Spammers Using News of RSA Token Compromise as Malware Lure

By now, most people who know who RSA is and what they do should be aware that a couple of weeks ago the company finally admitted that its security tokens had been compromised. Spammers took advantage of this news earlier today, crafting a new malware campaign to ride the wave of bad press surrounding the security company.

Spammers sent out messages hijacking the NSA logo and using subjects such as “Go id token update”, “Security token update”, “Token software update” and similar permutations. The body of the messages states that “A important vulnerability has been discovered in a certain types of our token devices.”, evidently confusing RSA with the NSA. The poor grammar should be a dead giveaway to most that this is a bogus message, but those who just skim and click may find themselves embroiled in a malware party where the guests are most certainly unwanted.

[Image: NSA spoof email]

Malware campaign hijacking the NSA logo.

The two links in the body of the message both lead to a Windows executable, one named blocked_list.exe, the other token_security_update.exe. Both appear to be the same malicious payload. The malware is identified as Zbot or Kazy, depending on the antivirus vendor, and is currently detected by only 30% of the 40+ AV engines at VirusTotal.

Zbot is a persistent and very dangerous piece of malware. Among other nefarious capabilities, it has historically been associated with sophisticated bank fraud: it silently lets remote attackers hijack online banking sessions initiated by a legitimate user on an infected machine.

Thanks to the iGuard team for helping to identify this campaign.

Are you interested in an exclusive invite to the IRS Summer Forums 2011?

Me neither, but if you are, consider yourself a potential target for the latest scam from the criminal underground.

Yesterday, our defense network flagged an anomalous cluster of messages which, when analyzed, revealed an interesting virus campaign. The messages come with subjects such as “The IRS 2011 Summer Forums” and “The Internal Revenue Service 2011 Summer Forums Invitation”, among other similar variants.

[Image: Malicious email]

The body of the message starts with the salutation “Exclusively for [targeted individual],” with the recipient’s full name in place of the bracketed text. The message goes on to describe the events, which seem like something only tax practitioners would be even remotely interested in. The IRS does in fact host such events, and a quick look shows that the IRS is aware of the malicious campaign.

It seems a strange hook to use as a means of tricking end users into opening a malicious attachment. This obscurity may imply that the perpetrators of this particular crime have set their sights on small-business individuals who have privileged access to financial information and systems. This kind of targeted attack is called spear-phishing, and it continues to be one of the most significant threats on the web today.

Attached to this wolf in sheep’s clothing is a specially crafted Microsoft Word document which contains an Adobe Flash based exploit. To the victim, the document would appear blank, or it might crash the program. Either way, opening the document (named application_form.doc) would initiate the attack against the user’s system. This would result in code being executed which would then download other malicious software to run on the now compromised system. That malware is typically associated with rootkits, which give attackers a backdoor into the system. This allows a remote attacker to monitor keystrokes, search the hard drive and even piggyback on encrypted sessions with online banking systems.
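As an added example (not part of the original post), here is a small Python triage filter built from the indicators the two campaigns above expose: the token-update subject lines, the “A important vulnerability” phrase and the executable download links of the RSA lure, and the IRS Summer Forums subjects, the “Exclusively for” salutation and the application_form.doc attachment of the spear-phishing lure. The sample messages, the example.invalid hosts, the scoring weights and the threshold are all constructed for this example; the executable-extension check generalizes beyond the two filenames in the post.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Subject lines quoted in the post, generalized to their permutations.
SUBJECT_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b(?:go\s*id|security|token)\s+(?:token\s+)?(?:software\s+)?update\b",
    r"\b(?:irs|internal revenue service)\b.*\b2011\s+summer\s+forums?\b",
)]
# Phrases lifted verbatim from the lures (the spam's own grammar is the signature).
BODY_PHRASES = [re.compile(p, re.I) for p in (
    r"\bA important vulnerability\b",
    r"\bExclusively for\b",
)]
# File names named in the post; the extension set is a constructed generalization.
LURE_FILENAMES = {"blocked_list.exe", "token_security_update.exe", "application_form.doc"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SUSPICIOUS_THRESHOLD = 3  # constructed: score at which a message is quarantined


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    score: int
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _basename_of_url(url: str) -> str:
    """Return the lower-cased last path component of a URL."""
    return posixpath.basename(urlparse(url).path).lower()


def score_message(msg: Message) -> Verdict:
    """Accumulate a score and a list of machine-readable reasons for one message."""
    score, reasons = 0, []
    if any(p.search(msg.subject) for p in SUBJECT_PATTERNS):
        score += 2
        reasons.append("lure-subject")
    if any(p.search(msg.body) for p in BODY_PHRASES):
        score += 1
        reasons.append("lure-phrase")
    # Links in the body: any direct-to-executable link is bad; known names are worse.
    for url in URL_RE.findall(msg.body):
        name = _basename_of_url(url)
        if posixpath.splitext(name)[1] in EXECUTABLE_EXTS:
            score += 2
            reasons.append(f"executable-link:{name}")
        if name in LURE_FILENAMES:
            score += 3
            reasons.append(f"known-lure:{name}")
    # Attachments: the .doc carrying the Flash exploit is only caught by name here.
    for att in msg.attachments:
        name = att.lower()
        if name in LURE_FILENAMES:
            score += 3
            reasons.append(f"known-lure:{name}")
        elif posixpath.splitext(name)[1] in EXECUTABLE_EXTS:
            score += 2
            reasons.append(f"executable-attachment:{name}")
    return Verdict(score, reasons)


# Constructed sample messages modelled on the two campaigns.
RSA_LURE = Message(
    subject="Security token update",
    body="A important vulnerability has been discovered in a certain types of our "
         "token devices.\nDownload the update: "
         "http://update.example.invalid/token_security_update.exe",
)
IRS_LURE = Message(
    subject="The IRS 2011 Summer Forums",
    body="Exclusively for Jane Doe,\nPlease find the registration form attached.",
    attachments=["application_form.doc"],
)
BENIGN = Message(
    subject="Minutes from Tuesday's meeting",
    body="Hi all, notes attached. Slides at http://intranet.example.invalid/slides/q2.pdf",
    attachments=["minutes.docx"],
)


if __name__ == "__main__":
    for m in (RSA_LURE, IRS_LURE, BENIGN):
        v = score_message(m)
        print(f"{m.subject!r}: score={v.score} suspicious={v.suspicious} {v.reasons}")
```

The point of the reasons list is that a quarantine decision stays explainable to the analyst who reviews it; the weights are deliberately coarse, because a filter like this is a stop-gap for the window (hours to days, per the detection rates above) before antivirus signatures catch up, not a replacement for them.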

The vulnerability is tracked as CVE-2011-0611, which Adobe rates as “Critical”; it was initially discovered back in April of this year, circulating in the wild as a zero-day exploit. This vulnerability was also implicated in some of the high-profile targeted attacks earlier this year, as noted in my previous post.

At the time of our detection, the malicious .doc was recognized by only two of the 43 antivirus engines at VirusTotal. As of this writing, nearly 24 hours later, detection remains low, with a paltry five engines, or not quite 12%, flagging the malware.

This campaign continues a string of Advanced Persistent Threats which security researchers are coming to know as the new face of spam. Gone are the days when spam was a mere annoyance, blasted out indiscriminately across the web. Over the past year spam has taken an ugly turn towards low volume, more specific targeting and rather innocuous-seeming, or downright misleading, content. A mere click could end up granting access to the machine (and the privileged access that machine enjoys in a larger network context) to cybercriminals potentially thousands of miles away. Spam volume may be down, but the threats are more sophisticated and dangerous than ever.