New Virus Going Around

Mopquill

I'm no stranger to system security, and I know my way around both Windows 95 - 7, and CentOS/Debian Linux (I prefer Debian :P). I've got ESET Nod32 on my computer, a secure firewall on my router, and I use EMET to keep would-be-vulnerable programs in check. I hadn't gotten a virus on my own computer in around six or seven years.

The night before last, NameCheap posted an interesting status about fancy CSS3 that can create functional widgets and things without the need for JavaScript. JavaScript can be great when done right, but it slows load and execution times, so, the less, when it can be helped, the better. I click their link, and the first thing I see is a slideshow. I click the source for that, and then click to view the live demo, and suddenly, Firefox, Chrome, and Opera were all closed. Yes, I was using all three. Confused, I try to open Task Manager with Ctrl + Shift + Esc. Nothing happens. I hit it a few more times, and then I try Ctrl + Alt + Delete. "Start Task Manager" was *missing* from my options. I tried starting it via run and cmd, nothing. I go to it directly and double-click it to get "Task Manager has been disabled by your system administrator." I try making sure it's enabled in the group policy manager, taking ownership, nada. I can't use it.

Anyhow, I open up Process Explorer, which I have for occasions such as this, or when an svchost.exe is acting oddly, and I find a gibberish exe running. For some reason, ESET didn't even notice this thing get in, and it somehow got in my temp folder, as a bunch of .tmp files, which then assembled themselves into an EXE. Somehow, the temp files themselves didn't show up as viruses, just the completed EXE, and even then, ESET didn't stop it or quarantine it. Confused, I kill it myself with Process Explorer, use Unlocker to close its open handles, and then have ESET manually quarantine it. I upload a sample to VirusTotal to have it look, and only three of the things there even knew it was a virus (two of them McAfee, which normally sucks, and the other was Panda). I still couldn't use Task Manager, so I downloaded and ran the latest Combofix, and as soon as it was running, I could open Task Manager again, and it found and cleaned some files from my system. I ran a system-wide scan with ESET that then removed a bunch of infected files from all over my computer (it took like 20 hours), and had VirusTotal rescan my sample. Then, 7 recognized it as a virus, still not ESET. I sent the sample (double rar-ed and passworded so Gmail would let me send it) to ESET's sample reception thing, and I got this reply:

Dear Mopsy,

Thank you for your submission.
The detection for this threat will be included in our next signature update.

mdfewq206085.exe - Win32/TrojanDownloader.Prodatect.BL trojan
mdfewq206085.rar - unknown

Regards,

ESET Malware Response Team


Anyhow, it should be taken care of soon, but, this thing got past Firefox *and* ESET, which, don't get me wrong, is a fantastic anti-virus. Not a single thing has gotten past it before, and it's generally quite good about false positives. I *suspect* it used some exploit in Internet Download Manager, but I don't have any solid proof, only an error message I got from the second visit. I accidentally restored my tabs and opened the same page. I'm an idiot. XD I knew what it was going to do this time, though, and I was able to kill it before it was finished doing what it was doing, and ran Combofix to remove the traces. It still got in, though.

The VirusTotal link is here, and as of this posting, someone other than me has updated it, and 12 antiviruses now recognize it as a virus. I can re-upload my sample to have them update it later on, if anyone is interested and no one else has.

Anyhow, the URI I visited, that I believe to be the source of the virus (possibly a rogue advertiser) is posted below, but I urge none of you to visit it unless you have a reliable sandbox set up. This virus isn't particularly devastating, but it is quite intrusive at present, but maybe that was just me with IDM? I'm not eager to test it at the moment. Anyhow, I just figured I'd warn everyone that there's something going around. I hope none of you catch it. =]

DANGEROUS, POTENTIALLY INFECTED
http://www.gonzoblog.nl/2012/05/10-fresh-and-useful-pure-css3-tutorials-no-javascript/
 
Most people using this drop method of infection are after CC information and bank details... so why they would make such an obvious virus with so little "consequence" is puzzling.
 
Your guess is as good as mine, but, I almost wonder if they were testing the method or something. Don't get me wrong, once I suspected I was infected, I invalidated all my present cookies and didn't log into anything until I felt confident that my system was clean. It's entirely possible that I'm infected with some super virus, and myself and ESET and even Combofix are all completely unaware of it. I guess time will tell. :P

Indeed, possibly a new proof of concept.
 
Too bad you don't have a SHA-1 or MD5 of the file :\

Well, the SHA256 is on the virustotal page: 06b52f94b9a8de9519fc0453606e95353a6c773bd66947476429d5a5716f7660

But as I've said, I have a sample. Here's a whole mess of checksums:

300544 bytes

ADLER32: c73ce9b2
CRC32: c9924a3f
MD2: 71e9c4b1e65861579bc1c58a2a8422b5
MD4: 2186aabb2be2146ed038d8a1c7cc5e9f
MD5: dd4918e6e6c7121148a5ef9662d3d44b
SHA1: 9e8b78a71606f9bf13fcf2dc5900fbd378946cdc
SHA256: 06b52f94b9a8de9519fc0453606e95353a6c773bd66947476429d5a5716f7660
SHA384: f1459b2db7236168c86156c1775a567de025a4d98d37d452e5adfab670347bad4a5b2bb27f46563fd713356aceb7c011
SHA512: 39955e1f9a93698b6973e19fa53c0f29aa49bb43732ebce98c8c9e49d9af13544a77a6c83e4f67c50e59a39a340caccd505a56b5578bc9c40d6fcb9c5598a693
RIPEMD128: 9ed9f217a79632aeb93424f23d92b3c3
RIPEMD160: cbe0232530c5528b60a38ea8d103cee5b14b6971
TIGER128: 42dd1887ebc52752159e67bf0e181156
TIGER160: 42dd1887ebc52752159e67bf0e181156d85d0f27
TIGER192: 42dd1887ebc52752159e67bf0e181156d85d0f27d2d99915
GOST: 14ed774972b3a50ec3d7177dcf3090a4f5c47643e0430049265b7800a0aca8d6
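For anyone who receives a copy of the sample, the checksums above are only useful if they are actually compared against the file. The script below is an added example, not code from the thread: it embeds the posted values for mdfewq206085.exe, streams a file through every digest the Python standard library can reproduce (the RIPEMD-160 and MD4 entries depend on the OpenSSL build behind hashlib and are skipped when unavailable; TIGER and GOST are not attempted), and reports a match only when one of the SHA-2 digests agrees. CRC32, Adler-32 and MD5 agreeing on their own is treated as "weak-only", since those are trivial or cheap to collide and should not be the basis for declaring a file to be this sample. The `benign` bytes used for the self-check at the bottom are constructed here and are not the malware.

```python
"""Check a suspect file against the checksums posted in this thread.

Added example; the expected values are the ones posted above for
mdfewq206085.exe, the sample itself is not included.
"""
import hashlib
import sys
import zlib

# Values exactly as posted in the thread (size in bytes, hex digests).
POSTED_IOCS = {
    "size": 300544,
    "adler32": "c73ce9b2",
    "crc32": "c9924a3f",
    "md4": "2186aabb2be2146ed038d8a1c7cc5e9f",
    "md5": "dd4918e6e6c7121148a5ef9662d3d44b",
    "sha1": "9e8b78a71606f9bf13fcf2dc5900fbd378946cdc",
    "sha256": "06b52f94b9a8de9519fc0453606e95353a6c773bd66947476429d5a5716f7660",
    "sha384": "f1459b2db7236168c86156c1775a567de025a4d98d37d452e5adfab670347bad4a5b2bb27f46563fd713356aceb7c011",
    "sha512": "39955e1f9a93698b6973e19fa53c0f29aa49bb43732ebce98c8c9e49d9af13544a77a6c83e4f67c50e59a39a340caccd505a56b5578bc9c40d6fcb9c5598a693",
    "ripemd160": "cbe0232530c5528b60a38ea8d103cee5b14b6971",
}

# Only these are strong enough to identify a file on their own.
STRONG = ("sha256", "sha384", "sha512")
# hashlib may lack these depending on the OpenSSL provider; skip if so.
OPTIONAL = ("ripemd160", "md4")


def digest_chunks(chunks):
    """Compute size, Adler-32, CRC32 and the available hashlib digests
    over an iterable of byte chunks, so large files are not read at once."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256", "sha384", "sha512")}
    for algo in OPTIONAL:
        try:
            hashers[algo] = hashlib.new(algo)
        except ValueError:
            pass  # algorithm not provided by this OpenSSL build
    adler, crc, size = 1, 0, 0  # zlib's documented starting values
    for chunk in chunks:
        size += len(chunk)
        adler = zlib.adler32(chunk, adler)
        crc = zlib.crc32(chunk, crc)
        for h in hashers.values():
            h.update(chunk)
    out = {
        "size": size,
        "adler32": f"{adler & 0xFFFFFFFF:08x}",
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }
    out.update({a: h.hexdigest() for a, h in hashers.items()})
    return out


def digest_blob(data: bytes) -> dict:
    """Convenience wrapper for an in-memory buffer."""
    return digest_chunks([data])


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file from disk through digest_chunks."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return digest_chunks(chunks())


def compare(observed: dict, iocs: dict) -> dict:
    """Per-algorithm agreement for every algorithm present on both sides."""
    return {a: observed[a] == iocs[a] for a in iocs if a in observed}


def verdict(observed: dict, iocs: dict) -> str:
    """'match' if any SHA-2 digest agrees, 'weak-only' if only the
    non-cryptographic or broken checksums agree, otherwise 'no-match'."""
    agree = compare(observed, iocs)
    if any(agree.get(a) for a in STRONG):
        return "match"
    if any(v for a, v in agree.items() if a != "size"):
        return "weak-only"
    return "no-match"


if __name__ == "__main__":
    if len(sys.argv) == 2:
        obs = digest_file(sys.argv[1])
        for algo, ok in compare(obs, POSTED_IOCS).items():
            print(f"{algo:10} {'OK ' if ok else 'DIFF'} {obs[algo]}")
        print("verdict:", verdict(obs, POSTED_IOCS))
    else:
        # Self-check on constructed, harmless bytes (not the sample).
        benign = b"not the sample, just a constructed test buffer"
        print("verdict on benign buffer:", verdict(digest_blob(benign), POSTED_IOCS))
```

Run it as `python check_sample.py mdfewq206085.exe`; any row reported `DIFF` on a SHA-2 digest means the file is not the one the thread is describing, whatever the MD5 or CRC32 say.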

Indeed, possibly a new proof of concept.
That's what I was thinking. However, I wonder if letting an innocuous sample out for a bunch of people to report and get added to definition lists is the best way to go about that. You'd think it'd sort of give us the headstart for when they release a bigger, badder version of it.

It's not the virus itself I'd be worried about, more the method of delivery.
That's what I was thinking. However, I wonder if letting an innocuous sample out for a bunch of people to report and get added to definition lists is the best way to go about that. You'd think it'd sort of give us the headstart for when they release a bigger, badder version of it.


Thanks for those :). If we have time maybe my malware reversal team can decompile it. I'm not exactly sold that it is a brand new virus, or even a brand new breed of malware for that matter. I see it more likely it was a heavily encrypted/encoded malware than anything else.
 
It's not the virus itself I'd be worried about, more the method of delivery.
Well, since this one did very little but hide Task Manager (since it can be killed so apparently easily), I imagine a similar method of delivery with a much more robust payload would have been a terrible thing to discover all at once. Maybe the dev thinks they can form a new delivery to get past things yet again? Maybe they can, and they're purposefully using a nerfed version of it, or something. It's also possible that this virus would have been worse, but because ESET was already installed on my system and had kernel access, the virus could not get the same level of access? It's hard to say. I'm no virus expert.

Thanks for those :). If we have time maybe my malware reversal team can decompile it. I'm not exactly sold that it is a brand new virus, or even a brand new breed of malware for that matter. I see it more likely it was a heavily encrypted/encoded malware than anything else.
What is a malware reversal team? In any event, if you like, you can PM me your instant messenger username, and I can give you the file for your team to... reverse, or whatever. And it's certainly a new something. Near as I can tell, no one was aware of it until late the 3rd, maybe early the 4th, and even virustotal didn't have any old records on it. ESET said their next definition will include it in the threat list, as their current one did not. Something in all of this has to be new, or at least, that's how it sounds to me. =]


EDIT: Reverified it. 16/42, and ESET's one of them. =]