Sophos

Archive for October, 2008

Witches, ghosts, ghouls and malware authors

Halloween traditionally sees all sorts of undesirables crawl from out of the woodwork.

Malware authors do come out to play on other days of the year, but if you are looking for a last-minute Halloween costume or toy then beware, because malware authors may get you!

Here are some of the Halloween-related websites we are currently seeing that are infected with malicious code:

[Screenshots: halloween-1.jpg, halloween-2.jpg, halloween-3.jpg]

All of the above sites are infected with Mal/Iframe-F, a pernicious and long-running web threat.


Beware of SMS solicitations in e-mail!

A massive spam campaign in Russian caught my attention today. It masqueraded as a newsletter from MTS, a major Russian mobile network, and advertised a too-good-to-be-true lottery program.

[Screenshot: sms_fraud.jpg]

To participate in the so-called “bonus” program you’d need to send an SMS message to a premium number. Every 3rd message gets 300 rubles (~$11) added to your account, and you agree to pay 30 rubles (~$1) for it. So, you have a 1 in 3 chance to win 10 times more than you put in. That’s the way to get rich despite the global financial crisis!

A search on that 7733 number reveals an SMS billing company, http://smscoin.net/. A price list on their website reveals the real cost of your message: 258.3 rubles, with almost 40% of it retained as a fee by SMSCoin:

[Screenshot: smscoin.jpg]

The company claims a strong anti-spam/anti-fraud policy. I have no reason to doubt their good intentions and hope they stay on top of the abuse and stop these fraudulent payments.

Having said that, I also suspect that something went wrong with this spam, since the code they ask you to text does not follow the required “prefix + identification” format. So, let’s hope that’s true and that there will be no victims this time.

While this campaign targets a Russian-speaking audience, I’d warn all of our readers around the world. The social engineering techniques and the “billing mechanisms” employed in this fraud are universal. Just like another scam example from 3 days ago:

From October 28, authentication is made all the boxes
at Gmail.com. To authorize the box you want to send sms
text
dam+km to the number 7733 for LPG
dam+km to number 4161 or 2322  for Russia
SMS messages free!
Boxes did not confirm the authorization automatically blocked for 3 days!

Sincerely, the administration Gmail.com

Needless to say, the spam was sent via a botnet to millions of people around the world.


The ultimate keylogger?

I came across an interesting piece of research the other day. Martin Vuagnoux and Sylvain Pasini from LASEC, the Security and Cryptography Laboratory at the School of Computer and Communication Sciences in Lausanne, Switzerland, have discovered a way of monitoring electromagnetic emanations from wired keyboards.

The video shows how, by simply using an antenna and some obviously very smart software, keystrokes can be monitored remotely and decoded.


[Video: Compromising Electromagnetic Emanations of Keyboards Experiment 1/2, from Martin Vuagnoux on Vimeo]

This reminded me of something called Van Eck phreaking, a way of monitoring what appears on a screen by picking up the emissions from the CRT using a soft drink can. I remember this getting a lot of press during the 1980s, and a variety of different solutions were brought out. Modern LCD monitors are less susceptible, but evidently it can still be done.

Whilst it’s obviously an interesting piece of research I don’t plan on lobbying the Sophos Product Management team to start including a roll of aluminium foil with each copy of Sophos Enterprise Security and Control just yet.

Watching the video of the keylogger, it would appear that the best defence from this sort of snooping is to learn how to type faster.


Infectious Invoices

One of the most common forms of mass malware distribution is to spam it out with some enticing message; however, as administrators slowly lock down their spam rules and block questionable content, the malware authors need to continually find new tricks…

One tried and tested method is the encrypted zip, as it prevents scanners from examining the archive content while still maintaining a perception of legitimacy. The password, of course, is in the message body, which the recipient (often without thinking) uses, with rather dire consequences.
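As an added example (not code from the original post or from Sophos), here is a gateway-side triage check for the encrypted-zip trick. It needs no password: bit 0 of the general-purpose flag in each zip local file header says whether that entry is encrypted, and the stored filename shows what the archive would drop on disk. The risky-extension list and the constructed sample archive are assumptions for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Assumed list of extensions a mail gateway would treat as executable content.
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

def zip_entries(blob: bytes):
    """Yield (filename, encrypted) for every local file header found in blob."""
    pos = blob.find(LOCAL_HEADER_SIG)
    while pos != -1:
        # 30-byte fixed header: sig, version, flags, method, time, date,
        # crc32, compressed size, uncompressed size, name length, extra length
        fields = struct.unpack_from("<4sHHHHHIIIHH", blob, pos)
        flags, name_len, extra_len = fields[2], fields[9], fields[10]
        name = blob[pos + 30:pos + 30 + name_len].decode("cp437", "replace")
        yield name, bool(flags & 0x0001)  # bit 0 = entry is encrypted
        pos = blob.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len)

def triage_attachment(blob: bytes) -> dict:
    """Summarise why a gateway might quarantine this attachment."""
    entries = list(zip_entries(blob))
    encrypted = [name for name, enc in entries if enc]
    risky = [name for name, _ in entries if name.lower().endswith(RISKY_EXTENSIONS)]
    return {
        "entries": len(entries),
        "encrypted_entries": encrypted,
        "risky_names": risky,
        "quarantine": bool(encrypted) or bool(risky),
    }

def constructed_sample(encrypt: bool) -> bytes:
    """Constructed test data, not a real sample: an in-memory zip holding a
    fake .exe; if encrypt is set, the local header's encryption bit is flipped
    so the entry looks password-protected to any scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\0" * 64)
    data = bytearray(buf.getvalue())
    if encrypt:
        data[data.find(LOCAL_HEADER_SIG) + 6] |= 0x01  # flag field at offset 6
    return bytes(data)

if __name__ == "__main__":
    print(triage_attachment(constructed_sample(encrypt=True)))
```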

In order to sound appealing, many of these new-wave spams relate to invoices, statements or UPS/FedEx tracking.

In a new twist, however, the latest round of such spammed Trojans is infected with the W32/Parite-B parasitic virus. Whether this is an indication of an infected malware author or a deliberate attempt to add yet another layer is unclear. From my perspective, infecting anything with an old parasitic virus that is widely detected sounds silly, but as long as our customers are protected does it really matter?

Once the infection is removed we detect the underlying worm as W32/Womble-E (and we even make efforts to detect the zip itself as Troj/Invo-Zip).

The most surprising thing about all this is that no matter how many hoops and obstacles are required to extract, decrypt and respond to something that is obviously bogus, people still do!


A new phish frontier: Phishing of domain registrar accounts

We have started seeing a new kind of phish campaign today. Instead of the regular bank phish, or the more recent university/webmail email account phish, this new campaign targets domain registrar accounts, as in the email below:

[Screenshot: eNom phish message]

The email fakes the From address (it purports to come from tech@enom.com) and asks the user to update their account due to some maintenance, in a manner similar to bank phishes. The following two subject lines were seen in the phish emails, some with additional words such as “attention”, “warning”, or “IncidentID: #####”:

Inaccurate whois information.
Maintenance at eNom

Clicking on the link takes the user to a URL of the form www.enom.com.someotherdomain:

[Screenshot: eNom phish domain]

The fake login site was probably lifted from the real eNom login page in its entirety. Looking at the HTML source of the phish site, one finds that even the Google Analytics link was copied. The only HTML code that was not part of the real eNom page is the login box. Submitting credentials to the box would allow the phishers to gain access to an eNom registrar account.
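The www.enom.com.someotherdomain trick works because a trusted name appearing at the front of a hostname says nothing about who owns it; only the registrable domain at the end does. As an added example (not code from the original post or from Sophos), the check below classifies a link as trusted, lookalike or unknown. It assumes the registrable domain is the last two labels, which holds for .com/.net but not for suffixes like .co.uk, where real tooling would consult the Public Suffix List.

```python
import urllib.parse

# Assumed set of registrar domains the reader considers legitimate.
TRUSTED = {"enom.com", "networksolutions.com"}

def hostname_of(url: str) -> str:
    """Return the lowercased host part of a URL, adding a scheme if missing."""
    parsed = urllib.parse.urlsplit(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification; see lead-in)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(url: str) -> str:
    """trusted: owned by a trusted registrar; lookalike: a trusted name is
    embedded as leading labels of a host someone else owns; unknown: neither."""
    host = hostname_of(url)
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    for brand in TRUSTED:
        # Match the brand as whole labels anywhere in the host, e.g. the
        # ".enom.com." inside "www.enom.com.someotherdomain.com".
        if f".{brand}." in f".{host}.":
            return "lookalike"
    return "unknown"

def triage(urls) -> dict:
    return {url: classify(url) for url in urls}

# Constructed sample links (not real phish URLs); 198.51.100.7 is a
# documentation address standing in for an attacker-controlled host.
SAMPLE_URLS = [
    "http://www.enom.com/login",
    "http://www.enom.com.someotherdomain.com/update",
    "www.networksolutions.com.example.net",
    "http://www.enom.com@198.51.100.7/",  # userinfo trick: real host is the IP
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:9} {url}")
```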

Why would phishers want to go after registrar accounts all of a sudden? There has been much speculation, but the most likely explanation seems to point to the termination of EST Domains as a registrar. EST Domains happened to be the registrar of choice for many spammers, rogue anti-virus program writers, and malware writers. Shutting down this registrar would impede their ability to bulk register new domains. Hence, newly phished registrar accounts can be used to purchase new domains for malicious use until they can find someone else to partner with them. It remains to be seen whether these registrar account phish campaigns are here to stay.

As I was writing this blog entry, the phishers switched to targeting registrar accounts at Network Solutions. Here is a capture of their phish email and phish domain:

[Screenshot: Network Solutions phish email]

[Screenshot: Network Solutions phish domain]

Just like the eNom phishes, the From address is a tech@ address, and the phish site seems to be a modified version of the Network Solutions login page. Given the two targets so far, it is quite possible that other registrar providers will be targeted next. So, beware of email purporting to be coming from your registrar service and don’t give spammers and malware writers a way to obtain domains for their nefarious purposes.


Not another eCard

[Image: ecard, ecard, ecard]

2007 was the year of ‘Storm’ (also known as Dorf).

One of the social engineering techniques it used (and which probably contributed to its success) was the lure of an electronic greeting card or ‘eCard’.

Over the course of the year we had a seemingly endless stream of greetings for practically every conceivable reason: Halloween, Christmas, 4th of July and so on.

Publicity around Storm seems to have died off over recent months, although there is still a lot of discussion about it in industry.

One thing is for certain though, fake greeting cards are still popular with the malware authors. Looking at the current flood of malware coming into our spam traps, eCards are back with a vengeance!

[Screenshot: ecard31.JPG]

In this case, the authors aren’t even using the excuse of it nearly being Halloween, instead just telling the recipient to open the attachment. Judging by the volumes, they seem to be following the “if I ask often enough, someone will open it” approach. Please don’t!!

At the same time, there is another slightly more sophisticated campaign going on, this time with links to a website, and a well crafted ‘fake’ message that appears to be from Hallmark cards.

[Screenshot: Don’t Click!]

Closer examination shows that the link is not, in fact, to ecards.msn.co.uk but to a site that appears to be hosted in Spain.

So at the risk of offending, if you receive an email saying you’ve received an ‘ecard’, you probably aren’t as popular as you think you might be. In fact you certainly won’t be if you open it, click on it, or do anything other than hit “Delete”.


Apartment scams

Last night’s BBC One Watchdog talked about a scam involving bogus apartment advertisements. Those in the UK will be able to watch it here.

While watching the show, I noticed a few glaring similarities to one of our own blog entries, in that both reports talked about the abuse of internet sites advertising apartments/flats. I suspect that this scam isn’t just happening in London but in major cities throughout the world.

Assessing levels of trust on the internet is a difficult thing to do, and SophosLabs would encourage you to be more circumspect on the Internet. If you are looking for flats I would suggest you think about the following:

  • Ring up the phone number. Is it within the same area code as the flat? If it is a mobile number, ask for a landline.
  • Ask for proof of ownership.
  • Ask for references.
  • Always try and have a viewing.

Return of Email Malware

Regular readers of this blog will know that I’m keen on measuring the effectiveness of the SophosLabs response to the changing threats. I use a host of metrics to measure proactive detection, response times, spam catch rates and so on. In fact, the labs’ internal ‘dashboard’ (a live web-based system that shows many of these metrics etc) is one of the first places I visit each morning.

[Chart: Outbreak subject lines]

As our latest report shows, there has been a significant return to malware attached to spam emails. One of the reports I regularly refer to is our response time to such ‘outbreaks’, which adds some colour to this recent shift.

In the past 30 days (Sunday Sept 28th to Monday 27th October) there were 133 unique malicious attachments received on our spam traps (unique because the MD5 checksum of the attachment was different). This represents an average of over 4 ‘outbreaks’ per day.

Of these, 95 (71%) were proactively detected; the average response time for the remainder was 75 minutes (1 h 15). This is the time taken for customers to receive detection on the desktop, so it includes publishing time etc. Spam detection of these ‘outbreaks’ is of course much quicker (often just seconds).

[Chart: Outbreak response]

49 of these outbreaks were detected as Troj/Invo-Zip with subject lines like “Problems with delivery UPS” and “Tracking N 0837857433” etc.

A few years ago, such ‘outbreaks’ would have made the news headlines, but sadly we seem to have become desensitized to the onslaught of malware. In the meantime, my focus, and that of SophosLabs, is to continue to increase the level of proactive detection and reduce the response time.


Would you like to be a spam mule?

Voulez vous devenir un mule de spam? Would you like to be a spam mule? Anatoly Nikolayev would like you to become one. SophosLabs is currently tracking a large French-based mule campaign.

[Screenshot: msg.jpg]

Now my French doesn’t normally get me beyond ordering a meal, but this looks very phishy to me.


HIPS HIPS Hooray for proactive detection

This morning, while looking through the customer submissions to Sophos (how to submit samples), I saw a sample with the ‘Rule or identity name triggered by this file (if applicable)’ form field filled in as HIPS/RegMon-009.

SophosLabs’ automated scans showed this sample to be a malicious AutoIT file. Running the file through the automated replication rigs here in SophosLabs, it also hit the following HIPS rules:

  • HIPS/RegMod-001
  • HIPS/RegMod-002
  • HIPS/RegMod-009
  • HIPS/RegMod-012
  • HIPS/FileMod-004

For a description of HIPS rules click here.

I have written exact detection, and disinfection, for this malicious AutoIT file as Troj/Tiotua-U. Enabling HIPS detection on your network could have prevented an infection of this Trojan.