Many of the Wepawet reports also include a number of malicious URLs hosted at various IP addresses, at least some of which appear to be individual infected PCs whose IPs are probably dynamically assigned by the ISP.
Credit to my wife for reporting suspicious bit.ly redirect URLs that were being spread by a hacked Facebook account, which led to my investigation and discovery of these domains.
*Note that some of these domains were registered years ago. Their homepages may or may not be safe, but specific URLs hosted on these domains redirect to malicious sites or contain malware. Until the site owners remove the infected pages, these domains should not be trusted.
UPDATE, 8 Feb 2010 @ 06:20 PST: Added a second batch of sites. UPDATE, 8 Feb 2010 @ 13:40 PST: Added pablopicassosite and VirusTotal links.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
The following .ru domains were all privately registered on one of two dates (2009.10.28 or 2009.11.22), were all last updated on the same date (2010.01.11), and all have been reported by Websense Security Labs, Malware Domain List, or others as being malicious. Following are links to each domain's Web of Trust report:
Links to these sites usually contain deceptive subdomains and directories in an attempt to trick novice Web users and to increase search result rankings (see example URLs by clicking on the Malware Domain List link below).
On New Year's Day I found an old blog post from last June written by Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham (who referenced my "How to Preview Shortened URLs" article—thanks, Gary!). I was curious to see whether one of the malware URLs mentioned in his blog post was still active more than 6 months later, and sure enough, it was. Here's what I found out:
showmealltube .com/paqi-video/7.html
used obscured JavaScript code [see the Wepawet analysis] to redirect to evamendesochka .com/go.php?sid=9
which redirected to jumbotubes .com/xplaymovie.php?id=40012
(It doesn't redirect to jumbotubes anymore, but I'll get back to that.) The jumbotubes page pretended to contain an embedded video which in reality linked to a malicious payload:
megaloadfile .com/flash-HQ-plugin.40012.exe
I submitted the file to VirusTotal and found that only 4 out of 39 engines detected it. I sent the sample to multiple AV vendors, and detection improved gradually over the next several days:
File name: flash-HQ-plugin.40012.exe
File size: 111104 bytes
MD5...: 84e8fcd09215fe4555b5532f22f1f96e
SHA1..: 5084a5ecdfd16220809c59ef5a6ca8e692237841
SHA256: 89d2f41d182fad11d71e4312b589c8b8a4ebdaf3384ae01ca9827091e4f55097 4/39 detection rate as of 2010.01.01 20:50:54 (UTC) 16/40 detection rate as of 2010.01.03 10:10:30 (UTC) 21/40 detection rate as of 2010.01.04 07:48:32 (UTC) 33/41 detection rate as of 2010.01.06 08:03:47 (UTC) Variously identified as: Artemis!84E8FCD09215, Downloader-BWS, Downloader.Generic9.AEFL, Mal/Krap-H, Medium Risk Malware, Trj/CI.A, Trojan-Downloader.Win32.FraudLoad, Trojan-Downloader.Win32.FraudLoad!IK, Trojan-Downloader.Win32.FraudLoad.ghh, Trojan-Downloader/W32.FraudLoad.111104.F, Trojan.DL.FraudLoad.VFX, Trojan.Dldr.FraudLoad.ghh, Trojan.DownLoad1.5059, Trojan.FakeAV, Trojan.FakeAV!gen11, Trojan.Generic.2928325, Trojan.Win32.FakeAV!IK, Trojan.Win32.Generic!BT, Trojan/Downloader.FraudLoad.ghh, Trojan/Win32.FraudLoad.gen, TrojanDownloader:Win32/Renos.JM, TrojWare.Win32.Trojan.Agent.Gen, W32/FakeAlert.EK.gen!Eldorado, W32/FraudLoad.GHH!tr.dldr, Win-Trojan/Downloader.111104.M, Win32:FakeAV-AES, Win32:Trojan-gen, Win32.Packed.Krap.ag.5, Win32.TrojanDownload, Win32/TrojanDownloader.FakeAlert.ADA, Win32/Warduncrypt!packed, etc.
See the Web of Trust reports for the domains mentioned above:
This malware phones home to multiple domains according to the Panda Autovin, ThreatExpert, and Anubis behavioral analyses. See the WOT reports for these phone-home domains, sorted roughly in order of least to most well known at the time of this post:
There are dozens of other malware distribution sites similar to jumbotubes; a Google search reveals many such domains (note that SafeSearch is disabled in this query, and the results will likely lead to malware):
In researching some of the phone-home domains on ThreatExpert using searches like this one, I found a number of related domains as well (again listed roughly in order of least to most widely known):
The initial detection rate for this second piece of malware is only 3 out of 41 anti-virus engines, with detection coming soon from Fortinet and McAfee:
This malware disables Data Execution Prevention (DEP) for Internet Explorer and injects a new DLL into the system, among other things, as shown in these Anubis, ThreatExpert, and Panda Autovin reports.
Stay safe out there!
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
As I've mentioned several times on this site and elsewhere, you can't trust search results to be completely safe, even if you're using a popular search engine like Google (or Bing, for that matter).
Tonight my wife searched Google using the seemingly harmless query "season 6 sytycd winner" to find out the final results from this season of So You Think You Can Dance, a popular TV show in the U.S., and she was surprised to find that the first link she clicked (the third result in the list) redirected her browser to a fake virus scan very similar to the one described here.
The search result page was hosted on modaentertainment .com, and it redirected to a fake virus scan hosted on antyvirusaccessory .net. The page tries to trick the user into downloading malware which has the following characteristics (information courtesy of VirusTotal):
File name: install.exe
File size: 1190464 bytes
MD5...: 0a4f8f846759d81f750cd68a80d33790
SHA1..: 7d9da6a60fb7b92ce9b7514cafd7c2f3e8ff2776
SHA256: 7dcfa255c93d1d678dfd2a059b26d3a29bad53907e86538126cba260c1a37caf 8/41 detection rate as of 2009.12.17 03:39:01 (UTC) 24/41 detection rate as of 2009.12.19 19:59:55 (UTC) 26/41 detection rate as of 2009.12.21 06:01:43 (UTC) Variously identified as: a variant of Win32/Kryptik.BJS, FraudTool.Win32.RogueSecurity (v), Heuristic.LooksLike.Trojan.FraudPack.H, Mal/FakeAV-AD, RogueAntiSpyware.SecurityToolFraud, Suspicious file, Suspicious:W32/Malware!Gemini, W32/FakeAlert.DX3.gen!Eldorado, Dropper.Win32.Mnless.fph, FakeAlert-KC.d, FakeAlert.NZ, Heur.Suspicious, Heuristic.LooksLike.Worm.Koobface.H, Rogue:W32/FakeAlert.gen!S, Trojan:Win32/Winwebsec, Trojan.FakeAv.ZQ, Trojan.FraudPack.aeft, Trojan.Packed.18037, Trojan.Win32.FakeAV, Trojan.Win32.FakeAV!IK, Trojan.Win32.FraudPack.aeft, Trojan.Win32.Generic!SB.0, W32/FraudPack.AEFT!tr, Win32:FakeAlert-FJ, Worm/Koobface.aeh, Trojan.FakeAV-261, Trojan.FraudPack.SAP, etc.
See also the following Panda Xandora and ThreatExpert behavioral analysis reports:
According to Google Safe Browsing, the modaentertainment site has ties to securityonlineforum .net, a known malware site which shares the same IP address (193.104.153 .2) as the antyvirusaccessory site and several other malicious domains:
UPDATE, 19 Dec 2009 @ 19:40 PST: I've included new detection names for the initial variant above. Also, the download URL now hosts a different variant of this malware:
File name: install.exe
File size: 1192512 bytes
MD5...: 0a4f8f846759d81f750cd68a80d33790 or ef18948dfa176dbf0e6666f297cf7ee8
SHA1..: 7d9da6a60fb7b92ce9b7514cafd7c2f3e8ff2776 or c3d383c7e0912de6dce1f2299bc1325131741b80
SHA256: 7dcfa255c93d1d678dfd2a059b26d3a29bad53907e86538126cba260c1a37caf or 512668f04ba6ec8060fa1755ca38bc2e9ca2384fa6601232032bb90f965fe24e 13/41 detection rate as of 2009.12.19 20:01:49 (UTC) 15/41 detection rate as of 2009.12.20 03:14:18 (UTC) 19/41 detection rate as of 2009.12.21 06:01:53 (UTC) Variously identified as: a variant of Win32/Kryptik.BMB, FakeAlert-KW, FraudTool.Win32.RogueSecurity (v), Heuristic.LooksLike.Worm.Koobface.H, High Risk Cloaked Malware, Mal/FakeAV-AD, Malware-Cryptor.Win32.General.8, RogueAntiSpyware.SecurityToolFraud, Suspicious file, Trojan.Win32.FakeAV, Trojan.Win32.FraudPack.aewt, TrojWare.Win32.FraudTool.TS.~FGA, W32/FakeAlert.DX3.gen!Eldorado, Generic16.DCM, TR/FraudPack.aewt, Trojan.FraudPack.SAO, Trojan.Packed.18524, etc.
See also the ThreatExpert behavioral analysis report.
UPDATE, 20 Dec 2009 @ 22:10 PST: Added 2 more detection names for the first variant and 4 more names for the second variant.
UPDATE, 29 Dec 2009 @ 08:10 PST: Once again, the download URL is hosting a different variant of this malware:
File name: install.exe
File size: 1167872 bytes
MD5...: a3e56b9f93ccd164f2618b1cb5afc32d
SHA1..: 6bffc64505903cad0b203eb6e41321ac625e1a3a
SHA256: ff0e91e944c606aafd918b8209dedb26c12b801deea5ed0c2407f3a0d5ddd787 8/41 detection rate as of 2009.12.28 19:35:31 (UTC) 20/41 detection rate as of 2009.12.29 15:44:10 (UTC) Variously identified as: a variant of Win32/Kryptik.BFY, ApplicUnsaf.Win32.FraudTool.ST.~CRS, Artemis!A3E56B9F93CC, FakeAlert-KW, FakeAlert.OF, Heuristic.LooksLike.Worm.Koobface.H, In-Trojan/Fakealert.1167872, Mal/FakeAV-BT, Mal/Generic-A, Medium Risk Malware, Packed.Win32.Krap.ai, RogueAntiSpyware.SecurityToolFraud, Trj/CI.A, Trojan.Fraudpack.Gen!Pac.4, Trojan.Packed.19519, Trojan.Win32.FakeAV, Trojan.Win32.FakeAV.arh, W32/FakeAlert.OF!tr, Win32.WormKoobface.B, Worm.Koobface, Worm/Koobface.bpy, etc.
See also the Panda Autovin (formerly known as Xandora) and ThreatExpert behavioral analysis reports:
A recent tweet from Panda Security Malaysia led me to do some further investigation of a new (and not widely known yet) malware distribution site (scansecurityhole .cn) and the malware it's distributing. Here's some of what I've discovered so far.
Only 12 out of 41 antivirus engines currently detect the malicious payload. From the VirusTotal analysis:
I have submitted a sample of this malware to multiple antivirus companies, so it should soon be detected more widely. I am also submitting the above malicious sites to several blacklists, so hopefully the sites will soon be blocked more widely as well.
UPDATE, 11 Nov 2009 @ 07:20 PST: Added 5 new detection names from Fortinet, MalwareURL, and VirusTotal, and also added 8 related domains identified by hpHosts and MalwareURL.
UPDATE, 13 Nov 2009 @ 12:10 PST: Added 14 new detection names from McAfee and VirusTotal. Detection is still fairly low at only 27 out of 41 engines. In other news, with help from hpHosts the malicious URL hosted at 95.211.14.163 has been taken down. Additionally, the antimalware.exe hosted on scansecurityhole .cn has changed, and has a very low detection rate (currently 5 out of 41):
Behaviorally it appears to be very similar to the previous sample (see the Xandora, ThreatExpert, and Anubis analyses), except that it contacts different domains:
One interesting thing from the Xandora analysis is that this version installed faster, so the screenshot taken after 90 seconds showed a scan result—with "Nothing found!" However, that doesn't mean it's a legitimate product; case in point, ThreatExpert's analysis shows that it disables Windows' Security Center service, which no legitimate antivirus product would do automatically upon installation. Perhaps the software intentionally doesn't find anything in its first scan for the sole purpose of looking legitimate to malware analysts and automated systems. It's also worth noting that malware creators can specifically design their programs to act differently when being analyzed, as Brian Krebs wrote about in his recent Security Fix article titled Former anti-virus researcher turns tables on industry.
UPDATE, 16 Nov 2009 @ 08:20 PST: Added 2 new detection names from VirusTotal for the first sample. Current detection is now 30/41. Also added 14 new detection names from Kaspersky, Fortinet, and VirusTotal for the second sample. Current detection is now 24/41. As of the time of this update, scansecurityhole .cn (which has hosted both variants of antimalware.exe) is inaccessible. 11:30 PST: The site is back up again, and it's still hosting the second variant.
UPDATE, 18 Nov 2009 @ 18:30 PST: Added 3 new detection names from VirScan for the first sample and 5 new detection names from McAfee and VirScan for the second sample.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
Quite similar to the recent DHL scam e-mail campaign, malicious e-mails have recently been circulating that claim to be from UPS (United Parcel Service of America) and use social engineering to trick users into opening an attachment.
Following is a sample e-mail:
From: "UPS Service" {fake address @ recipient's ISP or e-mail provider}
Subject: UPS Delivery Problem
Date: November 5, 2009
Dear customer!
Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.
Attachment: inv.zip (22,317 bytes)
If an unsuspecting individual opens the attachment, the malware copies itself with the file name "reader_s.exe" to the user's profile folder (e.g. C:\Documents and Settings\User\reader_s.exe) and to the system folder (e.g. C:\Windows\system32\reader_s.exe) and registers itself as a startup item in the registry. It phones home to multiple IP addresses on port 80 (see a list below).
Initial detection of the malware was somewhat low; the earliest VirusTotal report I could find showed that 18 out of 40 major antivirus engines detected this threat (a good demonstration of why it's never a good idea to open a suspicious attachment; you can't count on your antivirus software to detect all malware, especially new samples). The sample is currently detected by nearly all antivirus software. Most of the following information is courtesy of VirusTotal:
File name: inv.exe (it has also been submitted to Prevx as reader_s.exe, winner.exe, photo.exe, etc.)
File size: 51200 bytes
MD5...: 3b9c3d653c3e5cb40c93e9599ee507de
SHA1..: 3277a9dd2d1f9a242d431ca76e2a8362221da129
SHA256: 98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731 37/40 detection rate as of 2009.11.09 10:26:55 (UTC) Variously identified as: Backdoor.Small.CPDR, Backdoor.Small.zs, Backdoor.Win32.Small.51200.D, Backdoor.Win32.Small.zs, Backdoor/W32.Small.51200, Cutwail, Heur.Suspicious, High Risk Cloaked Malware, SHeur2.BPZQ, TR/Crypt.XPACK.Gen, Trj/Downloader.MDW, TROJ_AGENT.AWYQ, Troj/Agent-LNC, Trojan-Downloader.Win32.Small, Trojan:W32/Cutwail.CW, Trojan.Crypt.XPACK.Gen, Trojan.Cutwail.Z, Trojan.DownLoad.37236, Trojan.Downloader-81329, Trojan.Pandex, Trojan.Win32.Generic!SB.0, Trojan.Win32.Generic.51F056EF, Trojan.Win32.Malware.1, TrojanDownloader:Win32/Cutwail.gen!C, TrojanDownloader.Adload.gpa, W32/Cutwail.C!tr.dldr, W32/Smalltroj.UMSB, W32/Trojan3.BLY, Win32:Malware-gen, Win32/Cutwail.AVH, Win32/Wigon
Now and then, a program comes along about which the security community has difficulty agreeing on a classification. Such is the case with a Mac software "art project" called Lose/Lose, described by its creator as "a video-game with real life consequences." If you don't read the warnings carefully, Lose/Lose might appear to be a simple Space Invaders-like game where you shoot at alien spaceships to protect your own ship and earn points, but in this case doing so has the dangerous side effect of deleting your personal files as demonstrated in this Symantec video:
In spite of all the recent press coverage of Lose/Lose, fewer than half of Mac antivirus makers currently offer detection of the program. (Specifically, the Mac antivirus programs that detect it include CA Anti-Virus, Intego VirusBarrier X5, ProtectMac AntiVirus, Sophos Anti-Virus, Symantec Norton AntiVirus, and Trend Micro Security, while conversely ALWIL Avast!, BitDefender, ClamXav, Dr.Web, Kaspersky Anti-Virus, McAfee VirusScan/Security, and PC Tools iAntiVirus do not detect it. See VirusTotal's analysis, as well as Intego's blog post and ProtectMac's malware list since these programs are not included in VirusTotal.)
Some security analysts, including Chris Boyd from FaceTime Communications/SpywareGuide and Vitalsecurity.org, feel that it's laughable to identify Lose/Lose as malware or a Trojan horse, pointing out that the Web site hosting the so-called malicious file—not to mention the application itself—includes a warning in red capital letters explaining that the program will delete files. In his article, Boyd points out that part of Symantec's justification for flagging Lose/Lose as malware is that "there's nothing stopping someone with more malicious intentions from modifying it slightly and then passing it on to unsuspecting users." In light of this rationale, Boyd mentions psDoom, an old game based on the DOOM engine that allows players to kill running processes by shooting at demons, and suggests that if Symantec and other companies are going to flag Lose/Lose as malware because it can cause data loss when used carelessly and "on the basis someone could 'modify and do naughty things with it'" they should be consistent and consider psDoom to be malware as well.
I asked Ben Nahorney, senior information developer at Symantec and author of the article quoted by Boyd, what his thoughts were regarding psDoom. Nahorney replied:
"While psDoom is similar in nature to Lose/Lose, it doesn't cause any irreparable damage on the computer. Yes, playing it will likely result in your computer crashing, but restarting the computer will fix any issues. In comparison, Lose/Lose is deleting files on the computer and provides no 'undo' option. Based on this, we consider it to be behaving maliciously."
Nahorney's explanation makes sense, although one could argue that psDoom can cause irreparable damage, for example if a user had unsaved data in one of the applications that psDoom killed. As is the case with Lose/Lose, a user who plays psDoom without reading the warnings may inadvertently become a victim of data loss. However, losing a few unsaved documents is probably not as bad as losing a substantial amount of one's personal files, so Symantec maintains that psDoom is less of a threat because it's less likely to cause significant damage.
Graham Cluley, senior technology consultant at Sophos who also recently published an article on Lose/Lose, shared with me his opinion about Lose/Lose vs. psDoom:
"Personally I wouldn't want either running on my corporate network. With Sophos Anti-Virus we have an application control functionality that allows sysadmins to control what categories of software users can run beyond just malware protection. I would say that psDoom was probably a candidate for inclusion in an app control category."
In other words, although Sophos doesn't detect psDoom as malware, Cluley suggests that system administrators concerned about psDoom may want add a custom exclusion for it.
Lenny Zeltser, member of the board of directors at SANS Technology Institute and incident handler at the Internet Storm Center, shared his opinion with me:
"psDoom is a novelty process manager with a game-like user interface. Its purpose and capabilities are clear to its user. In this, it is no different from Task Manager, Process Explorer, and other process managers. If psDoom was unclear about its purpose, attempted to mislead the user, or had hidden capabilities, such as a backdoor, then I'd consider it malware."
Zeltser makes a good point that psDoom was originally intended as a *nix process manager with a fun interface, although it's worth noting that the Mac version is listed as a game rather than a system administration utility on VersionTracker and CNET Download.com. Zeltser continues:
"Lose/Lose is similar to psDoom in that it provides a game-like front-end for performing system tasks: deleting files. A major difference between Lose/Lose and psDoom is that the processes psDoom kills will less likely to lead to permanent loss of significant amount of data, while the files Lose/Lose deletes may truly hurt the user. Another significant difference, because Lose/Lose seems to pick the files to delete at random, Lose/Lose behaves very much like the game of a Russian roulette. Some people may need to be protected from themselves when playing Russian roulette. Lose/Lose is pretty clear about its adverse effects on the system, because its opening screen states 'KILLING IN LOSE/LOSE DELETES YOUR FILES.' I can see some users not realizing that the files are deleted in a real sense, especially in our world of short attention spans. Taking these factors into account, I would consider Lose/Lose as 'potentially unwanted software,' rather than malicious software."
The final person to respond with his thoughts was Peter James, a spokesman for Mac-exclusive antivirus maker Intego who recently wrote about Lose/Lose on Intego's blog. Said he:
"We will block this program, as we will any other similar program. However, psDoom is unlikely to be used very much, since it is an X11 program, and does not run natively on Mac OS X. The problem with such programs, though, is that unsavvy users may run such programs and cause damage or, in the case of lose/lose, delete files. We have many enterprise customers who certainly don't want programs like this run on their computers."
James makes a very good point about psDoom being much more difficult to run than Lose/Lose. When I tried to run it, I discovered that I had to make the program executable first by running chmod from the command line (which a novice is not going to know to do since it's not even mentioned in the documentation). After that, I was able to get psDoom to run on Snow Leopard, but even then the process management functionality did not work properly, which seems to be caused by a difference in UNIX commands starting with Leopard. If I couldn't easily get psDoom to kill any processes on the latest release of Mac OS X, it's doubtful that accidental process termination and data loss while playing psDoom will be a problem for the vast majority of users, which is quite a dramatic difference from Lose/Lose. In spite of this, based on what James said it appears that Intego will soon be the only antivirus vendor to detect psDoom.
Lose/Lose is variously detected (mostly by non-Mac antivirus software) as Application.OSX.Loselose.A, Game/KillFiles, Mac.LoseLose, MacOS!IK, MACOS/LoseLose, MacOS/Loselose.A, OSX_LOSEGAM.A, OSX.Loosemaque, OSX.LoseGame, OSX/LoseGame-A, OSX/LoseLose.A, OSX/LoserGame, Trojan:MacOS_X/Loosemaque.A, and Trojan.OSX.Loselose.A.
psDoom is not currently detected by any antivirus engine.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
These days, malware campaigns target pretty much anything that people are likely to search for on Google (in fact, some campaigns even target seemingly random searches). One of the latest malware campaigns targets fans of the Twilight book series in anticipation of the upcoming movie New Moon.
As reported by ThreatExpert, the new Trojan (dubbed "PWS-CuteMoon" by McAfee) harvests passwords from a variety of e-mail and FTP client applications—including but not limited to Outlook, Thunderbird, Eudora, The Bat!, CuteFTP, FileZilla, and WS_FTP—and sends the stolen credentials to the malicious site newmoon-movie .net, which receives the data via the Cute News service.
PWS-CuteMoon is also detected as Trj/CI.A, Trojan-Downloader.Win32.FakeRean, TrojWare.Win32.PSW.LdPinch.Gen, and Win32/TrojanDropper.Agent.OKG, according to McAfee.
For more details, see ThreatExpert's blog post and automated analysis of the malware. See also the Web of Trust (WOT) reports for these affiliated sites:
Malicious e-mails are circulating that claim to be from DHL (an international shipping company) and use social engineering to trick users into opening an attachment.
