CERT mailing list archives

Previous By Date Next
Previous By Thread Next

TA15-098A: AAEH

From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 09 Apr 2015 08:14:34 -0500
NCCIC / US-CERT

National Cyber Awareness System:

TA15-098A: AAEH [ https://www.us-cert.gov/ncas/alerts/TA15-098A ] 04/09/2015 12:00 AM EDT 
Original release date: April 09, 2015

Systems Affected

  * Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8 
  * Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012 

Overview

AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including 
password stealers, rootkits, fake antivirus, and ransomware.

The United States Department of Homeland Security (DHS), in collaboration with Europol, the Federal Bureau of 
Investigation (FBI) and the Department of Justice (DOJ), released this Technical Alert to provide further information 
about the AAEH botnet, along with prevention and mitigation recommendations.

Description

AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also 
known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every 
infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every 
few hours and rapidly spreads across the network.  AAEH has been used to download other malware families, such as Zeus, 
Cryptolocker, ZeroAccess, and Cutwail.

Impact

A system infected with AAEH may be employed to distribute malicious software, harvest users' credentials for online 
services, including banking services, and extort money from users by encrypting key files and then demanding payment in 
order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections 
to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected 
machines.  

Solution

Users are recommended to take the following actions to remediate AAEH infections:


  * "Use and maintain anti-virus software" - Anti-virus software recognizes and protects your computer against most 
known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for 
more information [ http://www.us-cert.gov/ncas/tips/ST04-005 ]). 
  * "Change your passwords" - Your original passwords may have been compromised during the infection, so you should 
change them (see Choosing and Protecting Passwords for more information [ http://www.us-cert.gov/ncas/tips/ST04-002 ]). 
  * "Keep your operating system and application software up-to-date" - Install software patches so that attackers can't 
take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is 
available, you should enable it (see Understanding Patches for more information [ 
http://www.us-cert.gov/ncas/tips/ST04-006 ]). 
  * "Use anti-malware tools" - Using a legitimate program that identifies and removes malware can help eliminate an 
infection. 

Users can consider employing a remediation tool (examples below) that will help with the removal of AAEH from your 
system.

Note: AAEH blocks AV domain names thereby preventing infected users from being able to download remediation tools 
directly from an AV company. The links below will take you to the tools at the respective AV sites. In the event that 
the tools cannot be accessed or downloaded from the vendor site, the tools are accessible from Shadowserver 
(http://aaeh.shadowserver.org).

The below are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support 
any particular product or vendor.

References

  * F-Secure Online Scanner for Windows Vista, 7 and 8 [ http://www.f-secure.com/en/web/home_global/online-scanner ] 
  * F-Secure Removal Tools for Windows XP [ 
http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 ] 
  * McAfee Stinger for Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8 [ http://www.mcafee.com/stinger ] 
  * Microsoft Safety Scanner for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP [ 
http://www.microsoft.com/security/scanner/en-us/default.aspx ] 
  * Sophos Virus Removal for Windows XP SP2 and above [ http://www.sophos.com/VirusRemoval ] 
  * Trend Micro Threat Detector for Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003/2008, and 
2008 R2 [ http://www.trendmicro.com/threatdetector ] 

Revision History

  * April 9, 2015: Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]
Previous By Date Next
Previous By Thread Next

Current thread: