Threat Lab

Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products.

What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With each different browser configuration, we were treated to one of several different, specially crafted malware delivery Web pages.

I’m not sure when the attack started, but we started analyzing it at around 10am, Mountain time. By late afternoon, the sites were offline and the attack no longer worked.

To test the extent of the hack, we played around with the manipulated search results using five different browsers: Internet Explorer 6 and 8, Safari 5, Google Chrome, and Firefox. All the browsers were set up with default settings in an otherwise identical installation of Windows XP SP3. We then searched for USA Map and clicked the second result that appeared under the header “Images for usa map.” (All but the first image result that appeared on that first page of results linked to the malicious Web site.)
read more…

As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and — oops! — you need to update your copy of Adobe Flash in order to view it.

Well, those days of hard work seem to have faded into memory. All we’re left now is this.

In a recent attack that came to my attention, the guys behind the attack didn’t bother to build a sophisticated Web page. Well, nothing along the lines of pages we’ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.

In this case, the unknown person or people created an HTML file that loads someone else’s graphic, which happens to be a warning about an outdated version of Flash, that is located elsewhere. Specifically, they load a graphic that just happens to be hosted on the Coca-Cola company‘s Web server. This isn’t a site hack against the Coke people — the graphic is probably legitimate, considering how Flash-heavy the Website is — just an example of how pathologically lazy or incompetent some malware distributors can be.

read more…

While some members of our Threat Research group are attending talks at the Black Hat Briefings, the rest of the team is back at our offices, hard at work watching for novel threats.  That’s good news for gamers, and bad news for malware distributors who might try to take advantage of a confluence of events where many elite members of the security community are temporarily turned away from monitors while they attend the conference. I received a warning about one potential threat facing gamers who might turn to piracy to get a copy of Blizzard’s new real-time-strategy game, Starcraft II.

Apparently, there are a flood of torrents where gamers can download purportedly pirated versions of SC2. While your less ethical gamer might cheer this news, you might be less pleased to find out that some of the SC2 torrents appear to bring along a side order of malware. One of the torrents, for example, touted as a custom game launcher, drops the Zbot keylogger Trojan—albeit a variant we can easily detect and remove.

While this isn’t exactly new, we’re finding that the incredible demand for this game is driving malware distributors to supply something that looks like what the gamers want. We’ll keep an eye on this trend, and update the post if necessary with more details as they become available.

And if you want a copy of the game, just go out and buy it. It may not be the most thrifty use of your money, but it’s the ethical thing to do, and the safest way to get a copy of the game.

(Starcraft 2 logo courtesy of Blizzard Entertainment)

The Threat Research group sat in on a talk by HBGary CEO Greg Hoglund yesterday where the regular speaker discussed some research he’s been doing over the past year that he hopes will help connect malware samples to known groups of malware creators. While that sounds promising for law enforcement, it’s actually not as helpful for tracking down originators of malware for prosecution as it is for security researchers to preliminarily group and classify the masses of outwardly-dissimilar Trojans we see every day.

In most conventional methods of classification, researchers look for programmatic similarities or behavioral characteristics as a way to group similar pieces of malware into definitions, which then simplify the task of an antivirus tool to clean up an infection. In Hoglund’s talk, he proposed another set of criteria antimalware researchers can use to make these kinds of classifications: the “tool marks” left behind inside of malware samples as a result of compiling tools, languages, and even sloppy coding habits employed by malware creators.

On a technical level, Webroot’s Threat Research team has been using these “tool marks” as guides for some time when they perform manual analysis of malicious files. Hoglund’s talk introduced a tool he created, called Fingerprint, which can process a malware file and, in an automated fashion, provide malware researchers with simplified output they can then add to a database. With a sufficiently large sample set, surprisingly good clustering seems to appear, as shown in the photograph above, which is a snapshot of one of Hoglund’s slides.

While the characteristic “tool marks” alone are probably not sufficient to establish that an arbitrary, unknown file is malicious, it can be a good indicator that the unknown file is related — possibly in several significant ways — to files that have been established to be malicious. It is this predictive ability of the fingerprint that may be its greatest strengths…at least, until the malware authors catch on, and strip this identifiable information out of their files. For the meantime, however, laziness on the part of malware creators, and the difficulty of completely re-coding new malware, means identifiable tool marks should persist for a while, which means this fingerprinting method may remain effective for some time.

I’m at the Black Hat Briefings this week, the annual confab of the best and brightest in computer security, catching up on the trends and tricks malware authors and data thieves employ. I just saw an impressive demo by a pair of security researchers who took a deep dive into the behaviors of four pieces of highly targeted malware.

The researchers, Nicholas Percoco and Jibran Ilyas of Trustwave, ran a live demonstration of four Trojans designed to steal sensitive information and surreptitiously exfiltrate that data to the criminals. Three of the Trojans had been found installed on the servers of retail businesses, and capture credit card information — including the magnetic stripe data recorded by point-of-sale devices (ie., cash registers). The fourth Trojan, found on the computers of a large military contractor, was designed to steal any files in the My Documents folder, as well as any saved passwords on the system.

Of note was the highly targeted nature of the Trojans. In the case of the military contractor, for example, the criminals had obviously done their research, because the attack had targeted several high-level executives within the firm. According to the researchers, the attack started when a maliciously crafted Adobe PDF file was emailed only to the executives in a forged message that appeared to come from the CEO of the company. The forged message even included the CEO’s customized mail “signature” and the message text sounded convincingly similar to the language the CEO might have used.

Most importantly, all four Trojans did an outstanding job of remaining undetected for a significant period of time, which gave them more time to get the job done. Although one Trojan, which used a rootkit driver, had a tendency to “blue screen” their test machines, even a crash might not alert a victim that their computer hosts an infection. After all, Windows can crash for all kinds of reasons, and a crash isn’t necessarily an indication of a malware infection.

I’m looking forward to seeing more talks from other researchers over the course of the coming week. Of particular interest is a talk being given by Greg Hoglund about identifying the perpetrators of malware infections and even the creator(s) of widely distributed types of malware.

When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well.

Phishing has evolved. Learn all the ways hackers are angling for your data with our 11 Types of Phishing eBook.

But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! Case in point: this doozy that came through our spam bucket last week.

The message subject reads Your Funds Will Be Transfered and the body helpfully informs the recipient that I am able to complete the funds transfer late night — I hope that doesn’t mean someone sent Jimmy Fallon $28,126 from my bank account. It continues, Copies of the payment is being attached, and the message indeed has an attachment named Copies of the payment.htm which I can open and…

…uh oh. That’s where the trouble begins.

The end result: Three pieces of malware installed; Two password-stealing copies of the Zbot phishing trojan, and a remote-access backdoor to boot. Considering Zbot’s propensity for stealing bank account logins and other sensitive credentials, I suppose the subject line was correct after all. Your funds will be transferred. Just not where you thought.

A more careful look at the attachment reveals that it contains some lightly obfuscated Javascript code. When rendered in a browser, the code instructs the browser to load a page on a Web site called DreamLifeAsia, which is (suprisingly, considering the name) not a pornography site. That page contains instructions for the browser to load a one-pixel-square iframe from a page on the raceobject.ru Web site.

The raceobject.ru page contains scripting that instructs the browser to download and execute a payload from yet a third Web site, problemdollars.ru. It just so happens that these fine, upstanding Russian-registered Web sites are hosted on the same server, located at the same IP address.

Whomever scrabbled together this row of dominoes must have thought they were being really clever when they made their code hard to read. Take a look at the line below, for example. At first glance, you might not be able to determine what it’s supposed to do. It looks like gobbledygook, right?

Well, take out every other character in the line encircled in red, and the cloying concatenation code, and this is what you get:

Yeah, genius, we figured out your awesome trick. It’s the “insert a random letter between every character” encryption algorithm, first invented in the year one by a five year old girl who wanted to pass a clay tablet to her friend in class without the teacher being able to read her Aramaic. The only significant difference is that there are no little hearts drawn over the “i”s. RSA and Bruce Schneier, eat your hearts out. These guys are obviously l33t.

In the end, the page directs a vulnerable browser to download the backdoor to the victim’s computer. The backdoor pulls down Zbot. Zbot contacts its command and control server, pulls down a data file with instructions, and makes another copy of itself on the infected computer’s hard drive.

In addition, the backdoor changes all the Security Zone settings in IE, clears your cookies, changes the settings for the Windows firewall to permit Windows Explorer (not IE) to receive data from anyone on the Internet, and makes other modifications to security settings that make it far more likely a victim will further infect him- or herself.

Bottom line, it doesn’t matter what kind of attachment you get. Don’t open anything attached to a spam email in a browser. After all, it’s pretty obvious that this is just a ruse. Jimmy Fallon doesn’t need your money, just some decent Nielsen numbers in his time slot, and that’s one thing Zbot can’t steal.

I just want to take a moment to thank the malware author who posted a spam comment to the Webroot Threat Blog blog the other day. You guys make my job so easy.

The spam comment, which reads Hello. I the beginner. I wish to show to you,scandal story and links to a drive-by download site, is a tremendous help to our researchers, who are always on the lookout for new threats.

Of course, the malware distributor could have employed a more effective hook to convince someone to click a link than the one he used.

The link claims to point to a page hosted on the free Blogspot blog site to a nude video — not of Paris Hilton, Venus Williams, or Erin Andrews — but of…Diane Sawyer, the respected, award-winning anchor of ABC’s World News Tonight.

“Diane Sawyer Nude” — seriously? News anchor porn? Whatever happened to malware authors touting nude photos of starlets as an enticement?
read more…

Ransomware is nothing new, but a Ukrainian ransomware Trojan that came over the transom last week demonstrated that the concept of “payment” can extend to services other than banking or finance. In this case, the Trojan (which we and several other AV companies call Trojan-Ransom-Krotten) thoroughly locks down the infected system then demands payment—in the form of credit paid to the Ukrainian mobile phone provider Kyivstar, which the victim then has to transfer to the malware distributor’s account.

Yes, Alice, the hacker wants you to pay his cellphone bill.

Once the ransomware has taken hold on a victim’s computer, it locks down the operating system in dozens of different ways, as well as changing several registry keys that add juvenile, profane text to Internet Explorer’s title bar and elsewhere on the desktop and in folders.

Paying the ransom in these cases simply emboldens the malware creator to continue his crime spree. Of course, even once a victim hypothetically pays this ransom, there’s also no guarantee that there’s any way at all for the malware distributor to reverse the damage — which takes the form of significant levels of annoyance — caused by this insipid Trojan.

Fortunately for the victim, the creator of this Trojan isn’t the sharpest tack in the box. Not only were we easily able to tease out the Trojan’s payloads and add signatures which would prevent the Trojan from delivering its payload files to a victim’s computer, but we’re able to see exactly how the author (ineffectively) tries to frustrate the kinds of behavioral analysis we and other antivirus vendors perform.

read more…

Blizzard’s announcement today that they will begin a closed beta-test for the latest expansion pack is likely to generate a lot of excitement among that particularly low breed of online criminals who steal the fruits of other people’s entertainment when they commandeer passwords for other players.

While it’s hard to believe that most players of online games aren’t aware of the profusion of phishing sites attempting to steal logins, the problem clearly isn’t going away, so the warnings remain the same: Keep a close eye on your browser’s Address Bar, and make sure you’re really logging into Blizzard’s Web site, and not some phishing creep’s trap.

If history serves, they’ll try to lure you with false promises of getting access to the beta. Don’t fall for the trap.

(Tip ‘o the hat to Threat Research Analyst Curtis Fechner for the breaking news tip.)

Malware distributors in China have started pushing the same kinds of fake codec scams on unsuspecting Chinese Web surfers that criminals elsewhere in the world have mastered.

I’m not sure how I feel about this. On the one hand, I feel sorry for the Chinese victims, most of whom are probably blissfully unaware of the dangers they now face on the Web. On the other, perhaps this will finally serve as a wake up call to Chinese authorities that they need to do something about homegrown Sino-cybercrime.

In the course of investigating some odd-looking URLs (including one which uses the name of every popular Chinese portal), I stumbled into a maze of Web sites that forcefully urge visitors to download and install software.

The scams start at Chinese porn sites — though, it must be noted, the photos on most of these sites are significantly less racy than what you’d find on your typical college coed’s MySpace page, even before Spring Break. The sites promote streamed video, but warn users that they must download and install a special “video on demand” player in order to watch the videos. Sound familiar?

In the course of a few hours, I pulled down and researched five distinct Trojaned software packages, all of which originated from a “click here to download the player” link on a Web page. At best, the programs attempt to convince users to pay 100 Yuan (about $15) for access to what the program promises is a vast library of TV shows and movies from China and the rest of the world.

At worst, the programs pull down dozens of keylogging Trojans, downloaders, and backdoors at the same time as they install benign Chinese video software, such as the popular (and completely free) QVOD player.
read more…

Malware authors must have a soft spot in their hearts for the long-maligned South African vuvuzela, because once again, the  most annoying noisemaker in World Cup history is driving people to Web sites which push infections down to their computers. This time, people are retweeting the malicious links attached to a message that reads “OMG! Vuvuzela banned!” along with the hashtags #worldcup and #vuvuzelabanned. At last check in Google, references to the malicious links number over 16,000.

The tweets use a variety of different link shortening services (including bit.ly, tinyurl.com, is.gd, and dr.tl) to mask the fact that their destination is actually a bogus image hosting website hosted on the .in top-level domain (supposedly used by Web sites registered in the country of India, but these sites are all hosted elsewhere). The Web site you eventually land on calls itself Image Sheep, while in the background, your PC is being herded into a botnet.

As an aside, there is a real image hosting service by the same name, but the real Image Sheep is registered elsewhere and hosted in an entirely different network than these fake Image Sheep clones.

Once the victim’s browser loads the fake Image Sheep page, it pushes a Java “image viewer” applet, named target.jar, down to the browser. It’s easy to pick apart the contents of this file, which contains additional Java applets and PHP scripts that push the malicious file (named IMG12523.jpg.exe) down to the victim’s computer. The file itself is a downloader component of an adversary we’ve seen before: Trojan-Backdoor-Protard (aka Gootkit), which retrieves additional malware and retrieves complex instructions.

read more…

An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents.

A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible.

The page, designed to mimic closely the appearance of the Spanish central bank’s Web site, was very much a clone of the previous fake-bank pages used to foist Zbot onto victims.

Previous campaigns of this type targeted, primarily, North American victims by spoofing the Web sites belonging to Visa, Bank of America, the FDIC, the American Bankers Association, NACHA, the IRS (and its equivalent British tax authority), as well as Amazon.com, iTunes, Facebook, MySpace, AOL, the Centers for Disease Control and Prevention, and many others.

read more…