    Archive for July, 2006




    Well, not quite… yet… by the authorities, I mean. But busted for what? Busted for selling marijuana online? Or busted for hosting a trojan-spyware on the said website?


    The site is aptly titled “Marijuana Mail Order” and is implicated in hosting a file named mod.gif that is in fact a dropper for a trojan-spyware that steals e-Gold account information from affected users. The mod.gif file is downloaded to an infected system by a trojan that was mass-spammed in bogus e-Gold transaction emails early this morning (GMT -08:00).




    Both the mass-mailed and downloaded trojans are detected by Trend Micro as TROJ_SMALL.CRZ and TSPY_GOLDUN.CQ respectively.

     



    Just an FYI. The PoCs for the Microsoft vulnerabilities MS06-34, MS06-35 and MS06-36 have now been posted on Milw0rm.com. We are now on the lookout for malware that may use these PoCs for malicious purposes.

     



    Right now we are receiving a continuous influx of spammed emails carrying an attachment named screen.zip. The attachment has a file size of 8,191 bytes and an MD5 hash of 64abfe0756951ed807a16d01762b85c5, and contains an executable named screen.jpeg (59 spaces in between) .exe, which in turn has a file size of 8,485 bytes.


    Shown below is a screenshot of the email being spammed:




    Update (Ivan, Sun, 23 Jul 2006 08:11:18 PM)



    The spammed trojan will be detected as TROJ_SMALL.CRZ using OPR 3.595.00.

    Update (Ivan, Mon, 24 Jul 2006 04:31:36 AM)



    Trojan-phishing it is…


    After further investigation, the EXE file was found to drop and install a DLL file that downloads a mod.gif file (11,570 bytes) from:


    http:// [blocked]marijuana.ca/images/


    The mod.gif file is also an EXE that in turn installs another DLL, which has the capability to ‘spy on’ and steal e-gold account information from the infected system.


    If you check out the site, they actually sell weed varieties online! What’s more, some customers of the said site say that the owner does not accept e-gold payments… This is really funny – the perpetrator does not accept e-gold payments but rather hosts a trojan-spyware that does ‘accept’ or, more accurately, steals e-gold account information. Went straight to the source of where the money is, eh?
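The attachment in this post hides an executable behind a decoy image extension and 59 spaces of padding. The following is an added example (not code from the original post): a small scanner that inspects the member names of a ZIP attachment and flags padded or plain double-extension executables. The extension lists and the placeholder ZIP content are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (non-exhaustive; assumption for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions commonly used as the visible decoy (assumption).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

# "<name>.<decoy ext><optional run of whitespace>.<real ext>" at the end of the member name.
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]+)(\s*)\.([A-Za-z0-9]+)$")


def inspect_name(name: str):
    """Return a finding for a padded or plain double-extension executable name, else None."""
    m = DOUBLE_EXT.search(name)
    if not m:
        return None
    decoy, pad, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if real not in EXECUTABLE_EXTS:
        return None
    # Whitespace padding alone is suspicious; a benign-looking decoy extension is too.
    if not pad and decoy not in DECOY_EXTS:
        return None
    return {"name": name, "visible_ext": decoy, "real_ext": real, "padding": len(pad)}


def scan_zip(data: bytes) -> list:
    """Scan the member names of an in-memory ZIP (the mail attachment) and return findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            finding = inspect_name(info.filename)
            if finding:
                finding["size"] = info.file_size
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose single member is named like the spammed file.
    The member content is placeholder bytes, not the trojan."""
    member = "screen.jpeg" + " " * 59 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder - not a real executable")
    return buf.getvalue()
```

A mail gateway would run `scan_zip` over each ZIP attachment and quarantine any message with a non-empty result, regardless of whether the payload itself is already detected.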

     



    An infamous underground virus-writing group has released its annual e-zine, which, as in previous years, includes various new technologies, techniques and concepts in computer virus and malware creation. Some of the new concepts released on the Internet as proof-of-concept malware code have been covered in the media, a couple may have been used or modified for malware actually found in the wild, and at least one may have been part of the reason why a planned feature of Microsoft Vista was eventually shelved because of ‘security implications’.


    The authors of the e-zine were neither script-kiddies nor cyber-criminals releasing their creations to the public with malicious intent. Rather, the code was released to demonstrate a concept: that ‘it’ can actually be done.


    Awareness is the key here, and we in the antivirus and security industry must see to it that our solutions cover these proof-of-concepts. No, there are no reports yet that these are in the wild. But we’re not supposed to wait until this happens, right?


    So to make us all aware, here are some new interesting things that are worth taking a closer look at:


    ======================================


    File-Infection Using F#

    [snip]


    In 2004/2005 Microsoft started a new field of research with an interesting idea: combining a functional language with the .NET Framework. The result of the research is a language called F#.


    [snip]


    You can find more information about F# in Microsoft’s site.


    F# has now been used in three new file-infection implementations, in which prepending, appending and EPO (entry-point obscuring) types of infection were shown to be possible. They come from the same author responsible for a vast array of proof-of-concepts, such as the first MONAD (Microsoft Command Shell) file infectors we reported last year and the more recent first infector for Microsoft InfoPath.




    ————————————–


    ASP.NET Infection

    ASP.NET is a pre-compiled language running on web servers like IIS. Three types of .aspx file-infectors have also been released; these will be detected by Trend as VBS_ASPLUX.


    ————————————–


    WikiWorm

    [snip]


    Malware which uses Wikipedia for spreading. It downloads a random article, searches the title of the article, downloads the article’s edit page, changes all external wiki links to a worm-download page, and opens the HTML file.


    [snip]


    Trend detects this as TROJ_DLOADER.AMI.


    ————————————–


    Tamiami

    This is one of the most interesting creations and can also be called a ‘blended threat’.


    WORM_TUTIAM.A has its own HTTP server and web-page creation code for building a website on the infected computer. Aside from mass-mailing itself as an attachment, it mass-mails emails containing a URL that points to the said ‘website’ on the infected computer, which in turn links to the worm binary. The worm sends emails, creates websites and sends out links in two languages (German or English) depending on the system where it was executed. It also infects or ‘infiltrates’ RAR and ZIP files by inserting a copy of itself in the archives, and can also infect MS Word DOC files by dropping a VBS file, detected as VBS_TUTIAM.A, that inserts its code in the Normal.dot template. The worm also uses a file named TakeCareOnMe that restarts the worm when it is terminated.


    ————————————–


    First Powershell aka Monad Polymorphic Worm

    The first threats for Monad or PowerShell were released last year and were featured in one of our posts titled RRLF Monad file infectors. Just this past May, a polymorphic version of the file-infector, BAT_POLYMSH.A, was released that also has the capability to propagate via P2P. The author of this first polymorphic PowerShell worm is none other than sk0r aka Czybik, who is also the author of this new MSH/PowerShell/Monad worm, detected by Trend as WORM_KIBYZ.A.


    ————————————–


    ISO Worm – WORM_BAHISHO.A

    This is reminiscent of the .ISO image infector seen last year. Now things have gotten a little more complicated. You can find more information here. Quoting the virus-writer:


    [snip]


    “The w0rm determines randomly which dirs should be searched for iso images each time it gets started. When it finds an image, it adds itself to the end of the image, adds a root dir record and updates the volume size. It also adds an autostart file that executes the w0rm when put into a Windows cdrom with autorun enabled.”


    [snip]


    ————————————–


    MATLAB Polymorphic File-Infector

    Last April, we received reports of what seems to be the first file-infector written to infect m-files (m-files are Matlab source files). Matlab is a high-level programming language created by Mathworks, designed to aid in mathematical problem-solving. More description can be found here.


    Now it comes with polymorphism. Trend detects it as MATL_LAGOB.A.

    ————————————–


    Malware Targets IDA Pro

    There is also the first virus to make use of a security researcher’s reverse-engineering tool, IDA Pro, to propagate. More information has been posted in the TMIRT blog and in our Virus Encyclopedia.




    ————————————–


    There are a couple more interesting things to be found in the e-zine archive. They are not meant to cause any damage to a computer system. They can be ‘made to’, however. Therefore, it would be advisable to take a closer look at these creations and see if we are really prepared for these kinds of threats in the event that they become widespread or are eventually used in the world of cyber-crime.




     



    Just a heads up, a spammed malware is currently making the rounds on the net posing as Microsoft Update.


    The trojan takes advantage of the many Microsoft vulnerabilities surfacing lately and the paranoia this creates among users.


    It spams an email with these details:


    From: update@microsoft.com
    Subject: Warning! New Virus On The Internet! Update Now!


    The email contains a URL pointing to the malware.


    It certainly looks legitimate, as the link looks like this:


    update.microsoft.[blank]/[blank].exe


    except it’s not from Microsoft and it’s certainly NOT legitimate.


    Not to worry though because the file has already been sent to our engineers and is currently being processed.


    Also, to avoid being duped by this kind of attack while still protecting your system from the new vulnerabilities plaguing Microsoft, go directly to the Microsoft site rather than following links from emails or forums. To be safe, open Internet Explorer and click Windows Update under the Tools menu; that will take you to the right update page.
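The lure works because a host such as update.microsoft.[something] reads as Microsoft at a glance. The following is an added example (not code from the original post) of the check a mail filter can apply: extract the URLs from a message, decide whether each host really sits under a trusted domain by suffix match rather than substring match, and flag direct executable downloads. The trusted-domain list, the placeholder host update.microsoft.invalid and the sample message body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains we accept as genuine update hosts (assumption for this example).
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com")
# Link targets that would download a program instead of a web page.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_trusted(host: str) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.
    A substring test ('microsoft.com' in url) would also accept
    microsoft.com.evil.invalid; this suffix match does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_microsoft(url: str) -> bool:
    """The weak impression the lure is built to create: the words are there."""
    return "update.microsoft" in url.lower()


def classify_url(url: str) -> dict:
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return {
        "url": url,
        "host": host,
        "trusted_host": host_is_trusted(host),
        "executable": parsed.path.lower().endswith(EXECUTABLE_EXTS),
        "looks_like_ms": looks_like_microsoft(url),
    }


def flag_update_lures(body: str) -> list:
    """Return URLs that imitate a Microsoft host without being one, or that fetch an executable."""
    findings = []
    for url in URL_RE.findall(body):
        c = classify_url(url)
        if (c["looks_like_ms"] and not c["trusted_host"]) or c["executable"]:
            findings.append(c)
    return findings


# Constructed sample message; the real lure's domain is not reproduced here.
SAMPLE_BODY = """From: update@microsoft.com
Subject: Warning! New Virus On The Internet! Update Now!

A new virus is spreading. Install the patch now:
http://update.microsoft.invalid/update.exe
Official information: https://www.microsoft.com/security
"""
```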

     


     
