
    Archive for July, 2010




    QuickTime Player (version 7.6.6) allows movie files to trigger the download of files, and cybercriminals are using this to download malware from malicious websites.

    Trend Micro threat research engineer Benson Sy encountered two .MOV files (salt dvdrpi [btjunkie][xtrancex].mov and 001 Dvdrip Salt.mov) that both use the name of the recent movie Salt, starring Angelina Jolie. They look suspicious because of their relatively small size compared with regular movie files.

    When the movie files are loaded in QuickTime, they do not show any live-action scenes but instead lead users to download malware pretending to be either a codec update or another player's installer. We are still investigating whether the malware exploits a vulnerability or uses known functionality to download other malware.

    The first .MOV file connects to http://{BLOCKED}.{BLOCKED}.53.196/stat1/pix1.php, which redirects to http://{BLOCKED}.{BLOCKED}.8.120/cms/976/1/QuickTime_Update_KB640110.exe. It then asks the user to save or run the file. Trend Micro detects this as TROJ_TRACUR.SMDI.


    On the other hand, the second .MOV file connects to http://play.{BLOCKED}nstaller.com/0.c, which points to http://player.{BLOCKED}nstaller.com/d77.php. It then downloads a file that Trend Micro detects as TROJ_DLOAD.QWK. Similarly, it asks the user to save or run the file.


    Trend Micro users are protected from this attack by the Trend Micro™ Smart Protection Network™, which blocks the malicious URLs to prevent the download of malicious files onto the system.

    Update as of July 30, 2010, 1:57 p.m. (UTC):

    Trend Micro detects the two .MOV files (001 Dvdrip Salt.mov and salt dvdrpi [btjunkie][xtrancex].mov) as TROJ_QUICKTM.A. As of this writing, we’ve contacted Apple regarding this issue.

    Update as of July 30, 2010, 8:07 p.m. (UTC):

    Upon execution, TROJ_DLOAD.QWK downloads a .CAB file, which installs the Tango Toolbar and its components. The .CAB file also contains binaries that Trend Micro detects as TROJ_DLOADR.TAN and TROJ_DLOADR.GAB.

    Update as of July 30, 2010, 8:42 p.m. (UTC):

    According to Apple, the two .MOV files do not make use of an exploit, instead “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is not related to the vulnerability reported by Secunia.”

    Update as of August 2, 2010, 1:00 p.m. (UTC):

    According to Threats Analyst Brian Cortes, these malicious files appear to use a feature of the QuickTime specification known as wired actions, which allows QuickTime files to take certain actions, in this case going to a URL. This is roughly analogous to the /launch feature in PDF files that was abused by malware earlier this year.

    However, this feature does not appear to be implemented in all media players that are compatible with QuickTime files. Testing with the VLC media player indicates that this particular feature is not implemented there.
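    A triage check a responder can run on files like the ones above, added here as an example and not code from the post or from Trend Micro: it walks the top-level QuickTime atoms of a .MOV file and flags files whose media payload (the 'mdat' atom) is only a small fraction of the file, which is what "relatively small size compared with regular movie files" means structurally. It does not detect wired actions themselves; the 0.5 ratio threshold and the two sample blobs are constructed for the example.

```python
import struct


def walk_atoms(data, offset=0, end=None):
    """Yield (type, offset, size) for each top-level atom in a QuickTime/ISO
    base-media byte string. Handles the 64-bit extended size (size == 1) and
    the 'atom extends to end of file' convention (size == 0)."""
    if end is None:
        end = len(data)
    pos = offset
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        header_len = 8
        if size == 1:
            if pos + 16 > end:
                raise ValueError("truncated 64-bit atom header at offset %d" % pos)
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header_len = 16
        elif size == 0:
            size = end - pos
        if size < header_len or pos + size > end:
            raise ValueError("bad atom size %d at offset %d" % (size, pos))
        yield atype.decode("latin-1"), pos, size
        pos += size


def triage_mov(data, min_media_ratio=0.5):
    """Heuristic triage: a genuine movie is dominated by its 'mdat' sample data.
    A file whose media payload is a tiny fraction of the total, or which has no
    'moov' atom at all, deserves a closer look before it is opened in a player.
    The threshold is an assumption for this example, not a vendor setting."""
    atoms = list(walk_atoms(data))
    by_type = {}
    for atype, _, size in atoms:
        by_type[atype] = by_type.get(atype, 0) + size
    media_ratio = (by_type.get("mdat", 0) / len(data)) if data else 0.0
    findings = []
    if "moov" not in by_type:
        findings.append("no moov atom: not a playable movie")
    if media_ratio < min_media_ratio:
        findings.append("media payload is only %.1f%% of the file" % (media_ratio * 100))
    return {"atoms": [a for a, _, _ in atoms], "media_ratio": media_ratio, "findings": findings}


def _atom(atype, payload):
    """Build one atom: big-endian 32-bit size (including the 8-byte header) + type."""
    return struct.pack(">I", 8 + len(payload)) + atype + payload


# Constructed samples (not the files from the post): SUSPECT carries almost no
# sample data, NORMAL looks like a real movie with a large mdat.
SUSPECT = _atom(b"ftyp", b"qt  " + b"\0" * 4) + _atom(b"moov", b"\0" * 192) + _atom(b"mdat", b"\0" * 12)
NORMAL = _atom(b"ftyp", b"qt  " + b"\0" * 4) + _atom(b"moov", b"\0" * 32) + _atom(b"mdat", b"\0" * 992)
# A trailing atom with size 0 runs to the end of the file.
TRAILING = b"\x00\x00\x00\x00mdat" + b"x" * 10

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, triage_mov(blob))
```

    The ratio is computed over atom totals, so it does not matter whether 'mdat' precedes or follows 'moov'. Files that trip the check are candidates for sandbox detonation or for blocking at the gateway, not a verdict on their own; a short legitimate clip with a large index can also score low.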

     



    TSPY_ZBOT.CQJ is one of the new ZeuS/ZBOT 2.0 variants spotted earlier this year. Let’s take a look at one of the methods it uses to steal users’ banking credentials.

    These new ZBOT variants intercept the information users enter into a bank's Web page by inserting predefined JavaScript code into that page. At present, this threat successfully inserts its predefined code when affected users use Internet Explorer and Firefox.

    A downloaded ZBOT configuration file contains a list of target websites. It also specifies how these targets will be modified. In some cases, Web forms are added for users to fill in. Here’s a screenshot of part of a targeted bank’s website:

    Here is the modified version. Note the added field, Clavo de Operaciones, which refers to another security key:

    The latter version has been extensively modified with the addition of a script that was not present in the original version:


    This script performs the actual information theft, capturing any credentials entered. It prompts the user to fill in the inserted Web form field if it is left blank.

    This second password is used by institutional accounts that have different levels of user privileges. The bank's website asks for it when the user makes transactions that involve money (such as paying bills or transferring funds). Clearly, this is something cybercriminals would like to steal.

    Added fields in forms are not the only tactic used. In other cases, a fake secondary login page asking for the second password is displayed instead:


    The goal here is similar to the first instance wherein secondary passwords needed to complete financial transactions are stolen.
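    Because the injection happens inside the victim's browser, the modified page never crosses the wire; a fraud team can only see it by comparing a DOM capture from an affected client with the bank's known-good page. The inventory-and-diff below is an added example, not code from the post or from Trend Micro: it lists every script and every form input in both documents and reports what the rendered page has that the baseline does not, such as an extra password field or a script loaded from a foreign host. The two HTML documents, the field name clave_operaciones and the host injected.example are constructed for the example.

```python
from html.parser import HTMLParser


class _PageInventory(HTMLParser):
    """Collect every script (external src or inline body) and every form input
    (keyed by the enclosing form's action) from an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts = set()   # (src, inline_text)
        self.inputs = set()    # (form_action, input_name)
        self._in_script = False
        self._src = ""
        self._buf = []
        self._form = ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._src, self._buf = True, a.get("src", ""), []
        elif tag == "form":
            self._form = a.get("action", "")
        elif tag == "input":
            self.inputs.add((self._form, a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.add((self._src, "".join(self._buf).strip()))
            self._in_script = False
        elif tag == "form":
            self._form = ""

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive as raw data (CDATA mode)
            self._buf.append(data)


def inventory(html):
    p = _PageInventory()
    p.feed(html)
    p.close()
    return p.scripts, p.inputs


def diff_page(baseline_html, observed_html):
    """Report scripts and form fields present in the page the browser rendered
    but absent from the known-good baseline."""
    base_scripts, base_inputs = inventory(baseline_html)
    obs_scripts, obs_inputs = inventory(observed_html)
    return {
        "added_scripts": sorted(obs_scripts - base_scripts),
        "added_inputs": sorted(obs_inputs - base_inputs),
    }


# Constructed sample pages: the login form as the bank serves it, and the same
# page as captured from an affected browser (not the screenshots from the post).
BASELINE = """<html><body>
<form action="/login" method="post">
  <input name="user"><input name="password" type="password">
</form>
<script src="/static/site.js"></script>
</body></html>"""

OBSERVED = """<html><body>
<form action="/login" method="post">
  <input name="user"><input name="password" type="password">
  <input name="clave_operaciones" type="password">
</form>
<script src="/static/site.js"></script>
<script src="http://injected.example/inject.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(diff_page(BASELINE, OBSERVED))
```

    Inline scripts are compared by their full text, so a baseline that embeds per-session values (CSRF tokens, timestamps) will produce noise; strip or template those before diffing. The same inventory can be taken periodically from instrumented test clients to notice a new inject target before customers report losses.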

    In addition to detecting the ZBOT files themselves, Trend Micro products now also detect the scripts inserted into Web pages as JS_ZBOT.SM and JS_ZBOT.CNX. A white paper detailing the activities of the ZeuS/ZBOT botnet is also available here.

    Additional information provided by Advanced Threats Researcher Ranieri Romera.

     
    Posted in Botnet, Malware, Security



    Busy day in TrendLabs today: first the full analysis of, and news on, ZeuS and SALITY exploiting the Windows shortcut vulnerability; now we've identified a large number of compromised websites leading to an "online pharmacy."

    We're currently seeing a wave of fake pharma spam that does not directly advertise the URL of the fake pharma site. Instead, the spammed messages advertise URLs that point to HTML pages hosted on compromised sites.

    Obfuscation Layer for Spam

    These HTML pages are uploaded to the Web root of the compromised sites while the HTML redirectors provide an obfuscation layer to hide the final landing page, in this case, the real fake pharma site—the infamous “Canadian Pharmacy” or “Pharmacy Express.”

    These HTML pages are very simple redirectors. From what I’ve seen so far, they either use a meta refresh or a JavaScript redirect.

    We’re seeing a daily average of around 1,000 new compromised sites caught by our spam traps. Some of these sites were repeatedly compromised, as indicated by several HTML redirectors uploaded in their Web roots.


    In most cases, two files are uploaded to the compromised sites—the HTML redirector and a .JPEG file. The .JPEG file bears the same file name as the .HTML file and is used as the display image in the spam, as shown in Figure 4 above.

    The Underlying Compromise

    The compromised sites' Web platforms vary; some don't even use any CMS, only plain .HTML files. There is also no commonality among the Web platforms the compromised sites use, ruling out the possibility that these were compromised via Web application exploits.

    Logic tells us that the easiest way to compromise a lot of these sites is by stealing FTP credentials. After all, stolen FTP accounts are widely traded in underground markets. An enterprising buyer can get as many as 300,000 FTP accounts for only 250 WMZ (WMZ is the WebMoney currency unit, where 1 WMZ = US$1). Tools to do mass file uploads given a list of FTP credentials are also readily available.

    Researchers from another security firm already tracked the spam sample above and confirmed that it is a product of the prominent Rustock spam bot. This suggests that the operators behind this mass Web compromise and the operators of the Rustock spam botnet have very close ties, if not one and the same.

    Recommendations for Web Masters

    Most websites nowadays are managed by fancy CMS software with user-friendly administrative interfaces. This makes managing websites very easy. The downside is that Web masters may not notice small .HTML files that are uploaded to their sites. To address this, Web masters are advised to do the following:

    1. Regularly check the Web root for any dropped .HTML files. The file names of these .HTML files follow some conventions (like ovary40.html, slouch77.html, island57.html, e.html, and b.html). Sometimes, however, the file names are just random (like yfogewef.html, esyqaso.html, and oxbm.html).
    2. Delete such files if found.
    3. Change FTP passwords after cleaning up the site to prevent reinfection. Remember to use a strong password.

    If a malware infection—a keylogger, more specifically—is suspected, users are advised to revert to the last known clean backup, to change FTP passwords, and to install an integrity-checking tool such as OSSEC or Deep Security to help protect the site. Lastly, and most importantly, users are advised to keep their security software up-to-date and running to ensure that they’re protected from the latest threats.
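    The redirectors described above are small .HTML files that do nothing but a meta refresh or a JavaScript redirect, usually with a same-named .JPEG beside them, and the first recommendation is to check the Web root for such files regularly. The scanner below is an added example, not a Trend Micro tool or code from the post: it walks the Web root, reads every small .html/.htm file, classifies it as a meta-refresh or JavaScript redirector, records the redirect target and notes whether a matching .jpg/.jpeg sits next to it. The 4 KB size limit, the depth limit and the sample files (pharma.example is a reserved example hostname) are constructed for the example.

```python
import os
import re
import tempfile

META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=\s*([^"'>\s]+)""", re.I)
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.replace\(\s*["']([^"']+)["']""", re.I)


def classify_redirector(text):
    """Return (kind, target) if the HTML is a bare redirect page, else None."""
    m = META_REFRESH.search(text)
    if m:
        return "meta-refresh", m.group(1)
    m = JS_REDIRECT.search(text)
    if m:
        return "js-redirect", m.group(1) or m.group(2)
    return None


def scan_webroot(root, max_size=4096, max_depth=1):
    """Walk the Web root (max_depth levels below it) and report small HTML files
    that only redirect, noting a .jpg/.jpeg that shares the file's name."""
    findings = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []            # stop descending
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() not in (".html", ".htm"):
                continue
            path = os.path.join(dirpath, fn)
            if os.path.getsize(path) > max_size:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                verdict = classify_redirector(fh.read())
            if verdict is None:
                continue
            paired = any(os.path.exists(os.path.join(dirpath, stem + e))
                         for e in (".jpg", ".jpeg", ".JPG", ".JPEG"))
            findings.append({"file": os.path.relpath(path, root), "kind": verdict[0],
                             "target": verdict[1], "paired_image": paired})
    return sorted(findings, key=lambda f: f["file"])


def demo():
    """Build a constructed Web root (made-up content, not a compromised site
    from the post) and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html><body><h1>Welcome to our site</h1><p>Opening hours</p></body></html>",
        "ovary40.html": '<html><head><meta http-equiv="refresh" content="0;url=http://pharma.example/"></head></html>',
        "yfogewef.html": '<html><script>window.location = "http://pharma.example/?p=2";</script></html>',
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    with open(os.path.join(root, "ovary40.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed jpeg placeholder")
    return scan_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

    Run it from a cron job against the document root and alert on any new finding; a site that legitimately uses redirect stubs can maintain an allow-list of known file names. The size filter is what keeps the check cheap and precise: a real page that happens to contain `window.location` is rarely under a few kilobytes.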

    Additional text by Martin Roesler (Director for Threat Research)

     
    Posted in Hacked Sites, Security, Spam



    As reported last week, exploits targeting the Windows shortcut zero-day vulnerability have risen in number.

    It is also now being used to spread ZBOT variants via malicious attachments to spammed messages (now blocked by Trend Micro products) with the subject "Microsoft Windows Security Advisory" and the following message:


    The message claims to come from Microsoft and suggests that users apply the attached update to protect themselves from a threat that is currently proliferating in the wild. It even gives the password to the protected .ZIP file attachment as well as instructions for installing the supposed security update. Note, however, that Microsoft has not issued a patch to resolve the said vulnerability, only a "fix tool" which disables .LNK and .PIF.

    Upon investigation, we found that the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW.

    When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widely the vulnerability is now being exploited.

    SALITY file infectors are now using this vulnerability as well, as demonstrated by PE_SALITY.LNK-O:

    Let us compare the LNK vulnerability with AUTORUN.INF, the method USB malware previously used to spread:

                  AUTORUN.INF                                          LNK vulnerability
    Drives        Removable drives                                     Any drive (shared drives, removable drives, optical drives, etc.)
    Target file   Must have .EXE, .BAT, .SCR, or .CMD extension        Any file name as long as it is a .DLL file

    This comparison makes clear that malware using the LNK vulnerability can spread more easily than malware that uses the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it.
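    Since the shortcut can sit on any drive and point at any .DLL, a triage pass over mounted volumes and file shares is a practical interim control while the fix tool is rolled out. The scanner below is an added example and not a Trend Micro detection or code from the post: it validates the fixed shell link header (the 0x4C header size and the shell link CLSID come from Microsoft's MS-SHLLINK specification), then applies a deliberately simple heuristic, reporting any .lnk whose embedded UTF-16 strings name a .dll. The sample blobs built by _lnk_blob (a bare header with an arbitrary LinkFlags value of 0x81 followed by one string) are constructed for the example and are not functioning shortcuts.

```python
import os
import re
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
DLL_REF = re.compile(r"\.dll\b", re.I)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")               # 6+ printable UTF-16LE chars


def parse_lnk_header(data):
    """Validate the fixed ShellLinkHeader and return its LinkFlags,
    or None if the bytes are not a shell link at all."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    return {"link_flags": flags, "has_target_idlist": bool(flags & 0x1)}


def embedded_strings(data):
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def lnk_dll_references(data):
    """Heuristic: printable UTF-16 strings after the header that name a .dll."""
    if parse_lnk_header(data) is None:
        return []
    return [s for s in embedded_strings(data[LNK_HEADER_SIZE:]) if DLL_REF.search(s)]


def scan_for_suspect_links(root):
    """Walk a drive or share and report every .lnk that references a .dll."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                refs = lnk_dll_references(fh.read())
            if refs:
                findings.append({"file": os.path.relpath(path, root), "dll_refs": refs})
    return sorted(findings, key=lambda f: f["file"])


def _lnk_blob(embedded):
    """Constructed sample: header + one UTF-16LE string; enough for the heuristic,
    not a working shortcut. 0x81 is an arbitrary LinkFlags value for the sample."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, 0x81)
    header += b"\0" * (LNK_HEADER_SIZE - len(header))
    return header + embedded.encode("utf-16-le")


def demo():
    """Populate a temporary 'drive' with constructed files and scan it."""
    root = tempfile.mkdtemp(prefix="drive-")
    samples = {
        "docs.lnk": _lnk_blob("C:\\Users\\Public\\Documents\\report.docx"),
        "photos.lnk": _lnk_blob("E:\\photos\\thumbs.dll"),
        "notes.txt": b"plain text, not a shortcut",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_for_suspect_links(root)


if __name__ == "__main__":
    print(demo())
```

    A hit is a candidate for quarantine and sample submission, not proof of the exploit: some legitimate shortcuts (Control Panel items, for instance) also reference DLLs, so pair the output with the AV verdict before acting on it.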

    Update as of August 3, 2010, 3:30 a.m. (UTC-7)

    Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.

    Additional text by Julius Dizon and Marvin Cruz, Escalation Engineers

     
    Posted in Security



    Imagine playing a whack-a-mole game where the mole moves to a different hole in the amount of time it takes one to raise and lower a mallet. Instead of just six holes, however, there are millions.

    Few would want to play such a game. People would rightfully conclude that random attempts to hit the mole would improve their chances. With so many holes, the mole will proceed unabated, except in the rare cases that it does get hit. Stopping phishing attempts is similar to playing such a game.

    Normally, an email message is accepted after checks are made against the source's reputation. As in the whack-a-mole game, the amount of time one has to react with the mallet is comparable to the amount of time allotted for reputations to accumulate and then propagate. To help deal with this, Author Domain Signing Practices (ADSP), an extension of DomainKeys Identified Mail (DKIM), allows Author Domains to assert whether or not they use DKIM to sign all of their outbound email messages.

    This is the introduction to a more in-depth article discussing email authentication, Author Domain Signing Practices (ADSP), and a proposed addition—third-party authorization labels—which make email authentication a more complete solution.
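    How a receiver turns an ADSP assertion into a decision, as an added example that is not part of the post: ADSP publishes a TXT record at _adsp._domainkey.<author-domain> whose dkim tag is one of unknown, all or discardable (RFC 5617). If a valid DKIM signature from the author domain is present the message passes; otherwise the practice decides whether to treat it as unsigned-but-acceptable, as a failure, or as mail the domain says should be discarded. The DNS lookup is replaced by a constructed dictionary (bank.example, shop.example and the other names are assumptions for the example), and the verifying of the DKIM signature itself is assumed to have happened already and is passed in as the set of domains that signed validly.

```python
import re

ADSP_PRACTICES = ("unknown", "all", "discardable")


def parse_adsp_record(txt):
    """Parse an ADSP TXT record ('dkim=all', 'dkim=discardable', ...) into a tag
    dict. Unknown tags are kept; an unrecognised dkim value counts as 'unknown'."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip().lower()
    if tags.get("dkim") not in ADSP_PRACTICES:
        tags["dkim"] = "unknown"
    return tags


def author_domain(from_header):
    """Domain of the RFC 5322 From address ('Name <user@domain>' or bare)."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def evaluate_adsp(from_header, valid_signature_domains, adsp_txt_lookup):
    """Outcome for one message: 'pass' (author domain signature verified),
    'none' (no practice asserted or dkim=unknown), 'fail' (domain signs
    everything but this message carries no author domain signature) or
    'discard' (the domain says such mail is bogus and may be dropped).
    A signature from some other domain is not an author domain signature."""
    domain = author_domain(from_header)
    if domain in {d.lower() for d in valid_signature_domains}:
        return "pass"
    record = adsp_txt_lookup("_adsp._domainkey." + domain)
    if record is None:
        return "none"
    practice = parse_adsp_record(record)["dkim"]
    return {"all": "fail", "discardable": "discard"}.get(practice, "none")


# Constructed stand-in for DNS (assumed zones, not real domains).
ADSP_RECORDS = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.shop.example": "dkim=all",
    "_adsp._domainkey.blog.example": "dkim=unknown",
}


def lookup_txt(name):
    return ADSP_RECORDS.get(name)


if __name__ == "__main__":
    cases = [
        ("Alerts <alerts@bank.example>", {"bank.example"}),      # signed by the author domain
        ("Alerts <alerts@bank.example>", {"bulkmail.example"}),  # signed, but not by bank.example
        ("news@shop.example", set()),
        ("info@other.example", set()),
    ]
    for frm, signers in cases:
        print(frm, "->", evaluate_adsp(frm, signers, lookup_txt))
```

    The second case is the one that matters for phishing: a message that carries a valid DKIM signature from an unrelated domain still gets the author domain's discardable verdict, because the signature is not the author domain's. The third-party authorization labels the post goes on to describe are exactly about letting an author domain vouch for such outside signers.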

     
    Posted in Mobile, Security


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice