New variant of Trojan via Hotmail Instant Message

Be warned and on the lookout for a new round of Hotmail accounts being hacked
and suspicious links being sent to you from your contacts.
You might receive a message from a known contact that will contain a link to
what initially appears to be a to a profile picture.
What it is actually doing is trying to get you to download a windows Trojan.
Hotmail Message from Hacked Account

The message you will receive could look something like the following:

Hacked Hotmail Account Message | Trojan Dropper

The text will say something similar to the above: "ahha is this you??
hxxp://images-id.com/profile.php?=yahoo:shinerweb@yahoo.com"

How does the attack work?

If you receive the above message or similar, because it has come from a "trusted
friend" in your Hotmail contact list, you are probably likely to believe
the link to have come from them.
Most people will just click on the link, but don’t worry, you haven’t been
hacked just yet. In this case of this attack it actually requires you to install
it, but believe it not, many people will do just that.

In this instance, clicking on the link above will download a self-extracting
zip file to your PC. (Yes, we are talking a Windows Trojan here).
But you still haven’t infected your PC. You now have to actually run the self-extracting
zip file by navigating to the location where it was downloaded and clicking
on it. (Some chat programs allow you to open the downloaded file by simply
clicking on it from within the chat program).
But you still haven’t been infected if you do just that. All you have done
is to extract the actual virus to your PC.
It still requires you to now navigate to where the file was extracted and open
it.
Only now will you have infected your machine.

At the time of writing, only one anti-virus vendor was giving a warning, with
two other vendors marking the file as suspicious.
It will take most of the leading Anti-virus companies up to another 6-12 hours
before they release new definitions to catch this one.
It will probably be a few days before the rest of the bunch catch up with some
taking up to a week.
So even if you have the most up-to-date virus definitions, you are not going
to detect this trojan just yet.

Despite the number of manual steps involved in order to become infected, many
hundreds of thousands of users around the globe will still do just that.
Some will do it primarily because the link and the files came from someone
in their Hotmail contact list that they probably trust.

So why did my Hotmail contact send me this link?

Actually, your contact didn’t. The bad guys have gained access to
your contacts username and password and have control of their account.
There are a number of ways that the bad guys can gain access to these details.

Trojan: The payload in this instance is a trojan that installs
other software to capture personal information from the infected machine. The
user could already have been infected with this trojan or another similar
and the Hotmail account details stolen (via a Keylogger for example).

Phishing: There have been a number of incidents already this
year whereby legitimate sites have displayed adverts or malware inserted by
the bad guys. This presents the visitor with a dialogue box very similar (almost
an exact copy) of the Hotmail Login screen. The user then blindly enters their
Hotmail Username and Password. The bad guys scripts will then usually display
a failure message before redirecting the visitor the genuine Hotmail Login
screen. But by this stage it is too late, they already have your Hotmail account
details.

In this instance, this is what I suspect to have happened in that the user
has fallen foul of a phishing attempt on a site they have recently visited.

The short answer is that your Hotmail contact did not send
you the message. In fact, they probably have no knowledge what-so-ever of any
messages being sent to you.
They will probably tell you that they didn’t even have their computer switched
on at the time so it could not have come from them.
The bad news is that it didn’t need to be. The bad guys already have their
username and password and they use a program of their own to login and send
the messages from any computer they like.

At a later date, I will post an update on how to prevent or reduce the chances
of falling foul of these types of attacks.
Some quick advice though is:

  • Never to trust any files sent by friends
    no matter how much you trust them. It might not be them sending it in the
    first place.
  • Always have your chat program configured to run an anti-virus scan of
    ALL downloaded and transferred files. (Though this would not have protected
    you in this instance).
  • Any file you are not sure of, upload it to Virus
    Total
    and see what they have to say about it.

The information below is the technical information about how the virus works.

How the attack works – breakdown of payload

In this case, the link will attempt to download a file called PICT0573.JPG.EXE

The following is the initial report from Virus
Total
.

Additional information
File size: 97281 bytes
MD5…: cc259a2aa044d105d7159b2c5a8aa5eb
SHA1..: f3a9f1de1243683fce79d29dcfa2338cb5b3d57d
SHA256: d71788cfd5d99af611fee16e9c2b6abddda6505ed851a836298e2971a3a72e08
SHA512: 208e2d97247b406a3aa179b237549b6251342f022bdb7f81e4b1b939a0b21aa3
e1b6a1894e0f45981880b3ac0aa8cc1f8877cb6e374ea43510e52d17d7823cc4
ssdeep: 1536:b5GJEhlcbW5sk1BlfLvveIbXWm+nwN6J3rs5gqtXZPoeSVfOgRJNVB5uulU
6EE:VGu9BlfzWIbXWm+w0Jg5TSVfRJNYulU4
PEiD..: –
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x645c
timedatestamp…..: 0x480251cd (Sun Apr 13 18:32:45 2008)
machinetype…….: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x99c8 0x9a00 6.58 fd7744c26c2bf4d279968be94b283b11
.data 0xb000 0x1be4 0x400 4.25 99858e86526942a66950c7139f78a725
.rsrc 0xd000 0xd9f0 0xda00 6.72 37630b96b2c90e9f0a4951e15d50197f

The file is actually an executable (self extracting) Zip archive. (Note it
ends with .exe and is just made to look like an image).
Usually they do a better job of hiding the .exe by using multiple spaces, but
not in this case.

If you run the file, it extracts another executable which is the trojan itself.
The name of the file in this instance was: buriminew.exe

Only when you actually run buriminew.exe will you now infect
your PC.

Currently this is what VirusTotal has to say about this file:

Additional information
File size: 31744 bytes
MD5…: fe546d6dece496a4e4a3ca47f15e5937
SHA1..: 4acc9a1196539919238387863d8585e4fd43f017
SHA256: a3d90312ab961adbeb7062350643b74d5b43d35dcc963eccf4295ce375b29908
SHA512: c0f2aab84a75e8dd0a30743de66332cb058148544cb68514bee588b13b0bf92c
e9d5c6e5ffdaf5f6f8553191dff0dcfb4d3aae2cb594446531c099f86bafcacd
ssdeep: 768:qrOV9YKGFjCZXwNKLWBOp07uu51xlXTOm/q:egYRcW7uIxRKm
PEiD..: –
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1e80
timedatestamp…..: 0x49b0f1a1 (Fri Mar 06 09:49:21 2009)
machinetype…….: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x11be 0x1200 6.25 a0f569558af5fc265be797139ffd38d8
.rdata 0x3000 0x60b6 0x6200 7.97 3fe31e2297e4fb70643d182fd955d7d2
.data 0xa000 0x163e0 0x400 5.54 629e2248ee12ab91a5a46c4c0c17d51e

( 1 imports )
> KERNEL32.dll: GetProcAddress, LoadLibraryA, lstrlenA, GlobalAlloc

( 0 exports )

The file appears to be a new variant of a Trojan called Buzus.
When run it will display a dialogue box.

Trojan Buzus | Screen Capture

From the site ThreatExpert, it has the following information:

Trojan.Buzus opens a backdoor on the infected machine and tries to steal
various information like personal financial data (like credit card numbers,
online banking details etc.), passwords from various email and FTP applications
(like Trillian, Microsoft Outlook, CuteFTP etc.) It also tries to compromise
security settings of various security related products.

At the time of writing, only Microsoft was identifying the threat as: VirTool:Win32/Injector.gen!U

If anyone wants a copy of the trojan to do their own analysis, you can contact me via the contact form on my profile page

You can also check the status of anti-virus detection by visiting the VirusTotal
page for buriminew.exe
.