WoW Patch Brings Out the Malware Trolls


By Andrew Brandt


Last week, Activision/Blizzard released a long-anticipated patch for its immensely popular game, World of Warcraft. While I don’t play this game, a number of our Threat Researchers do, and they’ve been on the lookout for shenanigans. Curtis Fechner found a doozy.

The update comprises a major overhaul of many core systems within the game, affecting the graphics engine, game rules, player abilities, and also the interface. Many players use downloadable, player-created add-ons to further customize the appearance of the user interface. Patches as comprehensive as this one mean that many of the old add-ons simply won’t work until the add-on’s creator releases a new version.

So this week’s rush to patch the game and update some add-ons led to some interesting news. One of the add-ons Curtis uses is something called RatingBuster, written by a player who goes by the name WhiteTooth. The add-on, available from a number of locations, typically comes in the form of a .zip archive and contains several plain text files (called LUA files). But earlier this year, someone registered the domain name ratingbuster.org and began serving Trojans from this legitimate-looking Website instead of the RatingBuster add-on.

This fake RatingBuster comes in the form of an executable file named rbv1.4.9.exe — running unknown executables is a big no-no most WoW players know to avoid. This particular executable is a self-extracting RAR archive, which utilities like WinRAR can easily unpack. Inside the archive is another file, a single executable named bot.exe (22794 bytes, MD5: 6831c35e6d19ea0a1e1e9e346368b3e3). This is our malware installer, stored inside the other installer.


Patchy Phisher Forces Firefox to Forego Forgetting Passwords


By Andrew Brandt

Every browser can, at the user’s discretion, be set up to remember passwords. In general, Webroot advises most users not to set the browser to store login credentials, because they’re so easily extracted by password-stealing Trojans like Zbot. In Firefox, for example, you can click Tools, Options, then open the Security tab, and uncheck a box that tells the browser to remember passwords entered into Web forms. (The box is checked by default.)

But in the course of taking a more thorough look at a Trojan that came to our attention in July, we were surprised to see the Trojan modify a core Firefox file. Upon closer inspection, the Trojan patches a file named nsLoginManagerPrompter.js. The patch adds a few lines of code (displayed above), and comments out other portions of code, that dictate whether Firefox prompts the user to save passwords when he or she logs into a secure site.

Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user.


Fake Flash Update Needs Flash to Work


By Andrew Brandt


If you live in the US, you may have played sports, barbecued, or enjoyed the last long weekend of the summer doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course.

I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to using a new domain as the dead drop for credentials stolen by the Koobface password stealer payload: m24.in, the Web site of some sort of media company based in India. The behavior I saw by the keylogger was virtually identical to that used by the Migdal variant, reported in a previous post. The payload is even named m24.in.exe, just like the Migdal payload was named after the domain where it posted stolen passwords.

It’s been a while since the worm changed its primary method of infection: For nearly its entire existence, Koobface has spread by manipulating the social network accounts of infected users so it appears the user posted a link to a video. Of course, the worm does the posting in the name of the user, and the link points to a page which purports to be some sort of streaming video, but actually pushes the malware on anyone who visits.

And, in order to take on the appearance of a real online video, it uses Flash.


Pro-Israel Website Receives Passwords Stolen by Koobface


By Andrew Brandt


Is the team behind the Koobface worm taking a stance on the Israeli-Palestinian peace talks, or is this notorious worm’s most recent, bizarre twist just a coincidence?

We’ve seen Koobface hijack legitimate Web sites for more than a year, using them not only to host malicious payload files, but also to work as proxy command-and-control servers for the botnet. One such hijacked Web domain, migdal.org.il, popped up in a number of blog posts and on Web sites which list the domains used to host malware, as far back as this past May, when the Koobface crew began using a slew of new hijacked servers as distribution points for its malicious files.

And since the summer, Koobface has been delivering a password stealing Trojan among the several payloads it brings down to an infected computer. That Trojan’s name is migdal.org.il.exe, and the stolen passwords it scrapes from infected computers are sent right back to the migdal.org.il Web server, which is physically located at an ISP in the UK.

Migdal also seems to be (if you can believe the content posted to the Web site) a French Jewish organization that provides aid and resources to Israeli children and border guards, and whose leadership opposes many of the Israeli concessions that Palestinian negotiators have requested during the long peace process. Have the Koobface gang gone political, or are they just capitalizing on a convenient situation with an abandoned Web site?

(Update: The site went down on September 3rd, the day after this post went live. Thanks, helpful ISP who shall remain nameless.)


A Cave Monster from Hell Wants Your Financial Data



By Andrew Brandt

A novel and pretty sneaky Trojan designed to steal financial data appeared on our radar screen last week. The Trojan, once installed on a victim’s computer, rootkits itself to prevent detection, then watches the victim’s browser for any attempt to connect to the secured, HTTPS login page of several online banks. When the victim visits the login page the Trojan has been waiting for, the Trojan generates a form that “hovers” over the login page asking for additional verification information.

“In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts online,” reads the popup window. Everybody needs extra security, right?

Of course, the additional information that the bank appears to be asking for is all information the bank already should have if you have an account there: the number on your credit and debit cards; a Social Security number; your date of birth and mother’s maiden name; the PIN code for your debit card and the security code printed on the front of any credit card issued by the bank.

The problem is, the form completely blocks the full page, preventing you from logging in — until you fill in all the fields in the form it displays. Then it sends that information (encrypted with SSL, mind you) to a server at the IP address 121.101.216.234, part of the address space allocated to Beijing Telecom.

Your bank may outsource some of its customer service tasks, but stealing your financial identity isn’t part of the normal services your bank provides.


“Fingerprint” Helps Identify Malware Authors


By Andrew Brandt


The Threat Research group sat in on a talk by HBGary CEO Greg Hoglund yesterday, in which the frequent conference speaker discussed some research he’s been doing over the past year that he hopes will help connect malware samples to known groups of malware creators. While that sounds promising for law enforcement, it’s actually not as helpful for tracking down originators of malware for prosecution as it is for security researchers to preliminarily group and classify the masses of outwardly dissimilar Trojans we see every day.

In most conventional methods of classification, researchers look for programmatic similarities or behavioral characteristics as a way to group similar pieces of malware into definitions, which then simplify the task of an antivirus tool to clean up an infection. In Hoglund’s talk, he proposed another set of criteria antimalware researchers can use to make these kinds of classifications: the “tool marks” left behind inside of malware samples as a result of compiling tools, languages, and even sloppy coding habits employed by malware creators.

On a technical level, Webroot’s Threat Research team has been using these “tool marks” as guides for some time when they perform manual analysis of malicious files. Hoglund’s talk introduced a tool he created, called Fingerprint, which can process a malware file and, in an automated fashion, provide malware researchers with simplified output they can then add to a database. With a sufficiently large sample set, surprisingly good clustering seems to appear, as shown in the photograph above, which is a snapshot of one of Hoglund’s slides.

While the characteristic “tool marks” alone are probably not sufficient to establish that an arbitrary, unknown file is malicious, they can be a good indicator that the unknown file is related — possibly in several significant ways — to files that have been established to be malicious. It is this predictive ability of the fingerprint that may be its greatest strength… at least, until the malware authors catch on and strip this identifiable information out of their files. For the meantime, however, laziness on the part of malware creators, and the difficulty of completely re-coding new malware, mean identifiable tool marks should persist for a while, which means this fingerprinting method may remain effective for some time.
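The kind of grouping described above, as an added example that is not Hoglund’s Fingerprint tool or Webroot’s own code: a few constructed byte blobs stand in for binaries, simple regexes pull out “tool marks” (a compiler banner, the build directory left in a PDB path, and author-specific leftover strings, all of which are assumed here), and samples whose mark sets overlap enough are clustered together.

```python
import re
from itertools import combinations

# Constructed stand-ins for binaries, carrying the kinds of tool marks a
# compiler, linker and sloppy author leave behind. Not real samples.
SAMPLES = {
    "sample_a": b"MZ\x90\x00GCC: (GNU) 4.4.1\x00c:\\work\\bot\\Release\\bot.pdb\x00k3yl0g_init\x00",
    "sample_b": b"MZ\x90\x00GCC: (GNU) 4.4.1\x00c:\\work\\bot\\Release\\dropper.pdb\x00k3yl0g_init\x00",
    "sample_c": b"MZ\x90\x00Borland C++ - Copyright 1999\x00d:\\src\\x\\Debug\\x.pdb\x00pwnd_str\x00",
    "sample_d": b"MZ\x90\x00GCC: (GNU) 4.4.1\x00lolz_done\x00",
}

# Assumed mark patterns: compiler banner, the directory part of an embedded
# PDB path, and a (constructed) vocabulary of author-habit strings that in
# practice would be harvested from previously analysed samples.
MARK_PATTERNS = {
    "compiler": rb"GCC: \(GNU\) \d+\.\d+\.\d+|Borland C\+\+ - Copyright \d{4}",
    "build_dir": rb"[A-Za-z]:\\[^\x00]*?\\(?=[^\\\x00]+\.pdb\x00)",
    "habit": rb"(?:lolz|pwnd|k3yl0g)[A-Za-z0-9_]*",
}

def extract_marks(blob):
    """Return the set of (category, value) tool marks found in a byte blob."""
    marks = set()
    for category, pattern in MARK_PATTERNS.items():
        for match in re.finditer(pattern, blob):
            marks.add((category, match.group(0).decode("latin-1")))
    return marks

def jaccard(a, b):
    """Overlap between two mark sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster(samples, threshold=0.5):
    """Single-linkage grouping: samples whose mark sets overlap at or above
    the threshold end up in the same cluster (union-find over pairs)."""
    marks = {name: extract_marks(blob) for name, blob in samples.items()}
    parent = {name: name for name in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(samples, 2):
        if jaccard(marks[a], marks[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print("cluster:", ", ".join(group))
```

With the constructed input, sample_a and sample_b share a compiler, build directory and habit string and cluster together; sample_d shares only the compiler banner with them and stays separate, which is the “not sufficient on its own” point made above.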

Weird Malware on Display at Black Hat


By Andrew Brandt


I’m at the Black Hat Briefings this week, the annual confab of the best and brightest in computer security, catching up on the trends and tricks malware authors and data thieves employ. I just saw an impressive demo by a pair of security researchers who took a deep dive into the behaviors of four pieces of highly targeted malware.

The researchers, Nicholas Percoco and Jibran Ilyas of Trustwave, ran a live demonstration of four Trojans designed to steal sensitive information and surreptitiously exfiltrate that data to the criminals. Three of the Trojans had been found installed on the servers of retail businesses, and capture credit card information — including the magnetic stripe data recorded by point-of-sale devices (i.e., cash registers). The fourth Trojan, found on the computers of a large military contractor, was designed to steal any files in the My Documents folder, as well as any saved passwords on the system.

Of note was the highly targeted nature of the Trojans. In the case of the military contractor, for example, the criminals had obviously done their research, because the attack had targeted several high-level executives within the firm. According to the researchers, the attack started when a maliciously crafted Adobe PDF file was emailed only to the executives in a forged message that appeared to come from the CEO of the company. The forged message even included the CEO’s customized mail “signature” and the message text sounded convincingly similar to the language the CEO might have used.

Most importantly, all four Trojans did an outstanding job of remaining undetected for a significant period of time, which gave them more time to get the job done. Although one Trojan, which used a rootkit driver, had a tendency to “blue screen” their test machines, even a crash might not alert a victim that their computer hosts an infection. After all, Windows can crash for all kinds of reasons, and a crash isn’t necessarily an indication of a malware infection.

I’m looking forward to seeing more talks from other researchers over the course of the coming week. Of particular interest is a talk being given by Greg Hoglund about identifying the perpetrators of malware infections and even the creator(s) of widely distributed types of malware.

Beware Spam With HTML Attachments


By Andrew Brandt


When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well.

But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! Case in point: this doozy that came through our spam bucket last week.

The message subject reads Your Funds Will Be Transfered and the body helpfully informs the recipient that I am able to complete the funds transfer late night — I hope that doesn’t mean someone sent Jimmy Fallon $28,126 from my bank account. It continues, Copies of the payment is being attached, and the message indeed has an attachment named Copies of the payment.htm which I can open and…

…uh oh. That’s where the trouble begins.

The end result: three pieces of malware installed; two password-stealing copies of the Zbot phishing Trojan, and a remote-access backdoor to boot. Considering Zbot’s propensity for stealing bank account logins and other sensitive credentials, I suppose the subject line was correct after all. Your funds will be transferred. Just not where you thought.


WoW Expansion Beta Likely to Spawn Phishers, Scams


By Andrew Brandt


Blizzard’s announcement today that they will begin a closed beta-test for the latest expansion pack is likely to generate a lot of excitement among that particularly low breed of online criminals who steal the fruits of other people’s entertainment when they commandeer passwords for other players.

While it’s hard to believe that most players of online games aren’t aware of the profusion of phishing sites attempting to steal logins, the problem clearly isn’t going away, so the warnings remain the same: keep a close eye on your browser’s address bar, and make sure you’re really logging into Blizzard’s Web site, and not some phishing creep’s trap.

If history serves, they’ll try to lure you with false promises of getting access to the beta. Don’t fall for the trap.

(Tip ‘o the hat to Threat Research Analyst Curtis Fechner for the breaking news tip.)

Keylogger Poses as Document from Spain’s Central Bank


By Andrew Brandt


An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents.

A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible.

The page, designed to mimic closely the appearance of the Spanish central bank’s Web site, was very much a clone of the previous fake-bank pages used to foist Zbot onto victims.

Previous campaigns of this type targeted, primarily, North American victims by spoofing the Web sites belonging to Visa, Bank of America, the FDIC, the American Bankers Association, NACHA, the IRS (and its British equivalent), as well as Amazon.com, iTunes, Facebook, MySpace, AOL, the Centers for Disease Control and Prevention, and many others.
