The Ackantta mass-mailing worm made its first appearance about a year and a half ago. Since then, it has continued to evolve and update its malicious features. We have recently observed one of the latest samples, from the variant W32.Ackantta.B@mm, which demonstrates very interesting tricks and strategies that greatly improve the worm’s stealthiness and its spreading capabilities.
Main purpose: advertise
Ackantta does not limit itself to spreading to new computers. The purpose of the worm is to drop and run a copy of Trojan.Mozipowp, a Trojan that specializes in advertising. Mozipowp will hijack major Web browsers (Firefox, Opera, Chrome, Internet Explorer) in order to display targeted advertisements on the compromised computer.
Spread! Spread! Spread!
Ackantta tries a variety of strategies to propagate itself, along with its advertisements.
P2P and Downloads folders
The worm will scan the compromised drive, searching for folders with names of popular file-sharing programs. If any are found, it will copy itself to those folders using the filenames of popular software or pretend to be ‘cracks’ or key-generators for popular software.
Image 1: Ackantta tries to disguise itself as legitimate software, cracks, or keygens.
The worm has the functionality to search the user’s Windows Address Book archive (a file that contains all email contacts saved by Outlook) in order to gather all the email addresses stored by the user. It then will try to send itself to all the gathered contacts using a misleading title such as “You have got a new message on Facebook!” or “Cindy would like to be your friend on hi5!” The email will contain a .zip file attachment with a misleading filename, such as “Invitation Card.zip”. The attachment contains a file that is a copy of the worm itself with a name such as “Document.chm .exe”. This trick tries to lure the user into believing that the email is from a legitimate source and that the attachment is safe, while in reality it’s an executable whose filename contains many spaces in order to conceal the .exe extension.
Image 2: An example of a misleading filename used for both the ZIP archive and the contained executable file.
The worm will also try to gather email addresses by scanning all document files that it can find. It will avoid sending itself to email addresses containing blacklisted words such as “abuse” or “support” in order to avoid sending itself to the good guys.
Image 3: An example of fraudulent email sent by the worm.
Note that the email example above attempts to appear as though it’s coming from Hallmark, which has nothing to do with malicious activities. The worm is trying to disguise its email messages to make it appear as though they are coming from a legitimate company. To do this, the worm copies names of popular websites into the messages in order to lure the user into trusting the email and opening the malicious attachment.
Ackantta will try and copy itself in the RECYCLER folder of removable drives:
Image 4: The worm hides itself in the RECYCLER folder of a removable drive, also infecting it with a malicious “autorun.inf” file.
The worm will scan the computer for the presence of IIS or Apache Web servers. If found, it will copy itself to the root location of the Web server, along with the following fake index.html page:
Image 5: The fake security warning that replaces the index page of a compromised website. The link points to the executable file of the virus.
In this trick, if the compromised computer is hosting a website, its home page will be replaced by a fake security warning with a link to the worm itself. Whoever visits the website will see the fake page and may be lured into downloading and executing the worm.
When it is run, this new Ackantta variant will use the direct kernel object manipulation (DKOM) technique—popular in rootkits—to hide its own process. This technique is usually performed in kernel mode by loading system drivers or by injecting and running code in kernel mode with some well-known technique or exploit. The interesting thing is that Ackantta uses the DKOM technique instead, without requiring any execution of code in kernel mode. To do so, it uses the undocumented ZwSystemDebugControl Windows function. This function is not new; it has been discussed and documented by researchers in the past. It has also been used by malware because it allows a user-mode application to read or write to memory locations that are in kernel mode, meaning that an application can effectively access and modify the kernel’s code and data. In particular, Ackantta is interested in modifying the list of running processes in order to hide its own process from Task Manager.
Turn off security
To avoid being detected or blocked, the worm will try to bypass common security products and features. It will:
• Disable User Access Control.
• Add itself to the allowed list of applications for the Windows Firewall.
• Stop and remove services from known security products.
• Remove the Run keys of known security products.
• Terminate processes from known security products.
• Remove all hooks from the kernel’s system service dispatch table (SSDT) in order to neutralize security checks imposed by products such as antivirus software.
This last trick again requires the ability to manipulate kernel mode memory. And, again, Ackantta is able to accomplish this task without running code in kernel mode. It will not use the technique mentioned above involving ZwSystemDebugControl. Instead, the worm will use another old and well-known technique that relies on the use of the \Device\PhysicalMemory system object. This object is a device to which applications can interface with, offering the possibility of having direct access to physical memory. In particular, the worm will access the physical memory pages that contain the kernel mode SSDT and will overwrite it with a known, clean version of the original SSDT that does not contain any hooks.
This is an old trick and it has been observed in the past. It is unusual to see the use of two different techniques to accomplish the same task—this may be down to several different reasons. Maybe the author found it simpler to use one technique in the first case and the other in the second. Or maybe the code was updated by a different person. In any case, Microsoft has updated their operating systems and these techniques no longer work on newer kernels. This means Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 are protected. The 64-bit version of Windows XP is protected; however, the 32-bit version is not.
In conclusion, the level of sophistication in this threat has greatly improved. It uses many tricks that, when combined together, make this a dangerous worm. Be careful when handling email messages with attachments or when downloading executables from file-sharing networks. Also, don’t blindly trust data from removable media or emails from friends. Being cautious is always the best security practice a user can follow.