How a trojan installs

Discussion in 'malware problems & news' started by Rmus, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've often wondered, but have never been able to test and watch how a trojan installs until today, when I had the opportunity to run a file that unpacked a trojan. It was on a freeware site I was told about, that had a reputation for bundling adware and other stuff with the freeware. At the time, I did not know what was going to happen.

    First, I downloaded the file. I had to turn off my execution protection (Anti-Executable) so that the file could download.

    Then, I re-enabled the execution protection, executed the file, and AE blocked the unpacking of another file, msmsg.exe.

    Searching for msmsg.exe I discovered the reference to Trojan.Zlob.B.

    Then I disabled execution protection and let the file complete its installation, and it installed msmsgs.exe:
    ----------------------------
    C:\WINNT\system32\msmsgs.exe
    ----------------------------

    and immediately my firewall alerted/blocked an outbound attempt:
    -----------------------------------------------------------------
    25/Aug/2005 13:17:52 Rule: Deny Windows Explorer blocked; Out TCP;
    localhost:1035->xx.xxx.xxx.xx:80; Owner: C:\WINNT\EXPLORER.EXE
    -----------------------------------------------------------------


    I found these Registry Entries:
    -----------------------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    RegSvr32/C:\WINNT\system32\msmsgs.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
    "notepad.exe"="msmsgs.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe, msmsgs.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    "uuid"="7dc713f1-ec56-4750-993d-42b05e117d64"
    -----------------------------------------------------------------

    This behavior is described here:

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.b.html

    Recently, this Trojan.Zlob.B was referenced at

    https://www.wilderssecurity.com/showthread.php?t=94506

    https://www.wilderssecurity.com/showthread.php?t=86367


    Another reference to this and adware trojans pointed out that the constant slight changing of the code allows them to be undetectable until the detection program database is updated. The cat and mouse game.

    How does the user respond to an alert like I received?

I would always be suspicious that a program would unpack another .exe file.

    But, not always easy to make those decisions.

    At least, the trojan would be blocked from loading until the user could decide whether or not to permit the installation to complete.



    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am aware of the website that trojan is found at. Believe me it looks like a legitimate website.

    The website makes you think it is a legitimate codec with wording like this:

"Program x" is a multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. "Program x" will highly increase quality of video files you play.

There are some websites that have "must see" videos on them that refer to the website where this trojan is found. Usually the video website will say something to the effect of "best viewed with these codecs" and link to the site where the trojan is found.

The reason why this website is so dangerous is because it really looks legit to the average user. This website might even fool people that trust too much in their AV. AVs like KAV and NOD only sometimes detect the trojan on the website. Almost as soon as they add detection... the website makes the trojan undetectable again.

This website might fool people that trust too much in their HIPS. The application looks legit. The PG alert pops up... you click through because you want to view the video using these new codecs... You know how we on Wilders experiment. We want better performance and this site makes all sorts of claims of performance improvement... next thing you know, malware on the computer.

    The question now is....Did the HIPS fail or the operator fail?





    Starrob
     
    Last edited: Aug 26, 2005
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hey Rich

I was just wondering how you found those file and registry entries? (edit: Sorry, reread, I see how you found the exe, so just curious about the reg entries)

It got me to thinking, Online Armor tracks installation, and it shouldn't be too hard to produce a simple report stating:

1. if a program installed anything outside its installation directory
2. registry changes, with autorun entries highlighted

I put a post in the 'Has anyone heard of Online Armor' thread in relation to this thought, but was still curious how you found them all (manually, or by other means, e.g. WinPatrol, or some registry program).
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
Perhaps you could give us a clue as to which freeware site and which program? I frequent a number of freeware sites and am always downloading bits and pieces of AV.

If this is a rogue freeware site it should be exposed and shut down.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When the alert box pops up blocking the unpacking of the .exe, it shows the filename and the directory where it's attempting to install.

I searched the Registry for that filename (msmsgs.exe). The 'uuid' entry I found later after reading about the trojan on the Symantec site.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As you know, Wilders does not permit posting links to sites with malware. You can understand why - if a user's AV/AT didn't catch it, and if there weren't other safeguards in place, it could be messy.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
Some of the most common places you will find a trojan!!

system.ini [boot], msconfig: shell=explorer.exe

win.ini [windows], msconfig: run=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="
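The autostart locations listed in this post, and the entries Rmus found in the first post, can be audited mechanically rather than by searching the Registry by hand. The following Python is an added example, not code from this thread or from any product mentioned in it: it parses a .reg export (a constructed sample modelled on the entries reported in the first post; the data values are ours) and reports Run and policies\explorer\run entries, a Winlogon Shell or Userinit value that deviates from the default, and any executable that is referenced from more than one autostart location, which is the redundancy pattern the thread describes.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (values are ours; key paths are the ones the posts name).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINNT\\SOUNDMAN.EXE"
"RegSvr32"="C:\\WINNT\\system32\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, msmsgs.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
'''

# Autostart keys from the thread, compared case-insensitively.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "Run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce": "RunOnce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run": "PoliciesRun",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon": "Winlogon",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} (string values unescaped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = _unescape(m.group(2)) if m.group(2) is not None else (m.group(3) or "")
            keys[current][name] = data
    return keys


def _tokens(data: str) -> List[str]:
    # Winlogon values are comma-separated lists ("Explorer.exe, msmsgs.exe").
    return [t.strip().strip('"') for t in data.split(",") if t.strip()]


def audit_autostarts(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for every autostart entry worth a look."""
    findings = []
    for path, values in keys.items():
        label = AUTOSTART_KEYS.get(path.lower())
        if label is None:
            continue
        for name, data in values.items():
            if label == "Winlogon":
                # Only Shell and Userinit are checked; both have a single well-known default.
                if name.lower() == "shell" and data.strip().lower() != "explorer.exe":
                    findings.append((path, name, data, "Shell should be exactly explorer.exe"))
                elif name.lower() == "userinit":
                    toks = _tokens(data)
                    if len(toks) != 1 or not toks[0].lower().endswith("\\userinit.exe"):
                        findings.append((path, name, data, "Userinit should be only <system32>\\userinit.exe"))
                continue
            if label == "PoliciesRun":
                reason = "policies\\explorer\\run entry (rarely used legitimately)"
            elif "\\" not in _tokens(data)[0]:
                reason = "autostart without a full path"
            else:
                reason = "autostart entry (review)"
            findings.append((path, name, data, reason))
    return findings


def repeated_executables(keys: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map executable basename -> autostart keys that reference it, for names seen in more than one key."""
    seen: Dict[str, set] = {}
    for path, values in keys.items():
        if path.lower() not in AUTOSTART_KEYS:
            continue
        for data in values.values():
            for tok in _tokens(data):
                seen.setdefault(os.path.basename(tok.replace("\\", "/")).lower(), set()).add(path)
    return {exe: sorted(paths) for exe, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name, data, reason in audit_autostarts(parsed):
        print(f"{reason}: [{key}] {name} = {data}")
    for exe, paths in repeated_executables(parsed).items():
        print(f"{exe} is referenced from {len(paths)} autostart locations")
```

Run it against an export taken with `reg export` (or the whole hive, since non-autostart keys are ignored); because it reads a saved file it can be used on a dump from an infected machine without touching that machine's registry again. The checks are heuristics: a full-path Run entry is reported for review rather than judged, while a Shell value that is anything but explorer.exe, or one file name turning up in several autostart keys, is the kind of thing the first post's findings show should stand out.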