AutoCAD Adware Trojans Target Techies
Every once in a while, you hear whispers or rumors about specially-crafted, targeted malware designed to steal a specific piece of data from a particular victim. The data thieves, in these limited cases, tend to be clever, thoughtful, and methodical in both the creation and deployment of their creations.
Rarely do malware researchers encounter these files. But it does happen occasionally, and I thought I had stumbled upon one of these kinds of spies a few weeks ago. It’s a peculiar Trojan horse which has been written not as a standard Windows application, but as an ObjectARX application — an application which can only run if you have AutoCAD, the engineering and design program from AutoDesk, installed on your PC.
Now, why do you suppose a malware author would write a Trojan that can only run on computers with AutoCAD; a Trojan that is so well designed that it prevents antivirus applications from running, and downloads specific, tailored updates for itself, depending on which version of AutoCAD the victim has on his or her PC?
Sounds a lot like a slick tool for corporate espionage, right? Well, not quite. Fark: It’s just another stupid adware client. We’re calling this dumb gimmick Trojan-Pigrig.
Jackson/Fawcett Malware is Extortion-ware
As I reported yesterday, searches for information about the deaths of Michael Jackson or Farrah Fawcett were turning up links to malware. This came as no surprise to anyone, though the speed with which the links spread was astonishing: Within minutes of the first confirmation that Jackson had succumbed to a heart attack, the first malicious blog posts began popping up in search results. We’re continuing to monitor hundreds of malicious sites touting news of Jackson’s demise — and new malicious blogs are coming up as fast as the blog services can shut them off.
The first site we encountered that referenced Jackson appeared to be a personal blog post hosted on Google’s own Blogspot service. However, we quickly determined that something wasn’t right with the post. Just visiting the page spawned a tornado of background and foreground browser activity — over 100 URLs, mostly called from ad-host Yieldmanager by an automated script hosted elsewhere, were pulled down in just the first three seconds after the page loaded; The list grew to 500 URLs by the time 32 seconds had elapsed.
To illustrate the speed that the scripts embedded in the malicious blog post were loading ads, I captured this short video, which shows the amount of activity in about 60 seconds of permitting the page to load. I can only guess that the volume of URLs was limited by the fact that I had to click through some dialog boxes that appeared during the test. Another interesting thing is that between the time I began the video and the time it ended, Google had terminated the malicious blog account — for the moment, at least. The last page to load in the video is a Google ‘404’ error message when I attempted to load the initial page a second time.
[vimeo http://vimeo.com/5329574]
Some of the sites loaded by these malicious scripts also used browser exploits to damage the test system.
Our Cup Runneth Over with Farrah Fawcett Files and Michael Jackson Malware
With the sad news circulating the globe that 70s sex symbol, TV pitchwoman, and former Charlie’s Angel Farrah Fawcett passed away this morning, it didn’t take long for the malware vultures to execute their attack.
Beginning in the afternoon, our Proactive Research team began finding tons of pages that purportedly offered a Farrah Fawcett poster or photo for download. What you got, when you clicked the link that looks suspiciously like a video player (not a static image), was — you guessed it. A load of junk.
Interestingly, hovering the mouse over the video link causes the browser to display a “preview image” that looks awfully like Google’s front door. But clicking the link to the video brings you to yet another page with something that looks like a video player, and only when you click that link do you end up with an executable on your desktop.
Few antivirus companies have the malware in their definitions. We’re identifying the files pulled down by the Fawcett installer as Trojan-Cognac (they leave, shall we say, a distinctive aftertaste), as well as Trojan-Zoeken and Adware-Sabotch. Zoeken is a nasty downloader, which brings down all kinds of badness on an infected system, and Sabotch tends to tout those wonderful rogue antivirus products we all love so much.
So far, the Fawcett-related malware is all coming from fake pages set up on blog site Vox.com. Until they clean up this mess (which I imagine will be fairly time consuming, as new ones keep popping up), don’t follow any search links headed in their direction.
And this afternoon, as rumors began to circulate that Michael Jackson was ill in hospital, the jackals pounced on that bit of news. More on that in the next post.
Drive-by Downloads Still Pack a Punch – If You Click
In the course of surfing around, looking for ways to get infected, I stumbled upon a site that offers visitors downloads of key generators, cracks, and other ways to circumvent the process used by most legitimate software companies to prevent people who didn’t pay for the software from registering or using it.
And of course, I stumbled into a morass of malware.
Well, “stumbled” isn’t entirely accurate. The site is well-known to us as a host of drive-by downloads — it’s a site that uses browser exploits to infect your computer. But I went there anyway just to see what they’re driving-by with these days. Technically, the site didn’t burn us — it came from an advertising network, which loaded a script that bounced to three separate machines before landing my test PC in the hot seat. Cold comfort if your PC happens to get slammed with this junk.
Gamers: Fight the Phishers
Last week, I posted a blog item that explained how gamers face a growing security threat in phishing Trojans — software that can steal the passwords to online games, or the license keys for offline games, and pass them along to far-flung criminal groups. We know why organized Internet criminals engage in these kinds of activities, because the reason is always the same: There’s a great potential for financial rewards, with very little personal risk.
So I thought I’d wrap up this discussion with some analysis of how the bad guys monetize their stolen stuff. After all, how do you fence stolen virtual goods? And knowing that, is there a way to put the kibosh on game account pickpockets?
read more…
If You’ve Got Game, Phishers Want Your Stuff
Since the beginning of the year, my colleagues in the Threat Research group and I have been researching an absolutely astonishing volume of phishing Trojans designed solely to steal what videogame players value most: the license keys that one would use to install copies of legitimately purchased PC games, and/or the username and password players use to log into massively multiplayer online games, such as World of Warcraft.
I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details. (We began covering this issue briefly last week.) With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don’t even seem to be concerned in the slightest about covering their tracks.
These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers — typically, perhaps unsurprisingly, located in China. We know the exact servers they contact, and what kinds of information they’re sending. And we know why: Thar’s gold in them thar WoW accounts, and the rush is on to cash in.
Today, I’m going to go deeper into how the infections happen.
May Threat Trend: Misleading Malware
The latest data from our customers indicate that, at least in the month of May, we were blocking and removing some of the nastiest threats on the Web. Among the spies we took out, we hit Fakealerts and Rogue Security Products hard. These spies simply try to fool you into making purchases you otherwise wouldn’t. After taking a hiatus of several months, the makers of these types of malware appear to be making a comeback. Simply put, a Fakealert is just a piece of adware. Unlike traditional ads, however, the ads a Fakealert pops up take on the appearance of official-looking error dialogs and Windows-esque warning messages — albeit, not always as poorly worded as the example shown here. Many present themselves as clones of the Windows Security Center control panel, or as those cartoon-voice-bubble popups from the System Tray. Fakealerts push their particular brand of stale baloney on the unsuspecting public for one reason: They want to trick you into downloading and running a program that looks, for all intents and purposes, like a system utility or an antispyware or antivirus product. The program displays realistic-looking “scans” that “find” allegedly malicious files on your computer. The joke of these “scans” is that they’re often no more than Flash animations. Because they run on any operating system that can display a Flash video, you can even get them to “scan” a Mac or Linux box, and “find” malicious files in parts of the filesystem that don’t even exist on those platforms. Oh well; you can’t blame a fraudster for trying. Many of these threats are installed when users inadvertently click a popup message that warns the user that they need to run a file in order to load a missing video codec, or install an ActiveX control that supposedly will perform a “free scan” of a system. Sometimes the people behind these ads even put a fake “close box” in the upper right hand corner of the fakealert message, to trick you into clicking inside the active area of the ad window. If you see this kind of ad appear, hold down the Alt key on your keyboard while you press the F4 key — that will close the ad window without requiring you to click anywhere inside of it. The bottom-line message to you is that while you should remain vigilant against potential frauds and scams, keeping your PC updated with the latest threat definitions is equally if not more important.
5 PC Gaming Threats and How To Beat Them
By Mike Kronenberg
E3, the annual trade show for the computer and video games industry, kicked off in Los Angeles yesterday, not long after the unofficial start of summer on Memorial Day. These events got me thinking about what many students might do with their free time over the next three months. I imagine that for legions of young PC gamers, this could mean hour after blissful hour spent honing their skills as a blacksmith and earning gold in their favorite online fantasy universe. You can bet cybercriminals are imagining the same thing, too – and banking on it.
In PC gaming, it used to be that hackers would seek to steal log-in information to take control of someone’s character for their own personal enjoyment. But they’ve figured out in-game currency translates into real-world money, and now many people log onto World of Warcraft or Lineage to find their account balances wiped to zero.
To help keep hackers out — and hopefully make their summer a little less lucrative – I’ve outlined the most common tactics for infection during gaming and how gamers (of all ages) can avoid them. read more…
Adware client tags you as its pitchman
Over the past week, someone has been spamming the file sharing site ThePirateBay.org with comments advertising a new “product” called BittorrentBooster. According to the site’s administrators, the spammer used a large number of fraudulently registered accounts to post the messages as feedback, attached to hundreds, possibly thousands, of downloadable .torrent files, which file-sharers use to initiate a peer-to-peer download session.
