Research

Smitfraud meets Nsag: return of the file infector

In December 2004 we reported about the first AdWare related file infector, Virus.Win32.Implinker.a.

The number of reports was significant enough for us to include detection and disinfection for this piece of malware in our klwk cleaner.

I was sure that Implinker would change the malware landscape, and it did.
In February 2005, the Virus.Win32.Bube saga started, with multiple variants appearing within a short period of time.
Bube is more advanced than Implinker, and also more difficult to remove.

After Bube’s success, I was absolutely certain that it was only a matter of time before a massive outbreak would be caused by a file infector, most likely related to AdWare, and difficult to remove.

And this in the situation we are in now.

Virus.Win32.Nsag.a has been causing havoc across the globe for a couple of weeks now. As the outbreak involves malware which doesn’t spread automatically over the internet, statistics are hard to gather. However, the number of reports shows that we’re dealing with a massive amount of infected systems.

Nsag is the file infecting part of an infection which many people refer to as ‘Smitfraud(.c)’. It seems that several pieces of malware (e.g. Trojan-Downloaders) are downloading and/or installing Nsag onto the system.

For more details of how it infects, see Virus.Win32.Nsag.a in the Virus Encyclopaedia.

Some important factors: dedicated anti-spyware solutions can’t detect or disinfect infected files, the system is still (partly) infected even after such solutions have been run. Therefore Windows(explorer.exe) may not start properly.

Part of disinfecting wininet.dll has to be done manually. This prevents novice users from getting rid of the infection. (See Virus.Win32.Nsag.a in the Virus Encyclopaedia for removal instructions.)

So what is Smitfraud’s real aim?

It seems that all (recent) Smitfraud variants have one thing in common: They all try to persuade the user to download PSGuard, a program which claims to remove the spyware (i.e. Smitfraud) which has been installed onto the system.

Naturally the program only disinfects the infection once the user has paid for it.

Although PSGuard is questionable in terms of motive, the program itself has no malicious payload whatsoever. This means we can’t simply add detection for it to our databases.

So is this a new method of distributing Adware,Spyware and alledgedly legitimate software? Is it another nail in the coffin of dedicated anti-spyware solutions? Others have undoubtedly already seen Nsag’s major success, and the methods it uses will certainly be copied.

Will av vendors have to change their traditional code of ethics, and start detecting software which had no malicious payload at all, but is almost certainly related to Trojans, viruses or other malware?

Worrying questions, with perhaps even more worrying answers…

Smitfraud meets Nsag: return of the file infector

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox