I recently received a spam email from a friend, after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time I decided to look further.

Message 1, about two weeks old, contained a simple URL displayed as ‘facebook.com/abunk.maralyn’. The hyperlink actually pointed to a different site, “medshealthtablets.net”, which had already been taken down by the time I tested it in our lab.

Message 2 contained another URL, this one displayed as ‘facebook.com/abartha.leigha’, and the hyperlink this time pointed to another site, “meds-atcheap.com”. As of April 27, the site was still alive and appeared to be a fake site selling drugs online:



Image 1 – fake pharma site
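The messages share one tell: the visible link text names a facebook.com address while the href leads somewhere else. The script below is an added example, not code from the original post, that parses an HTML message body and flags every anchor whose visible text looks like a URL but resolves to a different registrable domain than its href. The sample bodies are constructed to mimic the messages described here (they are not the real spam), and the registrable-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
# Added example: flag e-mail links whose visible text names one domain
# while the href points at another. Not code from the original post.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML bodies mimicking the spam described in the post (not the
# real messages). The "benign" body has a matching link and a non-URL label.
SAMPLE_MESSAGES = {
    "message1": '<p>Hey, look: <a href="http://medshealthtablets.net/">'
                'facebook.com/abunk.maralyn</a></p>',
    "message2": '<p><a href="http://meds-atcheap.com/index.php">'
                'facebook.com/abartha.leigha</a></p>',
    "message3": '<a href="http://borjborj.hpage.com/">'
                'facebook.com/abeightol.jeremaine</a>',
    "benign":   '<a href="https://www.facebook.com/someone">facebook.com/someone</a> '
                'and <a href="https://example.org/">click here</a>',
}

# Visible text that reads like a bare or schemed URL; group 1 is its host part.
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]|$)", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification: the last two labels. Real tooling should consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def visible_host(text):
    """Return the host named by the link's visible text, or None if the text
    does not look like a URL (e.g. 'click here')."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else None


def find_mismatched_links(html):
    """Return the anchors whose visible text names a different registrable
    domain than the one the href actually leads to."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = visible_host(text)
        if shown is None:
            continue  # label is not URL-like, nothing to compare against
        actual = (urlparse(href).hostname or "").lower()
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def scan_messages(messages=SAMPLE_MESSAGES):
    """Map each message name to its list of mismatched links."""
    return {name: find_mismatched_links(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, hits in scan_messages().items():
        for hit in hits:
            print(f"{name}: shows {hit['shown']!r} but goes to {hit['actual']!r}")
```

Run against the constructed bodies, the three spam messages are flagged and the benign body is not. A label such as "click here" is skipped on purpose: the check only fires when the sender is actively misrepresenting the destination, which is the pattern in all three messages.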

 

Message 3 arrived only a few days ago, and it too used the ‘facebook.com’ ruse. The message contained a single line of content, with a displayed link of ‘facebook.com/abeightol.jeremaine’ and an actual hyperlink of “borjborj.hpage.com”. I turned to a fellow researcher, Tim, to investigate. Below is a short summary of what he discovered.

Visiting the URL installs a program with the file name “pack.exe” (SHA1: 6286972A5DA540E058DD2AEDFC38B6061FF67F14). A quick search on VirusTotal, an online service that scans submitted samples with multiple antivirus engines, showed no detection by any security vendor at the time.

When I ran the program, a familiar interface popped up. It was the rogue Win32/Winwebsec:

Image 2 – Win32/Winwebsec rogue


And now, they want $99.95 for it:

Image 3 – purchase lure

 

After a peek at the HTML code of the malicious website, we found that an exploit kit was being used to install the rogue by “drive-by install”, that is, with no action by the visitor beyond loading the page. The kit is similar to the known “Zombie Infection Kit” and the “Siberia exploit kit”, and it includes the following exploitation methods:

Image 4 – CVE-2006-0003 – Microsoft Data Access Components (MDAC) Vulnerability

Image 5 – CVE-2010-0886 – Java Deployment Toolkit Vulnerability

Image 6 – CVE-2010-1885 – Microsoft Windows Help and Support Center Vulnerability


If these exploit methods look familiar, that’s because they are the same exploits heavily used to distribute Zbot (aka Zeus). The rogue installed by this web page is detected as Rogue:Win32/Winwebsec.
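A quick way to triage a suspected landing page for the three exploits listed above, as an added example that is not from the original post and is not the kit’s code: decode the cheap percent- and \x-escapes kits use to hide strings, then search for the publicly known hooks each exploit has to touch (the RDS.DataSpace and Java Deployment Toolkit ActiveX CLSIDs, and the hcp:// protocol handler). The landing page embedded below is constructed for this example, not the page Tim analysed, and the secondary strings in the indicator list are an analyst’s assumption about what such pages typically leave visible, not a complete signature set.

```python
# Added example: indicator-based triage of a suspected exploit-kit landing
# page for the three vulnerabilities named in the post. Not the kit's code
# and not code from the original post.
import re

# Public hooks each exploit has to touch, keyed by CVE. The CLSIDs are the
# well-known ActiveX identifiers of the components; the remaining strings are
# an assumption about what typical kit pages leave visible, not a full signature set.
INDICATORS = {
    "CVE-2006-0003": {
        "name": "MDAC RDS.DataSpace ActiveX",
        "patterns": [r"BD96C556-65A3-11D0-983A-00C04FC29E36", r"RDS\.DataSpace"],
    },
    "CVE-2010-0886": {
        "name": "Java Deployment Toolkit",
        "patterns": [r"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA", r"-J-jar"],
    },
    "CVE-2010-1885": {
        "name": "Windows Help and Support Center (hcp:// handler)",
        "patterns": [r"hcp://", r"sysinfomain\.htm"],
    },
}

# Constructed landing page for this example (not the page analysed in the post).
# It hides the JDT CLSID behind unescape() and splits one hcp:// string, the
# kind of cheap obfuscation kits use to dodge naive string matching.
SAMPLE_LANDING_PAGE = r"""
<html><body>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="t"></object>
<script>
var jdt = document.createElement("object");
jdt.setAttribute("classid",
  unescape("clsid:%43%41%46%45%45%46%41%43-DEC7-0000-0000-ABCDEFFEDCBA"));
var help = "hc" + "p://services/search?query=x&topic=hcp://system/sysinfo/sysinfomain.htm";
</script>
</body></html>
"""

BENIGN_PAGE = "<html><body><p>Nothing to see here.</p></body></html>"


def normalize(html):
    """Undo %XX, \\xXX and \\u00XX escapes so string indicators can be matched.
    Deliberately not a JavaScript interpreter: string concatenation and real
    packers are out of scope, so a miss here is not a clean bill of health."""
    def _byte(m):
        return chr(int(m.group(1), 16))
    s = re.sub(r"%([0-9A-Fa-f]{2})", _byte, html)
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", _byte, s)
    s = re.sub(r"\\u00([0-9A-Fa-f]{2})", _byte, s)
    return s


def triage(html):
    """Return {cve: {"name": ..., "matched": [patterns that hit]}} for every
    indicator set with at least one hit in the normalized page."""
    text = normalize(html)
    hits = {}
    for cve, info in INDICATORS.items():
        matched = [p for p in info["patterns"] if re.search(p, text, re.I)]
        if matched:
            hits[cve] = {"name": info["name"], "matched": matched}
    return hits


if __name__ == "__main__":
    for cve, hit in triage(SAMPLE_LANDING_PAGE).items():
        print(f"{cve} ({hit['name']}): {', '.join(hit['matched'])}")
```

On the constructed page all three CVEs are reported: the MDAC CLSID is in plain sight, the JDT CLSID only appears after percent-decoding, and the hcp:// handler is caught through the un-split second occurrence even though the first one was concatenated at runtime. Treat a hit as a reason to detonate the page in an instrumented VM, and treat a miss as inconclusive.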

If you only draw one conclusion from our research, let it be “don’t click on suspicious links”.

 

--Tim Liu & Scott Wu, MMPC