SophosLabs blog

Starting early this morning, we have seen a major uptick in the use of Twitter links inside spam messages. Here are a few different variants of them. Most of the spam refers to online med sites although a few campaigns tout making lots of money:

Following the links will lead a user to arrive at “making-money-with-Google” or Online Pharmacy sites:

The Twitter accounts themselves appear to be legitimate and do not look to be bot-registered. They contain normal-looking tweets in the previous days and months. We’re still looking into how the accounts are compromised. Certain malware such as koobface would steal Twitter credentials. There is also the possibility of the accounts credentials being compromised through phishing.

As for regular users, it’s important now more than ever to scrutinize the links you receive through Twitter. Today these links point to spam sites. Tomorrow these links could be pointing to malware.

Malware authors and software-protectionists alike go to great lengths to obfuscate and contort their code in an attempt to hide or obscure its true nature [1,2]. The assumption being that it is difficult for human or machine to make sense of the code, extending analysis time and giving the bad guys a free run.

For the most part, such obfuscations (in particular JavaScript) are relatively easy to unravel because they are static transformations [3]. The more complex encrypted forms require some form of script emulator (or your browser of choice) and a skillfully inserted alert() instead of eval(), however a new form akin to the one-time-pad concept is now being deployed.

Script obfuscated and encrypted with contextual data

Such [quasi] one-time encryptors function by generating and encrypting the content on-demand while at the same time choosing a key which is a function of the download environment, such as the referer or the last modified time. When the script is rendered it has all the necessary information to correctly decode. However when that script is submitted by the customer for analysis, the environment has long been destroyed making the script nearly impossible to decode.

Thus examining the script on Friday 13th (13/11/2009) at 11:08:23 yields (poorly) decrypted content which does not render.

Script decoded with wrong key

yet behold, on (every) 47th second of the 7th day of each month the script correctly decodes revealing its secrets - here, deciding whether to serve a (quite likely malicious) PDF, or Flash element.

Correctly decoded given context

Static offline analysis of such scripts is easily thwarted, however any scanning engine which has access to the HTTP data stream should be able to cope since it has all the relevant contextual data required at the time of rendering.

Brute-forcing aside, the only real way to tackle this problem is to use “Just in time” detection (otherwise known as on-access), failing that, NoScript remains your best protection.

I was checking my personal Twitter feed today and saw friends posting how long they’ve been tweeting along with a link. The tweet looked something like this:

“Tweeting for # years, # months, # weeks, # day, # hours, # minutes # seconds (MM DD, YYYY) How about you? <link>

Being curious, I decided to investigate the link.

The first thing it does is ask for your screen name and shows a bunch of ads of “How to get more Twitter followers”. Ok, not the best ads, but moving on. You enter the screen name, then hit go. It looks up the name and gives an accurate date, but then it offers to tweet it for you. So you enter in your username and password. Wait a minute. That would be handing over your password to an unknown entity.

I did some initial investigation of the url. It’s only been around two months and is hosted with a fairly dodgy source, a proxy hosting service. This is a private hosting so you can’t see any info on the person/business who actually own the site. Hmmm. Usually, legit sites don’t mind having that info available. I also notice it doesn’t use the OAuth verification that many Twitter sites use to mean they are trying to be legit. Again, seems suspicious.

But how many people have willingly sacrificed their passwords by using such seemingly benign tools or links or applications? They seem totally harmless, don’t they? Like I posted in my previous blog post here there’s great value to malware authors to get that info. Now I’m not necessarily condemning this particular tool, this one may be totally innocent, but I feel compelled to warn people to not just blithely hand over their passwords. PLEASE think about what you are doing, even if it seems like it’s harmless fun.

This month’s “Patch Tuesday” includes 6 security updates - of which Microsoft has rated 3 as Critical (all remote code execution vulnerabilities) and 3 Important (two remote code execution vulnerabilities and one denial of service).

Mention-worthy updates this month include MS09-065 and MS09-068.

MS09-065 addresses several kernel vulnerabilities. The vulnerability of particular concern is related to specially crafted Embedded OpenType fonts, and could be exploited to run unauthorized code in the system context.

