Sophos

Archive for February, 2009

Phishing with zombies

As online gaming focuses more and more on social networking, the same kind of phishing we see on sites like Facebook and MySpace becomes more and more common on gaming networks — particularly those where ownership of games is tied to accounts.

This morning I received a pretty suspect message from someone on Valve’s Steam network asking me if I was interested in addons for their new zombie shooter Left 4 Dead. Steam is both a gaming community and a content distribution method for online and single player games. Individual games are bought by users and tied to their Steam accounts, allowing them to download and play anything they’ve purchased on that account — something that makes them quite attractive to phishers.

The link in this phishing message doesn’t go directly to the attacker’s site. Instead, he has created a Steam community group so that the link he spams out in chat doesn’t look quite so suspicious. The page for the community group he links to is sparse, but suspicious only in that it has one member who is the user sending the chat messages.
Steam groups can have web links on their pages; in this case, the text of the link makes it appear to point to a page on Valve’s own website, steampowered.com. In fact, it goes to the phisher’s website, hosted on a free web host. If the link is followed, the phisher’s website presents the victim with a mockup of the Steam community login page.
This is a pretty accurate replica: there is a giveaway in a link to the free web host added at the bottom of the page (not pictured) but aside from that it’s almost identical. Entering username and password details here sends them to a PHP script on the phisher’s site and dumps the victim to the legitimate page for the Steam store — probably alerting them to the fact that something is wrong, since the phish was advertised as addons for an existing game.
Since these screenshots were taken, Valve appear to have responded by taking down the Steam community group used by the phisher. I’m glad to say that the Sophos Web Appliance already blocks the phishing website, protecting our users against this particular attempt to steal their Steam account and games.

Chicken Hack

Yesterday afternoon we wrote and published detection for an unusually ‘old school’ style worm, complete with hacker graphics, something that we don’t see too much of anymore. It’s all a bit retro.

I have to confess to completely misreading this particular hacker name initially, and for a few minutes thought we were dealing with someone called “Bantamhacker”. Turns out it’s actually Batamhacker who’s behind this one, an Indonesian according to a quick Google search.

A full description of the worm can be found here, but what was of interest to me was the fact that it included the following hidden window:

(I’m pretty sure that face is a rip-off of a game graphic, but can’t for the life of me think which one. Send us an email if you can put me out of my misery)

If you’re infected by the worm this won’t be an obvious sign, given that it’s a hidden window, but here’s one that will be blatant: you’ll see a file called “about me” dropped onto your desktop, and if you open it you’ll see this:

You’ll also notice that Mr Chicken Hacker creates his own user profile on your computer, so if you log out or switch user you’ll see his name listed.

Not quite the professional stealthy nasty that we’re used to dealing with, but a pain all the same for anyone who gets infected. As you’ll see from our description of this worm, it does have an unpleasant payload, as it’ll attempt to overwrite your files. It’s also a reminder of the varied threat landscape we all face: although the vast majority of malware we see is written by organised criminals for financial gain, there’s still the odd old school nutcase out there attempting to wreak havoc with your system purely for fun.


Worm Kill Worm

We’ve said it before and we’ll say it again - there’s no such thing as a “good worm”.

Today we saw a Visual Basic Script popping up repeatedly on a customer’s network. On investigation, we found that it deleted malicious files called autorun.* on network and removable drives. And how did it know what files were malicious? Simple; if they weren’t copies of itself, they were obviously malicious.

The author obviously thought this was such a good idea that it would be a waste to keep it for himself. So he made the script copy itself to the network and removable drives after it scanned them, along with a bunch of autorun.* files. When you plug your drive in elsewhere, this script will leap on to that system too and try to delete more files, and from there to more drives, etc. Spread the love, and all.

Personally, I’d rather he kept the love to himself.

If this script finds a malicious (remember, by that I mean “not written by this guy”) file on your drive, it displays the following message:

Nirmal's Antivirus System

I’ve blanked out the name of the college in India, as well as the number of the IT MSc course that the author seems to have attended. Such audacity never ceases to surprise me.

We’ve seen talk of “good worms” and “good viruses” before (1, 2, 3), and our opinion remains unchanged: whatever the intention, this is malware pure and simple. We detect it as VBS/Malnir-A.
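The post above describes the worm spreading by copying itself, plus autorun.* files, onto removable and network drives. As an added illustration from the defender’s side (not code from the original post, and not taken from the VBS/Malnir-A sample, whose autorun.inf contents the post does not describe), here is a small audit that parses an autorun.inf and flags launch entries that point at a script or a script host; the sample autorun.inf is constructed for the example.

```python
import os
import re

# Extensions an autorun launcher on a removable drive has no business pointing at;
# a .vbs here is exactly the pattern of the worm described above.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".hta"}

# Script hosts: if the launched program is one of these, whatever follows is a script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript", "mshta.exe"}

# Plain launch keys of the [autorun] section; shell\<verb>\command keys are matched below.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample resembling what a VBS worm might drop (hypothetical, not the real file).
SAMPLE_AUTORUN = """[autorun]
; looks like an antivirus, is actually the worm's launcher
icon=shield.ico
label=Nirmal's Antivirus System
open=wscript.exe //e:vbs antivirus.vbs
shell\\open\\command=wscript.exe antivirus.vbs
shell\\explore\\command=explorer.exe .
action=Open folder to view files
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lowercased key -> raw value."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return (key, value, reason) for every launch entry that runs a script."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key not in LAUNCH_KEYS and not (key.startswith("shell\\") and key.endswith("\\command")):
            continue
        # Split on whitespace but keep quoted paths ("my file.vbs") together.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]
        if not tokens:
            continue
        host = tokens[0].rsplit("\\", 1)[-1].lower()
        if host in SCRIPT_HOSTS:
            findings.append((key, value, "launches a script host: " + host))
            continue
        for tok in tokens:
            if os.path.splitext(tok)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((key, value, "launches script " + tok))
                break
    return findings
```

Run it over the autorun.inf found on each removable drive: two of the three launch entries in the constructed sample are reported, while the plain `explorer.exe` entry is left alone.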


Attention to Detail

I’ve come across something recently that some may find to be rather amusing. Though this particular FakeAV template has been out in the wild for quite some time now, something in particular caught my eye. The page is almost an exact replica of the My Computer view in Windows XP, with one minor difference. Apparently my computer now has a DVD-RAM drive which I wasn’t aware of. I’m guessing what they actually meant to write was DVD-ROM.

It’s such a shame, all that time spent building a very convincing page only to have a minor detail ruin the whole thing. They almost had me fooled up until I spotted that.


That’s hilarious, etc.

Do you like internet fads that are so far past their sell-by date they’re starting to whiff a bit? Do you consider 4chan to be the pinnacle of internet humour? Annoyed that your tastes aren’t reflected in the current crop of prevalent malware? Worry no more!

Today we received a sample of Troj/Giveup-A, a tiny Visual Basic program that does little more than open a new Internet Explorer window to the YouTube rickroll video every ten minutes. Often we’d let this kind of thing get away with the slightly less serious prefix of Joke/ rather than Troj/, but there were a few things to consider with this particular program that swung the balance over in favour of calling it malware:

  • The user’s startup folder is used as an autostart point. Depending on how user profiles are set up, this could actually be a network copy to a remote machine.
  • It copies itself to the “All Users” startup folder on the local computer which causes it to run for every user on the system.
  • I hate rickrolls. I hate Visual Basic. I hate the startup folder. I really hate 4chan. I have nothing but contempt for 99% of the internet and this program represents everything I despise. Each moment I wasted analyzing this Trojan was time I’d rather have spent boiling in a vat of angry bees.
This will never get old.

Just let me take a picture of the malware and overlay it with a fresh new catchphrase in an Impact font. YEEEEEAAAAH! *tilts chair back*

So, you might ask, who is responsible for this creation? Who are these giants pushing the boundaries of humour in a way not seen since Andy Kaufman wrestled a woman to the ground on TV? Luckily for us, these heroes — no doubt soon to become cultural icons — have left us a clue in the program’s version information.

Comments :
InternalName : roll
ProductName : RickRollProject
CompanyName : [college name deleted] College
LegalCopyright :
ProductVersion : 1.00
FileDescription :
LegalTrademarks :
PrivateBuild :
FileVersion : 1.00
OriginalFilename : roll.exe
SpecialBuild :

Mystery solved (for us at least; you’ll have to guess).


Symbian users are lured by ‘Sexy View’ once again.

“Do not trust any kind of ‘Sexy View’ application and be careful even if you get a message from a known contact”, say our threat researchers, “particularly these days, when Symbian users are under attack from the next generation of malware that targets the S60 3rd Edition phones and those compatible with them”.

You may be surprised to find out that the so-called ‘Sexy View’ application from a ‘Play Boy’ vendor conceals a monster that will steal your confidential details, as well as leaving you the bill for all those SMS messages that were sent from your device.

This monster (Symb/Yxes-Gen) is a clever thing: in addition to claiming to provide English and Chinese language options upon installation, it arrives as a SISX installation file with a valid Symbian certificate.

The new era of the mobile botnet has begun. Are you ready? Is your protection up to date? SophosLabs can help you 24/7.


Girl Power

Whilst checking out a very basic packer recently, one of my colleagues in the lab spotted something in the version information that led him to a malware writing forum. Actually, ‘malware writing forum’ is being overly kind; it’s more a sort of script kiddie after-school club. Anyway, the point is that while he was there he spotted something almost unheard of. A girl! An actual real-life girl. With makeup and everything. I know, my reaction was exactly the same as his, and seemingly the same as everyone else’s on the forum: “It can’t be a real girl, it must be a lad in disguise”.

The username “dollygirl” and a userpic of a young teenage girl aren’t enough to convince anyone of anything these days, which of course is a good thing when you think about it. It’s kind of comforting that the kids here are cynical about believing anything they’re told about the identity of an unknown user. The funny thing is the way the argument goes. I obviously can’t post the link, as these forums are universally a Bad Thing, but here for your entertainment is the gist of the argument:

  • girl: “I need help writing a visual basic packer”
  • user1: “ur a girl? pm me!”
  • user2: “that’s no girl that’s a pervert with a girl avatar”
  • user3: “it’s a n00b boy pretending to be a girl”
  • user4: “this is a boy forum girls don’t like computers”

At this point dollygirl plays the webcam card, and supposedly writes down the username of one of the guys and posts a pic of herself with it. Proof? Well, it made us stop in our tracks a bit. Of course there’s nothing to say that it’s not a lad getting a friend to play along.

The point of all this is of course that female malware authors really do seem to be so rare that we all take a lot of convincing that one really exists. I always like to think that it’s largely because we have better things to do.

Of course there’s one female virus writer we know about, mostly through her displays of affection for our very own Graham Cluley.


New Conficker variant

If you regularly follow computer security related blogs you may have read that recently there was some discussion about a potentially new variant of the Conficker worm. SRI researchers, in their detailed and interesting analysis, decided to call the new variant Conficker B++.

Admittedly, SophosLabs has been slow to discuss this new variant.

The reason? Well, it’s very similar to variant B of Conficker, with a few changes, including the modified self-updating functionality. And the good news is that Sophos products detect this latest variant proactively, without requiring new updates, as Mal/Conficker-A.

SophosLabs researchers are currently analysing the new variant and will update the description of Mal/Conficker-A with the additional details soon.


Waled targets coupon-clippers

We’ve seen Waled pretend to be Barack Obama’s website, we’ve seen it delivering fake Valentine’s Day ecards - now Waled is sending out spam pretending to offer you coupons.

Waled Couponizer

You can click the image here to enlarge it, but you shouldn’t click anything on the real malware site - instead of coupons, you’ll find executable files with a variety of names including coupon.exe, coupons.exe, print.exe, save.exe, and this malware is unlikely to save you any money.

Even though the executable files keep changing due to server-side polymorphism, we detect them proactively as Mal/WaledPk-A, and in fact the custom packer hasn’t changed all that much since the interesting case I mentioned recently. The webpage itself is also changing regularly (giving different filenames, among other things), and we’re now detecting it as Mal/WaledJs-A.

Don’t let your desire to get a good deal cloud your judgment - think before you click that link!


More PDF activity - BOPs protection confirmed

Today we saw another malicious PDF attempting to exploit the new zero-day vulnerability in Adobe Reader and Acrobat [CVE-2009-0658, APSA09-01]. The Sophos advisory for this vulnerability can be found here. This latest sample is also proactively detected, as Mal/JSShell-B.

I quickly fired up a goat machine, intentionally disabling this detection in the Sophos product to see how the buffer overflow protection (BOPs) would fare. Success! BOPs triggered shortly after loading the malicious PDF in Adobe Reader 9.0.0 (freshly downloaded and installed).

As in the previous attack, the payload in this case was a remote access Trojan (detected as Mal/Packer).

Whilst we wait for a patch from Adobe, to help protect yourself from attacks:

  • Ensure you keep your products correctly updated
  • Enable runtime protection (HIPs and BOPs) - not just in alert-only mode
  • Consider some of the mitigation steps outlined in my previous post.