Sophos

Archive for April, 2009

Another Facebook Phish Attempt

This morning people began receiving messages in their Facebook inbox with a subject of “Look at this!” and a message body containing a simple link pointing you to fbstarter.com. Yesterday we saw a similar-looking domain, fbaction.net, attempting to phish people’s information. According to Google Trends, “fbstarter.com” is currently the #1 hottest topic on Google right now. In fact, it’s also #11 as “fb starter” and #21 as “www.fbstarter.com”.

The domain was just registered today, and at the time of publishing this blog it doesn’t seem to resolve to anything and thus isn’t hosting any content. We suspect that at some point today it will be hosting a Facebook phish site in an attempt to steal your login information.


Swine flu “cure” offered by Russian RX sites.

It was sad but not at all surprising to see spammers exploiting the swine flu topic.

Today we came across yet another example of Internet “entrepreneurs” being cynical enough to use the situation for their financial benefit.

Rx-Partners is one of many affiliate networks promoting and selling generic drugs online. They do it via an MLM-like network of affiliate “webmasters” who generate and drive traffic to online stores. A successful affiliate relies on a variety of SEO techniques (often including blog and forum comment spam) to earn their share of the profit. I don’t have a specific example at hand, but there is evidence that some may even resort to old-fashioned e-mail spam.

Today, the Rx-Partners blog site announced an addition of a new item to the store:

The title says “Cure people from swine flu — sell Tamiflu”.

“Starting today, you have an option to sell Tamiflu - a pill that fights swine flu and lowers severity and duration of the disease. Given the recent outbreak that already killed a few hundred people worldwide, this pill will be in high demand…”

The post is complete with instructions on how to add the pill to your store catalog. The actual drug on offer is apparently “Oseltamivir”, a generic version of Tamiflu (TM) produced by Indian pharmaceutical factories.

The author of the post and its reader are quite amused by the idea:

“Wishing you good sales, and your customers – happy treatment. :)

Comments:

You guys rock! Rapid response and decent prices.”

A quick search reveals that Rx-Partners is the same network that was offering Tamiflu (TM) as a cure for the “bird flu” during the last outbreak.

UPDATE (Apr 30):

The idea seems to be working quite well so far. Here is a new blog comment from a happy affiliate:

“We added it to our stores last night and the results are obvious. 20% of all sales - tamiflu [...] If you haven’t started yet, do go ahead while the topic is hot!”


InfoSec Pants

Yesterday, I wandered around the first day of InfoSec Europe. I have been visiting InfoSec for the last 10 years and this was the first time at Earls Court. Maybe it was the fact that RSA had just happened or that the credit crunch was biting, but this year I felt the mood was subdued. In fact you could say InfoSec was pants!

Last year, all the buzz seemed to be about NAC and a large number of stands were solely pushing NAC. This year there was no definite theme though there was an undercurrent of Data Leakage Protection (DLP). At the Sophos stand (G50) you can collect a Data Leakage for Dummies book (or apply online).

Today, at the Sophos stand you can listen to Vanja Svajcer “Typhoid Mary: SophosLabs’ research of Linux threats” and an excellent talk by Duck on “Who said JavaScript was easy? Live web-based malware demo.”

Or you could just call into the Sophos stand and get some pants!


Spam referencing Swine flu outbreak

Predictably enough, today we started to see spam taking advantage of concerns around the current Swine Flu outbreak.

Surprised? We shouldn’t be. Just another day in the office for spammers. Crawling news sites for suitable stories to use in campaigns is commonplace and very easy to automate. We only have to go back a few weeks to see the death of Natasha Richardson being exploited in order to infect users with fake anti-virus.

In the campaign seen earlier today, the purpose of the spam is meds related. Anyone clicking on the link in the message is redirected to an all too familiar Canadian Pharmacy site.

As ever, users should be careful about clicking links received in email, and should ensure they use a good quality anti-spam solution to block such content from even hitting their mailboxes. Forget fish and chip paper - today’s news is tomorrow’s spam theme.


Inconceivable!

I came upon this installer today called “Microsoft Virus Fix”. Being somewhat curious, I proceeded to run the application, and the following message appeared:

Ok. I was somewhat underwhelmed (not impressed) by the application’s appearance. In fact, the appearance alone already tells me that this application is highly dubious and is likely to be malwarish in nature.

To begin with, it is littered with several spelling and grammatical mistakes.

But “more” importantly, as every Microsoft Windows user knows, the application “doesn’t use up enormous amounts of system memory”. And of “horror of horrors”, there are also no traces of any fancy or flashy doohickeys within the user interface (the user-interface appears to be done by someone with a passing knowledge of Visual Basic). *wink*

Delving further into the application, the following message is shown:

Now we definitely know this is a fake. No self-respecting Microsoft programmer would use cheesy names like “Yoyodyne”, “Ty Coon”, “James Hacker” and “President of Vice” as examples. I know many a programmer who has been guilty of making bad puns (myself included), but this is taboo territory here.

Oh, incidentally, we detect the installer as W32/IRCBot-AEG. A quick static analysis also yields the malware author’s not-so-intelligent project workspace settings (“Fake Fix\Project 1.vbp” anyone?).

In short, we know this application to be fake. That’s because for Microsoft to release such a utility tool is, in the words of the Sicilian criminal genius Vizzini in the movie The Princess Bride, simply “Inconceivable!”

:)


It’s Amazon’s turn

For those of you tired of seeing and hearing about malware being distributed via the infamous UPS emails, here’s a little something new for you this morning from our spam traps:

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.

As ever they’ve not made much of an effort, simply using a legitimate company name in an attempt to entice users to open the malicious attachment to see what they’re being charged for. It’s the oldest trick in the book, just with a new brand name. Regular Amazon shoppers will recognise that the email looks nothing like one from the real ‘Amazon Team’, and surely there’s no one left out there who falls for this kind of nonsense any more?

Presumably those responsible for distributing the malware have made the decision that the Amazon brand will net them a whole new set of victims. Don’t give them the satisfaction.

Sophos users are doubly protected, as we both block the email and proactively detect the attached malware as Mal/EncPk-HZ.


Windows Blocked

There’s been a lot of talk in the last couple of days about a large botnet announced by the folks over at Finjan. We detect the malware behind that network as Mal/Dropper-DL which installs several more pieces of malware, including the usual raft of fake anti-malware software and the infamous Troj/Virtum-Gen, aka Virtumundo.

While I was looking into some of the related malware this morning, one of the samples blocked access to Windows and displayed a large warning message:

If your high-school Russian classes are just a distant memory, like mine, you’re probably wondering what that says. Thanks to one of the polyglots in the Vancouver lab we have a handy translation.

WINDOWS BLOCKED
To unblock send an SMS
To number 3649
With Text :k2590620008
Enter the received code:
*Any action mimicking activation will result in data loss and computer violation

Yes, it’s yet another way for the bad guys to hold your data for ransom. Using SMS messaging to a premium rate number is a nice easy way to collect your cash. However, if you’re a victim outside Russia, or you quite rightly don’t want to pay, you could have some trouble getting your data back. Happily the guys over at Dr. Web have produced a useful tool that figures out the unlock code for you.


Who’s good at counting?

I’ve reported on a wide variety of tests on this blog. Some have been very good whilst others have been very questionable. Today, my attention has been drawn to another testing site that claims to have a new take on testing the effectiveness of anti-virus products. OITC have an Antivirus Systems’ Performance Analysis Center where they claim to analyse different products’ ability at detecting near zero day threats.

The methodology is to obtain malware samples that are supposedly brand new, check that they really are malware and then send them to Virustotal to see what the results are. Unfortunately OITC look at the results and only include the files if less than 25% of vendors detect them.

Does anyone actually fall for this? How can a reputable testing house make such a naive decision? They are effectively saying that if more than 25% of vendors detect a sample then it must be an old file that every vendor must have already seen. OITC have happily ignored the possibility that vendors have generic detection, in Sophos’ case known as Behavioral Genotypes. They have also ignored the possibilities of Suspicious detection and HIPS detection. Need I go on?

This type of test actually bears no resemblance to what a user might actually experience and certainly doesn’t compare to any other major comparative test. There are numerous testing houses out there whose figures are much more credible - av-test, av-comparatives and Virus Bulletin are 3 key players who all get very different detection results compared to these guys. I trust these tests even when I don’t like the actual results.

Choosing a test site to use is very much a matter of personal taste and what you are trying to demonstrate. If I wanted a quick and easy real time comparative site then I would probably go to SRI where happily Sophos are top of the league :-)

Sophos are part of AMTSO and, along with all the major testing houses, are committed to improving the quality of testing to make tests relevant to the readers and users of them. Clearly here is a test to get our teeth into. AMTSO has its next meeting in 2 weeks time in Budapest and I know this test will be a topic of conversation over a few beers.

What surprised me most of all about this saga was the fact that a major bank is now using the OITC results as justification for pushing their latest offering…


Sinowal delivery: date-driven redirection scripts

Recently, there have been a few reports of new Sinowal (aka Mebroot or StealthMBR) variants having been spotted in the wild [1,2]. We have been seeing this activity ourselves at SophosLabs. In this post I will highlight some interesting characteristics of the scripts that are being used for infecting victims with Sinowal in web attacks.

Of course, there is nothing novel or particularly exciting in malware authors injecting malicious code into legitimate sites in order to infect victims through drive-by attacks. However, what makes Sinowal’s approach slightly more interesting is the use of a date-driven domain generation algorithm within the injected, malicious script. (Ok, so not as “exciting” as that used by Conficker, but nonetheless, an interesting highlight amongst the plethora of other rather dross, static redirects used elsewhere in web attacks.)

The malicious scripts currently being used by Sinowal for redirection are being detected as Mal/ObfJS-AG. The malicious content is heavily obfuscated and unreadable, but sufficiently large to make it fairly easy for site admins to spot the rogue content within affected pages.

Obfuscated injected script (Mal/ObfJS-AG)

Once deobfuscated, it is simple to find the algorithm used to generate the target domain. Multiple variants have been seen, but the algorithms used are virtually identical. By modifying the scripts, it is easy to generate a list of the domains from which the script will load content on any given day.

Part of the domain generation algorithm used in Mal/ObfJS-AG

For each of the variants investigated thus far, the algorithm generates a new domain every few days (using just over 100 domains for the entirety of 2009, for each variant).

Snapshot of generated domains used in Sinowal attacks
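To show what is meant above by modifying the deobfuscated script to list the domains for any given day, here is an added example that is not Sinowal’s own code (the post shows the real algorithm only in a screenshot): a constructed date-driven generator of the same shape, assumed to rotate every four days under a single fixed TLD, together with the defender-side loop that enumerates a year’s worth of domains for blocking or sinkholing.

```javascript
// Added illustration. The generator below is constructed for this example and is
// NOT the algorithm from Mal/ObfJS-AG; only its shape (calendar date -> domain,
// rotating every few days) matches what the post describes.
const TLD = ".com";      // assumption: one fixed TLD
const PERIOD_DAYS = 4;   // assumption: the domain changes every 4 days
const LABEL_LEN = 10;    // assumption: 10-letter second-level labels

// Whole days since the Unix epoch for the UTC calendar date of `date`.
function dayNumber(date) {
  const utcMidnight = Date.UTC(date.getUTCFullYear(), date.getUTCMonth(), date.getUTCDate());
  return Math.floor(utcMidnight / 86400000);
}

// Deterministic lowercase label for a rotation index (simple LCG, constructed here).
function labelFor(index) {
  let state = (index * 2654435761 + 12345) >>> 0;
  let label = "";
  for (let i = 0; i < LABEL_LEN; i++) {
    state = (Math.imul(state, 1103515245) + 12345) >>> 0;
    label += String.fromCharCode(97 + ((state >>> 16) % 26));
  }
  return label;
}

// The domain an infected page would load content from on `date`.
function domainFor(date) {
  const index = Math.floor(dayNumber(date) / PERIOD_DAYS);
  return labelFor(index) + TLD;
}

// Defender step: walk every day of `year` and collect the distinct domains.
// This is the list to pre-register, sinkhole or block ahead of time.
function enumerateYear(year) {
  const seen = new Set();
  const d = new Date(Date.UTC(year, 0, 1));
  while (d.getUTCFullYear() === year) {
    seen.add(domainFor(d));
    d.setUTCDate(d.getUTCDate() + 1);
  }
  return [...seen];
}

// Example run: a 4-day rotation yields 92 distinct domains for 2009.
console.log(enumerateYear(2009).length, domainFor(new Date(Date.UTC(2009, 0, 1))));
```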

The content loaded from the generated domains consists of further malicious scripts (detected as Mal/ObfJS-AV). These proceed to infect the victim with the Sinowal dropper. Inspecting the MBR after infection reveals the modification (detected as Troj/Mbroot-E).

MBR after infection with Sinowal (Mebroot)

Game Over. A quick summary of the protection provided against such Sinowal infections is shown below.

  • Access to the domains Sinowal is using is prevented (for web appliance users)
  • The malicious redirection scripts injected into legitimate pages are being detected as Mal/ObfJS-AG
  • The malicious scripts used on the attack sites to infect the victim are being detected as Mal/ObfJS-AV
  • The Sinowal droppers are detected as Mal/Sinowa-A
  • The modified MBR is detected as Troj/Mbroot-E

Finally, it should be noted that a large number of the target domains being used by Sinowal appear to have been successfully “sinkholed” to help protect users from this nasty threat over coming months. This is obviously a good thing. However, it is a safe bet that the attacks will simply continue to evolve, evading such measures.


Fake AV Now Part of Security Center

The drudgery of fake antivirus. After countless permutations (Pn, Pn+1….Pn+9999) of these fake AVs, it is very hard to keep the enthusiasm high. Lately, a ‘not-another-fake-av’ groan came with a slight variation. This time, the authors have figured out a new way to sell their product by integrating it into Windows Security Center. The fake antivirus has self-elevated its importance and just might be able to convince consumers into spending money on its license.

Security Center

Nice work <3 However, they still need to learn how to spell ‘disabled’.