Just a few hours ago, Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware.

This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used.

As of writing, there are a couple of hunded Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak.

We advise Twitter users to prevent from clicking URLs on tweets, specially if the tweet advertises a home video.

Update 1:

It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend infected user accounts.

Update 2:

Koobface and most of its components can be cleaned by our standalone cleaner Sysclean. You may download Sysclean here.

Post from: TrendLabs | Malware Blog - by Trend Micro

Koobface Increases Twitter Activity

Detected as WORM_MYDOOM.EA by Trend Micro, it is suspected to have arrived in victims’ inboxes as an attachment to email messages. Upon execution, it registers itself as a system service (like as WMI Performance Configuration or WmiConfig) to ensure execution upon startup. It then drops component files distributed on several infected machines with lists of targets for DDoS.

It then gathers email addresses from all files located in the affected system’s Temporary Internet Files folder. It also gathers domain names, and uses them to add more email addresses by prepending the user names such as andrew, brenda, david, and george to the gathered domain names (detailed list can be read here). Additionally the threat attempts to obtain email server addresses by prepending certain strings to the obtained domain names. Emails with a copy of itself as attachment are sent to the composed addresses through its own SMTP engine. It should be noted, however, that though the code suggests that WORM_MYDOOM.EA propagates through email, we have yet to receive a sample that successfully propagates via email.

Our threat researchers are still analyzing some aspects of this malware, and it’s components, so we will update this post as necessary as more information becomes available.

Files related to network analysis tools are also deleted in order to prevent the affected user from noticing the heightened network activity caused by the DDoS attack (see Figure 1 for the threat diagram).

The DDoS attack left a number of its target websites inaccessible, which included several of South Korea’s government websites. South Korea is one of the top countries in Asia in terms of Internet usage, with an estimated 36.8 million users.

Users are strongly advised to ignore unsolicited emails to avoid unwillingly partaking in this massive attack.

Updates as of 12 July 2009:

Further analysis by our engineers reveal that WORM_MYDOOM.EA drops a specially crafted .JPG file detected as TROJ_JPEGDRPR.B. Embedded in TROJ_JPEGDRPR.B is an executable detected as WORM_MYDOOM.EB.

WORM_MYDOOM.EB overwrites the Master Boot Record of all drives in the affected system with the string Memory of the Independence Day. It then searches for files with certain file extensions, creates an archive of all found files, then deletes the original files. Found files which are 0-byte (file size is zero) are automatically deleted. The created archive is protected by a random 8-digit password.

Post from: TrendLabs | Malware Blog - by Trend Micro

MYDOOM Code Re-Used in DDoS on U.S. and South Korean Sites

Last week saw another wave of compromised websites that had one thing in common—they were all running ColdFusion on their servers. ColdFusion is a popular platform for developing Internet applications. It is currently owned by Adobe. Users blamed the effectivity of this attack on older versions of certain ColdFusion applications that sported security vulnerabilities and allowed malicious users to upload code to run on already-compromised servers. Cybercriminals then modified the compromised sites to include iframe links to malicious websites.

As with previous attacks, these compromised websites download a malicious file Trend Micro detects as TROJ_DROPPER.PXQ onto the affected system. This file then drops and runs another file detected as TROJ_DLOADR.XNI, which in turn, downloads and executes files detected as TROJ_WIMPIXO.BG and TROJ_SOMEX.C.

Just like the other attacks, the end goal of this particular wave is to steal user information. However, the files in question are already detected by Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

ColdFusion Spurs Another Mass Compromise

Click fraud has become a rapidly growing problem for legitimate companies and advertising networks as it inflates online advertising costs. In the past few years, cybercriminals have been using malicious software to perpetrate click fraud. They hijack search results displayed by engines whenever a user tries to find something online. Unfortunately, these scams can be unwieldy, as victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.

Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:

• Browser hijackers that change a user’s start page and searches to redirect to a third-party search engine
• Trojans that silently pull down a list of advertising URLs and generate fake clicks on the ads in a hidden Internet Explorer window

The new Trojan, however, differed, as every click on an advertisement is user generated. The user does not even notice any change in his or her Web-browsing activities.

This Trojan may also be unknowingly downloaded by a user while visiting malicious websites. It executes and attaches an NTFS Alternate Data Stream (ADS) to a legitimate system file. It then deletes the .EXE file after execution to prevent detection and consequent removal, leaving the ADS in place. Afterward, it connects to a remote URL to download its configuration file. Once done, it monitors the user’s Web-browsing activities and redirects searches in Google to the website found in the downloaded configuration file.

Trend Micro product users need not fret though as Smart Protection Network already protects their systems from this threat.

Post from: TrendLabs | Malware Blog - by Trend Micro

Click Fraud Takes a Step Forward with TROJ_FFSEARCH

The shellcode of the exploit is XOR encrypted. Below is the screenshot of the decrypted shellcode:

Microsoft already released a security advisory regarding this vulnerability. More information can be found in the following page:

• Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates antivirus software processes, and drops other malware on the affected system.

As of this writing, all domains are blocked already by Smart Protection Network. Furthermore, OfficeScan users with Intrusion Defense Firewall plugin installed are protected from this threat if they have updated to the latest filters (IDF09021).

Post from: TrendLabs | Malware Blog - by Trend Micro

Zero-day MPEG2TuneRequest Exploit Leads to KILLAV

See sample message below:

These messages contain links to a site which appears to be from Youtube:

Figure 2: The website with the supposed video

The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU. This particular technique has been used many, many times before, but it’s still quite effective.

Fortunately, however, the malicious file is already detected by the Trend Micro Smart Protection Network, so users don’t need to worry about this threat.

Post from: TrendLabs | Malware Blog - by Trend Micro

WALEDAC Celebrates Independence Day, Too

Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, hxxp://pics. bubbled.cn/gallery/
hardcore/?23c4f60c1b9f604d6ffb21cba599301f (hxxp = http, and without the spaces). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page.

“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘Choose English or Spanish’ page—and then bingo!” Macalintal says.

The landing page is found to display only if the requesting IP www.bestbuy.com is from LAR (see Figure 1).

The source code (see Figure 2) of the landing page shows a garbled set of code found at the bottom of the script, a clear sign of code obfuscation. Beneath a 3-layer obfuscation, an iframe redirects the user to a Luckysploit-laden site. The Luckysploit web exploit kit and the obfuscation seen is reminiscent of that found in Gumblar.

The WHOIS screenshot of the .CN site (see Figure 3) states that it has been created just last June 4, 2009 by the same old criminals.

Further investigation shows that the first .CN site (see Figure 4) is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again.

Best Buy has been informed of the said URL redirections and is resolving the matter as of this writing.

More information to follow.

Hat tip to Advanced Threat Researcher Paul Ferguson for providing more information.

Post from: TrendLabs | Malware Blog - by Trend Micro

Gumblar Invades Best Buy

The spam message suggests that the icon was killed, and that information on who murdered him can be seen on the given URL.

Clicking the said link leads to a website, where the user is asked to execute a file, which supposedly contains secret information, in order to find out who killed Michael Jackson.

But of course, the executable is not at all related to Michael Jackson’s murderer, or to Michael Jackson at all, as the file is really an data-stealer detected by Trend Micro as TROJ_ZBOT.AXY. The Trojan TROJ_ZBOT.AXY connects to a certain URL where it downloads a configuration file containing a list of banking-related websites. Once the user attempts to visit any of the listed sites, a spoofed site is displayed instead of the real one, thus any critical information entered on the spoofed site will be sent to a remote user.

This threat however, doesn’t stand a chance against the Smart Protection Network as of its all components — spam, URL and file — are already either blocked or detected.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spam Speculates Michael Jackson’s Murder

Exactly three months ago, the whole IT sector was waiting with bated breath for April 1. The latest DOWNAD/Conficker variant–WORM_DOWNAD.KK–was poised to strike. We know that on that day, it would attempt to access 500 of 50,000 websites and download new malicious files. This led to fears–somewhat misplaced–that new, possibly damaging payloads could cause severe problems, not just for systems already affected by DOWNAD but the Internet as a whole. Many sectors assumed the worst.

April 1 came and went, and… nothing happened. Several days later, another variant appeared, but without the Internet ending (as some of the worst reporting would have led readers believe) most people believed that DOWNAD, as a major threat, was gone.

While it may no longer be as in the news at it was at its height, DOWNAD didn’t suddenly go away. Recent estimates from the Conficker Working Group place the number of unique IP addresses affected by the top 3 DOWNAD variants at well over 5 million. Even considering the group’s disclaimer of putting the number of actually infected systems at only 25-75% of that number, a minimum of 1.25 million infected systems is nothing to laugh at.

The Trend Micro World Virus Tracking Center (WTC) numbers bear this out as well. Almost 790,000 systems were found to be infected with DOWNAD variants in the first three months of the year. In the three succeeding months, that number was almost 1.9 million. Clearly, DOWNAD did not decide to quietly go away.

In addition, out of the public eye, DOWNAD went off and did something with all those infected systems: it went off and formed its own botnet. This was documented in mid-April by Advanced Threat Researchers Paul Ferguson and Ivan Macalintal. The short version, however, is simpler: DOWNAD was used to create a botnet. These can be used for the usual range of threats: spam, Denial of Service attacks, spreading FAKEAV malware, and so on.

Like it or not, malware threats are part of what users have to deal with day in, day out. Like anything people deal with regularly, people become used to malware threats. What was once noteworthy and unusual becomes dull and ordinary. However, this in fact does not make the threat any less dangerous. If anything, it can be argued that it makes the threat more dangerous, as users are more likely to be caught unaware of a threat that may not be something they’re looking out for.

In a very real way, threats like DOWNAD become part of the background noise that is a part of life on the Internet. While it may be unrealistic to expect individual users to keep in mind all threats, but good computing practices will help immensely. The most important one may be: keep your software up to date. This is particularly true for your operating system–a properly patched system would have been proof against most DOWNAD variants. Trend Micro users would have been protected via the Smart Protection Network, of course, but closing the underlying vulnerability would still have been essential.

The price of using your computer freely in today’s Internet may well be constant and unceasing vigilance.

Post from: TrendLabs | Malware Blog - by Trend Micro

Three Months Later: Where’s DOWNAD?

I readily agree that a seasoned criminal will focus his/her shoulder-surfing efforts on a user’s keyboard than on his/her screen. For an attacker with keyboard-side access, password masking has zero value anyway. However, I think Bruce underplayed the prevalence of possible daily shoulder-surfing activities such as providing IT support to a user, stopping by a colleague’s workstation to review a document, polishing a presentation while on an airplane, or turning on a computer for children who aren’t entitled to unsupervised access. It is also worth considering that there may be situations where it would be inappropriate to ask your current shoulder-buddy (the CEO or your grandmother, you choose) to look away while you enter a password.

There are some small security advantages that password masking does offer. For example, unskilled attackers will be looking at the screen when you start entering your password. By the time they realize their mistake, they will only see *** and have already missed a good portion of your password. (Hopefully, knowing the end of your password won’t help them decode the beginning.) Password masking also encourages frequent users of a service to memorize their passwords. I have many passwords that I could not tell you no matter how hard I tried. My fingers know them or I may know a mnemonic but the keystrokes are the only thing I retain. This is not as helpful for more casual users though.

My main objection to the demise of password masking is the message that it sends to casual users. We enter a case of do-as-I-say-not-as-I-do. How can we ask our users to secure their password reminders if the entire password appears clear as day on the screen every time they enter it? Masking a password sends the message to the user that it is important that they not share their passwords, that they should not even show these to you, reinforcing the never-give-out-your-password tenet. In many cases, masking discourages copying and pasting passwords though only through naïveté (see here for a laugh).

The usability concern is indeed valid. The question becomes this, Where do we draw the line between security and usability? In my opinion, masking is a valid layer of security, though easily breached, it does raise barriers to entry even if only by a small margin. These barriers are also larger for the casual user. The more slowly a password is entered, the more time it would be on the screen, if unmasked. More importantly, it sends a firm message to users that their passwords should be protected.

Also, let’s not forget the principle of minimum astonishment—how many times would you have to use an application before you notice that your password is now being displayed on-screen in clear text? One possible compromise would be to provide a configuration option. However, this would not be friendly to a casual user who needs it most. I encourage application developers to seek out other usability accommodations (e.g., two-factor options, biometrics) before globally unmasking passwords.

Post from: TrendLabs | Malware Blog - by Trend Micro

To *** or Not to Mask: Usability Versus Security in Password Masking

We spotted an email (see Figure 1 below) about Michael Jackson’s death written in Spanish claiming to be from CNN Mexico.

Upon closer analysis (see Figure 2 above), we found that the sender of the email isn’t valid – info@hi5.com which is a spammed sender. The email also contained accurate information about Michael Jackson, buying itself credibility in order to lure users into clicking the links contained within the message.

The said email also contained a suspicious-looking link to an ‘exclusive CNN video’ about the event. Most of the other links on the spammed message were inaccessible and could not display the correct website. But one link—el sitio en internet TMZ (translated to English: ‘found in the TMZ website’)—which was a link to the site where the video is supposedly hosted but it redirects the user to another malicious site—http://{BLOCKED}.com/openbb/avatars/imagen/CNN/indexx.php. The threat in the said page is detected by Trend Micro as HTML_DLOADR.ARM.

This site does not contain anything but a black background and a message box telling the user that the Flash player version running on his/her system cannot play the said video. The message box contains three buttons (see Figure 3 above), clicking any of which will trigger the download of a malicious file—flash-installer-windows.exe—which claims to be the right Flash player version that will allow him/her to view the exclusive video. The said malicious file is detected as BKDR_IRCBOT.BW. BKDR_IRCBOT.BW connects to a certain IRC server and then joins an IRC channel where it waits for commands from a remote user.

Quite notable is that even if a user chooses the Cancel button, which should allow him/her to quit from downloading the file, the site will continue to push the download of the codec, leaving users with no choice but to deal with the malicious file downloaded into their system.

The spam message and malicious website used in this attack are already blocked by the Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Michael Jackson Video Leads to Malware Download

On the outset, the worm detected by Trend Micro as WORM_RANSOM.FD may look like a normal mass-mailing worm but further analysis reveals that this comes with a deadly payload. With only a few exceptions (files with .rwg, .dll, .exe, .ini, .vxd, and .drv extensions are not affected), it encrypts files in the affected system using the Blowfish algorithm, thereby rendering them unusable. A .RWG extension is then appended to the filenames to serve as a marker.

Defying the norm of a typical ransomware however, WORM_RANSOM.FD does not ask for money in exchange for the files. Instead, it gives the affected user three options as to how he or she can retrieve his or her files:

So, unless Windows users are willing to migrate to Linux or wait for the decryptor program that may or may not come, Option 1 may seem the only plausible solution. Resourceful techies may opt to try their hand in manually decrypting the files, but for those stuck with Option 1, Trend Micro already provides a fixtool that will automatically restore the files.

Our experts believe that ransomware is a high-risk/moderate reward business model that will not significantly increase. This is because it goes against one of the key features most cybercriminals are relying on in terms of developing malware, which is stealth. Almost all aspects of a ransomware attack is quite visible.

For one, the payload is visible — users are informed that their files are held hostage, so these users can easily turn to their AV vendors for help in detection/cleanup, mitigating further infection from other users. Another is that cybercriminals have to leave contact details for the payment. These contact details can be used by law enforcement to track down the attackers.

Users who’ve found themselves victims of this attack may either use Trend Micro’s fixtool or ask for assistance.

Post from: TrendLabs | Malware Blog - by Trend Micro

Files for Ransom… or Not

It is accomplished by inserting 213.174.139.72 (IP of the rogue DNS server) into the values of NameServer and DhcpNameServer found in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\Interfaces\{Device ID}

What this system modification does is, every time a website is visited, the domain of the website is resolved by asking the rogue DNS, which can then serve a bad IP that will redirect the unsuspecting user to a malicious or phishing site.

As of writing, the rogue DNS IP is inactive, but we recommend anyone who suspects that something fishy is happening while browsing should search for the presence of that bad IP and remove it (do NOT remove your original DNS IP though). The rouge DNS IP has a history of hosting various malware and malicious pages before so whatever it will do when it wakes up will be anything but good.

The said DNS changer is now detected as TROJ_DNSCHANG.UB, thus the Smart Protection Network also protects Trend Micro users from this.

Other notorious DNS-changers in the past can be read here:

• DNS Changer Malware Evolves – Again
• New ZLOB Rigs Routers
• Blended Targeted Attack in Mexico Now a DNS Changer and a Botnet

Post from: TrendLabs | Malware Blog - by Trend Micro

New Koobface Component: A DNS Changer

Here is how this is done:

1. It retrieves the URL where the malicious script is located.
2. It retrieves its own function and adds the string of the URL.
3. It computes the CRC of the function plus the URL.
4. It decrypts an encrypted code in the script body using the CRC that was computed.
5. It executes the decrypted code using the eval() function.

Figure 1. Obfuscated code of JS_VIRTOOL

It uses its function and URL location as a decryption code. In this case, the encrypted code which is the real routine of the malware will not execute if the function is tampered and/or the URL is not correct.

If a malware analyst only has the script file sample without knowing where the file was downloaded from, he will not be able to know the malware’s actual routines since the URL is necessary for the decryption to take place. In addition, if this script is placed on another website aside from the “correct” one, it will not be successfully decrypted.

Currently, we have multiple samples that all use this particular technique, but have different encrypted contents. We suspect that they have the same decrypted data, the only difference being the URL location which will decrypt each sample. We believe that this as a technique which is intended to make it more difficult to track the source and cause of infection. This could potentially increase the time before these malicious scripts are detected and the appropriate solutions are released to users.

Post from: TrendLabs | Malware Blog - by Trend Micro

New Anti-analysis Technique for Script Malware

When recipients of such messages click on any of these links, they are prompted to save a file named PIC-IMG029-www.hi5.com.exe (with an MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family.

More updates shortly. Stay tuned.

Update as of 27 June 2009

The botnet is said to push the templated messages through an IRC to the client to be spammed. Below is a sample screenshot of the botnet’s activity:

The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity. More information on PUSHDO can be found here:

• Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
  
• Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
  
• Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)
  
• Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)
  
• Pushdo/Cutwail – Traditional AV is Useless (Part 5 of 5)
  

A whitepaper showing findings by the research of Trend Micro analysts on PUSHDO/CUTWAIL is also available and can be downloaded here.

Trend Micro clients are rest assured that all URLs are already blocked through the Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

MSN Bot Plays on Controversy over Michael Jackson’s Death