Sophos

Archive for March, 2008

April Fools Dorf

April Fools Day is an opportunity for many to play practical jokes on each other. Unfortunately it’s not all harmless pranks: malware authors are jumping on the bandwagon too.

Those behind the “Dorf” malware have decided to make use of April Fools’ Day to launch another new spam/malware attack. SophosLabs spam traps were hit hard today by many messages with varying body and subject lines, all attempting to direct users to an IP-based URI pointing to a machine hosting malware.

Example subject lines include:

All Fools’ Day
April Fools’ Day
Doh! All’s Fool.
Doh! April’s Fool.
Gotcha!
Gotcha! All Fool!
Gotcha! April Fool!
Happy All Fool’s Day.
Happy All Fools Day!
Happy All Fools!
Happy April Fool’s Day.
Happy April Fools Day!
Happy April Fools!
I am a Fool for your Love
Join the Laugh-A-Lot!
One who is sportively imposed upon by others on the first day of April
Surprise!
Surprise! The joke’s on you.
Today’s Joke!
Today You Can Officially Act Foolish
Wise Men Have Learned More from Fools…

While the content of the email varied, the page itself seems to remain static, and is detected as Troj/DorfHtml-B:

[Screenshot: April1-dorf]

The page links to a number of different filenames (e.g. “foolsday.exe”, “funny.exe”, “kickme.exe”), all detected as Troj/Dorf-BA.
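The two indicators this post gives for the campaign are a fixed set of lure subject lines and a link whose host is a bare IP address rather than a hostname. The following is an added example, not code from the post or from SophosLabs, of how a mail-filtering rule could combine those two signals. The messages, IP addresses and verdict names are constructed for the example; the subject list is the one given above.

```python
import re
from typing import Dict, List, Tuple

# Subject lines from the campaign as listed in the post. They are normalised
# to lower case with straight apostrophes so that matching tolerates the
# curly quotes mail clients often substitute.
_CAMPAIGN_SUBJECTS = [
    "All Fools' Day", "April Fools' Day", "Doh! All's Fool.", "Doh! April's Fool.",
    "Gotcha!", "Gotcha! All Fool!", "Gotcha! April Fool!", "Happy All Fool's Day.",
    "Happy All Fools Day!", "Happy All Fools!", "Happy April Fool's Day.",
    "Happy April Fools Day!", "Happy April Fools!", "I am a Fool for your Love",
    "Join the Laugh-A-Lot!", "Surprise!", "Surprise! The joke's on you.",
    "Today's Joke!", "Today You Can Officially Act Foolish",
]


def normalise(text: str) -> str:
    return text.replace("\u2019", "'").replace("\u2018", "'").strip().lower()


KNOWN_SUBJECTS = {normalise(s) for s in _CAMPAIGN_SUBJECTS}

# An http(s) URL whose host is a dotted quad instead of a hostname.
IP_URI_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(/[^\s\"'<>]*)?", re.IGNORECASE
)


def _valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_ip_uris(text: str) -> List[Tuple[str, str]]:
    """Return (ip, path) pairs for every IP-literal URL found in the text."""
    found = []
    for m in IP_URI_RE.finditer(text):
        ip, path = m.group(1), m.group(2) or "/"
        if _valid_ipv4(ip):
            found.append((ip, path))
    return found


def classify(message: Dict[str, str]) -> Dict[str, object]:
    """Score one message on the two indicators; verdict names are hypothetical."""
    subject_hit = normalise(message["subject"]) in KNOWN_SUBJECTS
    ip_uris = extract_ip_uris(message["body"])
    if subject_hit and ip_uris:
        verdict = "block"       # known lure subject plus IP-literal link
    elif ip_uris:
        verdict = "quarantine"  # IP-literal links are rare in legitimate mail
    elif subject_hit:
        verdict = "flag"        # lure subject alone: hold for a human to look at
    else:
        verdict = "deliver"
    return {"verdict": verdict, "subject_hit": subject_hit, "ip_uris": ip_uris}


# Constructed sample messages (not real spam captures); the IPs are
# documentation ranges.
SAMPLE_MESSAGES = [
    {"subject": "Happy April Fools Day!",
     "body": "Gotcha! See the joke at http://192.0.2.10/foolsday.exe"},
    {"subject": "Invoice attached",
     "body": "Your invoice: http://198.51.100.7/funny.exe"},
    {"subject": "Quarterly report",
     "body": "The report is at https://intranet.example.com/reports/q1.pdf"},
    {"subject": "Surprise! The joke\u2019s on you.",
     "body": "Open the attachment for a laugh"},
]


def triage(messages=SAMPLE_MESSAGES) -> List[str]:
    return [classify(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, triage()):
        print(f"{v:10s} {m['subject']}")
```

The subject match is deliberately exact rather than fuzzy: the post reports the subjects as a fixed list, and an exact match keeps the rule from flagging ordinary April Fools banter between colleagues. The IP-literal test carries the weight on its own, since the malware page is what the link points at regardless of the lure.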


Troj/Unif-B - a hive of activity

Over the past few weeks we have noticed an increasing number of sites compromised with a malicious script we detect as Troj/Unif-B. Our automation systems dutifully process the data, extracting target URLs and downloading other content to ensure we block the necessary URLs and detect the appropriate malicious content. However, I have been meaning to dig further into this spate of attacks to uncover their purpose, and to get a better idea of their coordination.

I decided to query our data for all records processed since March 1st 2008 (approximately 4 weeks’ worth of data). The data reveals almost 11,000 pages compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity: approximately 150 new domains each day (and this is just what we are seeing).

To get an impression of the purpose of the attacks, you need to delve further into the data. We can look at the ‘targets’ of the iframe that the malicious Troj/Unif-B script adds. For the 4,500 compromised domains, these targets fall into two categories:

  1. additional attack sites. Some other site which hits the victim with exploits.
  2. redirect or ‘control’ sites. Some other site, controlled by the attacker, which can be used to direct traffic (as discussed previously). Typically, these sites direct victims to one of several other attack sites (though there may be several redirects in use).

There are a number of prominent attacks visible in the data:

  • ~30% use a renowned attack site for installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
  • Tibs: over 10% are redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
  • Zbot: almost 10% load exploits intended to install a member of the Mal/Zbot family.
  • Gpack: approximately 5% point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.

GPack is something recently talked about by Roger Thompson, on the Exploit Prevention Labs blog. Interestingly, of the domains we have identified that are compromised to point to the GPack attack site, 70% are hosted by the same ISP. The same is true for some of the other attacks listed above - targeting server farms is an effective strategy for the attackers.

The grouping within the compromised pages is not surprising; it simply reflects the coordinated attacks that are taking place. Also not surprising (though perhaps less well known) are the relationships between some of the groups. This is particularly evident when you monitor certain redirect sites over time. As speculated previously, it is not unlikely that these sites are used to make money by selling ‘traffic flow’ (attackers essentially paying for victims to be directed to their attack sites for a period of time).

From a protection standpoint, this sort of data is important. It lets us focus on the most important parts of the attack in order to provide the maximum protection to customers. As you can see from this recent Troj/Unif-B activity, the attack and control sites are the critical elements to identify. We are then able to block requests to the malicious URLs, and monitor the content they host to ensure we retain appropriate detection.
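The analysis described in this post (group compromised pages by the iframe target the injected script loads, classify each target as an attack site or a redirect site, work out each campaign’s share of the compromised domains, and check how concentrated their hosting is) is the kind of thing that is worth scripting so it can be rerun as new records arrive. The following is an added example of that pipeline, not SophosLabs’ code or data: the records, hosting providers, target hosts and campaign labels are all constructed, and the target catalogue stands in for whatever prior analysis has established about each site.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed records standing in for the automation output described in the
# post: (compromised page, iframe target the injected script loads, hosting
# provider of the compromised domain). All values are made up.
RECORDS: List[Tuple[str, str, str]] = [
    ("http://shop-a.example/index.html", "http://attack-1.example/in.cgi?3", "isp-x"),
    ("http://shop-a.example/cart.html",  "http://attack-1.example/in.cgi?3", "isp-x"),
    ("http://blog-b.example/",           "http://attack-1.example/in.cgi?3", "isp-x"),
    ("http://forum-c.example/view.php",  "http://redirect-1.example/r.php",  "isp-y"),
    ("http://news-d.example/",           "http://redirect-1.example/r.php",  "isp-y"),
    ("http://club-e.example/",           "http://gpack-site.example/go",     "isp-x"),
    ("http://club-e.example/about.html", "http://gpack-site.example/go",     "isp-x"),
    ("http://pics-f.example/",           "http://gpack-site.example/go",     "isp-x"),
    ("http://pics-g.example/",           "http://gpack-site.example/go",     "isp-x"),
    ("http://site-h.example/",           "http://gpack-site.example/go",     "isp-w"),
    ("http://site-i.example/",           "http://unknown-h.example/x",       "isp-w"),
]

# Catalogue of target hosts already analysed: a campaign label plus whether the
# host serves exploits itself ("attack") or only forwards traffic ("redirect").
# Hypothetical labels for the example.
TARGET_CATALOGUE: Dict[str, Tuple[str, str]] = {
    "attack-1.example":   ("dropper-campaign", "attack"),
    "redirect-1.example": ("tibs-redirectors", "redirect"),
    "gpack-site.example": ("gpack", "attack"),
}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def summarise(records=RECORDS):
    """Group compromised domains by the campaign their iframe target belongs to."""
    pages = {page for page, _, _ in records}
    domain_targets = defaultdict(set)   # compromised domain -> target hosts
    domain_isp: Dict[str, str] = {}
    for page, target, isp in records:
        domain = host_of(page)
        domain_targets[domain].add(host_of(target))
        domain_isp[domain] = isp

    campaign_domains = defaultdict(set)  # campaign label -> compromised domains
    campaign_kind: Dict[str, str] = {}
    for domain, targets in domain_targets.items():
        for target in targets:
            label, kind = TARGET_CATALOGUE.get(target, ("unclassified", "unknown"))
            campaign_domains[label].add(domain)
            campaign_kind[label] = kind

    total = len(domain_targets)
    report = {"pages": len(pages), "domains": total, "campaigns": {}}
    for label, domains in campaign_domains.items():
        # Hosting concentration: does one provider host most of this campaign's victims?
        isps = Counter(domain_isp[d] for d in sorted(domains))
        top_isp, top_count = isps.most_common(1)[0]
        report["campaigns"][label] = {
            "kind": campaign_kind[label],
            "domains": len(domains),
            "share": round(100.0 * len(domains) / total, 1),
            "top_isp": top_isp,
            "top_isp_share": round(100.0 * top_count / len(domains), 1),
        }
    return report


def block_list(records=RECORDS) -> List[str]:
    """The hosts worth blocking: every iframe target, attack and redirect alike."""
    return sorted({host_of(target) for _, target, _ in records})


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(), indent=2))
    print(block_list())
```

Two design points carry over from the post. Shares are computed per compromised domain, not per page, so a large site with many injected pages does not inflate a campaign’s apparent size. And the block list is built from every target regardless of classification, because an unclassified target is still the element that delivers the attack and is the cheapest thing to cut off while analysis catches up.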


Fake shooting scam used in Trojan attack

Earlier this morning SophosLabs noticed a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a spy Trojan. We saw several spam messages alerting users to the supposed shooting of the e-Gold founder, for example:

[Screenshot: egt.png]

A variety of domains have been used in the scam. Browsing to any of the domains redirects to a malicious page on another server. This page contains malicious JavaScript which attempts to install a Trojan on the victim’s computer. Fortunately, the malicious script is proactively detected as Mal/ObfJS-B. The script attempts to exploit several client-side vulnerabilities in order to download and install a Trojan (click image to enlarge).

[Screenshot: egt-tree_sm.png]

The Trojan is detected by runtime HIPS protection as HIPS/FileMod-005:

[Screenshot: egt-hips.png]

Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ.

This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims. Such cases provide perfect illustrations of the need for quality security solutions, encompassing anti-spam, web content inspection, URL filtering and runtime protection technologies in addition to ‘plain old’ file scanning.


Swim in $$$ = Swim with Sharks!

“Im ************, i swim in money $$$
I want you to swim with me!!! send this file to all friends and join me!!”

[Image: blog.jpg]

If you are swimming with Troj/Nymod-A and looking at what appears to be a random picture of some person (:P), you are definitely swimming with the sharks. Troj/Nymod-A drops a file called ^^^^^.exe (proactively detected by Sophos as Mal/Basine-C) and sets it to autostart every time you reboot your computer. File ^^^^^.exe has process monitoring which simply respawns it if you kill the process running ^^^^^.exe. Finally it tunnels through your firewall and contacts a remote server whose domain ends in “.ru”! This has opened your computer to the $$$ sharks, who might steal information from you, or steal your computer’s resources = $$$ for them.


Evolving Pushdo - Mutant of the Future

We’ve seen continued activity from the author of Pushdo this year, with new variants being pushed out on a regular basis, usually by spam.

One of the latest tricks we’ve seen them use is to make unusual API calls with the intention of them failing with particular error codes, and then feed those error codes into some maths to generate the key which Pushdo then uses to decrypt its executable payload.

Pushdo API Calculations

This sort of technique seems deliberately aimed at throwing off the majority of emulators, since it’s unlikely that they would know to fail with exactly the right error codes all the time, which would then lead to the wrong decryption key being used, resulting in a garbled string of bytes instead of an embedded executable file.

It’s also noteworthy that Mr Pushdo has changed the way he structures his code. In the past a Pushdo Trojan would decrypt a file into memory and pass execution to it; that file would then drop two .sys files to disk and usually another executable into memory (all of these injected and dropped components were Pushu Trojans). This convoluted process of one file dropping another file dropping more files is described some more here, but it was obviously a little unwieldy, and droppers within droppers inflate the size of the malware code somewhat.

This may explain his current approach - recent Pushdos decrypt a file into memory as before, but this file is relatively small and doesn’t carry other files around within its body - instead it contacts a remote IP address and downloads data that it splits up into files and drops to disk (usually to the Temp folder) or into memory (typically injecting it into svchost.exe). This means the original executable file he seeds out is smaller, and he can also change what files get downloaded and dropped or injected with greater ease.

Of course from our perspective though it’s much the same - the file that gets dropped into memory and all the files that get downloaded are detected as Troj/Pushu-Gen.

It’s clear Pushdo and Pushu will continue to evolve, not just from trends we’ve seen so far but also from clues left to us by the author - strings inside recent variants refer to corresponding debug symbol files with names including “Back to the Future”, “Future Generation” and “Mutant of the Future”. As with all malware authors, this one needs to get out more.

Mutant of the Future


Style over content - new Mac scareware emerges

Troj/MacSwp-B is a standard piece of scareware, only notable because it is one of the few examples that has been written for Mac OS X. The author has made a little effort with the presentation, to ensure that it looks slick enough to fit in with other Apple Macintosh applications. But they would do better to have someone check their spelling:

iMunizator - Scanning Universal Binnaries

The word “iMunizator” is questionable, but “binnaries” is indubitably wrong. This is the sort of mistake commonly made by phishers - and just like in phishing emails, it provides a big warning to the user that something is not right. Any threat detection tool that requests users to pay a subscription should have a thorough enough quality control procedure to weed out simple errors like this one.


Speed up your PC! for FREE!

What’s the easiest (and cheapest) way to get a faster computer? Delete Windows of course!

At least, that’s the joke that’s been going around probably since the advent of Windows 95 in the mid 1990’s. Thankfully, the more recent incarnations of the Windows operating system have improved significantly on their predecessors and this old jest becomes a lot less funny as it ages.

However, the performance of Windows still remains a thorn in the side of newer computer users. Typically, these users have had their new computer for a year or so, and, while suitably impressed with its performance initially, have watched it slowly grind to a halt as numerous tools and applications insist on clogging up their system drive with poorly written uninstallers, gigabytes of temporary files and those annoying startup agents that load with Windows and sit resident in memory just in case they’re needed.

It’s common, then, for these users to turn to third party tools to clean up their computers. For the most part, these tools work pretty well. However, these programs are not always what they seem. Take, for instance, the tool pictured in the screenshot below.

[Screenshot: main1.JPG]

To an unsuspecting computer user, this software looks like the perfect thing to clean up their computer. It appears simple, easy to use, small and free. Just the sort of thing we’re looking for, right? Wrong! This tool will “optimise” your computer by deleting a lot of critical system files. The end result is that your computer is rendered unbootable and you’re left hoping that you have made a full system backup recently. Luckily, this malicious program is detected by Sophos as Troj/Sysdel-B, so customers are automatically protected against this nasty piece of work.


Watch football - get infected.

Excuse the title - we have previously had ‘Get married…’, ‘Get a visa…’, ‘Get a domain…’, so I thought it was appropriate.

Recently SophosLabs identified a malicious script on the website of a European ticket re-sale company, currently building up to selling tickets for the forthcoming Euro 2008 championships.

[Screenshot: e2008-scr.png]

The site has been compromised in an attempt to create a classic drive-by download attack. Attempting to purchase tickets through the site will expose the user to a malicious script embedded in the pages (detected by Sophos as Mal/ObfJS-R). The script is intended to load further malicious content from a remote site. However, initial analysis suggests the script is somewhat buggy, perhaps broken whilst being obfuscated?

[Screenshot: e2008-err.png]

So, for now, users may not become infected when browsing the site (in some browsers at least). Just as well. The site is likely to attract high numbers of visitors as the championships get closer, and I have had no luck in trying to resolve the issue (contact via email and telephone has thus far been fruitless). Using search engines to find a suitable ticket vendor shows the site has quite a high ranking, including a presence amongst the sponsored links.

It is not the first time we have seen a sporting event involved in an attack - shortly before the 2007 Super Bowl the web site of the Miami Dolphins was compromised in order to infect victims logging on in the days leading up to the event. The Super Bowl attack was almost certainly targeted, timed just before the event. In contrast, the Euro 2008 ticket site has most probably not been specifically targeted, but caught up in a larger, widespread attack.

As we have said many times before, gone are the days when being careful about where you browse is sufficient. The huge number of legitimate sites being compromised presents a risk to all of us, even those that are careful.


Secunia website

I’ve had a number of queries recently about the Secunia website.

Secunia is a provider of security and vulnerability research and information, and one of the lists of data they provide is a chronological list of the latest viruses and malware, such as this one:

Example of the Secunia Chronological Virus List

However, eagle-eyed customers and prospects have noticed that Sophos have not appeared in any of these lists since March 4th. This is the date when we launched the updates to both our alerting process (we now send a summary email at the end of the day, rather than an email every time we send out an update) and our web site.

Unfortunately, the team at Secunia were relying on certain pages on the Sophos website being available, so their method for updating their own website has broken. I’ve been in contact with Secunia and they hope to resolve the issue soon.

In the meantime, if anyone wants to know what updates have been sent out in the last 24 hours, it can be found here, or better still, if you wish to receive a daily summary of the protection provided, here. Or get all the latest information via our various RSS feeds.

*** Update ***
The Secunia website is now back to normal.


Steer clear of peer-to-peer…

An interesting area of research is finding malware samples scattered about the internet. The aim is to find samples and ensure we provide detection before any of our customers are affected. There are several different ways to go about this ranging from custom web crawlers, peer-to-peer (P2P) clients and even search engine results. Unfortunately it doesn’t take a lot of effort to find something of interest.

One of the simplest ways the bad guys can try to distribute their malware is by using P2P networks. P2P networks such as KaZaA and Gnutella are file sharing systems and typically host, possibly illegal, copies of MP3s, films and software. These networks might seem like an odd choice to spend time researching, since the primary users of these networks are probably under the age of 14. The point is that they are simply a distribution system, and the chances are high that malware found on these networks will also appear in other locations. P2P networks are also relatively easy to crawl.

Within a P2P client we did some keygen-related searches. Keygens (key generators) are programs that generate valid serial numbers or registration codes for applications, so they are essentially used by software pirates. A couple of searches we carried out were:

Sophos keygen
Linux keygen

These are ridiculous searches since no Sophos product uses this type of registration model and Linux certainly doesn’t! They did however turn up some (not so unexpected) results:

Troj/Agent-GGQ
PlayMP3z Installer
Troj/Agent-GFL (twice)

On this occasion we found some Trojans and adware installers that are getting on for 5 months old – nothing too exciting but it highlights the price you pay for trying to steal software.

Sophos customers will probably be aware that they can prevent access to P2P networks using Application Control and I’d strongly recommend using it if you aren’t already. Groups such as FAST (The Federation Against Software Theft) are dedicated to prosecuting those involved in software theft so the last thing you want to find is an illegal repository of copyrighted material on your corporate servers.

Here in SophosLabs we can only see a few legitimate uses of P2P networking software in a corporate environment and even then, only for certain staff. If you disagree and actually use P2P networks for legitimate reasons, why not let us know by emailing us.