New Alureon Rootkit Takes Malware To New Level

Trailrunner7 writes "A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components."

A silly question

[countertrolling]

Why can't the system be installed on ROM? At the very least, it will boot clean every time...

Re:A silly question

[improfane]

Malicious software can still be malicious while in memory, send spam, botnet etc. A running exploit of a readonly system is just as compromised as a running writable one, until you turn it off of course. You would never be able to patch it unless you patch the ROM or receive memory patches.

Re:A silly question

[datapharmer]

EEPROM can be... this is essentially what coreboot is.

Re:A silly question

[countertrolling]

On the other hand that could be achieved with any USB stick with a write protect switch.

That would be the proper procedure that I would find perfectly acceptable, but all the present day USB sticks with write protect do it with software. It's not like the floppies that made it physically impossible to write by literally turning off the ability to write. It's one of the giant steps backwards that the industry has made.. intentionally? I don't know, but my suspicions run high.

Re:A silly question

[hairyfeet]

Because then all they have to do is figure out a buffer overflow for the default browser and you can't patch it so you're boned? As a PC repairman my question would be this....why bother? Do you have ANY idea how many unpatched XP boxes are out there? Boxes with NO AV, or the same trialware Norton crap it came with in 05, loaded up with P2P crap or running "Razr1911 Pro SP2 Corp" that has WU turned off to keep from getting WGA'd? If the number was less than 60 million frankly I'd be amazed.

So I don't see why they are bothering with this now when they have so much low hanging fruit left, unless they are planning on using it for a spear phishing attack. The time to be releasing something like this would be about 6 months before XP EOL, when the amount of unpatched "Razr1911 Windows 7 all versions pre-activated" will be much higher, although even then most likely all the updates will be turned off (already seeing that BTW, as MSFT figured out how to kill the Razr1911 OEM hack on the RTM version so pirates are just killing WU like they did with XP) so again hacking will be easy.

As a guy that cleans them for a living I can tell you infecting a Windows box simply isn't that hard, not because MSFT built a bad OS (I'd argue that properly patched an XP or 7 box is actually pretty solid) but because there are so many pirated versions, boxes controlled by people that will happily click on any email attachment, or download "Hot_Lesbos.avi.exe" and run it without a second thought.

Hell Limewire has been dead for a couple of years yet I still see new boxes infected with malware calling itself "the new Limewire" because simply ripping off the old Limewire icons is enough to get the clueless to happily turn off any security that attempts to stop them installing it so they can snatch the latest pop crap. Social engineering with literally millions of clueless users makes it butt simple to infect masses of boxes with just a little carrot at the end of a stick. This seems like a hell of a lot more work than required unless they have some corporate target in mind.

Re:A silly question

[tlhIngan]

That would be the proper procedure that I would find perfectly acceptable, but all the present day USB sticks with write protect do it with software. It's not like the floppies that made it physically impossible to write by literally turning off the ability to write. It's one of the giant steps backwards that the industry has made.. intentionally? I don't know, but my suspicions run high.

A floppy drive is easy - a floppy drive is just some motors in a cage - the floppy controller resides o nthe motherboard and tells those motors how to operate. The write protect switch can easily disable the floppy drive's write amplifier.

Something like a hard drive is hard - you can't disable the read/write line to the (PATA) drive, because you have to write to the registers in order for it to work. It's why forensic labs have drive write blockers - they pass through everything except the write commands - these things require intelligence in order to perform their tasks.

Ditto USB drives - you can't disable writing to the NAND flash chips itself, because you have to write to them in order to read from them (as well as do things like identify the capacity and such), so the controller has to have intelligence to handle ignoring write commands from the USB host (and even then some drives still do wear levelling and garbage collection on the raw media - so you need lots of firmware hooks to disable that, too).

The problem is, there's no way to physically make it impossible to write. Some flash chips it was possible - you protected it by disabling the high-voltage programming power source - without that voltage, programming would be problematic. But these days, the charge circuits to do that are built into the silicon so the manufacturers don't have to spend the extra dollar on external power supply circuits and PCB routing, because the intent for writable nonvolatile memory was being able to write to them.

Making a write-protect switch these days is difficult and often requires extra circuits in order to have the necessary intelligence to block write commands and not all writes (which disables normal read operations as well).

Re:A silly question

[drsmithy]

EEPROM can be... this is essentially what coreboot is.

If the end user can do it, the end user can be convinced to do it by malware.

Re:A silly question

[v1]

I would have found that hard to believe before having seen it in action myself.

My camera uses an SD card of course, but it can use that open source camera software too. But to use it, you have to write to to a new card, and then turn on the write protect switch or the camera won't boot it. Once thge new software is booted, it can save pictures to the card. Good proof that the write protect on the SD card is more of a "suggestion" than a "switch".

Worthless Summary

[OverlordQ]

A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components.

A new version of well-known Alureon is out which has odd things to make it hard to analyze. It's odd, and is not normal and makes it's hard to analyze. It's well known and is a rootkit.The new version is odd and makes it hard to analyze.

We got that after the first sentence, how about actually providing some fscking detail.

Make up your mind

[ledow]

Summary says: "The newest version of the malware exhibits some behavior that researchers haven't seen before"

The article says: "In 1999, a new virus, Win32/Crypto, was discovered... Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life... Another interesting tidbit is that an initial version of this obfuscator first arrived in our lab in the first half of 2009."

That's kinda stretching the definition of "haven't seen before", which may be true in a technical sense (because they haven't seen THIS EXACT MALWARE before, but they've certainly seen lots like it).

Don't worry, Microsoft is on it

[digitaldc]

"We're closely monitoring Alureon to ensure that our users are always protected. In fact, Alureon has been part of the Microsoft Malicious Software Removal Tool (MSRT) since April 2007."

I am putting my full faith and hope in to the Microsoft security team to eliminate it with their latest Malicious Software Removal tool.
I have given up on being paranoid about viruses, and I am much happier now!

Not really.

[Viewsonic]

Only for major major updates, and it wasn't a pain in the ass. You unplugged the chip and stuck the new one in. Back then it was pretty common for users to hack their Amigas anyways, so it wasn't that big of a deal to open her up and swap it in. The pain the ass was expanding the chip memory by soldering lines to a new socket. I was 12 when I had to do this for my Amiga 500. Worked fine.

Re:Not really.

[Tx]

Kickstart was more of a BIOS-equivalent than an OS. You couldn't do anything with Kickstart by itself, kickstart booted the actual OS (Workbench). Some RiscOS machines OTOH did boot a reasonably advanced GUI OS from ROM, in fact if I'm not mistaken there are some such still in production.