Wilders Security Forums  

Go Back   Wilders Security Forums > Other Security Topics > malware problems & news
#1
June 22nd, 2006, 07:02 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Dangerous trojans on the loose

Dangerous trojans (associated with various exploits) on the loose, I've written about them here:
http://cut-thecrap.blogspot.com/2006...y-failing.html

Note that two different trojans were undetected by ANY antivirus out there. After I submitted the samples they were included by many vendors, but now I've found yet another variant of the first undetected yet again by ANY antivirus.

They are possibly trying to install rootkits as well.
#2
June 22nd, 2006, 10:15 PM
Devinco
Very Frequent Poster
Join Date: Jul 2004
Posts: 2,528
Re: Dangerous trojans on the loose

Thanks for letting us know TNT!
#3
June 22nd, 2006, 10:29 PM
Meriadoc
Very Frequent Poster
Join Date: Mar 2006
Location: Cymru
Posts: 2,050
Re: Dangerous trojans on the loose

...good work, will be havin a looksey.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
#4
June 23rd, 2006, 03:47 PM
redwolfe_98
Frequent Poster
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 481
Re: Dangerous trojans on the loose

i hope that you submitted the files to all of the prominent vendors, including PSC (BOClean), misec (trojanhunter), emsisoft (a-squared), ewido, etrust/CA, mcafee, symantec.. you could also submit the files to pctools (spyware doctor)..
#5
June 23rd, 2006, 03:54 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by redwolfe_98
i hope that you submitted the files to all of the prominent vendors, including PSC (BOClean), misec (trojanhunter), emsisoft (a-squared), ewido, etrust/CA, mcafee, symantec.. you could also submit the files to pctools (spyware doctor)..
I submitted the first two trojans I found to Kaspersky, BOClean, Ewido, ClamAV (with option to submit to other vendors), and F-Prot. The first three included them within 24 hours. The last two didn't even include them within the first week (I didn't check any further, but let me say that this kind of response is pathetic).
Other vendors such as Bitdefender, DrWeb, Norman, VBA32 and some others I don't recall included them in a matter of a few days, possibly because they received them from Virustotal or other vendors.

I submitted the latest sample to BOClean, Kaspersky and Eset. Only BOClean has included it so far.

Last edited by TNT : June 23rd, 2006 at 04:11 PM.
#6
June 23rd, 2006, 04:31 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Ok, I tested the latest "www.google.com" trojan (which I didn't test) in a sandbox... and I can confirm it's DEFINITELY a trojan (the behavior is identical to the previous one with the same name, now detected by most); so the fact that it's not detected by Kaspersky or Eset is NOT related to it being damaged or not-working.
#7
June 23rd, 2006, 05:24 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

The number of sites and trojans keeps growing.
Just found a new one, with exploits, pornography, and link spam on it. The "www.google.com" trojan is a new one too, and undetected by ALL the AVs.

This is definitely Coolwebsearch in their new course. Sigh.
#8
June 23rd, 2006, 07:52 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

According to KAV, three new variants are going to be detected with the next update. I sent two other new variants to Kevin McAleavey, so BOClean is likely to include these two in the next update as well. That's four different variants all undetected by any AV on Virustotal AND Jotti before the updates. And that's just the downloader.

In a couple of days, I found dozens of sites pushing these trojans all over the place; there are hundreds, possibly thousands of different subdomains that seem to have been created with the sole intention of linking/pushing these trojans on web surfers, though so far, the only real download/exploit points are gbeb.cc, gromozon.com and xearl.com (DEFINITELY PUT THESE IN YOUR BLOCK LISTS!). My domain block list is going to include the linking sites too (they're all clearly created with the sole intention of getting a high search engine ranking and pushing exploits and trojans).

The amount of link spam that was done to promote this crap is disgusting. Try to put "earticolo" in Google and see (but do NOT open the links!)... and that's just one domain.
#9
June 24th, 2006, 03:17 AM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,079
Re: Dangerous trojans on the loose

First of all, I must say that I've tracked down all samples that Eset has recently received, but could not find any with the file www.google.com so I had to dig for it in Jotti's database. Eventually it turned out to be just a dropper, and the file dropped was immediately detected and blocked by AMON (the NOD32 file access scanner).
#10
June 24th, 2006, 08:06 AM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by Marcos
First of all, I must say that I've tracked down all samples that Eset has recently received, but could not find any with the file www.google.com so I had to dig for it in Jotti's database. Eventually it turned out to be just a dropper, and the file dropped was immediately detected and blocked by AMON (the NOD32 file access scanner).
There seems to be a problem at Eset with receiving e-mails from me; this is not the first time something I sent was not received.

By the way, the www.google.com "just a dropper" is a downloader. Did you check if the downloaded file it tries to launch is detected? It wasn't last time I checked it.
#11
June 24th, 2006, 10:26 AM
SirMalware
Regular Poster
Join Date: Jun 2006
Posts: 133
Re: Dangerous trojans on the loose

TNT, do you know what the AV vendors have named these new trojans? (I realize AV vendors choose different names)
#12
June 24th, 2006, 10:44 AM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

"www.google.com" is Trojan.Win32.Agent.vp (Kaspersky); I'm gonna try and let it download the other dropper (the one downloaded by Agent.vp) and see what it's called (I didn't save the file).

EDIT: actually, I have the e-mail response from KAV: 3e2a8d.exe (the random-named file that "www.google.com" is responsible for downloading/starting) is Trojan-Dropper.Win32.Small.aqb.
#13
June 24th, 2006, 08:13 PM
SirMalware
Regular Poster
Join Date: Jun 2006
Posts: 133
Re: Dangerous trojans on the loose

Thanks, I use Kaspersky, I'll make sure I'm updated.

I suppose it's hard these days for any of the AV vendors to be updated 100% of the time for 100% of the malware that's out there. I guess that's why they need new samples sent to them constantly.
#14
July 27th, 2006, 07:37 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

New variants are out. Once again, undetected by *ALL* antivirus engines.
#15
August 5th, 2006, 03:13 PM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,079
Re: Dangerous trojans on the loose

Detected by NOD32's ThreatSense system without needing to update virus signatures :-)
#16
August 6th, 2006, 01:44 PM
pykko
Very Frequent Poster
Join Date: Apr 2005
Location: Romania...and walking to heaven
Posts: 2,073
Re: Dangerous trojans on the loose

Quote:
Originally Posted by Marcos
Detected by NOD32's ThreatSense system without needing to update virus signatures :-)
Good news!
__________________
Where there is a need, there is a way!

---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * SUPER AntiSpyware * Firefox with Adblock and NoScript
#17
August 10th, 2006, 01:02 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

The same and/or new exploits and malware are now also loaded from a new site: td8eau9td(dot)com (created August 8, 2006), according to dnsstuff.com: http://www.dnsstuff.com/tools/whois.ch?ip=td8eau9td.com

So far the culprits where the malware and exploits now physically reside are:
gromozon(dot)com
xearl(dot)com
td8eau9td(dot)com

Definitely put these in your block lists. Often (but not always) the exploits are triggered from a JavaScript on js(dot)gbeb(dot)cc/advertizing/ (do NOT visit!), and this JavaScript is included in many thousands of comment-spammed pages on literally hundreds of domains, some ranking quite high on Google, Yahoo and MSN. I'm trying to keep up by including these "jumper" domains in my blocklist as well, but (for now) as long as you include the four mentioned above you will block the exploits and malware as well. Please note that td8eau9td(dot)com had not been included in the latest blocklist I released as I found this domain only today (and probably wasn't even "alive" two days ago).

By the way, do not rely too much on your antivirus for this: the latest trojan, a "FreeAccess.ocx" was detected (heuristically) only by eTrust-Vet on VirusTotal.

Oh and by the way, it IS confirmed: this infection vector installs rootkits as well. There is an article here in Italian (I'm not the author and I'm not affiliated with them, but it seems reasonably well written... if you speak Italian...)

Last edited by TNT : August 10th, 2006 at 01:10 PM.
#18
August 10th, 2006, 01:26 PM
sukarof
Very Frequent Poster
Join Date: Jun 2004
Location: Stockholm Sweden
Posts: 1,450
Re: Dangerous trojans on the loose

Drat! For once I thought I would get a chance to see what the fuss is all about, but two sites are closed by the abuse team, and the third is unresponsive.
#19
August 10th, 2006, 01:34 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by sukarof
Drat! For once I thought I would get a chance to see what the fuss is all about, but two sites are closed by the abuse team, and the third is unresponsive.
They're not closed at all. It's a scam message on their "homepage" to make people think they have been shut down, when in fact they're open and very alive and pushing trojans all over the place. Contact me privately if you're sure you do want an actual live example (but again, please be sure of what you're doing).
#20
August 10th, 2006, 01:49 PM
sukarof
Very Frequent Poster
Join Date: Jun 2004
Location: Stockholm Sweden
Posts: 1,450
Re: Dangerous trojans on the loose

Oops *blush*
Thanks for setting things right.

Last edited by sukarof : August 10th, 2006 at 01:57 PM.
#21
August 10th, 2006, 01:56 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by sukarof
They've tried various methods for appearing "innocent"... a while ago they had a server-side redirection to msn.com if you visited "homepage", meaning if you typed only the domain name in the address bar (of course they have nothing to do with the real msn.com at all).

Now they pretend they've been shut down when in fact they sure haven't. The trojans and exploits, of course, are loaded from a subdirectory (in fact, a routinely randomized one) on those domains not from the "home", so they figured if they put a sign like that people might think their domains are now safe. They're not. They are easily some of the most dangerous active domains around right now.
#22
August 10th, 2006, 08:48 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Just found yet ANOTHER new "www.google.com" trojan, and again it's undetected by ALL the AVs on VirusTotal and Jotti (and yes, that includes NOD's heuristics).

Sigh.
#23
August 10th, 2006, 09:15 PM
Devinco
Very Frequent Poster
Join Date: Jul 2004
Posts: 2,528
Re: Dangerous trojans on the loose

TNT,

The infection vector is through JavaScript only?
So using Firefox with NoScript plugin one would be immune if those domains were set to block JS?
It is not using other vectors like Java or plugins: Flash, Realmedia, Quicktime, Acrobat Reader, is it?

Thanks in advance.
#24
August 10th, 2006, 09:25 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by Devinco
TNT,

The infection vector is through JavaScript only?
So using Firefox with NoScript plugin would be immune if those domains were set to block JS?
It is not using other vectors like Java or plugins: Flash, Realmedia, Quicktime, Acrobat Reader, is it?

Thanks in advance.
Most of the pages are using either a JavaScript obfuscation code or a JavaScript redirection to load the exploits on the aforementioned domains. If you don't run JavaScript at all, you're probably not going to encounter these (but I wouldn't be sure of it); however, be advised that the JavaScripts do NOT reside on the aforementioned domains, only to "jump" pages with lots of keywords in them (most probably to be indexed well on search engines), and THESE pages contain the JavaScript that loads the malware from those domains. So if you "blacklist" JavaScript for gromozon, xearl etc, nothing is going to change, you need to blacklist ALL the domains with the "jump pages".

The exploits themselves are not just JavaScript exploits, they are a Windows Media Player exploit, a Java exploit, a JavaScript createControlRange exploit, a WMF exploit, and maybe some others.
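A defender-side helper for the blocklist advice in posts #8, #17 and #24, written as an added example (it is not code from the thread or from any poster). It refangs the "(dot)" notation the posts use, treats every listed domain as covering all of its subdomains (the posts describe randomized subdirectories and thousands of throw-away subdomains), and matches on whole DNS labels so a look-alike such as notgromozon.com is not caught by accident. Listing gbeb.cc whole rather than only js.gbeb.cc, and the sample URL paths, are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Domains named in the thread, copied in the "(dot)" defanged form the posts use.
# gbeb.cc is listed whole (an assumption here) because the redirecting
# JavaScript lives on a subdomain of it and post #8 names gbeb.cc itself.
DEFANGED_BLOCKLIST = """
# malware / exploit hosts
gromozon(dot)com
xearl(dot)com
td8eau9td(dot)com
# domain serving the JavaScript that loads the exploits from the hosts above
gbeb(dot)cc
"""

def refang(indicator: str) -> str:
    """'js(dot)gbeb(dot)cc' -> 'js.gbeb.cc'; '[dot]' is accepted as well."""
    refanged = re.sub(r"\s*[(\[]dot[)\]]\s*", ".", indicator.strip(), flags=re.I)
    return refanged.lower().rstrip(".")

def load_blocklist(text: str) -> set:
    """Parse a defanged list, skipping blank lines and '#' comments."""
    return {refang(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def host_is_blocked(host: str, blocklist: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one.
    Matching is by whole DNS label, so 'notgromozon.com' is NOT a hit."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def url_is_blocked(url: str, blocklist: set) -> bool:
    """Apply host_is_blocked to the hostname of a URL (False if it has none)."""
    host = urlsplit(url).hostname
    return host is not None and host_is_blocked(host, blocklist)

def hosts_file_entries(blocklist: set) -> list:
    """Sinkhole lines for a hosts file. These cover only the bare domains;
    randomized subdomains need a DNS- or proxy-level filter instead."""
    return [f"127.0.0.1 {domain}" for domain in sorted(blocklist)]

BLOCKLIST = load_blocklist(DEFANGED_BLOCKLIST)

if __name__ == "__main__":
    # Constructed sample URLs; the 'a8f3c1' path is invented for illustration.
    for url in ["http://js.gbeb.cc/advertizing/", "http://xearl.com/a8f3c1/",
                "http://www.google.com/", "http://notgromozon.com/"]:
        print(f"{'BLOCK' if url_is_blocked(url, BLOCKLIST) else 'allow'}  {url}")
```

The last two sample URLs show the two edge cases a hosts-file or proxy filter must get right: the real www.google.com is unrelated to the trojan file that borrows its name, and a domain that merely contains a listed name as a substring is not a match.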
#25
August 11th, 2006, 04:59 PM
SirMalware
Regular Poster
Join Date: Jun 2006
Posts: 133
Re: Dangerous trojans on the loose

Quote:
Just found yet ANOTHER new "www.google.com" trojan, and again it's undetected by ALL the AVs on VirusTotal and Jotti (and yes, that includes NOD's heuristics).

Sigh.
TNT, if you possess samples of these new trojans, are you submitting them to the various AV companies so that they can update their databases?