Malware – Page 2 – Frank Leonhardt's Blog

The spammed malware attack continues, but Microsoft SE has been getting it wrong

Kudos to Microsoft Security Essentials for picking up the nasty attachment being pumped out like crazy by the clean-skin botnet recently, while most of the other scanners failed to detect it. However, it was wrong about the identity of the malware. It’s not Peals.F!plock, as I originally reported with skepticism. It’s now detected as a variation of something known as Troj/DocDl-YU (to use the name give by Sophos). Read about it here:

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DocDl-YU/detailed-analysis.aspx

This uses Microsoft’s Office macro language to download further malware from the Internet and install it on the victim’s PC, so if anyone activates it there’ll be more than just this Trojan downloader to worry about. As it’s a Microsoft Word document, people tend to open it. If the government really wants to spend money telling the public how to avoid falling victim to cybercrime, they should start by warning about sending documents by email, instead of the current nonsense. Microsoft might get the hump, though, and as I understand it, they’re acting as advisors.

If people have macros disabled on Word, they’re probably okay as long as they don’t get tricked in to enabling them. I’m not hopeful in this regard.

Meanwhile, those behind it are changing the message tweaking the payload to avoid detection – quite successfully! The latest incarnation reads:

From: UUSCOTLAND@example.com

Subject: Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 #######. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at UUSCOTLAND@example.com

Kind regards

Melissa

Melissa Lears

Billing Specialist

Business Retail

United Utilities Scotland

T: 0345 ####### (#####)

They appear to be updating it every morning at around 0800Z. Let’s see what we get tomorrow.

19-October-1520-October-15

New botnet spammed malware – Peals.F!plock

This is a big one, coming from hitherto unlisted botnet addresses – and it’s coming right now. I’m cross referencing the blacklisted addresses now to see if I can see who’s had an expansion lately. Spamassassin isn’t that great at picking it up, with about 10% getting straight through and about 90% failing to reach five points.

It’s a Microsoft Word document, apparently containing controversial malware Peals.F!plock. Little is known about this, other than Security Essentials flagging it but others say it’s a false positive. Well someone’s gone to a lot of trouble to sent it a “false positive”.

The messages all claim to come from “Stephanie Greaves”, sgreaves at btros.co.uk, with a fixed subject of COS007202, which is unusual. You’d have thought that if you’re using a clean botnet you’d randomise things a bit. This is a genuine domain name (with no SPF – come on guys!) and for all I know, Stephanie Greaves is the name of a genuine victim. Their MX is a virtual server and they’re probably wondering why it’s been heavily loaded since 9am.

Whoever’s doing this has a pretty comprehensive spamming list, containing nearly all of my honeypots.

Update:

This same malware is now being sent out claiming to be from customerservices@ocado.com with the subject “Your receipt for today’s Ocado delivery”, and an HTML message looking like an Ocado receipt (as far as I can tell – I shop for my own groceries!) Again, Ocado doesn’t seem to have SPF set up.

The message text is:

HERE’S YOUR RECEIPT

Hello

Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.

Your order doesn’t have any substitutions, everything’s there.

See you later,

Paul

The fake bombardier one reads:

Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
cid:image002.jpg@01D01077.BAC48BA0
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

Update: 20-Oct-15 11:22

The malware spam now looks like this:

From: Shaun Buzzard <shaunb@hubbardproducts.com>
To: <to_addr}}>  <-- Note error
Subject: Order

Hi ,

Please find attached order.

Kind regards.

Shaun Buzzard

5-October-155-October-15

Malware sent in .ace format

This one made me look twice. I’m intercepting a lot of malware spreading attempts with text that starts out thus:

Dear Sir or madam
 Hi
 I'm milad and our company called UTIACHEM CO. located in Tehran-Iran.
 Following a telephone conversation with my colleague.
 I was going to send me your request.
 We have an inquiry from your products as attached file,please check.
 Please answer each request.
 Please certificate and an analysis and data sheet product send it to us.

They’re notable because they contain a pair of files of similar length (454K) which have names ending in .jpg.ace. It took me a while to figure this out; they’re compressed using a program called WinAce, a proprietary (paid for) German program from the late 1990’s. The only people likely to have a copy of this will likely be running Windows 98 – or so I thought. The company is still going, much to my surprise, and there are Linux and Mac versions too – although not UNIX, BSD, Android, Apple OS or anything else you’d need if you wanted to compete as a cross-platform archive format. There is, however, a DLL for unpacking that may be used in other people’s products, so perhaps decoders are more prevalent than might first appear.

