Sophos

Archive for September, 2008

When a bank site hosts a phish

At SophosLabs, we receive an assortment of bank phishes every day. In this day and age, banks take immediate action to bring phish pages down to protect their own customers. Banks also secure their websites to prevent compromise attempts. So what we encountered today is something that can only be considered a rare occurrence. We received the following phish today:

Poste.it phish

This particular image phish targets the Italian bank Poste Italiane. The phish itself (in Italian) entices users to follow the link in order to receive 250 Euros worth of “loyalty bonus”. The phish itself is fairly typical. The link in the message goes to a compromised domain controlled by the phisher. Instead of the phish being hosted on this compromised domain, an HTTP redirect is used to send the user to a second domain, where the phish page resides:

Poste Italian phish on fjsb.com

This is where my investigation took an unexpected turn. The domain hosting the phish page, fjsb.com, seems to be owned by Fort Jennings State Bank, a private, local bank serving the state of Ohio. The homepage of the bank is as follows:

fjsb.com homepage

The site’s design was a throwback to the early days of HTML and the site itself does not have many of the fancy menus and drop-down lists that most banks now use. It took some further investigation to confirm the ownership of the domain.

So what is happening here? It would seem that we have a bank in the US hosting a phish site of an Italian bank. This goes to show that all sites (even bank or military sites) may be compromised and used for malicious purposes (such as a phish campaign). We have notified the webmasters of Fort Jennings State Bank and the phish site has since been taken down. As a side note, the compromised site linked directly by the phish message itself now redirects to another compromised site. For Sophos customers, our anti-spam products detect this phish campaign even though the redirection link has changed.


YAWI — Mal/Badsrc-C

On Friday, SophosLabs saw that the website of a major African Sunday newspaper was infected with Mal/Badsrc-C. We took steps to contact the site’s owners and the site is thankfully now clean. So this morning the African diaspora, instead of being infected by various pieces of malware (Troj/Iframe-AU, Mal/JSShell-B and Mal/TinyDL-T), can read news from home without fear of infection.

So why am I blogging about Yet Another Website Infected (YAWI)? Well the graph that our automated systems generated due to this infection was interesting.

paper.jpg

The first line of nodes on the graph are websites infected with Mal/Badsrc-C, including the African newspaper and an American university. The right-hand side of the graph will attempt to download and install Mal/TinyDL-T. My colleagues Fraser and Vanja will be discussing this part of the graph in their talk, on Thursday, at the Virus Bulletin Conference in Ottawa.

The part that interested me was the group of nodes on the left-hand side (highlighted in purple). All four of these purple nodes are, or lead to:

  • Pay-Per-Click (PPC) sites
  • Get Paid To (GPT) sites
  • Search Engine Optimisation (SEO) sites

This attack is an example of Affiliate web-based malware and I will be talking about it further, on Wednesday, at the Virus Bulletin Conference.

If you have any comments about this blog article or any other please email via sophosblog@sophos.com.


Hail and farewell

During the last week we have seen a new trick being used by Mal/Badsrc-C. The trick itself is not new, but like all things in the malware world, old tricks get re-used on a regular basis.

This trick is to encode the URL in the SRC attribute in hexadecimal.

hexidecimal.jpg

There are valid reasons why someone would encode a URL in hexadecimal. Here it is used purely for the purpose of obfuscating the code.

The problem for the malware author in this case is that it is easily de-obfuscated. A variety of tools will do the de-obfuscation, because they need to understand the encoding anyway, e.g. wget.

Simple tools can also be knocked up to do the job, like this one from Internet Forensics (O’Reilly):


#!/usr/bin/perl -w
# Decode a %XX (hex) encoded URL given as the only command-line argument
die "Usage: $0 <hex encoded URL>" unless @ARGV == 1;
# Replace every %XX sequence with the character whose code is XX
$ARGV[0] =~ s/\%(..)/chr hex $1/ge;
print $ARGV[0] . "\n";

The beauty of using Perl for the job is that the code is:

  • cross-platform
  • easily modified
  • extensible
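As an added example (not code from the original post or from Sophos), here is a small Python detector in the same spirit as the Perl script: it scans a page for script and iframe SRC attributes that are mostly hex-encoded, decodes them and reports the real URL. It goes beyond the one-liner above by also handling \xHH JavaScript-style escapes and by ignoring legitimate URLs that merely contain a stray %20; the sample HTML is constructed and example.invalid is a placeholder host.

```python
import re

# Constructed sample page (not a real site): one hex-obfuscated <script src>,
# one legitimate src that merely contains a %20 escape, and one plain iframe.
SAMPLE_HTML = """<html><body><p>News from home</p>
<script src="%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%63%6F%75%6E%74%65%72%2E%6A%73"></script>
<script src="http://cdn.example.invalid/site%20v2.js"></script>
<iframe src="http://example.invalid/ad.html"></iframe>
</body></html>"""

# src="..." of script and iframe tags (the tags these injections use)
SRC_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# %HH percent escapes (what the Perl script handles) and \xHH JavaScript escapes
HEX_RE = re.compile(r'(?:%|\\x)([0-9A-Fa-f]{2})')


def decode_hex(value):
    """Replace every %HH or \\xHH escape with the character it encodes."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def encoded_fraction(value):
    """Share of the decoded value that was written as hex escapes (0.0 .. 1.0)."""
    decoded = decode_hex(value)
    return len(HEX_RE.findall(value)) / max(len(decoded), 1)


def find_obfuscated_src(html, threshold=0.5):
    """Return (tag, raw_src, decoded_src) for every script/iframe src that is
    mostly hex-encoded. A normal URL may carry a stray %20; one whose scheme
    and host are hidden behind escapes is almost certainly obfuscation."""
    hits = []
    for m in SRC_RE.finditer(html):
        tag, raw = m.group(1).lower(), m.group(2)
        if encoded_fraction(raw) >= threshold:
            hits.append((tag, raw, decode_hex(raw)))
    return hits


if __name__ == "__main__":
    for tag, raw, decoded in find_obfuscated_src(SAMPLE_HTML):
        print(f"<{tag}> obfuscated src: {raw[:40]}... -> {decoded}")
```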

As for the cryptic subject well that is a little puzzle and you should submit answers to sophosblog@sophos.com.


September Round Up

For the past couple of years there has been a significant shift in the way malware is distributed, away from email attachments towards links in emails and so-called drive-by downloads from compromised websites.

The past few weeks, however, have seen a return to email attachments. The secret to the success of any malware is the social engineering used: how convincing can it be made, to entice the user to open the attachment or click on the link?

The latest trend is to spam out an official-looking email purporting to be from a well known brand such as UPS, politely informing the recipient that a delivery was unsuccessful.

The malware authors obviously found that this worked, recycled it regularly, and tried news reports, invoices and notices of suspension of internet access.

Examples of the evolution of these campaigns are:

  • French version of UPS malware
  • Airline ticket invoice
  • Statement of fees
  • FedEx tracking malware

And so on…

What’s next? I can make a few predictions, but one thing’s for sure: the malware authors aren’t going to give up anytime soon.


Runtime HIPS stops Virtum infections

Virtum (aka Virtumonde, Virtumondo) is one of the most prevalent malware families we have seen in recent times. Barely a week goes by without seeing more samples of the damn thing. They are constantly changing, making detection difficult and they are a pain to remove from infected systems.

However, whilst developing new HIPS runtime behaviour rules to coincide with the release of SAV 7.6.0 I noticed alerts of <System>\winlogon.exe triggering the HIPS/RegMod-011 rule. Our SophosLabs testing rig for HIPS is configured so that Alert Only is turned off, meaning all detected behaviour is blocked. Due to this configuration, the alert was appearing over and over again, several times per second…this doesn’t look good, but more importantly it doesn’t look normal!

We test HIPS against new undetected malware that we receive each day, and upon further investigation I found that the files triggering this HIPS behaviour were actually undetected Virtum droppers which have injected their malicious code into the running winlogon process. The behaviour being blocked was Virtum trying to modify the registry so that its dropped DLL component would be loaded each time the system booted up.

Without this registry entry being successfully set, Virtum would not load again after the computer was next switched off, which is why it kept trying over and over to set it (with HIPS runtime behaviour analysis consistently blocking it). However, with HIPS in the Alert Only configuration it would succeed on the first try, triggering just one SAV alert of this behaviour against winlogon. Some users may mistakenly assume this to be an unwanted detection and therefore ignore it.

It’s essential that users investigate all HIPS runtime behaviour alerts before coming to any decision about their validity. Just because an otherwise clean file is detected does not mean that the file has not been compromised in some way and is not wreaking havoc on the computer. Users should identify the behaviour being reported by consulting the Sophos web site and at least consider whether that behaviour is likely to be normal for the detected component.

But there’s more…

A new rule I developed as part of the SAV 7.6.0 release has also been seen to detect Virtum samples, this time at the point where the malicious DLL is dropped onto the system. HIPS/FileMod-006 detects this behaviour and terminates the offending Virtum process before it performs any further functions.

With HIPS runtime behavior analysis successfully detecting and preventing Virtum infections in this way it is hoped that we will see more samples sent in from customers that will help us to further develop our existing protection against this threat, whilst at the same time preventing customer infections.


Find your soulmate on YouTube

Recently we have seen fake versions of the YouTube site being created for hosting malware. Now we have seen the real YouTube website being used to promote a “dating” spam campaign.

pic3.JPG

The email is being sent by YouTube’s email alert service, so the body contains a genuine YouTube icon and is written in the standard YouTube alert format.

The message has a subject of “Check_out_this_YouTube_Channel!”

<xyz user> wants you to checkout this YouTube Channel:
<numbered link>

The link points to http://www.youtube.com/user/<number in the link>

This link takes us to the YouTube user page which looks similar to the one below:

pic21.JPG

The website listed for each user is the same: an online dating site. This is just another example of a well-known service provider being exploited by spammers. The good news is that the link is blocked by us, potentially STOPPING any YouTube HookUps ;-).


You Can Run But You Can’t Hide …

… unless you leave your mobile phone behind.

Yesterday I was rudely disturbed by a mobile spam campaign. The spam had the following message:

Credit crunch biting?
government
solution to. wipe
70% of your debt.
reply with CLEAR
for more info

Does that imply one needs to text the government to ease one’s debt obligations (err … not that I have any …)? Of course I did not bother to reply to the text. I am more interested in how the government intends to restrict irresponsible bank loans in the future. Another thing, banning short-selling seems odd in a society which worships “The Market” (if you can’t stand the heat, stay out of the kitchen).

Apologies for the digression. A disconcerting difference between standard spam and mobile spam is that mobile spam may actually cost hard cash just by receiving it. If one were on holiday and received mobile spam, one would have to actually pay for it, probably! Where’s the justice?

Anyway, a quick look on several sites seems to suggest that there is an increasing backlash against mobile spam. How far is it going to get us, though, I wonder?


Error Error on the Wall Who’s the Foulest of Them All?

offmsg-a.JPG

In the modern IT security world the presence of “joke” programs is uncommon, overwhelmed by an avalanche of malware motivated by financial incentives.

Recently we received such a “joke” program which did nothing more than display the offensive message box shown in the image above. We decided to detect the file as Joke/OffMsg-A due to its inappropriate content which may cause consternation amongst some. However, despite its content, the program has to be deemed to be inherently non-malicious and therefore not a Trojan.

It appears that there are still some people out there that continue to write such programs, sometimes bona fide malware, for fun/kudos, rather than pecuniary gain, as they used to do a few years ago. For example many USB worms do not appear to have an obvious monetary motive. Of course we will detect malware regardless of the sensibilities of their authors, including those allegedly written as a social good.


Depressing Saturday spam

Sitting here in the lab on a sunny Saturday while friends and family are out and about enjoying themselves is, in some respects, pretty miserable. No matter how much you enjoy your job, you’d obviously rather be out enjoying the weekend with everyone else. It’s doubly harsh though when the first thing I see in our spam queues this morning is a bunch of emails telling me I’m hideously fat, drowning in debt and rubbish in bed. How utterly depressing.

Fortunately the spammers offer solutions to cheer me up, all I need to do is fork out a load of cash for piles of Anatrim, Hoodia and Viagra (that’s really not going to work in my case) and my life will turn around. Those of you wondering how I can afford the meds, it’s easy, I’ve got countless offers of unsecured personal loans of up to $50,000 which can be in my bank account by lunchtime.

Spammers play on people’s insecurities, and offer miracle cures to take away all our woes. Spend 20 minutes looking through our queues here and you’ll see:

  • Amazing work-from-home job offers for long suffering, downtrodden employees
  • Miracle diet patches that busily work away losing you pounds while you eat whatever you like
  • Instant hair in a can for the follicly challenged
  • Unbelievable ‘zero to hero’ ED & growth meds for the unfortunately endowed
  • Guaranteed credit for those who’ve been turned away by everyone else
  • Designer bags and watches on a budget for anyone ashamed of their more affordable high street brands.

A huge proportion of the emails we see aim to bring in the cash by chipping away at peoples’ self esteem, and then offering a solution for a price. This must be a fruitful method for the spammers, otherwise they wouldn’t continue to send out these mails by the truckload on a daily basis.

Our advice, as ever, is never to buy any goods advertised via spam. Why not take the Sophos Spam Pledge and help us to stop the spammers in their tracks? And you’d really be doing me a favour too; I’m not sure how many more depressing spam emails I can take ;)


Presidential Malware Predictions

During my trip to Interop earlier this week, I was discussing with a number of colleagues how unimaginative malware authors seem to be. No national holiday seems to go past without some form of greeting from the malware authors. Then there’s the stream of ‘Britney’-related malware.

Other than the ongoing financial crisis and credit crunch, the big news item for the next few months is of course the US Presidential elections. Combine that with the malware authors’ favourite lure of pornography and attention-grabbing headlines, and it doesn’t take much imagination to predict what is going to be heading our way soon. We’ve already seen malware purporting to be pornographic videos of Barack Obama; what will be next?

So here are my predictions, together with the ‘odds’ of them appearing.

Malware lure                                  Odds
Sarah Palin sex video                         Evens
Sarah Palin’s daughter sex video              2/1
Barack and Michelle Obama home sex video      5/1
John McCain heart attack                      10/1
Joe Biden sex video                           20/1
John McCain sex video                         50/1
John McCain and Sarah Palin sex video         50/1

My attempts obviously required very little creativity; I’m sure you can come up with some better suggestions. So here’s your chance: send us your own predictions of attention-grabbing ‘headlines’ that might be used by malware authors. The best will be chosen by an expert panel and receive a prize. I had considered offering a prize for any malware that ‘actually used’ your headline, but thought that would be tempting fate.

Send your suggestions to sophosblog@sophos.com.

Closing date is 6th October.