Threat Lab

Last week, Activision/Blizzard released a long-anticipated patch for its immensely popular game, World of Warcraft. While I don’t play this game, a number of our Threat Researchers do, and they’ve been on the lookout for shenanigans. Curtis Fechner found a doozy.

The update comprises a major overhaul of many core systems within the game, affecting the graphics engine, game rules, player abilities, and also the interface. Many players use downloadable, player-created add-ons to further customize the appearance of the user interface; Patches as comprehensive as this one mean that many of the old add-ons simply won’t work until the add-on’s creator releases a new version.

So this week’s rush to patch the game and update some add-ons led to some interesting news. One of the add-ons Curtis uses is something called RatingBuster, written by a player who goes by the name WhiteTooth. The add-on, available from a number of locations, typically comes in the form of a .zip archive and contains several plain text files (called LUA files). But earlier this year, someone registered the domain name ratingbuster.org and began serving Trojans from this legitimate looking Website instead of the RatingBuster add-on.

This fake RatingBuster comes in the form of an executable file named rbv1.4.9.exe — running unknown executables is a big no-no most WoW players know to avoid. This particular executable is a self-extracting RAR archive, which utilities like WinRAR can easily unpack. Inside the archive is another file, a single executable named bot.exe (22794 bytes, MD5: 6831c35e6d19ea0a1e1e9e346368b3e3). This is our malware installer, stored inside the other installer.

read more…

The Tacticlol downloader, responsible for a lot of infections over the past year, propagates in two ways: via drive-by downloads, and as a .zip archive attached to messages. Maybe the spam filtering companies finally caught on to the trick, or maybe the Tacticlol distributors are just trying to mix it up, but the latest sample to come over the transom has me scratching my head.

Like most others, this sample came attached to an email made to look like a message that UPS would never send. Once again, the message tries to convince the recipient that the attached file is a shipping label the recipient needs to open and print before he or she can “receive the parcel.” And, as always, the attachment contains an executable installer for the Trojan.

Dear customer

Your parcel has arrived at the post office on October 9. Our
Driver was unable to deliver the parcel to your address.
To receive a parcel you must go to the nearest UPS office and
show your mailing label.
Mailing label is attached to this letter.

You need to print mailing label, and show it in UPS office to
receive the parcel.

Thank you for your attention.
UPS International Services.

But this time, instead of sending a .zip archive with a .zip extension, they sent a message with a .zip archive that has a .jpg extension. And, yeah, that just doesn’t work.

The file isn’t a JPEG image file. If you try to open it in a browser or an image editor, the editor simply errors out and tells you it isn’t an image file, and the story ends right there. I’m sure some Russian malware distributor has been double-facepalming over the waste of a perfectly good scam. Social engineering: You’re doing it wrong.

read more…

It’s been more than a week since we started seeing spam email, supposedly sent by the EFTPS (Electronic Federal Tax Payment System, a division of the US Department of the Treasury), informing recipients in dire, bolded text that Your Federal Tax Payment ID: 01037513 has been rejected. I had hoped it would be a faded memory by now, but apparently it just won’t die.

Spam, ladies and gentlemen. It’s a lie, cooked up in a criminal’s troubled mind, with the goal of convincing signficant numbers of people to click a link in the message. It’s a pretty contrived message, which also informs the recipient, in characteristic Spamglish, to “In other way forward information to your accountant adviser.” Apparently, whoever began the campaign needs a refresher in the history of recent Internet scams — this particular scam has been going on again, off again for four years.

Judging by the number of other people asking about this online, the campaign must have been massive. And like a squirrel harassing birds on a feeder, it’s not likely to go away anytime soon.

In this case, the link looks like it’s supposed to go directly to the EFTPS Web site, but the author of the spam simply hyperlinked the URL to point elsewhere. In the case of some of the samples we’ve seen, the messages link to a page on the domain freesite.org; That page contains a single line of HTML to redirect victims to yet another site, which has since been shut down.

So while the spam messages continue to percolate through the email networks, it’s a tiger with no teeth or claws anymore. If you clicked the link, only to end up on a blank page at eftpsid0353546.com — a domain hosted in Russia, on the same server as such esteemed Web sites as qualityhealthmall.com and fdadrugmall.com — rest assured, you’re probably safe, but need to practice the first two parts of Stop. Think. Connect.

