McAfee Labs Blog

‘Scareware’ Poses Danger to Consumers


On March 9 McAfee warned consumers that “scareware,” or fake anti-virus software, may be the most costly online scam in 2010, causing significant monetary loss and damage to users’ computers. In this blog, I’ll give you some additional details about the figures we cited last week in McAfee’s new Consumer Threat Alert program.

Apart from the scareware files themselves, much of the malware that helps rogue anti-virus programs attack computers is grouped into the FakeAlert Trojan family. As the following graph shows, their number exploded in 2009. To give you some idea of the rapid growth: between March 1 and March 10, 45,000 new FakeAlert samples entered our malware collection!

Between January 2004 and December 2009, I cataloged more than 3,000 scareware software “products” created by various rogue companies. Many of them have a short life cycle (some weeks, some months), while others, some created in 2004, are still available on the web. For half of them (see next table) we were able to extrapolate the year they appeared. Their number surpassed 100 for the first two months of 2010.

Year of appearance    Scareware products
2004                  142
2005                  124
2006                  134
2007                  138
2008                  302
2009                  689
January 2010          66
February 2010         46

For many of these “products,” only the name changes. This trick maximizes a malware developer’s chances to catch victims. The scareware companies create website after website with a single rogue offer repeated under various names.

Fake-alert malware and scareware products are numerous, but the scareware companies behind them are few, perhaps between 30 and 50. The names change, but the managers remain the same. They create many subsidiaries and recruit affiliates. For more than 2,000 of these products, I was able to map them to the companies that distribute them. To avoid possible legal hassles as well as personal trouble, I will not give you the names, but the following table speaks for itself.

Company        Scareware products distributed
Company N°1    > 1,000
Company N°2    > 150
Company N°3    > 100
Company N°4    > 100
Company N°5    > 50
Company N°6    > 30
Company N°7    > 30
Company N°8    > 30
Company N°9    > 30

Some companies work openly. Their managers are not afraid to create even LinkedIn profiles. When the pressure becomes too strong they simply create a new business.

To multiply sales, scareware companies recruit affiliates and promise them commissions reaching 75 percent of the product’s sales price.

When I presented our research on scareware in Paris in January, I explained that a colleague monitored–during a six-month period–the production servers of one of the main scareware companies. In 10 days, he counted more than four million downloads (that is, more than four million scareware infections)! This was from only one company, and some victims made more than one download in a day.

In 11 months, this scareware company received more than 4.5 million orders. Using this figure, I forecast annual revenues of greater than US$162 million (assuming each order costs US$36). This equates to a worldwide income for this criminal activity (irrespective of companies) exceeding US$300 million per year.

Finally, these scareware companies do not sell only fake security software. They also peddle many other fake products (multimedia software, fitness software, family software, etc.). And, above all, they offer pornography. Consequently, their revenues are greater still.

To avoid becoming a security software scam victim, the McAfee Consumer Threat Alert advises the following:

  1. Before downloading any security software from the Web, get a recommendation from someone you trust who is savvy about Internet security software.
  2. Investigate the company before purchasing the software.
  3. Be careful when responding to pop-up ads.
  4. You can protect your computer from these types of cybercrimes by installing a complete security software suite that includes anti-virus, anti-spyware, and firewall protection, such as McAfee Total Protection. Ensure that your software is always up to date (enable the “auto-update” feature) and perform regular scans.

Facebook Users Suffer From ‘Fram’


About a year or so ago one of the “McMarketeers” decided it would be fun to run a campaign against “fram”–spam that friends send you. As you might guess, we in the Labs have no friends, so it was no problem for us to ridicule the idea. ;)


However, around the coffee machine the other day I got involved in a quick discussion about spam on Facebook. A long-term social networker genuinely thought that Facebook spam did not exist and that all the noise was from Facebookers playing games or using annoying apps. So I offered to write up an example.

One of the most subversive forms of advertising on Facebook is (though I hate to admit it) fram.

You receive a post like this from a friend:

The post

(Sorry Plum)

This page uses the FBML application to render content in a tab, and that tab is the default you see. Step one is to become a fan, so that you can see the next step.

The box

This posts to your wall:

The post

The fram quickly propagates from friend to friend–and spreads virally, to almost half a million fans.

The post

Let’s return to step 2: after becoming a fan:

The post

<click>

The post

Oooh, SEKR3T CODE! <click>

The post

This bit of JavaScript is very common on Facebook pages that want to spread quickly. It selects all your friends in the invite pop-up. It is a clear sign of something you don’t want to do, and it’s almost always related to some form of scam. I ask my friends not to do it; you should do the same.

Double bubble: Because you’ve posted to your wall once that you’re a fan, why not repeat the process and “share” the page, too?

The post

Of course you want to share this, even though you have not yet seen the content.

The post

By now we hope your friends have said “no thanks” to this. That’s a vain hope, however, because the page has nearly half a million members.

The post

<click> Oh drat. I had JavaScript blocked.

The post

<click> Oh drat. I had ad-block installed.

The post

At last the Video! … on http://thiswillruinurreputation.blogspot.com/

The post

All that work and what do we see? It’s affiliate spam. :(

So there’s your example. Facebook spam is somewhat complicated and mostly initiated by your friends.

Here are my tips for avoiding wall spam. Befriend only people you know and trust. Hide all the daft apps your friends use. Hide all the friends who think the world wants to know every time they visit the bathroom. Think very very hard before granting an app permission. And please, please, please report spam on the bottom left of the wall page.

The tragedy is that the spammer didn’t lie: behind that advert on the blogspot site there really is a funny video. For the average user, though, it’s impossible to see.


Malicious Web Attack Using Executable With facebook.com in Name


As we were working through URLs flagged as suspicious by our GTI technology, one that presented itself was an average “.com” site that loaded a PHP page. As we processed it, we saw that this PHP page reached out to download a file whose name ended with the string facebook.com.exe. Because the “.com” site was very social-network friendly, it is easy to see how an average user, without web protection in place, would not even realize what was going on.

And what was this *facebook.com.exe? It was detected immediately by the McAfee Web Gateway engine as: McAfee-GW-Edition 6.8.5 2010.03.10 Trojan.Injector.Awi.88

File Download Security Warning

FileInsight View

As I write this, the file is already being seen more widely through our Artemis detection, and we are making sure that all of our products protect against this threat.

Artemis Map of Outbreak

The server that hosted this file has already been taken offline. However, this threat, this maneuver, and this piece of malware will be seen again, and again, and again. In fact, we have already found other web servers hosting the same attack along the same lines, and we will continue to monitor and follow it.
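The trick in this post is a filename that ends in a trusted-looking string (facebook.com) followed by a real executable extension (.exe). The following is an added example, not McAfee code and not part of the original post, that classifies a download URL by that pattern: it flags executables whose name carries decoy extensions, whitespace padding, or a well-known brand while being served from an unrelated host. The extension lists and the brand watch-list are constructed for the example; only facebook.com is taken from the post.

```python
from urllib.parse import urlparse, unquote

# Extensions that Windows runs as programs (constructed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "vbs", "js", "hta"}
# Tokens that make a filename look like a document, image or web domain.
DECOY_EXTS = {"com", "org", "net", "jpg", "jpeg", "png", "gif", "pdf", "doc", "txt", "mp3", "avi"}
# Brands whose names should not appear in an executable served from an unrelated host
# (hypothetical watch-list; facebook.com is the one named in the post).
WATCHED_BRANDS = ("facebook.com", "youtube.com")


def download_filename(url: str) -> str:
    """Return the percent-decoded final path component of a URL."""
    path = urlparse(url).path
    return unquote(path.rsplit("/", 1)[-1])


def host_belongs_to(host: str, brand: str) -> bool:
    """True if host is the brand domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def classify_download(url: str) -> dict:
    """Classify a download URL as 'ok', 'executable' or 'deceptive'.

    'deceptive' means the executable is disguised: a decoy extension sits before
    the real one, whitespace pads the name, or a watched brand is embedded in the
    name while the file comes from an unrelated host.
    """
    name = download_filename(url)
    host = urlparse(url).hostname or ""
    raw_parts = name.lower().split(".")
    parts = [p.strip() for p in raw_parts]
    final = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
        if decoys:
            reasons.append("decoy extension(s) ." + " .".join(decoys) + " before the real one")
        if raw_parts != parts:
            reasons.append("whitespace padding pushes the real extension out of view")
        stem = ".".join(parts[:-1])
        for brand in WATCHED_BRANDS:
            if brand in stem and not host_belongs_to(host, brand):
                reasons.append(f"filename contains {brand} but is served from {host}")
    if not reasons:
        risk = "ok"
    elif len(reasons) == 1:
        risk = "executable"      # a plain .exe: worth a prompt, not necessarily a disguise
    else:
        risk = "deceptive"
    return {"filename": name, "host": host, "risk": risk, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs; averagesite.example stands in for the site in the post.
    for sample in ("http://averagesite.example/get/facebook.com.exe",
                   "http://averagesite.example/setup.exe",
                   "http://averagesite.example/img/photo.jpg",
                   "http://averagesite.example/f/holiday.jpg%20%20%20.scr"):
        print(classify_download(sample))
```

Only the last path component is inspected, so a gateway would run this on the final URL after redirects; the brand check deliberately stays quiet when the file really is served from the brand's own domain.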

McAfee Labs Publishes ‘March Spam Report’


McAfee Labs today published its March Spam Report.

This month authors Adam Wosotowsky and Elan Winkler discuss a possible charity scam in France that takes advantage of sympathy for the victims of the Haitian earthquake, examine a “ham campaign” regarding events in Haiti, and look at another fraudulent attempt to connect “lonely women” with victims’ credit cards.

Our key topics:

  • Security professionals working together can expose fraudsters and sometimes bring about their arrests. One of our French researchers shows how it can work.
  • The disaster in Haiti was as usual a spark for spammers, but it also caused a significant amount of legitimate “ham” email.
  • Spammers based primarily in China are keeping busy sending out scams offering Russian “brides” for sale.

For this report and others, many available in up to eight languages besides English, visit our Threat Center Technical White Papers page.

Chilean Earthquake Spawns Malware


Most of us are familiar with how high-profile news events are used for malware distribution. We have seen it many times, such as with the Tiger Woods scandal and the earthquake in Haiti. Now the recent earthquake in Chile is being used to prey upon unsuspecting people interested in what is going on with the post-quake situation and the tsunami. This shows we should be careful in choosing where we go to get information. Try any search term or phrase related to “Chile Earthquake”, “Tsunami”, etc. I have done so and will walk through a few examples of risky to malicious content that my search turned up. This type of malware distribution tends to target the broadest audience possible, so I entered the search term “Chile” and let Google auto-complete it to “Chile quake 2010 tsunami”, a popular search phrase. Almost immediately, among some recognizable news site results, random blog posts appear touting words like “download” or “.exe”. We should be suspicious of these.

The first few I tested were not surprising: standard-looking blog posts with YouTube videos. But when I clicked on the YouTube videos, it appeared YouTube had already found them to be violating its terms. This was likely malicious content that had fortunately been discovered already. Here are a couple of examples, one with the video still embedded in the blog page, and the other directly from YouTube.

Malicious YouTube video pulled

Malicious YouTube video pulled 2

I found about three of these right off the bat. But then came something more disturbing, and much more dangerous: Google’s Safebrowse warned that the next site had already been identified as malicious.

Google Safebrowse

I didn’t continue further down that path, but kept looking at more of the search results. I next clicked to open what appeared to be a safe domain with terms about a princess apple, but what would a site like this have to do with Chilean earthquakes? I was suspicious, and immediately learned why. A pop-up message that we should all be familiar with, or become aware of, opened without my action or approval. This is commonly referred to as rogue AV: malware disguised to look like an anti-malware security scan. These are very dangerous. Typically your best bet for getting out of one is to press Ctrl + Alt + Delete in Windows to call up the Task Manager and kill your browser process. Otherwise the rogue AV will attempt to download its malicious payload. Don’t bother clicking Cancel or trying to close your browser with the red X. Here’s a snapshot. Notice it attempts to look like a legitimate Windows Security alert and reports that your machine is infected with various Trojans and malware.

Fake AV malware pop up

I clicked on one more blog, again looking like a fairly legitimate blog post with what I assumed might be a YouTube video, possibly pulled by YouTube like the previous examples. What I found instead was that my anti-virus software detected a hidden IFRAME to (URL modified for safety): ‘http://www.xxxxxx.xxxx/navbar.g?targetBlogID=78306394491143XXXXX&blogName=Auto+Loan+Insurance&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=LAYOUTS&searchRoot=http%3A%2F%2Fxxxxxxx.blogspot.com%2Fsearch&blogLocale=en&homepageUrl=http%3A%2F%2Fxxxxxxxxx.blogspot.com%2F’.

Malicious video blog post
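A hidden IFRAME like the one the anti-virus flagged above is invisible to the reader but still loads its target. The following added example, not McAfee code and not from the original post, is a small detector built on Python's standard-library HTML parser: it reports any iframe that a user could not see (zero or one-pixel dimensions, display:none, visibility:hidden, or positioned far off-screen) and whether the frame points at a host other than the page's own. The sample HTML and the hosts in it (hidden-frame.invalid, video-host.example, some-blog.example) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value: str) -> bool:
    """True for width/height attribute values of 0 or 1 (optionally px or %)."""
    return re.fullmatch(r"\s*[01](px|%)?\s*", value or "") is not None


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that would be invisible on the rendered page."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":           # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        for dim in ("width", "height"):
            if _tiny(a.get(dim, "")):
                reasons.append(f"{dim} attribute {a[dim].strip()!r}")
            m = re.search(rf"(^|;){dim}:([01])(px)?(;|$)", style)
            if m:
                reasons.append(f"css {dim} {m.group(2)}px")
        if "display:none" in style:
            reasons.append("display:none")
        if "visibility:hidden" in style:
            reasons.append("visibility:hidden")
        if re.search(r"(left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        if reasons:
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            self.findings.append({
                "src": src,
                "host": host,
                "external": bool(host) and host != self.page_host,
                "reasons": reasons,
            })


def find_hidden_iframes(html: str, page_url: str) -> list:
    """Return the hidden iframes found in html, judged against the page's own host."""
    finder = HiddenIframeFinder(urlparse(page_url).hostname or "")
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one ordinary video embed, one hidden external frame,
# one hidden same-site frame.
SAMPLE_HTML = """
<html><body>
<p>Chile quake 2010 tsunami video</p>
<iframe width="425" height="344" src="http://video-host.example/embed/abc"></iframe>
<iframe src="http://hidden-frame.invalid/navbar.g?targetBlogID=0000" width="0" height="0"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
<IFRAME SRC="/local/widget.html" STYLE="display:none"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "http://some-blog.example/post"):
        print(f)
```

A hidden frame is not proof of malice (ad trackers and blog toolbars hide frames too), which is why the result carries the reasons and the external flag rather than a verdict; the visible 425x344 embed is correctly left alone.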

This should serve as a good reminder to be cautious when looking for information. Not only should you beware of where you go to get information; consider some of the examples above and ask yourself, does this look like a legitimate site for such information? Why would such a site turn up in search results for such a topic? Remember that YouTube videos posted on blogs can easily be spoofed and may not be what you expect. For high-profile news topics such as the recent earthquake in Chile, go to news sites you trust, rather than allowing a random search to take you to the information. In addition to developing wise surfing habits, McAfee has many tools to help, such as SiteAdvisor, which reports how safe or risky a site may be even before you click on it from your search results.

Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)


Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

File names related to this attack include:

  • 20100307.htm (CVE-2010-0806 exploit)
  • bypasskav.txt (part of exploit obfuscation code)
    • notes.exe (backdoor installer)
      • note.exe (backdoor installer copy)
      • clipsvc.exe (backdoor installer copy)
        • wshipl.dll (backdoor)
      • rsvm.exe (backdoor installer)
        • wshipnotes.dll (backdoor)
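The domain, file names and drop location above are the indicators a defender can check for on hosts and in proxy logs. The following added example, not McAfee code and not from the original advisory, matches those indicators against two constructed inputs: proxy log lines in a hypothetical "timestamp client method url status" format, and a listing of a user's %temp% directory. Domain matching covers subdomains, so notes.topix21century.com is caught by the topix21century.com entry; file matching is restricted to the %temp% directory named in the advisory so that an unrelated notes.exe elsewhere is not reported.

```python
import re
import ntpath
from urllib.parse import urlparse

# Indicators taken from the advisory text above.
IOC_DOMAINS = {"topix21century.com"}          # matches the domain and its subdomains
IOC_PAYLOADS = {"notes.exe", "svohost.exe", "note.exe", "clipsvc.exe",
                "rsvm.exe", "wshipl.dll", "wshipnotes.dll"}
IOC_EXPLOIT_FILES = {"20100307.htm", "bypasskav.txt"}

# Hypothetical proxy log format: "<date> <time> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def domain_matches(host: str, domains) -> bool:
    """True if host equals one of the indicator domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines):
    """Return log entries whose URL touches an indicator domain or file name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # skip lines that do not fit the format
        ts, client, method, url, status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        fname = parsed.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if domain_matches(host, IOC_DOMAINS):
            reasons.append(f"contact with indicator domain {host}")
        if fname in IOC_EXPLOIT_FILES:
            reasons.append(f"exploit-stage file {fname}")
        if fname in IOC_PAYLOADS:
            reasons.append(f"payload file {fname}")
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def scan_temp_listing(paths, temp_dir):
    """Return paths that are indicator payload names located directly in temp_dir."""
    temp_dir = ntpath.normcase(ntpath.normpath(temp_dir))
    hits = []
    for p in paths:
        norm = ntpath.normcase(ntpath.normpath(p))
        if ntpath.dirname(norm) == temp_dir and ntpath.basename(norm) in IOC_PAYLOADS:
            hits.append(p)
    return hits


# Constructed sample data (private-range client addresses, invented timestamps).
SAMPLE_LOG = [
    "2010-03-09 10:14:02 10.0.0.25 GET http://topix21century.com/20100307.htm 200",
    "2010-03-09 10:14:03 10.0.0.25 GET http://topix21century.com/bypasskav.txt 200",
    "2010-03-09 10:14:05 10.0.0.25 GET https://notes.topix21century.com/check 200",
    "2010-03-09 10:15:00 10.0.0.31 GET http://www.example.org/index.html 200",
    "malformed line that should be ignored",
]
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\notes.exe",
    r"C:\Users\alice\AppData\Local\Temp\clipsvc.exe",
    r"C:\Users\alice\AppData\Local\Temp\wshipl.dll",
    r"C:\Users\alice\AppData\Local\Temp\readme.txt",
    r"C:\Program Files\Notes\notes.exe",        # same name, wrong place: not reported
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(scan_temp_listing(SAMPLE_FILES, SAMPLE_TEMP))
```

The ntpath module is used so the Windows paths are handled identically whether the script runs on the affected host or on an analyst's Linux box; on a live system the listing would come from os.listdir on the real %temp% path.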

Preliminary product coverage is as follows:

  • McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
  • McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
  • McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

Apple Announces iPad Availability: Watch Out for Scams!


Last week Apple formally announced the launch date for the Wi-Fi version of its much anticipated new tablet computer, the iPad. As with most events that generate a lot of media and consumer interest, this one also generated curiosity from the spammer community. They wonder how they can leverage this event to steal your sensitive information. 

Scams have already started to surface, claiming how you can win your own iPad for free. All you need to do is provide your address for shipment, and … Oh, yeah, to get your “free” iPad you also need to purchase something, which will require you to give us your credit card details. There had to be a catch somewhere.

Here is an example of such an email:

This scam is basically your typical “free offer” scam, but given the popularity and buzz surrounding any Apple product announcement, it’s essential to identify the legitimate from the “too good to be true.” As the release date for the iPad approaches, more scams such as this are likely to emerge, using email, social media technologies, and common search engine terms for delivery. 

Keep your eyes open, be diligent, and if you question whether any kind of offer you receive in email or on the web is legitimate, you should follow your instincts. Such offers are likely to be bogus.

Wiseguys Botnet First in Line for Concert, Sports Tickets


We frequently read stories about spammers who can circumvent CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) authentication. Using bot-infected machines, they can create a vast number of random e-mail accounts for spamming purposes.

This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendants later allegedly resold the tickets on the Internet at much higher prices.

According to the indictment, the distributed software was developed by some programmer accomplices in Bulgaria. The application defeated security measures designed to limit individual ticket purchases and snatched up the best ones. Unlike botnets we frequently encounter, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million.

The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:

  • Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
  • Opened thousands of connections at the instant that tickets went on sale
  • Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
  • Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
  • Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses

The indictment explains how the Wiseguys took advantage of many popular events such as the BCS college football championship game, the Barbra Streisand concert in Chicago, Hannah Montana concerts in New Jersey, and the 2008 Bruce Springsteen Tour. For this last event, the botnet was able to purchase approximately 11,800 tickets.

One of their last crimes occurred in January 2009, according to the indictment, when the botnet impersonated 1,000 individual ticket buyers for the New York Giants vs. Philadelphia Eagles NFL playoff game at Giants Stadium in East Rutherford, New Jersey.

This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies.
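Two of the behaviours listed above are visible in a ticket vendor's own logs: CAPTCHAs solved far faster than a human can manage (the post gives five to ten seconds as the human range) and bursts of purchases from one source at the moment a sale opens. The following added example, not McAfee code and not from the original post, runs those two checks over a constructed event stream in a hypothetical "timestamp ip session event" format. The thresholds (a solve under 2 seconds, five or more purchases per source within 60 seconds) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAST_CAPTCHA_SECONDS = 2.0    # assumption: well below the 5-10 s a human needs
BURST_WINDOW_SECONDS = 60     # assumption: sliding window for purchase bursts
BURST_PURCHASES = 5           # assumption: purchases per source that count as a burst


def parse_events(lines):
    """Parse 'timestamp ip session event' lines into tuples, sorted by time."""
    events = []
    for line in lines:
        ts, ip, session, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, session, event))
    return sorted(events)


def find_anomalies(lines):
    """Return sessions with inhumanly fast CAPTCHA solves and IPs with purchase bursts."""
    shown = {}                       # session -> time its CAPTCHA was shown
    fast_captcha = []                # (session, ip, seconds) solved under the threshold
    purchases = defaultdict(list)    # ip -> purchase times
    for ts, ip, session, event in parse_events(lines):
        if event == "captcha_shown":
            shown[session] = ts
        elif event == "captcha_solved" and session in shown:
            seconds = (ts - shown.pop(session)).total_seconds()
            if seconds < FAST_CAPTCHA_SECONDS:
                fast_captcha.append((session, ip, seconds))
        elif event == "purchase":
            purchases[ip].append(ts)

    burst_ips = {}
    for ip, times in purchases.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count >= BURST_PURCHASES:
                burst_ips[ip] = max(burst_ips.get(ip, 0), count)
    return {"fast_captcha": fast_captcha, "burst_ips": burst_ips}


# Constructed sample: one human buyer and one scripted source hitting the sale
# the instant it opens. Addresses are documentation ranges, times are invented.
SALE_OPEN = datetime(2010, 1, 9, 10, 0, 0)


def _line(ts, ip, session, event):
    return f"{ts.isoformat()} {ip} {session} {event}"


SAMPLE_LOG = [
    _line(SALE_OPEN, "198.51.100.4", "h1", "captcha_shown"),
    _line(SALE_OPEN + timedelta(seconds=7.5), "198.51.100.4", "h1", "captcha_solved"),
    _line(SALE_OPEN + timedelta(seconds=9), "198.51.100.4", "h1", "purchase"),
]
for i in range(6):
    t = SALE_OPEN + timedelta(seconds=3 * i)
    SAMPLE_LOG += [
        _line(t, "203.0.113.7", f"b{i}", "captcha_shown"),
        _line(t + timedelta(milliseconds=300), "203.0.113.7", f"b{i}", "captcha_solved"),
        _line(t + timedelta(seconds=1), "203.0.113.7", f"b{i}", "purchase"),
    ]

if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOG))
```

In production the per-IP key would be too coarse on its own (the post describes a nationwide network of machines), so the same window logic is worth keying on the credit-card and e-mail fields the bot filled in as well.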

Check out this video for CNN’s coverage.

On Olympics, St. Patrick’s Day, Screensavers, and Wallpaper


The combination of search engine optimization with sporting and holiday news continues to fascinate me. Oh, and did I mention malware and malicious websites? They always make for interesting bedfellows.

The Olympics have been getting massive coverage, of course, and St. Patrick’s Day is just around the corner. We can count on these events to provide cybercriminals with plenty of search engine manipulation possibilities and social engineering lures.

I ran a few basic Google searches and got pretty much what I expected: malicious sites and malware links. Starting with some basic Olympics-based searches, first for Olympic Games Wallpaper:

Malicious Olympic Wallpaper Search

For this search, three of the top five results led to malicious links (not good). The next search moved on to Olympics-themed screensavers (which historically are heavily abused):

Malicious Olympic Screensavers

In this case two of the 10 results on the first page led to malicious websites, actually fewer than I expected. But look what happened when I added the word download to my search:

Malicious Olympic Screensaver Download Search

In this case five of the 10 results on the first page were malicious or questionable. Quite interesting. When I added an “s” to “download”, my results “improved” to six malicious entries!

Next I moved on to the theme of St. Patrick’s Day for wallpaper and screensavers. Lo and behold, just about the same types of results:

St Patrick's Day Wallpaper Search

Just shy of half the results on the first page led to some very nasty sites indeed for wallpaper. Next I also searched for themed screensavers:

St Patrick's Day Screensaver Search

Again, just about half the results on the first page led to malicious links. That’s not surprising, but certainly not good. Just remember this trend: news, sporting events, and holidays are common abuse targets for cybercriminals. Be suspicious when searching for info in any of these areas (and in many others). Safe-searching technologies such as SiteAdvisor are more important than ever.

Today’s cybercriminal is smart and prepared. Let’s all be smarter and better prepared.

Valentine’s Day Searches Lead to Malware


5, 4, 3, 2, 1…malware!

It’s like clockwork, ain’t it? A popular holiday–such as Valentine’s Day–approaches and malware authors and cybercriminals ready for it.

I have done some Valentine’s Day searches for poisoned terms and found some nasty ones very quickly. Screensavers and ecards are always popular:

Valentine ScreenSavers

Valentine eCards

Even Rolex watches on Valentine’s Day are not safe:

Valentine Rolex

Some of the poisoned terms I have seen today:

Valentine’s Day Screensavers
Valentine’s Day Downloads
Valentine’s Day Wallpaper
Valentine’s Day Rolex
Valentine’s Day eCards
Animated Valentine’s Day
Valentine’s Day Greetings
Valentine’s Day Cupids
Valentine’s Day Gift Ideas

Make sure you surf safely with SiteAdvisor and keep that machine updated!