Wednesday, August 27, 2008

Malware in Space!

In an article by the BBC today, NASA confirms that a trojan virus designed to steal passwords and login information for online games such as World of Warcraft has found its way onto the International Space Station. Many of these games are popular mostly in Asia, such as Maple Story, HuangYi Online, and Talesweaver. This virus didn't even have to pay as much as Lance Bass did to the Russians before they denied his flight! The trojan, known as Gammima.AG, traveled to space on a laptop that was going to be used for official space business by an American astronaut. It originally made it onto this laptop by way of an infected USB thumb drive, at least that's their guess.
NASA told the space news website SpaceRef that no command or control systems were in danger of being infected by the virus, as the ISS has no direct connection to the net, and the virus relies on "calls home" to communicate.
Strangely enough, this isn't the first time a virus has made it into orbit, according to NASA and the BBC report. It's a sad day when you can't even log into WoW and grind safely for a couple of hours whilst in orbit anymore.

Monday, August 25, 2008

Malware Authors Stealing Babies

This malware campaign has been coming through so frequently that it's really pointless, and likely boring, for me to blog about every single variation that comes through. So, with that in mind, I do feel that it's at least a little interesting that the theme has changed up suddenly today.
Starting with the first new variant of the day, around an hour or so ago, the subject matter strayed away from what has become the norm of delivery notices and fake receipts to a more socially strange type of subject matter. The subject and body of this variant read "George W. Bush caught naked with Paris Hilton smoking marijuana". This email came with an attachment, photo.zip, which was supposedly a picture of the debacle. This is definitely odd, and painful to picture, but I just made a mental note. The second variant of the day is what prompted today's blog entry.
The subject of this one reads "We have hijacked you baby". The body of the email goes on to read:
"Hey We have hijacked your baby but you must pay once to us $50 000. The details will send later...
We has attached photo of your fume
attach password 123"
Another example of malware authors attempting to use fear in order to spread their infections. This one also contains an attachment named "photo.zip" which is supposedly of your 'fume'? I've never known that fume was another word for what I'm assuming is supposed to refer to the word baby, but I'm not claiming to be a master of language, any of them, as this sentence now proves.
Always be wary of emails from strangers, especially threatening ones; the threat is a technique used to get you upset, in one way or another, so that logical thinking and good decision making are diminished.
We are blocking all known variants of this campaign over here at AppRiver, but always stay vigilant.

Friday, August 22, 2008

Put Your Inbox on Bed Rest

If anyone's noticed any strange email lately, say in the past 2 months, claiming that the package you just tried to send never made it, by UPS or FedEx, or perhaps with a receipt for airline tickets you never purchased, loan contracts, business deals, a letter from the US Customs office, rental contracts, receipts thanking you for your $8000+ mortgage payment, or perhaps any of the aforementioned in a German or French version... you're surely not alone.
All of these have been pummeling email servers pretty much non-stop for the past month and a half, and they are all related in the sense that they are all being delivered by the same group/botnet. Early reports by Marshal told us that the Pushdo botnet was responsible for the first few, but no one has really placed blame since, so it makes me wonder; still, I'm sticking with Pushdo until I'm given proof to the contrary, since all of them do have that trademark early Pushdo style: simple, to-the-point social engineering emails with the virus attached, as opposed to a link to the malware like the Storm Worm employs.
At any rate, virus levels are at an all-time high, as far as traffic's concerned, and most of it is courtesy of this latest malware campaign. The chart below shows the total number of viruses quarantined here at AppRiver over the past year, broken down month by month. Wow, that's some crazy traffic! And to think this month isn't even over yet, and we're already up about 1600% from our average virus capture rates.

The really tough thing for AV companies with these recent attacks is the response time. When one of these campaigns starts with a new variant, very few Anti-Virus companies are able to detect it, and if they do, it's with heuristic scanning, but that has still been very rare. It has taken hours in some cases for even some of the biggest AVs to push signatures down to their subscribers, and by the time they do, the campaign is usually over and the next one has started. With anywhere from 2 to 4 variants a day on average from this thing, that's a ton of leakage. Luckily, here at AppRiver we're able to shut them down much faster, as we have a very manual approach: once we see a new campaign begin, we can take the sample, write a very quick byte-level signature, and put it directly in place so it begins protecting clients immediately, as opposed to having to wait for your AV company's client-side software to receive a new definition push.
It may look ugly out there, but fear not, we've got your back. I hate being self-promoting, or a braggart, but hey, it is Friday. I'm not sure what that means exactly, but I'm sticking to it.
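As an added illustration of the byte-level signature approach described above (example code written for this page, not AppRiver's own tooling), here is a minimal scanner: a signature is a hex byte pattern in which "??" is a one-byte wildcard, and a sample is flagged when every literal byte of the pattern lines up at some offset. The signature names, patterns and sample buffers are all constructed for the demonstration.

```python
# Added example (not AppRiver's code): a minimal byte-level signature scanner.
# Signature names, patterns and the sample buffers below are constructed.
from typing import List, Optional, Sequence, Tuple

# A signature is a name plus a byte pattern; None stands for a one-byte wildcard.
Signature = Tuple[str, Sequence[Optional[int]]]


def parse_hex_signature(name: str, pattern: str) -> Signature:
    """Turn 'DE AD ?? BE EF' into a (name, [0xDE, 0xAD, None, 0xBE, 0xEF]) signature."""
    values: List[Optional[int]] = []
    for token in pattern.split():
        if token == "??":
            values.append(None)
        elif len(token) == 2:
            values.append(int(token, 16))
        else:
            raise ValueError(f"bad token {token!r} in signature {name}")
    if not values:
        raise ValueError(f"empty pattern for signature {name}")
    return name, values


def find_signature(data: bytes, sig: Signature) -> int:
    """Return the offset of the first match of sig in data, or -1 if it never matches."""
    _, pattern = sig
    n = len(pattern)
    for offset in range(len(data) - n + 1):
        window = data[offset:offset + n]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            return offset
    return -1


def scan(data: bytes, signatures: Sequence[Signature]) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature that matches data."""
    hits = []
    for sig in signatures:
        offset = find_signature(data, sig)
        if offset >= 0:
            hits.append((sig[0], offset))
    return hits


def scan_file(path: str, signatures: Sequence[Signature]) -> List[Tuple[str, int]]:
    """Convenience wrapper: scan a file on disk, e.g. an extracted attachment."""
    with open(path, "rb") as fh:
        return scan(fh.read(), signatures)


# Constructed signatures: a code-shaped pattern whose immediates are wildcarded,
# and a short literal sequence. Real signatures would be cut from the real sample.
SIGNATURES = [
    parse_hex_signature("sig.constructed.variant-a", "55 8B EC 6A ?? 68 ?? ?? ?? ?? E8"),
    parse_hex_signature("sig.constructed.variant-b", "83 C4 04 C3"),
]

# Constructed "attachment": a fake MZ stub followed by bytes that hit both signatures.
SUSPECT_SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\x55\x8b\xec\x6a\x10\x68\x00\x10\x40\x00\xe8\xaa\xbb\xcc\xdd"
    + b"\x83\xc4\x04\xc3"
)
CLEAN_SAMPLE = b"PK\x03\x04" + b"\x00" * 20  # constructed; matches nothing

if __name__ == "__main__":
    print(scan(SUSPECT_SAMPLE, SIGNATURES))  # [('sig.constructed.variant-a', 16), ('sig.constructed.variant-b', 31)]
    print(scan(CLEAN_SAMPLE, SIGNATURES))    # []
```

The wildcards are what make such a signature survive the small per-variant changes (different addresses, different string offsets) that otherwise break an exact-bytes match; the trade-off is that a too-short or too-generic pattern will match clean files, so a new signature should always be run over a clean corpus before it goes live.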

Thursday, August 21, 2008

Clipboards Hijacked!

A new(ish) drive-by exploit has begun to be reported across the web in the past few days. This "attack", if you will, affects both Windows and Mac users, and occurs when a user visits a website with an infected Flash item. Of the reports that I've read, most of these have been on legitimate websites, including sites such as MSNBC.com.
This exploit's intent is to get people to unintentionally visit their malware sites where they can hit you with one of their social engineering techniques in order to get you to install spyware. Currently all of these have pointed towards fake anti-virus installs that encourage you to pay them in order to correct your "already infected" computer.
The way this exploit works is by taking over your computer's clipboard. Using Flash's 'setClipboard' command, it places a link to their malware site on your computer's clipboard. Therefore, any time you attempt to paste something from your clipboard, you are pasting their malicious URL. Even if you copy something new to your clipboard and then attempt to paste it somewhere, say in an IM to your friend or an email, you instead continue to paste the malicious URL. The attackers here are hoping you don't notice that you are helping them to spread their site across the intertubes, which is very likely considering people copy and paste things all day long. It could be in emails, on blogs, in Instant Messages, anywhere. It's especially effective when you receive the link from a friend who meant to paste something else. You're most likely going to trust links sent to you by someone you know, or with whom you pass links back and forth all the time. It is also likely that the infected user will attempt to paste a link into their own address bar; in this case they'll just end up going to the infected site themselves.
If you notice that you're pasting the same URL over and over, no matter what you copy, you'll need to flush your clipboard. All you'll need to do is shut down your browser and restart it, or in some cases you may be able to simply close the infected tab, if you can tell which one that may be. It seems like an easy solution, but until you notice that it's happening, this exploit could have plenty of time to spread its word.

Wednesday, August 20, 2008

Baby, One More, One More Time.

It's always good to see a familiar face, at least that's how the saying goes. However, when it comes to your inbox, and unsolicited email, it's definitely the opposite. Along with stories of Angelina Jolie, Natalie Portman, and Nicole Kidman, Britney Spears is often a harbinger of malware and misfortune in the email/interweb world. Just when you had almost even forgotten who she was, here she is again today with a special delivery.
Today's emails feature one of many different pictures of Britney, some from various photo shoots, and others that are, let's say, a little more candid, along with links that say things such as "hot video", "Download Video", "Movie Here", etc. Of course these links take you to one of many sites where you are to install the virus, entitled either Mov.exe in the first wave of emails or Vid.exe in the second wave.
VirusTotal is showing a 37% detection rate at the moment out of 35 different Anti-Virus engines, not too bad. AVG is even detecting it as a gift from the Storm Worm, how nice!
We at AppRiver are blocking these emails, and the links to the malware, so you'll have to settle for the cropped versions above.
Here are the domains and IPs associated with this current wave:

68.178.197.15
207.5.43.203
hanagasumi.net 125.100.100.14
kurushiunai.jp 125.100.100.14
lenapiel.com 193.41.235.105
bwlapdance.com 193.41.235.105
vaukary.com 200.58.100.2
anshi.com.ar 200.58.112.230
soft-corp.com.ar 201.235.253.7
roskiman.com 202.75.42.29
punniya.com.sg 203.116.95.203
technohub.co.th 203.121.144.20
matousconstruction.com 204.181.69.1
neptunegroup.net 207.106.22.54
conveying.com 207.44.250.15
mollinnovations.com 207.44.250.15
cesium-chloride.com 207.44.250.15
elexor.com 207.44.250.15
thomasregisterofnj.com 207.44.250.15
bulkconveyors.com 207.44.250.15
babaartslimited.com 207.45.186.122
handofset.com 208.109.181.17
elcihualteco.com 208.86.155.4
genclik19.com 209.160.41.164
7yascokgec.com 209.160.65.70
kampanya19.com 209.160.65.70
mavicanta.com 209.160.73.100
professionalinweb.in 209.97.214.175
mastersoftmobilesolutions.com 212.67.202.207
tokotor.cg.yu 213.149.105.28
de-plaggenmeijers.nl 213.188.129.78
aquamarin-t.ru 62.141.53.242
bajajinternational.com 63.247.85.245
aicsolucoes.com 64.21.33.193
ikarosstudios.com 64.34.164.148
airinfotech.in 64.49.223.79
kailashkher.com 65.98.67.74
mci12bucaramanga.com 66.197.162.117
modalegal.com.br 67.15.188.4
shadowzprotection.com 67.15.197.19
pop40.com.br 67.15.236.108
polidados.com 67.205.102.9
jotna.com 67.225.176.169
3dcartstores.com 67.228.128.34
bows-n-toes.com 68.178.197.78
gdbdev.com 68.178.254.7
meyers.com 69.2.241.100
thinkwrap.com 69.42.58.110
moyboy.org 69.42.58.20
bolinfodecarlos.com.ar 69.50.193.44
deltaenkayak.com.ar 69.50.193.44
webfilesargentina.com.ar 69.50.193.44
implex.net 69.54.32.130
sexysanjusto.com.ar 69.61.65.38
shopathomecafe.com 69.93.254.130
bandabandit.com.br 70.87.19.130
spe-mst.com 72.167.131.56
powerhouseoptions.com 72.167.94.201
jornalcidade.com 72.232.102.235
tiafatimaecia.com.br 72.232.230.160
maroproducciones.com 72.29.83.164
andresmosquerafotografia.com 72.29.85.52
thejonwebgroup.com 74.208.18.238
incibaharat.com 74.54.164.194
gofsbo.ca 74.86.61.43
mukeshgroup.in 75.127.81.214
agmerparana.com.ar 76.74.155.154
armaka.com 78.47.219.42
valuespace.de 82.165.87.108
bodegasadan.com 82.98.135.178
compfix.ru 83.229.186.150
albenahills.ru 83.98.189.245
eservglobal.com 84.14.169.35
jet-multimedia.de 85.13.136.250
fireline.hu 87.229.26.24
yoyo.pl 88.198.196.10
ic.cz 88.86.103.242
mysteria.cz 88.86.113.152
home.pl 89.161.132.205
jekatur.com 89.19.29.101
iskilipgazetesi.com 89.19.29.80
infofeed.ro 89.38.128.195
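The list above is most useful once it is parsed rather than read, so here is an added example (written for this page, not AppRiver's code) that turns a domain/IP list in exactly that layout into a de-duplicated blocklist and groups the domains by hosting IP. The embedded text is a short excerpt of the list published above, deliberately including its bare-IP lines and the repeated aquamarin-t.ru entry so the parser has to handle both; the hosts-file output format is this example's choice.

```python
# Added example (not AppRiver's code): parse the domain/IP list from this post into a
# de-duplicated blocklist and show which IPs host several of the lure domains.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Excerpt of the list published in this post (bare-IP lines and the duplicate kept on purpose).
IOC_TEXT = """
68.178.197.15

207.5.43.203
hanagasumi.net 125.100.100.14
kurushiunai.jp 125.100.100.14
conveying.com 207.44.250.15
mollinnovations.com 207.44.250.15
cesium-chloride.com 207.44.250.15
elexor.com 207.44.250.15
thomasregisterofnj.com 207.44.250.15
bulkconveyors.com 207.44.250.15
aquamarin-t.ru 62.141.53.242
aquamarin-t.ru 62.141.53.242
infofeed.ro 89.38.128.195
"""

Entry = Tuple[Optional[str], str]  # (domain, or None for a bare IP line; ip)


def parse_ioc_list(text: str) -> List[Entry]:
    """Parse 'domain ip' and bare-ip lines; drop duplicates, keep first-seen order."""
    seen, entries = set(), []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) == 1:
            domain, ip = None, tokens[0]
        else:
            domain, ip = tokens[0].lower(), tokens[1]
        try:
            ip = str(ipaddress.ip_address(ip))  # normalise, and reject non-IP junk
        except ValueError:
            continue
        entry = (domain, ip)
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def group_by_ip(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each IP to the sorted domains listed against it (a bare IP maps to [])."""
    groups: Dict[str, List[str]] = {}
    for domain, ip in entries:
        bucket = groups.setdefault(ip, [])
        if domain:
            bucket.append(domain)
    return {ip: sorted(domains) for ip, domains in groups.items()}


def shared_hosts(entries: List[Entry], min_domains: int = 2) -> Dict[str, List[str]]:
    """IPs hosting several lure domains: the best candidates for a network-edge block."""
    return {ip: d for ip, d in group_by_ip(entries).items() if len(d) >= min_domains}


def render_hosts_blocklist(entries: List[Entry]) -> str:
    """Sinkhole-style hosts file lines, one per unique domain."""
    domains = sorted({d for d, _ in entries if d})
    return "\n".join(f"0.0.0.0 {d}" for d in domains) + "\n"


if __name__ == "__main__":
    parsed = parse_ioc_list(IOC_TEXT)
    print(shared_hosts(parsed))
    print(render_hosts_blocklist(parsed))
```

Grouping by IP is worth the extra lines: six of the excerpted domains sit on 207.44.250.15, which suggests compromised shared hosting rather than attacker-owned infrastructure, so blocking the IP outright may also cut off legitimate sites on the same server, while blocking the individual domains does not.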

Tuesday, August 19, 2008

Georgian Conflict Brings Along Malware


In what is very commonplace in today's spam culture, tragedy equals opportunity for those in the business; thus current events create the most perfect subject matter for malware campaigns. This is especially true when a world event occurs.
A few moments ago a new variant of a malware campaign began rolling through. This particular campaign is just over a month old, by about a week, and has had nearly 40 variants since it began on the 13th of July.
Today the campaign, which is distributed by the Pushdo botnet, plays off of people's curiosity about the Russia-Georgia conflict, which has the world wondering what exactly is going on over there.
The Subject exclaims: "Journalists shot in Georgia" and the body of the email reads: "Turkish television has released video of four journalists on assignment in Georgia being shot at. The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia. Real photo in the attachment attach password: 123"

The "photo" attachment is entitled "georgia.zip", and unfortunately doesn't contain any photos, but instead a nasty little piece of malware which is still being analyzed, but if it's like most of the other versions, contains info-stealing intent.
AppRiver is currently blocking this piece of malware as "X.W32\troj.info.georgia".
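The "hijacked baby" lure from the 25th and this "Journalists shot in Georgia" lure share one fingerprint: a zip attachment, the archive's password handed out in the body ("attach password 123"), and a fear hook in the subject. The following is an added example (written for this page, not AppRiver's filter) of a content heuristic that scores a raw message on exactly those features. The lure bodies reproduce the text quoted in the two posts; the headers, weights, threshold and the placeholder zip bytes are this example's assumptions.

```python
# Added example (not AppRiver's code): a content heuristic for the password-protected
# archive lures quoted on this page. Weights and threshold are assumptions.
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Matches "attach password 123" and "attach password: 123" as seen in both lures.
PASSWORD_HINT = re.compile(r"\b(?:attach(?:ment)?\s+)?password\s*[:=]?\s*\d{2,}", re.I)
FEAR_PHRASES = ("hijacked", "kidnapped", "shot", "you must pay", "ransom")
ARCHIVE_EXTENSIONS = (".zip", ".rar")
FLAG_THRESHOLD = 5  # assumption for this example


def score_message(raw: bytes) -> Tuple[int, List[str]]:
    """Score a raw RFC 822 message; higher means more like the campaign above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    score, reasons = 0, []

    archives = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTENSIONS)
    ]
    if archives:
        score += 2
        reasons.append(f"archive attachment: {archives[0]}")

    gives_password = PASSWORD_HINT.search(text) is not None
    if gives_password:
        score += 3
        reasons.append("body hands out an archive password")

    haystack = (subject + " " + text).lower()
    hits = [p for p in FEAR_PHRASES if p in haystack]
    if hits:
        score += len(hits)
        reasons.append("fear/urgency phrasing: " + ", ".join(hits))

    # The combination is the campaign's fingerprint: the password keeps gateway
    # scanners out of the archive, and the body supplies it to the victim instead.
    if archives and gives_password:
        score += 2
        reasons.append("password-protected archive delivered with its password")
    return score, reasons


def is_suspicious(raw: bytes) -> bool:
    return score_message(raw)[0] >= FLAG_THRESHOLD


def build_sample(subject: str, body: str, attachment_name: Optional[str]) -> bytes:
    """Build a constructed test message; the zip bytes are a placeholder, not malware."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


# Bodies reproduce the lure text quoted on this page; headers are constructed.
BABY_LURE = build_sample(
    "We have hijacked you baby",
    "Hey We have hijacked your baby but you must pay once to us $50 000.\n"
    "The details will send later...\nWe has attached photo of your fume\n"
    "attach password 123\n",
    "photo.zip",
)
GEORGIA_LURE = build_sample(
    "Journalists shot in Georgia",
    "Turkish television has released video of four journalists on assignment\n"
    "in Georgia being shot at. Real photo in the attachment\n"
    "attach password: 123\n",
    "georgia.zip",
)
BENIGN = build_sample("Lunch Thursday?", "Want to grab lunch on Thursday?\n", None)

if __name__ == "__main__":
    for name, raw in (("baby", BABY_LURE), ("georgia", GEORGIA_LURE), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The useful part of the rule is the last bonus: an archive on its own or a number in the body on its own is ordinary mail, but a password-protected archive whose password arrives in the same message has no legitimate reason to exist, so that pairing can carry far more weight than any single keyword.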

Wednesday, August 13, 2008

BREAKING NEWS: MSNBC Used as a Front for Malware

You may remember just over a week ago, CNN.com was being spoofed in an attempt to socially engineer people into clicking on malicious links in email by providing recipients with the latest news story and outrageous headlines that were too juicy to pass up. Well, it looks like today they have moved on to using MSNBC as the fake source of these new news headlines.
These emails aren't nearly as flashy as the CNN versions, as they don't contain any graphics or official logos. They simply contain the line "msnbc.com BREAKING NEWS:" along with many different subject matters, such as:

Wildfires hit Arizona, leave thousands homeless
Americans loves to sue people
Americans love law suits for breakfast
Arsenal buys Ronaldo from Man Utd
Stupid Asians lose lawsuits against Americans
High calorie food banned in canteens
Vitamin C shows promise in anti-cancer trials
GOld prices reach 25-year high, buy gold for a safe and reliable investment
Plane crashes into prep school, hundreds of kids killed


After that there is a link for you to click that appears to point at hxxp://breakingnews.msnbc.com, but once you mouse over the link you will see that they all point towards one of thousands of fraudulent domains and the html page therein titled '/up.html'. These fake links actually point back towards the same fake CNN pages from last week that supposedly contain the video of the latest breaking news, and just as last time, you're prompted to install a necessary ActiveX Object in order to view the video. There is also a missing Adobe Flash issue warning beneath the ActiveX window. These, of course, are where you get the malware. I am pleased to report that AppRiver has pro-actively blocked all of these messages, but here they are in case you want to see them.

Thursday, August 7, 2008

See You at DefCon16!

Today my associate and I fly out to the less than temperate Las Vegas to attend DefCon 16, where we'll be previewing all of the latest tricks of the trade in the security/hacking/malware industry. What started out as a small group gathering yearly to exchange and share like ideas, in what was considered more of an underground activity than an industry, has grown into what is now the world's largest hacking convention. Last year there were more than 6000 attendees over the 3 day event.
Last year was my first year attending, and I had a great time. There were a lot of discussions in my favorite categories: malware economy, analysis, defense, and the botnets that deliver them. There were also more discussions than I could ever imagine attending on other topics I found myself immediately intrigued by, such as the ever-popular ethics issues involved with security vulnerabilities, fuzzing, forensics, war-driving, XSS, and one of my favorite talks, by a PenTester named Johnny Long on his subject of "No-Tech" Hacking. He had quite an entertaining presentation, and I personally dubbed him the rockstar of PenTesting due to his ability to keep the rather large crowd completely interested and amused.
This year there are a lot of events I'm also quite excited about, most of all a contest, which is now infamous for stirring up a lot of flak, called Race to Zero. In this contest competitors are given live, detectable virus samples, and they must rewrite their code so that it becomes undetectable by a series of AV engines. The code must have the same functionality once rewritten. There are several levels of difficulty that they must achieve as they advance. You can read more about the controversy that arose since the contest was announced simply by Googling Race to Zero.
Another interesting talk is going to be from Dan Kaminsky on his recently announced, end of the world, DNS vulnerability. I'm interested to see how he's received considering many people are now saying he was just attempting to be a media whore, and it was blown out of proportion. Should be good.
Alright, I could go on forever, I'll spare you the ramblings, and I'll try to blog from the hotel, which will also be fun considering the network at the Riviera during DefCon has gained the title of most hostile in the world.
I'll leave you with this video of last year's DefCon when Dateline NBC producer Michelle Madigan attempted to go "undercover" in hopes of getting convention goers to admit they use their skills for criminal activities. Well, she was called out in front of hundreds of people, and had to make her escape with her tail tucked between her legs. Enjoy!

Tuesday, August 5, 2008

CNN Spoofed in Malware Campaign

Currently a fake CNN news email campaign is in progress pretending to be CNN.com's Daily Top Ten. The email above arrives from what appears to be "Daily Top Ten", complete with CNN.com logos, as well as two columns with both the Top Ten Stories of the day and the Top Ten Videos of the day. The headlines vary from email to email with exciting topics such as:
"Laura Bush Naked"
"Police hunt stolen rare shark"
"Olympic athletes bare all"
"S. Koreans fire water cannons at Bush",
among many others. All of the story links within the emails lead to the same infected website hosting a malicious html page titled /cnnnews.html. Once there, surprise surprise, you need to update your Adobe Flash Player. You are then prompted to download and install get_flash_update.exe which some Anti-Virus engines detect as being delivered by Storm. Go Figure.
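Both this CNN lure and the MSNBC follow-up from the 13th rely on the same trick: the link text shows a news-site address while the href points at a fraudulent domain and a lure page such as /cnnnews.html or /up.html. The following is an added example (written for this page, not AppRiver's code) of the check a gateway or a mail client can run over an HTML body: collect every anchor, compare the hostname named in the visible text against the hostname the href actually goes to, and additionally flag the lure page names seen on this page. The sample HTML and the attacker-placeholder.invalid domain are constructed; the two page names and the breakingnews.msnbc.com display text come from the posts above.

```python
# Added example (not AppRiver's code): find links whose visible text names one host
# while the href goes to another, plus the lure page names seen in these campaigns.
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Page names from the CNN and MSNBC lures described on this page.
KNOWN_LURE_PAGES = {"up.html", "cnnnews.html"}
# A hostname (with or without scheme) appearing in the link's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href: str, text: str) -> Set[str]:
    """Return reason codes for a deceptive link, or an empty set for an honest one."""
    reasons: Set[str] = set()
    parsed = urlparse(href)
    target_host = (parsed.hostname or "").lower()
    shown = HOST_IN_TEXT.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        # Allow "example.com" text for a www.example.com target, but nothing else.
        if shown_host != target_host and not target_host.endswith("." + shown_host):
            reasons.add("host_mismatch")
    if parsed.path.rsplit("/", 1)[-1].lower() in KNOWN_LURE_PAGES:
        reasons.add("known_lure_page")
    return reasons


def find_deceptive_links(html: str) -> List[Dict[str, object]]:
    """Parse an HTML body and return every link that trips at least one check."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": sorted(reasons)})
    return flagged


# Constructed HTML body in the shape of the lures; attacker-placeholder.invalid is a stand-in.
SAMPLE_EMAIL_HTML = """<p>msnbc.com BREAKING NEWS: Wildfires hit Arizona, leave thousands homeless</p>
<p><a href="http://attacker-placeholder.invalid/up.html">http://breakingnews.msnbc.com</a></p>
<p><a href="http://www.example.com/news">example.com</a></p>
<p><a href="http://attacker-placeholder.invalid/cnnnews.html">Top Ten Videos</a></p>"""

if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(hit)
```

The host comparison is the durable part of this check: the lure page names will change with the next campaign, but a link whose text claims one site and whose href goes to another is deceptive regardless of which news brand is being borrowed. A defender tuning this would relax the subdomain rule for known link-tracking or redirect services rather than dropping the check.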

My Other House Must Be Huge!

This morning another variation of a malware campaign that has been going on for about 3 weeks now started hitting AppRiver's filters. This campaign began, and has often revisited a United Parcel Service theme, pretending to be a notice that a package you had sent was unable to be delivered. They contain an attachment that you're supposed to print out and take up to the UPS office in order to pick up your package.
Well, this morning, as I mentioned, the theme had changed again. This time the emails pretended to come from Carrington Mortgage Services LLC. They thank you for your recent payment of $8000+, and give you your confirmation number and a fake privacy statement. Oftentimes this type of social engineering tactic will attempt to scare you into believing you are being sued, or that you owe money on a past due bill, but this one tries to scare you into thinking someone has already made this payment for you. With a random payment amount of over $8000, it seems this could be a good method for striking fear into a recipient.
Rest assured though that AppRiver had this blocked within its first few minutes of activity.