Security firm Trusteer appears to have identified a new variant of the Gozi financial malware. This one is more sophisticated and deserves your attention. It infects the Master Boot Record (MBR), the boot sector at the very beginning of the hard drive whose code tells the computer how to boot up.
Like TDL4, another MBR infector, this malware is hard to detect and remove. Gozi's main idea, though, is to wait for Internet Explorer to be launched on the victim's machine and then inject malicious code into that process. This lets the malware intercept web traffic and inject its own code into web pages, misleading the user and collecting financial information (as well as social security numbers, birth dates, and so on).
Some speculate that other developers have taken over, since the main developer and several accomplices were apparently arrested not long ago. It looks like the new developers have put a more sophisticated twist on the whole operation.
What's different? The MBR rootkit component. It makes the malware more sophisticated, because removing such a threat can leave the computer unable to boot. The main problem with fixing MBR infections is that the backup copy of the original boot code, which is stored in a different sector, is sometimes modified so that it no longer works once the infection has taken hold. That forces you to keep the infected MBR on the machine rather than simply restoring the backup. It is more effective to use dedicated tools to remove it.
One of these tools, though not exactly private, is the Kaspersky Rescue Disk. Others are available too, including TDSSKiller, which may or may not work correctly.
If you need further help, we would love to assist. Please comment at any time!
TDL4 is the newest version of the TDSS rootkit, a classic piece of rootkit malware that has been infecting computers and building a botnet since 2006. With its new capabilities it has made its way into government agency computers, ISPs, and even well-known companies. It uses stealth techniques and exploits to get itself installed, after which it can hide in a different partition on the disk or create its own partition.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.
In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.
TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.
TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.
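Because the MBR has a fixed layout (boot code, a disk signature, four 16-byte partition entries and the 0x55AA boot signature), a baseline comparison catches exactly the two changes a bootkit makes: replaced boot code and an extra, hidden partition. The following Python is an added example, not code from any of the posts quoted here or from Kaspersky or Damballa; the boot code and partition entries in it are constructed stand-ins, not real TDL4 data. On a real machine the 512 bytes would be read from the physical disk (for example `\\.\PhysicalDrive0` on Windows, which needs administrator rights); since a bootkit can hook disk reads and hand the running OS a clean copy, read the sector from a rescue environment such as the rescue disk mentioned above and compare it with a baseline captured when the machine was known to be clean.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: boot code the BIOS jumps into
DISK_SIG_OFF = 440             # bytes 440-443: Windows disk signature
PART_TABLE_OFF = 446           # bytes 446-509: four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into the pieces a baseline comparison cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not a valid MBR")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFF + index * struct.calcsize(PART_ENTRY_FMT)
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, offset)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Report every way the current MBR differs from a known-good baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature differs from baseline")
    base_parts = {p["index"]: p for p in base["partitions"]}
    cur_parts = {p["index"]: p for p in cur["partitions"]}
    for index in sorted(set(base_parts) | set(cur_parts)):
        if index not in base_parts:
            p = cur_parts[index]
            findings.append(f"partition entry {index} added (type 0x{p['type']:02x}, "
                            f"LBA {p['lba_start']}, {p['sectors']} sectors)")
        elif index not in cur_parts:
            findings.append(f"partition entry {index} removed")
        elif base_parts[index] != cur_parts[index]:
            findings.append(f"partition entry {index} modified")
    return findings


def build_mbr(boot_code: bytes, entries, disk_signature=0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR so the comparison can be exercised without a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for index, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + index * 16,
                         status, ptype, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed samples (not real boot code and not real TDL4 data): a clean disk with one NTFS
# system volume, and a copy whose boot code was replaced and which gained a small extra
# partition in the free space after the OS volume, the shape of change a bootkit makes.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64,
                      [(0x80, 0x07, 2048, 1_000_000)])
SUSPECT_MBR = build_mbr(b"\xeb\x3e\x90" + b"\x00" * 32,
                        [(0x80, 0x07, 2048, 1_000_000), (0, 0, 0, 0), (0, 0, 0, 0),
                         (0x00, 0x1b, 1_002_048, 4096)])

if __name__ == "__main__":
    for line in compare_mbr(CLEAN_MBR, SUSPECT_MBR):
        print("FINDING:", line)
```

A partition entry that appears out of nowhere, especially one placed in unallocated space past the last real volume, is worth as much attention as the changed boot code itself, since that is where a bootkit keeps its own file system.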
Much of this information was pulled from TechWorld.
One of the newer partition-infecting variants includes a dropper located at c:\windows\svchost.exe.
As we reported a few days ago, Shamoon is a new trojan that can take control of a computer and then infect the MBR. After fuller study, however, it does not appear to be as “up-to-speed” as researchers first thought.
ThreatPost reports on the issues: “Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.”
“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post.
Instead, researchers are finding that Shamoon simply steals data from the machine before infecting the MBR. Some, ourselves included, consider Shamoon the work of a script kiddie.
The malware is also poorly engineered: it relies on a Windows service whose startup type is set to Automatic, and if that service is stopped, half of the malware stops working. This peculiarity suggests that Shamoon may be just a test of the author's abilities and could lead to more complex malware later.
As usual, stay tuned here for more updates in the future on the Shamoon malware.
Grab some Popchips, have a seat, and read the latest on a new MBR-infecting malware. Keep in mind that these are not new techniques, just a new name for an old one.
According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization’s network.
During the attack, command-and-control traffic is also relayed through a second computer, the one the first infected computer originally sent its data to. In other words, a second trojan component on that computer accepts the data and communicates with the attackers' servers on the others' behalf.
We call this second computer a “master”: it is the core machine used to send data to the server. It can accept data from multiple infected computers, not just one. This is similar to the botmasters we see on IRC networks, doing much the same job, only automatically.
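The “master” pattern described above has a network signature a defender can look for: several internal hosts send data to one internal peer, and that peer alone forwards a comparable volume to an outside address. The Python below is an added example, not code from Seculert or from this blog; the flow records are constructed for the demonstration and the thresholds are assumptions to tune per network. It expects per-connection byte totals of the kind a firewall or NetFlow export already provides.

```python
import ipaddress
from collections import defaultdict

# Address space treated as "inside"; everything else counts as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_internal_sources=3, min_egress_ratio=0.5):
    """Flag internal hosts that collect data from several internal peers and
    forward a comparable volume outside the network.

    flows: iterable of (src_ip, dst_ip, bytes) records summarised from a
    firewall or NetFlow export. Thresholds are assumed starting points.
    """
    inbound_sources = defaultdict(set)
    inbound_bytes = defaultdict(int)
    egress_bytes = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound_sources[dst].add(src)
            inbound_bytes[dst] += nbytes
        elif is_internal(src):
            egress_bytes[src] += nbytes
    candidates = []
    for host, sources in inbound_sources.items():
        if len(sources) < min_internal_sources:
            continue
        if egress_bytes[host] < min_egress_ratio * inbound_bytes[host]:
            continue   # collects data but never ships it out; not a relay
        candidates.append({
            "host": host,
            "sources": sorted(sources),
            "bytes_in": inbound_bytes[host],
            "bytes_out": egress_bytes[host],
        })
    return candidates


# Constructed flow summary (not from any real incident). Three workstations hand
# data to 10.0.5.50, which alone talks to an outside address; 10.0.5.20 browses
# the web normally and both hosts query the internal DNS server 10.0.5.1.
SAMPLE_FLOWS = [
    ("10.0.5.11", "10.0.5.50", 120_000),
    ("10.0.5.12", "10.0.5.50", 98_000),
    ("10.0.5.13", "10.0.5.50", 143_000),
    ("10.0.5.50", "203.0.113.77", 360_000),
    ("10.0.5.20", "10.0.5.1", 800),
    ("10.0.5.50", "10.0.5.1", 600),
    ("10.0.5.20", "198.51.100.10", 5_000),
]

if __name__ == "__main__":
    for c in find_relay_candidates(SAMPLE_FLOWS):
        print(f"{c['host']} relays for {len(c['sources'])} hosts: "
              f"{c['bytes_in']} bytes in, {c['bytes_out']} bytes out")
```

A file server or web proxy will trip this heuristic by design, so the known egress points should be listed and excluded first; what remains is a workstation that has no business aggregating traffic for its neighbours.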
The surprise is that the malware cripples the computer after the data is stolen. Normally malware writers simply withdraw from a computer and do no damage beyond one or two infected files. At this point it is unknown what algorithm is used to overwrite the files, but it is known that the MBR is infected in the process.
What does this malware overwrite? Documents, pictures, videos, and so on: it targets personal data that could otherwise have been salvaged. Sadly, even after the malware is removed, the data cannot be recovered. It doesn't hold it for ransom; it just overwrites it. It is also unknown right now whether the files are overwritten with malicious code that, when executed, would spread more malware to the computer. That assumes the MBR infection can be cleaned first and the operating system can be reached at all.
In the end, it’s just another malware to be removed!
Now, time for technical details:
- Reporting agent (keeps in touch with the hacker): %systemroot%\system32\netinit.exe
- Dropper (distributes the malware on the system): %systemroot%\system32\trksrv.exe
- Kernel-mode driver (a clean driver used to gain root-level access so the MBR can be infected): %systemroot%\system32\drivers\drdisk.sys
- File-wiping module (literally wipes files on the system): %systemroot%\system32\[RANDOM_NAME].exe
Service information for trksrv.exe:
- Display name: Distributed Link Tracking Server
- Service name: TrkSrv
- File name: trksrv.exe
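The file paths and service details above, together with the c:\windows\svchost.exe dropper noted for the TDL4-style partition infection earlier on this page, are the indicators a responder would sweep a fleet for. The Python below is an added example, not code from this blog or from any vendor, that runs such a sweep over an exported inventory of files and installed services (the `Service` record and the sample entries are constructed; the only real fact relied on is that the legitimate svchost.exe lives in System32, so a copy directly under the Windows directory is suspect). It also reports whether a matching service auto-starts, because the Shamoon write-up notes that stopping the service disables much of the malware. The randomly named wiper module cannot be matched by path, so it is deliberately absent from the indicator list.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    display_name: str
    image_path: str
    start_type: str          # "auto", "manual" or "disabled", as reported by the service manager


# File indicators quoted in the write-ups above; %systemroot% is expanded at check time.
FILE_INDICATORS = {
    r"c:\windows\svchost.exe": "dropper outside System32 (the real svchost.exe lives in System32)",
    r"%systemroot%\system32\netinit.exe": "Shamoon reporting agent",
    r"%systemroot%\system32\trksrv.exe": "Shamoon dropper",
    r"%systemroot%\system32\drivers\drdisk.sys": "Shamoon kernel-mode driver",
}
# Service details for trksrv.exe as listed above.
SERVICE_INDICATOR = {"name": "trksrv",
                     "display_name": "distributed link tracking server",
                     "binary": "trksrv.exe"}


def expand_systemroot(path: str, systemroot: str = r"C:\Windows") -> str:
    """Expand %systemroot% case-insensitively and normalise to lower case for comparison."""
    return re.sub(r"%systemroot%", lambda _: systemroot, path, flags=re.IGNORECASE).lower()


def check_files(present_files, systemroot=r"C:\Windows"):
    """Return (path, description) for every file indicator found in an inventory of existing files."""
    present = {expand_systemroot(p, systemroot) for p in present_files}
    return [(expand_systemroot(ioc, systemroot), desc)
            for ioc, desc in FILE_INDICATORS.items()
            if expand_systemroot(ioc, systemroot) in present]


def image_basename(image_path: str, systemroot: str) -> str:
    """Strip service arguments such as '-k netsvcs' and return just the executable name."""
    image = expand_systemroot(image_path, systemroot).strip('"')
    head, sep, _ = image.partition(".exe")
    return ntpath.basename(head + sep) if sep else ntpath.basename(image)


def check_services(services, systemroot=r"C:\Windows"):
    """Flag services matching the TrkSrv indicator by name, or by display name plus binary."""
    hits = []
    for svc in services:
        exe = image_basename(svc.image_path, systemroot)
        name_match = svc.name.lower() == SERVICE_INDICATOR["name"]
        lookalike = (svc.display_name.lower() == SERVICE_INDICATOR["display_name"]
                     and exe == SERVICE_INDICATOR["binary"])
        if name_match or lookalike:
            hits.append({"service": svc.name, "binary": exe,
                         "autostart": svc.start_type.lower() == "auto"})
    return hits


# Constructed inventory for a demo run (not data from a real machine). TrkWks is the
# legitimate Distributed Link Tracking Client service, included to show it is not flagged.
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"C:\Windows\System32\drivers\drdisk.sys",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_SERVICES = [
    Service("TrkWks", "Distributed Link Tracking Client",
            r"%SystemRoot%\System32\svchost.exe -k netsvcs", "manual"),
    Service("TrkSrv", "Distributed Link Tracking Server",
            r"%SystemRoot%\system32\trksrv.exe", "auto"),
]

if __name__ == "__main__":
    for path, desc in check_files(SAMPLE_FILES):
        print(f"FILE    {path}: {desc}")
    for hit in check_services(SAMPLE_SERVICES):
        print(f"SERVICE {hit['service']} -> {hit['binary']} (autostart={hit['autostart']})")
```

Feed it a directory listing and service export taken from a forensic image or a rescue environment rather than from the running system, since a rootkit that hides its files from the live OS will hide them from this check too.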
Once it has finished deleting or modifying the MBR, you may see one of a few messages at system startup:
- Operating System not found (75% of the time probably)
- (Windows Advanced Options Menu Appears) Windows has failed to start… (10% of the time probably)
- Blue Screen of Death (other 15% of the time probably)
The percentages in parentheses are only speculation. Whatever the exact message, expect this malware to cause a system failure or leave the machine unable to boot. Beware!
In addition, it is best to have a good data backup plan, since that is what limits the damage from data-wiping malware like this.