I’m at the Black Hat Briefings this week, the annual confab of the best and brightest in computer security, catching up on the trends and tricks malware authors and data thieves employ. I just saw an impressive demo by a pair of security researchers who took a deep dive into the behaviors of four pieces of highly targeted malware.
The researchers, Nicholas Percoco and Jibran Ilyas of Trustwave, ran a live demonstration of four Trojans designed to steal sensitive information and surreptitiously exfiltrate that data to the criminals. Three of the Trojans had been found installed on the servers of retail businesses, and capture credit card information — including the magnetic stripe data recorded by point-of-sale devices (ie., cash registers). The fourth Trojan, found on the computers of a large military contractor, was designed to steal any files in the My Documents folder, as well as any saved passwords on the system.
Of note was the highly targeted nature of the Trojans. In the case of the military contractor, for example, the criminals had obviously done their research, because the attack had targeted several high-level executives within the firm. According to the researchers, the attack started when a maliciously crafted Adobe PDF file was emailed only to the executives in a forged message that appeared to come from the CEO of the company. The forged message even included the CEO’s customized mail “signature” and the message text sounded convincingly similar to the language the CEO might have used.
Most importantly, all four Trojans did an outstanding job of remaining undetected for a significant period of time, which gave them more time to get the job done. Although one Trojan, which used a rootkit driver, had a tendency to “blue screen” their test machines, even a crash might not alert a victim that their computer hosts an infection. After all, Windows can crash for all kinds of reasons, and a crash isn’t necessarily an indication of a malware infection.
I’m looking forward to seeing more talks from other researchers over the course of the coming week. Of particular interest is a talk being given by Greg Hoglund about identifying the perpetrators of malware infections and even the creator(s) of widely distributed types of malware.
When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well.
But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! Case in point: this doozy that came through our spam bucket last week.
The message subject reads Your Funds Will Be Transfered and the body helpfully informs the recipient that I am able to complete the funds transfer late night — I hope that doesn’t mean someone sent Jimmy Fallon $28,126 from my bank account. It continues, Copies of the payment is being attached, and the message indeed has an attachment named Copies of the payment.htm which I can open and…
…uh oh. That’s where the trouble begins.
The end result: Three pieces of malware installed; Two password-stealing copies of the Zbot phishing trojan, and a remote-access backdoor to boot. Considering Zbot’s propensity for stealing bank account logins and other sensitive credentials, I suppose the subject line was correct after all. Your funds will be transferred. Just not where you thought.read more…
Reading Time: ~ 4 min.
The spam comment, which reads Hello. I the beginner. I wish to show to you,scandal story and links to a drive-by download site, is a tremendous help to our researchers, who are always on the lookout for new threats.
Of course, the malware distributor could have employed a more effective hook to convince someone to click a link than the one he used.
The link claims to point to a page hosted on the free Blogspot blog site to a nude video — not of Paris Hilton, Venus Williams, or Erin Andrews — but of…Diane Sawyer, the respected, award-winning anchor of ABC’s World News Tonight.
Reading Time: ~ 7 min.
Ransomware is nothing new, but a Ukrainian ransomware Trojan that came over the transom last week demonstrated that the concept of “payment” can extend to services other than banking or finance. In this case, the Trojan (which we and several other AV companies call Trojan-Ransom-Krotten) thoroughly locks down the infected system then demands payment—in the form of credit paid to the Ukrainian mobile phone provider Kyivstar, which the victim then has to transfer to the malware distributor’s account.
Yes, Alice, the hacker wants you to pay his cellphone bill.
Once the ransomware has taken hold on a victim’s computer, it locks down the operating system in dozens of different ways, as well as changing several registry keys that add juvenile, profane text to Internet Explorer’s title bar and elsewhere on the desktop and in folders.
Paying the ransom in these cases simply emboldens the malware creator to continue his crime spree. Of course, even once a victim hypothetically pays this ransom, there’s also no guarantee that there’s any way at all for the malware distributor to reverse the damage — which takes the form of significant levels of annoyance — caused by this insipid Trojan.
Fortunately for the victim, the creator of this Trojan isn’t the sharpest tack in the box. Not only were we easily able to tease out the Trojan’s payloads and add signatures which would prevent the Trojan from delivering its payload files to a victim’s computer, but we’re able to see exactly how the author (ineffectively) tries to frustrate the kinds of behavioral analysis we and other antivirus vendors perform.
Reading Time: ~ 2 min.
Blizzard’s announcement today that they will begin a closed beta-test for the latest expansion pack is likely to generate a lot of excitement among that particularly low breed of online criminals who steal the fruits of other people’s entertainment when they commandeer passwords for other players.
While it’s hard to believe that most players of online games aren’t aware of the profusion of phishing sites attempting to steal logins, the problem clearly isn’t going away, so the warnings remain the same: Keep a close eye on your browser’s Address Bar, and make sure you’re really logging into Blizzard’s Web site, and not some phishing creep’s trap.
(Tip ‘o the hat to Threat Research Analyst Curtis Fechner for the breaking news tip.)
Reading Time: ~ 5 min.
I’m not sure how I feel about this. On the one hand, I feel sorry for the Chinese victims, most of whom are probably blissfully unaware of the dangers they now face on the Web. On the other, perhaps this will finally serve as a wake up call to Chinese authorities that they need to do something about homegrown Sino-cybercrime.
In the course of investigating some odd-looking URLs (including one which uses the name of every popular Chinese portal), I stumbled into a maze of Web sites that forcefully urge visitors to download and install software.
The scams start at Chinese porn sites — though, it must be noted, the photos on most of these sites are significantly less racy than what you’d find on your typical college coed’s MySpace page, even before Spring Break. The sites promote streamed video, but warn users that they must download and install a special “video on demand” player in order to watch the videos. Sound familiar?
In the course of a few hours, I pulled down and researched five distinct Trojaned software packages, all of which originated from a “click here to download the player” link on a Web page. At best, the programs attempt to convince users to pay 100 Yuan (about $15) for access to what the program promises is a vast library of TV shows and movies from China and the rest of the world.
At worst, the programs pull down dozens of keylogging Trojans, downloaders, and backdoors at the same time as they install benign Chinese video software, such as the popular (and completely free) QVOD player.
Reading Time: ~ 4 min.
Malware authors must have a soft spot in their hearts for the long-maligned South African vuvuzela, because once again, the most annoying noisemaker in World Cup history is driving people to Web sites which push infections down to their computers. This time, people are retweeting the malicious links attached to a message that reads “OMG! Vuvuzela banned!” along with the hashtags #worldcup and #vuvuzelabanned. At last check in Google, references to the malicious links number over 16,000.
The tweets use a variety of different link shortening services (including bit.ly, tinyurl.com, is.gd, and dr.tl) to mask the fact that their destination is actually a bogus image hosting website hosted on the .in top-level domain (supposedly used by Web sites registered in the country of India, but these sites are all hosted elsewhere). The Web site you eventually land on calls itself Image Sheep, while in the background, your PC is being herded into a botnet.
As an aside, there is a real image hosting service by the same name, but the real Image Sheep is registered elsewhere and hosted in an entirely different network than these fake Image Sheep clones.
Once the victim’s browser loads the fake Image Sheep page, it pushes a Java “image viewer” applet, named target.jar, down to the browser. It’s easy to pick apart the contents of this file, which contains additional Java applets and PHP scripts that push the malicious file (named IMG12523.jpg.exe) down to the victim’s computer. The file itself is a downloader component of an adversary we’ve seen before: Trojan-Backdoor-Protard (aka Gootkit), which retrieves additional malware and retrieves complex instructions.
Reading Time: ~ 4 min.
An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents.
A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible.
The page, designed to mimic closely the appearance of the Spanish central bank’s Web site, was very much a clone of the previous fake-bank pages used to foist Zbot onto victims.
Previous campaigns of this type targeted, primarily, North American victims by spoofing the Web sites belonging to Visa, Bank of America, the FDIC, the American Bankers Association, NACHA, the IRS (and its equivalent British tax authority), as well as Amazon.com, iTunes, Facebook, MySpace, AOL, the Centers for Disease Control and Prevention, and many others.
Reading Time: ~ 3 min.
For the twelve other people in the world who haven’t been watching the World Cup matches in South Africa, the Vuvuzela is a South African horn that makes an obnoxious buzzing sound when played.
The noise is said to be so irritating that fans have been watching the matches on television with the sound muted so they don’t have to hear the incessant wasp-like drone of Vuvuzela-toting fans inside the stadium.
If you haven’t experienced the full effect of the vuvuzela, consider yourself lucky. But if you’re wondering what all the fuss is about, you can make your best effort to read this blog in World Cup 2010 style. Just turn down your computer speakers or headphone volume first.
