ThreatFire Research Blog » Incident

FBI IC3 2009 Report

admin — Sat, 13 Mar 2010 16:48:21 +0000

The Fbi released its Internet Crime Complaint Center (IC3) 2009 report. The organization maintains that cyberfraud losses reported to them doubled year over year.

The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.

The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

U.S. Cybersecurity Changes with H.R. 4061

admin — Thu, 04 Feb 2010 21:36:39 +0000

It seems that the recent and unusually public disclosure of the Google breach (and dozens of other U.S. corporations) has turned some heads. As Google reaches out to the NSA for help to secure its networks, a prominent cybersecurity bill passed the House today. It will drive large new cybersecurity efforts in the U.S. and will be an interesting bill to follow through the Senate. A summary of H.R. 4061 here.

PDF Reader Exploitation 2009

admin — Wed, 11 Mar 2009 19:06:00 +0000

Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.

Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.

Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):

Reader v9 less than 1%
Reader v8 48%
Reader v7 50%

This list does not mean that Acrobat Reader 7 is the most vulnerable of the versions. As a matter of fact, the top five subversion info, in order of highest number of incidents, is 8.1.0.137, 7.0.8.218, 7.0.0.0, 7.0.5.172, 8.0.0.456. However, it may tell us that the highest number of users that install ThreatFire continue to use one of the version 7 products and seeing it attacked. If you are using any of the Adobe Reader versions, please upgrade to the latest at their web site.

Some of the most common payloads for the exploits’ shellcode are downloaders. Unfortunately, that leaves the explanation a bit hazy, because by definition, a downloader simply pulls down more software and “loads” it. Well, from our vantage point, most commonly the downloaders fetch and install FakeAV software, otherwise called rogueware. One example that we discussed last year was an Antivirus 360 downloader, which seemed to replace the Antivirus 2009 attacks. Current examples are sites delivering downloaders like hxxp:(slashslash)f-o-r(dot)ms(slash)xrun.tmp
We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV.
This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it.
And on a more recent trend, malcrafted pdf files will download more exploit code. For example, malcrafted pdf files generated by the LuckySploit exploit pack will pull down more javascript served at 72(dot)233(dot)79(dot)18(slash)prn(slash), and wreck more havok, installing a rootkit to hide more downloaders installed on the victim system.

So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.

If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.

Retirement Community Computers, brastk.exe and AntiVirus 2009

admin — Mon, 01 Dec 2008 20:38:00 +0000

Malware shows up in the most unexpected places. One of my previous colleagues regularly considered the idea of computer infections ridiculous, but wired Windows systems really are ubiquitous. And this last week’s Thanksgiving trip provided another location to observe computer malware effecting unsuspecting Windows users.

This year’s birthday celebration for our 92-year old grandmother was fantastic at her new home. Singing, dessert, multiple generations of our family were together for the holiday and grandma was in a great mood in her new digs.

In the meantime, a few of us celebrants, full of pizza and cake, left the party to check out the community building — the pool table on the fourth floor, pianos on the first. After knocking an 8ball around the pool table at 8 p.m. in the relative quiet of the home, we noticed a computer center along the way back to the elavators. The monitors in that center could not have displayed a more disappointing screen.
Next to a little “M” square in the system tray (a competing AV product that will remain nameless here), was a large red circle with a white X through it and a familiar fakealert bubble caption containing a frightenting message about an infection and loss of privacy: “Privacy Violation Alert! Antivirus 2009 detected a Privacy Violation”.

A quick look at the registry and taskman showed a spambot, the brastk.exe fakealert downloader, AntiVirus 2009, and a vundo component all installed and running. The brastk.exe downloader, one of the most familiar fakealert components that is being prevented in the ThreatFire community, was running full bore. And the Vundo dll locked up the CPU from within the explorer process. Add a half dozen ads open in half a dozen hung Internet Explorer windows, and the system was unusable.
There were various poker game shortcuts on the desktop, so I’m guessing that one of the senior citizens looking to play a game mistakenly installed a package of malware on the system, assuming that the free software game was innocent and the system was protected.
For a group of elderly that don’t know much about technology but want to use it, this is very disappointing and discouraging.

Along those lines, the recent unusual and severe Mytob infection bringing down several british hospitals (the London Chest Hospital, the Royal London Hospital and St Bartholomew’s) highlights the need for layered security as well. Malware is as ubiquitous as the PC itself.

Cnet headline needs clarification

admin — Fri, 09 May 2008 22:56:00 +0000

I came across another headline that needs some clarification. The FireFox effort doesn’t really deserve this one: “Firefox add-on infected with Trojan”

The language pack add-on in particular, vietnamese_language_pack-2.0-fx-win.xpi, was not infected with a trojan. We inspected some of the allegedly “trojanized” files ourselves. The “.xpi” package can simply be renamed to “.zip” and its contents extracted. Then, we extracted vi-VN.jar. Buried deep within the directories, we can find a help directory. There, multiple “.xhtml” files exist. At the very bottom of these files, we find some script code:

< c = “h xx p : / / %6A %73 %2E %6B%30%31%30%32%2E%63%6F%6D/ %30%31%2E%61%73%70″>

This statement can be decoded and when viewed, redirects a browser to hxxp://js. k0102. com/ 01. asp

At this point, nothing of a highly damaging nature has occured. Web pages redirect browsers to ads all the time, for example. This particular web page redirected browsers to some advertisements.
How often might the redirection have occurred? I am not really sure. In my browser, I installed the language pack, but couldn’t find a way to display the related help pages with the script code. It seems the distributed files would not have readily effected FireFox users. But it appears to not be virulent.

So how come this script code wasn’t detected before it was released? Well, the AV scanners that the Mozilla team was using didn’t detect this line of code. It’s somewhat surprising that the scanners didn’t catch it, considering the viral family that most likely left this line of code and was running on the developer’s machine has been in the wild in the Asian region since at least 2006.

Nonetheless, it is never good when any developers are working on infected systems. Release quality comes into question when things like this happen, but this one doesn’t seem to be terribly alarming. The group appropriately froze access to the package, removed the dozen or so xhtml files, and re-released the package. All in plain view.