Archive for 2010


Hi my love, please don’t click that “pic.exe” file

By Rodel Mendrez  •  November 3rd, 2010  •   Spam

Nowadays, spammers usually craft elaborate and enticing scams to lure a lot of people into taking action. However, a spam campaign we observed recently is one of the cruder forms of social engineering. Attached to the spam message is simply an executable file named “pic.exe” that claims to be naked pictures. This spam has been circulating with the subject line “hi my love”:

Spam sample 2

Thankfully, with this low level of social engineering, this spam campaign would probably not fool most people.  But, being curious, we gave in, opened the attachment and analyzed what it does.  The file “pic.exe” is a downloader Trojan that fetches and executes malicious files from the Web.

Trojan code that downloads additional malicious files

Trojan performing a HTTP request to download files

The first file downloaded is “ebulker_dlfjihgsleigh.exe”, an installer of the infamous “SecurityTool” fake antivirus, the same flavour of fake AV distributed by other downloaders such as Bredolab and Sasfis. The installer phones home to its affiliate server using an HTTP request of this format: http://<remote IP>/cb_soft.php?q=<hexadecimal>.

SecurityTool - A fake AV

The second malicious file downloaded is “outlook.exe”, a sniffer Trojan that monitors FTP, SMTP and POP3 traffic in the infected machine and sends captured data back to its control server.  We did not observe any data being sent, but it is most likely targeting user credentials.

Trojan code that monitors the FTP (port 21), POP3 (port 110) and SMTP (port 25) protocols.

This sniffer Trojan drops the legitimate files wpcap.dll and packet.dll into the Windows system directory, along with the packet filter driver npf.sys. These files are commonly used by legitimate network monitoring software such as Wireshark; in this case, the Trojan uses them for malicious purposes.
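As an added illustration (not code from the post or from M86), here is a small proxy-log check that looks for the two network artefacts described above: the payload names fetched by the pic.exe downloader and the SecurityTool affiliate check-in, which the post gives as http://<remote IP>/cb_soft.php?q=<hexadecimal>. The log format, client addresses and the 192.0.2.10 host are constructed for the example; the only values taken from the post are the two file names and the cb_soft.php pattern.

```python
import re
from ipaddress import ip_address

# Constructed sample proxy log ("timestamp client method url status"); the
# addresses and paths are placeholders, not traffic captured for the post.
SAMPLE_LOG = """\
2010-11-03T10:01:02 10.0.0.12 GET http://192.0.2.10/files/ebulker_dlfjihgsleigh.exe 200
2010-11-03T10:01:05 10.0.0.12 GET http://192.0.2.10/cb_soft.php?q=4a6f686e20446f65 200
2010-11-03T10:01:09 10.0.0.12 GET http://192.0.2.10/files/outlook.exe 200
2010-11-03T10:02:00 10.0.0.33 GET http://www.example.com/index.html 200
2010-11-03T10:02:30 10.0.0.33 GET http://www.example.com/cb_soft.php?q=notHex 200
"""

# Executable names the post reports being fetched by the pic.exe downloader.
KNOWN_PAYLOADS = {"ebulker_dlfjihgsleigh.exe", "outlook.exe"}

# Affiliate check-in format from the post: http://<remote IP>/cb_soft.php?q=<hex>
CHECKIN_RE = re.compile(r"^http://(?P<host>[^/]+)/cb_soft\.php\?q=(?P<q>[0-9a-fA-F]+)$")

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def is_ip_literal(host):
    """True when the host part is a bare IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(url):
    """Return the list of indicator names matched by one URL (empty if none)."""
    hits = []
    m = CHECKIN_RE.match(url)
    # The post describes the check-in going to a raw IP, so require that too;
    # a hostname with the same path is a weaker signal and is left alone here.
    if m and is_ip_literal(m.group("host")):
        hits.append("fakeav_affiliate_checkin")
    name = url.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    if name in KNOWN_PAYLOADS:
        hits.append("known_downloader_payload")
    return hits


def scan_log(text):
    """Parse log lines and return (client, url, indicators) for each line that matched."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("url"))
        if hits:
            findings.append((m.group("client"), m.group("url"), hits))
    return findings


def infected_clients(findings):
    """Clients that both fetched a known payload and performed the affiliate check-in."""
    per_client = {}
    for client, _url, hits in findings:
        per_client.setdefault(client, set()).update(hits)
    wanted = {"known_downloader_payload", "fakeav_affiliate_checkin"}
    return sorted(c for c, h in per_client.items() if wanted <= h)


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(hits))
    print("clients with full infection chain:", infected_clients(scan_log(SAMPLE_LOG)))
```

Requiring both the payload fetch and the check-in from the same client keeps the alert focused on hosts that actually ran the installer; a lone request to a cb_soft.php path on a normal hostname (the last sample line) is deliberately not flagged.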

There are a couple of points to this story.  The first is that spammers probably don’t care if a spam campaign is unsophisticated. They can send millions of messages, and a few people will inevitably get sucked in anyway.  Secondly, these days getting infected usually means multiple pieces of malware doing different things on your computer.  Some malware may be obvious like Fake AV, but most will be hidden.


USAA Credential Phishing

By Gavin Neale  •  November 2nd, 2010  •   Spam

Today we started seeing a new phishing campaign which is being sent by the Cutwail spambot, targeting customers of the United States Automobile Association (USAA). Cutwail is the spamming component installed by the Pushdo botnet. The phishing emails ask the recipient to fill out a ‘confirmation form’ which they can access by clicking on a link in the message.

Phishing spam targeting USAA customers

To hide the URL of the phishing web page, these emails contain a link to one of several different URL shortening services such as http://bit.ly which redirect the browser to the actual phishing page.

The link ‘Access USAA Confirmation Form’  in the spam email above points to http://bit . ly/agWGNG. When we tested this link, bit.ly had already determined that there may be a problem with the URL it was redirecting to and displayed a warning page rather than redirecting us to the phishing page.

bit.ly warning page

If we choose to ignore this warning and continue to the un-shortened URL, we end up at the page below, a phishing website aimed at stealing information from USAA members. This page, titled ‘Cardholder Form’, asks the user to provide information such as their online ID, password, name, card number, card security code and PIN. When the user clicks the submit button all of the details are sent to the criminals’ server and the user’s browser is redirected to the real USAA website.

The USAA phishing page

For now, this phishing site, which is hosted on the domain vsdfile (dot) ru, is not serving up any malicious content. USAA provides banking and credit card services, which may be the intended target of these criminals once they have tricked a customer into divulging their cardholder details.
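The shortener-in-front-of-a-phishing-page pattern described in this post is easy to unwind without ever rendering the destination: follow only the HTTP Location headers and then compare the final host against the domains the impersonated brand actually uses. The following is an added example, not code from the post or from M86. It runs offline against a constructed response table (the bit.ly path, the /cardholder/ path on vsdfile.ru and the short.example host are placeholders); a real deployment would swap in a fetch function that issues a HEAD request with redirect following disabled and returns the status and Location header.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for HTTP responses: url -> (status, Location header or None).
# The short links, paths and loop entries are invented for the demonstration.
FAKE_RESPONSES = {
    "http://bit.ly/EXAMPLE": (301, "http://vsdfile.ru/cardholder/"),
    "http://vsdfile.ru/cardholder/": (200, None),
    "http://bit.ly/LOOP1": (301, "http://bit.ly/LOOP2"),
    "http://bit.ly/LOOP2": (301, "http://bit.ly/LOOP1"),
    "http://short.example/REL": (302, "/landing"),
    "http://short.example/landing": (200, None),
}


def fake_fetch(url):
    """Offline replacement for a HEAD request that does not follow redirects."""
    return FAKE_RESPONSES.get(url, (404, None))


def expand_redirects(url, fetch, max_hops=10):
    """Follow 3xx Location headers and return every URL visited, in order.

    Raises ValueError on a redirect loop or when max_hops is exceeded, so a
    hostile chain cannot keep an analyst's tooling busy indefinitely.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("too many redirects starting from " + url)


def final_host(chain):
    """Hostname of the last hop, lower-cased ('' if it cannot be parsed)."""
    return (urlsplit(chain[-1]).hostname or "").lower()


def brand_mismatch(chain, expected_domains):
    """True if the final hop is not on a domain the impersonated brand owns."""
    host = final_host(chain)
    return not any(host == d or host.endswith("." + d) for d in expected_domains)


if __name__ == "__main__":
    chain = expand_redirects("http://bit.ly/EXAMPLE", fake_fetch)
    print(" -> ".join(chain))
    # usaa.com is used here as the expected brand domain for a USAA-themed mail
    print("brand mismatch:", brand_mismatch(chain, ["usaa.com"]))
```

The check is only as good as the list of expected domains, so keep that list per brand and treat any final host outside it as a candidate for blocking rather than as proof of phishing on its own.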

We have not seen one of these large scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware.  With the recent high profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back in fashion?


Persistent Tax Refund Scam

By Rodel Mendrez  •  October 21st, 2010  •   Spam

A month ago, the New Zealand Department of Inland Revenue (IRD) issued a warning advising people not to respond to scam emails claiming to offer tax refunds. We have observed these types of scams before, but the individual campaigns come and go. Like any other phishing scam, this email campaign is made to look like a legitimate notification from Inland Revenue, complete with the logo.

IRD Tax refund scam email

The link in the message body points to a phony web page that mimics the New Zealand IRD website. But the odd thing is the instruction in a red font stating “Please click on your following bank logo to continue the refund procedure”.


PDF Reader Upgrade Scam

By Gavin Neale  •  October 20th, 2010  •   Spam

Over the past few days our spam traps have been receiving emails that claim to be from Adobe, notifying the recipient of a software upgrade for Adobe Acrobat Reader. Links in the e-mails direct the recipient to a different product, PDF 2010, which you have to pay for to download.

We have seen these scam emails with the following subjects:

Action Required : Upgrade Your New PDF Acrobat Reader
Action Required : Download Your New Adobe Acrobat Reader
Action Required :Active Your New Adobe PDF Reader

Scam e-mail message

We have seen the following domains in similar messages:

adobe-software-upgrade . com

adobe-software-2010 . com

adobe-software-download . com

adobe-acrobat-software . com

adobe-acrobat-sofware . com

These domains all redirect to pdf-new-2010-download.com, shown below, which looks nothing like the Adobe Acrobat web page. In fact the scammer is just using Adobe’s brand to attract more customers.


Don’t Get Infected By Zombies

By Gavin Neale  •  October 15th, 2010  •   Vulnerabilities

Today we had a peek inside an exploit kit known as the Zombie Infection Kit. This kit is not as widely used as some of the more popular kits such as Eleonore and Phoenix, and compared to those kits Zombie is not really that sophisticated. However, it does carry the usual range of exploits that have been used effectively in many other exploit kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched by the vendors concerned.

As well as exploiting an old vulnerability in IE 6 and the recent Windows help center vulnerability, the Zombie Infection Kit also uses exploits targeting two Java vulnerabilities, four vulnerabilities in Adobe PDF readers and two vulnerabilities in Adobe Flash.

Success rates for the various exploits used by the Zombie Infection Kit

According to the exploit statistics page in the admin control panel, the two most successful vulnerabilities are in Oracle’s Java, accounting for just over 60 percent of successful infections between them. Following closely behind the Java vulnerabilities is ‘PDF’ which is actually a PDF file containing exploits for four Adobe PDF vulnerabilities; the most recent of which (CVE-2009-4324) has been patched since December 2009.

Another stats page shows a breakdown of victims by browser type, showing the percentage of successful installs for each browser.

Victim browser statistics. The last column is the percentage of successfully infected victims.

This table isn’t really indicative of how secure each browser is, as only Internet Explorer is targeted for browser specific vulnerabilities whereas all browsers are used to target vulnerabilities in Adobe Flash and PDF readers, and Java.

What this does show is that 15 percent (15.39 in the top row of the browser stats image, above) of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of Java installed.

Java exploits are becoming increasingly useful for web attackers, as many people don’t even know that Java is installed on their machines, or that it may need to be updated. What is worse is that it is possible to have multiple versions of Java installed on a machine so you can still be vulnerable even after you install the latest version, giving you a false sense of security.

We strongly recommend users uninstall Java if they don’t use it, or remove old versions and upgrade to the latest version just released by Oracle which fixes 29 flaws in the previous version for which exploits have recently been published.
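The "multiple versions of Java" problem above is easy to miss because a plain string comparison of version labels gets the update number wrong ("1.6.0_9" sorts after "1.6.0_21" as text). The following is an added example, not code from the post or from M86: it parses Sun/Oracle-style JRE version strings, reports which installs fall below a minimum you supply, and flags the case where more than one runtime is present. The minimum version passed in the usage section is a constructed placeholder (the post does not name the fixed release), and the optional Windows enumeration assumes the JavaSoft registry layout used by JRE installers of the period, reading both the 64-bit and 32-bit registry views since each can hold its own JRE.

```python
import re

# Sun/Oracle JRE version labels of the era: major.minor.micro with an optional _update.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(label):
    """'1.6.0_21' -> (1, 6, 0, 21). Family keys such as '1.6' are not installs; return None."""
    m = VERSION_RE.match(label.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def audit_java(installed, minimum):
    """Split installed version labels into outdated/current relative to `minimum`.

    Comparison is numeric per component, so update 21 is correctly older than
    update 22 even though '21' < '22' happens to hold as text while '9' > '21' does not.
    """
    min_v = parse_java_version(minimum)
    if min_v is None:
        raise ValueError("minimum must look like 1.6.0_22")
    parsed = [(s, parse_java_version(s)) for s in installed]
    parsed = [(s, v) for s, v in parsed if v is not None]
    outdated = sorted(s for s, v in parsed if v < min_v)
    current = sorted(s for s, v in parsed if v >= min_v)
    return {"outdated": outdated, "current": current, "multiple": len(parsed) > 1}


def installed_java_versions_windows():
    """Enumerate JRE version subkeys from the registry (Windows only).

    Assumption: installers register under HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment;
    both the 64-bit and 32-bit (Wow6432Node) views are read because each can hold a JRE.
    """
    import winreg  # only importable on Windows
    found = set()
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 r"SOFTWARE\JavaSoft\Java Runtime Environment",
                                 0, winreg.KEY_READ | view)
        except OSError:
            continue
        i = 0
        while True:
            try:
                found.add(winreg.EnumKey(key, i))
            except OSError:
                break
            i += 1
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: what a machine with several JREs might report.
    sample = ["1.6", "1.6.0_9", "1.6.0_21", "1.5.0_22", "1.6.0_22"]
    print(audit_java(sample, "1.6.0_22"))  # "1.6.0_22" is a placeholder minimum
```

Anything in the "outdated" list is a runtime that an exploit kit can still reach through the browser plug-in, regardless of how new the "current" entry is; the "multiple" flag is the cue to uninstall rather than just upgrade.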


Spam Volumes Drop After Spamit Shakeup

By Phil Hay  •  October 14th, 2010  •   Spam

The last few weeks have seen quite a shakeup in the spamming world. Our Spam Volume Index, which records relative movements in the volume of spam sent to a bundle of domains we monitor, has recorded a substantial drop two weeks in a row.

M86 Security Spam Volume Index

A major cause of the drop was a sudden decline in spam output from Rustock, one of the major spamming botnets of recent times. We noticed the decline starting around 20 September and falling to negligible levels by 23 September. This happened at the same time as initial reports surfaced that the notorious SpamIt.com operation was shutting down.

Rustock Spam Volume Decline

Spamit.com is an underground group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs, called “Canadian Pharmacy”. In recent times Canadian Pharmacy has been the dominant spammed program, spammed simultaneously by most of the major spamming botnets. In late September, the SpamIt.com domain carried the following message announcing its impending shutdown on 10 October.

SpamIt.com web page prior to 10 October

Today, the SpamIt.com domain has the following page, which translated, reads “10.10.10 The King is dead! Long live the king!”

SpamIt.com: "The King is Dead. Long Live the King!"

Rustock, in particular, has had a long history of association with the Canadian Pharmacy program. In fact, for much of its life that we have observed, its spam output has been mostly or solely Canadian Pharmacy spam.  The Rustock botnet itself has not gone away. Its control servers are still up, we have observed Rustock spamming in our lab, and some of our customers are still experiencing a low level of Rustock spam hitting their servers.

So what of the other botnets? There has been some suggestion that we may have confused Rustock spam with Pushdo.  Not so. We observe these bots closely in our lab and know their traits, habits and templates well. The following chart shows Pushdo’s spam output over the same time frame.

Pushdo's output dips, gains and dips again

In the chart above we can see the big dip following the disruption to Pushdo’s control servers in late August.  But inevitably Pushdo’s output recovered as it added new control servers.  We observed another big dip on 3rd October, in line with other observers.  At this stage we are unsure whether this latest dip is related to the SpamIt.com closure. Researchers are taking a close interest in Pushdo and there may well be other factors impacting on it (for instance see here).

Even more recently, since the weekend, the Grum botnet, another major spammer, has also gone very quiet. Here is a chart from the same period that shows a marked drop in spam output after 8 October, very close to the 10 October “official” SpamIt.com closure.

Grum's output dips after 8 October

So, what to make of all this? It seems that the SpamIt.com closure has had a major impact on the volume of spam output, as some botnet operators/spammers have lost one of their major affiliate programs, or in other words, one of their sources of cash. How long it will last is another question entirely. There are competing affiliate programs for botnet operators to sign up for. We have noticed that one of the smaller botnets, Xarvester, which we have previously linked to Spamit.com, has already swapped from Canadian Pharmacy to Ultimate Replicas. And it may well be that SpamIt.com and Canadian Pharmacy have gone into hiding, and after a brief hiatus will reemerge in another guise. Only time will tell. In the meantime we are not complaining.


Malicious LinkedIn Campaigns Continue

By Phil Hay  •  September 30th, 2010  •   Spam

The malicious LinkedIn spam campaigns of the last few days are continuing in force.  The source is the Pushdo botnet, which is back in full force following disruption to its operations last month.  The campaigns mimic a LinkedIn update notification.   Here is a sample from today:


LinkedIn Update with URL pointing to malicious web page

The malicious web page displays code that includes an iframe that loads the Phoenix exploit kit, which attempts to exploit the victim’s browser.

Web code includes iframe incorporating Phoenix exploit kit

The Phoenix admin login page was at the same server location as the index.php file.

Phoenix exploit kit login page at the same location

And, just in case the auto-exploit doesn’t work, the user is prompted to manually download flash_player_07.78.exe, which is none other than the Zeus (Zbot) data stealing trojan.

User prompted to install a "Flash Player"

This campaign is slicker than normal.  The LinkedIn email and the Flash Player download image look convincing, signifying that these cybercriminals have taken it up a notch.  Going by the number of URL hits we intercepted with our TRACEnet system, some users are falling for it too.  Don’t be one of them.


Russian Pro-Spam Registrars

By Gavin Neale  •  September 22nd, 2010  •   Spam

Since CNNIC, China’s domain regulator, introduced stricter rules for domain registration at the end of last year, spammers have moved on to the Russian .ru TLD to register their spam domains. Similar rules that were apparently made effective on April 1st for Russian registrars do not seem to have had the same effect. Every day we see a continuous stream of newly registered .ru domains in spam email. In fact, in the last month one third of all unique domains we have seen in spam have been .ru domains. This is the highest proportion of any TLD, with .com the second highest accounting for just under one third of spammed domains.

Nearly all of these .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN).

Spammers generally advertise each domain for only a couple of hours and register new ones all the time. In the last month from spam alone we have seen over 4000 .ru domains registered through Naunet. These are hosting a variety of spam web sites including Ultimate replica, Dr Maxman, online casinos, Via grow and Eurosoft software.

We have also seen over 1800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy websites. Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer:

Reg.ru bulk domain registration. Translated via Google Translate.

These spammed web sites are generally non-malicious as in they don’t try to exploit vulnerabilities on the visitor’s machine, although we’re not sure they would be so generous with your credit card details if you were to buy one of their ‘products.’ We have however seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. And recently, Naunet was used to register domains used as control servers for the Asprox botnet, although these were done on a much smaller scale than the spam domains.

Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains and that these registrars often ignore requests to suspend illegal domains.  With domain blacklisting being a popular anti-spam measure, a continuous supply of fresh domains is vital for any spam operation.  These sorts of registrars are making the business of spamming that much easier.


Cutwail’s Spam Cocktail

By Rodel Mendrez  •  September 21st, 2010  •   Spam

Since June of this year when we first saw a FIFA World Cup 2010 spam campaign, we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code.

The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:

America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2

and other random subjects including this one that uses celebrity names:

Figure 1. Cutwail spam campaign sample

The attached HTML source code consists of obfuscated JavaScript, and the snippet of code below is just one of many variations:

Figure 2. Obfuscated JavaScript code
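Both this post (an HTML attachment whose obfuscated JavaScript redirects the browser) and the LinkedIn post above (a web page carrying an iframe that loads the Phoenix exploit kit) describe HTML that a mail gateway or analyst can triage with the same static checks: pull out script bodies and iframes, look for the usual obfuscation primitives and hidden-frame tricks, and score the result. The following is an added example, not code from either post or from M86. The three HTML samples inside it are constructed (the escaped blob decodes to a redirect to example.invalid, and exploit-kit.invalid is a placeholder host); the indicator weights and the "suspicious" threshold are this example's own choices, not figures from the posts.

```python
import re
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Collect script bodies, iframe attributes and meta-refresh targets from one HTML body."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.meta_refresh = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script content through as raw data
            self.scripts.append(data)


# Obfuscation primitives commonly seen in redirect and loader scripts.
SCRIPT_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"fromCharCode"),
    "document_write": re.compile(r"document\.write"),
    "location_assign": re.compile(r"location\s*(?:\.href|\.replace)?\s*[=(]"),
    # 20 or more consecutive %xx, \xNN or \uNNNN escapes: an encoded payload blob
    "escaped_blob": re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){20,}"),
    "long_string": re.compile(r"[\"'][^\"']{200,}[\"']"),
}

# Weights and threshold are this example's own tuning, not figures from the posts.
WEIGHTS = {"eval": 3, "unescape": 2, "fromCharCode": 2, "document_write": 2,
           "location_assign": 1, "escaped_blob": 3, "long_string": 1,
           "iframe": 1, "hidden_iframe": 4, "meta_refresh": 1}
SUSPICIOUS_AT = 5


def _hidden_iframe(attrs):
    """Zero/one-pixel, display:none, visibility:hidden or off-screen frames."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    tiny = any((attrs.get(k) or "").strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(?:left|top):-\d", style) is not None)


def triage_html(html):
    """Return {'indicators': [...], 'score': int, 'verdict': str} for one HTML body."""
    c = _Collector()
    c.feed(html)
    c.close()
    found = set()
    script_text = "\n".join(c.scripts)
    for name, rx in SCRIPT_INDICATORS.items():
        if rx.search(script_text):
            found.add(name)
    for attrs in c.iframes:
        found.add("iframe")
        if _hidden_iframe(attrs):
            found.add("hidden_iframe")
    if c.meta_refresh:
        found.add("meta_refresh")
    score = sum(WEIGHTS[n] for n in found)
    verdict = "suspicious" if score >= SUSPICIOUS_AT else "likely benign"
    return {"indicators": sorted(found), "score": score, "verdict": verdict}


# Constructed samples (not the attachments from the posts).
SAMPLE_REDIRECT_ATTACHMENT = """<html><body>
<script type="text/javascript">
var s = unescape('%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%22%3C%2F%73%63%72%69%70%74%3E');
document.write(s);
</script>
</body></html>"""

SAMPLE_IFRAME_PAGE = """<html><body><h1>Loading...</h1>
<iframe src="http://exploit-kit.invalid/index.php" width="0" height="0" style="visibility: hidden"></iframe>
</body></html>"""

SAMPLE_BENIGN = """<html><body><p>Your invoice is attached.</p>
<script>document.getElementById('total');</script></body></html>"""


if __name__ == "__main__":
    for label, body in [("attachment", SAMPLE_REDIRECT_ATTACHMENT),
                        ("landing page", SAMPLE_IFRAME_PAGE), ("benign", SAMPLE_BENIGN)]:
        print(label, triage_html(body))
```

Because the check is static, a simple rewrite of the obfuscation would evade any single indicator; the value is in the combination (an escaped blob plus document.write, or a zero-sized frame at all), which is why the verdict is a score rather than a single pattern match.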


Adobe Security Update for Flash Player

By Satnam Narang  •  September 20th, 2010  •   Vulnerabilities

Today, Adobe announced the release of a security update for its Flash Player software, which was originally scheduled for release on September 27th.  The update was moved up a week, as it addresses a critical vulnerability (CVE-2010-2884) in Flash Player, which has been seen in attacks in the wild.  This vulnerability impacts all versions of Flash, including Mac and Linux as well as Android, Google’s mobile operating system.

Running unpatched versions of software is one of the key vectors used in attacks in the wild today.  We strongly encourage our readers to update to the latest version of Adobe Flash Player (version 10.1.85.3), which can be obtained from the Adobe Flash Player Download Center.  An update has also been made available for Android users, which can be obtained through the Android Marketplace.
