Runtime HIPS stops Virtum infections

Virtum (aka Virtumonde, Virtumondo) is one of the most prevalent malware families we have seen in recent times. Barely a week goes by without seeing more samples of the damn thing. They are constantly changing, making detection difficult and they are a pain to remove from infected systems.

However, whilst developing new HIPS runtime behaviour rules to coincide with the release of SAV 7.6.0 I noticed alerts of <System>\winlogon.exe triggering the HIPS/RegMod-011 rule. Our SophosLabs testing rig for HIPS is configured so that Alert Only is turned off, meaning all detected behaviour is blocked. Due to this configuration, the alert was appearing over and over again, several times per second…this doesn’t look good, but more importantly it doesn’t look normal!

We test HIPS against new undetected malware that we receive each day, and upon further investigation I found that the files triggering this HIPS behaviour were actually undetected Virtum droppers which have injected their malicious code into the running winlogon process. The behaviour being blocked was Virtum trying to modify the registry so that its dropped DLL component would be loaded each time the system booted up.

Without this registry entry being successfully written, Virtum would not be loaded again after the computer was next switched off and on, which is why it was trying over and over to set it (with HIPS runtime behaviour analysis consistently blocking it). However, with HIPS set to the Alert Only configuration it would succeed on the first try, triggering just one SAV alert of this behaviour against winlogon. Some users may mistakenly assume this to be an unwanted detection and will therefore ignore it.
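The triage logic that observation suggests, as an added example that is not Sophos code: repeated blocked alerts from the same system process within a second point to injected code retrying its persistence write, while a single alert against a system process (as happens in Alert Only mode) still deserves investigation rather than dismissal. The log layout, the sample lines and the system-process watch-list are constructed assumptions, not the real SAV log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed alert lines: "timestamp process rule action" (not the real Sophos format).
SAMPLE_LOG = """\
2008-03-10T09:15:01.100 winlogon.exe HIPS/RegMod-011 blocked
2008-03-10T09:15:01.350 winlogon.exe HIPS/RegMod-011 blocked
2008-03-10T09:15:01.600 winlogon.exe HIPS/RegMod-011 blocked
2008-03-10T09:15:01.900 winlogon.exe HIPS/RegMod-011 blocked
2008-03-10T09:15:02.200 winlogon.exe HIPS/RegMod-011 blocked
2008-03-10T09:30:00.000 setup.exe HIPS/FileMod-006 blocked
2008-03-10T10:02:17.000 explorer.exe HIPS/RegMod-011 alerted
"""

# Constructed watch-list of processes whose alerts should never be waved through.
SYSTEM_PROCESSES = {"winlogon.exe", "explorer.exe", "svchost.exe"}

def parse_alerts(text):
    """Turn log lines into (timestamp, process, rule, action) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, rule, action = line.split()
        alerts.append((datetime.fromisoformat(ts), proc.lower(), rule, action))
    return alerts

def find_retry_bursts(alerts, window_s=1.0, min_count=3):
    """Per (process, rule), the largest number of alerts falling inside any window_s span,
    reported only when it reaches min_count (a blocked action being retried in a loop)."""
    by_key = defaultdict(list)
    for ts, proc, rule, _action in alerts:
        by_key[(proc, rule)].append(ts)
    bursts = {}
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_count:
                bursts[key] = max(bursts.get(key, 0), j - i + 1)
    return bursts

def triage(alerts, window_s=1.0, min_count=3):
    """One verdict per (process, rule) pair: retry burst, system-process alert, or plain review."""
    bursts = find_retry_bursts(alerts, window_s, min_count)
    verdicts = {}
    for _ts, proc, rule, _action in alerts:
        key = (proc, rule)
        if key in bursts:
            verdicts[key] = "retry burst: blocked persistence attempt, process likely hosts injected code"
        elif proc in SYSTEM_PROCESSES:
            verdicts[key] = "single alert from system process: investigate, do not dismiss"
        else:
            verdicts[key] = "single alert: check the rule description before deciding"
    return verdicts
```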

It’s essential that users investigate all HIPS runtime behaviour alerts before coming to any decision about their validity. Just because an otherwise clean file is detected, it does not mean that the file has not been compromised in some way and is not wreaking havoc on the computer. Users should identify the behaviour being reported by consulting the Sophos web site and at least consider whether that behaviour is likely to be normal for the detected component.

But there’s more…

A new rule I developed as part of the SAV 7.6.0 release has also been seen to detect Virtum samples, this time at the point where the malicious DLL is dropped onto the system. HIPS/FileMod-006 detects this behaviour and terminates the offending Virtum process before it performs any further functions.

With HIPS runtime behaviour analysis successfully detecting and preventing Virtum infections in this way, it is hoped that we will see more samples sent in from customers that will help us to further develop our existing protection against this threat, whilst at the same time preventing customer infections.