Threat Spotlight

For the week of 11 Jan 2010
Threat 1

Widespread fraud against World of Warcraft players

Threat Name:

Phishing campaign

Users at Risk:

World of Warcraft players

About:

Another day, another phishing campaign to steal World of Warcraft (WoW) account credentials from unsuspecting gamers. A new round of spam messages, purporting to be World of Warcraft service messages from Blizzard Entertainment, prompts the user to click a link to log into their WoW/Battle.net account and review their information. The link leads to a fake copy of the login site, which records the account name and password on the phisher's server and then forwards the user to the official site, so the victim sees nothing unusual.

This campaign uses a large volume of randomized Call-to-Action (CTA) domains: ten to twenty new domains are added each day, and older domains are still in use a month later. The messages are stitched together from legitimate and legitimate-sounding text taken from Blizzard Entertainment. By sending through botnets and a popular webmail system, the phishers borrow the sender reputation of the originating IP addresses and of the mail transport, which helps the messages get past reputation-based filtering.
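With ten to twenty fresh CTA domains a day, a blocklist of known phishing domains is always behind; the check that does not go stale is the reverse one, an allow-list of the domains Blizzard actually uses. The following Python script is an added example, not part of the Sophos write-up or any Blizzard tooling: it extracts the links from a message body and flags any whose host is not an official domain or a subdomain of one. The allow-list is an assumption (battle.net and blizzard.com are named above; worldofwarcraft.com is added), and the sample message and its two non-official hosts, which use the reserved .example TLD, are constructed for the example.

```python
"""Flag links in a suspected Blizzard/WoW phishing message whose host is not an
official domain.  Added example, not Sophos or Blizzard code."""
import re
from urllib.parse import urlparse

# Assumed allow-list: battle.net and blizzard.com are named in the write-up;
# worldofwarcraft.com is an assumption added here.
OFFICIAL_DOMAINS = ("battle.net", "blizzard.com", "worldofwarcraft.com")

# Good enough for plain-text bodies and href values; stops at whitespace/quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official(url):
    """True only if the link's host is an official domain or a subdomain of it.

    urlparse().hostname drops userinfo and the port, so a link written as
    http://battle.net@login.example/ resolves to login.example here, and the
    suffix test is anchored on a dot so battle.net.account-verify.example
    fails too.
    """
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def suspicious_links(body):
    """Every link in the body whose host is not official, in order of appearance."""
    return [url for url in URL_RE.findall(body) if not is_official(url)]


# Constructed body modelled on the lure; the non-official hosts use the
# reserved .example TLD and are not domains from the real campaign.
SAMPLE_BODY = """Greetings,

It has come to our attention that you are trying to sell your personal
World of Warcraft account. Please log in to review your account details:

http://battle.net.account-verify.example/login

If you need help, visit https://us.battle.net/account/ or
http://www.blizzard.com/support/ and follow the instructions there.

Account management: http://battle.net@login.example/

Blizzard Entertainment
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_BODY):
        print("SUSPICIOUS:", link)
```

The two tricks the sample exercises are the ones a quick visual check misses: an official name used as a subdomain of the phisher's domain, and an official name placed in the userinfo part before the @. Both are rejected because the comparison is made on the parsed hostname, never on the raw string.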

The CTA domains are hosted in China and use nameservers in several countries. In China: xinnet.cn (the majority), hichina.com, bigwww.com, superdns.org, cdnhost.cn, 35inter.com, myhostadmin.net and cdncenter.com. In the USA: domaincontrol.com, namecheaphosting.com and yahoo.com.

All messages originate from DSL addresses in China and Korea, across all major ISPs, and are sent through Hotmail's web interface. This implies that the messages are being sent via a regional botnet of compromised home computers. Though the messages are in English, the campaign targets known active email addresses worldwide.

After stealing users' WoW account names and passwords, the senders can profit from item theft, character theft and account/identity theft. They are likely reselling items, characters and personal information for real-world profit; for example, a number of popular resale sites sell WoW accounts for $200 to $500 each.

These and similar World of Warcraft campaigns have been going on for months. However, starting in mid-December, the number of variants (counted by unique domain names and message contents) increased dramatically, and the contents are increasingly similar to the text found in legitimate notifications from Blizzard.

Blizzard requests that any suspicious emails of this type be forwarded with full message headers to Hacks@blizzard.com.

Threat 2

Trojan hijacks sites with weak FTP credentials

Threat Name:

Trojan: Troj/JSRedir-AK

Users at Risk:

Windows users

Also Known As:

  • Avira: JS/iFrame.AL
  • Kaspersky: Trojan-Downloader.JS.Agent.ewh
  • McAfee: JS/Redirector.d
  • Microsoft: Trojan:JS/Redirector.BF
  • Trend Micro: JS_REDIR.SUI

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/JSRedir-AK is a variant of the JSRedir family that attacks unsuspecting visitors to compromised websites. Criminals place it on a website using stolen upload credentials, usually FTP logins. The attack has two parts.

First, attackers upload a set of scripts to the compromised site. These scripts are written in PHP (detected as Troj/PHPMod-B) and are used to insert the additional scripting into web pages hosted on the server. They also let the attackers manage the infection remotely without any further need for the stolen FTP credentials, so changing the FTP password alone does not remove them.

Second, the scripts inserted into the web pages (detected as Troj/JSRedir-AK) send visitors' web browsers to other sites that host malicious content. These sites are often hosted in Russia, with long hostnames that string together the names of well-known sites, such as:

  • mail-ru.multiupload.com.megaporn-com.webnetenglish.ru
  • partypoker-com.elmundo.es.spankwire-com.thechocolateweb.ru
  • rottentomatoes-com.google.com.gazzetta-it.thelaceweb.ru
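As an added example (not SophosLabs code), the following Python script scans a page's HTML for `<script>` and `<iframe>` sources that point off-site and marks those whose hostname fits the pattern of the domains quoted above: a long name under .ru whose labels imitate well-known sites as brand-com or brand-ru. The heuristic's label pattern and length threshold are assumptions derived from those three names, not a detection signature; the sample HTML and the benign external host static.example.net are constructed for the example, and the injected iframe uses one of the hosts listed above.

```python
"""Find off-site <script>/<iframe> sources in a web page and flag hostnames that
look like the JSRedir redirect sites quoted above.  Added example, not
SophosLabs code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic derived from the three hostnames listed above: the redirect hosts
# sit under .ru, have many labels, and imitate familiar sites with labels such
# as 'mail-ru' or 'partypoker-com'.  The pattern and the label threshold are
# assumptions for this example, not a Sophos detection signature.
BRAND_LABEL_RE = re.compile(r"^[a-z0-9]+-(com|net|org|ru|it|es|de|fr|uk)$")
MIN_LABELS = 4


def looks_like_redirect_host(host):
    labels = host.lower().rstrip(".").split(".")
    return (
        labels[-1] == "ru"
        and len(labels) >= MIN_LABELS
        and any(BRAND_LABEL_RE.match(label) for label in labels)
    )


class _SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def external_references(html, site_host):
    """Return (tag, src, suspicious) for each script/iframe whose host differs
    from site_host.  Relative and same-host sources are not reported."""
    collector = _SourceCollector()
    collector.feed(html)
    results = []
    for tag, src in collector.sources:
        host = urlparse(src).hostname  # None for relative paths
        if host and host.lower() != site_host.lower():
            results.append((tag, src, looks_like_redirect_host(host)))
    return results


# Constructed page: one same-host script, one benign off-site script on a
# made-up host, and one injected iframe pointing at a host quoted above.
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.js"></script>
<script src="https://static.example.net/analytics.js"></script>
</head><body>
<p>Welcome.</p>
<iframe src="http://mail-ru.multiupload.com.megaporn-com.webnetenglish.ru/in.php"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, suspicious in external_references(SAMPLE_HTML, "www.example.com"):
        print("SUSPICIOUS" if suspicious else "off-site  ", tag, src)
```

Run it over every HTML and PHP file under the web root and review all off-site references, not only the flagged ones. The heuristic only sees plain src attributes; injected inline JavaScript that assembles the redirect URL at run time will not appear in this output and has to be reviewed by hand.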

Troj/JSRedir has been used similarly in the past, notably during the Gumblar attack in May 2009.

SophosLabs recommend using a more secure protocol than FTP when uploading content to your web server, such as secure copy (SCP) or SFTP (file transfer over SSH, not to be confused with FTP over SSL), together with strong passwords. Note that an encrypted transport only protects the credentials in transit: a password already harvested from an infected workstation works just as well over SFTP, so any password that has been used over plain FTP should be changed, and key-based SSH authentication is preferable to passwords.

Threat 3

Fake MySpace emails steal password information

Threat Name:

Trojan: Troj/Invo-Zip

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Backdoor.Win32.Bredolab.bra
  • Avira: DR/Delphi.Gen
  • McAfee: Generic Dropper.lr
  • Microsoft: TrojanDownloader:Win32/Bredolab.AB

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Invo-Zip is another piece of email-borne malware that turns up in the SophosLabs spam traps at regular intervals. During January 2010, this threat arrived in emails purporting to be from myspace.com. The messages typically read as follows:

Hey ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your MySpace.

The attachment is a zip file whose name varies but begins with MySpace_document; it actually contains Mal/EncPk-MS.

In the same month, SophosLabs also saw Troj/Invo-Zip attached to emails pretending to come from UPS with various texts:

Dear customer!
Unfortunately we were not able to deliver the postal package which was sent on the 18th of June in time
because the addressee's address is erroneous.
Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.

And:

Dear customer!
We failed to deliver your postal package which was sent on the 18th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our department.
United Parcel Service of America.

In both cases the attached zip files had names beginning with UPS_invoice_NR, and opening them would let the sender deliver Mal/Bredo-A, as described in a previous Threat Spotlight.
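Both the MySpace and the UPS lures rely on the same delivery trick: a zip attachment with a recognisable name prefix that wraps a Windows executable. As an added example, not SophosLabs code, the following Python script (standard library only) parses a raw message, lists its attachments, checks each name against the two prefixes quoted above (MySpace_document and UPS_invoice_NR) and, if the attachment is a zip, lists any executable members without extracting them. The sample message it builds is constructed for the example, with a harmless stub in place of the real payload; the list of executable extensions and the case-insensitive name match are assumptions.

```python
"""Inspect a raw RFC 822 message for zip attachments that match the
Troj/Invo-Zip lure names or that carry an executable inside.
Added example, not SophosLabs code."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment-name prefixes quoted in the write-up.  Case-insensitive matching
# is an assumption, since the casing used by the sender may vary.
LURE_NAME_RE = re.compile(r"^(MySpace_document|UPS_invoice_NR)", re.IGNORECASE)

# Extensions Windows will run when double-clicked from an opened archive
# (assumed list for this example).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def inspect_message(raw):
    """Return one finding per attachment: its name, whether the name matches a
    known lure prefix, any executable members if it is a zip, and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        finding = {
            "name": name,
            "lure_name": bool(LURE_NAME_RE.match(name)),
            "executables": [],
        }
        # Read the central directory only; nothing is extracted or executed.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                finding["executables"] = [
                    m for m in zf.namelist() if m.lower().endswith(EXECUTABLE_EXT)
                ]
        finding["block"] = finding["lure_name"] or bool(finding["executables"])
        findings.append(finding)
    return findings


def build_sample_message():
    """Constructed message imitating the MySpace lure.  The zip member is a
    harmless stub, not Mal/EncPk-MS or any real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MySpace_document.exe", b"MZ stub - not a real program")
    msg = EmailMessage()
    msg["From"] = "support@myspace.com"  # forged sender, as in the spam
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your new password"
    msg.set_content(
        "Hey ,\nBecause of the measures taken to provide safety to our clients, "
        "your password has been changed.\nYou can find your new password in "
        "attached document.\nThanks,\nYour MySpace.\n"
    )
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="zip",
        filename="MySpace_document_4711.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for f in inspect_message(build_sample_message()):
        print("BLOCK" if f["block"] else "allow", f["name"], f["executables"])
```

The name check alone is brittle, since the prefix changes from campaign to campaign; the member check is the one that carries over, because a zip holding a single .exe is almost never legitimate mail. Inspecting the central directory is enough to decide, so the archive is never extracted.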

The advice from Sophos is, as ever, to exercise caution with emails that arrive unexpectedly from apparently familiar sources.