Sophos

Archive for February, 2008

Last day for UK citizens to petition for central e-crime police unit

It’s February 29th. If you’re a single man that means you’re living in mortal fear that your girlfriend will realise that you have been ignoring her hints for the last 4 years, take advantage of the Leap Year, and propose marriage to you.

If, however, you’re British and work in IT security then you should know that today is also the last opportunity you have to petition Prime Minister Gordon Brown to create a central e-crime police unit.

As we blogged last month, it has been almost two years since the National High-Tech Crime Unit (NHTCU) was closed down and its work transferred to the Serious Organised Crime Agency (SOCA). Many people, including the Metropolitan Police and the Association of Chief Police Officers, are concerned that not enough is being done to fight computer crime in the UK and have called for the creation of a central e-crime police agency.

If you’re a UK citizen you can sign the petition on the official government website:

http://petitions.pm.gov.uk/ecrime/


PayPal recommends surfers don’t use Apple Safari to browse the web


Michael Barrett, PayPal’s chief information security officer, is reported in the press today as recommending that surfers use Internet Explorer, Firefox or even Opera in preference to Apple’s web browser, Safari.

Safari is the default web browser which ships on Apple Mac computers, laptops and even the iPhone, but a version for Windows was also unveiled to the world in June 2007.

Safari doesn’t command the same kind of marketshare as Microsoft Internet Explorer and Mozilla Firefox (the latter of which is also available in an Apple Mac version), but it’s likely that many Apple owners have stuck with the default web browser which shipped with their computers. 

In PayPal’s opinion, Safari users are making a mistake.  PayPal thinks that (at the moment at least) Opera, Firefox and Internet Explorer are safer for the average user.

People’s ears prick up when a company as prestigious as PayPal makes a statement like this, but what’s the truth?

The fact is that phishing is primarily a human problem, rather than a technological one. Yes, it’s a good idea to keep your browser up-to-date with patches, and if your browser has strong anti-phishing technology built into it - all the better.   But ultimately it’s the user who decides to click on a web link in an unsolicited email, or enter their username and password on a site which later turns out not to be trustworthy.

Browsers can help reduce the risk through technology - but it would be a mistake to rely on them entirely for the security of your data.

If you don’t have confidence in the workers in your company, and worry that they are putting your business at risk by using unauthorized web browsers then consider using application control to police what programs get used by which users.  And whichever browser your company ends up choosing to access the web, ensure that surfing is being secured and controlled with a solution like the WS1000 Web Appliance which can block access to sites containing malware, spyware and other online threats.

PayPal and its sister company eBay, like Sophos, are members of the Anti-Phishing Working Group (APWG), an organization dedicated to wiping out internet scams and fraud. The companies have published several tutorials on how to spot phishing emails:


A portion of games with a Windows Mobile worm on the side

Following the blog entry by our colleagues at AVERT and the subsequent media attention I decided to investigate reports about a new worm for the Windows Mobile and Windows Smartphone platforms. The worm is packaged together with a number of legitimate mini-games such as Mahjongg and a version of Tetris, with just enough social engineering to entice an unsuspecting user into installing the package on their device.

Apart from the usual warning that the package is not signed and therefore should not be trusted, there are no other obvious signs that the package is malicious. That warning is generally ignored by most users, usually with no bad consequences, except that with this package they get more than they bargained for. One of the files in the package, 000Setup.017, is clearly malicious, with functionality to copy itself to any inserted flash card and more. We decided to detect this worm as WCE/Meiti-A. During the installation the file is copied to mservice.exe in the Windows folder of the device and mservice.exe is launched.


Additional games are indeed installed in the usual Games folder but this is where the fun stops.


Although I have looked at some previous examples of Windows Mobile malware I would not say that I am the greatest expert in Windows executable analysis for ARM. However, with the help of IDA, the disassembly is similar to the disassembly of any other Windows executable. Thanks to the Win32 API, the majority of the functions used are familiar.

[WCE/Meiti-A disassembly]

Unfortunately, my time for the analysis was quite limited so I am fairly sure I have missed something interesting. The execution of the worm starts with lowering the security settings so that the device does not complain about programs not being signed. This is done through a simple registry write, just like on any desktop version of Windows. Depending on its own file name another copy, mservice2.exe, may be created, which possibly indicates a self-updating capability. The next stage, common with desktop malware as well, is to ensure that mservice.exe is started every time the device is powered on. WCE/Meiti-A does this by creating a shortcut, mservice.lnk, in the Windows StartUp folder.

Handlers for various events, such as flash memory card insertion and connection of the device to a network, are created. If a new memory card is inserted, mservice.exe creates a copy of itself in the folder \2577\ on the card with the file name autorun.exe. This ensures that the file runs every time the memory card is inserted into the device, or indeed into any other Windows Mobile device. The folder name 2577 is the processor-type value (PROCESSOR_STRONGARM) that Windows CE uses for ARMv4 and later compatible CPUs: on card insertion the operating system looks for \<processor type>\autorun.exe and launches it. This mechanism for automatic startup is well documented in the MSDN library.

The handler that detects network connectivity (quite possibly including GPRS connections) simply triggers the upload of potentially confidential information about the user and the device status to the attacker’s website. Suspiciously, code for sending SMS messages also exists, although from static analysis it is not easy to see the number used as the destination of the message. More work is needed tomorrow. The HTTP protocol is used by several other subroutines in order to upload ZIP files created on the device.
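The three persistence and spreading artefacts described above (mservice.exe in the Windows folder, the mservice.lnk StartUp shortcut, and \2577\autorun.exe on any storage card) are easy to check for once a device or card is mounted on a workstation. The following is an added example, not Sophos code or anything from the worm: it walks a directory tree standing in for the device file system, reports those indicators, and decodes the StartUp shortcut’s target. The \Windows\StartUp location and the Windows CE text-format .lnk layout (`<length>#<command line>`) are assumptions stated in the comments; the fixture it scans is constructed.

```python
"""Offline scan of a mounted Windows Mobile file system (or storage-card image)
for the WCE/Meiti-A indicators described above. Added example, not Sophos code."""
import re
import tempfile
from pathlib import Path

# File-system indicators named in the analysis above. Windows CE paths are
# case-insensitive, so everything is compared lower-cased with forward slashes.
# The StartUp folder location is an assumption (\Windows\StartUp is the usual one).
DEVICE_INDICATORS = {
    "worm body": "windows/mservice.exe",
    "possible self-update copy": "windows/mservice2.exe",
    "startup shortcut": "windows/startup/mservice.lnk",
}
# Windows CE runs \<processor type>\autorun.exe from a newly inserted card.
# 2577 is the value for ARM (PROCESSOR_STRONGARM); any numeric folder is reported.
CARD_AUTORUN = re.compile(r"(?:^|/)(\d+)/autorun\.exe$")


def shortcut_target(lnk: Path) -> str:
    """Windows CE .lnk files are plain text of the form '<length>#<command line>'."""
    text = lnk.read_text(encoding="ascii", errors="replace")
    return text.split("#", 1)[1].strip() if "#" in text else text.strip()


def scan_tree(root: Path) -> list[str]:
    """Return a sorted list of findings for every indicator present under root."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix().lower()
        for label, indicator in DEVICE_INDICATORS.items():
            if rel == indicator:
                detail = f" -> {shortcut_target(path)}" if rel.endswith(".lnk") else ""
                findings.append(f"{label}: {rel}{detail}")
        m = CARD_AUTORUN.search(rel)
        if m:
            findings.append(f"card autorun (processor type {m.group(1)}): {rel}")
    return sorted(findings)


def build_sample(root: Path) -> None:
    """Constructed fixture: an infected device with an infected card mounted."""
    (root / "Windows" / "StartUp").mkdir(parents=True)
    (root / "Windows" / "calc.exe").write_bytes(b"MZ benign placeholder")
    (root / "Windows" / "mservice.exe").write_bytes(b"MZ worm placeholder")
    (root / "Windows" / "StartUp" / "mservice.lnk").write_text(r"21#\Windows\mservice.exe")
    (root / "Storage Card" / "2577").mkdir(parents=True)
    (root / "Storage Card" / "2577" / "autorun.exe").write_bytes(b"MZ worm placeholder")


def demo() -> list[str]:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_tree` at a mounted card to check it before inserting it into a device; a numeric folder other than 2577 is reported too, since the same autorun mechanism exists for the other processor types Windows CE supports.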

Overall, this worm is very similar to the many removable-device worms we see on desktop Windows. It is fairly obvious that the worm was programmed by somebody with previous experience of software development for Windows Smartphone. The worm most probably originates in China, like so much other malware these days. It remains to be seen whether this sample is the first indicator of increased effort into writing malware for Windows Mobile and Smartphone devices.


More Zbot: Get a visa, get infected

We have previously blogged about Zbot banking Trojans being installed in various web attacks [1]. Since then, the authors have kept themselves busy. We have identified numerous malicious web sites using exploits in order to try to infect victims. Last week our colleagues at F-Secure blogged about Finnish spam linking to a site which infected visitors with a Zbot variant [2].

Earlier today I was investigating the site of a company based in London which specializes in helping clients obtain visas for international travel. We had reports of their site being infected with a malicious script (Troj/Unif-B). Sure enough, the site has been compromised with a malicious script that writes an iframe to the page in order to load content from a remote machine (in Russia). Multiple exploits are used in the attack including:

In addition to these, some of the regular old favourites are being used (NCTAudio, WebViewFolderIcon, SuperBuddy, MDAC and friends).

The exploits attempt to install a Win32 downloader trojan which in turn downloads a Zbot variant. Fortunately for Sophos users, both files are proactively detected as Mal/EncPk-CJ. If undetected and allowed to install, Zbot copies itself into the system directory using the somewhat notorious filename ntos.exe. There are many variants within this family, triggering generic detections such as Mal/EncPk-CJ, Mal/Zbot-A or Mal/Zbot-B. Once running, Zbot hides its own presence and that of some of its configuration/data files, as can be seen if you run an anti-rootkit scanner:

[Zbot stealthing]

(For readers not running a Sophos product who may be infected, I tested using Sophos’s free anti-rootkit scanner to remove Zbot and cleanup worked fine.)

Historically, Zbot banking malware has targeted multiple banking institutions, using a variety of techniques including:

  • screen capture
  • sniffing network traffic (hooking WS2_32.DLL and WSOCK32.DLL functions)
  • keylogging
  • clipboard capture
  • redirecting traffic (may modify HOSTS file in addition to hooking network functions)
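The last item in the list, HOSTS-file redirection, leaves an artefact that is simple to audit: a hostname that users would expect to resolve through DNS has been pinned to an address that is not the local machine. The following is an added example (not Sophos code, and not based on any specific Zbot configuration) that parses a Windows HOSTS file and flags watch-listed domains, or their subdomains, mapped to non-local addresses. The bank names, addresses and file contents are constructed for the example.

```python
"""Check a Windows HOSTS file for the redirection technique listed above: a
hostname on a watch list mapped to an address other than the local machine.
Added example, not Sophos code; the watch list and file contents are constructed."""
import ipaddress
import re

COMMENT = re.compile(r"#.*$")


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, address, hostname) for every mapping in a HOSTS file.
    One line may map several names to the same address; comments are stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = COMMENT.sub("", raw).split()
        for host in fields[1:]:
            entries.append((lineno, fields[0], host.lower()))
    return entries


def is_local(addr: str) -> bool:
    """Loopback and unspecified (0.0.0.0 / ::) addresses are what a HOSTS file
    legitimately contains (localhost, ad blocking); anything else overrides DNS
    with a real destination. Unparseable addresses are treated as non-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text: str, watchlist: list[str]) -> list[tuple[int, str, str]]:
    """Watch-listed hostnames (or their subdomains) pointed at a non-local address."""
    hits = []
    for lineno, addr, host in parse_hosts(text):
        if is_local(addr):
            continue
        if any(host == w or host.endswith("." + w) for w in watchlist):
            hits.append((lineno, host, addr))
    return hits


# Constructed HOSTS file: the first two lines are what a clean file looks like,
# the rest is the kind of modification described above. .test domains and
# documentation IP ranges only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- appended by malware ---
203.0.113.7     www.examplebank.test online.examplebank.test
0.0.0.0         ads.tracker.test
198.51.100.20   secure.examplebank.test   # looks like the real thing
"""
WATCHLIST = ["examplebank.test"]


if __name__ == "__main__":
    for lineno, host, addr in suspicious_entries(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {lineno}: {host} -> {addr}")
```

On a live Windows machine the file is `%SystemRoot%\System32\drivers\etc\hosts`; dropping the watch list and reporting every non-local mapping is a coarser but still useful check, since a normal workstation has none.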

Users should make use of all the technologies Sophos provides to block this and other threats. In particular, suspicious file detections and runtime HIPS protection provide a vital layer against today’s aggressive malware campaigns. As an example, if these Zbot variants were not already detected during a file scan, the user would still be protected by HIPS, which would block their installation (HIPS/RegMod-012 and HIPS/FileMod-001).


Another Day, Another N00b

In the working day of a virus analyst it so happens that, when you do encounter a poorly written piece of malware, you don’t know whether to:

a. shake your head
b. laugh or
c. cry.

Take for instance this little wannabe malware author who wrote Troj/Agent-GQO. When the Trojan is run, the following message box is displayed, which purports to announce that money is being stolen from the infected machine.

[Troj/Agent-GQO message box]

In reality, all the Trojan does is attempt to contact a remote website (and it doesn’t hide the fact that it is trying to access the website). Despite its “terrifying” message, Troj/Agent-GQO does not perform any activities directly related to information gathering or information stealing.

To add insult to injury, the Trojan creates a text file on the Windows Desktop (aptly titled “OWNED BY EVIL KIDD!!!”), which when opened reveals more immature rants.

[Troj/Agent-GQO text file]

In this case, I am tempted to go with option b. Laughter, they say after all, is the best medicine.


More ‘Celebrity news’

Within the last hour spammers have changed the distribution method of Troj/Exchan-Gen. On Friday I talked about the last incarnation of this attack.

The spammers are still using ‘celebrities’ to lure users into installing their malware. Obviously the spammers are hoping that people will want to know more about their favourite stars.

Messages are more varied this time:

[example message body]

With subjects like:

[example subject lines]

SophosLabs have updated the spam rules to catch this campaign.


Double abuse

One of the oldest spammer tricks is the abuse of free email and web hosting services. The former allows them to hide behind a legitimate email service. The latter gives them the ability to host spammy images and content on otherwise legitimate domains.

One of the more recent trends is the abuse of AOL Mail and Microsoft’s SkyDrive at the same time. The spam comes from @aim.com accounts through the AOL WebMail system and points to a randomly generated URL on bay.livefilestore.com to load the images carrying the spam content, for example:

[example AIM/SkyDrive spam message]

This is an example of stock “pump-n-dump” spam using the technique, but we’ve also seen it used in spam promoting “viagra”, fake Rolex watches, casinos, etc. The format of the messages stays the same, but the content (the “hashbusters”) and the URLs keep changing.

This campaign will be challenging for anti-spam filters that rely heavily on sender reputation technologies (no one will be willing to block AOL IPs). It may also create difficulties for URL and checksum based filters as they get heavily randomized.

In our case, the best approach was to use Sophos’s Spam Genotype technology. A definition consisting of non-mutating campaign features should detect all of these samples reliably.
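To make the point concrete, here is an added example (not Sophos’s Spam Genotype code) of matching on the non-mutating features of the campaign described above rather than on the things the spammer randomises. It treats three features as the campaign signature: an @aim.com sender, a Received header from AOL, and a body whose only links are images on bay.livefilestore.com. It also computes the body digest a checksum filter would key on, to show that the digest changes from sample to sample while the feature match does not. The three messages are constructed; the exact rule, and the Received-header check in particular, is an illustrative assumption rather than a reproduction of the real definition.

```python
"""Campaign-feature matching for the AOL Mail / SkyDrive spam described above:
match on what the spammer cannot cheaply change (sending domain, relay, image host,
message shape) rather than on body text or URL checksums, which are randomised.
Added example, not Sophos code; the messages below are constructed."""
import email
import hashlib
import re
from email import policy

# Images hosted on SkyDrive's file store, as seen in the campaign.
SKYDRIVE_URL = re.compile(r"https?://bay\.livefilestore\.com/\S+", re.I)
ANY_URL = re.compile(r'https?://[^\s"\'<>]+', re.I)


def campaign_features(raw: str) -> dict:
    """Extract the handful of features the campaign cannot vary cheaply."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    body = "\n".join(
        part.get_content() for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )
    urls = ANY_URL.findall(body)
    return {
        "sender_domain": sender_domain,
        "via_aol": any("aol.com" in str(h).lower() for h in msg.get_all("Received", [])),
        "skydrive_image_count": sum(1 for u in urls if SKYDRIVE_URL.match(u)),
        "other_url_count": sum(1 for u in urls if not SKYDRIVE_URL.match(u)),
        # What a checksum-based filter would key on; differs for every hashbusted sample.
        "body_digest": hashlib.sha1(body.encode("utf-8", "replace")).hexdigest(),
    }


def matches_campaign(raw: str) -> bool:
    """aim.com sender relayed by AOL whose body links only to SkyDrive images."""
    f = campaign_features(raw)
    return (f["sender_domain"] == "aim.com" and f["via_aol"]
            and f["skydrive_image_count"] >= 1 and f["other_url_count"] == 0)


# Constructed samples. A and B are two hashbusted copies of the campaign with
# different random text and different random SkyDrive paths; C is a legitimate
# aim.com user mailing a normal link.
SAMPLE_A = """\
Received: from webmail-d007.sysops.aol.com (webmail-d007.sysops.aol.com [203.0.113.10])
    by mx.example.net with ESMTP; Wed, 27 Feb 2008 09:12:44 +0000
From: "Dave" <dave.trader88@aim.com>
To: victim@example.net
Subject: hot pick for tomorrow
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://bay.livefilestore.com/y1pQkz7Hxb3LqR/ad.gif"><br>
<p>narrow bridges lantern fifty rivers calmly</p></body></html>
"""
SAMPLE_B = """\
Received: from webmail-d112.sysops.aol.com (webmail-d112.sysops.aol.com [203.0.113.11])
    by mx.example.net with ESMTP; Wed, 27 Feb 2008 09:13:01 +0000
From: "Karen" <karen.b.1975@aim.com>
To: victim@example.net
Subject: re: your request
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://bay.livefilestore.com/y1pZZ0mKq9tWvE/ad.gif"><br>
<p>orchard seventeen quietly granite velvet</p></body></html>
"""
SAMPLE_C = """\
Received: from webmail-d007.sysops.aol.com (webmail-d007.sysops.aol.com [203.0.113.10])
    by mx.example.net with ESMTP; Wed, 27 Feb 2008 09:20:10 +0000
From: "Colleague" <someone@aim.com>
To: victim@example.net
Subject: that article
Content-Type: text/plain; charset="us-ascii"

Here is the story I mentioned: http://www.example.net/news/story.html
"""

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        f = campaign_features(sample)
        print(name, matches_campaign(sample), f["body_digest"][:12], f)
```

The SkyDrive host is the weakest of the three features, since Microsoft can (and later did) change its file-store domains, so in practice the host pattern should live in data that can be updated without touching the logic.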


“Traffic control” on the web

The web provides a number of mechanisms for people to make money. Advertising, pay-per-click, referrals, sales: all these mechanisms (and more) have been abused by attackers. Web traffic is money, and the ability to control or direct that traffic is power. One of the interesting characteristics of web attacks is the use of ‘traffic control’ systems. I will try to illustrate what I mean with an example.

Regular readers will be familiar with the flowcharts I have used to illustrate how an attack works. Let’s consider a classic drive-by attack:

  • multiple compromised sites loading content from various pages on a domain controlled by the attacker
  • which load content from an attack site
  • which hits the victim’s browsers with multiple exploits to install a Trojan

So, familiar territory which we can illustrate as follows:

[Attack flow diagram]

The top row of nodes represents compromised sites. Globally distributed and triggering various detections, these pages all load content from an attacker-controlled site hosted in China. This site then loads exploits from the attack site (highlighted in yellow).

The concept of ‘traffic control’ lies with the middle row of nodes (a page on a site hosted in China). Anyone with control over this page has the power to control the attack, to dictate which exploits and what payloads the victim will get hit with. I therefore label this the control site.

Monitoring a few of these control sites over time shows some interesting characteristics.

  • periodically they flow into different attack sites, changing the nature of the attack
  • WHOIS registration information and other details suggest the same groups behind numerous control sites

Illustrating how the control sites change over time is awkward. Presenting a similar flowchart but with different domain names in the nodes does not work well. Plotting the attack geographically shows the many-to-one relationship between the compromised sites and the control site very effectively.

[map of hosting locations]

Each red dot shows where a domain involved in the attack is hosted. Blue lines join compromised sites to the control site. A red line shows the link from the control site to the attack site (hosting the exploits).

I am curious as to the financial role and importance of these control sites. Are they available for hire? An administrator of a control site referenced by lots of compromised sites would be in a perfect position to sell his services. Other hackers could hire ‘redirect time’ in order to hit victims with their malware. Maybe close monitoring of some carefully chosen attacks over time will give us some clues if this business model is in use.
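The structure described above (many compromised sites loading one control page, which in turn points at an attack site that changes over time) can be recovered mechanically from observed redirect chains. The following is an added example, not SophosLabs tooling, working over a constructed set of observations with .invalid host names: it identifies control sites by fan-in from compromised sites, reconstructs the sequence of attack sites each control site has pointed at, and lists attack sites fed by more than one control site, which is one cheap hint, alongside WHOIS data, that the same group is behind several of them. The fan-in threshold and the "shared attack site" heuristic are assumptions for illustration.

```python
"""Finding 'control sites' in a set of observed drive-by redirect chains.
Added example, not SophosLabs code; the observations are constructed."""
from collections import defaultdict

# (observation date, compromised site, intermediate host, attack host), i.e. one
# record per "compromised page -> control page -> exploit page" chain seen.
OBSERVATIONS = [
    ("2008-02-01", "shop.example-a.invalid", "ctl1.invalid", "exp-one.invalid"),
    ("2008-02-01", "news.example-b.invalid", "ctl1.invalid", "exp-one.invalid"),
    ("2008-02-01", "blog.example-c.invalid", "ctl1.invalid", "exp-one.invalid"),
    ("2008-02-09", "shop.example-a.invalid", "ctl1.invalid", "exp-two.invalid"),
    ("2008-02-09", "forum.example-d.invalid", "ctl1.invalid", "exp-two.invalid"),
    ("2008-02-09", "news.example-b.invalid", "ctl2.invalid", "exp-two.invalid"),
    ("2008-02-20", "shop.example-a.invalid", "ctl1.invalid", "exp-three.invalid"),
    ("2008-02-20", "blog.example-c.invalid", "ctl2.invalid", "exp-three.invalid"),
]


def build_graph(observations):
    """inbound: host -> compromised sites loading it; outbound: host -> attack sites."""
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for _, compromised, control, attack in observations:
        inbound[control].add(compromised)
        outbound[control].add(attack)
    return inbound, outbound


def control_sites(observations, min_fan_in: int = 2) -> dict:
    """Hosts referenced by several compromised sites: the many-to-one node is the
    control site. min_fan_in is an assumed threshold, not a published one."""
    inbound, outbound = build_graph(observations)
    return {
        host: (sorted(inbound[host]), sorted(outbound[host]))
        for host in inbound if len(inbound[host]) >= min_fan_in
    }


def attack_timeline(observations, control: str) -> list[tuple[str, str]]:
    """Dates on which a control site was seen pointing at a different attack site."""
    timeline = []
    for date, _, host, attack in sorted(observations):
        if host == control and (not timeline or timeline[-1][1] != attack):
            timeline.append((date, attack))
    return timeline


def shared_attack_sites(observations) -> dict:
    """Attack sites fed by more than one control site, a hint at a common operator."""
    _, outbound = build_graph(observations)
    by_attack = defaultdict(set)
    for control, attacks in outbound.items():
        for attack in attacks:
            by_attack[attack].add(control)
    return {a: sorted(c) for a, c in by_attack.items() if len(c) > 1}


if __name__ == "__main__":
    for host, (victims, attacks) in control_sites(OBSERVATIONS).items():
        print(host, "fed by", len(victims), "sites; attack sites:", attacks)
        print("  timeline:", attack_timeline(OBSERVATIONS, host))
    print("shared attack sites:", shared_attack_sites(OBSERVATIONS))
```

With real data the observations come from repeatedly fetching the compromised pages and recording each hop; the same functions then answer the question the post raises, whether one control page is being rented out to several payload operators.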


‘Celebrity news’ still an active lure for malware

Over the past few weeks SophosLabs have been tracking the spamming of a link to malware. Thankfully the link destination appears to be down now, but earlier in the week it was serving Troj/Exchan-Gen. The link was using Google redirection to try to fool users and make life difficult for anti-spam products.
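Redirection through a trusted domain defeats any filter that only looks at the hostname in the link, so the destination has to be unwrapped before it is scored. Here is an added example (not Sophos code) that follows query-string redirectors of the google.com/url kind without touching the network, including one redirector nested inside another, and returns the final host. The list of redirector hosts and the parameter names other than `q`/`url` are assumptions to be tuned for your environment; the sample links are constructed with .invalid names and documentation addresses.

```python
"""Unwrapping redirector links, as used in the spam described above, so that a
filter scores the real destination rather than the trusted redirector's domain.
Added example, not Sophos code. Only query-string redirectors are handled; the
parameter names and the sample links are assumptions / constructed."""
from urllib.parse import parse_qs, quote, urlparse

# Hosts whose links are treated as redirectors (assumption: extend for your environment).
REDIRECTOR_HOSTS = {"google.com"}
# Parameters that may carry the destination. google.com/url uses 'q' and 'url';
# the others are plausible names included as an assumption for illustration.
DEST_PARAMS = ("q", "url", "u", "target")


def is_redirector(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS)


def unwrap(url: str, max_hops: int = 5) -> list[str]:
    """Return the chain from the link as written to its final destination, with no
    network access. Stops at a non-redirector, a missing parameter, a loop, or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        if not is_redirector((parsed.hostname or "").lower()):
            break
        params = parse_qs(parsed.query)  # percent-decodes the values once
        nxt = next((params[p][0] for p in DEST_PARAMS if params.get(p)), None)
        if nxt is None:
            break
        if not nxt.lower().startswith(("http://", "https://")):
            nxt = "http://" + nxt  # bare host/path in the parameter
        if nxt in chain:
            break  # redirector pointing back at an earlier hop
        chain.append(nxt)
    return chain


def final_host(url: str) -> str:
    """The hostname a URL filter should actually score."""
    return (urlparse(unwrap(url)[-1]).hostname or "").lower()


# Constructed samples: a direct lure behind the redirector, the same lure behind
# two nested redirectors, and an ordinary link that needs no unwrapping.
LURE = "http://203.0.113.5/video.exe"
SIMPLE = "http://www.google.com/url?sa=t&q=" + quote(LURE, safe="")
NESTED = "http://www.google.com/url?q=" + quote(SIMPLE, safe="")
PLAIN = "http://www.example.net/news/story.html"

if __name__ == "__main__":
    for link in (SIMPLE, NESTED, PLAIN):
        print(final_host(link), "<-", " -> ".join(unwrap(link)))
```

The hop limit matters: an attacker who knows the filter unwraps links can chain redirectors deeply or make them loop, and the filter must fail closed (treat an unresolved chain as suspicious) rather than spin.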

SophosLabs issued protection for the malware and the spam. The subjects of the messages were:

“Sensation.New Video - make haste to look!!!” or “Sensation.Video New - make haste to look!!!”.

An example message body, referring to the high profile inquest into the deaths of Dodi Al-Fayed and Princess Diana, is shown below:

[example message body referring to the Diana inquest]

Other message bodies referenced:


Bred Pitt marks a birthday!!!
Britney Spirs made a match!!!
CIA tortures prisoners!!!
Harry Potter was purchased by pentkhaus!!!
Hillari Clinton stood up for daughter!!!
Hollywood stars George Clooney!!!
"Jumper" is a fantastic film of producer Doug Liman - presentation!!!
Maccartni!!!
Madonna reinvents herself as film director!!!
Michael Jakson glued up a person a plaster!!!
Mobile replacement of Blu-ray and HD DVD is created!!!
Pamela Anderson divorces in third times!!!
Princess Diana 'could have been killed by MI6' - conclusions of experts!!!
Secrets of Cambridge 'porn' library revealed!!!
The extramarital son of John Kennedy appeared in Canada!!!
The first photos of new-born son Agilery are published!!!
The first roller is presented to the film "Indiana Jons - 4"!!!
Two powerful earthquakes happened in the USA!!!

So long as a sufficient percentage of users are fooled by the social engineering, the use of ‘news’ stories to push malware looks like a continuing trend.


Poisoned Adverts hit TV sites

Earlier this week we were asked to investigate a URL by a journalist working at The Register. A web user had contacted The Register claiming they were prompted to install some software when browsing a page on ITV.com, the website of the UK’s independent television network (a competitor to the BBC).

When I visited the site I saw the prompt to install some software. After downloading I scanned it and Sophos Anti-Virus identified Cleanator Installer (a PUA). Further investigation was then needed.

When I re-visited the site on a machine with all analysis tools to hand, I saw some interesting sites get loaded.

[proxy log excerpt]

The above snippet from the proxy log has been edited to obscure the malicious site. Upon downloading the ‘PHP’ file I saw that it was actually a Macromedia Flash file, now detected as Troj/Gida-B. It contained a link to another PHP file on the same site. This loaded a Shockwave Flash file, also detected as Troj/Gida-B. The Shockwave file contained a script to redirect to another site that then loaded the cleanator dot com page.

Once on the Cleanator page I was presented with the following:

[Cleanator prompt]

After several different button presses I was presented with these worrying images.

[Cleanator warning]

And:

[Cleanator main page]

Cleanator has become somewhat infamous recently, and the group behind it is widening its scope beyond Windows users. Recently we saw MacSweeper, the first rogue application targeting Mac users. Sure enough, in the case described here, if the user browsing the ads is on a Mac (a browser User-Agent string suggestive of Safari), they are redirected to the macsweeper dot com page instead.

[MacSweeper page]

Some interesting information about Cleanator, MacSweeper (and others) is available here. The facts are simple - loading content from other parties is potentially dangerous (see older blog article).