Archive for the ‘Zlob’ Category

Notes from the underground II

Wednesday, January 2nd, 2008

AV veteran Peter Ferrie of Symantec noticed that the vx scene he has been fighting for so long has been winding down. The scene’s virus writers are beginning to post their farewellz and shoutz on the 29A forums and others.

He also points out that the trojan scene has steadily been replacing the activity of vx writers:
“We are striving to put them out of business. Once they’re all gone, those Trojans will keep us in business for a long time. Not that we want them, either.”

Even those trojan groups are beginning to disappear. The ChaseNET forums, a major international source of “Remote Administration Tool” (RAT for short, otherwise known as “Trojan Horse”) activity since 2004, are closing down as well. This shutdown curiously coincides with the FBI arrest of longtime ChaseNET member “Digerati”. He faces up to five years in prison and a $250,000 fine if convicted of conspiracy to commit computer fraud, as we posted last year.
While the oldest of the groups might be drying up, unfortunately there are more growing to replace the vxers in different parts of the world. Recently released “Zines” from these newer groups publish technically sophisticated source details of password stealing, advanced rootkitting techniques, and more. These zines follow the trend away from virus writing for reputation to password stealer writing for profit. Plug in the slow cooker, cuz we’ll see more “Bot Roast” style arrests in 2008.

Unfortunately, we are also seeing more posts overseas from individuals seeking bot herding partners, looking to install more adware on victims’ systems and raise revenues for those involved. This sort of collaboration and malware should also continue throughout 2008, as we have been seeing a high level of this activity at the end of 2007.
Some of the most prevalent malware ThreatFire currently is seeing comes from the Zlob or Popuper families that are distributed in this manner. And here is one of the requests that we are seeing on an overseas forum regarding rogueware installs:
“We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots.”

Update: Bot Roast II resulted in another guilty plea. This time from Gregory King, indicted at the same time as “Digerati”. His deal includes a two year prison term.

40,000 googled pages, an ineffective link that gets fixed, and tons of system-freezing downloads

Wednesday, November 28th, 2007

We’ve been tracking for some time now the malicious search campaign, involving thousands of domains and pages, that the Internet Storm Center desk cited this morning. A couple of the sites in China each host approximately 5,000 web pages, and every one of those pages incorporates the same link to one malicious JavaScript page targeting Windows users. Other servers around the world have basically the same configuration. ThreatFire users are protected.

It’s a pretty complicated attack. Basically, when you visit one of these Google results, the malicious server prompts you to download a malicious executable while, at the same time, analysing your system for vulnerabilities and attempting to attack them. All of this work is in an effort to install lots of “rogue security software” that scans your system and attempts to intimidate you with fraudulent scan results into purchasing the product, complete with pop-ups for pharmaceuticals sprouting up on the screen.

Yesterday afternoon, we installed their executable manually (displayed at the Sunbelt blog as “VideoAccessCodecInstall.exe”). It runs on a user’s system and then attempts to connect to a website and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the “video codec” connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn have been found all over the system (which were not there when we started), and we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner

So we’ve been visiting these malicious web sites in the lab, and they appear to prompt you to install a video codec, enticing you to check out the video that is about to play onscreen. But, in the background, the web page’s JavaScript identifies the OS, browser and Java VM version of the visiting user and attacks the browser accordingly. Based on this information, it attacks multiple Microsoft vulnerabilities: MS06-014, MS06-006, MS05-001, MS03-011. It can also attack a couple of old Firefox vulnerabilities: first MFSA 2005-50, and if that attack fails on your Firefox browser, it resorts to attacking MS06-006, which overflows a buffer in unpatched versions of Firefox.
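Two things in this post are worth turning into a repeatable check: thousands of pages across unrelated hosts all pulling the same external script, and that script branching on the visitor’s browser and plugin versions. The Python below is an added example, not code from this post or from ThreatFire. It walks a crawled set of pages, groups external script URLs by how many distinct page hosts embed them, and then looks inside the shared scripts for common fingerprinting calls. The page contents, script bodies, hostnames and the `Constructed.Placeholder` ProgID are all constructed sample data; the indicator list is a plain set of well-known property names, not a signature from any product.

```python
import re
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

# Constructed sample crawl: page URL -> HTML body. Three pages on two hosts all
# pull the same external script; one unrelated page pulls its own local script.
SAMPLE_PAGES = {
    "http://site-a.example/p1.html":
        '<html><body>hello<script src="http://js.example/v.js"></script></body></html>',
    "http://site-a.example/p2.html":
        '<html><script src="http://js.example/v.js"></script></html>',
    "http://site-b.example/q.html":
        '<html><script type="text/javascript" src="http://js.example/v.js"></script></html>',
    "http://site-c.example/home.html":
        '<html><script src="/static/app.js"></script></html>',
}

# Constructed script bodies, keyed by absolute script URL.
SAMPLE_SCRIPTS = {
    "http://js.example/v.js":
        'var ua=navigator.userAgent; if(ua.indexOf("MSIE")>0){'
        'try{new ActiveXObject("Constructed.Placeholder");}catch(e){}}'
        'var p=navigator.plugins;',
    "http://site-c.example/static/app.js":
        'document.getElementById("menu").onclick=function(){};',
}

# Matches <script ... src="..."> regardless of attribute order or case.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

# Property and object names commonly read by scripts that select behaviour
# by browser, OS or plugin version. Presence alone is not proof of malice;
# it is a triage signal to combine with the cross-host sharing below.
FINGERPRINT_INDICATORS = {
    "navigator.userAgent", "navigator.appVersion", "navigator.plugins",
    "navigator.mimeTypes", "ActiveXObject", "java.lang.System.getProperty",
}


def extract_script_urls(page_url, html):
    """Return absolute URLs of every <script src> on a page."""
    return [urljoin(page_url, src) for src in SCRIPT_SRC_RE.findall(html)]


def shared_script_report(pages, min_hosts=2):
    """Map each external script URL to the sorted list of distinct page hosts
    that embed it, keeping only scripts embedded from at least min_hosts hosts."""
    hosts_by_script = defaultdict(set)
    for page_url, html in pages.items():
        page_host = urlsplit(page_url).netloc
        for src in extract_script_urls(page_url, html):
            if urlsplit(src).netloc != page_host:  # external scripts only
                hosts_by_script[src].add(page_host)
    return {src: sorted(hosts) for src, hosts in hosts_by_script.items()
            if len(hosts) >= min_hosts}


def fingerprint_indicators(script_body):
    """Sorted list of fingerprinting indicators found in a script body."""
    return sorted(name for name in FINGERPRINT_INDICATORS if name in script_body)


def triage(pages, scripts, min_hosts=2):
    """Combine both signals: which external scripts are shared across hosts,
    and which of those scripts read browser/plugin identity."""
    report = {}
    for src, hosts in shared_script_report(pages, min_hosts).items():
        report[src] = {
            "hosts": hosts,
            "indicators": fingerprint_indicators(scripts.get(src, "")),
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_PAGES, SAMPLE_SCRIPTS).items():
        print(src, "embedded by", info["hosts"], "reads", info["indicators"])
```

Feeding real crawl output into `triage` means replacing the two constructed dictionaries with fetched page bodies and fetched script bodies; the grouping by distinct page host (rather than by page count) is what separates a campaign spread across many compromised sites from one site that simply includes the same script on every page.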

Simply put, the best way to deal with this threat is to update your Windows operating system and application components, keep your system’s third-party utilities patched, and maintain effective security products on your system.
We’ll keep you updated on the situation.

If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:

If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:

Here is an example of ThreatFire identifying one of the downloaders, running on a lab system: