Malware Watch is Zero Day's new section covering currently spreading malware campaigns, with the idea of raising awareness of the themes and techniques used for propagation and infection.
The campaigns covered here include bogus iTunes gift certificates, another bogus Windows 7 compatibility checker, a "Look at my (malware-infected) CV" themed campaign, "Your mailbox settings have changed"/bogus 123greetings ecard themed spam, and an IM worm spreading across Skype.
The first campaign spreads over email and attempts to social-engineer the recipient into downloading, unzipping and executing the attached iTunes_certificate_497.zip:
"Hello! You have received an iTunes Gift Certificate in the amount of $50.00. You can find your certificate code in attachment below. Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away."
Once a host is compromised, the cybercriminals attempt to monetize it by installing scareware. Consider going through "The Ultimate Guide to Scareware Protection" to learn how the entire infection and propagation process works, including practical tips on avoiding infection.
Yet another malware campaign propagating over email, this time attempting to trick the user into executing a bogus Windows 7 compatibility checker, Windows7UpgradeAdvisorySetup.zip:
"Find out now if your PC can run Windows 7! To see if your PC is ready for Windows 7, download the free Windows 7 Upgrade Advisory. This software scans your PC for potential issues with your hardware, devices, and installed programs, and recommends what to do before you upgrade. Attention! The information about your PC will be sent to Microsoft, but it will not be used to identify or contact you."
According to BitDefender, upon execution it "installs a backdoor which allows remote, clandestine access to the infected system. This backdoor may then be used by cybercriminals to upload and install additional malicious or potentially unwanted software on the captured system."
What's particularly interesting about the "Look at my CV" campaign, which once again uses email as a propagation vector, is that it's launched by the same individual or gang behind the iTunes Gift Certificate themed campaign.
Both campaigns use identical command and control servers, and the bad guys once again attempt to monetize the infected hosts with scareware. The attachment this time is My_Resume_218.zip, and the lure reads:
"Hello! I have figured out that you have an available job. I am quite interested in it. So I send you my resume. Looking forward to your reply. Thank you."
Relying exclusively on the abuse of Google Groups to spread its malicious links, the campaign installing scareware on the infected host has recently switched to a 123greetings ecard theme.
According to eSoft:
The link on the Google Groups page is a Downloader Trojan with better than normal virus detection. The Downloader then does its job, downloading a mixed bag of malware from several locations. Among the malware downloaded is Desktop Security 2010, a Rogue Anti-Virus program. Access to the Internet through the browser is blocked until you’ve purchased a license, adding a hint of Ransomware to the mix.
Three of the four campaigns reviewed so far serve scareware. That's anything but a coincidence: scareware currently represents 15 percent of all malware, according to Google.
The IM worm is perhaps the most interesting campaign of the set, because it propagates across Skype and Yahoo! Messenger and also tries to avoid automated detection by engaging the prospective victim in a conversation before sending the file. Moreover, the executable, masked as an image file, has rootkit capabilities and blocks access to high-traffic download portals in an attempt to prevent users from downloading cleanup tools.
The malware also deactivates the Windows Firewall in order to breach the local security and to allow a remote attacker to connect to the worm's backdoor component. To make things worse, the rootkit component also prevents the installation of any file known to be an antivirus product. Backdoor.Tofsee identifies these files by their filename, so renaming the blocked file should solve the issue. The worm's spreading mechanism isn't limited to spamming itself via Skype and YIM; it also copies itself onto any attached USB storage device.
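As an added illustration, and not code from the article, from BitDefender or from the worm itself, the Python script below runs three host-triage checks for the behaviours just described: hosts-file overrides of download portals and vendor sites, attachment names that look like images but end in an executable extension, and the programs an autorun.inf on removable media would launch. Three things are assumptions about technique rather than facts the page states: that the portals are blocked through the Windows hosts file, that the "image" is a double-extension name such as photo.jpg.exe, and that the USB copy is launched through autorun.inf. The domain list and every sample input are constructed for the example.

```python
"""Triage checks for the IM-worm behaviours described above.

Added example, not code from the article or from any vendor. Assumed
(not stated on the page): download portals blocked via the hosts file,
image masquerading via a double extension, USB spreading via autorun.inf.
All sample inputs are constructed.
"""
import re
from typing import Dict, List

# Sites a cleanup typically needs; the concrete list is an assumption.
WATCHED_DOMAINS = {"download.com", "softpedia.com", "windowsupdate.com", "bitdefender.com"}

# image extension, optional padding spaces, then an executable extension
MASQUERADE_RE = re.compile(r"\.(?:jpe?g|png|gif|bmp)\s*\.(?:exe|scr|com|pif|bat|cmd)$", re.I)


def hosts_hijacks(hosts_text: str) -> List[str]:
    """Return 'name -> ip' for every watched domain the hosts file overrides.

    Any hosts entry for these names is suspect: a clean system resolves
    them through DNS, so an entry here can only pin them to a wrong address.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            bare = name.lower()
            if bare.startswith("www."):
                bare = bare[4:]
            if bare in WATCHED_DOMAINS:
                hits.append(f"{name} -> {ip}")
    return hits


def masquerading_images(filenames: List[str]) -> List[str]:
    """Flag names that read as images but carry an executable extension."""
    return [fn for fn in filenames if MASQUERADE_RE.search(fn)]


def autorun_targets(autorun_text: str) -> List[str]:
    """Return the programs an autorun.inf on removable media would launch."""
    targets = []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= and shellexecute= run directly; shell\<verb>\command= runs on that verb
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def triage(hosts_text: str, filenames: List[str], autorun_text: str) -> Dict[str, List[str]]:
    """Bundle the three checks into one findings map."""
    return {
        "hosts_hijacks": hosts_hijacks(hosts_text),
        "masquerading_images": masquerading_images(filenames),
        "autorun_targets": autorun_targets(autorun_text),
    }


# Constructed samples, not artefacts recovered from the campaign.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.download.com download.com
0.0.0.0   www.bitdefender.com   # blocks the vendor site
"""
SAMPLE_FILENAMES = ["vacation.jpg", "me.jpg.exe", "photo.JPG .scr", "notes.txt"]
SAMPLE_AUTORUN = """[autorun]
open=recycler\\x.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=recycler\\x.exe
"""

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_HOSTS, SAMPLE_FILENAMES, SAMPLE_AUTORUN).items():
        print(f"{check}: {findings}")
```

Run it against a real machine by feeding it the contents of %SystemRoot%\System32\drivers\etc\hosts, a directory listing of the user's download folder, and the autorun.inf from the root of each removable drive; the rootkit component the page describes can hide its own files from a live system, so these checks are most trustworthy when run from boot media or against an offline image.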