Nov 11

Trojan Spy Scam Email Campaign

In the last few days we have received a large number of scam emails pretending to originate from the Mazon State Bank, Fedwire (Federal Reserve Wire Network), Hinsdale Bank & Trust Co. and many others. Most of these emails claim to contain information about a money transfer or about the account being disabled.

Of course the emails are scams; their goal is to make victims click links that lead to malicious websites. The websites run the BlackHole exploit kit, which infects the visiting computer with a trojan spy by exploiting known (and long since patched) vulnerabilities, e.g. the MDAC vulnerability CVE-2006-0003.

BlackHole Exploit

The malicious site additionally prompts the user to update Adobe Flash Player. This is also fake: if the victim clicks that link, another malware file is downloaded. Emsisoft Anti-Malware detects it as a variant of Trojan-PSW.Win32.Zbot and Trojan-PSW.Win32.SpyEye.

Malicious site

There are many different variants of the scam emails; here are some of them:

Trojan Spy - Scam Email #1

Dear account holder,

I regret to inform you that Money Transfer sent by you or on your behalf was hold by Mazon State Bank.

Transaction ID: 1707018975
Current status of transaction: on hold

Please review transaction details as soon as possible.

Eddy W. Jackson
Treasury Management

Trojan Spy - Scam Email #2

Good afternoon,

Your Account: Business Account XXX

Wire Amount: $ 72,549.89
Transaction Report: View

The wire transfer will be processed within 2 hours. Please make sure that everything is as you requested.

ELAINE GALVAN,
Federal Reserve Wire Network

Trojan Spy - Scam Email #3

Dear Account Holder,

I regret to inform you that Domestic Wire Transfer initiated by you or on your behalf was hold by Hinsdale Bank Trust Co.

Transaction ID: 1703559264
Current status of transaction: pending

Please review transaction details as soon as possible.

Sally Thorpe
Accounting Manager
Hinsdale Bank Trust Co

 

Oct 08

Spam email: “Is Steve Jobs Really Dead?”. Beware!

News about the death of Steve Jobs is being exploited by cyber-criminals, who are sending spam emails tied to the event. The spam emails carry subjects such as “Steve Jobs: Not Dead Yet!“, “Is Steve Jobs Really Dead?“, “Steve Jobs Alive!“ or “Steve Jobs Not Dead!“.

Steve Job - Spam Email - Malware

Clicking the link takes the user to a site hosting the BlackHole exploit kit, which runs a number of exploits that download and execute malware.

Steve Jobs - Spam Email - BlackHole Exploit

When executed, the malware downloads further files and within a minute turns the victim’s machine into a spam bot:

Steve Jobs - Spam Emails

Some malicious links provided in the email:

http://[censored]sting.info/am.html

http://[censored]yedge.net/noted.html

http://[censored]k.com/during.html

http://[censored]ilter.com.tr/hope.html

http://[censored]cu.com/dead.html

http://[censored]nnanatural.com/camp.html

http://[censored]-host.net/already.html

http://[censored]n.info/Mississippi.html

http://[censored]smaket.com/stone.html

http://[censored]rhotel.com/mill.html

http://[censored]ilthung.com/stems.html

http://[censored]llow.com/exact.html

http://[censored]tars.net/ten.html

http://[censored]hange.com/made.html

http://[censored]readingschedule.com/drive.html

http://[censored]ddy247events.co.za/Betsy.html

http://[censored]sinteract.com/arrangement.html

http://[censored]aservic.com/occasionally.html

http://[censored]ndtripp.com/improve.html

Currently the detection rate is very low: only 3 of 43 antivirus engines detect this malware. Emsisoft Anti-Malware detects it as Trojan.Win32.Spambot.

Aug 29

Emsisoft warns: Zbot trojan spreads by fake Facebook friend request

Every Facebook user is familiar with the friend-request notification emails Facebook sends. But you should be careful: our malware analysis team has found that these emails are now being imitated to infect users with malicious software.

Facebook Friend Request - Phishing Email

In this case we received a phishing email with the subject “Kaamil Mahmoud wants to be friends on Facebook.“. When the user clicks the “Confirm Friend Request” link, however, he is not taken to facebook.com but to the following address instead: hxxp://session49778166786155.downtohole.com/confirm/req/

Fake Facebook Page

The link leads to a fake Facebook page showing the message “Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player”. When the user clicks the “Download and Install“ link, the browser downloads a malware file named updateflash.exe, which contains the well-known Trojan Zeus, also known as Zbot.

Hidden Iframe

Unfortunately, not executing the file does not mean the victim escapes infection: the fake Facebook page also loads another address (hxxp://vampirefishsd.com) in the background. An exploit script belonging to the BlackHole Exploit Kit runs on that website, and its address is placed in a hidden iframe so that the browser fetches it without anything being visible on the page.

Whois records show that vampirefishsd.com was registered just a few days ago.

Created On: 8/23/2011 3:38:46 PM
Expires On: 8/23/2012 3:38:46 PM
Last Updated On: 8/23/2011 3:38:46 PM
Domain Status:

Registrant [PAK11082372783-1]:
NA
Minette Bazin jones@mail13.com
3059 Pitfield Blvd
St Laurent, QC H4S 1H3
CA
Phone: 1.514817375 Ext:
Fax: 1.

BlackHole Exploit Kit - Obfuscated

Exploit Script - Deobfuscated

The exploit script tries to infiltrate the victim’s computer by exploiting several vulnerabilities. One of them targets Java and allows the attacker to run the malware automatically, without the user’s knowledge and without requiring any interaction at all.

We advise you to update your operating system and all applications regularly, including the security software you use. Second, be careful with suspicious emails: genuine emails from Facebook always contain your name, and their links should, of course, point to the legitimate Facebook website. Note that the real domain is only the last part of the host name, so a link to facebook.com.example.net does not point to Facebook.
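The two checks recommended above (do the links point at the real Facebook domain, and does the landing page pull in a hidden iframe, as in the scam emails and the fake friend request described in these posts) can be automated. The following Python script is an added example, not Emsisoft's code: the sample email and landing-page HTML are constructed for it, modelled on the case above, and the function names are my own. `is_under()` matches domain labels rather than substrings, which is the mistake that lets `facebook.com.evil.example` through.

```python
"""Check the links in a suspicious notification email and the page it lands on.

Added example, not Emsisoft's code. SAMPLE_EMAIL_HTML and SAMPLE_LANDING_HTML
are constructed test data modelled on the fake Facebook friend request above.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the "Confirm Friend Request" button points off-site.
SAMPLE_EMAIL_HTML = """
<p>Kaamil Mahmoud wants to be friends on Facebook.</p>
<a href="hxxp://session49778166786155.downtohole.com/confirm/req/">Confirm Friend Request</a>
<a href="https://www.facebook.com/help/">Help Center</a>
<a href="http://facebook.com.evil.example/login">facebook.com</a>
"""

# Constructed sample landing page: Flash-update lure plus a hidden iframe.
SAMPLE_LANDING_HTML = """
<p>Your version of Macromedia Flash Player is too old to continue.</p>
<a href="hxxp://vampirefishsd.com/updateflash.exe">Download and Install</a>
<iframe src="hxxp://vampirefishsd.com/" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
"""


class _Collector(HTMLParser):
    """Collects <a> links with their visible text, and <iframe> attributes."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, visible text)
        self.iframes = []    # attribute dicts
        self._open_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open_href = a["href"]
            self._text = []
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._open_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            self.links.append((self._open_href, "".join(self._text).strip()))
            self._open_href = None


def host_of(url):
    """Lower-cased host of a URL; defanged hxxp:// links parse the same way."""
    return (urlsplit(url).hostname or "").lower()


def is_under(host, domain):
    """True if host is domain or a subdomain of it, compared label-wise, so
    'facebook.com.evil.example' and 'notfacebook.com' are both rejected."""
    return host == domain or host.endswith("." + domain)


def off_brand_links(html, legit_domains):
    """Links whose host is not under any of the domains the sender should use."""
    p = _Collector()
    p.feed(html)
    return [(href, text) for href, text in p.links
            if not any(is_under(host_of(href), d) for d in legit_domains)]


def hidden_iframes(html):
    """src of every iframe that is sized to nothing or hidden by inline CSS."""
    p = _Collector()
    p.feed(html)
    found = []
    for a in p.iframes:
        style = (a.get("style") or "").replace(" ", "").lower()
        zero = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if zero or hidden:
            found.append(a.get("src"))
    return found


if __name__ == "__main__":
    for href, text in off_brand_links(SAMPLE_EMAIL_HTML, ["facebook.com"]):
        print(f"link '{text}' goes to {host_of(href)}, not Facebook")
    for src in hidden_iframes(SAMPLE_LANDING_HTML):
        print(f"hidden iframe loads {src}")
```

The iframe check only covers inline attributes and styles; a kit that hides the frame through an external stylesheet or positions it off-screen with JavaScript needs the rendered DOM, not the raw HTML.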

Jul 27

Take care of this new Facebook scam: Amy Winehouse SHOCKING Video Before Death

Singer Amy Winehouse was found dead at her home in Camden, London on Saturday 23 July. The tragedy naturally caused a stir among her fans, and unfortunately it was easy to predict that such sad news would be used by cybercriminals. On Facebook we found many scam messages about a supposed video of Amy Winehouse’s death.

Facebook Scam - Amy Winehouse

If the user clicks the link, as with most scams on Facebook, he is taken to a survey page and has to complete the survey before he may proceed. This is one of the blackhat tricks for earning money: every time a user completes the survey, the criminals receive an affiliate commission. Usually the user is also required to share the message with his Facebook friends, so it spreads further.

Facebook Scam Survey - Amy Winehouse

Facebook Scam Survey - Amy Winehouse

Facebook Scam Survey - Amy Winehouse

 

In addition to surveys and earning money, another purpose of these Facebook scams is to collect “Likes” from as many Facebook users as possible in order to promote a site or blog, or even to increase the number of views of a YouTube video.

This is another example of the scam on a non-English page:

Facebook Scam - Amy Winehouse

Users have to click the “Like” button to continue:

Facebook Likejacking 1

Users have to share this on their wall with the default text “omg :((( !!! F*ck!”:

Facebook Likejacking 1

Facebook Likejacking 3

“KLIKNĚTE NA TENTO ODKAZ” in English: “Click on this link”.

Facebook Likejacking 4

After users click that link, they are forwarded to another site with the text “PRE SPUSTENIE VIDEA MUSITE KLIKNUT NA VSETKY PACI SA MI TO!!”, in English “To run the video, you must click on every Like button!”:

Facebook Likejacking 5

 

Jul 04

Warning about the first Google+ spam mails

Google has launched a competitor to Facebook with its new Google+ social networking platform. Users are following every piece of news from the IT scene with great interest, and many are eagerly waiting for an invitation to Google+. However, we warn against clicking too quickly: the first forged Google+ emails have already been detected. Anyone trusting the links in these forged emails quickly lands on websites offering fake pharmaceuticals or, in the worst case, on malware-infested websites.

 

We advise a healthy dose of skepticism when receiving emails that supposedly come from Google. Unprofessional layout and spelling mistakes are clear indications of a forgery. Real emails from the search engine giant are usually personalized, and the links always clearly point to Google domains.

Jun 24

Warning: New malware wants to steal your passwords

Social websites like Facebook and Twitter have become the number one channel for distributing new malware in 2011. This time a new bot targets Twitter users and spreads via the microblogging service. Emsisoft Anti-Malware detects this malware as Worm.Win32.Ngrbot. Read on to learn more about this outbreak and how to protect against it.

Malware spreads via Twitter

The malicious files we received use the picture of a woman as their icon and carry file names in the format “facebook-pic%number%.exe”. Our analysis shows that the malware is quite dangerous.

Malicious file icon

When executed, Ngrbot copies its main body to the directory “C:\Documents and Settings\%username%\Application Data\” on our test machines running Windows XP. The file name is generated using the HDD serial number as the initial key; if the malware fails to read the HDD serial number, it uses “1337B00B” (leetspeak) as the initial key instead.

1337B00B

One of its “features” is to block access to various security sites, including emsisoft.com, which indirectly prevents security programs from performing updates. The body of the worm contains the names of the blocked sites in encrypted form in its .data section:

String of blocked Antivirus/Anti-Malware

In addition, Ngrbot downloads a text file from hxxp://212.7.214.16/list.txt that contains 1,269 domains of websites and blogs related to computer security. This means the list of blocked sites can be updated remotely.

Wireshark - Download domain list

As self-defense, the malware also has rootkit capabilities to hide the files and registry entries it creates. Ngrbot installs a system-wide hook to inject itself into every running process and hooks the following APIs:

  • advapi32.dll.RegCreateKeyExW
  • advapi32.dll.RegCreateKeyExA
  • ntdll.dll.NtQueryDirectoryFile
  • ntdll.dll.NtEnumerateValueKey
  • ntdll.dll.NtResumeThread
  • ntdll.dll.LdrLoadDll
  • kernel32.dll.CopyFileW
  • kernel32.dll.CopyFileA
  • kernel32.dll.CreateFileW
  • kernel32.dll.CreateFileA
  • kernel32.dll.MoveFileW
  • kernel32.dll.MoveFileA
  • wininet.dll.InternetWriteFile
  • wininet.dll.HttpSendRequestW
  • wininet.dll.HttpSendRequestA
  • ws2_32.dll.getaddrinfo
  • ws2_32.dll.send
  • nspr4.dll.PR_Write

Ngrbot marks its presence on the infected system with mutexes named “s5rBKCUVfOF8JLVi” and “hex-Mutex”.

The API list contains several functions associated with networking: ws2_32.dll.send and the wininet.dll functions cover most Windows programs and Internet Explorer, and nspr4.dll.PR_Write is the NSPR socket write routine used by Firefox, so Ngrbot sees submitted form data before it is encrypted by SSL. This means Ngrbot can monitor the browsing activity of its victim. The malware communicates with its C&C server over the IRC protocol and transmits any information it finds on the victim’s computer to the author. The author can also instruct the malware to perform actions, for example to download another malicious file or to update the malware binary itself.
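Because Ngrbot injects into every process and overwrites the entry points of the APIs listed above, its hooks are visible from inside any newly started program, and its mutex names are visible to anyone who asks for them. The following Python script is an added example, not Emsisoft's tooling and not a reproduction of the bot: `hook_kind()` classifies the first bytes of a function entry as one of the usual inline-hook trampolines, `scan_current_process()` reads those bytes for each listed API in the running interpreter via ctypes, and `mutex_exists()` tries to open the two mutex names. The last two only work on Windows; the byte strings in `SAMPLES` are constructed test data.

```python
"""Look for user-mode API hooks and the Ngrbot infection-marker mutexes.

Added example, not Emsisoft's code. scan_current_process() and mutex_exists()
need Windows; hook_kind() is pure byte matching and runs anywhere.
"""
import ctypes
import sys

# APIs the post lists as hooked (nspr4.dll is only loaded inside Firefox).
HOOKED_APIS = [
    ("advapi32.dll", "RegCreateKeyExW"), ("advapi32.dll", "RegCreateKeyExA"),
    ("ntdll.dll", "NtQueryDirectoryFile"), ("ntdll.dll", "NtEnumerateValueKey"),
    ("ntdll.dll", "NtResumeThread"), ("ntdll.dll", "LdrLoadDll"),
    ("kernel32.dll", "CopyFileW"), ("kernel32.dll", "CopyFileA"),
    ("kernel32.dll", "CreateFileW"), ("kernel32.dll", "CreateFileA"),
    ("kernel32.dll", "MoveFileW"), ("kernel32.dll", "MoveFileA"),
    ("wininet.dll", "InternetWriteFile"), ("wininet.dll", "HttpSendRequestW"),
    ("wininet.dll", "HttpSendRequestA"), ("ws2_32.dll", "getaddrinfo"),
    ("ws2_32.dll", "send"), ("nspr4.dll", "PR_Write"),
]
NGRBOT_MUTEXES = ["s5rBKCUVfOF8JLVi", "hex-Mutex"]


def hook_kind(prologue: bytes):
    """Return the kind of trampoline found at a function entry, or None.

    Inline hooks overwrite the first instructions with a jump to the handler.
    A normal hot-patchable x86 prologue (mov edi,edi / push ebp) or an x64
    ntdll syscall stub (mov r10,rcx / mov eax,imm32) yields None.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:                         # jmp rel32
        return "jmp rel32"
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":                  # jmp [addr] / jmp [rip+disp]
        return "jmp [mem]"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return "push/ret"
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xFF\xE0":       # mov eax,imm32; jmp eax
        return "mov eax/jmp eax"
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xB8" and prologue[10:12] == b"\xFF\xE0":  # mov rax,imm64; jmp rax
        return "mov rax/jmp rax"
    return None


def scan_current_process(apis=HOOKED_APIS, nbytes=16):
    """Map 'dll!function' to hook_kind() of its entry bytes (Windows only).

    Ngrbot injects into every process, so a freshly started interpreter is a
    reasonable vantage point. DLLs or exports that are not present are skipped.
    """
    results = {}
    for dll, func in apis:
        try:
            module = ctypes.WinDLL(dll)
            addr = ctypes.cast(getattr(module, func), ctypes.c_void_p).value
        except (OSError, AttributeError):
            continue
        results[f"{dll}!{func}"] = hook_kind(ctypes.string_at(addr, nbytes))
    return results


def mutex_exists(name):
    """True if a mutex with this name exists in the current session (Windows only)."""
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.WinDLL("kernel32")
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return False


# Constructed entry-point byte strings for offline testing of hook_kind().
SAMPLES = {
    "clean x86 hot-patchable prologue": bytes.fromhex("8BFF558BEC"),
    "clean x64 syscall stub":           bytes.fromhex("4C8BD1B83F000000"),
    "inline hook, jmp rel32":           bytes.fromhex("E9001000009090"),
    "inline hook, jmp [mem]":           bytes.fromhex("FF2500000000"),
    "inline hook, push/ret":            bytes.fromhex("6878563412C3"),
}

if __name__ == "__main__":
    for label, prologue in SAMPLES.items():
        print(f"{label:36s} -> {hook_kind(prologue)}")
    if sys.platform == "win32":
        for api, kind in scan_current_process().items():
            if kind:
                print(f"{api} starts with a {kind} trampoline")
        for m in NGRBOT_MUTEXES:
            print(f"mutex {m}: {'present' if mutex_exists(m) else 'absent'}")
```

A jump at an API entry is a lead, not proof: some legitimate security products and Microsoft's own hot-patching place the same trampolines, so compare the bytes against the DLL on disk before drawing conclusions. The scan also sees only inline hooks; import- or export-table hooks and anything in kernel mode need other tools.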

Steal user account (gmail)

This is obviously very dangerous: if the victim logs into his email, Facebook, Twitter or even online banking account, these are no longer safe. One example is shown in the picture above; the string was found in a hijacked process:

Malware steals online banking accounts

Here you can see some online banking and payment sites: officebanking.cl, Alertpay, Moneybookers and PayPal.

On the infected computer Ngrbot also collects several pieces of information, such as the IP address and country of origin, by connecting to http://api.wipmania.com/.

On our test machine, the default page of the browser was also modified, leading to the site hxxp://redirecturls.info/ which then redirects to the following sites:

  • hxxp://best-articles.li
  • hxxp://bestarticles-ever.blogspot.com
  • hxxp://amazingarticles.info
  • hxxp://mega-articles.info

Change browser default page

MSN Messenger is also used as a spreading vector. The bot intercepts messages sent by the user and replaces them on the fly.

Malware hijack MSN Messenger messages

For example, in this case I tried to send the message “Hello” to a friend, but my friend actually received “LOL http://[MALICIOUS_LINK]“. The malicious URL that is sent out can vary, depending on what the C&C server instructs. The malware furthermore reports this action back to the C&C server.

Malware spreads via MSN Messenger

However, the author of Ngrbot seems to have a sense of humor despite being a criminal: he leaves messages for those trying to crack and analyze his malware.

Ngrbot message

May 24

How many viruses are made by anti-virus companies?

A commentary by Christian Mairoll, CEO of Emsisoft

Background

As CEO of an anti-virus company my friends and associates often ask me “Who writes all these viruses?” and hidden behind this question is the sometimes serious accusation that “You write them yourself, just to drum up business!”.

If only it were so simple… The reality is very different. Apart from the fact that this would be morally reprehensible and also illegal, it is actually pretty easy to show that it is technically impossible for the anti-virus companies to manufacture the sheer volume of viruses produced.

Cost/Benefit calculation

The currently produced Viruses, Trojans and Bots are the result of an enormous amount of programming work. Intentionally and unintentionally released source code only allows a rough estimate of the original effort required but one can easily assume that every new genus of Malware is the result of at least 1-3 months of programming work. New variants that are further developments of old Malware are of course easier to produce.

At Emsisoft, we add around 20,000 new Malware signatures (fingerprints) to our detection database every day, i.e. roughly half a million each month. Historical developments indicate that the number of new threats doubles each year. Emsisoft Anti-Malware currently has 5.5 million signatures in its database. This also includes many signatures that detect variants of the same Malware using generic detection, so the total number of signatures is less than the actual number of Malware programs.

If I were the CEO of an evil anti-virus company, I would first need a new employee to write a Virus in the first place. I would also need someone for further development and maintenance, to protect my investment by ensuring that the Virus still runs on future operating systems. Once the Virus was finally finished, it would be released into the wild and entered into the detection database of our own Antivirus software.

Great! In only one month we have managed to build one new Virus – one single Virus among 500,000 others in this month.

By now it should be clear to everyone that it simply makes no commercial sense for us to write the Viruses ourselves. The advantage obtained through detection of one extra piece of Malware, set against the unbelievable volume released each month, is simply too small. Even where the cost of hiring programmers in low-wage countries is very low, it is absolutely certain that no Antivirus manufacturer can afford to do this. Even all the Antivirus manufacturers in the world together would not be able to generate the current volume of new Malware.

Well, who then is writing all this new Malware?

Sorry to say but it seems that these are people who can earn much more money writing Malware than the Antivirus sector could ever earn by writing their own Malware.

10 years ago these programs were mostly written by hackers wanting to test the limits of what was possible, but these days an enormous amount of criminal energy and hard-core commercial enterprise lies behind most Malware. A centrally controlled network of several thousand hijacked PCs (a Botnet) can be used in a variety of ways. This massive amount of computing power can be hired as a package for various devious purposes: for sending Spam and Phishing emails, for coordinated web server overload attacks (DDoS) in order to blackmail companies, or as a proxy server network for hiding the traces of illegal activities. The largest detected Botnets such as Conficker, Rustock or Cutwail had over a million such “Zombie” computers available.

Other Malware authors attempt to convert their work directly into hard cash by encrypting important personal information and then demanding ransom money for decrypting the data (so-called Ransomware). Some Malware is directly targeted at specific companies or systems, for instance the sabotage attacks on the Iranian atomic energy program using the Stuxnet Malware at the end of 2010.

Antivirus = Virus

Another reason for the rumor that Antivirus companies write the Viruses is the increase in the number of fake Antivirus products (so-called Rogue Antivirus software). The authors of this type of Malware use names that are similar to well-known Antivirus brands to trick users into installing software that only pretends to detect Viruses. Forged detections are then used to urge the customer to purchase a “Full version”.

Conclusion

As you can see, Malware authors have many incentives to write new damaging software. All these incentives have one thing in common: They offer much greater rewards than the Antivirus companies could expect from writing their own Viruses. Quite apart from the fact that only one public example of this type of activity would be a legal, commercial and media disaster for an Antivirus manufacturer.

There is also the argument that Antivirus companies depend on the work of the Malware authors. This may be true, but our intentions lie at the opposite end of the moral spectrum and we are always doing our best to make the Internet a safer place.

 

Have a nice (Malware-free) day!

Christian Mairoll – CEO
www.emsisoft.com

 

May 18

May 21st the end of the world? (But malware still alive!)

Rumors that the world will end on May 21st 2011 have spread widely and the story has become very popular over the last few days; the cyber criminals are already aware of it too.

Google Images Search

When searching Google Images for the keyword “end of the world may 21st”, a dangerous image that leads to a malware site already shows up. That site uses keyword stuffing to increase its ranking on the search engine results page (SERP).

Keyword Stuffing

When a user clicks the malicious image, the browser displays the image as a thumbnail, but at the same time runs a malicious script that redirects the user to another malicious site. That site tries to exploit a Java Runtime Environment vulnerability to install malware on the victim’s machine.

Image redirect to malicious site

In case the exploit fails, the user is also presented with a download dialog for a PDF file. Once the user opens this malicious PDF, it tries to exploit an Adobe Reader vulnerability to download files from the Internet and launch the malware, which is actually a rogue application (FakeAV) known as Win 7 Security 2011 or XP Home Security 2011, the same malware seen in “The Royal Wedding” scam.

Win 7 Security 2011

As is typical of fake antivirus, once installed the rogue application automatically starts a scan and displays many fake warning messages claiming that your computer is infected with malware or under attack.

Apr 28

The Royal Wedding and The Fake Antivirus

The Royal Wedding of Prince William and Catherine Middleton that will be held tomorrow, on April 29, will attract the attention of many people around the world, and has become a trending topic on various websites, especially the social networking sites.

No doubt it also became an easy target for malware authors to spread their malware using SEO poisoning. This Black Hat SEO technique has been used by malware writers time and again: hot topics are used to improve the ranking of their sites in search engine results.

As you can see on Google Trends and Google Insights, the search volume increases massively, and it also happens on Facebook and Twitter.

When you do a search related to this, some of the results point to malicious websites.

When a victim clicks such a link, he is redirected to a malicious site that forces a download of a fake antivirus:

  • http://rnzrrljt.co.cc/[censored]
  • http://xnslrqlr.co.cc/[censored]

Both point to the IP address 78.26.179.10.

The malicious site shows fake scanning dialogs and also displays fake alert messages.

Once the downloaded file is executed, the rogue application starts its actions.

The name this rogue application uses varies. In our tests, the fake antivirus called itself “Win 7 Anti-Spyware” on Windows 7, but on XP it showed up as “XP Home Security 2011”.

Emsisoft Anti-Malware detects this malware as Trojan.Win32.FakeAV. Currently, according to VirusTotal, detection rates are still low: only 10 of 41 engines detect it.

Apr 19

“Download photoalbum” another variant of “i got u surprise”

Previously we wrote about the “i got u surprise” spam trojan on Facebook. Today we discovered yet another variant. This time the message received by the victim is just “u?” followed by a link, with the subject “Hello“.

When clicked, the link leads to the following address:

  • http://photo-album-#####.##/

The site only contains a message “Download photoalbum“, which is a link to the trojan file.

Just like the previous variants, when executed it sends the same spam message to every friend on Facebook. The data used for the spam is obtained by querying its C&C server, this time located at ddk100.com (previously ddk1000.org).

After decoding the C&C response, we get:

1000|60000|Hello|u?
[http://goo.gl/Slqcr|http://goo.gl/QL5pE|http://goo.gl/FEUHe|http://goo.gl/4ol7i|
http://goo.gl/uvKBq|http://goo.gl/9TC4b|http://goo.gl/Si0jK|http://goo.gl/DcpVL|
http://goo.gl/mxcsM|http://goo.gl/vDFeS|http://goo.gl/5pHda|http://goo.gl/NagRi|
http://goo.gl/l7vbA|http://goo.gl/CC7kk|http://goo.gl/5uoiD|http://goo.gl/6vALZ|
http://goo.gl/ucVv8|http://goo.gl/L62bA|http://goo.gl/Rf6iM|http://goo.gl/TuHXw|
http://goo.gl/VWMUT]

Another interesting feature: the malware is able to automatically create a dummy blog on Blogger.com and then shorten its URL with goo.gl. The blog is created shortly after the victim logs into his Google account, and the new blog URL together with its short URL are sent back to the C&C server. The blog serves purely as a redirector: its template is changed to load the address designated by “url.js”, which forwards the visitor to the malicious site hosting the malware.
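The decoded C&C response above is a small, pipe-delimited template: one header line with two numbers, the message subject and the message body, followed by a bracketed list of shortened links that wraps over several lines. The following Python script is an added example, not Emsisoft's code and not the malware's own: it parses that layout into fields, pulls out the goo.gl short codes as indicators, and checks whether an incoming message carries one of the listed links. The meaning of the two leading numbers is not stated in the post, so they are kept as opaque integers; `SAMPLE` is constructed from the response shown above.

```python
"""Parse the spam template the "Download photoalbum" trojan fetches from its C&C.

Added example, not Emsisoft's code. SAMPLE is constructed from the decoded
response shown in the post; the two leading numbers are kept opaque because
the post does not say what they mean.
"""
import re
from urllib.parse import urlsplit

SAMPLE = """1000|60000|Hello|u?
[http://goo.gl/Slqcr|http://goo.gl/QL5pE|http://goo.gl/FEUHe|http://goo.gl/4ol7i|
http://goo.gl/uvKBq|http://goo.gl/9TC4b|http://goo.gl/Si0jK|http://goo.gl/DcpVL|
http://goo.gl/mxcsM|http://goo.gl/vDFeS|http://goo.gl/5pHda|http://goo.gl/NagRi|
http://goo.gl/l7vbA|http://goo.gl/CC7kk|http://goo.gl/5uoiD|http://goo.gl/6vALZ|
http://goo.gl/ucVv8|http://goo.gl/L62bA|http://goo.gl/Rf6iM|http://goo.gl/TuHXw|
http://goo.gl/VWMUT]
"""


def parse_spam_template(text):
    """Split a decoded C&C response into its fields.

    Returns a dict with 'params' (the two leading integers), 'subject',
    'message' and 'urls'. Anything that does not match the observed layout
    raises ValueError, so a protocol change is noticed instead of misparsed.
    """
    header, _, tail = text.strip().partition("\n")
    fields = header.split("|")
    if len(fields) != 4:
        raise ValueError(f"expected 4 header fields, got {len(fields)}: {header!r}")
    m = re.search(r"\[(.*)\]", tail, re.S)
    if m is None:
        raise ValueError("no bracketed URL list after the header")
    # The list may wrap across lines; newlines carry no meaning.
    urls = [u.strip() for u in m.group(1).replace("\n", "").split("|")]
    urls = [u for u in urls if u]
    return {
        "params": (int(fields[0]), int(fields[1])),
        "subject": fields[2],
        "message": fields[3],
        "urls": urls,
    }


def short_codes(urls, shortener="goo.gl"):
    """Path components of the shortener links, usable as indicators before expansion."""
    return [urlsplit(u).path.lstrip("/") for u in urls
            if urlsplit(u).hostname == shortener]


def contains_known_link(message_text, urls):
    """True if an incoming message carries one of the template's links.

    Comparison ignores the scheme and trailing punctuation, so a defanged
    'hxxp://' copy of the link still matches.
    """
    known = {u.split("://", 1)[-1].rstrip("/") for u in urls}
    for token in message_text.split():
        if token.split("://", 1)[-1].rstrip("/.,!") in known:
            return True
    return False


if __name__ == "__main__":
    tpl = parse_spam_template(SAMPLE)
    print(f"subject={tpl['subject']!r} message={tpl['message']!r} "
          f"links={len(tpl['urls'])} params={tpl['params']}")
    print("goo.gl codes:", ", ".join(short_codes(tpl["urls"])))
    # A constructed incoming message, as a victim's friend would receive it.
    print(contains_known_link("u? http://goo.gl/Si0jK", tpl["urls"]))
```

Matching on the short link is only useful while the bot keeps using the same set; since the post shows it registers fresh Blogger redirectors and shortens them on demand, a block list built this way needs the same refresh cadence as the C&C feed.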

If you get a message that contains one of these links, please do not click it:

  • hxxp://goo.gl/Slqcr
  • hxxp://goo.gl/QL5pE
  • hxxp://goo.gl/FEUHe
  • hxxp://goo.gl/4ol7i
  • hxxp://goo.gl/uvKBq
  • hxxp://goo.gl/9TC4b
  • hxxp://goo.gl/Si0jK
  • hxxp://goo.gl/DcpVL
  • hxxp://goo.gl/mxcsM
  • hxxp://goo.gl/vDFeS
  • hxxp://goo.gl/5pHda
  • hxxp://goo.gl/NagRi
  • hxxp://goo.gl/l7vbA
  • hxxp://goo.gl/CC7kk
  • hxxp://goo.gl/5uoiD
  • hxxp://goo.gl/6vALZ
  • hxxp://goo.gl/ucVv8
  • hxxp://goo.gl/L62bA
  • hxxp://goo.gl/Rf6iM
  • hxxp://goo.gl/TuHXw
  • hxxp://goo.gl/VWMUT
  • hxxp://wpiulfcwa.blogspot.com/
  • hxxp://kstxmjqgk.blogspot.com/
  • hxxp://piajetqxo.blogspot.com/
  • hxxp://lqehqblph.blogspot.com/
  • hxxp://gtffwnzra.blogspot.com/
  • hxxp://tcjibfezs.blogspot.com/
  • hxxp://rxlabkufg.blogspot.com/
  • hxxp://wydqfrnnd.blogspot.com/
  • hxxp://dkrvrvhfr.blogspot.com/
  • hxxp://sqpdtvhqi.blogspot.com/
  • hxxp://vqujlkgco.blogspot.com/
  • hxxp://balpfvhmc.blogspot.com/
  • hxxp://cqfupksry.blogspot.com/
  • hxxp://ahvrmdfky.blogspot.com/
  • hxxp://lyglmonpx.blogspot.com/
  • hxxp://acyzqudbo.blogspot.com/
  • hxxp://nhbqcsrjz.blogspot.com/
  • hxxp://dagmajmtr.blogspot.com/
  • hxxp://fyjdppbyb.blogspot.com/
  • hxxp://txghihpgs.blogspot.com/
  • hxxp://oexfnbpuj.blogspot.com/

Emsisoft Anti-Malware detects the threat as Trojan-Downloader.Win32.FraudLoad. At the time of writing, the detection rate is still low, only 14 of 41 engines:

Join our Emsisoft Facebook page, and don’t forget to follow us on Twitter to stay up to date.