
HTTP Infostealer Monstres Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Infostealer.Monstres communicating with its controlling server and requesting information from it.

Additional Information

When the Trojan is executed, it creates the following mutex to ensure that only one copy of the threat is running on the computer:
__SYSTEM__91C38905__

It checks for the presence of the following firewall programs:
OUTPOST.EXE

Next, the Trojan copies itself to the following location and appends a random amount of data to the copy so that its file size varies between infections:
%System%\ntos.exe

It creates the following folder with system and hidden attributes:
%System%\wsnpoem

The Trojan then creates the following files, the first of which is used to save gathered information and the second to store the encrypted configuration of the Trojan:

* %System%\wsnpoem\audio.dll
* %System%\wsnpoem\video.dll


Next, the Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"pathx" = [MALWARE_ORIGINAL_FILENAME]

It also modifies the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"

Next, it injects malicious code into the following running processes:

* WINLOGON.EXE
* SVCHOST.EXE


It attempts to create a malicious thread in all running processes except for the following one:
CSRSS.EXE

The Trojan creates some of the following mutexes to synchronize all active threads while running in memory:

* __SYSTEM__23D80F10__
* __SYSTEM__45A2F601__
* __SYSTEM__7F4523E5__
* __SYSTEM__91C38905__
* __SYSTEM__64AD0625__


The injected code hinders removal of the Trojan by blocking access to, and deletion of, all of the malicious files and by regenerating the registry subkeys associated with the Trojan whenever they are deleted.

Next, it may add the following registry entries as infection markers for the compromised computer:
HKEY_LOCAL_MACHINE\Software\microsoft\windows nt\currentversion\network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"
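The dropped files, the Winlogon "pathx" and "Userinit" entries and the "UID" infection marker described above are the host-side indicators a responder would check for. The following Python is an added example, not Symantec's code or part of the signature itself: it runs offline over a constructed registry snapshot (a dict of key paths to value names and data) and a constructed list of file paths, so the host names, file paths and UID value in the sample are assumptions. The write-up does not specify the format of [UNIQUE_ID], so the UID check flags the presence of the value rather than parsing it.

```python
# Registry keys named in the write-up. Snapshot keys are assumed to use this exact spelling.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NETWORK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network"

# Executables winlogon is expected to launch from Userinit on a clean system.
LEGIT_USERINIT = {"userinit.exe"}

# Dropped-file names from the write-up, matched case-insensitively on the tail of the path.
DROPPED_FILE_TAILS = ("ntos.exe", "wsnpoem\\audio.dll", "wsnpoem\\video.dll")


def userinit_extra_entries(value):
    """Return the entries in a Winlogon Userinit value other than userinit.exe.

    Userinit is a comma-separated list of programs winlogon runs at logon.
    A clean value is "%System%\\userinit.exe," (the trailing comma is normal),
    so anything else in the list is a persistence candidate.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in LEGIT_USERINIT:
            extras.append(entry)
    return extras


def scan_registry_snapshot(snapshot):
    """Check a {key_path: {value_name: data}} snapshot for the registry indicators.

    Value names are compared case-insensitively, as the registry does.
    Returns a list of (indicator, detail) tuples; an empty list means nothing found.
    """
    findings = []
    winlogon = {k.lower(): v for k, v in snapshot.get(WINLOGON_KEY, {}).items()}
    network = {k.lower(): v for k, v in snapshot.get(NETWORK_KEY, {}).items()}

    for extra in userinit_extra_entries(winlogon.get("userinit", "")):
        findings.append(("userinit_extra_entry", extra))
    if "pathx" in winlogon:  # not a value Windows itself creates under Winlogon
        findings.append(("winlogon_pathx_value", winlogon["pathx"]))
    if "uid" in network:  # infection marker; format of the unique ID is not documented
        findings.append(("network_uid_marker", network["uid"]))
    return findings


def dropped_file_hits(paths):
    """Return the paths whose tail matches one of the dropped-file names."""
    hits = []
    for path in paths:
        norm = path.replace("/", "\\").lower()
        if any(norm.endswith("\\" + tail) for tail in DROPPED_FILE_TAILS):
            hits.append(path)
    return hits


# Constructed sample data (not taken from a real host) mirroring the entries in the write-up.
# The "pathx" data stands in for [MALWARE_ORIGINAL_FILENAME]; the UID value is made up.
SAMPLE_SNAPSHOT = {
    WINLOGON_KEY: {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\ntos.exe",
        "pathx": r"C:\Documents and Settings\user\Desktop\invoice.exe",
    },
    NETWORK_KEY: {"UID": "WORKSTATION1_4F2A9C11"},
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ntos.exe",
    r"C:\WINDOWS\system32\wsnpoem\audio.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for indicator, detail in scan_registry_snapshot(SAMPLE_SNAPSHOT):
        print(indicator, detail)
    for hit in dropped_file_hits(SAMPLE_PATHS):
        print("dropped_file", hit)
```

On a live host the snapshot would come from exporting the two keys (for example with reg export) and the path list from a directory walk of %System%; the wsnpoem folder is created with hidden and system attributes, so the walk must not skip hidden entries. Because the injected code regenerates these registry subkeys, a clean result immediately after deleting them does not mean the infection is gone; rescan after the processes hosting the injected threads have been stopped.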

It then hooks the following functions in NTDLL.DLL using rootkit techniques to ensure that its code is injected into each process:

* NtCreateThread
* LdrLoadDll
* LdrGetProcedureAddress


The Trojan attempts to hook the following functions in the WININET.DLL library to have control of network functionalities and to steal sensitive information:

* HttpSendRequestW
* HttpSendRequestA
* HttpSendRequestExW
* HttpSendRequestExA
* InternetReadFile
* InternetReadFileExW
* InternetReadFileExA
* InternetQueryDataAvailable
* InternetCloseHandle


It attempts to hook the following functions in the WS2_32.DLL and WSOCK32.DLL libraries to have control of network functionalities and to steal sensitive information:

* send
* sendto
* closesocket
* WSASend
* WSASendTo


The Trojan may perform the following actions when the user visits Web sites:

* Intercept network traffic
* Redirect traffic
* Steal sensitive data


The Trojan can steal sensitive information from the monster.com Web site by using an employer/recruiter account that is supplied by the attacker. It downloads the details for the account from the following location:
http://[REMOTE SERVER]/mnstr/grabv2.php?getid=1

Next, the Trojan logs in to the following monster.com Web sites using the provided account:

* http://recruiter.monster.com
* http://hiring.monster.com


It then searches for all available resumes, stealing the following information from each resume:

* Name
* Email address
* Home address
* Mobile and home phone numbers


Next, it attempts to post the stolen information to the following Web site:
http://[REMOTE SERVER]/grabv2.php
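The two requests above, the GET that fetches the recruiter account and the POST that uploads the harvested resume data, are the HTTP activity this signature covers, and they can also be picked out of proxy logs. The following Python is an added example, not Symantec's signature logic: it matches on the URI path and query only, because the write-up gives the server only as [REMOTE SERVER], and it runs over constructed log lines in an assumed "client method url status" format with a placeholder C2 host. It generalises slightly beyond the page by matching any getid value rather than only getid=1, since other IDs would be the same behaviour.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log format (assumption): "<client> <method> <url> <status>", one request per line.
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(method, url):
    """Label a request that matches the Monstres C2 pattern, or return None.

    account_fetch: GET .../grabv2.php?getid=<n>  (pulls the recruiter account)
    data_post:     POST .../grabv2.php           (uploads harvested resume data)
    grabv2_other:  any other request to a grabv2.php path, worth a look but weaker
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/grabv2.php"):
        return None
    query = parse_qs(parts.query)
    if method == "GET" and "getid" in query:
        return "account_fetch"
    if method == "POST":
        return "data_post"
    return "grabv2_other"


def detect_monstres(log_lines):
    """Return (client, label, url) for every log line that classifies as Monstres C2."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than guess at fields
        label = classify_request(match["method"], match["url"])
        if label:
            hits.append((match["client"], label, match["url"]))
    return hits


def infected_clients(hits):
    """Clients that both fetched the account and posted data, i.e. the full cycle described."""
    seen = {}
    for client, label, _ in hits:
        seen.setdefault(client, set()).add(label)
    return sorted(c for c, labels in seen.items() if {"account_fetch", "data_post"} <= labels)


# Constructed sample lines (not real traffic). c2.example.invalid stands in for [REMOTE SERVER].
SAMPLE_LOG = [
    "10.0.0.5 GET http://c2.example.invalid/mnstr/grabv2.php?getid=1 200",
    "10.0.0.5 GET http://recruiter.monster.com/ 200",
    "10.0.0.5 POST http://c2.example.invalid/grabv2.php 200",
    "10.0.0.7 GET http://www.example.com/index.php?getid=1 200",
    "10.0.0.9 GET http://c2.example.invalid/grabv2.php 404",
]

if __name__ == "__main__":
    hits = detect_monstres(SAMPLE_LOG)
    for client, label, url in hits:
        print(client, label, url)
    print("full cycle seen from:", infected_clients(hits))
```

Logins to recruiter.monster.com and hiring.monster.com are deliberately not flagged on their own, since legitimate recruiters generate the same traffic; the grabv2.php requests are the distinguishing part, and a client that shows both the fetch and the post has completed the cycle described above.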

The Trojan may contact the following site to get instructions for spam and additional configuration information:
[http://][REMOTE SERVER]/sp[REMOVED]

It sends spam email and attempts to contact the following SMTP server:
smtp.bizmail.yahoo.com

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.