As part of our investigation into The Command Structure of the Aurora Botnet, I took a deep look into two malware families that, based on the CnC data we have, are related to Operation Aurora. Both fall under the Fake AV / Scareware family of malware. They are Fake AV / Login Software 2009 and Fake Microsoft Antispyware Services.
I will summarize the deployment of these families below. For the full details of the analysis and how they relate to Operation Aurora, please read our full report on The Command Structure of the Aurora Botnet: History, Patterns, and Findings.
Fake AV: Login Software 2009 Family
This set of malware is propagated through Fake Malware Alerts. The supposed AV installer is the actual malware dropper. Its main purpose is to drop and install the rest of the malware components. Upon execution, the dropper assigns a specific ID to the compromised host. It then registers the host with its malware server website and downloads the rest of the malware to the compromised host.
To ensure that the malware is downloaded, the creator of this malware dropper uses redundancy in its malware serving web infrastructure. The dropper checks three different malware serving websites.
After the successful download of the main component, the main dropper generates a random name and copies the downloaded component to the "C:\Documents and Settings\<User>\Local Settings" folder. The component calls itself Login Software 2009. The dropped file is then executed to make it active in memory. To survive reboot, it uses the most common autostart method, the registry entry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The rest of the components are also downloaded and executed so that they become active. They are placed in the same folder as the first dropped file. These components are exact copies of each other, with names designed to fool unsuspecting users into thinking they are Windows executables or legitimate third-party software.
These components are hidden from the user by hiding the folder where they are dropped and also setting the attributes of the dropped files themselves to hidden. To survive reboot, these components are also set to autostart using the same technique as the main dropped file.
A DLL file is also dropped in “C:\Windows\System32” with a random filename. Aside from registering (regsvr32.exe) the dropped DLL file for it to be active, the malware dropper also modifies the registry to set it up as a Browser Helper Object (BHO). It also sets up the DLL to autostart every boot up by using SharedTaskScheduler.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
This paves the way for tracking cookies to be downloaded so that ads can be served to the compromised host. Note that this DLL, unlike the other components, is not hidden.
After setting up all the dropped files, the main dropper sets the stage to protect the dropped files by manipulating the settings of Windows Explorer and Internet Explorer. See Protection Mechanism section for more details.
Once all of this "malware installation" is done, the main dropper runs a batch file that unloads the dropper from memory and deletes both the dropper and the batch file.
The installed malware set is now fully active and actively attempting to communicate with its CnC.
Figure 1: Memory string dump shows the C&C the EXE component is reaching out to
Fake Microsoft Antispyware Services
This set of malware is also propagated through Fake Malware Alerts. The supposed AV installer is the actual malware dropper. Its main purpose is to drop and install the rest of the malware components. It basically drops and installs three components:
- EXE Component – This is the one that poses as Microsoft Antispyware Services
- VXD Component – It downloads and installs ntconf32.vxd, ntsys32.vxd, msimsg32.vxd
- SYS Component – It downloads and installs msconfig32.sys
Once the dropper is executed, it can easily bypass UAC, since the user, who was led to believe the installation is an AV product, grants it explicit permission. The first thing the dropper does is connect to its malware server domain to download its components. Unfortunately, as of this writing, the malware server domains are already down, so no detailed analysis of the other components was done.
The only component on hand is the EXE component.
But if we go just by the names of the files it downloads, below are some associations of those files with known malware activity:
- VXD Components – These filenames are often related to malware families that have keylogging and spyware behavior. They are also found in some IRC bots.
- SYS Component – This is related to the publicly known and notoriously popular Aurora variant tied to the Google attack.
Concentrating the analysis on the EXE component: it disguises itself as Microsoft Antispyware Services and sets itself to run on startup using the tried and true method of the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Because of the absence of some key files, the main functionality of this malware family cannot be fully analyzed, but everything points to one goal: stealing information.
Figure 2: Attempting to connect to Amazon EC2
Figure 3: Memory string dump shows the C&C the EXE component is reaching out to
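Both families above persist through the same small set of registry locations: the HKCU and HKLM Run keys, and, for the Login Software 2009 DLL, a Browser Helper Object registration combined with SharedTaskScheduler. The script below is an added example, not tooling from the post or from Damballa. It parses a registry export in .reg text format offline and reports every entry in those locations, resolving CLSIDs to the DLL registered under InProcServer32. Two heuristics are assumptions drawn from the write-up: a Run target living under a user profile's "Local Settings" folder is rated high, and one CLSID registered as both a BHO and a SharedTaskScheduler entry is rated high. The sample export, its CLSID and its file names are constructed for the example and are not indicators from either family.

```python
"""Offline triage of the autostart registry locations named in the post.

Added example (not the post's or Damballa's code). Parses a .reg text export
(SAMPLE_REG below is constructed, not a real infection artifact) and reports
Run entries, SharedTaskScheduler entries and Browser Helper Objects, resolving
each CLSID to its InProcServer32 DLL. Risk heuristics are assumptions drawn
from the post's description of the two families.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Autostart locations named in the post; registry paths are matched case-insensitively.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "Run (HKCU)",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Run (HKLM)",
}
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# An export may carry the CLSID registration under either root.
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")
# Per-user drop locations (assumption: the post names "Local Settings"; the others are common siblings).
USER_WRITABLE_HINTS = ("\\local settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    location: str  # autostart mechanism
    name: str      # value name or CLSID
    target: str    # resolved EXE/DLL path, "" if not in the export
    risk: str      # "high", "review" or "info"


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: data}}; the default value has name ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # keeps keys that have no values (e.g. a bare BHO subkey)
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types are kept raw
            keys[current][name] = data
    return keys


def _lookup(keys: dict, path: str):
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    wanted = path.lower()
    for k, v in keys.items():
        if k.lower() == wanted:
            return v
    return None


def resolve_clsid(keys: dict, clsid: str) -> str:
    """Return the InProcServer32 default value for a CLSID, or '' if it is not in the export."""
    for root in CLSID_ROOTS:
        values = _lookup(keys, f"{root}\\{clsid}\\InProcServer32")
        if values is not None:
            return values.get("", "")
    return ""


def triage_autostart(keys: dict) -> list:
    findings = []
    # Run keys: a target under the user profile's temporary folders matches the dropper's layout.
    for path, label in RUN_KEYS.items():
        for name, target in (_lookup(keys, path) or {}).items():
            writable = any(h in target.lower() for h in USER_WRITABLE_HINTS)
            findings.append(Finding(label, name, target, "high" if writable else "info"))
    # SharedTaskScheduler value names are CLSIDs that Explorer loads at logon.
    sts = {c.lower() for c in (_lookup(keys, STS_KEY) or {})}
    # Each BHO subkey name is a CLSID that Internet Explorer loads.
    bho = {p[len(BHO_KEY) + 1:].split("\\")[0].lower() for p in keys
           if p.lower().startswith(BHO_KEY.lower() + "\\")}
    for clsid in sorted(sts | bho):
        both = clsid in sts and clsid in bho
        where = "SharedTaskScheduler+BHO" if both else ("SharedTaskScheduler" if clsid in sts else "BHO")
        findings.append(Finding(where, clsid, resolve_clsid(keys, clsid), "high" if both else "review"))
    return findings


# Constructed sample export: the CLSID, file names and user name are invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Login Software 2009"="C:\\Documents and Settings\\alice\\Local Settings\\ab3kq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AAAAAAAA-1111-2222-3333-444444444444}"="Browser Enhancer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\WINDOWS\\system32\\qpzmw.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for f in triage_autostart(parse_reg(SAMPLE_REG)):
        print(f"[{f.risk:6}] {f.location}: {f.name} -> {f.target or '(unresolved)'}")
```

Run against a real export (`reg export HKLM hklm.reg` and the HKCU equivalent, concatenated) by swapping `SAMPLE_REG` for the file contents. The CLSID correlation is the useful part: a Run entry in a profile folder is easy to spot by eye, but a DLL in System32 that is both a BHO and a SharedTaskScheduler item only stands out once the two keys are joined on the CLSID, which is exactly the pairing the post describes for the dropped DLL.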
The Allure of Fake AV Websites
The bad guys find Fake AV websites effective and have used them extensively. The prevalence of this vector earned it a separate name: Scareware. What makes it effective is the believability of the Fake AV website. It also appeals to the fear of uneducated users. The bad guys leverage this fear to create a sense of urgency and importance that urges the user not to waste any more time and to download and execute the dropper immediately. Aside from unknowingly downloading malware, the victimized user is also fooled into paying for the Fake AV. Not only will the user be charged for the cost of the Fake AV, there is a high probability that the user's credit card information has been captured, since the website processing the payment is rogue to begin with.
On the technical side, using this vector saves the bad guys time in finding ways to bypass host protection such as UAC since the user gives the malware dropper explicit permission to execute.
- Christopher Elisan, Senior Research Analyst

Tags: APT, Aurora, Aurora Botnet, botnet, bots, Google APT, Google Attack, Google China, Google Hack, Login Software 2009, Microsoft Antispyware Services, Operation Aurora
Hey there! Nice article!
You say that the sys file is related to operation aurora, but after analyzing the sys file myself in operation aurora, I can say that it contained another file, and was not a driver.
Check out my external file analysis since proper binary analysis couldn’t have been made at the current status of the file :
http://imthezuk.blogspot.com/2010/03/aurora-sys-file-used-in-attack-external.html
Check this out
So, if in this case the msconfig32.sys is a driver, it just means they both used the same name, but it doesn't mean anything more.
I don't think myself that it's related to malware common over the net; I think it was a dedicated attack on Fortune 500 companies / other interesting companies to steal info from.
You can contact me via my blog if needed. Good luck
http://imthezuk.blogspot.com
On a second look, those domains look very, very similar to Aurora's domains...
Check my presentation which I gave on technical details regarding the Aurora activity at :
http://www.ihackbanme.com/presentation/Google%20Vs.%20China%20Presentation_updated.pdf
I think someone is trying to copy the way of acting on those malware… just so Aurora can be accused once the malware is being caught. Or it’s the other way around -> Aurora’s writers made this malware so no one will suspect of the real owners (Chinese ?)…
Interesting.