Every browser can, at the user’s discretion, be set up to remember passwords. In general, Webroot advises most users not to set the browser to store login credentials, because they’re so easily extracted by password-stealing Trojans like Zbot. In Firefox, for example, you can click Tools, Options, then open the Security tab, and uncheck a box that tells the browser to remember passwords entered into Web forms. (The box is checked by default.)

But in the course of taking a more thorough look at a Trojan that came to our attention in July, we were surprised to see the Trojan modify a core Firefox file. Upon closer inspection, the Trojan patches a file named nsLoginManagerPrompter.js. The patch adds a few lines of code (displayed above), and comments-out other portions of code, that dictate whether Firefox prompts the user to save passwords when he or she logs into a secure site.

Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user.

read more…

Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.

In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.

It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.

Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.

read more…

It’s been more than a week that we at Webroot, and countless others, have been getting floods of bogus messages with HTML attachments. I thought I’d give the curious readers of this blog a quick glance at one of the drive-by sites that load in the browser if you try to open the file.

As I’d mentioned previously, the HTML files themselves simply contain highly obfuscated Javascript (code that’s hard for humans to read but easy for machines to interpret). When you try to load those malicious scripts into a browser, the script instructs the browser to load a page from another Web site. In fact, the file I saw today goes to server 1, which bounces the browser to server 2, and then a script on server 2 loads more files from servers 3 & 4 in a full-screen iFrame.

In the end, what I saw looked like an update to what has become the “classic” Javascript fakealert. Unfortunately for the malware distributors, this so-called update is laughably obvious. These are clearly not the sharpest tacks in the box.

It all starts with a warning popup which reads:

There is a big chance that your computer is infected! They can cause data loss and file  damages and need to be fixed as soon as possible. Return to Microsoft Security Assessment Tool and download it to   guard your PC.

Wow, really? How big is the chance? Is this more like a scratch-off lottery ticket level of chance, or is it closer to a look under the bottle cap to see if you win chance? What they don’t tell you is that your chance of becoming infected with an annoying rogue increases to about 100% if you continue down this well-worn path. read more…

Bootlegged copies of Civilization 5, the highly anticipated, just-released real time strategy game, are already popping up in file sharing services. And, as we’ve come to expect, some of the pirated copies of the game come with that little something special — malicious components.

One of our Threat Research Analysts, who also happens to be an avid gamer, started looking for pirated copies of the game Friday morning and, within five minutes of looking, found Trojans in some of the torrents in circulation. I’ve chosen to focus on one of these files, not only because it was the first we saw, but also the most interesting. The Trojan, bundled in a torrent with the ISO image of the Civ 5 installation disc, is called ‘read me before burn.exe‘ (MD5: 2f7ff2ecef4b5cf1c9679f79d9b72518).

On a typical Windows system, the file appears to be a text document, but only because it uses a file icon of a text document. With the file extension visible, however, it’s clearly an .exe with a mission.

read more…

If you hadn’t already noticed, an ongoing spam campaign where someone is sending email messages with attached HTML files continues to be a problem. The current campaign appears to be a new wave of spam similar to the one I reported about in July.

The messages, which began arriving a week ago, have subject lines pulled from news headlines (“Cops kill shooter at Johns Hopkins Hospital,” “America’s Got Talent Judges Were They Shocked,” “Daniel Covington”) and with a financial angle (“Apartment for rent,” “Invoice for Floor replacement,” “credit card,” and the ever-popular “Shipping Notification”).

The messages themselves are brief, such as the one shown above, and encourage the recipient to open the attached file.

Several readers have already sent me messages complaining about the volume, and asking what to do about the spam. My answer is the same with these spam messages as with any other spam messages: Delete them, mark them as spam, or do whatever you can to train your email spam filter to learn and block those messages.

One thing you should not do is open the HTML file.

read more…

In the world of first-person shooter games, getting the most headshots — hits on the opponent which instantly take the opponent’s avatar out of the game — is a prized goal. The headshot is the quickest way to dispatch a foe in virtually every shooter, which is why the file name of a malware sample, currently in circulation, stood out.

