autorun – Kashif Ali

July 1, 2013

The Java Autorun Worm, Java.Cogyeka (1 of 3)

Java.Cogyeka
Recently there has been a lot of attention drawn to the vulnerabilities in Java and how they can lead to malware being created. However, it is worth noting that a vulnerability is not always required for malware to exist, as is the case with Java.Cogyeka. While this threat does not exploit any vulnerability in Java itself, it is written in the Java language and performs numerous malicious activities, which I intend to explore throughout this series of blogs.

Java.Cogyeka was discovered in July 2012 and is still active now. This malware has five features, which I have broken down into the following categories:

Propagation through autorun.inf
Stealth techniques
Downloader functionality
Obfuscation
Infostealer functionality

Other Java malware we have seen does not have this combination of malicious features. Typically, when we encounter Java in a malicious program, its only purpose is to download other malware, which then performs further malicious actions. However, Java.Cogyeka is a malicious program in its own right and with its own purpose—the Java code itself is being used to perform malicious activities without requiring an additional malicious module. This makes it the most comprehensive Java-only malware that I have ever come across.

This is the first in a series of three blogs on Java.Cogyeka and in this blog I will discuss the following features:

Propagation through an autorun.inf file
Stealth techniques
Downloader functionality

The remaining functions, Obfuscation and Infostealer functionality, will be discussed in future blogs.

Propagation through an autorun.inf file
As previously mentioned, this worm uses autorun.inf to spread and attempts to copy itself to a removable drive using a file name in the following format:

%DriveLetter%:\RECYCLER\[SID]\[RANDOM FILE NAME].[THREE RANDOM LETTERS FILE EXTENSION]

It then attempts to copy an autorun.inf file to the root folder of the removal drive in order to execute the worm whenever the removable drive is inserted into another computer.

Technically, a problem exists when creating the autorun.inf file on the removable drive. By design, Java operates within a sandbox and cannot interact directly with the resources of the operating system. Because of this, a Java application cannot directly determine the drive letter of a removable drive, but the Java Native Interface (JNI) offers a possible solution to this problem. The worm needs to know the drive letter of a removable drive in order to store and use the autorun.inf file effectively. To solve this problem, it attempts to call a native WIN32 API method GetDriveType through a Windows binary DLL file that the malware author made specifically for this purpose. This DLL is then accessed indirectly by the Java code using JNI. Symantec also detects the malicious DLL file as Java.Cogyeka.

Figure 1. Determining the name of the removable drive

Stealth techniques
Java.Cogyeka uses certain stealth techniques when compromising a computer. It is doubtful that these techniques successfully trick users of the compromised computer or fool security products for that matter. The threat uses three stealth techniques.

Compromised removable drive icon
The removable drive that is compromised by this malware has its drive icon changed to a folder icon. It is easy to change a drive icon, the malware simply adds “icon=[PATH OF ICON IMAGE]” to the autorun.inf file. This malware uses the folder icon from the shell32.dll file.

Figure 2. Removable drive with changed icon

Changing the icon of an executable file is a well-known camouflage technique. If an executable file has a document file icon, like Microsoft Word or Adobe PDF, users may misidentify the executable file as a document file. However, changing the icon of a removable drive is a slightly different case. I do not know why the malware changes the icon of the removable drive, but this is one of the malware's meaningless stealth techniques. If found on the compromised computer, it can be seen as a sign that the malware may be present.

Repacked, not copied
Previously, I stated that the malware copies itself, but this is not entirely accurate. The malware actually repacks itself to the following location:

%Temp%\jar_cache[RANDOM DIGITS].tmp

The malware spreads itself as a JAR file. It may try to change the hash value of the JAR file by adding random bytes. The JAR format is like a Zip format that is used to pack Java classes into one file. The malware attempts to add random bytes to an extra field in the Zip headers. However, most security vendor virus scanners can extract Zip files to scan files contained in the archive. They do this so that they can scan the malicious .class file within the JAR file and detect it even though the hash value of the JAR file has changed.

As a result, the malware's modification of the hash value of the JAR file is meaningless.

java.exe instead of a system process
The malware copies java.exe to the following location:

%Temp%\hsperfdata_[USER NAME]\[SYSTEM EXECUTABLE FILE NAME].exe

It uses one of the following system executable file names:

csrss
explorer
lsass
services
smss
svchost
winlogon

Users, even if they have administrator privileges, cannot end these processes, except for the explorer.exe process. The malware aims to deter users from ending the process that the worm is running on. However, it uses “javaw” in the StubPath registry subkey, as described in our detection write-up, instead of "[SYSTEM FILE NAME].exe" with "SYSTEM FILE NAME" representing one of the processes listed above. Users who find this malware running as a system process cannot manually end the malware process by using Windows Task Manager. Third-party software, however, can be used to end the process. It is also worth noting that Symantec Endpoint Protection and Norton Internet Security/Norton 360 products will end this process automatically as soon as it starts.

