Threat Advisory: Bondat

Transcription

Threat Advisory: Bondat
McAfee Labs Threat Advisory
Bondat
January 21, 2015
McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent
malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to
mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.
To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and
Threat Reports” at the following URL: https://sns.snssecure.mcafee.com/content/signup_login.
Summary
Bondat malware has the ability to infect removable media devices. Infection starts either with manual execution of
the infected file or by invoking the corresponding .lnk files that could cause automatic execution of the worm. After
infection it may also download other malware or updates to itself directed by the command and control (C&C)
server.
The following variants of Bondat have been seen in the wild:





JS/Bondat.a
JS/Bondat.b
JS/Bondat.c
JS/Bondat.d
JS/Bondat.e
Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections:






Infection and Propagation Vectors
Mitigation
Characteristics and Symptoms
Restart Mechanism
Indicators of Compromise (IOC)
McAfee Foundstone Services
Infection and Propagation Vectors
The Bondat worm spreads by creating copies of itself in removable storage devices in the following location:

%removabledrive%\.Trashes\<random folder>\ random_file.js
The worm also checks files in the removable drivers, creates .lnk files with the same file name, and moves the files
to the “%removabledrive%\.Trashes\” location if it encounters any of the following extensions:








doc
docx
pdf
rtf
txt
mp3
m4a
ogg














wav
wma
mp4
avi
webm
flv
mov
wmv
mpeg
mpg
gif
jpg
jpeg
png
The .lnk files point to a malicious javascript file which is already copied to the “%removabledrive%\.Trashes\<random folder>\” location.
Mitigation
Mitigating the threat at multiple levels such as file, registry, and URL can be achieved at various layers of McAfee
products. Browse the product guidelines available here (click Knowledge Center, and select Product
Documentation from the Content Source list) to mitigate the threats based on the behavior described in the
“Characteristics and symptoms” section.
VirusScan Enterprise (VSE)

Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:
o KB81095 - How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console
o KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

Users can configure and test Access Protection Rules to restrict the creation of new registry keys, files,
and folders when there are no other legitimate uses.
Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies




(http://support.microsoft.com/kb/967715).
Restrict the use of USB drives in mission-critical and server machines.
Implement and test Access Protection Rules through the McAfee product to prevent writing of *.lnk files in
removable media.
Restrict access to the URLs mentioned in the Indicators of Compromise (IOC) section.
Host Intrusion Prevention System (HIPS)




To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
To create an application blocking rules policy to prevent the binary from running, refer to KB71794.
To create an application blocking rules policy that prevents a specific executable from hooking any other
executable, refer to KB71794.
To block attacks from a specific IP address through McAfee NitroSecurity IPS, refer to KB74650.
Characteristics and Symptoms
The Bondat worm has several checks to determine if the sample is running in a virtual environment. The worm
terminates further execution upon encountering a positive response for any of the following checks:
Upon execution, the worm copies itself into the following location:

%Appdata%\<random folder>\ random_file.js
NOTE: %AppData% refers to the current user’s Application data location.
Also, the worm creates copies “wscript.exe” in the “%Appdata%\<random folder>\” location.
In our test, we found that the file name of “wscript.exe” is chosen from the combination of the following strings:
String-1
String -2
Win
Cmd
Process
Proc
Disk
Dsk
monitor
Mon
Ms
Hp
Sys
Host
Intel
Amd
Dll
Tcp
Udp
Mgr
Update
updater
The worm creates .lnk files in the following location to ensure the malicious java script file executes every time
when Windows starts:


%Appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
The .lnk file executes malicious java script with the help of wscript.exe, which is newly created in the
“%Appdata%\<random folder>\” location.
The worm terminates processes if the process name matches any of the following strings:























Regedit
windows-kb
mrt
rstrui
msconfig procexp
avast
avg
mse
ptinstall
sdasetup
issetup
fs20
mbam
housecal
hijackthis
rubotted
autoruns
avenger
filemon
gmer
hotfix
klwk
mbsa






















procmon
regmon
sysclean
tcpview
unlocker
wireshark
fiddler
resmon
perfmon
msss
cleaner
otl
roguekiller
fss
zoek
emergencykit
dds
ccsetup
vbsvbe
combofix
frst
mcshield
It then shows a fake warning message to the user as follows:
The worm deletes files in the startup location if the file name matches any one the following strings:
 .exe
 .js
 .vbs
 .jse
 .vbe
The following registry values have been modified by the worm:


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = 2
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0
Finally, the worm collects the following information from the compromised machine, encrypts it, and sends it to a
remote server:


user name
computer name


operating system version
language settings
Restart Mechanism
The .lnk files present in the following locations would enable the worm to execute every time when Windows starts:


%Appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
Indicators of Compromise (IOC)
The following indicators can be used to identify potentially infected machines in an automated way.
Network communication to any of the IP addresses at the network gateway/IPS level:



cdn.httpowered.com
217.23.3.136
httpoptions.com
Getting Help from the McAfee Foundstone Services team
This document is intended to provide a summary of current intelligence and best practices to ensure the highest
level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of
strategic and technical consulting services that can further help to ensure you identify security risk and build
effective solutions to remediate security vulnerabilities.
You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx
This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy,
relevance, and timeliness of the information and events described; they are subject to change without notice.
Copyright 2014 McAfee, Inc. All rights reserved.