Lavasoft Security Bulletin: October 2013
Top20 Blocked Malware
| Position | Ad-Aware detection | % of all threats | Change in ranking |
| 1 | Win32.Trojan.Agent | 36.59% | +0.98% |
| 2 | Trojan.Win32.Generic!BT | 27.90% | +4.63% |
| 3 | Trojan.Win32.Generic!SB.0 | 3.48% | +2.38% |
| 4 | Virus.Win32.Sality.ah | 1.30% | -0.51% |
| 5 | Trojan.Win32.Ramnit.c | 1.18% | -1.52% |
| 6 | Malware.JS.Generic | 1.01% | -1.58% |
| 7 | Trojan.Win32.Generic.pak!cobra | 0.96% | -2.93% |
| 8 | Trojan-Dropper.Win32.Agent | 0.94% | -0.30% |
| 9 | Trojan-Downloader.Win32.Banload.ayqh | 0.88% | new |
| 10 | HackTool.Win32.Keygen | 0.69% | -0.45% |
| 11 | Virus.VBS.Ramnit.a | 0.65% | -0.55% |
| 12 | Virus.Win32.Ramnit.a | 0.57% | new |
| 13 | Trojan.Win32.Jpgiframe | 0.43% | -0.52% |
| 14 | Virus.Win32.Sality.bh | 0.43% | new |
| 15 | Virus.Win32.Ramnit.b | 0.42% | -0.12% |
| 16 | Win32.Parite.b | 0.33% | new |
| 17 | Virus.Win32.Jadtre.b | 0.31% | new |
| 18 | Trojan.Win64.Sirefef.ca | 0.31% | new |
| 19 | Virus.Win32.Sality.at | 0.26% | -0.66% |
| 20 | Email-Worm.Win32.Brontok.a | 0.25% | -0.94% |
The Top 20 malicious programs blocked on PCs
Malware Prevalence Table - October 2013
Let’s review and consider information on the number of unique files with the same detection name.
| Position | Ad-Aware detection | % of all threats | Change in ranking |
| 1 | Trojan.Win32.Generic!BT | 36.86% | +1.64% |
| 2 | Trojan-Downloader.Win32.LoadMoney.u | 11.88% | +3.10% |
| 3 | Worm.Win32.Gamarue.z | 6.00% | +0.41% |
| 4 | Trojan.Win32.Generic.pak!cobra | 5.82% | +0.84% |
| 5 | Virus.Win32.Virut.ce | 2.26% | +0.09% |
| 6 | Trojan.Win32.Generic!SB.0 | 2.14% | +0.59% |
| 7 | Virus.Win32.Expiro.gen | 1.97% | new |
| 8 | Malware.JS.Generic | 1.28% | +0.13% |
| 9 | Worm.Win32.Gamarue.af | 1.26% | new |
| 10 | Trojan.Win32.Kryptik.acsn | 1.00% | +0.04% |
| 11 | Win32.Malware!Drop | 0.81% | +0.10% |
| 12 | Trojan.Win32.Desini.a | 0.75% | -0.12% |
| 13 | Trojan-Dropper.Win32.Gepys.a | 0.75% | -0.01% |
| 14 | Trojan.JS.Obfuscator.aa | 0.68% | +0.02% |
| 15 | FraudTool.Win32.FakeRean | 0.63% | -0.02% |
| 16 | Trojan.Win32.DotNet.c | 0.61% | new |
| 17 | Trojan.Win32.Runner.a | 0.58% | -0.21% |
| 18 | Trojan.StartPage | 0.56% | new |
| 19 | Trojan.Win32.Vobfus.paa | 0.51% | +0.14% |
| 20 | TrojanPWS.Win32.OnLineGames.ahj | 0.46% | +0.04% |
New malicious programs entered the Top 20
A new Fake-AV interface that falsely claims to detect hidden threats on a user’s computer was discovered in the wild in October. It is detected by twelve of the forty-eight antiviruses on VirusTotal.
