Malware Watch: iTunes gift certificates, Skype worm, fake CVs and greeting cards

Summary: Today's Malware Watch details four spamvertised campaigns installing scareware, and a worm with rootkit capabilities, spreading across Skype.

Malware Watch is Zero Day's new section for covering currently spreading malware campaigns, with the idea to raise awareness on the themes and techniques used for propagation and infection.

These campaigns include bogus iTunes gift certificates, another bogus Windows 7 compatibility checker, a "Look at my (malware-infected) CV" themed campaign, "Your mailbox settings have changed"/bogus 123greetings ecard themed spam, and an IM worm spreading across Skype.

- Thank you for buying iTunes Gift Certificate! themed malware campaign

This campaign, spreading over email, attempts to social engineer the recipient into downloading, unzipping, and executing the attached iTunes_certificate_497.zip:

"Hello! You have received an iTunes Gift Certificate in the amount of $50.00. You can find your certificate code in attachment below. Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store."

Moreover, once a host is compromised, the cybercriminals attempt to monetize it by installing scareware. Consider going through "The Ultimate Guide to Scareware Protection" to learn more about how the entire infection and propagation process works, including practical tips on how to avoid infections.

- Windows 7 Upgrade Advisor themed malware campaign

Yet another malware campaign propagating over email, this time attempting to trick the user into executing a bogus Windows 7 compatibility checker, Windows7UpgradeAdvisorySetup.zip:

Find out now if your PC can run Windows 7! To see if your PC is ready for Windows 7, download the free Windows 7 Upgrade Advisory. This software scans your PC for potential issues with your hardware, devices, and intalled programs, and recommends what to do before you upgrade. Attention! The information about your PC will be sent to Microsoft, but it will not be used to identify or contact you.

According to BitDefender, upon execution it "installs a backdoor which allows remote, clandestine access to the infected system. This backdoor may then be used by cybercriminals to upload and install additional malicious or potentially unwanted software on the captured system."

- Look at my CV themed malware campaign

What's particularly interesting about this campaign, once again using email as a propagation vector, is the fact that it's launched by the same individual/gang that's behind the iTunes Gift Certificate themed campaign.

Both campaigns (this one arrives as My_Resume_218.zip) are using identical command and control servers, with the bad guys once again attempting to monetize the infected hosts using scareware:

"Hello! I have figured out that you have an available job. I am quiet intrested in it. So I send you my resume, Looking forward to your reply. Thank you."

With professional, cybercrime-friendly translation services available since 2008, these campaigners appear to be (thankfully) unaware of the basics of quality assurance.

- Settings for your mailbox are changed/You received online Greeting Card themed campaign

Relying exclusively on the abuse of Google Groups to spread its malicious links, this scareware-installing campaign has recently switched to a 123greetings ecard theme.

According to eSoft:

The link on the Google Groups page is a Downloader Trojan with better than normal virus detection. The Downloader then does its job, downloading a mixed bag of malware from several locations. Among the malware downloaded is Desktop Security 2010, a Rogue Anti-Virus program. Access to the Internet through the browser is blocked until you’ve purchased a license, adding a hint of Ransomware to the mix.

Three out of the four currently reviewed campaigns serve scareware. That's anything but a coincidence, with scareware currently representing 15 percent of all malware, according to Google.
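As an added defender-side example, not code from the original post: a mail-gateway heuristic that flags a message pairing one of the lure themes above with a zip attachment carrying an executable, the pattern shared by the iTunes, Windows 7 and CV campaigns. The sample message and archive are constructed here (the "executable" is a dummy string, not a real binary), and the lure patterns are my own reading of the campaign themes.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure themes from the spam campaigns described above (matched case-insensitively).
LURE_PATTERNS = [
    r"itunes gift certificate",
    r"windows 7 upgrade advisor",
    r"\b(resume|cv)\b",
    r"(greeting card|ecard)",
]
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # "photo.jpg.exe" is still caught

def executable_members(zip_bytes):
    """List archive members with an executable extension; a corrupt or non-zip blob yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def scan_message(raw):
    """Flag a message that pairs a campaign lure with a zip attachment holding an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + " " + (body_part.get_content() if body_part else "")
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.I)]
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = executable_members(part.get_payload(decode=True))
            if members:
                findings.append((name, members))
    # Block only when both signals agree, to keep false positives on ordinary zips low.
    return {"lures": lures, "findings": findings, "block": bool(lures and findings)}

def build_sample():
    """Constructed sample mimicking the iTunes lure; the archive holds a dummy, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("iTunes_certificate_497.exe", b"MZ dummy placeholder, not a real binary")
    m = EmailMessage()
    m["Subject"] = "Thank you for buying iTunes Gift Certificate!"
    m.set_content("You have received an iTunes Gift Certificate in the amount of $50.00.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="iTunes_certificate_497.zip")
    return m.as_bytes()
```

A real gateway would also inspect nested archives and password-protected zips, which this heuristic deliberately leaves out.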

- IM worm campaign spreading across Skype

This is perhaps one of the most interesting campaigns, due to the fact that it's propagating across Skype and Yahoo! Messenger, and is also attempting to avoid automatic detection by engaging in a conversation with the prospective victim. Moreover, the executable file, masked as an image file, has rootkit capabilities, and also disables access to highly trafficked download portals in an attempt to prevent users from downloading cleanup tools.

More info:

The malware also deactivates the Windows Firewall in order to breach the local security and to allow a remote attacker to connect to the worm's backdoor component. To make things worse, the rootkit component also prevents the installation of any file known to be an antivirus product. Backdoor.Tofsee identifies these files by their filename, so renaming the blocked file should solve the issue. The worm's spreading mechanism isn't reduced to spamming itself via Skype and YIM; it also copies itself on any attached USB storage device.

Although none of these campaigns rely on the exploitation of third-party application or browser plugin vulnerabilities, the same is not true for the hundreds of thousands of currently compromised sites, which do exactly that.

Since generalizing the ways to protect against emerging threats is pretty ambitious, basic security auditing practices, combined with an informed decision-making process, are always capable of mitigating a significant percentage of the risk.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

9 comments
  • FYI these are just Windows-only worms.

    You can still view the messages on other operating systems, just not become infected.
    AzuMao
  • RE: Malware Watch: iTunes gift certificates, Skype worm, fake CVs and greeting cards

    It is interesting to watch SPAM change. I saw the first CV email and was not sure if it was legitimate until I saw another one from someone else with the same attachment. My policy is if I have not entered a sweepstakes to ignore winning emails, if a bank wants me to verify my account then I call them and if anything looks dodgy, has viagra in the title or address or has obvious misspellings then it gets trashed.

    Most of these are social engineering scams to add malware to those who trust too much. This can infect any operating system although the largest majority goes to those who pirated their OS followed by those who do not update their OS. Having a little protection helps if one takes care to not open attachments from strangers or automatically clicking on the "Yes" button. It also helps to have a degree of distrust of your security and monitor the system for problems.

    What does not work well in the long run is believing that your system is immune because it is not an MS product. The internet has dark alleyways that everyone walks near and not being aware of the surroundings can lead to nasty problems.
    sboverie
    • Other operating systems don't have the concept of executable attachments.

      They don't require you to randomly wander from one website to another downloading and installing things, and then (trying to) repeat the process when those things need updating.

      There's just no comparison, two completely different ecosystems.
      AzuMao
  • Don't trust anyone

    Not even yourself. This can't be repeated enough when it comes to the WWW [world's wildest wormhole].
    klumper
    • Trust klumper. YAY PARADOX!

      AzuMao
  • What a d*ck headline!

    My email subject states: "iTunes malware."

    What a BS piece of crap email this is. Apple should sue the crap out of you for spreading such MALICIOUS, INTENTIONAL LIES! It's as bad as the malware you're using to leverage traffic to your site.

    Shameful. Someone should be FIRED for this one.

    Now, will you just bury this comment (screed), or man-up and admit there's NO EXCUSE for it?
    JoeBob_z
    • He could have honestly believed it. Actus non facit reum nisi mens sit rea.

      AzuMao
  • RE: Malware Watch: iTunes gift certificates, Skype worm, fake CVs and greeting cards

    Great!!! thanks for sharing this information to us!
    efsane
  • iTunes gift certificates emailed

    that is why I buy only from reputable stores such as 4saleusa or netstrada . buy only legal codes
    abdul zwis a-mulaha