Archive for July, 2007

Latest, Coolest Gizmos at a Malware Near You

Over this weekend, McAfee Avert Labs tracked down a phishing website that claims to be selling the first 25,000 exclusive sets of Apple iPhones. This turns out to be the work of Phish-BuyPhony, a trojan designed to redirect legitimate websites to a malicious phishing website that masquerades as them in the victim’s browser. The evil plan is to entice victims into buying limited iPhones from the fake website that never get delivered, with payment made through Western Union or MoneyGram to a guy in Latvia.

To improve its chances, the malware tracks the victim’s web activity and spawns a popup advertisement when the victim browses to Apple’s official website or to popular search engines such as Google or Yahoo.

When clicked, the victim is brought to www.iphone.com, a normally legitimate webpage that redirects to www.apple.com/iphone/. In an infected scenario, the webpage loads a phishing website instead, from the iesecurityupdates.com domain.

The phishing website even displays a TRUSTe icon. When the victim clicks on the TRUSTe icon, it displays a fake validation page for www.iphone.com as a certified participant in the TRUSTe privacy program. This webpage does not come from truste.org, but is hosted on the malicious iesecurityupdates.com domain.
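The post does not say how Phish-BuyPhony performs the redirection; one common way for a trojan to send www.iphone.com or www.truste.org somewhere else is to rewrite the local hosts file, and that mechanism is assumed here. The following script is an added example (not code from the post or from McAfee) that audits hosts-file content for well-known domains that have been either redirected to a routable address or blocked by pointing them at loopback. The sample hosts content and the watchlist are constructed for the demo.

```python
import ipaddress

# Constructed sample of a hosts file after a hypothetical redirect-style infection:
# the brand domains are pointed at an attacker-controlled address (TEST-NET range)
# and the seal vendor's site is sinkholed so the real validation page never loads.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.iphone.com iphone.com
203.0.113.45    www.apple.com
0.0.0.0         www.truste.org
"""

# Assumed watchlist: domains a defender never expects to see overridden locally.
WATCHLIST = {
    "www.iphone.com", "iphone.com", "www.apple.com",
    "www.google.com", "www.yahoo.com", "www.truste.org",
}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not a valid address; ignore the line
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_overrides(text, watchlist=WATCHLIST):
    """Return (hostname, ip, reason) for every watchlisted name found in the hosts file.

    A loopback or unspecified address means the site is being blocked;
    anything else means it is being redirected.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if host not in watchlist:
            continue
        reason = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((host, str(ip), reason))
    return findings


if __name__ == "__main__":
    for host, ip, reason in suspicious_overrides(SAMPLE_HOSTS):
        print(f"{reason:10s} {host:20s} -> {ip}")
```

On a real machine the same function can be run over the contents of the system hosts file; any watchlisted hit is worth a look, since legitimate software has no reason to override the resolution of a vendor's or a search engine's domain.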

 Normally, this website displays the following data:

This phishing website is hosted on a server that was last known to be associated with several HTool-MPack exploits. We’ve just discussed loosely managed web domains repeatedly used to host new malware in a recent blog, and Phish-BuyPhony simply adds to the list.

More screen shots and details of Phish-BuyPhony at:

Zero Day Threats: Part 4 – What’s New and Where Are They Headed?

Parts 3 and 3.5 of this series covered when and how Zero Day Threats are released; this last part briefly covers key events over the past year and touches on what we can expect over the next year.

There have been a few significant developments in the zero day threat space over the past 12 months.  A year ago to the day, the first Month of Bug project was launched, during which browser related vulnerabilities were disclosed, one for each day of July.  Most of these threats had not been disclosed previously.  Many security researchers followed the project closely, numerous press articles were published, and just in general a lot of attention was given to the project, those behind it, and the vulnerabilities that were disclosed.  Since then there have been 8 other Month of Bug Projects.  Many of the vulnerabilities irresponsibly disclosed are considered to be zero day threats. 

Month of Bug Projects

Title                          Month Held
Month of Browser Bugs          Jul-06
Month of Kernel Bugs           Nov-06
Month of Apple Bugs            Jan-07
Month of PHP Bugs              Mar-07
Month of MySpace Bugs          Apr-07
Month of ActiveX Bugs          May-07
Month of Search Engine Bugs    Jun-07

While these projects are growing tiresome and the media attention has largely subsided, the existence of these projects highlights the motivations of those behind them, primarily fame, peer praise, vendor bashing, and raising awareness of the issues.  Some vendors have been more responsive than others, as you’d expect.

Another fairly recent event is the release of a new version of the Metasploit Framework.  A description from the Metasploit site:

The Metasploit Framework (“Metasploit”) is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally 30 auxiliary modules are included that perform a wide range of tasks including host discovery, protocol fuzzing and denial of service testing.

This release speaks to the maturity of vulnerability assessment tools as well as exploit automation.  Speaking of vulnerability assessment tools, the AxMan fuzzer was used to discover nearly 20 different ActiveX flaws during the first of the Month of Bug projects.  Fuzzers are programs designed to test the inputs, or parameters, of an application by feeding it malformed or unexpected data and watching for crashes. While fuzz testing dates back to 1989, recently fuzzers have been used to discover numerous critical security vulnerabilities.  Here’s a list of fuzzers released around the time of the first Month of Bug Project.
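To make the fuzzing idea concrete, here is a minimal mutation fuzzer as an added example (it is not AxMan or any of the tools listed on this page, and not McAfee code). The target is a constructed toy parser for a length-prefixed record that rejects bad input cleanly with ValueError but carries one deliberate bounds-check bug; the fuzzer mutates a seed input, feeds the results to the parser, and reports any input that triggers an exception the parser was not meant to raise. The seed input, the mutation strategies and the iteration count are assumptions for the demo.

```python
import random


def parse_record(data):
    """Toy parser for a record laid out as [name_len][name][value_len][value].

    Malformed input is rejected with ValueError, except for one deliberate bug:
    value_len is read without checking that the byte exists.
    """
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    name = data[1:1 + n]
    if len(name) != n:
        raise ValueError("truncated name")
    m = data[1 + n]                      # bug: IndexError when the name fills the buffer
    value = data[2 + n:2 + n + m]
    if len(value) != m:
        raise ValueError("truncated value")
    return {"name": name.decode("ascii"), "value": value}


def mutate(data, rng):
    """Apply one random mutation: overwrite a byte, drop a byte, insert a byte, or truncate."""
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]
    if choice == 1 and data:
        i = rng.randrange(len(data))
        return data[:i] + data[i + 1:]
    if choice == 2:
        i = rng.randrange(len(data) + 1)
        return data[:i] + bytes([rng.randrange(256)]) + data[i:]
    return data[:rng.randrange(len(data) + 1)]


def fuzz(target, seeds, iterations=1000, seed=1, expected=(ValueError,)):
    """Mutate the corpus and collect inputs that raise anything other than `expected`.

    Inputs the target accepts are added to the corpus so later rounds mutate
    deeper structures. Returns a list of (input, exception_name) pairs.
    """
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except expected:
            continue                     # graceful rejection, not a bug
        except Exception as exc:
            crashes.setdefault(candidate, type(exc).__name__)
            continue
        if candidate not in corpus:
            corpus.append(candidate)
    return list(crashes.items())


def reproduces(target, data):
    """Re-run one input and report the exception class name, or None if it parses."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__
    return None


SEED_INPUT = b"\x03abc\x02hi"          # constructed well-formed record: name "abc", value "hi"

if __name__ == "__main__":
    for data, name in fuzz(parse_record, [SEED_INPUT]):
        print(name, data)
```

The important design point is the split between expected and unexpected exceptions: a parser that rejects input with its own error type is behaving correctly, and only the exceptions it never meant to raise (here, the IndexError from the unchecked read) are recorded as findings. Real fuzzers apply the same idea to crashes and memory errors in native code.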

Fuzzers

Name              Quarter Released
AxMan             Q3-06
CSS-Die           Q2-06
DOM-Hanoi         Q2-06
Hamachi           Q2-06
Orphan Objects    Q3-06

Some fuzzers used during other Month of Bug projects were also later released.

A third significant and recent event was the in-the-wild discovery of a targeted zero day attack on the infrastructure.  I’m talking about the RPC DNS Server Service Vulnerability (CVE-2007-1748). The evolution from discovery to mass attack was not unfamiliar, but this could be a sign of times to come, where targeted attacks branch out from the more typical application vector (namely MS Office) and focus more on the infrastructure.

So what lies ahead?

  • The Month of Bug projects should start to slow down before too long, as the newness wears off and researchers look to other means of raising awareness
  • The development of exploit tools will continue to mature with continued and increasing collaboration as well as availability
  • The market for quality exploits will continue to expand
  • Web applications will continue to be a major target for attackers
  • The infrastructure will be a growing target moving forward

I hope you’ve enjoyed this blog series.  This data and commentary represents a fraction of the content that my colleagues and I have been preparing for threat forecast reports covering a wide range of threat topics; content that is being used by customers and McAfee alike to plan for the future, invest more wisely, and mitigate risk.  These forecasts are being produced and updated on a regular basis.  Look for excerpts in future blog postings and series.

DOC files and social engineering

There has been a raft of new variants of various Spy-Agent malware over the past few weeks, which arrive as DOC files containing an embedded file that must then be double-clicked in order for it to run. Almost invariably, the files appear to be a notice of a complaint from some agency or other (IRS, Better Business Bureau, etc.), and when you open the DOC the text says only that the file inside must be double-clicked.

Note that I say nothing about any exploits, anything automatically running, or any of the sorts of scary technology we’ve become accustomed to. This is pure, simple social engineering. Scare a person into jumping through a variety of hoops. And all indications point to the fact that this technique is working remarkably well.

The question this brings up to me is, when did people stop filtering DOC files? It used to be de rigueur to filter office files at the gateway, back in the macro virus days. Despite the incredible popularity of targeted attacks using MS Office files, this seems to have fallen out of fashion.

So, I open this up to you, Dear Readers:

What file types, if any, do you filter at the gateway? Why did you choose that file type, and/or reject filtering for other file types?
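As an added illustration of the gateway filtering the post asks about (example code, not a McAfee product or anything from the original post), the following script classifies attachments by their leading bytes rather than by file extension, so that a legacy Office compound document renamed to .pdf is still recognised as an Office file. The policy (block Office documents and executables) and the sample attachments are constructed assumptions for the demo; a real gateway would add many more types.

```python
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound document (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                         # zip container, also OOXML (.docx/.xlsx)
PE_MAGIC = b"MZ"                                  # Windows executable image

# Assumed gateway policy, mirroring the post's old practice of filtering Office files.
BLOCKED_KINDS = {"ole-office", "executable"}

# Extensions that legitimately carry each container type; anything else is a mismatch.
EXPECTED_EXTENSIONS = {
    "ole-office": {"doc", "dot", "xls", "ppt", "msg"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "executable": {"exe", "dll", "scr", "com"},
}


def classify(head):
    """Identify the container type from the first bytes of the attachment."""
    if head.startswith(OLE_MAGIC):
        return "ole-office"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(PE_MAGIC):
        return "executable"
    return "other"


def extension(filename):
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def gateway_decision(filename, head, blocked=BLOCKED_KINDS):
    """Decide by content, and flag when the extension disagrees with the content."""
    kind = classify(head)
    ext = extension(filename)
    mismatch = kind in EXPECTED_EXTENSIONS and ext not in EXPECTED_EXTENSIONS[kind]
    return {
        "kind": kind,
        "action": "block" if kind in blocked else "allow",
        "extension_mismatch": mismatch,
    }


# Constructed sample attachments: name plus the first bytes of the content.
SAMPLES = [
    ("IRS_complaint.doc", OLE_MAGIC + b"\x00" * 8),
    ("invoice.pdf", OLE_MAGIC + b"\x00" * 8),      # Office file hiding behind a .pdf name
    ("minutes.docx", ZIP_MAGIC + b"\x14\x00"),
    ("readme.txt", b"Hello from accounting\n"),
]


def screen(samples=SAMPLES):
    """Run the policy over every sample and return decisions keyed by filename."""
    return {name: gateway_decision(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, decision in screen().items():
        print(f"{decision['action']:5s} {decision['kind']:11s} mismatch={decision['extension_mismatch']} {name}")
```

Whether .docx (a zip container) should be blocked along with legacy .doc is exactly the kind of policy choice the post is asking readers about; the code keeps the two kinds separate so the decision can be made per container type.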

iPhone Ads Are Full of Spam

Just in time for the release of the hottest gadget of 2007, the scammers are up to their old tricks again. In fact, if you use a search engine to try to find a deal on an Apple iPhone, be prepared for scam sites galore.

For example, search for the keyword “iphone” and check out the advertisers. Two of them caused spammy e-mail to be sent to our McAfee SiteAdvisor service. And not just a little. Our inbox averaged 66 e-mails a week after signing up with easyfreecellphones.com. But our sign-up at giveawaycafe.com resulted in a stunning 511 e-mails per week!

http://www.siteadvisor.com/sites/easyfreecellphones.com

http://www.siteadvisor.com/sites/giveawaycafe.com

The same kinds of sites result from keywords: apple iphone:

http://www.siteadvisor.com/sites/consumerresearchcorporation.com

http://www.siteadvisor.com/sites/giveawaycafe.com

And keywords: free iphone:

http://www.siteadvisor.com/sites/unclaimedfree.org

http://www.siteadvisor.com/sites/consumerresearchcorporation.com

http://www.siteadvisor.com/sites/easyfreecellphones.com

Who Wins? Who Loses? And does anyone actually get an iPhone?

McAfee analysis shows that these sites are experts at bait and switch tactics. They seem to promise a free product, typically whatever is hot at the moment – this summer that means the Apple iPhone. The sites make it seem incredibly easy to win the free merchandise. Just provide your e-mail and your mailing address, fill out an “offer”, and you could have the hottest, most revolutionary gadget to hit the market! In reality, almost no one receives the promised “freebie.” These sites require consumers to start and complete three, four or even five “sponsor offers” to qualify. The offers (which require the consumer to apply for a credit card, start a student loan consolidation, or subscribe to a monthly music service) are real and often come from well known brands like eBay, Netflix, and BMG Music Club.

But few consumers are ever able to successfully complete all the requirements to actually get the free prize. Some sites even require the consumer to recruit 5 friends to complete offers. Industry insiders call it “breakage” – this inability to jump through all the many hoops – and they take pride in their ability to break 95% or more of the consumers who try.

PC World looked at this topic and helped us all understand the winners and losers.

Who loses?

  • The consumer who has spammy e-mail in his inbox, a bunch of expensive subscriptions and NO IPHONE!
  • The legitimate brands which get tarnished by associating with con games like these.

Who wins?

  • The bait and switch “breakage” sites that walk away with big referral fees from spam advertisers and name-brand sponsors.

Updates on Malware Fields

Did you ever ask yourself how long it takes the bad guys to update their trojans when a new situation occurs?

Let’s look at an actual case, involving PWS-Banker.

On June 16th, a major bank in Brazil, Banco do Brasil, released a new internet banking website, changing everything from the old design.
This is one of the most targeted banks in Brazil, and most PWS-Banker variants already carried the old ‘design’ inside them, to make people believe they were on the real site and then type their passwords into a fake application which sends them to a remote e-mail address, as most PWS-Bankers do.

Well, returning to our topic, I just came across a source code repository of such PWS-Bankers, and there were plenty of files for all the banks it targeted, and one file in particular got my attention; it was called (translated) “New Banco do Brasil Screen.jpg”.

This file is dated June 21st and contained the brand new password screen of the new Banco do Brasil website!
So, assuming that the dates are accurate, in less than 5 days the miscreants had a new functional PWS-Banker trojan, updated to work with and mimic the new bank website!

My point on this is that the miscreants are always working on something new and keeping up with new trends, and that’s just another reason to keep your defenses and paranoid radar always up! Well… at least that’s what we do! :)

Awh, they dislike Harry Potter, how cute

I can’t even begin to recall how many times I’ve gotten into this conversation lately: Someone complains about 13-year-olds in their basement writing viruses to get attention, and I counter that we just don’t see that sort of thing anymore. It’s all about the Benjamins, now.

And today, we get this article about a virus which entices people to run it by saying it has a copy of the new Harry Potter book. Obviously the promise is a fake, but what’s notable about this is that it doesn’t try to steal any system information, diddle with your data, or pwn your box – it just makes system changes such that your system becomes largely unusable.

Now, there was a time when that sort of system damage seemed like a Really Bad Thing. It is a significant pain in the rump, until you do fix it. But compared to having to change bank-accounts or fix identity theft issues, it all seems terribly quaint. The changes the virus makes are entirely fixable, and you don’t even have to call your credit card company to do it.

That being said, if people would just not run things like this in the first place and practiced good security hygiene, there would cease to be motivation to write the things that are monetarily motivated. It would be nice to someday wax nostalgic about the Bad Old Days when crimeware ran rampant, as a long distant memory.

Codec: Not just Coder and Decoder

Downloading movies is a common desire for internet users, especially home users. During the process, innocent users might end up with the message “C00D1057: A portion of the file cannot be played; it may require a codec”.  Subsequently, users often turn to search engines for help, but may end up installing malware or fake codecs on their system instead.

Here malware authors target the user’s desire for instant gratification: to watch the just-downloaded movie. These websites swindle users by using keywords like “Codec”, a term that properly stands for the technology that translates signals from analog to digital and vice versa, and whose common usage now extends to video playback and videoconferencing.

By appearance, these social-engineering codec websites look professional, but there is not much difference between them, as shown below, including the description of the webpage (except for the codec name and icon, as shown).

During installation an End User License Agreement (EULA) may be displayed to deceive users.

A better way of dealing with missing codecs is to use well-known players which support most movie files.

McAfee continues to be on the lookout for new versions of such threats.

WFP hack redefined!!!

Today, at McAfee Avert Labs we came across an interesting malware, W32/Crimea that uses an undocumented feature of Windows File Protection.

Windows File Protection (WFP) is a feature of the Windows operating system which prevents other programs from modifying, replacing or deleting critical system files. SFC.dll and SFC_OS.dll are the files that contain the functions used to monitor system files. Earlier malware used to patch these DLLs or modify the registry to disable this feature. We had earlier blogged about some of the techniques used by malware targeting Windows files.

Patching SFC.dll and SFC_OS.dll rendered some of the system defenses useless, but anti-virus companies found a way to identify these patched DLLs and provided remedies to clean the user’s computer of this malice. Again malware authors have found an alternative method, with the help of undocumented functions in SFC_OS.dll itself.

Those interested explored it, and voila! Didn’t they hit a Jackpot! The important functions that are worth mentioning here are:
1. Ordinal 2: SfcTerminateWatcherThread
2. Ordinal 5: SetSfcFileException

The ordinal 2 function terminates the system file watcher thread, as the name implies, and the system is then open to any directory/file modifications by malware until the next reboot. This method requires the malware to inject code into winlogon.exe in order to call the function, since sfc_os.dll is loaded by the winlogon process to provide this protection.

The ordinal 5 function disables WFP for a particular file, normally for one minute. This is all the time the malware needs to do its work successfully!!! Afterwards the system is back in form, but infected by the malware. Even though these techniques have been known for more than a year, we are still seeing them used by malware today. The second method is used by W32/Crimea to infect the system file imm32.dll.

One might start to wonder why in the world Microsoft would provide such APIs in Windows, making the operating system vulnerable to so much malware. One of the reasons could be to update system files and install patches. But it does provide a way for malware to infect the system easily.

As fate would have it, Microsoft is providing a way to disable its own protection using its own APIs. So, is this API a feature? Or is it a flaw?
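Since the one-minute exception leaves WFP itself believing nothing happened, a defender cannot rely on the operating system’s own protection to notice the change; an independent integrity baseline can. The following script is an added example (not McAfee code and not part of the original post) of the simplest form of file integrity monitoring: hash a set of files, then later compare. The demo scenario is constructed in a temporary directory with stand-in files named like the system file the post mentions; the file names, contents and the SHA-256 choice are assumptions for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(directory, names):
    """Record a hash for each monitored file (the trusted state)."""
    return {name: sha256_file(os.path.join(directory, name)) for name in names}


def compare(directory, base):
    """Report every monitored file that is now missing or has a different hash."""
    changed = []
    for name, digest in base.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            changed.append((name, "missing"))
        elif sha256_file(path) != digest:
            changed.append((name, "modified"))
    return changed


def demo():
    """Constructed scenario: two stand-in 'system files'; one is overwritten after baselining."""
    monitored = {"imm32.dll": b"original imm32 bytes", "kernel32.dll": b"original kernel32 bytes"}
    with tempfile.TemporaryDirectory() as directory:
        for name, body in monitored.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(body)
        base = baseline(directory, list(monitored))
        # Simulate the infection window: the protected file is replaced while WFP looks away.
        with open(os.path.join(directory, "imm32.dll"), "wb") as fh:
            fh.write(b"patched imm32 bytes")
        return compare(directory, base)


if __name__ == "__main__":
    for name, state in demo():
        print(f"{state}: {name}")
```

The baseline must be stored somewhere the malware cannot rewrite it (a read-only share or a separate host), and it has to be refreshed after legitimate patching, which is the very use case the post suggests Microsoft had in mind for the API.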

Did you get your Paypal E-TAN?

Better yet, did you get the e-mail with the subject “PayPal E-TAN Software Nr…”? No? OK, you are lucky then, because this is one of the more recent spams with attached malware. This time the targets are German-speaking people, since the mail is in German. Look at this excerpt:

“Important
With this letter you receive, once only, a copy of your personal E-TAN Generator ID .”

This E-TAN generator software, which is included as an attachment called E-TAN Software_2.68.zip, is actually a downloader which will try to download other pieces of malware, such as a Generic Spy, to your machine from 10 different websites. Most of the sites are .de, but there is also one .com, one .org and one .br.

Yes, divide and conquer! So, beware of this new threat…

Fake advertising attempting to discredit Spamhaus

Last Thursday we noticed a large spam campaign attempting to discredit Spamhaus and DDoS their phone lines. This is undoubtedly linked somehow to the massive and long-term DDoS attacks on the three major blacklists run by Spamhaus, URIBL and SURBL (the latter two are currently being protected by the DDoS Jedi at Prolexic). DDoS attacks on this scale are risky for the botmasters, since they expose the botnets to those interested in such things.

Here is a copy of the mail:

From: Christy June <fake-sender@fake_place.com>
Date: Fri, 5 Jul 2007 20:34:52 +0100
To: “some, one” <spamme@mcafee.com>
Conversation: Which shalom myself magnetic
Subject: What shalom herself magnetic

WORKING TO PROTECT INTERNET NETWORKS WORLDWIDE
Spamhaus tracks the Internet’s Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.

The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and – just as importantly – to delist resolved issues.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Exploits Block List can be used by all modern mail servers, by setting your mail server’s anti-spam DNSBL feature (sometimes called “Blacklist DNS Servers” or “RBL servers”) to query xbl.spamhaus.org. Use of the XBL is free for users with normal mail servers (but networks with high email traffic should see DataFeed).

You can get MUCH MORE if you contact us:

The Spamhaus Project Ltd. 50 Churchill Square, Suite 6, Kings Hill, West Malling ME19 4YU United Kingdom, Tel (+44) 870 766 xxx

This is not an uncommon event for RBL owners; this one is unusual only because of the size, duration and indiscriminate nature of the campaign.

The spammer in this case also had to fake the sender’s address, because Spamhaus’s SPF record is of the “-all” variety, which sensibly denotes that they *only* permit one IP address to send mail for their domain, and so limits the bots’ ability to deliver further.
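To show why a “-all” record frustrates bots forging the domain, here is a small SPF evaluator as an added example (it is not Spamhaus’s record, nor McAfee code, and it is not the original post’s). It handles the ip4, ip6 and all mechanisms with their qualifiers, which is enough to demonstrate the hard-fail behaviour; the a, mx, include and exists mechanisms need DNS lookups and are deliberately reported as unsupported so the example runs offline. The record and sender addresses are constructed.

```python
import ipaddress

# Constructed record in the "-all" style the post describes: exactly one permitted sender.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.10 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate an SPF record for a sending IP and return the SPF result string.

    Supported mechanisms: ip4, ip6, all. Anything else returns "unsupported"
    because resolving it would need DNS.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                     # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]    # "all" always matches: -all means hard fail
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"          # malformed address in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"
    return "neutral"                        # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7"):
        print(sender, "->", check_spf(EXAMPLE_SPF, sender))
```

A bot sending from 198.51.100.7 with a spamhaus.org-style envelope sender gets a hard fail from any receiver that checks SPF, which is why the campaign had to use a throwaway sender domain instead; a “~all” record would only have produced a softfail, which many receivers merely score rather than reject.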

Obviously Spamhaus do not use botnets to send out promotional material ;)
(If this all sounds a bit too fishy to be true you can read more about the traditional “Joe-Job” attack right here).