SophosLabs blog (http://www.sophos.com/blogs/sophoslabs/): Viruses, worms, spam, vulnerabilities. Sophos experts discuss the latest security threats and attacks. Feed dated Wed, 17 Mar 2010 23:07:45 +0000.

Troj/JSRedir-AU: Troj/JSRedir-AK redux?
Pob, SophosLabs, UK. Wed, 17 Mar 2010 12:00:38 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9141

Late last year I blogged about Troj/JSRedir-AK and how it was very prevalent, accounting for ~40% of web-based malware. Earlier this year I mentioned that it had changed, and late last month I saw that it had changed again, into Troj/JSRedir-AU.

The infection numbers of Troj/JSRedir-AR and Troj/JSRedir-AU haven’t been quite as impressive as those of Troj/JSRedir-AK, but the sites compromised have included several high profile victims. For instance, this morning I was alerted to an infection on a major European newspaper by one of our Sophos web security appliances, and earlier in the week Sophos notified a Dutch menswear outfitter of an infection on one of their sites.

The outfitter, after being notified, did not want ‘our help’, and three days later still hasn’t cleaned up their website.

As you can see, this is another case of an old website with a redirect to the new site, with extra malware on the side.

The malicious code, like the previous examples Troj/JSRedir-AK and Troj/JSRedir-AR, takes two distinct forms:

  • one injected into HTML files as a malicious <SCRIPT> tag
  • the other appended to JavaScript files

You can see in the above code snippet:

var Y=F('89910918991021',"129")

The code has a function F which treats the second string as a set of characters and strips every occurrence of them from the first string. In Perl code:

        use strict;
        use warnings;

        # read the injected script line by line (file argument or stdin)
        while (<>) {
                # match calls of the form F('<encoded>', "<characters to strip>")
                if (/F\('([a-zA-Z0-9]+)'\s*,\s*"([a-zA-Z0-9]+)"/) {
                        my $one = $1;
                        my $two = $2;
                        # delete every character listed in $two from $one
                        $one =~ s/[$two]//g;
                        print $one . "\n";
                }
        }
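The same decoding as an added Python example (not code from the original post). It generalises the Perl snippet above slightly: it accepts either quote style on either argument and reports every F(...) call in a file, whether the script was injected into HTML or appended to a JavaScript file. The sample inputs are constructed around the call quoted on the page; the argument order of F (encoded string first, strip set second) is taken from the post.

```python
import re
from typing import List, Tuple

# Matches calls of the form F('<encoded>', "<characters to strip>"). Either
# argument may use single or double quotes (the page's Perl snippet assumed
# single then double); the arguments are assumed to be alphanumeric, as there.
F_CALL = re.compile(
    r"""F\(\s*(['"])([A-Za-z0-9]+)\1\s*,\s*(['"])([A-Za-z0-9]+)\3\s*\)"""
)


def decode_f(encoded: str, strip_chars: str) -> str:
    """Reproduce F(): delete every character listed in strip_chars from encoded."""
    blacklist = set(strip_chars)
    return "".join(ch for ch in encoded if ch not in blacklist)


def decode_calls(text: str) -> List[Tuple[str, str, str]]:
    """Return (encoded, strip_chars, decoded) for every F(...) call found in text."""
    results = []
    for match in F_CALL.finditer(text):
        encoded, strip_chars = match.group(2), match.group(4)
        results.append((encoded, strip_chars, decode_f(encoded, strip_chars)))
    return results


# Constructed samples: the call quoted on this page, once inside an injected
# <SCRIPT> tag and once in the appended-to-JavaScript form with the quotes swapped.
SAMPLE_HTML = """<html><body>
<SCRIPT>var Y=F('89910918991021',"129");</SCRIPT>
</body></html>"""

SAMPLE_JS = "function legit(){}\nvar Y=F(\"89910918991021\", '129');\n"

if __name__ == "__main__":
    for label, blob in (("html", SAMPLE_HTML), ("js", SAMPLE_JS)):
        for encoded, strip_chars, decoded in decode_calls(blob):
            print(f"{label}: F({encoded!r}, {strip_chars!r}) -> {decoded!r}")
```

For the pair quoted on the page the function returns 8080; what the script does with that value is not something the post shows.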

The other variable in the image, w, holds the address of the malicious site that the code redirects to.

When infected website owners have talked to us, we have been able to trace the source of the infection to compromised FTP credentials.

The Dangers Of Freebies
CheeHui, SophosLabs AU. Wed, 17 Mar 2010 05:02:52 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9136

The internet is rife with free tools for anything and everything (almost): from free HTML web editors to free applications to free games and so on.

We’ve been in this situation before. Sometimes out of curiosity or “affluenza” (also known as “I-GOTTA-HAVE-IT-NOW-NO-MATTER-WHAT”), we are tempted to install some of these free tools and applications from the web.

The unfortunate problem with freebies is that unless you know the source you are downloading the tool from, and whether the author who created it is credible, you are literally at the whim and mercy of that author should you choose to download and install the application.

To make matters worse, some download websites don’t even bother to check and verify every piece of software that is uploaded to their site. Some do not even perform any kind of anti-virus scanning of the uploaded software.

Take a look at this piece of software that was touted as a web tool obtained from a download website.

This tool was supposed to be an HTML editor, but upon running it, clearly something was wrong. No trace of the software was visible after running the application. This should raise a giant red flag that something is horribly amiss. To make matters worse, unless you happen to know what to look for, you’d be hard pressed to find out what kind of activity or system changes have been made on your computer (click on the picture below to see a clearer image of the registry entry made by this Trojan).

In this case, this backdoor Trojan (Troj/Bifrose-ZI) manifested itself as a file in your Windows System folder and created a registry entry to run itself upon the next startup (notice how notoriously difficult it is to know what to look for, and where?). You now have a backdoor Trojan active on your computer which a remote intruder can use to gain access to it. The type of malicious activity that can then take place on your computer ranges from using it to download more malware, to turning it into a botnet zombie, to stealing confidential information, and so on; you get the idea.

If you’re an avid internet user who loves downloading freebies, then this article should scare you and rightly so. Not everything that glitters is gold, as they say.

Great. So how do we protect ourselves against such scams and malware?

For one, I have always believed in the KISS (Keep It Simple Stupid) principle.

Before you download any application, pause and think whether it’s really necessary to have that software or whether it’s going to do nothing but put more “bloat” on your computer (you know a particular software is “bloatware” when you have not touched it in the last 6 months). If you’re uncertain, just go away from the computer for a few moments to think it over. Never ever download free software at a moment’s whim.

Last but not least, when you’re browsing the web, always check that your anti-virus software is running and your firewall is enabled, and ensure that all of these security solutions are updated regularly.

IMF money-making scam
Prashant Kumar, SophosLabs AU. Tue, 16 Mar 2010 07:55:46 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9091

I have seen a lot of these lately. This one, currently doing the rounds, tries to dupe the reader into thinking that the International Monetary Fund (IMF) wants to use their account to transfer money meant for charity.


In the email, the IMF (supposedly) wants to transfer $10 Million into the reader’s account using NatWest Bank. The contact details within the bank are given as follows:

Name: Mr. Donald Miller (Co-founder)
Office Address: 11 El Shams Bldgs., 8th District Nasr City
E-mail: Bernisecharityfoundationimf 'at' gmail.com
Tel: (+44) 7031-939-750
Fax: (+44) 7011830323


Some things to notice:

1. Fake e-mail addresses: both of the e-mail addresses mentioned in the message (Intmonetaryfunds ‘at’ aol.com and Bernisecharityfoundationimf ‘at’ gmail.com) are from common free e-mail service providers.

2. The letter is not addressed to anyone. Surely if the IMF wanted you to have their $10 Million, they would know your name?

Be very careful of such scams. They are on the rise and appear to be extremely enticing. Never ever divulge your personal details and simply delete such e-mails.

A Change From Dirty Laundry…
Julie Yeates, SophosLabs UK. Sat, 13 Mar 2010 16:50:49 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9088

Yesterday evening my student daughter arrived home for the weekend bringing a bag full of laundry, one full of books and, for a change, the laptop belonging to one of her housemates.

It seems that towards the end of last year the impoverished student could not afford to renew his AV subscription and has been, in effect, unwittingly running a malware honeypot on his laptop since it lapsed.

Fortunately for him, he managed to acquire a particularly vicious FakeAV last week. The spoofed alerts and flashing warnings alarmed him, but since he could not afford to pay the ransom to the bad guys he ignored them. That he couldn’t visit several legitimate websites irritated him, but it was not until the FakeAV prevented him from accessing iTunes that he began to complain loudly to the whole household, at which point my daughter called me for advice.

“Bring the laptop home and I’ll see what can be done” was my suggestion.

So while a colleague and I have been working on this sunny Saturday, the dirty laptop has been receiving some rather special attention here at SophosLabs. I’m pleased to report that the months of accumulated malware was all detected by Sophos and that the laptop is now clean. What’s more, it should remain clean since it is now running an up-to-date anti-virus package.

It was fortunate for my daughter’s housemate that he acquired such a visible piece of malware, one that loudly announced its presence to the whole household a few days before she had planned to come home for this Mother’s Day weekend.

So all’s well that ends well.

But I can’t help wondering how many other youngsters are running the risk of surfing the internet without the safeguard of a good anti-virus tool and just how much malware they may unwittingly be spreading. Perhaps we parents should take responsibility for teaching our offspring the Facts Of Online Life and first and foremost should be the golden rule, do not surf without protection.

Phishing craigslist - but is it malware?
Pete, SophosLabs AU. Fri, 12 Mar 2010 05:02:52 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9048

Malware has traditionally been easy to spot and classify, mainly because it was created to serve a specific nefarious purpose and nothing else. In the ongoing arms race between malware authors and the security industry, stealth and other ‘in plain sight’ technologies are emerging as clear favorites.

Case in point is a recent Craigslist phish disguised as a phone update. There is nothing new about malware pretending to be something it isn’t, but that’s not where the story ends. Examining the executable shows that it is nothing more than a RAR self-extracting (SFX) archive, and thus not inherently malicious.

Contained within the archive are two seemingly innocent files: a HOSTS file and an internet shortcut (.url file). The internet shortcut points to craigslist and draws little or no suspicion when the object is scanned in isolation. The HOSTS file likewise contains mappings for various craigslist sub-domains, but without prior knowledge of the state of the HOSTS file, or dynamic resolution of the domains, it is difficult to determine whether the mappings are legitimate (especially when the file is considered in isolation).

When deployed as a complete package, however, the HOSTS file remaps craigslist to some other IP, so that when the internet shortcut is launched it goes somewhere other than the stated destination: in this case, a craigslist phish requesting login information.
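One way to surface the kind of remapping described above, as an added example rather than anything from the original post: parse a HOSTS file and flag entries that send a watched domain (or any of its sub-domains) to an address other than loopback. Loopback entries are left alone because they are the normal ad-blocking use of the file. The HOSTS content and the 192.0.2.10 address are constructed for the example; the watched domain comes from the post.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Constructed HOSTS file. The craigslist lines stand in for the remappings the
# post describes; 192.0.2.10 is a documentation-range placeholder, not a real
# phishing host. The ads.example.net line is a typical benign ad-block entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
192.0.2.10      craigslist.org www.craigslist.org
192.0.2.10      sfbay.craigslist.org   # sub-domain remapped too
127.0.0.1       ads.example.net
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) pairs from HOSTS-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_mappings(text: str, watch_domains: List[str]) -> List[Tuple[str, str]]:
    """Return HOSTS entries that point a watched domain or sub-domain away from loopback.

    A mapping to 127.0.0.1 or ::1 merely blocks the name; a mapping to any other
    address silently redirects the browser, which is what the phish relies on.
    """
    watched = [d.lower().strip(".") for d in watch_domains]
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; not a usable mapping
        if addr.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_mappings(SAMPLE_HOSTS, ["craigslist.org"]):
        print(f"{name} is redirected to {ip}")
```

On a real machine the same check would be run against %SystemRoot%\System32\drivers\etc\hosts with a list of sites the organisation cares about.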

So is it malware? Are any of the components malware? Clearly when these benign components are found acting in unison, malicious behavior is observed [1], but what about detection?

Traditional signature-based malware detection is obviously incapable of dealing with such multi-component threats. They require instead a wider, context-based observe-correlate-classify approach which draws on a variety of information sources, such as reputation, nearest neighbour and behavior.

Because matches don’t start fires, people do!

Internet Explorer 0-day targeted in spam runs
Fraser Howard, SophosLabs UK. Wed, 10 Mar 2010 15:27:27 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9030

Hot on the heels of yesterday’s Patch Tuesday announcements (see the blog or the links to the vulnerability assessment pages) came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).

Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link.

  • the tried and tested “delivery failed, please confirm address details” messages
  • a request to confirm details for an insurance quote

Example messages are shown below.

In either case, clicking on the link takes the victim to a web page which kickstarts the infection process.

Generic detection for the exploit scripts seen thus far has been added as Troj/ExpJS-R. A script used to query the browser/OS version before loading the exploit script (or redirecting to a games site) has been added as Troj/JSRedir-AW.

The malicious payloads installed in such attacks are liable to change of course, but the ones seen thus far have been either proactively detected as Mal/Dropper-Y, or added as Troj/Dloadr-CYS.

SophosLabs will continue monitoring for new attacks looking to exploit this vulnerability. In the interim, aside from keeping your protection up to date, take note of the following from the Microsoft announcement:

Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected.

If you are an IE user and have not yet upgraded to version 8, take a hint! It is strongly recommended that you do so. Aside from not being affected by this particular issue, there is a whole bundle of other security related features you are otherwise missing out on.

The SophosLabs vulnerability assessment page for the IE 0-day vulnerability will be updated accordingly.

Patch Tuesday Continues.. Now With IE Vulnerability!
mjc, SophosLabs Canada. Wed, 10 Mar 2010 00:13:28 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9027

This Patch Tuesday had been quiet, perhaps too quiet.

It turns out there is also a new advisory for Internet Explorer.

For a more complete list, please see the SophosLabs Vulnerability Analysis page.

March Patch Tuesday …. pay attention Mac users
Michael Shannon, Researcher, SophosLabs UK. Tue, 09 Mar 2010 18:35:44 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9023

This Patch Tuesday has been relatively quiet, with Microsoft issuing only two patches, both of which it rates as merely important.

Privately disclosed vulnerabilities in Movie Maker, Movie Producer and Excel could lead to remote code being executed with the same privileges as the current user.

Apple users take note: Microsoft Office 2004 and Office 2008 for the Mac are affected by MS10-017. As such, Microsoft Office users on the Mac will need to download and install an update to protect themselves.

Unfortunately, today’s patches do not address the VBScript RCE IE vulnerability mentioned in Microsoft’s advisory from the first of this month ( Advisory 981169 ).

For more information about these threats, please see the SophosLabs Vulnerability Analysis page.

SEO blogger victim of malicious SEO attack
Pob, SophosLabs, UK. Sat, 06 Mar 2010 14:11:30 +0000. http://www.sophos.com/blogs/sophoslabs/?p=9002

On Friday evening I was talking to a North American customer who had been fighting with infections caused by SEO poisoning. They mentioned a particular search term that could generate new samples of FakeAVs. The funny thing was that the website hacked by the SEO poisoner was the blog of someone trying to promote legitimate business use of SEO techniques.

If you clicked on any of the links returned by the search you would be redirected to an Indian site containing this image:

After allowing scripts on an unprotected, unfiltered machine I quickly saw the pop up:

Eventually, you will be prompted to download an executable.

Quick Scanning

>>> Virus ‘Troj/FakeAV-AYU’ found in file packupdate_build9_195.exe

The Indian websites are actually detected as malware:

Quick Scanning

>>> Virus ‘Mal/FakeAvJs-A’ found in file Security Threat Analysis.html

So customers searching behind a Sophos web security appliance, or browsing with the BHO enabled would be blocked from accessing the Indian website.

For those customers who don’t have a Sophos web security appliance or don’t use IE there is hope. Sophos will soon be opening a beta for Endpoint Security and Control 9.5, which includes “Live Web protection for fixed and mobile endpoints, blocking access to malicious URLs”. To register for this beta or find out more about the beta program, follow this link.

All browsers are (not) created equal
Vanja Svajcer, SophosLabs, Croatia. Fri, 05 Mar 2010 17:17:25 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8993

My friends often ask me about steps they can take to keep their systems at work and at home free from malware. Apart from the usual recommendation to use an alternative, less targeted and therefore slightly more secure operating system such as Linux or OS X (OpenBSD would also be an interesting alternative), I used to mention that a change of web browser would also be very helpful.

Internet Explorer is still the most commonly used browser, with a little above 60% market share, but its share has been steadily declining over the last couple of years. I am fairly sure that one of the main reasons people move to Firefox or Chrome is a perceived lack of security. Internet Explorer is the most common target for malware and various exploit packs, although the latest versions have proved to be much more resilient to attack. With most users finally making the switch away from IE6, we hope that the exploits will be even less successful in the future. This of course means that attackers are changing their focus to other products like Adobe Reader or Flash, the most commonly used internet applications after browsers. Exploiting Flash or Adobe Reader allows the attacker to abstract away the browser version and often the browser itself. Adobe’s attitude to security also does not help.

It is going to be very interesting to follow the browser race now that Microsoft has had to offer alternative web browsers through Windows Update and on new Windows installations. So, are we going to see other browsers equally used and equally targeted by malware writers? Could we expect a flood of newly discovered vulnerabilities when vulnerability researchers change their focus?

One of the browsers that could benefit from the new browser equality is Opera whose download numbers allegedly tripled since the beginning of the new regime. It is well known that attacks come with the platform popularity and perhaps this is why a new Opera vulnerability with the accompanying proof of concept code was disclosed the day before yesterday.

The vulnerability is a classic integer overflow in opera.dll which can be triggered if the attacker changes the value of the Content-Length header of the HTTP response. The integer overflow eventually causes an access protection exception due to an attempted write to a non-allocated memory page. I had a quick look at the proof of concept exploit, which only causes the browser to crash, to find out whether the bug is easily exploitable. Since I could not find anything obvious with my 101-level exploit development skills, I decided to leave it to the exploit development experts and go back to analysing malware and protecting Sophos users.

Who’s watching you really?
Beth Jones, SophosLabs US. Fri, 05 Mar 2010 15:31:24 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8976

This morning while I was enjoying my coffee I received an event notification for my personal Facebook account. It was for a group called “See Who’s Spying On Your Profile - GET NOTIFIED -”, and another called “See Everyone Who Views Your Profile”. Immediately, my security hat went on and I started to investigate.

At first glance, they are both pyramid schemes. In both, you become a fan, then you have to suggest the page to 50 of your friends to move onto the next stage. From there the tactics diverge slightly. In the first one, you need to take a marketing quiz that asks for all sorts of personal info, and you need to put in your Facebook username and password, so they can “monitor” your profile. AND you have to provide them with your mobile number. Now wait a minute… why would they need my mobile number?

Hang on. That seems a bit “phishy” to me. Let’s check what they have to say on their wall.

Sure enough, based on the comments left on the page, this “notify” feature doesn’t work. This group had over 58,000 fans.

In the second one, it was not so much a phish as a way to get you to download a toolbar. In the invite is a shortened URL that leads to a download site. It’s a “social network” toolbar that has various “widgets” for social sites such as Facebook, Twitter, Flickr, etc. This group had over 300,000 members.

So wait a minute, more than 358,000 people have willingly given their login details with little thought. They were so concerned with who was “spying” on their profile (there’s been a lot of media about insurance companies accessing social media sites as a way to deny claims), that they fell for the bait - hook, line and sinker. If you are concerned about who is viewing your Facebook profile, please check out these links to lock down your privacy settings.

http://www.sophos.com/security/topic/facebook.html
http://www.sophos.com/security/best-practice/facebook/

Adservers compromised in latest Zbot push
Fraser Howard, SophosLabs UK. Fri, 05 Mar 2010 11:56:24 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8960

As we have commented before [1,2], when content served up from adservers is compromised the effects can be far reaching, potentially exposing huge numbers of victims to the malicious code as they innocently browse legitimate sites. The problem is further complicated by the fact that legitimate ad content is often heavily obfuscated in order to evade ad-blocking technology [3].

During the latter half of this week we have seen a whole batch of compromised adservers injected with malicious JavaScript that silently loads malicious content from a remote site. A significant number of popular sites that load ad content from these servers have therefore been affected by this attack.

The injected malicious JavaScript can be seen at the top of the ad content:

Ad streams compromised in this way are being blocked by Sophos products as Mal/Iframe-F.

Readers may recognise the target domain, masquerading as a legitimate Google Analytics site. It was mentioned in the ISC handlers diary yesterday [4].

So what happens when the compromised ads are loaded by the browser?

  • 301 redirect from google-analitics dot net to a salefale dot com subdomain.
  • malicious script (detected as Mal/ObfJS-BP) which attempts to load further malicious Flash (Troj/SWFExp-N), Java (Troj/Clsldr-U) and PDF (Troj/PDFJs-B) content in order to deliver the payload.
  • payloads seen thus far have been Zbot (detected as Troj/Zbot-MU) and Bredo (detected as Mal/Bredo-E).

It would appear that salefale dot com is now inactive, though we can expect the attack to simply move to new sites.

FakeAV, now for Windows 7!
Onur Komili, Researcher, SophosLabs, Canada. Thu, 04 Mar 2010 19:53:41 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8963

It’s been over a year since we first started seeing the familiar Windows XP My Computer page where it appears your drives are being scanned and it reports a bunch of non-existent malware on your computer. Yesterday I was investigating the latest hot news item, where a FAMU (Florida Agricultural and Mechanical University) sex tape was released on the internet, and sure enough I found many SEO poisoned links claiming to have the video. Imagine my surprise when I saw the following.

It seems the malware folks have upgraded their look to the latest Windows 7! They have to assume people visiting their pages have upgraded to the latest Windows. After all, it seems less likely people will fall for a Windows XP My Computer looking page claiming they have malware when they’re running Windows 7. It will be interesting to see if all of these pages slowly convert to Windows 7, if this is just a one-off, or if they keep a mix of the two in the wild and just hope to get lucky.

Also, for those curious as to why Google indexes these pages so highly, this is what the pages look like from the perspective of the Googlebot that indexes the web.

There are plenty of keywords mentioning the topics they’re trying to poison, and in many cases each page links to many other pages in a big network of very similar sites. That in turn raises the Google search ranking even further, so that when users like us come searching for these terms we see them near the top of the results. Unfortunately for people searching Google, instead of serving us the colorful pages the sites detect that we aren’t the Google crawler and instead redirect to the FakeAV pages.

As always be careful of links you click on when searching for the latest news on Google. Stick to sites you’re familiar with and just enter the URL manually in the address bar rather than searching for it on Google when you can.

Mariposa botnet take down
Fraser Howard, SophosLabs UK. Wed, 03 Mar 2010 16:31:13 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8941

Readers may well have read some of the news stories posted after yesterday’s news concerning the take down of the “Mariposa” botnet [1, 2]. So what is Mariposa?

Mariposa is the name given to a particular botnet that started getting some attention during the first half of 2009 [3]. The botnet was dubbed Mariposa thanks to the name of one of the C&C servers that is used:

butterfly dot sinip dot es

since Mariposa is the Spanish word for butterfly.

The malware behind the botnet is commonly known as Rimecud or Palevo. For Sophos customers, malicious files are detected as W32/Rimecud, Mal/EncPk-IY or Mal/Rimecud. The malware is distributed through a variety of mechanisms:

  • copying itself to removable storage devices
  • through instant messages
  • through P2P file-sharing applications

Once running on a victim machine, Rimecud connects to a C&C server in order to receive remote commands. As is typical for today’s botnets, functionality includes the ability for additional files to be downloaded and executed on compromised machines.

The Rimecud family typifies many of the characteristics we associate with today’s threats. A kit was used to facilitate creation of new variants - known as the Butterfly Bot Kit [4]. Variants were packed using polymorphic techniques in an attempt to evade detection and obfuscate functionality. This in part explains the large volume of unique variants of Rimecud seen.

After some sterling work by the Mariposa Working Group (a joint effort between Spanish authorities in conjunction with various security firms), the Mariposa botnet was shut down at the end of 2009. At the time, it was reported that the botnet compromised over 12 million systems, which included many Fortune 100 listed companies [5].

Reports suggest that the subsequent actions of one of the alleged ringleaders (attempting to regain control of the botnet) were crucial to the arrests made in February 2010 by the Spanish authorities.

Contraband Imports
fnh, SophosLabs CA. Tue, 02 Mar 2010 18:58:04 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8925

One of the issues malware writers deal with is having their programs load and execute on a victim’s computer. An unwary victim may click on an email attachment and have the malware run once. But in order to continue to be of value to the author, that piece of malware has to arrange for itself to be run after the computer inevitably gets rebooted.

There are several well known ways to accomplish this task. The problem here is that these methods are well known, and security software knows where to look. Which brings us to the topic of this blog entry. We recently came across a hacked copy of imm32.dll, which is Microsoft’s Input Method Manager library. The authors inserted an extra imported library into the file’s import directory. The extra library name starts with “net” and the imported function name is randomized.

Oh no, nothing suspicious here

When imm32.dll is used, this additional malicious library is also loaded and all its functionality is contained in its initialization code.

We detect these hacked versions of imm32.dll as Troj/Imm32Hck-A.

Old websites are also used in spam SEOs
Pob, SophosLabs, UK. Sun, 28 Feb 2010 10:16:42 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8912

On Friday I blogged that old websites don’t die, they just get infected. The other scenario is that they become part of a spammer’s SEO campaign.

Working today, I went to check whether the local police authority had cleaned up their old web page. So I fetched the file with wget and scanned it. It was no longer infected (hooray!), but the file was quite big. Opening the file in lynx (a simple text-mode web browser) I saw:

Now, instead of malware appended to the bottom of the web page, there is spam advertising meds.

If you are no longer using/updating your web site think about deactivating it because having malware and/or spam on it will impact on your brand image.

Free FakeAV at Virus-Total (That’s not VirusTotal)
SavioL, SophosLabs, Canada. Sat, 27 Feb 2010 04:01:24 +0000. http://www.sophos.com/blogs/sophoslabs/?p=8885

VirusTotal is well known to most readers of this blog. It is a free online virus and malware scanning service which allows submitters to test a particular file against a multitude of malware scanners. So it is not highly surprising that malware authors would try to use that name to further their gain.

Today we came across such a sample arriving at one of our spamtraps through a car-related forum. The message looks like this:

Subject: Warning!

DO NOT REPLY TO THIS EMAIL!
***************************

Dear [Redacted forum user name],

You have received a new private message at [Redacted] Forum from [Redacted], entitled “Warning!”.

To read the original version, respond to, or delete this message, you must log in here:
http://[Redacted]

This is the message that was sent:
***************
Dear, [Redacted forum user names]

There are viruses’ activities from your computer! Highly recommend you to scan your computer for malicious and potentially unwanted software. If you do not follow this, I will have to make a complaint to your Internet Service Provider with attached log file (your IP address, etc.). If you want to find a report about your computer’s security and solve every problem with it, please click here: http://www.virus-total.[TLD removed]/detected/[Redacted] This is an online service that you can use for free spyware removal. Use it to scan your computer to help protect, clean, and keep your computer running at its best. Use the free scan to check for and remove viruses, spyware, and other potentially malicious software and to find vulnerabilities or shortcomings in your Internet security.

Thank you. Yours truly, [Redacted].
***************

That’s right: the malware authors registered a domain called virus-total.TLD (the suffix is deliberately removed here so that the curious don’t get themselves into trouble). This is in contrast to the legitimate site, which is at virustotal.com, with no dash in the name.

The link in the forum message would bring an unsuspecting user to a page which says:

“We detected viruses activity from your computer. If that is really so, we highly recommend you to install our security tool and keep your computer running at its best.. Please, wait for a moment. You’ll be redirected to perform scanning…”

This page then redirects to /scanning/ on the same website, which generates the following popup:

The popup is followed by a fake scanning page loading inside the browser:

One interesting aspect of this fake page is that the “Windows Security Alert” pop-up is actually a time-delayed element drawn inside the page. Although the box imitates a Windows XP dialog, it cannot be moved at all, which is one cheap way to spot the imitation.

When the fake scan completes, another pop-up asks the user to download a file called security_tool_setup.exe. Needless to say, this file is malicious and is yet another fake antivirus. Fortunately, this executable was already proactively detected as Mal/FakeVirPk-A.

The moral of the story: even though there are helpful people out there warning others about malware, the same technique is abused by malware authors for their own gain. So no matter whether a link comes from a friend, a family member or a close acquaintance, be careful which links you follow.
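A check for the dash trick used here, as an added example and not code from the Sophos post: it normalises each label of a hostname (drops hyphens, underscores and the common digit-for-letter swaps) and compares it with a list of protected brand names, flagging one-letter near-misses as well as exact matches. The brand list and the sample hostnames are constructed for the example; the real TLD the spammers used is withheld by the post and is not assumed here.

```python
"""Flag hostnames that imitate a protected brand such as virustotal.com.

Added example, not code from the Sophos post. PROTECTED and the hostnames
in the __main__ block are constructed for illustration.
"""
import re

# Constructed: brand label -> the one legitimate host for it.
PROTECTED = {
    "virustotal": "virustotal.com",
}

# Separator insertion ("virus-total") and digit-for-letter swaps ("v1rustotal")
# are the cheap tricks; collapsing them first makes the comparison honest.
_SEPARATORS = re.compile(r"[-_.]")
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(label: str) -> str:
    return _SEPARATORS.sub("", label.lower()).translate(_SUBS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, small enough to inline; catches one-letter typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """'legitimate' for the brand's own host (or a subdomain of it),
    'lookalike' if any label of the name imitates a brand, else 'unrelated'."""
    host = host.lower().strip(".")
    for brand, legit_host in PROTECTED.items():
        if host == legit_host or host.endswith("." + legit_host):
            return "legitimate"
        for label in host.split("."):
            norm = normalise(label)
            # Very short labels (www, com, uk) produce noise; skip them.
            if len(norm) < 4:
                continue
            if norm == brand or levenshtein(norm, brand) <= 1:
                return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed hostnames; ".example" stands in for the TLD the post withholds.
    for h in ("virustotal.com", "www.virus-total.example", "v1rustotal.example",
              "virustotal.com.evil.example", "example.org"):
        print(f"{h:32} {classify(h)}")
```

Checking every label, not just the registrable one, is what catches the brand buried in a subdomain (virustotal.com.evil.example); the legitimate-host test runs first so the brand's own subdomains are not flagged.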

Multiple personality disorder? http://www.sophos.com/blogs/sophoslabs/?p=8799 http://www.sophos.com/blogs/sophoslabs/?p=8799#comments Fri, 26 Feb 2010 23:19:40 +0000 Pete, SophosLabs AU http://www.sophos.com/blogs/sophoslabs/?p=8799 Are malware authors and spammers suffering from the same affliction of “word salad”, or are they perhaps devoted students of Afringlish? Why else would one combine random words in an attempt to look legitimate?

The reason is a simple one: not only are humans good at attaching meaning to names, they are also exceptionally good at filling in the blanks, while machines are not. Thus, by carefully selecting particular names for insertion into the version information of malware samples, such as those of reputable software houses, the authors attempt to exploit this human trait. Presumably they also hope to bypass security scanners that approve files based on such superficial attributes.

What on earth is a “BitTorrent Microsoft Enumerator”, how does it relate to “DirectX Avast”, and is it really a product on offer from Salfeld Computer (a company that produces parental control software)? It sounds like a case of confused personality disorder, or a really bad $2 disguise.

Putting on a fancy wig and red nose won’t make you a clown, but double-clicking on files with such eclectic version information certainly will!

Insight into fake AV SEO http://www.sophos.com/blogs/sophoslabs/?p=8867 http://www.sophos.com/blogs/sophoslabs/?p=8867#comments Fri, 26 Feb 2010 12:14:39 +0000 Fraser Howard, SophosLabs UK http://www.sophos.com/blogs/sophoslabs/?p=8867 Readers of the Sophos blogs will probably have seen the post Graham made about the ‘killer whale video’ SEO attacks. We have described SEO attacks before (for example here). In this post I want to highlight how these attacks work, and how Sophos protects you against them.

  1. Pages using server-side kits to fool search-engine bots into ranking them highly are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, links to these pages appear high in the search results. In the example below, the malicious SEO page was the second item in the search results (highlighted in blue).
  2. When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below). A visitor without a search-engine referrer, such as the site owner looking at the page, is not redirected, which is why the compromise often goes unnoticed by the owner.
  3. There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org site to the .in site (purple).
  4. Finally, the user is redirected to the fake AV distribution site (red). This is where the usual visual trickery is applied to fool the user into installing the rogue application.

So how do you protect against these attacks? Of course, detecting the fake AV itself is important, and as Graham indicated, Mal/FakeAV-BW does just that for this spate of attacks. But there are additional layers of protection as well, which are equally important.

The first is URL filtering: blocking access to the malicious sites used in these attacks. This is highly effective, though it is made ever more challenging by attackers continually using freshly registered domains (.in being a current favourite). On top of this, detection of the redirect pages themselves can be really valuable; earlier this week I added Troj/JSRedir-AT for this very purpose. Additionally, detection of the scripts used on the fake AV distribution sites themselves provides another tier of protection (blocked as Mal/FakeAvJs-A). With this detection in place, when the user clicks on the SEO link in the search engine they simply see a block page and the attack is thwarted.


If I look through some of the URLs on which we have been detecting Troj/JSRedir-AT over the past 24 hours, I can extract the search terms that users were using. The usual suspects are present: ‘killer whales’, ‘Winter Olympics’, technology, Tiger Woods (sigh) and ‘American Idol’ (bigger sigh).

jagr+hit
ovechkin+hit+on+jagr
Cheryl+Bernard+swimsuit
Dawn+Brancheau
hannah+storm+outfit+picture
Hannah+Storm
olympic+hockey+bracket+2010
seaworld+accident
shamu+attacks
who+did+tim+urban+replace+on+american+idol
tiger+woods+apology+video
american+idol+judges
motorola+backflip+specs
Scotty+Largo+Pictures
seaworld+trainer+killed
shamu+attacks
usa+hockey+roster
natalee+holloway+latest+news
natalie+holloway
yu+na+kim
whale+kills+trainer+video
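The referrer check from step 2 and the search-term extraction just described, as an added example that is not part of the original post. It parses Apache-style combined access-log lines, pulls the search string out of any search-engine referrer, and lists the paths that answer 302 to search-engine visitors but 200 to everyone else, which is the cloaking signature of an SEO landing page planted on a compromised site. The search-engine host list and query-parameter names are a small illustrative subset, and the log lines are constructed; none of it comes from the post.

```python
"""Search-term extraction and cloaked-redirect detection over web-server logs.

Added example, not code from the Sophos post. SEARCH_ENGINES is a small
illustrative subset and SAMPLE_LOG is constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed: search-engine host -> the query parameter carrying the search string.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# Apache/Squid "combined" log format: ip ident user [time] "request" status bytes "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"$'
)

# Constructed log lines: a cloaked page at /news/whale.php and a normal page.
SAMPLE_LOG = [
    '10.0.0.1 - - [25/Feb/2010:10:01:02 +0000] "GET /news/whale.php HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=killer+whales+video" "Mozilla/5.0"',
    '10.0.0.2 - - [25/Feb/2010:10:01:05 +0000] "GET /news/whale.php HTTP/1.1" 200 4120 '
    '"-" "Mozilla/5.0"',
    '10.0.0.3 - - [25/Feb/2010:10:02:11 +0000] "GET /news/whale.php HTTP/1.1" 302 0 '
    '"http://www.bing.com/search?q=seaworld%20trainer%20killed" "Mozilla/5.0"',
    '10.0.0.4 - - [25/Feb/2010:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 812 '
    '"http://www.google.com/search?q=tiger+woods+apology+video" "Mozilla/5.0"',
]


def is_search_referrer(referrer: str) -> bool:
    """The same test the SEO kit makes server-side: did the visitor come from a search engine?"""
    host = (urlsplit(referrer).hostname or "").lower()
    return host in SEARCH_ENGINES


def search_terms(referrer: str) -> Optional[str]:
    """Decoded search string carried in a search-engine referrer, or None."""
    parts = urlsplit(referrer)
    param = SEARCH_ENGINES.get((parts.hostname or "").lower())
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)   # parse_qs turns '+' and %20 into spaces
    return values[0] if values else None


def terms_from_log(lines):
    """(search term, requested path, status) for every search-referred hit."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        term = search_terms(m["ref"])
        if term is None:
            continue
        path = m["req"].split()[1]
        out.append((term, path, int(m["status"])))
    return out


def cloaking_suspects(lines):
    """Paths that 302 search-engine visitors but serve 200 to direct visitors."""
    by_path = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["req"].split()[1]
        bucket = "search" if is_search_referrer(m["ref"]) else "other"
        by_path.setdefault(path, {"search": set(), "other": set()})[bucket].add(int(m["status"]))
    return sorted(p for p, s in by_path.items()
                  if 302 in s["search"] and s["other"] and 302 not in s["other"])


if __name__ == "__main__":
    for term, path, status in terms_from_log(SAMPLE_LOG):
        print(f"{status} {path:20} {term}")
    print("cloaking suspects:", cloaking_suspects(SAMPLE_LOG))
```

Run it over your own access log (one line per list element) to see which of your pages are answering search-engine traffic differently from everyone else; a site owner fetching the page directly, as in step 2, never sees the redirect.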

As ever, it is the combination of product technologies that provides the best protection against such threats.

Troj/IFrame-DY: Old websites don’t die they just get infected http://www.sophos.com/blogs/sophoslabs/?p=8854 http://www.sophos.com/blogs/sophoslabs/?p=8854#comments Fri, 26 Feb 2010 10:00:26 +0000 Pob, SophosLabs, UK http://www.sophos.com/blogs/sophoslabs/?p=8854 Earlier this week Sophos informed a UK local police authority (Hertfordshire) that a website it owned was infected with Troj/IFrame-DY.

It turns out that the police authority has a new site, and the infected site is an old one that just sends users on to the new one:

Unfortunately, the old site also contains a malicious script, appended after the closing </HTML> tag. Browsers are lenient about markup outside the document and still run script placed there, so the placement keeps the code away from a quick look at the top of the source without stopping it from executing.

There are several ways of migrating users to a new website:

  • Deleting the old site and letting the search engines take the strain
  • Doing server-side redirects
  • Asking the ISP to point the old website’s name at the new site’s IP address
  • Relying on client-side redirects

There are benefits and costs to all of the above methods; however, from a security point of view, leaving an old, abandoned (not updated and not secured) website online is the worst option.
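The check that this post and the follow-up about the same site’s pharmacy spam both describe by hand (wget the page, look at what follows the closing tag), as an added example that is not part of either Sophos post. It reports what sits after the first </html> in a saved page: a script or iframe there is the Troj/IFrame-DY pattern, a block of hidden links is the spam-SEO pattern. Both sample pages are constructed, and the tag and style heuristics are my own, not anything the posts specify.

```python
"""Report content appended after the closing </html> of a saved web page.

Added example, not code from the Sophos posts. SAMPLE_PAGE and CLEAN_PAGE are
constructed; the hidden-style and tag heuristics are assumptions of this example.
"""
import re
import sys

HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
LINK_TAG = re.compile(r"<a\b[^>]*\bhref\s*=", re.IGNORECASE)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

# Constructed: an old "we have moved" page with a script and hidden spam links
# appended after </html>, and the same page without the trailer.
SAMPLE_PAGE = """<html>
<head><meta http-equiv="refresh" content="5;url=http://new.example/"></head>
<body>This site has moved to <a href="http://new.example/">new.example</a>.</body>
</html>
<script src="http://bad.example/x.js"></script>
<div style="display:none"><a href="http://pills.example/">cheap meds</a>
<a href="http://pills.example/2">buy now</a></div>
"""
CLEAN_PAGE = SAMPLE_PAGE.split("</html>")[0] + "</html>\n"


def trailing_content(html: str) -> str:
    """Everything after the FIRST </html>, so an injected blob that carries its
    own closing tag cannot hide itself; '' if there is nothing or no closing tag."""
    m = HTML_CLOSE.search(html)
    return html[m.end():].strip() if m else ""


def classify_trailer(html: str) -> dict:
    tail = trailing_content(html)
    report = {
        "bytes": len(tail),
        "scripts": len(SCRIPT_TAG.findall(tail)),   # Troj/IFrame-DY style
        "iframes": len(IFRAME_TAG.findall(tail)),   # ditto
        "links": len(LINK_TAG.findall(tail)),       # spam-SEO style
        "hidden": bool(HIDDEN_STYLE.search(tail)),  # links the visitor is not meant to see
    }
    report["suspicious"] = bool(tail) and any(
        (report["scripts"], report["iframes"], report["links"], report["hidden"]))
    return report


if __name__ == "__main__":
    # Usage: python check_trailer.py page.html   (page saved with wget); no arg runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            page = f.read()
    else:
        page = SAMPLE_PAGE
    print(classify_trailer(page))
```

A whitespace-only trailer is normal and is not flagged; anything else after the closing tag deserves a look, since a correctly authored page has no reason to put markup there.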
