Tag Archive | "Trojan"

“Download photoalbum” another variant of “i got u surprise”

Previously we wrote about the “i got u surprise” spam trojan on Facebook. Today we discovered yet another variant. This time the victim receives a message consisting only of “u?” followed by a link, with the subject “Hello”.

Clicking the link leads to the following address:

  • http://photo-album-#####.##/

The site contains only the message “Download photoalbum”, which is a link to the trojan file.

Just like the previous variants, when executed it sends the same spam message to every friend on Facebook. The data used for the spam is obtained by querying the C&C server, this time located at ddk100.com (previously at ddk1000.org).

After decoding, we get:

1000|60000|Hello|u?
[http://goo.gl/Slqcr|http://goo.gl/QL5pE|http://goo.gl/FEUHe|http://goo.gl/4ol7i|
http://goo.gl/uvKBq|http://goo.gl/9TC4b|http://goo.gl/Si0jK|http://goo.gl/DcpVL|
http://goo.gl/mxcsM|http://goo.gl/vDFeS|http://goo.gl/5pHda|http://goo.gl/NagRi|
http://goo.gl/l7vbA|http://goo.gl/CC7kk|http://goo.gl/5uoiD|http://goo.gl/6vALZ|
http://goo.gl/ucVv8|http://goo.gl/L62bA|http://goo.gl/Rf6iM|http://goo.gl/TuHXw|
http://goo.gl/VWMUT]
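As an added example (not code from the original post), the following Python parses the decoded C&C response above into its fields and turns the link list into defanged indicators for a report. The sample text is the decoded blob quoted above; the meaning of the two leading numbers is not explained in the post, so the parser keeps them as opaque integers.

```python
"""Parse the decoded spam configuration pulled from the C&C server.

Added example; not code from the original post. The two leading numeric
fields are not explained in the post and are kept as opaque integers."""
import re
from dataclasses import dataclass

# The decoded C&C response quoted in the post (21 goo.gl short links).
DECODED_CONFIG = (
    "1000|60000|Hello|u?\n"
    "[http://goo.gl/Slqcr|http://goo.gl/QL5pE|http://goo.gl/FEUHe|http://goo.gl/4ol7i|\n"
    "http://goo.gl/uvKBq|http://goo.gl/9TC4b|http://goo.gl/Si0jK|http://goo.gl/DcpVL|\n"
    "http://goo.gl/mxcsM|http://goo.gl/vDFeS|http://goo.gl/5pHda|http://goo.gl/NagRi|\n"
    "http://goo.gl/l7vbA|http://goo.gl/CC7kk|http://goo.gl/5uoiD|http://goo.gl/6vALZ|\n"
    "http://goo.gl/ucVv8|http://goo.gl/L62bA|http://goo.gl/Rf6iM|http://goo.gl/TuHXw|\n"
    "http://goo.gl/VWMUT]"
)

URL_RE = re.compile(r"^https?://[^\s|\[\]]+$")


@dataclass
class SpamConfig:
    params: tuple   # leading numeric fields; meaning unknown, treated as opaque
    subject: str    # message subject ("Hello")
    message: str    # message text ("u?")
    links: list     # URLs the bot rotates through when spamming


def parse_spam_config(text: str) -> SpamConfig:
    """Split the first line on '|' and pull the bracketed '|'-separated link list."""
    header, _, rest = text.partition("\n")
    fields = header.split("|")
    if len(fields) < 4:
        raise ValueError("header must have at least four '|'-separated fields")
    params = tuple(int(f) for f in fields[:-2])
    subject, message = fields[-2], fields[-1]
    m = re.search(r"\[(.*?)\]", rest, re.S)
    if not m:
        raise ValueError("no bracketed link list found")
    # Entries may be split across lines, so strip whitespace around each one.
    links = [u.strip() for u in m.group(1).split("|") if u.strip()]
    bad = [u for u in links if not URL_RE.match(u)]
    if bad:
        raise ValueError(f"unexpected link entries: {bad}")
    return SpamConfig(params, subject, message, links)


def defanged_iocs(cfg: SpamConfig) -> list:
    """Rewrite links as hxxp:// so they can be shared without being clickable."""
    return [re.sub(r"^http", "hxxp", u) for u in cfg.links]


if __name__ == "__main__":
    cfg = parse_spam_config(DECODED_CONFIG)
    print(f"subject={cfg.subject!r} message={cfg.message!r} links={len(cfg.links)}")
    print("\n".join(defanged_iocs(cfg)))
```

The parser rejects responses that do not fit the expected shape rather than guessing, which matters when a later variant changes the field layout: a silent mis-parse would put the wrong strings into a block list.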

Another interesting thing is that this malware is able to create a dummy blog at Blogger.com and then automatically shorten its URL with goo.gl. The blog is created shortly after the victim logs in to their Google account. The newly created blog URL and the short URL are then sent back to the C&C server. The blog serves only as a redirector that sends the victim on to the malicious site hosting the malware: the blog template is changed to load the address designated by “url.js”.

If you receive a message containing one of these links, please do not click it:

  • hxxp://goo.gl/Slqcr
  • hxxp://goo.gl/QL5pE
  • hxxp://goo.gl/FEUHe
  • hxxp://goo.gl/4ol7i
  • hxxp://goo.gl/uvKBq
  • hxxp://goo.gl/9TC4b
  • hxxp://goo.gl/Si0jK
  • hxxp://goo.gl/DcpVL
  • hxxp://goo.gl/mxcsM
  • hxxp://goo.gl/vDFeS
  • hxxp://goo.gl/5pHda
  • hxxp://goo.gl/NagRi
  • hxxp://goo.gl/l7vbA
  • hxxp://goo.gl/CC7kk
  • hxxp://goo.gl/5uoiD
  • hxxp://goo.gl/6vALZ
  • hxxp://goo.gl/ucVv8
  • hxxp://goo.gl/L62bA
  • hxxp://goo.gl/Rf6iM
  • hxxp://goo.gl/TuHXw
  • hxxp://goo.gl/VWMUT
  • hxxp://wpiulfcwa.blogspot.com/
  • hxxp://kstxmjqgk.blogspot.com/
  • hxxp://piajetqxo.blogspot.com/
  • hxxp://lqehqblph.blogspot.com/
  • hxxp://gtffwnzra.blogspot.com/
  • hxxp://tcjibfezs.blogspot.com/
  • hxxp://rxlabkufg.blogspot.com/
  • hxxp://wydqfrnnd.blogspot.com/
  • hxxp://dkrvrvhfr.blogspot.com/
  • hxxp://sqpdtvhqi.blogspot.com/
  • hxxp://vqujlkgco.blogspot.com/
  • hxxp://balpfvhmc.blogspot.com/
  • hxxp://cqfupksry.blogspot.com/
  • hxxp://ahvrmdfky.blogspot.com/
  • hxxp://lyglmonpx.blogspot.com/
  • hxxp://acyzqudbo.blogspot.com/
  • hxxp://nhbqcsrjz.blogspot.com/
  • hxxp://dagmajmtr.blogspot.com/
  • hxxp://fyjdppbyb.blogspot.com/
  • hxxp://txghihpgs.blogspot.com/
  • hxxp://oexfnbpuj.blogspot.com/

Emsisoft Anti-Malware detects the threat as Trojan-Downloader.Win32.FraudLoad. At the time of writing, detection rates are still low: only 14 of 41 engines.

Join our Emsisoft Facebook page, and don’t forget to follow us on Twitter to stay up to date.

Posted in Emsisoft

The SMSer Trojan returns as fake browser

We have seen many fake security products and fake disk utilities targeting the Windows platform. Of late, we have started observing an increasing trend on the mobile platform too. Following on the heels of the FakeAV product sample, here is an application that masquerades as the Opera Mini browser for mobile devices.

This Trojan claims to install the Opera browser and displays a short EULA about sending donations through SMS. During the installation process, the sample sends an SMS to a message centre that was observed in an Android Trojan seen a couple of months ago. Fig.1 shows the captured network monitoring session with the SMS sent by the malware.

Fig.1:Network monitoring output of the session.

Fig.2: Installer splash screen and the welcome message

All messages shown during installation are in Russian. The next snapshot shows the translated version of all the messages shown in Fig.2 and the subsequent diagrams.

Fig.3: Translation of messages shown in the GUI.

The social engineering messages used during the session are illustrated in fig.4.

Fig.4: Subsequent GUI messages about the connectivity and installation.

Fig.5 shows the EULA of the application. Please refer to fig.3 for the translation.



Fig.5: The EULA

The best defence against such social engineering tricks is user education coupled with a mobile security solution. With the exponential growth of the smart phone market, threats of this kind are expected to grow proportionately.

We advise users to exercise basic security principles while surfing, be sceptical of free downloads, and, as always, keep your security products up to date.

 

Posted in CA Technologies

Fake AV? We are not amused

The Royal Wedding is going to spring into action on the 29th April, and Fake AV scans are starting to show up in relation to the “Big Day”. As a result, you might want to think twice before looking for jellybeans bearing the visage of Kate Middleton or strange turnips that look a bit like the future King of England when held at the right angle.

The culprit here is our search engine “friend” from this entry regarding Easter card searches.

Rummaging around for Royal Wedding sites will start off well enough, with a collection of normal looking search engine results:



Clicking those links could be hazardous to your health, as redirects to fake AV sites such as documentscannerprotectionfree(dot)com will swing into action.



In this instance, XP Antispyware will be the prize awarded to anybody not running in the opposite direction.



There are also search results leading to Fake AV when hunting for wedding dresses, and you can bet that pretty much every search term under the Sun between now and the wedding day will be a target for SEO poisoning.

Weddings, eh?

Christopher Boyd (Thanks to Patrick Jordan for finding this one).

Posted in GFI Software

Lab Matters – Dissecting the Banking Malware Problem

Kaspersky Lab malware researcher Vicente Diaz joins the Lab Matters webcast to discuss the banking malware epidemic in Europe and offer suggestions for consumers doing business on the Web.

Posted in Kaspersky

New Android.Spy modification turns smart phones into zombies

Doctor Web, the Russian anti-virus vendor, announces the discovery of a malicious program belonging to the Android.Spy family. The malware poses a threat to owners of Android smart phones. Once the Trojan horse gets onto a mobile device, it covertly starts sending SMS spam as commanded by criminals. In addition, Android.Spy.54 adds certain web addresses to the browser bookmarks on the smart phone. Most probably, the new threat for the Android platform has come from China.

The Android.Spy malware family targeting Android became well known in autumn 2010. In addition to retrieving and modifying contacts and short message information, sending SMS, and determining the device’s position, Android.Spy variants can also set themselves to be launched automatically. Some variants can also be loaded when the smart phone is turned on, but their purpose is to collect the smart phone’s ID information, set certain search parameters in search engine forms and open links.

The new Android.Spy modification was discovered by Doctor Web’s analysts on April 12, 2011. On the same day it was added to the Dr.Web virus database. For now only Dr.Web detects this piece of malware. It is worth mentioning that malicious programs for Android appear with increasing frequency. Only two weeks ago a new version of SMS Trojan Android.SmsSend was discovered.

Android.Spy.54 was found on the Chinese Internet resource www.nduoa.com, a web site offering a collection of applications for the Android platform. The Trojan horse was part of the program Paojiao, a widget that allows users to make calls or send SMS to selected numbers. Spreading with a legitimate program is the standard model for the Android.Spy malware family.

The new modification of Android.Spy registers a background service, which connects to a malicious site and sends to criminals the victim’s identity information (such as the IMEI and IMSI). In addition, the Trojan horse downloads an xml-file containing commands that make it start sending spam SMS from the compromised device and add certain sites to the browser bookmarks.

If a program unexpectedly requires additional privileges for its operation, it indicates that the application you are installing incorporates malicious features. For example, if a genuine game needs only access to the Internet, an infected version will ask for higher privileges. If you know that an application that has raised your concern is not supposed to work with SMS, calls, contacts, etc., it is not recommended to install it. In addition, to protect your smart phone you can use Dr.Web for Android, available for download from the Android Market and Doctor Web’s site.
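As an added example following the advice above (not Doctor Web’s code), the Python below reads the permissions declared in an Android manifest and compares them with the set the app’s stated purpose justifies. The two manifests are constructed, not taken from Android.Spy; the list of red-flag permissions is an assumption built from the capabilities the post names (SMS, calls, contacts, device identity, autostart and browser bookmarks), and all of its entries are real Android permission names.

```python
"""Review an Android manifest's permissions against what the app's purpose needs.

Added example following the post's advice; not Doctor Web's code. The two
manifests below are constructed, not taken from Android.Spy."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the post calls out as red flags for an app with no business
# touching SMS, calls, contacts, device identity, autostart or bookmarks.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",        # exposes IMEI/IMSI-style identifiers
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",  # start when the phone is turned on
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}

# Constructed manifests: a game that only needs the network, and a trojanized
# copy of the same game asking for far more.
CLEAN_GAME = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

TROJANIZED_GAME = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def review_permissions(manifest_xml: str, expected: set) -> dict:
    """Compare requested permissions with the set the app's purpose justifies.

    Reports everything beyond 'expected' and the subset of that excess which
    the post treats as a reason not to install."""
    requested = requested_permissions(manifest_xml)
    excess = requested - expected
    flagged = excess & HIGH_RISK
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "high_risk": sorted(flagged),
        "verdict": "do not install" if flagged else "consistent with purpose",
    }


if __name__ == "__main__":
    game_needs = {"android.permission.INTERNET"}
    for label, manifest in (("clean", CLEAN_GAME), ("trojanized", TROJANIZED_GAME)):
        r = review_permissions(manifest, game_needs)
        print(f"{label}: {r['verdict']} high_risk={r['high_risk']}")
```

The check is deliberately relative to the app’s purpose rather than to a fixed blacklist: a messaging app legitimately needs SEND_SMS, so the same permission is a red flag only when the expected set does not include it.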

Posted in DrWeb

“Facebook Support. Your password has been changed!” contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Facebook Support. Your password has been changed! ID09687”. Note that the number may change with each email.

The email is sent from the spoofed addresses:

account@facebook.com
manager@facebook.com

The message has the following body:

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for your attention,
Your Facebook

The attached ZIP file has the name New_Password_IN04393.zip, note that the number at the end will change, and contains the 33 kB large file New_Password.exe.

The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).

The following files will be created:

%System%\document.doc

Several Windows registry changes will be executed and the trojan can establish a connection with the IP 193.106.34.20 on port 80.

Data can be obtained from the following URLs:

  • hxxp://profmiale.ru/TGQW4nHJOS/document.doc
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=8
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=9
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=uploader
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=grabbers
  • hxxp://profmiale.ru/TGQW4nHJOS/grabbers.php
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=0
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=1
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=2
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=3
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=4
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=5
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=6
  • hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=7

At the time of writing, only 6 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.

Posted in Facebook


Video – “Windows Activation” Ransom Trojan

We recently came across a ransom trojan that prompts the following:

Windows license locked!

The trojan claims that “you should complete activation” and provides several phone numbers.

The numbers:

  •  002392216368
  •  002392216469
  •  004525970180
  •  00261221000181
  •  00261221000183
  •  00881935211841

The trojan claims that the call is “free of charge” but it isn’t, and the trojan author will earn money from the call via a technique known as short stopping.

After three minutes or so, the caller is given this unlock code: 1351236.

The unlock code appears to be the same every time the number is called.

It’s a pretty clever bit of social engineering and some victims may never even realize that they’ve been scammed.

Here’s a video demonstration on the Labs YouTube channel, which also includes some discussion of other ransom trojans.

The GPcode screenshots referenced in the video can be seen here and here.

We detect this trojan (md5: 9a6f87b4be79d0090944c198a68012b6) as Trojan.Generic.KDV.153863.

A full audio recording of our call to the ransom number is here (MP3, 4 minutes).

On 11/04/11 At 02:57 PM

Posted in F-Secure

“United Parcel Service notification 48161” from UPS contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan variant distribution campaign by email with the subject “United Parcel Service notification 48161”, where the number in the subject may vary. The email characteristics are more or less the same as in the previous campaign MX Lab posted earlier this week, but the detection rate at the time of writing is very low: only 5 of the 43 AV engines at Virus Total detected the trojan!

The email is sent from the spoofed address “United Parcel Service <****@ups.com>”, where **** is filled in with various combinations like:

infoads@ups.com
infoad111@ups.com
infoad@ups.com
infosec@ups.com
infosec1@ups.com
infosec3@ups.com
infosec4@ups.com
infoser@ups.com
infoser1@ups.com
infoser2@ups.com
infoser3@ups.com
infoser4@ups.com
infosec8@ups.com

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

The attached ZIP file has the name UPS-document.zip and contains the 20 kB large file UPS-document.exe.

The trojan is known as Artemis!08BA3C182674 (McAfee), Trj/CI.A (Panda).

Virus Total permalink and MD5: 08ba3c182674398cd2190cad5dc327ef.

The trojan will install itself on an infected computer and will obtain data from the following URLs:

  • http://109.94.220.52/lol2.exe
  • http://109.94.220.52/pod.exe
  • http://109.94.220.52/spm.exe
  • http://91.213.29.175/lol2.exe
  • http://91.213.29.175/pod.exe
  • http://91.213.29.175/spm.exe

For each of the files we have the following report:

lol2.exe:

FakeAlert-CN.gen.h (McAfee), FraudTool.Win32.FakeRean.b (VIPRE)
Virus Total permalink – MD5: 43b84209a37ebdee99996b073562203e

Installs the file %AppData%\pux.exe, modifies the registry, connects to IP 69.50.209.138 on port 80 and requests the URL hxxp://vogunemymyko.com/1017000412

pod.exe:

Worm/Rorpian.A (AntiVir), W32/Worm-FAO!1B984534DCC8 (McAfee)
Virus Total permalink – MD5: 1b984534dcc8d761703437f10a9cf179

Installs the file %Temp%\srvB8.tmp, connects to IP 188.138.48.178 on port 80 and requests the URL hxxp://188.138.48.178/service/listener.php?affid=50039

spm.exe:

Artemis!CCB935935C60 (McAfee), W32/Spammer.AQZ.worm (Panda)
Virus Total permalink – MD5: ccb935935c60b7c931201daa9efd6af4

Installs the files %System%\mhmhbrog.dll and %System%\tmp.tmp, modifies the registry, and makes connections to the following IPs:

124.108.116.109, on port 25
67.195.168.31, on port 25
98.137.54.237, on port 25
98.139.54.60, on port 25
46.4.10.7, on port 8000 and 8001

This malware will also generate SMTP traffic from the spoofed email addresses:

  • <info1goyoy@ups.com>
  • <info47dynu@ups.com>
  • <info42s@ups.com>
  • <info2yu@ups.com>

This malicious payload will create the following files:

%CommonAppData%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Temp%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Templates%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%\Microsoft\conhost.exe
%AppData%\xbr.exe
%Temp%\srvC8.tmp
%System%\mtcaqnbx.dll
%System%\musawolc.dll

The following processes will be created:

conhost.exe: %AppData%\Microsoft\conhost.exe
xbr.exe: %AppData%\xbr.exe

The following hostnames are requested from the host database:

  • ponel.biz
  • itisformebaby.biz
  • zuzosahule.com
  • dafatesomyz.com
  • jumonevetode.com
  • gokuzajylot.com
  • lukofymela.com
  • jebuponip.com
  • quxovasuced.com
  • laqoduhisegu.com
  • xyseditacif.com
  • dihemehypuq.com
  • wylyxaqunowy.com
  • qepovexidysopy.com
  • bebecebyt.com
  • rumesexyzobuz.com
  • kyxiteruk.com
  • kexigulat.com
  • jarynokab.com
  • lefurasacaveta.com
  • cicabijyni.com
  • ridibasofetevi.com
  • sihorarofiqiha.com
  • ropunonic.com
  • xyxukinasacujo.com
  • tapahagupaji.com
  • zonotunev.com
  • raxukakudumow.com
  • vogunemymyko.com
  • zufonabubi.com
  • bynoripuqoxyl.com
  • kytelaticik.com
  • qyvexyhun.com
  • myhofociv.com
  • dalebihyku.com
  • kijyjajutava.com
  • decufysohyh.com
  • sezixalekur.com
  • lolypositole.com
  • hohimedag.com
  • hikiniribep.com
  • fyxinolydima.com
  • gonifyzadiby.com
  • wavupinycom.com
  • xykecolun.com
  • hisepelihyzex.com
  • xixeriwihat.com
  • vetidicawisos.com
  • dijipabamefuw.com
  • naxucerybaqecy.com
  • hegylocimemyja.com
  • roboralipijago.com
  • samykacagatet.com
  • fusipemura.com
  • sazulipum.com
  • fuxawekugygil.com

A connection attempt to itisformebaby.biz on port 8000 is executed and a connection is established to the IP 188.138.48.178 on port 80 with the request service/listener.php?affid=50039.

The following HTTP URLs were requested:

  • hxxp://vogunemymyko.com/1017000412
  • hxxp://zufonabubi.com/1017000412
  • hxxp://bynoripuqoxyl.com/1017000412
  • hxxp://kytelaticik.com/1017000412
  • hxxp://qyvexyhun.com/1017000412
  • hxxp://myhofociv.com/1017000412
  • hxxp://dalebihyku.com/1017000412
  • hxxp://kijyjajutava.com/1017000412
  • hxxp://decufysohyh.com/1017000412
  • hxxp://sezixalekur.com/1017000412
  • hxxp://lolypositole.com/1017000412
  • hxxp://hohimedag.com/1017000412
  • hxxp://hikiniribep.com/1017000412
  • hxxp://fyxinolydima.com/1017000412
  • hxxp://gonifyzadiby.com/1017000412
  • hxxp://wavupinycom.com/1017000412
  • hxxp://xykecolun.com/1017000412
  • hxxp://hisepelihyzex.com/1017000412
  • hxxp://xixeriwihat.com/1017000412
  • hxxp://vetidicawisos.com/1017000412
  • hxxp://dijipabamefuw.com/1017000412
  • hxxp://naxucerybaqecy.com/1017000412
  • hxxp://hegylocimemyja.com/1017000412
  • hxxp://roboralipijago.com/1017000412
  • hxxp://samykacagatet.com/1017000412
  • hxxp://fusipemura.com/1017000412
  • hxxp://sazulipum.com/1017000412
  • hxxp://fuxawekugygil.com/1017000412
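As an added example (not MX Lab’s code), here is how the indicators above can be run against outbound-connection logs. The log format and the log lines are constructed; the IP/port pairs, hostnames and URL paths are the ones listed in the post. The mail-server IPs the spm.exe payload talks to on port 25 are deliberately not used as indicators: they are most likely public mail servers, so the useful signal is a workstation speaking SMTP directly rather than the destination itself.

```python
"""Match outbound-connection log lines against the indicators in the post.

Added example, not MX Lab's code. The log format and lines are constructed;
the IP/port pairs, hostnames and URL paths come from the post."""
import re

# Indicators taken from the post.
C2_ENDPOINTS = {
    ("188.138.48.178", 80), ("69.50.209.138", 80),
    ("46.4.10.7", 8000), ("46.4.10.7", 8001),
}
C2_DOMAINS = {"ponel.biz", "itisformebaby.biz", "vogunemymyko.com",
              "zufonabubi.com", "bynoripuqoxyl.com"}
C2_PATH_RE = re.compile(r"(/1017000412$|listener\.php\?affid=50039)")

# Hosts allowed to speak SMTP directly; any other source sending to port 25 is suspect.
MAIL_RELAYS = {"10.0.0.5"}

# Constructed log format: <timestamp> <src_ip> <dst_ip> <dst_port> <host> <path>
# ('-' when there is no HTTP layer). Non-IoC destinations use RFC 5737 test addresses.
SAMPLE_LOG = """\
2011-04-06T10:00:01 10.0.0.15 188.138.48.178 80 188.138.48.178 /service/listener.php?affid=50039
2011-04-06T10:00:05 10.0.0.15 203.0.113.7 80 vogunemymyko.com /1017000412
2011-04-06T10:00:09 10.0.0.15 124.108.116.109 25 - -
2011-04-06T10:00:12 10.0.0.15 46.4.10.7 8001 - -
2011-04-06T10:00:20 10.0.0.22 203.0.113.9 443 www.example.com /
2011-04-06T10:00:25 10.0.0.5 124.108.116.109 25 - -
2011-04-06T10:00:30 10.0.0.22 203.0.113.9 80 www.example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


def classify(line: str) -> list:
    """Return the reasons a log line matches the indicators (empty if clean)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    _ts, src, dst, port, host, path = m.groups()
    port = int(port)
    reasons = []
    if (dst, port) in C2_ENDPOINTS:
        reasons.append("c2-endpoint")
    if host in C2_DOMAINS:
        reasons.append("c2-domain")
    if path != "-" and C2_PATH_RE.search(path):
        reasons.append("c2-path")
    # Spam bots send mail themselves; workstations normally go through a relay.
    if port == 25 and src not in MAIL_RELAYS:
        reasons.append("direct-smtp-from-workstation")
    return reasons


def scan_log(text: str) -> list:
    """Scan every line; return (line_number, line, reasons) for lines that hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.append((n, line, reasons))
    return hits


if __name__ == "__main__":
    for n, line, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
        print("   ", line)
```

The path rule catches the same infection even after the botnet rotates to a domain not on the list, since all the request URLs in the post end in the same affiliate-style value.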

Posted in Security


Trojan downloader Chepvil on the UPSwing

A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week.  The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011.

Win32/Chepvil is a trojan that downloads other malware such as Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Backdoor:Win32/Cycbot.B and VirTool:Win32/Injector.gen!BG. The retrieved malware is saved to the %TEMP% folder and then executed. Microsoft Malware Protection Center has noticed that detections over the past few days have gone from a handful to around 400k per day.

The majority of these detections are coming from the antimalware technology protecting our Hotmail customers, clearly indicating the vector: spam. At the time of writing, we have received a few reports of other online email service account holders receiving this trojan via spam email as well.

Below is a chart indicating observed telemetry of this trojan over a short period of time:

Image 1 – Chepvil telemetry


Nearly all of the attached files are named “United Parcel Service document.zip”.

The most prevalent SHA1s for the .ZIP attachment are:
0610CE22DF47B3D9C69DC63387705FD666C7205A
151755454A9D443A8A60996F3F1DC4E0C68A9B5D
2C25B6B2764E4DA5EC0A7D57017DFA5FF2A10873

The most prevalent SHA1s for the .EXE trojan within the .ZIP archive are:
0FB63DFF83DB643C9EE42EFE617BDD539A5FFB8F
142E8b00AA24954f9A4AA2271B8A49C445B87587
DA65B7B277540B88918076949A28E8307AD7E41A

Our geographical data from our endpoint protection products show a heavy focus on the United States:

Image 2 – Chepvil telemetry by geography


Below is one example of a spammed message containing the Chepvil trojan.

 

Image 3 – Sample of Chepvil trojan attachment


MMPC customers have detection for this issue through the signature TrojanDownloader:Win32/Chepvil.I.

 

- Holly Stewart, Joe Faulhaber, Jaime Wong & Patrick Nolan

Posted in Microsoft

Android trojan alert

Recent reports on trojanized applications being found on the official Android Market just came to our attention (Androidpolice.com and Reddit).

The malicious applications were uploaded using various developer names. A full listing of the applications involved appear here: http://pastebin.com/Ue8TfLgE.

According to the androidpolice.com report, on checking out one of the malicious applications, it contains a known exploit “rageagainstthecage” for gaining root access. This exploit is known to work on Android 2.2 and below.

The original androidpolice.com report indicated the malicious applications have already been pulled from Android Market – which is great news for users who haven’t yet unwittingly downloaded the malware.

Users who have already done so may still need to wait for Google to remotely remove these apps – or remove them manually.

We’ll continue to monitor the situation. We’re also looking for samples of these trojanized applications for further analysis. If you have one of the malicious samples, you might consider sending it to our Sample Analysis System.

Regards,
Zimry

On 02/03/11 At 09:33 AM

Posted in F-Secure

Trojan Spreading through Facebook chat.

Facebook photos have become a new target for cyberthieves looking to direct users to malicious sites. Recently, spam chat and email messages were sent from compromised Facebook user accounts to everyone on their friend lists.

The Facebook chat messages include text such as “hahahah foto” and a link to a phony Facebook application page. Clicking the link to look at the photo redirects users to a malicious page that attempts to infect their systems with malware.

The file presents itself as an image file but is actually an executable binary. If the user tries to view the image by double-clicking it, the malware is executed.

In our controlled environment at Quick Heal Viruslab we executed the file and checked its activity, and found that it redirected to a website flashing a message that the web browser needs to be upgraded.

The malware then established a connection with a remote IRC server, as shown below:
nick="NEW-[USA|00|P|12397]"
username="XP-4911"
password="xxx"
JOIN #!nn!
testMODE [USA|00|P|88251] -ix
testPONG 22 MOTD

The malware also silently connected to the websites below:
“xxxxx.ic.ac.uk”
“ale.xxxxx.com”
“verxxxxx.com”
“api.axxxxxory.info”

Anyone’s curiosity will be piqued after seeing such easy steps to making money online. Finally, it diverts the user to a page asking them to pay a security deposit.

These are all fake notifications. The malware was trying to play a prank with such fake easy-money-making methods. Please avoid paying them.

Quick Heal detects this Trojan threat as “Trojan.Agent.fb”.

Posted in Facebook, Quick Heal


New Android Trojan horse could prove costly

Some vendors are calling it HongTouTou, others have named it Adrd, and Sophos (rather unimaginatively in my view!) treats it as a variant of Geinimi, but whatever your anti-virus product chooses to call it, there’s no denying that a new Trojan horse for Android smartphones is making headlines.

The latest Trojan horse for Google’s Android operating system has been seen posing in Chinese third-party app stores as legitimate programs such as Wallpaper apps.

The official Android Market, run by Google, does not appear to be carrying the malicious apps – but if you go “off-road” and choose to install software on your smartphone from elsewhere on the net, then you could be putting your device at risk.

For this reason, the vast majority of Android users probably have little to fear. But those who do install applications from unknown sources (known as “sideloading”) do need to recognise that they might be putting their smartphone, data and potentially finances in danger.

Once installed, the malicious application can not only gather information about your smartphone (the device’s IMEI and IMSI), but it can also emulate clicks on particular search results – giving the visited websites the impression that it is a real mobile phone user choosing to visit their pages.

The assumption has to be that those behind the Trojan horse might be earning commission through the click traffic. Furthermore, of course, it could hurt you in your pocket by eating up data bandwidth.

Interestingly, the malicious code appears to have the ability to download updates for itself via the web, which could contain additional functionality.

Sophos has been detecting the Trojan as a variant of Troj/Geinimi-A since 00:15 BST on 15 February 2011.

For more information about the Trojan, check out the blog entry from the mobile security researchers at Lookout.

Posted in Sophos


Russian mobile users targeted by SMS Valentine Trojan

A Valentine’s Day mobile application, which promises to send a romantic MMS message to a loved one, actually hides a money-making scheme that sends expensive messages to a Russian premium rate SMS number.

Security experts have come across a downloadable file called love_mms.rar, which itself contains a Java Archive (.JAR) called jimm2010.jar.

It’s unlikely, of course, that anyone outside the Russian-speaking world would be affected by this malware, especially as its installation messages are impenetrable to most of us born in other countries:

Добро пожаловать! Вас приветствует мастер установки Jimm 2010! Нажмите "Да", чтобы продолжить инсталяцию.

Установка Jimm Сейчас будет произведена установка приложения Jimm 2010 на Ваш мобильный телефон. Нажмите "Да" чтобы продолжить инсталляцию.

Что такое Jimm 2010 Это красивые иконки и логотипы, прикольные смайлики (до 386 штук), смешные звуки, а также красивый внешний вид мобильной аськи!

Что нового в Jimm? Jimm Mobile от 10 января 2010 года, который включает в себя многочисленные доработки и изменения мода ХаТТаВ.

Пользовательское Соглашение вступает в силу с момента выражения Вами согласия с его условиями путем продолжения установки программного обеспечения. Настоящее Соглашение формулирует юридические условия пользования Сайтом, предназначено для урегулирования взаимоотношений между Владельцем и Пользователем, и включает политику Сайта по поводу правил пользования услугами и контентом, размещаемым на Сайте, а также по поводу прав, обязанностей и ограничений, связанных с использованием услуг. Данное Соглашение распространяется на настоящих и будущих Пользователей Сайта. Это лишь краткое Пользовательское соглашение, его полную версию Вы можете увидеть на сайте [LINK] В процессе инсталляции Jimm Вы можете сделать пожертвование сайту 2 раза с помощью SMS на номер 5999. Стоимость каждого sms сообщения составляет до 95 рублей без НДС, в зависимости от Вашего оператора.

Roughly translated:

Welcome! The Jimm 2010 setup wizard greets you! Press "Yes" to continue the installation.

Installing Jimm. The Jimm 2010 application will now be installed on your mobile phone. Press "Yes" to continue the installation.

What is Jimm 2010? It is beautiful icons and logos, cool emoticons (up to 386 of them), funny sounds, and a beautiful look for your mobile ICQ!

What's new in Jimm? Jimm Mobile from 10 January 2010, which includes numerous improvements and changes of the XaTTaB mod.

The User Agreement takes effect from the moment you express your consent to its terms by continuing the installation of the software. This Agreement sets out the legal terms of use of the Site, is intended to govern the relationship between the Owner and the User, and includes the Site's policy on the rules for using the services and content posted on the Site, as well as the rights, obligations and restrictions connected with the use of the services. This Agreement applies to present and future Users of the Site. This is only a short User Agreement; you can see its full version at the site [LINK]. During the installation of Jimm you can make a donation to the site 2 times by SMS to the number 5999. The cost of each SMS message is up to 95 rubles excluding VAT, depending on your operator.

The last message warns that by continuing with the installation you have agreed to various terms and conditions, including that you will be stung twice to the tune of 95 rubles by sending an SMS to a short code number.

The Trojan horse, reported by The Register today, is detected by Sophos as Troj/Jifake-A.

Remember to take care over any applications you install on your computing devices – whether it be a desktop PC, laptop or mobile phone. Just because it’s Valentine’s Day doesn’t mean that there’s any excuse to throw all common sense out of the window.

Posted in Sophos


Hei Man: Scandinavian spam attack spreads Trojan horse

Sophos is intercepting a malicious spam attack, which attempts to infect recipient’s computers with a Trojan horse by pretending to contain images of the Scandinavian sender.

Here is what a typical malicious email looks like:

Hei Man malicious email

Subject: Hei Man,
From: "Facebook"<info@hi5.com>
Attached file: Image123.zip

Message body:
Hei Man,

Jeg vet ikke hvordan jeg skal si det, men jeg har prøvde før en lang tid til å sende deg noen bilder, men jeg har tenkt at du ikke er interessert i å se meg.
Men nå skal jeg sende deg bilder i vedlegg.
Last ned bilder og trekke ut de, er jeg sikker på at du vil like de. Passordet er: 123456

Ha en flott dag.

The message, which appears to be written in Norwegian, roughly translates to:

Hey Man,

I do not know how to say it, but I have tried for a long time to send you some pictures, but I've been thinking that you are not interested in seeing me.
But now I'll send you pictures in the attachment.
Download the images and extract them, I'm sure that you will like them. The password is: 123456

Have a great day.

The attached file, named Image123.zip, is encrypted – presumably in an attempt to avoid detection by weaker anti-virus products – but the email message contains the password to unlock the ZIP and reveal the malware to you.

Of course, an attack like this is only likely to trick users who speak Norwegian (or its close linguistic neighbour Danish), but you can imagine how a message claiming to come from a Facebook or Hi5 friend might trick some people into checking out what hides behind the ZIP without thinking.

Sophos detects the Trojan horse proactively as Mal/Behav-043 and is adding detection of the ZIP file as Troj/BredoZp-BU.

Posted in Sophos

SpyEye, the infostealing trojan leader

Everyone is talking about the SpyEye Trojan, the info stealer malware that gained all the attention after the author of ZeuS left the underground market and sold ZeuS sources to the SpyEye team. We already wrote about SpyEye last year, when we focused on the threat claiming that it could potentially become one of the top password stealing threats. Now that the SpyEye authors have access to all of ZeuS source code, SpyEye is becoming the main kit available for sale in the underground with even more efficient coding with some additional ZeuS based technologies.

Let’s have a closer look at the new variants of SpyEye.

The SpyEye dropper comes as a UPX-packed executable. After unpacking the first layer we are lucky, as we can already get to the SpyEye code. However, we have some samples which make use of highly obfuscated decryption code, used for a second-stage decryption loop. This second-stage decryption loop makes use of its own routine for obtaining function addresses by parsing library export tables. The function uses name hashes instead of plain-text names; the hash is calculated by an ADD/ROL loop.

After the second decryption loop has completed, we are at the real SpyEye executable code. The Trojan is divided into a few parts: the main executable itself is just a stub that acts like a pre-loader. It contains 5 resource files and an embedded executable, which is the real SpyEye code. The resource files are named C1, C2, C3, SC1, SC2.

C1 contains the basic settings of the Trojan, such as the name of the folder that the Trojan needs to create, the names of the two files that will be stored inside the folder, and the mutex used to check whether the infection is already running on the system. The folder will have the hidden attribute set as well. C2 contains the real configuration file, called config.bin; we will explain it in more detail later in this post. C3 contains the config.bin password in plain text.

SC1 is instead a module that the pre-loader injects into the explorer.exe process. This module is responsible for creating the folder and storing the Trojan dropper inside it; it then launches the dropper again from the new location and deletes the original dropper. SC2 is a module used by the SpyEye pre-loader to get system information such as the Windows build number, the user account name, the Windows folder and a number of other data points.

The SC1 module is injected into the host process explorer.exe and does its job as described above. The dropper now reloads from the right location, extracts the C3 resource file, reads the config.bin password and stores it as an environment variable by calling the SetEnvironmentVariableA API. This lets the Trojan share the password between the pre-loader and the actual SpyEye code. Finally, execution is passed to the embedded executable code.

Inside the real SpyEye code, the Trojan first checks whether the config.bin file has already been stored inside the hidden folder along with the dropper executable. If not, the config file is extracted from the C2 resource and stored inside the folder. Then the configuration file is decrypted by the Trojan. The encryption algorithm is not really complicated: it is just a XOR-based loop running from the end of the file back to the beginning. Every byte is XOR'd with the key 0xC4, and the byte located at the previous position is subtracted from the result. After decryption, config.bin is just a password-protected zip archive. As mentioned above, the password is the string located inside the C3 resource.
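The config.bin decoding described above, as an added example for analysts extracting the configuration from a sample; this is not Prevx's or the SpyEye authors' code. It implements the backward XOR/subtract loop as the post describes it and assumes that the first byte, which has no predecessor, is only XOR'd with the key; the encoder and the sample archive are constructed here to give a test vector.

```python
"""Decoder for the config.bin scheme described above.  Added example, not Prevx's
or the SpyEye authors' code: it implements the backward XOR/subtract loop as the
post describes it.  Assumption: the first byte, which has no predecessor, is only
XOR'd with the key."""
import io
import zipfile

KEY = 0xC4


def decrypt_config(enc: bytes) -> bytes:
    """Walk from the last byte to the first: plain[i] = (enc[i] ^ KEY) - enc[i-1].

    The subtraction uses the still-encrypted previous byte, which is why the
    malware can decode in place only by running backwards; a separate output
    buffer is used here for clarity."""
    out = bytearray(len(enc))
    for i in range(len(enc) - 1, 0, -1):
        out[i] = ((enc[i] ^ KEY) - enc[i - 1]) & 0xFF
    if enc:
        out[0] = enc[0] ^ KEY  # assumption: index 0 has no previous byte to subtract
    return bytes(out)


def encrypt_config(plain: bytes) -> bytes:
    """Inverse of decrypt_config, derived here only to build a test vector (the
    post does not describe the encoder).  Runs forward: enc[i] needs enc[i-1]."""
    out = bytearray(len(plain))
    for i, b in enumerate(plain):
        prev = out[i - 1] if i else 0
        out[i] = ((b + prev) & 0xFF) ^ KEY
    return bytes(out)


def looks_like_zip(data: bytes) -> bool:
    """A correctly decoded config.bin starts with a zip local file header."""
    return data[:4] == b"PK\x03\x04"


def list_config_entries(decrypted: bytes) -> list:
    """Entry names of the decoded archive.  Real configs are password-protected
    with the C3 string; listing names works without it, while reading members
    would need ZipFile.read(name, pwd=...)."""
    with zipfile.ZipFile(io.BytesIO(decrypted)) as zf:
        return zf.namelist()


def build_sample_config() -> bytes:
    """Constructed stand-in for config.bin: a tiny zip with two placeholder
    entries, encrypted with the scheme above.  Not a real SpyEye configuration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.dat", "; placeholder settings\n")
        zf.writestr("webinjects.txt", "; placeholder injection rules\n")
    return encrypt_config(buf.getvalue())


if __name__ == "__main__":
    sample = build_sample_config()
    print("raw file looks like zip:", looks_like_zip(sample))      # False
    plain = decrypt_config(sample)
    print("decoded file looks like zip:", looks_like_zip(plain))   # True
    print("entries:", list_config_entries(plain))
```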

Stored inside the configuration zip package are configuration files along with specifically chosen plugins, such as plugins that make the infected PC act as a SOCKS5 server, or credit card grabbers. There is other interesting information too, such as the servers contacted by the Trojan and the HTML code that is injected into specific HTML pages. This is a feature already implemented in ZeuS and copied by the SpyEye authors.

After the configuration file has been decrypted and parsed, the embedded executable code injects all of its code into the explorer.exe process, and the pre-loader process terminates. The code is now active in memory and ready to be injected into every other running process except services.exe, smss.exe, csrss.exe and system processes.

In the targeted processes, the Trojan hooks the following APIs:

CryptEncrypt, LdrLoadDll, NtEnumerateValueKey, NtQueryDirectoryFile, NtResumeThread, NtVdmControl, TranslateMessage, HttpAddRequestHeadersA, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, HttpSendRequestW, InternetCloseHandle, InternetQueryDataAvailable, InternetQueryOptionA, InternetReadFile, InternetReadFileExA, InternetWriteFile.

Some newer variants of SpyEye implement a hooking engine protected by a number of watchdog threads, which immediately restore all of the Trojan's hooks if they are overwritten or removed by security software.

The Trojan makes use of user-mode rootkit techniques to hide both its registry key, located under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Current Version\Run, and the folder containing the Trojan executable along with the config.bin file. The folder is usually located in the root directory of the drive where the operating system is installed.

Due to the way the Trojan is designed, it is perfectly able to steal sensitive data from every PC, whether it runs with administrative privileges or under a limited user account. Moreover, after the ZeuS authors resigned, SpyEye is soon to become the leading infostealing Trojan in the underground.

The increasing number of SpyEye infections we are detecting and cleaning on infected PCs tells us that SpyEye is very widespread, and you should really pay attention to your computer's security, even when using a limited account. Protect your web surfing experience with Prevx and SafeOnline.

Posted in Prevx

More interesting things… Mac version of Koobface trojan

Hi folks,

As the title says, there are many more interesting things today.

Firstly, there’s evidently a Mac version of the Koobface trojan circulating. Readers of this blog will recall that I have often said that Mac is not invulnerable, merely un-targeted. When John Dillinger was asked “Why do you rob banks?”, he replied, “Well, that’s where the money is.” As Mac market share increases, so will their target value. This particular trojan asks permission to install, but Mac users have no antibodies, because they’ve been told for so long that they have nothing to worry about. I expect this’ll catch plenty of unwary victims.

Bottom line with this is that if you’re a Mac user, and you get a message saying something to the effect of “An applet from xxxxxxxxxxxx is requesting access to your computer”, disallow it. Alternatively, install LinkScanner for Mac. It’s free and it’s really good at spotting those things.

Secondly, there is a rash of Facebook attacks rolling today as well. Themes include (but are not limited to)

“Get your facebook credits free here”

“Watch sons of anarchy season 3”

“Must see hidden secret in Facebook logo”

and the old stand-by “See who’s viewing you on Facebook”

Remember, if it sounds too good or amazing to be true, it’s not true. Also please recall that no one wants to send you $20m, if you didn’t buy a ticket you probably have not won the Dutch National Lottery, the pretty Russian girl who wants to be your friend is probably not pretty, and probably not even a girl, and no matter what the website says, you are not the millionth visitor. I feel like a bad parent sometimes, because I tell my kids “I’m sorry… you are _not_ a winner”.

Thirdly, the Dutch police have taken down the infamous Bredolab botnet, which supposedly infected 30m victims worldwide, and not only have they captured the servers, but they seem to have pinched an Armenian guy who was behind it all.

Outstanding work guys! You made the world a bit safer.

Just to wrap up the blog, far be it from me to say “I told you so” about the Mac stuff, but … “I told you so!”

:-)

Keep safe folks

Posted in AVG

Trojan GetCodec/Brisv Comes Back Again

Brisv, a months-old trojan that infects multimedia files, has struck again for no apparent reason, as reported by our customers.

The trojan enumerates local and mapped network drives looking for files with the extensions ASF, WMV, WMA, MP2 and MP3. It then infects the located files by injecting a malicious script that instructs the media player to pop up the default browser window and navigate it to the malicious web site isvbr.net, which in turn redirects to a different URL, www.play-error.com.

When the media player plays back an infected file (on a test system, after about 10 seconds of playback), the browser window pops up and the player stops playing the file, as shown below:

The web site the user is redirected to can vary and may host any kind of malware. At the time of writing, isvbr.net redirects to www.play-error.com:

The traffic generated during the playback of the infected multimedia file is shown below:

To see the list of system changes, please check the ThreatExpert report here.

Should you need to quickly scan your system and/or disinfect the infected multimedia files, please run the fixtool from this location.
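A sweep for the infection described above, as an added example that is not the vendor's fixtool: it scans files with the extensions the post lists for the two redirect hosts named above, in ASCII and in UTF-16LE (the encoding used for strings inside ASF/WMA containers, which is an assumption about the container rather than a statement from the post). The sample files are constructed in a temporary directory.

```python
"""Sweep for Brisv-style media infections.  Added example, not the vendor's
fixtool: it scans files with the extensions the post lists for the two redirect
hosts named above, in ASCII and in UTF-16LE (an assumption about how ASF/WMA
containers store strings, not a statement from the post).  The sample files are
constructed in a temporary directory."""
import os
import tempfile

EXTENSIONS = {".asf", ".wmv", ".wma", ".mp2", ".mp3"}
INDICATORS = ("isvbr.net", "play-error.com")
PATTERNS = [(ioc, ioc.encode(enc)) for ioc in INDICATORS for enc in ("ascii", "utf-16-le")]
OVERLAP = max(len(raw) for _, raw in PATTERNS)


def scan_file(path: str, chunk: int = 1 << 20) -> set:
    """Indicators present in one file; an overlap is kept between reads so a
    match split across two chunks is still seen."""
    found, window = set(), b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return found
            window = window[-OVERLAP:] + data
            for name, raw in PATTERNS:
                if raw in window:
                    found.add(name)


def scan_tree(root: str) -> dict:
    """Map of relative path -> indicators for every media file under root."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue                      # only the extensions Brisv targets
            path = os.path.join(dirpath, name)
            found = scan_file(path)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def build_sample_tree() -> str:
    """Constructed stand-ins: a clean MP3, a WMA carrying a UTF-16LE redirect URL,
    an MP3 carrying an ASCII one, and a text file that must be ignored."""
    root = tempfile.mkdtemp(prefix="brisv_demo_")
    files = {
        "clean.mp3": b"ID3" + b"\x00" * 64,
        "infected.wma": ASF_HEADER_GUID + b"\x00" * 32
                        + "http://isvbr.net/".encode("utf-16-le"),
        "song.mp3": b"ID3" + b"\x00" * 8 + b"http://www.play-error.com/" + b"\x00" * 8,
        "notes.txt": b"isvbr.net mentioned in a text file, not a media file",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, found in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(sorted(found))}")
```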

Posted in Security

Analysis of Chcod, another DDoS Trojan

We have done some analysis on the Chcod malware family, also known as Ogran, which has been showing up in our sandboxes since at least August 2009.  Like the Yoyoddos and Avzhan trojans, this family is also controlled predominantly from Chinese IP space and appears to be used almost exclusively as a DDoS agent.

Malcode Properties

The Chcod malware is distributed in the form of a very small unpacked executable; we have observed its size vary from 9728 to 20,480 bytes, with specimens most frequently weighing in at approximately 12.5 KB.  Here are some MD5 hashes of some representative samples:

9ec5dbc58ff6f2811596540ada704def
876718d10b42b053df1df4fb0a69f789
32291e232247e9004e520d0e638f565d
e10cf3881ce04f0cde4091c3dad78fe8

Samples are typically hosted on Chinese servers, although we have observed at least one instance of Chcod being distributed from Thai IP space.  Here are some of the (defanged) URLs that have distributed Chcod malware:

hxxp://61.147.120.135:81/zhaomingyang520.exe
hxxp://www.huoyx.com/7758.exe
hxxp://nc3comcn.vip137.2hezu.net/choujin/svchost.exe

Note that all three of these URLs live on CHINANET hosts, none of which are still serving the malware at this time.

Installation

Upon initial execution, Chcod will typically copy itself into the victim’s C:\Windows directory using a name that, more often than not, sticks out like a sore thumb; the operators of Chcod appear to make very little effort at blending in to their infected hosts.  Representative examples of installation names we have observed include:

C:\WINDOWS\QQ.exe
C:\WINDOWS\vx.exe
C:\WINDOWS\dfgc.exe
C:\WINDOWS\d.exe
C:\WINDOWS\zhaomingyang520.exe

Most variants of Chcod will set themselves up to be Windows Services that are automatically started upon system reboot.  Again, Chcod doesn’t make the slightest attempt to be stealthy when choosing a service name; representative examples include:

hytyju234567890
vsdxqq
dsff
txqqc
Aeeu01234567890

The display names Chcod uses for its installed service have often been even worse, such as this one:

Ati External Event UtilityKillOrKillOrPassKillOrKillOrPassKillOr

We have also observed at least one Chcod sample (MD5 876718d10b42b053df1df4fb0a69f789) that did not even bother to install itself as a service.

Communication Protocols

The Chcod bots phone home to their CnC servers by sending a small 56-byte block of structured data over a basic TCP socket; this message carries the name of the victim computer (as returned by the gethostname() API), a possibly truncated copy of the host name of the CnC to which it is sending the message, and a few small system fields described below.

We document the format of the communication protocol in the form of an equivalent C struct as follows:

// Trojan.Chcod bot-to-CnC message structure (56 bytes; every field sits on its
// natural alignment, so no packing pragma is needed)
struct chcod_beacon {
    WORD    wMagicNumber;     // Always 0x0100
    char    szCnCName[14];    // NULL-terminated CnC hostname, truncated as needed,
                              //   otherwise NULL-extended
    char    szVictimName[32]; // From gethostname(), NULL-terminated and extended
    WORD    wWindowsVersion;  // Encoded as: 3 (Vista), 2 (XP), 1 (WinME), 0 (Win98),
                              //   or 4 (Server 2003 x64)
    WORD    wPhysicalMemory;  // As returned by dwTotalPhys component of GlobalMemoryStatus()
                              //   and converted to MB
    WORD    wUnknown;         // Varies; we've seen 0xb808, 0x5014, 0x1450, and 0xa00f
    WORD    wZero;            // Always 0x0000
};

We do not currently know the meaning of the 16-bit value we refer to as wUnknown above, although it appears to be stored as a constant within the executable.

Here is a representative example, sent to a CnC hosted at bon19820609.3322.org, from an infected host named VICTIM:

$  0000   01 00 62 6F 6E 31 39 38 32 30 36 30 39 2E 33 00   ..bon19820609.3.
$  0010   76 69 63 74 69 6D 00 00 00 00 00 00 00 00 00 00   victim..........
$  0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$  0030   02 00 FF 00 B8 0B 00 00                           .......

One might wonder why the bot sends the CnC’s own host name back to the CnC. Presumably so that the operators of Chcod can support a crude form of “virtual hosting” in which multiple distinct Chcod botnets are controlled from a single CnC: each botnet would be controlled via a separate CnC host name, and each of these host names could resolve to the same IP address, on which the CnC server socket listens on a single port.  By including its controlling host name in the bot-to-CnC message, the CnC server could in theory determine which botnet the bot belongs to and respond accordingly.

Upon receipt of this “phone home” message, the CnC may respond with one of several different message formats; the nature of the command is specified by the value of the first two bytes in the CnC response:

1. Attack command (0x02): an 80-byte block of data that specifies the victim to be attacked, as well as the parameters of that attack; the message uses the following format:

// Chcod attack command (80 bytes)
struct chcod_attack_cmd {
    BYTE    nCommandCode;   // 0x02 = Launch DDoS attack
    char    szPadding[15];  // Always filled with 0x00 bytes
    WORD    wAttackType;    // 0x10 = HTTP flood; 0x02 = UDP flood
    WORD    wUnknownParam1; // ???  We have observed values of 0x32 and 0x1A
    WORD    wUnknownParam2; // ???  We have observed values of 0x32 and 0x3E
    WORD    wUnknownParam3; // ???  We have observed values of 0x32 and 0x90
    WORD    wPort;          // Port to attack
    char    szUrl[54];      // Victim URL, hostname, or IP address; NULL-terminated
};

An example from a UDP flood attack (target victim has been obfuscated):

$  0000   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$  0010   02 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61   ..2.2.2.P.www.ta
$  0020   72 67 65 74 2E 63 6F 6D 2F 69 6E 64 65 78 2E 68   rget.com/index.h
$  0030   74 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00   tm..............
$  0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

When engaging in a UDP flood, the Chcod bot will open a large number of simultaneous UDP sockets to the specified victim and port.  UDP floods from Chcod are typically directed against port 80 on the victim.  Chcod will flood the victim with UDP datagrams from each of these sockets; each datagram contains 16 bytes of payload.  The content of each datagram payload is 16 randomly chosen bytes from the range 0x1E through 0x3E.  The payload is different for each datagram sent by the bot.

Thus, a possible mitigation strategy for dealing with a Chcod UDP flood might be to blacklist any source IP address that is sending a lot of 16-byte UDP datagrams whose data bytes all fall within the range 0x1E to 0x3E.  (On the other hand, it might not be a bad idea to blacklist any source IP sending large numbers of UDP packets to your web server’s port regardless of their content…)
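The mitigation suggested above as a rate-based detector, an added example that is not part of the original analysis. A datagram matches when its payload is exactly 16 bytes, every one in 0x1E..0x3E, and a source is flagged only after enough matching datagrams arrive in a short window, because 16 bytes of digits, space and punctuation (which is what that byte range is) are not rare on their own; the sample traffic is constructed with a seeded RNG.

```python
"""Rate-based detector for the Chcod UDP flood signature described above.
Added example, not from the original analysis.  A datagram 'matches' when its
payload is exactly 16 bytes, each in 0x1E..0x3E; a source is flagged only after
`threshold` matching datagrams within `window` seconds, since 16 printable bytes
in that range (digits, space, punctuation) are not rare on their own."""
import random
from collections import defaultdict, deque

PAYLOAD_LEN = 16
LOW, HIGH = 0x1E, 0x3E


def matches_chcod_payload(payload: bytes) -> bool:
    """Length and byte-range test from the post; nothing else is checked."""
    return len(payload) == PAYLOAD_LEN and all(LOW <= b <= HIGH for b in payload)


class ChcodFloodDetector:
    def __init__(self, threshold: int = 100, window: float = 5.0, web_ports=(80,)):
        self.threshold = threshold
        self.window = window
        self.web_ports = set(web_ports)
        self.recent = defaultdict(deque)   # src -> timestamps of matching datagrams
        self.flagged = set()

    def observe(self, ts: float, src: str, dst_port: int, payload: bytes) -> bool:
        """Feed one datagram; return True the moment src crosses the threshold."""
        if dst_port not in self.web_ports or not matches_chcod_payload(payload):
            return False
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold and src not in self.flagged:
            self.flagged.add(src)
            return True
        return False


def constructed_traffic(seed: int = 1) -> list:
    """(ts, src, dst_port, payload) tuples: one bot-like sender, one low-rate
    client whose short printable datagrams happen to match, and one high-rate
    sender with the wrong payload size.  All addresses are documentation ranges."""
    rng = random.Random(seed)
    traffic = []
    for i in range(150):                       # bot-like: 150 datagrams in 1.5 s
        payload = bytes(rng.randint(LOW, HIGH) for _ in range(PAYLOAD_LEN))
        traffic.append((i * 0.01, "198.51.100.7", 80, payload))
    for i in range(20):                        # benign-looking, one per second
        traffic.append((i * 1.0, "203.0.113.9", 80, b"1234 5678 9012 3"))
    for i in range(150):                       # high rate, but 32-byte payloads
        traffic.append((i * 0.01, "203.0.113.10", 80, b"x" * 32))
    traffic.sort(key=lambda t: t[0])
    return traffic


def run_detector(traffic, **kwargs) -> set:
    det = ChcodFloodDetector(**kwargs)
    for ts, src, port, payload in traffic:
        det.observe(ts, src, port, payload)
    return det.flagged


if __name__ == "__main__":
    print("flagged sources:", run_detector(constructed_traffic()))
```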

Here is an example from an HTTP flood attack (again, the real target has been obfuscated):

$  0000   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$  0010   10 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61   ..2.2.2.P.www.ta
$  0020   72 67 65 74 3E 75 73 2F 69 6E 64 65 78 2E 61 73   rget.us/index.as
$  0030   70 00 70 00 61 73 70 00 68 64 6F 32 2F 69 6E 64   p.p.asp.hdo2/ind
$  0050   65 78 2E 61 73 70 00 00 00 00 00 00 00 00 00 00   ex.asp..........

Note that, although the CnC properly NULL-terminates the string specifying the target, it apparently does not initialize the entire 80-byte buffer with zeroes prior to filling in the structure.  This often results in string fragments associated with previous victims remaining in the response buffer that is sent back to the bots (such as the “…hdo2/index.asp” fragment in the HTTP flood example above).

2. Download command (0x03): an 80-byte block of data that specifies a URL that is to be downloaded and executed; the message uses the following format:

// Chcod download+execute command (80 bytes)
struct chcod_download_cmd {
    BYTE    nCommandCode;   // 0x03 = download URL and execute
    char    szPadding[15];  // Always filled with 0x00 bytes
    char    szUrl[64];      // NULL-terminated and extended URL to download and execute
};

An example message is as follows:

$  0000   03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$  0010   68 74 74 70 3A 2F 2F 31 32 32 2E 32 32 34 2E 34   http://122.224.4
$  0020   38 2E 38 37 3A 38 38 38 38 2F 64 6F 77 6E 2E 65   8.87:8888/down.e
$  0030   78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xe..............
$  0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Upon receipt of such a command, the Chcod bot will initiate an HTTP connection to the specified URL, save the downloaded executable to the C:\Windows directory using its original name (e.g., C:\Windows\down.exe in the above example), and execute it.  This mechanism can of course be used to update the Chcod bot with a newer version, or to drop additional malware on an infected system.

3. Uninstall command (0x05): Causes the Chcod bot to delete the Windows Service under which it is installed.

4. Logoff command (0x191): Force the infected user to be logged out of his/her session.

5. Reboot command (0x192): Force the infected host to reboot.

6. Shutdown command (0x193): Force the infected host to shut down.

7. Idle command (0x00): a 16-byte block of zeros to indicate that the bot is to stand by and perform no action.

It also appears that Chcod supports an additional command code (0x06) with functionality that is not understood at this time.

In general, upon the completion of this message exchange, the bot will remain connected to the CnC and listen for further instructions on the established socket (barring a system shutdown, etc.)
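A decoder for the two message formats documented in this section, as an added example for analysts reading captured Chcod traffic out of a sandbox or packet capture; it is not code from the original analysis. The field layout follows the C structs above, the command table follows the numbered list, and the sample messages are the hex dumps quoted in the post, re-typed here.

```python
"""Decoder for captured Trojan.Chcod CnC traffic.  Added example, not code from
the original analysis: the field layout follows the C structs documented above,
and the sample messages are the hex dumps quoted in the post, re-typed here."""
import struct

WINDOWS_VERSIONS = {0: "Win98", 1: "WinME", 2: "XP", 3: "Vista", 4: "Server 2003 x64"}
ATTACK_TYPES = {0x10: "HTTP flood", 0x02: "UDP flood"}
COMMAND_NAMES = {0x00: "idle", 0x02: "attack", 0x03: "download", 0x05: "uninstall",
                 0x06: "unknown-0x06", 0x191: "logoff", 0x192: "reboot", 0x193: "shutdown"}


def cstr(field: bytes) -> str:
    """Decode a NULL-terminated (or NULL-extended) fixed-width string field."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_beacon(msg: bytes) -> dict:
    """Parse the 56-byte bot-to-CnC 'phone home' message."""
    if len(msg) != 56:
        raise ValueError(f"beacon must be 56 bytes, got {len(msg)}")
    if msg[:2] != b"\x01\x00":           # the post gives the magic as bytes 01 00
        raise ValueError(f"bad magic {msg[:2].hex()}")
    cnc, victim, winver, mem_mb, _, zero = struct.unpack("<14s32sHHHH", msg[2:])
    return {
        "cnc_name": cstr(cnc),             # at most 13 characters survive truncation
        "victim_name": cstr(victim),
        "windows": WINDOWS_VERSIONS.get(winver, f"unknown({winver})"),
        "physical_memory_mb": mem_mb,
        "unknown_word": msg[52:54].hex(),  # meaning unknown; kept in wire byte order
        "trailer_is_zero": zero == 0,
    }


def parse_command(msg: bytes) -> dict:
    """Parse one CnC response; the first two bytes select the command."""
    if len(msg) < 2:
        raise ValueError("command too short")
    code = struct.unpack("<H", msg[:2])[0]
    out = {"code": code, "command": COMMAND_NAMES.get(code, f"unknown({code:#x})")}
    if code in (0x02, 0x03) and len(msg) != 80:
        raise ValueError(f"command {code:#x} must be 80 bytes, got {len(msg)}")
    if code == 0x02:
        _, _, atype, p1, p2, p3, port, url = struct.unpack("<B15sHHHHH54s", msg)
        target, _, tail = url.partition(b"\x00")
        out.update({
            "attack_type": ATTACK_TYPES.get(atype, f"unknown({atype:#x})"),
            "params": (p1, p2, p3),        # semantics unknown per the post
            "port": port,
            "target": target.decode("ascii", errors="replace"),
            # Bytes after the terminator are leftovers from earlier responses,
            # since the CnC does not zero its 80-byte buffer before reuse.
            "buffer_leftover": tail.strip(b"\x00"),
        })
    elif code == 0x03:
        _, _, url = struct.unpack("<B15s64s", msg)
        out["url"] = cstr(url)
    elif code == 0x00 and any(msg):
        raise ValueError("idle command must be all zeros")
    return out


# Re-typed from the hex dumps quoted in the post.
BEACON = bytes.fromhex(
    "01 00 62 6F 6E 31 39 38 32 30 36 30 39 2E 33 00 "
    "76 69 63 74 69 6D 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "02 00 FF 00 B8 0B 00 00")
UDP_ATTACK = bytes.fromhex(
    "02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "02 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61 "
    "72 67 65 74 2E 63 6F 6D 2F 69 6E 64 65 78 2E 68 "
    "74 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
HTTP_ATTACK = bytes.fromhex(
    "02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "10 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61 "
    "72 67 65 74 3E 75 73 2F 69 6E 64 65 78 2E 61 73 "
    "70 00 70 00 61 73 70 00 68 64 6F 32 2F 69 6E 64 "
    "65 78 2E 61 73 70 00 00 00 00 00 00 00 00 00 00")
DOWNLOAD = bytes.fromhex(
    "03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "68 74 74 70 3A 2F 2F 31 32 32 2E 32 32 34 2E 34 "
    "38 2E 38 37 3A 38 38 38 38 2F 64 6F 77 6E 2E 65 "
    "78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")

if __name__ == "__main__":
    print(parse_beacon(BEACON))
    for sample in (UDP_ATTACK, HTTP_ATTACK, DOWNLOAD, bytes(16)):
        print(parse_command(sample))
```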

Control Servers

To date, we have identified at least 18 Chcod CnC servers running on 15 different IP addresses; we’ve observed three instances in which a single IP address hosted two CnC servers running on different ports.  Although 17 of the 18 Chcod CnC servers are hosted in Chinese IP space, they are fairly widely distributed across net blocks, as follows:

IP Address         Port  CC   ASN   NETNAME
61.164.126.228     1777  CN   4134  TAIZHOU SOIDC NETWORK TECHNOLOGY CORP
221.12.138.226     6222  CN   4837  WANGUOCHUANZHEN QUZHOU ZHEJIANG
61.164.126.228     1777  CN   4134  TAIZHOU SOIDC NETWORK TECHNOLOGY CORP
221.12.138.226     1983  CN   4837  WANGUOCHUANZHEN QUZHOU ZHEJIANG
61.164.126.228     1888  CN   4134  TAIZHOU SOIDC NETWORK TECHNOLOGY CORP
122.224.48.87      7890  CN   4134  NINBO LANZHONG NETWORK LTD
221.181.66.77      6222  CN  24400  CHINA MOBILE COMMUNICATIONS CORPORATION
221.181.66.77      3456  CN  24400  CHINA MOBILE COMMUNICATIONS CORPORATION
61.164.127.22      1987  CN   4134  TAIZHOU YAMA NETWORK TECHNOLOGY CORP
116.117.176.5      8888  CN   4837  INNERMONGOLIAHAILAERMZAB80MH02POOL
202.97.185.109     7890  CN   4837  CHINA UNICOM LIAONING PROVINCE NETWORK
119.48.217.19      7758  CN   4837  CHINA UNICOM JILIN PROVINCE NETWORK
218.10.18.160      1118  CN   4837  CHINA UNICOM HEILONGJIANG PROVINCE NETWORK
76.164.231.59      8080  US  36114  R & D TECHNOLOGIES LLC
123.187.107.8      8080  CN  17799  CHINANET LIAONING PROVINCE NETWORK
218.60.65.135      8783  CN   4837  CHINA UNICOM LIAONING PROVINCE NETWORK
121.11.84.83       7758  CN   4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
61.190.149.232     1520  CN   4134  CHINANET ANHUI PROVINCE NETWORK
61.147.74.139      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK

The Chcod bots have the identity of their CnC hard-coded within their executable; as is common, these CnCs are identified by host name rather than raw IP address.  The majority of Chcod CnC host names are associated with the 3322.org domain, a large Chinese provider of dynamic DNS services.  Examples include:

clddos1.3322.org
cl888666.3322.org
zhaomingyang520.3322.org
bon19820609.3322.org
wbbyby.3322.org
sou8sou8.3322.org

Occasionally, Chcod CnCs live on non-3322.org host names, such as the following:

h.xuhongdiy.com
www.sowogame.cn
server01.comying.com

Note that the host name of the CnC is obfuscated within the static bot executable file; however, invoking strings analysis on a memory dump from a running Chcod bot process will yield the plain text host name of the CnC.

The operators of Chcod-based botnets clearly prefer to host their CnCs on non-standard ports as shown in the above listing.

Victims

We have been tracking various Chcod-based botnets since early October 2010 using our usual technique of periodically connecting to known Chcod CnCs and sending 56-byte messages that imitate particular Chcod specimens.  During this period of time, we have observed Chcod botnets issue DDoS attack commands against approximately 31 unique victims in China (19), Hong Kong (5), Korea (5), and the United States (2).  The victims have been distributed across the following networks:

CC   ASN   Network
CN   4134  CHINANET GUANGDONG PROVINCE NETWORK
CN   4134  CHINANET JIANGSU PROVINCE NETWORK
CN   4134  CHINANET JIANGXI PROVINCE NETWORK
CN   4134  CHINANET SICHUAN PROVINCE NETWORK
CN   4134  CHINANET XINJIANG PROVINCE NETWORK
CN   4134  CHINANET-HN HENGYANG NODE NETWORK
CN   4134  DONGGUANSHIWEIYIWANGLUOKEJIYOUX
CN   4134  JINHUA TELECOM CO. LTD
CN   4134  JINHUA TELECOM CO. LTD IDC CENTER
CN   4134  NINBO LANZHONG NETWORK LTD
CN   4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
CN   4837  HEPINGLU-COM XUZHOU JIANGSU PROVINCE
HK   9269  CITY TELECOM (H.K.) LTD
HK  17444  TOP INTERNET COMPANY
KR   3786  KOREA INTERNET DATA CENTER INC
KR   4766  KOREA TELECOM
KR   9848  KRNIC
US   6939  KARIM JELASSI
US  36351  SOFTLAYER TECHNOLOGIES INC

Victims of Chcod DDoS attacks have included several gaming-related sites (not unusual) and a Chinese university.  The typical Chcod-generated DDoS attack lasts from approximately 4 to 12 hours at a time.  However, one of the victims in particular has been on the receiving end of at least nine separate Chcod DDoS attacks in October 2010 alone; two of these attacks were sustained for almost 40 hours each.

Spot checks of victim websites have found them to be non-responsive during periods of actual attack by Chcod, suggesting that the associated botnets could be of reasonable size.

Of the 19 Chcod CnC servers we have identified, the following seven have actively engaged in DDoS attacks over the last three months:

IP Address         Port  CC   ASN   Network
113.105.169.182    8802  CN   4134  CHINANET GUANGDONG PROVINCE NETWORK
122.224.18.27      7758  CN   4134  NINBO LANZHONG NETWORK LTD
124.119.87.233     8802  CN   4134  CHINANET XINJIANG PROVINCE NETWORK
58.221.35.156      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
58.221.35.172      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.147.74.139      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.147.74.185      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK

The others have either been taken down or otherwise become non-responsive, or have not recently been engaging in active DDoS attacks.

A/V Detections

Anti-virus detection of Chcod bots is pretty good at this point.  Detection rates for the specimens we have analyzed are typically in the 75%-95% range.  Here are some representative detections:

Microsoft     Trojan:Win32/Chcod.A
Kaspersky     Trojan-Downloader.Win32.Ogran.dh
DrWeb         BackDoor.ClDdos.9
Ikarus        Trojan-Downloader.Win32.Ogran
JiangMin      TrojanDownloader.Ogran.o
McAfee        Heuristic.BehavesLike.Win32.Trojan.H
TrendMicro    TROJ_OGRAN.A
VirusBuster   Trojan.DL.Ogran.U

Summary

The Chcod/Ogran family is not nearly as active as other DDoS-focused malware families (such as BlackEnergy and Yoyoddos).  It does, however, represent another data point in the increasingly crowded landscape of DDoS attack agents.

Much credit to Kenny MacDermid for his significant contributions to this analysis.

Posted in Security

The New Moon Trojan

While the sentence of the Pinch Trojan authors is about to expire within the next few months, the code of their Trojan is still being morphed by others into other nasty forms.

Apart from its known ability to gather system information and steal confidential data such as user names and passwords, Pinch is now capable of delivering the stolen details to a remote website by utilizing a powerful news management system called “Cute News”.

What’s not cute in this case, however, is that the website established by the remote attackers to collect stolen credentials is disguised under the name of the forthcoming movie blockbuster New Moon.

The infection starts with an image displayed to distract the user’s attention while the Trojan activates. While the user stares at the picture, the Trojan starts harvesting user details, passwords, email addresses and other content from the configuration files of the installed email clients (Eudora, Thunderbird, Outlook, The Bat!), FTP clients (FileZilla, WS_FTP, CuteFTP) and several other applications.

The Trojan then collects system information that includes installed application names and their versions, serial numbers, user and computer names, the names of the running applications, the user’s email account settings, and some other system details.

The collected information is then Base64-encoded and posted to the remote Cute News service hosted by the attackers at http://www.newmoon-movie.net.

The post takes place over HTTP, allowing the attackers to use the Cute News system to accept, collect and use the stolen information without setting up any database, as all information is stored in flat files.

Automated analysis is available here.

Posted in Security

How to Defend Against the Super Bowl’s Malware Blitz

The days leading up to mass media events like the Super Bowl are prime time for cybercriminals. This year’s Super Bowl, to be played between the Green Bay Packers and the Pittsburgh Steelers on Feb. 6, is especially lucrative for criminals who want to take advantage of the popularity of the teams involved.

Steelers fans are known for traveling to games all over the country and for purchasing as much merchandise as possible. Cybercriminals will try to take advantage of this fan loyalty with phishing schemes offering cheap tickets, accommodations and game merchandise.

But phishing is only one method the cybercriminals use to make their attacks. Leading into Super Bowl Sunday, they will use methods such as search-engine poisoning to push infected websites to the top of any online search involving the game or players.

After the game, expect social engineering to kick in, as malicious Web links will appear to come from friends, suggesting visits to YouTube to watch great plays from the game or replays of commercials.

“Telling the difference between a legitimate site and a malicious site can be very difficult,” explained Mark Maciw, web product manager at the U.K.-based Web and e-mail security company Clearswift. “They can look identical and even contain some of the content which is derived from the original and legitimate site, such as images.”

Clicking on a link sent via spam or found in a poisoned web search can unknowingly download a Trojan or other kinds of malicious software to your computer. Since the goal of a cybercriminal is to steal financial and other personal information, clicking on a link for super-cheap tickets to the game could end up wiping out your bank account.

“If you hold the mouse over the link in an e-mail, without clicking, then the destination URL may be shown in what’s called the ‘mouseover’”, Maciw said. “Check this link: does it match the link shown in the e-mail, and does it look like the URL for the site you’d expect? If not, then be suspicious again.

“Also, look carefully at the URL in the mouseover,” he added. “Even if it appears to be the legitimate site, be careful because just one extra character, or changed character, can take you somewhere else completely different.”

Maciw also provided these tips for keeping safe during Super Bowl week:

— Always install the latest patches to your operating systems and applications; these will often include security updates.

— Always install desktop anti-virus software, and keep virus signatures up to date.

— Companies need to ensure that their security includes spam and URL filtering, as firewalls and antivirus systems or software are not sufficient.

— Employers should also show employees sensible precautions to take and how to avoid the obvious traps. As the boundaries between work and home become blurred, it helps employers if employees are security-savvy.

The best way to protect yourself? Maciw said it’s best to always be wary and not trust everything on the Internet. If a link is sent by a friend, double-check and ask yourself if the message containing the link is legitimate. Not everyone knows if his or her site has been compromised.

Posted in Security

New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered

Over the past year, the SecureWorks Counter Threat Unit (CTU)(SM) has seen criminals continue to target Automated Clearing House (ACH) and wire transfer transactions for fraud activity, resulting in high-value losses. Small to midsized businesses (SMBs) and not-for-profits have been hit especially hard. Neustar has published an excellent overview (PDF) of this type of threat.

View full post on SecureWorks Research Blog

Posted in Security

Emsisoft Security Ticker: Warning! Surprise spam trojan on Facebook

Full story: a-squared – English

Posted in Antivirus

Warning: Surprise spam trojan on Facebook

Emsisoft - Ever received messages from your Facebook friends containing a notice or invitation, such as an invitation to visit a particular site, accompanied by an interesting message like “Hey watch this, so cool!”? In most cases the recipient of the message will happily follow it, especially if the message was sent by one of your best friends, whom you trust. However, have you ever considered that it could have been sent by an intruder, a spammer, or even a virus?

Just yesterday, one of my friends received a “surprise” from Facebook, but soon realized that his computer was now infected with the trojan, which also turned it into a “spam machine.”

As you can see, the site was not the original Facebook site but “hxxp://facebook-surprise-kjeg.tk/”. Through social engineering techniques, the author deliberately makes the site look like the original one, of course to give users a false sense of security.

And when the mouse hovers over that page, it appears to be a link that leads to the file “surprise.exe” (hxxp://facebook-surprise-kjeg.tk/surprise.exe). The file itself uses an icon similar to the default icon of an image file:

Once the user runs the file, it will only display a “gift” image like this:

But, without the user realizing it, a Trojan is infecting the computer in the background.

Apparently, it all came from a message that he received on his Facebook account. The message looks like this: “I got u surprise www.nyhelyofedoerej.blogspot.com.”

When the link is clicked it leads to an account on Blogspot, which then redirects again to hxxp://facebook-surprise-kjeg.tk/.

Once the file “surprise.exe” is executed, it monitors all user activity by injecting itself into the active browser, such as Internet Explorer or Mozilla Firefox. If the user tries to log in to his Facebook account, the malware records the username and password, which are then used to spam every friend on the Facebook account. Users can find out by looking at the “sent” folder.

Interestingly, the author tells us what he is doing behind the scenes (or did he forget to remove the debug strings?). These messages appear when we run a debugger, or DebugView, to monitor the debug output. We obtain the following log when the malware tries to log in to the Facebook account:

And the following when the trojan spams all friends in the Facebook account:

Before spamming, it performs a GET request to the address “ddk1000.org/ab/setup.php?act=fb_get” to obtain the data used for spam, such as the subject, the message body, and the malicious URLs that are spammed. The data is a string like this:

<data>3000|140000|Hello|I got u surprise |My Dear Friend u should look for |I have surprise for u
[www.ebyqerapinylyrato.blogspot.com|www.udenaqylinabig.blogspot.com|www.kuopyqupisee.blogspot.com|
www.sebafelumunynuly.blogspot.com|www.sypupolufoigirisyc.blogspot.com|www.ogyohanofaeqis.blogspot.com|
www.juyeliadileqaq.blogspot.com|www.gyseuodysecu.blogspot.com|www.pucoriiukiylyfo.blogspot.com|
www.yycugecuisehe.blogspot.com|www.nyhelyofedoerej.blogspot.com|www.teejoubiimanuh.blogspot.com|
www.timeteobyqufousy.blogspot.com|www.ooapetyuqatoda.blogspot.com|www.okojylimukikap.blogspot.com|
www.milurudutyfebusab.blogspot.com]</data>

Following are the malicious sites we get from the data above (please don’t visit; some links are still active):

  • hxxp://ebyqerapinylyrato.blogspot.com
  • hxxp://udenaqylinabig.blogspot.com
  • hxxp://kuopyqupisee.blogspot.com
  • hxxp://sebafelumunynuly.blogspot.com
  • hxxp://sypupolufoigirisyc.blogspot.com
  • hxxp://ogyohanofaeqis.blogspot.com
  • hxxp://juyeliadileqaq.blogspot.com
  • hxxp://gyseuodysecu.blogspot.com
  • hxxp://pucoriiukiylyfo.blogspot.com
  • hxxp://yycugecuisehe.blogspot.com
  • hxxp://nyhelyofedoerej.blogspot.com
  • hxxp://teejoubiimanuh.blogspot.com
  • hxxp://timeteobyqufousy.blogspot.com
  • hxxp://ooapetyuqatoda.blogspot.com
  • hxxp://okojylimukikap.blogspot.com
  • hxxp://milurudutyfebusab.blogspot.com
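The `fb_get` response quoted above has a simple shape: pipe-separated header fields (two numbers, the subject, then one or more message bodies), followed by a bracketed, pipe-separated list of lure URLs. The following is an added example, not Emsisoft’s code and not the malware’s, that parses that response into its parts and then checks incoming message text against the extracted domains and lure phrases, which is how a defender would turn a captured configuration into a detection rule. The meaning of the two leading numbers is not given in the post, so they are kept as unnamed integers; the sample response below is a constructed, shortened copy of the one quoted above.

```python
"""Parse a captured 'fb_get' spam configuration and flag messages that carry its lures.

Added example: the format follows the string quoted in the post. The two leading
numeric fields are not explained there and are treated as opaque parameters.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the response from the post, shortened to three URLs.
SAMPLE_RESPONSE = (
    "<data>3000|140000|Hello|I got u surprise |My Dear Friend u should look for |"
    "I have surprise for u\n"
    "[www.ebyqerapinylyrato.blogspot.com|www.udenaqylinabig.blogspot.com|\n"
    "www.nyhelyofedoerej.blogspot.com]</data>"
)


@dataclass
class SpamConfig:
    params: List[int]    # the two leading numbers; meaning not given on the page
    subject: str         # message subject used for the spam
    bodies: List[str]    # candidate message bodies
    urls: List[str]      # lure URLs, as sent by the C&C


def parse_fb_get(raw: str) -> SpamConfig:
    """Split a <data>...</data> response into header fields and the URL list."""
    m = re.search(r"<data>(.*?)</data>", raw, re.S)
    if not m:
        raise ValueError("no <data> element in response")
    payload = m.group(1)
    # The '[' opens the URL list; everything before it is the pipe-separated header.
    head, sep, tail = payload.partition("[")
    if not sep or not tail.rstrip().endswith("]"):
        raise ValueError("URL list missing or not terminated with ']'")
    fields = [f.strip() for f in head.strip().split("|")]
    if len(fields) < 4:
        raise ValueError("expected at least two numbers, a subject and one body")
    params = [int(fields[0]), int(fields[1])]
    subject = fields[2]
    bodies = [b for b in fields[3:] if b]
    # The URL list is wrapped across lines in the capture; join before splitting.
    url_blob = tail.rstrip()[:-1].replace("\n", "")
    urls = [u.strip() for u in url_blob.split("|") if u.strip()]
    return SpamConfig(params, subject, bodies, urls)


def hostnames(cfg: SpamConfig) -> List[str]:
    """Normalise the lure URLs to bare lowercase hostnames (no scheme, no 'www.')."""
    out = []
    for u in cfg.urls:
        h = re.sub(r"^https?://", "", u.lower()).rstrip("/")
        out.append(h[4:] if h.startswith("www.") else h)
    return out


# Matches a hostname in free text, with optional scheme and 'www.' prefix.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def find_known_lures(message: str, cfg: SpamConfig) -> List[str]:
    """Return the lure hostnames from cfg that appear in a message, in order of appearance."""
    known = set(hostnames(cfg))
    hits: List[str] = []
    for m in DOMAIN_RE.finditer(message):
        host = m.group(1).lower()
        if host in known and host not in hits:
            hits.append(host)
    return hits


def lure_phrases_in(message: str, cfg: SpamConfig) -> List[str]:
    """Return the configured message bodies that occur in the message (case-insensitive)."""
    low = message.lower()
    return [b for b in cfg.bodies if b.lower() in low]


def is_suspicious(message: str, cfg: SpamConfig) -> bool:
    """A message is flagged when it carries a known lure domain or a known lure phrase."""
    return bool(find_known_lures(message, cfg) or lure_phrases_in(message, cfg))


if __name__ == "__main__":
    cfg = parse_fb_get(SAMPLE_RESPONSE)
    print("subject:", cfg.subject, "| bodies:", len(cfg.bodies), "| lure hosts:", hostnames(cfg))
    sample = "I got u surprise www.nyhelyofedoerej.blogspot.com."   # the message quoted in the post
    print("suspicious:", is_suspicious(sample, cfg), find_known_lures(sample, cfg))
```

The domain check keys on the hostname rather than the full URL so that a lure reached through a different scheme or a trailing slash still matches; the phrase check is deliberately loose, since the C&C can rotate URLs far more often than it rotates the message bodies.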

We detect this malware as Trojan-Downloader.Win32.FraudLoad!IK.

Always stay alert and be cautious with everything you receive. And don’t forget to update your Emsisoft Anti-Malware.

Full story: Emsisoft Blog


update trojan virus found.

CSA DISCLAIMER: This video is taken from YouTube. It, like any other video found on this site, is not hosted here; it is only embedded, and was picked automatically by our system from video hosting services such as YouTube, Metacafe and others. Therefore, we are not responsible for any copyright violations, video material, hacking or cracking activities, or anything else. If you have any legal issues, please contact the appropriate host site.
