
CA Community


December 2009 - Posts

The ‘Christmas Day Bomber’ Blackhat SEO

Published: December 29 2009, 09:36 AM | no comments
by Akhil Menon

On December 25th 2009, a young Nigerian, Umar Farouk Abdul Mutallab, boarded Northwest Airlines Flight 253 from Amsterdam to Detroit. Various news channels and websites later reported that he allegedly tried to detonate an explosive on board and claimed to have done so under the instructions of Al-Qaeda. No sooner had this report started spreading than malware authors, who keep a close watch on the latest news events worldwide, appear to have turned it to their advantage.

It is very likely that someone looking for more information on this event would perform an online search for the name of the alleged bomber, Umar Farouk Abdul Mutallab. Currently this search returns many links relating to the event. However, among the first few results are maliciously crafted web links that redirect the user to Fake Scan pages, which in turn attempt to trick the user into downloading and installing Rogue Security Software on their machine. One such Blackhat SEO attack is illustrated in the following pictures:


The malicious binary “WinProtectionUpdate_15.exe”, if allowed to run, downloads Rogue Security Software called Total PC Defender, which CA products detect as Win32/TotalPCDefender variants.

[Figure 4] illustrates a few of the malicious links and Fake Scan pages discovered with the search. At the time of writing, an interesting aspect of this Blackhat SEO attack is that more than one Rogue Security Software is being pushed onto the unsuspecting user. The other Rogue Security Software installers found being downloaded onto the CA ISBU lab machine belong to PC Live Guard and Security Tool [Figure 5], which CA products detect as Trojan Win32/PCLiveGuard and Win32/SecurityTool variants respectively.


It was also noticed that certain other search keywords such as “Flight 253”, “Delta Flight 253”, “Countess Vaughn Myspace”, “Courtney Freil Maxim”, “After Xmas Sales Laptop” etc. return malicious links that also redirect to some of the Fake Scan Pages discovered while investigating this Blackhat SEO attack. These search terms appear unrelated to each other and hence may cause more harm, since they reach a wider audience of people searching for different things on the Internet.

Kindly be wary of such attacks while searching for more information on hot news events. As always, we recommend that you exercise extreme caution while surfing the net and always keep your CA products up-to-date with the latest signatures.


By: Akhil Menon
Akhil Menon – Security Researcher, CA: Akhil joined CA in January 2007 and works in the CA India Technology Center. The satisfaction experienced by Akhil when he helped troubleshoot and fix his friends and relatives’ infected computers inspired him and influenced his choice to become a security researcher...

You Have Received a Christmas Greeting Card from Fruspam

Published: December 23 2009, 07:08 PM | no comments
by Zarestel Ferrer

CA ISBU has found a new variant of Win32/Fruspam. This family of malware is known to send spam mails disguised as coming from a legitimate sender, with the malware file as an email attachment.

Previous themes used for these social engineering attacks were “Twitter invitations”, “hi5 invitations”, “Amazon shipping update” and “Hallmark holiday e-cards”. Please see the related blog entry here.

This Yuletide season is no different; Fruspam sends spam mails with the following details:

From: e-cards@123greetings.com
Subject: You have received a Christmas Greeting Card!
Message:

You have just received a Christmas greeting card!
To see your custom card and who sent it, please check the attachment.

Attachment: Christmas Card.zip 

[Figure 1: Sample spam mail coming from Fruspam]

CA detects this malware as Win32/Fruspam.BH.

Once this malware executes on your system, it will send the same spam mail to all of your address book contacts. We do not want that to happen.

[Figure 2 – Win32/Fruspam malware file]


In case you receive a similar email, please do not open or execute the attachment.

Please take extra precautions when opening attachments from unsolicited emails this holiday.


CA ISBU wishes you all a Happy Christmas!


Related entries

Invitations from Fruspam

In the Wild: Win32/Fruspam Using American Greetings

‘Tis the Season to be Extra Aware of Malware


By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...

Different Ransom Notes, Same Keygen Logic

Published: December 17 2009, 01:42 AM | no comments
by Zarestel Ferrer


Last month we covered a piece of ransomware that activated when limited-time free access to a video expired. We have found some more of the same, but with a different ransom note and different SMS contact numbers.

Please see the images below.

[Figure 1 – Win32/RansomTableLock ransom note]

Rough English Translation

--------------------------------------------------------------------------------------------
You have been given a test (6 hours) free access to view the video.
 
Remember that by agreeing to the rules of free trial access, you are under
user agreement, pledged to pay the full monthly access, within
6 hours after the provision of free access

6-hour period since the provision of free access has expired.

Notification will be appearing until no payment will be made

To pay, send SMS

with the text of 590909484 to the number 9691

Enter the received code _____

Warning! Failure to pay may harm your computer.

Accompaniment: uacontroller {dot} com

--------------------------------------------------------------------------------------------


[Figure 2 – Win32/RansomTableLock ransom note]

Rough English Translation

--------------------------------------------------------------------------------------------

Notification to pay

You have been given a test (1 hour) free access to view the video.
 
Remember that by agreeing to the rules of free trial access, you are under the user agreement, pledged to pay the full monthly access, within 1 hour from the moment the trial free access.

1 hour from the time of the trial of free access has expired.

Notification will be appearing until no payment will be made

To pay, send SMS

with the text of 592112535 to the number 5155

Enter the received code ___________

Warning! Refusal to pay, and any action related to an attempt to cheat the system may harm your computer and cause the loss of important information

Accompaniment: uacontroller {dot} com
--------------------------------------------------------------------------------------------

Similar to the previous ransomware we discussed here, this variant attempts to extort money from users of infected systems in exchange for removing the malware from their machine.

The good news is that the key generation logic for these Win32/RansomTableLock variants remains the same, so the keygen tool we created still works for these latest ones.


You can get the RansomTableLock keygen here.

However, if you think you have spotted a variant that is unsupported by this tool, please feel free to send the sample to virus@ca.com with “ransomware” in the subject and/or the message body. This will help us track your submission as specific to this kind of threat.

Additional Information

This ransomware usually has the filename “install_flash_player.exe” and an icon similar to the Flash installer (please see Figure 3).

[Figure 3 – Win32/RansomTableLock disguising as a legitimate filename and icon]

CA ISBU advises you to obtain the latest software updates and installers from legitimate sources, namely the companies that develop the software.

Detection for the ransomware discussed is covered in the following detection names: Win32/RansomTableLock.B; Win32/RansomTableLock.C; Win32/RansomTableLock.D; and Win32/RansomTableLock.E.

Related posts

Make Sure You Have the Correct and Current Adobe Updates


By: Zarestel Ferrer

Bredolab, Cutwail and Zbot Christmas Function

Published: December 16 2009, 05:49 AM | 1 Comment(s)
by Zarestel Ferrer

Recently, Win32/Bredolab launched another spam run using old themes like “Facebook Password Reset Confirmation” and “DHL Customer Services Response”. Social engineering has been an effective way of distributing new malware samples, especially this Christmas season, when most of us are expecting presents, e-cards and emails.

[Figure 1 – Spam mail samples containing Win32/Bredolab]

The attachment in the spam mail is a Win32/Bredolab variant which CA proactively detects as Win32/Bredolab_G!generic.

During this spam rerun we have again seen these families of malware working side by side to steal personal information and to push other malware onto the infected system. It seems that “divide and conquer” really works for these guys.
[Figure 2 – Strategic Malware Function]


The Win32/Bredolab family of malware is a downloader. In this case, when the user executes the Bredolab malware it downloads a Win32/Zbot variant from the wapdodoit{dot}ru domain; after a while, Win32/Zbot downloads its configuration file, which contains the location of Win32/Cutwail.

[Figure 3 – HTTP Monitor Log]

Win32/Cutwail’s function is to distribute spam mails carrying the zipped Win32/Bredolab as an attachment to the email addresses dictated by its C&C server.

[Figure 4 – Win32/Cutwail sends spam mail with Win32/Bredolab]
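Both the Fruspam post above (a zipped “Christmas Card” attachment) and the Cutwail spam described here deliver a zipped executable by email. The following Python script, an added example rather than code from the original posts or from CA, shows how a mail gateway or analyst could flag such messages: it parses the message, opens any zip attachment in memory, and reports archive members with executable extensions, including double extensions. The message and archive are constructed for the example; the archive holds a harmless text file with an executable-looking name, not real malware, and the extension list is an assumption about what to block.

```python
"""Flag e-mails that carry executables inside zip attachments.
Added example, not CA's code. The sample message is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive inside an unsolicited archive
# (assumed block list for the example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def risky_members(zip_bytes):
    """Return archive members whose names end in an executable extension.
    'Christmas Card.jpg.exe' is caught because only the final extension counts."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                lower = name.lower().rstrip()
                if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                    found.append(name)
    except zipfile.BadZipFile:
        # A corrupt or disguised archive deserves a look rather than a pass.
        return ["<not a valid zip archive>"]
    return found


def triage_message(raw_bytes):
    """Parse an RFC 5322 message and list attachments that warrant blocking.
    The From header is not trusted: Fruspam forges it to look legitimate."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        lower = filename.lower()
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append((filename, "bare executable attachment"))
        elif lower.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            members = risky_members(payload)
            if members:
                findings.append((filename, "zip contains executable: " + ", ".join(members)))
    return findings


def build_sample():
    """Constructed message mimicking the Fruspam lure. The zip contains a
    plain text file with an executable-looking name, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Christmas Card.jpg.exe", "constructed sample, not a program")
    msg = EmailMessage()
    msg["From"] = "e-cards@123greetings.com"
    msg["Subject"] = "You have received a Christmas Greeting Card!"
    msg.set_content("You have just received a Christmas greeting card!\n"
                    "To see your custom card and who sent it, please check the attachment.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Christmas Card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in triage_message(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

The check deliberately keys on the final extension of each archive member rather than on the attachment name alone, since the lure names the archive innocently and hides the executable one level down.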

Win32/Bredolab, Win32/Cutwail and Win32/Zbot are the main malware families working in this strategic operation.
However, we have seen in the past other malware, such as Win32/FakeAV, Win32/Fakealert, Win32/Sipay and Win32/Hiloti, being pushed onto infected systems as well.

We advise users to avoid executing attachments from unsolicited emails and to keep their CA security product updated.

Please also have a look at our Top Ten Safety Reminders this holiday season.


By: Zarestel Ferrer

Adobe PDF 0-Day In-The-Wild

Published: December 15 2009, 11:43 PM | no comments
by Methusela Cebrian Ferrer

Adobe recently released security bulletin APSA09-07, confirming a critical vulnerability (referred to as CVE-2009-4324) in Adobe Reader and Acrobat 9.2 and earlier versions for all platforms, including the Windows, Macintosh and Unix operating systems.

This 0-day vulnerability was spotted in-the-wild, and an earlier report indicates that a maliciously crafted PDF (400,918 bytes) arrives via an email sent only to its targeted victims.

Investigation of the specially crafted PDF code shows that vulnerable users can easily be exploited, allowing a remote attacker to execute arbitrary code on the victim's machine.



Figure 01 – As highlighted, this instruction shows the attacker exploiting the newPlayer() method of the Doc.media object and thereafter executing the payload

Cyber criminals may take advantage of this exploit and utilize it for the massive distribution of threats using drive-by attacks. The most widely exploited Adobe PDF vulnerabilities that are still prevalent and currently in use are “Collab.getIcon” (referred to as CVE-2009-0927), “util.printf” (referred to as CVE-2008-2992) and “Collab.collectEmailInfo” (referred to as CVE-2007-5659). [Read our recent related post]
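As an added illustration (not code from the original post or from CA), the following Python script shows how a defender can statically triage a PDF for the auto-run triggers and the JavaScript API names listed above, including the Doc.media newPlayer() method behind CVE-2009-4324. It inflates FlateDecode streams, since script bodies are usually compressed, and undoes the #xx hex escape that PDF names allow, which is a common way to hide /JavaScript from naive string matching. The PDF bytes built by build_sample() are constructed for the example and contain only the method name, not any exploit; the trigger list and verdict rule are assumptions about what a scanner should flag, not CA's detection logic.

```python
"""Static PDF triage for JavaScript auto-run triggers and the API names
cited in the post. Added example, not CA's code. The sample PDF built by
build_sample() is constructed and carries a method name only, no exploit."""
import re
import zlib

# Name tokens that let a script run when the document opens
# (assumed indicator list for the example).
TRIGGER_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")

# JavaScript API names cited in the post, keyed to the CVE the post gives.
SUSPICIOUS_APIS = {
    b"media.newPlayer": "CVE-2009-4324",
    b"Collab.getIcon": "CVE-2009-0927",
    b"util.printf": "CVE-2008-2992",
    b"Collab.collectEmailInfo": "CVE-2007-5659",
}


def inflate_streams(data):
    """Append the inflated content of every FlateDecode stream to the raw
    bytes. Streams that fail to inflate (other filters, damage) are skipped."""
    decoded = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            decoded.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(decoded)


def normalize_names(data):
    """Undo the #xx hex escape allowed in PDF names, so /J#53 is read as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Report which auto-run triggers and risky API names appear in the PDF."""
    text = normalize_names(inflate_streams(data))
    # Require a non-letter after the name so /JS does not match /JSomething.
    triggers = [t.decode() for t in TRIGGER_NAMES
                if re.search(re.escape(t) + rb"(?![A-Za-z])", text)]
    apis = {api.decode(): cve for api, cve in SUSPICIOUS_APIS.items()
            if api in text}
    if triggers and apis:
        verdict = "suspicious"
    elif triggers or apis:
        verdict = "review"
    else:
        verdict = "clean"
    return {"triggers": triggers, "apis": apis, "verdict": verdict}


def build_sample():
    """Constructed PDF: an OpenAction pointing at a compressed JavaScript
    stream that merely names the vulnerable method. /JavaScript is written
    with a hex escape to show why normalization matters."""
    script = b"// constructed marker only, no exploit\nvar p = this.media.newPlayer;"
    body = zlib.compress(script)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

A hit on a trigger alone is common in benign forms, so the script only calls a document suspicious when an auto-run trigger and one of the cited API names occur together; either on its own is queued for review.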

Thus, we advise users to exercise caution and to follow our recommendations on how to avoid this attack:

1. Prevent your default browser from automatically opening PDF documents.

To do this, open your Adobe Reader by clicking on Start > All Programs > Adobe Reader <x> (where ‘<x>’ is the version).

Once open, click Edit > Preferences > Internet, and uncheck Display PDF in Browser.

2. Disable JavaScript in Adobe Reader and Acrobat.

Click Edit > Preferences > JavaScript and uncheck Enable Acrobat JavaScript.

3. You may choose to install an alternative PDF reader to avoid this threat.

4. Make sure your security scanner is using the latest signature update, and ensure that features like real time scanning are turned on.

CA detections relating to this attack are PDF/Pidief.NQ, Win32/KillAV.PO, Win32/SillyDl.RQQ.


By: Methusela Cebrian Ferrer
Methusela “Meths” Cebrian Ferrer joined CA ISBU in mid 2008 as Senior Researcher leading Internet Security Intelligence initiative. Her focus is proactive research, identifying emerging and prevalent threats to provide strategic security response through product solutions, internal & external awareness...
