Read the full post at darknet.org.uk
In recent weeks, McAfee Labs has seen a rise in the W97MDownloader malware, which comes with a macro downloader embedded in doc files. One of the malware families that serves these embedded macros is Bartallex, whose appearances have increased significantly during this period. The following chart shows the recent trend for the family:
This threat is a malicious macro that comes into users’ systems through a spam email and a Microsoft Word file, which leads to downloading and running the malware on the victim’s machine. Whenever a user tries to open the malicious doc file, Word should show a security notification asking whether the user wants to enable macros. If enabled, this threat will execute.
One difference in this variant of W97MDownloader is that it clears the contents in the Word document after the macro is enabled. It also generally downloads its payload in the %temp% folder.
The spam email may look like this:
This threat shows that attackers have not forgotten the classic exploitation technique of tricking users into enabling Office macros to execute malicious code.
The infection chain starts with the spammed email. The email is carefully designed to lure users and seems legitimate. After executing, Bartallex drops a .bat file and a .vbs file onto the victim’s system. They download further malware.
The following figure shows a .doc file with embedded macro posing as a fax:
If email recipients open the document, they first see junk data with a request to enable the macro, in spite of the security warning not to trust its content. The doc file has a random name, for example:
Upon execution, this malware drops the following files:
The downloaded files are:
- %Temp%\444.exe (for Windows XP and earlier)
- %User Temp%\444.exe (for Windows Vista and later)
Extracting the Macro
This document contains three embedded macros. The details of the extracted macros follow:
Let’s take a look at some of this malware’s evasion efforts. The first two lines use some classic obfuscation.
- BART212 = "" & "d-up" + "date"
- BART2 = Chr(97) + Chr(100) & "" & "o" & "" & "b" & "e" + "ac" & BART212
Splitting a variable is typical for evading scanners searching for keywords and other suspicious activities such as downloading a file. The Chr function returns a string containing the character associated with the specified character code. For example, Chr(97) is the letter a and Chr(100) is the letter d.
After removing the breaks and making the substitutions, we see a meaningful string:
BART2 = "adobeacd-update"
Opening the document file with macros enabled runs the dropped batch file, which in turn runs the .vbs file, which immediately downloads other malware, such as the Upatre, Vawtrak, and Chanitor families, from the remote server.
The malware connects to the control server “http:/xx.xxx.254.213/us/file.jpg” and downloads the payload, which appears to be a .jpg file but is really a malicious .exe file.
Here’s a look at the traffic:
We have also seen this threat download a clean PNG image file and save it with a random file name, for example %temp%\savepic.su5123965.png.
We are seeing a lot of malware propagating through this infection vector. It’s always a good idea to pay attention to system security messages. Don’t ignore a suggestion to be careful.
McAfee products detect this threat and its payloads as:
- Generic-FAWE! [partial hash]
- Backdoor-FCMU! [partial hash]
I would like to thank my colleague Lenart Brave for his help with this analysis.
On Tuesday, Ars chronicled Microsoft's four- to six-week delay responding to a Finnish man who had obtained a Windows Live e-mail address that allowed him to register unauthorized transport layer security certificates for the live.fi domain. Today comes the tale of a Belgian IT worker who has waited more than four years to return two similar addresses for the live.be domain.
Microsoft's delay in securing addresses such as [email protected] and [email protected] has potential consequences for huge numbers of people. Browser-trusted certificate authorities such as Comodo grant unusually powerful privileges to people with such an address. All the account holders had to do was ask for a domain-validated TLS certificate for live.fi or live.be. Once they clicked a validation link Comodo sent to their e-mail addresses, the certificates were theirs. Comodo's automatic certificate application also works for addresses with the words admin, postmaster, and webmaster immediately to the left of the @ and the domain name for which the certificate is being applied.
It came as a surprise that Microsoft waited until this week to respond to the Finnish man's report, reportedly from January, that he came into possession of the [email protected] address. One would have expected such addresses to be locked down tight to begin with. Once a breach of this policy was reported, it would have been reasonable to assume Microsoft security personnel would respond to it within a day or two, if not sooner. But the Belgian IT worker's e-mail reveals a mind-boggling wait of more than four years for company officials to respond to his private and voluntary report that he was sitting on the addresses [email protected] and [email protected].
Apple has released security updates for Safari to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or prevent users from discerning a phishing attack on an affected system.
- Safari 8.0.4 for OS X Mountain Lion v10.8.5
- Safari 7.1.4 for OS X Mavericks v10.9.5
- Safari 6.2.4 for OS X Yosemite v10.10.2
US-CERT encourages users and administrators to review Apple security update HT204560 and apply the necessary updates.