| « Cisco MARS Versions X.3.4 AND MARS 6.0 Teaser | Configuring Cisco Security Agent LDAP Authentication » |
Nuwar Takes Advantage of April Fools' Day
04/01/08
Nuwar Takes Advantage of April Fools' Day
Just in time for April Fools' Day, a new variant of Nuwar is making its rounds (see my
previous write-up on nuwar here). Unfortunately, at the time of this writing VirusTotal is
reporting AV vendor detection rates at around 40%.
Just like other nuwar (and storm) variants, this version uses nginx 0.5.17 to host the
payload. Also like other variants, this depends on the user to open the payload. As a
matter of fact there are so many similarities, it's simply easier to list the differences
(note, these are based upon observed samples and are subject to change if additional samples are obtained):
| Valentine's Nuwar | April Fools' Nuwar |
| uses JavaScript unescape encoding | does NOT use JavaScript unescape encoding |
payload filenames:
|
payload filenames:
|
| rootkit functionality to hide files (burito.sys) | does NOT use rootkit functionality |
| payload creates {random file name} exe on disk | payload creates aromis.exe on disk |
| Uses peer.ini file to find peers | uses aromis.config file to find peers |
Additional Analysis
Payload delivery is pretty much the same as the valentine's day nuwar samples - a user
receives a spammed message similar to the following:
Subject: Doh! April's Fool.
Body: One who is sportively imposed upon by others on the first day of April
hxxp://89.xxx.xxx.xxx
Currently observed subject lines include:
- Gotcha! April Fool!
- Doh! April's Fool.
Once the link is clicked, the user is sent to a page with the following image:
If IE's pop-up blocker prevents the exe from being opened, the user can simply click on the
picture for another payload. Payload filenames include:
- kickme.exe (MD5: 054D65CFA8D0106F7F2CE384A86819B9)
- funny.exe (MD5: 3143DD254C4913B4A86425145BA2339D)
- foolsday.exe (MD5: 054D65CFA8D0106F7F2CE384A86819B9)
When executed, the payload performs the following actions (subject to change depending upon variant):
Creates the following files:
- %windows%\aromis.exe (MD5: 3143dd254c4913b4a86425145ba2339d)
- %windows%\aromis.config (this encrypted peer file performs the same function as the burito{random string}.ini file in the previous post)
Adds the following registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\aromis.exe
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Stan
dardProfile\AuthorizedApplications\List "" = C:\WINDOWS\aromis.exe:*:Enabled:enable - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters "" =
time.windows.com,time.nist.gov - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters "" = NTP
As with previous variants, this version of Nuwar uses UDP to communicate with peer hosts.
It's also worth repeating that the following should be considered when preventing Nuwar and other storm varians:
- Random ports and the use of UDP may make it difficult to spot nuwar in firewall logs
- Keep (H)IDS/(H)IPS/AV definitions and rules up to date
- Don't depend on one product for prevention
- Educate users on the dangers of downloading content from untrusted sources
XML Feeds©2010 by Priveon, Inc.