Fake AV (MD5: a3ed09d61f7622ec506e12f967ae06ba) is detected by Ad-Aware as Gen:Variant.Strictor.4450
Virustotal detects MD5: a3ed09d61f7622ec506e12f967ae06ba
Ransomware infections are on the rise. A new variant claims that local law enforcement/government organisations have blocked the affected computer. The new blocker detects a country by the victim’s IP address and shows a corresponding message in order to make the scam seem legitimate. This threat is detected by fifteen of the forty-eight antiviruses on VirusTotal.
Ransomware: (MD5: f6d63190089664f276b65a7c3baf8aa0) is detected by Ad-Aware as Trojan.Generic
Virustotal detects for MD5: f6d63190089664f276b65a7c3baf8aa0
AlienVault Lab recently announced that new ransomware variants now demand BitCoins to unlock a computer.
The crypto blocker (MD5: 012d9088558072bc3103ab5da39ddd54) detected by Microsoft as Trojan:Win32/Crilock.A demands payment in either MoneyPak (USA only), Ukash, cashU and Bitcoin making it harder to trace the attacker. As usual, the crypto locker tries to intimidate the victim user with the encryption details used, such as algorithm name and its unbreakable key length: RSA-2048 referencing to Wikipedia. The program uses standard Microsoft Enhanced Cryptographic Provider v1.0.
To automatically run itself each time Windows is booted, the blocker adds the following link to its file to the system registry autorun key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CryptoLocker" = "%Documents and Settings%\%user%\Application Data\{D0EE94E5-EF8C-E6CC-8E83-EFF5CFCD2F14}.exe"
The malware tries to connect to C&C using DGA (Domain Generation Algorithm) to get RSA public key for encryption:
The C&C server is not currently reachable and some of the domains are sinkholed:
Once the key is received from the C&C server the malware starts looking for files with the following extensions aiming to encrypt them:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.indd, *.cdr, img_*.jpg, *.dng, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.ptx, *.pef, *.srw, *.der, *.cer, *.crt, *.pem, *.pfx
To get a private key a user should pay $300 in a limited amount of time (72 hours) after which the key will be deleted. If you try to enter incorrect information the locker will reduce the time to destroy the private key in half.
This is yet another example of ransomware which has started demanding ransoms be paid in BitCoins making these transactions anonymous and for all intents and purposes, impossible to trace.
Bots Review
Table: Bots under analysis (October 2013, Lavasoft MAS).
| Bot's name | September Count | October Count | Changes |
| Zbot | 479 | 505 | 1,6% |
| Cycbot | 77 | 78 | 0,1% |
| Kelihos | 629 | 700 | 4,5% |
| NrgBot/Dorkbot | 252 | 282 | 1,9% |
| Blazebot | 5 | 2 | -0,2% |
| Shiz | 10 | 13 | 0,2% |
| Total | 1452 | 1580 |
Bot distribution in October:
In the last Kelihos report we noticed that the backdoor uses randomization for autorun key registry values and for dropped files names. In October we saw an increased variety in Kelihos update file names.
In addition to the well known names:
calc.exe, rasta02.exe, traff01.exe, keybex4.exe, mongo02.exe
We discovered some new ones; some of them contain Russian names (e.g. Misha, Boris):
devils1.exe, userid2.exe, mia0002.exe, blacks1.exe, felix03.exe, goodtr2.exe, same7b1.exe, b0ber03.exe, inkr001.exe, safpro1.exe, bubba04.exe, nimble1.exe, gossam1.exe, upeksvr.exe, tretiy1.exe, misha01.exe, boris02.exe, balls02.exe, crypt01.exe, dun0004.exe
Shiz backdoor has been still using DGA to create new domain names with European Union’s top-level domain “.EU” (sample MD5: b19171daa6f4602db826c9c4bd9d2fe5):
Resolved:
IP: 50.116.56.144 Name: gadufiwabim.eu
IP: 50.116.56.144 Name: cihunemyror.eu
IP: 50.116.56.144 Name: jefapexytar.eu
IP: 173.230.133.99 Name: kefuwidijyp.eu
IP: 204.79.197.200 Name: www.bing.com
IP: 50.116.56.144 Name: foxivusozuc.eu
IP: 50.116.56.144 Name: fokyxazolar.eu
IP: 50.116.56.144 Name: ryqecolijet.eu
IP: 96.43.141.186 Name: digivehusyd.eu
IP: 50.116.56.144 Name: xuqohyxeqak.eu
IP: 50.116.56.144 Name: lyruxyxaxaw.eu
IP: 50.116.32.177 Name: galokusemus.eu
IP: 166.78.144.80 Name: jewuqyjywyv.eu
Unresolved:
gahihezenal.eu, puregivytoh.eu, nofyjikoxex.eu, tuwikypabud.eu, qegytuvufoq.eu, kepymexihak.eu, vojacikigep.eu, makagucyraj.eu, xuxusujenes.eu, tucyguqaciq.eu, lymylorozig.eu, jepororyrih.eu, xubifaremin.eu, nozoxucavaq.eu, dimutobihom.eu, voniqofolyt.eu, puvopalywet.eu, ciliqikytec.eu, tunujolavez.eu, xutekidywyp.eu, dikoniwudim.eu, fogeliwokih.eu, dixemazufel.eu, divywysigud.eu, lyvejujolec.eu, puzutuqeqij.eu, fobonobaxog.eu, qederepuduf.eu, rydinivoloh.eu, kemocujufys.eu, lysovidacyx.eu, nojuletacuf.eu, qeqinuqypoq.eu, magofetequb.eu, tupazivenom.eu, marytymenok.eu, rynazuqihoj.eu, jejedudupuc.eu, rytuvepokuv.eu, volebatijub.eu, ciqydofudyx.eu, vofozymufok.eu, cinepycusaw.eu, keraborigin.eu, qetoqolusex.eu, pumadypyruv.eu, nopegymozow.eu, masisokemep.eu, gatedyhavyd.eu, fodakyhijyv.eu, cicaratupig.eu, vocumucokaj.eu
The request to the C&C server looks like:
We can see in the reply for one of the domains that it has been already sinkholed to 166.78.144.80 (X-Sinkhole: malware-sinkhole).
Zbot also started using .EU domains for communication with C&C:
NrgBot/DorkBot continues using Dropbox to download BitCoin Miner tool:
hxxp://www.v.dropbox.com/s/thpae3fchbmgkf2/sym.exe?dl=1 (f865c199024105a2ffdf5fa98f391d74, RiskTool.Win32.BitCoinMiner)
And a worm Shakblades which has been removed recently from the Dropbox servers:
hxxp://www.v.dropbox.com/s/dcynlnz0yitlxyj/rep.exe?dl=1 (044de297a0c023d939300d84e95074ee, detected as Worm.Win32.Shakblades).
Top20 Potentially Unwanted Programs
Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.
| Position | Ad-Aware detection | % of all threats | Change in ranking |
| 1 | Conduit | 31.39% | -5.02% |
| 2 | Adware.JS.Conduit | 18.82% | +1.68% |
| 3 | MyWebSearch | 12.40% | -2.30% |
| 4 | Win32.PUP.Bandoo | 6.10% | +1.17% |
| 5 | Adware.Linkury | 5.29% | +0.81% |
| 6 | Win32.Toolbar.Iminent | 3.12% | -0.39% |
| 7 | InstallBrain | 1.93% | +1.10% |
| 8 | SweetIM | 1.34% | +0.22% |
| 9 | Crossrider | 1.33% | +0.55% |
| 10 | Babylon | 1.29% | -0.64% |
| 11 | Iminent | 1.12% | -2.39% |
| 12 | Yontoo | 1.06% | +0.23% |
| 13 | InstallCore | 0.95% | +0.19% |
| 14 | Adware.DealPly | 0.93% | new |
| 15 | DomaIQ | 0.58% | new |
| 16 | Wajam | 0.57% | new |
| 17 | DownloadMR | 0.52% | +0.03% |
| 18 | Montiera | 0.49% | new |
| 19 | Installerex/WebPick | 0.49% | +0.05% |
| 20 | InstallCore.b | 0.47% | new |
Top20 PUPs detected on user’s PC
Operating Systems
Geographic Location
Infections by country of origin
We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
Share this post:
Twitter
Facebook