Archive for December, 2008

Christmas Worm Uses McDonalds, Coca-Cola as Bait

It’s déjà vu again when Internet scamsters take advantage of the approaching Christmas holidays to entice computer users into opening malicious emails in the guise of holiday promotions or postcards. In the runup to Christmas, every year we see malware authors use varying themes to infect users. And this December is turning out to be no different.

Already in the first week of December, McAfee Avert Labs has observed two active spam campaigns using malware-laced Christmas themes. The first is a spammed e-greeting that links to an IP address hosting an old-school IRC/Bot SFX package. The animated image in the email is taken from a legitimate site, while the bait IP address [202.82.11.4] belongs to a compromised web server based in Hong Kong.

The second threat is a new worm christened W32/Xirtem@MM. This worm has a built-in SMTP engine that mass mails copies of itself to email addresses harvested from an infected machine. It uses subjects ranging from Hallmark E-Cards to McDonalds and Coca-Cola Christmas promotions. And to lend authenticity to the email, the images displayed in the spammed email are directly borrowed from the parent websites of Hallmark, McDonalds, and Coca-Cola.

The worm also has the capabilities of spreading via removable storage devices and peer-to-peer networks. Upon execution, it displays the above picture to trick users into believing that it was a harmless image file.

The upcoming 5453 DATs, to be released today, contain detection for the W32/Xirtem@MM worm, while users of McAfee Artemis Technology are already protected in real time against this type of threat :-)

In the coming weeks, these tactics will tend to evolve rapidly, from crude to sophisticated, as spammers increasingly use Christmas-based themes to lure victims. With the level of sophistication seen in today’s threats, the malicious payload could easily be hidden within layers of obfuscation or clever social engineering, and could fool even the savviest of users who try to inspect an email before opening. It is therefore imperative that users are educated on how to avoid becoming a victim. Visit the McAfee Security Advice Center to learn all about online and computer safety tips to help you stay protected.

Koobface remains active on Facebook

A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook.  Users reported receiving spam messages, such as:

When a user follows the link, they’re redirected to one of many different compromised hosts, which displays a fake error message that the version of Flash is out of date.  Next the user is prompted to download/open flash_player.exe, a new Koobface variant.

If the user chooses to install the executable, a fake error message is displayed.

Facebook is already aware of this threat and is purging the spammed links from their system.  But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better.  It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms.  The safe-computing practice created more than 10 years ago still applies today, which is not to open any unexpected email attachments, even if they are from someone you know.  Only in this context, it must be expanded to the following:

Do not follow any unexpected hyperlinks you receive over the Web, email, or IM, even if they come from someone you know.  It’s best to ask the sender to confirm that they intentionally sent such a link.
 
On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting the content from a third-party website.

The upcoming DAT release contains detection for the new Koobface variant, while users of McAfee Artemis Technology are already protected in real-time against this threat.

As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup.   This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results.  Search terms are directed to find-www.net.  This enables ad hijacking and click fraud.
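The proxy component above leaves three host-level indicators: the dropped binary under %ProgramFiles%\tinyproxy, a service named SamSs that does not point at the real Security Accounts Manager, and a TCP listener on port 9090. The following is an added example of checking a host inventory for those indicators; it is not McAfee's tooling. The inventory layout (service name and ImagePath, TCP listeners with owning process) and the rule that a genuine SamSs is hosted by lsass.exe are this example's own assumptions, and the sample hosts are constructed.

```python
"""Look for the Koobface proxy indicators in a host inventory (added example)."""
import ntpath

SUSPECT_SERVICE = "samss"
SUSPECT_PORT = 9090
TINYPROXY_RELATIVE = r"tinyproxy\tinyproxy.exe"
# Assumption: on a clean system the SamSs service is served from lsass.exe.
LEGIT_SAMSS_IMAGE = r"c:\windows\system32\lsass.exe"


def image_binary(image_path):
    """Return just the executable from a service ImagePath (handles quoting and arguments)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0]


def check_inventory(inventory):
    """Return human-readable findings; an empty list means no indicator matched."""
    program_files = inventory.get("program_files", r"C:\Program Files")
    tinyproxy = ntpath.join(program_files, TINYPROXY_RELATIVE).lower()
    findings = []
    for svc in inventory["services"]:
        binary = ntpath.normpath(image_binary(svc["image_path"])).lower()
        if svc["name"].lower() == SUSPECT_SERVICE and binary != LEGIT_SAMSS_IMAGE:
            findings.append(f"service {svc['name']} runs {binary} instead of lsass.exe")
        if binary == tinyproxy:
            findings.append(f"service {svc['name']} runs the dropped proxy {binary}")
    for lst in inventory["listeners"]:
        if lst["proto"].lower() == "tcp" and lst["port"] == SUSPECT_PORT:
            findings.append(f"{lst['process']} (pid {lst['pid']}) listens on TCP {SUSPECT_PORT}")
    return findings


# Constructed sample data: what an infected and a clean host would look like.
INFECTED_HOST = {
    "program_files": r"C:\Program Files",
    "services": [
        {"name": "Dhcp", "image_path": r"C:\Windows\system32\svchost.exe -k NetworkService"},
        {"name": "SamSs", "image_path": r'"C:\Program Files\tinyproxy\tinyproxy.exe" -c config.txt'},
    ],
    "listeners": [
        {"proto": "tcp", "port": 135, "pid": 880, "process": "svchost.exe"},
        {"proto": "tcp", "port": 9090, "pid": 1234, "process": "tinyproxy.exe"},
    ],
}
CLEAN_HOST = {
    "services": [{"name": "SamSs", "image_path": r"C:\Windows\system32\lsass.exe"}],
    "listeners": [{"proto": "tcp", "port": 445, "pid": 4, "process": "System"}],
}

if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(name, check_inventory(host) or "no indicators")
```

On a live Windows host the inventory would be filled from the service control manager (ImagePath values) and from a listening-socket listing; the three checks are independent, so a variant that renames the service or moves the binary still trips the port check, and vice versa.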

Fake-Alert Tour Driven by Malware Team

Fasten your seatbelts, for today we take you on a tour of fake-alert Trojans that have been making the rounds on the Internet lately. On this tour of various malware stations you’ll be taken to a system infected by a fake/rogue anti-virus application. Below is an example of a method such malware uses to infect a machine.

Here is your itinerary:

Station 1: Malicious web page that hosts malware
Station 2: Browser helper object
Station 3: Fake/rogue anti-virus application downloader
Destination: Fake/rogue anti-virus application–infected system

The journey starts with a malicious web page that hosts malware. Users reach these malicious pages through social engineering techniques such as a link sent via email or instant messenger, or redirection from a compromised legitimate website. A single click on these links will start the infection.

Upon visiting the malware-hosting web page, the user “buys a ticket” in the form of an executable file downloaded onto the system through some social engineering technique.

On our example tour,

  • http://best[blocked]tube.net

When users visit the page above, they’re asked to download wmcodec_update.exe, which pretends to be a codec plug-in for Windows Media Player. A message box pops up repeatedly until users download the fake plug-in file, which is a Multi Dropper malware.

Upon execution, the downloaded file pops up a fake error message, as shown below:

Apps Error

The malware continues to execute and drops

  1. Browser helper objects
  2. Fake/rogue anti-virus application downloader

Our “tourists” now move to the next station, the browser helper object. At this station, the victims’ browsers are compromised. For example, a user’s search queries are manipulated to contain a link to another malicious web page. The following two images show the difference between a “clean” search and one made after a link to a malicious web page has been injected by the browser helper object. I have highlighted one malicious site; try to find five differences between the two images. ;-)


Before injection of the URL:

clean search results

A compromised browser–after injection of the malicious URL:

fake search results

Many spyware applications use browser helper objects to capture the surfing habits of users. This information is used later by the malware authors for pop-up ads relevant to search keywords, for example.

The next station on our tour is the fake/rogue anti-virus application downloader. Here users see two magazines, which are links to porn sites, on the desktop.

fake magazine

The fake application is downloaded without user intervention by the “fake” downloader. Finally, the users’ systems are infected with fake-application malware.

At this point, users see a bogus alert from the fake application.

fake warning

Scanning through the report generated by the fake app reveals that this report is exaggerated and false.

fake scan report

The fake-alert malware displays spurious alerts to entice users into buying products to “repair” the system from the fake, exaggerated threat.

fake activation

fake subscription

Did you enjoy your fake-alert tour? Today, malware components often work as a team to infect computers. In this tour, we saw a malicious web page hosting malware, a Multi Dropper, a browser helper object, a downloader, and a fake alert work together toward a common goal.

As always, we advise you to take precautions with fake plug-in downloads that loop infinitely–without giving you a chance to close that message box. Try to kill such processes of spurious messages through the Task Manager. Be careful about the links in your email, especially in anonymous mail and links in instant messages. Always practice “safe surfing,” which is the first step in keeping your computers clean.

DNSChanger Trojans v4.0

Earlier today SANS posted an excellent blog on a recent variant of a DNSChanger Trojan. There are some significant implications to this threat, but before I go into those, here’s a brief rundown of the main DNS-changing Trojan tactics used to date:

  1. Modify the Windows Hosts file to map specific domain names to specific IP addresses (McAfee classifies these Trojans as QHOSTS Trojans, more of a precursor to DNSChangers)
  2. Modify Windows registry settings to reference specific (rogue) DNS servers [DNSChanger.f]
  3. Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers [OSX/Puper]
  4. Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients [DNSChanger.f]

We’ve now seen a new tactic, which has the potential of impacting most devices on the local network–independent of the operating system or device (Windows, Linux, Internet-capable MP3 players, digital picture frames, refrigerators, you name it). The tactic involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses, as well as other information, including DNS settings.

Here’s a scenario:

  • Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
  • Steve sits down at the next table and fires up his laptop, which requests an IP address over the wireless local area network.
  • Jill’s PC injects a DHCP offer command to instruct Steve’s computer to route all DNS requests through a rogue DNS server.
  • Steve fires up his web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.

The same applies to any local area network (LAN) where multiple systems connect via DHCP.

This is significant for several reasons:

  1. The DNSChanger/Puper/Zlob gang has been very successful, infecting millions of PCs during the last couple of years. This gang typically uses strong social engineering to entice victims into installing the malware.
  2. Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.
  3. Locating a poisoned system on a sizable network is often a difficult task.
  4. Noninfected systems can alternate between using approved DNS settings and rogue settings, depending on whether an infected system is on the LAN and on the random chance that the infected system manages to “poison” the DHCP offer.

For those interested in the details, this DNSChanger variant drops the legitimate ArcNet NDIS Protocol Driver in the drivers directory:

  • %WinDir%\system32\drivers\ndisprot.sys

The Trojan uses this driver to inject DHCP Offer packets containing the rogue DNS server IPs.

Variants using this functionality are not known to be widespread at this point, though even a single infected system could potentially impact hundreds of other systems on the LAN. Though it’s awkward to check, users could examine their DNS settings to see if they have been impacted. For example, type the following from a Windows command prompt:

ipconfig /all
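Checking one machine with ipconfig only tells you about that machine. On a LAN the same question can be asked of the DHCP traffic itself: every DHCPOFFER carries a server identifier (option 54) and the DNS servers it pushes (option 6), so offers captured on the segment can be compared against the legitimate DHCP server and resolver addresses. The following is an added example of that audit, not McAfee's code and not the Trojan's packet format. It assumes the defender has the raw BOOTP/DHCP payloads of captured offers and knows the trusted addresses; the sample packets are constructed here with addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Audit captured DHCPOFFER packets for rogue DNS settings (added example)."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
DHCPOFFER = 2


def parse_dhcp(packet):
    """Parse the fixed 236-byte BOOTP header plus the TLV option list that follows the magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    msg = {
        "op": packet[0],
        "xid": struct.unpack("!I", packet[4:8])[0],
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def ip_list(raw):
    """Decode an option value holding zero or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def audit_offer(packet, trusted_server, trusted_dns):
    """Return problems found in a DHCPOFFER ([] = looks legitimate); None for non-offer messages."""
    msg = parse_dhcp(packet)
    if msg["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0] != DHCPOFFER:
        return None
    problems = []
    server = ip_list(msg["options"].get(OPT_SERVER_ID, b""))
    if server != [trusted_server]:
        problems.append(f"offer for {msg['yiaddr']} came from DHCP server {server or 'unknown'}")
    rogue = [d for d in ip_list(msg["options"].get(OPT_DNS_SERVERS, b"")) if d not in trusted_dns]
    if rogue:
        problems.append(f"offer for {msg['yiaddr']} pushes unapproved DNS servers {rogue}")
    return problems


def build_offer(xid, yiaddr, server_id, dns_servers):
    """Build a minimal DHCPOFFER; used only to construct sample data for this example."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, htype, hlen, hops, xid, secs, flags
    header += b"\x00" * 4                                    # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed           # yiaddr
    header += b"\x00" * 8                                    # siaddr, giaddr
    header += b"\x00" * (16 + 64 + 128)                      # chaddr, sname, file
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_DNS_SERVERS, len(dns)]) + dns
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed samples: the real server's offer, an injected offer from an infected peer,
# and an injected offer that also spoofs the real server's identifier.
TRUSTED_DHCP_SERVER = "192.0.2.1"
TRUSTED_DNS = ["192.0.2.1"]
LEGIT_OFFER = build_offer(0x1234, "192.0.2.50", "192.0.2.1", ["192.0.2.1"])
ROGUE_OFFER = build_offer(0x1234, "192.0.2.50", "192.0.2.77", ["198.51.100.10", "198.51.100.11"])
SPOOFED_OFFER = build_offer(0x1234, "192.0.2.50", "192.0.2.1", ["198.51.100.10"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER), ("spoofed", SPOOFED_OFFER)):
        print(name, audit_offer(pkt, TRUSTED_DHCP_SERVER, TRUSTED_DNS) or "ok")
```

Because a client normally takes the first offer it receives, the legitimate and injected offers for the same transaction ID both appear on the wire; auditing every offer rather than the one the client accepted is what makes the intermittent "poisoning" the post describes visible, and the DNS allow-list still catches an injected offer that copies the real server's identifier.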

For insight into some of what the DNSChanger gang is after, see this post.

McAfee Releases Virtual Criminology Report, Edition 4

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific bank going under hits, scams and malware using that messaging emerge the very next day. The same happened with threats throughout this year’s presidential race as well as after the election: malware using President-Elect Barack Obama messaging emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Downloader Trojan Exploits Hole in IE 7

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be incorrect handling of certain XML tags in Internet Explorer 7.x, which references already-freed memory in mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

Image File Execution Options

Malware authors continue to find unique ways to ensure that their malicious code runs at system start-up.

One such method is through this lesser known registry key:

HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This registry key lets you specify the name of a debugger, in this case “Olly Debugger,” which is launched to debug an application when that application starts.

For example:

To debug notepad.exe when it starts, one simply has to go to this registry key and create a subkey called notepad.exe.

A string value is then created for this subkey, assigned the name “debugger,” and given a value. In the case of Olly debugger, this is what it would look like:

This now ensures that every time the notepad application is invoked, Olly debugger runs instead, which, in turn, opens notepad, enabling it to be debugged.

Here’s the unique aspect about this registry key:

If we replace the debugging application (Olly debugger in this case) with a malicious executable (e.g., trojan.exe), the control will now be redirected to trojan.exe every time notepad.exe is run.

Microsoft intended this registry key to be a useful feature; however, there exists no mechanism whereby Windows can check whether the application to which control is being redirected is, in fact, a rogue application.

I managed to find information on this start-up method, which dates back to 2005. Unfortunately, malware authors are exploiting this very feature to:

1. Start up malicious files, even though the unsuspecting user intends to run another clean application
2. Disable security products, by redirecting the security products’ processes to malicious processes

Tools such as msconfig.exe, intended to check for start-up entries, are underequipped to handle this and do not detect applications that use this redirection technique. Users are advised to use “Autoruns” from Sysinternals instead.

See the screenshot below:

On a related note, the next time you happen to struggle with a severely infected machine with no anti-virus solution or with outdated signatures, you can redirect the malicious process to a clean file using the technique mentioned above.

For example, you can redirect “trojan.exe” to a “clean.exe”. See below:

The next time the malicious process tries to execute itself, the clean file will instead be executed, thus preventing the malicious file from spawning again. As always, remember to back up your registry before doing this.
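Both uses of the key described above, the malicious redirection and the clean-file redirection a responder might set, leave the same artifact: a subkey named after an executable with a "Debugger" string value. The following is an added example that audits those entries; it is not the post author's tool or Autoruns. To run anywhere, it works on the text of a .reg export of the key rather than on the live registry, so the sample export below is constructed (the trojan.exe and clean.exe names are the post's illustrative ones, example-av.exe is a placeholder for a security product's process), and the allow-list of known debugger paths is this example's assumption.

```python
"""Audit Image File Execution Options entries for Debugger redirections (added example)."""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def unescape_reg(value):
    """Undo .reg string escaping: \\ becomes \ and \" becomes a plain quote."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def debugger_executable(debugger_value):
    """Executable part of a Debugger value; a quoted path may be followed by arguments.
    Assumption: an unquoted value is a bare path without arguments."""
    s = debugger_value.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s


def audit_ifeo(reg_text, known_debuggers):
    """Return (image_name, debugger_path, verdict) for every subkey carrying a Debugger value."""
    known = {d.lower() for d in known_debuggers}
    prefix = (IFEO_KEY + "\\").lower()
    findings = []
    current_image = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Only subkeys directly under the IFEO key name an image; anything else is ignored.
            current_image = path[len(prefix):] if path.lower().startswith(prefix) else None
            continue
        dbg = DEBUGGER_RE.match(line)
        if dbg and current_image:
            debugger = unescape_reg(dbg.group(1))
            exe = debugger_executable(debugger)
            verdict = "known debugger" if exe.lower() in known else "suspicious redirection"
            findings.append((current_image, debugger, verdict))
    return findings


# Constructed sample export: one legitimate debugger entry, one malicious redirection of a
# security product's process, and the responder's own trojan.exe -> clean.exe redirection.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\OllyDbg\\OLLYDBG.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"Debugger"="C:\\Windows\\Temp\\trojan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojan.exe]
"Debugger"="C:\\Tools\\clean.exe"
"""
KNOWN_DEBUGGERS = [r"C:\Tools\OllyDbg\OLLYDBG.EXE"]

if __name__ == "__main__":
    for image, debugger, verdict in audit_ifeo(SAMPLE_EXPORT, KNOWN_DEBUGGERS):
        print(f"{image:16} -> {debugger:40} [{verdict}]")
```

The responder's own clean.exe entry is reported as suspicious on purpose: anything not on the allow-list is surfaced, which is also a reminder to remove the temporary redirection once the machine has been cleaned.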

Economic Crisis Creates More Victims

Following the recent release of this year’s McAfee Virtual Criminology Report, I had the opportunity to talk with diverse European journalists. They asked me for some concrete examples of the malicious Internet “offers” that the economic crisis has produced.

Fake working-at-home opportunities
The most visible offers are not new; they are only more numerous. They involve fake recruitment sites proposing working at home, which promises to be well paid and less time consuming than an office job. In fact, these are offers for mule jobs, like the one I described last year.

No doubt these offers attract all types; but when it becomes hard to find a job, the offer can also appeal to honest people.

Fake banking services
Less well known and increasing, fake bank sites flourish over the ‘Net. These are not mirror sites used in phishing attacks; these sites are created solely to attract people searching for a financial institution that can help. When an authentic bank denies a loan, for example, what could be more natural than to search for a more welcoming business?

The next screen captures offer examples of two live websites among the 20 or so I discovered last week.



Fake investment firms

As we watch our investments decline in value, many of us are on the lookout for a high return. Would you welcome an 850 percent profit guaranteed within 24 hours?
 

These investments are beneficial–at least for the crooks who promote them. With scams like these, it’s not necessary to catch people by the hundreds to make a nice sum of money. But if you invest here, you’ll never again see your tied-up capital.

Fake legal services
Cybercriminals know the economic downturn can lead to more people going to court after a dispute with a banker or employer. Watch out for dubious legal offers.
 

Here, too, the “service” will ask you for a cash advance before starting the job, one which will never be honored.

In searching for scam sites I have found many other ripoffs, but I hope you are already convinced: Taking advantage of people who are already victims of financial problems is truly scandalous. Yet this is a reminder, as if proof were still necessary, that today’s crooks have no misgivings about abusing the most vulnerable among us.

Click The Link Below: The Bad Habits That Create New Victims Of Online Fraud

Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has shown to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complaints received, the typical kind of scam that would give your common sense a chance to flex – Nigerian 419 scams – represented only a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email-based scams, and seeks to elicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit crimes of identity theft. Phishing is a smoke and mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes consisted of over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 

 

Click This Link

After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.

 

Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix to avoid filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.
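The two habits just described, clickable links whose visible text names one site while the href goes elsewhere, and scheme-less "copy this into your browser" addresses, can be checked mechanically on an outgoing or incoming message. The following is an added example of such a check, not code from the original post. The sample message is constructed and uses reserved example/test domains, and the institution's single legitimate host (www.example-bank.com) is this example's own assumption.

```python
"""Flag link habits in an HTML email that condition customers to ignore the URL (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_HOST = "www.example-bank.com"  # assumption: the one host customers should recognise
BARE_URL_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s<]*)?", re.IGNORECASE)


def host_of(text):
    """Hostname from a URL or from a scheme-less 'paste this' address; None if there is none."""
    s = text.strip()
    if "://" not in s:
        m = BARE_URL_RE.search(s)
        if not m:
            return None
        s = "http://" + m.group(0)
    return (urlsplit(s).hostname or "").lower() or None


def same_site(a, b):
    """Compare hosts ignoring a leading www., the one variation customers are used to."""
    def strip(h):
        return h[4:] if h.startswith("www.") else h
    return strip(a) == strip(b)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each anchor and the remaining body text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._buf = []

    def handle_data(self, data):
        (self._buf if self._href is not None else self.text).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def audit_email_html(html, legit_host=LEGIT_HOST):
    """Return a list of findings; [] means the message names only the legitimate host, with no links."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    if p.links:
        findings.append(f"{len(p.links)} clickable link(s); name the site in plain text instead")
    for href, text in p.links:
        href_host, text_host = host_of(href), host_of(text)
        if text_host and href_host and not same_site(href_host, text_host):
            findings.append(f"link text shows {text_host} but points at {href_host}")
        elif href_host and not same_site(href_host, legit_host):
            findings.append(f"link to {href_host} is off the institution's own site")
    for m in BARE_URL_RE.finditer(" ".join(p.text)):
        if not same_site(m.group(1).lower(), legit_host):
            findings.append(f"scheme-less address {m.group(0)} invites copy-and-paste to an unknown host")
    return findings


# Constructed sample message showing both habits.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been suspended.
<a href="http://www.example-bank.com.account-verify.test/login">https://www.example-bank.com/login</a>
to verify your details within 24 hours.</p>
<p>Or <a href="https://secure-login.example.net/bank">click here</a> to sign in.</p>
<p>If the link does not work, copy example-bank.com.account-verify.test/login into your browser.</p>
<p>You can always reach us at https://www.example-bank.com/ from your own bookmarks.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_email_html(SAMPLE_EMAIL):
        print("-", finding)
```

Run against a bank's own outbound templates, the first finding alone (any clickable link at all) is the habit the post warns about; the host comparisons then show why it matters, because the link text and the destination can disagree without the reader ever seeing the address bar.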

 

Multiple Sign-On Domains

A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.

 

Multiple Sign-On Pages

In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

The customer should not depend on whether a website “looks” real; however, when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.

 

Log In To Verify Your Account

Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.

 

Security Images

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.

 

In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that does not do much to make them more resilient. None of these techniques will necessarily have any effect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mockup site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, fewer than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.

Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

From Fake Banking to Regionally Targeted Malware

From fake online banking to regionally targeted celebrity porn: that is just two days in the life of a “FormSpy” (a.k.a. “Infostealer”) malware campaign. In the past few days a spam run began promoting a fake “Bank of America” web site, announcing a change to the online banking interface to its “customers.” So that these “customers” can take a quick look at the “demo” page, a preview link is provided, as shown in the sample spam mail:

Example of fake banking spam

Users who follow the lure by clicking the link are presented with a fake banking web site that uses the well-known missing-codec trick: the page claims that an additional component must be downloaded for the site or a video to work. This time it is a supposed update for “Adobe Flash Player” that you are required to install for the “demo page” to function. The update is of course not legitimate software but a trojan.

We have taken a brief look under the trojan’s hood. It not only installs a rootkit but also collects private information from infected computers. This information is leaked to a server using HTTP POST requests and may in the end be sold or used to spread the attacking party’s malware further.

The embedded rootkit is written to the hard disk once the trojan is executed; the rootkit driver’s Portable Executable header can be seen in the screenshot below.

Among the private information collected are POP3, IMAP and FTP server credentials, as well as credentials for the popular “ICQ” instant messenger. See below for a screenshot of the malware’s pseudocode:

The trojan is moreover capable of receiving and executing commands from the malicious host it phones home to, so the malware’s behavior may change and “improve” at any time.

The commands currently understood by this variant of the trojan are as follows:

  • “VER” – writes a “version” value with a given string under the Windows Registry key “HKEY_CURRENT_USER\Software\Microsoft\InetData”
  • “EXE” – updates itself by downloading a new version and storing the resulting executable in the Windows directory, under a filename derived from the current time
  • “DL” – downloads an executable from the Internet (but does not run it)
  • “DL_EXE” – downloads and runs an executable from the Internet
  • “DL_EXE_ST” – downloads an executable from the Internet, adds its path to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” so that it is started at every logon, and executes it
  • “REBOOT” – forces the computer to reboot
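The two registry locations in the command list are the most convenient host artifacts to check for. The following script is an added example, not code from the original post or from McAfee: it parses a “reg export HKCU” dump and flags the “InetData\version” value left by the VER command, plus Run entries whose executable sits directly in the Windows directory (where EXE and DL_EXE_ST drop their files) or under a Temp directory. The sample export, the file names and the value data are constructed; the Windows-directory and Temp-directory rules are heuristics of this example and are not stated in the analysis above.

```python
import re

# Constructed sample of a "reg export HKCU" dump. Assumption: the machine, the
# value data and the file names are fictional; only the two key paths come
# from the command list above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"version"="1.3"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svcinit"="C:\\WINDOWS\\a4f3c1.exe"
"Updater"="\"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\upd.exe\" /silent"
"""

INETDATA_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\InetData"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristics (assumptions of this example, not from the post): an .exe sitting
# directly in the Windows directory, or anywhere under a Temp directory, is
# unusual for a legitimate Run entry and deserves a manual look.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.I)

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the string (REG_SZ) values of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string data
                keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return keys


def executable_from_run_data(data):
    """Strip surrounding quotes and arguments from a Run value, returning the exe path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_indicators(keys):
    """Return (indicator, key, value_name, data) tuples for the artifacts described above."""
    findings = []
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    for name, data in by_lower.get(INETDATA_KEY.lower(), {}).items():
        if name.lower() == "version":  # written by the "VER" command
            findings.append(("inetdata_version", INETDATA_KEY, name, data))
    for name, data in by_lower.get(RUN_KEY.lower(), {}).items():
        exe = executable_from_run_data(data)
        if WINDIR_ROOT_RE.match(exe):  # "EXE" / "DL_EXE_ST" drop files into the Windows directory
            findings.append(("run_windows_root", RUN_KEY, name, exe))
        elif TEMP_DIR_RE.search(exe):
            findings.append(("run_temp_dir", RUN_KEY, name, exe))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%-18s %s -> %s = %s" % finding)
```

On a real machine, export the hive with “reg export HKCU hkcu.reg” and feed the file to parse_reg_export; the legitimate ctfmon.exe entry under system32 is deliberately left alone, while the version value and the two suspicious Run entries are reported.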

An additional spam run targeting Swiss Internet users was reported just yesterday by MELANI, the Swiss “Reporting and Analysis Centre for Information Assurance.” The mail, written in German, promotes a Swiss adult web site hosting celebrity videos; subjects include “Bl*wj*b with Madonna” and “Britney Spears in front of porn camera – scandal.” Following any link contained in the mail directs the user to one of many different malicious domains showing pages similar to the one seen below.

Just as with the fake banking web site above, the videos on this celebrity page supposedly will not play without a codec – too bad! This time the user is offered a high-definition video plugin named “Adobe Player HD plugin.” Again, this is of course not a missing codec but a trojan whose job is to download further malware. What is noteworthy about this downloader is that it contacts a web server running a traffic management system: depending on the user’s geo-location, different malware is delivered. A user from Germany, for instance, is sent a file called “de.exe”, …

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:33:58 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****.com/de.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

… while a user from Switzerland gets “305.exe”:

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:39:48 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****/305.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

Comparing the samples currently served by the malicious host shows that Swiss residents receive a variant of the same “Infostealer” family seen in the “Bank of America” spam campaign above, while users from Germany receive a spam bot instead. So spam is sent from victims in one country while information is stolen from the computers of victims in another.

The “FormSpy” (a.k.a. “Infostealer”) malware is blocked by Artemis as “Generic!Artemis (trojan or variant)”; additional coverage is in the 5461 DATs.