Archive for March, 2010

Mar 31 2010

Fake AV takes advantage of LuAnn de Lesseps’ divorce

Published under Security Research


A new wave of Blackhat SEO attacks is targeting the divorce of LuAnn de Lesseps, the actress in The Real Housewives of New York City, a reality TV series.


FakeAV exploits LuAnn de Lesseps’ divorce

The FakeAV continues to take advantage of the website www.xorg.pl to register domains for the attack, such as gochecksys1.xorg.pl, go-clean-sys.xorg.pl, etc. This is similar to the BHSEO attack that takes advantage of “Iceland volcano 2010”.

Website xorg.pl is used to register free sub-domains for FakeAV

The FakeAV has been added to the Bkav database. We are still tracking the malware for more information.

Bkis Taskforce Team


Mar 31 2010

Additional information about file replacing virus

Published under Security Research

After the two entries about the file replacing virus, I received feedback from Mary Landesman of ScanSafe. I have re-checked and discovered that it is an interesting finding. Thank you, Mary. Now I will talk about it.

To illustrate an entry with paths and screenshots, it is my wont to use the latest variant of the malware. Indeed, I did not think that the virus had changed. The previous variant, which I debugged, overwrites the Adobe, Java, etc. updaters as described here. (TrendMicro also published some analysis of this updater file replacing malware.)

But in the latest variant, while the malware continues to overwrite the Java updater, its strategy with Adobe has changed. It drops a new file in the same folder as the program, disguised as the Adobe updater. The file is named AcrobatUpdater.exe, the same base name as AcrobatUpdater.dll, a file that already exists there. The newly generated file has the same icon and version information as the real Acrobat Updater.

As you can see, the malware has changed to disguise itself better. In the previous entry, I described three generations of file replacing malware, with the updater file replacing virus as the 3rd generation. The 1st gen overwrites system files, which easily corrupts the system; the 2nd gen overwrites start-up program files, which easily breaks the programs’ operation; and most recently, the 3rd gen overwrites the updater files of some programs, which does not affect the software’s operation but leaves the update components unable to function. With the latest malware variant, I would call it the 3.5th generation.

Exactly as I wrote in the previous blog: “They are still changing the infection methods as bad guys never stop finding ways to introduce troubles to AVs”.

Nguyen Cong Cuong

Senior Malware Researcher


Mar 27 2010

Malware Overwrites Software Updaters – New trend

Published under Security Research

Two days ago I wrote an article about the new trend of file replacing viruses. However, as I was busy, I did not have much time to go into detail then. For this I may have to apologize, because some of you, even people with security knowledge, may think there is nothing new in it. In fact, the new thing here is the big change in the strategy the viruses use to easily fool antivirus experts. Today, with other matters settled, I have more time to summarize our team’s 4 years of tracking and studying the development of this virus type. Hopefully, you will get an overview of these viruses as well as their new trend.

First emerging in 2007, this type of virus has undergone 3 development stages:

The first stage (2007) – System-file replacing virus:

The viruses replace Windows system files such as explorer.exe, userinit.exe, winlogon.exe, rpcss.dll, lpk.dll, comres.dll, etc. To keep the system operating normally, the viruses make a backup of each replaced file and hand over to that backup once they themselves have been executed. If we try to remove the infection by deleting the infected files without restoring the replaced files, the whole computer system will be broken. Unfortunately, almost all AVs have this problem. We already gave a warning on this issue at the APCERT AGM.

The second stage (2009) – Startup-program file replacing virus:

Instead of replacing system files, the bad guys aim their arrows at startup programs. These programs are usually registered under the following 2 keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The viruses still make a backup of the replaced files (as in the first stage), and AV programs still make the same mistake of deleting the infected files without restoring the critical files.

The third stage (2010) – Software-Updater file replacing virus:

Recently there is a rising number of newly emerged viruses that overwrite software updaters. Many would mistakenly classify them as second-stage viruses. File replacing viruses in this period disguise themselves much better by faking icons, version information, etc., and overwrite the updaters of some popular software (Adobe, DeepFreeze, Java, etc.).

Unlike the two previous stages, they do not make any backup of the replaced files. They only attack the software updaters and thus do not affect the software’s operation. In addition, because the icons and version information are faked by the viruses, we cannot determine whether or not a system has been infected by using tools such as Autoruns or Process Explorer.

Obviously, this new strategy is causing many difficulties for experts.
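Since icons and version strings are exactly what these viruses fake, a defender cannot rely on what Autoruns or Process Explorer display; the binary’s Authenticode signature is the property the virus cannot copy. The script below is an added example written for this archive, not Bkis code: it walks the two Run keys named above (2nd-stage targets) and the Reader folder (3rd-stage targets), flags any updater-looking .exe without a valid signature, and also flags the 3.5th-generation trick from the previous entry, an .exe dropped beside a .dll of the same base name. The Reader folder path is an assumption; adjust it to the installation being checked.

```powershell
# Added example (not from the Bkis posts). Assumed default Reader 9 folder; override with -ReaderDir.
param([string]$ReaderDir = "C:\Program Files\Adobe\Reader 9.0\Reader")

function Test-UpdaterFile {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    [pscustomobject]@{
        Path       = $Path
        Company    = $ver.CompanyName          # trivially faked, shown for comparison only
        Version    = $ver.FileVersion          # trivially faked, shown for comparison only
        SigStatus  = $sig.Status               # 'Valid' only for an intact, vendor-signed file
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Version info naming a vendor but no valid signature is the 3rd-stage disguise.
        Suspicious = ($sig.Status -ne 'Valid')
    }
}

# 2nd-stage targets: every executable registered under the two Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$candidates = @(foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                # Strip surrounding quotes and any arguments to keep only the .exe path.
                if ($_.Value -match '^"?([^"]+?\.exe)') { $Matches[1] }
            }
    }
})

# 3rd-stage targets: updater executables in the Reader folder.
$candidates += @(Get-ChildItem -Path $ReaderDir -Filter '*Updater*.exe' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.FullName })

# 3.5th-generation trick: an .exe whose base name matches an existing .dll in the same folder
# (AcrobatUpdater.exe beside AcrobatUpdater.dll).
$dllNames  = @(Get-ChildItem -Path $ReaderDir -Filter '*.dll' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.BaseName })
$shadowExe = @(Get-ChildItem -Path $ReaderDir -Filter '*.exe' -ErrorAction SilentlyContinue |
               Where-Object { $dllNames -contains $_.BaseName } |
               ForEach-Object { $_.FullName })

($candidates + $shadowExe) | Sort-Object -Unique | Where-Object { Test-Path $_ } |
    ForEach-Object { Test-UpdaterFile $_ } |
    Format-Table -AutoSize
```

Any row with Suspicious set to True, and any file listed only because it shadows a .dll, deserves a hash comparison against a clean installation before it is trusted.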

You can visit the following links for more details:
http://blog.bkis.com/en/malware-faking-adobe-update
http://www.pcworld.com/businesscenter/article/192422/new_malware_overwrites_software_updaters.html
http://www.computerworld.com/s/article/9174126/New_malware_overwrites_software_updaters
http://news.softpedia.com/news/Trojan-Masquerades-as-Adobe-Reader-Updater-Component-138453.shtml

These are the 3 stages of file replacing virus development. They are still changing their infection methods, as bad guys never stop finding ways to cause trouble for AVs. This requires AV vendors to continually improve their software rather than just “detect and delete” infected files, as they do now.

Nguyen Cong Cuong

Senior Malware Researcher


Mar 23 2010

Iceland Volcano and Blackhat SEO

Published under Security Research

Another BHSEO attack is targeting users searching with keywords related to the volcanic eruption in Iceland, the first in 200 years.

Our findings reveal that if users Google the keywords “Iceland volcano 2010”, they can be redirected to malicious websites.

In this wave of attack, the malicious websites fake Windows’ interface and have domain names such as the following:

In fact, www.xorg.pl is a website that allows free registration of xorg.pl subdomains. Taking advantage of this, the hacker creates countless domain names such as dibod81.xorg.pl, dibod76.xorg.pl, gertub11.xorg.pl, etc. to avoid Google Safe Browsing’s block. If Google blocks one domain, the hacker creates another.

Usually, the different domain names resolve to different server IP addresses.

Bkis Taskforce Team


Mar 23 2010

Malware faking Adobe update

Published under Security Research

Recently, bad guys have spread massive numbers of malware variants that carry the same icons and version details as the update programs of popular software, in order to bypass antivirus software as well as system analysts. Once they have infected a victim’s computer, the malware overwrites those update programs. Because the icon and version information is faked, ordinary users, and sometimes even virus researchers themselves, are easily “fooled” and skip over such malware without raising an eyebrow.

Figure 1: The malware’s Run key entry and processes as shown by Autoruns and ProcessXP. The malware is hard to detect.

From analysis, we found that the malware is written in Visual Basic and fakes popular programs such as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, it immediately starts the following services: DHCP Client, DNS Client and Network Share, and opens a port to receive the hacker’s commands.

In this case, Acrobat Reader version 9 is imitated. The malware overwrites the AdobeUpdater.exe file in the folder Adobe/Reader 9.0/Reader. From our analysis, this is a new technique in which malware overwrites the update file of popular software.

Figure 2: Fake AdobeUpdater

Figure 3: Fake Java’s update

In such cases, the best advice for users is to update their antivirus software regularly to get the best support and protection from specialists.

This malware is detected as W32.Fakeupver.trojan by Bkav. Bkav customers are protected against the malware by the latest version of our antivirus software.

Analyst: Nguyen Cong Cuong
