New malware linked to FDIC phish spam

Discussion in 'Anti-Virus' started by Virus Guy, Feb 8, 2007.

  1. Virus Guy

    Virus Guy Guest

    This was linked to an FDIC phish I received today.

    WARNING: If you don't know what you're doing, don't mess with this.

    hxxp://trasoffice.com/flash/ safeConnect.exe

    Note: Very cute. It's got the icon of a folder.

    VT is coming up pretty much zero on this one.

    Antivir says "Heur/malware"

    Panda says "suspicious file"

    Everyone else says nothing.

    I don't see the sandbox thing that VT normally does (is that a Norman
    feature?) so I can't report anything else other than packed with
    BINARYRES.

    Dave, what do you make of this?

    ---------------

    Domain: trasoffice.com

    Registrant
    Mike Beriault

    291 Elm #4
    Beaconsfield, PQ H9W5X1 CA
    +1.5144260832
    Record created on April 25, 2002

    Looks like their server was hacked:

    http://www.trasoffice.com/

    Someone should tell Mike.
     
    Virus Guy, Feb 8, 2007
    #1

  2. From: "Virus Guy" <>

    | This was linked to an FDIC phish I received today.
    |
    | WARNING: If you don't know what you're doing, don't mess with this.
    |
    | hxxp://trasoffice.com/flash/ safeConnect.exe
    |
    | Note: Very cute. It's got the icon of a folder.
    |
    | VT is coming up pretty much zero on this one.
    |
    | Antivir says "Heur/malware"
    |
    | Panda says "suspicious file"
    |
    | Everyone else says nothing.
    |
    | I don't see the sandbox thing that VT normally does (is that a Norman
    | feature?) so I can't report anything else other than packed with
    | BINARYRES.
    |
    | Dave, what do you make of this?
    |
    | ---------------
    |
    | Domain: trasoffice.com
    |
    | Registrant
    | Mike Beriault
    |
    | 291 Elm #4
    | Beaconsfield, PQ H9W5X1 CA
    | +1.5144260832
    | Record created on April 25, 2002
    |
    | Looks like their server was hacked:
    |
    | http://www.trasoffice.com/
    |
    | Someone should tell Mike.

    Yes, the site was hacked and they are in the process of mitigating the alterations made,
    infection and the vulnerabilities that were exploited.
     
    David H. Lipman, Feb 8, 2007
    #2

  3. C J.

    C J. Guest

    Seems there's been a lot of this going on with Banks lately. Just the other
    day I received a rather official looking email from Bank of America (whom I
    bank with) on an email account they don't have - notifying me my account
    had been frozen. First I went to the bank to check this out, and found I
    could log in normally. Being suspicious, I examined the message header of
    the email in OE, and did a Whois on a http:// referenced in their link. I
    forwarded the info to the Bank.

    One thing I did find is that the Sending party server was a legitimate
    corporation server, so they probably weren't aware they've been hacked with
    some kind of mailbot.
     
    C J., Feb 8, 2007
    #3
  4. Virus Guy

    Virus Guy Guest

    24 hours later and the VT results are showing 1 additional hit.

    Bit Defender is now ID'ing it as Trojan.BHO.AC.

    Dave, doesn't VT give a sandbox report of what a sample does when
    executed? I thought I've seen that in the past with some samples. Or
    does it take more hits (or a detection by a specific AV) to trigger
    the sandbox report?
     
    Virus Guy, Feb 9, 2007
    #4
  5. Art

    Art Guest

    It is odd indeed. I had submitted safeconnect.exe to Kaspersky
    analysts yesterday, and I haven't yet heard a peep, which is very
    unusual if the file is actually malware. Normally, they either respond
    immediately or within an hour or two at most ... and will have added
    detection.
    I remember seeing that once or twice long ago being done by Norman
    Virus Control (NVC) (they have the technology). It was a "sometimes"
    sort of thing, though, and not consistent. But I've not seen a sandbox
    report by NVC in ages.

    I'll report back here if I hear from Kaspersky.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 9, 2007
    #5
  6. Art

    Art Guest

    Are you saying their analysts are tied up putting out fires elsewhere?
    Or their email isn't yet working to respond to my submission?

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 9, 2007
    #6
  7. From: "Virus Guy" <>

    | 24 hours later and the VT results are showing 1 additional hit.
    |
    | Bit Defender is now ID'ing it as Trojan.BHO.AC.
    |
    | Dave, doesn't VT give a sandbox report of what a sample does when
    | executed? I thought I've seen that in the past with some samples. Or
    | does it take more hits (or a detection by a specific AV) to trigger
    | the sandbox report?

    SandBox results are from SunBelt and Norman if the resultant catch generates such a result.
     
    David H. Lipman, Feb 9, 2007
    #7
  8. From: "Virus Guy" <>

    | 24 hours later and the VT results are showing 1 additional hit.
    |
    | Bit Defender is now ID'ing it as Trojan.BHO.AC.
    |
    | Dave, doesn't VT give a sandbox report of what a sample does when
    | executed? I thought I've seen that in the past with some samples. Or
    | does it take more hits (or a detection by a specific AV) to trigger
    | the sandbox report?

    I think you'll find that Avira and Ikarus will name this trojan similar to "Trojan.BHO.AC".

    BTW: If you submit the file directly to SunBelt's sandbox it balks and doesn't provide a
    result.
     
    David H. Lipman, Feb 10, 2007
    #8
  9. Art

    Art Guest

    Still nothing from Kaspersky after two submissions. Here's a Norman
    sandbox report:
    ******************************************************
    safeConn.exe : Not detected by Sandbox (Signature: NO_VIRUS)

    [ General information ]
    * Accesses executable file from resource section.
    * File length: 817152 bytes.
    * MD5 hash: 454284b824688c9949ca58986c57a0b4.

    [ Changes to filesystem ]
    * Creates file C:\out.dll.
    * Creates file C:\win_srv.dll.
    * Deletes file c:\\out.dll.

    [ Signature Scanning ]
    * C:\win_srv.dll (446976 bytes) : no signature detection.

    (C) 2004-2006 Norman ASA. All Rights Reserved.

    The material presented is distributed by Norman ASA as an information
    source only.

    This file is not flagged as malicious by the Norman Sandbox
    Information Center. However, we can not guarantee that the file is
    harmless. If you still suspect the file to be malicious and if you
    urgently need to know for sure, please submit it to your local Norman
    support department for manual analysis.
    **************************************

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 13, 2007
    #9
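    The Norman report above notes that the sample "accesses executable file from resource section" and then writes win_srv.dll, i.e. the dropper carries its payload inside its own image. The following triage helper is an added example (not from the thread or from Norman): it walks a binary looking for a second MZ header whose e_lfanew points at a valid PE signature, which is a cheap static check for an embedded executable. The sample bytes it runs on are constructed in the code, not the real file.

```python
import struct
import sys


def build_fake_pe(payload: bytes = b"") -> bytes:
    """Constructed test data: a minimal MZ/PE-shaped blob, optionally with
    extra bytes appended (standing in for a resource section). Not a real binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # "PE\0\0", Machine=0x14C (i386), NumberOfSections=1
    nt_header = b"PE\0\0" + struct.pack("<HH", 0x14C, 1)
    return dos_header + nt_header + b"\0" * 16 + payload


def find_embedded_pe(data: bytes):
    """Return [(offset, machine)] for every MZ header after offset 0 whose
    e_lfanew field points at a "PE\\0\\0" signature inside the data.
    A stray "MZ" in random bytes is rejected by the e_lfanew/signature check."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sanity bounds on e_lfanew, then confirm the NT signature and read Machine.
            if (0x40 <= e_lfanew < 0x1000 and pe_off + 6 <= len(data)
                    and data[pe_off:pe_off + 4] == b"PE\0\0"):
                machine = struct.unpack_from("<H", data, pe_off + 4)[0]
                hits.append((pos, machine))
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_file(path: str):
    """Convenience wrapper for running the check on a file on disk."""
    with open(path, "rb") as fh:
        return find_embedded_pe(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        # Outer "dropper" with an inner fake PE 200 bytes into its payload area.
        blob = build_fake_pe(b"\0" * 200 + build_fake_pe())
    for offset, machine in find_embedded_pe(blob):
        print(f"embedded PE at offset {offset:#x}, Machine={machine:#x}")
```

A hit only says "there is a second executable image in here"; it does not say what it does, so treat it as a reason to sandbox the sample, not as a verdict.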
  10. From: "Art" <>


    |
    | Still nothing from Kaspersky after two submissions. Here's a Norman
    | sandbox report:
    | ******************************************************
    | safeConn.exe : Not detected by Sandbox (Signature: NO_VIRUS)
    |
    | [ General information ]
    | * Accesses executable file from resource section.
    | * File length: 817152 bytes.
    | * MD5 hash: 454284b824688c9949ca58986c57a0b4.
    |
    | [ Changes to filesystem ]
    | * Creates file C:\out.dll.
    | * Creates file C:\win_srv.dll.
    | * Deletes file c:\\out.dll.
    |
    | [ Signature Scanning ]
    | * C:\win_srv.dll (446976 bytes) : no signature detection.
    |
    | (C) 2004-2006 Norman ASA. All Rights Reserved.
    |
    | The material presented is distributed by Norman ASA as an information
    | source only.
    |
    | This file is not flagged as malicious by the Norman Sandbox
    | Information Center. However, we can not guarantee that the file is
    | harmless. If you still suspect the file to be malicious and if you
    | urgently need to know for sure, please submit it to your local Norman
    | support department for manual analysis.
    | **************************************
    |
    | Art
    | http://home.epix.net/~artnpeg

    Yeah... and the site is STILL serving up the file !
     
    David H. Lipman, Feb 13, 2007
    #10
  11. Art

    Art Guest

    I decided to scan the file this morning using AVS (KAV) and to my
    surprise it alerted (never did hear back from them). I then uploaded
    the file to VT again, and found that very few scanners alert, much as
    in the past:
    ******************************************************
    Complete scanning result of "safeConn.exe", received in VirusTotal at
    02.13.2007, 14:31:01 (CET).

    Antivirus Version Update Result
    AntiVir 7.3.1.37 02.13.2007 TR/BHO.AC
    Authentium 4.93.8 02.12.2007 no virus found
    Avast 4.7.936.0 02.12.2007 no virus found
    AVG 386 02.12.2007 no virus found
    BitDefender 7.2 02.13.2007 Trojan.BHO.AC
    CAT-QuickHeal 9.00 02.13.2007 no virus found
    ClamAV devel-20060426 02.12.2007 no virus found
    DrWeb 4.33 02.13.2007 no virus found
    eSafe 7.0.14.0 02.12.2007 no virus found
    eTrust-Vet 30.4.3394 02.13.2007 no virus found
    Ewido 4.0 02.13.2007 no virus found
    Fortinet 2.85.0.0 02.13.2007 no virus found
    F-Prot 4.2.1.29 02.12.2007 no virus found
    F-Secure 6.70.13030.0 02.13.2007 no virus found
    Ikarus T3.1.0.31 02.13.2007 Trojan.BHO.AC
    Kaspersky 4.0.2.24 02.13.2007 Trojan.Win32.BHO.e
    McAfee 4961 02.12.2007 no virus found
    Microsoft 1.2204 02.13.2007 no virus found
    NOD32v2 2057 02.13.2007 no virus found
    Norman 5.80.02 02.13.2007 no virus found
    Panda 9.0.0.4 02.13.2007 Suspicious file
    Prevx1 V2 02.13.2007 no virus found
    Sophos 4.13.0 02.12.2007 no virus found
    Sunbelt 2.2.907.0 02.09.2007 no virus found
    Symantec 10 02.13.2007 no virus found
    TheHacker 6.1.6.056 02.11.2007 no virus found
    UNA 1.83 02.09.2007 no virus found
    VBA32 3.11.2 02.12.2007 suspected of Embedded.Trojan.Win32.BHO.e
    VirusBuster 4.3.19:9 02.12.2007 no virus found

    Aditional Information
    File size: 817152 bytes
    MD5: 454284b824688c9949ca58986c57a0b4
    SHA1: eebdd52c8163cccf1aa97860430548bcec4a0e8b
    packers: BINARYRES
    ********************************************
    Note that I shortened the file name (I sometimes shorten to 8.3
    because of an old DOS ZIPper I'm in the habit of using).

    Doing some Googling on the file names created by this malware, it
    looks like some security products alert on win_srv.dll so it looks
    like detection is a bit more prolific than the VT result suggests. I
    don't have any BHO specific detectors installed right now, and I
    didn't get to the point where I let the thing loose on my machine to
    use it as a goat to see which products might alert on the created
    files. But I was damn close to doing that out of curiosity :)

    It's a mystery to me that so few av alert on the downloaded file
    after all this time. It sure looks to me like the evidence points to
    the file actually being a BHO aimed at IE.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 13, 2007
    #11
  12. Art

    Art Guest

    Perhaps more correctly, the file seems to be a dropper of the BHO
    though the av that alert don't add the .dr designation. Whatever :)

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 13, 2007
    #12
  13. Art

    Art Guest

    I imagine KAV also has an option to just skip the file since AVS does.
    The behaviour makes sense to me. I don't have any problem with it.
    If a drive scan results in a large # of detections, I'd want to handle
    each one individually. I'd never have an av set to automatically delete
    or disinfect because of the possibility of FPs. I'd want to
    investigate every detection. I make use of the scan log to tell me
    where the detected/suspicious files are located.

    When tracking down a suspicious file I never have realtime scanning
    enabled. I rarely enable it in any event. I download the suspects to
    a test folder and scan only that folder.

    So I have no use for quarantine. Don't like it and don't want it.
    Sample submissions should always be zipped indeed. EXE files
    (and some others) tend to disappear in the cloud never to be
    seen again whether or not they are actual malware :)
    Good. And good luck :)

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 13, 2007
    #13
  14. Art

    Art Guest

    I don't know if he's the one who failed to respond or I would :)
    For your next mission impossible, you can try to find out what
    took them so long to add detection. Lotsa luck.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Feb 13, 2007
    #14