
    Archive for September, 2010




    As expected, criminals are now taking advantage of the notoriety of Stuxnet as a mechanism to deploy malicious code. Senior Threats Researcher Ivan Macalintal found poisoned search results that leveraged this notorious malware threat. Some of the search strings used in this blackhat SEO campaign include “stuxnet SCADA,” “stuxnet removal tool,” “stuxnet cleanup,” “stuxnet siemens,” and “stuxnet worm,” among others. Some of these poisoned search words/phrases appeared among the top results. One of the malicious URLs to which the search strings point ({BLOCKED}lo-canada.org/2008/stuxnet.html) leads users to sites that exploit the vulnerabilities described in CVE-2010-0886 and CVE-2010-1885. Moreover, in some of the search results seen, users are redirected to sites with PDF and SWF exploits.

    In effect, it leads to various payloads, which include a downloader that installs other malicious code on the system and a FAKEAV variant detected as TROJ_FAKEAV.SMZU. FAKEAV variants are known for banking on popular searches and news events to lead users into buying rogue antivirus software.


    Another example is the malicious URL {BLOCKED}l.com/loja/media/stuxnet.html (another malicious site that the search strings yield), which disguises itself as a fake YouTube page that points users to malware. Trend Micro detects it as TROJ_CODECPAY.AY.

    In the past, cybercriminals have taken advantage of popular security threats like Conficker to proliferate their malicious deeds.

    Users who were infected by Stuxnet and/or are curious about this threat may be lured into clicking these poisoned search results. As a safety precaution, never click on these URLs, and get information about Stuxnet from trusted websites only.

    Here are some previous blog posts that have discussed Stuxnet:

    Trend Micro users are protected from this attack via its Trend Micro™ Smart Protection Network™ that blocks all related malicious URLs and detects the malicious files.

    Update as of October 1, 2010, 12:30 AM, UTC-7

    The PDF and SWF exploits that were seen in these attacks are now detected as TROJ_PIDIEF.XE and SWF_AGENT.WAW, respectively.

    Stuxnet was first seen in relation to the Windows LNK zero-day vulnerability, as discussed in the following link:




    Trend Micro has been alerted that certain ZeuS/ZBOT variants are now able to break into users’ bank accounts in spite of two-factor authentication systems. These are frequently used to enhance bank security. These ZeuS variants can specifically use mobile malware to defeat systems that rely on text messages sent via mobile phones on Symbian OSs.

    The technique behind these attacks is simple. A ZBOT variant modifies the targeted bank sites so that, whether or not the bank actually asks for an authentication code to be sent to the mobile phone, the user is prompted to enter that phone’s number first. The user then receives a text message containing a link to a rogue Symbian application.

    This piece of mobile malware, once installed, intercepts all text messages from specific senders (e.g., banks) and forwards them to a separate number under the control of the attacker. Because the attacker now has the victim’s user name and password as well as any authentication code sent to the mobile phone, he/she can conduct malicious business as if the two-factor authentication never took place.

    While two-factor authentication is definitely a good thing in terms of security, this attack is a reminder that it is not a cure-all that protects against all forms of information theft. This will be important to remember in the succeeding months, as Google has announced that two-factor authentication will be made available to its users. Two-factor authentication will not put a stop to information theft, but it will make it more difficult.

    Trend Micro continuously detects new and emerging ZBOT variants to protect users against this continuing threat. In addition, users of mobile security products are able to detect the installer for this mobile malware as SYMBOS_ZEUSMIT.A while the main malicious application is detected as SYMBOS_ZBOT.A.

    Hat tip to S21Sec for first finding and discussing this threat.




    Blizzard’s World of Warcraft (more popularly known as WoW) is one of the most popular massively multiplayer online role-playing games (MMORPGs) in the world. With more than 11.5 million subscribers as of 2008, WoW is plagued by a thriving underground online gaming economy.

    The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.

    An unsuspecting player will receive an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles), which they can claim by registering at the website included in the chat message.

    The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password.




    One of the “standard” behaviors of the ZeuS/ZBOT Trojans is that they download a configuration file. This configuration file contains details on the bot’s routines, such as what sites to target, what URLs to access to download an updated copy of itself, what URLs to send stolen information to, and what URLs to access to download additional/backup configuration files.

    Recently, however, I’ve been seeing ZeuS variants whose default configuration file references a suspicious list of URLs from which it can download backup configuration files.

    This particular list is from a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BVQ. The list from its configuration file seems longer than those of typical ZeuS variants, and the domain names looked atypical. When I checked, all of these URLs were already inaccessible and most of the domains were unregistered.

    In addition, the list of URLs does not include {BLOCKED}ikal.com, where its drop zone and updated copy are located. It is typical of ZeuS variants’ drop zones, updated copies, and configuration files to be contained in the same domain.

    Checking the code of the malware itself revealed that the malware does actually download its main configuration file from http://{BLOCKED}ikal.com/eu5.bin.

    From what I can see, cybercriminals using ZeuS intentionally did this to prevent security researchers from easily gathering information on their activities. Alternately, these extra URLs can be used as backup update locations, just in case the main location is taken down.

    Furthermore, I found that the more recent ZeuS variants no longer run in a virtual machine environment, meaning that security researchers now need to exert more effort to test ZeuS samples in actual Windows environments. Clearly, efforts by antivirus companies are taking their toll on cybercriminal operations and are forcing criminals to make analysis more difficult.

    All things considered, this is really not unexpected. ZeuS is still a continuing threat and it continuously evolves to become more dangerous and elusive.

    For more information on ZeuS, you may check out our report, Zeus and Its Continuing Drive Toward Stealing Online Data. You may also consult our white paper on ZeuS, ZeuS – A Persistent Criminal Enterprise.

    Update as of September 29, 2010, 6:15 PM UTC-7

    Upon further analysis, the malware does not directly detect virtual machines. It queries the affected machine’s system information via the ZwQuerySystemInformation (SystemProcessorInformation) API. It will then check for a specific value of the system’s ProcessorLevel (defined by the CPU vendor). If the ProcessorLevel matches, it will not continue its execution.
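    To see what an analysis VM actually reports for this field, here is an added Python example (not Trend Micro's code and not taken from the ZeuS sample) that reads SYSTEM_PROCESSOR_INFORMATION through the same NtQuerySystemInformation call and decodes ProcessorLevel. The struct layout is the documented one for information class 1 (SystemProcessorInformation); the fallback buffer used off Windows is constructed, and the gating value the sample compares against is not on the page, so none is assumed.

```python
import ctypes
import struct
import sys

# Layout of SYSTEM_PROCESSOR_INFORMATION (information class 1,
# SystemProcessorInformation): ProcessorArchitecture, ProcessorLevel,
# ProcessorRevision and MaximumProcessors as USHORTs, then
# ProcessorFeatureBits as a ULONG.  Little-endian, no padding.
PROCESSOR_INFO_FMT = "<HHHHL"
SYSTEM_PROCESSOR_INFORMATION = 1
FIELDS = ("ProcessorArchitecture", "ProcessorLevel", "ProcessorRevision",
          "MaximumProcessors", "ProcessorFeatureBits")

# Constructed buffer for offline use: architecture 0 (x86), level 6.
CONSTRUCTED_BUFFER = struct.pack(PROCESSOR_INFO_FMT, 0, 6, 0x0F0A, 4, 0)


def parse_processor_information(buf):
    """Decode a raw SYSTEM_PROCESSOR_INFORMATION buffer into a dict."""
    values = struct.unpack_from(PROCESSOR_INFO_FMT, buf)
    return dict(zip(FIELDS, values))


def query_processor_information():
    """Fetch the live structure via NtQuerySystemInformation on Windows.

    Returns None on other platforms so the parser can still be exercised.
    """
    if not sys.platform.startswith("win"):
        return None
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQuerySystemInformation.restype = ctypes.c_long  # NTSTATUS
    buf = ctypes.create_string_buffer(struct.calcsize(PROCESSOR_INFO_FMT))
    retlen = ctypes.c_ulong(0)
    status = ntdll.NtQuerySystemInformation(
        SYSTEM_PROCESSOR_INFORMATION, buf, ctypes.sizeof(buf), ctypes.byref(retlen))
    if status != 0:
        raise OSError("NtQuerySystemInformation returned NTSTATUS 0x%08x" % (status & 0xFFFFFFFF))
    return parse_processor_information(buf.raw)


if __name__ == "__main__":
    info = query_processor_information() or parse_processor_information(CONSTRUCTED_BUFFER)
    for field in FIELDS:
        print("%-22s %s" % (field, info[field]))
```

    Comparing the printed ProcessorLevel across a physical host and the sandbox is enough to tell whether this gate, rather than a classic VM artifact check, is what keeps a sample from running.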




    A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected users in Asia.

    Avzhan bots install themselves onto the Windows system directory using the file name {six random lower-case letters}.exe.

    After installation, it deletes its original copy then executes the copy it installed. It registers itself as a service to run at every system startup, as shown by the service named Q MUSCIC below.

    This malware tries to connect to the following domains to receive instructions from botnet herders:

    • avzhan1.{BLOCKED}2.org
    • ei0813.{BLOCKED}2.org
    • wanmei8013.{BLOCKED}2.org
    • xhsb.{BLOCKED}2.org

    These domain names are registered on a well-known China-based dynamic DNS service. The IP addresses also lead to ISPs in China.

    As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems.

    In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:

    • Computer name
    • CPU speed
    • Language used
    • Memory size
    • Windows version

    On their own, the behaviors of Avzhan bots do not differ much from those of other older, more established malware families. However, its emergence highlights the continuing evolution of malware, as new threats continually present themselves over time.

    Though this malware is already proactively being detected by Trend Micro as Mal_Scar-1, some new variants are still being encountered though the number of new infections has significantly decreased.

    Hat tip to Arbor Networks for first writing about the discovery of this new bot here.
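    As an added triage example (not code from the post or from Trend Micro), the following Python checks a list of Windows service entries for the two host artifacts described above: a six-random-lower-case-letter executable in the system directory and the Q MUSCIC service name. The service inventory and the allowlist of benign six-letter system binaries are constructed assumptions.

```python
import re

# Constructed service inventory (service name, ImagePath), such as an analyst
# might export from a suspect host; these entries are not data from the post.
CONSTRUCTED_SERVICES = [
    ("Q MUSCIC", r"C:\WINDOWS\system32\kqzvrt.exe"),
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Vendor\abcdef.exe" /svc'),
]

# Strip quoting and arguments to get the bare executable path.
IMAGE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\", "\\windows\\syswow64\\")
# Legitimate six-letter system binaries that would otherwise match the
# naming pattern; an assumed baseline, to be extended per environment.
ALLOWLIST = {"ctfmon.exe"}


def avzhan_indicators(name, image_path):
    """Return the reasons a service entry resembles the Avzhan install pattern."""
    reasons = []
    m = IMAGE_RE.match(image_path)
    path = (m.group(1) if m else image_path).lower()
    directory, _, basename = path.rpartition("\\")
    in_system_dir = (directory + "\\").endswith(SYSTEM_DIRS)
    if (in_system_dir and re.fullmatch(r"[a-z]{6}\.exe", basename)
            and basename not in ALLOWLIST):
        reasons.append("six lower-case-letter .exe in the Windows system directory")
        if not re.search(r"[aeiou]", basename[:6]):
            reasons.append("name has no vowels, typical of random generation")
    if name.strip().upper() == "Q MUSCIC":
        reasons.append("service name matches the Avzhan sample's service")
    return reasons


def triage(services):
    """Map each suspicious service name to the indicators it triggered."""
    hits = {}
    for name, image_path in services:
        reasons = avzhan_indicators(name, image_path)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in triage(CONSTRUCTED_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

    The file-name rule alone is a hint rather than a verdict (benign six-letter binaries exist, hence the allowlist), so treat a single hit as a lead to confirm with the file's hash and its network activity.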




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice