Showing posts with label Rogueware. Show all posts

Friday, July 18, 2008

Can't Create a Rule

The "Rogue" computer engineer from San Francisco that granted himself exclusive administrative access, at the very least locking out admin access from other users, to a city network housing confidential city records still is in jail on $5 million bail. Earlier today, he pleaded not guilty to four counts of computer tampering. Strangely, the city still seems to be waiting for the password.

We can deal with Rogueware, or Rogue AntiSpyware. But sorry, we can't add a rule for this sort of behavior.

Tuesday, June 24, 2008

Fakealert Variant

Another Fakealert variant is affecting our user base.



Passing itself off as the usual "mediatubecodec_ver1.1277.0.exe" (do not run this file -- it really does not deliver useful codec components for playing videos), this downloader connects back to hxxp://xpantivirussecurity.com, and drops files like "1.exe" that deliver scary popups to alarm our users with false malware detections in an effort to coerce them into paying for a product that they don't need. Unfortunately, detection has been spotty, with some heuristics performing effectively.


Wednesday, June 18, 2008

I Do Not!

We continue to receive emails telling us that we're not smart enough or don't look good enough. It's not totally unusual, because that message frequently is communicated by the "beauty" and "diet" industries in magazines, tv ads, etc. How dreary.

A common scam continues to make the rounds, putting the two themes together and telling us that we even look dumb. The email message includes a link to a video file, implying we might look really dumb in this video. The message even looks like crass Onion humor -- next, they'll tell us that only nerds wear glasses. Now, they are telling me "You look really stupid". Unfortunately, users are falling for this bad line every day, and downloading and running "video1.exe" on their systems:


Also hosted at the compromised server is video.exe.

This work is from a Russian gang, with the malware phoning back to a domain associated with other malware families in the Russian Federation:
Name: sr59.24ruhost.com
Address: 207.10.234.217
The owners of the compromised server have been notified.

These "videos" didn't show how dumb I really look. Instead, they download adware, rogueware, and other components. McAfee's researcher Paulo Palumbo beat us to the post this morning with a description of the blue screen that these downloaded rogueware installs frighten users with -- we'll note that this spammed executable link is one of its sources.
In our lab, we tried to reconfigure the Sysinternals' (acquired by Microsoft) screensaver used in this attack to "enable fake disk activity", but the necessary sysinternals components are not functional in this bundle. It's not even fun to tinker with, don't fall for this video.exe trick.

You're not ugly or dumb. You're beautiful, just right.

Elevated RBN IP Range Activity

Currently, we are seeing user systems from all over the world being attacked by a series of rogueware and spyware components. The software is related to a web server at http://74.50.107.165, whose IP address you can find among other Coolwebsearch/Gromozon/RBN addresses in the Russian Federation (still known as the "Russian Business Network", even though much of the group moved operations to Panama and China). The authors continue to use many of the same simple filenames they started out with:
0.exe, 1.exe, 2.exe, 3.exe, 4.exe, 5.exe

Creative stuff, no?

The attack is using a variety of methods. One of the more effective techniques is simply bundling the software with "winpole2.exe" within a setup file, which was available as another download at http://www.softportal2008-2008.com.

The dialog boxes look similar to the Microsoft Security Center, claiming that "Windows did not find Antivirus software on this computer", when the pages are not provided by "Windows" or Microsoft at all:



Clicking on one of the links provided by the Center-lookalike takes you to "thespybot.com", a knockoff of the legitimate antispyware product SpyBot S&D:



The other link in the Center-lookalike takes the user to a page that reports on phony scan results:



Now, instead of dropping the rogueware known as "Brave Sentry", this new variant drops a variant of phony antivirus software "vav.exe", otherwise known as "Vista Antivirus 2008".


If that's not enough to convince the user to pay for the misleading product, it falsely alerts the user to "Spyware.IEPass.Thief" on their system.


Detection for many of the components is still very poor; here only four of the scanners pick up most of the dropped components:

Wednesday, June 11, 2008

Botnet Herder Pleads Guilty

Maybe botnet activity hasn't gone the way of Ruben Studdard like we thought it would, "yet another name now lost to the ages, silently fading into shadows numberless, suckled by the night sky", but this botnet herder has. Only with nowhere near as much elegance.
When authorities arrested him at his Fairfield residence last year, our herder Gregory King exited the back door, tried to hide a laptop in the bushes of his backyard, and then answered the front door. 'The government seized the laptop and searched it, finding "botnet software and references to King's various online monikers."' Yesterday, he agreed to a two year prison deal after pleading guilty to charges of DDoSing two web sites.

Last December, we pointed out that the FBI's Bot Roast II would lead to more arrests and lots of activity in cyber-law enforcement. In January, we pointed out that the ChaseNet forums' shutdown coincided with the arrest of long-time member "Digerati" (Ryan Brett Goldstein), who was indicted as a result of the same FBI operation at the same time as 21-year-old "SilenZ" (Gregory King).
While these developments expose past botnet activity and its disruption in definite terms, we also pointed out advertisements posted in underground forums by rogueware distributors looking to partner with these botnet herders, which we continue to see en masse:
"We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots."

Unfortunately, this underground and international industry is growing and evolving. Despite these arrests and drama, our Ruben will not escape suddenly into the eternal chill of crisp autumn air.

Thursday, May 22, 2008

Seeing Double?

What's that? Winifixer! Here are some comments from the web site:
"Statistics approve that virus and trojan attacks damage more than $3 million/hour and the new virus appears each hour. One of them, virus Sasser. A, infected million of computers at the first hours after let out and caused billions damages. It had been corrected within a lot of months."
Scared yet? Or do you just find the wording and explanation a bit odd? Let me see, let's work with those figures. In a day, that's $72 million in damages. In a week, it's half a billion dollars. By the end of the year, that adds up to almost $200 billion.
And it points out that almost EVERYONE's system is infected! WOW! 91% is a big number!

If you haven't read our previous posts, you might not be aware that there are a number of misleading applications being distributed on the web by malicious web site operators. Stuff that we've been calling "Rogueware". Some AV vendors prefix the detections with "not-a-virus: Fraudware", some will call the stuff a "Troj_Renos", some call it a "Misleading Application" and some call it "Rogue Security Software". Some AV vendors have been blogging dramatically about this software and how it was originally distributed, via fake codecs.
Here is the page that offers up the WinIFixerInstaller.exe download for only $99.95:

What? You're not sure if you want to install that one? Well, you can always install something just like it...called the AdvancedXpFixer! It makes the same exaggerated claims as the site mentioned above, and offers up the AdvancedXPFixerInstaller.exe download. Are you seeing double? Maybe!

My favorite part is where they provide links on the "company" page to securityfocus articles about developing av engines and heuristics. That's good stuff.

How might you wind up with these pages or software on your system? As always, patch your system! The software is partly being distributed using a few ugly old drive-by client-side exploit tricks to run some downloaders on your system without you knowing it when you browse a malicious web site. Successful exploitation also results in a huge fake alert on your system's desktop wallpaper, telling you about all the malware on your system. The malicious sites also download and execute multiple spam bots and other malware, making your system a major problem and source of spam. Double the fix, er.



Update: while double is interesting, triple is all the more exciting!

Tuesday, May 20, 2008

Year of the Rogueware

Another misleading AV package keeps returning to our lists, modified by its writers and rereleased constantly to minimize AV detection and widen their window of opportunity to mislead users. As previously posted, the themes for this stuff change fairly frequently. But this one, WinSpywareProtect, is like a bad rash that keeps coming back. We find users attempt to run its installer, Install1.exe, and its payload, winspywareprotect.exe, on their ThreatFire community systems far too often.

The web site is fairly convincing. It appears as though the software company has won a number of awards. Any amount of googling, however, will show that these award logos are completely illegitimate:

AV detection is somewhat shoddy for the installer during this window of opportunity:

Careful with what you are installing on your system. As in our previous post linked above, fraud and rogueware are rampant efforts -- social engineering can have a payout.

Thursday, May 8, 2008

Antivirus Fraud 2008

2008 continues to live up to the title "The Year of Rogueware". So far this year, bots, worms and viruses all seem to live in the shadow of this type of activity. Users are actually trying to run this constantly changing stuff on their systems, with AV scanners missing it altogether during its effective window in the wild (ITW). Rogueware themes change, the binaries change, and the websites change somewhat according to thematic content. You can see the lack of scanner detection here.

Accelerated numbers of "AntiVirus2008" software installs are popping up, created by our familiar developer friends in the Ukraine (yes, that is sarcasm), which can be found at "hxxp://www.antivirus-scanner.com". We're seeing installs from a file named "antvrsinstall.exe", which is dropping "antvrs.exe". Here's another fraudulent screenful from its distributors. There are no dangerous files or viruses detected on the system as they state, because the web site isn't really scanning my system:

Quarantine it if you see a popup from ThreatFire warning you of "PuA.Rogueware".

Monday, March 10, 2008

Another round of rogueware

Today, we are seeing a surge in the level of ridiculous and badly written Delphi malware. It's not a part of the Zlob family that we wrote about last week, but there certainly is a fakealert somewhere in there. Can you find it?

If you haven't heard, and apparently some of our readers haven't, in the course of trying to run videos on your system, you may be prompted to install what is really a phony video codec. One seems to be all the rage today and was at the very end of February, prompting the user to download and run "setup_axplugin.exe".

This setup file may have a cute avi file icon once it is downloaded, as though it is going to install an appropriate piece of software to display that wholesome video you're trying to view:

Setup_axplugin.exe drops and runs "sysockeu.exe" and a handful of other files, which copy out "mywallpaper.bmp" and reconfigure your system and desktop to display the bitmap file, along with the bad grammar and misspellings that you saw in the first screenshot above:

"WARNING! YOU'RE IN DANGER! YOUR COMPUTER IN INFECTED WITH SPYWARE!"

In turn, these guys are attempting to convince the user to install and pay for what we have been calling Vundo, another piece of "Rogueware". It's a trojan that doesn't really clean up much of anything. From what we could tell, our clean lab systems that displayed this stuff weren't really putting us in much danger at all.

Tuesday, March 4, 2008

Developing Malware and Rogueware on the Same System

Sometimes people with bad intentions do really dumb things. Is it something to laugh at? Is it something that provokes empathy for the subject?

Well, as we research further into the so-called MonaRonaDona virus, Registry Cleaner 2008, and Unigray Antivirus, we find characteristics common to each executable binary, leading us to believe with a high level of confidence that not only are the binaries from the same group, but they were developed on the same machine.

We performed a forensic investigation of the binaries, and in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in the Netherlands and speaks Dutch, in his mid 30s, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan as a Fulbright scholar and likes looking at Maria Ford and Jordan Ladd. Our Mr. X has no permanent job, so he takes the projects from his bosses to build these rogue antivirus solutions and pay his rent. He wants better projects and wants to run his own business. It is his bosses who are the real masterminds behind Unigray Antivirus and MonaRonaDona - not this man himself.

Clues?

Well, the executable was compiled on a Windows box with the Netherlands regional settings using Microsoft Visual Studio 8 and MFC/ATL settings.
MonaRonaDona is likely a word-play on Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30s and older.
An Elance trace leads us to the web portal where freelance programmers can be hired.
Multiple others litter the files.

It's Elementary, My Dear Watson!

Monday, March 3, 2008

MonaRonaDona Mystery Solved

Brian Krebs at the Washington Post blogged today about a pretty common, unusually mysterious, and very badly named extortion scam, "MonaRonaDona":
"Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that's clear is that this invader's primary purpose is to call as much attention to itself as possible...This piece of malware disables a number of programs on the victim's PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot."

Our talented friend Roel at Kaspersky blogged about symptoms that they've seen as well, without much to add about its origins:
"How the malware actually reaches the system isn't entirely clear at the moment. When first run, the only thing the program does is register itself to start at Windows boot. As symptoms of infection aren't immediately visible, this makes it harder for victims to pinpoint what they were doing when they actually got infected. "

We were analyzing the same threat earlier this morning, when one of our support team was contacted about the problem. Our ThreatExpert and ThreatFire protected community provided the binaries to find some answers.

Some of these users unfortunately were persuaded over the past week or so to run a version of "RegistryCleaner2008.exe" (afec3d0f13b8f866f2c2eec122024165 for you researchers out there), as can be seen here:

Along with a particular version of "RegistryCleaner2008.exe" came a little friend by the name of "srvspool.exe", with companions. Some of the infection symptoms are somewhat simple and silly compared to other threats we've been researching -- "MonaRonaDona" appears in the Internet Explorer title bar, the "DisableTaskManager" key in the registry is set so users cannot use Ctrl+Alt+Del to kill the threat on their system, and "srvspool.exe" appears in the All Users startup folder.
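As an added example (not the blog's or ThreatFire's code), here is a small Python triage script for the indicators this post names: srvspool.exe in the All Users startup folder, the DisableTaskManager policy value, the MonaRonaDona string in the IE title bar, and the MD5 given above for RegistryCleaner2008.exe. The registry side is read from a .reg export so it runs offline on any OS; the sample export and the stand-in startup folder are constructed, and the idea that the IE title was set through the "Window Title" value under HKCU\Software\Microsoft\Internet Explorer\Main is my assumption, not something the post states.

```python
# Host triage for the MonaRonaDona indicators named in the post above.
# Added example, not the blog's or ThreatFire's code.
import hashlib
import os
import re
import tempfile

# Indicators taken from the post.
KNOWN_BAD_MD5 = {"afec3d0f13b8f866f2c2eec122024165": "RegistryCleaner2008.exe"}
SUSPICIOUS_STARTUP_NAMES = {"srvspool.exe"}
TITLE_MARKER = "monaronadona"


def _dword_nonzero(raw):
    """True for a .reg dword value such as dword:00000001."""
    return raw.lower().startswith("dword:") and int(raw[6:], 16) != 0


# (key path, value name, predicate on the raw .reg value text, description)
REG_CHECKS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskManager", _dword_nonzero, "Task Manager disabled by policy"),
    # Assumption (mine, not the post's): the IE title bar text is set via this value.
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Window Title", lambda raw: TITLE_MARKER in raw.lower(),
     "IE window title contains MonaRonaDona"),
]

# Constructed .reg export standing in for what an infected user's hive might show.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskManager"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="MonaRonaDona"
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"=value lines.
    Returns {key (lowercased): {value name (lowercased): raw value text}};
    string values lose their quotes, dword/hex values stay raw."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1]
            hives[current][name.lower()] = raw
    return hives


def check_registry(reg_text):
    """Return findings for the registry indicators in REG_CHECKS."""
    findings = []
    hives = parse_reg_export(reg_text)
    for key, name, predicate, description in REG_CHECKS:
        raw = hives.get(key.lower(), {}).get(name.lower())
        if raw is not None and predicate(raw):
            findings.append(f"registry: {description} ({key}\\{name} = {raw})")
    return findings


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_startup_folder(folder):
    """Flag autostart entries by name and by known-bad hash."""
    findings = []
    if not os.path.isdir(folder):
        return findings
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if name.lower() in SUSPICIOUS_STARTUP_NAMES:
            findings.append(f"startup: suspicious autostart entry {name}")
        digest = md5_of_file(path)
        if digest in KNOWN_BAD_MD5:
            findings.append(f"startup: {name} matches known-bad MD5 of {KNOWN_BAD_MD5[digest]}")
    return findings


def triage(startup_folder, reg_text):
    """On a live host: pass the All Users Startup path and the text of a `reg export HKCU` run."""
    return check_startup_folder(startup_folder) + check_registry(reg_text)


def run_demo():
    """Build a constructed stand-in startup folder and triage it with the sample export."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "srvspool.exe"), "wb") as fh:
            fh.write(b"constructed placeholder, not the real binary")
        with open(os.path.join(folder, "desktop.ini"), "wb") as fh:
            fh.write(b"benign")
        return triage(folder, SAMPLE_REG_EXPORT)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The hash check only matches the exact sample the post hashed, so on a real box it is the name and registry checks that do most of the work; a repacked variant will keep the symptoms long after the MD5 stops matching.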

Interestingly, the release coincided with the short-lived appearance of an antivirus suite at www.unigray.com. Notice the "New Spyware Threats" list in the bottom right corner contains #1 new find "MonaRonaDona". At the moment of posting, googling for this dreadfully named virus family turns up no results from any of the credible AV vendors:

Meanwhile, a mysterious poster "ParadiseForever" claimed that "The computer virus by the name Monaronadona is causing widespread havoc by infecting computers everywhere" and that "The only solution would be to install a good AntiVirus software package which can detect and kill the virus. There are a lot of free AntiVirus softwares available online. However the normal antivirus such as Norton or McAfee may not work for this Virus. You can try downloading the Unigray Antivirus which is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs", which can be seen here:

And here is an attempt to lend credibility to this overpriced, false-positive-producing Unigray scanner, by putting it in the same list as established and well-known AV vendors:

Note that it has been reported by other researchers that users' search engine results are modified in some way, but we have not witnessed this activity. Instead, the rogueware authors have posted at Digg and other sites in order to appear as top Yahoo and other search engine hits for the search term "MonaRonaDona", with pages that promote the rogueware Unigray AV scanner.
A clean system shows that the top unsponsored result at the Yahoo web site takes you to the phony "ParadiseForever" post at hubpages.com:

More of the scam can be read about on Krebs' post, where he instructs users "If you're a victim of this extortion scam, please don't pay up."

We'll have more details about the binaries and provide updated information as well. In the meantime, we are pleased to report that the source of this Rogueware is quiet at the moment:

Friday, February 22, 2008

IM Skype Spam

We continue to get copies of IM Spam in our Skype accounts. "ATTENTION! Security Center has detected malware on your computer!", all from "Mr. AntiVirus Notice". Chances are, you are too. Last year, variants of malicious worms were using Skype to spread, and then slowly the rogueware money makers decided to cash in on the same methods.

We decided to visit the web sites in our labs, to find out what they still have to offer. Here is the original message. It appears that distribution of this spam message has been hitting peaks a couple of times a month since November:

When we visited the site at the provided link, the page seemed to somehow, without prompting, scan the system for malware through my Firefox browser (legitimate software cannot and does not do this on a computer). Little progress bars began filling up and scary things were reported to be detected:

When this supposed scan finished, the page presented a stunning warning, bad stuff was detected:

Even though this system is completely clean, it might be fun to select the "Remove All" button. The next page that is provided is their shopping cart -- just a quick suggestion, really:

Knowing that my system was completely clean, I clicked on the "close" button for this shopping cart. Instead of closing the shopping cart, the site immediately warned that my system would be infected, in other words, if I didn't cough up the cash. "Don't close this window if you want your PC to be clean.":

Finally, when the user has been intimidated or confused enough to cave in and clicks "Ok", they are presented with a final order form:

Is any malware on the machine? No. Does this user need to pay $20.00 to clean Rootkits and Backdoors off a system here? No. Ignore Skype spam and misleading advertisers.

Monday, January 14, 2008

Fake alert for Spyware.CyberLog-X

A new round of the FakeAlert family has been released this past weekend, the same family of rogueware components that Alex Eckelberry of Sunbelt has posted. We are seeing a surge in hits for new components installed as "MultiMedia Software" codecs that result in a barrage of popups identifying "Spyware.CyberLog-X" and "Trojan-Spy.Win32@mx" on the system:

Of course, there was no spyware on these clean lab systems prior to the codec install, and no legitimate video codecs were installed on the machine as a result of running the setup.exe program.


Thursday, January 3, 2008

New (delf?)lob or (z?)lob variant

We are seeing a number of hits from binaries served up from the Ukraine via web pages' prompts from domains registered in China and hosted in the U.S. Now that's international.
These sites in the Ukraine are linked to by servers all over the world, and serve up "Rogueware", or fraudulent adware, similar to the Zlob family. A couple of vendors are assigning it vague family names like "Delflob" or "Delf".
Through a redirected HTTP session, the user sees the standard video codec hoax. Recently, this same hoax was coldly used with other shocking news like the Bhutto assassination and the Zoey Zane death, and most likely will continue to be used throughout 2008. This site could have been a part of the fake-codecs-on-Blogger effort, but because detection is so low, it is most likely a new effort or will be a part of a new effort. Notice the "play video" title bar and the instruction "You must download the Video ActiveX Object to play":

Once the user is suckered into clicking on the image to download the adware posing as a legitimate video codec, a file with variations on the name install_video_3913230.exe is served up. If the user runs the installer, thinking of it as a legitimate codec, it in turn writes out G76-tmp_.exe, which also installs toprates.dll. Toprates.dll is a file that claims to be a video driver in its properties, but it is nothing more than rogueware (also called rogue antispyware), or adware making fraudulent and threatening claims that a user's system is infected and in a dangerous state. And by paying up, the user will soon fix this dangerous situation.
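The fake-codec lures in this post and the earlier ones share a few naming habits (a "codec" or "video" executable, install_video_NNNNNNN.exe, the single-digit 0.exe..5.exe drops) and a handful of named hosts. As an added example, not code from the blog or from ThreatFire, the Python below runs those indicators over a constructed proxy log. The log format, the log lines and the example.* domains are made up for the demo; the host and filename lists contain only what these posts name (2007-2008 material, so illustrative rather than a current blocklist), and the lure patterns generalise from those names.

```python
# Proxy-log sweep for the rogueware download indicators named in these posts.
# Added example, not the blog's or ThreatFire's code.
import re
from collections import namedtuple
from urllib.parse import urlparse

# Hosts named in the posts (2007-2008; illustrative, not a current blocklist).
KNOWN_BAD_HOSTS = {
    "xpantivirussecurity.com", "sr59.24ruhost.com", "207.10.234.217",
    "74.50.107.165", "www.softportal2008-2008.com", "www.antivirus-scanner.com",
    "www.unigray.com",
}

# Filenames named in the posts, lowercased.
KNOWN_BAD_FILENAMES = {
    "mediatubecodec_ver1.1277.0.exe", "video1.exe", "video.exe", "winpole2.exe",
    "vav.exe", "antvrsinstall.exe", "antvrs.exe", "install1.exe",
    "winspywareprotect.exe", "setup_axplugin.exe", "sysockeu.exe",
    "install_video_3913230.exe", "g76-tmp_.exe", "toprates.dll",
    "videomp3_setup_.exe", "winifixerinstaller.exe", "advancedxpfixerinstaller.exe",
    "registrycleaner2008.exe", "srvspool.exe",
}

# Naming habits of the fake-codec lures, generalised from the names above.
CODEC_LURE_PATTERNS = [
    re.compile(r"codec", re.I),                     # mediatubecodec_...
    re.compile(r"^install_video_\d+\.exe$", re.I),  # install_video_3913230.exe and siblings
    re.compile(r"^video[\w-]*\.exe$", re.I),        # video.exe, video1.exe, videomp3_setup_.exe
    re.compile(r"^\d\.exe$"),                       # the 0.exe .. 5.exe drops
]

# Constructed log format: timestamp client method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

Finding = namedtuple("Finding", "line_no client url reasons")

# Constructed sample; the example.* domains are placeholders, not real lure sites.
SAMPLE_LOG = """\
2008-01-03T09:58:12 10.1.2.3 GET http://www.example.com/index.html 200 5120
2008-01-03T09:58:40 10.1.2.3 GET http://cdn.example.com/flashplayer.exe 200 1048576
2008-01-03T10:01:07 10.1.2.3 GET http://lure.example.net/install_video_4471095.exe 200 241664
2008-01-03T10:03:55 10.1.2.8 GET http://xpantivirussecurity.com/1.exe 200 73728
2008-01-03T10:05:13 10.1.2.9 GET http://files.example.org/mediatubecodec_ver1.1277.0.exe 200 90112
2008-01-03T10:06:02 10.1.2.9 GET http://www.example.com/video/summer.mp4 200 8388608
"""


def classify(url):
    """Return the reasons (possibly none) a fetched URL looks like a rogueware lure."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]
    if host in KNOWN_BAD_HOSTS:
        reasons.append(f"known rogueware host {host}")
    if filename.lower() in KNOWN_BAD_FILENAMES:
        reasons.append(f"known rogueware filename {filename}")
    elif filename.lower().endswith(".exe") and any(p.search(filename) for p in CODEC_LURE_PATTERNS):
        reasons.append(f"executable named like a fake-codec lure: {filename}")
    return reasons


def scan_log(lines):
    """Run classify() over proxy log lines; malformed lines are skipped."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            findings.append(Finding(line_no, m["client"], m["url"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client} -> {f.url}")
        for reason in f.reasons:
            print("    " + reason)
```

The name-pattern rule is the one that keeps working as the droppers get renumbered; the host list catches only what has already been seen, which is exactly the gap the post's "detection has been low" screenshots are about.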
ThreatFire users have been seeing prompts regarding the temp file's (%TEMP%\GL76-tmp.exe) adjustments to security settings:

If the user allows the action to occur and then double-clicks on "My Computer", or opens an explorer window another way, they are prompted with an intimidating warning. If the intimidated user clicks on "Ok", this adware directs the user's browser to a web site peddling IeDefender, fraudulently claiming that the user's system has been infected by an "unknown trojan" (implicitly something other than this garbage):

Unfortunately, AV detection for the variant has been low since our ThreatFire community started seeing this malware:

Even if one of our ThreatFire users accepted the temp file's attempt to change the system's security settings, TF would prompt a second time on the source of the disingenuous warnings as it attempts to intimidate the user with more confusing ads. At this point the user really should quarantine this rogueware. If ThreatFire hasn't seen the specific delivered binary before, it prompts the user:

ThreatFire will be picking these off as a part of the "Zlob" family.

You might notice that this hoax has a lot to do with the very last line of a previous post, quoting an ad from the distributor of these sorts of rogueware installs.

Tuesday, December 4, 2007

Sunbelt IeDefender/zoey zane find still up and running

Monday morning, Adam Thomas of the Sunbelt crew posted about a sick0 scheme to use the information from a shocking news story about the death of a girl to lure in new rogueware IeDefender victims. While we haven't seen a large spike in the downloads of this stuff, we've been monitoring the site -- it remains up.

In our lab, we saw closely related but slightly different results. The videomp3_setup_.exe file, when manually run, pops a couple of different and changing windows:

Following the rogueware install, the software will open an Internet Explorer window, conveniently googling the term "sex" for you, and injecting its own HTML into the results, spoofing the Google results. The first chunk of injected HTML is a warning posing as though it is from Google: "Google Error! Your computer is infected!..."
The second chunk immediately follows the fraudulent claim. It inserts a pornographic image next to a phony link that claims to be on the YouTube site (clicking on it directs you to a completely different porn domain, not YouTube). You can see the (censored) fraudulent results here:

Unfortunately, scanner results seemed to be spotty to non-existent for this threat:

We've distributed samples to the appropriate people for inclusion in other security products' protection.