Virus, in the eye of the storm

Are they new tools for cyber wars or big business for a few? It is true that the common user never ceases to be amazed at how difficult it is to face the threat of viruses and other harmful programs on a day-to-day basis.

by Osvaldo Callegari


That is why we try to establish contact with companies working in this field, to learn what is happening inside our computers.
Although for an ordinary person a virus or malware is intangible and invisible inside their machine, current circumstances have raised the level of danger in many different situations.

What kind of activity did a virus perform before 2000? They were small programs that spread by being copied from one compact disc to another, from a diskette to a hard disk, or simply from one computer to another.
We will describe, if we may put it that way, how benevolent they were before that date and what they have become since.


Viruses before 2000
What was their activity and how did they spread?
* They infected executable files (programs), making them inoperable or causing erratic behavior.
* They corrupted database files, making them unreadable.
* They infected operating system code (for example the boot sector), causing the computer not to boot properly.
* They generated thousands of copies of themselves, filling disks with useless data.


Viruses from 2000 to the present
What is their activity and how do they spread?
* They attack people's identities and compromise all of their confidential information.
* They start, stop or disrupt computer-controlled systems.
* They turn the computers of ordinary users into dumb terminals for handling secret information.
* They serve as surveillance tools for some governments.
* In some cases they are used as tools of war.
* Certain protection and security companies generate their own viruses to drive their own updates.
* Governments recruit technicians from antivirus companies to perform intelligence tasks.
* They are used to force advertising onto every PC, a million-dollar business.


Evidently their role has changed substantially and the threats are different.

When we say viruses we also mean malware; both can be generalized as malicious code, which in essence is what they are.

Analysis of a case in Latin America
As part of the research work of the ESET Latin America Laboratory, a case in the region was followed up, and the capabilities of the malicious code involved are recapitulated here. The information captured during the analysis reveals how cyber-criminals in the region behave and how they use infected systems to steal information.
The following analysis corresponds to a variant of Win32/Dorkbot.B which spread mostly in Peru in order to carry out phishing attacks. The targets of the attack are banks in that country and in Chile.

Propagation campaign
The attack originally spread as a supposedly free top-up from a well-known cell phone company. Users who wanted to obtain this fake benefit downloaded the malicious code, and when they executed it they infected their system.

Spread on social networks and instant messengers
One of the actions detected while following this attack is that the infected computers used social networks and instant messengers to continue spreading the threat.


Messages are sent from the command and control center to update the propagation messages and the interval at which they are sent.

Dorkbot and its dissemination in Latin America

Dorkbot spreads through Facebook chat and instant messengers.

Infection
The first action of the malicious code after being executed is to add an entry to the Windows registry so that it starts automatically the next time the system boots.
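A defender-side check for exactly this persistence trick: list the Run-key entries and flag any whose program lives under a user data folder such as %APPDATA%, where the analysis later in this article reports the worm keeps its copy. This is an added example, not code from the article or from ESET; the sample Run entries are constructed, and the live registry read only works on Windows (elsewhere the sample is used).

```python
import sys

# Constructed sample of Run-key values (name -> command line) modelled on what an
# autostart/rootkit scan of an infected host shows: a dropped copy of the worm
# under the user's %APPDATA% folder, started from the Run key.
SAMPLE_RUN_ENTRIES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Documents and Settings\user\Application Data\Xbsgtr.exe"',
    "Sync": r'"C:\Users\user\AppData\Roaming\wmupdate.exe" -silent',
}

# %APPDATA% resolves to different folders on Windows XP and Windows 7.
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\roaming\\", "\\appdata\\local\\")

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def executable_path(command):
    """Return the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def suspicious_run_entries(entries):
    """Names of Run entries whose program is stored under a user data folder."""
    return [name for name, cmd in entries.items()
            if any(m in executable_path(cmd).lower() for m in APPDATA_MARKERS)]


def read_run_keys():
    """Read HKCU and HKLM Run values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = str(value)
            i += 1
    return entries


if __name__ == "__main__":
    print(suspicious_run_entries(read_run_keys() or SAMPLE_RUN_ENTRIES))
```

A program starting from a profile folder is not proof of infection, but it is the first thing to cross-check against the file's publisher and hash.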

Theft of information
In addition to the phishing attack and the spread through social networks, Dorkbot has an information theft module. When the user connects to services such as Gmail, Facebook, Hotmail or Twitter, the access credentials are sent to the attacker. This happens every time the user tries to log on to any of these services. The stolen personal data allows the attacker to re-propagate the threat using the credentials obtained from the zombie computers.



Changes in propagation strategies
One of the main reasons for this change in propagation techniques is the evolution of operating systems. In the latest versions of Microsoft products, autorun of removable storage media is disabled.


This change forces malicious code developers to implement new propagation techniques, and in the particular case of Dorkbot they were very effective. This is reflected in the statistics for the entire region: in 6 months it became the malicious code with the highest detection rate in Latin America.

Dorkbot was the fastest growing malicious code of 2012; it spread through mass storage devices, social networks and instant messengers with the aim of stealing information.

However, the impact it had in Latin America, compared with the rest of the world, highlights the lack of awareness regarding the use of licensed software and the installation of security patches.

In addition, it is important to note that education is a key factor in computer security, as it helps mitigate incidents in both home and business environments.

According to Pablo Ramos, Specialist at Awareness & Research: "When we talk about malicious codes we have seen that they are able to use a large number of techniques to avoid detection in the system. However, through a thorough analysis of an infected system it is possible to detect how the user's privacy is violated and how the attacker obtains their information. This time, we will share with you how a variant of Win32/Dorkbot, a worm that spreads throughout the region, obtains the user's credentials from the processes running on the infected computer.

The threat that we are going to analyze is spreading through fake emails and pretends to be a draw in which the user can win an iPhone 4s. Remember that to avoid falling for this type of deception it is advisable to know how to detect a fake email. This worm is detected by ESET NOD32 Antivirus as Win32/Dorkbot.B. A preliminary analysis of the malware shows us that it is packed with UPX, therefore to perform a static analysis we should first unpack the sample.

But let's use another approach: once the system is already infected, Dorkbot is associated with certain system events from which it captures the information. Therefore, we will use a debugger like OllyDbg and some Sysinternals tools to find hidden data in the system.

Once the system is infected, we know that Dorkbot runs automatically at startup and is also hidden inside the user's folders. But at first glance this information is not there, so to see if there is any kind of hidden data within the system we use RootkitRevealer and see what information it reports to us.

With the information that this tool reports to us, we can detect two things. The first is that an entry is created in the registry to execute the threat at each system startup; in this way the attacker ensures that he can steal the system information, affecting all the processes that are executed. The second shows us where a copy of this malicious code is hosted: by default a Windows environment variable (%appdata) is used, so the location varies depending on whether it is Windows XP or Windows 7.

So from now on, when the user starts any process on their system, the places they access are monitored by this malicious code and sent to the attacker. For example, when the user launches a browser and tries to connect to social networks, their access credentials are captured by Win32/Dorkbot and sent via the IRC protocol to the attacker. In the following screenshot we see how, within the same browser process, this malicious code is intercepting the connection data and then sending it to the command and control center of the network of infected computers:

In the image you can see the value "-E9 8D2674C0" and the jump to the memory address 00162160; this means that a hook is being placed on the HttpSendRequestW function belonging to the Wininet.dll library of Windows. At each call to this function, the normal operation of the browser is interrupted and the malicious code can obtain information. In addition to this function, other calls are intercepted in order to perform different actions.
In conclusion, these types of techniques go unnoticed by a user who does not have an antivirus solution running that proactively detects these malicious codes."
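The jump Ramos describes (opcode E9 followed by a 32-bit displacement) is what an inline hook on an exported function looks like, and decoding it tells an analyst where the hooked call now lands and whether that target lies outside the library that owns the function. The script below is an added example, not code from the article or from ESET's analysis: the wininet.dll base, size and HttpSendRequestW address are constructed values, and only the landing address 00162160 is taken from the text.

```python
import struct

# Constructed values for this example (not the page's screenshot): a hypothetical
# wininet.dll mapped at MODULE_BASE, HttpSendRequestW at FUNC_ADDR, and the first
# 5 bytes read from that address after infection. E9 is the opcode of JMP rel32.
MODULE_BASE = 0x771B0000
MODULE_SIZE = 0x000D0000
FUNC_ADDR = 0x771C5A10
HOOKED_PROLOGUE = bytes.fromhex("E94BC7F988")  # JMP whose target is 0x00162160
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")   # mov edi,edi / push ebp / mov ebp,esp

JMP_REL32 = 0xE9


def jmp_target(func_addr, prologue):
    """Decode a JMP rel32 at func_addr and return its absolute target, or None
    if the first instruction is not a JMP rel32.
    Target = address of the next instruction (func_addr + 5) + signed rel32."""
    if len(prologue) < 5 or prologue[0] != JMP_REL32:
        return None
    (rel32,) = struct.unpack("<i", prologue[1:5])  # little-endian, signed
    return (func_addr + 5 + rel32) & 0xFFFFFFFF


def hook_report(func_addr, prologue, module_base, module_size):
    """Classify the prologue: 'clean' (no jump), 'jmp-inside-module' (a jump that
    stays within the library, e.g. a hotpatch) or 'hooked' when the jump leaves
    the module's mapped range, which is what an injected hook does."""
    target = jmp_target(func_addr, prologue)
    if target is None:
        return "clean", None
    if module_base <= target < module_base + module_size:
        return "jmp-inside-module", target
    return "hooked", target


if __name__ == "__main__":
    kind, target = hook_report(FUNC_ADDR, HOOKED_PROLOGUE, MODULE_BASE, MODULE_SIZE)
    print(kind, hex(target) if target is not None else "-")
```

On a live system the prologue bytes would be read from the loaded library and compared against the same function in the on-disk file; a target in a heap or unbacked region, as here, is the signal to follow with the debugger.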

As we see in Ramos' technical commentary, it is not easy to unravel a virus and its behavior, so much so that the companies that produce protection are losing credibility; it remains to be seen whether the final outcome will be open or unexpected.

Dorkbot has been analyzed by experts as a generator of false positives

A false positive occurs when an antivirus mistakenly detects legitimate software as if it carried a virus or malware. The most frequent causes are programs whose behavior resembles that of a virus, and applications that can be used for dark purposes.

A technical report or fact sheet based on the Microsoft Threat Protection Center

Worm: Win32/Dorkbot
Dorkbot may be known under the following aliases:
* Win-Trojan/Injector.636416.D (AhnLab)
* W32/Dorkbot.B.gen!Eldorado (Command)
* Trojan.Injector!mcxcCCeftrA (VirusBuster)
* W32.IRCBot.NG (Symantec)
* WORM_DORKBOT.QUN (Trend Micro)
* ngrBot (other)

The alert level is severe.

Win32/Dorkbot is a family of IRC-based worms that spreads through removable drives, instant messaging programs and social networks. The main propagation networks are Facebook, Twitter, Bebo and Vkontakte, a Russian social network.

Variants of Win32/Dorkbot capture usernames and passwords by monitoring network communication, and can block pages related to security updates. They can also launch a limited denial of service (DoS) attack.

Some additional domain names to which it connects for its IRC channels are:
* shuwhyyu.com
* lovealiy.com
* syegyege.com
* av.shannen.cc

Later we will talk about the malicious codes Flamer and Stuxnet, used by the world's leading power to breach nuclear sites; these two viruses are on the red carpet of discussions.

The names and trademarks mentioned are registered by their respective owners. Technical information collected from ESET LATAM and the Microsoft Threat Center.

*If you wish, you can write to the author of this article for queries or concerns to [email protected]

Author: Santiago Jaramillo
Editor
Social communicator and journalist with more than 15 years of experience in digital and print media, Santiago Jaramillo was Editor of the magazine "Ventas de Seguridad" between 2013 and 2019.
