Archive for the ‘Rogueware’ Category

Koobface: The saga continues

August 13, 2009

The gang behind the Koobface worm has been hard at work releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.

Sample malspam:

Koobface Link

After clicking the link, the victims are automatically redirected to a Koobface-controlled server, which then routes them off to a fake codec site specifically designed for the social network they came from.

Fake codec site:

The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which ultimately transforms their machine into a distribution point from which the infection propagates further.

Koobface Site

Koobface connection log:

Koobface connection log

On infection, the Koobface worm immediately attempts to download three additional executable files.

Koobface on infection

After turning the victim's computer into its next distribution point, it also attempts to monetize the infection by installing "Total Security" Rogueware.

Adware/TotalSecurity

Visualizing the Twitter Trends Attack

June 11, 2009

Post Updated on 6/24/09 at 7:52 PM

For the past few weeks, cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs.  If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered.

Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue. From June 2nd to 3rd we noticed over 3,000 of these malicious tweets (actually, the number is a lot higher than 3k because we only tracked the main abuse site and excluded the shortened URLs from the initial search). On June 6th, the main site was taken offline and the attack shifted from Adware/PrivacyCenter to Adware/FastScan. On June 23rd, the fake screen saver website appeared.


Update

http://www.twitter.com/lithium

In the last 48 hours we have observed over 54,000 malicious tweets on Twitter.

We have been working tirelessly with various URL shortening services, in conjunction with Blogspirit, Bloglines, and Twitter, to get these malware sites and accounts taken down as soon as possible. The attack has tapered off by now, but it's not going to go away. Understand that we are witnessing the evolution of Blackhat SEO right in front of our eyes. In the past, cyber criminals had to wait for search engines to index their malicious content, which meant they could not take advantage of 100% real-time trends. With an open communication tool and a readily available API, cyber criminals are now able to prime their SEO campaigns in real time via Twitter. At the same time, they also run the same old BHSEO campaigns on the search engines. Evidence of this was first shown in our earlier posts on a tandem attack on Google search results and Twitter (http://bit.ly/XSwBS, http://bit.ly/lFde3). Luckily, Twitter's problem is easier to fix than the problem with search engines, which must rely on search algorithms. Since Twitter has not publicly acknowledged the situation, we'll just have to wait and see what they do.


Current targeted phrases:

Outlook 2010, Spain, HTC-Touch, Korea, Argentina, Transformers 2, Perez Hilton, Ed McMahon, #iranelection, free, invites, fake, girls, follow, blackout, control, tehran, Fathers Day, Fake Twitter Invites, WordPress 2, Fallon, Top Chef, Tila Tequila Live, AT&T, Limp Bizkit, Sytycd, iPhone, Adam Lambert, Wipeout, Holocaust Museum, Miss California, Claim your Facebook, Squarespace, Lakers, NBA Finals, Zack Morris, addict, video, trailer.

Tag Cloud:

Malicious Tweet:

Malicious Tweet 


Malware distribution sites: (Updated 6/24/09 6:57 PM)

Bloglines page

Bloglines Malicious Site


Blogspirit Page 

Blogspirit 

Fake screen saver website

Fake Screensaver Site (Adware/FastScan) 

Fake codec website

Fake scan site

Adware/FastAntivirus Download Site

File: Adobe-Flash-Player-Upgrade-Pack_125.exe

File: Setup_build6_27.exe (MD5: efe9ddbea8bd71fdfee44d44811e4695 )

Installer:

Adware/FastAntivirus Installer

Adware/FastAntivirus

Visualization:   (Updated: 6/24/09)

Blue = Twitter Account
Yellow = Tweet

2 hour capture of malicious tweets (Updated 6/24/09 6:57 PM)

2 hour capture of malicious tweets

Zoom in:

Visualization of Twitter Trend Attack

The ease of carrying out this type of attack leads us to believe that it will not go away anytime soon. We're all going to have to work together in taking these threats down. The good news, in this case, is that I have already received a response from the abuse team at TinyURL, and they have killed the redirections on their end. Now all we need is for everyone else to start working together and we'll be able to take these dangerous accounts down sooner!

Cyber Criminals Exploit Drupal CMS to Distribute Malware

June 4, 2009

In a previous post, I stressed the importance of updating web applications frequently. Cyber criminals are always on the lookout for newly exploitable distribution methods and will go to great lengths to take advantage of any website. It may not be widely known, but web application vulnerabilities pop up just as frequently as software or operating system vulnerabilities do.

If you are using dynamic web applications, such as content management software, e-commerce or blogging software, then it's especially important to make sure that those applications are always up to date with the latest security patches. If you don't, not only do you put your visitors at risk of SQL injection related infections, but you also open yourself up to the possibility of a data breach, which can leak all kinds of sensitive data into the hands of cyber criminals.

Today, I came across a State University website which was running a vulnerable version of the popular Drupal CMS software. The site was exploited by cyber criminals and over 3600 links were injected and indexed by Google in less than 10 hours of exploitation.

Search Results:

Malicious Site:

Rogue Site

If any of the links are accessed, the user is put through a series of redirections to various Rogueware sites where the user is told that their computer is infected and prompted to install a file called onlinescan.exe, which we detect as Adware/PrivacyCenter.

Adware/PrivacyCenter

Rogueware campaign on Twitter continues…

June 4, 2009

The Twitter Trends based attack we blogged about yesterday has expanded from just one trend to nearly all of them! Over the past 24 hours, there have been several thousand tweets targeting trending topics on Twitter, and the numbers continue to rise.

@lithium

Example Tweets:

Malicious Tweets

As you can see from the example tweets, the cyber criminals are targeting Twitter trends in real time. I went ahead and captured every tweet up until about 8PM tonight and put together a Tag Cloud so that you can see which terms were targeted most frequently.

Tag Cloud

Clicking on any of the links will put you through a series of redirects, at which point you will arrive at a website prompting you to install a fake Adobe Flash plugin (flash_player_plugin.exe). If the so-called "plugin" is installed, the computer will be infected with Adware/PrivacyCenter.

Malicious Site

The emergence of this type of threat distribution method demonstrates how cyber criminals are adjusting and evolving to the newer services offered on the Internet. It's especially dangerous with sites like Twitter, which offer up-to-the-second updates (or live tweets) of events as they unfold in real time. In the future, sites which promote an unfiltered and open dialog through a global hive of users will have to think twice about the potential threats exposed by the features or even API services that they offer.

Cyber Criminals Target Air France, YouTube, E3, Microsoft, Project Natal, and more…

June 3, 2009

It seems like these days every other breaking news story is paralleled by a similar Blackhat SEO fueled Rogueware campaign. Today, Luis Corrons and I were talking about Microsoft's recently announced Project Natal when his Google search for a video of the technology in action turned up a malicious link at the very top of the search results.


Connection: (Google to Rogue)

**UPDATE** 6/04/09 – 

16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It prompts you to download and install a codec.exe file, which of course is a malicious file.

Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:

Keywords:
16,000 links targeting "TV Online"
16,000 links targeting "YouTube"
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting "Sony"

The sites are all hosted on Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.

Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for breaking news stories.

All of the links associated in this attack have already been blocked for Panda users.

Rogueware Campaigns blending in with Twitter Trends

June 3, 2009

Update: 6/4/09 – Rogueware campaign on Twitter continues…

"PhishTube Broadcast" became a trending topic on Twitter today. The word “tube” is a big red flag to any Threat Researcher these days, so naturally I had to investigate it.


I clicked on the section inside of the trending topics group and ironically the links in the tweets looked fishy.

I started to investigate further and found that while there was definitely legitimate tweet traffic for the band Phish, several zombie accounts were posting hundreds of strange and highly suspicious messages. Eventually the links led me through several redirections and finally to PornTube malware websites.

Connections/Redirects leaving Twitter:

Clicking on any element inside the PornTube page resulted in a run-of-the-mill Adware/PrivacyCenter infection, but the interesting part of it all is that cyber criminals are starting to target social networking sites more than ever. In this case they took advantage of the open dialog on Twitter and essentially blended in with the trending topics in order to trick unsuspecting users into clicking malicious links. This technique is strikingly similar to the Blackhat SEO tricks criminals use on search engines to place their malicious links at the top of search results.

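The three Twitter posts above (June 3, June 4 and June 11) describe the same pattern: zombie accounts posting many tweets that stuff several unrelated trending phrases around a shortened URL. The following triage heuristic is an added example written for this page, not code from PandaLabs; the sample feed, the thresholds and the bit.ly/tinyurl.com paths are constructed placeholders, and the trending phrases come from the June 11 post's list.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Shortening services named in the posts (extend with others as needed).
SHORTENERS = {"bit.ly", "tinyurl.com"}
# A handful of the trending phrases the June 11 post lists as targeted.
TRENDING = {"outlook 2010", "transformers 2", "#iranelection", "fathers day",
            "nba finals", "adam lambert", "fake twitter invites"}
URL_RE = re.compile(r"https?://[^\s]+")

def score_tweet(text):
    """Return (number of trending phrases hit, number of shortener links)."""
    low = text.lower()
    trend_hits = sum(1 for phrase in TRENDING if phrase in low)
    short_links = sum(1 for u in URL_RE.findall(text)
                      if urlparse(u).netloc.lower() in SHORTENERS)
    return trend_hits, short_links

def suspicious_accounts(tweets, min_hits=2, min_tweets=3):
    """Accounts that repeatedly post tweets mixing several unrelated trends
    with a shortened URL. Thresholds are assumptions, not from the posts.
    tweets: iterable of (account, text) pairs."""
    per_account = defaultdict(int)
    for account, text in tweets:
        hits, short = score_tweet(text)
        if hits >= min_hits and short >= 1:
            per_account[account] += 1
    return sorted(a for a, n in per_account.items() if n >= min_tweets)

# Constructed sample feed (not real captures); link paths are placeholders.
SAMPLE_TWEETS = [
    ("fan_account", "So hyped for the NBA Finals tonight!"),
    ("dev_person", "Trying the Outlook 2010 beta, notes here http://example.com/notes"),
    ("zombie01", "Outlook 2010 Transformers 2 NBA Finals free video http://bit.ly/PLACEHOLDER1"),
    ("zombie01", "#iranelection Adam Lambert Fathers Day video http://bit.ly/PLACEHOLDER2"),
    ("zombie01", "Fake Twitter Invites Transformers 2 NBA Finals http://tinyurl.com/PLACEHOLDER3"),
    ("zombie02", "Transformers 2 Adam Lambert trailer http://bit.ly/PLACEHOLDER4"),
]

if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_TWEETS))
```

A single trend-plus-link tweet is normal Twitter traffic; the signal the posts describe is volume per account, which is why the count is kept per account rather than per tweet.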

YouTube riddled with comments leading to Malware

May 22, 2009

A few months ago, we talked about YouTube's Annotations feature being used as a tool for cyber criminals to help spread their malicious Rogueware campaigns. Today, we have a similar case, but this time it's automated comment malspam (malware spam). My initial search turned up about 30,000 malspam comments, all pointing to a fake pornography website called "PornTube 2.0".

Like last time, cyber criminals are targeting people who are searching YouTube for pornography. In the comments, each malicious link is accompanied by a few search terms. Some common keywords we have seen are Adalt (sic), Tit s, Latina, Kinky, Girl, Porn, Sex, and the names of various pornography stars.

By targeting these keywords, the cyber criminals are able to improve their success rate by infecting those who are genuinely looking for pornographic material.

Note: It appears that all of the malicious links have brackets inserted in the ".com" portion of the comment. It's unclear whether this is a temporary action taken by the YouTube abuse team or the criminals are just trying to evade detection.

Upon arriving at the website, we see a page that looks like a legitimate video website labeled "PornTube 2.0", but it is actually the malware site.

Malware Site:

Click for the original uncensored image (Warning: NSFW)

If you click anything on the website, it will prompt you to download a fake Adobe Flash plugin, which is the malware installer for Adware/PrivacyCenter.

Click for the original uncensored image (Warning: NSFW)



Adware/PrivacyCenter Rogue (fake) Antivirus


Rogue antivirus is one of the most prolific malware families in the threat landscape today. PandaLabs has received more rogue antivirus samples in Q1 of 2009 than in all of 2008, as demonstrated by the following illustration.

In this case, Cyber Criminals aim to profit from human vulnerabilities and inherent curiosities.

Metatags in malware websites: II part

March 5, 2009

A couple of days ago we mentioned how some creators of websites that host malware add metatags to them so that they are not indexed by search robots.

Today, we are going to mention the opposite case. Let's take the following URL as an example: http://malwa<blocked>.com

The following tag can be found in the source code of the website:

 Adware/MalwareDoctor

The FOLLOW directive allows the links included in the website to be crawled.

The ALL directive allows all the files to be indexed completely.

The INDEX directive allows the search engines to index the website.

Generally, the creators of this type of website want the malware to spread widely and as soon as possible. That's why they decide either not to add metatags or to add them in a way that lets the indexing robots index the site and crawl its links easily. This way, when users make queries in the search engines, they are likely to land on a malicious website, causing their computers to get infected with the malware hosted there.

Metatags in malware websites

March 3, 2009

An indexing robot is a program which crawls websites, storing their content in databases and following the links which point to other websites.

Rogue antimalware creators usually either don't add robots tags to the code of their websites or add them so that the websites are indexed by the search engines' robots. This way, the sites are more accessible and the malware can be spread more widely.

Lately we have found several cases that prove quite the opposite: tags are added to go unnoticed.

Let’s take the following URL as an example:
http://<blocked>akedpics.blogspot.com

When clicking the video to view it, we are redirected to the following URL http://<blocked>pomp.com/index.php?q=Adrienne-Bailon-Naked-Pics, which in turn redirects us to http://crack-<blocked>.com (*) and finally to http://fast<blocked>.com/xplays.php?id=40004, from which we download the file viewtubesoftware.40004.exe, detected as Adware/MSAntiSpyware2009.

Adware/MSAntispyware2009

(*) This URL redirects us to different malware hosting websites randomly, depending on the time.

If we look at the source code of the URL http://fast<blocked>.com/xplays.php?id=40004, we can find the following tag: <META content=noindex,nofollow,noarchive name=robots>

1. The noindex directive tells search engines not to index the website.
2. The nofollow directive tells search engines not to crawl the links in the document.
3. The noarchive directive prevents the website from being cached.

These techniques appear to be aimed at making the job of malware analysts and antivirus companies more difficult. They also hinder proactive protection, in the sense of preventing infection with techniques such as URL blocking, which relies on querying search engines for specific parameters.
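Both metatag posts (this one and "Metatags in malware websites: II part" above) turn on what the robots meta tag says, so a triage script can read it the same way a crawler does. The parser below is an added example written for this page, not PandaLabs code; it uses only the standard library, and the two sample pages are constructed, the first reproducing the unquoted tag form quoted in this post.

```python
from html.parser import HTMLParser

# Directive sets from the two posts: the hidden site used noindex,nofollow,noarchive;
# the opposite case used index, follow and all.
HIDING = {"noindex", "nofollow", "noarchive"}
EXPOSING = {"index", "follow", "all"}

class RobotsMetaParser(HTMLParser):
    """Collect every directive from <meta name=robots content=...> tags,
    whether or not the attribute values are quoted."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":          # html.parser lowercases tag and attribute names
            return
        attrs = {name: (value or "") for name, value in attrs}
        if attrs.get("name", "").lower() != "robots":
            return
        for directive in attrs.get("content", "").split(","):
            directive = directive.strip().lower()
            if directive:
                self.directives.add(directive)

def classify_robots_meta(html):
    """Return ('hiding' | 'exposing' | 'none', sorted directives found)."""
    parser = RobotsMetaParser()
    parser.feed(html)
    found = parser.directives
    if found & HIDING:
        verdict = "hiding"       # site is trying to stay out of search results
    elif found & EXPOSING:
        verdict = "exposing"     # site wants to be indexed and crawled
    else:
        verdict = "none"
    return verdict, sorted(found)

# Constructed sample pages (not captured from the blocked sites).
HIDDEN_PAGE = ("<html><head><title>x</title>"
               "<META content=noindex,nofollow,noarchive name=robots>"
               "</head><body>video</body></html>")
OPEN_PAGE = ('<html><head><meta name="robots" content="index, follow, all">'
             "</head><body>download</body></html>")

if __name__ == "__main__":
    print(classify_robots_meta(HIDDEN_PAGE))
    print(classify_robots_meta(OPEN_PAGE))
```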

Rogue Fake Codec – Finding the differences

February 27, 2009

Over the last few days we have received a good number of new variants of the rogue fake codec. That's why we propose a little game: find the differences between the images:

Rogue Fake Codecs

All of these variants are detected as Adware/VideoPlay. Their behavior is similar: when the program is installed, a file usually named matrix(random numbers).exe or bootmatrix.exe is run. This file spreads by copying itself to removable drives and creating an autorun.inf there so that it is run when the drive is accessed.
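The removable-drive behaviour described above leaves an autorun.inf whose launch entry points at the dropped file, which is something an incident responder can check without running anything. The checker below is an added example written for this page, not PandaLabs code; the sample autorun.inf contents are constructed, and the file-name pattern follows the names given in this post (matrix followed by digits, or bootmatrix).

```python
import re

# Names the post gives for the dropped file: matrix(random numbers).exe or bootmatrix.exe.
VIDEOPLAY_NAME = re.compile(r"(?:^|[\\/])(?:bootmatrix|matrix\d+)\.exe$", re.IGNORECASE)
# autorun.inf keys that can launch a program when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys lowercased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def check_autorun(text):
    """Return the launch target if it matches the Adware/VideoPlay naming,
    otherwise None."""
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS and value:
            target = value.split()[0].strip('"')   # drop any command-line arguments
            if VIDEOPLAY_NAME.search(target):
                return target
    return None

# Constructed sample files (not taken from real infections).
INFECTED_INF = "[autorun]\r\nopen=matrix4821.exe\r\nicon=matrix4821.exe\r\n"
INFECTED_PATH_INF = "[AutoRun]\r\nshellexecute=\"E:\\bootmatrix.exe\" /s\r\n"
CLEAN_INF = "[autorun]\r\nopen=setup.exe\r\nicon=setup.ico\r\n"

if __name__ == "__main__":
    for sample in (INFECTED_INF, INFECTED_PATH_INF, CLEAN_INF):
        print(check_autorun(sample))
```

The name match is a weak indicator on its own; a hit should be confirmed by scanning the referenced file rather than trusted by itself.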

This file collects the data stored in the browsers, such as cookies, passwords, profiles, email accounts, etc., and connects to a remote address to send the information.

In the last month there has been an increase of almost 400% in the number of samples of this malware received in our inboxes compared with the previous month.

Increase of Adware/VideoPlay

This nasty piece of malware is the same as the one that was being distributed using Digg and YouTube.