{"id":6312,"date":"2017-01-23T15:50:17","date_gmt":"2017-01-23T23:50:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-150\/"},"modified":"2017-01-23T15:50:17","modified_gmt":"2017-01-23T23:50:17","slug":"news-150","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-150\/","title":{"rendered":"MSRT April release features Bedep detection"},"content":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/malicious-software-removal-tool-details.aspx\" target=\"_blank\">Microsoft Malicious Software Removal Tool<\/a> (MSRT) release this April will include detections for:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Bedep\" target=\"_blank\">Win32\/Bedep<\/a> \u2013 Trojan family<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Upatre\" target=\"_blank\">Win32\/Upatre<\/a> \u2013 Trojan family<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:MSIL\/Samas\" target=\"_blank\">Ransom:MSIL\/Samas<\/a> \u2013 Ransomware family<\/li>\n<\/ul>\n<p>In this blog, we\u2019ll focus on the <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> family of trojans.<\/p>\n<h2>The bothersome Bedep<\/h2>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Bedep\" target=\"_blank\">Win32\/Bedep<\/a> was first detected on November 25, 2014 as a malware family made up of DLLs that have been distributed by the Angler Exploit Kit. 
Microsoft detects Angler as:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=JS\/Axpergle\" target=\"_blank\">JS\/Axpergle<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=HTML\/Axpergle\" target=\"_blank\">HTML\/Axpergle<\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=JS\/Axpergle\" target=\"_blank\">JS\/Axpergle<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=HTML\/Axpergle\" target=\"_blank\">HTML\/Axpergle<\/a> have been known to carry and drop <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> around by redirecting unsuspecting users to compromised websites.<\/p>\n<p><a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:<\/p>\n<ul>\n<li>Download other malware, such as:\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=MSIL\/Dofoil\" target=\"_blank\">Dofoil<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Ursnif\" target=\"_blank\">Ursnif<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Zemot\" target=\"_blank\">Zemot<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Fareit\" target=\"_blank\">Fareit<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 30px\">All of the above malware families have these in common: they steal your personal 
information and send it to the hacker, watch what you do online, drop other malware onto your PC, and update that malware too.<\/p>\n<ul>\n<li>Collect information about your PC to send it off to the malware perpetrator<\/li>\n<li>Update the downloaded malware<\/li>\n<\/ul>\n<p>The good news is that <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\" target=\"_blank\">Windows Defender<\/a> detects and removes <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> and its variants.<\/p>\n<p>This threat has been prevalent in North America and in various parts of Latin America, Europe, and Southeast Asia.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/BedepGeoDist3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-6855\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/BedepGeoDist3-1024x556.png\" alt=\"BedepGeoDist3\" width=\"891\" height=\"484\" \/><\/a><\/p>\n<p><em>Figure 1: The map shows Win32\/Bedep\u2019s prevalence in North America, Latin America, Europe, and Southeast Asia in the last six months.<\/em><\/p>\n<p><em><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/BedepPie.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-6854\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/BedepPie.png\" alt=\"BedepPie\" width=\"603\" height=\"442\" \/><\/a><\/em><\/p>\n<p><em>Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months.<\/em><\/p>\n<p>The exploit shellcode from the Angler Exploit Kit sometimes loads <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> directly into memory, without it ever being written to 
disk. At other times, however, it is written to disk.<\/p>\n<p>It can be installed either as a 32-bit DLL (<a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win32\/Bedep.A\" target=\"_blank\">Backdoor:Win32\/Bedep.A<\/a>) or as a 64-bit DLL (<a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win64\/Bedep.A\" target=\"_blank\">Backdoor:Win64\/Bedep.A<\/a>), depending on the affected Windows OS version.<\/p>\n<p><a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">This<\/a> threat is initially loaded by shellcode running in an exploited browser process (for example, <em>iexplore.exe<\/em>). The threat then downloads a copy of itself and injects that copy into <em>explorer.exe<\/em>.<\/p>\n<p>We have observed that the first exploit alone is not enough: the attacker needs further exploits to bypass the OS or browser&#8217;s layered defenses. 
