Archive for October, 2007

No laughing matter or Curiosity killed the cat

Nuwar (aka Storm Worm) changed tactics yet again. Now it attempts to lure its victims by a promise of a good laugh at a “Psycho cat”:

If you do click on the URL you get a page loaded with the usual cocktail of exploits etc.:

So, if you’re not running an on-access antivirus you are in trouble. The page itself pretends to be a funny greeting, complete with a ShockWave clip of a laughing kitty with an appropriate and rather infectious (pun intended) laughter audio.

And, of course, pretty much wherever you click on the page, you get nothing but Nuwar.


Money Mules in the UK - Season Two

On September 20, 2007 I spoke with you about money mules recruitment sites using, as a front, some UK retailing stores carrying Apple products. For your further information and education, the recruitment goes on. I received a new proposal and discovered a new counterfeit site.

But let’s get back to the first deal. As I kept up the enrollment process, I wanted to share with you this experience.

First, I quickly received an e-mail.

My future employer gave me a link leading me to a Frequently Asked Questions (FAQ) about Freelance Job. He also asked me for a full CV (Curriculum Vitae or resume).

The FAQ appeared clear, but contained all the usual and deceptive ingredients:

  • The Company cannot receive payments directly from its Customers because it does not have a branch in Europe (only in the UK);
  • Consequently, the employee will receive payments only into his local bank account;
  • His manager will call him before each bank transfer;
  • The average amount of each bank transfer is estimated at 3000-8000 EUR;
  • The employee will send the money back to the Company via Western Union or MoneyGram;
  • The employee retains 7% of the amount of each bank transaction;
  • 2 or 3 transfers a week can be processed.

Given the fake nature of this offer, I sent them one of my fake CVs!! ;-).

Readers, please remember that even if you have nothing to do with an extraction of funds from another person’s account, by allowing your account to be used to receive and transfer such funds, you will be acting illegally.

Yesterday, I received a new e-mail with my employment contract.

Page 1/3

Page 2/3

Page 3/3

What professional documentation!! I am going to study it now. Let’s wait and see what happens next…

Two dead spammers? Again.

Comments on yesterday’s blog prompted me to clarify why the Web site that described the death of a spammer is, in fact, a hoax. The Web site pretends to be a blog and even has a list of previous months’ entries. None of them work, though, because they do not exist (all point to “sorry.html”, and the whole Web site consists of only a single page about the spammer’s murder):

HTML snippet

No wonder all the historical links do not exist: the Web site itself was registered on 11 October 2007, only a few hours before the “breaking news” appeared on it.

Anonymous domain registration

Plus, neither Russian search sites nor Google have ever heard of this particular spammer (which would be impossible if he really were, as depicted, one of the most prolific). And there is no trace of this murder case in the news, on TV or on the Web. In a word, it is definitely a hoax.

I tend to agree with our colleagues at Sunbelt (http://sunbeltblog.blogspot.com/2007/10/alexey-tolstokozhev-spammer-dead.html) that it could be an attempt to create a highly referenced URL and later it might get populated with exploits and malware.

Intriguing attempts at social engineering

We’ve got quite a few new variants of JS/Feebs recently. Previous variants tended to have pretty dull examples of social engineering tactics, but today brings a new tactic which is rather perplexing.

Here are a few examples of subject lines:

  • Biohazard in teh USA and other countries!
  • Biohazard in the USA and other cuontries!
  • Biohazard in the USA and ohter countries!
  • The huge meteorite moves to teh Earth!
  • The hgue meteorite moves to the Earth!

I figure the odd, roving spelling errors could be explained by one of three possible scenarios: They could be misspelling to try to be “more” convincing (like it’s written by a human), they could be trying to pass spam filters, or it could be they just keep stabbing in the dark at spelling correctly. Sort of an Infinite Monkey theory of social engineering.
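One defensive way to handle these roving transpositions, as an added example (not code from the original post): swapping letters inside a word never changes the word’s multiset of letters, so a filter can compare the sorted-letter signature of each word against known lure templates instead of the raw text. The two templates below are constructed from the subject lines quoted above and are an assumption, not a real corpus.

```python
import re

# Constructed lure templates, taken from the subjects quoted above (assumption, not a real corpus).
KNOWN_LURES = [
    "Biohazard in the USA and other countries!",
    "The huge meteorite moves to the Earth!",
]

_WORD_RE = re.compile(r"[a-z]+")


def word_signature(word: str) -> str:
    """Sort the letters of a word: every transposition of letters inside the
    word ('teh', 'hte', 'eth') collapses to the same signature ('eht')."""
    return "".join(sorted(word))


def line_signature(text: str) -> tuple:
    """Per-word signatures, lower-cased, punctuation dropped, word order kept."""
    return tuple(word_signature(w) for w in _WORD_RE.findall(text.lower()))


def similarity(a: str, b: str) -> float:
    """Fraction of word positions whose signatures agree (0.0 .. 1.0).
    Position-based on purpose: the variants keep the sentence shape and only
    shuffle letters, so a positional compare is enough for this lure family."""
    sa, sb = line_signature(a), line_signature(b)
    if not sa or not sb:
        return 0.0
    matches = sum(1 for x, y in zip(sa, sb) if x == y)
    return matches / max(len(sa), len(sb))


def match_lure(subject: str, threshold: float = 0.8):
    """Return (best_lure, score) when the subject is a transposed variant of a
    known lure, otherwise None."""
    best = max(KNOWN_LURES, key=lambda lure: similarity(subject, lure))
    score = similarity(subject, best)
    return (best, score) if score >= threshold else None


if __name__ == "__main__":
    for s in ("Biohazard in teh USA and other cuontries!",
              "The hgue meteorite moves to the Earth!",
              "Quarterly sales report attached"):
        print(repr(s), "->", match_lure(s))
```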

The message bodies are where it gets really odd. Here are the variations for the Biohazard message:

  • The fatal virus promptly extends by the planet.
    The virus was killed already nearby by 3000 person in the USA!
    All people are in danger. We dno’t trust in it, btu unfortunately it is teh truth.
    Authorities while are silent to not create a panic. But we already should operate, we should rescue the children!
    Details and instructions in the attached file. You send this message to all whom know!
    Help us the God..
  • The fatal virus promptly extends by the planet.
    The virus was killed already nearby by 3000 person in the USA!
    All people aer in danger. We don’t trust in it, but unfortunately it is the truth.
    Authorities while are silent to not create a panic. But we already should operate, we should rescue the children!
    Details and instructions in the attached file. You send this message to all whom know!
    Help us teh God..
  • The fatal virus promptly extends by the palnet.
    The virus was killed already nearby by 3000 person in the USA!
    All people are in danger. We don’t trust in it, but unfortunately it is the truth.
    Authorities while are silent to not create a panic. But we already should operate, we sohuld rescue the children!
    Details and instructions in the attached file. You send this message to all whom konw!
    Help us the God..

And now for the discussion of the meteorite:

  • The huge meteorite moves to the Earth.
    Scientists have counted up - the trajectory of a meteorite passes precisely through our planet.
    All poeple are in danger. We don’t turst in it, but unfortunately it is the truth.
    Authorities while are silent to not create a panic. Btu we already should operate, we should rescue the children!
    Details and instructions in the attached file. You send this message to all whom know!
    Help us the God..
  • The huge meteorite moves to the Earth.
    Scientists have counted up - the trajectory of a meteorite passes precisely through our planet.
    All people are in danger. We don’t trust in it, but unfortunately it is the truth.
    Authorities while aer silent to not create a panic. Btu we already should operate, we should rescue the children!
    Details adn instructions in the attached file. You send this message to all whom know!
    Help us the God..

Whoa. Maybe it loses something in translation.

Suffice it to say, we should all continue getting our news about biohazards and meteorites from sources other than strange, spammy emails.

Skype malware in the limelight again

With Skype gaining popularity in the VoIP-IM space, it has become an attractive target for malware authors. Very recently we blogged about the W32/Pykse.worm, which used Skype for spreading.

Today we came across a new trojan, PWS-Pykse, which attempts to steal Skype usernames and passwords. This trojan purports to be a “Skype-Defender” plug-in for Skype. It displays a fake login window to trick the user into entering their login credentials:

Fake Skype login window

The PWS-Pykse trojan does not spread by itself. It relies on social engineering techniques to trick the victim into executing it and is usually posted onto dodgy sites or forums. Upon execution, this trojan kills any running instance of Skype and displays a fake Skype login window. It then captures the username and password entered by the victim and posts them via HTTP to the trojan author’s website.

An alert Skype user would notice that it looks very different from the normal Skype login window, especially since none of the hyperlinks or options displayed are functional! McAfee users are protected against this threat from DAT 5143 onwards.

Nuwar starts ‘Krackin’

The latest trick Nuwar (aka Storm) plays looks like this:

Screenshot of Webserver

Like previous variants, the HTML page contains a script that attempts to execute the malicious file hosted on the web server. However, even if this exploit code is blocked by AV software or is not executed at all because of the browser’s security settings, the user still has the option to click on the download button and infect their machine.

McAfee VSE8 Alert

Make sure you’re protected so you do not join the Storm network!

iPhone SDK to include security in its design

Today Apple announced the planned release of an SDK in February to allow the development of native third-party applications on the iPhone. This seems like a logical step after various hacks that allowed the installation of unauthorized third-party applications, but reading the announcement closely, there is something groundbreaking:

“It will take until February to release an SDK because we’re trying to do two diametrically opposed things at once—provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc.”

In the initial design phase of the SDK, security is specifically mentioned as a major aspect of its development! This is certainly a great step in the right direction, and if everyone looked at security aspects and not just features during development, the electronic world might be a much safer place than it is now.

Also, by openly acknowledging that malware for mobile phones is an issue and will become a bigger one as mobile phones grow more sophisticated, Jobs takes the right step in making the public aware of a problem and acting against it, unlike many others who would rather play it down.

I applaud this move and will strongly recommend it as an example for others to follow.

There’s a bug on my Windows (Mobile phone)!

A vulnerability in Microsoft ActiveSync 4.x has been found that allows an attacker to discover the device password of a Windows Mobile smartphone. Normally you can lock your Windows Mobile phone by setting a password. Even if someone uses ActiveSync to connect to your phone they still need to enter the password before they get access to your email and private data.

The vulnerability is in the method ActiveSync uses to encrypt the password it sends to the phone. An attacker who can sniff the network connection carried over the USB cable can capture the encrypted password. Due to the way the password is encrypted, the decryption key is effectively included multiple times, one copy of the key for every character. Once the attacker has the decryption key, they also have your password.

Fortunately, while this is an interesting vulnerability it’s not likely to be heavily exploited. There are a few obstacles in the attacker’s way.

First, the attacker needs to have physical access (a USB connection) to your Windows Mobile phone. They can only sniff the network from the ActiveSync host PC.

Secondly, the vulnerability only applies to the password that is sent to the phone. If the attacker can’t get the user to enter the correct password, they won’t be able to steal it. The Windows Mobile phone does not send the password to the ActiveSync PC.

At McAfee Avert Labs we have been looking into other possible attacks on Windows Mobile smartphones, especially those performed with malware. We’ve recently published some of our research in a white paper titled “Mobile Malware: Threats and Prevention”.

Among the topics it covers:

  • Text Messaging (SMS interception)
  • Audio and Video (Remote eavesdropping)
  • File format attacks (Malicious .DOC,.XLS files)

We’ve also included a number of ways to prevent these attacks.

Juvenile Hacker Infiltrates U.S. Emergency System

A few weeks ago, in my colleague Lysa Myers’ blog Hacking Vital Infrastructure, she mentioned how some in the general public seem to believe that situations (like the one demonstrated in the video created by the Department of Homeland Security) are just conspiracy theories. The story I read tonight, although not as dire, is another example of how a hacker can infiltrate a vital U.S. system and wreak havoc.

A 19-year-old computer-hacking prankster from Washington state faces 18 years in prison because he evidently thought it would be funny to hack into the Orange County, California’s 9-1-1 emergency system, spoof his number, and fabricate a story that sent a heavily armed SWAT Team storming into an innocent California family’s home.

“The caller goes from a drug overdose to talking about shooting someone,” said Sgt. Mike McHenry, who led the investigation. “Then it changes again saying that he’s been shot in the shoulder by his sister and that he just shot and killed her and would shoot anyone who came near.”

“They surrounded the home, inside were a husband and wife and their two toddlers,” said Farrah Emami, a spokeswoman with the Orange County District Attorney’s office. “The husband heard rustling outside of his home and believed it to be a prowler. He took a knife and went into the backyard. Instead of finding a prowler he found a SWAT team pointing assault rifles at him. It really easily could have escalated into an innocent person being killed,” she added. “We’re lucky that they didn’t shoot him.”

The prank (called “swatting”) cost an estimated US$18,000 and was only one of almost 200 such calls he made all over the United States through the years. Luckily, this kid was just a juvenile delinquent instead of someone with more serious malicious intent.

You’ve Got MP3 Mail!

McAfee Avert Labs has observed a new wave of pump-and-dump spam today that we believe to be originating from the Storm worm botnet. The spammed .mp3 attachments promote a company enjoying huge success in Canada and expecting amazing results in the USA.

These audio files are of very poor quality, and one has to literally strain one’s ears to hear what is being announced. The spammed .mp3 files have been encoded using “LAME 3.97”, an open-source MP3 encoder. The filenames are pretty dynamic; here’s a list:

         Filenames used

In the last year or so we have seen multiple file types being used in spam runs in an attempt to subvert traditional anti-spam detection techniques. From plain text to ASCII art, image spam, DOC, FDF, PDF, RAR, and XLS: thinking out of the box has given stunning results for these creative spammers.

But this latest spam run isn’t just rank stupid but nonsensical. The audio quality is awful! And since one can’t understand what is being said, how do spammers expect this to actually work? Maybe the next spam run will contain video spam or spam of links to video? Only time will tell…