Archive for March, 2009

Chapter 2. The Conficker countdown melodrama.

March 31, 2009

The melodramatic Conficker countdown is starting to resemble one of those never-ending TV soap operas: everyone is talking about it, but it never draws to an end. Well, at last the countdown is in the final straight; if it were not, we could end up with mass hysteria.

So let's see what new information there is about Conficker. It would seem that some opportunists are taking advantage of the notoriety of Conficker, serving malware from domains that rank highly in Google searches for the name of this virus. It's not surprising, when you see how widely the news is being reported. Google Trends illustrates the point:

What is most interesting is the ranking of countries where this information is being most widely reported, and where most people are searching for this information. Bearing in mind the number of domains that are downloading malware by exploiting the interest in Conficker, without actually having any connection with it, it is likely that although people in these countries may escape the wrath of Conficker, there may still be users who have downloaded other Trojans simply by searching for news about Conficker… Ironic really. Perhaps on April 2 we will be talking about another epidemic in Indonesia or Austria…

What new information is there about Conficker? Absolutely none, other than that everyone is waiting with bated breath to see when the apocalypse starts. This all takes me back to when, in the laboratory, we had a calendar for marking the payload dates of notorious viruses such as Friday 13 or Barrotes. So does this mean we are returning to the days of epidemics with payloads and countdowns?

Paradoxically, while we are all waiting to see what happens tomorrow, who knows what is actually going on in the background, and how many people are lining their pockets thanks to Conficker. And to get back to soap operas, what are the odds on a happy ending to the Conficker saga?

Don’t get taken in by the Conficker panic

March 27, 2009

Lately it seems everybody is talking about Conficker and its variants, and even more so given the fear building up around the coming day of April 1st. It's been a while since we saw so much coverage in the general media, and I don't want to tell you to disregard it, because it does contribute to general awareness and makes users more conscious of the risks. But I also want to say that perhaps it does more harm than good. Let's go back over the issues that are flying around the world.

Regarding the damn date… will Conficker be activated on April 1st? No. But it will do something that day, won't it? Yes. Conficker is malware that creates random URLs every day, and the PCs infected with it check whether any new version is available to download from them. It does so 250 times a day. What will happen, then, on April 1st? The latest variant creates 50,000 new URLs. We can't know whether any of them will host an update of the malware; its author could host a new version or even some other type of malware. It checks the date on the Internet; we say this in case somebody has thought of changing the system date of their computer 😉
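The behaviour just described, an infected PC asking for a long list of freshly generated domain names most of which nobody has registered, is visible to a defender in the resolver logs. The following Python script is an added example and is not part of the original post; it flags clients that produce many lookups for random-looking, non-existent domains. The log line format, the sample lines, and the thresholds (five distinct NXDOMAIN domains, a mean label entropy of 2.5 bits) are constructed assumptions for the example; a host running the worm described above would issue hundreds of such lookups a day, so real thresholds can be far higher.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver log lines (not real Conficker traffic):
# "<time> <client_ip> <query_name> <rcode>"
SAMPLE_DNS_LOG = """\
09:00:01 10.0.0.5 www.example.com NOERROR
09:00:02 10.0.0.5 mail.example.com NOERROR
09:00:03 10.0.0.5 wwww.example.com NXDOMAIN
09:00:04 10.0.0.9 qzpwkfhj.org NXDOMAIN
09:00:05 10.0.0.9 mvbtrxl.net NXDOMAIN
09:00:06 10.0.0.9 hjkqwza.com NXDOMAIN
09:00:07 10.0.0.9 ptyxcvbo.info NXDOMAIN
09:00:08 10.0.0.9 lrwnmqv.biz NXDOMAIN
09:00:09 10.0.0.9 zxkjdhg.org NXDOMAIN
09:00:10 10.0.0.9 www.example.com NOERROR
"""

# Assumed log layout: time, client, name, response code; anything else is skipped
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(text):
    """Bits of entropy per character; random labels score high, dictionary words low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """'qzpwkfhj.org.' -> 'qzpwkfhj'; the generated part of a DGA domain is usually here."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    """Return (time, client, name, rcode) tuples, ignoring malformed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groups())
    return records


def suspicious_clients(records, min_nxdomains=5, min_entropy=2.5):
    """Clients with many distinct non-existent domains whose labels look random."""
    nx_labels = defaultdict(set)
    for _, client, name, rcode in records:
        if rcode == "NXDOMAIN":
            nx_labels[client].add(second_level_label(name))
    flagged = {}
    for client, labels in nx_labels.items():
        if len(labels) < min_nxdomains:
            continue  # a few typos are normal; a burst is not
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy:
            flagged[client] = {"unique_nxdomains": len(labels),
                               "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for client, stats in suspicious_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {stats}")
```

The check looks only at NXDOMAIN answers because the bulk of a generated list is unregistered; the registered few that do answer are exactly the ones worth a closer look afterwards.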

If any URL contains an update of the worm, what actions will the new variant carry out? In fact, no one has been able to guess the final aim of Conficker. What we remember from previous infections is that the author's motive was to become famous, but we doubt very much that it all ends there. If we think about the different business models currently behind malware (mentioned in this blog many times before), it is obvious that its author, or authors, will be looking to make money in some way. But in which way? It could be by harnessing the network of infected PCs to send spam, by installing on the infected PCs some type of rogue antimalware that warns users their computer is infected and entices them to buy a fake antivirus, by downloading password-stealing Trojans… There is much speculation, but nothing for sure.

Another question posed is whether it's really more dangerous than other types of malware. The answer is no, it's not more dangerous, though its update functionality leaves a door open to new attacks that could be more dangerous. Its success lies in having exploited a recent MS vulnerability to distribute itself, and that's why it has reached so many PCs. In this way, its author has been smart and has taken the model of classic viruses. An "intelligent" move by the author has been to use different means of infection, especially USB keys, MP3 players, etc. What is true is that from version to version it has made its detection more difficult by obfuscating its code. And although we can't talk about a polymorphic virus, it follows that direction.

What stands out from all this, besides the infection through USB devices mentioned above as a way to reach the maximum number of PCs, is that infected PCs can communicate with each other over P2P to update without needing to download a new version from a URL.

The infection level of the previous weeks has dropped to low levels. There is probably still malware infecting PCs, but not at the levels we saw in previous months. In this situation, the author could take various actions:

a) create a new variant which exploits another 0-day vulnerability, taking no time to spread, this having been the plan all along for Conficker.
b) Keep alive the three variants which are circulating, monitoring how much money they are making day by day, to the end.
c) Get bored and do something else…

We bet on option a). Not necessarily for April 1st, but along the way. It would be a shame to go to so much trouble without getting anything out of it. Because of this we think that it won't go away so easily.

Above all, don't get taken in by the panic. What should users do on April 1st? If your PCs are protected by a good, updated antivirus, nothing. If you don't have one, we recommend you install one (you don't have to wait until April 1st…), and you can use Panda ActiveScan to make sure you are not infected. We also recommend you install the free tool we have created to prevent infection through USB keys.

How To: Infect yourself with Malware

March 25, 2009

Last time we talked about cyber criminals using YouTube's Video Annotations feature to guide victims to Malware ridden websites. Today we'll talk about yet another method being used within YouTube and other social media websites.

Malware distributors have been creating instructional "How to" videos to get victims to willingly visit malicious websites and infect their own computers.

How to infect yourself with Malware

Once on the site, the victim is lured into installing the Adware/SystemSecurity rogue software.

The best way to avoid these types of scams is by researching the product before installing it on your computer. Sometimes a simple Google search can literally save you hundreds of dollars in repair costs.

 

Blackhat SEO Fueled Rogue Security Campaign

March 24, 2009

Today we observed yet another Blackhat SEO campaign fueling the distribution of the System Security Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of other legitimate sites. You can learn more about it here.

(E.g. One of the hijacked searches)

 

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software.

Sample hijacked search terms [Full List]:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles

This post has been written by Sean-Paul Correll.

 

MS09-008. Does the patch work?

March 14, 2009

The vulnerability MS09-008 affects the DNS server, more specifically WPAD (Web Proxy Autodiscovery Protocol) registration. This is a service that allows automatic configuration of the proxy settings of the computers within a network without user intervention.

This vulnerability could be used to launch "man-in-the-middle" attacks through Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user who gets the proxy configuration automatically could be redirected to a malicious proxy, and the attacker would then have access to all of that user's traffic. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.

As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, as you can see in the following screenshot:

Once these values have been created in the registry, if anyone tries to launch a "man-in-the-middle" attack it won't succeed, as the system will block requests for the WPAD entry, unless a WPAD entry already existed before the patch was applied.

Usually, if you are vulnerable to an attack and you patch the system, you feel safe. For instance, all of you know about Conficker, which infects the system using the vulnerability MS08-067. Even if you have previously been infected, you can apply the patch and you won't be infected again through this vulnerability.

However, the MS09-008 patch doesn't work in the same way: even if we have applied the patch, if we were already attacked through this vulnerability it doesn't solve the problem, and the "man-in-the-middle" attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is "isatap" instead of "wpad isatap", so queries for WPAD are not blocked.

To sum up: if a successful attack had already taken place before the patch was applied, your traffic may already be redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there "sniffing" all your traffic.

To solve this, you only need to add the data wpad to the registry value GlobalQueryBlockList and restart the DNS service.
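To check a DNS server for the situation described above, here is an added Python example (it is not from the post and not Microsoft's tooling) that evaluates the GlobalQueryBlockList data. The decision functions take the REG_MULTI_SZ entries as a list of strings, so they can be run offline on values copied from a server; on a Windows host the read_block_list_from_registry helper reads the live value from the key named in the post. The script only reports and never writes to the registry; adding wpad and restarting the DNS service is left to the administrator, as the post describes. The comparison is deliberately case-insensitive and ignores stray whitespace and the empty trailing element that REG_MULTI_SZ data often carries.

```python
import sys

# Key and value named in the post; the value is a REG_MULTI_SZ list of names
DNS_PARAMETERS_KEY = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
VALUE_NAME = "GlobalQueryBlockList"
# Names the post says the patch should have put into the list
EXPECTED_NAMES = ("wpad", "isatap")


def normalize(entries):
    """Lower-case and trim the entries; REG_MULTI_SZ data often ends with an empty string."""
    return [e.strip().lower() for e in entries if e is not None and e.strip()]


def wpad_is_blocked(entries):
    """True only if 'wpad' is in the block list (DNS names are case-insensitive)."""
    return "wpad" in normalize(entries)


def missing_names(entries):
    """Expected names that are absent, in the order they should be added."""
    present = set(normalize(entries))
    return [name for name in EXPECTED_NAMES if name not in present]


def remediated_entries(entries):
    """The list an administrator should set: existing entries kept, missing names appended."""
    return normalize(entries) + missing_names(entries)


def read_block_list_from_registry():
    """Read the live value on a Windows host; returns None on other platforms.
    An absent value means the patch never created it, reported here as an empty list."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DNS_PARAMETERS_KEY) as key:
        try:
            data, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    if kind != winreg.REG_MULTI_SZ:
        raise TypeError(f"{VALUE_NAME} has registry type {kind}, expected REG_MULTI_SZ")
    return list(data)


def report(entries):
    """Human-readable verdict for one block list."""
    if wpad_is_blocked(entries):
        return f"OK: {entries} blocks WPAD queries"
    return (f"VULNERABLE: {entries} does not block WPAD; set the value to "
            f"{remediated_entries(entries)} and restart the DNS service")


if __name__ == "__main__":
    live = read_block_list_from_registry()
    if live is None:
        # Not on Windows: show the two states the post describes (constructed data)
        for sample in (["isatap"], ["wpad", "isatap"]):
            print(report(sample))
    else:
        print(report(live))
```

Run it on each DNS server after applying the patch; a "VULNERABLE" verdict on a server that was patched means the pre-existing WPAD record case from the post applies, and the registry value should be corrected by hand before the service is restarted.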

The Microsoft guys have blogged about this; you can find more information here.

Kudos to David Sanchez for the research.

Facebook Malware Refocusing on Bank of America

March 14, 2009

The perpetrators behind the recent Classmates and Facebook malware incident are now refocusing their attack on Bank of America customers. The new website is designed to look like a Bank of America help page and reads:
“You have not been permitted to access the Bank of America Direct® login page because your browser did not provide a valid digital certificate. In order to access Bank of America Direct, you must have a valid Digital Certificate installed on your PC.  For help, please select from the help links below.”

Bank of America Malware Site

The page includes a fake video labeled as an "Installation Demo" that actually points to a malicious executable named Adobeflashplayer.exe, which we detect as Trj/Spyforms.BZ.

Trj/Spyforms.BZ is primarily distributed through links in spam e-mails. The Trojan is designed to monitor network traffic and steal ftp, icq, pop3, and imap passwords. The stolen data is then sent back to a server located in Hong Kong.

Malware Impersonates Classmates and Facebook Websites to Deliver Password Stealing Trojan

March 12, 2009

Websites designed to look like Classmates.com and Facebook are currently being used to distribute a password-stealing Trojan, which we detect as Trj/Spyforms.BZ. Some of you may remember the Spyforms malware family from a previous incident involving Barack Obama spam campaigns. In this most recent incident, the malicious web links are still primarily distributed via spam e-mails. Once clicked, the victim is presented with a realistic-looking Classmates or Facebook website. The website contains a fake YouTube video, which prompts a dialog stating "Please Download correct Flash Movie Player! Installation: Double-click the downloaded installer. Follow the on-screen instructions!" and attempts to download a file named Adobemedia10.exe or Adobemedia11.exe.

Fake Classmates.com Malware Site

Fake Facebook Malware Site

Once installed, the Trojan intercepts network traffic in order to obtain ftp, icq, pop3, and imap passwords and then sends the data back to a server at a Hong Kong based ISP (HOSTFRESH). You may recall the last major malware incident involving this Hong Kong based ISP, which was one of the providers involved in the malware distribution operation taking place inside the Atrivo/Intercage network.

ID Theft Malware is Infecting Computers at Alarming Rates

March 9, 2009

Today we're announcing results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months.

Here are the highlights from our study on the evolution of online identity theft:

Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year

1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans

35% of the infected PCs had up-to-date antivirus software installed

The number of PCs infected with identity theft malware increased by 800 percent from the first half of 2008 to the second half

Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft

Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who utilize online services such as shopping, banking, and social networking have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware, based on Panda Security's projected infection rate, could reach 90 million hours.

The study revealed that an alarming 35 percent of the PCs infected with this type of malware were using up-to-date antivirus software. Antivirus labs are receiving a massive amount of new malware samples each day (22,000 new samples per day according to PandaLabs), and antivirus vendors are continually updating their services to keep up with the overwhelming volume of new malware surfacing each day. AV detection labs such as PandaLabs have made advances in automated detection and classification capabilities. These new detection methods, as well as improved surveillance and cloud-based detection techniques, have reduced the risk of individual identity theft incidents and their associated costs. Some global banks, notably in Brazil, have made changes to banking authentication using electronic tokens and virtual keyboards, but these approaches have been slow to be adopted in the U.S.

How to detect a spammer on Twitter

March 9, 2009

This is a visual test to distinguish a real Twitter account from a spammer's account.

It's very easy. If the account has been recently created and already has many followings and few followers, the username is nonsense (for example a random combination of characters) and the "web" field contains a URL from a service like TinyURL, it is almost certainly a spammer. Besides, if the photo displayed belongs to a rather sexy/striking woman (for some reason, men's photos are hardly ever used; could it be because women are less likely to fall into the trap?), you can be sure that it is a spammer.
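The four checks in the paragraph above can be turned into a simple score that a moderator or a bulk-review script could apply. The following Python is an added example, not part of the original post: the account records, the list of URL-shortener hosts, the point weights and the threshold are all constructed assumptions, and the profile-photo check is left out because it cannot be decided from text alone. The "nonsense username" test is a rough one (a high share of digits, or a long name with almost no vowels) and is the part most worth tuning on real data.

```python
from datetime import date
from urllib.parse import urlparse

# Assumed evaluation date, matching the date of this post
REFERENCE_DATE = date(2009, 3, 9)

# Constructed account records for the example (not real Twitter profiles)
SAMPLE_ACCOUNTS = [
    {"username": "alice_smith", "created": date(2007, 5, 3), "following": 180,
     "followers": 210, "web": "http://alice.example.org", "bio": "Photographer"},
    {"username": "x7qk2pz9", "created": date(2009, 3, 7), "following": 1500,
     "followers": 12, "web": "http://tinyurl.com/abcd123", "bio": "click my link!!"},
    {"username": "newbie_joe", "created": date(2009, 3, 1), "following": 40,
     "followers": 5, "web": "", "bio": "just joined"},
]

# Assumption: hosts of URL-shortening services, as the post mentions TinyURL
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd"}


def looks_random(username):
    """Rough 'nonsense name' test: many digits, or a long name with almost no vowels."""
    core = username.lower().replace("_", "")
    if not core:
        return False
    digit_frac = sum(c.isdigit() for c in core) / len(core)
    vowel_frac = sum(c in "aeiou" for c in core) / len(core)
    return digit_frac >= 0.25 or (len(core) >= 6 and vowel_frac < 0.15)


def uses_shortener(web):
    """True if the 'web' field points at a known URL shortener."""
    host = urlparse(web).netloc.lower()
    return host in SHORTENER_HOSTS


def score_account(acct, today=REFERENCE_DATE):
    """One point per heuristic from the post; the following/followers ratio weighs double."""
    score = 0
    if (today - acct["created"]).days < 30:  # recently created
        score += 1
    following, followers = acct["following"], acct["followers"]
    if following >= 100 and following > 10 * max(followers, 1):  # many followings, few followers
        score += 2
    if looks_random(acct["username"]):
        score += 1
    if uses_shortener(acct["web"]):
        score += 1
    return score


def find_spammers(accounts, today=REFERENCE_DATE, threshold=3):
    """Usernames whose score reaches the threshold; a single weak signal is not enough."""
    return [a["username"] for a in accounts if score_account(a, today) >= threshold]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct['username']:12} score={score_account(acct)}")
    print("likely spammers:", find_spammers(SAMPLE_ACCOUNTS))
```

A brand-new account with few followers scores one point and is not flagged on its own; it takes the combination the post describes, new plus lopsided plus nonsense name plus shortener link, to cross the threshold.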

Here you have two examples of a spammer’s Twitter account:

 

We have recently found several examples of spam on Twitter which were almost identical, even in the "Bio". Additionally, the message was the same in both cases. This means that it is a traditional spamming technique applied to Twitter.


Thanks to Alberto Gomez Vaquero for the information.

A hole in Spotify

March 6, 2009

Spotify is an application for listening to music online. The fact that it is brand new has not saved it from being attacked; that is, it has suffered its first hazing. Last week a group of attackers informed the company that they had cracked its protocols and that they had had access to information which they could use to obtain its clients' passwords, email addresses, birthdates, zip codes… that is, the data we are generally asked for when we register on any website.


In spite of the recommendations given by computer security companies, this data is generally what users build their passwords from. Passwords usually consist of birthdate plus zip code, email address plus birthdate, or just the birthdate. And what is worse, a single password is used to access the email account, the applications, or even banking sites. This means that if one thing fails, everything can fail. Caution is the best practice for staying protected against these threats.