Archive for June, 2008

Rustock Crackz

Friday, June 20th, 2008

Last Thursday’s post commented on malware commonly bundled with crackz. A large number of users are running files that appear to be distributed from a number of crack sites. We will not publish those domains in this post.

The bundled filenames share a common theme: a downloader that delivers far more than the user bargained for. Crack.exe, keygen.exe, patch.exe and install.exe have been bundled within phony cracks and released to a number of sites. They contain trojan downloaders, among other things, which pull down and execute spambot variants and many other malware executables, including our old friend Vundo. Here are just a handful of the bundle names that we’ve been seeing:
Microsoft_Office_Professional_Plus_2007.txt.exe
WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE
popcapzumadeluxe!v1.0crack.zip.exe
COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE
MAGICISO_V3.5_BUILD_0064.ZIP.EXE
WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE
nero_8.2.8.0_serial.txt.exe
DYNOMITE_DELUXE_V2.71.ZIP.EXE
WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE
osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe
SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE
ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE

Notice the clever(?) use of the double file extension, ending in .zip.exe or .txt.exe. DO NOT download and run these files.
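As an added illustration (not from the original post), the check below flags the double-extension trick over the filenames listed above: a data-looking extension such as .zip or .txt immediately followed by an executable extension, compared case-insensitively, plus what Windows Explorer shows when it hides known extensions. The extension sets and the benign contrast names are assumptions for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: names quoted in the post plus benign names for contrast.
SAMPLE_FILENAMES = [
    "Microsoft_Office_Professional_Plus_2007.txt.exe",
    "WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE",
    "nero_8.2.8.0_serial.txt.exe",
    "SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE",
    "readme.txt",
    "setup.exe",
    "archive.tar.gz",
]

# Assumed lists: extensions Windows runs on double-click, and extensions a
# victim expects to be harmless data (the "decoy" half of the pair).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"txt", "zip", "rar", "pdf", "doc", "jpg", "gif", "avi", "mpg"}


def split_extensions(name: str) -> List[str]:
    """Return the lowercased extension chain after the base name, e.g. ['zip', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def double_extension_decoy(name: str) -> Optional[str]:
    """Return 'decoy.real' (e.g. 'zip.exe') when a data extension hides an
    executable one; None for ordinary names like setup.exe or archive.tar.gz."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return None
    decoy, real = exts[-2], exts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return f"{decoy}.{real}"
    return None


def what_victim_sees(name: str) -> str:
    """Explorer's default 'hide extensions for known file types' drops the
    final extension, so foo.zip.exe is displayed as foo.zip."""
    return re.sub(r"\.[A-Za-z0-9]+$", "", name) if "." in name else name


def flag_filenames(names: List[str]) -> Dict[str, str]:
    """Map each suspicious filename to the decoy/executable pair it uses."""
    flagged = {}
    for n in names:
        pair = double_extension_decoy(n)
        if pair:
            flagged[n] = pair
    return flagged
```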

In our labs, we find that running these files results in a ridiculous attack. The volume of malware that ends up running on the system is so large that the system becomes entirely unusable. We haven’t seen an attack quite so bad since the 2nd-thought.com site was taken down.

One of the components infects services.exe on the system (often named “axer.exe”) and drops rootkit and spambot components (surprisingly, we see a consistent driver filename, “pqasghjd.sys”), sending out waves of spam from this system process. The kernel-level driver component hooks the SSDT entries NtCreateKey, NtOpenKey and NtTerminateProcess in an attempt to hide registry keys and prevent termination of the malware’s user-mode processes. It also attaches to the Ntfs file system driver in order to obscure its presence on disk.

The spambot components download updated lists of user accounts and available SMTP servers over HTTP, and then peddle rather “adult” themes in outgoing messages. All of the messages include a link to phony “personal growth” pills for men. Here are a few of the “mentionable” subject lines, crafted to get a small percentage of users to actually open the message:
“Life will get better with this”
“Wanna know why she’s hot”
“Jessica Alba bikini pics”
“All the love you need”
“Scarlett Johansson and Justin Timberlake spotted together”
“Get ready for a stunning improvement to your love life”
“Scarlett Johansson and Tom Brady spotted in Mexico”

Beijing Video

Thursday, June 19th, 2008

Another round of Storm spam is now unscrupulously offering video footage of “details of this terrible disaster”, with a link to “beijing.exe”. We are seeing a low percentage of users receiving this payload so far, mostly in Dubai, falling for the message:

“A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either “Open” or “Run”.”

Do not visit the website:


Of course, instead of a link to a video, the code behind the “mov.gif” image of a video object directs the user to download “beijing.exe”, seen as “beijing[1].exe” on TF users’ systems. When run, this executable drops and starts “msvupdater.exe” in the Windows directory on the system. The msvupdater component carries with it the familiar P2P code that Storm uses, and attempts to send out email from the system.

Hidden away in the last line of the HTML source is a tiny iframe linking to “ind.php”, as seen here:
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute">

This PHP file contains quite a bit of obfuscated JavaScript. After dissecting the script, we find that it is attacking an older NCTAudioFile2 ActiveX vulnerability, the more recent RealPlayer vulnerability, an older BaiduBar Soba vuln, and a couple of ancient setSlice and WebFolderView vulnerabilities. Basically, these guys have a newer commodity attack kit with some new obfuscation features.
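The 1x1 hidden iframe above is the hand-off from the lure page to the exploit kit, and it is cheap to spot in captured HTML. The following added example (ours, not from the post) walks a constructed page modelled on the one described, a fake video image followed by the hidden iframe, and reports any iframe that is either sized to a single pixel or styled invisible, along with the reason.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample modelled on the post: a fake "video" image that really
# links to beijing.exe, a normal-sized player frame, and the hidden ind.php
# iframe on the last line. Not a capture of the real page.
SAMPLE_HTML = """<html><body>
<a href="beijing.exe"><img src="mov.gif" alt="video"></a>
<iframe src="player.php" width="640" height="480"></iframe>
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</body></html>"""


def _px(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute such as '1', '1px' or '640'; None if absent or unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are pixel-sized or styled invisible."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny")   # 1x1 (or 0x0) frame: nothing a user could see
        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden-style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious iframe: its src and why it was flagged."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```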

I Do Not!

Wednesday, June 18th, 2008

We continue to receive emails telling us that we’re not smart enough or don’t look good enough. It’s not totally unusual, because that message frequently is communicated by the “beauty” and “diet” industries in magazines, tv ads, etc. How dreary.

A common scam continues to make the rounds, putting the two themes together and telling us that we even look dumb. The email message includes a link to a video file, implying we might look really dumb in this video. The message even looks like crass Onion humor — next, they’ll tell us that only nerds wear glasses. Now, they are telling me “You look really stupid”. Unfortunately, users are falling for this bad line every day, and downloading and running “video1.exe” on their systems:


Also hosted at the compromised server is video.exe.

This work is from a Russian gang, with the malware phoning back to a domain associated with other malware families in the Russian Federation:
Name: sr59.24ruhost.com
Address: 207.10.234.217
The owners of the compromised server have been notified.

These “videos” didn’t show how dumb I really look. Instead, they download adware, rogueware, and other components. McAfee’s researcher Paulo Palumbo beat us to the post this morning with a description of the blue screen that the rogueware downloaded by these files uses to frighten users — we’ll note that this spammed executable link is one of its sources.
In our lab, we tried to reconfigure the Sysinternals (acquired by Microsoft) screensaver used in this attack to “enable fake disk activity”, but the necessary Sysinternals components are not functional in this bundle. It’s not even fun to tinker with; don’t fall for this video.exe trick.

You’re not ugly or dumb. You’re beautiful, just right.