<![CDATA[[SecurityRatty] tag: scr]]> http://securityratty.com/tag/scr Mon, 07 Apr 2008 23:48:40 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Malware Install Hides Behind Fake Blue Screen Of Death]]> http://securityratty.com/article/b8c8105b310966fe1ed31d74b627f52f http://securityratty.com/article/b8c8105b310966fe1ed31d74b627f52f
sys0.jpg


If the file is allowed to execute on the PC, depending on what files the bundle is rotating for download at the time of install you may well see the dreaded Blue Screen Of Death (or BSOD to its friends).

However, all is not what it seems. While the end-user is faced with the horrors of the BSOD, behind the scenes Malware is installing by the bucketload.How is this possible, I hear you cry? Surely if the PC has crashed, nothing can be installing?

Not in this case, because the blue screen of death is fake - to be more accurate, the bad guys have taken Sysinternals blue screen of death screensaver and bundled it in with the hijack files. This is what the .scr file looks like on the PC:

sys1.jpg


And this is what you see if you explore the code:

sys2.jpg


It seems the bad guys are not without a sense of humour. Hiding a blizzard of infection file installs behind a legitimate screensaver created by a security expert is pretty bizarre. Here is the registry entry created:

sys6.jpg

Meanwhile, here are just some of the files installed onto the PC during the download:

sys5.jpg

Click to Enlarge

The PC pretty much grinds to a halt while all of this is taking place:

sys7.jpg


When the computer finally comes back under your contol, you can expect to see numerous warnings related to fake antispyware programs appearing all over the desktop:

sys8.jpg

Click to Enlarge

sys9.jpg

Click to Enlarge

sys10.jpg


Collectively, we detect the various bundles on offer here as Fake.AV and Smiddy.

Discovery and Research: Chris Mannon, FSL Senior Threat Researcher
]]> Wed, 09 Jul 2008 14:42:24 +0000 fake death blue file scr file infection file installs hijack files hijack death screensaver Malware Install Hides Behind Fake Blue Screen Of Death <![CDATA[Romanian Script Kiddies and the Screensavers Botnet]]> http://securityratty.com/article/5b5c2da1c83dfe7fd39c5e9ccf463c0b http://securityratty.com/article/5b5c2da1c83dfe7fd39c5e9ccf463c0b Shall we turn into zombies, and peek into the modest botnet courtesy of Romanian script kiddies, that are currently spamming postcard.scr greeting cards? Meet the script kiddies. This botnet is going nowhere mostly because knowing how to compile an IRC bot doesn't necessarily mean you posses a certain know-how, a know-how that experienced botnet masters have been outsourcing for years. Malware is obtained through links pointing to :

xhost.ro/filehost/phrame.php?action=saveDownload&fileId=15735
xhost.ro/filehost/phrame.php?action=editDownload&fileId=12923
xhost.ro/filehost/phrame.php?action=saveDownload&fileId=3656
xhost.ro/filehost/phrame.php?action=editDownload&fileId=10936

Scanners result : Result: 22/32 (68.75%)
Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast
File size: 735139 bytes
MD5...: 015e5826084f2302b4b2c3237a62e244
SHA1..: 7d05949f6dfffdc58033c9d8b86210a9bd34897c

Sample traffic output :
"NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx"

And in next couple of hours, the most interesting domain that joined the IRC channel was :

Ny2fW15 is fwuser@mails.legislature.maine.gov * Kg1jT7
Ny2fW15 on #madarfakar
Ny2fW15 using Noteam.Vs.undernet.org I'm too lazy to edit ircd.conf
Ny2fW15 is away: Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17
Ny2fW15 End of /WHOIS list.

This botnet's futile attempt to scale is a great example of the growing importance of knowlege and experience empowered botnet masters, as a key success factor for sustainability, and also, basic understanding of economic forces, namely, when they're not making an investment there cannot be a return on investment on their efforts at the first place. Take a peek at the efficiency level of remote file inclusion achieved by another botnet, and at alternative botnet C&C channels courtesy of botnet masters realizing that diversity is vital.
]]> Mon, 07 Apr 2008 23:48:40 +0000 botnet botnet masters script kiddies romanian script kiddies botnet courtesy ny2fw15 alternative botnet irc irc bot Romanian Script Kiddies and the Screensavers Botnet