
    Archive for December, 2006




    With the number of bot malware discovered and analyzed by the security industry over the years, it is easy to claim that we have seen it all. Enter PHP_PBOT.A, a PHP script-bot sporting a routine heretofore practiced only by Trojan-downloaders: Web server upload.

    As a bot, its backdoor capabilities and possible vulnerability exploits warrant a been-there-done-that. The fact, however, that it can be uploaded to target Web servers adds some oomph to its otherwise blah routine: via affected Web servers, users who access a Web page containing this malicious script get their systems affected pronto.

    This is a new twist on how bots create a zombie network. Most bots propagate via network shares. True, it’s easy to infect a whole network that way, but at least one machine in that network must get infected first to spark the propagation. The biggest challenge for a bot is therefore to affect that first system.

    By using Web servers, PHP_PBOT.A brings bot propagation from local networks to the biggest network of all — the Web. Whether that is a leap forward for bots or actually a step backward remains to be seen.

    Are script-bots on Web servers the next big bot trend? Are they the next step in the evolution of a more powerful zombie?

     
    Posted in Uncategorized | Comments Off



    Have you seen this yet?

    Interesting… isn’t it? That’s the AIM message that I received on my own AIM account a couple of hours ago, but I would not try to visit the URL if I were you…

    But, just in case you do visit the URL (just in case…), you will land on the same default page, index.html.

    If the ActiveX control settings of your web browser are not securely configured, a file named mpg2-3.0.1.exe will be downloaded to your system automatically. But even if they are properly configured, the tempting URL and the deceptive page (which pretends to offer a real video clip) may still lure you into downloading and running the abovementioned file yourself, unaware of what you are getting into.

    Upon execution, the downloaded file presents a message box with a fake error message saying there has been a problem. What is really happening in the background is that the file you have just executed downloads another malicious file from the Internet. This second malicious file is fetched from the URL http://tiny-url.us/f.php and is later saved to the affected system and executed as mstc.exe.

    So guys and gals, make sure you know what you are getting into nowadays: try to be extra careful, and do not forget to update to the latest pattern file of your antivirus program (this can help you stay out of much trouble…).

    Note:

    All urls mentioned are already submitted to the Web Blocking Team.

    The samples mpg2-3.0.1.exe and mstc.exe have been given the detection names TROJ_DLOADER.IBZ and WORM_NUGACHE.G, respectively.

     
    Posted in Uncategorized | Comments Off



    This coming Tuesday, the 12th of December, is the monthly Microsoft patch day, and according to Microsoft we should expect the following:

    • Five Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical.
    • One Microsoft Security Bulletin affecting Microsoft Visual Studio. The Maximum Severity rating for this is Critical.

    More information here.

     
    Posted in Uncategorized | Comments Off


    Dec 11, 5:44 am (UTC-7) | by

    I hadn’t visited mIRC for a while, so I intended to visit it at the start of my shift. I joined a couple of channels, and after some time I received a private message with a link pointing to a binary file. Yeah, just as I expected, malware still uses mIRC for its own purposes.

    The binary file is an undetected WORM_DREFIR.A and is already being processed by the Service Team. This malware caught my interest because, aside from its destructive payload, which replaces every file it can access with an empty file of the same filename, it can also add a copy of itself to any RAR archive found on the affected user’s computer, using a randomly generated filename for that copy.

    A computer affected by this malware is used as a host to spread it further. The malware opens port 80 (HTTP), from which potential victims can fetch a copy. It then sends private messages to potential victims through the mIRC channels it has joined; each message contains a link to a copy of the malware that uses the IP address of the affected computer.

    Example:

    A potential victim receives the following message via IRC

    – “http://www.google.com/url?q=http://xxx.yyy.zzz/TrialXXXView.scr”

    where xxx.yyy.zzz is the IP address of a compromised machine hosting the malware.

    The payload of the malware is activated on the 29th of every month, whenever the seconds value of the system time is above 30. Here’s the message displayed:

    It is good practice not to click URL links from IRC messages, even if they come from a known acquaintance. It is possible that your friend’s computer was compromised and that it is the malware that sent you the message. :)

    Keep your antivirus pattern files updated regularly to stay protected from the malware being discovered in the wild.

     
    Posted in Uncategorized | Comments Off
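    The link quoted in the WORM_DREFIR.A post above is wrapped in a Google redirect, so the visible URL begins with www.google.com while the real destination is a raw IP address serving a .scr file. The following is an added example (not Trend Micro code) of how a defender can unwrap such links from IRC messages and list the signals worth alerting on, together with a check for the 29th-of-the-month trigger window the post describes. The message and the address 192.0.2.10 used in it are constructed (TEST-NET), not indicators from the post.

```python
"""Triage of links arriving in IRC private messages, modelled on the
WORM_DREFIR.A message quoted above.  Added example, not Trend Micro code.

The worm wraps its link in a Google redirect (www.google.com/url?q=...),
so the visible URL begins with google.com while the real destination is
a raw IP address (the infected host, serving on port 80) and a .scr
screensaver executable.  The IP 192.0.2.10 used below is a constructed
TEST-NET value, not an indicator from the post."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Windows executable extensions, whatever the filename pretends to be.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def unwrap_google_redirect(url):
    """Return the q= target of a www.google.com/url redirect, else url itself."""
    parts = urlsplit(url)
    if parts.netloc.lower() in ("www.google.com", "google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]
    return url


def host_is_raw_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_url(url):
    """Unwrap the URL and list the suspicious signals a defender cares about."""
    destination = unwrap_google_redirect(url)
    parts = urlsplit(destination)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    signals = []
    if destination != url:
        signals.append("google_redirect_wrapper")  # link disguised as google.com
    if host_is_raw_ip(host):
        signals.append("raw_ip_host")              # served straight from a host, no domain
    if ext in EXECUTABLE_EXTS:
        signals.append("executable_download")      # .scr etc. run as programs on Windows
    return {"url": url, "destination": destination, "host": host, "signals": signals}


def triage_irc_message(message):
    """Extract and triage every URL in one IRC message (surrounding quotes stripped)."""
    return [triage_url(u.rstrip(".,)\"'\u201d")) for u in URL_RE.findall(message)]


def drefir_payload_window(day, second):
    """Trigger condition the post describes: the 29th of any month, seconds above 30."""
    return day == 29 and second > 30


if __name__ == "__main__":
    # Constructed message in the shape the post quotes.
    msg = "hey, look at this: \u201chttp://www.google.com/url?q=http://192.0.2.10/TrialXXXView.scr\u201d"
    for finding in triage_irc_message(msg):
        print(finding)
    now = datetime(2006, 12, 29, 10, 0, 45)  # constructed timestamp inside the window
    print("payload window:", drefir_payload_window(now.day, now.second))
```

    The three signals together (a Google wrapper, a bare IP as the real host, and an executable extension) are a much stronger indicator than any one of them alone; a link to a plain .html page through the same wrapper only raises the first.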



    I’m writing this post to let you know about targeted attacks we’re facing in Europe, especially in Italy.



    The “Italian Job” (a.k.a. Linkoptimizer, a.k.a. Gromozon) appears to be orchestrated by a well-organized gang that uses several aliases to avoid recognition; in the end, all of them refer to the same malware chain.



    An infection by Linkoptimizer can be triggered by





    • A downloaded malware. It uses attractive filenames, like “www.google.com” or “www.sport.com”

    • A Trojanised WMF File (Downloader)

    • ActiveX/OCX File (dropper)

    • ByteVerify (Java exploit)


    The downloaded malware, when executed, installs





    • A rootkit

    • Various files hidden through ADS (Alternate Data Streams)

    • Random files encrypted using EFS

    • Linkoptimizer (hidden by a rootkit)


    Once you are infected, Linkoptimizer downloads other Trojans and adware, installs other spyware applications, and pops up several IE windows that redirect users to further malicious websites. With all of these installed, the machine is nearly unusable and really tough to clean up. It is easy to find a machine infected by Linkoptimizer hosting more than 10 or 20 different malware.



    The websites hosting these malicious files are constantly updated and add new content very fast. Because of this, we’re seeing many different versions of the same malware.



    Here are some of the malware families involved:





    • TROJ_LINKOPTI

    • TROJ_AGENT

    • TROJ_SMALL.Y

    • TROJ_CLICKER

    • TROJ_DROPPER

    • TROJ_DLOADER

    • TROJ_SPABOT

    • TROJ_SPYWAD

    • DIAL_DIAMIN

    • DIAL_ADDIAL

    • ADW_SMALL

    • ADW_SYSTEMDOCT


    You may ask why this threat is typically localized in Italy. The primary reason is that most of the malicious websites are using Italian keywords. A simple search on Google using Italian words can easily bring you to a malicious website.



    Cleaning up this malware infestation is a difficult, if not impossible, task, no thanks to the installed rootkit, which hides all the other malware files. Once the rootkit is disabled, you can start cleaning up the malware files, but because the malware is constantly updated or modified, the cleanup is a bit tougher still. An additional measure is a URL filtering solution that blocks the known malicious websites and so prevents further infection through them.



    Italian .bizness



    While struggling with Linkoptimizer, Italy is being harassed yet again by another menace, dubbed the “Italian .Bizness”, a.k.a. TROJ_AGENT.HDX.



    It arrives by email, in Italian, asking you to download a removal tool to clean up your machine. The body contains an HTTP link that uses a .biz domain, hence the nickname.



    Below is the English translation of the email text:

    I am not an expert in this matter, anyway our technician states that those “e-mails” from you are not made on purpose but can be caused by a virus. Moreover he says that it is possible to remove this worm with the AV program that you can download from the following address: http://www.spyware<BLOCKED>smasher.biz



    I don’t have the knowledge nor the time to verify if this hypothesis is correct but I must “legally warn” you to stop sending undesired e-mails to my work e-mail. If I receive JUST A SINGLE MESSAGE of this kind again, I will proceed with legal action without any notice.



    Stop sending, or if it is a virus/worm, remove it immediately, since I am probably not the only one receiving this trash from you.



    I remind you that the police have the instruments to trace the real identity of the owner of an e-mail address even if registered with a fantasy name or international registration. So don’t think you can continue to infect my mail box with this kind of things.



    Waiting for your kind reply,



    This is a clever use of social engineering, employing the “scare tactic” quite well.

    Clicking on the link directs you to a webpage asking the user to download a removal tool. The download link is quite hard to miss; it is advertised by a green button:



    The so-called “removal tool” (filename removal_tool.exe) uses the following icon, making it all the more attractive.

    Once the malware (the ‘removal tool’) is executed, it drops a DLL file, webdesk.dll, into the Windows system32 folder and installs it as a BHO (Browser Helper Object).



    The files removal_tool.exe and webdesk.dll are detected as TROJ_AGENT.HDX and can be cleaned up using our latest DCT.



    The emails being spammed also advertise other URLs, such as





    • http://www.privacy<BLOCKED>wall.biz

    • http://www.notmore<BLOCKED>spyware.biz

    • http://www.spyware<BLOCKED>executioner.biz

    • http://www.kill<BLOCKED>malaware.biz

    • http://www.pc-<BLOCKED>protector.biz

    • http://www.spyware<BLOCKED>smasher.biz

    • http://www.safe<BLOCKED>master.biz

    • http://www.watchware<BLOCKED>murderer.biz

    • http://www.adware<BLOCKED>zap.biz

    • http://www.nowim<BLOCKED>protected.biz

    • http://www.SpyStuff<BLOCKED>Killer.biz

    • http://www.adware<BLOCKED>wipe.biz

    • http://www.safe<BLOCKED>master.biz

    • http://www.myclean<BLOCKED>pc.biz

    • http://www.TenKiller<BLOCKED>Direct.biz

    • http://www.watchare<BLOCKED>assassin.biz

    • http://www.free-spyware-<BLOCKED>killer-software.biz

    • http://www.spyware<BLOCKED>murderer.biz

    As can be seen, these websites host known rogue anti-spyware applications (http://en.wikipedia.org/wiki/Rogue_software). The modus operandi, it seems, is to spam a lot of people, use social engineering techniques to lure them into visiting the malicious websites, and get them to install rogue anti-spyware applications.

    There are probably many other websites hosting these malicious files. Most of these websites point to the same IP address, hosted in Russia.



    A peculiar characteristic of these websites is that they can only be accessed from Italy: not from an Italian Windows system, but geographically from Italy. Even using an Italian DNS server or proxy, you won’t be able to connect to these sites from another country.



    Both of these local outbreaks are specifically targeted at Italy. I guess several groups working in concert are involved here – one sub-group creates the websites as fast as we can send an SMS, another created the malware, another spams the emails, and another hosts the bot network for sending spam.

     
    Posted in Uncategorized | Comments Off
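    The “Italian .bizness” post above lists the spammed .biz domains and notes that most of them resolve to one IP address. The following is an added example (not Trend Micro code) of the triage a mail-security analyst would run over such messages: extract the links, flag .biz domains assembled from rogue-anti-spyware vocabulary (the wordlist is taken from the domain names the post lists), and group the flagged domains by the address they resolve to, so that a single hosting cluster becomes visible. The email bodies, the demo domain names and the resolution table are constructed for the example (the real names are <BLOCKED> in the post); a production version would replace the table with an actual DNS lookup.

```python
"""Link triage for the “Italian .bizness” style spam described above.
Added example, not Trend Micro code.  Email bodies, domain names and the
resolution table are constructed for the demo (RFC 5737 TEST-NET
addresses); `resolve` would be a real DNS lookup in production."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Vocabulary the campaign assembles its rogue-AV domain names from
# (drawn from the domains listed in the post).
ROGUE_AV_WORDS = ("spyware", "adware", "malware", "malaware", "watchware",
                  "protector", "protected", "killer", "smasher", "wipe", "zap",
                  "murderer", "assassin", "executioner", "clean", "safe", "privacy")

# Constructed resolution table standing in for DNS.
FAKE_DNS = {
    "www.spyware-demo-smasher.biz": "198.51.100.7",
    "www.adware-demo-zap.biz": "198.51.100.7",
    "www.privacy-demo-wall.biz": "198.51.100.7",
    "www.example.com": "192.0.2.1",
}


def domain_of(url):
    return (urlsplit(url).hostname or "").lower()


def looks_like_rogue_av_domain(domain):
    """True for a .biz domain whose label is built from rogue-AV vocabulary."""
    if not domain.endswith(".biz"):
        return False
    label = domain[:-len(".biz")]
    if label.startswith("www."):
        label = label[len("www."):]
    label = label.replace("-", "")  # the campaign mixes hyphenated and joined forms
    return any(word in label for word in ROGUE_AV_WORDS)


def extract_links(body):
    """Every http(s) URL in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,)\"'") for u in URL_RE.findall(body)]


def triage_emails(bodies, resolve):
    """Return the flagged domains and an ip -> domains map across all bodies.

    `resolve` maps a domain to an IP string or None (here FAKE_DNS.get)."""
    flagged = set()
    clusters = defaultdict(set)
    for body in bodies:
        for url in extract_links(body):
            domain = domain_of(url)
            if looks_like_rogue_av_domain(domain):
                flagged.add(domain)
                ip = resolve(domain)
                if ip:
                    clusters[ip].add(domain)
    return {"flagged": sorted(flagged),
            "clusters": {ip: sorted(ds) for ip, ds in clusters.items()}}


# Constructed spam bodies echoing the translated text in the post.
SAMPLE_EMAILS = [
    "our technician states this can be caused by a virus; remove it with the "
    "AV program from http://www.spyware-demo-smasher.biz/",
    "Stop sending this trash. Download the removal tool: http://www.adware-demo-zap.biz",
    "I will proceed with legal action. Clean your PC at http://www.privacy-demo-wall.biz/tool",
    "Meeting notes are at http://www.example.com/notes.html",
]

if __name__ == "__main__":
    result = triage_emails(SAMPLE_EMAILS, FAKE_DNS.get)
    print("flagged:", result["flagged"])
    for ip, domains in result["clusters"].items():
        print(ip, "->", ", ".join(domains))
```

    Grouping by resolved address is what turns a list of throwaway domain names into one blockable hosting cluster: new .biz names appear faster than a wordlist can follow, but if they keep landing on the same address, that address is the durable indicator for URL filtering.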


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice