NEWS FROM THE LAB - Wednesday, October 22, 2008

Virus.VBS.Confi Posted by WebSecurity @ 15:22 GMT

One of our Web Security Analysts — Chu Kian — came across a relatively old threat this week.

It was during his day-to-day work that he encountered a VBS malware, Virus.VBS.Confi.

It's not something new, detection was added in 2005, but it still works and it can still infect some unpatched systems if they browse websites with the malware code present.

Visiting an infected website with the malicious code will prompt for a Java virtual machine component installation, shown below:


On one of our test machines, after selecting to download, the sample displayed a script error. Luckily Windows Script Debugger was open to prompt of any scripting errors, and so up came the actual decoded script of the malware.


Inspecting the decoded script shows that it will try to save the downloaded file as KERNEL.DLL or KERNEL32.DLL (detected as Virus.VBS.Confi) depending on where WSCRIPT.EXE is located. This downloaded file is also used to reference the startup registry key as well as in its shell spawning routine which is achieved by modifying the registry key in opening DLL files. It can also infect files that have extensions of HTM, HTML, ASP, PHP, and JSP.

Taking a look at the infected website and viewing the page source, we saw that the site is actually embedded with the malware code. Maybe this is unknown to the website owner that is why it's still there. (We've now sent abuse messages regarding this.)


Having come across one site, we looked further using Google. You can easily discover more websites that contain the same malware code. Here are some sample search results:


So even though most of today's threats live and die within a few days, there's still some old script malware that exists it can still infect unwary travelers.