New rogue (MS 2009)

Discussion in 'other anti-malware software' started by curious george, Jan 30, 2009.

Thread Status:
Not open for further replies.
  1. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    The new rogue application that's been going around. I was infected by it a few seconds ago, while virtualizing. Anywho, I ran the app sandboxed with Sandboxie, and it still managed to get across, perhaps a mistake on my behalf. But yeah, keep an eye out.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: New rogue (MS 2009)

    I have 5 different installers for MS AntiSpyware 2009 and all of them will only partly install sandboxed before the below error shows up.

    Dregs do remain in the sandbox but a simple delete contents gets rid of everything with no breaches at all.

    Capture.JPG
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: New rogue (MS 2009)

    Is that its full name? MS 2009?
     
  4. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: New rogue (MS 2009)

    We have been tracking it since earlier this week; it is being imported by a fake codec install (tubeviewer.exe) but is also travelling with a Z-bot on those installs.

    http://threatexpert.com/report.aspx?md5=6a8631343060fc3d99eb375ab0d3b34e

    If you would like source URLs then drop me a PM :thumb:
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Re: New rogue (MS 2009)

    On Vista SP1, I let MAS 2009 install virtualized with Sandboxie and get the same results as Franklin. On XP SP3, the virtualized install will complete normally. I see, however, zero file system and registry leakage (verified by Malware Defender and other means). When I terminate the virtualized session (IE + the virtualized child processes the install spawned), MAS 2009 is gone. My Sandboxie settings are out-of-the-box default.

    Nick
     
    Last edited: Feb 1, 2009
  8. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Re: New rogue (MS 2009)

    Just tick the damn checkbox to drop rights and nothing will ever be installed...
    Not that hard, my nephew could understand it over the phone, not exactly rocket science.
     
  9. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Re: New rogue (MS 2009)

    OK, so it's rogue, but is it as good as CyberDefender Ad/Spyware-Sponsored Internet Security with the picture of a naked woman for the Immunize PC icon? Has to have some good points! We are so critical of malware; were it not for that, why would we be here? :D

    Dave
     
  10. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: New rogue (MS 2009)

    Hmm, not that I have had a chance to play with Sandboxie, but I have one question for those more informed on its operations.

    Does it prevent the Z-bot component from actively harvesting passwords/logins etc. and phoning home the data to the mothership?

    Bear in mind Z-bot clears caches locally and subsequently all logins/passwords re-entered are then collected by it. The collected data is then transmitted back home to the bad guys :mad:
     
  11. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Re: New rogue (MS 2009)

    If your sandbox is configured to only launch certain apps, it shouldn't run in the first place. IMHO, that is the best way of preventing crap from leaking outside the sandbox.
     
  12. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Re: New rogue (MS 2009)

    Not an answer, but a question. Would Z-bot hijack a process for transmitting the stolen data, or use its own created process for that chore? Would a decent firewall prevent the transmission, or at least flag it?


    Mike
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: New rogue (MS 2009)

    Yes, it injects itself into winlogon.exe and from there into many core system processes. From there it can utilize those processes to do its dirty work.

    A good firewall will catch the outbound traffic if it's not preconfigured to allow M$ processes by default, but then again, even if a new alert is generated, that would be for the M$ executable name and not the trojan file by its name.

    HTH :)
     
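    The point above, that an injected Z-bot phones home under the name of a Microsoft process rather than its own file name, is what a per-process firewall alert has to be read against. The following is an added example (not code from the thread or from any product it mentions) that walks a constructed per-process firewall log and flags outbound Internet connections from core Windows processes that should never be initiating traffic. The log format, the process list and the destination addresses are all assumptions made for this example.

```python
# Added example: flag outbound Internet connections attributed to core Windows
# processes that normally never initiate traffic (e.g. winlogon.exe). An
# injected trojan shows up under the host process name, so the detection keys
# on "which process" and "where to", not on the trojan's own file name.
import ipaddress
import re
from collections import Counter

# Processes that should not open outbound Internet connections on a workstation
# (assumption for this example; tune to your environment).
SUSPECT_HOST_PROCESSES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe"}

# LAN / loopback ranges; traffic to these (e.g. DNS to the gateway) is ignored.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (not a real firewall's format). Destinations are
# RFC 5737 documentation addresses; tubeviewer.exe is the fake codec named above.
SAMPLE_LOG = """\
2009-02-01 10:12:03 ALLOW OUT iexplore.exe 192.168.1.20:1043 -> 192.0.2.10:80
2009-02-01 10:12:05 ALLOW OUT winlogon.exe 192.168.1.20:1044 -> 203.0.113.7:443
2009-02-01 10:12:07 ALLOW OUT svchost.exe 192.168.1.20:1045 -> 192.168.1.1:53
2009-02-01 10:12:09 ALLOW OUT winlogon.exe 192.168.1.20:1046 -> 203.0.113.7:443
2009-02-01 10:12:11 BLOCK OUT tubeviewer.exe 192.168.1.20:1047 -> 198.51.100.9:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) OUT (?P<proc>\S+) "
    r"(?P<src>\S+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def suspicious_connections(log_text):
    """Return ALLOWed records where a core Windows process reaches a non-LAN address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "ALLOW":
            continue
        if rec["proc"].lower() not in SUSPECT_HOST_PROCESSES:
            continue
        if is_local(rec["dst_ip"]):
            continue
        hits.append(rec)
    return hits

def summarize(hits):
    """Count (process, destination) pairs so repeated beaconing stands out."""
    return Counter((h["proc"], h["dst_ip"]) for h in hits)
```

    On the sample log this reports the two winlogon.exe connections to the same external host and nothing else; the blocked tubeviewer.exe line is left to the firewall's own block alert.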
  14. wat0114

    wat0114 Guest

    Re: New rogue (MS 2009)

    Under: Restrictions-> Internet access, only programs listed by file name are allowed Internet access, so for example: iexplore.exe and/or firefox.exe are listed. These programs could also be forced to run in the sandbox, so based on this info, would the trojan be prevented from transmitting out? fcukdat, you mention it injects itself into core processes; could those files be affected?
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: New rogue (MS 2009)

    Yes, it has been seen to inject itself into the iexplore.exe process, so yes, it could manipulate it under normal circumstances.

    My original question was how it would behave in a sandboxed environment.
     
  16. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Re: New rogue (MS 2009)

    Would an Anti Executable stop this from installing / running rather than trying to stop it with a sandbox?
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No, since none of the attacks seem to have been the result of a drive-by download. However, some victims don't give many details, and would seem to imply that the infection happened without doing anything:

    http://removal-tool.blogspot.com/2008/12/ms-antispyware-2009-removal-as.html
    You can't tell from this what exactly happened.

    Two ways of becoming victimized have been reported by security analysts as:

    http://www.xp-vista.com/spyware-removal/ms-antispyware-2009-removal-info-msantispyware2009
    http://www.spywareremove.com/removeMSAntiSpyware2009.html
    In the first method, where the user agrees to install the codec or other type of file that is infected, the user will turn off Anti-execution protection to permit the installation.

    The same with the second method, where the user is redirected to a malicious website which generates popups with dire warnings that your computer is infected with worse than rats. Again, if the user agrees to install, the user will turn off Anti-execution security protection in order to permit the installation.

    These fake animated scans depend on javascript being enabled. Once the deceptive scan starts, it can be difficult to back out. Here is one from an earlier Antivirus 2009 exploit:

    http://www.urs2.net/rsj/computing/tests/winantivir2009/

    Prevention from these rogue products is simply to have a firm policy in place never to install anything that you didn't go looking for (Brian Krebs tip).

    Also, not to pay any attention to popup results from a scanner other than your own while online. If in doubt, disconnect from the internet and scan with your own Antivirus product.

    ----
    rich
     
    Last edited: Feb 1, 2009
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: New rogue (MS 2009)

    I think you can't be sure unless you try it. I can guess that under normal circumstances it will not be able to tamper with any process running outside the sandbox, but it can inject into the sandboxed processes and can even connect out through them, provided it is able to run. I will try it and see.
     
  19. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Re: New rogue (MS 2009)

    yes it does, and thanks. Prevx Edge knocked 'em on their a$$.


    Mike
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: New rogue (MS 2009)

    Which check box are you talking about?
     
  21. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Good strategy; however, in my case with this infection, Antivir bugged the butter out of me with block/quarantine pop-ups as I was attempting to install this malcode. The second infection I had access to, Avira didn't 'know' a thing about it.

    Prevx Edge pulled the rug out from both.


    Mike
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I was referring to disregarding any popup warnings from any but your own scanner while on line.

    ----
    rich
     
    Last edited: Feb 1, 2009
  23. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Mike,
    Out of interest, what heuristic settings were you using on Edge?
     
  24. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Edge did not initially flag on its executable (the first one I downloaded), so I wanted to see if Edge's behavioural analysis capabilities would kick in. Also I was told if left to "fester" this infection would download rootkits, and other malcode. Again I wanted to see first hand how Edge responded to this.

    All this btw done sandboxed, with DefenseWall rights restrictions, under the blanket of Shadow Defender, with a newly created image waiting in the wings....just in case. :argh:


    Mike
     
  25. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    http://www.postimage.org/image.php?v=Pq10Xc0J

    Well, not what I hoped to accomplish, but there is the answer. :oops:

    I felt (according to the Edge Help file) that I met the criteria of an infrequent software installer (of course that is an arbitrary standard), so this setting is a good balance for me between protection and FPs.

    hope this helps.


    Mike
     