Several days ago, a number of leaked documents from the “Syrian Ministry of Foreign Affairs” were published on “Par:AnoIA”, a new wikileaks-style site managed by the Anonymous collective.

One of our users notified us of a suspicious document in the archive which is detected by our anti-malware products as Exploit.JS.Pdfka.ffw. He was also kind enough to send us a copy of the e-mail for analysis.

We’ve checked the e-mail, which contains a PDF file with an exploit (CVE-2010-0188, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188), a typical spear-phishing attack:

Earlier today, Softpedia reported that an Algerian hacker using the nickname MCA-CRB has managed to deface the Romanian sites of Google (google.ro) and Yahoo! (yahoo.ro).

Screenshot of the defaced Google.ro domain

When we found out about this incident we were pretty skeptical of these websites being hacked. A website as large as Google can be hacked, in theory, but it’s highly unlikely. We then noticed that both domains resolve to an IP address located in the Netherlands: 95.128.3.172 (server1.joomlapartner.nl) – so it rather looks like a DNS poisoning attack.

The question which remains unanswered up until now is where exactly the DNS spoofing/poisoning attack has happened.There are several possible scenarios here:

Recently, a new Remote Administration Tool has been discovered that started appearing here and there in targeted attacks. This tool is “PlugX”. Researchers have even tracked someone suspected of creating that malware – one of the members of the Chinese hacking group NCPH, which is allegedly in the service of PLA. Among others, this group has been accused of attacking high-profile US organizations.

But PlugX has been detected in targeted attacks not only against military, government or political organizations, but also against more or less ordinary companies. And this is quite a strange situation. No matter whether penetrators have been hired or they work for themselves, if they tend to attack “serious” organizations/persons how come we’ve also seen very different types of targets - absolutely peaceful companies – hit by the same group? We could not locate any site where this tool (or rather its kit or builder) has been offered for use, so we can’t confirm that PlugX has been shared between cybercriminal communities or other potential attackers (although we can’t deny that possibility).

On our side we have detected attacks using this infamous tool against a company which is far from military, politics, critical infrastructure and so on. This company has been bombarded for a month with spear-phishing emails with attachments containing exactly this PlugX program. The first samples were of the same type that had been already described, i.e. some sort of debug version with plenty of logging of potential errors in a bug.log file. But several days ago attackers sent a bunch of emails with a new version of PlugX. This version differs from the previous one in terms of logging activity. The virus writer has removed almost all the lines of code for processing potential errors that were present in the old version. The following awful picture represents where the logging function has been invoked in the old version of PlugX code:

They’re stalking, taking advantage of the anonymity offered by the Internet and using the most advanced techniques to deceive their victims. They pose a persistent threat. They are often very patient and have sometimes communicated with their victims over a number of days, weeks, months and sometimes for over a year before they finally arrange to meet with the young person. They are a new breed of predators.

Several days ago, our colleagues from Symantec published an analysis of a new destructive malware reported in the Middle East. Dubbed “Narilam”, the malware appears to be designed to corrupt databases. The database structure naming indicates that targets are probably in Iran.

We have identified several samples related to this threat. All of them are ~1.5MB Windows PE executables, compiled with Borland C++ Builder. If we are to trust the compilation headers, they appear to have been created in 2009-2010, which means it might have been in the wild for a while:

The earliest known sample has a timestamp of “Thu Sep 03 19:21:05 2009”.

The title of this blog reminds me of the old zombie horror movies back from the 80-ies, but what im going to write here is more like a comedy. Some of you guys have probably read my blog post about the time when i tricked them into accessing websites under my control, which led to me collecting alot of information about the callers.

After that blog post i didn’t receive any calls... until today. I was sitting in my home office, drinking my daily smoothie and writing on my paper for the Virus Bulletin magazine, and suddenly i hear the phone ringing. I don’t care about that anymore, because i hear that my wife answers the phone, but after a few minutes she enters my room and tells me that "they" are calling again.

As always, i booted up my VMware image with a totally FRESH installation of Windows XP and start talking to the scammers. For you who are not familiar with the scam, please read my other blog post which can be found below because i won’t cover it in this post. http://www.securelist.com/en/blog/208193750/Trying_to_unmask_the_fake_Microsoft_support_scammers

This time the scammers where using some different methods trying to convince me that my compute where infected with some malware. They even gave me the name "Frozen Trojan", and went to Google and tried to look it up for me. But they only ended up on results talking about the bird flue and other biological viruses which i thought was quite entertaining.

A few days ago, an interesting piece of Linux malware came up on the Full Disclosure mailing-list. It's an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario.

Last night, reports have appeared on several Russian forums regarding a Skype account hijacking exploit. The information has been made available on several Russian blogs and is now actively exploited in the wild.

Microsoft is patching a fair number of vulnerabilities in their software with 19 flaws being fixed. All of them are being updated in six Bulletins this month (MS12-071 through MS12-076). Four of the Bulletins are rated critical with only two of them being rated urgent for immediate deployment by larger customers concerned with compatibility and performance. At the same time, Internet Explorer 10 is not vulnerable to exploitation by the related set of three flaws, and newly released Windows 8 is affected by yet another font parsing flaw described by CVE-2012-2897, similar to the vulnerability exploited by Duqu. The font malware is especially interesting because the Duqu exploit is currently being included in mass exploitation kits alongside widespread Java and Adobe Reader exploits to spread Ransomware, ZeroAccess, and other trojans of all sorts. Even though Duqu was spread years ago, the patch delivered months ago, the vulnerability continues to be included in the kits and successfully exploited.

Earlier, we wrote about the tricks that fraudsters often use on their gullible victims. There’s a prize for you, just pay a small fee to open a bank account (or transport costs, bank fees, overheads etc.), and you will be a millionaire! Sounds familiar, doesn’t it? However, old tricks become stale over time, and readers become alert and suspicious to them. So, the fraudsters have come up with a new variation of an old scam.

A Twitter phishing scheme is spreading its wings, as the previous couple of phishing domains used by this scheme late last week have been taken down. So its operators have decided to put up multiple effective domains. Here are a couple of things to look for.

When you are using a browser like Google Chrome and you are visit twitter.com, the browser displays a green url indicator that the domain has been verified by an extended SSL CA. Now, with the CA breaches that we've seen in the past year (the Diginotar breach report was finalized this past week), that may not mean everything. But, in this case, here is how you might verify that you are using the legitimate twitter site:

This Direct Message attracts phish with a dramatic notice: "Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on here". There are a handful of messages in use, as the GFI guys mentioned here last week.

If you were to click on that bit.ly shortened link, your browser will be redirected through a click tracking service:
hXXp://client1.gtisolutions.co.uk/track?type=click=|||hXXp:// tivvtter.com/r1?zcms
And on to the unverified, carefully selected domain. At first glance, this one almost looks like the twitter domain itself:

Do not enter your username and password at this site. Also, there are at least a half dozen other domains that look fairly close to "twitter.com", like this one. These guys are using all of them with the same page and graphics to tempt you into entering your credentials. This theft can be a risk if you re-use your passwords across accounts. Also, there is often other personal information within these twitter accounts, like the user's email address used to create the Twitter account. So please keep an eye out for this sort of play on word recognition-domains.

Gruezi (Swiss for "hello") from the Hashdays conference, together with my colleagues Marta Janus and Marco Preuss, held in beautiful Lucerne in Switzerland . The event is hosted by DEFCON Switzerland, which was founded in 2008. Their mission is to educate in IT security skills and know-how. According to them, the best way to show how to prevent systems from becoming unsecure or getting hacked is to introduce and demosntrate current attack techniques. Additional fact: this is the third edition of the conference and it's sold out for the first time. This already proves the high quality of the event. Honestly, this is easily one the best conferences I attended so far. The quality of both the content and the delivering has been outstanding so far. I can recommend anyone interested in IT security taking part in it.