Red Condor's Security Alerts

The Latest Security Trends, Threats and Exploits.


Archive for the ‘Security Alerts’ Category

Drive-by Malware Campaign Redirecting to Fake AV Websites

August 11th, 2010

Red Condor recently blocked another wave of brand-spoofing drive-by malware campaigns, this time with redirects to fake AV websites.

Screenshot 1

In previous incarnations of these plug-and-play malware campaigns, the browser was redirected to a “Canadian Pharmacy” or similar site after the exploit suite had been given a chance to execute. A couple of weeks ago, the campaigns began redirecting the browser directly to a downloadable .exe (Windows executable). This week, the drop site the scammers redirect to is a decent-looking spoof of a Windows XP Explorer window that uses attention-getting graphics and animation to convince users that their computer is infected. (See Screenshot 1)

Fake AV is more commonly encountered in malware-laden search results, a poisoning usually attributed to black hat search engine optimization (SEO), an umbrella term for the various techniques used to elevate malicious and otherwise shady websites in search results. Fake AV is also commonly encountered on machines that have already been compromised by malware; there, victims are coaxed into paying a fee to the criminals in order to “remove” the malware from their system. Fake AV is yet another incremental step in the criminals’ search for ways to profit from computers turned into zombies.

The drive-by component in this recent wave of brand-spoofing campaigns uses the newer exploit set that targets the Windows Help and Support Center, plus a few older exploits. We described this newer exploit suite a few weeks ago here: http://www.redcondor.com/blog/?p=298.

Screenshot 2

The redirect component of the campaign shunts the browser to the Windows XP Explorer spoof, which is intended to convince victims that their anti-virus engine has detected “system errors” and is scanning their system “to prevent data lost” (sic). While the bogus scan runs, a “Hardware and security errors detected” section lists ominous errors and announces that “Spyware has stolen your personal information.” The landing page is well crafted graphically (the language is another matter) and is quite likely to fool less technically savvy users, which adds considerably to the virulence of this threat.

After a few seconds of bogus scanning activity, a couple of pop-ups are presented to the user. (See Screenshot 2) Humorously, the title of the first of these windows is “Contraviro Warning.” A quick search identifies Contraviro as a known fake AV family that has been circulating for several years. Another quick search for one of the “found” viruses turns up similar results: http://www.2-spyware.com/remove-trojan-im-win32-faker-a.html

Screenshot 3

The second dialog box is modal and requires the user to click one of two buttons before control returns to any browser window. It entices the user to click “OK” to “Start downloading CRITICAL security software update”. If the user complies, the browser downloads a Windows executable, which evidently is hosted under various names; in this case antivirus_24.exe. (24 happened to be the affiliate ID used in the redirection URL, which suggests this is a pay-per-install campaign.)

Here is the permalink to the VirusTotal scan results for antivirus_24.exe (only 8 of 42 engines, 19%, flagged the sample as dangerous): http://www.virustotal.com/analisis/dbac0281507987694f6217d655396bb7503bb4ebd2d1d140615e84b5c979171d-1281134394

Once the executable has downloaded, another pop-up helpfully instructs the user how to run it. (See Screenshot 3) Judging by the VirusTotal hits, this is very likely a Trojan. If the exploit suite had not already compromised the machine, it is certainly compromised now, and in all probability remotely controllable. Moreover, as the fake warnings presciently indicate, private data (login credentials, for example) is likely in the process of being stolen.

Screenshot 4

Finally, attempts to close the browser window that started all this trouble, or to navigate to another page, fail: doing so pops up yet another modal dialog, and both choices simply return control to the malicious page. (See Screenshot 4) The browser process has to be killed to break the loop, but most users will probably just restart their computer. Unfortunately, a reboot gives the malware a convenient opportunity to burrow deeper into the system.

Team R.C.

…And the Plug-and-Play Malware Exploits Continue

July 26th, 2010

Well, these scammers are busy…

Less than 24 hours after we issued a warning about new variations and tactics in the one-click, plug-and-play malware campaign we have been monitoring for the past several months, we blocked a number of new messages spoofing Amazon, ImageShack and Gawab. All of them used the plug-n-play malware distribution architecture.

Interestingly, Friday’s messages reverted to the older exploit set that has been in use for the past couple of months.

There is a new twist in these messages, however. The scammers perform the drive-by download as usual, but instead of using the redirection page to drop the victim on a Canadian Pharmacy site, the redirect instructs the browser to download an .exe (adobe_flash_install.exe), which as of this morning was not detected by any AV engine.

Below is the VT analysis of this malware:

http://www.virustotal.com/analisis/53b687184961fbc9799509347608a5bbddb092b46f78f271c072b72d628df8b8-1279910999

And in case the browser’s refresh directive does not fire, the redirect page itself, when loaded, is just a blank page with a single image on it:

http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif

(The above link is safe to view. The spammers are using a legitimate image hosted on Coca-Cola’s website.)

Clicking on the image on the redirect page will also download the malicious .exe.

All this is in addition to the usual litany of exploits employed by these campaigns; they are using a couple of different versions this time. None of these variations is detected by more than a handful of AV engines. The malicious payloads include a couple of signature-distinct executables, most likely two instances of the same Trojan that has simply been mutated:

http://www.virustotal.com/analisis/fe6bf009c6e3085d0f41e14022a2b5729a0c3cc7622c81c7234ab21b0d07dc9d-1279912776

http://www.virustotal.com/analisis/d6af1138118bba51c20fa74a1a6fc560f84e98d4cb3830c1a37d14a7b4d70b37-1279909339

Additionally, there is the usual freshly mutated PDF exploit:

http://www.virustotal.com/analisis/2a56e56ea197fdbf77ee7fe77125bc67a5c89474dcc99bc0789000956c198788-1279912917

And of course there are the other exploits that usually accompany these campaigns, but they do not appear to have changed much.

C.S.

One-Click Malware Spammers Continue to Find New Avenues of Exploitation

July 22nd, 2010

In more than one blog post during the last several months, we have discussed a sophisticated plug-and-play malware campaign that infects users’ computers with a single click. Over that period the spammers have spoofed several major brands, including Facebook, eBay, Amazon, YouTube, GoDaddy.com, WordPress and Wikipedia. Today we blocked another variant; at the time we blocked it, its drive-by downloader component had been detected by only a single anti-virus engine (as is typical for these campaigns).

One of the emails in the campaign had the subject line “Unauthorized ACH Transaction.” It warns recipients that an unauthorized ACH transaction was recently initiated from their bank account but was rejected by the “Electronic Payments Association,” and invites them to click an embedded link to review the transaction report. That single click could infect the user’s computer with a Trojan.

We also noticed other campaigns today using this technique but spoofing Xerox WorkCentre notifications, the messages such devices send to deliver scanned documents as email attachments.

The one-click malware spammers have finally switched out one of the older exploits they had been using for months (CVE-2006-0003) for a more recent one: the Windows Help and Support Center vulnerability (CVE-2010-1885). This vulnerability was disclosed in early June, and Microsoft recently issued a patch. For the first time that I am aware of, it is being exploited in combination with yet another vulnerability, CVE-2010-2265, a cross-site scripting (XSS) flaw, which makes this spam attack a blended threat that ultimately achieves remote code execution.

It appears that the code used in this attack was copied verbatim from public exploit repositories that collect such threats for research purposes. It’s worth noting that the previous exploits from this campaign also used proof-of-concept code virtually unchanged from public sources.

Game-changing, plug-and-play attacks

Here is an example of the newly introduced code being used in this attack:

https://www.metasploit.com/redmine/projects/framework/repository/revisions/9495/diff/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb

I’ve been writing about this new trend in one-click malware <http://www.redcondor.com/blog/?p=258> for months now. Recently, I had an epiphany.

Essentially the spammers have constructed an efficient malware distribution framework in which their “normal” spam campaigns do double duty, letting them sweep Internet-connected hosts for vulnerable machines and exploit them.

This activity is transparent to the normal function of their spam campaigns: they can spamvertise any website as usual, and now have the added bonus of piggybacking modular attacks that the criminals can update at any time with little effort.

For this reason I have started referring to this technique as a “plug-n-play” architecture because they can simply chain on exploits as they become available without needing to modify their spam campaigns in any way. They can use this technique in any spam campaign that uses a URL based call-to-action. This is a game changer.

Spammers ironing out the kinks

Despite their sophistication, the spammers still appear to be ironing out some kinks. One of the samples we blocked earlier in the day had a broken call-to-action URL, and in another sample I analyzed the redirect page was broken too: it sent the browser to the malware distribution site itself instead of the usual Canadian Pharmacy (or similar) drop site. This may indicate that some kind of kit is behind this recent wave and some spammers have not quite figured out how to use it effectively.

These campaigns occurred almost simultaneously with several other variants, all using the same “ACH” and Xerox templates. But instead of the redirection URL that is the earmark of the plug-n-play exploit framework, they used a direct link to a Windows executable (.exe). Another variant embedded the malicious executable in an archive attached directly to the spam. These more direct, traditional infection methods running alongside the plug-n-play variant suggest the scammers are testing which delivery method is more successful.
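As an added example (not Red Condor’s code), the Python below triages a message for the three delivery variants described in this alert: a call-to-action link to a page on a third-party host (the redirect-based plug-n-play variant), a direct link to a Windows executable, and an archive attachment carrying the executable. The lure message, its sender address and every hostname in it are constructed placeholders, and a bare “MZ” header stands in for a real executable.

```python
"""Triage a spoofed call-to-action message for the three delivery variants.

Added example, not Red Condor's code.  The sample message is constructed;
all addresses and hosts are placeholders.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXT = re.compile(r"\.(exe|scr|pif|bat)$", re.I)


def build_sample_message() -> bytes:
    """Constructed lure modelled on the 'Unauthorized ACH Transaction' template."""
    msg = EmailMessage()
    msg["From"] = "alerts@payments-association.example"   # placeholder sender
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Unauthorized ACH Transaction"
    msg.set_content("An unauthorized ACH transaction was rejected. See the report.")
    msg.add_alternative(
        "<p>An unauthorized ACH transaction from your account was rejected.</p>"
        '<p><a href="http://compromised-blog.example/go.php?id=24">'
        "Review the transaction report</a></p>"
        '<p><a href="http://drop.example/ach_report.exe">Download report</a></p>',
        subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:                 # archive variant; only
        z.writestr("ACH_report.exe", b"MZ" + b"\0" * 62)  # the PE magic is modelled
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="ACH_report.zip")
    return msg.as_bytes()


class LinkExtractor(HTMLParser):
    """Collect every href in the HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def same_org(host: str, sender_domain: str) -> bool:
    return host == sender_domain or host.endswith("." + sender_domain)


def triage_message(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = msg["From"].addresses[0].domain.lower()
    out = {"offsite_links": [], "exec_links": [], "exec_attachments": []}

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        ex = LinkExtractor()
        ex.feed(html_part.get_content())
        for href in ex.hrefs:
            u = urlparse(href)
            if EXEC_EXT.search(u.path):
                out["exec_links"].append(href)           # direct .exe variant
            elif u.hostname and not same_org(u.hostname.lower(), sender_domain):
                out["offsite_links"].append(href)        # redirect on a third-party host

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"PK":                            # zip archive: look inside
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if EXEC_EXT.search(info.filename) or z.read(info)[:2] == b"MZ":
                        out["exec_attachments"].append(f"{name}:{info.filename}")
        elif EXEC_EXT.search(name) or data[:2] == b"MZ":
            out["exec_attachments"].append(name)         # bare executable attachment

    if out["exec_links"] or out["exec_attachments"]:
        out["verdict"] = "malicious"
    elif out["offsite_links"]:
        out["verdict"] = "suspicious"
    else:
        out["verdict"] = "clean"
    return out


if __name__ == "__main__":
    for k, v in triage_message(build_sample_message()).items():
        print(f"{k:17} {v}")
```

The off-site link check is only a triage heuristic (legitimate mail links to tracking hosts all the time); it is the executable link and the executable inside the archive that earn the “malicious” verdict here. Archive inspection is by content, not just by name, so an .exe renamed inside the zip still trips on its MZ header.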

A final note: the executables used in the campaign appear to be Zbot/Bredo variants, “banking” Trojans that Red Condor has reported on in past security alerts.

C.S.

Malware Spam Masquerading as “Best of Digg Weekly” Email the Latest in Dangerous New Spam Trend

June 30th, 2010

This morning Red Condor detected and blocked an email campaign that masquerades as “Digg Digest,” a weekly summary of top Digg stories. The message contains bogus “Best of Digg” links. Red Condor’s anti-spam filter blocked approximately 100,000 messages in the first hour of detection. This malware spam campaign is another variation of the drive-by-download spam trend Red Condor reported on earlier.

WARNING: USERS SHOULD NOT CLICK ON THE LINKS CONTAINED IN THE BOGUS DIGG DIGEST EMAIL.

Clicking any of these links infects the user’s computer with a Trojan during a delayed redirect to a Canadian Pharmacy page. (See the June 9 alert below for how the infection occurs.)

Team R.C.

One-Two Punch Malware Campaign Includes Drive-by Download

June 9th, 2010

Red Condor today issued a warning of a new, sophisticated email malware threat that spoofs YouTube and uses a redirect on a compromised website to a common Canadian Pharmacy site to distribute malicious PDFs via drive-by download. The pharmacy page is a red herring that has distracted many security researchers from the true motive of these campaigns: a stealthy drive-by download. With a single click, users can infect their computers.

The malware, which as of the morning of June 9, 2010 had not been detected by any anti-virus engine, comes in the form of a malicious PDF download. Red Condor has captured 10 versions of the malicious PDF, which likely exploits vulnerabilities in Adobe Acrobat. The campaign appears to be part of a much larger attack first detected by Red Condor several weeks ago (see the April 23, 2010 blog entry) that has also recently spoofed Facebook and Twitter, among other popular brands. As unsuspecting users wait for what they believe is a YouTube or Twitter friend request, a greeting card, or even a Facebook login page to load, their browsers download and execute the malicious code, and then the Canadian Pharmacy page appears.

“The amount of effort behind these new campaigns is not commensurate with the typical Canadian Pharmacy spam campaigns that we have seen in the past. It’s the primary reason we started to suspect weeks ago that these campaigns have an ulterior motive and are more than just a series of mundane Canadian Pharmacy spam,” said Dr. Thomas Steding, CEO of Red Condor. “After analyzing this threat over the past several weeks, we now believe that this malicious drive-by downloading may be a new trend; a double-purposing spam campaign, or a twist on the blended threat spectrum of attacks we have seen so prevalent in the past year. Spammers are starting to use social engineering hooks, including those common with phishing attacks, which will generate clicks. If users click on the spam link, there is an opportunity for a sale and to steal their identities while infecting their computers – a sophisticated one-two punch.”

An interesting feature of this campaign is that the distribution points actively take measures to make researching the exploits difficult. The malware is served only if the server thinks it can infect, and even then only on the first request; subsequent identical requests from the same IP address do not receive the malware. This level of intelligence and effort keeps traditional email security solutions, which rely only on automated detection methods, from stopping the threat. Red Condor’s email security experts monitor for and analyze new threats twenty-four hours a day, seven days a week.

Key attributes of this new campaign include:

  1. The URL points to a compromised middleman redirect with a slight delay before the refresh-based redirect occurs. The redirection page includes an iframe injected from a known malware distribution point. When users click the link in the spam message, a blank page opens in their browser and five seconds later a Canadian Pharmacy site appears. While the user waits for what they think is a YouTube friend request, malicious JavaScript is fetched from the remote server referenced by the iframe.
  2. The malware distribution point changes behavior depending on the details of the browser request. It appears to be sensitive to the User-Agent and Accept request headers, which tell the server what kind of client is making the request and what it can handle.
  3. Only one request is allowed per IP. After the initial request, subsequent requests get a null response (0 bytes returned).
  4. There is likely a timing component as well that triggers the malware download.

Team R.C.
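As an added example (not Red Condor’s code, and not the campaign’s own page), the Python below triages a captured redirect page of the kind described in the key attributes above and in the July 26 and August 11 alerts: the delayed meta refresh to the drop site, the injected hidden iframe to the exploit distribution point, a direct link to a Windows executable, and any `hcp://` URL (the Help and Support Center protocol handler through which the CVE-2010-1885 chain is reached). It also checks whether a numeric parameter in the redirect URL reappears in the executable’s filename, the affiliate-ID pattern noted in the August 11 alert. The sample page is constructed; every hostname in it is a placeholder except the Coca-Cola image URL quoted above.

```python
"""Triage a captured plug-n-play redirect page.

Added example, not Red Condor's code.  SAMPLE_PAGE is constructed; its hosts
are placeholders (the Coca-Cola image URL is the one quoted in the alerts).
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5;url=http://pharmacy.example/index.php?aff=24">
</head><body>
<iframe src="http://exploit-dist.example/in.cgi?4" width="1" height="1"></iframe>
<a href="http://exploit-dist.example/get/antivirus_24.exe">
<img src="http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif"></a>
<script>location.href='hcp://services/search?query=anything';</script>
</body></html>"""

EXEC_EXT = re.compile(r"\.(exe|scr|pif|bat)(?:$|\?)", re.I)
HCP_URL = re.compile(r"hcp://[^\s'\"<>]+", re.I)
REFRESH = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*(.+)", re.I)


class RedirectPageParser(HTMLParser):
    """Collect indicators statically; nothing is rendered or fetched."""

    def __init__(self):
        super().__init__()
        self.refresh = None      # (delay_seconds, target_url)
        self.iframes = []        # (src, hidden)
        self.exec_links = []
        self.hcp_urls = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            m = REFRESH.match(attr.get("content", ""))
            if m:
                self.refresh = (int(m.group(1)), m.group(2).strip("'\" "))
        elif tag == "iframe":
            style = attr.get("style", "").replace(" ", "").lower()
            hidden = (attr.get("width") in ("0", "1") or attr.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.iframes.append((attr.get("src", ""), hidden))
        elif tag == "a" and EXEC_EXT.search(attr.get("href", "")):
            self.exec_links.append(attr["href"])

    def handle_data(self, data):
        # script bodies arrive here as raw text, so inline hcp:// URLs are caught
        self.hcp_urls.extend(HCP_URL.findall(data))


def affiliate_ids(refresh_url, exec_links):
    """Numeric query values of the redirect URL that reappear in an exe filename
    (the '24' in ?aff=24 versus antivirus_24.exe)."""
    ids = {v for vals in parse_qs(urlparse(refresh_url).query).values()
           for v in vals if v.isdigit()}
    names = [urlparse(u).path.rsplit("/", 1)[-1] for u in exec_links]
    return sorted(i for i in ids
                  if any(re.search(rf"(?<!\d){i}(?!\d)", n) for n in names))


def triage(html):
    p = RedirectPageParser()
    p.feed(html)
    p.close()
    hidden_iframes = [src for src, hidden in p.iframes if hidden]
    delay = p.refresh[0] if p.refresh else None
    # the signature: a delayed refresh that gives a hidden iframe time to fire
    driveby = delay is not None and delay > 0 and bool(hidden_iframes)
    return {
        "refresh": p.refresh,
        "hidden_iframes": hidden_iframes,
        "exec_links": p.exec_links,
        "hcp_urls": p.hcp_urls,
        "affiliate_ids": affiliate_ids(p.refresh[1], p.exec_links) if p.refresh else [],
        "driveby_redirect": driveby,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_PAGE).items():
        print(f"{k:17} {v}")
```

Because the distribution point serves the exploit only once per IP and only to a client it thinks it can infect, this kind of static look at the redirect page (the part a researcher can fetch repeatedly) is worth doing before spending the single shot at the iframe target.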