Archive for February, 2007

What, no Valentine spam?

Are spammers losing their touch? By looking at the (lack of) volume of Valentine-related spam we are seeing, I would vouch that this could be the case. Besides the usual little bit of boring malware masquerading as an innocent Valentine message, nothing otherwise to even awaken the anti-spammer asleep in front of his/her desk.

Maybe they’re low on money. That would explain the amount of stock spam we saw this week. Or maybe it is the fact that, as of Valentine’s Day, it is possible to buy Viagra over the counter without a prescription in the UK, so that old pill spam might not be as exciting a proposition as before.

Then there are the turf wars. Is it the case that spammers just got that old adage the wrong way around: Make War, Not Love? Maybe so, for with every war come soldiers, and with the soldiers, prostitutes. Does that explain the increase in escort and prostitute spam lately? Or do they think that the anti-spammers have no Valentines and need alternative fulfillment?

Or maybe they are just laying low, building up their arsenals for the next big run. Well, if that is the case we’ll be waiting and they can have a bouquet of black roses as well.

PowerPoint Version of (just patched) Office Zero-Day Spotted

Earlier today Symantec posted a description of Trojan.PPDropper.G. The vulnerability mentioned in the description has been assigned CVE-2007-0913. SANS added it to their missing Microsoft patches table.

However, McAfee Avert Labs’ testing shows this issue was patched today in MS07-015, along with the Office zero-day reported by McAfee on February 2 (CVE-2007-0671). This testing suggests Trojan.PPDropper.G may in fact be a PowerPoint version of the Office zero-day exploit used in Exploit-MSExcel.h.

We will post an update when we have more definitive information.

Update Feb 14, 2007
Microsoft has confirmed that this is patched in MS07-015 and related to CVE-2007-0671.

Microsoft Patches… Wait for it… a PDF-Related Flaw

In a previous blog post I warned that we should be increasingly cautious with PDFs because more and more PDF-related flaws are being released. Security experts at RSA 2007 echoed last week that corporate threats seem to be “moving to Adobe”.

Today is Microsoft’s February Patch Tuesday. Microsoft issued six critical-rated and six important-rated patches, and one of the critical flaws being addressed by those patches – you guessed it – relates to PDFs. The MS07-010 bulletin states that a specially crafted PDF file could trigger an integer overflow in the Microsoft Malware Protection Engine. This would allow remote code execution; in one attack vector, no user interaction is required for exploitation. More information about this flaw can be found on the McAfee Threat Center site.

Do we have another data point for the PDF-flaw trend, or what?

Exploit Targeting Unpatched Word Vulnerability Spotted (Follow-up)

This is an update to the update on CVE-2007-0870.

A few days ago I blogged about a new Word vulnerability that was used in a targeted attack (I know, it’s hard to keep these straight). Later that day Microsoft stated that the vulnerability was limited to denial of service, rather than remote code execution, and the blog was updated accordingly.

Well, since then our researchers continued to look at the issue, as did Microsoft’s. Today, McAfee Avert Labs’ analysis shows that this vulnerability is likely not limited to denial of service and that remote code execution may in fact be possible. Microsoft has also acknowledged that the vulnerability may not be limited to denial of service. Word 2000 and Word XP are believed to be vulnerable, though exploiting this flaw is non-trivial.

I suspect that a Microsoft Security Advisory for this issue will be released soon.

In related news, the team is currently analyzing proof-of-concept Excel files that were posted publicly today as “Microsoft Office Excel 2003 XLS File Denial Of Service”.

Update Feb 14, 6:15pm
A short while ago Microsoft did indeed release Microsoft Security Advisory (933052).

Malware Marketing MalwareWipe

As we know, proper marketing is crucial for any product to grow. In the case of online activity, several potentially unwanted programs (PUPs) like Adware-MemWatcher, Adware-Look2Me and Adware-Apropos have come up with different strategies. These latest strategies include monitoring a user’s browsing habits to better know the user’s interests and, based on that, display various pop-up ads.

Here is a case where a PUP named Malwarewipe is getting marketed by a trojan called Puper. The strategy begins with Puper dropping its supporting files on the user’s system for further action and then displaying hoax balloon messages as shown below:

The trojan will often direct more hoax messages at the user about their system being vulnerable:

This trojan has a wide variety of hoax virus alert messages to make the user feel more insecure, as further shown:

If the user clicks on the OK button, the trojan directs the user’s browser to a MalwareWipe page, similar to the one shown below. This is detected as the potentially unwanted program called Adware-Malwarewipe.

We caution web users to be aware of these hoax alert messages seen while surfing the web as we continue to protect our customers against such social engineering attacks.

What Are MySpace Phishers Phishing For?

Our SiteAdvisor team noticed some active MySpace phishing domains this week, which led me to wonder why someone would want to break into a MySpace account. There isn’t really any sensitive information, like credit card or bank account details, stored in the accounts, so what are the phishers phishing for? We found several domains with perfect copies of the MySpace front page designed to trick people into giving away their usernames and passwords, like this one:

MySpace Phish Site

After a bit of research on the topic I quickly realised that spammers are using the phished details to log in to people’s accounts and post spam messages on other people’s accounts. MySpace seems to be aware of the problem described in this blog. This poses a particular headache, as MySpace can’t close down legitimate user accounts the way it could if the spammer had registered new accounts and started spamming from them.

After a bit more digging around I even found a spammer advertising his services:

MySpace spammer advertising his services

Or if you want to do the job yourself he’ll gladly sell you the list of login credentials:

Selling the list

One spammer messed up in January and published a list of 56,000 MySpace usernames and passwords online, not good for business I guess.

Someone also pointed out to me that people tend to use the same password on multiple sites. With lots of information about you from your MySpace page and your password, it wouldn’t be hard for the phishers to do something even more sinister with your identity! Having access to your MySpace account would also give a hacker the ability to replace a music file you are sharing with an infected file, thus infecting the machines of anybody you share that file with.

The moral of the story is to be careful when logging into any site, not just your bank account!

Regional US banks are big targets for phishers

According to the January 2007 RSA Monthly Online Fraud Intelligence Report, the percentage of nationwide US banks targeted by phishing attacks rose from 28% to 31%. Concurrently, the percentage of regional institutions jumped from 37% to 46%. While 2006 saw many US Credit Union attacks, the main target in January 2007 has been smaller financial institutions.

The chart below represents the monthly figures I collected from various Anti-Fraud Command Center reports. It shows that the main targets are US regional institutions. As they are small, it is possible the cybercriminals think they are not as well protected as larger institutions, which constantly improve their protections. The focus has turned towards stealthier and more targeted attacks, and smaller institutions are ideal for this.

The full report, with all the January 2007 RSA trend analysis, can be downloaded at the following address: http://www.rp-net.com/online/104/0701_RSA_PIR.pdf

On the trail of Downloader-AAP

Downloader-AAP, a.k.a. Clagger, has been an active family of trojans that has been regularly spammed since May 2005. This trojan downloader provides an excellent case study in how a carefully thought-out social engineering approach can deceive users into opening executable attachments in mail.

The Downloader-AAP trojan usually targets German computer users, who by now must be familiar with receiving spammed mails with executables named “Rechung.pdf.exe”, “Rakningen.exe” or “Empfangs.exe”. You would think most organizations would be blocking executables by extension at the email gateway, or that people would be careful about running .EXE files. Out of morbid curiosity as to how successful the authors of Downloader-AAP are with their approach, I decided to follow the trojan’s trail back to the author.
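The gateway check the paragraph above alludes to, as an added example that is not code from the original post or from any McAfee product: it parses a MIME message and flags attachments whose name ends in an executable extension, treating a document extension in front of it (the “Rechung.pdf.exe” pattern) as a stronger signal. The block and disguise lists and the sample message are assumptions constructed for the example.

```python
# Added example (not from the post): a gateway-style check that blocks the
# executable and double-extension attachment names the post describes.
from email import policy
from email.parser import BytesParser

EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}   # assumed block list
DISGUISE_EXTS = {"pdf", "doc", "xls", "jpg", "txt"}       # assumed lure list

def classify_filename(name):
    """Return why an attachment name should be blocked, or None if allowed."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    # "Rechung.pdf.exe": a document extension placed in front of the real one
    if len(parts) >= 3 and parts[-2] in DISGUISE_EXTS:
        return "double extension ." + parts[-2] + "." + parts[-1]
    return "executable extension ." + parts[-1]

def scan_message(raw):
    """Parse a raw RFC 5322 message; return (filename, reason) per blocked part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():   # skips the text body, keeps attachments
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            hits.append((name, reason))
    return hits

# Constructed sample message in the style of the lure; not a real sample.
SAMPLE = b"""From: buchhaltung@example.invalid
Subject: Ihre Rechnung
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Bitte oeffnen Sie die beigefuegte Rechnung.
--b1
Content-Type: application/octet-stream; name="Rechung.pdf.exe"
Content-Disposition: attachment; filename="Rechung.pdf.exe"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""
```

Running `scan_message(SAMPLE)` returns the single blocked attachment with its reason; a plain `Rechnung.pdf` or `archive.tar.gz` passes unchanged.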

Upon infection, the trojan does a WHOIS lookup on the IP address of the infected machine and posts all cached passwords to a web server hosted in Germany, with folders arranged according to the country’s domain name.

WebServer hosting stolen passwords

Apparently business is good! There were around 95 countries in all, starting from .AE (UAE) to .ZW (Zambia). Pretty decent payback for plain social engineering, huh? Looking at the folder for .DE (Germany), one can see many folders created for infections that occurred around the time the trojan was mass-spammed to users.

Stolen German accounts

Each subfolder is named with a unique hash value generated for every infected machine and contains text files with the stolen passwords. A sample text file with cached auto-complete passwords is as follows:

Stolen passwords

Given that there are thousands of folders and files, how do the authors look for interesting information? Apparently the authors are using bash scripts, and the favorite searches are for “bofa, citi, chaser, hsbc and nordea”. (No prizes for guessing the $$$Bank$$$ connection.)

The modus operandi of these criminals is to target vulnerable *nix machines on the internet running Apache. Once a server is compromised, they mass-spam an undetected version of the trojan to thousands of email addresses, and any passwords stolen from infected users are posted to this server. Once the rogue server has been found out and taken offline, they find a new target, and this vicious circle of crime continues.

The good news is we got root access to the server and were able to collect some incriminating evidence to pass on to the authorities. Hope to hear something soon from them.

Malware writer got infected!

It is funny to pick on malware writers… I like it… :) This time I would like to recommend that they use anti-virus as well; otherwise they can also be infected! :)

There is no honor among malware writers and we know that. Today I was looking at a file downloaded by what looked like a common PWS-Banker.dldr (a downloader for Password Stealer Bankers). While doing some analysis on the file, another virus detection came out: W32/Gael.worm.a. This one is a parasitic virus. This made it a bit more suspicious, because it is not common to see a PWS-Banker downloader downloading a parasitic virus (really different skills). So, I attempted to clean it to try to make things a bit clearer. I cleaned the file and BINGO! :) another file came out, detected as PWS-Banker.gen.q! :) Which means that the malware created/bought by the malware writer was infected, or he/she got infected before posting the file on the site to be downloaded… :) . Yeah, my job is tooo funny! :)

The evolution of social engineering

It struck me today how much things have changed in the handful of years I’ve been looking at malware. It used to be that malware would frequently give you some little message box or image to make you think you hadn’t just run something nasty or non-functional. But lately that’s fallen out of fashion; I can’t actually remember the last time I saw something that went to that much effort! But today I got something that reminded me of those old tactics: a new W32/Feebs variant.

This pretends to be an installer for online trading software, including a set of almost-compelling-looking installation screens:

It’s a bit less convincing if you actually go to look for the installed product, as there’s no Program Files folder like it says it’s creating.

I wonder why this sort of technique fell out of favor. I would think it’s a warm and fuzzy sort of reassurance to the hapless user who happens to double-click this malware that maybe what they clicked isn’t evil. (Of course they’d be wrong, but that’s beside the point; it’s all about user perception here!) Instead, most malware gives nothing at all. No error, no image, no message box. Wouldn’t that seem particularly fishy to even an uninformed user? Wouldn’t this prompt phone calls to someone more knowledgeable? (i.e. “Hey, my ISP says if I don’t run this file to update my account, I’m gonna get shut off. But the file doesn’t do anything when I run it. I better see what’s wrong!”)

I’m guessing it doesn’t, considering how popular these “silent” malware are now… though I imagine as the general user-base knowledge level goes up in the years to come, perhaps we’ll see a resurgence of these malware with distraction-screens.