Thursday, April 16, 2015

Upatre Malware Quick Discussion

Cyberoam had posted about the Upatre malware a week or two ago. I've seen this since then and thought it was worth a mention.

The user gets an email claiming they have an invoice due or something equally ridiculous. Hopefully your mail provider catches and blocks it as spam or a virus, but since signature-based detection only matches what it already knows, it's entirely possible that a newer variant passes straight through to the user's inbox.

The user opens the malicious attachment (perhaps a zip file, exe, pdf, Word doc, etc.) and almost immediately malware is dropped into the user's temp folder and executed.

That malware then, as I've seen it happen, first makes a call to something like checkip.dyndns.org to learn the victim's public IP address.

Some additional calls are then made to a C&C server, sending information about the client's workstation in the URL path itself (hxxp is the defanged form of http).
Ex: hxxp://141.105.141.87:13839/0104us22//0/51-SP3/0/GKBIMBFIBL

That initial request to the C&C probably gets a response back telling the bot where to download the next stage. Then you'll see additional calls out to download and run that extra malware. That cycle can go on for a long time, infecting the workstation over and over again with more and more junk, things such as Zeus, Rovnix VBR, and various banking Trojans.

If you see a pattern like this in your proxy or firewall logs, a checkip call followed shortly by a request whose URL contains your workstation name (in the example above it goes to a bare IP on a high port, which is a good second indicator), it's a pretty safe bet you're infected, and who knows with what. The checkip lookup by itself isn't malicious, plenty of legitimate tools make it; it's the combination that matters. Best to re-build/re-image that device ASAP.
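To make that pattern concrete, here is an added example (my own code, not from the original post or from Cyberoam) that runs the check over a few constructed proxy log lines. It assumes a simple "timestamp client_ip method url" log format, a hypothetical mapping of client IPs to workstation names (which you would pull from DHCP or AD), and a 10-minute correlation window; the sample C&C URL copies the shape of the one above but uses a made-up workstation name in the path.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Format: "timestamp client_ip method url".
# Real logs use http; the post shows hxxp only because it is defanged.
SAMPLE_LOG = """\
2015-04-14T09:01:02 10.0.0.15 GET http://www.example.com/index.html
2015-04-14T09:01:10 10.0.0.15 GET http://checkip.dyndns.org/
2015-04-14T09:01:12 10.0.0.15 GET http://141.105.141.87:13839/0104us22//0/51-SP3/0/WKS-FIN01
2015-04-14T09:01:30 10.0.0.15 GET http://203.0.113.9:8080/dl/payload.bin
2015-04-14T09:05:00 10.0.0.22 GET http://checkip.dyndns.org/
2015-04-14T09:40:00 10.0.0.22 GET http://198.51.100.4:13839/abc/WKS-HR07
2015-04-14T10:00:00 10.0.0.31 GET http://192.0.2.10/updates/WKS-DEV03
"""

# Hypothetical client IP -> workstation name mapping (from DHCP/AD in practice).
HOSTS = {"10.0.0.15": "WKS-FIN01", "10.0.0.22": "WKS-HR07", "10.0.0.31": "WKS-DEV03"}

# Public-IP lookup services worth watching; add others your environment sees.
CHECKIP_HOSTS = {"checkip.dyndns.org"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDOW = timedelta(minutes=10)  # assumed: how soon after checkip the C&C call must follow


def parse(log_text):
    """Turn each log line into a dict with timestamp, client, URL host/port/path."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url = m.groups()
        u = urlparse(url)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": u.hostname or "",
            "port": u.port,
            "path": u.path,
        })
    return events


def find_upatre_pattern(log_text, hosts=HOSTS, window=WINDOW):
    """Flag clients that call a checkip service and, within `window`, request a URL
    on a bare IP address whose path contains that client's own workstation name.
    Returns (client_ip, workstation, cnc_ip, cnc_port, timestamp) tuples."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    last_checkip = {}  # client -> time of its most recent checkip request
    hits = []
    for e in events:
        if e["host"] in CHECKIP_HOSTS:
            last_checkip[e["client"]] = e["ts"]
            continue
        seen = last_checkip.get(e["client"])
        if seen is None or e["ts"] - seen > window:
            continue  # no recent checkip call from this client: not the pattern
        wks = hosts.get(e["client"])
        if wks and RAW_IP_RE.match(e["host"]) and wks.lower() in e["path"].lower():
            hits.append((e["client"], wks, e["host"], e["port"], e["ts"]))
    return hits


if __name__ == "__main__":
    for client, wks, cnc, port, ts in find_upatre_pattern(SAMPLE_LOG):
        print(f"{ts} {client} ({wks}) -> likely C&C beacon to {cnc}:{port}; re-image this host")
```

In the sample, only 10.0.0.15 is flagged: 10.0.0.22 makes both calls but 35 minutes apart, and 10.0.0.31 sends its hostname to a bare IP without ever calling checkip, so neither trips the combined rule. Tune the window to what you actually see; the two requests in the post's description are seconds apart, so 10 minutes is generous.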

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
