Slenfbot

Slenfbot is the classification for a family of malicious software (malware) that infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and numerous variants have followed since, each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites that contain a malicious payload. It propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants, as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Aliases
The majority of Antivirus (A/V) vendors use the following naming conventions when referring to this family of malware (the * at the end of the names is a wildcard for all the possible classifications and/or distinctions for this malware family):


 * Slenfbot
 * Stekct

Publicly Known Efforts
None publicly known.

Summary
Slenfbot is a worm that spreads using links to websites containing malicious software (malware) via instant messaging programs, which may include MSN/Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo Messenger, Google Chat, Facebook Chat, ICQ and Skype. The worm propagates automatically via removable drives and shares, or on the local network through the Windows file sharing service (i.e., Server or LanmanServer service). Slenfbot also contains backdoor capabilities that allow unauthorized access to an affected machine. The code appears to be closely controlled, which may provide attribution to one group and/or indicate that the malware authors share a significant portion of the code. Slenfbot has been seen in the wild since 2007 and has obtained new features and capabilities over time; subsequent variants have systematically gained similar, if not the same, feature sets. Because of this, Slenfbot continues to operate as an effective infector and dynamic downloader of additional malware, making it a highly functional delivery mechanism for other spyware, information stealers, spam bots and other malware.

Installation
When executed, Slenfbot copies a duplicate of the malicious payload to the %SYSTEM% folder under a filename that varies by variant, and sets the attributes of the copy to read-only, hidden and system to hide it in Windows Explorer. The worm then makes changes to the registry to maintain persistence so that the malware executes a duplicate copy on each subsequent startup of the system (e.g. adding the malicious executable to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey). Several variants may modify the registry during installation to add the malware to the list of applications that are authorized to access the Internet, allowing the malware to communicate without raising Windows security alerts and to run unimpeded by the Windows Firewall.

In some cases, variants may instead modify the registry to install the malicious payload as a debugger for the benign system file ctfmon.exe, so that when ctfmon.exe executes on system startup, the malware is executed. In most cases, Slenfbot will attempt to delete the original copy of the worm. Some variants may make additional modifications to the registry in order to delete the originally executed copy of the worm when the system restarts.
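The two registry persistence methods described above can be checked offline from a registry export. This is an added example, not code from any vendor or from the malware: it assumes the debugger method uses the standard Image File Execution Options "Debugger" value, that %SYSTEM% resolves to a system32 folder, and the sample export and its names are constructed placeholders.

```python
import re

# Standard Windows locations for the two persistence methods described above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IFEO_CTFMON = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options\ctfmon.exe")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return (finding, value_name, data) tuples; string (REG_SZ) values only."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if key == IFEO_CTFMON and name.lower() == "debugger":
            # A Debugger value here redirects every launch of ctfmon.exe.
            findings.append(("ifeo-debugger", name, data))
        elif key == RUN_KEY and re.search(r"\\system32\\[^\\]+\.exe", data, re.I):
            # Heuristic for review: autostart of an executable in the system folder.
            findings.append(("run-entry-in-system-folder", name, data))
    return findings

# Constructed sample in `reg export` format; names and paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"ConstructedEntry"="C:\\WINDOWS\\system32\\placeholder-name.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="C:\\WINDOWS\\system32\\placeholder-name.exe"
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(finding)
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in. Run-key hits are leads for review, since legitimate software also starts from the system folder.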

Some Slenfbot variants may, on initial execution, test to see if MSN/Windows Live Messenger is currently running by looking for a window with the class name "MSBLWindowClass". If the worm finds the window, the malware may display a fake error message.

If Slenfbot is launched from a removable drive, some variants may open Windows Explorer and display the contents of the affected drive. Certain Slenfbot variants may inject a thread into explorer.exe, which periodically checks for the presence of the malware in the System folder. If the file is not found, the malware downloads a new copy from a specified server and launches the new copy.

Instant Messaging
Slenfbot uses instant messaging as an attack vector to spread the worm to other accounts and contacts. The remote attacker may use the worm’s backdoor capabilities to instruct Slenfbot to spread via MSN/Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo Messenger, Google Chat, Facebook Chat, ICQ and Skype. The worm connects to a remote server and sends a copy of a URL, which contains a list of possible messages to send randomly; creates a ZIP archive, which contains a copy of the malware; and then sends the ZIP archive to other instant messaging client contacts. The following are some examples of the messages the worm may spread:


 * Are you serious...is this really you?
 * HAHA! this is funny! here, read this guys shirt.
 * Is this really a pic of you?
 * OMFG look at this!!!
 * This is my dream car right here!

The ZIP file includes a file name for the Slenfbot executable, and may also contain a URL for a file to download in situations where the attacker instructs the worm to send arbitrary file(s).

Removable Drives
Slenfbot may spread to removable drives by creating a directory called “RECYCLER” in the root directory of the removable drive. The malware will then create a subdirectory in the “RECYCLER” folder (e.g. “S-1-6-21-1257894210-1075856346-012573477-2315”), and copy the malicious payload to the directory using a different name for the executable (e.g. “folderopen.exe”). Slenfbot may also create an autorun.inf file in the root directory of the drive so that the worm may execute if the drive is connected to another system. Certain variants may download an updated copy of Slenfbot from a location specified in the worm, and write the file to a directory (e.g. using the name “~secure”). For all the locations the worm copies itself to, Slenfbot sets the hidden and system attributes on the respective directories and files. In some circumstances, due to a programming issue, Slenfbot may only create one directory rather than two (e.g. “E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe”).
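A triage check for the drive artifacts described above, including the fused single-directory case. This is an added example, not taken from any vendor tool: the extension list is an assumption, and the sample drive is constructed in a temporary directory from the names quoted on this page.

```python
import os
import re
import tempfile

# Shape of the SID-like subdirectory name, taken from the page's example.
SID_LIKE = re.compile(r"S-\d+-\d+(-\d+)+$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif")  # assumed list of launchable types

def audit_drive(root):
    """Return sorted (finding, relative_path) pairs for a mounted drive root."""
    findings = []
    for name in os.listdir(root):
        path, upper = os.path.join(root, name), name.upper()
        if upper == "AUTORUN.INF" and os.path.isfile(path):
            findings.append(("autorun.inf in root", name))
        if not (upper.startswith("RECYCLER") and os.path.isdir(path)):
            continue
        # Programming-issue case: one directory named "RECYCLERS-1-6-21-...".
        if SID_LIKE.match(upper[len("RECYCLER"):]):
            findings.append(("fused RECYCLER+SID directory", name))
        for dirpath, _dirs, files in os.walk(path):
            for f in files:
                if f.lower().endswith(EXEC_EXT):
                    rel = os.path.relpath(os.path.join(dirpath, f), root)
                    findings.append(("executable under RECYCLER",
                                     rel.replace(os.sep, "/")))
    return sorted(findings)

def build_sample_drive():
    """Constructed sample: both layouts from the page in a temp directory."""
    root = tempfile.mkdtemp(prefix="drive_")
    sid = "S-1-6-21-1257894210-1075856346-012573477-2315"
    for sub in (os.path.join("RECYCLER", sid), "RECYCLER" + sid, "Photos"):
        os.makedirs(os.path.join(root, sub))
    for rel in (os.path.join("RECYCLER", sid, "folderopen.exe"),
                os.path.join("RECYCLER" + sid, "folderopen.exe"),
                "autorun.inf", os.path.join("Photos", "trip.jpg")):
        open(os.path.join(root, rel), "wb").close()
    return root

if __name__ == "__main__":
    for finding, rel in audit_drive(build_sample_drive()):
        print(f"{finding}: {rel}")
```

Because the worm sets the hidden and system attributes, these paths will not show in a default Explorer view; the findings are leads for review, as a genuine recycle bin can also hold deleted executables.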

File and Print Shares
Slenfbot may spread to accessible shares upon successful compromise of a system. The worm may also spread to file and print shares by exploiting known vulnerabilities such as MS06-040 or MS10-061, which pertain to issues with the Server and Print Spooler services, respectively. The attacker would have to instruct the worm to spread to the remote system via exploit or instant messaging in order to continue the propagation of Slenfbot.

Payload

 * Slenfbot attempts to connect to an Internet Relay Chat (IRC) server via a particular TCP port (the IRC channel and port number may vary per the variant), joins a channel and then waits for commands; the attacker may then use the backdoor to perform additional actions on the compromised system such as deleting the malware, joining another IRC channel, downloading/executing arbitrary files and/or propagating to other instant messaging accounts
 * Slenfbot makes modifications to the hosts file by replacing %SYSTEM%\drivers\etc\hosts with a file of its own; the modified hosts file may contain several entries to point various anti-virus and security related domains to localhost (i.e. 127.0.0.1) or to a random IP address, which obstructs the user from visiting the listed domains; the file may also contain numerous blank lines to give the appearance that the hosts file has not been modified
 * Slenfbot runs commands to delete files named *.zip and *.com in the current directory as well as the user's "Received Files" directory, which is the default location where Windows Messenger stores downloaded files; the latter may be to delete the original copy of the worm, which was received via Windows Messenger
 * Some Slenfbot variants may create a file (e.g. "RemoveMexxxx.bat") in the %TEMP% directory, which is a batch file that tries to delete the copy after execution to prevent detection
 * Slenfbot deletes various registry keys and any subkeys and values that they may contain in order to disable system restore, task manager, the use of the Windows Registry Editor and/or prevent the viewing of files with hidden attributes; the worm may also disable antivirus and firewall software and attempt to disable Data Execution Prevention (DEP) by making other modifications to the system; some variants may periodically rewrite the changes in order to maintain persistence on the system
 * Slenfbot may terminate security-related processes as well as stop, disable and delete services on the compromised system in order to remain undetected and maintain persistence
 * Slenfbot may inject code into the Explorer process to "lock" the file in order to prevent the worm from being deleted and/or to reopen the payload upon process termination
 * Slenfbot may also be capable of hiding the malicious process from task manager
 * Slenfbot variants may create a mutex that differs according to variant
 * Slenfbot may execute additional commands after receiving data from another remote system; commands may include additional instructions to further modify the compromised system
 * Slenfbot may download and install additional malware to relay spam, steal information, install spyware toolbars as well as propagate other malicious campaigns; the initial Slenfbot payload serves as a first-stage downloader for the purpose of loading additional malware on the compromised host
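The hosts-file tampering in the payload list leaves two signs that can be checked mechanically: watched domains mapped to loopback or another address, and entries hidden below a long run of blank lines. This is an added example, not code from the original page; the watchlist, the padding threshold and the sample file are constructed assumptions.

```python
import ipaddress

# Constructed watchlist; replace with the security and update domains you use.
WATCHED_SUFFIXES = ("av-vendor.example", "updates.example")
PAD_THRESHOLD = 20  # assumed: this many consecutive blank lines is padding

def is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (redirects, padded_lines) for the text of a hosts file."""
    redirects, padded, blank_run = [], [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            blank_run += 1
            continue
        run, blank_run = blank_run, 0
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # comment-only or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if run >= PAD_THRESHOLD:
            padded.append(line_no)  # entry pushed out of view by blank lines
        kind = "loopback" if addr.is_loopback else "other address"
        for host in fields[1:]:
            if is_watched(host):
                redirects.append((line_no, str(addr), host, kind))
    return redirects, padded

# Constructed sample: a normal entry, 30 blank lines, then two redirects.
SAMPLE_HOSTS = ("# constructed sample\n127.0.0.1 localhost\n" + "\n" * 30 +
                "127.0.0.1 www.av-vendor.example\n"
                "203.0.113.7 download.updates.example\n")

if __name__ == "__main__":
    redirects, padded = audit_hosts(SAMPLE_HOSTS)
    print(redirects, padded)
```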

Prevention
The following steps may help prevent infection:


 * Get the latest computer updates for all your installed software
 * Use up-to-date antivirus software
 * Limit user privileges on the computer
 * Have the sender confirm that they sent the link before clicking on it
 * Use caution when clicking on links to webpages
 * Use caution when opening attachments and accepting file transfers
 * Use online services to analyze files and URLs (e.g. Malwr, VirusTotal, Anubis, Wepawet, etc.)
 * Only run software from publishers you trust
 * Protect yourself against social engineering attacks
 * Use strong passwords and change passwords periodically

Recovery
Slenfbot uses stealth measures to maintain persistence on a system; thus, you may need to boot to a trusted environment in order to remove it. Slenfbot may also make changes to your computer, such as changes to the Windows Registry, which make it difficult to download, install and/or update your virus protection. Also, since many variants of Slenfbot attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known/possible locations.

One possible solution would be to use Microsoft’s Windows Defender Offline Beta to detect and remove Slenfbot from your system. For more information on Windows Defender Offline, go to: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline