ESET Threat Blog

Archive for December, 2007

More Nuwar for the New Year


Monday, December 31st, 2007

The gang behind the Nuwar threat (also called Storm Worm or Zhelatin) has been very active during the holidays. They have been sending numerous waves of spam in an attempt to infect as many users as possible. The gang is taking advantage of the fact that many researchers are taking some time off and might be slower to react during this period of the year. They might also catch users off guard, since the holidays are the period of the year when many people exchange electronic greeting cards.

The latest spam run uses a list of topics related to the New Year. Once again, the objective is to convince users to open a web link and download a malicious file. This time, the web page displayed to the user does not contain any embedded exploits. It is a very basic text page inviting the user to download and execute a file. The files can have various names, including happy2008.exe, happynewyear2008.exe, happy-2008.exe, and so on.

Nuwar’s authors are putting a lot of effort into modifying their program in an attempt to evade antivirus detection when they launch a spam run. To do so, they change the packer of the malware very quickly. The threat still uses rootkit techniques to hide its presence after infection. The latest variants we have analyzed create a driver and a configuration file and copy their executable into the windows\system32 folder. All three file names start with “kirjtkkd” and have some random characters appended to them.

The objective behind Nuwar’s operation seems to be the construction of a strong and reliable network of infected hosts. The controllers of this botnet are making huge sums of money by using the infected computers to send spam and even to install other malware. As we have stated before, the creators and controllers of Nuwar have not invented anything new in the field of malware. Their strength is that they use every tool they have in a very effective and coordinated way. One of the advantages malware authors enjoy is time, as we have seen with Nuwar. They can remain quiet for weeks preparing their next operation and start their attack when their adversaries least expect it.

Pierre-Marc Bureau

Researcher

Beware of Imposters


Friday, December 28th, 2007

There seems to be a common belief that malware only lands on a computer through e-mail. This is far from being the case. Our ThreatSense statistics show that a lot of Internet users fall for social engineering on web pages and are tricked into installing fake programs. As David Harley pointed out on his blog (http://blogs.securiteam.com/index.php/archives/1029), convincing users to download and run a program is a more effective way of infecting systems than any software vulnerability.

One of the most common deception techniques used by malware authors is to create websites with interesting content, for example spicy videos, that will get indexed by search engines. The catch is that to view the video, visitors need to install a codec. The word codec comes from code/decode: it is a device (hardware or software) used to encode data to reduce its size, making it easier to transfer over a network. We have seen numerous web pages like the screenshot below offering fake codecs. Most of the files downloaded from these malicious pages are variants of the Zlob malware family and should be avoided at all costs.

Other common imposters we observe are fake antivirus, antispyware and anti-adware programs. For example, users who mistype an Australian domain name and add a double extension (.com.au.com) will be redirected to a warning message urging them to download an antispyware program. The following screenshot shows an example of the warning message that is displayed.

The downloaded file will not necessarily be malicious, but we strongly recommend verifying a company’s credentials and certifications before downloading and installing one of its programs.

Pierre-Marc Bureau

Researcher

New Nuwar for Christmas


Monday, December 24th, 2007

At midnight GMT, we started receiving reports of a new wave of Nuwar e-mails. The e-mails contain the following text, which tries to convince the user to visit a malicious website:

This Christmas, we want to show you something you will really enjoy.

This might not be fun for the whole family, but I bet you’ll like it come one take 2 min and check it out.

http://<malicious website address>/

The advertised website uses software exploits to infect visitors. It also offers visitors a strip show application where “Each one does her best to make you really feel the Holiday Spirit!”

This new variant of Nuwar copies itself to the Windows directory under the name disnisa.exe and creates a registry key to launch the executable every time the system boots. This threat still uses a peer-to-peer network protocol to establish communication between infected computers and their controller.
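The host artifacts named in this post and in the New Year post above (the “kirjtkkd” file triplet in system32, disnisa.exe in the Windows directory, and an autostart entry for it) can be turned into a simple triage check. The following is an added example, not code from ESET or from the posts; it assumes the autostart entry lives in the standard Run key (the post only says “a registry key”) and runs on constructed sample data rather than a live system.

```python
# Host indicators stated in the two posts: the New Year variant drops three
# files in windows\system32 whose names start with "kirjtkkd" plus random
# characters, and the Christmas variant copies itself to the Windows
# directory as disnisa.exe and registers it to start at boot.
NUWAR_SYSTEM32_PREFIX = "kirjtkkd"
NUWAR_WINDOWS_NAME = "disnisa.exe"

def _basename(command):
    """Lower-cased file name launched by a registry Run command string."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]   # quoted path, arguments follow
    else:
        exe = command.split(None, 1)[0]      # unquoted path is the first token
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_nuwar_files(system32_names, windows_names):
    """Flag file names matching the two naming indicators above."""
    hits = [n for n in system32_names if n.lower().startswith(NUWAR_SYSTEM32_PREFIX)]
    hits += [n for n in windows_names if n.lower() == NUWAR_WINDOWS_NAME]
    return hits

def find_nuwar_autostarts(run_values, flagged_names):
    """Flag Run-key values (value name -> command) that launch a flagged file.
    The posts only say "a registry key" is created; the standard
    HKLM\\...\\CurrentVersion\\Run key is assumed here."""
    wanted = {n.lower() for n in flagged_names}
    return {name: cmd for name, cmd in run_values.items() if _basename(cmd) in wanted}

# Constructed sample data (not from a real infection) to exercise the checks.
SAMPLE_SYSTEM32 = ["kernel32.dll", "kirjtkkdaxq.sys", "kirjtkkdaxq.exe",
                   "kirjtkkdq7.dat", "ntoskrnl.exe"]
SAMPLE_WINDOWS = ["explorer.exe", "disnisa.exe", "notepad.exe"]
SAMPLE_RUN = {
    "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "disnisa": '"C:\\WINDOWS\\disnisa.exe"',
    "kirjtkkd": "C:\\WINDOWS\\system32\\kirjtkkdaxq.exe /s",
}

def triage(system32_names=SAMPLE_SYSTEM32, windows_names=SAMPLE_WINDOWS,
           run_values=SAMPLE_RUN):
    """Run both checks and return {"files": [...], "autostarts": {...}}."""
    files = find_nuwar_files(system32_names, windows_names)
    return {"files": files, "autostarts": find_nuwar_autostarts(run_values, files)}

if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On a real machine, feed it the directory listings of system32 and the Windows directory plus the Run key values; a file hit without a matching autostart (or vice versa) is still worth a look, since the packer and names change between spam runs.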

Pierre-Marc Bureau

Researcher

Auto-Infect


Tuesday, December 18th, 2007

PLEEEEASE Infect me

This is what Windows says when you install it. You see, there is a default setting called “autorun” that automatically runs a program when you insert a CD, DVD or thumb drive into your computer. The idea is that you put the media in to run a program, so Windows may as well make it easy for you. The bad guys like this approach because it means they can put a malicious file on a CD, DVD or thumb drive, and all you have to do to infect your computer is insert it.

How bad is autorun? Steve Riley is a genuine security expert at Microsoft. You can see what he has to say about it here: http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx

At ESET, Trojans that use autorun to infect computers have been among the most prevalent threats we have seen for several months now.

Yes, autorun is convenient, but it is a bit like making a car start moving forward automatically every time you put on your seatbelt. You will run into a lot of things in front of you!

Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims.
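The program Windows runs on insertion is named in an autorun.inf file on the media, so a second line of defence besides disabling autorun is to inspect that file before trusting a disc or thumb drive. The following is an added example, not code from the post: a small parser for autorun.inf that lists which entries would launch an executable; the set of file types it treats as executable and the sample autorun.inf are assumptions constructed for the example.

```python
# File types Windows will run when named in an autorun.inf launch entry
# (list assumed for this example, not taken from the post).
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_entries(sections):
    """(key, command) pairs under [autorun] that launch a program:
    open=, shellexecute=, and any shell\\<verb>\\command= entry."""
    auto = sections.get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def launched_program(command):
    """Program path from a command string, honouring a quoted path."""
    command = command.strip()
    return command[1:].split('"', 1)[0] if command.startswith('"') else command.split(None, 1)[0]

def suspicious_launches(text):
    """Launch entries whose target is an executable file type, i.e. what
    merely inserting the media would run with autorun enabled."""
    found = []
    for key, cmd in launch_entries(parse_autorun_inf(text)):
        prog = launched_program(cmd)
        ext = ("." + prog.rsplit(".", 1)[-1].lower()) if "." in prog else ""
        if ext in EXEC_EXT:
            found.append((key, prog))
    return found

# Constructed sample autorun.inf (not a real one) for the check to run on.
SAMPLE_INF = r"""[autorun]
open=setup.exe
icon=setup.exe,0
shell\explore\command="hidden\tool.exe" /q
label=Holiday Photos
"""
```

Note that icon= and label= are reported as harmless while the shell\explore\command entry is flagged even though it hides behind the normal “Explore” menu verb.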