Threat Spotlight

For the week of 08 Mar 2010
Threat 1

More FakeAV hides in encrypted attachments

Threat Name:

Malware: Mal/EncPk-NP

Also Known As:

  • Kaspersky: Trojan.Win32.FraudPack.amxs
  • Avira: TR/FraudPack.amxs
  • McAfee: FakeAlert-XPSecCenter
  • Microsoft: Trojan:Win32/FakeRean
  • Symantec: AntiVirus2010
  • Trend: TRAJ_FRAUDPAC.NN

About:

Mal/EncPk-NP is a malicious program that contains highly obfuscated code that has been encrypted and compressed. This program typically arrives as an email with an attachment that tries to entice the user to open the malicious file attachment using various social engineering tricks.

This program can:

  • Download code from the internet
  • Steal user credentials
  • Sell fake anti-virus software

Recently, Mal/EncPk-NP arrived as an email attachment in a variety of ways. A typical email containing this malware appears as follows:

Subject: A new settings file for the <email address of the user> has just be released.
Message body:
Dear use of the <some domain> mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox <email address of the user> settings were changed. In order to apply the new set of settings open attached file.
Best regards, <some domain> Technical Support.
Attached file: settings.zip
Threat 2

Energizer USB charger malware

Also Known As:

  • Kaspersky: Trojan.Win32.Arugizer.a
  • Avira: BDS/Arurizer.A
  • McAfee: Generic BackDoor.u
  • Microsoft: Backdoor:Win32/Arurizer.A

Further Reading:

About:

Troj/Bckdr-RBF shipped with the Energizer USB battery charger installation file — UsbCharger_setup_V1_1_1.exe — which was downloadable from Energizer's website on March 5, 2010. The installation program uses Inno Setup technology and has a digital signature on it with a timestamp of 31 July 2007. (Note: The software has not passed the Windows Logo testing according to a Windows popup dialog during the installation.)

The backdoor components of the Trojan will be registered to start every time Windows starts, even if the Energizer application isn't running:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Arucer
rundll32 C:\WINDOWS\system32\Arucer.dll,Arucer

The backdoor will be extracted to %WINDOWS%\System32 directory as Arucer.dll. When started, it creates a mutual exclusion (mutex) and window class called “liuhong-061120.” It also creates a thread and listens on port 7777 (0x1E61) for remote instructions.

The attacker can perform the following commands:

  • Delete a particular file from the compromised machine
  • Run a particular file on the compromised machine
  • Set an arbitrary value for the following registry to autostart:
    SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce svchost
  • Perform a recursive search in a particular folder and get the result

The instructions are XOR-encoded with key 0xE5 and the backdoor uses in-place decryption when processing an instruction. The attacker will get either 'NO' or 'OK' response depending on the result of command executed.

The backdoor includes standard C functions of MSVCRT.dll. This DLL is reportedly for Visual C++ 4.2 to 6.0, which reflects the backdoor written long time ago. The backdoor has a timestamp of 10 May 2007.

Threat 3

"Canadian" pharmacy spammers moving from China to Russia

About:

Messages offering discounts on "Canadian" pharmaceuticals traverse the internet by the millions, decreasing responsiveness to legitimate traffic at all network levels. People who respond to these messages are signed up to more spam and become subject to identity theft; those who purchase are subject to further identity theft and fake or misrepresented products.

Though this threat originates from Russian "Canadian Pharmacy" companies and their affiliates, it is distributed worldwide, with most campaigns targeting U.S. citizens. "Canadian Pharmacy" spam has been pandemic for a number of years, and has grown to be a significant percentage of all email sent. Recently, the spammers have had to move off of their Chinese call-to-action domains and have become more creative in the structure and the delivery of their messages.

Due to the volume of messages the spammers send out, they need only a small percentage of responses to be profitable. Offloading the message distribution to botnets decreases cost of distribution and automating message generation means few man-hours are needed to manage the campaign.

Some tricks that the spammers use:

  • Use of botnets to distribute the spam
  • Affiliate sites registered daily on "disposable" domains
  • Hashbuster paragraphs – essentially “white noise” in email text added to make it seem less offensive to anti-spam filters)
  • Use of newsletter-style templates with random words/non-words for the template text
  • Short call-to-action paragraphs with dynamically generated generic text linking to affiliate sites
  • Images advertising the pills linked to call-to-action domains
  • Images rotate between varying styles, and have a hashbusting random noise generated background
  • Images hosted on multiple free image hosting services
  • Images included in message content

As the graphs show, China's tightened policies around domain registration do make an impact in spam distribution. Specifically, China now requires proof of Chinese citizenship in order to register .cn domains -- non-Chinese individuals and companies can no longer register a .cn domain. If other countries follow suit with their domain policies, this style of spam will become cost-prohibitive and will likely vanish.

Subject Line Samples:

### Monthly Sale, |emailid! Exclusive 80% off ###
For you only, emailid. Best 84% off prices
Help yourself being more sensual
Sales Event get 77% off
Special Discount 73% for emailid@domain.com
Surprise for emailid! 73% Off right now
Your Future Order with 76% off retail
© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy