Sophos

Archive for August, 2008

“Yahoo Award” means less cash for you

Today I came across this phishing attempt that a customer had submitted to us. Now while a sharp eye can detect all the errors, it’s not a bad job.

[Image: Yahoo Awards scam phishing e-mail]

Here are just a few of the errors we found:

1) If this was indeed Yahoo!, surely their logo would be first.

2) Gmail is the American name. It’s GoogleMail in the UK.

3) Doesn’t it seem a bit odd for the form to be sent to a Gmail address?

Feel free to add your own to the list.


Sophos Needs You!

Providing the best protection is not just about detection, but also about making products brilliantly simple to use.

As part of our development process for new Sophos products, the engineering team are running a number of usability workshops for Sophos Enterprise Console (SEC) and our integrated Network Access Control (NAC) solutions.

This is an opportunity not only to visit our Oxfordshire offices, but also to contribute directly to assessing usability. Lunch will be provided, along with a guided tour of SophosLabs and the chance to meet some of the contributors to this blog in person.

If you’re interested and would like to come along, please complete the application form and the beta team will contact you with more details. The SEC workshop will be on the 25th of September and the NAC workshop on the 2nd of October 2008.


Redirection affection.

A few months ago I highlighted the importance of control over user web traffic in today’s attacks [1]. Compromised web sites and spam messages containing URL links are the main ways today in which attackers get user traffic. Once they have this, they can deliver the payload of their choice.

Often the spam messages themselves do not link directly to a malicious site. Instead they link to content hosted on legitimate sites which then redirects the victim appropriately (an old trick to evade anti-spam security products). In this blog I will highlight two good examples of this which we have seen recently.

1. Email & Facebook spam, blog site redirection

A few weeks ago we spotted a fairly aggressive Facebook spam campaign enticing users to visit a site hosted on a popular free blogging site.

[Image: Facebook spam message linking to the blog-hosted page]

Subsequently, we have been seeing other spam (not Facebook) along much the same lines.

[Image: email spam message linking to the blog-hosted page]

In either case, clicking on the link takes you to the blog page, which contains an embedded malicious JavaScript (detected as Mal/Budcr-A). The heavily obfuscated script has a simple role in the attack: redirection. The user is redirected from the blog site to another site where the payload of the attack is delivered. For the Facebook spam, the payload is suspected to be a phishing scam (harvesting the victim's Facebook credentials). For the email spam, the purpose of the attack appears to be selling online medications.

2. Email spam, image hosting site redirection

A second example of redirection was seen in an attack a couple of days ago. Large volumes of spam messages offering free XP and Vista updates were seen, each containing a link to malicious Flash (SWF) files hosted on a free image hosting service.

[Image: spam message offering Windows updates, linking to the SWF file on the image hosting site]

The purpose of the SWF (detected as Troj/SWFDlDr-F) was (you guessed it) redirection. Anyone clicking the link in the spam message would see the following:

[Image: download prompt shown to the victim after the SWF redirect]

Clicking on the ‘Run’ button would infect the victim with (drum roll…) fake alert malware (sigh). Thankfully, variants of this are detected as Mal/EncPk-EU.

These two examples are neither unusual nor particularly unique, just good illustrations of the lengths attackers go to in order to evade detection, trick victims and ultimately make money. The use of SWF files in the latter example is yet another sign of attackers' growing abuse of Flash.


More FakeAlert trickery

The conveyor belt of fake alert malware has continued apace over recent days. As previously reported [1,2,3], the attackers are using a variety of tricks and social engineering in order to infect victims.

In contrast to other malware, where the attackers only need to infect victims, fake alert malware requires a second step to be successful. For the attackers to make money, the victim has to be duped into actually paying to register the product.

This is ordinarily achieved by a never-ending cascade of system tray alerts and pop-up warning messages, all intended to scare the user into paying up. However, I recently noticed some of this malware using other, quite nasty social engineering tricks.

For example, on a machine infected with ‘Antivirus 2009’ (variants of which are being proactively detected as Mal/EncPk-CZ), this is what appears when attempting to access the Microsoft web site:

[Image: fake warning shown when visiting the Microsoft web site]

Or when viewing the Sophos web site:

[Image: fake warning shown when visiting the Sophos web site]

When accessing Google, the user is presented with a particularly realistic warning:

[Image: realistic fake warning shown when visiting Google]

The latter warning is the most cunning of the tricks that I have observed thus far. I suspect it is sufficiently believable to fool many users.


We have hijacked your baby

One of the current malware spammings has an interesting social engineering lure.

[Image: spam message claiming the recipient's baby has been hijacked]

Protecting your family is one of the most primal urges, and social engineering techniques work best when they exploit strong emotions.

How many people will open photo.zip? Only to discover Troj/Resex-Fam.


webmail + anonymizer = 419?

Not too long ago we reported on how GMail's effort to kick “419 fraud” spammers off its network resulted in a noticeable decrease. Clearly this problem is not specific to large webmail providers like GMail or Yahoo!; it is seen across most ISPs that offer webmail services.

For example, I've recently been tracking down a large number of scam e-mails sent through the ISP Free.fr (Proxad):

[Image: sample 419 scam e-mail sent through the Free.fr webmail service]

Thankfully, the webmail system used (Horde IMP) adds an X-Originating-IP header (in addition to the Received chain) which records the IP address from which the sender connected to the webmail interface. In the case of “419/Nigerian” scams these IPs usually point to an Internet cafe network somewhere in Africa. But not this time:

Received: from server.unlockweb.org (server.unlockweb.org [64.22.117.2])
   by imp4.free.fr (Horde MIME library) with HTTP; ...
Subject: Att: Sir/Madam,
X-Originating-IP: 64.22.117.2

The IP in question resolves to the host server.unlockweb.org, a known “free web anonymizing proxy” site. Such “web proxies” are the most common way for end users to bypass web filtering products, and the battle between “proxy owners” and the security labs is becoming increasingly similar to the anti-spam war.

In SophosLabs we constantly update a list of known anonymizing proxy URLs to use in our Sophos Web Appliance products. Each day we automatically discover and classify many dozens of new “proxy URLs” to use on top of the real-time detection technology available in the product.

It’s interesting to see how different aspects of computer security converge and interrelate. Years ago the malware and spam problems were completely separate; today they are two parts of the same problem. Now the “web proxy” owners employ traditional spam techniques (e.g. content obfuscation, domain rotation) to avoid automated detection, and on the other side 419 spammers rely on proxy sites to connect anonymously to the abused webmail servers. Yet another reason for having an integrated security research and response team to deliver the protection data.

ISPs around the world should make a serious effort to eliminate outbound webmail spam from their networks. Failing to do so will erode the reputation of their e-mail networks and eventually cause delivery problems. In this particular case, denying webmail access from known anonymizing proxy sites looks like “low-hanging fruit” to me. It won't solve the problem completely, but it will make the scammers' lives a little harder and may even push them off your network. Further attention should go to efficient handling of abuse reports, limiting the number of outbound e-mails per account, and spam-scanning outbound traffic to flag or prevent the abuse.


Statement of Fees

We’re continuing to see high volumes of Fedex and UPS spam at the moment, and we’ve just started to see a parallel campaign by the same authors with the subject “Statement of fees 2008/09” and the following message body:

Please find attached a statement of fees as requested, this will be posted today.

The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.

The attachment is called Fees_2008-2009.zip and contains a file called Fees_2008-2009.doc______________.exe (the long run of underscores pushes the real .exe extension out of sight in a narrow file-name column, leaving only the fake .doc visible), which we detect proactively as Mal/EncPk-ES.

We’ve seen this same family of malware in campaigns from bogus contractual agreements to flight ticket notifications. Don’t let curiosity get the better of you - don’t open the attachment if you didn’t order the package, or the tickets, or the contract, or the accommodation … or whatever else they’ll come up with next.


John McCain positioned outside donut city

It saddens me to report that Fraser may have been premature in rejoicing at the demise of Britney from malware social engineering. He was right about the changing subject lines, though. Just for fun I decided to throw together a web 2.0 cloud thingy based on word pairs appearing in the subject lines of recent malware seeding runs:

[Image: word-pair cloud built from recent malware subject lines]

As you can see, “Britney Spears” is still deemed more newsworthy than “Batman Robin”, but slightly less so than “Brad Pitt” and “Angelina Jolie”. Oddly enough, “Steve Jobs” puts in a stronger showing than both “Paris Hilton” and “Barack Obama”, while “Kylie Minogue” ranks below “pedicurists piranhas” and “donut city”. Note to Kylie: time for a new publicist?


Defensive Iframing

The other day I came across an interesting piece of malicious JavaScript. While investigating a whole slew of web pages compromised in a fairly large attack, I noticed that two malicious scripts had been added to the pages (both heavily obfuscated). One served the purpose of dropping an iframe into the page (to initiate the attack [1]). This iframe carries a specific name attribute, as you can see below:

[Image: the injected iframe with its distinctive name attribute]

The other script was very simple, but a little more interesting - the code (prettified) is shown below:

[Interesting JS code]

The code essentially enumerates all iframes within the page and attempts to remove any deemed suspicious (set to be invisible, or with a small width/height) whose name attribute differs from the one above. Hence the title of this blog entry: “Defensive Iframing”.

To illustrate the script in action, consider a page containing content loaded from four iframes (green, blue, orange and black). The page is then compromised with a malicious iframe added (“red cross”), together with a script that sequentially removes all the other iframes.

[Sequential removal of iframes]

You get the idea.

Exactly how successful the technique is at preventing other malicious iframes delivering their payload before they are removed depends on a number of factors. Not least exactly when the check_content() function is called and the position of the various elements within the page. Brief testing suggests there are browser-dependencies that affect the timing of events as well.

Of course, the battle between groups of attackers is nothing new. Historically we have had the Bagle vs Netsky wars and W32/Nachi removing W32/Blaster to name but two.


Failed to deliver your package in 48hrs!!! Here have some malware instead

A new wave of mass-mailed Fedex spam is circulating this fine Thursday morning. The text from the message reads as follows (with slight variations in the tracking number, month and date fields):

Subject: Tracking N <some random digits>

Unfortunately we were not able to deliver postal package you sent on <Month> the <date> in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your FEDEX
www.fedex.com

The attached zip archive and the executable inside it are detected by us as Troj/FakeAV-BY. This is yet another mutation of the spam that also brought you:

  • Your Online Flight Ticket N <some random digits>
  • Fedex Tracking N_ <some random digits>
  • Fedex tracking number <some random digits>

Please be careful with attachments from unknown sources in your email, and don’t rush to the nearest Fedex office looking for that long-overdue package; Fedex usually calls rather than sending mass emails :)