Archive for May, 2009

Fake UPS Invoices Target Business Professionals

Friday, May 29th, 2009

Posted by: Barracuda labs

This afternoon, a Purewire employee received an email that claimed to be from UPS:

From: United Parcel Service of America [mailto:vfgcq@boeme.com]
Sent: Friday, May 29, 2009 2:48 PM
To: < redacted >@purewire.com
Subject: Postal Tracking #VERFP82389JC2GF

Hello!

We were not able to deliver postal package you sent on the 14th of May in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The email was accompanied by a zip file attachment that (according to the email) was an “invoice”. The file in the archive even had a Microsoft Excel icon.

“Invoice” Icon

However, the file was not an Excel document, but a malicious executable. If the user’s operating system was configured with default settings (as in the picture above), they would not have known the file actually ended in .exe.
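A defender-side check for exactly this lure, written as an added example (not code from the original post or from Purewire/Barracuda): it opens a zip attachment, flags members whose final extension is executable, whose name carries a document-style double extension such as `.xls.exe`, or whose first bytes are the `MZ` header of a Windows PE file, and shows what Explorer would display with the default "Hide extensions for known file types" setting. The archive contents, the extension lists and the helper names are all constructed for the example.

```python
import io
import zipfile

# Extensions Windows launches as programs when double-clicked (example list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document types a lure typically imitates (example list).
DOCUMENT_EXTS = {".xls", ".doc", ".pdf", ".txt", ".rtf"}


def displayed_name(filename: str) -> str:
    """Name as shown by Explorer with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'invoice.xls.exe' appears as 'invoice.xls'."""
    base = filename.rsplit("/", 1)[-1]
    stem, dot, _ext = base.rpartition(".")
    return stem if dot else base


def classify_member(filename: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable
    (empty list means nothing suspicious). `head` is the first bytes of the member."""
    reasons = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension imitating a {exts[-2]} document")
    # Windows PE files begin with the 'MZ' DOS header whatever they are called.
    if head[:2] == b"MZ":
        reasons.append("PE (MZ) header: content is a Windows executable")
    return reasons


def inspect_attachment(zip_bytes: bytes) -> dict:
    """Map every file in a zip attachment to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not the real attachment): a lure named like an Excel
    file whose contents start with a PE header, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Two bytes of MZ header followed by padding; not a runnable program.
        zf.writestr("invoice.xls.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_attachment(build_sample_archive()).items():
        print(f"{name!r} (shown as {displayed_name(name)!r}): {reasons or 'ok'}")
```

Checking the first bytes rather than trusting the name is the part that matters: the extension and icon are chosen by the sender, the `MZ` header is not.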

This email (and the corresponding file) is an example of a social engineering attack, which attempts to trick the user into compromising their system. If an unsuspecting user attempted to “view” the above file, they would actually infect their system with bot malware. In this case, the bot uses HTTP to communicate with a Command and Control (C&C) server located in the Ukraine:

hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=1826882368&rnd=8520045

and then proceeds to download additional malware:

hxxp://bklinkov.ru/files/dfi.exe
hxxp://bklinkov.ru/files/ok1.exe

which can be used for any number of illicit purposes. Business professionals should be increasingly wary of suspicious emails that conveniently relate to their work (e.g., sending packages as part of their day-to-day activities), as these kinds of attacks have been specifically created for them.

PWSS customers are protected from the above threat even if they are infected, as all C&C communications are blocked by the service.
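The kind of check-in and payload traffic described above can be spotted in an outbound web proxy log. The following is an added example (not the service's own logic or any code from the post): it runs a small set of rules over constructed proxy log lines, using the two hosts and the `controller.php?action=bot` check-in pattern published above, and reports the lines that match. The log format, the client addresses and the benign lines are invented for the example; the `hxxp` indicators from the post are restored to `http` so they parse.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts named in the post (C&C check-in and second-stage downloads).
CNC_DOMAINS = {"dollarpoint.ru", "bklinkov.ru"}

# Constructed sample proxy log: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1243626480 10.1.2.3 GET http://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=1826882368&rnd=8520045 200
1243626481 10.1.2.3 GET http://bklinkov.ru/files/dfi.exe 200
1243626482 10.1.2.3 GET http://bklinkov.ru/files/ok1.exe 200
1243626490 10.1.2.9 GET http://www.example.com/index.html 200
1243626495 10.1.2.7 GET http://cdn.example.net/controller.php?action=view 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(url: str) -> list:
    """Return the rules a single request URL triggers (empty list = clean)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    if host in CNC_DOMAINS:
        reasons.append(f"known C&C/payload host {host}")
    # The check-in is identified by path plus parameter, not by host alone,
    # so the same rule keeps working if the bot moves to a new domain.
    if parsed.path.endswith("/controller.php") and query.get("action") == ["bot"]:
        reasons.append("bot check-in pattern (controller.php?action=bot)")
    if host in CNC_DOMAINS and parsed.path.lower().endswith(".exe"):
        reasons.append("executable download from C&C host")
    return reasons


def scan_log(text: str) -> list:
    """Return (line_no, client, url, reasons) for every matching log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        reasons = classify_request(m["url"])
        if reasons:
            hits.append((n, m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for line_no, client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} -> {url}\n    {'; '.join(reasons)}")
```

The last sample line shows why the check-in rule requires both the `controller.php` path and `action=bot`: a generic `controller.php` on an unrelated host with a different action does not fire.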


USAToday.com Ads Redirect to Rogue AV

Thursday, May 7th, 2009

Posted by: Barracuda Labs

Today a customer using the PWSS was directed to a Rogue AV website after viewing a news article on USAToday.com. The redirection occurred via an ad (included on the article page) that had malicious JavaScript appended towards the end of it; neither clicking nor hovering over the ad was required to activate the malicious code. In addition, it should be noted that the ad could have been (and likely was) served almost anywhere on USA Today’s website; for example, a PWSS developer was redirected to a different Rogue AV site (that was part of the same campaign) upon simply visiting the “Life” section (http://www.usatoday.com/life/default.htm).

The ad itself was for Roxio Creator 2009, and was served from http://idatrinity.com/?id=51546405 . The domain idatrinity.com is not malicious, but part of a legitimate ad network. Regardless of how it got there, malicious JavaScript accompanied the ad content, which directed the user to:

hxxp://liveavantbrowser2.cn/go.php?d=2006-40&key=0522c7066&p=1

The above URL is a landing page that redirects the user to one of at least two different Rogue AV domains:

hxxp://antivirusquickscanv1.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM
hxxp://fullantispywarescan.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM

which both contain JavaScript-based Rogue AV pop-up scanners.

Rogue AV Pop-up Scanner

If the user clicks “OK” on the dialog box asking whether they want to download the “Personal Antivirus” and remove the (fake) threats on their system, one of the following URLs:

hxxp://antivirusquickscanv1.com/download.php?id=2006-40
hxxp://fullantispywarescan.com/download.php?id=2006-40

provides the Rogue AV binary. Detection of this malware instance is poor; only 1/40 tools identify it as malicious:

http://www.virustotal.com/analisis/79e1e90e45c3a30222d5d4b6f30c3450

Users of the PWSS are protected from this threat.
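The landing page, scanner pages and download URLs above all carry the same campaign value (`d=2006-40` on the `go.php` landing page, `id=2006-40` afterwards), which is what ties the two Rogue AV domains to one campaign. As an added example (not code from the post or from the PWSS), the script below parses the published chain, labels each URL's stage from its path, groups hosts by campaign id, and derives a host blocklist from the cluster. Reading the campaign id from the `d` and `id` parameters is an assumption drawn from these URLs, and the stage labels are the example's own.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Chain of URLs from the post, kept defanged ("hxxp") as published.
CHAIN = [
    "hxxp://liveavantbrowser2.cn/go.php?d=2006-40&key=0522c7066&p=1",
    "hxxp://antivirusquickscanv1.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM",
    "hxxp://fullantispywarescan.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM",
    "hxxp://antivirusquickscanv1.com/download.php?id=2006-40",
    "hxxp://fullantispywarescan.com/download.php?id=2006-40",
]

# Query parameters carrying the campaign id at each stage (assumption taken
# from the URLs above: 'd' on the go.php landing page, 'id' afterwards).
CAMPAIGN_PARAMS = ("d", "id")


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' URL back into one urlparse understands."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def stage_of(url: str) -> str:
    """Label the role of a URL in the chain from its path (example labels)."""
    path = urlparse(refang(url)).path
    if path.endswith("/go.php"):
        return "landing"
    if path.endswith("/download.php"):
        return "download"
    return "scanner"


def campaign_id(url: str):
    """Return the campaign id found in the URL's query, or None."""
    query = parse_qs(urlparse(refang(url)).query)
    for param in CAMPAIGN_PARAMS:
        if param in query:
            return query[param][0]
    return None


def cluster_by_campaign(urls) -> dict:
    """Group hosts by campaign id: {campaign: {host: {stages seen}}}."""
    clusters = defaultdict(lambda: defaultdict(set))
    for url in urls:
        cid = campaign_id(url)
        host = urlparse(refang(url)).hostname
        if cid and host:
            clusters[cid][host].add(stage_of(url))
    return {cid: dict(hosts) for cid, hosts in clusters.items()}


def blocklist(urls) -> set:
    """Every host that appears in any campaign cluster."""
    return {host for hosts in cluster_by_campaign(urls).values() for host in hosts}


if __name__ == "__main__":
    for cid, hosts in cluster_by_campaign(CHAIN).items():
        print(f"campaign {cid}:")
        for host, stages in sorted(hosts.items()):
            print(f"  {host}: {', '.join(sorted(stages))}")
    print("blocklist:", sorted(blocklist(CHAIN)))
```

Clustering on the shared campaign value is what lets a newly seen scanner or download host be tied to the campaign before it has any detection coverage of its own, which is the gap the 1/40 VirusTotal result illustrates.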
