Threat Lab

A payload file installed along with some variants of the rogue Internet Security 2010 “antivirus” program modifies victims’ networking settings within Windows, inserting itself into the network stack and preventing victims from visiting some of the Web’s most popular Web sites. More than 40 sites have been targeted, including: Microsoft’s live.com and Bing search engine; social networking giants Facebook, Twitter, MySpace, Bebo, LinkedIn, and YouTube; news organizations including Fox News, The New York Times, the Washington Post, and the UK’s Guardian and BBC news sites; and blogs hosted by blogger.com, livejournal.com, and wordpress.com.

The payload modifies the Layered Service Provider (LSP) so that calls to those Web sites pass through the malicious file, which displays a warning message in the browser instead of the blocked Web site. The message says:

This web site is restricted based on your security preferences

and

Your system is infected. Please activate your antivirus software.

We’ve seen an increase in the number of spies that bollix the LSP chain lately. In cases where this happens, if you simply remove the malicious file that is referenced in the LSP, the computer remains unable to connect to the Internet afterwards. To fully repair the PC, you’ll need to fix that broken chain.

Fortunately, the fix for this spy — which we’re calling Trojan-Annoyinator — is fairly easy. Users of Webroot’s products can simply sweep, and the spy along with its LSP modifications will be removed upon reboot. If you don’t have one of Webroot’s antimalware product installed, you can go through the process manually, which isn’t difficult for someone familiar with Windows tools such as Regedit. The only problem might be getting to Microsoft’s Web site (where the instructions are posted) from an infected computer.
read more…

The Zbot keylogger campaign-of-the-month targets users of AOL Instant Messenger (AIM) with a message that claims to be an update notification for users of the instant messaging client application. Users unfortunate enough to click through the link in the email message to download what they think is something called “aimupdate_7.1.6.475.exe” will be in for a rude awakening.

The malicious page delivers its payload whether or not a victim clicks the link to get executable file: It opens an iframe to a site that attempts to use vulnerable versions of Adobe Reader to push the Zbot keylogger down to the victim’s computer, then execute it, within a few moments of the page loading.

The address of the iframed page resides in a particularly sketchy corner of the net. The network the IP address is part of, known as AS50369, goes by the name VISHCLUB-as Kanyovskiy Andriy Yuriyovich. Sure sounds a lot like someone’s name for their phishing gang. The same network has been in use for the past week delivering payloads on well-worn Outlook Web Access and HMRC Zbot download pages.

Seriously, though: Vishclub? Is that the best the Russian hackers can come up with? It sounds like what you’d call a fisherman’s smoking lounge on the Baltic coast, where thick clouds of cheap tobacco is the only thing that can overpower the putrid stench of rotting seafood.

The fake page has the outward appearance of a page hosted by AOL, but it clearly isn’t the real deal. Once you take a closer look, the site and its social engineering tricks begin to smell a bit like day-old fishwrap, as well.

read more…

A new variant of the Koobface social networking worm is sending social networkers links that lead to fake videos supposedly posted by the beloved cartoon antihero Spongebob Squarepants. The fake videos only display a popup message labeled “Adobe Flash Player Update” that says “This content requires Adobe Flash Player 10.37. Would you like to install it now?” Clicking anywhere on the page downloads the Koobface installer to the victim’s PC.

The technique isn’t new, but this is the first sign that the crew behind Koobface is switching from ‘holiday mode’ (when they sent around links to videos that were supposedly posted by Santa Claus) to ‘post-holiday mode.’

In other ways, the worm features a few small tweaks: Its Captcha tool, which attempts to convince infected users to enter the text of a captcha into a dialog box, has been modified to read and properly display the new ReCaptcha format used by some social network sites. The new format randomly places black circles ‘behind’ the text, and inverts the text of the captcha phrase where the text and black circles intersect.

read more…

By Curtis Fechner and Andrew Brandt

While we’ve touched on the subject of World of Warcraft phishers (and the Trojans they attempt to spread) a handful of times in the past several months, it’s worth mentioning the ongoing problems phishing posts cause both players and Blizzard, the game’s operator.

To recap, the official message board for World of Warcraft is under constant attack by phishers, who use stolen credentials to post message board articles containing malicious links under the names of the innocent players whose passwords have been stolen. The links, which can be tied to virtually any kind of social engineering tease, typically point to Web sites that contain scripting code which either pushes a WoW-credential-stealing keylogger down to the victim’s computer, or aggressively “suggests” that the victim should download and install some purportedly missing component (often, a fake Flash player update) that does the same thing.

The authors who plague the forums, in-game chat and email with these posts containing malicious links are a crew of dimwits, but they aren’t so thick that they fail to recognize an opportunity when they see it. Beginning in early December, for instance, they took full advantage of the incredibly busy state of the official forums, which were filled with posts tied to the release of a highly anticipated update to the game, and rumors about “beta testing” access to the update.

The heavier-than-normal traffic kept forum moderators busier, and subsequently the phishing posts remained active on the forums much longer before administrators deleted them. A longer exposure time means it’s more likely that victims will click through the malicious links, and with the customer support staff busy solving patch-related issues, compromised accounts remain compromised — keeping paying players locked out of the game — for even longer than they normally would. The problems have become so overwhelming that even Blizzard itself has been forced to acknowledge the scale of the problem.

read more…

Spammers hawking “fun videos” have been worming their way into Google Groups, the global message board Google built on the skeleton of the old Usenet network. Only, the pages the spammers point victims to, which don’t actually contain videos, come with a nasty surprise: Rogue antivirus apps.

The attacks began late last year, but have been increasing in frequency through the holidays, and haven’t abated in the new year. The users sending out the spam messages all use free Gmail accounts (one even named his spam account Santa Claus), and have been requesting access to both open-membership and closed-membership Groups, the latter of which require an administrator’s approval. Once added to a group’s member list, the spam accounts post brief messages (an example shown at left) with a link.

The URLs originate from a number of link-shortening services, but they all work the same way: Each shortened link points to a different, unique subdomain of the Utah-based free Web hosting service 150m.com. Those pages contain a single line of code which redirects the browser to one of several servers with Chinese domain names. Those servers, in turn, redirect the browser to the website hosting the rogue antivirus installer. The shortlinks and Chinese websites only remain viable for a day or two, at most.

read more…

It’s not clear whether the past year will go down in history as a particularly bad year for malware, but one thing is certain: It was bad enough, at times, that fighting infections and cleaning PCs took priority over virtually all other work. Neither home users nor businesses were immune from wave after wave of increasingly nasty malware tricks, though there were a few bright spots: A fix issued by Microsoft mid-year meant that worms are far less likely to be able to spread using portable storage like thumbdrives or digital photo frames; A corresponding dropoff in overall worm detections has borne out the effectiveness of that update. And the social engineering tricks employed by malware gangs are, at least for the moment, repetitive enough that they’ve become fairly easy to identify. What follows is Webroot’s list of the five most egregious examples of malicious software that, even if some of them didn’t initially appear in 2009, progressed to serious threats throughout the past year.

Worm-Koobface

Also ringing in the new year with 2009, the Koobface worm has now become the most serious threat facing users of social networks. Initially targeting users of Facebook, the worm — actually a complex, well-coordinated combination of malicious applications, each of which is designed to carry out specific tasks — continues to circulate within more than a dozen social networks. Koobface also brought to the fore the utility of social engineering (through PT Barnum-esque trickery) as a means for malware to propagate itself, not just infect an initial victim’s PC. Koobface almost represents its own branch on the family tree of malware, a malicious organism that can be used to distribute any number of undesirable files to an infected computer. The success of Koobface, and its continued development and improvement throughout 2009, shows no sign of abating into next year.

