Is W32.Flamer Evidence of Cyberwarfare Activities?

A number of commentators on the Net are suggesting that the recent malware infection in a number of Middle Eastern countries is evidence of cyberwarfare activities by a professional team.

Flame, also known as W32.Flamer or skywiper, may have been developed by a nation state as part of cyberwarfare activities, and is targeted at information gathering rather than destruction of data. Analysts who have been decoding the computer worm have been unable to identify the source, but they say only a professional team working for several months could have been behind it.

The CrySyS Laboratory in Hungary, one of the first to attempt an analysis, reported that: “The results of our technical analysis support the hypothesis that skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyberwarfare activities. It is certainly the most sophisticated malware we have encountered. Arguably, it is the most complex malware ever found.”

According to Symantec, W32.Flamer is a worm that spreads through removable drives. It also opens a back door into the user’s computer and may steal information from the compromised computer. Symantec Security Response is currently investigating this threat but has classified the Threat Assessment in the wild as Low.

Damage
Damage Level: Medium
Payload: Opens a back door.
Releases Confidential Info: Steals information.

Although the rate of spread may be low, due to the propagation method, this malware is likely to attract a lot of attention and hot debate because of the potential for Cyberwarfare. Watch this space for more news as it emerges.


Bredolab Botnet Still Active

More Tax Payment malware news today, with a resurgence of the Bredolab botnet.

Our MessageLabs Anti-Virus Service reported a suspicious email, similar to the Tax Spam Malware Warning yesterday. The message title once again was Your Tax Payment ID [Random Number] is failed.

This time Symantec reported it as Trojan.Bredolab, which is a likely resurfacing of a Bredolab botnet.

The Bredolab botnet was partially dismantled in November 2010 through the seizure by Dutch law enforcement agents of 143 command and control servers, effectively removing the botnet herder’s ability to control the botnet centrally. Although the botnet’s size and capacity have been severely reduced by the law enforcement intervention.

A PC infected with Bredolab shows a number of effects as the malware:

  • Downloads more malware on to the compromised computer
  • Lowers the security settings on the infected computer
  • May result in file deletion

If your anti-virus software or mail gateway informs you that it has detected Bredolab, follow the instructions and do not open any affected files. To make sure that your machine does not get infected, keep your anti-virus software switched on and the signatures up to date.


Tax Spam Malware Warning

The spam filters are currently working overtime catching dubious email messages about tax payments having failed. As you might expect, this is a Tax Spam Malware Warning, so take care before opening anything that tells you that Your Tax Payment failed.

This email, which purports to be from US tax payment service Electronic Federal Tax Payment System (EFTPS), claims that the recipient’s tax payment has been rejected due to a submission error. The message, which includes a sender address and link that are seemingly valid EFTPS addresses, asks the recipient to click a link in order to review details about the error.

Obviously the email is not from the EFTPS, and the link in the message has been disguised so that it appears to point to the genuine EFTPS website. In fact, it is a phishing scam designed to steal personal information from recipients. A sample of the email appears below:

Your Tax Payment ID [random number] is failed

Your Federal Tax Payment ID: 32127292 has been rejected.
Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.

Please, check the information to get details about your company payment in transaction contacts section:

attach name = report.18653.pdf

In other way forward information to your accountant adviser.
EFTPS:
The Electronic Federal Tax Payment System
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

Attempting to open the attached file will result in a malware loader executing. This is detected by Sophos Anti-Virus as ‘Virus/Spyware Mal/FakeAV-OQ’.

The grammatical errors should give you a clue to the bogus source of this Tax Spam Malware. Do not click on any links in this email or download any attachments. Flag it as spam and press delete!

Malware Scripts Added To Websites

A couple of our customers have experienced hacks to their websites this last week, with malicious code (or malware) added to several pages. Normal visitors to the site have a little extra script added when they load the page, which good anti-virus software will identify as a malware script. Kaspersky Labs identifies the Trojan loader as Heur: Trojan Script Generic, which is a generic Trojan loader identified by a heuristic algorithm. Alternatively, it may be identified as the Blackhole Exploit Kit by other AV products.

Analysis of samples of the inserted code show some common strings, which can be used to find the script on an infected website. This appears to have been inserted by an automated script loader, probably a bot using brute force to guess FTP passwords.

<body><div id="w3stats">
<script language="JavaScript" type="text/javascript">
window.w3ssss=function(){
=== Script Link and other code removed ===
CheckBody();
</script></body></html>

A quick Google search reveals that quite a few sites have had this little addition. If you find that you have been infected, carry out the following actions as soon as possible:

  • Search the code on each page for the string “window.w3ssss”
  • Remove the offending code from all of the pages where it has been installed
  • Change all your site passwords, including FTP
  • Monitor the site regularly for reinfection
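The four clean-up steps above lend themselves to a small defender-side script. The following is an added example, not the blog's own tooling: it searches a web root for the two strings the post identifies, strips the injected block, and keeps a SHA-256 baseline so that "monitor for reinfection" becomes a simple diff on the next run. The scanned file suffixes, the regular expression describing the injected block and the sample page are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Strings the post reports as common to the inserted code.
MARKERS = ("window.w3ssss", 'id="w3stats"')
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js"}
# Assumed shape of the injected block, taken from the post's snippet: a
# <div id="w3stats"> immediately followed by one <script> ... </script>.
INJECT_RE = re.compile(r'<div id="w3stats">\s*<script[^>]*>.*?</script>', re.S | re.I)
# Constructed sample page mimicking the post's snippet; the loader URL is omitted.
SAMPLE = ('<html><body><p>hello</p>\n'
          '<div id="w3stats"><script language="JavaScript" type="text/javascript">\n'
          'window.w3ssss=function(){ /* loader removed */ };\n'
          'CheckBody();\n'
          '</script></body></html>\n')

def scan_tree(root):
    """Return (relative path, line number, marker) for every marker hit under root."""
    root, hits = Path(root), []
    for path in sorted(p for p in root.rglob("*")
                       if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES):
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            hits.extend((str(path.relative_to(root)), n, m) for m in MARKERS if m in line)
    return hits

def strip_injection(html):
    """Remove the injected div+script block; returns (cleaned html, blocks removed)."""
    return INJECT_RE.subn("", html)

def baseline(root):
    """SHA-256 of every file under root, stored to detect reinfection on the next run."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed_files(old, new):
    """Files added or modified since the stored baseline."""
    return sorted(p for p, h in new.items() if old.get(p) != h)

def demo():
    """Constructed walk-through: infected temp web root -> detect -> clean -> re-baseline."""
    root = Path(tempfile.mkdtemp())
    page = root / "index.html"
    page.write_text(SAMPLE)
    before, hits = baseline(root), scan_tree(root)
    page.write_text(strip_injection(page.read_text())[0])
    return {"hits": hits, "changed": changed_files(before, baseline(root)),
            "clean_hits": scan_tree(root)}
```

Running `demo()` shows the marker hits on the infected page, the file reported as changed after cleaning, and an empty hit list afterwards; in practice the baseline would be saved and compared on a schedule.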

Thousands of website owners are unaware that their sites have been hacked and infected with malware scripts.

ACH Spam With Malware Attachment

The spam filters have been busy over the last couple of days, with a number of emails with the title of ACH NOTIFICATION or ACH Payment [Number] Rejected. In each case the email contains an attachment purporting to be a self-extracting PDF file.

Of course, on closer examination the supposed self-extracting PDF file is a malware downloader, no doubt ready and waiting to connect you to one or more botnets. This is a common scenario: a spammed-out trojan downloader triggers the execution of multiple pieces of malware on the unwitting user’s computer. In this case, Sophos anti-virus detects the file and identifies it as Mal/BredoZp-B. For a detailed analysis of the activities of the spam payload, see the article on the ACH spam campaign by M86 Security Labs via the link below.

Automated Clearing House (ACH) is an electronic network for financial transactions in the United States. As usual with this type of spam and associated malware, ACH has no connection with the email, so there is little point in blocking the sender’s address, in our case ach.01 at nacha.org.

Once again our advice is that you should not open any unexpected emails, or unsolicited attachments, as in this case it will attempt to infect your Windows computer. Just press delete and double check that your anti-virus software is up to date.


Uniform Traffic Ticket Malware Spam

If you live anywhere except the City of New York you may have been surprised to receive an email recently, which claims to come from the New York State Department of Motor Vehicles. Even if you aren’t based in the United States, or even don’t drive a car, you may well see the posting which poses as a “Uniform Traffic Ticket” and says that you are charged with speeding at 7:25 AM on the 5th July 2011.

People may be tempted to open the attachment out of curiosity, or even alarm if they have been driving in New York City, but do not, or you may end up with a computer infected with malware.

However, the message is certainly not from New York State Police and the attachment does not contain a speeding ticket. In fact, the attachment contains a trojan that, if opened, can install itself on the user’s computer. Typically, such trojans are able to contact a remote server and download further malware that can steal information from the infected computer and allow criminals to control it from afar.

The email sender address has been reported as automailer.nnn, no-reply.nnn and info.nnn, all purportedly at nyc.gov. It goes without saying that the New York State Police and the New York State Department of Motor Vehicles have nothing to do with this email, and it should be treated like any other virus or spyware. The New York State Police Computer Crime Unit has issued a Hoax E-mail Alert dealing with the Uniform Traffic Ticket Malware Spam.

The attached file, which is called something like Ticket-O64-211.zip, Ticket-728-2011.zip, or just Ticket.zip, is designed to download further malicious code onto your computer and compromise your security. Sophos anti-virus products detect the malware payload as Mal/ChepVil-A, while the CyberCrime & Doing Time Blog identifies that the malware connects to a Russian domain and downloads files called “/ftp/g.php” and “pusk3.exe”.

The Uniform Traffic Ticket Malware Spam email is probably the work of a Botnet, which is a group of computers infected with malicious software and controlled as a group without the owners’ knowledge. The network of private computers, sometimes known as zombies or robots, run autonomously and automatically to send out spam emails to encourage users to open virus or Trojan infected attachments. This means that it is pointless blocking the sender, as the sender address is forged, and unrelated to the actual computer used to send the email.

We recommend that you delete the e-mail and do not forward it to anyone else. Make sure that you have active anti-virus software, and have your firewall switched on. Of course you should only open e-mails from familiar and trusted sources; if you really have been speeding in New York City, the New York State Department of Motor Vehicles will certainly find a way to let you know!


Beware of Emails Bearing Gifts

Have you seen an email entitled UPS notification? Have you received an unexpected email telling you about a parcel sent to your home address, when you have nothing on order? Do you feel excited at the thought of getting an unexpected gift?

Unfortunately, that is not a mysterious present in the post, but a piece of malicious software, or malware, called the UPS Notification Virus. This is an automated attempt to install a Trojan on your computer, which is a piece of software that would connect to a medium risk domain in Russia and subsequently download all manner of undesirable additions to your computer.

If you are fortunate enough to operate behind a corporate firewall and email gateway this will be intercepted by the mail scanning software, and all you will get is an email with the subject line something like: WARNING. Someone tried to send you a potential virus or unauthorized code. If you see this message you need to do nothing further; the threat has been eliminated by the software.

At home, if you have up to date anti-virus software installed, you may see the email with an additional marker like [Quarantined], or a message from the anti-virus software manufacturers indicating that the threat has been removed. In this event you need to do nothing further except keep your anti-virus software current.

However, if you access your email through a webmail client and do not subscribe to an anti-virus service, then you may see an email in your inbox with the subject of UPS notification. A preview of the email will show you something like this:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

In this event, DELETE the email and do not attempt to open the attachment. UPS may sometimes send emails, but generally does not include attachments. If you see this email on a company computer then please additionally inform the local ICT helpdesk, to alert them so that they can investigate how the message reached you.

Remember

  • Only disclose your email address to known individuals and organizations
  • Only open email and attachments from known and trusted sources
  • If in doubt, check with your local IT department or support person if you are not sure that an email is genuine

McAfee Security Scan Problems

It was reported by one of our Windows XP users that they were getting a message from McAfee Security Scan® with a request to Check My Security Status. As we protect all of our Windows PCs using McAfee, this message was not out of place, and the user clicked Scan Now. The alarm bells started when the Security Scan reported that there was no anti-virus software installed, which just is not true.

A cursory glance (right click on the Shield in the system tools) showed that VirusScan Enterprise was alive and well on his machine, and the console showed that the last auto-update was successful. Initial attempts to uninstall the unwanted program using Control Panel, Add or Remove Programs were unsuccessful. Googling the phrase How do I get rid of McAfee Security Scan turned up several suggestions involving booting into Safe Mode or installing anti-malware programs. There were also several suggestions that McAfee Security Scan is downloaded with an update to Adobe Reader, which our user had recently installed.

This is the removal method which worked for us:

  • Run msconfig using the Start, Run dialog
  • When msconfig has loaded, click on the Startup tab
  • Find the entry for McAfee Security Scan, and uncheck the box
  • Then click on Apply

This will prevent the application from reloading next time you start up. Next you need to uninstall the application:

  • Call up Windows Task Manager
  • Click on the Applications tab
  • Click on McAfee Security Scan then click the End Task button
  • Fire up Control Panel then double click Add or Remove Programs
  • Wait a minute and McAfee Security Scan will relaunch and appear again in Task Manager, just like malware!
  • In Task Manager, click McAfee Security Scan, then End Task again
  • In Control Panel, immediately click Change for McAfee Security Scan, then Remove

If you have found this program installing itself without your conscious intent or consent we suggest that you voice your disapproval to Adobe. If enough people post their disapproval of this forced installation of annoying software to Adobe, they might just change their policy.

To any Adobe directors reading this, let me be the first to admit that you market some brilliant software, which is a credit to your company. Why risk your excellent corporate image with this offensive and shoddy software installation tactic?

For anyone else who is installing or upgrading Adobe Flash or Reader, take special note that there is an optional McAfee Scan listed in the installation that must be unchecked if you do not want to install McAfee Security Scan.

Parliamentary computers infected by Conficker worm

The House of Commons internal computer network has been infected by the “Conficker” worm and has had to ban its users from attaching outside storage, such as USB memory sticks, in case it gets reinfected. An estimated 10 million PCs worldwide have also been infected and experts fear next week will see problems worsen. For more on this story, see the article House of Commons network hit by Conficker computer worm from guardian.co.uk

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.

For more information about Win32/Conficker.b, visit the following Microsoft Malware Protection Center Web page http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker

Network managers can also stop Conficker from spreading by using Group Policy, and creating a policy that applies to all computers in a specific organizational unit (OU), site, or domain in your environment. For more details on this process see Microsoft Help and Support Article ID 962007