BitDefender weekly review

Trojan.Downloader.JS.NN
Yet another JavaScript that is used to exploit one of the Adobe Reader and Acrobat code execution vulnerabilities described in detail here: CVE-2008-2992. If the malicious PDF file is executed, the JavaScript inside it will do the following:
– decrypt
its encrypted body (first phase), responsible for injecting the shell-code at a specific address into the attacked process.
– Place
several NOP (No Operation) instructions at the begging of that code to make sure execution of the shell-code starts at the beginning.
The shell-code (~450 B) will first decrypt the rest of the code (second phase), make sure certain API functions are available to it, then attempt a download for an executable file located at http://netcorb[removed]/load.php which will be saved under the current folder with the name “~.exe”. If the download is successful, the script will launch the executable.
Trojan.Dropper.Cutwail.AT
This Trojan is a versions of the Cutwail (Pushdo/Pandex) Trojan that forms the second largest spam BotNet on the planet – sending proximately 7.7 billion emails per day.
When first executed, the main installer (which is actually nothing but a downloader) unpacks itself in memory. It then makes a copy of the original *.exe into %userprofile%%username%.exe
and registers it to start at every system startup, then deletes the original file.
In order to protect itself, it will continuously launch, do its job, then exit. This makes it almost impossible to kill because of the rapidly changing process identifier.
Its main purpose is to download the other two components of the Trojan: the rootkit dropper and the spammer.
If successful, it will execute the rootkit first, which was saved in %temp% under the name BN[number].tmp. This file will drop a driver inside %windir%system32drivers[name].sys where name can be any of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.
Regardless of the file name, the driver creates a symbolic link to the file which is “ndis_ver2”. If the driver is already present it will update it to the latest version.
After this process, the *.tmp file will be deleted.
The driver contains another copy of the original downloader and will inject it into services.exe from kernel mode, to make removal even harder.
After the driver has been launched, the spammer component follows. It will be injected by the downloader into svchost.exe, which trnasforms the system into a spam-bot, sending hundreds of unwanted emails per day.
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Balazs Biro
tags
Author
Right now
Top posts
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns
January 19, 2023
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps
November 29, 2022
How to monitor your online privacy during your Thanksgiving trip
November 22, 2022
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info
November 16, 2022
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be
November 14, 2022