
Thanks for Lazy, Repetitive Malware Scams, Mal-Slackers

2011-11-24


As another Thanksgiving rolls around, I’d like to take a moment to give thanks for the things that make my life and work a little easier. So, thank you, cybercriminals, for having so little ability to craft an original scam or thought. The fact that you’re using tired, hackneyed social engineering scams in your attempt to infect computers with malware makes it far easier for everyone to identify those same boring, repetitive attacks—and avoid them. Your laziness and sloppy consistency are a gift.

For the past several weeks, we’ve been watching the criminals rev up their activities with email spam and exploit kits. You might recognize some of the names of companies referenced in the spam email we’ve been receiving: the trade association NACHA; UPS, DHL, and the US Postal Service (whose initials, USPS, these criminal masterminds cannot help but confuse with UPS); and online stores like Athleta and YesAsia.

Regifting: It’s what the cybercriminals are doing this holiday season.

While all of the scam messages eventually lead to an infection, some of the messages contain Zip attachments, while others appear to link to documents on external Web sites. In most cases, the messages appear to be a confirmation that you’ve ordered something online and either (a) your “order” has gone through, (b) your “order” has shipped, or (c) your credit card transaction (usually for a high-ticket item) has been cancelled.

Of course, at this time of year, it’s far easier for the average person to mistake one of these malicious emails for a real one, which is why it seems to always ramp up around the holidays. As always, it pays to use a little caution and closely scrutinize any email’s links, especially when you didn’t order the thing(s) the message says you did, and avoid opening those Zip attachments.

Some of the NACHA emails we received, for instance, linked to Web sites hosting the Blackhole Exploit Kit. Blackhole is one of the more common exploit kits in use, though it shares many characteristics with other exploit kits.

Generally speaking, when your browser visits one of these sites, the site throws everything it knows at the browser and any browser plugins known to be vulnerable, in an attempt to infect the computer.

The bad news is, on a computer which hasn’t been kept up to date, Blackhole and other exploit kits remain an effective tool for forcing the computer to infect itself with malware. The good news is, updating your computer and third-party software — especially things like Java, Adobe Flash, and Adobe Reader — will prevent most of the exploits from functioning.

In our tests, where we allowed testbed computers to become infected, those three applications were the most frequently attacked. Take a look at the crazy code used to push down this malicious Java JAR file. The latest versions of these third-party apps prevented the exploit kit from functioning, which kept the infections at bay.

When we visited these sites, the browser showed nothing but a simple message on an otherwise blank window: “Please wait page is loading…” Meanwhile, the browser itself was busy getting owned by the bad guys. In the background, hidden from the user, scripts were running that in some cases led to malware being executed on the testbeds, and in others simply crashed the browser.

In one case, a Flash vulnerability led to an infection with an intriguing game phishing malware from China. It started with a small executable, which downloads two files that have the .OCX file suffix of an ActiveX control (but are actually DLLs)…

…loads them, which makes a bunch of very interesting changes on the file system…

…then begins swapping a lot of data with a lot of different Chinese-operated Web servers, always passing the email address p1wdvdatmfk9@changyou.com as a parameter.

Chang you too, buddy.

The malware pulls down a new list of URLs to phone home to about every 15 minutes. It’s a big list. The traffic from this Trojan was just enormous. Staying under the radar is not this bad boy’s concern.

In another attack, a malicious PDF loaded into an older, vulnerable version of Adobe Reader exploited a vulnerability that resulted in the Zeus Trojan becoming installed…

…with a legitimate-looking payload — the command line WinRAR archiving tool, version 4.1.0. (Properties of the file named wpbt0.dll, above, shown below)

The Jorik malware, a downloader that came as an attachment to various shipping confirmation emails, installed a rogue product named after the System Restore feature in Windows.

This System Restore rogue (and its companion Fakealert loader) triggers Windows to load a large number of dialog boxes with ominous-sounding, dire warnings about the state of the computer’s hard drive. The messages say:

Windows – Delayed Write Failed

Failed to save all the components for the file \\System32005604. The file is corrupted or unreadable. The error may be caused by a PC hardware problem.

It also sets the Hidden attribute on every file on the hard drive, and then flips off the Explorer setting that lets you see files marked as Hidden. Nothing goes missing, but it’s a convincing ruse to an unsuspecting, unsophisticated computer user.

By the way, if you need to reverse the Hidden files attribute changes made by this rogue, just open cmd.exe (as an Administrator, if you’re running Vista or 7) and type the following into the console window. (Modify the drive letter as necessary, because this jerk likes to hide all files on all mapped hard drives. Jerk.)

attrib -H c: /S
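For a cleanup that covers every mapped drive in one go and also restores the Explorer “show hidden files” setting the rogue flips, here is an added PowerShell script (my own example, not part of the original post or the rogue’s behaviour). It assumes the rogue changed only the Hidden attribute and that per-user Explorer setting; it skips anything carrying the System attribute so genuine OS files stay hidden, but, like the attrib command above, it will also unhide legitimately hidden non-system items such as AppData.

```powershell
# Added example: undo the System Restore rogue's "hide everything" trick.
# Run from an elevated PowerShell prompt (Vista/7: right-click, "Run as administrator").
# Assumption: only the Hidden attribute and Explorer's per-user "show hidden files"
# switch were tampered with; System-attributed files/folders are deliberately left alone.

# 1. Restore Explorer's "Show hidden files, folders, and drives" option for this user.
#    Value meaning: 1 = show hidden items, 2 = do not show. Explorer reads it on next launch.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord

# 2. Walk every file-system drive (local and mapped, since the rogue hits both)
#    and clear Hidden on items that are Hidden but NOT System.
$roots   = (Get-PSDrive -PSProvider FileSystem).Root
$touched = 0
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object {
          ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
          -not ($_.Attributes -band [IO.FileAttributes]::System)
      } |
      ForEach-Object {
          # Clear only the Hidden bit; leave ReadOnly, Archive, etc. untouched.
          $_.Attributes = $_.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
          $touched++
      }
}

# 3. Report what was changed so the cleanup can be sanity-checked.
Write-Host ("Cleared Hidden on {0} items across: {1}" -f $touched, ($roots -join ', '))
```

Log off and back on (or restart explorer.exe) afterwards so Explorer picks up the restored setting.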

As always, the rogue is just trying to convince you to pay for software you don’t need, and won’t quit until you send your credit card data to a Russian payment server.

Using tools like the NoScript add-on for Firefox, which stops the malicious JavaScript code from functioning, defeats virtually all exploit kits. But that shouldn’t stop you from updating Flash, Acrobat, and Java as well.

When it comes to the email attachments, the best advice we can offer is to remain vigilant. Don’t click anything you aren’t expecting to receive. Even an HTML attachment can contain exploit code, or redirect your browser to a site where that exploit code is hosted.

Another thing you can do is check the reputation of Web sites before you visit them. Norton SafeWeb, McAfee SiteAdvisor, Webroot’s Brightcloud, and Web of Trust all offer plugins for Firefox. Sites such as URLVoid and VirusTotal let you paste a URL into a field and check its reputation against many more services.

Firefox and Chrome also check URLs against the Stopbadware database and warn you about sites known to be vehicles for an infection before you visit.

Have a safe and happy holiday season, and may your Black Friday bring you no unwanted surprises.