
Wednesday, September 7, 2011

Hackers Flip Filenames to Create "Safe" File Extensions - MarketWatch

Sept. 7, 2011, 8:02 a.m. EDT

Hackers Flip Filenames to Create "Safe" File Extensions

Unicode Feature Misused to Infect Computers on a Payment-Per-Install Basis

PRAGUE, CZECH REPUBLIC, Sep 07, 2011 (MARKETWIRE via COMTEX) -- "What you see is not what you get," thanks to a new wave of malware that misuses a special language display feature to trick people into opening supposedly "safe" files. The new exploit misuses features in Unicode -- the computing industry's standard for representing text -- to mask executable malware as "safe" files with a .doc or .jpg extension. It has been named "Unitrix" by AVAST Software analysts.

The Unicode feature is designed to display alphabets written in a right-to-left schema such as Arabic or Hebrew and flips the displayed text after special hidden codes such as 0x202E (right-to-left override) are added to the file name. For example, the executable malware file ending with "gpj.exe" is displayed to the recipient as the more innocent sounding "photo_D18727_Collexe.jpg".

"The typical user just looks at the extension at the very end of the file name; for example, jpg for a photo. And that is where the danger is," said Jindrich Kubec, head of the AVAST Virus Lab. "The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file."

The AVAST Virus Lab tracked a steady increase in the number of detections during August, with a daily peak of over 25,000. "From the email messages and the traffic pattern, this is clearly aimed at businesses," said Mr. Kubec. The attacks are almost exclusively made during the working week, with daily detections dropping below 5,000 on the weekend.

The most common Unitrix file is a malware downloader with connections to several URL addresses which then act as command and control centers. "Based on our analysis of over fifty samples, it appears to be part of a pay-per-install network with the capacity to send infected users a variety of malware," explains Mr. Kubec. Additional Unitrix information is on the AVAST blog.

"It is not possible to make a single universal, foolproof detection for it because this would create a lot of false positives, but there are definite ways to deal with this," said Mr. Kubec. He pointed out that avast! Antivirus end users are protected in two ways:


Unpacking the “Unitrix” malware

September 7th, 2011 Lyle Frink

The “Unitrix” exploit takes several Unicode features designed for right-to-left languages and uses them to mask malicious executables as safe text or video files. Here is a short list of the main options.

But this is just the start of the detective work. Analysis of this exploit shows that the hackers do not directly take over the infected computers. Instead, they run a “pay per installation” network that provides outsourced infection and malware distribution services for other cybergangs – apparently based in Russia and the Ukraine – after giving each infected computer its own identification number. And this gang has the ability to change the final payload thanks to its downloader: rootkit today, tomorrow something else.

We’ve titled this malware W32:Fivfrom. It’s a malware downloader which, after activation, connects to several distribution centers to download and install malware to the infected computer.  We analyzed over fifty separate files, all of which initially looked quite different. But when we looked inside, we found some similar patterns. All files were packed with UPX, and then there was a polymorphic loader which generated the final exe file. This means the malware contained two layers of protection – UPX as the first layer and a polymorphic loader for the second layer.

Here is the binary data at the entry point for two different samples. Although they look completely different, their output is always the same.

Figure 2. Polymorphic loader 1 (image not reproduced)

Figure 3. Polymorphic loader 2 (image not reproduced)

Although this may seem complicated, extracting the loader's code is very simple. In OllyDbg, put a breakpoint on VirtualFree and run the application. When the debugger stops, you will see this in your stack window:

0012F3BC   00921909  /CALL to VirtualFree from 00921907
0012F3C0   00970000  |Address = 00970000           <<<<
0012F3C4   00004400  |Size = 4400 (17408.)
0012F3C8   00004000  \FreeType = MEM_DECOMMIT

where the memory block currently being freed contains the code of the downloader itself. Figure 4 shows the debugger window at the moment when the original (unpacked and loaded) downloader can be dumped.
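The file-name trick described in both pieces above hinges on the raw code points differing from what the file manager draws. The following is an added example, not code from MarketWatch or the Avast post: it scans a name for Unicode bidi controls, approximates how a right-to-left override (U+202E) makes the name render, and compares the displayed extension with the one the operating system actually uses. The executable-extension list and the constructed sample name are assumptions modelled on the article's "gpj.exe" case.

```python
# Added example: reveal file names that use bidi controls (e.g. U+202E RLO)
# to hide the real extension, as in the "Unitrix" trick described above.

# Unicode bidi control characters that can reorder how a name is rendered.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Assumed list of extensions Windows treats as directly executable.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

def find_bidi_controls(name):
    """Return (index, control name) for every bidi control in the raw name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def true_extension(name):
    """Extension the OS uses: suffix after the last '.' in the raw code points."""
    raw = "".join(c for c in name if c not in BIDI_CONTROLS)
    return raw.rsplit(".", 1)[-1].lower() if "." in raw else ""

def displayed_name(name):
    """Approximate rendering: text after an RLO is reversed up to the next PDF
    or the end of the name; other controls are invisible. Nesting not modelled."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])   # reversed run, PDF consumed
            i = j + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)

def assess(name):
    """Flag a name whose displayed extension differs from the real one."""
    shown, real = displayed_name(name), true_extension(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    controls = find_bidi_controls(name)
    return {"displayed": shown, "true_ext": real, "displayed_ext": shown_ext,
            "controls": controls,
            "suspicious": bool(controls) and real in EXECUTABLE_EXTS and shown_ext != real}

# Constructed sample modelled on the article's "gpj.exe" -> "...exe.jpg" case.
UNITRIX_STYLE = "photo_D18727_Coll\u202egpj.exe"

if __name__ == "__main__":
    for n in (UNITRIX_STYLE, "holiday.jpg"):
        print(assess(n))
```

Run it over the file names in an e-mail gateway quarantine or a file server listing; any hit with `suspicious` set is worth a second look regardless of what the icon or extension column shows.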

Read More and see more images...

Pretty Nasty - Tricky Stuff... Watch Out! :O


Unitrix Trojan Virus
Hackers flip characters to disguise malware - Computerworld
unitrix trojan virus - Google Search
PostOffice 2: Hackers Flip Filenames to Create "Safe" File Extensions
unitrix hackers flip characters - Google Search
avast unitrix - Google Search
avast! blog » Unpacking the “Unitrix” malware
Hackers Flip Filenames to Create "Safe" File Extensions - MarketWatch

