Rootkits, Downloaders, and Natalie Portman
by Jose Nazario

Got a round of these in my inbox this morning. These are EXEs being spammed out in e-mail messages to get you to install malware. The names of Hollywood stars used in the emails include Nicole Kidman, Angelina Jolie, and Natalie Portman.
Here’s a sample email:
Subject: Pictures
Parts/Attachments:
1 Shown 5 lines Text (charset: ISO-8859-1)
2 19 KB Application
—————————————-
Good evening, man!
Shocking pictures of nude Nicole Kidman. See it in your attachment.
Bye.
[ Part 2, Application/ZIP 26KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]
The attachment, “amazing.zip”, contains “shocking.exe”. Analyzing the malware reveals that it installs a rootkit driver (runtime.sys) that hooks the TCP/IP driver’s IRP_MJ_DEVICE_CONTROL handler:
Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
Object-Path: \??\C:\WINDOWS\System32\drivers\runtime.sys
Once executed, shocking.exe deletes itself. It then uses Internet Explorer to download files from the following IP addresses (all on TCP port 80): 208.66.194.241, 66.246.252.213, 66.246.252.215, 66.246.72.173, and 67.18.114.98. One of the downloaded binaries appears to be used for spamming. It also installs a service registry key, \Registry\Machine\System\CurrentControlSet\Services\ip6fw, as one of the means it uses to ensure it keeps running.
Detection is weak at this point.
Complete scanning result of “shocking.exe”, processed in VirusTotal at 08/02/2007 15:27:56 (CET).
[ file data ]
* name: shocking.exe
* size: 20992
* md5.: c0c2b29e1bdf9e4b1dcd6be02858c399
* sha1: 3e1f327881d3c9a5d27fff1069860225b5b2c81c
[ scan result ]
AhnLab-V3 2007.8.3.0/20070802 found nothing
AntiVir 7.4.0.57/20070802 found nothing
Authentium 4.93.8/20070802 found nothing
Avast 4.7.1029.0/20070802 found nothing
AVG 7.5.0.476/20070801 found nothing
BitDefender 7.2/20070802 found nothing
CAT-QuickHeal 9.00/20070801 found nothing
ClamAV 0.91/20070802 found [Trojan.Downloader-12155]
DrWeb 4.33/20070802 found [Trojan.DownLoader.29243]
eSafe 7.0.15.0/20070731 found nothing
eTrust-Vet 31.1.5026/20070802 found [Win32/Cutwail!generic]
Ewido 4.0/20070801 found nothing
F-Prot 4.3.2.48/20070801 found nothing
F-Secure 6.70.13030.0/20070802 found nothing
FileAdvisor 1/20070802 found nothing
Fortinet 2.91.0.0/20070802 found nothing
Ikarus T3.1.1.8/20070802 found [Win32.Outbreak]
Kaspersky 4.0.2.24/20070802 found nothing
McAfee 5088/20070801 found nothing
Microsoft 1.2704/20070802 found nothing
NOD32v2 2432/20070802 found nothing
Norman 5.80.02/20070802 found nothing
Panda 9.0.0.4/20070802 found nothing
Rising 19.34.32.00/20070802 found nothing
Sophos 4.19.0/20070801 found nothing
Sunbelt 2.2.907.0/20070802 found nothing
Symantec 10/20070802 found nothing
TheHacker 6.1.7.160/20070801 found nothing
VBA32 3.12.2.2/20070801 found nothing
VirusBuster 4.3.26:9/20070802 found nothing
Webwasher-Gateway 6.0.1/20070802 found nothing
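As an added example (not part of the original post), a small parser for the VirusTotal summary quoted above: it counts the engines that flagged shocking.exe and lists those whose signature set predates the scan, since a "found nothing" from an engine running day-old signatures says less. The summary text is embedded verbatim from the post; SCAN_DATE is taken from the scan timestamp above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# VirusTotal summary as quoted in the post: "<engine> <version>/<sigdate> found nothing|[<name>]"
VT_RESULT = (
    "AhnLab-V3 2007.8.3.0/20070802 found nothing AntiVir 7.4.0.57/20070802 found nothing "
    "Authentium 4.93.8/20070802 found nothing Avast 4.7.1029.0/20070802 found nothing "
    "AVG 7.5.0.476/20070801 found nothing BitDefender 7.2/20070802 found nothing "
    "CAT-QuickHeal 9.00/20070801 found nothing ClamAV 0.91/20070802 found [Trojan.Downloader-12155] "
    "DrWeb 4.33/20070802 found [Trojan.DownLoader.29243] eSafe 7.0.15.0/20070731 found nothing "
    "eTrust-Vet 31.1.5026/20070802 found [Win32/Cutwail!generic] Ewido 4.0/20070801 found nothing "
    "F-Prot 4.3.2.48/20070801 found nothing F-Secure 6.70.13030.0/20070802 found nothing "
    "FileAdvisor 1/20070802 found nothing Fortinet 2.91.0.0/20070802 found nothing "
    "Ikarus T3.1.1.8/20070802 found [Win32.Outbreak] Kaspersky 4.0.2.24/20070802 found nothing "
    "McAfee 5088/20070801 found nothing Microsoft 1.2704/20070802 found nothing "
    "NOD32v2 2432/20070802 found nothing Norman 5.80.02/20070802 found nothing "
    "Panda 9.0.0.4/20070802 found nothing Rising 19.34.32.00/20070802 found nothing "
    "Sophos 4.19.0/20070801 found nothing Sunbelt 2.2.907.0/20070802 found nothing "
    "Symantec 10/20070802 found nothing TheHacker 6.1.7.160/20070801 found nothing "
    "VBA32 3.12.2.2/20070801 found nothing VirusBuster 4.3.26:9/20070802 found nothing "
    "Webwasher-Gateway 6.0.1/20070802 found nothing"
)
SCAN_DATE = "20070802"  # date of the VirusTotal run quoted in the post
ENTRY_RE = re.compile(r"(\S+) (\S+)/(\d{8}) found (?:nothing|\[([^\]]+)\])")

@dataclass
class ScanEntry:
    engine: str
    version: str
    sigdate: str            # signature-set date, YYYYMMDD
    name: Optional[str]     # detection name, or None if the engine found nothing

def parse_vt(text: str) -> List[ScanEntry]:
    """Split the run-together summary into one entry per engine."""
    return [ScanEntry(e, v, d, n or None) for e, v, d, n in ENTRY_RE.findall(text)]

def detections(entries: List[ScanEntry]) -> Dict[str, str]:
    """Engines that flagged the file, mapped to the name they gave it."""
    return {e.engine: e.name for e in entries if e.name}

def stale_engines(entries: List[ScanEntry], scan_date: str) -> List[str]:
    """Engines whose signatures predate the scan: a miss from them says less."""
    return [e.engine for e in entries if e.sigdate < scan_date]

if __name__ == "__main__":
    entries = parse_vt(VT_RESULT)
    hits = detections(entries)
    print(f"{len(hits)}/{len(entries)} engines detected shocking.exe: {hits}")
    print("signatures older than the scan:", stale_engines(entries, SCAN_DATE))
```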
Links around the net:
- Nude celebrity photos? Not so shocking, SophosLabs Blog