As a precaution, you should always be careful when clicking User Account Control (UAC) prompts.<\/p>\n<p>We&#8217;ve also seen that <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> can drop itself as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/variables.aspx#programdata\" target=\"_blank\"><em>%ProgramData%<\/em><\/a><em>\\&lt;{CLSID}&gt;\\&lt;filename&gt;.dll<\/em>.<\/p>\n<p>Example path and file name: <em>C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll<\/em>.<\/p>\n<p>It then creates the following registry entries:<\/p>\n<p style=\"padding-left: 30px\">In subkey: <em>HKEY_CURRENT_USER\\CLSID\\%Random CLSID%\\InprocServer32<\/em><\/p>\n<p style=\"padding-left: 30px\">Example: <em>HKEY_CURRENT_USER\\CLSID\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\\InprocServer32<\/em><\/p>\n<p style=\"padding-left: 30px\">Sets value: &#8220;<em>ThreadingModel<\/em>&#8221;<\/p>\n<p style=\"padding-left: 30px\">With data: &#8220;<em>Apartment<\/em>&#8221;<\/p>\n<p style=\"padding-left: 30px\">Sets value: &#8220;&#8221; (the key&#8217;s default value)<\/p>\n<p style=\"padding-left: 30px\">With data: <em>%Bedep Filename%<\/em><\/p>\n<p style=\"padding-left: 30px\">Example: &#8220;<em>C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll<\/em>&#8221;<\/p>\n<p style=\"padding-left: 30px\">In subkey: <em>HKEY_CURRENT_USER\\Drive\\ShellEx\\FolderExtensions\\%Random CLSID%<\/em><\/p>\n<p style=\"padding-left: 30px\">Example: <em>HKEY_CURRENT_USER\\Drive\\ShellEx\\FolderExtensions\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}<\/em><\/p>\n<p style=\"padding-left: 30px\">Sets value: &#8220;<em>DriveMask<\/em>&#8221;<\/p>\n<p style=\"padding-left: 30px\">With data: <em>dword:ffffffff<\/em><\/p>\n<p>For details about the various Bedep variants, see the following malware encyclopedia entries:<\/p>\n<ul>\n<li><a 
href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Ursnif\" target=\"_blank\">Win32\/Bedep<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=MSIL\/Dofoil\" target=\"_blank\">Backdoor:Win32\/Bedep<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Zemot\" target=\"_blank\">Backdoor:Win32\/Bedep.A<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win64\/Bedep.A\" target=\"_blank\">Backdoor:Win64\/Bedep.A<\/a><\/li>\n<\/ul>\n<h2>Mitigation and prevention<\/h2>\n<p>To help stay protected from Bedep and other threats, use an <a href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\" target=\"_blank\">up-to-date<\/a> <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\" target=\"_blank\">Windows Defender<\/a> for Windows 10 as your antimalware scanner, and <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows-8\/join-maps-community\" target=\"_blank\">ensure that MAPS has been enabled<\/a>.<\/p>\n<p>Though trojans have been a permanent fixture in the malware ecosystem, there\u2019s still something that you or your administrators can proactively do:<\/p>\n<ul>\n<li>Block the IP addresses of the compromised websites as soon as the administrator identifies the list of sites that <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\">Bedep<\/a> maliciously redirects to.<\/li>\n<li>Always be careful when clicking User Account Control (UAC) prompts.<\/li>\n<li><a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\" target=\"_blank\">Use Microsoft Edge to get SmartScreen protection<\/a>. 
It prevents you from browsing to sites known to host exploits, and protects you from socially engineered attacks such as phishing and malware downloads.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/02\/24\/locky-malware-lucky-to-avoid-it\/\" target=\"_blank\">Disable the loading of macros in Office programs<\/a>.<\/li>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/ee857085.aspx\" target=\"_blank\">Disable macro loading through the Group Policy settings<\/a>.<\/li>\n<li>Keep your software <a href=\"http:\/\/www.microsoft.com\/security\/portal\/definitions\/adl.aspx\" target=\"_blank\">up-to-date<\/a> to mitigate possible software exploits.<\/li>\n<li>Protect derived domain credentials with <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/mt483740%28v=vs.85%29.aspx\" target=\"_blank\">Credential Guard for Windows 10 Enterprise<\/a>.<\/li>\n<li>Secure your code integrity with <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dn986865%28v=vs.85%29.aspx\" target=\"_blank\">Device Guard for Windows 10 Enterprise<\/a>.<\/li>\n<li><a href=\"http:\/\/download.microsoft.com\/download\/5\/1\/6\/516F59A7-91EE-4463-8612-C85FD3BEBDC7\/pop-securing-lateral-account-movement.pdf\" target=\"_blank\">Secure against lateral account movement in your enterprise<\/a>.<\/li>\n<li>Use two-factor authentication with <a href=\"https:\/\/blogs.windows.com\/buildingapps\/2016\/01\/26\/convenient-two-factor-authentication-with-microsoft-passport-and-windows-hello\/\" target=\"_blank\">Microsoft Passport and Windows Hello<\/a>.<\/li>\n<li>Ensure that a strong <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc770394%28v=ws.10%29.aspx\" target=\"_blank\">password policy<\/a> is implemented throughout the enterprise.<\/li>\n<\/ul>\n<p><em>Jonathan San Jose<\/em><\/p>\n<p><em>MMPC<\/em><\/p>\n<p><a 
href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for: Win32\/Bedep \u2013 Trojan family Win32\/Upatre \u2013 Trojan family Ransom:MSIL\/Samas \u2013 Ransomware family In this blog, we\u2019ll focus on the Bedep family of trojans. &#160; The bothersome Bedep Win32\/Bedep was first&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10834,10835,10836,10837,10838,10839,10806,6490,10797,10700,10840,10786,10841,10833,10842,10843,10844,10762,10788,10845],"class_list":["post-6312","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-angler-exploit-kit","tag-axpergle","tag-backdoor","tag-bedep","tag-bedep-geodistribution","tag-dofoil","tag-macro-based-malware","tag-maps","tag-microsoft-active-protection-service","tag-microsoft-edge","tag-microsoft-edge-smartscreen-protection","tag-msrt","tag-smartscreen","tag-trojan","tag-ursnif","tag-win32dofoil","tag-win32fareit","tag-windows-defender","tag-windows-defender-blogs-for-home-users-and-small-businesses","tag-zemot"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.pal
ada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6312"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6312\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6312"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}