February Malware Roundup

March 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

February started off with some compromised tour sites, one about Thailand and the other about the Pyrenees Mountains in Spain. As Valentine’s Day approached, numerous mailboxes probably received spammed messages containing a link where NUWAR’s latest variant could be downloaded. The rest of the month was filled with spammed messages, uncovered exploits and compromised Web sites and towards the last few days of February we witnessed another wave of the Italian Job. Here is last month’s malware roundup.

Notable Malware

TSPY_LDPINCH.FE
This malware is the one behind the compromise of Udiya Northern Thailand Tours Web site. Early in February, several pages in the Web site have been compromised. When a link on the landing page of the Web site is clicked, the user’s browser is redirected to a series of URLs, eventually leading to a download of this LDPINCH variant. On a similar note, the same technique is also used in the compromise of this Pyrenees Mountain tours Web site, only a different malware family is involved.

JS_IFRAME.HX
This is a malicious Javascript that downloads a variant of ZLOB. The malicious code is present in a PHP page that is returned as a Google search result when a use enters the search string “Japanese schoolgirls.” Hentai has been previously seen as a social engineering technique, particularly around October last year, when a Trojan detected as TROJ_PUSHDO.AD was received via spammed email messages bearing a Hentai image.

WORM_NUWAR.AR
As expected, the infamous Storm worm (Nuwar) made its appearance once again shortly before Valentine’s Day. The malicious link contained in its spammed email messages led to a copy of the worm variant. It seems that this particular Nuwar variant contained routines bypass heuristic detection mechanisms of antivirus software. Upon close inspection of its code, Nuwar contained references to bogus API functions, clearly a ruse to avoid detection.

BKDR_AGENT.AKJZ
On February 18, a lunar eclipse occurred. Unfortunately this astronomical event was taken advantage of by malware authors to lure users into downloading a malware into their systems. A spammed email message spread around during this time, with a link to a video of the eclipse. Of course, clicking on the link brings no video but downloads a copy of BKDR_AGEN.AKJZ instead.

RTKT_PUSHU.AC
This rootkit is a component of the malware families of WORM_NUWAR, TROJ_PUSHDO and TROJ_PANDEX. The catch: RTKT_PUSHU.AC actually disables other rootkits previously installed on the system, but only to infect the system with its own rootkit components or update components previously installed on the system.

Web Incidents

For February there were more than 10 web threat incidents that were reported. 43% of the reported incidents are actually legitimate Web sites that have been compromised to distribute malware. With respect to Web site category, 20% of the reported incidents are related to entertainment.

Exploit

EXPL_PIDIEF.O
Discovered by iDefense Labs researcher Greg McManus, this exploit was initially reported to Adobe in October 2007 but remained unacknowledged. SANS Internet Storm Center reported that the flaw remained unfixed, only to be patched three weeks after the first report of an exploit was found in an Italian forum. Served up through banner ads or spammed through email, the malicious PDF file designed to exploit this vulnerability connects to a certain IP address to download possibly malicious files.

Myspace Exploit
A vulnerability in the image uploader used by MySpace and Facebook was recently discovered by security researchers, bringing about issues of the possibility of exploits and malicious users gaining access to affected systems. Aurigma’s Image Uploader Control Library was found to have a buffer overflow vulnerability that could be exploited by an unknown user to compromise systems. MySpace and Facebook use the application for their image uploading functions.

That’s all for today. What’s in store for March? As of this writing, we’ve just received reports of an email message being spammed around, apparently containing news of Fidel Castro’s death. The link contained in the message supposedly leads to a backdoor … More of this on next month’s malware roundup.

Looking For Pyrenees Travel Info Unwittingly Leads Users to Malware

February 7th, 2008 by Macky Cruz (Technical Communications)

Yet another Web site compromise was discovered by Research Project Manager Ivan Macalintal, this time in Spain.

Spanish tourism and travel site Pyrenees Guide, which provides information on trips to the Pyrenees Mountains, has been discovered to be compromised and serving malicious code.

Examining the source code of the site’s main page, we find the following injected script:

The malicious script serves a URL which leads to yet another URL carrying yet another malicious code, via a hidden iFrame. This leads to one of two malicious URLs — one which attempts to exploit a vulnerability in RealPlayer. Upon initial analysis, the redirection(s) seem(s) to eventually lead to the download of a Trojan, which in turn, downloads a configuration file containing a list of several files that include dozens of MMORPG (Massively Multiplayer Online Role-Playing Game) password stealers (already detected as TSPY_ONLINEG.WN, TSPY_ONLINEG.DTQ, and TSPY_ONLINEG.CZX) and generic packers.

Trend Micro Web Threat Protection protects users from this attack by proactively blocking the related URLs and detecting the files that the attack attempts to download onto the system.

Additional Note: Advanced Threats Researcher Paul Ferguson (a.k.a. “Fergie”) has alerted the domain technical contact (email bounced), the IP owner contact, and the CCN-CERT (Spanish Governmental National Cryptology Center - Computer Security Incident Response Team).