On Sunday November 5th, we blogged about a 0-day exploit discovered in the wild that was targeting a Microsoft XML Core Services vulnerability. McAfee Avert Labs had been tracking and monitoring the payload deployed by this exploit.

W32/Kibik.a was the detection name assigned on Sunday, which was soon included in the McAfee VirusScan DAT release the following week. With rootkit heuristics, behavioral detection and IP blacklists being the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in this competitive matrix of today.

W32/Kibik.a is a parasite that attaches to Windows Explorer (explorer.exe), even covering backup copies of explorer.exe in system restore, service pack installation and windows installer folders, making it a hard time for the victims to restore the original system file. On the process list, explorer.exe has its perfectly legitimate presence; on disk, the infected explorer.exe file has no distinction in filesize because W32/Kibik.a attaches to unused segments in the original file. Behavioral detection products looking for rootkit characteristics or autorun register keys will find nothing, because there isn’t any rootkit or autorun key.

To make it even difficult to track for network administrators, W32/Kibik.a sends innocent looking search requests to Google Blogsearch - only the search keywords are unique hexadecimal strings. Google Blogsearch, unlike Google Web Search that we are most familiar with, indexes blog entries with RSS and Atom feeds from blog authors. This makes blog content more readily searchable than Web search. When indexed, search results can return dynamic data, such as URLs to download, or commands to execute in a synchronized manner. At the time of writing, W32/Kibik.a’s searches have not yielded any results thus far.

From silent installation via a 0-day exploit, to silent residence and operations and virtually silent and innocent looking Google search; W32/Kibik.a could well be the start of a new trend in scalable remote controlled malware (a.k.a. botnet) in 2007. It is no wonder with its stealthy elements, few security vendors had detected or repaired W32/Kibik.a to date.

McAfee Avert Labs continues to monitor W32/Kibik.a and other malware using these techniques.

Virus Total Results 11.15.2006