The file, yogetheadshot.php.exe (VT), is a dropper, a glorified bucket designed to tip over and spill other malware all over a PC. But where other droppers might leave behind a handful of payloads, this one utterly decimated a testbed PC with a malware headshot — an unusually overt infection that, defying conventional wisdom about malware infections, took no apparent effort to mask its behavior or remain low key.

The file, extracted from network traffic recorded while a test system got manhandled by a drive-by download site, was only one of several executable payloads that originated from the same domain hosting the drive-by.

But this sole dropper was more than capable of delivering the terminal blow to a middle aged Windows XP box. We first saw it appear on September 7th, but it has become more widespread since then.

(Update, 22 Sept.: Here’s a video that shows what happens on a system when someone executes this dropper. The dropper is near the upper-left corner of the screen. The rest of the screen is taken up with Process Explorer, which lets you see just how many payloads the dropper delivers.)

[vimeo 15167753]

read more…

For years, the makers of those snake oil security programs we call Rogue Security Products have spent considerable effort making up new names, developing unique graphic design standards, and inventing backstories for their utterly useless, expensive scam products. Now a new rogue has taken this never ending shell game one step further, releasing a single program that calls itself one of five different names, depending on what button an unfortunate victim clicks in a highly deceptive dialog box. Let’s call it what it really is, though: A malicious play in five acts.

The rogue’s delivery method, or Act 1 in this melodrama, is no different from the many we’ve seen in the past 18 months which use a Javascript-enhanced Web page to convince viewers they’re watching a live malware scan on their computer. This trick is so hackneyed, it’s become the cybercrime equivalent of the dastardly villain in a silent movie tying the hapless woman to a railroad track, then twisting the ends of his mustache for dramatic effect. Does anyone still fall for this?

Only, this time the fakealert delivers a different payload: When the victim runs the rogue executable (named simply setup.exe), Act 2 begins. The rogue displays a dialog box that looks like an alert message issued by Microsoft Security Essentials, cautioning the victim that a legitimate Windows component present on most or all installations of Windows, such as iexplore.exe or cmd.exe, is actually a piece of malware.

The rogue helpfully offers to perform some sort of online scan, and that’s where it gets weird. The rogue pretends to scan the hard drive with 32 different antivirus engines, a-la VirusTotal. The vast majority of them are well known, at least in the security community. But five are new, and it’s those five that merit closer inspection.

read more…

By Ian Moyse, EMEA Channel Director

Hardly a week goes by when the national press doesn’t carry a story about how social networks represent a threat to privacy or security, or both. These news stories aren’t wrong: Users of social networks face a raft of risks, ranging from malware attacks and identity theft, to cyberbullying, grooming from sexual predators or stalkers, viewing or posting inappropriate content, and the ever-present risk that you (or someone you work with) might end up with your foot (or is it your keyboard?) firmly in mouth.

Using social networks to give out too much information about yourself can also lead to some predictably poor outcomes. One Australian employee, fired from his job, had posted about skiving from work after a night of heavy drinking. A group of call center employees swapped brags about abusing customer information on Facebook and were fired. Is it hard to believe that the employer used the employees’ own Facebook posts as a virtual admission of guilt?

With Facebook adding over 400,000 users a day and LinkedIn 400,000 a week, social networks can no longer be ignored by employers, as employee misuse of social networks accelerate.

read more…

In what seems to be a trend in my September blog posts, the research team has run across a program meant for criminally-minded people which has a nasty surprise inside.

The program in question is called the ZombieM Bot Builder, which is used by the kind of upstanding citizens who spread Trojans in order to build up botnets — a collective of infected computers that can act as one entity. The creators of this program, an Argentinian group called Arhack, sell it for 180 euros. But don’t pull out your stolen credit cards just yet, because Arhack doesn’t take Visa: They sell this garbage exclusively via Western Union money transfer.

Well, someone has cracked both the earlier, 1.0 version of their bot generator and the latest, 2.0 version, and posted it online for other criminals — the cheap kind, who don’t have 180 euros to spare — to use. The cracked version lets you use all aspects of the program to generate bots and manage the botnet without the need for a customized username and password, which you would otherwise need in order to start up the program.

But there’s a hitch: Whenever you run the cracked version, it also installs Trojan-Backdoor-PoisonIvy, a different but equally nasty botnet Trojan. The backstabbing Trojan trifecta is in play.

read more…