Sophos

Fake Facebook e-mail “Subject: updated account agreement”

It has been a busy week so far for the writers of e-mail exploits, and this Friday morning they continue to try to trick the public into installing their malware. The latest threat to fall into the Sophos spam traps purports to come from Facebook and asks the user to update their account agreement by unzipping and executing an attached file called agreement.exe.

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Of course, we all know that it is pure folly to unzip and run an unknown executable attached to an e-mail; however, the implied threat of finding their access to Facebook restricted by ‘the deadline’, whenever that may be, is obviously severe enough to panic a number of Facebook users into falling for this trick.

They really should think twice: by agreeing to run agreement.exe they will install a Trojan.

Sophos detects this threat as Troj/Dloadr-CWS.
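A mail gateway does not have to rely on the user thinking twice. The following is an added example (not code from SophosLabs or from this post) that builds a constructed zip attachment in memory, mimicking the agreement.exe lure above, and inspects every member both by file extension and by the ‘MZ’ magic bytes of a Windows executable, so a renamed executable is caught as well. The extension list and the sample file contents are assumptions made for the example.

```python
"""Inspect a zipped e-mail attachment for executables before a user can run it.

Added example (not from the Sophos post): builds a constructed sample zip in
memory that mimics the "agreement.exe" attachment described above, then checks
each member by file extension and by the 'MZ' magic bytes of a Windows PE file.
"""
import io
import zipfile

# Extensions Windows will execute directly when double-clicked (assumption: a
# practical short list, not an exhaustive one).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a fake 'agreement.exe' and a benign text file.

    The .exe body is only an 'MZ' header padded with zeros; it is not a real program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agreement.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", "Please run the attached agreement.")
        # A member whose name hides its real type: text extension, but PE contents.
        zf.writestr("agreement.txt", PE_MAGIC + b"\x90\x00" * 16)
    return buf.getvalue()


def find_executables_in_zip(data: bytes) -> list:
    """Return one finding per zip member that looks executable.

    Each finding records why it was flagged: a risky extension, a PE magic
    header, or both. Only the first two bytes of each member are read, so a
    large archive is not fully decompressed just to classify it.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name_lower = info.filename.lower()
            ext = "." + name_lower.rsplit(".", 1)[-1] if "." in name_lower else ""
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            if head == PE_MAGIC:
                reasons.append("PE magic header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def attachment_should_be_blocked(data: bytes) -> bool:
    """Policy decision: block the mail if any member is executable by either test."""
    return bool(find_executables_in_zip(data))


if __name__ == "__main__":
    sample = build_sample_zip()
    for f in find_executables_in_zip(sample):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
    print("block:", attachment_should_be_blocked(sample))
```

Checking the magic bytes as well as the extension is what catches the third member: a file named agreement.txt that still starts with ‘MZ’ would be flagged even though its name looks harmless.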


How a phish works

Recently we received a PayPal phishing email; it looks like this (screenshot in the original post).

It is not hard to spot that this email is a phish: clicking on the link does not take us to PayPal.com but to some remote site (which is already blocked by Sophos’s web appliance).

The web page loaded from this site disguises itself as PayPal.com (screenshot in the original post).

However, this web page is just an image of the real PayPal.com web page. None of the tabs and links on this fake page can be selected; only the email address and password text fields can be used. This is another obvious sign that the web site is fake. By logging in with a fake email address and password we were led to the following page.

By clicking on the link we were directed to another web page as shown below.

How can we tell that this web page is fake? It is quite simple: this page has the following URL (shown in the original post’s screenshot).

We provided some fake account and address information; the site then redirected us to a page asking us to supply our banking details.

We then decided to supply more fake banking information to the web page and see where it would lead us. As a result we were led to the following page.

Finally, the site refreshes and redirects us to the genuine PayPal.com web page.
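The first tell in this walkthrough, a link that claims to go to PayPal.com but lands on some remote site, is something a mail filter can check before anyone clicks. The following is an added example, not code from SophosLabs or from the post: it parses the anchors in a constructed HTML message modelled on the phish above, resolves the host of each href, and flags links whose visible text names the brand or displays a URL on a different host. The trusted-domain set, the sample message and its hosts are assumptions made for the example.

```python
"""Flag links in an HTML e-mail whose destination does not match what they claim.

Added example (not from the Sophos post): the constructed e-mail below imitates
the PayPal phish described above, a message whose link text says paypal.com but
whose href points at an unrelated host. The check parses the anchors, resolves
the host of each href and compares it against the brand's real domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's legitimate domains (here only paypal.com and subdomains).
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed sample message, not a real phish; hosts are documentation addresses.
SAMPLE_EMAIL = """
<html><body>
<p>Dear PayPal member, your account has been limited.</p>
<p>Please <a href="http://203.0.113.45/~upd/paypal/login.php">https://www.paypal.com/cgi-bin/webscr</a>
to restore access.</p>
<p>Or visit <a href="http://www.paypal.com-secure.example/login">paypal.com</a> directly.</p>
<p>Help: <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
<p>Unsubscribe: <a href="https://example.net/unsub">here</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host: str) -> bool:
    # Exact match or a true subdomain; "paypal.com-secure.example" does not qualify.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html: str) -> list:
    """Return anchors that claim a trusted brand but resolve elsewhere.

    Two signals are checked, mirroring what a user can verify by hovering over
    a link: (1) the visible text is itself a URL whose host differs from the
    href host; (2) the visible text names the brand's domain while the href
    host is not one of the brand's domains.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        text_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append({"text": text, "href": href,
                             "reason": "displayed URL differs from real destination"})
        elif any(d in text.lower() for d in TRUSTED_DOMAINS) and not _is_trusted(href_host):
            findings.append({"text": text, "href": href,
                             "reason": "brand named but host is untrusted"})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"{f['reason']}: '{f['text']}' -> {f['href']}")
```

The suffix test in `_is_trusted` matters: a host such as www.paypal.com-secure.example contains the brand name but is not a subdomain of paypal.com, and the check treats it as untrusted.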


Is it art? Controversy over OSX/LoseGame-A

Last week, SophosLabs released detection for OSX/LoseGame-A and, following Symantec’s publication of their detection (which they call OSX.Loosemaque), there has been some controversy about whether this is a game or malware (see 1, 2, 3).

From my point of view this is malware. Why?

  1. The warning screen isn’t multi-lingual; if English isn’t your first language, you will still recognize ‘PRESS ANY KEY TO CONTINUE’.
  2. Even if English is your first language, a child looking for games on the computer will not read the warning but press through to the game.

  Lose Lose warning screen (screenshot in the original post)

  3. Would our corporate customers want this on their networks?

The concept behind OSX/LoseGame-A is ill-conceived, and it is likely to have malicious consequences not considered by the author.


You have won a lottery!!!

Malware coming in the form of attachments is not unusual these days.

However, malware can also be found in links provided within e-mails:

Judging by its name, “You have won!.pdf”, the file suggests to recipients that they have won some kind of lottery. However, the URLs lead to a malicious file, which seems to have since been taken down (access to it is already blocked by Sophos’s web appliance).

So, please beware of such malicious links and their fake claims that you have won some money ;-).

If you are curious about what you did win, you can always click on the link and win yourself a piece of malware ;-).


From Server/Outlook update to FDIC to facebook phish: now with a twist

In the past few weeks, the authors behind Zbot have been busy. Around October 12 we saw the server upgrade spam with links. Later, on the 14th, we saw the same campaign with the malware attached to similar-looking server upgrade notices. By the 22nd of October, the spam messages touted Outlook updates.

For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, notice of bank failures would certainly draw a lot of attention and irrational behavior. After all, thoughts of hard-earned money being gone forever are going to scare a lot of people. Of course, downloading the “personal FDIC insurance file” would give nothing but grief. The bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:

The message asks the user to update their facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they are shown a fake Facebook login page:

Victims who enter their facebook login get their account details phished, probably for the purpose of spreading more malware. Since this is not a real facebook page, any random login info brings you to this next page:

It is on this page that the malware author provides an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as Mal/EncPk-LE.

With the creative social engineering that the Zbot authors have been using, users should be really careful when reading messages, whether in an email or from a social network. Avoiding clicking links directly, manually typing the address to access the site, and not executing downloaded files would do a lot to protect one’s computer.


Mal/Iframe-N: Another winning infection?

Back in May, we posted some stats on the prevalence of Troj/JSRedir-R. Last week, I asked whether Mal/Iframe-N was the next big threat. Looking through our stats on malware hosted on websites this morning, I saw that Mal/Iframe-N was fifth in the overall stats for October.

Looking at the latter part of the month, from the 21st (when the detection was published) onwards:

Mal/Iframe-N is clearly first, and if the results are extrapolated for the whole month Mal/Iframe-N should easily have beaten Mal/Iframe-F into second place!

Late last week, I downloaded:

  • 2819 infected URIs infected with Mal/Iframe-N
  • hosted on 2294 different domains
  • with 163 different TLDs including:

.edu.in
.edu.tr
.edu.tw
.edu.ua
.ej.am
.eng.br
.es
.eu
.fi
.fr
.fr.cr
.ge
.go.th
.gov.br
.gov.pk
.gov.tr
.gr

I have had a few correspondences with other security researchers regarding this threat (see iframes are EVIL! Hate Zeus!), particularly with Unmask Parasites, who has gone into more detail on this type of threat (see 1, 2) and who, like me, originally thought that the ‘onload’ attribute wasn’t legal in an iframe. Two things changed my mind:

  1. Visiting an infected site on a goat machine.
  2. The number of infected sites (>40,000).

In some ways the second fact is more persuasive, as malware authors don’t tend to do things for no reason.
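Since ‘onload’ is a valid event-handler attribute on an iframe, a scanner for this kind of injection cannot treat it as a parse error; it has to look for the combination of traits. The following is an added example, not code from SophosLabs or from the post: it walks every iframe in a constructed sample page and scores it on an onload handler, near-zero dimensions, hidden styling, and a src on a host other than the page’s own, reporting frames that show two or more of these. The sample page, its hosts and the threshold are assumptions made for the example; the onload value is a placeholder comment, not the injected script.

```python
"""Scan HTML for injected iframes of the kind described above.

Added example, not code from SophosLabs or the post: a small scanner that
walks every <iframe> in a page and scores it on traits associated with
injected frames: an 'onload' handler (valid HTML on an iframe, the point the
author conceded), near-zero dimensions, hidden styling, and a src on a host
other than the page's own. The page and iframe below are constructed samples;
the hosts are documentation addresses, not real sites.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: a legitimate page with two benign embeds and one injected frame.
SAMPLE_PAGE_HOST = "www.example-school.edu"
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-school.edu/calendar" width="600" height="400"></iframe>
<iframe src="http://203.0.113.77/injected.html" width="1" height="1"
        style="visibility:hidden" onload="/* constructed placeholder */"></iframe>
<iframe src="https://player.example.net/v/123" width="480" height="270"></iframe>
</body></html>
"""


class _IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Attribute names lower-cased; a duplicated attribute keeps its first value.
            a = {}
            for k, v in attrs:
                a.setdefault(k.lower(), v or "")
            self.frames.append(a)


def _dimension(value: str) -> Optional[float]:
    """Parse '1', '1px' or '100%' into a number; None when unparsable or absent."""
    v = value.strip().lower().rstrip("px%")
    try:
        return float(v)
    except ValueError:
        return None


def score_iframe(attrs: dict, page_host: str) -> list:
    """Return the list of suspicious traits found on one iframe (empty = clean)."""
    reasons = []
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    if w is not None and h is not None and w <= 2 and h <= 2:
        reasons.append("tiny dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    if "onload" in attrs:
        reasons.append("onload handler")
    src_host = (urlparse(attrs.get("src", "")).hostname or "").lower()
    if src_host and src_host != page_host.lower():
        reasons.append("third-party src")
    return reasons


def find_injected_iframes(html: str, page_host: str, min_reasons: int = 2) -> list:
    """Flag iframes that show at least `min_reasons` suspicious traits.

    Requiring two traits keeps an ordinary third-party video embed from being
    reported on its own, while a 1x1 hidden frame pointing off-site is caught.
    """
    parser = _IframeCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.frames:
        reasons = score_iframe(attrs, page_host)
        if len(reasons) >= min_reasons:
            flagged.append({"src": attrs.get("src", ""), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_HTML, SAMPLE_PAGE_HOST):
        print(f"{f['src']}: {', '.join(f['reasons'])}")
```

Run against the sample, only the 1x1 hidden off-site frame is reported; the site’s own calendar frame and the off-site video embed each show at most one trait and stay below the threshold.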


There’s Malware on Elm Street this Halloween … with pumpkins!

It appears that this Halloween the malware writers’ preferred infection vector is using SEO (Search Engine Optimization) techniques to poison popular search terms.

We at SophosLabs have seen relatively few email campaigns that exploit Halloween this year, but there have been plenty of campaigns pushing malware-loaded URLs into festive search terms.

We have various Fake AV families featuring highly, which lead to the familiar Fake AV pages (screenshots in the original post).

There are also families that pose as fake media codecs exploiting Halloween to push their wares:

As users wise up to the dangers of email attachments we are seeing SEO poisoning becoming a more and more popular attack vector.

Sophos detects this year’s nightmares variously as Mal/FakeAvJs-A, Mal/Krap-A and Mal/EncPk-LH.


Look and feel great! Try this pill (Or how to make your wallet lighter?)

Another Twitter direct message (DM) scam was happening today, but apparently this time the hook was to prey on users’ vanity. Several messages were seen with the following text:

“I lost 25lbs using this
“whoa this works. i feel good and look good

“lol it’s amazing. look and feel great with

When a user clicked on the link, it redirected them to this site:

Cleanse your colon for free

All you had to do to get your “free” bottle was fill out your name, address, phone number and email. However, once you submitted that, you were taken to a screen asking for your billing information and credit card details. Why do you need to input credit card details for something that’s free? With all that information, the cybercrooks have more than enough to commit identity theft and fraud on your card. They have your name, address and card info, and you’ve even confirmed that the address you gave is the billing address too.

At the risk of sounding preachy, these pills never work. The only thing that gets “slimmer” is your wallet.


Are you old enough to watch this?

I was watching some of the activity on Twitter today and noticed some really odd tweets. There was only one every couple of hours, and while the text “Haha, look at this vid” didn’t change, the link did. It seemed worth checking out.

I followed the link and it went to a fake YouTube page with the following text.

“This video or group may contain content that is inappropriate for some users, as flagged by YouTube’s user community. To view this video or group, please verify you are 18 or older with your cell phone”

Huh?

How does that prove anything to do with your age? I know parents who have given their young children cell phones. I’m guessing this is a great scam to get legitimate phone numbers for those “market affiliates” that call to try to sell you “long term auto insurance” and other such scams.

Definitely more tricks than treats today on Twitter.


No, it’s not you on there

Twitter users should be especially careful this morning, as there’s a new Twitter phish campaign going on. The message being seen uses a known tactic: it tries to trick users into believing there’s some content on the internet about them, whether a photo or a video, and tricks them into browsing to the link to find out what it is. Similar tactics have been seen in messages on Facebook and even via email. The message simply states the following.

“hi. this you on here? http://blogger.djh****.com”

The good news is if you do a search on Twitter, you’ll have a hard time finding an example of the original message since there’s an overwhelming number of people tweeting to their friends warning them about this campaign. Slowly but surely, people are learning to be more cautious.
