Archive for October, 2010

Oct 22 2010

Tracking a Zeus botnet that updates like Conficker

Published under Security Research

In recent days, new Zeus variants have appeared that update themselves the way Conficker does. Drawing on its experience analyzing and monitoring Conficker, Bkis has been tracking this Zeus botnet. According to our statistics, the botnet contains about 18,752 zombies in 153 countries, 34 percent of them in the USA.


The percentage distribution of zombies

Top 10 infected countries

When users visit websites hosting malware, or legitimate websites that hackers have compromised, a virus Bkav detects as W32.ZbotL.Worm is loaded onto their computers through vulnerabilities in IE, Firefox, Adobe products, Flash Player and similar software.

To keep the botnet alive, Zbot drops a file-infecting virus, W32.Licat.PE, onto the system. Licat infects executable files on the system; each time an infected file runs, the Licat code inside it connects to randomly generated domains that serve the latest Zbot update.

The generated domains use the top-level domains .biz, .com, .info, .org and .net.

Licat takes the current time from the GetSystemTime function and feeds it into an algorithm that generates domain names; the algorithm produces 1,020 domains per day. When a Licat-infected file is executed, it tries to connect to 800 of those 1,020 domains.

If one of these domains belongs to the attacker, a new variant is downloaded. Licat checks the signature on the downloaded file to verify that it is a genuine new Zbot, and only then executes it.
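To make the tracking approach concrete, here is an added Python sketch (not Bkis's code and not Licat's actual algorithm) of a date-seeded domain generator using the parameters the post gives: five TLDs, 1,020 candidates per day, 800 tried per run. The MD5-based label construction and the choice of "the first 800" are assumptions made for illustration. What it shows is that because the only input is the date, a tracker who has recovered the real algorithm can compute every day's domains in advance and register or sinkhole some of them to count infected hosts.

```python
import hashlib
from datetime import date, timedelta

# Parameters stated in the post: five TLDs, 1,020 candidates per day, 800 tried per run.
TLDS = (".biz", ".com", ".info", ".org", ".net")
DOMAINS_PER_DAY = 1020
DOMAINS_TRIED = 800


def candidate_domains(day_iso, count=DOMAINS_PER_DAY):
    """All candidate domains for one calendar day (day_iso = 'YYYY-MM-DD').

    The only input is the date (GetSystemTime in Licat's case), so anyone who
    knows the algorithm can compute the list ahead of time. The MD5-based
    label below is an assumption made for this illustration, not Licat's scheme.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        seed = "{:%Y-%m-%d}:{}".format(day, i).encode()
        label = hashlib.md5(seed).hexdigest()[:12]   # assumed construction
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def domains_tried(day_iso, count=DOMAINS_TRIED):
    """The subset a bot contacts on a run (800 of 1,020 per the post). Which
    800 the real bot picks is not known here, so the first 800 are assumed."""
    return candidate_domains(day_iso)[:count]


def tracker_plan(start_iso, days, already_registered=frozenset()):
    """For each day from start_iso, the tried domains a tracker still has to
    register (or ask registrars to block) to observe or sinkhole the bots."""
    start = date.fromisoformat(start_iso)
    plan = {}
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        plan[day] = [d for d in domains_tried(day) if d not in already_registered]
    return plan


if __name__ == "__main__":
    today = "2010-10-22"
    print(len(candidate_domains(today)), "candidates; first tried:", domains_tried(today)[:3])
    print({d: len(v) for d, v in tracker_plan(today, 3).items()})
```

Two properties matter for a tracker: the list is fully determined by the date (the same call returns the same domains, a different day returns different ones), and the per-day cost of pre-registration is bounded by the number of domains the bot actually tries, not by the full candidate set.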


Zeus botnet working diagram

By setting up a honeypot and the Rada system, as we did to monitor Conficker, we can count the zombies exactly and keep close track of the botnet's development.

According to our statistics, the botnet is growing quite fast. We will continue to update the statistics in upcoming entries.

Le Minh Hung
Senior Malware & Security Researcher

Update: According to the latest statistics, the number of zombies has reached 20,553.


Oct 19 2010

Posing as a Stuxnet removal tool to “remove” the hard disk's data

Published under Security Research

Stuxnet, the first Trojan to exploit the Windows shortcut vulnerability, has recently been spreading in the wild. A series of expert analyses and many forum threads on Stuxnet have shown how critical this worm is. Anxious users have been searching the Internet for Stuxnet removal tools. However, besides the good tools provided by Microsoft, some antivirus companies and the IT community, there are many fraudulent ones, created to spread malicious code on a large scale.

Recently, our honeypot system detected a particularly dangerous counterfeit tool: instead of cleaning Stuxnet, it wipes everything on drive C.

Picture 1: Posing as Microsoft’s tool

Picture 2: The tool generates a .bat file that carries out the malicious behaviour

Bkav detects the Trojan as W32.FakeStuxer.Trojan.

To avoid having to reinstall Windows and losing important data, users should keep their antivirus software updated to the latest version, and should be cautious with tools offered on forums.

Nguyen Van Sao
Malware Analyst

Update: In his comment, Freddy suggested that this virus may originate from Germany.


Oct 13 2010

Sophisticated trick impersonating YouTube to spread malware

Published under Security Research

What would you do on receiving a video link from a friend with the message “I told you I got an iPhone4 for free :))”, like this one:

Figure 1: Message from a friend

“Youtube.com” is a well-known and trusted domain, so plenty of users will click this link to see the video. With that one click, they have been tricked into spreading the virus. The trick is relatively sophisticated: the attackers replace the dot (“.”) with its percent-encoded form “%2E”, which the browser still decodes as a dot. So the host you actually connect to is not “youtube.com” but “youtube.com.checkconfig.info”, in which “youtube.com” is merely a subdomain of the attacker's domain checkconfig.info.
This link points to a perfectly faked YouTube:

Figure 2: YouTube is faked in a sophisticated way
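The decoding step is the whole trick, so here is an added Python example (not from the original post) that extracts the host a browser would actually connect to and flags a brand name that appears only as a subdomain of someone else's domain. The sample URL is constructed from the host quoted above; the two-label "registrable domain" rule is a simplification, and a real implementation would consult the Public Suffix List.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample, modelled on the host quoted in the post (youtube.com.checkconfig.info).
SAMPLE_URL = "http://youtube.com%2Echeckconfig%2Einfo/?video=flash&vid=thr2503"


def effective_host(url):
    """Host a browser actually connects to.

    Browsers percent-decode the host component before resolving it, so %2E
    becomes '.'; urlsplit() does not decode it, which is why a naive check on
    the raw netloc is fooled.
    """
    netloc = urlsplit(url).netloc
    host = unquote(netloc).rsplit("@", 1)[-1]      # drop user:pass@
    host = host.split(":", 1)[0]                   # drop :port
    return host.rstrip(".").lower()


def registrable_domain(host):
    """Last two labels. A simplification assumed for this example; a real check
    would use the Public Suffix List so that e.g. example.co.uk is handled."""
    return ".".join(host.split(".")[-2:])


def analyze_link(url, brands=("youtube.com",)):
    """Report the decoded host, whether the raw host hid dots behind %2E, and
    any well-known domain that appears only as a subdomain of another domain."""
    raw_netloc = urlsplit(url).netloc
    host = effective_host(url)
    reg = registrable_domain(host)
    spoofed = None
    for brand in brands:
        owned = host == brand or host.endswith("." + brand)
        if not owned and host.startswith(brand + ".") and reg != brand:
            spoofed = brand
            break
    return {
        "host": host,
        "registrable": reg,
        "encoded_dots": "%2e" in raw_netloc.lower(),
        "spoofed_brand": spoofed,
    }


if __name__ == "__main__":
    print(analyze_link(SAMPLE_URL))
```

Any link filter that compares the raw netloc against an allowlist will see "youtube.com%2E..." and may pass it; the check has to run on the decoded host, and then on the registrable domain rather than on the leftmost labels.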

However, to watch the clip you are told to download and install Adobe Flash Player, which is in fact a virus written in AutoIt:

Figure 3: Fake Adobe Flash Player setup

This virus (detected by Bkav as W32.Faketube.Worm), once loaded, will:
- Copy itself to the %Startup% folder as “Adobe.exe” so that it runs at Windows startup.
- Change the default IE homepage to promote the website: http://com[removed]osy.com/
- Automatically send messages with malicious links via popular chat programs. Chat programs used by the virus:

  • Yahoo! Messenger
  • AIM
  • Windows Live Messenger
  • Windows Messenger

- Message contents:

  • “is it cool :D”
  • “see my new clip on Youtube =))”
  • “I told you I got an iPhone4 for free :)) “
  • “my new iPad is coming ;;) “

- These messages carry a link to the fake YouTube:

http://youtube.com%2Ech[removed]ckconfig%2Einfo/?video=flash&vid=thr2503

- Downloads other malware and updates itself via the following links:

http://174.121.2.58/~ntp[removed]duc/update/cw2010.exe

http://174.121.2.58/~ntp[removed]duc/update/CWcount.php

Nguyen Cong Cuong
Senior Malware Researcher

Sincere thanks to Nguyen Hong Quang for his malware analysis.


Oct 12 2010

Details of MS10-061: Printer Spooler Vulnerability

Published under Security Research

MS10-061 is one of the four vulnerabilities exploited by the Stuxnet worm. It lies in the Windows Print Spooler service: by sending a crafted print request over RPC, a remote user can execute arbitrary code on the system running the service.

The vulnerability stems from the RpcStartDocPrinter (Opnum 17) function.

The DOC_INFO_CONTAINER structure it receives contains a pDocInfo1 pointer to a DOC_INFO_1 structure, whose pOutputFile member is an optional pointer to a string naming an output file. Because that name, including its extension, is never validated, the file written can be of any type, including an executable. Once RpcWritePrinter (Opnum 19) is called, the data supplied by the client is written to that output file.

So, by combining RpcStartDocPrinter and RpcWritePrinter, a remote user can write a file with arbitrary content onto the vulnerable system (the working directory is %SystemRoot%\system32).

The attacker's remaining problem is how to execute the planted file. HD Moore of Metasploit found that the NetrJobAdd (Opnum 0) function of the Task Scheduler RPC interface is well suited to this task: through the AT_INFO structure passed to it, a remote user can schedule the execution of the file previously written to system32.
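As an added illustration (not Microsoft's patch and not spooler code), the following Python function shows what validating pOutputFile would have to mean: accept only a bare file name, anchor it inside the spool directory, and reject traversal, absolute and UNC paths, alternate data streams, reserved device names and executable extensions. The spool directory and the extension list are assumptions; Windows-style paths are handled with ntpath so the code runs on any OS.

```python
import ntpath

# Allowed directory and extension list are assumptions for this example.
SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".ps1"}
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})


class OutputFileRejected(ValueError):
    """Raised when a client-supplied output file name must not be honoured."""


def resolve_output_file(p_output_file, base_dir=SPOOL_DIR):
    """Return the absolute path the service may write to, or raise OutputFileRejected.

    Mirrors, in miniature, the checks the unpatched path lacked: the client
    chose the name (and so the extension) and it landed in the spooler's
    working directory. Only a bare file name is accepted; it is anchored inside
    base_dir and re-checked after normalisation.
    """
    if not p_output_file:
        raise OutputFileRejected("empty name")
    name = p_output_file.replace("/", "\\")
    # Windows silently strips trailing dots and spaces, so "evil.exe." would
    # become evil.exe on disk; normalise before looking at the extension.
    name = name.rstrip(". ")
    if not name:
        raise OutputFileRejected("name is only dots or spaces")
    if ntpath.basename(name) != name:
        raise OutputFileRejected("directory components, drive or UNC prefix not allowed")
    if ":" in name:
        raise OutputFileRejected("alternate data stream syntax not allowed")
    stem, ext = ntpath.splitext(name)
    if stem.upper() in RESERVED_NAMES:
        raise OutputFileRejected("reserved device name")
    if ext.lower() in EXECUTABLE_EXTS:
        raise OutputFileRejected("executable extension " + ext)
    full = ntpath.normpath(ntpath.join(base_dir, name))
    if not full.lower().startswith(ntpath.normpath(base_dir).lower() + "\\"):
        raise OutputFileRejected("escapes spool directory")
    return full


def accepts(p_output_file, base_dir=SPOOL_DIR):
    """True if the name would be honoured, False if it is rejected."""
    try:
        resolve_output_file(p_output_file, base_dir)
        return True
    except OutputFileRejected:
        return False


if __name__ == "__main__":
    for candidate in ("job0001.spl", "evil.exe", "..\\..\\evil.exe", "report.txt:payload.exe"):
        print(repr(candidate), "->", "accepted" if accepts(candidate) else "rejected")
```

The point of the trailing-dot normalisation and the post-join re-check is that each is an evasion a name-only filter misses: "evil.exe." passes an extension check but lands as evil.exe, and a name that survives the earlier tests can still be rejected if the joined, normalised path does not stay under the spool directory.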

This vulnerability was fixed in Microsoft's Security Bulletin for September 2010; Windows users should apply the patch.

Le Manh Tung
Senior Security Researcher


Oct 08 2010

6 big names impersonated to spread malware

Published under Security Research

Google, Facebook, Twitter, Hi5, Amazon and Hallmark are the six companies impersonated in this malware campaign. It is a new variant of malware we have analyzed before.

Trading on these companies' reputations, the hacker distributes bogus emails carrying malicious code. Many people fall for this kind of phishing because these established companies really do email their users regularly: social networking services like Facebook, Twitter and Hi5, e-commerce companies like Amazon and Hallmark, and Google, which regularly emails job candidates. Users are therefore easily tricked into opening such emails.

So this remains “fertile land” for criminals spreading viruses via spam. They keep changing the spam's content to entice users into opening the attached file, which is in fact a virus.

Figure 1: All six “targets” appear in the virus's source code

Figure 2: Faking Google

Figure 3: Faking Facebook

Figure 4: Faking Twitter

Figure 5: Faking Hi5

Figure 6: Faking Amazon

Figure 7: Faking Hallmark E-Card

The malware arrives as an attachment crafted to make users curious enough to open it.

Upon execution, the malware will:

1. File operations:
  • Drops the file %Windir%\MFPTKPAR.dll
  • Copies itself to %SystemDir%\HPWuSchedv.exe
2. Registry changes, under [HKCU\Software\Microsoft\Windows\CurrentVersion\Run], to load the virus at Windows startup:
  • HP Software Updater v2.7 = “%SystemDir%\HPWuSchedv.exe”
  • Pwulinubesida = “rundll32.exe “%Windir%\MFPTKPAR.dll”,Startup”

3. Stops the Error Reporting and Security Center services.

4. Copies itself to shared folders under names posing as installers of cracked software:
  • Adobe Photoshop CS4 crack.exe
  • Windows 7 Ultimate keygen.exe
  • K-Lite Mega Codec v5.5.1.exe
  • …..

5. Copies itself to USB drives as autorun.inf to spread.

6. Deletes the registry keys and files of several popular antivirus products and terminates their processes.

7. Constantly sends emails with fake content and the virus attached, to spread further.

8. Connects to the server 206.137.17.89 on port 1049.
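As an added example (not part of the original post), the Python below parses a constructed `reg query` dump of the HKCU Run key containing the two values listed in step 2 plus a benign entry, and applies two heuristics: a per-user autorun whose image lives inside the Windows directory, and rundll32 loading a DLL from outside System32. The sample text, the hard-coded C:\Windows paths standing in for %Windir% and %SystemDir%, and the heuristics themselves are assumptions to tune for your environment.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output: the two values listed in step 2 (with %SystemDir%/%Windir% already
# expanded to C:\Windows paths, an assumption) plus one benign entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    HP Software Updater v2.7    REG_SZ    C:\Windows\System32\HPWuSchedv.exe
    Pwulinubesida    REG_SZ    rundll32.exe "C:\Windows\MFPTKPAR.dll",Startup
"""

WINDOWS_DIR = "c:\\windows\\"                                      # assumed %Windir%
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# reg query prints:  <indent><value name><spaces><REG_type><spaces><data>
_ENTRY_RE = re.compile(r"^\s+(?P<name>.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# rundll32[.exe] <dll>,<export>  with optional quoting and optional path to rundll32
_RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)


def parse_run_entries(reg_text):
    """(value name, data) pairs from reg query output; header and blank lines are skipped."""
    entries = []
    for line in reg_text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data")))
    return entries


def image_path(command):
    """Executable named first on a command line (quoted or bare)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def rundll32_target(command):
    """(DLL path, export name) if the command is a rundll32 invocation, else None."""
    m = _RUNDLL_RE.match(command)
    return (m.group(1).strip(), m.group(2)) if m else None


def suspicious_run_entries(reg_text):
    """Apply two heuristics (assumptions, tune to your environment):
    1. rundll32 loading a DLL that is not under System32/SysWOW64;
    2. a per-user (HKCU) autorun whose image lives inside the Windows directory,
       where third-party updaters do not normally install."""
    findings = []
    for name, data in parse_run_entries(reg_text):
        target = rundll32_target(data)
        if target:
            dll, export = target
            if not dll.lower().startswith(SYSTEM_DIRS):
                findings.append((name, f"rundll32 loads {dll} (export {export}) from outside System32"))
            continue
        img = image_path(data)
        if img.lower().startswith(WINDOWS_DIR):
            findings.append((name, f"per-user autorun points into the Windows directory: {img}"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"[!] {name}: {reason}")
```

Both flagged entries survive a casual glance precisely because they borrow a plausible vendor name or a system-looking path; checking where the image actually lives, rather than what the value is called, is what separates them from the benign OneDrive entry.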

If one day you find a similar email in your inbox, be cautious about opening it.

Nguyen Hong Quang and Nguyen Cong Cuong
Malware Researchers

