New rogue (MS 2009)

The new rouge application thats been going around. I was infected by it a few seconds ago, while virtualizing. Any who, i ran the app sand boxed with sandboxie, and it still managed to get across, perhaps a mistake on my behalf. But yea, keep an eye out.

 

Re: New rouge (MS 2009)

I have 5 different installers for MS AnitiSpyware 2009 and all of them will only partly install sandboxed before the below error shows up.

Dregs do remain in the sandbox but a simple delete contents gets rid of everything with no breaches at all.

 

Re: New rouge (MS 2009)

Is it a full name of it? MS 2009?

 

Re: New rouge (MS 2009)

Looks so; http://www.spywareremove.com/removeMSAntiSpyware2009.html

 

Re: New rouge (MS 2009)

There's a whole mess of crap (rogues) out there.........

http://malwaredatabase.net/blog/

http://www.malwarebytes.org/roguenet.php

http://www.malwarebytes.org/forums/index.php?showforum=30

 

Re: New rouge (MS 2009)

We have been tracking it since earliar this week,it is being imported by a fake codec install(tubeviewer.exe)but is also travelling with a Z-bot on those installs.

http://threatexpert.com/report.aspx?md5=6a8631343060fc3d99eb375ab0d3b34e

If you would like source urls then drop me a pm

 

Re: New rouge (MS 2009)

On Vista SP1, I let MAS 2009 install virtualized with Sandboxie and get the same results as Franklin. On XP SP3, the virtualized install will complete normally. I see, however, zero file system and registry leakage (verified by Malware Defender and other means). When I terminate the virtualized session (IE + the virtualized child processes the install spawned), MAS 2009 is gone. My Sandboxie settings are out-of-the-box default.

Nick

 

Re: New rouge (MS 2009)

just tick the damn checkbox to drop rights and nothing will ever be installed...
not that hard,my nephew could understand it over the phone,not exactly rocket science.

 

Re: New rouge (MS 2009)

OK, so it's rogue, but is it as good as CyberDefender Ad/Spyware-Sponsored Internet Security with the picture of a naked woman for the Immunize PC icon? Has to have some good points! We are so critical of malware; were it not for that, why would we be here?

Dave

 

Re: New rouge (MS 2009)

Hmm not that i have had chance to play with Sandboxie but i have one question to thoes more informed on its operations.

Dose it prevent the Z-bot component from actively harvesting password's/logins etc and phoning home the data to the mothership?

Bear in mind Z-bot clears cache's locally and subsequently all login's/passwords re-entered are then collected by it.The collected data is then transmitted back home to the bad guys

 

Re: New rouge (MS 2009)

If your sandbox is configured to only launch certain apps, it shouldn't run in the first place. IMHO, that is the best way of preventing crap from leaking outside the sandbox.

 

Re: New rouge (MS 2009)

not an answer, but a question. would z-bot hijack a process for transmitting the stolen data, or use it's own created process for that chore? would a decent firewall prevent the transmission, or at least flag it?


Mike

 

Re: New rouge (MS 2009)

Yes it injects itself into winlogon.exe and from there into many core system process's.From there it can utilize thoes process's to do its dirtywork.

A good firewall will catch the the outbound traffic if its not preconfigured to allow M$ process's by default but then again even if a new alert is generated that would be for the M$ executable name and not the trojan file by its name.

HTH

 

Re: New rouge (MS 2009)

Under: Restrictions-> Internet access, only programs listed by file name are allowed Internet acces, so for example: iexplore.exe and/or firefox.exe are listed. These programs could also be forced to run in the sandbox, so based on this info, would the trojan be prevented from transmitting out? fcukdat, you mention it injects itself into core processes; could those files be affected?

 

Re: New rouge (MS 2009)

Yes it has been seen to inject itself into iexplore.exe process so yes it could manipulate it under normal circumstances.

My original question was how it would behave in a sandbox'ed enviroment.

 

Re: New rouge (MS 2009)

Would an Anti Executable stop this from installing / running rather than trying to stop it with a sandbox?

 

No, since none of the attacks seem have been the result of a drive-by download. However, some victims don't give many details, and would seem to imply that the infection happened without doing anything:

http://removal-tool.blogspot.com/2008/12/ms-antispyware-2009-removal-as.html

You can't tell from this what exactly happened.

Two ways of becoming victimized have been reported by security analysts as:

http://www.xp-vista.com/spyware-removal/ms-antispyware-2009-removal-info-msantispyware2009

http://www.spywareremove.com/removeMSAntiSpyware2009.html

In the first method, where the user agrees to install the codec or other type file that is infected, the user will turn off Anti-execution protection to permit the installation.

The same with the second method, where the user is redirected to a malicious website which generates popups with dire warnings that your computer is infected with worse than rats. Again, if the user agrees to install, the user will turn off Anti-execution security protection in order to permit the installation.

These fake animated scans depend on javascript being enabled. Once the deceptive scan starts, it can be difficult to back out. Here is one from an earlier Antivirus 2009 exploit:

http://www.urs2.net/rsj/computing/tests/winantivir2009/

Prevention from these rogue products is simply to have a firm policy in place never install anything that you didn't go looking for (Brian Krebs tip).

Also, not to pay any attention to popup results from a scanner other than your own while online. If in doubt, disconnect from the internet and and scan with your own Antivirus product.

----
rich

 

Re: New rouge (MS 2009)

I think you can,t be usre unless you try it. I can guess that under normal circumstances, it will not be able to tamper any process running outrside the sandbox but it can inject into the sandboxed processes and can even connect out through them, provided it is able to run. I will try it and see.

 

Re: New rouge (MS 2009)

yes it does, and thanks. Prevx Edge knocked 'em on their a$$.


Mike

 

Re: New rouge (MS 2009)

Which check box you are talking about?

 

good strategy, however, in my case with this infection, Antivir bugged the butter out of me with block/quarantee pop-ups as i was attempting to install this malcode. the second infection i had access to Avira didn't 'know' a thing about it.

Prevx Edge pulled the rug out from both.


Mike

 

I was referring to disregarding any popup warnings from any but your own scanner while on line.

----
rich

 

Mike,
Out of interest, what heuristic settings were you using on Edge?

 

Edge did not initially flag on it's executible (the first one i downloaded), so i wanted to see if Edges behavural analysis capabilities would kick in. also i was told if left to "fester" this infection would download rootkits, and other malcode. again i wanted to see first hand how Edge responded to this.

all this btw done sandboxed, with Defensewall rights restrictions, under the blanket of Shadowdefender, with a newly created Image waiting in the wings....just in case.


Mike

 

http://www.postimage.org/image.php?v=Pq10Xc0J

well not what i hoped to accomplish, but there is the answer.

i felt (according to the Edge Help file), that i met the criteria of an infrequent software installer (of course that is an arbitrary standard), so this setting is a good balance for me between protection and FP's.

hope this helps.


Mike