Trojan-Backdoor-Zbot

With Koobface highlighting the effectiveness of social engineering, others have joined the bandwagon. The second half of 2009 showed how trickery could lead to infections even with keyloggers as mature as Zbot, which has been seen in the wild in various forms since 2006. However, 2009 saw Zbot infections on the rise, as one or more malware gangs crafted coordinated spam campaigns that fooled recipients into believing that the messages’ legitimate origin were banks, or government organizations (both in the US and elsewhere), trade groups, or financial institutions, or even Microsoft itself. The A-list organizations spoofed by these campaigns read like a Fortune 100 who’s who list: Visa International, the IRS (and its UK counterpart the HMRC), DHL, FedEx, Chase, Bank of America, the US Postal Service, and the Federal Deposit Insurance Corporation, just to name a few. These spam messages, leading to fairly sophisticated fake Web pages, were put together with one goal in mind: To convince potential victims to download and execute the Trojan horse installer themselves. These campaigns show no sign of letup, and it’s not hard to foresee more of the same continuing into 2010.

read more…

By Mike Kronenberg

Do you use a social networking site? Be prepared, because I predict in 2010 it’ll be a major target for cyber criminals. Among the threat experts here at Webroot, we’ve discussed the ROI opportunity that social networks present an enterprising hacker who strings together the personal information people choose to share on social networks, or who creates a program to infect PCs with one click of a malicious link.

I’ve also discussed the issue with my colleagues in the security industry. Each of us acknowledges that users of all kinds – be it individuals, public figures, nonprofits, or corporations – assume a certain level of risk when signing on to one. But we all agree social networks are pretty much essential in today’s networked society and economy.

Given that, I’d like to share my take on the top five reasons why social networks hold such great appeal for cybercriminals so you can begin thinking about how you’ll use them in 2010. read more…

Here’s a mind-bender for you to ponder over the holidays: What do diva musician Beyonce, the massively-multiplayer game World of Warcraft, the anime series Naruto, and Libertarian politician (and failed presidential candidate) Ron Paul have in common?

I couldn’t guess what you might come up with, but we’ve found a drive-by download attack that delivers malware, using these disparate icons as a hook to convince Web surfers to click malicious links. The hack attempt was discovered by a Threat Research Analyst who also happens to be a Ron Paul fanatic (and I do mean fanatic — that’s a photo of his truck parked out back). While doing his daily search for Ron’s latest words of wisdom, he encountered a cleverly crafted campaign to manipulate search results which originated with Twitter feeds suddenly lighting up with links supposedly pointing to YouTube videos.

A large number of Twitter accounts tweeted messages like “YOUTUBE RON PAUL – BEST NEW VIDEO – WATCH NOW” or “YOUTUBE NARUTO CHAT ROOM 1 | BEST NEW VIDEO | WATCH NOW” — you get the idea — all within a short amount of time. Each of those screaming teasers was accompanied by a URL shortened using the bit.ly (and to a lesser extent, TinyURL.com) service; The bit.ly URLs pointed to a (now deleted) hidden subdirectory on the website of Stage Time magazine, an online only, stand-up-comedy industry publication (neither YouTube nor Stage Time was, knowingly, involved in the hack — they were victims as well). And the many first-time visitors to that site found their computers in a world of hurt shortly after following one or another of those links.

The malicious pages on Stage Time hosted PHP scripts that pushed down several new malware samples; The scripts exploited security vulnerabilities in older versions of Adobe Flash and Adobe Reader, loading maliciously crafted SWF and PDF files in order to force the browser to pull down and run malicious executables which had virtually no detection across the spectrum of antivirus vendors. Some of these samples were droppers, others were downloaders; In either case, the drive-by payloads left the PC in a very bad state.

Drive-by downloads such as these serve to illustrate a point I can’t emphasize enough: No matter how careful you might think you are, one wrong click can lead to an infection. In the case of this drive-by, the malicious website attempted to load first an Adobe Flash video, then a PDF file, which tricked the browser into downloading more malware. Now more than ever, browser plug-ins like Flash and Adobe Reader need to be kept up to date. For additional protection, you can disable Javascript in Adobe Reader; in this case, it would have stopped the initial infection in its tracks.

read more…

Security Websites are buzzing with news that a new zero-day exploit against Adobe Reader and Acrobat is circulating today, causing computers to become infected with malware simply by visiting certain Web pages. While the exploit itself is worthy of note, nobody is talking about the payload it downloads: It installs a trio of files dressed up to look like Windows system files which have been digitally signed with a security certificate supposedly issued by Microsoft. The digital signature gives the casual user the impression that the two signed files — an executable and a DLL both named “LNETCPL” — are legitimate Microsoft components.

