The Dark Power of Windows PowerShell

Windows PowerShell, the Microsoft scripting language, has made the headlines recently due to malware authors leveraging it for malicious purposes. Symantec has identified more PowerShell scripts being used for nefarious purposes in attacks. Unlike other PowerShell scripts that we have identified previously, the new script, which Symantec detects as Backdoor.Trojan, has different layers of obfuscation and is able to inject malicious code into “rundll32.exe” so that it can hide itself in the computer while still running and acting like a back door.

Powershell 1.png

Figure 1. The original Microsoft Windows PowerShell script

As seen from the previous image, the script is obfuscated to prevent users from seeing the clear text. However, the attacker has used the parameter “-EncodedCommand” in order to encode the entire script in base64. Once decoded, the script is still obfuscated and it looks like the following:

Powershell 2.png

Figure 2. PowerShell script’s first layer of decryption

After this, the script will again decode a portion of itself from base64 to plain text and the decoded part of the script is passed through a decompression function. The decompressed data is the latest stage of the deobfuscated PowerShell script, which will be executed through the “Invoke-Expression” command.

Powershell 3.png

Figure 3. A deobfuscated PowerShell script

The attacker uses the command “CompileAssemblyFromSource” so that they can compile and execute on-the-fly embedded code which hides itself on the computer. The compiled code will then try to execute “rundll32.exe” in a suspended state, inject malicious code into the newly created process and restart the “rundll32” thread. This method is used to prevent detection on the computer.

The injected code will then try to connect to a remote computer and it then waits to receive a buffer of instructions. The code will subsequently store these instructions with EXECUTE_READWRITE permissions, so that they can be executed in a stealthy way.

The following picture shows how the injected code allocates the memory and receives the instructions that are later executed.

Powershell 4.png

Figure 4. Malicious code injected into rundll32.exe

Symantec customers are currently protected from this attack with the detection Backdoor.Trojan. To avoid being infected, we recommend that customers should use the latest Symantec technologies and update their virus definitions. Users should avoid running unknown PowerShell scripts and should not lower PowerShell’s  default execution settings in order to prevent potential malicious scripts from executing.

25,000 Linux and Unix Servers Compromised in Operation Windigo

Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
  • Perl/Calfbot – a Perl script used to send spam

Lengthy campaigns by malicious attackers have become commonplace. With the appropriate resources, motivation, and desire, attackers can obtain significant rewards for their efforts. While some campaigns focus on targeting specific organizations to identify and exfiltrate sensitive information, the goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads.

Symantec protection

Symantec customers are protected against malware used in Operation Windigo with the following signatures:



More details on ESET’s discovery of Operation Windigo is available on their blog.

Malware Using Fake Certificate to Evade Detection

Contributor: Hiroshi Shinotsuka

Malware authors are always seeking new ways to hone their craft. As cybercriminals are facing a multitude of preventative technologies from Symantec and users are becoming more security conscious, it is becoming increasingly difficult for the bad guys to win.

Recently, during research, we came across an oddly named sample, Word13.exe. Upon first glance, it appears to be a digitally signed file from Adobe.

Fake Certificate 4.jpg

Figure 1. Word13.exe file signed by Adobe

Fake Certificate 1.png

Figure 2. Fake digital signature properties

But upon closer inspection we found something very interesting.

Fake Certificate 2.png

Figure 3. Fake signature and certificate

It’s fake, as the “Issued By” field says "Adobe Systems Incorporated" - Adobe is a VeriSign customer. Also, in the certificate information, we see that the CA Root certificate is not trusted - another dead giveaway.

Fake Certificate 3.png

Figure 4. Legitimate Adobe signature and certificate

Symantec has protection in place and detects this file as Backdoor.Trojan.

Backdoor.Trojan will execute and inject itself into iexplore.exe or notepad.exe and start a back door function.

It may create the following files:

  • %UserProfile%\Application Data\ aobecaps \cap.dll
  • %UserProfile%\Application Data\ aobecaps \mps.dll
  • %UserProfile%\Application Data\ aobecaps \db.dat

It connects to the following command-and-control (C&C) server on port 3337:

  • Icet**** 

This back door may then perform the following actions:

  • Steal user and computer information
  • Create folders
  • Create, download, delete, move, search for, and execute files
  • Capture screenshots
  • Emulate mouse function
  • Steal Skype information

To ensure that you do not become a victim of this threat, please ensure that your antivirus definitions are always up-to-date and that your software packages are also regularly updated. Always double check the URL of the download that is being offered and, if applicable, check the certificate and signature just to be safe.

Fake Antivirus Renewal Email Rises from the Dead

Over the last few years, many reports, white papers, and blogs have been released detailing targeted attacks. For example, some attacks employ sophisticated infection methods, such as watering hole attacks, and some rely on exploit code hidden in document files mixed with social engineering schemes. Some time ago, when the malware world was still dominated by mass-mailing worms that used fake emails as the infection method, one of the schemes was a fraudulent license renewal notification from well-known antivirus vendors.

Some may think that this scheme had become extinct but we saw evidence recently that it is still alive and kicking when an email was sent to an electric power company and a major industrial company in Japan.

Figure 1. Fake antivirus email with a Zip file attached

Inside the attached .zip file there is a file with a .doc.exe extension, which smells fishy. The file name is gibberish as well.

Figure 2. File name of the file found inside the Zip file

Although the file uses an MS Word icon, this file is an executable file and will therefore run regardless of whether MS Word is installed on the computer or not. This file is detected by Symantec as Trojan.Dropper. Once it is executed, it drops a simple back door onto the computer, detected as Backdoor.Trojan, which connects to a command-and-control (C&C) server and awaits commands from the remote attacker.

Interestingly the same “From” address was used to send different fraudulent emails to several airline companies targeting recipients that appear to be Japanese. As the targets are airline companies, the attacker was smart enough to use aviation related information in the email, but the use of the doc.exe tactic remained the same.

Figure 3. File name of the attachment sent to airline companies

This file is also detected as Trojan.Dropper that also drops Backdoor.Trojan, which connects to the same C&C server mentioned previously.

Once the back door is successfully opened, the attacker can take control of the computer and do whatever he or she wants, including stealing information that could be used in subsequent attacks.

While using defense systems against sophisticated attacks has become an absolute necessity, often a simple and old trick is enough to compromise a computer. Basic security practices can often be forgotten when security software is used and this sort of email rarely lands in your inbox. It is important to remember the expression “Disaster strikes when you least expect it.”