Wednesday, December 3, 2008

Koobface on the Loose as "flash_update.exe"



"Koobface". Like "Facebook", only sort of backwards. Clever.

Social networking worms like the Koobface family are a reality, and their prevalence shows in our ThreatFire community. Facebook users need to be aware that links appearing on friends' Facebook pages may lead to malware downloads. There's no need to stop clicking on links or visiting friends' pages, but just because a link is on a friend's page does not mean that the content behind it can be unconditionally trusted.

Basically, if you click on a link on a friend's profile and your browser is redirected to a video page, do not download and run the executable when prompted. The malicious "flash_update.exe" download is consistently among the files most frequently blocked in our community, day after day. The little trick here is a twist on the genuine need to update Adobe's Flash Player: if you really do need to update your Flash Player, go to Adobe's site and update it there. Here's an example from a Koobface distribution site that has already been taken down:



Running the downloaded "flash_update.exe" results in all sorts of problems for the user, including modifications to their own Facebook profile, prompts to solve CAPTCHAs on the attackers' behalf, and more. The immediate visible result is an error message, "Error installing Flash Update. Please contact support".


In the infections we're observing this morning, an executable with a name like "bolivar28.exe" is dropped to the system drive and run.


Update: the dropped executables, named "bolivar26.exe", "bolivar28.exe" and so on, are copies of the original flash_update.exe files. A quick analysis shows them to be similar in functionality to the CAPTCHA-breaking binaries previously observed in the wild. Also interesting is that these files worm through and attack other social networking sites, such as myspace.com, blackplanet.com, friendster.com, and bebo.com, in addition to their namesake.

Tuesday, December 2, 2008

Who Gave These Guys a Cert?


Xxx41.exe is a filename commonly associated with a trojan-downloader family that we've seen prevented all over the community for the past couple of weeks. It is sometimes dropped and run by phony video codecs with names like "moviecodec.278.exe", "k-codec.232.exe", etc. Xxx41.exe downloads fakealert executable components from sites like image-big-library.com and top100image.com using GET requests that look like image file requests ("/images/item_edjf.gif" and "/infoweek/footernav/new0808/ethrexpo.gif") and so slip past weak, extension-based firewall filters; the downloaded files are then renamed to ~tmpc.exe (and similar names) and run on the system.
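The point of the "image" requests above is that a filter keyed on the URL extension or the Content-Type header never looks at the bytes. The check a network filter or proxy should be doing instead is to compare what the response claims to be with its first bytes. The following is an added example, not ThreatFire's or PC Tools' code; the sample transactions are constructed for illustration (they reuse the request paths quoted above, but the bodies are invented, and a real PE file carries much more after the "MZ" header).

```python
"""Flag HTTP responses that claim to be images but carry a Windows executable.

Added example, not ThreatFire's or PC Tools' code. The transactions below are
constructed for illustration, using the request paths quoted in the post; the
bodies are invented (a real PE file carries much more after the "MZ" header)."""
import os
from urllib.parse import urlparse

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
# Leading bytes each image format must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}
PE_MAGIC = b"MZ"  # DOS header signature at the start of every PE executable


def claimed_extension(url):
    """Extension the URL path advertises, e.g. '/images/item_edjf.gif' -> '.gif'."""
    return os.path.splitext(urlparse(url).path)[1].lower()


def classify(url, content_type, body):
    """Classify one response by comparing what it claims to be with its first bytes."""
    ext = claimed_extension(url)
    claims_image = ext in IMAGE_EXTS or content_type.lower().startswith("image/")
    if body.startswith(PE_MAGIC):
        # An extension-based filter sees a .gif request; the bytes say otherwise.
        return "executable-disguised-as-image" if claims_image else "executable"
    if ext in IMAGE_MAGIC and not body.startswith(IMAGE_MAGIC[ext]):
        return "magic-mismatch"  # not an executable, but not the image it claims either
    return "ok"


def flag_transactions(transactions):
    """Return [(url, verdict)] for every (url, content_type, body) that is not 'ok'."""
    flagged = []
    for url, content_type, body in transactions:
        verdict = classify(url, content_type, body)
        if verdict != "ok":
            flagged.append((url, verdict))
    return flagged


# Constructed sample traffic: two disguised downloads, one real GIF, one 404 page.
SAMPLE = [
    ("http://image-big-library.com/images/item_edjf.gif", "image/gif",
     b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48),
    ("http://top100image.com/infoweek/footernav/new0808/ethrexpo.gif", "image/gif",
     b"MZ\x90\x00" + b"\x00" * 60),
    ("http://example.invalid/logo.gif", "image/gif", b"GIF89a" + b"\x00" * 20),
    ("http://example.invalid/photo.jpg", "image/jpeg", b"<html>not found</html>"),
]

if __name__ == "__main__":
    for url, verdict in flag_transactions(SAMPLE):
        print(f"{verdict:32} {url}")
```

Both of the constructed "gif" downloads come back as executable-disguised-as-image, the real GIF passes, and the HTML error page for a .jpg request is reported as a magic mismatch rather than ignored; in practice that last case is where a proxy should at least log, since it is also what a blocked or moved payload looks like.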



Interestingly, amongst the AntiVirus 2009 and ProAntiSpyware rogueware component downloads, a valid digital certificate turned up, issued to "AntiSpywareSolutionsPro, Inc" of Belize City, Belize, on a "VirusRemover2008" component.



So, we can see who provided the certificate; the next question is why. How can some of the most prevalent rogueware groups on the internet continue to obtain valid digital certificates from trusted providers? And next, will the Rustock, Coreflood and Storm groups be getting valid certificates for their secure botnet sessions?

Crack.exe

If you find yourself installing and running cracks and keygens downloaded over LimeWire, stop what you're doing. First, stop using cracks and pirated software. Second, nothing is truly free.

LimeWire users have been seeing various keygens offered over their P2P connections. Over the past few days there have been multiple releases of AVG LICENSE KEY CRACK BY [SSG].ZIP, HALO KEYGEN BY [ZWT].ZIP, REALTEK AUDIO DRIVER CRACKED BY -=ROGUE=-.ZIP, and NERO 9 NO PATENT CRACK BY ZWT.ZIP. And surprise, surprise, all of these archives come with a little treat inside: crack.exe. We've seen this sort of keygen package bundled with some severe malware in the past, and we continue to see downloaders and adware installed by this stuff.

Taking a quick look, we find that this dropper disables the Windows Security Center and Firewall. It then scans the system32 directory for an existing DLL name to borrow from, takes some digits from the system time, and concatenates the two to build the name of the DLL it drops, which always ends in "32.dll". In our ThreatExpert report, the malicious downloader was created as "glu3232.dll"; the code that builds the random portion of the name is here:


and the concatenation of that semi-randomized string with "32.dll" is here:
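The naming scheme is meant to make the dropped file blend in with its neighbours, but it also gives an analyst something to key on: a file ending in "32.dll" whose remaining stem, minus a run of digits, is the name of another DLL in the same directory. The following heuristic is an added example, not code from the crack.exe sample or from ThreatExpert; the directory listing is constructed, and the assumption that the borrowed stem is copied whole with the time-derived digits appended after it is our reading of the one observed name, "glu3232.dll".

```python
"""Heuristic for the dropped-DLL naming scheme described above: the stem of a
DLL already in system32, optionally followed by digits, then "32.dll".

Added example, not code from the crack.exe sample or from ThreatExpert. The
directory listing is constructed; that the borrowed stem is copied whole and
the digits follow it is our reading of the one observed name, "glu3232.dll"."""

SUFFIX = "32.dll"


def dll_stems(names):
    """Lower-cased file names without the .dll extension."""
    return {n[:-4].lower() for n in names if n.lower().endswith(".dll")}


def split_borrowed(base, stems):
    """Split base into (prefix, digits) where prefix names another DLL in stems.

    The longest qualifying prefix wins, so "user32851" -> ("user32", "851").
    Returns None when no split works."""
    for cut in range(len(base), 0, -1):
        prefix, digits = base[:cut], base[cut:]
        if digits and not digits.isdigit():
            continue
        if prefix in stems:
            return prefix, digits
    return None


def suspicious_dll_names(listing):
    """Return (name, borrowed_stem, digits) for each file matching the scheme."""
    stems = dll_stems(listing)
    hits = []
    for name in listing:
        low = name.lower()
        if not low.endswith(SUFFIX) or low == SUFFIX:
            continue
        base = low[:-len(SUFFIX)]          # "glu3232.dll" -> "glu32"
        # base is strictly shorter than this file's own stem, so a file can
        # never match itself; only genuinely borrowed names are reported.
        match = split_borrowed(base, stems)
        if match:
            hits.append((name, match[0], match[1]))
    return hits


# Constructed listing: a few genuine system32 names plus two dropped DLLs.
SAMPLE_LISTING = [
    "advapi32.dll", "glu32.dll", "glu3232.dll", "kernel32.dll", "msvcrt.dll",
    "ntdll.dll", "ole32.dll", "oleaut32.dll", "user32.dll", "user3285132.dll",
    "ws2_32.dll",
]

if __name__ == "__main__":
    for name, stem, digits in suspicious_dll_names(SAMPLE_LISTING):
        print(f"{name}: borrowed '{stem}' + digits '{digits}' + '{SUFFIX}'")
```

On the constructed listing only the two planted names are reported. It is a heuristic, not a signature: run against a real system32 it may also surface legitimate pairs whose names happen to nest, so treat hits as candidates to check (unsigned, recently created, loaded from explorer.exe) rather than as verdicts.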

Monday, December 1, 2008

Retirement Community Computers, brastk.exe and AntiVirus 2009

Malware shows up in the most unexpected places. One of my former colleagues used to dismiss the idea of widespread computer infections as ridiculous, but networked Windows systems really are everywhere, and this last week's Thanksgiving trip provided another place to watch malware affecting unsuspecting Windows users.

This year's birthday celebration for our 92-year old grandmother was fantastic at her new home. Singing, dessert, multiple generations of our family were together for the holiday and grandma was in a great mood in her new digs.

In the meantime, a few of us celebrants, full of pizza and cake, left the party to check out the community building: the pool table on the fourth floor, pianos on the first. After knocking the 8-ball around the pool table at 8 p.m. in the relative quiet of the home, we noticed a computer center on the way back to the elevators. The monitors in that center could not have displayed a more disappointing screen.
Next to a little "M" square in the system tray (a competing AV product that will remain nameless here) was a large red circle with a white X through it and a familiar fakealert bubble with a frightening message about an infection and loss of privacy: "Privacy Violation Alert! Antivirus 2009 detected a Privacy Violation".



A quick look at the registry and Task Manager showed a spambot, the brastk.exe fakealert downloader, AntiVirus 2009, and a Vundo component all installed and running. The brastk.exe downloader, one of the most familiar fakealert components being prevented in the ThreatFire community, was running full bore, and the Vundo DLL had pinned the CPU from inside the explorer process. Add half a dozen ads open in half a dozen hung Internet Explorer windows, and the system was unusable.
There were various poker game shortcuts on the desktop, so I'm guessing that one of the residents looking to play a game mistakenly installed a package of malware, assuming that the free game was innocent and the system was protected.
For a group of elderly people who don't know much about technology but want to use it, this is very disappointing and discouraging.

Along those lines, the recent unusual and severe Mytob infection that took down systems at several British hospitals (the London Chest Hospital, the Royal London Hospital and St Bartholomew's) also highlights the need for layered security. Malware is as ubiquitous as the PC itself.

Thursday, November 20, 2008

USB Worms and Government Policy

When federal government systems are hit with malware, the incidents often receive no public reporting. However, infections from removable-drive-based worms have become so bad on the U.S. Department of Defense's networks that USB drives have been banned altogether, according to Wired's Noah Shachtman. It's unfortunate that these drives evidently were not being scanned, and that scanning them was not part of the process up to this point.

The military's policy decision is not all that surprising, considering that the Gammima worm that made it onto the International Space Station this past August also spread using the USB autostart technique. Worms have been spreading very effectively this way to deliver password-stealing components since early 2007, and it's about time policies clamped down on the slack. Quickly released worm variants that evade anti-virus scanners continue to use the same autostart technique today. Of course, users running ThreatFire have been protected from these AV-evading autostart worms since the day they installed it.

Update (11/25/2008): US-CERT posted information about what they call two popular "methods". Basically, the post describes removable-drive-based infection vectors in both directions: to the removable drive, when a worm copies itself onto the media from an infected system, and from the removable drive, when a worm abusing Windows' Autoplay functionality executes itself on the system the drive is plugged into. Nice to see awareness increasing; Autoplay can be dangerous!
Scanning is not a waste of time anymore, either. In addition to running TF, you can scan your USB drives with your anti-virus scanner on a system with Autoplay disabled (the NoDriveTypeAutoRun policy value, set to 0xFF, covers every drive type). The scanning solutions have, for the most part, caught up with the two-year-old technique.
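The "from the removable drive" direction works through the autorun.inf file at the root of the media: the open= and shellexecute= entries run a program when the drive is inserted, and shell\<verb>\command= entries rewire the Explorer context-menu verbs so that even a cautious user who right-clicks and picks "Explore" runs the worm. Reading that file with Autoplay disabled tells you exactly what would have happened. The following is an added example, not US-CERT's or ThreatFire's code: the sample autorun.inf is constructed in the style of the removable-drive worms of the period, and the junk lines between the real entries are our assumption about how some variants tried to hinder signature matching, not something the post describes.

```python
"""Parse an autorun.inf from removable media and report what Autoplay would run.

Added example, not US-CERT's or ThreatFire's code. The sample file is
constructed in the style of the removable-drive worms of the period; the junk
lines between the real entries are our assumption about how some variants
tried to hinder signature matching, not something the post describes."""
import re

EXEC_KEYS = {"open", "shellexecute"}                 # run a program on insertion
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=


def parse_autorun(text):
    """Return {section: {key: value}} with sections and keys lower-cased.

    Blank lines, ';' comments and lines that are not key=value pairs are
    ignored, which is what lets junk-padded files still work for the worm."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """List (key, reason, value) for every [autorun] entry that leads to code execution."""
    entries = parse_autorun(text).get("autorun", {})
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            findings.append((key, f"{key}= runs a program when the drive is inserted", value))
        elif SHELL_CMD.match(key):
            verb = key.split("\\")[1]
            findings.append((key, f"'{verb}' context-menu verb redirected to a program", value))
        elif key == "shell":
            findings.append((key, "default double-click verb changed", value))
    return findings


def programs_referenced(text):
    """Distinct program paths named by the dangerous entries (shell= names a verb, not a file)."""
    return sorted({value.split()[0].lower()
                   for key, _, value in autorun_findings(text)
                   if key != "shell" and value})


# Constructed sample: every verb a user might pick ends up running kjwgsw.exe.
WORM_AUTORUN = """[AutoRun]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
open=kjwgsw.exe
Bx9qL2ZkKnTpW7vR3mYhF8cD
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=kjwgsw.exe
shell\\explore\\Command=kjwgsw.exe
shellexecute=kjwgsw.exe
shell=open
"""

# Constructed benign sample: only an icon and a label, nothing to execute.
CLEAN_AUTORUN = """[autorun]
icon=photos.ico
label=Holiday photos
"""

if __name__ == "__main__":
    for _, reason, value in autorun_findings(WORM_AUTORUN):
        print(f"{reason}: {value}")
    print("clean file findings:", autorun_findings(CLEAN_AUTORUN))
```

The worm-style file produces five findings that all resolve to one program, kjwgsw.exe, while the photo drive produces none. The icon= entry is deliberately not flagged: worms set it to a stock shell icon so the drive looks ordinary in My Computer, which is worth noting in a report but is not itself an execution path.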

Wednesday, November 19, 2008

Microsoft Giving Away Live OneCare

Robert Vamosi has a nice writeup on the antivirus market following Microsoft's entrance into it. It's interesting that a company that size, with its marketing reach and the advantage of desktop dominance, gives anything away for free at all. But the security space is an unusual one:
'McAfee and Symantec both had something Microsoft did not: effectiveness.

Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated.'


It seems that effectiveness and innovation still matter. There may be a stripped-down free version of OneCare, but a resource-intensive app like that most likely still will not be picked up by users.
One of Microsoft's stated reasons is that too many systems out there have no security software, so they want to make it free. But that is why Microsoft started the Malicious Software Removal Tool and its updates years ago. The OneCare project, to this point, has failed.

Our free behavior-based ThreatFire continues to prevent two-year-old Parite variant infections on real users' machines on a regular basis, so we certainly see, and have been meeting, the need to protect users whose systems are otherwise unprotected. And its performance can't be beat.

Monday, November 17, 2008

ATTENTION! If your computer is struck by the spyware, you could suffer

...from all sorts of bad things. We know.



However, you may be seeing this misspelled message, which has changed a little over the past few months:
"ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes."

By the spyware? Creahes? Who writes this stuff?

"Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.
Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)"

Please be wary of this sort of scheme through the end of the year. A number of banner ads on very popular web sites have been redirecting users to sites serving up this garbage. This particular "Antivirus 2009" rogueware ad redirects your browser to a web site that uses nothing but JavaScript to imitate an online malware scan of your Windows system. As we've discussed before and at Virus Bulletin (slides on Flash here), this stuff tries to shock you with a list of malware detections that are not actually present on your computer, coercing you into paying for phony AV software. It "detects" the make-believe "Spyware.IEMonster.b", "Zlob.PornAdvertizer.Xplisit", and "Trojan.Infostealer.Banker.s", made-up names which, unsurprisingly, do not change:
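Because the scan is a canned animation rather than anything that touches the disk, its strings are as fixed as the fake detection names, and that is what makes the landing pages easy to recognize in fetched content. The following is an added example, not ThreatFire's code: both page snippets are constructed, the first imitating the fake-scan page using the text quoted above, the second an ordinary page that merely mentions antivirus software. The timer-loop check is our assumption about how such pages animate their progress bar, not something the post states.

```python
"""Score page content for the fixed tells of the "Antivirus 2009" fake scan.

Added example, not ThreatFire's code. Both page snippets are constructed: the
first imitates the fake-scan landing page using the strings quoted in the post,
the second is an ordinary page that merely mentions antivirus software."""
import re

# The post notes these made-up detection names never change, so they are
# usable as literal indicators.
FAKE_DETECTIONS = ("Spyware.IEMonster.b", "Zlob.PornAdvertizer.Xplisit",
                   "Trojan.Infostealer.Banker.s")
WARNING = re.compile(r"ATTENTION!\s*If your computer is struck by the spyware", re.I)
INSTALL_PROMPT = re.compile(r"install\s+Antivirus\s+2009", re.I)
# The "scan" is a script-driven animation; a timer loop inside <script> is the
# usual way to fake a progress bar (our assumption about the page, not a quote).
TIMER_SCRIPT = re.compile(r"<script[^>]*>.*?\bset(?:Interval|Timeout)\s*\(.*?</script>",
                          re.I | re.S)


def fake_av_indicators(html):
    """Return the list of indicators found in the page content."""
    hits = [f"canned detection name: {name}" for name in FAKE_DETECTIONS if name in html]
    if WARNING.search(html):
        hits.append("canned ATTENTION! warning")
    if INSTALL_PROMPT.search(html):
        hits.append("prompt to install Antivirus 2009")
    # A timer alone is normal web code; count it only alongside a content hit.
    if hits and TIMER_SCRIPT.search(html):
        hits.append("script-driven scan animation")
    return hits


def is_fake_scan_page(html, threshold=2):
    """True when at least `threshold` indicators are present."""
    return len(fake_av_indicators(html)) >= threshold


# Constructed imitation of the landing page, built from the strings in the post.
FAKE_PAGE = """<html><body>
<div class="alert">ATTENTION! If your computer is struck by the spyware, you could
suffer data loss, erratic PC behaviour, PC freezes and creahes.</div>
<table id="results">
<tr><td>Spyware.IEMonster.b</td><td>Critical</td></tr>
<tr><td>Zlob.PornAdvertizer.Xplisit</td><td>High</td></tr>
<tr><td>Trojan.Infostealer.Banker.s</td><td>Critical</td></tr>
</table>
<p>Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)</p>
<script>var p=0;setInterval(function(){p+=5;document.title=p+'%';},100);</script>
</body></html>"""

# Constructed ordinary page: mentions antivirus software and uses a timer, nothing else.
BENIGN_PAGE = """<html><body>
<h1>Keeping your PC clean</h1>
<p>Install your antivirus software from the vendor's own site and keep it updated.</p>
<script>setTimeout(function(){console.log('ready');},0);</script>
</body></html>"""

if __name__ == "__main__":
    for page in (FAKE_PAGE, BENIGN_PAGE):
        print(is_fake_scan_page(page), fake_av_indicators(page))
```

One caveat on where to point this: any page that quotes the rogueware's text, including a write-up like this one, will score, so it belongs on the content reached through ad redirects (a proxy or crawler following banner clicks), not on the web at large.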