Thursday, May 23, 2013

Another Skype worm


Remember this post from not too long ago?
Worm spreading through Skype and Messenger

Well, seems this tactic is getting more popular...

A new Skype worm shows you the following message:

this is a very nice photo of you http://bit.ly/10UCanc?fotos=%username% :$
this is a very nice photo of you http://bit.ly/10UCanc?id=%username% :P
Other languages are possible as well, for example Russian:
это очень хорошая фотография вы http://bit.ly/10UCanc?fotos=%username%


When clicking on the link, it gets redirected to a filesharing site and downloads the following file:
facebook_profile.zip

Inside is an EXE file called:
profile-facebook_23052013_img.exe
MD5: 669441b1f5532bdc1a5371112dabc4c8
VirusTotal Result (15/46)
Anubis Result
Malwr Result

When executing the file, you start spreading this message as well to all your Skype friends. There is no icon for the EXE file, which should ring some bells... Actually, the "pictures" being a single EXE file should ring bells so hard the whole neighbourhood wakes up.


Filesharing sites used to spread the malware:
4shared.com
hotfile.com


These filesharing sites have already removed all the malicious files and cannot be downloaded anymore.
Malware files already removed, awesome!





Some interesting stats for the bit.ly link:

Current amount of clicks








Geographic distribution of clicks.





As you can see, there have been over 120,000 clicks today, that's quite a lot!  Also interesting to note is that most clicks are in Belarus, which may indicate where the malware's origin lies (or at least where the infection point started).

As far as I could see, the malware creates a file with a random name in the C:\Programdata or %appdata% folder, injects into explorer.exe and thus is able to 'protect' itself:
When deleting said malware file, it will immediately re-create.

The malware also tries to phone home to (currently offline):
hXXp://r.gigaionjumbie.biz/images/gx.php
hXXp://x.dailyradio.su/images/gx.php
hXXp://w.kei.su/images/gx.php


The above links are related with the Alureon malware, which can download other malware as well as steal your credentials and other personal information. Microsoft:
Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. It may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer. Source.


There are also some peculiar strings in the malware:
lTaj13zzz5632jetsusjabs 
Regrey8hiaid958562ids  
Culmbusy4teg217jo548 
Sel35scagalawn9ser84996  
Hinog968begs6421879  
Cyme28ilkax65274sunn35  
Toph8toil2528248030  
Pent8cute812  
hoorney milk  
DESTRUCT COMMON 

Not sure what those strings are supposed to mean, if there's any meaning to it at all.
To view all strings pulled from the malware image, check Pastebin:
http://pastebin.com/Svb40p9Q



Desinfection


  • Perform a full scan with your installed antivirus ànd a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this worm.
  • Change your Skype password.
  • Notify your friends that you had sent them a malware link.



Conclusion

This conclusion is pretty much the same as in my previous post about a Skype worm:


Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype is nothing new. Still, it appears to be very successful as human curiosity wins in cases of doubt:
"Do I really have (embarassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener service like bit.ly is used. (others are for example t.co, goog.gl, tinyurl, etc.)
Don't be fooled by known icons or "legit" file descriptions, this can easily be altered.

Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and no pictures are shown, but just an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/


Thursday, May 16, 2013

Scareware page pushing PC Speed Maximizer


Everybody should by now be aware how most scareware (aka rogueware aka fake antivirus) operates:
you receive a warning message your PC is infected with malware, and a scan needs to run immediately to help you remedy the infections.

The latest scareware is System Care Antivirus:
System Care Antivirus. (Source: BleepingComputer)





















In the past, it was just that. Scareware pushes scareware. Scareware installs scareware. Not programs that can be considered as adware or Potentially Unwanted Program (PUP/PUA).



Thanks to a headsup from Maxstar on Twitter, I was able to see how scareware was pushing "PC Speed Maximizer", which can be considered as a PUP, but not as scareware.

PC Speed Maximizer, unlike "real" scareware does not have the following behaviour:

  • Annoying pop-ups everywhere, all the time
  • Blocking internet access
  • Blocking other programs (like Task Manager for example)
  • Showing numerous errors & malware infections (where there are none)
  • No real uninstall option (because it's malware)
  • Autostarts with the PC
  • Wants to rip off users


PC Speed Maximizer however does have the following behaviour:

  • Annoying pop-ups, but not constantly
  • Showing numerous errors (where there are none)
  • Autostarts with the PC
  • Wants to rip off users



So let's get to the point here. What is the purpose of this post? To show you an apparently new tactic on how PC Speed Maximizer wants to gather money from not technically savvy users.

A new page has been set up at hxxp://pcspeedplus.com
URLVoid Result
PasteBin script


When visiting this page, you are presented with the following message:

"Critical Security Warning!" Oh really?















This pop-up or messagebox is typical for scareware, clicking the X or clicking OK has the same result...


A "scan" starts running right away:


"Virus infections have been detected!" - XP Micro Antivirus

















The following file gets downloaded:
PCSpeedMaximizer.exe
MD5:  e557bf40e5b374b2fe65cfb2502f0a99
Result: 3/46
VirusTotal Result
Anubis Result
Malwr Result
ThreatExpert Result


This file is also digitally signed:
File is digitally signed with its own cert...














Thanks to a great post here, you can find the extracted digital certificate on Pastebin:
http://pastebin.com/50cUYHEc

Surely, this is not an "APT", but it's still interesting such a piece of crap is digitally signed.



PC Speed Maximizer Setup:

Setup screen

Items to clean and optimize on your PC


Obviously there aren't that many errors on my machine, interestingly enough, it's as good as fresh out of the box. To actually be able to fix the errors you have to pay up, what a surprise.

When looking around on Google a bit, it seems others are suffering from the same scareware page and the pushing of this... software:
http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/url-httppcspeedpluscomscan-keeps-bringing-up-fake/30ed02a6-2bb0-4165-84ac-56a188cfb131

This user was apparently getting fake messages when clicking on a Yahoo ad, when I received this headsup, it apparently spreads through Google Images as well.



Prevention


- Be careful when visiting any webpage. A useful trick is to check the real URL behind the image. Most of the times you can verify this by checking in the left corner of your browser:

Clicked on a picture and started loading this website instead of the original one

- Use browser extentions to verify the integrity of an image or URL. Useful add-ons for Google Chrome are for example NotScripts and WOT . For Firefox you have NoScript and WOT as well.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL+ALT+DEL or CTRL+SHIFT+ESC) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32




Desinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating there are several errors and you need to take 'immediate action' to clean your computer, go to your
C:\Program Files\PC Speed Maximizer or C:\Program Files (x86)\PC Speed Maximizer folder and double-click on unins000.exe. The program will now uninstall itself. In that perspective, it is way less intrusive than real scareware.




Conclusion


  • Don't be fooled by warnings or message trying to scare you, it's all fake.
  • Follow the above prevention tips to decrease the chance of your computer becoming infected.


Final word: adware and/or PUP has always been annoying, and in a "grey" area for antivirus & antimalware applications to detect or not, since most of the times the EULA clearly states it's installing this software and you (as "the user") agree(s). However, pushing PUP via scareware is a new concept. I've made an earlier post about PUP and how you can prevent it as well:
http://bartblaze.blogspot.com/2013/01/about-youtube-top-comments.html

Stay safe.