Grey clouds on the horizon

In December 2004, I received reports from the anti-spyware community about some ad/spyware which was very difficult to identify. After some research, it was clear that the first file-infecting ad/spyware had been found - by accident.

The infector, named Virus.Win32.Implinker.a, used an old, but interesting tactic. The main file consists of two components, a file-infecting dropper and an adware dll. The adware component is detected by Kaspersky Anti-Virus as 'not-a-virus:AdWare.Visiter', also known as Holax.

Upon execution the .dll file is dropped into %sysdir% and the infector looks for the usual RUN keys for programs executed at boot. It copies the files it finds into %temp% and adds an import which refers to the .dll component in the target file. PendingFileRenameOperations is then used to replace the files in %temp% with the original files at the next system boot.

This was quite a different way of loading a .dll file. It marked the first real blow against dedicated anti-spyware applications, whose engines are not sophisticated enough to detect or disinfect the infected files. An additional downside to only deleting the malicious .dll file is that due to the missing import library, infected files can no longer be executed.

The impact of this piece of malware was quite noticeable. Even after the first positive identification, the anti-spyware community continued to have great difficulty identifying this infection. Although it's hard to compile precise statistics, the number of reports suggest that this was a minor (adware) epidemic.

At the end of January 2005, Virus.Win32.Bube.a (aka Beavis) was detected. A number of variants appeared in a short space of time, but they hardly differed from each other, incorporating only minor changes such as the target URL.

Bube quickly became notorious. Just like many other pieces of malware, it was installed in the system when the user visited an infected site, with the MHTML URL Processing Vulnerability (see http://secunia.com/advisories/11067/) being used to install it on unpatched machines.

The infector appended code to explorer.exe so that Explorer functioned as a Trojan downloader, downloading adware and Trojans. Once all adware and Trojan programs had been installed, an infected machine would be hosting about 200 infected files.

Bube also infected the copy of explorer.exe in %sysdir%\dllcache. This made removal difficult, and as the number of infected users rose, it became clear that a number of anti-malware applications were not able to disinfect explorer.exe.

Whoever wrote Bube produced a program which:

It's a little unexpected that malware with a mutex referring to MTV's Beavis and Butthead would be so complex. But getting rid of the infection was a simple matter of terminating the process and running an anti-virus that was capable of disinfecting explorer.exe.

The Bube case led us to the following conclusions:

Our fears were realized with the introduction of the Virus.Win32.Nsag.a infectors. These started to become highly prevalent at the beginning of June this year.

At the moment, there are four major Nsag.a infectors: Trojan-Downloader.Win32.Agent.ns was first detected in the middle of May, with Trojan.Win32.Agent.eo, Agent.ev and Agent.ff being detected shortly after. These four pieces of malware have been modified very slightly by the authors in an attempt to evade detection. This is particularly noticeable in the cases of Trojan.Win32.Agent.eo, Agent.ev and Agent.ff which have been altered numerous times.

Trojan downloaders are used to install this malware in the system. These Trojan downloaders are installed either via exploits on web pages, or by other Trojan downloaders. The specific Trojan downloaders which installed the Nsag infectors also often download other Trojan programs, and something called AntiVirus-Gold, which describes itself as an anti-virus program.

At the end of July new infectors were found. These were similar to previous Trojans, but as some filenames differ we chose to call them Nsag.b infectors. Let's take a look at two different Trojans, one Nsag.a infector and one Nsag.b infector. They are both detected as Trojan.Win32.Agent.eo.

When executed, the infector (normally named loader.exe) starts by dropping oleadm.dll into the system directory, this is the main Trojan component.

After dropping oleadm.dll, a file named oleadm32.dll is created, also in %sysdir%. This is a copy of the system's wininet.dll. The infector then starts to infect oleadm32.dll with Trojan code. It checks for the location of the HttpSendRequest function and then creates an entry point in the file header (and makes other corresponding changes), so that all calls to this function are transferred to oleadm32.dll, instead of wininet.dll.

The MZ header has been modified. The reference to oleadm is clear. After infection oleadm.dll is loaded into the dropper's process. The .dll uses the mutex 'OLEADMUTEX' to ensure that only one instance of itself is running at any time.

