August 3, 2010

July 2010 saw the discovery of a large population of Trojan.Stuxnet programs in the wild. These malicious programs take advantage of an alternative autorun mechanism to start from removable media and also make use of digital signatures stolen from popular software developers. It’s also become the norm for malware to use bootkit technologies. Meanwhile, in the face of effective countermeasures, Windows blockers are on the decline, and now criminals are searching for alternatives to paid short messages.

Trojan.Stuxnet gets in through the shortcut loophole

The new malicious program classified by Dr.Web as Trojan.Stuxnet was the summer “blockbuster” that forced anti-virus vendors to mobilize their resources once again. The new Trojan exploits a newly discovered Windows vulnerability and has at its disposal a few novel techniques that allow it to evade Windows defences. It has already proven to pose a real threat; industrial espionage was the first application of Trojan.Stuxnet.1.

The malware installs two drivers into the system. One of them—a file system driver-filter—hides Trojan components on removable media. The second driver injects an encrypted dynamic library into system processes and the programs needed to perform its main task.

Makers of the new Trojan prepared some unpleasant surprises for users. The first one is the aforementioned vulnerability where the malware takes advantage of the flaw in the shortcut handling mechanism of Windows. However, it should be noted that Microsoft responded to the new threat in a timely manner. According to the maker of Windows, 32- and 64-bit versions of Windows beginning with Windows XP and up to Windows 7 and Windows Server 2008 R2 are vulnerable. Criminals can exploit the vulnerability of these MS versions to launch malicious programs on a target machine remotely. In addition, malicious code can be integrated into documents with embedded shortcuts and can be spread by exploiting the vulnerability.

On August 2, 2010, Microsoft issued a critical security update for all affected versions of Windows. If automatic updating is enabled in the system, the update is installed automatically. However, a system must be restarted for changes to take effect.

But the above was not the only surprise; the malicious drivers have digital signatures stolen from developers of legal software. In July, the drivers were fitted with signatures belonging to such companies as Realtek Semiconductor Corporation and JMicron Technology Corporation. Digital signatures allow criminals to install the drivers into the target system in the silent mode.

It’s worth noting that the drivers are not the only things bearing digital signatures; the malicious file that launches from removable media with the exploitation of Windows Shell’s vulnerability also has a digital signature. However, it becomes invalid almost immediately after the Trojan’s initial launch as the embedded counter routine modifies the executable file.

Trojan.Stuxnet.1 quickly attracted copy-cats who exploited the same vulnerability. Such programs are detected by Dr.Web anti-viruses as Exploit.Cpllnk. Within just a few days, these programs ranked at the top of the Top 20 Viruses detected on user machines in July, while Trojan.Stuxnet.1 was the sixth most frequently detected malicious program.

Programs exploiting the vulnerability are found in large numbers in the wild. The trend will probably persist until the security patch is installed on most computers. Doctor Web also promptly added routines for curing the Trojan to its virus database.

Mass use of bootkits

Bootkits are malicious programs that modify the boot sector of a disk, and they are becoming default components of malware. Standard tools for detection of malicious code are unable to reveal if the boot sector has been modified and can only find malicious files on a disk. In such cases, a virus will get into the system again even if it has been cured. The only way to completely neutralize the threat is to restore the boot sector to its original state.

There are few comprehensive anti-virus solutions capable of uncovering boot sector modifications and completely curing the compromised system. In most cases anti-virus developers advise users to solve the problem by means of special utilities. However, a user often doesn’t start searching for another solution since he doesn’t realize that his anti-virus is simply unable to detect that the boot sector of the system disk has been modified.

Trojan.Hashish was among the bootkits that disturbed users in July. In the previous month it had mainly targeted Europeans. The Trojan opened multiple Internet Explorer windows that displayed advertisements even if a different default browser was set in the system. Another perceivable effect of the presence of Trojan.Hashish in the system is the repeated playing of the application launch sound if such a sound is present in the system.

Blockers back off

In July, the blocker epidemics continued on a smaller scale with Doctor Web’s statistics server registering over 280,000 instances of detection of Windows blockers—down from June’s figure of 420,000. The decline is largely the result of the successful implementation of joint countermeasures by users and anti-virus developers, including Doctor Web. As law enforcement agencies and telecom operators cracked down on SMS fraudsters, makers of blockers had to devise other schemes for converting their profit into actual money. They make use of various online payment systems and often provide users with several payment options.

Support requests related to the blocking of social-networking, mail, and search-engine sites increased. By the end of July, the number of these requests exceeded the number of calls related to the blocking of the Windows desktop.

In upcoming months, the number of blockers is expected to shrink even further as payment schemes that don’t involve short messages are now far less effective and law enforcement agencies are paying more attention to the problem. The number of users, who are informed about alternative, free ways to unblock their systems, is also growing steadily.

Other notable species of malware

Various modifications of Trojan.Oficla are being spread over e-mail on a large scale. Messages with attached HTML-files (JS.Redirector) are also being found in mail traffic. Such messages redirect users to advertising and malicious web sites. Increased activity of polymorphic file viruses of the Win32.Sector family has also been registered. Dr.Web has long been known for its ability to cure systems of complex polymorphic viruses. Nonetheless, in June, Doctor Web’s developers optimized routines for better detection of malicious programs of this type. European users are still being plagued by banking Trojans that prompt them to reveal their single-use TAN codes (see the June review for more details) as well as by new variations of fake anti-viruses that inherit the look and feel of their predecessors.

In conclusion, it can be said that anti-virus developers and users didn’t face any insurmountable challenges in July. The prompt release of the security patch by Microsoft will most likely result in a rapid decline in the numbers of shortcut vulnerability exploiters detected by Dr.Web as Exploit.Cpllnk. Since bootkits are now a common feature of malicious programs, anti-virus developers will have to incorporate capabilities for detecting boot-sector modifications into their comprehensive solutions rather than rely on single-purpose utilities. As for blockers and their makers, the figures show that comprehensive countermeasures do yield results

Malicious files detected in mail traffic in July

Malicious files detected on user machines in July