FREE Anti-Virus Software...

I thought it is about time for me to cover this again due to the current world-wide credit crunch and fuel, power and food costs soaring. This means many people are looking for ways to cut costs; including costs for protecting their computers. FREE isn't a bad word, but the bad guys and girls have started to make it feel like it ought to be. The phrase Caveat Emptor [Let The Buyer Beware] seems to be more pertinent than ever.

What do I mean by "the bad guys and girls have started to make it feel that it ought to be"? Let me explain:

Look at these for examples of the rather naughty ways that the bad guys and girls are trying to get you to download and use their anti-virus:

First they try scare tactics:



Then they try a little more direct approach:



If you are foolish enough to go to the sites, then this is what you'd currently see:



Looks very professional, doesn't it? Hard to believe that this is a bad site! Want proof? OK, here it is:



That is the very same site [URL] but visited using Firefox 3.x instead.

But that isn't all, this site is also being promoted by a botnet called Asprox. This botnet searches for sites using SQL, and it then tries to run exploit code, which if successful, overwrites all URLs in the database with a single link. If this now 'bogus' link is clicked on a website using the SQL injected database for content, it starts a chain reaction, which often ultimately ends up either on the site shown above, or it may infect vulnerable systems using exploit code that was run as part of the chain reaction. This may include infecting your system and making it part of the Asprox botnet.

But there's more.....

Here's a screenshot of another e-mail I received recently:



The link, if foolishly clicked on, takes you here:



Does it look familiar?

Here's a screenshot of the source of the above page:



Notice how it uses the REFRESH function to popup a download of the executable they offer; no it isn't anti-virus software, it is actually malware!

So, who can you trust if you want FREE anti-virus software?

These are the FREE ones I'd personally recommend include:

• AVG


• Avast


• AntiVir

Please be aware that there are a number of 'bogus' anti-spyware tools out there too and probably even 'bogus' personal firewalls.

You can find all the links mentioned above, and other useful tools, etc. here.

At the end of the day to help keep you system free of net nasties and their kin, you need to ensure that you have a personal firewall, up to date anti-virus installed, anti-spyware tool(s) installed, and last but not least practice 'Safe-Hex'.

Computer problems are bad enough most of the time which means the following anti-stress kit might be useful? However once you add malware to the more usual computer problems it becomes a must have piece of kit, well it stops the common hair-loss normally associated with stress! ;-)





Hopefully, this posting will help you retain your sanity, or at least reduce the cranial damage you may do to yourself using the above anti-stress kit.

Be careful out there, the web is a dangerous place without suitable protection...

If any of you out there in blog land have other security software that you recommend then please feel free to drop me a line or leave the details in a comment.Thanks!

Phishing for Feedback?

According to the e-mail I received this morning HSBC have a customer survey they would like me to take.

For starters here's a screenshot of the e-mail I received:



I'm always willing to give feedback to companies I use, but I am not an HSBC customer, so let us see where we go when the link is clicked?



Looks like a normal survey so far, apart from the dodgy website address [IP dotted]. So let me fake some data and click on the submit button, here goes:



Ah, now I smell something very phishy indeed [even if I didn't before ;-)]. They want some account details; Ker-ching!

Oh, yes and there is no prize money, so don't expect to win, just like the fake lottery notifications that you get, it is just a scam.

Each phishing e-mail I receive is checked; all links are tested against the Netcraft toolbar, and any new ones, that the Netcraft toolbar doesn't yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd, such as this one.

At the time I tested these links to the bogus [phishy] HSBC survey site it was not detected by the Netcraft toolbar, or even the Firefox anti-phishing functions which are now built into the browser. As I finish up writing this post Netcraft should now have it in their database as I sent them the details.

Just be careful when acting on requests for participating in surveys for companies you use, as they may be phishy and you may get more than you bargained for. In those phishy cases it is likely that your personal data will be stolen and used to make fraudulent transactions on your account.

A Stormy Independence Day...

It seems that the so-called 'Storm Worm Gang' are back and couldn't resist the opportunity to try and get you to infect your computer again using the guise of a 4th of July [American Independence Day] firework show. This latest wave started early this morning:

The subjects of the e-mails I've seen so far include:

America the Beautiful
Celebrating the spirit of our Country
Time for Fireworks
Well done 4th!
Light up the sky
The best firework you've ever seen
Long Live America
Celebrating the Glory of our Nation
American Independence Day

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1], here are just a small selection of the text I've seen used so far:

A Hearty Wish
Amazing Independence Day show
Stars and Strips forever
Well done 4th!
Celebrate the spirit of America
Happy Independence Day
Home of the Brave
Spectacular fireworks show
Long Live America
Amazing Independence Day salute

Here's a screenshot of one of the emails that I've received this morning:



Here's a screenshot of another one of the emails that I've received this morning [Can you spot the difference ;-)]:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



And here is the source of the web page currently in use:



The more eagle-eyed of you may have noticed that the code includes an IFRAME which loads a PHP file called 'ind.php; this is what part of the page source code looks like for that file:



You may notice that this uses an obfuscated JavaScript routine, the end result, if you have JavaScript enabled in your web browser and your anti-malware doesn't detect this malcode, is that a dropper will be written to your hard disk. This is effectively a 'drive-by-download' as you don't have to click on anything on the webpage to download the file hidden in the JavaScript in 'ind.php'. The lower part of the code has been digitally munged by myself, as you don't need to see all of it.

At the time of posting this blog entry the detection of the offered 'fireworks.exe' file was still not complete, with only 20 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different, not in size but the MD5 hash is not the same. I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.

If I get any further useful data or news then I'll try and update this entry later today.

For those of you celebrating this particular holiday, I would like to wish you a very happy day and enjoy the real fireworks rather than the fake ones being offered in the latest Storm Worm run.

Oh by the way, I forgot to mention that this isn't the first time that fireworks have been used to get people to infect their own computers, anyone remember 'Happy99.exe' (also-known-as 'Ska')?

The Tax Man Giveth....

If you are anything like me you probably can't remember the last time the 'Tax Man' [those from HM Revenue and Customs] told you that you had paid too much tax and that he [or she] would like to return some money to you....Yeah right, like that is going to happen! I think I can honestly say that I have NEVER had any form of refund from them, ever, and I've been working for almost 30 years.

So, when I received the following e-mail [screenshot below] I was already rather sceptical:



The email looks quite believable, doesn't it? Even the link looks real.

If you are foolish/brave enough to click on the link, this is what you will see in your web browser:



Again, very believable, especially if you have no anti-phishing solutions in place.

If you are foolish/brave enough to fill in the requested data and then click on the link, this is what you will see in your web browser next:



Finally, if you are foolish/brave enough to fill in the requested financial data and then click on the link, this is what you will see in your web browser:



Yes, if you clicked on the final page you will be taken from the 'phishy' HMR&C site to the 'real' HMR&C site, none the wiser that you have been 'phished'. The final image [above] is the real HMR&C site.

Usual fare for the Phishers, they want your personal details so that they can steal money from your account or use the details to open new accounts or credit arrangements in your name, so when they default on the loan, you'll be the one being hassled or taken to court for non-payment.

Meanwhile your credit rating will nose-dive, and it will take you weeks, months or even years to recover from the effects. All because you were 'phooled by a phish'.

So, if you get an e-mail stating that you have a tax refund.....be warned as you may end up even more out of pocket than you would if you were dealing with the real HMR&C, at least they are up-front about it! So, to finish the second half of the line used for the title of this posting "The Tax Man Giveth [NOT] and the Phishers Fake it to Take it all!"

I'll Have a 419 With a Side Order of Malware, Please....

No this isn't about an order being placed at my local Chinese restaurant or takeaway; their menu item number don't go up that far, believe me I have checked ;-).

So for starters, let me show you a screenshot of an e-mail I received this morning:



Looks like a pretty typical 419 scam e-mail doesn't it? A little more terse than usual, I'll grant you, but still a 419 scam, hang on it has an attachment, most unusual! Here's a screenshot showing the attached file:



An executable file, very suspicious and most unusual for it to be attached to a 419 scam. I wonder what the Bad Guys and Girls from Lagos are up to now? I think a bit of testing and investigation is in order, don't you?

Some details on the executable file first:

FileName: 108 3386 8257.exe
FileDateTime: 26/06/2008 11:38:39
Filesize: 303842
MD5: 3e5480b34a38d2dc5e1f45f561c7d5f2
CRC32: F7A3CF76
File Type: PE Executable

Which is a WinRAR SFX [executable archive] and this contains the following files:

108 3386 8257.txt
gbt.exe
gbthk.dll
inst.dat
kw.dat
pk.bin
rinst.exe

So, let me extract the files, no not by running the RAR SFX file, as that would infect my system with the malware contained inside it.

Of these only one is a true executable file, this is:

FileName: rinst.exe
FileDateTime: 24/06/2007 21:08:18
Filesize: 19456
MD5: f3d0beef15eb987dbcec8e803bf6c89d
CRC32: 94F8865E
File Type: PE Executable

This file "rinst.exe" is packed using Armadillo and the executable itself appears to be written using Microsoft Visual C++.

This is the main installation file, and if you are foolish enough to run the attachment, all the enclosed files are dropped to "C:\WINDOWS\TEMP\RarSFX0" and then it proceeds to run "rinst.exe" to perform the install of the malcode; in this case it also tries to identify and kill any recognised anti-malware tools. Once installed it attempts to load the "108 3386 8257.txt" file which contains the following text:

MTCN CONTROL NUMBER 108 3386 8257
AMOUNT : $3,450USD
RECIEVER : JONATHAN NWEKE,LAGOS NIGERIA

The rest of the files appear to be obfuscated files that are part of the installation of a keylogger, so not only is this malware attempting to kill any security defences you have in place, it is also trying to record what you type, etc. Nasty!

So next time you receive a 419, have a closer look and see if the Bad Guys and Girls from Lagos have included an attachment to get you to infect your computer and steal your personal data. It seems that they have finally learned that this is now a multi-billion dollar business, and if they fail to adapt then they will either get left behind or other professional cyber-criminals will take their traditional business away from them.

If you want to know more about 419 scams and their genesis, then you can find more here.

Right, back to my analysis of this to find out what else it does...

Would You Rather Be A Mule [REDUX]?

How many of you out there have seen job offers [both part-time and full-time positions] that look like the following screenshots:








Tempted to apply, or do they seem too-good-to-be-true?

Well, they are too-good-to-be -true, all the screenshots of the e-mails are nothing more than an attempt to recruit staff to act as money launderers, also known as mules.

I've written about mules before on this blog, but I though it was time to revisit the area as the bad guys and girls have been very active in trying to recruit new mules just recently.

So, a quick recap

"We are not talking about four legged creatures that are half horse and half donkey….think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates, they do the dirty work of moving material from A to B and usually have little or no idea hat what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc."

Next time you see a job advert on the web, in the local paper or receive a job offer via e-mail, stop and think is this really legit, or am I about to be turned into a mule, or as the song goes:

"Would you like to swing on a star
carry moonbeams home in a jar
and be better off than you are
or would you rather be a mule

A mule is an animal with long funny ears
he kicks up at anything he hears
His back is brawny but his brain is weak
he's just plain stupid with a stubborn streak
and by the way if you hate to go to school
You may grow up to be a mule..."

The full lyrics can be found here.

By all means swing on a star, but not if it means you grow up to be a mule...to fund the lifestyle, and end up broken, saddled with a criminal record, and end up corralled in jail with numerous other mules, while those that run the scams get away with turning the endless train of desperate people [including students] into yet more mules.

They're Back!!! Beijing Earthquake

Early this morning we started to see emails pushing a new variant of the so-called 'Storm Worm'. These are using a similar tactic to those that gave the malware authors their name, in this case it isn't real storms it is a fictional new earthquake in Beijing, China.

Here is a screenshot showing many of the subject lines seen so far for this new Storm Worm run:



Here is a screenshot of one of the e-mails I have received:



Most of them do not have the anti-virus scanning message at the bottom, I picked this one as I'm not sure whether this was added by one of the infected clients, or as part of the next wave, as some form of extra social-engineering ploy. It should also be noted that they have gone back to using real domain names for this run, instead of their more usual dotted IP addresses. According to F-Secure, these are all flast-fluxed.

Here's a screenshot of the website you would end up on if you clicked on the link:



The file offered is not a video, it is, not surprisingly an executable file, here are the details of a sample I downloaded earlier today.

FileName: beijing.exe
FileDateTime: 19/06/2008 12:56:05
Filesize: 83608
MD5: 3752f1a45c897471369f5f17dc42c8ee
CRC32: DA97A2FB
File Type: PE Executable

Here are the scan results of the currently offered file 'beijing.exe' as scanned by over 30 up-to-date malware scanners:

@Proventia-VPS NOT DETECTED
AntiVir Worm/Zhelatin.zc
Avast! Win32:TDrop [Drp]
AVG NOT DETECTED
BitDefender Trojan.Peed.JLV
CA-AV NOT DETECTED
CA-AV (BETA) NOT DETECTED
ClamAV NOT DETECTED
Command NOT DETECTED
Dr Web NOT DETECTED
eSafe File [100] (suspicious)
Ewido NOT DETECTED
F-Prot NOT DETECTED
F-Secure NOT DETECTED
F-Secure (BETA) NOT DETECTED
Fortinet NOT DETECTED
Fortinet (BETA) NOT DETECTED
Ikarus Email-Worm.Win32.Zhelatin.zy
Kaspersky NOT DETECTED
McAfee NOT DETECTED
McAfee (BETA) NOT DETECTED
Microsoft NOT DETECTED
Nod32 Win32/Nuwar worm
Norman NOT DETECTED
Panda NOT DETECTED
Panda (BETA) NOT DETECTED
QuickHeal NOT DETECTED
Rising NOT DETECTED
Sophos W32/Nuwar-E
Sunbelt NOT DETECTED
Symantec NOT DETECTED
Symantec (BETA) NOT DETECTED
Trend Micro NOT DETECTED
Trend Micro (BETA) NOT DETECTED
VBA32 NOT DETECTED
VirusBuster NOT DETECTED
WebWasher Worm.Zhelatin.zc
YY_A-Squared NOT DETECTED
YY_Spybot Worldsecurityonline.FakeAlert,,Executable

It should also be noted that the Storm-Worm gang are trying something new with this new variant, they are using Alternate Data Streams [ADS] , in this case there is an ADS called Zone.Identifier, which is a text file that contains:

[ZoneTransfer]
ZoneId=3

I'm not quite sure what they are using this for at the moment, maybe some form of tracking data?

UPDATE: This may actually be nothing to do with the Storm Worm gang after all [the ADS part, that is], as it seems that this may be a new 'feature' of Firefox 3.x instead, sneaky!

So what do you do if you receive such an e-mail? Simply delete it, do not click on the link and definitely do not download and launch the file that is offered, and finally update your anti-virus at least once a day, as otherwise you will become a victim. Hopefully most anti-virus products will be able to detect this within the next 24 hours.

Every Little Helps...

Is the catchphrase for Tesco [a very well known UK supermarket] who sent me an e-mail today informing me that I "have added an additional email address to my account", see below for the full e-mail:



The email address it was sent by was "customer@tesco.com" which is also the return address in the raw e-mail headers too. So, let's see where we end up when we click on one of the four links in the e-mail itself, shall we?

Here's a screenshot of the website that we end up on [using Opera 9.50].....Hmmmm...Tesco.com [according to the tab text]. Looks like the real thing, but is it?



How many of you spotted the red warning in the browsers address bar? It reads [!Fraud site]*. Bit of a giveaway, and also when I clicked on the link in the e-mail it actually goes to a dotted IP address, before being redirected [probably some form of click fraud] to the bogus Tesco.com site shown in the screenshot above. Yes, it is a Phishing site, not the real Tesco.com at all!

So, what is the site and what is it trying to achieve?

Well, this appears to be a Phishing scam, but instead of being targeted at a bank or other financial organisation, or Paypal, eBay, eGold, etc. it is targeting customers of a supermarket instead. This is the first time I've seen a supermarket being the target of a Phishing scam run, most unusual!

Not sure why the bad guys and girls are targeting Tesco customers, unless the stolen customer login details are just a way for them to gain access to any stored credit/debit card details on the Tesco.com account? Maybe they are just hungry ;-)

So, is this a new trend, can we expect similar Phishing scams for Sainsbury's, Waiterose, Marks and Spencer's and Morrisons? Unfortunately, I expect so, so please be very careful and if you have the option on any such service do NOT store your credit/debit card details, it may make shopping faster, but it also makes identity theft easier too.....as Tesco states "Every Little Helps", just don't let it be true for the bad guys and girls allowing them to gain access to your personal information and credit/debit card details.

* This is a new feature in the latest version of Opera.

The FBI Have Contacted Me!

I received the following e-mail [screenshot below] this morning which says it has come from the FBI, not only that, it states that it was sent by FBI Director Robert S.Mueller the Third of the Anti-terrorist and Monetary Crimes Division and if I don't respond and/or supply the requested information that I'll be charged!





It goes on to say that I have $10,500,000.00 being wired to me via a Secured Diplomatic Transit Account [S.D.T.A] and I need to prove that I have the required paperwork, including a Diplomatic Immunity Seal of Transfer [DIST] and an FBI Identification Record (aka a Rap Sheet or Criminal History Record) to prove I am who I claim to be and that I'm not a terrorist or drugs dealer. If I can supply these proofs, then the money is all mine!

OK, how many of you out there reading this would go along with this? Hands up, so I can count ;-)

Now, how many of the rest of you smell something fishy? Well, it isn't a Phish at all, it is just another new version of the so-called 419 scam.

The twist here, is that the Boys and Girls from Lagos [or almost anywhere else in the World now] are using fear as a new social engineering tactic to get you to part with personal data which they will then either mis-use or sell to others.

If you somehow, miraculously come up with the requested proofs, then guess what, you won't get any money at all, because there is no money in the first place, and the e-mail isn't from the FBI [or anyone in law-enforcement], surprise! ;-)

Whatever you do don't fall for this scam [or any of it's relations], it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe; Mgbada*.

To the Boys and Girls from Lagos [the 419ers that run these scams], it is a business, some say it should be considered an African cottage industry, however they want to try and justify it, it is still a crime, no more, no less.

Other unusual examples of 419s I've covered include

• Scam Victims Compensation Payments


• Barclays FIVE MILLION US Dollar Transfer


• A Google Product Too Far?


• Secret Intelligence Service SCAM ALERT!! E-mail

Lots of other examples have also been covered oer the years on this blog, and I have written several articles for Virus Bulletin on 419s, which can be found here.

* If anyone can tell me what this means in English, then please e-mail me, thanks.

EICAR 2008 Conference Paper Now Available

This is a quick update on my posting from yesterday, and to announce that the full paper for the EICAR 2008 conference which was held earlier this week is now available for download as a PDF [Adobe Acrobat] file.

To refresh you memories,here is the abstract from the paper, entitled "Where To Now: Detecting The Unknown":

The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

The paper can be downloaded via the following links:

• http://momusings.com/papers/EICAR2008-Where-To-Now-1.01.pdf


• http://momusings.co.uk/Documents/EICAR2008-Where-To-Now-1.01.pdf

As usual all feedback is most welcome.

No, I [Still] Haven't Fallen Off The Edge Of The World....

Or been kidnapped by aliens, gone over to the dark side or gone down with a virus [or should that now be malcode?].

It seems that about this time, every year, I end up writing a post like this, so here is this years version. ;-)

Sorry for the lack of blog entries over the last month or so, but I've been writing a conference paper for the EICAR international conference which is, as I write this, being held in Laval, France.

So, am I writing this blog entry from there? No, unfortunately not, let me explain...

Why am I not presenting my paper at EICAR 2008 in Laval, France? Why am I not there today?

Well, the decision was made that because we [the new team/service I'm part of] was in the middle of a major analysis of new malcode, and this was a very high priority. It was decided at a commercial level that it would be better if I were available at a moments notice if new samples were found that required immediate analysis. If I were in Laval, France I would be unable to work on live malcode and keep in contact.

So, I'd like to apologise once more to EICAR that I was unable to attend and present my paper at the conference. Hopefully, if the team I'm now part of is expanded this won't have to happen again. Anyone that attended EICAR will have still seen my paper presented, but by Eric Filiol [who does not work for IBM or ISS] instead. This was the best solution we could come up with at the last moment.

The paper will be made available later this week at the following locations*:

• http://momusings.com/papers


• http://momusings.co.uk/publications.aspx

Writing the paper for EICAR is only one of the reasons for my lack of posting, other changes have been afoot!

Firstly, I have moved to a new company, well sort of, I now work for Internet Security Systems, who as some of you may know were acquired by IBM a while ago. So, I now work for ISS, which is owned by IBM. However, my role has changed as I now work in the X-Force Professional Security Services section as a Malware Analyst and Consultant.

So, what does this new role involve?

The main part of it is malware analysis and reverse-engineering. So, in some ways I have stepped back in time to the sort of work I used to do when I wrote my own anti-virus detection and remediation tools [whilst I was working for another company]. However, the game has changed quite a bit since then; luckily my skills are not that rusty, so I have managed to get back up to speed very quickly. Other skills I have picked up and honed over the years will probably also be required for other parts of my new role; more on that another time.

However, that is not all that has kept me from posting recently, other things include:

• Lecturing at the University of Warwick on malware and internet security later this month, so my slides need to be updated and tweaked before then.


• Writing and submitting abstracts for this years Virus Bulletin conference to be held in Ottawa, Canada this year.


• Building systems and finding/creating tools to help in the analysis of new samples, they just keep coming!


• Working very long hours on malcode analysis.

Normal, [once or twice a week postings] service will be resumed as soon as I can find that elusive 25th hour in the day, or I decide to give up trying to get any sleep at all!



* All my published papers and articles can be found at those web addresses.

Don't 'Fool' For It...

Normally I do my own April Fools blog posting, using some bogus malware, anti-malware or other computer related bit of nonsense for a bit of fun, and hopefully you find them funny, or at least interesting?

However, this year I didn't need to bother, as the Bad Guys and Girls have their own; trouble is, it isn't a joke, and it certainly isn't funny!

It seems that the so-called 'Storm Worm Gang' are back playing the fool again and couldn't resist the opportunity to try and get you to infect your computer using the guise of a April Fools e-card. This new wave started late last night/early this morning [depending where you are in the world]:

The subjects of the e-mails I've seen so far include:

Surprise!
Happy April Fools!
Happy All Fool's Day
Gotcha! April Fool!
Gotcha! All Fool!
I am a Fool for your Love
Today You Can Officially Act Foolish
Join the Laugh-A-Lot
Surprise! The joke's on you

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1]

Here's a screenshot of one of the emails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



After 5 seconds you'll see a download dialogue box, like this:



And here is the source of the web page currently in use:



However you spend the day, whatever jokes you play, or end up the victim of, don't 'Fool' for this one, as otherwise you computer will get infected and the Bad Guys and Girls will have the last laugh again, at you expense!.

At the time of posting this blog entry the detection of the offered 'funny.exe' file was rather poor, with less than half of 32 tested scanners identifying that this is a malicious file. This is the default file and is automatically offered for download [within 5 seconds of the page rendering].

You may have noticed that two other filenames appear in the HTML source; these are:

kickme.exe
foolsday.exe

If you click on the image, you get kickme.exe, and if you click on "click here" you get foolsday.exe. instead.

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

Whilst I was browsing the web looking for a good basis for an April Fools blog posting, I found these:

• Unusual banking trojan found today


• RAPIL - a slap in the face for hackers and virus writers

Please let me know if you spot any more, thanks!

3D Screensaver E-mails?

This morning I started to receive e-mails offering me screensavers. I immediately smelt a rat, well at least a malware author, anyway! ;-)

So, I took a look at it in more details, here's a screenshot of one of the e-mails:



I clicked on the link to see where I'd end up, and you can see what I found, below:



Looks like a very professional and polished website offering 3D Screensavers; very believable, isn't it?

So, I clicked on one of the links offered and I ended up here:



Still very believable, so I proceeded to download a copy of the screensaver offered, so that I could analyse it [you didn't think I was actually going to install it, did you? ;-)].

Will you be surprised to learn that the results of my analysis showed that this wasn't a screensaver at all, it was a piece of malware. I then proceeded to download several other samples, from the other selections offered, and the resulting files, although having different names, were all the same size [18,944 bytes], had the same MD5 hash value [which means they are all effectively identical internally], and were not being detected by a number of anti-malware tools.

At the time of posting this the files I downloaded from the site were named "Screensaver-66713.scr", "Screensaver-8719.scr" and "Screensaver-83580.scr", this of course may change, and there are certainly others with different filenames being offered.

If you see an e-mail like the one shown above, then simply delete it, as otherwise you will infect your computer, rather than save it's screen.

Hopefully by the end of today most anti-malware vendors should have updated their products to detect it.

So, in those immortal words, "Be careful out there...."

Stealthed Spam, Redux II!

The spammers are upping the stakes in the stealthed spam arena again. This entry will cover a stealthed spam I received this morning, but before that let me suggest that if you don't know what I am talking about, then you should take a look at my previous blog entries covering this area. These are [30th January 2008] and [17th October 2007]. This will also allow you to follow the development of this as a spamming technique.

So, now if you know what I mean by stealth and stealth spam, let me show you the latest example I have seen, just today, in fact:

The body of the e-mail would have you believe that it is from 'Irwin Bank and Trust':



With the above example, all the URLS [web-links] except one, used in the e-mail point to the real Banks site! All the text is probably taken from the real Banks website. This e-mail passes the tests that most of us use to decide if something is spam or not, in other words it pretty easily passes the 'Eyeball' test fairly easily as it looks pretty genuine. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what does it look like when I enable 'allow remote images' in the e-mail program?

It looks like this [yes, it is the same e-mail]:



Now it fails the 'Eyeball' test with ease.

Although, the stealthed e-mail shown above is pretty convincing, it isn't perfect as the e-mail address it shows as the from address [admin@viagra.com] and the subject used [RE:February 83% OFF] are not consistent with the rest of the e-mail, and are obviously spammy. So, the spammers need to sort these problems out to create the perfect stealthed spam.

Why do I call this 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view, at first.

As they say "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as other might say, "don't believe everything you see or read", it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!

Out of Office Notifications Are...

An accident waiting to happen!

In fact a number of these accidents have already happened. But I'm getting ahead of myself. So, why do I think that they are inherently bad?

Personally, I hate out of office notifications, not because it means that I can't get a reply from the person I sent an e-mail too in the first place, but because they can be misused by not just the person who is 'Out of the Office' but also by the 'Bad Guys and Girls'. Let me explain in more detail, what I mean...

1. Too Much Information
Often when people enable 'Out of Office' they offer too much information; such as when they are going and coming back, and where they are going to. They also often include a second person's details to contact in their absence; including their full e-mail address. This is then often enabled for all incoming e-mail to their e-mail address, which means that not only internal [company/organisation] colleagues are informed, but also, in many cases anyone on the internet that sends them e-mail. The next two points explain in more details why this is a 'bad' thing.

2. Confirmation that your e-mail address exists
As mentioned above, if you enable your 'Out of Office' notification to send an automatic response to all e-mail that is received, you are assisting spammers, scammers and malware authors by confirming that the e-mail address is in use [that makes it worth more]. If you also include another persons details to contact while you are away, then the 'Bad Guys and Girls' can also harvest that to either sell on for profit to others, misuse it themselves, or often both. The end result is more spam, scams and malware arriving in yours and anyone else's inbox that you kindly supplied in your 'Out of Office' notification, I'm sure that they will be quick to thank you for all the extra 'crud' they are now receiving ;-)

3. Physical and Cyber attacks while you are 'away'.
If you are unwise enough to indicate you are on holiday or just out of the country where you normally reside, then the 'Bad Guys and Girls' can do a number of things whilst you are not at home. If they have enough data on you, then you could come back to find your house burgled, full of squatters, vandalised or even worse.

If they don't have access to that level of information then can hack into your personal webspace, social networking and other web sites you may use. They could also perform a 'Joe Job' or a 'DDoS' to discredit you or damage your business or reputation. While you are away they may use your stolen identity to take out loans, credit cards and even mortgages in your name. If they already have some of your financial data, such as bank account or credit card data, you could suddenly find your bank account empty or unathorised charges [and ATM withdrawals] on your debit or credit cards.

In all these cases listed above, this is only likely to happen if you have come to their attention; such as being a thorn in their side, or making life difficult for them, or someone else is willing to pay for the information and/or attacks to take place.

If you don't believe that these things happen, then I can assure you that many of the cyber attacks happen to many of us who work in computer security, especially those that are widely published or who work for anti-malware companies or in law-enforcement.

Figure 1: Too Much Information is an Invitation for Trouble!

4. Bounced Spam
This is the latest way that 'Out of Office' notifications can be mis-used and it affects all of us who are already on spammers/scammers and malware authors lists (or soon will be).

Here is the scenario:
The Bad Guys or Girls sign up for a free webmail account, at say, Google, Yahoo, Live, etc. and then enable the 'Out of Office' feature. They then place the spam message they want to distribute in the 'Out of Office' e-mail body.

Next, the spammer sends this new webmail account with the enabled 'Out of Office' feature, lots of e-mails using spoofed 'From:' addresses so that the 'Out of Office' reply will be sent to the intended victim [the spoofed From: address].

Why do this? Well, e-mail sent from this booby-trapped spamming webmail account will contain anti-spam header information, such as DKIM, DomainKey, Sender ID or any of the other similar systems, which means that the mail server that deals with the intended victims email will be more likely to let the spam through as it has come from a trusted source.

This is now easier for the spammers to do, as the CAPTCHA systems used by Yahoo and Googlemail have been cracked; so that they can now automate the creation of these 'trusted' 'Out of Office' spam relays.

Figure 2: Out of Office Spam Setup

So, next time you go to enable your 'Out of Office' feature, think carefully about what information you provide, and if you can do not enable the respond to internet address option, as you may live to regret it!

A Right Royal Grant?

Wow, according to the e-mail I received today I have been awarded a grant of half-a-million pounds [£500,000.00], not just from any old society or company, but from one calling itself 'Queen Elizabeth's Foundation'!

I'm honoured, that I have personally come to the attention of our countries ruling monarch, and what's more she feels that I deserve half-a-million in cash with her head on it all...

Here's a screenshot of the e-mail, so that you can see it for yourself, and bask in my glory:



OK, yes I'm not really being serious, or getting too big for my boots, or thinking that I'm now above you all ;-) I know it is a scam and I'm just playing along.

So, let me start by checking out if the domain that the email claims to be sent from actually has a website:



Nope, no website, most odd! OK, so let me know check to see who the domain is registered with and to whom:



If I didn't already know that this was a 419 scam, then I would by now, so let me dig deeper. Next, let me check out the phone numbers, they look real and they are, but they are not registered to any charity or person, they are so-called 'personal' numbers being offered for FREE by the following company:



So, what do we know so far? There is no such society or organisation, the telephone numbers given are real but suspect, they have no website and the domain isn't even registered [so how could they send e-mail from it?], and finally they want me to reply to a different e-mail address, and they can't make their mind up as to who I should be replying to, is it:

Rooney James or Williams Anderson?

To get to the bottom of the mystery of where the e-mail was sent from, I took a quick peek at the raw headers, and what did I find? I found that the e-mail was actually sent via the webmail service of the company shown in the final screenshot, below:



Yes, they sent the e-mail using a webmail service based in Hawaii, for the United Kingdom monarch who's name is used for an organisation that doesn't exist, doesn't have a website or own a domain at all, and they want me to reply to an email account hosted on Microsoft Live, just so that they can send me half-a-million quid!

So, do you smell a rat now, or would you send them the data they ask for?

Just to be crystal clear about this: There is no money, as usual, this is a scam which has been around in one format or another for many years, all that happens if you get caught up with these scammers is that you will lose money, not gain any.

Just because they use the name of the Queen of the United Kingdom, and names of well known real organisations such as UNICEF, doesn't mean that this is real [even if the money actually existed, which it doesn't]. This is just another twist in 'The Game' that is collectively known as 419 or Advance-Fee-Fraud.

Sorry, Your Majesty, but I'm going to have to turn down your kind offer...

FREE Greetings FOR YOU !!!

Looks like a busy day for me today, just what I need, not!

Here's a screenshot of another tempting* email that I've received this afternoon:



If you are foolish enough to click on the link in the email, you'll end up being offered a file called 'greeting.exe', this file appears to be hosted on the free web-hosting service called ZeroCatch. Here's a screenshot of the default page for the sub-domain hosting the file. As you can see the malware author couldn't even be bothered to put a basic page together:



So, I hear you all ask, do you get FREE Greetings, as promised? Nope, all you'll get is an infected PC for your trouble, although it will be FREE! ;-)

At the time of posting this blog entry the detection of the offered 'greeting.exe' file was very poor, with only 6 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered appears to be a static binary, as in my testing so far all samples downloaded are the same size and produce the same MD5.

[*] Only really tempting if I had a lobotomy or suffered other severe head or brain trauma which seriously affected my common-sense.

Another Stormy Valentine's Day...

...Coming To A PC Near You, Soon!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentines Day on Thursday?

It seems that the so-called 'Storm Worm Gang' are back playing cupid again and couldn't resist the opportunity to try and get you to infect your computer again using the guise of a valentine e-card, again. The latest wave of these started early this morning:

The subjects of the e-mails I've seen so far include:

Blind Love
Heart pump
Love Rose
Phone Love
With All My Love
Valentine Friends
Happy Valentine's day!
The love Train
You're Super Sweet
Me & You

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1], here are just a small selection of the text I've seen used so far:

A Hearty Wish
Love You
My Heart
Rockin' Valentine
Smiley Kiss
You Stay In My Heart
Valentine Friends

Here's a screenshot of one of the email that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like one of these [these are not all the known permutations], the graphic shown on the website is randomly chosen from a pool of at least 6:







And here is the source of the web page currently in use:



However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see anymore 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered 'valentine.exe' file was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different in size, I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

UPDATE: The URLs [Web links] included in the e-mail may also now be domain names containing the word 'moon' which I will omit from the web links I have seen so far, see below:

• [the-m-word]starfood.com
• destroythe[the-m-word].com

I suspect that others will appear shortly, please do not go to those domains as they contain live malware, you have been warned!

Presenting at The University of Loughborough...

Once more I have been asked to present at a conference, this time it is one being held at the University of Loughborough in Leicestershire.

So, this is another one for me to add to my collection of Universities I've presented/lectured at. These include: The Open University and Warwick University.

This presentation is on Rootkits, and is an updated version of the one I gave at the Virus Bulletin 2006 conference in Montreal, Canada. If you are interested in finding out more about rootkits, then the paper can be found here: http://momusings.com/papers

As usual you will not only find the Rootkit paper there, but also all my published papers and magazine articles too.

I'm hoping that the weather doesn't cause any issues with the trains, and that the rails have been repaired after this mornings crash on the same line!

For those of you that are interested, here is a link to the UCISA website covering the details and agenda for the event.

The travel time from where I live is about 3.5 hours each way, so I will probably leave home about 6AM and won't get back until around 9PM, still I might get a chance to write some of my EICAR 2008 paper, or at least some abstracts for the Virus Bulletin 2008 conference.

Stealthed Spam, Redux!

I originally covered this back in October of 2007, but things have, as usual, recently repeated themselves, the spammers that is. This time the stealthed spam is different as new approaches and techniques have been used. However, a quick recap of what I mean by stealth.

"Here's an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also "wetware" anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard. ;-)

Stealth is not a new idea, computer viruses and other malware have been using technique to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform 'Brain' used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships."

So, now you know what I mean by stealth, so what does stealth spam look like, well guess what, you can't see it at first as it is stealthed [hidden], here's some recent examples so you can see what I mean:

The first one claims to be from 'Media Inc.':



The second one claims to be from 'Windows Live Hotmail':



The third and final one claims to be from 'A Credit-Card Company':



With all of the above examples, all the URLS [web-links] used in the e-mail point to the spammy site and the To and From e-mail address used tends to be the same, that being yours! All the text is probably taken from real newletters/e-mails/websites. These e-mails pass the tests that most of us use to decide if something is spam or not, in other words they pass the 'Eyeball' test fairly easily as they look like genuine e-mails from real companies. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what do they look like when I enable 'allow remote images' in the e-mail program?

They look like this:







Yes, you aren't seeing double, the second and third example produce the same result when viewed in an HTML capable e-mail reader or web browser.

Now they all fail the 'Eyeball' test with ease.

Why do I call these 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view.

The final screenshot shows part of the HTML source of the final example shown above when it is only showing the image:



You can clearly see the other HTML, which doesn't get shown when rendered in a browser or a HTML e-mail reader.

As they say "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as other might say, "don't believe everything you see or read", it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!