The Blackhole Exploit Kit is one of the most notorious exploit kits currently in circulation among the cybercriminal underground today. Thus, we continuously monitor for incidents and attacks involving the exploit kit itself.

Last week we reported about the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis of the campaign yielded its connection to other currently-ongoing campaigns that used other recent news events, such as the controversy surrounding the upcoming movie Ender’s Game.

Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.

The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period — a relatively large percentage compared to other runs. We’ve also identified a list of countries that we detect where the bulk of the spam is coming from, and found that a large portion of them were from the US.

Another notable aspect of this run is its payload, which includes the information stealer TSPY_FAREIT. TSPY_FAREIT variants are often used as payload in campaigns that leverage BHEK.

The exact variant in this particular run, detected as TSPY_FAREIT.AFM, not only steals FTP client account information on the system it affects, but also steals stored email credentials, stored login information from browsers and ALSO brute-forces Windows login with a list of predetermined passwords. It basically plunders the affected computer of personal information that can be used to compromise the user’s financial accounts, personal information and even the security of the system they’re using.

These recent developments regarding this particular exploit kit can certainly be disconcerting, but nothing particularly new in regards to BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in getting victims, which means that more users need to be protected about this threat. And user protection is not all that hard – as we’ve reminded everyone in the past, guarding against this kind of threat is a simple matter of a)being vigilant against socially-engineered attacks and b) having a security solution that blocks out the threats themselves.

Infection can be avoided by extra vigilance by users on not clicking on the links that present themselves through suspicious mails such as these. Other precautions include: always installing the latest Java security update (Find out more on how you can use Java safely here), and using a web reputation security product.

Trend Micro users are protected from all the malicious elements involved in this overarching spam campaign. For more information regarding the Blackhole Exploit Kit, refer to our paper on the subject here.

With additional inputs from Matt Yang and Rhena Inocencio.

The Andromeda botnet is still active in the wild and not yet dead. In fact, it’s about to undergo a major update real soon. This botnet was first reported back in 2011 but has recently risen to prominence due to the latest modifications in the threat.

Initially, this project to update Andromeda was about to die but the botnet’s author found a successor (even though he did not officially retire). Here is the author’s previous post, which basically says that if no buyer is found to take over the software, the service will be discontinued.

Online Post on Underground Forum

Just recently, however, we’ve uncovered that there is an ongoing development in the Andromeda botnet. This latest announcement was posted just recently and basically says that Andromeda code is going to be updated heavily. They suspended the sales of plug-ins to focus more on developing the new version. Here is the rough translation of the post (it’s in Russian) about what this major update:

Attention!
Currently suspended sales of all plug-ins.
The project is undergoing a global modernization. In the near future will happen a few important but not visible changes:
1. Will update the admin principal. Externally, will remain the same, but the principle of storage change that will reduce the load.
2. All plugins will undergo fundamental changes both in format and structure. Those who wrote plugins for andromeda, need to ping waahoo for further informations.
3. why such a change? First of all – it fixes bugs and flaws found, secondly because of the bugs found that have to completely change the approach to plug-ins that have this pain in the ass and should not not pop up in future.
4. I’m not going on vacation for a long time. On the work of Andromeda or its purchases – please contact the author of the project

Rootkit and socks5, which are popular plugins, are also now free of charge. Previously, the rootkit was sold $300 and $1000 for socks5 with BackConnect. BackConnect is a plug-in used to turn an infected machine into a SOCKS5 proxy — it allows the criminal to control the infected machine directly via infected machine IP and a random port.

As of this writing, there is no definite date on when the new version will come out. But once implemented, this latest version of Andromeda is expected to be more stable and powerful than the previous ones and may come with more plug-ins.

As July winds down, infection counts for PE_EXPIRO have been trending downwards recently. This file infector can infect Windows files on both 32-bit (detected as PE_EXPIRO.JX) and 64-bit (detected as PE64_EXPIRO.JX) systems. At its peak, we saw thousands of infection counts but then dropped eventually (as seen in our Smart Protection Network feedback).

Because of the threat’s interesting blend of routines (file infector with info theft routines and exploit kit connection), we think that this is a good opportunity to discuss the various solutions that are available to help users. For more information about the threat, users can read our previous entry here.

Utilizing Trend Micro Solutions To Stamp Out EXPIRO

First of all, URLs associated with this attack are already blocked to avoid further damage, re-infection, or information leakage. Here’s an example wherein Trend Micro’s OfficeScan Web Reputation Service (WRS) blocked a URL associated to the EXPIRO malware:

WRS blocks the C&C URLs associated with the EXPIRO malware.

The above screenshot was taken from OfficeScan 10.6 Service Pack 2 with the Custom Defense Pack. This enhanced version of Officescan allows administrators to visualize high profile attacks; it uses the Trend Micro Smart Protection Network Global Intelligence list to inform administrators of the activities of any C&C servers and point out which hosts may need immediate remediation.

More detailed information is available if Deep Discovery Inspector is in use. It allows the administrator to watch the network for such events – even if there is no security software installed on the endpoint. For very large networks, it makes it even easier for administrators to determine which endpoint violated a certain policy as they are able to view information – including  the MAC address – of the offending endpoint.

The following screenshots show the Deep Discovery Inspector can provide about connections to malicious C&C servers, ranging from DNS queries:

To information about the connection:

Files copied to the affected machine:

And information about the EXPIRO malware itself:

Preventing similar infections in the future

This unusual attack used several noteworthy methods, with both Java and PDF exploits to deliver the file infectors to potentially vulnerable systems. That being said, there are two things that will help minimize similar attacks in the future:

• Have effective patch management, even for third party software such as Java and Adobe Acrobat
• Block unknown or unverified web sites. Web sites that are unknown or unverified may contain malicious files. A web filtering solution – either at the gateway or the endpoint itself – may be useful.

If third party software patch management is not in use, “virtual patching” may be useful. Deep Security or OfficeScan’s Intrusion Detection Firewall plug-ins can prevent vulnerabilities from being executed, preventing these threats from reaching user systems. For more information on the related Deep Security solution, you may read our previous blog entry here.

Conclusion

One weakness in the network is all that is needed for this threat to re-occur. EXPIRO is indeed a traditional file infector (with an added twist of data stealing) and cleaning systems that have been infected with this malware is pretty straight forward. The various Trend Micro solutions at the disposal of system administrators allows them to effectively fix, and prevent, these threats in the enterprise environment.

With additional inputs from Jay Yaneza and Rhena Inocencio.

We spotted yet another threat lurking around social media sites targeting users of either Google Chrome or Mozilla Firefox. This threat uses fake extensions for both browsers to infiltrate user systems and hijack social media accounts – specifically, Facebook, Google+, and Twitter accounts.

To install these fake extensions, users would see various lures on social media sites to try to get users to install a fake video player update. In reality, this player update is a malicious file detected as TROJ_FEBUSER.A, installs a browser plugin depending on the browser currently being used.

One earlier version we saw for Google Chrome, detected as JS_FEBUSER.A, identifies itself as Chrome Service Pack 5.0.0. In the case of Mozilla Firefox, the fake plugin is Mozilla Service Pack 5.0.

Figure 1. Names used by the malicious plugin

Google Chrome has since flagged this particular plugin as malicious. An updated version of the plugin, detected as JS_FEBUSER.AB, is identified as F-Secure Security Pack 6.1.0 (for Google Chrome) and F-Secure Security Pack 6.1 (for Mozilla Firefox) .

Figure 2. Names used by the updated malicious file

Once installed, it connects to a malicious URL to download a configuration file. It uses the details on that configuration file to hijack the user’s social media accounts and perform the following actions, without any authorization from the user:

• Like pages
• Share posts
• Join a group
• Invite friends to a group
• Chat with friends
• Post comments
• Update status

This threat tries to perform the above actions on three different social networks: Facebook, Google+, and Twitter. Because of this, in effect, the attackers are able to hijack the accounts of the users and could, for example, use them to spread links to other malicious sites.

One more thing to note: the fake video player update is digitally signed. Digital signatures are a way for developers and publishers to prove that a file did come from them and has not been modified. Potential victims may take this to mean that the file is legitimate and harmless.

Figure 3. Valid digital certificate of the malicious video player update file

It is not yet clear if this signature was fraudulently issued, or a valid organization had their signing key compromised and used for this type of purpose.

Users are once more reminded to always be aware and vigilant of such scams. Cybercriminals are getting better at making their lures much more convincing, even resorting to abusing legitimate services and users in order to appear legitimate.

Trend Micro already blocks all URLs associated with this threat and detects the malicious files.

Update as of July 31, 2013, 6:38 PM PST
Both TROJ_FEBUSER.AA and JS_FEBUSER.AA have been renamed to TROJ_FEBUSER.A and JS_FEBUSER.A respectively.

Spoofing – whether in the form of DNS, legitimate email notification, IP, address bar – is a common part of Web threats. We’ve seen its several incarnations in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection.

Header spoofing is when a URL appears to be downloaded from a certain domain, but in reality it is downloaded from a different and (very likely) malicious one. Unlike other types of spoofing techniques, this action is done without any system or file modification. Instead, header spoofing is performed by modifying the network packet, in particular adding the new domain to the request header once malware has connected to server and right before it sends the data. My colleague Jessa dela Torre mentioned this behavior in her research on the StealRat botnet.

One interesting malware that performs this is the malware TROJ_RODECAP.SM. Figure 1 shows the GET command to the link http://www.google.com/d/conh11.jpg, as well as the header of the downloaded file.

From the network traffic, it can be seen that the reply came from the domain {BLOCKED}.104.93, which is located in Russia and is not connected to Google at all. Thus, network administrators might skip or regard the traffic as harmless because the purported requested link is a legitimate domain and merely leads to an image file. This spoofing provides a good way to cover up the communication between the malware and the remote server that ultimately avoid rousing any suspicion, without revealing itself to end users.

As we mentioned earlier, this technique was used by the StealRat botnet which brought its own novel ways of sending spam. These incidents highlight how threat actors are coming up with new tools and techniques to evade detection by security vendors.