Previously, we discussed the “Here You Have” mail attack and the associated malware, WORM_MEYLME.B. Today, let’s look into the backdoor payload, BKDR_BIFROSE.SMU.

The “Here You Have” Payload: A Powerful Backdoor

Not all backdoor applications are created equal. As such, it can be said that the cybercriminals behind WORM_MEYLE.B deliberately opted to use a BIFROSE backdoor program for several reasons. In our simulated environment, we saw that an attacker can use a BIFROSE variant to transfer files to and from an infected system, delete files, terminate processes, and steal sensitive information off an infected system such as the computer’s name; lists of active users, processes, and windows; and serial keys, among others. It can also access and modify registry information, log and retrieve keystrokes, create a remote shell, issue commands that the infected user’s shell can offer, and routinely capture and retrieve images of an affected user’s screen.

WORM_MEYLME authors used the downloaded backdoor to do most of the dirty work. Upon execution, the backdoor will connect to its command-and-control (C&C) server at {BLOCKED}inziad.no-up.biz. Upon successfully connecting to this server, attackers can now retrieve the passwords they stole earlier. That’s only for starters, however. By maximizing all of the features offered by the BIFROSE backdoor, an attacker can cause serious damage.

Read the rest of this entry »

In early September, the “Here You Have” wave of spammed messages hit users’ inboxes, which was discussed in the following Malware Blog posts:

• Old Malware Out of Its Shell
• From Alicia to Africa to Anywhere Else: Possible Origin of the “Here You Have” Spam Campaign

At that time, the attention focused on the spam. However, it is also wise to understand the capabilities of WORM_MEYLME.B, the main malware component used in this spam campaign.

The WORM_MEYLME.B binary contains login information to certain Gmail accounts that have since been terminated, which helped us connect the dots that made up the entire spam campaign.

Read the rest of this entry »

Jailbreaking has been in the news lately largely because of the very public online iPhone jailbreaking tool that uses vulnerabilities in the iOS platform.

Initial security concerns were raised due to the discovery of a loophole that was used by the jailbreaking tool. Whether people should jailbreak their devices or not, however,  is in itself a good question.

What Is Jailbreaking?

First, a definition. Jailbreaking is the act of modifying a device to allow it to run unsigned and thus unauthorized code that does not normally do so. For Apple’s iOS devices, this means that users can download and run applications from sources other than the official App Store. They can also modify or add features to their jailbroken devices.

In theory, Apple reviews applications before they are posted on the App Store. No means of app review and signing appears to be done on apps in Cydia, a common alternative app store for jailbroken iOS device users. This means that applications are free to exhibit malicious behaviors, as is the case with Windows-based systems.

Was it really a good or necessary move for jailbreakers to use such a serious vulnerability to get what they want? Previous jailbreaks have not had the serious security implications this last one had. Since jailbreaking has now been legalized, more users may consider this option. However, the more security-conscious may wonder if increased consumer choice is all that the jailbreakers are interested in or if they are also interested in spreading malware.

Jailbreaking for Competition?

For consumers, competition in the form of alternative app stores is a good thing. Let’s look at the current situation: Apple controls all aspects of iOS devices; it makes and sells the hardware and software and completely controls the means to distribute them. The reaction if Apple’s competitors had the same level of control will be different.

As a consumer, freer choice is a good idea. However, the way choices are made available has to be both ethical and legal. The reality, however, is that Apple created the platform and locked it down fairly thoroughly. It chose to do so. Whether it is willing to let third parties create their own app stores for its device users or not is an entirely different matter.

Of course, the value of Apple’s app review is not clear as well. A more complete security review of the iOS platform should have been able to see the vulnerability that was exploited earlier. Even some applications have had hidden functionality like tethering, which was discovered after passing Apple’s app review process. So it may also be good to ask if Apple can really say that it reviews all applications for both malicious content and vulnerabilities.

In the end, there is no single answer to the question this blog entry poses. Users have to go into it with eyes wide open because jailbreaking brings both advantages and risks. What’s right for one person may not be right for someone else but the security implications of jailbreaking must be clear to anyone who chooses to jailbreak his/her device.

Does this warning message look familiar?

This new rogue antivirus is detected by Trend Micro as TROJ_FAKEAV.BUH. Ever since FAKEAV malware began making itself look as realistic as possible, its attempts have become increasingly more convincing and sophisticated as shown below.

Along the way, it has added some new quirks like prompting an infection message every time a specific process is run (which then prevents that process from executing) as shown below.

However, some countermeasures can still help users in this situation. Some processes such as Internet Explorer (IE) and Windows Explorer will still run. Users can also try renaming other programs to enable these to run normally.

In the past, unfortunate users have faced legal problems because of adult images on their machines due to malware. FAKEAV has adopted this behavior as well, as TROJ_FAKEAV.BUH displays the following adult website.

With all these malicious routines as well as being present in the infection chain of other malware, it is easy to see why fake antivirus malware is such a significant threat.

Trend Micro product users, however, need not worry as Smart Protection Network™ prevents the download and execution of TROJ_FAKEAV.BUH on their systems.

We have discovered a new Adobe Reader/Acrobat exploit (detected since 24 June 2008 as TROJ_PIDIEF.AC) hosted on the following URL:

http://{BLOCKED}e-actions.com/secure.cgi?…

The vulnerability targeted by this Trojan causes Adobe Acrobat to execute arbitrary malicious code that downloads and executes a file found in:

http://{BLOCKED}e-actions.com/secure.cgi?…

The downloaded file is saved inside a temporary folder as Eyal.exe. Trend Micro detects this file as TROJ_DLOAD.BO. This Trojan modifies the current wallpaper of the infected user to:

Figure 4. Wallpaper modified by TROJ_DLOAD.BO.

Furthermore, TROJ_DLOAD.BO downloads screensavers that disable the Screensaver tab in the Display Properties of the compromised PC:

Figure 5. TROJ_DLOAD.BO disables the Screensaver tab normally found among the tabs under Display Properties.

TROJ_DLOAD.BO then displays random screensavers, some of which are shown below:

Figure 6. Sample screensaver 1

Figure 7. Sample screensaver 2

Figure 8. Sample screensaver 3

Figure 9. Sample screensaver 4

According to the Adobe Security Bulletin on this issue, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2. From our analysis the exploit does work on lower versions but only causes 8.1.2 to crash.

We believe that this was not the first time this specific vulnerability was exploited. So far, we have two other reports of malicious PDFs that behave in somewhat the same manner as the exploit discussed here. They are TROJ_PIDIEF.NN (detected since 07 June 2008) and TROJ_PIDIEF.AE (detected since 24 June 2008).

As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads. It thus becomes all the more important to employ a protection suite that cuts off infection at various points of the attack.

In this case, Trend Micro Smart Protection Network already blocks the malicious URLs and detects the file taking advantage of the critical vulnerability. Users are highly encouraged to update their scan engines and to immediately update their software once patches are available from the vendor.