Downloader.Ponik Seeks Long Term Relationship

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar of cybercriminals.

Figure 1. Downloader.Ponik spam campaign world map

One of the most recent malicious spam campaigns we encountered used online dating as its lure. While broad in scope, targeting users around the world, this campaign was largely focused on users in the United States, the United Kingdom, and Australia.

Figure 2. Sample Downloader.Ponik dating spam email

The email messages used in the campaign claim to be from someone named “Kat” and use varying subject lines:

  • It’s a pleasure to meet you here
  • Write me again, ok? I really need your advice
  • How are you today? What are you doing now?
  • You dont know me, so Im here to fix it!
  • Hey how are you?
  • Hello there!
  • Im glad to see you!
  • Hola!
  • How do you do?

The body of the message is identical in each email:

Hello from Kat. I got some information about you from a dating site. I found out that you are looking for a woman for LTR. I’m expect to find a perfect match. Also I wish to exchange photos with you and maybe try to know you better. I will be waiting for your reply with impatience.

It is interesting to note that the emails claim that they obtained information on the target through an online dating site.

Attached to each message is a file named photo.zip, which contains a threat that we detect as Downloader.Ponik. Downloader.Ponik is known for bringing some baggage with it. This particular version of Downloader.Ponik downloads the following malware:

As always, be careful when opening attachments in emails from unknown sources. I think it is safe to say that this is one long-term relationship you don’t want to get involved in.
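A mail-gateway check for this lure, added here as an example and not part of the original post. It uses only the indicators the post gives (the sender name “Kat”, the subject lines, the photo.zip attachment, the “dating site”/“LTR” wording) and builds its own constructed sample message, including a zip that holds a dummy file named photo.exe. The executable-extension list and the quarantine/review thresholds are assumed gateway policy. The sample body is transfer-encoded as quoted-printable on purpose: the soft line breaks that appear as stray “=” characters when an extractor skips decoding are exactly why a keyword rule must run on the decoded body, not the raw bytes.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators lifted from the post: subject lines, sender display name, attachment name.
KNOWN_SUBJECTS = {
    "It's a pleasure to meet you here",
    "Write me again, ok? I really need your advice",
    "How are you today? What are you doing now?",
    "You dont know me, so Im here to fix it!",
    "Hey how are you?",
    "Hello there!",
    "Im glad to see you!",
    "Hola!",
    "How do you do?",
}
LURE_SENDER_NAME = "kat"
LURE_ATTACHMENT = "photo.zip"
# Extensions Windows runs directly. Assumed gateway policy, not something the post lists.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def normalize_subject(subject: str) -> str:
    """Lower-case and drop apostrophes so curly, straight and missing apostrophes compare equal."""
    return "".join(ch for ch in subject.lower() if ch not in "'\u2019").strip()


NORMALIZED_SUBJECTS = {normalize_subject(s) for s in KNOWN_SUBJECTS}


def build_sample_message() -> bytes:
    """Constructed sample resembling the campaign. Not a real capture; the zip holds a dummy file."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("photo.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "Kat <kat@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hola!"
    # Quoted-printable transfer encoding: the body on the wire contains "=" soft line breaks.
    msg.set_content(
        "Hello from Kat. I got some information about you from a dating site. "
        "I found out that you are looking for a woman for LTR. I'm expect to find a perfect match.",
        cte="quoted-printable",
    )
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename=LURE_ATTACHMENT)
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return a verdict plus the individual findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_header = msg["From"]
    display_name = ""
    if from_header is not None and from_header.addresses:
        display_name = from_header.addresses[0].display_name.lower()
    if display_name == LURE_SENDER_NAME:
        findings.append("sender display name matches lure")

    if normalize_subject(msg["Subject"] or "") in NORMALIZED_SUBJECTS:
        findings.append("subject matches known campaign subject")

    # get_content() undoes the transfer encoding, so "=" soft breaks never reach the keyword rule.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if "dating site" in body.lower() and "ltr" in body.lower():
        findings.append("body matches lure text")

    archive_members = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name != LURE_ATTACHMENT:
            continue
        findings.append("attachment name matches lure")
        payload = part.get_content()  # decoded bytes for application/zip
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                archive_members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("attachment is not a valid zip")
            continue
        if any(m.lower().endswith(EXECUTABLE_EXTENSIONS) for m in archive_members):
            findings.append("zip contains an executable")

    dangerous = "zip contains an executable" in findings
    lure = any(f.startswith(("sender", "subject", "body")) for f in findings)
    verdict = "quarantine" if dangerous and lure else ("review" if dangerous or lure else "deliver")
    return {"verdict": verdict, "findings": findings,
            "archive_members": archive_members, "body": body}


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
```

The verdict deliberately requires both a lure indicator and an executable inside the archive before quarantining: a zip with an executable alone is common in legitimate mail and only warrants review, while subject lines alone are cheap for the sender to rotate.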

New Malware can Automatically Register Facebook Applications

A few months ago, at least prior to February 7th, Sality operators pushed a new piece of malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing the username/password and sending it to a Command and Control (C&C) server, the information was also dumped to an encrypted file on the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained new malware on top of their usual spam/web relays. The malware searches for encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware then connects to a C&C server (74.50.119.59, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. The main goal is to automate Internet Explorer actions. On Monday, April 11th, the script sent when Facebook credentials were found on the local machine was the following:

The function names are self-explanatory. The script, when executed, performs the following actions:

  • Create a visible instance of Internet Explorer.
  • Navigate to facebook.com.
  • Log in.
  • Go to the Facebook app #119084674184 page: this application, named VIP Slots, has been around for a few years.
  • Grant access to this application.
  • Close the browser instance.

The permission required by VIP Slots is only “Basic information”, meaning your name and gender, profile picture, networks, and list of friends. The application itself does not seem to exhibit malicious behavior, but the fact that a malicious program interacts with it is very troubling. The end goal is not determined at this stage: registering the user could serve aggressive spamming (application posts appearing on your news feed), or be a way to drive more users to the app for monetary purposes (by buying virtual credits). The application could simply be an innocent party.
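A defender-side correlation over web-proxy logs, added here as an example and not taken from the original post. It flags clients that fetched something from the C&C address named in the post and then, within a short window, requested the Facebook page for app id 119084674184, which is the sequence the action script produces; a client that only visits the app page is not flagged, since legitimate users do that too. The log line format, the facebook.com URL shape, the request path on the C&C host and the ten-minute window are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators from the post: the C&C address and the Facebook application id.
CNC_IP = ipaddress.ip_address("74.50.119.59")
APP_ID = "119084674184"
# How soon after the C&C contact the app-page visit must occur to count as one chain (assumed).
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url>". Not a real capture.
# The C&C request path and the facebook.com URL shape are placeholders chosen for illustration.
SAMPLE_LOG = """\
2011-04-11T09:00:01 10.0.0.5 GET http://www.example.invalid/
2011-04-11T09:02:10 10.0.0.7 GET http://74.50.119.59/PLACEHOLDER_PATH
2011-04-11T09:02:45 10.0.0.7 GET http://www.facebook.com/login.php
2011-04-11T09:03:05 10.0.0.7 GET http://www.facebook.com/apps/application.php?id=119084674184
2011-04-11T09:05:00 10.0.0.9 GET http://www.facebook.com/apps/application.php?id=119084674184
2011-04-11T10:30:00 10.0.0.11 GET http://74.50.119.59/PLACEHOLDER_PATH
2011-04-11T12:00:00 10.0.0.11 GET http://www.facebook.com/apps/application.php?id=119084674184
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> list:
    """Turn log text into (timestamp, client, url) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url = m.groups()
        events.append((datetime.fromisoformat(ts), client, url))
    return events


def is_cnc_contact(url: str) -> bool:
    """True when the URL host is the C&C IP literal (hostnames are not resolved here)."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host) == CNC_IP
    except ValueError:
        return False


def is_app_page_visit(url: str) -> bool:
    """True for a facebook.com URL that carries the VIP Slots application id."""
    host = (urlsplit(url).hostname or "").lower()
    on_facebook = host == "facebook.com" or host.endswith(".facebook.com")
    return on_facebook and APP_ID in url


def correlate(events: list, window: timedelta = CORRELATION_WINDOW) -> dict:
    """Per client: C&C contact followed by an app-page visit inside the window, or contact alone."""
    by_client = {}
    for ts, client, url in sorted(events):
        by_client.setdefault(client, []).append((ts, url))
    verdicts = {}
    for client, timeline in by_client.items():
        contacts = [ts for ts, url in timeline if is_cnc_contact(url)]
        if not contacts:
            continue  # app-page visits alone are normal user behaviour
        visits = [ts for ts, url in timeline if is_app_page_visit(url)]
        chained = any(0 <= (v - c).total_seconds() <= window.total_seconds()
                      for c in contacts for v in visits)
        verdicts[client] = "script_fetched_and_app_registered" if chained else "cnc_contact_only"
    return verdicts


if __name__ == "__main__":
    for client, verdict in correlate(parse_log(SAMPLE_LOG)).items():
        print(client, verdict)
```

Matching the C&C by IP literal rather than by resolving hostnames keeps the check deterministic when replaying old logs; the window is a tuning knob, and the 10.0.0.11 entry shows what falls outside it and is reported as contact only.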

Another script was also distributed. The actions taken by this generic script were the following:

  • Create an invisible instance of Internet Explorer.
  • Go to google.com.
  • Search for “auto insurance bids”.
  • Close the browser instance.

This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends reports a recent peak for this search term.

As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.

Our latest definitions detect this malware as Trojan.Gen. Facebook users may see which applications they are currently subscribed to by checking their Privacy settings > Apps and Websites page.