Threat Lab

Now that the turkey and pumpkin pie has settled, and everyone’s gotten a good night’s sleep, shoppers are busily hustling the Web for the best deals. I’ve been doing the same thing, and wanted to share some of my tips that may help you avoid becoming snared in the most prolific cyberscam of the moment: fake virus alert messages (otherwise known as fakealerts).

For months, the perpetrators of this fraud have been honing their skills at targeting malicious web pages to rise in search results for  whatever is in the popular zeitgeist-of-the-moment. Victims experience a computer that appears to be out of control, seemingly unable to do anything but download whatever application the fakealert forces upon them.

A typical “warning” from a malicious fakealert

Take a look at this video. Earlier in the week I tried searching for news about Black Friday or deals on the toy that appears to be the Tickle Me Elmo of 2009, the hard to find Zhu Zhu Pets. What I found were a flood of fakealert sites mixed in with the legitimate search results.

[vimeo 7825517]

The good news is, it’s not hard to avoid these fakealert sites, but you have to be an alert Web surfer, and carefully scrutinize the results before you click a link. Read on for my top six tips to shop online safely this Black Friday, Cyber Monday, or anytime this holiday season.

read more…

In general, the use of fakealerts — those bogus warnings that look like your PC has started some sort of antivirus scan on its own, then predict imminent doom if you don’t buy some snake oil product right this minute — is on the rise. Fakealerts constitute a particularly effective social engineering trick, earning the makers of bogus, ineffective “antivirus” programs millions of dollars (and the scorn of victims) in the process. So it should come as no surprise that the fakealerts themselves have gone through some technological advances in the past year.

In the past few months, the fakealert-makers have slowly been migrating their techniques to a new platform: The browser. As recently as six months ago, the majority of fakealerts we saw were generated by small Trojan Horse applications running on a victim’s PC. Today, most fakealerts we see simply reshape the browser to mimic the appearance of a generic antivirus application.

It makes good economic sense for the creators of fakealerts to do this. The Windows application fakealerts only run on Windows (obviously). Like all Windows software, fakealert apps subject to being blocked by both the operating system (which, like the fakealerts themselves, prompts users with warnings in dialog boxes), by real-time detection mechanisms in legitimate antivirus software, and/or by savvy users themselves.

One typical load-sequence for the components of a scripted fakealert

Using a scripting technology such as Javascript to reproduce the “fakealert experience” is a natural extension of the success of fraudulent, rogue antivirus products. After all, a fakealert is no more than an elaborate performance for the targeted victim — the goal of the fakealert is simply to convince the victim to download and run a file, typically a rogue antivirus product. Javascript can run in virtually every browser and operating system (save for special cases, like the Firefox browser with the NoScript Add-On installed).

Scripts such as these bypass most traditional malware protection because, in essence, there is no malware installed until the victim installs it his- or herself. Unlike a static binary executable, the contents of a script can be tweaked, on the fly, to maximize effectiveness (or just to change the name of the fraudulent product). And the scripts themselves which make up the Web fakealert experience are highly obfuscated, which makes them more challenging for automated systems to block.

In the course of researching a new malware sample unrelated to fakealerts — an installer of Trojan-Downloader-Dermo on a page purportedly offering an update to Windows Media Player — I observed one common fakealert script as it ran soon after the testbed PC was infected. I was able to reconstruct its modus operandi.

read more…

By Gerhard Eschelbeck

It’s been a busy year in Internet security — cybercriminals were crafty and creative while we security vendors worked hard to stay a step ahead. Let’s take a look back at the biggest security trends of 2009, and at predictions for what’s ahead in 2010.

2009 — The Year in Review

Conficker. Targeted at enterprise networks but also crossing over to individuals who could bring it home on a USB stick, Conficker generated a lot of media discussion which drove confusion among consumers and concern among IT admins. Conficker renewed the public’s focus on Internet security, at a time when the threat landscape was growing more complex.

Consolidation. In 2009, we saw Symantec acquire MessageLabs, McAfee acquire MX Logic, Cisco acquire ScanSafe, M86 acquire Finjan, and Barracuda acquire Purewire. Many large vendors have track records of poorly integrating smaller companies after acquiring them for a key piece of technology. At the endof this year, we’re left asking, will true innovation now only be possible among the few independent vendors remaining?

Social Media. Concerned about productivity and infection, enterprises struggled with corporate usage policies of social networks — media that is now ubiquitous, and also integral to communicating with and understanding customers. Meanwhile, consumers adopted social networks en masse, providing cybercriminals with a huge target for harvesting personal data via Koobface and various spam campaigns.

The Cloud. While the definition of “cloud computing” and “in the cloud” held different meanings in 2009, enterprises continued to adopt security as a service for its easier, faster, more efficient and cost-effective distribution of security updates. Vendors extended their SaaS-based technology into their consumer solutions after proven success in the enterprise market — an exciting convergence of technologies.

Malware Trends. We saw a changing Internet user who is highly mobile, presenting a new set of attack vectors for malware authors. We also saw increasingly sophisticated malware — cybercriminals using email to distribute malicious Web links and manipulating SEO by programming malicious links near the top of search results for popular news stories — and an explosion of social engineering tactics employing fake security alerts and rogue AV products with new variants launched seemingly in real-time.

2010 — The Year Ahead

Threat Landscape. The malware attacks of today are different than in recent years. Hybrid malware, combining the use of Web and email to carry out sophisticated attacks, will become even more prevalent in 2010. Narrowly targeted malware, which requires the presence of specific applications or data to engage in malicious activity, will also be on the rise. Finally, the increasing “real-feel” of phishing sites and emails — as evidenced by a recent Verified by Visa scam — are keeping security vendors, IT directors and consumers on their toes.

Social Media. Attacks on social networks will continue to increase in volume and scope, targeting communities such as Facebook and Twitter as well as those we’ll see emerge in the coming year. Social networks present a very good ROI for cybercriminals using them as a platform for perpetrating URL-based attacks. This trend will intensify — through shortened links, user-generated content, videos, and so forth. Friend, Follower, Tweeter, beware.

The Cloud Grows. We predict cloud computing as the computing platform, such as the Amazon data center model, will be the next generation of the Internet. Computing will become like a utility, similar to how we use electricity today. We will pay for what we use; the PC will become the visualization tool we look into for applications in the cloud. More cloud computing platforms will become available as we capitalize on this economical, scalable model.

While this may seem like a daunting list of threats and predictions, the good news is, the security industry has never been stronger: The level of innovation, the raised awareness, the healthy competition among vendors — together make for an optimistic outlook. We at Webroot wil continue to work hard to create effective technologies to make the Internet and the cloud a safe place for consumers and businesses alike.

When you sign up for a credit card — even with one of those pre-approved applications — you still have to provide the bank with your name, address, mother’s maiden name, social security number, and a host of other personally identifiable information. Once the bank issues the card, it shouldn’t ever need to ask you for all of that information again. But a phishing scam making the rounds this week — one that appears to be targeted at holiday shoppers who buy gifts online — aims to fool victims into doing just that.

The scam begins with an email, informing the recipient that they can sign up for Verified by Visa, a real program offered by the eponymous credit card company. The email links to a bogus page (part of which is shown at left) designed to lure an unsuspecting online shopper into the trap.  (And this is only one of several scams you should watch for, leading up to Black Friday, Cyber Monday, or whenever it is you decide to go online for deals on that fruit basket for Grandma. Webroot released findings today on additional data-stealing malware, and the larger pool of online shoppers this year which it appears to be targeting.)

Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information. In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.

The thing is, you don’t have to go to a special Web page to sign up for Verified by Visa. You are supposed to be offered the chance to sign up while you’re completing your purchase on the participating merchant’s Web site, as you’re entering your billing details. The Visa Web site spells this out in a simple graphic (though there have been some interesting problems with the way the system works).

In the phishing scam, you’re sent to a Web page that asks you for, essentially, all the information you gave the card-issuing bank at the time you first signed up for the credit card. That’s Red Flag #1, but it’s worth repeating: In a real sign-up form for Verified by Visa, you won’t be asked to provide your mother’s maiden name, social security number, birthdate, or any other sensitive details that you wouldn’t otherwise enter into a Web-based order form while shopping online.

read more…

Coming on the heels of similar fraud schemes that targeted victims using the names of such familiar institutions as the FDIC, IRS, and HMRC, scammers are trying to get people to infect their own computer using a different organization’s name—one that is probably unfamiliar to most people. NACHA is a not-for-profit association that “oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system.” In other words, they write the rules for the organizations that run the pipes through which money flows between banks and businesses–the circulatory system of the financial world.

In fact, more than 15,000 banks passed 18 billion electronic transactions through the ACH in 2008 alone. ACH is a linchpin in the world’s financial system. But as a rule-making body, NACHA also typically acts behind the scenes, which is why most people who don’t work in the financial services industry probably have never heard of them.

That said, when the world’s largest clearinghouse for transfers of funds between banks supposedly sends you an email like this one, you probably would perk up and pay attention:

The email’s dire warning: “The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association.”

But it’s a scam, as you probably already guessed.

read more…

In a move sure to raise the ire of Sesame Street fans everywhere, the black hat SEO gangs that have been manipulating Google results for the better part of the year have seized on a new target from which they’ve launched their current salvo of rogue antivirus guano. That’s right, the lovable, giant jaundiced avian friend to child and adult alike is being used to hijack searches and rope unsuspecting users into a vortex of popups and fake scans.

They have besmirched Big Bird. And on his birthday, of all days. Have the rogue AV purveyors no shame?

Actually, they’ve just once again demonstrated that they, too, can take advantage of Google Trends, which rates the ‘hotness’ of searches for “Big Bird’s Birthday” today as “Volcanic.” It’s not surprising, really. Big Bird’s legs replaced the “L” in the Google logo this morning (in honor of the 40th anniversary of the popular character’s first Sesame Street appearance). So of course, people are clicking away at those feathered gams, trying to find out why they’re there.

The fake alerts touting the equally fake Internet Antivirus Pro warns users, through a series of browser popup alerts, that (like a fine strip of beef destined for the jerky factory) “your computer…need to be cured as soon as possible.”

The same advice we’ve given in the past prevails. Parents, also take note that you shouldn’t necessarily click — or let your kid(s) click — any old link that purports to lead to something child-friendly. The first link we saw appeared as the seventh search result on the first page of Google results. Many more appeared lower down. The text beneath the malicious result link read, in part, “Make your child s big day extra special with a personalized birthday banner!”

read more…

Yet another new phishing campaign targeting users of Facebook struck over the Halloween holiday weekend. After scammers began filling inboxes last week with bogus “Facebook update” attachments, this weekend we saw a different group at work. Employing URLs with random domain names registered under the .eu top-level domain, the campaign looks similar to messages distributed in a recent series of phishing campaigns that attempt to convince the user that the mail comes from a legitimate source, such as the FDIC, IRS, HMRC (the UK’s tax authority), your IT department, or any of several well-known banks.

The email messages, which use a forged From: address that makes the message appear to originate from the legitimate facebookmail.com domain, and were timed for just after Facebook’s highly publicized changes to its homepage had just gone live, clearly indicate that the phishers were going for the jugular. When you follow the link, you’re presented with a login dialog identical to that used by Facebook. Once you enter your password into that form, you’re presented with a page titled “Account Update” where you’re prompted to download and execute something called the Facebook Update Tool.

The messages read, in part:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.

…followed by the typical tease to “click here” and a link-that-doesn’t-lead-where-you-think-it-will. The URLs in the message begin with “www.facebook.com” but that’s part of the ruse: The full URL is www.facebook.com.(some random letters).eu followed by a query string that includes a long string of numbers and the recipient’s email address (see example).

In the past, links formatted in precisely the same way led directly to pages hosting versions of the Trojan-Backdoor-Progdav (aka Zbot) keylogger. That’s also true in this case. So the bad guys don’t just want your Facebook password. They want all of your passwords.

We’ve seen a lot of this style of phishing campaign just in the past few weeks and if history serves as a guide, the small number of links in the spam messages we received over the weekend will likely be followed by dozens more versions, each with a distinct URL. Facebook users would be well advised to refrain from following the links in the message; If you suspect that you’ve inadvertently fallen victim to this dirty trick, change your Facebook password immediately — from another computer.

It was a particularly busy weekend for spammers, especially the creepy, evil ones who are trying to steal information (as opposed to the merely scungy pill vendors and their ilk). Webroot’s Threat Research team has recently seen a glut of phishing messages which, like most, purport to come from banks and ask you to update your account information. But unlike most phishing messages, which contain a link to a Web site, these phishing messages include an attached HTML file which, in essence, puts the phishing page right on your hard drive.

When launched, the HTML file renders a sparse but effective phishing form in the browser. The pages warn the victim that “This account has been temporarily suspended for security reasons” and ask the victim to “confirm that you are the rightful owner of this account” — by providing the “bank” with a wide range of personally identifiable information they should already have, and never would ask you to provide through a Web-based form in the circumstances described in the message.

These pages also pull graphics from the banks’ Web sites–activity that, when it comes from a phishing site hosted on a server not belonging to the targeted bank, typically alerts the banks to phishy behavior. Because the graphics are loaded only once, from the desktop of the targeted victim, the banks can’t put a stop to it before it’s too late.

read more…

Hot on the heels of the spam campaigns involving emails which purport to come from the IRS, HMRC, and from your IT department comes another round of fake “notification” spam emails — this time, warning users to download and install a patch for the Outlook and Outlook Express email clients.

Like the previous rounds, the file a victim is prompted to download and (hopefully, won’t) install is the prolific, widely-disseminated keylogger we call Progdav (aka “Zbot”). The faux Web page which hosts the malicious file is dressed up to look like a Microsoft Update page, titled “Update for Microsoft Outlook / Outlook Express (KB910737).” In an attempt to legitimize the payload, the page states “This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.”

Uh huh. Highest levels like a fox!

The “update” file/Trojan installer is named officexp-KB910737-FullFile-ENU.exe and comes in at just under 100KB, which puts it in the welterweight class of Stupid Malware Trickery. A cursory glance at the Microsoft Knowledge Base Web site reveals the hardly-surprising fact that, no, there is no Knowledge Base article 910737.

read more…

Word came down from our Threat Research team this morning about a new spam campaign that uses upstart Bing search engine’s own redirection mechanism to bypass spam filters and send undesirable links over email. On top of that, the spammers are also abusing MySpace’s lnk.ms link shrinking system to further obfuscate the destination that the spammed link points to.

When you view an RSS feed in Bing (such as their news feed, for example)  all the clickable links in the feed use Bing’s internal redirection mechanism, so before you end up on the news story you want to read, your browser first connects to http://www.bing.com/news/rssclick.aspx?redir= followed by the full URL of the site you intend to visit.

The thing is, anyone can plug anything into the end of that URL, and it’ll redirect to that site. For instance, you could come back to the front page of this blog. Of course, there’s nothing in place to prevent a criminal from redirecting users to something worse, like a drive-by download or phishing page. But in this case, recipients who click the link end up bounced through MySpace’s link shrinker, and finally into a site selling a “work at home making money from Google” pyramid scheme.

Purveyors of rogue security products continue to bulk up their arsenal of stupid tricks, all of which are designed to induce either fear or frustration in victims. Increasingly, certain distributions of rogue antivirus include a payload that blocks the infected computer from receiving antivirus updates. That part isn’t new; Many Trojan installers drop a Hosts file onto the infected machine which effectively prevents the computer from reaching any Web site listed in the file. But malicious Hosts files are easy to identify and remove, because they’re always in the same location (C:Windowssystem32driversetc), and the minute you delete a malicious Hosts file, the computer can connect to the previously-blocked Website.

This new dirty trick employs components of a commercial software firewall development kit, called WinpkFilter, the Windows Packet Filter Kit, from NT Kernel Resources. WinpkFilter isn’t inherently evil or even necessarily undesirable. It’s a set of tools that other developers can license to create small network filtering applications. But in this case, the malware author uses these tools to block access to the Web sites used by at least half a dozen antivirus vendors. We’re calling this malware Trojan-Netfilter; Some of the affected vendors call it either Liften or Interrupdate.

read more…

For several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three letter agency of the US government inspires more dread and fear than good old Internal Revenue.

In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).

The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.”

Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the files as Trojan-Backdoor-Progdav (other vendors call this spy Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.

read more…