Purveyors of rogue security products continue to bulk up their arsenal of stupid tricks, all of which are designed to induce either fear or frustration in victims. Increasingly, certain distributions of rogue antivirus include a payload that blocks the infected computer from receiving antivirus updates. That part isn’t new; Many Trojan installers drop a Hosts file onto the infected machine which effectively prevents the computer from reaching any Web site listed in the file. But malicious Hosts files are easy to identify and remove, because they’re always in the same location (C:Windowssystem32driversetc), and the minute you delete a malicious Hosts file, the computer can connect to the previously-blocked Website.
This new dirty trick employs components of a commercial software firewall development kit, called WinpkFilter, the Windows Packet Filter Kit, from NT Kernel Resources. WinpkFilter isn’t inherently evil or even necessarily undesirable. It’s a set of tools that other developers can license to create small network filtering applications. But in this case, the malware author uses these tools to block access to the Web sites used by at least half a dozen antivirus vendors. We’re calling this malware Trojan-Netfilter; Some of the affected vendors call it either Liften or Interrupdate.
For several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three letter agency of the US government inspires more dread and fear than good old Internal Revenue.
In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).
The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.”
Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the files as Trojan-Backdoor-Progdav (other vendors call this spy Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.
As we’ve discussed so many times in the past, search terms that include the names of celebrities make good targets for malware authors, and search terms that include the name of dead celebrities make great targets for malware authors. Now there’s a new corollary to this postulate: Search terms that include the names of dead celebrities who release new material make fantastic targets for the bottom-feeders of the malware-distribution world.
So, as you’re out there searching for the brand new Michael Jackson track, please be aware that the bad guys are using this opportunity to foist malware onto your machine. The screenshot at left is just one example of what you’ll see when you accidentally click a search result link pointing to a malicious page. The “video” pops up a warning that tells you to download and run the “movie_hd_plugin_update.40014.exe” in order to see…I don’t know, something interesting? Probably more interesting than you would like. I think by now we should all burn into our memories this precise screenshot, with its misspelled “Raiting 8/10” text near the bottom, as an obvious fake that has been repeatedly employed by distributors of rogue security products. Beware!
By Mike Kronenberg
Be suspicious. About email swindles, bogus security products and online scams. I’m not kidding around. You need to pay attention and be diligent, because cyberthreats are lurking everywhere.
What got me thinking about this was President Obama’s proclamation of October as National Cyber Security Awareness Month. He said that all users — not just those in government — have to practice safe computing. The President is taking this seriously. At the start of the month he authorized the Department of Homeland Security to hire 1,000 cyber security specialists over the next three years. The goal for these professionals is to analyze risks, figure out our vulnerabilities and devise cyber-incident response strategies.
The President sounds right on target. For one thing, every unprotected PC (and those without up-to-date security software) is potentially open to attack. If your system is infected with, say, a back-door Trojan, a hacker can grab your passwords, credit card and other account numbers, and increase your risk of identity theft. On top of that, on a national scale, your infected PC can turn into a virtual, brain-dead zombie (what an image!), propagating malicous cyberattacks, and contributing to the damage of the digital infrastructure.
If you’re reading this blog, no doubt you know the obvious ways to bolster your protection: Keep your AV and AS tools updated, double-check that your firewall’s working, check for OS patches, and make sure your wireless router’s WPA is enabled. And with the focus on awareness, you might take a minute and help a novice computer user fortify his or her defenses.
But aside from the usual security tactics, I implement other safeguards on my PC at home and on the family notebook. Read on for a few you can try.
How can that be? After all, it’s the search engines’ own servers that are supposed to deliver relevant results based on their super-secret sauce algorithms. But black hat, or rogue, search engine optimization (SEO for short) has ruined the trustworthiness of virtually any search.
Just a few years ago, companies began to spring up making outrageous promises about how they can get a client’s Web site ranked closer to the top of certain search results. Then the purveyors of various worms, fake alerts, and rogue antivirus products got involved, because they quickly discovered that it’s easier to convince someone to infect their own computer by clicking a search result link than to discover and implement an elaborate network vulnerability.
After all, according to our latest research, about one out of every five of surveyed Web surfers implicitly trust whatever a search engine delivers as the first page of search results every time they search.
So, all year long, we’ve seen rogue SEO tricks used to promote malicious search results. Many of those links foist various fake antivirus programs onto unsuspecting Web surfers’ computers. The effect is almost instantaneous, as if it was automated: A breaking news story hits the Internet, and within moments, the rogues have turned their attention to pushing bad links based off of whatever keywords the story-of-the-moment might entail. That’s not really unexpected; Google Trends, for instance, makes it incredibly easy for black hat SEOs to target whatever’s hot. Searches for news as diverse as Indonesian earthquakes, elections in Iran, and the untimely deaths of various celebrities served equally well to deliver victims to the rogues.
