
Click Fraud from Drooptroop

By Gavin Neale  •  August 30th, 2010  •   Malware

Advertising networks pay affiliates, usually website operators, for each click on an advertisement that the affiliate has displayed on their website. Click fraud occurs when affiliates have no intention of waiting for people to visit their website; instead they fraudulently send imitation clicks to the ad network, often using automated scripts or botnets to quickly generate a profit. We recently took a look at Drooptroop, a Trojan horse designed to intercept browser requests for search results and send an imitation ad click to an advertising network, which in turn directs the browser to a website as if the user had actually clicked on that ad.

Drooptroop modifies Windows network functions loaded by the browser so that they point to Drooptroop’s own routines, where it can intercept and modify the browser’s internet traffic. The malware then waits for the user to do a search using one of several popular search engines, including Google, Yahoo, Bing or Altavista. When the user clicks on one of the search results, Drooptroop sends a simulated click on an advert to an advertising network and redirects the browser to a web page chosen by that advertising network.

During the time we were observing it, Drooptroop served ads from the advertising networks 7Search.com and relestar.com as well as fake Anti-Virus websites designed to scare users into downloading and eventually buying fake AV products.

On a machine infected with Drooptroop, we did a Google search for ‘Click fraud’ and got the usual results page:


FedEx Spam Seeding New Asprox Binary

By Rodel Mendrez  •  August 28th, 2010  •   Spam

Over the past few days, the Asprox botnet has been spamming out a fake FedEx campaign. We noticed this after we saw our old Asprox binaries downloading a new updated “196” version from the bot’s command and control server.

This Asprox update is responsible for spamming this week’s FedEx malicious spam campaign.

The attachment in this spam campaign is a downloader Trojan known by some AV products as Oficla or Sasfis. When run, the Trojan retrieves commands from its control server to download the Asprox spambot binary, which in turn sends this FedEx spam campaign. Below is a graphical overview of this campaign.

Asprox spam campaigns come and go. A couple of months ago we blogged about a spam campaign where the Asprox binary also launched an SQL injection attack targeting ASP websites. A month later it stopped, and the command and control servers were inaccessible. Now it’s back again, using the same C&C domain and seeding a new binary. Since the Asprox bot is capable of updating itself on the infected host, our concern is that the next update may launch another round of SQL injection attacks. We will certainly be monitoring it closely.


Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble. The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their takedown. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, a few active control servers remain, still serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet takedowns are short-lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.


Malicious Spam on the Increase

By Phil Hay  •  August 17th, 2010  •   Spam

If you thought that malware propagation through email was a dying art, or that spam is fairly harmless, think again. We are currently seeing increased levels of spam-borne malware. Our figures over the last three months show an increasing trend in the proportion of malicious spam. In the week ending 8 August, this figure spiked to over 6% of spam, or in other words, 6 out of every 100 spam messages.

So what are the underlying reasons for all this activity?


Statement About Infection of Macs by ZeuS

By Bradley Anstis  •  August 13th, 2010  •   Reports

In recent press coverage, several industry publications and blogs stated that between 3,000 and 4,000 Mac OS machines had been infected with the latest ZeuS Trojan. We believe that this is an incorrect interpretation of Figure 3 from our recent M86 Security Labs report.

Figure 3: Stats from the Eleonore Exploit Kit Administrative Panel

Figure 3 does not show the number of infected computers. It is a screenshot of an exploit kit console that shows the number of times the malicious page had been requested, broken down by the operating system of the visitor’s computer. In this case, it shows that the exploit kit’s page was served to as many as 300,000 users, of which 3,851 visits were from computers running Mac OS.


Customers of Global Financial Institution Hit by Cybercrime

By Bradley Anstis  •  August 10th, 2010  •   Reports

Today, we released a report of an attack targeting the UK customers of a global financial institution. This attack has been ongoing since early July, and our research has discovered that approximately 3000 customers of this financial institution have fallen victim to it. We’ve estimated that close to £675,000 GBP (over $1 Million USD) has been stolen from customer accounts.

The M86 Security Labs team detected this illegal operation after discovering a malicious code attack used to infect users’ PCs with a Trojan. The team then followed the trail to a Command & Control center. The research reveals that the cybercriminals used a combination of exploit kits, the new Zeus v3 Trojan, and money mule accounts to compromise user systems, successfully avoid anti-fraud systems, and rob bank accounts. The whole operation shows a high degree of technical sophistication and complexity, and highlights the continuing and escalating battle we have with cybercrime.

Our report exposes the architecture, business model, tools and methods used by the cybercriminal operation behind this attack. You can download a copy of the report here.

The image below illustrates one of the cybercriminals’ admin panels, showing financial transactions from compromised accounts sent to money mule accounts.

Admin panel showing financial transactions from compromised accounts sent to Money Mule accounts

M86 Security representatives have informed relevant law enforcement agencies of all criminal activities and methods used by the perpetrators of this attack.


Phishing New Zealand from Nigeria

By Gavin Neale  •  August 3rd, 2010  •   Spam

We’ve recently observed phishing emails targeting customers of ASB bank, which is based in New Zealand. While these particular phishing emails are not very different from many of the other phishing emails we get every day, we did find some interesting things on the server hosting the phishing website and inside the email’s headers, which hint that a group based in Nigeria could be behind these phishing attacks. Here is a sample message:

The link in the email goes to a phishing page that is hosted on a compromised web server in Hungary. It looks a lot like the legitimate banking login page for the asbbank.co.nz website.


Phoenix Exploit Kit 2.0

By Daniel Chechik  •  August 1st, 2010  •   Cybercrime

Phoenix Exploit’s Kit 2.0 is an upgraded version of the Phoenix Toolkit, which was initially researched by M86 Security Labs in mid-2009.

The GUI of the admin panel has not changed significantly from the previous version, but in addition to new features and exploits, a new obfuscation technique has been employed.
Figure 1: The login panel of Phoenix Exploit’s Kit


Revisiting the King of Spam

By Rodel Mendrez  •  July 29th, 2010  •   Botnets

We keep a close eye on spam and the malware that drives spam production. Our recent report highlighted some of the worst offenders, and Rustock is without a doubt the leader of the pack. Over the last six months, the proportion of Rustock spam in our spam traps peaked at nearly 60%, and it has never returned to levels lower than 20% of total spam.

Who’s the Rustock spambot that we know?

Over time, we have observed regular updates to Rustock. There is no consistent name given to it by anti-virus vendors, but recent Rustock binaries are detected by some anti-virus engines as Bubnix. The newest Rustock variant was first detected in December 2009. A month after that we observed a large influx of Rustock spam, which spiked to over 50% of the spam we observed over the next few months. Though the malware may have different detection names and OS installation behavior, it employs a similar rootkit-based spamming engine, similar command and control architecture, and similar observable patterns in spam traffic.


GootKit – Automated Website Infection

By Gavin Neale  •  June 30th, 2010  •   Malware

Each day, when we review our spam feeds, we see links to hundreds of hacked or compromised websites that are used to host spam content, such as images, redirect scripts or malicious IFrames. Often these websites have had code appended to the end of each file, or have had new HTML or PHP files uploaded to them. For example, here is a spam email sent by the Pushdo botnet. Three of the four links in this email lead to the same compromised website.

Below are two common examples of files that have been uploaded to compromised websites.
