Posted by Sean-Paul Correll at 20 November 09 10:01
If you plan on shopping online for "Black Friday", or "Cyber Monday", you might be in for more than you bargained for. Cyber criminals behind the Rogueware epidemic have their blackhat SEO campaigns optimized to take advantage of deal seekers looking for advertisements online. One misstep and you just might find yourself staring at a scareware site designed to trick you into believing that your computer is infected.
Google Search:

Fake Antivirus Page:

We are constantly monitoring this and other Blackhat SEO campaigns to protect our customers against the latest malware attacks on the Internet. If you are not a customer yet, we recommend at least installing our free Cloud Antivirus protection. We also recommend adding an extra layer of browsing protection with safer-browsing technology, such as the community-driven system provided by our partner, Web Of Trust.
Posted by Xabier Francisco at 12 November 09 06:44
We have created a video showing how the iPhone/Eeki worm works.
You can see it here:

As you can see in the video, this malware first checks that it is not already running on the device. To do so, it checks whether the following file exists:
/var/lock/bbot.lock
This can help you determine whether you are infected: if that file is present on your device, the worm is there.
Next, it changes the device host and stops the SSH daemon.
It then tries to spread across the subnet the phone is connected to and also generates random IP ranges, drawing on pre-established ranges corresponding to certain companies’ IP addresses:

Once an IP address has been generated, it connects to that address over SSH using the default root credentials shared by all jailbroken iPhoneOS devices (1G, 2G and 3G iPhone and iPod touch). If access is denied, it generates another random IP and repeats the process until it finds a vulnerable victim that accepts the login.
Once a victim is found with those credentials, it obtains a remote session and copies itself to the affected phone, adding:
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
so that it runs on restart.
It then stops the SSH service through which it infected the device. Finally, it copies a photo of Rick Astley and sets the image as the device wallpaper.
“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.
Posted by Sean-Paul Correll at 28 October 09 01:00
Cyber criminals behind the Rogueware epidemic have been hard at work poisoning search results to increase traffic to their campaign sites. Today we identified a new Blackhat SEO campaign, which is currently and aggressively targeting Halloween-related keywords. While studying the campaign, I noticed that the most commonly targeted keywords were classic costume favorites, such as the Catwoman costume, vampire costume, and various adult costumes. In addition to costumes, the BHSEO campaign also targets Halloween-related food recipes, haunted house directions, Halloween parties, and the movie Halloween.
Tainted search results:

Fake Antivirus site:

Tag cloud of targeted search terms:

As we have documented in prior blog posts, Blackhat SEO continues to be one of the most prevalent and pervasive attack vectors on the Internet today. As users, we tend to trust search engines to provide safe and accurate search results, but the reality is that today, search engines are becoming the most dangerous way to browse the Internet.
Posted by Sean-Paul Correll at 09 October 09 02:20
We’ve identified a new Blackhat SEO campaign today which targets President Obama’s 2009 Nobel Peace Prize win, among a thousand or so other search terms. Clicking on a malicious search result yields the typical Rogueware campaign.
Search result:

Rogueware site:

The complete list of targeted search terms can be found here.
Posted by Sean-Paul Correll at 08 October 09 01:05
The criminals behind Rogueware attacks are becoming increasingly aggressive in their approach to making money. We recently stumbled across a sample (Adware/TotalSecurity2009) which uses a ransomware technique to improve its sales. Once the computer becomes infected, Total Security forces the victim to purchase it before it will allow any files to be accessed on the system. When the victim attempts to open a file, a message pops up in the notification area claiming that the application was blocked due to infection. The pop-up recommends activating the "antivirus" software, which costs $79.95.
This would be a devastating blow to any user and would likely force the victim to purchase it, so we went ahead and cracked the sample to reveal all of the valid serial numbers. We're hoping that victims can find this blog post before shelling out any hard-earned cash to these criminals.
Watch the video to see it in action:

Valid serials for Adware/TotalSecurity2009:
WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD
Once one of these serials has lifted the ransomware lock, you can download a free trial to completely remove the infection.
Special thanks to Sherab Giovannini for extracting the serials.
Posted by Sean-Paul Correll at 05 October 09 12:41
Rogueware distributors are like the cockroaches of the Internet; they’re everywhere. Malicious search results, online advertisements, and iframe hijacked sites are the typical distribution methods, but every once in a while we come across an interesting approach.
Recently, a colleague alerted me to a spam message arriving in his personal Skype account. The message appeared out of nowhere from an account labeled “Online Notification” and made the typical claims of a found infection. Once the victim navigates to the site, the usual fake antivirus trickery takes place.

Skype isn’t the most reliable or innovative distribution method, but we’ll go ahead and give them an "A" for effort.
Posted by Luis Corrons at 01 October 09 09:51
We've just published our latest quarterly report. It presents the malware figures for Q3 together with some interesting articles. If you want to know what has happened in the last 3 months, which were the most important Blackhat SEO attacks, or the latest movements of the Koobface worm, just download it and enjoy!
English:

Spanish:
Posted by Sean-Paul Correll at 28 September 09 11:45
Fake IRS notification e-mails have been in circulation on the Internet over the past few weeks. We've monitored the situation closely and have observed 30 active domain names currently spreading the Zeus trojan affiliated with the spam campaign, as well as 300 links used in the attack over the past month. The e-mail arrives as a notice of unreported income and directs the victim to click on a link (e.g. www.irs.gov.malwaredomain.com). When clicked, the victim arrives at a website designed to look like an official IRS page.

The website attempts to legitimize itself by showing the recipient's name in the Taxpayer ID field and in the download link. Once the download is opened, the Zeus trojan is silently installed on the victim’s computer and begins to intercept communication with banking sites in order to facilitate financial fraud.
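The hostname trick in that link, a trusted domain planted as a leading subdomain of an unrelated domain, can be checked mechanically before a link is clicked or while triaging a phishing sample. The following is an added example, not code from the original post: the trusted-domain list and the sample links are constructed, and the two-label "registrable domain" heuristic is an assumption that a production version would replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user actually trusts (not from the post).
TRUSTED_DOMAINS = {"irs.gov"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption: two labels identify the owner (fine for .gov/.com); a production
    version would consult the Public Suffix List to handle e.g. .co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'other'.

    'lookalike' means a trusted domain appears as a run of labels inside the
    hostname without being the registrable domain that owns it, which is the
    pattern of www.irs.gov.malwaredomain.com in the campaign described above.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        t_labels = trusted.split(".")
        n = len(t_labels)
        # Look for the trusted labels at every position except the true suffix.
        for i in range(len(labels) - n):
            if labels[i:i + n] == t_labels:
                return "lookalike"
    return "other"


def flag_lookalikes(urls):
    """Return the URLs from an e-mail or page that classify as lookalikes."""
    return [u for u in urls if classify_url(u) == "lookalike"]


# Constructed sample links, loosely modelled on the one quoted in the post.
SAMPLE_LINKS = [
    "https://www.irs.gov/individuals/refund",
    "http://www.irs.gov.malwaredomain.com/tax_statement",
    "http://irs.gov.attacker.example/form",
    "https://example.com/irs.gov",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_url(link):9s} {link}")
```

A trusted name appearing in the path (the last sample) is not flagged, since only the hostname decides which server the browser connects to.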
Posted by Sean-Paul Correll at 23 September 09 01:26
Every day, cyber criminals exploit search engines to place malicious results high in the rankings. Targeting hot topics allows cyber criminals to improve infection rates for their money-making Rogueware (pdf) schemes. Below is an example of the attack we observed today.
Most targeted search terms:
- Dallas Cowboys
- NFL
- School
- Emmy Awards
- Autumn Equinox (Mabon)
- Atlanta
- News
The full list of targeted keywords can be downloaded here: BlackhatSEO3.txt
Sample search result:

Redirection to fake security (Rogueware) site:
Rogueware: Adware/PCDefender

Tag cloud of targeted terms:

Posted by Sean-Paul Correll at 21 September 09 09:43
The Ukrainian Facebook scam we blogged about on Friday has sibling campaigns for MySpace, ICQ, and Vkontakte. All of the scam sites are identical in design and demand a payment of $100, except for the Vkontakte site. Vkontakte is a Russian clone of Facebook, and that scam offers to hack Vkontakte profiles for 1500 rubles, which is about $50 USD.
MySpace

ICQ

Vkontakte

What's strange here is that the Ukrainian scam crew responsible for these sites is making a run at conning Russians, a tactic we don't see very often in the labs.