The old:
A few months ago, I received an e-mail from a spammer with the title "Video of Angelia Jolie XXX video". Knowing what to expect from the URL, I clicked on it safely. The site looked like every standard video-player website, such as YouTube. The video listed showed an explicit thumbnail that was only waiting for me to click the play button to get the next frame. So I clicked. Once I clicked, a message popped up asking me to download Adobe_Player9.exe. What else was there for me to do? I clicked it.
Behavior analysis:
Adobe_Player9.exe : MD5: 5c15d4b98a8af9d3f80d11e5876c65e0
Once executed, the malware unpacks three files into C:\Windows, among them 9129847.exe and new_driver.sys. It sets up an autorun value named "ttool" under HKEY_CURRENT_USER and then executes 9129847.exe.
Once 9129847.exe runs, it loads new_driver.sys, a kernel-mode driver that modifies kernel calls to hide 9129847.exe from detection (in other words, a rootkit).
The malware does more than this, but in outline that is its behaviour.
Remove and Detect:
A simple way to detect it if, like me, you don't run anti-virus software is to check the registry autoruns: run "msconfig", look at the startup entries, and if there is a value that executes 9129847.exe, delete it and reboot. Rebooting matters because the driver hides 9129847.exe only while it is loaded; once the autorun is gone the driver is not loaded again. After the reboot, go to C:\Windows and delete the two files (9129847.exe and new_driver.sys).
The new:
This week I found a few malware samples using Facebook and the names of various banks as a way to spread. Even though the samples use different packers, their behaviour is identical to that of the malware above, with slight modifications. To test how strong our security is, I uploaded the malware to virustotal.com and found that only one or two of the 33 anti-virus engines detected it. Maybe the test is wrong, since I am not sure whether VirusTotal keeps up with the updates or whether its test is valid. But it is pretty sad to see only two unpopular anti-virus products detect the malware while the rest wait to get infected. Someone needs to enlighten me on this.
Some sample MD5s:
Adobe_Player10.exe : bb1c0a7b83e60609fb63cce9bb85ee38
Adobe_Player11.exe : 353a2425e8632cfb6d75bf1b192ac9a7
****digicert.exe : 650c240b68e4275686c29586a2925fc7
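The checks described in "Remove and Detect" and the hash lists above can be scripted. The following is an added example, not code from the original post: it compares files against the MD5s listed on this page and flags Run-key autorun entries that match the indicators from the behaviour analysis (the "ttool" value name and the dropped files 9129847.exe and new_driver.sys). It assumes the autorun lives in the standard Run key (Software\Microsoft\Windows\CurrentVersion\Run, which is what msconfig's startup list draws on); the registry part only runs on Windows, the hashing and matching logic runs anywhere.

```python
import hashlib
import sys

# MD5 hashes the post lists for its samples (old section and new section).
KNOWN_SAMPLE_MD5 = {
    "5c15d4b98a8af9d3f80d11e5876c65e0": "Adobe_Player9.exe",
    "bb1c0a7b83e60609fb63cce9bb85ee38": "Adobe_Player10.exe",
    "353a2425e8632cfb6d75bf1b192ac9a7": "Adobe_Player11.exe",
    "650c240b68e4275686c29586a2925fc7": "****digicert.exe",
}

# Indicators from the behaviour analysis: the autorun value name the
# dropper creates and the files it drops into C:\Windows.
SUSPICIOUS_VALUE_NAMES = {"ttool"}
DROPPED_FILES = {"9129847.exe", "new_driver.sys"}

# Assumption: the autorun is a value under the standard Run key.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest):
    """Return the sample name for a listed MD5, or None if it is not on the list."""
    return KNOWN_SAMPLE_MD5.get(digest.strip().lower())


def find_suspicious_autoruns(entries):
    """entries: iterable of (value_name, command) pairs read from a Run key.
    The value name may carry a 'HIVE:' prefix as produced by read_run_keys().
    Returns [(value_name, command, reason), ...] for entries matching the IOCs."""
    hits = []
    for name, command in entries:
        bare_name = name.split(":", 1)[-1].lower()
        cmd = command.lower()
        reasons = []
        if bare_name in SUSPICIOUS_VALUE_NAMES:
            reasons.append("value name %r is the dropper's autorun name" % bare_name)
        for fn in sorted(DROPPED_FILES):
            if fn in cmd:
                reasons.append("command references dropped file %s" % fn)
        if reasons:
            hits.append((name, command, "; ".join(reasons)))
    return hits


def read_run_keys():
    """Windows only: enumerate the per-user and machine-wide Run keys."""
    import winreg  # standard library module, present only on Windows
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    entries = []
    for hive_name, hive in hives:
        try:
            key = winreg.OpenKey(hive, RUN_KEY_PATH)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append((hive_name + ":" + name, str(value)))
                index += 1
    return entries


def main(argv):
    # Registry check (Windows), then hash every file path given on the command line.
    if sys.platform == "win32":
        for name, command, reason in find_suspicious_autoruns(read_run_keys()):
            print("AUTORUN HIT: %s -> %s (%s)" % (name, command, reason))
    else:
        print("Registry check skipped: not running on Windows")
    for path in argv:
        digest = md5_of_file(path)
        print("%s  %s  %s" % (digest, path, classify_hash(digest) or "not a listed sample"))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python check_autorun.py C:\Windows\9129847.exe` on the suspect machine. A hash match is only useful against these exact samples; the new variants in this post differ by packer and so by hash, which is why the autorun and dropped-file indicators are checked separately from the MD5 list.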
Tips on how not to get infected:
1. Do not open anything unless you trust the file.
2. Turn off JavaScript in your browser by default; turn it on only when you know it is safe to use.
3. Do not open anything unless you trust the file.
4. Don't open anything you receive unexpectedly, including from your loved ones.
Answer to the earlier responses:
Some would say stop using MS Windows and just use Linux or a Mac.
It does not matter what OS you use: the most vulnerable component of the whole system is the human being. It's easier to exploit a person than to exploit the OS. Why? Because we tend to be careless, to trust easily, and to be curious.
Tags: Anti-Malware, malware, reverse engineering, tips on not getting infected