Zeus Infection Spoofing Bitdefender AV

by


Over the Christmas period, we here at Webroot  have noticed a large amount of Zeus infections that are spoofing the Bitdefender name.

While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5`s in the last week alone!

The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website.

Infection Information:

  • File size is normally around 200-300kb
  • It’s located in one path of the users appdata folder with a random path+file name
  • C:\users\testPC\Appdata\<random letters>\<random letters.exe
  • Usually dropped via an exploit kit (Blackhole being the most popular)
  • However, it has also been seen attached to Spam emails
  • Can disable Windows Firewall and Security Center
  • Has the ability to connect to a remote server to download updates
  • Can download other infections

Behaviour:

This infection can get onto a user’s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kits uses Java Exploits to drop and execute a file.

Unless the user is very alert, they typically won’t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically ran on start-up.

The first is a registry key which points to the infection directly [1]
The second is a fake Security Center update scheduled task [2]
The third  is to create a service that auto starts again point to the infection [3]

  1. hklm\software\microsoft\windows\currentversion\run   “C:\Users\User\Application Data\Obunat\ongekie.exe”
  2. %windir%\tasks\ SECURITY CENTER UPDATE – 4048458695.JOB
  3. hklm\system\currentcontrolset\services\securitycenterserver673348880   U5″C:\WINDOWS\system32\igizhaot.exe” -service “C:\Users\User\Application Data\Obunat\ongekie.exe”

After this, the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker/ICE and other Rogue AV`s)

Due to the large number of variants, I won’t go through all the behaviours, but generally the infection route follows one of the patterns above. This infection can disable the Windows security center or modify the Firewall settings to allow remote access to the PC.

Examples:

MD5 PATH FILE NAME FILE SIZE
83890496EB018EA524E72CE18CD37209 %appdata%\ukhecy REHEI.EXE 221,334KB
70AACDCEC7C9D35393CD9D382C8A0454 %appdata%\pawary YVPULUV.EXE 217,222KB
ED098AB9A5E13D1B12BE816659C4172C %appdata%\qaxuile\ PAIDP.EXE 217,222KB
79776C5BE35DFC4089312D42EC70F903 %appdata%\hoydatem\ SAAFIFV.EXE 217,222KB
25D00FC9F06E1720A7B4E4C9293D32AE %appdata%\siuvmyw\ PYRUOV.EXE 218,783KB
79776C5BE35DFC4089312D42EC70F903 %appdata%\zoobir\ EQDUG.EXE 215,105KB

 

MD5 PATH FILE NAME FILE SIZE PC Count
A748FEB8EE581E2225CE7F983E364EC0 %temp% JAVA_UPDATE_71972350.EXE

222,827

181

EC9FC4EE2AA75D0CD6E0490853F27B21 %temp% JAVA_UPDATE_7bb116be.EXE

215,105

105

DB97134AFFDA00379CAF3FCD00BBFFFF %temp% JAVA_UPDATE_93D4FD64.EXE

216,678

231

4FCD4FD7D3D3A5D24EF663CE3419D7CC %temp% JAVA_UPDATE_0EEF9307.EXE

217,222

174

D4BC7886F04574E5628FD6BBFBB01C19 %temp% JAVA_UPDATE_8C3C4799.EXE

218,873

134

In total, we have seen over 40k files and this is increasing every hour. Most of the files have a digital vendor that is close to the real version (shown below). As you can see from the screenshot above, a number of the files are pretending to be Java updates.

BitKefender S.R.L. with 869 unique MD5`s
BitNefender S.R.L.|BitNefender Antivirus Scanner with unique 19,305 MD5`s

Removal:

Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector.

As mentioned earlier, this infection has also been seen to be spread by email. It is advisable to use an email provider that has good SPAM filtration. Google and Microsoft mail services are efficient at blocking these emails.

Always be alert to any email attachments, even if they’re from friends/relatives, and especially executable files that are inside a zip file. Over the Christmas period, we have also noticed a targeted attack from malware authors using well known store names lie Costco, Walmart, etc. in spoof emails.

Since SecureAnywhere doesn’t rely on traditional definitions, we can react instantly to this new trend of Zeus. Webroot SecureAnywhere can safely block this infection. Likewise, if installed on a pre-infected PC, Webroot SecureAnywhere can remove the infection.