Tuesday, November 10, 2009

"AntiMalware" Fake Security Product: Malware Analysis and Related Domains [Updated]

A recent tweet from Panda Security Malaysia led me to do some further investigation of a new (and not widely known yet) malware distribution site (scansecurityhole .cn) and the malware it's distributing.  Here's some of what I've discovered so far.

Only 12 out of 41 antivirus engines currently detect the malicious payload.  From the VirusTotal analysis:
File name: antimalware.exe
File size: 1572864 bytes
MD5...: d7cb2ac94a4ad92df54f46fa1a1518dc
SHA1..: 065af3ef68d32b686b61b0a144c83bdfa352b2e1
SHA256: 959d2f7efc5aa7fa719067d466f73aa4c015adddc5149663351a604beda47314

12/41 detection rate as of 2009.11.10 18:25:06 (UTC)

Variously identified as: Artemis!D7CB2AC94A4A, FraudTool.Win32.RogueSecurity (v), Mal/FakeAV-BP, Medium Risk Malware, Packed.Win32.TDSS.aa, Trojan:Win32/FakeCog, Trojan.FakeCog.DZ, Trojan.Win32.Alureon, W32/FakeAV.C!genr, Win32/Adware.CoreguardAntivirus.A, Adware/CoreguardAV, Win32/AntiMalware.A, Win32:Jifas-BY, Win-Trojan/FakeAV.1572864, HomeProtectionCenter, Adware/SystemGuard2009, Malware-Cryptor.Win32.Trac, Packed/Win32.Tdss.gen, TR/FakeAV.AS.1, TROJ_FAKECOG.AJ, Trojan.FakeAV-200, Trojan.FakeAV.AS.1, Trojan.Generic.2649775, Trojan.TDSS.aa, Trojan.Win32.FakeCog, Trojan.Win32.Generic.51F11C66, Trojan.Win32.Malware.1, Generic.TRA!d7cb2ac94a4a, W32/FakeAlert.DY.gen!Eldorado, Trojan/W32.TDSS.1572864.I, Trojan.Tdss.Dhy, Packed.Tdss.adic, Packed.Win32.Tdss.y (v), etc.
Behavioral analyses of this malware:
Web of Trust (WOT) reports for scansecurityhole .cn and several sites to which the malware phones home:
I have submitted a sample of this malware to multiple antivirus companies, so it should soon be detected more widely.  I am also submitting the above malicious sites to several blacklists, so hopefully the sites will soon be blocked more widely as well.

UPDATE, 11 Nov 2009 @ 07:20 PST: Added 5 new detection names from Fortinet, MalwareURL, and VirusTotal, and also added 8 related domains identified by hpHosts and MalwareURL.

UPDATE, 13 Nov 2009 @ 12:10 PST: Added 14 new detection names from McAfee and VirusTotal.  Detection is still fairly low at only 27 out of 41 engines.  In other news, with help from hpHosts the malicious URL hosted at has been taken down.  Additionally, the antimalware.exe hosted on scansecurityhole .cn has changed, and has a very low detection rate (currently 5 out of 41):
File name: antimalware.exe
File size: 1585152 bytes
MD5...: 8d48379fd946e06b12d1ee8fe9efc65b
SHA1..: de3f142cf15ac4fc4eb97b14a3c7ad9a73acb227
SHA256: 647320fa125cd4b540faab30513ca5a3517affc73bf9bb9b48b7507a8fd03246

5/41 detection rate as of 2009.11.13 18:58:28 (UTC)

Variously identified as: Artemis!8D48379FD946, FraudTool.Win32.RogueSecurity (v), Sus/UnkPacker, Trojan.FakeAlert.Gen!Pac.13, W32/FakeAV.C!genr, Packed.Win32.TDSS.aa, W32/FakeAlert.FL!tr, Heur.Suspicious, Medium Risk Malware, Packed.Win32.Tdss, SHeur2.BRRJ, TR/PCK.Tdss.AA.1855, TROJ_FAKEAV.BNY, Trojan:Win32/FakeCog, Trojan.FakeAV, Trojan.PCK.Tdss.AA.1855, Trojan.Win32.Generic.51F15672, W32/FakeAlert.DY.gen!Eldorado, Win-Trojan/FakeAV.1585152, Win32:Malware-gen, Win32/Adware.CoreguardAntivirus.A, Generic FakeAlert.c, Trojan.Tdss.Dkx, Win32/AntiMalware.D trojan, Trojan.TDSS-1247, Packed.Tdss.adld, etc.

Behaviorally it appears to be very similar to the previous sample (see the Xandora, ThreatExpert, and Anubis analyses), except that it contacts different domains:
One interesting thing from the Xandora analysis is that this version installed faster, so the screenshot taken after 90 seconds showed a scan result—with "Nothing found!"  However, that doesn't mean it's a legitimate product; case in point, ThreatExpert's analysis shows that it disables Windows' Security Center service, which no legitimate antivirus product would do automatically upon installation.  Perhaps the software intentionally doesn't find anything in its first scan for the sole purpose of looking legitimate to malware analysts and automated systems.  It's also worth noting that malware creators can specifically design their programs to act differently when being analyzed, as Brian Krebs wrote about in his recent Security Fix article titled Former anti-virus researcher turns tables on industry.

UPDATE, 16 Nov 2009 @ 08:20 PST: Added 2 new detection names from VirusTotal for the first sample.  Current detection is now 30/41.  Also added 14 new detection names from Kaspersky, Fortinet, and VirusTotal for the second sample.  Current detection is now 24/41.  As of the time of this update, scansecurityhole .cn (which has hosted both variants of antimalware.exe) is inaccessible. 11:30 PST: The site is back up again, and it's still hosting the second variant.

UPDATE, 18 Nov 2009 @ 18:30 PST: Added 3 new detection names from VirScan for the first sample and 5 new detection names from McAfee and VirScan for the second sample.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Monday, November 9, 2009

UPS Scam E-mail with Cutwail/Pandex Trojan Attachment

Quite similar to the recent DHL scam e-mail campaign, malicious e-mails have recently been circulating that claim to be from UPS (United Parcel Service of America) and use social engineering to trick users into opening an attachment.

Following is a sample e-mail:
From: "UPS Service" {fake address @ recipient's ISP or e-mail provider}
Subject: UPS Delivery Problem
Date: November 5, 2009
Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Attachment: inv.zip (22,317 bytes)
If an unsuspecting individual opens the attachment, the malware copies itself with the file name "reader_s.exe" to the user's profile folder (e.g. C:\Documents and Settings\User\reader_s.exe) and to the system folder (e.g. C:\Windows\system32\reader_s.exe) and registers itself as a startup item in the registry.  It phones home to multiple IP addresses on port 80 (see a list below).

Initial detection of the malware was somewhat low; the earliest VirusTotal report I could find showed that 18 out of 40 major antivirus engines detected this threat (a good demonstration of why it's never a good idea to open a suspicious attachment; you can't count on your antivirus software to detect all malware, especially new samples).  The sample is currently detected by nearly all antivirus software.  Most of the following information is courtesy of VirusTotal:
File name: inv.exe (it has also been submitted to Prevx as reader_s.exe, winner.exe, photo.exe, etc.)
File size: 51200 bytes
MD5...: 3b9c3d653c3e5cb40c93e9599ee507de
SHA1..: 3277a9dd2d1f9a242d431ca76e2a8362221da129
SHA256: 98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731

37/40 detection rate as of 2009.11.09 10:26:55 (UTC)

Variously identified as: Backdoor.Small.CPDR, Backdoor.Small.zs, Backdoor.Win32.Small.51200.D, Backdoor.Win32.Small.zs, Backdoor/W32.Small.51200, Cutwail, Heur.Suspicious, High Risk Cloaked Malware, SHeur2.BPZQ, TR/Crypt.XPACK.Gen, Trj/Downloader.MDW, TROJ_AGENT.AWYQ, Troj/Agent-LNC, Trojan-Downloader.Win32.Small, Trojan:W32/Cutwail.CW, Trojan.Crypt.XPACK.Gen, Trojan.Cutwail.Z, Trojan.DownLoad.37236, Trojan.Downloader-81329, Trojan.Pandex, Trojan.Win32.Generic!SB.0, Trojan.Win32.Generic.51F056EF, Trojan.Win32.Malware.1, TrojanDownloader:Win32/Cutwail.gen!C, TrojanDownloader.Adload.gpa, W32/Cutwail.C!tr.dldr, W32/Smalltroj.UMSB, W32/Trojan3.BLY, Win32:Malware-gen, Win32/Cutwail.AVH, Win32/Wigon
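
A host sweep built from the indicators in the AntiMalware post above and this UPS post, as an added example that is not part of the original posts: it matches files by the sizes and SHA-256 values VirusTotal reported, and separately flags the reported file names when the content differs (as happened when antimalware.exe was replaced on 13 Nov). The function names, the choice of three file names and the example scan roots are assumptions.

```python
import hashlib
import os

# Indicators copied from the posts on this page: label -> (size in bytes, SHA-256).
PAGE_IOCS = {
    "antimalware.exe (10 Nov sample)": (
        1572864, "959d2f7efc5aa7fa719067d466f73aa4c015adddc5149663351a604beda47314"),
    "antimalware.exe (13 Nov sample)": (
        1585152, "647320fa125cd4b540faab30513ca5a3517affc73bf9bb9b48b7507a8fd03246"),
    "inv.exe / reader_s.exe (UPS e-mail)": (
        51200, "98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731"),
}
# File names the posts report for these samples; matched case-insensitively.
PAGE_NAMES = {"antimalware.exe", "inv.exe", "reader_s.exe"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are never read in one piece."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(roots, iocs=PAGE_IOCS, names=PAGE_NAMES):
    """Walk each root; return sorted (path, verdict) tuples. "hash: <label>" means
    size and SHA-256 match a listed sample; "name-only" means a listed file name
    with different content, as a repacked build would have."""
    by_size = {}
    for label, (size, digest) in iocs.items():
        by_size.setdefault(size, {})[digest.lower()] = label
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    # Only hash files whose size equals a listed sample's size.
                    candidates = by_size.get(os.path.getsize(path))
                    label = candidates.get(sha256_file(path)) if candidates else None
                except OSError:
                    continue  # unreadable or vanished file: skip it, keep sweeping
                if label:
                    findings.append((path, "hash: " + label))
                elif name.lower() in names:
                    findings.append((path, "name-only"))
    return sorted(findings)


if __name__ == "__main__":
    # Roots are assumptions based on the folders quoted in the UPS post.
    for path, verdict in sweep([r"C:\Documents and Settings", r"C:\Windows\system32"]):
        print(verdict, path)
```

A "name-only" result is a lead for review rather than a verdict, since a file name alone says nothing about the content.
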
ThreatExpert behavioral analysis:

Anubis behavioral analysis:

Prevx report which includes additional file names:

See also the Web of Trust (WOT) reports for several IPs to which this malware phones home (IP block owners in parentheses):

http://www.mywot.com/en/scorecard/ (China Unicom)
http://www.mywot.com/en/scorecard/ (China Unicom)
http://www.mywot.com/en/scorecard/ (Limestone Networks [Texas, USA])
http://www.mywot.com/en/scorecard/ (GoDaddy [Arizona, USA])
http://www.mywot.com/en/scorecard/ (The Planet [Texas, USA])
http://www.mywot.com/en/scorecard/ (China Unicom)
http://www.mywot.com/en/scorecard/ (China Unicom)
http://www.mywot.com/en/scorecard/ (Chinanet)
http://www.mywot.com/en/scorecard/ (China Unicom)

Friday, November 6, 2009

Lose/Lose and psDoom: Art, Games, or Malware?

Now and then, a program comes along about which the security community has difficulty agreeing on a classification.  Such is the case with a Mac software "art project" called Lose/Lose, described by its creator as "a video-game with real life consequences."  If you don't read the warnings carefully, Lose/Lose might appear to be a simple Space Invaders-like game where you shoot at alien spaceships to protect your own ship and earn points, but in this case doing so has the dangerous side effect of deleting your personal files as demonstrated in this Symantec video:

In spite of all the recent press coverage of Lose/Lose, fewer than half of Mac antivirus makers currently offer detection of the program. (Specifically, the Mac antivirus programs that detect it include CA Anti-Virus, Intego VirusBarrier X5, ProtectMac AntiVirus, Sophos Anti-Virus, Symantec Norton AntiVirus, and Trend Micro Security, while conversely ALWIL Avast!, BitDefender, ClamXav, Dr.Web, Kaspersky Anti-Virus, McAfee VirusScan/Security, and PC Tools iAntiVirus do not detect it.  See VirusTotal's analysis, as well as Intego's blog post and ProtectMac's malware list since these programs are not included in VirusTotal.)

Some security analysts, including Chris Boyd from FaceTime Communications/SpywareGuide and Vitalsecurity.org, feel that it's laughable to identify Lose/Lose as malware or a Trojan horse, pointing out that the Web site hosting the so-called malicious file—not to mention the application itself—includes a warning in red capital letters explaining that the program will delete files.  In his article, Boyd points out that part of Symantec's justification for flagging Lose/Lose as malware is that "there's nothing stopping someone with more malicious intentions from modifying it slightly and then passing it on to unsuspecting users."  In light of this rationale, Boyd mentions psDoom, an old game based on the DOOM engine that allows players to kill running processes by shooting at demons, and suggests that if Symantec and other companies are going to flag Lose/Lose as malware because it can cause data loss when used carelessly and "on the basis someone could 'modify and do naughty things with it'" they should be consistent and consider psDoom to be malware as well.

I asked Ben Nahorney, senior information developer at Symantec and author of the article quoted by Boyd, what his thoughts were regarding psDoom.  Nahorney replied:
"While psDoom is similar in nature to Lose/Lose, it doesn't cause any irreparable damage on the computer. Yes, playing it will likely result in your computer crashing, but restarting the computer will fix any issues. In comparison, Lose/Lose is deleting files on the computer and provides no 'undo' option. Based on this, we consider it to be behaving maliciously."
Nahorney's explanation makes sense, although one could argue that psDoom can cause irreparable damage, for example if a user had unsaved data in one of the applications that psDoom killed.  As is the case with Lose/Lose, a user who plays psDoom without reading the warnings may inadvertently become a victim of data loss.  However, losing a few unsaved documents is probably not as bad as losing a substantial amount of one's personal files, so Symantec maintains that psDoom is less of a threat because it's less likely to cause significant damage.

Graham Cluley, senior technology consultant at Sophos who also recently published an article on Lose/Lose, shared with me his opinion about Lose/Lose vs. psDoom:
"Personally I wouldn't want either running on my corporate network. With Sophos Anti-Virus we have an application control functionality that allows sysadmins to control what categories of software users can run beyond just malware protection.  I would say that psDoom was probably a candidate for inclusion in an app control category."
In other words, although Sophos doesn't detect psDoom as malware, Cluley suggests that system administrators concerned about psDoom may want to add a custom exclusion for it.

Lenny Zeltser, member of the board of directors at SANS Technology Institute and incident handler at the Internet Storm Center, shared his opinion with me:
"psDoom is a novelty process manager with a game-like user interface. Its purpose and capabilities are clear to its user. In this, it is no different from Task Manager, Process Explorer, and other process managers. If psDoom was unclear about its purpose, attempted to mislead the user, or had hidden capabilities, such as a backdoor, then I'd consider it malware."
Zeltser makes a good point that psDoom was originally intended as a *nix process manager with a fun interface, although it's worth noting that the Mac version is listed as a game rather than a system administration utility on VersionTracker and CNET Download.com.  Zeltser continues:
"Lose/Lose is similar to psDoom in that it provides a game-like front-end for performing system tasks: deleting files. A major difference between Lose/Lose and psDoom is that the processes psDoom kills will be less likely to lead to permanent loss of a significant amount of data, while the files Lose/Lose deletes may truly hurt the user. Another significant difference, because Lose/Lose seems to pick the files to delete at random, Lose/Lose behaves very much like a game of Russian roulette. Some people may need to be protected from themselves when playing Russian roulette. Lose/Lose is pretty clear about its adverse effects on the system, because its opening screen states 'KILLING IN LOSE/LOSE DELETES YOUR FILES.'  I can see some users not realizing that the files are deleted in a real sense, especially in our world of short attention spans. Taking these factors into account, I would consider Lose/Lose as 'potentially unwanted software,' rather than malicious software."
The final person to respond with his thoughts was Peter James, a spokesman for Mac-exclusive antivirus maker Intego who recently wrote about Lose/Lose on Intego's blog.  Said he:
"We will block this program, as we will any other similar program. However, psDoom is unlikely to be used very much, since it is an X11 program, and does not run natively on Mac OS X. The problem with such programs, though, is that unsavvy users may run such programs and cause damage or, in the case of lose/lose, delete files. We have many enterprise customers who certainly don't want programs like this run on their computers."
James makes a very good point about psDoom being much more difficult to run than Lose/Lose.  When I tried to run it, I discovered that I had to make the program executable first by running chmod from the command line (which a novice is not going to know to do since it's not even mentioned in the documentation).  After that, I was able to get psDoom to run on Snow Leopard, but even then the process management functionality did not work properly, which seems to be caused by a difference in UNIX commands starting with Leopard.  If I couldn't easily get psDoom to kill any processes on the latest release of Mac OS X, it's doubtful that accidental process termination and data loss while playing psDoom will be a problem for the vast majority of users, which is quite a dramatic difference from Lose/Lose.  In spite of this, based on what James said it appears that Intego will soon be the only antivirus vendor to detect psDoom.

Lose/Lose is variously detected (mostly by non-Mac antivirus software) as Application.OSX.Loselose.A, Game/KillFiles, Mac.LoseLose, MacOS!IK, MACOS/LoseLose, MacOS/Loselose.A, OSX_LOSEGAM.A, OSX.Loosemaque, OSX.LoseGame, OSX/LoseGame-A, OSX/LoseLose.A, OSX/LoserGame, Trojan:MacOS_X/Loosemaque.A, and Trojan.OSX.Loselose.A.

psDoom is not currently detected by any antivirus engine.


Monday, November 2, 2009

"New Moon" Movie Attracts Malware Makers

These days, malware campaigns target pretty much anything that people are likely to search for on Google (in fact, some campaigns even target seemingly random searches).  One of the latest malware campaigns targets fans of the Twilight book series in anticipation of the upcoming movie New Moon.

As reported by ThreatExpert, the new Trojan (dubbed "PWS-CuteMoon" by McAfee) harvests passwords from a variety of e-mail and FTP client applications—including but not limited to Outlook, Thunderbird, Eudora, The Bat!, CuteFTP, FileZilla, and WS_FTP—and sends the stolen credentials to the malicious site newmoon-movie .net, which receives the data via the Cute News service.

PWS-CuteMoon is also detected as Trj/CI.A, Trojan-Downloader.Win32.FakeRean, TrojWare.Win32.PSW.LdPinch.Gen, and Win32/TrojanDropper.Agent.OKG, according to McAfee.

For more details, see ThreatExpert's blog post and automated analysis of the malware.  See also the Web of Trust (WOT) reports for these affiliated sites: