Microsoft Malware Protection Center

Dishigy dishes out the DDoS and we dig deeper...

2012-05-25T16:30:00Z

The May edition of the Microsoft Malicious Software Removal Tool saw the inclusion of two new malware families: Win32/Unruy and Win32/Dishigy. Let's dig a bit deeper into Dishigy and the nature of Denial of Service.

So, bear with me while I take you back to security 101…

A Denial of Service (DoS) attack is a pretty straightforward concept – an attacker floods or otherwise sends malicious traffic to a targeted system in such a way that the targeted system is not able to respond to legitimate requests. Sometimes, particularly for flood attacks, a single system may not be able to generate enough traffic to flood a target by itself, and so multiple machines are used in order to more effectively ‘flood’ the target and make the attack more difficult to block. This is where we get the term Distributed Denial of Service (DDoS) attack – where the attack is distributed across multiple machines, and those machines are ordered to attack a single target and overwhelm it with their concerted requests.

So, why would an attacker want to stop a system from being able to respond to requests from legitimate users? It’s a fairly common behavior amongst malware, and, like the vast majority of malware created and distributed these days, you just have to ask yourself how criminals could use such nefarious practices to make a buck. In the case of Denial of Service conditions, they could be used, for example, for extortion (i.e. "Do what we want or the website gets it, see?") or possibly for taking out the competition.

Where does Dishigy fit in? Dishigy traditionally targeted web servers. It uses HTTP requests to perform its denial of service payload against websites. While other types of network traffic might be subject to additional restrictions due to the threat it might pose, port 80 is often left mostly unchecked, enabling easy egress of web traffic. Dishigy is a distributed denial of service attack for hire and can be purchased from the seedier side of the internets to target websites of the purchaser’s choice. Now for the grim, technical details…

Win32/Dishigy is written in Delphi, and can be remotely instructed by an attacker to perform denial of service attacks on targets. The malware connects to a hard-coded remote host and sends an HTTP POST to obtain configuration data. The configuration data contains a set of three parameters separated by a token (delimiter) and is followed by a target URL, as shown in the image below:

Image 1 - Dishigy configuration data with target URL obscured

The first parameter defines the type of attack it uses; these can vary depending on what types are supported by each variant (for example, HTTP GET requests or HTTP POST requests).

The second parameter denotes the maximum number of threads (channels of execution) the malware should use in an attack; each thread sends several requests in a loop.

The third parameter is the frequency with which the malware should connect to the remote host to obtain updated configuration information. If, however, there is no target host available in the configuration data, the malware will connect back at the specified frequency but not perform any attacks.

The malware can be instructed to perform one of several types of attacks. The malware uses an open source TCP/IP Winsock library for Delphi called Synapse to construct the packets.

Early variants of Dishigy generated only HTTP GET requests against a target:

Image 2 - Use of HTTP GET request by Dishigy

The User-Agent field is randomly chosen from a large list contained in the malware, this makes it appear that the HTTP requests originate from a variety of sources. Later variants added more functionality, including the ability to generate HTTP POST requests against a target:

The POST request includes a Referer field which is also randomly chosen from a list contained in the malware. Worth noting is that the POST data contains the URL for the targeted host only as opposed to a typical POST which could include form data and other bits.

Dishigy’s addition to the Microsoft Windows Malicious Software Removal Tool this month makes the web a slightly better place. Dishigy’s success against a target relies on numbers, so taking out as many infections as possible that could contribute to a flood is key to making it ineffective. It is also highly resource intensive for the unfortunate victims who find their computers compromised by this menace, so removing it from victim computers should ease some pain for individuals whose computing experience has been affected by this threat. And maybe, most importantly, targeting Dishigy may help to stop criminals from deciding which websites you can and can’t visit.

- Ray Roberts
MMPC Melbourne

A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

2012-05-24T22:46:00Z

Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you're using vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works and here are the interesting details we found during the investigation.

The following diagram shows the overview of the attack flow. The attack is initiated by sending a malicious document that contains a SWF download trigger and a malicious binary. The document doesn't contain any malicious SWF payload at all.

Figure 1 Overview of the attack

Here is the detailed process that describes how the infection occurs when the victim opens the malicious document:

1) When the user opens the malicious document, the SWF download trigger part of the document downloads external content for rendering. This is specifically crafted to download malicious SWF content from malicious server 1. The embedding feature is not malicious itself, but the downloaded SWF is malicious and abuses the vulnerability in the Adobe Flash Player plugin.

2) The malicious SWF content is downloaded to the user's application and is rendered. The malicious SWF is a wrapper with the actual payload encoded inside it and is loaded dynamically. We call this dynamically loaded content layer 2 SWF. The layer 2 SWF is loaded and spreads heap spraying code on the target application's memory space.

3) The vulnerability trigger part of the layer 2 SWF contacts the designated malicious server to retrieve malicious data. This data causes the vulnerability to manifest.

4) The heap spray code loaded by layer 2 SWF is executed when the vulnerability is triggered.

5) The shellcode inside this layer 2 SWF decrypts a PE file from the malicious document. First of all, it enumerates all the opened handles to find the original malicious document - if the enumerated file contains an 8 byte marker at a certain offset then it is found. Then it decrypts the PE file from 0x10 bytes after the found marker. Each byte is XORed with a hard coded key while skipping byte zero and the byte with the same value as" key". After decryption, the PE file (SHA1: 27c8bdacd4023858a810bec917381c6a7512715e) is detected as TrojanDropper:Win32/Glacid.A.

Compared to other attacks in the past, this attack is a little bit more complicated as different elements work together to achieve the whole attack. Each modularized component is designed to be configurable.

For example, when the original malicious SWF is downloaded from malicious server 1, the original malicious document is crafted to pass HTTP request parameters which will be used inside the malicious SWF file. The following packet capture shows one of the example requests we obtained. We can see that the request is using the "info" and "infosize" HTTP parameters. These parameters are later used in layer 2 SWF.

Figure 2 Malicious SWF Download Request

Here is the layer 2 SWF code which uses one of the dynamically passed parameters. The data dynamically passed is converted to binary form and is decompressed. The decompressed data is connection information about malicious server 2 which serves malicious data.

Figure 3 Parameter Usage Inside Layer2 SWF

As we saw from the overview diagram, layer 2 is loaded dynamically from the malicious SWF. The following code from the malicious SWF file shows how the layer 2 SWF file is loaded. The "loadBytes" method from "flash.display.Loader" class is called to load layer 2 SWF dynamically. This is a very typical way of loading malicious layer 2 SWF as seen in recent SWF malware.

Figure 4 Dynamic Loading Of Layer2 SWF Using loadBytes

One notable thing with the layer 2 SWF file is that it is using the"Shared Object" feature from Adobe Flash Player. This is the mechanism to save persistent data on a user's machine which can be shared through sessions. When the same SWF file is loaded later, it can retrieve previously saved data from this "Shared Object". By using this "Shared Object" feature, the malware avoids multiple exploitation attempts by checking the existence of the data and not performing the exploitation when it is found.

Figure 5 Usage Of Shared Object To Prevent Multiple Exploitation

As usually seen from malware abusing Adobe Flash Player, this malware is also using a heap spray technique to achieve shellcode execution. The following code part shows how the heap spray is happening. During this heap spray phase, you can observe that the application's memory usage spikes.

Figure 6 Heap Spraying

The following picture shows what the shellcode sprayed on the memory looks like. When the exploitation is successful, the control flow is passed to one of these sprayed shellcodes in the memory.

Figure 7 Sprayed Shellcode On the Memory

The overall attack requires multiple modules to work together. We don't see the attack as widespread yet. The vulnerability is not about the carrier that triggers the downloading of the SWF, but more of the Adobe Flash Player's vulnerability. So, if you update your Adobe Flash Player, you can prevent the attack from affecting you.

Related detection name and SHA1 for the SWF exploits:

4d12200ede6cf44660399ca43c92fc87295b31cd detected as Exploit:SWF/CVE-2012-0779.A

53FE2CE5920CA0963638A68338433AD85F55BD0D detected as Exploit:SWF/CVE-2012-0779.B

c485712675509c233f70c64b84969b41164fab48 detected as Exploit:SWF/CVE-2012-0779.D

-- Jeong Wook Oh & Chun Feng

Carl A. Someone has many names

2012-05-22T08:49:00Z

In days of old, a man without a signature would just mark an 'X', but today it seems like there is another, more common, signature. I was doing some work the other day and came across a Word document that had an attachment. It turned out to be a phishing scam but part of the document caught my eye.

The signature did not match the name. The name was Dr. Simon Brown and the signature looks like this:

The signature was for Carl A. [indecipherable]. This made me wonder if it was just some generic image of a signature that scammers use. So after a search through our file collection and a stroll around the internet I found that I was correct - this is one very popular signature indeed with the phishing community. Now there are many blogs and sites out there that cover these scams in far more detail but this is what I found about files with this image embedded in it.

There have been scams using this signature in them since at least 2006.

The following are some of the names that have been attached to the signature in the phishing attachments:

Dr. (Mrs.) Felicia Daniel	Dr. (Mrs.) Mercy Hartemink	Dr. Austin Benjamin
Dr. Ferguson Andrew	Dr. Frank West	Dr. George Williams
Dr. John Briggs	Dr. Larry Smith	Dr. Mack Anthony
Dr. Mark Brown	Dr. Mark Winters	Dr. Martin Evans
Dr. Matt Brown	Dr. Richard Morrison	Dr. Robert Mueller
Dr. Smith Brown	Dr. Smith Don	Dr. Smith Williamson
Dr. Steve Mark	Dr. Tom Wilson	Jenni Falconer
Michelle Falkosky	Mr. Christ Rawlins	Mr. Daniel Rougerie
Mr. Evans Henshaw	Mr. Graham Smith	Mr. James Norris
Mr. Muhtar Kent	Mr. Roberth Mueller	Mr. Teddy Kennedy
Mrs. Brunelli Naleen	Mrs. Elizabeth Walters	Mrs. Lisa Parker
Mrs. Lourdes Vidaurre	Mrs. Nicola Mckeon	Mrs. Patricia.S.Brown
Mrs. Rita Brown	Mrs. Rosemary Clair	Prof. Alex Kingston
Prof. Martin Johnson	R. Simon Brown	Rev. James Moore
Rev. Robert Morgan	Sir. Muhtar Kent

At least 15 had the title of "Coca Cola Games/Lottery Coordinator"
The documents are all related to winning a prize of around £400,000 to £1,000,000 from different companies in England.
The following company names are among those that have been used illegitimately in these fake lotteries:
BBC
British High Commission
British Telecom
Coca-Cola
ESPN
Fifa World Cup
Golf international
Microsoft
Nokia
Toyota
UK Lottery
Yahoo

I suspect many of you have seen these emails, but if not they all follow the same sort of format. They tell you that you have won a prize and ask for a whole bunch of details so that you can claim that prize. I even came across one that wanted a photo. For those who have not seen them here are a few examples. Please note the signature on all of them, it should look familiar.

The oldest reference that I found to the signature on the web is a shipping company that dates their website to 2003. This leads me to believe that this was an open source image that the scammers have enjoyed using. (Unlike the various logos you see above, which are trade and service marks that are used illegally.)

I still do not know what the original name was though, Carl A...

- Michael Johnson
MMPC Melbourne

P.S. I do not think that I need to say it again but never open an email from someone that you do not know. It is very unlikely that you have won the Coca-Cola lottery or any lottery for that matter. Please use safe practices when dealing with email.

Facebook offers Microsoft Security Essentials as a security solution

2012-05-04T22:32:00Z

We’re very excited to announce that Microsoft has teamed up with Facebook to offer Windows users free malware protection with Microsoft Security Essentials. Since May 1st, Facebook users have had the choice of downloading and installing Microsoft Security Essentials as their security solution.

While there are numerous threats on the Internet, and while there are many things you can do to help prevent your computer from becoming infected, a cornerstone of protection is a strong anti-malware solution which offers real-time protection. Facebook is aware of this situation, which is why we think it’s great that they’re educating their users about available security solutions.

Microsoft Security Essentials, which is one of the solutions being offered, is free to download and use for all computers running genuine versions of Windows 7, Windows Vista, and Windows XP. More information about the Facebook initiative is here.

Don’t forget that the MMPC also has a Facebook page, where you can find out more about how we keep our users protected.

Keep safe online.

Jeff Williams

Principal Program Manager

An interesting case of Mac OSX malware

2012-04-30T23:20:00Z

In June 2009, Microsoft issued security update MS09-027, which fixed a remote code execution vulnerability in the Mac version of Microsoft Office. Despite the availability of the bulletin (and the passage of time), not every machine is up to date yet – which is how nearly three years later, malware has emerged that exploits the issue on machines running Office on Mac OS X. Fortunately, our data indicates that this malware is not widespread, but during our investigation we found a few interesting facts we’d like to share with you.

For our investigation, we used a malware sample (SHA1: 445959611bc2480357057664bb597c803a349386) that is detected as Exploit:MacOS_X/MS09-027.A.

Figure 1 - Overall Execution Flow

Firstly, the vulnerability is a stack-based buffer overflow - the attack code could corrupt variables and return addresses located on the stack. As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well.

This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is, that with Lion, that specific memory address can't be written, so the exploit fails.

We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc.

Figure 2 Stage 1 Shellcode

This stage 1 shellcode leads to stage 2 shellcode, which is located in memory. The stage 2 shellcode is actually where the infection of the system occurs. The stage 2 shellcode creates three files:

/tmp/launch-hs
/tmp/launch-hse
/tmp/file.doc

Figure 3 File Creation by Stage 2 Shellcode

As you can see from the above picture, the exploit attack code uses typical Unix style shellcode to run system calls. So far, this is nothing new.

Later in the shellcode, the file "/tmp/launch-hs" is executed by a system call to "execve" to execute commands. The contents of "/tmp/launch-hs" should be a shell script or executable.

Figure 4 Execution of /tmp/launch-hs script file

We looked into the the contents of the "/tmp/launch-hs", and it appears like following:

Figure 5 /tmp/launch-hs script contents

It is just a tiny shell script that runs "/tmp/launch-hs" and and opens "/tmp/file.doc". The file "/tmp/launch-hse" should be the main binary that contains all the malicious code. Also "/tmp/file.doc" is a fake document file that will be displayed to the user to deceive the user from seeing any abnormalities or malicious symptoms.

The main payload file is "/tmp/launch-hse" - it is a Mach-O format, or standard executable format, for Mac OSX. This binary a command and control (C&C) agent that communicates with a C&C server (master) to perform unauthorized actions that are similar to other C&C bot clients. The function names give clues that might indicate that this binary is connecting to a C&C server, parses command from it and performs file retrieval or creates process.

Figure 6 Peek into the function names gives you an idea.

The main difference about this malware is that it is written for Mac OSX. For example, if you look into a "RunFile" function, which runs a command on the infected machine, you can see that it's a Mac OSX version of backdoor. Basically it runs a command supplied from the C&C server.

Figure 7 RunFile function

No operating system that exists outside a laboratory is entirely immune to malware. As different operating systems continue to gain in popularity they attract more attention from would-be attackers – especially since, as we see in the example analysis above, the techniques and understanding needed to do so may be much the same as those used against other platforms. And even though an operating system may include many risk-reducing mitigation technologies, any machine’s defenses against vulnerabilities are directly related to how current its security updates for applications are kept.

If you're using Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or Open XML File Format Converter for Mac, be sure to update using the latest product updates. For this specific vulnerability, you can visit the Microsoft Security Bulletin MS09-027 page and download the update.

Jeong Wook (Matt) Oh
MMPC

A tangled web...

2012-04-27T18:43:00Z

The moment of infection, and the circumstances that lead to the introduction of malware to a system, are often not obvious. This short case study examines our observations and investigations into a particular example that illustrates a fairly typical method of compromise that is played out countless times each day all over the web.

A couple of days ago, our attention was drawn to a website that appeared to use the Microsoft brand. We received reports that a website with the word "Microsoft" in big friendly letters at the top of the page, may have been serving malware. We were worried that users may visit the site with confidence and trust its content because it carried our name. So, we took a closer look at this “Microsoft” website.

We can see it does use the title “MSPinoy - Microsoft Philippines Users Group”, and when you click on the Forums tab up top, it sends you directly to an actual Microsoft website. Everything goes well initially, but after less than a minute, the system becomes sluggish and Microsoft Security Essentials reports a possible malware infection.

So the question is: who is “MSPinoy”? After some searching, we found out that the website has existed since June 2008 and has a legitimate registration contact in the Philippines. Based on our research, we assume that this website is probably not malicious, but is a community users group which references some official Philippines Microsoft links for its users.

So, if the site is a real users group (if not Microsoft endorsed per se), then how are visitors getting infected? When we looked further into the webpage source a suspicious iframe emerges at the end of the page. This iframe, which referenced a different host (rvideos.info), soon redirected to another one. Upon being redirected the new webpage contained several malicious Java applets that tried to exploit vulnerabilities on the system and download other malware. When we visited, these exploits were detected as variants of Exploit:Java/CVE-2010-0840 (example file SHA1s observed 626D495992C77BE9E47A9F2A1ED573739F34636F and A67C7CC6BD6C516D865C8BB37134F457E0B89A3D) and Exploit:Java/CVE-2012-0507 (example SHA1 of file observed 374F8FDB2EB49D5C883785A6ED627BE6CF9BACC9).

We also then did an online search into rvideos.info:

Looks like the registrant is from Australia and belongs to an organization called Privacyprotect.org. The registration date is just a couple of days ago. We continued to monitor this website and found that the malicious iframe was refreshed every day with a different host (such as charming-cuties.com or hpicture.info) which was also registered to Privacyprotect.org.

So, it looks like the MSPinoy website we investigated had been compromised, and the hijack code is being refreshed daily, presumably from a C&C server.

So, our last question: Who is Privacyprotect.org? According to their website, Privacyprotect.org is a company that provides a privacy protection service for domain owners, so that their registration contact details are not generally available to the public. So the true identity behind these domains is still a mystery.

As stated, this short case study is a fairly typical illustration of how malware is distributed, and it teaches some valuable lessons about how to defend yourself:

Use a complete AV solution (such as Microsoft Security Essentials)
Update your AV daily. As this example shows, the bad guys update their code daily, so you need to as well.
Get and install the latest updates for ALL of your computer programs. Be proactive - this is really important.
Be vigilant. Bad guys will attempt to take advantage of your existing trusted relationships (such as the relationship you might have with a company like Microsoft).
Be aware that these types of attack are prevalent and dangerous and that attackers will try to take advantage of you, your computer and your assets. Use caution online.

Tim Liu
MMPC

SIRv12: The obstinacy of Conficker

2012-04-25T15:30:00Z

Conficker is one of the most significant threat families facing organizations worldwide today; its initial impact along with its continued obstinacy shows that clearly. In the fourth quarter of 2011 – three years after its initial release – it attempted to infect just over 1.7 million computers. Conficker’s persistence is illustrated not only by the number of computers it has attempted to infect, but also by the nearly 59 million attacks launched against those computers in the fourth quarter of 2011. But perhaps the most interesting manifestation of its obstinacy is that it has been the number one threat facing businesses for the past two and a half years.

Figure 1. Conficker affects a higher percentage of business computers than consumer computers

The nature of how later Conficker variants spread is the key to understanding what makes the worm so much more of an issue for businesses than for consumer users. Initially the worm spread through the Internet solely by exploiting a software vulnerability in the Windows Server service that had been addressed months earlier in Microsoft Security Bulletin MS08-067. About one month later, Conficker was updated to spread using the Autorun feature and weak passwords or stolen login tokens. The use of weak passwords and stolen login tokens was the change that gave it a foothold in the business sector environment.

Once later variants of Conficker infect a computer, they attempt to spread by copying themselves into administrative shares of other computers on the network. First the malware tries to use the current user’s credentials to copy itself, but if that fails it attempts to exploit weak passwords; the worm uses a pre-existing list of common weak passwords that it carries with it. If that fails, Conficker remains dormant until new credentials are available. If a remote administrator logs into the infected computer to try to clean it or diagnose problems caused by the worm, Conficker uses the administrator’s login token to infect as many computers as possible. The combination of these credential-based attacks accounted for 100% of all recent infection attempts from Conficker targeting Enterprise Microsoft Forefront Endpoint Protection users on Windows 7 and Windows Vista platforms.

Figure 2. How Conficker spreads through corporate networks

Despite Microsoft removing Conficker from approximately 283,000 computers per quarter on average for the past year, the worm continues to be persistent. As an illustration of this, the average number of attacks per system throughout 2011 is on the rise. During the first quarter of 2011 the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35.

Figure 3. The average number of Conficker attacks per system is on the rise

One of the primary ways to defend against Conficker is by enforcing a strong password policy. A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer. If the worm does get inside a network, a good guide to cleaning it out can be found in the How-to: Removal of Conficker in your FCS environment blog post. Along with strong passwords, it is important to keep systems up to date by regularly applying available updates for all software being used and to use antivirus software from a trusted source, and make sure AV signatures are regularly updated.

You can find more information there on the obstinacy of Conficker in our latest Microsoft Security Intelligence Report volume 12 that launched today, as well as other global and regional trends in Internet security.

- Joe Blackbird, MMPC

Analysis of the Eleonore exploit pack shellcode

2012-04-20T19:03:00Z

'Eleonore' is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run. Eleonore is purchased by an attacker from an underground website. The attacker then gains access to Internet web servers and installs the exploit by modifying webpages, which are then served to the public. The malware pack also contains functionality for the tracking and management of compromised computers.

Image 1 - Remote attacker purchases the exploit pack, retrieves web pages from Internet servers and installs Eleonore

Eleonore is developed and released as version updates. This blog post focuses on the shellcode exploit from one of the releases, version 1.2. At a high level, the Eleonore shellcode locates kernel32.dll in an exploited process space. It uses the spatially efficient hash lookup to find the absolute address of key Kernel32 APIs:

Image 2 - FindFuncHash routine

With access to these functions, the shellcode creates a file in the temporary files folder (%TEMP%) and calls URLDownloadToFile with a URL that is 0x67 bytes after the shellcode. The shellcode then executes that file.

The exact URL is dependent on bytes included in the exploit payload and is beyond the scope of this analysis. The exploit then decrypts bytes right after the shellcode for another URL and calls URLDownloadToFile for a second time, copying the file from a URL such as the following:

<website domain with Eleonore installation>/path/getexe.php

This URL was obtained by looking at the entire exploit payload from an Eleonore installation - that data is not included in this article. The "getexe.php" file creates a server-side response that returns a file named "load.exe". The contents of this file are put into a secondary file, decrypted in memory, written back to the file and finally executed.

Image 3 - DecryptBytes routine

The shellcode ends here as "load.exe" begins, with the affected computer now compromised.

Eleonore v1.2 contained numerous exploits and attack code that targets several programs including:

DirectX 9, affecting certain versions of Windows operating system

Vulnerability discussed in CVE-2008-0015 and
fixed with Microsoft Security Bulletin MS09-032
Malware detected as Exploit:JS/CVE-2008-0015 and Exploit:HTML/CVE-2008-0015

Microsoft Internet Explorer 7 memory corruption

Vulnerability discussed in CVE-2009-0075 and
fixed with Microsoft Security Bulletin MS09-002
Malware detected as Exploit:JS/CVE-2009-0075

Microsoft Internet Explorer ActiveX control "snpvw.Snapshot viewer Control.1"

Vulnerability discussed in CVE-2008-2463 and
fixed with Microsoft Security Bulletin MS08-041
Malware detected as Exploit:JS/Objsnapt.E, Exploit:JS/Objsnapt.F and Exploit:HTML/Snavic.gen!D

Microsoft Internet Explorer 6 MDAC

Multiple vulnerabilities, discussed in CVE-2004-0549 and CVE-2006-0003, and
fixed with Microsoft Security Bulletin MS04-025 and MS06-014
Malware detected as TrojanDownloader:VBS.Psyme.X, TrojanDownloader:JS/Adodb (and other names)

Opera telnet 9.25

Vulnerability discussed in CVE-2004-0473 and
fixed with an update of the Opera components

Certain versions of Mozilla Firefox

Multiple vulnerabilities, discussed in CVE-2006-3677 and CVE-2009-2478, and
fixed by updating to a version of Mozilla Firefox newer than 3.5.0

Certain versions of Adobe Reader

Multiple vulnerabilities, discussed in CVE-2008-2992, and
fixed by updating to the latest version of Adobe Reader

To protect against Eleonore and other threats, the MMPC recommends maintaining security updates across all products, not only those serviced by Microsoft Windows updates, and using security software with active scanning enabled.

-- Nik Livic & Patrick Nolan, MMPC

Revenge of the Reveton

2012-04-19T05:16:00Z

Computer users around the world are increasingly accustomed to managing their bank accounts, paying their bills and performing other activities online. The use of technology to manage finances has long been a target of attackers, and malware authors continue to create scams that try to persuade potential victims to provide access to their valuable personal information, including logon credentials for online accounts. Trojan:Win32/Reveton.A is a recent example of malware that attempts to phish these details from victims using the great motivator - fear.

Trojan:Win32/Reveton.A displays a warning that alleges that the affected computer has accessed "pornographic content, elements of violence and child pornography." The message also suggests that the computer has been "locked" and that the user is "obliged to pay a fine to unlock", as shown below:

This phishing and ransom message is also detected by MMPC as Trojan:HTML/Ransom.A. The scam in this attack attempts to phish user accounts for the electronic payment services Ukash and Paysafecard. We wrote about this type of ransom attack in a previous blog post.

Account information provided by the user is stolen and sent to a remote server at “91.195.254.86”. Indications are that this allocated server IP address may be physically located in Russia:

inetnum: 91.195.254.0 - 91.195.255.255
netname: GEOSYSTEM-NAVIGATION-NET
description: ZAO GeoSystem Navigation
country: RU

If you've been a victim of this scam, or similar, review these steps to take, to minimize your financial loss and/or damage to your identity.

As always, we advise you to be cautious when providing sensitive personal information, such as electronic account details, as it could lead to identity or financial theft.

Patrick Estavillo, MMPC

MSRT April 2012: Win32/Claretore

2012-04-10T17:06:00Z

We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool - Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.

The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server.

The installation and preservation mechanism employed by Claretore is not new but it is aggressive. Claretore drops copy of itself to the user profile's folder and the temp folder, and removes the original copy of the malware. The registry is modified to execute Claretore at every Windows start.

Image 1 - Registry data associated with launching Win32/Claretore at Windows start

The aggressive part is that it injects itself as a DLL component to each running process that loads the kernel32 module. This method allows the malware to support being installed on Windows 2000 operating systems and helps in hiding the malware so that it is does not appear present when viewing running processes using Windows Task Manager.

Below, you can see Win32/Claretore injected into "iexplore.exe" as shown via a debugging utility:

Image 2 - View of process "iexplore.exe" with Win32/Claretore injection

The malware attempts to block its removal by manual cleaning or by a security product by creating two monitoring threads that persistently verify if its file component and registry has been modified by others. This mechanism is implemented by utilizing the following Windows APIs:

RegNotifyChageKeyVaule
ReadDirectoryChanges

Next, Claretore is ready to do its 'dirty work'. It hooks the following three network APIs to intercept certain web traffic:

WSPCloseSocket
WSPSend
WSPRecv

The trojan is then able to intercept every website accessed that also has contains a reference to Google Analytics JavaScript, and replaces the legitimate code with code from an attacker-supplied URL. For example, a variant of Win32/Claretore was observed to replace references to the Google Analytics JavaScript "google-analytics.com/ga.js" with "<removed>in-f108.com/ga.js", allowing attacker-specified code to execute.

Image 3 - Tracing through Win32/Claretore code

Win32/Claretore collects and sends the following details, encrypted using MD5, about the affected computer to an attacker-supplied URL:

Machine GUID
User logon account name
Computer name
Windows install date
Disk identifier

This threat is detected and removed by the Microsoft Windows Malicious Software Removal Tool and when using current security technologies and protection. Thank you for reading and stay tuned to the MMPC for the latest developments in the digital threat landscape.

--Tim Liu, MMPC

Microsoft and partners disrupt Zeus botnets

2012-03-26T05:30:00Z

We have discussed in the past our collaboration with external parties to combat botnet threats to further the betterment of the Internet, such as Operations b49, b107 and b79. This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71 to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot).

Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat.

The Zbot /Zeus threat has targeted the financial sector for quite some time. We documented the threat in detail in a special Security Intelligence Report whitepaper published in 2010.

Millions of dollars of fraud are a result of this family of threat and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, Spyeye and Ice IX variants of the Zeus family of malware. More information about this operation can be found here: http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx

The Microsoft Malware Protection Center (MMPC) is proud to have supported this action, which represents the fourth operation of Project MARS - a component of Microsoft’s End-to-End Trust initiative. Project MARS is a joint effort between the Microsoft Digital Crimes Unit, MMPC, Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone.

MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward.

--Jeff Williams, Principal Group Program Manager

Vulnerability analysis, practical data flow analysis and visualization

2012-03-23T19:35:00Z

Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these days, understanding the internals of these vulnerabilities is essential when writing defense logic.

Out of the many methods that can be used for vulnerability analysis, we presented a method that uses dynamic binary instrumentation and data flow analysis. Dynamic binary instrumentation and data flow analysis are fancy concepts, and they can be a little bit difficult to apply to real world cases.

We showed a case where we used data flow analysis for a simple integer overflow vulnerability. By showing the result in a more visualized way, it helped us to understand the vulnerability. But the real issue we raised was how to use these technologies in more complicated cases, for example, for analyzing an uninitialized memory access vulnerability. We used CVE-2011-2462 (a vulnerability in Adobe Reader and Acrobat - this issue was addressed by Adobe and you can find more information here) as an example to show how to trace back to the root cause of the vulnerability using these techniques. (Note: the Adobe Reader X Protected Mode and Acrobat X Protected View mitigations (the Reader X and Acrobat X sandboxes) would prevent exploits of this vulnerability from executing – this is an exercise in analyzing a vulnerability not an exploit.)

The vulnerability is a little bit complicated, as the data flow does not show the whole picture of the connection between the user data and the crash point.

Figure 1 Data flow analysis for crash case

We performed data flow analysis on the data related to the crash point. As you can see from the above picture, we can clearly see that the data source used in the crash point comes from an area of freed memory. As the execution order is from bottom to top, the free operation is performed first - the data is passed to Adobe Reader and is used for operations later which leads to an uninitialized memory issue.

Figure 2 Data flow analysis for normal case

The above data flow graph is from a good sample file which hits the same area of the code as the crash case. But in this case, we can see that the data comes from an allocated area using malloc API.

Figure 3 Crash case and normal case

By performing data differential analysis between the crash case and the normal case, we can pinpoint the exact instruction that is responsible for the diversion of data flow. The following table shows the difference in the instruction that makes the data flow diversion and you can see that "mov dword ptr [ecx+ebx*4h], eax" is the key instruction that makes the difference.

Figure 4 Crash case and normal case

So we start control flow differential analysis from that specific key instruction.

Figure 5 Key instruction from data flow differential analysis

The following graph shows the control flow differential analysis result.

Figure 6 Control flow differential analysis result

From the graph above, we can see that the instruction at 10009E72 basic block (in red) is the instruction that determines the fate of the control flow. The control flow depends on the value of eax register; it is key to creating the crash condition.

We traced back this eax value from that instruction point in the crash case, and got the following graph. Finally we could locate the exact file location where the eax comes from. And this eax value controls the condition for the crash later.

Figure 7 EAX Control

So the whole point of this post is that data flow analysis is a good tool for vulnerability analysis, but it doesn't solve all the real world vulnerability cases. Real world vulnerabilities are more complicated. So to apply this technology, you need to introduce more strategies and methods. We showed data flow differential analysis and control flow differential analysis as examples that could solve an uninitialized memory access case.

For the full content of the presentation, please visit this page. It should be available soon.

Jeong Wook Oh

Piecing the malware puzzle – Exploring a spike in exploit activity

2012-03-20T19:29:00Z

In this post, we explore a telemetry spike in Java/OpenConnection and CVE-2011-3544 exploit activity.

While reviewing user feedback from the Microsoft Malware Protection Center recently, we noticed an unprecedented amount of feedback on one particular Java/OpenConnection variant -- TrojanDownloader:Java/OpenConnection.PK. Such interest in this type of Java applet-based exploit is quite unusual, and prompted us to investigate further.

A signature for this threat was introduced on February 22, 2012, and spiked to 7.5k reports on the first day. In the following days, the daily report volume fluctuated between 7.8k and 5k reports a day (this kind of spike is not entirely expected for this kind of threat, and such a peak is not very common), until on 28th February the volume started to subside and broke through 5k support, plateauing around 2.5k reports a day, as shown in the figure below:

Figure 1 – daily report volume of Java/OpenConnection.PK

Looking at prevalent reported samples of TrojanDownloader:Java/OpenConnection.PK, we see that there's no clear leader in the volume per sample distribution. A long tail spike in the distribution may point out a file of interest; however in this case, the top range numbers were quite flat and didn't appear in any way skewed, as shown in the graph below:

Figure 2 – top 10 Java/OpenConnection.PK samples

Closer examination confirmed all of the top reported files to be malware, detected legitimately.

The detected TrojanDownloader:Java/OpenConnection.PK class file contains mangled strings and variables which suggests that its code was generated by a machine or an obfuscation tool. In other words, it could be a product of one of the Java exploit toolkits, an obfuscation tool, or both.

Some of most prevalent toolkits around today are Blackhole and Phoenix. This particular threat, however, does not seem to be associated with either Blackhole or Phoenix, indicating that possibly another (less-utilized) expolit kit was used. A reminder that there are exploit kits out there that, while not as popular, are still causing users a considerable amount of pain.

What we know is that currently, most of the popular web malware exploit kits attack vulnerabilities described in CVE-2010-0094, CVE-2010-0840 and CVE-2011-3544 Java Runtime Environment vulnerabilities (among other techniques), which fall under our Java/OpenConnection family detections.

When new updates to exploit kits are released, it's not uncommon to see a spike in the exploits used for malicious purposes. This is just one of the many things we watch for while monitoring our detections.

These particular Java exploits are patched, but in the event a Java-user doesn't update a vulnerable version, or remove older versions of Java, they can be exploited by these attacks. As such, we recommend you update your version of Java, and remove older versions to thwart such attacks.

--Oleg Petrovsky & Jasmine Sesso

An interesting case of JRE sandbox breach (CVE-2012-0507)

2012-03-20T09:55:29Z

Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. These samples are kind of unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files - one Java class file triggers the vulnerability and the other one is a loader class used for loading.

