Malware Gangs Run Ads To Hire New Coders

An anonymous reader writes "Think crime doesn't pay? Think again: an increasingly common sight on underground cybercrime forums are ads paid for by malware writers who are looking to hire talented new programmers. The most common ads are for 'crypters' designed to disguise known malware, and 'Web injects,' plug-ins made to run alongside crime kits like ZeuS and SpyEye. Salaries range from $2,000 to $5,000 monthly, health benefits not included."

Re:Vundo and friends

[iMouse]

Doesn't delete the Start Menu shortcuts....it moves them into a hidden folder called smtemp in your user's Temp directory. They can be restored fairly easily if you haven't already blown away everything in that folder.

Some new variants are removing the registry key that shows the "Show Hidden Files and Folders" option from Folder Options. While re-importing the key is fairly trivial, you have to get rid of the malware first. Even better than that, they then associate any .exe file extensions with the Trojan Horse. If you remove the Trojan Horse, rundll32 asks what program you wish to launch program.exe with.

There is a really nice reg file that someone exported and threw on a website that addresses this issue and fixes the file association. Since reg files can be run without actually opening regedit, it will import if the file association is already jacked. This file is intended for XP, but will work with Vista and 7...it just throws an error that you can ignore.

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip [dougknox.com]

Fun and games. If you stop/remove the Trojan, run the command below from a command prompt with admin privs (for Vista and 7 users...XP runs the command as admin as long as you are a user with admin privs). If the malware is still running, you may still have some time to get some of your stuff moved off if you're worried about losing it or just want to restore the box.

attrib -h /S /D C:\*.*

The malware is cleanable and the OS is repairable, believe me....but it takes a lot of work and time to understand what the malware has already done and what changes need to be reversed.

Hope this helps someone!

Re:Honeypot?

[Eil]

Honestly, if I was even considering writing malware, this would smell like a major sting operation.

It's not (yet) illegal to write any kind of software you like, no matter what its purpose. What's illegal is how it's used and/or distributed.

If ever it became illegal to write software which exploits security vulnerabilities in software, there would be a whole community of white-hat researchers who'd be out of a job overnight.

Re:Vundo and friends

[Hitokiri Battousai]

I deal with this type of malware for a living. Once you know what it does it's quite quick to clean up a system.

Fist off, it's foolish and counterproductive to try to remove malware by using the OS that's infected. Boot to a live CD (like BartPE so you can mount the registry) and at the very least disable it from startup. From there feel free to boot to the OS and repair the damage.

The start menu is indeed moved to the user's Temp folder. In detail:
smtemp\1 is the public start menu
smtemp\2 is the user's start menu
smtemp\3 is the public desktop (I think, I've only seen this folder once)
smtemp\4 is the user's desktop
It also disables the listing of recently used programs in the start menu and un-pins everything. It's easy to turn that back on.

The following is a terrible idea:
attrib -h /S /D C:\*.*
as it will unhide everything on the computer.

It's quite easy to instead just select all the profiles under \Users\, go to properties, uncheck hidden, and apply to all sub objects. Afterwards, go into each profile and rehide only the top folder of AppData and all of the files in the root of the profile (things like ntuser.dat). In XP there are a number of other folders under the profile that are hidden by default. Reference a known good computer to see which ones.

It may also set some group policies to disable the desktop, the task manager, and disable changing the wallpaper. Delete these.

The particular malware that does this does not alter .exe associations, but if you need to fix those, there is a far more reliable free tool from Kaspersky called AVZ. The option is under File -> System Recovery. (Tip: you can rename avz.exe to something like avz.com so you can run it. Or manually fix the association for .exe and let the tool fix the rest.)

Another spot to look out for is IFEO debugger entries. Look under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Inside you will find keys of image names (like iexplore.exe). Under each key you may see a string value called Debugger. It's data will be set to the path of the malware that's infected the computer. If such a key exists, the 'debugger' will be launched whenever you try to execute the specified image.

That about sums it up for all of the 'modern' 'viruses'. Quite pathetic. The only reason these things work is because people are tricked into letting them through UAC. The new Mac infections function nearly identically. They require that the user enter their root password for them to install, and all they do is put themselves in the Mac's startup locations, so they're even easier to remove.