    Author Archive - Loucif Kharouni (Senior Threat Researcher)




    TrendLabs engineers recently discovered that cybercriminals now use shortened URLs to spam malware via instant-messaging (IM) applications like Yahoo! Instant Messenger and MSN. As we all know, URL-shortening services compress long, unreadable URLs into short, bite-sized ones. Short URLs are more portable and are now preferred over the (normally long) actual URLs when one wishes to share news within networks using websites, blogs, Tweets, and other social media tools.

    The bad guys seem to have changed their strategy. We have gotten used to seeing malicious URLs like http://{BLOCKED}img.com/IMG-004592.com?=, http://www.{BLOCKED}ok.com/view.php?=PHOTO1598526.JPG?, and http://www.{BLOCKED}-photos.com/view.php?=PHOTO23032010.JPG? in instant messages. Now, we see a slew of instant messages containing shortened URLs like http://{BLOCKED}.com/pict04042010jpg and http://{BLOCKED}.com/va98d.

    Shortened URLs serve two purposes for the attackers. First, they make it harder for antivirus companies to block malicious URLs, because the shortened link must first be expanded to reach the landing link, which takes longer. Second, URL-shortening services let cybercriminals disguise suspicious links so that users are more easily tricked into clicking them.
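The blocking problem described above, that the shortener hides the landing link, is normally handled by expanding the short URL before it is checked against a URL blocklist. The following Python script is an added example and not Trend Micro code. It follows the redirect chain with HEAD requests only (no response body is ever fetched), records every hop, and inspects the landing URL and any advertised filename for executable extensions; a chain that never stops redirecting is reported as suspicious on its own. The shortener it talks to is a constructed in-process HTTP server that mimics the two-hop chain seen in the sample messages; all hostnames, paths and the landing filename are made up for the demonstration.

```python
"""Expand a shortened URL to its landing page and inspect what it advertises.

Added example, not Trend Micro code.  The redirect chain is served by a
constructed local HTTP server so the script runs offline; every hostname,
path and filename below is made up for the demonstration.
"""
import http.client
import posixpath
import re
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd"}
MAX_HOPS = 5

# Constructed shortener table: short path -> next hop.  A path ending in
# .html is a benign landing page; any other unlisted path is the malicious
# landing page, which advertises an .scr download (filename constructed).
ROUTES = {
    "/va98d": "/pict04042010jpg",
    "/pict04042010jpg": "/view.php?=PHOTO23032010.JPG",
    "/news1": "/article.html",
    "/loop": "/loop",                       # never-ending redirect
}
LANDING_FILENAME = "sample-082010-jpg-www-facebook-com.scr"


class _Shortener(BaseHTTPRequestHandler):
    def do_HEAD(self):
        target = ROUTES.get(self.path)
        if target:
            self.send_response(302)
            self.send_header("Location", target)
        elif self.path.endswith(".html"):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
        else:
            self.send_response(200)
            self.send_header("Content-Type", "application/x-msdownload")
            self.send_header("Content-Disposition",
                             'attachment; filename="%s"' % LANDING_FILENAME)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output clean
        pass


class _Server(HTTPServer):
    def server_bind(self):
        # Skip HTTPServer's reverse DNS lookup; the demo network may have none.
        socketserver.TCPServer.server_bind(self)
        self.server_name = "127.0.0.1"
        self.server_port = self.socket.getsockname()[1]


def start_server():
    """Start the constructed shortener on a free loopback port."""
    srv = _Server(("127.0.0.1", 0), _Shortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def head(url):
    """One HEAD request -> (status, Location, Content-Disposition).
    http.client never follows redirects and a HEAD carries no body, so the
    payload behind the link is never downloaded."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme in " + url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=5)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.getheader("Content-Disposition")
    finally:
        conn.close()


def _filename_from(disposition):
    m = re.search(r'filename="?([^";]+)"?', disposition or "")
    return m.group(1) if m else None


def assess(url, max_hops=MAX_HOPS):
    """Follow the redirect chain and report the landing URL and whether it
    advertises an executable.  Exceeding max_hops is reported as suspicious."""
    chain = [url]
    disposition = None
    for _ in range(max_hops + 1):
        status, location, disposition = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))
    else:
        return {"chain": chain, "landing": chain[-1], "filename": None,
                "suspicious": True, "reason": "more than %d redirects" % max_hops}
    landing = chain[-1]
    filename = _filename_from(disposition) or posixpath.basename(urlsplit(landing).path)
    ext = posixpath.splitext(filename)[1].lower()
    suspicious = ext in EXECUTABLE_EXT
    reason = ("landing page serves %s" % filename) if suspicious else "no executable advertised"
    return {"chain": chain, "landing": landing, "filename": filename,
            "suspicious": suspicious, "reason": reason}


if __name__ == "__main__":
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_port
    for short in ("/va98d", "/news1", "/loop"):
        print(assess(base + short))
    srv.shutdown()
```

The landing URL returned in `chain[-1]` is what belongs in the blocklist lookup; checking only the shortener's hostname would block nothing useful, since the same shortener also serves legitimate links.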

    Malware that spreads via IM applications tailors its messages to the OS the target computer uses. Cybercriminals have also been known to use shortened URLs for spamming purposes, as shown in the following screenshots.

    [Screenshots: sample instant messages containing shortened URLs]

    Clicking the shortened URLs in the sample instant messages leads to the download of {BLOCKED}082010-jpg-www-facebook-com.scr, detected as WORM_BUZUS.AG, which propagates via physical/removable/floppy drives and peer-to-peer (P2P) networks by spoofing the names of some popular applications, games, and movies. It is also capable of launching a denial-of-service (DoS) attack using SYN floods.

    Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.

    Update as of April 12, 2010, 3:00 p.m. (GMT +8:00):

    The links were also found to download a new KOOBFACE variant detected as WORM_KOOBFACE.ZD.

     



    Today, Trend Micro threat researchers ran across a new ZBOT variant mainly targeting the banking systems of four European countries: Italy, England, Germany, and France.

    Trend Micro detects this variant as TSPY_ZBOT.AZX. It targets major European consumer banks and financial institutions with high-profile clientele. The targeted companies include the major UniCredit Group subsidiary Bank of Rome; U.K.-based Abbey National (more commonly known as Abbey); Hong Kong’s HSBC; Germany’s leading IT service provider in the cooperative financial system, the FIDUCIA Group; and one of France’s largest retail banks, Crédit Mutuel.

    “At this point, we do have the data that show that these banks are indeed being currently targeted. We are including some names of the banks here to make people aware,” says advanced threats researcher Ivan Macalintal.

    ZBOT is a crimeware phenomenon created using a toolkit. The ZeuS toolkit enables cybercriminals to create and customize their own remote-controlled malware. The infected machine then becomes part of the criminal ZeuS botnet. ZBOT variants are information stealers that specialize in robbing victims of their online banking information and sending it back to their command-and-control (C&C) server.

    At its most basic level, ZeuS has always been associated with criminal activity; it signals a new wave of online criminal business enterprises in which different organizations cooperate with one another to perpetrate outright online theft and fraud. Read more about this malware in our white paper, “Zeus: A Persistent Criminal Enterprise.”


    The domains used by TSPY_ZBOT.AZX are both hosted on the same server, which is located in Serbia under a registered name. The IP address used and its registered name are both well-known for being part of FAKEAV-hosting domains and previous Canadian pharmacy spam campaigns.

    Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

     



    The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in connection with spoofed messages supposedly from Facebook.

    SASFIS infections usually result in numerous other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.


    In the course of conducting research on SASFIS-related activities in the past few months, I have come across the following infection numbers:

    Month/Year            Infected Systems
    September 2009         49
    October 2009          191
    November 2009         185
    December 2009         105
    January 20, 2010       99

    SASFIS variants are usually downloaded as a file named load.exe while visiting sites that have been compromised using the Eleonore Exploits Pack. Upon execution, they create temporary files and modify registry entries. They then attempt to send a GET request to a remote site to download another file, usually named max.exe, which in turn downloads another file named max_b.exe, a FAKEAV variant.

    SASFIS may be a simple Trojan downloader that fetches one or more files from a single domain via GET requests, but, as with other malware, the resulting download of several other binaries onto a system is no longer a simple matter.
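The download chain just described (load.exe from the compromised site, then max.exe and max_b.exe fetched with GET requests from a remote host) is the kind of pattern a web proxy log can expose. The following Python detector is an added example, not Trend Micro code. It runs over a few constructed proxy log lines in a simplified "timestamp client method url status content-type" format and raises an alert when one client fetches two or more executables from the same remote host inside a ten-minute window, plus a separate alert when the chain's named files appear in sequence from any hosts. The log format, hostnames, client addresses and window length are assumptions made for the demonstration.

```python
"""Flag the SASFIS-style executable download chain in proxy logs.

Added example, not Trend Micro code.  The log lines, hosts and client
addresses are constructed; the log format is a simplified one assumed for
the demonstration (timestamp client method url status content-type).
"""
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

EXEC_EXT = {".exe", ".scr", ".dll"}
EXEC_TYPES = {"application/x-msdownload"}
WINDOW = timedelta(minutes=10)      # assumed correlation window
MIN_DOWNLOADS = 2                   # executables from one host before alerting
KNOWN_CHAIN = ("load.exe", "max.exe", "max_b.exe")   # filenames from the post

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$")

# Constructed proxy log: one infected client (10.1.1.7), one client fetching
# legitimate updates hours apart (10.1.1.9), one failed fetch (10.1.1.12)
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2010-01-20T10:02:11 10.1.1.7 GET http://compromised-blog.test/index.php 200 text/html",
    "2010-01-20T10:02:13 10.1.1.7 GET http://compromised-blog.test/load.exe 200 application/x-msdownload",
    "2010-01-20T10:02:40 10.1.1.7 GET http://dl-host.test/max.exe 200 application/x-msdownload",
    "2010-01-20T10:03:05 10.1.1.7 GET http://dl-host.test/max_b.exe 200 application/x-msdownload",
    "2010-01-20T10:05:00 10.1.1.9 GET http://vendor-updates.test/setup.exe 200 application/x-msdownload",
    "2010-01-20T10:06:00 10.1.1.12 GET http://dl-host.test/max.exe 404 text/html",
    "2010-01-20T14:30:00 10.1.1.9 GET http://vendor-updates.test/patch.exe 200 application/x-msdownload",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname
    rec["filename"] = posixpath.basename(parts.path)
    return rec


def is_exe_download(rec):
    """A successful GET whose name or content type marks it as an executable."""
    ext = posixpath.splitext(rec["filename"])[1].lower()
    return (rec["method"] == "GET" and rec["status"] == 200
            and (ext in EXEC_EXT or rec["ctype"] in EXEC_TYPES))


def _first_burst(recs, window, n):
    """First run of at least n time-sorted records inside one window, else None."""
    for i, start in enumerate(recs):
        run = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
        if len(run) >= n:
            return run
    return None


def detect(lines, window=WINDOW, min_downloads=MIN_DOWNLOADS):
    """Return alerts for repeated executable downloads per client.

    rule "burst":       >= min_downloads executables from one remote host
                        by one client within the window.
    rule "known_chain": >= 2 of the chain's named files fetched by one client
                        within the window, from any hosts.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_exe_download(rec):
            per_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        per_host = defaultdict(list)
        for r in recs:
            per_host[r["host"]].append(r)
        for host, hrecs in per_host.items():
            burst = _first_burst(hrecs, window, min_downloads)
            if burst:
                alerts.append({"rule": "burst", "client": client, "host": host,
                               "files": [r["filename"] for r in burst]})
        named = [r for r in recs if r["filename"].lower() in KNOWN_CHAIN]
        burst = _first_burst(named, window, 2)
        if burst:
            alerts.append({"rule": "known_chain", "client": client, "host": None,
                           "files": [r["filename"] for r in burst]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The window is the tuning knob: widening it to several hours makes the legitimate update client trip the "burst" rule as well, which is why the named-file rule is kept separate and given priority when triaging.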

    SASFIS uses two primary business models. The first is the pay-per-install (PPI) model, discussed in more detail in “SDBOT IRC Botnet Continues to Make Waves.” In this model, the cybercriminals behind other malware families (e.g., ZBOT, KOOBFACE, etc.) pay those behind SASFIS to install their own creations onto SASFIS-affected systems.

    The cybercriminals behind SASFIS also use the pay-per-access (PPA) business model, in which they hardcode a list of adult websites into some of the components their malicious creations download in order to redirect users to those sites, though their reason for doing so remains vague. They probably do this either to annoy users or to distract them and so conceal the infection.

    Though SASFIS has not been as notorious as other malware families, it still remains a threat. Users are advised to be wary of the sites they visit to avoid infection.

    Trend Micro™ Smart Protection Network™ protects users from all kinds of SASFIS-related threats.

     



    Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files (see Figure 1).

    The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components—one steals banking-related information while the other steals email account information (see Figure 2).

    [Figure 1 and Figure 2: screenshots of the two BANKER campaigns referenced above]

    Both campaigns may, however, be related, as the information they steal from users ends up in drop zones hosted on the same Web server:

    • {BLOCKED}unicaobr.com/phps/procopspro.php
    • {BLOCKED}unicaobr.com/working/lisinho.php

    Looking up webcomunicaobr.com revealed the following details:

    IP: 69.162.102.130 (hosted in the USA)
    ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. (primary ASN)
    Name servers: ns1.brasilrevenda.com, ns2.brasilrevenda.com

    Digging a little deeper, three interesting pages cropped up: one revealing the number of systems each contracted spammer has infected so far (see Figure 3), a list of PHP servers to which stolen information is sent (see Figure 4), and a list of files containing encrypted information downloaded by infected hosts (see Figure 5).

    [Figures 3, 4 and 5: per-spammer infection counts, the PHP drop servers, and the list of encrypted files downloaded by infected hosts]

    More spam campaigns from the said Web server may be seen in the days to come, but Trend Micro product users need not worry, as they are protected by the Smart Protection Network™, which blocks the spammed messages and user access to the malicious sites and domains, and prevents the download of the malicious files detected by Trend Micro as TSPY_BANKER.OCN and TSPY_BANKER.MTX.

     



    SDBOT malware have been around since 2004. Most of the bots that communicate over the Internet Relay Chat (IRC) protocol, such as AGOBOT, IRCBOT, RBOT, and others, have been around since as early as 2001, yet these kinds of malware rarely attract attention because they operate silently. These bot malware are neither heavy email spammers nor resource hogs. They hardly ever disrupt normal computer activities—say, Internet browsing—so their victims never notice that their computers have been infected.

    “SDBOT IRC Botnet Continues to Make Waves,” the white paper being introduced here, focuses on SDBOT variants and their final payload—the installation of pay-per-install programs. It provides an overview of the SDBOT malware—how it works, how it is installed, and how it spreads using various social engineering techniques. By its nature, SDBOT is primarily geared toward downloading other malware files such as FAKEAV, Cutwail, Buzus, etc., each of which has its own distinct payload and strong connections with other malware families.


    The paper goes behind the scenes to provide an overview of how the botnet operates underground, how it is structured, how it uses the pay-per-install business model to further its malicious cause, and insights into the mindset and motivation behind the botnet. As stated, this botnet also appears to be in the business of renting out its reach and download capability to cybercriminals. Use of the pay-per-install business model is increasing because it is easy to use: a botnet owner gets paid to install malware on infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to push the FAKEAV files to those systems.

    The entire white paper, “SDBOT IRC Botnet Continues to Make Waves,” is now available on TrendWatch.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice