|
Archive for May, 2009
Wednesday, May 20th, 2009
A couple of anti-malware firms have grumbled about the number of successful web site compromises a group has been making in order to inject malicious web pages on these victimized sites and refer to the threat as “Gumblar“, reportedly using stolen ftp credentials and possibly other configuration issues and vulnerabilities. These hijacked web sites in turn attack visiting users’ web browsers with the goal of downloading and executing more malware hosted on a remote server. Originally the exploit/trojan/spyware hosting site was gumblar.cn, it was changed to martuz.cn, and the domain most likely will change again.
The large numbers in the news refer not to the trojan, or the malware that was hosted on gumblar and martuz. The large numbers are detections of web pages that, however accurate the volume reporting may be, most likely are a part of hijacked web sites redirecting browsers to the exploits and trojans on the gumblar.cn and trojans on the martuz.cn domains.
When a user doesn’t patch their system for whatever reason, they may be maintaining known vulnerabilities in their software, which in turn is exploited when visiting a hijacked web presence. Following successful third party plugin exploitation, the delivered dropper is executed. The dropper uses an interesting technique to register loaded components for auto start on an unsuspecting user’s system. Instead of the usual run key and service locations, this writer decided to abuse a user-mode auxiliary audio driver location that is loaded when Internet Explorer is started. This ThreatExpert report and here shows a “Infostealer.Daonol/Trojan-Dropper.Win32.Agent.apfn/Troj/Daonol-Fam” trojan abusing the “Drivers32″ key, much like the original gumblar variant:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
aux = “%Temp%\..\doo.val”
The group is not using any 0day attacks. Instead, they are sending down malformed .pdf and .swf files. It seems that enough reminders cannot be sent out about updating third party software:
Antivirus 360 Distribution – Update Third Party Plugins
PDF Reader Exploitation 2009
Pdf Reader Exploitation 2009 (cont)
Rigged pdf files
browser-security.microsoft.com Hosts File Modification
We will post more data as it is gathered, the trojan itself is not in high prevalence in the ThreatFire community — the attack has gotten far enough to launch the trojan on only a couple of systems and is prevented as “Spyware.Grumbler”.
In the meantime, be sure to update your favorite third party plugins, applications and your system software.
Posted in Exploit, Spyware, Vulnerability | No Comments »
Friday, May 15th, 2009
A rogueware distribution gang known for their use of Rbn services and phishing scams continue to maintain a couple of the busiest servers in our daily prevented malware lists. Starting on May 6th, the group moved their downloaders and malware (similarly named to softwarefortubeview.4000.exe) from being served at 195.88.80.41 to exclusively 91.212.65.54.
This group appears to be getting quite a bit of traction out of their ongoing FakeAv scheme, in addition to the phishing activities. They started out in late 2008 on 94.247.3.232 with tubeviewer.95.exe, and in mid-January, moved tubeviewersetup..exe to several other addresses:
216.195.40.88
94.247.3.232
91.211.64.131
and since May 6th, they have served softwarefortubeview.40019.exe (among other names) at 91.212.65.54, for which we see multiple domain names registered:
cls-softwares.com
kol-programmers.com
kxc-softwaresportal.com
rol-programms.com
sdfv-programs.com
sgh-topprograms.com
slk-softwareportal.com
slk-softwareportal.com
hex-programmers.com
kor-programms.com
res-supersoft.com
You can see our previous posts regarding their FakeAv malware downloaders, with some of the most popular scareware messages: “you have a security problem” and “security system has detected spyware infection!”.
The redirection to this executable most often comes from blog posts offering free current movies, like “Watch Push Movie Online Free”. You get what you pay for. Notice the video frame at the bottom of the post. Avoid this blog and others like it:
“Anika”, the poster of the phony blog above, also set up a number of other blogs, hoping to capture more curious cats looking for “movie online free”:
Eventually, clicking on the posts’ link sets up the browser for a series of javascript redirections to “watch-for-free.net”, where the phony executable is finally offered to watch the non-existent flick.
For example, a few clicks for a “movie online free” Mr. Bean video link redirects the browser through several links and eventually the fake video iframe coughs up the download prompt for the gang’s malware:
hxxp://watch-mr-bean-movie-online-free.blogspot.com/ –>
hxxp://video-trailers.net/hotnews.php?id=Mr._Bean –>
hxxp://watch-for-free.net/hotnews.php?id=Mr._Bean&was=1 –>
hxxp://premier-tube-site.com/xplay.php?id=40018
Update: an excellent post describing related activity and infrastructure at the GazTranzitStroyInfo site and related russian ISP’s. And the group moves their malware to yet another provider.
Posted in Downloader, FakeAlert, Rogueware, Scams and Monetization | No Comments »
Tuesday, May 12th, 2009
What is a virus i-worm trojan anyways? Well, it’s not a legitimate detection with a valid CARO name, it’s gibberish to lead a user to “Click ‘Ok’ to Install System Security Antivirus”, either on XP:
Or with a more sleek look on Vista:
The distributors of System Security Antivirus, another rogueware or FakeAv product, are redirecting Turkish users to a site encouraging them to download the malware with a familiar scheme: To watch this video you must have the Flash Player installed.
It appears that the group is worming through Windows Live Messenger to attract downloads in increasing prevalence. We’ll be investigating it in depth and posting details here.
The phony video page this time appears in Turkish, hosted on a Turkish server:
“Flash Player version uyumsuzlugu:
Tarayiciniz bu videoyu goruntuleyemiyor.
Bu videoyu izleyebilmek icin Flash Player yaziliminizin guncel olmasi gerekiyor.
Flash Player yaziliminizi guncellemek icin «Devam» butonuna tiklayiniz.”
The downloaded file, flashplayerupdate_01.exe, drops and runs advhost.exe from system32 to perform the dirty work and injects adlaunch32.dll into all newly started applications.
An interesting characteristic for the flashplayer_01 executable is its use of a spoofed, invalid digital signature, supposedly signed from Microsoft:
Conveniently, the english version of the attacking web page is hosted on the same server:
Of course, the payload appears to be a bit different, serving up a doctored install_flash_player_9.04.exe package that includes the legitimate mIRC client.
Posted in FakeAlert, IM Worm, Rogueware, Social Engineering, Worm | No Comments »
|
|
|
|