I decided to take a closer look, because the product’s claims — to be able to give file-sharers a massive speed boost during the “leeching” (or, downloading) phase of their torrent session — sounded pretty implausible. Impossible is more like it: The spammed ads for the product state, in characteristically broken English, it can help users “get your torrents download in 10 times faster!!”
The simple fact is, the amount of bandwidth available to you, network congestion, the number of people sharing a file, their bandwidth capabilities, and many other factors out of any individual PC’s control determine the download speed for a given torrent. No program can deliver a download performance increase of the scale promised by this product.
So, assuming the claims were snake oil, I took a closer look at what else the program was capable of. As it turns out, it’s a very capable delivery mechanism for advertising—in places I didn’t expect.
read more…
Facebook Miscreants Dealt a Temporary Smackdown
After more than a week of harassment by goofballs spamming links, Facebook users can breathe a sigh of relief that, for now, at least one source of trouble has been eradicated.
Last week’s worm-like spread of links to the mygener.im domain, and this week’s use of the ponbon.im and hunro.im domains to phish Facebook users’ credentials, have been a puzzling diversion from my normal malware analysis tasks. The mygener.im link that was spammed into Facebook accounts redirected users to a page hosted elsewhere that contained nothing but perplexingly obfuscated Javascript (with variables — shown at left — that appear to be comprised mostly of words in Latin) that, as far as I and other researchers here can tell, didn’t do anything at all.
But yesterday I decided that enough was enough, so I emailed the source of the .IM top-level domains — the Isle of Man domain name registry, nic.im — to ask what the heck was going on with all these .IM domains being used for malicious purposes. After all, as a result of the metric tons of malicious code and browser exploits I see that originate on Web sites registered in the .biz and .info top-level domains (TLD), I personally no longer have any confidence in a site registered under either of those TLDs. The big question in my mind was, is .IM on its way to becoming another lost cause?
As it turns out, .IM’s operators really jumped on the problem. The registry’s representative promptly replied to my messages, and the registry has suspended not only the three domains I’ve named, but twelve others I hadn’t heard of that were registered in the .IM TLD through the same intermediary and, in his words, “which we suspect were being used for malicious purposes.”
“We take the reputation of the IM registry seriously and police it to try and prevent events like this from arising,” he continues. “Where we can, we block users from registering via a variety of means and, in the main, this has to date been succesful [but] from time to time we have to make changes to our processes, and these events will act as a prompt to review them to see where we can tighten things up.”
So for now, Facebook users, breathe easy — until the bad guys find a domain registry willing to look the other way. And thank you, .IM, for showing us all how a responsible (and responsive) top-level domain NIC deals with criminals — by swiftly shutting them down.
Old Chinese Hack Tool Used for New Tricks
This week’s installment of what’s-old-is-new-again in the world of malware comes from one of the many groups making and distributing phishing Trojans in China. Earlier this year, someone discovered a hacktool called ZXArps, and began distributing it in earnest as a payload from another malicious downloader.
Unlike most malware we see these days, ZXArps (which dates back to 2006, and was discovered by the English-speaking security community the following year) isn’t designed to perform a single task. It’s more like a Swiss Army knife, giving its users a great deal of control over not only the computer on which it’s running, but the immediate network environment in which that computer sits.
In essence, the tool is designed to inject specially-crafted data packets into the network, and some of those packets can manipulate the behavior of the infected computer as well as others on its network. In most networks, a router or gateway acts as a sort of traffic cop, directing information between computers on that network and other networks, and to/from the Internet. The power of ZXArps comes from its ability to impersonate that traffic cop, fooling the network into directing traffic wherever the malware-maker wishes.
And in this case, infected PCs are directed to Web sites hosted in China which, when visited, infect the computer with even more malware. It’s a nasty trick, and it works beautifully. Read on for its damage potential. read more…
Malware targets mobile IMers
Once in a while, you don’t have to do anything at all and malware just drops into your lap. That happened to me the other day, when I received a buddy request from a total stranger in my decade-old ICQ instant messenger account. It’s never failed to be a rich source for malicious links, SPIM, and other fun stuff (that is, from a malware research perspective).
ICQ is a multi-lingual community, and this request was written in the Cyrillic alphabet. My client didn’t render it properly, so I couldn’t read the text of the come-on. But I could read the plain-ASCII URL that was linked at the bottom. So, curious, I took a look. The page looks pretty basic, with text (badly translated to English) which reads “There is my candid photos))do you will hear me on him?” and a link to download a file.
I’m a sucker for grammatically tortured social engineering, so I couldn’t resist. Yes, I thought to myself, I do will hear you on him.