Now, even the Internet meme of the moment appears to drive victims to malicious Web pages. One of our researchers pointed out a funny screenshot that was making its way through Digg, the social link-sharing site. The screenshot showed some of Google’s suggested search results that appear when you type “Google will” into the search field. Among the auto-completions were “Google will not search for Chuck Norris,” “Google will eat itself,” and “Google will you marry me?”
A new Trojan quietly circulating in the wild uses components from a commercial optical character recognition (OCR) application to decode captchas, those jumbled-text images meant to help a website discern human activity from automated bots.
The OCR-using captcha breaking tool is just one component of the Trojan. Its main purpose appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns originating in the US, and it uses the OCR-cracking software in order to read the captchas and submit the form entries, on pages where the website presents a captcha to the user.
And this is not just any captcha-cracka, but a Swiss Army Knife of sorts. The maker of the “Advanced Captcha Recognition Engine” tool, based in China, claims that the tool is capable of bypassing more than 30 different captcha systems, including those used by Yahoo, MSN, and some of the largest portal sites and banks in China.
The captcha decoding tool itself is a kludge, marrying some bespoke files and components expropriated from an older version of a commercial optical character recognition (OCR) suite called TOCR. The UK-based company that makes the TOCR software, Transym Computer Services, also licenses its components to third parties, though it’s not clear they knowingly have a relationship with the Chinese captcha cracker maker, nor were they aware that parts of their engine was repurposed for sale to Chinese malfeasants. The files appear to have been stolen or pirated, and used without Transym’s knowledge.
By Andrew Brandt and Brenden Vaughan
As we’ve seen for the past several months, a celebrity ended up the top news story, which started a cascade of malware distributors racing to get their driveby pages to the top of search results. Today’s victim/subject is Roman Polanski, the renowned film director arrested on decades old charges of statutory rape. This kind of gossipy, tabloid headline is like candy for rogue antivirus distributors.
We began our search the minute we found out the news, and yes, within about half an hour of the story breaking, the pages began appearing in the search results on various engines. While some of the malicious pages were linked to search terms based on the name of the director, many also reference his victim, Samantha Geimer. The results redirect you into a fake virus scan page, which in turn leads you to a download of Windows PC Defender, a known rogue in the same vein as Antivirus 2010 and the other scam fantivirus tools so popular among Web criminals this year. Trojan-IM.Win32.Faker, indeed.
Not only does this rogue pretend to be an anti-malware tool, but it throws a monkey wrench into almost any existing protection, adding Image File Execution Options registry keys that prevent nearly all legitimate free and commercial antimalware tools from running. It also drops a Hosts file which prevents infected computers from contacting 12 payment processing domains associated with Antivirus 2010, and redirects all Google (including nearly 200 international Google domains), Yahoo, MSN, and Bing search results through a server belonging to search-gala.com, whose IP address is geolocated to an ISP in Brampton, Ontario, Canada (go Timberwolves!).
Not content to be a single-solution product, Windows PC Defender is a full faux-suite, offering completely fictitious desktop firewall results as well as antivirus. The rogue uses a modified copy of a free tool called Multi Password Recovery to extract your Windows license and display it in the firewall “alert,” presumably to raise the anxiety level of person who sees the “warning” message. The warning claims that “your computer is making an unauthorized personal data transfer” to an IP address assigned to NASA, which is currently not in use. Because everyone knows NASA wants your Windows license key, for, you know, space missions. amirite? Could an imaginary anti-phishing toolbar be around the corner? Who knows what’s next for these enterprising, though predictable, con artists.
Not to be outdone, distributors of black market drugs began using Twitter to spread ads as well, with an under-140-character tagline promising juicy Polanski-arrest news. We’ll keep an eye on the situation, but it’s probably best to steer clear of links to unfamiliar sites, especially those promising revealing or “previously undisclosed” pictures, movies, or other such nonsense.
After all the brouhaha surrounding the NYTimes.com website hosting ads which spawned rogue antivirus Fakealerts last weekend, I spent a considerable amount of time looking at so-called exploit kits this week. These are packages, made up of custom made Web pages (typically coded in the PHP scripting language), which perform a linchpin activity for malware distributors. Namely, they deliver the infection to the victim, using the most effective methods, based on parameters which help identify particular vulnerabilities in the victim’s browser, operating system, or applications.
There’s no indication that an exploit kit was used by the attackers in the NYTimes.com incident, but it easily could have gone that way. All an exploit kit needs in order to begin the process of foisting an infection is for a potential victim to visit its specially crafted Web page. The end result is what we call a drive-by download.
According to reports, the code injected into the Times website’s ad calls simply spawned another browser window, which in turn displayed fake alert and virus scan results messages. It wasn’t even a website hack; the site’s ad sales department were fooled into accepting a paid advertisement containing the code.
This time, that browser window was used to trick the site’s visitors into executing, and eventually buying, the rogue product. It could have been far worse.
After spending a day investigating a relatively new package, which calls itself (with a total lack of irony) the Liberty Exploit System, it’s easy to see how something like what was done on the Times website could have led news enthusiasts down a much deeper, scarier rabbit hole.
As autumn approaches, the world typically sees an increase in the number of online shopping trips, as people take advantage of bargains from late-year sales, and prepare for various holidays. And, right on cue, we’re also seeing an increase in the number of Trojans distributed in the guise of “shipping confirmation” email messages. And these Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.
The Trojan arrives attached to a vaguely-worded email message thanking the recipient for their order of a high-ticket item. Previous versions of this same kind of message were crafted as though the message source was one of the major shippers, such as FedEx, UPS, DHL, or the US Postal Service, and the message (purportedly) contains tracking information.
But these new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet. These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to “print the label to get your package.”
Um, wait, what? Why would I need to print a label to receive a package? That makes no sense whatsoever. Do the malware authors think we’re dumb, or what? No, don’t answer that, because we’re not dumb. They’re using psychology against us.
A new variant of the Koobface worm started striking out this week, with a twist: Where the older Koobface would steal and use the cookies saved by Internet Explorer which store social network logins in order to spread its infectious messages in the victim’s name, this new variant is pulling down a tool designed to steal credentials saved by Firefox (in the form of cookies and stored passwords). Users of the Firefox browser were, until now, able to thwart the pernicious spy’s ability to hijack a victim’s social network accounts, because the two browsers store their cookies in different locations, and in different formats.
We got wind of the new variant as we saw the characteristic links spreading through various networks yesterday. In our early tests, the worm exhibited similiar skill at spreading over multiple networks: In addition to Facebook, the MySpace, Hi5, Friendster, Tagged and Netlog accounts we use for testing its behavior were used to spread malicious links, posted either to the victim’s “wall” or status, or as messages sent to all of the account-holder’s friends.
Using a well-documented hack to access the Firefox cookie file, the payload (appropriately named ff2ie.exe) looks for a copy of the file sqlite3.dll on the victim’s hard drive, then uses the functionality of that file to pull social network cookie information from the Firefox cookie database (as shown in the screenshot, above), and write an Internet Explorer cookie containing all that information. With the IE cookie(s) in place, the rest of the Koobface payloads work as they did before.
The worm continues to query the download server for payloads targeting 10 social networking services, but for an undetermined reason, it only delivered six targeted payloads. We also saw that, instead of downloading the executable payloads directly, the worm downloaded installers, each of which place various payloads in the Windows folder, then self-delete.
The body’s barely cold from last week’s BlizzCon, but the script kiddies who write phishing kits have been hard at work putting their best foot forward, crafting account-stealing code that targets gullible WoW players who want an early peek at the just-announced Cataclysm expansion. These Catphish pages, linked off of YouTube video postings that offer promises of early, exclusive access to the expansion, lift graphics and design characteristics directly from the pages hosted by Blizzard, the publisher of the WoW franchise.
Unfortunately for the script kiddies making and hosting the pages, they’re making some of the most boneheaded mistakes imaginable.
Take, for example, this page. The creator of this page was so eager to get his l33t phishing site posted on his favorite message board, he forgot to take a close look at what he was including with his phish kit. It includes not only log files containing links to the live site where he’s hosting this phishing scam, but also to a site where he’s hosting another phishing scam intended to steal a promotional code given to WoW fanatics as a bonus after they paid to watch BlizzCon streamed live to their computer.
Yesterday, at the opening of our BlizzCon coverage, we showed you just how commonly phishers target WoW players by posting innocuous-looking links in message board or forums frequented by players. Today, we’ve produced a really short video that shows exactly how someone infects their computer with a phishing Trojan.
As you can see in the video (even through the “censorship”), the page the victim eventually ends up on emulates the appearance of a Flash-video-based porn site. Every single link on the page links to the malware installer, which means that no matter where on the page the victim clicks, he or she is presented with a download dialog box. Check it out.
This simple social engineering trick, so commonly used of late by Koobface to fool social network users, still manages to convince people to execute the malware installer in order to view the video.
We’d all like to take a moment to give one simple piece of advice: If you follow a link and end up on a site you clearly weren’t intending to go to, stop. Don’t download any executable files—and absolutely don’t run any executable files if you happen to download them. If you have to, hit the Alt-F4 keyboard combination to kill the browser right there, but just don’t run anything else.
Misled gamers who download and run the flash “installer” won’t see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials. These infections are often fairly simple in their configuration, though as with all malware there are much more complex versions that can steal the passwords for multiple games.
The installer executable simply drops a DLL file onto the victim’s hard drive, typically to the System32 or another Windows subdirectory. That file performs the keystroke logging, then sends that data to the phisher behind the scam. The installer also modifies the Registry so the DLL loads with every startup.
Keyloggers aren’t the only threats targeting online games. Others include spam phishing-type posts on the public forums for individual guilds, malicious URLs communicated through the in-game chat channels, and even exploits against security weaknesses in Web sites and message boards frequented by members of the WoW playing community.