Thursday, November 11, 2010

"FedEx Services" Malware, Boonana/Koobface Update, Sophos for Mac, and Firesheep

There's been plenty going on in the realm of computer security lately.  Here's a brief update.

First, the breaking news: there's a new Oficla malware attachment spreading via fake FedEx e-mails, not unlike the UPS/USPS scam e-mail I told you about recently.  Here's a sample:

From: "FedEx Services" { @} [forged From address]
Subject: Track your shipment No445272 [number may vary]
Date: November 11, 2010

This is a post notification.

Your package has been returned to the FedEx office.
The reason of the return is - Incorrect delivery address of the package

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the FedEx office in order to receive the packages.

Thank you for your attention.
FedEx Customer Services.

[Note: The rest of this was white text on a white background, intended to fool e-mail spam filters while being hidden from the e-mail recipient. This portion of the e-mail is usually different in each sample.]
-- Wo mag mein Vater, meine Mutter sein?JULIA So waschen sie die Wunden ihm mit Tränen? Ich spare meine für ein bängres Sehnen. Nimm diese Seile auf. --Ach, armer Strick, Getäuscht wie ich! Wer bringt ihn uns zurück? Zum Steg der Liebe knüpft er deine Bande, Ich aber sterb als Braut im Witwenstande. Komm, Amme, komm! Ich will ins Brautbett! Fort! Nicht Romeo, den Tod umarm ich dort. WÄRTERIN Geht nur ins Schlafgemach! Zum Troste find ich Euch Romeo: ich weiß wohl, wo er steckt. Hört, Romeo soll Euch zur Nacht erfreuen; Ich geh zu ihm; beim Pater wartet er. LORENZO Komm, Romeo! Hervor, du Mann der Furcht! Bekümmernis hängt sich mit Lieb an dich, Und mit dem Mißgeschick bist du vermählt. ROMEO Vater, was gibts? Wie heißt des Prinzen Spruch? Wie heißt der Kummer, der sich zu mir drängt Und noch mir fremd ist? LORENZO Zu vertraut, mein Sohn, Bist du mit solchen widrigen Gefährten. Ich bring dir Nachricht von des Prinzen Spruch. ROMEO Verbannung? Sei ba rmherzig! Sage: Tod!
Attachment: [file name may vary]

As a reminder, companies like FedEx, UPS, DHL, and the U.S. Postal Service never send attachments containing mailing labels or tracking numbers—and they especially won't send Windows .exe programs.

If you extract the .zip file and run the .exe application (FedEx_mailing_label.exe) on a Windows PC, it will attempt to download more malicious software onto your PC, including fake antivirus software.
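A mail filter can catch this delivery pattern without relying on antivirus signatures. The following is an added example, not code from the original post: it walks a message's attachments and flags Windows executables whether attached directly or packed inside a .zip. The attachment name `label.zip`, the sender address, and the extension list are assumptions, and the sample message is constructed with inert placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows will run directly (an assumed deny-list, not exhaustive).
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def looks_executable(name, head):
    """Flag by file extension or by the 'MZ' magic that starts Windows executables."""
    return name.lower().endswith(EXEC_EXTS) or head[:2] == b"MZ"

def find_executables(raw):
    """Return (attachment, member) pairs for executables attached directly or zipped."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            hits.append((name, name))
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                head = b""
                if not info.flag_bits & 0x1:  # encrypted member: judge by name only
                    with zf.open(info) as fh:
                        head = fh.read(2)  # read the magic, never the whole member
                if looks_executable(info.filename, head):
                    hits.append((name, info.filename))
    return hits

def build_sample():
    """Constructed message modelled on the sample above; the payload is inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_mailing_label.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = '"FedEx Services" <sender@example.invalid>'
    msg["Subject"] = "Track your shipment No445272"
    msg.set_content("This is a post notification.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="label.zip")  # placeholder name
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_executables(build_sample()))
```

Checking the `MZ` header as well as the extension means a renamed executable inside the archive is still flagged.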

The malicious attachment is currently only detected by 12 out of 43 major antivirus engines, which should tell you to always be cautious of what you download and open, because your antivirus program won't stop everything. Most of the following information is courtesy of VirusTotal:

File name: FedEx_mailing_label.exe
MD5   : b7e6a7f9f527acaac54d0dfb1b4d7d87
SHA1  : 05af292c42a2e20d45dbbc919762d3a0c2158aa2
SHA256: 0e434c9a0740ba104ef8320af39c12c599ef3a1de527ea1779d1f59e1c50a806
File size : 74752 bytes

12/43 detection rate as of 2010-11-11 22:57:27 (UTC)

33/43 detection rate as of 2010-11-13 18:30:57 (UTC)

Variously identified as: Artemis!B7E6A7F9F527, Bck/Qbot.AO, Dropper.Generic2.BTTI, Generic.dx!uqm, High Risk Cloaked Malware, TR/Bamital.H, TR/Spy.ZBot.MY, TROJ_BAMITAL.AH, Troj/Agent-PHW, Trojan:W32/Bamital.D, Trojan:Win32/Oficla.AD, Trojan.Bamital, Trojan.Bamital!gen1, Trojan.Bredolab-1027, Trojan.Generic.5074337, Trojan.Oficla.80, Trojan.Oficla.CPS, Trojan.Win32.Generic.pak!cobra, Trojan.Win32.Oficla, Trojan.Win32.Oficla!IK, Trojan.Win32.Oficla.azk, Trojan/Oficla.azk, Trojan/Win32.Oficla, TrojWare.Win32.Trojan.Oficla.~D, W32/Agent.PHW!tr, W32/Oficla.R.gen!Eldorado, W32/Pinkslipbot.gen.t, W32/Sasfis.Z!tr, Win-Trojan/Oficla.74752, Win32:Oficla-AX, Win32/Bamital.BD, Win32/Oficla.JF, etc.

Here's VirusTotal's analysis of the fake antivirus software (with a measly 7 out of 43 detection rate) that FedEx_mailing_label.exe downloads from 109.196.143 .136:

File name: avpsoft_fgdhdflgkhjkf.exe
MD5   : 7db84663de821b00423fbf3838a0030f
SHA1  : b925ffe7cb695eda324dce99a2a1f482f1b16271
SHA256: 59085adc7a91f4fc4a424ee8de925f6efcf90c7e453fdc18c26d37e6c7ed8732
File size : 987648 bytes

7/43 detection rate as of 2010-11-12 00:10:34 (UTC)

24/43 detection rate as of 2010-11-13 18:31:16 (UTC)

Variously identified as: FraudTool.Win32.RogueSecurity (v), Gen:Variant.Kazy.3155, Generic.dx!uqn, Heur.Suspicious, Mal/FakeAV-DO, Medium Risk Malware Dropper, Rogue:Win32/Winwebsec, TR/Kazy.3155, Trj/CI.A, TROJ_FAKEAV.SMES, Trojan.Agent/Gen-Backdoor, Trojan.Fakealert.19447, Trojan.Win32.FakeAV.rnh, W32/FakeAV.ABDX, W32/FakeAV.DO!tr, W32/Kryptik.ZZ!tr, Win-Trojan/Fakeav.987648.DU, Win32:FakeAlert-ST, Win32/Adware.SecurityTool.AD, etc.

See the Web of Trust report for showtimeru .ru and a couple of Russian IPs to which the e-mail attachment phones home and attempts to download additional malware:

Since a lot of people asked about this last time, I'd like to remind readers that Windows .exe files can only infect Microsoft Windows operating systems.  If you're using a Mac, Linux, or other operating system (and assuming you haven't installed Parallels, VMware, CrossOver, Wine, etc. to enable you to run Windows apps on your Mac) you can't be harmed by accidentally downloading a malicious Windows .exe application.

Second, an update about the Boonana/Koobface malware, which I recently mentioned. A new variant is circulating according to reports from ESET and SecureMac, and even Microsoft's Windows-only antivirus product is detecting the Mac version of this malware. (Components of this malware are variously detected as Boonana, JAVA_JNANA.A, Java/Boonana.A, OSX/Koobface.A, Troj/Boonana-A, Trojan-Downloader.Java.Alboto.a, Trojan:Java/Boonana, Trojan:MacOS_X/Boonana, Trojan.Jnana.1, Trojan.Jnanabot, trojan.osx.boonana.a, trojan.osx.boonana.b, Win32/Boonana.A, etc.)

As I mentioned previously, disabling Java and being careful to not click on suspicious links on Facebook, Twitter, other social networks, and unexpected e-mails should help you avoid malware of this type.  If you're on Windows, I recommend uninstalling Java, and if you're on a Mac, I've posted instructions for disabling Java on Macs and a link to get SecureMac's free removal tool (which has been updated to remove the new "b" variant). Of course, it would also be wise to install antivirus software, which brings me to...

Third, commercial antivirus vendor Sophos recently released their antivirus software for free to all Mac users (for personal home use only).  You can download it at

Fourth, I thought I should at least briefly mention Firesheep, since it's been in the news a lot recently. Firesheep is an add-on for Firefox that makes it incredibly easy for anyone to hijack someone else's unencrypted Web browser sessions, allowing wannabe hackers and script kiddies to, for example, break into the Facebook or Twitter account of someone who's sharing the same public Wi-Fi hotspot at the local coffee shop.  It doesn't just allow bad guys to break into social networking sites, though; also affected are Amazon, Google (except Gmail), Bing, Windows Live, Dropbox, Flickr, The New York Times, and other sites. Firesheep has already been widely distributed, with more than 721,000 downloads in under 3 weeks.

The best way to avoid getting hacked by Firesheep users is to use a VPN (a secure remote connection to a private network, for example securely logging into your home computer and using the browser on that computer rather than browsing directly from your laptop, iPad, or other device on an unencrypted Wi-Fi network). Using the EFF's "HTTPS-Everywhere" Firefox add-on (whose name is actually a misnomer, since it can't enable https:// for all sites) can help force secure connections for only a handful of specific sites, while sessions on other sites will remain vulnerable. Public Wi-Fi providers (Starbucks, McDonald's, hotels, etc.) can help protect users by enabling WPA/WPA2 encryption and giving out the password to guests, rather than providing unencrypted wireless networks (see the links hereafter for details on how this works). However, perhaps the best way to fix the problem is for every Web service provider to encrypt the full browser session, not just login pages. Start encouraging the sites you use to enforce https:// access to all pages of their site to protect their customers/users from Firesheep session hijacking. For further analysis of Firesheep, see Steve Gibson's blog and audio podcasts (with searchable text transcripts) here and here.
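Why encrypting only the login page is not enough can be shown with a small audit. This added example (not from the original post) assumes the session is carried in a cookie and reports on which later page requests a browser would send that cookie unencrypted; the site name, cookie name, and URLs are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def cleartext_exposure(set_cookie_headers, later_urls):
    """Map each cookie name to the later URLs on which it travels unencrypted.

    A browser sends a cookie over plain HTTP when the cookie lacks the Secure
    attribute and its Path matches the request. Cookies marked Secure are
    withheld from http:// requests.
    """
    exposure = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            path = morsel["path"] or "/"
            exposure[name] = [
                url for url in later_urls
                if urlsplit(url).scheme == "http"
                and not morsel["secure"]
                and (urlsplit(url).path or "/").startswith(path)
            ]
    return exposure

# Constructed Set-Cookie values from a hypothetical site.
LOGIN_ONLY_HTTPS = ["session_id=abc123; Path=/; HttpOnly"]           # HTTPS at login only
FULL_SESSION_HTTPS = ["session_id=abc123; Path=/; HttpOnly; Secure"]  # HTTPS throughout

# Constructed URLs the user visits after logging in.
BROWSING = [
    "https://social.example/login",
    "http://social.example/home",
    "http://social.example/photos",
]

if __name__ == "__main__":
    print(cleartext_exposure(LOGIN_ONLY_HTTPS, BROWSING))
    print(cleartext_exposure(FULL_SESSION_HTTPS, BROWSING))
```

With the first configuration the session cookie is visible to anyone on the same open Wi-Fi network on every page after login; with the `Secure` attribute set and all pages served over https://, it is not.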

UPDATE, 13 Nov 2010 @ 10:50 PST: Added additional malware names and current detection rates.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

1 comment:

  1. My wife got this in an email on her yahoo account. Thanks for the heads up.

