New Version of Alureon Ups the Ante on Encryption

A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn’t the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected.

Alureon is a well-known and oft-researched malware family, some of whose variants have rootkit-like capabilities. The newest version exhibits behavior that researchers haven’t seen before, which makes it harder for antimalware software to detect and harder for analysts to break down into its components.

Researchers at Microsoft took apart the newest version of Alureon and found that the malware now uses what is essentially a brute-force attack to decrypt its own encrypted components.

“A particular set of files was taking longer to exhibit malicious behaviour than others. We started looking for why this was so, and ended up with a blast from the past. This time the malware was using Win32/Crypto-style decryption to elude anti-virus scanners,” the researchers said.

“The decryption function keeps a record of all previously tried keys to avoid using the same key over and over again and so running for an exceptionally long time on a user’s machine. This means that the function will try at most 255 times before successfully recovering the key. This magic value used in the last decryption step is previously retrieved from the header of the encrypted file.”

The Microsoft researchers found that not only did the new version of Alureon employ the encryption and decryption routine, but it also tries to complicate matters by spreading the encrypted data out all over the place.

“Interestingly enough, the encrypted buffer supplied as input for the decryption function is not found as a contiguous memory region but instead is scattered throughout the PE’s image, being spread between code, data, resources, etc. This makes static recovery of the encrypted file more complicated,” Microsoft’s Marian Radu and Daniel Radu wrote in their blog post on the malware.
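As an added illustration that is not code from the article or from Microsoft’s analysis, the following reconstructs on the analyst’s side the behaviour the two quotes describe: reassembling an encrypted buffer that is scattered across an image, then recovering the key by trial, recording every key already tried, bounding the search at 255 attempts and checking each candidate against the magic value from the header. The cipher (byte-wise XOR with a one-byte key), the four-byte magic, the chunk table and all sample bytes are assumptions constructed for the demonstration.

```python
import random
from typing import List, Optional, Set, Tuple

# Constructed sample values for the demonstration; nothing here comes from a real sample.
MAGIC = b"PAYL"                                  # check value read from the encrypted file's header
SECRET_KEY = 0x5A                                # key the stub must rediscover; recover_key() never sees it
PLAINTEXT = MAGIC + b"decrypted component bytes"

def xor_bytes(buf: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key; the article names no cipher, so this is an assumption."""
    return bytes(b ^ key for b in buf)

def gather_scattered(image: bytes, chunk_table: List[Tuple[int, int]]) -> bytes:
    """Reassemble the encrypted buffer from (offset, length) pieces spread across the image."""
    return b"".join(image[off:off + ln] for off, ln in chunk_table)

def recover_key(magic: bytes, enc: bytes, seed: int = 1) -> Optional[int]:
    """Trial decryption as the article describes: draw candidate keys, remember every key
    already tried so none is repeated, and stop after at most 255 attempts. A candidate is
    accepted only when the first decrypted bytes equal the magic value from the header."""
    rng = random.Random(seed)
    tried: Set[int] = set()
    while len(tried) < 255:
        key = rng.randrange(1, 256)              # key 0 would leave the data unchanged
        if key in tried:
            continue
        tried.add(key)
        if xor_bytes(enc[:len(magic)], key) == magic:
            return key
    return None                                  # every key tried, magic never matched

def build_scattered_image(plain: bytes, key: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Constructed stand-in for a PE image: the ciphertext is cut into three pieces with
    filler between them, so the encrypted buffer is not one contiguous region."""
    enc = xor_bytes(plain, key)
    third = len(enc) // 3
    pieces = [enc[:third], enc[third:2 * third], enc[2 * third:]]
    image, table = b"", []
    for piece in pieces:
        image += b"\x90" * 7                     # filler standing in for code, data, resources
        table.append((len(image), len(piece)))
        image += piece
    return image + b"\x90" * 5, table

def decrypt_scattered(image: bytes, table: List[Tuple[int, int]], magic: bytes):
    """Analyst-side recovery: gather the pieces, find the key, decrypt the whole buffer."""
    enc = gather_scattered(image, table)
    key = recover_key(magic, enc)
    return key, (xor_bytes(enc, key) if key is not None else None)
```

With a wrong or absent magic value, `recover_key` exhausts all 255 candidates and returns `None`, which is the bounded worst case the researchers describe.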

Older versions of Alureon, which is also known as TDL and TDSS, have included other interesting capabilities as well. A version discovered last November had the ability to bypass the driver-signing protection on Windows 7 and Vista that is meant to prevent malicious code from being loaded at startup. TDL4 was able to do this by changing the applications that Windows will allow to load an unsigned driver.

Discussion

  • Anonymous on

    Actually, this approach is not new, there are older viruses that used to spread themselves in the "air" inside a file. This is just an updated approach to an older technique.

  • Anonymous on

    I always have problems with Alureon. If a scan picks it up, regardless what AV scanner I use, I urge my clients to undergo a low-level format/reinstallation of the OS and programs because most scanners cannot remove it!

  • Anonymous on

    You're right about that! However, I've found that combofix & tdsskiller by kaspersky will take it out. That being said, even if they remove them, very often there are other rootkits on the machine that can't be practically removed, so I too tell my customers that I will back up their data, wipe the hard drive clean, & reinstall everything. And I make sure I reset the mbr & update the BIOS to ensure the hard drive doesn't get reinfected again from the same bug. Once the computer leaves my shop though, it could get reinfected, especially if it's got xp on it. The 64-bit versions of vista & 7 seem to be more resilient to malware. But I have linux on my home machine, since I got tired of wiping my hdd off so many times.

  • Roo on

    I had to remove a TDSS4 infection from my little brother's computer last weekend. The damn thing inserted itself into the mbr and was causing the machine to BSOD with an "Internal_power_error" message. What a nightmare. Eventually got it under control after using tdsskiller and updating the BIOS. He thinks he got the infection from a poisoned game torrent (ironically, the game Worms). The stupid infection even went as far as REMOVING the windows security center integration! It was definitely the most challenging malware removal I've done in a long time.

  • Anonymous on

    This really shouldn't be that difficult folks. Insert your windows disc, get to the recovery console and/or cmd through the disc. On XP: fixboot, fixmbr. Vista/7: bootrec /fixboot, bootrec /fixmbr. Then, boot into safe mode. In safe mode, use process explorer, and make sure nothing fishy is running. Load msconfig and look for erroneous entries in startup and such. If you do not find anything, reload in normal mode and do the same. Process explorer and similar tools will usually allow you to see both the file that spawned the process in question, as well as all related processes. You need to kill the process tree of the virus, and remove the file that spawns it. With Alureon, it typically puts things in your MBR, respawning it if you remove it with a scanner. These nasty little bugs can also throw bits of themselves in a multitude of locations C:\Windows, C:\Documents and Settings\Local Settings, and so on. Wipe and reinstall is just amateurish. As a professional, you should never have to resort to a format. Why would your customers need to go to you for that if every 16 year old in their neighborhood can accomplish the same thing?

  • Anonymous on

    "This really shouldn't be that difficult folks." - Translation: "I have never done this, have nothing meaningful to contribute, but am able to regurgitate the terms you all used."

    "Then, boot into safe mode. In safe mode, use process explorer, and make sure nothing fishy is running." - Translation: "These things sound neat, and 'safe' mode could never have anything 'unsafe' running, so this must be the end-all, be-all way to fix things. Nothing could ever run outside a visible process... no never."

    "If you do not find anything, reload in normal mode and do the same." - Translation: "Of course nothing was found in safe mode... it's 'safe' mode after all. Once running in Normal mode a virus won't have any protection or ways of avoiding detection so you can just stop it like anything else. After all, that's how the virus I read about on CNET worked back in 1994."

    "These nasty little bugs can also throw bits of themselves in a multitude of locations C:\Windows, C:\Documents and Settings\Local Settings, and so on." - Translation: "I picked directories that I saw, but I couldn't even do that right since there is no 'Local Settings' in 'Documents and Settings'. Next time I'll make other obvious statements like 'nasty little bugs can also throw bits of themselves (pardon the pun) on the hard drive in places where they didn't start!' That'll be revolutionary so I'll start to patent the idea tomorrow."

    "Wipe and reinstall is just amateurish." - Translation: "I am just amateurish."

  • Anonymous on

    Latest post was made by a toolbag (Anyonymouse @ 5:32). Learn how to remove malware without a restore, it's possible. Also, stop mocking people that use legitimate methods of fixing MBR viruses.

  • Paul on

    Yes you can remove nasties, it is not rocket science BUT try to explain to your client that they have to pay you for X hours of work to remove what they see as a minor issue. It is sometimes quicker and cheaper for the client to do a format and reload. I hate having to do that as reloading all your drivers, progs, etc is a pain in the ass. Either way it takes a lot of time to clean these malware progs. Pity folks don't run winsux in a locked down mode.

  • Anonymous on

    Although I agree that wiping and reinstall is amateurish, the methods described by Anonymous @ 4:35PM are too generic. He's explaining the steps for basic spyware removal that also happen to be amateur and unfortunately the steps he's explained don't work half the time.

  • Anonymous on

    What's the difference between always reformatting and never reformatting, they are both dogma.

  • slw on

    It's one thing removing all the malicious code. Sure, rewriting the mbr and finding and killing the malicious binaries is relatively easy (the suggestion to use msconfig gave me a good laugh btw, I hope you don't work in IT), although Alureon generally hides itself from Windows UI and hooks the bios HDD interrupts, so you will need to have quite a good idea what you are looking for and where. Undoing all the changes the virus has made in the computer however, is pretty much impossible without reverse engineering the entire thing.

    So yeah, for Alureon, wipe and reinstall is generally the best course of action.

  • Anonymous on

    Even though TDSSKiller and ComboFix are two of the better scanners / cleaners that I know of, the only way to be absolutely sure that your infection is gone is the scorched earth method of erasing, formatting, and reinstalling the OS using known clean media. There are plenty of essays by smarter people than I who stress this method.

    I had ComboFix stopping at a copy of an MBR rootkit which had copied itself to some unused disk space at the end of the drive. I had to create a partition, format it, then optionally delete the partition to be rid of that warning.

    The point is that the authors of malware are not easing up or becoming less insidious over time. Also, scanners can only react to known samples and expected heuristic behavior, thus perpetually one step behind.

    That being said, I clean boxes to the best of my ability and efficiency with a high degree of confidence of no further infection. However, when parts of ComboFix crash during the MBR examination, my hackles are raised because there is no way to know at that moment if the problem is due to some hardware weirdness, a bad driver, or an undetected rootkit / malware.

    We use McAfee: It's somewhat better than nothing at all.

  • Anonymous on

    Anonymous @ 4:35 is decently right. Of course, I would think he ought to use CCleaner instead of MSConfig, but whatever your preference. I like to start with automatic scanners, go to manual using other tools next, and if all else fails pull up a Linux live disc, search through the registry, search through the filesystem. Though I rewrite the mbr and boot sector when any virus is detected at all... just because I get paranoid.

  • CyberMonkey on

    The Best Anti Virus software I ever installed is called Linux.

    I formatted my drive and installed Linux in about 20 minutes. I have no need for AV software.

    Problem solved.

  • TotamPole on

    The guy from Mon, 05/16/2011 - 4:35pm is describing a very basic approach to this that won't work for the more sophisticated attacks.

    Please listen to the individuals like: slw (not verified) on Tue, 05/17/2011 - 6:37am or Anonymous (not verified) on Tue, 05/17/2011 - 1:43pm.

    Bottom Line: Once you are infected, you DO NOT know what the virus has done. There is NO WAY you can be 100% sure that the file you found that looks suspicious is NOT a decoy. You don't know if it is using a part of your drive that you cannot see for its own storage or whether it runs all the time or spawns at 4am to do its work. The most secure way when dealing with it is to throw out the machine as some attacks can overwrite firmware on your NIC or video card. Obviously as everyone would say, that is way too extreme and I understand that. Zeroing out the full drive is the next best step and you can use a linux tool called `dd` for that. Some people just reformat the drive and I don't suggest that as formatting the drive does not overwrite the entire drive just a small section of it.