0 Replies Latest reply on Jun 9, 2008 7:16 AM by HarryWaldron

    Vundo - Aggressive Spyware still going strong after 4 years

      Trend Micro shares a comprehensive overview and history of one of the most prolific spyware attacks. The reasons for Vundo's success include:

      * Vundo installs automatically and silently from visiting malicious websites.

      * More aggressive variants can lock down Windows and IE services in a manner that makes it difficult to both detect and remove.

      * Malware writers continue to adapt Vundo for new attacks, so that once AV or Anti-spyware detection is in place, a new variant is then launched (Trend reports that there are 2,165 unique variants they provide protection for).

      AVERT Labs - Almost always in Top 10 infectors in every category
      http://myavert.avertlabs.com/myavert/default.aspx

      Vundo - Aggressive malware still going strong after 4 years
      http://blog.trendmicro.com/uncovering-vundo/

      QUOTE: A piece of VUNDO history: the first variant we have seen in the wild was TROJ_VUNDO.A (Sept 6, 2004, almost 4 years ago). It is capable of monitoring IE activities such as visited Web sites and sending data to a remote Web site. These data are used for advertising and marketing activities. Nobody expected it to still be alive now and used as a component of chain infection.

      Some known rogue antivirus products that could be automatically installed or advertised on an affected system are: Wintools, HuntBar, BargainBuddy, Toolbar888, Altnet, BrillantDigital, Points Manager, E2Give, AdawareDelete, AlfaCleaner, AdwareBazooka, Antivirus Pro, BreakSpyware, SpyCut, CurePcSolution, DriveCleaner 2006, ErrorSafe, PerfectCleaner, ExpertAntivirus, SpyAway, AdwareSheriff, SystemStable.

      VUNDO variants have different payloads depending on the nature of infection:

      Example 1: The user visits a malicious Web site and gets infected by a DLL file VUNDO variant. This DLL then registers itself as a Browser Helper Object (BHO) to run every time Internet Explorer is opened. This will be used to redirect you to a rogue antivirus download page.

      Example 2: The dropped DLL VUNDO variant injects into WINLOGON.EXE and EXPLORER.EXE for memory residency and prevents easy detection and removal. Once injected into those 2 processes, it monitors running processes before downloading other possible malicious files in the affected system. The possible monitored processes are mostly antivirus-related processes.
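Example 1 above turns on Internet Explorer loading the DLL as a Browser Helper Object, so an inventory of registered BHOs is the natural defender-side check. The script below is an added example, not code from this post or from Trend Micro: it parses the text of a registry export (`reg export` output) for the Browser Helper Objects key and the matching CLSID InprocServer32 entries, then flags any BHO whose DLL is missing or lives outside a trusted program directory. The .reg text, the CLSIDs and the DLL names are constructed for the example; the "outside Program Files" rule is an assumed heuristic for review, not a detection signature, and a real run would feed in the export of those two hives from the machine being checked.

```python
"""Inventory Browser Helper Objects from a .reg export and flag DLLs that sit
outside trusted directories.  Added example with constructed sample data."""

# Registry locations IE consults for BHOs (real Windows keys).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Assumed heuristic: legitimate BHO DLLs are expected under a vendor's program directory.
TRUSTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed sample of what `reg export` produces; CLSIDs and DLL names are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwxrtz.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: string_data}} for a .reg export.

    Only quoted string values are kept; .reg doubles backslashes inside them,
    so they are collapsed back to single backslashes."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def list_bhos(keys):
    """Map each registered BHO CLSID to the DLL its InprocServer32 default value names."""
    bhos = {}
    prefix = BHO_KEY.lower() + "\\"
    for path in keys:
        if path.startswith(prefix):
            clsid = path[len(prefix):]
            server = keys.get(CLSID_ROOT.lower() + "\\" + clsid + "\\inprocserver32", {})
            bhos[clsid.upper()] = server.get("@")
    return bhos


def suspicious_bhos(keys):
    """CLSIDs whose DLL is unresolvable or not under a trusted directory."""
    flagged = []
    for clsid, dll in list_bhos(keys).items():
        if dll is None:
            flagged.append(clsid)
            continue
        trusted = any(dll.lower().startswith(d.lower() + "\\") for d in TRUSTED_DIRS)
        if not trusted:
            flagged.append(clsid)
    return flagged


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for clsid, dll in list_bhos(parsed).items():
        print(clsid, "->", dll)
    print("review:", suspicious_bhos(parsed))
```

On a live machine the same two keys would be exported with `reg export` and the text fed to `parse_reg`; a BHO that appears in the flagged list is a candidate for closer inspection (publisher signature, file creation time, which process dropped it), not an automatic verdict.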