Putting an end to Retadup: Retadup mostly distributed cryptocurrency miners; in some cases, however, we also observed it distributing the Stop ransomware and the Arkei password stealer. The disinfection server responded to incoming bot requests with a specific response that caused the connected instances of the malware to self-destruct. At the time of publishing this article, the collaboration with the French Gendarmerie had neutralized over , unique infections of Retadup. This article begins with a timeline of the disinfection process.
A map illustrating the number of neutralized Retadup infections per country. Most victims of Retadup were in Spanish-speaking countries in Latin America. As part of our threat intelligence research, we actively hunt for malware that uses advanced techniques in an attempt to bypass our detection. At the time, a malicious Monero cryptocurrency miner piqued our interest because of its advanced, stealthy process hollowing implementation.
The Gendarmerie liked our idea and opened a case on Retadup. While the Gendarmerie was presenting the disinfection scenario to the prosecutor, we were busy analyzing Retadup in more detail. We created a simple tracker program that notified us whenever a new variant of Retadup appeared or whenever it started distributing new malicious payloads to its victims.
We then tested the proposed disinfection scenario locally and discussed the potential risks associated with its execution. Up to this point, the malware authors had mostly been distributing cryptocurrency miners, making for a very good passive income. All of the executable files on the C&C server were infected with the Neshta file infector.
The authors of Retadup had accidentally infected themselves with another malware strain. This proves a point that we have been trying to make, in good humor, for a long time: Avast Antivirus would have protected them from Neshta. As a side effect, it might also have protected them and others from their own malware. Alternatively, they could have used our free Neshta removal tool. Apanas is an alias for Neshta, based on a string contained in Neshta binaries.
In July , the Gendarmerie received the green light from the prosecutor, meaning they could legally proceed with the disinfection. In the very first second of the disinfection server's activity, several thousand bots connected to it to fetch commands. The Gendarmerie alerted the FBI, who took the remaining C&C servers down, and on July 8 the malware authors no longer had any control over the bots. This meant that they could no longer drain the computing power of their victims and that they no longer received any monetary gain from mining.
The most interesting piece of information for us was the exact number of infections and their geographical distribution. To date, we have neutralized over , unique infections of Retadup, with the vast majority located in Latin America.
We were able to determine that most of the infected computers had either two or four cores (the average number of cores per infected computer was 2.). Some also had their antivirus software disabled, which left them completely exposed to the worm and allowed them to unwittingly spread the infection further.
Because we are usually only able to protect Avast users, it was very exciting for us to help protect the rest of the world from malware on such a massive scale.

Bragging anonymously on Twitter

Despite the hundreds of thousands of machines infected by Retadup, the worm never got the attention it warranted from the security community. Trend Micro published a series of technical articles on Retadup back in and . Interestingly, the authors of Retadup decided to brag about their malware on Twitter.
Caption of the tweet screenshot: "D i will rule the world soome day"

Note that since there were multiple variants of Retadup (each with its own separate control panel), this control panel displays information about only one variant, so the real number of bots is much higher than what is shown here. Since no instructions on how to remove Retadup were available from the security industry, plenty of independent removal tutorials emerged online. On YouTube, the top five Retadup removal instructional videos have over , views combined.
Given the geographical distribution of Retadup infections, it is not surprising that these tutorials are mostly in Spanish. While they usually deal with just one specific variant of Retadup, the instructions they give should work fairly well, and they appear to have helped a lot of people. Unfortunately, these tutorials only cover the AutoIt variants of Retadup. There are also variants written in AutoHotkey, for which we found no tutorials.
On the other hand, almost every string in the AutoHotkey variants is randomized, so victims most likely do not know how and where to look for help. Most of these variants are very similar in functionality and differ only in how that functionality is implemented. The core is written in either AutoIt or AutoHotkey. In both cases, it consists of two files: the interpreter executable and the malicious script. This is in contrast to most AutoIt malware strains nowadays, which are generally composed of just a single malicious executable that contains both the interpreter and the malicious script.
In AutoHotkey variants of Retadup, the malicious script is distributed as source code, while in AutoIt variants the script is compiled first and then distributed. Fortunately, since compiled AutoIt bytecode is very high-level, it is not that hard to decompile it into a more readable form. The core follows the same simple workflow in most variants. First, it checks whether another instance of Retadup is already running.
If one is, it exits silently so that only a single instance of Retadup runs at any given time. Then it performs some basic checks to see whether it is being analyzed; if it detects that it is under analysis, it also exits silently. Subsequently, it establishes persistence and attempts to spread itself. There are many anti-analysis checks, and their specific implementation differs between Retadup variants.
Almost all Retadup samples first check the filesystem path they are running from. Most samples also implement a way to delay their execution: at the start, they either perform a single long sleep or a series of many short sleeps. Finally, some variants also check for running processes with names such as vmtoolsd.
This particular sample expects to be stored in a path such as C:

The scheduled task is created using the schtasks utility.

AutoIt variants of Retadup typically use hardcoded registry value names, while AutoHotkey variants tend to use both registry values and scheduled tasks with randomly generated names.

Persistence mechanisms established by an AutoHotkey sample of Retadup.
Retadup primarily spreads by dropping malicious LNK files onto connected drives. When spreading, Retadup iterates over all connected drives whose assigned letter is not C, and then goes through all folders located directly in the root folder of the currently selected drive.
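A defender-side counterpart to the spreading logic above, added here as an example (this is not code from the article or from Retadup): it scans the root of one drive, which is the only place Retadup drops its files, and flags every .lnk whose name is a sibling folder's name with at most a short string added, the naming scheme the next paragraph describes. The drive root is a constructed temporary directory with a few fake folders and shortcuts; the "copy fpl" suffix and the MAX_SUFFIX limit are assumptions for the demonstration.

```python
import tempfile
from pathlib import Path

# Assumed upper bound on the "short string" Retadup adds to the mimicked folder name.
MAX_SUFFIX = 16


def find_mimic_lnks(drive_root):
    """Scan only the root folder of a drive (Retadup touches nothing deeper) and return
    sorted (lnk_name, mimicked_folder) pairs for every .lnk whose name is a sibling
    folder's name followed by at most MAX_SUFFIX extra characters."""
    root = Path(drive_root)
    # Longest folder names first so "Documentos" wins over a hypothetical "Doc".
    folders = sorted((p.name for p in root.iterdir() if p.is_dir()), key=len, reverse=True)
    hits = []
    for entry in root.iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".lnk":
            continue
        stem = entry.stem.lower()
        for folder in folders:
            name = folder.lower()
            if stem.startswith(name) and len(stem) - len(name) <= MAX_SUFFIX:
                hits.append((entry.name, folder))
                break
    return sorted(hits)


def build_sample_drive():
    """Constructed fake drive root for the demonstration (not data from a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="drive_"))
    for folder in ("Fotos", "Documentos", "Trabajo"):
        (root / folder).mkdir()
    # Retadup-style mimics: folder name plus a short string, .lnk extension.
    (root / "Fotos copy fpl.lnk").write_bytes(b"L\x00\x00\x00")
    (root / "Documentos.lnk").write_bytes(b"L\x00\x00\x00")
    # Benign entries that must not be flagged.
    (root / "Unrelated shortcut.lnk").write_bytes(b"L\x00\x00\x00")
    (root / "notes.txt").write_text("nothing to see")
    (root / "Trabajo" / "Trabajo.lnk").write_bytes(b"L\x00\x00\x00")  # not root-level, ignored
    return root


if __name__ == "__main__":
    for lnk, folder in find_mimic_lnks(build_sample_drive()):
        print(f"{lnk!r} mimics folder {folder!r}")
```

This is triage logic, not a verdict: a legitimate shortcut that happens to start with a folder's name (a folder "Doc" next to "Docker.lnk") will also be listed, so confirm the hit by inspecting the shortcut's target before deleting anything.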
For each folder, it creates a LNK file that is meant to mimic the real folder and trick users into executing it. The LNK file is created under the same name as the original folder, differing only by a short string such as copy fpl. We have received hundreds of reports wrongly claiming that our detections of malicious LNK files created by Retadup were false positives. Each time the sample sends a request to its C&C server, it encodes some information about the victim in the path of the requested URL.
For example, one AutoHotkey sample in our testing environment sent a request to:

After decoding, the path would look like:

The C&C response is encoded the same way; after decoding it similarly to the HTTP request, we get:

Most of the commands contain a prefix and a suffix that identify the command (download- and -download in the above case), and the command arguments are enclosed between them, separated by the string :!:. For some reason, the suffix for the update command is -update in some variants and -updatee in others.
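A parser for the command format just described, added here as an example (it is not code from the article or from any tracker the authors ran). It assumes the transport decoding of the HTTP response has already been applied, since that encoding is not reproduced on this page, and it operates only on the `<name>-<args>-<suffix>` shape with `:!:` as the argument separator, accepting both the -update and -updatee spellings. The sample messages are constructed for the demonstration and are not real C&C traffic; the "reboot" message is a deliberately unknown command to show how a tracker would surface a new one.

```python
ARG_SEPARATOR = ":!:"

# Each command is bracketed by "<name>-" and "-<suffix>". The page reports two
# spellings of the update suffix, so a parser has to accept both.
COMMAND_SUFFIXES = {
    "download": ("download",),
    "update": ("update", "updatee"),
}


def parse_command(decoded):
    """Parse one decoded C&C message into (name, [args]).
    Returns None when the message does not match any known command."""
    decoded = decoded.strip()
    for name, suffixes in COMMAND_SUFFIXES.items():
        prefix = name + "-"
        if not decoded.startswith(prefix):
            continue
        for suffix in suffixes:
            tail = "-" + suffix
            if decoded.endswith(tail) and len(decoded) >= len(prefix) + len(tail):
                body = decoded[len(prefix):len(decoded) - len(tail)]
                args = body.split(ARG_SEPARATOR) if body else []
                return name, args
    return None


def triage(decoded_messages):
    """Split a batch of decoded messages into parsed commands and unparseable ones.
    Anything in the second list is exactly what a variant tracker should alert on."""
    parsed, unknown = [], []
    for message in decoded_messages:
        result = parse_command(message)
        if result is None:
            unknown.append(message)
        else:
            parsed.append(result)
    return parsed, unknown


# Constructed messages in the page's command format; not captured C&C responses.
SAMPLE_MESSAGES = [
    "download-http://c2.invalid/miner.exe:!:svchost.exe-download",
    "update-http://c2.invalid/core.ahk-update",
    "update-http://c2.invalid/core.au3-updatee",
    "reboot-now-reboot",
]

if __name__ == "__main__":
    known, unknown = triage(SAMPLE_MESSAGES)
    for name, args in known:
        print(name, args)
    for message in unknown:
        print("UNKNOWN COMMAND:", message)
```

The suffix is matched with `endswith` rather than by splitting on "-", because download URLs and file names routinely contain hyphens; only the first `<name>-` and the final `-<suffix>` are structural.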
The set of supported commands is currently pretty small — there used to be more of them in older variants. The authors probably realized that they do not need the other commands and wanted to keep their malware simpler.
The most prevalent commands currently are:

Instead of downloading and executing the PE payload directly, an AutoIt script was fetched first. Embedded in the AutoIt script was shellcode capable of loading an embedded PE file. The shellcode was copied into executable memory allocated through VirtualAlloc.
The AutoIt function DllCallAddress was then used to transfer control to the shellcode, which in turn loaded and passed control to the final PE payload. The purpose of this indirection was presumably to avoid dropping the PE payload to disk, which would have increased the chance of detection. This workflow was not used exclusively, however.
Deobfuscated UAC bypass code found in Retadup.

Since the core is distributed either as AutoHotkey source code or as AutoIt bytecode (which is easy to decompile), the authors tried to obfuscate it to make analysis harder. The hardest obfuscator for us to defeat was CodeCrypter. CodeCrypter encrypts strings with AES. AES decryption is performed by custom shellcode (there is both a 32-bit and a 64-bit variant).
The shellcode is loaded into the memory of the AutoIt interpreter process. Since it is embedded in the script in compressed form, it is first decompressed by another piece of shellcode, this time code from the popular aPLib decompression library.
The AES key used to encrypt the strings is itself obfuscated and encrypted with another key. The way CodeCrypter calls the shellcode is interesting: it uses the CallWindowProc function from user32.dll. CodeCrypter calls it and passes the address of the shellcode as its first argument.
CallWindowProc internally calls the address passed as its first argument and forwards the remaining arguments to it, so this is a convenient way to call arbitrary native code without using suspicious AutoIt functions such as DllCallAddress. CodeCrypter also renames all variables and user-defined functions to random-looking strings.
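A static scanner for the two in-memory execution patterns described above (the VirtualAlloc plus DllCallAddress loader and the CallWindowProc trampoline), added here as an example; it is not Avast's detection logic and not code from Retadup. It keys on Windows API names and RWX allocation flags rather than on variable names, since CodeCrypter's renaming leaves the former intact, and it expects decompiled or deobfuscated script text: CodeCrypter's string encryption would hide the API names in a raw sample. The three AutoIt scripts are constructed for the demonstration, and the 0x90 blob stands in for real shellcode.

```python
import re

# Indicators for AutoIt scripts that stage and run native code in memory.
INDICATORS = [
    # VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40): RWX memory for shellcode.
    ("rwx_virtualalloc", re.compile(r"VirtualAlloc.*\b0x40\b", re.I)),
    # DllCallAddress transfers control straight to an address (the documented entry path).
    ("dllcalladdress", re.compile(r"\bDllCallAddress\s*\(", re.I)),
    # CallWindowProc used as a trampoline to avoid the more suspicious DllCallAddress.
    ("callwindowproc_trampoline", re.compile(r"\bCallWindowProc[AW]?\b", re.I)),
    # A long binary literal: embedded shellcode or PE image.
    ("embedded_blob", re.compile(r"0x[0-9A-F]{256,}", re.I)),
]


def scan_script(source):
    """Return (line_number, indicator_name) for every indicator hit in the script."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def verdict(findings):
    """A script is a loader only if it both stages code and transfers control to it;
    either half alone (e.g. CallWindowProc in ordinary GUI subclassing) is just suspicious."""
    names = {name for _, name in findings}
    executes = bool(names & {"dllcalladdress", "callwindowproc_trampoline"})
    stages = bool(names & {"rwx_virtualalloc", "embedded_blob"})
    if executes and stages:
        return "in-memory loader"
    if executes or stages:
        return "suspicious"
    return "clean"


# Constructed samples (not Retadup code). The blob is a NOP sled standing in for shellcode.
SHELLCODE_BLOB = "0x" + "90" * 200

LOADER_SCRIPT = f'''
Local $sc = Binary("{SHELLCODE_BLOB}")
Local $mem = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "ulong_ptr", BinaryLen($sc), "dword", 0x3000, "dword", 0x40)
Local $buf = DllStructCreate("byte[" & BinaryLen($sc) & "]", $mem[0])
DllStructSetData($buf, 1, $sc)
DllCallAddress("int", $mem[0], "ptr", $pPayload)
'''

CODECRYPTER_STYLE_SCRIPT = f'''
Local $xQz = Binary("{SHELLCODE_BLOB}")
Local $xQm = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "ulong_ptr", BinaryLen($xQz), "dword", 0x3000, "dword", 0x40)
Local $xQa = DllStructCreate("byte[" & BinaryLen($xQz) & "]", $xQm[0])
DllStructSetData($xQa, 1, $xQz)
DllCall("user32.dll", "lresult", "CallWindowProcW", "ptr", DllStructGetPtr($xQa), "ptr", $xQb, "int", 0, "int", 0, "int", 0)
'''

BENIGN_SCRIPT = '''
Local $hGUI = GUICreate("Hello", 200, 100)
MsgBox(0, "Hi", "Nothing to see here")
'''

if __name__ == "__main__":
    for label, script in (("loader", LOADER_SCRIPT), ("codecrypter", CODECRYPTER_STYLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_script(script)
        print(label, verdict(hits), hits)
```

Requiring both a staging and an execution indicator is what keeps ordinary AutoIt GUI code, which legitimately calls CallWindowProc when subclassing windows, out of the loader bucket.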
All of these new names share the same prefix and suffix, which makes them visually difficult to tell apart without renaming them. The first thing that interested us was whether there were any server-side anti-analysis checks.
The only thing that hindered our analysis was that the server kept track of which commands had been sent to which victims and sent each command to each victim only once.