The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky.

Viruslist poll
How would you prefer to pay for your antivirus solution?
Using a prepay card
Via your mobile (SMS)
Via the Internet using a debit\ credit card
Using cash\ credit\ debit in a shop
Using an e-payment system (e.g. PayPal)
Other
  View responses
 

  Home / Weblog

Analyst's Diary

Malware taxes users

Maria, October 30, 2009 | 12:18 GMT

Last month on our Russian blog we talked about how the Zbot Trojan was being spread via spam messages which looked as though they came from the US Federal Tax authorities.

One reader commented jokingly that we should keep tabs on tax deadlines in other countries in order to detect future mass mailings of Zbot.

And then we got an email from HM Revenue and Customs, the body responsible for taxes in the UK:

Of course the link led to a phishing site which looked very like the real HMRC site:

And of course, the exe file which pretends to be a tax statement is Zbot – looks as though this Trojan likes playing taxman!

But it's not just Zbot – phishers have jumped on the tax bandwagon as well. In the run-up to October 31st, the final deadline for submitting paper self-assessment tax forms in the UK, we've seen a number of copies of this email:

You can see how you might be tempted to respond to this message, as it's offering a tax refund rather than demanding money. But open the attachment, and you end up at a classic phishing site:

Thankfully, the site was quickly blacklisted.

And the real HMRC includes information about phishing scams on its main page.

The new gumblar

Michael, October 30, 2009 | 11:30 GMT


Around October 20th we received mails from our office in Turkey about the "possible spread of a new virus". And our colleagues were right: something was going on. Some days before that, on October 16th, we noticed changes on some websites which we had been monitoring since May 2009, when 'gumblar' was spreading. While the attack in April/May just worked with iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are more widely distributed - we identified more than 202 locations.
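The injection described above, an iframe or script tag pointing at a redirect domain, is what a webmaster would scan their own pages for. The following is an added example, not code from the post or from Kaspersky Lab: it parses HTML, flags tags whose host is on a blocklist (seeded with the two May 2009 domains named above) and also flags zero-size or hidden iframes, which is the usual shape of a drive-by injection. The sample page and blocklist are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist: the two redirect domains the post names for the May 2009 wave.
BLOCKLIST = {"gumblar.cn", "martuz.cn"}


def _is_hidden(attrs):
    """Zero/one-pixel or display:none iframes are the classic injected-iframe shape."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if re.fullmatch(r"[01](px)?", attrs.get(dim, "").strip().lower()):
            return True
    return False


class InjectedTagScanner(HTMLParser):
    """Collects <iframe>/<script> tags with a src and records why each looks injected."""

    def __init__(self, blocklist):
        super().__init__()
        self.blocklist = blocklist
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host in self.blocklist or any(host.endswith("." + d) for d in self.blocklist):
            reasons.append("blocklisted host %s" % host)
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})


def scan_html(html, blocklist=BLOCKLIST):
    """Return a list of suspicious tag findings for one HTML document."""
    scanner = InjectedTagScanner(blocklist)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one legitimate script, one hidden blocklisted iframe, one blocklisted script.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<p>Welcome</p>
<iframe src="http://gumblar.cn/x.php" width="1" height="1" style="visibility: hidden"></iframe>
<script src="http://martuz.cn/y.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f["tag"], f["src"], "->", ", ".join(f["reasons"]))
```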


The following is a TOP 20 list of countries with 'injected' hosts that point to these malicious URLs:

7271    UNITED STATES*
704      RUSSIAN FEDERATION
675      REPUBLIC OF KOREA
619      ISLAMIC REPUBLIC OF IRAN
540      TURKEY
510      GERMANY
499      INDIA
487      JAPAN
400      THAILAND
382      POLAND
379      BRAZIL
345      ARGENTINA
298      CZECH REPUBLIC
187      HUNGARY
182      BELGIUM
173      ITALY
163      ROMANIA
159      UKRAINE
157      FRANCE
117      VIET NAM

*Note: The US count contains more than 4000 entries pointing to a Persian Blog Site, which probably was the biggest abused entry so far.

Among the compromised hosts there were also plenty of .gov machines. Currently we count no less than 71 .gov entries, of which 47 are in Turkey. We also see about 65 .edu sites and ca. 79 .ac domains, mainly spread throughout Thailand, India and Korea.


A deeper analysis of counts in Japan revealed at least 487 compromised sites, of which 357 are still injected with malicious URLs at the time of writing.

Some estimated access counts:


21760      www.es***ne.com
20823      www.sport***.mk
19574      www.fortun***.ru
11937      www.***jinja.or.jp
10434      www.***land*.it

Our accumulated data for one week showed 443748 access hits in total - and that is only a part of the whole incident. For several days after we noticed this new threat and added detection of the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The 'new gumblar' took some time to get noticed more widely and _still_ seems unnoticed by many. However, it is very active indeed, and as a side effect several PC vendors' support lines have been flooded with queries about sudden reboots etc. There are also reports that machines infected with a buggy version of gumblar fail to boot completely, leaving the screen black with only the mouse pointer visible.


Of course, the numbers above aren't final and are rising every day.

The evolution of rogue antivirus

Dmitry, October 29, 2009 | 11:16 GMT

We often write about the fact that cybercriminals constantly change their tactics to take account of developments in the security and software industries. And I just came across a great example of this: it shows how the people behind rogue antivirus solutions adapt their "products" to exploit developments and changes in genuine AV solutions.

A couple of months ago, Microsoft released its free anti-malware product, Microsoft Security Essentials. It's designed to ultimately replace Windows Defender, an earlier in-built antispyware product. It looks as though the guys behind the rogue AV which I just came across aren't only playing on people's fears, but on their lack of knowledge. Malware and IT threats are getting increasing coverage in the general media, but if you're not particularly interested in IT, you're not that likely to remember all the facts. Using the name "Windows Enterprise Defender" is a neat way of getting someone who might have heard of Windows Defender, and half-remembers Microsoft's latest release, to be fooled into thinking that the rogue AV is the genuine article.

Of course, the product activation process looks very similar to the genuine Microsoft process...

This case is a great example of how social engineering tactics get modified for maximum profit, and it illustrates a kind of microevolution in rogue AV solutions:

  1. Use a name which is not related to any other software
  2. Require payment to delete detected viruses
  3. Use a name which is either the same name as that of existing software, or very similar
  4. Require payment for a "product" which is supposedly part of the operating system

With the cybercriminals becoming more and more sophisticated in their approach, rogue AV isn't a laughing matter. But there is a funny side to this: the "threats" this rogue detects don't use names from Microsoft's malware classification, but from ours :)

A black hat loses control

VitalyK, October 22, 2009 | 10:06 GMT

Malware writers today always try to conceal their identities, right? Wrong – even some of today’s profit-driven cyber criminals reveal their identities. We are a bit surprised, but here is the story of how a blackhat has revealed his identity and is trying to ‘get compensation’ from Kaspersky for conducting research.

Recently we have been looking into a new service for malware writers: [avtracker dot info]. This is an online service designed to track AV vendors. The home page of [avtracker dot info] describes the service, which includes protection for malicious programs against analysis by malware researchers, and also calls for DDoS attacks against security companies:

Moreover, some of our fellow researchers shared a network request with us that was used to report back to [avtracker dot info]. This request was used in a special spy program which was distributed to various antivirus labs by the owner of [avtracker dot info]. If executed, this spyware would contact the owner and describe the environment of the infected machine. We played around with this request, and substituted various random strings instead of the user name and system parameters.

The WHOIS listing was of no use – [avtracker dot info] was registered anonymously. This was no surprise – cyber criminals usually do register domains anonymously to hinder identification.

So far, nothing out of the ordinary – a normal day in the life of an antivirus company. And then… surprise – the owner of the malware writers’ service contacted us and revealed his identity. Moreover, he even demanded a ransom of 2000 euro to compensate his purported losses when we attempted to ‘break’ his new toy.

At the time of writing, we have received the spy program, which had the following message in its code pointing to the same person who contacted us:

Naturally, we have gathered all relevant data and forwarded it to our lawyer who will now take the next steps. If all cyber criminals were as cooperative as this one, life would be much easier for AV companies.

Epassports and anonymity - what I think

Eugene, October 20, 2009 | 17:14 GMT

There seems to be quite a loud response to what I thought was a rather simple idea. In this post, I am going to go over the main points – somewhere when I have more time I’ll share my ideas in detail so people could see exactly what I am proposing.

  1. Common users are NOT anonymous for police and governments. Today the authorities can find any person they are after easily. There is a wrong perception about Internet anonymity – very few people realize that it does not exist for ordinary users. But the worst part of the story is that the ones who are truly anonymous are professional cyber criminals, because they know what to do to hide their real identities on the Internet. That is why we have millions of malicious programs and successful network attacks every year, and we don’t know who’s behind them.
  2. When I say "no anonymity" I mean only "no anonymity for security control". I don't care about the way people behave on blogs, forums, social networks and pirate torrent portals. You may use nicks or real names as you want (as we do today). The only "no more anonymity" improvement: you MUST present your ID to your Internet provider when you are connecting online. It is only the provider who needs to know your real identity.
  3. Another way to go is dedicated anonymous networks and dedicated business/gov networks - why not? But all LEGAL businesses/services will want to use secure networks, and unsecure networks will probably be limited to casual communication.
  4. When is it going to happen? Never… or in one or two generations. After some really serious IT incidents, which will have a serious impact on national and/or global economies. I am now talking not only about cybercrime, but also about cyberterrorist attacks. We already see the first signs of emerging cyberterrorism – and global anonymity is a really favorable factor for these people.

    Imagine that everyone flying in your plane is anonymous, so you don’t know who they are and what they’re up to – are you really going to approve of this? And the Internet is as critical and as vulnerable as the air transportation network. So why do we have different security standards for these two global networks?

  5. But we are already on the way – some European countries have introduced digital IDs, which they use for secure online banking and in some cases for online voting. National and municipal elections via the Internet are not a matter of science fiction – they are already here, and ID authentication is a vital part of such election systems.

    Another prototype of e-passports is the two-factor authentication we now use to access corporate networks. The only thing that is missing today is a common standard.

Anyway, I am happy to see that my ideas have raised so much discussion; I think that open public discourse and idea-sharing is the only way to make the Internet a safer and better place.

OWA Phish - a new vector (2)

Sergey Golovanov, October 15, 2009 | 18:04 GMT

Here are some technical details to expand on the previous post from Darya.

1. The Spam

According to our preliminary research, the spam emails which attacked OWA users, including Kaspersky, were sent using the pushdo botnet – which is based on malware from the Backdoor.Win32.NewRes family. These Trojans spread via spam, social networks (in conjunction with the Koobface family) and through hacked websites.

The spam emails link to a phishing webpage which is registered to 15 dynamic IP addresses located in separate IP sectors and which are constantly changing.

2. The Phish

An analysis of the phishing site proves that the criminals are using rock phishing techniques – a typical rock phish structure together with dynamic content which morphs to target users from the domain under attack.

3. The Trojan

This OWA phishing attack is spreading a variant of Trojan-Spy.Win32.Zbot – a Trojan which steals passwords stored on the infected machines; specifically passwords to local applications, passwords to websites etc. The Trojan also has keyboard logger functionality. Finally, this Zbot can also download other malware if required. In this instance, the command and control center is located in the Ukraine.

Summary

This particular attack is using well-known methods overall. The notable features of the attack are the domain name spoofing and the creation of a phishing site which mimics OWA pages. The rest is as usual.
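The two notable features the summary above lists, a From: address spoofed to the recipient's own domain and a link that leads to an .exe on a look-alike OWA page, are exactly what a mail gateway rule can look for. The following is an added example, not code from the post or from Kaspersky Lab: it parses a raw message and returns the indicators found. The organisation domain, relay list and sample message are constructed, and it assumes the topmost Received header is the one written by the organisation's own MX.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

OUR_DOMAIN = "example-corp.com"        # constructed: the organisation being targeted
OUR_RELAYS = {"mx1.example-corp.com"}   # constructed: hosts that legitimately originate internal mail


def sender_domain(msg):
    """Domain part of the From: header, lower-cased."""
    return email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def first_hop(msg):
    """Assumption: the topmost Received header was written by our MX; return the host it got the mail from."""
    rcvd = msg.get_all("Received", [])
    m = re.search(r"from\s+([\w.-]+)", rcvd[0]) if rcvd else None
    return m.group(1).lower() if m else None


def link_hosts(msg):
    """All (host, url) pairs for http(s) links in the preferred body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname
        if host:
            hosts.add((host.lower(), url))
    return hosts


def is_ours(host):
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def owa_phish_indicators(raw):
    """Return the indicators found in one raw RFC 822 message; empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    hop = first_hop(msg)
    if sender_domain(msg) == OUR_DOMAIN and hop and hop not in OUR_RELAYS:
        found.append("own-domain From: but received from external host %s" % hop)
    for host, url in sorted(link_hosts(msg)):
        if not is_ours(host):
            found.append("link to foreign host %s" % host)
            if urlparse(url).path.lower().endswith(".exe"):
                found.append("link offers an executable: %s" % url)
    return found


# Constructed sample in the shape the post describes: spoofed own-domain sender, OWA pretext, .exe link.
SAMPLE = """\
Received: from mail.smtp-relay.example (unknown [203.0.113.5])
  by mx1.example-corp.com with ESMTP; Wed, 14 Oct 2009 09:12:44 +0000
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: someone@example-corp.com
Subject: Security upgrade: new Outlook Web Access settings required
Content-Type: text/plain; charset="us-ascii"

A security upgrade requires new settings. Apply them at
http://owa.example-corp.com.settings-upgrade.eu/owa/settings.exe
"""

if __name__ == "__main__":
    for line in owa_phish_indicators(SAMPLE):
        print(line)
```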

OWA Phish - a new vector

Darya Gudkova, October 15, 2009 | 16:09 GMT

Yesterday we saw a phishing attack targeting users of Outlook Web Access (OWA) service – used worldwide to access email from Microsoft Exchange Servers via the Internet. Users received emails which told them that a security upgrade required them to apply new settings by clicking on the enclosed link.

This is a typical phishing text, but the criminal used domain spoofing to make the email seem as if it came from the recipient’s own domain. In reality, by clicking on the link victims landed on a phishing page which only looked like a standard OWA page.

Once on the phishing page, the user was asked to download an .exe file in order to update security settings. Instead of security updates, the victims were installing a Zbot Trojan (Trojan-Spy.Win32.Zbot family).

Interestingly enough, all of the phishing domains were in the .eu and .co.uk zones – which is actually a rare case, since most phisher domains are located in Third World countries.

OWA is a popular service in the business community today so the phishers are likely to reach significant numbers of people. Once again, we remind people to check emails carefully before clicking on links – and recommend network admins to warn their users about this attack.

Multiple critical patches - a busy day

Josh, October 13, 2009 | 22:18 GMT

Today marks the largest patch Tuesday ever from our friends in Redmond with 13 vulnerabilities addressed, covering a total of 34 potential exploits. Three of the exploits have had public code posted while 11 of them are rated as likely to be consistently exploitable.

The most alarming vulnerability this month is MS09-050, which, according to its discoverer, was introduced by the patch for MS07-063. MS09-050 was first published publicly on security researcher Laurent Gaffié’s blog on September 7th, outlining a denial of service vulnerability in SMB 2.0, specifically the srv2.sys driver. You might remember some of the buzz when this was first released, as several people immediately added that this was not only a denial of service, but could easily lead to remote code execution. What should be just as concerning for Microsoft, however, is the fact that the vulnerability affects Windows Vista and Windows 7 machines and not Windows XP - not an encouraging sign.

Included in this patch are also updated kill bits for ActiveX controls à la MS09-035, which if you remember was related to several vulnerabilities in ATL. Also, MS09-060 appears to address these vulnerabilities as they pertain to MS Office. It’s less than settling to see this vulnerability still has not been fully patched.

Another highly visible patch this month is the fix for the SSL certificate impersonation vulnerability, MS09-056. Those who attended Blackhat LV in July won’t have forgotten that this was the exploit being enthusiastically described to a standing room only audience by Moxie Marlinspike. Interestingly enough, this vulnerability was discovered by Dan Kaminsky.
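The impersonation bug in MS09-056 that Moxie presented was the null-prefix problem: a certificate name is a length-prefixed ASN.1 string, so it can contain a NUL byte, and a verifier that compares it as a C string stops at that byte. The following is an added example, not code from the post or from Microsoft: a hostname matcher that rejects names containing NUL and confines wildcards to the leftmost label, shown next to the C-string-style comparison that gets it wrong. The certificate names and hostnames are constructed.

```python
def cert_name_matches(cert_name, hostname):
    """Return True only if cert_name (str or bytes from the certificate) is a sound match for hostname."""
    if isinstance(cert_name, bytes):
        try:
            cert_name = cert_name.decode("utf-8")
        except UnicodeDecodeError:
            return False
    # A NUL can legitimately sit inside a length-prefixed ASN.1 string; a hostname can never contain one.
    if "\x00" in cert_name or "\x00" in hostname:
        return False
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname:
        return False
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if len(c_labels) != len(h_labels):
        return False
    if c_labels[0] == "*":
        # Wildcard only in the leftmost label, and only for names with at least three labels,
        # so "*.example" cannot match every second-level host.
        if len(c_labels) < 3:
            return False
        return c_labels[1:] == h_labels[1:]
    if "*" in cert_name:
        return False
    return c_labels == h_labels


def naive_c_style_match(cert_name_bytes, hostname):
    """The broken behaviour: treat the name as a C string, so comparison ends at the first NUL."""
    truncated = cert_name_bytes.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return truncated.lower() == hostname.lower()


if __name__ == "__main__":
    # Constructed: a name whose first NUL-terminated part is the victim site.
    tricky = b"www.bank.example\x00.attacker.example"
    print("naive:", naive_c_style_match(tricky, "www.bank.example"))   # True (wrong)
    print("sound:", cert_name_matches(tricky, "www.bank.example"))     # False (correct)
```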

As always, make sure to apply these patches as soon as possible and especially this month if you are using Windows Vista or later with SMB enabled!

Friendly fire

Fabio, October 13, 2009 | 22:02 GMT

During routine malware analysis we sometimes find new techniques which are being used by Brazilian cybercriminals to remove security protection. Now Brazilian banking Trojans are using Gmer, a well known standalone anti-rootkit tool, to remove GBPlugin, a very popular security mechanism used by the four largest Brazilian banks. There are around 15 million Brazilian computers running GBPlugin, which is designed to prevent the theft of personal banking data.

It’s common behavior for malware developers to use legitimate software to remove antivirus and other security solutions. We saw it with Sysinternals' PSEXEC. In Brazil this is the second time we know of that local malware has used a legitimate tool; the first was when Avenger, another anti-rootkit tool, was used to remove the same GBPlugin files.

The malware which we've just looked at downloads an old version of Gmer (1.014) from a legitimate, but compromised, Chinese server. It saves it as %System%\logsvc.exe and, once it's installed, the malware registers a special service to remove GBPlugin using rootkit technology.

A bat file is created on the system, and inside the file you can see the commands designed to kill all running files of GBPlugin, using the -killfile parameter.



Another driver with commands to delete the GBPlugin files is installed to ensure that all the files will be removed:



This Trojan is already detected by our products as Trojan-Downloader.Win32.Homa.yw, and the driver is detected as Rootkit.Win32.Agent.neg.

How to fight corruption

Maria, October 13, 2009 | 17:17 GMT

Imagine you live in the former Soviet Union. Now imagine that you get a message saying 'How to overcome GAI corruption' [GAI – State Automobile Inspectorate, or, to put it more crudely, the traffic cops].



You're a driver, so you've likely been stopped by a cop or two in your time, and maybe made to cough up some money on a flimsy pretext. Yes, corruption's something you'd like to see stopped.

So you read on, and find out that you can send your suggestions to the head of the GAI by sending an SMS to a short number. The message even tells you that this service is supported by the Ukrainian Automobile State Inspectorate.

Is this scam starting to sound familiar? It's not just cops who are corrupt...

Copyright © 1996 - 2009
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved