June 2009 - Posts

Jun28
6:12 pm (UTC-7)   |   by Ryan Flores (Advanced Threats Researcher)

Aside from the new Twitter component we’ve also seen Koobface download a new component with the filename dns.exe, whose main purpose, it seems, is to modify the system’s DNS registry settings.

It is accomplished by inserting 213.174.139.72 (the IP of the rogue DNS server) into the NameServer and DhcpNameServer values under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Device ID}

What this system modification does is, every time a website is visited, the domain of the website is resolved by asking the rogue DNS, which can then serve a bad IP that will redirect the unsuspecting user to a malicious or phishing site.

As of this writing, the rogue DNS IP is inactive, but we recommend that anyone who suspects something fishy is happening while browsing search for the presence of that bad IP and remove it (do NOT remove your original DNS IP though). The rogue DNS IP has a history of hosting various malware and malicious pages, so whatever it does when it wakes up will be anything but good.

The said DNS changer is now detected as TROJ_DNSCHANG.UB, thus the Smart Protection Network also protects Trend Micro users from this.
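As an added defender-side example (not code from the original post), the following Python script scans a plain-text export of the Interfaces key for the rogue resolver and shows what each affected value looks like with only the bad entry removed, so the original DNS server is preserved. It assumes the export is a .reg file with REG_SZ values (as produced by reg export) and runs against a constructed sample export; the interface GUIDs and private addresses in it are made up.

```python
import re

# The rogue resolver named in the post; extend the set if you track others.
ROGUE_DNS = {"213.174.139.72"}
INTERFACES_KEY = "\\services\\tcpip\\parameters\\interfaces\\"
WATCHED_VALUES = ("NameServer", "DhcpNameServer")

# Constructed sample .reg export (not captured from an infected machine).
# The first interface has the rogue resolver prepended to NameServer; the second is clean.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"NameServer"="213.174.139.72,192.168.1.1"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"NameServer"=""
"DhcpNameServer"="10.0.0.2 10.0.0.3"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Only REG_SZ values exported as "name"="value" are parsed; dword:/hex: lines are ignored.
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def split_servers(value):
    # NameServer is comma-separated and DhcpNameServer space-separated; accept both.
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def clean_value(value, rogue_ips=ROGUE_DNS):
    """Drop the rogue addresses but keep the original resolvers and the original separator."""
    sep = "," if "," in value else " "
    return sep.join(s for s in split_servers(value) if s not in rogue_ips)


def find_rogue_dns(text, rogue_ips=ROGUE_DNS):
    """List every per-interface DNS value that contains a rogue resolver, with its cleaned form."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if INTERFACES_KEY not in key.lower():
            continue
        for name in WATCHED_VALUES:
            value = values.get(name, "")
            rogue = [s for s in split_servers(value) if s in rogue_ips]
            if rogue:
                findings.append({
                    "interface": key.rsplit("\\", 1)[1],
                    "value_name": name,
                    "rogue": rogue,
                    "original": value,
                    "cleaned": clean_value(value, rogue_ips),
                })
    return findings


if __name__ == "__main__":
    for f in find_rogue_dns(SAMPLE_REG):
        print(f"{f['interface']} {f['value_name']}: rogue {f['rogue']} "
              f"-> keep '{f['cleaned']}' (was '{f['original']}')")
```

A value whose only entry is the rogue address cleans to an empty string; the script reports that rather than guessing a replacement, since the right resolver for that interface is whatever DHCP or the administrator originally configured.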

Other notorious DNS changers from the past can be read about here:

Google Home Biz Kit is NOT endorsed by Google

During one of my recent journeys around the Internet there was a particular ad being displayed on a website that caught my attention. The type of ad I am referring to wasn’t a totally new concept—ads like it have been running on websites for years, and actually found their start in print in the decades previous. You must have seen them. These are the ads that promise incredible monetary returns for working from home, but without doing a lot of work. Recently, this site and many others have been serving "Google pays me $5k a month" ads:
These particular ads usually redirect users to one of the following sites:


jamesmakesmoney.com
jasongetsrich.com
jennifersmoneyblog.com
joshmadecash.com
kevinmakesmoola.com
marylifeblog.com
matthewsmoney.com
scottsmoneyblog.com


All of the above sites bear the same theme in their domain name of <Name><Money>blog.com. It is always some sort of blog site that is telling a life story and offering the greatest secret of online advertising called the "Google Home Biz Kit." All I need to do to get one of these kits is to pay for the shipping:
Because the website design is not “Google-esque,” it is not that difficult to spot that the Google Home Biz Kit is not endorsed by Google. But, for a couple of bucks, what have I got to lose?


The catch is that you are getting more than just the Google Home Biz Kit. You are also agreeing to let them charge you $40 to $80 each month for a membership, which is not mentioned on the checkout page (only in the fine print on the terms and conditions page):
By the time you notice the extra charges on your credit card bill, you will have already spent more than you bargained for. You could cancel it at that time, but you are not entitled to any refund according to their terms and conditions.


Now, I am not bashing the membership revenue model, which is a valid payment plan if disclosed properly. These ads aren’t unique to one particular site, since other ads in popular ad networks have similar revenue generation techniques. For example, the following advertisement was displayed recently while I was viewing my webmail:
When I clicked on it, it brought me to a personal blog site. "My name is ___ and I lost 50lb, too good to be true? You can try this pill for free. Just pay shipping."


Sound familiar? These hidden membership charge schemes don’t exist without the knowledge of major ad networks. The ad network support forums are plastered with complaints about these sites:
The latest scheme goes beyond using fake blogs and instead uses bogus newspaper websites such as:


losangeles-tribune.com/finance
nyguardian.com
theatlantatribune.com
thenewyorktimesonline.net
thesanfranciscotribune.com
usajobjournal.com
This might sound like a broken record, but here are some guidelines when purchasing online:


1) If it sounds too good to be true, it probably is.


2) If you still think it is a good deal and decide to buy, then be cautious. Read the fine print. Use a one-time-use credit card number if you can.


3) If you have already fallen for a scheme, then contact your credit card company to try to get a refund. If that doesn’t work, in the United States you can contact your state’s attorney general’s office, Better Business Bureau, or the FTC or similar office in other jurisdictions.
Message Edited by Trevor Mack on 06-29-2009 11:21 AM

Jun28
11:33 pm (UTC-7)   |   by Jessa De La Torre (Threat Response Engineer)

A new ransomware spreading through email is on the loose.

At the outset, the worm detected by Trend Micro as WORM_RANSOM.FD may look like a normal mass-mailing worm, but further analysis reveals that it comes with a deadly payload. With only a few exceptions (files with .rwg, .dll, .exe, .ini, .vxd, and .drv extensions are not affected), it encrypts files on the affected system using the Blowfish algorithm, thereby rendering them unusable. A .RWG extension is then appended to the filenames to serve as a marker.

Defying the norm of a typical ransomware however, WORM_RANSOM.FD does not ask for money in exchange for the files. Instead, it gives the affected user three options as to how he or she can retrieve his or her files:

[Image: the three options WORM_RANSOM.FD offers the affected user]

So, unless Windows users are willing to migrate to Linux or wait for the decryptor program that may or may not come, Option 1 may seem the only plausible solution. Resourceful techies may opt to try their hand in manually decrypting the files, but for those stuck with Option 1, Trend Micro already provides a fixtool that will automatically restore the files.

Our experts believe that ransomware is a high-risk/moderate-reward business model that will not significantly increase. This is because it goes against one of the key features most cybercriminals rely on when developing malware: stealth. Almost all aspects of a ransomware attack are quite visible.

For one, the payload is visible — users are informed that their files are held hostage, so these users can easily turn to their AV vendors for help in detection/cleanup, mitigating further infection from other users. Another is that cybercriminals have to leave contact details for the payment. These contact details can be used by law enforcement to track down the attackers.

Users who find themselves victims of this attack may either use Trend Micro’s fixtool or ask for assistance.

Monday, June 29, 2009

Michael Jackson Malware
Posted by Mikko @ 08:36 GMT

There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected.

Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites.

When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message:

[Image: the fake error message shown by Michael-www.google.com.exe]

We detect the dropper and the backdoors as Trojan.Win32.Buzus.bjyo.

Published: 2009-06-26,
Last Updated: 2009-06-26 14:10:33 UTC
by Lenny Zeltser (Version: 2)

Malware authors employ numerous and creative techniques to protect their executables from reverse-engineering. The arsenal includes an anti-debugging technique called the TLS callback. The approach is not new, yet it is not widely understood by malware analysts, so I'd like to describe it in this note. (Thanks to Christian Wojner from CERT.at for his insights regarding this topic!)

What is TLS?

According to Microsoft, Thread Local Storage (TLS) is a mechanism that allows Microsoft Windows to define data objects that are not automatic (stack) variables, yet are "local to each individual thread that runs the code. Thus, each thread can maintain a different value for a variable declared by using TLS." This information is stored in the PE header. (Windows uses the PE header to store meta information about the executable in order to load and run the program.)

A programmer can define TLS callback functions, which were designed mainly to initialize and clear TLS data objects. From the malware author's perspective, the beauty of TLS callbacks is that Windows executes these functions before executing code at the traditional start of the program.

How Can TLS Callbacks Confuse Debuggers and Analysts?

Analysts often examine a malicious program's code by starting with the instructions located at the Entry Point of the executable. The Entry Point is a field in the PE header that stores the address of the "first" instruction in the program that Windows is supposed to execute; debuggers typically take us to that instruction after loading the executable. TLS callback functions allow malware authors to execute malicious code before the debugger has a chance to pause at the traditional Entry Point. This allows malware to infect the system or disable the debugger before the analyst has a chance to look at the sample's code.

Consider the TLS callback technique employed by the Nadnadzzz bot about a year ago. If you load the bot's executable into OllyDbg, you expect to have the debugger pause at its entry point. Instead, OllyDbg seems to immediately say that the process terminated. What happened? You just infected yourself!

The problem is that before OllyDbg had a chance to pause at the traditional Entry Point instruction, it executed a TLS callback function.

How to Bypass the TLS Callback Defense

To bypass the TLS callback defense and debug the program from its "true" beginning, the TLS callback function:

  1. Configure the debugger to pause on the system entry point, instead of the traditional program entry point.
  2. Identify the address of the TLS callback function, instead of the traditional program Entry Point.
  3. Set the breakpoint on the TLS callback function, then run the program if you wish.

If using OllyDbg, you can tell it to pause before TLS callback by going to Debugging options > Events. By default, it's set to pause at "WinMain (if location is known)." Instead, set it to pause at "System breakpoint." This will allow you to control the program before TLS callback functions execute.

Now you will have a chance to set the breakpoint on the TLS callback function. You need to find it first, though. Ilfak Guilfanov describes a convenient way to do that with IDA Pro in his blog posting. To locate the TLS callback function, load the malicious executable into IDA Pro, then press Ctrl+E to view the executable's entry points. The address of the TLS callback function should be among them.

Now you know where to start debugging or otherwise analyzing the program's code. You can do this in IDA Pro. If you prefer OllyDbg, you can return to OllyDbg, and load the malicious program; OllyDbg will now pause at the "system entry point" in ntdll.dll. Press Ctrl+G and enter the address of the TLS callback function, which you located via IDA Pro; set a breakpoint there and continue the analysis.
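As an added illustration (not part of Lenny's diary, and not IDA Pro's or OllyDbg's code), here is a small Python PE parser that performs step 2 statically: it reads the TLS entry of the optional header's data directory, follows AddressOfCallBacks, and lists the callback RVAs alongside the traditional entry point. It goes a little beyond the note by handling both PE32 and PE32+ layouts. The sample image it builds is a constructed, non-executable header layout used only to exercise the parser; the field offsets come from the PE file format specification.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory


def _headers(data):
    """Return (optional_header_offset, is_pe32plus, image_base, entry_rva, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # Magic: 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    if pe32plus:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, vsize, rawptr, rawsize))
    return opt, pe32plus, image_base, entry_rva, sections


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(data):
    """Return (entry_point_rva, [callback RVAs]); the callbacks run before the entry point."""
    opt, pe32plus, image_base, entry_rva, sections = _headers(data)
    dd = opt + (112 if pe32plus else 96)                 # start of the data directory
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]    # NumberOfRvaAndSizes
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return entry_rva, []
    tls_rva, _tls_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return entry_rva, []
    ptr_fmt, ptr_size = ("<Q", 8) if pe32plus else ("<I", 4)
    # IMAGE_TLS_DIRECTORY: RawDataStart, RawDataEnd, AddressOfIndex, AddressOfCallBacks, ...
    tls_off = rva_to_offset(tls_rva, sections)
    callbacks_va = struct.unpack_from(ptr_fmt, data, tls_off + 3 * ptr_size)[0]
    if callbacks_va == 0:
        return entry_rva, []
    off = rva_to_offset(callbacks_va - image_base, sections)  # array holds absolute VAs
    callbacks = []
    while True:
        va = struct.unpack_from(ptr_fmt, data, off)[0]
        if va == 0:                                          # NULL-terminated array
            break
        callbacks.append(va - image_base)
        off += ptr_size
    return entry_rva, callbacks


def build_sample_pe():
    """Construct a minimal PE32 header layout (not a runnable program) registering two TLS callbacks."""
    image_base, sect_va, sect_raw = 0x400000, 0x1000, 0x200
    entry_rva, callback_rvas = 0x1100, [0x1200, 0x1300]
    tls_rva = sect_va                  # TLS directory at the start of the only section
    cb_rva = tls_rva + 24              # callback array right after the 24-byte directory
    tls_dir = struct.pack("<IIIIII", image_base + 0x1400, image_base + 0x1410,
                          image_base + 0x1420, image_base + cb_rva, 0, 0)
    cb_array = b"".join(struct.pack("<I", image_base + r) for r in callback_rvas) + bytes(4)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24)
    section = struct.pack("<8sIIII", b".data", 0x1000, sect_va, 0x200, sect_raw) + bytes(16)
    headers = (dos + coff + bytes(opt) + section).ljust(sect_raw, b"\0")
    return headers + (tls_dir + cb_array).ljust(0x200, b"\0")


if __name__ == "__main__":
    ep, cbs = tls_callbacks(build_sample_pe())
    print(f"Entry point RVA: {ep:#x}")
    for cb in cbs:
        print(f"TLS callback RVA: {cb:#x} (runs before the entry point)")
```

Feeding a real sample's bytes to tls_callbacks gives the addresses to break on after switching OllyDbg to the system breakpoint; an empty list means the image registers no TLS callbacks and the entry point really is the first program code to run.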

For additional information about TLS callbacks used by malware for anti-debugging, see the links mentioned earlier, as well as:

Update:

Sylvain Sarmejeanne reminded us that GRUM malware used a TLS callback to execute its unpacking code, as outlined in this Websense blog posting. Sylvain also shared with us a link to his personal blog posting (in French), which explains how one could use TLS callbacks to create a UPX-packed file that runs differently depending on whether it was statically uncompressed ("upx -d") or whether it dynamically uncompresses itself in memory. (Here's a link to the Google auto-translation of Sylvain's posting.)

If you have other tips and examples of TLS callbacks used by malware, please let us know.


-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.

Image Spam Déjà Vu

The spammers of enhancement medication have recently revitalized the use of obfuscated image attachments and are therefore reemerging as a top threat to email users. By using .jpg-formatted image attachments, these spammers are trying every trick in the book to bypass spam filters, including randomizing the subject lines with misspelled sexually suggestive catch phrases, using minimal message body content, and closing with obfuscated attached images.


Here are some examples of the kinds of message body content that has been observed:
•    Canadiian policce ads pulled from gang Web sites
•    Chocoholic squtirrel steals treatts from Finnish shop
•    Perpetual Student Wants Onnne More Year
•    The animal that stows its tongue inn its rib cage
•    New Orleans R&B star begins posthumous mayoral bid


The interesting highlight of this spam trend is the manipulation of images by using geometric shapes and figures in the image background. In the past, we have encountered background color blocks, wavy text, and multi-colored blurred backgrounds. Spammers are using a combination of all of the above in this recent wave of attacks.

Below are a few examples we have tracked since image spam started reemerging this year. As you begin scrolling through the images you will notice the complexity of obfuscation spammers are using, which started around late April 2009 and continues on in the middle of June 2009.

The sample on the right shows grid lines in the background. Note that we’ve blacked out some of the rude text.
At the beginning of the month we posted a blog related to a spike in spam carrying .rtf attachments, which involved the download of an .rtf file that allowed an advertised spam domain to be displayed. On Friday, June 12, 2009, we started seeing a new breed of this attack. Spammers are using .gif-formatted image attachments with different colored backgrounds and random lines.
Twenty-four hours later on June 13, 2009, the spammers mutated the image—being more offensive with their image selection by using two cartoonish image comparisons of the male anatomy that were accompanied by an advertised website.
As always, Symantec recommends that users remain wary of any messages received that have come from an unknown or unexpected source. And remember, if you’ve received a message that is selling something that sounds too good to be true, it’s probably because it is.

Note: Thanks to the key contributors to this blog: Joe Krug, Niall O’Reilly, and Sammy Chu.
Jun25
5:47 pm (UTC-7)   |   by Verna Sagum (Fraud Analyst)

We have recently discovered a version of online fraud that takes the guise of a legitimate-looking news website. At first glance, the content of the purported news page appears real, but after further analysis one realizes that the news page is actually a spam site.

[Screenshots: the fake news page promoting Google Cash Club]

What’s supposed to be a news article is actually a write-up that explains how Google can supposedly provide online users the opportunity to earn easy money. To make it more convincing, the page also claims to have several positive responses from anonymous online users. Clicking any of the links on the spam website shown above leads to a phishing page.

[Screenshot: the phishing page with its countdown timer]

The page contains a spoofed countdown timer intended to make the user panic and quickly fill out the form. Clicking the See If I Qualify button then directs the user to another page containing an affirmation of the user’s qualifications, which then requires him/her to fill out another form with his/her credit card information.

Related phishing schemes have also been found using the same technique but with different keywords other than Google Cash Club. Below are some of the keywords used:

  • Make Money with Google
  • Google Money Monster
  • Google Home Income
  • Easy Google Profit
  • Google’s Business Kit

Inquiries on the legitimacy of the service have been posted on Google’s support forum, and we agree with what most of the users have posted: Google Cash Club is a scam.

The phishing URL is already blocked by the Trend Micro Smart Protection Network.

Jun29
12:07 am (UTC-7)   |   by Argie Gallego (Anti-spam Research Engineer)

Cybercriminals once again used the passing of Michael Jackson, the ‘King of Pop,’ a few days ago as an opportunity to go about with their malicious activities and attack innocent users.

We spotted an email (see Figure 1 below) about Michael Jackson’s death written in Spanish claiming to be from CNN Mexico.


[Figure 1 and Figure 2: the spammed email claiming to be from CNN Mexico, and its sender details]

Upon closer analysis (see Figure 2 above), we found that the sender of the email isn’t valid: info@hi5.com is a spammed sender address. The email also contained accurate information about Michael Jackson, buying itself credibility in order to lure users into clicking the links contained within the message.

The said email also contained a suspicious-looking link to an ‘exclusive CNN video’ about the event. Most of the other links in the spammed message were inaccessible and could not display the correct website. One link, however, el sitio en internet TMZ (translated to English: ‘found in the TMZ website’), supposedly led to the site where the video is hosted, but it actually redirects the user to another malicious site: http://{BLOCKED}.com/openbb/avatars/imagen/CNN/indexx.php. The threat on that page is detected by Trend Micro as HTML_DLOADR.ARM.


[Figure 3: the fake Flash player message box with its three buttons]

This site does not contain anything but a black background and a message box telling the user that the Flash player version running on his/her system cannot play the said video. The message box contains three buttons (see Figure 3 above), clicking any of which will trigger the download of a malicious file—flash-installer-windows.exe—which claims to be the right Flash player version that will allow him/her to view the exclusive video. The said malicious file is detected as BKDR_IRCBOT.BW. BKDR_IRCBOT.BW connects to a certain IRC server and then joins an IRC channel where it waits for commands from a remote user.

Quite notable is that even if a user chooses the Cancel button, which should allow him/her to quit from downloading the file, the site will continue to push the download of the codec, leaving users with no choice but to deal with the malicious file downloaded into their system.

The spam message and malicious website used in this attack are already blocked by the Trend Micro Smart Protection Network.

Jun25
6:23 pm (UTC-7)   |   by Jonell Baltazar (Advanced Threats Researcher)

Twitter is a very popular platform for expressing whatever is on a user’s mind, making it a favorite target of malware authors. Trend Micro has published several blog entries that discussed attacks on Twitter. Now, the creators of Koobface included a new component in the malware to target the vast number of Twitter users. They’ve come up with the latest update to the Koobface loader binary and other known Koobface components that target social networking sites like Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.

The new component uses a victim’s Twitter account to post tweets using Internet-browsing cookies to log in to the target user’s account. Tweets can more successfully be posted when the victim is currently logged on to his/her Twitter account as the ‘evil’ Koobface binary runs in the background.


Figure 1. Twitter account of an infected PC

The supposed tweets are retrieved from a Koobface C&C domain and use Tinyurl.com to shorten, and partially obfuscate, the URL included in the message.


Figure 2. Network stream of an affected PC

Visiting the posted URL leads to a Koobface redirector page that opens the same old ‘fake’ YouTube page that hosts the Koobface loader posing as an Adobe Flash Player update also known as the infamous setup.exe.


Figure 3. Fake YouTube page that installs setup.exe

As with earlier Koobface-related attacks, however, Trend Micro product users need not worry about being infected as Smart Protection Network already blocks malicious sites and files from running on their systems. They should, however, still keep in mind that an ounce of prevention is always better than a pound of cure.

Related posts on Koobface:

Twitter, likewise, was never that safe from attacks:


Update on June 28:

Setup.exe is now detected as WORM_KOOBFACE.DC. It has the ability to fetch information from the affected PC and to send said info to URLs via HTTP POST.

Moreover, Koobface writers immediately updated their mal-tweets, cleverly using current events related to Michael Jackson’s death. Luckily, the URL included in the message did not change and is still being blocked by Smart Protection Network.

Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.


A new variant of Generic Rootkit.d


A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a prevalent rootkit which is mostly associated with FakeAlert and DNSChanger trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection and cleaning for this rootkit is Generic Rootkit.d. The techniques of this threat are well known now. It basically uses inline hooks on: IofCallDriver, IofCompleteRequest, NtFlushInstructionCache, NtEnumerateKey etc. This trojan removes permissions from its registry entries as well.

The malware has a hidden .sys file in the system32\drivers directory with a name like skynet*.sys. One can use a rootkit analysis tool, or just WinDbg, to restore the inline hooks installed by the malware. Even though the malicious file is no longer hidden after hook restoration, it was interesting to note that the malware is able to re-create the file upon deletion. It is common for malware to ‘watch’ or recreate its components, but the curious thing was that Filemon was not showing any activity, and other API-tracing approaches also didn’t point to anything that could explain the recreation of this file.

Taking a closer look it turned out that the malware is using one of the delayed system worker threads to call ZwCreateFile in a loop at regular intervals created using KeDelayExecutionThread. The following figure shows the relevant malware code and thread.

Figure 1 File Creation loop

That explains how the file is recreated upon deletion. This thread also watches the malware’s registry. Additionally, this thread continuously restores the system service descriptor table (SSDT) using the code shown below. So any tracing utility that hooks SSDT to monitor activity would not work.

Figure 2 SSDT rewrite

If it was just SSDT rewriting then filemon should have been able to report the file activity. But the malware also removes all filesystem filter drivers and since filemon also uses a filesystem filter it didn’t report anything. The figure below shows the device stack before and after infection. Note that all filters are removed after infection.

Figure 3 Device stack before and after infection


And here is the code that removes attached filters.

Figure 4 Detach filter

Actually, only the attached-device field for NTFS is nulled out; the rest of the stack is left dangling.

Figure 3 also shows that not only is the filemon filter driver removed but even the Filter Manager has been effectively removed. Removing all filters and rewriting SSDT will thwart analysis tools that use these techniques but may also break other software as well. Obviously it does not matter to malware as long as its rootkit works in a stealthy manner in most environments. It’s a trade off that many malware make and this one has made its choice as well.

Jun24
2:42 pm (UTC-7)   |   by Ryan Flores (Advanced Threats Researcher)

While testing some Google searches, I came across an interesting result searching for Cialis, a popular anti-erectile dysfunction drug commonly sold by dubious online resellers. The fourth Google result returned a forum for Silverlight, a programmable web browser plugin by Microsoft (Figure 1). Interested, I clicked on the link and found an interesting post.

[Figure 1: Google search results for Cialis, and the Silverlight forum post]

This doesn’t really look like med spam, since everything is just a plain-text advertisement with no Buy Now or Click this link, but it is close to being med spam, probably a failed attempt to create one on the Silverlight forum website. So I kept on looking and found other Silverlight forum members peddling Cialis and other drugs, this time successfully creating med spam pages on the Silverlight site.

[Screenshots: Silverlight forum profile pages used as med spam sites]

I found around fifty of these med spam pages hosted free by Silverlight, all of which are supposed to be profile pages of Silverlight Community members, but crafted by the “member” to advertise med spam.

More troubling is that this doesn’t end with med spam. Some spam profiles lead to fake antivirus programs. Several “RedTube” profiles (supposedly porn video streaming) link to a site that asks you to “download the Tube Video player to play this video”.

[Screenshots: “RedTube” profile pages and the “Tube Video player” download prompt]

The downloaded file install.exe is actually a fake AV detected as TROJ_FAKEAV.ODN.

We’ve alerted Microsoft of this abuse. We are hoping that the spam posts will be deleted as soon as possible. Meanwhile the Trend Micro Smart Protection Network provides users complete protection against this threat.

Sharing is Caring, Even for Spammers

With more people using the Internet now than ever before, free homepage hosting providers are increasing in popularity. These sites offer users free Web space so that they can make their own homepage, publish it, and share with friends and family. When the popularity of this type of service was near its peak, spammers began to use these websites as part of their spamming efforts. This was accomplished through the creation of many free websites, often using automation, and sending spam with a newly created webpage URL. The randomization of such URLs hindered typical anti-spam efforts. When an unsuspecting user clicked on one of these newly created URLs, more often than not they were taken to a page similar to the one shown here:
While this spam material (online pharmacy spam) is nothing new, the page that contains the actual spam content resides underneath the layer of a legitimate Web hosting site. Therefore, this technique presents a challenge to basic anti-spam efforts.

User groups provide users a shared space in which they can conduct various activities. These include blogs, link postings, and discussion forums. Many years ago we witnessed spammers attempting to exploit this by sending a spam message to the master group email address. This in turn relayed that message to all members of the group. When system providers caught up to this abuse, spammers simply made their own groups and started to spam using links like this one:
The Internet is slowly evolving to become a more collaborative space. One prominent website provides a free service that enables users to share documents with one another. This allows one central location of a file, which makes attaching the same document over and over again via email obsolete. As popularity of this service rises, Symantec is observing an increase in attacks using links such as this:
The Internet has and will continue to provide us with interconnectivity and the many conveniences that come with it. However, our examples have demonstrated that spammers are always trying to take advantage of new features for their personal profit. Sharing is caring, even in the world of spam.
Jun25
6:03 pm (UTC-7)   |   by Macky Cruz (Technical Communications)

Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news about the death of Charlie’s Angels star Farrah Fawcett, who, at age 62, finally ended a long struggle with cancer.

Blackhat
Figure 1. Blackhat SEO links for Farrah Fawcett searches sets in

Hosted on is-the-boss domains (last seen in the H1N1 blackhat SEO attack), the links that come up in search results redirect to other URLs that eventually land on all-too-familiar territory: a rogue antivirus download.

In one specific infection chain traced by Research Manager Ivan Macalintal, the initial link redirects to another URL in the same domain, which then redirects to another URL that performs referrer checks before unfolding its contents. This is an evasion technique used by cybercriminals to avoid analysis by security researchers or being crawled (and rated) by search engines.

Once the requester is cleared, the URL redirects to two more URLs before finally landing on a download page (within a certain thesecuritytools domain–now blocked by Trend Micro). The page downloads install.exe, which is a rogue antivirus detected as TROJ_FAKEAV.BBM.

As this report is being written our engineers are analyzing the behavior of this malware. Trend Micro Smart Protection Network already blocks malicious URLs related to this attack.

Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise met an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities.

One of the more famous blackhat SEO manipulation attacks we have documented thus far is the one that happened shortly after Heath Ledger’s death.

Update (2:30 am (UTC-7)): TROJ_FAKEAV.BBM behaves fairly similarly to other rogue antivirus we’ve seen to date. Here’s a screenshot of its “scanning window”:

TROJ_FAKEAV.BBM window
Figure 2. The rogue antivirus program’s window

Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system.


Michael Jackson Death Prompts Malicious Spam

Date: 06.26.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered spam emails offering recipients links to unpublished videos and pictures of singer Michael Jackson. According to news reports Michael Jackson's death was confirmed yesterday.

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is located on a legitimate Web site hosted in Australia belonging to a radio broadcasting station. Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called michael.gif, which has low AV detection rates - see VT results here. The malware then installs a malicious BHO that is registered with this file %windir%\Dynamic.dll and this GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Translation of the email is as follows: 

Screenshot of the malicious spam:

Screenshot of the malicious file masquerading as a video:

Websense® Messaging and Websense Web Security customers are protected against this attack.

Michael Jackson Spam Distributes Malware

Published: 2009-06-26,
Last Updated: 2009-06-26 15:57:36 UTC
by Lenny Zeltser (Version: 2)


As we anticipated in yesterday's diary, spammers are starting to exploit attention-grabbing headlines of recent celebrity deaths. Sophos described one such message, with the subject "Confidential===Michael Jackson", in their blog posting. Today we're starting to see reports of these messages directing individuals to websites that distribute malicious software.

For example, Steve Basford emailed us a link to his blog posting, where he discusses a spammed fake news item that invites the victim to download a "video". The message said: "As redes de televisão americanas CBS e ABC também estão noticiando a morte do cantor, assim como a versão online do jornal New York Times e da revista Variety..." (See screen shot below.)

The "video" file the victim was asked to download, named "Michael.Jackson.videos.scr", was actually a malicious program: a downloader that would start the infection chain. See the VirusTotal report.

Update 1: Websense is reporting that they are seeing this campaign as well in their blog posting, and offer a few additional details.

Update 2: Here's the ThreatExpert report on the downloader, detailing the files it attempts to install on the victim's system.


-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.
