MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 27 June 2008

I'll Have a 419 With a Side Order of Malware, Please....

No, this isn't about an order being placed at my local Chinese restaurant or takeaway; their menu item numbers don't go up that far, believe me, I have checked ;-).

So for starters, let me show you a screenshot of an e-mail I received this morning:



Looks like a pretty typical 419 scam e-mail, doesn't it? A little more terse than usual, I'll grant you, but still a 419 scam. Hang on, it has an attachment, most unusual! Here's a screenshot showing the attached file:



An executable file: very suspicious, and most unusual for it to be attached to a 419 scam. I wonder what the Bad Guys and Girls from Lagos are up to now? I think a bit of testing and investigation is in order, don't you?

Some details on the executable file first:

FileName: 108 3386 8257.exe
FileDateTime: 26/06/2008 11:38:39
Filesize: 303842
MD5: 3e5480b34a38d2dc5e1f45f561c7d5f2
CRC32: F7A3CF76
File Type: PE Executable

This is a WinRAR SFX [self-extracting executable archive] and it contains the following files:

108 3386 8257.txt
gbt.exe
gbthk.dll
inst.dat
kw.dat
pk.bin
rinst.exe


So, let me extract the files; no, not by running the RAR SFX file, as that would infect my system with the malware contained inside it.

Of these, only one is a true executable file:
FileName: rinst.exe
FileDateTime: 24/06/2007 21:08:18
Filesize: 19456
MD5: f3d0beef15eb987dbcec8e803bf6c89d
CRC32: 94F8865E
File Type: PE Executable

This file "rinst.exe" is packed using Armadillo and the executable itself appears to be written using Microsoft Visual C++.

This is the main installation file. If you are foolish enough to run the attachment, all the enclosed files are dropped to "C:\WINDOWS\TEMP\RarSFX0" and "rinst.exe" is then run to perform the install of the malcode; in this case it also tries to identify and kill any recognised anti-malware tools. Once installed it attempts to load the "108 3386 8257.txt" file, which contains the following text:

MTCN CONTROL NUMBER 108 3386 8257
AMOUNT : $3,450USD
RECIEVER : JONATHAN NWEKE,LAGOS NIGERIA

The rest of the files appear to be obfuscated components of a keylogger installation, so not only is this malware attempting to kill any security defences you have in place, it is also trying to record what you type, etc. Nasty!
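The triage above (size, MD5, CRC32, "is it a PE?", "is it really a WinRAR SFX?") is something you can do without ever running the attachment. The script below is an added example written for this post, not the author's tooling; it recognises a RAR SFX by the RAR marker block that the archive carries behind the PE stub, and the `build_constructed_sample()` bytes are a constructed stand-in for an SFX, not the real "108 3386 8257.exe".

```python
import hashlib
import struct
import zlib

# Format markers from the public PE and RAR 4.x specifications (facts, not page-specific).
PE_MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
RAR_MAGIC = b"Rar!\x1a\x07\x00"   # RAR marker block; a WinRAR SFX carries it after the stub


def is_pe(data: bytes) -> bool:
    """True when the bytes carry an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != PE_MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def rar_marker_offsets(data: bytes) -> list:
    """Every offset at which a RAR marker block appears. For a PE this is a strong
    hint that it is a RAR SFX; the last hit is normally where the archive starts."""
    offsets, pos = [], data.find(RAR_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(RAR_MAGIC, pos + 1)
    return offsets


def file_fingerprint(data: bytes) -> dict:
    """Size, MD5 and CRC32 in the same form the post lists them, plus format hints."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "is_pe": is_pe(data),
        "rar_offsets": rar_marker_offsets(data),
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an SFX (NOT the post's sample): a minimal MZ/PE header,
    zero padding standing in for stub code, then a RAR marker block. It cannot execute."""
    dos = bytearray(0x40)
    dos[:2] = PE_MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature at offset 0x40
    stub = bytes(dos) + PE_SIG + b"\x00" * 28     # 0x60 bytes of "stub"
    return stub + RAR_MAGIC + b"\x00" * 16        # marker block at offset 0x60, then archive bytes


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for key, value in file_fingerprint(blob).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py <file>` on a copy of the sample in an isolated analysis VM. Once the RAR marker confirms an SFX, any archiver that understands RAR (unrar, 7-Zip) will list and extract the embedded files from the `.exe` directly, which is how you get at `rinst.exe` and the `.dat`/`.bin` files without letting the stub run.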

So next time you receive a 419, have a closer look and see if the Bad Guys and Girls from Lagos have included an attachment to get you to infect your computer and steal your personal data. It seems that they have finally learned that this is now a multi-billion dollar business, and if they fail to adapt then they will either get left behind or other professional cyber-criminals will take their traditional business away from them.

If you want to know more about 419 scams and their genesis, then you can find more here.

Right, back to my analysis of this to find out what else it does...

Monday, 23 June 2008

Would You Rather Be A Mule [REDUX]?

How many of you out there have seen job offers [both part-time and full-time positions] that look like the following screenshots:

Tempted to apply, or do they seem too-good-to-be-true?

Well, they are too-good-to-be-true: all the screenshots of the e-mails are nothing more than attempts to recruit staff to act as money launderers, also known as mules.

I've written about mules before on this blog, but I thought it was time to revisit the area, as the bad guys and girls have been very active in trying to recruit new mules just recently.

So, a quick recap:

"We are not talking about four legged creatures that are half horse and half donkey...think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates; they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc."

Next time you see a job advert on the web or in the local paper, or receive a job offer via e-mail, stop and think: is this really legit, or am I about to be turned into a mule? Or, as the song goes:

"Would you like to swing on a star
carry moonbeams home in a jar
and be better off than you are
or would you rather be a mule

A mule is an animal with long funny ears
he kicks up at anything he hears
His back is brawny but his brain is weak
he's just plain stupid with a stubborn streak
and by the way if you hate to go to school
You may grow up to be a mule..."

The full lyrics can be found here.

By all means swing on a star, but not if it means you grow up to be a mule to fund the lifestyle, end up broken and saddled with a criminal record, and end up corralled in jail with numerous other mules, while those that run the scams get away with turning the endless train of desperate people [including students] into yet more mules.

Thursday, 19 June 2008

They're Back!!! Beijing Earthquake

Early this morning we started to see e-mails pushing a new variant of the so-called 'Storm Worm'. These use a similar tactic to the one that gave the malware authors their name; in this case the lure isn't a real storm but a fictional new earthquake in Beijing, China.

Here is a screenshot showing many of the subject lines seen so far for this new Storm Worm run:



Here is a screenshot of one of the e-mails I have received:



Most of them do not have the anti-virus scanning message at the bottom; I picked this one as I'm not sure whether this was added by one of the infected clients, or as part of the next wave as some form of extra social-engineering ploy. It should also be noted that they have gone back to using real domain names for this run, instead of their more usual dotted IP addresses. According to F-Secure, these are all fast-fluxed.

Here's a screenshot of the website you would end up on if you clicked on the link:



The file offered is not a video; it is, not surprisingly, an executable file. Here are the details of a sample I downloaded earlier today:

FileName: beijing.exe
FileDateTime: 19/06/2008 12:56:05
Filesize: 83608
MD5: 3752f1a45c897471369f5f17dc42c8ee
CRC32: DA97A2FB
File Type: PE Executable


Here are the scan results of the currently offered file 'beijing.exe' as scanned by over 30 up-to-date malware scanners:

@Proventia-VPS NOT DETECTED
AntiVir Worm/Zhelatin.zc
Avast! Win32:TDrop [Drp]
AVG NOT DETECTED
BitDefender Trojan.Peed.JLV
CA-AV NOT DETECTED
CA-AV (BETA) NOT DETECTED
ClamAV NOT DETECTED
Command NOT DETECTED
Dr Web NOT DETECTED
eSafe File [100] (suspicious)
Ewido NOT DETECTED
F-Prot NOT DETECTED
F-Secure NOT DETECTED
F-Secure (BETA) NOT DETECTED
Fortinet NOT DETECTED
Fortinet (BETA) NOT DETECTED
Ikarus Email-Worm.Win32.Zhelatin.zy
Kaspersky NOT DETECTED
McAfee NOT DETECTED
McAfee (BETA) NOT DETECTED
Microsoft NOT DETECTED
Nod32 Win32/Nuwar worm
Norman NOT DETECTED
Panda NOT DETECTED
Panda (BETA) NOT DETECTED
QuickHeal NOT DETECTED
Rising NOT DETECTED
Sophos W32/Nuwar-E
Sunbelt NOT DETECTED
Symantec NOT DETECTED
Symantec (BETA) NOT DETECTED
Trend Micro NOT DETECTED
Trend Micro (BETA) NOT DETECTED
VBA32 NOT DETECTED
VirusBuster NOT DETECTED
WebWasher Worm.Zhelatin.zc
YY_A-Squared NOT DETECTED
YY_Spybot Worldsecurityonline.FakeAlert,,Executable


It should also be noted that the Storm-Worm gang are trying something new with this variant: they are using Alternate Data Streams [ADS]; in this case there is an ADS called Zone.Identifier, which is a text file that contains:

[ZoneTransfer]
ZoneId=3

I'm not quite sure what they are using this for at the moment, maybe some form of tracking data?

UPDATE: This may actually be nothing to do with the Storm Worm gang after all [the ADS part, that is], as it seems that this may be a new 'feature' of Firefox 3.x instead, sneaky!
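The UPDATE is the right reading: a `Zone.Identifier` stream holding `ZoneId=3` is the "mark of the web" that a browser writes onto a downloaded file, and `3` is the Internet zone in the URLZONE numbering (0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites). Windows' attachment handling reads this stream to decide whether to warn before the file is run, so for an analyst it is provenance data, not attacker tracking. The parser below is an added example for this post, not the author's code; `SAMPLE_STREAM` is constructed to match the two lines quoted above, and `read_zone_identifier` uses the `path:Zone.Identifier` naming that NTFS accepts for a stream (it returns `None` on filesystems without ADS support).

```python
# URLZONE values as documented for Windows security zones (a fact, not page-specific).
URL_ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed to match the two lines quoted in the post; real streams use CRLF line ends.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream.

    Returns a dict with 'ZoneId' (int) and 'zone_name', plus any other keys found in the
    [ZoneTransfer] section (newer Windows versions add ReferrerUrl and HostUrl there).
    Returns an empty dict when there is no [ZoneTransfer] section or no usable ZoneId."""
    section = None
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue                      # ignore keys outside the section we care about
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                zone = int(value)
            except ValueError:
                continue                  # malformed ZoneId: leave it out rather than guess
            result["ZoneId"] = zone
            result["zone_name"] = URL_ZONES.get(zone, "unknown")
        else:
            result[key] = value
    return result


def read_zone_identifier(path: str):
    """Read and parse the stream attached to `path`; None if it is absent or unsupported."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(read_zone_identifier(sys.argv[1]))
    else:
        print(parse_zone_identifier(SAMPLE_STREAM))
```

The stream is worth recording during triage because it tells you which zone the file was downloaded from; it is also why a file copied off a FAT-formatted USB stick, or extracted by a tool that does not propagate streams, loses the warning the browser intended it to carry.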

So what do you do if you receive such an e-mail? Simply delete it; do not click on the link, definitely do not download and launch the file that is offered, and finally update your anti-virus at least once a day, as otherwise you will become a victim. Hopefully most anti-virus products will be able to detect this within the next 24 hours.

Monday, 16 June 2008

Every Little Helps...

Is the catchphrase for Tesco [a very well known UK supermarket], who sent me an e-mail today informing me that I "have added an additional email address to my account"; see below for the full e-mail:



The sender address was "customer@tesco.com", which is also the return address in the raw e-mail headers. So, let's see where we end up when we click on one of the four links in the e-mail itself, shall we?

Here's a screenshot of the website that we end up on [using Opera 9.50]...Hmmmm...Tesco.com [according to the tab text]. Looks like the real thing, but is it?



How many of you spotted the red warning in the browser's address bar? It reads [!Fraud site]*. Bit of a giveaway. Also, when I clicked on the link in the e-mail it actually went to a dotted IP address before being redirected [probably some form of click fraud] to the bogus Tesco.com site shown in the screenshot above. Yes, it is a Phishing site, not the real Tesco.com at all!
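Two of the giveaways in that e-mail can be checked mechanically before anyone clicks: a link whose real target is a bare IP address, and a link whose visible text names the brand while the `href` goes somewhere else. The checker below is an added example written for this post, not the author's tooling; `SAMPLE_MAIL` is a constructed e-mail body modelled on the description above (the real message is only shown as a screenshot), using the documentation address 192.0.2.10 and the reserved example domain example.net rather than any real phishing host. It goes a little beyond the post by also flagging lookalike hosts such as `www.tesco.com.example.net`, which Opera's fraud warning would catch only once the site is on a blocklist.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Last two labels of a host name. Assumption: no public-suffix list, so co.uk-style
    domains are not handled; good enough for comparing against a single brand domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


def suspicious_links(html_body: str, claimed_domain: str) -> list:
    """Return (href, reason) for each link that does not belong to claimed_domain:
    a bare-IP target, a host outside the claimed domain, or visible text that names a
    different host from the one the link really goes to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue                                    # mailto:, anchors, relative links
        reasons = []
        if _is_ip(host):
            reasons.append("target is a bare IP address")
        elif _registrable(host) != _registrable(claimed_domain):
            reasons.append(f"host {host} is not under {claimed_domain}")
        shown = _HOST_IN_TEXT.search(text.lower())
        if shown and _registrable(shown.group(1)) != _registrable(host):
            reasons.append(f"link text shows {shown.group(1)} but goes to {host}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed e-mail body modelled on the post's description (not the real message).
SAMPLE_MAIL = """<html><body>
<p>You have added an additional email address to your account.</p>
<p><a href="http://192.0.2.10/verify">http://www.tesco.com/account</a></p>
<p><a href="http://www.tesco.com.example.net/login">Sign in to Tesco.com</a></p>
<p><a href="http://www.tesco.com/help">Help</a></p>
<p><a href="mailto:customer@tesco.com">Contact us</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL, "tesco.com"):
        print(f"{href}\n    {reason}")
```

On the constructed body the first two links are reported and the genuine `www.tesco.com` link and the `mailto:` are not. A mail gateway rule built on the same idea (bare-IP link targets, brand named in link text but absent from the link host) catches this class of phish regardless of which supermarket or bank is being impersonated.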

So, what is the site and what is it trying to achieve?

Well, this appears to be a Phishing scam, but instead of being targeted at a bank or other financial organisation, or Paypal, eBay, eGold, etc., it is targeting customers of a supermarket. This is the first time I've seen a supermarket being the target of a Phishing scam run; most unusual!

Not sure why the bad guys and girls are targeting Tesco customers, unless the stolen customer login details are just a way for them to gain access to any stored credit/debit card details on the Tesco.com account? Maybe they are just hungry ;-)

So, is this a new trend; can we expect similar Phishing scams for Sainsbury's, Waitrose, Marks and Spencer and Morrisons? Unfortunately, I expect so, so please be very careful and, if you have the option on any such service, do NOT store your credit/debit card details; it may make shopping faster, but it also makes identity theft easier too.....as Tesco states "Every Little Helps", just don't let it be true for the bad guys and girls, allowing them to gain access to your personal information and credit/debit card details.

* This is a new feature in the latest version of Opera.