The vulnerability triggering class is actually performing deserialization of an object array and uses a vulnerability in the AtomicReferenceArray to disarm the JRE sandbox mechanism. The attacker deliberately crafted serialized object data. This reference array issue is very serious since the exploit is not a memory corruption issue, but a logical flaw in the handling of the array. So the exploit is highly reliable and that might be one of the reasons why the bad guys picked up this vulnerability for their attacks. We determined this vulnerability to be CVE-2012-0507.

Figure 1 The vulnerability triggering class

The loader class is called from the vulnerability triggering class. This loader class can load additional classes in an escalated privilege context and perform any operations escaping the sandbox mechanism. This loader class creates a new class on the fly and uses it to do malicious jobs with escalated privileges.

The 3^rd class that is loaded by the loader class downloads a malicious file and decodes it using a simple XOR algorithm. It saves it into a local temporary folder and executes the file using Runtime's exec method. The decoded malicious file is detected as PWS:Win32/Zbot.gen!Y.

The following diagram shows the overall process of exploitation. A.class is the vulnerability triggering class, B.class is the loading class and C.class is the 3^rd class that downloads, decodes and executes a malicious binary.

Figure 2 The overall view of exploitation

The following code shows the actual decoding code inside the C.class file. The routine is using a very simple form of XOR decoding.

Figure 3 Decoding routine inside C.class file

Example SHA1s:

fc1ab8bf716a5b3450701ca4b2545888a25398c9 (detected as Exploit:Java/CVE-2012-0507.A)
03e26e735b2f33b3b212bea5b27cbefb2af4ed34 (detected as Exploit:Java/CVE-2012-0507.B)

The good news is that the vendor has provided a patch for this vulnerability since late February. Just make sure you have the latest JRE version installed on your system. Or you can visit this patch update advisory page to see if you require any updates.

So please, update your JRE installations and protect yourself.

Jeong Wook (Matt) Oh & Chun Feng

Ransomware: Playing on your fears

2012-03-16T07:30:00Z

The last two years have seen an increase in malware which takes control of, and holds hostage an infected machine, locking the user out until a payment of some form can be extorted. This threat type is also known as 'ransomware'.

Various tactics have been used by the malware writers in an attempt to intimidate users into paying a ransom in order to get back control of an infected machine. We wrote a blog post last December that describes malware extortion tactics, here.

Scare tactics include displaying fake Windows activation warnings: :

Figure 1: Ransom message displayed by Trojan:Win32/Serubsit.A

to other scare tactics:

Figure 2: Ransom message displayed by Trojan:Win32/Serubsit.A

The most recent of these comes in the form of the following variant we detect as Trojan:Win32/Ransirac.G (280bb31602a5dcb3674c7718f947ee0f4e44784f). In this case, an infected user is accused of illegally downloading music.

Figure 3: Ransom message displayed by Trojan:Win32/Ransirac.G

The malware writers attempt to add an air of legitimacy to their creation by using the HTML style sheets and image content for the actual organization GEMA (Gesellschaft für musikalische Aufführungs).

To thwart these and similar threats, we recommend using a complete and up-to-date antivirus solution such as Microsoft Security Essentials.

--Raymond Roberts
MMPC-Melbourne

MSRT March: Three Hioles in one

2012-03-15T17:00:00Z

In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.

Win32/Hioles

Similar to last month's focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One popular infection vector for the malware is via spammed messages containing a downloader such as variants of Worm:Win32/Gamarue, also mentioned in a previous blog.

Win32/Hioles may be present and execute in one of three ways:

as a direct action executable (.EXE)
as a dynamic link library (.DLL)
as a registered SSP (Security Support Provider)

When run, Win32/Hioles commonly drops its payload into the Application Data (%AppData%) folder as an executable with a misleading file name such as 'KB995202.exe' and modifies the registry to run the .EXE at Windows login. The trojan could drop other code into the %TEMP% folder and execute it, as shown in following figure:

Figure 1 - Win32/Hioles visible in Windows Task Manager

Running as a process named 'svchost.exe' has two advantages; one in fooling your eyes, and two, in bypassing firewalls that use rules based on process names. When installed as a .DLL, 'rundll32.exe' is used to load the trojan.

One advanced method that is rarely used in other malware families is to register the bootstrap DLL under the "%SystemRoot%\system32" folder as a Security Support Provider (SSP) so that it may be loaded into processes that try to initialize the SSPs. If the bootstrap is loaded by 'rundll32.exe' from the 'Run' key, the payload will be injected into current user's 'explorer.exe' process, and in the case of being loaded as an SSP, the payload is executed directly in the current process space.

The three installation and execution methods used by Win32/Hioles are performed to conceal its execution, and maximize its installation success rate, for the sole purpose of providing multi-protocol (Socks4, Socks5, HTTP, HTTPS) proxy services to its C&C server. The payload is designed to be concentrated, and can be as small as 9 Kb in file size. Once loaded, it generates a unique ID for the affected system and initiates communication by sending the ID to the C&C server. The C&C server can instruct the malware to update the configured C&C server address, initiate a reverse proxy, drop the connection and other actions.

In the wild, we observed the malware communicating as a Socks5 proxy with a C&C server. The following is an example of a communication packet that instructs the malware to connect to the port 1002 (0x03EA in hex):

Figure 2 - Win32/Hioles communication packet

Once connected, the C&C initiates a standard Socks5 handshake and sends a CONNECT request to a particular host via port 80.

In the above communications, Win32/Hioles functioned as a regular Socks5 proxy server. The HTTP traffic we observed included registering email accounts, browsing various websites and sending spam email messages. It appears as though the authors behind this botnet may be selling the network of infected computers, as evidenced by the C&C server in the above case being associated with an online proxy server merchant.

Win32/Pluzoks & Win32/Yeltminky

Pluzoks is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware to an affected computer (see our description for more information).

Yeltminky is a worm that spreads by making copies of itself on all available drives. The worm changes the start page for Internet Explorer and also communicates with a remote server (see our description for more information).

And so concludes another round of "What's in MSRT?"... The MMPC thanks you for reading and reminds you to stay safe on the roadway of the Internets.

The following are SHA1 examples for malware mentioned in this blog.

Win32/Hioles:
50ef1e136ba4bc7c16246366f471c53455a5a885
d653a8923a1a2bbdafc33b268b78a487f0490b23
27f007e8c5b7177621c4dd3090ddc961c0101172
3f0bb3f3d87851ccd2696062992237e409f73071

Win32/Pluzoks:
29ab4c105aed4b0f3544fe147e412fc7ee579e79
c85cb2ada1c6bd7f01fd45c96bfd17068d0c1bb5
efb3efdd92b20bcfdd902e08b900a008adb5eb4a
2bb914e1c61a8207734487fc8d9599734563953d

Win32/Yeltminky:
b4a679a2167073f89bdc7d65d49d51cdea243704
0857513860babf3cb82e9e8ff7de908ec161b740
d5540e8717545c7907ff67e87dc847053e66d551

-- Shawn Wang, MMPC

MSRT March 2012: Breaking bad

2012-03-13T17:00:00Z

This month, the MMPC added Win32/Dorkbot to the Microsoft Malicious Software Removal Tool along with detections for the threats Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.

Win32/Dorkbot is described as an IRC-based botnet and a worm, a backdoor with rootkit capability and a password stealer. Despite using a very simple IRC protocol to communicate with the command and control (C&C) server, it was able to build a substantial installation base after a couple of years in operation. Some might compare Win32/Dorkbot with the infamous Win32/EyeStye due to some similarities in their behavior and advanced features.

Dorkbot implements an advanced user-level rootkit that is very similar to the hooking technique used by EyeStye. The hooking is used to hide its registry and file components from users that are not using rootkit detection software. Both threats appear to have a dedicated development team and both threats can also steal users credentials, which may include personal and banking information, via a form grabbing technique.

For an attacker, the Dorkbot malware is simpler to configure and control, less aggressive and less expensive to own than EyeStye. It also strictly uses the IRC protocol, while EyeStye is a complex botnet with a changeable communication protocol, from P2P, UDP to a custom protocol.

The following is an example of an underground site promoting the malware (with offensive context edited) :

Figure 1 - Dorkbot as seen posted for sale in an underground forum in May 2011

Win32/Dorkbot spreads via the following three vectors:

USB drives: the worm transfers to inserted USB media. When the infected media is inserted in another computer, the worm spreads to the new host.
Instant Messaging (IM): the C&C master communicates malicious links to Win32/Dorkbot client that joins a specific IRC channel. The worm then hooks several important APIs to help monitor IM communication, and when the affected user chats with other contacts, the worm intercepts the conversation and injects the malicious link into the chat reply. When the user clicks the link, it will download and execute arbitrary files which could be other malware or an update of the worm.
Social network sites: similar to the IM spreading mechanism, Dorkbot monitors a large array of popular social networks such as Twitter, Facebook and others. Using the social network chat functionality, the worm may spread by injecting the malicious link into chat conversations.

The popularity of social networks is a contributing factor to success of the Dorkbot propagation and a majority of installations are presumed to be consumers in the private sector, primarily because communication on the IRC protocol is commonly blocked in corporate networks. Dorkbot has a long list of features, such as

data stealing via form grabbing
denial of service attacks
rootkit capability
modify DNS settings
and more...

The bot also uses two other features called "Ruskill" and "Pdef" or "Proactive Defense". The Ruskill feature is a mode that can be enabled by the bot master to command the bot to delete the file that Dorkbot downloads, creates or copies itself to, when the system restarts. PDEF mode commands the bot to "stand its ground" by attempting to remove other files that may exhibit behavior that resemble malware, such as an attempt to spread via USB drives, or an unknown IRC communication for example. Being a persistent threat on an installed host adds "value" for bot herders, or attackers that control an installed base of bot malware. The added "value" factors in when the attacker sells the bot on the underground market. Security researchers and aficionados may recall the silent war between released variants of MyDoom, Beagle and Netsky -- one malware would seek and remove another from an infected computer in order to remain installed.

Dorkbot can be a real killjoy by not allowing the infected system to reach security-related websites by hooking "Dnsapi.dll" APIs. The domain block list is a plain text file that may be updated by the botmaster by commanding the bot to download from a remote link, for example:

hxxp://<removed>.fuskbugg.se/<removed>/4e28ae2064f07_av.txt

The following is an example of the block list:

Figure 2 - Example domain access block list

The popularity of Dorkbot resulted in the reverse engineering of the bot by hackers. The modified binary has been sold for a mere $100 US, compared to the "official" Dorkbot release code, which sells for three times as much. Some hackers also created their own kit/builders that provides "script kiddies", or hackers that have little coding experience, an opportunity to create more Dorkbot variants, with their own configuration, such as command strings, C&C channel, and the malicious link that they can easily modify:

Figure 3 - Dorkbot builders (with offensive alias edited)

After generating new Dorkbot binaries, hackers stuff them inside VB or .Net crypters to try and avoid AV detection. For more details about this threat, please visit its detailed description here.

There is a slang saying for this time of year and that is "In like a lion, out like a lamb". Loosely translated, although the changing of the seasons brings a turbulent wind, it recesses and gives way to a calm. May your digital landscape be calm.

The following are SHA1 examples for malware mentioned in this blog.

Win32/Dorkbot:
f7f77927b000ef74dc244c48f5b550d3eedfca6d
fa7402f86131addbfb1ff4bd3c45b5f7973e602d
950ca89996b6ae85df0ada8a6d44fd948738e7a6
02127b7c97893f9fc76c72a46e5690b259bff7d8

-- Rex Plantado, MMPC

There's a cream for that

2012-03-12T07:18:00Z

The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included:

To: (email address)
CC: (email address),...
Subject: Your ex sent me this pciture of you.
Body:
Hey (email address),
Your ex sent me this picture claiming it's you. Is it really so? You probaly should see a doctor:) They can cure it now:).
Attachment: "Photo.zip"

The attached file is a ZIP archive that contains an executable file named "IMG04958.exe" (SHA1: 51dd01ab8f18bc5e7875526db241d4ea79c136e8), detected as Worm:Win32/Gamarue.E.

Scanning other messages, I noticed three additional spam campaigns using different subject lines and message body text:

"I got you busted bro. You won't deny the obvious now. Check the photo in attachment ."
"I'm sorry man you seem to be in trouble. My girfriend got this picture of you yesterday and sent to your wife. Hope you can handle it"
"I got your picture yesterday, who is that girl next to you? In attachment"

The theme of the spam uses a type of social engineering that leverages the shock of allegation to trick the recipient into opening the attached file. If the recipient opens the attached file in an unprotected environment, this Win32/Gamarue variant will try to download other malware.

Downloads "888.exe" from IP 67.210.xxx.xxx:
235964da72a80425dfb74efc264fa0ba4d8189c7 – Trojan:Win32/Hioles.C
Downloads "sol.exe" from IP 176.31.xxx.xxx:
cfb374ae373f49ed7bf8da92fe725b4eaff5e1a5 – Trojan:Win32/FakeSysdef

Gamarue also communicates with a command and control server on a bot network to perform actions against the infected computer.

It can't be emphasized enough in our recommendation that you apply an "ointment" (i.e. active security scanning) to help prevent "outbreaks".

-- Patrick Nolan, MMPC

A Rogue by any other name...

2012-03-02T06:12:00Z

Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”. You can see some examples of these iterations below.

Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work. So how does the actual rogue get extracted and run? The first, “outer” RAR archive contains a script which tells the self-extractor what to do when the self-extractor runs. This script includes the command to execute the inner archive with a parameter that contains the password. Initially they were using scripts like this:

TempMode
Setup=temp.exe -e -p1329827306
Silent=1
Overwrite=1
Update=U

This script tells the RAR self-extractor to extract the file inside (“temp.exe” in this case) to the temporary folder and run it with the parameters “-e” (extract) and “-p1329827306” (use the password “1329827306”). The other lines of the script make sure that nothing is displayed while this happens and that any existing files are automatically replaced.

In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality. The creators of Win32/FakePAV have chosen to use excerpts from Shakespeare’s Romeo and Juliet. For example (with instructions highlighted in yellow):

Exeunt [all but Juliet and Nurse].
Jul. Come hither, nurse. What is yond gentleman?
Nurse. The son and heir of old Tiberio.
Jul. What's he that now is going out of door?
Nurse. Marry, that, I think, be young Petruchio.
Jul. What's he that follows there, that would not dance?
Nurse. I know not.
Jul. Go ask his name.- If he be married,
My grave is like to be my wedding bed.
Nurse. His name is Romeo, and a Montague,
The only son of your great enemy.
Jul. My only love, sprung from my only hate!
Too early seen unknown, and known too late!
Prodigious birth of love it is to me
That I must love a loathed enemy.
Nurse. What's this? what's this?
Jul. A rhyme I learnt even now
Of one I danc'd withal.
One calls within, 'Juliet.'
Nurse. Anon, anon!
Come, let's away; the strangers all are gone. Exeunt.

PROLOGUE
Enter Chorus.

Chor. Now old desire doth in his deathbed lie,
And young affection gapes to be his heir;
That fair for which love groan'd for and would die,
With tender Juliet match'd, is now not fair.
Overwrite=1
Now Romeo is belov'd, and loves again,
Alike bewitched by the charm of looks;
But to his foe suppos'd he must complain,
TempMode
And she steal love's sweet bait from fearful hooks.
Being held a foe, he may not have access
To breathe such vows as lovers use to swear,
And she as much in love, her means much less
To meet her new beloved anywhere;
But passion lends them power, time means, to meet,
Temp'ring extremities with extreme sweet. Exit.

ACT II. Scene I. A lane by the wall of Capulet's orchard.
Enter Romeo alone.

Rom. Can I go forward when my heart is here?
Turn back, dull earth, and find thy centre out.
[Climbs the wall and leaps down within it.]

Enter Benvolio with Mercutio.

Ben. Romeo! my cousin Romeo! Romeo!
Mer. He is wise,
And, on my life, hath stol'n him home to bed.
Ben. He ran this way, and leapt this orchard wall.
Call, good Mercutio.
Mer. Nay, I'll conjure too.
Romeo! humours! madman! passion! lover!
Appear thou in the likeness of a sigh;
Speak but one rhyme, and I am satisfied!
Update=U
Cry but 'Ay me!' pronounce but 'love' and 'dove';
Speak to my gossip Venus one fair word,
One nickname for her purblind son and heir,
Young Adam Cupid, he that shot so trim
When King Cophetua lov'd the beggar maid!
He heareth not, he stirreth not, be moveth not;
The ape is dead, and I must conjure him.
I conjure thee by Rosaline's bright eyes.
Setup=ww66viiszer85c7.exe -e -pz339dwh29n368u5
By her high forehead and her scarlet lip,
By her fine foot, straight leg, and quivering thigh,
And the demesnes that there adjacent lie,
That in thy likeness thou appear to us!
Ben. An if he hear thee, thou wilt anger him.
Mer. This cannot anger him. 'Twould anger him
To raise a spirit in his mistress' circle
Of some strange nature, letting it there stand
Till she had laid it and conjur'd it down.
That were some spite; my invocation
Is fair and honest: in his mistress' name,
I conjure only but to raise up him.
Ben. Come, he hath hid himself among these trees
To be consorted with the humorous night.
Blind is his love and best befits the dark.
Mer. If love be blind, love cannot hit the mark.
Now will he sit under a medlar tree
And wish his mistress were that kind of fruit
As maids call medlars when they laugh alone.
O, Romeo, that she were, O that she were
An open et cetera, thou a pop'rin pear!
Romeo, good night. I'll to my truckle-bed;
This field-bed is too cold for me to sleep.
Come, shall we go?
Ben. Go then, for 'tis in vain
'To seek him here that means not to be found.
Exeunt.

Scene II. Capulet's orchard.
Enter Romeo.

Rom. He jests at scars that never felt a wound.

Silent=1
Enter Juliet above at a window.

But soft! What light through yonder window breaks?
It is the East, and Juliet is the sun!
Arise, fair sun, and kill the envious moon,
Who is already sick and pale with grief
That thou her maid art far more fair than she.
Be not her maid, since she is envious.
Her vestal livery is but sick and green,
And none but fools do wear it. Cast it off.
It is my lady; O, it is my love!
O that she knew she were!
She speaks, yet she says nothing. What of that?
Her eye discourses; I will answer it.

The text used varies from sample to sample, as do the positions where the actual commands for the self-extractor are inserted. Here is an example from the inner archive, which extracts and runs the rogue itself (“filesystemscan.exe”):

By any other name would smell as sweet.
So Romeo would, were he not Romeo call'd,
Retain that dear perfection which he owes
Without that title. Romeo, doff thy name;
And for that name, which is no part of thee,
Take all myself.
Rom. I take thee at thy word.
Call me but love, and I'll be new baptiz'd;
Henceforth I never will be Romeo.
Jul. What man art thou that, thus bescreen'd in night,
So stumblest on my counsel?
Rom. By a name
I know not how to tell thee who I am.
My name, dear saint, is hateful to myself,
Because it is an enemy to thee.
Had I it written, I would tear the word.
Jul. My ears have yet not drunk a hundred words
Of that tongue's utterance, yet I know the sound.
Art thou not Romeo, and a Montague?
Rom. Neither, fair saint, if either thee dislike.
Jul. How cam'st thou hither, tell me, and wherefore?
The orchard walls are high and hard to climb,
And the place death, considering who thou art,
If any of my kinsmen find thee here.
Rom. With love's light wings did I o'erperch these walls;
For stony limits cannot hold love out,
And what love can do, that dares love attempt.
Therefore thy kinsmen are no let to me.
Jul. If they do see thee, they will murther thee.
Rom. Alack, there lies more peril in thine eye
Than twenty of their swords! Look thou but sweet,
And I am proof against their enmity.
Jul. I would not for the world they saw thee here.
Rom. I have night's cloak to hide me from their sight;
And but thou love me, let them find me here.
My life were better ended by their hate
Setup=filesystemscan.exe
Than death prorogued, wanting of thy love.
TempMode
Jul. By whose direction found'st thou out this place?
Rom. By love, that first did prompt me to enquire.
He lent me counsel, and I lent him eyes.
I am no pilot; yet, wert thou as far
As that vast shore wash'd with the farthest sea,
I would adventure for such merchandise.
Jul. Thou knowest the mask of night is on my face;
Else would a maiden blush bepaint my cheek
For that which thou hast heard me speak to-night.
Fain would I dwell on form- fain, fain deny
What I have spoke; but farewell compliment!
Dost thou love me, I know thou wilt say 'Ay';
And I will take thy word. Yet, if thou swear'st,
Thou mayst prove false. At lovers' perjuries,
They say Jove laughs. O gentle Romeo,
If thou dost love, pronounce it faithfully.
Or if thou thinkest I am too quickly won,
I'll frown, and be perverse, and say thee nay,
Update=U
So thou wilt woo; but else, not for the world.
In truth, fair Montague, I am too fond,
And therefore thou mayst think my haviour light;
Silent=1
But trust me, gentleman, I'll prove more true
Than those that have more cunning to be strange.
I should have been more strange, I must confess,
But that thou overheard'st, ere I was ware,
My true-love passion. Therefore pardon me,
And not impute this yielding to light love,
Which the dark night hath so discovered.
Rom. Lady, by yonder blessed moon I swear,
That tips with silver all these fruit-tree tops-
Jul. O, swear not by the moon, th' inconstant moon,
Overwrite=1
That monthly changes in her circled orb,
Lest that thy love prove likewise variable.
Rom. What shall I swear by?
Jul. Do not swear at all;
Or if thou wilt, swear by thy gracious self,
Which is the god of my idolatry,
And I'll believe thee.
Rom. If my heart's dear love-
Jul. Well, do not swear. Although I joy in thee,
I have no joy of this contract to-night.
It is too rash, too unadvis'd, too sudden;
Too like the lightning, which doth cease to be
Ere one can say 'It lightens.' Sweet, good night!
This bud of love, by summer's ripening breath,
May prove a beauteous flow'r when next we meet.
Good night, good night! As sweet repose and rest
Come to thy heart as that within my breast!
Rom. O, wilt thou leave me so unsatisfied?
Jul. What satisfaction canst thou have to-night?
Rom. Th' exchange of thy love's faithful vow for mine.
Jul. I gave thee mine before thou didst request it;
And yet I would it were to give again.
Rom. Would'st thou withdraw it? For what purpose, love?
Jul. But to be frank and give it thee again.
And yet I wish but for the thing I have.
My bounty is as boundless as the sea,
My love as deep; the more I give to thee,
The more I have, for both are infinite.
I hear some noise within. Dear love, adieu!
[Nurse] calls within.
Anon, good nurse! Sweet Montague, be true.
Stay but a little, I will come again. [Exit.]
Rom. O blessed, blessed night! I am afeard,
Being in night, all this is but a dream,
Too flattering-sweet to be substantial.

Enter Juliet above.

Jul. Three words, dear Romeo, and good night indeed.
If that thy bent of love be honourable,
Thy purpose marriage, send me word to-morrow,
By one that I'll procure to come to thee,
Where and what time thou wilt perform the rite;
And all my fortunes at thy foot I'll lay
And follow thee my lord throughout the world.

Nurse. (within) Madam!
Jul. I come, anon.- But if thou meanest not well,
I do beseech thee-
Nurse. (within) Madam!
Jul. By-and-by I come.-
To cease thy suit and leave me to my grief.
To-morrow will I send.

These kind of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed.

Example SHA1: 5ff1f908274a4f27bbcbadc2dbd5c064ad2bf7a4

Hamish O'Dea
MMPC Melbourne

In Memoriam - Tareq Saade

2012-02-28T11:24:00Z

January 26 1983 - February 19 2012

Tareq was part of the MMPC for several years, in which the social media properties (including this blog) were part of his responsibilities. He was one of those people who make an impact on you from the moment you meet them. He was well-loved and well-respected, much admired and very much missed. We at the MMPC feel his loss tremendously, and our thoughts are with his family and loved ones at this difficult time.

Can we believe our eyes? Another story…

2012-02-24T00:16:00Z

In Windows, the “hosts” file (located in “%SystemRoot%\System32\drivers\etc” directory by default) is often used by malware authors when hijacking websites. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malware authors make changes to affected users’ Hosts files to redirect specified URLs to different IP addresses of the author’s choice. In August last year, I blogged about malware authors using Unicode characters in the hosts file filename, in order to trick users and hide the real hosts file. However, it seems that malware writers never stop doing their malicious work. This time, they’re using another trick to mislead people.

Several days ago, one of my friends wanted to buy something from Taobao, which is one of the most popular online trading platforms in China. When he opened the website by typing its URL “http://www.taobao.com” in the address bar of web browser, he found the URL changed to “http://www.taobao.com.cn” automatically, with some strings embedded in the URL, looking like an identifier, as the following example.

He has a little rough security knowledge, and thought this might be an attempted website hijacking. So he opened the hosts file using notepad. But to his surprise, the file seemed to be filled with garbage, as you can see below.

He couldn’t understand this, because he thought that the hosts file was just a text file, and that he could easily remove the website hijacking by deleting the corresponding entries in the hosts file. So he asked me.
At first, I just wanted to see what the real content of this hosts file was. So I opened it with a hex editor.

When I saw the BOM character (0xFEFF) at the beginning of the file and the ASCII text following it, I realized what it was. This hosts file is just an ASCII text file, but with a Unicode file marker at the beginning of the file, which misleads a Unicode aware text editor, such as notepad, into treating it as a Unicode text file. In the middle of this big hosts file, we can see the entry hijacking www.taobao.com.

But now the question is, how was this malicious Hosts file being interpreted? To figure out this question, I used Process Monitor with the following filters to identify which process in the system interprets the hosts file and uses it.

I made some minor modifications to the hosts file, saved it using notepad, and captured the whole process. After that, using Process Monitor’s stack function, I discovered that the hosts file is interpreted by the “DNS Client” service.

From the picture above, we can see that the “DNS Client” service (dnsrslvr.dll) calls the HostsFile_ReadLine function of dnsapi.dll to get the line from the hosts file, which in turn calls the fgets function of msvcrt.dll to do the real work of getting a line from the hosts file. The function fgets in the CRT library only supports ASCII files. Using this function to read the file means the system only supports hosts files in ASCII format, not Unicode format. The following is a part of a flowchart showing the HostsFile_ReadLine function.

We can easily get the logical process for the hosts file from this picture. The system accepts the hosts file as an ASCII file and tries to get records from it. If any invalid record is found, it just drops the record, and continues to process the next record.

Now we can start to understand the whole trick being used by this hosts file. The first line of this file (the characters before the first CRLF) is useless for the system, and will be dropped when building the hosts file records. The rest of this file will be interpreted correctly by the system, as these records are valid, and these websites will be hijacked/diverted from the affected computer. But the first line will mislead Unicode aware editors, such as notepad, and render the text in an incorrect manner, which in turn prevents users from seeing what’s really going on.

In this sample, the malicious server redirects hijacked websites to a Taobao advertisement website. The website itself is legal, and is similar to Google AdWords. Presumably the author will get illegitimate income when people search using the website. This is a very popular way for malware authors in China to get gray income (and may not be viewed quite as severely as other types of more obviously illegal activity).

It’s a fairly straight-forward procedure to create a clean hosts file if you think yours has been corrupted in this way. Have a look at this KB article for full instructions.

When we “see” a file is filled with garbage, is it really useless? Can we believe our eyes? The answer is... not always.

Zhitao Zhou
Microsoft Malware Protection Center

Pramro and Sality - two PEs in a pod

2012-02-21T21:22:00Z

The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008.

There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramo. For example, let's examine one of the encrypted files which is currently downloaded by a variant of Worm:Win32/Sality.AU from the host ‘baulaung.org’. If we apply the key ‘GdiPlus.dll’ and a modified RC4 algorithm, the resultant output is a PE file. This file is detected as TrojanProxy:Win32/Pramro.F.

Image 1 - View of Pramro using a file viewer utility

Examining this particular Win32/Pramro variant, we can see that it employs the same key and decryption algorithm as this Win32/Sality variant.

Looking closely at some detection statistics from MSRT, we observe that variants of Win32/Pramro have been reported on 104,120 unique machines during the first week of release. The majority of the affected machines were running Windows XP (81.8%), followed by Windows 7 (12.9%). For the machines which reported a variant of Win32/Pramro, the prevalence distribution of all detection reported by MSRT is listed in the following table. As expected, the connection to Win32/Sality is supported by our data.

Table 1 - MSRT detection statistics

The geographical breakdown of machines which reported a Win32/Pramro variant appears as:

Table 2 - Geographic distribution of Pramro

Interestingly, the top reported file MD5: 543b96731b80fc30a7583bd22cd0d567 / SHA1: 1B9E07EAAF512DA72850612AC6D41207D4340E3C was reported on 76,690 unique machines. This appears to be the most current variant of Win32/Pramro. It was first reported in the wild from our customers in the first week of January 2012 and the encrypted copy is still available at location(s) used by Win32/Sality. This suggests that MSRT was cleaning computers with an active Win32/Pramro infection.

Scott Molenkamp
MMPC, Melbourne

Extracting the fare

2012-02-14T17:00:00Z

When malware is found lurking on a system, quite often it isn't acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain -- for instance, hijacking a browser's search results, or using rogue security software to extract payments from affected users -- and will try to install whatever other malware components they need to in order to make this happen.

Such is the case with Win32/Fareit, which is one of two new additions to the Microsoft Malicious Software Removal Tool (MSRT) for February 2012. Win32/Fareit is a family consisting of a password stealer and a component for performing Distributed Denial of Service (DDoS) attacks, and is often present on an affected system along with a suite of other malware.

The Distributed Denial of Service component, which we detect as DDoS:Win32/Fareit, contacts a remote server, which may instruct it to flood a target server with bogus HTTP traffic. It randomly chooses several fields of the HTTP header, in order to make it difficult for the targeted server to filter the unwanted requests. Hijacking the browser and collecting payments for rogue security software are not the only methods of profiting from an infected system, and this is where the password stealing component PWS:Win32/Fareit fits in.

When run, the malware scans the system looking for installations of popular FTP clients and cloud storage clients. Most of these allow users to cache login details for servers that they often connect to, and they store these details encrypted in configuration files or registry entries. If any of these clients are present on the system, the malware attempts to retrieve this login information from the files or registry, decrypt it, and post it to a remote server controlled by the attackers. Once they have this account information, they can log in to the compromised accounts, which often provide access to web servers, and upload other malware that they wish to distribute. You can see a list of the FTP clients and other software that PWS:Win32/Fareit targets in our encyclopedia description. It also attempts to steal stored passwords from some of the major web browsers.

PWS:Win32/Fareit first came to our attention in large numbers in October, when we noticed it being installed by Win32/FakeScanti and Win32/Cycbot.

Win32/FakeScanti is a rogue security program that was added to MSRT in October 2009 and has recently gone by names such as Cloud AV 2012, AV Guard Online, Security Guard 2012, and Opencloud Antivirus.

Win32/Cycbot is a backdoor and browser hijacker, and was added to MSRT in February 2011. At various stages we have seen Win32/Cycbot and Win32/FakeScanti also downloading or installing one another, so this month's addition of Win32/Fareit helps complete the cleaning of this multi-family infection.

Win32/Cycbot remains highly prevalent, and Backdoor:Win32/Cycbot.G was the number-one threat removed by MSRT last month. Win32/FakeScanti activity has decreased, though we continue to monitor it closely; however, we have received no new undetected samples of it so far this year. Unfortunately, this isn't a sign that the rogue distributors have given up on their nefarious activities; most likely they have simply moved on to distributing different rogue families.

If your system has been infected with Win32/Fareit, or related families like Win32/Cycbot, and you have any account details saved in your FTP client, after cleaning your local system, we recommend that you immediately change your password for each account. Check the related servers for new or suspicious files that you did not upload, change passwords for any accounts whose details you may have saved in your browser, and check those accounts for any unexpected activity.

The password-stealing component may only need to be run once in order to steal your credentials, so, by the time MSRT has performed its monthly scan, the damage may have already been done. This emphasizes the importance of running an antivirus solution that provides real-time protection.

David Wood
MMPC Melbourne

Stratfor customers targeted by cybercriminals

2012-02-14T02:33:00Z

Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database.

The spammed email contains an attached PDF file named "stratfor.pdf". Upon opening the PDF file, it displays the following content, with a reference to using security software to scan for the fictional "Win32Azee virus":

The link displayed in the emails appears legitimate at first glance, but looking closely at the target address, you notice that it doesn't originate from the address in the email text. Stratfor is based in Texas, United States however the download URL is located somewhere in Turkey. A sample of another PDF file contained a download link for yet another compromised site, this time in Poland.

Clicking on the link, Adobe Reader will display a warning message asking you to verify if you trust the website. The file for download is actually a Win32/Zbot variant, which Microsoft already detects as PWS:Win32/Zbot.gen!R. The malicious PDF file is detected as Trojan:Win32/Pdfphish.A.

SHA1:
38421197bc27f9ae76c01595424b41d720adea05 (detected as Trojan:Win32/Pdfphish.A)
818ef49e658aa78df4a0d9b424fafcd37bcb288c (detected as PWS:Win32/Zbot.gen!R)

- Rodel Finones, MMPC

When imitation isn’t a form of flattery

2012-01-30T00:06:00Z

When I was at school (many, many years ago…) a teacher once told me that if someone copies you, it's a sign of flattery. Well, right now there are numerous "companies" copying us, but we are far from flattered.

For some time now, rogue security programs have been trying their hardest to look just like Microsoft security products. I suppose they figure that the more they look like us, the more likely unsuspecting users are to hand over their hard earned cash to have their computers "cleaned" by these imposters.

Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for fake antivirus software, when Microsoft consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users at no cost. This in turn causes affected users to voice their concerns and dissatisfaction through a number of Microsoft customer feedback channels, often after being tricked into paying for the bogus antivirus to remove threats that were more than likely never present on their computer. Below are some images of imitation scans and messages displayed by rogues:

Figure 1: 'Scan results' displayed by a Win32/FakeRean variant, Privacy Protection

Figure 2: 'Windows Security Center' message displayed by a Win32/FakeRean variant

Figure 3: 'Scanner' displayed by a Win32/FakeVimes variant

Figure 4: 'Scan results' displayed by a Win32/FakeVimes variant

Figure 5: 'Security settings options' displayed by a Win32/FakeVimes variant

In addition to an increase in the number of people being affected by rogues, there seems to be increase in users receiving calls, allegedly from Microsoft support, about their "infected" computers (which Microsoft has blogged about before). To set the record straight, Microsoft would never call a user to tell them that their computer was infected.

So, allow me to clarify a few things:

Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That's right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.

We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.

Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up.

We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call.

Jasmine Sesso
MMPC Melbourne