Sophos

Archive for June, 2007

A not so friendly Ecard

SophosLabs analysts today encountered a new spam campaign that contains an embedded Trojan within the HTML message.

The original variant was first brought to our attention a few days ago and was caught by SophosLabs analysts then. Today, however, different variants of the Trojan Troj/JSEcard-A have been spammed out on a massive scale.

When run, the Trojan message silently downloads a file from a remote site to ecard.exe, and appears in your browser in the following form:

Troj/JSEcard-A

Naturally, there is no new browser feature, and clicking on the link results in the execution of the downloaded file. Sophos currently provides proactive detection of the downloaded file ecard.exe as Mal/Dorf-A.

This is another social engineering trick employed by malware authors to entice users into running their malware.

As for Troj/JSEcard-A, the embedded HTML contains encrypted code that is decoded by an XOR routine with a specific key. SophosLabs analysts have encountered different keys in use across the variants of this particular malware.

To have an idea of how widespread this problem is, the picture below illustrates the sources (as indicated by the white thumbnails) of this particular spam campaign.

Troj/JSEcard-A

Ouch.


All this work and no gain

Many attacks these days involve several stages with malicious functionality contained in different files, often downloaded from compromised web pages.

One of the crucial pieces in a multi-stage attack is a small downloading Trojan that downloads the additional components. Downloaders are usually small files with basic functionality to download and execute files. Historically they have been quite easy to detect proactively as their functionality is often obvious, although recently we have observed an increasing number of downloaders with obfuscated functionality.

The other day I came across a downloader (Troj/DwnLdr-GVU) that uses several layers of simple encryption and some anti-emulation techniques to hide its functionality from anti-virus software:

1. 13 chunks of 30 bytes and one chunk of 15 bytes of encrypted data are decrypted into a buffer, using simple xor decryption with one decryption key per data chunk.

Troj/DwnLdr-GVU disassembly

2. The control is transferred to the decrypted buffer.

3. Floating point instructions are used to calculate a value and save it to the stack (this may stop some code emulators).

4. Self-modifying code is used to decrypt a small piece of data revealing the next decryption loop.

5. The rest of the body is decrypted with a simple add decryption and a static key. This reveals the URL used to download the additional component. An interesting thing to note is that the URL does not end with a NULL character, so it is not yet a usable string. Again, this may prevent some anti-virus software from extracting the decrypted string and detecting on the extracted URL.

Decrypted_buffer

6. The next stage of decryption continues. This time it is again a simple xor decryption loop.

7. The de-obfuscation finishes with a single xor instruction that changes the last character of the URL to NULL, which makes the URL a fully formed C string, as required by the Win32 API function used for downloading.

8. The location of the downloaded file is built on the stack and the APIs are dynamically imported.

9. The additional component is downloaded and launched.
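As an added illustration (not code from the Sophos post, nor the malware's own code), the following Python re-implements on constructed data the layered decoding described in the steps above for Troj/DwnLdr-GVU, using the same per-chunk single-byte XOR that Troj/JSEcard-A's embedded HTML relies on. The chunk keys, add key, final XOR value and URL are all constructed; steps 2 to 4 and 6 are skipped. It shows why a string carver run over the buffer before step 7 finds no URL.

```python
# Added example, not the post's or the malware's code. Keys, URL and chunk
# count are constructed for the demo; the real sample used 13 x 30 + 15 bytes.
CHUNK = 30
CHUNK_KEYS = [0x5A, 0x13, 0xC7, 0x2E, 0x91, 0x44, 0x08, 0xF0, 0x6D, 0x3B, 0xAA, 0x17, 0xE2, 0x7C]
ADD_KEY = 0x33     # static key of the "add" layer (step 5)
FINAL_XOR = 0x41   # the single XOR that turns the URL's trailing byte into NUL (step 7)

# Constructed plaintext: the URL followed by one non-NUL filler byte, so the
# decoded buffer holds no C string until the final XOR has run.
PLAIN = b"http://example.invalid/next.exe" + bytes([FINAL_XOR])


def xor_chunks(data, keys, chunk=CHUNK):
    """Step 1: XOR each chunk with its own single-byte key; a short final chunk is fine."""
    out = bytearray()
    for i, key in enumerate(keys):
        out += bytes(b ^ key for b in data[i * chunk:(i + 1) * chunk])
    return bytes(out)


def add_decrypt(data, key):
    """Step 5: undo byte-wise 'add' encryption with one static key."""
    return bytes((b - key) & 0xFF for b in data)


def c_string(buf):
    """The NUL-terminated ASCII string at the start of buf, or None if there is no NUL."""
    end = buf.find(b"\x00")
    return None if end < 0 else buf[:end].decode("ascii")


def build_sample(plain=PLAIN):
    """Apply the layers in encryption order to construct the demo blob."""
    added = bytes((b + ADD_KEY) & 0xFF for b in plain)
    return xor_chunks(added, CHUNK_KEYS)   # XOR is its own inverse


def decode(blob):
    """Run the decryption layers; return (buffer before step 7, URL after step 7)."""
    body = add_decrypt(xor_chunks(blob, CHUNK_KEYS), ADD_KEY)
    # Here c_string(body) is None: no terminator, so a string carver finds no URL.
    finished = bytearray(body)
    finished[-1] ^= FINAL_XOR   # step 7: one XOR makes the last byte NUL
    return body, c_string(bytes(finished))


if __name__ == "__main__":
    before, url = decode(build_sample())
    print("before final XOR:", c_string(before), "| after:", url)
```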

Before any of this, though, the first action of the downloader is to add itself to the list of Windows Firewall authorized applications. This behavior immediately gets blocked by Sophos’s recently released HIPS runtime behavior analysis.

HIPS runtime behavior analysis

Behavior-based protection provides an essential additional layer of proactive protection against previously unknown malware.


From Russia with Love?

I’m going to document some research I’m doing so that I can use it as evidence to convince my fiancee that what I’m doing is really work.

Let me explain: a few weeks ago, I noticed a spam campaign that got me intrigued. It was simply a plain message, offering ‘photographs’ to anyone that replied. There was no link, no call to action other than to reply. My theory at the time was that this was simply a method of harvesting email addresses, so I replied (using a disposable account I use for gathering information on spammers). All I said in my reply was “please send pics”. I was expecting it to simply seed my account with more spam (which it did).

However, imagine my surprise when I got a reply, with pictures (fully clothed, I hasten to add), from a nice young lady called Tatyana, who is currently in Russia but is planning to “work in your country for three months” and is looking for a “nice man”. Evidently she has a friend that moved to America and worked very hard, having two jobs, and she promises to do the same.

t21.jpg

Tatyana goes on to say “I am not so beautiful like Hollywood Princess, but I do hope to meet my Prince and I am sure he will be not be disappoined to meet me in the real life!”

t1.jpeg

As you can see from the picture, she’s being a little harsh on herself, although if my fiancee asks she’s not my type. The picture of course could be someone completely innocent (let me know if you recognise her).

My theory now is that this is a variation on the Nigerian 419 scam, and sooner or later the lovely Tatyana will want me to send money for a plane ticket. But maybe I’m misjudging her? Should I reply? If so, any suggestions as to what I should say?

Let me know at sophosblog@sophos.com


Name your poison

ARP poisoning is by no means a new trick when it comes to network attacks; however, it is seldom employed by your typical malware, which is why it caught my attention.

The malware detected as Troj/Sniffer-P is a configurable command line network attack tool which can be used (amongst other things) to inject HTML data (such as an IFRAME tag) into network packets. What makes this interesting is that the attack can be carried out from a third-party workstation by spoofing ARP packets.

During a regular network transaction to request a webpage, the following sequence of events takes place:

  • Client issues an ARP request to obtain the web server's physical MAC address using the server's known IP address
  • Client receives ARP reply and can now establish a connection to the server
  • Client issues HTTP requests
  • Server responds with HTTP responses

The Trojan attempts to interfere with this process by continually transmitting fake ARP replies onto the network with the intention of making the client believe the attack node is the web server.

This can be achieved because, as soon as the client sends the ARP request, there are already several (fake) replies in transit. The MAC address obtained by the client will therefore not be that of the web server but that of the attacking node. The client, however, is blissfully unaware and continues with the transaction.

Unbeknown to the client, the data is really being sent to the attack node, which forwards it to the server, acting as the “man in the middle”. As the HTTP data returns via the established TCP/IP connection through the attack node, it is injected with some of the attacker's own data.

The injected data could be anything from malicious JavaScript to an IFRAME referencing some adware.

This style of attack has the ability to bypass web content filtering at the gateway and offers a means of localised network propagation without needing to compromise the server.

Prevention of such attacks cannot rely on a single piece of security technology; it should instead combine a number of perimeter and endpoint solutions to maximize coverage of the attack surface.
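One endpoint-side check that follows from the sequence above, written here as an added example (not code from the post or from Sophos): an ARP monitor that flags a server IP being answered by a MAC other than the one first seen for it, and a node sending bursts of unsolicited replies. The frames, addresses and thresholds are constructed for the demo.

```python
from collections import defaultdict

# Constructed ARP frames (not a real capture): (time_s, op, sender_ip, sender_mac, target_ip).
# 10.0.0.5 is the client, 10.0.0.80 the web server, cc:..:99 the attack node.
FRAMES = [
    (0.00, "request", "10.0.0.5",  "bb:bb:bb:bb:bb:05", "10.0.0.80"),
    (0.05, "reply",   "10.0.0.80", "aa:aa:aa:aa:aa:80", "10.0.0.5"),   # genuine answer
    (5.00, "reply",   "10.0.0.80", "cc:cc:cc:cc:cc:99", "10.0.0.5"),   # unsolicited, forged
    (5.10, "reply",   "10.0.0.80", "cc:cc:cc:cc:cc:99", "10.0.0.5"),
    (5.20, "reply",   "10.0.0.80", "cc:cc:cc:cc:cc:99", "10.0.0.5"),
    (5.30, "request", "10.0.0.5",  "bb:bb:bb:bb:bb:05", "10.0.0.80"),  # cache expired
    (5.35, "reply",   "10.0.0.80", "cc:cc:cc:cc:cc:99", "10.0.0.5"),   # forged reply wins
    (5.40, "reply",   "10.0.0.80", "aa:aa:aa:aa:aa:80", "10.0.0.5"),   # genuine, too late
]


def detect_arp_spoof(frames, flood_threshold=3, window_s=2.0):
    """Return alerts for (a) an IP answered by a MAC other than the first one seen for it
    and (b) a MAC that sends flood_threshold unsolicited replies within window_s seconds."""
    alerts = []
    ip_to_mac = {}                  # first MAC observed for each sender IP
    pending = set()                 # (answerer_ip, asker_ip) pairs with an open request
    unsolicited = defaultdict(list) # sender_mac -> timestamps of unsolicited replies
    reported = set()                # (ip, mac) conflicts already raised
    for ts, op, sender_ip, sender_mac, target_ip in frames:
        if op == "request":
            pending.add((target_ip, sender_ip))
            continue
        if (sender_ip, target_ip) in pending:
            pending.discard((sender_ip, target_ip))   # an answer somebody asked for
        else:
            recent = [t for t in unsolicited[sender_mac] if ts - t <= window_s] + [ts]
            unsolicited[sender_mac] = recent
            if len(recent) == flood_threshold:
                alerts.append(("flood", sender_mac, flood_threshold))
        known = ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac and (sender_ip, sender_mac) not in reported:
            reported.add((sender_ip, sender_mac))
            alerts.append(("conflict", sender_ip, known, sender_mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(FRAMES):
        print(alert)
```

The first-seen table is only as trustworthy as the first reply it records, so on a real network seed ip_to_mac from a known-good inventory rather than from traffic.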


Hashish-eater

The original meaning of the word assassin comes from the Arabic for an eater of hashish.

This particular ‘assassin’ looks to have been consuming a fair amount of something if they believe this hoax would be profitable. By spreading fear, uncertainty and doubt, the scammer is trying to solicit money with menaces (a criminal act). This is a hoax, in many ways similar to previous ones.


ATTENTION:


I WISH TO INFORM YOU THAT YOUR DESTINY LIES IN YOUR HANDS NOW. YOU DON'T KNOW ME, AND CAN NEVER KNOW/SEE ME IN YOUR LIF TIME.

A CONTRACT OF $90,000.00 HAS BEEN SIGNED FOR ME TO ASSERSINATE YOU IN THE NEXT FEW DAYS, AND AS YOU ARE READING THIS EMAIL, MY MEN ARE MONITORING YOU AND SCATTERED AROUNG, EVEN FROM THE HOSPITAL. YOUR LINES ARE BEEN MONITORED AND ANY ATTEMPT TO CONTACT THE POLICE WILL BE THE SIGNING OF YOUR DEATH WARRANT YOURSELF.

HAVING INVESTIGATED ON YOUR PERSON FOR THE PAST FEW DAYS, I HAVE COME TO REALIZE THAT WE ARE BEING CONTRACTED DUE TO SELFISH INTEREST BY OUR BOSS TO ELIMINATE YOU. SO IF YOU CO-OPERATE WITH ME, I WILL SEND BACK THE HANDS OF DEATH TO THE PERSON THAT WISHES YOU DEATH.

YOU SHOULD REMAIN CALM AND ONLY ACCEPT MY OFFER, THEN I WILL ALLOW YOU TO LIVE AND YOUR ENEMY DEAD. BUT IF YOU MAKE ANY ATTEMPT TO REVEAL THIS TO A THIRD PARTY, WILL BE A BREACH OF TRUST THAT WILL LEAVE ME WITH NO CHOICE THAN TO SEND THE BULLETS INTO YOUR BRAINS.

GET BACK TO ME IMMEDIATELY BY EMAIL: XXXXXXXXXXX@yahoo.com

I WILL INFORM YOU OF MY NEGOTIATION RULES.

YOUR FRIEND/KILLER

SophosLabs recommendations for hoaxes like this:

  • Do not get back to the scammer
  • Do not forward them on to colleagues
  • Submit them to SophosLabs
  • Delete the emails


Free iPhones?

Only a few hours left before Apple iPhone arrives in stores, but why bother if you can get one “FOR FREE”?!

A variety of spam campaigns playing on the iPhone hype have been arriving on our traps for quite some time now. One of the campaigns received today offers $600 (to go towards your iPhone) for taking a survey. The campaign featured a range of spammer techniques like “hashbusters”, “web bugs”, character obfuscations, varying URLs and subject headers:

"Be the first to get an Apple iPhone On Us at N0 C0st"
"Get Your Fun  iPhone Toy Quickly"
"Be the First to Get the Revolutionary iPhone"

I wonder how long it will take before we see e-mails luring people to a malicious website by offering free iPhones.

freeiphone.png


Harry Potter and the USB Device of Doom

While analysing a trivial sample written using AutoIt, we received the following bad news.

Oh no!

But don’t worry, he is still alive, living happily along with the other users on your computer…

However, we have a slight doubt that this was written by J.K. Rowling herself, as the user is greeted with the following message at every login:

In addition, every time I open Internet Explorer, my start page is redirected to a page of this book…

This is part of the “story” told by W32/Hairy-A. W32/Hairy-A attempts to spread this newest chapter of Harry Potter to the world by dropping a copy of itself onto various removable drives.

Hairier than Hagrid’s beard!


Turkish Delight

Today SophosLabs received a new worm from the field which was quite similar to the W32/SillyFD family, but different enough to make it a new family. Detection has been added as W32/Amca-A.

The worm is written in Visual Basic by some Turkish hackers. The name comes from a reference in the code reading “Paylasim Acma(C,D).exe”.

It has several components packed into a WinRAR SFX. Besides installing itself into the system32 folder, it creates two simple command files, <System>\acd.cmd and <System>\acd2.cmd, which are used to share the drives of the infected machine. These files contain a simple command:

net share PATRON1=d:\ /unlimited /remark:"RockStar"

Also, similarly to the SillyFD worms, it spreads to USB drives, creating two hidden files there: activexdebugger32.exe and Autorun.inf. The latter is used to autorun the exe when the drive is connected to a new machine.


Variants versus Persistent Campaigns

It was not too long ago that each unique variant of a threat would be assigned a variant letter (-A, -B, -C etc) and a description. Recent times are a whole lot different. Certain families (and I can think of several notorious ones) contain so many variants that assigning variant letters is practically impossible, and even if it were done, useless. In this post, I look at a snapshot of one such family, Mal/Cimuz, a family of Win32 Trojans whose chief payload is the stealing of banking credentials.

A new web attack was noticed recently in which various compromised sites were turned into drive-by sites to hit victims. The purpose of the attack was the installation of Cimuz. Let’s start from the bottom up, with Cimuz itself.

It would be fair to say we have seen a huge number of Cimuz variants over the past 6 months. Thankfully, the publication of a number of generic detections (1,2,3) has resulted in all of these being proactively detected. Aside from protecting customers, this also enables us to track the threat over time. The graph below shows the number of unique samples, proactively detected, received each day over the past 6 months. The numbers are huge, with several hundred unique binaries being received on several days. For all you variant letter fans, we would be well past Cimuz-NTP by now!

2007 Statistics for Mal/Cimuz variants

Without wanting to read too much into the numbers (there are some caveats with the raw data), there are several conclusions we can draw:

  • the whole Cimuz campaign is aggressive, coordinated and persistent
  • we have received samples in waves, suggestive of waves of attack
  • the bad guys are using automation to churn out huge numbers of ‘variants’ (some would take issue at the use of the term variant here, but that is an uninteresting digression)
  • generic detection is absolutely required for threats such as this

An installation of Cimuz is typified by symptoms such as:

  • DLL of name IPV6MONL.DLL in %SysDir%
  • this DLL installed as a BHO
  • Registry key set to allow Internet Explorer through the Windows firewall

Once installed, specific behaviour varies through the family, but the payload is stealing credentials related to online banking. For example, many Cimuz variants will monitor the active browser session, and log keystrokes when the user browses a site of interest (banking related).

So how is Cimuz installed? What is the next link up the chain? A large number of the Cimuz variants are installed via a Trojan dropper. This is a utility written for the purpose of dropping and executing a piece of malware. Commonly, the dropper carries the malware in an encrypted form (helping to evade detection). Many droppers attempt to terminate security software prior to dropping and executing the malware. In the case of Cimuz, various droppers have been used. Recent months have seen the use of a dropper we proactively detect as Mal/Binder-C.

Stepping up the chain another level, we come to the wonderful world of downloader Trojans. A plethora of downloaders are encountered every week - they provide a convenient tool for the bad guys to use in the installation of malware. The downloader Trojan family used by Cimuz is another notorious family - Mal/Clagger (1,2,3,4,5,6). This downloader Trojan has continuously evolved over the past few months in attempts to evade detection.

Finally, the first link in the chain concerns the delivery of the Clagger downloader. Many have been spammed out (directly or via links), but more recently we have seen web attacks using drive-by sites to hit unpatched client browsers and silently download/execute Clagger. The most recent attack is using a malicious script (proactively detected as Mal/ObfJS-A). Several sites have been compromised, the most humorous of these being a foot-fetish site!

feet.gif

The lengthy infection mechanisms used by Cimuz to hit victims are not unique - many other families take a similarly aggressive approach. As illustrated in a previous posting, even if not all of the components are proactively detected, so long as several are, users can still be protected *. By tracking such campaigns, and ensuring we maintain detection for the various components involved, the chance of providing protection is significantly increased.

* This is particularly true for the ‘utility’ Trojans (downloaders, droppers) which can be reconfigured and used in other attacks to download/drop different malware.


Read all about it …

Malware authors use many tricks to lure users into executing code. The following is one we haven’t seen for a long while:

Hot News

Were you to follow the link you would be taken to a web page containing JS/Dload-E which would download further malware.