    Archive for November, 2006




It’s not the usual maximizing of resources to achieve as many goals as possible. It’s rather the opposite: using all resources, and all possible means, in order to achieve one big goal – and that is to amass a lot of money!


This is probably what the creators of the malware families STRATION and MEDBOT are doing. On one hand, there’s this comeback of mass-mailers whose main purpose is just to make zombies out of hundreds of thousands of computers to serve image spam. This is described in the paper, The Real Motive Behind Stration.


    Meanwhile, there’s this fairly new strain of IRC bots that was released almost at the same time as the first variant of STRATION came out – and that was last August 2006. This is MEDBOT, an IRC bot that also attempts to infect computers with the goal of making them zombies to send out SPAM regarding the usual pharmaceutical line of ‘viagra’ and ‘cialis’. This is further described in the previous blog, WORM_MEDBOT.AI and SPAM.


    Here are some snapshots of the spam mails we generated and that are being sent out from MEDBOT-infected machines to millions of target recipients:


    What’s the connection you say?


Running WHOIS on the domains of the advertised ‘viagra’ sites from the MEDBOT spam emails gives us:


    Domain Name:genrunkasderunkion.com
    Registrant: Dima li
    jungonglu1219hao
    200093
    Administrative Contact: Dima li


Whoa! Now does that name or alias sound familiar! Dima Li! But of course, this is one of the aliases, along with Wang Pang, used by the same registrants or admins of the domains being used by the STRATION worms. Coincidence?… Add to that the fact that both malware families appeared at almost the same time, and the assumption that these malware families may indeed be connected gains more weight. Coincidence again?… And the ultimate goal – which is sending ‘viagra’ spam…
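The registrant pivot above can be automated. The following is an added example (not Trend Micro’s tooling): it parses concatenated WHOIS output and groups domains by registrant, collapsing the aliases the post names (Dima Li, Wang Pang) into one cluster. Only the first domain comes from the post; the other records and the cluster label are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records. genrunkasderunkion.com is from the post; the
# ".invalid" domains are placeholders, not real registrations.
WHOIS_RECORDS = """
Domain Name:genrunkasderunkion.com
Registrant: Dima li
Administrative Contact: Dima li

Domain Name:example-stration-site.invalid
Registrant: Wang Pang
Administrative Contact: Wang Pang

Domain Name:unrelated-pharmacy.invalid
Registrant: Some Other Person
Administrative Contact: Some Other Person
"""

# Aliases the post says belong to the same registrants; cluster label is hypothetical.
ALIAS_CLUSTERS = {"dima li": "stration-registrant", "wang pang": "stration-registrant"}

def parse_whois(text):
    """Split concatenated WHOIS output into {domain: {field: value}}."""
    records = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.+?)\s*$", line)
        if not m:
            continue  # address fragments and blank lines carry no field name
        field, value = m.group(1).strip(), m.group(2)
        if field == "Domain Name":
            current = value.lower()
            records[current] = {}
        elif current is not None:
            records[current][field] = value
    return records

def group_by_registrant(records):
    """Map each domain to a registrant key, folding known aliases into one cluster."""
    groups = defaultdict(list)
    for domain, fields in records.items():
        name = fields.get("Registrant", "").strip().lower()
        groups[ALIAS_CLUSTERS.get(name, name)].append(domain)
    return dict(groups)

def shared_registrant_domains(text):
    """Return only the registrant groups that tie two or more domains together."""
    groups = group_by_registrant(parse_whois(text))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```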


Take a look at the advertised site from MEDBOT:


And now take a look at the one advertised by STRATION:


    Coincidence?…


And the plot thickens! Are they using more than one malware family to achieve their goal of spam? Are they using two, three or possibly more stones to hit the grand prize? More chances of winning, eh? More on this as we continue our investigations…

     
    Posted in Uncategorized | Comments Off



Lately, TrendLabs has been receiving numerous reports of WORM_MEDBOT.AI infections, so TMIRT and our Malware Escalation Team went on to investigate. This is what we’ve found…


To learn more about WORM_MEDBOT.AI than what is already posted in our Virus Encyclopedia, we sniffed WORM_MEDBOT.AI traffic and found out that it connects to the IRC server reg.raxoper.com with the user nick jebr-1_(four digit random number)_(four digit random number).


Once a private session is established, the controller may issue several commands programmed into MEDBOT. For the session we monitored, the controller issued a download-and-execute command for four files (modul32e.m.exe, injs.n.exe, hdd.h.exe and ssd32.j.exe) located at http://up.medbod.com/up. On initial analysis, these files seem to be Trojan downloaders. The four files have already been submitted to the service team for detection.
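The indicators in the two paragraphs above (the nick pattern, the IRC server and the download location) can be turned into simple detection logic over network logs. This is an added example, not code from the post; the log format (source, protocol, destination host, payload) and the sample lines are constructed, not captured traffic.

```python
import re

# Nick pattern described in the post: jebr-1_<4 random digits>_<4 random digits>
MEDBOT_NICK = re.compile(r"^jebr-1_\d{4}_\d{4}$")
# IRC server and download host named in the post.
MEDBOT_IRC_HOST = "reg.raxoper.com"
MEDBOT_DOWNLOAD_HOST = "up.medbod.com"
MEDBOT_FILES = {"modul32e.m.exe", "injs.n.exe", "hdd.h.exe", "ssd32.j.exe"}

# Constructed log lines (not captured traffic): "<src> <proto> <dst_host> <payload>".
SAMPLE_LOG = """\
10.0.0.5 irc reg.raxoper.com NICK jebr-1_4821_0937
10.0.0.7 irc irc.example.invalid NICK friendly_user
10.0.0.5 http up.medbod.com GET /up/modul32e.m.exe
10.0.0.9 http www.example.invalid GET /index.html
10.0.0.5 irc irc.example.invalid NICK jebr-1_12_34
"""

def classify_line(line):
    """Return the list of indicator names that a single log line matches."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return []
    src, proto, dst, payload = parts
    hits = []
    if proto == "irc" and dst == MEDBOT_IRC_HOST:
        hits.append("irc-c2-host")
    if proto == "irc" and payload.startswith("NICK "):
        nick = payload.split(None, 1)[1].strip()
        if MEDBOT_NICK.match(nick):  # two-digit groups (line 5) do not match
            hits.append("medbot-nick")
    if proto == "http" and dst == MEDBOT_DOWNLOAD_HOST:
        hits.append("medbot-download-host")
        path = payload.split()[-1]
        if path.rsplit("/", 1)[-1] in MEDBOT_FILES:
            hits.append("medbot-component")
    return hits

def suspected_hosts(log):
    """Map each source IP to the set of indicators it triggered; quiet hosts are omitted."""
    result = {}
    for line in log.splitlines():
        hits = classify_line(line)
        if hits:
            result.setdefault(line.split()[0], set()).update(hits)
    return result
```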


Most notable of the four downloaded files is modul32e.m.exe, which accepts a URL as a parameter. Downloading the file from that URL reveals that it in turn contains a lot of URL links to other files. A brief summary of the files listed includes: an s3.2.txt file from the seeky.mootseek.com domain; a domain.cab file; fname.cab; lname.cab; pattern.txt from the up.medbod.com domain; and a lot of other files from the seek(1-2 digit number).mootseek.com domain.


Surprisingly, the s3.2.txt file contains an e-mail template that resembles spam. The domain.cab, fname.cab and lname.cab files contain the archived files domain, fname and lname respectively. The domain file contains a list of various domains, fname contains a list of common first names, and lname contains a list of last names. The file pattern.txt, on the other hand, contains phrases that can be used as e-mail subjects.


    The various files from the seek(1-2 digit number).mootseek.com domain are text files containing lists of generated e-mail addresses not covered by the combinations of strings found in fname/lname@domain.


It is worth noting that all these files are constantly updated. The s3.2.txt file that serves as an e-mail template was updated twice during our session, with each new template changing the URL link being advertised in the spam mail. The same goes for the numerous files from the seek(1-2 digit number).mootseek.com domain. The only files that remained constant were the domain, fname and lname files.


Summing up all these files reveals the real intention of WORM_MEDBOT: to turn infected computers into spam machines. The MEDBOT infection is a case of an elaborate and collaborative attempt by malware writers to profit. The use of multiple component files and the collaboration of at least three domains all point to an organized group behind all of this, and for them to set up such a complicated system, the returns must be really, really good…

     
    Posted in Uncategorized | Comments Off


Nov 13, 1:35 am (UTC-7)

On the 14th of November, Microsoft will be releasing its monthly security bulletins. For this month’s release, one bulletin affecting Microsoft XML Core Services will be released; its highest Maximum Severity rating is Critical. Microsoft will also release five security bulletins affecting Microsoft Windows; the highest Maximum Severity rating for these is also Critical.


A lot of zero-days have been coming out this month, and hopefully Microsoft will include the fixes for them in this month’s upcoming bulletins. Be sure to patch your machines after the release. =) A friendly reminder from your friendly neighborhood TMIRT. =)

     
    Posted in Uncategorized | Comments Off



Yes. And that is not a typo of “Myspace” in the title; although a typo is exactly what it is meant to catch. The domain myspaace.co.uk (with two a’s) was bought for 100 GBP just last October 25, 2006.


The said social networking site’s popularity is now at its peak, just like all domains that fall under the umbrella of Web 2.0, and with this kind of surge in user activity there’s almost always a dark side just a few feet away.


A couple of examples of the abuse of Myspace’s popularity include, but are not limited to, the Myspace worm last year; the bunch of adware that infected more than 100M users last July 2006; and the recently discovered 0day Myspace vulnerability.


    This write-up is not aimed at jumping the gun, so to speak…


But with the rising incidents of typo-squatting using popular sites such as Google and Trend Micro, it wouldn’t take long for malicious hacker groups to take advantage of the popularity of Myspace and the fact that users may just type in an extra letter, such as the letter ‘a’, on their way to the Myspace site… and then WHAM! It could be another big malware infection incident, considering the number of Myspace users and would-be users around the globe!


With that said, let us take extra care and check what we have typed in our browser windows before hitting the Enter button. And rest assured that the Trend Micro Incident Response Team will be monitoring any malicious use of this newly-bought domain, Myspaace, or any other typo-squatting incident for that matter.
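Monitoring for typo-squats like the one above starts with enumerating the candidate names. This added example (not Trend Micro’s tooling) generates single-edit typo variants of a brand label and flags observed domains that match; it goes beyond the doubled-letter case in the post by also covering omitted letters and adjacent transpositions. The observed domain list is constructed; only myspaace.co.uk is from the post.

```python
def typo_variants(label):
    """Single-edit typo candidates of a domain label: doubled letters,
    omitted letters and adjacent transpositions (the label itself is excluded)."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + ch + label[i:])    # doubled letter: myspaace
        variants.add(label[:i] + label[i + 1:])     # omitted letter: mysace
    for i in range(len(label) - 1):
        # adjacent transposition: mysapce
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)
    return variants

def watchlist(label, suffixes):
    """Full domain names a brand owner would watch or pre-register."""
    return {f"{v}.{s}" for v in typo_variants(label) for s in suffixes}

def flag_lookalikes(seen_domains, label, suffixes):
    """Subset of observed domains that are exactly one typo away from the brand."""
    return sorted(set(d.lower() for d in seen_domains) & watchlist(label, suffixes))

# Constructed list of "observed" registrations; only myspaace.co.uk is from the post.
SEEN_DOMAINS = ["myspaace.co.uk", "myspace.com", "mysapce.com", "example.invalid"]
BRAND_SUFFIXES = ["com", "co.uk"]
```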

     
    Posted in Uncategorized | Comments Off



    Just an FYI, we are currently being spammed with emails containing a trojan as an attachment.


The attachment name is New_Folder_01NOV2006.rar. You can begin filtering this out on your systems for proactive protection.


I have to say, the social engineering tactics made by the malware author to fool users into executing the attachment are above standard, so customers will have to be extra careful to keep from being fooled.


The contents of New_Folder_01NOV2006.rar are shown below.


As you can see, there are two objects:



• New Folder – an actual folder (nothing to it)
• New Folder_01NOV2006(215 SPACES).exe – an exe file with a folder icon; the 215 spaces are there to fool users into thinking that it is not an exe file. This is the same logic used by worms like WORM_MYTOB.

I can only guess that the folder “New Folder” is inside the archive for more social engineering. As the user extracts the files from the archive, he clicks on “New Folder”, which opens as a folder since it really is one, raising the chances of the user clicking New Folder_01NOV2006(215 SPACES).exe under the assumption that it is a folder too.


    The exe file has already been given to the service team for detection and has been given the name TROJ_DLOADER.HAP.


Again using good social engineering, TROJ_DLOADER.HAP downloads http://www.[blocked]nrg.org/tmp/about.html, making anyone watching the network think that the downloaded file is just an HTML file, when it is actually an exe file that is saved as iexplore.exe in your C: directory.
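Both tricks described above (the 215 spaces hiding the .exe extension, and an executable fetched under an .html name) are detectable from the filename and the first bytes of content alone. This added example (not Trend Micro’s detection code) shows one way to triage archive entries and downloads: it flags whitespace-padded and double-extension executable names, and flags PE content (the "MZ" header) arriving under a non-executable name. The sample entries are constructed to mirror the post.

```python
import re

# Every Windows PE executable starts with the DOS "MZ" header.
PE_MAGIC = b"MZ"
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def suspicious_name(name):
    """Reason string if the name hides an executable extension behind whitespace
    padding (the 215-space trick) or a harmless-looking second extension; else None."""
    base, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in EXEC_EXTENSIONS:
        return None
    if re.search(r"\s{2,}\.[^.]+$", name):
        return "whitespace-padded executable"
    if re.search(r"\.(html?|txt|doc|jpe?g|pdf)\s*\.[^.]+$", name, re.I):
        return "double-extension executable"
    return None

def content_mismatch(name, first_bytes):
    """True when a file named as something harmless (e.g. about.html) carries a PE header."""
    named_executable = name.lower().endswith(tuple(EXEC_EXTENSIONS))
    return not named_executable and first_bytes.startswith(PE_MAGIC)

def triage(entries):
    """entries: list of (name, first_bytes). Returns [(name, reason)] for suspicious items."""
    findings = []
    for name, head in entries:
        reason = suspicious_name(name)
        if reason is None and content_mismatch(name, head):
            reason = "executable content behind non-executable name"
        if reason:
            findings.append((name, reason))
    return findings

# Constructed sample mirroring the post: a real folder, the padded .exe, a fake .html.
SAMPLE_ENTRIES = [
    ("New Folder", b""),
    ("New Folder_01NOV2006" + " " * 215 + ".exe", b"MZ\x90\x00"),
    ("about.html", b"MZ\x90\x00"),
    ("readme.txt", b"Hello"),
]
```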


    The great thing is that this is already detected by Trend as TROJ_DLOADER.FUO.


    From TROJ_DLOADER.FUO begins a stream of downloads ultimately ending in phishing attempts on several banks.


Here is the list of files that were downloaded, beginning with TROJ_DLOADER.FUO; all files come from a single IP address.



    • http://[blocked]/ieschedule.exe (TROJ_DLOADER.FUX)
    • http://[blocked]/ib14.dll (TSPY_VB.BRF)
    • http://[blocked]/smss.exe (TROJ_DELF.DSJ)
    • http://[blocked]/iexplore.exe (TROJ_DLOADER.FUO)
    • http://[blocked]/ieserver.exe (TROJ_DELF.DSH)
    • http://[blocked]/dsrss.exe (TROJ_DELF.DSF)
    • http://[blocked]/preredir.exe (TROJ_DELF.DSI)
    • http://[blocked]/ieredir.exe (TROJ_DELF.DSG)

All files except ib14.dll (TSPY_VB.BRF) have an Internet Explorer icon, another social engineering tactic that raises the chances of a user executing the file.


It is great to note that all the malware used by TROJ_DLOADER.HAP had already been detected by Trend Micro. The URLs of the files have also been given to the URL blocking team.


With all the social engineering tactics used by this malware, it is important for users to be more vigilant and make sure to only execute files that are known to be good.


More and more of these cases are showing up: different malware working together for profit, just like the case with TROJ_LINKOPTIM. We are continually seeing this trend in malware. No more fast-spreading worms, but trojans downloading trojans, ultimately leading to profit for the malware author.

     
    Posted in Uncategorized | Comments Off


© Copyright 2011 Trend Micro Inc. All rights reserved.