Rootkits, Downloaders, and Natalie Portman
Got a round of these in my inbox this morning. These are EXEs being spammed out in e-mail messages to get you to install malware. The names of Hollywood stars used in the emails include Nicole Kidman, Angelina Jolie, and Natalie Portman.
Here’s a sample email:
1 Shown 5 lines Text (charset: ISO-8859-1)
2 19 KB Application
Good evening, man!
Shocking pictures of nude Nicole Kidman. See it in your attachment.
[ Part 2, Application/ZIP 26KB. ]
[ Cannot display this part. Press “V” then “S” to save in a file. ]
The attachment, “amazing.zip”, contains “shocking.exe”. Analyzing the malware reveals that it installs a rootkit via a hooked TCP/IP driver:
Once executed, shocking.exe will delete itself. It will also use Internet Explorer to download files from the following IP addresses (all on TCP port 80): 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52. It downloads a binary that appears to be used in spamming. It will also install a registry key, \Registry\Machine\System\CurrentControlSet\Services\ip6fw, as one of the means to ensure it runs.
Detection is weak at this point.
Complete scanning result of “shocking.exe”, processed in VirusTotal at 08/02/2007 15:27:56 (CET).
[ file data ]
* name: shocking.exe
* size: 20992
* md5.: c0c2b29e1bdf9e4b1dcd6be02858c399
* sha1: 3e1f327881d3c9a5d27fff1069860225b5b2c81c
[ scan result ]
AhnLab-V3 2007.8.3.0/20070802 found nothing
AntiVir 184.108.40.206/20070802 found nothing
Authentium 4.93.8/20070802 found nothing
Avast 4.7.1029.0/20070802 found nothing
AVG 220.127.116.116/20070801 found nothing
BitDefender 7.2/20070802 found nothing
CAT-QuickHeal 9.00/20070801 found nothing
ClamAV 0.91/20070802 found [Trojan.Downloader-12155]
DrWeb 4.33/20070802 found [Trojan.DownLoader.29243]
eSafe 18.104.22.168/20070731 found nothing
eTrust-Vet 31.1.5026/20070802 found [Win32/Cutwail!generic]
Ewido 4.0/20070801 found nothing
F-Prot 22.214.171.124/20070801 found nothing
F-Secure 6.70.13030.0/20070802 found nothing
FileAdvisor 1/20070802 found nothing
Fortinet 126.96.36.199/20070802 found nothing
Ikarus T188.8.131.52/20070802 found [Win32.Outbreak]
Kaspersky 184.108.40.206/20070802 found nothing
McAfee 5088/20070801 found nothing
Microsoft 1.2704/20070802 found nothing
NOD32v2 2432/20070802 found nothing
Norman 5.80.02/20070802 found nothing
Panda 220.127.116.11/20070802 found nothing
Rising 19.34.32.00/20070802 found nothing
Sophos 4.19.0/20070801 found nothing
Sunbelt 2.2.907.0/20070802 found nothing
Symantec 10/20070802 found nothing
TheHacker 18.104.22.168/20070801 found nothing
VBA32 22.214.171.124/20070801 found nothing
VirusBuster 4.3.26:9/20070802 found nothing
Webwasher-Gateway 6.0.1/20070802 found nothing
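To put a number on “detection is weak” and to make the file indicators above usable on a suspicious attachment, here is an added Python example (mine, not code from the original post or from VirusTotal). It parses the scan listing in the text form shown on the page, whether run together on one line or split one engine per line, counts how many engines flagged the file and which names they assigned, and compares a candidate file's size, MD5 and SHA1 against the values the post reports for shocking.exe. The listing and hashes below are copied from the page; the bytes fed to the matcher at the end are constructed stand-ins, not the sample.

```python
import hashlib
import re

# Indicators for the "shocking.exe" attachment, as reported on the page.
SAMPLE_SIZE = 20992
SAMPLE_MD5 = "c0c2b29e1bdf9e4b1dcd6be02858c399"
SAMPLE_SHA1 = "3e1f327881d3c9a5d27fff1069860225b5b2c81c"

# The VirusTotal scan listing as it appears on the page (engine version
# fields reproduced exactly as shown there).
VT_LISTING = """
AhnLab-V3 2007.8.3.0/20070802 found nothing
AntiVir 184.108.40.206/20070802 found nothing
Authentium 4.93.8/20070802 found nothing
Avast 4.7.1029.0/20070802 found nothing
AVG 220.127.116.116/20070801 found nothing
BitDefender 7.2/20070802 found nothing
CAT-QuickHeal 9.00/20070801 found nothing
ClamAV 0.91/20070802 found [Trojan.Downloader-12155]
DrWeb 4.33/20070802 found [Trojan.DownLoader.29243]
eSafe 18.104.22.168/20070731 found nothing
eTrust-Vet 31.1.5026/20070802 found [Win32/Cutwail!generic]
Ewido 4.0/20070801 found nothing
F-Prot 22.214.171.124/20070801 found nothing
F-Secure 6.70.13030.0/20070802 found nothing
FileAdvisor 1/20070802 found nothing
Fortinet 126.96.36.199/20070802 found nothing
Ikarus T188.8.131.52/20070802 found [Win32.Outbreak]
Kaspersky 184.108.40.206/20070802 found nothing
McAfee 5088/20070801 found nothing
Microsoft 1.2704/20070802 found nothing
NOD32v2 2432/20070802 found nothing
Norman 5.80.02/20070802 found nothing
Panda 220.127.116.11/20070802 found nothing
Rising 19.34.32.00/20070802 found nothing
Sophos 4.19.0/20070801 found nothing
Sunbelt 2.2.907.0/20070802 found nothing
Symantec 10/20070802 found nothing
TheHacker 18.104.22.168/20070801 found nothing
VBA32 22.214.171.124/20070801 found nothing
VirusBuster 4.3.26:9/20070802 found nothing
Webwasher-Gateway 6.0.1/20070802 found nothing
"""

# One engine entry reads "<engine> <version>/<yyyymmdd> found nothing" or
# "... found [<signature>]". Searching the whole text (not line by line)
# lets the parser accept the listing run together on a single line too.
ENTRY_RE = re.compile(r"(\S+)\s+(\S+)/(\d{8})\s+found\s+(?:(nothing)|\[([^\]]+)\])")


def parse_vt_listing(text):
    """Return a list of (engine, version, scan_date, signature_or_None)."""
    results = []
    for m in ENTRY_RE.finditer(text):
        engine, version, date, nothing, sig = m.groups()
        results.append((engine, version, date, None if nothing else sig))
    return results


def detection_summary(results):
    """Count flagging engines and collect the names they assigned."""
    names = {engine: sig for engine, _, _, sig in results if sig is not None}
    return {"engines": len(results), "detections": len(names), "names": names}


def file_hashes(data):
    """MD5 and SHA1 hex digests of a candidate file's bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_sample(data):
    """Report which of the page's size/MD5/SHA1 indicators the bytes match."""
    md5, sha1 = file_hashes(data)
    return {"size": len(data) == SAMPLE_SIZE,
            "md5": md5 == SAMPLE_MD5,
            "sha1": sha1 == SAMPLE_SHA1}


if __name__ == "__main__":
    summary = detection_summary(parse_vt_listing(VT_LISTING))
    print(f"{summary['detections']} of {summary['engines']} engines flagged the file")
    for engine, name in summary["names"].items():
        print(f"  {engine}: {name}")
    # Constructed stand-in bytes: a file that is not the sample matches nothing.
    print(matches_sample(b"constructed stand-in, not the sample"))
```

Run as a script it reports 4 of 31 engines flagging the file, which is the figure behind the post's "detection is weak". To check a real attachment, read its bytes and pass them to matches_sample; hash matches are exact-file indicators only, so a repacked variant of the same downloader will fail them and needs the behavioural indicators (the self-deletion, the port 80 downloads, the ip6fw service key) instead.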
Links around the net:
- Nude celebrity photos? Not so shocking, SophosLabs Blog