SophosLabs researchers have noticed a significant increase in the spread of malware we call W32/VBNA-X (among other names).
Several other vendors, including McAfee (W32/Autorun.worm.aaeb) and Symantec (W32.ChangeUp), have been alerting their customers as well. While the basic components of this malware have been around for some time, it has become considerably more aggressive in its latest iteration.
W32/VBNA-X is a worm, but also exhibits characteristics typically found in a Trojan. Its most obvious method of spreading appears to be through the use of autorun.inf files dropped on removable media and writable network shares.
You would hope this technique wouldn't be too effective on today's PCs, though. Microsoft released updates for XP, 2003 and Vista in February 2011 to disable Autorun on all media aside from "shiny discs."
It is still not a bad idea to disable Autorun/Autoplay more completely, which is quite easy to do according to Microsoft's instructions, which include a "FixIt."
Most PCs will ignore autorun.inf files these days, so people must be clicking on the malware itself, but why?
It appears to be a cocktail of clever social engineering, poor default settings and user carelessness.
After creating the autorun.inf file for the unpatched victims, it begins to enumerate all of the file and folder names on writable shares and removable devices.
For example, say your E: drive is a network share with folders named au and r and files named as.txt and Adobe.pdf.
It will set all of these to have the hidden attribute and set a registry key to ensure hidden files are not displayed.
Then it will create copies of itself called Porn.exe, Sexy.exe, Passwords.exe and Secret.exe in addition to creating a copy of itself for each legitimate file and folder present on the volume.
The duplicates of the original folders and files will have their icons set to the standard folder icon in Windows 7.
In this screenshot you can see the original folders at the top showing their Windows XP icons and the cloned/Trojaned ones with the Windows 7 icons lower down.
The malware appears to assume that you are not showing extensions, which is the default in all releases of Windows.
I can easily see how people browsing file shares and USB drives could accidentally click the wrong folder, especially if the real folders are set to hidden.
If we show extensions and view all hidden files we see a very different picture.
In addition to the original files and their impostors there are also files called ..exe and ...exe. The malware is also known to write a zero byte file called x.mpeg, although it did not do so in this test instance.
The malware copies itself to the user's profile using a random file name and adds a registry key to start the malware on boot.
Some variants are known to disable Windows Update to prevent the victim from receiving a patch or updated instructions that may disable it.
30582368427f752b7b6da4485db456de915101b2SHA1 for Porn.exe
7ff75f92c5461cc221cb3ab914592bd2a5db6e15SHA1 for Sexy.exe
d71a89c085ffbb62f4e222fb2f42d7e2271e4642SHA1 of all the rest
Registry keys created:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%random% %UserProfile%\%random% /%randomletter%- For persistence
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ NoAutoUpdate = 1- To disable updates
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ShowSuperHidden = 0- To ensure hidden items stay hidden
You're infected, now what happens?
These samples follow the standard operating procedure for modern malware. Once loaded W32/VBNA-X contacts a command and control (C&C) server to receive instructions for further payloads to download.
The malware attempts to contact the C&Cs on port 9003 using HTTP, although McAfee has reported seeing samples connecting to port 9004 as well.
Many of the DNS names are hosted in the ddns#.eu domain space, but the entire list is quite extensive. Administrators who wish to monitor for infections may wish to monitor their firewall logs for connections to ports 900[0-9].
Once the C&C server is contacted a command and URL is passed back to the malware instructing it to download a payload named google.exe which is placed in the users profile directory.
The instances we investigated downloaded banking Trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location.
Aside from keeping your anti-virus up to date there are several things you can do and can watch for.
- Ensure Autorun is totally disabled on all Windows operating systems.
- Make sure your standard Windows images and group policies are configured to show file extensions and hidden files.
- Restrict write permissions to file shares to allow access only where absolutely necessary
- Block all outbound connections to unknown ports and services on your gateway and client firewalls.
- Ensure behavioral detection technologies are enabled in your anti-virus product to detect addition of malware persistence schemes and tampering with updating and anti-virus settings.
* W32/VBNA-X: Specific detection for this worm (variants include W32/VBNA-U, W32/VBNA-Z, W32-VBNA-AA and W32/VBNA-AB)
* Mal/SillyFDC-Z Generic worm detections for Autorun.inf files (variants include Mal/Autorun-AX, W32/SillyFDC-IP and W32/AutoInf-DI)
* Troj/Tepfer-E Trojan payloads detected in relation to this malware (variants include Troj/VB-GFM, W32/SillyFDC-IP and Mal/SillyFDC-Z)
* HIPS/RegMod-009 Proactive detection and prevention for registry modifications and persistence
* Customers using Sophos web protection will be prevented from accessing domains known to be involved with this malware
I would like to extend a special thank you to the entire SophosLabs Vancouver team and especially Mike Wood, Peter Szabo and Savio Lau for spending so much extra time to share these details with our readers.
Malware skull image from Shutterstock.