Archive for January, 2010
JS/trojan redir analysis
Last weekend a couple of friends asked me to look after their websites; they had received complaints from users whose antivirus software started alerting when they visited the sites. So I started up my malware research machine and used McAfee FileInsight to go over the website. My AV (NOD32) went crazy and alerts popped up.
It looked as if all index.html and index.php files were infected.
When analyzing these pages I discovered obfuscated script code at the bottom of the source code.
Submitting this code to VirusTotal, I got the following response:
S/TrojanDownloader.Agent.NRO trojan – NOD32
Trojan-Downloader.JS.Pegel.c – Kaspersky
MD5 : f6040c041562a481ea0b4d6a79d0ca49
After cleaning the index.* files I did a last check and downloaded the website folder to see whether I had missed any files; my AV again went into full alert, and now all *.js files were infected.
OK, analysis time: what is this trojan doing?
It injects hidden iframes with all kinds of URLs referring to different sites.
Example:
hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
hxxp://wowhead-com.gougou.com.redtube-com.viewhomesale .ru:8080/58.com/58.com/google.com/rediff.com/uol.com.br/
hxxp://it168-com.sky.com.xe-com.viewhomesale .ru:8080/google.com/google.com/pagesjaunes.fr/sify.com/nate.com/
hxxp://seznam-cz.king.com.boston-com.viewhomesale .ru:8080/linkedin.com/linkedin.com
UPDATE: thx Herzel for pointing me to your blog, where some screenshots of the code analysis can be found.
Earlier variants of this malware were already detected, but this variant uses code obfuscation and two ways to spread:
- inserting script code at the bottom of index.html and index.php files
- attaching/inserting code into *.js files
Word has spread that the Gumblar team is responsible for this virus.
Affected websites should:
* Delete infected files or restore them from backup.
* Patch all software on the box.
* Change all passwords, especially FTP ones.
* Review logs.
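A first pass at the file check described in this post, as an added example that is not code from the post or from any AV product: it walks a downloaded copy of a site and flags *.html, *.php and *.js files that contain a hidden iframe, a redirector URL of the ":8080/domain/domain/" shape shown above, obfuscated script, or a script body whose MD5 matches the VirusTotal result. The regexes, the host name and the sample files are constructed assumptions, not signatures taken from the post.

```python
import hashlib
import re
from pathlib import Path
# Indicator patterns are this example's own assumptions modelled on the post: a hidden
# iframe, an :8080 redirector chaining domain names, obfuscated script, the reported MD5.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
    r"|width\s*=\s*[\"']?0(?!\d)|height\s*=\s*[\"']?0(?!\d))[^>]*>", re.I)
REDIRECTOR = re.compile(r"https?://[\w.-]+:8080/(?:[\w.-]+\.[a-z]{2,}/){2,}", re.I)
OBFUSCATED = re.compile(
    r"(?:eval|document\.write)\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
KNOWN_MD5 = {"f6040c041562a481ea0b4d6a79d0ca49"}  # MD5 reported in the post

def scan_text(text):
    """Return the names of the indicators found in one file's content."""
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden-iframe")
    if REDIRECTOR.search(text):
        hits.append("redirector-url")
    if OBFUSCATED.search(text):
        hits.append("obfuscated-script")
    # Hash each <script> body and the whole file: the block sits at the bottom of index.*
    # files, and an infected *.js file may be the appended payload itself.
    blobs = [m.group(1).strip() for m in SCRIPT_BLOCK.finditer(text)] + [text.strip()]
    if any(hashlib.md5(b.encode("utf-8", "replace")).hexdigest() in KNOWN_MD5 for b in blobs):
        hits.append("known-md5")
    return hits

def scan_tree(root, suffixes=(".html", ".php", ".js")):
    """Walk a downloaded site copy; map relative path -> indicators for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample files (not content from the infected sites) to exercise the scanner.
SAMPLES = {
    "index.html": "<html><body>hi</body></html>\n<script>document.write(unescape('%3Ciframe'))</script>",
    "menu.js": "function f(){}\n/*appended*/ eval(unescape('%64%6f%63'));",
    "page.php": "<?php echo 1; ?>\n<iframe src=\"http://redirector.invalid:8080/google.com/google.com/avg.com/\" width=0 height=0 style=\"visibility:hidden\"></iframe>",
    "clean.html": "<html><body><iframe src=\"/player\" width=640 height=360></iframe></body></html>",
}

def scan_samples():
    """Run scan_text over SAMPLES and return only the files that were flagged."""
    return {n: h for n, h in ((n, scan_text(t)) for n, t in SAMPLES.items()) if h}
```

Run scan_tree on the downloaded site folder to get the same report for real files; a hit is a reason to diff the file against a known-clean copy, not proof of infection on its own.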
Anti-virus detection methods and how they are circumvented
In the ongoing battle between virus writers and AVers, different techniques and methods are used by both parties. In this short article I will discuss some of them. Virus writers use techniques like polymorphism, EPO (entry-point obscuring) or metamorphism to hide their code. AVers already know how to battle these.
So how would you detect a virus in the first place? By using wildcards. Wildcard signatures are one of the best-known detection techniques. An example of an AV vendor using this technique is ClamAV. ClamAV searches for patterns and includes some features to detect certain polymorphic engines. You can easily defeat this wildcard search by using an obfuscated polymorphic engine like Marburg.
Another trick to discover a virus is emulation. Emulation needs an entry point to begin the analysis. Most virus writers bypass the whole emulation with a trick that prevents the entry point from being discovered.
What other techniques do AVers use? Static analysis.
Static analysis comes in two types: the first is code disassembling and the second is static analysis of executables. Code disassembling will not be discussed in this article.
Static analysis of executables:
This type could simply be called "tracing the registers' behavior". The analysis works by tracing the registers and searching for a register that should belong to the decryptor (the counter or the pointer), then testing whether all of the decryptor's register behaviors are present. If they are, this code is decrypting the virus, so we should emulate this code and test whether the virus appears in memory. If not, the file is not infected.
How can this be defeated? Using dynamic register swapping:
This idea was recently published on certain forums. Any playing with the registers will defeat the static analysis of an executable. You could simply swap the registers in the middle of the code like this:
; ecx -> counter
xchg eax, ecx
; eax -> counter or ecx -> counter
This code swaps the registers in the middle of the decryptor code. The values are exchanged, so eax will hold the value of ecx and act as the decryptor's counter in the following instructions.
Another example:
; ecx -> counter
mov eax, ecx
; eax -> counter or ecx -> counter
This example discards the old value of eax, but you end up with two registers holding the same value, and either of them can act as the counter. Who can tell which one you chose as the counter? More scenarios for this trick are applicable. AVers need to keep up to date with the 'latest' tricks to adapt their detection methods and algorithms.