Recently in Spyware Research Category




Asobi Seksu are one of my favourite bands of recent years, and while trying to work out where to buy an acoustic album they released not so long ago, I happened to come across a website called

music-megaupload.com

They're clearly riding on the back of the name of the legit file download site Megaupload. More importantly, they claim to be offering up a full version of one of their albums:

asobi1.jpg

As you've probably guessed, that is NOT anything remotely resembling an album - rather, it's an executable file pretending to be an album.

Oh, the blasphemy.

Anyway, once the file is on the PC, you can't help but notice...well....take a look for yourself:

asobi2.jpg

Does that icon look like an Oscar? Why yes, it does...a little strange, don't you think?

Run the file, and you'll see an installer prompt for one of those not-so-wonderful fake media codecs:

asobi3.jpg

Continue with the installation process, and you'll find your browsers aren't working. That's because this is a variant of the DNS Changer trojans that enjoy breaking your internet, usually while downloading fake desktop backgrounds warning of dire infections that only rogue removal tools can fix. Here are your tampered-with DNS settings:

asobi4.jpg

Lovely.

The executable is served up from

implugins.net

which has been around since March 2009, with an email address associated with numerous malicious domains. Coverage for this file is rather poor at present; here are the VirusTotal results:

asobi6.jpg

As you can see, only 5 out of 40 scanners pick it up at the moment.

In conclusion, then, we have

1) A fake weblog trading off the Megaupload domain name
2) Endless fake MP3s and albums served up from a second domain, which are actually DNS changer trojans disguised as media codecs. This in itself is an interesting tactic, as fake media codecs are usually served up in exchange for what the user thinks are movies, not music.

If you really want to grab some Asobi Seksu music for free, I'd suggest doing it the legit way - visit their official media page.

You definitely don't want the Oscar remix edition...

Chinese malware attacks WoW community


I realize this might not be new to the WoW community, but there are obvious threats out there that need some attention. Recently the team here at Facetime Security Labs has seen one threat in particular that we feel is especially evil. The story begins like most of these stories begin: with someone downloading something without scanning it for viruses first.

There are about 10 million players on World of Warcraft, most of them in China. The amount of malware coming out of China in the last several years has been staggering. It's no surprise, really, that World of Warcraft players would become a target.

The first thing this trojan does is watch for the user to log in to their WoW account, then store the login information to be sent to the attacker.


login.png

The attacker also creates numerous entries under the Image File Execution Options registry key to prevent the victim from removing the application. This way, the user is forced into removing the application manually, or biting the bullet and reformatting.

The list below shows all the programs that are rendered useless by this trojan:

regtool.exe
KPPMain.exe
egui.exe
kpfw32.exe
kwatch.exe
kpfwsvc.exe
kavstart.exe
kaccore.exe
kissvc.exe
kmailmon.exe
esafe.exe
ravtool.exe
ravtask.exe
ravstub.exe
UpLive.exe
UmxPol.exe
UmxFwHlp.exe
UmxCfg.exe
UmxAttachment.exe
UmxAgent.exe
UIHost.exe
TrojDie.kxp
Trojanwall.exe
TrojanDetector.exe
SysSafe.exe
symlcsvc.exe
SREng.EXE
SmartUp.exe
shcfg32.exe
scan32.exe
safelive.exe
Rsaupd.exe
RegClean.exe
QHSET.exe
PFWLiveUpdate.exe
KAV32.exe
mmqczj.exe
mcconsol.exe
MagicSet.exe
KWatchX.exe
KWatch9x.exe
kvupload.exe
KVStub.kxp
KVSrvXP.exe
KVScan.kxp
KvReport.kxp
kvolself.exe
kvol.exe
KVMonXP_1.kxp
KvfwMcl.exe
KvDetect.exe
KVCenter.kxp
KsLoader.exe
KRepair.com
KRegEx.exe
KMFilter.exe
KMailMon.exe
KISLnchr.exe
KAVStart.exe
KAVSetup.exe
KAVPFW.exe
KAVDX.exe
KASTask.exe
KASMain.exe
KaScrScn.SCR
kabaload.exe
isPwdSvc.exe
HijackThis.exe
FTCleanerShell.exe
FileDsty.exe
ccSvcHst.exe
CCenter.exe
AvMonitor.exe
avgrssvc.exe
autoruns.exe
AppSvc32.exe
AgentSvr.exe
IceSword.exe
adam.exe
WoptiClean.exe
nod32krn.exe
mmsk.exe
Ras.exe
vsstat.exe
NPFMntor.exe
webscanx.exe
avconsol.exe
Navapsvc.exe
KPFW32.exe
KAVPF.exe
procexp.exe
safebank.exe
rfwproxy.exe
FYFireWall.exe
avp.com
rfwsrv.exe
rfwmain.exe
rfwstub.exe
idag.exe
WinDbg.exe
OllyICE.EXE
OllyDBG.EXE
360safe.exe
qqkav.exe
qqdoctor.exe
safeboxtray.exe
360rpt.exe
360safebox.exe
360tray.exe
qqsc.exe
ati2evxx.exe
Iparmor.exe
PFW.exe
navapsvc.exe
Navapw32.exe
KVwsc.exe
KVsrvXP.exe
KVFW.EXE
rav.exe
ravtimer.exe
RAVmon.exe
RAVmonD.exe
rising.exe
KAVsvcUI.exe
kavsvc.exe
avp.exe
runiep.exe


X-Cleaner.exe isn't on there?! I'm insulted. As you can see, this threat blocks several mainstream anti-virus, anti-malware, rootkit detection and process explorer tools.

After the trojan blocks access to your security applications, it sits and listens for any kind of Warcraft traffic that it might be able to steal from. The attacker can then repeatedly contact the infected PC and take information as needed.

wireshark.png

We currently detect this threat as PWS.Game.rnq.  Mind your clicks.


There seem to be quite a few of these in circulation over the past day or so:

Download the latest version! <URL Removed>

About this mailing:
You are receiving this e-mail because you subscribed to
MSN Featured Offers. Microsoft respects your privacy.
If you do not wish to receive this MSN Featured Offers e-mail,
please click the "Unsubscribe" link below. This will not
unsubscribe you from e-mail communications from third-party
advertisers that may appear in MSN Feature Offers.
This shall not constitute an offer by MSN. MSN shall
not be responsible or liable for the advertisers' content
nor any of the goods or service advertised. Prices and item
availability subject to change without notice.

2008 Microsoft | Unsubscribe <http://www.msn.com>  |
More Newsletters <http://www.msn.com>  |
Privacy <http://www.msn.com>

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


As you might have guessed, it's fake. Microsoft doesn't send out emails asking you to download files from random, non-Microsoft websites. This:

ie71.jpg

...is not what it appears to be. Run the file, and instead of IE7 you're actually more likely to see a fake antivirus program appear on your desktop:

top106.jpg

By the time you see this, it's probably too late. This threat is also known to show the user fake infection alerts to provoke the victim into buying the product. It also uses the Sysinternals fake Blue Screen of Death screen saver to scare the victim. As you can see below, several options have been removed from the desktop properties window to hinder users from restoring the default settings.

background.png

This particular product is detected by us as Fake.AV and is also being pushed quite heavily via the recent CNN videos scam. You can see another example of these emails here. There is more than one URL being used for this attack, so be alert!

Additional Research: Chris Mannon, Senior Threat Researcher

Sysda Act


Oh hi there. Apologies for the Whoopee movie reference, but it's hard to come up with something catchy. This latest threat coming through Facetime Security Labs steals passwords for Chinese sites. This is not really a threat to most businesses in the US, but judging from the malware trend coming out of China and spreading to the rest of the world, I'd say it's only a matter of time before we start seeing the same method of theft here.

This new threat has been named Sysda. Sysda lies dormant until a certain site is navigated to, typically the page where a user attempts to change their password for that site. After that it simply posts the information back to the attacker. Users should be on the lookout for a file called "sysdajchv.dll". All it really needs is to hook into iexplore.exe to steal your user credentials.

crack.PNG
The above illustrates that Sysda is attempting to steal login credentials for Sohu.com. Whether this is simply a new way to phish for information, or something more sinister along the lines of fraud, is still unclear at this point. I'll let you know what I find out.

SoundBot Exploits Network Vulnerabilities


Hey there. It is time for another thrilling adventure into the world of security threats. This time I'll be going over a worm we like to call SoundBot. This worm has the potential to leak sensitive information about the victim's network infrastructure to the attacker. It manages to do this not only by blocking many of the security applications designed to detect it, but also by hiding behind legitimate process names that make removal difficult.

The main culprit in this infection is a file called Soundman.exe. If you see this file on your computer, don't panic just yet: it's also the name of a legitimate process. Here are some things you should watch for:

One of the first things SoundBot does is disable any program that would detect or remove it. It uses two separate methods to do this. When installed, it disables several legitimate services related to security applications, such as:
kmailmon.exe
kavstart.exe
shstat.exe
runiep.exe
360safe.exe
360tray.exe
cacls.exe
ccenter.exe
rav.exe
iris.exe
vpcmap.exe
vmsrvc.exe
vmusrvc.exe

It also sets up Image File Execution Options entries so that even if those processes are restarted, they are ineffective.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
...360safe.exe
...360safebox.exe
...360tray.exe
...CCenter.exe
...KPPMain.exe
...KWatch.exe
...QQDoctor.exe
...QQKav.exe
...RavMon.exe
...RavMonD.exe
...safeboxTray.exe

And finally:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe    Debugger    "SoundMan.exe"

This shows that SoundMan.exe is run instead of ctfmon.exe whenever ctfmon.exe is launched. It is an effective way of making sure the worm file runs, and it removes the need for an autostart value (autostart entries are a common starting point when trying to pinpoint the actual infection in a forum support environment).
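The IFEO trick above (and the one the WoW trojan uses to block security tools) leaves a very detectable footprint: a `Debugger` value under an `Image File Execution Options\<program>` key. The script below, an added example rather than code from the original post, scans a `.reg` export of that key for such hijacks; the sample export is constructed to mirror the keys listed above, and the `Debugger` values on the security-tool keys, the allow-list of benign debuggers, and the `notepad.exe`/`explorer.exe` entries are assumptions (only `ctfmon.exe -> SoundMan.exe` comes from the post).

```python
"""Hunt for Image File Execution Options (IFEO) 'Debugger' hijacks in a
registry export.  Added example, not code from the original post.  The
.reg text below is constructed to mirror the keys the post lists; the
Debugger values on the security-tool keys are an assumption (the post
does not show them); only the ctfmon.exe -> SoundMan.exe value is from it."""
import re
from typing import Dict

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Assumption: these are the only Debugger targets we treat as benign.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe"}

# Constructed sample of: reg export "HKLM\...\Image File Execution Options"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
"Debugger"="C:\\WINDOWS\\nothing_here.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
"Debugger"="C:\\WINDOWS\\nothing_here.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="SoundMan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"GlobalFlag"=dword:00000000
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines of a .reg export.
    REG_SZ values are unescaped; other value types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = raw
    return keys


def debugger_basename(value: str) -> str:
    """Executable name from a Debugger command line (may be quoted and may
    carry arguments), lower-cased for comparison."""
    value = value.strip()
    path = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()


def find_ifeo_hijacks(reg_text: str) -> Dict[str, str]:
    """Return {hijacked_program: debugger_value} for every IFEO subkey whose
    Debugger is not a known debugger.  A Debugger pointing at a missing file
    silently kills the program (how the security tools get blocked); one
    pointing at malware runs it in the program's place (ctfmon -> SoundMan)."""
    hijacks: Dict[str, str] = {}
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = key[len(IFEO_PREFIX) + 1:]   # subkey name is the hijacked program
        dbg = values.get("Debugger")
        if dbg and debugger_basename(dbg) not in KNOWN_DEBUGGERS:
            hijacks[target] = dbg
    return hijacks


if __name__ == "__main__":
    for program, dbg in find_ifeo_hijacks(SAMPLE_REG).items():
        print(f"{program:<16} -> {dbg}")
```

On a live system, feed it the output of `reg export` for the IFEO key instead of `SAMPLE_REG`; any hit that is not a debugger you installed yourself deserves a look.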


soundman.PNG

This is a closer look at the actual worm file. Upon closer inspection of Soundman.exe, we see that it is iterating through a common network structure looking for open ports. This gives the attacker certain advantages when, or if, he ever decides to infiltrate the victim's network.

endpoint.PNG

The picture above depicts exactly what is going on while Soundman.exe is running. It makes ARP requests and epmap requests throughout the entire network looking for potential holes.

A malware infection just wouldn't be a malware infection unless it phoned home to install numerous other infections. SoundBot is no different. It contacts a site to download a .jpg file that is no mere picture: it is actually a collection of download links to more bad files.

jpg2.PNG
The final piece of this worm is another file that poses as a legitimate process. It creates a service called "helpsvc" tied to another file that initializes soundman.exe.

helpsvc.PNG
Network administrators should look for any unnecessary or suspicious traffic on their network, as explained above. If you suspect your organization is under attack from this threat, then I suggest using our handy MicroScanner!








Bang the Gong


Gong is a Trojan that can alter Windows Explorer and other Windows programs so that it runs happily without the user ever knowing of its existence. After it's installed by a large Trojan bundler like Dloader.Small.ele or ConCommand, it quickly phones home and fetches an infected file named "svchost.exe" whose true purpose is sinister, but not entirely unexpected. This installs a file called "ctfmon.exe", which is launched via an autorun.inf.
http://blog.spywareguide.com/upload/2007/10/autorun-thumb.PNG
This .inf alters Windows so that the infected file runs whenever the user tries to Open or Explore a drive.

http://blog.spywareguide.com/upload/2007/10/ustrightclick-thumb.PNG
Clicking either of these will run ctfmon.exe.

When ctfmon.exe is run, it creates several hidden windows with a single-minded purpose...clicks. Clicks mean revenue, and revenue means there are bound to be bad actors.

While those hidden windows are running they are frantically clicking as many hyperlinks as fast as they can in order to drive, or appear to drive, visitors to their site.


How can you detect these hidden windows? Good question, and it may depend on your system. In our X-Cleaner product there is a handy feature that allows you to see any and all windows open at the time. No magic, just technical vision!

http://blog.spywareguide.com/upload/2007/10/xclean-thumb.PNG
From here you can see what is causing the attack and even kill the process.

More and more rogues and cyber bandits are using these kinds of below-the-belt tactics to inflate the numbers on their websites in order to pump up revenue. You may not know who they are, but you can know what they are using. Click and inspect so you are aware of what programs are soaking up your processing power, and return your system to its rightful owner, you, with a click and a kill.

Ingreslock Exploit: Alive and Well


There has been a large, steady stream of new Trojans coming out of China lately. Now it's starting to look more drastic than that. It all begins with Downloader-Arun. Like most other downloaders, its purpose is to download as many Trojans as possible. This is just how bad it can get:

arun.png
Breakdown of what Downloader-Arun installs on the victim PC.

While Downloader-Arun is installing, it contacts another Chinese site to download sercer.exe onto the victim's PC. Sercer.exe is immediately run and moved to C:\Program Files\Internet Explorer as SPLOAE.exe.

http://blog.spywareguide.com/upload/2007/08/directory-thumb.png
Sercer.exe has the same file size and MD5 hash as C:\Program Files\Internet Explorer\SPLOAE.exe.

Once SPLOAE.exe is running, it gets information that is stored in SPLOAE.dat.

http://blog.spywareguide.com/upload/2007/08/packetcapture-thumb.PNG
This is the same information that is stored in SPLOAE.dat.

Since the infection is in the Internet Explorer directory, it's probably a good idea to check what kinds of connections are taking place. Looking closer at the connection, you'll see that someone is attempting to exploit your computer! You may recognize this type of attack if you were a Playboy customer in '98.

http://blog.spywareguide.com/upload/2007/08/ingreslock1524-thumb.PNG
A connection has been made at port 1524. Foul play is sure to follow.

Now would be a good time to check and see what kinds of connections are currently active on the infected PC.

http://blog.spywareguide.com/upload/2007/08/netstat-thumb.png
You can tell if there is a connection to your computer by using the netstat -a -n command.

There is a connection established to the same IP address that was seen during the installation. Taking a closer look at the domain brings you to *dramatic pause* his blog!
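The two tells above, a listener or session on TCP 1524 and an established connection back to the same address seen during installation, are easy to automate. The script below is an added example (not code from the original post) that parses `netstat -a -n` output and flags both; the netstat text, the hosts in it and the "known bad peer" address are all constructed.

```python
"""Flag suspicious rows in 'netstat -a -n' output: anything on TCP 1524
(ingreslock, the port the post shows SPLOAE.exe using) and anything talking
to an address already seen during the infection.  Added example, not code
from the original post; the netstat text and every address are constructed."""
from typing import Dict, List, Optional, Set, Tuple

INGRESLOCK = 1524

# Constructed sample of Windows 'netstat -a -n' output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1524           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1524      203.0.113.45:3391      ESTABLISHED
  TCP    192.168.1.10:1044      203.0.113.45:80        ESTABLISHED
  TCP    192.168.1.10:1051      198.51.100.7:80        TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.10:1524' -> ('192.168.1.10', 1524); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Parse the TCP/UDP rows of 'netstat -a -n'; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_addr(parts[1])
        fhost, fport = split_addr(parts[2])
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def flag_connections(text: str, watch_ports: Set[int] = frozenset({INGRESLOCK}),
                     watch_ips: Set[str] = frozenset()) -> List[Dict]:
    """Return every row that listens on or talks to a watched port, or whose
    peer is a watched IP (the post's tell: the established connection goes
    to the same IP seen during installation), with the reasons attached."""
    findings = []
    for row in parse_netstat(text):
        reasons = []
        if row["lport"] in watch_ports:
            reasons.append(f"local port {row['lport']}")
        if row["fport"] in watch_ports:
            reasons.append(f"remote port {row['fport']}")
        if row["fhost"] in watch_ips:
            reasons.append(f"known bad peer {row['fhost']}")
        if reasons:
            findings.append(dict(row, reasons=reasons))
    return findings


if __name__ == "__main__":
    # The peer IP here stands in for the address seen while sercer.exe was fetched.
    for f in flag_connections(SAMPLE_NETSTAT, watch_ips={"203.0.113.45"}):
        print(f"{f['proto']} {f['lhost']}:{f['lport']} -> {f['fhost']}:{f['fport']} "
              f"{f['state']}: {', '.join(f['reasons'])}")
```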

http://blog.spywareguide.com/upload/2007/08/hack-thumb.png
The established connection redirects to a blog of questionable safety.

Fortunately for the victim, there is a very easy way to tell if you are being exploited by this threat. If you are infected by this particular threat, there will be an autostarter value called "MrXiaokan".

http://blog.spywareguide.com/upload/2007/08/autostarter-thumb.png
This threat auto starts using the value "Mrxiaokan"

This was just 1 of the files that was installed from the original Trojan Downloader-Arun. Other threats are out there just waiting to be clicked. My advice to you is this: Mind your clicks.

Our CEO, Kailash Ambwani, talks about the greynets concept and how the majority of internet traffic has evolved from HTTP to communicative application traffic. Ambwani discusses how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enabling and controlling these innovations inside the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one. I would note to pay particular attention to how anonymizers, like Rodi and/or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare, for large enterprises and IT administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools that allow the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.



Noted blogger John Battelle reports in his blog based on a couple of pieces...about who Google (NASDAQ:GOOG) is working with these days.

One example from HomeLandStupidity.us he references:

IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.

The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.

John goes on to note:

This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.

The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex CIA agent Robert Steele, who may or may not be a trustworthy source.

I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....

This is ironic for two reasons:

1) Chris Boyd (Microsoft Security MVP), head of our Malware Research Labs (currently on hiatus preparing for our talk at the RSA show and something he want talk about called The Fourth Wall), and yours truly, Wayne Porter, also Microsoft Security MVP, Director of Special Research, currently working on e-commerce analysis, were recently, along with the FaceTime Communications team and our Security Labs team, noted publicly on Google's security thank-you page:

Google Thanks You

People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

* Alex Shipp, Messagelabs
* Bryan Jeffries
* Castlecops
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand

I add as an odd aside that after commenting on an article at ThoughtShapers on Google's move into podcasting/AdSense and how they are tearing up top-down media, all kinds of people pinged me on whether I was one of the "trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear in my personal blog, notably here (The Google Rumor Mill Redux: Getting Details Straight) and in an aside here, Leaked Papers and Google Adsense.

Going back to John's observations, though, I have no idea whether, or in what capacity, Google is working with Homeland Security; I am just a cog. With Google's processing and information-gathering power, I would be hard pressed to say it wouldn't make sense for DHS and/or the CIA to want to do so.

Remember that GUID I talked about at Revenews? (Note: GUID is a Globally Unique Identifier. A GUID is often a pseudo-random number used in software applications. Each generated GUID is "statistically guaranteed" to be unique.)

For example, a GUID, or simply the longer someone uses a service (even anonymously and in aggregate), makes it easier to determine who they are. Granted, Google may not have any nefarious purposes for this, but what happens when other agencies do? You might be "anonymous" to Google, but when another agency plays connect the dots after obtaining access to your machine and subpoenas activity around a GUID, you aren't so anonymous anymore. In reality, you become an online novel; I can perhaps establish your character by your queries. Of course, this risk exists with any tracking mechanism, but a service as ubiquitous as Google, especially one that looks at queries, is all the more potent.

2) I do know that Homeland Security does pay attention to cyberthreats, as they should. I was surprised to find some of our research in their daily briefing reports, specifically around some notable worms. These reports, a.k.a. the DHS Daily Open Source Infrastructure Report (Daily Report), are a daily (Monday through Friday) summary of open-source published information concerning significant critical infrastructure issues. They divide it up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

An example: this one covered the KMeth worm, which I find interesting.

  • Kmeth Worm noted by DHS [PDF Document]
  • Most of these Daily Briefings- which are free and unclassified appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...

Tin Foil Hats? I don't know. Safety, privacy and security are all different but related, and they require a delicate balance. Then you have to think back to the NSA wiretapping scandal. Did people really notice? Did they really care?

Take a look at Google Trends (given the question, is this a good place to validate it?). Google Trends is a fairly good indicator of search activity, an indirect reflection of what is going on online.

Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping

Click to See Chart

Interesting...there is some movement there.

Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping

Click to See Chart

Nada, zilch. Not even if you analyze U.S. queries only, despite major press coverage. Try your own strings and see what turns up.

Of course, per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."

The Center for Democracy and Technology has released its latest report on advertising intermediaries, which include ad networks, affiliate networks, and CPA networks. The document might be confusing if you are not practiced in the world of online advertising, but the CDT does a pretty good job of making a complex economy simple.

The takeaway is that advertisers and advertising intermediaries need to practice more due diligence in their business practices.

Find below the download links for the Following the Money Trail series, Part I and the latest Part II. If you want to understand how malware and money are the new fuel for Internet mayhem, this is a good place to start.

To give you an idea how complex some of the relationships become while we track the money trail on cases, take a look at this sample screenshot from the report. Rest assured we have seen cases far more tangled than this cloud.

adware-advertising-small.gif

"Companies need to take responsibility when their advertising dollars go to support companies that prey on unsuspecting consumers," said CDT Policy Analyst Alissa Cooper, who co-authored the report. "Whether placed directly or through intermediaries, these ads diminish the Internet experience for millions of people. Advertisers that work with these distributors are running out of excuses, and must either start policing their advertising spending, or answering to their customers who have been harmed by adware."

Indeed! We could not agree more.

Take the time to get educated with these great reports from the CDT and pass them along to your friends. Have an advertising question? Drop us a comment and I will be happy to answer it for you or find someone who can.

Part 1 of the CDT Report [PDF]

Part 2 of the CDT Report [PDF]

Report Write-Up: Wayne Porter, Sr. Dir. Greynets Research
