Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS… these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Newly launched E-shop for hacked PCs charges based on malware ‘executions’

By Dancho Danchev

On the majority of occasions, Cybercrime-as-a-Service vendors will sell access to malware-infected hosts to virtually anyone who pays for them, without bothering to know what happens once the transaction takes place.

A newly launched E-shop for malware-infected hosts, however, has introduced a novel approach for calculating the going rate for the hacked PCs. Basically, they’re selling actual malicious binary “executions” on the hosts that the vendor is managing, instead of just selling access to them.

A diversified international underground market proposition? Check. A novel approach to monetize malware-infected hosts? Not at all. Let’s profile the actual market proposition, and discuss in-depth why its model is flawed by design.


Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin

By Dancho Danchev

In 2013, Liberty Reserve and Web Money remain the payment methods of choice for the majority of Russian/Eastern European cybercriminals. Cybercrime-as-a-Service underground market propositions, malware crypters, R.A.Ts (Remote Access Trojans), brute-forcing tools, etc.: virtually every underground market product/service is available for purchase through the use of these ubiquitous virtual currencies.

What’s the situation on the international underground market? Next to accepting PayPal and consequently all major credit cards, we’ve been observing an increase in market propositions starting to accept Bitcoins. Is this a trend or a fad, and is the currency’s P2P model about to be embraced ecosystem-wide due to its (current) pseudo-anonymous model?

Let’s find out.


Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), serve malware

By Dancho Danchev

Cybercriminals are currently spamvertising tens of thousands of bogus emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received a uniform traffic ticket that they should open, print and send to their town’s court.

In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign.


Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to client-side exploits and malware

By Dancho Danchev

Kindle users, watch what you click on!

Cybercriminals are currently mass mailing tens of thousands of fake Amazon “Your Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign.


Citibank ‘Merchant Billing Statement’ themed emails lead to malware

Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals.


New version of DIY Google Dorks based mass website hacking tool spotted in the wild

Need a compelling reason to perform search engine reconnaissance on your website, for the purpose of securing it against eventual compromise? We’re about to give you a good one.

A new version of a well known mass website hacking tool has been recently released, empowering virtually anyone who buys it with the capability to efficiently build “hit lists” of remotely exploitable websites for the purpose of abusing them in a malicious or fraudulent fashion. Relying on Google Dorks for performing search engine reconnaissance, the tool has built-in SQL injection options, the ability to add custom exploits, a proxy aggregation function so that no CAPTCHA challenge is ever displayed to the attacker, and other related features currently under development.


Rootkit infection sporadically redirects search results in hopes users ‘just live with it’

By Tyler Moffitt

Recently we have seen an increase in fake installer scams attempting to trick computer users into installing disguised rootkits directly on their machines. In this post, we want to highlight how a scam like this can be installed and infect a machine, including behavior to watch out for as well as how to remedy the situation if it were to arise.

In the case of this infection, we are utilizing a bogus Adobe Flash Player installer. Normally, this file would be downloaded from a website after a message stating “You need the latest version of Flash to view this video” appears. The file being downloaded would have a random name, such as ‘flashplayerinstallerxxxx.exe’.

New IRC/HTTP based DDoS bot wipes out competing malware

Every day, new vendors offering malicious software enter the underground marketplace. And although many will fail to differentiate their underground market proposition in a market crowded with reputable, trusted and verified sellers, others will quickly build their reputation on the basis of their “innovative” work, potentially stealing some market share and becoming rich by offering the tools necessary to facilitate cybercrime.

Publicly announced in late 2012, the IRC/HTTP based DDoS bot that I’ll profile in this post has been under constant development. From its initial IRC-based version, the bot has evolved into an HTTP-based one, supporting 10 different DDoS attack techniques as well as possessing a feature that allows it to heuristically and proactively remove competing malware on the affected hosts, such as, for instance, ZeuS, Citadel or SpyEye.


A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool

On a regular basis we profile various DIY (do it yourself) releases offered for sale on the underground marketplace with the idea to highlight the re-emergence of this concept which allows virtually anyone obtaining the leaked tools, or purchasing them, to launch targeted malware attacks.

Can DIY exploit generating tools be considered as a threat to the market domination of Web malware exploitation kits? What’s the driving force behind their popularity? Let’s find out by profiling a tool that’s successfully generating an exploit (CVE-2013-0422) embedded Web page, relying on malicious Java applets.


Fake Microsoft Security Scam

Recently we have seen an increase in fake Microsoft security scams, which function by tricking people into thinking that their PC is infected. With these types of scams there are a number of things to remember:

  1. Microsoft will never call you telling you that your PC is infected
  2. Never allow strangers to connect to your PC
  3. Do not give any credit card info to somebody claiming to be from Microsoft
  4. If in doubt, shut down your PC and call Webroot

The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that the location (address) of the web site will be a random string of letters.

These websites will normally only stay active for 24-48hrs before they are pulled down. The websites’ primary function is to get you to run a “removal tool” called “security cleaner”. This file is the infection and, if run, will infect the PC and start displaying pop-ups (like the one in Figure 2).


Figure 1: Fake Alert

At this stage, the PC is not infected, so it’s safe to close the browser and ignore any alerts from the website. Noting the website that displayed the message is a good idea, as you can notify the webmaster (if it’s a legitimate website).

I have seen examples of this type of fake webpage being linked from advertising links. Using a browser that has a pop-up blocker will reduce the likelihood of encountering a bad advertising link. With scams like this, the most important way to stop getting infected is to be diligent when you’re online.

If a website asks you to run a file that you haven’t asked for, be extremely cautious. The same goes for emails (even from friends). Do not open executable files unless you are 100% sure they are good.


Figure 2: Fake AV Pop-up

Behavior

The info below is only a guideline as the payload can change. However, it follows the same pattern of dropping a fake AV that stops you from opening most programs.

  • Drops a randomly named file in the current user’s folder (Fake AV payload)
  • Creates a service for the above file
  • Disables Windows Firewall or modifies the settings to allow the file full access to the PC
  • Creates a number of files in the Windows Recycler folder (usually ZeroAccess)
  • Flags any opened program as an infection (by modifying the shell\open\command registry key)
  • Fake AV will then prompt the user to pay to remove the detected “infections”

Webroot Detection logs:
Infection detected:
c:\users\owner\appdata\local\microsoft\windows\temporary internet files\content.ie5\wckxi56g\security_cleaner[1].exe

MD5: 68D9F9C6741CCF4ED9F77EE0275ACDA9
Detection rate of the file: 28/46 vendors on VirusTotal.

Registry Changes:
Below is an example of some of the changes. The first shows how it modifies the shell open command so that when you open any file it will run the Fake AV. The second shows the Security Center notifications that are disabled.

HKCR\w1\shell\open\command   "C:\Users\User\AppData\Local\gpt.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.exe\shell\open\command
HKLM\SOFTWARE\Microsoft\Security Center   AntiVirusDisableNotify   00000001
HKLM\SOFTWARE\Microsoft\Security Center   AntiVirusOverride   00000001
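As an added example (not part of the original post), the following Python triage script parses a registry export in .reg format and flags the two tampering patterns described above: a shell\open\command handler whose executable lives in a user’s AppData directory, and the Security Center values AntiVirusDisableNotify / AntiVirusOverride set to 1. The key and value names come from the post; the export text is constructed, and the flagging rules and the w1 class name are assumptions for illustration.

```python
import re

# Constructed .reg export (not real forensic data) built from the keys the post lists:
# a hijacked shell\open\command handler, a benign one, and the Security Center flags.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\w1\shell\open\command]
@="\"C:\\Users\\User\\AppData\\Local\\gpt.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
USER_PROFILE_EXE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)  # writable per-user path
SUPPRESSION_FLAGS = {"AntiVirusDisableNotify", "AntiVirusOverride"}  # the two values in the post

def unescape(s):  # .reg strings escape " and \ with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (type, value)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line.strip()):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE_RE.match(line.strip())):
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            raw = m.group(2)
            if raw.startswith("dword:"):
                current[name] = ("dword", int(raw[6:], 16))
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = ("sz", unescape(raw[1:-1]))
    return keys

def command_executable(cmd):  # the quoted path if present, else the first token
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def find_indicators(keys):  # open handlers run from a user profile; AV notifications disabled
    findings = []
    for path, values in keys.items():
        if path.lower().endswith(r"\shell\open\command"):
            exe = command_executable(values.get("(Default)", ("sz", ""))[1])
            if USER_PROFILE_EXE.search(exe):
                findings.append(("hijacked_open_handler", path, exe))
        elif path.lower().endswith(r"\microsoft\security center"):
            for name, (kind, val) in values.items():
                if name in SUPPRESSION_FLAGS and kind == "dword" and val == 1:
                    findings.append(("av_notification_suppressed", name, val))
    return findings
```

Run against a real export (e.g. from `reg export HKCR hkcr.reg`), the benign txtfile handler produces no finding while the AppData-resident handler and both Security Center flags are reported.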

How to protect yourself from these scams

There are a number of ways to ensure your PC is protected from these types of scams. The first step is simply being aware that these scams exist! Also, make sure to:

  • Use Webroot SecureAnywhere
  • Keep Windows updates turned on and set them to automatically update
  • Use a modern secure browser like Firefox or Chrome
  • Update any 3rd party plugins (Java/Adobe Reader/Flash player)
  • Use an ad-blocker add-on in Firefox/Chrome

I have seen a number of infections that would have been prevented if Windows was up to date. Microsoft is constantly releasing Windows updates to patch various security vulnerabilities.

Removal

Webroot SecureAnywhere automatically blocks the installation of the infection so it won’t even run (Figure 3). If the PC has no AV software installed, booting into Safe Mode with Networking and installing Webroot SecureAnywhere will remove the threat. Manually removing this threat is possible; however, there may be some system damage that will need to be repaired.

Webroot support is always available to help with removal and questions regarding this infection. Please visit the Webroot support web site for more detail at: http://www.webroot.com/support/.


Figure 3: SecureAnywhere Removal