The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim’s email account.
The incoming email has the following subject, ‘Hey <name> your Facebook account has been closed!‘ or ‘Hi <name> your Facebook account is blocked!‘. The email has a ZIP file attachment with name <name>.zip, which contains a downloader file named <name>.exe. <name> stands for a random user name. After a user downloads and executes the executable file, he is presented with the message saying that “Your Facebook connection is now secured! Thank you for your support!” It tries to convince you that there was a problem with your Facebook account, which was later successfully solved by executing the application from the email attachment.
Let’s look inside the executable file!
Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.
Malware authors spread many new variants of malware every day. These variants often look completely different at the first glance. That’s why regular updates of your antivirus is important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware is caused by encapsulating it by so-called “cryptors.”
In most cases, these cryptors are pretty boring pieces of software. They usually take seemingly random data from the malicious file, reshuffle them in a correct way, so that these bytes then become an executable code, and then they execute them. However, authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.
Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.
I was given a suspicious website link pointing to the website belonging to Board of Regents of State of Louisiana. This link points to the main website hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers>.exe represents several random numbers, followed by EXE extension.
Several months ago I wrote a blog post about an adware downloader which after execution downloaded a few adware programs and installed them on the computer, giving no chance for the user to skip or bypass their installation. This time, we will analyze an application, which installs similar types of adware programs on user computers.
We received a file which appeared to be a crack of Pinnacle Studio HD Ultimate. After displaying the initial splash screen, it offers the user to install Pinnacle Pixie Activation 500. After confirmation, the crack is installed, but in addition to the crack, other programs and toolbars unexpectedly appeared on the compromised computer. Pinnacle was not the only target of this kind of attack. Cracks for programs like Sims, Nero, Rosetta Stone, and Pro Evolution Soccer 2013 were also used in distribution.
In this blog post, we will look at the attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.
As a malware analyst, I sometimes have to deal with files, which cannot be classified as computer virus or malware, but their behavior when executed by user is still considered unwanted or suspicious. In this blogpost, we will look at an adware downloader. It comes in two different versions, one tiny – having only about 17KB and being written in .NET, and the other one bigger, using getrighttogo downloader builder. In user’s computer, downloader was found in the following directory.
C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe
Users’ computer got infected via one of many sites similar to following ones – websites offering to download movies. After clicking on download links, .exe files were offered to download.
Figure 1 – Example of site the downloader was originally downloaded from
In this blog post, I would like to introduce one variant of the widely spread malware family, often detected by avast! as “Reveton.” Reveton is classified as ransomware; a program which locks your computer and expects an action, usually the payment of money. Unless the desired amount of money is paid or the malicious application is removed, you cannot do anything with your computer.
In the screenshot below (figure 1), you can see an example of the fake United States Cyber Security notice. Cybercrooks cleverly try to convince the user that activities which violate the law have been detected on his computer. In the sample we analyzed, the user is being accused of illegally downloading and distributing copyrighted contents.
To mimic a realistic look, the United States Cyber Authority logo as well as basic information about the user’s location (IP, Location, IPS) are shown in the upper left corner. A black and white image resembling a web camera is shown in the upper right corner. This creates a feeling that the user is being watched by authorities right now via an integrated web camera. Most computers nowadays have integrated web cameras, however, at the computer where our analysis was performed, no web camera was present, but the video recording image was still shown.
Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs, which do nothing beneficial – they just pretend to do a scan of your computer, they pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn’t install such a program, you don’t even know how it got installed on your computer. It’s just there, wanting to trick you to buy a license.
Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you, will it just disappear… or, maybe, it will keep annoying you. Let’s look at a program called “S.M.A.R.T. Repair”.