U.K. Tax Scams on the Horizon

As the saying goes: Death and taxes are the only constants in life. This adage can be applied to scams on the Internet as well. Every tax season we can count on scams like these to raise their heads and try to bilk users out of their identity information and hard-earned money. A few of the messaging and spam researchers at McAfee Labs sent me some samples earlier today that I would like to share.

Take a look at the following sample and you will see the typical scam we see during tax season. This one is targeted at United Kingdom computer users and is a decent lure:

This particular scam promises a refund of GBP 239.41 if replied to within 72 hours, cites a few financial institutions, and asks the email reader to click the submission link. That link leads the user to the following fake site:

I found this site interesting because it has a few valid links embedded at the top, but the rest were bogus. Also notice that there is no SiteAdvisor rating at the bottom right. The real HMRC site is rated as green by SiteAdvisor:

All things considered it is a pretty good fake and I am sure will fool quite a few people. If you have SiteAdvisor installed or are using a browser with some built-in phishing protection, you would be proactively protected:

As always, make sure you are staying updated with your security technologies and expect these types of scams and lures in their seasons. A little healthy skepticism might just save one’s identity or bank account!

So Predictable: St. Patrick’s Day Scams

I have blogged many times about how cybercriminals and scammers use holidays, sporting events, and disasters as lures in their never-ending schemes. Just like with tax season, every Valentine’s Day we see more scams. Most high-profile sporting events, such as the FIFA World Cup, inspire them; and certainly recent events like the earthquakes in Haiti, Chile, and Japan server as bait for these schemes. St. Patrick’s Day finds itself in the same situation.

Just a bit ago I received a few examples that I would like to share:

This one leads to a fairly uninteresting ecard site that distributes a “free” toolbar most of us detect as FunWeb, but I did find the next one a bit more interesting:

This one, as you can clearly read, launches right into a sales pitch about making money online. It also uses shortened URLs (a common tactic) to hide the actual site they are sending the recipient to. Various forms of short URL abuse is something McAfee Labs highlighted in our yearly predictions paper, which is definitely worth the download and read. The short links lead to the following site:

This site, which is flagged “yellow” by our SiteAdvisor technology, proclaims to have techniques, knowledge, and software that can turn anyone into the next Internet millionaire! Pretty odd when you consider it came from an email that wished you Happy Paddy’s Day, no? Predictable as these are, they are nonetheless effective and will be with us for years to come.

Stay informed. Stay updated. Stay safe.

Malware in Recent Korean DDoS Attacks Destroys Systems

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns. (Click on chart for details.)

This is further supported because the list of first-layer servers can be updated at any time.

The red code blocks deal with contacting the first-layer C&C server, the green code blocks retrieve the list of the second-layer servers, and the blue code blocks handle file downloads from the second-layer servers.

Botnets of infected computers usually receive commands directly and carry out the nefarious intent of their controllers. In this case, however, the C&C application behaves more like a downloader. Instead of directly interpreting commands, the application simply downloads files to the local hard disk. Secondary malware components that run independently of the main service find these files and then evaluate their contents to carry out an attack.

The two layers make it harder to analyze the malware because an analyst must understand many components and cannot simply follow the code flow within one malware binary. However, forensics are easier because in postmortem we can identify which task files have been created on an infected computer.

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The list of file extensions that will be overwritten is particularly interesting. It contains typical document data:

  • doc, docx, docm
  • xls, xlsx
  • pdf, eml (Outlook Email)

The list also contains some programming-language file extensions, such as c, cpp, h, and java. Wonder what they thought would be on the infected machines? Or did they already know?

One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyberfrontier.


Our standalone malware-removal tool Stinger has been updated with a more generic detection of the malware involved in this attack. Stinger is available for download here.

Heroin, Cocaine & Rockets – But please don’t panic…

This little gem of a spam run was widely broadcast last night and caused some alarm. Take a look, I’m sure you’ll see why.

1. Heroin, in liquid and crystal form.
2. Rocket fuel and Tomohawk rockets (serious enquiries only).
4. New shipment of cocaine has arrived, buy 9 grams and get 10th for free.
Everyone is welcome, but not US citizens.
ATTENTION. Clearance offer. Buy 30 grams of heroin, get 5 free.
Prices upon reqeust:
Our email: <redacted>@<redacted>.COM
PHONE 0093 (0) 20 <redacted>
FAX 0093 (0) 70 <redacted>

This is actually a really old prank, originally targeted at the Dark Profits website in 2003. This is simply a prank twist of a traditional email Joe Job., designed to flood a mailbox/phone/fax with responses.

We saw a couple of different flavors of this campaign targeting different entities however all were appropriately caught.

Snopes have a great article in their archive if you’d like a refresher.

Don’t panic. Nothing to see here!