The site claims to be able to “get rid of the Vuvuzela noise through active noise cancellation” but all you get for your money is, apparently, a 45 minute long .mp3 file.
Seriously. Call it a Rogue AV (anti-vuvuzela) of a variety we haven’t seen before.
I should hope that the readers of this blog would be aware that whatever these goofballs are selling, it ain’t anything remotely similar to the active noise cancellation it is being touted to be. In fact, others have come up with a passable, working solution using equalizers and bandpass audio filters. There’s even a free, automatic filtering application you can download. It seems like this audio file would sound a lot more like a 45 minute recording of snake oil slithering. Or the sound of 3 Euros sneaking out of your pocket. Don’t be a sucker: Just reduce the volume on your TV if the vuvuzelas get you down.
Reading Time: ~ 4 min.
Some anonymous Trojan creator has taken a bold new approach towards a malware work ethic with his or her new browser hijacker Trojan: It creates an entirely new file suffix, and handling instructions within Windows, so that the new (.nak) file suffix integrates seamlessly into the operating system. The Trojan then replaces just the file suffix on any Shortcut that points to either the IE or Firefox browser, on the desktop or in the Start menu, with the new suffix. You may not even have realized that Shortcut files have file extensions. They’re normally hidden.
The net effect is that, on an infected computer, if you launch IE or Firefox by double-clicking one of the shortcuts on the desktop or in the Start menu, it opens a page to a Chinese portal — regardless of the Home Page settings in either browser.
It sounds more impressive than it turned out to be, even if it was kind of surprising at first, and despite the fact that the creators walked three sides of a square to get there. The only good news is that the changes the Trojan makes to the system are easily reversible. And you can still open IE and Firefox normally by launching them from the command line, navigating to the application itself in Explorer, or by creating new shortcuts to the applications.
Reading Time: ~ 4 min.
A spammed link campaign that spread through Facebook rapidly over the weekend delivered a malicious payload designed to take control of the Facebook account of any infected user, steal passwords, and hijack clicks in the victim’s browser. The messages appear as links sent by a friend, accompanied by the brain-damaged text “You? I find it on Google.”
Clicking the link directs recipients to a page on online-photo-albums.org which, at the time, pointed to malware hosted on a server (now offline) based in Bosnia and Herzegovina.
This installer drops no fewer than six payloads, including the “clickjacker” Trojan-Bamital, which redirects the browser to a different site when a user on an infected machine clicks a linked result in a very specific subset of search engine Web sites (such as, for example, results on the South Korean version of Google, Google.kr, but not the main Google.com site itself).
In addition, album.exe file also drops Trojan-Downloader-Suurch, which can download and install additional payloads, and leads hapless Web surfers into the abyss by hijacking searches on a broader set of search engines, and injecting its own code into the search results page. The album.exe installer also drops a DLL which captures passwords and other data entered into Web forms in Internet Explorer, and forwards that data on to a different Web domain (which happens to be hosted at the same IP address in Bosnia that was used for the album.exe download — and remains online as I publish this).
Reading Time: ~ 4 min.
While it is far from the first Trojan ever to simply fail to execute under Windows XP, it definitely caught our eye that a variant of Trojan-Downloader-Tacticlol distributed last week in a spam campaign only fully executed under Windows Vista or newer operating systems. It may have been just a fluke, but repeated tests with both a virtual machine and real hardware running Windows XP at various patch levels showed that the Trojan we received attached to a spam message simply quit when executed in an XP environment, but ran smoothly and did all its planned dirty work on a Windows Vista testbed.
The Trojan, which is capable of causing a devastating malware infection, drops a DLL with an odd name made up of random letters into the system32 folder, then registers the DLL so it loads the next time the computer boots up. After a reboot, it kicks into full swing, pulling down a variety of malware installers.
The spam message (we got a bunch of different variations, all with the same attachment) came from a variety of falsified return addresses. The message, with a subject of Statement of fees 2009/2010 contains an utterly incomprehensible body, which reads, in part: “The accomodation is dealt with by another section and I have passed your request on to them today.” It looks very similar to a message I get from the toll road authority here in Colorado that uses electronic toll collection. The real entity emails a statement every so often with an attached PDF, though the real toll road statement doesn’t appear to come from the domains “reclusivebillionaire.com” or “reelsolutions.com.” Nice try, sparky.
More interestingly, though, is the idea that this Trojan, which is so prevalent and widely distributed, may signal the start of a trend where malware authors begin turning away from XP as the dominant operating system they target.