Last night I suddenly started to receive some very odd e-mails, which frankly absolutely reeked of being malware, but NONE of the 14 virus scanners I had available detected anything suspicious! Not a good sign.
Here is an example of the e-mail:
Subject: Important notice for user xxx@xxx.xxx
From: “Support” xxx@pxxxxxx.xxx
Message-Id: 1ipBgH7ZN5.IaKxl@v
Reply-To: xxx@pxxxxxx.xxx
Dear user of [domain]
Your account has been used to send a large amount of spam messages during
the recent week.Most likely your computer had been infected by a recent
virus and now runs a trojaned proxy server.
We recommend that you run in attach free spyware remover
software to keep your computer safe.
Password to archive: 7831
License key: 15-5-2795
Best regards,
The [domain] team
Attachment: SpyKiller.zip
As you may have noticed, the attachment is a ZIP file, password-protected with the password 7831.
The attachment and text would lead you to believe that you are infected and that you should run the attached FREE tool to fix the problem [yeah right, like I'm going to do that!].
So, I extracted the file from the ZIP. The extracted file is called SpyKiller.exe; I scanned it again with the 14 up-to-date scanners and still not one of them detected anything suspicious. So, at 19:29 on the 19th of January I dutifully sent it off to the AV companies for analysis [as I usually do with suspicious files].
Below are more details on the ZIP and the extracted EXE file:
FileName: SpyKiller.zip
FileDateTime: 19/01/2005 19:10:31
Filesize: 9852
MD5: 826856f2d2f7c0e3849391176bddfec5
CRC32: 4EF3957E
File Type: ZIP Archive File
FileName: SpyKiller.exe
FileDateTime: 20/01/2005 02:13:54
Filesize: 10133
MD5: f2d29276bf087e9fc4993eae109c19d8
CRC32: B3D23EC4
File Type: PE Executable
Packer: FSG
To detect it until the anti-virus firms got round to it, I created the following Snort signature, which matches the incoming infected e-mails. The content string is one 76-character line of the base64-encoded attachment as it appears in the MIME body, so the rule only fires while the ZIP is sent with byte-identical contents; a re-packed variant would need a new string. The sid is in the range reserved for local rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Troj/Lohav-Q [SOPHOS] - MIME"; content:"CyXouhfNUeJ9i3t0N7k993sVScEjojNh78DVeU12dvLEjLHRNqIW5YI+EE5yLSFMEAXw3icA5xh2"; classtype:misc-activity; sid:1000001; rev:1;)
A Result!
At 13:00 today [20th January] I finally received a response from ONE of the anti-virus companies confirming my suspicions; thanks go to Sophos for having the courtesy to respond and give me useful data.
Below is the data they supplied [please check their site for latest details]:
The file spykiller.exe that you sent to us for analysis was a Trojan, Troj/Lohav-Q, that also downloads the Trojan, Troj/Padodor-U. There are descriptions below.
Troj/Lohav-Q is a backdoor proxy Trojan.
Troj/Lohav-Q may arrive with a filename of SPYKILLER.EXE as part of an email, with the subject “Important notice for user [user@domain]” and body text:
Dear user of [domain]
Your account has been used to send a large amount of spam messages during the recent week. Most likely your computer had been infected by a recent virus and now runs a trojaned proxy server.
We recommend that you run in attach free spyware remover software to keep your computer safe.
Password to archive: [password]
License key: [key]
Best regards,
The [domain] team
Troj/Lohav-Q will attempt to download and run an executable file detected as Troj/Padodor-U.
When first run, Troj/Lohav-Q will copy itself to the Windows system folder as WINHOST.EXE. In order to run automatically each time a user logs in, Troj/Lohav-Q will set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe
%SYSTEM%\winhost.exe
Troj/Lohav-Q will also set the following registry entries:
HKCU\Software\Timeout
uid
[number]
HKCU\Software\Timeout
port
[listening port number in hexadecimal]
HKCU\Software\Timeout
pid
[process identity number]
where the default listening port number is 9010.
Periodically, Troj/Lohav-Q will contact a number of websites in order to register the computer as being infected.
Troj/Lohav-Q can be used to route internet traffic from other computers via the proxy component and can be used to forward spam email.
Troj/Lohav-Q will attempt to terminate the following security-related processes:
AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE,
APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE,
ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE,
AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE,
AVprotect9x.exe, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE,
BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE,
BIPCPEVALSETUP.EXE,
BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE,
CDP.EXE, CFGWIZ.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIADMIN.EXE, CFIAUDIT.EXE,
CFIAUDIT.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET.EXE, CFINET32.EXE,
CFINET32.EXE, CLEAN.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER.EXE, CLEANER3.EXE,
CLEANPC.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMGRDIAN.EXE, CMON016.EXE,
CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE,
CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE,
DRWATSON.EXE,
DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE,
EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE,
FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE,
FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE,
HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMAPP.EXE,
IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE,
ICSUPP95.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE,
IRIS.EXE,
JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE,
KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE,
KILLPROCESSSETUP161.EXE,
LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE,
LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE,
MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE,
MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE,
MU0311AD.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE,
NAVW32.EXE,
NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE,
NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE,
NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE,
NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE,
NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE,
OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE,
PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE,
PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCFWALLICON.EXE,
PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE,
PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE,
PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE,
PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE,
PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE,
REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE,
RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE,
SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE,
SH.EXE,
SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE,
SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE,
SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE,
TCA.EXE, TCM.EXE, TDS-3.EXE, TDS2-98.EXE, TDS2-NT.EXE, TFAK5.EXE,
TGBOB.EXE,
TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE,
TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE,
VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE,
VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE,
VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE,
VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE,
VSWINNTSE.EXE,
VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE,
WGFE95.EXE, WHOSWATCHINGME.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE,
WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE,
XPF202EN.EXE,
ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONALM2601.EXE,
ZONEALARM.EXE
====
Troj/Padodor-U is a password stealing Trojan.
When first run, Troj/Padodor-U will copy itself to the Windows System folder as SYSTEMIL.EXE. The Trojan will also create a copy of itself as IL.DAT.
Troj/Padodor-U will drop the files SYSIE.DLL and SYSIL.DLL. These files are detected as Troj/Padodor-N.
In order to run the Trojan automatically on startup, Troj/Padodor-U will set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
systemil
(Random CLSID)
HKCR\CLSID\(Random CLSID)\InProcServer32
(Default)
sysil.dll
Troj/Padodor-U monitors access to banking websites in order to steal username and password information.
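As an added example, not part of Sophos's description or of the original post, the following Python script checks an offline `reg export` style file for the Lohav-Q and Padodor-U registry entries listed above: the winhost.exe Run entry, the HKCU\Software\Timeout uid/port/pid values (decoding the hexadecimal port), and the systemil ShellServiceObjectDelayLoad entry followed to its InProcServer32 DLL. The excerpt it parses is constructed here; the CLSID, uid and pid values are made up, and it assumes the Timeout values were written as REG_DWORD (0x2332 being the default port 9010).

```python
import re

# Constructed excerpt in `reg export` format containing the entries Sophos
# lists above. The CLSID, uid (0x1e240) and pid (0x4d2) values are made up;
# port 0x2332 is the default 9010. Assumes uid/port/pid are REG_DWORD.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winhost.exe"="C:\\WINDOWS\\system32\\winhost.exe"

[HKEY_CURRENT_USER\Software\Timeout]
"uid"=dword:0001e240
"port"=dword:00002332
"pid"=dword:000004d2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"systemil"="{0d1f2e3c-4b5a-6978-8a9b-0c1d2e3f4a5b}"

[HKEY_CLASSES_ROOT\CLSID\{0d1f2e3c-4b5a-6978-8a9b-0c1d2e3f4a5b}\InProcServer32]
@="sysil.dll"
"""

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
TIMEOUT_KEY = r"hkey_current_user\software\timeout"
SSODL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
             r"\shellserviceobjectdelayload")
LOHAV_DEFAULT_PORT = 9010

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote inside string data
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}. Key paths and
    value names are lower-cased; '@' (the default value) is stored under ''.
    dword: data becomes an int, quoted strings are unescaped, anything else
    (hex: blobs, which may continue over several lines) is kept verbatim."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if data.startswith("dword:"):
            reg[key][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            reg[key][name] = _unescape(data[1:-1])
        else:
            reg[key][name] = data
    return reg


def find_indicators(reg: dict) -> list:
    """Return one finding per Lohav-Q / Padodor-U registry artefact present."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "winhost.exe" or str(data).lower().endswith("\\winhost.exe"):
            findings.append(f"Lohav-Q autorun: Run\\{name} = {data}")
    timeout = reg.get(TIMEOUT_KEY)
    if timeout is not None:
        port = timeout.get("port")
        tag = " (default)" if port == LOHAV_DEFAULT_PORT else ""
        findings.append(f"Lohav-Q proxy config: uid={timeout.get('uid')} "
                        f"pid={timeout.get('pid')} port={port}{tag}")
    for name, clsid in reg.get(SSODL_KEY, {}).items():
        if name == "systemil":
            server_key = "hkey_classes_root\\clsid\\" + str(clsid).lower() + "\\inprocserver32"
            dll = reg.get(server_key, {}).get("", "<InProcServer32 not found>")
            findings.append(f"Padodor-U SSODL: systemil -> {clsid} -> {dll}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live machine the same checks would be run against `reg query` output or the registry API; parsing an export keeps the check usable on a disk image or a hive exported from a box you would rather not boot. The Timeout port is reported in decimal so it can be matched directly against a netstat listing.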
At the time of writing only the following anti-virus products detect this:
** Yes, it was sent to Symantec, Trend and many, many other anti-virus companies and researchers.