Tag Archives: Trojan-Pushu

New Bank Phisher Brings Added Functionality, Problems

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

I didn’t want to let too much time pass before I wrote about a new Zbot-like bank phishing Trojan variant that came across my desk last week. The keylogger started arriving the first week of February as an attachment to a spam email designed to look like it came from United Parcel Service. No, the old malware trope of spammed shipping invoices is not dead yet, Alice, but we’re going to follow this one down the rabbit hole anyhow.

The brief message had a Subject line of “United Parcel Service notification” followed by a random, five-digit number, and a file named USPS_Document.zip attached to the message. Why spammers seem to confuse the US Postal Service with UPS eludes common sense, but I think it has been made abundantly clear by now that, by and large, the people who send these kinds of files around aren’t the sharpest tacks in the box. The HTML body of the message indicated that the .zip file contains a tracking number, but that’s just part of the ruse.

The Trojan is readily identified by its appearance. It uses an old Adobe PDF document icon, but the programmers picked a version of that icon with an X drawn over the top. D’oh. The file also throws an error when run in a virtual machine that forces the VM to bluescreen, but that didn’t affect our ability to analyze the file. We could execute it and observe its behavior without a problem. This new Trojan installs services that remain memory resident after the installer has run, dropped its payloads in the Application Data folder, and deleted the original copy of itself.

Continue reading

Keylogger Poses as Document from Spain’s Central Bank

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents.

A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible.

The page, designed to mimic closely the appearance of the Spanish central bank’s Web site, was very much a clone of the previous fake-bank pages used to foist Zbot onto victims.

Previous campaigns of this type targeted, primarily, North American victims by spoofing the Web sites belonging to Visa, Bank of America, the FDIC, the American Bankers Association, NACHA, the IRS (and its equivalent British tax authority), as well as Amazon.com, iTunes, Facebook, MySpace, AOL, the Centers for Disease Control and Prevention, and many others.

Continue reading

Spammed Trojan Won’t Run Under Windows XP

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

While it is far from the first Trojan ever to simply fail to execute under Windows XP, it definitely caught our eye that a variant of Trojan-Downloader-Tacticlol distributed last week in a spam campaign only fully executed under Windows Vista or newer operating systems. It may have been just a fluke, but repeated tests with both a virtual machine and real hardware running Windows XP at various patch levels showed that the Trojan we received attached to a spam message simply quit when executed in an XP environment, but ran smoothly and did all its planned dirty work on a Windows Vista testbed.

The Trojan, which is capable of causing a devastating malware infection, drops a DLL with an odd name made up of random letters into the system32 folder, then registers the DLL so it loads the next time the computer boots up. After a reboot, it kicks into full swing, pulling down a variety of malware installers.

The spam message (we got a bunch of different variations, all with the same attachment) came from a variety of falsified return addresses. The message, with a subject of Statement of fees 2009/2010 contains an utterly incomprehensible body, which reads, in part: “The accomodation is dealt with by another section and I have passed your request on to them today.” It looks very similar to a message I get from the toll road authority here in Colorado that uses electronic toll collection. The real entity emails a statement every so often with an attached PDF, though the real toll road statement doesn’t appear to come from the domains “reclusivebillionaire.com” or “reelsolutions.com.” Nice try, sparky.

More interestingly, though, is the idea that this Trojan, which is so prevalent and widely distributed, may signal the start of a trend where malware authors begin turning away from XP as the dominant operating system they target.

Continue reading

Fake Amazon.com Order Emails Bring a Trojany “Friend”

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

An ongoing campaign where malware distributors use email spam to deliver dangerous programs to unwitting victims has begun to change its tune, switching the scam to incorporate different brands. In the latest scam, the message appears to be an order confirmation from Amazon.com for the purchase of an expensive consumer electronics item, or a contract (spelled, tellingly, “conract“) for expensive home improvement work, purportedly to be done on the recipient’s home.

A few weeks ago, the emails switched from a “shipping confirmation” hook to one which claims the contents of the attachment include a code worth $50 on Apple’s iTunes online store.

The spam messages for several months have included a .Zip compressed attachment. The file inside the .Zip, which looks like a Microsoft Word document, is a malicious program we classify to the definition Trojan-Downloader-Tacticlol.

An extremely dangerous downloader, the Web sites and domains from which Tacticlol (aka Oficla or Sasfis) retrieves its payloads have been remaining online longer than normal. Typically the download site is shut down within a few days, effectively neutralizing the downloader and preventing it from retrieving anything. Recent variants, however, have use Web domains that remain online for weeks or even months.

Malicious sites that remain active only increase the danger that someone who inadvertently opens the attachment a few weeks after the message arrives will still infect their computer.

In addition, the payloads delivered by the download site Tacticlol contacts are being rotated as the days go on. In the initial infection period, within about 36 hours after the spam messages arrive, the download sites deliver a number of different payloads, including the Trojan-Backdoor-Zbot keylogger, the Trojan-Pushu (aka Pushdo) spam bot, and rogue antivirus installers. After a week, the payloads switch to the installers for botnets, which zombify the infected machines and turn them into longer-term hacker workhorses. Recent payloads have included a “dead man switch” which can render the infected computer unbootable.

I’ll discuss the ramifications of opening attachments such as these in an upcoming blog post. Nevertheless, it should be second nature that you avoid opening any attachment that arrives through email unless you can confirm — by telephone, or some other method — that the attached document is legitimate and was deliberately sent to you. Also, train yourself to avoid opening any attachment with an .exe file extension, regardless of its appearance or origin.wordpress blog stats

Trojan Masquerades as iTunes Gift or Résumé

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

If you received one or more email messages over the past week that claim to contain an attached gift certificate for the Apple iTunes store or an unsolicited résumé, you probably received the latest scam involving the Tacticlol downloader.

The iTunes-themed spam messages use the forged return address of gifts.certificate@itunes.com and read, in part, You have received an iTunes Gift Certificate in the amount of $50.00. You can find your certificate code in the attachment below. The resume messages simply say Please review my CV, Thank you! — using the abbreviation for Curriculum Vitae, the British analogue to the word résumé.

The Trojan’s ongoing campaign attempts to trick victims into opening Zip-compressed attached files, which themselves contain an executable installer. The attachments almost always use the icon of a Microsoft Word document, and we usually see the Trojan launch an instance of Word and modify the default document template (named normal.dot) in the course of the infection.

We followed this Trojan down its particular rabbit hole and discovered logs and other files that indicate that, in just one day of operation, the Trojan had infected more than 9000 computers around the world and had begun to download one of three payloads, one of which was immediately identifiable as the prolific spambot we call Trojan-Pushu (aka Pushdo or Cutwail). The other two payloads were a keylogging password stealer, and a rogue antivirus installer.

The campaign is clearly connected to the most recent spamming of something we saw a few weeks ago, in which the message (in hilariously misspelled English) claims the attachment is a recording contract of some kind, with a forged return address of what appears to be a record company. A similar campaign was waged over the past several weeks, in which the recipient was told that the document contains a new password for their Facebook account. However, the end result of opening the alleged iTunes Gift Certificate is no different than opening the Facebook document, the “Conract,” or the shipping label or invoice documents: Instant infection, with the promise of more infections to come.

Continue reading

Getting a “Conract” Doesn’t Make You a Rock Star

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

If you’re a rock-and-roll star, anticipating the imminent arrival of a new recording contract from your lawyer, you can stop reading this post. If you’re not, I’m sorry to be the one to tell you, it was not your hours of practice playing Rock Band, or singing in the shower, that attracted the attention of the music industry. A spammed message, supposedly from a record company, which claims to have a contract attached, is (surprise!) malicious.

The contract, in this case, is no contract at all, but a Trojan that can brick your computer if you run the file inside the Zip archive attached to the message.

We’ve been watching our favorite spam-propagated malware, Trojan-Downloader-Tacticlol (aka Oficla, Sasfis, Fregee, or Losabel). This is its new, extra stupid come-on of the moment. The message appears to come from Rock Out Records and says, in part:

“We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.”

In our tests of the Trojan, it pulls down a number of malicious payloads, some of which modify key Windows files responsible for the operation of the computer. As a consequence of the infection, your computer may not be able to boot up, instead leaving you stuck with a blue screen of despair.

Continue reading

Pushu Variant Spams Hotmail, Cracks Audio Captchas

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages.

The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; It’s spamming through the Hotmail/Live.com Web mail interface. Most interestingly, during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming.

Audio captchas are just what they sound like they are: A voice, often female, reads a sequence of 10 numbers in an artificially noisy background. The purpose is simple: to ensure that a human being, and not some automated process, is entering data into a form. Just as you would type in the scrambled-up letters from a captcha image to proceed, with an audio captcha you have to type the correct numbers from the recording, or the site won’t let you continue.

That doesn’t seem to be a problem for this Pushu variant. We’ve seen Trojans attempt to crack visual captchas a number of ways, including using optical character recognition; employing a mechanical turk service (where humans are paid fractions of a penny for each correctly entered captcha); or by prompting the victim him- or herself to enter captcha text, disguising the captcha form as some sort of Windows prompt. This is the first time I’ve heard of a Trojan attempt to crack the audio captcha, let alone succeed.

Continue reading