Lavasoft Security Bulletin: September 2013
Top20 Blocked Malware
Position | Ad-Aware detection | % of all threats | Change in ranking |
1 | Win32.Trojan.Agent | 35.61% | +5.57% |
2 | Trojan.Win32.Generic!BT | 23.27% | -2.58% |
3 | Trojan.Win32.Generic.pak!cobra | 3.89% | +0.99% |
4 | Trojan.Win32.Ramnit.c | 2.70% | new |
5 | Malware.JS.Generic | 2.59% | +1.37% |
6 | Trojan.Win32.Reveton.a | 1.98% | new |
7 | Virus.Win32.Sality.ah | 1.81% | +1.43% |
8 | Trojan-Dropper.Win32.Agent | 1.24% | new |
9 | Virus.VBS.Ramnit.a | 1.20% | new |
10 | Email-Worm.Win32.Brontok.a | 1.19% | -2.60% |
11 | HackTool.Win32.Keygen | 1.14% | 0.00% |
12 | Trojan.Win32.Generic!SB.0 | 1.10% | +0.82% |
13 | Trojan.Win32.Jpgiframe | 0.95% | +0.59% |
14 | Virus.Win32.Sality.at | 0.92% | -0.35% |
15 | Trojan.WinNT.Conficker.b | 0.87% | new |
16 | Worm.Win32.Morto.ab | 0.78% | new |
17 | Virus.Win32.Expiro.gen.a | 0.61% | new |
18 | Worm.Win32.Pykspa | 0.55% | +0.05% |
19 | Virus.Win32.Ramnit.b | 0.54% | -0.46% |
20 | Heur.HTML.MalIFrame | 0.52% | +0.14% |
The Top 20 malicious programs blocked on PCs
Malware Prevalence Table - September 2013
Let’s review the most prevalent families detected in September.
Position | Family | % of all threats | Change in ranking |
1 | Trojan.Win32.Generic!BT | 35.22% | -0.25% |
2 | Trojan.Win32.Generic.pak!cobra | 4.98% | +0.22% |
3 | Trojan-Downloader.Win32.LoadMoney.u | 8.78% | +4.72% |
4 | Worm.Win32.Gamarue.z | 5.59% | new |
5 | Virus.Win32.Expiro.bc | 3.36% | -0.71% |
6 | Virus.Win32.Virut.ce | 2.17% | -0.73% |
7 | Trojan.Win32.Generic!SB.0 | 1.55% | +0.74% |
8 | Malware.JS.Generic | 1.15% | +0.16% |
9 | Trojan.Win32.Dwnldr.y | 1.13% | +0.47% |
10 | Trojan.Win32.Desini.a | 0.87% | -0.13% |
11 | Trojan.Win32.Kryptik.acsn | 0.96% | new |
12 | Worm.Win32.Mabezat.b | 0.85% | +0.48% |
13 | Trojan-Dropper.Win32.Gepys.a | 0.76% | -0.09% |
14 | Trojan.Win32.Runner.a | 0.79% | +0.08% |
15 | Win32.Malware!Drop | 0.71% | -0.06% |
16 | Trojan.JS.Obfuscator.aa | 0.66% | +0.11% |
17 | Trojan.Win32.PSW.gz | 0.49% | -0.12% |
18 | FraudTool.Win32.FakeRean | 0.65% | 0.00% |
19 | TrojanPWS.Win32.OnLineGames.ahj | 0.42% | -0.01% |
20 | Trojan.Win32.Vobfus.paa | 0.37% | -0.08% |
New malicious programs entered the Top 20
September sees new Fake-AV interfaces that supposedly detect hidden threats on a user’s computer.
Fake AV (MD5: cc2fedff4406e3f620b84983057fabbb) is detected by Ad-Aware as Trojan.Win32.Kryptik.acsn
Ransomware continues to blight users, blocking computers and encrypting private data. Lavasoft recently discovered an undetected crypto locker titled “Anti-Child Porn Protection” that encrypts the user’s data and demands a ransom to decrypt it. According to the locker’s notification window, the ransomware uses AES-256, an unbreakable cipher. Brute-forcing is not practical, since it would need to cover 1.1 × 10^77 combinations and take 3.31 × 10^56 years (EETimes); nor are the recovery tools that restored the erased original files in the case of GpCode.ak (which used RSA-1024).
Ransomware (MD5: 0b06eb1ed254790e38d7b5accc0fe072) is detected by Ad-Aware as Trojan.Win32.Generic
It is worth noting that this ransomware was created in October 2012, and since then we have seen no detections on the VirusTotal multi-scanner. It is detected by Ad-Aware Antivirus as Trojan.Win32.Generic and described in the Malware Encyclopedia.
Bots Review
Table 1: Bots under analysis (September 2013, Lavasoft MAS).
Bot name | Aliases* | Count | Autorun | Windows Services Modification | Anti-AV/Anti-Analysis | Propagation | Communication Protocol | Rootkit Activity | Network Activity/Updates | Connected Domains |
Zbot | Zeus, Trojan.Win32.Zbot(VIPRE), Trojan-PSW.Win32.Tepfer(Ikarus), PWS:Win32/Zbot(Microsoft), Win32:Zbot(Avast), Trojan.Zbot(Symantec), PWS-Zbot(McAfee) | 479 | yes* | None | no/no | Removable drives, Email, Drive-by infection | HTTP | 30-52 user-mode hooks in 6 libraries | yes/yes | google.com, google.ca, kgv-weser.com, thenatemiller.co, streetviewdaz.com, ninjamakeresjulakihsyrias.com, microsoftinternetsafety.net, akamai.net, ftp.brickwallmgmt.com, screaminpeach.com, solutioncorp.com, mastergrp-spb.ru, golfpark-moossee.ch, chocolatecovers.com, automa.it, goodvaluecenter.com, nuritech.com, brookfarm.com.au, fraser-high.school.nz, pixemia.com, mattiussiecologia.com, bocr.cz, austriansurfing.at, bocr.cz, d4drmedia.com, 4pipp.com, bocr.cz/bocr, ricated.com, easygen.com, re-wakefield.co.uk, robertmcintyre.com.au, tessera.co.jp, telenavis.com, thedonaldsongroup.com, hinnenwiese.de, kamaruka.vic.edu.au, digpro.se, fabianonline.de, empordalia.com, yamamoto-sr.com, fruitspot.co.za, shipeliteexpress.com, stepnet.de, biurimex.pl, tavdi.com, padstow.com, youjoomla.com, upsilon89.com, gjk.com.pl, sigmametalsinc.com, thesergery.com, sigmaaero.com, structives.org, agence-des-druides.com, buzzkillmedia.com, sspackaginggroup.com, perc.ca, pbna.com, leadershipforum.us, kafrit.com, theautospas.com, photoclubs.com, rea-soft.ru, graceweb.net, ctr4process.org, altonhousehotel.com |
Cycbot | BKDR_CYCBOT(TrendMicro), Backdoor.Win32.Cycbot(VIPRE), Backdoor.Win32.Cycbot(Ikarus, Emsisoft), BackDoor.Gbot(DrWeb), Backdoor:Win32/Cycbot(Microsoft), Win32:Cybota(Avast), Backdoor.Cycbot(Symantec) | 77 | yes* | Disables wscsvc | no/no | Using other malware | HTTP | None | yes/yes | akamai.net, akamaiedge.net, newworldorderreport.com, parkingcrew.net, google.com, google.ca, remindmeroster.com, TRANSERSDATAFORME.COM, cloudstorepro.com, suras-ip.com, webnode.com, binghamtonschools.org, yordatazone.com, firoli-sys.com, windowsupdate.com, alleducationalsoftware.com |
Kelihos | Backdoor.Win32.Kelihos(VIPRE), Backdoor:Win32/Kelihos(Microsoft), BackDoor.Slym(DrWeb), Kelihos(Norman) | 629 | yes* | None | no/no | Removable drives | HTTP | 19 user-mode hooks in 6 libraries | yes/yes | amazonaws.com, ivynvov.net, qikizny.net, taanrif.net, azawvos.com, asjoros.biz (mostly IPs were used) |
NrgBot/Dorkbot | TSPY_DORKBOT(TrendMicro), Worm.Win32.Dorkbot(VIPRE), BackDoor.IRC.NgrBot(DrWeb), Worm:Win32/Dorkbot(Microsoft), Trojan.Win32.Cidox(Kaspersky) | 252 | yes* | None | yes/yes | Removable drives, Social Networks, MSN Messenger, IRC | IRC | 17 user-mode hooks in 5 libraries | yes/yes | hotmail.com, api.wipmania.com, k211128.com, k211130.com, jaao20222.com, jo1aa28.com, jo1aa23.com, jossven.com, lartinito.com, balkoov.com, tsroxybaa.com, baerr000.ru, joerv06.com, cae1r699.ru, jo1rv99.com |
Blazebot | Backdoor:Win32/IRCbot, Worm:Win32/Neeris(Microsoft) | 5 | yes* | Enables RDP | no/no | Removable drives, MSN Messenger, Filesharing (Dropbox) | IRC | None | yes/yes | dropbox.com, dropboxusercontent.com, whatismyip.com, checkip.dyndns.com, p0rn-lover.us, pool-x.eu |
Shiz | Backdoor.Win32.Shiz(Ikarus), TROJ_SHIZ(TrendMicro), PWS:Win32/Simda(Microsoft), Trojan.PWS.Ibank(DrWeb), Win32:Shiz(Avast), Infostealer.Shiz(Symantec) | 10 | yes** | None | yes/yes | Using other malware | HTTP | 23 user-mode hooks in 6 libraries | yes/yes | kefuwidijyp.eu (mostly IP addresses were used) |
Aliases*: Generic verdicts were not included.
Autorun: yes*: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Autorun: yes**: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run], [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Bot distribution in September
Autorun
All the bots analysed use the “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” registry key to launch themselves when Windows boots. The Shiz backdoor also uses “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” as a further way of surviving a reboot.
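The two registry locations above are the first place a responder looks on a suspect machine. The script below is an added example written for this bulletin, not Lavasoft's own tooling: it reads the Run key (HKLM and HKCU) and the Winlogon key and flags Run entries whose executable sits in a user-writable directory, and Winlogon Shell/Userinit values that differ from the Windows defaults. The default values, the "user-writable path" heuristic and the sample entries it uses off Windows are this example's assumptions, not facts the bulletin states.

```python
"""Audit the Windows autorun locations named above for suspicious entries.

Added example for this bulletin, not Lavasoft's own tooling. It reads the Run
key (HKLM and HKCU) and the Winlogon key, then flags Run entries whose
executable lives in a user-writable directory and Winlogon Shell/Userinit
values that differ from the Windows defaults. The default values and the
"user-writable path" heuristic are assumptions of this example, not facts the
bulletin states. Off Windows it runs against constructed sample entries.
"""
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected Winlogon values on a clean system (assumption of this example).
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Path fragments that a non-admin user can write to; a Run entry pointing
# there is the classic drop-and-persist pattern of the bots in the table.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\tmp\\",
                         "\\downloads\\", "\\users\\public\\")


def executable_of(command):
    """Return the program path from a Run value such as '"C:\\a b\\x.exe" /s'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def classify_run_entry(name, command):
    """Finding text for a Run entry, or None when nothing looks wrong."""
    exe = executable_of(command).lower()
    if any(marker in exe for marker in USER_WRITABLE_MARKERS):
        return f"Run\\{name}: executable in user-writable path: {exe}"
    return None


def classify_winlogon_value(name, value):
    """Finding text for a Shell/Userinit value that deviates from the default."""
    expected = WINLOGON_DEFAULTS.get(name)
    if expected is not None and value.strip().lower() != expected.lower():
        return f"Winlogon\\{name}: non-default value: {value}"
    return None


def audit(run_entries, winlogon_values):
    """Classify (name, value) pairs from both locations; return all findings."""
    findings = [classify_run_entry(n, v) for n, v in run_entries]
    findings += [classify_winlogon_value(n, v) for n, v in winlogon_values]
    return [f for f in findings if f]


def collect_from_registry():
    """Read the live keys with winreg (Windows only)."""
    import winreg
    run, winlogon = [], []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    run.append((name, str(value)))
                    index += 1
        except OSError:
            pass  # key absent in this hive
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in WINLOGON_DEFAULTS:
            try:
                winlogon.append((name, str(winreg.QueryValueEx(key, name)[0])))
            except OSError:
                pass
    return run, winlogon


if __name__ == "__main__":
    if sys.platform == "win32":
        run, winlogon = collect_from_registry()
    else:
        # Constructed sample entries, not taken from any real sample.
        run = [("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
               ("Ijuxo", r'"C:\Users\bob\AppData\Roaming\Ijuxo\ihuw.exe"')]
        winlogon = [("Shell", "explorer.exe"),
                    ("Userinit", r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\svc.exe,")]
    for finding in audit(run, winlogon):
        print(finding)
```

The Userinit check matters for Shiz-style persistence: the value is a comma-separated list, so an appended path still runs at every logon while the genuine userinit.exe stays in place, which is why the comparison is against the whole default string rather than a substring.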
Dorkbot and Shiz block AV websites, preventing users from downloading the latest updates. A recent Dorkbot block list contains 1258 URLs and can be downloaded from one of the bots: hxxp://146.185.237.111/va.txt (also available from our mirror).
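A quick way to tell whether a machine is suffering from this kind of blocking is to take the vendor hostnames from a block list like the one above and check how each one behaves locally. The following is an added example, not code from the bulletin or from Lavasoft: since the text does not say how a given sample enforces the block, it covers two common mechanisms, entries planted in the hosts file and names that no longer resolve to a public address. The block list format (one URL or domain per line), the sample list, the sample hosts file and the stubbed resolver are all constructed assumptions; the real va.txt is deliberately not fetched.

```python
"""Check whether security-vendor sites are being blocked on this host.

Added example for this bulletin, not Lavasoft's tooling. Given a block list
(one URL or bare domain per line) and the contents of the hosts file, it
reports listed hostnames that the hosts file sinkholes or that fail to
resolve. All sample data below is constructed.
"""
import re
import socket
from urllib.parse import urlparse

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # read this on a live system


def hostnames_from_block_list(text):
    """Extract unique, lower-cased hostnames from URLs or bare domains."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:
            line = "http://" + line          # urlparse needs a scheme
        host = urlparse(line).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def parse_hosts_file(text):
    """Map hostname -> IP for every active (uncommented) hosts entry."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping


def is_sinkhole(ip):
    """Addresses that make a public site unreachable when a name maps to them."""
    return ip in ("127.0.0.1", "0.0.0.0", "::1") or ip.startswith(("10.", "192.168."))


def default_resolver(host):
    """Resolve with the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def find_blocked(block_list_text, hosts_text, resolver=default_resolver):
    """Return {hostname: reason} for listed hosts that appear blocked here."""
    hosts_map = parse_hosts_file(hosts_text)
    blocked = {}
    for host in sorted(hostnames_from_block_list(block_list_text)):
        if host in hosts_map and is_sinkhole(hosts_map[host]):
            blocked[host] = f"hosts file maps it to {hosts_map[host]}"
            continue
        ip = resolver(host)
        if ip is None:
            blocked[host] = "does not resolve"
        elif is_sinkhole(ip):
            blocked[host] = f"resolves to {ip}"
    return blocked


# Constructed sample data: not the real va.txt and not a real hosts file.
SAMPLE_BLOCK_LIST = """
http://www.lavasoft.com/support
http://update.example-av.test/updates/
downloads.example-vendor.test
"""
SAMPLE_HOSTS = """
127.0.0.1   localhost
# entries a blocker might plant:
127.0.0.1   www.lavasoft.com
0.0.0.0     downloads.example-vendor.test
"""

if __name__ == "__main__":
    # A stub resolver (constructed TEST-NET address) keeps the demo offline.
    for host, why in find_blocked(SAMPLE_BLOCK_LIST, SAMPLE_HOSTS,
                                  resolver=lambda h: "203.0.113.10").items():
        print(f"{host}: {why}")
```

On a live system, pass the contents of HOSTS_PATH and the default resolver; a vendor name that resolves correctly from a clean machine but not from the suspect one, with no hosts entry to explain it, points to the user-mode hooks listed in the table rather than to the hosts file.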
Additionally, Shiz and DorkBot use server-side polymorphism to avoid detection.
Recently we found many references on the Internet stating that Kelihos supposedly checks whether a victim’s IP is listed on online blacklists (CBL, the Composite Blocking List). This information was published by ZScaler Lab and referenced by ThreatPost and hundreds of other news sites.
Unfortunately, we could neither find CBL requests in our database nor reproduce such behavior on the Kelihos sample used by ZScaler (fbad0969a3fe539fa048df9912b8c6d4). In addition, Kelihos uses HTTP to communicate with peers, not SMTP as ZScaler noted. The SMTP traffic highlighted by the ZScaler researcher can be explained by spambot activity, which implies numerous connections to SMTP servers. It is possible that the analysts mistakenly attributed blocking replies from SMTP servers to the Kelihos protocol.
SMTP traffic generated by mail servers when Kelihos sends spam
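The distinction drawn above is easy to check mechanically on a sandbox capture: a spambot produces many outbound port-25 sessions whose server replies may well mention a DNSBL, whereas a bot that really checks its own listing has to issue its own lookups under the blocklist's zone. The script below is an added example for this bulletin, not Lavasoft's tooling; it reads a constructed flow-record format (time, src, dst, dst port, direction, first payload line) and separates HTTP peer traffic from SMTP activity, tallies SMTP reply codes, records in which direction blocklist wording appears, and counts client-originated cbl.abuseat.org DNS queries. The record format, the addresses and every sample line are assumptions.

```python
"""Triage a sandbox capture to separate a spambot's SMTP activity from its C2.

Added example for this bulletin, not Lavasoft's tooling. All records below
are constructed; the format is time src dst dport dir payload, where dir is
C>S (client to server) or S>C (server to client).
"""
import re
from collections import Counter, defaultdict

SAMPLE_RECORDS = """\
10:00:01 10.0.0.5 198.51.100.10 80 C>S GET /file.htm HTTP/1.1
10:00:01 10.0.0.5 198.51.100.10 80 S>C HTTP/1.1 200 OK
10:00:03 10.0.0.5 203.0.113.25 25 S>C 220 mx1.example.test ESMTP
10:00:03 10.0.0.5 203.0.113.25 25 C>S EHLO [10.0.0.5]
10:00:04 10.0.0.5 203.0.113.25 25 S>C 554 5.7.1 Service unavailable; Client host [192.0.2.7] blocked using cbl.abuseat.org
10:00:05 10.0.0.5 203.0.113.26 25 S>C 220 mx2.example.test ESMTP
10:00:05 10.0.0.5 203.0.113.26 25 C>S MAIL FROM:<spam@example.test>
10:00:06 10.0.0.5 203.0.113.26 25 S>C 250 OK
10:00:07 10.0.0.5 10.0.0.1 53 C>S A www.example.test
10:00:08 10.0.0.5 198.51.100.11 80 C>S GET /file.htm HTTP/1.1
"""

RECORD_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (C>S|S>C) (.*)$")
# Wording typical of a DNSBL rejection in an SMTP reply.
DNSBL_HINT = re.compile(r"blocked using|cbl\.abuseat\.org|spamhaus|blacklist", re.I)


def parse_records(text):
    """Parse the constructed record format into dicts; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            ts, src, dst, port, direction, payload = m.groups()
            out.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                        "dir": direction, "payload": payload})
    return out


def triage(records):
    """Summarise who was contacted on which port and what the servers replied."""
    summary = {"http_peers": set(), "mail_servers": set(),
               "smtp_reply_codes": Counter(), "dnsbl_mentions": defaultdict(int)}
    for r in records:
        if r["port"] == 80:
            summary["http_peers"].add(r["dst"])
        elif r["port"] == 25:
            summary["mail_servers"].add(r["dst"])
            code = re.match(r"(\d{3})", r["payload"])
            if r["dir"] == "S>C" and code:
                summary["smtp_reply_codes"][code.group(1)] += 1
            if DNSBL_HINT.search(r["payload"]):
                summary["dnsbl_mentions"][r["dir"]] += 1
    return summary


def client_blocklist_lookups(records):
    """Count DNS queries the client itself sent for a name under cbl.abuseat.org.

    That is what a bot checking its own listing would have to produce; server
    rejections that merely mention the CBL are not such evidence.
    """
    return sum(1 for r in records
               if r["port"] == 53 and r["dir"] == "C>S"
               and "cbl.abuseat.org" in r["payload"].lower())


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    s = triage(recs)
    print("HTTP peers:", sorted(s["http_peers"]))
    print("Mail servers:", sorted(s["mail_servers"]))
    print("SMTP reply codes:", dict(s["smtp_reply_codes"]))
    print("DNSBL wording by direction:", dict(s["dnsbl_mentions"]))
    print("Client CBL lookups:", client_blocklist_lookups(recs))
```

With the constructed records the blocklist wording occurs only in a server reply (S>C) and the client never queries the CBL zone, which is the pattern the bulletin describes; a genuine self-check would show up as client DNS queries under cbl.abuseat.org before any mail is sent.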
Self-Propagation
The bots can propagate via removable drives (Kelihos uses a vulnerability in LNK files), social networks (Dorkbot), instant messengers (Dorkbot, Blazebot) and file-sharing services such as Dropbox (Blazebot with Rbot). Drive-by attacks and downloads by other malware are also used to deliver a backdoor.
Communication Protocols
HTTP and IRC are the most commonly used protocols nowadays. We noticed that the IRC bots Dorkbot, Blazebot and Rbot operate together and are probably owned by the same botmaster.
Bot distribution by the type of communication protocol
Rootkit Activity
Four of the six bots (Zbot, Kelihos, Dorkbot, Shiz) install user-mode hooks into Windows system DLLs in order to spy on the user’s activity. Zbot installs the highest number of hooks.
Network Activity
All the bots reviewed are still alive, showing network activity and downloading updates.
According to last month’s network activity, Kelihos and Dorkbot were using Amazon’s cloud service to host malicious files. In September we found eighty-eight malicious samples that connected to compute.amazonaws.com for bot updates.
The first such connections made by Kelihos were detected in June 2013, and they only continue to grow; it would appear that Amazon’s cloud is becoming popular among botmasters as a way of growing their botnets.
Amazon Web Services
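The compute.amazonaws.com observation above is a workable detection for a network defender, provided it is narrowed: plenty of legitimate traffic goes to AWS, but legitimate services are reached through the vendor's own domain, whereas a Windows executable fetched directly from a generic ec2-*.compute.amazonaws.com name is rare. The script below is an added example for this bulletin, not Lavasoft's own code; it scans a constructed, simplified proxy log (epoch, client, status, bytes, method, URL, content type) and reports clients that downloaded executables from such names. The log format and every sample line are constructed.

```python
"""Flag clients fetching executables from generic EC2 hostnames in proxy logs.

Added example for this bulletin, not Lavasoft's own code. The simplified
Squid-like log format and all sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Fields: epoch client_ip status bytes method url content_type
SAMPLE_LOG = """\
1378000000 10.1.1.20 200 51234 GET http://www.lavasoft.com/ text/html
1378000010 10.1.1.21 200 204800 GET http://ec2-54-234-1-2.compute-1.amazonaws.com/upd/kx.exe application/x-dosexec
1378000020 10.1.1.21 200 2048 GET http://ec2-54-234-1-2.compute-1.amazonaws.com/upd/cfg.txt text/plain
1378000030 10.1.1.22 200 1024 GET http://s3.amazonaws.com/some-bucket/logo.png image/png
1378001850 10.1.1.21 200 204800 GET http://ec2-54-234-1-2.compute-1.amazonaws.com/upd/kx.exe application/x-dosexec
1378000040 10.1.1.23 200 98304 GET http://ec2-52-1-1-1.eu-west-1.compute.amazonaws.com/a/b.bin application/octet-stream
"""

# Generic EC2 public DNS names: ec2-A-B-C-D.<region>.compute.amazonaws.com
# or the older ec2-A-B-C-D.compute-1.amazonaws.com form.
EC2_HOST_RE = re.compile(r"^ec2-\d+-\d+-\d+-\d+\.[a-z0-9.-]*compute(-\d+)?\.amazonaws\.com$")
EXE_TYPES = {"application/x-dosexec", "application/x-msdownload", "application/octet-stream"}
EXE_EXTENSIONS = (".exe", ".dll", ".scr", ".bin")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not have 7 fields."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, status, size, method, url, ctype = parts
    return {"ts": int(ts), "client": client, "status": int(status),
            "bytes": int(size), "method": method, "url": url, "ctype": ctype}


def is_generic_ec2_host(url):
    """True when the URL's host is a generic EC2 public DNS name."""
    host = urlparse(url).hostname or ""
    return bool(EC2_HOST_RE.match(host.lower()))


def looks_executable(rec):
    """True when the content type or the URL path suggests a Windows binary."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"] in EXE_TYPES or path.endswith(EXE_EXTENSIONS)


def find_suspect_clients(log_text):
    """Return {client_ip: [urls]} for successful executable fetches from EC2 names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["status"] == 200 and is_generic_ec2_host(rec["url"])
                and looks_executable(rec)):
            hits[rec["client"]].append(rec["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} executable fetch(es) from generic EC2 hosts")
        for u in urls:
            print("   ", u)
```

A repeated fetch of the same binary from the same EC2 name, as client 10.1.1.21 shows in the sample, is the update polling the bulletin describes; on real logs, whitelist the EC2 names your own software legitimately uses before alerting.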
Top20 Potentially Unwanted Programs
Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.
Position | Ad-Aware detection | % of all threats | Change in ranking |
1 | Conduit | 36.41% | new |
2 | Adware.JS.Conduit | 17.14% | new |
3 | MyWebSearch | 14.70% | +10.16% |
4 | Win32.PUP.Bandoo | 4.93% | +3.60% |
5 | Adware.Linkury | 4.48% | +2.96% |
6 | Win32.Toolbar.Iminent | 3.51% | +2.45% |
7 | Babylon | 1.93% | +1.78% |
8 | Iminent | 1.19% | +0.13% |
9 | SweetIM | 1.12% | +0.72% |
10 | Yontoo | 0.83% | +0.58% |
11 | InstallBrain | 0.83% | +0.70% |
12 | Bprotector | 0.80% | +0.38% |
13 | Crossrider | 0.78% | new |
14 | InstallCore | 0.76% | +0.39% |
15 | Win32.Adware.ShopAtHome | 0.57% | +0.35% |
16 | DownloadMR | 0.49% | +0.33% |
17 | Yontoo | 0.45% | +0.20% |
18 | Amonetize | 0.45% | new |
19 | Installerex/WebPick | 0.44% | new |
20 | Elex Installer | 0.43% | new |
Top20 PUPs detected on user’s PC
Operating Systems
Geographic Location
Infections by country of origin
We will keep investigating the epidemiological situation worldwide and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.