The dropper then makes entries to [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager] and [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager], where it uses the function 'PendingFileRenameOperations' for replacing and deleting files. This is quite a powerful function, as is shown by the fact that it is able to replace wininet.dll with another file.

The dropper also adds a line which will delete the copy of itself. After this has been done, the dropper adds '"AllowProtectedRenames"=dword:00000001' to the same keys in the registry. This value needs to be set in order to rename vital files. In operating systems such as 9x, which don't support this function, the dropper uses good old WININIT.INI to achieve the same goals.

The infector then tries to download a file via HTTP from a website, but this file was unavailable at the time of writing.

Regardless of whether the download is successful, a file called wp.gif is created in the system directory. This is rather interesting as the .gif file is converted to a .bmp file. When the files are unpacked, there's a 95KB difference between them, but the difference in size between the compressed files is negligible.

This image will be set as the new wallpaper. It warns that Trojan-Spy.HTML.Smitfraud.c has been detected. This is actually a Kaspersky Anti-Virus detection for a very popular phishing mail.

Additionally, the background colour will be changed to '1 2 172' to match the wallpaper's colour. NoDispBackgroundPage and NoDispAppeancePage values are set to 1 to try to prevent the user from changing the relevant settings back again.

UninstIU.exe is dropped into %windir%. Although this file is detected as a Trojan, it actually reverses some of the changes made by the initial Agent.eo. It reverses only the registry changes which relate to the desktop and also deletes the 'SpyWare' entries which are created following the installation of uninstU.exe.

After uninstIU.exe is dropped, the following keys and values are added to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Uninstall\Internet Update]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ {357A87ED-3E5D-437d-B334-DEB7EB4982A3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Uninstall\Internet Update]DisplayName="Internet Update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Uninstall\Internet Update]UninstallString="uninstIU.exe"

'Internet Update' refers to the spyware that will be detected by the program oleadm.dll downloads.

When these registry entries have been added, oleadm.dll launches a hidden instance of Internet Explorer which will download a 'virus and spyware remover' program called PSGuard. If it is not installed successfully, Internet Explorer will download the PSGuard installation file repeatedly until the process is successful.

The tempfile is created in the Windows directory and is called w[seven random characters].exe.

PSGuard will secretly install and register to start at boot. It detects the 'spyware' mentioned above as Trojan.InternetUpdate.

Oleadm.dll is designed with two goals in mind. One is spying on HTTP traffic. This is done very cleverly simply by hooking all calls to the HTTPGetRequest function. A bonus is that oleadm.dll will be loaded each time the system starts without any references to it besides those in the infected wininet.dll. This makes initial detection difficult.

The other goal is to install and promote PSGuard. But the biggest advantage is that wininet.dll is involved - this important Windows file is very hard to disinfect automatically without using PendingFileRenameOperations.

Nsag.b (Agent.eo) is very similar to the Nsag.a package. Instead of oleadm.dll and oleadm32.dll, the files are called oleext.dll and oleext32.dll respectively. Apart from this, registry keys and internal filenames are the same, and the actions taken with PSGuard and uninstIU.exe are identical.

Instead of using a .bmp for wallpaper an .html file is used. A big red 'Warning!' blinks at the top of the screen, when the user is warned of infection. There's also a 'Click here' which leads to the PSGuard site.

This version of Agent.eo includes Trojan.Win32.Small.ev. Some Nsag.a infectors carry this Trojan as well. Its main payload is that it is displayed as a tray icon, claiming the system has been infected. When the icon is clicked, Internet Explorer will be opened to the PSGuard site. Small.ev will be registered to execute at system start.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run] intell32.exe="C:\%sysdir%\intell32.exe"

Perhaps the most interesting development in the Nsag case is that there has been no significant evolution apart from an increasingly aggressive approach, and more and more new pieces of malware which install it.

It's interesting to note that the first Nsag infector, Trojan-Downloader.Win32.Agent.ns, was much less aggressive in its promotion of PSGuard than later infectors. It did not have the 'taskbar trojan', nor did it download PSGuard automatically.

The user was presented with a pop-up which asked if the system should be checked for viruses and spyware. If the user clicked 'yes', PSGuard would be downloaded, and the download process was clearly visible to the user. Additionally, in comparison with later variants, its wallpaper was not particularly eye-catching.

