Archive for November, 2008

Anatomy of a Rogue Security Campaign

November 25, 2008

Reference for diagram:

Step 1 (blue): the path by which the user is directed to the infected website.

Step 2 (red): the path of the harvested information from the user to the black market.

Step 3 (green): the payments from the user through the malicious websites.

The number of rogue anti-malware programs has increased every month since February of this year, with the intent of infecting users' computers and ultimately extorting cash from them.  This paper explains how some of these attacks work.

A user can be browsing the internet and start a search through a major online search engine (Google, MSN, etc.).  In certain cases, top search results have been found to point to websites that have been compromised to host malware and/or redirect the user to it.  The malware creators take advantage of modern search engine optimization (SEO) techniques to get a higher rank in search results (SEO poisoning), and use SQL injection techniques to compromise legitimate websites.  The tainted search result will appear to be valid and show content relevant to what the user searched for.  Once clicked, it starts the process of infecting the computer through social engineering and sheer persistence.

Typically, a pop-up will appear on the user's screen saying that they have been infected and that they should run a scan to clean the infection.  The page providing the pop-up, however, has been written in such a way that it is difficult to stop the process at this point.  Closing the pop-up messages will only bring more and more of them until the user proceeds with the suggested scan.

Now the user is taken to a fake anti-malware website that appears to be selling an anti-malware software product (Antivirus 2009, Virus Remover 2009, etc.).  A scan page will load and it seems as if it is scanning the computer and, of course, it finds 'viruses' on the computer.  These fake scans use well-known terminology (keylogger, trojan, spyware, etc.) to convince the user that they are in fact infected and need the software being advertised in order to remove it.  A download will automatically start and, because the user is concerned about being infected, they will typically allow it.

Once executed, the malware starts downloading all the files it needs from different servers that are operated by the malware creators or from legitimate websites that have been compromised.  Now the rogue program starts running and immediately scans the computer again.  As before, malware is 'found' on the system, and in order to remove the infection the user must purchase the software.  According to PandaLabs research, on approximately 3% of all infected computers the user willingly hands over their financial information along with $49-$69 (depending on the rogue variant) for the 'purchase' of the software.  Of course, shortly after buying the software, it is obvious that the program is not legitimate: the pop-ups do not stop appearing, no infections are removed, and the rogue program cannot be removed in the conventional way (Add/Remove Programs).

The payment gateways used to process these 'orders' are usually hosted in countries that do not have laws in place to combat this type of fraud.  Additionally, most if not all of the financial information gathered by these servers may end up on the black market for sale to the highest bidder.

The group(s) responsible for this rash of rogue anti-malware software are also using affiliate systems such as Pandora Software.  These affiliate systems allow websites to 'sell' the rogue anti-malware software through Pandora Software for a small commission, so anyone can get in on the game of spreading this malware.

All in all, the lengths to which these groups go to steal money from people and harvest financial information get more and more complex as each month passes.  New infection techniques have allowed them to infect more computers each month.  From Panda Security's statistics, the number of infections has increased from 296,071 computers to 843,835 computers in just two months.

*Special thanks to Ryan Ash for this post.

ICANN Terminates Contract with EstDomains

November 25, 2008

The Internet Corporation for Assigned Names and Numbers (ICANN) has terminated its contract with the widely criticized domain registrar EstDomains.  For those who don't know, EstDomains is an Estonian company registered as a United States corporation in Delaware, and its business provided domain names and web hosting services worldwide.

The problems began when EstDomains facilitated the creation of domains used by criminals, mostly for "Rogue Security Software" sites and similar malware-related campaigns.  To learn more about Rogue Security Software campaigns, please see the post entitled "Anatomy of a Rogue Security Campaign". Online criminals were easily able to purchase domains anonymously for later use in their malicious campaigns.

The problems continued when ICANN was made aware that the CEO of EstDomains, Vladimir Tsastsin, had been convicted of forgery, credit card fraud, and money laundering. These cyber-crime related convictions violated the ICANN contract, which specifically states that ICANN may terminate the Registrar Accreditation Agreement (RAA) before its expiration when "Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances."  See the official ICANN site for more information.

Although this does mark a small victory, it does not mean that the malicious sites and "Rogue Security Software" attacks will stop; they are likely to continue because of their profitability.  The criminals are already starting to find new domain registrars to abuse, and we are actively monitoring them to protect our customers.

New ways to distribute rogueware

November 21, 2008

Nowadays, the most prevalent infections belong to rogueware: the fake antivirus, antispyware or anti-anything programs that try to take money from users by making them pay to remove nonexistent threats. As we showed recently, they are making huge amounts of money.

They are usually installed on victims' computers using drive-by-download techniques, as well as the typical social engineering we see used to distribute any kind of malware through spam. We see this kind of spam on a daily basis. Some samples are the usual spam message with a link to a supposed greeting card, others come with a trojan downloader that, if run, will download and install the rogueware, and others are links to websites with photos or videos that ask you to install a fake codec (the rogueware) to view them:

But today we have found an even smarter way to fool users. At first I thought it was the typical message sent around to collect valid e-mail addresses:

Once you click on the link, it takes you to this place:

When clicking on "Download", the user finds out that it was not as free as he might have thought:

Of course the rogueware is not free; in fact it is not anything at all, as you pay and obtain nothing in exchange. Taking a look at the URL, I noticed that it has the word "antivirus2" in it. I then removed the "2" and this is what I obtained:

Of course it belongs to a different scam from the same guys.

As stock market drops malware rises

November 21, 2008

As the U.S. stock market indexes declined dramatically in September, cybercriminals began organizing their efforts to sustain profitability. While the stock market shows a sharply declining trend, malware shows a very different trend: growth during periods of economic uncertainty or recession. In essence, cybercriminals are adapting their tactics in response to changes in the market, which shows that they are gaining rather than losing ground in these times of economic upheaval.

When the lab began looking into the specific effects cybercriminals had on the economy during times of duress, we found a startling and unexpected connection: the criminal economy is closely interrelated with our own economy. Based on our extensive research and analysis of malware patterns, we believe criminal organizations are closely watching market performance and adapting to ensure maximum profit: activity appears to increase during times of fluctuation in the markets and the economy.

Between Sept. 1st and Oct. 9th, as stock market values continued to drop, threat activity continually increased: activity on the "malware market" grew substantially as the stock markets declined.

This appears to be a deliberate strategy to infect as many consumers as possible during a period of heightened economic fear, as a way of changing the odds in their favor to maximize profits. A notable example is the orange alert PandaLabs issued earlier this month: 30 million victims were infected with fake security software, and of those infected, 3.5 percent paid out of fear of identity theft, prompted by the compelling pop-ups informing them that their computer was severely infected.

Heightened fear during economic crises plays into cybercrime strategies: as the Dow loses significant value, the perception of economic instability leads to more victims succumbing to fake AV software. Essentially, out of fear of losing everything, the victim pays. This strategy is working very well as it plays on the lack of confidence in the markets. When timed right, it generates mass revenue ($14 million USD per month) in a short period of time.

Figure 1 shows the general decline of market indicators (average of DJIA, NASDAQ, and S&P 500) over a period of one and a half months, with correlated significant spikes in new malware detections.

Figure 2 narrows the range to between Sept. 8 and Sept. 16. The indexes dropped 3.0% on Sept. 9 while malware increased to over 24,000 new threats, an increase of over 100% from the previous day. Sept. 16 saw a decline of more than 5.5% in value while malware threats climbed to over 31,000 new instances.

Figure 1 – U.S. stock market vs. malware market, 9/1/08 – 10/9/08

Figure 2 – U.S. stock market vs. malware market, 9/8/08 – 9/16/08

As evidenced by this compelling data, there will be no end to the persistence and pervasiveness of cybercriminals and their attempts to exploit malware for financial gain. Regardless of the state of the economy, cybercriminals continually adjust their strategies and, from this evidence, are capitalizing on economic lows to prey on unsuspecting victims and enterprises. With continued analysis, we gain a deeper understanding of the relationship between the economy and the evolution of cybercrime. By remaining vigilant and aware of these findings, we can all become better prepared to protect ourselves and the economy from the very real dangers of malware.

Fake Email from the Federal Police of Brazil (Computer Crimes Investigation Unit)

November 18, 2008

This fake email appears to be sent from the Computer Crimes Investigation Unit of the Brazilian federal police. It tries to frighten users by accusing them of having accessed illegal websites from their computer and entices them to view the report by following a link. However, it is just another bait used by the cyber-crooks to install a banking worm on our computers.

This "police report", which we have called W32/Banbra.GDB.worm, initially works as a Trojan downloader, allowing it to download the rest of the worm's components.

The main feature of worms is to spread themselves, but this malware is also designed to carry out more malicious actions. On the one hand, it downloads from different domains located in Brazil and the United States the configuration files used to create the spam messages that will be sent to other users; on the other, it is activated when the user accesses the website of a certain Brazilian bank in order to capture the access credentials for that bank.

Microsoft Updates for November

November 12, 2008

This month two new security bulletins have been published (MS08-068 and MS08-069) as part of the usual release of Microsoft Updates.

According to Microsoft's classification, one of the bulletins is rated as "critical" and the other as "important". We therefore recommend that you update your system as soon as possible.

You can find more information about these security bulletins by following the links below:

  • MS08-068: Resolves a vulnerability in the Microsoft Server Message Block (SMB) protocol which could allow an attacker to execute code remotely.
  • MS08-069: Resolves three vulnerabilities in Microsoft XML Core Services which could allow remote code execution and information disclosure if the user follows a link to a specially crafted website that exploits the vulnerability.

Facebook and MySpace worm

November 10, 2008

PandaLabs has recently detected a new variant of the Boface family that affects the social networks Facebook and MySpace. In this case, the worm sends all the user's friends a message which contains a link to a supposed YouTube video.

In order to view the video, the user is required to download a Flash Player update. However, the downloaded file is not an update but a copy of the worm.

This shows that cyber-crooks are still interested in social networks as a way to distribute their creations. In fact, Facebook and MySpace, with millions of registered users, have become a profitable target for them.

Panda Security's users are already protected against this worm, Boface.G, and Facebook has started taking measures to solve this problem. You can check it here.

Barack Obama's Spam & Malware Campaign

November 6, 2008

Shortly after the results of the US presidential election became known, cyber-crooks began using the topic to distribute malware in spam messages.

One of these malicious emails appears to be sent from an online newspaper in Peru. Its content is in Spanish, talks about the results of the US election, and invites users to view a video addressed to the Latin community.

The video is actually the file "BarackObama.exe", which has been detected as Banker.LLN. This malicious code modifies the HOSTS file of the infected computer, redirecting the HTTP connections for some websites belonging to one of the biggest banks in Peru to the local IP address 127.0.0.1, on which a fake page of the bank is displayed in order to obtain the user's access credentials.
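The HOSTS-file tampering described above is easy to check for on a suspect machine. The following is an added example, not code from PandaLabs or the original post: it parses HOSTS-file content and flags entries that pin a watched hostname, or any non-local name, to a loopback address. The bank domains and the HOSTS content are constructed placeholders, since the post does not name the bank.

```python
import ipaddress
import re

# Constructed sample HOSTS content; the bank domain is a placeholder
# (the post does not name the Peruvian bank Banker.LLN targets).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.bank.example   # injected by the trojan
127.0.0.1   online.bank.example
192.0.2.10  intranet.corp.example
"""

# Assumed watchlist of hostnames that should never appear in HOSTS.
WATCHLIST = {"www.bank.example", "online.bank.example"}
# Names that legitimately map to loopback on a clean system.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text, watchlist=WATCHLIST):
    """Flag watched hosts pinned in HOSTS and other non-local names
    redirected to a loopback address, the Banker.LLN pattern."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; skip
        if name in watchlist:
            flagged.append((ip, name, "watched host pinned in HOSTS"))
        elif addr.is_loopback and name not in LEGIT_LOOPBACK:
            flagged.append((ip, name, "non-local name mapped to loopback"))
    return flagged
```

On a live Windows machine, read the file at %SystemRoot%\System32\drivers\etc\hosts and pass its contents to suspicious_entries().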

Another example of this kind of spam is the one announcing that Barack Obama has become the 44th US president and the first African-American president. This email contains a link to a fake website that appears to be on the America.gov domain. Besides the mentioned piece of news, we can view a video, but an Adobe Flash update (adobe_flash9.exe) is required to view it. However, this file is not an update but the malicious code.

This malware consists of Trj/Spyforms.BQ and the rootkit detected as Rootkit/Spyforms.BR, which hides the worm component. It is designed to capture network traffic and harvest information related to FTP, ICQ, POP3, IMAP connections, etc.

We recommend that you be cautious when accessing the links included in this type of email, because besides being unwanted, they can compromise our privacy.