Joint Strike Force against Dorifel

August 11, 2012

Over the past three days the computer virus Dorifel became a very prominent news item as it went on a rampage, infecting as many computers as possible on both government and private networks. IT personnel were stressed out since there were next to no virus signatures to detect the malware.

The inconvenience felt by the general public grew fast as many towns’ civil services, like the issuing of passports, had to be taken offline for damage control: Dorifel had encrypted most Excel and Word documents and converted them into executable files.

The result was that many government staff had to blow the dust off the old-fashioned typewriters again, as they were asked to leave their computers switched off in an attempt to stop the outbreak in its tracks.


Photo by Marcel van Hoorn (ANP)

The creativity of cybercriminals is endless and they do their utmost to stay hidden, bypass antivirus protection, slow down malware research and do something new. Knowing that most antivirus products will first focus on malware blocking only, we figured at the start of the outbreak that there would be no readily available solution any time soon to recover the millions of affected documents (which prolongs the exposure of sensitive data to the cybercriminals).

Teaming Up with Emsisoft
While we were investigating the outbreak, we also spoke with Fabian Wosar of Emsisoft, who was immediately keen to help. He recently created tooling to combat the ACCDFISA and Reveton ransomware families and conveniently had a few boilerplate functions lying around to speed up development of a dedicated remediation tool.

We immediately set up an extra examination environment in our office in Hengelo for Fabian to work on remotely with us, gathered malicious objects and affected documents and started to analyze the malware’s code and behaviors. The task was to find out how the seized documents were encrypted, whether there was a way to recover them and, if possible, create a special tool that people can use to recover their documents.

Working Around The Clock
After working from Wednesday evening into Thursday morning on August 9th, Fabian was ready to offer everybody a free to use decryption tool which is available from our special support page: http://www.surfright.com/support/dorifel-decrypter

From this spot we would again like to thank Fabian Wosar for working with us on such short notice and helping everybody, especially the Dutch people, in limiting the effects of this attack.

To continue, we would like to share some interesting details that we encountered using the images below.


Image: Word, Excel and application files are automatically altered and renamed by the Dorifel malware. Notice the ?, which is in fact Unicode character U+202E (the RTLO, right-to-left override, character). It causes the infected file to show up in Windows as ‘Contractrcs.doc’, fooling users into believing the file is still a document.


Image: The encrypted ‘documents’ contain movie phrases and references to TV shows.


Image: The +++scarface+++ marker indicating the start of the encrypted data, which represents the original document.
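The two indicators in the images above, the U+202E override in the file name and the +++scarface+++ marker inside the dropped file, are easy to triage programmatically. The following is an added example (not SurfRight’s or Emsisoft’s code, and not the decrypter) that shows how the name from the image renders, recovers the real extension, and reports where the marker sits; the sample file name and body are constructed for the demo.

```python
# Added example (not SurfRight's or Emsisoft's code): triage of Dorifel-style
# "document" impersonation. It checks a file name for the U+202E right-to-left
# override described in the post and a file body for the +++scarface+++ marker.

RTLO = "\u202e"                         # RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed
BIDI_OVERRIDES = {"\u202d", "\u202e"}   # LTR and RTL override characters
SCARFACE_MARKER = b"+++scarface+++"     # start of the encrypted original document


def displayed_name(name: str) -> str:
    """Approximate what a bidi-unaware file listing shows: everything after
    the first U+202E is rendered right-to-left, i.e. reversed."""
    idx = name.find(RTLO)
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def real_extension(name: str) -> str:
    """Extension the OS actually uses once the override characters are ignored."""
    stripped = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""


def triage(name: str, data: bytes) -> dict:
    """Return the findings a responder wants for one file: how the name renders,
    what it really is, and where (if anywhere) the Dorifel marker sits."""
    overrides = sorted({f"U+{ord(ch):04X}" for ch in name if ch in BIDI_OVERRIDES})
    marker_at = data.find(SCARFACE_MARKER)   # -1 when the marker is absent
    return {
        "raw_name": name,
        "displayed_as": displayed_name(name),
        "real_extension": real_extension(name),
        "bidi_overrides": overrides,
        "marker_offset": marker_at,
        "suspicious": bool(overrides) or marker_at >= 0,
    }


# CONSTRUCTED sample: the file name from the image and a fake .scr body in which
# some "movie phrase" padding precedes the marker and the encrypted payload.
SAMPLE_NAME = "Contract" + RTLO + "cod.scr"
SAMPLE_DATA = (b"MZ" + b"\x00" * 14
               + b"Say hello to my little friend\n"
               + SCARFACE_MARKER
               + bytes(range(200, 256)))

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:>16}: {value!r}")
```

Run it as-is to see the constructed sample, or call triage() with a real file name and its bytes. The displayed_as value reproduces the ‘Contractrcs.doc’ rendering from the image while real_extension still reports scr, which is the check a file-listing or mail gateway should perform before trusting what the name looks like.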


Image: The pseudo code of the encryption/decryption loop.


Image: The assembly code of the encryption/decryption loop.


Image: Dorifel communicating on the network. Notice it queries for a local machine named KASPERSKY. More importantly, notice the internet traffic with the pin= parameter, where Dorifel tries to get an additional payload. Since it first tries to connect to Microsoft’s Update Service (which is hardcoded in the malware) we think that the attackers were also planning to redirect Windows Update traffic. The domain reslove-dns.com is currently sinkholed.


Image: Dorifel connecting to the forum.4game.com website for Command & Control information.


Image: Every 1500 seconds Dorifel is retrieving a seemingly harmless ‘Breaking Bad’ season 5 poster (jpeg).


Image: The ‘Breaking Bad’ jpeg image contains hidden encoded Command & Control data. Dorifel stores it in a .dat file in its own folder under %appdata%, e.g. C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe.dat


Image: Small extract from our database where our HitmanPro software was used to rescue AV protected computers that were infected by Dorifel. The table shows that many machines also had Zeus/Zbot/Citadel Trojans, for weeks! Note: user 4624107 had an expired license of our software, which is why the same malware was detected twice.


The Dorifel outbreak was only a symptom. But what is the real problem?

August 10, 2012

Earlier this week, government, public sector and private company networks were hit hard by a new wave of crypto malware named Trojan-Dropper.Win32.Dorifel. Computers were shut down and the old-fashioned typewriters that were gathering dust in the basement reappeared in the workplace. For a moment I even thought this was funny.

The Dorifel Trojan scans network shares, local drives and USB connected drives for executables and Microsoft Office (Word and Excel) documents. Documents and programs were replaced with a new executable file that has the .scr file extension. Currently, most affected users will not notice anything since the ‘documents’ open as usual. It looks like the malware is currently only interested in propagating itself to as many machines as possible. But it is not unlikely that the attackers will later start blocking the ‘documents’ and requesting a ransom fee for unblocking them.

This is bad news for the organizations that were hit. But what’s even worse is that the Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, maybe weeks. In other words: the malware could already be snooping on all electronic communication inside the organization, including stealing passwords of critical infrastructure, copying confidential documents, social security numbers, passport details, etc. without anyone (or anything) noticing (!)

Not being able to use your computer for a while, while system administrators are shutting machines down, cleaning them and bringing them back into the network, is very inconvenient. But it is even more worrisome that computers and networks have been infected for a much longer period without anyone noticing.


Parental Controls affect DNSChanger Check-Up Sites

June 29, 2012

The DNSChanger test that Google, Facebook and the many DNS-OK sites perform do not give the correct results when the computer uses a remote web-filter (or web-proxy) from e.g. their Internet access provider.

In order to explain what causes this, we first need to recap a little of what we wrote earlier this week.

In November 2011, after a two-year FBI probe called Operation Ghost Click, six Estonian nationals were arrested on charges of fraud. They had infected computers worldwide with malware called DNSChanger. In conjunction with the Estonian police, the FBI seized the servers used by the cybercriminals but kept them online so as to not disrupt the Web activities of those infected. If the FBI had merely shut down the rogue servers, many of those infected wouldn’t have been able to access the Web at all. That means no websites, no e-mail, and no Facebook.

The DNS Changer Working Group (DCWG), that’s been maintaining the FBI servers since their seizure, has created a website http://www.dns-ok.us that allows you to check if your computer is infected. People are encouraged to check their devices by visiting this website to see if their computer is infected. If infected, they’re then directed to information on how to remove the malware.

It is estimated that over half of the users with an infected computer are not English speaking, so Computer Emergency Response Teams (CERTs, aka CSIRTs) active in many countries set up a localized version of the DNS-OK site. Using articles in local newspapers, people were encouraged to check their systems. To reach even more people, Google and Facebook also started notifying victims of the DNSChanger malware.

Millions of Internet users checked their devices using one of the many DNS-OK websites or through Google or Facebook. And with good results: a tremendous number of devices has been cleaned to date. But still, despite great efforts, around 300,000 devices are still not cleaned. How come? Don’t these people use Google or Facebook?

False sense of security
The DNS test that Google, Facebook and the many DNS-OK sites perform do not give the correct results when the computer uses a remote web-filter (or web-proxy) from e.g. their Internet access provider. While users expect their own DNS settings to be checked, a remote web-filter will cause the DNS-OK website to check the DNS settings of the filter instead. This means that the DNS-OK site will show green even though the user’s computer could still be infected, giving him or her a false sense of security.

Security as a Service
For example, many ADSL Internet contracts include network-based web-filtering services. These remote web-filters act as intermediaries: they retrieve and evaluate webpages and downloads before sending them on to the user’s computer. This service, also known as Security as a Service (or SaaS), doesn’t involve any software setup or action from the end-user. It limits children from accessing inappropriate content (parental control), controls the download of certain files (e.g. spyware, pirated software) and optionally filters unwanted web advertising from web content. All good news. But on the other hand this filter prevents accurate DNS testing on any of the DNS-OK websites and affects the checks performed by Google and Facebook as well.


Figure 1: The DNSChanger Check-Up Site (www.dns-ok.us) says the infected computer is not affected, while in fact it is.


Figure 2: A name lookup reveals the problem. The remote web-filter returns the wrong IP address.


Figure 3: The same infected computer on a connection without remote web-filtering: correct response.

Because the DCWG is unable to count the infected computers that use a network-based security service, the actual number of infected computers is very likely higher than the current 300,000.

What to do: check again, manually
The Internet provider cannot be blamed for offering Security as a Service. So if you use an “in-the-cloud” remote web-filter, web or DNS proxy or safe gateway from e.g. your Internet access provider, and you got a green OK on e.g. www.dns-ok.us, your computer might still be infected. So you might want to check out the Fix page over at DCWG again, because to avoid losing web and/or e-mail access on July 9 you should follow these two steps:

  1. Check your DNS settings manually, because www.dns-ok.us (and other test sites) cannot perform a reliable test in your situation.
  2. Use a second-opinion antivirus program to scan your computer for the Alureon rootkit (aka TDSS, Olmarik, TDL4) that distributed the DNSChanger malware. Currently, Alureon ranks #4 on our May 2012 malware prevalence list, as it has successfully hidden from antivirus software since 2009. So checking your computer with your regular antivirus software will not be sufficient.
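Step 1, checking the DNS settings manually, is the part a remote web-filter cannot interfere with, because it reads the machine’s own configuration instead of asking a website what resolver it sees. The following is an added example (not the DCWG’s or SurfRight’s tool) that parses the text “ipconfig /all” prints on Windows and compares every configured DNS server against a range list. The ranges in it are labelled placeholders; the real rogue ranges are on the DCWG site and must be substituted. The sample ipconfig output is constructed.

```python
# Added example (not the DCWG's or SurfRight's tool): a manual, local check of
# the DNS servers a Windows machine is configured to use, parsed from the text
# that "ipconfig /all" prints. Because it reads the machine's own settings it is
# not fooled by a remote web-filter the way the browser-based DNS-OK test is.
import ipaddress
import re

# PLACEHOLDER ranges: replace with the rogue DNS ranges published by the DCWG
# (http://www.dcwg.org/). These two documentation prefixes are constructed here.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")        # first server on the label line
ADDRESS_LINE = re.compile(r"^\s+([0-9A-Fa-f.:%]+)\s*$")    # indented continuation lines


def parse_ipconfig_dns(text: str) -> list:
    """Extract every DNS server address from 'ipconfig /all' output, including
    the indented continuation lines Windows prints for additional servers."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        m = ADDRESS_LINE.match(line) if in_dns_block else None
        if m:
            servers.append(m.group(1))
        else:
            in_dns_block = False
    return servers


def is_rogue(server: str) -> bool:
    """True when the address falls inside one of the rogue ranges."""
    addr = ipaddress.ip_address(server.split("%", 1)[0])   # drop an IPv6 zone id
    return any(addr in net for net in ROGUE_DNS_RANGES)


def check_ipconfig(text: str) -> dict:
    """Summarise the configured servers and which of them are rogue."""
    servers = parse_ipconfig_dns(text)
    rogue = [s for s in servers if is_rogue(s)]
    return {"servers": servers, "rogue": rogue, "infected": bool(rogue)}


# CONSTRUCTED sample output: one adapter pointing at placeholder rogue servers,
# plus a clean variant for comparison.
SAMPLE_INFECTED = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_CLEAN = SAMPLE_INFECTED.replace("192.0.2.53", "192.168.1.1").replace(
    "198.51.100.53", "fe80::1%11")

if __name__ == "__main__":
    # On a real host: check_ipconfig(subprocess.check_output(["ipconfig", "/all"], text=True))
    print(check_ipconfig(SAMPLE_INFECTED))
    print(check_ipconfig(SAMPLE_CLEAN))
```

A server that is not in the rogue list but is also not your router, your provider’s resolver or a resolver you chose yourself still deserves attention; the range check only answers the DNSChanger question, not the general one of whether the settings are what you expect.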

About the DNSChanger malware
The DNSChanger Trojan changed the DNS settings on the computer, redirecting websites entered by the user to other unsolicited, and potentially illegal, sites. If personal information was entered on these websites, it could have led to identity theft.


275,000 computers lose Internet access on July 9

June 27, 2012

On many computers deemed safe and protected by up-to-date antivirus software, the Alureon rootkit is still one of the most prevalent infections that HitmanPro encounters. And over the last few years the Alureon rootkit (aka TDSS, TDL and Olmarik) has evolved and been used for all kinds of different attacks, from drive-by downloads to targeted attacks that aim only at a specific group of people. One of its lesser known jobs was to distribute the DNSChanger Trojan.

Beginning in 2007, the DNSChanger Trojan has seized web traffic by changing the DNS (Domain Name System) settings on an infected computer. As a result, victims are diverted to malicious websites instead of the requested website. In other words, once the Trojan has altered the DNS settings, DNS queries are redirected to the attacker-controlled DNS servers, which forces the user to visit malicious websites, where scammers often earned millions of dollars in affiliate and referral fees as well.

FBI
On November 8, 2011 the FBI arrested six Estonian nationals who were operating over a hundred malicious DNS servers in data centers in Estonia, New York and Chicago. Along with these arrests, the servers involved with the DNSChanger malware were seized. Since machines with modified DNS settings would be unable to access the Internet once the malicious DNS servers went offline, the FBI obtained a court order that allowed the non-profit Internet Systems Consortium (ISC) to set up alternate DNS servers to temporarily replace the malicious servers. These servers were intended to give people time to clean up the infection. The court order was originally set to expire March 8 this year, but prosecutors filed for an extension because over 400,000 computers still remained infected. The new deadline for getting cleaned up and averting the Internet blackout is now July 9, 2012.

DCWG, Google, Facebook, CloudFlare
To remediate users and help the FBI with the alternate DNS servers, the DNS Changer Working Group (DCWG) was created. The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.

To aid the slow remediation rate, Google started notifying affected users in May 2012, showing warnings via a special message that appears at the top of the Google search results page for users with affected devices. Also, 11,000 websites enabled the CloudFlare Visitor DNSChanger Detector which shows infected visitors a warning banner to help them remove the malware and remain online. And this month, Facebook joined Google in warning victims among its 900 million users.



Recover from a DNSChanger infection

The past few months, HitmanPro has helped tens of thousands of people restore their DNS settings and remove the DNSChanger Trojan and the TDSS rootkit from their computers. As shown in the graph below, the campaigns by Google and Facebook played a significant role in informing users that were infected and pointing them to a solution:

Italy
Below, the latest Top 5 DNSChanger Infections by Country (June 11, 2012). Many computers in Italy are still affected by DNSChanger:

Head over to http://www.dns-ok.us and check your Windows and Mac computers for the DNSChanger Trojan. Given that on July 9 you might not get the chance to do this, you should check your computers as soon as possible.


ZeroAccess – From Rootkit to Nasty Infection

June 25, 2012

One year ago we blogged about ZeroAccess striking back at antivirus products by means of malicious payload injection, causing the antivirus products to terminate. ZeroAccess is known for causing browser redirects that lead to additional malware infections.

ZeroAccess (also known as Sirefef, Maxplus or Smiscer) changed its way of working a few times and recently it evolved from a rootkit into a user mode virus. This makes sense because it used to use different strategies on 32-bit and 64-bit computers. On 32-bit Windows ZeroAccess infected a random kernel driver and on 64-bit it used an altered Session Manager\SubSystems registry key to survive reboots.

Merging both 32 and 64-bit versions the authors now have a common code base for both architectures which is easier to maintain and improve.

Services.exe infection
For a few weeks now we have been receiving reports of slightly changed versions of services.exe. This Microsoft component is the Service Control Manager and is responsible for running, ending, and interacting with system services. Upon closer inspection, the minor changes to services.exe are not malicious at all. But they do uncover a novel way of hiding malicious payload that makes ZeroAccess invisible to most antivirus products.

Hiding in NTFS
The trick involves storing the malicious contents in the rarely used Extended Attribute of an NTFS record. We have seen malware using Alternate Data Streams (ADS) but this trick is entirely new and has nothing to do with ADS.
The Extended Attribute is stored along with the NTFS record of services.exe and is invisible to the user (it is not a file but meta-information). Antivirus products don’t process the Extended Attribute since it is deep inside the NTFS file system. The Extended Attribute can only be read using special forensic tools such as WinHex.

When the infected services.exe is loaded by Windows, the infection reads the Extended Attribute NTFS record which contains the actual malicious code. Storing the malicious code not in services.exe but in the special Extended Attribute gives ZeroAccess its needed stealthiness to stay undetected on a user’s system.

Note: Copying the infected services.exe to a different file system (e.g. FAT32) or archiving services.exe into a ZIP file will strip the Extended Attribute and therefore lose its malicious content.

ASLR stripped
To date we’ve seen two different types of services.exe infections. Both versions have the ASLR capability stripped from services.exe. This causes the operating system to consistently load services.exe on the same address allowing the infection to use hardcoded addresses.

TLS Callback
The authors of ZeroAccess first released a version that adds a Thread Local Storage (TLS) callback to services.exe. This trick, borrowed from other malware, runs the infection before the main thread. Since this trick is already used by other malware, thus making it suspicious, the authors decided to change it in a second version.
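Both observations above, the stripped ASLR flag and the added TLS callback, are visible in the PE header of services.exe without running it. The following is an added example (not HitmanPro’s detection logic) that reads the DYNAMIC_BASE bit of DllCharacteristics and the TLS data-directory entry from a PE32 or PE32+ image; the minimal header builder in it is constructed only to exercise the parser and does not produce a loadable file.

```python
# Added example (not HitmanPro's detection logic): read two facts from a PE
# header that the post ties to the infected services.exe, whether the
# DYNAMIC_BASE (ASLR) flag is still set and whether the image carries a TLS
# directory (the first ZeroAccess variant added a TLS callback). The minimal
# header builder below is constructed for the demo only and is not loadable.
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in flag
TLS_DIRECTORY_INDEX = 9                           # IMAGE_DIRECTORY_ENTRY_TLS


def pe_indicators(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report the ASLR and TLS indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                             # PE32
        pe32plus, nrva_off, dd_off = False, opt + 92, opt + 96
    elif magic == 0x20B:                           # PE32+
        pe32plus, nrva_off, dd_off = True, opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    tls_rva = tls_size = 0
    if n_dirs > TLS_DIRECTORY_INDEX:
        tls_rva, tls_size = struct.unpack_from("<II", data, dd_off + 8 * TLS_DIRECTORY_INDEX)
    return {
        "pe32plus": pe32plus,
        "aslr_enabled": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_tls_directory": tls_rva != 0 and tls_size != 0,
    }


def looks_tampered(ind: dict) -> bool:
    """A system binary with ASLR stripped, or carrying a TLS directory, deserves
    a closer look (compare it against a known-good copy of the same build)."""
    return (not ind["aslr_enabled"]) or ind["has_tls_directory"]


def build_fake_pe(pe32plus: bool, aslr: bool, tls: bool) -> bytes:
    """CONSTRUCTED header-only image used to exercise pe_indicators()."""
    opt_size = 240 if pe32plus else 224            # 112 or 96 bytes + 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if aslr else 0)
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)
    if tls:
        struct.pack_into("<II", opt, dd_off + 8 * TLS_DIRECTORY_INDEX, 0x3000, 0x18)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # e.g. a copy of services.exe taken from a suspect host
        with open(sys.argv[1], "rb") as fh:
            print(pe_indicators(fh.read()))
    else:
        for args in [(True, True, False), (True, False, True), (False, False, False)]:
            ind = pe_indicators(build_fake_pe(*args))
            print(args, ind, "tampered?", looks_tampered(ind))
```

Run it with a path to check a real image, or without arguments to see the three constructed cases. Note what the script cannot see: the payload itself lives in the NTFS Extended Attribute, so a copy made to FAT32 or pulled out of a ZIP will show the header indicators while the malicious content has already been stripped, which is exactly the point the note above makes.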

ScRegisterTCPEndpoint
The second and current version doesn’t use the TLS trick, since it is obviously suspicious due to the fact that it runs code before the actual services.exe code. Instead the infection overwrites 704 bytes of the services.exe!ScRegisterTCPEndpoint function. The 704 bytes start with a JMP and contain the code that reads the Extended Attribute (EA) from services.exe using ZwQueryEaFile:


SHA256 of above file:
D370021AECF0826CF3935467C09FBCA0960EE0CD7F99FBF83D50FE204537E133

Removing the Infection
Next to the infected services.exe, ZeroAccess also drops support files under C:\Windows\Installer\ and %LocalAppData% folder as can be seen from this screenshot:

Services.exe is a system file. It must be restored to an original version to maintain system stability.

To complete the removal, HitmanPro also removes the malware’s data files. It uses its cloud assisted remnant scan to get each data file belonging to ZeroAccess.

Currently we have only seen this infection on Windows Vista and Windows 7 (both 32-bit and 64-bit). Windows XP seems unaffected at the moment, but there is no reason why this new trick should not work on XP.

Conclusion
The latest incarnation of ZeroAccess successfully merged its 32-bit and 64-bit code base into a new variant which is both hard to detect and hard to remove. HitmanPro must use all its techniques to detect and remove all pieces of this new ZeroAccess variant.

Download
http://www.hitmanpro.com/downloads



HitmanPro 3.6 Build 159

June 21, 2012

Today we’ve released a new version of HitmanPro 3.6 to our users. Build 159 includes many improvements over earlier releases. But I would like to blog about one particular new feature today: the detection of the XULRunner malware.

XULRunner redirect
This particular malware, a browser hijacker, affects the Mozilla Firefox browser and redirects Google Search results to e.g. happili.com.

Contrary to sophisticated bootkits that usually cause search redirects (like TDL4 and ZeroAccess), the XULRunner is a fairly basic program. To stay somewhat concealed, it installs a legitimate-seeming add-on in the Firefox browser to ‘hide’ itself: the malware impersonates and abuses the XULRunner name to fool users into believing the add-on is a core part of the browser. The real XULRunner is actually the internal XUL runtime developed by Mozilla, to run XUL-based applications in Firefox: http://en.wikipedia.org/wiki/XULRunner

The XULRunner malware typically creates a folder with a random name in the “Application Data” folder below the user’s profile. Example: C:\Documents and Settings\John\Local Settings\Application Data\{2C02AAE7-C9F9-4B88-8233-CD0895C71420}\

The script that causes the redirects is called overlay.xul. When looking at this JavaScript file, a trained eye can see that it affects popular search engines:

if (loc.match(/google.*\/(search|cse).*[&\?]q=/) || loc.match(/\/search\.yahoo.*search.*[&\?]p=/) || loc.match(/ask.com.*\/web.*[&\?]q=/) || loc.match(/bing.com\/search.*[&\?]q=/) || loc.match(/aol\/search.*(query|q)=/))
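The condition above is also a usable fingerprint for the script itself. The following is an added example (not HitmanPro’s code) that ports the five JavaScript regex literals to Python, so a responder can test which URLs the redirect fires on, and walks a directory tree for overlay.xul files containing the quoted fragments. The sample profile tree it builds in a temporary folder is constructed, reusing the GUID-named folder from the path shown earlier.

```python
# Added example (not HitmanPro's code): locate Firefox overlay.xul scripts that
# carry the XULRunner search-redirect trigger quoted in the post, and port the
# trigger's regular expressions to Python so a responder can see which URLs it
# fires on. The sample profile directory is constructed in a temp folder.
import os
import re
import tempfile

# The JavaScript regex literals from overlay.xul, translated one-to-one to Python.
TRIGGER_PATTERNS = [
    re.compile(r"google.*/(search|cse).*[&?]q="),
    re.compile(r"/search\.yahoo.*search.*[&?]p="),
    re.compile(r"ask.com.*/web.*[&?]q="),
    re.compile(r"bing.com/search.*[&?]q="),
    re.compile(r"aol/search.*(query|q)="),
]

# Raw fragments of the quoted condition; any one of them in an overlay.xul flags the file.
JS_FRAGMENTS = [
    r"loc.match(/google.*\/(search|cse).*[&\?]q=/)",
    r"loc.match(/bing.com\/search.*[&\?]q=/)",
    r"loc.match(/\/search\.yahoo.*search.*[&\?]p=/)",
]


def is_hijacked_search_url(loc: str) -> bool:
    """Would the redirect script fire on this location?"""
    return any(p.search(loc) for p in TRIGGER_PATTERNS)


def find_redirect_overlays(root: str) -> list:
    """Walk a profile or extension tree and return overlay.xul files carrying the trigger."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != "overlay.xul":
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if any(frag in text for frag in JS_FRAGMENTS):
                hits.append(path)
    return sorted(hits)


def build_sample_tree() -> str:
    """CONSTRUCTED: one benign overlay and one carrying the quoted trigger condition."""
    root = tempfile.mkdtemp(prefix="xul-demo-")
    benign = os.path.join(root, "extensions", "goodaddon", "content")
    bad = os.path.join(root, "{2C02AAE7-C9F9-4B88-8233-CD0895C71420}", "content")
    os.makedirs(benign)
    os.makedirs(bad)
    with open(os.path.join(benign, "overlay.xul"), "w", encoding="utf-8") as fh:
        fh.write('<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">'
                 "<script>window.addEventListener('load', function () {}, false);</script></overlay>")
    with open(os.path.join(bad, "overlay.xul"), "w", encoding="utf-8") as fh:
        fh.write("<overlay><script>var loc = content.location.href;\n"
                 "if (loc.match(/google.*\\/(search|cse).*[&\\?]q=/) || "
                 "loc.match(/bing.com\\/search.*[&\\?]q=/)) { /* redirect */ }\n"
                 "</script></overlay>")
    return root


if __name__ == "__main__":
    for url in ["http://www.google.com/search?hl=en&q=hitmanpro", "http://www.google.com/"]:
        print(url, "->", is_hijacked_search_url(url))
    print(find_redirect_overlays(build_sample_tree()))
```

Point find_redirect_overlays() at the user’s Firefox profile folder or at the random-named folder under Application Data described above. A hit is a reason to look at the add-on list, not proof on its own; HitmanPro’s removal also covers the folders and registry keys the script does not touch.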

To manually determine whether or not your Firefox browser contains the malicious XULRunner add-on, click in Firefox on the Tools menu and select Add-ons:

To get rid of this malware, HitmanPro build 159 (or newer) will detect and thoroughly remove the XULRunner malware, including its files, folders and registry keys.

Changelog
Full release notes of HitmanPro 3.6.0.159:

  • ADDED: Windows 8 Release Preview support.
  • ADDED: Detection and removal of XULRunner redirect scripts.
  • ADDED: /fb command-line option to perform Force Breach.
  • ADDED: HitmanPro switches the desktop to ensure visibility. Some ransomware uses a dedicated desktop to prevent applications from popping up.
  • IMPROVED: Force Breach to kill more processes.
  • IMPROVED: Force Breach now works under SYSTEM or SERVICE account.
  • IMPROVED: Detection and removal of ZeroAccess/Sirefef CLSID variant.
  • IMPROVED: Improved removal of MaxSS bootkit.
  • IMPROVED: Improved Volume Boot Record (VBR) handling.
  • FIXED: A problem where Default scheduled scan would not scan for cookies.
  • FIXED: SafeBoot Minimal was not working.
  • FIXED: Behavioral scoring on WOW64 uninstall keys.
  • FIXED: Compatibility issue with Dataplex caching software from NVELO.
  • UPDATED: Portuguese language.
  • UPDATED: Internal white lists.

Downloads

32-bit: http://dl.surfright.nl/HitmanPro36.exe
64-bit: http://dl.surfright.nl/HitmanPro36_x64.exe


FBI relaunches DNSChanger cleanup campaign

April 24, 2012

The FBI has relaunched its campaign to warn that hundreds of thousands of individuals could lose access to the internet come July 9 unless they disinfect and remove the DNSChanger malware off their computers. Part of the new campaign is a website of the DNS Changer Working Group (DCWG) that helps users determine if their machine is infected with the DNSChanger malware.

Malware
The DNSChanger malware changes the DNS server settings of the computer, making it part of a botnet. The malicious DNS server setting causes web browser redirects so that the botnet owners were able to manipulate internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

In November 2011 the FBI seized the rogue DNS servers and replaced them with legitimate servers in the hope that users who were infected would not have their Internet access disrupted. These servers were originally to be kept online until March 8, but an extension was filed with the U.S. Court because a significant number of computers still remained infected. The extension is set to end on July 9 and it appears that there won’t be another one.

Remediation
The DNSChanger Working Group posted a list of software, which includes HitmanPro, that can be used to fix, remove, and recover from DNSChanger malware: http://www.dcwg.org/fix/
