Friday, July 17, 2009

Shameless SEO Based on Jakarta Bombing Incident

John Bambenek over at the Handler's diary posted on this morning's shameless SEO attempts to redirect news seekers to exploit pages. The end result on a successfully compromised system is a download of FakeAv (or "scareware"). Currently, its name is presented as "Personal Antivirus":



The ThreatFire community is safe from pav.exe, and there have been a number of triggers on various versions of the file early this morning. Detection for the major vendors is very low to non-existent for the current variants.

Surprisingly, the Waledac and Zbot groups have been quiet on this news story so far. We'll monitor the situation closely.

Thursday, July 16, 2009

Ongoing Downloader Activity, Now at 64.20.38.172

The gang distributing FakeAv downloaders and more have moved their goods and scheme to yet another server and adult theme. In addition to downloader filenames like streamviewer.45043.exe, tubeviewer.ver.6.21586.exe, onlinemovies.45023.exe, the group is finding success in their new addition, freepornmovies.40067.exe. The ThreatFire community is protected from these downloaders, and the newest is showing up in higher volumes.

For the most part, this downloader is being served from 64.20.38.172. The following domains currently resolve to that address:
exe-direct. com
exe-get. com
exe-online-world. com
exe-paste. com
exe-porto. com
exe-site. com
exefileformat. com
exenetsfiles. com
freeexefiles. com
hotexefiles. com
my-exe-load. com
newexefile. com
red-exe. com
robo-exe. com
soft-exe. net
the-exefiles. com
tiaexe. com

The downloader itself currently is pulling down embedded, encrypted malicious files, described in a previous post, from
myart-gallery. com
robert-art. com
superarthome. com

Be wary of codecs that may be tempting to download and run.

Advanced Virus Remover PRO at 92.241.176.188

Users continue to get slammed by a Rogue Antivirus distributor. We've posted before about the prevalent Virut family redirecting compromised hosts to download FakeAv or scareware product. You can see a screenshot of the previous scareware scam "Secure Antivirus Pro" from "Guardog Computing" at the previous post. Compare to the current version "Advanced Virus Remover PRO":



Along with patching the TCP/IP driver, another fairly prevalent and currently active malicious component in the same campaign edits the hosts file, adding the following entries on victim systems:
92.241.176.188 advanced-virus-remover2009. com
92.241.176.188 www.advanced-virus-remover2009. com

Check out the image in the TE report: the bundled lvllord component describes its own purpose there, raising the maximum number of concurrent half-open TCP connections, and warns "VALUES HIGHER THAN 100 ARE NOT RECOMMEND! Worms will be able to spread very fast!" It is obvious which tool these distributors are bundling and reusing in an attempt to increase the networking throughput of the compromised system.

When there is money to be made on scareware, the same behaviors will be displayed again and again in malware, including the stuff by sloppy authors.

Wednesday, July 15, 2009

QQ Password Stealing via ActiveX Office Web Component 0day

We have been monitoring and examining the second fairly prevalent ActiveX 0day of the past couple of weeks, this one targeting the Microsoft Office Web Components ActiveX control in Internet Explorer. The exploits have been distributed mostly from servers in China, and accordingly the payloads that we have examined target a massive Chinese audience.

The final payload that is downloaded and executed after visiting one of these sites is an executable that drops a dll to disk and runs it. The dll in turn attempts to steal info from the hugely popular Tencent QQ components. It does so by using hooks and capturing screenshots of the entire desktop. These hooks steal QQ usernames and passwords, in particular QQ Game's Dungeon and Fighter. To give you an idea of the size of the target audience, QQ Game reports that it has over 200 million registered accounts.

Following successful 0day exploitation, the malware copies out a dll and, as an evasion technique, copies rundll32 (normally used to load dlls) to myInsDll.exe in system32. The malware calls ShellExecute on this renamed rundll32 component, which loads the dropped dll. Depending on the command line argument, the dll code will either delete components or start the heist. First, the dll disables Windows File Protection with a well-worn technique:


On a successful WFP disable, it deletes Comres.dll from dllcache and replaces Comres.dll with a copy of itself. When c:\Program Files\Tencent\DNF\DNF.exe is started, it normally loads Comres.dll. This code illustrates the switch:
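Two of the on-disk artifacts described above, a byte-for-byte copy of rundll32.exe under another name in system32 and a Comres.dll that no longer matches (or no longer has) its dllcache copy, can be checked for with the following added example. This is illustrative code written for this post, not the malware's own code or ThreatFire's detection logic; the directory tree it scans is a constructed stand-in built in a temp directory, and the file contents are fake placeholders rather than real PE images.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large system binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_renamed_copies(system32, reference="rundll32.exe"):
    """Return executables in system32 whose bytes are identical to the reference binary.

    A legitimate system32 has exactly one rundll32.exe; a second file with the same
    content under a different name (myInsDll.exe in this campaign) is the artifact.
    """
    ref = os.path.join(system32, reference)
    if not os.path.isfile(ref):
        return []
    want = sha256_of(ref)
    hits = []
    for name in sorted(os.listdir(system32)):
        path = os.path.join(system32, name)
        if name.lower() == reference.lower() or not os.path.isfile(path):
            continue
        if name.lower().endswith((".exe", ".dll", ".scr", ".com")) and sha256_of(path) == want:
            hits.append(name)
    return hits


def check_protected_dll(system32, name="Comres.dll"):
    """Compare a WFP-protected DLL with its dllcache copy.

    With WFP intact the two files are identical. The malware deletes the dllcache
    copy first so WFP cannot restore the original, then overwrites the live file.
    """
    live = os.path.join(system32, name)
    cache = os.path.join(system32, "dllcache", name)
    if not os.path.isfile(live):
        return "missing"
    if not os.path.isfile(cache):
        return "no dllcache copy"
    return "ok" if sha256_of(live) == sha256_of(cache) else "mismatch"


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_tree(infected):
    """Constructed stand-in for a system32 directory (assumption: not a real Windows tree)."""
    root = tempfile.mkdtemp()
    s32 = os.path.join(root, "system32")
    os.makedirs(os.path.join(s32, "dllcache"))
    rundll = b"MZ fake rundll32 contents"        # placeholder bytes, not a real PE
    comres = b"MZ fake comres contents"
    _write(os.path.join(s32, "rundll32.exe"), rundll)
    if infected:
        _write(os.path.join(s32, "myInsDll.exe"), rundll)       # renamed rundll32 copy
        _write(os.path.join(s32, "Comres.dll"), b"MZ dropped dll")  # replaced, dllcache copy deleted
    else:
        _write(os.path.join(s32, "Comres.dll"), comres)
        _write(os.path.join(s32, "dllcache", "Comres.dll"), comres)
    return s32


def scan(system32):
    """Run both checks and return their results as a dict."""
    return {
        "renamed_rundll32": find_renamed_copies(system32),
        "comres": check_protected_dll(system32),
    }


if __name__ == "__main__":
    print("clean tree:   ", scan(build_tree(infected=False)))
    print("infected tree:", scan(build_tree(infected=True)))
```

Hash equality only catches exact copies; on a live system one would also compare the PE version resource's OriginalFilename against the file name, and verify the live Comres.dll against a known-good hash rather than trusting the dllcache copy, since the malware controls both after WFP is disabled.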

When the new Comres.dll is loaded into DNF.exe, the dll steals the QQ user name, password, serial, total money and more from unsuspecting users. To do so, it first places several hooks within TenQQAccount.dll and QQAccount.dll:


The jump hooks are written directly to the dll text segments:



All data, including captured usernames, passwords, and entire desktop screenshots were being uploaded to 080506.8866.org.
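The hooks shown above are plain 5-byte relative jumps (E9 rel32) patched over the first instruction of the target functions, which is also what makes them easy to find: an exported function whose first byte is E9 and whose jump lands outside the module it belongs to is almost certainly hooked. The following added example, written for this post rather than taken from the malware or from ThreatFire, patches such a hook into a constructed in-memory module and then detects it. The module layout, base address, export names and hook target are all assumptions for the demonstration.

```python
import struct

# Constructed module: 0x100 bytes of text mapped at BASE with three export stubs.
# Names and addresses are assumptions for the demonstration, not real QQ exports.
BASE = 0x10000000
PROLOGUE = b"\x8B\xFF\x55\x8B\xEC\xC3"  # mov edi,edi ; push ebp ; mov ebp,esp ; ret
EXPORTS = {"Login": BASE + 0x10, "GetAccountName": BASE + 0x40, "Helper": BASE + 0x80}


def build_module():
    """Fill the text section with int3 padding and place a stub prologue at each export."""
    img = bytearray(b"\xCC" * 0x100)
    for va in EXPORTS.values():
        off = va - BASE
        img[off:off + len(PROLOGUE)] = PROLOGUE
    return bytes(img)


def patch_jmp(image, image_base, va, target):
    """Overwrite the entry at va with an E9 rel32 jump to target, as an inline hook does."""
    off = va - image_base
    rel = target - (va + 5)              # rel32 is relative to the end of the 5-byte jmp
    return image[:off] + b"\xE9" + struct.pack("<i", rel) + image[off + 5:]


def find_jmp_hooks(image, image_base, exports):
    """Return {export_name: jump_target} for entries hooked with an out-of-module E9 jump.

    image:      bytes of the module's text section as mapped in memory
    image_base: virtual address of image[0]
    exports:    export name -> virtual address of the function entry
    Intra-module jumps are ignored; compilers emit those legitimately.
    """
    hooks = {}
    end = image_base + len(image)
    for name, va in exports.items():
        off = va - image_base
        if off < 0 or off + 5 > len(image) or image[off] != 0xE9:
            continue
        rel = struct.unpack_from("<i", image, off + 1)[0]
        target = va + 5 + rel
        if not (image_base <= target < end):
            hooks[name] = target
    return hooks


def demo():
    """Scan a clean module and a hooked copy; returns (clean_hooks, hooked_hooks)."""
    clean = build_module()
    hooked = patch_jmp(clean, BASE, EXPORTS["Login"], 0x00401000)           # into the dropped dll
    hooked = patch_jmp(hooked, BASE, EXPORTS["Helper"], EXPORTS["Helper"] + 0x20)  # benign, stays in module
    return find_jmp_hooks(clean, BASE, EXPORTS), find_jmp_hooks(hooked, BASE, EXPORTS)


if __name__ == "__main__":
    before, after = demo()
    print("clean :", before)
    print("hooked:", {k: hex(v) for k, v in after.items()})
```

On a real process the same logic runs over the module's mapped text section read from process memory, with the export table parsed from the PE headers; comparing the first bytes against the on-disk copy of the DLL catches hooks that use a different instruction than E9, which this check deliberately does not try to decode.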

ThreatFire has been containing this threat within our global community, including our local Chinese user base.

Friday, July 10, 2009

@stealyourmoney -- TweetFace Has a Tinyurl 4u

Koobface joined the Twittersphere, and the Twittersphere is fighting back. It's good to see response from the social networking infrastructure.

Koobface has been distributed in prevalence for around a year now, with the ThreatFire community confident all along that their information is safe from the threat. In other words, if you want to keep it off of your system, be careful what you download and add a behavioral solution like ThreatFire to your system's security layers.

The Koobface family has been distributed in a couple of ways since June/July 2008, increasing its prevalence to significant volumes in December of last year. It started out as a standalone worm menacing the massive volumes of social networking users across a handful of social networks, defeating captchas, and downloading more malware to compromised systems. Now, it is more frequently distributed as part of a malware package by attack sites, alongside other payloads delivered by exploit pages hosted on malicious web sites: Virut, click fraud components, spambots (Waledac) and scareware. Koobface can be a secondary method of propagation for these various malware distribution groups.

So it was only a matter of time before the developers figured out that Twitter is another popular Web 2.0 medium. They also figured out that Tinyurl is one way to obfuscate malicious urls and distribute these urls across tweets.



These urls lead to the standard phony codec pages that are a trademark of the group. This time you'll see "Video posted by -WizArD-", and the site remains up:



When setup.exe is downloaded and run from 98.217.161.163, the user of course does not install an Adobe Flash Player Update as promised. Instead, they get an updated version of the Koobface worm. Along with the worm, the compromised system eventually is redirected to a FakeAv offer, so the group can make its money:



This morning, accounts tweeting the "My home video :) " message with a tinyurl leading to the "Video posted by -Wizard-" are receiving some cleanup attention:



The Tinyurl has been disabled as well.

Thursday, July 9, 2009

itsecure.microsoft.com?

Your browser could be redirected to antivir-systempro.com, and you could be fooled into buying something from a spoofed website, following a driveby attack on your system. Or, a piece of malware could edit your hosts file and open a window to a legitimate looking URL. Right now, here is a short and active list of hosts file modifications from some active malware:
209.44.111.62 itsecure.microsoft.com
209.44.111.62 avremover-pro.com
209.44.111.62 www.avremover-pro.com
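Both this post and the Advanced Virus Remover PRO post above show the same trick: a public IP pinned in the hosts file, once against a name that looks like Microsoft's and once against the rogue product's own domain. The following added check, written for this post rather than taken from any product, parses a hosts file and flags every mapping to a globally routable address, escalating when the name falls under a domain the machine should never be pinning locally. The sample hosts file is constructed from the entries quoted on this page, and the list of protected suffixes is an assumption to be tuned per environment.

```python
import ipaddress

# Constructed sample of a modified hosts file; the public-address entries are the
# ones quoted in this post and in the Advanced Virus Remover PRO post above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
209.44.111.62   itsecure.microsoft.com
209.44.111.62   avremover-pro.com
209.44.111.62   www.avremover-pro.com
92.241.176.188  advanced-virus-remover2009.com   # added by the same family
"""

# Domains an end-user hosts file has no business pointing at a public address.
# Assumed starting list for the example; extend with your AV/update vendors.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "threatfire.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping, skipping comments and junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping, ignore
        for name in parts[1:]:
            yield n, ip, name.lower().rstrip(".")


def audit_hosts(text, protected=PROTECTED_SUFFIXES):
    """Return (line_no, ip, hostname, reason) for suspicious mappings.

    Loopback/unspecified targets (127.0.0.1, 0.0.0.0, ::1) are how hosts files are
    normally used to block names, so they are not reported. Anything routable is.
    """
    findings = []
    for n, ip, name in parse_hosts(text):
        if not ip.is_global:
            continue
        if any(name == s or name.endswith("." + s) for s in protected):
            reason = "trusted domain hijacked"
        else:
            reason = "public address pinned in hosts"
        findings.append((n, str(ip), name, reason))
    return findings


def pinned_ips(findings):
    """Group flagged hostnames by address; one IP behind several names is the FakeAv pattern."""
    by_ip = {}
    for _, ip, name, _ in findings:
        by_ip.setdefault(ip, []).append(name)
    return by_ip


if __name__ == "__main__":
    for line, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line}: {ip} {name} [{reason}]")
    print(pinned_ips(audit_hosts(SAMPLE_HOSTS)))
```

On a Windows box the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a clean consumer machine usually contains nothing but the localhost lines, so any routable entry deserves a look even before the suffix match fires.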

We've posted before on ugly hosts file modifications, and about the malicious authors' intention of duping users into believing that they are downloading something from a legitimate site. The current scheme is in the same vein.

Know that the ip address 209.44.111.62, when added to the hosts file with the entry "itsecure.microsoft.com", is not related to the legitimate software company's web presence. Currently, this scheme leads to FakeAv "Antivirus System PRO":

Streamviewer.exe, Tubeviewer.exe, Tubeplayer.exe, now Onlinemovies.exe!

The gang serving up malicious downloaders from a couple of servers just spiced things up, adding "onlinemovies.40008.exe" alongside streamviewer and softwarefortubeview to the list of obnoxious files served from 64.20.38.172. AV detection is very low. It seems that the ISPs may be acting on public information: the sites were up for only a short time today, but ThreatFire protected the community from this prevalent malware all morning.

Related names currently resolving to that address include
exe-dot.com
exe-site.com
my-exe-load.com
red-exe.com
soft-exe.net
tiaexe.com

The group seems to be branching out from the phony movie player theme, more often packaging up the downloader into serial generators and crack installers like serial.dragon.naturally.speaking.9.45042.exe and crack.sony.vegas.platinum.edition.9.0.45057.exe. Pirates and p2p users need to be careful of what they download and run.