McAfee Labs Threat Advisory Bondat January 21, 2015 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://sns.snssecure.mcafee.com/content/signup_login. Summary Bondat malware has the ability to infect removable media devices. Infection starts either with manual execution of the infected file or by invoking the corresponding .lnk files that could cause automatic execution of the worm. After infection it may also download other malware or updates to itself directed by the command and control (C&C) server. The following variants of Bondat have been seen in the wild:      JS/Bondat.a JS/Bondat.b JS/Bondat.c JS/Bondat.d JS/Bondat.e Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections:       Infection and Propagation Vectors Mitigation Characteristics and Symptoms Restart Mechanism Indicators of Compromise (IOC) McAfee Foundstone Services Infection and Propagation Vectors The Bondat worm spreads by creating copies of itself in removable storage devices in the following location:  %removabledrive%\.Trashes\<random folder>\ random_file.js The worm also checks files in the removable drivers, creates .lnk files with the same file name, and moves the files to the “%removabledrive%\.Trashes\” location if it encounters any of the following extensions:         doc docx pdf rtf txt mp3 m4a ogg               wav wma mp4 avi webm flv mov wmv mpeg mpg gif jpg jpeg png The .lnk files point to a malicious javascript file which is already copied to the “%removabledrive%\.Trashes\<random folder>\” location. Mitigation Mitigating the threat at multiple levels such as file, registry, and URL can be achieved at various layers of McAfee products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Content Source list) to mitigate the threats based on the behavior described in the “Characteristics and symptoms” section. VirusScan Enterprise (VSE)  Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise: o KB81095 - How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console o KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x  Users can configure and test Access Protection Rules to restrict the creation of new registry keys, files, and folders when there are no other legitimate uses. Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies     (http://support.microsoft.com/kb/967715). Restrict the use of USB drives in mission-critical and server machines. Implement and test Access Protection Rules through the McAfee product to prevent writing of *.lnk files in removable media. Restrict access to the URLs mentioned in the Indicators of Compromise (IOC) section. Host Intrusion Prevention System (HIPS)     To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329. To create an application blocking rules policy to prevent the binary from running, refer to KB71794. To create an application blocking rules policy that prevents a specific executable from hooking any other executable, refer to KB71794. To block attacks from a specific IP address through McAfee NitroSecurity IPS, refer to KB74650. Characteristics and Symptoms The Bondat worm has several checks to determine if the sample is running in a virtual environment. The worm terminates further execution upon encountering a positive response for any of the following checks: Upon execution, the worm copies itself into the following location:  %Appdata%\<random folder>\ random_file.js NOTE: %AppData% refers to the current user’s Application data location. Also, the worm creates copies “wscript.exe” in the “%Appdata%\<random folder>\” location. In our test, we found that the file name of “wscript.exe” is chosen from the combination of the following strings: String-1 String -2 Win Cmd Process Proc Disk Dsk monitor Mon Ms Hp Sys Host Intel Amd Dll Tcp Udp Mgr Update updater The worm creates .lnk files in the following location to ensure the malicious java script file executes every time when Windows starts:   %Appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk The .lnk file executes malicious java script with the help of wscript.exe, which is newly created in the “%Appdata%\<random folder>\” location. The worm terminates processes if the process name matches any of the following strings:                        Regedit windows-kb mrt rstrui msconfig procexp avast avg mse ptinstall sdasetup issetup fs20 mbam housecal hijackthis rubotted autoruns avenger filemon gmer hotfix klwk mbsa                       procmon regmon sysclean tcpview unlocker wireshark fiddler resmon perfmon msss cleaner otl roguekiller fss zoek emergencykit dds ccsetup vbsvbe combofix frst mcshield It then shows a fake warning message to the user as follows: The worm deletes files in the startup location if the file name matches any one the following strings:  .exe  .js  .vbs  .jse  .vbe The following registry values have been modified by the worm:   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = 2 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ShowSuperHidden" = 0 Finally, the worm collects the following information from the compromised machine, encrypts it, and sends it to a remote server:   user name computer name   operating system version language settings Restart Mechanism The .lnk files present in the following locations would enable the worm to execute every time when Windows starts:   %Appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk Indicators of Compromise (IOC) The following indicators can be used to identify potentially infected machines in an automated way. Network communication to any of the IP addresses at the network gateway/IPS level:    cdn.httpowered.com 217.23.3.136 httpoptions.com Getting Help from the McAfee Foundstone Services team This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities. You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice. Copyright 2014 McAfee, Inc. All rights reserved.