Sophos

Archive for September, 2009

Another embassy site hit in Fake AV attack

Earlier today I noticed that the website for one of the embassies in Paris had been hit by malware. This continues the ‘YAE’ (yet another embassy) series we introduced in previous blogs [1,2,3].

This current attack provides a classic example of some of the techniques that the rogue AV criminals are using.

  1. SEO techniques. The attackers appear to have exploited a content management system (CMS) used on the embassy site in order to upload numerous keyword-stuffed pages (typically called “doorway” or SEO pages). Users searching for popular terms may click through to one of these pages, starting the infection process.
  2. Traffic redirection. The SEO pages load a malicious JavaScript that has also been uploaded to the embassy site. This in turn loads another script, this time from a remote server. This second script is responsible for redirecting the user to the relevant payload: it checks the referrer and redirects the user only if they have come via a search engine.
  3. Fake AV payload. Having checked the referrer, the redirection script sends the user on to the appropriate fake AV payload.

Digging deeper on the embassy site, it is not surprising they have been hit: the version of the CuteNews CMS application they are using is out of date (v1.4.6 appears to be the latest version).

Attackers exploiting CMS applications in order to hit/deface sites is something we have discussed before [4], and I won’t repeat the important security implications that must be considered when using them here.

Fortunately for Sophos users, the redirection script loaded in the SEO pages is proactively blocked as Mal/ObfJS-X.

The second redirection script that this would load is responsible for redirecting the user to the payload (assuming they came via a search engine). Interestingly, this script also checks the OS, choosing to redirect Linux/Mac users to a different site.

  • Mac/Linux: the user is redirected to a suspicious-looking movie download site. (There was no apparent malware on the site at the time of writing.)
  • Windows: the user is redirected to the fake AV site, where they get the usual fake system scan and warning messages.

Detection for the actual fake AV malware installed from this site has been added as Troj/FakeAV-AEA.

I have contacted the admins for the site in question so they can clean up and secure their site against future attacks.


Sure, Google Chrome Frame increases the Microsoft IE attack surface…

… but there’s more to the issue than what’s currently being bickered about.

Google’s Chrome Frame plugin for Internet Explorer is meant to incorporate web 2.0 functionality that the IE browser currently does not support. As reported in this Zero-day article Microsoft fired back claiming that Google’s plugin will double the threat landscape for Internet Explorer users and that they would not recommend this plugin to their relatives. While Microsoft’s statement has some theoretical truth to it — in the superficial conjecture that more code means more vulnerabilities — it naively discounts the beneficial security features the plugin can add to the system.

What’s more important are the implications on social engineering attacks as a result of this Google plugin.

Everyone knows Google. They dominate the Internet search market. People are also used to seeing Google links on tons of other people’s websites, with AdWords sponsored links or Google Maps images. Google is a ubiquitous part of the Internet, or at the very least, a household name.

Given this context, how suspicious might the average web user be when confronted with a page that displays a message to the tune of:

“The page you requested requires this Google plugin. Click here to install…”

Disrupting the web user’s primary task with a “required plugin download” is a common tactic for malware distribution. Among the many attempts are several fake codecs as well as phony Adobe plugins. And the success of this strategy can be inferred by its growing use — note the recent adoption by Koobface malware.

I am confident it won’t be long before we will see spoofed versions of pages like this:

… where all the links point to a malicious download, not just the install button.

As some consolation, Internet Explorer 8 users at least will be well equipped to defend against such attacks, as NSS Labs Q3 Report rates IE8 as vastly superior in the detection of Socially Engineered Malware.


Are that many followers worth it??

I received a notice that I had a new follower on Twitter, so I decided to see who it was. Nope, no one I recognized. I went to check out their page and I saw this:

I knew this was a total scam but decided to check it out anyway. I was directed to a page with a bunch of packages. So there are various levels of followers you can purchase, and varying amounts of time it takes to achieve all of the followers. Now what I thought was amusing was the fake PayPal link. So not only would you be giving them money, but total access to your PayPal account.

I then saw another version of this scam that has an “introductory rate” of $5, but then a monthly billing rate of $99.50. It didn’t steal your credentials, but they asked for all your credit card details, so they could bill your account (along with anything else they wanted to charge on there as well).

Is proving to the world you are one of the “popular kids” really worth that much? Not to me, it isn’t.


ROFL Is This You on Here?

The direct message arrived in my Twitter account: “rofl is this you on here?” followed by a link.

Oh no! Are there embarrassing pictures of me on the Internet? Again?!

After calming down a bit, my cynicism prevails. Let’s see what’s really going on here.

The link itself was to a URL shortener. This one redirects to a page that looks very much like the login page for Twitter. Looking at the browser address bar, however, reveals a non-Twitter URL. In fact, the URL resolves to a server in China.

While some of the hyperlinks on the page point back to Twitter proper, others point to the Chinese site. These are signs of a phishing attempt.

A user trying to log in to Twitter on this page would be sending login credentials to this suspicious server.
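The two signs just described can be checked mechanically. The following is an added example, not code from the Sophos post: it collects the hosts that a page's links point at and the host its login form posts to, and flags the combination of brand links with an off-brand form action. The page URL and HTML are constructed for the example.

```python
# Added example, not code from the Sophos post: a check for the two signs
# described above, links pointing at a mix of hosts and a login form whose
# action posts somewhere other than the brand's own site. The page URL and
# HTML are constructed; a real check would use the page and its final URL
# after following the shortener redirect.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://login-page.example.test/twitter/"   # constructed phishing URL
PAGE_HTML = """<html><body>
<a href="http://twitter.com/about">About</a> <a href="http://twitter.com/tos">Terms</a>
<a href="/signup">Sign up</a>
<form method="post" action="http://login-page.example.test/collect.php">
  <input name="session[username_or_email]"> <input name="session[password]" type="password">
</form></body></html>"""

def _is_brand(host, brand_host):
    """Exact match or a subdomain; avoids 'evil-twitter.com' passing a plain suffix check."""
    return host is not None and (host == brand_host or host.endswith("." + brand_host))

class _LinkCollector(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.form_actions = base, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":   # no action attribute means the form posts to the page itself
            self.form_actions.append(urljoin(self.base, a.get("action") or self.base))

def analyse_login_page(page_url, html, brand_host):
    """Return which hosts the links use and whether the credential form posts to the brand."""
    p = _LinkCollector(page_url)
    p.feed(html)
    link_hosts = {urlsplit(u).hostname for u in p.links}
    action_hosts = {urlsplit(u).hostname for u in p.form_actions}
    return {
        "page_host": urlsplit(page_url).hostname,
        "brand_links": sorted(h for h in link_hosts if _is_brand(h, brand_host)),
        "other_links": sorted(h for h in link_hosts if not _is_brand(h, brand_host)),
        "form_posts_to_brand": all(_is_brand(h, brand_host) for h in action_hosts),
    }

def looks_like_phish(page_url, html, brand_host):
    """Brand links present (to look genuine) but the credentials would go elsewhere."""
    f = analyse_login_page(page_url, html, brand_host)
    return bool(f["brand_links"]) and not f["form_posts_to_brand"]
```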

I was curious what would happen if I typed in a fake user name and password.

Username: DidYouReallyThinkThisWouldWork?

Password: SillyPhisher

Entering this information on the real Twitter page causes it to prompt for the username and password again, hoping to get actual login credentials this time.

Entering the same information on the fake Twitter login page renders the following image:

And as I ponderously stare at this whale and the improbably strong birds, the Chinese server is trying to break into my Twitter account using the username and password I just typed in so that it can send the same message to all my contacts.


BBC sending Nigerian scam?

I don’t often receive spam through my work address and when I do I investigate and block it so our customer can be protected. Imagine my surprise this morning when I received an email from the BBC!

From: Thomas Wellington <bbcheirhunters@bbc.co.uk>
Subject: Across Your Contact

Hello There,

I am writing you from Heir Hunters Company in the United kingdom, Heir Hunters probate detectives looking for distant relatives of people who have died without making a will, here is our website page on BBC TWO News,

http://www.bbc.co.uk/iplayer/episode/b00cfx9y/Heir_Hunters_Series_2_Hilliard/?src=ip_ra

We came across your email while searching and we will be glad if you can get back to us with your full name, date of birth, address and your direct number if it corresponds with the one on our data base in order to enable us carry out necessary process and to get your claim across to you without any delay.

Thomas Wellington. Heir Hunters BBc TWO News E-mail: bbcheirhunters@yahoo.com.hk

A few things in the above email suggested to me that the email was fake even before I looked at the headers.

  • The BBC categorises the Heir Hunters programme as Factual, Life Stories or Money, not News.
  • The capitalisation of BBC is BBC, not BBc.
  • Why would the email address for a UK-based programme be in Hong Kong?

For once the link was genuine though :)


Fake Online AV Scanner Installs Fake AV

Today, SophosLabs witnessed a bogus website offering a fake online AntiAdware scanner. When the website is accessed, it executes JavaScript embedded within the webpage. This script displays a fake progress bar, pretending to scan the victim’s computer. After some time, a warning popup appears, alerting the victim that the computer is infected by several spyware and virus items. It then provides a link which, when clicked, initiates a download of a file named Setup.exe. This file is malicious and is detected by SophosLabs as Troj/FakeAV-ABD. Access to the website has also been blocked in the Sophos Web Appliance.

Moreover, the website was able to change its interface and language depending on your IP address. Here is an example:

In the past few months SophosLabs has highlighted several different tricks [1,2,3,4] used by FakeAV to encourage users to purchase the products. This bogus online AntiAdware scanner is a new variation on the same theme. Users should be wary of online scanners, especially those not affiliated with a known anti-virus/security software company. Also, to avoid becoming a victim, never download any file from websites you are not familiar with.


Fake AV — why I want your FTP credentials

I recently came across a rogue security software (aka “Fake AV”) variant, Troj/FakeAv-AAL, which, in addition to the scareware component, downloads and runs a packet sniffer, Troj/Sniffer-R. After peeling away the encryption layers, the credential-sniffing logic is quite simple. The trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21 — the FTP control port. It captures the host name, user name and password for any outgoing FTP connection, and checks that the user name and password combination is valid by parsing incoming FTP traffic for the ‘login success’ status code. Only the credentials that result in a login success are subsequently reported to a remote server — which currently maps to a known malicious domain associated with rogue security software.
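The same USER/PASS/‘login success’ state machine is what an administrator can use in reverse: replayed over a capture of their own FTP control traffic, it lists exactly which accounts authenticated in cleartext and therefore must be treated as exposed. The following is an added example, not the trojan’s code or anything from the Sophos post; the transcript format and host names are constructed.

```python
# Added example, not code from the Sophos post: the same USER/PASS/230 state
# machine the trojan uses, applied defensively to a captured FTP control
# channel so an admin can list accounts that logged in over cleartext FTP
# (and so must be rotated and moved to SFTP or FTPS). Passwords are dropped.
import re
from collections import namedtuple

# Constructed transcript: "C>" = client command, "S<" = server reply (RFC 959 codes).
SAMPLE_TRANSCRIPT = """\
S< 220 ftp.example.test FTP server ready
C> USER webmaster
S< 331 Password required for webmaster
C> PASS hunter2
S< 230 User webmaster logged in
S< 220 ftp.example.test FTP server ready
C> USER admin
S< 331 Password required for admin
C> PASS wrongpass
S< 530 Login incorrect
"""

# password_seen records that a cleartext password crossed the wire; the value itself is never kept
LoginEvent = namedtuple("LoginEvent", "host user success password_seen")

def audit_ftp_transcript(text):
    """Replay the control channel and return one LoginEvent per login attempt."""
    events, host, user, pwd_seen = [], "?", None, False
    for line in text.splitlines():
        direction, _, payload = line.partition(" ")
        if direction == "S<":
            m = re.match(r"^220[ -](\S+)", payload)
            if m:                                   # new session banner: reset state
                host, user, pwd_seen = m.group(1), None, False
            elif payload[:3] in ("230", "530") and user:   # 230 = logged in, 530 = refused
                events.append(LoginEvent(host, user, payload[:3] == "230", pwd_seen))
                user, pwd_seen = None, False
        elif direction == "C>":
            verb, _, arg = payload.partition(" ")
            if verb.upper() == "USER":
                user, pwd_seen = arg.strip(), False
            elif verb.upper() == "PASS":
                pwd_seen = True                     # note the exposure, discard the value
    return events

def exposed_accounts(text):
    """host:user pairs whose cleartext login succeeded, i.e. credentials that must be rotated."""
    return [f"{e.host}:{e.user}" for e in audit_ftp_transcript(text) if e.success]
```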

The pushers of Fake AV are constantly on the run, and stolen FTP credentials are just one of the tactics used by this wily group of miscreants. The authors are registering new domains and shifting existing domains to new IP ranges on a daily basis — frequently changing the location where their scareware is hosted, thereby avoiding network blacklists for a short time. They are also stuffing their web pages with bogus keywords on hot topics (see Fake AV and Swine Flu) — driving search-engine users unwittingly to their malicious sites.

As highlighted by the malicious advertisements streamed via the NYTimes, there is much to be gained from exposure on legitimate sites. First off, the malware author gains both a new hosting location and search engine traffic by leeching off the existing reputation and user base of the legitimate site. Secondly, not only is the entire user base of the website exposed to any embedded malicious links, the users are likely less sceptical while browsing a site they already trust, and perhaps more likely to fall victim to the phony scareware warnings.

As suspected with the recent Gumblar SQL injection attacks, stolen FTP credentials can lead to widespread compromise of legitimate sites. Let this be a reminder to all website administrators out there: be a good network citizen and make sure your server, and any machine you use to administer it, is secure and up-to-date.


Update on the New York Times malicious ads attack

As you have probably read in Graham’s blog, over the weekend attackers managed to poison an ad stream such that users browsing the New York Times website were hit with malware (see New York Times alert).

This attack provides a perfect demonstration of how injecting malicious content into ad content is a powerful way of hitting a large audience. Inspecting the ad script earlier this morning revealed it was still serving up malicious content.

Those who have read Troy Davis’ analysis of this attack over the weekend will notice the .cn site used in the redirect is different. Instead of ‘sex-in-the-city.cn’ we now have ‘russell-brand.cn’ (though both appear to be hosted on the same IP). Similarly, the rogue security site to which the user is ultimately redirected is now ‘online-antivir-scan09.com’.

The scripts used on the rogue security site to trick the user into downloading and installing the fake AV malware were proactively detected as Mal/FakeAvJs-A. Additionally, Troj/FakeAV-AAS and Troj/JSRedir-W detections have been added for the fake AV malware and the malicious ad content respectively. And of course, the rogue sites used in the attack are all suitably blacklisted for those using the Sophos Web Appliance.

Update: As of 2pm GMT, the ad content appears to no longer contain malicious content.


Newsletter Templates in Spam

Today we saw a Viagra campaign hitting our spamtraps. It’s not unusual to see Viagra campaigns; the notable aspect is the different tactics the spammers are implementing to evade spam filters [1,2].

In today’s case we saw spammers using newsletter templates in their emails. Online newsletters are the most common mechanism organisations use to keep their customers up to date. Spammers are exploiting this technique to evade spam filters and fool users by trying to appear legitimate.

To make this look more authentic, they also include useful-looking links at the bottom of the mail. If you click on any of the URLs, believing this to be a legitimate newsletter, you will land on this Canadian pharmacy page.

Sophos successfully blocks this campaign. Next time you see unsolicited emails with legitimate newsletter templates think twice before you click on the links.


‘Shipping confirmation’ malware.

On the surface things would appear to have been fairly quiet so far today. Not too many samples requiring attention and not much in the way of new, aggressive spam campaigns. But in terms of malware distribution, today has just been business as usual. Thankfully proactive detections are thwarting the attackers’ efforts.

The mass-spamming of Bredo variants has continued all morning, with messages now using a shipping confirmation theme, evolving from the previous DHL and UPS messaging.

The message within the spam entices the recipient to open the ZIP attachment, for example:

Thankfully, Sophos customers are protected from this threat - in addition to blocking the messages as spam, the malware itself is proactively detected (as Mal/Bredo-A, Mal/BredoZp-A and Troj/BredoZp-C).

If the malware were to be executed on an unprotected machine, it would proceed to report home for further commands. This ‘callhome’ would be blocked for customers running the Sophos Web Appliance - the remote site is already known and classified as a C&C point. Job done.