Over the last 48 hours we've seen a huge increase in ZIP'd malicious e-mail attachments being spammed. The subjects have been:
Your Tracking #xxxxxxxx (where xxxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08
The ZIP file typically contains a file that looks like a document (.DOC) but is really an EXE: the name ends in .EXE, with a long run of spaces between .DOC and .EXE so that the real extension is easy to miss in a file listing.
Some of these ZIP files are password-protected, which makes it more likely that they pass through an e-mail server's scanner, since the scanner cannot open the archive to look inside. The password is always given in the e-mail message so that the recipient can easily use it.
Using e-mail attachments has made a comeback in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.
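As an added example (this is not code from the original post), here is a Python check that turns the two observations above into a gateway-style scan of archive entry names: a final extension Windows will execute, a document extension padded with whitespace before the real one, and the encryption flag that tells you the content itself cannot be scanned. The archive and entry names are constructed for the demo; the extension lists are assumptions to be tuned per environment.

```python
import io
import os
import re
import zipfile

# Assumption: extensions Windows executes on double-click. Extend as needed.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# "<name>.<document ext><run of whitespace>.<executable ext>", case-insensitive.
# Two or more blanks catches the padding trick without flagging ordinary names.
DISGUISE_RE = re.compile(
    r"\.(?:doc|xls|ppt|pdf|txt|jpg)[ \t\u00a0]{2,}\.(?:exe|scr|pif|com|bat|cmd|vbs|js)$",
    re.IGNORECASE,
)


def suspicious_entries(zip_bytes):
    """Return [(entry name, [reasons])] for every entry worth quarantining.

    Only the central directory is read, so this works on password-protected
    archives too: entry names and flags are stored in the clear even when the
    file contents are encrypted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            # General-purpose bit 0 = entry is encrypted; a gateway cannot
            # scan the content, only the name.
            if info.flag_bits & 0x1:
                reasons.append("encrypted entry, content not scannable")
            # The last extension is what Windows uses to pick the handler.
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if DISGUISE_RE.search(name):
                reasons.append("document extension padded with whitespace before the real extension")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip(entries, encrypted_names=()):
    """Constructed test archive. zipfile cannot write encrypted archives, so
    for the demo the encryption bit is set on the central-directory record of
    the named entries; a name-only scanner reads exactly that record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
        for name in encrypted_names:
            zf.getinfo(name).flag_bits |= 0x1
    return buf.getvalue()


def scan_sample():
    # Constructed entries modelled on the observed attachments, not real samples.
    disguised = "Your Statement.DOC" + " " * 40 + ".exe"
    sample = build_sample_zip(
        [
            (disguised, b"MZ" + b"\0" * 62),
            ("tracking_info.txt", b"Tracking #12345678"),
        ],
        encrypted_names=[disguised],
    )
    return suspicious_entries(sample)


if __name__ == "__main__":
    for name, reasons in scan_sample():
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

The point of reading only the central directory is that the password trick described above does not help the attacker against this check: the disguised name and the encryption flag are visible without the password, and either one is reason enough to hold the message.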
As most of you likely know, Microsoft released an out-of-band update on October 23, 2008. Microsoft usually does this only when a vulnerability is wormable and exploits are already in the wild. MS08-067 is very similar to MS06-040, the netapi (Server service) vulnerability from 2006.
We've been working through the weekend, monitoring the situation around this vulnerability.
We did some timeline analysis on Trojan-Spy:W32/Gimmiv, which exploits the vulnerability. As far as we can see, the first versions of Gimmiv were compiled around the 19th of September, well over a month ago. We also compared the code of the variants; for the most part the differences come from the attackers changing parameters rather than introducing new features.
Analysis of the code inside the Gimmiv trojan clearly shows that whoever is behind it is an inexperienced coder. The code is riddled with bugs in places where the author clearly didn't read the API documentation closely enough.
Interestingly, Gimmiv also has a self-destruction date. In the earlier samples the date was set to October 5th 2008 23:59 local time, which has already passed, so those samples no longer run unless the computer's clock is set incorrectly. In the newest samples the self-destruction date is set to November 30th 2008 23:59 local time, which gives the latest round of Gimmiv a month to spread.
The weekend was really quiet. We received only a handful of Gimmiv variants and no other malware using the same vulnerability. However, last night a new proof-of-concept exploit was released that targets Chinese-language Windows systems. We are keeping a really close eye on the situation, since all it takes is a single working "universal" public exploit for things to go downhill pretty fast.
It doesn't happen very often, but when it does, it's for a good reason. Yesterday, Microsoft released an out-of-band patch for a new, critical vulnerability in Windows.
The patch, MS08-067, fixes a remote procedure call (RPC) flaw in the Server service that, if successfully exploited, lets an attacker execute arbitrary code remotely. All currently supported versions of Windows are affected.
This is exactly the type of vulnerability Blaster and Sasser used to infect millions of computers back in 2003 and 2004.
The reason for the out-of-band patch is that a trojan is already actively using the vulnerability to infect computers; we detect it as Trojan-Spy:W32/Gimmiv.A. This trojan steals confidential information from the infected computer and sends it back to the attacker.
The situation is not as dire as in earlier years, as Windows XP SP2 and newer have a firewall enabled by default. If you have file and printer sharing enabled, however, the firewall exception exposes the vulnerable service over SMB (TCP ports 139 and 445), and your computer could be affected.
We recommend that everyone apply the update as soon as possible.
One of our Web Security Analysts — Chu Kian — came across a relatively old threat this week.
It was during his day-to-day work that he encountered a piece of VBS malware, Virus.VBS.Confi.
It's nothing new; detection was added in 2005. But it still works, and it can still infect unpatched systems whose users browse websites carrying the malicious code.
Visiting an infected website with the malicious code will prompt for a Java virtual machine component installation, shown below:
On one of our test machines, after choosing to download, the sample displayed a script error. Luckily the Windows Script Debugger was set to prompt on any scripting error, so up came the actual decoded script of the malware.
Inspecting the decoded script shows that it tries to save the downloaded file as KERNEL.DLL or KERNEL32.DLL (detected as Virus.VBS.Confi), depending on where WSCRIPT.EXE is located. The path to this dropped file is also written to a startup registry key and into the shell open command for DLL files, so the script is spawned whenever a DLL file is opened. It can also infect files with the extensions HTM, HTML, ASP, PHP, and JSP.
Looking at the infected website and viewing the page source, we saw that the malware code is embedded directly in the site. Maybe the website owner is unaware of this, which is why it's still there. (We've now sent abuse messages regarding this.)
Having come across one site, we looked further using Google. You can easily discover more websites that contain the same malware code. Here are some sample search results:
So even though most of today's threats live and die within a few days, some old script malware is still out there, and it can still infect unwary travelers.
We received reports from our colleagues in Hong Kong yesterday about more malware being distributed on Facebook.
If you're a Facebook user, you may get a message such as this, supposedly from a "friend". Since the message was sent by a friend, the likelihood that you would click on the link is much higher. Upon clicking the link, you would be redirected to a hi5.com site that looks something like the one below.
Not surprisingly, the website will tell you that you need to update your Adobe Flash Player by downloading a file. Of course, no matter how many times you try, you don't get to see the video. You do get infected though.
When we investigated this yesterday, the links were down and obtaining a sample for analysis was not possible at that point in time. Thanks to Lordian, however, who tried again after being woken up by his neighbors late last night, we succeeded in obtaining a sample, which is detected as Net-Worm.Win32.Koobface.bp. Depending on the user agent, Net-Worm.Win32.Koobface.bm might also be served up.
Incidentally, if you are using any platform other than Windows, you just get redirected to the real YouTube.
It looks as if Facebook is increasingly becoming a popular target for all sorts of attacks. You can read through the numerous topics on this issue at the Facebook Public Discussion Board. Do note that some of the discussion topics include live links though, so be careful what you click.
Everyone gets malware-tainted spam nowadays. Here's one targeted at the Brazilian online banking crowd.
Clicking on the imagen2.jpg link opens a popup asking you to download "the image". That download is a file detected as Trojan-Downloader:W32/Banload.FUA. Executing it downloads and executes Trojan-Spy:W32/Agent.BSV and Trojan-Spy:W32/Banker.ITH. These trojan-spies harvest personal and banking information from the infected machine.
Trojan-Spy:W32/Agent.BSV gathers e-mail addresses, then uploads a text file containing the harvested data to the server ftp://ftp.golfacil.web.br.com/[...]/[...]/. As you can see in the code for the spam e-mail below, all the addresses in the text file are then targeted for more spam. Chances are, most of these e-mails won't reach native Portuguese speakers. Reading spam e-mail — great reason to learn a new language.
Incidentally, the server also has PHP files used for spamming. One is detected as HackTool:PHP/Spammer.A, and the other is detected as HackTool:PHP/Spammer.B.
Meanwhile, Trojan-Spy:W32/Banker.ITH gathers banking information and posts the data to a PHP script on the same server.
To hide all this activity, the attacker(s) put up this message on the home page.
Hmm. The page is "under construction", but there's a live URL leading to it in spam e-mails? Cute.
Hiding code with XOR is simple, cheap and ancient. Despite its age, it is still in use today.
Here's a good example: Trojan-Downloader:W32/Tibs.VX. It uses a very simple operation to hide its executable components inside six JPEG files. Since the JPEG files also contain valid pictures, they are easily dismissed. The trojan downloads the JPEG files, saves them temporarily on the system, extracts the executables and installs them.
If any of the files are opened with an image viewer, this image is displayed:
Perfectly innocent, right? But after applying the XOR operation, the executable becomes evident:
This is not a very common tactic, though we've seen it before in Rogue:W32/AntivirusXP2008 variants. Still, even tricks as simple as a single XOR instruction never really get old.
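The flip side of a single-byte XOR is that it is just as cheap to undo without knowing the key. As an added example (not code from the original post, and not derived from the Tibs sample), here is a Python routine that brute-forces all 256 keys over a file and stops at the first key under which the bytes decode to a plausible executable: an "MZ" header whose e_lfanew field points at a "PE\0\0" signature. The image-plus-payload blob it runs on is constructed inline; the key 0x5A is a made-up demo value.

```python
def xor_bytes(data, key):
    """XOR every byte with a single-byte key. translate() runs in C, which
    keeps 256 passes over a real image file fast enough to be practical."""
    table = bytes(i ^ key for i in range(256))
    return data.translate(table)


def find_xored_pe(blob, max_e_lfanew=0x1000):
    """Brute-force a single-byte XOR key. Returns (key, offset) of the first
    position where the decoded bytes form a plausible DOS/PE header pair:
    'MZ' at offset and 'PE\\0\\0' at offset + e_lfanew (little-endian dword
    at offset + 0x3c). Requiring both signatures keeps random 'MZ' pairs in
    picture data from producing false hits. Key 0 covers an unencoded
    appended executable."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        pos = decoded.find(b"MZ")
        while pos != -1:
            if pos + 0x40 <= len(decoded):
                e_lfanew = int.from_bytes(decoded[pos + 0x3C:pos + 0x40], "little")
                pe = pos + e_lfanew
                if 0x40 <= e_lfanew <= max_e_lfanew and decoded[pe:pe + 4] == b"PE\0\0":
                    return key, pos
            pos = decoded.find(b"MZ", pos + 1)
    return None


def carve_pe(blob, key, offset):
    """Decode from the recovered header onward; the tail is the payload."""
    return xor_bytes(blob[offset:], key)


# --- constructed demo data, not bytes from any real sample -----------------
DEMO_KEY = 0x5A  # assumption: arbitrary key chosen for the demo


def build_fake_pe():
    """Header-only stand-in for an executable: an MZ stub whose e_lfanew
    points at a PE signature. Not runnable, just enough for the heuristic."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + b"fake section data"


def build_sample_image():
    """A JFIF-looking prefix followed by the XOR-encoded fake executable,
    mirroring the valid-picture-plus-hidden-payload layout described above."""
    picture = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4 + b"\xff\xd9"
    return picture + xor_bytes(build_fake_pe(), DEMO_KEY)


if __name__ == "__main__":
    blob = build_sample_image()
    hit = find_xored_pe(blob)
    if hit:
        key, off = hit
        pe = carve_pe(blob, key, off)
        print(f"key=0x{key:02x} offset={off} header={pe[:2]} pe_sig={pe[0x40:0x44]}")
```

Against a real image the same call works unchanged: JPEG decoders stop at the end-of-image marker, so anything after it is never displayed, and a picture that opens cleanly but returns a key from this routine is worth a closer look. A multi-byte key defeats this exact loop, but the same idea extends to it by searching for the known header bytes at every alignment.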
When phishing was young, many phishers registered lookalike domains, along the lines of bankofamerika.com, login-chase.com, and paypal-account-verification.com.
Eventually most phishing gangs moved on to random domains registered in far-away countries and simply prepended the legitimate domain as subdomain labels, producing host names along the lines of www.bankofamerica.com.444hzjr4zp2b8oacgd.org.ve, www.chase.com.host8.asia, and www.paypal.com.dll-s.eu.
But every now and then we run into new fraud sites that are using the old school tricks. Like today, when somebody spammed around e-mails such as these:
The link takes you to sbooff.com, which desperately tries to mimic sboff.com, the official home page of Standard Bank Offshore:
Do note that this isn't technically a phishing site, as it doesn't try to trick you into entering your details into a fake site. It just tries to convince you to install an "Upgrade Certificate". Which is a program. Which is actually the Trojan-Downloader.Win32.Agent.aiqo banking trojan.
The site has been reported and should be offline soon.
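Both generations of trick described above, the lookalike registration (bankofamerika.com, login-chase.com, sbooff.com) and the brand-domain-as-subdomain host names (www.chase.com.host8.asia), can be caught from the host name alone. As an added example, not from the original post, here is a Python classifier that splits a host into its registrable domain and subdomain labels, then flags a brand domain embedded before the real registrable domain, a registered name within a couple of edits of a brand, or a registered name that merely contains the brand token. The brand list and the short table of two-level public suffixes are assumptions for the demo; a real deployment would use its own protected-domain list and the Public Suffix List.

```python
# Assumption: a small brand watch list, ordered so results are deterministic.
BRANDS = ("bankofamerica.com", "chase.com", "paypal.com", "sboff.com")

# Assumption: a few two-level public suffixes so the registrable domain is
# split correctly (org.ve is not a registrant's domain). Use the Public
# Suffix List in production.
TWO_LEVEL_SUFFIXES = {"org.ve", "com.ve", "co.uk", "com.au", "com.br"}


def registrable_domain(host):
    """The part of the host the attacker actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance: catches bankofamerika vs bankofamerica, sbooff vs sboff."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, max_distance=2):
    """Return the reasons a host looks like brand abuse; an empty list means
    the registrable domain is itself one of the protected brands."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return []
    reg_sld = reg.split(".")[0]
    reasons = []
    for brand in BRANDS:
        brand_labels = brand.split(".")
        n = len(brand_labels)
        # New-school trick: the whole brand domain appears as labels somewhere
        # before the real registrable domain (www.chase.com.host8.asia).
        for i in range(len(labels) - n):
            if labels[i:i + n] == brand_labels:
                reasons.append(f"{brand} embedded as a subdomain of {reg}")
                break
        brand_sld = brand_labels[0]
        if reg_sld == brand_sld:
            continue
        # Old-school trick, variant 1: a near-miss spelling (bankofamerika.com).
        if levenshtein(reg_sld, brand_sld) <= max_distance:
            reasons.append(f"{reg} is within {max_distance} edits of {brand}")
        # Old-school trick, variant 2: brand token padded with extra words
        # (login-chase.com, paypal-account-verification.com).
        elif brand_sld in reg_sld:
            reasons.append(f"{reg} contains the brand token '{brand_sld}'")
    return reasons


if __name__ == "__main__":
    for h in ("www.sboff.com", "sbooff.com", "bankofamerika.com", "login-chase.com",
              "www.bankofamerica.com.444hzjr4zp2b8oacgd.org.ve", "www.chase.com.host8.asia"):
        print(f"{h:50} {classify_host(h) or ['ok']}")
```

The public-suffix step is the one that matters most in practice: without it, www.bankofamerica.com.444hzjr4zp2b8oacgd.org.ve would be treated as a host under "org.ve" and the brand labels would be misread as part of the registered name.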
The antivirus industry's most important annual conference — Virus Bulletin — is in full swing.
It seems incredible but this is my 15th VB — and I have the card to prove it!
Pretty much everybody is here — as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night — be sure to check it out.
This year, our Kimmo Kasslin delivered a presentation on the opening day of the conference.
The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".
The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Our fellow, Kimmo, worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.
Details of Mebroot functionality uncovered in the presentation included:
Mebroot is the most advanced and stealthiest malware seen so far
It operates at the lowest level of the Windows operating system
Mebroot writes its startup code to the first physical sector on the hard drive
When an infected machine is started, Mebroot loads first and survives through the Windows boot
Mebroot hides all changes made to the infected system
It heavily uses undocumented features of Windows
It creates a complex network communication system involving pseudorandom domain names
Large parts of the code are highly obfuscated
Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
All botnet communication is encrypted with an advanced encryption mechanism
The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines
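Two of the points above, that Mebroot writes its startup code to the first physical sector and that it hides every change it makes, dictate how that sector has to be checked: offline, against a baseline recorded before infection. As an added example (not code from the presentation or from F-Secure or Symantec), here is a Python parser for a raw 512-byte MBR that hashes the bootstrap code region, decodes the partition table, and compares the code hash against a stored baseline. The two sample sectors are constructed inline; the "clean" and "hooked" loader bytes are stand-ins, not bytes from Mebroot.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code; the disk signature and table follow it
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector):
    """Split a raw first sector into a bootstrap-code hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:   # type 0 = unused entry
            partitions.append({"bootable": bool(status & 0x80), "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions}


def bootstrap_matches_baseline(sector, baseline_sha256):
    """True when the loader code is byte-identical to the recorded baseline.
    A bootkit replaces this region but leaves the partition table intact so
    the OS still boots, so a sane-looking table proves nothing by itself."""
    return parse_mbr(sector)["bootstrap_sha256"] == baseline_sha256


# --- constructed sectors for the demo; not bytes from Mebroot ---------------
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # stand-in loader
HOOKED_BOOTSTRAP = b"\xea\x00\x7c\x00\x00" + b"\x90" * 24              # stand-in replacement


def build_sample_mbr(bootstrap):
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    # One bootable NTFS (0x07) partition at LBA 63, 2 GiB long. The CHS
    # fields are placeholders; modern loaders use the LBA values.
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 4194304)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTSTRAP)
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    suspect = build_sample_mbr(HOOKED_BOOTSTRAP)
    print("partition table unchanged:",
          parse_mbr(suspect)["partitions"] == parse_mbr(clean)["partitions"])
    print("bootstrap matches baseline:", bootstrap_matches_baseline(suspect, baseline))
```

The sector has to come from a read the infected kernel cannot intercept, for instance the disk imaged from boot media; a read issued through the running Windows instance returns whatever Mebroot chooses to show. Record the baseline hash when the machine is built, and treat a changed bootstrap hash with an unchanged partition table as the signature of exactly this class of infection.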
The authors of Mebroot remain unknown at this time. However, it's obvious they are well organized and well funded.
To download the slide set prepared by Kimmo and Elia, click on the image below.
Signing off, Mikko
P.S. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on the Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.
On sites that refer to Pandora Software, you'll also find many cross-references to Innovagest2000. The innovagest2000.com website lists their contact address as Madrid, Spain.
Innovagest2000 claims to provide simply the best entertainment online. And just what kind of entertainment do they provide?
Entertainment such as SystemDefender, yet another rogue. More scareware.
Oh no, 324 threats! Is it the animation that's supposed to be fun… ?
It isn't that much fun if you click on the Free Scan Now button.
Do that and you'll get a file that we detect as Trojan-Downloader.Win32.Adload.ma.
Trojan-downloaders are kind of a killjoy when it comes to entertainment.
SysCleaner's website is also one of Innovagest2000's efforts from the looks of it.
Huh. SysCleaner also detects 324 things to fix, just like SystemDefender does. Guess that's part of the entertainment.
Another selection of text from these sites yields many search results that are definitely not safe for work, i.e. pornography. Really obscene stuff. Morally upright citizens of the world, these guys — not.
The company that provides this so called entertainment is urbangestdesarrollos.com. The Urbangestdesarrollos site, which also claims a contact address of Madrid, Spain, is a carbon copy of Innovagest2000. Both Urban and Innova state that credit card statements may show New Concept Business SL.
New Concept Business S.L. claims to be from Barcelona, Spain. Hmm, Spain again. Whois records list the location as Barcelona but the contact person is located in Amsterdam, ES and has a phone number starting with +1.800.
ES as in Spain? Amsterdam, Spain? With a US toll-free phone number? Right, that's probably accurate, you think?
And just who is the target of the Washington Attorney General's lawsuit? Texas-based Branch Software and its owner James Reed McCreary. RegistryCleanerXP is the name of his scareware application. The Whois information for registrycleanerxp.com, which is still online by the way, actually seems to have legitimate contact details.
Why isn't McCreary more anonymous? Probably because he isn't the worst of the scareware operators out there. Yes, he's guilty of deceptive and misleading advertising, and we're happy to see something being attempted, but there's much worse out there.
The lawsuit against McCreary could very likely devolve into a First Amendment speech case attempting to define deceptive practices, and then eventually he'll walk. Just like spam king Jeremy Jaynes, who had his spam conviction overturned a few weeks ago. Jaynes was incredibly guilty, and yet the Virginia law just wasn't good enough. Too broad.
We can always hope that Washington has better laws, and a judge that understands all of the technical details, but we aren't holding our breath while waiting for the results.
What about the worst of the purveyors? The ones behind stuff such as Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender?
In a separate action, Microsoft filed five "John Doe" lawsuits to learn the identities of individuals responsible for marketing other scareware products.
Oh, John Doe lawsuits. That will take care of the problem, no? Once we learn the identities of the individuals, we'll just have to track them down in Dortmund/Madrid/Barcelona/Victoria/Amsterdam in Germany/Spain/Seychelles… and that's just the supposed locations for the John Does involved with the WinDefender chain of apps.
The Antivirus 2009 gang… is located in an entirely different set of European countries.
We applaud the effort, but we think it's going to take a lot more than the Attorney General of Washington to fix this problem. The Internet has no borders. Perhaps the effort would be better spent to create an international agency with the enforcement power to shut down rogue sites, many of which are hosted in the US?
Here are some final screenshots for you. Do you see the tiny red asterisk above the "y" in the word "Utility"?
That's a disclaimer.
Is the text too small for you to read?
It says Typical system scan that shows how the real WinDefender product will be scanning your computer. Advertising purposes only.