With all the hoopla these days surrounding the “Storm Worm”, our Research Team feels that there are some EXTREMELY DANGEROUS threats out there that are being overlooked. One such threat is Trojan.Netview. You may recall that it was observed being installed during the Bank of India hack.
One variant that we have recently found being distributed is actually detected quite well. Some appear to be general heuristic detections, but the malware itself is over one month old so most antivirus companies should be detecting it by now. It is interesting, however, that no attempts have been made to change it’s signature in order to defeat security software.
While detection by major antivirus companies is good, there are still several factors that make this Trojan extremely dangerous.
1. It uses Net View to find vulnerable network shares to steal data from
The name “Trojan.Netview” was devised by the simple fact that this malware uses the net view command. According to Microsoft:
Net view displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.
You can try this yourself by typing the command “net view” inside of a command prompt.
By using this command, the Trojan is able to search for vulnerable network shares to steal information from. A server or workstation containing accounting databases, credit card information, bank account information, system backups, company trade secrets or any other sensitive data, doesn’t need to be infected in order for the data to be stolen. Instead, just a single infected user on the network who has access to network shares containing this data, is putting their company or business at serious risk.
Once the Trojan has identified these vulnerable systems, the data is copied from them and uploaded to an FTP server located in Russia.
2. It is highly distributed
For over a one month now, the MD5 hash of the Trojan has not changed. This fact, may be itself an indicator that the malware is having success. Typically, malware authors re-compile their code quite often in order to defeat security software (as an example, the “Storm Worm” typically changes every sixty (60) seconds).
In addition, Trojan.Netview is usually bundled with massive malware infestations that usually contain software which disables security software.
These days, it seems that we cannot get away without mentioning the Storm Worm, but there happens to be a relationship between Storm and Trojan.Netview. On 10/11/2007, the Storm Worm code changed a little bit. One of these changes was the ability for it to make multiple copies of itself on the infected system with the name “_install.exe”. Another change in the Storm code is the ability to inject malicious IFRAMES into HTML documents (htm, php, asp, xml, etc). This mean that any webmaster making modifications to a webpage and is infected with Storm, is aiding in the propagation of additional malicious code. With the sheer volume of infected Storm hosts, there is no doubt that some websites are going to be automatically defaced by this added functionality.
One recent webpage analyzed by our research team containing the injected code, is responsible for the installation of Trojan.Netview, as well as several other pieces of malware:
Unfortunately, this hotel PMS (Property Management System) appears to be yet another victim of the Storm. Notice that there is a copy of storm, “_install.exe”, which we mentioned earlier located on this remote server:
It is unknown what other data may have been stolen from this hotel.
3. It does a decent job of hiding itself
Trojan.Netview typically copies itself to your root directory as “wsusupd.exe”, with the hidden system file attribute set. While this may seem a bit archaic compared to more sophisticated malware that use rootkit technology to hide, it does not mean that this stealthing technique is ineffective. Out of the box, Windows is not configured to show system hidden files and most end users do not bother to set the option to view them.
4. Specific targets?
Trojan.Netview appears to search for specific data to collect, exibiting a particular interest in transaction systems, database backups, and even antivirus quarantine folders (which we observed earlier during the Bank of India hack). For obvious reasons, there are pictures that we can’t share be here are some that we can.
This appears to be a phisher who had his/her information stolen:
This Giftshop’s data is now in the hands of the bad guys:
Pictured here is a dump of credit card transactions. The logs have since been removed from the server:
This appears to be a 911 emergency center system. While we are not 100% certain, “STATION1” could be one indicator:
So what can be done protect yourself or organization from this threat? As we have preached many time before: Keep your systems patched and use up to date antivirus software or other security software. Of course, a full scan with CounterSpy or CounterSpy Enterprise will remove all variants of this Trojan that we know about.
To see if you are currently infected, it might be a good idea to monitor your network for traffic flow to the IP address: 220.127.116.11. And while you are at it, be sure to deny all access to this address on your firewall.