New Oficla trojan variant targets Facebook users

MX Lab detected a new variant of the Oficla trojan that targets Facebook users and claims to deliver a new password for the recipient's Facebook account.

The emails are sent from the spoofed email address The Facebook Team <profile@facebook.com> with subjects such as:

Facebook Password Reset Confirmation! Customer Message.
Facebook Password Reset Confirmation! Customer Support.
Facebook Password Reset Confirmation! Important Message.
Facebook Password Reset Confirmation! Support Message.
Facebook Password Reset Confirmation! Your support.

The content of the email:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The email contains the attachment Facebook_document_Nr1637.zip (the last 4 digits may vary), which once extracted yields the 48 kB executable Facebook_document_Nr1637.exe.

The trojan is known as Trojan:Win32/Oficla.M (Microsoft), Trojan-Downloader:W32/Oficla.Y (F-Secure) or TR/Crypt.ZPACK.Gen (Antivir).

The trojan will attempt to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti. The Win32/FakeScanti family of trojans presents itself as genuine antivirus software but is in fact malware that displays fake warnings about possible virus infections on your system. The user is then prompted to register and pay for the so-called antivirus software.

The following files are created:

%Temp%\1.tmp
%System%\ngts.vao

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” is modified.

The trojan can establish a remote connection with the IP 195.78.108.201 on port 80 and retrieve data from hxxp://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2.

“updated account agreement” email contains Bredolab trojan

MX Lab started to intercept emails with the subject “updated account agreement” that contain the Bredolab trojan. The content shows that the campaign is aimed at Facebook users. The email comes from a spoofed address whose sender name contains “Facebook Team”.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached; once unpacked, it yields the 28 kB file agreement.exe.

Facebook, or any other company, will never distribute agreements, software updates and patches or anything else in emails. Our recommendation is to delete the email immediately, because a lot of AV engines do not detect this variant very well at the moment.

Virus Total permalink and MD5: cc632e1dad8775e2bb558a6cd247b94b.

Facebook subject to campaign that combines phishing and malware

MX Lab detected a large new campaign targeting Facebook users. The campaign combines phishing techniques with the download of malware and a PDF exploit served from the web site.

The phishing campaign has the same characteristics as the previous campaigns we have posted about:

Facebook account update (part 1)
Facebook account update (part 2)

The message is being sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has various subjects:

Facebook account update
Facebook update tool
New login system

The body of the phishing/malware email contains a link that leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.

The phishing web site contains instructions on how to update your account.

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

This page asks you to confirm your old and new password and presents a download link for the file updatetool.exe, which points to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

When we first visited the phishing site, an automated download of the file pdf.pdf was triggered.

As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9/40 AV engines detected the threat
Virus Total permalink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

Updatetool.exe:

AV detection rate: 6/40 AV engines detected the threat
Virus Total permalink and MD5: 095fe570f78c322c8e358c656816c200.

Facebook updated account agreement email contains Sasfis trojan

Apparently, the virus campaigns are far from over. MX Lab reported on this blog about the latest virus campaign, which appears to be an attempt to grow the Cutwail botnet by infecting new computer systems with new trojan variants launched every few days.

MX Lab now intercepts a new Facebook virus campaign from the spoofed address <automailer+gtevzolc@facebook.com> or similar.

The campaign is sent out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB big executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines detected the trojan. The first sample was submitted at 2009.11.06 09:24:44 UTC. This means that after more than 2 hours, 52% of the AV engines could intercept this piece of malware.

Please do remember that Facebook, or any other company, will never communicate in this way. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan will create the files %Temp%\1.tmp and %System%\ifmq.kqo, modify the Windows registry and will try to connect to the remote host 193.104.27.91. The following URLs are requested:

hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300

Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.
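The Oficla and Sasfis samples above both check in to a script named bb.php with the query parameters id, v, tm and b. The following detection routine is an added example (not MX Lab's code) that flags that request shape in proxy logs; the log layout and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (sample data, not a real capture). The first
# three mimic the bb.php check-ins quoted in the Oficla and Sasfis posts;
# the last two are benign requests that share only part of the pattern.
SAMPLE_LOG = """\
2009-11-07 00:05:11 10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300 200
2009-11-07 00:05:41 10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300 200
2010-04-26 13:22:03 10.0.0.40 GET http://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2 200
2010-04-26 13:22:09 10.0.0.40 GET http://www.example.com/forum/bb.php?page=2 200
2010-04-26 13:23:00 10.0.0.41 GET http://www.example.org/index.php?id=1&v=200&tm=1&b=300 200
"""

# Assumed log layout: "<date> <time> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

# Both check-ins request a script named bb.php and always carry the query
# parameters id, v, tm and b; the order varies and id may be empty.
BEACON_PARAMS = {"id", "v", "tm", "b"}


def is_oficla_beacon(url: str) -> bool:
    """True when the URL has the bb.php check-in shape seen in the posts."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/bb.php"):
        return False
    # keep_blank_values so the empty "id=" of the Sasfis beacon still counts.
    params = parse_qs(parts.query, keep_blank_values=True)
    return BEACON_PARAMS <= set(params)


def find_beacons(log_text: str) -> list:
    """Return one record per suspected beacon found in the proxy log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # tolerate malformed lines instead of crashing
        when, client, method, url, _status = m.groups()
        if method == "GET" and is_oficla_beacon(url):
            parts = urlsplit(url)
            tm = parse_qs(parts.query, keep_blank_values=True)["tm"][0]
            hits.append({"time": when, "client": client,
                         "host": parts.hostname, "tm": tm})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} (tm={hit['tm']})")
```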

Email regarding Facebook account update is a phish – part 2

MX Lab intercepted emails that appeared to be Facebook phishing emails.

The From address is obviously fake and not related to Facebook in any way. These come in with the subjects:

Facebook Account Update
Facebook Update Tool
new login system

This time we managed to find a working host for the supposed phishing site. We visited hxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email=xxx@xxx.com and got the login screen.

After filling in a dummy login and password we were redirected to the following screen, and to our surprise it was not a web form for submitting personal details but a link to the malware file updatetool.exe.

This malware is known as Gen:Trojan.Heur.Zbot.gq0@cS0Ulyb (BitDefender), PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos). As you may know by now, ZBot is a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system. The hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll are created, together with the hidden directory %System%\lowsec.

New memory pages are created in the address space of the following system processes: %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe, %System%\alg.exe and %ProgramFiles%\internet explorer\iexplore.exe.

Windows registry modifications are also part of the infection, and connections to a remote host are established: hxxp://193.104.27.42/lcc/ip2.gif and hxxp://193.104.27.42/ip.php.

Virus Total permalink and MD5: 1ccbe2c88bbaeb8a72ca0ef7e5e51738. It is detected by only 17 of the 41 AV engines at Virus Total.

Email regarding Facebook account update is a phish

After a virus campaign, MX Lab now also intercepts a phishing campaign targeting Facebook users.

The From address is obviously fake and not related to Facebook in any way. This email in particular was directing users to the phishing site hxxp://www.facebook.com.saxzask.me.uk/globaldirectory/LoginFacebook.php?ref=******&email=info@****.com. Unfortunately, this host was already down when we visited, so we did not have the chance to investigate it further, but we will keep an eye out for new ones.
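All three phishing posts use the same trick: the host starts with www.facebook.com but is registered under an unrelated domain (jjjiok.org.uk, ujtqwaqo.eu, saxzask.me.uk). The check below is an added example, not MX Lab's code; it classifies the hosts quoted in these posts and assumes a small hand-written suffix list in place of the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand whose registrable domain the phishing hosts imitate.
BRAND = "facebook.com"
# Multi-label public suffixes needed for the hosts quoted on this page
# (assumption: a production check would load the full Public Suffix List).
MULTI_LABEL_SUFFIXES = {"org.uk", "me.uk", "co.uk"}


def refang(url: str) -> str:
    """Turn the defanged hxxp:// notation used in the posts back into a URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def registrable_domain(host: str) -> str:
    """Heuristic registrable domain: last two labels, or last three when the
    host ends in a known two-label suffix such as org.uk or me.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_verdict(url: str) -> str:
    """'brand' if the URL really belongs to BRAND, 'lookalike' if the brand
    name appears as a host label but the host is registered elsewhere
    (www.facebook.com.jjjiok.org.uk is registered under jjjiok.org.uk),
    'other' if the brand is not referenced in the host at all."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    if registrable_domain(host) == BRAND:
        return "brand"
    if BRAND.split(".")[0] in host.split("."):   # "facebook" as a label
        return "lookalike"
    return "other"


# Constructed sample set: the phishing and video-lure hosts quoted in the
# posts above, plus two legitimately shaped URLs for comparison.
SAMPLES = [
    "hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***",
    "hxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx",
    "hxxp://www.facebook.com.saxzask.me.uk/globaldirectory/LoginFacebook.php",
    "hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm",
    "https://www.facebook.com/login.php",
    "https://www.example.org/facebook-page",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{lookalike_verdict(url):9} {urlsplit(refang(url)).hostname}")
```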

Facebook message with link to striptease video leads to malware

A message from Facebook Mail with the subject line “FaceBook message: Magnificent Striptease Dance (Last rated by Lorena Keyes)” contains a URL that leads to a host serving malware.

Some alternative subjects are:

FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

The body of the email:

Messages from Your Friends on Facebook, March 19, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 14, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema

Message ID: FB-wtq2w9w5ig7z5gf
2009 Facebook community, Message Center.

The URL leads to a Facebook look-alike web site where the video is offered.

This page then requires you to download the newest Adobe Flash player. The file itself is presented as Flash_Adobe11.exe and is the same malware as in the Comcast High Speed Self Installation Kit malware posted earlier today.

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user's knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process 9129837.exe is started and the following system services are stopped on the computer: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing), wscsvc (Security Center). The malware connects to the IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000

Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.