The link will lead the user to the familiar phony Yuotube “Broadcast Yourself” page with video frame and flash installer prompt “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The “setup.exe” file from “SquarePants”. When setup.exe is run, this file in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.

Past posts on Koobface here.

If you are prompted to install the Flash Player, you can skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view. For legitimate sites, the content should play.

The bots produced by the kit were in turn called ”Ntos” and ”Zbot” by major software security vendors. We’ve kept on top of its activity over the past couple of years, describing its distribution as a part of other attacks, drive by attacks, and spam blasts. The ThreatExpert blog maintains posts here and here. ThreatFire is one of the most effective, if not the most effective, products on the market at detecting and preventing the Zbot variants on user systems. It detects them clearly as “Spyware.Zbot”. Because one gang of the bot distributors have been so determined and successful at distributing the malware to high-value targets over the past couple of years, an individual zbot botnet currently made up of a reported 74,000 zbot infected systems is being renamed as the “Kneber Botnet“, based on the username this Zbot variant uses.

We have posted a dozen times about Zbot over the past couple of years, including stats on Zbot-downloading Bredolab variants being run on user’s systems. Locations of the tens of thousands of systems on which users have run Zbot itself over only the past six months vary across globe, but here are a recent top ten from the ThreatFire community.

These Zbot hits are the malware that get through spam filters, mail AV scanners, etc, and Zbot actually was run on the user’s system and then prevented by ThreatFire. It’s also interesting to know that over 70% of ThreatFire users are running another security solution on their system (indicating that ThreatFire is first and only to detect and prevent in a startling number of incidents). ThreatFire protected all of our users that were tricked into running Zbot, and it’s a good thing. The vast majority of these variants were configured to steal banking credentials, in addition to other valuable user data.

Note – the Dns domains registered to “Hilary Kneber” from which the attacking web sites served the zbot spyware (which cleverly must helped in naming the botnet), maintained the Zbot executables as “bot.exe” from a couple of different directories. One would think that this filename may be a giveaway to security monitors. On victim systems where the malware was run, it seems that the file was downloaded and renamed to both “svchost.exe” and random names like “58e.tmp” so as to camoflage its purpose. It predictably then would attempt to copy itself to c:\windows\system32\sdra64.exe.

Fake scan results are presented immediately…

As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred”, see the window’s title bar.

Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window, claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen, recommending activation of XP Internet Security 2010…

When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010″ appears…

Running down the side of the page, they make fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:

Entering personal information into the form POSTS the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:

ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

Victims of this scam will have a hard time ignoring the screaming new message on their desktop, “YOUR SYSTEM IS INFECTED”. The familiar red X appears in the system tray in the lower right corner of the screen, and multiple phony scan images subsequently pop up.

Next up is a phony but thorough listing of all the detected malware that doesn’t really exist on the user’s system, described with a “Critical vulnerabilities found!” header and a mishmash of security industry buzzwords thrown together in a non-sensical phrase “Proactive system found several active vulnerabilities on your computer”…

And, after shocking the user with this series of blatently false warnings, coming up is the money maker, a suggestion that the user get a license or pay for Internet Security 2010:

If the user ignores the above warnings and tries to continue their work, they instead are assailed with scare-tactic messaging from the bottom right corner of the screen…”Click here to protect your computer from spyware!”…

And “System Warning! Continue working in unprotected mode is very dangerous”, another phony taunt…

Good thing that ThreatFire can keep this stuff off of your system in the first place, and Spyware Doctor+AV is known to effectively clean up previously infected systems.

 And here is a screenshot with the extensions visible:

Some of the names being used and designed to fool users include…

UPS_INVOICE_NR81913.ZIP
UPS_INVOICE_NR81913.EXE
UPS_invoice_NR43193.zip
UPS_INVOICE_NR43193.EXE
UPS_invoice_NR12090.zip
UPS_INVOICE_NR12090.EXE
UPS_invoice_NR74225.zip
UPS_INVOICE_NR74225.EXE
UPS_INVOICE_NR10124.ZIP
UPS_INVOICE_NR10124.EXE
UPS_INVOICE_NR85411.ZIP
UPS_INVOICE_NR85411.EXE
UPS_INVOICE_NR76225.ZIP
UPS_INVOICE_NR76225.EXE

Be sure to examine the contents of .zip files prior to attempting to open them. We will update this post as more information is available.

Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

The latest Koobface trick includes thousands of accounts at Google Reader (many continue to be up). Here is a shot of what today’s Reader pages look like hosting phony YouTube videos:

Of course, these Google Reader pages are not new, and are not particularly notable, as other groups have used the same scam in the past year to drive the same redirections to other sites that host the malware. Here is one that is up today, a giveaway is the Title of the page “YuoTube”, instead of “YouTube”:

At the same time, the older Koobface style of flash player update pages served by the same gang all over the web appear to be more attractive to users, and attract many more hits. They are up and fooling users as this post goes up, here is a representative page to look out for, which, if you read this blog, you’ve seen before:

The phony “setup.exe” codec installer (which is really the Koobface malware) and the scheme still tricks many users. Don’t get fooled.

The bulk of the protected systems were in the U.S., where the number of Facebook users are higher than anywhere else. Below is a non-exhaustive list of banks that the group has targeted with Zbot payloads from the ip address that the Bredolab downloaders pulled from. Surprisingly, the cybercrime group decided to mess with U.S. military members at usaa.com:

https://businessonline.huntington .com
https://business-eb.ibanking-services .com
https://securentrycorp.nbarizona .com
https://treas-mgt.frostbank .com
https://www8.comerica .com
https://cashmgt.firsttennessee .biz
https://www.usaa .com
https://*netspend .com
https://www.mybank.alliance-leicester.co .uk

If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice in high volume. Which provides a whole new platform of interest and attention from money making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.

The most common single piece of malware run on Windows 7 Rtm systems, as observed in the ThreatFire Community to-date, has been Protection System FakeAv variants and its droppers. The dropper is usually a part of a crack or keygen distributed at crack sites and over P2P. It drops out multiple other unwanted components, including the FakeAv. It is a common thing to have seen in the past on other platforms. What is different here, is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified, newly delivered with 7.

At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The offending dropper makes registry key creations to ensure persistence across reboots without a peep from UAC in its default settings, even when logged in as a Standard User. Another executable responsible for many of the popups is copied to the profile directory. A phony scan is kicked off (thousands of pieces of malware were stored on the system and all were not detected), and two hard coded detections are displayed. And no, there isn’t a legitimate vendor that maintains malware family names as variants of “GayCodec”:

Multiple pop-ups appear for phony malware detections and payment/activation. All without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows firewall with a randomized list of malware that are not running on the system:

It’s reported to attempt uninstall on other security products, which was not observed on lab machines.

All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one and always purchase software from legitimate vendors. And install a behavioral layer of protection over and above UAC on your system like ThreatFire, which runs well on Windows 7 and keeps your system protected.

The installer drops cs.exe to c:\program files\cs\cs.exe on your system and runs it, which prompts the user with nagging popups. If you are seeing “Cyber Protection Center reports that ‘Cyber Security’ is inactive” on your system, do not activate it:

Standard set of phony detections to scare the victim into paying for the software:

“Cyber Protection Center” gui has become the “usual” Microsoft security center spoof:

The naming has changed a bit. The typical download Url will look like a variant on this scheme:
91.212.107. 5/download/Soft_40s5.exe
91.212.107. 5/download/Soft_257.exe (starting 10/13)
91.212.107. 5/download/scanner-323_2007.exe
91.212.107. 5/download/scanner-323_2007.exe (starting 9/8)
91.212.107. 5/download/antivirus-8D5D21_2015-5.exe
91.212.107. 5/download/antivirus-32CED34_2007.exe (starting 8/12)

This month’s moves include ip and domain changes:
91.212.107.5
best-antispyware-09 .com
best-antispyware-11 .com
computer-protection-7 .com
computer-protection-9 .com
quick-antimalware-2 .com
top-antispyware-scan9 .com
topantimalwarescan5 .com
wwwantispyware-01 .com
your-pc-protection0 .com
your-pc-protection2 .com
yourantispyware-2 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

83.133.119.154
yourspywarescan0 .com
computer-protection-7 .com
computer-protection-9 .com
ftp.dot5productions .com
your-pc-protection0 .com
your-pc-protection2 .com
yourspywarescan0 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

85.12.24.12
computer-protection-7 .com
computer-protection-9 .com
your-pc-protection0 .com
yourspywarescan0 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

Do not activate the product:

What will the group have in store in November? We’ll wait and see. In the meantime, PC Tools ThreatFire users and the recently award winning Spyware Doctor with AntiVirus 2010 (with Behaviorguard) are well protected from this round of scareware.