Threat Lab

Redirectors are a popular tactic used by cybercriminal on their way to trick Web filtering solutions. And just as we’ve seen in virtually ever segment of the underground marketplace, demand always meets supply.

A newly launched, DIY ‘redirectors’ generating service, aims to make it easier for cybercriminals to hide the true intentions of their campaign through the use of ‘bulletproof redirector domains’. Let’s take a peek inside the cybercriminal’s interface, list all the currently active redirectors, as well as the actual pseudo-randomly generated redirection URLs.

More details:

read more…

By Dancho Danchev

Operating in the open since 2009, a bulletproof hosting provider continues offering services for white, grey, and black projects, as they like to describe them, and has been directly contributing to the epidemic growth of cybercrime to the present day through its cybercriminal-friendly services.

From Traffic Distribution Systems (TDS), to doorways, pharmaceutical scams, spam domains and warez, the provider is also utilizing basic marketing concepts like, for instance, promotions through coupon codes in an attempt to attract more customers.

More details:

read more…

By Dancho Danchev

In need of a good reason to start using Craigslist ‘real email anonymization’ option? We’re about to give you a pretty good one. For years, the popular classified Web site has been under fire from spammers using DIY email collecting tools, allowing them to easily obtain fresh and valid emails to later be abused in fraudulent/malicious campaigns.

Let’s take a peek at some of the DIY Craigslist themed spamming tools currently in (commercial) circulation.

More details:

read more…

How would a cybercriminal differentiate his unique value proposition (UVP) in order to attract new customers wanting to purchase commoditized underground market items like, for instance, harvested and segmented email databases? He’d impress them with comprehensiveness and ‘vertically integrated’ products and services. At least that’s what the cybercriminals behind the cybercrime-friendly market proposition I’m about to profile in this post are doing.

Tens of millions of harvested and segmented email databases, spam-ready bulletproof SMTP servers and DIY spamming tools, this one-stop-shop for novice spammers is also a great example of an OPSEC-unaware vendor who’s not only accepting Western Union/Money Gray payments, but also, has actually included his SWIFT wire transfer bank account details.

More details:

read more…

Throughout the last couple of years, the persistent demand for geolocated traffic coming from both legitimate traffic exchanges or purely malicious ones — think traffic acquisition through illegally embedded iFrames — has been contributing to the growing market segment where traffic is bought, sold and re-sold, for the sole purpose of monetizing it through illegal means.

The ultimately objective? Expose users visiting compromised, or blackhat SEO-friendly automatically generated sites with bogus content, to fraudulent or malicious content in the form of impersonations of legitimate Web sites seeking accounting data, or client-side exploits silently served in an attempt to have an undetected piece of malware dropped on their hosts.

A recently spotted cybercrime-friendly underground traffic exchange service empowers cybercriminals with advanced targeting capabilities on per browser version basis, applies QA (Quality Assurance) to check their fraudulent/malicious domains against the most popular community/commercial based URL black lists, and ‘naturally’ we found evidence that it’s already been used to serve client-side exploits to unsuspecting users.

More details:

read more…

Among the most common misconceptions about the way a novice cybercriminal would approach his potential victims has to do with the practice of having him looking for a ‘seed’ population to infect, so that he can then use the initially infected users as platform to scale his campaign. In reality though, that used to be the case for cybercriminals, years ago, when managed cybercrime-as-a-service types of underground market propositions were just beginning to materialize.

In 2013, the only thing a novice cybercriminal wanting to gain access to thousands of PCs located in a specific country has to do is to make a modest investment in the (managed) process of obtaining it. Let’s take a peek at one of the most recently launched such services.

More details:

read more…

Apple Store users, beware!

A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve successfully received a legitimate ‘Gift Card’ worth $200. What’s particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails.

More details:

read more…

In a series of blog posts, we’ve been highlighting the ease, automation, and sophistication of today’s customer-ized managed spam ‘solutions’, setting up the foundations for a successful fraudulent or purely malicious spam campaign, like the ones we intercept and protect against on a daily basis.

From bulletproof spam-friendly SMTP servers, to segmented harvested databases for any given country internationally, managed spamming appliances, to segmented databases of APT-friendly (advanced persistent threat) emails belonging to the U.S government/military, for years, the cybercriminals operating these managed services have been directly contributing to the epidemic dissemination of fraudulent/malicious emails internationally.

We’ve recently spotted a Russian one-stop-shop for spammers offering virtually everything a spammer can ‘vertically integrate’ into, in an attempt to occupy a bigger share of this underground market segment. Let’s take a peek at the service and discuss its unique value proposition (UVP).

More details:

read more…

British users, watch what you execute on your PCs!

An ongoing malicious spam campaign is impersonating U.K’s O2 mobile carrier, in an attempt to trick its customers into executing a fake ‘MMS message” attachment found in the emails. Once socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals whose activities we continue to monitor.

