About Me

Geok Meng Ong, Senior Research Manager

W32/Kibik.b – Seeking Them Out From Your Codecs and Winlogon.Exe

Friday, January 4, 2008 at 9:46am by Geok Meng Ong

Websites delivering malicious payloads, either as web exploits or as plain old executables masquerading as multimedia or legitimate applications, are not uncommon. In the past year we must have blogged a dozen times about how the popularity of Internet audio and video has turned them into a malware wonderland: from movie-infecting worms to dodgy codec installers (yes, even on Mac OS) and, most recently, Puper trojans capitalizing on the Bhutto assassination video. These range from widespread infections that hit the headlines the next day to stealthy backdoors and password stealers designed to stay quiet and reside on your computer for as long as possible.

McAfee’s SiteAdvisor™ technology performs behavioral analysis, looking for suspicious activity in code that resides within the intertwined nests of exploited sites. Whether run by rogue administrators or simply compromised, such sites may well host safe downloads, but they are far more likely to host something malicious than the average site.

Just before Christmas 2007, our crawlers detected dodgy behavior attributed to a site linked to a nest of exploits, and our system quickly escalated it for human review. It turned out to be a variant of W32/Kibik, a stealthy, limited parasitic virus that targets only specific files and stays under most radars. The website tricks the user into downloading a fake media codec, now detected as W32/Kibik.b.

Figure 1. Instruction to download fake media codec

Like its big brother, the new variant is hard to detect: it infects Winlogon.exe by quietly planting the virus in an unused, null-filled segment of the file and, unlike most viruses, does not change the file’s size. It also leaves no trace in the Windows registry and modifies no other files on the computer, yet it runs each time the system starts up.
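One defender-side check that follows from this description: if a virus hides in null-filled space inside an existing executable without changing its size, the bytes that the PE section table says are alignment padding (past each section’s VirtualSize, up to its SizeOfRawData) should still be all zero. The script below is an added example, not McAfee’s detection logic or anything taken from the Kibik sample; it parses the PE section table with only the standard library and reports any section whose on-disk padding contains non-zero bytes. The generalization goes beyond the post: it inspects every section of any PE file, not only Winlogon.exe. The `build_sample_pe` helper constructs a minimal, non-runnable PE-shaped file so the check can be exercised offline; the tiny byte strings inside it are constructed stand-ins, not code from the malware.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def section_headers(data: bytes):
    """Parse the PE section table; returns (name, VirtualSize, SizeOfRawData, PointerToRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3], fields[4]))
    return sections


def find_slack_code(data: bytes):
    """Report sections whose on-disk alignment padding (bytes past VirtualSize, up to
    SizeOfRawData) is not all zero. Returns (name, file_offset, slack_len, nonzero_count)."""
    findings = []
    for name, vsize, rawsize, rawptr in section_headers(data):
        if rawsize <= vsize:
            continue  # no padding on disk (e.g. .bss-style sections)
        start, end = rawptr + vsize, rawptr + rawsize
        slack = data[start:end]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            findings.append((name, start, len(slack), nonzero))
    return findings


def build_sample_pe(slack_payload: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped file (headers plus one .text section); not a real
    executable. If slack_payload is given, it is written into the section's padding,
    mimicking an infection that fills null bytes without changing the file size."""
    opt_size = 0xE0                      # PE32 optional header size
    raw_ptr, raw_size = 0x200, 0x200     # .text starts at 0x200, one file-alignment unit
    text_code = b"\x55\x8B\xEC\x5D\xC3"  # constructed stub: push ebp; mov ebp,esp; pop ebp; ret
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)  # i386, one section
    opt = bytearray(opt_size)
    opt[:2] = struct.pack("<H", 0x10B)            # PE32 magic
    sec = SECTION_HEADER.pack(b".text", len(text_code), 0x1000, raw_size, raw_ptr,
                              0, 0, 0, 0, 0x60000020)  # code | execute | read
    image = bytearray(raw_ptr + raw_size)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    image[:len(head)] = head
    image[raw_ptr:raw_ptr + len(text_code)] = text_code
    if slack_payload:
        off = raw_ptr + len(text_code)
        image[off:off + len(slack_payload)] = slack_payload
    return bytes(image)


if __name__ == "__main__":
    # Constructed "patched" payload: a call/nop stub standing in for injected code.
    for label, sample in (("clean", build_sample_pe()),
                          ("patched", build_sample_pe(b"\xE8\x00\x00\x00\x00\x90\x90"))):
        print(label, len(sample), "bytes ->", find_slack_code(sample))
```

To run it against a real file, pass `open(path, "rb").read()` to `find_slack_code`. A hit is a lead rather than proof: some build tools leave non-zero fill in places, so the reliable confirmation is still a hash or signature comparison of Winlogon.exe against a known-good copy of the same version, and the size-unchanged property the post describes is exactly why file size alone is not a useful indicator here.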

W32/Kibik.b retrieves commands from the server hosted at swf1.flashxyx.com. This domain appears to be hosting free games for download, but is (ab)used as a command and control server for W32/Kibik.b.

On each startup, the following actions are performed once:
1) A network connection is made to swf1.flashxyx.com.
2) At the time of our investigation the host was active but not delivering any files; our static analysis, however, shows that it can and will download and execute additional files:

Figure 2. Download and execute code in DLL

It goes on to poll the website in 5-minute intervals to retrieve further commands from the controller.
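A fixed 5-minute poll is the kind of network behavior that stands out in proxy or DNS logs even when the host-side footprint is minimal. The script below is an added example (not McAfee’s tooling) of the simplest beaconing heuristic: group connections by client and destination, compute the gaps between them, and flag pairs whose gaps are near-constant. The log lines, the client address, the `news.example.net` and `update.example.net` destinations, and the `min_hits`/`max_cv` thresholds are all constructed assumptions for the demonstration; only the swf1.flashxyx.com domain comes from the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client> <destination host>", not real captures.
# The swf1.flashxyx.com entries are spaced ~300 s apart, as the post describes.
SAMPLE_LOG = """\
2008-01-04T09:00:00 10.0.0.5 swf1.flashxyx.com
2008-01-04T09:00:03 10.0.0.5 update.example.net
2008-01-04T09:05:01 10.0.0.5 swf1.flashxyx.com
2008-01-04T09:07:40 10.0.0.5 news.example.net
2008-01-04T09:10:00 10.0.0.5 swf1.flashxyx.com
2008-01-04T09:14:59 10.0.0.5 swf1.flashxyx.com
2008-01-04T09:20:01 10.0.0.5 swf1.flashxyx.com
2008-01-04T09:21:10 10.0.0.5 news.example.net
2008-01-04T09:25:00 10.0.0.5 swf1.flashxyx.com
2008-01-04T09:33:02 10.0.0.5 news.example.net
"""


def parse_log(text: str):
    """Group connection timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text: str, min_hits: int = 4, max_cv: float = 0.05):
    """Return (client, host, mean_gap_seconds, coefficient_of_variation) for pairs
    seen at least min_hits times whose inter-connection gaps vary by at most max_cv.
    Thresholds are assumptions chosen for the demo, not published values."""
    results = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu  # low CV = regular, timer-driven contact
        if cv <= max_cv:
            results.append((client, host, round(mu, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for client, host, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every {gap}s (cv={cv})")
```

On the constructed log this flags only the swf1.flashxyx.com contacts (mean gap 300 s). Real-world malware often adds jitter to its polling interval, so a production version would also look at the distribution of gaps, the time-of-day pattern and the reputation of the destination, but the regularity check alone is enough to surface the timer-driven behavior this post describes.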

Because its actions are relatively low-noise and it became active during the holiday season, few security vendors detect W32/Kibik.b, as was the case with its older variant.

More details of W32/Kibik.b are available.


Comments (1)

  • Infected Winlogon.exe hard to detect January 11, 2008 12:39AM

    [...] Virus researchers have discovered a new variant of the Kibik virus that injects itself into an unused part of Winlogon.exe. [...]