This is very similar to another fake DHL e-mail scheme from back in March 2009 (see, for example, this post from Sophos' Graham Cluley). Additionally, DHL (the real one) warned about a fraudulent e-mail campaign just last month that apparently distributed the same malware again. This time around, however, it's a different Trojan altogether.
Here's a sample e-mail:
From: Manager Daphne Rubin {services @ dhl-usa.com} [forged From address]
Subject: DHL customer service. Get your parcel Nr.45269
Date: October 16, 2009
Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please note!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Thank you for attention.
DHL Express Services.
Attachment: DHL_print_label_bf46d.zip
Here's another sample, with the manager's name as "Charity Woot" and a different random string in the attachment's filename.
The .zip archive contains a malicious .exe program. At present, the malware is only detected by 16 out of 41 major antivirus engines, with detection in the works from at least one additional vendor. Most of the following information is courtesy of VirusTotal:
File name: DHL_print_label_*.exe [* = random 5-digit alphanumeric string]
File size: 23552 bytes
MD5...: 8960322225b6a842bad87a285f028f5f
SHA1..: e8998eaf92a6e993018fe41079cf3b946c37193a
SHA256: 95c8f95a70e82ed808854d2818b3f8d126dc2e6acb98a2c158dec2f7f5aec27a 16/41 detection rate as of 2009.10.17 00:20:21 (UTC) Variously identified as: a variant of Win32/Kryptik.AVH, Artemis!8960322225B6, Backdoor.Win32.Bredolab.akk, Mal/EncPk-KY, Medium Risk Malware, TR/Crypt.ZPACK.Gen, Trj/Sinowal.WOP, Trojan.Bredolab-318, Trojan.Crypt.ZPACK.Gen, Trojan.FakeAV!gen3, Trojan.Win32.Bredolab, TrojanDownloader:Win32/Bredolab.X, W32/Bredolab!Generic, W32/Obfuscated.D2!genr, X.W32.kryptik.bredo, Bredolab.gen.d, etc.
This alert appears in any browser, even if you go directly to the site. The scam page pretends that you're getting an official warning from Microsoft.
The page claims:
This website has been reported as unsafe
We strongly recommend to discontinue the use of this website.
[link] Activate my Web protection software
This website has been reported to Microsoft for containing threats that might steal personal or financial information from your computer
If you click on the link, it takes you to this page:
...and if you further click on "Click Here!" you'll be taken to this page:
A non-savvy Web user could easily be tricked by the initial warning into following the links, perhaps even thinking that Microsoft wanted them to buy this "Total Security" product (or perhaps not thinking, due to fear of identity theft and a frantic desire to protect oneself). After all, what could make someone feel safer online than "total security"? But surely a more seasoned individual, say for example an advanced Microsoft employee, wouldn't be tricked by such a scheme. Or would they?
I followed Microsoft's directions for submitting malicious sites, and dutifully reported the deceptive page to Microsoft's Bing support team. A friendly lady from Bing Technical Support replied and said that "I understand that you are reporting a scam site listed in Bing results. I know the importance of this issue. I will now be escalating your email to our product specialists for further investigation. They will directly take action on your request and will be contacting you with an update soon." That sounded very promising. Imagine my surprise when I got this response later:
Hello Joshua,
We have already reported the www.explorersecuritysuite .com. If you check the query on BING, you should be able to see the warning on the vertical result.
Of course, the search query brings up the malicious page at the very top of the results, as seen here:
However, there's no warning from Microsoft anywhere on the search results page. The closest thing is Bing's quotation of the scam page. I replied to Microsoft's Global Escalations representative, explaining that "The site itself is malicious, and it pretends to have been reported to Microsoft. Try the direct malicious link in any other browser and you'll get the same warning when you visit the page. The warning comes directly from the site, not from Bing or Microsoft. This is clearly not an official Microsoft alert." I provided a direct link to the malicious page (non-sanitized, in case this individual might have been confused by hxxp or a space in the domain name). I sent this reply well over 24 hours ago. I still haven't gotten a response, and the scam page is still indexed on Bing.
