Antivirus and Security Software from Sophos


Another FakeAV, for Windows 7!

With Windows 7 becoming increasingly popular, more and more software companies are upgrading their interfaces for the latest Microsoft operating system. Manufacturers seem to understand the need for an attractive user interface. However, not all software behaves as well as it looks.

Today, I saw a Fake Antivirus program with a newer, more jazzed up interface, which we detect as Troj/FakeAle-RK.


This malware specifically targets Windows 7 users and appears as a pop-up dialog box claiming that the Windows 7 PC is riddled with serious threats. When the user clicks “Remove all Threats immediately”, a second pop-up asks them to download a file called win_protection_update.exe.

This file is malicious and is yet another Fake Antivirus program, which we proactively detect as Mal/FakeAV-AA.

Needless to say, the user is then offered the option of paying to renew an ‘expired’ license, which supposedly fixes all of the computer’s ‘problems’. Those problems were never there in the first place.

The interesting thing is that the malware’s author has made a careless spelling mistake (see the red circle in the screenshot).

Obviously, I won’t enter my credit card details at all. Neither should you.



Scam of the Day - Bredos targeting Facebook

Today we have seen a surge in emails pretending to be from the social networking site Facebook.

The message claims that Facebook has changed the user’s password to improve security and that the new password is in an attached document. The message looks like this:

Hey XXXXXXX ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team.
------------5GHH3B84G384ABF1
Content-Type: application/zip; name="Facebook_details_345.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Facebook_details_345.zip"
UEsDBBQAAAAIAPSxcTxpN05+ldoAAAD4AAAYAAAARmFjZWJvb2tfZGV0YWls
c18zNDUuZXhllPZjsDBczC0IHp/zHNu2bdu2bdu2bdu2bdu2bc57vzvdNVM9
VdOdqlSSnbXXTvInW0YzHgAcAAAA5D/9+wMAMFMAAIiuBQDgB/j/L/7/KTtc
ZXFhnhANTySV9AyBsrmFE769o52Zo4ENvpGBra2dM76hCb6jiy2+hS2+sJwS
vo2dsQktDAwk8f+bQ14EAEAaEBgAdPJS9P/g3QeAA4QCRAD+zwEAwP9P6QEB

The attachment is called “Facebook_details_<some number>.zip”. It is malicious and should not be opened.

Sophos detects the zip file as Troj/BredoZp-AD and the executable inside it as Troj/Bredo-BN.
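The message above carries the attachment as a base64-encoded MIME part, and the first bytes of that part are a ZIP local file header. As an added example (not SophosLabs tooling), the following Python script pulls the attachment out of such a part, decodes it, confirms the ZIP signature and walks the local file headers to list what is inside, deliberately ignoring the central directory, which sits at the end of the archive and is missing when the body is truncated (as on this page) or easily faked in a crafted archive. The sample MIME part is the one quoted above with only the two base64 lines the page shows; the second archive is constructed with zipfile to show a full walk over several members. The list of executable extensions is an assumption for the example.

```python
import base64
import io
import re
import struct
import zipfile

# The MIME part quoted in the post, with the first two base64 lines of the attachment
# body as they appear there (the rest of the body was cut off, so the archive is truncated).
SAMPLE_MIME_PART = """Content-Type: application/zip; name="Facebook_details_345.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Facebook_details_345.zip"

UEsDBBQAAAAIAPSxcTxpN05+ldoAAAD4AAAYAAAARmFjZWJvb2tfZGV0YWls
c18zNDUuZXhllPZjsDBczC0IHp/zHNu2bdu2bdu2bdu2bdu2bc57vzvdNVM9
"""

# Extensions Windows will execute directly; the list is an assumption for the example.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

# ZIP local file header: signature, version, flags, method, mod time, mod date,
# crc32, compressed size, uncompressed size, filename length, extra length (30 bytes).
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def decode_attachment(mime_part):
    """Return (filename, raw bytes) for a base64-encoded MIME attachment part."""
    headers, _, body = mime_part.partition("\n\n")
    match = re.search(r'filename="([^"]+)"', headers)
    filename = match.group(1) if match else None
    b64 = "".join(body.split())            # join the wrapped base64 lines
    b64 = b64[: len(b64) - len(b64) % 4]   # drop a dangling partial quantum from truncation
    return filename, base64.b64decode(b64)


def walk_local_headers(data):
    """List archive members by walking the local file headers from the start of the data.

    The central directory is not consulted: it is absent in a truncated body and
    trivially forged in a crafted archive, while the local headers are what the
    extractor actually reads.
    """
    members, offset = [], 0
    while data[offset:offset + 4] == b"PK\x03\x04" and len(data) >= offset + LOCAL_HEADER.size:
        (_sig, _version, flags, method, _time, _date, crc, comp_size, uncomp_size,
         name_len, extra_len) = LOCAL_HEADER.unpack_from(data, offset)
        raw_name = data[offset + LOCAL_HEADER.size: offset + LOCAL_HEADER.size + name_len]
        if len(raw_name) < name_len:
            break                               # the header itself is cut off
        encoding = "utf-8" if flags & 0x800 else "cp437"
        members.append({"name": raw_name.decode(encoding, "replace"), "method": method,
                        "compressed": comp_size, "uncompressed": uncomp_size, "crc32": crc})
        if flags & 0x08:
            break   # sizes live in a trailing data descriptor; cannot skip to the next header
        offset += LOCAL_HEADER.size + name_len + extra_len + comp_size
    return members


def suspicious_reasons(members):
    """Reasons to block the attachment; an executable inside a 'document' archive is the classic lure."""
    return [f"executable inside archive: {m['name']}"
            for m in members if m["name"].lower().endswith(EXEC_EXTENSIONS)]


def analyse_mime_part(mime_part):
    """Decode the part, confirm it is a ZIP and report its members and any reasons to block it."""
    filename, data = decode_attachment(mime_part)
    if not data.startswith(b"PK\x03\x04"):
        return {"attachment": filename, "members": [],
                "reasons": ["declared as ZIP but not a ZIP archive"]}
    members = walk_local_headers(data)
    return {"attachment": filename, "members": members, "reasons": suspicious_reasons(members)}


def build_sample_zip():
    """Constructed, complete archive (not the real attachment) to show the walk over several members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("readme.txt", "nothing to see here\n")
        archive.writestr("Facebook_details_345.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    report = analyse_mime_part(SAMPLE_MIME_PART)
    print(report["attachment"], "->", [m["name"] for m in report["members"]], report["reasons"])
    print([m["name"] for m in walk_local_headers(build_sample_zip())])
```

Run against the quoted part, the walker recovers the first member’s name, Facebook_details_345.exe, from the 90 bytes the page preserves, which is all a mail gateway needs to refuse the message: a zip that claims to hold “details” but contains an executable is a lure regardless of what the executable turns out to be.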



Troj/JSRedir-AU: Troj/JSRedir-AK redux?

Late last year I blogged about Troj/JSRedir-AK and how prevalent it was, accounting for roughly 40% of web-based malware. Earlier this year I mentioned that it had changed, and late last month I saw that it had changed again, into Troj/JSRedir-AU.

The infection numbers for Troj/JSRedir-AR and Troj/JSRedir-AU haven’t been quite as impressive as those for Troj/JSRedir-AK, but the compromised sites have included several high-profile victims. This morning, for instance, one of our Sophos web security appliances alerted me to an infection on a major European newspaper’s site, and earlier in the week Sophos notified a Dutch menswear outfitter of an infection on one of its sites.

The outfitter, after being notified, did not want ‘our help’ and three days later still hasn’t cleaned up its website.

As the screenshot shows, this is another case of an old website redirecting to the new site, with extra malware on the side.

The malicious code, like the previous examples Troj/JSRedir-AK and Troj/JSRedir-AR, comes in two distinct forms:

  • injected into HTML files as a malicious <SCRIPT> tag
  • appended to existing JavaScript files

The code snippet in the screenshot contains:

var Y=F('89910918991021',"129")

The code has a function F which uses the second string to perform a substitution on the first string: every character that appears in the second string is removed from the first. The equivalent in Perl:

        #!/usr/bin/perl
        # Pull the two arguments out of each F('...', "...") call on stdin and
        # strip every character of the second string from the first.
        use strict;
        use warnings;

        while (<>) {
            if (/F\('([a-zA-Z0-9]+)'\s*,\s*"([a-zA-Z0-9]+)"/) {
                my $one = $1;
                my $two = $2;
                # $two is interpolated as a character class; the capture above
                # restricts it to alphanumerics, so no class metacharacters can sneak in.
                $one =~ s/[$two]//g;
                print $one . "\n";
            }
        }

The other variable in the image, w, holds the malicious site the code redirects to.
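The Perl above decodes a single call fed to it on stdin. As an added example (not SophosLabs tooling), here is a Python scanner that walks a mirror of a site’s files for the same F('...', "...") call, records which of the two injection forms it was found in (a script tag inside an HTML file, or code appended after the legitimate contents of a JavaScript file) and strips the second argument’s characters from the first exactly as the Perl does. The sample files are constructed; the F() arguments are the ones quoted in the post. What the resulting digit string goes on to encode is not shown on the page, so the scanner stops at that string.

```python
import re

# The obfuscation call seen in the injected code: F('<digits>', "<characters to strip>").
F_CALL = re.compile(r"""F\(\s*'([A-Za-z0-9]+)'\s*,\s*"([A-Za-z0-9]+)"\s*\)""")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
HTML_EXTENSIONS = (".htm", ".html", ".php", ".asp", ".aspx")

# Constructed site files (not the real injected code). The F() arguments are the ones
# quoted in the post; the surrounding markup and script are made up for the example.
INJECTED_CALL = """var Y=F('89910918991021',"129");"""
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1>\n<script>" + INJECTED_CALL + "</script></body></html>\n",
    "js/menu.js": "function showMenu(id){document.getElementById(id).style.display='block';}\n"
                  + INJECTED_CALL + "\n",
    "js/clean.js": "var counter = 0;\n",
}


def decode_f(first, second):
    """Reproduce F(): delete every character of `second` from `first`."""
    junk = set(second)
    return "".join(ch for ch in first if ch not in junk)


def _finding(name, form, text, offset, call):
    return {"file": name, "form": form, "line": text.count("\n", 0, offset) + 1,
            "decoded": decode_f(call.group(1), call.group(2))}


def scan_file(name, text):
    """Findings for one file, labelled with which of the two injection forms matched."""
    findings = []
    if name.lower().endswith(HTML_EXTENSIONS):
        for block in SCRIPT_BLOCK.finditer(text):
            for call in F_CALL.finditer(block.group(1)):
                findings.append(_finding(name, "script tag injected into HTML", text,
                                         block.start(1) + call.start(), call))
    else:
        for call in F_CALL.finditer(text):
            # "Appended" means nothing but whitespace or a semicolon follows the call.
            trailing = text[call.end():].strip(" \t\r\n;")
            form = "appended to JavaScript file" if trailing == "" else "inserted into JavaScript file"
            findings.append(_finding(name, form, text, call.start(), call))
    return findings


def scan_site(files):
    """Scan a {path: content} mapping (e.g. a local copy of the site) and return all findings."""
    return [finding for name, text in sorted(files.items()) for finding in scan_file(name, text)]


if __name__ == "__main__":
    for finding in scan_site(SAMPLE_FILES):
        print(f"{finding['file']}:{finding['line']} {finding['form']} -> {finding['decoded']}")
```

Because the infections described here arrive over FTP with stolen credentials, the practical use is to run the scan over a fresh download of the whole document root rather than over the pages a browser happens to fetch: the appended form in particular only shows up in .js files that few people ever open.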

When infected website owners have talked to us, we have been able to trace the source of the infection to compromised FTP credentials.



The Dangers Of Freebies

The internet is rife with free tools for almost anything: free HTML web editors, free applications, free games and so on.

We’ve all been in this situation. Out of curiosity, or a bout of “affluenza” (also known as “I-GOTTA-HAVE-IT-NOW-NO-MATTER-WHAT”), we are tempted to install some of these free tools and applications from the web.

The unfortunate problem with freebies is that unless you know where the download comes from and whether the author who created the application is credible, you are entirely at the mercy of that author once you choose to download and install the application.

To make matters worse, some download websites don’t check or verify every application uploaded to them. Some don’t even run an anti-virus scan over the uploads.

Take a look at this piece of software, touted as a web tool, that was obtained from a download website.

This tool was supposed to be an HTML editor, but on running it something was clearly wrong: no trace of the program appeared. That should be a giant red flag that something is horribly amiss. Worse, unless you happen to know what to look for, you’d be hard pressed to find out what activity or system changes have taken place on your computer (click on the picture below for a clearer image of the registry entry made by this Trojan).

In this case, the backdoor Trojan (Troj/Bifrose-ZI) manifested itself as a file in the Windows System folder and created a registry entry to run itself at the next startup (notice how difficult it is to know what to look for, and where). You now have a backdoor Trojan active on your computer that a remote intruder can use to gain access to it. The malicious activity that can follow ranges from using your computer to download more malware, to turning it into a botnet zombie, to stealing confidential information, and so on. You get the idea.
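Knowing where to look is the point of the paragraph above: a file in the system folder plus a Run-key entry is enough to survive a reboot. As an added example (not Sophos’ code), the following Python script reads a `reg export` of the Run keys, pulls the program path out of each command line (quoted paths, unquoted paths with arguments, %SystemRoot% expansion) and marks the entries an analyst should check first: anything launched from the Windows system folder or from a user-writable folder. The registry export is constructed for the example and the value names and paths in it are hypothetical; the install drive assumed for %SystemRoot% is C:. The note on a flagged entry says “confirm”, not “malicious”, because legitimate components do occasionally persist this way; the flag tells you where to spend verification effort (publisher signature, hash lookup), not what the verdict is.

```python
import re

# Constructed `reg export` output for the two Run keys most autostart checks begin with
# (reg export writes UTF-16; decode the file before passing the text in). Value names and
# paths are hypothetical; the "Updater" entry mimics the post's description of the Trojan,
# a file dropped into the Windows System folder and registered to run at the next startup.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="\"C:\\Program Files\\Example Audio\\AudioTray.exe\" /tray"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="%SystemRoot%\\system32\\wupdmgr32.exe s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\system\\")
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\application data\\", "\\local settings\\")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string value"


def unescape_reg(text):
    """Undo .reg quoting: a backslash escapes the following character (\\ and \")."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text):
    """Return (key, value name, command line) for string values under Run/RunOnce keys."""
    current, entries = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        match = VALUE_LINE.match(line)
        if current and match and current.lower().endswith(RUN_KEY_SUFFIXES):
            entries.append((current, unescape_reg(match.group(1)), unescape_reg(match.group(2))))
    return entries


def executable_from_command(command):
    """Pick the program out of a Run value's command line: the quoted path, or the path up to the first .exe."""
    command = re.sub(r"%(?:SystemRoot|windir)%", lambda m: r"C:\Windows", command, flags=re.I)  # assumed drive
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(?=\s|$)", command, re.I)
    return match.group(1) if match else command.split()[0]


def triage_run_keys(reg_text):
    """One dict per autostart, with a note on the entries worth verifying first."""
    results = []
    for key, name, command in parse_run_entries(reg_text):
        exe = executable_from_command(command)
        lowered = exe.lower()
        if any(d in lowered for d in SYSTEM_DIRS):
            note = "launched from the Windows system folder: confirm publisher signature and hash"
        elif any(d in lowered for d in USER_WRITABLE_DIRS):
            note = "launched from a user-writable folder: confirm what installed it"
        else:
            note = ""
        results.append({"key": key, "name": name, "command": command, "exe": exe, "note": note})
    return results


if __name__ == "__main__":
    for entry in triage_run_keys(SAMPLE_REG_EXPORT):
        flag = " <-- " + entry["note"] if entry["note"] else ""
        print(f"{entry['name']:10} {entry['exe']}{flag}")
```

To produce the input on the machine under investigation, run `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run_hklm.reg` and the HKCU equivalent, then concatenate the decoded text. The same Run keys under Wow6432Node, the RunOnce keys and the Winlogon and Services keys are further places a persistence entry can hide; the parser only needs the suffix list extended to cover them.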

If you’re an avid internet user who loves downloading freebies, this article should scare you, and rightly so. All that glitters is not gold, as they say.

Great. So how do we protect ourselves against such scams and malware?

For one, I have always believed in the KISS (Keep It Simple Stupid) principle.

Before you download any application, pause and think whether you really need that software or whether it’s just going to add more “bloat” to your computer (you know a piece of software is bloatware when you haven’t touched it in the last six months). If you’re uncertain, step away from the computer for a few moments to think it over. Never download free software on a moment’s whim.

Last but not least, when you’re browsing the web always check that your anti-virus software is running and your firewall is enabled, and make sure both are updated regularly.



IMF money-making scam

I have seen a lot of these lately. The one currently doing the rounds tries to dupe the reader into thinking that the International Monetary Fund (IMF) wants to use their bank account to transfer money meant for charity.

 

In the email, the IMF (supposedly) wants to transfer $10 million into the reader’s account via NatWest Bank. The contact details given for the bank are as follows:

Name: Mr. Donald Miller (Co-founder)
Office Address: 11 El Shams Bldgs., 8th District Nasr City
E-mail: Bernisecharityfoundationimf 'at' gmail.com
Tel: (+44) 7031-939-750
Fax: (+44) 7011830323


Some things to notice:

1. Fake e-mail addresses - both of the addresses mentioned in the message (Intmonetaryfunds ‘at’ aol.com and Bernisecharityfoundationimf ‘at’ gmail.com) are at common free e-mail providers, not at the IMF or the bank.

2. The letter is not addressed to anyone. Surely if the IMF wanted you to have $10 million, they would know your name?

Be very careful of such scams. They are on the rise and are made to look extremely enticing. Never divulge your personal details; simply delete such e-mails.



A Change From Dirty Laundry…

Yesterday evening my student daughter arrived home for the weekend bringing a bag full of laundry, one full of books and, for a change, the laptop belonging to one of her housemates.

It seems that towards the end of last year the impoverished student could not afford to renew his AV subscription, and since it lapsed he has, in effect, been unwittingly running a malware honeypot on his laptop.

Fortunately for him, he picked up a particularly vicious FakeAV last week. The spoofed alerts and flashing warnings alarmed him, but since he could not afford to pay the ransom to the bad guys he ignored them. Being unable to visit several legitimate websites irritated him, but it was not until the FakeAV blocked his access to iTunes that he began complaining loudly to the whole household, at which point my daughter called me for advice.

“Bring the laptop home and I’ll see what can be done” was my suggestion.

So while a colleague and I have been working on this sunny Saturday, the dirty laptop has been receiving some rather special attention here at SophosLabs. I’m pleased to report that the months of accumulated malware were all detected by Sophos and that the laptop is now clean. What’s more, it should remain clean, since it is now running an up-to-date anti-virus package.

It was fortunate for my daughter’s housemate that he picked up such a visible piece of malware, one that loudly announced its presence to the whole household a few days before she had planned to come home for this Mother’s Day weekend.

So all’s well that ends well.

But I can’t help wondering how many other youngsters are running the risk of surfing the internet without the safeguard of a good anti-virus tool, and just how much malware they may unwittingly be spreading. Perhaps we parents should take responsibility for teaching our offspring the Facts of Online Life, and first and foremost should be the golden rule: do not surf without protection.



Phishing craigslist - but is it malware?

Malware has traditionally been easy to spot and classify, mainly because it was created to serve a specific nefarious purpose and nothing else. In the ongoing arms race between malware authors and the security industry, stealth and other ‘hiding in plain sight’ techniques are emerging as clear favourites.

A case in point is a recent Craigslist phish disguised as a phone update. There is nothing new about malware pretending to be something it isn’t, but that’s not where the story ends. Examining the executable shows that it is nothing more than a RAR self-extracting (SFX) archive, and thus not inherently malicious.

Contained within the archive are two seemingly innocent files: a HOSTS file and an internet shortcut (.url file). The shortcut points to craigslist and draws little or no suspicion when scanned in isolation. The HOSTS file likewise contains mappings for various craigslist sub-domains, but without prior knowledge of the state of the HOSTS file, or dynamic resolution of the domains, it is difficult to tell whether the mappings are legitimate (especially when the file is considered in isolation).

When deployed as a complete package, however, the HOSTS file remaps craigslist to some other IP address, so that when the internet shortcut is launched it goes somewhere other than its stated destination: in this case, a craigslist phish requesting login details.

So is it malware? Are any of the components malware? Clearly, when these benign components act in unison, malicious behaviour is observed [1], but what about detection?

Traditional signature-based malware detection is plainly unable to deal with such multi-component threats. What is needed instead is a wider, context-based observe-correlate-classify approach that draws on a variety of information sources, such as reputation, nearest neighbour and behaviour.
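The observe-correlate-classify idea can be made concrete for this particular package. As an added example (not Sophos’ detection logic), the Python below parses the two components the post describes, a HOSTS file and a .url internet shortcut, and reaches a verdict only from their combination: the shortcut’s hostname resolved through the HOSTS file instead of DNS. Each component scanned alone stays benign, which is the point of the post; together they are classified as a phish when the shortcut’s host is sent to a routable address. The HOSTS and .url contents are constructed stand-ins (the craigslist names appear because the post names the target; 192.0.2.10 is a documentation-range address chosen for the example, not the attacker’s IP), and the loopback/0.0.0.0 exemption is an assumption so that ad-blocking HOSTS files are not flagged.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the two files in the archive (not the real ones).
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
192.0.2.10      craigslist.org
192.0.2.10      www.craigslist.org
192.0.2.10      sfbay.craigslist.org
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
SAMPLE_URL_FILE = """[InternetShortcut]
URL=http://www.craigslist.org/
"""


def parse_hosts(text):
    """Map each hostname in a HOSTS file to its address, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping[name.lower()] = address
    return mapping


def shortcut_target(text):
    """The URL a .url internet shortcut (an INI file) opens."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser["InternetShortcut"]["URL"]


def routable_overrides(mapping):
    """HOSTS entries that send a name to a routable address.

    Loopback and 0.0.0.0 sinkholes are what ad-blockers and parental filters write, so
    they are left out; a public name pointed at a routable address is the rare case.
    """
    overrides = {}
    for name, address in mapping.items():
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue
        if name.startswith("localhost") or ip.is_loopback or ip.is_unspecified:
            continue
        overrides[name] = address
    return overrides


def classify_package(hosts_text, url_text):
    """Judge the two components together: benign apart, a phish when the shortcut's host is hijacked."""
    mapping = parse_hosts(hosts_text)
    url = shortcut_target(url_text)
    host = (urlsplit(url).hostname or "").lower()
    overrides = routable_overrides(mapping)
    return {
        "url": url,
        "host": host,
        "hijacked_to": overrides.get(host),
        "routable_overrides": overrides,
        "verdict": "phish" if host in overrides else "benign",
    }


if __name__ == "__main__":
    print(classify_package(SAMPLE_HOSTS, SAMPLE_URL_FILE))
    print(classify_package(CLEAN_HOSTS, SAMPLE_URL_FILE)["verdict"])
```

Two caveats belong with this check. A HOSTS override can only hijack a plain http:// shortcut cleanly; against an https:// URL the impostor cannot present a valid certificate for the hijacked name and the browser warns, so the attacker needs the user to click through. And corporate images sometimes pin internal names in HOSTS for real reasons, so routable overrides are a strong signal on a home machine and only a lead on a managed one.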

Because matches don’t start fires, people do!



Internet Explorer 0-day targeted in spam runs

Hot on the heels of yesterday’s Patch Tuesday announcements (see blog or links to vulnerability assessment pages) came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).

While checking through some URLs reported to be serving malicious code that exploits this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick recipients into visiting rogue web pages. The messages used at least two social-engineering tricks to lure victims into clicking the malicious link:

  • the tried and tested “delivery failed, please confirm address details” messages
  • request for details confirmation for insurance quote

Example messages are shown below.

In either case, clicking on the link takes the victim to a web page that kickstarts the infection process.

Generic detection for the exploit scripts seen so far has been added as Troj/ExpJS-R. A script that queries the browser and OS version before loading the exploit script (or redirecting to a games site) has been added as Troj/JSRedir-AW.

The payloads installed in such attacks are of course liable to change, but those seen so far have been either proactively detected as Mal/Dropper-Y or added as Troj/Dloadr-CYS.

SophosLabs will continue monitoring for new attacks that try to exploit this vulnerability. In the interim, aside from keeping your protection up to date, take note of the following from the Microsoft announcement:

Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected.

If you are an IE user and have not yet upgraded to version 8, take the hint! It is strongly recommended that you do so. Aside from not being affected by this particular issue, you are otherwise missing out on a whole bundle of other security features.

The SophosLabs vulnerability assessment page for the IE 0-day vulnerability will be updated accordingly.



Patch Tuesday Continues.. Now With IE Vulnerability!

This patch Tuesday had been quiet, perhaps too quiet.

It turns out there is also a new advisory for Internet Explorer.

For a more complete list, please see the SophosLabs Vulnerability Analysis page.



March Patch Tuesday …. pay attention Mac users

This Patch Tuesday has been relatively quiet, with Microsoft issuing only two bulletins, both of which it rates as merely Important.

Privately disclosed vulnerabilities in Movie Maker, Microsoft Producer and Excel could lead to remote code being executed with the same privileges as the current user.

Apple users take note: Microsoft Office 2004 and Office 2008 for Mac are affected by MS10-017. Mac users of Microsoft Office will therefore need to download and install an update to protect themselves.

Unfortunately, today’s patches do not address the VBScript remote code execution vulnerability in Internet Explorer described in Microsoft’s advisory from the first of this month (Advisory 981169).

For more information about these threats, please see the SophosLabs Vulnerability Analysis page.

