Symantec Blogs: Security Response

Livian Ge | December 23rd, 2009
0 comments
Threat type: Trojan
Affected operating systems: Windows 95/98/2000/Me/XP/Vista/NT, Windows Server 2003
 
Trojan.Pidief.H is a Trojan that exploits an as-yet-unpatched zero-day vulnerability in Adobe Reader and Acrobat (CVE-2009-4324). It uses the vulnerability to drop and run a malicious program on the compromised computer.
 
The malicious file is dropped into the Temp directory and renamed AdobeUpdate.exe in order to mislead the user. Attackers can choose different dropped files depending on their intent, for example to steal the user's confidential information or to drive-by download further malicious files. The Trojan may arrive on the victim's computer as an email attachment in the form of a PDF file containing specially crafted JavaScript, and tries to entice the user into opening the attachment; malicious code planted on web pages is another way it spreads.
 
Adobe has not yet released a patch for this vulnerability, so users need to be especially careful. Users are advised to avoid suspicious websites and not to open email attachments of unknown origin.

John McDonald | December 21st, 2009
0 comments

Theft
As we discussed in Part I, the primary purpose of Qakbot is to steal information from the compromised computer. In addition to targeting login details for FTP, POP3 and IMAP, the worm also attempts to steal cookies, not only regular browser session cookies but also Flash cookies. A discussion of Flash cookies is beyond the scope of this article, but be aware that, unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in a browser, which means they cannot be cleared or deleted in the simple manner in which normal tracking cookies are removed.

Qakbot uses several techniques to collect private keys from the system certificates contained on the compromised computer. First, it replaces all certificate-related dialog boxes so that the “OK” button is automatically pushed as soon as the dialog is created...

Shunichi Imano | December 20th, 2009
0 comments

Motive
We recently had the opportunity to revisit a threat that first appeared on our radar back in May of this year. W32.Qakbot (hereafter referred to as Qakbot) is a somewhat benign worm that is capable of spreading through network shares, downloading additional files and opening a back door on the compromised computer, all in aid of its ultimate goal. Benign not because it is harmless - stealing login details, reporting keystrokes and uploading system certificates is malicious behavior indeed - but as will become obvious as we describe it in more detail below, because it moves slowly and with caution, trying not to bring attention to its presence.

The motive of Qakbot is quite clear: to steal information. Taking a peek under the proverbial covers, we see that it uses several components to accomplish the task, including the following:

  • ...
Samir Patil | December 18th, 2009
0 comments

Spammers are recycling their old spamming methods after more than two years. Symantec reported an .mp3 version of pump-and-dump stock spam back in October 2007.

In this recent spam attack, a small .mp3 file promoting a meds domain is attached in the email messages. These email messages contain no subject line or message body. The .mp3 file is a five-second message recorded in a female voice and promotes a particular meds domain. The file is approximately 11 KB in size and recorded at a 16 kbps bit rate. The voice is heavily distorted with background noise. The domain name described in the file is a recently registered domain in China.

Some of the random filenames used are as follows:

milksoppy.mp3
enwomb.mp3
realiser.mp3
escort.mp3
recarboniser.mp3
unlights.mp3
scathing.mp3
byproduct.mp3
lewes.mp3
micrometers.mp3
...

Hon Lau | December 18th, 2009
0 comments

Those looking to see the latest 3D blockbuster movie, Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.

[Image: FreeAvatarMovie_2.png]

[Image: avatar2_2.png]

Clicking on the play button or icon will send a request to update-activex.com, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the standardmultimedia.com domain. This is now detected as Trojan.FakeAV.

In addition to this malware page...

Mircea Ciubotariu | December 17th, 2009
0 comments

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:

media.newPlayer(null)

Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:

[Image: code1.png]

And eventually deinit_obj calls the destroy function from the object's v_table:

[Image: code2.png]

So far...

Livian Ge | December 16th, 2009
0 comments

Right at the year-end holidays, a new zero-day vulnerability (CVE-2009-4324) has been disclosed in Adobe Acrobat and Adobe Reader.

The Adobe Reader and Acrobat 'newplayer()' JavaScript vulnerability lies in the multimedia plugin Multimedia.api. Current attacks on this vulnerability mainly use PDF files containing specially crafted JavaScript. Such crafted PDF files may reach the user's computer as email attachments that entice the user into opening them. Symantec has released the definition Trojan.Pidief.H for this threat.

When the user opens such a PDF file, the attacker exploits the vulnerability in the newplayer() function, which arises while newplayer() creates the player object: passing null as the parameter for object creation forces Adobe Reader to throw an exception during the parameter check for creating the player object, and the exception handler then accesses an object pointer that has not been fully initialized, causing a crash, as shown in Figure 1.

...

Vivian Ho | December 16th, 2009
0 comments

We’ve monitored a great deal of Christmas sales spam (in English) for the upcoming holiday. Compared to English holiday spam, Chinese spammers seem to have fewer activities for Christmas, most likely because it is not a major holiday in the Chinese calendar. The Christmas holiday is popular among younger Chinese generations, however, and shopping for gifts is still expected. We have observed a couple of notable Chinese samples covering the topic of Christmas shopping. In the first sample, a spammer has sent a random Christmas sales ad, and we found that the spammer purposely set the promotion text background color in gray (<FONT style="BACKGROUND-COLOR: gray" color=gray>); you have to highlight the gray line in order to see the promotion text. In the header we observed a forged and randomized “From” alias. They used a shortened URL service in the body image, which led to an actual business website.

Sample Header:
...

Vivian Ho | December 16th, 2009
0 comments

Didn’t shop enough on Black Friday? Still looking for Christmas Gifts? Need to send holiday greetings? Spammers will send them all at your convenience! We started seeing Christmas-related spam just after the Thanksgiving holiday—spammers are just as busy as the rest of us are this holiday season.

We have recently observed many different types of Christmas-related spam, such as medical/replica/gift shopping offers, loan offers, lotto scams, fraud and viruses, etc. Many of them have Christmas themed key words in the header to lure users to open emails. We saw some last year and have already observed the familiar “festive” headers.

The following are some sample headers:

From: "Shop Smart this Christmas" <Details Removed>
From: "X-mas Loan Offer" <Details Removed>
From: "Christmas Gift Ideas" <Details Removed>
From: "Christmas" <Details Removed>  ...

Joji Hamada | December 14th, 2009
0 comments

Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed confirmed the existence of a 0-day vulnerability in these products. The PDF files we discovered arrive as email attachments. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H.

We have reported our findings to Adobe who have acknowledged the vulnerability in this blog.

The analysis is still ongoing, so more details will follow. In the meantime, I recommend that everyone be extra vigilant during this holiday season, especially when...

Dermot Harnett | December 14th, 2009
0 comments

Notable highlights this month include the continuing shift of the region of message origin to APJ and South America, and changes in the average size of spam messages.
 
•    The EMEA region has been firmly displaced as the primary region of origin for spam—the APJ region has obtained that mantle. The APJ region currently accounts for 26 percent of all spam, which is a nine percentage point increase since June 2009.
•    With respect to the average size of spam messages, 71.08 percent of messages now have an average message size between 2 KB and 5 KB, while 19.53 percent have an average message size between 5 KB and 10 KB.
•    With respect to spam categories, Internet spam decreased by four percent and now accounts for 35 percent of all spam messages, with leisure and fraud increasing by three and two percent, respectively.

Click...

Masaki Suenaga | December 13th, 2009
0 comments

The AVAR 2009 Conference was held in the historic city of Kyoto, Japan, from November 5. As this year's trends are cloud computing, fake antivirus software and massive PDF file attacks, the cloud and PDF topics were covered at the conference.

We had several Japan-specific sessions. Some delegates from Japanese ministries and governmental agencies spoke about their work and statistics on cyber crime. As with other nations, Japan has its own particularities in computer usage and malware, such as the widespread use of the peer-to-peer software called Winny and the related malware W32.Antinny, and a destructive Trojan horse, Trojan.Haradong, that was discovered on the Winny network (the creator was eventually arrested). Another trend in Japan is the so-...

Mathew Maniyara | December 11th, 2009
0 comments

The popularity of applications on social networking websites has increased a great deal this year. This has led to a new wave of phishing attacks targeting the users of these applications. Symantec has examined phishing websites exploiting three major social networking brands. The fake websites display attractive offers on the social networking applications to lure end users. Some of the applications that the phishing sites were based on are:

1.    Social networking on mobile – Due to the rise in the number of users accessing the Internet through smart phones, social networking websites have expanded their services on smart phones, including messaging, chatting, photo viewing, etc. This increase in users has opened more doors to attackers because there are now more potential victims. Hence, attackers have created phishing websites on social networking brands claiming to provide these services on smart phones.
2.    ...

Samir Patil | December 11th, 2009
0 comments

In a new wave of phishing attacks, Symantec has observed that attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack.

The attackers ask users to click on the link provided in the spam message, which leads the users to an “FTP access confirmation” page where the recipients' FTP credentials are stolen. Attackers use a phishing cPanel page to do this (cPanel is a Web hosting administration tool).

Some of the various subject lines observed are as follows:

Subject: for [hosting domain name] webhosting user
Subject: [hosting domain name] web hosting update
Subject: [hosting domain name] webhosting update
Subject: for [hosting domain name] web hosting user

...

Thomas Parsons | December 10th, 2009
0 comments

In quality assurance circles at Symantec it is often stated that clean data (e.g. files from clean software) are to false positives as malicious data are to true positives. In simple terms, just as we cannot write antivirus signatures or antivirus technology without malicious data, we cannot prevent false positives without clean data.

At Symantec we go to serious lengths to generate, and also source, clean data to assist with our false-positive prevention efforts. With this in mind, over the past 12 months we piloted a “software white-listing program” that allows software developers and Independent Software Vendors (ISVs) the opportunity to proactively white-list their software with Symantec. The good news is that, due to the success of the pilot program, we are ready to offer this program on a...