Monthly Archives: September 2009

Roman Polanski Arrest Spawns Headline-Hooking Rogues

Posted on by

By Andrew Brandt and Brenden Vaughan

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090928-polanski-fakealert-cropAs we’ve seen for the past several months, a celebrity ended up the top news story, which started a cascade of malware distributors racing to get their driveby pages to the top of search results. Today’s victim/subject is Roman Polanski, the renowned film director arrested on decades old charges of statutory rape. This kind of gossipy, tabloid headline is like candy for rogue antivirus distributors.

20090928-polanski-resultsWe began our search the minute we found out the news, and yes, within about half an hour of the story breaking, the pages began appearing in the search results on various engines. While some of the malicious pages were linked to search terms based on the name of the director, many also reference his victim, Samantha Geimer. The results redirect you into a fake virus scan page, which in turn leads you to a download of Windows PC Defender, a known rogue in the same vein as Antivirus 2010 and the other scam fantivirus tools so popular among Web criminals this year. Trojan-IM.Win32.Faker, indeed.

20090928-polanski-firewall-cropNot only does this rogue pretend to be an anti-malware tool, but it throws a monkey wrench into almost any existing protection, adding Image File Execution Options registry keys that prevent nearly all legitimate free and commercial antimalware tools from running. It also drops a Hosts file which prevents infected computers from contacting 12 payment processing domains associated with Antivirus 2010, and redirects all Google (including nearly 200 international Google domains), Yahoo, MSN, and Bing search results through a server belonging to search-gala.com, whose IP address is geolocated to an ISP in Brampton, Ontario, Canada (go Timberwolves!).

Not content to be a single-solution product, Windows PC Defender is a full faux-suite, offering completely fictitious desktop firewall results as well as antivirus. The rogue uses a modified copy of a free tool called Multi Password Recovery to extract your Windows license and display it in the firewall “alert,” presumably to raise the anxiety level of person who sees the “warning” message. The warning claims that “your computer is making an unauthorized personal data transfer” to an IP address assigned to NASA, which is currently not in use. Because everyone knows NASA wants your Windows license key, for, you know, space missions. amirite? Could an imaginary anti-phishing toolbar be around the corner? Who knows what’s next for these enterprising, though predictable, con artists.

Not to be outdone, distributors of black market drugs began using Twitter to spread ads as well, with an under-140-character tagline promising juicy Polanski-arrest news. We’ll keep an eye on the situation, but it’s probably best to steer clear of links to unfamiliar sites, especially those promising revealing or “previously undisclosed” pictures, movies, or other such nonsense.

wordpress blog stats

One Click, and the Exploit Kit’s Got You

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090918_liberty_effectiveness_cropAfter all the brouhaha surrounding the NYTimes.com website hosting ads which spawned rogue antivirus Fakealerts last weekend, I spent a considerable amount of time looking at so-called exploit kits this week. These are packages, made up of custom made Web pages (typically coded in the PHP scripting language), which perform a linchpin activity for malware distributors. Namely, they deliver the infection to the victim, using the most effective methods, based on parameters which help identify particular vulnerabilities in the victim’s browser, operating system, or applications.

There’s no indication that an exploit kit was used by the attackers in the NYTimes.com incident, but it easily could have gone that way. All an exploit kit needs in order to begin the process of foisting an infection is for a potential victim to visit its specially crafted Web page. The end result is what we call a drive-by download.

According to reports, the code injected into the Times website’s ad calls simply spawned another browser window, which in turn displayed fake alert and virus scan results messages. It wasn’t even a website hack; the site’s ad sales department were fooled into accepting a paid advertisement containing the code.

This time, that browser window was used to trick the site’s visitors into executing, and eventually buying, the rogue product. It could have been far worse.

After spending a day investigating a relatively new package, which calls itself (with a total lack of irony) the Liberty Exploit System, it’s easy to see how something like what was done on the Times website could have led news enthusiasts down a much deeper, scarier rabbit hole.

Continue reading

“Shipping Confirmation” Malware on the Rise

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

fraudemail_cropAs autumn approaches, the world typically sees an increase in the number of online shopping trips, as people take advantage of bargains from late-year sales, and prepare for various holidays. And, right on cue, we’re also seeing an increase in the number of Trojans distributed in the guise of “shipping confirmation” email messages. And these Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.

The Trojan arrives attached to a vaguely-worded email message thanking the recipient for their order of a high-ticket item. Previous versions of this same kind of message were crafted as though the message source was one of the major shippers, such as FedEx, UPS, DHL, or the US Postal Service, and the message (purportedly) contains tracking information.

fraudemail_fileBut these new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet. These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to “print the label to get your package.”

Um, wait, what? Why would I need to print a label to receive a package? That makes no sense whatsoever. Do the malware authors think we’re dumb, or what? No, don’t answer that, because we’re not dumb. They’re using psychology against us.

Continue reading

‘Koobfox’ variant digs for Firefox cookies

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

koobfox_stringsA new variant of the Koobface worm started striking out this week, with a twist: Where the older Koobface would steal and use the cookies saved by Internet Explorer which store social network logins in order to spread its infectious messages in the victim’s name, this new variant is pulling down a tool designed to steal credentials saved by Firefox (in the form of cookies and stored passwords). Users of the Firefox browser were, until now, able to thwart the pernicious spy’s ability to hijack a victim’s social network accounts, because the two browsers store their cookies in different locations, and in different formats.

We got wind of the new variant as we saw the characteristic links spreading through various networks yesterday. In our early tests, the worm exhibited similiar skill at spreading over multiple networks: In addition to Facebook, the MySpace, Hi5, Friendster, Tagged and Netlog accounts we use for testing its behavior were used to spread malicious links, posted either to the victim’s “wall” or status, or as messages sent to all of the account-holder’s friends.

Using a well-documented hack to access the Firefox cookie file, the payload (appropriately named ff2ie.exe) looks for a copy of the file sqlite3.dll on the victim’s hard drive, then uses the functionality of that file to pull social network cookie information from the Firefox cookie database (as shown in the screenshot, above), and write an Internet Explorer cookie containing all that information. With the IE cookie(s) in place, the rest of the Koobface payloads work as they did before.

The worm continues to query the download server for payloads targeting 10 social networking services, but for an undetermined reason, it only delivered six targeted payloads. We also saw that, instead of downloading the executable payloads directly, the worm downloaded installers, each of which place various payloads in the Windows folder, then self-delete.

Continue reading