The Ugly Return of Virtumonde - The spyware that just keeps coming back
#1 Posted by slgrieb (Registered User, joined Feb 2003, 4,103 posts)


    Sometime in the last two weeks or a month, a new variant of Virtumonde (Virtumondo, Vundo, WinFixer) has surfaced that presents some major removal challenges. I'm seeing it most often in conjunction with several other bits of malware (typically Smitfraud, one or more downloaders, keystroke loggers, etc.), but I want to talk about Virtumonde first.

    First off, the processes for it run in both normal and safe mode. It also detects when HijackThis is run. The detection is done by recognizing the name of the file when it is executed, so renaming hijackthis.exe to hjt.exe, randomname.exe, or whatever, effectively prevents this stealthing strategy from working.

    In other words, if you scan an infected system with HijackThis, you end up with a result that shows some evidence of infection, but most of the processes related to the malware won't appear. Renaming HijackThis and running it generates a very different scan result. You can read more at Major Geeks and Spybot's malware removal forums, plus other sites.

    Virtumonde also interferes with some other malware removal tools as well. If you run Smitrem to clear out a Smitfraud infection, Virtumonde will cause the getSTS.exe module of Smitrem to crash. getSTS is the component that is supposed to retrieve a list of all entries in the Shared Task Scheduler. The rest of the tool appears to execute correctly, but fails to remove Smitfraud infections that have inserted themselves into the Shared Task Scheduler.

    SmitfraudFix doesn't fare much better. You don't get an error, but the segment of the program log that enumerates programs in Shared Task Scheduler is blank. So, once again, Smitfraud variants that use the Shared Task Scheduler to either reinstall themselves from compressed files, run installation programs to reload themselves, etc. won't be fixed. ComboFix is affected much the same, but since it is somewhat less specialized, it seems to have a higher success rate than Smitrem and SmitfraudFix.

    Manual removal can work, but you must have a scan generated by the renamed hijackthis.exe to succeed. Otherwise booting to the Recovery Console and attempting to delete the suspicious files from the hijackthis.exe scan will mostly result in "file not found" errors, and leave behind critical files (since they weren't reported by hijackthis.exe) so the system remains infected. Similarly, if you try to use Killbox, Unlocker, or HijackThis's "Delete on Reboot" tool, you will find that the utilities don't function.

    Killbox, etc. will only be useful if you have a scan from a renamed executable file of HijackThis. Even knowing the full list of files you want to kill requires trial and error. Killbox will only remove infected files if you first kill the process that prevents Killbox from running. Otherwise, Killbox just says that the file(s) you want to kill can't be removed. If you try to delete these files on reboot, Killbox will fail with a message that an external process interrupted the deletion.

    Earlier, I said that these infections seem to be part of a package. What appears to be happening more and more is that customers are downloading some utility, screensaver, etc. and the installation infects their machine with many different bits of malware simultaneously. So, downloading that screensaver may hit you with Smitfraud, Virtumonde, AbsoluteKeyLogger, W32.Small.DDX downloader, Accoona, Aconti, and the like all at once. To the tune of 20 or 30 different nasties.

    What I want to emphasize is that many of these programs are legitimate, but have been downloaded (along with their "bonus features") from malicious sites, or they are in fact malware listed as "safe" by ostensibly reputable sites.

    Let's use Weather Studio as an example. This is yet another one of those ubiquitous tools that provides quick access to weather information and emergency alerts. Spybot 1.5 deletes it, as does A-Squared. In fact, A-Squared's database reports it as major threat. You can download it from many web sites.

    But, if you go to CNet's download.com site and search for it, there isn't a listing. However, you see this.

    Lookie here, we get sponsored links to two pieces of known spyware! Two links to weather studio, and one to starware; all of whose products are spyware, and are identified and deleted by Ad Aware, Spybot, NOD32, NAV 2007, etc. And from a "trusted" site.

    But, it gets even better. Let's say you want a nice screen saver for free. You know that starware, etc. are infected with spyware, so you go to a source you trust: download.com. Forget the ads. CNet would only post content for direct download that is either spyware free or clearly marked as ad-supported, right? Maybe.

    Check out the Dolphins and Whales reviews. One claims that the screen saver contains spyware, and so does one of my customers.

    So, I'm seeing many computers infected with what would seem to be a package of several unusually tenacious pieces of malware that were all installed simultaneously, and, even though Smitfraud is a common infection, Zlob is conspicuous by its absence. The infections don't seem to have occurred from downloading porno video codecs, responding to phishing emails, or any of the expected channels. They came from legitimate programs downloaded from questionable sources, or programs and/or links from sources that are normally considered trustworthy.

    So, how do you kill them? First of all, you can eliminate many of the secondary infections by running standard tools, but unless you kill Virtumonde, the system won't be free of infection, and is likely to download new pests. What has worked for me is to disable or uninstall any AV software running on the infected computer and install a trial version of NOD32. The infection will generally prevent it from updating correctly, but you can fix that in a bit.

    Don't run a scan yet. Install and update Spybot S&D 1.5 and run it. You may have to install the program and the update from a pendrive or CD. Fix whatever it detects. Then run an online scan from Eset. After it has cleaned or removed any detected infections, update and run NOD32 with an in-depth scan.

    At this point you should run a scan with your re-named Hijackthis and remove any suspect entries. Restart the computer, re-scan and the system should be clean. If you want to use a for-pay tool instead of the manual removal and scans with freeware, SpySweeper 5.5 works very well, too.

    Of course, in many cases, it may be quicker and easier to restore a backup, but that's a call for the individual tech.


    Links to the programs mentioned above

    HiJackThis.exe Sometimes you can't get to places like Trend Micro, so try this one instead

    A-Squared Free Version

    NOD32 Trial download

    Eset Online Scan

    Spybot Search and Destroy This is the download page, you can choose your language on the right. Click the box icon to the right of "Spybot - Search & Destroy 1.5.1 - product description" to download it. Immediately below that are the updates that you can get separately to update Spybot without going online.

    Once Spybot is installed, but is not running, double click the update file. If the space for where to install the updates is blank, browse to the Spybot installation directory (usually c:\program files\Spybot - Search & Destroy). Click next and follow the wizard. Spybot should detect the new updates and not ask to go online.


    Spyware Sweeper
    Last edited by NooNoo; September 10th, 2007 at 04:30 AM.
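The post's central trick is that the infection hides its own entries when it sees hijackthis.exe start, so the renamed scan is the only reliable source for a Recovery Console delete list. The script below is an added example, not the author's tool and not part of HijackThis: it parses two HijackThis logs (one from the plain executable, one from a renamed copy), reports the entries that were suppressed in the plain run, flags the unnamed or random-looking loaders the post describes, and builds the file list to delete. The two log excerpts are constructed for illustration; the CLSIDs, file names and product names in them are invented and do not identify any real component.

```python
"""Triage a Vundo-style infection from two HijackThis logs.

Added example for the post above; it is not the author's tool and not
part of HijackThis.  The log excerpts are constructed for illustration:
the CLSIDs, DLL names and product names in them are invented.
"""
import re
from typing import Dict, List, NamedTuple

# HijackThis writes one finding per line as "<Onn> - <description>".
# Sections where Vundo-class persistence usually shows up:
#   O2 BHO, O4 Run keys, O20 Winlogon Notify,
#   O21 SSODL / SharedTaskScheduler, O23 services.
ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.+)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:dll|exe))', re.IGNORECASE)
PERSISTENCE = {"O2", "O4", "O20", "O21", "O23"}
VOWELS = set("aeiouy")


class Entry(NamedTuple):
    section: str
    text: str
    path: str   # first file path on the line, lower-cased; "" if none


def parse_log(log: str) -> List[Entry]:
    """Extract Onn entries from a HijackThis log, skipping header lines."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, text = m.groups()
        p = PATH_RE.search(text)
        entries.append(Entry(section, text, p.group(1).lower() if p else ""))
    return entries


def hidden_entries(plain_log: str, renamed_log: str) -> List[Entry]:
    """Entries that appear only in the scan made with a renamed executable.

    The malware suppresses its entries when it sees hijackthis.exe start;
    diffing against the renamed run exposes exactly those entries."""
    seen = {(e.section, e.text) for e in parse_log(plain_log)}
    return [e for e in parse_log(renamed_log) if (e.section, e.text) not in seen]


def looks_random(path: str) -> bool:
    """Coarse heuristic for dropper-generated names (5-8 letters, at most
    one vowel).  Triage aid only: it also flags some legitimate names, so
    every hit still needs a human look before anything is deleted."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem.isalpha() and 5 <= len(stem) <= 8 and sum(c in VOWELS for c in stem) <= 1


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Persistence entries with an unnamed component or a random-looking file."""
    return [e for e in entries
            if e.section in PERSISTENCE
            and ("(no name)" in e.text or (e.path and looks_random(e.path)))]


def delete_list(plain_log: str, renamed_log: str) -> List[str]:
    """Unique file paths to take to the Recovery Console, built only from
    entries the un-renamed scan failed to report."""
    return sorted({e.path for e in hidden_entries(plain_log, renamed_log) if e.path})


def triage(plain_log: str, renamed_log: str) -> Dict[str, List]:
    """Everything a tech needs from the two scans, in one place."""
    return {
        "hidden": hidden_entries(plain_log, renamed_log),
        "suspicious": suspicious_entries(parse_log(renamed_log)),
        "delete": delete_list(plain_log, renamed_log),
    }


# Constructed: what the infected box reports when hijackthis.exe runs under
# its own name (the loader entries are missing) ...
PLAIN_LOG = r"""Logfile of HijackThis (constructed excerpt)
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Example PDF Link Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\PdfLinkHelper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O21 - SSODL: ExampleShellObj - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\system32\ExampleShellObj.dll
O23 - Service: Example AV (exav) - Example - C:\Program Files\Example AV\exav.exe
"""

# ... and the same box scanned again after renaming the executable to hjt.exe.
RENAMED_LOG = PLAIN_LOG + r"""O2 - BHO: (no name) - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\system32\vtuvw.dll
O4 - HKLM\..\Run: [awtss] rundll32.exe "C:\WINDOWS\system32\awtss.dll",a
O20 - Winlogon Notify: vtuvw - C:\WINDOWS\SYSTEM32\vtuvw.dll
O21 - SSODL: ssqqr - {44444444-4444-4444-4444-444444444444} - C:\WINDOWS\system32\ssqqr.dll
"""

if __name__ == "__main__":
    result = triage(PLAIN_LOG, RENAMED_LOG)
    for e in result["hidden"]:
        print("hidden from plain scan:", e.section, "-", e.text)
    print("delete via Recovery Console:", *result["delete"], sep="\n  ")
```

Run it with the two saved logs substituted for the constructed strings; the delete list it prints is the one to carry into the Recovery Console, and the suspicious list is a starting point for the trial and error the post mentions, not a verdict. Note that O20 and O2 can point at the same DLL, which is why the list is de-duplicated by lower-cased path.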
