My friend Lithium has been blogging about the recent wave of malware being distributed by emails. There seem to be 2 differentiated campaigns right now:
1- Emails that have links to compromised web sites (no attachments)
2- Emails that have a .zip/exe attachment
As I was working on some of our customers computers (they got infected when clicking an email from UPS, even when they never shipped anything…) I realiced how bad this actually is. The people think that they are being infected by the rogue antivirus programs (antivirus xp, antivirus 2009, 2009 antivirus, aav,… whatever they decide to promote) but the origin of the infection itself is much worst than that:
The file received on the email is actually a variant of ZTOP or Sinowal (name changes depending on AV vendor) These trojans have self update, key logging and remote control capabilities. Once installed, they “Phone home” to download updated commands. They do this periodically.
I ran one of them at one of my virtual machines. For a few seconds, nothing happened and I was even tempted to run it again. The the trojan connected to russia (hxxp://blatundalqik.ru/panama/odessa.bin) and downloaded new instructions. Inmediatelly, my virtual machine began closing applications, and before it restarted on its own the desktop background changed to the popular “your computer is infected”.
Once the computer restarted, I got one of the variants of xp antivirus running and my real antivirus was just dead. Constant warnings where coming from the task bar.I have seen this warnings hundreds of times. They are annoying, but usually they are not dangerous. This time is different.
What actually happened is that the trojan had installed itself (ntos.exe, crypts.dll, wnspoem folder and video/audio.dll files) and after calling home it was ordered to install xp antivirus. They ordered to install xp antivirus the same way they could have ordered to silently monitor the user browsing and capture any bank or credit card information. Tomorrow they may decide that they need spamming computers, or to do a DOS on a company… all they have to do is change the configuration file. All the infected zombies will follow orders!
Once ntos.exe and crypts.dll installs in a computer, the computer no longer belongs to the user. Using root kit technologies, the file will hide itself from the user, and only advanced rootkit detectors will be able to reveal the real problem. The trojan also runs from a temporary file on the temp folder, while crypts.dll monitors that the required registry entries to load it on restart are still present. The computer is now part of a botnet, another zombie to be used as needed.
About the xp antivirus infection? It’s anoying, you may have to fix a few registry entries to gain full desktop functionality but unless you go and buy their thing, they are more or less harmless (at least from a tech point of view, I’m sure the user will see that being worst than having a silent trojan)
Only the people controlling the hxxp://blatundalqik.ru server will know the actual extend of the infection. Besides the pop-ups and attempts to get your credit card information, the trojan could be recording your every key stroke, logging your visits to pay your bills, even taking screen shots of your applications; while all your confidential information is conveniently backed up in a server in Russia, should it ever be needed by some one (other than you)
The overload of xp antivirus and similar calls to the antivirus companies has also the effect of saturating their resources, having to dedicate more and more time to manual removal of infections, to keep the customer happy, while the real malicious codes are lurking on the background, undetected.