I wonder how many they’ll have to spam out before they find someone (a) with an ACE decoder; and (b) dumb enough to use it?

Incidentally, most of these spams trace back to Mandril (aka Mailchimp), and are probably uploaded there by someone abusing an IOMart account (from Nottingham). In other words, zero abuse enforcement, based on previous attempts to contact them.

9-February-152-March-15

jpmoryan.com malware spam

Since about 2pm(GMT) today FJL has been intercepting a nice new zero-day spammed malware from the domain jpmoyran.com (domain now deleted). Obviously just one letter different from J P Morgan, the domain was set up in a fairly okay manner – it would pass through the default spamassassin criteria, although no SPF was added as it’s being sent out by a spambot.

The payload was a file called jpmorgan.exe (spelled correctly!) with an icon that was similar to an Adobe PDF file. Is it malware? Well yes, but I’ve yet to analyse just what. It’s something new.

Text of the message is something like:

Please fill out and return the attached ACH form along with a copy of a voided check (sic).

Anna Brown
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Anna.Brown@jpmchase.com
GRE Project Accounting

Be careful.

Update: 19:30

As a courtesy, I always let affected companies know they’re being attacked, with variable results. J P Morgan’s cyber security department in New York took about 30 minutes to get to; they couldn’t cope with the idea that (a) I was not in America; and (b) I wasn’t even a customer of theirs. I eventually ended up speaking to someone from the “Global(sic) Security Team” who told me that if I was a customer I didn’t need to worry about it, but I could sent it to abuse@… – and then put the phone down on me. This was an address for customers to send “suspicious” emails to. I doubt they’ll read it, or the malware analysis. If you’re a J P Morgan customer, you might want to have a word about their attitude.

3-October-13

Who needs a botnet when you can Yahoo?

Someone, somewhere is making full use of Yahoo webmail to send out what could be millions of fake emails pretending to be Amazon order confirmations (extrapolating on the numbers received here). Needless to say, they really contain a ZIP file with a rather nasty looking Microsoft executable file inside.

My guess is they’re using accounts compromised earlier in the year, as reported here, which gets them through spam filters as most ISPs trust Yahoo. Actually, ISPs generally don’t trust Yahoo but their users don’t see it that way when their friends’ Yahoo email is blocked.

Is this Yahoo’s fault? Normally I’d blame the criminals, but in this case Yahoo could be doing a lot more to to help. This has been going on for three days, and there’s no legitimate reason why any of its users should be sending out with addresses @amazon.co.uk. Even if they can’t scan to detect the latest malware, recognising these fake emails is easy enough.

It’s hardly a new tactic by the criminals, of course. amazon.co.uk’s name was abused back in May to deliver similar Trojan malware.

It’s about time Yahoo (and other freemail services) took responsibility for the damage caused by their business model.

21-March-1321-March-13

South Korea attacked from Chinese IP address so it must be North Korea

On Wednesday, South Korea’s government said a malicious code from unknown hackers caused “massive” computer network failures at several banks, the police and TV stations. ATM machines ceased to function. The South Koreans seemed fairly quick to blame it all on the nasty people from the North.

This morning I woke up to the news that the attacks originated from an IP address in China; “apparently” it’s a favourite tactic of the North Koreans to work indirectly through Chinese IP addresses to cover their tracks.

The whole story is starting to pong.

Facts are scarce, but the suspicion is that that this malware was distributed by email in the traditional manner, using files called ‘KBS.EXE’ and ‘MBC.EXE’ (Page in Korean but you can get Google to translate). This doesn’t sound like a targeted attack on critical infrastructure, it sounds like a standard malware delivery to PCs. It’s claimed that the malware activated on Wednesday and wiped the hard disks, displayed skulls and so on. It possible, but another explanation is that malware often attempts to install itself on the boot partition and sometimes goes wrong, leading the luser to believe the disk has been maliciously wiped when in fact it’s just been made inaccessible accidentally, and it won’t boot. The synchronised timing could be accounted for by a botnet software upgrade that didn’t work as expected.

Now let’s consider the “plot”: To knock out critical South Korean infrastructure. If you wished to disrupt the Internet, that’s what you’d have to attack; not the endpoint PCs. Attacking PCs simply inconveniences individual users rather than taking down an organisation. The suggestion that an email virus could take down the ATM network is, frankly, ridiculous. How do you kill an ATM machine by emailing it? Or the bank’s mainframe? If there was ATM disruption, it could have been a side-effect of botnet traffic gone wild, but to say it was targeting the ATM network needs evidence to back it up before I’d take it remotely seriously. A DDoS attack may be possible if it’s not isolated from the Internet, but if that were true they were being very lax about things, and reports are talking about PC malware, NOT a DDoS attack.

