Monday, September 29, 2008

Microsoft Files Complaints Against Scareware (Rogueware) Makers

While we've been calling it Rogueware for years around here, Microsoft and the Washington State Attorney General's office are filing a set of complaints against "scareware" makers. It's interesting that lawsuits can be filed against "John Doe" actors in the complaints, as written up by Elinor Mills on CNet:
"Microsoft filed five new lawsuits and amended two previous complaints against SMP Soft, all relating to programs that allegedly falsely alert consumers to problems on their computers and offer to sell software fixes. The programs listed include Scan & Repair, Antivirus 2009, MalwareCore, WinDefender, XPDefender.com and WinSpywareProtect. Most of the defendants are listed as "John Doe" because investigators do not yet know the identities of the people behind the programs."



Kurt Baumgartner, Chief Threat Officer of our research group, was selected to give a timely, last-minute technical presentation titled "Recent rogueware" on Thursday of this week at Virus Bulletin 2008 in Ottawa, Canada. The presentation will focus mostly on technical aspects of Rogueware currently in the wild, including a couple of the software packages listed in the complaint, the ridiculous but popular MonaRonaDona hoax, and various methods of delivery.
Regardless of the filings, the threats continue to evolve online and are active today, much like the image above.

Wednesday, September 24, 2008

Student Not Indicted

Twenty-year-old UT student David Kernell, suspected of hacking Vice Presidential candidate Sarah Palin's Yahoo! account, was not indicted at a court hearing earlier today. There is speculation that the private email account was used for government purposes as well. Some discussion of lessons learned here and here.

Update: Kernell was indicted "on a single charge of accessing a protected computer by a grand jury in U.S. District Court for the Eastern District of Tennessee in Knoxville" on Oct. 8th. He is pleading not guilty.

Fakealert Droppers

A high number of Fakealert droppers are showing up on the radar today and yesterday. A "crack" named "crack_ver1.454.0.exe" inside a "zebradesigner pro.zip" package is being distributed from a fairly popular crack site. The standard phony codec distributions are making the rounds from various sites and exploits: "MediaTubeCodec_ver1.938.0.exe", "HDVideoExtension_ver1.6119.0.exe", "Setup_ver1.1620.0.exe", "MEDIATUBECODEC_VER1.573.0.EXE".

Do not be fooled by the consistent phony codec scams.

Facebook, Open These Images Scheme -- dvc-foto010.jpeg_www.facebook.com

No, it is not a link; it is a file. The name is built to look like a URL to a JPEG on facebook.com, but a file name is never a link: its real extension is the trailing ".com", it contains no photos you are interested in, and it will not direct you to any jpegs on the Facebook site. Also making the rounds is "newestpicture0021.jpeg-www.imageshack.com", along with other "imageshack.com" files.

Another worm is propagating with a .com extension, which is actually an executable format on Windows systems. The file, when run, drops a copy of itself to the system32 directory as "symlasvc.exe" or "symlssdr.exe" and hides its process from monitoring tools with rootkit components. In both cases, it adds itself to the Run key as the "Symantec Administration Service" so that it starts at every boot. Among other activities, it kills a set of tools that may be used to identify its presence on the system, and mangles the hosts file by mapping security information, security software and security update sites, including this blog, to 127.0.0.1 so they can no longer be reached. Here is an example:
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
127.0.0.1 mailcenter.rising.com
127.0.0.1 www.rising.com.cn
127.0.0.1 www.rising.com
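As an added example (not code from this blog or from ThreatFire), the following Python script shows the two checks a responder would run against the behaviour described above: it audits a hosts file for names sunk to loopback, and it classifies an attachment name such as "dvc-foto010.jpeg_www.facebook.com" by its real, trailing extension rather than the decoy one. The hosts file contents and file names are constructed for the demo from the entries quoted in the post; the legitimate-loopback names and the extension sets are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file: the two stock Windows entries plus the kind
# of entries quoted in the post. Not captured from a live machine.
SAMPLE_HOSTS = """# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com   # sinks the AV research site
127.0.0.1 blog.hispasec.com
127.0.0.1 www.rising.com.cn
"""

# Names that legitimately resolve to loopback (assumed list). Anything else
# mapped to 127.0.0.0/8, 0.0.0.0 or ::1 is being deliberately blackholed.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_RE = re.compile(r"^(127(?:\.\d{1,3}){3}|0\.0\.0\.0|::1)$")


def find_blackholed_hosts(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) for every hostname the file sinks to loopback.

    The same trick blocks AV update servers, so every hit is worth a look;
    a clean end-user hosts file normally contains only the localhost lines.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if not SINKHOLE_RE.match(ip):
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                findings.append((ip, name))
    return findings


# Extensions Windows executes on double-click (assumed set). '.com' is among
# them, and Explorer hides registered extensions by default, so a file named
# "foto010.jpeg_www.facebook.com" is displayed as "foto010.jpeg_www.facebook".
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def classify_attachment(filename: str) -> Dict[str, object]:
    """Describe what a file really is versus what its name pretends to be."""
    lower = filename.lower()
    # Only the text after the LAST dot decides how Windows opens the file.
    real_ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    executable = real_ext in EXECUTABLE_EXTS
    # A decoy extension sits earlier in the name, glued on with ., _ or -.
    decoy = any(re.search(re.escape(d) + r"[._-]", lower) for d in DECOY_EXTS)
    # A domain embedded in the file name is pure social engineering.
    embedded_domain = re.search(r"www\.[a-z0-9-]+\.[a-z]{2,}", lower) is not None
    return {
        "real_extension": real_ext,
        "executable": executable,
        "decoy_extension": decoy,
        "embedded_domain": embedded_domain,
        "suspicious": executable and (decoy or embedded_domain),
    }


if __name__ == "__main__":
    for ip, host in find_blackholed_hosts(SAMPLE_HOSTS):
        print(f"blackholed: {host} -> {ip}")
    for name in ("dvc-foto010.jpeg_www.facebook.com",
                 "newestpicture0021.jpeg-www.imageshack.com",
                 "MediaTubeCodec_ver1.938.0.exe",
                 "vacation.jpg"):
        print(name, classify_attachment(name))
```

A plain "codec_ver1.938.0.exe" comes back as executable but not "suspicious" under these rules; the two name-deception flags are what separate the image-themed worm files from an ordinary download, and the hosts check is what tells you the machine can no longer reach its AV vendor.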

ThreatFire currently prevents these worms as "Worm.Injector". In the past, we've seen similarly effective social engineering schemes:
MSN IM Worm
Surge in IM worm activity -- don't look at that cute puppy
New Undetected Worm
Bot on the loose -- careful with images

Please do not run these files when they arrive.

Monday, September 22, 2008

MultyCodecUpgr.7.exe Is Not What You Think It Is

If you download and plan on running what you think is a codec named "multycodecupgr.7.<20xxx>.exe" (as in "multycodecupgr.7.20680.exe"), you should be aware that users have been affected by this phony codec over the weekend and today in surprisingly high numbers. The file drops a couple of executables. In our lab they were often named with a single letter, like "a.exe", "b.exe", "d.exe", you get the idea. These few files then barrage the user with the usual shock messages that the system is infected, although now they also claim that your system is "probably" infected...



The malware drops "sav.exe" into a "program files\AntiVirus 2008" directory that it creates itself. It's all related to the AntiVirus 2008 software, warning the user about "Blaster.Sasser" and other bogus scan results that need to be cleaned up for a price:



Pricing can be found at hxxp://www.s-av2008.com, starting at almost 40 clams. Avoid the site:



It seems that now that Atrivo/InterCage is off the grid, these groups are quickly moving resources to hosts like "dowload -best -warez.com" (66.232.126.78, 66.232.126.193).


Update: What started out as a few redirect links from a potentially compromised small-business t-shirt web site is now spreading. While the pages served at the iframe-based redirect link from the original site are down, the phony codec file is showing up on numerous adult sites.
It is advisable not to run the multycodec executables in circulation right now.

Thursday, September 18, 2008

Nominee's Yahoo Account Hacked

At BlackHat 2006, the organizers handed out books titled "Perfect Passwords", a fantastic writeup on selecting, using and evaluating passwords: "Author Mark Burnett has accumulated and analyzed over 1,000,000 user passwords and through his research has discovered what works, what doesn't work, and how many people probably have dogs named Spot". Unfortunately, some of the government attendees must have set that book aside to read later. They have the opportunity to reread the text at the book's preview on Google's book search.



Yesterday, a link to wikileaks.org made the rounds, along with comments about Sarah Palin, a U.S. Vice Presidential nominee currently in the political media limelight. She reportedly has been accused of using a Yahoo! email account for government business to avoid records requests under Alaska law, and hacktivists recently gained access to her Yahoo! account, although it is unclear how. They posted contents and an index of the mail account on the wikileaks site. Some screenshots of the information were posted on sites like gawker.com. The wikileaks site is either overwhelmed with traffic today or was taken down altogether last night. The FBI and Secret Service reportedly are investigating the breach.

Simple security practices are necessary. Use a strong password that you can remember, and make sure it is not "Spot" or "password" (see Perfect Passwords). Pay attention to what you are doing when using your computer, visiting websites, or responding to IM, email or requests for information, and finally, use the secure resources, including antimalware protection, provided by your organization.

Update -- it appears that the "Forgot your password?" feature was exploited to gain access: the account was reset by answering its security questions, whose answers were guessable from public information about the account holder. Standard security practices, including reset questions that cannot be answered from public records, would have avoided that problem.

Monday, September 15, 2008

IPLOGS -- Let Them Wait for a Reply

A recent wave of spam seems to have hit users in the U.S. and Germany with a theme playing on end users' confusion regarding software security. This one has the subject line "I am wait your reply" and starts "I am tired of receiving messages containing malicious computer programs (viruses) from your e-mail address!", attempting to convince the user to extract the attached "IPLOGS.zip" file and run IPLOGS.exe, because "I am sending you the copy of the document containing your data and logs of sending malicious programs as the proof of your fault !!!!!!" The threats that action will be taken and the police contacted are all phony.



This file is not a log of online activity; it is known to carry a banking password stealer.

Anytime an unexpected email arrives with instructions like these, your suspicions should be raised. It is a cheap con job at best.

The iplogs.exe dropper is packed and carries an interesting set of anti-debugging tricks. It attacks a couple of well-known commercial firewalls in order to gain outbound access. It copies itself to the system32 directory as 'oembios.exe', appending a couple of kilobytes of encrypted data to the copy.
The code also drops a driver as sysproc86.sys and loads it into kernel space. Once loaded, the driver unlinks itself from the loaded module list and modifies the OS to hide the dropped files and startup registry entries.

Friday, September 12, 2008

Your Internet Access Is Going to Get Suspended

A spammed email is making the rounds with the subject line "Your internet access is going to get suspended" from the "ICS Monitoring Team". Some ThreatFire users started seeing it late last night and were protected from the executable.
Have you been paying your bills? Sure you have. Have you been performing any illegal online activity? I hope not.

Anyway, the zipped attachment includes a nasty piece of spyware sometimes named "user-ea49943x-activities.exe" that ThreatFire prevents as "Spyware.Goldun". Do not test your software with it; delete the message and the attachment along with it.


Update: The guys at mxlab included some technical details on their post last night.

Thursday, September 11, 2008

Spyware Detected on Your Computer!

Not really. See the previous post. This scheme has been ongoing all year.



Unfortunately, if this one has run on your system, the existing System Restore points have been deleted and a new restore point created post-infection, so rolling back to a clean state is no longer an option and cleanup will be a bit more difficult.