This is volume II of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region, taking it further by analyzing an example of such a malware
Carrying on from where we left off earlier…
Who aM I?: What is ProsLikeFan?
While the typical autorun malware is usually a Microsoft Portable Executable(PE) file, ProsLikeFan however, is JavaScript based. Unlike PE malware, malware written in a scripting language have their limitations like exposing their malicious intent in plain text. To overcome this, the malware author needs to employ various encryption and obfuscation techniques.
ProsLikeFan uses the WMI (Windows Management Interface) query language to retrieve sensitive system information and posts this information to a remote host. It also exploits the autorun mechanism to propagate to other computers, brings down system security level by modifying certain registry entries, infects pen drives, sends out Facebook chat messages, ‘likes’ a Facebook page, downloads and runs an executable, changes IE homepage settings etc., all the while actively listening to any commands from its C&C server. It does all the above mentioned without giving away much about what it intends to do, to a large extent. This is achieved by keeping its code encrypted to multiple levels there by avoiding readability.
What I Can Do?: Overview of What the Worm Can Do
To begin with, this worm is VM aware i.e., it can detect if it is being run on a virtual environment like VMware, Bochs, and VirtualBox etc. It achieves this by retrieving the system information using the Windows Management Instrumentation interface and verifies the same against known virtualization systems. It looks for BIOS manufacturers, processor names, SCSI Controller’s manufacturer names, disk drive model, computer system manufacturer name etc. for matching.
The worm hides itself from the victim, by using standard registry modifications techniques that are widely employed by most malicious software. It disables notifications from the ‘Windows Security Center’, turns off the Windows firewall, blocks the usage of proxy servers, prevents access to the user’s homepage settings and disables system restore.
The worm then copies itself to a location under %appdata% and %program files% with a random filename of 5-6 characters. It also places a copy of itself in the startup folder. Once executed, it can retrieve a trove of information from the user’s machine. It looks into specific locations for stored FTP passwords and user names. It then uploads the stolen data (Computer Name, Anti-Virus Software, Current User Name etc.) extracted through WMI and other means to a remote server. It keeps enumerating all running processes at regular intervals and tries to terminate any security software related process.
To spread across to other computers, the worm uses the autorun technique. It waits for a removable drive to be connected on the infected computer. Once connected, the worm creates a directory with a copy of the main JavaScript file in the removable device. It then proceeds to hide all folders and creates shortcuts to these folders with a folder icon. This shortcut would in turn execute the main ‘.js’ file before opening the corresponding folder.
Apart from removable devices, the worm also uses file-sharing networks to spread. It places a copy of the main script in a zip file in the shared folders of well-known P2P application like Ares, Bearshare etc.
Images courtesy of:
nickberardi.com
simple-living-in-suffolk.co.uk
sheherkanayakameena.files.wordpress.com
Kaarthik RM & Raja Babu A
K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
https://labs.k7computing.com/feed/
