Threat Spotlight

For the week of 28 Apr 2011
Threat 1

Place an order for FakeAV

Threat Name:

Mal/PDFJs-RE

Users at Risk:

Windows users

Also Known As:

  • AVP Exploit.JS.Pdfka.djl
  • Symantec Trojan.Pidief

Removal Instructions:

Use the instructions for removing generically detected files to delete the file from your computer

About:

Mal/PDFJs-RE is a family of malicious PDF files that use embedded JavaScript to download further malware.

In this instance, malicious PDFs were spammed out with the following Subject:

<Company>.com Order

With a message similar to the following:

Dear customer,

Thank you for placing an order with us!

We wish to inform you that we have received your order and it will be processed very shortly. Your order number is 995471-573894 and it is expected to be delivered within 2-5 working days. Please note that in most cases, delivery is faster than stated as we want you to start enjoying your purchase as soon as possible. In the meantime, you may log into the site and check your order status at any time via the 'My Account' page.

If you have any questions about your order, please feel free to email us at support@<company>.com. As soon as order has been dispatched, our Customer Service Executive will monitor the progress and keep you updated at all times.

The emails had one of the following attachments:
OrderN25031104.pdf, Order_04041136.pdf, Order94.pdf, invoice17041140.pdf

Mal/PDFJs-RE attempts to contact the following remote location:

hxxp:// zkp2 . cz . cc / y / l . php

At the time of writing, Mal/PDFJs-RE may download and execute the following file:

<Application Data>\Hivo\myev.exe (detected as Mal/FakeAV-IK)

Examples of this malware have used CVE-2010-0188 and early examples also contain CVE-2011-0610.

Threat 2

Spoofed email from NACHA leads to malware

About:

Since mid-2009, malware authors have used spam messages purporting to be from NACHA's ACH payment network to spread malicious software. The payload is the ZBot—also known as the Zeus botnet—infector. Over the past year and a half, the general attack has stayed the same, but the details have become more complex.

Beginning mid-March 2011, the phishing mail has been spoofed so it appears to be from payment(s)/ach@nacha.org. The messages originate from a Zeus-style botnet and are indiscriminate in their targets—many copies have arrived on Sophos's spam traps. Examples of the spam messages are seen below in images 1 and 2. They are all proactively detected by the Sophos PureMessage Antispam software and Sophos Email Appliance.

In most cases, the link goes to an .info domain with "nacha" in the name (example domains in image below):

All the .info domains redirect to .co.cc domains using iframes or obfuscated JavaScript:

The .co.cc domains look like "404 Not Found" web pages but contain hidden JavaScript beneath.

The JavaScript on the page creates a time-delayed event (circled). When the timer expires, a box pops up asking the user to download a ".pdf.exe" file:


The downloaded .exe files are packed with a rogue antivirus packer but contain an advanced ZBot payload based on the now-shared Zeus botnet source code. Sophos detection names include Mal/FakeAV-EA and Troj/FakeAV-DDY.

Once run, the ZBot payload moves itself into your Application Settings and sets itself up to run on startup. It also disables Internet Explorer cookie deletion, and sets the Internet Explorer security options "Access data sources across domains" and "Display mixed content" to fully enabled, so the user is never prompted.

Next, the malware gathers your personal information from various sources on your computer, including email databases, website caches and address books.

Finally, it contacts its command-and-control server to fetch instructions for its next activities—such as sending a NACHA email, uploading gathered data, or participating in a DDoS attack—and downloads newer versions of itself and its configuration file.

Users who are vigilant not to download or execute unknown files and who do not click on unknown links will not be impacted by this threat.
That said, the fact that this campaign has remained essentially unchanged for over a year and a half implies that it has been highly successful in convincing people to click.
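As an added example (not part of this bulletin or of any Sophos product), the following Python triage function checks one raw email for the indicators described in Threats 1 and 2: the "<Company>.com Order" subject and Order/invoice PDF attachment names, a sender address spoofing nacha.org, links to "nacha" .info hosts or .co.cc hosts, and a ".pdf.exe" file name. The regular expressions generalise the listed samples and the two sample messages are constructed; neither is a real capture or vendor signature.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Patterns generalised from the bulletin's samples; this example's own, not a vendor signature.
ORDER_SUBJECT = re.compile(r"\.com Order\s*$", re.I)
ORDER_ATTACH = re.compile(r"^(order|invoice)[a-z_]*\d*\.pdf$", re.I)
DOUBLE_EXT = re.compile(r"\.pdf\.exe$", re.I)            # ".pdf.exe" download lure
NACHA_FROM = re.compile(r"^(payments?|ach)@nacha\.org$", re.I)
URL = re.compile(r"""https?://([^\s"'<>/]+)[^\s"'<>]*""", re.I)

def suspicious_host(host):
    # .info hosts containing "nacha", or the .co.cc hosts they redirect to
    host = host.lower()
    return host.endswith(".co.cc") or (host.endswith(".info") and "nacha" in host)

def triage(raw):
    # Return indicator tags found in one raw RFC 822 message; [] means no match.
    msg, hits = message_from_string(raw), []
    if ORDER_SUBJECT.search(msg.get("Subject", "")):
        hits.append("subject:fake-order")
    if NACHA_FROM.match(parseaddr(msg.get("From", ""))[1]):
        hits.append("from:spoofed-nacha")
    for part in msg.walk():                      # every MIME part, root included
        name = part.get_filename() or ""
        if ORDER_ATTACH.match(name):
            hits.append("attachment:order-pdf:" + name)
        if DOUBLE_EXT.search(name):
            hits.append("attachment:pdf-exe:" + name)
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            hits += ["link:" + m.group(0) for m in URL.finditer(body)
                     if suspicious_host(m.group(1))]
    return hits

# Constructed sample messages (not real captures) shaped like the two campaigns.
SAMPLE_ORDER = """From: orders@example-shop.com
Subject: example-shop.com Order
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thank you for placing an order with us!
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Order_04041136.pdf"

--b1--
"""
SAMPLE_NACHA = """From: NACHA <ach@nacha.org>
Subject: Rejected ACH transaction
Content-Type: text/html

<a href="http://nacha-sample.info/report.html">View details</a>
"""
```

Run triage() over messages pulled from a mail spool or quarantine; any non-empty result is worth a closer look, and an attachment hit combined with the subject hit matches the Threat 1 campaign exactly.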

Threat 3

FakeAV pesters with persistent pop-ups

Threat Name:

Troj/Agent-RGK

Users at Risk:

Windows users

Also Known As:

  • AVP Trojan.Win32.Sasfis.bhrn
  • Microsoft Backdoor:Win32/Hostil.gen!A

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Agent-RGK is a FakeAV-style Trojan that calls itself either 'XP Total Security' or 'XP Anti-Spyware 2011.'

Once executed, it pretends to scan your system and finds about 25 items needing removal. It then asks you to purchase a subscription to its service while constantly serving pop-ups about infections.

It copies itself to the Application Data folder and the Temporary Internet Files folder, and installs itself into the registry.