A new Trojan quietly circulating in the wild uses components from a commercial optical character recognition (OCR) application to decode captchas, those jumbled-text images meant to help a website discern human activity from automated bots.
The OCR-using captcha breaking tool is just one component of the Trojan. Its main purpose appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns originating in the US, and it uses the OCR-cracking software in order to read the captchas and submit the form entries, on pages where the website presents a captcha to the user.
And this is not just any captcha-cracka, but a Swiss Army Knife of sorts. The maker of the “Advanced Captcha Recognition Engine” tool, based in China, claims that the tool is capable of bypassing more than 30 different captcha systems, including those used by Yahoo, MSN, and some of the largest portal sites and banks in China.
The captcha decoding tool itself is a kludge, marrying some bespoke files and components expropriated from an older version of a commercial optical character recognition (OCR) suite called TOCR. The UK-based company that makes the TOCR software, Transym Computer Services, also licenses its components to third parties, though it’s not clear they knowingly have a relationship with the Chinese captcha cracker maker, nor were they aware that parts of their engine was repurposed for sale to Chinese malfeasants. The files appear to have been stolen or pirated, and used without Transym’s knowledge.
We’ve just tallied the top 10 threats Webroot’s consumer products detected during the month of April, and some interesting trends appear to be shaping up.
Conficker aside, the first quarter of 2009 seemed to be dominated by worms that spread not only over a network, but to virtually anything you can plug into a USB port to store files. Thumbdrives and portable hard drives immediately come to mind, but so do MP3 players, digital picture frames and memory cards — like the kind you’d use in cameras, cellphones, or videogame players.
April proved to be no different. It’s very much a case of what’s old is new again, reminiscent of the era when sharing an infected floppy disk could wreak havoc.
We’re also seeing malware distributors still trying to use old vulnerabilities to try to infect computers. Even JPEG image files containing the MS04-028 vulnerability code — a bug that was fixed in Windows four and a half years ago, are still floating around the net trying to take advantage of older, unpatched system, as are scripts attempting to exploit the ADODB.Stream vulnerability. If you ever needed a reason to run Windows Update, this is it.
Over the past year, we’ve seen a huge jump in the number of mass downloader spyware. These small executable files have just one job, and they do it very well: They pull down huge numbers of additional installers, which in turn place a large number of password stealing Trojans, ad-clickers, and still more downloaders on the unfortunate victim’s PC.
The trend appears to be that most of the servers from which these phishing Trojans originate are registered within China’s .cn top-level domain, and the phishers themselves target (mostly) the login details for online multiplayer videogames played, primarily, in China, and in some cases, more widely in Asia.
Putting aside the rationale for what the phishers target (the goal may be purely financial, but that’s a discussion for another time), what’s really interesting is how the techniques to massively infect a victim’s PC have evolved, possibly to avoid network-based signature detection techniques that can identify Windows executable files while they’re traveling over the wire. It also seems that the various groups appear to compete with one another, even going so far as to block the domains used by competing groups’ downloaders once they’ve infected the machine.
So not long ago, another interesting mass downloader development seemed to drop into my work queue. These downloaders pull down bitmap images — not just executables with a different file extension, but real graphics files — then convert the color data into binary code, which transforms the data in the picture file into a small executable phisher installer. Continue reading →
Late last year, we read all the buzz about ChromeInject, a malicious DLL that was being billed as the first malware specifically targeting Firefox. It was interesting to see that someone built a phishing Trojan for a different browser platform, but ChromeInject was also clearly an early phase in Firefox malware development: It was fairly obvious, and it was easy to eliminate, because it generated an entry in the Plugins menu called “Basic Example Plugin for Mozilla” which you could simply disable with a single mouse click.
Well now it looks like the bar’s been raised. In the past few weeks, we’ve seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn’t due to any problem or negligence on Mozilla’s part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target.
Last year, we at Webroot (as well as many other people) saw a huge spike in two specific types of malware: Rogue antispyware products — the ineffective, deceptive kind — and the various tricks the companies that sell rogues use to trick you into downloading (and eventually buying) their bogus products, something we refer to, generally, as Fakealerts.
Here’s usually how the trick works: First, you’re fooled into browsing to a Web site which employs any of a number of tricks to install the Fakealert code onto your PC. The Fakealert then begins popping up messages warning you about some sort of infection in the System Tray, or in dialog boxes, and/or by opening browser windows to pages that look uncannily similar to control panels or dialog boxes used by Windows XP and/or Vista. Later, after you’ve been provided a smoke-and-mirrors “free scan” of your system (which, of course, reports all kinds of salacious and undesirable “detections”), you’re directed to a page where, for just $59 you can be rid of your spyware problems forever.
The tricks these guys employ get more creative with every new iteration. We’ve seen them drop hundreds of junk files on a hard drive, which are then “detected” as infections; install screensavers that look just like your computer is going through Blue Screen of Death convulsions; and run every dirty trick and cheap gimmick to get a sale.
So it came as no surprise when we encountered yet another Fakealert — we decided to call it Adware-Loserbar — that leads, eventually, to a rogue product. What set this one apart was its sheer gall — and a few new tricks we hadn’t seen before.