Sophos

Archive for April, 2007

Hop, Hop, Phish

An increasing number of web-based malware campaigns use compromised legitimate sites in their infection chains. The technique is very common in phishing as well, of course. As an example, one seen today uses two compromised sites.

Firstly, the phishing link points to a compromised construction site based in the US. The hackers have simply dropped a single HTML file (postinfo.html) onto that machine, containing a simple redirect:

<meta http-equiv="refresh" content="0;url=http://(ip_address)/.www.keypointcu.com/">

The server redirected to is another legitimate box, this time in Chile! It too has been compromised and is now serving up the fake login page used in the phishing attack.

[Screenshot: KeyPoint CU Phish]


W32/Liji-A virus propagation

A new virus appeared today, albeit one that infects and propagates in a different way.

The virus W32/Liji-A contains two different core components. It has an executable (EXE) which, when run, also drops a dynamic link library (DLL).

The functionality of the virus works in this manner:

Dynamic link library (DLL) - Contains the infection code. The infection routine is called via an export function found within the library. The infection code also checks an infection marker, which prevents files that have previously been infected with W32/Liji-A from being infected a second time.

Main executable (EXE) - The main functional program. It has the ability to spread via network shares and removable drives. It also enumerates folders on the infected computer and infects clean executables it finds.

In a slight twist, the infected files do not go on to infect other files. Instead, when an infected file is run, it connects to a remote website and attempts to download a file. The downloaded file is a copy of the main executable (W32/Liji-A).

W32/Liji-A also contains disinfection capability that will clean executables that have been infected with the virus.

More technical details can be found on the main Sophos website.

http://www.sophos.com/security/analyses/w32lijia.html


Isle of Man Phish

There was a UK element to a phishing attack against PayPal today. The spammed-out phish email (below) provided three different links, all to a .location.html file on what appear to be three compromised boxes (one in Japan, two in Korea).

[Screenshot: Isle of Man Phish email]

The .location.html file simply contains a short redirect script:

<script>window.location="http://(ip_removed)/.pp/confirm-account/processing.php";</script>

The IP address places the server within a hosting facility based on the Isle of Man. Looking through the files on that machine reveals some of the usual content, including a public JavaScript library (some of which appears to have been written in 2003) designed to validate credit-card details submitted in web forms! Nice to see code reuse, with no reinventing of the wheel! The harvesting site appears to have been constructed specifically for the phishing attack, rather than using another compromised server.
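Both attacks above rely on the same trick: a tiny HTML file dropped onto a legitimate server whose only job is to bounce the victim elsewhere, either via a meta refresh (postinfo.html) or a one-line window.location script (.location.html). The following is an added example, not Sophos code, of how a site owner or incident responder might sweep a web root for such stubs. It flags redirects whose target is a bare IP literal, a host the site does not own, or a path that starts with a hidden dot-directory (like the /.www.keypointcu.com/ and /.pp/ paths seen here). The OWN_HOSTS set and the 203.0.113.x addresses in the samples are constructed assumptions (203.0.113.0/24 is a documentation range).

```python
"""Spot dropped redirector stubs (meta refresh / window.location) in a web root.

Added example, not Sophos code. Hostnames and IPs below are constructed
(203.0.113.0/24 is a documentation range).
"""
import ipaddress
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript redirect forms: window.location="...", location.href = '...'
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
# The url=... part of <meta http-equiv="refresh" content="0;url=...">
META_URL = re.compile(r"""url\s*=\s*["']?([^"'\s;]+)""", re.I)


class _RedirectParser(HTMLParser):
    """Collect redirect targets and count visible (non-script) text."""

    def __init__(self):
        super().__init__()
        self.targets = []       # (kind, url)
        self.text_chars = 0     # visible characters outside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(("js-location", m.group(1)))
        else:
            self.text_chars += len(data.strip())


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(html, own_hosts):
    """Rate one HTML document. own_hosts: hostnames this site legitimately serves."""
    p = _RedirectParser()
    p.feed(html)
    p.close()
    reasons = []
    for kind, url in p.targets:
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if not host:
            continue                      # relative redirect, stays on this site
        if _is_ip_literal(host):
            reasons.append(f"{kind}: target host is a bare IP literal ({host})")
        elif host not in own_hosts:
            reasons.append(f"{kind}: target host {host} is not one of this site's hosts")
        if u.path.startswith("/."):
            reasons.append(f"{kind}: target path starts with a hidden dot-directory ({u.path})")
    # A redirect with nothing else on the page is the classic dropped-stub shape.
    stub = bool(p.targets) and p.text_chars == 0
    if stub:
        reasons.append("document has no visible content other than the redirect")
    suspicious = any(not r.startswith("document has") for r in reasons)
    return {"redirects": p.targets, "suspicious": suspicious, "stub": stub, "reasons": reasons}


def scan_webroot(root, own_hosts):
    """Yield (path, result) for every suspicious .htm/.html file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = classify(fh.read(), own_hosts)
                if result["suspicious"]:
                    yield path, result


OWN_HOSTS = {"www.example-construction.test", "example-construction.test"}  # assumed

SAMPLES = {
    # Shaped like the dropped postinfo.html: a bare meta refresh to an IP-hosted fake site
    "meta_stub": '<html><head>\n<meta http-equiv="refresh" '
                 'content="0;url=http://203.0.113.10/.www.example-bank.test/">\n</head></html>',
    # Shaped like .location.html: a one-line script redirect into a hidden ".pp" directory
    "js_stub": '<script>window.location="http://203.0.113.20/.pp/confirm-account/processing.php";</script>',
    # A legitimate "page moved" redirect that stays on the site's own host
    "benign_move": '<html><body><meta http-equiv="refresh" '
                   'content="5; url=https://www.example-construction.test/new-site/">'
                   '<p>This page has moved.</p></body></html>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        r = classify(html, OWN_HOSTS)
        print(f"{name}: suspicious={r['suspicious']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

Pointed at a real document root (scan_webroot("/var/www/html", OWN_HOSTS)), a hit is a lead rather than a verdict: sites do legitimately redirect off-site, so the file's modification time and owner should be checked against the site's deployment history before deciding it was dropped.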

[Screenshot: Site awaiting content page]


Talk to SophosLabs

SophosLabs will be at Infosec Europe next week. Come along and talk to our experts about security and control of your networks.


Music Loving Malware writers

With so much of the malware we see being variants, I was interested in a new ‘A’ variant published today. W32/Pahatia-A turned out to be using the same type of techniques as I blogged about yesterday, but I was interested in some of the names used for the infected executables: “Dibalas Dengan Dusta”, “Kau Pikir Kaulah Segalanya” and others. It turns out that these are titles of Indonesian pop songs. “Kau Pikir Kaulah Segalanya” translates literally into “You Think you All Of Them”; “Dibalas Dengan Dusta” translates to “Repaid with the Lie”, sung by “Audy”, a female artiste who appears to be currently signed to Sony.

The author of the malware is obviously a music critic, but the question remains: are they a fan or not?


Silly Malware

Today we added detection for a simple worm, W32/SillyFDC-Y, which reminded me of ‘old school’ malware. The worm periodically copies itself to removable media such as USB keys. It tries to create a hidden autorun file to launch itself whenever the device is connected to an uninfected machine.

Although the technology has changed, it is strangely reminiscent of ‘old school’ viruses that spread via floppy disk when I started in the security industry all those years ago. Does anyone even remember floppy disks?
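The autorun file the worm plants is the whole propagation mechanism, so it is also the easiest thing to inspect. The following is an added example, not Sophos code, of a small autorun.inf inspector: it parses the [autorun] section, lists every entry that would make Windows run something (open=, shellexecute=, shell\verb\command=), and flags the patterns that distinguish a planted file from a vendor install disc, namely launching from a hidden or system folder, overriding Explorer's open/explore verbs so that double-clicking the drive runs the payload, and an action= string that mimics Explorer's own "Open folder to view files" entry. Both sample autorun.inf texts are constructed.

```python
"""Inspect an autorun.inf for signs it was planted by removable-media malware.

Added example, not Sophos code. The sample autorun.inf texts are constructed.
"""
import os

EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".wsf", ".lnk"}
HIDDEN_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
# Verbs whose command= entry replaces what Explorer does on double-click / right-click
OVERRIDE_VERBS = {"shell\\open\\command", "shell\\explore\\command"}


def parse_inf(text):
    """Minimal INF/INI parser: {section: {key: value}}, keys lowercased, ';' comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _first_token(cmd):
    """The program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _in_hidden_dir(path):
    """True if any directory component is a well-known hidden/system folder or dot-named."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")[:-1]]
    return any(p in HIDDEN_DIRS or p.startswith(".") for p in parts)


def launch_targets(sections):
    """Every entry that would make Windows run something: open=, shellexecute=, shell\\*\\command=."""
    auto = sections.get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess(text):
    """Return launch targets, the executables among them, and the reasons the file looks planted."""
    sections = parse_inf(text)
    auto = sections.get("autorun", {})
    targets = launch_targets(sections)
    reasons = []
    for key, cmd in targets:
        exe = _first_token(cmd)
        if _in_hidden_dir(exe):
            reasons.append(f"{key}= runs a file from a hidden/system folder: {exe}")
        if key in OVERRIDE_VERBS:
            reasons.append(f"{key}= hijacks Explorer's default verb, so opening the drive runs {exe}")
    if "folder" in auto.get("action", "").lower():
        reasons.append(f"action= mimics Explorer's own AutoPlay entry: {auto['action']!r}")
    executables = [(k, _first_token(c)) for k, c in targets
                   if os.path.splitext(_first_token(c))[1].lower() in EXEC_EXT]
    return {"targets": targets, "executables": executables,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: one shaped like a worm-planted file, one like a vendor install disc.
WORM_STYLE = r"""
[autorun]
open=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
"""

INSTALL_DISC = r"""
; vendor installer
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, text in (("worm-style", WORM_STYLE), ("install-disc", INSTALL_DISC)):
        r = assess(text)
        print(f"{name}: suspicious={r['suspicious']} launches={r['executables']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

The install-disc sample also launches an executable, which is why the verdict keys on the shell-verb overrides, the hidden folder and the Explorer-mimicking action text rather than on open= alone. On the prevention side, the standard Windows control is to disable AutoRun for removable drives (the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer), which removes the launch path whatever the autorun.inf says.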


Virginia Tech targeted malware

We’ve just seen some Brazilian spam promising footage from a camera-phone of the Virginia shootings.

The file VIRGINIA.scr is currently detected as Mal/Packer.