Security Response

It’s almost like the age-old marketing strategy: put up a sale and offer huge discounts to draw customers. But, while doing so, retailers will make sure to use the “limited time offer” tactic. There is cause for worry, because spammers are following suit.

The spammers mislead recipients with false news that a law (the “Internet Pharmaceutical Law”) will take effect in a few days. After the so-called law is in place, it is purported that medicines that require a prescription won’t be available online without a doctor’s consent. Therefore, users are told that they should immediately place a pharmaceutical order using the provided website. With respect to the marketing strategy, spammers are creating an imaginary situation to hustle panicky recipients into buying medicines from their websites.

A sample message:
 
...

Symantec has observed a new trend in phishing in which the phishing Web page contains pornographic content. The phishing site states that the end user can obtain free pornography after logging in or signing up. These offers tempt users into entering their credentials in the hopes of obtaining pornography.

The attackers use several offers of pornography as bait. Some of the offers are adult chat, social networking with adult personals for sexual favors, blogs with free pornography, and so on. The screenshot below is an example of a phishing website using a leading information services brand. The site states that they provide email alerts for sex parties:

In January, new phishing attacks such as the above example continued to be observed abusing legitimate brands. The phishing pages were created using free Web...

While analyzing W32.Zimuse recently I was surprised to find two different passwords used within the threat: one of these decrypts a Word document that contains information about some members of a Slovakian motorbike forum.

In order to spread via USB drives, W32.Zimuse copies the file zipsetup.exe to removable drives. If zipsetup.exe is run with no parameters it shows the following message box:

The zipsetup.exe dialog box

This is not a real WinZip dialog box, just a password box made to look like the WinZip message box. The user has 10 chances to enter the correct password, after which the application will close. Entering "2008_15_12" (without quotes) decrypts a Word document named zoznam.doc:

...

If you have been following this series on Trojan.Hydraq over the last week you may have noticed that the blog entries have been well, boring. Because of its profile in the media and varying assessments of the threat posed by and the complexity of Trojan.Hydraq we decided to present the facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down.

2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.

Trojan....

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

•    Adjust token privileges.
•    Check status of, control, and end processes and services.
•    Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
•    Create, modify, and delete registry subkeys.
•    Retrieve a list of logical drives.
•    Read, write, execute, copy, change attributes, and...

With Valentine’s day a little over two weeks away it is not surprising that spammers are already targeting this holiday. Valentine’s Day is a common target for spammers and in January 2009 the top five Valentine’s Day-related spam subject lines were as follows:

1.    Increase your length, the best valentine’s gift
2.    Show off your length for valentine’s
3.    Get it before Valentine’s day and watch her smile
4.    You have been invited to partake in a shopping spree with [Removed] This Month for Valentines!
5.    Happy Early Valentines Day, You have been selected to go on a $1000 Shopping spree to [Removed]

From time to time the products that spammers offer are surprising. A recent spam sample offered the perfect engagement ring but you would have to wonder about their target audience; seriously, who would buy an engagement ring...

While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straight forward to deobfuscate.  Trojan.Hydraq has spaghetti code, which is a technique used to make analyzing the code of program more difficult.  The basic blocks of a function are identified, and then completely rearranged so one cannot easily follow the code in a linear fashion.  The rearranged code blocks are connected by jump instructions that connect them in the proper order during execution.

However, spaghetti code has been used in the past and, due to the simple method of implementation by Hydraq, is easily reversed.  We posted one of the first blogs about spaghetti code in malware back in 2006 in regards to LinkOptimizer.  Most security companies have tools to simply reverse this type of obfuscation in an automated fashion and even off...