Archive for March, 2009

A Quiet Morning

Tuesday, March 31st, 2009

What has been described as a day of epic struggle appears to be starting quietly, with Conficker day setting in for China and S. Korea, two of the nations maintaining reportedly high Conficker infection volumes (the worm has spread to potentially a few million systems). South Korean researchers have reported that it is well into morning in Seoul, and no massive network disruption or change in infected systems has occured yet due to infected systems discovering that it is April 1st (a hard-coded date set for a recent variant to begin contacting a larger list of potential web sites).

Top Conficker infected countries to watch appear to be
1. China
2. Brazil
3. Russia
4. India
5. Argentina

If you are reading this post, your system most likely is not infected with Conficker (Conficker denies infected host systems from visiting this blog). Please update your Windows system and its software regularly with patches from the Microsoft Update site, use decent passwords for your Windows user accounts other than “1234″, install a protective set of security products (behavioral protection, firewall, AV, etc), and do not act promiscuously with your usb-based storage or network drives and shares.
Continue on with your online activity, descriptions of damaging behavior other than failed rogueware downloads by the Conficker worm will be posted here whenever they may occur.

That Darn Amanda

Thursday, March 26th, 2009

Another spam run of Zbot messages are going out as this is written.

As in previous posts, we find that the end game is to install password stealing components. Some of the subject lines look like
“FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by __insert name here__)”
“FaceBook message: facebook members Dancing In Striptease (Last rated by __name here__)”
“FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by __name here__)”

The message content includes text like
“You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 21, 2009! We’re absolutely shocked!”. Proceed to view full video message: hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)324uptdate(dot)com/home.htm?/logon/application=999″

Clicking on the link in turn redirects the user’s browser to another set of sites hosting a video, prompting the user to download and install Flash_Adobe11.exe. Don’t bother, it’s still not the real flash player. Instead, Zbot malware is installed. Here is a censored screenshot of one of the attacking sites:

ThreatFire is preventing the malware from running on a fair number of community systems right now. Do not run Flash_Adobe11.exe from these sites.

MSN Messenger Worm Continues to be a Problem

Thursday, March 19th, 2009

Spoofing video codecs and third party video player plugin upgrades have proven to be an effective way to fool users into running malware on their systems. Malware does not need to spread effectively by exploiting vulnerable and unpatched code on a system.

Another extremely common and effective technique has been convincing users that their friends are sending them pictures. Attackers will use a variety of legitimate sounding Urls, alter the icons of the files they want users to run so that executables appear to be image files, and modify filenames to appear to be image files. These sorts of techniques are very common right now.

ThreatFire is currently preventing a high number of users from running an IM worm and its accompanying downloaded bot. The worm attempts to send itself out to MSN Messenger users’ address book contacts, convincing friends that fun pictures await. This worm installs an IRCbot, adding the machine to yet another botnet. Here is a handful of files being spread at the moment:

Image.php hosted at hxxp://hi5-album.com, hxxp://hi5-foto.net, and a number of other legitimate sounding Urls redirect users to a variety of files at
hxxp://66.29.31.3(slash)~RIVUX
with file names like PIC2009-02-15-JPG.exe, PICT1321.JPG.EXE, PICT0018.JPG.EXE and the others in the screenshot above. The downloads icons appear exactly as in the screenshot above, and when extensions are turned off for known file types (a Windows explorer setting) a user may not realize that they have an executable and not an image on their system. And because of the icon tampering, they look even more like jpg and gif files.

We’ve been posting about this sort of scheme for some time now. It continues to be effective and users need to be more aware of the techniques used.