Sophos

Archive for June, 2008

SQL attacks: now using .MOBI domains and installing scareware

Every day, I look through the domains we detect as Troj/Iframe-AG because they are the domains associated with the SQL injections that have been plaguing the web over the last few months (1, 2, 3 and 4).

This morning I saw three domains making use of the .MOBI TLD. The use of a .MOBI TLD is unusual and I was going to talk about all the possible new TLDs that people could use in the future (following the ICANN meeting last week). However, something more interesting was spotted.

Quickly visiting these sites to see if they were legitimate, we (Fraser and I) noticed that the root of each site attempted to load a script ‘AD.JS’. This in turn attempted to load another website - a fake anti-virus install site. The site pretends to do an online virus scan:
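The injected script tags that lead to sites like these end up inside stored field values of the compromised site, so they are echoed wherever that data is rendered, often inside attribute values where a DOM parser would never report a script element. The following is an added example (not Sophos code, and not the AD.JS script itself) that scans raw page markup for every script include, lists the ones not served by the site itself, and flags those on a watch list of top-level domains such as .MOBI. The page content and domain names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: the TLDs the analyst wants to be told about (the post's .MOBI sightings).
SUSPECT_TLDS = {"mobi"}

# Match the src of any <script ...> tag in the raw markup. A regex over the raw
# text is used deliberately: injected tags that land in stored field values are
# often echoed inside attribute values, where a DOM parser would not see a
# script element at all.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""",
    re.IGNORECASE,
)


def script_sources(html):
    """Every script src value found in the markup, in document order."""
    return [a or b or c for a, b, c in SCRIPT_SRC_RE.findall(html)]


def external_script_hosts(html, site_host):
    """Hostnames of script includes not served by the site itself, de-duplicated, in order."""
    seen = []
    for src in script_sources(html):
        host = urlparse(src).hostname
        if host is None:            # relative path: served by the site itself
            continue
        host = host.lower()
        if host != site_host.lower() and host not in seen:
            seen.append(host)
    return seen


def flagged_hosts(hosts, suspect_tlds=SUSPECT_TLDS):
    """Subset of hosts whose top-level domain is on the watch list."""
    return [h for h in hosts if h.rsplit(".", 1)[-1] in suspect_tlds]


# Constructed page: one first-party include, one ordinary third-party include,
# and an injected tag that ended up inside a title attribute. The domains are
# made up for the example.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="/news/1" title="Results<script src=http://example-ad.mobi/ad.js></script>">Results</a>
</body></html>"""


def audit(html=SAMPLE_HTML, site_host="www.example.org"):
    """External script hosts on the page and the subset flagged by TLD."""
    hosts = external_script_hosts(html, site_host)
    return hosts, flagged_hosts(hosts)


if __name__ == "__main__":
    ext, flagged = audit()
    print("external script hosts:", ext)
    print("flagged by TLD:", flagged)
```

Run against the constructed page, the audit reports `cdn.example.net` and `example-ad.mobi` as external includes and flags only the .mobi host; the same scan over a crawl of a site's pages is a cheap way to spot an injected include before a visitor's browser does.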

xp-sec-center.png

Subsequently, a bogus warning message is displayed, saying that one or more of the following have been detected:

  • Trojan.Bakloma.A
  • Win32.Gattman.A
  • Trojan.Zapchas.F
  • JS.Blackworm.A
  • Trojan.Tibs.E
  • Win32.Netsky.P@mm
  • Trojan.Winsys
  • Trackware.Adctech2006
  • Downloader.TrafficSector
  • Adware.Roings

xp-sec-center2.png

After this, the user is encouraged to download and run an executable (installer.exe). This file is pro-actively detected as Mal/Packer.

If the installer is run, it installs more malicious files on the victim machine - pro-actively detected as Troj/FakeAV-AA.

Unlike other examples of scamware we have previously blogged about, this version does not seem to install any Mac related malware.


Viral Versioning

We’ve seen increased numbers of viruses this year, not least from the Sality family, and that’s included a fair amount of battling with corrupt infections (1, 2). But while analysing the code, I was reminded of an unusual quirk of this set of viruses - they contain code versions.

I actually worked on the first Sality samples as a more junior analyst back in 2003, when the viruses were relatively simple prependers. This is the string I saw:

Sality - KUKU 1.09

As you can see, the virus actually calls itself “KUKU”, which apparently means “hide and seek” or “peek-a-boo” in Russian, and HLLP means it’s a High Level Language Parasitic (or sometimes Prepender) virus. Along with an antagonistic message to the poor infected user, the author’s even had time to sign his work - this is by someone who calls themselves “Sector”.

A few months and a few variants later, we saw this:

Sality - KUKU 2.04

Fast forward 5 years, and Sality has become a much more complicated beast. It can infect in a variety of different ways, from adding itself to a new final section to storing some of its code in existing slackspace, from changing the host’s entry location to mid-infecting the host’s code. The more recent variants have added varying new tricks into the equation, including dummy API calls to try to throw off emulators. Here’s an example of a recent version string:

Sality - KUKU 5.00

Gone is the message, gone is the HLLP, gone is the reference to “Sector”. What we have here is clearly an alpha version of the new wave of viruses.

A few more variants down the line, we saw this:

Sality - KUKU 5.04

So it’s still in the 5 series, but moved from alpha to exp (probably for “experimental”). Perhaps Sector isn’t in charge of producing these any more, though my guess is that he probably is - while the code has got more complicated in 5 years, the general style seems much the same. It’s a shame he hasn’t found anything more productive to do with his time.
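Version markers like these are useful for triage: pulling the string out of each sample and grouping by series shows at a glance which branch of the family a batch belongs to. The following is an added example, not Sophos tooling, that extracts the "Sality - KUKU X.YY" marker from raw sample bytes. It assumes the marker may be followed by a stage token such as "alpha" or "exp" as the post describes for the 5.x series (only the numeric part appears on the page), and the sample buffers are constructed, not real file contents.

```python
import re

# Assumption: "Sality - KUKU <major>.<minor>" optionally followed by a stage
# token ("alpha", "exp"). The numeric form is on the page; the suffix layout
# is assumed from the post's description of the 5.x samples.
VERSION_RE = re.compile(rb"Sality - KUKU (\d+)\.(\d+)(?:[ \t]+(alpha|exp))?")


def find_versions(data):
    """Every version marker in a byte blob as (major, minor, stage) tuples."""
    found = []
    for m in VERSION_RE.finditer(data):
        major, minor, stage = m.groups()
        found.append((int(major), int(minor), stage.decode() if stage else None))
    return found


def series(version):
    """The major number identifies the series (1.x, 2.x, 5.x)."""
    return version[0]


def newer(a, b):
    """True if a is a later version than b. Compared as integer tuples, so
    '5.04' is (5, 4) rather than the float 5.04, and 5.10 sorts after 5.04."""
    return (a[0], a[1]) > (b[0], b[1])


# Constructed sample buffers standing in for file contents.
SAMPLES = {
    "sample_a.bin": b"\x00\x01junk Sality - KUKU 1.09 HLLP more\x00",
    "sample_b.bin": b"xxSality - KUKU 5.00 alpha\x00",
    "sample_c.bin": b"Sality - KUKU 5.04 exp\x00\xff",
    "sample_d.bin": b"no marker here",
}


def triage(samples=SAMPLES):
    """Map each sample to its first version marker (None if absent) and bucket by series."""
    by_sample = {}
    by_series = {}
    for name, data in samples.items():
        versions = find_versions(data)
        first = versions[0] if versions else None
        by_sample[name] = first
        if first is not None:
            by_series.setdefault(series(first), []).append(name)
    return by_sample, by_series


if __name__ == "__main__":
    per_sample, per_series = triage()
    for name, ver in per_sample.items():
        print(name, ver)
    print("series buckets:", per_series)
```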


Crime is winning the day

Just a typical day at Sophoslabs. I wouldn’t say quiet exactly, because we never are these days, but nothing especially new, just variations on familiar themes. On the spam front there’s been a large number of phishing campaigns as usual. The volume of fraudulent spam we see on a daily basis is really quite remarkable and it seems to have been on a steady increase.

Similarly we’ve seen a steady increase in the percentage of malware executables whose aim is to pilfer funds. We’ve seen a steady increase in keyloggers and password stealing Trojans that aim to capture logon details for internet banking sites (and other sites such as eBay) and email this information to a remote location. We’ve also seen an increase in fraudulent applications whose aim is purely to coerce users into paying for a registered version of the (otherwise useless) application.

I’ve been working as a virus analyst for 8.5 years now and during that time I’ve seen trends in malware evolve and change as you would expect. However in the last couple of years I think there’s been a very significant change in the malware landscape, a significant change of emphasis born mostly from the growth of the WWW. In the past - not that many years ago - malware was mostly the product of rebellious youngsters who wanted some respect from their peers. Now a large percentage of malicious executables seem to be the product of organised crime.

It seems the internet is becoming a hot-bed of crime and I’m not sure the police authorities of the world are coping.


Must reads: If you do anything today…

Two recently published articles are definitely worth a read.

Microsoft SQL Injection advisory
In a previous post [1], I discussed the fact that the recent surge in SQL injection attacks warranted more attention, to alert administrators to the issue. Without some form of alert, the work required to assess pages and update to defend against the attacks simply would not be scheduled. This week I am pleased to see that Microsoft have released an advisory (954462) [2].

Where does all the bad stuff come from?
An interesting report from StopBadware.org has been published [3] which highlights the network blocks responsible for hosting the bulk of the malicious sites. Perhaps unsurprisingly, China tops the list, hosting 52% of the malicious sites. The data they report reflects quite closely what we have been seeing, and reported in our 2008 threat report [4].

Out of curiosity, I took another look at the last 25 domains we have identified that are hosting the malware loaded by the script tags inserted into legitimate pages in the SQL injection attacks, and probed where they were hosted. Interestingly, China does not feature here - the USA tops the list, closely followed by Venezuela and Canada. Why is this? Most likely because these sites are being hosted on compromised machines - we have already reported that several of the domains have been identified as using fast-flux techniques [5].

host-sql2.png

Note: these are the countries hosting the sites from which the malicious content is loaded. Previously [6], I looked at the countries hosting the sites that have been hit by the injection attacks.


Game, set and match.

Today is the first day of Wimbledon 2008, one of the four grand slams. With a large global audience, viewing figures for these top tournaments are huge. Similarly, the volume of users browsing the various web sites associated with world tennis is also large.

Last week, a web site for one of the professional players associations was compromised. Yes, regular readers, you guessed it - via an SQL injection attack [1,2,3]. We contacted them, and they are working on fixing the issue. In my opinion not fast enough for a site that attracts a few thousand visitors each day (according to its Alexa stats). At the time of writing the site is still serving up the malicious script tags.

Today, I noticed another major tennis-related site had been hit, this time one associated with the administration of the game. We have contacted the administrators of the site and advised them of the issue. Given that over 20,000 users per day browse the site (according to Alexa stats), let’s hope they are quick to resolve the issue.

For site administrators, such defacements present an interesting dilemma, where keeping the site up and protecting visitors from malicious code are “balanced”. Personally, I believe that affected sites should be taken down, or made safe as soon as the problem is known. Knowingly exposing users to malicious code for the sake of keeping a site up, even if people are actively working on cleaning the database(s) up, is all too common.
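"Cleaning the database(s) up" after one of these injection attacks means finding every text cell that now carries an appended script tag, across every table, and stripping it. The following is an added example, not code from Sophos or from either affected site, that does exactly that audit against a SQLite database: it walks the schema, queries each text-affinity column with a bound search value, reports the hits, and removes the tags. The table layout, row contents and the `malicious.example` domain are constructed for the example; a site's real schema would have far more tables, which is the point of driving the scan from the schema rather than from a hand-written list.

```python
import re
import sqlite3

# The mass SQL injection campaigns appended <script src=...></script> to text
# columns; this pattern finds such a tag wherever it sits inside a cell.
INJECTED_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def text_columns(conn, table):
    """Column names whose declared type has TEXT affinity (CHAR/CLOB/TEXT)."""
    cols = []
    for _cid, name, decl_type, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
        t = (decl_type or "").upper()
        if "CHAR" in t or "CLOB" in t or "TEXT" in t:
            cols.append(name)
    return cols


def find_injected(conn):
    """(table, column, rowid, matched tag) for every text cell containing a script tag."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in text_columns(conn, table):
            # Table and column names come from the schema, not from user input,
            # so they are quoted as identifiers; the search value is bound.
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",))
            for rowid, value in rows:
                for m in INJECTED_TAG_RE.finditer(value):
                    hits.append((table, col, rowid, m.group(0)))
    return hits


def remove_injected(conn):
    """Strip the injected tags found by find_injected; returns the number of cells cleaned."""
    cleaned = 0
    for table, col, rowid, _tag in find_injected(conn):
        (value,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        new_value = INJECTED_TAG_RE.sub("", value)
        if new_value != value:
            conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (new_value, rowid))
            cleaned += 1
    conn.commit()
    return cleaned


def build_sample_db():
    """In-memory database with constructed content standing in for a hacked site's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE players (id INTEGER PRIMARY KEY, name VARCHAR(64), bio TEXT, ranking INTEGER);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT);
    """)
    tag = "<script src=http://malicious.example/ad.js></script>"  # placeholder domain
    conn.executemany("INSERT INTO players (name, bio, ranking) VALUES (?, ?, ?)", [
        ("A. Player" + tag, "Turned pro in 2001." + tag, 12),
        ("B. Player", "Won three titles.", 3),
    ])
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Draw announced" + tag, "The draw for the main event is out." + tag),
        ("Weather update", "Play suspended due to rain."),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_injected(db):
        print("injected:", hit[:3])
    print("cells cleaned:", remove_injected(db))
    print("remaining:", find_injected(db))
```

The audit only answers the question the dilemma turns on, namely whether the site is still serving the tags; it does not close the injectable parameter that let them in, which is a separate fix to the application code.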

For the time being it is clearly still “Advantage, Attackers”.


Storm is not gone

On this quiet Sunday one thing worth mentioning is definitely a new Storm campaign that was spotted in our traps about an hour ago. This time the social engineering technique combines adverts for alleged pornographic content hosted on a compromised server with a fake anti-spyware software installation.

The campaign is, as usual, seeded by a large number of email messages containing a link to the compromised web server. If the URL link in the Storm email is followed, a fake anti-spyware warning will be displayed inside the browser window. The warning looks fairly similar to the genuine Windows alert and may entice the unsuspecting user to install the ‘free’ anti-spyware repair tool.

Soon after the initial fake warning the download of the Trojan will be attempted.

storm20080622_1.jpg

The detection of this variant seems to be quite good throughout the AV industry. Sophos detects this variant proactively as Mal/EncPk-DA.


Poetic spam? damn..

We’ve recently seen an unusually poetic attempt at drawing people in to the ‘get rich quick’ scams in our spam queues. Someone seems to have actually put a little effort in here:

Time is getting short, so you can’t afford to dally and linger.
After launch a 100,000+ will laugh and give you the finger.

They are in a position to, they made the correct choice.
Joined FREE and are now awaiting July to start to rejoice.

Our lifestyle and plans are defined by the choices we make.
Quite often by the chances we at times are prepared to take.

If you join FREE now in July you will have in you possession.
A simple easy way that will assist you to stave off recession.

All you have to do is sign up to take your place recruit two.
Keep recruiting in twos this means extra shares in $1.000,000 for you.

Well, it makes a change I suppose. It doesn’t matter how they dress it up though, a scam is still a scam, and Sophos still blocks it as spam.


Install Anti-Virus Software on a Webserver? No need mate!

When we contact the owners of websites that have been hacked to serve up malware, we often encounter the response “Install Anti-Virus Software on a Webserver? No need mate!”. This response is fairly common, and not just from the Linux and Mac zealots.

However, installing anti-virus software on your webserver can prevent the need for you to wipe egg off your face at a later stage.

We are currently tracking a malware/porn spam campaign that is exploiting hacked webservers to host the malware.

The spam message has a list of newsworthy subjects that are used for both the subject line and the message body, for example:

message.jpg

The message body also contains a link to a hacked site that when opened displays a website containing porn and some malicious software.

A list of potential subjects

Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston's MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don't belittle the effects of power enlargement
Don't let old age shrivel away your self esteem when you can maintain with herbal supplements
Don't panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men's health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life

The hacked websites serve a page with highly salacious content. The page is made up of pornographic images that link to ‘videos’ [a large naturist image and several smaller images of adult content]. The ‘videos’ are actually a malicious executable hosted on the hacked servers, detected as Mal/EncPk-DA. A webserver running anti-virus would have caught the ‘videos’, alerting the administrator to the hack!

This morning, to generate the list of ~40 subjects, I downloaded ~1000 message bodies. Those message bodies had ~80 unique links to hacked sites. As you can see below, the bulk of these sites are running Apache. As I write, 25% of the sites are still actively serving up malware.
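The procedure in the paragraph above (pull the links out of a batch of message bodies, reduce them to unique hosts, then see what server software each host reports) is easy to script. The following is an added example, not the script used at SophosLabs: it extracts and de-duplicates links from message bodies and tallies the product token of each host's `Server` header. The message bodies are constructed, and because the example runs offline, the `Server` headers are supplied as a constructed lookup table standing in for the HEAD requests one would actually send; the `.example` hostnames are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_links(bodies):
    """Unique URLs across the message bodies, preserving first-seen order."""
    seen = []
    for body in bodies:
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;:!?)")      # trailing punctuation is not part of the link
            if url not in seen:
                seen.append(url)
    return seen


def unique_hosts(urls):
    """Lower-cased hostnames of the URLs, de-duplicated, in first-seen order."""
    hosts = []
    for u in urls:
        h = urlparse(u).hostname         # urlparse lower-cases the host for us
        if h and h not in hosts:
            hosts.append(h)
    return hosts


def server_product(server_header):
    """Product token of an HTTP Server header: 'Apache/2.2.3 (CentOS)' -> 'Apache'."""
    if not server_header:
        return "unknown"
    return server_header.split()[0].split("/")[0]


def tally_servers(hosts, server_headers):
    """Count server products across the hosts; hosts with no header count as 'unknown'."""
    return Counter(server_product(server_headers.get(h)) for h in hosts)


# Constructed message bodies; two of them repeat the same link.
BODIES = [
    "Big news today, full story at http://victim-one.example/video.php?id=12 and more.",
    "You will not believe this: http://victim-two.example/news/index.php.",
    "Watch it now http://victim-one.example/video.php?id=12",
    "Exclusive footage HTTP://Victim-Three.example/",
]

# Constructed stand-in for the Server header each host returned; the third
# host did not answer, so it has no entry.
SERVER_HEADERS = {
    "victim-one.example": "Apache/2.2.3 (CentOS)",
    "victim-two.example": "Apache/1.3.41 (Unix)",
}


def run(bodies=BODIES, server_headers=SERVER_HEADERS):
    urls = extract_links(bodies)
    hosts = unique_hosts(urls)
    return urls, hosts, tally_servers(hosts, server_headers)


if __name__ == "__main__":
    urls, hosts, tally = run()
    print(len(urls), "unique links,", len(hosts), "unique hosts")
    print(dict(tally))
```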

pie.jpg

Why aren’t these webservers running anti-virus? You tell me sophosblog@sophos.com.


RECon’08 wrap-up


recon_08

Several analysts from Sophos recently attended the RECon’08 Reverse Engineering conference held in Montreal. Although not an “anti-virus industry” conference, the quality of trainers, presenters and delegates was outstanding and gave us a chance to mingle and talk to other reversers, sharing an occasional “trick” or two.

Several of the talks were of particular interest, like Bruce’s talk about Targeted attacks with Office Documents - something that I’ve blogged about here. Other valuable talks included writing IDA plugins, unpacking, deobfuscation and RE techniques.


Breaking (malware) news: New earthquake in China! Olympic games under threat of failure!

With the Olympic games in Beijing a little over a month away, spammers and malware authors are coming up with new campaigns to take advantage of this highly anticipated event. Today, we received a new spam campaign that reports a “new powerful disaster” in China, which threatened to derail the upcoming Olympic games.

A message sample is shown below:

Fake China earthquake spam message

The message claims that an earthquake has just occurred in China, and provides a link to a .cn domain for users to obtain extra information. When a user visits the site, they’re shown the following page:

Fake China earthquake malware site

The message on the site claims that a 9.0 Richter scale earthquake has hit Beijing and caused millions in casualties. To see additional details, a user may open or run the video. With the recent China earthquake in Sichuan still fresh in people’s memory, many would open the file without a second thought. Unfortunately, instead of an online video as it appears to be, opening the link will actually execute the .exe file beijing.exe. Needless to say, the file contains malware and delivers a malicious payload.

Looking into this campaign, the .cn domains linked by the spam messages are likely part of a botnet. Each query to the nameservers for these domains returns a different IP address, indicating fast-flux behavior. The domains also serve webpages using the same web server seen in a number of botnet campaigns.
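The fast-flux observation above, and the same observation about the SQL injection hosting domains in the earlier "Must reads" post, rest on one measurement: repeated lookups of the same name return different addresses, spread across unrelated networks, with short TTLs. The following is an added example, not Sophos tooling, that applies that heuristic to a set of DNS observations. The observations are constructed (the addresses are documentation ranges, the domain names are placeholders) and the thresholds are assumptions a practitioner would tune against their own lookup data.

```python
from ipaddress import ip_network
from statistics import mean

# Constructed DNS observations: (domain, ttl_seconds, [A records]) for repeated
# lookups of the same name over a short period. Addresses are documentation
# ranges, not real hosts.
OBSERVATIONS = [
    ("quake-news.example", 300, ["198.51.100.7", "203.0.113.40"]),
    ("quake-news.example", 300, ["192.0.2.77", "198.51.100.201"]),
    ("quake-news.example", 240, ["203.0.113.9", "192.0.2.150"]),
    ("quake-news.example", 300, ["198.51.100.33", "203.0.113.222"]),
    ("static-site.example", 86400, ["192.0.2.10"]),
    ("static-site.example", 86400, ["192.0.2.10"]),
    ("static-site.example", 86400, ["192.0.2.10"]),
]


def summarise(observations, domain):
    """Distinct addresses, distinct /24 prefixes and mean TTL seen for one domain."""
    ttls = [ttl for d, ttl, _ in observations if d == domain]
    ips = {ip for d, _, answers in observations if d == domain for ip in answers}
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {
        "lookups": len(ttls),
        "distinct_ips": len(ips),
        "distinct_24s": len(prefixes),
        "mean_ttl": mean(ttls) if ttls else None,
    }


def looks_fast_flux(summary, min_ips=5, min_prefixes=3, max_ttl=900):
    """Heuristic (thresholds are assumptions): many distinct addresses spread
    across several networks, handed out with short TTLs."""
    return (summary["distinct_ips"] >= min_ips
            and summary["distinct_24s"] >= min_prefixes
            and summary["mean_ttl"] is not None
            and summary["mean_ttl"] <= max_ttl)


def classify(observations=OBSERVATIONS):
    """Map each domain in the observations to (summary, fast-flux verdict)."""
    domains = []
    for d, _, _ in observations:
        if d not in domains:
            domains.append(d)
    return {d: (summarise(observations, d), looks_fast_flux(summarise(observations, d)))
            for d in domains}


if __name__ == "__main__":
    for domain, (summary, verdict) in classify().items():
        print(domain, summary, "fast-flux" if verdict else "stable")
```

A single lookup cannot make this call; the heuristic needs the same name resolved repeatedly, which is why a resolver log or a scheduled lookup is the natural data source. Hosts answering from a constantly changing set of residential addresses are the reason the earlier post found the USA, Venezuela and Canada rather than a hosting provider's network at the top of its list.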

The spam messages for this campaign were blocked automatically as soon as they started to appear. The malware .exe is detected as W32/Nuwar-E.