Nov13
by Joey Costoya (Advanced Threats Researcher)

A new round of PDF exploits is being pushed by websites pretending to be the US Federal Reserve. Several spammed email messages advertising these fake Federal Reserve pages were intercepted starting last week.


Figure 1. Sample email message.

This spam run is still continuing as of this writing, and it is now advertising more bogus sites, all of them hosted on look-alike domains.

These domains resolve to a single IP address with a relatively short TTL (time to live) of 3600 seconds. What is peculiar about them is that when a user on OpenDNS browses to one of the prepared sites, OpenDNS reports that the site is not loading, whereas the same DNS requests sent through other ISPs' nameservers resolved and loaded the bogus Fed pages.


Figure 1. Bogus US Federal Reserve website.

The fraudulent site redirects to a porn search page a few seconds after loading, and in the meantime a PDF exploit is downloaded onto the system. The script hosting the exploit has some anti-detection routines that attempt to prevent its contents, particularly the PDF JavaScript, from being seen by nosy researchers.
Though with a little fiddling with Adobe Acrobat Pro, I was able to disable its “protection” and I readily saw the PDF JavaScript.

The PDF JavaScript drives a chain of downloaders, each of which fetches the next stage from a different Internet location. The final component at the end of the downloader chain is a Trojan that infects and then automatically restarts the victim PC.
After the restart, the infected machine regularly launches malformed HTTPS transactions (at an interval of 6.5 seconds) to a certain server. The transactions can be considered malformed because the SSL handshake used by normal SSL websites is missing from this HTTPS traffic. Even so, the traffic is still encrypted in some fashion. This type of HTTPS bot was spotted a few months earlier.

The regularity of the HTTPS traffic suggests that this is a botnet with a Web-based C&C. This is certainly an improvement over the Web-based bots of old, whose traffic was seen in plaintext. The botherders have made it a point to hide the network actions of their bots from IDSes (intrusion detection systems) by encrypting their network traffic. It makes one wonder what else the bad guys have in store for us.
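The two traits described above, a fixed 6.5-second beacon interval and port-443 connections that never begin with an SSL/TLS handshake record, are exactly what a defender can key on. The following is an added example, not code from the original post: it runs over constructed flow summaries (the tuple layout and the IP addresses are assumptions, not a real sensor format) and flags client/server pairs that beacon regularly to 443 without ever sending a TLS/SSL3 record header.

```python
"""Flag hosts that beacon to TCP/443 at a fixed interval without a TLS handshake.

Added example for illustration only. Records are constructed (timestamp, client,
server, dst_port, first payload bytes); the field layout is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons every 6.5 s with non-TLS payloads,
# 10.0.0.7 makes ordinary TLS connections (record type 0x16, major version 0x03).
FLOWS = [
    (1000.0, "10.0.0.5", "203.0.113.9", 443, bytes.fromhex("474554202f")),   # "GET /"
    (1006.5, "10.0.0.5", "203.0.113.9", 443, bytes.fromhex("4f4e1a2b3c")),
    (1013.0, "10.0.0.5", "203.0.113.9", 443, bytes.fromhex("9a8b7c6d5e")),
    (1019.5, "10.0.0.5", "203.0.113.9", 443, bytes.fromhex("1122334455")),
    (1026.0, "10.0.0.5", "203.0.113.9", 443, bytes.fromhex("deadbeef00")),
    (1001.0, "10.0.0.7", "198.51.100.2", 443, bytes.fromhex("1603010200")),  # ClientHello
    (1200.0, "10.0.0.7", "198.51.100.2", 443, bytes.fromhex("1603010200")),
]


def looks_like_tls(first_bytes):
    """A TLS or SSL3 record starts with content type 0x16 (handshake) and major
    version byte 0x03. (The older SSLv2 ClientHello format is not handled here.)"""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def find_beacons(flows, port=443, min_flows=4, max_jitter=0.5):
    """Return {(client, server): mean_interval_seconds} for pairs that connect to
    `port` at least `min_flows` times, never begin with a TLS record, and whose
    inter-connection gaps vary by no more than `max_jitter` seconds."""
    by_pair = defaultdict(list)
    for ts, client, server, dst_port, first in flows:
        if dst_port == port:
            by_pair[(client, server)].append((ts, first))
    beacons = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_flows or any(looks_like_tls(f) for _, f in conns):
            continue
        times = sorted(t for t, _ in conns)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[pair] = round(mean(gaps), 2)
    return beacons


if __name__ == "__main__":
    for (client, server), interval in find_beacons(FLOWS).items():
        print(f"{client} -> {server}:443 beacons every {interval}s without a TLS handshake")
```

On real data the payload check should be applied to the first client-to-server bytes of each connection, and the jitter threshold widened for sensors with coarse timestamps.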

Trend Micro Smart Protection Network already blocks the spammed message as well as the malicious URLs involved in this and previous PDF exploit threats.

Updates as of November 17, 2008 1AM PST: Trend Micro detects the PDF exploit as TROJ_PIDIEF.DN. It connects to a remote website to download another malicious file detected as TROJ_INJECT.NI.



Nov12
by Reuben Mercado (Technical Communications)

A flaw has been found in Wi-Fi Protected Access (WPA), currently the most widespread mode of Wi-Fi encryption, and some analysts are painting a gloomy picture. PC World reports that security researchers Erik Tews and Martin Beck have found a hole in the WPA encryption protocol that malicious users could exploit to steal data sent from routers to Wi-Fi-enabled computers. This same flaw may be used to send unsolicited data online, which may in turn lead to the downloading of malware, phishing scams, and all sorts of nasty Web-based threats.

However, Trend Micro Advanced Threats Researcher Paul Ferguson believes that WPA is not yet lost. “I think the security of WPA itself is still somewhat secure - this exploit is highly reliant on very susceptible situations,” he says. The exploit itself does not allow malicious users to steal information sent by computers to routers.

WPA was developed after several flaws in its predecessor, Wired Equivalent Privacy (WEP), were identified. WPA accommodates two different ways to protect data: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). The flaw discovered by Tews and Beck only works on TKIP, which was partially based on WEP.

Other modes of Wi-Fi encryption are believed to be more secure than TKIP, which was the first solution created to improve on the highly insecure WEP. WPA2, for example, usually allows both the TKIP and AES encryption methods. So in essence, using WPA2 authentication with AES encryption still secures users’ Wi-Fi transactions.

Further, Ars Technica has quoted Tews saying, “If you used security features just for preventing other people from using your bandwidth, you are perfectly safe.” A long network key, a short rekeying time, and a busy network can also handily defeat this exploit.

Users shouldn’t be too scared of having their air-borne Wi-Fi data messed with. At least not yet. There’s no harm in switching to WPA2, though.

Posted in News


Nov11
by Jake Soriano (Technical Communications)

Several active exploits targeting a vulnerability in Adobe Reader are now in the wild.

Patch now.

Last week, Adobe released an update for Adobe Acrobat 8 and Adobe Reader 8, and a day later working exploit code for the util.printf() vulnerability was released. As expected, malware authors were quick to use the exploit for their own gain.

Trend Micro Research Manager Ivan Macalintal was alerted to the discovery of malicious .PDFs that exploit the Adobe Reader vulnerability, which Trend Micro now detects as TROJ_PIDIEF.CB. Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads.

Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs under the VUNDO, VIRTUMON, and in some cases, also VIRUT families into infected PCs.

Trend Micro strongly advises users to patch their Adobe Reader to ensure they are safe from the threats that come with this vulnerability by downloading the updates found in the Adobe Security Bulletin:

The Trend Micro Smart Protection Network detects TROJ_PIDIEF.CB at the desktop level and provides solutions for its cleanup and removal. It also blocks the related malicious URLs.



Nov10
by Bernadette Irinco (Technical Communications)

U.S. presidential candidate John McCain plans to impeach president-elect Barack Obama, at least according to the latest post-election spam spotted today. Here’s a screenshot of the sample email message:

Figure 1. Politically-tinged spam email just keeps coming

Our researchers have seen the following subject lines containing the same text as the above:

  • Barack Obama in Danger – McCain will fight for the president post
  • McCain Lawmakers Impeach Obama
  • The impeachment of new president Obama
  • Barack Obama can lost President’s Chair.
  • POLITICAL STRIKE TIES
  • McCain Lawyers Want to Stop Obama

This is meant to rouse the curiosity of users into clicking the link, which connects to several malicious Web sites. When users access the sites, a bogus US government official website is displayed. It presents a fake video (actually an image) and tricks the user into downloading a fake Adobe Player installer from a URL ending in AdobePlayer9.exe. Trend Micro detects this file as TROJ_PACKED.JFP. It drops and executes TROJ_ROOTKIT.FX. Smart Protection Network also blocks users from accessing the malicious links in the spam, the fake video, and the URL from which the executable is downloaded.

Election-related spam in the last week:

Posted in Malware, Spam


Nov9
by Reuben Mercado (Technical Communications)

Spammed email messages supposedly from The United States Federal Reserve Bank warn their recipients of a “large-scale phishing attack” affecting several banks and credit unions. A spammed message may look like this:


Figure 1. Sample spammed message.

The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having told recipients that, the email message then informs them of restrictions imposed on federal wire transfers as part of security measures being taken by concerned government agencies.

The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation.

Trend Micro engineers are currently investigating this threat. We will post updates as soon as more information becomes available. Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:

Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information.

Updates as of November 11, 2008 6PM PST: Users who unfortunately click on the links in the spam infect their PCs with TROJ_INJECT.DG. This Trojan restarts the system and drops TROJ_INJECT.KQ. TROJ_INJECT.KQ opens a hidden Internet Explorer window and connects to a certain website to send and receive information.

Updates as of November 13, 2008 2AM PST: TROJ_INJECT.KQ opens a hidden Internet Explorer window to connect to a certain website. It sends to and receives information from this site, compromising system security.

Posted in Malicious Sites, Phishing


© Copyright 2008 Trend Micro Inc. All rights reserved.