First Widespread Virus Cross-infection

After being in oblivion for a while, the Xpiro family of file infectors is back with a bang—and this time with some notorious capabilities. Not only does the new variant infect 32-bit files, it has also broadened its scope of infection to 64-bit files. The infections are cross-platform (a 32-bit Xpiro variant can infect a 64-bit executable file, and vice versa) and persistent in nature. Additionally, the virus has enhanced its information-stealing capabilities by adding Firefox and Chrome extensions that monitor browser sessions.
 
Cross-infection and persistence
While we have seen cross-infectors in the past, Xpiro is the first widespread family of infectors which implements this feature. This new variant can infect executable files from the following architectures:
  • Intel 386 (32-bit)
  • Intel 64 (64-bit)*
  • AMD64 (64-bit)
The creators of Xpiro are looking to infect a larger number of computers, and the introduction of this cross-infecting capability, combined with persistence, shows they are leaving no stone unturned.
 
Traditionally, file infectors spread by infecting other executables without caring about persistence. This variant uses an astute technique to achieve both. First, it enumerates all Win32 services and attempts to infect the service binaries. It then follows all the shortcut files (.lnk) in the user’s Desktop and Start Menu folders and infects their target files. It chooses these files because they have the highest probability of being run by the system or the user when the computer starts, so the infection survives successive reboots. Finally, it infects all executables on drives C to Z that are fixed, removable, or mapped.
 
*Intel 64 files are also infected by the new variant, but a bug in the infector’s code leaves those files corrupted. Symantec detects and repairs such files to their correct state.
 
Enhanced information stealing
The ultimate goal of Xpiro has always been to steal information from the infected host. That goal remains the same, but the theft is stealthier now. When an Xpiro infector runs on a computer, it now also installs a Firefox or Chrome extension in addition to infecting executable files. The Firefox extension is hidden, while the Chrome extension is named “Google Chrome 1.0” so that it passes as a clean extension and masks its presence. The Firefox extension, for instance, can perform the following actions:
  • Hide extension presence
  • Lower browser security
  • Spy on user Internet activity
  • Steal logs
  • Redirect browser to predefined URLs
After installation, the next time Firefox is opened it indicates that a new add-on has been installed, but the extension cannot be found in the extension list.
 
Figure 1. Extension list before infection
 
Figure 2. Extension list after infection
 
The Xpiro extension hides itself from the extension list, so the same number of extensions is shown before and after infection. It also lowers browser security by modifying the browser configuration.
 
Figure 3. Reduced browser security
 
When a user tries to update the browser or its extensions, the updates never take place because Xpiro replaces the update URL with 127.0.0.1, the loopback address. Xpiro does this to avoid any change in configuration that might expose it as malware.
 
Figure 4. Xpiro-disabled update
 
The hidden extension disables many of the security warnings the browser normally shows to the user. It also disables some Safe Browsing features which would otherwise provide phishing protection when enabled.
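One defensive check the two paragraphs above suggest, added here as an illustration and not code from the original post: a small Python audit of a Firefox prefs.js that flags update URLs pointed at the loopback address and Safe Browsing preferences switched off. The sample prefs.js is constructed; the pref names are real Firefox preferences, but the assumption that these are the exact prefs Xpiro modifies is mine.

```python
import re

# Constructed sample of a Firefox prefs.js showing the tampering described in
# the post: update URLs pointed at loopback and Safe Browsing switched off.
# The pref names are real Firefox preferences; that these exact prefs are the
# ones Xpiro modifies is an assumption made for this example.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("app.update.url", "http://127.0.0.1/update.xml");
user_pref("extensions.update.url", "http://127.0.0.1/extensions.xml");
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
'''

# One user_pref("name", value); statement per line.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)
# Loopback destinations: 127.x.x.x or localhost, with an optional port.
LOOPBACK_RE = re.compile(r'^https?://(127\.\d+\.\d+\.\d+|localhost)(:\d+)?(/|$)', re.I)
# Safe Browsing prefs that are true on an untampered profile.
EXPECTED_TRUE = ("browser.safebrowsing.enabled",
                 "browser.safebrowsing.malware.enabled")

def parse_prefs(text):
    """Parse prefs.js text into {name: str | bool}; other values stay raw text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw  # integers etc. kept as raw text
    return prefs

def audit_prefs(prefs):
    """Return (pref, value, reason) findings for the tampering described above."""
    findings = []
    for name, value in prefs.items():
        if name.endswith("update.url") and isinstance(value, str) \
                and LOOPBACK_RE.match(value):
            findings.append((name, value, "update URL points at loopback; updates silently disabled"))
    for name in EXPECTED_TRUE:
        if prefs.get(name) is False:
            findings.append((name, False, "Safe Browsing protection disabled"))
    return findings

if __name__ == "__main__":
    for finding in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(" | ".join(map(str, finding)))
```

Run it against the prefs.js in a real profile directory in place of SAMPLE_PREFS; an empty result means none of the checked prefs look tampered with.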
 
Xpiro monitors all HTTP activity in the browser and uploads it to a remote server. It then downloads the following lists from predefined servers:
  • Target URLs
  • Redirection URLs
When a user browses to one of the target URLs on the list, the extension redirects the browser to the corresponding URL from the redirection list. The redirected URL could be an advertising page or a page that downloads more malware.
 
The Xpiro attackers have upgraded the threat’s functionality to be persistent, stealthier, and most importantly to cross-infect executable files on multiple platforms. Other infector families may be expected to follow suit and add sophisticated functionality to their arsenal in order to be more potent and viable across different platforms. Symantec, however, is committed to protecting your data and information against such advanced threats. Symantec detects this new variant of the Xpiro family as W32.Xpiro.D and W64.Xpiro and also repairs damaged files. Symantec customers are advised to keep their virus definitions up to date.
 

New Internet Explorer 8 Zero-Day Used in Watering Hole Attack

Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected. Initial reports indicate that a website associated with a department of the US government was compromised to host the exploit in what’s known as a watering hole attack. Upon visiting the site, a vulnerable victim would have been redirected to download a back door as the payload. Symantec products detect the exploit code on the vulnerable site as Trojan.Malscript, Bloodhound.Exploit.494, or Bloodhound.Exploit.495 and the back door as Backdoor.Darkmoon.

In the Microsoft advisory this vulnerability has been assigned CVE-2013-1347. From analysis, it appears to be nearly identical to a previously discovered vulnerability, CVE-2012-4792, which was patched by Microsoft in MS13-008 in January 2013. Further details and analysis will be provided as they become available.

Symantec customers are protected from the payload with updates from May 1, 2013. We are also investigating the possibility of further protections for these vulnerabilities and will provide updates when available. We advise users to apply any patches as soon as Microsoft makes them available. Microsoft has also provided workarounds to mitigate the risk associated with the vulnerability.

We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named The Elderwood Project, which we published in September 2012.

Update – May 6, 2013

Symantec also has the following intrusion prevention system (IPS) signatures in place to block attacks that exploit this vulnerability:

New Internet Explorer Zero-Day Used In Watering Hole Attack

 

We have received multiple reports of a new Internet Explorer zero-day vulnerability being exploited in the wild. Initial reports indicate that the website used in these attacks belongs to a U.S.-based think-tank organization. The site is believed to have been compromised and used to serve the zero-day exploit as part of a watering hole style attack as far back as December 21st.
 
A Flash file named today.swf was used to trigger the vulnerability in Internet Explorer. The Flash file is detected as Trojan.Swifi, and protection has been in place for our customers since December 21st. Further details and analysis will be provided soon.
 
We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named The Elderwood Project, which we published in September 2012.