MalwareDisasters is a division of MalwareIntelligence. It captures information about the behavior of malicious code and offers the countermeasures needed to mitigate the malicious actions in question.

4.11.2011

Increase in Dutch banking phishing

Over the last few months there has been an increase in a phishing campaign targeting customers of Rabobank and ING, two major banks in The Netherlands and Belgium. Some examples of the phishing mails:

Phishing email for ING with the subject “Account Verificatie” (or in English: “Account Verification”)


Phishing email for Rabobank with the subject “Customer Services Update”.

If you speak Dutch, you will notice that the content of these emails differs more from typical phishing mails than usual. There is a greater variety, and the first version contains almost no grammatical or spelling errors. The second email, for Rabobank, is however clearly a Google Translate copy/paste job.

All emails appear to originate from valid email addresses: the sender domains are @rabobank.nl and @ing.nl, which are in fact the legitimate domains of the two banks.
However, if we check the message headers we can see IPs originating from Nigeria:

41.155.32.70 (IPVoid results)
82.128.38.67 (IPVoid results)

Another IP address originates from New Zealand and is listed on several blacklists, as can be confirmed by checking it with IPVoid:

203.97.33.68 (IPVoid results)

This means the email addresses are spoofed to trick users into believing the email is valid.
Now, what happens if you click on the link included in the message? You will be redirected to one of these pages:

Phishing website for ING. The user needs to log in with his/her username and password. You can also opt to log in with the 'calculator'. The calculator is in fact a card reader which you can use to log in.


Phishing website for Rabobank. You can log in using your account number, access code and PIN code. You can also use your card reader.

The intention of these emails is of course to steal user credentials and empty the duped user's account. These attacks are pretty well orchestrated: if you click on any of the links on the phishing page, it redirects you to the real ING website, which provides extra information on the topic you clicked on.

The following tips do not only apply to the above story, but apply to any other (suspicious) email you receive:
  • Do not click on any of the links (or anything for that matter) in the email you have received.
  • Do not reply to the email.
  • Delete the email immediately, especially if you are not a customer of the aforementioned bank or did not order anything, change your password, and so on.
  • If you really need to access or check your bank account, visit the website directly by typing the address in your browser’s address bar. Also verify the URL starts with https instead of http.
  • Another useful trick is to hover over the link in the email. In the bottom left corner you should be able to see the real address behind the URL displayed.
  • When in doubt, you can double-check using URL scanning services such as VirusTotal or URLVoid by our partner NoVirusThanks.

Bart Parys
Malware Research
Twitter: @bartblaze


2.21.2011

New whitepaper about Carberp Botnet

A new whitepaper is available that describes the operation of one of the botnets most "wanted" by the security community: Carberp.

The article, called Inside Carberp Botnet and written by Francisco Ruiz, Crimeware Researcher at MalwareIntelligence, details the different parts of this crimeware and documents its full operating mode.

In recent weeks Carberp has returned to prominence due to the revival of several of its former C&C servers. However, the MalwareIntelligence researchers believe they have concrete evidence that the original group behind the first generation of Carberp has in fact broken up, and that some of the new botnets spreading the Carberp banking trojan are managed through a modified version of the original.

MalwareIntelligence has a Carberp Working Group, responsible for private and on-demand research into this particular threat. On the main blog, Ruiz also notes that Carberp used to be sold privately in a very closed environment, but that since a few days ago its marketing model has been opened up, giving some details of its current features and costs.


2.14.2011

Facebook rogue applications still lurking around

For quite some time now rogue applications have been trying to convince you that you can check who has viewed your profile. There are many different names for this rogue application; some, but not all, include:

  • creep exterminators
  • catch them being creepy
  • creepy profile peekers
  • privacy bros
  • we catch stalkers

So what will this fake application do? For starters, it will surely NOT show you who's been viewing your profile. If you land on this application, you will be presented with the following screen:

Profile Creeps application

Request for permission

You then have to grant the application access so it can show you who's been lurking around your profile. But wait! First you have to complete a survey, and then you are able to check it out. Simple, right?

Facebook verification

Not exactly. These fake surveys are pretty common on the internet. It is a typical scam. For example, I had one particular survey that urged me to download SmileyCentral, the other tried to deliver me Webfetti.

Another fake survey wanted me to fill in my phone number, and afterwards send an (expensive) text message to 'unlock' the application. In addition to letting you fall into one of these scams, the rogue application also promotes itself on all of your friends' walls:

Rogue application spreading itself on other people's walls

If you would like to remove it, follow the steps below:
  • Go to your Facebook profile. Find the post that mentions the "stalker" application
  • Skim over it and you will see an X appear. Click on it and choose "Remove (name of the fake application here)".
  • Additionally, you can also report it as abusive to help stop this type of application.
  • Next step is to click on My Account and choose Privacy Settings. Down below you can see "Apps and websites". Click on Edit your settings.
  • Select Remove unwanted or spammy apps. You can now Edit the application and remove it.

Bart Parys
Malware Research
twitter: @bartblaze


1.30.2011

Big Brother Brazil 2011 (AKA BBB 2011) malware attack

Big Brother 2011 (AKA BBB 2011) begins in Brazil and it's a motivation for social engineering attacks.

Big Brother Brasil 2011 began on January 11th in Brazil, and malware authors must be celebrating: the show is very popular, so it is easy to attract victims (via social engineering) to 'see' videos or pictures of the BBB 2011 participants.

We will show you a threat that arrived as a phishing message and uses social engineering to ask recipients to click a link in order to watch a video of a transsexual who is supposedly confusing the male participants of BBB 2011.

As you can see in the original e-mail below, the attacker uses a technique known as a DHA (Directory Harvest Attack) against the @hotmail.com domain in order to send the phishing message to valid e-mail addresses.



Note that when you hover the mouse over the link that appears to lead to youtube.com, the status bar shows that it will not take you to the youtube.com website. It will take you to the website hxxp://twurl.nl/rbpm6s.

Below you have the source code of the phishing message:

----------------------------------------------------------------
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
X-Message-Info: DkpufaDli9Iih8M1I3rOCBHB3/E1htFb2qXrXVLfpfjlNFuHVG90WYrx2zq5Mw1fmsHKOjL4weQGCOatyx0Pn7FYN0czafnY9kSTqtv24cY=
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 18 Jan 2011 10:21:08 -0800
Received: from wl01.ws.poa.ige (dcrs8211 [127.0.0.1])
    by wl01.ws.poa.ige (8.13.8/8.13.8) with ESMTP id p0IH1auJ030937;
    Tue, 18 Jan 2011 15:01:36 -0200
Received: (from httpd@localhost)
    by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;
    Tue, 18 Jan 2011 15:01:35 -0200
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,
bdd@hotmail.com, bee@hotmail.com
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
Date: Tue, 18 Jan 2011 15:01:34 -0200
From: "globo.com (BBB 2011)"

Reply-to: "globo.com (BBB 2011)"

Message-ID: <63a5faa6442cd3b2f870f2ac7a99bde7@mylove2010.info>
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.1718742875.rg.sm31
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
Return-Path: httpd@wl01.ws.poa.ige

----------------------------------------------------------------

As you can see in the source code, this phishing message involves three main components:

  1. A file named feed10.php
  2. A file named ariedina.jpg3
  3. A link pointing to the website hxxp://twurl.nl/rbpm6s.
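Reading the Received chain by hand, as was done above for the Dutch phishing mails (Nigerian and New Zealand source IPs behind spoofed bank addresses) and again for this message, is easy to script. The following Python is an added example, not code from the post or from MalwareIntelligence: it parses a trimmed copy of the header block quoted above, walks the Received hops oldest-first, reports the first routable address as the host that handed the mail to Hotmail, and surfaces the Sender ID / authentication failures and the browser address recorded in X-PHP-Script. Treating the first routable hop as the origin is a simplification: Received lines below the one your own MTA wrote were added by the sender's systems and can be forged, so only the hop stamped by the receiving MTA (here col0-mc3-f16.Col0.hotmail.com) is trustworthy.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Header block taken from the phishing message quoted above, trimmed to the
# lines the analysis uses so that it parses as one contiguous header block.
SAMPLE_HEADERS = """\
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 18 Jan 2011 10:21:08 -0800
Received: from wl01.ws.poa.ige (dcrs8211 [127.0.0.1])
    by wl01.ws.poa.ige (8.13.8/8.13.8) with ESMTP id p0IH1auJ030937;
    Tue, 18 Jan 2011 15:01:36 -0200
Received: (from httpd@localhost)
    by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;
    Tue, 18 Jan 2011 15:01:35 -0200
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
From: "globo.com (BBB 2011)"
Return-Path: httpd@wl01.ws.poa.ige
"""

HOST_RE = re.compile(r"from\s+\(?([^\s()]+)")          # "from host" or "(from user@host)"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # address the MTA saw, in brackets


def received_hops(msg):
    """Received chain oldest-first, as (from_host, bracketed_ip_or_None)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # headers are newest-first
        value = " ".join(value.split())                   # unfold continuation lines
        host = HOST_RE.search(value)
        ip = IP_RE.search(value)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def origin_ip(hops):
    """First routable address in the chain, i.e. the host that handed the mail over."""
    for _, ip in hops:
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not (addr.is_private or addr.is_loopback or addr.is_link_local):
            return ip
    return None


def mail_domain(header_value):
    """Domain part of the first mailbox in a header value, or None if there is none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower() if m else None


def analyze(raw_headers):
    msg = HeaderParser().parsestr(raw_headers)
    hops = received_hops(msg)
    findings = []
    if msg.get("X-SID-Result", "").lower() == "fail":
        findings.append("Sender ID check failed for " + msg.get("X-SID-PRA", "?"))
    if msg.get("X-AUTH-Result", "").lower() == "fail":
        findings.append("receiving MTA's sender authentication failed")
    script_client = None
    m = re.match(r"(\S+)\s+for\s+(\S+)", msg.get("X-PHP-Script", ""))
    if m:  # a web mailer script injected the mail; "for" names the client that drove it
        script_client = m.group(2)
        findings.append(f"injected by web script {m.group(1)} driven from {script_client}")
    from_dom = mail_domain(msg.get("From", ""))
    rp_dom = mail_domain(msg.get("Return-Path", ""))
    if from_dom is None:
        findings.append("From header carries a display name only, no mailbox address")
    elif rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    return {"hops": hops, "origin_ip": origin_ip(hops),
            "script_client": script_client, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    for hop in result["hops"]:
        print("hop:", hop)
    print("origin:", result["origin_ip"])
    for finding in result["findings"]:
        print("finding:", finding)
```

For the Dutch mails the same walk would stop at the Nigerian and New Zealand addresses, which is the check the post made by hand; the IPVoid lookup is then a separate step on the returned origin address.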
 
Analyzing the file feed10.php
I downloaded this script using the wget utility. See the screenshot below:

wget -v mylove2010.info/catastrofe/feed10.php


As you can see above, this is an SMTP engine used by this threat. Just in case, I submitted this PHP script to VirusTotal; you can see the results. It appears to be a genuine SMTP engine script, so there is no malware in the program itself, although it may well be used by malware.

Analyzing the file ariedina.jpg3

This is just a picture used to attract people into clicking to see a 'video' on youtube.com; however, as you can see in the source code, there is an HREF around it, so when the user clicks anywhere on this picture it takes the user to the malicious website: hxxp://twurl.nl/rbpm6s
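The hover-over-the-link tip from the Dutch phishing post and the HREF hidden behind this picture are the same problem seen from two sides: what the reader sees and where the link really goes. The following Python is an added example, not code from the post or from MalwareIntelligence, and the HTML it feeds in is constructed to mirror this message (an image link and a text link that both look like youtube.com but point at the shortener the post writes as hxxp://twurl.nl/rbpm6s, plus one honest link for contrast). It pulls every anchor out of an HTML mail body, takes the alt text as what an image link "shows", and flags anchors whose displayed site differs from the href target.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the phishing message above (not the real body).
SAMPLE_HTML = """
<p>Ariadna no BBB 2011 - veja o video:</p>
<a href="http://twurl.nl/rbpm6s"><img src="ariedina.jpg3" alt="www.youtube.com"></a>
<a href="http://twurl.nl/rbpm6s">http://www.youtube.com/</a>
<a href="https://www.ing.nl/">www.ing.nl</a>
"""

# A hostname-looking token in the visible text, optionally preceded by a scheme.
SHOWN_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, text the reader sees) for every <a href> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and self._href is not None:
            # for an image link the only "visible" text is the alt attribute
            self._text.append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude site key: the last two labels (fine for .com/.nl; not public-suffix aware)."""
    return ".".join(host.lower().split(".")[-2:])


def find_mismatched_links(html):
    """Return anchors whose visible text names a different site than the href target."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    mismatches = []
    for href, shown in parser.links:
        real_host = urlsplit(href).hostname or ""
        m = SHOWN_HOST_RE.search(shown)
        if not m or not real_host:
            continue  # text like "click here" says nothing about a destination
        shown_host = m.group(1).lower()
        if registrable(shown_host) != registrable(real_host):
            mismatches.append({"href": href, "shown": shown,
                               "real_host": real_host, "shown_host": shown_host})
    return mismatches


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_HTML):
        print(f"shows {hit['shown_host']!r} but links to {hit['real_host']!r} ({hit['href']})")
```

The registrable() helper is deliberately naive; a production filter would use the public suffix list so that, for example, a .co.uk site is not keyed on "co.uk".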

I have downloaded this picture so I could analyze it and saw that it's really just a picture:

wget -v http://lh4.ggpht.com/_FJQwbg0nrOk/TTGRJVC1KtI/AAAAAAAAAMs/CUvYCECUkhM/ariedina.jpg3



I submitted this file to the VirusTotal website, so you can get the report using the link below. There are no detections, since this is just a picture.

Analyzing the link hxxp://twurl.nl/rbpm6s

Using wget on the URL hxxp://twurl.nl/rbpm6s resulted in downloading a file named youtube_video756.exe.

wget -v http://twurl.nl/rbpm6s

Analyzing youtube_video756.exe

After submitting this sample to VirusTotal you can see that some AV vendors detect this threat, some of them using signatures and a couple using in-cloud technology.

If you run youtube_video756.exe, it will basically perform the following activities:

It creates a copy of itself named Recorte de tela e Iniciador do OneNote 2007.exe in the folder "C:\Documents and Settings\%user%\Start Menu\Programs\Startup\". This copy is then launched.

It connects to the FTP site ftp.biancarox.net using the username cohabrox and a password which will not be reported here, just in case. It downloads 10 files (listed below) to the folder C:\Documents and Settings\%user%\. While all of these files have a .txt extension, they are not true text files: looking at their strings you can see that they are really executables.


Taking a look at the process strings (below), we can see several internet bank sites of Brazil and two webmail websites.



When you open Internet Explorer and type one of the target URLs, such as www.bradesco.com.br (a real Brazilian bank), it kills iexplore.exe and loads a new process, C:\Documents and Settings\%user%\®¢Ÿª¤ª¥ž¥.txt. If you type another URL in the IE address bar, such as www.bradescoprime.com.br, another process is launched; in this case it would be ®ž“§«š§«š.txt.

This process is a fake application which emulates the requested website and captures your bank branch, account, token, passwords, etc. See the screenshots below:



While you are typing your bank branch, account, password, token, etc., the trojan captures everything and writes it to a *.bsp file in C:\Documents and Settings\%user%\. Below is an example:


Indicators of compromise

Check for files with the following MD5s in C:\Documents and Settings\%user%\.

  • edaa81ad2165c65bb340e636bf642291
  • b82c51f94b0e516f461b6f84a668dfde
  • 76184bebea96f59086368b64a896d224
  • f590d18d7b50109c03c6237d86e8415d
  • 52ea037028eb2274147aef1edfb64865
  • daa21069ae179cc0f195cd42795b592b
  • 86802efad8fb5b8153d7c7de67cb66bb
  • fc7592c9f2e2264c687a806459387d30
  • 9547ff6be241b5bb8a87f0dabe3b3218
  • 5cd6a3ac2b2d97e36091a1ecd2fd0aec
Check whether the process Recorte de tela e Iniciador do OneNote 2007.exe is running or the file is present in the folder C:\Documents and Settings\*\Start Menu\Programs\Startup\ (its MD5 is d34c8d3ad55f65d701264a5e8e278915).

Network connections to:

  • hxxp://mylove2010.info/catastrofe/feed10.php
  • hxxp://twurl.nl/rbpm6s
  • hxxp://livinianot.com.br/
  • ftp.biancarox.net
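The host indicators above can be turned into a small check. The Python below is an added example, not a tool from the post or from MalwareIntelligence: it walks a directory, hashes every file against the MD5 list from the post (the ten dropped files plus the Startup copy), flags the persistence file by name, and, following the observation that the dropped .txt files are really executables, flags any .txt file that begins with the MZ header. On a suspect machine you would point it at C:\Documents and Settings\<user>\; make_demo_dir() builds a constructed sample tree so the script also runs stand-alone.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# MD5s of the ten dropped files, as listed in the post.
IOC_MD5 = {
    "edaa81ad2165c65bb340e636bf642291", "b82c51f94b0e516f461b6f84a668dfde",
    "76184bebea96f59086368b64a896d224", "f590d18d7b50109c03c6237d86e8415d",
    "52ea037028eb2274147aef1edfb64865", "daa21069ae179cc0f195cd42795b592b",
    "86802efad8fb5b8153d7c7de67cb66bb", "fc7592c9f2e2264c687a806459387d30",
    "9547ff6be241b5bb8a87f0dabe3b3218", "5cd6a3ac2b2d97e36091a1ecd2fd0aec",
}
# The persistence copy dropped into the Startup folder and its MD5, also from the post.
IOC_STARTUP_NAME = "Recorte de tela e Iniciador do OneNote 2007.exe"
IOC_STARTUP_MD5 = "d34c8d3ad55f65d701264a5e8e278915"
ALL_MD5 = IOC_MD5 | {IOC_STARTUP_MD5}


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS header, whatever its extension says."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_dir(root, md5s=ALL_MD5, startup_name=IOC_STARTUP_NAME):
    """Walk root recursively and return (finding, path) tuples for every hit."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = md5_of(path)
        if digest in md5s:
            findings.append(("known-bad md5 " + digest, str(path)))
        if path.name == startup_name:
            findings.append(("persistence file name", str(path)))
        if path.suffix.lower() == ".txt" and is_pe_file(path):
            findings.append(("PE image disguised as .txt", str(path)))
    return findings


def make_demo_dir():
    """Constructed sample tree standing in for C:\\Documents and Settings\\%user%\\."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    (root / "notes.txt").write_bytes(b"just a text file\n")           # benign
    (root / "dropped.txt").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE header, .txt name
    startup = root / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / IOC_STARTUP_NAME).write_bytes(b"MZ" + b"\x00" * 30)    # persistence copy by name
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_dir()
    for what, where in scan_dir(target):
        print(f"{what}: {where}")
```

Hash matches are the weakest of the three checks, since any rebuild of the trojan changes every MD5; the name and MZ-in-.txt checks survive that and are what an analyst would keep in a detection rule.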
Below are the VirusTotal reports for the samples analyzed here:


id=968db70645fceeb734ba941ee78d51848057762b0559709238c59d4391d1c25e-1295986300
id=961a9c536b98d02172eb48bd2e0e4881591ac1eb607bf1ea7f267f4994c6b6f6-1295986210
id=e6a33cbba7e6348c41cb7e10acac4efaf47286603d54d1c7088f8772bb0f23e8-1295986257
id=4e908de9a38bb3b90435b0d8b733ad11836a8f65bff2cd6cd247fd47a332af16-1295996254
id=d12ef9562f2deae6ef8e7d5842bf1f1425fc23ce7b6c2265a62189eac14e966f-1295985855
id=8d1a2ece03010fe9610c852a70d13c22f9e91d93e39abc939a742d84b279ea64-1295996475
id=457278ad3bc382dd5159c0be8e9f2f2e3e1cf9191861b56497c81f21f423808d-1295996615
id=55d9afec1ad24fcfec03f03cbc7be9b6c21a614db87432e925cdc8112c551c5e-1295996949
id=73cc47196be7bd8c0f7764a46cb4488266bef2ea1ffccbdbd91cd0b62c79919d-1295997136
id=26f542326786e4facd624fcb170a71c6a2e709e23c8f4cffa4715e133869316b-1295980568
id=8f5c8ad99ded74d3cc233b691a803fc6f00ac3113ad67c6f6802ac3ea0f727fc-1295389644

Bruno Caseiro
Malware Researcher


10.27.2010

SMS Ransomware. From Russia to the world


The new generation of malicious code designed to fund criminal groups by making victims send premium-rate SMS text messages is now a pattern that has already spread worldwide.

While this type of ransomware is developed for the Russian-speaking public, being a very common malware in Russia, any user anywhere in the world is a potential victim.

Every day the offenders change the graphic design of what is shown on screen, which although minimalist is very aggressive, and always provides the information needed so that, in theory, the victim can obtain the key to unlock access to the operating system, in exchange of course for a sum of money, in this case 360 rubles (just over $10).


SMS Ransomware template
The latest campaign to spread this family of ransomware uses this design.

The truth is that, despite not having a complex structure, it represents one of the more aggressive and invasive malicious codes. Not only because by blocking the system it also blocks access to all functionality of the operating system and its software, but also because, while the user is looking at the ransomware screen, it reports back to an affiliate business (usually of the Pay-per-Install type) and in some cases tries to steal information related to authentication credentials.

Related Information

Microsoft Security Antivirus ransomware
New SMS ransomware template with slight change
Campaign to disseminate Russian ransomware
New Russian SMS ransomware In-the-Wild
SMS Ransomware porn template update
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
