
Archive for June 17th, 2007


Jun 17
by Mayee Corpin (Technical Communications)

Bot herders beware: the feds are now on your tail.

On June 13, the United States FBI launched a nationwide initiative to go after bot herders and put them behind bars. Bot herders are believed to be capable of doing any or all of the following once a botnet, a collection of compromised computer systems, is under their command and control: stealing a user’s identity, sending large volumes of spam, committing click fraud, and launching denial of service (DoS) attacks.

Because ongoing investigations put the number of potential victims at over 1 million users, botnets are now a matter of national security and an actual threat to the national information infrastructure and the economy. The operation has so far apprehended three people.

Working closely with industry partners like the CERT (Computer Emergency Response Team) Coordination Center at Carnegie Mellon University, the FBI is hopeful that more bot masters will fold as the operation progresses. The Bureau also advised against calling it directly, as it is “not in a position to provide technical assistance.” Instead, it recommends that users who suspect their systems have been compromised contact their ISPs first, because they “can help you determine if your computer has been infected, and what steps to take to restore it.” Affected users may also file a complaint online with the Internet Crime Complaint Center. Lastly, the Bureau warned against phishing attempts by dubious parties; it made clear that it would not contact anyone to ask for personal information online.

More information about the operation is available on this page.

Posted in News, Security

Jun 17
by Miray Lozada (Technical Communications)

The last notable Sohanad variant, WORM_SOHANAD.U, was detected last February. It rode on the popularity of the Windows Vista release for its social engineering tactic. The current Sohanad spreading in the wild, however, is using a more “classic” Sohanad trick. Detected late last May as WORM_SOHANAD.BO, this particular variant is propagating via instant messages in Vietnamese.

[Image: sohanad_2.gif]

Late last year, when the shift in the threat landscape was only beginning to be accepted industry-wide, specialized threats like the WORM_SOHANAD variants, written in Vietnamese and carrying Vietnamese pop culture references, helped cement the distinguishing characteristic of this rising group of threats: they are more target-specific. While they still execute regular worm routines such as propagation and backdoor capabilities, their social engineering tactics heralded the coming of more customized threats.

This brings us back to WORM_SOHANAD.BO. It does the usual Sohanad tricks, down to disabling Task Manager and Registry Editor. The appearance of another variant from this particular malware family seemingly promises to continue what previous variants have started, which makes sense for a family that played a considerable part in shaping the current Web threat trend.

Posted in Uncategorized

Jun 17
by Paul Oliveria (Technical Communications)

TrendLabs has recently received reports of a new file infector targeting .MEL files.

If you’re not familiar with the extension name, you’re not alone. :) Personally, I’ve never heard of such a file type until now. A quick search on the Web, however, revealed that .MEL files are actually script files related to Maya 3D applications — as in the application used to render 3D graphics and animations.

TrendLabs is currently working on an in-depth analysis of this malware, which is to be detected as MEL_YAMA.A. From the looks of it, though, it seems that whoever created this malware is targeting a specific group of users (i.e., graphic artists, etc.). Kinda reminds us of the ALS_BURSTED family that affected AutoCAD software, no?

Thanks to David Sancho for finding and reporting the sample of this malware. Updates to be posted soon.

Posted in Uncategorized

Jun 17
by Jasper Pimentel (Advanced Threats Researcher)

While browsing the Internet today, I came across a suspicious-looking URL (znewly[dot]hk). Now, I call it suspicious-looking because when I visited the site, the page took (suspiciously, again) a long time to load, and after a few seconds the browser suddenly closed. Several seconds later I was staring at a Windows shutdown message: my machine was shutting down!

Now what just happened here?

It turns out that the page contains an obfuscated script that loads several more HTML pages with malicious code. The loaded HTML documents contain known exploits that are in turn loaded through an IFRAME tag. It is worth mentioning that one of the exploits is similar to the one TROJ_ANICMOO used, which is concerned with a vulnerability in handling animated cursors. Eventually, a malicious executable file (fun.exe) is downloaded from “znewly[dot]hk/fun.exe”. Once the download has begun, the browser closes and the .EXE file attempts to shut down Windows. The shutdown operation won’t work if the group policy for restricted access to the Shut Down command is enabled in Windows XP.

[Image: HKURL-Code2.jpg]

Further inspection of the site’s HTML source also reveals that it uses a pinch of social engineering to trick unsuspecting users into downloading the malicious file. Similar to the download sections of popular sites, it contains a statement telling the user that if he encounters a problem with the automatic download, he can obtain the file from this location: (znewly[dot]hk/fun.exe).

Trend will detect the malicious web page as JS_DLOAD.AZ. The EXE file will be detected as a Trojan, TROJ_TIBS.ABO.
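As an added illustration (this is not code from the TrendLabs post or from Trend Micro), the following Python script turns the three indicators described above into static triage rules that can be run over a fetched copy of a page before anyone opens it in a browser: an inline script that feeds a long run of escape sequences into unescape() or document.write(), an IFRAME sized to zero or hidden by CSS, and a link to an executable dressed up as a manual download fallback. The sample HTML and the host name bad-host.example are constructed for the example; the thresholds are assumptions to tune against real traffic.

```python
# Added example, not from the TrendLabs post: static triage of a fetched HTML page
# for the three patterns the post describes (obfuscated script, hidden IFRAME,
# link to an executable). Sample input and host names are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; "bad-host.example" is a placeholder host.
SAMPLE_PAGE = """<html><body>
<script type="text/javascript">
var s = unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%62%2E%68%74%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E');
document.write(s);
</script>
<iframe src="http://bad-host.example/a.htm" width="0" height="0"></iframe>
<iframe src="http://cdn.example/widget.htm" width="300" height="200"></iframe>
<p>If the automatic download did not start, get the file from
<a href="http://bad-host.example/fun.exe">this location</a>.</p>
</body></html>"""

# Escape forms commonly pushed through a decoder by obfuscated loaders.
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
DECODER_RE = re.compile(r"\b(unescape|eval|document\.write|String\.fromCharCode)\s*\(")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")
MIN_ESCAPES = 8          # assumed threshold: shorter runs are usually benign


class PageCollector(HTMLParser):
    """Collect the elements the triage rules look at."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # bodies of inline <script> blocks
        self.iframes = []    # attribute dicts of <iframe> tags
        self.links = []      # href values of <a> tags
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "a" and "href" in attrs:
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> content to handle_data as raw text,
        # possibly in several chunks, so concatenate.
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def scan_html(html):
    """Return a list of (rule, detail) findings for one page."""
    collector = PageCollector()
    collector.feed(html)
    collector.close()
    findings = []

    for body in collector.scripts:
        escapes = len(ESCAPE_RE.findall(body))
        decoders = sorted(set(DECODER_RE.findall(body)))
        if decoders and escapes >= MIN_ESCAPES:
            findings.append(("obfuscated_script",
                             f"{escapes} escape sequences fed to {','.join(decoders)}"))

    for attrs in collector.iframes:
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width", "").strip() in ("0", "1") or \
               attrs.get("height", "").strip() in ("0", "1")
        if tiny or "display:none" in style or "visibility:hidden" in style:
            findings.append(("hidden_iframe", attrs.get("src", "")))

    for href in collector.links:
        if urlsplit(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable_link", href))
    return findings


def triage(findings):
    """Combine rules: the post's chain used all three, so two kinds together
    is treated as suspicious, one kind alone is queued for review."""
    kinds = {rule for rule, _ in findings}
    if len(kinds) >= 2:
        return "suspicious"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    results = scan_html(SAMPLE_PAGE)
    for rule, detail in results:
        print(f"{rule}: {detail}")
    print("verdict:", triage(results))
```

The visible second IFRAME (300 by 200, from another host) deliberately produces no finding: cross-site frames are everywhere on legitimate pages, so the rule keys on concealment, not on origin. Running the hidden-frame and decoder checks over pages referenced from a proxy log is a cheap way to surface candidates for the kind of manual inspection described in this post.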

Posted in Uncategorized


© Copyright 2008 Trend Micro Inc. All rights reserved.