McAfee Labs Blog

How Much Does My Identity Cost? (the Sequel)


Two weeks ago, I posted a blog entry about the counterfeiting of legal documents. I have since received many comments and requests for further data on this type of fraud from various Eastern European countries, France, and even the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide the services. At McAfee, as at most of our competitors, we almost never disclose dangerous URLs except to researchers in the business and to law enforcement agencies. In many cases we also do some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but this can change, especially if the owners know it will be visited by MANY inquisitive people.

The next question was that of the counterfeiter’s nationality. No doubt they are Russian speakers.

Another request concerned the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to driver’s licenses, I investigated the passport market further. It was not difficult to find other offers with MORE attractive prices: less than $1,000 instead of the $4,000 to $5,000 asked by the first one.

In this last offer, I noted the availability of Diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject, as you first have to contact them via anonymous mailing services (they specify: “no ICQ, no SMS, no phone call”). However, I discovered another offer with details about how to place an order.

Finally, some people wanted to know whether these sites offered other materials or services. Some of them do sell carding equipment to read and write magnetic cards, though the prices are exorbitant: they quoted between $9,000 and $11,000 when many of these devices can be found on Amazon or eBay for $500! Most interesting, and proof of the relevance of our previous advice about what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. In Europe, we frequently use these documents as proof of residence or address.

Even the envelope is supplied! The least important pieces of paper can interest today’s cybercriminal!

Zeus Botnet Attacks via FedEx Scam


Yesterday we discovered a new Zeus campaign.

Most of the messages associated with the new spam campaign are linked to the Asprox botnet. This time, the focus is on FedEx. Most of the attachments start with either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. Those attachments are recognized as the Bredolab Trojan, which will download the Zeus component.

This Zeus variant has a control host on hxxp://x5vsm5.ru, but also downloads from hxxp://trachsel.biz.

These samples target a large number of banks outside the United States. We still see common U.S. targets…

  • Citibank
  • Comerica
  • USBank
  • WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

  • Neue Bank (Liechtenstein)
  • Arab Bank
  • MyBank (Taiwan)
  • BHI Bank (United Kingdom)
  • NPBS (United Kingdom)
  • Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus going global.

Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway


The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and their value, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies (ranging from exact detection to heuristics) and technologies (from exploit detection to cloud-based detection), the paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!

iPhone OS – Safe again?


Three weeks ago a ‘mysterious’ new jailbreak technique was posted to jailbreakme.com. Research to date indicates that this technique leverages two distinct vulnerabilities to gain access to devices. The first issue exploited is a FreeType CFF font handling issue, exploitable via MobileSafari. The second issue exploited is an IOSurface framework issue that allows for privilege escalation to root, and eventual complete compromise of devices.

Fortunately for many, Apple has released an update that addresses both issues (HT4291, HT4292). This update should prevent malicious attackers from exploiting these vulnerabilities and also stop the jailbreak technique from working on devices that have the update installed.

Great news on the vulnerability front, no doubt. But are 25+ million iPhones truly safe again? Maybe.

Newegg Password Reset Scam: a Harbinger of Threats to Come?


This blog was updated at 1.15 pm Pacific time on Aug. 26.

McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt; there is also some indication that the botnet may be abusing Newegg’s password reset system to further the scam.


In less than 1 percent of the cases, the spammers appear to be using the password reset option on the Newegg website to generate an email to the victim announcing that a password reset has been requested. This cannot be used to find out whether an account exists, because the Newegg site returns the same text whether or not the address is registered; directory harvesting therefore does not appear to be the attackers’ goal. The reset option is not protected by a CAPTCHA unless an account has already received multiple reset requests, so a single request per address can be scripted as part of the spam campaign. The request does not actually reset the password unless the recipient clicks the link in the email that is sent, and even then it does not indicate that the account has been compromised. In all likelihood the scam is simply designed to make the recipient anxious by suggesting that an unauthorized individual has tried to access the account.
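The weakness described above, a uniform response but no throttle until several requests have arrived, is worth contrasting with a reset endpoint that keeps the uniform response and adds per-address and per-source limits. The following is an added example, not Newegg’s code and not from the original post; the account list, the clock and the mail sink are constructed stand-ins, and the limits are assumed values:

```python
"""
A password-reset endpoint that keeps the uniform "maybe we sent something"
response (so it cannot be used to enumerate accounts) but adds per-address and
per-source throttling, so it cannot be scripted as a free mailer either.
Added example, not Newegg's code; accounts, clock and mail sink are constructed.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Set

GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


class PasswordResetService:
    def __init__(self, accounts: Set[str], send_mail: Callable[[str], None],
                 clock: Callable[[], float] = time.time,
                 per_account_cooldown: float = 15 * 60,   # assumed: one mail per address per 15 min
                 per_source_limit: int = 5,                # assumed: 5 requests per source per hour
                 per_source_window: float = 60 * 60):
        self.accounts = {a.lower() for a in accounts}
        self.send_mail = send_mail
        self.clock = clock
        self.per_account_cooldown = per_account_cooldown
        self.per_source_limit = per_source_limit
        self.per_source_window = per_source_window
        self._last_sent: Dict[str, float] = {}
        self._source_hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _source_over_limit(self, source: str, now: float) -> bool:
        """Sliding-window counter per requesting source (IP, session, ...)."""
        hits = self._source_hits[source]
        while hits and now - hits[0] > self.per_source_window:
            hits.popleft()
        hits.append(now)
        return len(hits) > self.per_source_limit

    def request_reset(self, address: str, source: str) -> str:
        now = self.clock()
        address = address.strip().lower()
        # The source throttle is applied to every request, registered or not, and
        # the response is the same constant string on every path.
        over_limit = self._source_over_limit(source, now)
        last = self._last_sent.get(address, float("-inf"))
        if not over_limit and address in self.accounts and now - last >= self.per_account_cooldown:
            self._last_sent[address] = now
            self.send_mail(address)       # the only externally observable effect
        return GENERIC_RESPONSE


def demo() -> Dict[str, object]:
    """Drive the service with a fake clock and record what it actually mails."""
    sent: List[str] = []
    now = [1000.0]
    svc = PasswordResetService({"alice@example.com"}, sent.append, clock=lambda: now[0])
    responses = [
        svc.request_reset("alice@example.com", "198.51.100.9"),   # real account: mail sent
        svc.request_reset("nobody@example.com", "198.51.100.9"),  # unknown: same answer, no mail
    ]
    now[0] += 60
    responses.append(svc.request_reset("alice@example.com", "198.51.100.9"))  # in cooldown: no mail
    now[0] += 20 * 60
    responses.append(svc.request_reset("alice@example.com", "198.51.100.9"))  # cooldown over: mail
    now[0] += 20 * 60
    # A bot walking its spam list from one source hits the per-source limit quickly.
    for i in range(10):
        svc.request_reset(f"user{i}@example.com", "203.0.113.7")
    mails_before_burst_victim = len(sent)
    svc.request_reset("alice@example.com", "203.0.113.7")         # over limit: silently dropped
    return {
        "uniform": len(set(responses)) == 1,
        "mails": list(sent),
        "burst_dropped": len(sent) == mails_before_burst_victim,
    }


if __name__ == "__main__":
    print(demo())
```

The response text is identical whether or not the address is registered, so the endpoint still cannot be used for directory harvesting, while the per-source window stops a bot from scripting one request per spam recipient. One caveat remains: the account lookup itself takes slightly different time on the two paths, so a deployment that cares about timing side channels should pad them.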


Anxiety and frustration are common emotions exploited by spam and phishing messages to make a victim click on a malware link without thinking. One common trick is to send a purchase confirmation email to a recipient, who is likely to click on the attachment or the link because he or she is afraid or is convinced that someone has already hacked the account. To continue the scam: The victims receive a forged Newegg purchase receipt shortly after seeing the legitimate password reset notice. If recipients are anxious about account tampering, they may be willing to release a quarantined spam message that claims to be a purchase receipt because they feel their accounts may have been compromised.


This spam mail appears to be associated with the Cutwail botnet, which is the second-most prolific botnet in detected infections. (Rustock is number one.) Cutwail has the highest number of infections detected in Russia, India, and Brazil. We do not know if every recipient of a Newegg spam has received a password reset notification before the spam mail arrived, but McAfee TrustedSource™ has detected a 233 percent increase over the average mail flow coming from Newegg IP addresses today.


The spam mail not only mimics the look and feel of a Newegg email, but also forges Received headers (the trace lines SMTP servers add, defined in RFC 821) to pretend that it originated from Newegg servers. The email contains an HTML attachment that uses obfuscated JavaScript to redirect the victim to a domain that attempts to deliver fake anti-virus software or other malware.
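One way for a mail administrator to catch forged Received chains of this kind, as an added example and not code from the original post: only the Received line stamped by your own edge MTA is trustworthy, and the connecting IP it records can be compared with the networks the claimed sender domain is allowed to use. The messages, the MTA host names and the authorized-network table below are constructed; in production the table would come from the domain’s published SPF record.

```python
"""
Received-chain check: trust only the Received line stamped by our own edge MTA
and compare the connecting IP it records with the networks the claimed sender
domain is allowed to use. Added example; messages, host names and the
authorized-network table are constructed, not taken from the original post.
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Our own mail edge. Only the Received line one of these hosts adds is trustworthy;
# every line below it arrived as text inside the message and may be forged.
OUR_EDGE_MTAS = {"mx1.example.org"}

# Stand-in for an SPF lookup (constructed): networks a claimed domain may send from.
AUTHORIZED_NETWORKS = {
    "newegg.com": [ipaddress.ip_network("203.0.113.0/24")],
}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_received(value: str) -> Optional[Dict[str, str]]:
    """Pull the HELO name, connecting IP and receiving host out of one Received line."""
    m = RECEIVED_RE.search(str(value))
    return m.groupdict() if m else None


def edge_hop(received: List[str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Index and fields of the topmost Received line stamped by one of our edge MTAs."""
    for i, value in enumerate(received):
        hop = parse_received(value)
        if hop and hop["by"].lower() in OUR_EDGE_MTAS:
            return i, hop
    return -1, None


def check_received_chain(raw_message: str) -> Dict[str, object]:
    msg = message_from_string(raw_message, policy=policy.default)
    received = [str(v) for v in msg.get_all("Received", [])]
    claimed_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    idx, edge = edge_hop(received)
    if edge is None:
        return {"claimed_domain": claimed_domain, "edge_ip": None, "authorized": False,
                "untrusted_claims": len(received), "reason": "no Received line from our own MTA"}
    ip = ipaddress.ip_address(edge["ip"])
    authorized = any(ip in net for net in AUTHORIZED_NETWORKS.get(claimed_domain, []))
    # Lines below the edge that name the claimed domain were written by the sender,
    # so they prove nothing; count them to show how much of the chain is decoration.
    untrusted_claims = 0
    for value in received[idx + 1:]:
        hop = parse_received(value)
        if hop and (hop["by"].lower().endswith(claimed_domain)
                    or hop["helo"].lower().endswith(claimed_domain)):
            untrusted_claims += 1
    return {"claimed_domain": claimed_domain, "edge_ip": str(ip), "authorized": authorized,
            "untrusted_claims": untrusted_claims,
            "reason": ("edge IP authorized for claimed domain" if authorized
                       else "edge IP not authorized for claimed domain")}


# Constructed messages. The first mimics the forgery: two plausible-looking
# internal Newegg hops sit below the line our MTA actually stamped, whose
# connecting IP is not one of the sender's networks.
FORGED_MESSAGE = "\n".join([
    "Received: from mail.newegg.com (unknown [198.51.100.77]) by mx1.example.org with ESMTP; Thu, 26 Aug 2010 10:12:44 -0700",
    "Received: from smtp3.newegg.com (smtp3.newegg.com [203.0.113.25]) by mail.newegg.com with ESMTP; Thu, 26 Aug 2010 10:12:40 -0700",
    "Received: from app01.newegg.com ([10.20.30.40]) by smtp3.newegg.com; Thu, 26 Aug 2010 10:12:39 -0700",
    "From: Newegg <info@newegg.com>",
    "Subject: Newegg.com - Order Confirmation",
    "",
    "Thank you for your order. See attached receipt.",
])
LEGIT_MESSAGE = "\n".join([
    "Received: from smtp3.newegg.com (smtp3.newegg.com [203.0.113.25]) by mx1.example.org with ESMTP; Thu, 26 Aug 2010 10:30:01 -0700",
    "Received: from app01.newegg.com ([10.20.30.40]) by smtp3.newegg.com; Thu, 26 Aug 2010 10:30:00 -0700",
    "From: Newegg <info@newegg.com>",
    "Subject: Newegg.com - Password Reset",
    "",
    "...",
])

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_received_chain(raw))
```

The lower Received lines in the forged message look exactly like a real Newegg relay chain, which is the point: anything below your own MTA’s stamp is sender-supplied text, so a filter should never use it as evidence of origin.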

This is a powerful scam: It combines forgery techniques to fool the victims, techniques to fool the filters, and outright abuse of the Newegg corporate infrastructure to scare the recipients of the malicious emails. Techniques like this are not new, but the combination of three in one package is rare. Administrators should be aware of this campaign and inform their users not to be fooled by the purchase receipt. Users who want to check their Newegg accounts should not use any links in an email but should go straight to newegg.com.

Newegg says it is investigating this issue to determine any customer impact and that it is researching any actions the company may need to take to help its customers avoid phishing scams that take advantage of their brand.

Insecure Library Loading in OS and Applications


While reading Microsoft’s confirmation of the vulnerability in how arbitrary Windows applications preload DLLs, I was reminded of the wave of LD_PRELOAD vulnerabilities exploited many years ago on multiple non-Windows systems. This is not a new class of vulnerability; the recent LNK file zero-day was probably the most recent major flaw that allows untrusted components to be loaded through a legitimate mechanism designed into the system.

I had the privilege of speaking with a few McAfee customers during the outbreak of LNK exploits, and one of their most frequent questions was how it could be possible without any buffer overflow. Lately, security practitioners have focused heavily on fuzzing and on buffer overflow protection against zero-day vulnerabilities, but these design flaws in operating systems and applications allow libraries and executable objects to be loaded from untrusted locations without any buffer overflow or memory corruption, entirely by legitimate design.

The original advisory used iTunes as an example, but the same flaw is likely to exist in many applications. An attacker plants a document or media file, together with a malicious library, on a remote location such as a network share; when a vulnerable application opens the file, it searches for the libraries it needs in that same location and loads the attacker’s copy.

In the following example, a Microsoft application loads a document file “screen” from network drive Q:\ and tries to search for a DLL it requires on the same drive Q:\.


The DLL is loaded and running from the network drive Q:\.

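To see why the DLL ends up loaded from Q:\, it helps to walk through the directories LoadLibrary consults when a DLL is requested by bare file name. The following Python model is an added example, not code from the original post or from McAfee: the filesystem, drive mappings, module names and export names are constructed, and the ordering follows Microsoft’s documented search order, including the SafeDllSearchMode default and the CWDIllegalInDllSearch values Microsoft shipped in KB2264107 to take the current directory out of the search.

```python
"""
Model of the Windows DLL search order for a LoadLibrary("name.dll") call that
passes a bare file name (no path). Added example: the filesystem, drive
mappings and module names below are constructed for illustration.
"""
from typing import Dict, List, Optional, Set

Filesystem = Dict[str, Set[str]]   # directory -> names of the files it contains

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]
APP_DIR = r"C:\Program Files\Viewer"
DOC_DIR = r"Q:\shared"            # the user opened Q:\shared\screen.txt, so this is the cwd

# Constructed example filesystem (not from the original post).
SAMPLE_FS: Filesystem = {
    APP_DIR: {"viewer.exe"},
    SYSTEM32: {"kernel32.dll", "user32.dll", "dwmapi.dll"},
    SYSTEM16: set(),
    WINDIR: set(),
    r"C:\Tools": set(),
    # An attacker-writable share mapped as Q:, holding a document plus planted DLLs.
    DOC_DIR: {"screen.txt", "dwmapi.dll", "wintab32.dll", "kernel32.dll"},
}
# Drive letters that are mapped to remote locations in this model; UNC paths are always remote.
REMOTE_DRIVES = {"Q:": "network", "W:": "webdav"}
# Small subset of HKLM\...\Session Manager\KnownDLLs; these always come from System32.
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}

# CWDIllegalInDllSearch values (KB2264107): how the current directory is treated.
CWD_DEFAULT = 0
CWD_SKIP_WEBDAV = 1            # skip cwd when it is a WebDAV folder
CWD_SKIP_REMOTE = 2            # skip cwd when it is any remote folder (UNC, mapped share, WebDAV)
CWD_SKIP_ALWAYS = 0xFFFFFFFF   # never search the current directory


def location_kind(path: str) -> str:
    """Classify a directory or file path as 'local', 'network' or 'webdav'."""
    if path.startswith("\\\\"):
        return "network"
    return REMOTE_DRIVES.get(path[:2].upper(), "local")


def search_order(app_dir: str, cwd: str, safe_mode: bool = True,
                 cwd_policy: int = CWD_DEFAULT) -> List[str]:
    """Directories LoadLibrary consults, in order, for a bare DLL name."""
    kind = location_kind(cwd)
    skip_cwd = (cwd_policy == CWD_SKIP_ALWAYS
                or (cwd_policy == CWD_SKIP_REMOTE and kind != "local")
                or (cwd_policy == CWD_SKIP_WEBDAV and kind == "webdav"))
    cwd_step = [] if skip_cwd else [cwd]
    if safe_mode:   # SafeDllSearchMode, the default since Windows XP SP2 / Server 2003
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR] + cwd_step + PATH_DIRS
    # Legacy order: the current directory comes right after the application directory.
    return [app_dir] + cwd_step + [SYSTEM32, SYSTEM16, WINDIR] + PATH_DIRS


def resolve_dll(name: str, app_dir: str, cwd: str, fs: Filesystem = SAMPLE_FS,
                safe_mode: bool = True, cwd_policy: int = CWD_DEFAULT) -> Optional[str]:
    """Full path LoadLibrary would pick for a bare name, or None if the DLL is not found."""
    name = name.lower()
    if name in KNOWN_DLLS:                      # KnownDLLs bypass the search entirely
        return SYSTEM32 + "\\" + name
    for directory in search_order(app_dir, cwd, safe_mode, cwd_policy):
        if name in {f.lower() for f in fs.get(directory, set())}:
            return directory + "\\" + name
    return None


def loads_from_untrusted_location(path: Optional[str]) -> bool:
    """True when the resolved DLL lives on a network or WebDAV location."""
    return path is not None and location_kind(path) != "local"


if __name__ == "__main__":
    for dll in ("wintab32.dll", "dwmapi.dll", "kernel32.dll"):
        p = resolve_dll(dll, APP_DIR, DOC_DIR)
        print(f"{dll:14} -> {p}  untrusted={loads_from_untrusted_location(p)}")
```

Two things fall out of the model. A DLL that exists in System32 is safe under SafeDllSearchMode even when a copy is planted next to the document, because the system directories are searched before the current directory; a DLL the application wants but Windows does not ship (wintab32.dll in the model) is found only on the share, which is exactly the case in the screenshot. Setting CWDIllegalInDllSearch to 2 or 0xFFFFFFFF, or having the application call SetDllDirectory with an empty string, removes the current directory from the walk and the planted copy is never considered.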

McAfee VirusScan Enterprise users may choose to configure, and test, access protection rules that prevent access to at least “*.dll” and “*.ocx” files in untrusted locations where documents are shared but program libraries are unlikely to be legitimately loaded from.

In this case, notepad.exe tries to read a DLL from a network drive and the operation is prevented:


Note: This rule may also block nonmalicious applications from running on network drives and should be tested in each environment.

McAfee Labs is closely monitoring the exploitation of this technique in the wild and will provide more information as we find it.

Three Strikes to Latest Phishing Scam


We unceasingly monitor and combat old and emerging web threats, taking different approaches to best protect our customers. Cybercriminals continuously look for new ways to steal valuable information. A recent phishing scam we’ve seen uses three popular lures: PayPal, Bank of America, and free offers to check your credit score.

The recent attack on Bank of America users arrives as spam email with a phishing link alerting users to an “account deactivation.” The scam claims that online banking security regulations require users to click on the provided URL. Don’t fall for this tactic. Clicking the “RESOLVE” link redirects you to a malicious site.


A similar scam claims there is a “security problem” with your PayPal account. Its URL redirects victims to a fake page hosted on the main domain of the attacker’s site. These malicious pages reuse the same graphics, style sheets, and links as the genuine pages.


Would you trust an unsolicited email that offers to check your credit score for free? It looks authentic, but it definitely is not. It is always much safer to type the web address you want to visit manually instead of clicking a link in a suspicious email. If you receive one of these emails, do not click on the links. Unprotected users who click on them may infect their computers or reveal their data.


Remember to keep your anti-virus software up to date, and do not provide any personal or financial information to unsolicited email messages. Last year 11.1 million people were victims of identity theft in the United States; an identity is stolen every three seconds. Cybercriminals aggressively pursue unprotected users. Learn how to prevent identity theft at our McAfee Identity Protection page.

How Much Does My Identity Cost?


Phishing and identity theft involve not only the theft of funds. In addition to financial data, information collected by cybercriminals also can allow them to create and sell false legal documents.

On top of selling malware, renting botnets, or launching denial-of-service attacks, supplying falsified documents is another well-paid online activity. I visited such a business just yesterday.

One popular document for criminals is a passport. The following website offers a large choice classified by country. The lowest price (US$870) is for Azerbaijan. A French passport costs US$5,530. A customer must send the forgers personal information as well as a signature and a photo, and they take care of the rest.

The site also offers a large collection of credit cards (sold 10 at a time) with balances ranging from US$2,000 to US$15,000. Some Platinum cards are guaranteed up to US$50,000.

After money and passport, a criminal might next need a driver’s license. No problem, they can find those here:

To attract customers, the document providers offer specifics for some countries and states. These examples describe Russia and Michigan in the United States:

To make these documents criminals need not only the financial data they can obtain via the usual phishing strategies; they also need more personal data. To get it, they target online and offline locations where this information is available. To protect yourself, you need to remain aware of what you give away on your social networking platform as well as what you toss into your household trash.

Fraud Strikes U.S. Travel Authorization Agency


Last year, the U.S. government passed a law making online travel registration mandatory for all citizens of countries eligible for the Visa Waiver Program. The Visa Waiver Program is available to citizens of the European Union, but also to citizens of other countries such as Switzerland, Japan, South Korea, and Singapore.

The registration has to be made at least 72 hours prior to traveling to the United States. It can be made only through an online form, the Electronic System for Travel Authorization (ESTA), available on the official website of the Department of Homeland Security at https://esta.cbp.dhs.gov. Registration is currently free. Once a traveler registers, the authorization remains valid for two years, regardless of the number of trips to the United States.

As part of the Travel Promotion Act, from September 8, 2010, onward all visitors using the Visa Waiver Program will be charged US$14 to complete this immigration form. Of this fee, $10 will fund international campaigns promoting holiday travel and tourism in the United States; the other $4 is an administration fee.

We weren’t surprised that some people soon figured out how to make money from this, especially as the application and payment by credit card must be made online. We’ve seen similar fraud in relation to green card application scams in the past. McAfee Labs research has shown that both types of fraud are related, and it is likely that the ESTA fee scam is run by the same organizations as the green card scammers.

McAfee has also noticed that most search results for “ESTA,” “ESTA form,” or “ESTA online registration” lead to fraudulent websites, especially if the search terms are run in non-English languages. Even worse: Most sponsored ads are leading to fraudulent websites, too.

Examining these sites, we discovered three common types of fraud. The first type offers a basic service to fill out the form for somebody, but at extra cost ranging from $30 to $250. These services are relatively harmless, because users probably still get their online registration. The biggest risk is the loss of personal information to third parties, which may result in spam emails or other unrequested contact. In worse cases, providing travel dates could end in burglary, because users supply their home addresses along with the dates their homes will be unoccupied.

More critical than these are sites set up primarily to gather personal information. This type of phishing is even worse than common banking-related phishing: rather than banking or credit card information, users are required to enter their date of birth, passport numbers, contact address, and other personal information, in addition to the questions that are mandatory for U.S. immigration, such as medical conditions, criminal records, or involvement in espionage or war crimes. These sites are even built to capture the information of traveling family members as well.

The third type of fraudulent sites related to the ESTA registration offer application guides or forms for download. These download forms are simply malware. It is essential you not download anything from these sites. The ESTA form is a web-based application; no forms need to be downloaded.

What these sites have in common is that they pretend to look like official government websites. Some are even available in other languages such as Japanese, German, or French. One ESTA phishing site we examined is available in 12 languages. These sites simulate authenticity by using common icons or a “safe” governmental link somewhere on the page. Some include a long section with privacy and service-term disclaimers. It is ironic that they warn users to be careful of fraudulent websites stealing your private information or overcharging for the use of their services:

    Warning! Applying through a third party website may not comply with ESTA regulations. Beware of fraudulent websites that collect your private information and claim to submit the application on your behalf. Applying for your own Travel Authorization is the only way to be 100% sure that your application was submitted properly. Travelers with an invalid ESTA Travel Authorization will be denied entry by U.S. Customs and Border Protection. Download the Application Guide below and submit your own ESTA application today.

In summary, the online registration is available only at the official site of the Department of Homeland Security at https://esta.cbp.dhs.gov. This secure government website gives you all the important information; it is even available in all 22 languages of the countries that qualify for the Visa Waiver Program. There is no need to use a third-party service for this immigration form. Every other site offering such a service is a scam, charging extra, stealing personal information, or simply spreading malware.

New Wave of Zbot Trojan


McAfee Labs detected a new wave of the PWS-Zbot (a.k.a. Zeus) spam campaign this week.

Some common phrases used in the email subject headers:

  • Subject: Sales Dept
  • Subject: Another candidate brought to you
  • Subject: Summary of payments

These emails carried PWS-Zbot Trojan variants that are a part of the 2.x version of the Zeus botnet, and currently try to access the following URLs:

  • hxxpS://193.104.{blocked}/box1/master.tmp
  • hxxpS://193.104.{blocked}/box1/1.gif
  • hxxpS://193.104.{blocked}/box1/update.php
  • hxxpS://cisco-update-{blocked}.com/box1/1.gif (currently offline)

This variant also exhibits rootkit behavior, hooking Windows APIs to prevent users from seeing some of the files.

Examples of such hooks are:

  • ntdll.dll!NtCreateThread
  • USER32.dll!TranslateMessage
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!LdrGetProcedureAddress
  • ntdll.dll!NtCreateThread
  • USER32.dll!GetClipboardData
This variant also uses HTTPS as the communication protocol with the remote servers to download encrypted data. In some instances, it was also found to patch termsrv.dll to bypass authentication when connecting to the machine via Remote Desktop.

The SSL certificate used by the server is self-signed with default parameters and a date of July 13, exactly one month from today.

Further details of the Zbot or Zeus Trojan family are available at the Virus Information Library.

Update: We have noticed that some reports refer to the current wave of PWS-Zbot as “Zeus v3.” To clarify: the current Zbot variants are generated by the “v2 toolkit” and its variants. The Zbot Trojan has evolved from the “v1 toolkit” (which generated the 1.x.x to 1.3.x variants) to the “v2 toolkit,” which underlies the current versions.