Snowshoe Spammers Target the British Royal Wedding

With just over two months to go before the wedding of Prince William and Kate Middleton, it’s no surprise to find this significant event is being used to promote products. Emails advertising a replica of Princess Diana’s engagement ring were observed in the past few days, sent by well established spammers.

Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall in that category, and in fact the IP which is sending the spam is the same as the one hosting the domain which is linked to in the email. This domain has also been used in other spam campaigns, such as the long running Who’s Who social networking spam messages (see our May 2008 State of Spam report for similar attacks). It was registered on February 9, 2011, using Moniker Privacy Services for anonymity, and since then has been used in at least half a million spam emails. This spammer has registered many different domains across a range of IPs in a technique that is sometimes known as “snowshoe spamming”.

If the user clicks on the link in the email, it firstly redirects to the ‘lynxtrack.com’ domain, which checks that the user’s IP is based in the US, before redirecting to the final destination product site. The product site was registered much earlier, on December 21, 2010, using a different registration service, indicating that the people behind the site might be purchasing spam services rather than sending it themselves.

Symantec Brightmail has had predictive filters in place to block these particular snowshoe attacks since October 2010. The graph below shows how many messages per day have been blocked from this spammer.

As the British Royal wedding gets closer though, we do expect to see it featured in other spam campaigns to attract users’ attention; at the very least in scraped news headlines.

Thank you to Pavlo Prodanchuk for contributing content.

This Time it’s Social Networking over Presidents’ Day

In the United States, Presidents' Day is celebrated on the third Monday of February to honor two of America’s greatest presidents, Abraham Lincoln and George Washington. This year, Presidents' Day will be celebrated on February 21. Recently, Symantec has observed spam attacks leveraging Presidents' Day and has seen attempts to exploit the "groups" function of a social networking site.

The samples shown below are screenshots of one such group from a social networking website. The group is quite obviously trying to exploit the Presidents' Day event:

The group description “MEGA SPAM!... Spam YOUR A TOOL! on your messages” [sic] is an attempt to inspire group members to start flooding spam messages at a specific time ("FEB 15 AT 11 AM”). Inexperienced users may be unaware of the risks involved with joining untrustworthy groups such as this. Please be wary of the types of groups or users that you associate with on social networking sites.

Simultaneously, spammers have yet again begun providing fake offers by promoting products at discounted prices. The sample shown below is a screenshot of a spam Web page targeting Presidents' Day:

Basic tips for avoiding spam messages and online scams:

- Avoid submitting any personal information to unknown websites.
- Do not click on suspicious links in email messages.
- Most social networking websites now allow applications, groups, etc. to be blocked and/or reported. Use these options to deny any further requests from unwanted applications.
- Frequently update your security software, which protects you from potential online scams.

Note: Thanks to Anand Muralidharan for contributing this blog.

The BlackHole Theory

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph illustrates this: more than 100,000 malicious hits are reported each day.

End-to-end Analysis of the BlackHole Exploit Kit

• When a victim visits a clean site that has been injected with a malicious iframe, the iframe redirects the user to the BlackHole exploit kit server. The figure below shows the obfuscated iframe script:

Here is a decoded version of the script:

• BlackHole uses the following technique to obfuscate its exploits. The page contains a large array inside a <textarea>. When decoded, the array yields exploits for various popular vulnerabilities (PDF, JAVA, HCP, MDAC, etc.).

The image below shows the code that decodes the array. The variable “ivtl” contains the string “url(data:,va….” after the “.match()” method. The statement “wjw = g["e"+ivtl.substr(0,2)+"l"];” results in “eval”, as “ivtl.substr(0,2)” evaluates to “va”. The string “s”, which contains the decoded script, is passed to “wjw” for execution.

• The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script and then decodes it into a URL:

The images below show the code inside the jar file:

The decoded string has the pattern “d.php?f=[0-9]{1,2}&e=[0-9]{1,2}”. This URL is then used to perform other malicious downloads.

• The URL downloads Trojan.Carberp, a highly sophisticated Trojan that is being compared to ZeuS because of its ingenious techniques for avoiding detection.

• The Trojan posts a unique ID to the command-and-control (C&C) server, which is then used every time a transaction takes place between the Trojan and the C&C server. The URL has the pattern “/set/task.html”.

• Next, the Trojan posts all of the running processes on the victim’s computer to the C&C server. The URL has the pattern “set/first.html” and the data posted has the pattern “id=(Unique number posted on /set/task.html)&os=(Name-version of OS)&plist=(List of all running processes)”.

• The Trojan then downloads three modules:

1) stopav.plug – This module disables the antivirus installed on the victim’s computer.
2) miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its competitor(s).
3) passw.plug – Hooks the export table of a number of WININET.dll and USER32.dll functions and logs every username/password combination that is typed, as well as any URLs visited.

• The C&C server sends the “multidownload” command to the Trojan:

• The first file downloaded (1.exe) is Trojan Hiloti (a.k.a. Trojan.Zefarch), which makes requests to a free file-hosting site. One of the domain patterns is “[a-z0-9]{12}.weirden.com”. The request page has the pattern “/get2.php?c=[A-Z]{8}&d=<long Hex String>”. The server always replies with “File Not Found” to requests for the file.

• The second file downloaded (2.exe) is FakeAV:
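As an added example (not code from the original post), the Python filter below checks proxy-log requests against the URL patterns the walkthrough above gives for the BlackHole payload download, the two Carberp C&C check-ins and Hiloti's file-host requests. The log lines and the 203.0.113.5 address are constructed, and the minimum hex length for Hiloti's `d=` value is an assumption, since the post only says "long Hex String".

```python
import re
from urllib.parse import urlsplit

# Request patterns from the BlackHole / Carberp / Hiloti chain described above, as
# (label, method, host regex or None, path+query regex, POST-body regex or None).
# Hiloti's "d=" value is only described as a "long Hex String"; >= 16 hex chars is an assumption.
RULES = [
    ("blackhole-payload-download", "GET", None,
     r"/d\.php\?f=[0-9]{1,2}&e=[0-9]{1,2}$", None),
    ("carberp-c2-register", "POST", None, r"/set/task\.html$", None),
    ("carberp-c2-process-list", "POST", None, r"/set/first\.html$",
     r"^id=[0-9]+&os=[^&]+&plist=.+"),
    ("hiloti-filehost", "GET", r"[a-z0-9]{12}\.weirden\.com",
     r"/get2\.php\?c=[A-Z]{8}&d=[0-9a-fA-F]{16,}$", None),
]

def classify(method, url, body=""):
    """Return the label of the first rule this request matches, or None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for label, want_method, host_re, target_re, body_re in RULES:
        if (method == want_method
                and (host_re is None or re.fullmatch(host_re, parts.hostname or ""))
                and re.search(target_re, target)
                and (body_re is None or re.match(body_re, body))):
            return label
    return None

def scan(log_text):
    """Run classify() over 'METHOD URL [BODY]' lines and return (label, url) hits."""
    hits = []
    for line in log_text.splitlines():
        method, url, *rest = line.split(" ", 2)
        label = classify(method, url, rest[0] if rest else "")
        if label:
            hits.append((label, url))
    return hits

# Constructed sample proxy log (not real traffic); 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
GET http://www.example.com/index.html
GET http://203.0.113.5/d.php?f=12&e=3
POST http://203.0.113.5/set/task.html id=7319
POST http://203.0.113.5/set/first.html id=7319&os=Windows-5.1&plist=explorer.exe,svchost.exe
GET http://abc123def456.weirden.com/get2.php?c=QWERTYUI&d=0a1b2c3d4e5f60718293a4b5
GET http://www.example.com/d.php?f=123&e=3
"""
```

`scan(SAMPLE_LOG)` returns four hits; the clean request matches nothing, and the last line falls outside the `f=[0-9]{1,2}` pattern, which is the kind of near miss worth keeping in mind when turning such patterns into signatures.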

The good news is that Symantec customers are protected from this attack. Symantec IPS and AV engines have generic detections for BlackHole's traffic, exploits, Trojans, and the rogue application FakeAV. Today, the crimeware industry maintains a fully fledged business model, and the BlackHole exploit kit is a very good example of that model's sophistication and distribution. Exploit kits pose a great challenge to security vendors, considering the ever-increasing list of modern exploits and ever-changing obfuscation techniques. Thus, we at Symantec urge readers to install all security patches and definitions regularly. For more information, please see our recent Attack Toolkits and Malicious Websites report.

Note: My thanks to the co-author of this blog, Parveen Vashishtha.

Android.Adrd Versus Android.Geinimi

With the recent discovery of Android.Adrd, I thought it was really interesting that a few security companies decided to bundle this threat with the same detection name as Android.Geinimi, even though Android.Adrd is unique in its own right. This is the first Trojan horse for Android whose purpose is search engine manipulation. In today’s blog, I will compare these two threats.

Propagation
Both of the threats use pirated software to infect user devices. The threat author has selected popular apps to “Trojanize” and deliver malicious content on top of clean content.

Initialization
Both threats register themselves to run at boot time. Android.Adrd also registers itself when a phone call is made or network connectivity settings are changed.

Functionality
Android.Geinimi opens a back door on a device. It has over twenty functions, such as making calls, sending SMS messages, and stealing sensitive information. On the other hand, Android.Adrd is very basic in comparison. When Android.Adrd is running, it receives a collection of strings from a remote server and then repeatedly performs search operations in the background (i.e. not visible to the user). The search operations are made through HTTP requests in the following format:

wap.baidu.com/s?word=[ENCODED SEARCH STRING]&vit=uni&from=[ID]

Interestingly, the immediate goal of these requests is to boost the site ranking of a Chinese mobile Web site known as 聚焦网(Focus Online) through Baidu’s Traffic Union program. The HTTP requests result in many artificial “searches” for the terms supplied by the Trojan’s author(s), thereby artificially increasing the mobile site’s ranking in the Baidu search engine’s “Recommended Sites” listings for certain search terms.

Encryption
Both threats use DES encryption to encrypt communication.

The Money Trail
Android.Adrd doesn’t beat about the bush; its primary intent is search engine manipulation/click fraud from a mobile device. To make sure the threat is continuously productive, the creators have even gone to the extent of adding routines to identify the connection method being used (WiFi or 3G access). The interesting twist here is that fraudulent apps running on mobile devices have an advantage in that they can switch between connection methods, which can help them evade mechanisms that check for fraudulent clicks. In contrast, there currently is no definitive financial motive that can be attributed to Android.Geinimi.

Even though Android.Adrd does not appear to be hugely complex, one should bear in mind that it includes an update function that allows the attacker to update and modify functionality or behavior when required. Given this, please ensure that your mobile device antivirus product is up to date.