Phishing is Out… Malware via Social Engineering is the New King
Certainly, phishing is not going away, but during the last several weeks, viral activity has increased sharply, and especially for the string of plug-and-play (PNP) [...]
August 11, 2010
Drive-by Malware Campaign Redirecting to Fake AV Web...
Red Condor recently blocked another wave of brand spoofing drive-by malware campaigns; this time with redirects to Fake AV websites.
In previous incarnations of these Plug-and-Play malware campaigns, the browser would be redirected to a “Canadian Pharmacy” or similar site after the exploit suite had been given a chance to execute. A couple of weeks ago, the campaigns began redirecting the browser directly to a downloadable .exe (Windows executable file). This week, the drop-site that scammers are redirecting to is a decent-looking spoof of a Windows XP Explorer window that uses attention-getting graphics and animation to trick users into believing their computer is infected. (See screenshot 1)
Fake AV is more commonly encountered in malware laden search results, a poisoning usually attributed to black hat search engine optimization. Black hat SEO is an umbrella term used to describe various activities related to elevating malicious and other shady websites in search engine results. Fake AV is also commonly encountered on machines that have already been compromised by malware. In these cases, victims are coaxed into paying a fee to cyber criminals in order to “remove” the malware from their system. Fake AV represents yet another incremental step for criminals in finding ways to profit from computers turned zombies.
The drive-by component in this recent wave of brand-spoofing campaigns is using the newer exploit set that targets the Windows Help and Support Center and a few older exploits. We described this newer exploit suite a few weeks ago here: http://www.redcondor.com/blog/?p=298.
The redirect component of the campaign shunts the browser to the Windows XP Explorer window spoof and is intended to trick victims into believing that their anti-virus engine has detected “system errors” and is currently scanning their system “to prevent data lost”. While the bogus scanning activity is ongoing, a “Hardware and security errors detected” section indicates ominous errors and that “Spyware has stolen your personal information.” This landing page is well crafted in terms of graphics (language is another matter) and is quite likely to fool less technically savvy folks. This adds considerably to the virulent nature of this threat.
After a few seconds of bogus scanning activity, a couple of pop-ups are presented to the user. (See Screenshot 2) Humorously, the title of the first of these windows is “Contraviro Warning.” A quick search identifies Contraviro as a known fake AV malware that has been circulating for several years. Another quick search for one of the “found” viruses turns up similar results: http://www.2-spyware.com/remove-trojan-im-win32-faker-a.html
The second dialog box is modal and requires that the user click one of two buttons before control can be returned to any browser window. The pop-up entices the user to click on “OK” to “Start downloading CRITICAL security software update”. If the user complies, the browser downloads a Windows executable, which evidently is hosted under various names; in this case antivirus_24.exe. (24 happened to be the affiliate ID used in the redirection URL, which tends to indicate that this may be a pay-per-install campaign.)
Here is the permalink to the scan results for the antivirus_24.exe file (only 8 out of 42, or 19% of AV engines detected the malware sample as dangerous): http://www.virustotal.com/analisis/dbac0281507987694f6217d655396bb7503bb4ebd2d1d140615e84b5c979171d-1281134394
After downloading the executable, another pop-up handily instructs the user how to run the software. (See screenshot 3) Judging by the hits on Virus Total, this is very likely a Trojan. If the exploit suite hadn’t already compromised the machine, it is certainly compromised now, and in all probability remotely controllable. Moreover, as the fake warnings presciently indicate, private data (e.g. login credentials, etc.) are likely in the process of being stolen.
Finally, attempts to close the browser window that started all this trouble or to navigate to another page will fail. Attempting to do so pops up another modal dialog box, and both choices simply put control back to the malicious page. (See Screenshot 4) The browser process has to be killed to get out of the loop, but most users will probably just restart their computer. Unfortunately, doing so provides a convenient mechanism for the malware to burrow deeply into the file system.
Many ISPs, small and medium enterprises (SMEs) and universities are becoming acutely aware of the problems associated with spam emanating from within their networks. Just about anyone who manages on-premise email services understands the necessity of filtering inbound email to remove spam and other annoying or harmful content.
Outbound mail is another animal, and easily overlooked by many organizations – until it bites. All it takes is a single virus outbreak on your network or a compromised email account. Even a few hours' worth of spam egress can add up to days or weeks of damage control for smaller organizations.
If your early warning system consists of a sudden influx of abuse reports, or discovery of an abnormal number of destination mail servers suddenly rejecting your mail, you’ll soon find yourself engaged in the unpleasant task of de-listing your MTAs from a litany of independently controlled blacklists, each with different and sometimes complex removal requirements. Adding insult to the injury of your now tarnished reputation are the headaches and confusion users suffer when their mail is unexpectedly delayed or outright discarded.
But before you can even begin to unknot the problems caused by an outbound spam leak, you first need to identify the source of the breach. This is not often an easy or a straightforward process. Should another wave of spam emanate from your infrastructure, many blacklist operators will be less forgiving the second time around.
Hijacking Methods Abound
There are many ways spammers can hijack an organization to perform their dirty work. For example, targeted attacks like spear phishing, commonly directed at universities, ISPs and ESPs, can net a surprisingly high response rate. This gives spammers a foothold into the network where they can then authenticate as legitimate users.
Other methods involve compromised machines infected with Trojans and in some cases, spam can be sent unchecked through corporate borders simply because the traffic originates from a workstation turned zombie inside the DMZ.
Naive Assumptions About Inbound Solutions
The outbound spam problem differs considerably from inbound spam. But many people, IT staff included, are unaware of the challenges of stopping outbound spam even if they are well versed in techniques that prevent inbound spam. A common, yet naïve assumption that simply reversing an inbound solution will suffice for filtering the outbound stream can quickly lead to unhappy users; the problem is not symmetric.
Look at it this way: For inbound mail, almost every connection made to your filter is a spammer, but for outbound, almost every connection is legitimate. This asymmetry is an important observation because many of the assumptions about inbound mail filtering don’t apply to outbound filtering.
In fact, gray listing (in-session defenses), IP/sender reputation (RBLs, black/white lists), and knowledge of valid recipients are the primary front-line defenses utilized by nearly all inbound spam filters. Yet these make less sense and are less effective, and can even cause problems for legitimate mail when applied to the outbound stream.
Not being able to rely on these mainstay techniques to remove the bulk of outbound spam requires fresh thinking on how to distinguish good messages from bad. What is needed is behavioral modeling, accurate content filtering and sensible application of throttling mechanisms, and a healthy dose of security awareness.
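As an added illustration of the behavioral-modeling and throttling approach described above (example code written for this page, not Red Condor's filter), the script below reads a constructed outbound-mail log, measures each authenticated account's peak sending rate and recipient spread, and maps that to an assumed throttle/suspend policy; the log format, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original post): one accepted outbound message per line.
SAMPLE_LOG = """\
2010-08-11T09:00:01 user=alice@example.org rcpt=pat@example.net
2010-08-11T09:03:12 user=alice@example.org rcpt=sam@example.com
2010-08-11T09:10:00 user=bob@example.org rcpt=u1@example.com
2010-08-11T09:10:02 user=bob@example.org rcpt=u2@example.net
2010-08-11T09:10:03 user=bob@example.org rcpt=u3@example.org
2010-08-11T09:10:05 user=bob@example.org rcpt=u4@example.com
2010-08-11T09:10:06 user=bob@example.org rcpt=u5@example.net
2010-08-11T09:10:08 user=bob@example.org rcpt=u6@example.org
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) rcpt=(\S+)$")

def parse_log(text):
    """Return (timestamp, account, recipient) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def peak_rates(events, window_seconds=60):
    """Per account: most messages inside any sliding window, and distinct recipients seen."""
    recent, peak, rcpts = defaultdict(deque), defaultdict(int), defaultdict(set)
    for ts, user, rcpt in events:
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[user] = max(peak[user], len(q))
        rcpts[user].add(rcpt)
    return {u: (peak[u], len(rcpts[u])) for u in peak}

def decide(peak_per_window, distinct_rcpts, baseline=3, hard_limit=5):
    """Assumed policy: throttle above the per-account baseline, suspend above the hard limit."""
    if peak_per_window > hard_limit:
        return "suspend"
    if peak_per_window > baseline or distinct_rcpts > hard_limit:
        return "throttle"
    return "ok"

def review(text):
    return {u: decide(p, d) for u, (p, d) in peak_rates(parse_log(text)).items()}
```

In the sample, alice's two messages an hour apart pass, while bob's burst of six messages to six recipients in eight seconds trips the hard limit; a real deployment would learn the baseline per account from its own history rather than use one constant.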
Frustrating Game of Whack-a-Mole
Deliverability is always a concern for spammers, and so is the overhead incurred from blasting out their messages. ISPs are a great target because their reputation can be hijacked, resulting in less delays and increased success in message acceptance at the destination. ISPs with poor outbound protection are also much less likely to even notice an outbound spam problem until the damage is already done.
As for SMEs and universities, they often don’t have the staff required to ensure their systems are secure, or to track down the source of a breach once it has occurred. The task of identifying compromised accounts can become a frustrating game of whack-a-mole while the scammers are busy leveraging the institution’s computational horse-power and bandwidth for their own ends.
C.S. is a regular contributor to the Red Condor Security blog and a master at writing anti-spam rules—handwritten scripts that target new, slippery spam campaigns that automated methods such as session defenses, virus scans and static policy settings can’t detect. The Red Condor filters use up to 60,000 rules at any one time, with new rules being added in near real-time. Team Red Condor sat down with C.S. this week to ask him about this process.
Is rule-writing a science or an art?
Both. The science involves text processing and analysis at a minimum, but can get fairly elaborate with machine learning and statistical methods to aid in expert analysis – particularly useful in exposing invariant components of what would appear to the uninitiated as a mind-numbing degree of randomization in spam campaigns.
And the art?
The art comes with years of hands-on experience, and learning to balance the many constraints spam reviewers must keep in mind. For example, we need to ensure that our rules are fast and efficient, block spam and never ham (good mail), and don’t target trivial aspects of a campaign that are unstable and likely to change during a campaign run or over longer time intervals as the spammers continue to randomize their approach. The rules need to be general so that we’re not writing them in a one-to-one ratio with spam samples, but not so general that they end up matching unanticipated features of legitimate email. And we need to make the rules as fast as possible in response to real-time events.
Describe the rule-writing process – from detection of a new campaign to creating and activating the rule to block it.
The cycle looks something like this: A novel campaign emerges that seeps through our defenses, and we begin obtaining samples immediately. The samples are analyzed by our 24/7/365 review staff, who then describe features of the campaign to our filter stack, which is then updated within seconds to all deployed gateway security devices. This causes the samples from the new campaign to cease arriving in the reviewers’ queue as the breach has been dealt with. Rinse, repeat.
Are junk mail and spam rules different?
Yes. One of the complexities of using a spam filter is that I have a notion of what spam is, but my neighbor’s definition is likely different. There simply is no satisfactory definition for spam that covers everyone who uses email. Some people consider spam to be anything that they receive that they didn’t want. Others may view any email that has some sort of advertisement as spam, even if they have purchased items from the company in the past and specifically opted in to receive discounts and what not. Because Red Condor doesn’t model its filters at an individual mailbox granularity we have to make some compromises and Junk rules are part of how we accomplish this. Our notion of spam is meant to drive at the heart of an almost universal commonality in perspective of what spam is: spam either explicitly uses deceptive tactics to make its way past filters, or has content that is intended to deceive or harm the recipient in some way.
According to your bio, your favorite rules are “simple gems.” What do you mean by this?
Occasionally we detect annoyance campaigns, usually associated with probing activity where there is no sensible payload to the spam. These can be completely randomized with very little to “bite on”. This makes describing the campaigns more difficult (essentially tantamount to describing patterns in the decimal expansion of pi), which can result in rather convoluted looking rules where several features have to be present for a match to take place. To me, these are just ugly beasts when compared to say a simple eight-byte string that has blocked millions of spam over several years without generating any false positives.
How do you measure a rule’s worth?
Well, one standard would simply be the number of hits that it acquires over its lifetime. However, there is complexity here, too, related to volume. Just because a rule targets the lower volume campaigns doesn’t mean it’s worth less than a rule that targets high-volume spam. It’s just where the rule lies in the distribution. We have to have rules that cover all scales or else customers will receive spam.
A better measure of worth is the false-positive rate. It’s not uncommon for us to discard rules that generate just two or three false positives, even when they have blocked millions of spam, but we have very strict standards and take reports of false positives very seriously; we always strive to do better.
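As an added illustration of the measures C.S. describes (hit count versus false-positive rate, a “simple gem” byte string versus a convoluted multi-feature rule), the example below is written for this page and is not Red Condor's rule engine; the message corpus, the three rules and the retire-at-two-false-positives threshold are constructed assumptions.

```python
import re

# Constructed corpus (not from the interview): (raw message bytes, is_spam).
CORPUS = [
    (b"Subject: Re: lunch\n\nSee you at noon.", False),
    (b"Subject: pharmacy reminder\n\nYour pills are ready for pickup.", False),
    (b"Subject: trip\n\nPack the pills and the phone charger.", False),
    (b"Subject: 0rder n0w\n\nch3ap pills at http://example.invalid/x", True),
    (b"Subject: hi\n\nBOTTAG1 buy pills at http://example.invalid/y", True),
    (b"Subject: xq\n\nBOTTAG1 zqv rpl mmt", True),
]

def gem_rule(raw):
    """A 'simple gem': one fixed byte string (assumed) that the campaign does not randomize."""
    return b"BOTTAG1" in raw

def pills_anywhere(raw):
    """An over-broad rule: a single word that legitimate mail also uses."""
    return b"pills" in raw.lower()

def leet_pills_link(raw):
    """A conjunctive rule for a randomized campaign: three weak features must all co-occur."""
    text = raw.decode("latin-1")
    leet = re.search(r"\b[a-z]*\d[a-z]+\b", text, re.IGNORECASE)  # digit-for-letter words
    return bool(leet) and "pills" in text.lower() and "http://" in text

RULES = {"gem_bottag": gem_rule, "pills_anywhere": pills_anywhere, "leet_pills_link": leet_pills_link}

def score_rules(rules, corpus, max_false_positives=2):
    """Count hits and false positives per rule; the assumed policy retires a rule at two FPs."""
    report = {}
    for name, rule in rules.items():
        hits = fps = 0
        for raw, is_spam in corpus:
            if rule(raw):
                hits += 1
                fps += 0 if is_spam else 1
        report[name] = {"hits": hits, "false_positives": fps,
                        "verdict": "retire" if fps >= max_false_positives else "keep"}
    return report
```

On this corpus the over-broad word rule has the most hits but is retired, while the eight-byte gem and the conjunctive rule keep their places with zero false positives.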
Well, these scammers are busy…
Less than 24 hours after issuing a warning of new variations and tactics being used in the one-click, plug-and-play malware campaign that we have been monitoring the past several months, we blocked a number of new messages that spoofed Amazon, ImageShack and Gawab. All of the messages used the plug-n-play malware distribution architecture.
Interestingly, Friday’s messages reverted back to using the older exploit set that has been in use for the past couple months.
There is a new twist in these messages, however… The scammers are using this opportunity to perform the drive-by download as usual, but instead of using the redirection page to drop you on a Canadian Pharmacy site, the redirection instructs the browser to download an .exe (adobe_flash_install.exe), which as of this morning was not detected by any AV engines.
Below is the VT analysis of this malware:
Also, just in case the browser refresh directive doesn’t work, the redirect page when loaded just looks like a blank page with a single image loaded:
http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif
(The above link is safe to view. The spammers are using a legitimate image hosted on Coca-Cola’s website.)
Clicking on the image on the redirect page will also download the malicious .exe.
All this is in addition to the usual litany of exploits typically employed by these campaigns; they are using a couple different versions this time. None of these variations are detected by more than a handful of AV engines. The malicious payloads include a couple of signature-distinct executables, which most likely are two instances of the same Trojan that has simply been mutated:
Additionally there is the usual, freshly mutated PDF exploit:
And of course there are the other exploits that usually accompany these campaigns, but they do not appear to have changed much.