Wednesday, February 17, 2010

Conficker.B Microsoft Warning spam rehashed

This morning I was being briefed on the morning spam campaigns by one of my analysts, Sarah Turner, who told me that the second most popular email subject in today's spam was "Conflicker.B Infection Alert".

That seemed to ring a bell - sure enough, we had almost the same thing back in October and November, which we wrote about in the blog entry of October 19, 2009, "Zipped Malware Attachments in Spam: Here comes Conflicker!".

Today's email reads:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


The email from October 19th was slightly different. It read:

Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


See! The date changed! Other than that, it's basically the same email.

We received the old version of the email in heavy bursts on October 19th & 20th, and again on November 13th.

The old email had an attachment named "install.zip".

The new email has an attachment named "open.zip".

The zip file is 6,664 bytes in size, with an MD5 of 17bc2f36203bb43b16015388e9c35dea.

A VirusTotal report of the zip file shows 21 of 40 detections, with the primary detection name "Bredolab".

The .exe inside the zip file is named "open.exe".

The exe file is 15,360 bytes in size, with an MD5 of 1f824d203b360e7f62581ba9c2410fd9.

A VirusTotal report for this file shows 20 of 40 detections, again with the primary name "Bredolab".
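As an added illustration (not code from the original post), here is a gateway-side check that turns the indicators above into detection logic: the lure subject, the two attachment names, the zip and exe MD5s, and the structural tell of a zip wrapping an executable. The sample message it inspects is constructed in code and is not a real capture.

```python
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Indicators from the blog post: lure subject, attachment names, zip/exe MD5s.
KNOWN_SUBJECTS = {"conflicker.b infection alert"}
KNOWN_ATTACHMENTS = {"install.zip", "open.zip"}
KNOWN_MD5 = {
    "17bc2f36203bb43b16015388e9c35dea",  # open.zip (6,664 bytes)
    "1f824d203b360e7f62581ba9c2410fd9",  # open.exe (15,360 bytes)
}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def inspect_message(msg: EmailMessage) -> list[str]:
    """Return the reasons a message looks like this lure (empty list = clean)."""
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches campaign lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in KNOWN_ATTACHMENTS:
            reasons.append(f"attachment name {name} matches campaign")
        if md5_hex(data) in KNOWN_MD5:
            reasons.append(f"attachment {name} hash matches known sample")
        # Look inside the archive: a zip carrying a bare executable is the
        # structural signature of this lure, whatever the file is renamed to.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_SUFFIXES):
                        reasons.append(f"{name} contains executable {member}")
                    if md5_hex(zf.read(member)) in KNOWN_MD5:
                        reasons.append(f"{name}!{member} hash matches known sample")
    return reasons

def build_sample_message() -> EmailMessage:
    """Constructed test input (not a real sample): a zip wrapping a fake open.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("open.exe", b"MZ not a real PE, just constructed test bytes")
    msg = EmailMessage()
    msg["Subject"] = "Conflicker.B Infection Alert"
    msg.set_content("Dear Microsoft Customer, please install attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="open.zip")
    return msg
```

Because the constructed attachment is not the real sample, the hash rules stay silent and only the subject, name and zip-contains-executable rules fire, which is exactly the layering you want when the spammer re-hashes the payload.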


We launched open.exe in the lab, and it made a connection to 195.88.190.36, which is:

inetnum: 195.88.190.0 - 195.88.191.255
netname: BIGNESS-GROUP-NET
descr: Bigness group Ltd. Network
country: RU
org: ORG-BGL6-RIPE
admin-c: BO429-RIPE
tech-c: BO429-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: BIGNESS-GROUP-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: BIGNESS-GROUP-MNT
mnt-domains: BIGNESS-GROUP-MNT
source: RIPE # Filtered

organisation: ORG-BGL6-RIPE
org-name: Bigness Group Ltd
org-type: OTHER
address: 25 Nevsky broad str, office 96
address: S-Petersburg, Russia
e-mail: cardiro@cardiro.org
admin-c: BO429-RIPE
tech-c: BO429-RIPE
mnt-ref: HOSTER-RIPE-MNT
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered

person: Bogenov Oleg
address: Russia, S-Petersburg
phone: +79212290843
nic-hdl: BO429-RIPE
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered

route: 195.88.190.0/23
descr: IPs
origin: as49093
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered

--------------------------

So far we've received just over 3,000 emails with this subject, beginning at approximately 16FEB2010 @ 2245.

The memory image of the malware showed two strings:

- /pr/pic/sys.exe
- /pr/pic/fixer_sdgareh_b.exe

Those paths actually appear in many threat reports, including:

http://forums.malwarebytes.org/index.php?showtopic=38605

http://www.threatexpert.com/report.aspx?md5=88860304fd87ad175c2640971643bc12

Several of the reports mention a file called "/pr/pic/fixer_sdgareh_h.exe" (h instead of b), and several mention network traffic being observed to 83.133.122.160 as well. Many other reports mention other malware filenames being dropped from these locations, including a fake AV product dropped as "smilex_gasiodfht_b.exe".

Some of those reports indicate that the dropped files are a FakeAV product and a copy of a peer to peer botnet that some are calling "Waledac.C".

------------------------
Because Bredolab is a dropper, we can't be sure that the server we are connecting to always drops the same thing in response to a request for the same filename. When we first tried to fetch files, we didn't get anything. About an hour later our requests did begin producing files.

/pr/pic/sys.exe has an MD5 of 093dc8d6a59dab28dc96f9db47bf2e61. We were the first to upload that particular file to VirusTotal; the report showed 15 of 41 detections, still primarily calling it Bredolab.

The file size is 407,040 bytes, which shows the confusion around naming these things. *THIS* is Bredolab, but the AV products also detected the tiny 10k dropper file as Bredolab. Perhaps "Drops Bredolab" and "Is Bredolab" are close enough to be treated as the same, but the files are definitely not similar in any way.


/pr/pic/fixer_sdgareh_b.exe has an MD5 of efb27beba9b91a87c3698309c9085b71.
The icon for the file, crossed keys on a blue shield, makes it clear that this is a Fake AV installer, which was confirmed by letting it run in the lab. More on that later today. The file is a huge 1,045,504 bytes!

The VirusTotal report for this one, which we were also the first to upload, calls it by a host of names, with no clear leader among the 12 of 41 detections listed:

Antivirus          Version          Last update   Result
AntiVir            8.2.1.170        2010.02.17    Worm/Koobface.eyz
Comodo             3971             2010.02.17    TrojWare.Win32.FraudTool.ST.~GGI
eTrust-Vet         35.2.7309        2010.02.17    Win32/Fraud!packed
F-Secure           9.0.15370.0      2010.02.17    Trojan:W32/FraudPack.BS
McAfee             5895             2010.02.17    FakeAlert-LX
McAfee+Artemis     5895             2010.02.17    FakeAlert-LX
McAfee-GW-Edition  6.8.5            2010.02.17    Worm.Koobface.eyz
NOD32              4875             2010.02.17    a variant of Win32/Kryptik.CLH
Panda              10.0.2.2         2010.02.17    Suspicious file
Sophos             4.50.0           2010.02.17    Mal/EncPk-KW
Symantec           20091.2.0.41     2010.02.17    Trojan.FakeAV!gen13
TrendMicro         9.120.0.1004     2010.02.17    Cryp_Krap-9


Again the confusion with naming. McAfee and AntiVir call this Koobface, even though it has no Koobface-like properties whatsoever. Why? Probably because Koobface often drops a Fake AV product, and may actually drop THIS Fake AV product from time to time. Again, the industry is confused on how to differentiate between the Dropper and the Dropped, but they should be praised for taking the time to detect it at all, I suppose. Symantec was the only product that correctly named this a FakeAV,

------------------------

If anyone has evidence regarding this spam campaign that they'd like to share, feel free to email me at the University - gar at uab dot edu!

Thanks!
