Microsoft Malware Protection Center
Pramro and Sality - two PEs in a pod
The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008.
There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramro. For example, let's examine one of the encrypted files currently downloaded by a variant of Worm:Win32/Sality.AU from the host ‘baulaung.org’. If we apply the key ‘GdiPlus.dll’ and a modified RC4 algorithm, the resulting output is a PE file. This file is detected as TrojanProxy:Win32/Pramro.F.
Image 1 - View of Pramro using a file viewer utility
Examining this particular Win32/Pramro variant, we can see that it employs the same key and decryption algorithm as this Win32/Sality variant.
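The decrypt-and-check step described above, as an added example that is not code from the post or from MMPC. The post says the payload uses a *modified* RC4 without describing the modification, so this block assumes standard RC4 with the key named in the post and shows the check an analyst applies to the result: does the output carry an MZ header whose e_lfanew points at a `PE\0\0` signature? The encrypted blob below is constructed from a minimal MZ/PE skeleton, not the real downloaded file.

```python
import struct

# Key named in the post. The post describes a modified RC4 whose change is not
# spelled out; standard RC4 is used here as an assumption.
KEY = b"GdiPlus.dll"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_key(key: bytes, blob: bytes):
    """Decrypt blob with key; return the plaintext only if it is a PE image."""
    plain = rc4(key, blob)
    return plain if looks_like_pe(plain) else None


# Constructed stand-in for a downloaded payload: a minimal MZ/PE skeleton
# (headers only, not a runnable program) encrypted with the key above.
SAMPLE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x80)
    + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 20
)
ENCRYPTED_BLOB = rc4(KEY, SAMPLE_PE)

if __name__ == "__main__":
    result = try_key(KEY, ENCRYPTED_BLOB)
    print("PE recovered" if result == SAMPLE_PE else "not a PE with this key")
```

When the real payload does not decrypt to a PE under plain RC4, the next step is to diff the sample's RC4 routine against the standard one (key scheduling and output stage are the usual places a modification is made) and adjust `rc4` accordingly.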
Looking closely at some detection statistics from MSRT, we observe that variants of Win32/Pramro were reported on 104,120 unique machines during the first week of release. The majority of the affected machines were running Windows XP (81.8%), followed by Windows 7 (12.9%). For the machines which reported a variant of Win32/Pramro, the prevalence distribution of all detections reported by MSRT is listed in the following table. As expected, the connection to Win32/Sality is supported by our data.
Table 1 - MSRT detection statistics
The geographical breakdown of machines which reported a Win32/Pramro variant appears as:
Table 2 - Geographic distribution of Pramro
Scott Molenkamp
MMPC, Melbourne
Extracting the fare
When malware is found lurking on a system, quite often it isn't acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain -- for instance, hijacking a browser's search results, or using rogue security software to extract payments from affected users -- and will try to install whatever other malware components they need to in order to make this happen.
Such is the case with Win32/Fareit, which is one of two new additions to the Microsoft Malicious Software Removal Tool (MSRT) for February 2012. Win32/Fareit is a family consisting of a password stealer and a component for performing Distributed Denial of Service (DDoS) attacks, and is often present on an affected system along with a suite of other malware.
The Distributed Denial of Service component, which we detect as DDoS:Win32/Fareit, contacts a remote server, which may instruct it to flood a target server with bogus HTTP traffic. It randomizes several HTTP header fields in order to make it difficult for the targeted server to filter the unwanted requests. Hijacking the browser and collecting payments for rogue security software are not the only methods of profiting from an infected system, and this is where the password-stealing component PWS:Win32/Fareit fits in.
When run, the malware scans the system looking for installations of popular FTP clients and cloud storage clients. Most of these allow users to cache login details for servers that they often connect to, and they store these details encrypted in configuration files or registry entries. If any of these clients are present on the system, the malware attempts to retrieve this login information from the files or registry, decrypt it, and post it to a remote server controlled by the attackers. Once they have this account information, they can log in to the compromised accounts, which often provide access to web servers, and upload other malware that they wish to distribute. You can see a list of the FTP clients and other software that PWS:Win32/Fareit targets in our encyclopedia description. It also attempts to steal stored passwords from some of the major web browsers.
PWS:Win32/Fareit first came to our attention in large numbers in October, when we noticed it being installed by Win32/FakeScanti and Win32/Cycbot.
Win32/FakeScanti is a rogue security program that was added to MSRT in October 2009 and has recently gone by names such as Cloud AV 2012, AV Guard Online, Security Guard 2012, and Opencloud Antivirus.

Win32/Cycbot is a backdoor and browser hijacker, and was added to MSRT in February 2011. At various stages we have seen Win32/Cycbot and Win32/FakeScanti also downloading or installing one another, so this month's addition of Win32/Fareit helps complete the cleaning of this multi-family infection.
Win32/Cycbot remains highly prevalent, and Backdoor:Win32/Cycbot.G was the number-one threat removed by MSRT last month. Win32/FakeScanti activity has decreased, though we continue to monitor it closely; however, we have received no new undetected samples of it so far this year. Unfortunately, this isn't a sign that the rogue distributors have given up on their nefarious activities; most likely they have simply moved on to distributing different rogue families.
If your system has been infected with Win32/Fareit, or related families like Win32/Cycbot, and you have any account details saved in your FTP client, after cleaning your local system, we recommend that you immediately change your password for each account. Check the related servers for new or suspicious files that you did not upload, change passwords for any accounts whose details you may have saved in your browser, and check those accounts for any unexpected activity.
The password-stealing component may only need to be run once in order to steal your credentials, so, by the time MSRT has performed its monthly scan, the damage may have already been done. This emphasizes the importance of running an antivirus solution that provides real-time protection.
David Wood
MMPC Melbourne
Stratfor customers targeted by cybercriminals
Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database.
The spammed email contains an attached PDF file named "stratfor.pdf". Upon opening the PDF file, it displays the following content, with a reference to using security software to scan for the fictional "Win32Azee virus":
The link displayed in the emails appears legitimate at first glance, but looking closely at the target address, you notice that it doesn't originate from the address in the email text. Stratfor is based in Texas, United States; however, the download URL points to a site in Turkey. A sample of another PDF file contained a download link for yet another compromised site, this time in Poland.
When the link is clicked, Adobe Reader displays a warning message asking you to verify that you trust the website. The file offered for download is actually a Win32/Zbot variant, which Microsoft already detects as PWS:Win32/Zbot.gen!R. The malicious PDF file is detected as Trojan:Win32/Pdfphish.A.
SHA1:
38421197bc27f9ae76c01595424b41d720adea05 (detected as Trojan:Win32/Pdfphish.A)
818ef49e658aa78df4a0d9b424fafcd37bcb288c (detected as PWS:Win32/Zbot.gen!R)
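The mismatch described above (a link whose visible text names the sender but whose target lives on an unrelated host) can be triaged straight from the raw PDF bytes. The following is an added example, not code from the post; it pulls `/URI (...)` link actions out of a PDF and reports those whose host is not the sender's domain or a subdomain of it. The PDF fragment and the `example.com` / `.invalid` hosts are constructed; the real sample's link targets are not reproduced. It only handles the plain literal-string form of `/URI` (hex strings and links inside compressed object streams would need a real PDF parser), so treat it as a first-pass filter.

```python
import re
from urllib.parse import urlparse

# Literal-string /URI actions: /URI (http://...). Backslash escapes inside the
# parentheses are allowed for; hex strings (<...>) and compressed streams are not.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Every plain-string /URI target found in the raw PDF bytes, in order."""
    uris = []
    for raw in _URI_RE.findall(pdf_bytes):
        # Drop the backslash of \( \) \\ escapes (octal escapes are not handled).
        raw = re.sub(rb"\\(.)", lambda m: m.group(1), raw)
        uris.append(raw.decode("latin-1"))
    return uris


def host_in(host: str, domains: set[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def foreign_links(pdf_bytes: bytes, trusted_domains: set[str]) -> list[str]:
    """URIs whose host is outside the purported sender's domain."""
    out = []
    for uri in extract_uris(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if not host_in(host, trusted_domains):
            out.append(uri)
    return out


# Constructed PDF fragment (not the sample from the post): one link back to the
# purported sender, one to an unrelated host offering an executable.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (http://www.example.com/support) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
  /A << /S /URI /URI (http://update.scanner-host.invalid/av/setup.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri in foreign_links(SAMPLE_PDF, {"example.com"}):
        print("link leaves sender's domain:", uri)
```

Pass the sender's registered domain (the one the email claims to come from) as the trusted set; anything the function returns is a link the email text does not justify and is worth checking before anyone clicks it.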
- Rodel Finones, MMPC
When imitation isn’t a form of flattery
When I was at school (many, many years ago…) a teacher once told me that if someone copies you, it's a sign of flattery. Well, right now there are numerous "companies" copying us, but we are far from flattered.
For some time now, rogue security programs have been trying their hardest to look just like Microsoft security products. I suppose they figure that the more they look like us, the more likely unsuspecting users are to hand over their hard earned cash to have their computers "cleaned" by these imposters.
Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for fake antivirus software, when Microsoft consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users at no cost. This in turn causes affected users to voice their concerns and dissatisfaction through a number of Microsoft customer feedback channels, often after being tricked into paying for the bogus antivirus to remove threats that were more than likely never present on their computer. Below are some images of imitation scans and messages displayed by rogues:
Figure 1: 'Scan results' displayed by a Win32/FakeRean variant, Privacy Protection
Figure 2: 'Windows Security Center' message displayed by a Win32/FakeRean variant
Figure 3: 'Scanner' displayed by a Win32/FakeVimes variant
Figure 4: 'Scan results' displayed by a Win32/FakeVimes variant
Figure 5: 'Security settings options' displayed by a Win32/FakeVimes variant
In addition to an increase in the number of people being affected by rogues, there seems to be an increase in users receiving calls, allegedly from Microsoft support, about their "infected" computers (which Microsoft has blogged about before). To set the record straight, Microsoft would never call a user to tell them that their computer was infected.
So, allow me to clarify a few things:
- Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That's right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.
- We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.
- Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up.
We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call.
Jasmine Sesso
MMPC Melbourne
Independent social welfare site hacked to serve malware?
We received a submission from one of our customers that downloaded some suspicious files from a certain website. We checked the files, confirmed that they are actually malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed normal, until we looked at the website that the files were downloaded from, which suggested that there's more to it than meets the eye.
The website in question is a Romanian website, asistentasociala [dot] info. The term "asistenta sociala" translates to "social welfare", and is apparently quite popular. Doing a web search for the term "asistenta sociala" on various search engines, we found that the website is ranked within the first two pages of the results.
The website contains various official documents and examples on how they are filled out. It seems to have been hacked, because the original documents have been replaced with malicious executable files (detected as Trojan:BAT/Delosc.A - sample SHA1 759e3dc00415809d0df748e23dcbec1c0265afc1), as seen in Figure 1 below:

Fig. 1 The .doc file is replaced by an .exe file (the word "cerere" translates to "request" or "application").
The malicious files have the same icon as the original documents, so that when they are saved to your computer, you might not notice anything out of the ordinary. In Figure 2 below, the downloaded malicious executables have the icons of an Excel file, a PDF file, and a Word file:

Fig. 2 The malicious executable using misleading icons.
When run, the malicious executable drops the original document, as in Figure 3. This is probably done to make it appear as if nothing unexpected has occurred:

Fig. 3 The malicious executable drops the original document.
It also drops a BAT file (also detected as Trojan:BAT/Delosc.A - SHA1 ECD0C54B085BDBBECF25FA44EEF69F9B5F776621) in the Temporary Files folder as "open_file.bat". This file does the rest of the malicious actions.
The BAT file tries to delete files and folders from two software solutions mainly used in Romanian institutions: Indaco (software that offers services for legal documentation) and Aplxpert (a document management system based on regulations designed for public administration).
It also proceeds to delete folders (along with the files inside) that contain the following strings: "aplxpert", "indaco" (as previously mentioned), "mondo", "agr", "factur" (invoice), "gami", "multi", "glob", "alocati", "arenda", "social", "assist", "vmg", "asf", "lemne" (wood), "incalz" (heating) on the C, D, E, F, G, H drives, as you can see from the malware code in Figure 4:

Fig. 4 The malware code showing the strings.
Based on these actions, it seems like if you're working for a Romanian government institution and your computer gets infected by this malware, you may no longer be able to use either of these tools. In addition, folders containing files pertinent to your work may be deleted if you named your folders using any of the mentioned strings.
Aside from government employees, it also looks like this malware could cause trouble for a user who is searching for documents related to social welfare. For example, if you're looking for help on how to fill out a form for heating assistance, you might end up inadvertently having files deleted from your computer if you saved them within a folder that uses any of these strings.
The website owner has been contacted and the malicious files have been removed.
Replacing the original documents with malicious executables is something we have seen before. But this trojan deletes the very files the user was seeking help with, while at the same time posing as those files. In the process, actual important official documents may be deleted, thus posing a very real threat to users.
We recommend that you always pay attention to the downloaded files and look out for files that have the icon for one file type but the extension for another. And as always, run an antivirus solution to protect your computer against these kinds of threats. For website owners, make sure you take steps to harden your website so that you can protect its integrity.
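The advice above (watch for files whose icon says "document" but whose content says "program") can be automated for a downloads folder. This is an added example, not code from the post or from MMPC; it compares a file's leading bytes with what its extension promises and also flags the `name.doc.exe` pattern, which Windows Explorer shows as `name.doc` while "Hide extensions for known file types" (the default) is on. The sample headers are constructed; the names reuse "cerere" and "factura" from the post for illustration only.

```python
import os

# Leading bytes that identify the real container, whatever the file name says.
MAGIC = [
    (b"MZ", "executable"),                            # PE / DOS executable
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc / .xls
    (b"PK\x03\x04", "zip"),                           # .docx / .xlsx are zip containers
]
DOC_EXTS = {".doc": "ole", ".xls": "ole", ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}


def content_kind(data: bytes) -> str:
    """Classify by magic bytes; 'unknown' if none of the listed signatures match."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, data: bytes, expect_document: bool = True) -> list[str]:
    """Reasons a downloaded file deserves a second look; an empty list means none found."""
    reasons = []
    base, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(base)[1]       # the ".doc" in "cerere.doc.exe"
    kind = content_kind(data)
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}: displays as {inner_ext} "
                       "when known extensions are hidden")
    if ext in DOC_EXTS and kind == "executable":
        reasons.append(f"{ext} name but executable (MZ) content")
    if expect_document and (ext in EXEC_EXTS or kind == "executable"):
        reasons.append("executable received where a document was expected")
    return reasons


# Constructed headers (not the samples from the post).
MZ_BYTES = b"MZ\x90\x00" + b"\x00" * 60
OLE_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56

if __name__ == "__main__":
    for fname, blob in [("cerere.doc", OLE_BYTES), ("cerere.doc.exe", MZ_BYTES),
                        ("factura.pdf", MZ_BYTES)]:
        print(fname, "->", triage(fname, blob) or ["ok"])
```

The `expect_document` flag encodes the context the post describes: on a site that hands out forms, no legitimate download should be an executable at all, so that alone is a finding even when the name is honest.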
--
Andrei Saygo && Daniel Radu
MMPC Dublin
A different breed of downloader
In our everyday world, we sometimes make use of thin clients, which don't have a lot of functionality but are easy to maintain, as their functionality is based on data they receive from remote servers. Malware authors have adopted a similar technique, in which malware is able to download executable code without actually downloading an executable image. We're talking about malware that isn't a typical trojan downloader.
The typical routine for trojan downloaders is that the downloaded file is normally modified on the server side, and the downloader itself offers only a download-and-execute function, which is cheap to produce and therefore expendable in terms of antivirus detection. As a result, we currently detect over eight million trojan downloaders for Windows, most of which download the executable to disk or inject it into other processes.
Unfortunately there is no need for malware writers to download an executable at all. We recently analyzed a sample, TrojanDownloader:Win32/Poison.A (SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182), that downloads a blob of position-independent code and executes it in the context of a previously non-malicious application.
At first, the sample appeared to be a very small Visual Basic-written application that accesses the website of a Tibetan restaurant. I expected a trojan downloader using the normal routine, but during fast static analysis I couldn't see any file access operation, or any other suspicious system call. Instead, it simply displayed Figure 1 below:

Figure 1: Error message displayed when run on an isolated machine
Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as "misys.exe" (as shown in Figure 2 below), and started keylogging, although the static analysis did not indicate this kind of functionality.

Figure 2: The file "misys.exe" on a computer connected to the Internet
The question is: where does that file come from? The mystery was solved when I looked at the HTML code of the restaurant webpage, which begins with the following hex instructions:
&H55, &H8B, &HEC
These characters make up the standard x86 function prolog:

Figure 3: The assembly code for the hex instructions
So the VB application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The "downloader" becomes malware by executing this downloaded blob of x86 instructions. The downloaded instructions are neither injected into a different process nor dropped to disk; they are executed in the process context of the "downloader", so the "downloader" inherits the malware functionality.
After the whole HTML page was converted into binary as in Figure 4, the file name in Figure 2 was clearly visible:

Figure 4: The file name is visible after conversion to binary
The downloaded binary blob is a variant of the Win32/Poison family. The functionality of the downloaded code is widely documented in its entry in the MMPC Encyclopedia.
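The conversion step the post describes (turning the `&H55, &H8B, &HEC` literals in the page into bytes and then recognizing the prolog and the embedded file name) can be written as a small scanner for web content, which is how a defender would look for other pages serving code this way. This is an added example, not code from the post or from MMPC. It assumes each `&H` literal encodes one byte, as in the post's excerpt (real VB permits longer `&H` values, which the pattern deliberately does not match). The HTML sample is constructed: it carries only the three prolog bytes from the post followed by the file name "misys.exe", not the actual downloaded code.

```python
import re

# VB-style hex literals as shown in the post: &H55, &H8B, &HEC
# Assumes one byte per literal; longer values such as &H1234 are not matched.
_VB_HEX_RE = re.compile(r"&H([0-9A-Fa-f]{1,2})\b")
X86_PROLOG = b"\x55\x8b\xec"          # push ebp; mov ebp, esp


def extract_vb_hex(text: str) -> bytes:
    """Concatenate every single-byte &H literal in the text into a byte string."""
    return bytes(int(h, 16) for h in _VB_HEX_RE.findall(text))


def starts_with_x86_prolog(blob: bytes) -> bool:
    """Heuristic from the post: a blob beginning with the standard function prolog."""
    return blob.startswith(X86_PROLOG)


def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """ASCII runs of at least min_len characters, the 'strings' view of the blob."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def assess_page(html: str) -> dict:
    """Summarize whether a page body looks like it carries hex-encoded x86 code."""
    blob = extract_vb_hex(html)
    return {
        "bytes": len(blob),
        "x86_prolog": starts_with_x86_prolog(blob),
        "strings": printable_strings(blob),
    }


# Constructed page: prolog bytes from the post, then the file name "misys.exe".
SAMPLE_HTML = """<html><body>
&H55, &H8B, &HEC, &H6D, &H69, &H73, &H79, &H73, &H2E, &H65, &H78, &H65, &H00
</body></html>"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_HTML))
```

A page whose decoded literals start with a function prolog and contain file names or API names is a strong hint that it is a payload host rather than a restaurant menu; the same approach works for other literal encodings (JavaScript `\x..` escapes, decimal arrays) by swapping the regular expression.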
The Win32/Poison trojan can be created with an easy-to-use Builder Tool, which allows malware authors to customize a build according to what they want to steal. We discuss the kit and its distribution in the MMPC Threat Report – Poison Ivy paper we released in November of this year. A possible reason why Win32/Poison is so prevalent, although it's quite an old trojan, is the fact that it allows malware authors to create, with one click of the mouse, position-independent code carrying the trojan functionality instead of an executable, as shown in Figure 5:

Figure 5: Win32/Poison builder allowing shellcode or PE creation
So while the malware we discussed here, TrojanDownloader:Win32/Poison.A, is a different kind of trojan that takes a while to build, within minutes it was just another threat detected by Microsoft AV products.
-- MMPC
Fake Seattle traffic ticket notification leads to malware
Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home -- specifically, Seattle, Washington. They're seeing spam mail circulating that claims to be from the Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form:
Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” change among iterations of the spam. It's interesting to note that the "Date of Offense" is in European format (DD/MM/YYYY), which is a strange deviation from the date format used in most of the U.S. (MM/DD/YYYY). So far, we’ve seen the hyperlink point to several recently registered domains.
If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in the Ukraine at IP 93.190.44.171. This Ukrainian site contains an obfuscated JavaScript that attempts to exploit an issue in MDAC (Microsoft Security Bulletin MS06-014) that was mitigated by a Windows security update in 2006.
If the exploit is successful, it will download and execute a file named "info.exe" from the domain “doofyonmycolg.ru”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once the malware is running, it tries to connect to “jahramainso.com” (IP 95.57.120.104, registered January 11, 2012) using SSL. The malware is able to update itself through communicating with the server. At present, this host is serving the exact same file as the malware running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).
We started seeing reports of this file earlier today, although we were not previously aware of the distribution vehicle until the City of Seattle alerted us about the spam. It's also interesting to note that the doofyonmycolg.ru domain was registered only a few days ago, so this is a new spam campaign.
While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and altering the hosts that it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.
The best way to remain protected against this type of attack is to:
• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages
Also, note that neither the Seattle Police Department nor Department of Motor Vehicles (DMV) sends tickets by email -- only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link: http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/
-- Tareq Saade, Microsoft Security Response Center
Fake Seattle traffic ticket notification leads to malware
Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home -- specifically, Seattle, Washington. They're seeing spam mail circulating that claims to be from the Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense and requesting that they fill out a linked form:
Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” change between iterations of the spam. It's interesting to note that the "Date of Offense" is in European format (DD/MM/YYYY), a strange deviation from the date format used in most of the U.S. (MM/DD/YYYY). So far, we've seen the hyperlink point to several recently registered domains.
If the link is visited, the browser requests the page, which loads an IFrame from yet another site, registered on January 16, 2012 and hosted in Ukraine at IP 93.190.44.171. This site contains obfuscated JavaScript that attempts to exploit an issue in MDAC (CVE-2006-0003, addressed by Microsoft Security Bulletin MS06-014) that was fixed by a Windows security update in 2006, so a computer with that update applied is not affected by this exploit.
If the exploit succeeds, it downloads and executes a file named "info.exe" from the domain “doofyonmycolg.ru”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once running, the malware tries to connect to “jahramainso.com” (IP 95.57.120.104, registered January 11, 2012) over SSL. The malware can update itself by communicating with this server; at present, the host is serving exactly the same file as the one already running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).
We started seeing reports of this file earlier today, but we were not aware of the distribution vehicle until the City of Seattle alerted us about the spam. It's also worth noting that the doofyonmycolg.ru domain was registered only a few days ago, so this is a new spam campaign.
While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and changing the hosts it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.
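The post names concrete indicators for this chain: the Ukrainian exploit host, the payload domain, the SSL command-and-control host and the SHA-1 of info.exe. The following is an added example, not part of the original post, of sweeping proxy logs for those indicators. The log layout and the sample lines are constructed for illustration; only the indicator values come from the post. The dot-boundary check in host_matches is what keeps a look-alike such as notdoofyonmycolg.ru from matching.

```python
"""Sweep proxy log lines for the indicators named in the post.

Added example; not code from the original post. The log layout and the lines
in SAMPLE_LOG are constructed for illustration. The indicator values
(domains, IPs, SHA-1) are the ones the post reports for this campaign.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators reported in the post.
IOC_DOMAINS = {"doofyonmycolg.ru", "jahramainso.com"}
IOC_IPS = {ipaddress.ip_address("93.190.44.171"),
           ipaddress.ip_address("95.57.120.104")}
IOC_SHA1 = {"2f9ccfcf645162856ec92d79fa983e22e1024051"}  # info.exe / Worm:Win32/Cridex.B

# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url-or-host:port> <status> [sha1=<hash>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
    r"(?:\s+sha1=(?P<sha1>[0-9A-Fa-f]{40}))?\s*$"
)
SCHEME_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str


def host_of(url: str) -> Optional[str]:
    """Host part of an absolute URL, or of a bare 'host:port' as logged for CONNECT."""
    m = SCHEME_HOST_RE.match(url)
    host = m.group(1) if m else re.split(r"[/:?#]", url, maxsplit=1)[0]
    return host.lower().rstrip(".") or None


def host_matches(host: str) -> bool:
    """True for a listed IP, a listed domain, or a subdomain of one.
    A plain suffix test would also accept 'notdoofyonmycolg.ru', so the
    comparison requires either equality or a '.' boundary."""
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:
        return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def sweep(lines) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production sweep should count and report these
        host = host_of(m["url"])
        if host and host_matches(host):
            hits.append(Hit(n, m["client"], f"contacted campaign host {host}"))
        if m["sha1"] and m["sha1"].lower() in IOC_SHA1:
            hits.append(Hit(n, m["client"], f"downloaded known sample {m['sha1'].lower()}"))
    return hits


def affected_clients(lines) -> List[str]:
    return sorted({h.client for h in sweep(lines)})


# Constructed sample lines, mirroring the chain the post describes:
# exploit page on the Ukrainian IP, the info.exe download, then SSL to the C2.
SAMPLE_LOG = [
    "2012-01-19T10:02:11Z 10.0.0.12 GET http://93.190.44.171/index.php 200",
    "2012-01-19T10:02:13Z 10.0.0.12 GET http://doofyonmycolg.ru/info.exe 200 "
    "sha1=2f9ccfcf645162856ec92d79fa983e22e1024051",
    "2012-01-19T10:02:20Z 10.0.0.12 CONNECT jahramainso.com:443 200",
    "2012-01-19T10:05:00Z 10.0.0.77 GET http://www.notdoofyonmycolg.ru/ 200",
    "2012-01-19T10:06:00Z 10.0.0.77 GET http://update.microsoft.com/ 200",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client}: {h.reason}")
    print("affected clients:", affected_clients(SAMPLE_LOG))
```

Only the client at 10.0.0.12 is reported; the look-alike domain on line 4 does not match, and the second line produces two hits (payload host and file hash), which is useful when only one of the two indicator types survives in a given log source.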
The best way to remain protected against this type of attack is to:
• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages
Also, note that neither the Seattle Police Department nor the Department of Motor Vehicles (DMV) sends tickets by email -- only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link: http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/
-- Tareq Saade, Microsoft Security Response Center
Plenty to complain about with faux BBB spam
I was recently having a conversation in an online forum about online reputation and about refuting false claims posted on customer complaint sites. In that conversation, the person had been falsely accused of bad business practices.
In the States, if you experience an injustice in a business dealing, you can complain about and report that business to an organization named the Better Business Bureau (BBB). In this particular incident, the falsely accused party wasn't reported to the BBB; instead, a claim was posted to a site named "ripoffreport".
In a slight coincidence, not long after the conversation, I noticed an email message in my inbox with the subject "Re: BBB Case # 77518746" and a spoofed sender address impersonating the Better Business Bureau, complete with a copy of the official BBB logo, obviously lifted from the BBB site. The email body contained a hyperlink and an ominous claim about a "complaint from one of your associates":

I learned that the BBB is aware of the spam, has posted an alert on its site, and offers the following suggestions:
To verify the legitimacy of BBB complaints, contact Better Business Bureau locally. Consumers or businesses who have received the fraudulent emails are asked to report them to http://bbb.org/scam/report-a-scam.
The hyperlink in the message labeled "click here" pointed to an HTML page, "index.html", on a compromised domain. I retrieved the index page; its content was very minimal, yet suspicious, with links to a JavaScript file named "ajaxam.js" (example SHA1: eba97868820c92a3fd8cd2d3671b530c6c434b7c) on three other domains:

The domains referenced by the script tags appear to have been compromised for this attack. Two of the three links to the "ajaxam.js" script were dead, but the third was live. That .JS file contained a single-line document.location redirect to yet another domain and a server-side PHP script (SHA1: ff27f95681c1dd19ad48e133107d532f6f6f8644):

This request results in the delivery of an obfuscated script file that, when run, attempts to exploit CVE-2010-1885. This vulnerability, also known as the "Help Center URL Validation Vulnerability", lies in the handling of hcp:// URLs and was addressed by Microsoft Security Bulletin MS10-042. On a vulnerable computer, this script exploit would have dropped and executed malware detected as PWS:Win32/Zbot.gen!AF (SHA1: 291aa262ab0a41675b733d1cddfb5b4b).
This scheme of redirection followed by obfuscated script carrying this particular set of exploits is the signature of the "Blackhole" exploit pack, which we detect as Blacole.
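To make the chain concrete, the following added example (not from the original post, and not Blackhole's own code) reconstructs such a redirect chain offline from already-fetched page bodies: it pulls script and iframe sources and document.location targets out of each body, follows the http(s) ones breadth-first, records which hosts are dead, and flags any body that references the hcp:// protocol handler, which is what CVE-2010-1885 exploits abuse. The page contents, host names and the one-alive-of-three layout in CORPUS are constructed to mirror what is described above.

```python
"""Reconstruct a redirect chain of the kind the post describes, offline.

Added example; not code from the original post. CORPUS stands in for what a
fetcher would return and is constructed: the host names are placeholders, the
three-hosts-one-alive layout and the script -> document.location -> PHP page
shape follow the post, and the landing page is reduced to the one marker worth
flagging for CVE-2010-1885, a reference to the hcp:// protocol handler.
"""
import re
from collections import deque
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
LOCATION_RE = re.compile(
    r"(?:document|window|top|self)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|(?:document|window|top|self)\.location\.(?:replace|assign)\(\s*[\"']([^\"']+)[\"']\s*\)",
    re.I,
)
HCP_RE = re.compile(r"\bhcp://", re.I)

INDEX = "http://compromised-a.example/index.html"
DEAD_JS = ["http://compromised-b.example/ajaxam.js", "http://compromised-c.example/ajaxam.js"]
LIVE_JS = "http://compromised-d.example/ajaxam.js"
LANDING = "http://landing.example/main.php?page=8c6f2b"

CORPUS: Dict[str, str] = {
    INDEX: (
        f'<html><body><script src="{DEAD_JS[0]}"></script>'
        f'<script src="{DEAD_JS[1]}"></script>'
        f'<script src="{LIVE_JS}"></script></body></html>'
    ),
    # DEAD_JS hosts are deliberately absent: the two dead copies of ajaxam.js
    LIVE_JS: f'document.location="{LANDING}";',
    LANDING: (
        '<html><script>/* obfuscated loader would be here */</script>'
        '<iframe src="hcp://..."></iframe></html>'
    ),
}


def fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET; None models a dead host."""
    return CORPUS.get(url)


def extract_links(base_url: str, body: str) -> List[str]:
    links = [urljoin(base_url, m.group(1)) for m in SCRIPT_SRC_RE.finditer(body)]
    links += [urljoin(base_url, m.group(1)) for m in IFRAME_SRC_RE.finditer(body)]
    links += [urljoin(base_url, m.group(1) or m.group(2)) for m in LOCATION_RE.finditer(body)]
    return links


def walk(start: str, max_depth: int = 6) -> Tuple[List[Tuple[str, str]], List[str], List[str]]:
    """Breadth-first walk from start. Returns (edges, dead, flagged):
    edges   - (source, target) pairs in discovery order,
    dead    - http(s) URLs that returned nothing,
    flagged - URLs whose body references the hcp:// handler."""
    edges, dead, flagged, seen = [], [], [], set()
    queue = deque([(start, 0)])
    while queue:
        url, depth = queue.popleft()
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            dead.append(url)
            continue
        if HCP_RE.search(body):
            flagged.append(url)
        for nxt in extract_links(url, body):
            edges.append((url, nxt))
            # Only http(s) targets are fetched; an hcp:// target is the end of the chain.
            if nxt.lower().startswith(("http://", "https://")):
                queue.append((nxt, depth + 1))
    return edges, dead, flagged


def chain_to(target_prefix: str, edges: List[Tuple[str, str]]) -> List[str]:
    """Path from the start URL to the first discovered target with the given prefix."""
    parent: Dict[str, str] = {}
    for src, dst in edges:
        parent.setdefault(dst, src)
    end = next((dst for _, dst in edges if dst.startswith(target_prefix)), None)
    path = []
    while end is not None:
        path.append(end)
        end = parent.get(end)
    return path[::-1]


if __name__ == "__main__":
    edges, dead, flagged = walk(INDEX)
    print(" -> ".join(chain_to("hcp://", edges)))
    print("dead:", dead, "flagged:", flagged)
```

Against real captures, the same walk is run over bodies saved by a sandbox or proxy rather than live fetches, so that the analyst never requests the landing page from an attributable address; the depth limit guards against redirect loops in the captured material.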

This BBB spam run occurred at least twice in the month of December and employed the Blacole exploit pack. Blacole is developed and sold as a collection of attack code that uses various exploits. It is typically purchased by an attacker and installed on servers that have already been compromised through other attack methods. Across its iterations, the Blacole exploit pack has attempted to exploit the following vulnerabilities in order to deliver and install malware on vulnerable computers:
- CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
- CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
- CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
- CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
- CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
- CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
- CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
- CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
- CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
- CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
- CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
- CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
- CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
- CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
- CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier
Prevention
Protection against the Blacole exploit pack requires that your third-party applications, in particular Oracle Java and the Adobe Reader, Acrobat and Flash Player components listed above, are updated to the latest available, secure versions. It is important that vulnerable versions are removed and not left installed alongside the update, since an older version left on the system can still be targeted by the exploit pack.
For personal computers, there are security applications, such as the following, that offer vulnerability scanning and can assist in identifying vulnerable installations:
- Personal Software Inspector (PSI) by Secunia
- CNET TechTracker by CBS Interactive
- Software Updates Monitor (Sumo) by KC Software
And since keeping software up to date applies to all systems, check out "MetaQuark AppFresh" to help identify software that needs updating on Mac operating systems.
It's worth mentioning again (and without fear of being redundant!): to reduce the risk from Blacole, replace insecure program versions with patched ones. In conclusion, we remind you to follow best practices and to use security software to promote a healthy digital ecosystem.
--Patrick Nolan, MMPC
January '12 MSRT: Win32/Sefnit
The January 2012 edition of the Microsoft Malicious Software Removal Tool (MSRT) includes detection and removal of the Win32/Sefnit family of trojans. This trojan family intercepts and redirects web browser search results for Bing, Yahoo! and Google.
The earliest reported variant in this family can be traced back to August 2010. The installation mechanism employed by early samples remains very similar to the samples we observe in the wild today. Sefnit variants use a Nullsoft Scriptable Install System (NSIS) dropper to install an obfuscated dynamic link library (DLL) component. The dropper executes the component using "rundll32.exe", and the component also runs at Windows logon.
The obfuscation technique has changed from a “spaghetti-style” of numerous unconditional branches between small islands of code to one that hides “in plain sight”. In the following example, the immediate value 1Bh is moved into the cl register via the local variable ‘var_1’ rather than directly.
Figure 1. Example of simply obfuscated subroutine from a recent Sefnit variant
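This "in plain sight" obfuscation can be undone mechanically. The following added example (not from the original post and not based on a Sefnit sample) is a small peephole pass over text disassembly in the syntax of Figure 1: it folds an immediate that is stored to a stack temporary and then reloaded into a register back into a direct move, drops the store when nothing else reads the slot, and deliberately refuses to fold across a label or control transfer or when another instruction touches the slot in between. The listing it runs on is constructed to exercise those cases.

```python
"""Peephole pass that undoes 'immediate -> stack temporary -> register' obfuscation.

Added example; not code from the original post and not a Sefnit artifact. It
works on text disassembly in the IDA-style syntax of the post's figure, so
'mov [ebp+var_1], 1Bh' followed by 'mov cl, [ebp+var_1]' becomes 'mov cl, 1Bh'.
SAMPLE_LISTING is constructed, including the cases where folding must not happen.
"""
import re
from collections import Counter
from typing import List, Optional

SIZE = r"(?:(?:byte|word|dword)\s+ptr\s+)?"
SLOT = r"\[(?P<slot>ebp[+-]\w+)\]"
TAIL = r"(?:\s*;.*)?\s*$"
STORE_RE = re.compile(rf"^(?P<indent>\s*)mov\s+{SIZE}{SLOT}\s*,\s*(?P<imm>[0-9A-Fa-f]+h|\d+){TAIL}", re.I)
LOAD_RE = re.compile(rf"^(?P<indent>\s*)mov\s+(?P<reg>[a-z]{{2,3}})\s*,\s*{SIZE}{SLOT}{TAIL}", re.I)
SLOT_REF_RE = re.compile(r"\[(ebp[+-]\w+)\]", re.I)
# Labels and control transfers end the straight-line region the pass reasons about.
BOUNDARY_RE = re.compile(r"^\s*(?:[A-Za-z_]\w*:|(?:j[a-z]+|call|ret\w*|loop\w*)\b)", re.I)


def fold_stack_temporaries(listing: List[str]) -> List[str]:
    """Propagate an immediate stored to a stack slot into the register load that
    follows it, and drop the store when the slot has no other reference.
    Folding happens only within one straight-line region and only if nothing
    else referenced the slot in between. Operand sizes are not cross-checked and
    aliasing through 'lea reg, [ebp+X]' is not tracked, so treat the output on
    real samples as a reading aid rather than a verified rewrite."""
    refs = Counter(s.lower() for line in listing for s in SLOT_REF_RE.findall(line))
    out: List[Optional[str]] = list(listing)
    known = {}  # slot -> (immediate text, index of the store line)
    for i, line in enumerate(listing):
        if BOUNDARY_RE.match(line):
            known.clear()
            continue
        m = STORE_RE.match(line)
        if m:
            known[m["slot"].lower()] = (m["imm"], i)
            continue
        m = LOAD_RE.match(line)
        if m and m["slot"].lower() in known:
            slot = m["slot"].lower()
            imm, store_idx = known.pop(slot)
            out[i] = f"{m['indent']}mov     {m['reg']}, {imm}"
            if refs[slot] == 2:  # only the store and this load: the temporary is gone
                out[store_idx] = None
            continue
        for slot in SLOT_REF_RE.findall(line):  # anything else touching the slot is unknown
            known.pop(slot.lower(), None)
    return [l for l in out if l is not None]


# Constructed listing (not from a sample). Comments mark what the pass should do.
SAMPLE_LISTING = [
    "sub_401000:",
    "    push    ebp",
    "    mov     ebp, esp",
    "    sub     esp, 10h",
    "    mov     [ebp+var_1], 1Bh",            # the pattern from the post: folded, store dropped
    "    mov     cl, [ebp+var_1]",
    "    xor     al, cl",
    "    mov     dword ptr [ebp+var_8], 10h",  # folded below, but the store stays: var_8 is read again
    "    mov     eax, [ebp+var_8]",
    "    push    [ebp+var_8]",
    "    mov     [ebp+var_2], 5",
    "loc_40102A:",                              # label: var_2 may arrive from another path, no folding
    "    mov     dl, [ebp+var_2]",
    "    leave",
    "    retn",
]

if __name__ == "__main__":
    print("\n".join(fold_stack_temporaries(SAMPLE_LISTING)))
```

The pass is intentionally conservative: a store is removed only when the slot is referenced exactly twice in the whole listing, and a label between store and load is enough to stop the fold, because the value at the label may have come from a different predecessor.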
Once this component of Sefnit is installed, it attempts to redirect browser search results for the Bing, Yahoo! and Google search engines. Win32/Sefnit is often installed by exploit kits such as "Blackhole" (detected as Blacole), or distributed on file sharing networks with enticing "keygen" or "crack" styled file names.
Examining the December 2011 reports from the 81,147 unique customer machines that reported a Sefnit infection to the MMPC, we observed the following families most often on the same machines:
- FakeRean was the most reported family, affecting 9.78% of computers
- Blacole was the second most reported family, affecting 9.3% of computers
- Following closely in third place was Sirefef, affecting 9.15% of computers
Consider this month's release of the MSRT like a digital beagle, sniffing out Sefnit as if it were a doggy biscuit and disposing of it properly. Thank you for reading!
Scott Molenkamp
MMPC Melbourne
Are You Beta Testing Malware pt 2: Dissecting Fynloski's Obfuscation
This post is part two of two.
In our previous post, we came across a couple of files that used popular games as part of their social engineering technique. One of them, named "diablo3-crack.exe" (after the Diablo video game series), is currently detected as Backdoor:Win32/Fynloski.A. It piqued our interest because we're avid gamers, and when we took a closer look we found, to our surprise, that the obfuscation technique it uses is also interesting.
An initial look at the file (SHA1: a3ca4151c31181a3b948b7cd6a1ef97754fcce22) revealed an intriguing thing about the way it decodes its strings, as in Figure 1 below:

Fig. 1 - Backdoor:Win32/Fynloski.A code
We can see from Figure 1 that this code copies the file into a temporary folder, but we can't yet see the name used for the copy. We'll need to decrypt it first.
We've seen this type of encryption used in various other threats, such as Worm:Win32/Ainslot.A, Worm:Win32/Skopvel and Worm:Win32/Rebhip.A, so we decided to dig deeper. In order to decrypt the strings and see what the code does, we translated the routine into its C# equivalent (shown in Figure 2):

Fig. 2 - Decryptor for Backdoor:Win32/Fynloski.A converted to C#
By feeding the two strings (the encoded string and the key) into our decoding routine, we can recover more information about what the malware does. For example, after decryption (Figure 2) we can see that the malware uses svchost.exe as the name for the dropped file.
Now that we've decrypted the code, let's have a look in Figure 3 at the start of the injection routine:

Fig. 3 - Start of the injection routine for Backdoor:Win32/Fynloski.A (note that this is an incomplete code snippet)
The routine is obfuscated, but once we decode the strings and resolve the data structures, we get a human-readable version, shown in Figure 4, of what's going on:

Fig. 4 – C#-like translation of the code snippet shown in Figure 3
From here on, the code is straightforward. The backdoor routine is injected into various legitimate processes via the WriteProcessMemory API. A detailed description of what the malware does can be found in its encyclopedia description.
As always, run an antivirus solution to protect your computer against these kinds of threats.
--
Andrei && Francis
Are you beta testing malware?
This post is part one of two.
Popular games are often used by malware writers as social engineering bait as documented in previous blogs ("Dota Players Own3d" and "Keeping Kerrigan From Infection"). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files:
- "dota 2 Betakeys.txt.exe" (detected as Backdoor:MSIL/Pontoeb.J)
- "diablo3-crack.exe" (detected as Backdoor:Win32/Fynloski.A)
These files were noted as being available through various torrent/file sharing websites.
The first file refers to Defense of the Ancients (DotA) 2, an update to the popular custom scenario map DotA for Warcraft III: The Frozen Throne. The second refers to Diablo III. Although the official release date for both games is still in 2012, beta versions are available for testers. However, curiosity about these games seems to lead to other dangers, like the wilderness of Diablo II (released in 2000 – more than a decade ago!). We played the previous versions of both Diablo and DotA, with and against each other (during our free time, of course :) ).
The "fun" begins once the Pontoeb malware is executed. Pontoeb starts by gathering information from the infected system, which it then sends back to a remote attacker. The information is collected through a WMI query that retrieves data such as the SerialNumber, SystemDrive, operating system and processor architecture. Its ultimate goal, however, is to turn the infected system into a zombie. It installs a backdoor to which an attacker connects in order to control the infected system and execute commands (for example, download a file, update itself, visit a website, and perform HTTP, SYN and UDP flooding). A detailed description of what the malware does can be found in its encyclopedia description.
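Both lure names rely on the file name itself doing the social engineering: a document extension in front of the real .exe, or a "crack" name on an executable. The following added example (not from the original post) is a small classifier a mail gateway or download monitor could apply to attachment and download names. The decoy and executable extension sets, the lure words and the test names are assumptions, and the right-to-left override check goes beyond what the post describes.

```python
"""Flag file names built to pass an executable off as something else.

Added example; not code from the original post. The checks generalise the two
lure names the post reports ("dota 2 Betakeys.txt.exe", "diablo3-crack.exe"):
a decoy document extension in front of an executable one, whitespace padding
that pushes the real extension out of view, the right-to-left override trick
(not mentioned in the post), and crack/keygen lure words. Reasons come back as
strings so a gateway can log them; an empty list means nothing was flagged.
"""
import re
from typing import List

# Assumed sets; extend to match what your environment allows users to run.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}
DECOY_EXT = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".png", ".gif",
             ".mp3", ".avi", ".zip", ".rar"}
LURE_WORDS = ("crack", "keygen", "serial", "betakey")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: makes 'photo<RLO>gpj.exe' display as 'photoexe.jpg'


def classify(name: str) -> List[str]:
    reasons: List[str] = []
    lower = name.lower().strip()
    parts = lower.rsplit(".", 2)  # e.g. ['dota 2 betakeys', 'txt', 'exe']
    final = "." + parts[-1] if len(parts) > 1 else ""
    if RLO in name:
        reasons.append("right-to-left override in name")
    if final in EXEC_EXT:
        if len(parts) == 3 and "." + parts[-2].strip() in DECOY_EXT:
            reasons.append(f"double extension (.{parts[-2].strip()}{final})")
        if re.search(r"\s{3,}\.\w+$", lower):
            reasons.append("whitespace padding before extension")
        if any(w in lower for w in LURE_WORDS):
            reasons.append("lure word in name")
    return reasons


if __name__ == "__main__":
    for n in ["dota 2 Betakeys.txt.exe", "diablo3-crack.exe", "report.pdf"]:
        print(repr(n), "->", classify(n) or "ok")
```

The double-extension and padding checks only fire when the real extension is executable, so an ordinary "archive.tar.gz" is not reported; the lure-word check is the weakest signal and is best used to raise priority rather than to block on its own.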
The second sample, Fynloski, which mimics the Diablo icon, is a remote access tool (RAT) that is used for malicious purposes, as outlined by our colleague Daniel here.
Figure 1: icon used by Fynloski
It's basically a backdoor trojan that gains access to almost all the resources and information in your computer; for example, it can log keystrokes, download and run arbitrary files, and disable security settings. More details about Fynloski are available in its encyclopedia description. But what really got our attention was the obfuscation technique that it uses, which we will discuss in our next post.
If you're running Microsoft Security Essentials, you're protected against these threats like you would be in Diablo if you have a Blade Barrier. And of course, if you want to continue enjoying your video games in a secure environment, please visit the official DotA and Diablo websites for the actual beta versions.
As always, enjoy playing and be vigilant! GG (Good Game) everyone!
--
Andrei && Francis
SHA1s used in this post:
803fbc9388203458060f354b0fd3ffe68c506275 – Backdoor:MSIL/Pontoeb.J
a3ca4151c31181a3b948b7cd6a1ef97754fcce22 – Backdoor:Win32/Fynloski.A
Disorderly conduct: localized malware impersonates the police
We have recently seen the emergence of several samples of a ransomware family localized into different languages. Malware that relies on localized social engineering tactics has been around for a few years, as we discussed in our two-part series on Program:Win32/Pameseg, and as evident in the surge of password stealers targeting Brazilian online banking websites. Ransomware, which renders a computer unusable and then demands payment, supposedly to make it usable again, has existed for quite some time as well.
What is remarkable in the cases of ransomware we've seen lately is the effort that the authors have put into creating different versions for every targeted country. We've so far seen variants localized into four languages: English, Spanish, German, and Dutch. The list of imitated institutions is also quite long. It includes:
- The German Federal Police
- GEMA (Germany's performance rights organization)
- The Swiss "Federal Department of Justice and Police"
- The UK "Metropolitan Police"
- The Spanish Police
- The Dutch Police

Figure 1 – Some of the banners used by ransomware. Note that some of these banners don't exactly match the entities being imitated. For example, the Spanish police is called "Policia Nacional" rather than "La policia Española"
Upon execution, the ransomware locks the computer, displays the localized screen using one of the banners in Figure 1, and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are not involved in any way with the scammers' scheme; instead, they are being used for malicious purposes.
Interestingly, the geographical distribution of most samples matches the targeted countries closely. In the case of Trojan:Win32/Ransom.DU, a generic detection for a German-language variant of the ransomware that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany, as we show in Table 1.

Table 1 – Geographical distribution of Trojan:Win32/Ransom.DU, a German-language ransomware variant, from July 2011 to November 2011
During our research we found that this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved. That doesn't really come as a surprise, since nowadays Blackhole distributes many widespread malware families: Worm:Win32/Gamarue, PWS:Win32/Zbot, Rogue:Win32/Winwebsec, Trojan:Win32/FakeSysdef, PWS:Win32/Sinowal, and others.
In Figure 2, we show how the distribution scheme works for Trojan:Win32/Ransom.FL and Trojan:Win32/Lockscreen.BO, which again target German-language speakers. One scenario is that a user visits a legitimate website that has been compromised with malicious JavaScript code. This results in the browser being redirected to a URL at which the exploit kit is hosted. Another way one can land on a Blackhole domain is by clicking on a spammed link. We are aware of several spam campaigns that contain links to the exploit kit, and we know that some of the spam is generated by the Cutwail botnet.
The Blackhole exploit kit checks for the presence of several vulnerabilities on the system, as visible in Figure 2. If the user hasn't installed all of the available Microsoft security updates or is using a browser with vulnerable plug-ins, malware may be downloaded and executed automatically, without human intervention. The good news is that no zero-day exploits that we know of are involved, so keeping your software up to date will considerably reduce the likelihood of infection.

Figure 2 – The distribution of Trojan:Win32/Ransom.FL and Trojan:Win32/Lockscreen.BO using the Blackhole exploit kit
Upon execution, all the ransomware versions discussed so far lock the computer due to what they say is illegal activity found by the authorities. For example, Trojan:Win32/Ransom.FS displays the screen shown in Figure 3, supposedly from the Swiss "Federal Department of Justice and Police":

Figure 3 – Main screen of Trojan:Win32/Ransom.FS
The intimidating message, used to scare people into paying, roughly translates to "Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is <removed>. From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities".
It then goes on to ask for a payment of 150 CHF within 24 hours via Paysafecard, or the computer's hard disk contents will supposedly be erased. To appear more legitimate, Trojan:Win32/Ransom.FS queries a legitimate public IP address geolocation service at tools.ip2location.com/ib2 to determine the country and the ISP from which the infected computer is connecting to the Internet.
Let's go back to the German case. The previously mentioned Trojan:Win32/Ransom.FL asks for payment via Ukash. In this case, the user buys a Ukash voucher from one of its widely available global locations and in exchange receives a 19-digit PIN. The user then enters the PIN into a form provided by the ransomware, along with the value shown on the Ukash voucher. This is exactly the same as handing your wallet to the bad guys and losing all the cash you have in it. To quote a security tip on the Ukash website: "Ukash works just like cash. Giving your Ukash voucher code to someone you don't know or a merchant that is not approved by Ukash puts you at risk of losing your money".
Similar to bills, Ukash vouchers are only available in certain values, such as 10€, 20€, 50€, 100€ and so on. If you want to pay, say, 15€ and the voucher is worth 20€, a legitimate service will generate and send you a new PIN for the "change", the difference between the payment amount and the voucher value. Of course, the authors of the scam don't bother to do this, so you get no change back.
The PIN form is actually embedded in an HTML page, rendered by a WebBrowser ActiveX control. Looking at the JavaScript involved in PIN validation in Figure 4, it's clear that the unlock code is posted to a server owned by the perpetrators of the scam, but the HTTP response is simply discarded. So even those who pay don't get their computers unlocked. In the unfortunate case that your computer is infected with this malware, don't even consider paying: the computer will not be unlocked anyway, so paying only adds a lost voucher to the problem.

Figure 4 – JavaScript code that processes the Ukash PIN
All the localized versions of the ransomware that we've encountered so far, except for the more recent GEMA case, have a very similar codebase. The HTML front-end has been translated, while the back-end stays almost the same, with the exception of some obfuscation layers. This fact indicates that they were created by the same gang, which has put some effort into designing an easy-to-localize solution. Another difference among samples is the amount of the supposed "fines" requested from victims for each targeted country.

Table 2 – Amount of the supposed "fine" for each targeted country
Lately, we've seen malware authors perfecting old money-making scams. Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing to the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole. Make sure you install all the relevant Microsoft security updates and that your browser and browser plug-ins are up to date to mitigate the risk of drive-by downloads. Instructions on how to update commonly used software can be found here. Manual removal instructions for each of the discussed threats can be found in the MMPC malware encyclopedia entry for that particular threat (click on any of the links below to go straight to the entry).
Samples discussed in this post:
- Trojan:Win32/Ransom.DU – 01b3718bc1dca17770cd2fc8a7e1f445c8a78773
- Trojan:Win32/Ransom.FS – f9e0f996b45b813d306597939bceac33737469bf
- Trojan:Win32/Ransom.FL – cbc346bcbb5dd921d0ed9c486e571a6603ea5ddc
- Trojan:Win32/Lockscreen.BO – 1acaa119143bad6b3efc09c8ac5086b3bbcc0f1d
PS: Just today we encountered a sample targeting residents of France. It poses as a warning from the "Gendarmerie nationale" and demands the payment of 200€. It's also detected as Trojan:Win32/Ransom.FL (SHA-1 21007c5c048f4763750b912b5c89da54a86d34f2).

Figure 5 – The banner used by a recent sample that targets residents of France
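As an added example (not code from the MMPC post), here is a small Python triage helper built only from the indicators this post publishes: the listed SHA-1s and the tools.ip2location.com/ib2 geolocation lookup made by Trojan:Win32/Ransom.FS. The proxy log layout is an assumption and the log lines are constructed; a hit on the geolocation lookup alone is a pivot point, not proof of infection.

```python
"""Added example (not the post's code): triage helpers built from the indicators
in this post. File hashes are matched against the listed SHA-1s, and proxy-log
clients that made the public geolocation lookup Trojan:Win32/Ransom.FS performs
(tools.ip2location.com/ib2) are flagged. Log format is assumed; lines are constructed."""
import hashlib
import re

# SHA-1s published in the post, keyed by detection name.
KNOWN_SAMPLES = {
    "01b3718bc1dca17770cd2fc8a7e1f445c8a78773": "Trojan:Win32/Ransom.DU",
    "f9e0f996b45b813d306597939bceac33737469bf": "Trojan:Win32/Ransom.FS",
    "cbc346bcbb5dd921d0ed9c486e571a6603ea5ddc": "Trojan:Win32/Ransom.FL",
    "1acaa119143bad6b3efc09c8ac5086b3bbcc0f1d": "Trojan:Win32/Lockscreen.BO",
    "21007c5c048f4763750b912b5c89da54a86d34f2": "Trojan:Win32/Ransom.FL (French banner)",
}
# Legitimate geolocation endpoint the Ransom.FS sample queries (scheme stripped).
GEO_ENDPOINT = "tools.ip2location.com/ib2"
# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")
# Constructed log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2011-12-01T10:02:11Z 10.0.0.23 GET http://tools.ip2location.com/ib2 200",
    "2011-12-01T10:02:13Z 10.0.0.23 POST http://example.invalid/unlock.php 200",
    "2011-12-01T10:03:40Z 10.0.0.57 GET http://www.microsoft.com/ 200",
    "2011-12-01T10:04:02Z 10.0.0.99 GET https://tools.ip2location.com/ib2?x=1 200",
    "garbage line that does not parse",
]

def sha1_of_file(path, chunk=1 << 16):
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def lookup_detection(sha1_hex):
    """Map a SHA-1 (any case) to the post's detection name, or None if unknown."""
    return KNOWN_SAMPLES.get(sha1_hex.strip().lower())

def flag_geolocation_lookups(log_lines):
    """Return client IPs that requested the ip2location endpoint. Low fidelity on
    its own (legitimate software uses the service too): treat a hit as a pivot to
    inspect that client for a lock screen, not as proof of infection."""
    clients = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and re.sub(r"^https?://", "", m.group(4)).startswith(GEO_ENDPOINT):
            clients.add(m.group(2))
    return clients
```

Run `lookup_detection(sha1_of_file(path))` over suspect files and `flag_geolocation_lookups(open(log).readlines())` over a proxy log in the assumed format; the unlock server itself is not named in the post, so it is not included as an indicator.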
-Horea Coroiu, MMPC