Malware Research Experts

Friday, September 25, 2009

Bogus MS Update

We have been receiving bogus emails claiming to be coming from Microsoft:

...public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:

hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm

They seem to be compromized websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a Zeus malware with filename update09.exe.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.

The presence of the following files/folders may indicate signs of infection:

%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\

More here.

Tuesday, September 22, 2009

Another Shameless SEO based on Atlanta Flooding

Users Googling "Atlanta flood pictures" receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.

Here's a screenshot of a google search result:
atlanta_flood_google

A Fiddler capture shows us the redirections:
atlanta_fiddle

So we go from

hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which is a variant of the Total Security family of Fake AVs.

At the moment, the following domains have been observed to have been involved in this attack:

winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:

89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

Friday, September 18, 2009

Koobface on the Move, Serving Scareware !!

We have been seeing a lot of new movement on the koobface front Lately.

koob_fiddle

As koobface-serving domains are being taken down as early as the good guys discover them, the bad guys are at it and they respond by registering new ones. At the moment, their, C&C server is hosted in China with IP Address 61.235.117.83.

The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.

fake_facebook

Clicking anywhere on the page, presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:

koob_script

115.130.27.204

123.202.200.84

151.204.31.67

196.206.65.53

221.126.0.105

24.215.207.229

41.238.76.198

61.93.34.23

67.206.253.52

68.47.48.240

69.18.107.115

69.254.215.173

70.122.242.250

70.212.232.126

71.116.37.213

71.130.216.179

71.194.236.32

71.80.105.40

72.13.138.210

72.190.87.208

75.181.171.110

75.251.94.44

76.119.98.22

76.22.160.28

76.23.203.64

81.192.192.160

98.140.58.163

98.244.224.140

98.26.40.38

99.22.74.229

The javascript component being by used by koobface, remains bascically the same as before

And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:

rogue

gotrioscan(dot)com

plazec(dot)info

At some instances, we also get these warnings:

hardware_error

At the moment, these warnings are serving Internet Antivirus Pro.

Update:
Koobface has been going at it and here's another one that spoofs youtube and serves koobface malware as a fake codec:

hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go

Thursday, August 27, 2009

Porn site distributes scareware

Another website has recently been spotted to be serving up malware in the guise of fake video codecs.

This one praises itself as "The Best Nude Celebrity Movie Site"
hxxp://alyssafan.net/1.html

face_codec

But in order to watch the any video, we would need to download and install their "Certified ActiveX video codec (VAC codec) use to protect content Copyrights"

The fake fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe

One of the components used in this attack is an onfuscated javascript file that can be found in the %temp% folder.

obfuscated

This script translates to:

deobfuscated

This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe

Which then gives us scareware Safety Center:

safetycenter

Beware of fake video codecs!

Friday, August 21, 2009

Scareware asking for ransom: System Security

Scareware is BIG business. They use heaps of scare tactics in order to convince unsuspecting users into buying rogue applications. But here's one that does a bit more than just scaring.

System Security terminates almost all running processes. This basically prevents us from using our computers. More importantly, this hinders execution of tools necessary to investigate the infection and aid in removal of this rogue app.

Back in the day, in order to evade detection and removal, malware writers have targeted security-related applications. They have a black list of applications including (but not limited to) the following:

avast.exe
avp.exe
cmd.exe
icesword.exe
kav.exe
regedit.exe
taskmgr.exe

But now they block even the most harmless Windows applications such as calc.exe and notepad.exe. But not all applications should be terminated, because that basically means no Windows. No Windows means no profit so the bad guys need basic Windows functionality. Which tells us that they have probably stopped using blacklisting and shifted to whitelisting instead. They now have a list of applications that they would allow to be executed in the system.

Here's part of some disassembly taken from a sample of System Security, showing us evidence of whitelisting:

Rogue app takes a snapshot of all the processes in the system:

.rsrc:140B4B4F                 push    edi
.rsrc:140B4B50                 push    2
.rsrc:140B4B52                 call    CreateToolhelp32Snapshot
.rsrc:140B4B57                 mov     [ebp+hObject], eax
...
.rsrc:140B4B79                 push    ecx
.rsrc:140B4B7A                 push    eax
.rsrc:140B4B7B                 mov     [ebp+var_64C], 22Ch
.rsrc:140B4B85                 call    Process32FirstW
...
.rsrc:140B4BAB                 push    [ebp+dwProcessId] ; dwProcessId
.rsrc:140B4BB1                 push    0               ; bInheritHandle
.rsrc:140B4BB3                 push    1FFFFFh         ; dwDesiredAccess
.rsrc:140B4BB8                 call    ds:OpenProcess

It then terminates the processes not found in the white list:

.rsrc:140B4C00                 push    0FFFFFFFFh      ; uExitCode
.rsrc:140B4C02                 push    edi             ; hProcess
.rsrc:140B4C03                 call    ebx ; TerminateProcess

and displays this message as a notification in the system tray:

.rsrc:14039998 aApplicationCan:                        ; DATA XREF: sub_140B4ADD+16A
.rsrc:14039998                 unicode 0, 
.rsrc:14039998                 unicode 0, 
.rsrc:14039998                 dw 0Ah
.rsrc:14039998                 unicode 0, ,0
.rsrc:14039A5E                 align 10h
.rsrc:14039A60 aWarning:                               ; DATA XREF: .rsrc:140104BF
.rsrc:14039A60                                         ; sub_140B4ADD+1DB ...
.rsrc:14039A60                 unicode 0, ,0
.rsrc:14039A72                 align 4

It then resumes processing the snapshot created earlier and the cycle continues:

.rsrc:140B4CDF                 lea     eax, [ebp+var_64C]
.rsrc:140B4CE5                 push    eax
.rsrc:140B4CE6                 push    [ebp+hObject]
.rsrc:140B4CEC                 call    Process32NextW

Here's the list of applications that the scareware allows:

.rsrc:14046A48 off_14046A48    dd offset aAlg_exe      ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48                                         ; "alg.exe"
.rsrc:14046A4C                 dd offset aCsrss_exe    ; "csrss.exe"
.rsrc:14046A50                 dd offset aCtfmon_exe   ; "ctfmon.exe"
.rsrc:14046A54                 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58                 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C                 dd offset aSlsvc_exe    ; "slsvc.exe"
.rsrc:14046A60                 dd offset aSmss_exe     ; "smss.exe"
.rsrc:14046A64                 dd offset aSpoolsv_exe  ; "spoolsv.exe"
.rsrc:14046A68                 dd offset aSvchost_exe  ; "svchost.exe"
.rsrc:14046A6C                 dd offset aSystem       ; "system"
.rsrc:14046A70                 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74                 dd offset aLsass_exe    ; "lsass.exe"
.rsrc:14046A78                 dd offset aLsm_exe      ; "lsm.exe"
.rsrc:14046A7C                 dd offset aNvsvc_exe    ; "nvsvc.exe"
.rsrc:14046A80                 dd offset aWininit_exe  ; "wininit.exe"
.rsrc:14046A84                 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88                 dd offset aWscntfy_exe  ; "wscntfy.exe"
.rsrc:14046A8C                 dd offset aWuauclt_exe  ; "wuauclt.exe"

As we can see, System Security is more than just scareware. You won't be able to properly use your computer unless you buy the rogue app. Sounds more like ransomeware to me.

But, now that we know that it uses whitelisting, we can do a little work around and bypass this technique. We can rename a copy of the tools that we need to run as one of the whitelisted applications and voila! We've already taken one step into regaining full use of our infected computer.

Thursday, August 20, 2009

Rogue AV Clone: Windows Protection Suite

Another scareware has been spotted and it calls itself Windows Protection Suite.

You can get Windows Protection Suite from one of these urls:


hxxp://searchscanner.net/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlaGuHjsbIo22Eh4uLt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6YU9janW1eZWpslGGbZmGXkonZ0Zqop5uikomtpXFqZmxtbWmaYZyfV5OQcQ%3D%3D
hxxp://linewebsearch.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
hxxp://guardinfo.net/?p=WKmimHVlbm2HjsbIo22EfYCIt1POo22cU9LXoKith6Swz9KwoFqbnZxxmpinc4rapZxql2OemI6WaWeZY5WK2J%2Bgo6vKnpRfpqd2ZWppaHCUXpeaaFaQl28%3D

It uses the same tactic as seen on earlier posts here and here where the website claims to scan the unsuspecting user's computer, detects heaps of infections, and offers a bogus solution.

scan

Looking at the installed scareware we find out that Windows Protection Suite is nothing but a clone of Windows Security Suite.

WPS

Even their websites are clones:

WPS_WEB

hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com

Wednesday, August 19, 2009

This summary is not available. Please click here to view the post.