More details:

read more…

Bank of America (BofA) customers, watch what you click on!

A currently ongoing malicious spam campaigns is attempting to entice BofA customers into clicking on the client-side exploit serving URLs found in legitimate looking ‘Statement of Expenses’ themed emails. Once users with outdated third-party applications and browser plugins click on the link, an infection is installed that automatically converts their PC’s into zombies under the control of the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign.

More details:

read more…

PUA’s (Potentially Unwanted Applications) are often nuisance applications which serve little purpose other than using your computer as a gateway for online advertisements or as a catalyst to deliver annoying applications that may pester you to the point where you want to throw your computer out a window.  Anti-Malware companies usually have pretty weak detection of these types of programs and have generally failed to protect their customers’ computers from this sort of bloatware.  As a result, countless users have to suffer through agonizing pains of pop-up windows, webpage redirects, search redirects, and sometimes even bluescreens just to try and get their daily TMZ fix.

The problem from an Anti-Malware point-of-view stems from the fact that many of these types of PUA applications could have legitimate uses for some people who choose to install the software.  Some people may enjoy the fact that their Google search results are redirected to some no-name search company (that often still uses Google results anyway) and that advertisements are inserted into their browser window all in exchange of being able to use that email smiley program for free.  But the reality is, most people who obtain software in such a way have no interest in all the redirects, pop-up’s and advertisements.  They simply want their smileys – which leads to the second problem.

People don’t read what appears on the screen!

If users of such downloaded software would often just read the dialogue windows that appear, they would see that a combination of a few carefully selected ratio boxes would usually allow them to obtain their much-desired smiley program without obtaining all the garbage that comes along with it.

From a malware research perspective, it’s downright impossible to determine the intent of all the users of a software product.   If we know that a certain application is being distributed via a deceptive download manager, but also, know some people use that same product for their own personal benefit, it becomes a difficult task in trying to make a determination whether or not to advise removal of the software in question. Many of us grew up in an era where the folk who were knowledgeable with computers would advise novice users to “download a program and just click next, next, next, until it is installed”.  People learned the behavior of not reading and just clicking.  (SouthPark devoted an entire episode to this exact issue)  So I guess it should only be expected that people who have a financial motivation to install software to your computer have capitalized on this fact.

Take example the image to the left.  This particular download manager attempts to install at least 5 different applications (We cut the image by 1 screen for the sake of saving space).  After all the applications have been installed, our home page and search results were redirected.  Advertisements were inserted to our browser windows and plugins were added to the browsers themselves.  Simply reading the screen and clicking the ‘Decline’ button would have thwarted almost all of those unwanted behaviors.

Cases like what are shown above are usually quite easy to make a determination.  We’ve previously written about many different campaigns that were distributing Potentially Unwanted Applications.

Other cases are a bit more vague, and making a determination on these types of installations is not so easy.  We’re not setting out to write a blog post where we call-out reputable software vendors who bundle software with their products for the sole purpose of trying to earn a few dollars, but we would like to point out a recent example which has come to our attention and which highlights the difficulty we face when trying to make determinations within the PUA category.

We have recently been provided a WinZip installer that we are flagging as PUA.Open.Install.  The file in question writes files to the computer system identified as OpenInstall.  Users who downloaded this particular Winzip wrapper were not presented with any sort of opt-out mechanism and after installation the users have software related to the security vendor AVG installed to their machine, plus have their homepage redirected without consent or authorization.  (Please note that we don’t detect any of the WinZip or AVG files as PUA, simply the download wrapper.)

The MD5 in question can be seen from the following VirusTotal page:

https://www.virustotal.com/en/file/6fc0686c4bd358696725be090319eda117a1d96ddf271cd5b68f2e0b067e4853/analysis/

Note the ‘Behavioural information’ tab.  The information contained clearly indicates the creation of files related to OpenInstall as well as associated Network traffic:

Opened files
C:DOCUME~1<USER>~1LOCALS~1TempOIC1.tmp (successful)
C:DOCUME~1<USER>~1LOCALS~1Tempoi_WgCsg9bAeBOIAssistWTD.exe (successful)

Written files
C:DOCUME~1<USER>~1LOCALS~1TempOIC1.tmp (successful)
C:DOCUME~1<USER>~1LOCALS~1Tempoi_WgCsg9bAeBOIAssistWTD.exe (successful)

Runtime DLLs
c:docume~1<USER>~1locals~1tempoic1.tmp (successful)

HTTP requests
URL: http://st.cloins.com/
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; OI build 3287)
URL: http://inst.avg.com/serve/getSetup.php?pid=2793661&k=43a9519ed4b5e9c75eb7d683e3d1e09708f9b34a&sid=&pid=2793661&k=43a9519ed4b5e9c75eb7d683e3d1e09708f9b34a&sid=&user_agent=Mozilla%2F5.0+%28compatible%3B+MSIE+10.0%3B+Windows+NT+6.2%3B%29

TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; OI build 3287)

DNS requests
st.cloins.com (173.203.98.33)
inst.avg.com (173.203.98.33)

As can be seen, several files relating to OpenInstall (OI) are written to the box and a specialized User Agent string is added to the network connection.  Simply Googling the OIAssistWTD.exe file turns up many pages indicating that the software is not a desirable application.  Additionally, the results indicate that several of our competitors also have detection criteria for the software, as-well-as being identified as unwanted by a variety of malware-related blogs:

• • http://forums.malwarebytes.org/index.php?showtopic=101345
  • http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FOpenInstall&ThreatID=157719
  • http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=3420873#none
  • http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Open%20Install/detailed-analysis.aspx
  • http://www.wilderssecurity.com/showthread.php?t=341325
  • http://www.scumware.org/report/install.winzip.com
  • http://kimletkeman.blogspot.com/2012/11/winzip-and-avg-partner-to-be-worlds.html

To verify the behavior that we had seen on the submitted file, we downloaded the most recent version of the Winzip file from the Winzip website.  On this particular version of the software, there were no disclaimers or warnings advising of the changes.  Screenshots have been included below which show the various screens during the install process.  Note that none indicated the installation of OpenInstall or AVG products.

When conducting these very same steps again today (while preparing for this blog entry), we see that the Winzip installer is now providing a disclaimer and ‘opt-out’ functionality prior to initiating the download.  This quick change shows the fast-paced and quickly evolving landscape that we find ourselves in, and shows the difficulty we face with Download Managers that are capable of changing their wrapper at a moment’s notice.

So, who is OpenInstall?  According to Bloomberg Businessweek, OpenInstall “operates as a cloud based installation company”, and that ‘the company offers CloudInstaller to manage software download and installation for development teams to focus on their core product and for marketing teams to provide input into the conversion funnel for their software’.  The overview goes on to state that OpenInstall “provides a management platform to make right offers to right users at the right time”.  The overview provides the company web address of www.openinstall.com .  Clearly, the Company Overview indicates an advertising agenda.  Trying to access the OpenInstall.com website proves to be an act of futility as the site is no longer online.  This downed website comes despite the fact that some download locations for the Winzip software still indicate that “By clicking download, you agree to the OpenInstall EULA and Privacy Policy”.  Those EULA and Privacy Policy links attempt to direct users to the OpenInstall.com website.

A bit more research into the company turns up a filing with the S.E.C. which indicates that security vendor AVG acquired OpenInstall in January 2012.

I think we can all agree that reputable companies such as Winzip and AVG are not performing activities on computers which would be deemed malicious, but it’s hard not to ignore the fact that the OpenInstall product does write files to the computer (OI related files) and that in at least some cases, a means to opt-out is not provided, and yet that in even more cases, there is not a valid EULA.

As if all the above information isn’t confusing enough, the data produced by the Webroot Security Intelligence Network reveals some interesting information regarding files related to OpenInstall.  We would like to highlight some file characteristics which most people won’t have the ability to see on a large scale, but from a Malware Research perspective seem quite suspicious.

In the below view, we have grouped together a partial listing of the OpenInstall files.  The following files all share the same internal data-points, meaning they are all files that share a similar code-base.  None of the files have ever been seen on more than 1 PC.  We have columns for: File Name, Vendor (from the file properties tab), Product Description, Version, and Digital Vendor.  Take note of some of the included entries.  Several of the files have file names relating to one product, Vendors relating to other products, and then Digital Vendors relating to something totally different.  Our Intelligence Network has identified thousands of similar files.  Even people who don’t spend their days researching malware must acknowledge that conflicting Filenames, Vendors and Digital Vendors should be a characteristic that stands out as not being normal.

Being presented with all this varying and sometimes conflicting information, what type of determination should a Malware Analysis take on this type of software?  At least in some cases, users have no option to opt-out.  If they can’t opt-out, users face changes to their search provider as well as a home page reset.  The software in question has a dubious reputation among members of the Anti-Malware community, and some of our competitors have detections for this software.  From an analysis perspective, we see some interesting (to say the least) aspects with the topical information of files.  Search results for the written files (OIAssistWTD.exe) indicate OpenInstall as the owner, yet there is no website information for OpenInstall, and thus no available EULA under that name.  It takes a good bit of research to uncover the fact that the OI related files are now owned by AVG.

Considering all of this, how do we not consider the software in question to be Potentially Unwanted?

Maybe others will have a different view.  We’re more than willing to entertain a discussion on this topic.  If you have a different opinion or viewpoint regarding this issue, we would be more than happy to hear it.  Leave your thoughts in the comments section below and we will be sure to read them.

We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick iPhone owners into thinking that they’ve received a ‘picture snapshot message’. Once users execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals, whose activities we’ve been closely monitoring over the last couple of months.

More details:

read more…