And what of the attacking IP address traced back to China? No surprise there. China is botnet central. To be blunt, a lot of the software used on private computers in China is bootleg, which means it’s either supplied with botnet software pre-loaded, or isn’t able to receive security updates from Microsoft making it easy prey. It’s no coincidence that the incidence of zombie computers is higher in countries where interlectual property rights are less vigorously enforced, and that part of the world is a case in point. So, whilst it’s true that North Koreans would use botnets based in China, it also a meaningless statement. Everyone uses botnets based in China and the Far East.

Reports could be wrong, of course. This could be a DDoS attack against the South Korean Internet in general, and specific high profile targets. However, this does not square with the malware reports of computers not booting, and “skulls appearing on screens”.

The whole thing pongs. Here’s my theory: Social engineering emails were used to distribute malware in South Korea. Because the criminals were using emails in Korean, only Korea was affected. Either maliciously, or more likely through incompetence, the malware tried to install some botnet software and broke a number of PCs. The news media in Korea has been quick to blame this on a sinister North Korean plot, and the world’s media has picked this up as a story without enough people sanity-checking the whole scenario.

17-October-126-November-12

BA e-ticket malware spam

Starting yesterday evening I’ve been seeing hundreds of emails sent to normally spam-free addresses claiming to be British Airways e-tickets. They are, of course, some new malware. It’s coming for a network of freshly compromised servers around the world (with a slight preference for Italy), so spam detection software won’t pick it up, and it’s new malware so virus scanners won’t find it either. As usual it’s a ZIP file containing an EXE, written in Borland Delphi I think.

The spambot code itself appears to be compiled on whatever Linux target the script attack has succeeded on, masquerading as “crond”.

19-August-1014-February-13

Intel has just bought McAfee

Intel has just bought its neighbour in Santa Clara.

Well there’s a surprise. According to today’s Wall Street Journal it’s a done deal at $48/share (about £5bn). Paul Otellini (Intel’s CEO) has been saying that “security was becoming important” in addition to energy efficiency and connectivity. This lack of insight does not bode well.

I’ve been expecting something like this since Microsoft really got its act together with “Security Essentials”, its own PC virus scanner by another name. Unlike other PC virus scanners, Microsoft’s just sits in the background and gets on with the job without slugging the PC’s performance. Why would anyone stick with McAfee and Symantec products in these circumstances?

Whether PC virus scanners have much benefit in today’s security landscape is questionable, but at least the Microsoft one does no harm.

Intel has (apparently) paid about £5bn in cash for McAfee. I wonder if they’ve paid too much. It’ll generate revenue while lusers and luser IT managers are too scared to stop paying the subscription, but as anti-virus becomes built in to Windows this is going to dry up. I suspect McAfee was aware of this situation ad was moving on to mobile device security – not by developing anything itself, but by buying out companies that are.

When McAfee bought Dr Solomons in 1998, it was basically to pinch their technology for detecting polymorphic viruses and close down their European rival, which they did – everyone lost their jobs and the office closed. (Declaration of interest: Dr Solomons was a client of mine). Whether McAfee has any technology worth plundering isn’t so obvious, so presumably Intel is buying them as a ready-made security division.

McAfee does, of course, have some good researchers in the background – we all know the score.

17-November-0914-February-13

New Botnet?

Over the last 24-hours I’ve intercepted several emails containing malicious attachments in .zip files. There’s nothing odd about that, expect these are coming from ‘clean’ IP addresess.

Is this a new Botnet, spreading fast?

Yesterday the subject was “your mailbox has been deactivated” and they pretended to come from the IT support team at your domain name. If you don’t have an IT support team it’s a bit of a giveaway. The message continued:

We are contacting you in regards an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, technical support.

Today they’ve got the subject “Payment request from , where the company varies.

The full text is:

We recorded a payment request from "" to enable the charge of $ on your account.


The payment is pending for the moment.
If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "".

If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).

The interesting thing is that none of these have come from IP addresses that are currently listed as part of a botnet, known spam sources or anything. They’re completely clean. I’ve no proof that the two attacks are related, but I’m suspicious.

If anyone has more parts to the jigsaw, please share them with a comment.