Showing posts with label skype worm. Show all posts
Friday, 1 November 2013
Malware spreading via Skype
This malware spreads via Skype by simply sending the file to all of your contacts, nothing more, nothing less (no message inviting you to check out "photos", no call, ...).
### Analysis ###
Known MD5's:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295
Callback to IP's:
88.150.177.162
Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc
Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets Proxy:
Yes
Type of malware: Caphaw - Banking malware
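To make the indicators above usable for triage, here is an added script (my own example, not code from the original post) that checks file hashes, DNS query logs and a .reg export of the HKCU Run key against them. The hash values, callback IP, DGA domain and Run key are the ones listed above; the log lines, the registry export and the file paths inside them are constructed for this example.

```python
import re

# Indicators from the analysis above
KNOWN_MD5 = {
    "293cc1f379c4fc81a7584c40f7c82410",
    "66def80d6f87f6f79156557172f9f295",
}
CALLBACK_IPS = {"88.150.177.162"}
# Pattern http://%random%.aingo.cc -> one random label directly under aingo.cc
DGA_HOST = re.compile(r"^[a-z0-9]+\.aingo\.cc$", re.IGNORECASE)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# User-writable locations a Run value should normally not point into (assumption)
SUSPICIOUS_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def match_hashes(observed):
    """Return the subset of observed MD5 strings that are known samples."""
    return {h.lower() for h in observed} & KNOWN_MD5


def match_dns(query_log):
    """Return queried hostnames that fit the aingo.cc pattern or resolve to the callback IP.
    Each line has the constructed format '<timestamp> <client> <hostname> <answer>'."""
    hits = []
    for line in query_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host, answer = parts[2], parts[3]
        if DGA_HOST.match(host) or answer in CALLBACK_IPS:
            hits.append(host)
    return hits


def suspicious_run_values(reg_export):
    """From a .reg-style export, return value names under the HKCU Run key whose
    command line points into a user-writable directory."""
    in_key = False
    flagged = []
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if in_key and "=" in line:
            name, _, value = line.partition("=")
            if any(d in value.lower() for d in SUSPICIOUS_DIRS):
                flagged.append(name.strip('"'))
    return flagged


# Constructed sample data: a DNS query log and a registry export of the Run key
SAMPLE_DNS = """\
2013-11-01T11:30:01 10.0.0.12 k3j9x2q.aingo.cc 88.150.177.162
2013-11-01T11:30:02 10.0.0.12 www.example.com 203.0.113.10
2013-11-01T11:30:05 10.0.0.12 update.example.net 88.150.177.162"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Updater\\upd.exe\""
"kjwq"="C:\\Users\\victim\\AppData\\Roaming\\kjwq.exe"
"""

if __name__ == "__main__":
    print("hash hits:", match_hashes(["293CC1F379C4FC81A7584C40F7C82410"]))
    print("dns hits:", match_dns(SAMPLE_DNS))
    print("run values:", suspicious_run_values(SAMPLE_REG))
```

The DNS check matches on both sides of the callback: the host name pattern catches new random subdomains the DGA produces, while the answer check catches any other name that resolves to the known IP.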
Technical details
Meta-data
================================================================================
File: /home/remnux/samples/invoice_171658.pdf.exe_
Size: 360448 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 293cc1f379c4fc81a7584c40f7c82410
SHA1: 7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep: 3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date: 0x52739069 [Fri Nov 1 11:28:41 2013 UTC]
EP: 0x401270 .text 0/4
CRC: Claimed: 0x5eb47, Actual: 0x5eb47
Resource entries
================================================================================
Name RVA Size Lang Sublang Type
--------------------------------------------------------------------------------
RT_CURSOR 0x532b0 0x134 LANG_RUSSIAN SUBLANG_RUSSIAN data
RT_BITMAP 0x536c0 0x1eec LANG_RUSSIAN SUBLANG_RUSSIAN data
RT_BITMAP 0x555b0 0x4e8 LANG_RUSSIAN SUBLANG_RUSSIAN data
RT_ICON 0x55a98 0x128 LANG_RUSSIAN SUBLANG_RUSSIAN GLS_BINARY_LSB_FIRST
RT_ICON 0x55bc0 0xea8 LANG_RUSSIAN SUBLANG_RUSSIAN data
RT_ICON 0x56a68 0x568 LANG_RUSSIAN SUBLANG_RUSSIAN GLS_BINARY_LSB_FIRST
RT_ICON 0x56fd0 0x10a8 LANG_RUSSIAN SUBLANG_RUSSIAN data
RT_ICON 0x58078 0x468 LANG_RUSSIAN SUBLANG_RUSSIAN GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR 0x533e8 0x14 LANG_RUSSIAN SUBLANG_RUSSIAN Lotus 1-2-3
RT_GROUP_ICON 0x584e0 0x4c LANG_RUSSIAN SUBLANG_RUSSIAN MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION 0x53400 0x2c0 LANG_RUSSIAN SUBLANG_RUSSIAN data
Sections
================================================================================
Name VirtAddr VirtSize RawSize Entropy
--------------------------------------------------------------------------------
.text 0x1000 0xee6 0x1000 5.764246
.rdata 0x2000 0x49ce2 0x4a000 5.440947
.data 0x4c000 0x619c 0x6000 0.012147 [SUSPICIOUS]
.rsrc 0x53000 0x5530 0x6000 3.693765
Version info
================================================================================
LegalCopyright: gex Copright ls soft
InternalName: jex MUWEfess dlle
FileVersion: 13, 13, 201, 1241
ProductName: jox Weaex Apps
ProductVersion: 13, 13, 21, 153
FileDescription: jex dllx
OriginalFilename: lexlse.exe
Translation: 0x0419 0x04b0
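The scanner output above flags .data as [SUSPICIOUS] because its entropy is almost zero, which means the section is nearly all padding or a single repeated value. As an added example (not part of the original post), the script below computes Shannon entropy in bits per byte for a section's bytes, parses the Sections table exactly as printed above and attaches a verdict; the thresholds (below 1.0 is "low", above 7.0 is "high") and the sample byte strings are my own assumptions for illustration.

```python
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 when all
    256 byte values occur equally often."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_entropy(value: float) -> str:
    """Assumed thresholds: near-zero entropy is padding or a constant fill,
    above 7 bits/byte suggests packed or encrypted content."""
    if value < 1.0:
        return "low"
    if value > 7.0:
        return "high"
    return "normal"


# One row of the 'Sections' table: name, VirtAddr, VirtSize, RawSize, Entropy
SECTION_LINE = re.compile(
    r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([0-9.]+)", re.I)


def parse_sections(table: str):
    """Parse the Sections table as printed by the scanner into dicts with a verdict."""
    rows = []
    for line in table.splitlines():
        m = SECTION_LINE.match(line.strip())
        if not m:
            continue
        name, _va, vsize, rsize, ent = m.groups()
        rows.append({
            "name": name,
            "virt_size": int(vsize, 16),
            "raw_size": int(rsize, 16),
            "entropy": float(ent),
            "verdict": classify_entropy(float(ent)),
        })
    return rows


# The Sections table from the sample above, copied verbatim
SECTIONS_TABLE = """\
.text 0x1000 0xee6 0x1000 5.764246
.rdata 0x2000 0x49ce2 0x4a000 5.440947
.data 0x4c000 0x619c 0x6000 0.012147 [SUSPICIOUS]
.rsrc 0x53000 0x5530 0x6000 3.693765"""

# Constructed section contents: a zero-filled block with a few set bytes,
# and a block containing every byte value equally often
MOSTLY_ZERO = b"\x00" * 4090 + b"\x01\x02\x03\x04\x05\x06"
UNIFORM = bytes(range(256)) * 16

if __name__ == "__main__":
    print("mostly zero:", round(shannon_entropy(MOSTLY_ZERO), 4))
    print("uniform:", shannon_entropy(UNIFORM))
    for row in parse_sections(SECTIONS_TABLE):
        print(row["name"], row["entropy"], row["verdict"])
```

Low entropy is worth a look for a different reason than high entropy: a .data section that is almost entirely zeros at rest is often filled in at run time (for instance by an unpacking or decryption routine), so the section table alone tells you little about what the binary will actually execute.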
### Prevention ###
* Check your Skype privacy settings. Only allow people in your contact list to send you messages or files and to contact you
* Don't download and run unknown files, especially PE(2) files
### Disinfection ###
* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction
* When in doubt, seek advice on a professional malware removal forum(4)
### Conclusion ###
* Follow above prevention tips
* Use common sense and do not click on or run just anything you come across
* When in doubt, check the file on VirusTotal for example
# Links #
(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs
Labels: banking trojan, caphaw, fast update, malware, Skype, skype worm
Thursday, 23 May 2013
Another Skype worm
Remember this post from not too long ago?
Worm spreading through Skype and Messenger
Well, seems this tactic is getting more popular...
A new Skype worm shows you the following message:
this is a very nice photo of you http://bit.ly/10UCanc?fotos=%username% :$
Other languages are possible as well, for example Russian:
this is a very nice photo of you http://bit.ly/10UCanc?id=%username% :P
это очень хорошая фотография вы http://bit.ly/10UCanc?fotos=%username%
When clicking on the link, it gets redirected to a filesharing site and downloads the following file:
facebook_profile.zip
Inside is an EXE file called:
profile-facebook_23052013_img.exe
MD5: 669441b1f5532bdc1a5371112dabc4c8
VirusTotal Result (15/46)
Anubis Result
Malwr Result
When executing the file, you start spreading this message as well to all your Skype friends. There is no icon for the EXE file, which should ring some bells... Actually, the "pictures" being a single EXE file should ring bells so hard the whole neighbourhood wakes up.
Filesharing sites used to spread the malware:
4shared.com
hotfile.com
Both file-sharing sites have already removed the malicious files, so they can no longer be downloaded.
[Screenshot] Malware files already removed, awesome!
Some interesting stats for the bit.ly link:
[Screenshot] Current amount of clicks
[Screenshot] Geographic distribution of clicks.
As you can see, there have been over 120,000 clicks today, that's quite a lot! Also interesting to note is that most clicks are in Belarus, which may indicate where the malware's origin lies (or at least where the infection point started).
As far as I could see, the malware creates a file with a random name in the C:\ProgramData or %appdata% folder and injects into explorer.exe, which is how it 'protects' itself: when you delete the malware file, it is immediately re-created.
The malware also tries to phone home to (currently offline):
hXXp://r.gigaionjumbie.biz/images/gx.php
hXXp://x.dailyradio.su/images/gx.php
hXXp://w.kei.su/images/gx.php
The above links are related to the Alureon malware, which can download other malware as well as steal your credentials and other personal information. Microsoft describes it as follows:
Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. It may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer. (Source: Microsoft)
There are also some peculiar strings in the malware:
lTaj13zzz5632jetsusjabs
Regrey8hiaid958562ids
Culmbusy4teg217jo548
Sel35scagalawn9ser84996
Hinog968begs6421879
Cyme28ilkax65274sunn35
Toph8toil2528248030
Pent8cute812
hoorney milk
DESTRUCT COMMON
Not sure what those strings are supposed to mean, if there's any meaning to it at all.
To view all strings pulled from the malware image, check Pastebin:
http://pastebin.com/Svb40p9Q
Disinfection
- Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this worm.
- Change your Skype password.
- Notify your friends that you sent them a malware link.
Conclusion
This conclusion is pretty much the same as in my previous post about a Skype worm:
Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype are nothing new. Still, they appear to be very successful, as human curiosity wins in cases of doubt:
"Do I really have (embarrassing) pictures of myself on this website? Better take a look!"
No, no, no!
Never click on unknown links, especially when a URL shortener service like bit.ly is used (others are, for example, t.co, goo.gl, tinyurl, etc.).
Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.
Even if you clicked the link without suspicion, you should become suspicious when no pictures are shown but a file is downloaded instead, let alone a single EXE file.
For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/
For checking whether a file is malicious or not:
https://www.virustotal.com/
Labels: malware, Skype, skype worm, social engineering
Monday, 8 October 2012
Worm spreading through Skype and Messenger
Since Saturday, there's a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).
Someone who's infected with this worm will send you the following message:
[Screenshot] Message in German asking to check your cool pictures
The link refers to goo.gl, which is Google's URL shortener service. You land on Hotfile.com, a legitimate file-sharing website (it's not the first time Hotfile has been used to spread malware; read more here). The file has already been removed by Hotfile.
[Screenshot] The link refers to Hotfile and immediately downloads a ZIP file.
The positive thing is that it is a ZIP file and not an EXE, which means the user still has to manually unpack and run the malware. Inside the ZIP file we find the following file, disguised as a Skype setup file:
[Screenshot] Looks like the real deal. But it's not.
When this file is executed, another file (an EXE with a random 4-character name) is dropped into the %appdata% folder of the currently logged-on user:
[Screenshot] The icon suggests it's uTorrent. But it's not.
This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses:
74.208.112.178 - IPVoid Result
87.106.98.157 - IPVoid Result
199.15.234.7 - IPVoid Result
213.165.71.142 - IPVoid Result
213.165.71.153 - IPVoid Result
217.160.108.147 - IPVoid Result
Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive, skype_05102012_image.exe, looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe
It will then automatically send a message, based on the OS language. It uses the following list to spread:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c'est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?
It then appends the following link to the message, with your username added after the '=' sign:
http://goo.gl/QYV5H?img=
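The message templates above and the two messages from the "Another Skype worm" post earlier on this page share one structure: a short "profile picture" lure, a shortener link, and the recipient's username carried in a query parameter (?img=, ?fotos= or ?id=). As an added example serving both posts (my own code, not from the original), the Python below classifies IM messages on that structure. The sample messages are constructed by substituting "alice" for %username% in the templates shown, plus two benign messages; the keyword list is deliberately small and only covers the English, Swedish and Russian samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL shorteners named in the posts (extend as needed)
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Query parameters the worms use to carry the recipient's username
USERNAME_PARAMS = {"img", "fotos", "id"}
# Supporting keyword check; covers only the sample languages below (assumption)
LURE_WORDS = re.compile(r"profil|photo|foto|\bpics?\b|фотограф", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def classify_message(text, recipient=None):
    """Collect evidence from one IM message. The verdict is structural: a shortener
    link that carries a username parameter, which is how both worms build the lure."""
    ev = {
        "url": None,
        "shortener": False,
        "username_param": False,
        "addressed_to_recipient": False,
        "lure_words": bool(LURE_WORDS.search(text)),
    }
    m = URL_RE.search(text)
    if m:
        url = m.group(0).rstrip(".,;:)")
        parts = urlsplit(url)
        ev["url"] = url
        ev["shortener"] = (parts.hostname or "") in SHORTENERS
        # keep_blank_values so a bare '?img=' (username not yet filled in) still counts
        qs = parse_qs(parts.query, keep_blank_values=True)
        for p in USERNAME_PARAMS:
            if p in qs:
                ev["username_param"] = True
                if recipient is not None and qs[p] == [recipient]:
                    ev["addressed_to_recipient"] = True
    ev["verdict"] = ev["shortener"] and ev["username_param"]
    return ev


def scan(messages, recipient=None):
    """Return the messages that match the worm lure structure."""
    return [m for m in messages if classify_message(m, recipient)["verdict"]]


# Constructed samples: templates from the posts with "alice" in place of %username%,
# followed by two benign messages that share only part of the structure.
SAMPLES = [
    "lol is this your new profile pic? http://goo.gl/QYV5H?img=alice",
    "this is a very nice photo of you http://bit.ly/10UCanc?fotos=alice :$",
    "это очень хорошая фотография вы http://bit.ly/10UCanc?fotos=alice",
    "hej detta är din nya profilbild? http://goo.gl/QYV5H?img=alice",
    "meeting notes are here https://docs.example.com/notes?id=42",  # not a shortener
    "check this out http://bit.ly/abc123",  # shortener, but no username parameter
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify_message(msg, "alice")["verdict"], msg)
```

Keying the verdict on the link structure rather than on wording is what lets one rule cover all the language variants in the list above; the keyword hit is only reported as supporting evidence, and the recipient check is useful when the detector runs on a specific user's inbound messages.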
Let's take a closer look at the files:
skype_05102012_image.exe
Result: 23/44
MD5: 98f74b530d4ebf6850c4bc193c558a98
Anubis Report
Malwr Report
ThreatExpert Report
36A9.exe
Result: 16/44
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5
Anubis Report
Malwr Report
ThreatExpert Report
The malware is commonly identified as Worm.Dorkbot and Worm.Agent or Generic Trojan.
Microsoft provides a description:
Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.
On my test machines there was no additional malware downloaded, even after replicating a few times. Other malware can, however, be downloaded at any time, whether ransomware, rogueware, ...
Conclusion
Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype are nothing new. Still, they appear to be very successful, as human curiosity wins in cases of doubt:
"Do I really have (embarrassing) pictures of myself on this website? Better take a look!"
No, no, no!
Never click on unknown links, especially when a URL shortener service like goo.gl is used (others are, for example, t.co, bit.ly, tinyurl, etc.).
Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.
Even if you clicked the link without suspicion, you should become suspicious when no pictures are shown but a file is downloaded instead, let alone a single EXE file.
For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/
For checking whether a file is malicious or not:
https://www.virustotal.com/
http://virusscan.jotti.org/
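Both this post and the one above advise checking what is behind a short URL before clicking it. As an added example (my own code, not from the original post), the Python below resolves a shortener link hop by hop using HEAD requests with redirects disabled, so no file is ever downloaded, and then flags a chain that ends on one of the file-sharing hosts named in the posts or at an archive or executable. The redirect table used in the usage at the bottom is constructed (the real goo.gl destination is not given on the page), and the extra file suffixes and the chain-length limit are my assumptions; live_head performs a real network request and is only there for interactive use.

```python
from urllib.parse import urlsplit

# Hosts named in the posts as the landing place for the malware
FILESHARING_HOSTS = {"hotfile.com", "4shared.com"}
# .zip and .exe are what the posts describe; the rest are an assumption
DOWNLOAD_SUFFIXES = (".zip", ".exe", ".scr", ".rar", ".7z")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_chain(url, head, max_hops=5):
    """Follow Location headers one hop at a time. `head(url)` returns
    (status, location_or_None); the hop limit stops redirect loops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status in REDIRECT_CODES and location:
            chain.append(location)
        else:
            break
    return chain


def assess(chain):
    """Judge the final destination of a resolved chain."""
    final = urlsplit(chain[-1])
    host = final.hostname or ""
    reasons = []
    if host in FILESHARING_HOSTS or any(host.endswith("." + h) for h in FILESHARING_HOSTS):
        reasons.append("lands on a file-sharing host")
    if final.path.lower().endswith(DOWNLOAD_SUFFIXES):
        reasons.append("final path is an archive or executable")
    if len(chain) > 3:  # assumption: more than two hops is unusual for a legitimate shortener
        reasons.append("long redirect chain")
    return {"final": chain[-1], "hops": len(chain) - 1,
            "reasons": reasons, "suspicious": bool(reasons)}


def live_head(url, timeout=5):
    """Real HEAD request with automatic redirects switched off (standard library only)."""
    import urllib.request
    import urllib.error

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # do not follow; let the 3xx surface as HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


# Constructed redirect table standing in for the network, for offline use
FAKE_REDIRECTS = {
    "http://goo.gl/QYV5H?img=alice": (301, "http://hotfile.com/dl/constructed/skype_05102012_image.zip"),
    "http://hotfile.com/dl/constructed/skype_05102012_image.zip": (200, None),
    "http://bit.ly/example": (301, "https://example.org/page"),
    "https://example.org/page": (200, None),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://goo.gl/QYV5H?img=alice", "http://bit.ly/example"):
        chain = resolve_chain(start, fake_head)
        print(" -> ".join(chain))
        print(assess(chain))
```

Disabling automatic redirects is the important part: a client that follows the chain itself and issues a GET at the end would fetch the archive, which is exactly what the check is meant to avoid. Swap fake_head for live_head to resolve a real link.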