Sophos

Archive for August, 2007

Banking on Security

Overnight, news on the wires has indicated that a major bank has had its website compromised by hackers. We wouldn’t normally “name and shame” the site that has been hit, but as others have already named Bank of India as the victim it seems silly now not to.

The Bank of India website now appears to be clean. Although it is not clear how the site was compromised, we do know what it was compromised with: several malicious iframes had been injected into its pages. We are currently updating our Mal/Iframe-F detection to cover this specific threat. However, WS1000 appliance customers will be pleased to know that the URLs referenced by the malicious web pages were blocked by Sophos over 14 days ago.

As mentioned by my colleague earlier (see post), there can be a number of different people responsible for the care of a website. The public hold banks to a higher degree of responsibility than most businesses, and yet, as I write, there has been no statement about this security breach from the company. We also don’t know what steps they may have taken to prevent a similar attack from happening again in the future.

The loss of reputation, goodwill and trust from being hacked is incalculable. This hack should alert all businesses, big and small, that web security isn’t an optional extra - it’s a must.


OMG, check out the new video!

No, it’s not a video of your favorite singer in a hot new music video, it’s actually an ecard malware variant. The ecard campaign resumes where it left off over the weekend, except this time they’ve reverted to their old habit of giving a simple link to a bare IP address rather than trying to pretend to be YouTube. Whether that’s because the YouTube variation wasn’t very successful we don’t know, but it’s more likely than not that this won’t be the last time we see this campaign.

We’ve been seeing the body content for this campaign change almost daily for the past couple of weeks, so today’s change of message content doesn’t come as a surprise.

Video


And they say lightning never strikes twice…

Yesterday the news sites picked up on the story of a possible rootkit on a Sony USB fingerprint device. Those of us who were in the business two years ago remember the last time this happened, when a rootkit was used to protect intellectual property on a music CD (see here).

The Micro Vault device does not appear to be available outside North America, with Sony saying it is no longer sold. However, with multiple labs around the world we were able to dispatch an analyst to take his coffee break in downtown Vancouver, go to the shops and locate a device. What followed was the usual techie desire to pull it apart (maybe he should have bought two).

What we can tell you is that, in an attempt to protect intellectual property, the device installs a rootkit onto the hard drive in a folder and stealths both itself and the folder so that neither can be seen by normal means. Sadly, this means that any malware placed in that folder will be just as invisible by normal means; this is the fundamental problem with using rootkit technology, as was shown with Troj/Stinx-E in 2005.

We will provide detection for the rootkit as a Potentially Unwanted Application. In the meantime, if you are concerned that this may have been installed on your system in the past, you can use Sophos Anti-Rootkit, which has always been able to detect this particular rootkit.


PDF spam no more?

Over roughly the past two months, PDF spam has exploded from a little-used technique to making up close to 30% of all spam sent at its peak (averaged daily). As spammers have adjusted their campaigns the volume of these messages has fluctuated; however, over the past week PDF spam has all but dried up.

The following graph shows the percentage of all spam received on SophosLabs traps that contains an attached PDF:

PDF spam hit rate

Since August 21st, the volume has dropped off the graph. Could this mean the spammers behind these campaigns have moved on to develop other techniques? Taking a holiday? Only time will tell.


Phishy snail mail

A few months ago, on one of the many mailing lists I am on, I was asked to participate in a survey. The mailing list was one of those provided by the Anti-Phishing Working Group (APWG), a “global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.”

This morning to my surprise I received a parcel containing a fishing lure!

“Phishing” lure with letter

An unexpected bonus for filling in a survey! Now I will need to take up fishing :-)


Easy as 1, 2, 3!

Every day at SophosLabs we see multitudes of malware samples that have been created with malware ‘toolkits’. Using one of these toolkits is as simple as choosing the required functionality (perhaps downloading another executable from the Internet) and pressing a big red “GO” button. Luckily, the resulting executables generally share remarkably similar characteristics, allowing us to detect unseen variants proactively (in this case, as Troj/ToyFtp-Gen).

However, something decidedly less common is for the actual toolkit to make its way into the lab. One such sample that crossed my desk today was a program for generating password-stealing Trojans. It let the user choose from a number of different installation methods, as well as specify the credentials of a remote FTP server (or ‘dump’) to which the generated Trojan uploads stolen information. While this is a relatively simple example, it emphasizes that creating malware can sometimes be a trivial exercise.

screen1.PNG

On the surface a program such as this may seem pretty clever, but analysis reveals a different story. The combination of poor program design, default component names and a number of glaring logic errors proves once again that real skill among malware authors is increasingly rare.


Lack of careY

It has been a pretty quiet day today, not surprising given that it is a bank holiday weekend in the UK. One of the phishing attacks seen was vaguely amusing. The phish email used the old trick of an HTML-formatted message containing superfluous characters in a white font colour: invisible to the reader against the white background, but present in the text that a filter sees. You can see all the inserted ‘y’ characters when switching between the original message and a rendering that ignores font colour:

hide3.gif

The attack used a compromised Russian web site to host the phish page. Coincidentally, I noticed that pages served from elsewhere on this site are detected as Troj/Decdec-A. The Russian site has been compromised: a malicious script has been appended to its pages to silently load content from a remote server (via an iframe tag). HTTP requests to that remote server have been blocked by the WS1000 since July 5th.

Aside from demonstrating how compromised sites are frequently used to launch both phishing and web attacks, this case also demonstrates the lack of care taken by the bad guys (did you notice the additional ‘y’ on the first line: Clientey?)
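The white-font padding in this phish, the iframe loader appended to the Russian site’s pages, and the malicious iframes found on the Bank of India site earlier in the month are all things that can be checked for mechanically. The script below is an added example, not Sophos code and not the actual phish or injected script from either post: it renders an HTML body twice, once as a reader sees it and once with colour ignored, so that padding characters stand out, and it flags iframes that are zero-sized, hidden by style, written by inline script, or pointed at a bare IP address or an off-site host, along with links to raw IP addresses of the kind the ecard runs use. The sample HTML, the page host name and the 203.0.113.x addresses are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not taken from any of the posts: a phish body padded with
# white-on-white 'y' characters, a link to a bare IP address, a zero-sized
# iframe, and an appended script that writes a second, style-hidden iframe.
# 203.0.113.0/24 is a documentation range; the addresses are placeholders.
SAMPLE_HTML = """
<html><body>
<font color="white">y</font>Dear Cl<font color="#FFFFFF">y</font>ient,
<p>Your account has been <font color="white">yy</font>suspended.
Please <a href="http://203.0.113.7/secure/login">verify your details</a>.</p>
<iframe src="http://203.0.113.9/in.cgi?3" width=0 height=0></iframe>
<script>document.write('<iframe src="http://203.0.113.9/in.cgi?3" style="visibility:hidden" width="1" height="1"></iframe>');</script>
</body></html>
"""

WHITE_COLOURS = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}
COLOUR_TAGS = {"font", "span", "div", "p", "a"}   # tags that may set a text colour
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCRIPT_IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _is_white(colour):
    return colour is not None and colour.replace(" ", "").lower() in WHITE_COLOURS


def _style_colour(style):
    m = re.search(r"(?:^|;)\s*color\s*:\s*([^;]+)", style or "", re.I)
    return m.group(1).strip() if m else None


def _parse_attrs(tag_body):
    # For iframes found inside script text, which HTMLParser never tokenises.
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(tag_body)}


class PhishPageAuditor(HTMLParser):
    """Collects the text a reader sees versus the text a filter sees, links to
    bare IP addresses, and iframes (static or written by inline script)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.colour_stack = []   # (tag, colour) for open tags that can set a colour
        self.full_text, self.visible_text = [], []
        self.ip_links, self.iframes = [], []
        self.script_buf = None   # script bodies arrive via handle_data, not as tags

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in COLOUR_TAGS:
            colour = a.get("color") if tag == "font" else None
            self.colour_stack.append((tag, colour or _style_colour(a.get("style"))))
        if tag == "a":
            host = urlparse(a.get("href") or "").hostname or ""
            if IPV4.match(host):
                self.ip_links.append(a["href"])
        elif tag == "iframe":
            self._check_iframe(a, "static iframe")
        elif tag == "script":
            self.script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self.script_buf is not None:
            body = "".join(self.script_buf)   # may arrive in several chunks
            for m in SCRIPT_IFRAME.finditer(body):
                self._check_iframe(_parse_attrs(m.group(1)), "script-written iframe")
            self.script_buf = None
        elif self.colour_stack and self.colour_stack[-1][0] == tag:
            self.colour_stack.pop()

    def handle_data(self, data):
        if self.script_buf is not None:
            self.script_buf.append(data)
        elif data.strip():
            self.full_text.append(data)
            if not any(_is_white(c) for _, c in self.colour_stack):
                self.visible_text.append(data)

    def _check_iframe(self, attrs, how):
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if IPV4.match(host):
            reasons.append("src is a bare IP address")
        if host and host != self.page_host:
            reasons.append("src is off-site (%s)" % host)
        for dim in ("width", "height"):
            digits = re.sub(r"\D", "", attrs.get(dim) or "")
            if digits and int(digits) <= 1:
                reasons.append("%s=%s" % (dim, digits))
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via style")
        self.iframes.append({"src": src, "how": how, "reasons": reasons})


def audit(html, page_host="example.org"):
    """Return visible vs. full text plus every suspicious iframe and IP link."""
    p = PhishPageAuditor(page_host)
    p.feed(html)
    p.close()

    def squash(parts):
        return " ".join("".join(parts).split())

    return {"visible_text": squash(p.visible_text), "full_text": squash(p.full_text),
            "ip_links": p.ip_links, "iframes": [i for i in p.iframes if i["reasons"]]}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML).items():
        print(key, "->", value)
```

Run against the sample, the visible text reads "Dear Client, Your account has been suspended..." while the full text reads "yDear Clyient... yysuspended", which is exactly the difference the two screenshots above show. Both iframes are reported with a list of reasons (bare IP, off-site, zero or one-pixel size, hidden style), and the login link is listed because its host is a raw address. The colour check only understands `<font color>` and inline `color:` styles; a stylesheet-driven colour, a near-white such as `#fefefe`, or text hidden by font size would need additional rules.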


Another ecard twist

In the last hour, another huge ‘ecard’ spamming run has been detected by SophosLabs. Aside from the usual ecard-related social engineering, some of the messages now masquerade as links to YouTube videos, for example:

nd1.gif

nd2.gif

Of course, the links are not to YouTube but to the IP addresses of compromised machines. Clicking on the link loads a web page containing the usual embedded malicious script and a manual link to the Dorf malware, for example:

nd3.gif

Happily, the malware involved is proactively detected as Troj/JSXor-Gen (the malicious script) and Mal/Dorf-E (the Trojan it is intended to install), so there is no need for a detection update to be pushed out at this time.


Not a server side issue?

In a post the other day I discussed issues around responsibility when sites are compromised. The case I described involved a financial services company with a reasonably active web site (500 or so visitors per day), which became compromised with malicious JavaScript (Mal/ObfJS-C).

Some 72 hours or so after the hosting provider was informed, the site was cleaned up and the script removed. Whether the cause of the problem (how the site/server was compromised) was identified and the hole plugged is not known. Perhaps more concerning is the message that was sent to the client. Even with an expectation of continued poor support, the message quite frankly astounded me!

ast.gif

So, there we have it - buck passed. Time to move to a new provider…


Return to Sender

Over the past few days our ‘ecard’ author (also known as Storm, Nuwar or Zhetalin) has been changing his tactics, moving away from ‘eCards’ to offers of pornography and then to invitations to join online communities such as cookery groups.

It appears that none of these techniques has proved as successful for the malware author, because the campaign has reverted to eCards again.

Reverting back to eCards

Maybe the motivation is to evade antispam products, as the underlying malware has not been modified enough to get past our generic detection (Mal/Dorf-E), and our automated monitoring system is ensuring it stays that way (over 2500 unique addresses have been seen in the past 7 days).

However, I think we can safely predict it’s not over yet. It’s just a matter of what’s next.