
More on Rogue Security Software’s Multi-Language Support

Published: February 09 2010, 11:01 PM | no comments
by Zarestel Ferrer

In a previous blog post, “Rogue Security Software “SysDefenders” Supports Multiple Languages”, we discussed rogue security software that supports five languages: English, French, German, Italian and Russian.

Newer fake security software variants are starting to support more than five languages. The sample described here goes by many different names because it builds its product name from a template, based on the infected system’s Windows version.

Below are the formats it uses, where <OS version> is XP, Vista or Win7.

  • <OS version> Antispyware 2010
  • Antivirus <OS version> 2010
  • <OS version> Guardian 2010
  • <OS version> Guardian
  • <OS version> Defender 2010
  • <OS version> Antivirus
  • <OS version> Antivirus 2010
  • <OS version> Antivirus Pro
  • <OS version> Antivirus Pro 2010
  • <OS version> Internet Security
  • <OS version> Internet Security 2010

For example, the “<OS version> Antivirus 2010” template yields XP Antivirus 2010, Vista Antivirus 2010 or Win7 Antivirus 2010.
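As an added example (not code from the original post or from CA), the following Python expands the template above into the full set of 33 product names and compiles one matcher that a scanner or log search could run over window titles or the DisplayName values of Uninstall registry keys. The sample strings are constructed here, not taken from an infected system.

```python
"""Matcher for the templated product names used by this rogue security software.

Added example, not code from the post or from CA. It expands the 11 name
templates over the three OS tokens (33 names) and compiles one regex that
finds any of them in free text, e.g. a window title or the DisplayName of an
Uninstall registry key. All sample strings below are constructed.
"""
import re

OS_TOKENS = ("XP", "Vista", "Win7")
# The templates listed in the post; "{os}" stands for <OS version>.
TEMPLATES = (
    "{os} Antispyware 2010",
    "Antivirus {os} 2010",
    "{os} Guardian 2010",
    "{os} Guardian",
    "{os} Defender 2010",
    "{os} Antivirus",
    "{os} Antivirus 2010",
    "{os} Antivirus Pro",
    "{os} Antivirus Pro 2010",
    "{os} Internet Security",
    "{os} Internet Security 2010",
)


def expand_names() -> set[str]:
    """Every concrete product name the template can produce."""
    return {t.format(os=o) for t in TEMPLATES for o in OS_TOKENS}


def build_pattern() -> re.Pattern:
    """One case-insensitive regex matching any expanded name.

    Alternatives are ordered longest first so that "XP Antivirus Pro 2010" is
    reported whole rather than truncated to the shorter "XP Antivirus"; any run
    of whitespace between the words is accepted.
    """
    names = sorted(expand_names(), key=len, reverse=True)
    alternatives = "|".join(
        r"\s+".join(re.escape(word) for word in name.split()) for name in names
    )
    return re.compile(r"(?<![a-z0-9])(" + alternatives + r")(?![a-z0-9])",
                      re.IGNORECASE)


PATTERN = build_pattern()


def find_rogue_names(text: str) -> list[str]:
    """Return the rogue product names found in text, as they appear in it."""
    return [m.group(1) for m in PATTERN.finditer(text)]


# Constructed sample strings, not taken from a real infected system.
SAMPLES = [
    "DisplayName: Vista Internet Security 2010",
    "Antivirus Win7 2010 - Unregistered version",
    "XP Antivirus Pro 2010 Alert",
    "Microsoft Security Essentials",
]

if __name__ == "__main__":
    print(len(expand_names()), "names")
    for s in SAMPLES:
        print(f"{s!r:50} -> {find_rogue_names(s)}")
```

Ordering the alternation longest-first matters: with the shorter names first, the regex engine would stop at “XP Antivirus” and the longer product name would never be reported.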

This rogue security software supports 19 languages, which widens its reach well beyond English-speaking users.

  1. English
  2. German
  3. Italian
  4. French
  5. Swedish
  6. Spanish
  7. Portuguese
  8. Norwegian
  9. Korean
  10. Indonesian
  11. Czech
  12. Polish
  13. Greek
  14. Japanese
  15. Turkish
  16. Slovak
  17. Malaysian
  18. Dutch
  19. Thai

This widens the pool of targets to countries whose primary language is not English. As the list shows, it now covers several East and Southeast Asian languages (Korean, Indonesian, Japanese, Malaysian and Thai).

Examples of the warnings and popups produced with this multi-language support are shown below.

This is a fake warning message displayed by the malware in Japanese.

This is a fake Internet Security GUI displayed by the malware in Greek.

Access to the Microsoft website is blocked with this message; the example is in Korean.

A false system warning message in Thai.

A false system popup warning in Malaysian.

Registration window in Spanish.

A false system warning in Dutch.


CA detects this rogue security software as Win32/XPGuardian.A.

Keep your security software signatures up to date and stay aware of the latest security news.

By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...

Mule Recruiting? A funny name hiding criminal issues

Published: February 09 2010, 01:35 PM | no comments
by Rossano Ferraris

Among the many forms of cybercrime is so-called “mule recruiting”: the recruitment of “money mules”, people who transfer money, or reship high-value goods, that was fraudulently obtained in one country (usually via the internet) to another country.

A "money mule" or "money transfer agent" is needed to launder the funds obtained through phishing and trojan scams. Once recruited by the fraudsters, money mules receive funds into their own accounts, withdraw the money and send it overseas via a wire transfer service, keeping a commission.

Money mules are recruited by a variety of methods, including spam emails, adverts on genuine recruitment web sites, approaches to people with their CVs available online, instant messaging and adverts in newspapers. Generally the jobs posted require the victim to work at home.

We have witnessed many spam emails over the last several months in which fraudsters try to convince victims to become “money mules” to further the fraudsters' criminal goals.

Some examples are shown below:

Figure 1 - Part A

Figure 1 - Part B

Figure 2

The emails above show how fraudsters use persuasion to get an innocent victim (who has probably lost her job recently) to respond: they offer a lot of money to people who may be facing hard economic times. The number of such emails increased during 2009, probably because of the economic crisis, which has made it easier for fraudsters to exploit others.

Mule Liability

In many cases the mules cooperating in the fraud scheme are themselves innocent victims simply looking to make some extra money. That does not change the fact that they are acting illegally and can be held accountable for their actions. Often law enforcement will approach them for information rather than arrest them, since they usually did not realise they were committing a crime.
In Italy, for example, a money mule risks severe penalties, depending on the case: from 4 to 12 years in prison and/or fines from 1,000 to 15,000 Euros.

How do you avoid the scam?

The CA ISBU Research Team advises all users (corporate and consumer) to ignore and delete emails with the characteristics described above, and where possible to report them to CA ISBU and/or law enforcement agencies.

We expect new forms of work-at-home scams and other “jobs” that require people to act as mules in fraudulent operations. Fraudsters keep inventing new social engineering techniques, but the resulting fraud is always the same, so look out!


By: Rossano Ferraris
Rossano Ferraris based in Italy and is the functional lead of the Internet Security Intelligence team, within CA’s Internet Security Business Unit (CA ISBU). His main objectives are to identify emerging and prevalent threats in order to provide strategic security responses to the internet security and...

Bredolab’s ICS Monitoring Spam Campaign

Published: February 08 2010, 08:42 PM | no comments
by Mary Grace Gabriel

Many people today depend heavily on their internet access, and malware authors take advantage of this to target unsuspecting users. A social engineering technique that has been used repeatedly is to threaten targets with suspension of their internet access unless they stop illegally downloading copyrighted material, in other words accusing them of piracy.

CA ISBU came across an active spam campaign carrying malware as a file attachment, as seen in [Figure 1]. The same campaign was seen a few months ago with a different malware attachment.

[Figure 1 – Fake ICS Monitoring Team Spam Email]


Distinctive Spam Email Characteristics

The email contains the Subject: Your internet access is going to get suspended

The email contains the Body:

--------------------------------------------------------------------------------------------------------

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

--------------------------------------------------------------------------------------------------------

File Attachment: report.zip

The file report.zip contains a file report.exe which CA proactively detects as Win32/Bredolab.C!generic.

If report.exe is executed, it connects to 195.88.190.36 to download and execute a variant of Win32/SecurityTool.

Then the following message box and GUI are displayed:

[Figure 2 – Win32/SecurityTool GUI]

For more information about Win32/SecurityTool, please visit the following URL:

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=80835

It also connects to 83.133.122.160 to download a variant of Win32/Waledac.

For more information about Win32/Waledac, please visit the following URL:

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=77741

Again, we advise users to beware of emails like these, to avoid executing attachments from unsolicited emails, and to ensure that their CA security products are updated with the latest signatures.


By: Mary Grace Gabriel
Mary Grace Gabriel is a Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Mary's career in computer security started at Trend Micro as an Anti-virus Engineer, and she also worked as Senior Malware Analyst at Anchiva Systems. She...

New Video Add-on with Nasty Malware

Published: February 08 2010, 08:17 PM | no comments
by Zarestel Ferrer

A codec or video add-on is one of the most common disguises used by prevalent malware downloaders. They may arrive via spam emails with catchy subjects or be downloaded by other malware.

One of the most active schemes we have seen recently is the “New Video Add-on” lure used by downloaders. One of its distribution vectors is spam email enticing targets to click a malicious URL. Example subject lines:

  • A joke
  • Funny cards
  • Funny moments from live TV news
  • Funny video tubes
  • Have You Seen
  • My wedding video
  • Short joke for You
  • The Home of Drunk Celebs
  • Top 10 funniest video anecdotes
  • Very funny animal
  • Very funny kids

[Figure 1 – Spam Emails with Catchy Subjects]

The malicious URL is wrapped in a URL-shortening service to hide the real destination and evade mail scanners.

Once the user reaches the real malicious URL, one of the following pages is shown to trick the user into downloading the malware. The downloaded file is named in the format “New-Video-Addon.<random 5 digits>.exe”.

[Figure 2 – Different designs of a browser video player]

This trick has been used by a lot of malware over the past years and remains an effective distribution vector.

CA detects the downloader as a variant of Win32/FakeCodec. The malware it then downloads varies; the common ones you can expect if victimised are:

  1. Win32/Gamepass - a family of trojans that steals login credentials and in-game information related to various Massively Multiplayer Online Role Playing Games (MMORPG).
  2. Win32/Dowgent - a family of trojans that attempts to download and execute additional malware on the computer.
  3. Win32/SecurityTool – a family of fake antivirus.

To be safe, avoid clicking URLs in unsolicited emails and keep your security software’s signature database up to date.


Bredolab’s Recycled Spam Campaign

Published: February 06 2010, 04:33 AM | no comments
by Mary Grace Gabriel

There have been several rounds of spam runs this week. Even though these campaign emails are recycled, they remain an effective way of luring victims into executing the malware.

Fake Microsoft Outlook Update

In October 2009 we blogged about Win32/Zbot’s “Microsoft Outlook Update” spam campaign. CA ISBU has now received spam showing that this campaign has been recycled by Win32/Bredolab; the only difference this time is that the email carries the malware as a file attachment, as seen in [Figure 1].

[Figure 1 – Fake Microsoft Outlook Update Spam Email]

Distinctive Spam Email Characteristics

The email contains the Subject: Update for Microsoft Outlook / Outlook Express (KB910721)

The email contains the Body:

--------------------------------------------------------------------------------------------------------
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express
--------------------------------------------------------------------------------------------------------


File Attachment: officexp-KB910721-FullFile-ENU.zip


Fake Ecard Greetings

This is an old spam campaign, but with Valentine’s Day approaching it is still an effective way of luring victims into executing the malware.

[Figure 2 – Fake E-card Greetings Spam Email]

Distinctive Spam Email Characteristics

The email contains the Subject: You've received a postcard

The email contains the Body:

--------------------------------------------------------------------------------------------------------
Good day.

Your family member has sent you an ecard from 123greetings.com.

Send free ecards from 123greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days.

If you wish to keep the ecard longer, you may save it on your computer or take a
print.

To view your ecard, open zip attached file.
--------------------------------------------------------------------------------------------------------


File Attachment: ecard.zip


Fake “Girlfriend” Spam Campaign

Another spam campaign tied to Valentine’s Day.

Are you a single man without a date this Valentine’s Day? Do not fall into this trap: this spam targets single men hoping to find a girlfriend.

[Figure 3 – Fake Girlfriend Spam Campaign Email]

Distinctive Spam Email Characteristics

The email contains the Subject: Do you like to find a girlfriend like me ?

The email contains the Body:

--------------------------------------------------------------------------------------------------------
Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.
--------------------------------------------------------------------------------------------------------


File Attachment: myphoto.zip

CA proactively detects the malicious attachments as Win32/Bredolab variants.

Again, we advise users to beware of emails like these, to avoid executing attachments from unsolicited emails, and to ensure that their CA security products are updated with the latest signatures.
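As an added example (not code from these posts or from CA), the following Python shows the triage a mail gateway or an analyst could apply to the lures described in “Bredolab’s ICS Monitoring Spam Campaign”, “New Video Add-on with Nasty Malware” and the three campaigns above: it parses a message, flags subjects quoted in the posts, opens zip attachments and lists any executable inside (as with report.zip carrying report.exe), and flags links that go through a URL shortener. The sample messages, the inner file names other than report.exe, the executable-extension list and the shortener host list are constructed or assumed here, not taken from the posts.

```python
"""Triage for lure e-mails of the kinds shown in the spam posts on this page.

Added example, not CA's code. It builds sample messages in memory (subjects
from the posts; bodies, URLs and zip contents constructed here) and flags a
message when its subject is a known lure, a zip attachment contains an
executable, or a link goes through a URL shortener. The executable-extension
list and the shortener host list are assumptions, not from the posts.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines quoted in the posts above (compared case-insensitively).
LURE_SUBJECTS = {
    "your internet access is going to get suspended",
    "update for microsoft outlook / outlook express (kb910721)",
    "you've received a postcard",
    "do you like to find a girlfriend like me ?",
    "my wedding video",
}
# Assumed: extensions Windows runs on double-click; extend as needed.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Assumed: a few well-known shortener hosts, not a list from the posts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl"}
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)


def executables_in_zip(blob: bytes) -> list[str]:
    """Names inside a zip that end in an executable extension ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report the lure indicators it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    result = {"lure_subject": subject in LURE_SUBJECTS,
              "zip_executables": [], "shortener_urls": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the content as well as the name: a renamed zip still opens.
        if name.endswith(".zip") or payload.startswith(b"PK"):
            result["zip_executables"] += executables_in_zip(payload)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for m in URL_RE.finditer(text):
        if m.group(1).lower() in SHORTENER_HOSTS:
            result["shortener_urls"].append(m.group(0))
    result["suspicious"] = bool(result["zip_executables"] or result["shortener_urls"])
    return result


def build_sample(subject: str, body: str, zip_name: str = None,
                 inner_name: str = None) -> bytes:
    """Construct a test message; any zip holds a harmless placeholder file."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"      # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg.set_content(body)
    if zip_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, b"placeholder, not a real executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=zip_name)
    return bytes(msg)


# Constructed samples; only the report.zip/report.exe pairing is from the
# posts, the other inner file names and all bodies are assumed.
SAMPLES = {
    "ics": build_sample("Your internet access is going to get suspended",
                        "You can check the report of your activities attached.",
                        "report.zip", "report.exe"),
    "ecard": build_sample("You've received a postcard",
                          "To view your ecard, open zip attached file.",
                          "ecard.zip", "ecard.exe"),
    "video": build_sample("My wedding video",
                          "Watch it here: http://bit.ly/abc123"),
    "benign": build_sample("Lunch on Friday?",
                           "Menu: http://intranet.example/menu",
                           "photos.zip", "photo1.jpg"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The subject match is only a hint, since the same lures get reworded; the two content checks (an executable inside a zip, a link through a shortener that hides the real destination) are what should drive quarantine, and they catch the zip even when the attachment has been renamed.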