The fake certificates appear in the properties sheets of both the installer and two of the three executable payloads dropped by the installer. One giveaway is that the sheet identifies the signer as Microsoft but lacks both an email address and a time stamp. Legitimate system files digitally signed by Microsoft identify the signer as Microsoft Corporation and always have a time stamp. The bogus signatures are identified as invalid, but only when you click the Details button on the Properties Sheet’s Digital Signatures tab.

A legitimate Microsoft-signed file is issued by the “Microsoft Code Signing PCA” certificate authority, and will also display a countersignature from Verisign; The fakes have no countersignature, and appear to have been issued by “Root Agency” — a made up name for a nonexistent certificate authority the malware creators are using to generate these files. In fact, the malware creators may actually be using Microsoft’s own Certificate Creation Tool (which is supposed to be used for testing) to facilitate generating these signed files.

While we’ve seen a number of digitally signed files come through our research queue over the years, authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way. It’s not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good. We’ve published a new definition to remove both the installer and these payload files; Trojan-Certispaz will be available to help our customers clean up infections in our next definitions update.

read more…

By Jeff Horne

On December 11, 2009, users of Twitter submitted questions to Webroot’s Director of Threat Research, Jeff Horne, as part of a live Q&A session. Webroot’s Twitter followers asked questions about connecting safely to the Internet while traveling during the holidays. A variety of questions came in live, with some others through direct messages in advance, and one non-twitter user asked a question via Webroot’s Facebook page. The interview was tracked using the #webroot hashtag, which has been omitted from the tweets to make them easier to read. We’ve posted a transcript of the Q&A on the following page.

read more…

The gang of malware distributors who are currently flooding the Internet with bogus Facebook “Update Tool,” CDC “H1N1 Flu Vaccination Profile,” and IRS “Tax Statement” emails and Web pages are at it again — this time, targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa; Just before Thanksgiving, we saw a similar scam involving links to bunk Verified By Visa Web pages.

I’d say it’s ironic that malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email.

Once you click through to the Web page, you end up on a page dressed up in its holiday best to look like an official Visa Web site. The top of the page even has your credit card number printed on it! Well, not the whole credit card number. It just prints the number “4XXX XXXX XXXX XXXX” (then goes on to say “to protect your private information, part of the card number is hidden with X’s“). How considerate.

Of course, all bank-issued Visa card numbers in the US are sixteen digits long and begin with a “4” so it’s actually a pretty good guess that the Visa in your wallet right now looks just like that.

The bogus Web page even sports a URL that begins with “reports.visa.com,” followed by a random six- to eight-character domain name, but there the similarities end. The servers hosting the fraudulent pages are based in foreign countries where you wouldn’t expect a major company like Visa to operate its Web presence from, such as Morocco, on networks known to harbor both Koobface and Zbot Trojans. The text on the page claims to have a downloadable transaction report for your card. If you haven’t already guessed, the “statement” is just an installer for the Trojan.

read more…

Over the past several months, we’ve seen Koobface steadily progress in its ability to infect systems with malware. In our latest tests, we’ve found that the most recent version of this social-networm has a few new holiday-themed tricks up its sleeve. Among those tricks are a new, improved “captcha breaker” utility; A tool to check whether you have a Google and/or a Blogspot account (and, if not,  it creates a new Google account); And a tool designed to create Google Reader pages on the fly, which the worm then uses to post malicious code. Those Google Reader accounts then end up linked in private messages and wall-to-wall posts on a variety of social network sites.

The Koobface-generated Google Reader pages have been floating around for a little while now, but I’d never seen the worm in action. What I found fascinating was that I could observe the process of the worm creating a new Google account on my testbed.

In order to create the Google account, it downloaded and ran four new applications: “v2googlecheck” simply looks at your browser cookies to determine whether you already have a Google account; “v2newblogger” creates a new account if one doesn’t already exist; “v2captcha” prompts the user of the infected machine to enter a captcha into a dialog box that looks like a Windows login dialog (in order to complete the account creation); and “v2reader,” which creates the new page, and passes that information to the worm.

Once the Google account is created, it then uses that account to generate a new, malicious Google Reader page.

read more…