Lest you think the ANI exploit was the only thing going on today, here’s the other half of today’s entertainment. There’s a new Trojan spam run going around trying to entice you to download “MSFT IE7.0 Beta 2” (never mind that IE7 has already been released). The download is, in fact, a new Trojan (Grum) and appears to be entirely unrelated to the ANI threat. The emails carry a shiny “download IE7” graphic:
If you dig into the source of the emails, you’ll see a bunch of text designed to slip past spam filters. None of it shows up when the HTML is rendered; only that shiny picture (with a link to IE7.0.exe) does.
This thing was a bear to reverse, by the way. It performs a lot of remote thread injection and defends itself nicely: it blocks IDA Pro, it kills OllyDbg, it blinds a bunch of processes, and the main process (%User%\Local Settings\Temp\winlogon.exe) sleeps quietly if it’s being traced too much. This kept hosing up my XP analysis box. A pretty good sandbox analysis is on the Anubis project website; so far Anubis is the only sandbox that did anything useful with it. Here’s a list of domains we’ve seen used so far for this one (with many more missing from this list):
As fast as these domains appear, get spammed, and get killed, new ones show up. If you can watch a network stream, you can easily look for “/IE7.0.exe” with a tool like ngrep or flowgrep and pick out the download sites. This one is aggressive and is going to get a lot of play. AV detection was poor earlier in the day, and it’s not much better now. Names like Agent.CL and Grum are being used, but even 12 hours later detection for it is pretty weak: it’s got an unrecognized packer and some methods that seem uncommon. All in all, one busy day.
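To make the stream-watching step concrete, here is an added example (mine, not from the original post) that takes captured HTTP request text and boils it down to the unique download sites serving the lure. It assumes the input is either raw CRLF HTTP pulled from a pcap or the text ngrep prints with `-W byline`; the request text and hostnames in the embedded sample are constructed for the example, not domains seen in the wild.

```python
import re
import sys
from typing import Iterator, List, Tuple

# Added example, not code from the original post.  Given a text stream of
# HTTP requests, pick out every request for the lure binary and report the
# download site.  Input can be raw CRLF HTTP (e.g. dumped from a pcap) or
# the text ngrep prints with:
#     ngrep -q -i -W byline '/IE7\.0\.exe' 'tcp port 80'
# In byline mode ngrep shows each CR as a trailing '.' and prefixes each
# packet with a "T src -> dst [flags]" line; both are tolerated below.

REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\.?\s*$", re.IGNORECASE)
HOST_HEADER = re.compile(r"^Host:\s*(\S+?)\.?\s*$", re.IGNORECASE)
LURE_PATH = re.compile(r"/IE7\.0\.exe$", re.IGNORECASE)

# Constructed sample stream: one ngrep-style request, then raw CRLF requests.
SAMPLE_STREAM = (
    "T 192.0.2.10:1034 -> 198.51.100.5:80 [AP]\n"
    "GET /IE7.0.exe HTTP/1.1.\n"
    "Host: dl-one.example.\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0).\n"
    ".\n"
    # unrelated request that must not be reported
    "GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
    # proxy-style absolute URI: the host comes from the URI itself
    "GET http://dl-two.example/files/IE7.0.exe HTTP/1.0\r\n"
    "Host: dl-two.example\r\n\r\n"
    # same site as the first hit, different case plus a query string
    "GET /ie7.0.exe?id=3 HTTP/1.1\r\nHost: DL-ONE.example\r\n\r\n"
)


def split_requests(stream: str) -> Iterator[List[str]]:
    """Yield the header lines of each request.  A blank line (or ngrep's
    lone '.') ends a header block.  Request bodies are not parsed, which is
    fine for the GETs that fetch the binary."""
    block: List[str] = []
    for raw in stream.splitlines():
        line = raw.rstrip("\r")
        if line in ("", "."):
            if block:
                yield block
            block = []
        else:
            block.append(line)
    if block:
        yield block


def extract_download_sites(stream: str, lure: re.Pattern = LURE_PATH) -> List[Tuple[str, str]]:
    """Return unique (host, path) pairs, in order first seen, for requests
    whose path ends in the lure filename.  Handles proxy-style absolute
    URIs as well as relative ones that rely on the Host header."""
    seen: List[Tuple[str, str]] = []
    for block in split_requests(stream):
        req = next((m for m in map(REQUEST_LINE.match, block) if m), None)
        if req is None:
            continue  # only ngrep metadata or a continuation; nothing to do
        uri = req.group(2)
        host = None
        if uri.lower().startswith("http://"):
            host, _, rest = uri[7:].partition("/")
            uri = "/" + rest
        path = uri.split("?", 1)[0]  # drop query strings such as ?id=...
        if not lure.search(path):
            continue
        if host is None:
            for line in block:
                h = HOST_HEADER.match(line)
                if h:
                    host = h.group(1)
                    break
        entry = ((host or "<no Host header>").lower(), path.lower())
        if entry not in seen:
            seen.append(entry)
    return seen


if __name__ == "__main__":
    # Pipe captured text in on stdin, or run with no input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STREAM
    for host, path in extract_download_sites(data):
        print(f"{host}{path}")
```

Dedup is on lower-cased host and path because the same download site is spammed under varying case and with throwaway query strings; anything that survives is a candidate for the domain list above.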