CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Malware’ Category

New Storm Worm Spam Campaign Mentions FBI And Facebook

Tuesday, July 29th, 2008

A new Storm worm (aka Dorf) campaign has been launched to infect PCs running Windows. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook.

Starting a week ago, the authors renewed their attacks and have published 3 campaigns within the last 8 days. As usual, this most recent Trojan is spread via unsolicited spam email that contains a link to a malicious website. That website contains a link that, when clicked, may run the executable file “fbi_facebook.exe” and infect the user’s system with malicious code.

The email subjects for the latest campaign currently include:

F.B.I. may strike Facebook
F.B.I. watching us
The FBI’s plan to “profile” Facebook
The FBI has a new way of tracking Facebook
F.B.I. are spying on your Facebook profiles
F.B.I. busts alleged Facebook
Get Facebook’s F.B.I. Files
Facebook’s F.B.I. ties
F.B.I. watching you

This latest campaign uses both domain names and raw IP addresses as links. The malware and the spam messages have changed very little, even though the topics and websites were updated regularly.

Users should install anti-virus software, keep its virus signature files up to date and never follow unsolicited web links received in email messages.

Airlines Warn Customers Of Ticket Invoices Spam With Infected Attachments

Monday, July 28th, 2008

Several airlines have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. Airlines that issued warnings include Delta Air Lines Inc., Northwest Airlines Corp., Sun Country Airlines and Midwest Airlines Inc. Sun Country also reported these e-mails to Yahoo, Hotmail and the United States Computer Emergency Readiness Team.

A researcher at McAfee Inc. confirmed the campaign in a post to the company’s blog. Messages may appear as follows (updated spam campaigns may appear different):

From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).

The e-mails, which purport to be from an airline, thank the recipient for using a new “Buy flight ticket Online” service on the airline’s site, provide a log-in username and password, and say the person’s credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.

However, the .zip attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia. McAfee has labeled the malware “Spy-Agent.bw,” while Symantec Corp. has labeled the same Trojan horse “Infostealer.Monstres.”

This Trojan first made a name for itself almost a year ago, when it was used to steal more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular Monster.com recruiting Web site.

Malware Spam Attack Disguised As U.S. Customs and Border Protection Message

Saturday, July 26th, 2008

After recent malware emails disguised as UPS and tax messages, a new attack is circulating via bogus email messages that claim to be from “US Customs Service.” The messages may contain the following subject lines:

Customs - We have received a parcel for you
Customs, please read
Parcel requires declaration
Your parcel is at the customs office

The message states that a parcel addressed to the recipient has been received. The messages also encourage users to open an attachment that may contain malicious code.

The messages start with a greeting and then say:

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

The attachment is currently called Bill_Tax.zip, and the Trojan inside is a variant of malware seen previously, detected by Sophos as Mal/Spy-A.

Users should not open attachments contained in unsolicited email messages and should use anti-virus software with updated virus signature files.

Remote Code Execution Vulnerability In The ActiveX Control For The Microsoft Access Snapshot Viewer Added Into Neosploit

Saturday, July 19th, 2008

More than two weeks ago Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control and began investigating active, targeted attacks leveraging it. Recently, Symantec honeypots began detecting the Access Snapshot Viewer ActiveX control vulnerability being exploited in a Neosploit wrapper. The Neosploit toolkit is an advanced exploit framework used to compromise web site visitors.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

This vulnerability was recently added to a new version of Neosploit. The attack consists of an encrypted block similar to those in some Mpack variants. This primary encoder serves the Access Snapshot exploit. Once this exploit has been attempted, the user is presented with a malicious iframe that redirects to a copy of Neosploit. This adds an Access Snapshot exploit to the Neosploit repertoire, albeit in an unusual way; according to Symantec, this method of adding an exploit was chosen because the author does not control the source of Neosploit.

As with most of these ActiveX attacks, they are being served by legitimate Web sites that have themselves fallen victim to automated SQL injection attacks, among them top-visited government, commercial, and hobby sites. The sites fall victim to SQL injection and subsequently begin serving exploits to each of their visitors.

It is recommended that all Internet Explorer users, including those who do not have the Access Snapshot Viewer installed, update their IPS signatures and set the kill bits mentioned in the Microsoft Security Bulletin. Switching from Internet Explorer to Firefox or Opera would also avoid this vulnerability (and probably many others).

Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites

Friday, July 18th, 2008

During the first two weeks of July 2008, Finjan detected over 1,000 unique Website domains that were compromised by the Asprox toolkit attack. Each of the compromised domains included a reference to malware served by over 160 different domains across the Internet. Since the list of malware-serving domains grows every day, this might be just the tip of the iceberg for the scope and impact of this attack.

Among the compromised websites Finjan found those of respected organizations, governmental institutes, healthcare organizations and other high-ranked sites. Most of the websites are still serving the malicious code and the toolkit is still in use.

Among the many compromised websites are various advertisement networks, which were also used to direct users to compromised advertisements. One of them was atdmt.com, which Microsoft plans to acquire as part of Microsoft’s Advertiser and Publisher Solutions Group.

Compromised legitimate government websites (on some of them the malicious code no longer exists) include:

marysville.ca.us, the official website of the City of Marysville, registered by Marysville Police Department.

www.censocultural.ba.gov.br, the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil.

www.sfgov.org, official website of the government of the City and County of San Francisco.

Compromised healthcare websites:

nhs.uk, the official website of the National Health Service in the UK.

samedical.org, the official website of the South African Medical Association.

Other compromised legitimate websites:

Cocacolabrazil.com

Snapple.com, one of the largest soft drink makers in the US

uci.edu, official website of the University of California

The Baltimore Times Website

BMW official site in Mexico

Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain. These domains are part of a fast-flux network hosted on the botnet itself, a technique widely used by the well-known Storm botnet.

The attack toolkit is designed to inject a <script> tag into legitimate .asp webpages. Each of the 160 different domains hosting the .js points to a malicious file whose location is unique to that domain. The malicious script exploits several vulnerabilities on the victim’s machine to raise the chances of successful exploitation: the MDAC vulnerability, the QuickTime rtsp vulnerability and the AOL SuperBuddy ActiveX Control code execution vulnerability. Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine.

Another Breaking News Social Engineering Spam Installs Malware And Fake Anti-Spyware Tools

Tuesday, July 8th, 2008

Websense Security Labs ThreatSeeker Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software.

Spammers quickly react to the latest major online news, capitalizing on these events to achieve better success rates with their social engineering tactics. The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign.

The messages include a link to a compromised site containing obfuscated JavaScript that tries to exploit a rather old vulnerability in Microsoft Data Access Components (MDAC). Regardless of whether the exploit succeeds, the visitor is then redirected to a page showing a fake security warning that encourages users to download anti-spyware tools to repair their system. Spammers usually use this tactic to get users to install rogue applications. In this particular example, the malicious file installs itself as a service on the system.

The same malicious executable is used across different spam campaigns bearing the following email subject lines:

Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!!

Storm Botnet Celebrates The Independence Day With New Wave Of Malware Spam

Friday, July 4th, 2008

The group behind the Storm botnet has always been conscious of timing, and this time a new malware spam wave has started, dedicated of course to Independence Day. This spam wave directs the user to click on a link that encourages the intended victim to download an infected fireworks.exe file.

The Storm botnet launched the latest campaign on June 3rd. Here’s a partial list of subject lines seen in the latest spam messages:

Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!

The body of the messages is similar to previous campaigns: a one-line phrase followed by an IP address, such as:

Amazing Independence Day salute http://123.456.789.000/
Amazing Independence Day show http://123.456.789.000/
Bright and joyful Fourth of July http://123.456.789.000/
Celebrate the spirit of America http://123.456.789.000/
Celebrating Fourth of July http://123.456.789.000/
Celebrations have already begun http://123.456.789.000/
Light up the sky http://123.456.789.000/
Proud to be an American http://123.456.789.000/
Stars and Strips forever http://123.456.789.000/
The best firework you’ve ever seen http://123.456.789.000/
Well done 4th! http://123.456.789.000/

Visiting the IP address brings up a page with a fake online video player showing a picture of fireworks inside the player. The following text is included below the image:

Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.

Users attempting to watch the fireworks video will instead be infected by malicious code.

The “video” links to an executable called fireworks.exe. In addition, the site launches an invisible iframe that loads obfuscated malicious JavaScript from ind.php.
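As an added example, not code from the original post, here is a small Python filter that flags a message with the lure shape described above: a one-line body ending in a link whose host is a raw IP address, or a link pointing straight at an .exe. The sample messages are constructed, and 192.0.2.10 is a documentation-only address.

```python
"""Score an email for the Storm-style lure: a short one-line body that
ends in a link whose host is a raw IP address, or a direct .exe link.

Added example; sample messages are constructed (192.0.2.0/24 is a
documentation-only range).
"""
import email
import ipaddress
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def body_text(raw_message):
    """Return the plain-text body of a raw RFC 822 message, stripped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return (part.get_content() if part is not None else "").strip()


def is_bare_ip(host):
    """True when the host portion of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_host(url):
    """Extract the host from a URL, dropping scheme, port and path."""
    rest = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return rest.split("/")[0].split(":")[0]


def storm_indicators(raw_message):
    """Return the list of indicators found; an empty list means no match."""
    text = body_text(raw_message)
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Trim trailing punctuation that often follows a URL in prose.
    urls = [u.rstrip(".,);") for u in URL_RE.findall(text)]
    found = []
    if urls and all(is_bare_ip(url_host(u)) for u in urls):
        found.append("link host is a raw IP address")
    if len(lines) == 1 and urls and lines[0].rstrip().endswith(urls[-1]):
        found.append("one-line body ending in a link")
    if any(u.lower().rstrip("/").endswith(".exe") for u in urls):
        found.append("link points directly at an executable")
    return found


# Constructed sample in the shape of the spam described in the post.
STORM_SAMPLE = """\
From: fan@example.net
To: you@example.org
Subject: Amazing Independence Day salute
Content-Type: text/plain; charset=us-ascii

Amazing Independence Day salute http://192.0.2.10/
"""

# Constructed benign sample: multi-line body, link to a named host.
BENIGN_SAMPLE = """\
From: newsletter@example.com
To: you@example.org
Subject: Weekly update
Content-Type: text/plain; charset=us-ascii

Hi,

This week's notes are posted at https://www.example.com/notes/2008-07.
See you at the meeting on Friday.
"""

if __name__ == "__main__":
    print(storm_indicators(STORM_SAMPLE))
    print(storm_indicators(BENIGN_SAMPLE))
```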

Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

Wednesday, July 2nd, 2008

Sony’s USA PlayStation website, which has a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. Sony PlayStation’s site is another high-traffic web site that has fallen victim to the continuing waves of massive botnet-driven SQL injections (the Asprox botnet, for example).

The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites using the unusual .MOBI top level domain attempted to load a script ‘AD.JS’ located in the root of each site. This in turn attempted to load another website, a fake anti-virus install site, which pretends to perform an online virus scan.

A bogus warning message is then displayed, saying that one or more of the following have been detected:

Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen/installed this software on your PC, consider running a trusted anti-virus as soon as possible, since your machine is infected.

After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer is run, it installs more malicious files (Troj/FakeAV-AA) on the victim machine.

Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer and presents the same bogus warning message. Users frightened by the fake ‘warnings’ might rush to spend money on useless software.

The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.

Sony PlayStation’s site hasn’t been specifically targeted by hackers; it was hit automatically along with thousands of other pages that were SQL injected with the malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports of Sony PlayStation’s database being hacked or of customers’ private details being exposed; the flaw in Sony’s website only allowed injection of redirection code that loads a script from the malicious site.
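As an added example (not code from the original posts, nor from Finjan or Sophos), here is a Python check a site operator could run over rendered pages or raw database column values to spot the injected remote <script> tags described in the Asprox and PlayStation stories above. The sample page and the host bad.example.invalid are constructed; the allowlist of first-party and CDN hosts is an assumption the operator would fill in.

```python
"""Flag <script> tags that load code from hosts outside a site's allowlist.

Mass SQL-injection campaigns append a <script src="..."> tag to database
fields that are later rendered into pages, so every visitor loads a remote
.js file. This scans page text (or raw column values) for script sources
on foreign hosts. Added example; sample content is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_sources(html_text):
    """Return every script src found in the given HTML fragment, in order."""
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    parser.close()
    return parser.sources


def host_of(src):
    """Return the lowercase host of a script URL, or '' for relative paths."""
    # Protocol-relative URLs (//host/x.js) still name a foreign host.
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()


def foreign_scripts(html_text, allowed_hosts):
    """Return script URLs whose host is neither relative nor allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for src in script_sources(html_text):
        host = host_of(src)
        if host and host not in allowed:
            flagged.append(src)
    return flagged


# Constructed sample: a product page whose description column was hit by an
# injection that appended remote script tags (hosts are documentation names).
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
</head><body>
<p>Widget description</p><script src=http://bad.example.invalid/ngg.js></script>
<p>Another column value</p><script src="//bad.example.invalid/b.js"></script>
</body></html>
"""

# Assumed allowlist: the operator's own CDN; same-origin relative paths pass.
SITE_ALLOWLIST = ["cdn.example.com"]


if __name__ == "__main__":
    for src in foreign_scripts(SAMPLE_PAGE, SITE_ALLOWLIST):
        print("foreign script:", src)
```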

Trojan In The Wild Exploits Recently Discovered Bug In Mac OS X Remote Management

Sunday, June 22nd, 2008

Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat, Apple’s instant messaging and video chat software, and Limewire.

Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Composed as a compiled AppleScript or, in another variant, as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if they are injected after a successful attack using another vulnerability, such as a browser bug.

Users can protect themselves by removing ARDAgent from its normal location, /System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (software by SecureMac) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.

Another Round Of Fake Breaking News Spam Installs Malware

Saturday, June 21st, 2008

Nuwar spammers have recently moved from real news of natural disasters and current affairs to creating their own fictional events in an attempt to infect users’ computers. This new high-volume spam campaign uses attention-drawing subjects to lure people into clicking on the links.

The spam message draws on a list of newsworthy subjects that are used as both the subject and the message body. Here is a list of subjects discovered so far by Sophos and McAfee:

Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston’s MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don’t belittle the effects of power enlargement
Don’t let old age shrivel away your self esteem when you can maintain with herbal supplements
Don’t panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men’s health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life
Britney found hanged in locker room
White House hit by lightning, catches fire
Oprah found sleeping the streets
Eiffel Tower damaged by massive earthquake
Donald Trump missing, feared kidnapped
Lastest! Obama quits presidential race

This clever social engineering technique exploits people’s weakness for news of natural disasters and celebrities. The emails contain plain text and always include a link that looks fairly harmless but in fact redirects to a web page that attempts to install malware.

In this particular campaign all the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video, which is actually just an image, it tries to download an executable file. This is detected by McAfee as BackDoor-DNM and also by most other anti-virus products. The spam is also currently detected by anti-spam products.

Users are advised to run updated anti-virus software and never click on links in an email unless they come from a verified person.
