French Authorities Talk Up Digital Investigations

October 1, 2010

This week in Troyes, France, the University of Technology hosted the fourth French-Speaking Days on Digital Investigations, designed for investigators, prosecuting attorneys, and legal experts in charge of fighting cybercrimes. All the participants in the congress were members of the AFSIN, the Francophone Association for Digital Investigation.

In addition to the usual presentations on improving the administration of these fields, various talks covered juvenile protection and the tools used to unmask pedophiles and prove their guilt.


(Source: Police Headquarters, Paris)

Investigating alleged cybercriminals is difficult work that often must be completed in 48 hours, the time that police can hold a suspect. The main problem is the amount of data that police must analyze.

On average, each suspect owns:

  • 5 hard disks
  • 140 CDs or DVDs
  • 17 floppy disks
  • 4 memory cards and USB sticks

When searching a home or office, finding USB drives is always a challenge. They can be concealed in a pen, a lighter, or many other hard-to-examine locations.

The records for a single business are sometimes staggering:

  • Up to 31 hard disks
  • 14 terabytes of data
  • 2.5 million pictures
  • 11,000 MSN Messenger contacts to investigate

Only a well-organized methodology, automation, and devotion to the cause can produce results. For security reasons, I cannot describe the characteristics of the police’s child-abuse image scanners, but I was impressed by the technology they use, which not only searches for precalculated hashes of known clean and “illegal” images but also, based on similarities, analyzes images and videos to find and group child sexual-abuse elements. With 200 legal actions in 2009 and 70 police arrests, these computers run 24 hours a day.

Another talk discussed Facebook investigations. They can run on three fronts:

  • By analyzing the data stored locally on the user’s computer (cookies and traces). These can be uncovered by searching Internet artifacts and by using forensic techniques.
  • By requesting that Facebook provide data stored on the server, with or without the user’s knowledge (for example, the IP address at account creation, IPs at connections, contacts, etc.). When requested via subpoena[@]facebook.com, responses have been positive on some occasions. Although Facebook’s Law Enforcement Guidelines document is confidential, many versions are available on the Internet.
  • By querying data deliberately left by the user. This information is visible in the public area, but above all it is accessible via a set of APIs and tools that include Facebook Query Language, the Graph API, and the old REST API. Using scripting languages, the searches can be automated.

With the Graph API, it is also possible to extract metadata for several photos that is not included in the tables. This is a very valuable feature for analyzing users or groups that store illegal photos.

I gave a talk on criminal searches using open sources, and recapped the methods McAfee used to investigate the business Innovative Marketing Ukraine.

We frequently read of the immense gap in cybersavvy between police forces and cybercriminals. The bad guys are way ahead of any attempt to stop them, some say. In Troyes, however, we saw that police investigations have changed and are much more sophisticated than in the past. Despite restricted budgets, law enforcement uses all possible modern equipment and works hand in hand with the security industry and the courts.


U.S. Arrests Zeus-Operating Cybercriminals

September 30, 2010

It looks like some of the recent success in taking down Zeus-using cybercriminals is coming to the United States. The FBI has recently announced that it has charged as many as 60 people and has arrested 10 as part of a global cyberfraud scam. Summaries of the incident can be found here, here, and here.

Zeus is one of the nastiest and most persistent pieces of malware we deal with. It steals banking logons, can act as a bot, and recently started targeting mobile devices, as well. Recently one of our McAfee Labs researchers, Chintan Shah, posted an excellent blog on the inner mechanisms of the Zeus Crimeware Toolkit; his article is definitely worth a read. You can also listen to a great AudioParasitics podcast episode in which my podcast-partner-in-crime Jim Walter and I discuss Zeus (also called Spy-Agent.bw).

If you are running any of our DAT-based security technologies and they are up to date, you are already enjoying excellent coverage against Zeus.

UPDATE (October 1)

It now seems that Ukrainian authorities have taken action against individuals with suspected involvement in the Zeus cybercrime and money laundering network. The Ukrainian contingent seems to be associated with the more technical aspects of the infrastructure. Read detailed accounts here and here.

Let’s keep those arrests and takedowns coming and take back our Internet!


Application-Based Control: the Future of Botnets?

September 29, 2010

During the last six years, botnets have become one of the biggest threats to security professionals, businesses, and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk, to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in botnets and social media:

  • Twitter-controlled bots are the most prevalent example of using social media to receive and execute bot commands
  • KreiosC2, though a proof-of-concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
  • Protocol standards such as XMPP, used for authentication, presence, and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The dangers of controlling a bot or botnet through an application such as Twitter cannot be overstated. Using widely adopted and deployed applications like Twitter to control a botnet effectively allows the attacker to hide in plain sight by using an application or website that is allowed on most desktops worldwide. There’s nothing to it: Log into a Twitter account from any of a variety of Twitter applications (I’ll use TwitScoop) and send an update:

Get Ready For DDoS Attack!!!

Then we send our command:

Attack Command Sent Through Twitter Baby!!

It really is as simple as that: decentralized, application-based control of one or many bots. Don’t try this at home: I ran this exercise from a private Twitter account with only one follower (my other Twitter account) in a research environment, so there was no danger!

The McAfee Labs research team has released a report that examines TwitterBots, KreiosC2, and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control, and attack.
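The command channel described above hides among ordinary traffic to an allowed site, so a defender looks for the one thing a polling bot cannot avoid: requests on a fixed schedule. The following Python script is an added example and is not McAfee’s or the report’s code; the proxy log format, the host name, the paths, the two workstation addresses and the thresholds are all constructed for the demonstration.

```python
"""Find fixed-cadence polling of an allowed web application in proxy logs.

Added example, not McAfee's code. Log format (constructed for this demo):
"<epoch_seconds> <src_ip> <host> <path>", one request per line.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _build_sample_log():
    """Construct an hour of traffic: one host polls a timeline endpoint about
    every 60 s with a little jitter (bot-like), another browses irregularly."""
    base = 1285750000
    lines = []
    for i in range(60):
        jitter = i % 3  # 0, 1, 2 seconds of drift, then repeat
        lines.append(f"{base + 60 * i + jitter} 10.0.0.5 api.twitter.com "
                     f"/1/statuses/user_timeline.json")
    for t in (0, 37, 190, 412, 433, 1020, 2048, 2060, 3300):
        lines.append(f"{base + t} 10.0.0.9 api.twitter.com "
                     f"/1/statuses/home_timeline.json")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Yield (timestamp, src, host, path) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, host, path = parts
        yield int(ts), src, host, path


def find_beacons(text, min_requests=20, max_cv=0.1):
    """Return {(src, host): (request_count, mean_interval_seconds)} for every
    source whose requests to a host arrive at a near-constant interval.
    The coefficient of variation (stdev / mean) of the inter-request gaps must
    be <= max_cv; both thresholds are assumptions to be tuned per environment."""
    times = defaultdict(list)
    for ts, src, host, _path in parse_log(text):
        times[(src, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = (len(stamps), avg)
    return beacons


if __name__ == "__main__":
    for (src, host), (count, interval) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {count} requests, one every ~{interval:.1f}s")
```

A person reading the same site produces irregular intervals and far fewer requests per hour, so only the scheduled poller clears both thresholds; in production the thresholds should be tuned against a baseline of the organization’s own proxy logs.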


Global Web 2.0 Report Released

September 27, 2010

Today, McAfee released a report based on a survey of more than 1,000 decision-makers about the use of Web 2.0 technology for business. The report reveals some interesting results (for example, who would have thought the United States is among the countries with the lowest adoption rate, and Germany is the country with the most companies not having policies governing the use of Web 2.0 in place?) and the unsurprising finding that security concerns are the greatest hindrance to adopting Web 2.0 and social networking.

Business leaders worldwide see the value of Web 2.0 in supporting productivity and driving new revenue, but they remain deeply concerned about security threats associated with deploying the technology. The survey of decision-makers in 17 countries found that half of businesses were concerned about the security of Web 2.0 applications such as social media, microblogging, collaborative platforms, web mail, and content-sharing tools. Sixty percent were concerned about loss of reputation as a result of Web 2.0 misuse. Six out of ten organizations have already suffered losses averaging US$2 million, for a collective loss of more than US$1.1 billion in security-related incidents last year. Brazil, Spain, and India led in adoption of Web 2.0 technology for business, while adoption was lowest in Canada, Australia, the United States, and the United Kingdom.

The report, “Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices,” commissioned by McAfee and authored by faculty affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University in Indiana, examines the drivers for Web 2.0 and social networking use in business and assesses their benefits and risks. Overall, the research highlights that although organizations see the potential value of Web 2.0 tools, decision makers continue to debate whether or how to allow employee usage of the technology in the workplace. “Web 2.0 technologies are impacting all aspects of the way businesses work,” said George Kurtz, chief technology officer for McAfee. “As Web 2.0 technologies gain popularity, organizations are faced with a choice: They can allow them to propagate unchecked, they can block them, or they can embrace them and the benefits they provide while managing them in a secure way.”

Key Report Findings:

  • Web 2.0 adoption rates vary across countries. Overall, Web 2.0 adoption rates are high, reaching 90 percent or above in Brazil, Spain, and India. Adoption is lowest in the United States, United Kingdom, Australia, and Canada.
  • New revenue streams are the highest driver of Web 2.0 adoption. Three out of four organizations reported that expanded use of Web 2.0 technologies creates new revenue streams, while 40 percent said the tools have boosted productivity and enhanced effective marketing strategies.
  • Security is the leading concern. Half of respondents named security as their primary concern for Web 2.0. One-third identified fear of security issues as the main reason Web 2.0 applications are not used more widely in their businesses. Companies’ top four perceived threats from employee use of Web 2.0 are malicious software (35 percent), viruses (15 percent), overexposure of information (11 percent), and spyware (10 percent).
  • Reputation damage is the biggest business consequence. Sixty percent of companies reported that the most significant consequence from inappropriate Web 2.0 and social media usage is loss of reputation, brand, clients, or confidence. One-third of respondents reported unplanned investments related to workarounds related to social media in the workplace. Fourteen percent of organizations reported litigation or legal threats caused by employees disclosing confidential or sensitive information, with more than 60 percent of those threats caused by social media disclosures.
  • Many businesses block Web 2.0 rather than put policies in place. Worldwide, 13 percent of organizations block all Web 2.0 activity, while 81 percent restrict the use of at least one Web 2.0 tool because they are concerned about security. Yet almost one-third of organizations reported that they do not have any social media policy in place. A quarter of organizations monitor how staff use social media and 66 percent have introduced social media policies, 71 percent of which use technology to enforce them.

Executives and industry experts who contributed to the research agreed that successful organizational use of Web 2.0 is a complex balancing act. Enterprises must analyze business challenges and opportunities while mitigating the risks and ensure staff training and robust technologies are in place to avoid cyberattacks.

“Web 2.0 and social networking technologies can be used effectively for business,” said Eugene H. Spafford, founder and Executive Director of CERIAS. “But to reap the benefits of Web 2.0, organizations must be proactive about understanding and managing the challenges. That involves putting the right policies in place, and deploying the technology that can enforce those policies.”

McAfee will host a webcast, “Bridging the Web 2.0 Security Gap,” on October 6 at 2 p.m. Eastern time, with Chenxi Wang of Forrester Research. This webcast will cover a recent Forrester Web 2.0 security trends study commissioned by McAfee. The session will help educate enterprise users on protecting their businesses while successfully using Web 2.0 technologies.

“Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices” is available for download at www.mcafee.com.


Stuxnet Update

September 25, 2010

Stuxnet has received a lot of attention since McAfee first blogged about it in July. This post will answer some of the frequently asked questions we’ve received.

Q: What is Stuxnet?
A: Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also uses a rootkit to conceal its presence, as well as two stolen digital certificates. Additional information is provided in the McAfee Virus Information Library.

Q: When did it first appear and where was it first reported?
A: The threat was discovered in July, but is believed to have been released a year before. McAfee Global Threat Intelligence (GTI) File Reputation first became aware of Stuxnet components starting in January and several File Reputation detections took place before Stuxnet became widely known in July (Artemis!97FD438F25A4, Artemis!4589EF6876E9, Artemis!CC1DB5360109). Early telemetry showed the highest concentration in the Middle East.

Q: What is McAfee’s product coverage for the threat?
A: There are many aspects to Stuxnet, including two recently patched vulnerabilities, and two yet-to-be patched privilege-escalation vulnerabilities. Coverage of the two announced vulnerabilities follows:

CVE-2010-2568

Product: Coverage
DAT FILES: Coverage for known exploits is provided as “Stuxnet” and “Exploit-CVE2010-2568” in the current DATs. Updated coverage is provided as Downloader-CJX.gen.g in the 6057 DATs, released July 28.
VIRUSSCAN ENTERPRISE BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of December 29, 2005, includes the signature “SMTP: Suspicious .Lnk Attachment Found.” The sigset releases of July 20 include the signatures “HTTP: Windows Shell Shortcut LNK File Parsing Vulnerability,” “HTTP: lnk File Download Detected,” and “NETBIOS-SS: lnk File Access Detected.” All four provide coverage.
VULNERABILITY MANAGER: The FSL/MVM package of July 16 includes a vulnerability check to assess whether your systems are at risk.
WEB GATEWAY: Coverage for known exploits is provided as “Stuxnet,” “Downloader-CJX.gen.g,” and “Exploit-CVE2010-2568” in the current Gateway Anti-Malware Database update.
REMEDIATION MANAGER: The V-Flash of July 23 contains a remedy for this issue.
FIREWALL ENTERPRISE: Partial coverage is provided via the McAfee Firewall Enterprise’s TrustedSource component, which will filter or block URLs associated with known exploits and malware. Detection for known exploits (and malware variants) is available via the anti-virus component of McAfee Firewall Enterprise.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

CVE-2010-2729

Product: Coverage
DAT FILES: Out of scope
VIRUSSCAN ENTERPRISE BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Signature 2272, “Possible Print Spooler Service Impersonation Attempt Detected,” provides coverage for code-execution exploits. The sigset release of September 14 includes the signature “NETBIOS-SS: Microsoft Windows Print Spooler Service Impersonation Vulnerability,” which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of September 14 includes a vulnerability check to assess whether your systems are at risk.
REMEDIATION MANAGER: An upcoming V-Flash will contain a remedy for this issue.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Coverage of the malware itself:

Stuxnet

Product: Coverage
DAT FILES: Initial coverage of “Stuxnet” was included in the 6045 DAT files, released July 16. Expanded coverage was last updated in the 6053 DAT release of July 24. Rootkit components will be detected as “Generic Rootkit.d.”
WEB GATEWAY: Coverage is provided as “Stuxnet” in the current Gateway Anti-Malware Database update.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Product coverage information has been previously communicated through the free McAfee Labs Threat Advisory service and Virus Information Library.

Q: How does McAfee Global Threat Intelligence (GTI) help protect me against this threat?
A: McAfee GTI File Reputation can identify and block all malware files associated with the Stuxnet worm. In addition, GTI Web Reputation and Network Connection Reputation prevent outbound connectivity to Stuxnet’s command servers, which are used for uploading confidential SCADA data collected by Stuxnet malware from industrial-control systems.

Q: If I have discovered a file identified as Stuxnet on my computer or in my environment, does that mean I was targeted by the creators of the threat?
A: Not necessarily, for a couple of reasons:

  1. Although Stuxnet targeted SCADA systems, it also spread through removable media, such as USB devices, via a previously unknown Windows vulnerability, allowing nontargeted systems to be a carrier of the virus. Thousands of McAfee consumer product users have reported binaries that were intended to target systems running Siemens industrial-control systems.
  2. Once the Stuxnet attack vector became known, unrelated attackers started exploiting the same vector. Generic detection signatures can overlap with the initial attack such that other attacks are detected under the Stuxnet name. Although McAfee chose to name generic signatures separately from the signature detecting the original attack binaries, other vendors may not have done so. More than 1,000 binaries have been flagged by various vendors as Stuxnet over the past few months.

Tune in later for additional Stuxnet-related information.


Zeus Crimeware Toolkit

September 20, 2010

The Zeus botnet has been in the wild since 2007 and is among the top botnets active today. This bot has a remarkable and rarely observed means of stealing personal information: it infects users’ computers and captures all the information entered on banking sites. Apart from stealing passwords, this bot has a variety of methods for stealing identities and controlling victims’ computers.

Over the years Zeus has been released in a lot of versions, adding or changing functionality, and is highly flexible in its configuration. So this is just a snapshot of one version (1.2.7.19), giving an overview of its functionality.

In the first part of this blog I will disclose the process involved in building and distributing a Zeus botnet in the wild. In the second part, I will discuss how Zeus captures personal information by injecting code dynamically, and finally I’ll offer some thoughts on command and control.

Zeus serves as a heads-up for all those who believe that banking transactions over HTTPS can never be intercepted.

Zeus builder toolkit

I’ve been busy researching how Zeus is built and distributed in the wild. It has been a pretty high-profile botnet since it was discovered, due to its high rate of infections. During our research activity I was able to get hold of a Zeus builder toolkit. It was priced at US$700 to $1,500 at the time; a few months later, a free version of this toolkit was made public.

Building and Configuring Zeus Bot

The process of building and configuring the Zeus bot requires just a couple of steps.

Step 1) Configuration specification:

Specifying all the static configuration parameters in the configuration file.

[Image: Zeus builder]

The “edit config” button will allow you to enter various parameters to control the botnet, as described below.

timer_logs: Time interval for uploading the logs to the server
timer_stats: Time interval for uploading infection statistics to the server
url_config: Server URL for fetching the config file
url_compip: Server URL for reporting the victim
encryption_key: Encryption key used to encrypt the config file
url_loader: URL for fetching the latest version of zeus.exe
url_server: Command and control server
file_webinjects: Name of the file containing the HTML web-injection code
AdvancedConfigs: URL for fetching the backup config file
WebFilters: Masked list of URLs that should be monitored for capturing login credentials
WebDataFilters: List of URLs that should be monitored for specific string matches. If a pattern such as “Passw” or “login” is matched, the data is captured and sent to the C&C server, e.g., “http://mail.rambler.ru/*” “passw;login”
WebFakes: URLs that should be redirected to fake websites
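The WebFilters and WebDataFilters parameters take URL masks, and the decrypted config later in this post shows entries such as !*.microsoft.com/*, @*/login.osmp.ru/* and https://www#.usbank.com/..., so an analyst triaging a decrypted configuration needs a matcher for that notation. The following Python snippet is an added example, not code from the toolkit or from McAfee. It assumes that * matches any run of characters, that # matches exactly one character, that a leading ! marks an exclusion entry and a leading @ an entry with special capture handling, and that the first matching entry wins; none of these semantics are stated in the post, so treat them as assumptions to verify against a real sample.

```python
"""Match URLs against Zeus-style WebFilters masks from a decrypted config.

Added example for triaging a decrypted Zeus configuration; not code from the
toolkit or from McAfee. Assumed mask semantics (not spelled out in the post):
'*' matches any run of characters, '#' matches exactly one character, a leading
'!' marks an exclusion entry, a leading '@' marks an entry with special capture
handling, and the first matching entry wins. Matching is case-insensitive.
"""
import re

# Constructed sample in the style of the decrypted config shown in the post.
SAMPLE_WEBFILTERS = [
    "!*.microsoft.com/*",
    "!http://*myspace.com*",
    "@*/login.osmp.ru/*",
    "https://banking.*.de/cgi/ueberweisung.cgi/*",
    "https://www#.usbank.com/internetBanking/LoginRouter",
    "https://www.mybank.com/loginform.asp",
]


def parse_mask(entry):
    """Split one config line into (kind, compiled_regex).
    kind is 'exclude' for a '!' prefix, 'special' for '@', else 'monitor'."""
    kind = "monitor"
    if entry.startswith("!"):
        kind, entry = "exclude", entry[1:]
    elif entry.startswith("@"):
        kind, entry = "special", entry[1:]
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")          # any run of characters (assumed)
        elif ch == "#":
            parts.append(".")           # exactly one character (assumed)
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return kind, re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def classify_url(url, entries):
    """Return (kind, mask) for the first entry matching url, or None."""
    for entry in entries:
        kind, regex = parse_mask(entry)
        if regex.match(url):
            return kind, entry
    return None


def triage(urls, entries):
    """Map each URL (e.g. a list pulled from proxy logs) to its classification."""
    return {url: classify_url(url, entries) for url in urls}


if __name__ == "__main__":
    for url, verdict in triage([
        "http://www.microsoft.com/en/download",
        "https://www4.usbank.com/internetBanking/LoginRouter",
        "https://example.org/",
    ], SAMPLE_WEBFILTERS).items():
        print(url, "->", verdict)
```

Run against the URL list from a decrypted config and a day of proxy logs, the triage output tells an analyst which of the organization’s users visited a monitored site while infected, which is the first question an incident responder asks after a Zeus detection.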

TANGrabber:

TAN (Transaction Authentication Number) Grabber is a Zeus feature that allows the bot master to specify the banking sites to monitor and the specific patterns to search for in the transaction data posted to the bank websites. Zeus will match these specified data patterns, capture them, and post them to the C&C server. The bot master can enter other banking sites here, and Zeus will add them to the final encrypted configuration file when the “Build config” button is clicked.
I entered the fake banking URL in the config file below, marked in red, just to check its presence when the encrypted configuration file is built.

Step 2) Building an encrypted configuration file

Let’s have a look at what happens when we press the “Build config” button. The toolkit will build the final encrypted configuration file with an option to save it. This configuration file is then uploaded by the bot master to the C&C server.

[Image: Zeus builder 1]

Step 3) Building the bot executable

The bot master can build the Zeus executable with the “Build loader” button option.

[Image: Zeus builder 2]

Zeus Network Communications

When the bot is executed in a virtual machine, initially it communicates over HTTP and sends a GET request to the command and control server to retrieve the configuration file. The server replies with the requested configuration file. This request is made repeatedly on the basis of the timer value configured in the configuration file.

[Image: Zeus builder 3]

The bot sends the information of the infected computer to the control server according to the “url_server” parameter specified in the configuration file.

[Image: Zeus builder 4]

One interesting observation

Upon closer analysis of the Zeus network communications, we have come across an interesting similarity between the GET response from the server and the next POST request sent by the bot.

For sample 1:
[Image: Zeus builder 5]

For sample 2:
[Image: zb6]

As observed above, we see this similarity in the initial part of the GET response from the server and the POST request from the bot, starting at the third byte after the HTTP header ends. We have made similar observations with the older versions of the Zeus bot. This consistent trait is something we can use to implement generic detection for this bot on a network gateway!
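To turn the observation above into a check a gateway could run, the following Python code is an added example (not McAfee’s detection code): it takes the raw GET response from the server and the bot’s subsequent POST request, strips the HTTP headers, and compares the bodies starting at the third byte (offset 2). The 16-byte comparison window and the sample messages are constructed for the demonstration and are not taken from real Zeus traffic.

```python
"""Flag a GET response / POST request pair that share the same bytes from the
third byte after the HTTP headers onward.

Added example built on the observation in the post; not McAfee's detection
code. The 16-byte window and all sample messages are constructed for the demo.
"""

HEADER_END = b"\r\n\r\n"


def http_body(raw):
    """Return the body of a raw HTTP message (everything after the first blank line)."""
    idx = raw.find(HEADER_END)
    return b"" if idx < 0 else raw[idx + len(HEADER_END):]


def shared_bytes_after_offset(first, second, offset=2, window=16):
    """True when both byte strings carry identical bytes at [offset, offset+window)."""
    a = first[offset:offset + window]
    b = second[offset:offset + window]
    return len(a) == window and a == b


def is_suspicious_pair(get_response, post_request, window=16):
    """Apply the check to a server response and the client's next POST.
    offset=2 is 'the third byte after the HTTP header ends' from the post."""
    return shared_bytes_after_offset(http_body(get_response), http_body(post_request),
                                     offset=2, window=window)


# Constructed samples. The bot pair repeats an opaque blob from byte 3 onward;
# the benign pair is an ordinary page load followed by a form submission.
_BLOB = bytes(range(0x41, 0x41 + 16))
BOT_GET_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                    + b"\x01\x02" + _BLOB + b"\x99" * 8)
BOT_POST_REQUEST = (b"POST /gate.php HTTP/1.1\r\nHost: 172.16.230.183\r\n\r\n"
                    + b"\x7f\x7e" + _BLOB + b"\x00" * 8)
BENIGN_GET_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       b"<html><body>hello</body></html>")
BENIGN_POST_REQUEST = (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
                       b"name=alice&q=search+terms")

if __name__ == "__main__":
    print("bot pair suspicious:", is_suspicious_pair(BOT_GET_RESPONSE, BOT_POST_REQUEST))
    print("benign pair suspicious:",
          is_suspicious_pair(BENIGN_GET_RESPONSE, BENIGN_POST_REQUEST))
```

A gateway would pair each response with the next POST from the same client to the same server; bodies shorter than the window are never flagged, which keeps empty responses and tiny form posts out of the alert stream.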

HTML injection on SSL-secured banking transactions

As banking websites evolved, they added an extra layer of security to mitigate keystroke-logging attacks. On the other hand, continuously evolving malware has also come out with new techniques to bypass these security measures and steal login credentials. Password-stealing botnets such as Zeus now use HTML code-injection techniques, whereby a bot on the infected computer injects HTML code into the legitimate web pages of the banking site to request additional personal information not required for the transactions. This lures users into entering more credentials than required. These are captured by the bot and posted to the Zeus bot master’s command and control server.

Before injecting into HTML pages, the targeted site looks like this:
[Image: zb8]

After injecting into HTML pages, the same targeted site looks like this:
[Image: zb9]

This shows even forms that are supposed to be HTTPS encrypted can be manipulated by a bot to entice the user into typing arbitrary amounts of personal information, which can be captured (using key logging) and sent off to the C&C master.

Heuristic detection for web injection activity:

Another technique that can be used is detecting the difference in the HTML form fields. The idea is to detect a change in the number of HTML form fields between the page served when the banking site is accessed and the data posted back to the server. This can be detected on the network gateway. In the case of Zeus, because the banking sites are accessed over HTTPS, the perimeter device needs to be armed with SSL man-in-the-middle functionality to detect this form of network traffic.
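The following Python code is an added example of the form-field heuristic just described, not McAfee’s gateway implementation. It collects the named controls in the login form the bank served and compares them with the parameters in the client’s POST body (the gateway view), and it also shows the host view, comparing the served page with the page after injection. The HTML pages and POST bodies are constructed for the demonstration.

```python
"""Form-field delta heuristic for HTML injection.

Added example, not McAfee's gateway code. Compares the named fields in the
login form the bank served with the fields the client later posts; fields the
server never asked for point to injected HTML. Pages and bodies are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormFieldCollector(HTMLParser):
    """Collect the `name` attribute of every <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:  # unnamed controls (e.g. a bare submit button) are never posted
                self.fields.add(name)


def served_fields(html):
    """Names of the form controls present in a page."""
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields


def posted_fields(body):
    """Names of the parameters in an application/x-www-form-urlencoded body."""
    return set(parse_qs(body, keep_blank_values=True))


def unexpected_fields(served_html, post_body):
    """Gateway view: fields in the POST that the server never served."""
    return posted_fields(post_body) - served_fields(served_html)


def injected_fields(served_html, rendered_html):
    """Host view: controls present in the rendered page but not in the served one."""
    return served_fields(rendered_html) - served_fields(served_html)


# Constructed sample: a two-field login form, and the same form after a bot
# injected two extra questions. The gateway only ever sees ORIGINAL_PAGE.
ORIGINAL_PAGE = """<form action="/login" method="post">
<input name="user"><input name="pass" type="password"><input type="submit">
</form>"""
INJECTED_PAGE = ORIGINAL_PAGE.replace(
    '<input type="submit">',
    '<input name="atm_pin"><input name="card_number"><input type="submit">')
NORMAL_POST = "user=alice&pass=s3cret"
INJECTED_POST = "user=alice&pass=s3cret&atm_pin=1234&card_number=4111111111111111"

if __name__ == "__main__":
    print("normal submission, unexpected fields:", unexpected_fields(ORIGINAL_PAGE, NORMAL_POST))
    print("victim submission, unexpected fields:", unexpected_fields(ORIGINAL_PAGE, INJECTED_POST))
    print("fields injected on the host:", injected_fields(ORIGINAL_PAGE, INJECTED_PAGE))
```

The gateway variant needs the served page and the later POST for the same session, so the device must retain the decrypted response until the form is submitted; legitimate sites that add fields with client-side JavaScript will also trip the check, which is why the heuristic is best scoped to the login and transfer URLs that the config file shows Zeus targets.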

Intercepting mouse clicks and capturing virtual keyboard screenshots

Banking websites have come up with the virtual keyboard technique to mitigate keystroke-logging attacks. Zeus counters this security feature by capturing a screenshot on each mouse click. Each click is intercepted and a screenshot captured and sent to the drop server, where the screenshots are combined sequentially to extract the entered password, as shown below.

[Image: zb10]

Analysis of the decrypted configuration file

Once a machine is infected with the Zeus bot, you can use the Zeus decoder tool available here to decrypt the encrypted config file.

Let’s take a look at the decrypted config file. We see the HTML injection code that this bot has added into it.

http://172.16.230.183/bt.exe
http://172.16.230.183/gate.php
!*.microsoft.com/*
!http://*myspace.com*
https://www.gruposantander.es/*
!http://*odnoklassniki.ru/*
!http://vkontakte.ru/*
@*/login.osmp.ru/*
@*/atl.osmp.ru/*
https://banking.*.de/cgi/ueberweisung.cgi/*
*&tid=*
*&betrag=*
https://internetbanking.gad.de/banking/*
KktNrTanEnz
https://www.citibank.de/*/jba/mp#/SubmitRecap.do
SYNC_TOKEN=*
https://www.mybank.com/loginform.asp

(Fake banking URL that I added while building the config file.)

HTML injection code in the config file:

[Image: zb11]

The following is an abbreviated list of the banking sites targeted by this bot; it is found in the decrypted configuration file.

https://online.wellsfargo.com/signon*

https://www.paypal.com/*/webscr?cmd=_account

https://www.paypal.com/*/webscr?cmd=_login-done*

https://www#.usbank.com/internetBanking/LoginRouter

https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*

https://www#.citizensbankonline.com/*/index-wait.jsp

https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx

https://www.suntrust.com/portal/server.pt*parentname=Login*

https://www.53.com/servlet/efsonline/index.html*

https://web.da-us.citibank.com/*BS_Id=MemberHomepage*

https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary

https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService

https://resources.chase.com/MyAccounts.aspx

https://bancaonline.openbank.es/servlet/PProxy?*

https://extranet.banesto.es/*/loginParticulares.htm

https://banesnet.banesto.es/*/loginEmpresas.htm

https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*

https://www.gruposantander.es/bog/sbi*?ptns=acceso*

https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html

https://www.bancajaproximaempresas.com/ControlEmpresas*

https://www.citibank.de*

https://probanking.procreditbank.bg/main/main.asp*

https://ibank.internationalbanking.barclays.com/logon/icebapplication*

https://ibank.barclays.co.uk/olb/x/LoginMember.do

https://online-offshore.lloydstsb.com/customer.ibc

https://online-business.lloydstsb.co.uk/customer.ibc

https://www.dab-bank.com*

http://www.hsbc.co.uk/1/2/personal/internet-banking*

https://www.nwolb.com/Login.aspx*

https://home.ybonline.co.uk/login.html*

https://home.cbonline.co.uk/login.html*

https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do

https://welcome23.smile.co.uk/SmileWeb/start.do

https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*

https://www2.bancopopular.es/AppBPE/servlet/servin*

https://www.bancoherrero.com/es/*

https://pastornetparticulares.bancopastor.es/SrPd*

https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm

https://www.caja-granada.es/cgi-bin/INclient_2031

https://www.fibancmediolanum.es/BasePage.aspx*

https://carnet.cajarioja.es/banca3/tx0011/0011.jsp

https://www.cajalaboral.com/home/acceso.asp

https://www.cajasoldirecto.es/2106/*

https://www.clavenet.net/cgi-bin/INclient_7054

https://www.cajavital.es/Appserver/vitalnet*

https://banca.cajaen.es/Jaen/INclient.jsp

https://www.cajadeavila.es/cgi-bin/INclient_6094

https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp

http://caixasabadell.net/banca2/tx0011/0011.jsp

https://www.caixaontinyent.es/cgi-bin/INclient_2045

https://www.caixalaietana.es/cgi-bin/INclient_2042

https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp

https://areasegura.banif.es/bog/bogbsn*

https://www.bgnetplus.com/niloinet/login.jsp

https://www.caixagirona.es/cgi-bin/INclient_2030*

https://www.unicaja.es/PortalServlet*

https://www.sabadellatlantico.com/es/*

https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login

https://www.cajabadajoz.es/cgi-bin/INclient_6010*

https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm

https://montevia.elmonte.es/cgi-bin/INclient_2098*

https://www.cajacanarias.es/cgi-bin/INclient_6065

https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1

https://www.gruppocarige.it/grps/vbank/jsp/login.jsp

https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp

https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp

https://hb.quiubi.it/newSSO/x11logon.htm

https://www.iwbank.it/private/index_pub.jhtml*

https://web.secservizi.it/siteminderagent/forms/login.fcc

https://www.isideonline.it/relaxbanking/sso.Login*
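The masks in the target list above use `*` (and, in one entry, `#`) as wildcards, so a plain string comparison of a URL seen in proxy logs against the list will miss hits. The following Python is an added example, not code from this page or from the Zeus kit: it converts a handful of the masks listed above into anchored regular expressions and runs them over a few constructed proxy-log lines. It assumes the Zeus mask convention that `*` matches any run of characters and `#` matches exactly one character; the log lines, timestamps and client addresses are made up for the example.

```python
import re

# A few target masks copied from the Zeus configuration list above.
ZEUS_TARGET_MASKS = [
    "https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService",
    "https://www.citibank.de*",
    "https://ibank.barclays.co.uk/olb/x/LoginMember.do",
    "https://www.nwolb.com/Login.aspx*",
    "https://extranet.banesto.es/*/loginParticulares.htm",
    "https://www.gruposantander.es/bog/sbi*?ptns=acceso*",
]


def mask_to_regex(mask):
    """Translate a Zeus-style URL mask into an anchored, case-insensitive regex.

    Assumption (Zeus mask convention): '*' matches any run of characters,
    including none; '#' matches exactly one character. Every other character
    is matched literally, so '?' and '.' in the mask are escaped.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


_COMPILED = [(m, mask_to_regex(m)) for m in ZEUS_TARGET_MASKS]


def matching_masks(url):
    """Return every mask in the config that the given URL satisfies."""
    return [m for m, rx in _COMPILED if rx.match(url)]


# Constructed proxy-log lines (not real traffic): timestamp, client, URL.
SAMPLE_PROXY_LOG = """\
2010-09-02T10:15:01Z 10.0.0.17 https://onlinebanking2.wachovia.com/myAccounts.aspx?referrer=authService
2010-09-02T10:15:09Z 10.0.0.17 https://www.citibank.de/de/privatkunden/index.html
2010-09-02T10:16:44Z 10.0.0.23 https://ibank.barclays.co.uk/olb/x/LoginMember.do
2010-09-02T10:17:02Z 10.0.0.23 https://www.nwolb.com/Login.aspx?refererident=1
2010-09-02T10:18:30Z 10.0.0.31 https://onlinebanking12.wachovia.com/myAccounts.aspx?referrer=authService
2010-09-02T10:19:11Z 10.0.0.31 https://extranet.banesto.es/npage/loginParticulares.htm
2010-09-02T10:20:00Z 10.0.0.40 https://www.example.com/login
"""


def scan_proxy_log(text):
    """Return (client, url, mask) for each log line whose URL hits a config mask."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, url = fields
        for mask in matching_masks(url):
            hits.append((client, url, mask))
    return hits


if __name__ == "__main__":
    for client, url, mask in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} visited a Zeus-targeted URL: {url}  (mask: {mask})")
```

Note that `onlinebanking12.wachovia.com` does not match the `onlinebanking#.wachovia.com` mask because `#` stands for exactly one character; a loose `*` substitution would have produced a false positive there.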

Botnet Command and Control

This toolkit comes with a control panel that is typically used to track the botnet's infections. The panel is a PHP application that runs on a web server alongside the required database software (MySQL). It also lets the attacker remotely control the victims' computers and send them commands.

I opened one of the scripts that came with the toolkit and found that the bot can be given the following commands:

<?php
// Command table as found in the Zeus control panel script. The help strings are
// reproduced as they appear in the panel, including its own spelling mistakes.
$_COMMANDS_LIST = array
(
    'reboot'   => 'Reboot computer.',
    'kos'      => 'Kill OS.',
    'shutdown' => 'Shutdown computer.',
    'bc_add [service] [ip] [port]' => 'Add backconnect for [service] using server witn address [ip]:[port].',
    'bc_del [service] [ip] [port]' => 'Remove backconnect for [service] (mask is allowed) that use connection to [ip]:[port] (mask is allowed).',
    'block_url [url]'   => 'Disable access to [url] (mask is allowed).',
    'unblock_url [url]' => 'Enable access to [url] (mask is allowed).',
    'block_fake [url]'   => 'Disable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
    'unblock_fake [url]' => 'Enable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
    'rexec [url] [args]'  => 'Download and execute the file [url] with the arguments [args] (optional).',
    'rexeci [url] [args]' => 'Download and execute the file [url] with the arguments [args] (optional) using interactive user.',
    'lexec [file] [args]'  => 'Execute the local file [file] with the arguments [args] (optional).',
    'lexeci [file] [args]' => 'Execute the local file [file] with the arguments [args] (optional) using interactive user.',
    'addsf [file_mask...]' => 'Add file masks [file_mask] for local search.',
    'delsf [file_mask...]' => 'Remove file masks [file_mask] from local search.',
    'getfile [path]' => 'Upload file or folder [path] to server.',
    'getcerts'  => 'Upload certificates from all stores to server.',
    'resetgrab' => 'Upload to server the information from the protected storage, cookies, etc.',
    'upcfg [url]' => 'Update configuration file from url [url] (optional, by default used standard url)',
    'rename_bot [name]' => 'Rename bot to [name].',
    'getmff' => 'Upload Macromedia Flash files to server.',
    'delmff' => 'Remove Macromedia Flash files.',
    'sethomepage [url]' => 'Set homepage [url] for Internet Explorer.'
);

We found an interesting feature of this toolkit during the botnet building process: if the bot master accidentally infects his own computer, he can remove the bot with the “Remove spyware from this system” button. Too bad that command isn’t available to Zeus’ victims.


SpyPro Fake-Alert Malware Joins ‘Scareware’ Lineup

September 13, 2010

Social engineering is probably the most common technique for enticing unsuspecting victims into revealing information or buying something of no value. In the anti-virus world we often see malware authors use scare tactics to sell rogue anti-virus, or “fake alert,” software.

Rogue malware authors use various methods to fool victims into purchasing their products. Some of the most common:

  • Search poisoning: creating malicious web pages that rank at the top of search engine results for common search terms
  • Disguising the rogue software as a legitimate application, especially on peer-to-peer and IRC networks
  • Offering downloads that pose as legitimate software over the BitTorrent protocol

Over the last couple of days McAfee Labs has seen an increase in customer submissions of one variant of the fake-alert family, classified as FakeAlert-SpyPro.gen.ai. We describe the characteristic behavior of this variant in this post; a comprehensive description of the malware is also available in our Virus Information Library.

Once this malware runs on the local machine, it displays a warning that the computer is infected with various types of malware and that the user must click to clean it.

When the user clicks the warning, a window pops up and starts a fake scan of the computer. The scan reports a number of detections and warns the user that the system is infected. To “clean” the malware from the computer, the user must purchase the software from the website “antiv[removed].com”.

If left running, the software also uses Internet Explorer to open websites with pornographic content.

The fake-alert software also makes a number of changes to the Windows registry so that it loads at startup, and it disables the phishing filter in Internet Explorer. When the user attempts to run a legitimate executable, the malware pops up, claims the file is infected, and asks whether the user wants to run the “anti-virus” software to clean the infection.

Here are a few steps you can take to remove this malware or keep it at bay:

  • Ensure that a legitimate copy of anti-virus software is installed on the machine
  • Ensure that the software is updated regularly
  • Exercise caution when you click on links. Software such as SiteAdvisor (www.siteadvisor.com) can help because it distinguishes between safe and risky sites.
  • Do not be enticed by offers of commercial software for free, especially on P2P, IRC, or BitTorrent networks
  • Exercise caution when clicking links in emails that look suspicious, even if they appear to come from a known contact

How Much Does My Identity Cost? (the Sequel)

September 1, 2010

Two weeks ago I posted a blog entry about the counterfeiting of legal documents. Since then I have received many comments and requests for further data on this type of fraud from various Eastern European countries, from France, and even from the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide these services. At McAfee, as at most of our competitors, we almost never disclose dangerous URLs except to researchers in the business and to law enforcement agencies. In many cases we also do some internal testing to avoid infection or compromise. When I wrote my blog entry the URL was clean (no malware, no iframe), but that can change, especially if its owners learn it will be visited by many inquisitive people.

The next question concerned the counterfeiters’ nationalities. No doubt they are Russian speakers.

Another request concerned how abundant these offers are. The site I visited actually carried a competitor blacklist of a dozen or so “disreputable” companies. As they were all limited to driver’s licenses, I extended my investigation to passports. It was not difficult to find other offers with more attractive prices: less than US$1,000 instead of the US$4,000 to $5,000 asked by the first one.

In this last offer I noted the availability of diplomatic passports (price on request).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject. You first have to contact them via anonymous mailing services (they specify: “no ICQ, no SMS, no phone call”). However, I discovered another offer with details about how to place an order.

Finally, some people wanted to know whether these sites offer other materials or services. Some of them sell carding equipment to read and write magnetic cards, but the prices were exorbitant: between US$9,000 and $11,000, even though many of these devices can be found on Amazon or eBay for $500. Proving the relevance of our earlier advice about what you toss into your household trash, one site offers fake French EDF (the national electricity company) and British Telecom utility bills for £10. (In Europe we frequently use these documents as proof of address.)

Even the envelope is supplied! Seemingly unimportant pieces of paper can interest today’s cybercriminals.


Zeus Botnet Attacks via FedEx Scam

September 1, 2010

Yesterday we discovered a new Zeus campaign.

Most of the messages in the new spam campaign are linked to the Asprox botnet. This time the lure is FedEx: most of the attachments are named either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. These attachments are detected as the Bredolab Trojan, which then downloads the Zeus component.

This Zeus variant has its control host at hxxp://x5vsm5.ru but also downloads from hxxp://trachsel.biz.

These samples target a large number of banks outside the United States. We still see the usual U.S. targets…

  • Citibank
  • Comerica
  • USBank
  • WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

  • Neue Bank (Liechtenstein)
  • Arab Bank
  • MyBank (Taiwan)
  • BHI Bank (United Kingdom)
  • NPBS (United Kingdom)
  • Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus going global.

