Red Condor's Security Alerts

The Latest Security Trends, Threats and Exploits.

Posts Tagged ‘Virus’

…And the Plug-and-Play Malware Exploits Continue

July 26th, 2010

Well, these scammers are busy…

Less than 24 hours after issuing a warning of new variations and tactics being used in the one-click, plug-and-play malware campaign that we have been monitoring the past several months, we blocked a number of new messages that spoofed Amazon, ImageShack and Gawab. All of the messages used the plug-n-play malware distribution architecture.

Interestingly, Friday’s messages reverted back to using the older exploit set that has been in use for the past couple months.

There is a new twist in these messages, however. The scammers perform the drive-by download as usual, but instead of using the redirection page to drop you on a Canadian Pharmacy site, the redirection instructs the browser to download an .exe (adobe_flash_install.exe), which as of this morning was not detected by any AV engines.

Below is the VT analysis of this malware:

http://www.virustotal.com/analisis/53b687184961fbc9799509347608a5bbddb092b46f78f271c072b72d628df8b8-1279910999

Also, just in case the browser refresh directive doesn’t work, the redirect page when loaded just looks like a blank page with a single image loaded:

http://www.thecoca-colacompany.com/images/noflash_singlevideo.gif

(The above link is safe to view. The spammers are using a legitimate image hosted on Coca-Cola’s website.)

Clicking on the image on the redirect page will also download the malicious .exe.

All this is in addition to the usual litany of exploits typically employed by these campaigns; they are using a couple of different versions this time. None of these variations is detected by more than a handful of AV engines. The malicious payloads include two signature-distinct executables, which are most likely two instances of the same Trojan that has simply been mutated:

http://www.virustotal.com/analisis/fe6bf009c6e3085d0f41e14022a2b5729a0c3cc7622c81c7234ab21b0d07dc9d-1279912776

http://www.virustotal.com/analisis/d6af1138118bba51c20fa74a1a6fc560f84e98d4cb3830c1a37d14a7b4d70b37-1279909339

Additionally there is the usual, freshly mutated PDF exploit:

http://www.virustotal.com/analisis/2a56e56ea197fdbf77ee7fe77125bc67a5c89474dcc99bc0789000956c198788-1279912917

And of course there are the other exploits that usually accompany these campaigns, but they do not appear to have changed much.

C.S.

Update on Facebook Blended Threat Campaign

March 19th, 2010

Update: Over the past couple of days, we have noticed another round of the Facebook blended threat email spam campaign that made headlines late last year. We have been successfully blocking these messages since the first campaign came out in October 2009, and it now appears that a new botnet expansion phase may be in the works. The fake Facebook emails are looking to steal personal information and then infect computers with malware.

On October 28, 2009, we warned Facebook users about a new blended threat email campaign targeting them. On October 27, 2009, Red Condor’s security researchers uncovered a separate Facebook spoof email with downloadable files that included the Trojan virus Bredolab. This email threat was masked as “Facebook Password Reset Confirmation.”

The campaign was a blended threat that included both a phishing scam and a notorious “banking Trojan” virus. A link within the spam email took users to a spoofed Facebook login page requesting the user’s Facebook account information. After entering their credentials, users were then prompted to download “updatetool.exe” which was identified as a Zbot Trojan variant.

The spoofed Facebook login page was fairly sophisticated and used www.facebook.com in the sub-domain portion of the malicious URL. As a result, people with a small screen resolution or a small browser window/address bar might have thought they were actually on Facebook’s login page. The Trojan associated with the threat installed a sophisticated “banking Trojan” that is known to scour the infected hard drive for personal banking information and various login credentials, as well as perform keylogging and other nefarious activities.

The virus scam was detected by Red Condor’s proprietary Spam Trigger technology.

Team R.C.

Personal IRS Spam and Virus

February 11th, 2010

A second IRS spam and virus campaign, this time targeting people instead of businesses, is making its way around the Web. The campaign captured by Red Condor filters on Thursday, February 11, 2010, has a subject line, “You are in a higher tax bracket.” The unsophisticated email campaign suggests that recipients are now considered to be in a higher tax bracket, because their “annual income for the last tax year has increased.” Recipients are then asked to review their annual tax report by clicking on a link to a report.

The link goes to a page that attempts to download a PDF file containing the “JS:pdfka-gen” virus. When the sample was originally run through VirusTotal and JottiVirusScan, fewer than 10% of anti-virus engines detected it: 3 out of 40 on VirusTotal and 2 out of 20 on Jotti. As of the early afternoon on February 11, Red Condor had blocked more than 60,000 messages.

As mentioned in previous posts about IRS scams, the IRS will not contact individuals directly through email.

Update: As of 2:00 p.m. PDT on Friday, February 12, Red Condor had blocked more than 400,000 messages belonging to this campaign.

Team R.C.
Categories: Spam, Virus

AOL AIM Virus Campaign

January 22nd, 2010

At around 7 a.m. Pacific time on January 21, 2010, we started blocking a new spam campaign that was directed to AOL Instant Messenger (AIM) users.

AOL AIM Spam Campaign - Blocked 1/21/2010

The message, with the subject line “Your AIM account is flagged as inactive” (among other variations), warns AOL AIM users that their AIM account will be “deleted from the system” within 72 hours unless they download the latest update for AIM. The email message calls the update “critical.”

A link in the email sends users to an “AIM branded” page. A brief description on the page suggests that “AOL has released an update for AOL Instant Messenger (AIM) which fixes several major bugs.”

When clicked, the download button launches an executable that installs a Zeus bot, which has been used in past campaigns for spamming and for stealing personal information.

As of Thursday evening, Red Condor had blocked more than 250,000 messages, and a rescan of the viral downloads eight hours after the initial report to VirusTotal on Thursday morning showed that only one additional anti-virus engine had recognized the download. This campaign is very similar to the others we have reported on: a zombie network for distribution, fast-flux hosting, a legitimate domain used in the sub-domain portion of the spam domain, Polish top-level domains, a Zbot download, browser exploits, etc.
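Both the Facebook campaign above and this one place a legitimate brand domain in the sub-domain portion of an attacker-controlled host name. As an added example (not Red Condor's code), the following Python check flags URLs whose registered domain is not a trusted brand but whose sub-domain labels contain one; the trusted-brand list and the sample host names are constructed for illustration, and the registered-domain logic is deliberately simplified (last two labels, no public-suffix list).

```python
import re
from urllib.parse import urlparse

# Brands the posts above describe as spoofed (constructed list for this example).
TRUSTED_DOMAINS = {"facebook.com", "aim.com", "aol.com", "amazon.com"}

# Constructed sample URLs; the hosts are placeholders, not real sites.
SAMPLE_URLS = [
    "http://www.facebook.com.login-verify.example/index.php",
    "https://www.facebook.com/login.php",
    "http://aim.com.update-tool.example.pl/download",
    "http://www.example.com/",
]


def registered_domain(host):
    """Return the last two labels of a host name.

    Simplified assumption: a public-suffix list would be needed for
    multi-label suffixes such as co.uk, which this helper does not handle.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_subdomain(url):
    """Return the trusted brand found in the sub-domain part of a host whose
    registered domain is NOT that brand (the spoofing pattern described in
    the posts), or None when the URL looks clean."""
    host = (urlparse(url).hostname or "").lower()  # hostname drops any port
    if not host:
        return None
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None  # genuinely hosted on the brand's own domain
    # Everything left of the registered domain, e.g. "www.facebook.com".
    sub = host[: -len(reg)].rstrip(".")
    for brand in sorted(TRUSTED_DOMAINS):
        # The brand must occur as whole labels, not as part of a longer label.
        if re.search(r"(^|\.)" + re.escape(brand) + r"(\.|$)", sub):
            return brand
    return None


def flag_urls(urls):
    """Map each URL to the spoofed brand it carries, or None."""
    return {u: brand_in_subdomain(u) for u in urls}


if __name__ == "__main__":
    for url, brand in flag_urls(SAMPLE_URLS).items():
        print(f"{'SPOOF ' + brand if brand else 'ok':>18}  {url}")
```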

One of the malicious sites linked to in this campaign also attempted to download a malicious .pdf through an iframe, and appears to attempt a Flash exploit, tailored to the version of MSIE or Firefox in use, also through an iframe-based attack.

Red Condor has at least 74 filtering rules in place matching samples from this campaign.

Team R.C.
Categories: Spam, Virus

UPS/FedEx/DHL Delivery Failure – Another Recycled Campaign

December 15th, 2009

This campaign was noted by Kip Q. on 12/15/09 at 4:48 pm.

For this particular campaign, users receive an email purporting to come from UPS/FedEx service, along with a packet number. It says that the carrier was unable to deliver a package sent to the recipient on such-and-such a date.

It then asks the recipient to print the attached invoice copy, which, when opened, launches a virus.

Cameron S. noted the following:

This campaign comes and goes (and it is 2-3 years old). There does appear to have been a small spike in activity for about four hours last week. It looks like most of the blocking is being done by Red Condor’s AV engines. It may be that the spike was due to a mutation in the viral payload and it took four hours for the AV engines to regain a signature.

Despite efforts made to discount the threat, Snopes confirms that it is real: http://www.snopes.com/computer/virus/ups.asp

Team R.C.
Categories: Spam, Virus