Research

Smitfraud meets Nsag: return of the file infector

In December 2004 we reported about the first AdWare related file infector, Virus.Win32.Implinker.a.

The number of reports was significant enough for us to include detection and disinfection for this piece of malware in our klwk cleaner.

I was sure that Implinker would change the malware landscape, and it did.
In February 2005, the Virus.Win32.Bube saga started, with multiple variants appearing within a short period of time.
Bube is more advanced than Implinker, and also more difficult to remove.

After Bube’s success, I was absolutely certain that it was only a matter of time before a massive outbreak would be caused by a file infector, most likely related to AdWare, and difficult to remove.

And this in the situation we are in now.

Virus.Win32.Nsag.a has been causing havoc across the globe for a couple of weeks now. As the outbreak involves malware which doesn’t spread automatically over the internet, statistics are hard to gather. However, the number of reports shows that we’re dealing with a massive amount of infected systems.

Nsag is the file infecting part of an infection which many people refer to as ‘Smitfraud(.c)’. It seems that several pieces of malware (e.g. Trojan-Downloaders) are downloading and/or installing Nsag onto the system.

For more details of how it infects, see Virus.Win32.Nsag.a in the Virus Encyclopaedia.

Some important factors: dedicated anti-spyware solutions can’t detect or disinfect infected files, the system is still (partly) infected even after such solutions have been run. Therefore Windows(explorer.exe) may not start properly.

Part of disinfecting wininet.dll has to be done manually. This prevents novice users from getting rid of the infection. (See Virus.Win32.Nsag.a in the Virus Encyclopaedia for removal instructions.)

So what is Smitfraud’s real aim?

It seems that all (recent) Smitfraud variants have one thing in common: They all try to persuade the user to download PSGuard, a program which claims to remove the spyware (i.e. Smitfraud) which has been installed onto the system.

Naturally the program only disinfects the infection once the user has paid for it.

Although PSGuard is questionable in terms of motive, the program itself has no malicious payload whatsoever. This means we can’t simply add detection for it to our databases.

So is this a new method of distributing Adware,Spyware and alledgedly legitimate software? Is it another nail in the coffin of dedicated anti-spyware solutions? Others have undoubtedly already seen Nsag’s major success, and the methods it uses will certainly be copied.

Will av vendors have to change their traditional code of ethics, and start detecting software which had no malicious payload at all, but is almost certainly related to Trojans, viruses or other malware?

Worrying questions, with perhaps even more worrying answers…

Smitfraud meets Nsag: return of the file infector

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox