Security Community Blog

W32.Changeup keeps on giving - Support Perspective and Battle Plan

Created: 30 Nov 2012 • Updated: 27 Sep 2013 • 15 comments

I. BACKGROUND:
In mid-2009, W32.Changeup was first discovered on systems around the world. Over the last few years, Symantec Security Response has profiled this threat, explained why it spreads, and shown how it was created. Since November 2012 we have seen weekly spikes in the number of W32.Changeup detections and infections. The increase in detections is the result of a renewed W32.Changeup campaign that is now active in the wild.

II. THREAT DETAILS:
When a system is compromised, W32.Changeup may install additional malware. These secondary threats have the ability to download even more malware onto the compromised machine. The worm copies itself to removable and mapped drives by taking advantage of the AutoPlay feature in Windows.

This current campaign has an additional social engineering trick built in. The threat writes itself to shares and attempts to imitate the share name and icon. It then hides the actual folders in the share. All this has the effect of fooling the end-user into clicking on the threat and running it, as if it were the share they were trying to access.

Known Aliases:

  • W32/Autorun.worm.aaeh [McAfee]
  • Gen:Variant.Symmi.6831 [F-Secure]
  • Worm.Win32.VBNA.b [Kaspersky]
  • Win32/Vobfus.MD [Microsoft]
  • Trj/CI.A [Panda Software]
  • W32/VBNA-X [Sophos]
  • WORM_VOBFUS [Trend]
  • Win32/Vobfus.MD [ESET-NOD32]

How it spreads:

  • W32.Changeup uses AutoPlay (autorun.inf) files to launch itself automatically when an infected removable or mapped drive is opened.
  • W32.Changeup copies itself to open shares, hides legitimate folders, and then imitates folders in the share.
  • W32.Changeup’s current iteration does not appear to also use the LNK vulnerability to spread, but that functionality may return, because Changeup downloads new versions of itself very quickly.
  • In many cases the initial infector appears to be through a Trojan.Zbot received through a spam run.
  • The threat also can save copies of itself into .win and .rar containers.

Common file names:

  • Porn.exe
  • Passwords.exe
  • Sexy.exe
  • Secret.exe

Quickly Appearing Variants:
Changeup downloads new versions frequently to evade AntiVirus signatures. The W32.Changeup write-up has a list of specific domains the threat is known to reach out to for updates.

Communication for the current Changeup campaign:


Symantec Endpoint Protection:

Antivirus Signatures

Intrusion Prevention System

Applying the 5 Steps of Virus Troubleshooting to a W32.Changeup Outbreak (AKA the Changeup Battle Plan)

Step 1. Identify the threat

  • See above, but don't guess. Submit the files if you're not sure.

Step 2. Identify infected machines:

  • Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
  • The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
  • Traffic on the known C&C ports or to known W32.Changeup domains is a good indicator of a potentially infected machine. See the W32.Changeup write-up.
  • Protecting and managing file servers is often the key to solving any outbreak scenario. Unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

  • Changeup updates itself VERY quickly and that "unprotected server in the closet" will pull down an as-yet-undetected variant sooner or later, infecting the whole network once again.
  • Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
  • Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

  • Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
  • Don’t forget file servers. This bears repeating.
  • Folders may have to be manually renamed or unhidden.
  • Windows Update may have to be manually re-enabled.
  • These changes cannot be done as part of the automatic repair routine of Endpoint, as many users have intentionally hidden folders or disabled automatic Windows Update.
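One way to script the folder clean-up from Step 4 (an added PowerShell example, not Symantec's own tool or code): it lists directories under a share root that are hidden or "super hidden" (Hidden + System), flags any sibling .exe named after a folder (the worm's imitation lure) and any autorun.inf at the root, and with -Fix clears the hiding attributes. The share path and the -Fix switch are assumptions of this example; the .exe files are left for the AV scan to quarantine.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$SharePath,  # e.g. \\fileserver\Projects (assumed)
    [switch]$Fix                                       # clear Hidden/System on flagged folders
)

$hiddenSystem = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
$findings = @()

# autorun.inf at the root of a drive or share is the AutoPlay spreading hook described above
$autorun = Join-Path $SharePath 'autorun.inf'
if (Test-Path -LiteralPath $autorun -PathType Leaf) {
    Write-Warning "autorun.inf present at $autorun - submit it along with the scan results"
}

# -Force includes the hidden and system directories that Explorer omits by default
foreach ($dir in Get-ChildItem -LiteralPath $SharePath -Directory -Force) {
    $isHidden = ($dir.Attributes -band $hiddenSystem) -ne 0
    # The lure is a file named after the folder, e.g. Reports.exe beside a hidden Reports\
    $lure = Join-Path $SharePath ($dir.Name + '.exe')
    $hasLure = Test-Path -LiteralPath $lure -PathType Leaf

    if ($isHidden -or $hasLure) {
        $findings += [pscustomobject]@{
            Folder  = $dir.FullName
            Hidden  = $isHidden
            LureExe = $(if ($hasLure) { $lure } else { '' })
        }
        if ($Fix -and $isHidden) {
            # Clear only Hidden and System; keep any other attributes the folder had
            $dir.Attributes = [System.IO.FileAttributes]($dir.Attributes -band (-bnot $hiddenSystem))
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No hidden folders or folder-named .exe lures found under $SharePath"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it first without -Fix and review the report: a folder a user hid on purpose (the case the last bullet above warns about) shows up in the same list as the worm's work, so only un-hide the ones that have a matching lure or that users confirm should be visible.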

Step 5. Prevent future outbreaks:

  • AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
  • An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in its tracks.
  • Remove write-access on shares from users not needing this level of access.
  • Maintain a strict patching regimen. Changeup and threats like it often add new capabilities in response to new vulnerabilities.
  • Infected customers should block the Command and Control (C&C) servers, or they will quickly become re-infected with new variants.
  • Upgrade to SEP 12.1 with SONAR and Download Insight.

What W32.Changeup is not:

  • It isn’t a file infector. W32.Changeup does not infect files, so detected samples should simply be quarantined or deleted.
  • It doesn’t break AntiVirus. A variant a few years ago disabled AV; this one (so far) doesn’t.
  • It isn’t magic. It’s easy to panic in an outbreak, but don’t let your imagination run away with you and lead you to attribute every unexpected behaviour to the malware. There is actually nothing unusual about this worm’s ability to spread. Its biggest feature is the number of variants it can quickly download into an environment.
  • It isn’t gone. Historically, Changeup has wrought havoc for a week and then gone quiet for a short time, only to flare back up again. Stay vigilant. Once clean, strongly consider a full implementation of SEP 12.1.
  • It isn’t a targeted attack. There are no indications, at this time, that this campaign is a targeted attack.

III. REFERENCES:
Security Response Blog - W32.Changeup - A Malicious Gift That Keeps On Giving

http://www.symantec.com/connect/blogs/w32changeup-malicious-gift-keeps-giving

Chicken or Egg: Where does W32.Changeup Come From?
https://www-secure.symantec.com/connect/blogs/chic...

W32.Changeup
http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99

Preventing AutoRun Feature
http://www.symantec.com/business/support/index?page=content&id=TECH104447

Credits:
Original content borrowed from:
Satnam Narang - Symantec Security Response
Christopher Johnson - Symantec Enterprise Support

Appendix: Change Log

Sept 27 2013
Updated C&C server info

Aug 20th 2013
Updated C&C server info

May 28th 2013
Updated C&C server info

May 17th 2013
Updated C&C server info
added Bloodhound.MalVB

May 13th 2013
Updated C&C server info

May 8th 2013
Updated C&C server info

March 26th 2013
Updated C&C server info
Emphasized NAS devices

Dec 5th 2012
Added to "How it spreads" section:
In many cases the initial infector appears to be through a Trojan.Zbot received through a spam run.
The threat also can save copies of itself into .win and .rar containers.

Added to reference section:
Chicken or Egg: Where does W32.Changeup Come From?
https://www-secure.symantec.com/connect/blogs/chicken-or-egg-where-does-w32changeup-come


JMan1018 wrote:

I got this new variant of the W32.Changeup virus on our system. Symantec tech support has helped me to download the latest definitions for 11/30/12 and I have run a full system scan on all the clients and server. Found the client that was affecting the system and removed it from the network. Now we cannot see my shared folders on the server and on a NAS file server. I know they are there because I can type the path in Windows Explorer and see the folders. On the server I have a shared folder for our ERP software and cannot start the database services because it cannot see the files. How do I unhide these folders and files?

JMan1018

Brandon Noble wrote:

@Jman1018
The folders are set to either "hidden" or "super hidden".

You will first need to check "show hidden files and folders" and then uncheck "hide protected system files". This will allow you to see the folders.
Next, change the settings on the folders to not be hidden.
Finally, rename the folders, as necessary.

Good luck!
Brandon

Brandon Noble
ESS Incident Response Officer
Security Response Liaisons
Symantec Corporation 
www.symantec.com

qitupx wrote:

Hello,

I installed a utility called Febooti file tweak that will let you change the attributes easily. The main issue is that I have all the definitions up to date on all of these machines (we are on SEP 11 with latest defs) and ran full scans, yet it seems Symantec does not recognize one of the files (google.com under the Application Data), and the file runs, does its damage, THEN Symantec recognizes the common sexy, porn and what not files as the virus. But now the damage has been done and I have to go back and remove all the hidden files and delete the fake files it creates.

Brandon Noble wrote:

It looks like the attacks have resumed as of Tuesday Jan 8th, and Wednesday saw one of the largest impacts we have seen during this run.

There has been nothing much different with the latest runs, with one minor exception. A new downloader component was added. Symantec has added detection for this part as W32.Changeup!gen34.

So it seems the attackers took a bit of a holiday and now it’s back to work.

js15 wrote:

Everything is up to date yet ZBOT attachments are never stopped when launched by a foolish end user. Why doesn't SEP catch this?

Brandon Noble wrote:

We are still seeing this threat very commonly in the wild. New variants come in waves several times a week.

SEP 12.1 with SONAR does a great job of protecting against it, but SEP 11 with AV only just doesn’t have the tech to be proactive.

Also... as I called out in Step 2 of the Battle Plan, "unprotected NAS devices are at risk!" A lot of folks think that since these are generally non-Windows devices, they don’t need the protection. This is disastrously false.

You need real-time protection on your NAS device. Not mapping the drive and scanning from a SEP client, and not a scan engine that allows the traffic and then cleans up afterward. You need to have something in front of your NAS or File Server that prevents malicious files from being written to it.

  • Will this affect my production?
    YES. Scanning files makes file copies and execution slower.
  • How much slower?
    Much of this depends on the amount of traffic, the load balancing you can give the scanning machine, and the product and configuration you use.
  • What are my options?
    Talk to your account team about getting a trial for the scan engine that fits your environment.

Mick2009 wrote:

Symantec Protection Engine (formerly known as Scan Engine) is an excellent tool for NAS: more details... http://www.symantec.com/protection-engine-network-attached-storage

With thanks and best regards,

Mick

js15 wrote:

Really disappointed here. I have always used Symantec for all my customers. This thing has gotten through SEP too many times and unfortunately been executed by some end users, causing many problems. I've become an expert at finding and killing it myself. I thought that was Symantec's job. I think I will find a new AV product for my customers.

Brandon Noble wrote:

@JS15
I'm sorry you are having a hard time with this.

SEP 12.1 with SONAR has been very effective at stopping this threat. SEP 11, much less so.

We saw this type of attack as likely and have developed the additional components to handle it. If you're using AV only, then you're not going to have very much luck at preventing it from getting into your networks.

Please feel free to send me a message or open a case and I'll see if there is something we can do to help out with the situation.

Brandon Noble wrote:

Just updated the C&C information with a new one.
As of May-7th the threat started using domai.dns00.net as well.

Brandon Noble wrote:

Updated the C&C information again.
As of May-7th the threat started using domai.xddns.biz as well.

Brandon Noble wrote:

Updated C&C information again

As of May-17th the threat started using the following domains:


Brandon Noble wrote:

Updated C&C information again

As of May-28th the threat started using the following domains:


Brandon Noble wrote:

Added new C&C data

port: 7005

Removed old C&C data

RajR... wrote:

Updated C&C information:
