'Rombertik' malware which destroys the system if detected

Researchers have discovered a new malware ‘Rombertik’ which destroys the system if it realizes that it is being analyzed.

"Security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples,” Ben Baker and Alex Chiu from Cisco Systems' Talos Group wrote in a blog post.

“Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis,” the blog post added.

Similar to Dyre, Romberik, which has multiple layers of obfuscation and anti-analysis functions, is a complex malware which can be hooked into the user’s browser to read credentials and other sensitive information for ex-filtration.

However, Dyre targets banking information unlike Rombertik which collects information from all websites in an indiscriminate manner.

Researchers said Romberik arrives on any computer through a phishing campaign or through an email attachment. It tries to check to see if it is running within a sandbox. After that, it decrypts itself and launches on the user’s computer. Once this process gets completed, a second copy of itself launches and is overwritten with the spying functionality.

Before Rombertik begins spying on the system, it does a final check to see if it is running in the system’s memory.

It destroys the computer’s master boot record, leaving the system inoperable. If it cannot destroy then it targets all files in the user’s home folder, by encrypting each one with random RC4 keys. It contains plenty of dummy code, which include 75 images and 8,000 functions which is to hide the malware’s functionality.

If the malware is not detected, it checks the browser activities, reading credentials and private information, before sending its findings back to the attacker’s server.

The researchers said that in order to prevent ones’ computer from Rombertik, people have to follow security basics like up-to-date security software, ignore attachments from unknown senders and solid security policies for businesses will all help avoid the malware.

Updated Dyre malware successfully avoiding sandboxing

The Dyre banking trojan, which lead to stealing of over a million from the corporate banks in April has got a new update which renders it undetectatble by anti-sandboxing techniques.

The malware checks how many processor cores the machine has and if it has only one, it terminates. Since sandboxes are configured with only one processor with one core as a way to save resources, this is an effective evasion technique -  most of the computers now come with multiple cores.

Seculert's check for Dyre's evasion of analysis with four commercially available sandboxes revealed that the malware has been successful in fooling the systems.

In addition Dyre has switched user agents to avoid detection by signature-based systems. The Upatre downloader which is working in conjunction with Dyre also has new changes to avoid signature-based detection. Upatre now uses two user agents and different download communication pathway. The communication path naming convention is obscure and not based on identifiable characteristics.

These progress in malware technologies reveal that sandboxing alone cannot be an effective way to deal with vulnerabilities. The ability to detect evasive malware needs to include machine learning and the analysis of outbound traffic over time.

New malware in online banking causes problem in Japan

A new online banking malware, which was found in Operation Emmental, has now been causing problems in Japan.

TROJ_WERDLOD, a new detected malware, has been causing problems in the country since December 2014. More than 400 systems were affected by the new malware.

According to Hitomi Kimura, a security specialist at TrendMicro, the malware can change two settings which allow information theft at the network level.

It does not require a reboot or any memory-resident processes on the affected systems.

Kimura wrote on a blog that one of settings gets modifies in the system’s proxy settings. The attackers controls the way from Internet traffic to a proxy. And the second is the additional malicious root certificate to the system’s trusted root store. It allows malicious site certificates which are added in man-in-the-middle attacks to be used without triggering alerts or error messages.

He wrote that the TROJ_WERDLOD harms users via spam mails with an attached .RTF document. The document said to be an invoice or bill from an online shopping site. If anyone opens the .RTF file, the user gets instruction to double-click the icon in the document in order to execute the TROJ_WERDLOD in the system.
Spam mail which leads to TROJ_WERDLOD. Photo Courtesy:TrendMicro

According to him, the hackers used a fake certificate and proxy in Operation Emmental. They also used fake mobile apps in order to steal SMS messages from online banks. It seems that the same behavior may be seen in the future in Japan, although Japanese banks rarely use SMS authentication.

