Friday, November 1, 2013

Malware spreading via Skype


Malware spreads via Skype. Just sends the file to all your contacts, nothing more, nothing less. (no message to invite you to check out "photos", no call, ...)


### Analysis ###

Known MD5's:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295


Callback to IP's:
88.150.177.162

Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc

Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets Proxy:
Yes


Type of malware: Caphaw - Banking malware


Technical details ~~

Meta-data
================================================================================
File:    /home/remnux/samples/invoice_171658.pdf.exe_
Size:    360448 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     293cc1f379c4fc81a7584c40f7c82410
SHA1:    7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep:  3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:    0x52739069 [Fri Nov  1 11:28:41 2013 UTC]
EP:      0x401270 .text 0/4
CRC:     Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_CURSOR          0x532b0  0x134    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x536c0  0x1eec   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x555b0  0x4e8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x55a98  0x128    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x55bc0  0xea8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x56a68  0x568    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x56fd0  0x10a8   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x58078  0x468    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR    0x533e8  0x14     LANG_RUSSIAN SUBLANG_RUSSIAN          Lotus 1-2-3
RT_GROUP_ICON      0x584e0  0x4c     LANG_RUSSIAN SUBLANG_RUSSIAN          MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION         0x53400  0x2c0    LANG_RUSSIAN SUBLANG_RUSSIAN          data

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy    
--------------------------------------------------------------------------------
.text      0x1000       0xee6        0x1000       5.764246   
.rdata     0x2000       0x49ce2      0x4a000      5.440947   
.data      0x4c000      0x619c       0x6000       0.012147    [SUSPICIOUS]
.rsrc      0x53000      0x5530       0x6000       3.693765   

Version info
================================================================================
LegalCopyright: gex Copright   ls soft
InternalName:  jex  MUWEfess dlle
FileVersion: 13, 13, 201, 1241
ProductName:  jox  Weaex Apps
ProductVersion: 13, 13, 21, 153
FileDescription:  jex dllx
OriginalFilename: lexlse.exe
Translation: 0x0419 0x04b0

~~


### Prevention ###

* Check your Skype settings. Only allow contacts to send you messages/files & contact you
* Don't download and run unknown files, especially PE(2) files


### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction

* When in doubt, seek advise on a professional malware removal forum(4)




### Conclusion ###

* Follow above prevention tips
* Use common sense & do not click on or run anything you encounter
* When in doubt, check the file on VirusTotal for example





# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs

4 comments: