VBS Malware Spreading in Latin America
During the past few months, we’ve been observing increases in the number of systems infected by VBS malware, specifically VBS_SOSYOS, VBS_JENXCUS and VBS_DUNIHI. Most of these systems were found in Latin America, a region targeted by the Banker/Bancos Trojan.
Figure 1. VBS malware activity for the past months in Latin America region (LAR)
These VBScript malware families were initially seen in targeted attacks but are now being distributed on a larger scale. Numerous VBS_JENXCUS and VBS_DUNIHI infections were found in several Latin American countries. Based on feedback gathered from the Trend Micro Smart Protection Network, the chart below shows the number of VBScript malware infections in the region for the month of November.
Figure 2. Number of VBS malware infection in LAR for November
Figure 3. Percentage of VBScript malware vis-à-vis other common scripting malware in LAR
VBS Malware Variants Compared
Once installed, VBS_DUNIHI and VBS_JENXCUS allow an attacker to execute commands on the infected system. The two families share a substantial amount of code.
Our analysis reveals that VBS_DUNIHI's code is based on VBS_JENXCUS. VBS_JENXCUS, however, supports only two to three commands, far fewer than VBS_DUNIHI, which supports up to 13. Either way, both give a remote threat actor the ability to issue commands that run on the infected system.
Both VBS_JENXCUS and VBS_DUNIHI arrive as attachments to spam email messages. The scripts are usually encrypted or otherwise obfuscated, which slows analysis. Once decrypted, however, the malware author's signature is easy to spot: VBS_JENXCUS carries the string 'njq8', while VBS_DUNIHI carries the string 'houdini'.
Figure 4. Comparison of JENXCUS (above) and DUNIHI (below) header after decryption
Once executed, VBS_JENXCUS drops copies of itself into %User Temp% and %User Startup% using the filenames Serviec.vbe, Servieca.vbs, Updater.vbs, and Updatea.vbs. These filenames are hard-coded, in contrast to VBS_DUNIHI.
VBS_JENXCUS receives and executes commands from a remote server. We also extracted several C&C servers the malware connects to, but they are currently inaccessible. It also propagates by creating LNK files on removable drives that point to a copy of the malware dropped on the drive.
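The drop names and the LNK-lure behaviour described above are host-level indicators that can be checked directly. The following PowerShell script is an added example, not code from the original post or from Trend Micro: it looks for the four hard-coded filenames in the Temp and Startup folders and for shortcuts on removable drives that launch a .vbs/.vbe file. The drop names are the ones listed above; the assumption that other profiles live under C:\Users, and the regex used to spot script-launching shortcuts, are mine.

```powershell
# Added example (not from the original post): hunt for the VBS_JENXCUS
# artifacts described above. Read-only: it reports, it does not delete.
# Run on the host being checked; reading every profile's Startup folder
# needs administrator rights.

# Drop names the post lists as hard-coded in VBS_JENXCUS.
$dropNames = @('Serviec.vbe', 'Servieca.vbs', 'Updater.vbs', 'Updatea.vbs')

# Drop locations from the post: %User Temp% and %User Startup%. The current
# user's folders come from the environment; other profiles are assumed to
# live under C:\Users (adjust for a non-default profile layout).
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$dirs = @($env:TEMP, [Environment]::GetFolderPath('Startup')) +
        (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName $startupRel })

$dropHits = foreach ($dir in ($dirs | Sort-Object -Unique)) {
    foreach ($name in $dropNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Kind          = 'DroppedCopy'
                Path          = $f.FullName
                Bytes         = $f.Length
                LastWriteTime = $f.LastWriteTime
            }
        }
    }
}

# Propagation check: LNK files on removable drives (Win32_LogicalDisk
# DriveType 2) whose target or arguments reference a .vbs/.vbe file, i.e.
# the lure pattern the post describes. The WScript.Shell COM object is used
# here only to read shortcut targets.
$wsh = New-Object -ComObject WScript.Shell
$lnkHits = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object {
        Get-ChildItem -Path "$($_.DeviceID)\" -Filter '*.lnk' -Recurse `
            -ErrorAction SilentlyContinue
    } |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        # Catch both "target = script" and "target = wscript.exe script".
        if ("$($lnk.TargetPath) $($lnk.Arguments)" -match '\.vb[se]\b') {
            [pscustomobject]@{
                Kind      = 'LnkLure'
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    }

$results = @($dropHits) + @($lnkHits)
if ($results.Count -eq 0) {
    'No JENXCUS drop names or script-launching LNKs found.'
} else {
    $results | Format-List
}
```

A hit on a drop name is worth a closer look rather than an automatic verdict: the filenames are mundane enough that a false positive is possible, so confirm by inspecting the file (the decoded script carries the 'njq8' marker mentioned above) before cleaning.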
Malicious files written in VBScript are not new to the threat landscape. As early as 2000, the infamous ILOVEYOU virus was distributed worldwide and damaged numerous systems. Being an old threat, however, does not mean systems are immune to it. Trend Micro solutions for VBS malware infections include file and behavioral detection, URL blocking and spam detection.
Disabling the Windows Script Host
This attack would not be possible if the Windows Script Host (WSH) were not present on the system. WSH is an automation tool used by administrators, programmers, power users and the like, and it has been installed by default since Windows 98. It provides a set of services and objects that can be used to create scripts that run in either graphical mode (wscript.exe) or command-line mode (cscript.exe).
It has long been debated whether WSH should be disabled. Explicitly blocking or disabling it has one obvious benefit: it prevents present and future VBS malware that relies on the WSH executables from running in your environment. Note that it does not cover other script engines (VBA macros in Office documents, for example), so it is one layer rather than a complete answer to script-based malware.
There are two ways to disable WSH. Microsoft provides one method, a registry setting, in this TechNet article. If a user then tries to run a .VBS file, this pop-up appears:
Figure 5. Blocked VBS pop-up
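The Microsoft-documented method is a single registry value: Enabled (REG_DWORD) under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, set to 0, disables WSH for every user on the machine; the same value under HKCU applies to one user only. The PowerShell below is an added example, not code from the original post or from Microsoft's article: it applies the machine-wide setting, verifies it, and runs a harmless script through cscript.exe to confirm the block actually takes effect. The test script name and the revert switch are my additions.

```powershell
# Added example (not from the original post): disable Windows Script Host
# machine-wide via the documented registry value, verify, and test.
# Run from an elevated PowerShell prompt. Use -Revert to re-enable.
param(
    [switch]$Revert   # added convenience switch, not part of the documented method
)

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$value = if ($Revert) { 1 } else { 0 }   # 0 = WSH disabled, 1 = enabled

# Create the Settings key if it is missing, then set Enabled.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
    -Value $value -Force | Out-Null

# Verify what is now in the registry.
$current = (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
"HKLM Windows Script Host Enabled = $current (0 = disabled for all users)"

# Functional check: with Enabled=0 the host refuses to run the script and
# prints the "Windows Script Host access is disabled" message instead of
# the echo line. The test script is a constructed, harmless one-liner.
$testScript = Join-Path $env:TEMP 'wsh-check.vbs'
Set-Content -Path $testScript -Value 'WScript.Echo "WSH is enabled on this host"'
& cscript.exe //Nologo $testScript
Remove-Item -Path $testScript -ErrorAction SilentlyContinue
```

In an enterprise the same value is normally pushed through Group Policy Preferences rather than run by hand; the script is useful for a lab machine or for confirming that a policy has landed. Keep the per-user HKCU value in mind when auditing, since a host can carry both.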
Alternatively, one can use the behavioral monitoring settings of third-party security software such as OfficeScan to block the executables that make up WSH (wscript.exe and cscript.exe). If a user then tries to run a .VBS file, the following pop-ups appear:
Figures 6-7. OfficeScan alerts
Blocking .VBS files does improve a system's security, but it also has drawbacks. In an enterprise, some users may actually rely on WSH, for example backup operators or anyone doing batch processing. Account for these users, and test their scripts, before deciding to roll out VBS blocking.
Additional insights by Jay Yaneza.