Kimura suggested that in order to restore an infected PC to its normal condition, the following steps should be taken:
-        1. Remove the proxy automatic setting in Windows and Firefox and if anyone has an option provided by the ISP and/or system administrator, he/she can change it back to the previous setting.
           2. Remove the malicious root certificate installed by TROJ_WERDLOD which was stored in Windows and Firefox. This malicious root certificate has the following signature:
·         A134D31B 881A6C20 02308473 325950EE 928B34CD

Fake adult site infecting your phone with SMS Trojan

People at Zscalar Research have found out that, a chinese porn site has been masquerading, and in reality is making your phone infected with malware.

When you visit the page, and try to play a video, the website asks you to download a piece of software to view the video, which in reality is a trojan.

The trojan installs itself in your phone and becomes a Broadcast Receiver, and intercepts all the SMS communications that happen on your phone. This is used by hackers to do fraudulent transactions on affected phones.

The payload filename is dynamically generated by the website so as no blacklisting of the malicious malware can be done.

Interpol coordinated to take down Simda botnet

The Simda botnet has been taken down on April 9 in a collaborative effort between international law enforcement bodies and private security and technology companies coordinated by Interpol's Global Complex for Innovation.

The botnet, known for spreading banking malware and establishing backdoor for many malware, has exploited more than 770,000 computers in 190 countries. The take down has resulted in seizure of 14 command-and-control servers in the Netherlands, United States, Poland, Luxembourg, and Russia.

According to the researchers, Simda is a mysterious botnet used by cyber criminals for distributing several types of unwanted and malicious software. Due to constant functionality and security updates, it rarely appears on the KSN radars despite a large number of hosts every day.

It uses hardcoded IP addresses to notify the keeper about the various stages of execution. It can modify the system hosts file by downloading and running additional components from its own updated servers, and to point to malicious IP’s, it adds unexpected records for google-analytics.com and connect.facebook.net.

The Kaspersky Lab report says that, “This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server – it can deactivate itself by preventing the bot to start after next reboot, instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.”

To analyse the spread of the infection the Digital Crime Centre (IDCC) in Singapore worked with Microsoft, Trend Micro, Kaspersky Lab, and Japan's Cyber Defense. The researcher team also involved officers from the Dutch National High Tech Crime Unit in the Netherlands, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, the Federal Bureau of Investigation in the US, and the Russian Ministry of the Interior's Cybercrime Department "K".

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, said “This successful operation highlights the value of, and need for partnerships involving national and international law enforcement and private industry in the fight against the global threat of cyber crime. The operation has dealt a crippling blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”

‘Trojan.Laziok’ Malware targets energy sector in Middle East

Image Credits: Symantec
Symantec detected a Trojan.Laziok, which acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers.

Between January and February, Symantec observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world, and the focus  was on the Middle East Countries.

According to the blog post of Symantec’s Christian Tripputi, the attack starts  with spam emails from the moneytrans[.]eu domain,  which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. These mails include a  malicious attachment that contain an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). The code is executed, If the users opens the attachment, which is Excel file. It leaves Trojan.Laziok on the computer.

To hides itself Trojan creates folder names in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory, and rename itself with well-known file names such as:

%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe  
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe  
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe

By collecting system configuration data such as Computer name, Installed software, GPU details, CPU details, Antivirus software, RAM size, Hard disk size, Trojan.Laziok begins its reconnaissance process.

After receiving the system configuration data, attackers infected  the computers with additional malware, and distribute the customized copies of Trojan.Zbot and  Backdoor.Cyberat which are specifically tailored for the compromised computer’s profile.

Symantec and Norton products have protections against this campaign.

Malware infections through spam campaigns can be avoided by not clicking on links in unsolicited, unexpected, or suspicious emails; avoid opening attachments in unsolicited, unexpected, or suspicious emails; use comprehensive security software, such as Symantec Endpoint Protection or Norton Security, to protect yourself from attacks of this kind; take a security layered approach for better protection; keep your security software up to date; apply patches for installed software on a timely basis.