September 2009 - Posts

Microsoft Security Essentials SEO Poisoning


Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV.

Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association.

When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.

An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc).
If the user downloads the application, a file with a .tif extension is downloaded; it is decrypted/decompressed and split into TSC.exe and system.dat in the "program files\TS" directory.
The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check Internet connectivity.
Finally, "tsc.exe" is executed with no parameters and the rogue AV starts. (In the background the original file is deleted.)

Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today.

Screenshot of Google search results:

Screenshot of rogue AV Web site:

Screenshot of download prompt:

Websense® Messaging and Websense Web Security customers are protected against this attack.

Pacific Tsunami Unleashes a New Tide of Malware

By Hon Lau

An unfortunate side effect of any newsworthy disaster in the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) recorded last night off the coast of Western Samoa, and the tsunami that followed, caused much destruction and loss of life on the islands near the epicentre of the quake. As with any large-scale disaster that quickly becomes a major news event, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information for many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, they are also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning Web searches to make sure that their results are returned near the top of the page.

Searches for topics relating to this latest earthquake disaster such as “Western Samoa”, “Earthquake”, or “Tsunami” will return some pages that are bad and attempt to perform fake antivirus scans, with the usual offers to clean up your computer for a fee. One such example is shown below:
When the link is followed, it displays several popup windows informing you that your computer is infected:


Since you are not given a choice to say no, the only course of action once this popup appears is to click OK, which then leads to the now all-too-familiar fake Windows scanning page:


The scan inevitably finds a motley collection of security risks and threats that need to be removed. Clicking Remove all then leads to the downloading of a file named setup_build7_195.exe.


Once executed, the bogus software begins to start downloading components and performs another fake scan which eventually reports a whole host of threats that needs fixing.


Notice that the authors of this software have gotten somewhat ahead of themselves: my computer is running the Classic theme of Windows XP, yet the window that pops up is in the Windows Vista style, which is not available in XP. This is a potential giveaway that something fishy is afoot.


Activation of the product promises to remove these threats and also relieve you of over a hundred dollars of your hard-earned cash. If you don’t activate the product then you will be constantly nagged with System Tray popups and blacked-out windows warning you of the threats on your computer.

Followers of this blog will no doubt notice the similarities between this attack and many other recent ones, such as the one spawned by the Serena Williams outburst, and also the Twitter-based attacks of a similar nature reported by my colleague Ben a couple of weeks ago. The people behind these attacks are constantly evolving and adapting their attacks to suit current news events, so don’t be surprised to see more from this crew. Users of Symantec products are of course already protected as we detect and remove this software as Antivirus 2008.

Wednesday, September 30, 2009
Samoa Earthquake News Leads To Rogue AV
Posted by WebSecurity @ 08:03 GMT

It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii.

Readers looking for news articles on the earthquake may come across this page in the Google search results:

Samoa earthquake, Google

On clicking the link, the user is redirected to a series of sites via 302 redirects:
Samoa earthquake redirect
The final landing page warns the user that their "system is infected":

Samoa earthquake, Rogue AV

The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software.

As usual, be careful when browsing. These websites are blocked by our Browsing Protection.


Updated to add: Looks like tweets are also being used to direct people looking for tsunami news to rogue AV. Searching Twitter with the term "tsunami" turned up the following tweet:

Samoa earthquake, Twitter

Which led to the following message:

Samoa earthquake, Twitter

How nice, a free system scan. Then a notification that "Your computer is infected" appears:

Samoa earthquake, Twitter

Note that the whole "folder" is really just an image. Users then get messages asking them to download a rogue AV to clear the supposed infections.

Web Security post by — Chu Kian & Choon Hong

Rebranded Rogue Anti-Virus Strikes Again


Recently, we analysed samples of a new fake anti-virus program that brands itself as “Alpha Antivirus”. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.

“Alpha Antivirus” is a new FakeAlert variant evolved from the “Personal Antivirus” family of rogue anti-virus software. Like many FakeAlert malware, “Alpha Antivirus” promotes itself through the use of pop-up web pages hosted on malicious websites. These web pages mimic a “Windows Explorer” folder and a “Windows Security Alert” dialog, and perform a free but fake online scan of the affected system.

online scanning

The following domains were known to host the fake online scanning web pages and the main executable of “Alpha Antivirus“:


The page then prompts the user to install “Alpha Antivirus”. Once executed, it launches a fake scan and reports multiple infections:

Alpha AV

Alpha AV

It also displays misleading pop-up warnings on the Windows taskbar.

Alpha AV

Alpha AV

This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe and a msnaoladdon.dll component in the Windows System folder, and installs the DLL file as a Browser Helper Object (BHO).

(%ProgramFiles% refers to the Program Files folder, e.g. X:\Program Files, where X: is the Windows installation drive)

AlphaAV.exe is detected as FakeAlert-DI while msnaoladdon.dll is detected as FakeAlert-EQ.

Frequently, we see abrupt changes in the branding, filenames and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish their findings about new rogue antivirus programs, malware authors repackage their “products” with new brand names and filenames, and use more obfuscation and encryption on their files, in an attempt to avoid being recognised by end users and, in some cases, to evade detection by security vendors.

Some known brand name and filename changes:

1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll. (Personal Antivirus), then again, to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)

2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)

3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus).

4. From Spyware Protect 2009 to Antivirus System Pro

As a gentle reminder to all users: avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs regularly.

No Trial Mounts For You
Posted by Response @ 05:50 GMT

Say you play World of Warcraft (WoW) and you really, really want a mount. Then someone pops up and tells you about a new website where Blizzard is offering new trial mounts:

WoW phishing

So you visit the site and see this:

Phishing site

Yes, it's another phishing website, which looks exactly like the real login page. A player entering his details into the page expecting to get a mount basically gets his account pwned instead. Apart from losing all the gold and items saved, a compromised account could also be used to send out the malicious messages to other victims, adding insult to injury.

An interesting detail about this particular site is that a reverse-IP check on its IP address turned up over a dozen other WoW phishing sites.

As usual, be careful while gaming. These phishing websites are blocked by our Browsing Protection.

Inside the Jaws of Trojan.Clampi

By Patrick Fitzgerald

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi.  In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Trojan.Clampi has been around for a number of years now.  During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly  affected machines in the US.  Clampi infection rates seem to be skewed towards countries where English is the primary language.  This may indicate the first infections were as a result of malicious drive-by attacks on English websites.   The top 5 rates of new infections over the last two weeks are:

  1. North America
  2. Great Britain
  3. Canada
  4. New Zealand
  5. Mexico

The following graph shows the trend in Clampi detections over the last year.  There are two notable spikes which correspond to the release of updates to this Trojan.  The variant released on July 15, 2009 is what we are currently seeing in the wild.


The next graph shows the geographical distribution of this threat over the last two weeks:


Clampi uses a commercial utility to help prevent analysis of its code. This utility is intended to protect intellectual property by making it extremely difficult to analyze, and subsequently crack, copyrighted software. The techniques used to prevent analysis include:

  • Executable code virtualization (built-in virtual machine)
  • Packing
  • Encryption

The combination of these techniques makes it very difficult and time consuming to get at the underlying code to see exactly what the code is doing.  This also makes it difficult to create detection for malware protected in this way.  Symantec products detect all known variants as either Trojan.Clampi or Trojan.Clampi!gen.  The first sets of definitions to detect these were:

Functionally, Clampi appears to be quite versatile. It has the capability to download arbitrary binaries that are then stored in the registry and loaded straight into memory, avoiding traditional antivirus scanning techniques that scan files on disk. It remains active on the network, connecting back to a server and waiting for commands. Clampi also has the ability to spread to other machines on the network through network shares—this feature is the reason we are seeing such widespread infections.

All communications are encrypted using the Blowfish algorithm created by Bruce Schneier. Without knowing the keys, decrypting this information may be impossible in a reasonable time.  There is also evidence which points to Clampi functioning as a backdoor.  So far the motivation behind Clampi appears to be financial.  It has the ability to steal login credentials for online banking sites, something we have observed in a controlled lab environment.  In one case we saw attempts to inject JavaScript into a well known banking site in an attempt to steal login details.  Given this functionality, its modular nature, and the variety of functions seen to date, it’s also possible that Clampi may be a botnet for hire. 

As the layers of protection are peeled away we gain more insight into what this threat is doing and what it is capable of.  The analysis also raises more questions but one thing remains clear—this is a very interesting threat.  We hope you’ll enjoy the coming articles which will explore this threat.

Tweeting Misleading Applications

By Ben Nahorney

A lot can be said with 140 characters. It’s just enough to convey a point, but constricting enough to make things concise. No wonder microblogging sites such as Twitter have become so popular.

Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.

There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used Twitter search terms, their goal is to get other users to click on their links, leading to malicious code.

The following video shows one of these malicious tweets in action:

Now, neither Twitter nor the URL-shortening services are at fault here. This is simply another case where malicious attackers are using a neutral technology as a means to their deceptive ends. Both Twitter and the URL-shortening services are convenient technologies that we don’t see going away any time soon.

So how do you protect yourself? The good news is that both Firefox and Internet Explorer offer browser plug-ins that will check a shortened URL for you and show you the final URL before you even click on it. While this won’t tell you for sure if the link is malicious, it will at least allow you to look more carefully before clicking.

While the misleading applications currently being served up in this manner all look very similar today, we’re likely to see more variety in the future. If you’re running Symantec antivirus software, there’s no need to worry. The current IPS signatures will detect and block these risks from being downloaded onto your computer.

Monday, September 28, 2009
XSS Worm on
Posted by Mikko @ 11:12 GMT

Reddit ( is a social news website, and it's much better than Digg or Slashdot.

However, it got hit today by an XSS worm that was spreading via comments on the site.


It all started with a user called, suitably enough, xssfinder.

His account has already been deleted.


This user posted some test comments exploiting the fact that Reddit wasn't filtering out JavaScript in certain instances when you were hovering your mouse over text.


When xssfinder got his script working, he tested it by posting one comment to a popular link called "Guy on a bike in New York 'high fives' people hailing cabs".

After this, things happened quickly.

People reading comments ended up sending massive amounts of new comments to Reddit threads.

Right now things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. Malicious comments are being mass deleted right now.


Online ‘Monopoly’ a Reminder That Spammers Don’t Play Fair


In the latest social-engineering tactic targeting online games players, a new spam campaign attempts to lure users into downloading a Monopoly game–though it’s more like a game of Russian roulette. The email is a seemingly innocuous invite from a random user (your first clue that this is something to avoid!). The message uses a subject line such as “Play Online Together” or “Tom has invited you to play Monopoly.”

If recipients follow the link to, they are greeted with a web page that looks fairly well done. It advertises “Monopoly” while giving a brief history of the game and providing some fun facts. It also, of course, encourages users to download the app using several links dispersed throughout the page.

No code is injected on users’ computers just by visiting the web page. They need to download and install monopoly.exe, which the site delivers. The executable file is just the first stage of the process, however. A fairly common tactic deployed by hackers is that the code installed as a result of the download is only the beginning. At this point the Trojan is activated on the victims’ computers, and it links to another computer and downloads the second stage of the malware, the piece that turns machines into a spam-sending zombie touting Canadian Pharmacy products.

To help sell the deception, the folks who created the page include a hit counter to suggest that there are people playing the game online right now. Don’t be fooled. This ruse is merely the number of how many people have visited the page thus far.

W32/Xpaj: Know Your Polymorphic Enemy


Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle the majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring (EPO) technique. But when it comes to viruses with delayed loading and random code block insertion, such as W32/Zmist (a.k.a. Mistfall), code emulators are not the best approach. We recently came across a new W32/Xpaj variant that is actively spreading. It utilizes well-known evasion techniques that are otherwise seldom found in live virus analysis.

The new W32/Xpaj uses a random code block integration technique to infect files. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks responsible for different functionalities and moves them into random locations throughout the code section of the infected file. It is similar to what W32/Zmist used to employ, but W32/Xpaj uses code replacement instead of code insertion.

Its polymorphic decryptor is represented by a number of code blocks linked by unconditional jumps. Once executed, the polymorphic decryptor gains control and performs different tasks:

  1. Saving the original state of the infected application and preserving all the registers used by the virus
  2. Changing the protection flags of the memory where the virus body is located
  3. Decrypting the virus body
  4. Jumping to the decrypted virus body, etc.

Each task may be located in a separate block of code or combined in one big block.

Once decryption is done, control passes to the main virus body, usually located in a different section. Its authors decided to use register-based jumps instead of relative jumps. The former, together with a heavily encrypted virus body and stolen functions, make this new variant more complicated to repair:

In an attempt to make sure the virus is executed at least once, W32/Xpaj searches and replaces a number of call instructions to point to the beginning of one of the virus code blocks created during the infection.

The random location of the polymorphic code blocks means that for some samples, code emulators may never reach the viral instructions. Such samples may present a hidden surprise to some anti-virus vendors, which might not be able to detect all instances of W32/Xpaj, missing a certain percentage of infected files. However, in other cases, the virus may never gain control at all, such as in the following samples found in the wild:

  • 4843998e3564ac1a1e137149bc3ce28e
  • 8e4260d0a29c0133bad3bc0e39057456
  • db4fff8a4a21e9c824cde3ebd151fbf2

While decrypting the virus body, W32/Xpaj may generate millions of iterations. Code emulators without decent support of dynamic code translation may fail to run it through correctly. It integrates itself into infected files and becomes a part of the host program control flow. Original functions replaced with the virus decryptor are saved, encoded, and are located in the same section with the virus body.

This variant of W32/Xpaj increases the virtual size of the section containing the virus body by 150KB. It is heavily obfuscated and contains functionality to receive further instructions from remote servers:


The server is currently active and located in Belgium, and sends instructions through the following file:

  • hxxp://{blocked}/stamm.dat

Interestingly, the malware authors decided to monitor its own virus activity and included logging support to this beast. Every file infected with W32/Xpaj reports to the above-mentioned server and sends information about the system (OS version, Service Pack, IP, etc.) on which the infected file is running:

os=00000005.00000001.02000B28&cm=18B51294&adn=A120BB0F&knv=00000012&hdd=002F606E&cid=0000000C&vvr=00000001
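The report string above has a fixed shape (seven fixed keys, eight-digit hex values, a dotted os= field) that a proxy or IDS can key on. The following Python is an added example, not code from the McAfee post: it parses a query string against that field set and scans a constructed proxy log for matching requests. Reading the first two os= groups as the Windows major.minor version (5.1 = XP) is an assumption; the C2 host and path in the sample log are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names in the W32/Xpaj report string quoted in the post. The post only says the
# beacon carries OS version, service pack, IP, etc.; the individual key meanings are not given.
XPAJ_KEYS = frozenset({"os", "cm", "adn", "knv", "hdd", "cid", "vvr"})
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


def decode_os_field(value):
    """Split os=AAAAAAAA.BBBBBBBB.CCCCCCCC into integers.

    The first two groups are read as the Windows major.minor version (5.1 = XP); that reading
    is an assumption, not something the post states. The third group is kept raw because the
    post does not describe it.
    """
    parts = value.split(".")
    if len(parts) != 3 or not all(HEX8.fullmatch(p) for p in parts):
        return None
    major, minor, extra = (int(p, 16) for p in parts)
    return {"major": major, "minor": minor, "extra": extra}


def parse_xpaj_beacon(query):
    """Return the decoded beacon if the query string matches the Xpaj field set, else None."""
    fields = parse_qs(query, keep_blank_values=True)
    flat = {k: v[0] for k, v in fields.items()}
    if set(flat) != XPAJ_KEYS:
        return None
    # Every non-os value in the observed string is exactly eight hex digits.
    if not all(HEX8.fullmatch(v) for k, v in flat.items() if k != "os"):
        return None
    os_info = decode_os_field(flat["os"])
    if os_info is None:
        return None
    return {**flat, "os_decoded": os_info}


# Constructed proxy log, "unix_time client_ip method url". Only the first line reproduces the
# query-string format from the post; the second and third are benign look-alikes that must not match.
SAMPLE_PROXY_LOG = """\
1254297600 10.0.0.7 GET http://c2.example.invalid/report?os=00000005.00000001.02000B28&cm=18B51294&adn=A120BB0F&knv=00000012&hdd=002F606E&cid=0000000C&vvr=00000001
1254297601 10.0.0.8 GET http://www.example.com/search?q=os+update&cm=1
1254297602 10.0.0.9 GET http://c2.example.invalid/report?os=5.1&cm=x&adn=y&knv=z&hdd=w&cid=v&vvr=u
"""


def scan_proxy_log(lines):
    """Return (client_ip, url, decoded_beacon) for each request whose query matches the beacon."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        client, url = parts[1], parts[3]
        beacon = parse_xpaj_beacon(urlsplit(url).query)
        if beacon is not None:
            hits.append((client, url, beacon))
    return hits


if __name__ == "__main__":
    for client, url, beacon in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        os_v = beacon["os_decoded"]
        print(f"{client} -> Xpaj-style beacon, reported OS {os_v['major']}.{os_v['minor']}: {url}")
```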

The majority of AV vendors do not currently detect this W32/Xpaj variant (as seen in these VirusTotal results):

Published: 2009-09-21,
Last Updated: 2009-09-21 08:30:26 UTC
by G. N. White (Version: 1)

As pointed out by several folks writing in to the ISC Handlers group, Microsoft has updated its Security Advisory 975497 - Vulnerabilities in SMB Could Allow Remote Code Execution - to include a "Fix it" workaround that makes it rather easy to disable SMBv2.

The "Fix it" links can be found in two locations:

- Microsoft Knowledge Base Article 975497

(and my personal favorite)

- The Microsoft Security Research & Defense Blog


G.N. White

ISC Handler On Duty (Maybe they should call it "One Click")

Sunday, September 20, 2009
Mass-Generating Fake Twitter Accounts for Profit
Posted by Mikko @ 09:43 GMT

We're seeing more and more fake Twitter accounts being auto-generated by the bad boys.

The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically.


All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans.

And where do all the links eventually end up?

Of course, they lead to fake websites trying to scare you into purchasing a product you don't need:


Be careful out there.

Search-Engine Manipulation Evolves as Trust Abuse Grows


I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year.

Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends.) I blogged earlier in the year about how the user forum on was leveraged to link a high-ranking site with newly created malicious sites.

It seems now that attackers are combining various elements of different attacks to achieve blackhat SEO.

There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different than in the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation.

Historically we’ve seen attackers upload malicious content to compromised sites, either directly by injected exploit code, or indirectly by injecting an iframe or script that brings in exploit code from a remote site.  Such situations can lead to site users notifying the compromised site administrator that they were attacked while visiting that site. Redirecting victims to a completely different site can help conceal the poisoned site.

The attackers go a step further by implementing a well-used trick, which is to redirect conditionally. It’s not enough for people to go to a compromised page; they must arrive there from a search-result page. In other words, users (or site admins) navigating to will not be redirected to a payload site unless they are coming from a Google search-result page.
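Both the Websense note earlier on this page (redirects that fire only when the visitor was referred by a search engine) and the paragraph above describe the same referrer-conditional trick, which also explains why an admin who types the URL directly sees nothing wrong. As an added example that is not code from either post, the Python below reads Apache/nginx combined-format access logs and flags paths that redirect search-referred visitors while serving everyone else normally. The sample log is constructed, and the list of search-engine host markers is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referrer hostnames that count as "arrived from a search-result page" (assumed list).
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.", "search.live.")

# Constructed sample log. /news/samoa.html is cloaked: search-referred visitors get a 302, everyone
# else gets the real page. /old/index.html is an ordinary permanent redirect for all visitors and
# /index.html is served to everyone; neither must be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2009:08:03:11 +0000] "GET /news/samoa.html HTTP/1.1" 302 0 "http://www.google.com/search?q=samoa+earthquake" "Mozilla/4.0"
198.51.100.9 - - [30/Sep/2009:08:04:02 +0000] "GET /news/samoa.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
203.0.113.77 - - [30/Sep/2009:08:05:40 +0000] "GET /news/samoa.html HTTP/1.1" 302 0 "http://www.bing.com/search?q=tsunami" "Mozilla/4.0"
198.51.100.9 - - [30/Sep/2009:08:06:15 +0000] "GET /news/samoa.html HTTP/1.1" 200 4096 "http://www.example.org/links.html" "Mozilla/4.0"
203.0.113.5 - - [30/Sep/2009:08:07:30 +0000] "GET /old/index.html HTTP/1.1" 301 0 "http://www.google.com/search?q=example" "Mozilla/4.0"
198.51.100.9 - - [30/Sep/2009:08:08:01 +0000] "GET /old/index.html HTTP/1.1" 301 0 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Sep/2009:08:09:12 +0000] "GET /index.html HTTP/1.1" 200 1200 "http://www.google.com/search?q=example" "Mozilla/4.0"
this line is not in combined format and is skipped
"""


def is_search_referer(referer):
    """True if the Referer header names a search-engine host."""
    if not referer or referer == "-":
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return any(marker in host for marker in SEARCH_ENGINE_MARKERS)


def parse_line(line):
    """Parse one combined-format line; return a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_conditional_redirects(lines):
    """Return {path: counters} for paths that redirect search-referred hits but serve all other hits."""
    counters = defaultdict(lambda: {"search_redirect": 0, "search_served": 0,
                                    "other_redirect": 0, "other_served": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        origin = "search" if is_search_referer(rec["referer"]) else "other"
        outcome = "redirect" if 300 <= rec["status"] < 400 else "served"
        counters[rec["path"]][f"{origin}_{outcome}"] += 1
    flagged = {}
    for path, c in counters.items():
        # Cloaking signature: every search-referred hit is redirected, no other hit is.
        if c["search_redirect"] and not c["search_served"] and c["other_served"] and not c["other_redirect"]:
            flagged[path] = c
    return flagged


if __name__ == "__main__":
    for path, c in find_conditional_redirects(SAMPLE_LOG.splitlines()).items():
        print(f"possible conditional redirect: {path} {c}")
```

A page that legitimately redirects by user agent (mobile versions, for instance) would not be flagged by this rule, but one that redirects by referrer only needs a single direct and a single search-referred request in the log to show up.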

Some of the compromised sites are running older, vulnerable phpBB and WordPress applications. Other sites are serving attacker HTML pages, perhaps via compromised admin/user credentials or misconfigured web servers.

These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come.

Fake Monopoly Game Downloader


Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network discovered a new spam campaign that is targeting players of the Monopoly game.

The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks.

Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan.

Screenshot of the email message: 


Screenshot of the rogue download site: 


Websense Messaging and Websense Web Security customers are protected against this attack.

Friday, September 18, 2009
Hacker Forum Got Hacked
Posted by Mikko @ 07:09 GMT

A web forum called was one of those "underground" forums where people discuss hacking techniques and sell malware code, bank logins and stolen credit card numbers.


But now, Pakbugs is gone.

Turns out someone hacked this hacker forum and posted the results to the Full Disclosure mailing list.


What was made available was the full userlist of the forum with logins, email addresses and password hashes.


The website has been up and down over the last hours.
