Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Dangerous trojans (associated with various exploits) on the loose, I've written about them here:
    http://cut-thecrap.blogspot.com/2006/06/is-av-industry-failing.html

    Note that two different trojans were undetected by ANY antivirus out there. After I submitted the samples they were included by many vendors, but now I've found yet another variant of the first undetected yet again by ANY antivirus.

    They are possibly trying to install rootkits as well.
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for letting us know TNT!
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    ...good work, will be havin a looksey.
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I hope that you submitted the files to all of the prominent vendors, including PSC (BOClean), misec (trojanhunter), emsisoft (a-squared), ewido, etrust/CA, mcafee, symantec.. you could also submit the files to pctools (spyware doctor)..
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I submitted the first two trojans I found to Kaspersky, BOClean, Ewido, ClamAV (with option to submit to other vendors), and F-Prot. The first three included them within 24 hours. The last two didn't even include them within the first week (I didn't check any further, but let me say that this kind of response is pathetic).
    Other vendors such as Bitdefender, DrWeb, Norman, VBA32 and some others I don't recall included them in a matter of a few days, possibly because they received them from Virustotal or other vendors.

    I submitted the latest sample to BOClean, Kaspersky and Eset. Only BOClean has included it so far.
     
    Last edited: Jun 23, 2006
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ok, I tested the latest "www.google.com" trojan (which I didn't test) in a sandbox... and I can confirm it's DEFINITELY a trojan (the behavior is identical to the previous one with the same name, now detected by most); so the fact that it's not detected by Kaspersky or Eset is NOT related to it being damaged or not-working. :cautious:
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The number of sites and trojans keeps growing. :(
    Just found a new one, with exploits, pornography, and link spam on it. The "www.google.com" trojan is a new one too, and undetected by ALL the AVs.

    This is definitely Coolwebsearch in their new course. Sigh.
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    According to KAV, three new variants are going to be detected with the next update. I sent two other new variants to Kevin McAleavey, so BOClean is likely to include these two in the next update as well. That's four different variants all undetected by any AV on Virustotal AND Jotti before the updates. And that's just the downloader.

    In a couple of days, I found dozens of sites pushing these trojans all over the place; there are hundreds, possibly thousands of different subdomains that seem to have been created with the sole intention of linking/pushing these trojans on web surfers, though so far, the only real download/exploit points are gbeb.cc, gromozon.com and xearl.com (DEFINITELY PUT THESE IN YOUR BLOCK LISTS!). My domain block list is going to include the linking sites too (they're all clearly created with the sole intention of getting a high search engine ranking and pushing exploits and trojans).

    The amount of link spam that was done to promote this crap is disgusting. :mad: Try to put "earticolo" in Google and see (but do NOT open the links!)... and that's just one domain. :mad:
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    First of all, I must say that I've tracked down all samples that Eset has recently received, but could not find any with the file www.google.com so I had to dig for it in Jotti's database. Eventually it turned out to be just a dropper, and the file dropped was immediately detected and blocked by AMON (the NOD32 file access scanner).
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There seems to be a problem at Eset with receiving e-mails from me; this is not the first time something I sent was not received.

    By the way, the www.google.com "just a dropper" is a downloader. Did you check if the downloaded file it tries to launch is detected? It wasn't last time I checked it.
     
  11. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    TNT, do you know what the AV vendors have named these new trojans? (I realize AV vendors choose different names)
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    "www.google.com" is Trojan.Win32.Agent.vp (Kaspersky); I'm going to try and let it download the other dropper (the one downloaded by Agent.vp) and see what it's called (I didn't save the file).

    EDIT: actually, I have the e-mail response from KAV: 3e2a8d.exe (the random-named file that "www.google.com" is responsible for downloading/starting) is Trojan-Dropper.Win32.Small.aqb.
     
  13. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Thanks, I use Kaspersky, I'll make sure I'm updated.

    I suppose it's hard these days for any of the AV vendors to be updated 100% of the time for 100% of the malware that's out there. I guess that's why they need new samples sent to them constantly.
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New variants are out. Once again, undetected by *ALL* antivirus engines. :doubt:
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Detected by NOD32's ThreatSense system without needing to update virus signatures :)
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Good news! ;)
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The same and/or new exploits and malware are now also loaded from a new site: td8eau9td(dot)com (created August 8, 2006), according to dnsstuff.com: http://www.dnsstuff.com/tools/whois.ch?ip=td8eau9td.com

    So far the culprits where the malware and exploits now physically reside are:
    gromozon(dot)com
    xearl(dot)com
    td8eau9td(dot)com

    Definitely put these in your block lists. Often (but not always) the exploits are triggered from a javascript on js(dot)gbeb(dot)cc/advertizing/ (do NOT visit!), and this JavaScript is included in many thousands of comment-spammed pages on literally hundreds of domains, some ranking quite high on Google, Yahoo and MSN. I'm trying to keep up by including these "jumper" domains in my blocklist as well, but (for now) as long as you include the four mentioned above you will block the exploits and malware as well. Please note that td8eau9td(dot)com had not been included in the latest blocklist I released as I found this domain only today (and probably wasn't even "alive" two days ago).

    By the way, do not rely too much on your antivirus for this: the latest trojan, a "FreeAccess.ocx" was detected (heuristically) only by eTrust-Vet on VirusTotal.

    Oh and by the way, it IS confirmed: this infection vector installs rootkits as well. There is an article here in Italian (I'm not the author and I'm not affiliated with them, but it seems reasonably well written... if you speak Italian...)
     
    Last edited: Aug 10, 2006
  18. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Drat! For once I thought I would get a chance to see what the fuss is all about, but two sites are closed by the abuse team, and the third is unresponsive :(
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They're not closed at all. It's a scam message on their "homepage" to make people think they have been shut down, when in fact they're open and very alive and pushing trojans all over the place. Contact me privately if you're sure you do want an actual live example (but again, please be sure of what you're doing).
     
  20. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Last edited: Aug 10, 2006
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They've tried various methods for appearing "innocent"... a while ago they had a server-side redirection to msn.com if you visited "homepage", meaning if you typed only the domain name in the address bar (of course they have nothing to do with the real msn.com at all).

    Now they pretend they've been shut down when in fact they sure haven't. The trojans and exploits, of course, are loaded from a subdirectory (in fact, a routinely randomized one) on those domains not from the "home", so they figured if they put a sign like that people might think their domains are now safe. They're not. They are easily some of the most dangerous active domains around right now.
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Just found yet ANOTHER new "www.google.com" trojan, and again it's undetected by ALL the AVs on VirusTotal and Jotti (and yes, that includes NOD's heuristics).

    Sigh.
     
  23. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    TNT,

    The infection vector is through JavaScript only?
    So using Firefox with NoScript plugin one would be immune if those domains were set to block JS?
    It is not using other vectors like Java or plugins: Flash, Realmedia, Quicktime, Acrobat Reader, is it?

    Thanks in advance.
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Most of the pages are using either a JavaScript obfuscation code or a JavaScript redirection to load the exploits on the aforementioned domains. If you don't run JavaScript at all, you're probably not going to encounter these (but I wouldn't be sure of it); however, be advised that the JavaScripts do NOT reside on the aforementioned domains, only on "jump" pages with lots of keywords in them (most probably to be indexed well on search engines), and THESE pages contain the JavaScript that loads the malware from those domains. So if you "blacklist" JavaScript for gromozon, xearl etc, nothing is going to change, you need to blacklist ALL the domains with the "jump pages".

    The exploits themselves are not just JavaScript exploits, they are a Windows Media Player exploit, a Java exploit, a JavaScript createControlRange exploit, a WMF exploit, and maybe some others.
     
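As an added example (not code posted by anyone in this thread), the following Python script shows the blocklist logic behind posts #17 and #24: the exploit domains named above are matched by DNS-label suffix, so js(dot)gbeb(dot)cc and any randomized subdirectory on gromozon(dot)com are caught by the apex entry, and a page's script includes and plain JavaScript/meta redirects are checked against the list. Running it against a constructed jump page illustrates TNT's point: with only the four exploit domains listed, the loader script and redirect targets are blocked but the jump page itself (and anything else it serves) is still allowed; the jump-page domain has to be on the list too. The page URL, the jump-page domain "jump-example.test" and the sample HTML are constructed for the example; the regexes only recognise unobfuscated includes and redirects, so they will not see through the obfuscated JavaScript the post describes, which is why the domain match, not the page scan, is the control to rely on.

```python
import re
from urllib.parse import urljoin, urlsplit

# Domains named in the thread as hosting the exploits/trojans or the loader script.
EXPLOIT_DOMAINS = {"gromozon.com", "xearl.com", "td8eau9td.com", "gbeb.cc"}

# Hypothetical "jump page" domain (the keyword-stuffed comment-spam pages that carry
# the loader JavaScript). Constructed placeholder, not a real finding.
JUMP_DOMAINS = {"jump-example.test"}


def is_blocked(host, blocklist):
    """Suffix match on DNS labels: 'js.gbeb.cc' is blocked by 'gbeb.cc',
    but 'notgbeb.cc' is not (a naive substring match would block it)."""
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Script includes and the simplest (unobfuscated) redirect forms on such pages.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
JS_REDIRECT = re.compile(
    r"(?:(?:window|document|top)\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_REFRESH = re.compile(r"content\s*=\s*['\"]\d+\s*;\s*url=([^'\"]+)['\"]", re.I)


def outbound_references(page_url, html):
    """Absolute URLs the page would load or jump to (relative URLs resolved)."""
    refs = []
    for pattern in (SCRIPT_SRC, JS_REDIRECT, META_REFRESH):
        for m in pattern.finditer(html):
            refs.append(urljoin(page_url, m.group(1).strip()))
    return refs


def triage(page_url, html, blocklist):
    """Classify the page itself and each outbound reference against the blocklist."""
    page_host = urlsplit(page_url).hostname
    blocked, allowed = [], []
    for ref in outbound_references(page_url, html):
        (blocked if is_blocked(urlsplit(ref).hostname, blocklist) else allowed).append(ref)
    return {
        "page_blocked": is_blocked(page_host, blocklist),
        "blocked_refs": blocked,
        "allowed_refs": allowed,
    }


def hosts_entries(blocklist):
    """hosts-file lines. Caveat: a hosts file has no wildcard, so every subdomain
    actually observed (e.g. js.gbeb.cc) must be listed explicitly, not just the apex."""
    return sorted(f"127.0.0.1 {d}" for d in blocklist)


# Constructed sample of a keyword-stuffed jump page (not a captured page).
SAMPLE_PAGE_URL = "http://jump-example.test/earticolo/index.html"
SAMPLE_HTML = """
<html><head><title>earticolo earticolo earticolo</title>
<meta http-equiv="refresh" content="5;url=http://xearl.com/a1b2c3/">
</head><body>
<script src="http://js.gbeb.cc/advertizing/"></script>
<script>window.location = "http://gromozon.com/k9f3/";</script>
<script src="/local/analytics.js"></script>
</body></html>
"""

if __name__ == "__main__":
    # Exploit domains only: loader and redirect targets blocked, jump page still allowed.
    print(triage(SAMPLE_PAGE_URL, SAMPLE_HTML, EXPLOIT_DOMAINS))
    # Jump-page domain added: the page itself is now blocked as well.
    print(triage(SAMPLE_PAGE_URL, SAMPLE_HTML, EXPLOIT_DOMAINS | JUMP_DOMAINS))
    print("\n".join(hosts_entries(EXPLOIT_DOMAINS)))
```

The suffix matcher is what a filtering proxy or DNS blocklist does; if the list is deployed as a hosts file, each observed subdomain has to be added by hand because hosts entries do not cover subdomains.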
  25. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    TNT, if you possess samples of these new trojans, are you submitting them to the various AV companies so that they can update their databases?
     