Category Archives: Trojan

Recover from a Trojan or virus

If you know what specific malicious program has infected your computer, you can visit one of several anti-virus web sites and download a removal tool. Chances are, however, that you will not be able to identify the specific program. Unfortunately your other choices are limited, but the following steps may help save your computer and your files.


1.  Call IT support

If you have an IT support department at your disposal, notify them immediately and follow their instructions.


2.  Disconnect your computer from the Internet

Depending on what type of Trojan horse or virus you have, intruders may have access to your personal information and may even be using your computer to attack other computers. You can stop this activity by turning off your Internet connection. The best way to accomplish this is to physically disconnect your cable or phone line, but you can also simply “disable” your network connection.


3.  Back up your important files

At this point it is a good idea to take the time to back up your files. If possible, compile all of your photos, documents, Internet favorites, etc., and burn them onto a CD or DVD or save them to some other external storage device. It is vital to note that these files cannot be trusted since they are still potentially infected. (Actually, it’s good practice to back up your files on a regular basis so that if they do get infected, you might have an uninfected set you can restore.)


4.  Scan your machine

Since your computer (including its operating system) may be infected with a malicious program, it is safest to scan the machine from a live CD (or “rescue” CD) rather than a previously installed antivirus program. Many antivirus products provide this functionality. Another alternative is to use a web-based virus removal service, which some antivirus software vendors offer (try searching on “online virus scan”).


The next best action is to install an antivirus program from an uncontaminated source such as a CD-ROM. If you don’t have one, there are many to choose from, but all of them should provide the tools you need.


After you install the software, complete a scan of your machine. The initial scan will hopefully identify the malicious program(s). Ideally, the anti-virus program will even offer to remove the malicious files from your computer; follow the advice or instructions you are given.


If the anti-virus software successfully locates and removes the malicious files, be sure to follow the precautionary steps in Step 7 to prevent another infection. In the unfortunate event that the anti-virus software cannot locate or remove the malicious program, you will have to follow Steps 5 and 6.


5.  Reinstall your operating system

If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system. Although this corrective action will also result in the loss of all your programs and files, it is the only way to ensure your computer is free from backdoors and intruder modifications.


Many computer vendors also offer a rescue partition or disc(s) that will do a factory restore of the system. Check your computer’s user manual to find out whether one of these is provided and how to run it.


Before conducting the reinstall, make a note of all your programs and settings so that you can return your computer to its original condition.

It is vital that you also reinstall your anti-virus software and apply any patches that may be available.

6.  Restore your files

If you made a backup in Step 3, you can now restore your files. Before placing the files back in directories on your computer, you should scan them with your anti-virus software to check them for known viruses.


7.  Protect your computer

To prevent future infections, you should take the following precautions:

  • Do not open unsolicited attachments in email messages.
  • Do not follow unsolicited links.
  • Maintain updated anti-virus software.
  • Use an Internet firewall.
  • Secure your web browser.
  • Keep your system patched.

To ensure that you are doing everything possible to protect your computer and your important information, you may also want to read some of the articles in the resources section below.

Actually – What is a virus?

What is a virus?
A computer virus is a program that spreads by first infecting files or the system areas of a computer or network router’s hard drive and then making copies of itself. Some viruses are harmless, others may damage data files, and some may destroy files. Viruses used to be spread when people shared floppy disks and other portable media; now they are primarily spread through email messages.

Unlike worms, viruses often require some sort of user action (e.g., opening an email attachment or visiting a malicious web page) to spread.

What do viruses do?
A virus is simply a computer program; it can do anything that any other program you run on your computer can do. Some viruses are designed to deliberately damage files, and others may just spread to other computers.

What is a worm?
A worm is a type of virus that can spread without human interaction. Worms often spread from computer to computer and take up valuable memory and network bandwidth, which can cause a computer to stop responding. Worms can also allow attackers to gain access to your computer remotely.

What is a Trojan horse?
A Trojan horse is a computer program that is hiding a virus or other potentially damaging program. A Trojan horse can be a program that purports to do one action when, in fact, it is performing a malicious action on your computer. Trojan horses can be included in software that you download for free or as attachments in email messages.

Can I get a virus by reading my email messages?
Most viruses, Trojan horses, and worms are activated when you open an attachment or click a link contained in an email message. If your email client allows scripting, then it is possible to get a virus by simply opening a message. It’s best to limit what HTML is available in your email messages. The safest way to view email messages is in plain text.

How can I avoid a virus infection from email?
Most users get viruses from opening and running unknown email attachments. Never open anything that is attached to an email message unless you know the contents of the file. If you receive an attachment from a familiar email address, but were not expecting anything, you should contact the sender before opening the attachment. If you receive a message with an attachment and you do not recognize the sender, you should delete the message.

Selecting the option to view your email messages in plain text, not HTML, will also help you to avoid a virus.

What are some tips to avoid viruses and lessen their impact?

  • Install anti-virus software from a reputable vendor. Update it and use it regularly.
  • In addition to scanning for viruses on a regular basis, install an “on access” scanner (included in most anti-virus software packages) and configure it to start each time you start up your computer. This will protect your system by checking for viruses each time you run an executable file.
  • Use a virus scan before you open any new programs or files that may contain executable code. This includes packaged software that you buy from the store as well as any program you might download from the Internet.
  • If you are a member of an online community or chat room, be very careful about accepting files or clicking links that you find or that people send you within the community.
  • Make sure you back up your data (documents, bookmark files, important email messages, etc.) on disc so that in the event of a virus infection, you do not lose valuable work.

Europeans most at risk from surge in Dyre malware attacks June 2015

The Dyre malware campaign returned with nasty new features in the first three months of 2015 causing a spike in infections, Trend Micro has reported.

The company said that infections of the malware on computers rose 125 percent to around 9,000 in the period from January to March.

Some 39 percent of the infections were in Europe, although North America was only just behind on 38 percent. Infections in Asia-Pacific were lower at 19 percent.

French web users were most at risk. Around 34 percent of all infections in the region were in the country, followed by Germany on 14.5 percent and Spain on nine percent. The UK was fourth with just under nine percent.

Trend Micro said that the malware variant is delivered through spam emails that use scare tactics about taxes, usually relating to VAT, to trick people into opening an attachment that contains the malware.

The new variant, labelled TSPY_DYRE.IK, is particularly nasty as it contains several new functions that allow it to bypass detection, including the ability to disable firewalls and network-related security tools.

Once installed it can carry out a variety of functions, such as man-in-the-middle attacks via browser injections, taking browser screenshots, and stealing personal security certificates and online banking credentials.

Trend Micro also said that the malware switches off Windows’ default anti-malware feature in a bid to make Dyre downloads easier, an example of just how cunning cyber criminals are becoming, according to Bharat Mistry, cyber security consultant at Trend Micro.

“As more users turn to internet banking, cyber criminals are focusing their attention on easy targets for the bigger payout,” he said.

“The quality of the applications and security controls on mobile platforms are still maturing and cyber criminals are seeing these as ‘easy pickings’.

“The criminals carrying out this latest string of attacks are using numerous sophisticated techniques. The resulting banking credentials theft is the focus and is ultimately what is used to illicitly transfer money from victims’ accounts.”

Trend Micro urged internet users to remain on their guard against emails relating to tax and other banking issues and to be wary of clicking on any attachments.

Dyre first hit the headlines last year when Salesforce warned customers that they were being targeted by the malware.

Skeleton Key Malware Analysis

Summary

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”

CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to log in to and unlock systems that authenticate users against the compromised AD domain controllers.

The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days after a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.

Skeleton Key requires domain administrator credentials for deployment. CTU researchers have observed threat actors deploying Skeleton Key using credentials stolen from critical servers, administrators’ workstations, and the targeted domain controllers.

Analysis

CTU researchers initially observed a Skeleton Key sample named ole64.dll on a compromised network (see Table 1).

Filename: ole64.dll
MD5: bf45086e6334f647fda33576e2a05826
SHA1: 5083b17ccc50dd0557dfc544f84e2ab55d6acd92
Compile time: 2014-02-19 09:31:29
Deployed: As required (typically downloaded using malware and then deleted after use)
File size: 49664 bytes
Sections: .text, .rdata, .data, .pdata, .rsrc, .reloc
Exports: ii (installs the patch); uu (uninstalls the patch); DllEntryPoint (default DLL entry point)

Table 1. Skeleton Key sample ole64.dll.

When investigating ole64.dll, CTU researchers discovered an older variant named msuta64.dll on a “jump host” in the victim’s network (see Table 2). The jump host is any system previously compromised by the threat actors’ remote access malware. This variant includes additional debug statements, which allow the Skeleton Key developer to observe the memory addresses involved in the patching process.

Filename: msuta64.dll
MD5: 66da7ed621149975f6e643b4f9886cfd
SHA1: ad61e8daeeba43e442514b177a1b41ad4b7c6727
Compile time: 2012-09-20 08:07:12
Deployed: 2013-09-29 07:58:16
File size: 50688 bytes
Sections: .text, .rdata, .data, .pdata, .rsrc, .reloc
Exports: i (installs the patch); u (uninstalls the patch); DllEntryPoint (default DLL entry point)

Table 2. Skeleton Key sample msuta64.dll.

The threat actors used the following process to deploy Skeleton Key as a 64-bit DLL file:

  1. Upload the Skeleton Key DLL file to a staging directory on a jump host in the victim’s network. CTU researchers have observed three filenames associated with the Skeleton Key DLL file: ole64.dll, ole.dll, and msuta64.dll. Windows systems include a legitimate ole32.dll file, but it is not related to this malware.
  2. Attempt to access the administrative shares on the domain controllers using a list of stolen domain administrator credentials.
  3. If the stolen credentials are no longer valid, use password theft tools to extract clear text domain administrator passwords from one of the following locations, which suggest a familiarity with the victim’s environment:
    • memory of another accessible server on the victim’s network
    • domain administrators’ workstations
    • targeted domain controllers
  4. Use valid domain administrator credentials to copy the Skeleton Key DLL to C:\WINDOWS\system32 on the target domain controllers.
  5. Use the PsExec utility to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The threat actor’s chosen password is formatted as an NTLM password hash rather than provided in clear text. After Skeleton Key is deployed, the threat actor can authenticate as any user using the threat actor’s configured NTLM password hash:
    psexec -accepteula %TARGET-DC% rundll32 <DLL filename> ii <NTLM password hash>
  6. Delete the Skeleton Key DLL file from C:\WINDOWS\system32 on the targeted domain controllers.
  7. Delete the Skeleton Key DLL file from the staging directory on the jump host.
  8. Test for successful Skeleton Key deployment using “net use” commands with an AD account and the password that corresponds to the configured NTLM hash.

CTU researchers have observed a pattern for the injected password that suggests that the threat group has deployed Skeleton Key in multiple organizations.

The use of PsExec can be detected within a Windows environment by alerting on the Windows events generated by the utility. The following Event IDs observed on the targeted domain controllers record the PsExec tool installing its service, starting the service, and stopping the service. These events are created every time PsExec is used, so additional analysis of the events is required to determine if they are malicious or legitimate:

  • Unexpected PSEXESVC service install events (event ID 7045) on AD domain controllers:
    Log Name: System
    Source: Service Control Manager
    Summary: A service was installed in the system.
    Service File Name: %SystemRoot%\PSEXESVC.exe
  • Unexpected PSEXESVC service start / stop events (event ID 7036) on AD domain controllers:
    Log Name: System
    Source: Service Control Manager
    Summary:

    • “The PSEXESVC service entered the running state.”
    • “The PSEXESVC service entered the stopped state.”

When run, Skeleton Key performs the following tasks:

  1. Check for one of the following compatible 64-bit Windows versions. The malware is not compatible with 32-bit Windows versions or with Windows Server versions beginning with Windows Server 2012 (6.2).
    • 6.1 (Windows 2008 R2)
    • 6.0 (Windows Server 2008)
    • 5.2 (Windows 2003 R2)
  2. Use the SeDebugPrivilege function to acquire the necessary administrator privileges to write to the Local Security Authority Subsystem Service (LSASS) process. This process controls security functions for the AD domain, including user account authentication.
  3. Enumerate available processes to acquire a handle to the LSASS process.
  4. Obtain addresses for the authentication-related functions that will be patched:
    • CDLocateCSystem — located in cryptdll.dll
    • SamIRetrieveMultiplePrimaryCredentials — located in samsrv.dll
    • SamIRetrievePrimaryCredentials — located in samsrv.dll
  5. Perform OS-specific adjustments using the global variable set during the compatibility check in Step 1.
  6. Use the OpenProcess function to acquire a handle to the LSASS process.
  7. Reserve and allocate the required memory space to edit and patch the LSASS process’s memory.
  8. Patch relevant functions based on the operating system:
    • CDLocateCSystem (all compatible Windows versions)
    • SamIRetrieveMultiplePrimaryCredentials (only Windows 2008 R2 (6.1))
    • SamIRetrievePrimaryCredentials (all compatible Windows versions other than Windows 2008 R2 (6.1))

Skeleton Key performs the following steps to patch each function:

  1. Call the VirtualProtectEx function to change the memory protection to allow writing to the required memory allocations (PAGE_EXECUTE_READWRITE, 0x40). This step allows the function’s code to be updated in memory.
  2. Call the WriteProcessMemory function to change the address of the target function to point to the patched code. This change causes calls to the target function to use the patch instead.
  3. Restore the original memory protection by calling VirtualProtectEx with the original memory protection flags. This step is likely to avoid suspicious writable and executable memory allocations.

After patching, the threat actor can use the Skeleton Key password configured at the time of deployment to log in as any domain user. Legitimate users can still log in using their own passwords. This authentication bypass applies to all services that use single-factor AD authentication, such as web mail and VPNs, and it also allows a threat actor with physical access to a compromised system to unlock the computer by typing the injected password on the keyboard.

Possible link to domain replication issues

The Skeleton Key malware does not transmit network traffic, making network-based detection ineffective. However, the malware has been implicated in domain replication issues that may indicate an infection. Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve. These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism. Figure 1 shows the timeline of these reboots and the threat actors’ subsequent password theft, lateral expansion, and Skeleton Key deployment. Redeployments typically occurred within several hours to several days of the reboot.

Figure 1. Relationships of deployments and reboots observed by CTU researchers, April - July 2014. (Source: Dell SecureWorks)

Countermeasures

The Skeleton Key malware bypasses authentication and does not generate network traffic. As a result, network-based intrusion detection and intrusion prevention systems (IDS/IPS) will not detect this threat. However, CTU researchers wrote the YARA signatures in Appendix A to detect a Skeleton Key DLL and the code it injects into the LSASS process’s memory.

Threat indicators

The threat indicators in Table 3 can be used to detect activity related to the Skeleton Key malware.

Indicator                                  Type       Context
66da7ed621149975f6e643b4f9886cfd           MD5 hash   Skeleton Key patch msuta64.dll
ad61e8daeeba43e442514b177a1b41ad4b7c6727   SHA1 hash  Skeleton Key patch msuta64.dll
bf45086e6334f647fda33576e2a05826           MD5 hash   Skeleton Key patch ole64.dll
5083b17ccc50dd0557dfc544f84e2ab55d6acd92   SHA1 hash  Skeleton Key patch ole64.dll

Table 3. Indicators for the Skeleton Key malware.

Conclusion

The CTU research team recommends that organizations implement the following protections to defend against the Skeleton Key malware:

  • Multi-factor authentication for all remote access solutions, including VPNs and remote email, prevents threat actors from bypassing single-factor authentication or authenticating using stolen static credentials.
  • A process creation audit trail on workstations and servers, including AD domain controllers, may detect Skeleton Key deployments. Specifically, organizations should look for the following artifacts:
    • Unexpected PsExec.exe processes and the use of the PsExec “-accepteula” command line argument
    • Unexpected rundll32.exe processes
    • Process arguments that resemble NTLM hashes (32 characters long, containing digits 0-9 and characters A-F)
  • Monitoring Windows Service Control Manager events on AD domain controllers may reveal unexpected service installation events (event ID 7045) and service start/stop events (event ID 7036) for PsExec’s PSEXESVC service.
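The Service Control Manager events listed under the deployment process and the process-creation artifacts listed in the Conclusion can be turned into a small triage check. The Python below is an added example, not code from the CTU report: it applies those criteria to constructed sample events (the event dict layout is an assumption, and the 32-character hex value in the samples is a placeholder, not a real hash).

```python
import re
from dataclasses import dataclass

# A 32-character hex token standing on its own, the shape of an NTLM hash
# (32 characters, digits 0-9 and letters A-F), as the report's Conclusion describes.
NTLM_LIKE = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{32}(?![0-9A-Za-z])")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _image_name(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(host, image, cmdline):
    """Process-creation checks: PsExec with -accepteula, rundll32, hash-like arguments."""
    findings = []
    name = _image_name(image)
    if name == "psexec.exe" and "-accepteula" in cmdline.lower():
        findings.append(Finding(host, "psexec_accepteula", cmdline))
    if name == "rundll32.exe":
        findings.append(Finding(host, "rundll32", cmdline))
    for token in NTLM_LIKE.findall(cmdline):
        findings.append(Finding(host, "ntlm_like_argument", token))
    return findings


def check_service_event(host, event_id, message):
    """Service Control Manager checks: PSEXESVC install (7045) or start/stop (7036)."""
    if "PSEXESVC" not in message.upper():
        return []
    if event_id == 7045:
        return [Finding(host, "psexesvc_installed", message)]
    if event_id == 7036:
        return [Finding(host, "psexesvc_start_stop", message)]
    return []


def scan_events(events, domain_controllers):
    """Run the checks over event dicts; the service checks apply to domain controllers only."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            findings.extend(check_process_event(ev["host"], ev["image"], ev["cmdline"]))
        elif ev["kind"] == "service" and ev["host"] in domain_controllers:
            findings.extend(check_service_event(ev["host"], ev["event_id"], ev["message"]))
    return findings


def rule_counts(findings):
    """Count findings per rule name for a quick triage summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample events, not real telemetry. The 32-hex-character value is a
# placeholder with the shape of an NTLM hash, not an actual credential hash.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "JUMP01", "image": r"C:\tools\PsExec.exe",
     "cmdline": r"psexec -accepteula \\DC01 rundll32 ole64.dll ii 00112233445566778899aabbccddeeff"},
    {"kind": "service", "host": "DC01", "event_id": 7045,
     "message": r"A service was installed in the system. Service File Name: %SystemRoot%\PSEXESVC.exe"},
    {"kind": "service", "host": "DC01", "event_id": 7036,
     "message": "The PSEXESVC service entered the running state."},
    {"kind": "process", "host": "DC01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32 ole64.dll ii 00112233445566778899aabbccddeeff"},
    {"kind": "process", "host": "WS07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"kind": "service", "host": "WS07", "event_id": 7036,
     "message": "The Spooler service entered the running state."},
]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS, {"DC01"}):
        print(f"{f.host:6} {f.rule:22} {f.detail}")
```

As the report notes, PsExec is also used legitimately, so every hit still needs an analyst to confirm it is unexpected for that host.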

Appendix A — YARA signatures

The following YARA signatures detect the presence of Skeleton Key on a system, by scanning either a suspicious file or a memory dump of Active Directory domain controllers suspected to contain Skeleton Key.

rule skeleton_key_patcher
{
strings:
       $target_process = "lsass.exe" wide
       $dll1 = "cryptdll.dll"
       $dll2 = "samsrv.dll"

       $name = "HookDC.dll"

       $patched1 = "CDLocateCSystem"
       $patched2 = "SamIRetrievePrimaryCredentials"
       $patched3 = "SamIRetrieveMultiplePrimaryCredentials"

condition:
       all of them
}


rule skeleton_key_injected_code
{
strings:
       $injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00
                     00 48 81 C4 58 01 00 00 C3 }

       $patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA
                     8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00
                     00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F
                     84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }

       $patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74
                     24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42
                     08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83
                     78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48
                     8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }

       $patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10
                     48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B
                     40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E
                     66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6
                     8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }

condition:
       any of them
}

DO-NOT-REPLY Datasharp UK Ltd – Monthly Invoice & Report – Word doc malware

DO-NOT-REPLY Datasharp UK Ltd – Monthly Invoice & Report, pretending to come from ebilling@datasharp.co with a malicious Word doc attachment, is another one from the current bot runs that try to download various Trojans and password stealers, especially banking credential stealers, which may include Cridex, Dridex, Dyreza and various Zbots, CryptoLocker, ransomware and loads of other malware onto your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-size businesses, in the hope of getting a better response than they do from consumers.
Almost all of these also have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.

All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Datasharp.co.uk is a legitimate tech company in Cornwall UK that deals with IT support and telecoms for a multitude of companies and organisations. They are not sending these emails and their systems have not been hacked or compromised. Please do not ring them or continually email them. They have absolutely no control over these emails. They are innocent victims of this attempt to spread malware in the same way as every recipient of the email is.

This email has what appears to be a genuine Word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Definitely DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious Word documents appear to be blank when opened in protected view mode, which should be the default in Office 2010, 2013 and 365.

What can be infected by this
At this time, these only affect Windows computers. They do not affect a Mac, iPhone, BlackBerry, Windows phone or Android phone. The malicious Word or Excel file can open on any system, and potentially the macro will run on Windows or Mac, BUT the malware that the macro tries to download is Windows specific, so it will not harm or infect any computer except a Windows computer. You will not be infected if you do not have macros enabled in Excel or Word.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.

The email looks like:

THIS MESSAGE WAS SENT AUTOMATICALLY

Attached is your Invoice from Datasharp Hosted Services for this month.

To view your bill please go to www.datasharp.co.uk.  Allow 24 hours before viewing this information.

For any queries relating to this bill, please contact hosted.services@datasharp.co.uk or call 01872 266644.

Please put your account number on your reply to prevent delays

Kind Regards Ebilling

DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report

Update: Dynamoo’s blog informs us that this malware attempts to download an additional component from the following locations:

http://TICKLESTOOTSIES.COM/js/bin.exe

http://nubsjackbox.oboroduki.com/js/bin.exe

The tickletootsies.com download location has been cleaned up, but the other one is still working, and it downloads a file with a VirusTotal detection rate of 5/56.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file type that you use every day.

The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension; that is the three letters at the end of the file name. Unfortunately Windows by default hides the file extensions, so you need to set your folder options to “show known file types”. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, or a report in Word document format that work has supposedly sent you to finish working on at the weekend, you can easily see if it is a picture or document and not a malicious program. If you see .EXE or .COM or .PIF or .SCR at the end of the file name DO NOT click on it or try to open it; it will infect you.

With these malformed infected Word and other Office documents that normally contain a VBA macro virus, the vital thing is do not open any Office document directly from your email client or the web. Always save the document to a safe location on your computer, normally your downloads folder or your documents folder, and scan it with your antivirus. Many antivirus products do not natively detect VBA macro viruses in real-time protection, and you need to enable document or Office protection in the settings.
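An added example, not code from the original post: a Python check that applies the advice above to a saved attachment. It looks at the real (last) extension, flags disguised double extensions such as picture.jpg.exe both on the attachment and inside a zip, and reports an Office document that carries a VBA project. It inspects only the ZIP-based OOXML formats (.docx/.docm and friends); a legacy binary .doc, the format these invoice emails typically use, is not a ZIP, so the check can only label it as uninspectable. All sample attachments are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePath

# Extensions the post warns about; a file ending in one of these is a program, not a picture.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr"}
# ZIP-based Office formats whose container may hold a VBA project part.
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Legacy binary formats: not ZIP-based, so the macro check below cannot see inside them.
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt"}


def classify_name(filename):
    """Classify a file name by its real (last) extension and any disguised double extension."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    if real_ext in EXECUTABLE_EXTS:
        # e.g. "Sallys_dog.jpg.exe": looks like a picture when extensions are hidden
        return "executable-disguised" if len(suffixes) > 1 else "executable"
    return "document"


def ooxml_has_vba(data):
    """Return True if an OOXML (ZIP-based) Office file contains a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(PurePath(n).name.lower() == "vbaproject.bin" for n in zf.namelist())


def inspect_attachment(filename, data):
    """Return the reasons to distrust an attachment (empty list if nothing was found)."""
    reasons = []
    verdict = classify_name(filename)
    if verdict != "document":
        reasons.append(f"{verdict}: {filename}")
    ext = PurePath(filename).suffix.lower()
    if ext == ".zip":
        # Look inside the archive: the disguised program is usually a zip member.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                mv = classify_name(member)
                if mv != "document":
                    reasons.append(f"zip member {mv}: {member}")
    elif ext in OOXML_EXTS and ooxml_has_vba(data):
        reasons.append(f"office document with VBA macros: {filename}")
    elif ext in LEGACY_OFFICE_EXTS:
        reasons.append(f"legacy binary Office format, macros not inspectable here: {filename}")
    return reasons


def _build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real attachments.
SAMPLE_ZIP = _build_zip({"Sallys_dog.jpg.exe": b"MZ-placeholder", "readme.txt": b"hi"})
SAMPLE_DOCM = _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"placeholder"})
SAMPLE_DOCX = _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 header bytes, nothing else


if __name__ == "__main__":
    for name, blob in [("pictures.zip", SAMPLE_ZIP), ("Invoice.docm", SAMPLE_DOCM),
                       ("Invoice.docx", SAMPLE_DOCX), ("Invoice.doc", SAMPLE_DOC)]:
        print(name, inspect_attachment(name, blob) or ["no findings"])
```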

Be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs, because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version. The risks in using older versions are now seriously starting to outweigh the convenience, benefits and cost of keeping an old version going.

I strongly urge you to update your Office software to the latest version and stop putting yourself at risk by using old, out-of-date software.

All modern versions of Word and other Office programs, that is 2010, 2013 and 365, should open all Microsoft Office documents (Word docs, Excel files, PowerPoint etc.) that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document until you are 100% sure that it is a safe document. If the protected mode bar appears when opening the document DO NOT enable editing mode; the document will look blank, but it will be safe.

The algorithm of the Trojan

The Trojan horse which I have created presents itself as an antivirus program that scans the computer for malware programs. However, in reality it does nothing other than eat up the hard disk space on the root drive by filling it up with a huge junk file. The rate at which it fills up the hard disk space is too high. As a result, the root drive gets filled up completely within minutes of running this program.

Once the disk space is full, the Trojan reports that the scan is complete. The victim will not be able to clean up the hard disk space using any of the cleanup programs. This is because the Trojan intelligently creates a huge file in the Windows\System32 folder with the .dll extension. Since the junk file has the .dll extension, it is often ignored by the disk cleanup software. Hence there is no way to recover the hard disk space other than reformatting the drive.

The algorithm of the Trojan is as follows:

  1. Search for the root drive.
  2. Navigate to %systemroot%\Windows\System32 on the root drive.
  3. Create the file named “spceshot.dll”.
  4. Start dumping the junk data onto the above file and keep increasing its size until the drive is full.
  5. Once the drive is full, stop the process.

You can download the Trojan source code Space_Eater. Please note that I have not included the executable for security reasons. You need to compile it to obtain the executable.

How to test this trojan horse?

To test the trojan, just run the SpaceEater.exe file on your computer. It will generate a warning message at the beginning. Once you accept it, the Trojan runs and eats up the hard disk space.

NOTE: To remove the warning message you have to edit the source code and then re-compile it.

How to fix the damage and free up the space?

To remove the damage and free up the space, just type the following in the “run” dialog box:

%systemroot%\system32

Now search for the file “spceshot.dll”. Just delete it and you’re done. No need to re-format the hard disk.

List of Trojan Creation Programs or Software

This list is here to make sure you know how to defend yourself.

Links …well search yourself.


RAT means Remote Administration Tools.

Xtreme Rat
HerpesNet
MicroRat
SpyNet
ZeuS (Bot)
SpyEye (Bot)
LostDoor
DeeperRat
Apocalypse
Arabian Attacker
Cerberus
CyberEye
Poison Ivy
Daleth RAT
DarkMoon
DRAT 2009
Erebus
Golden Phoenix Rat
GraphicBooting RAT
m0sck3r
MiniMo
miniRAT
MofoTro
NetDevil
NovaLite
Nuclear
Omerta13
Optix
Pocket RAT
ProRat
SharpEye-Rat
solitude_1.0
SubSeven_2.3
Synrat v4.3.1
theef_210
Turkojan4
Vanguard
Venomous Ivy
VorteX RAT
Y3kRat2k5RC10
Yuri_V12
xHacker