambush on \System32 files, which is a lot easier to find, wipe and replace. Trojan writers are moving away from brute-force approaches and getting more subtle. Let somebody else install a legitimate app, then 'piggy back' off it to hide your crafted bug.

It's still the same trick, though: make your code look like code already on the system, which requires a lot more work on the part of the AV scanner because they have to scrutinize system files a lot more closely rather than just checking whether the file size or version is off. Proof again that trojan writers are testing their warez with mainstream AV software to find their weaknesses.