malware

Savings Bull Filter Removal

Another day, another infection.

This time it’s the threat that goes by the name of Savings Bull (sample.dll), a form of adware/malware that infects a user’s computer and listens, by proxy, to the infected victim’s network traffic.

Savings Bull copies itself to your hard disk. The typical file name is sample.dll.

Savings Bull is adware which, when installed on a PC, may embed an unwanted browser extension, plug-in or add-on. I take it that Savings Bull may be distributed bundled with free programs.

I haven’t encountered a single antivirus solution which flags this. Rather, I have had encounters with customers and staff I support who have had issues connecting to local resources on their respective networks; in each case, connecting to either .local address spaces or resources using port 8080.

In my case a user was unable to connect to Visual Studio Team Foundation Server.

Removing this was as simple as this:

  • Open Windows Control Panel
  • Programs > Uninstall or change a program
  • Sort by date
  • Look for an icon with an S named Savingbull Filter and uninstall it.

wow.dll Virus / Trojan

Hmmm; Now isn’t this fun

Our IDS was tossing out the following message for one of the users, along with various others: ET TROJAN Tornado Pack Binary Request.

After some inspection, first running the local AV solution and other solutions like Malwarebytes, which did not locate the infection, I then loaded up TCPView from the Sysinternals Suite, which showed several outbound connections to remote hosts. Using Process Explorer, also by Sysinternals, I was able to search for the handle of the wow.dll discovered in TCPView. The process was bound to explorer.exe.

My inspection took me to the following location: AppData\Roaming\srpetxnshntexq\wow.dll, where I found the virus .dll file and a config file ending in .ini with the following contents:

[main]
version=3.0
aid=031
servers=deppeppepp.com:80; gangganggg.com:80;188.165.232.20:80;
knock=188.165.232.20

This seems to be a control file for the virus.
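As an added example, not code from the original post: a small Python script that parses the control file above into its server list and knock host, then flags which rows of a constructed, TCPView-style connection export point at those hosts. The connection rows and the row layout (process, remote endpoint, state) are assumptions made for the example.

```python
# Added example (not from the original post): parse the wow.dll control file
# and flag outbound connections to the servers it lists.
import configparser

# Control file contents as found on the infected machine (copied from the post).
CONTROL_INI = """[main]
version=3.0
aid=031
servers=deppeppepp.com:80; gangganggg.com:80;188.165.232.20:80;
knock=188.165.232.20
"""

# Constructed sample rows in a TCPView-like shape: process, remote endpoint, state.
SAMPLE_CONNECTIONS = [
    "explorer.exe 188.165.232.20:80 ESTABLISHED",
    "explorer.exe gangganggg.com:80 SYN_SENT",
    "chrome.exe 203.0.113.7:443 ESTABLISHED",
    "svchost.exe 10.0.0.5:8080 ESTABLISHED",
]


def parse_control_file(text):
    """Return (servers, knock): servers as a set of (host, port), knock as a host string."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    servers = set()
    for entry in cp["main"].get("servers", "").split(";"):
        entry = entry.strip()
        if not entry:
            continue  # the trailing ';' in the file leaves an empty field
        host, _, port = entry.rpartition(":")
        servers.add((host.lower(), int(port)))
    return servers, cp["main"].get("knock", "").strip()


def find_c2_connections(lines, servers, knock):
    """Return (process, remote) for rows whose endpoint is a listed server or the knock host."""
    hits = []
    for line in lines:
        proc, remote, _state = line.split()
        host, _, port = remote.rpartition(":")
        if (host.lower(), int(port)) in servers or host.lower() == knock.lower():
            hits.append((proc, remote))
    return hits


if __name__ == "__main__":
    srv, knock_host = parse_control_file(CONTROL_INI)
    for proc, remote in find_c2_connections(SAMPLE_CONNECTIONS, srv, knock_host):
        print(f"suspicious: {proc} -> {remote}")
```

On a real machine the same matching can be run over a saved TCPView or netstat export, which makes a quick first check when AV misses the file.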

For now the issue remains unresolved and the user’s computer is set for a new image. I will be playing with the virus more in hopes of learning more about what it does and how to quickly identify it in the future. I do, however, think this is a Troj/Mdrop* type of infection or some variant.

Microsoft’s fight against Poison Ivy

Info of what is known: Poison Ivy (Backdoor:Win32/Poisonivy.E) is a backdoor trojan that allows unauthorized access to and control of an affected machine. It attempts to hide by injecting itself into other processes.

The following system changes may indicate its infection:
The existence of the following file: c:\windows:svvchost.exe (note the colon: this is an NTFS alternate data stream attached to the Windows directory, so it does not show up in a normal directory listing)
The existence of the following registry entry: “StubPath” with data “c:\windows:svvchost.exe” in the subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>

Microsoft has released a temporary fix while they work on a final solution.

“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” Microsoft stated in an official blog post. Microsoft has recommended that users download the Enhanced Mitigation Experience Toolkit which is designed to help prevent hackers from gaining access to your system.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

For now it is the recommendation of many security experts to use browsers such as Chrome or Firefox.

Over 300,000 hit by Internet blackout

According to the FBI, on Monday, July 9th, over 300,000 computers will no longer be able to access the internet due to a malware infection known as the “DNS Changer Trojan”. The internet outage for these computers is due to the FBI shutting down the ring of cyber-criminals responsible for creating the Trojan late last year.

Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. The malware redirected infected users’ Web searches to spoofed sites with malicious advertisements.
