Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    TNT,

    What happens if you visit with a fully patched IE 6 WindowsXP SP2 with only JavaScript on (no ActiveX or Java)?

    I've been following this thread (trying at least), but it appears that in order for the www.google.com (a frequently customized/randomized trojan?) to automatically download and execute, they are using months old already patched exploits in IE, patched bugs in IE's JS implementation, patched OS bugs, patched WMP bugs, or Java and ActiveX.
    So wouldn't we just need to keep the OS updated and harden IE to block ActiveX and Java?

    What happens if you visit with Firefox and just JavaScript enabled (no Java or plugins)?
    If they are customizing their content based on user agent, then you can use the user agent switcher extension to fool them into thinking it is IE also.

And if you visit with Opera with only JavaScript enabled (no Java or plugins), it just prompts you to download www.google.com?

    How should we protect ourselves from this threat?
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, none of the vulnerabilities is unpatched as far as I can tell. Some are quite recent, however. Blocking ActiveX and Java is not enough if the system is unpatched; there's also a JavaScript vulnerability. Blocking JavaScript, however, probably blocks everything, as it seems all the exploits are run through an obfuscated JavaScript.

    It prompts you with a tiff that's actually a WMF (with exploit) and a "www.google.com" trojan. At least last time I checked it; but it also uses a Windows Media Player exploit, so possibly you're not truly "safe" by turning Java off and not accepting those binaries. Me, I use the VLC plugin instead of the WMP plugin so I don't have "direct" experience with this.

    Yes.

    I guess. I haven't tried that.

    Well, personally, I think the browser should be restricted/sandboxed, although keeping Windows patched MIGHT be enough for this particular threat now.
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you for the answers and for being the Wilder's Daredevil on this so we can learn about this in-the-wild threat. Most users don't get a chance to see how these things really work and it helps our security knowledge with this safe step by step threat analysis.
     
  4. tlu

    tlu Guest

    So the best recommendation is using Firefox with the excellent extension Noscript. It's important to forbid not only Javascript by default, but also Java and other plugins as shown on this page and to allow them only on sites that are absolutely trustworthy.
     
  5. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    TNT, could you also send your samples to Nick Skrepetos of SUPERAntiSpyware at:
    samples@superantispyware.com :)
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ok, I will do it. :)
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Good news for NOD32 users. Even if it doesn't detect the google.com droppers, it actually detects the file being dropped as unknown new heur_PE virus. (And only 2 other scanners detect this file.)
     
  8. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Which ones are they pykko?
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    TNT,

    I'm sure your efforts have a serious intention but your warning will not work.
    There are always dummies that will visit such sites and afterwards they will complain that they are infected.
    Therefore, on my own site, I have formally forbidden publishing such links.
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I sure hope most of people here are not to be considered "dummies". Dummies, as you probably intend the word, probably do not even consider going on computer security forums. Besides, knowing what the links are and what they do does more good than harm, in my opinion. In security ignorance is definitely not bliss. :cautious:
     
  11. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Let me say it another way, a clearer one: publishing links to malware is against Wilder's TOS and therefore a violation of it :cautious:
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Oh yeah, too bad there are no 'links'. :rolleyes:

    Besides, there is a CLEAR WARNING for the addresses published.
     
  13. controler

    controler Guest

    TNT

    How do you know about the vulns if no AV detects them? Are you seeing it thru PG?

    con
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The 'vulnerabilities' are not malware, nor are the exploits. Very few AVs seem very good at detecting exploits, especially if they're obfuscated through JavaScript. As for the malware, I see what files it drops with Sandboxie, I check what it sends through Core Force and Ethereal, and I see what executables are launched with Process Guard. As for these being malware, it's obvious. Legitimate files are not pushed through exploits; legitimate files don't try to contact and download from remote known malware source IPs in the background; legitimate files don't drop rootkits, or create files with reserved names that can't be removed with the 'normal' Windows tools.

    Also, legitimate sites are not spammed on comments boards and blogs, they don't use JavaScript obfuscation to hide what they do, and they don't contain a huge list of meaningless sentences to push keywords on the search engines.
     
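A worked example of the "obfuscated through JavaScript" point above, added here and not code from the thread or from the pages it discusses: a static peeler for the two wrapping tricks that loaders of this era commonly stacked, eval(unescape("%xx...")) and String.fromCharCode(...). The thread never names the exact scheme, so those two layers are an assumption; the sample script, the example.invalid host and the two-level nesting are constructed for the demo. The point is that the page's script is never executed: the layers are decoded as text, which is the same reason a signature on the outer file misses a recoded variant while the decoded payload stays the same.

```python
"""Static peeling of eval(unescape("%xx...")) and String.fromCharCode(...)
obfuscation layers.  Added example for this thread; nothing here is the
live page's script, and the sample below is constructed."""
import json
import re

# --- constructed sample --------------------------------------------------
# Innermost action: write an iframe pointing at a made-up, non-routable host.
IFRAME = '<iframe src="http://example.invalid/x.htm">'
INNER = 'document.write(String.fromCharCode(%s))' % ','.join(
    str(ord(c)) for c in IFRAME)


def js_escape_all(s):
    """Encode every character as %XX, as a loader's escape() layer would."""
    return ''.join('%%%02X' % ord(c) for c in s)


# Two nested eval(unescape(...)) wrappers; the outer one hides the inner one,
# so a signature on the outer text says nothing about the real payload.
MIDDLE = 'eval(unescape("%s"))' % js_escape_all(INNER)
SAMPLE = 'var x=1;eval(unescape("%s"));' % js_escape_all(MIDDLE)
# -------------------------------------------------------------------------

_EVAL_UNESCAPE_RE = re.compile(r'eval\(\s*unescape\(\s*"([^"]*)"\s*\)\s*\)')
_PCT_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
_FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([0-9,\s]*)\)')
_IFRAME_SRC_RE = re.compile(r'<iframe[^>]*?src=\\?"([^"\\]+)', re.IGNORECASE)


def js_unescape(s):
    """JavaScript unescape(): %XX -> that byte, %uXXXX -> that UTF-16 unit."""
    return _PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def peel(code, max_layers=8):
    """Return the successive layers, outermost first, of nested
    eval(unescape("...")) wrappers, without ever running any of them.
    Stops when no wrapper is left or max_layers is reached."""
    layers = [code]
    for _ in range(max_layers):
        m = _EVAL_UNESCAPE_RE.search(layers[-1])
        if m is None:
            break
        layers.append(js_unescape(m.group(1)))
    return layers


def expand_fromcharcode(code):
    """Replace String.fromCharCode(n, n, ...) with the literal it builds,
    JSON-quoted so quotes inside the built string stay escaped."""
    def _literal(m):
        nums = [n for n in m.group(1).split(',') if n.strip()]
        return json.dumps(''.join(chr(int(n)) for n in nums))
    return _FROMCHARCODE_RE.sub(_literal, code)


def iframe_sources(code):
    """Pull the src of every iframe out of the decoded text."""
    return _IFRAME_SRC_RE.findall(code)


def analyze(code):
    """Peel all wrappers, expand char-code strings in the innermost layer and
    return (layers, innermost_decoded, iframe_sources)."""
    layers = peel(code)
    final = expand_fromcharcode(layers[-1])
    return layers, final, iframe_sources(final)


if __name__ == '__main__':
    layers, final, srcs = analyze(SAMPLE)
    for i, layer in enumerate(layers):
        print('layer %d: %s' % (i, layer[:70]))
    print('innermost:', final)
    print('iframe src:', srcs)
```

In practice the innermost layer is where the exploit selection lives (the user-agent and version checks the thread describes), so this is the text to read, not the outer file; a sample that uses other wrappers (string reversal, arithmetic on char codes, document.write of a script tag) needs one more peel function per trick, written the same way.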
  15. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    TNT, are you an active member of Malware Research?
    http://malware-research.co.uk/

    Your information could be shared in a collective technical environment which includes AV and AS vendors. :)

    The main complaint I have against some of the AV giants out there (no brand names mentioned), is their inability to delete the malware that is detected. Why detect it if you can't get rid of it?

    Case in point, example from brand X AntiVirus:
    Object Name: C\WINDOWS\lpt7.jcq
    Virus Name: Trojan Horse
    Action Taken: Unable to repair this file
    Action Taken: Access to this file was denied.


    All they have to do is take the extra time to tag the files and registry entries and delete them during a reboot before Windows starts. People pay good money for these programs. I work in the IT industry and I hear it every day from customers, "After $70.00, why doesn't my expensive antivirus delete these files?" "You mean to tell me that the free program you had me download and run got rid of this stuff, but my $70.00 'bright yellow box' AntiVirus program could see it, but couldn't?" It's time these AV vendors either *blank* or get off the pot, especially that popular one in the 'bright yellow box', it's expensive, bloated, and incompetent. To think that there are free removal programs out there in the forums that are developed by programmers in their spare time that completely and competently remove these infections is a disgrace to the commercial AV industry.
     
  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No. I didn't actually even know about it. :)

    You know, this you describe is actually most probably a file dropped by THIS infection vector. :doubt: I know, because I've seen how it works and what people infected by this experience (and there's a lot in Italy)... :doubt:

    You can't get rid of that file with 'normal' Windows stuff because it has a reserved name (it's usually NUL or COM or LPT or PRN followed by a number and a "random" extension). IceSword deletes it without problems.

    But anyway, yeah, many AV/AT/AS etc. can't delete all the malware they detect once it's on the computer.

    Yeah, I pretty much agree with a lot of what you said (see the IceSword example above), only one thing: removing infection in SOME cases (certainly not all the cases where many of the 'popular' AVs fail) might be a really difficult task, because essential system files or their behaviour could have been "corrupted" by the malware; rootkits can be an example of this, but not just them.

    Anyway, I'm not as experienced with actual malware behavior "on the system" as I am with what they try to do (for instance) to exploit vulnerabilities in the browser or to hide their tricks during http transmission, as I always worked as a programmer for so-called "web" applications rather than "system" applications: this means usually a lot of scripting language, but actually not very much contact with the "low-level" programming languages.
     
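An added example for the two removal points above (the lpt7.jcq file from post 15 and the reserved-name explanation in post 16); this is not code from the thread, from IceSword or from any AV product. It shows why a name like lpt7.jcq defeats Explorer and del (the Win32 layer maps the part before the first dot to the LPT7 device, for any extension), how the \\?\ extended-length prefix skips that mapping so an ordinary DeleteFile/os.remove works on it, and what the delete-at-reboot mechanism the post asks vendors to use looks like (the PendingFileRenameOperations value that MoveFileExW writes). The directory tree is constructed in a temp folder; the reserved-name list is the classic CON/PRN/AUX/NUL/COM1-9/LPT1-9 set.

```python
"""Reserved DOS device names as a deletion obstacle, and two ways around it.
Added example for this thread; the sample tree is constructed."""
import os
import shutil
import tempfile

# Classic Win32 reserved names; the check applies to the text before the
# first dot, so "lpt7.jcq" and "NUL.tmp" are devices, "lpt7x.jcq" is not.
_RESERVED = ({'CON', 'PRN', 'AUX', 'NUL'}
             | {'COM%d' % i for i in range(1, 10)}
             | {'LPT%d' % i for i in range(1, 10)})


def is_reserved_device_name(name):
    """True if the Win32 path parser would treat this file name as a device."""
    stem = name.split('.', 1)[0]
    return stem.upper() in _RESERVED


def extended_path(path):
    """Return the \\?\ (extended-length) form of an absolute Windows path.
    With this prefix the Win32 layer skips device-name and 8.3 parsing, so
    os.remove / DeleteFileW act on C:\\WINDOWS\\lpt7.jcq as a plain file.
    Only meaningful on Windows; on other systems the string is just built."""
    if path.startswith('\\\\?\\'):
        return path
    if path.startswith('\\\\'):            # UNC share: \\srv\share -> \\?\UNC\srv\share
        return '\\\\?\\UNC\\' + path[2:]
    return '\\\\?\\' + path


def find_reserved_names(root):
    """Walk root and return sorted (basename, extended absolute path) pairs
    for every file whose name the Win32 layer would treat as a device."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if is_reserved_device_name(fn):
                full = os.path.abspath(os.path.join(dirpath, fn))
                hits.append((fn, extended_path(full)))
    return sorted(hits)


def remove_reserved(path):
    """Delete a reserved-name file on Windows through its \\?\ form.
    This only fixes the naming problem: a file a rootkit hides or locks
    still needs a tool that works below Win32, as the thread says."""
    if os.name != 'nt':
        return False
    os.remove(extended_path(os.path.abspath(path)))
    return True


def pending_delete_value(paths):
    """Build the REG_MULTI_SZ list that MoveFileExW(src, NULL,
    MOVEFILE_DELAY_UNTIL_REBOOT) appends to
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations:
    pairs of (NT path, target), where an empty target means "delete at next
    boot", before Explorer or any autostart entry runs."""
    value = []
    for p in paths:
        value.append('\\??\\' + p)      # NT object-manager form of C:\...
        value.append('')
    return value


def make_sample_tree():
    """Create a throwaway directory with constructed file names."""
    root = tempfile.mkdtemp(prefix='reserved_demo_')
    win = os.path.join(root, 'WINDOWS')
    os.makedirs(win)
    for name in ('lpt7.jcq', 'nul.dat', 'readme.txt', 'com10.bin', 'lpt7x.jcq'):
        target = os.path.join(win, name)
        if os.name == 'nt':           # plain open() fails on a device name
            target = extended_path(target)
        with open(target, 'w') as fh:
            fh.write('x')
    return root


def cleanup(root):
    shutil.rmtree(extended_path(root) if os.name == 'nt' else root)


if __name__ == '__main__':
    demo = make_sample_tree()
    for name, ext in find_reserved_names(demo):
        print('reserved name: %-10s delete via %s' % (name, ext))
    print(pending_delete_value([r'C:\WINDOWS\lpt7.jcq']))
    cleanup(demo)
```

From a command prompt the same trick is `del \\?\C:\WINDOWS\lpt7.jcq`; the reboot-time route is what an AV would take for a file it cannot open while Windows is up, and neither helps if the file is only visible from outside the running system because a rootkit filters the listing.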
  17. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    So does Avenger.
    That's an excellent point. Unfortunately, a lot of this stuff does target AV programs. It's just that my customers keep screaming in my ear. (LOL!) :D

    But I think you would like all the dialogue exchanged in the Malware Research forum.
     
  18. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Kaspersky and Avira.
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Really only these two? :blink:
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Boclean, though not an on demand multiple file scanner, detects google.com and its variants, running in memory or if it attempts to run or install
     
  21. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    89
    Location:
    Boynton Beach, FL
    It certainly does...

    GOOGLE.COM
    GOOGLE.COM10
    GOOGLE.COM11
    GOOGLE.COM12
    GOOGLE.COM13
    GOOGLE.COM14
    GOOGLE.COM15
    GOOGLE.COM16
    GOOGLE.COM17
    GOOGLE.COM18
    GOOGLE.COM19
    GOOGLE.COM2
    GOOGLE.COM3
    GOOGLE.COM4
    GOOGLE.COM5
    GOOGLE.COM6
    GOOGLE.COM7
    GOOGLE.COM8
    GOOGLE.COM9

    ...obviously the above is from BOC's 8/23 list of covered trojans.
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, they have just replaced all the trojans. Just found 5 new variants, all undetected by all the AVs, including BOClean. This is not good at all. :mad:

    EDIT: just got the response from Kaspersky: this is "Trojan.Win32.Obfuscated.a"... they evidently changed the code enough to warrant a new name. :doubt:
     
    Last edited: Aug 23, 2006
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Would you mind sending those samples to samples [at] eset.com as well? I don't believe it should be called "obfuscated", NOD32 has been detecting functional samples of this kind of threat by heuristics for some time.
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I wrote a full writeup of what we actually know about this threat.

    I hope you'll like it

    My pdf report

    Best regards,

    Marco :)
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    @ EraserHW: excellent, excellent. :thumb: Make sure this paper gets published or mentioned in "important" places too, like ISC, CastleCops, etc. :)

    @ Marcos: ok.
     