Thursday, 25 September 2014

VAWTRAK Plagues Users in Japan

VAWTRAK first made the rounds in August 2013 as an attachment to fake shipping notification emails. The attachment was a ZIP file containing a malicious file, detected as BKDR_VAWTRAK.A, which was initially known for stealing information from FTP and email clients. That 2013 variant stole credentials from several Windows email clients; more recent VAWTRAK variants have expanded their capabilities to a wider range of theft, including banking Trojan routines such as stealing banking credentials and credit card information.
What is the VAWTRAK malware family?
VAWTRAK is a family of online banking malware. It was originally spotted in August 2013 for its information theft routines, but more recent variants are known to steal banking credentials, most prominently in Japan.
Why is VAWTRAK noteworthy?
VAWTRAK is noteworthy because its routines have vastly "improved" from simple information theft to stealing banking data from certain banking institutions in Japan. It is also notable because its routines make malware cleanup difficult: it prevents users from running files related to antivirus software by adding specific registry entries to infected systems. It checks for various security software (including Trend Micro products) and downgrades the software's privileges to render its antivirus capabilities ineffective.
Despite these routines, VAWTRAK's behavior is not particularly innovative. Its FTP credential theft is similar to that of the FAREIT malware, and, like ZBOT, it uses a configuration file that contains code for web injection and a list of sites it monitors. Another major reason VAWTRAK is notable is that it managed to target four major banks and five credit card companies based in Japan. Malicious or compromised sites lead users to the Angler Exploit Kit, which serves various Flash and Java exploits used to install VAWTRAK on systems.
How widespread are VAWTRAK variants in Japan?
Data from the Trend Micro™ Smart Protection Network™ in the pie chart above shows that most VAWTRAK infections are found in Japan, with the United States and Germany trailing far behind. The increase in banking malware targeting banks in Japan can be attributed to the rise of information-stealing malware such as TSPY_AIBATOOK that has added capabilities for stealing banking credentials.
What are the notable VAWTRAK variants?
Some of the more notable VAWTRAK variants include BKDR_VAWTRAK.PHY, BKDR_VAWTRAK.SM, and BKDR_VAWTRAK.SMN. A common routine for these variants involves checking for the presence of certain security-related directories in the Program Files and Application Data folders. The corresponding security products include the following:
  • a-squared Anti-Malware (now Emsisoft Anti-Malware)
  • a-squared HiJackFree (now Emsisoft Anti-Malware)
  • Agnitum
  • Alwil Software
  • AnVir Task Manager
  • ArcaBit
  • AVAST Software
  • AVG
  • Avira
  • BitDefender
  • BlockPost
  • Doctor Web
  • DefenseWall
  • ESET
  • f-secure
  • FRISK Software
  • G DATA
  • K7 Computing
  • Kaspersky Lab
  • Lavasoft
  • Malwarebytes
  • McAfee
  • Microsoft Security Essentials
  • Norton AntiVirus
  • Online Solutions
  • pTools
  • Panda Security
  • Positive Technologies
  • Sandboxie
  • Security Task Manager
  • Spyware Terminator
  • Sunbelt Software
  • Trend Micro
  • UAenter
  • Vba32
  • Xore
  • Zillya Antivirus
Once VAWTRAK finds any of the above-mentioned security software installed, it creates the following Software Restriction Policy (SRP) registry entries under the "Safer" policy key. The generated GUID subkey sits under CodeIdentifiers\0, which is security level 0 (SAFER_LEVELID_DISALLOWED), so executables under the listed path are blocked from running and the antivirus installation is effectively neutralized:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\
CodeIdentifiers\0\Paths\{generated GUID for the AV software}
ItemData = "{AV software path}"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\
CodeIdentifiers\0\Paths\{generated GUID for the AV software}
SaferFlags = "0"
What are its main routines?
VAWTRAK's main routines include backdoor commands such as keylogging and capturing screenshots. It also steals FTP credentials, stored email credentials, and data from Internet browsers, and it monitors for data containing banking and credit card information.
How will I know if my system is infected?
Users will know that their systems are infected if a {random filename}.dat file exists in the {All Users Profile}\Application Data folder (the ProgramData folder on Windows Vista and later). The .DAT file is actually a .DLL file referenced by an autorun registry entry.
Another symptom of VAWTRAK infection is users' inability to run antivirus-related processes: VAWTRAK adds policy-related registry entries that restrict users from running files under antivirus-related folders.
What does a typical VAWTRAK infection chain look like?
Below is a sample infection chain that shows how VAWTRAK arrives on a system through java.exe after the user visits a malicious or compromised site. The .DAT file is actually a .DLL and is the final payload, i.e., the VAWTRAK malware.
VAWTRAK system arrival via java.exe
Here is another sample infection chain showing how VAWTRAK arrives on a system, this time through Flash11e.ocx (the Flash Player ActiveX control), which leads to the final payload, a .DAT file that is actually a .DLL (VAWTRAK).
VAWTRAK system arrival via Flash11e.ocx
How do I protect myself from VAWTRAK?
Users are advised to disable or uninstall browser plugins such as Java, Adobe Flash, and Adobe Reader if they are not needed. Since the attacks illustrated in the infection chains above exploited this software, keeping systems patched and up to date minimizes the risk of infection; cybercriminals exploit vulnerabilities and system bugs as soon as such holes are uncovered.
Lastly, users should navigate to their banking websites directly rather than through links embedded in emails or spammed messages, which may be fraudulent.
Does Trend Micro protect users from this threat?
Yes. Trend Micro products detect and delete VAWTRAK variants via the Smart Protection Network's file reputation services. Web reputation services block access to the domains to which VAWTRAK variants connect.
FROM THE FIELD: EXPERT INSIGHTS
"We may continue to see VAWTRAK in the wild since its newer, specialized routines may lead to complicated cleanup solutions. There are definitely clear signs of VAWTRAK further advancing and improving. Newer variants now have features such as having a configuration file that contains the banking and credit card institutions which it monitors. The older arrival vectors were just spammed messages, but now VAWTRAK is seen to arrive via Java exploits." –Jimelle Monteser, threat response engineer
"The VAWTRAK threat is ultimately a threat toward all people who utilize online banking. Since online banking has gone mainstream for a large percentage of users, ranging from home users to enterprises, VAWTRAK poses a grave threat to all." –Rhena Inocencio, threat response engineer

 http://about-threats.trendmicro.com/us/webattack/3141/VAWTRAK+Plagues+Users+in+Japan

ZeuS and Its Continuing Drive Towards Stealing Online Data

TSPY_ZBOT is the Trend Micro detection for malware related to what the industry dubs "ZeuS botnets." A ZeuS botnet is a network of compromised computers that use ZeuS/ZBOT Trojans in botnet operations. TSPY_ZBOT variants typically arrive via spam appearing to come from legitimate sources and asking recipients to click a link. The link leads to the download of TSPY_ZBOT, which silently sits on the system waiting for the user to enter credentials on particular sites.

Since 2007, Trend Micro has been monitoring the ZBOT family. The number of ZBOT detections has substantially grown over the years. To date, Trend Micro has seen over 2,000 ZBOT detections and the numbers continue to rise.

How does this threat get into users' systems?

The threat may arrive as a spammed message or may be unknowingly downloaded from compromised websites. The majority of ZBOT detections target bank-related websites; however, recent spam runs have shown increasing diversity in targets. Noteworthy ZBOT variants include TROJ_ZBOT.SVR, which was used to spam government agencies; TSPY_ZBOT.JF, which targeted AIM users; and TSPY_ZBOT.CCB, which targeted the social networking site Facebook.

One recent ZeuS attack targeted Bank of America Military Bank customers.

Trend Micro also found a ZBOT variant that leveraged the Windows LNK shortcut flaw (CVE-2010-2568). Another ZBOT variant was spotted that was supposedly signed by a legitimate antivirus company; in reality, the signature had been lifted from a legitimate application of that company without its knowledge or consent.

How does it trick users into clicking links?

Spammed messages typically purport to be from legitimate companies and, more recently, from government agencies. ZBOT variants have likewise been found in a spam run that rides on popular events such as Michael Jackson's death.

What is the primary purpose of the ZeuS botnet?

It is primarily designed for data theft or to steal account information from various sites like online banking, social networking, and e-commerce sites.

How does this threat make money for its perpetrators?

It carries a list of bank-related websites or financial institutions from which it attempts to steal sensitive online banking information such as user names and passwords. It then monitors the user's Web browsing activity (both HTTP and HTTPS), using browser window titles or address bar URLs as triggers for its attack.

Newer ZBOT variants insert JavaScript code into a legitimate bank's Web page. Other variants display a second fake login page after the original login page to harvest additional information. Cybercriminals may then steal money directly from the victim, or use victims as conduits or "money mules" who help transfer funds from victims to cybercriminal-controlled bank accounts.
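Both the VAWTRAK configuration file described earlier (web injection code plus a list of monitored sites) and the ZBOT page-injection behavior above rest on the same mechanism: a rule keyed on a URL mask that splices attacker-supplied HTML or JavaScript into the real page. The Python script below is an added example, not code from the original article or from either malware family: it parses the plain-text webinject format used by ZeuS 2.x configs (set_url <url mask> <flags>, then data_before / data_inject / data_after blocks each closed by data_end) and replays one rule against a constructed login form, so an analyst examining a recovered config can see exactly which extra fields it would graft onto a bank's page. The config, URL and HTML are constructed for the demo and are not from a real campaign.

```python
"""Replay a ZeuS-style webinject rule against a page (added analysis example).

Not code from the original article. The config and page are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_mask: str   # set_url mask; '*' is a wildcard
    flags: str      # G = apply on GET, P = apply on POST (other letters ignored here)
    before: str     # text (with '*' wildcards) that must precede the replaced region
    inject: str     # replacement content
    after: str      # text that ends the replaced region; empty = insert right after `before`


def parse_webinjects(text):
    """Parse webinjects.txt-style text into a list of Inject rules."""
    rules, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:                     # inside a data_* block
            if line == "data_end":
                cur[section] = "\n".join(cur[section]).strip()
                section = None
            else:
                cur[section].append(raw)
            continue
        if line.startswith("set_url"):
            if cur is not None:
                rules.append(Inject(**cur))
            parts = line.split()
            cur = {"url_mask": parts[1], "flags": parts[2] if len(parts) > 2 else "GP",
                   "before": "", "inject": "", "after": ""}
        elif line in ("data_before", "data_inject", "data_after") and cur is not None:
            section = line[len("data_"):]
            cur[section] = []
    if cur is not None:
        rules.append(Inject(**cur))
    return rules


def mask_to_regex(mask):
    """Turn a '*'-wildcard mask into a regex; '*' matches anything, lazily."""
    return re.compile(".*?".join(re.escape(p) for p in mask.split("*")), re.S)


def apply_inject(html, rule):
    """Replace the text between `before` and `after` with `inject`; returns (html, changed)."""
    start = 0
    if rule.before:
        m = mask_to_regex(rule.before).search(html)
        if not m:
            return html, False
        start = m.end()
    end = start
    if rule.after:
        m = mask_to_regex(rule.after).search(html, start)
        if not m:
            return html, False
        end = m.start()
    return html[:start] + rule.inject + html[end:], True


def inject_page(url, method, html, rules):
    """Apply every rule whose URL mask and method flag match; returns (html, changed)."""
    changed = False
    for rule in rules:
        if method in rule.flags and mask_to_regex(rule.url_mask).fullmatch(url):
            html, did = apply_inject(html, rule)
            changed = changed or did
    return html, changed


# Constructed config: add an "ATM PIN" field right after the password box.
SAMPLE_CONFIG = """
set_url https://online.bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br><label>ATM PIN</label> <input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed stand-in for the bank's real login form.
SAMPLE_PAGE = """<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password" maxlength="20">
<input type="submit" value="Sign in">
</form>"""

if __name__ == "__main__":
    page, changed = inject_page("https://online.bank.example/login?lang=en", "G",
                                SAMPLE_PAGE, parse_webinjects(SAMPLE_CONFIG))
    print("changed:", changed)
    print(page)
```

Because the injected field is posted to the genuine bank form along with the real credentials, the victim sees a valid login succeed and has no visual cue that an extra value was harvested; this is why the article recommends care with links rather than relying on the page's appearance.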

These routines risk exposing the user's account information, which may then lead to the unauthorized use of the stolen data.

Who are at risk?

ZBOT variants target online banking users in general. As mentioned in the section "How does this threat get into users' systems?", ZBOT spreads via spam that uses the latest headlines or convincing email content, or exploits flaws in commonly used software. Almost anyone can fall prey to its schemes. Users with ZBOT-infected systems who log in to any of the targeted sites risk losing personal information to cybercriminals.

What does the malware do with the information it gathers?

It sends the gathered information via HTTP POST to remote URLs. Cybercriminals may then use this information for malicious activities or sell it in underground markets.

What makes this threat persistent?

In addition to its social engineering tactics and ever-evolving spamming techniques, ZBOT makes detection difficult because of its rootkit capabilities. Upon installing itself on an affected system, ZBOT creates a folder with the System and Hidden attributes set to keep users from discovering and removing its components. It is also capable of disabling Windows Firewall and of injecting itself into processes to become memory-resident, and it terminates itself if certain known firewall processes are found on the system. ZBOT variants also figure in daisy-chain downloads involving other malware families such as WALEDAC and FAKEAV.

Moreover, ZBOT creators have leveraged the Windows LNK shortcut flaw (CVE-2010-2568) and abused the PDF /Launch action in some Adobe products. Using these as entry points lets ZBOT variants get onto more systems virtually undetected. ZBOT has also kept up with operating system trends: newer variants feature full, integrated support for Windows Vista and Windows 7, whereas older versions supported those systems only through optional modules.

What is the difference among ZeuS, ZBOT, and Kneber?

In February 2010, Trend Micro researchers came across several malware samples that were first thought to be part of a new botnet dubbed Kneber. Kneber, as it turned out, is a recently coined term for a specific ZBOT/ZeuS compromise and is thus part of the ZeuS botnet. "ZBOT," on the other hand, is Trend Micro's detection name for all malware involved in this massive botnet.

So what can I do to protect my computer from the threat presented by the ZeuS botnet?

It is important that users exercise caution when opening email messages and when clicking URLs. Since the ZBOT malware perpetrators are constantly finding new ways to attack users, users are advised to employ safe computing practices.

Be wary of phishing pages that purport to be legitimate websites, as these are primarily designed to fool unwitting users into handing over personal information. Clicking links on emails that come from unknown senders is one of the easiest ways to fall prey to ZBOT attacks.

TSPY_ZBOT variants are currently supported by Trend Micro GeneriClean, a feature found in most Trend Micro products. Users need to manually scan their systems to trigger it.

Solutions supported by the Trend Micro™ Smart Protection Network™ block the spam used by this botnet via the email reputation service, detect and prevent the execution of malicious files via the file reputation service, and block access to malicious sites via the Web reputation service. The Web reputation service also blocks phone-home attempts in which an infected computer tries to upload stolen data to, or download additional malware from, command-and-control (C&C) servers.

Non-Trend Micro product users can also check their systems using HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. They can also use Web Protection Add-On to proactively protect their computers from Web threats and bot-related activities. RUBotted can be used to find out if their machines are part of a bot network.

Some of our heuristic detections for this threat are MAL_ZBOT, MAL_ZBOT-2, MAL_ZBOT-3, MAL_ZBOT-4, MAL_ZBOT-5, MAL_ZBOT-6, and MAL_ZBOT-7.
 
 http://about-threats.trendmicro.com/us/webattack/64/ZeuS+and+Its+Continuing+Drive+Towards+Stealing+Online+Data