Friday, March 23, 2012

Unknown Threat From Unknown Source by Mounir Kamal

Abstract
New malware represents a threat, and when that malware is not identified by any antivirus vendor the risk becomes high; when, in addition, the source originating the malware cannot be determined, studying it becomes urgent. Let us look at one threat of this type.

Introduction

Through the QCERT team's follow-up of malware activity at http://qlab.qcert.org we noticed some attacks coming from IP addresses within the range of Qatar, trying to originate malware with a certain signature. When we looked at the details of the analysis, we discovered that the mentioned malware was not detected by any antivirus engine. We then decided to go deeper and investigate. The dynamic and behaviour analysis indicated that the malware makes malicious changes on the victim machines. Below we describe how we collected and analyzed it, the results of the analysis, and our recommendations to mitigate the risk associated with something like this.

Method
We have a collection of sensors, a malware analysis portal and some sandboxes, so we are able to collect malware samples from the internet. All collected samples go to one server and are saved into a database for submission. After this step, two sandboxes run the malware for analysis; at the same time we check whether the file signature exists in any antivirus engine, in order to calculate the threat level and the associated risk. All of the mentioned information is then hosted in our malware analysis lab and made available over the internet, from a public level with limited information to a private level with limited information for the different sectors at the national level. Figure 1 shows the diagram.

Result

1- Malware with MD5 e03ce5e602855faaf426fcd00f096f8c was first detected on 8 March 2012.
2- None of more than 40 antivirus engines detected it as malicious.
3- What it does exactly:
a- Creates a file in the system root and injects a thread into svchost.exe.

b- Creates some keys in the registry:
- adds services

- changes the firewall policy

- connects to the following domains using DNS queries.
Sample domains are:
imotqe.cc, aozxmth.cc , xaomgnnegq.net , xpunnsjrazl.biz ,bayieizvm.ws ubyzjw.ws ,urqqi.org , itiyzrnle.cc , acbzz.cc , jebiwiyf.org , fojdq.net

- connects to the following IPs over port 80 (HTTP).
The IPs are located in the USA, the UK and China, and all are malicious web sites.

When we inspected the network traffic, we found a Conficker sinkhole in China at IP 221.8.69.25.

Another connection checks the victim machine's IP address via 91.198.22.70, domain name checkip.dyndns.org.

4- IP addresses originating the malware
All of the IP addresses originating the mentioned malware are 3G connection IP addresses.
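The network behaviour listed above (lookups for many distinct domains, a query to checkip.dyndns.org to learn the victim's external IP, and an answer pointing at the Conficker sinkhole IP) can be correlated per client in DNS logs. The following is an added example, not code from the original post or from QCERT: it scores a constructed DNS log sample, and the log format and the burst threshold are assumptions.

```python
"""Correlate DNS log lines per client: a burst of distinct domains, a lookup
of an external IP-check host and an answer pointing at a known sinkhole."""
from collections import defaultdict

# Indicators quoted from the post; the threshold is an assumed tuning value.
KNOWN_SINKHOLE_IPS = {"221.8.69.25"}
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
DOMAIN_BURST_THRESHOLD = 5

# Constructed DNS log sample (not real traffic): timestamp client qname answer
SAMPLE_LOG = """\
2012-03-08T10:01:01 10.0.0.5 imotqe.cc 221.8.69.25
2012-03-08T10:01:02 10.0.0.5 aozxmth.cc NXDOMAIN
2012-03-08T10:01:02 10.0.0.5 xaomgnnegq.net NXDOMAIN
2012-03-08T10:01:03 10.0.0.5 xpunnsjrazl.biz NXDOMAIN
2012-03-08T10:01:03 10.0.0.5 bayieizvm.ws NXDOMAIN
2012-03-08T10:01:04 10.0.0.5 ubyzjw.ws NXDOMAIN
2012-03-08T10:01:05 10.0.0.5 checkip.dyndns.org 91.198.22.70
2012-03-08T10:01:05 10.0.0.7 www.example.com 93.184.216.34
2012-03-08T10:01:06 10.0.0.7 checkip.dyndns.org 91.198.22.70
"""

def parse_log(text):
    """Yield (client, qname, answer) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower().rstrip("."), parts[3]

def score_clients(text):
    """Return {client: (score, reasons)}; each matched indicator adds a point."""
    domains = defaultdict(set)   # distinct names each client resolved
    hits = defaultdict(set)      # indicator hits per client
    for client, qname, answer in parse_log(text):
        domains[client].add(qname)
        if qname in IP_CHECK_HOSTS:
            hits[client].add("external IP check")
        if answer in KNOWN_SINKHOLE_IPS:
            hits[client].add("answer is a known sinkhole")
    results = {}
    for client, names in domains.items():
        reasons = set(hits[client])
        if len(names) >= DOMAIN_BURST_THRESHOLD:
            reasons.add("burst of %d distinct domains" % len(names))
        results[client] = (len(reasons), sorted(reasons))
    return results

if __name__ == "__main__":
    for client, (score, reasons) in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, score, "; ".join(reasons))
```

A client matching all three indicators scores 3 and is worth a look; a lone IP-check lookup (score 1) is common for legitimate software and should not page anyone on its own.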

Conclusion
a- New malware exists and is running inside Qatar, and it is not detected by any antivirus.
b- The originating IP addresses use 3G connections, which are very hard to detect in our situation.
c- The risk is very high because nobody can detect these threats, and tracing them back is very hard.