Malware

IMG0893.zip – Your photo all over Facebook? Naked? Malware campaign spammed out

SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.

The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.

Subject lines used in the spammed-out malware campaign include:

  • RE:Check the attachment you have to react somehow to this picture
  • FW:Check the attachment you have to react somehow to this picture
  • RE:You HAVE to check this photo in attachment man
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?

The message bodies contained inside the email can also vary. Here are some examples:

  • Hi there ,
    I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
  • Hi there ,
    I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
  • Excuse me,
    But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.
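The lure above combines a suggestive subject line with a ZIP attachment that carries an executable. A mail-gateway triage check for exactly that pattern, written here as an added example (not SophosLabs code), looks inside each ZIP attachment and flags any member whose final extension is executable, which also catches double extensions such as "photo.jpg.exe". The subject markers are taken from the subject lines listed above; the sample message, its ZIP and the member name inside it are constructed for the demonstration, not the real campaign payload, whose contents the post does not describe.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions that have no business inside a "photo" ZIP from a stranger.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Phrases shared by the subject lines of this campaign (from the list above).
SUBJECT_MARKERS = ("check the attachment", "photo in attachment",
                   "all over facebook", "photo online")


def suspicious_zip_members(zip_bytes):
    """Return member names whose *final* extension is executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            ext = ("." + lower.rsplit(".", 1)[-1]) if "." in lower else ""
            if ext in EXECUTABLE_EXTS:
                hits.append(name)
    return hits


def triage_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    subject = str(msg["subject"] or "")
    if any(m in subject.lower() for m in SUBJECT_MARKERS):
        findings.append(f"lure subject: {subject}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            bad = suspicious_zip_members(part.get_payload(decode=True))
            if bad:
                findings.append(f"{fname} contains executable(s): {bad}")
    return findings


def build_sample(subject, zip_member):
    """Constructed sample message carrying a ZIP with one member (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zip_member, b"MZ" + b"\0" * 62)  # dummy PE stub, not malware
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg.set_content("I got to show you this picture in attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="IMG0893.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample("RE:Why did you put this photo online?", "IMG0893.jpg.exe")
    for finding in triage_message(raw):
        print(finding)
```

The check deliberately keys on the last extension rather than on the attachment's MIME type, since the sender controls both the declared type and the ZIP member names.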

Fake Instagram app infects Android devices with malware

Tempted to try out the much talked about Instagram app? Well, be careful where you get it from – malware authors are distributing malware disguised as the popular app.

It’s a rain cloud on a summer’s day for the Instagram photo-sharing smartphone app, which is otherwise having a glorious time right now.

First of all, Instagram released a first version for Android and managed to get five million downloads in less than a week.

Then the 13-employee firm managed to sell itself to Facebook for a cool $1 billion, making some of us wonder about privacy, and others think – “to heck with that, do I have a program that’s never earnt any money that I might be able to flog to Mark Zuckerberg?”.

Naturally, the Facebook acquisition news raised Instagram to even higher levels of public awareness and that’s where the bad guys stepped in.

Cybercriminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users.

Is the art of computer viruses dead?

Stop press! The art of computer viruses may not be dead, after all.

Vancouver-based artist Bratsa Bonifacho says his latest collection of paintings has been inspired by computer malware.

One of Bonifacho’s virus paintings is titled “Horty MyParty is Weird and Coolnow”.

An unusual name, you might think, but it is apparently inspired by a number of viruses from yesteryear including VBS/Horty (which claimed to offer pornographic content of adult film star Jenna Jameson), 2002’s MyParty email worm, and the CoolNow MSN Messenger worm.

Duqu Malware, son of Stuxnet raises questions of origin and intent

Early today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren’t for its ties to Stuxnet.

Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn’t jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.

The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.

Symantec reports that after it retrieves the additional malicious files it is focused on gathering information rather than industrial sabotage.

SophosLabs confirms that the driver files are signed with a certificate that chains up to a VeriSign root, much as the Stuxnet drivers were. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for its embedded audio chipsets.

Signature of driver file:

SHA1 hash of file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
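A chain like the one above validates cleanly, so "is it signed?" tells a defender nothing; the useful question is "which certificate signed it, and is that certificate on a list of known-abused signers?". The script below is an added example (not SophosLabs code, and not a substitute for a full Authenticode verifier): it locates the PKCS#7 blob in a PE file's security data directory, walks the SignedData structure to pull out the embedded DER certificates, computes each one's SHA1 thumbprint and compares it against a blocklist seeded with the C-Media thumbprint printed above. The PE header and the "certificates" it embeds in the demonstration are constructed dummies; the parser checks neither the signature itself nor revocation, and a real deployment would pass it genuine drivers.

```python
import hashlib
import struct

# SHA1 thumbprints (SHA1 over the DER certificate) of code-signing certs known
# to have been abused by malware. The C-Media entry is the leaf thumbprint
# printed in the chain above; anything else an operator adds is their own.
ABUSED_THUMBPRINTS = {
    "83F430C7297FBF6C1D910B73414132DB48DBDE9C": "C-Media Electronics Incorporation (Duqu driver signer)",
}
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2


def der_iter(data):
    """Yield (tag, value, whole_tlv) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, ln, j = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(data[j:j + n], "big")
            j += n
        yield tag, data[j:j + ln], data[i:j + ln]
        i = j + ln


def der_tlv(tag, value):
    """Encode one DER element (only used to build the constructed sample)."""
    ln = len(value)
    if ln < 0x80:
        return bytes([tag, ln]) + value
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def authenticode_blobs(pe):
    """Return the PKCS#7 blobs held in a PE's security data directory (index 4)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                                   # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+ data dirs
    sec_off, sec_size = struct.unpack_from("<II", pe, dd + 4 * 8)  # a file offset, not an RVA
    blobs, pos = [], sec_off
    while sec_off and pos + 8 <= sec_off + sec_size:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)  # WIN_CERTIFICATE
        if ctype == 0x0002:                             # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7                        # entries are 8-byte aligned
    return blobs


def certificates_in_signed_data(blob):
    """ContentInfo -> [0] SignedData -> [0] certificates; return the DER certs."""
    (tag, content, _), = der_iter(blob)
    fields = list(der_iter(content))
    if tag != 0x30 or fields[0][0] != 0x06 or fields[0][1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    (_, signed_data, _), = der_iter(fields[1][1])      # strip the explicit [0] wrapper
    for t, value, _ in der_iter(signed_data):
        if t == 0xA0:                                   # implicit [0] SET OF Certificate
            return [tlv for ct, _, tlv in der_iter(value) if ct == 0x30]
    return []


def thumbprint(cert_der):
    return hashlib.sha1(cert_der).hexdigest().upper()


def check_signers(pe, blocklist=ABUSED_THUMBPRINTS):
    """Return (thumbprint, label) for every embedded certificate on the blocklist."""
    hits = []
    for blob in authenticode_blobs(pe):
        for cert in certificates_in_signed_data(blob):
            tp = thumbprint(cert)
            if tp in blocklist:
                hits.append((tp, blocklist[tp]))
    return hits


def build_sample_pe(certs):
    """Constructed PE32 header plus a SignedData carrying `certs`: not a runnable
    executable, just enough structure to exercise the parser above."""
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"")
                     + der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA))
                     + der_tlv(0xA0, b"".join(certs)) + der_tlv(0x31, b""))
    info = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed))
    wc = struct.pack("<IHH", 8 + len(info), 0x0200, 0x0002) + info
    wc += b"\0" * (-len(wc) % 8)
    pe_off, opt_size = 0x40, 96 + 16 * 8
    hdr = bytearray(pe_off + 24 + opt_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 20, opt_size)              # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, pe_off + 24, 0x10B)                 # PE32 magic
    struct.pack_into("<II", hdr, pe_off + 24 + 96 + 32, len(hdr), len(wc))
    return bytes(hdr) + wc


if __name__ == "__main__":
    fake = der_tlv(0x30, b"constructed-cert")           # stands in for a real X.509 cert
    print(check_signers(build_sample_pe([fake]), {thumbprint(fake): "constructed test cert"}))
```

Because thumbprints are taken over the whole DER certificate, the same check works for the intermediate and root certificates in the chain, which matters when an entire issuing CA rather than a single leaf has to be distrusted.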

This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighbourhood.

The mystery remains, however. Were these certificates and their private keys stolen from the vendors, or were they issued through a compromised certificate authority so that they merely appear to belong to these organizations?

As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.

Sophos customers are protected against the primary sample of this malware as Troj/Bdoor-BDA and the malicious driver files as W32/Duqu-A.

Best practices for reporting malicious URLs

One of the topics I frequently get asked about by customers when they visit SophosLabs is what we do about the hordes of legitimate web sites that we see getting hit with malware. How do we go about alerting them to the problem? How can we help to get things cleaned up quickly, thereby reducing risk for users?

Sophos customers can take advantage of our WebAlert service, but this is not relevant to non-customers.

Web security is a topic that affects us all. The web has become the predominant way in which malware is delivered nowadays. Thanks to techniques such as blackhat search engine optimisation (SEO) or drive-by download attacks, failings in the security of a single site or hosting provider can expose many innocent users to malware. Improving the process by which the bad stuff gets reported and cleaned up is in all of our interests.

I am pleased to have been involved in a great initiative over the last few months, coordinated by the folks at StopBadware. They put together a working group in order to thrash out a process for reporting malicious URLs. I am happy to say that a few days ago the final version of Best Practices for Reporting Badware URLs was published.

Hopefully the initiative will facilitate communication between the parties that discover the bad stuff, and those in a position to do something about it, mitigating the effects of malicious URLs.

More information about the initiative can be found on the StopBadware blog, in their press release, or you can dive straight into the report here.

‘Peeping Tom’ webcam blackmailer jailed for six years

Luis Mijangos. Picture credit: Nick Ut/AP

A man from Southern California who hacked into over 100 computers, and used personal information stolen from them to extort sexually explicit videos of young women and teenage girls, has been sentenced to six years in prison.

32-year-old Luis Mijangos, an illegal immigrant from Mexico who was living in Santa Ana, California, was arrested last year after a lengthy investigation by the authorities.

Mijangos infected his victims’ computers with malware, allowing him to gain access to their email accounts, turn on their webcam to take secret movies, and search their PCs for sexually explicit and intimate images and videos.

In some cases, Mijangos also posed as some of the victims’ boyfriends to convince them to send him nude pictures.

At this point, things got really nasty. Mijangos would threaten to post his victims’ intimate images online unless they provided him with more sexually explicit photos and videos for his personal gratification.

In at least one instance, Mijangos posted naked photographs of a woman on her friend’s MySpace page.

Mijangos, who is confined to a wheelchair because of a medical condition, was sentenced to six years in prison by US District Judge George King.

Before sentencing, Mijangos apologised to his victims:

"To all the victims I want to say that I'm sorry. I'm ready to do the right thing and stay out of trouble."

Mijangos is far from the first hacker to take remote control of webcams to spy upon victims.

For instance, in early 2005, Spanish authorities fined a student who captured movie footage from unsuspecting users, and arrested a 37-year-old man who spied on victims via a webcam while stealing banking information.

The following year, Adrian Ringland, from the English town of Ilkeston, Derbyshire, was sentenced to ten years in jail after admitting posing as a minor in internet chatrooms and using spyware to take explicit photographs via children’s webcams.

And in 2008, a 27-year-old Canadian man was charged with using spyware to take over the webcams of women as young as 14 and coercing them into posing naked for him.

Perhaps the most eyebrow-raising incident I have heard of, however, is the case of the man who is alleged to have displayed error messages on his potential victims’ laptop screens, tricking them into taking their webcams into the shower with them.

With many home users keeping poorly-defended PCs in their bedroom, there is clearly considerable potential for abuse – particularly amongst the young. The message is simple: keep your PC protected against the latest threats with anti-malware software, security patches and firewalls, and if in any doubt unplug your webcam when you’re not using it.