So, how about that? Even someone who works for Microsoft's Global Escalations department can get fooled by a malicious scam site.
UPDATE: Two days after I sent my last reply to Microsoft Global Escalations, a different representative responded:
Hello Josh,
My name is [redacted] with Microsoft Global Escalations.
I have re-investigated the said site ([unsanitized URL redacted]) and would confirm with you that the site is indeed misleading.
We will be taking action to remove this as soon as possible.
Thank you for reporting this and again brining [sic] this to our attention.
Best Regards,
[name redacted] Micsrosoft Global Escalations [sic]
Yet another two days after getting this reply, the site was finally removed from Bing. So from the time I first reported the site to Microsoft until it actually got delisted from Bing's search results was roughly 5.5 days.
Fun storytelling aside, here's the technical stuff, for anyone who might be interested.
This malware is clearly a Trojan downloader, but most antivirus products didn't detect it at all. I submitted the file to multiple companies. Here's the current assessment as of the time of this post (main source VirusTotal):
Again, due to almost no detection from antivirus solutions, I submitted the file to multiple vendors. Here's the current virus assessment as of the time of this post:
File size: 38400 bytes
MD5...: 6bb2a57c3bb3308b3a1519c987caddf4
SHA1..: 7b0c73e4d9b5fd58c89fc117a5f8ab576145898d
SHA256: c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29 15/41 detection rate as of 2009.09.25 20:04:08 (UTC) Variously identified as: Artemis!6BB2A57C3BB3, High Risk Cloaked Malware, TR/Agent.cxge, Troj/Agent-LGK, Trojan Horse, Trojan.Agent.cxge, Trojan.Agent.OPPW, Trojan.DownLoad.42082, Trojan.Win32.Agent, Trojan.Win32.Agent.cxge, W32/Agent.CXGE!tr, Win32/Delf.OOR, Generic.TRA!6bb2a57c3bb3, Generic.dx!fio, etc.
The second file downloaded by file13.exe is this very suspiciously-named executable:
Once again, due to only "suspicious" detection, I submitted the file to multiple antivirus companies. Here's the current assessment as of the time of this post:
Here are some other new malware domains I came across last night, unrelated to the malware described above. Most of these domains are related to Zbot malware and/or an Autostart worm, and several were registered within the past 48 hours:
the JoshMeister (Joshua Long) is a computer security researcher from Southern California. He has a Master of Information Technology degree concentrating in Internet Security.
For several years Josh has been reporting spam, phishing scams, and malware sites to help protect others online. He regularly submits samples of viruses, Trojan horses, backdoors, rootkits, and other types of malware to major anti-virus vendors whenever he finds undetected malware in the wild.
McAfee Labs Publishes ‘March Spam Report’
-
McAfee Labs today published its March Spam Report. This month authors Adam
Wosotowsky and Elan Winkler discuss a possible charity scam in France that
takes...
Twitter starts Direct Message phishing filtering
-
Twust and Safetwy
Del Harvey who leads Twitter’s Trust and Safety team blogged yesterday that
the social networking/micro-blogging service has begun filter...
Nose Biometrics
-
Really:
Since they are hard to conceal, the study says, noses would work well for
identification in covert surveillance.
The researchers say noses have...
Click Fraud II
-
Click fraud is a lot like shoplifting. It’s not the most shocking crime you
know of, and it’s not really victimless. It is theft. But observing and
identif...
Internet Explorer 0-day targeted in spam runs
-
Hot on the heels of the Patch Tuesday announcements yesterday (see blog or
links to vulnerability assessment pages), came the announcement of a new
zero-da...
Microsoft Updates Office 2004 and 2008
-
Microsoft has released updates for Office 2004 and 2008, which include
security fixes for “vulnerabilities that an attacker can use to overwrite
the conten...
Microsoft Releases March Security Bulletin
-
Microsoft has released an update to address vulnerabilities in Microsoft
Windows and Office as part of the Microsoft Security Bulletin Summary for March
20...
Posts
