Archive for December, 2006

Bot pangs – The pain of patching

Malware authors have been proactive, incorporating exploit code for almost every newly reported vulnerability into bots with remarkable professionalism. Apart from the numerous Microsoft Windows vulnerabilities whose exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from other software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are dated and patches are available, bot authors still found them enticing enough to target machines running vulnerable versions of these applications.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

Most of the major software vendors like Adobe, Microsoft and Oracle now follow a monthly patching cycle and administrators have their hands full in ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network for policy reasons. For example, the organization could be using legacy software which could break if a new service pack was applied and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need more time to first deploy these hot fixes in a test environment and QA them properly before deploying them to the entire enterprise.

Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients were to surface. IM is popular in both consumer and corporate networks, and an exploit that gives a remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

404 not just “File Not Found”

The most common use of the HTTP status code 404 is to communicate that the client was able to reach the server, but the server could not find the requested file. To a naive user this pretty much means “Let’s move on!”

We present the following information to warn users of a social engineering attack currently in vogue with several malware authors. McAfee Avert Labs recently evaluated a website called 404dnserror(dot)com. At the time of writing this blog, the website throws a “fake” 404 file not found page. But a closer look at the error page, as depicted below, shows that the server tries to install an ActiveX control, and the installation message claims that the page is not available because it is blocked by adware/spyware. It also proposes to install a security product called “System Doctor” to remove this adware/spyware.

Further analysis of System Doctor reveals this is actually a flavor of the “WinFixer” application that claims to fix registry and hardware errors or to clean adware/spyware.

We caution web users about these “fake” error codes seen while surfing the web, and we continue to protect our customers against these attacks.

UPDATE DEC 6, 2006

“On 5 December 2006 we incorrectly reported that “Spyware Doctor”, published by PC Tools was involved in this scam resulting in the publication of fake error codes to induce end users to download their software (in the above blog titled “404 Not Just ‘File Not Found’”). It has since come to our attention through further research that the software in fact was “System Doctor”, a rogue software product which attempts to trade off its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor.”

QuickTime “feature” + MySpace vulnerability = “Fun” & Profit!

This weekend brought us yet another XSS vulnerability in MySpace being used to modify users’ profiles for malicious ends. Much like in the Windows virus space, we’re apparently past the phase of MySpace worms being used purely for notoriety, and well into the phase of worms for profit.

This worm (JS/QSpace) uses an intended QuickTime feature that lets a movie run JavaScript code to open additional URLs. The additional URL in this case is a JavaScript file which modifies the user’s MySpace profile to include the malicious movie.

This boils down to two primary problems:

  1. QuickTime will load external URLs without user consent
  2. MySpace will embed or modify content without user consent, even from external sites

The MySpace part of the equation seems pretty straightforward to address. Couldn’t something be set up to verify that a human is actually intentionally modifying content, especially if done in bulk?

The QuickTime issue being an intended feature makes this a bit trickier. It seems painfully naive to me for a feature like this to be added with no precautions in place to prevent malicious use.

One of the biggest reasons movie files are becoming increasingly popular as distribution methods for malware is that, between newly discovered vulnerabilities and features like this, the “return on investment” for malware authors using these file types is sky-rocketing. Very few people hesitate to view a movie file unless the context it comes in is incredibly suspect (and that’s mostly to avoid getting canned for watching porn at work, or getting the snot scared out of you by the car ad with the zombie that jumps out at the end).

But really, never mind the zombie. There are much more disturbing things potentially lurking in videos now.

Want spies with that?

We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server, and SymbOS/Mobispy.A sends all the data it has captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

  • The software is licensed for only one phone ID (IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI, it is expected to be shut down.
  • It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.

Every Doctor is not Spyware Doctor

Readers of my earlier blog post, “404 not just ‘File Not Found’”, asked for more information about how a Potentially Unwanted Program called “System Doctor” gets installed, so this post focuses on the program’s behavior.

System Doctor tries to fool users by using images that resemble a legitimate product from PC Tools called “Spyware Doctor”, as shown below:


Installation on the victim’s machine is via an ActiveX control, as shown below, which requires user interaction:

Upon installation, System Doctor scans the user’s system and displays an “Error Message” box as shown below:

If the unsuspecting user clicks the “Repair Now” button, they are redirected to another page where they are asked for credit card details:


In my previous blog post the software was incorrectly reported as “Spyware Doctor” instead of “System Doctor”. Through further research and discussion, the software is in fact “System Doctor”, a rogue software product that attempts to leverage its similarity to the Spyware Doctor name. The blog entry has since been corrected. As confirmed in discussion with PC Tools, PC Tools and Spyware Doctor have no affiliation with System Doctor.

We caution web users against entering their card details and CVV number into these masquerading “doctors” seen while surfing the web, as we continue to protect our customers against such social engineering attacks.

“I Go Chop Your Dollar”

Many of you have heard about the Nigerian Email Scam (aka 419 Fraud) that proliferates through email traffic and usually sits waiting in your Inbox or Junk Mail folder for the next victim. Many do not know, however, that the scam has been successful for over a decade now, since the 1990s, and that its origins go as far back as the 16th century.

The Nigerian Email scam is a derivative of the Spanish Prisoner Con, in which a victim is told about an extremely wealthy Spanish prisoner who needs someone’s help in getting free. This so-called prisoner is relying on the con artist to raise enough money to free him. The con artist approaches his victim with the story and allows him to help with a portion of the fundraising with the promise of high reward and financial gain. There was even a Hollywood movie called The Spanish Prisoner made in 1997 based on this plot.

The first instances of the Nigerian Scam were seen in the early 1990s. Back then, it was delivered via postal service or fax. Over ten years later, its main method of delivery is email, and to this day there are still people falling victim to the scam. Losses are estimated in the billions of dollars. Brian Ross of ABC News has recently completed an interesting investigative report following the trail of these Nigerian con artists.

To add insult to injury, there is an immensely popular song and music video in Nigeria whose lyrics flaunt the success of the scam (“you be the mugu[2], I be the master”) and ridicule Caucasians’ greed (“Oyinbo[3] people greedy, I say them greedy”).

“I Go Chop Your Dollar” (video)
Osuofia - I Go Chop Your Dollar - A clip from the video.

I Go Chop Your Dollar (lyrics)
I don’t suffer no be small
Upon say I get sense
Poverty no good at all, no
Now I’m make I join this business
419[1] no be thief, it’s just a game
Everybody they play ‘em
If anybody fall mugu[2], ha! My brother I go chop ‘em

Chorus

National Airport now me get ‘em
National Stadium now me build ‘em
President now my sister brother
You be the mugu[2], I be the master
Oyinbo[3] I go chop your dollar, I go take your money disappear
419[1] is just a game, you are the loser I am the winner
The refinery now me get ‘em,
The contract, now you I go give ‘em
But you go pay me small money make I bring ‘em
You be the mugu[2], I be the master… now me be the master ooo!!!!

When Oyinbo[3] play wayo, them go say now new style
When country man do ‘em own, them go the shout bring ‘em, kill ‘em, die!
Oyinbo[3] people greedy, I say them greedy
I don’t see them tire that’s why when them fall enter my trap o!
All day show them fire

[1] Nigerian criminal code that the scam violates
[2] Nigerian Pidgin for “fool”
[3] Nigerian Pidgin for “Caucasians”

Exploit-MSWord.b: Is that another Word for 0-day vulnerability?

Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability, CVE-2006-5994; we refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word document sample for MessageLabs. Just when you might have thought this was the same, most recent 0-day, Microsoft confirmed at our request that we are seeing double trouble: this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for the payloads associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4914 as Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4915 as Exploit-MSWord.b.

Fake charity sites: It’s that time of year again.

I’ve seen a number of fake charity sites crop up over the last week or so, and the cynic in me knows it’s that time of year again. Christmas is a time of joy and happiness, good will to all men, peace on earth, and thank whoever you believe in that you’re not a turkey! It’s not restricted to the Christmas period, but at this time of year we are more likely to think of those less fortunate, and those are exactly the feelings the fraudsters are trying to exploit with fraudulent sites purporting to help needy children who are abandoned, distressed, endangered, exploited, homeless, hungry, sick or suffering.

The websites I’ve seen so far are very professional, with a fairly high amount of graphical content (Flash and HTML versions, no less) and a good amount of verbiage designed to make the reader feel upset, guilty, sentimental, or otherwise relieved of a tear or two. Much of the layout and content on one of these fraudulent sites was copied directly from a legitimate charity’s website with simply a name and a logo changed. These websites are as bad as some of the leaflets that drop through your door, but they cost less, at least in the short term.

Q: Can you tell the difference?

sample image

I’ll save the answer until later. So how many real charities use compromised machines to host their websites or botnets to send their email? Not one! Here is a sample of the spammed image from one of the recent campaigns. (Doesn’t it look a bit like the recent stock spams?) I expect the quality of the email content to improve in the future, however.

sample image

Please be very wary of any donation opportunities appearing via email, just as you would be if a stranger were knocking at your door, cap in hand. This FTC site has some good advice on responsible donating.

A: The red one was the fraud site.

Social Engineering and the “Little Guy”

Here’s a concept that might inflate everyone’s ego a little, as well as (hopefully) making them a little more wary: It’s not just CxOs whose names and info are valuable. It’s yours and mine, too.

In Italy, trojan spammers are sending emails which appear to be from lawyers, threatening legal action if the recipient doesn’t clean up their allegedly infected machine. Of course, this email includes a “helpful link” to a removal tool which is, in reality, a trojan. The most notable thing here is that the email includes actual lawyers’ names and contact information, which is causing significant problems for the lawyers whose names have been used.

We’ve also received reports from Italy indicating people are getting similar emails, but from people who appear to be angry business partners rather than lawyers.

Miscreants have also taken to heart the figures regarding the lack of security awareness in smaller businesses. Small companies may feel that they’re too insignificant to be targeted, but their machines may actually be just as valuable as someone’s in a Fortune 500 company. Small businesses’ bandwidth is often better than a home user’s, their employees’ names and contact info can be used in schemes like this, and they might be more apt to be hurt by Denial of Service attacks or extortion attempts, while they’re less apt to have trained or dedicated security staff.

Really, everyone’s data has a useful place in the internet criminal’s arsenal. Doesn’t that just warm the cockles of your heart? ;)

So what do we take away from all this? Regardless of how urgent an email appears to be, it pays to double-check links and attachments with the apparent sender if you’re not expecting them. And to keep yourself from becoming an “apparent sender”, consider very carefully what information you make available on the internet. Do you need to post your employees’ names and phone numbers publicly, or would something more general be feasible?

Wanna Watch Videos? Watch out, it’s a worm!

As we know, there are many websites offering free celebrity videos, and their main audience is youngsters.

Here we have a webpage “www(dot)leaked[REMOVED]videos(dot)com” which by its title looks to have a large collection of celebrity videos. The user visits the site, follows the instructions, then ends up installing a worm instead of watching celebrity videos.

The webpage displays “Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object” attempting to get the user to install “missing plugins” for Media Player as shown below:

If the user clicks the (Click Here) hyperlink in the browser, they end up downloading a program called mpg2-3.0.1.exe, as shown below:

Upon execution, mpg2-3.0.1.exe displays the fake error message box shown below and installs a worm called Nugache.

We caution all internet users to beware of these fake online video sites found while surfing the web, as we continue to protect our customers against such social engineering attacks.
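Both the fake 404 page and the fake video page above use the same lure: an error message that pushes the visitor toward an ActiveX install or an executable download. The scanner below, an added example and not McAfee code, applies that pattern to a fetched page; the lure phrases, the placeholder host example.invalid and the zeroed CLSID are constructed, while mpg2-3.0.1.exe is the file name from the post.

```python
"""Flag pages that hide an ActiveX install or an executable download behind a fake
error message, as the fake 404 and "missing Video ActiveX Object" lures above do."""
import re
from html.parser import HTMLParser

# Wording taken from the lures described in the posts (constructed list; extend it)
LURE_PHRASES = ("file not found", "blocked by adware", "cannot play video file",
                "missing video activex object")
# Attribute values a browser would offer to run or install
EXE_RE = re.compile(r"\.(exe|cab|msi|scr)(\?|#|$)", re.I)

class _LureScanner(HTMLParser):
    """Collects ActiveX <object> tags, executable links and visible text."""
    def __init__(self):
        super().__init__()
        self.objects, self.exe_links, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            self.objects.append((a["classid"], a.get("codebase", "")))
        for key in ("href", "src", "codebase"):
            if key in a and EXE_RE.search(a[key]):
                self.exe_links.append(a[key])

    def handle_data(self, data):
        self.text.append(data)

def scan_page(status, body):
    """Indicators for one HTTP response. 'suspicious' is True only when an
    error-style lure (HTTP 404 or a lure phrase) is paired with an ActiveX object
    or an executable link, so a genuine 404 page is not flagged."""
    p = _LureScanner()
    p.feed(body)
    text = " ".join(" ".join(p.text).split()).lower()   # collapse whitespace
    phrases = [ph for ph in LURE_PHRASES if ph in text]
    return {"lure_phrases": phrases, "activex_objects": p.objects,
            "download_links": p.exe_links,
            "suspicious": (status == 404 or bool(phrases))
                          and bool(p.objects or p.exe_links)}

# Constructed sample modelled on the fake 404 page; CLSID and host are placeholders
FAKE_404 = """<html><body><h1>404 File Not Found</h1>
<p>This page is not available because it is blocked by adware/spyware.
Install System Doctor to remove it.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
 codebase="http://example.invalid/sysdoctor.cab#version=1,0,0,0"></object></body></html>"""

# Constructed sample modelled on the fake video page; mpg2-3.0.1.exe is the name in the post
VIDEO_LURE = """<html><body><p>Windows Media Player cannot play video file.
<a href="http://example.invalid/mpg2-3.0.1.exe">Click here</a> to download missing
Video ActiveX Object</p></body></html>"""
```

Calling `scan_page(404, FAKE_404)` and `scan_page(200, VIDEO_LURE)` flags both samples, while a plain 404 page with no object or download link is left alone.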