Most remote code execution vulnerabilities we see typically run in the user context at the same privilege level as the currently authenticated user. Now, if you’re the user this means that all your files are at risk, but the system itself is reasonably safe (unless your administrator hasn’t been adhering to best practices, and has granted you administrative privileges … in which case you’ve pretty much granted the attacker’s code access to the entire box). With this kernel-mode driver remote code execution vulnerability, the current user’s privilege level is irrelevant. It doesn’t matter how unprivileged the current user is - the unauthorized code has unfettered access to the local system. Assuming, that is, the attacker doesn’t destabilize the system and BSOD before their code runs. Kernel vulnerabilities have a habit of not just bringing down processes, but bringing down entire boxes.

MS09-068 is mention-worthy, as it addresses issues in Microsoft Word, for both the Windows AND Apple platforms. Windows users that have automatic updates configured will automatically have protection provided to them - but Apple users will have to rely on the Microsoft Office Update Utility “Microsoft AutoUpdate” or go to here, here or here, to download the relevant update.

You can find the rest of our analysis here.

And, as always, if you’ve found our vulnerability posts to be valuable, or have some suggestions for how we can better serve you, please let us know at sophosblog@sophos.com

I saw in the news today about Facebook groups being hijacked through a design flaw. When a group is created on Facebook, you have the option of it being an open group (anyone can join) or a closed group (invite only). Then there is an owner and an administrator of the group. Usually they are the same person, but you can delegate. If the owner/admin no longer wishes to be a part of the group, they can leave, but that means the group no longer has an owner. Anyone can then take ownership of the group to keep it going.

I am not going to debate whether this is a good or bad policy on the part of Facebook. What I want to talk about is the blatant hacking of the group “Control your info”. While I understand their desire to “help” hacking and defacing groups on Facebook is hardly the way to go about it.

Once they joined a group and took it over, they would post the following message there:

“This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly.

For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear - we won’t. We just renamed it Control Your Info. Because this is really all we want:

Think about the safety in your social media life to the same extent you do in your real life.

Watch the videoclip for more information or check out for more tips soon!

We promise to restore your group name and leave the group by the end of next week. Don’t worry - we won’t mess anything up.

Best regards”

What they are doing really is no different to a hacker gaining control of a group and defacing it. Two wrongs do not make it right. While this group may think they are “helping” they are in fact making themselves look just as bad as a black hat. Think about the hacker that “Rickrolled” a bunch of iPhones that Graham posted about. Does it really make it right to hack into computers, phones, and websites to “try to raise security issues”? Not in our books.

I’ve been watching the latest phishing attack happening on Twitter for the last week or so. It seems to be one major campaign that keeps changing the DM (direct message) text every couple of hours. It’s been messages like

“woah… you’re on this ”
“LOL..Nice look ”
“This thing has your pic ”

The links got to videos.twitter. and videos.blog.. Sophos customers using the WS1000 are safe as we’ve been blocking the domain. Interestingly, we’re now seeing new URL shorteners being used, such as wapurl.co.uk and others. Seems the malware authors are tired of bit.ly and 3.ly blocking their stuff or perhaps because third party applications such as TweetDeck won’t preview those, but will happily open them.

I had someone ask the question “Why phish for Twitter credentials?” We saw this type of attack on Facebook. Lots of phishing messages, links, and posts were posted to capture credentials. Then later on we saw the malware attachments spammed out to the email addresses associated with the compromised accounts and when the malware was run, it became part of a botnet to send yet more spam. Taking this history, we are wondering if this will take a similar turn and start sending out malicious emails purporting to be from Twitter saying “Update your account/password” or “Updated Terms of Service, please open.”

Another reason for the phishing attacks would be to expand the “attack surface”. More and more people are tweeting from their iPhones, Androids, Blackberries, Palms and other smart phones. This means a whole new vector to be exploited, since again, most third party Twitter apps do not preview the shortened URL.

We have to say it again, PLEASE be careful out there. Just because a message came from a friend/follower doesn’t mean it’s completely trustworthy. Check the link with an expander service such as LongURL, use NoScript and URL expander plugins and keep your security software and OS up to date. Otherwise, your machine is likely to be “dinner”

For those of you who aren’t mixed martial arts fans, this past Saturday night was the Strikeforce television event where one of the worlds greatest fighters Fedor Emelianenko fought Brett Rogers, and what a fight it was. It was a fairly significant fight since Fedor is generally not seen fighting in North America and his exposure is fairly limited, but it aired on regular cable TV on CBS so you can be sure plenty of people saw it. As the fights were being televised at one point the gym that each fighter trained at was shown on the screen and I didn’t give it a second thought until this afternoon.

While doing my daily rounds of digging through newly infected pages I spotted something in a link that looked familiar, Red Devil Sports Club, the gym Fedor trains at. The infected page was being hosted on a website used to help promote MMA gyms, and sure enough when you Google the terms “Red Devil Sports Club” the website in question appears on the first page of results. Following the link led to a page that had been compromised with the latest Gumblar variation which Fraser blogged about yesterday.

It seems recent celebrity deaths aren’t the only thing hackers abuse to find new victims. Granted, the method of delivery is a little more obscure since not everyone is going to go and Google the name of the gym Fedor trains at that they heard while watching TV, but it’s just one of many methods this kind of malware uses to spread.

Readers may have noticed some of the recent rumours about new Gumblar-related activity (see for example here or here). The original Gumblar attack (May 2009) involved the mass-defacement of huge numbers of legitimate sites with a malicious script Sophos products blocked as Troj/JSRedir-R. The purpose of this was to infect users with a data-stealing Trojan known as Troj/Daonol-Fam.

The payload of the recent attacks looks similar, the malicious binaries now being detected as Mal/Daonol-A.

As with the previous wave of site defacements, it appears to be stolen FTP credentials that is driving the new attacks. These enable the attackers to upload malicious PHP scripts which can then be used to construct the attack. Contrary to the previous attacks, the payload is now also being hosted on compromised hosts, making the attacks more resilient.

At the end of last week, we managed to get hold of one of the key PHP script components being used by the attackers. Analysis of the script gives us some interesting insights into these attacks.

The PHP script can be used by the attackers to inject a malicious script into all suitable pages on the victim site. Files below ~200kB whose extension do not match any of the following are targeted (up to a maximum of 5 within any particular directory):

• .zip
• .rar
• .gz
• .jpg
• .gif
• .avi
• .mp3
• .wma
• .mpg
• .png
• .txt
• .swf
• .css
• .js
• .log
• .pdf
• .ppt
• .fla
• .as
• .tar

Some simple techniques are used to make the injected scripts mildly polymorphic (between each injected page). These include function/variable substitution and simple string obfuscation.

The purpose of the injected script is simple - adding a script element to the page which will cause the browser to load further malicious content from a remote server (hosted on another compromised site).

The PHP script makes it trivial for the attackers to change the redirection payload of the scripts that are injected into pages. Issuing a HTTP request to the PHP script with the desired target domain in the query string is all that is required. So, requesting http://compromised_site_A/path/gumblar.php?dom=compromised_site_B will result in:

• removal of any injected scripts previously added to suitable pages on compromised_site_A
• injection of new scripts, whose payload will be to load content from compromised_site_B

This makes the new wave of attacks more resilient to URL filtering. Sophos customers are protected - aside from detecting the payload as Mal/Daonol-A, pages injected with the redirection scripts are blocked as Troj/JSRedir-AE. Indications at this point are that a large volume of sites have been affected - the detection is already contributing to almost 4% of all web-based threats for the past 48 hours.

Additionally, detection for the malicious PHP scripts uploaded to compromised sites has been added as Troj/PHPMod-B. If you are a webmaster or hosting provider and encounter this detection, please let us know. It would be interesting to collect further samples of the PHP kits being used.

Recently we have received a PayPal phishing email and it looks like this.

It is not hard to spot that this email is a phish since clicking on the link does not take us to PayPal.com but to some remote site (which is already blocked by Sophos’s web appliance).

The web page loaded from this site disguises itself as PayPal.com as shown below.

However, this web page is just an image of the real PayPal.com web page. All the tabs and links on this fake web page can not be selected and only the email address and password text field can be used. This is another obvious sign that the web site is fake. By logging in with some fake  email address and password we were lead to the following page.

By clicking on the link we were directed to another web page as shown below.

How can we tell that this web page is fake? It is quite simple, this page has the following URL.

We  provided some fake  account and address information, the site then redirects  us to a page asking us to supply our banking details.

We then decided to supply more fake banking information to the web page and see where it will lead us. As a result we were lead to the following page.

Finally, the site will refresh and redirect us to the genuine PayPal.com web page.

Malware coming in the form of attachments is not unusual these days.

However, malware can also be found in links provided within e-mails:

According to its name,  “You have won!.pdf”, it suggests to people that they have won some kind of a lottery.  However,  the URLs lead you to a malicious file, which seems to have been taken down (access to which is already blocked by Sophos’s web appliance).

So, please beware of such malicious links and their fake claims that you have won some money ;-).

If you are curious of what you did win, you can always click on the link and win yourself a piece of malware ;-).