2

Today we found a virus / trojan on our network which has thus far:

  1. Hidden all files and folders
  2. Replaced the hidden files and folders with executables of itself, with matching icons, and renamed itself to those files.

Kaspersky picks it up, and is the only virus scanner we can get to pick it up so far. Process Explorer shows a boofa.exe running when we launch any of the fake folders.

Has anyone had any experience with this type of infection? Is there anywhere we can submit a file to Symantec or another virus company? We believe it's a 0 day attack.

Related information: We had a user whose computer was "driving itself" hours after we found this virus. Someone took control of her computer, went to Walmart.com, bought a WOW game card and signed off.

Also, we've run Wireshark while running the virus on a quarantined computer, but it makes no attempt to get out to the internet.

BOMEz
  • 123
  • 5
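The pattern the question describes (a folder or file gets the Hidden attribute and a visible executable with the same name and icon appears beside it) can be triaged across a share with a short script. This is an added example, not code from the original post or from any AV vendor; the set of "launchable" extensions is an assumption about how the worm names its copies.

```python
"""Triage helper for the folder-impersonating worm described in the question.
Constructed example: reports every visible launchable whose base name matches
a sibling entry carrying the Hidden attribute (hidden "Reports" + "Reports.exe")."""
import os
import sys
from dataclasses import dataclass
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2          # Windows attribute bit in st_file_attributes
LAUNCHABLE = {".exe", ".scr", ".com", ".pif"}  # assumed double-click targets

@dataclass(frozen=True)
class Entry:
    name: str      # base name within one directory
    is_dir: bool
    hidden: bool

def is_hidden(p: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix convention elsewhere."""
    attrs = getattr(p.lstat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or p.name.startswith(".")

def suspects_in_listing(entries):
    """Visible launchables whose stem equals a hidden sibling's full name.
    Pure function over one listing so it is testable without a filesystem;
    "budget.xlsx.exe" beside hidden "budget.xlsx" is caught because splitext
    strips only the final extension."""
    hidden_names = {e.name for e in entries if e.hidden}
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if e.is_dir or e.hidden or ext.lower() not in LAUNCHABLE:
            continue
        if stem in hidden_names:
            hits.append(e.name)
    return sorted(hits)

def scan_tree(root):
    """Walk `root`; return (directory, impersonator) pairs for analyst review."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        base = Path(dirpath)
        entries = [Entry(n, True, is_hidden(base / n)) for n in dirnames]
        entries += [Entry(n, False, is_hidden(base / n)) for n in filenames]
        hits += [(dirpath, n) for n in suspects_in_listing(entries)]
    return hits

if __name__ == "__main__":
    for where, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspect:", os.path.join(where, name))
```

Run it against a mapped share from a clean machine; each hit is a file to pull for the AV submission and a hidden original to restore once the copy is removed.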

4 Answers

4

Symantec's virus submission portal: http://www.symantec.com/security_response/submitsamples.jsp?inid=us_sr_flyout_contact_submit

I have seen this kind of infection before over the years in various forms.

Was the 'driving itself' computer the same as the infected one, or a different computer? If it is different, you will have to nuke all machines and start from scratch, I'm afraid. You have a RAT.

schroeder
  • 123,438
  • 55
  • 284
  • 319
2

It's actually not that uncommon at all, in my experience. It's possible that you have an 0day but I would suspect that it's far more likely that you have a known virus that has been obfuscated. Correction: if the computer is 'driving itself' you most likely have a root-kit installed. Bad mojo. :-( Everything below applies but it's more academic and functional. Try something like Sysinternals RootkitRevealer, but I'd look for a more current version.

Grauwulf babbles on about virus obfuscation.... tl;dr

Most, if not all, anti-virus/malware-detection systems use signature matching to determine if a file is a virus. Signatures usually consist of a portion of the source code that is uniquely identifiable as "Virus A". Combine that with other unique characteristics like byte size or hash signatures, and you can really narrow down on a virus pretty quickly.

This is a very handy technique since it's very unlikely that you'll get a false positive. On the other hand let's say you have a perfectly good virus and some doody head has created a signature for it and ruined your day :-(

What is a script kiddy to do? Since we know that files are matched on signature elements, what if we could alter that in some way? Maybe add some junk code at the end of byteset. Maybe reset some 'magic numbers' in the code and just recompile. Anything to make it just different enough. Well, you go to any one of many sites like virustotal.com (good for examples, no self respecting code monkey would upload their code to an off site analysis system) and you check. Do current virus scanners see your file as a virus? If so, keep tweaking. Eventually you'll change it enough that it doesn't get tagged but not have to do any actual work in writing a new virus.

In this way many 'new' viruses are just the same old recycled Nimda code used over and over again. Providing these variants to AV research labs helps them identify new stuff and deal with it faster, and can really improve the general security against this class of threat.

Then again, maybe you have an 0day. :-) Odds are though, if you get this into the right hands an AV solution can be very close behind.

Best of luck.

grauwulf
  • 955
  • 5
  • 10
2

These viruses are called FUD (Fully UnDetectable). It's most likely not a 0 day. More likely is that it's a common virus that has been crypted.

vertroa
  • 21
  • 1
1

According to the Cisco 2011 4Q Global Threat Report

"During 4Q11, 33 percent of Web malware encountered was zero-day malware not detectable by traditional signature-based methodologies at the time of encounter."

You should read this article explaining how malware is generated so that antivirus tools can't detect it: http://blog.ioactive.com/2012/11/the-future-of-automated-malware.html

You should try to submit your file to VirusTotal in a couple of days.

null
  • 1,193
  • 6
  • 16