Wednesday, December 16, 2009

So You Think You Can Trust Google Results

As I've mentioned several times on this site and elsewhere, you can't trust search results to be completely safe, even if you're using a popular search engine like Google (or Bing, for that matter).

Tonight my wife searched Google using the seemingly harmless query "season 6 sytycd winner" to find out the final results from this season of So You Think You Can Dance, a popular TV show in the U.S., and she was surprised to find that the first link she clicked (the third result in the list) redirected her browser to a fake virus scan very similar to the one described here.

The search result page was hosted on modaentertainment .com, and it redirected to a fake virus scan hosted on antyvirusaccessory .net.  The page tries to trick the user into downloading malware which has the following characteristics (information courtesy of VirusTotal):
File name: install.exe
File size: 1190464 bytes
MD5...: 0a4f8f846759d81f750cd68a80d33790
SHA1..: 7d9da6a60fb7b92ce9b7514cafd7c2f3e8ff2776
SHA256: 7dcfa255c93d1d678dfd2a059b26d3a29bad53907e86538126cba260c1a37caf

8/41 detection rate as of 2009.12.17 03:39:01 (UTC)

24/41 detection rate as of 2009.12.19 19:59:55 (UTC)

26/41 detection rate as of 2009.12.21 06:01:43 (UTC)

Variously identified as: a variant of Win32/Kryptik.BJS, FraudTool.Win32.RogueSecurity (v), Heuristic.LooksLike.Trojan.FraudPack.H, Mal/FakeAV-AD, RogueAntiSpyware.SecurityToolFraud, Suspicious file, Suspicious:W32/Malware!Gemini, W32/FakeAlert.DX3.gen!Eldorado, Dropper.Win32.Mnless.fph, FakeAlert-KC.d, FakeAlert.NZ, Heur.Suspicious, Heuristic.LooksLike.Worm.Koobface.H, Rogue:W32/FakeAlert.gen!S, Trojan:Win32/Winwebsec, Trojan.FakeAv.ZQ, Trojan.FraudPack.aeft, Trojan.Packed.18037, Trojan.Win32.FakeAV, Trojan.Win32.FakeAV!IK, Trojan.Win32.FraudPack.aeft, Trojan.Win32.Generic!SB.0, W32/FraudPack.AEFT!tr, Win32:FakeAlert-FJ, Worm/Koobface.aeh, Trojan.FakeAV-261, Trojan.FraudPack.SAP, etc.
See also the following Panda Xandora and ThreatExpert behavioral analysis reports:

http://xandora.security.net.my/?p=1631 [site is no longer accessible]
http://www.threatexpert.com/report.aspx?md5=0a4f8f846759d81f750cd68a80d33790 [archive]

For additional information on the sites spreading this malware, see my Web of Trust reports for these domains:

https://www.mywot.com/en/scorecard/antyvirusaccessory.net
https://www.mywot.com/en/scorecard/modaentertainment.com

According to Google Safe Browsing, the modaentertainment site has ties to securityonlineforum .net, a known malware site which shares the same IP address (193.104.153 .2) as the antyvirusaccessory site and several other malicious domains:

https://www.mywot.com/en/scorecard/securityonlineforum.net
http://www.malwareurl.com/ns_listing.php?ip=193.104.153.2 [archive]

UPDATE, 19 Dec 2009 @ 19:40 PST: I've included new detection names for the initial variant above.  Also, the download URL now hosts a different variant of this malware (information courtesy of VirusTotal: sample 1, sample 2):
File name: install.exe
File size: 1192512 bytes
MD5...: 998b769df2ac21db9dd3471e89c2828a or ef18948dfa176dbf0e6666f297cf7ee8
SHA1..: 648dc270bc501ee24c43ae155291c602e7ff5c8b or c3d383c7e0912de6dce1f2299bc1325131741b80
SHA256: 7d390d8229c4dc4da844e05d0c3f8c98b308c5d43f0dc2930bc718b2854e591e
or 512668f04ba6ec8060fa1755ca38bc2e9ca2384fa6601232032bb90f965fe24e
Sample 1: 13/41 detection rate as of 2009.12.19 20:01:49 (UTC)
Sample 2: 15/41 detection rate as of 2009.12.20 03:14:18 (UTC)
Sample 2: 19/41 detection rate as of 2009.12.21 06:01:53 (UTC)
Variously identified as: a variant of Win32/Kryptik.BMB, FakeAlert-KW, FraudTool.Win32.RogueSecurity (v), Heuristic.LooksLike.Worm.Koobface.H, High Risk Cloaked Malware, Mal/FakeAV-AD, Malware-Cryptor.Win32.General.8, RogueAntiSpyware.SecurityToolFraud, Suspicious file, Trojan.Win32.FakeAV, Trojan.Win32.FraudPack.aewt, TrojWare.Win32.FraudTool.TS.~FGA, W32/FakeAlert.DX3.gen!Eldorado, Generic16.DCM, TR/FraudPack.aewt, Trojan.FraudPack.SAO, Trojan.Packed.18524, etc.
See also the ThreatExpert behavioral analysis report.

UPDATE, 20 Dec 2009 @ 22:10 PST: Added 2 more detection names for the first variant and 4 more names for the second variant.

UPDATE, 29 Dec 2009 @ 08:10 PST: Once again, the download URL is hosting a different variant of this malware (information courtesy of VirusTotal):
File name: install.exe
File size: 1167872 bytes
MD5...: a3e56b9f93ccd164f2618b1cb5afc32d
SHA1..: 6bffc64505903cad0b203eb6e41321ac625e1a3a
SHA256: ff0e91e944c606aafd918b8209dedb26c12b801deea5ed0c2407f3a0d5ddd787

8/41 detection rate as of 2009.12.28 19:35:31 (UTC)
20/41 detection rate as of 2009.12.29 15:44:10 (UTC)
Variously identified as: a variant of Win32/Kryptik.BFY, ApplicUnsaf.Win32.FraudTool.ST.~CRS, Artemis!A3E56B9F93CC, FakeAlert-KW, FakeAlert.OF, Heuristic.LooksLike.Worm.Koobface.H, In-Trojan/Fakealert.1167872, Mal/FakeAV-BT, Mal/Generic-A, Medium Risk Malware, Packed.Win32.Krap.ai, RogueAntiSpyware.SecurityToolFraud, Trj/CI.A, Trojan.Fraudpack.Gen!Pac.4, Trojan.Packed.19519, Trojan.Win32.FakeAV, Trojan.Win32.FakeAV.arh, W32/FakeAlert.OF!tr, Win32.WormKoobface.B, Worm.Koobface, Worm/Koobface.bpy, etc.
See also the Panda Autovin (formerly known as Xandora) and ThreatExpert behavioral analysis reports:

http://autovin.pandasecurity.my/?p=2017 [site is no longer accessible]
http://www.threatexpert.com/report.aspx?md5=a3e56b9f93ccd164f2618b1cb5afc32d [site is no longer accessible]


For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Tuesday, November 10, 2009

"AntiMalware" Fake Security Product: Malware Analysis and Related Domains [Updated]

A recent tweet from Panda Security Malaysia led me to do some further investigation of a new (and not widely known yet) malware distribution site (scansecurityhole .cn) and the malware it's distributing.  Here's some of what I've discovered so far.

Only 12 out of 41 antivirus engines currently detect the malicious payload.  From the VirusTotal analysis:
File name: antimalware.exe
File size: 1572864 bytes
MD5...: d7cb2ac94a4ad92df54f46fa1a1518dc
SHA1..: 065af3ef68d32b686b61b0a144c83bdfa352b2e1
SHA256: 959d2f7efc5aa7fa719067d466f73aa4c015adddc5149663351a604beda47314

12/41 detection rate as of 2009.11.10 18:25:06 (UTC)

Variously identified as: Artemis!D7CB2AC94A4A, FraudTool.Win32.RogueSecurity (v), Mal/FakeAV-BP, Medium Risk Malware, Packed.Win32.TDSS.aa, Trojan:Win32/FakeCog, Trojan.FakeCog.DZ, Trojan.Win32.Alureon, W32/FakeAV.C!genr, Win32/Adware.CoreguardAntivirus.A, Adware/CoreguardAV, Win32/AntiMalware.A, Win32:Jifas-BY, Win-Trojan/FakeAV.1572864, HomeProtectionCenter, Adware/SystemGuard2009, Malware-Cryptor.Win32.Trac, Packed/Win32.Tdss.gen, TR/FakeAV.AS.1, TROJ_FAKECOG.AJ, Trojan.FakeAV-200, Trojan.FakeAV.AS.1, Trojan.Generic.2649775, Trojan.TDSS.aa, Trojan.Win32.FakeCog, Trojan.Win32.Generic.51F11C66, Trojan.Win32.Malware.1, Generic.TRA!d7cb2ac94a4a, W32/FakeAlert.DY.gen!Eldorado, Trojan/W32.TDSS.1572864.I, Trojan.Tdss.Dhy, Packed.Tdss.adic, Packed.Win32.Tdss.y (v), etc.
Behavioral analyses of this malware:
Web of Trust (WOT) reports for scansecurityhole .cn and several sites to which the malware phones home:
I have submitted a sample of this malware to multiple antivirus companies, so it should soon be detected more widely.  I am also submitting the above malicious sites to several blacklists, so hopefully the sites will soon be blocked more widely as well.

UPDATE, 11 Nov 2009 @ 07:20 PST: Added 5 new detection names from Fortinet, MalwareURL, and VirusTotal, and also added 8 related domains identified by hpHosts and MalwareURL.

UPDATE, 13 Nov 2009 @ 12:10 PST: Added 14 new detection names from McAfee and VirusTotal.  Detection is still fairly low at only 27 out of 41 engines.  In other news, with help from hpHosts the malicious URL hosted at 95.211.14.163 has been taken down.  Additionally, the antimalware.exe hosted on scansecurityhole .cn has changed, and has a very low detection rate (currently 5 out of 41):
File name: antimalware.exe
File size: 1585152 bytes
MD5...: 8d48379fd946e06b12d1ee8fe9efc65b
SHA1..: de3f142cf15ac4fc4eb97b14a3c7ad9a73acb227
SHA256: 647320fa125cd4b540faab30513ca5a3517affc73bf9bb9b48b7507a8fd03246

5/41 detection rate as of 2009.11.13 18:58:28 (UTC)

Variously identified as: Artemis!8D48379FD946, FraudTool.Win32.RogueSecurity (v), Sus/UnkPacker, Trojan.FakeAlert.Gen!Pac.13, W32/FakeAV.C!genr, Packed.Win32.TDSS.aa, W32/FakeAlert.FL!tr, Heur.Suspicious, Medium Risk Malware, Packed.Win32.Tdss, SHeur2.BRRJ, TR/PCK.Tdss.AA.1855, TROJ_FAKEAV.BNY, Trojan:Win32/FakeCog, Trojan.FakeAV, Trojan.PCK.Tdss.AA.1855, Trojan.Win32.Generic.51F15672, W32/FakeAlert.DY.gen!Eldorado, Win-Trojan/FakeAV.1585152, Win32:Malware-gen, Win32/Adware.CoreguardAntivirus.A, Generic FakeAlert.c, Trojan.Tdss.Dkx, Win32/AntiMalware.D trojan, Trojan.TDSS-1247, Packed.Tdss.adld, etc.

Behaviorally it appears to be very similar to the previous sample (see the Xandora, ThreatExpert, and Anubis analyses), except that it contacts different domains:
One interesting thing from the Xandora analysis is that this version installed faster, so the screenshot taken after 90 seconds showed a scan result—with "Nothing found!"  However, that doesn't mean it's a legitimate product; case in point, ThreatExpert's analysis shows that it disables Windows' Security Center service, which no legitimate antivirus product would do automatically upon installation.  Perhaps the software intentionally doesn't find anything in its first scan for the sole purpose of looking legitimate to malware analysts and automated systems.  It's also worth noting that malware creators can specifically design their programs to act differently when being analyzed, as Brian Krebs wrote about in his recent Security Fix article titled Former anti-virus researcher turns tables on industry.

UPDATE, 16 Nov 2009 @ 08:20 PST: Added 2 new detection names from VirusTotal for the first sample.  Current detection is now 30/41.  Also added 14 new detection names from Kaspersky, Fortinet, and VirusTotal for the second sample.  Current detection is now 24/41.  As of the time of this update, scansecurityhole .cn (which has hosted both variants of antimalware.exe) is inaccessible. 11:30 PST: The site is back up again, and it's still hosting the second variant.

UPDATE, 18 Nov 2009 @ 18:30 PST: Added 3 new detection names from VirScan for the first sample and 5 new detection names from McAfee and VirScan for the second sample.



Monday, November 9, 2009

UPS Scam E-mail with Cutwail/Pandex Trojan Attachment

Quite similar to the recent DHL scam e-mail campaign, malicious e-mails have recently been circulating that claim to be from UPS (United Parcel Service of America) and use social engineering to trick users into opening an attachment.

Following is a sample e-mail:
From: "UPS Service" {fake address @ recipient's ISP or e-mail provider}
Subject: UPS Delivery Problem
Date: November 5, 2009
Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.


Attachment: inv.zip (22,317 bytes)
If an unsuspecting individual opens the attachment, the malware copies itself with the file name "reader_s.exe" to the user's profile folder (e.g. C:\Documents and Settings\User\reader_s.exe) and to the system folder (e.g. C:\Windows\system32\reader_s.exe) and registers itself as a startup item in the registry.  It phones home to multiple IP addresses on port 80 (see a list below).

Initial detection of the malware was somewhat low; the earliest VirusTotal report I could find showed that 18 out of 40 major antivirus engines detected this threat (a good demonstration of why it's never a good idea to open a suspicious attachment; you can't count on your antivirus software to detect all malware, especially new samples).  The sample is currently detected by nearly all antivirus software.  Most of the following information is courtesy of VirusTotal:
File name: inv.exe (it has also been submitted to Prevx as reader_s.exe, winner.exe, photo.exe, etc.)
File size: 51200 bytes
MD5...: 3b9c3d653c3e5cb40c93e9599ee507de
SHA1..: 3277a9dd2d1f9a242d431ca76e2a8362221da129
SHA256: 98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731

37/40 detection rate as of 2009.11.09 10:26:55 (UTC)

Variously identified as: Backdoor.Small.CPDR, Backdoor.Small.zs, Backdoor.Win32.Small.51200.D, Backdoor.Win32.Small.zs, Backdoor/W32.Small.51200, Cutwail, Heur.Suspicious, High Risk Cloaked Malware, SHeur2.BPZQ, TR/Crypt.XPACK.Gen, Trj/Downloader.MDW, TROJ_AGENT.AWYQ, Troj/Agent-LNC, Trojan-Downloader.Win32.Small, Trojan:W32/Cutwail.CW, Trojan.Crypt.XPACK.Gen, Trojan.Cutwail.Z, Trojan.DownLoad.37236, Trojan.Downloader-81329, Trojan.Pandex, Trojan.Win32.Generic!SB.0, Trojan.Win32.Generic.51F056EF, Trojan.Win32.Malware.1, TrojanDownloader:Win32/Cutwail.gen!C, TrojanDownloader.Adload.gpa, W32/Cutwail.C!tr.dldr, W32/Smalltroj.UMSB, W32/Trojan3.BLY, Win32:Malware-gen, Win32/Cutwail.AVH, Win32/Wigon
ThreatExpert behavioral analysis:
http://www.threatexpert.com/report.aspx?md5=3b9c3d653c3e5cb40c93e9599ee507de

Anubis behavioral analysis:
http://anubis.iseclab.org/?action=result&task_id=190104cdf50c547945dee873bc504a3ea

Prevx report which includes additional file names:
http://info.prevx.com/aboutprogramtext.asp?PX5=9A2D0213008907A0C81100571FB790000D9B48BD

See also the Web of Trust (WOT) reports for several IPs to which this malware phones home (IP block owners in parentheses):

http://www.mywot.com/en/scorecard/61.158.167.52 (China Unicom)
http://www.mywot.com/en/scorecard/61.158.167.59 (China Unicom)
http://www.mywot.com/en/scorecard/69.162.117.50 (Limestone Networks [Texas, USA])
http://www.mywot.com/en/scorecard/72.167.161.72 (GoDaddy [Arizona, USA])
http://www.mywot.com/en/scorecard/174.133.104.210 (The Planet [Texas, USA])
http://www.mywot.com/en/scorecard/218.61.7.9 (China Unicom)
http://www.mywot.com/en/scorecard/221.12.89.137  (China Unicom)
http://www.mywot.com/en/scorecard/221.230.2.208 (Chinanet)
http://www.mywot.com/en/scorecard/222.138.109.99 (China Unicom)
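As an added example (not part of the original post), the following script turns the indicators listed above into two defender-side checks: matching a file against the dropped file's names, size and digests, and scanning firewall log lines for port-80 connections to the listed phone-home IPs. The log format and the sample log lines are constructed for this example and are not any vendor's real format.

```python
import hashlib
import re

# Indicators quoted in the post above (VirusTotal, Prevx and WOT reports).
CUTWAIL_HASHES = {
    "md5": "3b9c3d653c3e5cb40c93e9599ee507de",
    "sha1": "3277a9dd2d1f9a242d431ca76e2a8362221da129",
    "sha256": "98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731",
}
CUTWAIL_SIZE = 51200
DROPPED_NAMES = {"inv.exe", "reader_s.exe", "winner.exe", "photo.exe"}
C2_IPS = {
    "61.158.167.52", "61.158.167.59", "69.162.117.50", "72.167.161.72",
    "174.133.104.210", "218.61.7.9", "221.12.89.137", "221.230.2.208",
    "222.138.109.99",
}


def digests_of_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 hex digests of an in-memory file image."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_indicators(file_name: str, data: bytes) -> list:
    """Return the indicators from the post that a file matches, weakest first.

    A name or size match alone is only a hint (harmless files can share a
    name); a digest match identifies the exact sample from the post.
    """
    reasons = []
    # Accept Windows or POSIX paths regardless of the host running the scan.
    name = re.split(r"[\\/]", file_name)[-1].lower()
    if name in DROPPED_NAMES:
        reasons.append(f"name:{name}")
    if len(data) == CUTWAIL_SIZE:
        reasons.append(f"size:{CUTWAIL_SIZE}")
    found = digests_of_bytes(data)
    reasons.extend(f"{algo}:match" for algo, known in CUTWAIL_HASHES.items()
                   if found[algo] == known)
    return reasons


def scan_file(path: str) -> list:
    """Convenience wrapper for a file on disk (e.g. a copy of reader_s.exe)."""
    with open(path, "rb") as fh:
        return match_indicators(path, fh.read())


# Constructed log format (an assumption for this example):
#   "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\w+)$")


def find_c2_beacons(log_lines) -> list:
    """Return (timestamp, src, dst) for each outbound TCP/80 connection to an
    address the post lists as a phone-home destination. Traffic to those
    addresses on other ports is ignored to keep the match tied to what the
    post describes; broaden this if your own telemetry warrants it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the scan
        ts, src, dst, port, proto = m.groups()
        if dst in C2_IPS and port == "80" and proto.lower() == "tcp":
            hits.append((ts, src, dst))
    return hits


# Constructed sample log: one benign HTTPS request, two beacons to addresses
# from the post, one contact with a listed address on a non-matching port,
# and one unparseable line.
SAMPLE_LOG = [
    "2009-11-09 10:30:01 192.168.1.20 -> 198.51.100.7:443 tcp",
    "2009-11-09 10:30:07 192.168.1.20 -> 61.158.167.52:80 tcp",
    "2009-11-09 10:30:09 192.168.1.20 -> 174.133.104.210:80 tcp",
    "2009-11-09 10:30:12 192.168.1.20 -> 221.12.89.137:53 udp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_c2_beacons(SAMPLE_LOG):
        print("possible Cutwail beacon:", *hit)
    print(match_indicators(r"C:\Windows\system32\reader_s.exe",
                           b"\x00" * CUTWAIL_SIZE))
```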

Friday, November 6, 2009

Lose/Lose and psDoom: Art, Games, or Malware?

Now and then, a program comes along about which the security community has difficulty agreeing on a classification.  Such is the case with a Mac software "art project" called Lose/Lose, described by its creator as "a video-game with real life consequences."  If you don't read the warnings carefully, Lose/Lose might appear to be a simple Space Invaders-like game where you shoot at alien spaceships to protect your own ship and earn points, but in this case doing so has the dangerous side effect of deleting your personal files as demonstrated in this Symantec video:



In spite of all the recent press coverage of Lose/Lose, fewer than half of Mac antivirus makers currently offer detection of the program. (Specifically, the Mac antivirus programs that detect it include CA Anti-Virus, Intego VirusBarrier X5, ProtectMac AntiVirus, Sophos Anti-Virus, Symantec Norton AntiVirus, and Trend Micro Security, while conversely ALWIL Avast!, BitDefender, ClamXav, Dr.Web, Kaspersky Anti-Virus, McAfee VirusScan/Security, and PC Tools iAntiVirus do not detect it.  See VirusTotal's analysis, as well as Intego's blog post and ProtectMac's malware list since these programs are not included in VirusTotal.)

Some security analysts, including Chris Boyd from FaceTime Communications/SpywareGuide and Vitalsecurity.org, feel that it's laughable to identify Lose/Lose as malware or a Trojan horse, pointing out that the Web site hosting the so-called malicious file—not to mention the application itself—includes a warning in red capital letters explaining that the program will delete files.  In his article, Boyd points out that part of Symantec's justification for flagging Lose/Lose as malware is that "there's nothing stopping someone with more malicious intentions from modifying it slightly and then passing it on to unsuspecting users."  In light of this rationale, Boyd mentions psDoom, an old game based on the DOOM engine that allows players to kill running processes by shooting at demons, and suggests that if Symantec and other companies are going to flag Lose/Lose as malware because it can cause data loss when used carelessly and "on the basis someone could 'modify and do naughty things with it'" they should be consistent and consider psDoom to be malware as well.

I asked Ben Nahorney, senior information developer at Symantec and author of the article quoted by Boyd, what his thoughts were regarding psDoom.  Nahorney replied:
"While psDoom is similar in nature to Lose/Lose, it doesn't cause any irreparable damage on the computer. Yes, playing it will likely result in your computer crashing, but restarting the computer will fix any issues. In comparison, Lose/Lose is deleting files on the computer and provides no 'undo' option. Based on this, we consider it to be behaving maliciously."
Nahorney's explanation makes sense, although one could argue that psDoom can cause irreparable damage, for example if a user had unsaved data in one of the applications that psDoom killed.  As is the case with Lose/Lose, a user who plays psDoom without reading the warnings may inadvertently become a victim of data loss.  However, losing a few unsaved documents is probably not as bad as losing a substantial amount of one's personal files, so Symantec maintains that psDoom is less of a threat because it's less likely to cause significant damage.

Graham Cluley, senior technology consultant at Sophos who also recently published an article on Lose/Lose, shared with me his opinion about Lose/Lose vs. psDoom:
"Personally I wouldn't want either running on my corporate network. With Sophos Anti-Virus we have an application control functionality that allows sysadmins to control what categories of software users can run beyond just malware protection.  I would say that psDoom was probably a candidate for inclusion in an app control category."
In other words, although Sophos doesn't detect psDoom as malware, Cluley suggests that system administrators concerned about psDoom may want to add a custom exclusion for it.

Lenny Zeltser, member of the board of directors at SANS Technology Institute and incident handler at the Internet Storm Center, shared his opinion with me:
"psDoom is a novelty process manager with a game-like user interface. Its purpose and capabilities are clear to its user. In this, it is no different from Task Manager, Process Explorer, and other process managers. If psDoom was unclear about its purpose, attempted to mislead the user, or had hidden capabilities, such as a backdoor, then I'd consider it malware."
Zeltser makes a good point that psDoom was originally intended as a *nix process manager with a fun interface, although it's worth noting that the Mac version is listed as a game rather than a system administration utility on VersionTracker and CNET Download.com.  Zeltser continues:
"Lose/Lose is similar to psDoom in that it provides a game-like front-end for performing system tasks: deleting files. A major difference between Lose/Lose and psDoom is that the processes psDoom kills are less likely to lead to permanent loss of a significant amount of data, while the files Lose/Lose deletes may truly hurt the user. Another significant difference is that, because Lose/Lose seems to pick the files to delete at random, Lose/Lose behaves very much like a game of Russian roulette. Some people may need to be protected from themselves when playing Russian roulette. Lose/Lose is pretty clear about its adverse effects on the system, because its opening screen states 'KILLING IN LOSE/LOSE DELETES YOUR FILES.'  I can see some users not realizing that the files are deleted in a real sense, especially in our world of short attention spans. Taking these factors into account, I would consider Lose/Lose as 'potentially unwanted software,' rather than malicious software."
The final person to respond with his thoughts was Peter James, a spokesman for Mac-exclusive antivirus maker Intego who recently wrote about Lose/Lose on Intego's blog.  Said he:
"We will block this program, as we will any other similar program. However, psDoom is unlikely to be used very much, since it is an X11 program, and does not run natively on Mac OS X. The problem with such programs, though, is that unsavvy users may run such programs and cause damage or, in the case of lose/lose, delete files. We have many enterprise customers who certainly don't want programs like this run on their computers."
James makes a very good point about psDoom being much more difficult to run than Lose/Lose.  When I tried to run it, I discovered that I had to make the program executable first by running chmod from the command line (which a novice is not going to know to do since it's not even mentioned in the documentation).  After that, I was able to get psDoom to run on Snow Leopard, but even then the process management functionality did not work properly, which seems to be caused by a difference in UNIX commands starting with Leopard.  If I couldn't easily get psDoom to kill any processes on the latest release of Mac OS X, it's doubtful that accidental process termination and data loss while playing psDoom will be a problem for the vast majority of users, which is quite a dramatic difference from Lose/Lose.  In spite of this, based on what James said it appears that Intego will soon be the only antivirus vendor to detect psDoom.

Lose/Lose is variously detected (mostly by non-Mac antivirus software) as Application.OSX.Loselose.A, Game/KillFiles, Mac.LoseLose, MacOS!IK, MACOS/LoseLose, MacOS/Loselose.A, OSX_LOSEGAM.A, OSX.Loosemaque, OSX.LoseGame, OSX/LoseGame-A, OSX/LoseLose.A, OSX/LoserGame, Trojan:MacOS_X/Loosemaque.A, and Trojan.OSX.Loselose.A.

psDoom is not currently detected by any antivirus engine.



Monday, November 2, 2009

"New Moon" Movie Attracts Malware Makers

These days, malware campaigns target pretty much anything that people are likely to search for on Google (in fact, some campaigns even target seemingly random searches).  One of the latest malware campaigns targets fans of the Twilight book series in anticipation of the upcoming movie New Moon.

As reported by ThreatExpert, the new Trojan (dubbed "PWS-CuteMoon" by McAfee) harvests passwords from a variety of e-mail and FTP client applications—including but not limited to Outlook, Thunderbird, Eudora, The Bat!, CuteFTP, FileZilla, and WS_FTP—and sends the stolen credentials to the malicious site newmoon-movie .net, which receives the data via the Cute News service.

PWS-CuteMoon is also detected as Trj/CI.A, Trojan-Downloader.Win32.FakeRean, TrojWare.Win32.PSW.LdPinch.Gen, and Win32/TrojanDropper.Agent.OKG, according to McAfee.

For more details, see ThreatExpert's blog post and automated analysis of the malware.  See also the Web of Trust (WOT) reports for these affiliated sites:

Friday, October 16, 2009

DHL Scam E-mail with Bredolab Trojan Attachment

Malicious e-mails are circulating that claim to be from DHL (an international shipping company) and use social engineering to trick users into opening an attachment.

This is very similar to another fake DHL e-mail scheme from back in March 2009 (see, for example, this post from Sophos' Graham Cluley).  Additionally, DHL (the real one) warned about a fraudulent e-mail campaign just last month that apparently distributed the same malware again.  This time around, however, it's a different Trojan altogether.

Here's a sample e-mail:
From: Manager Daphne Rubin {services @ dhl-usa.com} [forged From address]
Subject: DHL customer service. Get your parcel Nr.45269
Date: October 16, 2009

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!


Please note!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

Attachment: DHL_print_label_bf46d.zip
Here's another sample, with the manager's name as "Charity Woot" and a different random string in the attachment's filename.

The .zip archive contains a malicious .exe program.  At present, the malware is only detected by 16 out of 41 major antivirus engines, with detection in the works from at least one additional vendor.  Most of the following information is courtesy of VirusTotal:
File name: DHL_print_label_*.exe [* = random 5-character alphanumeric string]
File size: 23552 bytes
MD5...: 8960322225b6a842bad87a285f028f5f
SHA1..: e8998eaf92a6e993018fe41079cf3b946c37193a
SHA256: 95c8f95a70e82ed808854d2818b3f8d126dc2e6acb98a2c158dec2f7f5aec27a

16/41 detection rate as of 2009.10.17 00:20:21 (UTC)

Variously identified as: a variant of Win32/Kryptik.AVH, Artemis!8960322225B6, Backdoor.Win32.Bredolab.akk, Mal/EncPk-KY, Medium Risk Malware, TR/Crypt.ZPACK.Gen, Trj/Sinowal.WOP, Trojan.Bredolab-318, Trojan.Crypt.ZPACK.Gen, Trojan.FakeAV!gen3, Trojan.Win32.Bredolab, TrojanDownloader:Win32/Bredolab.X, W32/Bredolab!Generic, W32/Obfuscated.D2!genr, X.W32.kryptik.bredo, Bredolab.gen.d, etc.
ThreatExpert behavioral analysis:
http://www.threatexpert.com/report.aspx?md5=8960322225b6a842bad87a285f028f5f

Anubis behavioral analysis:
http://anubis.iseclab.org/?action=result&task_id=1eddf69e4a1adce8441a785cef6c52879

See the Web of Trust (WOT) and MalwareURL reports for mmsfoundsystem .ru, a domain to which this malware phones home, and a related domain:

http://www.mywot.com/en/scorecard/mmsfoundsystem.ru
http://www.malwareurl.com/listing.php?domain=mmsfoundsystem.ru

http://www.mywot.com/en/scorecard/mmmserver.ru
http://www.malwareurl.com/listing.php?domain=mmmserver.ru



Saturday, September 26, 2009

Microsoft Escalated Support Rep Trusts Scam Site [Updated]

Ever been fooled by a malicious site?  Microsoft has.

The other day I came across this scam page, and I was surprised to see that it shows up in Bing search results:

hxxp://explorersecuritysuite .com/info.php?af=213&url=http://www.facebook.com/login.php

This alert appears in any browser, even if you go directly to the site.  The scam page pretends that you're getting an official warning from Microsoft.

The page claims:
This website has been reported as unsafe
We strongly recommend to discontinue the use of this website.
[link] Activate my Web protection software
This website has been reported to Microsoft for containing threats that might steal personal or financial information from your computer
If you click on the link, it takes you to this page:

...and if you further click on "Click Here!" you'll be taken to this page:

A non-savvy Web user could easily be tricked by the initial warning into following the links, perhaps even thinking that Microsoft wanted them to buy this "Total Security" product (or perhaps not thinking, due to fear of identity theft and a frantic desire to protect oneself).  After all, what could make someone feel safer online than "total security"?  But surely a more seasoned individual, say for example an advanced Microsoft employee, wouldn't be tricked by such a scheme.  Or would they?

I followed Microsoft's directions for submitting malicious sites, and dutifully reported the deceptive page to Microsoft's Bing support team.  A friendly lady from Bing Technical Support replied and said that "I understand that you are reporting a scam site listed in Bing results. I know the importance of this issue. I will now be escalating your email to our product specialists for further investigation. They will directly take action on your request and will be contacting you with an update soon."  That sounded very promising.  Imagine my surprise when I got this response later:
Hello Joshua,

We have already reported the www.explorersecuritysuite .com.  If you check the query on BING, you should be able to see the warning on the vertical result.

I have provided a link for the query:

http://www.bing.com/search?q=explorersecuritysuite.com

Thank you for reporting this matter.

Best Regards,

[name redacted]
Microsoft Global Escalations

Of course, the search query brings up the malicious page at the very top of the results, as seen here:



However, there's no warning from Microsoft anywhere on the search results page.  The closest thing is Bing's quotation of the scam page.  I replied to Microsoft's Global Escalations representative, explaining that "The site itself is malicious, and it pretends to have been reported to Microsoft.  Try the direct malicious link in any other browser and you'll get the same warning when you visit the page.  The warning comes directly from the site, not from Bing or Microsoft.  This is clearly not an official Microsoft alert."  I provided a direct link to the malicious page (non-sanitized, in case this individual might have been confused by hxxp or a space in the domain name).  I sent this reply well over 24 hours ago.  I still haven't gotten a response, and the scam page is still indexed on Bing.

So, how about that?  Even someone who works for Microsoft's Global Escalations department can get fooled by a malicious scam site.

UPDATE: Two days after I sent my last reply to Microsoft Global Escalations, a different representative responded:
Hello Josh,

My name is [redacted] with Microsoft Global Escalations.

I have re-investigated the said site ([unsanitized URL redacted]) and would confirm with you that the site is indeed misleading.

We will be taking action to remove this as soon as possible.

Thank you for reporting this and again brining [sic] this to our attention.

Best Regards,

[name redacted]
Micsrosoft Global Escalations [sic]

Yet another two days after getting this reply, the site was finally removed from Bing.  So from the time I first reported the site to Microsoft until it actually got delisted from Bing's search results was roughly 5.5 days.


Fun storytelling aside, here's the technical stuff, for anyone who might be interested.

http://wepawet.iseclab.org/view.php?hash=493989f2a5387f5176781a3f11e969e8&t=1253948333&type=js (Wepawet analysis showing affiliated domains)
http://www.mywot.com/en/scorecard/explorersecuritysuite.com (Web of Trust report)

A nearly identical domain, windowssecurityinfo .com, also comes up in Bing search results, although the site is not loading at the moment:
http://www.bing.com/search?q=windowssecurityinfo.com (example Bing search that brings up this actual domain as a result, just like with explorersecuritysuite)
http://cc.bingj.com/cache.aspx?d=76745708601589&w=4c13551f,ac670a51 (Bing cache, not linked because it tries to load images and CSS directly from the domain; use caution)
http://www.malwareurl.com/listing.php?domain=windowssecurityinfo.com
http://www.mywot.com/en/scorecard/windowssecurityinfo.com


Related fake warning sites that are currently inactive:

browsersecurityinfo .com
http://malwaredatabase.net/blog/index.php/2009/07/08/website-selling-multiple-rogue-programs-as-legitimate-pt-2/
http://wepawet.iseclab.org/domain.php?hash=c9e5f4ba1f2a19e94c0294ab39f499ea&type=js (Wepawet analysis showing affiliated domains)
http://www.malwareurl.com/listing.php?domain=browsersecurityinfo.com
http://www.mywot.com/en/scorecard/browsersecurityinfo.com

suspiciousdomainblock .com/pre1/?af=14s1
http://www.cybertechhelp.com/forums/showpost.php?p=1116477&postcount=1
http://wepawet.iseclab.org/view.php?hash=1ef044d5571341b35240cd8fa4f843e0&t=1249738635&type=js (Wepawet analysis showing affiliated domains)
http://www.malwareurl.com/listing.php?domain=suspiciousdomainblock.com
http://www.mywot.com/en/scorecard/suspiciousdomainblock.com

Reports for affiliated domains:
http://www.mywot.com/en/scorecard/winnetworkstatus.com (redirects from explorersecuritysuite to expresssoftwarepayment)
http://www.mywot.com/en/scorecard/expresssoftwarepayment.com (including protected.expresssoftwarepayment .com)
http://www.mywot.com/en/scorecard/protectionbytesoft.com ("Eco Antivirus"/"Total Security" fake AV site, mentioned on payment page)
http://www.mywot.com/en/scorecard/cnnnewspoint.com (redirected from suspiciousdomainblock to authorized-payments)
http://www.mywot.com/en/scorecard/authorized-payments.com (including protected.authorized-payments .com)
http://www.mywot.com/en/scorecard/cyberstrongstore.com ("Eco Antivirus"/"Total Security" fake AV site, mentioned on payment page)
http://www.mywot.com/en/scorecard/ieprotectionlist.com (linked from browsersecurityinfo)
http://www.mywot.com/en/scorecard/bennysaintscathedral.com (redirected from ieprotectionlist to buysecuritysoftwareonline)
http://www.mywot.com/en/scorecard/buysecuritysoftwareonline.com (including secure.buysecuritysoftwareonline .com)


Fake warning sites from a different fake/rogue antivirus campaign, all of which are currently active:

hxxp://safewebway2009 .com/warning/
http://www.mywot.com/en/scorecard/safewebway2009.com

hxxp://trusted-web-way .com/warning/
http://www.mywot.com/en/scorecard/trusted-web-way.com

hxxp://protect-my-web .com/warning/
http://www.mywot.com/en/scorecard/protect-my-web.com

hxxp://rightsafeway .com/warning/
http://www.mywot.com/en/scorecard/rightsafeway.com

hxxp://web-safe-and-clean .com/warning/
http://www.mywot.com/en/scorecard/web-safe-and-clean.com

All of these sites redirect to hxxp://yesantivirusplus .com/buy.php?id=
http://www.mywot.com/en/scorecard/yesantivirusplus.com

Payment site for Antivirus Plus: hxxps://my-secure-payment .com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus4&advert=
http://www.mywot.com/en/scorecard/my-secure-payment.com


More fake warning pages:
hxxp://www.malwareurl.com/search.php?s=Fake+Warning&urls=on&redirs=on (site defunct, and URL was not saved on archive.org)

Friday, September 25, 2009

New Malware (ddos-bot.exe, etc.) and Malicious Domains

Last night I found a report for the following malicious file:

hxxp://gorodsnov .cn/file13.exe

Since the file was suspicious but wasn't detected by any major antivirus engine (except as a "suspicious file"), I decided to investigate further.

ThreatExpert's analysis shows that the executable downloads two files (as discussed below) and phones home to mylfix4 .cn:
http://www.threatexpert.com/report.aspx?md5=f7a0f8d044c333ad3b7d65a6485af931
http://anubis.iseclab.org/?action=result&task_id=1020202f49ecf30742da827c810205c13
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.H!87"):
https://www.virustotal.com/analisis/193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098-1253847644
Lists of other malware files and exploits hosted on the same domain:
http://wepawet.iseclab.org/domain.php?hash=02d30b0b4ba304b039d8efb9aa2b5c71&type=js
http://www.malwareurl.com/listing.php?domain=gorodsnov.cn

This malware is clearly a Trojan downloader, but most antivirus products didn't detect it at all.  I submitted the file to multiple companies.  Here's the current assessment as of the time of this post (main source VirusTotal):
File size: 29184 bytes
MD5...: f7a0f8d044c333ad3b7d65a6485af931
SHA1..: a381aed69ed753618e0b3930c78243701af44d7d
SHA256: 193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098

13/41 detection rate as of 2009.09.25 20:04:02 (UTC)

Variously identified as: Artemis!F7A0F8D044C3, Downloader, Heuristic.LooksLike.Win32.Suspicious.H!87, TR/Sasfis.nyk, Troj/DwnLdr-HXD, Trojan.MulDrop.35369, Trojan.Win32.Sasfis.nyk, W32/Small.KFU!tr, Win32.SuspectCrc, Win32/Oficla.AG, Generic.TRA!f7a0f8d044c3, Generic.dx!fij, etc.
The malicious software described above automatically fetched the following files:

hxxp://pobedaim .cn/svchost.exe

Initial VirusTotal assessment (2/41 - "Trojan.DownLoad.42082"):
https://www.virustotal.com/analisis/c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29-1253849155
ThreatExpert's analysis shows that the file creates a startup registry entry for itself:
http://www.threatexpert.com/report.aspx?md5=6bb2a57c3bb3308b3a1519c987caddf4
The Anubis assessment shows that this file phones home to proxy5my .cn:
http://anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10

Again, due to almost no detection from antivirus solutions, I submitted the file to multiple vendors.  Here's the current virus assessment as of the time of this post:
File size: 38400 bytes
MD5...: 6bb2a57c3bb3308b3a1519c987caddf4
SHA1..: 7b0c73e4d9b5fd58c89fc117a5f8ab576145898d
SHA256: c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29

15/41 detection rate as of 2009.09.25 20:04:08 (UTC)

Variously identified as: Artemis!6BB2A57C3BB3, High Risk Cloaked Malware, TR/Agent.cxge, Troj/Agent-LGK, Trojan Horse, Trojan.Agent.cxge, Trojan.Agent.OPPW, Trojan.DownLoad.42082, Trojan.Win32.Agent, Trojan.Win32.Agent.cxge, W32/Agent.CXGE!tr, Win32/Delf.OOR, Generic.TRA!6bb2a57c3bb3, Generic.dx!fio, etc.
The second file downloaded by file13.exe is this very suspiciously-named executable:

hxxp://pobedaim .cn/ddos-bot.exe

ThreatExpert's analysis shows that it creates a file nups.sys in C:\WINDOWS\system32\drivers\ and registers it as a service called "Nups":
http://www.threatexpert.com/report.aspx?md5=4af3dc7f09f3dc39068ba4c176531937
The Anubis assessment shows that it creates a file named asyncmac.sys in C:\WINDOWS\system32\drivers\ and phones home to suxumzulum .cn:
http://anubis.iseclab.org/?action=result&task_id=19879314e87e2d93481ccec7a43498a6f&call=first
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.B!87"):
https://www.virustotal.com/analisis/11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f-1253849161

Once again, due to only "suspicious" detection,  I submitted the file to multiple antivirus companies.  Here's the current assessment as of the time of this post:
File size: 93696 bytes
MD5...: 4af3dc7f09f3dc39068ba4c176531937
SHA1..: 679a49279a7c26971ba6183bac78325fa720bfc2
SHA256: 11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f

13/41 detection rate as of 2009.09.25 20:04:19 (UTC)

Variously identified as: Artemis!4AF3DC7F09F3, Heuristic.LooksLike.Win32.Suspicious.B!87, TR/TDss.asbz, Troj/Agent-LGJ, Trojan.Dropper, Trojan.MulDrop.35371, Trojan.Win32.Tdss.asbz, W32/Agent.ASBZ!tr, Win32.SuspectCrc, Win32/SpamTool.Agent.NBW, Generic.TRA!4af3dc7f09f3, Generic.dx!fke, etc.
Reports for these two malware hosts, and three domains to which the malware phones home:
http://www.mywot.com/en/scorecard/gorodsnov.cn
http://www.mywot.com/en/scorecard/pobedaim.cn
http://www.mywot.com/en/scorecard/mylfix4.cn
http://www.mywot.com/en/scorecard/proxy5my.cn
http://www.mywot.com/en/scorecard/suxumzulum.cn

Other domains that have previously hosted variants of this malware, and were hosted on the same IP:

esenins .cn
http://www.malwareurl.com/listing.php?domain=esenins.cn
http://www.malwarebytes.org/forums/index.php?s=3e38bf9bf7fb2c4b059da6ecb97d9bb7&showtopic=24758
http://www.malwaredomainlist.com/forums/index.php?topic=3190.150 (search the page for ddos-bot.exe or svchost.exe)
http://anubis.iseclab.org/?action=result&task_id=157f7e6d3d884b2841507aa750d6cb22d - Anubis analysis of ddos-bot.exe from esenins .cn
http://www.threatexpert.com/report.aspx?md5=bbb64be95cc017dd30fa36a848fdcc6c - ThreatExpert analysis of ddos-bot.exe from esenins .cn
http://www.superantispyware.com/malwarefiles/DDOS-BOT.EXE.html - SUPERAntiSpyware's listing for "Trojan.Agent/Gen" with the same file name and MD5 hash, bbb64be95cc017dd30fa36a848fdcc6c
http://anubis.iseclab.org/?action=result&task_id=1fa6798ca3a124b34599302c57d1286b9 - Anubis analysis of svchost.exe from esenins .cn
http://www.mywot.com/en/scorecard/esenins.cn

7oydomen .cn
http://www.malwareurl.com/listing.php?domain=7oydomen.cn
http://wepawet.iseclab.org/view.php?hash=4e39f0d6097d6e980bb77775e86f5611&t=1252590543&type=js
http://anubis.iseclab.org/?action=result&task_id=1071bf336e899c014ad62b6d13f705cf4 - Anubis analysis of ddos-bot.exe from 7oydomen .cn
http://www.virustotal.com/analisis/a89e9524c50b0af3c058ce7639feac20f1066b3ff14ee58aceab5a7692c5f517-1252590543
http://www.malwaredomainlist.com/forums/index.php?topic=3190.135 (search the page for ddos-bot.exe)
http://www.mywot.com/en/scorecard/7oydomen.cn

Reports for other domains on the same IP address (210.51.166 .247):
http://www.malwareurl.com/search.php?s=210.51.166.247&rp=200&urls=on&ip=on
http://wepawet.iseclab.org/domain.php?hash=02d30b0b4ba304b039d8efb9aa2b5c71&type=js
http://www.mywot.com/en/scorecard/pay-day.cn
http://www.mywot.com/en/scorecard/posledniy.cn
http://www.mywot.com/en/scorecard/predposledniy.cn
http://www.mywot.com/en/scorecard/ledyzpizdik.cn
http://www.mywot.com/en/scorecard/domainadminpanel.cn
http://www.mywot.com/en/scorecard/zelenayajava.cn
http://www.mywot.com/en/scorecard/dmitrygaiduk.cn
http://www.mywot.com/en/scorecard/admnqtc.cn
http://www.mywot.com/en/scorecard/bezzpaleva.cn
http://www.mywot.com/en/scorecard/megobill.cn (reported by Wepawet; it's unknown whether this domain has hosted malware)

Searches for ddos-bot.exe on MalwareURL and Malware Domain List:
http://www.malwareurl.com/search.php?s=ddos-bot.exe&rp=200&urls=on
http://www.malwaredomainlist.com/mdl.php?search=ddos-bot.exe&colsearch=All&quantity=50

Reports for other possibly related files:
http://www.prevx.com/filenames/X1722639219385542672-X1/DDOS-BOT.EXE.html
http://www.threatexpert.com/report.aspx?md5=8b2a9afa42df42bef4c904713e2cfc21


Here are some other new malware domains I came across last night, unrelated to the malware described above. Most of these domains are related to Zbot malware and/or an Autostart worm, and several were registered within the past 48 hours:

http://www.mywot.com/en/scorecard/redbullarts.com
http://www.mywot.com/en/scorecard/scarlettartsgallery.com
http://www.mywot.com/en/scorecard/myfoundryart.com
http://www.mywot.com/en/scorecard/allfilesstorage.com
http://www.mywot.com/en/scorecard/allfilesstoragecenter.com
http://www.mywot.com/en/scorecard/givemereasonx.com (including subdomain core2700.givemereasonx.com)
http://www.mywot.com/en/scorecard/psimage.cn
http://www.mywot.com/en/scorecard/htm6.co.cc
http://www.mywot.com/en/scorecard/explorersecuritysuite.com


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Tuesday, September 22, 2009

"Windows PC Defender" Malware and Malicious Site Reports

There's a lot of fake ("rogue") antivirus malware in the wild, as I've mentioned previously.  Sometimes it's relatively easy to remove; just kill the process with Windows Task Manager (press Ctrl-Shift-Esc, click on the malicious process e.g. pav.exe, and click End Process) and then delete the offending executable file.  Yesterday I came across a new variant of "Windows PC Defender" and was surprised at how many changes it made to the system.  Not only were there HOSTS file and search engine modifications, but the malware also effectively disabled Windows Task Manager—and even McAfee VirusScan Enterprise, which unfortunately failed to detect the new malware before being disabled by it.

What heinous malware sorcery was needed to disable a major corporate antivirus product?  Nothing more than a simple registry hack.  Several application file names were added as subkeys under the following location in the registry, each with svchost.exe set as the Debugger.  Windows launches whatever program is named in an IFEO Debugger value in place of the target executable (passing the target's path to it as an argument), and svchost.exe simply exits when started that way, so every process with one of those file names was effectively prevented from running at all:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Although McAfee didn't stop the malware and was subsequently disabled by the infection, Spybot-Search & Destroy was able to find some—but not all—of the registry modifications (the entries that Spybot found were identified as Hupigon13, Win32.Agent.tdd, Win32.Delf.uv, and Win32.VB.PW infections).  Spybot's findings pointed me in the right direction so I could manually find and remove some of the other registry changes.  A partial list of disabled applications can be found at the ThreatExpert link below.  When cleaning this or a similar infection, you can safely delete any entries with "svchost.exe" set as the debugger.  Note that if regedit.exe is disabled by this hack, you can just make a copy of it on your desktop and rename it to something else, e.g. regedit-works-now.exe, and then open the renamed copy.  You can find the original at C:\WINDOWS\regedit.exe on your hard drive, or look in the I386 folder on your Windows installation disc.

HijackThis pointed out that there were HOSTS file infections.  Several Google domains were being forced to resolve to 206.53.61 .77, but even more interesting was that several domains related to other fake antivirus products were being forced to resolve to 74.125.45.100—the real Google.  (Apparently the creator of this malware didn't want any competition from certain other fake antivirus products, but I find it somewhat amusing that the malware author chose to redirect those sites to the real Google while redirecting real Google sites elsewhere; why not just redirect your competitors' sites to 206.53.61 .77 as well?)  HijackThis was unable to remove the HOSTS file infections, and FileASSASSIN was unable to delete the infected HOSTS file, so I used Spybot's file shredder utility to rename it, and then used Spybot to create a new HOSTS file in its place.  I then used GiPo@MoveOnBoot to mark the renamed infected file for removal the next time the system boots.

The malware also changed SearchScopes entries in the registry so that searches would be redirected to search-gala .com.  To clean an infected system, you will need to search the registry for "search-gala" and replace anything that looks similar to this:
hxxp://search-gala .com/?&uid=201&q={searchTerms}
...with something safe like this:
http://www.google.com/search?hl=en&q={searchTerms}
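The following is an added example (not code from the original post) that automates the three checks described above so they can be run from clean media against text copied off the infected machine: it parses a `reg export` dump for Image File Execution Options subkeys whose Debugger is svchost.exe, scans a HOSTS file for names mapped to anything other than the local machine (which catches both the hijacked Google domains and the rival fake-AV domains pointed at the real Google address), flags SearchScopes URLs whose host is not a known search engine (a generalization of searching the registry for "search-gala"), and writes a cleanup .reg file that deletes the bogus Debugger values and resets the search URL.  The registry dump and HOSTS file embedded below are constructed samples; the `KNOWN_SEARCH_HOSTS` allowlist and the `competing-rogue-av.example` name are assumptions, not data from the infected system.

```python
"""Audit a Windows box for the three modifications described above (IFEO debugger
hijacks, HOSTS redirections, hijacked SearchScopes).  Added example, not the post's code."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
SAFE_SEARCH_URL = "http://www.google.com/search?hl=en&q={searchTerms}"
# Assumption: hosts a SearchScopes URL may legitimately use; extend as needed.
KNOWN_SEARCH_HOSTS = {"google.com", "www.google.com", "www.bing.com",
                      "search.yahoo.com", "search.live.com"}

# Constructed sample in `reg export` format, not taken from a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="Google"
"URL"="http://search-gala.com/?&uid=201&q={searchTerms}"
"""
# Constructed sample HOSTS file; competing-rogue-av.example stands in for the
# rival fake-AV domains the malware pointed at the real Google address.
SAMPLE_HOSTS = """127.0.0.1       localhost
206.53.61.77    google.com www.google.com
74.125.45.100   competing-rogue-av.example   # constructed
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ values only
_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)

def parse_reg_export(text):
    """Parse a reg export dump into {key path: {value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := _SZ_RE.match(line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_ifeo_hijacks(reg):
    """[(image name, debugger)] for IFEO subkeys whose Debugger is svchost.exe.
    Windows runs the Debugger instead of the image, so the image never starts."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in reg.items():
        dbg = values.get("Debugger", "")
        if key.lower().startswith(prefix) and dbg.lower().rsplit("\\", 1)[-1] == "svchost.exe":
            hits.append((key[len(prefix):], dbg))
    return sorted(hits)

def find_hosts_hijacks(hosts_text):
    """[(hostname, ip)] for HOSTS lines that send a name to a real address.
    Ad-blocking HOSTS files use 127.0.0.1 or 0.0.0.0; anything else is suspect."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and not (fields[0].startswith("127.") or fields[0] in ("0.0.0.0", "::1")):
            hits.extend((name, fields[0]) for name in fields[1:])
    return hits

def find_search_hijacks(reg):
    """[(key path, URL)] for SearchScopes URLs whose host is not a known engine."""
    hits = []
    for key, values in reg.items():
        url = values.get("URL", "")
        if "\\searchscopes\\" in key.lower() and url:
            m = _HOST_RE.match(url)
            if not m or m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
                hits.append((key, url))
    return hits

def build_cleanup_reg(reg):
    """A .reg file that deletes the bogus Debugger values ("Debugger"=- means
    delete) and resets hijacked SearchScopes URLs to SAFE_SEARCH_URL."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in find_ifeo_hijacks(reg):
        out += [f"[{IFEO_KEY}\\{image}]", '"Debugger"=-', ""]
    for key, _ in find_search_hijacks(reg):
        out += [f"[{key}]", f'"URL"="{SAFE_SEARCH_URL}"', ""]
    return "\n".join(out)

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print("IFEO hijacks:", find_ifeo_hijacks(reg))
    print("HOSTS hijacks:", find_hosts_hijacks(SAMPLE_HOSTS))
    print("SearchScopes hijacks:", find_search_hijacks(reg))
    print(build_cleanup_reg(reg))
```

To use it on a real case, run `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg` and `reg export HKCU\Software\Microsoft\Internet Explorer\SearchScopes scopes.reg` on the infected machine (or from a copy of its hives), feed the concatenated text and `C:\WINDOWS\system32\drivers\etc\hosts` to the functions above, review the hits, and import the generated .reg only after confirming every flagged entry.  The HOSTS check is deliberately broad: a legitimate intranet HOSTS entry will also be flagged, which is the right default for an incident triage script.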

Details about the malicious executable, parts courtesy of VirusTotal:
File name and location:
C:\Documents and Settings\All Users\Application Data\090943c\WP0909.exe
File size: 2185216 bytes
MD5 : db50541ff7a46ddeb64fbccdb3bea9d9
SHA1 : 6839e11a015469255f8a1e93a058e5b35c5f74da
SHA256: 6b52a1f71544d3328720cacb7f27034826241cc6bcec33eb6f9c19c48ad3136d
6/41 detection rate upon first scan at 2009.09.22 00:20:13 (UTC)

14/41 detection rate as of 2009.09.22 17:54:05 (UTC), and McAfee and Fortinet plan to add detections for it soon

Variously identified as: Trojan.Win32.FakeVimes!IK, TR/FakeVimes.A.64, Trojan.FakeAV.SG, Trojan.Win32.FraudPack.uci, Artemis!DB50541FF7A4, Trojan.FakeVimes.A.64, Trojan:Win32/FakeVimes, Win32/Kryptik.AKT, Trj/CI.A, Mal/Basine-C, Trojan.Win32.Generic!BT, Suspicious.MH690.A, Misc/FakeAV, FakeAlert-WPS.gen.a
For more details regarding the malicious payload and associated domains, see:

In other news, last night I discovered a new fake virus scan and malware distribution site at rampir .info, which I reported to numerous malware site blacklists.  So far hpHosts, Malware Domain List, and DNS-BH have added it to their lists.  See the following reports:
Here's another of my reports that was recently published on DNS-BH, related to another black hat SEO malware campaign targeting America's Got Talent/Kevin Skinner searches, and my Web of Trust (WOT) reports for each of those domains:


Friday, September 4, 2009

What 'Dr. Seuss Coloring Pages' and 'Red Spots on Face' Have In Common

A recent trend amongst malware distributors has been to bombard Google with loads of useless pages containing keywords and phrases that will put them high in search results for particular queries.  Sometimes these pages target recent news events, and sometimes they're about seemingly random things such as Dr. Seuss coloring pages (believe it or not, I've actually seen that specific example). In the search engine's text snippet previews, these pages appear harmless and perhaps even useful, but when an unsuspecting Web surfer clicks on one of these search result links, the page immediately redirects to a fake antivirus scan (a form of scareware), exploits, drive-by downloads, or other malicious content.  I uncovered just such a scam today while investigating an infected PC.

This page...

hxxp://rodrigoeastbury.moqxqpuxz .cc/red_spots_on_face_that_wont_go_away.html

...automatically redirected to a page on langlan .net, which redirected to a page at pconlinescan .net, which loaded a fake virus scan that to the novice user may appear to be an actual Windows security alert (click on the screenshot to see it full size):
The malware authors obviously designed this scam page to look like Windows XP's default blue theme.  (As you can see in this screenshot, even in a Mac browser the page looks the same.)  If the panicked victim clicks on the "Remove all" button (or, in fact, anywhere on the page—even the Cancel or red X buttons), malware is downloaded onto the machine.  This malware is not yet detected by most antivirus software, but I'm submitting a sample to multiple security vendors so it should be more widely detected within the next day or so.

File details courtesy of VirusTotal and VirSCAN:
File name: setup_build206_157.exe
File size: 263168 bytes
MD5 : aedd952609bd1c6056df337443fb951e
SHA1 : 8b09fa1e55e5e5501ed5b9f6833e71d04fb12b01
SHA256: 7b89c480f25f14b2bc744a141fb252d796bdcd90f77dcff7e4a8bce06963e508
Variously identified as: TR/Dldr.Fake.PS.14, Trojan-Downloader.Win32.FraudLoad.fkt, Trojan.Dldr.Fake.PS.14, Mal/Behav-321, TROJ_AGENT.PQAB, etc.
For more details regarding the malicious payload and associated domains, see:

Tuesday, August 25, 2009

Breaking News: Mac OS X Snow Leopard Built-in Antivirus?

I just noticed a very intriguing post on Intego's Mac Security Blog claiming that Apple's upcoming operating system, Mac OS X v10.6 "Snow Leopard," will have built-in antivirus functionality. The following screenshot is alleged to show a system warning after downloading malware via Safari:


Intego's blog post is sparse on details, but one thing that they haven't explored is which antivirus engine Apple might be using behind the scenes. The only clue seems to be the name of the malware in the screenshot.

The name "OSX.RSPlug.A"—one of many names of a particular type of Mac-infecting malware—is used by Intego[1] and Symantec[2], while Sophos and McAfee use different names (OSX/RSPlug-A[3] and OSX/Puper.a[4], respectively).

ClamAV seems like a logical engine for Apple to choose since it's freely available and has been part of Mac OS X Server for years, but ClamAV doesn't appear to have a virus definition called OSX.RSPlug.A; it apparently only detects it as "OSX.RSPlug"[5].

Since Intego obviously didn't know about this until today, it's clear that Apple didn't license the technology from Intego. The only other company that appears to use the same malware name is Symantec. Could it be that Apple licensed Symantec's virus scanning engine? Or could Apple have developed its own custom AV engine?

Regardless of whose engine is being used, it's exciting that Apple may be including anti-virus functionality in its next-gen consumer OS (if you believe the "reports" that Intego claims to have seen).

UPDATE: Ryan Naraine from Kaspersky Lab and Threatpost says in his ZDNet column that he has "confirmed that Apple is not using the open-source ClamAV engine to handle these scans so it's likely the company has entered into an agreement with a commercial anti-virus company." This supports my theory that Apple may have licensed the technology from Symantec, maker of Norton AntiVirus. The latest I've heard through the grapevine is that Apple is indeed using a Symantec API.

UPDATE 2: The Register cites an anonymous source who claims that rather than including a full-fledged virus scanner, Apple is only checking for two specific types of malware: "Based on an analysis of a corresponding preferences file called XProtect.plist, it appears that the feature checks for only two known Mac trojans. And it only flags those files if they were downloaded from the internet using Entourage, iChat, Safari, and a handful of other applications, according to this person. Files that were downloaded using Skype and dozens of other net-facing applications aren't covered, nor are files on DVDs and thumb drives." According to MacRumors, this XProtect.plist file is located here on a drive with Snow Leopard (note that the file does not exist in Mac OS X v10.5 Leopard):

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

MacRumors identifies the second type of Mac malware as "OSX.Iservice", although it is unclear whether this is the actual name used in Snow Leopard. This malware is known variously as OSX.Iservice (Symantec)[6], Trojan.OSX.iservices.A (ClamAV), OSX.Trojan.iServices.A (Intego), OSX/iWorkS-A (Sophos), and OSX/IWService (McAfee).

If Apple hasn't licensed technology from Symantec, at the very least Apple is clearly favoring Symantec's malware names.



Wednesday, July 8, 2009

Google Chrome OS: No Viruses, Malware, or Security Updates?

Yesterday evening, Google announced a brand new operating system project called the Google Chrome Operating System, based on some of the concepts behind its Chrome Web browser. Google Chrome OS is supposed to be a lightweight operating system designed with low-powered computers such as netbooks in mind. In the announcement, Google made some pretty bold claims about the security of the upcoming OS which I feel should be addressed. From the press release (bold emphasis mine):
"Speed, simplicity and security are the key aspects of Google Chrome OS. ... And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work."
To make such claims about the security of an operating system—especially one that's still in its early stages of development—is laughable.  Granted, it could turn out to be true that fewer viruses will be designed specifically for Google's Chrome OS than for competing platforms; if recent trends continue, most malware authors will continue to primarily target Windows since it has the lion's share of the market and thus has the most potential for ill-gotten revenue through software or user exploitation.  Google's marketing spin is similar to that of Apple, which claims that Mac users don't have to deal with viruses or malware in spite of the fact that there are a handful of Mac OS X-infecting Trojan horses in the wild, not to mention platform-independent browser exploits.

But how can Google possibly claim that users won't have to deal with security updates? No matter how secure one might think a piece of software is, given enough time and motivation someone will probably discover an exploit for it. To give Google the benefit of the doubt, perhaps the authors of the press release (Sundar Pichai, VP Product Management and Linus Upson, Engineering Director) simply meant that security updates will be applied automatically without any user interaction, similar to how the Chrome browser is capable of updating itself automatically on Windows by keeping an updater process always running in the background.

It will be interesting to see what becomes of the Google Chrome OS, and in particular how it will deal with security threats. But no matter how awe-inspiring Google's marketing hype is, the new OS will not be a panacea for computer security.

Tuesday, June 9, 2009

Malware, Malicious and Spam Site Reports: search-and-destroy, antimalware-live-scanv3 [Updated]

Last week I researched some malware distribution sites including search-and-destroy dot com and antimalware-live-scanv3 dot com.

For more detailed reports for search-and-destroy dot com and its malicious payload, see:
File details courtesy of VirusTotal:
File name: SearchAndDestroy.exe
File size: 15403586 bytes
MD5 : 8fb526b68a826cd3c87f0bf39a22c8df
SHA1 : 2175cbb71d63f667a460d776361225d7195748d0
SHA256: 896e81b6d01cf13e91105de296607ef8f457116d36870ad2cc717a14657b8374
Variously identified as: Riskware.FraudTool.Win32.SearchAndDestroy!IK, DR/Fraud.SearchAndDestroy.A.2, Fake_AntiSpyware.AMR, Application.Generic.27393, Win32.FraudTool.Sear, FraudTool.Win32.SearchAndDestroy.a, Trojan.Dropper.Fraud.SearchAndDestroy.A.2, Win32/Adware.AntiVirusPro, FakeAV.VU, Adware/SearchAndDestroy, etc.
This deceptively-named, fraudulent malware is advertised by spamming anti-virus forums or article comments. This malware and the associated site have no relation whatsoever to the legitimate anti-spyware utility Spybot-Search & Destroy; the malware authors are seeking to piggyback on Spybot-S&D's good reputation by giving their malware a similar name. Only 16 out of 40 antivirus products currently detect this payload as malware. NOTE: I tried to submit this sample to multiple anti-virus vendors for analysis, but unfortunately most companies seem to have limitations on sample file sizes that they accept. Since this sample is larger than usual (about 15 MB), it is apparent that the malware author made it very difficult to submit the sample to most anti-virus/anti-malware companies. This reveals a major flaw in the sample submission systems of many AV vendors; if their dropboxes only accept small files, a malware creator can prevent detection by simply making their payloads a bit too large for independent security researchers to upload to these vendors.

Another site and malware file that I researched recently is antimalware-live-scanv3 dot com. For more detailed reports for this domain and its malicious payload, see:
File details courtesy of VirusTotal:
File name: Install_2009-1541.exe or Install_2007.exe or Install_0000.exe
File size: 147456 bytes
MD5 : a5ca6016e61a916470af3dfa3092653e
SHA1 : 308c1c10a0d0b4e4fa809dca28c09a795030b9a8
SHA256: 4bc080e77782f27ab2f0578086b37d185a5ef22708d0a55435c6ef1d2bc8bb95

Variously identified as: Win-Trojan/Fraudpack.147456.B, TR/BurnInHell.D, W32/FakeAV.KS, Win32:Rootkit-gen, Generic13.BDHW, Trojan.FraudPack.onq, Win32.Banker, Trojan.Win32.FraudPack.onq, W32/FraudPack.ONQ!tr, Trojan.BurnInHell.D, Trojan:Win32/FakeXPA, Win32/Adware.PersonalAntivirus, TROJ_FAKEAV.BIM, Spyware.FraudPack.147456.A, etc.
As of last Wednesday, only 1 major antivirus product (Prevx) detected the payload as malware. I submitted the sample to multiple vendors and two have replied so far (Kaspersky and McAfee) stating that they have added the file's signature to their definitions as Trojan.Win32.FraudPack.onq and FakeAlert-di respectively. I have not rescanned the file since then, but other vendors may have added this signature to their detection libraries by now. UPDATE: As of 9 June, rescanning the file with VirusTotal shows that 24 out of 39 virus/malware scanning engines now detect this threat (see the report). I have added an additional file name and several detection names above.

Following are some other malware-associated domains that I've recently reported. The links go to my McAfee SiteAdvisor report for each domain:
Following are some spam sites I've reported recently. I've limited this list to those that don't show many results in a Google search. Again, the links go to my McAfee SiteAdvisor report for each domain: