
The Phish That Bites Back

Monday, August 25th, 2008

We all get phishing emails. Some of us more than others, so it’s no surprise that sometimes people take out their frustrations on the phishing form, letting the phisher know just what they think of him or her.

While it might make you feel better, it isn’t always a good idea. For instance, if you were to do this on a phishing page hosted by the Asprox botnet, you might get more than you bargained for. The Asprox phishing form backend has a bit of extra logic added to it. If the form looks like it has been filled out with legitimate data, you get redirected to the main page of the bank website.

However, fill it out incompletely or use certain words like “phish” or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language, and your browser will be subjected to a number of exploits. If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox.

Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs.

For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screensaver shows is scary blue-screens-of-death. Of course, if you’re familiar with the Windows desktop properties dialog, you can change all that back, right?

Oops. The rogue antivirus program has removed that functionality for you. But hey, at least it gives you a chance to look over the license agreement, right?

Except you’ll notice the lack of an “I disagree” or even a “close window” button at the top of the dialog (which can’t be minimized, and stays on top of all your other windows). So there’s no easy way to continue using your computer without clicking on the “Agree and install” button. But don’t worry, Antivirus XP 08 has already installed itself, whether you click through the license agreement or not. Eventually you will see this:

Of course, you’re not infected with everything this program says you are - it’s scareware, designed to get you to fork over $50 or $100 in order to clean your system of all these nasty threats. But it doesn’t actually detect or clean anything, especially not the Asprox bot you’re hosting now.

And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back.


It Can Happen to Anyone

Thursday, July 10th, 2008

Writing good antivirus software is hard. Just ask the developer at a major antivirus company who was infected with the Coreflood trojan on his personal computer for over a year. Perhaps he was just testing their product, but it seems odd to have allowed the trojan to capture some of his personal information. Fortunately the antivirus developer was not a domain administrator on the company’s network, so Coreflood didn’t spread to every other system in the Windows domain like it did at several other businesses, hospitals and government organizations.


One might assume that by now the antivirus company employing the developer would detect the specific version of Coreflood that he was infected with on February 23, 2007. Sadly, they still do not. The reason probably stems from the overarching problem that all antivirus companies face, and Coreflood is as good an example as any. There have been dozens upon dozens of Coreflood variants over the last six years. Virus and trojan authors these days are in it for the money, and more infections equals more money. And fewer detections equals more infections. So constantly rebuilding the Coreflood trojan to evade detection is part of the bad guys’ business model. And it’s easy - programs that scramble a trojan’s code to avoid antivirus detection are available everywhere and most of them are free. The antivirus industry is really fighting a losing battle - they have to invest as much effort in reverse-engineering executable packers as the whole of the criminal underground spends in writing them, and this translates into a lot of time spent (and profits lost), since it always takes longer to reverse-engineer something than it did to engineer it. Therefore it’s not surprising that AV detection rates for new variants of most malware are simply abysmal.

But while the packed Coreflood code might change weekly, it is interesting to note that the network traffic pattern that Coreflood uses when checking in with the controller has not changed substantially in the last two years! The intrusion (really extrusion) signatures we wrote for our clients back in 2006 are still effective at locating Coreflood infections today. It goes to show that fighting malware requires a multi-faceted approach: defenses against the infection vectors (exploits and social engineering), system-level protection, and extrusion detection to fill the gaps. Increasingly we are using our iSensor(™) intrusion prevention platform to do just this. Every day our malware research department analyses a large number of malware samples in order to improve our clients’ security posture and prevent information leakage by botnets like Coreflood.

Of course, we’re not alone in recognizing extrusion detection as a key part of defense-in-depth. For example, the Emerging Threats project maintains sets of extrusion-detection rules for the open-source Snort IDS platform. Since Snort operates in detection (instead of prevention) mode, using it won’t stop data leakage or malicious commands from being downloaded by infected systems, but it can at least alert network administrators to infected workstations so that they can respond, and hopefully re-evaluate their defenses based on the frequency and types of infections occurring on their network.

At its core, the determination of malware versus non-malware with 100% certainty can only be accomplished by knowing the intent of the author, something that can’t always be divined by scanning the bits and bytes of the code. Thus, no product can ever provide a 100% solution against past, present and future malware infection. However, extrusion detection and prevention continue to be invaluable tools in today’s world, where botnets lurk in the shadows and siphon data from every corner of the network.


Are You Infected With Storm?

Tuesday, November 13th, 2007

If you saw the following browser window pop up on your desktop today for no apparent reason, you are:

[Image: Storm pop-up window]


The Changing Storm

Monday, October 15th, 2007

The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future.

The good news is, since we can now distinguish this new Storm traffic from “legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (i.e. not corporate networks, we hope!).

Matt Jonkman over at Bleedingthreats.net has written some signatures to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occurring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.
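To make the size-plus-threshold idea concrete, here is an added example (not the post’s code and not the Bleedingthreats.net signatures) that counts size-matching UDP datagrams per internal host in a sliding window; the packet sizes, window length and threshold are placeholders, and the constructed records include a legitimate client that trips the rule, which is exactly the false-positive risk a content-less signature carries.

```python
"""Threshold detection of Storm-style P2P nodes from UDP flow records.

Added example, not code from the original post or from Bleedingthreats.net.
It reproduces the described approach: count UDP datagrams whose size is
typical of the bot, per internal host, in a sliding time window, and alert
once a threshold is crossed. The sizes, window and threshold below are
placeholders chosen for illustration, not the real signature values.
"""
from collections import defaultdict, deque

STORM_SIZES = {25, 26, 33, 61}   # placeholder payload sizes in bytes
WINDOW_SECONDS = 60              # assumed sliding window
THRESHOLD = 10                   # assumed matching datagrams per window


def detect_storm_nodes(records, sizes=STORM_SIZES,
                       window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_ip: epoch_of_first_alert} for hosts over the threshold.

    records: iterable of (epoch_seconds, src_ip, dst_ip, proto, payload_len).
    A per-host deque keeps timestamps of size-matching UDP datagrams; entries
    older than the window are evicted before the count is compared.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, _dst, proto, length in sorted(records):
        if proto != "UDP" or length not in sizes:
            continue                      # no content match: size is all we have
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def make_records():
    """Constructed flow records (not real traffic) covering three cases."""
    recs = []
    # Infected host: 12 matching datagrams within 22 s -> alert at the 10th.
    for i in range(12):
        recs.append((1000 + 2 * i, "10.0.0.5",
                     "198.51.100.%d" % (i + 1), "UDP", 25 if i % 2 else 33))
    # Slow talker: same sizes, one datagram every 100 s -> never 10 per window.
    for i in range(12):
        recs.append((1000 + 100 * i, "10.0.0.9", "198.51.100.50", "UDP", 26))
    # Legitimate P2P client whose datagrams happen to be 61 bytes: with no
    # content matching it also trips the rule, the false positive the post warns of.
    for i in range(10):
        recs.append((2000 + 5 * i, "10.0.0.7",
                     "203.0.113.%d" % (i + 1), "UDP", 61))
    # A TCP segment of a matching size is ignored by the UDP-only rule.
    recs.append((1000, "10.0.0.8", "203.0.113.9", "TCP", 25))
    return recs


if __name__ == "__main__":
    for host, when in sorted(detect_storm_nodes(make_records()).items()):
        print("%s crossed the threshold at t=%d" % (host, when))
```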


Avast, Ye Trojan Scallywags!

Friday, August 24th, 2007

For several years now, there has been a steady, increasing effort by computer criminals to utilize malware in order to steal data from victim computers. Often the criminals don’t actually write the malware, they simply download a trojan kit, configure it for their purposes and then spread it using various methods. We talk about these schemes all the time, yet there’s no good term to describe these miscreants.

They’re not exactly phishers, although they have the same goals.

They’re not VXers, and “trojan-fraudsters” doesn’t quite have a ring to it. But, if we think about what it is these criminals do for a living, it is quite analogous to piracy on the high seas. Hijacking (boarding) your computer and stealing your money, all done over the Internet, where no single jurisdiction applies.

Thus, I propose we redefine the term “computer piracy” to mean “the hijacking/unauthorized entry of another person’s computer for the purpose of stealing resources, data or money”. What most people think of as computer piracy these days isn’t really piracy anyway, it’s copyright infringement. It’s time to take back the definition of piracy and apply it to something it actually fits. The trojan-using fraudsters and thieves are nothing more than modern pirates.

Having this redefinition also suggests alternate ways of dealing with the problem - in days of old, private parties were commissioned with capturing and seizing the assets of pirates by letters of marque and reprisal. Although it sounds like an archaic concept, letters of marque are still authorized by the U.S. Constitution, and in fact, have been suggested as a possible means for capturing Osama bin Laden, in the Marque and Reprisal Act of 2001 introduced into Congress by Rep. Ron Paul of Texas.

You may be thinking “yes, but privateers were often indistinguishable from pirates in previous centuries.” Yes, that’s true - it was difficult for a country issuing a letter of marque to monitor the activities of its privateers on the high seas. This kind of unchecked power plus the amount of wealth that travelled on merchant ships often led to greed and corruption.

These days we have computer security researchers already tracking down the pirates in their spare time, for free. They’re not looking for a payoff for their efforts other than seeing the miscreants go to jail and/or pay restitution. Seizing an asset these days might simply mean forcing a registrar to remove a domain name or an ISP to identify and/or disconnect a customer (given proof of fraudulent activity) - something the private crimefighter currently doesn’t have the authority to do. Most already work with law enforcement at home and abroad; however, it is becoming increasingly clear that the current level of law enforcement effort is not making a noticeable impact in the amount of trojan activity.

Detecting BBB/IRS/FTC/Proforma Trojan-Infected Users on Your Network

Monday, June 18th, 2007

We’ve gotten some inquiries as to how to find users infected by the recent BBB/IRS/FTC/Proforma trojan scams on corporate networks where an IDS/IPS device that can detect the exfiltration traffic might not be in play.

If you keep logs of firewall/proxy or DNS server traffic, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to go back in the logfiles at least until the beginning of 2007 when searching.

Frequent traffic to the following IP addresses may be a sign of an infection and data leakage from executives within the company:

If you have detailed DNS server logs, another indicator you can look for is frequent attempts to resolve one or more of the following hostnames:

This is not a complete list, but should cover at least one host from each of the recent scams. If you discover these addresses/hostnames in your logs, the next step is to investigate the internal system sending the traffic and determine if the user has previously received one of the phishing emails. If they have, it is likely that they have been infected since that time, and any information they have submitted to any website in that timeframe has been sent to the phishers. Firewall/proxy logs or Internet Explorer history files may be useful in determining which sites the intercepted data was submitted to.

If the user has never received one of the emails, the traffic could indicate visits to another virtual host on the same IP address, but caution should still be taken to thoroughly investigate the source of the traffic. Some of the listed sites are legitimate sites which have been hacked to host the phisher’s backend code, so it could also indicate a normal access to the other areas of that website. The key to detecting the infection is seeing regular traffic to those sites, interspersed with visits to every other website.

If a machine is identified as being infected, it should first be cleaned of the infection (the recommended course of action being to reformat the infected workstation and restore from backups made prior to the infection date). Then any authenticated accounts should be checked for suspicious activity and all passwords should be changed.

There are many variants of the trojan installed by these phishing scams, and antivirus engines may not always detect any/all components of the trojan. If you are unsure how to determine where the malware might be located on a machine suspected of being infected, contact your MSSP for assistance in locating and remediating the threat.
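As an added illustration of the log review described above (not part of the original post), the following script applies a constructed watchlist (placeholder TEST-NET addresses and .invalid hostnames, not the real indicators) to a simplified proxy log and separates regular, interspersed beaconing from a one-off visit to a possibly hacked site or a burst with no regular pattern.

```python
"""Spot trojan beaconing to a watchlist in proxy logs.

Added example, not from the original post.  The indicators are constructed
placeholders (TEST-NET addresses, .invalid names) standing in for the post's
IP/hostname lists; the log format "epoch src_ip dst_host dst_ip dst_port"
is a simplification assumed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

WATCH_IPS = {"192.0.2.10", "192.0.2.11"}                       # placeholders
WATCH_HOSTS = {"backend.example.invalid", "hop.example.invalid"}

# Constructed log: a beaconing host, a one-off visit, and an irregular burst.
LOG = """\
1000 10.1.1.20 www.news.example 198.51.100.1 80
1005 10.1.1.20 backend.example.invalid 192.0.2.10 80
1100 10.1.1.20 mail.example 198.51.100.2 443
1305 10.1.1.20 backend.example.invalid 192.0.2.10 80
1400 10.1.1.20 www.shop.example 198.51.100.3 80
1605 10.1.1.20 hop.example.invalid 192.0.2.11 3128
1905 10.1.1.20 backend.example.invalid 192.0.2.10 80
2205 10.1.1.20 backend.example.invalid 192.0.2.10 80
1200 10.1.1.30 www.hacked-shop.example 192.0.2.11 80
1250 10.1.1.30 www.news.example 198.51.100.1 80
3000 10.1.1.50 backend.example.invalid 192.0.2.10 80
3010 10.1.1.50 backend.example.invalid 192.0.2.10 80
3410 10.1.1.50 backend.example.invalid 192.0.2.10 80
3415 10.1.1.50 backend.example.invalid 192.0.2.10 80
4315 10.1.1.50 backend.example.invalid 192.0.2.10 80
4320 10.1.1.50 www.news.example 198.51.100.1 80
"""


def parse_line(line):
    ts, src, host, ip, port = line.split()
    return int(ts), src, host, ip, int(port)


def is_watch_hit(host, ip):
    """Match by hostname (DNS/proxy logs) or by destination IP (firewall logs)."""
    return host in WATCH_HOSTS or ip in WATCH_IPS


def analyse(lines, min_hits=4, max_cv=0.5):
    """Return {src_ip: verdict} for every source that touched the watchlist.

    'likely infected' needs at least min_hits hits at regular intervals
    (standard deviation of the gaps <= max_cv * mean gap) with other browsing
    in between, the pattern the post describes.  Any other contact is
    'investigate': possibly a hacked legitimate site or a shared address.
    """
    by_src = defaultdict(list)
    for line in lines:
        ts, src, host, ip, _port = parse_line(line)
        by_src[src].append((ts, is_watch_hit(host, ip)))
    verdicts = {}
    for src, events in by_src.items():
        hit_ts = sorted(ts for ts, hit in events if hit)
        if not hit_ts:
            continue
        other = sum(1 for _ts, hit in events if not hit)
        if len(hit_ts) >= min_hits:
            gaps = [b - a for a, b in zip(hit_ts, hit_ts[1:])]
            if pstdev(gaps) <= max_cv * mean(gaps) and other:
                verdicts[src] = "likely infected"
                continue
        verdicts[src] = "investigate"
    return verdicts


def run(log=LOG):
    """Verdicts for the constructed log above."""
    return analyse(log.splitlines())
```

run() returns the verdict dictionary; 10.1.1.20 comes back as likely infected while the single visit and the irregular burst are left for manual investigation.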


BBB Scam Changes Social Engineering Ploy

Friday, June 15th, 2007

Since we first wrote about the BBB phishing emails, we’ve seen variants change from forging BBB complaint letters to false IRS criminal investigation notices to FTC investigation notices. We’re now seeing messages from the same phishing group posing as “Proforma” invoices, sent with a Word document attachment (actually MS Word this time, not RTF doc files as in the other BBB/IRS phishing schemes).

The actual email looks like:
———————————————————————————————-
From: accounting@beckman.com
To: [your name]
Sent: Thu Jun 14 10:45:52 2007
Subject: Proforma Invoice for [your company] (Attn: [your name])
[845f3287d35219769d51b892d2509077]

Hello,

The Proforma Invoice is attached to this message. You can
find the file in the attachments area of your email software.

PS: The invoice also includes the cost for the services
provided for the second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.

Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100

MSG ID:
#40fe0d7c683afa8c7ebda09f55ca88b5:a575f05b1e4d358120a5c98881262691
SIGNATURE:
#c2b2595f0b4d12cfde5315dabeeb7bae:3c19c0592a80d229aed41bd11b5ca545
ANTIVIRUS OK: #5fc97adcc79e2c4c46613281deaf3ade
———————————————————————————————-

Of course, the email is not really from Beckman Instruments. Embedded in the .doc file is the iwebho trojan.

We’ve seen around 200 users infected since yesterday, so clearly the social engineering is working to some extent. While 200 infections may not seem like such a huge number in this day and age of million-zombie botnets, you have to remember that these emails are only being sent to executives/high-level management at companies, meaning most of the targets will be highly profitable for the phisher, instead of the hit-and-miss proposition of targeting home PC users. Of course, SecureWorks Network Intrusion Protection clients are protected from this trojan. And for non-SecureWorks NIP clients, SecureWorks has developed a Snort signature to detect leakage of data from the trojan, which can be found at: http://www.secureworks.com/research/threats/bbbphish


BBB/IRS Phishes and the Chinese Connection

Thursday, June 7th, 2007

Recently we detailed the workings of two different phishing emails designed to install malware on the computers of executives through social engineering ploys. The first ploy was an email pretending to be a complaint routed through the Better Business Bureau. We saw this used to install two different families of malware. The second ploy, posing as a criminal investigation notice from the IRS, has now been seen installing the same two families of malware.

The one that got our attention in the first place, known as Troj-iwebho, has a simple yet powerful tactic - steal ALL data being sent from the victim’s web browser. Banking, email, shopping, stock trading, prescription/healthcare data and casual (sometimes very personal) browsing - everything the user does online is databased by the attacker. It seems on the surface that it makes for an identity theft scam with a very high payoff potential.

This time we see that the attacker registered a new domain and set up a new server to host the latest scam. That domain is registered in China, to one “li hu”, and the server is physically located in China as well.

Normally we expect whois information for malware-hosting domains to be forged, but it is still a compelling piece of evidence that the attacker may very well be Chinese or at least able to read and write Chinese, as the domain registrar’s site is Chinese-language only.

Typically when we see malware from China, it has one of two purposes - to either steal documents related to trade secrets of companies and military/government institutions, or to steal accounts from online role-playing games. This new scam doesn’t seem to fit into either category, so it may represent the emergence of a new kind of Chinese-based cybercrime. The question is then, just what do Chinese malware authors intend to do with the vast amount of data they’ve stolen from over a thousand U.S. corporate executives?


QA, Anyone?

Friday, March 30th, 2007

Microsoft is not alone when it comes to writing vulnerable code. It’s downright hard to write secure code in low-level languages. It’s understandable, especially when most of your core code was written before buffer overflow exploits were even understood by most programmers. But when a vulnerability is pointed out in your code, and you claim to spend inordinate amounts of time developing and testing patches for it, wouldn’t it make sense to spend a little time auditing the rest of the code for the same bug?

I’m talking about the new zero-day bug found in Windows (all versions, even Vista) that allows an attacker to gain control of fully-patched machines through the use of a malicious animated cursor file. Sounds vaguely familiar, doesn’t it? Well, it should - back in 2005, eEye reported such a bug to Microsoft. Apparently, some code in user32.dll would read the “anih” header of a .ANI file into a static buffer when loading an animated cursor. Nothing wrong with that - except they took the length of memory to copy into the buffer from a value provided in the header itself. This is the most common vulnerability found in binary file format parsers - they trust the file format to tell them how much memory can be written to.

Microsoft closed this hole with the MS05-002 patch - or so we all thought! Turns out Microsoft overlooked some nearby code which does the exact same copy operation from the “anih” header. So, some two years later, we have a zero-day exploit on our hands - all the attackers had to do was figure out how to format the .ANI file to reach this second bit of code. At this point, with no patch in sight from Microsoft, a thorough code audit could have saved a lot of frustrated Windows administrators and end users a lot of headache this month.
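As an added example (not Microsoft’s code), a bounds-checked .ANI chunk walker in Python shows the check the post describes as missing: the declared anih length is validated against the bytes actually present and against the fixed 36-byte structure size (assumed here) before anything is copied, and every parse site goes through the same helper so a second copy site cannot quietly skip it. Python has no fixed buffer to overflow, so this demonstrates the validation logic rather than the memory corruption.

```python
"""Bounds-checked walk of a RIFF-style .ANI file.

Added example, not Microsoft's code.  It applies the rule the post argues
for: a chunk's own size field never decides how much is copied; it is
checked against the bytes actually present and against the fixed structure
size, and every parse site goes through the same helper.  ANIH_SIZE (36
bytes, nine 32-bit fields) is assumed here.
"""
import struct

ANIH_SIZE = 36  # fixed size of the anih structure; anything else is rejected


class MalformedAni(ValueError):
    """Raised instead of trusting a size field that does not fit."""


def read_chunk(data, off):
    """Return (fourcc, payload, next_off); size is checked before slicing."""
    if off + 8 > len(data):
        raise MalformedAni("truncated chunk header at offset %d" % off)
    fourcc = data[off:off + 4]
    size, = struct.unpack_from("<I", data, off + 4)
    start = off + 8
    if size > len(data) - start:              # declared length runs past EOF
        raise MalformedAni("%r declares %d bytes, only %d remain"
                           % (fourcc, size, len(data) - start))
    # RIFF pads odd-sized chunks to an even boundary.
    return fourcc, data[start:start + size], start + size + (size & 1)


def parse_anih(payload):
    """Decode the anih header; its length must equal the fixed struct size."""
    if len(payload) != ANIH_SIZE:
        raise MalformedAni("anih chunk is %d bytes, expected %d"
                           % (len(payload), ANIH_SIZE))
    names = ("cbSize", "cFrames", "cSteps", "cx", "cy",
             "cBitCount", "cPlanes", "JifRate", "flags")
    hdr = dict(zip(names, struct.unpack("<9I", payload)))
    if hdr["cbSize"] != ANIH_SIZE:            # the header's own size field lies
        raise MalformedAni("anih cbSize %d != %d" % (hdr["cbSize"], ANIH_SIZE))
    return hdr


def parse_ani(data):
    """Walk the RIFF/ACON container and return the anih header as a dict."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise MalformedAni("not a RIFF/ACON file")
    riff_size, = struct.unpack_from("<I", data, 4)
    if riff_size > len(data) - 8:
        raise MalformedAni("RIFF size exceeds file length")
    off, end, header = 12, 8 + riff_size, None
    while off < end:
        fourcc, payload, off = read_chunk(data, off)
        if fourcc == b"anih":                 # the only path to the header
            header = parse_anih(payload)
        # LIST/fram/icon chunks would be handled here; skipped in this example.
    if header is None:
        raise MalformedAni("no anih chunk")
    return header


def build_ani(anih_payload, declared_size=None):
    """Constructed sample: a minimal RIFF/ACON holding one anih chunk."""
    size = len(anih_payload) if declared_size is None else declared_size
    body = b"ACON" + b"anih" + struct.pack("<I", size) + anih_payload
    return b"RIFF" + struct.pack("<I", len(body)) + body


def is_rejected(data):
    """True when parse_ani refuses the file rather than trusting its sizes."""
    try:
        parse_ani(data)
    except MalformedAni:
        return True
    return False


VALID_ANIH = struct.pack("<9I", ANIH_SIZE, 2, 2, 32, 32, 32, 1, 10, 1)  # constructed
```

build_ani(VALID_ANIH, declared_size=0x10000) produces a file whose anih size field claims far more than is present, the shape of input the post describes, and parse_ani rejects it before any copy is attempted.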


A Rustock-ing Stuffer

Wednesday, January 10th, 2007

Recently I took a look at the Rustock trojan in order to see what the financial motive behind it was. No surprise, as it turns out the motive is spam. Using a sandnet, I injected myself into the botnet - able to capture (and blackhole) a small portion of the spam being sent through the system. And, as with a lot of spam these days, it’s the pump-and-dump kind - spam touting penny stocks to would-be investors.

The specific spam sent by the Rustock botnet a few days ago can be seen at right. The stock being promoted is a penny stock that trades at fractions of a cent on a normal basis. I tracked both the spam and the stock price over the course of a few days, and did a few calculations.

As you can see in the stock chart below, the stock was trading at $0.0008 a share when several relatively small transactions were made. In total 11,532,726 shares changed hands. Now, it’s not possible to tell if these were shares bought or sold, but let’s assume that these were all sold to our spammer. We can make this assumption because this stock normally has very little trading volume - sometimes no shares change hands in a day’s time at all. So suddenly 11,532,726 shares change hands in multiple transactions in a single day, driving the price of the stock from $0.0008 to $0.0011. I’m no stock expert, but that sounds like a buy. At that price, that many shares would cost around $9,000 or so.

So, at close on Friday Dec 15, the stock is at $0.0011. Suddenly, the Rustock botnet begins spewing out the spam shown above. All weekend it churns away, sending millions of emails. Monday morning, Dec 18, sees the stock immediately rise to $0.0019 a share, then all the way to $0.0025 a share, as some recipients of the spam begin to purchase the stock. A far cry from the spammer’s target of $0.02 a share, but let’s see how much that adds up to. If the spammer sells his shares early on Monday, when the stock has peaked, those 11,532,726 shares could be worth nearly $29,000, leaving the spammer with a cool $20K profit for one weekend. I wonder if the spams touting Viagra and Rolexes have ever made that much profit so quickly for the spammers with so little effort and almost zero overhead. It’s little wonder why stock spam is taking over.

I also have to wonder, are all these subsequent purchasers of the stock really unaware that this is a scam? Or are they simply greedy, hoping to cash in on the movement of the stock if they’re quick enough? If you look at these stocks over time, you do see that the spamvertised stock price indeed does go up, just as the spammer predicted. If there are such day-traders who watch their email inbox eagerly for such spam, they are the engine that drives the scheme, and they are ultimately to blame for the stock spam the rest of us have to deal with.
