Some months ago my colleague Roel Schouwenberg wrote a blog post about a money mule recruitment campaign run through Facebook. We’ve been monitoring this activity and have found new, quite active and successful campaigns with the same recruitment purpose, on the same social network, but with a slightly different approach: creating groups for people to follow.

An example of one such group:

The criminals promise that their potential mules will make more than $6,000 USD per month while working no more than 18 hours a week. The mule site uses a GeoIP JavaScript that customizes parts of the offer according to the visitor’s current geographical location. It’s an old trick, but in some cases an effective one for luring more potential mules.

I was surprised to see how many followers this money mule group had:

We’re talking about 224 thousand people! Who knows how many of them accepted the offer to be a money mule? When I checked the list of members of the group I even found some people I had met personally in my life.

It’s always important to remember that the criminals behind online money theft are in a better (safer) position than their mules. They also keep the biggest part of the money. And what about the mules? Instead of money, the mules get to go to jail. If someday you receive an invitation by email, IM or a social network to become part of such a business, don’t let yourself be fooled by the criminals; odds are you’ll get prison time, not free money.

A user discovered potential malware on his computer the other day – the files “autorun.exe” and “autorun.inf” on the C: drive which, the user claims, reappear after being deleted.

After an initial analysis it was found that a number of files are downloaded, including the .NET Framework, which is quietly installed in the background. That was quite a surprise: it’s been a while since I’ve seen malware cheeky enough to install .NET. So I decided to investigate this sample in full. It turned out to be very interesting both in terms of the malicious functionality and the method used to install its components.

The autorun.exe source file is an SFX archive created with WinRK, an archiving utility that is not currently very widespread. Once it is run, a whole chain of files is executed:

Autorun.exe -> .exe -> !.bat -> start.vbs -> .bat -> Hidden Start inst.bat -> evntstart.exe;

The interesting thing about this sequence is that it uses only standard, legitimate software:

  • “Autorun.exe” – WinRK SFX;
  • “.exe” – BatToExe;
  • “inst.bat” – launched using Hidden Start;
  • “evntstart.exe” – WinRK SFX;
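The chain above is a good candidate for process-ancestry detection: each stage is a legitimate launcher, and it is the depth of the nesting, not any single tool, that is abnormal. The following Python is an added example, not code from the post. It reconstructs parent/child chains from constructed process-creation events and flags leaf processes whose ancestry nests several interpreter or launcher stages. The events, the assumption that the batch files run under cmd.exe and the .vbs under wscript.exe, and the name hstart.exe for Hidden Start are all assumptions made for the illustration.

```python
"""Flag deep chains of legitimate launchers (SFX -> bat -> vbs -> bat ...).

Added example; the events below are constructed to mirror the chain in the
post, not real telemetry. It is assumed that .bat files run under cmd.exe,
.vbs under wscript.exe, and that Hidden Start's executable is hstart.exe.
"""

# (pid, ppid, image name) - constructed process-creation events
EVENTS = [
    (4, 0, "System"),
    (100, 4, "explorer.exe"),
    (200, 100, "autorun.exe"),    # WinRK SFX from the C: root
    (300, 200, ".exe"),           # BatToExe-compiled stub
    (400, 300, "cmd.exe"),        # !.bat
    (500, 400, "wscript.exe"),    # start.vbs
    (600, 500, "cmd.exe"),        # .bat
    (700, 600, "hstart.exe"),     # Hidden Start (assumed name)
    (800, 700, "cmd.exe"),        # inst.bat
    (900, 800, "evntstart.exe"),  # second WinRK SFX
    (150, 100, "notepad.exe"),    # benign sibling, for contrast
]

# Individually harmless stages; their depth within one ancestry is the signal.
LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe", "hstart.exe"}


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to `pid`."""
    parent = {p: pp for p, pp, _ in events}
    image = {p: img for p, _, img in events}
    chain, seen = [], set()
    while pid in image and pid not in seen:   # `seen` guards against pid-reuse loops
        seen.add(pid)
        chain.append(image[pid])
        pid = parent[pid]
    chain.reverse()
    return chain


def launcher_depth(chain):
    """How many launcher/interpreter stages appear in an ancestry chain."""
    return sum(1 for img in chain if img.lower() in LAUNCHERS)


def suspicious_leaves(events, threshold=3):
    """Map each leaf pid (no children) to its chain when it nests >= threshold launchers."""
    parents = {pp for _, pp, _ in events}
    hits = {}
    for pid, _, _ in events:
        if pid in parents:
            continue
        chain = ancestry(events, pid)
        if launcher_depth(chain) >= threshold:
            hits[pid] = chain
    return hits


if __name__ == "__main__":
    for pid, chain in suspicious_leaves(EVENTS).items():
        print(pid, " -> ".join(chain))
```

On a real host the same logic runs over Sysmon event ID 1 or a process-creation audit log; the threshold is a tuning knob, since build scripts and installers also nest cmd.exe a couple of levels deep.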

Events|The CARO 2010 Technical Workshop

Costin Raiu
Kaspersky Lab Expert
Posted May 26, 14:08  GMT
Tags: Conferences

Today was the opening day of the CARO 2010 Workshop, which is hosted by F-Secure in Helsinki.

Mikko Hypponen, the CRO of F-Secure, opened the conference by announcing this year's theme, Big Numbers. With between 30,000 and 50,000 new malicious samples appearing daily, this is a very hot topic in the industry.

One of the highlights of the conference was undoubtedly the keynote address by Dr Alan Solomon.

This weekend we monitored three attacks by Brazilian cybercriminals on Twitter, all with the same goal: spreading banker malware through direct messages sent from compromised accounts, targeting Brazilian users.

This can be considered new in Brazil, especially because around 90% of all Brazilian malware is spread through e-mail, using spam techniques and many social engineering tricks. The malicious scheme starts when users receive a direct message from another user:

“Check out Twitter 2.0 with pictures and more, sign up now in the Beta”

The direct message is sent automatically from a user whose account has been compromised or whose login has been stolen. The links in these direct messages use twt.tl, Twitter’s own URL shortener. The scheme then goes through a lot of redirections before finally arriving at a .com domain serving an executable file, a banker Trojan:

If executed, the malware creates a file called hash.dll in the folder C:\Windows\HASH and registers it as a BHO (Browser Helper Object) in the browser under a random CLSID. This DLL has a really low rate of detection. Once activated, the banker Trojan monitors all of the user’s connections and steals credentials for the Internet banking services of Brazilian banks.

What’s more interesting in this attack is how quickly it spread. In less than one hour the malicious link used in the message was visited more than 2,000 times, almost all by Brazilian users:

This malware is detected by Kaspersky as Trojan-Downloader.Win32.Homa.cgc.

The features of malicious programs for mobile devices continue to expand: the first malicious program for mobile phones that steals logins and passwords for the Russian-language social networking site VKontakte has been detected.

Account credentials for various social networking sites are in high demand on the black market. That’s why criminals are trying to steal as many logins and passwords as possible using phishing pages and a variety of malicious programs. An example of this kind of malware is a new Trojan for mobile devices.

The malicious program Trojan-PSW.J2ME.Vkonpass.a is a 17 KB JAR archive called vkmob.jar which masks itself as an application for accessing the popular VKontakte site from a mobile phone.

If the application vkmobile (the name of the Trojan when installed on phones) is launched, the following will be displayed on the screen:

If the user enters his/her login and password and presses "Go!", the Trojan attempts to send the data via SMTP to the criminal’s e-mail address. If the attempt fails, a "connection error" message is displayed; if it succeeds, an "Error 401" message appears on the screen instead.

Users need to be careful when using applications that pass themselves off as clients for various social networks, because in some cases those “clients” turn out to be malicious. Legitimate applications (if they exist) are usually available from the social networking sites themselves.

Just a few hours ago Twitter officially announced the launch of its new iPhone application, “Twitter for iPhone”. The news quickly became a trending topic on Twitter and, as usual, criminals took advantage of it once more. The difference this time is that the criminals behind this particular attack didn’t use Rogue AV malware but a worm with dropper functionality that delivers banker Trojan malware to the user’s machine.

This is an example of the malicious tweets we detected:

The initial Trojan is downloaded to the victim’s machine by a malicious Java archive file. It has several malicious features, for example: spreading through USB devices; disabling Windows Task Manager, the regedit application and notifications from the Windows Security Center. It also creates a copy of itself on the system under the name of Live Messenger. The criminals even included an anti-virtualization feature: the worm checks whether the hard drive of the infected system is virtualized, and if it finds itself in a virtual machine the malicious code won’t be executed.

As I mentioned, the main goal of this Trojan is to steal the victims’ online banking credentials!

This malware is very harmful since credit cards and online banking credentials are at stake. Please be really careful, especially with trending topics (searches), since in many cases they are being used by criminals.

Kaspersky Anti-Virus detects the threat as Worm.Win32.VBNA.b
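Both the hash.dll BHO described in the Brazilian Twitter post above and this worm’s disabling of Task Manager and regedit leave traces in the registry, so one audit script covers both. The following Python is an added example, not code from either post: it parses a registry export (.reg text) and reports registered Browser Helper Objects whose DLL lives outside the usual program directories, plus the policy values that disable Task Manager and the registry editor. The export text, the CLSIDs and the benign vendor path are constructed for the illustration, and the trusted-directory list is a heuristic rather than a definition of what is legitimate.

```python
"""Audit a .reg export for suspicious Browser Helper Objects and disabled admin tools.

Added example. SAMPLE_REG is constructed (fake CLSIDs and paths); on a real
machine export the keys with `reg export` (UTF-16 output) and pass the text in.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Windows\\HASH\\hash.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode_value(raw):
    """Decode the two value encodings this audit needs; hex(...) blobs stay as text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key path (lower-cased): {value name: value}}; '' is the default value."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})        # keep value-less keys (BHO registrations)
            continue
        m = VALUE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            reg[key][name] = decode_value(m.group(2))
    return reg


BHO_MARK = r"\microsoft\windows\currentversion\explorer\browser helper objects\{"
SERVER_KEYS = (r"hkey_classes_root\clsid\%s\inprocserver32",
               r"hkey_local_machine\software\classes\clsid\%s\inprocserver32")
# Heuristic: BHOs normally live under Program Files; anything else deserves a look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def bho_entries(reg):
    """List (CLSID, dll path or None) for every registered BHO (HKLM/HKCU/Wow6432Node)."""
    found = []
    for key in reg:
        if BHO_MARK in key:
            clsid = key[key.rfind("{"):]
            path = None
            for fmt in SERVER_KEYS:
                path = reg.get(fmt % clsid, {}).get("")
                if path:
                    break
            found.append((clsid.upper(), path))
    return found


def suspicious_bhos(reg):
    """BHOs with no server DLL or with a DLL outside the trusted directories."""
    return [(clsid, path) for clsid, path in bho_entries(reg)
            if not path or not path.lower().startswith(TRUSTED_DIRS)]


POLICY_KEYS = (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system",
               r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system")


def disabled_tools(reg):
    """Names of the admin-tool lockouts (DisableTaskMgr / DisableRegistryTools) set to 1."""
    hits = set()
    for key in POLICY_KEYS:
        for name in ("DisableTaskMgr", "DisableRegistryTools"):
            if reg.get(key, {}).get(name) == 1:
                hits.add(name)
    return hits


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("suspicious BHOs:", suspicious_bhos(reg))
    print("disabled tools:", sorted(disabled_tools(reg)))
```

A real export from `reg export` is UTF-16LE with a BOM, so open it with encoding="utf-16" before handing the text to parse_reg; the CLSID lookup also needs HKEY_CLASSES_ROOT or HKLM\Software\Classes exported alongside the BHO key.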

Today I found a new tool which allows anyone to create a malicious program with just a few mouse clicks. When the malicious program is executed, the infected computer joins a botnet which communicates via Twitter and is used for various illegal purposes.


The tool, which is publicly available, is called TwitterNET Builder. It only requires two mouse clicks to create a malicious program which will turn a normal computer into a node in a botnet. TwitterNET Builder creates a profile on Twitter which the infected computer contacts to receive commands and instructions.

This malicious code does not contain any distribution mechanism and must be run manually on the victim’s computer, but programs generated by such tools can still be delivered by a drive-by attack or by a worm that spreads via a newly found vulnerability, for instance.

Incidents|Google Sniffing Beta (tm)

Costin Raiu
Kaspersky Lab Expert
Posted May 17, 12:02  GMT
Tags: Google

Last year, when I moved into my current home, there used to be an unprotected WiFi network available called ‘Constantine’. This is normal behavior almost everywhere around the world, but I thought it was funny when the network was renamed to ‘Buy your own net’ only a few days later. I suspect Mr Constantine grew tired of his neighbors piggybacking on his Internet link and wanted to send a message. I also suspect he didn’t know how to enable encryption in the first place, because another week later, he finally turned on WEP. He kept the name, though.

I think the Google sniffing story from earlier today is related to exactly that:

http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

During a recent investigation by the Data Protection Authority of Hamburg, it came to light that Google has been accidentally sniffing traffic on WiFi networks with its Google cars during routine mapping of roads. If your house had an open WiFi network and a Google car passed near it in the past months, then it's likely that bits of your network traffic ended up in Google's hands.

Yesterday, May 14, we saw the first new Cyrillic domains available on the Internet for public visiting. One of those domains is the official site of the President of Russia, Dmitry Medvedev: http://президент.рф


Prior to the Cyrillic domains, we also saw the first Arabic-language domains, which are likewise available to all Internet users. As an example, the domain: http://وزارة-الأتصالات.مصر


It's good to see that some nations now have domain names in their own languages. However, it brings some new potential challenges and possibly some problems. All of the countries that are now getting their own language domains have, until now, had all of their domains in Latin characters; those domains are easier for Internet users to decipher, and users have learned how to distinguish a fake phishing domain from a legitimate one. Unfortunately, it's just a question of time before cybercriminals start registering phishing domains using the same names, translated or transliterated into the local language. This may confuse a lot of ordinary users, which may lead them to become victims of cybercrime.

Another problem that may arise is how to differentiate between a legitimate and a phishing domain when it is in a local language. Imagine that you work in an anti-phishing lab and have to classify messages; that may be very difficult if they are in a language you don't read. Analysts must have no doubts when classifying a domain as a phishing domain: a mistake may mean that a legitimate domain pays the price.
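One check an anti-phishing analyst can automate regardless of which language a name is written in is the script mix inside each label: a Cyrillic "а" dropped into a Latin brand name is a different attack from a name honestly written in one script, and only the former is mechanically detectable. The Python below is an added example, not code from the post. It converts IDNs to and from the punycode form that actually travels over DNS and flags labels that mix letters from more than one script. It uses the standard library's idna codec (IDNA2003 rules; the third-party idna package implements IDNA2008 if you need the stricter ones), and the paypal lookalike is constructed for the illustration.

```python
"""IDN helpers: punycode conversion and mixed-script (homograph) detection.

Added example. The stdlib "idna" codec implements IDNA2003; the third-party
`idna` package implements IDNA2008 if stricter rules are needed.
"""
import unicodedata


def to_ascii(hostname):
    """The xn-- form that actually goes over DNS, e.g. for президент.рф."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """Inverse of to_ascii; plain ASCII names pass through unchanged."""
    return hostname.encode("ascii").decode("idna")


def letter_scripts(label):
    """Scripts of the letters in one label, taken from the Unicode character names
    (LATIN, CYRILLIC, ARABIC, GREEK, CJK ...). Digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(hostname):
    """True if any label mixes letters from two or more scripts (the homograph pattern)."""
    for label in hostname.split("."):
        if label.lower().startswith("xn--"):
            label = to_unicode(label)
        if len(letter_scripts(label)) > 1:
            return True
    return False


def classify(hostname):
    """Summary a triage script can log: punycode, per-label scripts and the verdict."""
    ascii_form = to_ascii(hostname)
    return {
        "ascii": ascii_form,
        "scripts": [sorted(letter_scripts(l)) for l in to_unicode(ascii_form).split(".")],
        "mixed_script": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    for name in ("президент.рф", "paypal.com", "p\u0430ypal.com",
                 "xn--d1abbgf6aiiy.xn--p1ai", "وزارة-الأتصالات.مصر"):
        print(name, classify(name))
```

The mixed-script test catches homographs, not the transliterated or translated brand names the post worries about: a phishing domain written entirely in Cyrillic passes this check and still has to be compared against a list of the real, registered native-script domains.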

As each day goes by, I see more and more people complaining when it comes to Facebook and privacy:

I’d like to make my friend list private. Cannot.
I’d like to have my profile visible only to my friends, not my boss. Cannot.
I’d like to support an anti-abortion group without my mother or the world knowing. Cannot.

And these are things that get shared while Facebook is fully aware of it and while its users have previously agreed to it.

It gets even worse. Let's think of all the information that can leak without anybody wanting it to, neither Facebook nor the users. Let's take a look at the latest publicly disclosed Facebook vulnerability. Yes, live chat sessions potentially exposed to attackers. Friend lists and other personal data that could get compromised. Pretty bad.

You're not in control, no matter how much you would like to be. Try to imagine for a moment that everything were perfect. Facebook would have 100% accurate and customizable privacy controls and only your few really good friends would be able to access your phone number or the pictures of how you got drunk at last night's party. Also, the social networking platform itself would be technically flawless, with absolutely no vulnerabilities. I know, it's a utopia, but we have to push things to the extreme. Even in this heavenly world where everything is perfect, imagine one of your trusted Facebook friends gets infected and his account gets compromised. From this point, everything that you carefully shared previously can potentially reach any audience. And it's not even your fault.

The solution is simple. Just delete your account. Problem solved. Simple, huh? Yes, but let's face it, we're not going to do this anytime soon. We'll continue to complain, only to go back home and log in to Facebook once again.

I propose something different. And I'm always giving this advice to anyone who asks me about privacy and social networks: as long as you have a social networking account, make sure you behave as though, sooner or later, the things you do online can be seen by anyone. Expect the best, but think of the worst. Don't upload a picture, don't post a link or a comment unless you are prepared to take responsibility for your actions. I know it might be hard to decide, but if in doubt, just don't do it. Don't do it unless it's something that you're ready to share with any person from your past, present or future life. Be honest with yourself first and you won't have any problems. I think it's common sense.

Some months ago I wrote a blog post called “Rogue AV raising the stakes” which mentioned a new trend in the graphical user interfaces of fake anti-viruses. Our predictions were correct: today my colleague Fabio Assolini found a website with an interface very similar to Kaspersky Anti-Virus. See for yourself:


This isn’t the first time we’ve found this kind of fake imitation of our solutions. The interesting part is that during our research we found fake versions of other anti-virus solutions on the same malicious host. Can you spot the difference?





These are just some of the examples. Since some Internet users know what the most popular anti-virus solutions look like, they can be confused into paying for a rogue AV solution. This is the criminals’ main goal: to confuse as many people as they can and to get as much money as possible.

On this same malicious server we found 256 different malicious rogue domains with different content but the same intention: to cheat people by making them pay money for nothing.
Please be careful and always check the domain of the page you're visiting. Don't be a victim of criminals!

It’s a classic type of network fraud: you receive a letter asking you to send the login and password for your e-mail/online wallet/gaming account/etc. If you fail to comply, the phoney “support service” that sent the message threatens to limit or even block your access to the service.

Today our spam traps caught a letter like this in which the fraudsters were trying to swindle users out of their activation codes for… Kaspersky Lab products! However, that’s not all: they also wanted the recipient’s residential address, mobile phone number and credit card number. They only stopped short of asking for the house keys.

“Dear User! Thank you for choosing our products. Unfortunately, recently more and more hackers have tried to use our name to steal information! Kaspersky Lab always cares about your security therefore we believe it is necessary to inform you about new malware! Please be informed that we have carried out preventive measures aimed at combating hackers! To confirm that you are using our licensed product please send us your full activation code information. Please also send your residence address, mobile phone number, credit card number (in order to pay for a license extension). Otherwise, our company will have to impose severe sanctions, including blocking access to your operating system. Best regards, Kaspersky Lab.”

Hopefully our users are not naïve enough to fall for such a primitive scam. There’s no need to explain that Kaspersky Lab would never send out letters like this, especially such threatening ones. It’s nothing more than a crude attempt to obtain confidential data from unsuspecting users.

To be fair, the letter does contain a number of true statements. For instance, it states that hackers make use of our name, which they do. And the authors state that Kaspersky Lab cares about the security of its users. That’s also true.

Research|Gumblar: Farewell Japan

VitalyK
Kaspersky Lab Expert
Posted May 04, 13:29  GMT
Tags: Gumblar

Gumblar malware first appeared in spring 2009. Since then it has attracted a lot of attention from local ISPs in many countries, because it steals FTP credentials, injects malicious links into legitimate content and uploads backdoors to compromised servers.

We have already described the general architecture of the Gumblar system here. The only things that have changed since then are the number of compromised servers and an additional layer of servers in the infection chain. The infection process now starts from a legitimate webpage with an injected <script> tag (such a page is called an html-redirector) which refers to a server running a PHP script (a php-redirector) that produces JavaScript which redirects the browser further. There may be between one and four redirections like this before the browser finally gets content from the server that is the actual infector. The last server in the chain hosts a bundle of exploits used to attack Internet users. Recent numbers show how many URLs of each type are in that process:

The numbers above show only the slice of the real picture that we were able to observe, which means the real numbers may be much bigger. At this moment no one knows how many compromised client machines are in the Gumblar botnet, but we believe it is more than the number of compromised servers, because the number of servers only counts those infected users who have their own websites and use FTP clients on the infected system.

We counted the total number of Gumblar server backdoors and it currently stands at about 4,460.

The danger from the Gumblar system lies not only in the potentially huge client botnet, but also in the aggregated power of the compromised servers. This is clearly understood by security researchers and ISPs. Many attempts have been made to analyze how big the system is and who stands behind it.

Japan was one of the countries which dedicated a lot of resources to the problem of Gumblar because:

  • Japanese servers are in the top 5 in terms of number of infections worldwide;
  • there is not as much local malware in Japan as in other countries, so Gumblar – which blindly crosses international borders – quickly gained a lot of attention.

We have been tracking Gumblar from the beginning from our Japanese research lab. In fact, downloading new samples, decoding and unpacking shellcodes and extracting new URLs has become a daily routine for many researchers in Japan, not only us.

Gumblar’s developers have noticed the non-stop activity coming from many Japanese IPs targeting their system. The hard work analysing the threat and the active data harvesting from Japan prompted a response from the bad guys. Not so long ago we came across a new variant of the infector script, created by the Gumblar developers, which checks where the remote client is coming from. The script uses a free IP-to-country database to determine the client’s country, and if the country turns out to be Japan, the script halts and doesn’t attack. Below is the part of the code which implements it:

In the highlighted piece of code, the function ‘gC’ gets the country code of the current client and, if this equals ‘111’ (which stands for JP in the IP-to-country database), sets the variable ‘$zz’ to 0, which halts the script.

Similar activity has been seen on the FTP servers we are monitoring. Japanese servers are no longer being reinfected, while servers in other countries are still under attack (the interval between server reinfections varies from 11 to 33 hours).

Unluckily for the bad guys, we are an international team of researchers, so even if they try to ban Japanese IPs – which may limit the number of data harvesters coming from Japan – we still have the resources to continue our research from other countries.
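The redirect chain and the country gate described above can be reproduced offline, which is useful both for understanding why an analyst in Japan now sees a dead chain and for writing a crawler that follows such chains from elsewhere. The Python below is an added example, not Gumblar’s code: it walks a constructed chain made of an html-redirector, two php-redirector responses and an infector, treating off-site <script src> tags and location assignments as the next hop, and emulates the country check by returning an empty infector response to a JP client. The URLs, page bodies and the exact JavaScript forms the redirectors use are all constructed for the illustration.

```python
"""Follow a Gumblar-style redirect chain offline and show the JP country gate.

Added example. PAGES is a constructed chain; the JavaScript forms are assumed
(real redirectors are obfuscated). fetch() stands in for HTTP so this runs
offline; swap in real requests to crawl a live chain.
"""
import re
from urllib.parse import urlparse

PAGES = {
    # html-redirector: a legitimate page with one injected off-site <script>
    "http://victim.example/index.html":
        '<html><head><script src="/js/site.js"></script></head>'
        '<body>Hello</body>'
        '<script src="http://redir1.example/x.php"></script></html>',
    # php-redirector 1: writes the next hop into the page
    "http://redir1.example/x.php":
        "document.write(\"<script src='http://redir2.example/y.php'></script>\");",
    # php-redirector 2: sends the browser on to the infector
    "http://redir2.example/y.php":
        "window.location = 'http://infector.example/in.php';",
    # infector: terminal hop, where the exploit bundle would be served
    "http://infector.example/in.php":
        "<html><body>exploit bundle placeholder</body></html>",
}

INFECTORS = {"http://infector.example/in.php"}
JP = "JP"   # the country whose clients the infector refuses to attack


def fetch(url, client_country):
    """Offline stand-in for an HTTP GET; emulates the $zz = 0 halt for JP clients."""
    if url in INFECTORS and client_country == JP:
        return ""
    return PAGES.get(url, "")


SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
LOCATION = re.compile(r"(?:window\.|top\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']")


def next_hops(url, body):
    """URLs the browser would load next: off-host script sources and location changes."""
    host = urlparse(url).netloc
    hops = [src for src in SCRIPT_SRC.findall(body)
            if urlparse(src).netloc and urlparse(src).netloc != host]
    hops += LOCATION.findall(body)
    return hops


def follow_chain(start, client_country, max_hops=6):
    """Return (list of URLs visited, body of the last hop)."""
    chain, url = [start], start
    for _ in range(max_hops):
        body = fetch(url, client_country)
        hops = next_hops(url, body)
        if not hops:
            return chain, body
        url = hops[0]
        if url in chain:
            raise RuntimeError("redirect loop at %s" % url)
        chain.append(url)
    raise RuntimeError("more than %d hops" % max_hops)


if __name__ == "__main__":
    for country in ("US", JP):
        chain, last = follow_chain("http://victim.example/index.html", country)
        print(country, " -> ".join(chain), "| payload:", repr(last[:40]))
```

The JP run reaches the same infector URL but gets nothing back, which is exactly what a Japanese analyst now observes; a crawler that records an empty terminal response as "clean" would therefore miss the infector, so compare responses from at least two source countries before closing a case.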

Jose Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog, mentioning that some observed behaviour might be related to Peer-to-Peer C&C functionality. However, Jose's analysis was dynamic only and thus he was not certain about this when I contacted him (also thanks to Alex Cox for sharing network traces of his honeypot). Being interested in Peer-to-Peer botnets (e.g. Stormfucker: Owning the Storm Botnet [MP4 Video]), I had to take a deeper look.

The Heloag binaries I've looked at (6ede527bb5aa65eae8049ac955b1018d dropped by d9b14a7bc0334458d99e666e553f0ee0) did not contain any Peer-to-Peer C&C functionality! Instead, the bot rather speaks a very simple protocol over TCP with the following command types supported (encoded as the first byte of the packet):

  1. DDoS another host using different techniques:
    • TCP DDoS, connect(..) based (does not send data)
    • UDP DDoS, sendto(..) based (sends some random data)
    • HTTP DDoS requesting / with User-Agent "helloAgent", InternetOpenUrlA based
    • HTTP DDoS crawling links from / with User-Agent "Google page"
  2. Download and execute a URL (up to 0xA4 bytes, zero-padded)
  3. Send the current computer name
  4. Stop the currently executing DDoS command
  5. Disconnect from current server and connect to new C&C server


Disassembly for function 4

This means that even though multiple C&C servers were observed during dynamic analysis, it is just some kind of hand-over to another C&C server, which can be used for load balancing or for renting out bots. Since the bot is only ever connected to one server at a time, this does not add much take-down resilience (phew!).
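The command list above is enough to write a dissector for captured Heloag traffic. The following Python is an added example, not the bot’s code or Arbor’s: it decodes a packet by its first byte as the post describes and encodes a type 2 command with the 0xA4-byte zero-padded URL field. Only the command-type byte and the URL field size come from the post; the DDoS sub-type byte, the target string and the host:port string for command 5 are assumed layouts for the illustration, and the sample packets are constructed.

```python
"""Decode/encode Heloag C&C commands (type byte first, as described in the post).

Added example. Known from the post: command type = first byte; command 2
carries a zero-padded URL of up to 0xA4 bytes. Assumed here: command 1 has a
sub-type byte then a NUL-terminated target; command 5 carries "host:port".
"""

URL_FIELD = 0xA4  # bytes reserved for the URL of a download-and-execute command

DDOS_TECHNIQUES = {          # numbering is an assumption; names follow the post
    0: "tcp-connect",
    1: "udp-sendto",
    2: "http-get helloAgent",
    3: "http-crawl Google page",
}

COMMANDS = {1: "ddos", 2: "download_exec", 3: "send_computer_name",
            4: "stop_ddos", 5: "switch_cnc"}


def _cstring(buf):
    """Bytes up to the first NUL, decoded leniently (attacker data is untrusted)."""
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_command(pkt):
    """Dissect one C&C packet into a dict; raises ValueError on malformed input."""
    if not pkt:
        raise ValueError("empty packet")
    kind, body = pkt[0], pkt[1:]
    name = COMMANDS.get(kind)
    if name is None:
        raise ValueError("unknown command type 0x%02x" % kind)
    out = {"cmd": name}
    if name == "ddos":
        if not body:
            raise ValueError("ddos command without sub-type")
        out["technique"] = DDOS_TECHNIQUES.get(body[0], "unknown(%d)" % body[0])
        out["target"] = _cstring(body[1:])
    elif name == "download_exec":
        if len(body) < URL_FIELD:
            raise ValueError("URL field truncated: %d < 0x%x" % (len(body), URL_FIELD))
        out["url"] = _cstring(body[:URL_FIELD])   # bytes beyond the field are ignored
    elif name == "switch_cnc":
        host, _, port = _cstring(body).partition(":")
        out["server"] = (host, int(port) if port.isdigit() else None)
    return out


def build_download(url):
    """Encode a type-2 command; refuses URLs that would not fit NUL-terminated."""
    data = url.encode("ascii")
    if len(data) >= URL_FIELD:
        raise ValueError("URL longer than %d bytes" % (URL_FIELD - 1))
    return bytes([2]) + data.ljust(URL_FIELD, b"\x00")


def build_ddos(technique, target):
    """Encode a type-1 command under the assumed sub-type/target layout."""
    sub = {v: k for k, v in DDOS_TECHNIQUES.items()}[technique]
    return bytes([1, sub]) + target.encode("ascii") + b"\x00"


if __name__ == "__main__":
    print(parse_command(build_download("http://example.invalid/update.exe")))
    print(parse_command(build_ddos("udp-sendto", "192.0.2.1")))
    print(parse_command(b"\x05" + b"198.51.100.7:8080\x00"))
    print(parse_command(b"\x04"))
```

Because the protocol is unencrypted TCP with the type in the first byte, the same parse_command can be run over reassembled stream segments from a sandbox pcap to log every download-and-execute URL and every hand-over target, which is what you need to enumerate the C&C set the hand-over command (type 5) hides behind.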