Saturday, September 26, 2009

Microsoft Escalated Support Rep Trusts Scam Site [Updated]

Ever been fooled by a malicious site?  Microsoft has.

The other day I came across this scam page, and I was surprised to see that it shows up in Bing search results:

hxxp://explorersecuritysuite .com/info.php?af=213&url=http://www.facebook.com/login.php

This alert appears in any browser, even if you go directly to the site.  The scam page pretends that you're getting an official warning from Microsoft.

The page claims:
This website has been reported as unsafe
We strongly recommend to discontinue the use of this website.
[link] Activate my Web protection software
This website has been reported to Microsoft for containing threats that might steal personal or financial information from your computer
If you click on the link, it takes you to this page:

...and if you further click on "Click Here!" you'll be taken to this page:

A non-savvy Web user could easily be tricked by the initial warning into following the links, perhaps even thinking that Microsoft wanted them to buy this "Total Security" product (or perhaps not thinking, due to fear of identity theft and a frantic desire to protect oneself).  After all, what could make someone feel safer online than "total security"?  But surely a more seasoned individual, say for example an advanced Microsoft employee, wouldn't be tricked by such a scheme.  Or would they?

I followed Microsoft's directions for submitting malicious sites, and dutifully reported the deceptive page to Microsoft's Bing support team.  A friendly lady from Bing Technical Support replied and said that "I understand that you are reporting a scam site listed in Bing results. I know the importance of this issue. I will now be escalating your email to our product specialists for further investigation. They will directly take action on your request and will be contacting you with an update soon."  That sounded very promising.  Imagine my surprise when I got this response later:
Hello Joshua,

We have already reported the www.explorersecuritysuite .com.  If you check the query on BING, you should be able to see the warning on the vertical result.

I have provided a link for the query:

http://www.bing.com/search?q=explorersecuritysuite.com

Thank you for reporting this matter.

Best Regards,

[name redacted]
Microsoft Global Escalations

Of course, the search query brings up the malicious page at the very top of the results, as seen here:

However, there's no warning from Microsoft anywhere on the search results page.  The closest thing is Bing's quotation of the scam page.  I replied to Microsoft's Global Escalations representative, explaining that "The site itself is malicious, and it pretends to have been reported to Microsoft.  Try the direct malicious link in any other browser and you'll get the same warning when you visit the page.  The warning comes directly from the site, not from Bing or Microsoft.  This is clearly not an official Microsoft alert."  I provided a direct link to the malicious page (non-sanitized, in case this individual might have been confused by hxxp or a space in the domain name).  I sent this reply well over 24 hours ago.  I still haven't gotten a response, and the scam page is still indexed on Bing.

So, how about that?  Even someone who works for Microsoft's Global Escalations department can get fooled by a malicious scam site.

UPDATE: Two days after I sent my last reply to Microsoft Global Escalations, a different representative responded:
Hello Josh,

My name is [redacted] with Microsoft Global Escalations.

I have re-investigated the said site ([unsanitized URL redacted]) and would confirm with you that the site is indeed misleading.

We will be taking action to remove this as soon as possible.

Thank you for reporting this and again brining [sic] this to our attention.

Best Regards,

[name redacted]
Micsrosoft Global Escalations [sic]

Yet another two days after getting this reply, the site was finally removed from Bing.  So from the time I first reported the site to Microsoft until it actually got delisted from Bing's search results was roughly 5.5 days.


Fun storytelling aside, here's the technical stuff, for anyone who might be interested.

http://wepawet.iseclab.org/view.php?hash=493989f2a5387f5176781a3f11e969e8&t=1253948333&type=js (Wepawet analysis showing affiliated domains)
http://www.mywot.com/en/scorecard/explorersecuritysuite.com (Web of Trust report)

A nearly identical domain, windowssecurityinfo .com, also comes up in Bing search results, although the site is not loading at the moment:
http://www.bing.com/search?q=windowssecurityinfo.com (example Bing search that brings up this actual domain as a result, just like with explorersecuritysuite)
http://cc.bingj.com/cache.aspx?d=76745708601589&w=4c13551f,ac670a51 (Bing cache, not linked because it tries to load images and CSS directly from the domain; use caution)
http://www.malwareurl.com/listing.php?domain=windowssecurityinfo.com
http://www.mywot.com/en/scorecard/windowssecurityinfo.com


Related fake warning sites that are currently inactive:

browsersecurityinfo .com
http://malwaredatabase.net/blog/index.php/2009/07/08/website-selling-multiple-rogue-programs-as-legitimate-pt-2/
http://wepawet.iseclab.org/domain.php?hash=c9e5f4ba1f2a19e94c0294ab39f499ea&type=js (Wepawet analysis showing affiliated domains)
http://www.malwareurl.com/listing.php?domain=browsersecurityinfo.com
http://www.mywot.com/en/scorecard/browsersecurityinfo.com

suspiciousdomainblock .com/pre1/?af=14s1
http://www.cybertechhelp.com/forums/showpost.php?p=1116477&postcount=1
http://wepawet.iseclab.org/view.php?hash=1ef044d5571341b35240cd8fa4f843e0&t=1249738635&type=js (Wepawet analysis showing affiliated domains)
http://www.malwareurl.com/listing.php?domain=suspiciousdomainblock.com
http://www.mywot.com/en/scorecard/suspiciousdomainblock.com

Reports for affiliated domains:
http://www.mywot.com/en/scorecard/winnetworkstatus.com (redirects from explorersecuritysuite to expresssoftwarepayment)
http://www.mywot.com/en/scorecard/expresssoftwarepayment.com (including protected.expresssoftwarepayment .com)
http://www.mywot.com/en/scorecard/protectionbytesoft.com ("Eco Antivirus"/"Total Security" fake AV site, mentioned on payment page)
http://www.mywot.com/en/scorecard/cnnnewspoint.com (redirected from suspiciousdomainblock to authorized-payments)
http://www.mywot.com/en/scorecard/authorized-payments.com (including protected.authorized-payments .com)
http://www.mywot.com/en/scorecard/cyberstrongstore.com ("Eco Antivirus"/"Total Security" fake AV site, mentioned on payment page)
http://www.mywot.com/en/scorecard/ieprotectionlist.com (linked from browsersecurityinfo)
http://www.mywot.com/en/scorecard/bennysaintscathedral.com (redirected from ieprotectionlist to buysecuritysoftwareonline)
http://www.mywot.com/en/scorecard/buysecuritysoftwareonline.com (including secure.buysecuritysoftwareonline .com)


Fake warning sites from a different fake/rogue antivirus campaign, all of which are currently active:

hxxp://safewebway2009 .com/warning/
http://www.mywot.com/en/scorecard/safewebway2009.com

hxxp://trusted-web-way .com/warning/
http://www.mywot.com/en/scorecard/trusted-web-way.com

hxxp://protect-my-web .com/warning/
http://www.mywot.com/en/scorecard/protect-my-web.com

hxxp://rightsafeway .com/warning/
http://www.mywot.com/en/scorecard/rightsafeway.com

hxxp://web-safe-and-clean .com/warning/
http://www.mywot.com/en/scorecard/web-safe-and-clean.com

All of these sites redirect to hxxp://yesantivirusplus .com/buy.php?id=
http://www.mywot.com/en/scorecard/yesantivirusplus.com

Payment site for Antivirus Plus: hxxps://my-secure-payment .com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus4&advert=
http://www.mywot.com/en/scorecard/my-secure-payment.com


More fake warning pages:
hxxp://www.malwareurl.com/search.php?s=Fake+Warning&urls=on&redirs=on (site defunct, and URL was not saved on archive.org)

Friday, September 25, 2009

New Malware (ddos-bot.exe, etc.) and Malicious Domains

Last night I found a report for the following malicious file:

hxxp://gorodsnov .cn/file13.exe

Since the file was suspicious but wasn't detected by any major antivirus engine (except as a "suspicious file"), I decided to investigate further.

ThreatExpert's analysis shows that the executable downloads two files (as discussed below) and phones home to mylfix4 .cn:
http://www.threatexpert.com/report.aspx?md5=f7a0f8d044c333ad3b7d65a6485af931
http://anubis.iseclab.org/?action=result&task_id=1020202f49ecf30742da827c810205c13
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.H!87"):
https://www.virustotal.com/analisis/193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098-1253847644
Lists of other malware files and exploits hosted on the same domain:
http://wepawet.iseclab.org/domain.php?hash=02d30b0b4ba304b039d8efb9aa2b5c71&type=js
http://www.malwareurl.com/listing.php?domain=gorodsnov.cn

This malware is clearly a Trojan downloader, but most antivirus products didn't detect it at all.  I submitted the file to multiple companies.  Here's the current assessment as of the time of this post (main source VirusTotal):
File size: 29184 bytes
MD5...: f7a0f8d044c333ad3b7d65a6485af931
SHA1..: a381aed69ed753618e0b3930c78243701af44d7d
SHA256: 193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098

13/41 detection rate as of 2009.09.25 20:04:02 (UTC)

Variously identified as: Artemis!F7A0F8D044C3, Downloader, Heuristic.LooksLike.Win32.Suspicious.H!87, TR/Sasfis.nyk, Troj/DwnLdr-HXD, Trojan.MulDrop.35369, Trojan.Win32.Sasfis.nyk, W32/Small.KFU!tr, Win32.SuspectCrc, Win32/Oficla.AG, Generic.TRA!f7a0f8d044c3, Generic.dx!fij, etc.

The malicious software described above automatically fetched the following files:

hxxp://pobedaim .cn/svchost.exe

Initial VirusTotal assessment (2/41 - "Trojan.DownLoad.42082"):
https://www.virustotal.com/analisis/c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29-1253849155
ThreatExpert's analysis shows that the file creates a startup registry entry for itself:
http://www.threatexpert.com/report.aspx?md5=6bb2a57c3bb3308b3a1519c987caddf4
The Anubis assessment shows that this file phones home to proxy5my .cn:
http://anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10

Again, due to almost no detection from antivirus solutions, I submitted the file to multiple vendors.  Here's the current virus assessment as of the time of this post:
File size: 38400 bytes
MD5...: 6bb2a57c3bb3308b3a1519c987caddf4
SHA1..: 7b0c73e4d9b5fd58c89fc117a5f8ab576145898d
SHA256: c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29

15/41 detection rate as of 2009.09.25 20:04:08 (UTC)

Variously identified as: Artemis!6BB2A57C3BB3, High Risk Cloaked Malware, TR/Agent.cxge, Troj/Agent-LGK, Trojan Horse, Trojan.Agent.cxge, Trojan.Agent.OPPW, Trojan.DownLoad.42082, Trojan.Win32.Agent, Trojan.Win32.Agent.cxge, W32/Agent.CXGE!tr, Win32/Delf.OOR, Generic.TRA!6bb2a57c3bb3, Generic.dx!fio, etc.

The second file downloaded by file13.exe is this very suspiciously-named executable:

hxxp://pobedaim .cn/ddos-bot.exe

ThreatExpert's analysis shows that it creates a file nups.sys in C:\WINDOWS\system32\drivers\ and registers it as a service called "Nups":
http://www.threatexpert.com/report.aspx?md5=4af3dc7f09f3dc39068ba4c176531937
The Anubis assessment shows that it creates a file named asyncmac.sys in C:\WINDOWS\system32\drivers\ and phones home to suxumzulum .cn:
http://anubis.iseclab.org/?action=result&task_id=19879314e87e2d93481ccec7a43498a6f&call=first
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.B!87"):
https://www.virustotal.com/analisis/11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f-1253849161

Once again, due to only "suspicious" detection, I submitted the file to multiple antivirus companies.  Here's the current assessment as of the time of this post:
File size: 93696 bytes
MD5...: 4af3dc7f09f3dc39068ba4c176531937
SHA1..: 679a49279a7c26971ba6183bac78325fa720bfc2
SHA256: 11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f

13/41 detection rate as of 2009.09.25 20:04:19 (UTC)

Variously identified as: Artemis!4AF3DC7F09F3, Heuristic.LooksLike.Win32.Suspicious.B!87, TR/TDss.asbz, Troj/Agent-LGJ, Trojan.Dropper, Trojan.MulDrop.35371, Trojan.Win32.Tdss.asbz, W32/Agent.ASBZ!tr, Win32.SuspectCrc, Win32/SpamTool.Agent.NBW, Generic.TRA!4af3dc7f09f3, Generic.dx!fke, etc.

Reports for these two malware hosts, and three domains to which the malware phones home:
http://www.mywot.com/en/scorecard/gorodsnov.cn
http://www.mywot.com/en/scorecard/pobedaim.cn
http://www.mywot.com/en/scorecard/mylfix4.cn
http://www.mywot.com/en/scorecard/proxy5my.cn
http://www.mywot.com/en/scorecard/suxumzulum.cn
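For anyone who wants to check a Windows box for the artifacts the sandbox reports above attribute to file13.exe and the two files it downloads, here is a host-side sweep written as an added example (it is not from the original post and not from any of the analysis services linked). The SHA256 values, the "Nups" service name and the nups.sys / asyncmac.sys driver names are taken from the post; the folders scanned are an assumption, and Get-FileHash needs PowerShell 4 or later. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: sweep a host for the indicators
# listed above. Hashes, service name and driver file names are quoted from the
# post; the scan roots are an assumption.

$KnownSha256 = @{
    '193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098' = 'file13.exe (downloader)'
    'c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29' = 'svchost.exe (dropped copy, not the Windows binary)'
    '11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f' = 'ddos-bot.exe (dropped)'
}
$ServiceName = 'Nups'
$DriverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$ScanRoots   = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'), $env:USERPROFILE)   # assumption

# 1. Service registration: ThreatExpert reports nups.sys installed as service "Nups".
#    Reading the Services key directly works even if the service is stopped or hidden
#    from Get-Service.
function Get-NupsService {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path -Path $key) {
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{ Service = $ServiceName; ImagePath = $p.ImagePath; Start = $p.Start; Type = $p.Type }
    }
}

# 2. Driver files: nups.sys should not exist at all. asyncmac.sys is also the name
#    of a legitimate Windows RAS driver, so it is reported with its hash and
#    Authenticode status for manual comparison rather than auto-flagged.
function Get-DriverArtifact {
    foreach ($name in 'nups.sys', 'asyncmac.sys') {
        $path = Join-Path $DriverDir $name
        if (-not (Test-Path -Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($name -eq 'nups.sys') { $verdict = 'unexpected file: malicious per post' }
        else                      { $verdict = 'compare hash/signature manually' }
        [pscustomobject]@{
            File     = $path
            Sha256   = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
            SigState = $sig.Status
            Verdict  = $verdict
        }
    }
}

# 3. Hash sweep: every executable under the scan roots is hashed and compared
#    with the SHA256 values published in the post.
function Find-KnownBadFile {
    Get-ChildItem -Path $ScanRoots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.sys', '.dll' } |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $KnownSha256.ContainsKey($h.ToLower())) {
                [pscustomobject]@{ File = $_.FullName; Matches = $KnownSha256[$h.ToLower()] }
            }
        }
}

Write-Output '== Nups service =='
Get-NupsService | Format-List
Write-Output '== Driver artifacts =='
Get-DriverArtifact | Format-Table -AutoSize
Write-Output '== Files matching published hashes =='
Find-KnownBadFile | Format-Table -AutoSize
```

Hash matching only catches the exact samples listed here; later builds from the same domains will have different hashes, so the service and driver checks are the more durable indicators.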

Other domains that have previously hosted variants of this malware, and were hosted on the same IP:

esenins .cn
http://www.malwareurl.com/listing.php?domain=esenins.cn
http://www.malwarebytes.org/forums/index.php?s=3e38bf9bf7fb2c4b059da6ecb97d9bb7&showtopic=24758
http://www.malwaredomainlist.com/forums/index.php?topic=3190.150 (search the page for ddos-bot.exe or svchost.exe)
http://anubis.iseclab.org/?action=result&task_id=157f7e6d3d884b2841507aa750d6cb22d - Anubis analysis of ddos-bot.exe from esenins .cn
http://www.threatexpert.com/report.aspx?md5=bbb64be95cc017dd30fa36a848fdcc6c - ThreatExpert analysis of ddos-bot.exe from esenins .cn
http://www.superantispyware.com/malwarefiles/DDOS-BOT.EXE.html - SUPERAntiSpyware's listing for "Trojan.Agent/Gen" with the same file name and MD5 hash, bbb64be95cc017dd30fa36a848fdcc6c
http://anubis.iseclab.org/?action=result&task_id=1fa6798ca3a124b34599302c57d1286b9 - Anubis analysis of svchost.exe from esenins .cn
http://www.mywot.com/en/scorecard/esenins.cn

7oydomen .cn
http://www.malwareurl.com/listing.php?domain=7oydomen.cn
http://wepawet.iseclab.org/view.php?hash=4e39f0d6097d6e980bb77775e86f5611&t=1252590543&type=js
http://anubis.iseclab.org/?action=result&task_id=1071bf336e899c014ad62b6d13f705cf4 - Anubis analysis of ddos-bot.exe from 7oydomen .cn
http://www.virustotal.com/analisis/a89e9524c50b0af3c058ce7639feac20f1066b3ff14ee58aceab5a7692c5f517-1252590543
http://www.malwaredomainlist.com/forums/index.php?topic=3190.135 (search the page for ddos-bot.exe)
http://www.mywot.com/en/scorecard/7oydomen.cn

Reports for other domains on the same IP address (210.51.166 .247):
http://www.malwareurl.com/search.php?s=210.51.166.247&rp=200&urls=on&ip=on
http://wepawet.iseclab.org/domain.php?hash=02d30b0b4ba304b039d8efb9aa2b5c71&type=js
http://www.mywot.com/en/scorecard/pay-day.cn
http://www.mywot.com/en/scorecard/posledniy.cn
http://www.mywot.com/en/scorecard/predposledniy.cn
http://www.mywot.com/en/scorecard/ledyzpizdik.cn
http://www.mywot.com/en/scorecard/domainadminpanel.cn
http://www.mywot.com/en/scorecard/zelenayajava.cn
http://www.mywot.com/en/scorecard/dmitrygaiduk.cn
http://www.mywot.com/en/scorecard/admnqtc.cn
http://www.mywot.com/en/scorecard/bezzpaleva.cn
http://www.mywot.com/en/scorecard/megobill.cn (reported by Wepawet; it's unknown whether this domain has hosted malware)

Searches for ddos-bot.exe on MalwareURL and Malware Domain List:
http://www.malwareurl.com/search.php?s=ddos-bot.exe&rp=200&urls=on
http://www.malwaredomainlist.com/mdl.php?search=ddos-bot.exe&colsearch=All&quantity=50

Reports for other possibly related files:
http://www.prevx.com/filenames/X1722639219385542672-X1/DDOS-BOT.EXE.html
http://www.threatexpert.com/report.aspx?md5=8b2a9afa42df42bef4c904713e2cfc21


Here are some other new malware domains I came across last night, unrelated to the malware described above. Most of these domains are related to Zbot malware and/or an Autostart worm, and several were registered within the past 48 hours:

http://www.mywot.com/en/scorecard/redbullarts.com
http://www.mywot.com/en/scorecard/scarlettartsgallery.com
http://www.mywot.com/en/scorecard/myfoundryart.com
http://www.mywot.com/en/scorecard/allfilesstorage.com
http://www.mywot.com/en/scorecard/allfilesstoragecenter.com
http://www.mywot.com/en/scorecard/givemereasonx.com (including subdomain core2700.givemereasonx.com)
http://www.mywot.com/en/scorecard/psimage.cn
http://www.mywot.com/en/scorecard/htm6.co.cc
http://www.mywot.com/en/scorecard/explorersecuritysuite.com


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Tuesday, September 22, 2009

"Windows PC Defender" Malware and Malicious Site Reports

There's a lot of fake ("rogue") antivirus malware in the wild, as I've mentioned previously.  Sometimes it's relatively easy to remove; just kill the process with Windows Task Manager (press Ctrl-Shift-Esc, click on the malicious process e.g. pav.exe, and click End Process) and then delete the offending executable file.  Yesterday I came across a new variant of "Windows PC Defender" and was surprised at how many changes it made to the system.  Not only were there HOSTS file and search engine modifications, but the malware also effectively disabled Windows Task Manager—and even McAfee VirusScan Enterprise, which unfortunately failed to detect the new malware before being disabled by it.

What heinous malware sorcery was needed to disable a major corporate antivirus product?  Nothing more than a simple registry hack.  Several application file names were added to the following location in the registry, with svchost.exe set as the debugger (which effectively prevented all processes with those file names from running at all):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Although McAfee didn't stop the malware and was subsequently disabled by the infection, Spybot-Search & Destroy was able to find some—but not all—of the registry modifications (the entries that Spybot found were identified as Hupigon13, Win32.Agent.tdd, Win32.Delf.uv, and Win32.VB.PW infections).  Spybot's findings pointed me in the right direction so I could manually find and remove some of the other registry changes.  A partial list of disabled applications can be found at the ThreatExpert link below.  When cleaning this or a similar infection, you can safely delete any entries with "svchost.exe" set as the debugger.  Note that if regedit.exe is disabled by this hack, you can just make a copy of it on your desktop and rename it to something else, e.g. regedit-works-now.exe, and then open the renamed copy.  You can find the original at C:\WINDOWS\regedit.exe on your hard drive, or look in the I386 folder on your Windows installation disc.

HijackThis pointed out that there were HOSTS file infections.  Several Google domains were being forced to resolve to 206.53.61 .77, but even more interesting was that several domains related to other fake antivirus products were being forced to resolve to 74.125.45.100—the real Google.  (Apparently the creator of this malware didn't want any competition from certain other fake antivirus products, but I find it somewhat amusing that the malware author chose to redirect those sites to the real Google while redirecting real Google sites elsewhere; why not just redirect your competitors' sites to 206.53.61 .77 as well?)  HijackThis was unable to remove the HOSTS file infections, and FileASSASSIN was unable to delete the infected HOSTS file, so I used Spybot's file shredder utility to rename it, and then used Spybot to create a new HOSTS file in its place.  I then used GiPo@MoveOnBoot to mark the renamed infected file for removal the next time the system boots.

The malware also changed SearchScopes entries in the registry so that searches would be redirected to search-gala .com.  To clean an infected system, you will need to search the registry for "search-gala" and replace anything that looks similar to this:
hxxp://search-gala .com/?&uid=201&q={searchTerms}
...with something safe like this:
http://www.google.com/search?hl=en&q={searchTerms}
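To make the manual hunt described in the last few paragraphs repeatable, here is a read-only audit script written as an added example (it is not from the original post and does not come from Spybot, HijackThis or any other tool mentioned). It walks the three hijack points in turn: Image File Execution Options "Debugger" values, the HOSTS file, and SearchScopes URLs. It assumes the standard Windows registry and file locations and uses the indicator values quoted above (svchost.exe as debugger, 206.53.61.77 for the HOSTS redirect, search-gala for the search hijack). It only reports; removing the entries is still a manual step, per the advice above. Run it from an elevated PowerShell prompt on the infected machine (or on a renamed copy of powershell.exe if that has been disabled too).

```powershell
# Added example, not from the original post: read-only audit of the three hijack
# points described above. Indicator values are the ones quoted in the post.

$IfeoKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$HostsFile    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BadHostsIp   = '206.53.61.77'   # quoted in the post
$BadSearchTag = 'search-gala'    # quoted in the post

# 1. IFEO: a "Debugger" value makes Windows start that program instead of the
#    named executable. svchost.exe as the debugger is the trick the post describes,
#    and those entries are the ones the post says are safe to delete.
function Get-IfeoDebuggerEntry {
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Executable = $_.PSChildName
                Debugger   = $dbg
                Suspicious = [bool]($dbg -match '(^|\\)svchost\.exe')
            }
        }
    }
}

# 2. HOSTS: report every mapping that is not loopback or a null route, with a
#    reason. A Google domain pointed anywhere else is the hijack from the post.
function Get-HostsMapping {
    if (-not (Test-Path -Path $HostsFile)) { return }
    foreach ($raw in Get-Content -Path $HostsFile) {
        $line = ($raw -split '#', 2)[0].Trim()          # strip comments
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $reason = $null
            if ($ip -eq $BadHostsIp) { $reason = 'known bad IP from the post' }
            elseif ($name -match '(^|\.)google\.' -and
                    $ip -notmatch '^(127\.|0\.0\.0\.0$|::1$)') { $reason = 'Google domain hijacked' }
            elseif ($ip -notmatch '^(127\.|0\.0\.0\.0$|::1$)') { $reason = 'non-loopback mapping (review)' }
            if ($reason) {
                [pscustomobject]@{ Host = $name; ResolvesTo = $ip; Reason = $reason }
            }
        }
    }
}

# 3. SearchScopes: look in both hives for URL values carrying the hijack tag.
function Get-HijackedSearchScope {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
        Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            foreach ($valueName in 'URL', 'SuggestionsURL') {
                $url = $props.$valueName
                if ($url -and $url -match $BadSearchTag) {
                    [pscustomobject]@{ Key = $_.PSPath; Value = $valueName; Url = $url }
                }
            }
        }
    }
}

Write-Output '== IFEO Debugger values (svchost.exe as debugger: safe to delete per the post) =='
Get-IfeoDebuggerEntry | Format-Table -AutoSize
Write-Output '== HOSTS mappings needing review =='
Get-HostsMapping | Format-Table -AutoSize
Write-Output '== SearchScopes entries pointing at the hijack domain =='
Get-HijackedSearchScope | Format-Table -AutoSize
```

Legitimate IFEO entries do exist (debuggers, some corporate tools), which is why the script reports all Debugger values and only marks the svchost.exe ones as suspicious; the HOSTS report will also show harmless non-loopback entries on machines where an administrator added them deliberately.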

Details about the malicious executable, parts courtesy of VirusTotal:
File name and location:
C:\Documents and Settings\All Users\Application Data\090943c\WP0909.exe
File size: 2185216 bytes
MD5 : db50541ff7a46ddeb64fbccdb3bea9d9
SHA1 : 6839e11a015469255f8a1e93a058e5b35c5f74da
SHA256: 6b52a1f71544d3328720cacb7f27034826241cc6bcec33eb6f9c19c48ad3136d
6/41 detection rate upon first scan at 2009.09.22 00:20:13 (UTC)

14/41 detection rate as of 2009.09.22 17:54:05 (UTC), and McAfee and Fortinet plan to add detections for it soon

Variously identified as: Trojan.Win32.FakeVimes!IK, TR/FakeVimes.A.64, Trojan.FakeAV.SG, Trojan.Win32.FraudPack.uci, Artemis!DB50541FF7A4, Trojan.FakeVimes.A.64, Trojan:Win32/FakeVimes, Win32/Kryptik.AKT, Trj/CI.A, Mal/Basine-C, Trojan.Win32.Generic!BT, Suspicious.MH690.A, Misc/FakeAV, FakeAlert-WPS.gen.a

For more details regarding the malicious payload and associated domains, see:

In other news, last night I discovered a new fake virus scan and malware distribution site at rampir .info, which I reported to numerous malware site blacklists.  So far hpHosts, Malware Domain List, and DNS-BH have added it to their lists.  See the following reports:
Here's another of my reports that was recently published on DNS-BH, related to another black hat SEO malware campaign targeting America's Got Talent/Kevin Skinner searches, and my Web of Trust (WOT) reports for each of those domains:


Friday, September 4, 2009

What 'Dr. Seuss Coloring Pages' and 'Red Spots on Face' Have In Common

A recent trend amongst malware distributors has been to bombard Google with loads of useless pages containing keywords and phrases that will put them high in search results for particular queries.  Sometimes these pages target recent news events, and sometimes they're about seemingly random things such as Dr. Seuss coloring pages (believe it or not, I've actually seen that specific example). In the search engine's text snippet previews, these pages appear harmless and perhaps even useful, but when an unsuspecting Web surfer clicks on one of these search result links, the page immediately redirects to a fake antivirus scan (a form of scareware), exploits, drive-by downloads, or other malicious content.  I uncovered just such a scam today while investigating an infected PC.

This page...

hxxp://rodrigoeastbury.moqxqpuxz .cc/red_spots_on_face_that_wont_go_away.html

...automatically redirected to a page on langlan .net, which redirected to a page at pconlinescan .net, which loaded a fake virus scan that to the novice user may appear to be an actual Windows security alert (click on the screenshot to see it full size):

The malware authors obviously designed this scam page to look like Windows XP's default blue theme.  (As you can see in this screenshot, even in a Mac browser the page looks the same.)  If the panicked victim clicks on the "Remove all" button (or, in fact, anywhere on the page—even the Cancel or red X buttons), malware is downloaded onto the machine.  This malware is not yet detected by most antivirus software, but I'm submitting a sample to multiple security vendors so it should be more widely detected within the next day or so.

File details courtesy of VirusTotal and VirSCAN:
File name: setup_build206_157.exe
File size: 263168 bytes
MD5 : aedd952609bd1c6056df337443fb951e
SHA1 : 8b09fa1e55e5e5501ed5b9f6833e71d04fb12b01
SHA256: 7b89c480f25f14b2bc744a141fb252d796bdcd90f77dcff7e4a8bce06963e508
Variously identified as: TR/Dldr.Fake.PS.14, Trojan-Downloader.Win32.FraudLoad.fkt, Trojan.Dldr.Fake.PS.14, Mal/Behav-321, TROJ_AGENT.PQAB, etc.
For more details regarding the malicious payload and associated domains, see: