The group behind the Storm botnet has always been conscious of timing, and this time a new malware spam wave has started, dedicated of course to Independence Day. The spam directs the recipient to click on a link to a page that encourages the intended victim to download an infected fireworks.exe file.
The Storm botnet launched the latest campaign on June 3rd. Here’s a partial list of subject lines seen in the latest spam messages:
Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!
The message body is similar to previous campaigns: a one-line phrase followed by a bare IP address, such as:
Amazing Independence Day salute http://123.456.789.000/
Amazing Independence Day show http://123.456.789.000/
Bright and joyful Fourth of July http://123.456.789.000/
Celebrate the spirit of America http://123.456.789.000/
Celebrating Fourth of July http://123.456.789.000/
Celebrations have already begun http://123.456.789.000/
Light up the sky http://123.456.789.000/
Proud to be an American http://123.456.789.000/
Stars and Strips forever http://123.456.789.000/
The best firework you’ve ever seen http://123.456.789.000/
Well done 4th! http://123.456.789.000/
Visiting the IP address brings up a page with a fake online video player and a picture of fireworks inside the player. The following text is included below the image:
Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.
Users attempting to watch the fireworks video will instead be infected by malicious code.
The “video” links to an executable called fireworks.exe. In addition, the site also loads an invisible iframe pointing at ind.php, which serves obfuscated malicious JavaScript.
Sony’s US PlayStation website, which receives a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. It is another high-traffic site that has fallen victim to the continuing waves of mass SQL injection carried out by botnets such as ASProx.
The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites making use of the unusual .MOBI top-level domain attempted to load a script ‘AD.JS’ located in the root of each site. This in turn attempted to load another website: a fake anti-virus install site. The site pretends to do an online virus scan:

A bogus warning message is then displayed, claiming that one or more of the following have been detected:
Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen or installed this software on your PC, run a trusted anti-virus scanner as soon as possible, because your machine is infected.
After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer is run, it drops further malicious files (Troj/FakeAV-AA) on the victim’s machine.
Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer and presents the bogus warning message shown in the image above. Users frightened by the fake ‘warnings’ might rush to spend money on useless software.
The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.
The Sony PlayStation site was not singled out by hackers; it was hit automatically, along with thousands of other pages that were SQL-injected with the malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports of the PlayStation database or customers’ private details being compromised; the flaw in Sony’s website only allowed injection of redirection code that loads a script from a malicious site.
Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing it through iChat, Apple’s instant messaging and video chat software, and Limewire.
Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.
The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Written as a compiled AppleScript or, in another variant, as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.
The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.
Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if they are dropped after a successful attack using another vulnerability, such as a browser bug.
Users can protect themselves by removing ARDAgent from its normal location, /System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (software by SecureMac) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.
Nuwar spammers have recently moved from real news of natural disasters and current affairs to creating their own fictional events in an attempt to infect users’ computers. This new high-volume spam campaign is using attention-grabbing subjects to lure people into clicking on the links.
The spam uses a pool of newsworthy-sounding phrases in both the subject line and the message body. Here is a list of subjects discovered so far by Sophos and McAfee:
Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston’s MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don’t belittle the effects of power enlargement
Don’t let old age shrivel away your self esteem when you can maintain with herbal supplements
Don’t panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men’s health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life
Britney found hanged in locker room
White House hit by lightning, catches fire
Oprah found sleeping the streets
Eiffel Tower damaged by massive earthquake
Donald Trump missing, feared kidnapped
Lastest! Obama quits presidential race
This clever social engineering technique exploits people’s weakness for news of natural disasters and celebrities. The emails contain plain text and always include a link that looks fairly harmless but in fact redirects to a web page that attempts to install malware.
In this particular campaign all the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video, which is actually just an image, it tries to download an executable file. This is detected by McAfee as BackDoor-DNM and also by most other anti-virus products. The spam is also currently detected by anti-spam products.
Users are advised to run updated anti-virus software and never click on links in an email unless they come from a verified person.
Botnet operators are using false reports about an earthquake near Beijing that could disrupt the Olympic Games to spread malware. Unsolicited emails discovered by researchers are part of a new malicious spam campaign claiming that another earthquake has just occurred in China and could derail the upcoming Olympic Games.
Samples of the bogus alert intercepted by SophosLabs feature subject lines such as “Million dead in Chinese quake” and links to websites on .cn domains. These sites claim that a quake measuring 9.0 on the Richter scale has caused millions of casualties. The pages contain links to a supposed video that actually downloads the Nuwar-E malware onto Windows-based PCs.
Net security firm Sophos reports that the .cn domains advertised in that attack are likely to be part of a botnet. Each DNS query for the domains returns a different IP address, indicating that a changing network of compromised hosts is serving up the malware.
The recent Chinese earthquake is still so fresh in people’s minds, that many computer users won’t think twice before opening this email and clicking on the link. The spammers are using one of the most common tricks in an attempt to spread their malware, and if people continue to open unsolicited emails, unfortunately the spammers will continue.
Sophos experts note that by using the highly-anticipated Olympic Games due to take place in Beijing in August, the spammers are hoping to take advantage of the excitement surrounding the event in order to trick unsuspecting computer users into downloading their malware. Spammers are hoping that computer users will be so eager to find out more that they’ll forget their common sense when it comes to their emails. According to Sophos, we’re likely to see more spam messages referencing the upcoming Olympic Games as we get nearer to the event.
Recent versions of the notorious “Zlob” Trojan check whether the victim is behind a wireless or wired hardware router. The Trojan attempts to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the router’s domain name system (DNS) settings so that all future traffic passes through the attacker’s network first. DNS translates names into IP addresses, so changed settings can expose all of the victim’s Internet traffic.
The new Zlob Trojan, also known as DNSChanger, uses the same old technique and presents itself as a video codec required to view content on certain infected websites. When installed on the system, it tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers. The DNS hijack happens while the installer is running, so by the time the user sees the fake codec installer screen, the malware has already attempted to change the DNS settings on the victim’s router.
This appears to be the first time this behavior has been spotted in malware released into the wild. This new function should worry users since Zlob is among the most “popular” types of Trojans downloaded onto Windows machines (14.3 million instances of Zlob-related malware from customer machines in the second half of 2007, according to Microsoft).
A Windows user whose machine is infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off the computer completely but still leave the network compromised. Users are unlikely to check the router settings if the Internet connection seems to be functioning fine. In reality, the router might still send traffic to malicious logging servers even when the system is virus-free.
Sunbelt confirms that the malware successfully changes DNS settings on a Linksys router (model BEFSX41). It was a new, out-of-the-box unit with the default username and password. Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.
Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked. According to Eric Sites, chief technology officer at Sunbelt, this is something they have not seen before and it was only a matter of time before someone started using this attack. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware.
Captured traffic shows that the new Zlob variant is trying to reconfigure different routers by requesting the local Web page for various “setup wizards” that ship with the devices. Routers serving machines infected by Zlob/DNSChanger should be reset to their default configuration if the settings have been changed. If there are other Zlob-infected machines using the same router, they will need to be cleared of the Trojan before resetting the router. Otherwise, the malware will simply go back and change the router’s DNS settings a few minutes after the reboot. You will need to reconfigure any security settings you had in place prior to the reset.
Credit: Sunbelt Blog, Washingtonpost Security Fix Blog
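One way a network defender could spot the behaviour Sunbelt describes above (a LAN host cycling through factory-default logins against the router’s setup pages) in HTTP access records. This is an added example, not code from the original post, Sunbelt or the Washington Post; the record format, the sample records and the small default-credential list are all constructed for it.

```python
"""Spot Zlob/DNSChanger-style router credential guessing in HTTP access records.
The record format, the sample records and the default-credential list are all
constructed for this example and are deliberately small."""
import base64
import ipaddress
import re
from collections import defaultdict

# Illustrative subset of factory-default router logins (constructed, not exhaustive).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}

# Constructed record format: "<time> <src> <dst>:<port> <METHOD> <path> [basic=<b64>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+)(?: basic=(?P<b64>\S+))?$"
)

# Constructed sample: one host cycles two default logins against the gateway's
# setup page, another host logs in once with a non-default password.
SAMPLE_LOG = """\
2008-06-12T10:14:03 192.168.1.23 192.168.1.1:80 GET /Setup.htm basic=YWRtaW46YWRtaW4=
2008-06-12T10:14:03 192.168.1.23 192.168.1.1:80 GET /Setup.htm basic=YWRtaW46cGFzc3dvcmQ=
2008-06-12T10:14:04 192.168.1.23 192.168.1.1:80 POST /apply.cgi basic=YWRtaW46YWRtaW4=
2008-06-12T10:20:00 192.168.1.40 93.184.216.34:80 GET /index.html
2008-06-12T10:21:00 192.168.1.40 192.168.1.1:80 GET /Setup.htm basic=cGF0OmNvcnJlY3Rob3JzZQ==
"""


def parse_record(line):
    """Parse one record into a dict; 'creds' is a (user, password) tuple or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["creds"] = None
    if rec["b64"]:
        try:
            decoded = base64.b64decode(rec["b64"], validate=True).decode("utf-8", "replace")
        except ValueError:                # malformed base64: keep the record, no creds
            return rec
        user, _, password = decoded.partition(":")
        rec["creds"] = (user, password)
    return rec


def router_login_findings(log_text, guess_threshold=2):
    """Flag Basic-auth requests to a private-address gateway that use a
    factory-default login, and any source that tries several different logins
    against one gateway (the guessing behaviour described in the post)."""
    findings = []
    tried = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["creds"] is None:
            continue
        if not ipaddress.ip_address(rec["dst"]).is_private:
            continue                      # only LAN gateways are of interest here
        tried[(rec["src"], rec["dst"])].add(rec["creds"])
        if rec["creds"] in DEFAULT_CREDS:
            findings.append({"type": "default-credential", "src": rec["src"],
                             "dst": rec["dst"], "user": rec["creds"][0],
                             "path": rec["path"]})
    for (src, dst), logins in tried.items():
        if len(logins) >= guess_threshold:
            findings.append({"type": "credential-guessing", "src": src,
                             "dst": dst, "distinct_logins": len(logins)})
    return findings
```

Hosts flagged by the second rule should be checked for Zlob even if they look clean, and the router's DNS settings verified regardless.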
Over the last few months, countless malware campaigns have abused Google and DoubleClick redirect links in their spam. Clicking on such a safe-looking link results in a redirection to a malware hosting site and an infection of the user’s Windows machine.

Even though it took Google some time to close this redirection, the malware authors have successfully switched to a Dogpile.com redirection vulnerability. Here is an example of the Dogpile.com cross-site scripting vulnerability that allows redirection of visitors who click a link originating from the dogpile.com domain:
http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://CNN.com&0=
Clicking this link is safe: it just redirects you to CNN.com. Malware authors are actively using this redirection to infect users by sending them confusing, safe-looking links to exploit hosting sites. The sad thing about it is that another redirection vulnerability on Dogpile was discovered and reported back in November 2007. It is still unfixed.
Google has done quite a bit to fix the redirection problem, and Dogpile should also fix it soon (hopefully), but the party will just move on to a different location. A good example would be a redirection vulnerability on Devicelock.com, reported by XSSed and still unfixed.
DeviceLock, Inc. is a “worldwide leader in endpoint device control security” and on their website they offer a security solution that prevents unauthorized access to USB devices. They are proudly using a Content Management System (CMS) called Bitrix, and here is the redirection example on their website:
Let’s say an average user receives an email with a link like the one above. The email says that he has won some free DeviceLock promotional product and all he needs to do to claim it is click that link. The user clicks the link, is redirected to a malware hosting site, and another Windows machine probably gets infected. Although the number of popular and trusted domains is limited, it seems malware spam will contain various redirection links for a long time.
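Two checks that follow from the Dogpile clickserver pattern above, written as an added example rather than code from the original post, Dogpile or DeviceLock: a mail-filter side function that finds links whose query string carries an absolute URL to another host, and the server-side validation a redirector should apply to a rawURL-style parameter. The link constant is constructed in the shape of the post's example.

```python
"""Detect open-redirect style links and validate redirect targets server-side."""
from urllib.parse import parse_qsl, unquote, urlsplit


def _site(host):
    """Normalise a hostname for same-site comparison (lower-case, no 'www.')."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _same_site(host, site):
    return host == site or host.endswith("." + site)


def find_redirect_targets(link):
    """Return (parameter, target_host) for each query parameter that carries an
    absolute http(s) URL pointing away from the link's own site. Values are
    percent-decoded a second time so double-encoded targets are caught too."""
    parts = urlsplit(link)
    own = _site(parts.hostname)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = unquote(value).strip()
        if not candidate.lower().startswith(("http://", "https://")):
            continue
        target = (urlsplit(candidate).hostname or "").lower()
        if target and not _same_site(_site(target), own):
            findings.append((name, target))
    return findings


def validate_redirect(raw_url, own_host):
    """What the redirecting site should do: accept a local path or a URL on its
    own site and refuse everything else (return None). Protocol-relative and
    backslash-prefixed forms are refused because browsers resolve them to a
    foreign host; non-http schemes such as javascript: are refused as well."""
    candidate = unquote(raw_url).strip()
    if candidate[:2] in ("//", "/\\", "\\/", "\\\\"):
        return None
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        return candidate if candidate.startswith("/") else None
    if parts.scheme not in ("http", "https"):
        return None
    return candidate if _same_site(_site(parts.hostname), _site(own_host)) else None


# Constructed link in the shape of the Dogpile example from the post.
DOGPILE_LINK = "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://CNN.com&0="
```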
A new version of Gpcode, which was recently discovered, uses a complex encryption algorithm to encrypt user files, making it impossible to open them. The files that might be encrypted by this virus are .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and some others. Encrypted files keep their original name, but the suffix “._CRYPT” is appended to each one. It also drops a file called “!_READ_ME_!.txt” into each folder containing encrypted files; the file contains the following text:
“Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com”
It was possible to decrypt files encrypted by previous versions of Gpcode. In the past, signatures for Virus.Win32.Gpcode.ai have been added to the Kaspersky Anti-Virus databases. This time quick and painless decryption should be impossible, since Kaspersky analysts have confirmed strong 1024-bit encryption that cannot be broken without the original key.
Kaspersky Lab invites affected users to contact them at stopgpcode@kaspersky.com from another PC in case of this particular infection. Users who have not rebooted or turned off their infected PC, who can describe what they did before the infection occurred, and who can give the exact infection date and time will be helped; Kaspersky Lab promises to do everything it can to restore the encrypted files.
If your files have been encrypted by Gpcode, Kaspersky Lab strongly recommends that you do not pay money to the creators of this virus, as this will encourage further crime. There is also no guarantee you will receive the decryption key after payment.
A recent Adobe Flash vulnerability is already being abused in another mass compromise carried out through SQL injection. This current malware attack has been traced back to Chinese hackers, once again. They are using a zero-day exploit to infect users with password-stealing malware.
This zero-day exploit takes advantage of a previously unknown vulnerability in Adobe Flash Player, allowing malicious users to install information-stealing Trojans on affected PCs. An integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value: the value passes a signed comparison, is used as an offset from a NULL pointer, and triggers a buffer overflow.
Legitimate sites were found to have been injected with scripts that lead browsers silently to sites hosting exploits for the Flash vulnerability. When certain system conditions allow exploitation to proceed, PCs download and execute information stealers (such as TSPY_UPACK.D) or droppers (such as TROJ_DROPPER.NAK) through malicious .SWF files detected by TrendLabs as SWF_DLOADER.YVM and SWF_DLOADER.YVN. Other components of this infection are detected as HTML_DLDR.BF, TSPY_UPACK.D and TROJ_DROPPER.NAK.
Some domains in this attack spoof the domain name of the well-known phone company Nokia, as well as that of the popular online game Defense of the Ancients (DotA). Other domains are lkjrc.cn and woai117.cn (obviously, since .cn domains cost about 1 cent each).
Dancho Danchev’s blog has posted a list of domains that currently serve malicious files.
At this moment there is no known patch available from Adobe, and no known workaround. Again, avoid visiting unknown sites, or use Firefox with the NoScript plugin.
Update (May 29): The malicious SWF file found in-the-wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version 9.0.124.0.
According to Symantec this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player versions 9.0.124.0 aren’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.
Users are advised to ensure that Flash is updated to version 9.0.124.0.
Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.
According to Symantec, this issue is being actively exploited in the wild and hence the DeepSight ThreatCon is being raised to Level 2. The flaw occurs when processing a malicious SWF file. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Further analysis of these attacks, specifically the woai117.cn attack, uncovered another domain involved, dota11.cn.
Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. A wide variety of legitimate third-party sites appear to be affected. The code then redirects users to sites hosting malicious Flash files exploiting this issue. According to ZDNet, this zero-day flaw has already been added to the Chinese version of the MPack exploit kit.
Currently there are no vendor-supplied patches. Users are strongly advised to disable Flash until patches are available, avoid browsing to untrustworthy sites and deploy script-blocking mechanisms, such as NoScript for Firefox.
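The two Flash items above both describe the same trigger: a DefineSceneAndFrameLabelData tag whose Scene Count is negative under a signed comparison. The following scanner, an added example that is not code from the original post, Symantec, Trend Micro or Adobe, walks an SWF file's tag list and flags such a tag, which is the kind of check a mail gateway or web proxy could run on SWF attachments and downloads; the header and tag layout follow the public SWF specification, and the sample files are constructed by build_swf() rather than captured in the wild.

```python
"""Scan an SWF's tag list for a DefineSceneAndFrameLabelData tag (code 86) whose
SceneCount is negative as int32 or larger than the tag could hold. Layout follows
the public SWF spec; sample files are built by build_swf(), not captured."""
import struct
import zlib

SCENE_TAG = 86  # DefineSceneAndFrameLabelData


def read_encoded_u32(data, pos):
    """SWF EncodedU32: little-endian base-128 varint, at most 5 bytes."""
    value = 0
    for i in range(5):
        byte = data[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("EncodedU32 longer than 5 bytes")


def encode_u32(value):
    """Inverse of read_encoded_u32, used here to build the sample tags."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def swf_body(blob):
    """Bytes after the 8-byte header, inflating 'CWS' (zlib-compressed) files."""
    if blob[:3] == b"FWS":
        return blob[8:]
    if blob[:3] == b"CWS":
        return zlib.decompress(blob[8:])
    raise ValueError("not an SWF file")


def iter_tags(body):
    """Yield (code, payload) for each tag after FrameSize, FrameRate and FrameCount."""
    nbits = body[0] >> 3               # RECT begins with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8     # RECT is padded to a whole byte
    pos += 4                           # FrameRate UI16 + FrameCount UI16
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:             # long form: a UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        if code == 0:                  # End tag
            break
        pos += length


def scene_count_findings(blob):
    """Return a list of findings for suspicious SceneCount values."""
    findings = []
    for code, tag in iter_tags(swf_body(blob)):
        if code != SCENE_TAG or not tag:
            continue
        count, after = read_encoded_u32(tag, 0)
        as_int32 = struct.unpack("<i", struct.pack("<I", count & 0xFFFFFFFF))[0]
        capacity = (len(tag) - after) // 2   # offset byte + NUL-terminated name per scene
        if as_int32 < 0:
            findings.append(f"SceneCount {count:#x} is negative as int32 ({as_int32})")
        elif count > capacity:
            findings.append(f"SceneCount {count} exceeds tag capacity ({capacity})")
    return findings


def build_swf(tags, compress=False):
    """Wrap (code, payload) tags in a minimal SWF: empty RECT, 12 fps, one frame."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1)
    for code, payload in tags + [(0, b"")]:
        body += struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    sig, data = (b"CWS", zlib.compress(body)) if compress else (b"FWS", body)
    return sig + b"\x09" + struct.pack("<I", 8 + len(body)) + data


# Constructed samples: a well-formed scene tag and one with SceneCount 0xFFFFFFFF.
BENIGN_SCENE = encode_u32(1) + encode_u32(0) + b"Scene 1\x00" + encode_u32(0)
NEGATIVE_SCENE = encode_u32(0xFFFFFFFF) + encode_u32(0)
```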
Spammers and scammers are always ready to jump on the latest disaster or big news headline to try and exploit users. This time it is the Chinese earthquake disaster, which killed more than 50,000 people, that is being exploited to push scams and malware spam.
In one report, scammers sent out text messages enticing people to send donations to fund aid for helpless victims. Today there was a report of a spam message allegedly from a Filipino seeking financial aid to follow his wounded wife to China.
Here are the first and last portions of the long-winded letter designed to get merciful recipients to take action, i.e. donate money. It starts with:
Dear friend,
I do not know your exact name. I can only guess. I ask you to read through my letter up to the end.
And ends:
And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.
Next there are emails with infected Word attachments that include the MalDoc-Fam Trojan. They are being distributed in messages that pose as news about the disaster, net security firm Sophos reports. The malware-tainted emails typically appear with body text suggesting they contain news from China’s official press agency, Xinhua:
BEIJING, May 20 (Xinhua) — The death toll from the earthquake in southwest China’s Sichuan Province has risen to 34,074 nationwide as of 2 p.m. Saturday, while 198,347 people were injured, according to the Information Office of the State Council. Pay attention to attachment for more.
Opening the attached Word document triggers an exploit that downloads malware onto vulnerable Windows PCs. The MalDoc-Fam Trojan is more than a year old, dating from March 2007.
These schemes, much like those that surfaced during previous tragedies, are surely only some of the many that will continue to use this ploy.
Recent reports tell that even the official Web site for donations to the earthquake victims in China, the Chinese Red Cross, has itself been hacked to divert donations elsewhere. Ironically, even if you carefully donate only to legitimate organizations, you can never be sure who will actually get the money nowadays.
Users should be extremely cautious in extending their help. If possible, keep a closer watch of who gets the donation and where it goes.
Two days ago there was a report about Chinese and Chinese-language websites being compromised via SQL injection in order to infect visitors with malware. According to net security firm ScanSafe, the newest rounds of SQL injection attacks mostly target English-language sites on .com domains, some of them hosted in China.
This time the attack purposefully avoids Chinese government sites. The latest attacks inject an iframe onto compromised sites that loads malicious scripts from qiqigm.com, a domain registered on 16 May. These scripts include the text “silent love china” in an apparent greeting to other Chinese hackers. The malicious code exploits popular RealPlayer and Internet Explorer vulnerabilities to install a password-stealing Trojan that hides its presence on Windows PCs.
More than 7,000 sites have been compromised in this way so far. Compromised websites include a Hong Kong stock brokerage (kgieworld.com) and a Kodak camera review site (digitalcamerareview.com), as well as the sites of the Israel Humanitarian Foundation, the London-based Child Rights Information Network, the UK’s West Midlands Local Government Association, and the AsiaObserver news portal. All these sites redirect to other domains and lead to the download and execution of http://******gol.com/xx.exe, which is detected as BKDR_HUPIGON.CFV by Trend Micro.