October 2009 - Posts

Trojan.Bredolab is Making Yet Another Comeback.

Security Response is aware of a new round of spam replacing old DHL and UPS themes in an attempt to spread Trojan.Bredolab.


This time the email is masquerading as a notification from Facebook that the recipient’s password has been reset.

 
The message comes with a .zip file containing a malicious .exe file. Symantec detects the .exe files as Trojan.Bredolab.

This variant of Bredolab connects to a Russian domain, and the infected machine most likely becomes part of a Bredolab botnet.
 
Oct 24
5:58 am (UTC-7)   |   by Maydalene Salvador (Anti-spam Research Engineer)

Trend Micro researchers found spammed messages with a .ZIP attachment containing malware. The message bears the subject “Contract of Settlements” and purports to come from LSM Company. It tells users to open and check the attached file, which supposedly holds a contract but is in fact an executable (contract_1.exe) detected by Trend Micro as TROJ_FAKEALE.JH.

When executed, TROJ_FAKEALE.JH connects to http://{BLOCKED}edrdosubor.com/K1er0Lj5n8H0NM4E8h0u and downloads another FAKEAV variant, TROJ_FAKEAV.BQN.


Because the attached archive is password protected, neither users nor gateway scanners can inspect its contents; the password needed to open it is included in the email itself. Supplying a password is probably also meant to make the file look legitimate.

As usual, users are advised to refrain from opening any suspicious-looking emails. Trend Micro product users are protected from this spam attack via the Smart Protection Network. Non-Trend Micro product users can utilize HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Organized Crime. Moving beyond garbage.


Not so long ago, the mafia was more interested in controlling stolen goods and garbage collection, and hackers were motivated by fame and media attention. Things have changed.

 
In the past couple of years we’ve seen crime rings and hackers joining forces to steal information: credit card details, bank account logins, and even full identities. They then sold this information in the underground economy.
 
There has been another evolution in these attacks.  There is now a “stack” of operators in these groups, with organized crime facilitating and orchestrating the operations.  There are hackers and computer experts involved up front to get in and get the information and “mules” on the back end who are recruited to turn the identities or credit card numbers into actual money that is then funneled back to the crime leaders. 
 
A few major crime rings (see below) have all seen significant indictments and/or guilty pleas announced recently. Predicting the future operations of these crime rings is tricky, but what we do see is that these operations all seem to have been discovered long after the attack plans were complete.  The indictments we’ve seen are encouraging, but law enforcement seems to be chasing the problem, not getting in front of it.
 
Also, the current defenses at targeted organizations were not apparently sufficient to stop the 4-phase attacks (incursion, discovery, capture, and exfiltration) typically used by perpetrators.  It is quite likely that more of these sophisticated attacks are now “in play” or soon will be directed against other corporate targets.  
 
Bottom line?  These attacks are preventable.  With a combination of defenses at each stage of the attack, companies can defend themselves against organized crime and help to prevent being tomorrow’s headline.
<<< Friday, October 23, 2009 >>>
 
Time Warner Cable Modem/Router Fail
Posted by Sean @ 13:45 GMT

When speaking about Internet worms, I like to point out that my personal computer hasn't been connected to the Internet in years, at least not directly.

I've had a WiFi router connected to the Internet via my cable modem since late 2003, which provides me with a security benefit. NAT routers act like a hardware firewall. Only requested traffic makes its way to my PC.

So, no direct Windows connection to the Internet, no worms such as Blaster to worry about.

However, these days, there's malware that tries to work its way through home routers.

And that's why I want to link to this story:

chenosaurus.com

There are some 64,000 SMC 8014 wireless router/cable modems whose administrator access is restricted only by JavaScript running in the browser. Connect to the router with your browser's JavaScript disabled, and you have full access.

Including the ability to copy a configuration file that contains the administrative login and password in plain-text.
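The flaw described above is a general one: an access check that only runs in the client can be switched off by the client. The following is an added illustration (not the SMC firmware and not the chenosaurus.com write-up) of two minimal request handlers standing in for a router's web UI. The paths, the cookie name, the session store and the config file contents are assumptions made up for this example.

```python
"""Why client-side access control fails, as an added example (not the SMC
firmware, not the chenosaurus.com write-up).  Two minimal request handlers
stand in for a router's web UI; the paths, cookie name, session store and
config contents are assumptions made up for this illustration."""

# Constructed stand-in for the router's configuration file.
CONFIG_FILE = "admin_user=admin\nadmin_pass=s3cret\nwifi_psk=hunter2\n"

# Constructed server-side session store: cookie value -> logged-in user.
SESSIONS = {"a1b2c3": "admin"}

GUARD_SCRIPT = ('<script>if (document.cookie.indexOf("session=") < 0) '
                '{ location.href = "/login"; }</script>\n')


def vulnerable_app(path, cookies):
    """Serve admin pages unconditionally; the only 'check' is a script that
    bounces a browser with no session cookie to /login.  The server never
    verifies anything, so the response body already carries the config."""
    if path == "/admin/config.txt":
        return 200, GUARD_SCRIPT + CONFIG_FILE
    return 404, ""


def hardened_app(path, cookies):
    """Enforce authentication on the server for every /admin/ path.  A client
    without a valid session never receives the body at all."""
    if path.startswith("/admin/"):
        if SESSIONS.get(cookies.get("session")) != "admin":
            return 401, ""
        if path == "/admin/config.txt":
            return 200, CONFIG_FILE
    return 404, ""


def fetch(app, path, cookies=None, javascript=True):
    """Simulate a browser.  With JavaScript on, the guard script redirects an
    unauthenticated browser before the user sees the page; with JavaScript
    off (or with curl/wget), the body the server sent is simply returned."""
    cookies = cookies or {}
    status, body = app(path, cookies)
    if javascript and GUARD_SCRIPT in body and "session" not in cookies:
        return 302, ""          # redirect followed; page content discarded
    return status, body.replace(GUARD_SCRIPT, "")


def leaks_credentials(app, javascript):
    """True if an unauthenticated client obtains the admin password."""
    _, body = fetch(app, "/admin/config.txt", cookies={}, javascript=javascript)
    return "admin_pass=" in body
```

The vulnerable handler looks fine in a browser because the script fires before the page renders; the same request from a client that ignores scripts gets the credentials. The check for any device is the same as the fix: if an unauthenticated request returns anything other than a 401/403 (or a redirect issued by the server, not by script), the access control is not real.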

The issue was discovered by a blogger at chenosaurus.com.

I read about the story via Tim Greene at PC World.

If you have one of these SMC 8014 routers, check out the links for further details.

Signing off,
Sean

<<< Monday, October 26, 2009 >>>
 
Rogue AV Uses F-Secure as Bait
Posted by WebSecurity @ 06:20 GMT

Lately, we've been tracking SEO attacks directing users to rogue AV sites. We've seen the people behind these attacks poisoning searches for many major world events, and some not-so-major ones as well. So it's kind of amusing — and annoying — to see F-Secure being used as the bait in this kind of thing.

We saw a poisoned result pop up when searching for information about F-Secure.

Clicking on the link takes the user through a chain of redirects.

After this, the attack follows the usual pattern of warning messages, misleading scan reports and so on.

Just in case it is not obvious, this looks nothing like our products.

Finally, the user is asked to install the rogue product itself, which we detect as Rogue:W32/InternetAntivirus.BG. The detection covers the downloader, the downloaded installer and the main executable.

Nothing really new about this attack. Just a little more personal.


WebSecurity post by — Choon Hong

Hunting the Airplane Can Hijack Your Machine


People are always curious about different theories on tragedy, especially those involving airplanes or ship accidents. In fact, even after the Titanic sank decades back, hundreds of books were published and movies developed based on expert views. Malicious software authors use information related to similar tragedies to entice recipients into clicking on virus-laden links. We mentioned one such example of this in our blog last year after the earthquake in China in June 2008.

In a new spam campaign, recipients are lured with supposedly contradictory information published by a news agency about the 9/11 Pentagon damage. Users are encouraged to spot a plane in the pictures included in the email, and are also given a URL for more information. This link redirects users to a hijacked website that points to an HTA file (an HTML Application, which Windows runs with mshta.exe outside the browser's sandbox, so its script has the privileges of an ordinary program). When users execute this HTA file, it downloads several binaries onto the machine. Symantec antivirus detects the main binary as Backdoor.Trojan. The sender information has also been spoofed so that the message appears to come from a trusted news agency.

For now, we are monitoring these attacks to check other variations and will keep readers updated with related information. Users are advised to not hastily open unanticipated HTA files, especially those that are received from an unexpected sender.


Fake Facebook Password Notification Leads to Malware

Oct 28
1:02 am (UTC-7)   |   by Maria Alarcon (Anti-spam Research Engineer)

A new spam campaign that purports to be from Facebook is making the rounds today. It bears the subject “Facebook Password Reset Confirmation” and informs users that their passwords have been changed for security purposes. It then asks them to open the attached .ZIP file, which supposedly contains their new password but is in fact malware detected by Trend Micro as TROJ_BREDLAB.SMF.


Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV.

Users are advised to be wary of bogus notifications even when they appear to come from a known source. Trend Micro product users are protected from this attack via the Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use HouseCall, Trend Micro’s on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.


Oct 23
2:38 pm (UTC-7)   |   by David Sancho (Malware Researcher)

In the recent FAKEAV spam campaign, I realized something was off. Once the user clicks the URL and gets the bogus Antivirus 2010 up and running on his/her system, files are added. The additional files I found were related to ClamAV, the open source AV toolkit for UNIX. The files include the ClamAV virus definition file and some newly downloaded DLLs such as htmlayout.dll and pThreadVC2.dll. These files (DLLs and ClamAV definition file) are needed to run the open source antivirus software. So why are legitimate AV-related files included in the routines of a FAKEAV malware?


The files arrived from the first download routine of the FAKEAV installer. It also drops randomly named garbage files into the system that will later be detected as “infected.” Curious about all this, I downloaded the real ClamAV to test whether the fake scan was actually using the definition file to scan. After replacing the FAKEAV definition file with the latest one, it still detected the garbage files as “infected.” The second test I made was to take the FAKEAV definition file and run it in a real ClamAV scan against the files. It still showed the same results. Apparently, the ClamAV-related files were not being used at all.

The only conclusion I was left with is that the legitimate files are just a decoy to give the whole scam a legitimate facade. Cybercriminals are probably also employing this tactic to evade behavior-based detection and removal. Some behavior-analyzing software might be deceived into thinking the FAKEAV is real because legitimate antivirus files are running on the system. I doubt it, but who knows? It might just work.

As of October 21st, the MSRT has removed the newly added threat, Win32/FakeScanti, from 56,700 infected machines. For this month it was the 12th most prevalent threat family worldwide and 7th in the US. Overall, the MSRT has cleaned 2,516,235 machines this month of all kinds of malware infections.

We all know the threat landscape is not homogenous across geographic regions.  Let’s take a look at US, China, and Brazil as a case study.

United States

Family        Threats   Machines Cleaned
Alureon       147,387   117,351
Taterf        121,988   116,217
FakeXPA       108,026   103,578
Renos          69,147    55,461
FakeRean       78,067    53,376
Yektel         52,259    51,061
FakeScanti     70,120    50,260
Frethog        51,038    49,526
Daurso         32,205    32,150
Koobface       43,640    27,793
FakeSpypro     26,530    26,242

China

Family        Threats   Machines Cleaned
Lolyda         77,781    72,863
Frethog        21,927    20,042
Ceekat          9,440     8,767
Conficker       8,899     8,427
Hupigon         5,127     4,879
Parite          7,518     4,592
RJump           3,875     2,552
Brontok           980       969
Taterf          1,177       963
Corripio          980       855
Sdbot             776       770

Brazil

Family        Threats   Machines Cleaned
Taterf         72,464    70,069
Bancos         67,577    59,414
Frethog        33,455    32,009
Banker         27,421    26,420
Conficker      19,664    18,398
Banload        18,617    18,121
Cutwail         8,452     5,269
Alureon         3,656     3,053
Renos           3,192     2,228
IRCbot          1,929     1,874
Brontok         1,768     1,739

Note: each table is sorted by machines cleaned. In the original table, rogues were shown in italics and password stealers (PWS) in bold.

Some key takeaways:

  • In the US (as well as other English speaking countries) rogues are predominant.  Six of the top ten threat families in the US are rogues or rogue-related trojan downloaders. This poses a challenge for the end users to identify the legit AV products when there are so many rogue products popping up on the users’ machines. 
  • Six of the top ten threat families in China are password stealers, most of which are hunting for online gamers’ credentials.
  • Six of the top ten threat families in Brazil are also password stealers, though a lot of them (Bancos, Banker and Banload) tend to target online banking credentials in Brazil.

We close, as we always do, by urging you to take action and protect yourself. 

Scott Wu

Rogue Apps – Catch Me if You Can


Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard:


Those who are spreading this particular rogue app hold onto some of the associated domains for up to 24 to 48 hours. Once this domain goes down, another new domain becomes active, which will look almost the same as the original but now with a new name. However, the functionality of all of these clones is essentially the same. Digging further into this scam we found that the owner of domains related to WiniGuard has registered some 60,000+ domains in his name.

At the time of writing, some of them were still active.

Of course, these sites do not provide the software for free. Users are misled to pay for a “subscription” to these fake products in order to remove purported spyware from their machines. The “detections” alleged to be found by these products are bogus and are displayed in an alarmist fashion as an attempt at scaring users into divulging personal information, providing credit card details, and often downloading further malicious software.


The following list is only a selection of the latest names of rogue apps from the WiniGuard family—there are many more out there and new variations are constantly being created:

•    WiniGuard
•    WiniBlueSoft
•    WinBlueSoft
•    Winishield
•    WiniFighter
•    SafeFighter
•    SaveKeep
•    Savedefense
•    SaveArmor
•    BlockDefense
•    SystemCop
•    QuickHealCleaner
•    SecurityFighter
•    SecurityVeteran
•    SecuritySoldier
•    SafetyKeeper
•    SaveSoldier
•    Softsafeness
•    SecureWarrior
•    TrustCop
•    TrustNinja
•    TrustWarrior
•    TrustSoldier
•    TrustFighter

At Symantec we come across many such campaigns for distributing fake antivirus software, such as this recent example. We recommend that users make themselves aware of these scams, which typically show exaggerated warnings, fake scan reports, and redirect users to fraudulent antivirus or Internet security websites.

We also advise users to be cognizant of these scams and always purchase software from legitimate vendor’s websites. Symantec detects this particular misleading application as WiniGuard, and advises customers to ensure that their antivirus software and definitions are kept up to date. Please download the Symantec Report on Rogue Security Software for further information on misleading applications.

<<< Thursday, October 22, 2009 >>>
 
.my Websites Compromised
Posted by WebSecurity @ 02:51 GMT

Users aren't the only ones that have to stay vigilant when it comes to security. On the other side of the fence, keeping a website secure is a challenge for even the best webmasters.

We recently came across lots of websites under the ".my" domain that were compromised and unintentionally hosting malicious or unsafe links.

A search engine query turned up a very small sample of these sites.

Quite a few of the sites were hosting crack files.

Others had less savory things to offer.

Some sites had a page that looked like a search engine, though clicking on any of its links didn't do anything.

The compromised sites were on multiple servers and are a disparate collection of commercial, personal and educational institution websites.

As usual, relevant malicious links were rated and F-Secure Internet Security 2010 users are protected by our Browsing Protection.


WebSecurity post by — Chu Kian

Oct 22
2:54 am (UTC-7)   |   by Gaye Ofilas (Anti-spam Research Engineer)


Holidays are spammers’ favorite times of the year. After all, these give them additional opportunities to lure more victims to their specially crafted scams apart from a theme to focus on. As one of the most celebrated holidays across the globe, it is not surprising that Halloween, which is barely a week away, has been creating a buzz.

Trend Micro threat analysts got wind of Halloween-related spam samples offering readers promising opportunities to earn money while working from home.

Clicking the link redirects the user to a site that is now inactive. However, according to Whois.Net’s domain records, the domains in the URLs were only created in August of this year, most probably just for spamming. It is, after all, not uncommon for spammers to register domains for the minimum allowable term to further their profiteering.
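The registration-age check mentioned above is easy to automate. The following is an added example (not Trend Micro's tooling) that parses a WHOIS record, computes how old the domain was when the spam was observed and how long it was registered for, and flags the young, one-year registrations the post describes. The WHOIS records, domain names, registrar and dates are constructed for the example.

```python
"""Domain-age check for links seen in spam, as an added example (not Trend
Micro's code).  The WHOIS records below are constructed in the shape of a
typical registry response; the domains, registrar and dates are made up."""
import re
from datetime import date, datetime

# Constructed observation date: when the spam was seen.
OBSERVED = date(2009, 10, 22)

# Constructed: a domain of the kind described above, registered in August 2009
# for a single year and used in spam in late October.
FRESH_RECORD = """\
Domain Name: HALLOWEEN-HOME-INCOME.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2009-08-14T09:12:33Z
Registry Expiry Date: 2010-08-14T09:12:33Z
Name Server: NS1.EXAMPLE-DNS.NET
"""

# Constructed: an established domain with a long-standing registration.
ESTABLISHED_RECORD = """\
Domain Name: JOB-BOARD.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-02T00:00:00Z
Registry Expiry Date: 2012-03-02T00:00:00Z
"""

# Registries label the same fields differently; extend as you meet variants.
CREATED_KEYS = ("Creation Date", "Registered on", "Registration Date", "created")
EXPIRES_KEYS = ("Registry Expiry Date", "Expiration Date", "Expiry date", "paid-till")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%d/%m/%Y")


def _parse_date(text):
    text = text.strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {text!r}")


def _find_field(record, keys):
    """Return the first matching 'Key: value' line as a date, or None."""
    for key in keys:
        m = re.search(rf"^\s*{re.escape(key)}\s*:\s*(.+)$", record, re.I | re.M)
        if m:
            return _parse_date(m.group(1))
    return None


def registration_facts(record, observed):
    """Age in days at the observation date and registration term in whole
    years; None for whichever field the record lacks."""
    created = _find_field(record, CREATED_KEYS)
    expires = _find_field(record, EXPIRES_KEYS)
    age = (observed - created).days if created else None
    term = round((expires - created).days / 365.25) if created and expires else None
    return {"created": created, "age_days": age, "term_years": term}


def is_suspicious(record, observed, max_age_days=90):
    """Flag a domain registered within max_age_days of the spam being seen
    and, when the term is known, for the minimum one-year period.  The 90-day
    window is an assumption to tune; None means the record gave no date."""
    facts = registration_facts(record, observed)
    if facts["age_days"] is None:
        return None
    young = facts["age_days"] <= max_age_days
    short_term = facts["term_years"] == 1 if facts["term_years"] is not None else True
    return young and short_term
```

Domain age alone is a weak signal (new legitimate businesses exist), so it is best used as one input to a reputation score alongside the lure content and the sending infrastructure; a missing creation date (many ccTLD registries withhold it) should be treated as unknown rather than as either safe or bad.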

Users are thus warned not to click links to unknown sites no matter how tempting the offer they put on the table may be. If you’re really interested in getting a legitimate job or a means to earn more, go to a trusted job-search site. Do not trust everything you read on email, especially if you do not know who the email came from.

Trend Micro Smart Protection Network™ protects users from spamming attacks by blocking unwanted email and preventing user access to malicious sites. Mac users can enjoy the same benefits by using Trend Micro Smart Surfing for Mac.

Non-users of Trend Micro products can also stay protected from such attacks with free antivirus tools such as eMail ID and Web Protection Add-On.

Balloon Boy Spam Drifts Through Town


It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news–and I guess this was only to be expected–but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway balloon produced and the subsequent news around the possible scam, it was too attractive a lure to be ignored.

As usual, though, despite the novelty of the news event itself, the spams lead to the same types of stuff:

Subject: Drama With Balloon (Exclusive)

All leading to the same fake “Canadian” pharmacy sites. (The Chinese registrant info for this one was only a few days old!)

Common subjects to beware of include:

Little boy trapped in balloon
Boy-balloon-madness
balloon kid’s full story
Balloon boy died
Drama with balloon(exclusive)

Be careful what you click, and mind the news. It is often the lure the spammers look for.

My thanks to colleagues Adam Wosotowsky and Sam Masiello for the samples.


Oct 22
6:09 am (UTC-7)   |   by Joey Costoya (Advanced Threats Researcher)

In this most recent spam campaign, our spam traps caught an uncanny combination of a CapitalOne phish and a ZBOT variant.

The spam campaign would have you believe that you need to install a digital certificate in order to use CapitalOne’s website. Clicking on the email link brings you to a phishing page. After filling in the requested login information, the website conveniently presents a download link for the supposed digital certificate.

The download link leads not to a digital certificate but to a ZBOT variant. Running the so-called ‘digital certificate’ installs the notorious ZBOT malware, which then logs keystrokes, steals personally identifiable information and, above all, steals financial information. Trend Micro detects this ZBOT malware as TROJ_ZBOT.CKA.

The same website hosts not only a CapitalOne phish but also a Bank of America phish. Earlier this week the same group ran another spam campaign pushing a BoA phish. The phishing website in that campaign asks a lot of questions, three pages full of them, covering essentially all of the personal information pertinent to your bank account.

The websites for both the CapitalOne and Bank of America phishing attacks are all hosted on fast flux domains, and uses wildcarded subdomains. Here’s a list of some of the domains actually used:

  • 11qioz.co.uk
  • 11qwod.co.uk
  • easder1q.co.uk
  • f1iiitl.com
  • iiizad1z.co.uk
  • ij1tli.com
  • ltiil1.com
  • nekz1mqv.co.uk
  • nezz1cza.co.uk
  • racder1c.net
  • racder1x.com
  • raeder1f.net
  • rarder1g.com
  • raxsder1.com
  • t1fliil.tc
  • tj1fiil.co.nz
  • uunuyr.com
  • yyy1yyrd.co.uk
  • yyy1yyre.co.uk
  • yyy1yyrf.co.uk
  • yyy1yyrg.co.uk
  • yyy1yyrj.co.uk
  • yyy1yyrk.co.uk
  • yyy1yyrl.co.uk
  • yyy1yyrm.co.uk
  • yyy1yyro.co.uk
  • yyy1yyrq.co.uk
  • yyy1yyrr.co.uk
  • yyy1yyru.co.uk
  • yyy1yyrv.co.uk
  • yyy1yyrx.co.uk

The IP addresses these fast flux domains resolve to are residential broadband addresses, suggesting that the machines serving the websites’ content are compromised home PCs. The current spam campaign (digital certificate lure) and its websites (fast flux, wildcarded subdomains) share the same characteristics as last year’s SSL Certificate spam campaign.
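The two infrastructure traits named above, fast flux and wildcarded subdomains, can both be checked from DNS alone. Below is an added example (not Trend Micro's tooling) of the heuristics a responder would run: repeated lookups of a host are scored on TTL, address count, prefix spread and churn, and a zone is probed with random labels to detect a wildcard. The DNS answers are constructed: the host names echo the list above, but the addresses come from the TEST-NET documentation ranges and the TTLs, rotation and thresholds are assumptions, so nothing is resolved on the network.

```python
"""Fast-flux and wildcard-subdomain heuristics for the phishing hosting
described above.  Added example, not Trend Micro's tooling.  The DNS answers
below are constructed (host names echo the list above; the addresses are from
the TEST-NET documentation ranges, and the TTLs and rotation are made up),
so nothing is resolved on the network."""
import random

# Constructed: repeated lookups of one phishing host over a few minutes,
# each answer as (ttl_seconds, A records).  Low TTL, many addresses, constant
# change, spread across unrelated prefixes: the compromised-PC hosting pattern.
FLUX_LOOKUPS = [
    (60, ["192.0.2.10", "198.51.100.23", "203.0.113.7", "192.0.2.55", "198.51.100.91"]),
    (60, ["198.51.100.23", "203.0.113.7", "192.0.2.55", "203.0.113.140", "192.0.2.201"]),
    (60, ["203.0.113.140", "192.0.2.201", "198.51.100.4", "203.0.113.7", "192.0.2.10"]),
]

# Constructed: a normally hosted site, long TTL, one stable address.
STATIC_LOOKUPS = [
    (86400, ["203.0.113.200"]),
    (86400, ["203.0.113.200"]),
    (86400, ["203.0.113.200"]),
]


def _prefix16(ip):
    """Coarse 'different network' proxy when no ASN data is at hand."""
    return ".".join(ip.split(".")[:2])


def flux_features(lookups):
    per_lookup = [set(ips) for _, ips in lookups]
    all_ips = set().union(*per_lookup)
    return {
        "min_ttl": min(ttl for ttl, _ in lookups),
        "unique_ips": len(all_ips),
        "unique_prefixes": len({_prefix16(ip) for ip in all_ips}),
        "answer_changes": sum(1 for a, b in zip(per_lookup, per_lookup[1:]) if a != b),
    }


def is_fast_flux(lookups, max_ttl=300, min_ips=5, min_prefixes=3):
    """Thresholds are assumptions; tune them against known-good CDN names,
    which also rotate addresses but usually within a few operator prefixes."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes and f["answer_changes"] > 0)


class FakeResolver:
    """Constructed stand-in for DNS: zone -> (has_wildcard, A records)."""
    def __init__(self, zones):
        self.zones = zones

    def resolve(self, name):
        for zone, (wildcard, ips) in self.zones.items():
            if name == zone or (wildcard and name.endswith("." + zone)):
                return list(ips)
        return []


RESOLVER = FakeResolver({
    "yyy1yyrd.co.uk": (True, ["192.0.2.10", "198.51.100.23"]),
    "static-site.example": (False, ["203.0.113.200"]),
})


def probe_wildcard(domain, resolve, probes=2, rng=random.Random(20091022)):
    """A wildcard zone answers for labels nobody could have created; if several
    random labels all resolve, any subdomain the spammer puts in a link works,
    so blocking must be done at the registered domain, not the host name."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for _ in range(probes):
        label = "".join(rng.choice(alphabet) for _ in range(16))
        if not resolve(f"{label}.{domain}"):
            return False
    return True
```

In production, `resolve` would wrap a real resolver and the lookups would be collected over time from passive DNS or a sensor; the /16 prefix count is a stand-in for ASN diversity, which is the better signal when an IP-to-ASN feed is available.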

It looks as though the same group has re-emerged using the same tactic as last year. Perhaps last year’s campaign was successful enough that they hope to repeat the winning formula in the recent spam wave.

Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro products, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.

Oct 21
3:20 pm (UTC-7)   |   by Robby Dapiosen (Anti-spam Research Engineer)

Very recently, cybercriminals have found another avenue to lure victims into their trap by using Microsoft as bait.

A screen shot of one such campaign is shown in Figure 1 below. The email asks the recipient to download and install the attached .zip file (shown in Figure 2), which is actually a malicious file purporting to scan their computer for a possible Conficker worm infection.

A noticeable feature of these spam mails is the forged headers: the From field carries the recipient’s own address (Figure 3).


The executable file contained in the attached .zip file is a FAKEAV variant detected as TROJ_FAKEAV.BL. Upon execution, TROJ_FAKEAV.BL displays a splash screen for the fake antivirus Power-Antivirus-2009, as shown in Figure 4. It then displays a fake scanning window to trick users into thinking the executed file is a legitimate antivirus application (Figure 5), followed by fake alerts warning users of infection (Figure 6).
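Three of the waves on this page share a shape a mail gateway can catch without any signature: the Bredolab “Facebook password” and “contract” lures carry a .zip whose only member is an .exe, the “contract” archive is additionally password protected so scanners cannot look inside, and the fake Conficker scanner arrives with the recipient's own address in the From header. The following added example (not Symantec's, Trend Micro's or any vendor's code) triages a message on exactly those points. The three messages are constructed in memory; addresses, subjects and file names are illustrative assumptions, not captured samples.

```python
"""Mail-gateway triage for the attachment-borne waves described above: the
Bredolab .zip-with-.exe lures, the password-protected "contract" archive, and
the self-addressed fake Conficker scanner.  Added example, not any vendor's
code.  The three messages are constructed in memory; addresses, subjects and
file names are illustrative assumptions, not captured samples."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta", ".vbs", ".js")


def _looks_executable(name):
    base = name.lower().rsplit("/", 1)[-1]
    return base.endswith(EXECUTABLE_EXTS)


def inspect_zip(blob):
    """Read only the central directory: member names and the encryption flag
    (bit 0 of the general-purpose flags) are visible even when the archive is
    password protected, and nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {
        "members": [zi.filename for zi in infos],
        "encrypted": any(zi.flag_bits & 0x1 for zi in infos),
        "executable": any(_looks_executable(zi.filename) for zi in infos),
    }


def triage(raw):
    """Return header and attachment findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = {a.lower() for _, a in getaddresses([str(msg.get("From", ""))]) if a}
    rcpts = {a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])}
    findings = {"self_addressed": bool(sender & rcpts), "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        entry = {"name": name, "zip": False, "encrypted": False,
                 "executable": _looks_executable(name)}
        if blob.startswith(b"PK\x03\x04"):
            try:
                entry.update(inspect_zip(blob), zip=True)
            except zipfile.BadZipFile:
                entry["malformed_zip"] = True
        findings["attachments"].append(entry)
    return findings


def reasons_to_block(findings):
    reasons = []
    if findings["self_addressed"]:
        reasons.append("From address equals recipient: forged header")
    for a in findings["attachments"]:
        if a["executable"]:
            reasons.append(f"{a['name']}: executable content")
        if a["encrypted"]:
            reasons.append(f"{a['name']}: password-protected archive, cannot be scanned at the gateway")
    return reasons


# ---- constructed samples -------------------------------------------------

def _zip_with(member):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\0" * 62)      # fake PE stub, not a real binary
    return buf.getvalue()


def _mark_encrypted(zip_blob):
    """Flip the 'encrypted' bit in the local and central headers of a
    single-member zip so the sample looks password protected.  Test input
    only; no real encryption is applied."""
    b = bytearray(zip_blob)
    b[6] |= 0x1                            # local header: flags at offset 6
    cd = b.find(b"PK\x01\x02")
    b[cd + 8] |= 0x1                       # central entry: flags at offset 8
    return bytes(b)


def _message(subject, sender, to, filename, blob):
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, to
    msg.set_content("Please see the attached file.")
    msg.add_attachment(blob, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


FACEBOOK_SAMPLE = _message("Facebook Password Reset Confirmation",
                           "Facebook <service@facebook.example>", "victim@example.net",
                           "new_password.zip", _zip_with("new_password.exe"))
CONTRACT_SAMPLE = _message("Contract of Settlements",
                           "LSM Company <office@lsm.example>", "victim@example.net",
                           "contract.zip", _mark_encrypted(_zip_with("contract_1.exe")))
SELF_ADDRESSED_SAMPLE = _message("Conficker removal tool",
                                 "victim@example.net", "victim@example.net",
                                 "scan.zip", _zip_with("conficker_scan.exe"))
```

Member names are stored in the clear in a standard password-protected zip, so an executable inside an encrypted archive can be flagged without the password; the sensible gateway policy is to treat an archive that cannot be inspected as a reason to quarantine rather than as a reason to pass it through.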


With the spam message blocked and malicious file detected, Trend Micro users are fully protected from this attack. Non-Trend Micro product users on the other hand are advised to use HouseCall, Trend Micro’s scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.
