It’s that time of year again, time to fill out your taxes and pay your part. We’ve seen more than a few examples of Tax and IRS related spam. Yesterday I received mail with an interesting approach:

This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?

Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.

The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.

Why?

As we already known, the bot distributes spam and has the ability to conduct DDoS attacks. In addition, we have discovered that:

1. The bot is capable of infecting flash drives, creating a file on them called “Copy a Shortcut to google.Ink” in the same way Stuxnet did.
2. The bot can search for configuration files for numerous FTP clients and transfer them to its command servers.
3. The bot has a built-in Bitcoin wallet theft feature.
4. The bot also includes a Bitcoin miner feature.
5. The bot can operate in proxy server mode.
6. The bot searches hard drives for files containing email addresses.
7. The bot has a sniffer for intercepting email, FTP and HTTP session passwords.

Part of the HLUX code that interacts with FTP clients

Part of the HLUX code used to steal Bitcoin wallets

Where does it come from?

The bot is loaded onto users’ computers from numerous sites hosted on fast flux domains primarily in the .EU domain zone. The bot installs small downloaders (~47 KB) on the system. These downloaders have been detected on computers in the GBOT and Virut botnets. The downloaders can be loaded to computers within minutes of a machine being infected by the malware mentioned above (GBOT and Virut). This distribution method hinders the detection of the primary bot distribution source.

Bot installations have also been detected during drive-by attacks that make use of the Incognito exploit kit.

The number of computers in the new HLUX botnet is estimated to be tens of thousands, based on the numbers in the approximately 8000 IP addresses detected in operations conducted via P2P.

Where’s it going?

As before, the HLUX botnet primarily receives commands to distribute spam. However, another malicious program, which we wrote about here, is also being installed on the botnet. Its main functionality is fraudulent manipulation of search engines along the lines of TDSS.

The passwords harvested from FTP are used to place malicious Javascripts on websites that redirect users of the compromised sites once again to Incognito exploit kit. Exploits for the CVE-2011-3544 vulnerability are primarily used when the bot is installed during these attacks. In other words, HLUX implements a cyclical distribution scheme just like that used by Bredolab.

Summary

The HLUX botnet, both old and new, is a classic example of organized crime in action on the Internet. The owners of this botnet take part in just about every type of online scam going: sending spam, theft of passwords, manipulation of search engines, DDoS etc.

It is not uncommon for new versions of botnets to appear, and it’s one of the challenges we face in the IT security industry. We can neutralize botnet attacks and delay cyber criminal activities but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them. This is a difficult task because security companies face different federal policies and legislation in various countries where botnets are located. This causes the law enforcement investigations and legal process to be a long and arduous process.

We’ll continue monitoring this particular botnet and keep you up to speed with any technical developments.

P.S. We noticed this on one fast flux domain that was earlier spreading HLUX:

It’s not yet clear whether this is the control panel of the HLUX botnet.

Microsoft is releasing 9 Security Bulletins this month (MS12-008 through MS12-016), patching a total 21 vulnerabilities. Some of these vulnerabilities may enable remote code execution (RCE) in limited circumstances, and offensive security researchers have claimed that a "bug" fixed this month should be client-side remote exploitable, but after months of public circulation, there have been no known working exploits.

The prioritized vulnerabilities patched this month exist in Internet Explorer, a specific version of the C runtime, and .NET framework. The Internet Explorer and .NET framework vulnerabilities may result in a potential drive-by exploits, so consumers and businesses alike should immediately install these patches - mass exploitation is likely to be delivered via COTS exploit packs like Blackhole and its ilk.

Last week researchers found vulnerabilities in the Google Wallet payment system. The first vulnerability was found by Zvelo, which required root access. Rooting devices has become just short of trivial at this point with the availability of “one-click root” applications for most platforms. The vulnerability was leveraged to display the current PIN number. The very next day a new vulnerability was discovered in how application data is handled in the Wallet app. In this case no root access is needed, as thesmartphonechamp demonstrated , this is simply a flaw in how the application works. Assuming a Google Prepaid card has been set up, a user can navigate to the application management interface, and delete application data for Google Wallet. On return to the app’s interface, the user is then prompted to set up a new PIN. The flaw is that the Google Prepaid card data persists. After establishing a new PIN number, the attacker is free to use the prepaid card as though it was their own.

It may not be in the same league as Christmas and New Year, but with every year Valentine’s Day is being exploited more and more by spammers. In the week before it is celebrated this year Valentine’s spam accounted for 0.3% of all spam.

We registered the first Valentine’s spam as far back as 14 January – a whole month before the holiday itself – and it struck us as being rather unusual.

Like the majority of spam mass mailings exploiting the Valentine’s Day theme, this particular mailing was in English. It is a well-known fact that the lion’s share of English-language spam is distributed via partner programs. (Unlike other parts of the world, the practice of small and medium-sized companies ordering spam mailings or sending out spam themselves is not very popular in the USA and most western European countries.) However, the first Valentine’s spam of the year bucked this trend and had nothing to do with a partner program.

This particular offer for Valentine’s Day gifts made use of coupon services.

As you can see from the screenshot, the recipient is urged to buy a small gift for their loved one making use of a discount, an offer which the company made via the major coupon service Groupon.

Coupon services have proved to be a big success around the world. Every day various websites offer special deals on anything from two to several dozen goods or services.

Groupon is one of the biggest Internet projects of its kind and it’s fairly easy to find its promo campaigns online. The site also informs its subscribers about new deals via email. The company that sent out the first Valentine’s spam detected by Kaspersky Lab used an advert for this major portal, the legitimate Groupon email campaign plus spam advertising.

We’ve already noted that for small companies coupon services are fast becoming a credible alternative to spam advertising. Judge for yourself: the method used to spread adverts is the same – via email, but spam filters don’t block legitimate mailings from major Internet resources. Another important advantage is that the firms that offer coupon services are not breaking the law. The size of the mailing may well be less than a spam mailing that a company could order, but the legitimate mailing is sent out to the relevant region and the recipients are genuinely interested in special offers sent by coupon services. As a result, a targeted, legitimate mailing can be more effective than the typical ‘carpet bombing’ associated with traditional spam.

Coupon services have had a noticeable impact on mail traffic and Internet advertising. They have also affected spam. There are now a number of spam categories associated with coupon services.

The first is that of unsolicited mailings by the services themselves. This category of spam is quite rare – the more serious companies don’t want to tarnish their reputation by being associated with spam. However, some start-ups trying to break in to the market are willing to resort to spam in an attempt to attract subscribers or to allow their platforms to be used for promotions by other companies.

Another category of ‘coupon’ spam is that which simply uses the word “coupons” instead of “discounts” to make goods or services more attractive to users. These spam mailings can offer ‘coupons’ for some of the most unexpected items. For instance, the people behind pharmaceutical spam think nothing of offering a small discount on medications and passing it off as a coupon.

A third category of coupon spam includes things like the Valentine’s spam mentioned above. This involves a company whose offers are already available via a coupon service attempting to reach a wider audience by resorting to spam. As I see it, this approach is counterproductive. The majority of users react negatively to spam, and using it to advertise will only do harm to a company’s reputation. This is especially important as many coupon services rely on the trust of their users. Spam, therefore, can actually work against a coupon service, reducing the effect of a promotion instead of enhancing it.

The potential popularity of coupon services carries with it a specific threat. Users of the services tend to leave some money on their account balance so they can spend it at any time on a deal that takes their fancy. Although the amount of money stored on such accounts may not be very much, it is still likely to attract phishing attacks against the customers of coupon services.

So as not to play into the spammers’ hands, or to avoid falling victim to a phishing attack, when using these coupon services, users need to follow three simple rules:

1. Don’t open emails from coupon services that you haven’t registered with. On the one hand, this secures you against phishing attacks or mail traffic containing malicious code. On the other hand, if a spammer’s email turns out to be simply a commercial offer, you reduce the number of responses, making the spammers’ work less profitable.
2. If an email from a coupon service to which you are registered asks you to verify your account via a link, or to enter your login and password in some other way, do not under any circumstances do so. Remember that large organizations never ask you to send your login and password via email. Any such request should be seen as an attempt to steal your account. If you are in any doubt as to whether a message is fraudulent, it is best to enter the service’s website using the method that you normally use, e.g. by entering the address in the address bar of the browser or selecting it from a ‘favorites’ tab. Only when you have opened the site and are certain that it is genuine should you open your account and make sure there are no problems with it.
3. If you get a message from a major service about coupons that you didn’t order, don’t open the message and, more importantly, don’t download any attachments that came with the email.

Coupon services often send purchased coupons as an attachment in an email. If you have not purchased any coupons from the service, there’s a chance that an email attachment might be malicious. If you are not sure whether or not you bought the coupon, you can always check by entering your account. We have not yet detected a malicious attachment disguised as a coupon. Nevertheless, we recommend that users be careful – spammers that participate in partner programs are usually the first to react to new opportunities, including those that involve spreading malicious code. It’s just a matter of time before this type of spam traffic appears.

You’ve probably already heard about the 'Chupa Cabra', literally a "goat sucker". It’s a mythical beast rumored to inhabit parts of the Americas. In recent times it has been allegedly spotted in Puerto Rico (where it was first reported), Mexico and the United States, especially in the latter’s Latin American communities. The name Chupa Cabra has also been adopted by Brazilian carders to name skimmer devices, installed on ATMs. They use this name because the Chupa Cabra will “suck” the information from the victim’s credit card.

The Brazilian media regularly shows videos of bad guys installing their Chupa Cabra onto an ATM. Some of them are unlucky, or incompetent, and get picked up on security cameras and caught by the cops.

That’s what makes installing an ATM skimmer a risky business – and that’s why Brazilian carders have joined forces with local coders to develop an easier, more secure way to steal and clone credit card information. From this unholy alliance, the ‘Chupa Cabra’ malware was born.

A very important “internet trust” discussion is underway that has been hidden behind closed doors for years and in part, still is. While the Comodo , Diginotar, and Verisign Certificate Authority breaches forced discussion and action into the open, this time, this “dissolution of trust” discussion trigger seems to have been volunteered by Trustwave's policy clarification, and followup discussions on Mozilla's bugzilla tracking and mozilla.dev.security.policy .

The issue at hand is the willful issuance of subordinate CAs from trusted roots for 'managing encrypted traffic', used for MitM eavesdropping, or wiretapping, of SSL/TLS encrypted communications. In other words, individuals attempting to communicate over twitter, gmail, facebook, their banking website, and other sensitive sites with their browser may have their secure communications unknowingly sniffed - even their browser or applications are fooled. An active marketplace of hardware devices has been developed and built up around tapping these communications. In certain lawful situations, this may be argued as legitimate, as with certain known DLP solutions within corporations. But even then, there are other ways for corporate organizations to implement DLP. Why even have CA's if their trust is so easily co-opted? And the arbitrary issuance of these certificates without proper oversight or auditing in light of browser (and other software implemented in many servers and on desktops, like NSS ) vendor policies is at the heart of the matter. Should browser, OS and server software vendors continue to extend trust to these Certificate Authorities when the CA’s activities conflict with the software vendors’ CA policies?

Many of the apps we enjoy are free. Well, to call them free is a bit misleading. You pay for the apps by looking at advertisements. This is a platform we should all recognize from the sidebar of Facebook, or Google, or almost any service that doesn’t charge a premium to use it. Advertising has paved the way for many services to gather a huge audience audience and still profit.

On Android and in many cases iOS, the advertisers have gotten very aggressive. They now collect all kinds of data through multiple forms of advertising. I’d like to take a look now at what you can expect.

The Adobe AIR and Adobe Flash Player Incubator program updated their Flash Platform runtime beta program to version 5, delivered as Flash Player version 11.2.300.130. It includes a "sandboxed" version of the 32-bit Flash Player they are calling "Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems". It has been over a year since Adobe discussed the Internet Explorer ActiveX Protected Mode version release on their ASSET blog, and the version running on Google Chrome was sandboxed too.

Adobe is building on the successes that they have seen in their Adobe Reader X software. Its sandbox technology has substantially raised the bar for driving up the costs of "offensive research", resulting in a dearth of Itw exploits on Reader X. As in "none" in 2011. This trend reflects 2011 targeted attack activity that we’ve observed. 2011 APT related attacks nailed outdated versions of Adobe Flash software delivered as "authplay.dll" in Adobe Reader v8.x and v9.x and the general Flash component "NPSWF32.dll" used by older versions of Microsoft Office and other applications. Adobe X just wasn't hit. IE Protected Mode wasn't hit. Chrome sandboxed Flash wasn't hit. If there are incident handlers out there that saw a different story, please let me know.

    Perhaps the worst possible scenario is when a bank website is hosting malicious ads: you never know what can be installed and when on your computer if you click on the ad banners.
Something similar happens with security websites hosting malicious ads. They are supposed to be for security information. The people browsing such sites trust the content to be safe, but in actual fact because of the ad banners the resources may be anything but trustworthy.

Will the Bouncer be effective in addressing the malware problems with Android apps?

First of all, this is a good and really necessary move Google is taking, however the solution will be only partial. Based on the public information around this service, all apps will be scanned for known malware. Basically that means a multi-scanner or something similar will be used, so the quality of malware detection will depend greatly on what AV engines Google will use to analyze apps. Not all AV engines have the same quality, so there is a possibility some malicious apps won't be detected as malicious. The second step offered by Google is emulation. It's a good approach, however it can also be cheated by anti-emulation tricks or a malicious app can be programmed to behave differently once an emulation is detected, making the app appear to be non-threatening.  So, basically the same malware tricks used to bypass Windows security can be implemented now on Android.

Is it still a good idea to use a mobile security program for protection even with Bouncer in place?

Yes, for sure it's a good idea. The situation is many people download apps not only from the official Android Market, but also from third-party sources.  Nobody knows for certain what kind of apps are out there on private market stores, run by people not affiliated with Google. Additionally as we mentioned if Google's multi-scanner won't count on all AV engines but only some of them, it's certainly good to use AV detection on your phone as a second opinion for anything that might have slipped past Google’s scanner.

Are there ways for hackers to sneak infected apps into the store despite Bouncer?

Yes and one of them is by hacking well known and trustful developers accounts. In fact I believe that will happen in the near feature. I say this because of Google says it will check all new developers account. If a developer is already known and trusted by Google, that developer account will be a prime target for cybercriminals. Also, even though we haven’t seen it happen yet, we know cybercriminals can start developing apps that work differently in specific geographic zones. For example, an app could be designed to only behave maliciously if it detects a Latin American carrier…if the same app is used by a US carrier, no malicious behavior will be detected. That's also an anti-emulation trick which can be exploited by cybercriminals in order to avoid Bouncer detection.

In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.