While the malware author makes it inconvenient for users to end this process manually, the technique used is far from successful.

Downloader functionality
After the malware compromises a computer, it attempts to connect to a server in order to download an additional module. Apparently, this module is a JAR file. It downloads and extracts class files into its memory space and then loads them with the ClassLoader Java class. Through any class loading, a malware author can gain control of the compromised computer. The malware can also download updates with new features for itself or other modules.

To be continued…
This blog is an overview of Java.Cogyeka and how it works to compromise computers. The next blog in the series will discuss obfuscation techniques used by the worm as well as its main module.

February 15, 2013

Polymorphic AutoRun Worm Evolves and Obfuscates

Recently we have seen a spike in a Visual Basic 6-compiled AutoRun worm family. The family is both client- and server-side polymorphic. (For more on this family, refer to our VIL and Advisory entries.)

The W32/Autorun.worm.aaeh family usually gets on a victim’s machine through email spam, Blacole drive-by downloads, or downloads by BackDoor-FJW. From a behavioral perspective, it looks like any other thumb-drive infecting worm. It adds an autorun.inf file on all removable drives and network shares, has an icon resembling a folder icon to trick people into double-clicking it, and infects ZIP and RAR archives. What separates this worm from the rest, however, is the level of obfuscation and polymorphism that it employs.

This family is known to package itself with open-source VB6 projects taken from repositories on the web as an obfuscation mechanism. It appears that the author achieves this by downloading an existing VB6 project with GUI components (forms, user-defined controls, etc.), including the malicious code inside the project and switching the Startup Object as “Sub Main” so that only the malware gets control–instead of the original project’s event handlers. This is possibly an attempt to pose as legitimate software. However, the compiled binaries typically never contain clearly visible strings required by the malware, and are instead encrypted with the RC4 algorithm using a randomly generated encryption key. The files may also be either p-code compiled or native VB6 compiled. The code is obfuscated and they developers appear to have used an automated code scrambler for the binary generation. The generated code uses junk API calls and string functions to further complicate any analysis (described below).

Internals

This threat has been around for more than a year and has evolved. I should note that the earliest samples from this family weren’t nearly as complex as they are today. Some of the oldest samples didn’t encrypt all the strings (MD5:A858514E09637B9B84FD207CED38657B), but the authors have evolved their software (MD5:65CCF15E6224444AAC1141BA210A35C2) by encrypting everything important with a single round of RC4 encryption. Some new variants use an additional round of RC4 (MD5:DCEF805C893A0515C7A0BA117F13CDC3).

When this family first executes, it performs the following operations:
(Boldface items apply only to the new variants that use two rounds of RC4.)

Checks if only one instance of the application is running, else quits
Opens itself with File Read permission
Searches for its encrypted data, which later decrypts to its strings. It needs to obtain a key for decryption. The key is built from two subkeys.
Key1 is obtained from the application title
Key2 is a hardcoded ASCII byte key
Performs RC4 decryption over encrypted data using key2 (Layer 1 Decryption)
Performs RC4 decryption over encrypted data using using key1 (Layer 2 Decryption)
Splits strings based on vbCrLf as decrypted strings appear as one large string delimited by vbCrLf
Performs malicious activity and refers to decrypted strings for API functions, DLLs, filenames, URLs, and other information.

Aside from having the code compiled in native mode and p-code to generate separate binaries that display identical behavior, the author uses various techniques.

Unnecessary Strings

The following image shows strings in clear text that have no relevance to the malware.

Random VB6 Library Function Calls

The next image shows various VB6 function calls that have no relevance to the malware.

Polymorphism

Besides using the usual tricks, such as register swaps and code merging, this family is capable of using different sets of instructions to implement the same feature. For example, some samples may use polymorphic code for performing RC4, as shown below:

The same routine also appears in other samples using floating-point instructions:

Next we see a dump of the decrypted strings:

advapi32
CloseHandle
connect
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
GetLogicalDrives
GetLogicalDriveStringsW
CreateMutexW
GetModuleHandleW
GetUserNameW
ExitProcess
htons
InternetCloseHandle
InternetOpenUrlW
InternetOpenW
InternetReadFile
kernel32
OpenProcess
Process32First
recv
shell32
ShellExecuteW
SHGetSpecialFolderPathW
Sleep
socket
TerminateProcess
user32
wininet
WriteProcessMemory
WSAStartup
ws2_32
RegCreateKeyExW
RegSetValueExW
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden
autorun.inf
.exe
:.dl
&h
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
[autorun]
action=
open=
useautoplay=1
view files
abcedfghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
aeiou
bcdfghjklmnpqrstvwxyz
ico
task
proc
x.mpeg
Secret
Sexy
Porn
Passwords
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
.scr
CsrGetProcessId
TerminateThread
SetWindowLongW
CallWindowProcW
OpenMutexW
Process32Next
ntdll
NtTerminateProcess
gethostbyname
SetFileAttributesW
DeleteFileW
CopyFileW
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
cmd /c tasklist&&del
mp3,avi,wma,wmv,wav,mpg,mp4,doc,txt,pdf,xls,jpg,jpe,bmp,gif,tif,png
RECYCLER
SetTimer
GetProcAddress
RtlMoveMemory
RegOpenKeyW
RegDeleteValueW
RegisterClassW
CreateWindowExW
DefWindowProcW
GetMessageW
WaitMessage
ShowWindow
ReleaseMutex
NoAutoUpdate
GetForegroundWindow
GetWindowTextW
Software\Microsoft\Windows NT\CurrentVersion\Windows
.com
.net
.org
.biz
.info
config
registry
Load
Run
=
:
.
\
exe
[
]
/
.at
.eu
.by
oq2*mckxjbnof}
runme
8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3
<PATCH1>
<PATCH2>
FindFirstFileW
FindNextFileW
FindClose
GetShortPathNameW
zip
rar
*
\WinRAR\Rar.exe
a -y -ep -IBCK
1
2
4
14
63
32768
32772
2035711
67108864
-4
-2147483646
-2147483647
sbiedll
dbghelp
snxhk
SYSTEM\ControlSet001\Services\Disk\Enum
*VIRTUAL*
*VMWARE*
*VBOX*
*QEMU*
RegQueryValueExW
xxx

From the strings we can see that this threat is VM-aware and capable of infecting RAR and ZIP files. The numbers (1, 2, 3, 14, 63) are used to randomly generate domain names based on table lookups, etc.

The worm can download other prevalent families, such as ZBot, and it’s clear that the payload families use the worm’s spreading mechanism as a propagation vector.

What Can You Do?

This family hasn’t shown signs of fading away (more than a million files on VirusTotal belong to this family), but with a few simple steps, you can avoid getting infected by this annoying worm.

Don’t click links in spam emails that promise free stuff or suggest new ways to make a quick buck. Don’t execute software that arrives via spam.
Disable the AutoRun feature on Windows
Refrain from opening files named “secret,” “sexy,” “porn,” or “passwords” from unknown sources
Don’t open any executable file with a shady application name (visible through a tool tip when you hover your mouse near a file or by right-clicking the file and selecting properties)
Don’t open any executable file that looks like a folder icon with blurred edges
Read our Threat Advisory for more information

McAfee products detect this family as W32/Autorun.worm.aaeh and W32/Autorun.worm.aaeh!gen.

Don’t forget to sign up for our Notification Services, which are available via email or apps on your mobile device.

February 7, 2013

Fake Cleaning Apps in Google Play: an AutoRun Attack and More

Almost exactly one year ago, Google announced the addition of a “new layer to Android security,” a service codenamed Bouncer that was intended to provide automated scanning of the Android Market for potentially malicious software. However, as my colleague Jimmy Shah wrote in a previous blog post, Bouncer has not been enough to keep all the malware out of the market: We saw Android malware (for example, Android/DougaLeaker) distributed in the Google Play Market in 2012. Recently, two malicious applications from the developer Smart.Apps were found using the same official distribution method:

Both applications present themselves as “optimizers” that make Android devices faster and more responsive by cleaning the browser cache, optimizing network settings, clearing unused log files, and so on. When the applications are executed, they display fake user interfaces:

In the case of DroidCleaner, the graphical user interface is more elaborate; the application displays three different cleaning options that lead to the same fake progress bar:

Meanwhile, in the background and without user consent, a service establishes a communication with a control server. The commands include common actions performed by other Android malware:

Sending device and network information (IMEI, IMSI, phone number) to a remote server
Sending and deleting SMS messages (could be used to subscribe the user to premium-rate services)
Stealing sensitive personal information (installed applications, pictures, contacts, SMS messages, GPS coordinates)
Mapping the contents of the SD card (files and directories) to later upload to the remote server

Other less common functions are also implemented as available commands:

Executing shell commands remotely
Rebooting the device using the command “reboot” on rooted devices
Launching another application installed in the device without user consent
Setting call forwarding and changing the ringer mode to silent so the user is not aware that calls are being redirected to another number

One of the most interesting commands in this new Android malware is UsbAutorunAttack, which consists of downloading three files (autorun.inf, folder.ico, and svchost.exe) from a remote server to place in the SD card and infect Windows computers that have the AutoRun feature enabled. This new distribution method may not be as effective because the latest version of Windows has AutoRun disabled by default; yet it is interesting to see Android malware trying to infect Windows computers.

Another interesting command in this threat is CallOut, which aims to initiate the dialer’s pad with a specific phone number. The implementation of this command reminds me of the “Dirty USSD” vulnerability, discovered last year, because this one uses the protocol “tel:,” which can be used with a special USSD code to wipe an Android device. Although we haven’t seen this attack in the wild and the issue has already been fixed for most devices with an OTA software update, due to the fragmentation problem of Android it is possible that your device doesn’t have the latest version of the operating system. To find out if your device is vulnerable, McAfee offers a test page that performs a test with nonmalicious code. If your device is vulnerable, you can download and install the McAfee Dialer Protection app from Google Play.

This threat also executes phishing attacks aimed to steal Android (Google) and Dropbox credentials by showing the following user interface to the user when the commands creds_attack and creds_dropbox are sent by the control server:

Once the user enters the information and taps “Login,” the stolen credentials are sent to the remote server while the message “Wrong credentials” is displayed.

McAfee Mobile Security detects this mobile threat as Android/Ssucl.A. The Windows threat is detected by McAfee VirusScan/Total Protection as Generic Dropper.p.

December 24, 2012

Worm Lures Victims with Indian Celebrity Video Links

Malicious worms are found infecting customers through-out the year. They keep evolving to evade the Anti Virus detections. They add junk codes or come up with new custom packer, yet achieve their full functionality and reward their developers.

We have seen earlier how different types of malware use chat windows to download and spread across victims here and here.

This worm spreads by copying itself to removable drives and writeable network shares,and by modifying system settings. It can also send out messages via instant messaging client messages.

Spreading technique:

Payload

A file by the name Setting.ini is dropped into Windows system folder. It then tries to download other files from any URL specified randomly and once downloaded they are then executed.

What looked interesting to us was that some messages send by this worm actually had some Indian celebrities’ names like Aishwarya Rai,Nayanthara and Simbufollowed by a link.

The URLs are actually retrieved from setting.ini randomly.URLs point to a remote server which host a copy of worm. The following are few messages seen:

· “Aishwarya Rai videos ftp://tlpoeil:[email protected] <url>”
· “stream Video of Nayanthara and Simbu ftp://tlpoeil:[email protected] <url>”
· “Latest video shot of infosys girl ftp://tlpoeil:[email protected] <url>”
“Latest video shot of infosys girl ftp://tlpoeil:[email protected] <url>”
· “cyber cafe scandal visit ftp://tlpoeil:[email protected] <url>”
· “World Business news broadcaster ftp://tlpoeil:[email protected] <url>”
· “Regular monthly income by wearing your shorts at the comfort of your home for more info ftp://tlpoeil:[email protected] <url>”
· “Nfs carbon download ftp://tlpoeil:[email protected] <url>”
· “Free mobile games ftp://tlpoeil:[email protected] <url>”
“Nse going to crash for more ftp://tlpoeil:[email protected] <url>”

From the look at the list of messages in setting.ini, we suspect this variant of worm was targeted against Indian computer users.

In case if the worm fails to read the content of setting.ini, it send one of the following messages (in Vietnamese) with the URL pointing to remote server hosting the worm.

E may, vao day coi co con nho nay ngon lam
Vao day nghe bai nay di ban
Biet tin gi chua, vao day coi di
Trang Web nay coi cung hay, vao coi thu di
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…

The worm also has the ability to enumerate through various applications running in the victim’s machine and terminating if the following were found:

“Registry”
“System Configuration”
“Windows mask”
“Bkav2006″
“Trung tƒm An ninh m?ng Bkis”
“FireLion”

The following system changes can be looked out for checking the presence of this worm:

The presence of the following files:
<system folder>/regsvr.exe
<system folder>/svchost .exe
%windir%/regsvr.exe
New Folder.exe (with a folder icon)

The dropped files are all sample copies with Folder icon.

Taksmgr.exe and Regedit.exe are disabled.
AT1.job is created to ensure that the worm gets executed everyday at 9:00 AM.

The presence of the following registry modifications:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
“Shell” = “explorer.exe regsvr.exe”HKCU\Software\Microsoft\Windows\CurrentVersion\Run
“Msn Messsenger” = “<system folder>\regsvr.exe”

We advise our customers to pay extra caution when they plug in their USB sticks and keep their DATS updated.

McAfee detects this worm as W32/Autorun.g.