
March 21, 2006

Rootkit.hearse

On March 20th, we at Sana Labs discovered an in-the-wild rootkit and Trojan that has been actively infecting machines since about the 16th of March. This kernel-level rootkit was designed to hide a Trojan that has some pretty scary capabilities. First, the Trojan survives reboot and does not run as a separate process. Second, it can recover passwords previously used on the machine, so it does not need to log keystrokes. And third, because the rootkit hides the Trojan, end users cannot see it on their disk.

This Trojan and rootkit were found during the investigation of an in-the-wild worm named Win32.Alcra. If not stopped, the worm attempts to contact various websites and download additional payloads. One of these websites hosted the installer for this rootkit and Trojan. Once these components are silently installed on a machine, the Trojan invisibly starts communicating with yet another web server, located in Russia, which acts as the repository for the stolen usernames and passwords.

[Screenshot: s1.JPG]


One of the sites is still actively infecting machines. It attempts to download several pieces of spyware, adware, and Trojans in addition to the rootkit. The rootkit has two pieces: a device driver named 'zopenssld.sys' and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where it resides, though the malicious versions are located in the System32 folder.

[Screenshot: s2.JPG]


While the DLL is invisible on the file system, it is visible as an injected DLL in many running processes. Because zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it survives even in Safe Mode.

[Screenshot: s3.JPG]


The Trojan does not appear to be active at all times; it wakes up and starts communicating when it sees the user browsing to a website that requires authentication. To observe it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to http://bankofamerica.com and entered a fake username and password. All network traffic was recorded, and after the web browser session ended, the Trojan's communication became apparent.

[Screenshot: s4.JPG]


Further investigation determined that this malware was sending information to a web server located in Russia. Ironically, this web server was not secured, and any user browsing the site could view the information being stolen.

[Screenshot: s5.JPG]

According to the dates on this web server, it has been active since at least the 16th of March. The oldest stolen data observed was from the 19th of March. Based on the sheer amount of data that has been stolen, the infection has been more than tripling in size every day.

[Screenshot: s6.JPG]

Finally, a big thanks to Sysinternals and the developers of Ethereal for making such great tools (RootkitRevealer, Process Explorer, Filemon, Autoruns, and Ethereal).

Posted by Jeremy on March 21, 2006 09:54 AM

Comments

What if it was possible to block IPs at the Domain Name Server level? This way known malicious IPs can never be reached. This would only be useful if early viruses/trojans/worms could be dissected to find their destination IP. Or what about an AV service that updates your hosts file 24/7 so you can never connect to these data miners? It seems that even the newest AV software still doesn't protect us.

  Posted by: jojo at March 21, 2006 07:02 PM

Yet another example of the need for secure computing models that will prevent against rootkit installers.

  Posted by: Buena at March 21, 2006 09:46 PM

I found a similar article on Yahoo.
http://news.yahoo.com/s/pcworld/125163;_ylt=Aq_svJgJ_CAL2.tF.URtlLdhr7sF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
Does Russia have any idea about who this guy might be?

  Posted by: *** at March 22, 2006 06:00 AM

So what are the suggestions on dealing with this exploit/malware?

It would be better if I knew which sites to block.

  Posted by: John at March 22, 2006 06:30 AM

So uh. Care to perform some real crack-journalism and tell us WHAT host it is sending this data to so we can block at our firewall? C'mon.

  Posted by: jjames at March 22, 2006 09:36 AM

What is the name or IP address of the Russian site so that we can block it at the firewall?

  Posted by: Anonymous at March 22, 2006 12:22 PM

On March 21st my eBay password and ID were hijacked by an address at Yahoo.com.tr. Suspect that this may be one of the files on the Russian server. WWW is fast becoming the Wild West Web.

D. Lawrence

  Posted by: Richard Lawrence at March 22, 2006 01:28 PM

The Computerworld article indicated Sana had tested and found that 5 current vendors detect the Rootkit.hearse. Care to identify which at this point, as I'm curious if my spyware package detects this worm. Thx. Ed.

  Posted by: Ed at March 22, 2006 01:59 PM

What 5 programs did you use to detect this??? This would really help people if they knew what to use to find this!!!

  Posted by: Stan J. Miranda at March 22, 2006 02:10 PM

Well, the product that Sana sells (SafeConnect) can stop these types of threats. The other products that detected the rootkit included NOD32, VBA, and a couple others that don't immediately spring to mind.

  Posted by: Jeremy at March 22, 2006 04:36 PM

Since the website that was hosting the compromised information has been taken down, the best course of action for detecting this specific threat would probably be a Snort signature. A sig that grepped for 'catafalk' in the host name and 'data.php' in the GET request could tell you if you have infected machines.

Also, if you have some sort of software inventory mechanism, you can search for the file 'zopenssl.dll'.

  Posted by: Jeremy at March 22, 2006 04:39 PM
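The two indicators in the comment above ('catafalk' in the host name, 'data.php' in the GET request) are easy to turn into a retrospective check over web proxy logs as well as into a Snort rule. The script below is an added example, not code from the original post or from Sana Labs. The log format and every sample line are constructed (the beacon host is written as `catafalk.example`, not the real server, which the post does not name); the Snort rule string is a classic Snort 2 rendering of the comment's suggestion with a placeholder sid in the local range, and it is not exercised by the script.

```python
"""Scan constructed proxy logs for the Rootkit.hearse beacon (added example).

Matches the two indicators from the comment thread: a GET whose URI path
contains 'data.php' sent to a host whose name contains 'catafalk'.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted from the comment thread.
HOST_INDICATOR = "catafalk"
PATH_INDICATOR = "data.php"

# Constructed log format: "<date> <time> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparsable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""  # urlsplit lower-cases the host
    rec["path"] = parts.path            # query string deliberately excluded
    return rec


def is_beacon(rec):
    """True when the request matches both indicators, case-insensitively."""
    return (rec["method"] == "GET"
            and HOST_INDICATOR in rec["host"].lower()
            and PATH_INDICATOR in rec["path"].lower())


def find_infected(lines):
    """Return {client_ip: beacon_count} for every client with at least one hit."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_beacon(rec):
            hits[rec["client"]] += 1
    return dict(hits)


# Classic Snort 2 syntax for the same check; sid 1000001 is a placeholder in
# the local rule range. Written for illustration, not run by this script.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"Rootkit.hearse data.php beacon to catafalk host"; '
    'flow:to_server,established; '
    'content:"GET "; depth:4; '
    'uricontent:"data.php"; nocase; '
    'content:"Host|3A|"; nocase; content:"catafalk"; nocase; distance:0; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)

# Constructed sample log: one client beacons twice, the others only partially match.
SAMPLE_LOG = [
    "2006-03-22 10:01:05 10.0.0.12 GET http://www.example.com/index.html 200",
    "2006-03-22 10:01:09 10.0.0.12 GET http://catafalk.example/data.php?x=1 200",
    "2006-03-22 10:02:11 10.0.0.45 GET http://www.example.org/data.php 200",
    "2006-03-22 10:02:30 10.0.0.45 GET http://mail.catafalk.example/inbox 200",
    "2006-03-22 10:03:02 10.0.0.77 POST http://CATAFALK.example/data.php 200",
    "2006-03-22 10:03:40 10.0.0.12 GET http://CATAFALK.example/Data.php 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, count in sorted(find_infected(SAMPLE_LOG).items()):
        print(f"{client}: {count} beacon request(s)")
    print(SNORT_RULE)
```

Requiring both indicators keeps the false-positive rate down: `data.php` alone is a common file name, and the host fragment alone would also flag ordinary browsing to an unrelated site that happened to share the string, as the sample lines for 10.0.0.45 show.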

One last comment--if you want to block websites, IP addresses, and domains at your firewall, take a look at this project: http://www.spywarewarrior.com/uiuc/resource.htm#SitesList

  Posted by: Jeremy at March 22, 2006 04:41 PM

If possible, I would like to know which AV product could detect this malware at this moment.

Thanks,
Akiho Nakata

  Posted by: Akiho Nakata at March 22, 2006 04:52 PM

As of today, virtually every AV company can detect it.

  Posted by: Jeremy at March 22, 2006 04:53 PM

How do I protect myself against this Trojan that is stealing passwords for monetary transactions? ('zopenssld.sys'; 'zopenssl.dll')

I use AVG Pro, Ad-Aware SE Personal, Spy Sweeper, Spyware Doctor and Spybot Search and Destroy.

Am I protected?

Thanks, Ahi

  Posted by: Anonymous at March 23, 2006 07:12 AM

What platforms and versions are affected, if you know? Thanks!

Windows:
Unix:
Linux:

  Posted by: Afzal Khan at March 23, 2006 07:20 AM

socks.txt looks like a list of hosts running a backdoor service behind port 4050.

  Posted by: anonymous at March 23, 2006 08:05 AM

What is the use of hiding the host info if you forget to blind the hex values of the ethereal screenshot ????

  Posted by: anonymous at March 23, 2006 08:07 AM

What's the use of looking at the hex when in a previous post I give all the information needed to find the host ;)

  Posted by: Jeremy at March 23, 2006 09:13 AM

Hear the podcast! http://weblog.infoworld.com/zeroday/archives/podcast/index.html

  Posted by: Jeremy at March 23, 2006 09:33 AM

good

  Posted by: phat at March 24, 2006 09:02 PM

thank you for the useful info

nhoffman

israel

  Posted by: n hoffman at March 26, 2006 01:17 PM

OK... great. How do we test and, if needed, delete this sucker?

  Posted by: Lee at March 27, 2006 03:01 PM

Since the driver and Winlogon extension load even in Safe Mode, the only reliable way of cleaning an already infected machine is from a different OS: ERD Commander from Sysinternals, a Linux boot disc that can read NTFS, WinXP PE, etc.

  Posted by: Jeremy at March 27, 2006 03:22 PM

If this machine is not protected, why not give it a taste of its own medicine by downloading a trojan designed to delete the hard drive, or better still destroy it? Must be some clever person able to do this.

  Posted by: Joe at March 31, 2006 03:12 AM
