We examined a variant of the Clampi family of password stealers (also known as Ilomo) that was the second most prevalent within the ThreatFire community. As described in previous posts, malware often injects malicious code into other processes (or hijacks other processes) running on a system for a variety of reasons. Two Win32 APIs are most frequently called to do so: WriteProcessMemory and CreateRemoteThread. Clampi creates a new Internet Explorer process, but instead of using the worn-out method of writing to the process's memory space and then creating a thread in it, it passes a non-ASCII string of characters as a parameter to iexplore.exe. For our fellow researchers, Ilomo's CreateProcess lpCommandLine string starts like this:

“C:\Program Files\Internet Explorer\iexplore.exe” üë^‹þW¬Zt,AÀàŠØ¬,AêëìXÃèáÿÿÿILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAI

The process loader copies the command line into the new process's virtual address space, so the shellcode is placed inside iexplore.exe without a single WriteProcessMemory call. Clampi's injector then walks the iexplore.exe address space with repeated VirtualQueryEx calls until it finds a candidate region, reads that region back with ReadProcessMemory, and does a byte-for-byte comparison to locate the exact copy of the shellcode it passed as the parameter. On an exact match it calls CreateRemoteThread at that address, and the injected code runs inside iexplore.exe.

Unusual methods like this are invariably the result of determined efforts by the malware writers to evade security solutions that key their detection on WriteProcessMemory calls. The evasion is not effective against ThreatFire. Note that the technique still cannot avoid the cross-process CreateRemoteThread into the freshly started browser, and a browser launched with a command line full of non-printable bytes is itself a strong signal; either is worth alerting on.
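Because the payload arrives on the command line rather than through WriteProcessMemory, one check a practitioner can add is a process-creation audit that flags browser launches whose arguments are neither URLs, switches nor paths, and in particular arguments that look like a binary blob. The following is an added example, not Clampi's code or any ThreatFire component; it assumes process-creation records in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine). The thresholds, the browser list and the sample records are constructed for the example, and the blob is the string as it displays in this post, transcribed as Unicode escapes, since the original bytes are unknown.

```python
import re
import string

PRINTABLE = set(string.printable)
# Images whose arguments are normally URLs, switches or file paths (assumed list).
BROWSERS = ("iexplore.exe", "firefox.exe")
# Shapes a browser argument legitimately takes; anything else is "unexpected".
EXPECTED_ARG = re.compile(r"^(?:https?://|ftp://|file://|about:|-\w+|/\w+|[A-Za-z]:\\|\\\\)",
                          re.IGNORECASE)
# Thresholds are assumptions chosen for this example, not figures from the post.
MAX_NONPRINTABLE_FRACTION = 0.10   # share of an argument that is not printable ASCII
MIN_NONPRINTABLE_RUN = 4           # consecutive non-printable characters

def split_args(cmdline):
    """Split a Windows command line on whitespace outside double quotes; quotes are dropped."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args

def nonprintable_stats(text):
    """Return (count, longest_run) of characters outside printable ASCII."""
    count = run = longest = 0
    for ch in text:
        if ch in PRINTABLE:
            run = 0
        else:
            count += 1
            run += 1
            longest = max(longest, run)
    return count, longest

def suspicious_command_line(image, cmdline):
    """Reasons a command line looks like it smuggles a payload; empty list when clean.
    Localized paths and URLs contain non-ASCII legitimately, so an argument is only
    called a blob when it is dense in non-printable characters AND has a run of them."""
    reasons = []
    is_browser = image.lower().rsplit("\\", 1)[-1] in BROWSERS
    for arg in split_args(cmdline)[1:]:            # skip the executable itself
        expected = bool(EXPECTED_ARG.match(arg))
        count, longest = nonprintable_stats(arg)
        binary = count / len(arg) > MAX_NONPRINTABLE_FRACTION and longest >= MIN_NONPRINTABLE_RUN
        if binary and not expected:
            reasons.append(f"argument carries a binary blob ({count}/{len(arg)} non-printable, run of {longest})")
        elif is_browser and not expected:
            reasons.append(f"unexpected browser argument {arg[:24]!r}")
    return reasons

def scan_process_events(events):
    """events: dicts with Image, ParentImage, CommandLine. Returns flagged (Image, ParentImage, reasons)."""
    hits = []
    for ev in events:
        reasons = suspicious_command_line(ev["Image"], ev["CommandLine"])
        if reasons:
            hits.append((ev["Image"], ev["ParentImage"], reasons))
    return hits

# Constructed sample records. BLOB is the post's command-line tail as displayed, as escapes.
IEXPLORE = r'"C:\Program Files\Internet Explorer\iexplore.exe"'
BLOB = ("\u00fc\u00eb^\u2039\u00feW\u00acZt,A\u00c0\u00e0\u0160\u00d8\u00ac,A"
        "\u00ea\u00eb\u00ecX\u00c3\u00e8\u00e1\u00ff\u00ff\u00ff"
        "ILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAI")
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",   # made-up parent
     "CommandLine": IEXPLORE + " " + BLOB},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": IEXPLORE + " http://example.com/"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",        # localized path: clean
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": IEXPLORE + ' "C:\\Users\\\u0418\u0432\u0430\u043d\\\u043e\u0442\u0447\u0451\u0442.htm"'},
]

if __name__ == "__main__":
    for image, parent, reasons in scan_process_events(SAMPLE_EVENTS):
        print(f"{image} (parent {parent}): {'; '.join(reasons)}")
```

Run stand-alone it reports only the first record; the third shows why the check is scoped to unexpected arguments, since a user with a non-Latin profile name would otherwise trip it on every launch. In practice the result should be correlated with the parent process and with a CreateRemoteThread into that new browser, which the injector cannot avoid.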

Posted in The Law | Leave a comment

Just a quick update on the ongoing tubeviewer/porntubeviewer/streamviewer downloader activity, which has been showing up as prevented in high volumes in the ThreatFire community. The downloaders moved from the previous address some time around July 21st/22nd, and two new IP addresses and their corresponding DNS domains started to appear on our radar. Steer clear:

64.20.55.163
hot-exe-load.com
exe-file-xxx.com
094k.ofspokesman.com

95.211.8.20
boardexefiles.com
cool-exe-file.com
exeasts.com
exefreefiles.com
exeloadsite.com
exeloadworld.com
exenets-files.com
exepinkfiles.com
last-home-exe.com
theexefile.com
thesiteexe.com
topexesite.com

Posted in The Law | Leave a comment

A number of users are being duped into downloading and running a file currently given names similar to foto049.com, which is being served from a system hosted in Moscow:
vfoto.fromru.su /foto049. com
The link appears to be spread over email in messages claiming to link to photos and videos.

The file is a downloader that pulls down multiple encrypted executable files from systems in Brazil that are also known to serve up Zbot banking password stealers. These encrypted files are downloaded and written with ".html" and ".txt" extensions into a "\winnt_" directory that the downloader creates off the root of the system drive. The seven files are then decrypted, renamed, added to autorun locations in the registry, and run. As you can see in the ThreatExpert report, the files are consistently given names resembling system filenames:
C:\winnt_\winntR1.exe
C:\winnt_\winntR2.exe
C:\winnt_\winnt2.exe
C:\winnt_\winnt3.exe
C:\winnt_\winnt4.exe
C:\winnt_\winnt5.exe
C:\winnt_\winnt6.exe

One component harvests email addresses from Orkut and other accounts, and the others appear to be mainly interested in stealing information provided to Brazilian banks like Itau, Bradesco, Banco do Brasil, etc. Our ThreatFire community in Brazil and elsewhere has been protected from the threat since this variant first appeared on Friday. Users must be wary of running unsigned (or any) executables from links spread over email, even from friends.

Posted in The Law | Leave a comment

We received a malicious PDF file last week; on analysis, we found that it differs from the recently analysed PDF exploits. It carries an Adobe Flash zero-day that is being exploited in the wild. The vulnerability affects Adobe Reader 9.1.2 and earlier 9.x versions, and Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions.

Two Flash files are embedded in the PDF. One of them, fancyball.swf, does not seem to do anything malicious; the other, save.swf (or oneoff.swf), uses ActionScript to perform heap spraying.

The shellcode drops and executes two executable files named SUCHOST.exe and temp.exe. Both are embedded inside the PDF file itself, so no download is needed for the infection to complete.

Download Browser Defender for free to protect yourself against these sorts of threats.

Posted in The Law | 1 Comment

The banking password and information stealer Clampi was recently described as infecting anywhere between 100,000 and 1 million Windows PCs. Let's take a closer look at this menace, and at the Clampi behaviors ThreatFire has been preventing in our community.

First, let's talk about distribution over the past year. Most Clampi executables appear to be unique and to have run on no more than one machine. The bulk of these executables are repacked and re-obfuscated to evade AV solutions, so only a quarter of the Clampi malware prevented in the ThreatFire community over the past year showed up on more than one system. Almost all of the Clampi variants seen on multiple user desktops appear to have been delivered via an Adobe Acrobat client-side exploit. As posted previously about mainstream Windows PDF readers, be sure to update the software on your system, especially popular third-party web browser plugins. A high number of these Clampi-delivering exploits successfully attacked Acrobat 7.0. Unfortunately, while the message may be getting out that third-party plugins need to be updated regularly, the advice does not seem to be followed reliably.

The trojan runs a new instance of Internet Explorer and injects it with executable code of its own, accesses the personal store of saved passwords, and sends the data off the system to multiple web sites. It is not a set of new malicious techniques, but it is highly problematic nonetheless. ThreatFire prevents these behaviors reliably, and PC Tools AV reliably detects the malware with one of several heuristic routines: Trojan.DL.Ilomo.Gen!Pac, Trojan.DR.Ilomo.Gen!Pac.2, Trojan.DL.Ilomo.Gen!Pac.

Symantec named this malware Trojan.Clampi, and it has been labelled inconsistently by other groups with a handful of other names, including Clomp, Downloader, Inject, Rscan, Small, Ilomo, Agent2 and Agent; often it is detected only by its packer's characteristics. Unfortunately, the packer changes, and old signatures become ineffective as new builds appear on systems around the world over time. PCTAV heuristics were effective over time, however.

Update: Please see post with a bit of technical information regarding Clampi variant’s injection technique.

Posted in The Law | Leave a comment

In another “duh!” moment, it was discussed that government workers and contractors probably should not be sharing their drive contents using P2P software. In a recent hearing, U.S. lawmakers discussed sensitive content like “FBI files, medical records, Social Security numbers and even a file containing information about a safe house location for [the U.S.] President” that was accessed over LimeWire.

While this post does not take a stance on the policymaking, or on the level of intelligence it takes to accidentally share drive contents over LimeWire, ThreatFire continues to trigger on and protect our community against a number of malware executables accessed over the LimeWire sharing network. Always be careful with shared content on these networks; too often, things are too good to be true, as posted previously. Today, ThreatFire protected user information from more crackz bundled with malware, like another "Age of Mythology[ENGLISHVERSION] Crack Keygen" with a malicious setup file.

When the unsuspecting P2P user runs the setup file, this trojan downloader contacts a server at www.diespamdie. com, where adware and additional bot malware are served up. One of the served files is a nasty bot sometimes identified by its packer, its circa-1999 injection technique, and its string references: TDSS.

Posted in The Law | Leave a comment

As out-of-band patches are released today, we are not yet seeing memory corruption attacks targeting the newly patched vulnerabilities that affect Internet Explorer 6, 7, and 8. Nonetheless, be sure to visit the Microsoft updates site and patch your system soon.

Instead, ThreatFire continues to prevent prevalent attacks from malicious pages like those currently hosted on cxim-way. cn, where JavaScript enumerates the third-party plugins installed on the system and attacks the user's system with the matching exploit. The script's logic, in outline:

for (var i = 0; i < navigator.plugins.length; i++) {
    var name = navigator.plugins[i].name;
    // Each recognised plugin gets an iframe pointing at the exploit file for that reader or player.
    // (The page's pseudocode shows only the iframe src; document.write is one common way to add it.)
    if (name.indexOf("Adobe Acrobat") != -1 || name.indexOf("Adobe PDF") != -1)
        document.write('<iframe src="cache/readme.pdf"></iframe>');
    if (name.indexOf("Foxit Reader") != -1)
        document.write('<iframe src="cache/update.pdf"></iframe>');
    if (name.indexOf("Flash") != -1)
        document.write('<iframe src="cache/flash.swf"></iframe>');
}

The resulting malicious payload is prevented by ThreatFire. On a successfully compromised system, "Load.exe" is pulled down from the site, renamed to "pdfupd.exe", and run. This malicious downloader/dropper currently evades most AV scanners. It drops a couple of drivers and may be a Rustock bot variant, which we are looking into further:

ThreatFire users are protected from multiple layers of these attacks. In addition to patching your system, install a behavior-based layer of protection.

Posted in The Law | Leave a comment

As people look online for information or video, they should understand that cybercriminals may be using the opportunity to find more victims. This is just another example of how cybercriminals capitalize on global events or major news stories with wide consumer interest; such events are lucrative markets for them. Other recent examples are swine flu and the release of Harry Potter and the Half-Blood Prince.

The longest total solar eclipse of the century occurred two days ago across Asia, attracting a significant amount of media and user interest, and therefore cybercriminal interest.

Feeding off the intense interest, innocent users have been attacked as they view search results about the eclipse.

In one example, on the 21st of July, searching for 'solar eclipse 2009 time' yielded search results that led to the download of a fake antivirus program.

When the user clicked the link in Google, they were redirected to http://[....]ever.cn/go.php?id=2010-10&key=b8c7c33ca&p=1, which in turn redirected to http://[....]scannerv2.com/1/?id=2010-10&query=b387f2133&q=%3, the fake antivirus page.

Two days later, the malicious domain is still in the top 10 of Google search results; luckily, the domain it redirects to is no longer available.

In a second example, the same search query produces a result that, when selected, displays an image. The image looks like a movie ready to be played, but clicking it initiates the download of Trojan.FakeAlert.

Details of Trojan.FakeAlert

PC Tools Threat Expert analysed the downloaded file as follows:

Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some settings of Windows®, which include disabling permissions for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.

View the full report here.

Download Browser Defender for free to protect yourself against these sorts of threats.

Posted in The Law | Leave a comment

Google Trends seems to be a handy reference tool for attackers who want to know which hot topics currently generate the most public interest: a compass that leads them to the victims.

Here is another example of how a randomly picked hot topic (today it was "Chris Brown Apology Video") predictably leads to rogue antispyware installations.

The cyber crooks behind this malware seem to be catching fish on a naked hook; until the fish gets smarter, they’ll probably stick to these cheap tricks for awhile.

Posted in The Law | Leave a comment

John Bambenek over at the SANS ISC Handler's Diary posted on this morning's shameless SEO attempts to redirect news seekers to exploit pages. The end result on a successfully compromised system is a download of FakeAV (or "scareware"), currently presented under the name "Personal Antivirus":

The ThreatFire community is safe from pav.exe, and there have been a number of triggers on various versions of the file early this morning. Detection by the major AV vendors is very low to non-existent for the current variants.

Surprisingly, the Waledac and Zbot groups have been quiet on this news story so far. We’ll monitor the situation closely.

Posted in The Law | Leave a comment

The gang distributing FakeAV downloaders and more have moved their goods and scheme to yet another server and adult theme. In addition to downloader filenames like streamviewer.45043.exe, tubeviewer.ver.6.21586.exe and onlinemovies.45023.exe, the group is finding success with its newest addition, freepornmovies.40067.exe. The ThreatFire community is protected from these downloaders, and the newest is showing up in higher volumes.

For the most part, this downloader is being served from 64.20.38.172. The following domains currently resolve to that address:
exe-direct. com
exe-get. com
exe-online-world. com
exe-paste. com
exe-porto. com
exe-site. com
exefileformat. com
exenetsfiles. com
freeexefiles. com
hotexefiles. com
my-exe-load. com
newexefile. com
red-exe. com
robo-exe. com
soft-exe. net
the-exefiles. com
tiaexe. com

The downloader itself is currently pulling down the embedded, encrypted malicious files described in a previous post from
myart-gallery. com
robert-art. com
superarthome. com

Be wary of codecs that may be tempting to download and run.

Posted in The Law | Leave a comment

Users continue to get slammed by a rogue antivirus distributor. We have posted before about the prevalent Virut family redirecting compromised hosts to download FakeAV or scareware. You can see a screenshot of the previous scareware scam, "Secure Antivirus Pro" from "Guardog Computing", in the previous post. Compare it to the current version, "Advanced Virus Remover PRO":

Alongside a component that patches the TCP/IP driver, another fairly prevalent and currently active malicious component edits the hosts file, adding the following entries on victim systems:
92.241.176.188 advanced-virus-remover2009. com
92.241.176.188 www.advanced-virus-remover2009. com

Check out the image in the ThreatExpert report: the lvllord component reports on its own functionality for raising the maximum number of concurrent half-open TCP connections with "VALUES HIGHER THAN 100 ARE NOT RECOMMEND! Worms will be able to spread very fast!" It is obvious what tool these distributors are bundling and reusing in an attempt to increase the networking throughput of the system. That limit (10 half-open connections in Windows XP SP2's tcpip.sys) was introduced precisely to slow down scanning worms, so a component that raises it is a tell for malware that intends to scan or spread.

When there is money to be made on scareware, the same behaviors will be displayed again and again in malware, including the stuff by sloppy authors.

Posted in The Law | Leave a comment

We have been monitoring and examining the second fairly prevalent ActiveX 0day of the past couple of weeks, this one targeting the Microsoft Office Web Components control in Internet Explorer. The exploits have been distributed mostly from servers in China, and accordingly the payloads we have examined target a massive audience.

The final payload downloaded and executed after visiting one of these sites is an executable that drops a DLL to disk and runs it. The DLL in turn attempts to steal information from the hugely popular Tencent QQ components, using hooks and capturing screenshots of the entire desktop. The hooks steal QQ usernames and passwords, in particular for QQ Game's Dungeon and Fighter. To give you an idea of the size of the target audience, QQ Game reports over 200 million registered accounts.

Following successful 0day exploitation, the malware copies out a DLL and, as an evasion technique, copies rundll32.exe (normally used to load DLLs) to myInsDll.exe in system32. The malware calls ShellExecute on this renamed rundll32 copy, which loads the dropped DLL. Depending on the command-line argument, the DLL code will delete components or start the heist. First, the DLL disables Windows File Protection with a well-worn technique:

Once WFP is disabled, it deletes Comres.dll from dllcache and replaces Comres.dll with a copy of itself. When c:\Program Files\Tencent\DNF\DNF.exe starts, it normally loads Comres.dll, so the game now loads the malicious copy in its place. This code illustrates the switch:

When the new Comres.dll is loaded into DNF.exe, it steals the QQ user name, password, serial, total money and more from unsuspecting users. To do so, it first places several hooks within TenQQAccount.dll and QQAccount.dll; the jump hooks are written directly into the DLLs' text segments:

All data, including captured usernames, passwords, and entire desktop screenshots were being uploaded to 080506.8866.org.

ThreatFire has been containing this threat within our global community, including our local Chinese user base.

Posted in The Law | Leave a comment

Koobface joined the Twittersphere, and the Twittersphere is fighting back. It’s good to see response from the social networking infrastructure.

Koobface has been distributed in prevalence for around a year now, with the ThreatFire community confident all along that their information is safe from the threat. In other words, if you want to keep it off your system, be careful about what you download and add a behavioral solution like ThreatFire to your system's security layers.

The Koobface family has been distributed in a couple of ways since June/July 2008, growing to significant volumes in December of last year. It started out as a standalone worm menacing the massive volumes of social networking users across a handful of social networks, defeating CAPTCHAs, and downloading more malware to compromised systems. Now it is more frequently distributed as part of a malware package by attack sites, alongside other payloads delivered by exploit pages hosted on malicious web sites: Virut, click-fraud components, spambots (Waledac) and scareware. Koobface can be a secondary method of propagation for these various malware distribution groups.

So it was only a matter of time before the developers figured out that Twitter is another popular Web 2.0 medium, and that TinyURL is one way to obfuscate malicious URLs and distribute them across tweets.

These URLs lead to the standard phony codec pages that are a trademark of the group. This time you'll see "Video posted by -WizArD-"; the site remains up:

When setup.exe is downloaded and run from 98.217.161.163, the user of course does not get the promised Adobe Flash Player update. Instead, they get an updated version of the Koobface worm. Along with the worm, the compromised system is eventually redirected to a FakeAV offer, so the group can make its money:

This morning, accounts tweeting the "My home video :)" message with a TinyURL leading to the "Video posted by -Wizard-" page are receiving some cleanup attention:

The TinyURL has been disabled as well.

Posted in The Law | Leave a comment

Your browser could be redirected to antivir-systempro.com, and you could be fooled into buying something from a spoofed website following a drive-by attack on your system. Or a piece of malware could edit your hosts file and open a window to a legitimate-looking URL. Right now, here is a short list of hosts file modifications made by some active malware:
209.44.111.62 itsecure.microsoft.com
209.44.111.62 avremover-pro.com
209.44.111.62 www.avremover-pro.com

We’ve posted before on ugly hosts file modifications, and about the malicious authors’ intention of duping users into believing that they are downloading something from a legitimate site. The current scheme is in the same vein.

Know that the IP address 209.44.111.62, when added to the hosts file with the entry "itsecure.microsoft.com", is not related to the legitimate software company's web presence; the hosts file is consulted before DNS, so the entry silently redirects that name wherever the malware author wants it. Currently, this scheme leads to the FakeAV "Antivirus System PRO":
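The hosts file changes shown here, and the "advanced-virus-remover2009" entries in the earlier post about the lvllord component, share a shape that is easy to audit for: a vendor's hostname, or any hostname, pinned to a public IP address that DNS would never have returned. The following added example (not ThreatFire's code or any tool from the original posts) parses a hosts file and reports such entries; the list of protected vendor domains is an assumption, and the sample hosts file is constructed from the entries in the two posts with the defanging spaces removed.

```python
import ipaddress

# Vendor domains that should never be pinned in a workstation's hosts file; the page
# shows itsecure.microsoft.com being redirected. The list is an assumption for this example.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com", "pctools.com")

# Mappings present in a stock hosts file; everything else gets examined.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, handling comments and
    lines that list several names for one address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield lineno, ip, name.lower()

def audit_hosts(text):
    """Return (lineno, ip, hostname, reason) for entries worth investigating."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in BASELINE:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, name, "unparseable address"))
            continue
        if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
            findings.append((lineno, ip, name, "vendor hostname overridden"))
        elif addr.is_global:
            # Pinning a name to a public address bypasses DNS for it; the FakeAV entries
            # in the posts do exactly this for their own sales domains.
            findings.append((lineno, ip, name, "hostname pinned to public address"))
    return findings

# Constructed sample: stock header, one legitimate intranet override, then the entries
# from the two posts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.corp          # legitimate internal override
209.44.111.62 itsecure.microsoft.com
209.44.111.62 avremover-pro.com
209.44.111.62 www.avremover-pro.com
92.241.176.188 advanced-virus-remover2009.com www.advanced-virus-remover2009.com
"""

if __name__ == "__main__":
    for lineno, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {name}: {reason}")
```

Private-address overrides (the intranet line) pass, which is what keeps the check quiet on developer machines; on a fleet, the same function run over %SystemRoot%\system32\drivers\etc\hosts from each host and diffed against a known-good copy catches these FakeAV edits the moment they land.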

Posted in The Law | Leave a comment

The gang serving up malicious downloaders from a couple of servers just spiced things up, adding "onlinemovies.40008.exe" to the streamviewer and softwarefortubeview files served from 64.20.38.172. AV detection is very low. It seems that the ISPs may be acting on public information; the sites were up for only a short time today, but ThreatFire protected the community from this prevalent malware all morning.

Related names currently resolving to that address include
exe-dot.com
exe-site.com
my-exe-load.com
red-exe.com
soft-exe.net
tiaexe.com

The group seems to be branching out from the phony movie player theme, more often packaging the downloader into serial generators and crack installers like serial.dragon.naturally.speaking.9.45042.exe and crack.sony.vegas.platinum.edition.9.0.45057.exe. Pirates and P2P users need to be careful about what they download and run.

Posted in The Law | Leave a comment

The botnet-driven distributed denial of service attack that started over the weekend has been hitting American government web sites, among them the White House, the FTC, the NYSE, the FAA, the NSA, the Department of Homeland Security and the Treasury, which is a pretty bold thing to do. The botnet also has many South Korean web sites in its crosshairs, including the president's and various news and commerce sites.

We are examining the binaries involved. ThreatFire could have protected those systems from the bot by stopping its dropper, and in turn prevented at least some of the DoS flood against these U.S. and South Korean web sites. The underlying code itself appears to be fairly unsophisticated.

One of the malicious DoS components is delivered unpacked, sets itself up as a service, and contains a handful of commonly used user-agent strings to camouflage its GET and POST traffic. Interestingly, we find "Accept-Language: ko" and "UA-CPU: x86" in the HTTP headers. We are looking further into an unusual dependency on pcap for network traffic: pcap_open, pcap_sendpacket and other functions are abused by this malware, although it uses common Winsock calls to perform its network activity too.
Here it uses an extremely common registry editing technique to disable the compromised host's Windows Firewall:
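That registry write leaves a clean footprint in registry telemetry. The following added example (not the bot's code or a ThreatFire component) shows the detection over a constructed log: it matches the Windows XP SP2 / Server 2003 firewall policy values (FirewallPolicy\StandardProfile and DomainProfile\EnableFirewall set to 0) and the SharedAccess service being disabled (Start set to 4). The log line format is made up for the example and only approximates Sysmon Event ID 13; the bot image name is invented.

```python
import re

# Registry locations whose modification turns off the Windows Firewall on XP SP2 / 2003.
ENABLE_FIREWALL = re.compile(
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
    r"(StandardProfile|DomainProfile)\\EnableFirewall$", re.IGNORECASE)
SHAREDACCESS_START = re.compile(r"\\Services\\SharedAccess\\Start$", re.IGNORECASE)

def parse_event(line):
    """Constructed 'key=value|key=value' record; returns a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def dword_value(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000000)'; extract the integer."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None

def firewall_tamper(lines):
    """Return (Image, reason) for each registry write that disables the firewall."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only registry value-set events
            continue
        target, value = ev["TargetObject"], dword_value(ev.get("Details", ""))
        m = ENABLE_FIREWALL.search(target)
        if m and value == 0:
            hits.append((ev["Image"], f"{m.group(1)} EnableFirewall set to 0"))
        elif SHAREDACCESS_START.search(target) and value == 4:
            hits.append((ev["Image"], "SharedAccess (firewall/ICS) service disabled, Start=4"))
    return hits

# Constructed sample log. A third record re-enables the firewall and must not be flagged.
FWPOL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
BOT = r"C:\WINDOWS\system32\dos_bot.exe"      # made-up name for the DoS component
SAMPLE_LOG = [
    f"EventID=13|Image={BOT}|TargetObject={FWPOL}\\StandardProfile\\EnableFirewall|Details=DWORD (0x00000000)",
    f"EventID=13|Image={BOT}|TargetObject={SVC}\\Start|Details=DWORD (0x00000004)",
    f"EventID=13|Image=C:\\WINDOWS\\system32\\svchost.exe|TargetObject={FWPOL}\\StandardProfile\\EnableFirewall|Details=DWORD (0x00000001)",
    f"EventID=1|Image={BOT}|CommandLine={BOT} -install",
]

if __name__ == "__main__":
    for image, reason in firewall_tamper(SAMPLE_LOG):
        print(f"{image}: {reason}")
```

On Vista and later the same key carries PublicProfile and PrivateProfile subkeys with the same EnableFirewall value, so the profile alternation in the pattern is the only part that needs widening for newer hosts.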

In the meantime, government, network operators and web masters in both countries are working to tame this thing.

Posted in The Law | Leave a comment

The recent Michael Jackson Zbot variant implements a variety of IAT hooks to perform its data stealing and to stay stealthy on victims' compromised systems. Its user-mode hook techniques have been described as "implemented properly" for malicious user-mode hooks. The Zbot releases have changed in various ways over time, and a couple of new additions reveal ongoing development by the same writers.

The Zbot family continues to use multi-stage component injection to achieve its final goal of stealing sensitive and confidential information from the machine. It attempts to kill off two fairly prevalent firewalls at startup, functionality that seems to be present across all Zbot releases. It also continues to hide its on-disk components by hooking NtQueryDirectoryFile in ntdll, and uses much the same list of hooked ntdll calls as the original release as its basis for planting further hooks:
LdrLoadDll
LdrGetProcedureAddress
NtCreateThread

A couple of hooks have been a standard part of its releases for stealing data:
GetClipboardData has always been used to steal information from the clipboard; copying and pasting your username/password won't get past this malware.
TranslateMessage buffers keyboard input from window messages, converts it to Unicode, and sends it over a pipe to the controller process to be exfiltrated from the victim's machine.

A couple of newer hooks relate to what is known as screen scraping:
BeginPaint/EndPaint appear to be hooks designed to determine when to perform the screenshot functionality found in the DefWindowProcW hook.
DefWindowProcW is the mechanism used to obtain a device context for a window and generate a bitmap from it; in other words, this functionality takes screenshots on the victim's machine as they use it.

All in all, Zbot is one of the nastier malware families in circulation with a fairly regular release cycle and is actively used by cybercrooks. ThreatFire has been effectively preventing this malicious family from stealing information for a couple of years now.

Posted in The Law | Leave a comment

The MsVidCtl 0day has been passed around and widely distributed since at least the 6th. We have been monitoring multiple groups abusing Internet Explorer's capability to render streaming video.

Some of the recent and interesting activity has been the exploit writers' JavaScript evasion techniques: splitting what was one page of JavaScript into 10 files, one for each line of script, rendering some pattern-matching solutions useless. This sort of attack is most effective against the most performance-sensitive security layers, like network-based ones, and some other fairly unsophisticated client-side solutions.

The payloads vary, from adware to social network credential stealers. ThreatFire has been preventing the exploit within the community from the start. We anxiously await a hotfix, something beyond the killbit workaround. Georg Wicherski points out that the vulnerability is a trivial one in which the attacker can abuse the SEH handler, but the heap spray attack code we have seen in the wild is reliable and less effort to implement. What has worked in the past will continue to be put out in prevalence!

In the meantime, your information is safe and protected against observed and unknown exploits attacking this vulnerability with ThreatFire.

Posted in The Law | Leave a comment

The results and the PoC are in, congratulations to Mark Dowd and Ben Hawkes for uncovering 12 vulnerabilities in the open source Google Native Client: “Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps“.

The project raises the question "Do we need another ActiveX?", or rather, "do we need a safer ActiveX for running untrusted and arbitrary code from within a browser on all platforms?" While the contest showed that buffer overflows can be present in the sandbox itself, several of which appear to remain open issues, Google claims that the architecture itself has been strengthened and validated by the contest: "This contest helped us discover implementation errors in Native Client and some areas of our codebase we need to spend more time reviewing. More importantly, that no major architectural flaws were found provides evidence that Native Client can be made safe enough for widespread use. Toward that end, we're implementing additional security measures, such as an outer sandbox". The contest seems a great way to clean up code, but the claims seem somewhat questionable. Just see what Dave Aitel has to say about what architectural flaws really are.

Posted in The Law | Leave a comment

Over the past couple of months, the Waledac spam/botnet effort seemed to be dwindling. A large software company attempted to take credit for cleaning up the “ecosystem” of Waledac with their cleanup tool release.

In the meantime, Waledac's presence on systems changed and appeared in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes, prevented by ThreatFire in low volumes, bundled with other attacks.

So it is somewhat surprising that the botnet group just cannot pass up another holiday, blasting out attention-grabbing mail and flashy websites. Symantec reported on the spam messages sent to entice users to visit the malicious Waledac web sites and download and install the bot. In addition to the spam, here is the grammatically incorrect Waledac text from a screenshot of the spoofed YouTube sites set up by the distributors to fool users into running the downloaded malware:

“Colorful Independence Day events took place throughout the country

This year July 4th firework’s shows were surprisingly amazing. The largest firework happend this Saturday. Unprecedented sum of money was spent on this fabulous show even despite crisis. The American Pyrotechnics Association has named South Shore’s Fourth of July fireworks show as the best pyrotechnic displays in the nation. If you want to see this fantastic show just click on the video below and press “Run”.”

When a user clicks on the phony video frame, malicious Waledac executables with names like "video.exe", "movie.exe", "run.exe", "setup.exe" and others are served up.
The victim must then run the executable; no client-side exploits were being delivered on the multiple Waledac sites we observed. Currently, fast-flux domains to avoid for this Waledac run include (but are not limited to):
4thfirework. com
holifireworks. com
video4thjuly. com
holidayfirework. com
moviefireworks. com
fireworksnetwork. com
movies4thjuly. com
happyindependence. com
freeindependence. com
fireworkspoint. com
movie4thjuly. com
fireworksholiday. com
moviesfireworks. com

Instead of registering these domains through Xin Net Technologies, this time around they were registered through China Springboard, Inc. It is quite likely that this registrar will be one to watch for the next few holidays.

The bot itself continues to maintain its list of peer nodes for its P2P-over-HTTP protocol as clean, XML-formatted data, and is packed with techniques consistent with those used prior to this release; not much has changed here.

Happy Fourth of July to our American readers and safe browsing!

Posted in The Law | Leave a comment

The FTC recently settled with a FakeAV purveyor. While this settlement won't remove all of the variants out there, it is welcome news nonetheless, with ongoing progress and the case list here. The fewer distributors of XP Antivirus the better: "The two settling defendants were part of a massive deceptive advertising scheme that tricked more than a million consumers into buying "rogue" computer security products, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, according to the FTC's complaint." ThreatFire users were protected from a number of these scareware packages, including XP Antivirus, in high volumes within the community back in mid-2008 and earlier.

The FTC's complaint from December calls this stuff scareware, also called "rogueware". It is amazing how many users really fell, and continue to fall, for this stuff, and then cannot get their money back. According to the complaint:
“Unaware of the Defendants’ trickery, more than one million consumers have purchased the Defendants’ software products to cure their computers of the non-existent problems “detected” by the Defendants’ fake scans…
Although some consumers later realize they have been defrauded by Defendants and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”

Posted in The Law

The Green Dam project to filter or censor web access on PCs sold in China is blossoming into a controversy. From the Wolchok, Yao and Halderman analysis of the software, which added to the buildup:
“According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material…We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors…In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.”

In light of these issues, the installation mandate appears to have been delayed indefinitely. We’ll add more info as it comes to light and WikiLeaks comes back up.

Posted in The Law

Yesterday, amid the heavy Michael Jackson news coverage and tabloid autopsy speculation, another round of email was spammed out with the following text:

Michael Jackson Was Killed…
But Who Killed Michael Jackson?
Visit X-Files to see the answer:
(hxxp://xfiles link here)

The link redirected to a site hosted at 87.97.116. 131, in an X-Files-esque directory “x-files/x-file-mjacksonkiller.exe”, which is currently down. The site hosted a malformed PDF and a Zbot banking-password-stealing variant. The ThreatFire community prevented the file in very low prevalence, so very few users are falling for this shameless scam. But we remind you to always think twice before running an unknown executable or visiting an untrusted site (the URL for this one is most likely not a domain one would recognize: jillih. com), regardless of the news. And update third-party plugins on your system, like PDF readers.

Update (7/8/09): hooks added to the Zbot code described here.

Posted in The Law

The New York Times reported on the developing challenges of confronting cybersecurity threats at the government level, in an article about the differing approaches of Russia and the U.S.: “The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet.” The countries’ political leaders will meet later this week, which may result in higher levels of cooperation between law enforcement agencies internationally, more discussion around treaties, or absolutely nothing at all. We’ll be watching.

Posted in The Law

We have been investigating and analyzing a variety of malicious components delivered by some recent downloaders. Some of the filenames stand out as unusual. In particular, “podmena”, which translates from Russian as “a substitution or replacement made in a covert way” (“pod” is “sub” or “under”, as in under cover; “mena” is the root of the word for exchange); it is often used to mean “spoof” or “fake”. “Spoof” is fitting.

The two “podmena” files dropped by the phony codec/viewer installs seem to be gathering much interest and gaining prevalence. They’ll be discussed here and the post itself will be updated with new information as it is uncovered.

First off, the files are dropped as one of the many payloads during the phony codec downloader attacks described in previous posts here, here and here. The components appear to be part of a click fraud scheme and a way to generate artificial traffic volume for several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.

Podmena.dll is registered as a ServiceDll to be run via svchost.exe -k podmena.dll.
Podmena.sys is installed as a kernel driver that runs at startup and attaches to \Device\Tcp, intercepting all TCP-related IRPs.

On startup the DLL sends a DeviceIoControl() request to the driver, which it opens via \\.\podmena\. The initial I/O control code tells the driver to monitor outbound TCP port 80 and redirect all such packets to 127.0.0.1:8085. The DLL then sends a second I/O control code, which activates the forwarding.

The DLL binds a listening port on 8085, which now acts as an HTTP proxy for all outbound port 80 traffic. On receiving a request (after the driver has redirected it), the DLL scans the requested URL for search keywords, keyed on the domain name of the request (e.g. search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn).

When a keyword is found, it submits the text to its parent controller (the binaries we have seen hard-code “zz-dn.com”, which is unavailable, and then fall back to 85.13.236.134, an IP hosted in London). After a randomized delay, the DLL loads up and sends the web browser to URLs based on the response it receives from this parent controller.

In our lab, subsequent requests were sent to a variety of sites, all of them hosting a variety of ads, even without visiting a search engine. The svchost process loaded with podmena.dll can visit hundreds of sites roughly every ten minutes, depending on the instructions it receives.
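To make the keyword-harvesting step concrete, here is an added example (written for this post, not podmena’s code and not something from the blog) of what a port-80 proxy sitting on 127.0.0.1:8085 has to do with each redirected request: parse the request head, recover the host, and pull the search text out of the query string when the host matches one of the domain fragments named above. Because the driver redirects connections transparently, the proxy sees origin-form requests (a path plus a Host header); an explicitly configured proxy would see absolute-form URLs, and the parser handles both. The domain fragments are the ones listed in the post; the query-parameter names (q, p, search_query, query) are assumptions, since the post only says “search keywords”. The sample requests are constructed, not captured traffic.

```python
"""Parse an intercepted HTTP request and extract search keywords by host.
Added example; models the harvesting step described in the post, nothing more."""
from urllib.parse import urlsplit, parse_qs

# Domain fragments named in the post. The proxy keys on the Host, not the path;
# substring matching is deliberately loose, as the post's list suggests.
SEARCH_DOMAIN_FRAGMENTS = ("search.yahoo", "google", "youtube", "yahooapis",
                           "metacafe", "sugg.search", "aolcdn")

# ASSUMPTION: which query parameters carry the search text. The post does not
# say; these are the common parameter names on the listed sites.
QUERY_PARAMS = ("q", "p", "search_query", "query")


def parse_request(raw: bytes):
    """Return (method, host, path_with_query) from an HTTP/1.x request head.

    Accepts origin-form ("GET /search?q=x HTTP/1.1" + Host header), which is what
    a transparently redirected connection carries, and absolute-form
    ("GET http://host/path HTTP/1.1"). Returns None for anything that is not a
    well-formed request head (e.g. a TLS ClientHello that landed on the port).
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        u = urlsplit(target)
        host, path = u.hostname or "", u.path or "/"
        if u.query:
            path += "?" + u.query
    else:
        host = headers.get("host", "").split(":")[0]  # drop any :port
        path = target
    if not host:
        return None
    return method, host.lower(), path


def extract_search_terms(raw: bytes):
    """Return the search terms if the request targets a watched domain and
    carries a recognised query parameter; otherwise an empty list."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    _method, host, path = parsed
    if not any(fragment in host for fragment in SEARCH_DOMAIN_FRAGMENTS):
        return []
    params = parse_qs(urlsplit(path).query, keep_blank_values=False)
    terms = []
    for name in QUERY_PARAMS:
        for value in params.get(name, []):
            value = value.strip()
            if value and value not in terms:
                terms.append(value)
    return terms


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "yahoo": (b"GET /search?p=cheap+flights&fr=yfp HTTP/1.1\r\n"
              b"Host: search.yahoo.com\r\nUser-Agent: x\r\n\r\n"),
    "google_abs": (b"GET http://www.google.com/search?q=harry+potter+online+free "
                   b"HTTP/1.1\r\n\r\n"),
    "other": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "junk": b"\x16\x03\x01\x00\xa5\x01\x00",  # looks like a TLS record, not HTTP
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, parse_request(request), extract_search_terms(request))
```

The same parser is what a defender would put behind a honeypot listener on 8085 to see exactly which requests the driver is diverting; the harvested terms are what podmena sends to its controller before it starts generating the ad traffic described above.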

Oddly, we have not seen these components go after higher-value targets like banking user IDs and passwords.

Posted in The Law

You’re going to have to wait for it to come out. And if you don’t, you may be sorry you didn’t wait.

The group pushing blackhat SEO tactics to abuse the most popular networks, including digg.com, blogspot.com and others, continues to prey on those interested in upcoming movie releases.

First, a user will most likely come across popularized phony links within the blogosphere. Here is an example of the group’s digg.com abuse, where they entice Harry Potter fans with the text ‘Watch “Harry Potter and the Half-Blood Prince” online free’ and fill the digg comment list with related keywords to attract more search engines:

This link redirects to a blogspot post that contains more images from the movie itself, intensifying the anticipation and convincing the user that the movie is only one click away: ‘Watch “Harry Potter and the Half-Blood Prince” movie 2009 online for free’. See an example of the blog post here:

Clicking on any one of these links on the blog post redirects the user to the standard phony video offer:

It is here that the user is prompted to download and install the additional “streamviewer” malicious downloader component from exe-center .com at 64.20.38.171, which we have been monitoring. This phony viewer is really a downloader that has been installing all sorts of malware, changing its selection daily: Koobface (the digg user is most likely into social networking), adware, scareware, click fraud components, spambots, spyware and more. Missing out on an early peek at Harry Potter is then the least of the user’s worries.

This theme predictably will be used over p2p networks and other vectors of delivery in the coming weeks. Stay tuned.

Posted in The Law

No, probably not. This fake alert most likely has to do with the streamviewer exe that you downloaded and ran.

We’ve been monitoring a FakeAv/Koobface/spyware delivery scheme, and today the group dropped their standard FakeAv moneymaker and added a set of phony codec gimmickry to their bag of tricks, redirecting the user’s browser to v-s-codecpro.com/purchase.php?code= while popping scareware messages about corrupt sound and video codecs. See the prompt in the lower right-hand corner here:

The codecs on your system are most likely not corrupted; they were not corrupted on our infected lab system.

Posted in The Law

Our post last week warned that a group had moved their FakeAv-Koobface-Vundo-Spyware “softwarefortubeview” phony codec downloader to a new home, and this week we are examining a similar scheme that downloads, surprise, surprise, Koobface, FakeAv-prompting BHOs like iehelper.dll’s prompts for “Antivirus system PRO”, performs some level of click fraud, and installs podmena.dll and podmena.sys. This one also includes a nice FTP credential-stealing component, lifting passwords from FileZilla, Coffee Cup, FTP Control, CuteFTP and more.

Streamviewer.40050.exe (and other streamviewer + random version names) has been flying off the shelf at a server on 64.20.38.171. That IP hosts multiple badware domains:
go-exe-go.com
reverse38-170.reserver.ru
gruzzilla.com
hot-exe-area.com
last-exe-portal.com
main-exe-home.com
super-exe-home.com

What is interesting about the downloader is the way in which additional malware is downloaded and dropped by this phony codec. It contacts a set of servers with encoded data about the system:
reportsystem32.com (216.240.146.119)
terradataweb.com (66.199.229.229)
dvdisorapid.com (64.27.5.202)
superimagesart.com (95.211.8.61)
thenewpic.com (66.148.80.4)

It then pulls out data from a decoded XML file containing a list of URLs to contact for a variety of .gif images (titem.gif, qwerce.gif, 217.gif, etc.):
superimagesart.com
thenewpic.com
stockshopimages.com
imagesoffline.com
theimagesphoto.com
imageheadphones.com

At the time of download, GIF viewers will display titem.gif with a political message about French politician Christine Boutin:

Know that we do not endorse any political message with this post. But this GIF is no ordinary image. If it were, its size might reach 35 kB at the most. Embedded in the image is the encrypted payload, bloating the file out to a couple hundred kilobytes (~270 kB).
The downloader gathers the response information from the previous sites to find more URLs to contact and its decryption key. It then uses that key to decrypt the code embedded within the downloaded GIFs.
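The size mismatch is the one thing about these carrier images that can be checked without the downloader’s key. The following is an added example (not the downloader’s code, and not from the blog) that walks the GIF block structure exactly as a viewer would, to the 0x3B trailer, and reports three independent signals: bytes appended after the trailer, LZW image data far larger than the declared pixel count could need (GIF LZW codes are at most 12 bits, so more than about 2 bytes per pixel cannot be pixel data), and a total file size above the ~35 kB a genuine titem.gif would reach. The post says the payload is “embedded”, which could mean either placement; the walker catches both. The sample GIF and its 4 KiB pseudo-random “payload” are constructed for the example, not the real titem.gif.

```python
"""Detect a GIF that carries more than an image: appended data after the
trailer, or image data blocks far too large for the declared pixels.
Added example; the real downloader's decryption is not reproduced here."""
import hashlib
import math
import struct


def _skip_sub_blocks(data: bytes, pos: int):
    """Advance over a GIF data sub-block chain; return (new_pos, payload_bytes)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:                     # zero-length block terminates the chain
            return pos, total
        pos += n
        total += n


def walk_gif(data: bytes) -> dict:
    """Walk the block structure of a GIF and report where the trailer ends,
    how many pixels were declared and how many bytes of LZW data carry them."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 0x07))      # 2^(N+1) entries of 3 bytes
    pixels = image_bytes = 0
    while True:
        if pos >= len(data):
            raise ValueError("no trailer before end of data")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                        # trailer
            return {"trailer_end": pos, "pixels": pixels,
                    "image_data_bytes": image_bytes}
        if tag == 0x21:                        # extension: label byte, sub-blocks
            pos, _ = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C:                      # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            _l, _t, iw, ih, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
            pos += 9
            if ipacked & 0x80:                 # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                           # LZW minimum code size
            pos, n = _skip_sub_blocks(data, pos)
            pixels += iw * ih
            image_bytes += n
        else:
            raise ValueError(f"unexpected block tag 0x{tag:02x} at {pos - 1}")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_gif(data: bytes, max_plain_size: int = 35 * 1024) -> dict:
    """Flag a GIF carrying an extra payload. 35 kB is the upper bound the post
    gives for a real titem.gif; the 2-bytes-per-pixel LZW bound is a heuristic."""
    info = walk_gif(data)
    trailing = data[info["trailer_end"]:]
    oversized_lzw = info["image_data_bytes"] > 2 * info["pixels"] + 1024
    return {
        "image_bytes": info["trailer_end"],
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "oversized_lzw": oversized_lzw,
        "suspicious": bool(trailing) or oversized_lzw or len(data) > max_plain_size,
    }


# Constructed samples (not the real titem.gif): a valid 1x1 GIF89a, and the same
# image with 4 KiB of pseudo-random bytes appended after the 0x3B trailer.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
             + b"\x00\x00\x00\xff\xff\xff"           # 2-entry global colour table
             + b"\x21\xf9\x04\x00\x00\x00\x00\x00"   # graphic control extension
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02\x02\x44\x01\x00"               # LZW min code size + data
             + b"\x3b")
FAKE_PAYLOAD = b"".join(hashlib.sha256(b"payload%d" % i).digest() for i in range(128))
CARRIER_GIF = CLEAN_GIF + FAKE_PAYLOAD

if __name__ == "__main__":
    print("clean:  ", analyze_gif(CLEAN_GIF))
    print("carrier:", analyze_gif(CARRIER_GIF))
```

Trailing bytes with entropy near 8 bits per byte are what you expect from the encrypted blob described above; a plaintext PE appended to an image would instead show an MZ header and much lower entropy, which is exactly the older, easier-to-spot scheme this group has moved away from.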

Much like the recent (and possibly related) beladen downloader and the older Tibs downloaders, this image-embedded malware delivery scheme attempts to evade gateway-appliance-based protection and optimized AV scans with GIF-based encrypted payloads. It also stymies automated web-crawling-based research efforts. No longer are we seeing simple XOR decoding schemes with visible PE headers in downloaded image files; the encryption implemented for this attack was another previously commercial, proprietary encryption algorithm.
ThreatFire is preventing this downloader in fairly high prevalence.

Posted in The Law

Following reports about pirated, Trojan-infested Windows 7 builds, it is quite interesting to see what wrappers are used at the “crack stores” to lure as many people as possible. Some of these wrappers look pretty hilarious:

Posted in The Law