Archive for July, 2009

Fake Alerts Uncovered

It has been almost a year since rogue anti-virus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering.
Having discussed these methods in earlier blogs, today we will look into the protection mechanisms adopted by these fake alert Trojan families to evade detection by antivirus vendors.

  • Code obfuscation using junk instructions

In the above screenshot, lots of junk code is visible between valid instructions. Junk instructions are used widely across Fake Alert families.

  • Fake API calls

The screenshot shows the use of an API called SetArcDirection, which is not necessary in the code. These kinds of unnecessary API calls are used by malware to defeat emulation. Sometimes, calls to APIs that don't exist are also used by these families to check whether they are being emulated.

  • Customized packer

Many fake alert families use their own custom packers and encryption routines. Some of the families patch existing packers.

  • Use of XMM and MMX instruction sets

XMM, MMX, and FPU instructions that are not needed in the code, along with other junk code, are also used by most of the fake alert families.

The techniques discussed above are not new and have been used in notable malware. But fake alert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, fake alert Trojan families have stepped in to claim the scum-of-the-Internet tag.

New Attacks Against Internet Explorer

If you read Geok Meng and Xiaobo's blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.

At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.

When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

During our research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the origin of the hyperlinked references does not come from the ".gov.cn" and ".edu.cn" domains, which are used by Chinese government and education sites, respectively. If the references do not come from either of these domains, it starts sending a cocktail of exploits including:

  • Exploit-MSDirectShow.b (zero-day)
  • Exploit-XMLhttp.d
  • Exploit-RealPlay.a
  • JS/Exploit-BBar
  • Exploit-MS06-014

Each of these exploits targets a different application that could be vulnerable (Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar) and that can be reached via the Internet Explorer browser.

From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

When successful, the attacker installs a downloader Trojan that could download other malware.

This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, in IE 7 on Windows Vista, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).

We will post more information as we receive it.

(Thanks to our colleague Wei Wang for assistance in this analysis.)

July Spam Report Appears

Today McAfee released its July 2009 Spam Report, which reveals the Top 15 spam subject lines by domain, among other highlights. So what was the one subject line that was most popular in six continents this quarter? Viagra.

For the .COM domain, “hi” and “hello” hit the most in-boxes, while Viagra and “Salute, man!” subject lines were the most common in the .UK domain.

Among the other findings in the June Spam Report:

• Cybercriminals try to hide from local authorities by sending their spam to foreign addresses

• Recipients of spam are blocking emails from entire regions of the world, meaning the large quantity of spam being hosted by developing nations may hurt the growing legitimate businesses there that are trying to send valid emails

The current Top 5 spam subject lines for the .COM domain are:

1. Hello
2. Hi
3. RE: DISCOUNT 80% 0FF on Pfizer !
4. Replica Watches
5. Undelivered Mail Returned to Sender

See the Top 15 subject lines for each major domain (.ORG, .UK, .CN, etc.), as well as the rest of McAfee’s July Spam Report here.

McAfee Coverage of the DirectShow Exploit

Since we reported about the new attacks against Internet Explorer exploiting a vulnerability in a DirectShow ActiveX object, we have released DATs/coverage updates for many of our products and technologies.

Current status for each of the content areas:

  • Malware: Coverage is provided for exploit code in the 5668 DATs, released on July 6
  • HIPS: Generic buffer overflow should provide coverage
  • McAfee Network Security Platform: Coverage was provided on July 6
  • McAfee Vulnerability Manager: Coverage was provided on July 6
  • MNAC: Coverage will be provided in the next release
  • VirusScan Enterprise: Buffer overflow protection should provide coverage
  • McAfee Web Gateway, Anti-Malware Edition: Behavior analysis provides coverage against currently known exploits

Other Internet users and website administrators can also download the free Stinger tool to scan computers and web pages for known malware relating to this attack:

We will continue to monitor the situation to provide comprehensive coverage.

An Artemis View of Zero-Day Attacks

In our blog from yesterday, we described how Exploit-MSDirectShow.b has been widely deployed on hijacked websites in China, targeting Internet Explorer users. When a victim browses one of these sites, malware is downloaded to the computer. To better understand the current impact of these attacks, we have monitored the prevalence of its downloaded malware through Artemis.

Since yesterday, our Artemis technology has detected new malware installed by Exploit-MSDirectShow.b that was targeted to certain geographical regions of the world.

In China, a new sample variant was queried by Artemis more than 180 times at more than 70 unique IP addresses (ISP, not end point) over a 24-hour period. This is represented by the many red dots in the following figure:

[Figure: Artemis query map]

This particular sample was first seen only in mainland China, but we soon saw Artemis queries from Korea, Japan, Australia, Singapore, Taiwan, and the United States in very small numbers. As we know, the web has no boundaries, and the potential risks of the DirectShow zero-day vulnerability are not limited to specific languages or regions. We will closely monitor this trend.

This sample is already heuristically detected in the DATs and Artemis. After our analysis, it has now been classified as Downloader-BRT Trojan.

SWF Flash Exploits: Old Wine in a New Bottle

Adobe Flash applications have been a major security concern during the past couple of years. The large number of Flash vulnerabilities published, coupled with its popularity and wide distribution, makes Flash files an attractive target for cybercriminals. Infected banner ads are not new; these Flash-based "malvertisements" have plagued ad servers and popular websites for a very long time.

A malicious Flash file can be crafted to contain an image or an animation to fool unsuspecting users into believing the file is legitimate. Lately, we have observed a spike in the number of websites hosting malicious Flash files that exploit the integer-overflow vulnerability in the DefineSceneAndFrameLabelData tag. These are popularly known as Exploit-CVE2007-0071.

Although the vulnerability has been fixed for some time, the bad guys are always coming up with new and progressive mechanisms to evade detection.

Flash Player 9 and later comes with a new virtual machine called ActionScript Virtual Machine 2 (AVM2), which is designed to execute programs written in the ActionScript 3.0 language. ActionScript 3.0 supports a native method called loadBytes().

The flash.display.Loader class supports the loadBytes method, which takes a byte array to fill the loader with data. The bytes injected can be in the form of GIF, JPG, PNG, or SWF files. Embedding the vulnerable SWF (small web format) file inside the loader provides attackers the multifold advantage of ensuring successful exploitation while complicating the analysis for researchers.

The image above shows the embedded malicious SWF file inside the loader file. This loader uses the loadBytes method to inject the bytes into the security context of the application.

In recent versions of the exploit, the embedded SWF file is encrypted using various obfuscation techniques such as byte-shifting algorithms or random XOR keys, as shown in the figure below.
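As an added example (not code from the original post), here is a small Python triage scanner for the two things described above: a DefineSceneAndFrameLabelData tag whose SceneCount is far larger than the tag can hold (the integer-overflow shape of CVE-2007-0071) and an inner SWF hidden behind a one-byte XOR key for later use with loadBytes(). The tag codes come from the SWF file format specification; the "SceneCount larger than the remaining tag bytes" rule is our own heuristic, and the sample SWF the block builds is constructed for the demonstration, not a real exploit.

```python
import struct
import zlib
DEFINE_SCENE_AND_FRAME_LABEL_DATA, DEFINE_BINARY_DATA = 86, 87   # tag codes from the SWF spec

def swf_body(data):
    """Body after the 8-byte header; a CWS file carries a zlib-compressed body."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file")
    return zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]

def iter_tags(body):
    """Yield (code, payload) per tag record, skipping the RECT, frame rate and frame count."""
    nbits = body[0] >> 3                              # RECT: 5-bit Nbits, then 4 x Nbits fields
    pos = (5 + 4 * nbits + 7) // 8 + 4                # + 2 bytes frame rate + 2 bytes frame count
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                            # long form: 32-bit length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length

def encoded_u32(buf):
    val = 0                                           # EncodedU32: 7 bits per byte, high bit = continue
    for i, b in enumerate(buf[:5]):
        val |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            break
    return val

def scan_swf(data):
    """Return (finding, detail) tuples: oversized SceneCount, or an inner SWF hidden by 1-byte XOR."""
    findings = []
    for code, payload in iter_tags(swf_body(data)):
        if code == DEFINE_SCENE_AND_FRAME_LABEL_DATA and encoded_u32(payload) > len(payload):
            findings.append(("oversized SceneCount", encoded_u32(payload)))  # heuristic for CVE-2007-0071
        for key in range(256 if len(payload) >= 8 else 0):   # key 0 also finds a plain inner SWF
            dec = bytes(b ^ key for b in payload)
            i = max(dec.find(b"FWS"), dec.find(b"CWS"))
            if i != -1 and i + 3 < len(dec) and 1 <= dec[i + 3] <= 20:   # plausible version byte
                findings.append(("embedded SWF (xor key %#x)" % key, code))
    return findings

def build_sample_swf(xor_key=0x5A):
    """Constructed sample, not a real exploit: a huge SceneCount plus an XOR-hidden inner SWF."""
    tag = lambda code, p: struct.pack("<HI", (code << 6) | 0x3F, len(p)) + p   # long-form record
    inner = bytes(b ^ xor_key for b in b"FWS\x09" + b"\x00" * 12)
    body = b"\x08\x00\x00\x0c\x01\x00" + tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA, b"\xff\xff\xff\xff\x0f\x00")
    body += tag(DEFINE_BINARY_DATA, inner) + tag(0, b"")    # header above: 1-bit zero RECT, 12 fps, 1 frame
    return b"FWS\x09" + struct.pack("<I", 8 + len(body)) + body
```

Running scan_swf(build_sample_swf()) reports both the oversized SceneCount and the inner SWF recovered under key 0x5a; on a real file the XOR pass is only a cheap first look, since byte-shifting schemes need the loader's ActionScript to be read.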

We expect this trend to continue as cybercriminals target low-hanging fruit such as applications, and Flash is no exception. As always, make sure you are protected and that the Flash Player is updated to the latest version. Happy surfing :)

Variant of Mac Malware Another Party Puper

We recently received a new sample of the Mac malware OSX/Puper.a. This file [MD5 Sum: 428143005E07E510302BA431FE0C28CC], which disguises itself as a Mac Cinema Installer, was recently mentioned in PC Magazine.

When the DMG file is executed on the Mac, it displays the following message:

As the execution continues, the malware gets installed on the machine with the root user’s credentials. Below is a screen shot of the malware after installation:

The file AdobeFlash in the screen above is the malicious script file. This file is obfuscated using Uuencode and looks like this before decoding:

And like this after decoding:

From the shot above we can see another set of obfuscated code after the scheduled-task instructions. We can also see that the malware creates a scheduled job to run itself once every five hours, as shown below:

Decoding the rest of the script reveals the following:

From the screen above we see that the malware downloads the file generator.pl and executes it.

Although the number of malware samples for Macs still remains tiny compared with the number for Microsoft Windows, new variants of malware such as this remind us to be careful.

Network Security Defeats Microsoft Video ActiveX Exploit

As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield).

Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee Network Security Platform detects this exploit attempt using the attack signature HTTP: Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution. At this point, we have seen active attempts in the wild trying to exploit this vulnerability. Figure 1, below, shows one such attempt as viewed on the Alert Viewer and Figure 2, bottom, shows the corresponding packet capture from the evidence report.

Exploit Attempt Alert
Figure 1. Exploit attempt alert

Packet Capture from Evidence Report
Figure 2. Packet capture from evidence report

Microsoft Security Advisory 972890 says customers can set the kill bit for a bunch of Class Identifiers. Any attempt to use these Class Identifiers for exploitation can be detected using the audit signatures HTTP: Potential Harmful Microsoft Video ActiveX Control I, HTTP: Potential Harmful Microsoft Video ActiveX Control II, and HTTP: Potential Harmful Microsoft Video ActiveX Control III.

All of the attack signatures described above were released on July 6 in the following network security signature sets:
• 5.1.22.14
• 4.1.52.14

Koobface Worm Turns Toward Twitter

McAfee Avert Labs has received a new variant of the Koobface worm. Unlike the previous variants, this one spreads using Twitter by sending fake tweets.

These fake tweets contain links to a video; some of these videos are named "My home video." When users click these links they are prompted to install a video codec. However, following the instructions actually downloads and installs a variant of the Koobface worm.

At McAfee we detect this variant as W32/Koobface.worm.gen.e and W32/Koobface.worm.gen.h. The detection for this variant will be available to the public in today’s release (DAT 5675).

New Wave Of Web Attacks Exploits Office

Today, Microsoft released a security advisory on active attacks in the wild using a vulnerability in Microsoft Office Web Components. Computers with Microsoft Office features that use vulnerable versions of the Microsoft Office Web Components could be infected with malware when browsing malicious websites in Internet Explorer.

From our investigation, Exploit-CVE2009-1136, a new zero-day exploit, was added to the web exploit toolkits that widely distributed Exploit-MSDirectShow.b on hijacked websites in China just the previous week. Since the start of this new wave of attacks, new Trojans installed by Exploit-CVE2009-1136 have been detected by Artemis technology, which also allows us to get a global view of the spread of this new threat.

For one of the new Trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We did not have automatic protection at that point, but various systems analyzing the threat details soon marked it as malicious.

By now, this sample has spread to many other Internet users in China and has been queried and blocked by Artemis more than 328 times at more than 145 unique IP addresses (ISP, not end point).

[Figure: Artemis query map]

Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.

We will post more information as we receive it.