Sophos

Archive for October, 2007

Happy HallowEcard

As much as we wish ecard spam was gone, we can’t say we’re surprised to see Halloween themed ecard messages. As usual they’re back with only a few words of content, the usual IP address link, and this time a seasonal subject header about Halloween such as “Happy Halloween” and “Dancing Bones”. When you click the link you see a page as follows.

[Image: Halloween Ecard]

As tempting as it sounds to play a funny sexual halloween game with a dancing skeleton, I opted not to give the game a try. When visiting the page there is some malicious javascript code (detected as Troj/JSXor-Gen) which tries to get you to download a number of infected files. The link on the page itself links to a “halloween.exe” file which again is detected as Mal/Behav-146.

Interestingly enough, while doing analysis on the site we refreshed the page a few minutes after first visiting it only to find a new image for users to click.

[Image: Halloween Ecard 2]

It’s a lot prettier than their first attempt at a page, which in turn could make it a little more convincing for users to download the file.

It should be interesting to see what new variation they come up with next.


Troj/Unif-B: A media friendly Trojan? Possibly…

In his post at the end of last week Dancho Danchev reported some of Possibility Media’s online publications serving up malware.

Doing a search through the SophosLabs data, we also see Possibility Media related infections. Below is a diagram illustrating one of the more complex attacks we have seen. (Note that over 3000 other compromised web pages are omitted from the diagram to maintain clarity.)

[Image: Possibility Media]

The Possibility Media site (detected as Troj/Unif-B) is highlighted in yellow at the center of the picture. As you can see, the complexity arises from the site linking to three different attack sites! When I checked the domain it appeared to be parked (although the placeholder page still contains the malicious script).

The websites of magazines owned by Possibility Media are all PHP-based and so it may be that hackers compromised the sites via some PHP vulnerability. The magazines all have contact details pointing to the ‘Tech Media Network’ whose contact details are a Possibility Media email address.

We are seeing a large number of other web sites compromised with Troj/Unif-B. Most of these sites are compromised to link to only one attack site:

[Image: Simpler Troj/Unif-B]

As with the previous diagram, a large number of web pages are not plotted for clarity. In this case, the total number of sites compromised in the attack is just over 1300.

At first glance you might think Possibility Media were specifically targeted in these attacks. However, when you look at the bigger picture (for example the sheer number of sites compromised to link to the attack sites in the first image) it is clear that the hackers are targeting more than just Possibility Media. They are targeting you, the web user.


The spammer who loved me

Last night, a colleague beat me to the punch with a posting about hacked websites and spam. I was planning to write a similar article this morning. My perspective on the spam was a little different so I am going to forge ahead.

This particular series of hacked sites is the same as one posted earlier this month. At the time we had seen a few sites, mainly in Greece, hacked and being used for various types of medical spam (viagra and stop-smoking). Now the hacked sites are spread more globally and are serving dating spam.

[Image: large.png]

You will have to zoom in on the large image.

The sites on the top are nearly all infected with Troj/Rectoun-A and all point to the same ‘attack site’.

In his post Dmitry mentioned the links used to count and log the hits to this website. However, as the above image shows, it also attempts to access a file, doexe.php.

Quick Scanning

>>> Virus 'Mal/EncPk-BD' found in file doexe.php

1 file scanned in 6 seconds.
1 virus was discovered.
1 file out of 1 was infected.

Currently this file is detected as Mal/EncPk-BD; previously, however, it was detected as Troj/Agent-GEA.

SophosLabs will continue to monitor this threat and update detections where appropriate. However, as we mentioned in an earlier posting the speed at which web attacks move means our job just gets more complex.


From Russia with … exploited websites?

Just like millions of other men and women worldwide I keep seeing letters that appear to come from some lonely Russian girls. The amount of spam of this nature seems to have increased significantly in the last few days.

Hello :) I'm unmarried girl from Russia and look for contacts. My name is Endgel and I'm 31 y.o.

See my image at my home page. Need you! ;)

I realize that “Endgel” couldn’t possibly know that I am already married to a Russian girl… I’m also not going to question her spelling, even though “Endgel” is hardly a good name for a lady. But I do not appreciate the fact that Endgel’s “home page” is hidden behind a number of compromised web servers around the world. So, I decided to take a closer look at what is behind the scenes.

The link in the e-mail took me to a site owned by some manufacturing representatives for military and commercial electronics. Only this time it was “owned” by “Endgel’s representatives”, who planted a new page there that redirects you to a dating site:

[Image: dating.png]

The website is hosted in China. I was also not surprised to find out that the link to unsubscribe did not take me anywhere…

This website is just a traffic generator for an online dating agency called TopLop. It’s easy to understand how this scheme works by visiting their “Affiliates” section:

[Image: toplop.png]

So, we all receive spam advertising this agency, but the agency itself is not responsible for it. At least not directly. They just pay the “highest commission” to the spammers. Tricky…

But let’s go back a bit… If you go to the root page of the compromised site linked from the spam, you’ll see a little JS code added to the bottom of the home page. The code is heavily obfuscated, but when it runs it sends the following to your browser:

[Image: js1.jpg]

The above site sends you yet another piece of heavily obfuscated JS code:

[Image: js2.jpg]

With this content behind:

[Image: js3.jpg]

I believe that all this redirection scripting was set so that the spammer could count the website visitors and record their IPs.


A nasty spyware cleaner (read fraud!)

The definition of malware according to Google web definitions is a program or file that is designed to specifically damage or disrupt a system. Generally when we think malware, we think viruses, worms, trojans, or spyware. So what is the best way to protect yourself against malware? Get an anti-virus or anti-spyware program of course! Ever wondered if that trial spyware/malware cleaner you just downloaded and ran on your computer itself could be malware?

We at SophosLabs quite often come across fraudulent spyware/malware cleaning programs. Typically these cleaners offer a free scan of your computer, report a whole bunch of clean files as infected, and try to scare you into purchasing their product. Normally these programs can be uninstalled using Add or Remove Programs, and end of story.

Recently I came across Troj/FakeVir-AK which showed all the classic characteristics of a fake spyware/malware cleaner. After reporting my computer was severely infected (a spyware program reporting viruses and trojans?) things started to get nasty.

[Image: Fake antispyware main window]

The spyware took complete control over my test machine. It prevented me from starting any new programs, accessing any files using Explorer, even running any command line tools! It changed my desktop wallpaper with a message which read: “WARNING! YOUR PC IS INFECTED! The virus installed on your computer can steal your passwords, accounts of credit cards and to intercept pressing keys and to send them on e-mail.”

Finally my monitor displayed this message:

[Image: screen2.JPG]

I hit the only smart button I could imagine, “EXIT”, which fired up my default browser and attempted to take me to a secure webpage where I could purchase the full version of this anti-spyware cleaner.

A peek inside one of the files installed by our fraudulent spyware cleaner had told me that it was going to intercept me accessing bank webpages, PayPal, eBay, and some popular email sites. But until now I had no way of firing up a browser or indeed any program. So I took the liberty of attempting to access PayPal instead of purchasing the anti-spyware cleaner, and as expected a message flashed warning me that all my information was about to be stolen by some virus.

The moral of the story is that you should not download and run anything from the internet unless you absolutely trust its authenticity. Even programs which appear to be good Samaritans can hide nasty alter-egos.


Direct Revenue - A victory for the good guys

I was pleased to read today that Direct Revenue have shut up shop.

Why should I be pleased when another small company shuts down in these sometimes difficult times?

Well this one has been repeatedly linked with creating ‘spyware’. Actually it is adware: its primary purpose is to generate revenue by displaying advertising on users’ desktops.

On the topic of spyware, I’m afraid I buck the trend for calling software like that developed by Direct Revenue spyware. Spyware has been around since the late 90s (remember all those AOL password stealers?) and such programs have always been detected by Sophos. The challenge for traditional vendors came with adware and other forms of Potentially Unwanted Applications (PUAs), because these often included an end user license agreement (EULA) which explained to the user that by agreeing to the software, they were agreeing to having their personal details collected and passed on and personalized advertisements delivered to them.

Security vendors couldn’t simply remove them or call them malicious for fear of prosecution for infringement of that license agreement.

A new breed of products took advantage of this and called them ‘spyware’ instead, and made sure that the lawyers were happy - and the term ‘Anti spyware’ was born.

Sophos detects and removes adware as well as other potentially unwanted applications, as well as detecting traditional ‘spyware’.

So the closure of Direct Revenue is one small victory for the consumer and for organisations like the Anti Spyware Coalition (of which Sophos is a member); let’s hope it is the first of many.


BBC Watchdog steals Facebook identities, and Sophos’s idea!

Last night, BBC TV in the UK broadcast an investigation into Facebook security on their flagship consumer affairs program, Watchdog.  Their findings have been reported in news stories worldwide.

BBC investigators set up a fake Facebook id called “Amba Friend”, contacted 100 people at random with friend requests, and reported how many accepted the invitation from a total stranger. Sure enough, plenty of people accepted the invitation and information such as home addresses and dates of birth were available for a potential identity thief to spirit away.

Sound familiar?  Well, it should do because back in August Sophos conducted a  remarkably similar experiment (we contacted 200 people, and used a photograph of a small plastic frog called “Freddi Staur” - an anagram of “ID Fraudster”).  Unlike the BBC we stopped short of taking out credit cards in innocent people’s names - but did publish a best practice guide and record a podcast about how people can better protect their privacy on the social networking website.

[Image: Freddi Staur the Facebook frog]

The BBC contacted us a few weeks ago asking how we had run our experiment, and even suggested strongly that they might want Freddi the frog - and members of SophosLabs - to appear on camera in the studio. 

We didn’t hear any more until suddenly Watchdog broadcast their startlingly similar investigation last night on BBC One.  Alas, there was no sight of plastic amphibian bath toys or mention of Sophos.  

It’s a shame the BBC didn’t involve us more, because we could have taken the story further.  For instance, earlier this month we revealed how joining a geographic network on Facebook opens up your profile to other people even if you haven’t accepted them as friends and even if you have previously been quite careful with your privacy settings. That’s quite a problem when you realise that, for example, the London Facebook network has over 1.2 million people (and growing).  Do you really want over a million strangers knowing your date of birth, cell phone number or that you’re going to the South of France on holiday for two weeks?

I guess we shouldn’t feel too miffed - after all, anything which raises awareness about individuals’ security online has to be a good thing.

But, of course, there is an enormous irony about being ripped off by a BBC consumer affairs show.  Oh well, they say imitation is the sincerest form of flattery!


No! Not my precious MP3s!

How would you like it if one day you ran a seemingly innocent file and every single MP3, WAV, AVI and MPG file on your hard disk died?

That’s what could happen if you were to be infected with Troj/MediaDel-A. It’s a small Visual Basic script that replaces all of the aforesaid media files on your system with the following text message:

“you should not steal our hard work. thanks for understanding why we did this. RIAA/MPAA.”

Now, it’s almost certain that the RIAA and MPAA are not stupid enough to distribute malware that would trash people’s media files indiscriminately. It’s more likely the work of a lone anti-piracy advocate or a script-kiddie looking to avoid blame; regardless, it’s one nasty trick.

Fortunately this malware is not widely spread and we here at Sophos plan to keep it that way.
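The post describes the damage but not how to find it afterwards. The following is an added triage example, not Sophos code: it checks files with the affected extensions for the replacement text quoted above, or for a missing media header. The signature table is a simplified set chosen for this example, and the sample inputs are constructed.

```python
import os

# File types the post says Troj/MediaDel-A overwrites, and the text it leaves in their place
MEDIA_EXT = {".mp3", ".wav", ".avi", ".mpg"}
MEDIADEL_TEXT = (b"you should not steal our hard work. "
                 b"thanks for understanding why we did this. RIAA/MPAA.")

# Leading bytes genuine files of each type start with (simplified signature set for this example)
MAGIC = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".wav": (b"RIFF",),
    ".avi": (b"RIFF",),
    ".mpg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
}

def classify(name, head):
    """Classify one file from its name and its first bytes:
    'overwritten' (carries the MediaDel text), 'ok' (valid media header),
    'suspect' (media extension but no recognisable header) or 'ignored'."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MEDIA_EXT:
        return "ignored"
    if MEDIADEL_TEXT in head:
        return "overwritten"
    if head.startswith(MAGIC[ext]):
        return "ok"
    return "suspect"

def triage(files):
    """files: mapping of file name -> leading bytes. Returns name -> classification."""
    return {name: classify(name, head) for name, head in files.items()}

def scan_dir(root, head_len=512):
    """Walk a directory tree and triage every file by reading only its first bytes."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[path] = fh.read(head_len)
    return triage(files)

# Constructed sample inputs (not real files): an intact MP3 and WAV header, two trashed files
SAMPLE_FILES = {
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32,
    "clip.wav": b"RIFF\x24\x08\x00\x00WAVEfmt ",
    "movie.avi": MEDIADEL_TEXT + b"\r\n",
    "video.mpg": b"not a video any more",
    "notes.txt": b"shopping list",
}
```

Run `scan_dir("/path/to/media")` on a real tree; files reported as overwritten have lost their content and can only be restored from backup.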


A fish out of water

A customer recently sent us samples of some AMD64 and Itanium executables that W32/Vetor-F had managed to infect, apparently unintentionally, despite being an x86-only executable virus. The Itanium version would definitely not have executed properly, as the virus had simply infected it with x86 instruction code at the entry point, which is meaningless to an Itanium processor. The AMD64 file, however, may well have executed as the instructions for AMD64 and x86 are very similar.

[Image: Vetor infection in an Itanium executable]

For W32/Vetor-F the existing detection and disinfection worked normally, but it’s easy to imagine a situation in which the AV product is not expecting to find infection code for one architecture in an executable for another - and, even worse, if the architectures are similar enough then the infection may still be dangerous.

[Image: Vetor infection in an AMD64 executable]

This cross-architecture infection was unintentional in Vetor. It’s a bug, but like many bugs in virus infection mechanisms it’s one that can make it tricky to identify and disinfect infected files.

Other examples include infectors that fail to check the PE section layout properly and end up writing the viral code across two or more sections and infections that don’t take account of data appended to the host executable. Many of these bugs can create oddities in the file structure that challenge the detection and disinfection code used by AV companies.

While most of the weird replicants arising from bugs are inoperable and harmless, sometimes the viral code executes even when the original host is broken. This can be an annoying situation for AV companies: a replicant resulting from a buggy infection that is too strange to be detected by the existing signature for that virus, but is still intact enough to cause further damage when executed.
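The three pitfalls above (assuming the host's architecture, assuming the entry point lands in one section, and ignoring data appended after the last section) all show up in the PE headers. This added example, not code from Sophos or from any AV product, parses those headers and reports them; `build_pe` constructs minimal PE32 images purely so the parser can be exercised on sample input.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "AMD64", 0x0200: "IA64"}   # COFF Machine field values

def build_pe(machine, entry_rva, sections, overlay=b""):
    """Construct a minimal PE32 image for testing (constructed sample, not a real binary).
    sections: list of (name, virtual_address, size); raw data is zero-filled."""
    n = len(sections)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", machine, n, 0, 0, 0, len(opt), 0x0102)
    raw_off = (0x40 + 4 + len(coff) + len(opt) + 40 * n + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, body = b"", b""
    for name, va, size in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, va, size,
                             raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += b"\x00" * size
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)    # DOS stub with e_lfanew at 0x3C
    pe += b"PE\x00\x00" + coff + bytes(opt) + table
    return pe + b"\x00" * (raw_off - len(pe)) + body + overlay

def pe_summary(data):
    """Report the header facts a disinfector must check rather than assume:
    target architecture, which section holds the entry point, and any overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]   # AddressOfEntryPoint
    sections, data_end = [], 0
    for i in range(nsec):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, coff + 20 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\x00").decode(), va, vsize))
        data_end = max(data_end, roff + rsize)
    entry_sec = next((s[0] for s in sections if s[1] <= entry < s[1] + s[2]), None)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "entry_section": entry_sec,                      # None: entry point maps to no section
            "overlay_bytes": max(0, len(data) - data_end),   # data appended after the last section
            "sections": sections}

def sections_touched(data, rva, length):
    """Names of sections a write of `length` bytes at `rva` would span; more than one
    means the code straddles a section boundary, the layout bug described above."""
    return [n for n, va, vs in pe_summary(data)["sections"] if va < rva + length and rva < va + vs]
```

A disinfector that reads `machine` before interpreting the bytes at the entry point would not mistake x86 code in an IA64 image for a valid Itanium entry stub.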

Even though many virus writers claim — usually to create some ridiculous justification for their actions — to be interested in artificial life, they seem to be unaware of the role of imperfect replication in evolution and tend to completely misunderstand the subject in general. Sometimes they even work against it. This is the case not just in trying (and, in this case, failing) to prevent broken replicants, but also in the design of most metamorphic engines that go out of their way to eliminate code mutations from the previous generation, a feature which removes any chance of cumulative selection and inheritance.

One last thing — it would be interesting to find out if there actually are any older x86 viruses, aside from trivial prependers (which replace the entire executable image with themselves so they’d run in 32-bit mode), that infect AMD64 executables by accident and still work. If there are, they’re probably fairly straightforward.


Angelina Jolie spam can get you caught with your pants down

It is said that pr0n is what makes the internet go round (or is that up and down?)

Spammers and malware authors appear to know this all too well judging by their continued use of smut in an attempt to increase the size of their botnets.

So let’s think this through. You’ve received about a dozen messages from various email addresses none of which you recognise, all of which have similar subject lines of:

“Hot pictures”, “Hot game” and “Here is it” - someone cue the cheesy porn music…

By now I’ve already deleted them, but not you…why? Do you really think a dozen random people are going to share their pictures of naked Angelina Jolie with strangers, or has the promise of a bit of flesh put your logical thinking on hold?

Ok, so you’ve opened the email and behold! You are warmly greeted by the sender who then offers a rather lurid description of the supposed content of the attached zip file.

Good afternoon, old chap!
Wanna see very sexual Angelina Jolie in short leather skirt and white silk blouse.
She slowly gets undressed and shows her big tits… ;)
Watch in your attachment!

Best Regards.

when they can obesity. It may even in the shuffle, the report says. Numerous studies and lots of of free play time, report says. have the resources, develop problem-solving the pressure, prepared by two he not be on par own thing,”

Ok, so you’re tempted by the tease, but what’s this down the bottom? Have all our new found pen-friends got a copy-and-paste problem? In the industry, we call that a hash-buster, effectively making such template messages unique by inserting random text.

So you’ve still not deleted the messages? GAAAHHH, what more proof do you need that Angelina is not about to pose nude for you? Ask yourself this: how much of Angelina can you possibly fit in a 20KB attachment? You say it’s zipped, I say delete the email before your computer unwillingly joins someone else’s botnet.

Such attachments are too small to contain images but can easily contain malware.

If in doubt, delete it! Otherwise you might get caught with your pants down!