
Incidents|Is there really a Storm out there?

Georg 'oxff' Wicherski
Kaspersky Lab Expert
Posted April 30, 15:07  GMT

A new reincarnation of the infamous Storm Worm (or Zhelatin, as Kaspersky Lab calls it) has been making the rounds in the news lately. Felix Leder, Mark Schlößer and Tillmann Werner have already posted an extensive analysis, in which they conclude that the new samples share about 66% of their code with the original Storm worm. They were kind enough to share their detailed analysis results (their .idb, for the technical folks among you) with me so I could look into this quickly and confirm their results.

The analysis shows what seem to be only the spam and DDoS engines extracted from the original Zhelatin, wrapped in an HTTP C&C mechanism. The samples call back to one central command and control server (the IP address is hardcoded at the end of the file) located in the Netherlands.

ShadowServer has already contacted the hoster for takedown, so this should be an easy threat to contain. So far we have seen only 139 detections of Trojan.Win32.Fraudload.apnh (the detection we had in place before this specific new threat appeared) through our KLoud Security Network, and we therefore consider it a relatively moderate threat.


Number of detections of current Zhelatin


Geographical distribution of Zhelatin detections


Opinions|Will the real Zeus botnet please stand up?

Roel
Kaspersky Lab Expert
Posted April 30, 10:23  GMT

Among others, the Zeus bot is one of the most prolific bots both in the wild and in the media. Lately there have been quite a few reports on various aspects of Zeus, such as new research and the Troyak takedown.

Naturally, this is great news: awareness is still lacking, and the heavy reporting around Zeus is making more people aware of the sophistication of the cyber criminal underground. Unfortunately, many of the reports share a recurring inaccuracy. They talk about “the Zeus botnet”, which does not reflect reality.

The reality is that there are many, many different Zeus botnets, all maintained by different cyber criminals. The number of unique Zeus botnets is likely to be in the hundreds. The cyber criminals behind the Zeus bot will sell it to anyone, who can then start their own unique botnet. Going even further, there are some side-branches of Zeus maintained by other cyber criminals.

Given this situation it’s not unlikely that in a large enterprise machines may be infected with Zeus bot variants which are controlled by different cyber criminals and therefore belong to different Zeus botnets.

In order to create greater distinction we’ve seen a security company give a particular Zeus botnet another name when talking about it in the media. From my own perspective this novel idea didn’t quite work as it seemed to cause more confusion rather than less.

Sadly, I’m not convinced that a botnet naming convention for variants of a particular bot will help the public have a better understanding in the short term. So where does that leave us? Well, I think there is an easy guideline.

If the security community is reasonably sure that a certain bot is controlled by one cyber criminal group, we can refer to the threat as a botnet. Examples of this rule are Conficker, Storm and Mebroot. If the bot is available in the underground, we should refer to the threat as a bot, or as botnets created with that bot. Examples of this rule are Zeus, SpyEye and Poison Ivy.


Incidents|Checking your credit card

Roel
Kaspersky Lab Expert
Posted April 23, 18:23  GMT
Tags: Internet Banking, Credit Cards

This week I received a letter from American Express which stated that my credit card had been temporarily blocked because of potential fraudulent activity. It also said that I needed to call a number to confirm the recent transactions and get the card unlocked.

That seems like a very reasonable thing to do. However the number they asked me to call was not listed on the American Express web site. Though the letter seemed legit I did the only right thing – call their regular number and work things out from there. While digital phishing is the current hot thing to do there are still criminals forging good old snail mail letters to trick users.

It turned out that the number listed was a direct number to their fraud department which isn’t listed on the site. I’ve requested American Express to change their practices.


Spam Test|A newfangled pyramid scheme?

Maria
Kaspersky Lab Expert
Posted April 23, 13:19  GMT
Tags: Spam Letters

Yesterday we received a very enticing email offering users the chance to earn loads of money for just one hour of work per day. Put another way, it was an offer to join a financial pyramid.

The funny thing is that the spammer has obviously not tried to limit the amount of information offered to the user – the message was 7 MB. Normally, spammers try to make their emails as small as possible (usually no more than 5 KB) because it means they can send more of them.

So why are these attachments such ‘heavyweights’? As you may have noticed from the screenshot above, one file is an mp3 and the other has a .doc extension.

The text document contains 18(!) pages that explain in detail the principles behind the financial pyramid. The document stresses that though this “super program” may resemble network marketing, it is actually something completely different. However, one part has been lifted directly out of a well-known book on network marketing. It states: “THE THING IS, THERE IS A SECRET FORMULA BUILT INTO THE PROGRAM WHICH ENSURES 100% SUCCESS FOR ALL PARTICIPANTS IN THE BUSINESS WHICH IS DOWN TO FACTORS THAT ARE SO SUBTLE THAT THE HUMAN BRAIN IS INCAPABLE OF COMPREHENDING THEM. WHAT IS THIS FORMULA? IT’S A SECRET OF THE LEGENDARY CREATOR OF RMI, MIYAMOTO ICHIKAWA.”

The text includes feedback from people who have already taken up the offer, and of course they are delighted with the results. Users are promised earnings of between $100,000 and $1 million within six months.

Like any other pyramid scheme, in order to earn money you need to introduce new people to it. No doubt you can guess the recommended method of finding new ‘clients’? That’s right, spam. 20,000 addresses to start with, with 1000 addresses included when you buy into the program. One can only sympathize with those whose address ends up in the “starter package”.

The potential rewards also explain why an unusually large spam message is used – what’s the point of economizing on traffic if the future’s rosy and promises earnings of $100,000?

The love of things big extends to the audio file as well. It lasts for 43 minutes (!) and is a recording of a seminar for those who have bought into the pyramid.

18 pages and 43 minutes of listening – that’s over an hour’s worth of convincing the user that they shouldn’t miss out on this dubious scheme which is based on nothing more than sending spam. Of course, you could make much better use of your time. The choice is yours!


For over a week users of Gmail have been exchanging stories about incidents of email accounts being compromised and the uncontrolled distribution of spam, trying to guess what’s behind this strange epidemic.

The spam mailings are being sent from hacked accounts to addresses that the account owners have communicated with – these are primarily addresses from the contact list. There is no message subject and the body contains nothing more than a link to an online drug store in the .co.cc domain. This is a redirect to the recently registered website mrapgyan.net which, incidentally, doesn’t work. A copy of the message is saved to the “Sent Mail” folder just like any other sent message, and sometimes it can be found in the “Trash” folder. Some of the messages don’t make it to their recipients and remain flagged as undelivered.

It turns out that every time the spammers connected to someone’s account they did so via a mobile interface and most probably using bots. The IP addresses used to gain unauthorized access were in locations dotted around the world – the USA, Western Europe, the Middle East, Asia, Africa…

It’s worth pointing out that the cybercriminals only used their victims’ contacts to send out spam – they didn’t modify passwords to email accounts and didn’t delete any messages or contact lists.

It remains to be seen what connects all the victims. Active accounts were targeted as well as those that had lain dormant for some time. Password strength and the presence or type of antivirus solution also appear to play no role. No malware was found on the majority of affected computers. The operating systems also varied: XP, Windows 7, Windows Vista, Mac OS and various versions of Linux, in combination with browsers such as IE, Firefox, Opera and Chrome.

The number of compromised accounts has not been determined. Google is keeping quiet for the moment – they are supposedly investigating. In the meantime, all Gmail users are advised to check their recent account activity, change their passwords, untick the “Stay signed in” box on all their computers and sign out when a session ends.
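The indicators in this post (mobile-interface logins, source IPs scattered across many countries, accounts that otherwise look untouched) can be turned into a simple review of the "recent account activity" list. The following Python script is an added example and not code from the original post: it works on a constructed, simplified activity table (date, time, access type, IP, country) that is not Google's real format, takes the most frequent country as "home", flags mobile-interface sessions from elsewhere, and raises a separate alert when several distinct countries appear inside a 24-hour window. The IPs are documentation ranges and the thresholds are my own choices.

```python
"""Heuristic review of an account's recent-activity list (added example).

The input is a constructed, simplified table with one session per line:
    <date> <time> <access type> <ip> <country>
It is not Google's own format; the IPs are documentation ranges.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: routine browser logins from one country, then a burst
# of mobile-interface logins from several others within a few minutes.
SAMPLE_ACTIVITY = """\
2010-04-20 08:02 browser 192.0.2.10 RU
2010-04-20 12:45 browser 192.0.2.10 RU
2010-04-21 03:11 mobile 198.51.100.7 US
2010-04-21 03:14 mobile 203.0.113.9 NL
2010-04-21 03:20 mobile 198.51.100.80 ZA
2010-04-22 09:00 browser 192.0.2.10 RU
"""


def parse_activity(text):
    """Turn the table into a time-ordered list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, access, ip, country = line.split()
        sessions.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "access": access,
            "ip": ip,
            "country": country,
        })
    return sorted(sessions, key=lambda s: s["when"])


def home_country(sessions):
    """The country seen most often is assumed to be where the owner lives."""
    return Counter(s["country"] for s in sessions).most_common(1)[0][0]


def review_activity(text, window=timedelta(hours=24), min_countries=3):
    """Return the home country, the IPs of suspicious mobile sessions and
    whether the log shows a burst of logins from many countries."""
    sessions = parse_activity(text)
    home = home_country(sessions)
    # Indicator 1: the spammers used the mobile interface from IPs all over
    # the world, so flag mobile sessions that are not from the home country.
    suspicious = [s["ip"] for s in sessions
                  if s["access"] == "mobile" and s["country"] != home]
    # Indicator 2: several distinct countries inside one sliding window is
    # not something a single human user normally produces.
    burst = False
    for i, start in enumerate(sessions):
        countries = {s["country"] for s in sessions[i:]
                     if s["when"] - start["when"] <= window}
        if len(countries) >= min_countries:
            burst = True
            break
    return {"home": home, "suspicious_ips": suspicious, "country_burst": burst}


if __name__ == "__main__":
    print(review_activity(SAMPLE_ACTIVITY))
```

Against the constructed sample the script reports RU as home, lists the three mobile sessions from the US, the Netherlands and South Africa, and sets the burst flag; the same two checks on a log with nothing but browser logins from one country come back empty and false.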

PS from Sergey Golovanov:

The domain mrapgyan.net, to which the link in the spam message redirects, was registered with the following name servers:

DNS1: ns1.u7d.ru
DNS2: ns2.pharmacyhealthmedsnow.eu
(http://www.robtex.com/dns/mrapgyan.net.html#whois)

What does that mean?
Well, virus analysts know that three-character domains of the form [letter][number][letter] are linked to the spread of Bredolab, and pharmacyhealthmedsnow.eu obviously points to spam advertising medications.


On Wednesday 14th, TYPE O NEGATIVE frontman Peter Steele was rumored to have died of heart failure.

Fuse TV's Mistress Juliya tweeted that she had spoken to a band member, adding credibility to the rumor.

Google Trends shows that the first two "hot searches" are related to the rumor.

As you can see below there are a lot of active searches right now:

Black SEO is already being used and some of the results lead to web pages that look like this:

Depending on the links you follow, you may also end up here:

Both lead to the installation of the rogue CleanUp AntiVirus program (see the screenshot below):

Cybercriminals are using any sort of news, including rumors, to distribute their fake AV programs, and Black SEO is still being used extensively to spread them.

Unfortunately, later on the rumors of Steele’s death were confirmed. This will no doubt further increase the number of searches involving his name.


Spam Test|Continuing the Nigerian theme

Maria
Kaspersky Lab Expert
Posted April 15, 13:06  GMT
Tags: Nigerian Scam

For the second day in a row the topic of Nigerian spammers has cropped up. And once again they have been sending their heart-rending messages to none other than KL employees.

This time one of my colleagues received a message on the Russian-language social network Vkontakte which was a perfect example of the usual Nigerian scam letter:

It claims to be a message from the representative of a millionaire who died in an air crash with his family two years ago. Sounds familiar, right? 50 per cent of Nigerian letters start like this or in a similar vein. The “representative” goes on to talk about $13.5 million and how he has searched unsuccessfully for two years for any surviving relatives of the deceased. The letter claims that the lucky recipient has the same surname as the victim and therefore should inherit the $13.5 million, after the transaction costs have been covered. The “personal postal address” of the representative is attached of course.

So far, this is all pretty familiar. But apart from the fact it was sent to a KL employee there is another interesting aspect: it wasn’t received via e-mail as is usually the case for Nigerian letters, but on a Russian social networking site!

Virtually no information can be gleaned from the sender’s profile, except a name, city, school number and year of graduation – amazingly, the “legal representative of the dead millionaire” only finished school this year.

The fact that this type of international spam found its way onto Vkontakte is, among other things, a sign of the gradual globalization of the resource. But the main conclusion to be drawn here is that Nigerian spammers have started to explore the vast world of Web 2.0.


Events|BlackHat Europe 2010 Conference

Costin Raiu
Kaspersky Lab Expert
Posted April 14, 17:07  GMT
Tags: Conferences, Website Hacks

Hello from Barcelona, where my colleague Sergey Novikov and I are attending the BlackHat Conference Briefings, 2010.

This year marks an important milestone, as the conference was relocated from Amsterdam to Barcelona in order to accommodate the increasing number of delegates. Another change is the number of tracks, with three this time round compared to two last year.

The conference started with a keynote presentation from Max Kelly, CSO of Facebook:

Security the Facebook way

Max provided a very interesting insight into how Facebook handles attacks. He pointed out that while vulnerabilities are important, they are at the lower end of the priorities scale; the top priority is going after the attackers themselves. Long term, this could work better than the usual game of hack and patch, but of course it requires a certain amount of resources to be invested in lawsuits and the tracking down of cybercriminals.

Another very interesting presentation came from Stephan Chenette, from Websense. Stephan presented FireShark, a new free project that can be found on the internet as of today at:

http://www.fireshark.org

FireShark is a browser plugin which can be used to automate the process of browsing malicious websites and extracting malicious links from them in order to build visual graphs of criminal connections and to identify injection patterns. If you are interested in web injections, or researching threats such as Gumblar and Pegel, be sure to check it out.

If you want to stay in touch with what's happening here, the live Twitter feed is quite active: #BlackHatEU - enjoy!


Spam Test|German spammers broaden their repertoire

Maria
Kaspersky Lab Expert
Posted April 14, 15:07  GMT
Tags: Spammer techniques

Last week we received a mass mailing that at first glance appeared no different from the usual mailbox clutter. The messages were in German and advertised an online casino. Nothing out of the ordinary there – after all, gambling-themed spam is one of the most popular in the German-speaking realms of cyberspace.

But after a closer inspection, these messages turned out to be of much more interest - all the links in the messages led to pages created on legitimate sites that had been compromised. The links looked like this: *******.com/news_.php or *******.com/1500.php.

Of course, there’s nothing new in hacking a site and using it to host pages that advertise Viagra or fake designer goods. Spammers have been using this approach to bypass spam filters for quite some time now.

The method may not be new, but it’s also not that common, mainly because hacking a site is a real hassle. It is much easier for spammers to create doppelganger sites with unpronounceable names on second-level domains they have purchased, or to use URL shortening services.

The messages were also of interest simply because they are aimed at German-speaking users. Until now, this method of bypassing spam filters was practically unheard-of among German spammers. And then suddenly there was this burst of mass mailings using a large number of legitimate sites. The types of sites being used vary. Most of them are in the .com, .org and .net domains. About half of the compromised sites are in Spanish and Portuguese. One of them was also infected by a Trojan program.

The pages created on the hacked sites automatically redirected users to two sites: *****casinos.com from the news_.php pages, and *****play.biz from the 1500.php pages.

In recent months German-speaking spammers have started making much greater use of a variety of methods to bypass spam filters. Less than a year ago ‘noisy’ text in German spam was very rare; now it is being used more and more. It seems that German-speaking spammers have now decided to try out the effectiveness of compromised sites.

It remains to be seen which of the many techniques applied by Russian and US spammers will be next.


Rogue antivirus programs have been around for years now, trying to scare people into buying fake products. This time, Desktop Security 2010 RogueAV comes with an interesting new trick to frighten users.

The main rogue component creates a remote thread in taskmgr.exe in order to call LoadLibrary on its DLL component, taskmgr.dll.

This dll is part of the scare tactics.

As you can see in the screenshot below, the words "virus free" and "infected" were inserted in front of process names:

The dll is packed with a custom packer. Once the dll has been unpacked, it's easy to find out how it performs the modification.

Here is a small snippet from the unpacked dll to understand how it manipulates Task Manager:

As you can see above, it uses the SetTextColor API function to change the text color (a comment has been added to the color parameter in the screenshot). Finally, the DrawTextA API function is used to draw the inserted text.

This is a simple but effective trick to scare those people who use Task Manager to detect and remove malware.


News|April Patch Tuesday Adobe and Microsoft

Bo
Kaspersky Lab Expert
Posted April 13, 20:49  GMT
Tags: Microsoft Windows

This month’s patch Tuesday is a big one. Not only did Microsoft release their bulletins, but Adobe also released critical updates for Adobe Reader and Acrobat 9.3.1 for Windows and Mac and Unix along with updates for Reader and Acrobat 8.2.1 for Windows and Mac. These updates address multiple issues including memory corruption, buffer overflows and cross-site scripting.

Adobe has also decided to activate their new updater that will allow users to easily keep their Adobe products up to date. The updater will determine a time when your computer isn’t busy and silently install Adobe’s updates.

Considering that Adobe’s products are among those exploited most regularly, this sounds great, right? Well, here is the thing: Adobe is releasing the updater, but has no plans to activate this feature by default in this release. What this means is that people won’t be getting automatic updates unless they choose to turn the updater on. Adobe does, however, say it feels this is the best option for most users and that it is currently evaluating options for the best long-term solution. One of the solutions it might choose would be to provide users with an opt-in screen as part of the next phase of the roll-out.

My feeling is that Adobe needs to take security seriously and start using the more secure methods as default settings.

In the Microsoft world, today brings 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office and Exchange. This month’s bulletins affect all operating systems, including Windows 7. The ratings for the 11 bulletins range from moderate to critical, with 5 critical, 5 important and one moderate. This month’s updates include bulletins addressing the critical SMB vulnerability Microsoft notified us about last November and the VBScript vulnerability from March of this year.

MS10-019 - resolves two vulnerabilities in Windows Authenticode verification. These vulnerabilities may allow attackers to modify executables (PE and CAB files) without invalidating the signature. The bulletin addresses this by performing additional verification operations when signing and verifying portable executable or cabinet files.

MS10-020 - is the bulletin Microsoft released to address the SMB vulnerability. It affects both SMBv1 and SMBv2. The SMB client is mainly used to provide shared access to files and printers on a network. If exploited, this could lead to a denial of service.

MS10-022 - addresses the vulnerability in VBScript that could allow remote code execution. Users can be exploited by visiting a specially crafted web page and being tricked into pressing the F1 key. This bulletin is rated important for users running Windows 2000, XP or Server 2003; for users running Windows 7, Server 2008 or Server 2008 R2 there is no severity rating, and Microsoft calls it a defense-in-depth measure.

MS10-025 - resolves a vulnerability in the way Windows Media Unicast Service handles transport information network packets; an attacker exploiting it would be able to take complete control of the computer. Something to note is that on Windows 2000 Server, Windows Media Services is an optional component and isn’t installed by default.

MS10-026 - addresses a vulnerability in how Windows handles MPEG Layer-3 (MP3) audio streams. If a user were to open a specially crafted AVI file, the attacker would gain complete control of the system.

MS10-027 - fixes a vulnerability in Windows Media Player. For users to be exploited, they would need to visit a malicious web site and open the specially crafted media.

For information about the rest of the bulletins, and detailed information about today’s Microsoft release, please see the Microsoft Security Bulletin Summary or the Adobe Security Bulletin.

While updating, keep in mind all of these updates require a restart so make sure you’re ready for a reboot.


Virus Watch|Benign Feature, Malicious Use

Fabio Assolini
Kaspersky Lab Expert
Posted April 08, 17:28  GMT
Tags: Internet Banking

An interesting and little-known feature used by sysadmins around the world in some large corporate networks is proxy auto-config (PAC) files. This benign feature is supported by all modern browsers and is described in detail here. A PAC file contains a function that tells the browser to route connections to given URLs through a specific proxy server.

Unfortunately, this simple and smart proxy technique is being widely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages for financial institutions. A .pac script URL is configured in the browser, in the field “Use automatic configuration script”:


Here is an example of a malicious .pac file in the wild:


After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.

A lot of Brazilian malware is using this trick nowadays. Not only Internet Explorer users are affected, but also users of Firefox and Chrome. The malware changes Firefox’s prefs.js file, inserting the malicious proxy into it:


And finally, to make sure the malicious proxy is not removed by the user, a malicious DLL is launched at startup through rundll32.exe to rewrite the proxy setting whenever it is removed.

This particular family of malware is detected and removed by our products under names such as Trojan.Bat.Proxy.
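The two artefacts this post shows, a PAC script that sends selected hostnames to a proxy and a prefs.js that points Firefox at that script, can both be checked mechanically. The Python below is an added example, not code from the original post: the PAC text, hostnames and proxy address are constructed placeholders in the shape described above, the two preference names (network.proxy.type, network.proxy.autoconfig_url) are the real ones Firefox uses for automatic proxy configuration, and the PAC parsing is a deliberately narrow regular-expression pass over `if (...) { return "..." }` branches rather than a JavaScript interpreter.

```python
"""Inspect a PAC file and Firefox prefs.js for proxy hijacking (added example).

The PAC text, hostnames and proxy address below are constructed placeholders
in the shape the post describes; the two pref names are the real ones Firefox
uses for automatic proxy configuration.
"""
import fnmatch
import re

SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.example-bank.test") ||
        dnsDomainIs(host, ".second-bank.test") ||
        host == "login.third-bank.test") {
        return "PROXY 203.0.113.5:80";
    }
    return "DIRECT";
}
'''

SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://203.0.113.5/proxy.pac");
'''

# Hostnames a defender cares about (constructed; substitute real bank domains).
WATCHLIST = ["www.example-bank.test", "online.second-bank.test",
             "login.third-bank.test", "www.unrelated.test"]

# One `if (<condition>) { return "<directive>"` branch per match.
BRANCH_RE = re.compile(r'\bif\s*\((.*?)\)\s*\{\s*return\s*"([^"]+)"', re.S)
# Host tests used inside a condition: shExpMatch / dnsDomainIs / host == "...".
HOST_RE = re.compile(r'(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)'
                     r'|host\s*==\s*"([^"]+)"')
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+))\);')


def pac_routes(pac_text):
    """Map each non-DIRECT directive to the host patterns that select it."""
    routes = {}
    for condition, directive in BRANCH_RE.findall(pac_text):
        directive = directive.strip()
        if directive.upper() == "DIRECT":
            continue
        patterns = [glob or exact for glob, exact in HOST_RE.findall(condition)]
        routes.setdefault(directive, []).extend(patterns)
    return routes


def _matches(pattern, host):
    """Approximate the PAC helpers: dnsDomainIs is a suffix test,
    shExpMatch a shell-style glob, host == an exact comparison."""
    if pattern.startswith("."):
        return host.endswith(pattern)
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(host, pattern)
    return host == pattern


def hijacked_hosts(pac_text, watchlist):
    """Watchlist hosts that the PAC would send through a proxy."""
    hits = []
    for directive, patterns in pac_routes(pac_text).items():
        for host in watchlist:
            if any(_matches(p, host) for p in patterns):
                hits.append((host, directive))
    return hits


def firefox_pac_setting(prefs_text):
    """Return (network.proxy.type, network.proxy.autoconfig_url).

    Type 2 means 'automatic proxy configuration URL', so type 2 together with
    a URL nobody in the organisation configured is the symptom described above.
    """
    prefs = {}
    for name, text_value, int_value in PREF_RE.findall(prefs_text):
        prefs[name] = int(int_value) if int_value else text_value
    return prefs.get("network.proxy.type"), prefs.get("network.proxy.autoconfig_url")


if __name__ == "__main__":
    print(hijacked_hosts(SAMPLE_PAC, WATCHLIST))
    print(firefox_pac_setting(SAMPLE_PREFS))
```

On the constructed sample, the three bank hostnames are reported as routed to PROXY 203.0.113.5:80 while the unrelated host stays DIRECT, and the prefs.js check returns type 2 with the injected URL. A PAC that only returns DIRECT yields no hits.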

Research|The mobile game with a Trojan thrown in for free

Denis
Kaspersky Lab Expert
Posted April 08, 15:13  GMT
Tags: Mobile Malware

Since 27 March, a new game called 3D Antiterrorist has been cropping up on quite a few international freeware sites offering downloads for Windows Mobile smartphones. As well as the game itself, the 1.5 MB archive contains the file reg.exe, which is actually a Trojan that calls premium-rate international numbers and leaves smartphone owners significantly out of pocket. As of 8 April, this malicious program has been detected by Kaspersky Lab as Trojan.WinCE.Terdial.a. Let’s take a closer look at what happens.

After the antiterrorist3d.cab installation file is launched, the game is installed in Program Files, while the malicious file reg.exe (5632 bytes) is copied to the system directory under the name smart32.exe.

A closer inspection of the malicious program’s code revealed that:

  • it was created by Russian-speaking virus writers;
  • calls are made to 6 different premium-rate numbers every 50 seconds;
  • it uses the CeRunAppAtTime function to self-launch, and it launches at night when the smartphone owner is most likely to be asleep.

Here is the list of numbers where the calls are made:

  • +882******7 - International Networks
  • +1767******1 - Dominican Republic
  • +882*******4 - International Networks
  • +252*******1 - Somalia
  • +239******1 - Sao Tome and Principe
  • +881********3 - Global Mobile Satellite System

A year ago we wrote about a porno dialer for smartphones running Symbian. The calls were made to international premium-rate numbers to get access to adult content, and the owner received advance warning that a call was being made to an international pay-per-call number.

Now we’re dealing with the first malicious program that makes calls to international premium rate numbers, with the writer(s) of this illegal piece of malware getting rich at the expense of unsuspecting smartphone owners.
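The three behaviours described above (calls to a fixed set of premium-rate international prefixes, one call every 50 seconds, and activity at night) are exactly what a call-log review can look for. The Python below is an added example and not code from the original post: the country-code prefixes are the ones listed above, but the digits after them are masked in the post, so the full numbers in the sample log are constructed placeholders, and the night window and cadence threshold are my own choices.

```python
"""Flag dialer-style calling patterns in a constructed call log (added example).

The prefixes come from the list in the post; the digits after them are masked
there, so the numbers below are constructed placeholders, not real indicators.
"""
from datetime import datetime

PREMIUM_PREFIXES = {
    "+882": "International Networks",
    "+881": "Global Mobile Satellite System",
    "+1767": "Dominican Republic",
    "+252": "Somalia",
    "+239": "Sao Tome and Principe",
}

# Constructed log: one outgoing call per line, "<date> <time> <number>".
# Six calls 50 seconds apart at 3 a.m., then one ordinary evening call.
SAMPLE_CALL_LOG = """\
2010-04-07 03:00:10 +8820000007
2010-04-07 03:01:00 +17670000001
2010-04-07 03:01:50 +8820000004
2010-04-07 03:02:40 +2520000001
2010-04-07 03:03:30 +2390000001
2010-04-07 03:04:20 +8810000003
2010-04-07 19:30:00 +70000000000
"""


def classify_number(number):
    """Return the network the number's prefix belongs to, or None."""
    # Longest prefix wins, so "+1767" is tested before any shorter "+1..." entry.
    for prefix in sorted(PREMIUM_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return PREMIUM_PREFIXES[prefix]
    return None


def parse_calls(text):
    """Parse the log into a time-ordered list of (datetime, number)."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, number = line.split()
        calls.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), number))
    return sorted(calls)


def analyse_call_log(text, night=(0, 6), max_gap_seconds=60):
    """Summarise the behaviours the post describes: calls to premium-rate
    prefixes, a short fixed interval between them, and placement at night."""
    calls = parse_calls(text)
    premium = [(when, number, classify_number(number))
               for when, number in calls if classify_number(number)]
    times = [when for when, _, _ in premium]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "premium_calls": [(number, network) for _, number, network in premium],
        "regular_cadence": bool(gaps) and max(gaps) <= max_gap_seconds,
        "all_at_night": bool(times) and all(night[0] <= t.hour < night[1] for t in times),
        "seconds_between_calls": gaps,
    }


if __name__ == "__main__":
    print(analyse_call_log(SAMPLE_CALL_LOG))
```

On the constructed log the six premium-rate calls are listed with their networks, the gaps are all 50 seconds and every call falls in the night window, while the evening call to an ordinary number is left alone.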


Some time ago I wrote an article about how Brazilian banker Trojans work, but time doesn’t stand still and Brazilian coders are trying to improve their skills, developing more complex infection methods. The proof of this is the sample I worked on today. The infection scheme is the classic one:

A scam message with links to fake pictures ----> Downloading and executing of the initial Trojan.Downloader ----> Downloading and installation of Trojan.Bankers

A new (for Brazil) concept comes into play between the second and third stages, when the Trojan.Downloader downloads and installs the Banker. On the one hand, Brazilian coders obfuscate the download links using several techniques; on the other hand, they now also encrypt the Banker that is downloaded to the system.

For example, if you deobfuscate the malicious links and try to download the Trojans behind them you will see something like this:

It’s an encrypted (specially packed) PE file. The coders from Brazil use this technique to hinder automated malware analysis and monitoring by AV companies. This sample, as downloaded from the server, won’t be functional on the user’s machine unless it’s decrypted. The decryption mechanism in this case is built into the initial Trojan.Downloader, which first downloads the malware and then decrypts it so that it can infect the user’s machine:

Now spot the difference: it’s the same file, but after decryption it looks like a standard malicious PE file and can be used to infect the victim:

This particular sample is detected by Kaspersky Anti-Virus as Trojan-Banker.Win32.Banker.aumz and attacks customers of the three largest banks in Brazil.
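The "spot the difference" above comes down to one check an automated pipeline can make: does the downloaded blob have a DOS header whose e_lfanew points at a "PE\0\0" signature, or is it opaque? The Python below is an added example and not code from the original post or the sample it describes: the payload bytes are constructed (a minimal MZ/PE header stub stands in for the decrypted Banker, uniform bytes stand in for a properly encrypted download), and the single-byte XOR used to produce one of the "encrypted" forms is a toy illustration, not the cipher the real downloader uses. It shows the structural PE test, an entropy estimate, and why an analyst keeps a cheap XOR probe alongside the entropy heuristic.

```python
"""Tell a decrypted PE from an opaque download (added example).

All payload bytes are constructed. The XOR used below is a toy illustration
of 'crypting', not the scheme the Brazilian downloader actually uses.
"""
import math
import struct
from collections import Counter


def minimal_pe_stub(size=1024):
    """Bytes with a valid DOS header whose e_lfanew points at a PE signature."""
    data = bytearray(size)
    data[0:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    data[0x40:0x44] = b"PE\0\0"
    return bytes(data)


def looks_like_pe(data):
    """Structural test: 'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' where it points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_download(data, high_entropy=7.0):
    """'pe' if the blob is usable as is, 'opaque-high-entropy' if it looks
    encrypted or well packed, 'other' if neither test fires."""
    if looks_like_pe(data):
        return "pe"
    if shannon_entropy(data) >= high_entropy:
        return "opaque-high-entropy"
    return "other"


def single_byte_xor_probe(data, head=4096):
    """Analyst helper: the XOR key under which the head of the blob becomes a
    PE header, or None. Catches the most naive crypting that entropy misses."""
    for key in range(1, 256):
        if looks_like_pe(bytes(b ^ key for b in data[:head])):
            return key
    return None


# Constructed samples (see module docstring).
PE_STUB = minimal_pe_stub()                       # stands in for the decrypted Banker
XORED_STUB = bytes(b ^ 0x5A for b in PE_STUB)     # toy 'crypted' form of the same bytes
OPAQUE = bytes(range(256)) * 4                     # uniform bytes: a well-encrypted blob


if __name__ == "__main__":
    for name, blob in [("PE_STUB", PE_STUB), ("XORED_STUB", XORED_STUB), ("OPAQUE", OPAQUE)]:
        print(name, classify_download(blob), round(shannon_entropy(blob), 2),
              single_byte_xor_probe(blob))
```

The stub classifies as a PE, the uniform blob as opaque, and the XORed stub as neither: its entropy stays low because almost every byte is the same key value, which is the reason the probe exists. The probe recovers the key 0x5A for the XORed stub and returns None for the other two.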


Spam Test|It’s an Easter Spam Eggs-traviganza!

Maria
Kaspersky Lab Expert
Posted April 02, 13:44  GMT
Tags: Spam Letters

This year, Christians all over the world will be celebrating Easter Day on 4 April.

The Easter holidays of today barely resemble the quiet exchange of chocolate eggs and cards that they once did. Thanks to ruthless exploitation by all and sundry, Easter now encompasses a whole host of events and activities completely unrelated to the death and resurrection of Jesus Christ. Naturally, spammers wouldn’t miss such a golden opportunity to get in on the action too and have rather predictably come up with some ‘Easter themed’ mass mailings of their own.

It has to be said that the spammers have been quite inventive in their exploitation of the Easter theme this time though. The most popular Russian messages contain an advert for a sightseeing tour supposedly taking place on the Easter weekend. Below is a screenshot of the spam mailing offering users the chance to visit a number of religious sites located in the regions surrounding Moscow:

English-language spammers have taken it one step further.