Peering Into the Storm Worm

October 1, 2010

[October 5 update at end of file]

The Storm worm marked its presence in early 2007 and became an infamous robot network primarily known for its spamming and phishing activities. Also known as Nuwar/Zhelatin/FakeAV/Peacomm, this bot reappeared early this year, distributed by fake AV software and Trojan downloaders. Storm is a major botnet when compared with many other spamming bots, due to the massive volumes of spam it sends from the victim’s machine. It also uses a fast-flux mechanism to hide its distribution areas. During our static analysis of the Storm executable, we observed it to be heavily obfuscated with an unknown packer and an infinite loop to halt its activity whenever it detects a debugging or virtual machine environment.

Storm’s spam campaign activity includes a variety of spam, most of it related to online pharmacy scams and adult products. To propagate, the botnet’s spam also carries malicious links to URLs that exploit several client-side vulnerabilities.

Our analysis of Storm confirmed and uncovered some of its unique characteristics, which help network intrusion prevention systems implement reliable detection of Storm’s control activity.

Static Analysis of the Storm Worm
We looked inside the variant we received in April 2010. The sample begins with several decryption routines: the binary first moves 0x5090 bytes to the heap and then executes the decryption routines to unpack itself in stages.

sw1, sw2: disassembly of the heap copy and the staged decryption routines

After a complete execution of the loop, the binary is moved to the heap section and then decrypted:

sw3: disassembly of the decrypted binary in the heap
This executable then copies itself as asam.exe into c:\windows, modifies the registry key to execute at Windows start-up, creates the asam.exe process, and terminates itself.

sw4: disassembly of the asam.exe drop, registry modification and process creation
Analysis of the HTTP Communications Code Within the Dropped File asam.exe

We reverse-engineered this Storm file and came across some of the unique characteristics of its control channel, which is based on base64-encoded, gzipped HTTP data. The code snippets below reveal our analysis of its HTTP communications.

URI Extensions in the POST Request
Hard-coded URI extensions and the URI length that is used in the POST request initiated by Storm:
sw5: disassembly of the hard-coded URI extensions and URI length
Random Generation Functions to Form the URI Request Path

The next code snapshot shows the random character-generation function, which produces three random alphabetical characters and appends a “.” to form the request URI path. The function is then called again to pick one of the extensions .jpg, .htm, or .gif, which is appended to the previously generated path to complete the URI:
sw6: disassembly of the random character-generation function
HTTP POST Request Header

These are the low-level details of how the POST request will look when the worm is executed on the machine:
sw8: disassembly of the POST request header construction
As we figured out from the code above, this variant communicates with the bot master via an HTTP POST request. In examining the POST request code, another clue is the possible typo in the user-agent header, in which it is set to “Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1).” (Note “Windoss” instead of Windows. This is a very good hint that Storm is in action; intrusion prevention systems can use this hint to detect Storm on the wire.) The botnet server then responds with the spam template used by the bot to send the spam.

sw9, sw10: base64-encoded response from the botnet server

All the preceding data from the server is base64 encoded. After decoding the response from the server, we found the following spam template:

sw11: decoded spam template

Once the bot client decodes this data, it uses the following looped SMTP engine code to send spam mails based on the spam template.

sw12, sw13: disassembly of the looped SMTP engine

Let’s take a look at one of the spam mails generated by this bot:

sw14: spam mail generated by the bot

More Uncovered Commands

Early variants of this bot had different components and separate binaries for carrying out specific commands; yet the one we analyzed seems to have all the control code embedded inside the single component. As seen in the code below, we found the downloader component, which downloads additional malware onto the system, and the updater component, which downloads the latest copy of the bot executable. Once any of these commands are detected in the server response, the bot allocates the heap to store the received data.

sw15: disassembly of the downloader and updater command handling

Scanning the Drive for Files
Storm also includes a routine to scan the drives for files with the following extensions:

    .wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .win, .cgi, .mht, .dhtm, .jsp, .dat, .lst

It also searches for particular strings within these files, probably to extract the information about the host and email addresses contained in them:

    @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free -av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp., noreply, local, root@, postmaster@

Detecting Storm Worm on the Wire
The majority of mail traffic over the Internet is spam. We need to detect these spam bots and try to keep them from proliferating. Our analysis provides good hints for detecting Storm traffic on the network. One high-confidence approach would be to correlate multiple suspicious events happening on the network within a short time. One example is a user-agent check for the typo we saw; we can correlate this with the multiple outbound DNS MX queries from the same source within a short time. An even more reliable detection would be to correlate those two events with a spontaneous increase in the outbound SMTP connections from the source. By following up on these hints we can increase our ability to detect Storm at the network gateway.
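As an added illustration of the correlation just described (this is example code written for this page, not code from the original post or from McAfee), the following Python detector applies the hints from the analysis over constructed log lines: the “Windoss” User-Agent typo, the POST path shape produced by the URI-generation routine (three letters, a dot, then .jpg, .htm or .gif), a burst of outbound DNS MX queries, and a burst of outbound SMTP connections from the same source within a short window. The log format, the thresholds, the window size and the sample IP addresses are all assumptions made for the example.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the analysis above.
STORM_UA_MARKER = "Windoss"  # typo in the hard-coded User-Agent string
# Request path: three random alphabetical characters, ".", one of three extensions.
STORM_URI_RE = re.compile(r"^/[A-Za-z]{3}\.(?:jpg|htm|gif)$")

# Thresholds and window are assumptions for illustration; tune them per network.
MX_BURST = 5          # outbound MX queries from one source within WINDOW
SMTP_BURST = 10       # outbound port-25 connections from one source within WINDOW
WINDOW = timedelta(seconds=60)

# Assumed log format: "<ISO timestamp> <src ip> <http|dns|conn> <details>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>http|dns|conn) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, kind, rest); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["kind"], m["rest"]


def max_events_in_window(times, window=WINDOW):
    """Largest number of timestamps inside any interval of length `window`."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        best = max(best, bisect_right(times, start + window) - i)
    return best


def analyse(log_text):
    """Correlate the indicators per source; returns {src: {...,"verdict": str}}."""
    ua_hits, uri_hits = defaultdict(bool), defaultdict(bool)
    mx_times, smtp_times = defaultdict(list), defaultdict(list)
    sources = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, src, kind, rest = parsed
        sources.add(src)
        if kind == "http":
            method, path, ua = rest.split(" ", 2)
            ua_hits[src] |= STORM_UA_MARKER in ua
            uri_hits[src] |= method == "POST" and bool(STORM_URI_RE.match(path))
        elif kind == "dns" and rest.startswith("MX "):
            mx_times[src].append(ts)
        elif kind == "conn" and rest.endswith(":25"):
            smtp_times[src].append(ts)
    report = {}
    for src in sorted(sources):
        mx, smtp = max_events_in_window(mx_times[src]), max_events_in_window(smtp_times[src])
        c2 = ua_hits[src] or uri_hits[src]
        if c2 and mx >= MX_BURST and smtp >= SMTP_BURST:
            verdict = "high"      # control channel + MX burst + SMTP burst
        elif c2 and mx >= MX_BURST:
            verdict = "medium"    # control channel + MX burst
        elif c2:
            verdict = "low"       # control-channel indicator only
        else:
            verdict = "none"
        report[src] = {"ua": ua_hits[src], "uri": uri_hits[src],
                       "mx": mx, "smtp": smtp, "verdict": verdict}
    return report


def _build_sample_log():
    """Constructed sample log (not captured traffic) covering three hosts."""
    base = datetime(2010, 10, 1, 12, 0, 0)
    storm_ua = 'UA="Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1)"'
    clean_ua = 'UA="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
    lines = [f"{base.isoformat()} 10.0.0.5 http POST /qxt.jpg {storm_ua}"]
    # Infected host 10.0.0.5: check-in, then an MX burst and an SMTP burst.
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=2 + i)).isoformat()} 10.0.0.5 dns MX mail{i}.example.test")
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=10 + i)).isoformat()} 10.0.0.5 conn 192.0.2.{i + 1}:25")
    # Clean host 10.0.0.7: an ordinary GET and a single MX lookup.
    lines.append(f"{base.isoformat()} 10.0.0.7 http GET /index.html {clean_ua}")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.0.0.7 dns MX mail.example.test")
    # Host 10.0.0.9: Storm-shaped POST path but no spam activity seen yet.
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 10.0.0.9 http POST /abc.gif {clean_ua}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, row in analyse(SAMPLE_LOG).items():
        print(src, row)
```

The verdict ladder mirrors the post’s reasoning: a single indicator such as the User-Agent typo or the URI shape is only a hint, and confidence rises as the MX-query burst and then the outbound SMTP surge from the same source are added within the window.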

Update:
McAfee IPS Coverage Status
McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Storm bot under the attack ID 0x48804200 BOT: Storm Bot Activity Detected. McAfee customers with up-to-date installations are protected against this malware.


U.S. Arrests Zeus-Operating Cybercriminals

September 30, 2010

It looks like some of the recent success in taking down Zeus-using cybercriminals is coming to the United States. The FBI has recently announced that it has charged as many as 60 people and has arrested 10 as part of a global cyberfraud scam. Summaries of the incident can be found here, here, and here.

Zeus is one of the nastiest and most persistent pieces of malware we deal with. It steals banking logons, can act as a bot, and recently started targeting mobile devices, as well. Recently one of our McAfee Labs researchers, Chintan Shah, posted an excellent blog on the inner mechanisms of the Zeus Crimeware Toolkit; his article is definitely worth a read. You can also listen to a great AudioParasitics podcast episode in which my podcast-partner-in-crime Jim Walter and I discuss Zeus (also called Spy-Agent.bw).

If you are running any of our DAT-based security technologies and they are up to date, you are already enjoying excellent coverage against Zeus.

———- UPDATE October 1 —————

It now seems that Ukrainian authorities have taken action against individuals with suspected involvement in the Zeus cybercrime and money laundering network. The Ukrainian contingent seems to be associated with the more technical aspects of the infrastructure. Read detailed accounts here and here.

Let’s keep those arrests and takedowns coming and take back our Internet!


“A very warm invitation to you,” Courtesy of a Mass-Spam Run

September 17, 2010

McAfee Labs has been monitoring a spam run that was launched earlier today. The message follows:

Subject: A very warm invitation to you

Body:

Hello,

Hope your week has been wonderfull well.  I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.

With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
will be served at the festival.  Besides the spread, cultural and folkloric performances, music, games for children, and activities will be part of the day’s programme.
This once a year event brings all of our friends and family from around the Bay Area, an expression of the internationality of our community, mission and work here.  At the same time, the festival is also a fund-raising initiative open to all, which is important for us in the ongoing Verbum Dei mission here in the Bay Area.

I really look forward to your coming to be able to catch up more.  More details are in the attached invitation, I hope the directions woul be helpful in navigating the way to the St. Thomas More parish.

With joy and peace to you,
Collin Vaughan

Attachment: #####vacation.html
(most typically, but can also be many other names, such as #####.xls.html, #####wachovia summons.html, #####randolph-revisedplans.html, and others)

The attachments are all the same and contain an encoded JavaScript, which redirects to a web page on the numerouno-india.com domain.

The destination page does a redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (with a target of a page on the arestyute.com domain).

The redirect domain displays the standard fake anti-virus scanning animated image and subsequent prompt to download an executable:


fake scanning image


download prompt


icon used by executable

The iframe leads to a cocktail of exploits, including a Java Development Toolkit exploit (CVE-2010-0886), as well as exploits targeting Adobe Flash and PDF vulnerabilities, including CVE-2007-5659, CVE-2008-2992, CVE-2010-0188.

The payload of these exploits is a password-stealing Trojan, which copies itself using a randomly named folder and file in the %AppData% directory and creates a registry run key to load the file at start-up, for example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “{608F1285-57B7-C631-DE51-8A99508CC7A9}” = “C:\Documents and Settings\Administrator\Application Data\Ezudi\oqek.exe”

This password stealer injects into the iexplorer.exe process and targets dozens of mainstream financial institutions.  It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.

  • This fake AV executable was detected by Global Threat Intelligence File Reputation at the time of this blogging when running at Very Low sensitivity or higher.
  • The first-stage domain (numerouno-india.com) is rated RED by TrustedSource and SiteAdvisor.
  • The second-stage domains (arestyute.com and scaner-g.cz.cc) are rated RED by TrustedSource and SiteAdvisor.
  • The third-stage domains (ohmaebahsh.ru and eexiziedai.ru) have been rated RED by TrustedSource and SiteAdvisor for weeks.
  • DAT file coverage is being added under the following names:
    • PWS-Zbot
    • FakeAlert-PE
    • JS/Downloader.gen
    • JS/FakeAlert-AB.dldr

Customers may download updated signatures using the extra.dat request page: https://www.webimmune.net/extra/getextra.aspx. These are also available in the beta DATs.


Phishing Scam Trolls for EFTPS Users

September 15, 2010

A new phishing scam is targeting users of the Electronic Federal Tax Payment System (EFTPS), a free service provided by the U.S. Department of the Treasury since 1996. The recent fraudulent format uses an email message that claims to be a rejected tax payment and directs users to a fake website for additional information. Remember, don’t ever provide any personal or financial information to unsolicited email messages.

Image 1

Our research found a set of these fraudulent websites created on September 12. All the URLs are associated with the same IP address and in the same country.

Image 2

The scam message:
Subject:
Your EFTPS Tax Payment ID has been rejected.

Body:
Report ID: ***. Your Federal Tax Payment ID: *** has been rejected. Return Reason Code R## – The identification number used in the Company Identification Field is not valid. Please, check the information and refer to Code R##  to get details about your company payment in transaction contacts section: http://www.eftps*******7.com/contacts

If you receive one of these messages claiming to be from the EFTPS or IRS, don’t open it or click any link. It’s safer to manually type the URL (web address) instead of clicking a link. To verify whether a government or financial institution is trying to contact you, call that agency. You’ll find useful tips for avoiding phishing scams in this McAfee publication.


World of Warcraft Spearphishing and Botting

September 13, 2010

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly got this whisper:

Targeted WoW Phishing Attack

Now normally I simply ignore most whispers I get in-game (other times I simply don’t notice them) but this one caught my attention. Zooming in I think you will see why:

WoW Phishing Closeup

This message tells me that Blizzard suspects my account of using third-party tools to cheat and asks me to go to their website, log in, and check my account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

Fake WoW Login Page

This particular fake was hosted on an IP address that had a pretty questionable report. (HINT, HINT: use our SiteAdvisor browser plug-in!) World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which adds another layer of protection to your logon credentials:

WoW With 2FA

The addition of the 2FA pin makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, now granted I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!

Now what were those third-party apps the original phish may have alluded to? Bots most likely. As anyone who follows this blog is aware, bots refer to robots, usually malicious in nature, but they simply automate tasks. Some of the more popular bots for World of Warcraft are farming and leveling bots. They are designed for pretty much what you would guess: They automate the “farming” of a variety of materials (later sold for in-game gold) or even honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

WoW Honorbot - Used for Honor and PvP Farming

and also:

GatheringBot - Used to Farm Materials Mainly

Should your account be found to be using any of these, it will get banned, as it violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Make sure you stay updated and properly configured, and be cautious of in-game messages!

And level up old school; the account you save may be your own!


SpyPro Fake-Alert Malware Joins ‘Scareware’ Lineup

September 13, 2010

Social engineering is probably the most common technique for enticing unsuspecting victims to reveal information or purchase something of no value. In the anti-virus world we often see malware authors use scare tactics to sell rogue anti-virus or “fake alert” anti-virus software.

Rogue malware authors use various methods to fool victims into purchasing their products. Some of the most common methods:

  • Creating links to malicious web pages in which common search terms in search engines bring these pages to the top of the list, a.k.a. search poisoning
  • Disguising themselves as legitimate applications, especially under peer-to-peer and IRC networks
  • Offering downloads as legitimate software using bit torrent protocol

Over the last couple of days McAfee Labs has seen an increase in submissions from customers with regards to one variant of the fake alert family classified as FakeAlert-SpyPro.gen.ai. We’ll describe the characteristic behavior of this variant in this blog. We also have a comprehensive description of this malware in our Virus Information Library.

Once this malware is run on the local machine, it displays a warning indicating that the computer is infected with various types of malware and that the user needs to click to clean the computer.

When the user clicks the warning, it pops up a window and initiates a fake scan on the computer. It shows a number of detections and warns the user that the system is infected. To “clean” the malware from the computer, users must purchase the software from the website “antiv[removed].com”.

If left to run, this software attempts to use Internet Explorer to open websites with pornographic content.

The fake alert software also makes a number of changes to the Windows registry so that it can load itself at startup, and it disables the phishing filter in Internet Explorer.
When users attempt to run a legitimate executable, this malware pops up, tells them that the file is infected, and asks whether they want to run the anti-virus software to clean the infection.

Here are a few cleaning and remediation steps you can take to remove or keep this malware at bay:

  • Ensure that you have a legitimate copy of anti-virus software installed on the machine
  • Ensure that software is updated regularly
  • Exercise caution when you click on links. Using software such as SiteAdvisor (www.siteadvisor.com) can help because it distinguishes between safe and risky sites.
  • Do not be enticed into downloading “free” copies of legitimate software, especially from P2P, IRC, or bit torrent networks
  • Exercise caution while clicking links in emails that look suspicious, even if they appear to come from a known contact

How Much Does My Identity Cost? (the Sequel)

September 1, 2010

Two weeks ago, I posted a blog entry talking about the counterfeiting of legal documents. I have received many comments and requests for further data related to this type of fraud from various Eastern European countries, France, and even the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide the services. At McAfee, like at most of our competitors, we almost never disclose dangerous URLs except to researchers in the business and law enforcement agencies. In many cases we also run some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but this can change, especially if its owners know it will be visited by many inquisitive people.

The next question was that of the counterfeiters’ nationalities. No doubt they are Russian speakers.

Another request was related to the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to driver’s licenses, I carried on further investigations in the passport field. It was not difficult to find other offers with more attractive prices: less than US$1,000 instead of the US$4,000-$5,000 asked by the first one.

In this last offer, I noted the availability of diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And regarding the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject. You have first to contact them via anonymous mailing services. (They specify: “no ICQ, no SMS, no phone call.”) However, I discovered another offer, with details about how to place an order.

At last, some people wished to know if these sites offered other materials or services. Some of them sell carding equipment to read/write magnetic cards, but the prices were exorbitant. They quoted between US$9,000 and $11,000; yet many of these devices can be found on Amazon or eBay for $500! Proving the relevance of our previous advice regarding what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. (In Europe, we frequently use these documents to prove our residency or proof of address.)

Even the envelope is supplied! Seemingly unimportant pieces of paper can interest today’s cybercriminals.


Zeus Botnet Attacks via FedEx Scam

September 1, 2010

Yesterday we discovered a new Zeus campaign.

Most of the messages associated with the new spam campaign are linked to the Asprox botnet. This time, the focus is on FedEx. Most of the attachments start with either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. Those attachments are recognized as the Bredolab Trojan, which will download the Zeus component.

This Zeus variant has a control host on hxxp://x5vsm5.ru, but also downloads from hxxp://trachsel.biz.

The targets of these samples are a large number of banks outside the United States. We still see common U.S. targets…

  • Citibank
  • Comerica
  • USBank
  • WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

  • Neue Bank (Liechtenstein)
  • Arab Bank
  • MyBank (Taiwan)
  • BHI Bank (United Kingdom)
  • NPBS (United Kingdom)
  • Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus’ going global.


Newegg Password Reset Scam: a Harbinger of Threats to Come?

August 26, 2010

This blog was updated at 1.15 pm Pacific time on Aug. 26.

McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt, but there is also some indication that the botnet may be attempting to abuse Newegg’s password reset system to further the scam.

password reset

In less than 1 percent of the cases, the spammers appear to be taking advantage of the password reset option on the Newegg website to generate an email to the victim announcing that a password reset is required. This ruse cannot be used to determine if an account exists because the Newegg site returns the same text if you request a password reset on an actual or nonexistent account. So directory harvesting does not appear to be the attackers’ goal. Newegg’s password reset option is not protected by any sort of CAPTCHA authentication unless the account has received multiple requests for a password reset, so this process could be scripted as part of the spam campaign. The password reset request does not actually reset the password unless the recipient clicks on the email that is sent and even then the password reset request does not indicate the account has been compromised. In all likelihood this scam is designed to make the recipient anxious by suggesting an unauthorized individual has attempted to access the account.

forgery

Anxiety and frustration are common emotions exploited by spam and phishing messages to make a victim click on a malware link without thinking. One common trick is to send a purchase confirmation email to a recipient, who is likely to click on the attachment or the link because he or she is afraid or is convinced that someone has already hacked the account. To continue the scam: The victims receive a forged Newegg purchase receipt shortly after seeing the legitimate password reset notice. If recipients are anxious about account tampering, they may be willing to release a quarantined spam message that claims to be a purchase receipt because they feel their accounts may have been compromised.

cutwail

This spam mail appears to be associated with the Cutwail botnet, which is the second-most prolific botnet in detected infections. (Rustock is number one.) Cutwail has the highest number of infections detected in Russia, India, and Brazil. We do not know if every recipient of a Newegg spam has received a password reset notification before the spam mail arrived, but McAfee TrustedSource™ has detected a 233 percent increase over the average mail flow coming from Newegg IP addresses today.

newegg.ts

The spam mail not only mimics the look and feel of a Newegg email, but also forges the RFC 821 Received headers to pretend that it originated from Newegg servers. The email contains an HTML attachment that uses obfuscated JavaScript to forward the victim to a domain which attempts to deliver fake anti-virus software or other malware to the recipient.

This is a powerful scam: It combines forgery techniques to fool the victims, techniques to fool the filters, and outright abuse of the Newegg corporate infrastructure to scare the recipients of the malicious emails. Techniques like this are not new, but the combination of three in one package is rare. Administrators should be aware of this campaign and inform their users not to be fooled by the purchase receipt. Users who want to check their Newegg accounts should not use any links in an email but should go straight to newegg.com.

Newegg says it is investigating this issue to determine any customer impact and that it is researching any actions the company may need to take to help its customers avoid phishing scams that take advantage of their brand.


Three Strikes to Latest Phishing Scam

August 24, 2010

We unceasingly monitor and combat old and emerging web threats, taking different approaches to best protect our customers. Cybercriminals continuously look for new ways to steal valuable information. A recent phishing scam we’ve seen impersonates three popular institutions: PayPal, Bank of America, and free offers to check your credit score.

The recent attack on Bank of America users is arriving as spam email with a phishing link alerting users about an “account deactivation.” The scam claims online banking security regulations require users to click on the provided URL. Don’t fall for this tactic. Clicking the link “RESOLVE” redirects you to a malicious site.

Phishing 1

A similar situation occurs with the scam claiming a “security problem” with your PayPal account. The URL redirects victims to a fake page that is visible at the main domain. These malicious pages use the same graphics, style sheets, and links as the genuine pages.

Phishing 2

Would you trust an unsolicited email that offers to check your credit score for free? It looks authentic, but definitely is not. It’s always much safer to manually type the web address you would like to visit instead of clicking a link from a suspicious email. If you receive one of these emails, do not click on the links. Users without protection who click on these links may infect their computers or reveal their data.

Phishing 3

Remember to keep your anti-virus software up to date, and do not provide any personal or financial information to unsolicited email messages. Last year 11.1 million people were victims of identity theft in the United States; an identity is stolen every three seconds. Cybercriminals aggressively pursue unprotected users. Learn how to prevent identity theft at our McAfee Identity Protection page.

