Hackers spread Winnti malware using legitimate analysis tool

10 May 2013

Hackers have been caught spreading the Winnti malware to hijack control of web users' systems using a new backdoor contained in the legitimate Aheadlib analysis tool.

Security firm Trend Micro reported discovering the backdoor while examining reports of a fresh Winnti outbreak on Thursday.

"We found this particular threat via feedback provided by the Smart Protection Network; we detect it as BKDR_TENGO.A. It passes itself off as a legitimate system DLL file, winmm.dll, like most of the Winnti samples," wrote Trend Micro's Eduardo Altares. "We believe that this was done using a legitimate tool called Aheadlib, which is a legitimate analysis tool."

The news is troubling as Aheadlib is a valid tool used by several businesses to construct C code from DLL files. The criminals reportedly used the tool, which is connected to various parts of the network it is analysing, to create a backdoor they can use to bypass the system's security protocols.

"Aheadlib accepts any DLL file and is able to construct C code to hook all the functions provided by the original library. This is very useful in analysing malware, but can also be abused to help create files that pass themselves off as legitimate system libraries," explained Altares.

Winnti is an espionage-focused malware commonly used by hackers believed to stem from China. Altares said that there is evidence the hackers have already used the backdoor to successfully steal data from a number of targets.

"We suspect that this was used in a targeted attack. Despite this, however, the file is not encrypted and neither was it particularly hard to analyse. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system," he noted.

"These stolen files are stored in the $NtUninstallKB080515$ under the Windows folder. It also creates a log file named Usblog_DXM.log. The files can be retrieved by the attacker at a later time. Aside from retrieving files, it has several backdoor commands which allow the attacker to take control of the system."

Altares said that there is no way to know if the latest Winnti attack stems from China, as the IP addresses linked to it provide conflicting information about its origin.

"Two of these IP addresses proved to be of particular interest, namely 50.93.204.62 and 98.143.145.118. They are located in the United States, but multiple Chinese-language domains point to them. All of these have been blocked as command-and-control servers," he said. "This attack highlights how information theft can be performed even with malware that is not particularly advanced or sophisticated. It also shows some of the challenges in attributing attacks of this nature."
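The indicators quoted above (the staging folder under the Windows directory, the USB log file, the winmm.dll masquerade and the two blocked C2 addresses) can be turned into a simple host hunt. The script below is an added example written for this article, not Trend Micro's or V3's code; it assumes the Windows folder path, a set of SHA-256 digests of genuine winmm.dll builds taken from a trusted host, and a constructed netstat-style line format.

```python
import hashlib
import os
from pathlib import Path

# Indicators quoted in the Trend Micro write-up for BKDR_TENGO.A.
STAGING_DIR = "$NtUninstallKB080515$"       # created under the Windows folder
LOG_FILE = "Usblog_DXM.log"                 # location not stated, so we search for it
MASQUERADED_DLL = "winmm.dll"
C2_ADDRESSES = {"50.93.204.62", "98.143.145.118"}
LEGIT_DLL_DIRS = {"system32", "syswow64"}   # where a genuine winmm.dll lives

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt_filesystem(windows_dir, scan_roots, known_good_hashes):
    """Return (indicator, path) pairs. known_good_hashes is an assumed input:
    SHA-256 digests of genuine winmm.dll builds collected from a clean host."""
    findings = []
    windows_dir = Path(windows_dir)
    if (windows_dir / STAGING_DIR).is_dir():
        findings.append(("staging_dir", str(windows_dir / STAGING_DIR)))
    for root in scan_roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                low = name.lower()
                if low == LOG_FILE.lower():
                    findings.append(("usb_log", str(path)))
                elif low == MASQUERADED_DLL:
                    # A winmm.dll next to an application is the classic proxy-DLL
                    # placement; one in a system dir must still match a known build.
                    in_system_dir = (path.parent.parent.resolve() == windows_dir.resolve()
                                     and path.parent.name.lower() in LEGIT_DLL_DIRS)
                    if not in_system_dir:
                        findings.append(("winmm_outside_system_dir", str(path)))
                    elif sha256_of(path) not in known_good_hashes:
                        findings.append(("winmm_hash_unknown", str(path)))
    return findings

def flag_c2_connections(netstat_lines):
    """Flag 'netstat -ano'-style lines (constructed format: proto, local,
    remote, state, pid) whose remote address is a published C2 IP."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0].upper() in ("TCP", "UDP"):
            remote_ip = parts[2].rsplit(":", 1)[0]
            if remote_ip in C2_ADDRESSES:
                hits.append(line.strip())
    return hits
```

A hash-unknown hit on a winmm.dll in System32 is the stronger signal, since the sample copies its legitimate name; a copy outside the system directories should be compared against the real library's export table before being removed.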

The attack discovery follows a fresh wave of allegations against China. Most recently the US Department of Defense accused the country of mounting several sophisticated attacks on its networks, in its Military and Security Developments Involving the People's Republic of China 2013 report to Congress on Monday.

Alastair Stevenson
Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.