McAfee Avert Labs Finding Vundo Infections

- Kevin Gudgion, Avert Labs Services

Simple Overview

This “mini” edition of the McAfee Avert Labs Finding Suspicious Files series covers a particular Trojan, Vundo. Vundo has been the most consistently prevalent Trojan for the past three years.

Vundo Trojans exist for monetary gain: they display incorrect or misleading information in order to convince the user that they need to purchase some rogue security application.

These Trojans tend to alert on innocent files, or on files dropped by the Trojan itself, as security risks, in order to persuade users to buy Rogue Security programs that then claim to clean the system. Typical Rogue Security applications are Sysprotect, AntiSpywareMaster, WinFixer, AntiVirus 2008, AntiVirus 2009 and AntiVirus 360.

Infection Vectors

The Vundo Trojan is typically installed via an end user visiting a malicious website.

We have also seen emails distributed with links to malicious websites that have been used to infect users. The typical malicious website will either host a hidden IFrame or host a series of browser exploits intended to install the Trojan onto the machine.

We have also observed spammed malware downloading and installing the Vundo Trojan, typically generic backdoor.u.

Symptoms

The Vundo Trojan is a particularly virulent Trojan; it installs itself as a Browser Helper Object (BHO). A BHO is a design feature of Internet Explorer, intended to allow legitimate programmers to add functionality to Internet Explorer. Google Toolbar is perhaps the most well known BHO.

However, malware authors also quickly realized that a BHO is a good method of infecting a machine.

Typical Vundo behavior:

System messages via popups and security alerts advising the user to install a Rogue Security Application.

A more modern version of this is shown here…

Inserting malicious links into search results.

The Vundo Trojan will insert misleading links into search results or re-direct URLs, so clicking on a link for company A will take you to the website of company B.

Visiting these links could facilitate downloading other malware, adware or spyware onto the system. mywebsearch and Adware Virtumundo are two popular Adware components downloaded by the Vundo Trojan.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqpqOhi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

The Vundo Trojan makes itself difficult to remove by many means; it employs various anti-removal techniques:

• Injects itself into running processes, explorer.exe, .exe and lsass.exe.

• Uses rundll32.exe to load itself, and employs watchdog techniques to reload the malware on termination.

• The Vundo Trojan does not provide un-registration information.

• Monitors deletion keys for instances of the malware and removes them.

• The Vundo Trojan also runs in safe-mode.

Due to the large number of popups generated by Vundo, infected machines often slow to the point of being unusable.

Other symptoms include high CPU utilization, application errors, and blocked access to certain security-related websites.

Cleaning Vundo

Removing a Vundo infection is often difficult, due to the in-built protection mechanism employed by the Trojan.

Certain variants of the Vundo Trojan are especially difficult to remove. Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory. However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat.

Instructions

1. Download Process Explorer (procexp.exe) from Sysinternals.

2. Reboot the infected machine.

3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet.

4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, lsass.exe and rundll32.exe processes (right-click on these process names and choose Suspend).

5. Scan & clean with the current DAT files and engine (the window launched in step 3 above). There will be clean failures; that is expected.

6. Physically power the machine off and back on (a hard reset is required, as Windows will not shut down without Winlogon.exe running, and resuming that process would revert the changes made by the scanner).

These steps will remove all relevant registry entries and identified Vundo components.

Finding Vundo

Unfortunately, as mentioned previously, the Vundo Trojan is particularly virulent.

It often has two or three components injected into various processes, and deleting one simply results in a new copy being created and the infection continuing unabated.

Places to look and what to look for:

C:\windows\system32
    xxxxxxxx.dll
    _xxxxxxx.dat
    xxxxxxxx.ini

Where xxxxxxxx is typically an eight-character random name used by the malware. There may be more than one instance on an infected machine.

Examples:
    urqpqOhi.dll
    fozehuka.dll
    akuhezof.ini
    tdssriqp.dll

Since Vundo is a BHO-based infection, looking at the following registry location can be useful:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Any CLSID under this location should be investigated.

Winlogon.exe is often infected by adding the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Xxxxxxx.dll
    Startup: "SysLogon"
    Logoff: "SysLogoff"

Registry marker left by Vundo:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan

Typical RUN key entries used by Vundo variants (remember to check both the HKLM and Current User hives):

Run: [949d70fa] rundll32.exe "C:\WINDOWS\system32\bawayeka.dll",b.
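The checks listed in this section, as an added Python example (not McAfee's tool, and not code from the paper): it encodes the eight-letter naming scheme and the registry locations above and runs them over a constructed directory listing and registry walk. In the paper's own examples the .ini name is the .dll name reversed (fozehuka.dll / akuhezof.ini), so the example treats that pairing as the stronger signal and flags bare eight-letter names only as weak hits; the Notify key name bawayeka.dll, the placeholder CLSID and the sample listing are assumptions.

```python
import re
# Added example, not McAfee's tool: the paper's indicators for Vundo. Eight-letter
# random component names in system32, a Run value loading such a DLL via rundll32
# with a short export, Winlogon\Notify SysLogon/SysLogoff, "MS Juan", BHO CLSIDs.
NAME_PATTERNS = {"dll": r"[a-z]{8}", "ini": r"[a-z]{8}", "dat": r"_[a-z]{7,8}"}
RUNDLL_LOADER = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[a-z]{8}\.dll"?\s*,\s*\w{1,2}\b', re.I)

def find_file_candidates(filenames):
    """Return (name, reason) for system32 names that fit Vundo's naming scheme."""
    orig = {n.lower(): n for n in filenames}   # match case-insensitively, report as seen
    hits = []
    for name in sorted(orig):
        stem, _, ext = name.rpartition(".")
        if ext not in NAME_PATTERNS or not re.fullmatch(NAME_PATTERNS[ext], stem):
            continue
        if ext == "dll" and stem[::-1] + ".ini" in orig:
            reason = "dll with reversed-name ini companion"
        elif ext == "ini" and stem[::-1] + ".dll" in orig:
            reason = "ini name is a reversed dll name"
        else:  # legitimate eight-letter names (e.g. setupapi.dll) land here too
            reason = "random-looking name (weak, verify)"
        hits.append((orig[name], reason))
    return hits

def scan_registry(entries):
    """entries: (key, value_name, data) triples as produced by a registry walk."""
    findings = []
    for key, value, data in entries:
        k, pair = key.lower(), (value.lower(), data.lower())
        if k.endswith("\\currentversion\\run") and RUNDLL_LOADER.search(data):
            findings.append(("run-key rundll32 loader", key, value, data))
        elif "\\winlogon\\notify\\" in k and pair in {("startup", "syslogon"), ("logoff", "syslogoff")}:
            findings.append(("winlogon notify handler", key, value, data))
        elif k.endswith("\\microsoft\\ms juan"):
            findings.append(("MS Juan marker key", key, value, data))
        elif "\\explorer\\browser helper objects\\{" in k:
            findings.append(("BHO CLSID to investigate", key, value, data))
    return findings

# Constructed sample input (a directory listing and a registry walk), not real data.
SAMPLE_SYSTEM32 = ["kernel32.dll", "setupapi.dll", "urqpqOhi.dll", "fozehuka.dll", "akuhezof.ini", "_ozehuka.dat"]
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
RUN = HKLM + r"\Windows\CurrentVersion\Run"
NOTIFY = HKLM + r"\Windows NT\CurrentVersion\Winlogon\Notify\bawayeka.dll"   # assumed key name
SAMPLE_REGISTRY = [
    (RUN, "949d70fa", r'rundll32.exe "C:\WINDOWS\system32\bawayeka.dll",b'),
    (RUN, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),                  # benign, must not fire
    (NOTIFY, "Startup", "SysLogon"), (NOTIFY, "Logoff", "SysLogoff"), (HKLM + r"\MS Juan", "", ""),
    (HKLM + r"\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}", "", ""),
]
```

The weak hits are exactly the false positives a practitioner should expect from the naming heuristic alone, which is why the reversed-name pairing and the registry findings should be correlated before anything is treated as Vundo.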

Stopping Vundo

Stopping Vundo infections is all about closing down infection vectors. As we covered earlier, Vundo spreads via spam, so deploy a good quality anti-spam tool, one with regular updates.

The Vundo Trojan has been observed being downloaded by other spammed malware, so block executable files within email. Your gateway or email server AV software should be able to remove .exe files from zips. Blocking password-protected zips can also be a useful countermeasure.

The largest number of Vundo infections by far, though, can be attributed to what we call drive-by installs: the Trojan is silently installed via browser exploits or hidden IFrames on malicious websites.

Often innocent websites become malicious websites because a vulnerability in the web page is exposed and exploited by malware teams in order to infect visiting systems.

Often these websites attempt to run several exploits, sometimes dozens.

If you must use Internet Explorer as your browser of choice, make sure the browser is patched to the latest level; patching browser levels becomes important. Switching to Mozilla Firefox or another less targeted browser is an obvious preventative measure.

Enable ScriptScan in McAfee VirusScan Enterprise. ScriptScan evaluates and scans scripts before they are executed.

Check ePO detection logs, correlate them to firewall logs, and block any sites showing exploit detections.

Deploy a web reputation tool like McAfee SiteAdvisor. Not only does it provide good user protection, it also acts like an education tool. Soon users learn what types of sites are deemed malicious or potentially malicious.

Many organizations still have users running with extended or administrative privileges. This makes malware infection even more likely. Running with ordinary user privileges means the malware has to be capable of privilege escalation as well as exploiting the browser in order to be able to install.