Sunday, June 20, 2010

Twilight Eclipse Search Results Lead to Rogue AVs

  
    In today’s internet era it seems that whenever the latest hot topic appears, there is always corresponding malware or a rogue antivirus threat lurking behind it. Cybercriminals are quick to grab every opportunity they can find to infect their next victim. Previously, visiting porn sites was the most common way for a computer to get infected. These days malware creators don’t limit themselves to porn sites; they also use other techniques to attach these threats to wherever internet users search for news on the latest natural disaster, sports event or other hot topic.

     As the release date of the third installment of the popular Twilight saga draws near, it is becoming increasingly interesting to malware writers. Last June 18th, the PC Tools Malware Research Centre found a Rogue AV variant exploiting topics such as the movie’s release date, ticket release dates and soundtrack. As with the previous installment, the upcoming Twilight Eclipse movie is no exception to the latest SEO-poisoning technique.


Sample Search results

     Internet users searching for news about the new Twilight movie may stumble upon search results like these – and clicking one of the highlighted results will redirect you to a fake antivirus site.


Sample Redirection

     Once users click on the malicious search result, they are redirected to a rogue antivirus site where a fake alert pops up. This alert falsely informs the victim that their computer has been infected with malware and, in what is made to look like a genuine Windows security alert, offers the user next steps. The following are examples of how these appear:





     When the user decides to proceed by accepting the ‘protection’ on offer, the download, installation and execution of the rogue antivirus follow.







Recommendation:
     Internet users are encouraged to be vigilant when visiting sites that appear in internet searches for popular news topics, even when they come from a known source.

     PC Tools Spyware Doctor with AntiVirus, coupled with PC Tools Browser Defender technology, detects and blocks this malware and alerts users to websites hosting web threats that use the technique mentioned above. Users should make sure their software is up-to-date by using Smart Updates, and that Behavior Guard is enabled, to help ensure they are fully protected against both current and new or unknown web threats.

Wednesday, April 21, 2010

Zeus Almighty’s Handcrafted PDF Files



Though primarily distributed through spam and drive-by downloads, and in addition to social-engineering tactics, the Zeus/Zbot malware also uses specially crafted PDF files to get onto an unsuspecting user's computer.

The Malware Research Center has seen PDF files that carry embedded JavaScript code which in turn exploits the Collab.getIcon buffer overflow vulnerability (CVE-2009-0927) and the Util.Printf buffer overflow vulnerability (CVE-2008-2992).

These exploits allow the execution of arbitrary malicious code that downloads and executes the Zeus malware on the unsuspecting user's machine.

Deobfuscated javascript code exploiting the Util.Printf vulnerability

Deobfuscated javascript code exploiting the Collab.GetIcon vulnerability

The Zeus/Zbot malware essentially steals online credentials, particularly targeting online banking information from a compromised computer.

Internet users are encouraged to ensure that their Reader software is up-to-date and to be vigilant when visiting sites and downloading and opening files, even those coming from known sources.

PC Tools strongly advises making sure that your signatures are up-to-date by using Smart Updates, to ensure you are protected against current and upcoming web threats.

We would like to express our gratitude to Jonathan San Jose for using the Browser Defender technology to find web exploits in real time and for providing the malware samples used in this analysis.

Steve Espino
Malware Research Analyst



------------------------------------------------------------------------------------
27/04/2010 - UPDATE:

Aside from the handcrafted PDF files used by the Zeus bot, the Malware Research Center has also seen additional exploits used by the Zbot variant. Here are the exploits used:

1. Java Exploits

The Java Runtime Environment (JRE) Vulnerability in Deserializing Calendar objects (CVE-2008-5353).

The jj.jar file contains the Hirwfee.class file, which exploits the vulnerability in deserializing Calendar objects.


Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE (CVE-2009-3867).


The j.jar file contains the Uutecwv.class file, which exploits the getSoundBank vulnerability in Java (CVE-2009-3867).


2. Flash Player Exploits on different versions.

Information regarding the vulnerabilities can be found in these links:

Deobfuscated javascript code exploiting the Flash player vulnerability part 1


Deobfuscated javascript code exploiting the Flash player vulnerability part 2

3. Adobe PDF Exploits
It uses an iframe tag to load the file img.php.


The img.php file is the crafted PDF file.


It also uses the vulnerability in the Collab.getIcon function (CVE-2009-0927) and the util.printf JavaScript function with a crafted format string argument (CVE-2008-2992). Additionally, it exploits a buffer overflow by creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call (CVE-2007-5659).

Deobfuscated javascript code exploiting the collectEmailInfo vulnerability

4. MDAC Exploit (CVE-2006-0003)

Deobfuscated javascript code exploiting the MDAC vulnerability

5. Internet Explorer Exploit
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer (CVE-2010-0806).

Deobfuscated javascript code exploiting the iepeers vulnerability


6. The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11) vulnerability (CVE-2009-1136).

Deobfuscated javascript code exploiting the Spreadsheet vulnerability

These exploits allow the execution of arbitrary malicious code that downloads and executes the Zeus malware on the unsuspecting user's machine.



Upon installation on the user’s machine, the Zeus malware drops a copy of itself in the Windows system folder with the filename sdra64.exe, then sets the file time to that of %SystemFolder%\ntdll.dll. It also sets the file attributes to hidden, system, read-only and archive.

It also creates the folder lowsec in the Windows system folder, with the hidden attribute, and creates the following files in it:
• local.ds
• user.ds
• user.ds.lll

These files are the configuration file and the log file that the Zeus malware uses to gather and steal information.

This Zeus bot malware also has an autostart technique: it attempts to add the string %SystemFolder%\sdra64.exe to the registry entry below:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %Original value%

Example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "c:\Windows\System32\userinit.exe, c:\Windows\System32\sdra64.exe,"

Furthermore, if this Zeus bot fails to modify the registry entry mentioned above, it creates the following autostart registry entry instead:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
userinit = "%SystemFolder%\sdra64.exe"

This Zeus bot malware disables the Windows Firewall by creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall = dword:00000000

It also creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
UID = "%ComputerName%_%HexNumber%"
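The three registry modifications described above (the extra Userinit entry, the fallback HKCU Run value and the disabled DomainProfile firewall) can be checked mechanically. The script below is an added example, not PC Tools' code; its inputs are constructed samples modelled on the values quoted in this post, and on a live system they would instead be read with Python's winreg module.

```python
"""Check registry values for the Zeus/Zbot persistence artefacts described above.

Added example, not PC Tools' code. The sample values are constructed from
the entries quoted in the post; feed real values from winreg on a live host.
"""
import re

# Winlogon\Userinit should reference only userinit.exe. Zeus appends
# "%SystemFolder%\sdra64.exe" to this comma-separated list.
USERINIT_EXPECTED = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)


def userinit_extra_entries(value):
    """Return every non-empty Userinit entry that is not userinit.exe."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and not USERINIT_EXPECTED.match(e)]


def check_zeus_registry(winlogon_userinit, hkcu_run, firewall_enable):
    """Collect findings matching the Zeus registry modifications.

    winlogon_userinit: string data of HKLM\\...\\Winlogon\\Userinit
    hkcu_run: dict of value name -> data under HKCU\\...\\CurrentVersion\\Run
    firewall_enable: DWORD of ...\\FirewallPolicy\\DomainProfile\\EnableFirewall (None if absent)
    """
    findings = []
    for extra in userinit_extra_entries(winlogon_userinit):
        findings.append("Userinit has extra entry: %s" % extra)
    for name, data in hkcu_run.items():
        # Zeus names its fallback Run value "userinit" and points it at sdra64.exe
        if name.lower() == "userinit" or data.lower().endswith("\\sdra64.exe"):
            findings.append("HKCU Run value %s = %s" % (name, data))
    if firewall_enable == 0:
        findings.append("DomainProfile EnableFirewall set to 0")
    return findings


# Constructed sample modelled on the infected values quoted in the post.
INFECTED = dict(
    winlogon_userinit="c:\\Windows\\System32\\userinit.exe, c:\\Windows\\System32\\sdra64.exe,",
    hkcu_run={"userinit": "C:\\Windows\\System32\\sdra64.exe"},
    firewall_enable=0,
)
# Constructed sample of a clean machine (default Userinit and firewall enabled).
CLEAN = dict(
    winlogon_userinit="C:\\Windows\\system32\\userinit.exe,",
    hkcu_run={"ctfmon.exe": "C:\\Windows\\system32\\ctfmon.exe"},
    firewall_enable=1,
)

if __name__ == "__main__":
    for label, values in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_zeus_registry(**values))
```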

This Zeus/Zbot malware also attempts to gather information from the following FTP applications in order to steal saved FTP server addresses and, where available, the corresponding usernames and passwords:
• FlashFXP
• Total Commander
• WS_FTP
• FileZilla
• WinSCP
• CoreFtp
• SmartFtp

This Zeus bot malware injects its code into certain processes.

One of the processes it injects its code into is the Windows winlogon.exe process.


The Zeus code injected into winlogon.exe is also capable of injecting further code into the Windows svchost.exe process, which is capable of downloading the malware’s configuration file.


The code injected into svchost.exe consists of a routine that decrypts the URL from which it downloads the configuration file, and a routine that decrypts the downloaded configuration file.



Basically, the configuration file contains the following:
• URLs of updated copies of itself
• URLs for another configuration file
• HTML script code that the Zeus bot uses to fake the login on bank sites
• Bank sites this bot monitors for information theft
• Non-bank sites the Zeus bot also monitors for account information theft

This Zeus bot malware is detected by PC Tools as Trojan-Spy.Zbot.YETH

PC Tools strongly advises making sure that your signatures are up-to-date by using Smart Updates, to ensure you are protected against current and upcoming web threats.


~Jonathan N. San Jose
Malware Research Analyst

Sunday, March 14, 2010

Yet Another Koobface Attack!


     Koobface is a network worm that tries to propagate using social engineering techniques. While it mainly targets the popular social-networking site “Facebook”, it also targets other sites such as “Twitter” and “MySpace” as the vector for infection.

     On 10th March 2010, PC Tools’ Malware Research Centre found another Koobface variant lurking in Facebook. Like its predecessors, it hijacks existing Facebook accounts and tries to spread by generating a URL directing users to a malicious page. Visiting the malicious URL redirects users to a webpage with a malicious script that forces the user to download a malicious executable posing as an installer for a video codec.

     Upon execution, this fake video codec silently drops a copy of itself, downloads its components, accesses fake AV sites and continuously monitors the unsuspecting user, waiting for him/her to log in to his/her account so as to hijack it. It then uses the acquired account to silently log into Facebook Lite (the Twitter version of Facebook) to start another loop of infection.

Past reports can be found here

The Propagation Loop

SOCIAL ENGINEERING:
     Koobface uses the hijacked account to send enticing URLs to the “walls” of the account holder’s friends, as well as posting another URL to its own wall in case one of its friends visits its profile.


     Once one of the account holder’s connected friends clicks the malicious URL, it directs him/her to a page that contains a malicious script.

<script src='[randomname].php'></script>

Here is an example of a page with malicious script:


(The text varies from time to time)

This php file (mentioned above) executes the following malicious code:


     Then, for each IP in the list returned by the script, it tries to access that IP with “/go.js?/” appended.


     Successful access takes the user/account holder to another redirect page, where the user is enticed to download the malicious file disguised as a video codec:

Closing or clicking anywhere on the page will download “setup.exe”
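The redirect chain above (a bare IP address fetched with “/go.js?/” appended, followed by a setup.exe download from the same client) is distinctive enough to hunt for in web-proxy logs. The script below is an added example, not PC Tools' code; the log lines are constructed samples in a simplified “client url” format and use documentation-reserved addresses.

```python
"""Flag the Koobface go.js -> setup.exe redirect chain in proxy logs.

Added example, not PC Tools' code. Log format and sample lines are
constructed; the request pattern comes from the post above.
"""
import re
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url):
    """Return 'go_js', 'setup_exe' or None for one requested URL."""
    parts = urlsplit(url)
    # The script walks a list of raw IPs and appends "/go.js?/" to each:
    # host must be a bare IPv4 address, path /go.js, query starting with "/".
    if IPV4.match(parts.hostname or "") and parts.path == "/go.js" and parts.query.startswith("/"):
        return "go_js"
    # The final redirect page pushes the fake codec installer setup.exe.
    if parts.path.lower().endswith("/setup.exe"):
        return "setup_exe"
    return None


def find_koobface_chains(log_lines):
    """Return clients that fetched go.js from a bare IP and then setup.exe."""
    events = {}
    for line in log_lines:
        client, url = line.split()[:2]
        kind = classify_url(url)
        if kind:
            events.setdefault(client, []).append(kind)
    suspects = []
    for client, kinds in events.items():
        if "go_js" in kinds and "setup_exe" in kinds[kinds.index("go_js"):]:
            suspects.append(client)
    return suspects


# Constructed sample log: one client follows the full chain, two do not.
SAMPLE_LOG = """\
10.0.0.5 http://www.example.com/news/video.html
10.0.0.5 http://www.example.com/randomname.php
10.0.0.5 http://192.0.2.10/go.js?/
10.0.0.5 http://192.0.2.44/go.js?/
10.0.0.5 http://192.0.2.44/setup.exe
10.0.0.7 http://www.example.org/go.js?/
10.0.0.9 http://download.example.net/tools/setup.exe
""".splitlines()

if __name__ == "__main__":
    print("suspect clients:", find_koobface_chains(SAMPLE_LOG))
```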


INSTALLATION:
     Upon execution of the downloaded file, Koobface starts to download and install itself on the user’s machine, running stealthily in the background and waiting for the user to log into Facebook so as to hijack the account and infect another unsuspecting friend.

File Installation:

Koobface drops a hidden copy of itself in Windows Directory (one of the following):
  • %windows%\bill[random chars].exe
  • %windows%\pp[random chars].exe
  • %windows%\fb[random chars].exe
  • %windows%\freddy[random chars].exe

Koobface installs its components:
  • %system%\erokosvc.dll (most probably a random filename)
  • %system%\drivers\imapioko.sys (most probably a random filename)

where %windows% is the windows directory (usually, C:\Windows\)
where %system% is the system directory (usually, C:\Windows\system32)

Registry Installation:

     Koobface creates its own registry entry in order for the malware to be automatically executed upon every boot up.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • sysfbtray = <path of the dropped file mentioned above>

Upon successful installation, the initial file in execution will be deleted, automatically executing and loading the dropped file and its components. The malware will now be running in the background and start its malicious motive—that is, to hijack Facebook accounts, access spam and fake AV sites as well as connecting to its own C&C Server.

INSIDE THE VICTIM’S MACHINE:
     While running in the background, Koobface exhibits some of the following behaviours.

1. Bypassing Captcha
     It first downloads and automatically executes its component files, which are used for bypassing captchas.



     From time to time, it will present a window mimicking the captcha test. The user will be forced to comply with this test since it disables other applications and prompts a message that the machine will shutdown unless a user complies. These “captcha” words will be used for creating accounts and/or sending messages. (More details on Koobface’s ability to resolve facebook’s captcha)


2. Contacting Rogue Sites
     Not only does it propagate, but it also tries to connect to rogue sites and market rogue software to be installed on the victim’s machine, while running in the background.

3. Hijacking Facebook Accounts
     And lastly, the main purpose of this malware: hijacking Facebook accounts for propagation.
     It continues to monitor the computer until a user logs into his/her Facebook account. Once the user is logged in, the malware hijacks the logged-in Facebook account and creates its own session using Facebook Lite.
Then it automatically sends an enticing message that includes the malicious URL to each of the user’s friends, and the propagation loop starts over.

     In time, the user will find out that he/she has sent a message that he/she didn’t send at all.

     Koobface not only sends crafted messages without the user’s knowledge but also publishes an enticing post to the user’s own Facebook wall.

RECOMMENDATION:
     Internet users are encouraged to be vigilant when visiting sites, even those coming from a known source. 

     Affected users are advised to immediately change their Facebook account password. The hijacked credentials may be used again as a vector for malware propagation with more dangerous intent.

     PC Tools detects this malware as Net-Worm.Koobface. It is recommended to make sure that your signature is up-to-date by using Smart Updates to ensure you are protected by current and upcoming web threats.

Monday, March 8, 2010

Malware May Lurk Behind The Turkey Earthquake

Another earthquake has struck, another hot news, and another vector of malware infection.

Scientists may say that these series of earthquakes were just a coincidence and the end of the world is far from beginning.

But in all probability, hours after the news has broken, malware writers will begin their malicious deeds, taking advantage of this hot news through social engineering and Search Engine Optimization (SEO) to spread malware such as bots, Trojans and Rogue AVs.

Internet users should be careful about clicking links and visiting sites that come from unknown sources.

Make sure that your antivirus software is up to date and be ALWAYS vigilant about what you are clicking on and visiting on the internet.

Have a virus free day!

Cheers!

Thursday, March 4, 2010

Exploiting Google

SEO : Search Engine Optimization.

No, it's not another buzz word. It's a technique used by malware authors to propagate their malware. They use one of the most respected search engines today (Google) to make their way into the user's machine. Piggybacking on a prestigious, and highly trusted search engine is an efficient and effective way to reach out to billions of users worldwide.

Rogue AVs usually use this method. They create fraudulent sites (site A) which redirects to another site (site B) which in turn downloads Rogue AVs into the system. The malware industry makes sure that Site A gets a hit during Google search by targeting search queries that are sensational or new, for example, the Haiti earthquake.

In light of this, users are advised to be vigilant when accessing sites. When even Google is used as a medium by malware, blindly trusting returned links is unacceptable.

Virus.Virut takes the spotlight

In this era of spyware, file infectors have little exposure left. Nevertheless, they are still a challenge to antimalware engineers. Years ago, the names Nimda and CIH were famous in both the malware and antimalware industries. These past few years, the spotlight has been on Virut.

Last year we saw an influx of Virus.Virut infected samples. Virus.Virut is, in my opinion, one of the best viruses in a while. Despite the fact that viruses are harmful, I cannot help but admire the work done to create such a virus.

Virut is a polymorphic file infector. What makes Virut different is the fact that it employs all known infection routines: Entry-Point Obscuring (EPO), appending, prepending and cavity. Not only does it employ all these techniques, it can combine them (e.g. EPO + appending, EPO + cavity + appending, cavity + appending). It also has decryption layers, the algorithm of which can change between ADD, SUB, XOR, etc. Both detection and analysis pose a challenge, but one that the antimalware industry has met head-on.

xoxo

Disasterware strikes again, as they call it!

The magnitude 6.4 earthquake has rattled not only Taiwan but internet users as well. It is another opportunity for malware writers to poison the results returned from searches about this disaster. This has become a constant attack every time there is major news, whether an earthquake, a tsunami or any other event that calls for people’s attention. It now seems guaranteed that every news item has an equivalent virus site. This abuse of the infection vector by fake AVs serves as a warning.

Once unsuspecting users click the malicious site, they are redirected to a fake AV online scan page that shows various annoying pop-ups warning the user that his system is infected and vulnerable to attacks. This might lead the user to download and install a Rogue Antispyware such as Security Antivirus. The attackers have used multiple malicious domain names to prevent them from being easily identified. This infection routine is the same as in other reports you might have read in the previous blogs. But despite the awareness campaign, there is still an increasing number of victims who have fallen for this scam and, worse, lost their money.

I have seen a few malicious search results which start with a comma (,) or a dash (-), as in the screenshot above and in this blog. It is advisable to avoid visiting these kinds of search results. Internet users should be very careful in picking which sites to read the latest news from. It is much better to read from reputable sources.