Windows 7: Upatre: Emerging Up(d)at(er) in the wild

01 Nov 2013   #1
Microsoft MVP

64-bit Windows 10 Pro
Upatre: Emerging Up(d)at(er) in the wild

The MMPC is constantly monitoring emerging threats that are impacting our customers the most.

Recently, we started seeing Win32/Upatre being distributed in the wild. This chart shows how this threat has impacted customer machines in just about two months.

Chart showing increase of Win32/Upatre infections in August to September of 2013

Figure 1: Monthly telemetry data on Win32/Upatre downloader

As we see in this next chart, the concentration of infections is in the United States with 96% of total infections, followed by the UK, Canada, and Australia. The high rate of infections in the US may be due to the spam distribution methods, such that infections are being reported via online email services.

Pie chart showing geographic spread of Win32/Upatre

Figure 2: Monthly telemetry data on Win32/Upatre by country

We have seen this malware distributed via spam campaigns with email attachments such as the following:
• USPS_Label_<random number>.zip
• USPS - Missed package
• Statement of
• TAX_<variable names>.zip
• Case_<random number>.zip
• Remit_<variable names>.zip
• ATO_TAX_<variable names>.zip

The <variable names> can be domains, company and individual names, or may be just random letters or words.

Furthermore, based upon the telemetry, Win32/Upatre is also distributed via exploit kits - such as those delivered via Java and PDF-related exploits.

Win32/Upatre’s end purpose is to download and install PWS:Win32/Zbot.gen!AM. The month after its first appearance, Win32/Upatre also started downloading the VBR bootkit TrojanDownloader:Win32/Rovnix.I.

In the past, PWS:Win32/Zbot.gen!AM was known to use domain generation algorithm (DGA) generated URLs and attempt to download updates. DGA URLs are harder to track than normal URLs as they are usually registered for a very short time of the attacker's choice. As the attacker knows the algorithm, they are able to predict which domain the malware will attempt to connect to at any given date and time.

However, recently we have seen this variant of Zbot configured to download other malware. In particular, we have seen it downloading the "CryptoLock" ransomware that we detect as Trojan:Win32/Crilock.B. After a few days, it was modified to download a different malware, detected as Trojan:Win32/Necurs.A.

This diagram shows the infection chain:

Infection chain for Win32/Upatre

Figure 3: Upatre and Zbot infection

It is worth noting that a recent variant of this downloader (TrojanDownloader:Win32/Upatre.B) shares common modules with its payload malware, Win32/Zbot. The way Upatre's code has evolved over time has made it easier to embed more URL links. It has an export function named loaderConfigSource() that does not contain code but rather data on URLs from which to download malware:

Figure 4: loaderConfigSource export function

Figure 5: Pseudo code of the core downloading module

This may also impact the proper system remediation of Win32/Zbot (or other malware used as the payload in Win32/Upatre variants) because failure to properly detect and block Win32/Upatre may mean your system will get re-infected by Win32/Zbot.

The MMPC team is constantly monitoring emerging threats and ensuring that our protection covers them. As always, we recommend keeping your security products up-to-date.

Rodel Finones
Read more at: Upatre: Emerging Up(d)at(er) in the wild - Microsoft Malware Protection Center - Site Home - TechNet Blogs

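The attachment names listed in the post are the kind of indicator a mail gateway or SIEM can match on. The following is an added example, not code from the MMPC post or from Microsoft: it turns the listed name templates into regular expressions (reading <random number> as digits and <variable names> as a run of letters, digits, dots, hyphens or underscores) and runs them over a few constructed mail-gateway log lines in an assumed key=value format. The log format, sender addresses and recipients are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Attachment name templates from the post, turned into anchored regexes.
# Assumption: <random number> is all digits; <variable names> is a run of
# word characters, dots or hyphens (domains, company/person names, random words).
# The two extension-less entries ("USPS - Missed package", "Statement of") are
# matched as name prefixes.
ATTACHMENT_PATTERNS = [
    ("USPS_Label",   re.compile(r"^USPS_Label_\d+\.zip$", re.IGNORECASE)),
    ("USPS_Missed",  re.compile(r"^USPS - Missed package", re.IGNORECASE)),
    ("Statement_of", re.compile(r"^Statement of\b", re.IGNORECASE)),
    ("TAX",          re.compile(r"^TAX_[\w.\-]+\.zip$", re.IGNORECASE)),
    ("Case",         re.compile(r"^Case_\d+\.zip$", re.IGNORECASE)),
    ("Remit",        re.compile(r"^Remit_[\w.\-]+\.zip$", re.IGNORECASE)),
    ("ATO_TAX",      re.compile(r"^ATO_TAX_[\w.\-]+\.zip$", re.IGNORECASE)),
]

# Constructed (hypothetical) gateway log format: space-separated key=value
# pairs, values optionally double-quoted, "-" meaning "no value".
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
        fields[key] = value
    return fields


def classify_attachment(name: str) -> Optional[str]:
    """Return the matching campaign label for an attachment name, or None."""
    for label, pattern in ATTACHMENT_PATTERNS:
        if pattern.search(name):
            return label
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose attachment matches a template."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        attachment = rec.get("attachment", "-")
        if attachment == "-":
            continue
        label = classify_attachment(attachment)
        if label is not None:
            hits.append({
                "ts": rec.get("ts", ""),
                "from": rec.get("from", ""),
                "to": rec.get("to", ""),
                "attachment": attachment,
                "indicator": label,
            })
    return hits


# Constructed sample log: five messages, three carrying a matching attachment.
SAMPLE_LOG = """\
ts=2013-10-02T08:14:03Z from=billing@example.net to=alice@example.com subject="Invoice" attachment="invoice_0921.pdf"
ts=2013-10-02T08:15:47Z from=noreply@usps-notice.example to=bob@example.com subject="USPS - Missed package" attachment="USPS_Label_48213.zip"
ts=2013-10-02T08:16:10Z from=hr@example.com to=carol@example.com subject="Team lunch" attachment=-
ts=2013-10-02T08:17:55Z from=tax@ato-notice.example to=dave@example.com subject="Your tax statement" attachment="ATO_TAX_example.com.zip"
ts=2013-10-02T08:19:02Z from=legal@example.org to=erin@example.com subject="Case update" attachment="Case_777102.zip"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["from"]} -> {hit["to"]}: '
              f'{hit["attachment"]} [{hit["indicator"]}]')
```

The regexes are anchored so that, for instance, an ATO_TAX_ name is not also reported as a TAX_ name, and a message with no attachment is skipped rather than matched against an empty string.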

04 Nov 2013   #2
Layback Bear

Windows 7 Pro. 64/SP-1

I thought they caught the people doing the Zbot a while back.