Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing
Posted: 06 Oct 2011 10:59 PM

The Websense ThreatSeeker® Network has detected malicious email messages claiming that the late Apple founder and CEO, Steve Jobs, is still alive.  Websense Email Security and Websense Web Security protect against these blended attacks with ACE, our Advanced Classification Engine.

 

Some of the email subjects used in this attack include :

  • Steve Jobs: Not Dead Yet!
  • Steve Jobs Alive!
  • Steve Jobs Not Dead

 

Screenshot 1 : Sample Email Messages

 

The email messages contain links to compromised web sites that redirect to a Blackhole Exploit Kit landing page, which in turn installs rogue AV malware.  The malicious file used in this attack is poorly detected by AV engines.

 

Screenshot 2 : Malicious Redirect

 

Screenshot 3 : Obfuscated Exploit Code

 

As always, don't click on links in emails you didn't expect to receive; they tend to be bad news.

Mary Grace Timcang

What's More Scary, Hurricanes or Black Holes?
Posted: 20 Sep 2011 08:52 PM

By now, it has become something of a cliché to mention how cyber-criminals exploit the latest hot topics to lure victims to malicious content. The recent hurricane scares, however, provided an example that we found interesting. A few weeks ago, Websense Security Labs and the Websense ThreatSeeker® Network came across an email campaign that redirected users to Web pages serving rogue AV via the Blackhole exploit kit.

 

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

 

This post examines how various vectors (email and Web) lead to Blackhole exploit kits and rogue AV, all hosted on a single IP address. It also shows how some messages from the same email campaign, as well as similar variants, lead to pharmaceutical sites related to the "Yambo Family" group of Web sites.

 

EXPLOITED

 

The malicious mail reads as follows:

 

 

 

As you can see, the text references hurricanes Irene and Katia, names various random people, addresses the potential victim by his or her email user name, and suggests that the reader check out a link whose domain name looks, at first glance, to be related to meteorology.

 

In fact, the Web site had nothing to do with the weather, but it did host a malicious page that contained this code:

 

 

The metrologyservices.com site was cleaned the next day, and the offending page was removed.

 

If we check out the redirection target, we see that it shares an IP address, 91.228.133.74, with a host of other domains whose names look equally suspicious:

 

 

But it's not just the names that are suspicious. These domains are all related to the Blackhole exploit kit and/or rogue AV, and we've seen them being reached through several vectors:

 

  • Email campaigns, as shown above and below
  • SEO poisoning using compromised WordPress pages -- in fact, searching for the page linked in the hurricane email leads to:

http://wordpress.org/support/topic/plugin-add-link-to-facebook-links-are-hijacked-to-softwarepromoru

http://wordpress.org/support/topic/dashboard-virus

 

In these cases, the site's .htaccess file has been modified for SEO poisoning, so that only visitors arriving from a search engine are redirected, as seen here:
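As an added example (not code from the original post), here is a small scanner for the kind of .htaccess tampering described above. The tell-tale pattern is a RewriteRule that sends the visitor off-site and is guarded by RewriteCond lines matching the HTTP referer or user agent against search-engine names, which is what keeps the redirect invisible to a site owner who types the URL directly. Both .htaccess samples are constructed, and the redirect target is a placeholder domain, not one from the post.

```python
import re

# Constructed sample (not from the post): a hijacked .htaccess of the kind used
# for SEO poisoning. The redirect fires only for visitors who arrive from a
# search engine. The target domain is a placeholder.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://example-redirector.invalid/index.php [R=301,L]
"""

# Constructed benign block for comparison: redirects everyone, no referer check.
BENIGN_HTACCESS = r"""
RewriteEngine On
RewriteRule ^old-page\.html$ /new-page.html [R=301,L]
"""

SEARCH_ENGINES = ("google", "bing", "yahoo", "ask.", "aol", "yandex", "live.com")


def find_conditional_redirects(htaccess_text):
    """Return (conditions, target) pairs for every RewriteRule that sends the
    visitor to an external URL and is guarded by HTTP_REFERER or
    HTTP_USER_AGENT conditions naming a search engine.

    Apache attaches each RewriteCond to the next RewriteRule, which is what the
    `pending` list models.
    """
    findings = []
    pending = []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            pending.append(line)
            continue
        if line.startswith("RewriteRule"):
            m = re.match(r"RewriteRule\s+\S+\s+(\S+)", line)
            target = m.group(1) if m else ""
            offsite = target.lower().startswith(("http://", "https://"))
            guarded = any(
                ("HTTP_REFERER" in cond or "HTTP_USER_AGENT" in cond)
                and any(engine in cond.lower() for engine in SEARCH_ENGINES)
                for cond in pending
            )
            if offsite and guarded:
                findings.append((pending, target))
            pending = []  # conditions apply only to the rule that follows them
    return findings


if __name__ == "__main__":
    for conds, target in find_conditional_redirects(SAMPLE_HTACCESS):
        print("suspicious conditional redirect to", target)
        for cond in conds:
            print("   ", cond)
```

Run it against every .htaccess under a web root (including ones in theme and plugin directories, where WordPress attackers like to hide them) rather than only the top-level file; the scanner reports the guarding conditions alongside the target so the finding can be confirmed by hand.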

 

 

If we look up the whois information for these domains, we find they were registered to one private person: ivan-sushkin[at]yandex[dot]ru.

 

Looking this up leads us to all sorts of interesting information about domains related to that email address, like last year's attacks against osCommerce sites:

 

http://blog.unmaskparasites.com/2010/10/14/htaccess-redirect-to-example-rudirindex-php-2/

http://blog.unmaskparasites.com/2010/11/19/update-on-htaccess-redirects-of-oscommerce-sites/

http://blog.unmaskparasites.com/2011/01/18/another-update-on-the-oscommerce-htaccess-hack/

http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

 

Websense Security Labs'™ principal security researcher, Stephan Chenette, using his Fireshark tool, came across a CSS file on a popular sports fan site that had been injected with malicious code, also redirecting to the same IP address:

 

<compromised domain>/modules/mod_activitystream/style.css -> hxxp://protect-secure.ru/culture/index.php

 

The redirect also rotated among other domains, such as hxxp://protect-now.ru/upkeys/index.php and hxxp://yourprivacy.ru/product/index.php.

 

Here's an example one of our researchers, Armin Buescher, analyzed, using one of our proprietary tools:

 

<compromised domain>/modules/mod_activitystream/style.css (the compromised URL)
checkprivacy.ru / refresh / index.php (redirector)
yanquihkenu.monbe.be / main.php?page=ee87d5979969cea3 (Blackhole exploit kit)

 

Exploits or payloads hosted on the attack server included:


yanquihkenu.monbe.be / content/worms.jar
yanquihkenu.monbe.be / content/2fdp.php?f=26
yanquihkenu.monbe.be / w.php?f=26&e=4
yanquihkenu.monbe.be / w.php?f=26&e=6
yanquihkenu.monbe.be / GWeather.class

 

On September 8, detection of the malware payload on VirusTotal was at 5/44:
http://www.virustotal.com/file-scan/report.html?id=56742d301e1b7e62e831d13f6d1cdfd079a78be22c2bf0cbbc3b71eda18338a5-1315505246


A day later, detection climbed up to 18/44:
http://www.virustotal.com/file-scan/report.html?id=56742d301e1b7e62e831d13f6d1cdfd079a78be22c2bf0cbbc3b71eda18338a5-1315567566

 

Another SEO poisoning example: simply searching for the term "automobile" on Google turned up this result at position 22:

 

hxxp://www.cheap-online-automobile-insurance.com/

 

On September 12, this site was redirecting to:

 

hxxp://privacy-check.ru/uptime/index.php (on the same IP address, of course: 91.228.133.74).

 

The trending topics (email/SEO) are not the only lure the criminals try to use. Here's a later example that looks, at first, like a somewhat common "Secret Shopper" scam, suggesting you could be a Walmart evaluator:

 

 

 

It leads to this:

 

 

 

 

Blackhole exploit kit (sandbox trace of the resulting infection):

 

 

NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/Desktop/0.649734766565878.exe
NtCreateProcessEx /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/javaws.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/java.exe
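The trace above shows the classic drive-by sequence: the Java runtime is launched by the browser, a freshly named executable is written into the user's profile, and that executable is started. As an added example (not from the original post), here is a triage routine that reads trace lines of this shape and flags exactly that combination. The trace lines are constructed to mirror the ones above, with one benign browser launch added; the victim user name and paths are assumptions.

```python
import re

# Constructed trace lines modelled on the sandbox output in the post; the
# victim name and the browser line are assumptions, not data from the post.
SAMPLE_TRACE = """
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Internet Explorer/iexplore.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/javaws.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/java.exe
NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/Desktop/0.649734766565878.exe
NtCreateProcessEx /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
""".strip().splitlines()

# Per-user writable locations on XP-era and later Windows, lower-cased.
USER_PROFILE_ROOTS = ("/documents and settings/", "/users/")
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")
LINE_RE = re.compile(r"^(Nt\w+)\s+(.+)$")


def triage_trace(lines):
    """Summarise a syscall trace: was a Java process started, which executables
    were written under a user profile, and which of those were launched.

    The `suspicious` verdict fires only when all three happen together, the
    pattern of a Java exploit dropping and running a payload.
    """
    java_launched = False
    dropped = []   # executables written under a user profile
    launched = []  # executables started from a user profile
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not "<NtCall> <path>"
        call, path = m.groups()
        low = path.lower()
        in_profile = any(root in low for root in USER_PROFILE_ROOTS)
        is_exec = low.endswith(EXEC_EXTENSIONS)
        if call == "NtCreateProcessEx" and low.endswith(("/java.exe", "/javaws.exe")):
            java_launched = True
        if call == "NtWriteFile" and in_profile and is_exec:
            dropped.append(path)
        if call == "NtCreateProcessEx" and in_profile and is_exec:
            launched.append(path)
    return {
        "java_launched": java_launched,
        "dropped": dropped,
        "launched": launched,
        "suspicious": java_launched and bool(dropped) and bool(launched),
    }


if __name__ == "__main__":
    verdict = triage_trace(SAMPLE_TRACE)
    print("suspicious:", verdict["suspicious"])
    for p in verdict["dropped"]:
        print("dropped :", p)
    for p in verdict["launched"]:
        print("launched:", p)
```

The same three-part rule (plugin process, executable written to a user-writable path, that executable launched) translates directly into an endpoint detection rule; Java here stands in for whichever plugin the kit targeted.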
 

 

OK, I think everyone gets the idea. Whether it's topical emails or SEO poisoning, you are going to get served with something unpleasant from "Ivan Sushkin."

 

SPAMMED

 

But wait! There's more!

 

Let's go back to the hurricane scares for a minute. There are more of the same type of hurricane emails, sent at the same time, but with different links. These lead to pharmaceutical spam pages, like "US Drugs" (shown below):

 

 

 

 

And you think we'll leave you with that? No chance!

 

A few days later, what better topic to exploit than Labor Day. This time, it's with a little adult-themed lure, leading to Canadian Health & Care Mall and US Drugs. Notice how the email body also has random people's names, in an effort to give more credibility to the text:

 

 

 

 

For further reading about these two "distinguished" pharmaceutical establishments, see these entries in the spamtrackers.eu Wiki:

 

US Drugs

Canadian Health & Care Mall

Yambo Family

 

SUMMARY

What we see is that the use of hot topics to attract victims to cyber-criminals' sites is widespread and varied. The goal can be to exploit their computer, scare them into paying for rogue AV, and/or serve them a spam page (with all the monetary gain to the criminals that comes with the affiliate programs). We can also see that the various vectors are flexible enough to be used for either spam or malicious purposes. At the same time, we get the underlying feeling that "the more things change, the more they stay the same." It was quite amusing for us to see how various unrelated topics from different vectors all led to the same IP address, with domains all registered to the same name. But for a real user, replace the term "amusing" with frustrating, risky, or expensive. There's no guarantee that the victim will "just" get a pharmaceutical spam page, as it is quite common for redirection targets to alternate between malicious pages hosting exploit kits and more benign spam.

 

Besides the protection that Websense Email Security and Websense Web Security products offer, we can never emphasize enough how careful users should be when following any link related to current events, even if it seems to come from a known source. Of course, in this case, it's a good idea to block access to this particular IP address, but rest assured that the same gang will have other domains registered to other IP addresses. This is where the real-time protection of ACE, our Advanced Classification Engine, comes into play.

 

Can rogue AV ever be legitimate?
Posted: 21 Sep 2010 09:04 AM

Over the past year, the prevalence of search results laced with rogue AV seemed never to end.  Whether the search was about a celebrity, politics, a calamity, or anything else that was hot and trending, blackhat SEO was sure to follow.  Now that search engines are more proactive about producing safer results for users, malware authors have had to change the way they dispense rogueware.  Lately, email appears to be, at least for the time being, the favorite vehicle for distributing rogue AV.  In the past few months we've blogged and tweeted about malicious Twitter and Facebook password resets and about big brand names being used in email containing malicious links or attachments. 

 

Today, we are blogging about an interesting email our Websense® ThreatSeeker Network recently identified. With Websense® Advanced Classification Engine (ACE), Websense customers are proactively protected against this threat. 

 

The email appears to be a transaction receipt for someone who was enticed into buying rogue AV software called Security Suite Platinum.  Since Security Suite Platinum is a fairly popular rogue AV, it came as a surprise that none of the AV engines on VirusTotal detected the registered binary.  This led us to look deeper into it.

 

What does Security Suite Platinum actually do?


Security Suite Platinum is a well-known rogue antivirus which uses scare tactics to extract fees from unsuspecting users. It acts like a legitimate virus scanner, searching a computer for viruses, trojans and other malicious files. At the end of its "scan" it claims to have detected malware which scares a user enough into paying a small fee to remove the threats.


This part has been discussed many times before in a variety of security forums and blogs. However, what happens when a person actually pays the required fee is not so clear.


After paying a registration fee the user will receive an email with a confirmation and download instructions, as you can see in the email sample above. After clicking the link provided and typing the transaction ID, the Web site leads us to download the registered Security Suite Platinum straight away.


The registered Security Suite Platinum contains a real open-source antivirus engine, ClamAV, repackaged illegally as Security Suite Platinum. The registered build therefore behaves somewhat like a real antivirus: it does detect some malicious files. This also explains why none of the AV engines on VirusTotal detected this binary.


 

By a simple string search we can clearly prove the existence of the well-known open-source antivirus inside the rogue AV. 
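The string search mentioned above is easy to reproduce. As an added example (not code from the original analysis), the routine below pulls printable strings out of a binary the way the strings utility does and looks for identifiers the ClamAV engine and its signature databases are known to carry ("ClamAV-VDB:" is the header of a .cvd file; libclamav, main.cvd and daily.cvd are the engine library and database names). The binary is a constructed stand-in, not the Security Suite Platinum sample.

```python
import re

# Constructed stand-in for the registered binary: PE-style header bytes and
# filler around strings the ClamAV engine and its databases carry.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Security Suite Platinum\x00"
    + b"\x01\x02" * 8
    + b"ClamAV-VDB:\x00"
    + b"libclamav\x00"
    + b"\xff" * 8
    + b"daily.cvd\x00main.cvd\x00"
)

# Identifiers that point at an embedded ClamAV engine (matched case-insensitively).
CLAMAV_MARKERS = ("clamav", "libclamav", "main.cvd", "daily.cvd", "clamd")


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def find_engine_markers(data, markers=CLAMAV_MARKERS):
    """Map each marker found to the full strings that contained it."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for marker in markers:
            if marker in low:
                hits.setdefault(marker, []).append(s)
    return hits


if __name__ == "__main__":
    # Swap SAMPLE_BINARY for open(path, "rb").read() to scan a real file.
    for marker, strings in sorted(find_engine_markers(SAMPLE_BINARY).items()):
        print("%-10s %s" % (marker, ", ".join(strings)))
```

Matching on marker strings is enough to show that the engine is present; it says nothing about whether the bundled signature databases are current, which is the other half of the detection-rate question raised below.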

 

So far so good, so what is wrong with this? First, it scares people into paying a fee using fake detections (not to mention that the bad guys get hold of the user's financial information). Second, although the engine running inside the rogue AV is legitimate, the product is still not a legal or truly legitimate antivirus: there is no trustworthy company behind it run by antivirus experts, and the detection rate cannot be guaranteed. Finally, it is simply an illegal use of free, open-source antivirus software presented as proprietary, charging money for something anyone can get for free.

 

To test its detection capability, we copied several random malicious files into the %SYSTEM32% directory to see whether the registered Security Suite would really detect them. It detected at least one of the samples and then asked us to reboot the computer to remove the threat. However, instead of deleting the malicious file or moving it to quarantine, it merely renamed the file by appending a ".virus" extension; the file itself stays on disk intact and runs again as soon as it is renamed back.

 

 

** Analysis by Tamas Rudnai

 

 

Mary Grace Timcang

Fake Facebook password reset leads to rogue AV
Posted: 17 Sep 2010 10:54 AM

There is no stopping the abuse of social networking sites and the endless parade of social engineering tactics in email campaigns, be they spam or malicious.  Facebook seems to be a favourite for most attackers because it has a huge user base, and attackers are almost guaranteed to get their message propagated quickly. 

 

Websense customers are proactively protected against these threats by the real-time protection in our Advanced Classification Engine (ACE). 

 

This particular campaign is yet another rogue AV.  Here the user is presented with an email message suggesting they open the attached zip file to retrieve a newly created password, supposedly because of changes made to their Facebook account. 

 

 

The header details show the real source of the email: the display name is the only thing connecting it to Facebook.

 

 

The zip file contains a Windows executable whose icon is that of a PDF document, a simple but effective disguise.  When the user double-clicks this downloader, it downloads and launches a rogue AV application that scares the user into thinking the machine is infected.  
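An icon is chosen by the file's author, so it proves nothing; the file's leading bytes do. As an added example (not from the original post), the routine below opens a zip attachment in memory and, for each entry, compares the magic bytes with the file name, flagging PE executables (an "MZ" header) whatever they are called, executable extensions, and, going one step beyond the icon trick the post describes, the double-extension trick ("something.pdf.exe"). The zip and its contents are constructed, and the entry name is an assumption.

```python
import io
import zipfile

# Constructed attachment: a PE stub (just the "MZ" header and padding) given a
# name that reads as a PDF when Windows hides known extensions. The name is an
# assumption, not the one used in the campaign.
def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4cf9d.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def sniff(head):
    """Classify a file by its first bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data):
    """Return (entry name, sniffed type, reasons) for every suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header is needed to sniff
            name = info.filename.lower()
            kind = sniff(head)
            reasons = []
            if kind == "pe":
                reasons.append("PE executable")
            if name.endswith(EXECUTABLE_EXT):
                reasons.append("executable extension")
            parts = name.rsplit("/", 1)[-1].split(".")
            if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXT:
                reasons.append("double extension masquerading as %s" % parts[-2])
            if reasons:
                findings.append((info.filename, kind, reasons))
    return findings


if __name__ == "__main__":
    for name, kind, reasons in inspect_zip(build_sample_zip()):
        print("%s [%s]: %s" % (name, kind, "; ".join(reasons)))
```

The magic-byte check is the one that matters at the mail gateway: a file that starts with "MZ" is a Windows executable no matter what icon it carries or how it is named.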

 

 

 

 

Scared into thinking the computer might be infected, the user is lured into following the rogue AV's instructions to disinfect the machine.

 

 

The installation carries out a series of scans with fake detections to make it more convincing to the user. 

 

 

The next stage offers the user the opportunity to remove the threats from the rogue AV's fake detections.

 

 

When this is selected, the user is presented with an alert that the rogue AV is not registered and that registering requires the user's credit card details. This is where the phishing for information takes place.

 

 

So far we have seen over 240,000 of these email messages through our Websense Hosted Email Security product, and according to VirusTotal about 65% of anti-virus products detect the attachment.

Anonymous

Daniel Covington death spam leading to Rogue AV and Phoenix exploit kit
Posted: 17 Sep 2010 09:14 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a new virus spam outbreak exploiting Daniel Covington's death. Websense customers were proactively protected against the malicious code by our Advanced Classification Engine (ACE).

 

Most popular sports Web sites have reported this news: Daniel Covington, a former Louisville football player, was shot and killed after an altercation in downtown Louisville in the early hours of the morning on Sep 16, 2010.  Of course, the attackers never miss a chance to extend their criminal activities, and this time Daniel Covington's death has been their lure.

 

Let's track their trail. First, they send thousands of spam messages with the subject "Daniel Covington die" to attract attention.

 

Screenshot of the email:

 

 

Be careful of the HTML attachment: don't open it. It hides malicious obfuscated JavaScript code; the obfuscation technique was described in a previous blog post.
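Obfuscated JavaScript of the kind shown in this post's attachment and in "Screenshot 3 : Obfuscated Exploit Code" in the Steve Jobs post above tends to share a few traits: the real code is carried as an escaped or encoded string literal and rebuilt at run time with unescape, eval, String.fromCharCode or document.write. As an added example (not from either post, and not the specific technique the "previous blog" describes), here is a scoring heuristic that looks for those traits inside script blocks. The two HTML documents are constructed, and the redirect URL in the sample is a placeholder.

```python
import re

# Constructed HTML attachment in the style of the campaign: the script rebuilds
# a redirect from a percent-encoded string at run time. The URL is a placeholder.
SAMPLE_HTML = """<html><body>
<script>
var s="%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2Fexample-redirect.invalid/in.php%27%3C%2F%73%63%72%69%70%74%3E";
document.write(unescape(s));
</script>
</body></html>"""

# Constructed benign page with an ordinary inline script.
SAMPLE_BENIGN = """<html><body><p>Hello</p>
<script>document.title = "hello";</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

# Each indicator is cheap on its own; it is the combination that is telling.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("fromCharCode", re.compile(r"fromCharCode")),
    ("document.write", re.compile(r"document\.write\s*\(")),
    # eight or more consecutive %XX, \xXX or \uXXXX escapes
    ("escaped-run", re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")),
    # a single quoted literal of several hundred characters
    ("long-literal", re.compile(r"[\"'][^\"']{400,}[\"']")),
]


def score_html(html):
    """Return the sorted set of indicator names found in the page's scripts."""
    hits = set()
    for body in SCRIPT_RE.findall(html):
        for name, rx in INDICATORS:
            if rx.search(body):
                hits.add(name)
    return sorted(hits)


def is_suspicious(html, threshold=2):
    """Two or more indicators in one document is the working cut-off here."""
    return len(score_html(html)) >= threshold


if __name__ == "__main__":
    print("attachment:", score_html(SAMPLE_HTML), "->", is_suspicious(SAMPLE_HTML))
    print("benign    :", score_html(SAMPLE_BENIGN), "->", is_suspicious(SAMPLE_BENIGN))
```

A heuristic like this is a triage filter, not a verdict: legitimate minified libraries also use long literals and fromCharCode, so a hit should route the attachment to a sandbox or an analyst rather than straight to a block list.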

 

 

 

If a recipient opens the HTML file, it redirects to two malicious sites: one serves rogue AV, and the other hosts the Phoenix exploit kit, a well-known kit used by web attackers.

 

 

"Daniel Covington die" is not the only theme in this campaign. We have also found the virus spam in emails with these subjects:

    * America's Got Talent
    * Cops kill active shooter at Johns Hopkins Hospital
    * Church of Body Modification
    * failure notice
    * Jackie Evancho and Sarah Brightman
    * NFL Picks Week 2

 

Ran Qiong

You have Rogue Mail!
Posted: 06 Aug 2010 05:17 PM

Websense Security Labs™ ThreatSeeker™ Network has detected thousands of malicious emails purporting to be from big-brand companies like Target, Macy’s, Best Buy, and Evite.

 

 

Yesterday we blogged about the different attack strategies that malicious authors have been using in their recent tax-themed spam emails.   Today's malicious emails go back to the fake AV strategy that we last saw two months ago, as we blogged here.  All the malicious URLs in the emails above redirect to the same fake AV web site.  Users are then prompted to run a malicious executable called "antivirus_24.exe" [MD5: 5be4b708a68687cb5490fe2caea49c82], currently detected by 11/42 AV engines.

 

Payload:

 

 

 

Fake AV Site:

 

 

In addition to the virus notification pop-ups in the system tray, this "System Update" notification window appears to be the latest addition to their fake AV concoction.

 

 

Our real-time analytics proactively identify this threat, and with ThreatSeeker, we get feedback into our email products to block messages containing these URLs.  Websense® Messaging and Websense Web Security customers are protected against this attack.

Mary Grace Timcang

Reset your Twitter Password malicious spam
Posted: 03 Jun 2010 11:18 AM

Websense® Security Labs™ ThreatSeeker™ Network has detected a spam campaign posing as a Twitter Password Reset Notification.  We have seen about 55,000 instances of this malicious spam email so far. 

The spam contains a link to a compromised Web site that, when clicked or pasted into the browser, prompts the user to download a malicious executable named password.exe.  The executable turns out to be a rogue AV called Protection Center Safebrowser.  What distinguishes this rogue AV from others is that it actually displays on the user's desktop some of the malicious files it installs, which makes the infection warning more believable. 

 


The executable is detected as Trojan.Generic.Win32 (SHA-1: 0b00649c14b96219dd080a0ce6492c4d04c7f45c) and is currently recognized by 19 of the 41 engines on VirusTotal.

 

Websense® Messaging and Websense Web Security customers are protected against this attack.

Mary Grace Timcang

©2013 Websense, Inc. All Rights Reserved.