Vundo - Aggressive Spyware still going strong after 4 years
Posted
Monday, June 09, 2008 1:15 PM
by
hwaldron
Trend Micro shares a comprehensive overview and history of one of the most prolific spyware attacks. The reasons for Vundo's success include:
* Vundo installs automatically and silently from visiting malicious websites.
* More aggressive variants can lock down Windows and IE services in a manner that makes them difficult to both detect and remove.
* Malware writers continue to adapt Vundo for new attacks: once AV or anti-spyware detection is in place for one variant, a new variant is launched (Trend reports 2,165 unique variants for which it provides protection).
AVERT Labs - Almost always in Top 10 infectors in every category
http://myavert.avertlabs.com/myavert/default.aspx
Vundo - Aggressive malware still going strong after 4 years
http://blog.trendmicro.com/uncovering-vundo/
QUOTE: A piece of VUNDO history: the first variant we have seen in the wild was TROJ_VUNDO.A (Sept 6, 2004, almost 4 years ago). It is capable of monitoring IE activities such as visited Web sites and sending data to a remote Web site. These data are used for advertising and marketing activities. Nobody expected it to still be alive now and used as a component of chain infection.
Some known rogue antivirus products that could be automatically installed or advertised on an affected system are: Wintools, HuntBar, BargainBuddy, Toolbar888, Altnet, BrillantDigital, Points Manager, E2Give, AdawareDelete, AlfaCleaner, AdwareBazooka, Antivirus Pro, BreakSpyware, SpyCut, CurePcSolution, DriveCleaner 2006, ErrorSafe, PerfectCleaner, ExpertAntivirus, SpyAway, AdwareSheriff, SystemStable.
VUNDO variants have different payloads depending on the nature of infection:
Example 1: The user visits a malicious Web site and gets infected by a DLL file VUNDO variant. This DLL then registers itself as a Browser Helper Object (BHO) to run every time Internet Explorer is opened. This will be used to redirect you to a rogue antivirus download page.
Example 2: The dropped DLL VUNDO variant injects into WINLOGON.EXE and EXPLORER.EXE for memory residency and prevents easy detection and removal. Once injected into those 2 processes, it monitors running processes before downloading other possible malicious files in the affected system. The possible monitored processes are mostly antivirus-related processes.
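The two infection paths Trend describes (a DLL registered as a Browser Helper Object, and a DLL injected into WINLOGON.EXE and EXPLORER.EXE) can both be checked for on a suspect machine. The PowerShell below is an added example for this post, not code from Trend Micro or from the Vundo write-up: it enumerates the BHOs registered under the standard Browser Helper Objects key, resolves each CLSID to the DLL Internet Explorer will load via the InprocServer32 value, and then lists the modules loaded into winlogon.exe and explorer.exe that are either unsigned or located outside %SystemRoot%. The function names and the "signed and under %SystemRoot%" whitelist heuristic are my own choices; the registry paths are the standard ones IE uses.

```powershell
# Added example (not Trend Micro's code): hunt for the two Vundo persistence
# techniques described above. Run from an elevated PowerShell prompt.

function Get-RegisteredBho {
    # IE loads every CLSID listed here as a Browser Helper Object at startup.
    # On 64-bit Windows the 32-bit IE uses the Wow6432Node copy, so check both.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $bhoKey) {
            $clsid = $clsidKey.PSChildName
            # The CLSID's InprocServer32 default value is the DLL path that gets loaded.
            $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                       -ErrorAction SilentlyContinue
            $dll = $null
            if ($server -and $server.'(default)') {
                $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)')
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [PSCustomObject]@{
                CLSID     = $clsid
                Dll       = $dll
                Exists    = $exists
                SigStatus = if ($sig) { $sig.Status } else { 'NotChecked' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            }
        }
    }
}

function Get-SuspiciousModule {
    # Report DLLs inside winlogon.exe / explorer.exe that are unsigned or live
    # outside %SystemRoot%. The heuristic is an assumption for this example: a
    # legitimately installed shell extension can also trip it, so treat hits as leads.
    param([string[]]$ProcessName = @('winlogon', 'explorer'))
    $systemRoot = $env:SystemRoot.TrimEnd('\') + '\'
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($m in $proc.Modules) {
            $path = $m.FileName
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signed   = ($sig -and $sig.Status -eq 'Valid')
            $inSysDir = $path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
            if (-not ($signed -and $inSysDir)) {
                [PSCustomObject]@{
                    Process   = $proc.ProcessName
                    Pid       = $proc.Id
                    Module    = $path
                    SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
    }
}

# Usage: review BHOs first (a random-named DLL with no signer is the Example 1
# pattern), then the process module list (the Example 2 pattern).
Get-RegisteredBho    | Format-Table -AutoSize
Get-SuspiciousModule | Format-Table -AutoSize
```

Two caveats when reading the output: winlogon.exe module enumeration needs an elevated 64-bit shell on 64-bit Windows, and Get-AuthenticodeSignature reports catalog-signed system DLLs as Valid only on versions of Windows that support catalog lookup, so on older systems a status of NotSigned for a file under System32 should be cross-checked against its file hash before it is treated as a Vundo dropper.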