Slenfbot

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Aliases

The majority of Antivirus (A/V) vendors use the following naming conventions when referring to this family of malware (the * at the end of the names is a wildcard for all the possible classifications and/or distinctions for this malware family):

Publicly Known Efforts

None publicly known.

Malware Profile

Summary

Slenfbot is a worm that spreads using links to websites containing malicious software (malware) via instant messaging programs, which may include MSN/Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo Messenger, Google Chat, Facebook Chat, ICQ and Skype. The worm propagates automatically via removable drives and shares, or on the local network through the Windows file sharing service (i.e., Server or LanmanServer service). Slenfbot also contains backdoor capabilities that allow unauthorized access to an affected machine.[1][2][3][4][5][6] The code appears to be closely controlled, which may provide attribution to one group and/or that the malware authors share a significant portion of the code. Slenfbot has been seen in the wild since 2007, obtained new features and capabilities over time, and subsequent variants have systematically gained similar, if not the same, feature sets. Because of this, Slenfbot continues to operate as an effective infector and dynamic downloader of additional malware; thus, making it a highly functional delivery mechanism for other spyware, information stealers, spam bots as well as other malware.[4]

Installation

When executed, Slenfbot copies a duplicate of the malicious payload to the %SYSTEM% folder with a filename, which varies per the particular variant and sets the attributes for the copy to read only, hidden and system to hide the contents in Windows Explorer. The worm then makes changes to the registry to maintain persistence so that the malware executes a duplicate copy on each subsequent startup of the system (e.g. copying the malicious executable to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey). Several variants may modify the registry during installation to add the malware to the list of applications that are authorized to access the Internet; thus, allowing the malware to communicate without raising Windows security alerts and run unimpeded by the Windows Firewall.[1][2][3][4][5][6]

In some cases, variants may instead modify the registry to install the malicious payload as a debugger for the benign system file ctfmon.exe so that ctfmon.exe executes on system startup, which leads to the execution of the malware.[1]

In most cases, Slenfbot will attempt to delete the original copy of the worm. Some variants may make additional modifications to the registry in order to delete the originally executed copy of the worm when the system restarts.[1][2][3][5][6]

Some Slenfbot variants may, on initial execution, test to see if MSN/Windows Live Messenger is currently running by looking for a window with the class name "MSBLWindowClass". If the worm finds the window, the malware may display a fake error message.[1]

If Slenfbot is launched from a removable drive, some variants may open Windows Explorer and display the contents of the affected drive. Certain Slenfbot variants may inject a thread into explorer.exe, which periodically checks for the presence of the malware in the System folder. If the file is not found, the malware downloads a new copy from a specified server and launches the new copy.[1][4][6]

Method of Propagation

Instant Messaging

Slenfbot uses instant messaging as an attack vector to spread the worm to other accounts and contacts. The remote attacker may use the worm’s backdoor capabilities to instruct Slenfbot to spread via MSN/Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo Messenger, Google Chat, Facebook Chat, ICQ and Skype. The worm connects to a remote server and sends a copy of a URL, which contains a list of possible messages to send randomly; creates a ZIP archive, which contains a copy of the malware; and then sends the ZIP archive to other instant messaging client contacts.[1][2][3][4][5][6] Following are some examples of the messages the worm may spread:

The ZIP file includes a file name for the Slenfbot executable, and may also contain a URL for a file to download in situations where the attacker instructs the worm to send arbitrary file(s).[1][5][6]

Removable Drives

Slenfbot may spread to removable drives by creating a directory called “RECYCLER” in the root directory of the removable drive. The malware will then create a subdirectory in the “RECYCLER” folder (e.g. “S-1-6-21-1257894210-1075856346-012573477-2315”), and copy the malicious payload to the directory using a different name for the executable (e.g. “folderopen.exe”). Slenfbot may also create an autorun.inf file in the root directory of the drive so that the worm may execute if the drive is connected to another system.[1][6]

Certain variants may download an updated copy of Slenfbot from a location specified in the worm, and write the file to a directory (e.g. using the name “~secure”). For all the locations the worm copies itself to, Slenfbot sets the hidden and system attributes on the respective directories and files.[1][5][6] In some circumstances due to a programming issue, Slenfbot may only create one directory rather than two (e.g. “E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe”).[1]

File and Print Shares

Slenfbot may spread to accessible shares upon successful compromise of a system. The worm may also spread to file and print shares by exploiting known vulnerabilities such as MS06-040 or MS10-061, which pertain to issues with the Server and Print Spooler services, respectively. The attacker would have to instruct the worm to spread to the remote system via exploit or instant messaging in order to continue the propagation of Slenfbot.[1][5][6][7][8]

Payload

Prevention

The following steps may help prevent infection:

Recovery

Slenfbot uses stealth measures to maintain persistence on a system; thus, you may need to boot to a trusted environment in order to remove it. Slenfbot may also make changes to your computer such as changes to the Windows Registry, which makes it difficult to download, install and/or update your virus protection. Also, since many variants of Slenfbot attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known/possible locations.

One possible solution would be to use Microsoft’s Windows Defender Offline Beta to detect and remove Slenfbot from your system. For more information on Windows Defender Offline, go to: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline [1][2][3]

See also

References

  1. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Microsoft Malware Protection Center (2008-08-26). "Win32/Slenfbot". Microsoft. Retrieved 2012-06-17.
  2. 1 2 3 4 5 6 7 Microsoft Malware Protection Center (2012-02-15). "Worm:Win32/Stekct.A". Microsoft. Retrieved 2012-06-17.
  3. 1 2 3 4 5 6 7 8 Microsoft Malware Protection Center (2012-02-29). "Worm:Win32/Stekct.B". Microsoft. Retrieved 2012-06-17.
  4. 1 2 3 4 5 6 7 8 Microsoft Malware Protection Center (2008-09-17). "Win32/Slenfbot - Just Another IRC bot?". Hamish O'Dea. Retrieved 2012-06-17.
  5. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Methusela Cebrian Ferrer (2008-10-01). "Win32/Slenfbot". CA Technologies. Retrieved 2012-06-17.
  6. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 ESET Threat Encyclopaedia (2011-01-17). "Win32/Slenfbot.AD". ESET. Retrieved 2012-06-17.
  7. Microsoft Security Tech Center (2006-08-08). "Microsoft Security Bulletin MS06-040". Microsoft. Retrieved 2012-06-17.
  8. Microsoft Security Tech Center (2010-09-14). "Microsoft Security Bulletin MS10-061". Microsoft. Retrieved 2012-06-17.
  9. "Malwr.com". Retrieved 2012-06-17.
  10. "VirusTotal". Retrieved 2012-06-17.
  11. "Anubis". Retrieved 2012-06-17.
  12. "Wepawet". Retrieved 2012-06-17.
  13. Kurt Avish (2012-05-22). "Stekct.Evl". Sparking Dawn. Retrieved 2012-06-17.
  14. Maninder Singh (2012-05-22). "Stekct.Evi". HackTik. Retrieved 2012-06-17.
This article is issued from Wikipedia - version of the Saturday, August 29, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.