One major question comes to mind when discussing Implinker, Bube and Nsag: are we talking about viruses or Trojans?

The problem, more or less, is that this type of malware can be viewed from different angles. Let's look at the infector components first. These 'special target infectors', as I've dubbed them for the time being, infect the target with code which is not able to replicate.

Perhaps this type of behaviour is comparable to what you get when you put a black sock in with your white laundry. The white laundry gets 'infected' by the black sock, but the 'infected' whites won't 'infect' other clothes.

Let's take a look at the target components.

The target components are infected by the infector with code that is not designed to replicate; it is pure Trojan code. So can we classify these infected files as Trojans? No, the term Trojan implies that the file can't be disinfected (and is 100% malicious), while the samples we're dealing with can be disinfected.

The terms 'virus' and 'Trojan' don't really seem to fit in this context, so perhaps a new type of classification is in order.

I propose the term 'poison' - this type of malware is highly selective, just as poison can be selective, attacking very specific cells and structures. Additionally, malware classified as poison doesn't necessarily have to spread further, and objects it infects can be disinfected. The term seems to fit perfectly and given the likelihood that this type of malware will become more and more popular, the time for a new classification seems ripe.

As mentioned earlier, PSGuard is the software which the Nsag infectors aim to promote. Between the beginning of June and the beginning of August, the people behind PSGuard seem to have changed direction.

Firstly, the program was upgraded from v2 to v3. The major change seems to be a completely redesigned GUI. Luckily for the people who use this software, the upgrade meant that the update functionality was no longer impaired. Version 2 always encountered a 404 when trying to update.

Unfortunately, detection rates do not seem to have improved. The software was tested on some older Sober, Kelvir and Mytob variants, but all went undetected, even though detection of Kelvir is mentioned specifically on the PSGuard site.

But with the latest build of this software, the authors decided to alter the program's behaviour radically in comparison to earlier versions.

Version 3.3.0.1/3.3.0.0 (engine/update respectively) is not (yet) available for direct download from the PSGuard site; you have to update the downloadable package. This version considers its own presence on the system to be a critical risk while previous builds do not exhibit this behaviour.

When the user tries to remove malware which has been detected on the system by PSGuard, the program will ask the user to pay to register. If registration (and payment) is not completed, PSGuard will not delete the detected objects.

AntiVirus-Gold seems to be rather more aggressive than PSGuard. Trojan downloaders which download this program (e.g. Trojan-Downloader.Win32.Small.bdw) also download Trojans/hoaxes which state that the computer is infected with spyware.

When the user clicks on the message displayed by the Trojan the Internet browser is opened at the AntiVirus-Gold website. If the user opts to scan with AntiVirus-Gold, he will be told that the computer is infected with spyware, even if the machine is clean.

The anti-virus world is assisted by the changes that PSGuard has made. Previous versions/builds did not display any significant suspicious behaviour, except for the way it was being promoted. Certainly detection rates are not on a par with those of other products and the user has to pay up before cleaning the infected machine - but couldn't the same be said about some products with established names?

The fact of the matter is that more and more of these 'light grey' products are surfacing. If we look exclusively at the code of these programs they shouldn't be detected at all. But the community wants anti-virus solutions to detect these programs.

A permanent solution needs to be found as soon as possible. One option would be a maintained Rogue/Suspect Anti-Spyware list, similar to Eric L. Howes' list. If a listed program was detected, users could be directed to the list, leaving them to decide whether or not to remove it manually.

Given the success of the different 'poisons' so far, it's safe to say that we will see more of these infections in the future.

So far, such threats have revealed a number of anti-malware programs with removal problems. Detection and disinfection therefore clearly need to be improved to stand a chance of counteracting the next generation of 'poisons'. The search for vital (infectable) system files shows that new versions will undoubtedly be more difficult to remove.

Aggressive promotion of such 'light grey' software has brought unwanted attention from those in the security industry, and made the community as a whole more aware of such issues. It seems that programs like PSGuard and AntiVirus-Gold may have dug their own grave in using malware to promote their programs. It remains to be seen what other grey clouds are gathering on the horizon.