On a daily basis security researchers discover and reverse ever more sophisticated malware. During 2013 new malware families appeared that aim to steal user information or control remote systems. Some of them use old techniques with a slight update that makes the attack more effective against the security measures in place.
Win32/Gapz is another bootkit variant. Bootkits are widely used to gain full access to the victim machine, allowing the attacker to hook operating system activity without being observed by security software.
Win32/Gapz implements several functions and effectively hides its presence on the infected system. The malware exploits Windows vulnerabilities to escalate privileges, including CVE-2011-3402, CVE-2010-4398 (Driver Improper Interaction with Windows Kernel Vulnerability) and COM elevation (UAC whitelist).
Gapz also allows capturing pictures from the user's webcam and displaying them with a payment request in the upper right corner of the infected host's screen. It locks the computer and asks the victim to pay for a code to unlock the PC.
Avatar was first discovered in February 2013. The malware is able to bypass antivirus software because it is loaded into memory without being saved to the hard drive. The Avatar C&C server is configured to use Yahoo Groups to pass information and updates to the bot in case it loses connection with the bot network. This makes the malware resilient, so the compromised hosts on the internet are not lost. The malicious code searches Yahoo Groups messages using special parameters such as «hxxp://finance.groups.yahoo.com/group/I62TUUWM/».
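A defender-side illustration of the fallback channel described above: a small proxy-log scanner that flags requests to the Yahoo Groups path the bot uses. This is an added example, not code from the original post or from ESET; the log format is constructed, and the assumption that the group name is an 8-character upper-case alphanumeric token (generalised from the single value the post shows, I62TUUWM) is labelled in the code.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log, not real traffic. Assumed format:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2013-02-14T10:01:02Z 10.0.0.17 GET http://finance.groups.yahoo.com/group/I62TUUWM/ 200
2013-02-14T10:01:05Z 10.0.0.23 GET http://www.example.com/index.html 200
2013-02-14T10:02:11Z 10.0.0.17 GET http://finance.groups.yahoo.com/group/I62TUUWM/messages 200
2013-02-14T10:03:40Z 10.0.0.31 GET http://groups.yahoo.com/group/gardening-club/ 200
2013-02-14T10:04:00Z 10.0.0.42 GET http://finance.groups.yahoo.com/group/Q7ZX1K2P/ 404
"""

# The group name taken from the post (high-confidence indicator).
KNOWN_GROUP = "I62TUUWM"

# Assumption: the bot's group names share the shape of the known one,
# an 8-character upper-case alphanumeric token, so a second, lower-confidence
# rule looks for that shape under the same host.
GROUP_PATH_RE = re.compile(r"^/group/([A-Z0-9]{8})(/|$)")
C2_HOST = "finance.groups.yahoo.com"


def classify_url(url):
    """Return a verdict string for one URL, or None if it is not of interest."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    m = GROUP_PATH_RE.match(parts.path)
    if not m:
        return None
    group = m.group(1)
    if group == KNOWN_GROUP:
        return "known_avatar_group"
    return "suspicious_group_pattern"


def scan_proxy_log(text):
    """Parse proxy log lines and return a list of hits with their verdicts."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash
        timestamp, client, method, url, status = fields[:5]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append({
                "timestamp": timestamp,
                "client": client,
                "url": url,
                "status": status,
                "verdict": verdict,
            })
    return hits


def clients_by_verdict(hits):
    """Group flagged client IPs by verdict so analysts can triage hosts, not lines."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["verdict"]].add(hit["client"])
    return {verdict: sorted(clients) for verdict, clients in grouped.items()}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(hit["timestamp"], hit["client"], hit["verdict"], hit["url"])
    print(clients_by_verdict(found))
```

The host check is exact, so ordinary Yahoo Groups browsing on other subdomains is not flagged; the pattern rule is deliberately separate from the literal indicator so the two can be tuned (or the pattern rule dropped) independently.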
Win32/Caphaw is banking malware that cybercriminals used to attack major European banks; the attack lasted for more than a year. Win32/Caphaw differs from other similar threats in that it is one of the few Trojans that can automatically steal money from a bank account during a normal session without the victim's knowledge.
Win32/Caphaw is able to test the environment in which it is about to execute. This test allows it to detect and avoid honeypots and environments designed for reversing the malware. It also injects its code into all running processes and has a multithreaded architecture for task execution.
This malware is similar to Zeus and SpyEye: it aims to grab users' sensitive login information by logging keystrokes and taking screenshots of the victim's computer. Hundreds of victims were found in European countries including Turkey, Portugal, the Czech Republic and the UK.
The main functionality of the malware is:
- Intercepting network traffic
- Creating desktop screenshots
- Video capture
- Creating remote proxy connections
- A hidden VNC server
Some components of the malware can be installed on mobile devices running Symbian, BlackBerry or Android.
Atrax is a backdoor that uses TOR. It is one of the most dangerous malware families at the moment. When Atrax infects a system, the attacker obtains the following information:
- Infected machine IP address
- Operating system version
- The CPU type
The attacker can also execute the following commands:
- dlexec – download and execute a file
- dlrunmem – download a file and inject it into the browser
- dltorexec – download the TOR executable and execute it
- dltorrunmem – download the TOR executable and inject it into the browser
- update – update itself
- install – download a file, encrypt it with AES and save it to %APPDATA%
- installexec – download a file, encrypt it with AES, save it to %APPDATA% and execute it afterwards
- kill – terminate all of its own threads
Atrax has many plugins that add functionality to the botnet. There are also plugins that use the victim's computer to launch DDoS attacks from the distributed network: UDP/TCP flood, HTTP Slowloris (a slow DoS attack against Apache) and HTTP RUDY. It also supports both IPv6 and IPv4.
2013 was full of new malware that updates its techniques to bypass and evade antivirus products, so it is important to keep your security software updated with the latest definitions to stay protected against new threats.
- Advanced Evasion Techniques by Win32/Gapz http://www.welivesecurity.com/wp-content/uploads/2013/05/CARO_2013.pdf
- Hesperbot – Technical analysis part 1/2 http://www.welivesecurity.com/2013/09/06/hesperbot-technical-analysis-part-12/
- The rise of TOR-based botnets http://www.welivesecurity.com/2013/07/24/the-rise-of-tor-based-botnets/